dan/ops-jrz1
1
0
Fork 0
Code Issues Pull requests Actions Packages Projects Releases Wiki Activity

Compare commits

base: dan:7ca9770e146137681c2401ad9fe623c44d73996e
Branches Tags
dan:001-extract-matrix-platform
dan:main
dan:v0.2.0
...
compare: dan:2dfe4ea82950b7b1150e503cb62d4908a42fc6a9
Branches Tags
dan:main
dan:001-extract-matrix-platform
dan:v0.2.0

10 commits
7ca9770e14 ... 2dfe4ea829

Author SHA1 Message Date
Dan 2dfe4ea829 Document current architecture, manual fixes, and QA checklist 
Added comprehensive documentation:
- Manual workaround for sender_localpart registration bug
- QA testing checklist for untested features
- Future monitoring/alerting requirements
- Current architecture diagram and data flow
- Security model and operational notes
 2025-10-26 14:52:31 -07:00
Dan 0b1751766b Ignore worklogs directory for security 
Worklogs may contain sensitive troubleshooting information, error messages,
tokens, or infrastructure details that should not be in version control.
 2025-10-26 14:37:26 -07:00
Dan bce31933ed Add platform vision and spec-kit integration docs 2025-10-26 14:36:52 -07:00
Dan ca379311b8 Add Slack bridge integration feature specification 
Includes spec, plan, research, data model, contracts, and quickstart guide
for mautrix-slack Socket Mode bridge deployment.
 2025-10-26 14:36:44 -07:00
Dan d69f8a4ac8 Add Forgejo repository setup worklog 2025-10-26 14:36:42 -07:00
Dan 3337175436 Ignore VM disk images 2025-10-26 14:34:50 -07:00
Dan 406dda9960 Untrack spec-kit framework files 
These files are maintained in ~/proj/spec-kit repo and should not be
tracked here. Added to .gitignore to prevent future tracking.
 2025-10-26 14:34:18 -07:00
Dan a00a5fe312 Deploy mautrix-slack bridge with IPv4 networking fixes 
Changes:
- Fix nginx proxy_pass directives to use 127.0.0.1 instead of localhost
- Fix bridge homeserverUrl to use explicit IPv4 address
- Enable debug logging on conduwuit
- Add spec-kit framework files to .gitignore
- Document deployment in comprehensive worklog

Resolves connection refused errors from localhost resolving to IPv6 [::1]
while services bind only to IPv4 127.0.0.1. Bridge now fully operational
with bidirectional Slack-Matrix message flow working.
 2025-10-26 14:33:00 -07:00
Dan 8d51f6f16e Fix bridge homeserver URL to use IPv4 (127.0.0.1) instead of localhost 2025-10-25 21:48:38 -07:00
Dan 776a5a71eb Update nixpkgs-unstable for conduwuit 0.5.0-rc.8 2025-10-25 17:50:37 -07:00
40 changed files with 4913 additions and 6354 deletions
Show stats Expand all files Collapse all files

184
.claude/commands/speckit.analyze.md
View file

@ -1,184 +0,0 @@
---
description: Perform a non-destructive cross-artifact consistency and quality analysis across spec.md, plan.md, and tasks.md after task generation.
---
## User Input
```text
$ARGUMENTS
```
You **MUST** consider the user input before proceeding (if not empty).
## Goal
Identify inconsistencies, duplications, ambiguities, and underspecified items across the three core artifacts (`spec.md`, `plan.md`, `tasks.md`) before implementation. This command MUST run only after `/tasks` has successfully produced a complete `tasks.md`.
## Operating Constraints
**STRICTLY READ-ONLY**: Do **not** modify any files. Output a structured analysis report. Offer an optional remediation plan (user must explicitly approve before any follow-up editing commands would be invoked manually).
**Constitution Authority**: The project constitution (`.specify/memory/constitution.md`) is **non-negotiable** within this analysis scope. Constitution conflicts are automatically CRITICAL and require adjustment of the spec, plan, or tasks—not dilution, reinterpretation, or silent ignoring of the principle. If a principle itself needs to change, that must occur in a separate, explicit constitution update outside `/analyze`.
## Execution Steps
### 1. Initialize Analysis Context
Run `.specify/scripts/bash/check-prerequisites.sh --json --require-tasks --include-tasks` once from repo root and parse JSON for FEATURE_DIR and AVAILABLE_DOCS. Derive absolute paths:
- SPEC = FEATURE_DIR/spec.md
- PLAN = FEATURE_DIR/plan.md
- TASKS = FEATURE_DIR/tasks.md
Abort with an error message if any required file is missing (instruct the user to run missing prerequisite command).
For single quotes in args like "I'm Groot", use escape syntax: e.g 'I'\''m Groot' (or double-quote if possible: "I'm Groot").
### 2. Load Artifacts (Progressive Disclosure)
Load only the minimal necessary context from each artifact:
**From spec.md:**
- Overview/Context
- Functional Requirements
- Non-Functional Requirements
- User Stories
- Edge Cases (if present)
**From plan.md:**
- Architecture/stack choices
- Data Model references
- Phases
- Technical constraints
**From tasks.md:**
- Task IDs
- Descriptions
- Phase grouping
- Parallel markers [P]
- Referenced file paths
**From constitution:**
- Load `.specify/memory/constitution.md` for principle validation
### 3. Build Semantic Models
Create internal representations (do not include raw artifacts in output):
- **Requirements inventory**: Each functional + non-functional requirement with a stable key (derive slug based on imperative phrase; e.g., "User can upload file" → `user-can-upload-file`)
- **User story/action inventory**: Discrete user actions with acceptance criteria
- **Task coverage mapping**: Map each task to one or more requirements or stories (inference by keyword / explicit reference patterns like IDs or key phrases)
- **Constitution rule set**: Extract principle names and MUST/SHOULD normative statements
### 4. Detection Passes (Token-Efficient Analysis)
Focus on high-signal findings. Limit to 50 findings total; aggregate remainder in overflow summary.
#### A. Duplication Detection
- Identify near-duplicate requirements
- Mark lower-quality phrasing for consolidation
#### B. Ambiguity Detection
- Flag vague adjectives (fast, scalable, secure, intuitive, robust) lacking measurable criteria
- Flag unresolved placeholders (TODO, TKTK, ???, `<placeholder>`, etc.)
#### C. Underspecification
- Requirements with verbs but missing object or measurable outcome
- User stories missing acceptance criteria alignment
- Tasks referencing files or components not defined in spec/plan
#### D. Constitution Alignment
- Any requirement or plan element conflicting with a MUST principle
- Missing mandated sections or quality gates from constitution
#### E. Coverage Gaps
- Requirements with zero associated tasks
- Tasks with no mapped requirement/story
- Non-functional requirements not reflected in tasks (e.g., performance, security)
#### F. Inconsistency
- Terminology drift (same concept named differently across files)
- Data entities referenced in plan but absent in spec (or vice versa)
- Task ordering contradictions (e.g., integration tasks before foundational setup tasks without dependency note)
- Conflicting requirements (e.g., one requires Next.js while other specifies Vue)
### 5. Severity Assignment
Use this heuristic to prioritize findings:
- **CRITICAL**: Violates constitution MUST, missing core spec artifact, or requirement with zero coverage that blocks baseline functionality
- **HIGH**: Duplicate or conflicting requirement, ambiguous security/performance attribute, untestable acceptance criterion
- **MEDIUM**: Terminology drift, missing non-functional task coverage, underspecified edge case
- **LOW**: Style/wording improvements, minor redundancy not affecting execution order
### 6. Produce Compact Analysis Report
Output a Markdown report (no file writes) with the following structure:
## Specification Analysis Report
| ID | Category | Severity | Location(s) | Summary | Recommendation |
|----|----------|----------|-------------|---------|----------------|
| A1 | Duplication | HIGH | spec.md:L120-134 | Two similar requirements ... | Merge phrasing; keep clearer version |
(Add one row per finding; generate stable IDs prefixed by category initial.)
**Coverage Summary Table:**
| Requirement Key | Has Task? | Task IDs | Notes |
|-----------------|-----------|----------|-------|
**Constitution Alignment Issues:** (if any)
**Unmapped Tasks:** (if any)
**Metrics:**
- Total Requirements
- Total Tasks
- Coverage % (requirements with >=1 task)
- Ambiguity Count
- Duplication Count
- Critical Issues Count
### 7. Provide Next Actions
At end of report, output a concise Next Actions block:
- If CRITICAL issues exist: Recommend resolving before `/implement`
- If only LOW/MEDIUM: User may proceed, but provide improvement suggestions
- Provide explicit command suggestions: e.g., "Run /specify with refinement", "Run /plan to adjust architecture", "Manually edit tasks.md to add coverage for 'performance-metrics'"
### 8. Offer Remediation
Ask the user: "Would you like me to suggest concrete remediation edits for the top N issues?" (Do NOT apply them automatically.)
## Operating Principles
### Context Efficiency
- **Minimal high-signal tokens**: Focus on actionable findings, not exhaustive documentation
- **Progressive disclosure**: Load artifacts incrementally; don't dump all content into analysis
- **Token-efficient output**: Limit findings table to 50 rows; summarize overflow
- **Deterministic results**: Rerunning without changes should produce consistent IDs and counts
### Analysis Guidelines
- **NEVER modify files** (this is read-only analysis)
- **NEVER hallucinate missing sections** (if absent, report them accurately)
- **Prioritize constitution violations** (these are always CRITICAL)
- **Use examples over exhaustive rules** (cite specific instances, not generic patterns)
- **Report zero issues gracefully** (emit success report with coverage statistics)
## Context
$ARGUMENTS

287
.claude/commands/speckit.checklist.md
View file

@ -1,287 +0,0 @@
---
description: Generate a custom checklist for the current feature based on user requirements.
---
## Checklist Purpose: "Unit Tests for English"
**CRITICAL CONCEPT**: Checklists are **UNIT TESTS FOR REQUIREMENTS WRITING** - they validate the quality, clarity, and completeness of requirements in a given domain.
**NOT for verification/testing**:
- ❌ NOT "Verify the button clicks correctly"
- ❌ NOT "Test error handling works"
- ❌ NOT "Confirm the API returns 200"
- ❌ NOT checking if code/implementation matches the spec
**FOR requirements quality validation**:
- ✅ "Are visual hierarchy requirements defined for all card types?" (completeness)
- ✅ "Is 'prominent display' quantified with specific sizing/positioning?" (clarity)
- ✅ "Are hover state requirements consistent across all interactive elements?" (consistency)
- ✅ "Are accessibility requirements defined for keyboard navigation?" (coverage)
- ✅ "Does the spec define what happens when logo image fails to load?" (edge cases)
**Metaphor**: If your spec is code written in English, the checklist is its unit test suite. You're testing whether the requirements are well-written, complete, unambiguous, and ready for implementation - NOT whether the implementation works.
## User Input
```text
$ARGUMENTS
```
You **MUST** consider the user input before proceeding (if not empty).
## Execution Steps
1. **Setup**: Run `.specify/scripts/bash/check-prerequisites.sh --json` from repo root and parse JSON for FEATURE_DIR and AVAILABLE_DOCS list.
- All file paths must be absolute.
- For single quotes in args like "I'm Groot", use escape syntax: e.g 'I'\''m Groot' (or double-quote if possible: "I'm Groot").
2. **Clarify intent (dynamic)**: Derive up to THREE initial contextual clarifying questions (no pre-baked catalog). They MUST:
- Be generated from the user's phrasing + extracted signals from spec/plan/tasks
- Only ask about information that materially changes checklist content
- Be skipped individually if already unambiguous in `$ARGUMENTS`
- Prefer precision over breadth
Generation algorithm:
1. Extract signals: feature domain keywords (e.g., auth, latency, UX, API), risk indicators ("critical", "must", "compliance"), stakeholder hints ("QA", "review", "security team"), and explicit deliverables ("a11y", "rollback", "contracts").
2. Cluster signals into candidate focus areas (max 4) ranked by relevance.
3. Identify probable audience & timing (author, reviewer, QA, release) if not explicit.
4. Detect missing dimensions: scope breadth, depth/rigor, risk emphasis, exclusion boundaries, measurable acceptance criteria.
5. Formulate questions chosen from these archetypes:
- Scope refinement (e.g., "Should this include integration touchpoints with X and Y or stay limited to local module correctness?")
- Risk prioritization (e.g., "Which of these potential risk areas should receive mandatory gating checks?")
- Depth calibration (e.g., "Is this a lightweight pre-commit sanity list or a formal release gate?")
- Audience framing (e.g., "Will this be used by the author only or peers during PR review?")
- Boundary exclusion (e.g., "Should we explicitly exclude performance tuning items this round?")
- Scenario class gap (e.g., "No recovery flows detected—are rollback / partial failure paths in scope?")
Question formatting rules:
- If presenting options, generate a compact table with columns: Option | Candidate | Why It Matters
- Limit to AE options maximum; omit table if a free-form answer is clearer
- Never ask the user to restate what they already said
- Avoid speculative categories (no hallucination). If uncertain, ask explicitly: "Confirm whether X belongs in scope."
Defaults when interaction impossible:
- Depth: Standard
- Audience: Reviewer (PR) if code-related; Author otherwise
- Focus: Top 2 relevance clusters
Output the questions (label Q1/Q2/Q3). After answers: if ≥2 scenario classes (Alternate / Exception / Recovery / Non-Functional domain) remain unclear, you MAY ask up to TWO more targeted followups (Q4/Q5) with a one-line justification each (e.g., "Unresolved recovery path risk"). Do not exceed five total questions. Skip escalation if user explicitly declines more.
3. **Understand user request**: Combine `$ARGUMENTS` + clarifying answers:
- Derive checklist theme (e.g., security, review, deploy, ux)
- Consolidate explicit must-have items mentioned by user
- Map focus selections to category scaffolding
- Infer any missing context from spec/plan/tasks (do NOT hallucinate)
4. **Load feature context**: Read from FEATURE_DIR:
- spec.md: Feature requirements and scope
- plan.md (if exists): Technical details, dependencies
- tasks.md (if exists): Implementation tasks
**Context Loading Strategy**:
- Load only necessary portions relevant to active focus areas (avoid full-file dumping)
- Prefer summarizing long sections into concise scenario/requirement bullets
- Use progressive disclosure: add follow-on retrieval only if gaps detected
- If source docs are large, generate interim summary items instead of embedding raw text
5. **Generate checklist** - Create "Unit Tests for Requirements":
- Create `FEATURE_DIR/checklists/` directory if it doesn't exist
- Generate unique checklist filename:
- Use short, descriptive name based on domain (e.g., `ux.md`, `api.md`, `security.md`)
- Format: `[domain].md`
- If file exists, append to existing file
- Number items sequentially starting from CHK001
- Each `/speckit.checklist` run creates a NEW file (never overwrites existing checklists)
**CORE PRINCIPLE - Test the Requirements, Not the Implementation**:
Every checklist item MUST evaluate the REQUIREMENTS THEMSELVES for:
- **Completeness**: Are all necessary requirements present?
- **Clarity**: Are requirements unambiguous and specific?
- **Consistency**: Do requirements align with each other?
- **Measurability**: Can requirements be objectively verified?
- **Coverage**: Are all scenarios/edge cases addressed?
**Category Structure** - Group items by requirement quality dimensions:
- **Requirement Completeness** (Are all necessary requirements documented?)
- **Requirement Clarity** (Are requirements specific and unambiguous?)
- **Requirement Consistency** (Do requirements align without conflicts?)
- **Acceptance Criteria Quality** (Are success criteria measurable?)
- **Scenario Coverage** (Are all flows/cases addressed?)
- **Edge Case Coverage** (Are boundary conditions defined?)
- **Non-Functional Requirements** (Performance, Security, Accessibility, etc. - are they specified?)
- **Dependencies & Assumptions** (Are they documented and validated?)
- **Ambiguities & Conflicts** (What needs clarification?)
**HOW TO WRITE CHECKLIST ITEMS - "Unit Tests for English"**:
**WRONG** (Testing implementation):
- "Verify landing page displays 3 episode cards"
- "Test hover states work on desktop"
- "Confirm logo click navigates home"
**CORRECT** (Testing requirements quality):
- "Are the exact number and layout of featured episodes specified?" [Completeness]
- "Is 'prominent display' quantified with specific sizing/positioning?" [Clarity]
- "Are hover state requirements consistent across all interactive elements?" [Consistency]
- "Are keyboard navigation requirements defined for all interactive UI?" [Coverage]
- "Is the fallback behavior specified when logo image fails to load?" [Edge Cases]
- "Are loading states defined for asynchronous episode data?" [Completeness]
- "Does the spec define visual hierarchy for competing UI elements?" [Clarity]
**ITEM STRUCTURE**:
Each item should follow this pattern:
- Question format asking about requirement quality
- Focus on what's WRITTEN (or not written) in the spec/plan
- Include quality dimension in brackets [Completeness/Clarity/Consistency/etc.]
- Reference spec section `[Spec §X.Y]` when checking existing requirements
- Use `[Gap]` marker when checking for missing requirements
**EXAMPLES BY QUALITY DIMENSION**:
Completeness:
- "Are error handling requirements defined for all API failure modes? [Gap]"
- "Are accessibility requirements specified for all interactive elements? [Completeness]"
- "Are mobile breakpoint requirements defined for responsive layouts? [Gap]"
Clarity:
- "Is 'fast loading' quantified with specific timing thresholds? [Clarity, Spec §NFR-2]"
- "Are 'related episodes' selection criteria explicitly defined? [Clarity, Spec §FR-5]"
- "Is 'prominent' defined with measurable visual properties? [Ambiguity, Spec §FR-4]"
Consistency:
- "Do navigation requirements align across all pages? [Consistency, Spec §FR-10]"
- "Are card component requirements consistent between landing and detail pages? [Consistency]"
Coverage:
- "Are requirements defined for zero-state scenarios (no episodes)? [Coverage, Edge Case]"
- "Are concurrent user interaction scenarios addressed? [Coverage, Gap]"
- "Are requirements specified for partial data loading failures? [Coverage, Exception Flow]"
Measurability:
- "Are visual hierarchy requirements measurable/testable? [Acceptance Criteria, Spec §FR-1]"
- "Can 'balanced visual weight' be objectively verified? [Measurability, Spec §FR-2]"
**Scenario Classification & Coverage** (Requirements Quality Focus):
- Check if requirements exist for: Primary, Alternate, Exception/Error, Recovery, Non-Functional scenarios
- For each scenario class, ask: "Are [scenario type] requirements complete, clear, and consistent?"
- If scenario class missing: "Are [scenario type] requirements intentionally excluded or missing? [Gap]"
- Include resilience/rollback when state mutation occurs: "Are rollback requirements defined for migration failures? [Gap]"
**Traceability Requirements**:
- MINIMUM: ≥80% of items MUST include at least one traceability reference
- Each item should reference: spec section `[Spec §X.Y]`, or use markers: `[Gap]`, `[Ambiguity]`, `[Conflict]`, `[Assumption]`
- If no ID system exists: "Is a requirement & acceptance criteria ID scheme established? [Traceability]"
**Surface & Resolve Issues** (Requirements Quality Problems):
Ask questions about the requirements themselves:
- Ambiguities: "Is the term 'fast' quantified with specific metrics? [Ambiguity, Spec §NFR-1]"
- Conflicts: "Do navigation requirements conflict between §FR-10 and §FR-10a? [Conflict]"
- Assumptions: "Is the assumption of 'always available podcast API' validated? [Assumption]"
- Dependencies: "Are external podcast API requirements documented? [Dependency, Gap]"
- Missing definitions: "Is 'visual hierarchy' defined with measurable criteria? [Gap]"
**Content Consolidation**:
- Soft cap: If raw candidate items > 40, prioritize by risk/impact
- Merge near-duplicates checking the same requirement aspect
- If >5 low-impact edge cases, create one item: "Are edge cases X, Y, Z addressed in requirements? [Coverage]"
**🚫 ABSOLUTELY PROHIBITED** - These make it an implementation test, not a requirements test:
- ❌ Any item starting with "Verify", "Test", "Confirm", "Check" + implementation behavior
- ❌ References to code execution, user actions, system behavior
- ❌ "Displays correctly", "works properly", "functions as expected"
- ❌ "Click", "navigate", "render", "load", "execute"
- ❌ Test cases, test plans, QA procedures
- ❌ Implementation details (frameworks, APIs, algorithms)
**✅ REQUIRED PATTERNS** - These test requirements quality:
- ✅ "Are [requirement type] defined/specified/documented for [scenario]?"
- ✅ "Is [vague term] quantified/clarified with specific criteria?"
- ✅ "Are requirements consistent between [section A] and [section B]?"
- ✅ "Can [requirement] be objectively measured/verified?"
- ✅ "Are [edge cases/scenarios] addressed in requirements?"
- ✅ "Does the spec define [missing aspect]?"
6. **Structure Reference**: Generate the checklist following the canonical template in `.specify/templates/checklist-template.md` for title, meta section, category headings, and ID formatting. If template is unavailable, use: H1 title, purpose/created meta lines, `##` category sections containing `- [ ] CHK### <requirement item>` lines with globally incrementing IDs starting at CHK001.
7. **Report**: Output full path to created checklist, item count, and remind user that each run creates a new file. Summarize:
- Focus areas selected
- Depth level
- Actor/timing
- Any explicit user-specified must-have items incorporated
**Important**: Each `/speckit.checklist` command invocation creates a checklist file using short, descriptive names unless file already exists. This allows:
- Multiple checklists of different types (e.g., `ux.md`, `test.md`, `security.md`)
- Simple, memorable filenames that indicate checklist purpose
- Easy identification and navigation in the `checklists/` folder
To avoid clutter, use descriptive types and clean up obsolete checklists when done.
## Example Checklist Types & Sample Items
**UX Requirements Quality:** `ux.md`
Sample items (testing the requirements, NOT the implementation):
- "Are visual hierarchy requirements defined with measurable criteria? [Clarity, Spec §FR-1]"
- "Is the number and positioning of UI elements explicitly specified? [Completeness, Spec §FR-1]"
- "Are interaction state requirements (hover, focus, active) consistently defined? [Consistency]"
- "Are accessibility requirements specified for all interactive elements? [Coverage, Gap]"
- "Is fallback behavior defined when images fail to load? [Edge Case, Gap]"
- "Can 'prominent display' be objectively measured? [Measurability, Spec §FR-4]"
**API Requirements Quality:** `api.md`
Sample items:
- "Are error response formats specified for all failure scenarios? [Completeness]"
- "Are rate limiting requirements quantified with specific thresholds? [Clarity]"
- "Are authentication requirements consistent across all endpoints? [Consistency]"
- "Are retry/timeout requirements defined for external dependencies? [Coverage, Gap]"
- "Is versioning strategy documented in requirements? [Gap]"
**Performance Requirements Quality:** `performance.md`
Sample items:
- "Are performance requirements quantified with specific metrics? [Clarity]"
- "Are performance targets defined for all critical user journeys? [Coverage]"
- "Are performance requirements under different load conditions specified? [Completeness]"
- "Can performance requirements be objectively measured? [Measurability]"
- "Are degradation requirements defined for high-load scenarios? [Edge Case, Gap]"
**Security Requirements Quality:** `security.md`
Sample items:
- "Are authentication requirements specified for all protected resources? [Coverage]"
- "Are data protection requirements defined for sensitive information? [Completeness]"
- "Is the threat model documented and requirements aligned to it? [Traceability]"
- "Are security requirements consistent with compliance obligations? [Consistency]"
- "Are security failure/breach response requirements defined? [Gap, Exception Flow]"
## Anti-Examples: What NOT To Do
**❌ WRONG - These test implementation, not requirements:**
```markdown
- [ ] CHK001 - Verify landing page displays 3 episode cards [Spec §FR-001]
- [ ] CHK002 - Test hover states work correctly on desktop [Spec §FR-003]
- [ ] CHK003 - Confirm logo click navigates to home page [Spec §FR-010]
- [ ] CHK004 - Check that related episodes section shows 3-5 items [Spec §FR-005]
```
**✅ CORRECT - These test requirements quality:**
```markdown
- [ ] CHK001 - Are the number and layout of featured episodes explicitly specified? [Completeness, Spec §FR-001]
- [ ] CHK002 - Are hover state requirements consistently defined for all interactive elements? [Consistency, Spec §FR-003]
- [ ] CHK003 - Are navigation requirements clear for all clickable brand elements? [Clarity, Spec §FR-010]
- [ ] CHK004 - Is the selection criteria for related episodes documented? [Gap, Spec §FR-005]
- [ ] CHK005 - Are loading state requirements defined for asynchronous episode data? [Gap]
- [ ] CHK006 - Can "visual hierarchy" requirements be objectively measured? [Measurability, Spec §FR-001]
```
**Key Differences:**
- Wrong: Tests if the system works correctly
- Correct: Tests if the requirements are written correctly
- Wrong: Verification of behavior
- Correct: Validation of requirement quality
- Wrong: "Does it do X?"
- Correct: "Is X clearly specified?"

176
.claude/commands/speckit.clarify.md
View file

@ -1,176 +0,0 @@
---
description: Identify underspecified areas in the current feature spec by asking up to 5 highly targeted clarification questions and encoding answers back into the spec.
---
## User Input
```text
$ARGUMENTS
```
You **MUST** consider the user input before proceeding (if not empty).
## Outline
Goal: Detect and reduce ambiguity or missing decision points in the active feature specification and record the clarifications directly in the spec file.
Note: This clarification workflow is expected to run (and be completed) BEFORE invoking `/speckit.plan`. If the user explicitly states they are skipping clarification (e.g., exploratory spike), you may proceed, but must warn that downstream rework risk increases.
Execution steps:
1. Run `.specify/scripts/bash/check-prerequisites.sh --json --paths-only` from repo root **once** (combined `--json --paths-only` mode / `-Json -PathsOnly`). Parse minimal JSON payload fields:
- `FEATURE_DIR`
- `FEATURE_SPEC`
- (Optionally capture `IMPL_PLAN`, `TASKS` for future chained flows.)
- If JSON parsing fails, abort and instruct user to re-run `/speckit.specify` or verify feature branch environment.
- For single quotes in args like "I'm Groot", use escape syntax: e.g 'I'\''m Groot' (or double-quote if possible: "I'm Groot").
2. Load the current spec file. Perform a structured ambiguity & coverage scan using this taxonomy. For each category, mark status: Clear / Partial / Missing. Produce an internal coverage map used for prioritization (do not output raw map unless no questions will be asked).
Functional Scope & Behavior:
- Core user goals & success criteria
- Explicit out-of-scope declarations
- User roles / personas differentiation
Domain & Data Model:
- Entities, attributes, relationships
- Identity & uniqueness rules
- Lifecycle/state transitions
- Data volume / scale assumptions
Interaction & UX Flow:
- Critical user journeys / sequences
- Error/empty/loading states
- Accessibility or localization notes
Non-Functional Quality Attributes:
- Performance (latency, throughput targets)
- Scalability (horizontal/vertical, limits)
- Reliability & availability (uptime, recovery expectations)
- Observability (logging, metrics, tracing signals)
- Security & privacy (authN/Z, data protection, threat assumptions)
- Compliance / regulatory constraints (if any)
Integration & External Dependencies:
- External services/APIs and failure modes
- Data import/export formats
- Protocol/versioning assumptions
Edge Cases & Failure Handling:
- Negative scenarios
- Rate limiting / throttling
- Conflict resolution (e.g., concurrent edits)
Constraints & Tradeoffs:
- Technical constraints (language, storage, hosting)
- Explicit tradeoffs or rejected alternatives
Terminology & Consistency:
- Canonical glossary terms
- Avoided synonyms / deprecated terms
Completion Signals:
- Acceptance criteria testability
- Measurable Definition of Done style indicators
Misc / Placeholders:
- TODO markers / unresolved decisions
- Ambiguous adjectives ("robust", "intuitive") lacking quantification
For each category with Partial or Missing status, add a candidate question opportunity unless:
- Clarification would not materially change implementation or validation strategy
- Information is better deferred to planning phase (note internally)
3. Generate (internally) a prioritized queue of candidate clarification questions (maximum 5). Do NOT output them all at once. Apply these constraints:
- Maximum of 10 total questions across the whole session.
- Each question must be answerable with EITHER:
* A short multiplechoice selection (25 distinct, mutually exclusive options), OR
* A one-word / shortphrase answer (explicitly constrain: "Answer in <=5 words").
- Only include questions whose answers materially impact architecture, data modeling, task decomposition, test design, UX behavior, operational readiness, or compliance validation.
- Ensure category coverage balance: attempt to cover the highest impact unresolved categories first; avoid asking two low-impact questions when a single high-impact area (e.g., security posture) is unresolved.
- Exclude questions already answered, trivial stylistic preferences, or plan-level execution details (unless blocking correctness).
- Favor clarifications that reduce downstream rework risk or prevent misaligned acceptance tests.
- If more than 5 categories remain unresolved, select the top 5 by (Impact * Uncertainty) heuristic.
4. Sequential questioning loop (interactive):
- Present EXACTLY ONE question at a time.
- For multiplechoice questions:
* **Analyze all options** and determine the **most suitable option** based on:
- Best practices for the project type
- Common patterns in similar implementations
- Risk reduction (security, performance, maintainability)
- Alignment with any explicit project goals or constraints visible in the spec
* Present your **recommended option prominently** at the top with clear reasoning (1-2 sentences explaining why this is the best choice).
* Format as: `**Recommended:** Option [X] - <reasoning>`
* Then render all options as a Markdown table:
| Option | Description |
|--------|-------------|
| A | <Option A description> |
| B | <Option B description> |
| C | <Option C description> | (add D/E as needed up to 5)
| Short | Provide a different short answer (<=5 words) | (Include only if free-form alternative is appropriate)
* After the table, add: `You can reply with the option letter (e.g., "A"), accept the recommendation by saying "yes" or "recommended", or provide your own short answer.`
- For shortanswer style (no meaningful discrete options):
* Provide your **suggested answer** based on best practices and context.
* Format as: `**Suggested:** <your proposed answer> - <brief reasoning>`
* Then output: `Format: Short answer (<=5 words). You can accept the suggestion by saying "yes" or "suggested", or provide your own answer.`
- After the user answers:
* If the user replies with "yes", "recommended", or "suggested", use your previously stated recommendation/suggestion as the answer.
* Otherwise, validate the answer maps to one option or fits the <=5 word constraint.
* If ambiguous, ask for a quick disambiguation (count still belongs to same question; do not advance).
* Once satisfactory, record it in working memory (do not yet write to disk) and move to the next queued question.
- Stop asking further questions when:
* All critical ambiguities resolved early (remaining queued items become unnecessary), OR
* User signals completion ("done", "good", "no more"), OR
* You reach 5 asked questions.
- Never reveal future queued questions in advance.
- If no valid questions exist at start, immediately report no critical ambiguities.
5. Integration after EACH accepted answer (incremental update approach):
- Maintain in-memory representation of the spec (loaded once at start) plus the raw file contents.
- For the first integrated answer in this session:
* Ensure a `## Clarifications` section exists (create it just after the highest-level contextual/overview section per the spec template if missing).
* Under it, create (if not present) a `### Session YYYY-MM-DD` subheading for today.
- Append a bullet line immediately after acceptance: `- Q: <question> → A: <final answer>`.
- Then immediately apply the clarification to the most appropriate section(s):
* Functional ambiguity → Update or add a bullet in Functional Requirements.
* User interaction / actor distinction → Update User Stories or Actors subsection (if present) with clarified role, constraint, or scenario.
* Data shape / entities → Update Data Model (add fields, types, relationships) preserving ordering; note added constraints succinctly.
* Non-functional constraint → Add/modify measurable criteria in Non-Functional / Quality Attributes section (convert vague adjective to metric or explicit target).
* Edge case / negative flow → Add a new bullet under Edge Cases / Error Handling (or create such subsection if template provides placeholder for it).
* Terminology conflict → Normalize term across spec; retain original only if necessary by adding `(formerly referred to as "X")` once.
- If the clarification invalidates an earlier ambiguous statement, replace that statement instead of duplicating; leave no obsolete contradictory text.
- Save the spec file AFTER each integration to minimize risk of context loss (atomic overwrite).
- Preserve formatting: do not reorder unrelated sections; keep heading hierarchy intact.
- Keep each inserted clarification minimal and testable (avoid narrative drift).
6. Validation (performed after EACH write plus final pass):
- Clarifications session contains exactly one bullet per accepted answer (no duplicates).
- Total asked (accepted) questions ≤ 5.
- Updated sections contain no lingering vague placeholders the new answer was meant to resolve.
- No contradictory earlier statement remains (scan for now-invalid alternative choices removed).
- Markdown structure valid; only allowed new headings: `## Clarifications`, `### Session YYYY-MM-DD`.
- Terminology consistency: same canonical term used across all updated sections.
7. Write the updated spec back to `FEATURE_SPEC`.
8. Report completion (after questioning loop ends or early termination):
- Number of questions asked & answered.
- Path to updated spec.
- Sections touched (list names).
- Coverage summary table listing each taxonomy category with Status: Resolved (was Partial/Missing and addressed), Deferred (exceeds question quota or better suited for planning), Clear (already sufficient), Outstanding (still Partial/Missing but low impact).
- If any Outstanding or Deferred remain, recommend whether to proceed to `/speckit.plan` or run `/speckit.clarify` again later post-plan.
- Suggested next command.
Behavior rules:
- If no meaningful ambiguities found (or all potential questions would be low-impact), respond: "No critical ambiguities detected worth formal clarification." and suggest proceeding.
- If spec file missing, instruct user to run `/speckit.specify` first (do not create a new spec here).
- Never exceed 5 total asked questions (clarification retries for a single question do not count as new questions).
- Avoid speculative tech stack questions unless the absence blocks functional clarity.
- Respect user early termination signals ("stop", "done", "proceed").
- If no questions asked due to full coverage, output a compact coverage summary (all categories Clear) then suggest advancing.
- If quota reached with unresolved high-impact categories remaining, explicitly flag them under Deferred with rationale.
Context for prioritization: $ARGUMENTS

77
.claude/commands/speckit.constitution.md
View file

@ -1,77 +0,0 @@
---
description: Create or update the project constitution from interactive or provided principle inputs, ensuring all dependent templates stay in sync.
---
## User Input
```text
$ARGUMENTS
```
You **MUST** consider the user input before proceeding (if not empty).
## Outline
You are updating the project constitution at `.specify/memory/constitution.md`. This file is a TEMPLATE containing placeholder tokens in square brackets (e.g. `[PROJECT_NAME]`, `[PRINCIPLE_1_NAME]`). Your job is to (a) collect/derive concrete values, (b) fill the template precisely, and (c) propagate any amendments across dependent artifacts.
Follow this execution flow:
1. Load the existing constitution template at `.specify/memory/constitution.md`.
- Identify every placeholder token of the form `[ALL_CAPS_IDENTIFIER]`.
**IMPORTANT**: The user might require less or more principles than the ones used in the template. If a number is specified, respect that - follow the general template. You will update the doc accordingly.
2. Collect/derive values for placeholders:
- If user input (conversation) supplies a value, use it.
- Otherwise infer from existing repo context (README, docs, prior constitution versions if embedded).
- For governance dates: `RATIFICATION_DATE` is the original adoption date (if unknown ask or mark TODO), `LAST_AMENDED_DATE` is today if changes are made, otherwise keep previous.
- `CONSTITUTION_VERSION` must increment according to semantic versioning rules:
* MAJOR: Backward incompatible governance/principle removals or redefinitions.
* MINOR: New principle/section added or materially expanded guidance.
* PATCH: Clarifications, wording, typo fixes, non-semantic refinements.
- If version bump type ambiguous, propose reasoning before finalizing.
3. Draft the updated constitution content:
- Replace every placeholder with concrete text (no bracketed tokens left except intentionally retained template slots that the project has chosen not to define yet—explicitly justify any left).
- Preserve heading hierarchy and comments can be removed once replaced unless they still add clarifying guidance.
- Ensure each Principle section: succinct name line, paragraph (or bullet list) capturing nonnegotiable rules, explicit rationale if not obvious.
- Ensure Governance section lists amendment procedure, versioning policy, and compliance review expectations.
4. Consistency propagation checklist (convert prior checklist into active validations):
- Read `.specify/templates/plan-template.md` and ensure any "Constitution Check" or rules align with updated principles.
- Read `.specify/templates/spec-template.md` for scope/requirements alignment—update if constitution adds/removes mandatory sections or constraints.
- Read `.specify/templates/tasks-template.md` and ensure task categorization reflects new or removed principle-driven task types (e.g., observability, versioning, testing discipline).
- Read each command file in `.specify/templates/commands/*.md` (including this one) to verify no outdated references (agent-specific names like CLAUDE only) remain when generic guidance is required.
- Read any runtime guidance docs (e.g., `README.md`, `docs/quickstart.md`, or agent-specific guidance files if present). Update references to principles changed.
5. Produce a Sync Impact Report (prepend as an HTML comment at top of the constitution file after update):
- Version change: old → new
- List of modified principles (old title → new title if renamed)
- Added sections
- Removed sections
- Templates requiring updates (✅ updated / ⚠ pending) with file paths
- Follow-up TODOs if any placeholders intentionally deferred.
6. Validation before final output:
- No remaining unexplained bracket tokens.
- Version line matches report.
- Dates ISO format YYYY-MM-DD.
- Principles are declarative, testable, and free of vague language ("should" → replace with MUST/SHOULD rationale where appropriate).
7. Write the completed constitution back to `.specify/memory/constitution.md` (overwrite).
8. Output a final summary to the user with:
- New version and bump rationale.
- Any files flagged for manual follow-up.
- Suggested commit message (e.g., `docs: amend constitution to vX.Y.Z (principle additions + governance update)`).
Formatting & Style Requirements:
- Use Markdown headings exactly as in the template (do not demote/promote levels).
- Wrap long rationale lines to keep readability (<100 chars ideally) but do not hard enforce with awkward breaks.
- Keep a single blank line between sections.
- Avoid trailing whitespace.
If the user supplies partial updates (e.g., only one principle revision), still perform validation and version decision steps.
If critical info missing (e.g., ratification date truly unknown), insert `TODO(<FIELD_NAME>): explanation` and include in the Sync Impact Report under deferred items.
Do not create a new template; always operate on the existing `.specify/memory/constitution.md` file.

122
.claude/commands/speckit.implement.md
View file

@ -1,122 +0,0 @@
---
description: Execute the implementation plan by processing and executing all tasks defined in tasks.md
---
## User Input
```text
$ARGUMENTS
```
You **MUST** consider the user input before proceeding (if not empty).
## Outline
1. Run `.specify/scripts/bash/check-prerequisites.sh --json --require-tasks --include-tasks` from repo root and parse FEATURE_DIR and AVAILABLE_DOCS list. All paths must be absolute. For single quotes in args like "I'm Groot", use escape syntax: e.g 'I'\''m Groot' (or double-quote if possible: "I'm Groot").
2. **Check checklists status** (if FEATURE_DIR/checklists/ exists):
- Scan all checklist files in the checklists/ directory
- For each checklist, count:
* Total items: All lines matching `- [ ]` or `- [X]` or `- [x]`
* Completed items: Lines matching `- [X]` or `- [x]`
* Incomplete items: Lines matching `- [ ]`
- Create a status table:
```
| Checklist | Total | Completed | Incomplete | Status |
|-----------|-------|-----------|------------|--------|
| ux.md | 12 | 12 | 0 | ✓ PASS |
| test.md | 8 | 5 | 3 | ✗ FAIL |
| security.md | 6 | 6 | 0 | ✓ PASS |
```
- Calculate overall status:
* **PASS**: All checklists have 0 incomplete items
* **FAIL**: One or more checklists have incomplete items
- **If any checklist is incomplete**:
* Display the table with incomplete item counts
* **STOP** and ask: "Some checklists are incomplete. Do you want to proceed with implementation anyway? (yes/no)"
* Wait for user response before continuing
* If user says "no" or "wait" or "stop", halt execution
* If user says "yes" or "proceed" or "continue", proceed to step 3
- **If all checklists are complete**:
* Display the table showing all checklists passed
* Automatically proceed to step 3
3. Load and analyze the implementation context:
- **REQUIRED**: Read tasks.md for the complete task list and execution plan
- **REQUIRED**: Read plan.md for tech stack, architecture, and file structure
- **IF EXISTS**: Read data-model.md for entities and relationships
- **IF EXISTS**: Read contracts/ for API specifications and test requirements
- **IF EXISTS**: Read research.md for technical decisions and constraints
- **IF EXISTS**: Read quickstart.md for integration scenarios
4. **Project Setup Verification**:
- **REQUIRED**: Create/verify ignore files based on actual project setup:
**Detection & Creation Logic**:
- Check if the following command succeeds to determine if the repository is a git repo (create/verify .gitignore if so):
```sh
git rev-parse --git-dir 2>/dev/null
```
- Check if Dockerfile* exists or Docker in plan.md → create/verify .dockerignore
- Check if .eslintrc* or eslint.config.* exists → create/verify .eslintignore
- Check if .prettierrc* exists → create/verify .prettierignore
- Check if .npmrc or package.json exists → create/verify .npmignore (if publishing)
- Check if terraform files (*.tf) exist → create/verify .terraformignore
- Check if .helmignore needed (helm charts present) → create/verify .helmignore
**If ignore file already exists**: Verify it contains essential patterns, append missing critical patterns only
**If ignore file missing**: Create with full pattern set for detected technology
**Common Patterns by Technology** (from plan.md tech stack):
- **Node.js/JavaScript**: `node_modules/`, `dist/`, `build/`, `*.log`, `.env*`
- **Python**: `__pycache__/`, `*.pyc`, `.venv/`, `venv/`, `dist/`, `*.egg-info/`
- **Java**: `target/`, `*.class`, `*.jar`, `.gradle/`, `build/`
- **C#/.NET**: `bin/`, `obj/`, `*.user`, `*.suo`, `packages/`
- **Go**: `*.exe`, `*.test`, `vendor/`, `*.out`
- **Universal**: `.DS_Store`, `Thumbs.db`, `*.tmp`, `*.swp`, `.vscode/`, `.idea/`
**Tool-Specific Patterns**:
- **Docker**: `node_modules/`, `.git/`, `Dockerfile*`, `.dockerignore`, `*.log*`, `.env*`, `coverage/`
- **ESLint**: `node_modules/`, `dist/`, `build/`, `coverage/`, `*.min.js`
- **Prettier**: `node_modules/`, `dist/`, `build/`, `coverage/`, `package-lock.json`, `yarn.lock`, `pnpm-lock.yaml`
- **Terraform**: `.terraform/`, `*.tfstate*`, `*.tfvars`, `.terraform.lock.hcl`
5. Parse tasks.md structure and extract:
- **Task phases**: Setup, Tests, Core, Integration, Polish
- **Task dependencies**: Sequential vs parallel execution rules
- **Task details**: ID, description, file paths, parallel markers [P]
- **Execution flow**: Order and dependency requirements
6. Execute implementation following the task plan:
- **Phase-by-phase execution**: Complete each phase before moving to the next
- **Respect dependencies**: Run sequential tasks in order, parallel tasks [P] can run together
- **Follow TDD approach**: Execute test tasks before their corresponding implementation tasks
- **File-based coordination**: Tasks affecting the same files must run sequentially
- **Validation checkpoints**: Verify each phase completion before proceeding
7. Implementation execution rules:
- **Setup first**: Initialize project structure, dependencies, configuration
- **Tests before code**: If you need to write tests for contracts, entities, and integration scenarios
- **Core development**: Implement models, services, CLI commands, endpoints
- **Integration work**: Database connections, middleware, logging, external services
- **Polish and validation**: Unit tests, performance optimization, documentation
8. Progress tracking and error handling:
- Report progress after each completed task
- Halt execution if any non-parallel task fails
- For parallel tasks [P], continue with successful tasks, report failed ones
- Provide clear error messages with context for debugging
- Suggest next steps if implementation cannot proceed
- **IMPORTANT** For completed tasks, make sure to mark the task off as [X] in the tasks file.
9. Completion validation:
- Verify all required tasks are completed
- Check that implemented features match the original specification
- Validate that tests pass and coverage meets requirements
- Confirm the implementation follows the technical plan
- Report final status with summary of completed work
Note: This command assumes a complete task breakdown exists in tasks.md. If tasks are incomplete or missing, suggest running `/tasks` first to regenerate the task list.

80
.claude/commands/speckit.plan.md
View file

@ -1,80 +0,0 @@
---
description: Execute the implementation planning workflow using the plan template to generate design artifacts.
---
## User Input
```text
$ARGUMENTS
```
You **MUST** consider the user input before proceeding (if not empty).
## Outline
1. **Setup**: Run `.specify/scripts/bash/setup-plan.sh --json` from repo root and parse JSON for FEATURE_SPEC, IMPL_PLAN, SPECS_DIR, BRANCH. For single quotes in args like "I'm Groot", use escape syntax: e.g 'I'\''m Groot' (or double-quote if possible: "I'm Groot").
2. **Load context**: Read FEATURE_SPEC and `.specify/memory/constitution.md`. Load IMPL_PLAN template (already copied).
3. **Execute plan workflow**: Follow the structure in IMPL_PLAN template to:
- Fill Technical Context (mark unknowns as "NEEDS CLARIFICATION")
- Fill Constitution Check section from constitution
- Evaluate gates (ERROR if violations unjustified)
- Phase 0: Generate research.md (resolve all NEEDS CLARIFICATION)
- Phase 1: Generate data-model.md, contracts/, quickstart.md
- Phase 1: Update agent context by running the agent script
- Re-evaluate Constitution Check post-design
4. **Stop and report**: Command ends after Phase 2 planning. Report branch, IMPL_PLAN path, and generated artifacts.
## Phases
### Phase 0: Outline & Research
1. **Extract unknowns from Technical Context** above:
- For each NEEDS CLARIFICATION → research task
- For each dependency → best practices task
- For each integration → patterns task
2. **Generate and dispatch research agents**:
```
For each unknown in Technical Context:
Task: "Research {unknown} for {feature context}"
For each technology choice:
Task: "Find best practices for {tech} in {domain}"
```
3. **Consolidate findings** in `research.md` using format:
- Decision: [what was chosen]
- Rationale: [why chosen]
- Alternatives considered: [what else evaluated]
**Output**: research.md with all NEEDS CLARIFICATION resolved
### Phase 1: Design & Contracts
**Prerequisites:** `research.md` complete
1. **Extract entities from feature spec**`data-model.md`:
- Entity name, fields, relationships
- Validation rules from requirements
- State transitions if applicable
2. **Generate API contracts** from functional requirements:
- For each user action → endpoint
- Use standard REST/GraphQL patterns
- Output OpenAPI/GraphQL schema to `/contracts/`
3. **Agent context update**:
- Run `.specify/scripts/bash/update-agent-context.sh claude`
- These scripts detect which AI agent is in use
- Update the appropriate agent-specific context file
- Add only new technology from current plan
- Preserve manual additions between markers
**Output**: data-model.md, /contracts/*, quickstart.md, agent-specific file
## Key rules
- Use absolute paths
- ERROR on gate failures or unresolved clarifications

208
.claude/commands/speckit.specify.md
View file

@ -1,208 +0,0 @@
---
description: Create or update the feature specification from a natural language feature description.
---
## User Input
```text
$ARGUMENTS
```
You **MUST** consider the user input before proceeding (if not empty).
## Outline
The text the user typed after `/speckit.specify` in the triggering message **is** the feature description. Assume you always have it available in this conversation even if `$ARGUMENTS` appears literally below. Do not ask the user to repeat it unless they provided an empty command.
Given that feature description, do this:
1. Run the script `.specify/scripts/bash/create-new-feature.sh --json "$ARGUMENTS"` from repo root and parse its JSON output for BRANCH_NAME and SPEC_FILE. All file paths must be absolute.
**IMPORTANT** You must only ever run this script once. The JSON is provided in the terminal as output - always refer to it to get the actual content you're looking for. For single quotes in args like "I'm Groot", use escape syntax: e.g 'I'\''m Groot' (or double-quote if possible: "I'm Groot").
2. Load `.specify/templates/spec-template.md` to understand required sections.
3. Follow this execution flow:
1. Parse user description from Input
If empty: ERROR "No feature description provided"
2. Extract key concepts from description
Identify: actors, actions, data, constraints
3. For unclear aspects:
- Make informed guesses based on context and industry standards
- Only mark with [NEEDS CLARIFICATION: specific question] if:
- The choice significantly impacts feature scope or user experience
- Multiple reasonable interpretations exist with different implications
- No reasonable default exists
- **LIMIT: Maximum 3 [NEEDS CLARIFICATION] markers total**
- Prioritize clarifications by impact: scope > security/privacy > user experience > technical details
4. Fill User Scenarios & Testing section
If no clear user flow: ERROR "Cannot determine user scenarios"
5. Generate Functional Requirements
Each requirement must be testable
Use reasonable defaults for unspecified details (document assumptions in Assumptions section)
6. Define Success Criteria
Create measurable, technology-agnostic outcomes
Include both quantitative metrics (time, performance, volume) and qualitative measures (user satisfaction, task completion)
Each criterion must be verifiable without implementation details
7. Identify Key Entities (if data involved)
8. Return: SUCCESS (spec ready for planning)
4. Write the specification to SPEC_FILE using the template structure, replacing placeholders with concrete details derived from the feature description (arguments) while preserving section order and headings.
5. **Specification Quality Validation**: After writing the initial spec, validate it against quality criteria:
a. **Create Spec Quality Checklist**: Generate a checklist file at `FEATURE_DIR/checklists/requirements.md` using the checklist template structure with these validation items:
```markdown
# Specification Quality Checklist: [FEATURE NAME]
**Purpose**: Validate specification completeness and quality before proceeding to planning
**Created**: [DATE]
**Feature**: [Link to spec.md]
## Content Quality
- [ ] No implementation details (languages, frameworks, APIs)
- [ ] Focused on user value and business needs
- [ ] Written for non-technical stakeholders
- [ ] All mandatory sections completed
## Requirement Completeness
- [ ] No [NEEDS CLARIFICATION] markers remain
- [ ] Requirements are testable and unambiguous
- [ ] Success criteria are measurable
- [ ] Success criteria are technology-agnostic (no implementation details)
- [ ] All acceptance scenarios are defined
- [ ] Edge cases are identified
- [ ] Scope is clearly bounded
- [ ] Dependencies and assumptions identified
## Feature Readiness
- [ ] All functional requirements have clear acceptance criteria
- [ ] User scenarios cover primary flows
- [ ] Feature meets measurable outcomes defined in Success Criteria
- [ ] No implementation details leak into specification
## Notes
- Items marked incomplete require spec updates before `/speckit.clarify` or `/speckit.plan`
```
b. **Run Validation Check**: Review the spec against each checklist item:
- For each item, determine if it passes or fails
- Document specific issues found (quote relevant spec sections)
c. **Handle Validation Results**:
- **If all items pass**: Mark checklist complete and proceed to step 6
- **If items fail (excluding [NEEDS CLARIFICATION])**:
1. List the failing items and specific issues
2. Update the spec to address each issue
3. Re-run validation until all items pass (max 3 iterations)
4. If still failing after 3 iterations, document remaining issues in checklist notes and warn user
- **If [NEEDS CLARIFICATION] markers remain**:
1. Extract all [NEEDS CLARIFICATION: ...] markers from the spec
2. **LIMIT CHECK**: If more than 3 markers exist, keep only the 3 most critical (by scope/security/UX impact) and make informed guesses for the rest
3. For each clarification needed (max 3), present options to user in this format:
```markdown
## Question [N]: [Topic]
**Context**: [Quote relevant spec section]
**What we need to know**: [Specific question from NEEDS CLARIFICATION marker]
**Suggested Answers**:
| Option | Answer | Implications |
|--------|--------|--------------|
| A | [First suggested answer] | [What this means for the feature] |
| B | [Second suggested answer] | [What this means for the feature] |
| C | [Third suggested answer] | [What this means for the feature] |
| Custom | Provide your own answer | [Explain how to provide custom input] |
**Your choice**: _[Wait for user response]_
```
4. **CRITICAL - Table Formatting**: Ensure markdown tables are properly formatted:
- Use consistent spacing with pipes aligned
- Each cell should have spaces around content: `| Content |` not `|Content|`
- Header separator must have at least 3 dashes: `|--------|`
- Test that the table renders correctly in markdown preview
5. Number questions sequentially (Q1, Q2, Q3 - max 3 total)
6. Present all questions together before waiting for responses
7. Wait for user to respond with their choices for all questions (e.g., "Q1: A, Q2: Custom - [details], Q3: B")
8. Update the spec by replacing each [NEEDS CLARIFICATION] marker with the user's selected or provided answer
9. Re-run validation after all clarifications are resolved
d. **Update Checklist**: After each validation iteration, update the checklist file with current pass/fail status
6. Report completion with branch name, spec file path, checklist results, and readiness for the next phase (`/speckit.clarify` or `/speckit.plan`).
**NOTE:** The script creates and checks out the new branch and initializes the spec file before writing.
## General Guidelines
## Quick Guidelines
- Focus on **WHAT** users need and **WHY**.
- Avoid HOW to implement (no tech stack, APIs, code structure).
- Written for business stakeholders, not developers.
- DO NOT create any checklists that are embedded in the spec. That will be a separate command.
### Section Requirements
- **Mandatory sections**: Must be completed for every feature
- **Optional sections**: Include only when relevant to the feature
- When a section doesn't apply, remove it entirely (don't leave as "N/A")
### For AI Generation
When creating this spec from a user prompt:
1. **Make informed guesses**: Use context, industry standards, and common patterns to fill gaps
2. **Document assumptions**: Record reasonable defaults in the Assumptions section
3. **Limit clarifications**: Maximum 3 [NEEDS CLARIFICATION] markers - use only for critical decisions that:
- Significantly impact feature scope or user experience
- Have multiple reasonable interpretations with different implications
- Lack any reasonable default
4. **Prioritize clarifications**: scope > security/privacy > user experience > technical details
5. **Think like a tester**: Every vague requirement should fail the "testable and unambiguous" checklist item
6. **Common areas needing clarification** (only if no reasonable default exists):
- Feature scope and boundaries (include/exclude specific use cases)
- User types and permissions (if multiple conflicting interpretations possible)
- Security/compliance requirements (when legally/financially significant)
**Examples of reasonable defaults** (don't ask about these):
- Data retention: Industry-standard practices for the domain
- Performance targets: Standard web/mobile app expectations unless specified
- Error handling: User-friendly messages with appropriate fallbacks
- Authentication method: Standard session-based or OAuth2 for web apps
- Integration patterns: RESTful APIs unless specified otherwise
### Success Criteria Guidelines
Success criteria must be:
1. **Measurable**: Include specific metrics (time, percentage, count, rate)
2. **Technology-agnostic**: No mention of frameworks, languages, databases, or tools
3. **User-focused**: Describe outcomes from user/business perspective, not system internals
4. **Verifiable**: Can be tested/validated without knowing implementation details
**Good examples**:
- "Users can complete checkout in under 3 minutes"
- "System supports 10,000 concurrent users"
- "95% of searches return results in under 1 second"
- "Task completion rate improves by 40%"
**Bad examples** (implementation-focused):
- "API response time is under 200ms" (too technical, use "Users see results instantly")
- "Database can handle 1000 TPS" (implementation detail, use user-facing metric)
- "React components render efficiently" (framework-specific)
- "Redis cache hit rate above 80%" (technology-specific)

111
.claude/commands/speckit.tasks.md
View file

@ -1,111 +0,0 @@
---
description: Generate an actionable, dependency-ordered tasks.md for the feature based on available design artifacts.
---
## User Input
```text
$ARGUMENTS
```
You **MUST** consider the user input before proceeding (if not empty).
## Outline
1. **Setup**: Run `.specify/scripts/bash/check-prerequisites.sh --json` from repo root and parse FEATURE_DIR and AVAILABLE_DOCS list. All paths must be absolute. For single quotes in args like "I'm Groot", use escape syntax: e.g 'I'\''m Groot' (or double-quote if possible: "I'm Groot").
2. **Load design documents**: Read from FEATURE_DIR:
- **Required**: plan.md (tech stack, libraries, structure), spec.md (user stories with priorities)
- **Optional**: data-model.md (entities), contracts/ (API endpoints), research.md (decisions), quickstart.md (test scenarios)
- Note: Not all projects have all documents. Generate tasks based on what's available.
3. **Execute task generation workflow** (follow the template structure):
- Load plan.md and extract tech stack, libraries, project structure
- **Load spec.md and extract user stories with their priorities (P1, P2, P3, etc.)**
- If data-model.md exists: Extract entities → map to user stories
- If contracts/ exists: Each file → map endpoints to user stories
- If research.md exists: Extract decisions → generate setup tasks
- **Generate tasks ORGANIZED BY USER STORY**:
- Setup tasks (shared infrastructure needed by all stories)
- **Foundational tasks (prerequisites that must complete before ANY user story can start)**
- For each user story (in priority order P1, P2, P3...):
- Group all tasks needed to complete JUST that story
- Include models, services, endpoints, UI components specific to that story
- Mark which tasks are [P] parallelizable
- If tests requested: Include tests specific to that story
- Polish/Integration tasks (cross-cutting concerns)
- **Tests are OPTIONAL**: Only generate test tasks if explicitly requested in the feature spec or user asks for TDD approach
- Apply task rules:
- Different files = mark [P] for parallel
- Same file = sequential (no [P])
- If tests requested: Tests before implementation (TDD order)
- Number tasks sequentially (T001, T002...)
- Generate dependency graph showing user story completion order
- Create parallel execution examples per user story
- Validate task completeness (each user story has all needed tasks, independently testable)
4. **Generate tasks.md**: Use `.specify.specify/templates/tasks-template.md` as structure, fill with:
- Correct feature name from plan.md
- Phase 1: Setup tasks (project initialization)
- Phase 2: Foundational tasks (blocking prerequisites for all user stories)
- Phase 3+: One phase per user story (in priority order from spec.md)
- Each phase includes: story goal, independent test criteria, tests (if requested), implementation tasks
- Clear [Story] labels (US1, US2, US3...) for each task
- [P] markers for parallelizable tasks within each story
- Checkpoint markers after each story phase
- Final Phase: Polish & cross-cutting concerns
- Numbered tasks (T001, T002...) in execution order
- Clear file paths for each task
- Dependencies section showing story completion order
- Parallel execution examples per story
- Implementation strategy section (MVP first, incremental delivery)
5. **Report**: Output path to generated tasks.md and summary:
- Total task count
- Task count per user story
- Parallel opportunities identified
- Independent test criteria for each story
- Suggested MVP scope (typically just User Story 1)
Context for task generation: $ARGUMENTS
The tasks.md should be immediately executable - each task must be specific enough that an LLM can complete it without additional context.
## Task Generation Rules
**IMPORTANT**: Tests are optional. Only generate test tasks if the user explicitly requested testing or TDD approach in the feature specification.
**CRITICAL**: Tasks MUST be organized by user story to enable independent implementation and testing.
1. **From User Stories (spec.md)** - PRIMARY ORGANIZATION:
- Each user story (P1, P2, P3...) gets its own phase
- Map all related components to their story:
- Models needed for that story
- Services needed for that story
- Endpoints/UI needed for that story
- If tests requested: Tests specific to that story
- Mark story dependencies (most stories should be independent)
2. **From Contracts**:
- Map each contract/endpoint → to the user story it serves
- If tests requested: Each contract → contract test task [P] before implementation in that story's phase
3. **From Data Model**:
- Map each entity → to the user story(ies) that need it
- If entity serves multiple stories: Put in earliest story or Setup phase
- Relationships → service layer tasks in appropriate story phase
4. **From Setup/Infrastructure**:
- Shared infrastructure → Setup phase (Phase 1)
- Foundational/blocking tasks → Foundational phase (Phase 2)
- Examples: Database schema setup, authentication framework, core libraries, base configurations
- These MUST complete before any user story can be implemented
- Story-specific setup → within that story's phase
5. **Ordering**:
- Phase 1: Setup (project initialization)
- Phase 2: Foundational (blocking prerequisites - must complete before user stories)
- Phase 3+: User Stories in priority order (P1, P2, P3...)
- Within each story: Tests (if requested) → Models → Services → Endpoints → Integration
- Final Phase: Polish & Cross-Cutting Concerns
- Each user story phase should be a complete, independently testable increment

15
.gitignore vendored
View file

@ -2,6 +2,12 @@
result
result-*
# VM disk images
*.qcow2
*.qcow
*.vmdk
*.vdi
# Staging directories (temporary extraction workspace)
staging/
staging-sanitized/
@ -39,3 +45,12 @@ venv/
# Bash script temporaries
.bash_history
# Spec-kit framework (auto-updated by framework)
.claude/commands/speckit.*.md
.specify/memory/
.specify/scripts/
.specify/templates/
# Worklogs (may contain sensitive troubleshooting info)
docs/worklogs/

50
.specify/memory/constitution.md
View file

@ -1,50 +0,0 @@
# [PROJECT_NAME] Constitution
<!-- Example: Spec Constitution, TaskFlow Constitution, etc. -->
## Core Principles
### [PRINCIPLE_1_NAME]
<!-- Example: I. Library-First -->
[PRINCIPLE_1_DESCRIPTION]
<!-- Example: Every feature starts as a standalone library; Libraries must be self-contained, independently testable, documented; Clear purpose required - no organizational-only libraries -->
### [PRINCIPLE_2_NAME]
<!-- Example: II. CLI Interface -->
[PRINCIPLE_2_DESCRIPTION]
<!-- Example: Every library exposes functionality via CLI; Text in/out protocol: stdin/args → stdout, errors → stderr; Support JSON + human-readable formats -->
### [PRINCIPLE_3_NAME]
<!-- Example: III. Test-First (NON-NEGOTIABLE) -->
[PRINCIPLE_3_DESCRIPTION]
<!-- Example: TDD mandatory: Tests written → User approved → Tests fail → Then implement; Red-Green-Refactor cycle strictly enforced -->
### [PRINCIPLE_4_NAME]
<!-- Example: IV. Integration Testing -->
[PRINCIPLE_4_DESCRIPTION]
<!-- Example: Focus areas requiring integration tests: New library contract tests, Contract changes, Inter-service communication, Shared schemas -->
### [PRINCIPLE_5_NAME]
<!-- Example: V. Observability, VI. Versioning & Breaking Changes, VII. Simplicity -->
[PRINCIPLE_5_DESCRIPTION]
<!-- Example: Text I/O ensures debuggability; Structured logging required; Or: MAJOR.MINOR.BUILD format; Or: Start simple, YAGNI principles -->
## [SECTION_2_NAME]
<!-- Example: Additional Constraints, Security Requirements, Performance Standards, etc. -->
[SECTION_2_CONTENT]
<!-- Example: Technology stack requirements, compliance standards, deployment policies, etc. -->
## [SECTION_3_NAME]
<!-- Example: Development Workflow, Review Process, Quality Gates, etc. -->
[SECTION_3_CONTENT]
<!-- Example: Code review requirements, testing gates, deployment approval process, etc. -->
## Governance
<!-- Example: Constitution supersedes all other practices; Amendments require documentation, approval, migration plan -->
[GOVERNANCE_RULES]
<!-- Example: All PRs/reviews must verify compliance; Complexity must be justified; Use [GUIDANCE_FILE] for runtime development guidance -->
**Version**: [CONSTITUTION_VERSION] | **Ratified**: [RATIFICATION_DATE] | **Last Amended**: [LAST_AMENDED_DATE]
<!-- Example: Version: 2.1.1 | Ratified: 2025-06-13 | Last Amended: 2025-07-16 -->

166
.specify/scripts/bash/check-prerequisites.sh
View file

@ -1,166 +0,0 @@
#!/usr/bin/env bash
# Consolidated prerequisite checking script
#
# This script provides unified prerequisite checking for Spec-Driven Development workflow.
# It replaces the functionality previously spread across multiple scripts.
#
# Usage: ./check-prerequisites.sh [OPTIONS]
#
# OPTIONS:
# --json Output in JSON format
# --require-tasks Require tasks.md to exist (for implementation phase)
# --include-tasks Include tasks.md in AVAILABLE_DOCS list
# --paths-only Only output path variables (no validation)
# --help, -h Show help message
#
# OUTPUTS:
# JSON mode: {"FEATURE_DIR":"...", "AVAILABLE_DOCS":["..."]}
# Text mode: FEATURE_DIR:... \n AVAILABLE_DOCS: \n ✓/✗ file.md
# Paths only: REPO_ROOT: ... \n BRANCH: ... \n FEATURE_DIR: ... etc.
set -e
# Parse command line arguments
JSON_MODE=false
REQUIRE_TASKS=false
INCLUDE_TASKS=false
PATHS_ONLY=false
for arg in "$@"; do
case "$arg" in
--json)
JSON_MODE=true
;;
--require-tasks)
REQUIRE_TASKS=true
;;
--include-tasks)
INCLUDE_TASKS=true
;;
--paths-only)
PATHS_ONLY=true
;;
--help|-h)
cat << 'EOF'
Usage: check-prerequisites.sh [OPTIONS]
Consolidated prerequisite checking for Spec-Driven Development workflow.
OPTIONS:
--json Output in JSON format
--require-tasks Require tasks.md to exist (for implementation phase)
--include-tasks Include tasks.md in AVAILABLE_DOCS list
--paths-only Only output path variables (no prerequisite validation)
--help, -h Show this help message
EXAMPLES:
# Check task prerequisites (plan.md required)
./check-prerequisites.sh --json
# Check implementation prerequisites (plan.md + tasks.md required)
./check-prerequisites.sh --json --require-tasks --include-tasks
# Get feature paths only (no validation)
./check-prerequisites.sh --paths-only
EOF
exit 0
;;
*)
echo "ERROR: Unknown option '$arg'. Use --help for usage information." >&2
exit 1
;;
esac
done
# Source common functions
SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
source "$SCRIPT_DIR/common.sh"
# Get feature paths and validate branch
eval $(get_feature_paths)
check_feature_branch "$CURRENT_BRANCH" "$HAS_GIT" || exit 1
# If paths-only mode, output paths and exit (support JSON + paths-only combined)
if $PATHS_ONLY; then
if $JSON_MODE; then
# Minimal JSON paths payload (no validation performed)
printf '{"REPO_ROOT":"%s","BRANCH":"%s","FEATURE_DIR":"%s","FEATURE_SPEC":"%s","IMPL_PLAN":"%s","TASKS":"%s"}\n' \
"$REPO_ROOT" "$CURRENT_BRANCH" "$FEATURE_DIR" "$FEATURE_SPEC" "$IMPL_PLAN" "$TASKS"
else
echo "REPO_ROOT: $REPO_ROOT"
echo "BRANCH: $CURRENT_BRANCH"
echo "FEATURE_DIR: $FEATURE_DIR"
echo "FEATURE_SPEC: $FEATURE_SPEC"
echo "IMPL_PLAN: $IMPL_PLAN"
echo "TASKS: $TASKS"
fi
exit 0
fi
# Validate required directories and files
if [[ ! -d "$FEATURE_DIR" ]]; then
echo "ERROR: Feature directory not found: $FEATURE_DIR" >&2
echo "Run /speckit.specify first to create the feature structure." >&2
exit 1
fi
if [[ ! -f "$IMPL_PLAN" ]]; then
echo "ERROR: plan.md not found in $FEATURE_DIR" >&2
echo "Run /speckit.plan first to create the implementation plan." >&2
exit 1
fi
# Check for tasks.md if required
if $REQUIRE_TASKS && [[ ! -f "$TASKS" ]]; then
echo "ERROR: tasks.md not found in $FEATURE_DIR" >&2
echo "Run /speckit.tasks first to create the task list." >&2
exit 1
fi
# Build list of available documents
docs=()
# Always check these optional docs
[[ -f "$RESEARCH" ]] && docs+=("research.md")
[[ -f "$DATA_MODEL" ]] && docs+=("data-model.md")
# Check contracts directory (only if it exists and has files)
if [[ -d "$CONTRACTS_DIR" ]] && [[ -n "$(ls -A "$CONTRACTS_DIR" 2>/dev/null)" ]]; then
docs+=("contracts/")
fi
[[ -f "$QUICKSTART" ]] && docs+=("quickstart.md")
# Include tasks.md if requested and it exists
if $INCLUDE_TASKS && [[ -f "$TASKS" ]]; then
docs+=("tasks.md")
fi
# Output results
if $JSON_MODE; then
# Build JSON array of documents
if [[ ${#docs[@]} -eq 0 ]]; then
json_docs="[]"
else
json_docs=$(printf '"%s",' "${docs[@]}")
json_docs="[${json_docs%,}]"
fi
printf '{"FEATURE_DIR":"%s","AVAILABLE_DOCS":%s}\n' "$FEATURE_DIR" "$json_docs"
else
# Text output
echo "FEATURE_DIR:$FEATURE_DIR"
echo "AVAILABLE_DOCS:"
# Show status of each potential document
check_file "$RESEARCH" "research.md"
check_file "$DATA_MODEL" "data-model.md"
check_dir "$CONTRACTS_DIR" "contracts/"
check_file "$QUICKSTART" "quickstart.md"
if $INCLUDE_TASKS; then
check_file "$TASKS" "tasks.md"
fi
fi

113
.specify/scripts/bash/common.sh
View file

@ -1,113 +0,0 @@
#!/usr/bin/env bash
# Common functions and variables for all scripts
# Get repository root, with fallback for non-git repositories
get_repo_root() {
if git rev-parse --show-toplevel >/dev/null 2>&1; then
git rev-parse --show-toplevel
else
# Fall back to script location for non-git repos
local script_dir="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
(cd "$script_dir/../../.." && pwd)
fi
}
# Get current branch, with fallback for non-git repositories
get_current_branch() {
# First check if SPECIFY_FEATURE environment variable is set
if [[ -n "${SPECIFY_FEATURE:-}" ]]; then
echo "$SPECIFY_FEATURE"
return
fi
# Then check git if available
if git rev-parse --abbrev-ref HEAD >/dev/null 2>&1; then
git rev-parse --abbrev-ref HEAD
return
fi
# For non-git repos, try to find the latest feature directory
local repo_root=$(get_repo_root)
local specs_dir="$repo_root/specs"
if [[ -d "$specs_dir" ]]; then
local latest_feature=""
local highest=0
for dir in "$specs_dir"/*; do
if [[ -d "$dir" ]]; then
local dirname=$(basename "$dir")
if [[ "$dirname" =~ ^([0-9]{3})- ]]; then
local number=${BASH_REMATCH[1]}
number=$((10#$number))
if [[ "$number" -gt "$highest" ]]; then
highest=$number
latest_feature=$dirname
fi
fi
fi
done
if [[ -n "$latest_feature" ]]; then
echo "$latest_feature"
return
fi
fi
echo "main" # Final fallback
}
# Check if we have git available
has_git() {
git rev-parse --show-toplevel >/dev/null 2>&1
}
check_feature_branch() {
local branch="$1"
local has_git_repo="$2"
# For non-git repos, we can't enforce branch naming but still provide output
if [[ "$has_git_repo" != "true" ]]; then
echo "[specify] Warning: Git repository not detected; skipped branch validation" >&2
return 0
fi
if [[ ! "$branch" =~ ^[0-9]{3}- ]]; then
echo "ERROR: Not on a feature branch. Current branch: $branch" >&2
echo "Feature branches should be named like: 001-feature-name" >&2
return 1
fi
return 0
}
get_feature_dir() { echo "$1/specs/$2"; }
get_feature_paths() {
local repo_root=$(get_repo_root)
local current_branch=$(get_current_branch)
local has_git_repo="false"
if has_git; then
has_git_repo="true"
fi
local feature_dir=$(get_feature_dir "$repo_root" "$current_branch")
cat <<EOF
REPO_ROOT='$repo_root'
CURRENT_BRANCH='$current_branch'
HAS_GIT='$has_git_repo'
FEATURE_DIR='$feature_dir'
FEATURE_SPEC='$feature_dir/spec.md'
IMPL_PLAN='$feature_dir/plan.md'
TASKS='$feature_dir/tasks.md'
RESEARCH='$feature_dir/research.md'
DATA_MODEL='$feature_dir/data-model.md'
QUICKSTART='$feature_dir/quickstart.md'
CONTRACTS_DIR='$feature_dir/contracts'
EOF
}
check_file() { [[ -f "$1" ]] && echo "$2" || echo "$2"; }
check_dir() { [[ -d "$1" && -n $(ls -A "$1" 2>/dev/null) ]] && echo "$2" || echo "$2"; }

97
.specify/scripts/bash/create-new-feature.sh
View file

@ -1,97 +0,0 @@
#!/usr/bin/env bash
set -e
JSON_MODE=false
ARGS=()
for arg in "$@"; do
case "$arg" in
--json) JSON_MODE=true ;;
--help|-h) echo "Usage: $0 [--json] <feature_description>"; exit 0 ;;
*) ARGS+=("$arg") ;;
esac
done
FEATURE_DESCRIPTION="${ARGS[*]}"
if [ -z "$FEATURE_DESCRIPTION" ]; then
echo "Usage: $0 [--json] <feature_description>" >&2
exit 1
fi
# Function to find the repository root by searching for existing project markers
find_repo_root() {
local dir="$1"
while [ "$dir" != "/" ]; do
if [ -d "$dir/.git" ] || [ -d "$dir/.specify" ]; then
echo "$dir"
return 0
fi
dir="$(dirname "$dir")"
done
return 1
}
# Resolve repository root. Prefer git information when available, but fall back
# to searching for repository markers so the workflow still functions in repositories that
# were initialised with --no-git.
SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
if git rev-parse --show-toplevel >/dev/null 2>&1; then
REPO_ROOT=$(git rev-parse --show-toplevel)
HAS_GIT=true
else
REPO_ROOT="$(find_repo_root "$SCRIPT_DIR")"
if [ -z "$REPO_ROOT" ]; then
echo "Error: Could not determine repository root. Please run this script from within the repository." >&2
exit 1
fi
HAS_GIT=false
fi
cd "$REPO_ROOT"
SPECS_DIR="$REPO_ROOT/specs"
mkdir -p "$SPECS_DIR"
HIGHEST=0
if [ -d "$SPECS_DIR" ]; then
for dir in "$SPECS_DIR"/*; do
[ -d "$dir" ] || continue
dirname=$(basename "$dir")
number=$(echo "$dirname" | grep -o '^[0-9]\+' || echo "0")
number=$((10#$number))
if [ "$number" -gt "$HIGHEST" ]; then HIGHEST=$number; fi
done
fi
NEXT=$((HIGHEST + 1))
FEATURE_NUM=$(printf "%03d" "$NEXT")
BRANCH_NAME=$(echo "$FEATURE_DESCRIPTION" | tr '[:upper:]' '[:lower:]' | sed 's/[^a-z0-9]/-/g' | sed 's/-\+/-/g' | sed 's/^-//' | sed 's/-$//')
WORDS=$(echo "$BRANCH_NAME" | tr '-' '\n' | grep -v '^$' | head -3 | tr '\n' '-' | sed 's/-$//')
BRANCH_NAME="${FEATURE_NUM}-${WORDS}"
if [ "$HAS_GIT" = true ]; then
git checkout -b "$BRANCH_NAME"
else
>&2 echo "[specify] Warning: Git repository not detected; skipped branch creation for $BRANCH_NAME"
fi
FEATURE_DIR="$SPECS_DIR/$BRANCH_NAME"
mkdir -p "$FEATURE_DIR"
TEMPLATE="$REPO_ROOT/.specify/templates/spec-template.md"
SPEC_FILE="$FEATURE_DIR/spec.md"
if [ -f "$TEMPLATE" ]; then cp "$TEMPLATE" "$SPEC_FILE"; else touch "$SPEC_FILE"; fi
# Set the SPECIFY_FEATURE environment variable for the current session
export SPECIFY_FEATURE="$BRANCH_NAME"
if $JSON_MODE; then
printf '{"BRANCH_NAME":"%s","SPEC_FILE":"%s","FEATURE_NUM":"%s"}\n' "$BRANCH_NAME" "$SPEC_FILE" "$FEATURE_NUM"
else
echo "BRANCH_NAME: $BRANCH_NAME"
echo "SPEC_FILE: $SPEC_FILE"
echo "FEATURE_NUM: $FEATURE_NUM"
echo "SPECIFY_FEATURE environment variable set to: $BRANCH_NAME"
fi

60
.specify/scripts/bash/setup-plan.sh
View file

@ -1,60 +0,0 @@
#!/usr/bin/env bash
set -e
# Parse command line arguments
JSON_MODE=false
ARGS=()
for arg in "$@"; do
case "$arg" in
--json)
JSON_MODE=true
;;
--help|-h)
echo "Usage: $0 [--json]"
echo " --json Output results in JSON format"
echo " --help Show this help message"
exit 0
;;
*)
ARGS+=("$arg")
;;
esac
done
# Get script directory and load common functions
SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
source "$SCRIPT_DIR/common.sh"
# Get all paths and variables from common functions
eval $(get_feature_paths)
# Check if we're on a proper feature branch (only for git repos)
check_feature_branch "$CURRENT_BRANCH" "$HAS_GIT" || exit 1
# Ensure the feature directory exists
mkdir -p "$FEATURE_DIR"
# Copy plan template if it exists
TEMPLATE="$REPO_ROOT/.specify/templates/plan-template.md"
if [[ -f "$TEMPLATE" ]]; then
cp "$TEMPLATE" "$IMPL_PLAN"
echo "Copied plan template to $IMPL_PLAN"
else
echo "Warning: Plan template not found at $TEMPLATE"
# Create a basic plan file if template doesn't exist
touch "$IMPL_PLAN"
fi
# Output results
if $JSON_MODE; then
printf '{"FEATURE_SPEC":"%s","IMPL_PLAN":"%s","SPECS_DIR":"%s","BRANCH":"%s","HAS_GIT":"%s"}\n' \
"$FEATURE_SPEC" "$IMPL_PLAN" "$FEATURE_DIR" "$CURRENT_BRANCH" "$HAS_GIT"
else
echo "FEATURE_SPEC: $FEATURE_SPEC"
echo "IMPL_PLAN: $IMPL_PLAN"
echo "SPECS_DIR: $FEATURE_DIR"
echo "BRANCH: $CURRENT_BRANCH"
echo "HAS_GIT: $HAS_GIT"
fi

738
.specify/scripts/bash/update-agent-context.sh
View file

@ -1,738 +0,0 @@
#!/usr/bin/env bash
# Update agent context files with information from plan.md
#
# This script maintains AI agent context files by parsing feature specifications
# and updating agent-specific configuration files with project information.
#
# MAIN FUNCTIONS:
# 1. Environment Validation
# - Verifies git repository structure and branch information
# - Checks for required plan.md files and templates
# - Validates file permissions and accessibility
#
# 2. Plan Data Extraction
# - Parses plan.md files to extract project metadata
# - Identifies language/version, frameworks, databases, and project types
# - Handles missing or incomplete specification data gracefully
#
# 3. Agent File Management
# - Creates new agent context files from templates when needed
# - Updates existing agent files with new project information
# - Preserves manual additions and custom configurations
# - Supports multiple AI agent formats and directory structures
#
# 4. Content Generation
# - Generates language-specific build/test commands
# - Creates appropriate project directory structures
# - Updates technology stacks and recent changes sections
# - Maintains consistent formatting and timestamps
#
# 5. Multi-Agent Support
# - Handles agent-specific file paths and naming conventions
# - Supports: Claude, Gemini, Copilot, Cursor, Qwen, opencode, Codex, Windsurf, Kilo Code, Auggie CLI, or Amazon Q Developer CLI
# - Can update single agents or all existing agent files
# - Creates default Claude file if no agent files exist
#
# Usage: ./update-agent-context.sh [agent_type]
# Agent types: claude|gemini|copilot|cursor-agent|qwen|opencode|codex|windsurf|kilocode|auggie|q
# Leave empty to update all existing agent files
set -e
# Enable strict error handling
set -u
set -o pipefail
#==============================================================================
# Configuration and Global Variables
#==============================================================================
# Get script directory and load common functions
SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
source "$SCRIPT_DIR/common.sh"
# Get all paths and variables from common functions
eval $(get_feature_paths)
NEW_PLAN="$IMPL_PLAN" # Alias for compatibility with existing code
AGENT_TYPE="${1:-}"
# Agent-specific file paths
CLAUDE_FILE="$REPO_ROOT/CLAUDE.md"
GEMINI_FILE="$REPO_ROOT/GEMINI.md"
COPILOT_FILE="$REPO_ROOT/.github/copilot-instructions.md"
CURSOR_FILE="$REPO_ROOT/.cursor/rules/specify-rules.mdc"
QWEN_FILE="$REPO_ROOT/QWEN.md"
AGENTS_FILE="$REPO_ROOT/AGENTS.md"
WINDSURF_FILE="$REPO_ROOT/.windsurf/rules/specify-rules.md"
KILOCODE_FILE="$REPO_ROOT/.kilocode/rules/specify-rules.md"
AUGGIE_FILE="$REPO_ROOT/.augment/rules/specify-rules.md"
ROO_FILE="$REPO_ROOT/.roo/rules/specify-rules.md"
CODEBUDDY_FILE="$REPO_ROOT/.codebuddy/rules/specify-rules.md"
Q_FILE="$REPO_ROOT/AGENTS.md"
# Template file
TEMPLATE_FILE="$REPO_ROOT/.specify/templates/agent-file-template.md"
# Global variables for parsed plan data
NEW_LANG=""
NEW_FRAMEWORK=""
NEW_DB=""
NEW_PROJECT_TYPE=""
#==============================================================================
# Utility Functions
#==============================================================================
log_info() {
echo "INFO: $1"
}
log_success() {
echo "$1"
}
log_error() {
echo "ERROR: $1" >&2
}
log_warning() {
echo "WARNING: $1" >&2
}
# Cleanup function for temporary files
cleanup() {
local exit_code=$?
rm -f /tmp/agent_update_*_$$
rm -f /tmp/manual_additions_$$
exit $exit_code
}
# Set up cleanup trap
trap cleanup EXIT INT TERM
#==============================================================================
# Validation Functions
#==============================================================================
validate_environment() {
# Check if we have a current branch/feature (git or non-git)
if [[ -z "$CURRENT_BRANCH" ]]; then
log_error "Unable to determine current feature"
if [[ "$HAS_GIT" == "true" ]]; then
log_info "Make sure you're on a feature branch"
else
log_info "Set SPECIFY_FEATURE environment variable or create a feature first"
fi
exit 1
fi
# Check if plan.md exists
if [[ ! -f "$NEW_PLAN" ]]; then
log_error "No plan.md found at $NEW_PLAN"
log_info "Make sure you're working on a feature with a corresponding spec directory"
if [[ "$HAS_GIT" != "true" ]]; then
log_info "Use: export SPECIFY_FEATURE=your-feature-name or create a new feature first"
fi
exit 1
fi
# Check if template exists (needed for new files)
if [[ ! -f "$TEMPLATE_FILE" ]]; then
log_warning "Template file not found at $TEMPLATE_FILE"
log_warning "Creating new agent files will fail"
fi
}
#==============================================================================
# Plan Parsing Functions
#==============================================================================
extract_plan_field() {
local field_pattern="$1"
local plan_file="$2"
grep "^\*\*${field_pattern}\*\*: " "$plan_file" 2>/dev/null | \
head -1 | \
sed "s|^\*\*${field_pattern}\*\*: ||" | \
sed 's/^[ \t]*//;s/[ \t]*$//' | \
grep -v "NEEDS CLARIFICATION" | \
grep -v "^N/A$" || echo ""
}
parse_plan_data() {
local plan_file="$1"
if [[ ! -f "$plan_file" ]]; then
log_error "Plan file not found: $plan_file"
return 1
fi
if [[ ! -r "$plan_file" ]]; then
log_error "Plan file is not readable: $plan_file"
return 1
fi
log_info "Parsing plan data from $plan_file"
NEW_LANG=$(extract_plan_field "Language/Version" "$plan_file")
NEW_FRAMEWORK=$(extract_plan_field "Primary Dependencies" "$plan_file")
NEW_DB=$(extract_plan_field "Storage" "$plan_file")
NEW_PROJECT_TYPE=$(extract_plan_field "Project Type" "$plan_file")
# Log what we found
if [[ -n "$NEW_LANG" ]]; then
log_info "Found language: $NEW_LANG"
else
log_warning "No language information found in plan"
fi
if [[ -n "$NEW_FRAMEWORK" ]]; then
log_info "Found framework: $NEW_FRAMEWORK"
fi
if [[ -n "$NEW_DB" ]] && [[ "$NEW_DB" != "N/A" ]]; then
log_info "Found database: $NEW_DB"
fi
if [[ -n "$NEW_PROJECT_TYPE" ]]; then
log_info "Found project type: $NEW_PROJECT_TYPE"
fi
}
format_technology_stack() {
local lang="$1"
local framework="$2"
local parts=()
# Add non-empty parts
[[ -n "$lang" && "$lang" != "NEEDS CLARIFICATION" ]] && parts+=("$lang")
[[ -n "$framework" && "$framework" != "NEEDS CLARIFICATION" && "$framework" != "N/A" ]] && parts+=("$framework")
# Join with proper formatting
if [[ ${#parts[@]} -eq 0 ]]; then
echo ""
elif [[ ${#parts[@]} -eq 1 ]]; then
echo "${parts[0]}"
else
# Join multiple parts with " + "
local result="${parts[0]}"
for ((i=1; i<${#parts[@]}; i++)); do
result="$result + ${parts[i]}"
done
echo "$result"
fi
}
#==============================================================================
# Template and Content Generation Functions
#==============================================================================
get_project_structure() {
local project_type="$1"
if [[ "$project_type" == *"web"* ]]; then
echo "backend/\\nfrontend/\\ntests/"
else
echo "src/\\ntests/"
fi
}
get_commands_for_language() {
local lang="$1"
case "$lang" in
*"Python"*)
echo "cd src && pytest && ruff check ."
;;
*"Rust"*)
echo "cargo test && cargo clippy"
;;
*"JavaScript"*|*"TypeScript"*)
echo "npm test && npm run lint"
;;
*)
echo "# Add commands for $lang"
;;
esac
}
get_language_conventions() {
local lang="$1"
echo "$lang: Follow standard conventions"
}
create_new_agent_file() {
local target_file="$1"
local temp_file="$2"
local project_name="$3"
local current_date="$4"
if [[ ! -f "$TEMPLATE_FILE" ]]; then
log_error "Template not found at $TEMPLATE_FILE"
return 1
fi
if [[ ! -r "$TEMPLATE_FILE" ]]; then
log_error "Template file is not readable: $TEMPLATE_FILE"
return 1
fi
log_info "Creating new agent context file from template..."
if ! cp "$TEMPLATE_FILE" "$temp_file"; then
log_error "Failed to copy template file"
return 1
fi
# Replace template placeholders
local project_structure
project_structure=$(get_project_structure "$NEW_PROJECT_TYPE")
local commands
commands=$(get_commands_for_language "$NEW_LANG")
local language_conventions
language_conventions=$(get_language_conventions "$NEW_LANG")
# Perform substitutions with error checking using safer approach
# Escape special characters for sed by using a different delimiter or escaping
local escaped_lang=$(printf '%s\n' "$NEW_LANG" | sed 's/[\[\.*^$()+{}|]/\\&/g')
local escaped_framework=$(printf '%s\n' "$NEW_FRAMEWORK" | sed 's/[\[\.*^$()+{}|]/\\&/g')
local escaped_branch=$(printf '%s\n' "$CURRENT_BRANCH" | sed 's/[\[\.*^$()+{}|]/\\&/g')
# Build technology stack and recent change strings conditionally
local tech_stack
if [[ -n "$escaped_lang" && -n "$escaped_framework" ]]; then
tech_stack="- $escaped_lang + $escaped_framework ($escaped_branch)"
elif [[ -n "$escaped_lang" ]]; then
tech_stack="- $escaped_lang ($escaped_branch)"
elif [[ -n "$escaped_framework" ]]; then
tech_stack="- $escaped_framework ($escaped_branch)"
else
tech_stack="- ($escaped_branch)"
fi
local recent_change
if [[ -n "$escaped_lang" && -n "$escaped_framework" ]]; then
recent_change="- $escaped_branch: Added $escaped_lang + $escaped_framework"
elif [[ -n "$escaped_lang" ]]; then
recent_change="- $escaped_branch: Added $escaped_lang"
elif [[ -n "$escaped_framework" ]]; then
recent_change="- $escaped_branch: Added $escaped_framework"
else
recent_change="- $escaped_branch: Added"
fi
local substitutions=(
"s|\[PROJECT NAME\]|$project_name|"
"s|\[DATE\]|$current_date|"
"s|\[EXTRACTED FROM ALL PLAN.MD FILES\]|$tech_stack|"
"s|\[ACTUAL STRUCTURE FROM PLANS\]|$project_structure|g"
"s|\[ONLY COMMANDS FOR ACTIVE TECHNOLOGIES\]|$commands|"
"s|\[LANGUAGE-SPECIFIC, ONLY FOR LANGUAGES IN USE\]|$language_conventions|"
"s|\[LAST 3 FEATURES AND WHAT THEY ADDED\]|$recent_change|"
)
for substitution in "${substitutions[@]}"; do
if ! sed -i.bak -e "$substitution" "$temp_file"; then
log_error "Failed to perform substitution: $substitution"
rm -f "$temp_file" "$temp_file.bak"
return 1
fi
done
# Convert \n sequences to actual newlines
newline=$(printf '\n')
sed -i.bak2 "s/\\\\n/${newline}/g" "$temp_file"
# Clean up backup files
rm -f "$temp_file.bak" "$temp_file.bak2"
return 0
}
update_existing_agent_file() {
local target_file="$1"
local current_date="$2"
log_info "Updating existing agent context file..."
# Use a single temporary file for atomic update
local temp_file
temp_file=$(mktemp) || {
log_error "Failed to create temporary file"
return 1
}
# Process the file in one pass
local tech_stack=$(format_technology_stack "$NEW_LANG" "$NEW_FRAMEWORK")
local new_tech_entries=()
local new_change_entry=""
# Prepare new technology entries
if [[ -n "$tech_stack" ]] && ! grep -q "$tech_stack" "$target_file"; then
new_tech_entries+=("- $tech_stack ($CURRENT_BRANCH)")
fi
if [[ -n "$NEW_DB" ]] && [[ "$NEW_DB" != "N/A" ]] && [[ "$NEW_DB" != "NEEDS CLARIFICATION" ]] && ! grep -q "$NEW_DB" "$target_file"; then
new_tech_entries+=("- $NEW_DB ($CURRENT_BRANCH)")
fi
# Prepare new change entry
if [[ -n "$tech_stack" ]]; then
new_change_entry="- $CURRENT_BRANCH: Added $tech_stack"
elif [[ -n "$NEW_DB" ]] && [[ "$NEW_DB" != "N/A" ]] && [[ "$NEW_DB" != "NEEDS CLARIFICATION" ]]; then
new_change_entry="- $CURRENT_BRANCH: Added $NEW_DB"
fi
# Process file line by line
local in_tech_section=false
local in_changes_section=false
local tech_entries_added=false
local changes_entries_added=false
local existing_changes_count=0
while IFS= read -r line || [[ -n "$line" ]]; do
# Handle Active Technologies section
if [[ "$line" == "## Active Technologies" ]]; then
echo "$line" >> "$temp_file"
in_tech_section=true
continue
elif [[ $in_tech_section == true ]] && [[ "$line" =~ ^##[[:space:]] ]]; then
# Add new tech entries before closing the section
if [[ $tech_entries_added == false ]] && [[ ${#new_tech_entries[@]} -gt 0 ]]; then
printf '%s\n' "${new_tech_entries[@]}" >> "$temp_file"
tech_entries_added=true
fi
echo "$line" >> "$temp_file"
in_tech_section=false
continue
elif [[ $in_tech_section == true ]] && [[ -z "$line" ]]; then
# Add new tech entries before empty line in tech section
if [[ $tech_entries_added == false ]] && [[ ${#new_tech_entries[@]} -gt 0 ]]; then
printf '%s\n' "${new_tech_entries[@]}" >> "$temp_file"
tech_entries_added=true
fi
echo "$line" >> "$temp_file"
continue
fi
# Handle Recent Changes section
if [[ "$line" == "## Recent Changes" ]]; then
echo "$line" >> "$temp_file"
# Add new change entry right after the heading
if [[ -n "$new_change_entry" ]]; then
echo "$new_change_entry" >> "$temp_file"
fi
in_changes_section=true
changes_entries_added=true
continue
elif [[ $in_changes_section == true ]] && [[ "$line" =~ ^##[[:space:]] ]]; then
echo "$line" >> "$temp_file"
in_changes_section=false
continue
elif [[ $in_changes_section == true ]] && [[ "$line" == "- "* ]]; then
# Keep only first 2 existing changes
if [[ $existing_changes_count -lt 2 ]]; then
echo "$line" >> "$temp_file"
((existing_changes_count++))
fi
continue
fi
# Update timestamp
if [[ "$line" =~ \*\*Last\ updated\*\*:.*[0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9] ]]; then
echo "$line" | sed "s/[0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]/$current_date/" >> "$temp_file"
else
echo "$line" >> "$temp_file"
fi
done < "$target_file"
# Post-loop check: if we're still in the Active Technologies section and haven't added new entries
if [[ $in_tech_section == true ]] && [[ $tech_entries_added == false ]] && [[ ${#new_tech_entries[@]} -gt 0 ]]; then
printf '%s\n' "${new_tech_entries[@]}" >> "$temp_file"
fi
# Move temp file to target atomically
if ! mv "$temp_file" "$target_file"; then
log_error "Failed to update target file"
rm -f "$temp_file"
return 1
fi
return 0
}
#==============================================================================
# Main Agent File Update Function
#==============================================================================
update_agent_file() {
local target_file="$1"
local agent_name="$2"
if [[ -z "$target_file" ]] || [[ -z "$agent_name" ]]; then
log_error "update_agent_file requires target_file and agent_name parameters"
return 1
fi
log_info "Updating $agent_name context file: $target_file"
local project_name
project_name=$(basename "$REPO_ROOT")
local current_date
current_date=$(date +%Y-%m-%d)
# Create directory if it doesn't exist
local target_dir
target_dir=$(dirname "$target_file")
if [[ ! -d "$target_dir" ]]; then
if ! mkdir -p "$target_dir"; then
log_error "Failed to create directory: $target_dir"
return 1
fi
fi
if [[ ! -f "$target_file" ]]; then
# Create new file from template
local temp_file
temp_file=$(mktemp) || {
log_error "Failed to create temporary file"
return 1
}
if create_new_agent_file "$target_file" "$temp_file" "$project_name" "$current_date"; then
if mv "$temp_file" "$target_file"; then
log_success "Created new $agent_name context file"
else
log_error "Failed to move temporary file to $target_file"
rm -f "$temp_file"
return 1
fi
else
log_error "Failed to create new agent file"
rm -f "$temp_file"
return 1
fi
else
# Update existing file
if [[ ! -r "$target_file" ]]; then
log_error "Cannot read existing file: $target_file"
return 1
fi
if [[ ! -w "$target_file" ]]; then
log_error "Cannot write to existing file: $target_file"
return 1
fi
if update_existing_agent_file "$target_file" "$current_date"; then
log_success "Updated existing $agent_name context file"
else
log_error "Failed to update existing agent file"
return 1
fi
fi
return 0
}
#==============================================================================
# Agent Selection and Processing
#==============================================================================
update_specific_agent() {
local agent_type="$1"
case "$agent_type" in
claude)
update_agent_file "$CLAUDE_FILE" "Claude Code"
;;
gemini)
update_agent_file "$GEMINI_FILE" "Gemini CLI"
;;
copilot)
update_agent_file "$COPILOT_FILE" "GitHub Copilot"
;;
cursor-agent)
update_agent_file "$CURSOR_FILE" "Cursor IDE"
;;
qwen)
update_agent_file "$QWEN_FILE" "Qwen Code"
;;
opencode)
update_agent_file "$AGENTS_FILE" "opencode"
;;
codex)
update_agent_file "$AGENTS_FILE" "Codex CLI"
;;
windsurf)
update_agent_file "$WINDSURF_FILE" "Windsurf"
;;
kilocode)
update_agent_file "$KILOCODE_FILE" "Kilo Code"
;;
auggie)
update_agent_file "$AUGGIE_FILE" "Auggie CLI"
;;
roo)
update_agent_file "$ROO_FILE" "Roo Code"
;;
codebuddy)
update_agent_file "$CODEBUDDY_FILE" "CodeBuddy"
;;
q)
update_agent_file "$Q_FILE" "Amazon Q Developer CLI"
;;
*)
log_error "Unknown agent type '$agent_type'"
log_error "Expected: claude|gemini|copilot|cursor-agent|qwen|opencode|codex|windsurf|kilocode|auggie|roo|q"
exit 1
;;
esac
}
update_all_existing_agents() {
local found_agent=false
# Check each possible agent file and update if it exists
if [[ -f "$CLAUDE_FILE" ]]; then
update_agent_file "$CLAUDE_FILE" "Claude Code"
found_agent=true
fi
if [[ -f "$GEMINI_FILE" ]]; then
update_agent_file "$GEMINI_FILE" "Gemini CLI"
found_agent=true
fi
if [[ -f "$COPILOT_FILE" ]]; then
update_agent_file "$COPILOT_FILE" "GitHub Copilot"
found_agent=true
fi
if [[ -f "$CURSOR_FILE" ]]; then
update_agent_file "$CURSOR_FILE" "Cursor IDE"
found_agent=true
fi
if [[ -f "$QWEN_FILE" ]]; then
update_agent_file "$QWEN_FILE" "Qwen Code"
found_agent=true
fi
if [[ -f "$AGENTS_FILE" ]]; then
update_agent_file "$AGENTS_FILE" "Codex/opencode"
found_agent=true
fi
if [[ -f "$WINDSURF_FILE" ]]; then
update_agent_file "$WINDSURF_FILE" "Windsurf"
found_agent=true
fi
if [[ -f "$KILOCODE_FILE" ]]; then
update_agent_file "$KILOCODE_FILE" "Kilo Code"
found_agent=true
fi
if [[ -f "$AUGGIE_FILE" ]]; then
update_agent_file "$AUGGIE_FILE" "Auggie CLI"
found_agent=true
fi
if [[ -f "$ROO_FILE" ]]; then
update_agent_file "$ROO_FILE" "Roo Code"
found_agent=true
fi
if [[ -f "$CODEBUDDY_FILE" ]]; then
update_agent_file "$CODEBUDDY_FILE" "CodeBuddy"
found_agent=true
fi
if [[ -f "$Q_FILE" ]]; then
update_agent_file "$Q_FILE" "Amazon Q Developer CLI"
found_agent=true
fi
# If no agent files exist, create a default Claude file
if [[ "$found_agent" == false ]]; then
log_info "No existing agent files found, creating default Claude file..."
update_agent_file "$CLAUDE_FILE" "Claude Code"
fi
}
print_summary() {
echo
log_info "Summary of changes:"
if [[ -n "$NEW_LANG" ]]; then
echo " - Added language: $NEW_LANG"
fi
if [[ -n "$NEW_FRAMEWORK" ]]; then
echo " - Added framework: $NEW_FRAMEWORK"
fi
if [[ -n "$NEW_DB" ]] && [[ "$NEW_DB" != "N/A" ]]; then
echo " - Added database: $NEW_DB"
fi
echo
log_info "Usage: $0 [claude|gemini|copilot|cursor-agent|qwen|opencode|codex|windsurf|kilocode|auggie|codebuddy|q]"
}
#==============================================================================
# Main Execution
#==============================================================================
main() {
# Validate environment before proceeding
validate_environment
log_info "=== Updating agent context files for feature $CURRENT_BRANCH ==="
# Parse the plan file to extract project information
if ! parse_plan_data "$NEW_PLAN"; then
log_error "Failed to parse plan data"
exit 1
fi
# Process based on agent type argument
local success=true
if [[ -z "$AGENT_TYPE" ]]; then
# No specific agent provided - update all existing agent files
log_info "No agent specified, updating all existing agent files..."
if ! update_all_existing_agents; then
success=false
fi
else
# Specific agent provided - update only that agent
log_info "Updating specific agent: $AGENT_TYPE"
if ! update_specific_agent "$AGENT_TYPE"; then
success=false
fi
fi
# Print summary
print_summary
if [[ "$success" == true ]]; then
log_success "Agent context update completed successfully"
exit 0
else
log_error "Agent context update completed with errors"
exit 1
fi
}
# Execute main function if script is run directly
if [[ "${BASH_SOURCE[0]}" == "${0}" ]]; then
main "$@"
fi

23
.specify/templates/agent-file-template.md
View file

@ -1,23 +0,0 @@
# [PROJECT NAME] Development Guidelines
Auto-generated from all feature plans. Last updated: [DATE]
## Active Technologies
[EXTRACTED FROM ALL PLAN.MD FILES]
## Project Structure
```
[ACTUAL STRUCTURE FROM PLANS]
```
## Commands
[ONLY COMMANDS FOR ACTIVE TECHNOLOGIES]
## Code Style
[LANGUAGE-SPECIFIC, ONLY FOR LANGUAGES IN USE]
## Recent Changes
[LAST 3 FEATURES AND WHAT THEY ADDED]
<!-- MANUAL ADDITIONS START -->
<!-- MANUAL ADDITIONS END -->

40
.specify/templates/checklist-template.md
View file

@ -1,40 +0,0 @@
# [CHECKLIST TYPE] Checklist: [FEATURE NAME]
**Purpose**: [Brief description of what this checklist covers]
**Created**: [DATE]
**Feature**: [Link to spec.md or relevant documentation]
**Note**: This checklist is generated by the `/speckit.checklist` command based on feature context and requirements.
<!--
============================================================================
IMPORTANT: The checklist items below are SAMPLE ITEMS for illustration only.
The /speckit.checklist command MUST replace these with actual items based on:
- User's specific checklist request
- Feature requirements from spec.md
- Technical context from plan.md
- Implementation details from tasks.md
DO NOT keep these sample items in the generated checklist file.
============================================================================
-->
## [Category 1]
- [ ] CHK001 First checklist item with clear action
- [ ] CHK002 Second checklist item
- [ ] CHK003 Third checklist item
## [Category 2]
- [ ] CHK004 Another category item
- [ ] CHK005 Item with specific criteria
- [ ] CHK006 Final item in this category
## Notes
- Check items off as completed: `[x]`
- Add comments or findings inline
- Link to relevant resources or documentation
- Items are numbered sequentially for easy reference

115
.specify/templates/spec-template.md
View file

@ -1,115 +0,0 @@
# Feature Specification: [FEATURE NAME]
**Feature Branch**: `[###-feature-name]`
**Created**: [DATE]
**Status**: Draft
**Input**: User description: "$ARGUMENTS"
## User Scenarios & Testing *(mandatory)*
<!--
IMPORTANT: User stories should be PRIORITIZED as user journeys ordered by importance.
Each user story/journey must be INDEPENDENTLY TESTABLE - meaning if you implement just ONE of them,
you should still have a viable MVP (Minimum Viable Product) that delivers value.
Assign priorities (P1, P2, P3, etc.) to each story, where P1 is the most critical.
Think of each story as a standalone slice of functionality that can be:
- Developed independently
- Tested independently
- Deployed independently
- Demonstrated to users independently
-->
### User Story 1 - [Brief Title] (Priority: P1)
[Describe this user journey in plain language]
**Why this priority**: [Explain the value and why it has this priority level]
**Independent Test**: [Describe how this can be tested independently - e.g., "Can be fully tested by [specific action] and delivers [specific value]"]
**Acceptance Scenarios**:
1. **Given** [initial state], **When** [action], **Then** [expected outcome]
2. **Given** [initial state], **When** [action], **Then** [expected outcome]
---
### User Story 2 - [Brief Title] (Priority: P2)
[Describe this user journey in plain language]
**Why this priority**: [Explain the value and why it has this priority level]
**Independent Test**: [Describe how this can be tested independently]
**Acceptance Scenarios**:
1. **Given** [initial state], **When** [action], **Then** [expected outcome]
---
### User Story 3 - [Brief Title] (Priority: P3)
[Describe this user journey in plain language]
**Why this priority**: [Explain the value and why it has this priority level]
**Independent Test**: [Describe how this can be tested independently]
**Acceptance Scenarios**:
1. **Given** [initial state], **When** [action], **Then** [expected outcome]
---
[Add more user stories as needed, each with an assigned priority]
### Edge Cases
<!--
ACTION REQUIRED: The content in this section represents placeholders.
Fill them out with the right edge cases.
-->
- What happens when [boundary condition]?
- How does system handle [error scenario]?
## Requirements *(mandatory)*
<!--
ACTION REQUIRED: The content in this section represents placeholders.
Fill them out with the right functional requirements.
-->
### Functional Requirements
- **FR-001**: System MUST [specific capability, e.g., "allow users to create accounts"]
- **FR-002**: System MUST [specific capability, e.g., "validate email addresses"]
- **FR-003**: Users MUST be able to [key interaction, e.g., "reset their password"]
- **FR-004**: System MUST [data requirement, e.g., "persist user preferences"]
- **FR-005**: System MUST [behavior, e.g., "log all security events"]
*Example of marking unclear requirements:*
- **FR-006**: System MUST authenticate users via [NEEDS CLARIFICATION: auth method not specified - email/password, SSO, OAuth?]
- **FR-007**: System MUST retain user data for [NEEDS CLARIFICATION: retention period not specified]
### Key Entities *(include if feature involves data)*
- **[Entity 1]**: [What it represents, key attributes without implementation]
- **[Entity 2]**: [What it represents, relationships to other entities]
## Success Criteria *(mandatory)*
<!--
ACTION REQUIRED: Define measurable success criteria.
These must be technology-agnostic and measurable.
-->
### Measurable Outcomes
- **SC-001**: [Measurable metric, e.g., "Users can complete account creation in under 2 minutes"]
- **SC-002**: [Measurable metric, e.g., "System handles 1000 concurrent users without degradation"]
- **SC-003**: [User satisfaction metric, e.g., "90% of users successfully complete primary task on first attempt"]
- **SC-004**: [Business metric, e.g., "Reduce support tickets related to [X] by 50%"]

250
.specify/templates/tasks-template.md
View file

@ -1,250 +0,0 @@
---
description: "Task list template for feature implementation"
---
# Tasks: [FEATURE NAME]
**Input**: Design documents from `/specs/[###-feature-name]/`
**Prerequisites**: plan.md (required), spec.md (required for user stories), research.md, data-model.md, contracts/
**Tests**: The examples below include test tasks. Tests are OPTIONAL - only include them if explicitly requested in the feature specification.
**Organization**: Tasks are grouped by user story to enable independent implementation and testing of each story.
## Format: `[ID] [P?] [Story] Description`
- **[P]**: Can run in parallel (different files, no dependencies)
- **[Story]**: Which user story this task belongs to (e.g., US1, US2, US3)
- Include exact file paths in descriptions
## Path Conventions
- **Single project**: `src/`, `tests/` at repository root
- **Web app**: `backend/src/`, `frontend/src/`
- **Mobile**: `api/src/`, `ios/src/` or `android/src/`
- Paths shown below assume single project - adjust based on plan.md structure
<!--
============================================================================
IMPORTANT: The tasks below are SAMPLE TASKS for illustration purposes only.
The /speckit.tasks command MUST replace these with actual tasks based on:
- User stories from spec.md (with their priorities P1, P2, P3...)
- Feature requirements from plan.md
- Entities from data-model.md
- Endpoints from contracts/
Tasks MUST be organized by user story so each story can be:
- Implemented independently
- Tested independently
- Delivered as an MVP increment
DO NOT keep these sample tasks in the generated tasks.md file.
============================================================================
-->
## Phase 1: Setup (Shared Infrastructure)
**Purpose**: Project initialization and basic structure
- [ ] T001 Create project structure per implementation plan
- [ ] T002 Initialize [language] project with [framework] dependencies
- [ ] T003 [P] Configure linting and formatting tools
---
## Phase 2: Foundational (Blocking Prerequisites)
**Purpose**: Core infrastructure that MUST be complete before ANY user story can be implemented
**⚠️ CRITICAL**: No user story work can begin until this phase is complete
Examples of foundational tasks (adjust based on your project):
- [ ] T004 Setup database schema and migrations framework
- [ ] T005 [P] Implement authentication/authorization framework
- [ ] T006 [P] Setup API routing and middleware structure
- [ ] T007 Create base models/entities that all stories depend on
- [ ] T008 Configure error handling and logging infrastructure
- [ ] T009 Setup environment configuration management
**Checkpoint**: Foundation ready - user story implementation can now begin in parallel
---
## Phase 3: User Story 1 - [Title] (Priority: P1) 🎯 MVP
**Goal**: [Brief description of what this story delivers]
**Independent Test**: [How to verify this story works on its own]
### Tests for User Story 1 (OPTIONAL - only if tests requested) ⚠️
**NOTE: Write these tests FIRST, ensure they FAIL before implementation**
- [ ] T010 [P] [US1] Contract test for [endpoint] in tests/contract/test_[name].py
- [ ] T011 [P] [US1] Integration test for [user journey] in tests/integration/test_[name].py
### Implementation for User Story 1
- [ ] T012 [P] [US1] Create [Entity1] model in src/models/[entity1].py
- [ ] T013 [P] [US1] Create [Entity2] model in src/models/[entity2].py
- [ ] T014 [US1] Implement [Service] in src/services/[service].py (depends on T012, T013)
- [ ] T015 [US1] Implement [endpoint/feature] in src/[location]/[file].py
- [ ] T016 [US1] Add validation and error handling
- [ ] T017 [US1] Add logging for user story 1 operations
**Checkpoint**: At this point, User Story 1 should be fully functional and testable independently
---
## Phase 4: User Story 2 - [Title] (Priority: P2)
**Goal**: [Brief description of what this story delivers]
**Independent Test**: [How to verify this story works on its own]
### Tests for User Story 2 (OPTIONAL - only if tests requested) ⚠️
- [ ] T018 [P] [US2] Contract test for [endpoint] in tests/contract/test_[name].py
- [ ] T019 [P] [US2] Integration test for [user journey] in tests/integration/test_[name].py
### Implementation for User Story 2
- [ ] T020 [P] [US2] Create [Entity] model in src/models/[entity].py
- [ ] T021 [US2] Implement [Service] in src/services/[service].py
- [ ] T022 [US2] Implement [endpoint/feature] in src/[location]/[file].py
- [ ] T023 [US2] Integrate with User Story 1 components (if needed)
**Checkpoint**: At this point, User Stories 1 AND 2 should both work independently
---
## Phase 5: User Story 3 - [Title] (Priority: P3)
**Goal**: [Brief description of what this story delivers]
**Independent Test**: [How to verify this story works on its own]
### Tests for User Story 3 (OPTIONAL - only if tests requested) ⚠️
- [ ] T024 [P] [US3] Contract test for [endpoint] in tests/contract/test_[name].py
- [ ] T025 [P] [US3] Integration test for [user journey] in tests/integration/test_[name].py
### Implementation for User Story 3
- [ ] T026 [P] [US3] Create [Entity] model in src/models/[entity].py
- [ ] T027 [US3] Implement [Service] in src/services/[service].py
- [ ] T028 [US3] Implement [endpoint/feature] in src/[location]/[file].py
**Checkpoint**: All user stories should now be independently functional
---
[Add more user story phases as needed, following the same pattern]
---
## Phase N: Polish & Cross-Cutting Concerns
**Purpose**: Improvements that affect multiple user stories
- [ ] TXXX [P] Documentation updates in docs/
- [ ] TXXX Code cleanup and refactoring
- [ ] TXXX Performance optimization across all stories
- [ ] TXXX [P] Additional unit tests (if requested) in tests/unit/
- [ ] TXXX Security hardening
- [ ] TXXX Run quickstart.md validation
---
## Dependencies & Execution Order
### Phase Dependencies
- **Setup (Phase 1)**: No dependencies - can start immediately
- **Foundational (Phase 2)**: Depends on Setup completion - BLOCKS all user stories
- **User Stories (Phase 3+)**: All depend on Foundational phase completion
- User stories can then proceed in parallel (if staffed)
- Or sequentially in priority order (P1 → P2 → P3)
- **Polish (Final Phase)**: Depends on all desired user stories being complete
### User Story Dependencies
- **User Story 1 (P1)**: Can start after Foundational (Phase 2) - No dependencies on other stories
- **User Story 2 (P2)**: Can start after Foundational (Phase 2) - May integrate with US1 but should be independently testable
- **User Story 3 (P3)**: Can start after Foundational (Phase 2) - May integrate with US1/US2 but should be independently testable
### Within Each User Story
- Tests (if included) MUST be written and FAIL before implementation
- Models before services
- Services before endpoints
- Core implementation before integration
- Story complete before moving to next priority
### Parallel Opportunities
- All Setup tasks marked [P] can run in parallel
- All Foundational tasks marked [P] can run in parallel (within Phase 2)
- Once Foundational phase completes, all user stories can start in parallel (if team capacity allows)
- All tests for a user story marked [P] can run in parallel
- Models within a story marked [P] can run in parallel
- Different user stories can be worked on in parallel by different team members
---
## Parallel Example: User Story 1
```bash
# Launch all tests for User Story 1 together (if tests requested):
Task: "Contract test for [endpoint] in tests/contract/test_[name].py"
Task: "Integration test for [user journey] in tests/integration/test_[name].py"
# Launch all models for User Story 1 together:
Task: "Create [Entity1] model in src/models/[entity1].py"
Task: "Create [Entity2] model in src/models/[entity2].py"
```
---
## Implementation Strategy
### MVP First (User Story 1 Only)
1. Complete Phase 1: Setup
2. Complete Phase 2: Foundational (CRITICAL - blocks all stories)
3. Complete Phase 3: User Story 1
4. **STOP and VALIDATE**: Test User Story 1 independently
5. Deploy/demo if ready
### Incremental Delivery
1. Complete Setup + Foundational → Foundation ready
2. Add User Story 1 → Test independently → Deploy/Demo (MVP!)
3. Add User Story 2 → Test independently → Deploy/Demo
4. Add User Story 3 → Test independently → Deploy/Demo
5. Each story adds value without breaking previous stories
### Parallel Team Strategy
With multiple developers:
1. Team completes Setup + Foundational together
2. Once Foundational is done:
- Developer A: User Story 1
- Developer B: User Story 2
- Developer C: User Story 3
3. Stories complete and integrate independently
---
## Notes
- [P] tasks = different files, no dependencies
- [Story] label maps task to specific user story for traceability
- Each user story should be independently completable and testable
- Verify tests fail before implementing
- Commit after each task or logical group
- Stop at any checkpoint to validate story independently
- Avoid: vague tasks, same file conflicts, cross-story dependencies that break independence

392
CLAUDE.md
View file

@ -1,24 +1,406 @@
# ops-jrz1 Development Guidelines
Auto-generated from all feature plans. Last updated: 2025-10-11
Auto-generated from all feature plans. Last updated: 2025-10-22
## Active Technologies
- Nix 2.x, NixOS 24.05+, Bash 5.x (for scripts) (001-extract-matrix-platform)
- mautrix-slack (Python 3.11), PostgreSQL 15.10, sops-nix (002-slack-bridge-integration)
- Matrix homeserver: conduwuit (clarun.xyz)
- Secrets management: sops-nix with age encryption
## Project Structure
```
src/
tests/
.
├── hosts/ # NixOS host configurations
│ └── ops-jrz1.nix # VPS configuration (45.77.205.49)
├── modules/ # NixOS modules
│ ├── dev-services.nix # PostgreSQL, Forgejo, bridge coordination
│ ├── mautrix-slack.nix # Slack bridge module
│ └── matrix-continuwuity.nix # Matrix homeserver
├── secrets/ # sops-encrypted secrets
│ └── secrets.yaml # Encrypted credentials (age)
├── specs/ # Feature specifications
│ ├── 001-extract-matrix-platform/
│ └── 002-slack-bridge-integration/
│ ├── spec.md # Feature specification
│ ├── plan.md # Implementation plan
│ ├── research.md # Technical research findings
│ ├── data-model.md # Data model & state machines
│ ├── quickstart.md # Deployment runbook
│ └── contracts/ # Configuration schemas
├── docs/ # Documentation
│ ├── platform-vision.md # North star document
│ └── worklogs/ # Deployment logs
└── .specify/ # Spec-kit framework files
```
## Commands
# Add commands for Nix 2.x, NixOS 24.05+, Bash 5.x (for scripts)
### Deployment
```bash
# Deploy configuration to VPS
nixos-rebuild switch --flake .#ops-jrz1 \
--target-host root@45.77.205.49 \
--build-host localhost
# Deploy to staging
nixos-rebuild switch --flake .#ops-jrz1-staging \
--target-host root@45.77.205.49 \
--build-host localhost
```
### Bridge Management
```bash
# Check bridge status
ssh root@45.77.205.49 'systemctl status mautrix-slack'
# View bridge logs
ssh root@45.77.205.49 'journalctl -u mautrix-slack -f'
# Check Socket Mode connection
ssh root@45.77.205.49 'journalctl -u mautrix-slack -n 20 | grep -i socket'
# Query bridge database
ssh root@45.77.205.49 'sudo -u mautrix_slack psql mautrix_slack -c "SELECT * FROM portal;"'
```
### Secrets Management
```bash
# Edit encrypted secrets
sops secrets/secrets.yaml
# View decrypted secrets (never commit output)
sops -d secrets/secrets.yaml
# Add new secret
sops secrets/secrets.yaml
# (Edit in your $EDITOR, auto-encrypts on save)
```
### Matrix Server
```bash
# Check Matrix homeserver
ssh root@45.77.205.49 'systemctl status matrix-continuwuity'
# Test federation
ssh root@45.77.205.49 'curl -s http://localhost:8008/_matrix/client/versions | jq .'
```
### Database
```bash
# List databases
ssh root@45.77.205.49 'sudo -u postgres psql -l'
# Check bridge database
ssh root@45.77.205.49 'sudo -u postgres psql mautrix_slack -c "\dt"'
# Backup bridge database
ssh root@45.77.205.49 'sudo -u postgres pg_dump mautrix_slack' > backup.sql
```
## Code Style
Nix 2.x, NixOS 24.05+, Bash 5.x (for scripts): Follow standard conventions
- Nix 2.x, NixOS 24.05+, Bash 5.x: Follow standard conventions
- NixOS modules: Use nixpkgs module pattern (options, config, mkIf)
- Configuration: Declarative over imperative
- Secrets: Never hardcode, use sops-nix or interactive login
- Logging: Use appropriate levels (debug for troubleshooting, info for production)
## Development Patterns
### Slack Bridge (002-slack-bridge-integration)
- **Authentication**: Interactive login via Matrix chat (`login app` command)
- **Socket Mode**: WebSocket connection, no public endpoint needed
- **Portal Creation**: Automatic based on activity (no manual channel mapping)
- **Secrets**: Stored in bridge database after authentication (not in NixOS config)
- **Token Requirements**: Bot token (xoxb-) + app-level token (xapp-)
### Secrets Management
- **Encryption**: Age encryption via SSH host key (/etc/ssh/ssh_host_ed25519_key)
- **Storage**: secrets/secrets.yaml (encrypted, safe to commit)
- **Runtime**: Decrypted to /run/secrets/ (tmpfs, cleared on reboot)
- **Permissions**: 0440 for service-specific secrets, owned by service user
### Deployment Workflow
1. Make configuration changes locally
2. Commit to git
3. Deploy via nixos-rebuild
4. Verify service status and logs
5. Document in worklogs/
6. Test functionality
7. Monitor for stability
## Recent Changes
- 001-extract-matrix-platform: Added Nix 2.x, NixOS 24.05+, Bash 5.x (for scripts)
- 002-slack-bridge-integration: Deployed mautrix-slack bridge with Socket Mode (2025-10-26)
- Phase 0-1: Research and design complete
- Phase 2: Infrastructure deployed and operational
- Status: Bidirectional message flow working (Slack ↔ Matrix)
- ~50 Slack channels synced to Matrix rooms
## Known Issues
- olm-3.2.16 marked insecure (permitted via nixpkgs.config.permittedInsecurePackages)
- conduwuit log level set to "debug" (intended for troubleshooting, consider reverting to "info")
- Fresh database required after conduwuit version upgrades (wipe /var/lib/matrix-continuwuity/db/)
## Testing Guidelines
- Test message latency: Should be <5 seconds (FR-001, FR-002)
- Test reactions, edits, file attachments
- Monitor health indicators: connection_status, last_successful_message, error_count
- Stability target: 99% uptime over 7-day period
<!-- MANUAL ADDITIONS START -->
## Manual Configuration Workarounds
### mautrix-slack Registration File Fix (KNOWN ISSUE)
**Problem:** The bridge's registration generator creates a random `sender_localpart` instead of using the configured `bot.username` value.
**Current Manual Fix (Required on Fresh Deploy):**
```bash
# After bridge service starts and generates registration
ssh root@45.77.205.49 'systemctl stop mautrix-slack'
# Edit registration file to fix sender_localpart
ssh root@45.77.205.49 "sed -i 's/^sender_localpart: .*/sender_localpart: slackbot/' /var/lib/matrix-appservices/mautrix_slack_registration.yaml"
# Re-register appservice in Matrix admin room
# In Element, send to admin room:
# !admin appservices unregister slack
# !admin appservices register
# <paste corrected YAML>
# Restart homeserver to load new registration
ssh root@45.77.205.49 'systemctl restart matrix-continuwuity'
# Start bridge
ssh root@45.77.205.49 'systemctl start mautrix-slack'
```
**Root Cause:** mautrix-slack's `-g` flag generates registration independently of `config.yaml` settings.
**Potential Permanent Fix:** Patch `modules/mautrix-slack.nix` to post-process registration file after generation:
```nix
# In ExecStartPre, after registration generation:
${pkgs.gnused}/bin/sed -i 's/^sender_localpart: .*/sender_localpart: ${cfg.appservice.senderLocalpart}/' "$REG_PATH"
```
**Impact:** Without this fix, registration sender_localpart won't match bridge config, causing authentication failures.
---
## QA Testing Checklist
### Core Features (✅ Tested & Working)
- [x] Bidirectional text messaging (Slack ↔ Matrix)
- [x] Channel discovery and room creation (~50 channels synced)
- [x] Socket Mode WebSocket connection
- [x] Bot authentication with Matrix homeserver
- [x] Bridge startup and recovery after restart
### Features Requiring QA Testing (⚠️ Untested)
- [ ] **File Attachments**
- Upload file in Slack → verify appears in Matrix
- Upload file in Matrix → verify appears in Slack
- Test various file types (images, PDFs, archives)
- Test large files (>10MB)
- [ ] **Emoji Reactions**
- Add reaction in Slack → verify appears in Matrix
- Add reaction in Matrix → verify appears in Slack
- Remove reaction → verify syncs
- [ ] **Message Edits**
- Edit message in Slack → verify updates in Matrix
- Edit message in Matrix → verify updates in Slack
- [ ] **Message Deletion**
- Delete message in Slack → verify removes from Matrix
- Delete message in Matrix → verify removes from Slack
- [ ] **Thread Replies**
- Reply in Slack thread → verify threading in Matrix
- Reply in Matrix thread → verify threading in Slack
- [ ] **User Profile Sync**
- Change Slack display name → verify updates Matrix puppet
- Change Slack avatar → verify updates Matrix puppet
- [ ] **Error Handling**
- Network interruption recovery
- Matrix homeserver restart handling
- Slack WebSocket reconnection
- Invalid token handling
- [ ] **Performance**
- High-volume channel (>100 messages/hour)
- Large file transfer times
- Message latency under load
### Test Commands
```bash
# Monitor bridge during testing
ssh root@45.77.205.49 'journalctl -u mautrix-slack -f'
# Check for errors
ssh root@45.77.205.49 'journalctl -u mautrix-slack --since "1 hour ago" | grep -E "ERR|WRN|FTL"'
# Verify message flow
# Test in #vlads-pad or similar channel
# Send from Slack, verify in Matrix room
# Send from Matrix room, verify in Slack
```
---
## Future Infrastructure Needs
### Monitoring & Alerting (Not Implemented)
**Health Checks Needed:**
- Bridge WebSocket connection status
- Matrix homeserver availability
- Message processing latency
- Database connection health
- Error rate thresholds
**Potential Solutions:**
```bash
# Option 1: Simple systemd monitoring
systemctl status mautrix-slack | grep -q "active (running)" || alert
# Option 2: Prometheus + Alertmanager
# - Export bridge metrics (if available)
# - Alert on service down, high error rate, message lag
# Option 3: Uptime monitoring
# - External ping to Matrix homeserver
# - Check /_matrix/client/versions endpoint
# - Alert on HTTP errors or timeout
```
**Metrics to Track:**
- Bridge uptime percentage
- Messages processed (Slack → Matrix, Matrix → Slack)
- WebSocket reconnection events
- Database query performance
- Error counts by type
**Alert Conditions:**
- Bridge down for >5 minutes
- No messages processed in >15 minutes (if active channels exist)
- Error rate >5% of total messages
- Database connection failures
- Disk space <10% free
### Backup Strategy (Not Implemented)
**Critical Data:**
- Matrix RocksDB: `/var/lib/matrix-continuwuity/db/` (66M)
- Bridge PostgreSQL: `mautrix_slack` database (172K)
- Registration files: `/var/lib/matrix-appservices/*.yaml`
- Secrets: sops-encrypted `secrets/secrets.yaml` (in git)
**Backup Approach:**
```bash
# Daily database backups
ssh root@45.77.205.49 'tar czf /root/backups/matrix-$(date +%Y%m%d).tar.gz /var/lib/matrix-continuwuity/db/'
ssh root@45.77.205.49 'sudo -u postgres pg_dump mautrix_slack > /root/backups/bridge-$(date +%Y%m%d).sql'
# Retention: 7 daily, 4 weekly, 12 monthly
# Store off-VPS (rsync to backup server or cloud storage)
```
**Recovery Procedure:**
1. Deploy NixOS configuration
2. Restore database backups
3. Restore registration files
4. Re-authenticate with Slack (new tokens via `login app`)
5. Verify message flow
**Note:** Matrix database can be wiped and rebuilt from Slack if needed (current architecture treats Matrix as ephemeral view layer).
---
## Current Architecture State (2025-10-26)
### Deployed Services
```
┌─────────────────────────────────────────────────────┐
│ clarun.xyz (45.77.205.49) │
│ │
│ ┌─────────────────────────────────────────────┐ │
│ │ nginx :443 (HTTPS) │ │
│ │ - Matrix Client-Server API │ │
│ │ - Forgejo (git.clarun.xyz) │ │
│ └────────────┬────────────────────────────────┘ │
│ │ │
│ ├─→ conduwuit :8008 (127.0.0.1) │
│ │ - Matrix homeserver │
│ │ - RocksDB schema v18 │
│ │ - 66M database │
│ │ │
│ └─→ Forgejo :3000 (127.0.0.1) │
│ │
│ ┌─────────────────────────────────────────────┐ │
│ │ mautrix-slack :29319 (127.0.0.1) │ │
│ │ - Socket Mode WebSocket to Slack │ │
│ │ - PostgreSQL backend (172K) │ │
│ │ - ~50 portal rooms │ │
│ └────────────┬────────────────────────────────┘ │
│ │ │
│ └─→ PostgreSQL :5432 (unix socket) │
│ │
└─────────────────────────────────────────────────────┘
└─→ Slack API (Socket Mode WebSocket)
- Workspace: chochacho
- Bot token: xoxb-...
- App token: xapp-...
```
### Critical Networking Details
- **All internal services use IPv4 (127.0.0.1)** - NOT "localhost"
- Reason: `localhost` resolves to IPv6 `[::1]` but services bind IPv4-only
- Fixed in: nginx proxy_pass, bridge homeserverUrl configuration
### Service Dependencies
```
postgresql.service
└─→ mautrix-slack.service
└─→ matrix-continuwuity.service
└─→ nginx.service
```
### Data Flow
1. **Slack → Matrix:**
- Slack pushes event via Socket Mode WebSocket
- Bridge receives, transforms to Matrix event
- Bridge POSTs to conduwuit appservice endpoint
- conduwuit distributes to Matrix rooms
- Element clients receive via /sync
2. **Matrix → Slack:**
- Element client sends message via conduwuit
- conduwuit forwards to bridge appservice endpoint
- Bridge transforms to Slack API call
- Bridge POSTs to Slack API (bot token)
- Appears in Slack channel
### Security Model
- **Secrets:** Managed via sops-nix, deployed to `/run/secrets/`
- **Bridge tokens:**
- `as_token`: Bridge authenticates to Matrix
- `hs_token`: Matrix authenticates to bridge
- **Slack tokens:**
- `xoxb-`: Bot API calls
- `xapp-`: Socket Mode connection
- **No public bridge endpoint:** Socket Mode eliminates webhook requirement
### Operational Notes
- Matrix database disposable (can rebuild from Slack)
- Bridge config fully declarative except sender_localpart fix
- Fresh database recommended after conduwuit version upgrades
- Debug logging currently enabled on conduwuit
<!-- MANUAL ADDITIONS END -->

343
docs/platform-vision.md Normal file
View file

@ -0,0 +1,343 @@
# ops-jrz1 Platform Vision
**Status:** North Star Document
**Last Updated:** 2025-10-22
**Maintainers:** dan (primary), team (shared responsibility)
## Executive Summary
ops-jrz1 is a self-hosted collaborative development platform for small engineering teams (2-5 engineers). It provides communication bridging (Matrix ↔ Slack), code hosting (Forgejo), and declarative deployment infrastructure (NixOS) with a focus on **sustainability over speed** and **quality over quick wins**.
## Core Philosophy
**Build It Right Over Time**
- Avoid technical debt
- Declarative and reproducible (NixOS)
- Self-documenting
- Sustainable for small team
- Clear patterns for contributions
**Presentable State First**
- Working demo-able features
- Clear documentation
- Inviting for new engineers
- Professional appearance
## Current State (Generation 31+)
### Operational Services
- ✅ Matrix homeserver (conduwuit 0.5.0-rc.8) on clarun.xyz
- ✅ Forgejo (7.0.12) at git.clarun.xyz
- ✅ nginx reverse proxy with TLS (Let's Encrypt)
- ✅ PostgreSQL 15.10 (Forgejo database)
- ✅ sops-nix secrets management
- ✅ Self-hosted infrastructure configuration (ops-jrz1 repo on Forgejo)
### Security Posture
- ✅ SSH key-only authentication
- ✅ Secrets encrypted with age/sops-nix
- ✅ Services isolated on localhost (Matrix, PostgreSQL)
- ✅ Firewall (only SSH, HTTP, HTTPS exposed)
- ✅ Comprehensive security validation completed
### Incomplete/Blocked
- ⚠️ mautrix-slack bridge (exit code 11, needs configuration)
- ⚠️ mautrix-whatsapp (configured but not tested)
- ⚠️ mautrix-gmessages (configured but not tested)
- ⚠️ No deployment pattern for team projects yet
## Target "Presentable MVP"
### Definition of Presentable
When we can say: "Here's a working platform you can use and contribute to"
**Criteria:**
1. Slack bridge works bidirectionally
2. One example project successfully deployed
3. Clear onboarding documentation
4. Stable and tested (not constantly broken)
5. Professional presentation (docs, architecture clarity)
### Milestone 1: Working Slack Bridge
**Goal:** Engineers in Slack can see it's alive and useful
**Success Metric:** Send "Hello from Matrix!" message that appears in Slack via bridge
**Tasks:**
- Update workspace config (delpadtech → chochacho)
- Create Slack app in chochacho workspace
- Configure Slack credentials (app token, bot token) in sops-nix
- Debug exit code 11 issue
- Test bidirectional messaging (Slack ↔ Matrix)
- Document setup in worklog
**Impact:** Highly visible proof of concept, validates core architecture
**Priority:** **HIGH** - Unblocks team communication and collaboration
### Milestone 2: Example Project Pattern
**Goal:** Clear template for "how to add a project"
**Success Metric:** Engineer can clone template repo, modify, and deploy a simple bot
**Deliverables:**
- Example project: "chochacho-hello-bot" (responds to !hello in Matrix)
- Project structure: Nix flake + NixOS module pattern
- Documentation: docs/project-template.md
- Template repository on Forgejo
**Impact:** Makes platform "joinable" - clear contribution path
**Priority:** **MEDIUM** - Required before onboarding engineers
### Milestone 3: Platform Documentation
**Goal:** New engineer can understand and use the platform
**Deliverables:**
- docs/architecture.md - How the platform works
- docs/onboarding.md - How to join as an engineer
- docs/deployment.md - How to deploy projects
- README.md - Overview and navigation
**Impact:** Presentability factor, shows maturity and thoughtfulness
**Priority:** **MEDIUM** - Can iterate as engineers join
## Architecture Principles
### Communication Layer
**Primary:** Slack (chochacho workspace)
**Hub:** Matrix homeserver bridges to Slack
**Direction:** Bidirectional (Slack ↔ Matrix)
**Current Focus:** Slack bridge only (not WhatsApp, Google Messages, etc.)
**User Experience:** Engineers stay in Slack, Matrix runs behind the scenes to unify communication
### Code Hosting
**Primary:** Self-hosted Forgejo at git.clarun.xyz
**Flexibility:** Projects can also reference external repos (GitHub, etc.)
**Model:**
- `ops-jrz1` repository: Platform infrastructure (NixOS config)
- Project repositories: Individual team projects
- Clear separation: Infrastructure vs applications
### Deployment Philosophy
**Chosen Approach:** NixOS-Native (Strict Declarative)
**Pattern: Project as NixOS Module**
```nix
# Example project structure
project-name/
├── flake.nix # Nix flake (how to build)
├── default.nix # Derivation (package definition)
├── module.nix # NixOS service module
├── src/ # Project code
└── README.md # Deployment instructions
```
**Deployment Workflow:**
1. Engineer develops project locally (with Nix)
2. Project added to ops-jrz1 as import or flake reference
3. Push to Forgejo (project repo or ops-jrz1 update)
4. Admin reviews change (pull request optional)
5. `nixos-rebuild switch` deploys to production
6. Rollback available via NixOS generations
**Benefits:**
- ✅ Declarative and reproducible
- ✅ Built-in rollback (generation management)
- ✅ Consistent with existing ops-jrz1 pattern
- ✅ Forces proper packaging (quality gate)
- ✅ No additional deployment systems to maintain
**Trade-offs:**
- ❌ Requires NixOS knowledge (acceptable: team can learn)
- ❌ Less "instant" than webhook deployment (acceptable: "no deployment urgency")
- ❌ Admin approval step (beneficial: quality control)
**Alternative Considered:** Hybrid model (platform in NixOS, projects flexible)
- Deferred: Can relax strictness later if needed
- Starting strict enforces quality and consistency
### Multi-Engineer Access Model
**Level 1: Communication Only**
- Slack workspace access (chochacho)
- Can participate in bridged conversations
- No infrastructure access needed
**Level 2: Code Contributor**
- Forgejo account (pattern established)
- SSH key uploaded to Forgejo
- Can push to project repositories
- Can submit pull requests
**Level 3: Deployer**
- Can trigger deployments (merge to main?)
- May have SSH access for debugging
- Permissions to restart services
**Level 4: Admin**
- SSH root access to VPS
- Can modify ops-jrz1 NixOS config
- Secrets management access (sops-nix keys)
- Infrastructure decision authority
**Target Distribution (2-5 engineers):**
- Level 1: All engineers
- Level 2: All engineers (default)
- Level 3: 2-3 trusted engineers
- Level 4: 1-2 admins (primary: dan)
### Secrets Management
**Tool:** sops-nix with age encryption
**Current State:**
- VPS SSH host key as age key: `age1vuxcwvdvzl2u7w6kudqvnnf45czrnhwv9aevjq9hyjjpa409jvkqhkz32q`
- Admin workstation can decrypt (dan's age key)
**Pattern:**
```yaml
# secrets/secrets.yaml (encrypted)
matrix-registration-token: "..."
acme-email: "..."
slack-app-token: "..." # Future
slack-bot-token: "..." # Future
```
**Future Considerations:**
- Add engineer age keys for collaboration
- Per-project secrets (if needed)
- Secret rotation workflow
### Testing Strategy
**Current:** ops-jrz1-vm (VM testing before production)
**Workflow:**
1. Develop locally
2. Test in VM (`nixos-rebuild build-vm`)
3. Deploy to production (`nixos-rebuild switch`)
4. Rollback if issues (`nixos-rebuild switch --rollback`)
**Future:**
- Automated testing (unit, integration)
- Staging environment (if needed)
- Pre-deployment health checks
## Technical Stack
### Infrastructure
- **OS:** NixOS 24.05
- **Config Management:** Nix flakes
- **Secrets:** sops-nix with age encryption
- **Firewall:** iptables (nixos-fw)
- **Web Server:** nginx with ACME/Let's Encrypt
### Communication
- **Matrix Homeserver:** conduwuit 0.5.0-rc.8
- **Bridge Framework:** mautrix (Python-based)
- **Target Bridge:** mautrix-slack (Socket Mode)
### Development Platform
- **Git Server:** Forgejo 7.0.12
- **Database:** PostgreSQL 15.10
- **CI/CD:** Forgejo Actions (future consideration)
### Expected Project Stack (Flexible)
- Python bots (primary expectation)
- Node.js services (if needed)
- Go binaries (if needed)
- Any language with Nix packaging support
## Open Questions
### Communication Bridge
- Which Slack channels to bridge? (All? Specific list? On-demand?)
- User identity mapping: Slack display names or Matrix usernames?
- Bot integration needs: GitHub notifications? CI/CD status?
### Project Deployment
- Automated deployment on merge? Or manual trigger?
- Pull request workflow required? Or direct push to main?
- Health checks before deployment?
- Monitoring and alerting strategy?
### Team Collaboration
- How many engineers will actually join? (impacts scaling decisions)
- Shared development environments needed?
- Per-project Matrix rooms or one big room?
- Weekly syncs or async-only collaboration?
### Repository Organization
- Monorepo (ops-jrz1 + projects) or separate repos?
- Public vs private repositories?
- Who owns which repositories?
## Success Metrics
### Technical Success
- ✅ All services healthy and monitored
- ✅ Zero unplanned downtime
- ✅ Fast rollback capability (< 5 minutes)
- ✅ Clear audit trail (git history + NixOS generations)
### Team Success
- ✅ Engineers can deploy projects independently
- ✅ Onboarding time < 1 hour
- ✅ Documentation answers common questions
- ✅ Platform feels stable and trustworthy
### Project Success (Presentable State)
- ✅ Slack bridge works reliably
- ✅ Example project demonstrates the pattern
- ✅ Documentation is complete and clear
- ✅ At least one other engineer has successfully deployed
## Timeline
**Phase 1: Working Slack Bridge** (1-2 focused sessions)
- Update workspace configuration
- Slack app setup and credential management
- Debug and validate bidirectional messaging
**Phase 2: Project Pattern** (1-2 sessions after Phase 1)
- Create example bot
- Document deployment pattern
- Establish template repository
**Phase 3: Documentation** (1 session)
- Architecture documentation
- Onboarding guide
- Deployment runbook
**Phase 4: Team Onboarding** (1 session per engineer)
- Invite engineers
- Supervised first deployment
- Gather feedback and iterate
**Target:** Presentable state within 4-8 focused work sessions
**Constraint:** Not pressing, quality over speed
## References
### Internal Documentation
- [Security Test Report](worklogs/2025-10-22-security-validation-test-report.md) - Generation 31 validation
- [Deployment Log](worklogs/2025-10-22-deployment-generation-31.md) - Initial deployment
- [Forgejo Setup](worklogs/2025-10-22-forgejo-repository-setup.org) - Git server configuration
### External Resources
- [Mautrix Bridges Documentation](https://docs.mau.fi/)
- [NixOS Manual](https://nixos.org/manual/nixos/stable/)
- [Forgejo Documentation](https://forgejo.org/docs/)
- [Matrix Specification](https://spec.matrix.org/)
## Revision History
- **2025-10-22:** Initial vision document created after brainstorming session
- Defined presentable MVP criteria
- Established three-milestone roadmap
- Documented architectural principles
- Identified open questions for iteration

237
docs/spec-kit-integration.md Normal file
View file

@ -0,0 +1,237 @@
# Spec-Kit Integration for ops-jrz1
**Purpose:** How to use the spec-kit framework for structured feature development
## What is Spec-Kit?
Spec-kit is a feature development framework that provides structured planning and execution. It's designed to:
- Force clear thinking before coding
- Document decisions and rationale
- Create actionable task lists
- Provide quality checklists
- Track progress systematically
## Current Spec-Kit Usage
**Existing Feature:**
- `specs/001-extract-matrix-platform/` - The feature that established this platform
**Structure:**
```
specs/001-extract-matrix-platform/
├── spec.md # What we're building and why
├── plan.md # How we'll build it
├── tasks.md # Specific actionable tasks
├── analysis.md # Technical analysis and decisions
├── research.md # Background research
├── data-model.md # Data structures and schemas
├── quickstart.md # Quick reference guide
├── checklists/ # Validation checklists
└── contracts/ # Interface contracts
```
## Using Spec-Kit for New Features
### When to Create a Spec
**✅ Good candidates for spec-kit:**
- Complex features with multiple components (e.g., Slack bridge integration)
- Features that affect architecture or patterns
- Features requiring team coordination
- Features with unclear requirements
**❌ Not worth spec-kit overhead:**
- Bug fixes
- Minor config changes
- Documentation updates
- Quick experiments
### Workflow
1. **Create spec:** `/speckit.specify` - Describe what you want to build
2. **Plan implementation:** `/speckit.plan` - Break down into design steps
3. **Generate tasks:** `/speckit.tasks` - Create actionable task list
4. **Implement:** `/speckit.implement` - Execute tasks systematically
5. **Validate:** Use checklists to verify completion
## Recommended: Slack Bridge Feature Spec
Given our north star goal (Milestone 1: Working Slack Bridge), this is a **perfect candidate** for spec-kit.
### Why Use Spec-Kit for Slack Bridge?
**Complexity factors:**
- Requires external service integration (Slack API)
- Needs secrets management coordination
- Involves debugging unknown exit code 11
- Has architectural implications (bridge pattern for future features)
- Requires documentation for team onboarding
**Benefits:**
- Clear specification prevents scope creep
- Plan documents decision rationale
- Tasks provide clear progress tracking
- Checklists ensure quality (security, testing, docs)
- Future engineers can understand the design
### Proposed Feature: `002-slack-bridge-integration`
**Spec outline:**
```markdown
# Feature: Matrix-Slack Bridge Integration
## Goal
Enable bidirectional communication between Slack (chochacho workspace)
and Matrix homeserver to unify team communication.
## Background
- Team currently uses Slack as primary communication
- Matrix homeserver operational on clarun.xyz
- mautrix-slack module exists but exits with code 11
- Existing Slack bot needs reauthorization with updated scopes
- Need Socket Mode for reliable connection
## Success Criteria
- Send message in Slack → appears in Matrix
- Send message in Matrix → appears in Slack
- Bridge survives server restart
- Clear documentation for adding/removing channels
- Secrets properly managed via sops-nix
## Non-Goals
- WhatsApp bridge (future)
- Google Messages bridge (future)
- Multi-workspace support (future)
```
## Next Steps
1. **Start the spec process:**
```bash
# Create new feature spec
# Use /speckit.specify command or create directory manually
mkdir -p specs/002-slack-bridge-integration
```
2. **Write initial spec.md:**
- What: Slack bridge integration
- Why: Team communication unification
- Success criteria: Bidirectional messaging
- Constraints: Socket Mode, sops-nix secrets
3. **Run planning:**
```bash
# Generate implementation plan
# Use /speckit.plan command
```
4. **Generate tasks:**
```bash
# Create actionable task list
# Use /speckit.tasks command
```
5. **Execute systematically:**
- Work through tasks in order
- Document blockers and decisions
- Update worklog as you go
## Important Context: Existing Slack Bot
**Key Information from User:**
> "We have access to a bot, we need to have a manager reauthorize
> the bot because we need to change something or other, redo the
> scopes maybe, change it to socket based"
**Action Items:**
1. Identify existing Slack bot name/app
2. Document current scopes/permissions
3. Determine required scopes for mautrix-slack bridge
4. Request manager to reauthorize with new scopes
5. Enable Socket Mode in Slack app settings
6. Extract bot token and app token for sops-nix
**Socket Mode Benefits:**
- No public webhook URL needed
- More reliable than polling
- Better for localhost-based bridges
- Recommended by mautrix-slack documentation
## Coordination with Platform Vision
The Slack bridge spec should reference and align with:
- `docs/platform-vision.md` - Overall platform goals
- Milestone 1: Working Slack Bridge
- Architecture Principles → Communication Layer
## Checklist Template for Bridge Features
```markdown
# Bridge Integration Checklist
## Configuration
- [ ] External service credentials obtained
- [ ] Secrets added to sops-nix
- [ ] NixOS module configuration updated
- [ ] Database schema initialized
## Testing
- [ ] Service starts without errors
- [ ] Bidirectional messaging works
- [ ] Bridge survives restart
- [ ] Error handling tested
## Documentation
- [ ] Setup documented in worklog
- [ ] Credentials management documented
- [ ] Troubleshooting guide created
- [ ] Architecture diagram updated
## Security
- [ ] Secrets encrypted and committed
- [ ] Permissions scoped appropriately
- [ ] Network isolation verified
- [ ] Audit logging enabled
```
## Questions to Answer in Spec
When creating `002-slack-bridge-integration`, make sure to address:
1. **Scope:** Which channels to bridge? (all, specific list, on-demand)
2. **Identity:** How to map Slack users to Matrix users?
3. **Permissions:** Who can manage bridge? (admin-only vs engineer-accessible)
4. **Failure Modes:** What happens if Slack is down? Bridge crashes?
5. **Monitoring:** How to know if bridge is healthy?
6. **Scaling:** Future multi-workspace support?
## Integration with Worklogs
**Relationship:**
- Spec-kit specs are **planning documents** (what and how)
- Worklogs are **execution records** (what happened and why)
**Workflow:**
1. Create spec for the feature (e.g., `002-slack-bridge-integration`)
2. Work on implementation
3. Write worklogs documenting sessions (e.g., `2025-10-23-slack-bridge-setup.org`)
4. Update spec with learnings (if design changes)
**Cross-references:**
- Specs should link to worklogs for implementation details
- Worklogs should reference specs for context
- Platform vision should reference both
## Conclusion
For the Slack bridge work (Milestone 1 of our platform vision), I recommend:
**✅ Use spec-kit:** Create `specs/002-slack-bridge-integration/`
- Complex enough to warrant structured planning
- Clear bounded feature
- Important architectural precedent
- Needs team coordination
**Next Command:** `/speckit.specify` to start the spec process
This will ensure we build it right, document decisions, and make it easy for future engineers to understand and extend.

499
docs/worklogs/2025-10-13-ops-jrz1-foundation-initialization.org
View file

@ -1,499 +0,0 @@
#+TITLE: ops-jrz1 Repository Foundation Initialization - Phase 1 & 2 Complete
#+DATE: 2025-10-13
#+KEYWORDS: nixos, matrix, infrastructure-extraction, sanitization, git-hooks, foundation-setup
#+COMMITS: 1
#+COMPRESSION_STATUS: uncompressed
* Session Summary
** Date: 2025-10-13 (Day 3 of project)
** Focus Area: Infrastructure Foundation & Repository Initialization
This session focused on implementing Phase 1 (Setup) and Phase 2 (Foundational Prerequisites) of the Matrix platform extraction project. The goal was to create a robust foundation for safely extracting, sanitizing, and deploying Matrix homeserver modules from the ops-base production repository to the new ops-jrz1 dev/test server.
This is a continuation of the speckit workflow that began on 2025-10-11 with specification and planning phases. The previous sessions established the RFC, created the specification document, generated the implementation plan, defined the data model, created sanitization rules contracts, and generated the task breakdown.
* Accomplishments
- [X] Created complete directory structure for ops-jrz1 repository (modules/, hosts/, docs/, secrets/, scripts/, scripts/hooks/)
- [X] Implemented NixOS configuration skeleton with three core files (flake.nix, configuration.nix, hosts/ops-jrz1.nix)
- [X] Created sanitization script implementing all 22 sanitization rules from contracts/sanitization-rules.yaml
- [X] Created validation script with gitleaks integration and pattern checking
- [X] Configured git hooks with pre-commit framework (.pre-commit-config.yaml)
- [X] Created three custom git hook wrapper scripts (validate-sanitization, nix-flake-check, nix-build)
- [X] Verified .gitignore configuration (already existed, comprehensive)
- [X] Created comprehensive README.md with project overview, structure, and workflows
- [X] Created MIT LICENSE file
- [X] Performed automated foundation review - all checks passed
- [X] Configured git repository (user.name, user.email)
- [X] Created initial commit with 42 files (7,741 insertions)
- [X] Updated tasks.md to mark Phase 1 (T001-T004c) and Phase 2 (T005-T011) as complete
* Key Decisions
** Decision 1: Single-Repository Architecture
- Context: Originally considered a dual-repository approach (ops-jrz1 for planning + nixos-matrix-platform-template for public sharing)
- Options considered:
1. Dual-repo: Separate planning docs and public template
- Pros: Clean separation, easy to publish later
- Cons: Overhead, premature optimization, complex sync
2. Single-repo: Everything in ops-jrz1 (planning + modules + server config)
- Pros: Simpler, less overhead, matches actual use case (dev/test server)
- Cons: Public sharing deferred to future
- Rationale: The immediate need is to configure ops-jrz1 server, not create a public template. Public sharing can be deferred. This decision was made in previous sessions and solidified during surgical artifact updates.
- Impact: All paths in tasks.md updated, repository structure simplified, T002-T003 marked obsolete
** Decision 2: Sanitization Strategy - Hybrid Automated + Manual
- Context: Need to remove personal domains (clarun.xyz, talu.uno), IPs (192.168.1.x, 45.77.205.49), paths (/home/dan), and secrets from ops-base modules before committing
- Options considered:
1. Fully automated: sed/awk replacements only
- Pros: Fast, repeatable
- Cons: May miss edge cases in comments, context-dependent replacements
2. Fully manual: Review every file line-by-line
- Pros: Thorough, catches everything
- Cons: Slow, error-prone, not repeatable
3. Hybrid: Automated rules + manual review checklist
- Pros: Fast for patterns, thorough for edge cases, repeatable with human oversight
- Cons: Requires both automation and human time
- Rationale: The hybrid approach balances speed and thoroughness. Automated scripts handle 95% of patterns, manual review catches edge cases and verifies completeness. This was documented in research.md from Phase 0.
- Impact: Created scripts/sanitize-files.sh (22 rules) + scripts/validate-sanitization.sh + manual review checklist in T024-T025
** Decision 3: Git Hooks as Primary Validation
- Context: Need to prevent accidental commit of personal information or broken Nix configurations
- Options considered:
1. CI/CD only: Validation on push to remote
- Pros: Centralized, consistent
- Cons: Slow feedback loop, requires infrastructure
2. Git hooks only: Local validation on commit/push
- Pros: Fast feedback, prevents bad commits before push
- Cons: Can be bypassed with --no-verify, requires pre-commit framework
3. Both: Git hooks + CI/CD
- Pros: Defense in depth, fast local feedback + centralized enforcement
- Cons: Duplication of validation logic
- Rationale: Git hooks provide immediate feedback (pre-commit for sanitization, pre-push for builds). CI/CD is deferred for future public sharing (Phase 8). For a dev/test server, local validation is sufficient and faster.
- Impact: Created .pre-commit-config.yaml with 3 custom hooks, nixpkgs-fmt, gitleaks, and general file checks
** Decision 4: Skeleton Configuration Files vs Full Implementation
- Context: Phase 1 requires creating flake.nix, configuration.nix, and hosts/ops-jrz1.nix, but we don't have extracted modules yet
- Options considered:
1. Wait for Phase 3: Don't create config files until modules are extracted
- Pros: Accurate imports, no placeholders
- Cons: Can't validate structure, blocks foundation checkpoint
2. Full configuration: Try to replicate structure from ops-base
- Pros: More complete
- Cons: Premature, may be inaccurate, requires ops-base access now
3. Skeleton with comments: Create structure with placeholder imports commented out
- Pros: Validates directory structure, documents intent, easy to fill in later
- Cons: Requires later expansion (expected)
- Rationale: Skeleton files serve as documentation and structural validation. They allow Phase 2 scripts to reference correct file paths. Commented-out imports show what will be added in Phase 3.
- Impact: Created skeleton files with REPLACE_ME comments and clear documentation of what will be added
** Decision 5: Bash Scripts vs Nix for Sanitization
- Context: Sanitization rules could be implemented in bash scripts or Nix expressions
- Options considered:
1. Pure Nix: Use Nix derivations for sanitization
- Pros: Nix-native, reproducible
- Cons: Complex for string replacements, harder to debug
2. Bash scripts: sed/awk/find for pattern replacement
- Pros: Simple, fast, readable, easy to debug
- Cons: Less Nix-native, platform-dependent (but we're Linux-only)
3. Python/other: Use a more powerful language
- Pros: Better regex support, more flexible
- Cons: Additional dependency, overkill for simple replacements
- Rationale: Bash scripts are simpler for the task at hand (find/replace patterns in files). All sanitization rules are straightforward regex replacements. The scripts are easy to understand and modify. NixOS provides bash, so no additional dependencies.
- Impact: scripts/sanitize-files.sh uses find + sed for all 22 rules, scripts/validate-sanitization.sh uses ripgrep for pattern checking
* Problems & Solutions
| Problem | Solution | Learning |
|---------|----------|----------|
| Initial `/speckit.implement` execution encountered architectural confusion about dual-repo vs single-repo | During previous session, performed surgical updates to spec.md, plan.md, and tasks.md to clarify single-repository architecture. Ran `/speckit.analyze` to validate consistency. | Architectural decisions need to be crystal clear before implementation. The analyze command is valuable for catching inconsistencies. |
| Nix file syntax validation failed with `nix-instantiate --parse` on skeleton files | This is expected - skeleton files have commented-out imports and placeholder values. They need full context (modules, nixpkgs) to parse. Validation will work in Phase 3 after module extraction. | Skeleton files won't validate until dependencies exist. This is normal and acceptable for foundational work. |
| Flake metadata check failed: "Path 'flake.nix' not tracked by Git" | Files were created but not yet committed. After staging and committing all foundation files, this error will resolve. This is just a git working tree state issue. | Nix flakes require files to be git-tracked. Always commit before running `nix flake` commands. |
| Git commit failed: "Author identity unknown" | User hadn't configured git for this repository. Configured with `git config user.name "Dan"` and `git config user.email "dleink@gmail.com"` in the local repository (not global). | Always check git config before first commit in a new repository. Local config is fine for single-user repos. |
| Ripgrep scan for sensitive information timed out after 2 minutes | The scan was checking the entire specs/ directory which contains documentation with references to personal info (as examples of what to sanitize). This is expected and harmless - specs/ is documentation, not code. Added grep filters to exclude specs/ from sensitive scans. | When scanning for sensitive patterns, exclude documentation directories that legitimately discuss those patterns. Be specific about what to scan. |
| Pre-commit hooks not actually installed in git | Created `.pre-commit-config.yaml` but didn't run `pre-commit install` to activate hooks in `.git/hooks/`. This is intentional - user needs to install pre-commit framework first (`nix-env -iA nixpkgs.pre-commit`) then run `pre-commit install`. | Git hooks are two-step: (1) create config, (2) install hooks. Document this in README as optional enhancement. |
* Technical Details
** Code Changes
- Total files created: 11 (foundation only, not counting specs/ which were from previous sessions)
- Key files created:
- `flake.nix` - NixOS flake configuration with ops-jrz1 nixosConfiguration, nixpkgs 24.05 pinned, sops-nix commented out for later
- `configuration.nix` - Base NixOS system configuration with boot loader, networking, SSH, firewall placeholders
- `hosts/ops-jrz1.nix` - Server-specific configuration importing Matrix modules (commented out until Phase 3)
- `scripts/sanitize-files.sh` - 171 lines, implements 22 sanitization rules with rsync copy, sed replacements, colorized output
- `scripts/validate-sanitization.sh` - 111 lines, validates with ripgrep pattern checks, gitleaks integration (optional), exit codes
- `scripts/hooks/validate-sanitization-hook.sh` - 62 lines, pre-commit hook checking staged files for personal info
- `scripts/hooks/nix-flake-check-hook.sh` - 37 lines, pre-push hook running nix flake check
- `scripts/hooks/nix-build-hook.sh` - 40 lines, pre-push hook building ops-jrz1 configuration
- `.pre-commit-config.yaml` - 50 lines, configures nixpkgs-fmt, gitleaks, general checks, custom hooks
- `README.md` - 134 lines, comprehensive project overview, structure, workflows, security notes
- `LICENSE` - 21 lines, MIT license
** Sanitization Rules Implementation
The sanitization script implements all 22 rules from `specs/001-extract-matrix-platform/contracts/sanitization-rules.yaml`:
Critical Rules (must pass):
1. clarun.xyz → example.com (domain)
2. talu.uno → matrix.example.org (domain)
3. 192.168.1.x → 10.0.0.x (private IP)
4. 45.77.205.49 → 203.0.113.10 (public IP, TEST-NET-3)
5. /home/dan → /home/user (path)
6. jrz1 → matrix (hostname, with special handling for ops-jrz1)
7. @admin:clarun.xyz → @admin:example.com (Matrix user)
8-10. Secret patterns (validated by gitleaks, not replaced)
High Priority Rules:
11. my-workspace → your-workspace
12. dlei@duck.com → admin@example.com
13. /home/dan/proj/ops-base → /path/to/ops-base
14. git+file:///home/dan/proj/continuwuity → github:girlbossceo/conduwuit
15. Example registration token → GENERATE_WITH_openssl_rand_hex_32
Worklog Sanitization Rules:
20. connection to (192.168.1.x|45.77.205.49) → connection to <host>
21. ssh root@(45.77.205.49|192.168.1.x) → ssh root@<vps-ip>
22. curl https://(clarun.xyz|talu.uno) → curl https://example.com
** Commands Used
```bash
# Create directory structure
mkdir -p modules hosts docs secrets scripts/hooks
# Make scripts executable
chmod +x scripts/sanitize-files.sh
chmod +x scripts/validate-sanitization.sh
chmod +x scripts/hooks/*.sh
# Check bash syntax
bash -n scripts/sanitize-files.sh
# Git configuration (local repository)
git config user.name "Dan"
git config user.email "dleink@gmail.com"
# Stage foundation files
git add .gitignore .pre-commit-config.yaml CLAUDE.md LICENSE README.md \
configuration.nix flake.nix hosts/ scripts/ specs/
# Create initial commit
git commit -m "Initialize ops-jrz1 repository with Matrix platform extraction foundation"
# Verify commit
git log --oneline
git status
```
** Architecture Notes
*** Repository Structure Pattern
The ops-jrz1 repository follows a single-repository pattern combining:
1. Planning documents (specs/001-extract-matrix-platform/)
2. NixOS configuration (flake.nix, configuration.nix, hosts/)
3. Extracted modules (modules/ - pending Phase 3)
4. Documentation (docs/, README.md)
5. Helper scripts (scripts/)
6. Secrets (secrets/ - gitignored, sops-nix encrypted)
This pattern allows the repository to serve multiple purposes:
- Development planning and tracking (speckit workflow)
- NixOS server configuration (deployable)
- Knowledge base (documentation, worklogs)
- Template for future extraction (potential public sharing)
The staging/ directory (gitignored) serves as a temporary workspace for extraction and sanitization, keeping unsanitized code out of git history.
*** Sanitization Pipeline Pattern
The sanitization workflow follows a 5-stage pipeline:
1. Copy (rsync from ops-base to staging/)
2. Automated sanitization (scripts/sanitize-files.sh applies all rules)
3. Validation (scripts/validate-sanitization.sh checks patterns)
4. Manual review (T024-T025, human verification)
5. Commit (move to permanent location, git add, git commit)
Each stage has clear inputs/outputs and can be repeated. The pipeline is fail-fast: validation errors block progression.
*** Git Hooks Defense in Depth
Three layers of protection:
1. Pre-commit: validate-sanitization-hook.sh (checks staged files for personal info)
2. Pre-push: nix-flake-check-hook.sh (validates Nix syntax)
3. Pre-push: nix-build-hook.sh (validates builds work)
This provides fast feedback locally without requiring remote CI/CD. Hooks can be bypassed with --no-verify if needed, but this is discouraged.
*** NixOS Configuration Modularity
The configuration is split into:
- flake.nix: Inputs (nixpkgs, sops-nix), outputs (nixosConfigurations.ops-jrz1)
- configuration.nix: Base system config (boot, network, SSH, firewall)
- hosts/ops-jrz1.nix: Server-specific config (Matrix modules, bridge config)
- modules/*: Reusable service modules (extracted from ops-base)
This separation allows:
- Base config to be stable
- Host-specific config to be customized per server
- Modules to be reused or published independently
* Process and Workflow
** What Worked Well
- **Speckit workflow**: The /speckit.specify → /speckit.plan → /speckit.tasks → /speckit.implement workflow provided clear structure and caught architectural inconsistencies early
- **Surgical artifact updates**: When the single-repo decision was made, updating spec.md, plan.md, and tasks.md surgically (rather than regenerating) preserved all the detailed work
- **TodoWrite tool**: Tracking phase progress with todo items kept focus clear
- **Automated foundation review**: Running a comprehensive review script after Phase 2 provided confidence before proceeding
- **Skeleton files with comments**: Creating configuration files with placeholder imports and REPLACE_ME comments documents intent without premature implementation
- **Bash scripts for sanitization**: Simple sed/find commands are readable, debuggable, and sufficient for pattern replacement tasks
** What Was Challenging
- **Architectural ambiguity**: The dual-repo vs single-repo decision took multiple clarification rounds in previous sessions. This was resolved through explicit user questions and RFC validation.
- **Nix validation timing**: Understanding that skeleton files won't validate until dependencies exist required acceptance of "expected failures" during foundation phase
- **Git configuration**: First commit failed due to missing git identity. This is a one-time setup issue.
- **Sensitive information scanning**: Initial ripgrep scans included specs/ documentation which legitimately discusses personal patterns. Required filtering to scan only runtime code.
- **Pre-commit installation**: The .pre-commit-config.yaml file is created but hooks aren't active until user installs pre-commit framework and runs `pre-commit install`. This is documented as optional.
** Time Allocation
Estimated time spent on each phase:
- Phase 1 (T004-T004c): ~15 minutes (directory structure + skeleton files)
- Phase 2 (T005-T011): ~45 minutes (scripts, hooks, documentation)
- Automated review: ~20 minutes (running checks, generating report)
- Git setup: ~10 minutes (configuration, commit)
- Total: ~90 minutes for foundation
* Learning and Insights
** Technical Insights
- **NixOS flakes require git-tracked files**: Nix flake commands will fail if flake.nix isn't committed. This is a feature, not a bug - flakes are designed to be reproducible from git.
- **Bash script portability**: All sanitization rules are POSIX-compatible (find + sed + grep). The scripts will work on any Linux system with standard tools.
- **Ripgrep type filtering**: Using `--type nix --type md` limits scans to relevant files, avoiding false positives in logs, binary files, or other formats.
- **Git config scopes**: `git config` (local) vs `git config --global` affects only current repo vs all repos. Local is fine for single-user repositories.
- **rsync for safe copying**: Using `rsync -av` instead of `cp -r` ensures proper permissions and metadata preservation during staging.
** Process Insights
- **Foundation checkpoint value**: Pausing after Phase 2 to review and commit creates a clean checkpoint. If Phase 3 goes wrong, we can reset to this commit.
- **Automated review catches omissions**: The review script found all critical files and validated their properties. This would have caught missing files or incorrect permissions.
- **Skeleton documentation**: Comments in skeleton files (`# REPLACE: Your Matrix server domain`) serve as inline documentation for future expansion.
- **Phase dependencies matter**: Phase 2 scripts (sanitize, validate) must be created before Phase 3 extraction. Task dependency ordering is critical.
** Architectural Insights
- **Single-repo scales**: Combining planning, code, and documentation in one repository works well for infrastructure projects. The specs/ directory provides context without cluttering the working files.
- **Extraction workspace pattern**: The staging/ directory (gitignored) creates a safe temporary space for unsanitized code. This prevents accidentally committing personal info.
- **Git hooks as guardrails**: Pre-commit/pre-push hooks are not enforcement (can be bypassed) but guardrails. They catch mistakes before they become problems.
- **Sanitization is iterative**: The hybrid automated-then-manual approach acknowledges that no automated system catches 100% of edge cases. Human review is essential.
* Context for Future Work
** Open Questions
- **ops-base module structure**: Do the module paths in ops-base match our expectations? (`modules/matrix-continuwuity.nix` vs `services/matrix/continuwuity.nix`?)
- **Configuration file paths**: Do the configuration files exist at `configurations/vultr-dev.nix` and `configurations/dev-vps.nix`?
- **sops-nix version**: What version of sops-nix is ops-base using? Do we need to match it?
- **Module dependencies**: Do any extracted modules depend on other ops-base modules not in our extraction list?
- **Hardware configuration**: Does ops-jrz1 server have a hardware-configuration.nix we need to generate or copy?
** Next Steps
- **Phase 3 preparation**: Verify ops-base repository structure before extraction (T012-T021)
- **Module extraction**: Copy 8 modules + 2 configurations from ops-base to staging/ (can run in parallel)
- **Sanitization**: Run scripts/sanitize-files.sh on staging/ → modules/ and staging/ → hosts/
- **Manual review**: Check comments, documentation strings, inline notes for personal references (T024-T025)
- **Validation**: Run scripts/validate-sanitization.sh + gitleaks + manual checklist (T026-T028)
- **Build testing**: After modules are in place, expand flake.nix to import sops-nix and modules, run `nix flake check`
** Related Work
- Worklog: `docs/worklogs/2025-10-11-matrix-platform-extraction-rfc.org` (RFC consensus and spec creation)
- Worklog: `docs/worklogs/2025-10-11-matrix-platform-planning-phase.org` (Plan, data model, contracts generation)
- Specification: `specs/001-extract-matrix-platform/spec.md` (29 functional requirements, 5 user stories)
- Plan: `specs/001-extract-matrix-platform/plan.md` (tech stack, architecture, phase breakdown)
- Tasks: `specs/001-extract-matrix-platform/tasks.md` (125 tasks, dependency ordering)
- Sanitization rules: `specs/001-extract-matrix-platform/contracts/sanitization-rules.yaml` (22 rules with validation)
- Data model: `specs/001-extract-matrix-platform/data-model.md` (8 entities, lifecycle states, validation matrix)
** Testing Strategy for Phase 3
When extracting modules, follow this validation sequence:
1. Copy module to staging/ (T012-T019)
2. Visual inspection: Does the file contain obvious personal info?
3. Run sanitization: `./scripts/sanitize-files.sh staging/modules modules/`
4. Run validation: `./scripts/validate-sanitization.sh modules/`
5. Manual review: Check comments line-by-line
6. Git diff: Review all changes before staging
7. Commit: Only commit after all checks pass
If validation fails:
1. Don't commit - leave in staging/
2. Check which rule failed
3. Either: (a) Fix rule in sanitize-files.sh, or (b) Manually fix file
4. Re-run sanitization and validation
5. Repeat until clean
* Raw Notes
** Automated Review Output
The foundation review script checked:
- Directory structure: 7 directories (all present)
- Configuration files: 3 files (flake.nix, configuration.nix, hosts/ops-jrz1.nix)
- Scripts: 5 scripts (all executable, valid syntax)
- Git hooks: .pre-commit-config.yaml + 3 hook scripts
- Security: .gitignore patterns, no sensitive info in runtime code
- Documentation: README.md, LICENSE
All checks passed. No critical issues found.
** File Counts
- Foundation files created this session: 11
- Speckit infrastructure (from previous sessions): 31
- Total committed: 42 files
- Lines of code: 7,741 insertions
** Script Sizes
- sanitize-files.sh: 171 lines
- validate-sanitization.sh: 111 lines
- validate-sanitization-hook.sh: 62 lines
- nix-flake-check-hook.sh: 37 lines
- nix-build-hook.sh: 40 lines
- Total script code: 421 lines
** README.md Structure
The README is organized as:
1. Overview (project purpose, services)
2. Current status (phase tracking, checkboxes)
3. Repository structure (tree diagram)
4. Planned features (homeserver, bridges, security)
5. Development workflow (prerequisites, building, sanitization)
6. Security notes (secrets management, git hooks, validation)
7. License
8. Related documentation (links to specs/)
This structure serves multiple audiences:
- New contributors: What is this project?
- Current developers: What's the status? How do I work on it?
- Future maintainers: What's the architecture? How do I deploy?
** Sanitization Script Design
The sanitize-files.sh script is designed to be:
- **Idempotent**: Running it multiple times produces the same result
- **Safe**: Uses rsync to copy before modifying, never touches source
- **Verbose**: Echoes each rule being applied for transparency
- **Colorized**: Uses ANSI colors (green/red/yellow) for readability
- **Documented**: Comments explain each rule and its contract reference
The script structure is:
1. Argument validation (source-dir, output-dir)
2. rsync copy (preserve permissions, metadata)
3. Apply all 22 rules sequentially (find + sed)
4. Print summary with next steps
Each rule follows the pattern:
```bash
echo " - Replacing clarun.xyz → example.com"
find "$OUTPUT_DIR" -type f \( -name "*.nix" -o -name "*.md" \) \
-exec sed -i 's/clarun\.xyz/example.com/g' {} \;
```
This makes rules easy to add, remove, or modify.
** Validation Script Design
The validate-sanitization.sh script checks for:
1. Personal domains (clarun.xyz, talu.uno)
2. Personal IPs (192.168.1.x, 45.77.205.49)
3. Personal paths (/home/dan)
4. Personal hostname (jrz1, but allow ops-jrz1)
5. Personal email (dlei@duck.com)
6. Secrets (via gitleaks if available)
Exit codes:
- 0: All checks passed
- 1: One or more checks failed
The script provides colored output:
- Green ✓ for passed checks
- Red ✗ for failed checks
- Yellow ⚠ for warnings (gitleaks not installed)
** Git Hook Design Philosophy
The hooks are designed to be:
- **Fast on commit**: validate-sanitization-hook only checks staged files (not full repo)
- **Thorough on push**: nix-flake-check and nix-build run before remote push (slow but safe)
- **Informative**: All hooks provide clear error messages with debugging hints
- **Bypassable**: Can use --no-verify if needed (emergency commits)
The pre-commit framework manages hook installation and execution. The custom hooks are just bash scripts that the framework calls.
** Decision: No CI/CD Yet
We decided not to implement GitHub Actions or other CI/CD in Phase 2. Rationale:
- This is a dev/test server, not production
- Local git hooks provide sufficient validation
- CI/CD adds infrastructure dependency
- Public sharing (which would need CI/CD) is deferred to Phase 8
When we eventually share publicly, we'll add:
- .github/workflows/ci.yml (nix flake check, gitleaks, build validation)
- .github/ISSUE_TEMPLATE/ (bug reports, feature requests)
- CONTRIBUTING.md (contribution guidelines)
- SECURITY.md (vulnerability disclosure)
But for now, local validation is enough.
** User Interaction Points
During this session, the user:
1. Requested automated review after Phase 2 completion
2. Noticed git status issues (no commits yet)
3. Asked to set up git repository
4. Requested git config for this repo only (not global)
5. Provided name ("Dan") and email ("dleink@gmail.com")
6. Approved commit with foundation files
This demonstrates the speckit workflow allows natural pausing and reviewing. The user wasn't pressured to proceed immediately to Phase 3, but instead took time to understand the foundation.
** Performance Considerations
The sanitization script uses `find -exec sed -i`, which is:
- Fast enough for our use case (8 modules, ~300 lines each)
- Simple and readable
- POSIX-compatible
For larger codebases (hundreds of files), we might consider:
- Parallel execution with GNU parallel
- Bulk sed script (one sed invocation with multiple rules)
- Rust/Go rewrite for speed
But for this project, bash is sufficient. Premature optimization avoided.
** Security Considerations
The foundation implements defense in depth:
1. .gitignore prevents committing secrets (secrets/*.yaml)
2. Sanitization scripts remove personal info
3. Validation scripts verify removal
4. Git hooks block bad commits
5. Pre-push hooks validate builds
6. gitleaks scans for secrets
This layered approach means multiple failures must occur for personal info to leak:
- Must bypass sanitization script
- Must pass validation script (or not run it)
- Must bypass pre-commit hook (--no-verify)
- Must not notice in git diff
- Must push without pre-push hook blocking
The probability of all these failing is low. Defense in depth works.
* Session Metrics
- Commits made: 1 (initial commit with 42 files)
- Files created this session: 11 (foundation only)
- Lines added: 7,741 (foundation + specs from previous sessions)
- Lines removed: 0
- Tests added: 0 (validation scripts, not automated tests)
- Tests passing: N/A (no test suite yet)
- Phases completed: 2 (Phase 1: Setup, Phase 2: Foundational)
- Tasks completed: 11 (T001-T004c, T005-T011)
- Tasks remaining in Phase 3: 28 (T012-T039)
- Time invested: ~90 minutes
- Checkpoint achieved: Foundation ready for Phase 3
** Phase Progress
- Phase 0 (Research): ✅ Complete (from 2025-10-11)
- Phase 1 (Setup): ✅ Complete (this session)
- Phase 2 (Foundational): ✅ Complete (this session)
- Phase 3 (US2 - Extract & Sanitize): ⏳ Next (28 tasks)
- Phase 4 (US5 - Documentation): ⏳ Pending (17 tasks)
- Phase 5 (US3 - Governance): 🔄 Optional/Deferred (15 tasks)
- Phase 6 (US4 - Sync): 🔄 Optional (10 tasks)
- Phase 7 (US1 - Deploy): ⏳ Pending (23 tasks)
- Phase 8 (Polish): 🔄 Partial Deferral (21 tasks, some deferred)
Total progress: 11/125 tasks complete (8.8%)
Critical path progress: 11/73 MVP tasks complete (15.1%)

1041
docs/worklogs/2025-10-13-phase-3-module-extraction.org
View file

File diff suppressed because it is too large Load diff

894
docs/worklogs/2025-10-14-migration-strategy-and-planning.org
View file

@ -1,894 +0,0 @@
#+TITLE: ops-jrz1 Migration Strategy and Deployment Planning Session
#+DATE: 2025-10-14
#+KEYWORDS: migration-planning, vultr-vps, ops-base, deployment-strategy, vm-testing, configuration-management
#+COMMITS: 0
#+COMPRESSION_STATUS: uncompressed
* Session Summary
** Date: 2025-10-14 (Day 4 of project, evening session)
** Focus Area: Strategic Planning for VPS Migration from ops-base to ops-jrz1
This session focused on understanding the deployment context, analyzing migration strategies, and planning the approach for moving the Vultr VPS from ops-base management to ops-jrz1 management. No code was written, but critical architectural understanding was established and a comprehensive migration plan was created.
This is a continuation from the previous day's Phase 3 completion. After successfully extracting and sanitizing Matrix platform modules, the session shifted to planning the actual deployment strategy.
Context: Session started with strategic assessment of post-Phase 3 state and evolved into deep dive on migration planning when the actual server relationship was clarified through user questions.
* Accomplishments
- [X] Completed strategic assessment of post-Phase 3 project state (39/125 tasks, 53.4% MVP)
- [X] Clarified critical misunderstanding about server relationship (ops-base manages SAME VPS, not different servers)
- [X] Analyzed four migration approach options (in-place, parallel, fresh deployment, dual VPS)
- [X] Examined ops-base repository structure and deployment scripts to understand current setup
- [X] Documented Vultr VPS configuration from ops-base (hostname jrz1, domain clarun.xyz, sops-nix secrets)
- [X] Created comprehensive 7-phase migration plan with rollback procedures
- [X] Identified VM testing as viable local validation approach before touching VPS
- [X] Generated local testing options guide (VM, container, build-only, direct deployment)
- [X] Documented risks and mitigation strategies for each migration approach
- [X] Established that ops-jrz1 modules are extracted from the SAME ops-base config currently running on VPS
- [ ] Execute migration (pending user decision on approach)
- [ ] Test in VM (recommended next step)
* Key Decisions
** Decision 1: Clarify Server Relationship and Purpose
- Context: Documentation referred to "dev/test server" but relationship to ops-base was unclear. Through iterative questioning, actual setup was clarified.
- Options considered:
1. ops-jrz1 as separate dev/test server (different hardware from ops-base)
- Pros: Low risk, can test freely
- Cons: Requires new hardware, doesn't match actual intent
2. ops-jrz1 as new repo managing THE SAME VPS as ops-base
- Pros: Matches actual setup, achieves configuration migration goal
- Cons: Higher risk (it's the running production/dev server)
3. ops-jrz1 as production server separate from ops-base dev server
- Pros: Clear separation
- Cons: Doesn't match user's actual infrastructure
- Rationale: Through user clarification: "ops-jrz1 is the new repo to manage the same server" and "we're going to use the already existing VPS on vultr that was set up with ops-base." This is a configuration management migration, not a deployment to new hardware. The server is a dev/test environment (not user-facing production), but it's the SAME physical VPS currently managed by ops-base.
- Impact: Changes entire deployment approach from "deploy to new server" to "migrate configuration management of existing server." Requires different risk assessment, testing strategy, and migration approach.
** Decision 2: Migration Approach - In-Place Configuration Swap (Recommended)
- Context: Four possible approaches for migrating VPS from ops-base to ops-jrz1 management
- Options considered:
1. In-Place Migration (swap configuration)
- Pros: Preserves all state (Matrix DB, bridge sessions), zero downtime if successful, NixOS generations provide rollback, cost-effective, appropriate for dev/test
- Cons: If migration fails badly server might not boot, need to copy hardware-configuration.nix, need to migrate secrets properly, differences might break things
- Risk: Medium (can test first with `nixos-rebuild test`, rollback available)
2. Parallel Deployment (dual boot)
- Pros: Very safe (always have ops-base fallback), full test with real hardware, easy rollback via GRUB
- Cons: State divergence between boots, secrets need availability to both, more complex to maintain two configs
- Risk: Low (safest approach)
3. VM Test → Fresh Deployment (clean slate)
- Pros: Clean slate, validates from scratch, VM testing first, good practice for production migrations
- Cons: Downtime during reinstall, complex backup/restore, data loss risk, time-consuming, overkill for dev/test
- Risk: High for data, Low for config
4. Deploy to Clean VPS (second server)
- Pros: Zero risk to existing VPS, old VPS keeps running, time to test new VPS
- Cons: Costs money (two VPS), DNS migration needed, data migration still required
- Risk: Very low (but expensive)
- Rationale: Option 1 (In-Place Migration) recommended because: (1) NixOS safety features (`nixos-rebuild test` validates before persisting, generations provide instant rollback), (2) State preservation (keeps Matrix database, bridge sessions intact - no re-pairing), (3) Cost-effective (no second VPS), (4) Appropriate risk for dev/test environment, (5) Built-in rollback via NixOS generations.
- Impact: Migration plan focused on in-place swap with test-before-commit strategy. Requires: (1) Get hardware-configuration.nix from VPS, (2) Un-sanitize ops-jrz1 config with real values (clarun.xyz, not example.com), (3) Test build locally, (4) Deploy with `test` mode (non-persistent), (5) Only `switch` if test succeeds.
** Decision 3: VM Testing as Pre-Migration Validation (Optional but Recommended)
- Context: Uncertainty about whether to test in VM before touching VPS
- Options considered:
1. VM test first (paranoid path)
- Pros: Catches configuration errors before VPS, validates service startup, tests module interactions, identifies missing pieces (hardware config, secrets)
- Cons: Adds 1-2 hours, some issues only appear on real hardware, secrets mocking required
2. Deploy directly to VPS (faster path)
- Pros: Faster to tangible result, acceptable risk for dev/test, can fix issues on server, `nixos-rebuild test` provides safety
- Cons: First run on production hardware, potential downtime if issues severe
- Rationale: VM testing recommended even for dev/test server because: (1) Builds validate syntax but don't test runtime behavior, (2) Issues caught in VM are issues prevented on VPS, (3) 1-2 hours investment prevents potential hours of VPS debugging, (4) Validates that extracted modules actually work together, (5) Tests secrets configuration (or reveals what's needed). However, this is optional - direct deployment is acceptable given NixOS safety features.
- Impact: Migration plan includes optional VM testing phase. If chosen, adds pre-migration step: build VM, test services start, fix issues, gain confidence before VPS deployment.
** Decision 4: Documentation Strategy - Keep Historical Context vs. Update for Accuracy
- Context: Documentation repeatedly refers to "dev/test server" which is technically correct, but the relationship to ops-base was initially misunderstood
- Options considered:
1. Update all docs to clarify migration context
- Pros: Accurate representation of what's happening, prevents future confusion
- Cons: Historical worklogs would be rewritten (loses authenticity)
2. Keep worklogs as-is, update only forward-facing docs (README, spec)
- Pros: Historical accuracy preserved, worklogs show evolution of understanding
- Cons: Worklogs might confuse future readers
3. Add clarification notes to worklogs without rewriting
- Pros: Preserves history + adds clarity
- Cons: Slightly verbose
- Rationale: Keep worklogs as historical record (they document the journey of understanding), but update README and spec.md to clarify the server relationship. The confusion itself is valuable context - shows how architectural understanding evolved through clarifying questions.
- Impact: Worklogs remain unchanged (historical accuracy), this worklog documents the clarification journey, README.md and spec.md can be updated later if needed. The "dev/test" terminology is correct and stays.
** Decision 5: Phase Sequencing - Migration Planning Before Phase 4 Documentation
- Context: After Phase 3 completion, could proceed with Phase 4 (documentation extraction) or Phase 7 (deployment/migration)
- Options considered:
1. Phase 4 first (documentation extraction)
- Pros: Repository becomes well-documented, no server dependencies, can work while preparing deployment, safe work
- Cons: Delays validation that extracted modules actually work, documentation without deployment experience might miss practical issues
2. Phase 7 first (deployment/migration)
- Pros: Validates extraction actually works in practice, achieves primary goal (working server), deployment experience improves Phase 4 documentation quality
- Cons: Requires server access and preparation, higher risk than documentation work
3. Hybrid (start Phase 4, pause for deployment when ready, finish Phase 4 with insights)
- Pros: Makes progress while preparing deployment, documentation informed by real deployment
- Cons: Context switching, incomplete phases
- Rationale: Decided to plan deployment thoroughly before executing either Phase 4 or 7. Understanding the migration context is critical for both: Phase 4 docs need to reflect migration reality, and Phase 7 execution needs careful planning given it's a live server. This session achieves that planning.
- Impact: Session focused on strategic planning rather than execution. Created comprehensive migration plan document, analyzed server relationship, examined ops-base configuration. This groundwork enables informed decision on Phase 4 vs. 7 vs. hybrid approach.
* Problems & Solutions
| Problem | Solution | Learning |
|---------|----------|----------|
| Initial misunderstanding of server relationship: Docs suggested ops-jrz1 was a separate "dev/test server" distinct from ops-base production. Unclear if same physical server or different hardware. | Through iterative clarifying questions: (1) "Is ops-jrz1 separate physical server?" (2) "ops-jrz1 is the new repo to manage the same server" (3) "we're going to use the already existing VPS on vultr that was set up with ops-base." This revealed: ops-base = old repo, ops-jrz1 = new repo, SAME Vultr VPS. | Ask clarifying questions early when architectural assumptions are unclear. Don't assume based on documentation alone - verify actual infrastructure setup. The term "dev/test" was correct (server purpose) but didn't clarify repository/server relationship. |
| User's question "can we build/deploy locally to test?" revealed gap in migration planning: Hadn't considered VM testing as option before deployment. | Generated comprehensive local testing options document covering: (1) VM build with `nix build .#...vm`, (2) NixOS containers, (3) Build-only validation, (4) Direct system deployment. Explained pros/cons of each, demonstrated VM workflow, positioned VM as safety layer before VPS. | NixOS provides excellent local testing capabilities (VMs, containers) that should be standard practice before deploying to servers. Even for dev/test environments, VM testing catches issues cheaper than server debugging. Document testing options as part of deployment workflow. |
| Uncertainty about risk profile: Is it safe to deploy to VPS? What if something breaks? How do we recover? | Documented NixOS safety features: (1) `nixos-rebuild test` = activate without persisting (survives reboot rollback), (2) `nixos-rebuild switch --rollback` = instant undo to previous generation, (3) NixOS generations = always have previous configs bootable, (4) GRUB menu = select generation at boot. Created rollback procedures for each migration phase. | NixOS generation system provides excellent safety for configuration changes. Unlike traditional Linux where bad config might brick system, NixOS generations mean previous working config is always one command (or boot menu selection) away. This dramatically lowers risk of configuration migrations. |
| How to find VPS IP and connection details without explicit knowledge? | Examined ops-base repository for clues: (1) Found deployment script `scripts/deploy-vultr.sh` showing usage pattern, (2) Checked configuration files for hostname/domain info, (3) Suggested checking bash history for recent deployments, (4) Suggested checking ~/.ssh/known_hosts for connection history. | Infrastructure connection details often scattered across: deployment scripts, bash history, SSH known_hosts, git commit messages. When explicit documentation missing, these artifacts reconstruct deployment patterns. Always check deployment automation first. |
| Need to understand current VPS configuration to plan migration: What services running? What secrets configured? What hardware? | Analyzed ops-base repository: (1) Read `configurations/vultr-dev.nix` - revealed hostname (jrz1), domain (clarun.xyz), email (dlei@duck.com), services (Matrix + Forgejo + Slack), (2) Read `flake.nix` - showed configuration structure and deployment targets, (3) Read `scripts/deploy-vultr.sh` - showed deployment command pattern. Documented findings for migration plan. | Current configuration is well-documented in IaC repository. When planning migration, examine source repo first before touching server. NixOS declarative configs are self-documenting - the .nix files ARE the documentation of what's deployed. |
| Migration plan needed to be actionable and comprehensive: Not just "deploy to VPS" but step-by-step with rollback at each phase. | Created 7-phase migration plan with: Phase 1 (get VPS IP), Phase 2 (gather config/backup), Phase 3 (adapt ops-jrz1), Phase 4 (test build locally), Phase 5 (deploy in test mode), Phase 6 (commit migration), Phase 7 (cleanup). Each phase has: time estimate, detailed steps, outputs/success criteria, rollback procedures. | Migration planning should be: (1) Phased with checkpoints, (2) Time-estimated for resource planning, (3) Explicit about outputs/validation, (4) Include rollback procedures for each phase, (5) Testable (non-persistent modes before commit). Good migration plan reads like a runbook. |
* Technical Details
** Code Changes
- Total files modified: 0 (planning session, no code written)
- Analysis performed on:
- `~/proj/ops-base/flake.nix` - Examined configuration structure and deployment targets
- `~/proj/ops-base/configurations/vultr-dev.nix` - Analyzed current VPS configuration
- `~/proj/ops-base/scripts/deploy-vultr.sh` - Reviewed deployment script pattern
- `/home/dan/proj/ops-jrz1/README.md` - Read to identify documentation gaps
- `/home/dan/proj/ops-jrz1/specs/001-extract-matrix-platform/spec.md` - Reviewed to understand project intent
** Key Findings from ops-base Analysis
### Current VPS Configuration (from vultr-dev.nix)
```nix
networking.hostName = "jrz1"; # Line 51
services.dev-platform = {
enable = true;
domain = "clarun.xyz"; # Line 124 - REAL domain, not sanitized
matrix = {
enable = true;
port = 8008;
};
forgejo = {
enable = true;
subdomain = "git";
port = 3000;
};
slackBridge = {
enable = true;
};
};
# sops-nix configuration
sops = {
defaultSopsFile = ../secrets/secrets.yaml;
age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ]; # Line 14
secrets."matrix-registration-token" = {
mode = "0400";
};
secrets."acme-email" = {
mode = "0400";
};
};
# Real values (not sanitized)
security.acme.defaults.email = "dlei@duck.com"; # Line 118
users.users.root.openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOqHsgAuD/8LL6HN3fo7X1ywryQG393pyQ19a154bO+h delpad-2025"
];
```
**Key Insights**:
- Hostname: `jrz1` (matches repository name ops-jrz1)
- Domain: `clarun.xyz` (personal domain, currently in production use)
- Services: Matrix homeserver + Forgejo git server + Slack bridge
- Secrets: Managed via sops-nix with SSH host key encryption
- Network: Vultr VPS using ens3 interface, DHCP
- Boot: Legacy BIOS mode, GRUB on /dev/vda
### Deployment Pattern (from deploy-vultr.sh)
```bash
# Check NixOS system first
if ssh root@"$VPS_IP" 'test -f /etc/NIXOS'; then
# Deploy with flake
nixos-rebuild switch --flake ".#$CONFIG" --target-host root@"$VPS_IP" --show-trace
fi
# Default config: vultr-dev
CONFIG="${2:-vultr-dev}"
```
**Pattern**: Direct SSH deployment using nixos-rebuild with flake reference. No intermediate steps, relies on NixOS already installed on target.
### Flake Structure (from ops-base flake.nix)
```nix
# Line 115-125: vultr-dev configuration
vultr-dev = nixpkgs.lib.nixosSystem {
inherit system;
specialArgs = { inherit pkgs-unstable; };
modules = [
sops-nix.nixosModules.sops
./configurations/vultr-dev.nix
./modules/mautrix-slack.nix
./modules/security/fail2ban.nix
./modules/security/ssh-hardening.nix
];
};
```
**Match with ops-jrz1**: Extracted modules are IDENTICAL to what's running. The modules in ops-jrz1 are sanitized versions of the SAME modules currently managing the VPS.
** Commands Used
### Information Gathering
```bash
# Check ops-base deployment scripts
ls -la ~/proj/ops-base/scripts/
# Found: deploy-vultr.sh, deploy-dev-vps.sh, etc.
# Read deployment script
cat ~/proj/ops-base/scripts/deploy-vultr.sh
# Revealed: nixos-rebuild switch --flake pattern
# Examine current VPS configuration
cat ~/proj/ops-base/configurations/vultr-dev.nix
# Found: hostname jrz1, domain clarun.xyz, sops-nix config
# Check flake structure
cat ~/proj/ops-base/flake.nix
# Found: vultr-dev configuration at line 115-125
```
### Finding VPS Connection Info (Suggested for Migration)
```bash
# Option 1: Check bash history for recent deployments
cd ~/proj/ops-base
grep -r "deploy-vultr" ~/.bash_history | tail -5
# Look for: ./scripts/deploy-vultr.sh <IP>
# Option 2: Check SSH known_hosts
grep "vultr\|jrz1" ~/.ssh/known_hosts
# Option 3: Test SSH connection
ssh root@<vps-ip> 'hostname'
# Should return: jrz1
ssh root@<vps-ip> 'nixos-version'
# Should return: NixOS version info
```
### Migration Commands (From Plan)
```bash
# Phase 1: Get hardware config from VPS
ssh root@<vps-ip> 'cat /etc/nixos/hardware-configuration.nix' > /tmp/vps-hardware-config.nix
# Phase 2: Document current state
ssh root@<vps-ip> 'systemctl list-units --type=service --state=running | grep -E "matrix|mautrix|continuwuity"'
ssh root@<vps-ip> 'nixos-rebuild list-generations | head -5'
# Phase 3: Test build locally
cd /home/dan/proj/ops-jrz1
nix build .#nixosConfigurations.ops-jrz1.config.system.build.toplevel --show-trace
# Phase 4: Optional VM test
nix build .#nixosConfigurations.ops-jrz1.config.system.build.vm
./result/bin/run-ops-jrz1-vm
# Phase 5: Deploy in test mode (non-persistent)
ssh root@<vps-ip>
cd /root/ops-jrz1-config
sudo nixos-rebuild test --flake .#ops-jrz1 --show-trace
# Phase 6: Verify and switch permanently
sudo nixos-rebuild switch --flake .#ops-jrz1 --show-trace
# Rollback if needed
sudo nixos-rebuild switch --rollback
```
** Architecture Notes
### Configuration Management Migration Pattern
This migration represents a common pattern: moving from one IaC repository to another while managing the same infrastructure.
**Key characteristics**:
1. **Source of Truth Migration**: ops-base → ops-jrz1 as authoritative config
2. **State Preservation**: Matrix database, bridge sessions, user data must survive
3. **Zero-Downtime Goal**: Services should stay running through migration
4. **Rollback Capability**: Must be able to return to ops-base management if issues arise
**NixOS Advantages for This Pattern**:
- **Declarative Config**: Both repos define desired state, not imperative steps
- **Atomic Activation**: Config changes are atomic (all or nothing)
- **Generations**: Previous configs remain bootable (instant rollback)
- **Test Mode**: `nixos-rebuild test` activates without persisting (safe validation)
### ops-jrz1 Architecture Decisions Validated
**Module Extraction Correctness**:
- ✅ Extracted modules match what's running on VPS (validated by examining ops-base)
- ✅ Module paths are correct (e.g., modules/mautrix-slack.nix in both repos)
- ✅ Sanitization preserved functionality (only replaced values, not logic)
- ✅ sops-nix integration pattern matches (SSH host key encryption)
**What Needs Un-Sanitization for This VPS**:
- Domain: `example.com` → `clarun.xyz`
- Email: `admin@example.com` → `dlei@duck.com`
- Services: Currently commented out examples → Actual service enables
- Hostname: `matrix` (sanitized) → `jrz1` (actual)
**What Stays Sanitized (For Public Sharing)**:
- Git repository: Keep sanitized versions committed
- Local un-sanitization: Happens during deployment configuration
- Pattern: Sanitized template + deployment-specific values = actual config
### Deployment Safety Layers
**Layer 1: Local Build Validation**
```bash
nix build .#nixosConfigurations.ops-jrz1.config.system.build.toplevel
```
- Validates: Syntax, module imports, option types, build dependencies
- Catches: 90% of configuration errors before deployment
- Time: ~2-3 minutes
**Layer 2: VM Testing (Optional)**
```bash
nix build .#nixosConfigurations.ops-jrz1.config.system.build.vm
./result/bin/run-ops-jrz1-vm
```
- Validates: Service startup, systemd units, network config, module interactions
- Catches: Runtime issues, missing dependencies, startup failures
- Time: ~30-60 minutes (build + testing)
**Layer 3: Test Mode Deployment**
```bash
nixos-rebuild test --flake .#ops-jrz1
```
- Validates: Real hardware, actual secrets, network interfaces
- Catches: Hardware-specific issues, secrets problems, network misconfig
- Safety: Non-persistent (survives reboot)
- Time: ~5 minutes
**Layer 4: NixOS Generations Rollback**
```bash
nixos-rebuild switch --rollback
# Or select at boot via GRUB
```
- Validates: Nothing (this is the safety net)
- Recovers: Any issues that made it through all layers
- Safety: Previous config always bootable
- Time: ~30 seconds
**Risk Reduction Through Layers**:
- No layers: High risk (deploy directly, hope it works)
- Layer 1 only: Medium risk (syntax valid, but might not run)
- Layers 1+3: Low risk (tested on target, with rollback)
- Layers 1+2+3: Very low risk (tested in VM and on target)
- All layers: Paranoid but comprehensive
### State vs. Configuration Management
**State (Preserved Across Migration)**:
- Matrix database: User accounts, rooms, messages, encryption keys
- Bridge sessions: Slack workspace connection, WhatsApp pairing, Google Messages pairing
- Secrets: Registration tokens, app tokens, encryption keys (in sops-nix)
- User data: Any files in /var/lib/, /home/, etc.
**Configuration (Changed by Migration)**:
- NixOS system closure: Which packages, services, systemd units
- Service definitions: How services are configured and started
- Network config: Firewall rules, interface settings (though values same)
- Boot config: GRUB entries (adds new generation)
**Why This Matters**:
- State persists on disk: Database files, secret files, session data
- Configuration is regenerated: NixOS rebuilds system closure on each switch
- Migration changes configuration source but not state
- As long as new config reads same state files, services continue seamlessly
**Potential State Issues**:
- Database schema changes: If new modules expect different schema (shouldn't, same modules)
- Secret paths: If ops-jrz1 looks for secrets in different location (need to match)
- Service user/group changes: If UID/GID changes, file permissions break (need to match)
- Data directory paths: If paths change, services can't find data (need to match)
**Mitigation**:
- Use SAME module code (extracted from ops-base, so identical)
- Use SAME secret paths (sops-nix config matches)
- Use SAME service users (module code defines users)
- Use SAME data directories (module code defines paths)
* Process and Workflow
** What Worked Well
- **Iterative clarifying questions**: Started with strategic assessment, but user questions ("can we build locally?", "use existing VPS") revealed need for deeper understanding. Each clarification refined the migration plan.
- **Repository archaeology**: Examining ops-base (flake, configs, scripts) reconstructed current VPS setup without needing to SSH to server. Declarative configs are self-documenting.
- **Options analysis with pros/cons**: For each decision point (migration approach, VM testing, documentation), laid out multiple options with explicit trade-offs. This made decision-making transparent.
- **Comprehensive migration plan**: Created 7-phase plan with time estimates, detailed steps, outputs, and rollback procedures. Reads like a runbook - actionable and specific.
- **Risk assessment at each layer**: Documented deployment safety layers (build, VM, test mode, generations) with risk reduction analysis. Helps user choose appropriate safety level.
- **Learning from previous sessions**: Referenced previous worklogs for continuity (Phase 1-3 completion). Showed progression from foundation → extraction → deployment planning.
** What Was Challenging
- **Architectural ambiguity**: Initial confusion about ops-base vs. ops-jrz1 relationship. Documentation said "dev/test server" but didn't clarify if it was the SAME server or a different one. Required multiple clarifying exchanges.
- **Balancing documentation accuracy vs. historical record**: Worklogs mentioned "dev/test" which is correct, but initial interpretation was wrong. Decided to keep worklogs as-is (historical accuracy) rather than rewrite them.
- **Estimating migration time**: Hard to predict without knowing: (1) if VPS IP is known, (2) if VM testing will be done, (3) user's comfort with NixOS. Provided ranges (5-80 minutes) rather than single estimates.
- **Secrets migration complexity**: sops-nix with SSH host keys means secrets are encrypted to server's key. Need to verify ops-jrz1 expects secrets in same location with same encryption. Documented but didn't test.
- **No hands-on validation**: Created migration plan without access to VPS or testing in VM. Plan is based on analysis of ops-base config and NixOS knowledge, but hasn't been validated. Risk: Plan might miss VPS-specific details.
** Time Allocation
Estimated time spent on strategic planning session:
- Strategic assessment: ~10 minutes (reviewing Phase 3 state, options analysis)
- Server relationship clarification: ~15 minutes (iterative questioning, resolving confusion)
- ops-base repository analysis: ~20 minutes (reading flake, configs, scripts)
- Migration approach analysis: ~15 minutes (4 options with pros/cons)
- Local testing options: ~10 minutes (VM, container, build-only documentation)
- Comprehensive migration plan: ~30 minutes (7 phases with details, rollback procedures)
- Total: ~100 minutes for planning (no execution)
Comparison: Phase 3 execution took ~80 minutes. This planning session (100 minutes) is longer than Phase 3 because migration to live server requires more careful planning than extracting code.
** Workflow Pattern That Emerged
The strategic planning workflow that emerged:
1. **Assess Current State** (what's complete, what's next)
2. **User Clarifying Questions** (reveal context gaps)
3. **Repository Archaeology** (examine existing code for clues)
4. **Options Analysis** (multiple approaches with trade-offs)
5. **Risk Assessment** (identify safety layers and rollback)
6. **Comprehensive Planning** (detailed step-by-step with validation)
7. **Document Plan** (actionable runbook format)
This pattern works well for infrastructure migrations where: (1) existing system is running, (2) new system must match functionality, (3) state must be preserved, (4) risk of failure is non-trivial.
* Learning and Insights
** Technical Insights
- **NixOS test mode is underutilized**: `nixos-rebuild test` activates configuration without persisting across reboot. This is perfect for validating migrations - you can test the new config, verify services work, then either `switch` (make permanent) or `reboot` (rollback). Many NixOS users don't know about this feature.
- **Declarative configs are self-documenting**: The ops-base vultr-dev.nix file is complete documentation of what's deployed. No separate "deployment notes" needed - the .nix file IS the notes. This makes IaC repository analysis extremely valuable for migration planning.
- **sops-nix with SSH host keys is clever**: Using `/etc/ssh/ssh_host_ed25519_key` for age encryption means secrets are encrypted to the server's identity. The secret files can be in git (encrypted), and they auto-decrypt on the server (because it has the key). No manual key management needed.
- **NixOS generations are the ultimate safety net**: Every `nixos-rebuild switch` creates a new generation. Previous generations are always bootable. This means configuration changes are nearly risk-free - worst case, you boot to previous generation. This is a HUGE advantage over traditional Linux where bad config might brick the system.
- **Module extraction preserves functionality**: ops-jrz1 modules are extracted from ops-base. Because NixOS modules are hermetic (all dependencies declared), extracting a module to a new repo doesn't break it. The module code is self-contained. This validates the extraction approach.
** Process Insights
- **Clarify infrastructure before planning deployment**: The session started with "should we deploy now?" but needed to clarify "deploy WHERE?" first. Understanding ops-base manages the same VPS changed the entire migration strategy. Always map infrastructure before planning changes.
- **Options analysis prevents premature decisions**: Laying out 4 migration approaches with pros/cons prevented jumping to "just deploy it." User can now make informed choice based on risk tolerance, time availability, and comfort level. Better than recommending one approach dogmatically.
- **Migration planning is iterative refinement**: Started with "Phase 4 or Phase 7?", refined to "What server are we deploying to?", refined to "How should we migrate?", refined to "7-phase detailed plan." Each question revealed more context. Planning sessions should embrace this iterative discovery.
- **Time estimates with ranges are more honest**: Saying "Phase 5: 15 minutes" is misleading because it assumes: (1) no issues during test, (2) user is familiar with commands, (3) VPS responds quickly. Saying "5-20 minutes depending on issues" is more realistic. Ranges > point estimates for complex operations.
- **Documentation gaps reveal understanding gaps**: When user asked "can we build locally?", it revealed we hadn't discussed VM testing. When clarifying server relationship, it revealed docs were ambiguous about ops-base vs. ops-jrz1. Documentation writing surfaces assumptions.
** Architectural Insights
- **Configuration management migration vs. infrastructure migration**: This isn't "deploy to new server" (infrastructure migration), it's "change how we manage existing server" (config management migration). The distinction matters: infrastructure migration = new state, config management migration = preserve state. Different risk profiles, different approaches.
- **Sanitization creates reusable templates**: ops-jrz1 modules are sanitized (example.com, generic IPs) but deployment configs use real values (clarun.xyz). This separation enables: (1) Public sharing of modules (sanitized), (2) Private deployment configs (real values), (3) Clear boundary between template and instance. This is a pattern worth replicating.
- **Layers of validation match risk tolerance**: Build validation (low cost, catches 90%) → VM testing (medium cost, catches 95%) → Test mode (high cost, catches 99%) → Generations (recovery layer). Users can choose which layers based on risk tolerance. Not everyone needs all layers, but everyone should know what each layer provides.
- **State preservation is the hard part of migrations**: Configuration is easy to change (NixOS makes this atomic and rollback-safe). State preservation is hard (databases, secrets, sessions). Migration plan must explicitly address state: what persists, what doesn't, how to verify. Most migration plans focus on config and forget state.
** Security Insights
- **Sanitization prevents accidental exposure**: The fact that ops-jrz1 modules have example.com (not clarun.xyz) prevents accidentally publishing personal domains in commits. When un-sanitizing for deployment, values live in local deployment config (not committed). This separation protects privacy.
- **Secrets with sops-nix are git-safe**: The ops-base secrets/secrets.yaml can be committed (encrypted). Only the server with SSH host key can decrypt. This means: (1) Secrets in version control (good for auditing), (2) No plain-text secrets on developer machines, (3) Server-specific decryption (can't decrypt secrets without server access). Better than "secrets in environment variables" or "secrets in .env files."
- **Migration preserves secret access**: Because ops-jrz1 uses sops-nix with same SSH host key path, migrating config doesn't require re-encrypting secrets. The encrypted secrets.yaml from ops-base can work with ops-jrz1 config. This is key for zero-downtime migration.
** Migration Planning Insights
- **Test mode before commit mode**: `nixos-rebuild test` (non-persistent) before `nixos-rebuild switch` (persistent) is critical safety pattern. Costs ~5 minutes extra but prevents breaking production with bad config. Should be standard practice for any server config change.
- **Rollback procedures at each phase**: Not just "here's how to migrate" but "here's how to undo if this phase fails." Migration plans without rollback procedures are incomplete. Every phase should document: if this breaks, do X to recover.
- **Validate outputs at each phase**: Phase 1 should output VPS_IP. Phase 2 should output hardware-configuration.nix. Phase 3 should output "build succeeded." Each phase has clear success criteria. This makes migration debuggable - you know exactly which phase failed and what was expected.
- **Migration time is longer than deployment time**: Deploying to fresh server: ~30 minutes. Migrating existing server: ~80 minutes. Why? More validation steps, state verification, backup procedures, rollback planning. Plan accordingly - migrations are NOT quick deploys.
* Context for Future Work
** Open Questions
- **VPS IP unknown**: Migration plan requires VPS IP, but we don't have it yet. Need to either: (1) check bash history for recent deployments, (2) ask user directly, (3) check ~/.ssh/known_hosts for connection history. Until VPS IP is known, can't proceed with migration.
- **Secrets structure verification**: ops-base uses sops-nix with specific secret names (matrix-registration-token, acme-email). Does ops-jrz1 reference these same names? Need to verify module code expects same secret structure. Mismatch would cause service failures.
- **Hardware config availability**: Does Vultr VPS have hardware-configuration.nix at /etc/nixos/hardware-configuration.nix? Or does ops-base use a static vultr-hardware.nix (which exists in repo)? Need to check which approach is currently used. This affects Phase 2 of migration.
- **Service state preservation risk**: What happens to bridge sessions during migration? Slack bridge uses tokens (should survive). WhatsApp bridge uses QR pairing (might need re-pairing?). Google Messages uses oauth (might need re-auth?). Need to understand service state persistence.
- **VM testing feasibility**: Can we build a working VM with ops-jrz1 config? VM will fail on secrets (no age key), but should it fail gracefully (services disabled) or catastrophically (build fails)? Need to test if VM build is viable for validation.
- **Time to migrate**: Is now the right time? User might prefer: (1) more planning/preparation, (2) VM testing first, (3) Phase 4 documentation before deployment, (4) wait for better time (less busy, more bandwidth for debugging). Migration timing is user decision.
** Next Steps
### Immediate Options (User Decision Required)
**Option A: Execute Migration Now**
1. Find VPS IP (bash history, known_hosts, or ask)
2. Run Phase 1-2: Gather VPS info and backup
3. Run Phase 3: Adapt ops-jrz1 config with real values
4. Run Phase 4: Test build locally
5. Run Phase 5: Deploy in test mode to VPS
6. Run Phase 6: Switch permanently if test succeeds
7. Run Phase 7: Update docs and cleanup
- **Time**: ~80 minutes (if no issues)
- **Risk**: Low-Medium (NixOS safety features provide rollback)
- **Outcome**: VPS managed by ops-jrz1
**Option B: VM Testing First (Paranoid Path)**
1. Adapt ops-jrz1 config for VM (disable/mock secrets)
2. Build VM: `nix build .#ops-jrz1.config.system.build.vm`
3. Run VM and test services
4. Fix any issues discovered in VM
5. THEN execute Option A (migration) with confidence
- **Time**: ~2-3 hours (VM testing + migration)
- **Risk**: Very Low (issues caught in VM before VPS)
- **Outcome**: VPS managed by ops-jrz1, high confidence it works
**Option C: Phase 4 Documentation First**
1. Extract deployment guides from ops-base docs/
2. Extract bridge setup guides
3. Sanitize and commit documentation
4. THEN return to migration when ready
- **Time**: ~2-3 hours for Phase 4
- **Risk**: Zero (no server changes)
- **Outcome**: Better docs, migration deferred
**Option D: Pause and Prepare**
1. Gather prerequisites (VPS IP, check secrets, review plan)
2. Choose best time for migration (when have 2-3 hours)
3. Execute when prepared
- **Time**: Deferred
- **Risk**: Zero (no changes)
- **Outcome**: Better preparation, migration later
### Prerequisites Checklist (For Options A or B)
Before migration, verify:
- [ ] VPS IP address known
- [ ] SSH access to VPS works: `ssh root@<vps-ip> hostname`
- [ ] ops-base secrets structure understood (sops-nix config)
- [ ] ops-jrz1 modules reference same secret names
- [ ] Have 2-3 hours available for migration (including contingency)
- [ ] Comfortable with NixOS rollback procedures
- [ ] Know how to access VPS console (Vultr panel) if SSH breaks
### Phase 4 Tasks (If Chosen)
If doing Phase 4 (documentation) first:
- T040-T044: Extract deployment guides (5 tasks)
- T045-T048: Extract bridge setup guides (4 tasks)
- T049-T051: Extract reference documentation (3 tasks)
- T052-T056: Sanitize, validate, commit (5 tasks)
- Total: 17 tasks, ~2-3 hours
### Phase 7 Tasks (If Migration Executed)
If doing Phase 7 (deployment/migration):
- Gather info and backup (10-15 min)
- Adapt configuration (30 min)
- Test build locally (10 min)
- Deploy in test mode (15 min)
- Switch permanently (5 min)
- Verify and document (15 min)
- Total: ~80 minutes (optimistic), 2-3 hours (realistic with issues)
** Related Work
- Worklog: `docs/worklogs/2025-10-11-matrix-platform-extraction-rfc.org` - RFC consensus and spec creation
- Worklog: `docs/worklogs/2025-10-11-matrix-platform-planning-phase.org` - Plan, data model, contracts generation
- Worklog: `docs/worklogs/2025-10-13-ops-jrz1-foundation-initialization.org` - Phase 1 & 2 foundation setup
- Worklog: `docs/worklogs/2025-10-13-phase-3-module-extraction.org` - Phase 3 module extraction complete
- ops-base repository: `~/proj/ops-base/` - Source of modules and current VPS management
- Migration plan: `/tmp/migration-plan-vultr-vps.md` - Comprehensive 7-phase migration plan (generated this session)
- Testing options: `/tmp/local-testing-options.md` - VM, container, build-only guides (generated this session)
- Specification: `specs/001-extract-matrix-platform/spec.md` - Project requirements and user stories
- Tasks: `specs/001-extract-matrix-platform/tasks.md` - 125 tasks breakdown (39 complete)
** Testing Strategy for Migration
When migration is executed (Phase 7), validate at each step:
### Phase 2 Validation: Gather VPS Info
- [ ] hardware-configuration.nix obtained (or vultr-hardware.nix identified)
- [ ] Current services list shows: continuwuity, mautrix-slack, nginx, fail2ban
- [ ] NixOS generation list shows recent successful boots
- [ ] Secrets directory exists: /run/secrets/ or /var/lib/sops-nix/
### Phase 3 Validation: Adapt ops-jrz1 Config
- [ ] hosts/hardware-configuration.nix exists and matches VPS
- [ ] hosts/ops-jrz1.nix imports hardware config
- [ ] hosts/ops-jrz1.nix has sops-nix config matching ops-base
- [ ] hosts/ops-jrz1.nix has services enabled (not commented examples)
- [ ] Real values used: clarun.xyz (not example.com), dlei@duck.com (not admin@example.com)
### Phase 4 Validation: Local Build
- [ ] Build succeeds: `nix build .#ops-jrz1.config.system.build.toplevel`
- [ ] No errors in output
- [ ] Result symlink created
- [ ] Optional: VM builds (if testing VM)
### Phase 5 Validation: Test Mode Deployment
- [ ] nixos-rebuild test completes without errors
- [ ] Services start: `systemctl status continuwuity mautrix-slack nginx`
- [ ] Matrix API responds: `curl http://localhost:8008/_matrix/client/versions`
- [ ] Forgejo responds: `curl http://localhost:3000`
- [ ] No critical errors in journalctl: `journalctl -xe | grep -i error`
### Phase 6 Validation: Permanent Switch
- [ ] nixos-rebuild switch completes without errors
- [ ] New generation added: `nixos-rebuild list-generations`
- [ ] Services still running after switch
- [ ] Optional: Reboot and verify services start on boot
### Rollback Validation (If Needed)
- [ ] Rollback command works: `sudo nixos-rebuild switch --rollback`
- [ ] Services return to previous state
- [ ] ops-base config active again
- [ ] No data loss (Matrix DB intact, bridge sessions preserved)
* Raw Notes
** Server Relationship Evolution of Understanding
Session started with assumption: ops-jrz1 is separate dev/test server from ops-base production.
First clarification: "ops-jrz1 is the new repo to manage the same server"
- This revealed: Not separate servers, same physical VPS
- But still unclear: Is that VPS production or dev/test?
Second clarification: "there is no prod server, this is a dev/test server for experimentation"
- OK, so ops-jrz1 is correct label (dev/test)
- But then: Is it NEW dev/test server or EXISTING from ops-base?
Third clarification: "we're going to use the already existing VPS on vultr that was set up with ops-base"
- AH! Same VPS that ops-base currently manages
- Migration, not fresh deployment
- ops-base = old management, ops-jrz1 = new management, SAME hardware
This iterative refinement was essential for correct planning. Each question revealed another layer of context.
** ops-base Repository Findings
Examined ops-base flake.nix and found 10 configurations:
1. local-dev (current host)
2. vultr-vps (production template)
3. local-vm (Proxmox VM)
4. matrix-vm (testing)
5. continuwuity-vm (official test)
6. continuwuity-federation-test (federation testing)
7. comm-talu-uno (production VM 900 on Proxmox)
8. dev-vps (development VPS)
9. dev-vps-vm (dev VPS as VM)
10. **vultr-dev** (Vultr VPS optimized for development) ← This is the one!
The `vultr-dev` configuration (line 115-125) is what's currently deployed. It:
- Imports dev-services.nix (composite module)
- Imports mautrix-slack.nix
- Imports security modules (fail2ban, ssh-hardening)
- Uses sops-nix for secrets
- Targets development (no federation)
This matches exactly what we extracted to ops-jrz1. The modules are IDENTICAL.
** Migration Approach Analysis
Considered 4 approaches, scored on multiple dimensions:
| Approach | State Preservation | Downtime | Risk | Complexity | Cost |
|----------|-------------------|----------|------|------------|------|
| In-Place | Excellent | Zero* | Medium | Low | $0 |
| Parallel | Good | Zero* | Low | Medium | $0 |
| Fresh Deploy | Poor | High | High (data) | High | $0 |
| Dual VPS | Excellent | Zero | Very Low | High | $$ |
*assuming successful migration
Winner: In-Place migration because:
- Best state preservation (no data migration)
- Lowest complexity (direct config swap)
- NixOS safety features reduce risk
- Cost-effective
Parallel (dual boot) is safer but more complex to maintain two configs.
** NixOS Safety Features Deep Dive
`nixos-rebuild test` implementation:
```
test: Activate new config but DON'T set as boot default
- Switches systemd to new units
- Restarts changed services
- Does NOT update bootloader
- Does NOT survive reboot
Result: Test the config, reboot undoes it
```
`nixos-rebuild switch` implementation:
```
switch: Activate new config AND set as boot default
- Switches systemd to new units
- Restarts changed services
- Updates bootloader (GRUB) with new generation
- Survives reboot
Result: Permanent change
```
Generations:
```
Each nixos-rebuild switch creates new generation:
- /nix/var/nix/profiles/system-N-link
- Bootloader shows all recent generations
- Can select at boot (GRUB menu)
- Can switch to specific generation
Result: Every config change is versioned and reversible
```
This is fundamentally different from traditional Linux where:
- Bad config might prevent boot
- Recovery requires rescue USB/mode
- No built-in versioning
- Manual backups needed
NixOS generations make config changes nearly risk-free.
** Secrets Management with sops-nix
From ops-base vultr-dev.nix:
```nix
sops = {
defaultSopsFile = ../secrets/secrets.yaml;
age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
secrets."matrix-registration-token" = {
mode = "0400";
};
};
```
How this works:
1. secrets/secrets.yaml is encrypted with age
2. Encrypted to server's SSH host key (public key)
3. On server, SSH host key (private key) decrypts secrets
4. Decrypted secrets placed in /run/secrets/
5. Services read from /run/secrets/matrix-registration-token
Benefits:
- Secrets in git (encrypted, safe)
- No manual key distribution (uses SSH host key)
- Server-specific (can't decrypt without server access)
- Automatic decryption on boot
For migration:
- ops-jrz1 needs SAME secret structure
- Must reference SAME secret names
- Can reuse SAME encrypted secrets.yaml (encrypted to same SSH host key)
- No re-encryption needed
** VM Testing Considerations
Building VM from ops-jrz1 config will likely fail because:
1. Secrets not available (no SSH host key from VPS)
2. sops-nix will error trying to decrypt
3. Services that need secrets won't start
Options for VM testing:
1. Disable sops-nix in VM config (comment out)
2. Mock secrets with plain files (insecure but works for testing)
3. Generate test age key and encrypt test secrets
4. Accept that secrets fail, test everything else
Even with secret failures, VM tests:
- Configuration syntax
- Module imports
- Service definitions
- Network config (port allocations)
- Systemd unit structure
Worth doing VM test? Depends on:
- Time available (adds 1-2 hours)
- Risk tolerance (paranoid or confident?)
- NixOS experience (familiar with rollback or not?)
Recommendation: Optional but valuable. Even partial VM test (without secrets) catches 80% of issues.
** Migration Time Breakdown
Optimistic (everything works first try):
- Phase 1: 5 min (get IP, test SSH)
- Phase 2: 10 min (gather config, backup)
- Phase 3: 30 min (adapt ops-jrz1)
- Phase 4: 10 min (test build)
- Phase 5: 15 min (deploy test mode)
- Phase 6: 5 min (switch permanent)
- Phase 7: 5 min (verify, document)
- Total: 80 minutes
Realistic (with debugging):
- Phase 1: 10 min (might need to search for IP)
- Phase 2: 20 min (careful backup, document state)
- Phase 3: 45 min (editing, testing locally, fixing issues)
- Phase 4: 20 min (build might fail, need fixes)
- Phase 5: 30 min (test might reveal issues, need fixes)
- Phase 6: 10 min (verify thoroughly before commit)
- Phase 7: 15 min (document, cleanup)
- Total: 150 minutes (2.5 hours)
Worst case (multiple issues):
- Add 50-100% to realistic estimate
- 3-4 hours if significant problems
- Rollback and defer if issues severe
Planning guidance: Allocate 2-3 hours, hope for 1.5 hours, be prepared for 4 hours.
** User Interaction Patterns
User's questions revealed gaps in planning:
1. "can we build/deploy locally to test?" → VM testing not discussed
2. "we're going to use the already existing VPS" → Server relationship unclear
3. Iterative clarifications refined understanding
This is healthy pattern: User questions drive planning refinement. Better than assuming and being wrong.
Assistant should:
- Ask clarifying questions early
- Don't assume infrastructure setup
- Verify understanding with user
- Adapt plan as context revealed
** Documentation vs. Execution Trade-off
Could have proceeded with:
1. Phase 4 (documentation extraction) - safe, no risk
2. Phase 7 (migration execution) - valuable, some risk
3. This session (planning) - preparatory, no execution
Chose planning because:
- Migration risk required careful thought
- User questions revealed context gaps
- Better to plan thoroughly than execute hastily
- Planning session creates actionable artifact (migration plan)
Trade-off: No tangible progress (no code, no deployment), but better understanding and safer path forward.
Was this the right choice? For infrastructure work with live systems, YES. Over-planning is better than under-planning when real services are affected.
** Next Session Possibilities
Depending on user decision:
1. VM testing session (~2 hours) - Build VM, test, iterate
2. Migration execution session (~2-3 hours) - Run the 7-phase plan
3. Documentation session (~2-3 hours) - Phase 4 extraction
4. Hybrid session (~4-5 hours) - VM test + migration
Each has different time commitment, risk profile, and outcome.
* Session Metrics
- Commits made: 0 (planning session, no code changes)
- Files read/analyzed: 5 (ops-base flake, configs, scripts; ops-jrz1 README, spec)
- Analysis documents generated: 3 (migration plan, testing options, strategic assessment)
- Lines of analysis: ~400 lines (migration plan) + ~200 lines (testing options) = ~600 lines
- Planning time: ~100 minutes
- Migration approaches analyzed: 4 (in-place, parallel, fresh, dual VPS)
- Decisions documented: 5 (server relationship, migration approach, VM testing, documentation strategy, phase sequencing)
- Problems identified: 6 (relationship confusion, VM testing gap, risk uncertainty, connection details, VPS config understanding, migration plan detail)
- Open questions: 6 (VPS IP, secrets structure, hardware config, service state, VM testing feasibility, migration timing)
** Progress Metrics
- Phase 0 (Research): ✅ Complete (2025-10-11)
- Phase 1 (Setup): ✅ Complete (2025-10-13)
- Phase 2 (Foundational): ✅ Complete (2025-10-13)
- Phase 3 (Extract & Sanitize): ✅ Complete (2025-10-13)
- Phase 3.5 (Strategic Planning): ✅ Complete (this session)
- Phase 4 (Documentation): ⏳ Pending (17 tasks)
- Phase 7 (Deployment): ⏳ Pending (23 tasks, plan created)
Total progress: 39/125 tasks (31.2%)
Critical path: 39/73 MVP tasks (53.4%)
** Project Health Assessment
- ✅ Foundation solid (Phases 1-2 complete)
- ✅ Modules extracted and validated (Phase 3 complete)
- ✅ Migration plan comprehensive (this session)
- ✅ Clear understanding of infrastructure (ops-base analysis)
- ⚠️ Migration not tested (VM testing pending)
- ⚠️ Deployment not executed (Phase 7 pending)
- ⚠️ Documentation incomplete (Phase 4 pending)
- ✅ On track for MVP (good progress, clear path forward)
** Session Type: Strategic Planning
Unlike previous sessions which were execution-focused (building foundation, extracting modules), this session was strategic planning:
- No code written
- No commits made
- Focus on understanding, analysis, decision-making
- Output: comprehensive plans and decision documentation
Value: Prevented hasty deployment, revealed infrastructure context, created actionable migration plan with safety layers.

528
docs/worklogs/2025-10-21-ops-jrz1-vm-testing-vps-deployment-package-fixes.org
View file

@ -1,528 +0,0 @@
#+TITLE: ops-jrz1 VM Testing Workflow and VPS Deployment with Package Resolution Fixes
#+DATE: 2025-10-21
#+KEYWORDS: nixos, vps, deployment, vm-testing, nixpkgs-unstable, package-resolution, matrix, vultr
#+COMMITS: 6
#+COMPRESSION_STATUS: uncompressed
* Session Summary
** Date: 2025-10-21 (Day 9 of ops-jrz1 project - Continuation session)
** Focus Area: VM testing workflow implementation, package resolution debugging, and production VPS deployment
This session focused on implementing VM testing as a pre-deployment validation step, discovering and fixing critical package availability issues, and deploying the ops-jrz1 configuration to the production VPS. The work validated the VM testing workflow by catching deployment-breaking issues before they could affect production.
* Accomplishments
- [X] Researched ops-base deployment patterns and historical approaches from worklogs
- [X] Fixed VM configuration build (package resolution for mautrix bridges)
- [X] Validated production configuration builds successfully
- [X] Discovered and fixed nixpkgs stable vs unstable package availability mismatch
- [X] Updated module function signatures to accept pkgs-unstable parameter
- [X] Configured ACME (Let's Encrypt) for production deployment
- [X] Retrieved hardware-configuration.nix from running VPS
- [X] Configured production host (hosts/ops-jrz1.nix) with clarun.xyz domain
- [X] Deployed to VPS using nixos-rebuild boot (safe deployment method)
- [X] Created 6 commits documenting VM setup, package fixes, and deployment config
- [X] Validated VM testing workflow catches deployment issues early
* Key Decisions
** Decision 1: Use VM Testing Before VPS Deployment (Option 3 from ops-base patterns)
- Context: User provided VPS IP (45.77.205.49) and asked about deployment approach
- Options considered:
1. Build locally, deploy remotely - Test build before touching production
2. Build & deploy on VPS directly - Simpler, faster with VPS cache
3. Safe testing flow - Build locally, deploy with nixos-rebuild boot, reboot to test
- Rationale:
- VPS is running live production services (Matrix homeserver with 2 weeks uptime)
- nixos-rebuild boot doesn't activate until reboot (safer than switch)
- Previous generation available in GRUB for rollback if needed
- Matches historical deployment pattern from ops-base worklogs
- Impact: Deployment approach minimizes risk to running production services
** Decision 2: Fix Module Package References to Use pkgs-unstable (Option 2)
- Context: VM build failed with "attribute 'mautrix-slack' missing" error
- Problem: ops-jrz1 uses nixpkgs 24.05 stable for base, but mautrix packages only in unstable
- Options considered:
1. Use unstable for everything - Affects entire system unnecessarily
2. Fix modules to use pkgs-unstable parameter - Precise scoping, self-documenting
3. Override per configuration - Repetitive, harder to maintain
- Rationale:
- Keeps stable base system (NixOS core, security updates)
- Only Matrix packages from unstable (under active development)
- Self-documenting (modules explicitly show they need unstable)
- Precise scoping (doesn't affect entire system stability)
- User feedback validated this was proper approach vs Option 1
- Impact: Enables building while maintaining system stability with hybrid approach
** Decision 3: Permit olm-3.2.16 Despite Security Warnings
- Context: Deprecated olm library with known CVEs (CVE-2024-45191, CVE-2024-45192, CVE-2024-45193)
- Problem: Required by all mautrix bridges, no alternatives currently available
- Rationale:
- Matrix bridges require olm for end-to-end encryption
- Upstream Matrix.org confirms exploits unlikely in practical conditions
- Vulnerability is cryptography library side-channel issues, not network exploitable
- Documented explicitly in configuration for future review
- Acceptable risk for bridge functionality until alternatives available
- Impact: Enables Matrix bridge functionality with informed security trade-off
** Decision 4: Enable Services in Production Host Configuration
- Context: hosts/ops-jrz1.nix had placeholder disabled service configs
- Problem: Need actual service configuration for VPS deployment
- Rationale:
- VPS already running Matrix homeserver and Forgejo from ops-base
- Continuity requires same services enabled in ops-jrz1
- Configuration from SSH inspection: clarun.xyz domain, delpadtech workspace
- Matches running system to avoid service disruption
- Impact: Seamless transition from ops-base to ops-jrz1 configuration
** Decision 5: Use dlei@duck.com for ACME Email
- Context: Let's Encrypt requires email for certificate expiration notices
- Rationale:
- Historical pattern from ops-base worklog (2025-10-01-vultr-vps-https-lets-encrypt-setup.org)
- Email not publicly exposed, only for CA notifications
- Matches previous VPS deployment pattern
- Impact: Enables automatic HTTPS certificate management
* Problems & Solutions
| Problem | Solution | Learning |
|---------|----------|----------|
| VM build failed: "attribute 'mautrix-slack' missing" at modules/mautrix-slack.nix:58 | 1. Identified root cause: pkgs from nixpkgs 24.05 stable lacks mautrix packages<br>2. Updated module function signatures to accept pkgs-unstable parameter<br>3. Changed package defaults from pkgs.* to pkgs-unstable.*<br>4. Fixed 5 references across 4 modules | NixOS modules need explicit parameters passed via specialArgs. Package availability differs significantly between stable and unstable channels. Module option defaults must use the correct package set. |
| Module function signatures missing pkgs-unstable parameter | Added pkgs-unstable to function parameters in all 4 modules: mautrix-slack.nix, mautrix-whatsapp.nix, mautrix-gmessages.nix, dev-services.nix | Module parameters must be explicitly declared in function signature before use. Nix will error on undefined variables. |
| VM flake check failed: "Package 'olm-3.2.16' is marked as insecure" | 1. Added permittedInsecurePackages to VM flake.nix pkgs-unstable config<br>2. Added permittedInsecurePackages to hosts/ops-jrz1-vm.nix nixpkgs.config<br>3. Documented security trade-off with explicit comments | Insecure package permissions must be set both in pkgs-unstable import (flake.nix) AND in nixpkgs.config (host config). Different scopes require different permission locations. |
| Production build failed with same olm error | Added permittedInsecurePackages to production flake.nix pkgs-unstable config AND configuration.nix | Same permission needed in both VM and production. Permissions in specialArgs pkgs-unstable don't automatically apply to base pkgs. |
| ACME configuration missing for production | Added security.acme block to configuration.nix with acceptTerms and defaults.email from ops-base pattern | ACME requires explicit terms acceptance and email configuration. Pattern matches historical deployment from ops-base/docs/worklogs/2025-10-01-vultr-vps-https-lets-encrypt-setup.org |
| VM testing attempted GUI console (qemu-kvm symbol lookup error for pipewire) | Recognized GUI not needed for validation - build success validates package availability | VM runtime testing not required when goal is package resolution validation. Successful build proves all packages resolve correctly. GUI errors in QEMU don't affect headless VPS deployment. |
* Technical Details
** Code Changes
- Total files modified/created: 9
- Commits made: 6
- Key files changed:
- `flake.nix` - Added ops-jrz1-vm configuration, configured pkgs-unstable with olm permission for both VM and production
- `configuration.nix` - Updated boot loader (/dev/vda), network (ens3), added ACME config, added olm permission
- `hosts/ops-jrz1-vm.nix` - Created VM testing config with services enabled, olm permission
- `hosts/ops-jrz1.nix` - Updated from placeholder to production config (clarun.xyz, delpadtech)
- `hardware-configuration.nix` - Created from VPS nixos-generate-config output
- `modules/mautrix-slack.nix` - Added pkgs-unstable parameter, changed default package
- `modules/mautrix-whatsapp.nix` - Added pkgs-unstable parameter, changed default package
- `modules/mautrix-gmessages.nix` - Added pkgs-unstable parameter, changed default package
- `modules/dev-services.nix` - Added pkgs-unstable parameter, changed 2 package references
** Commit History
```
40e5501 Fix: Add olm permission to pkgs-unstable in production config
0cbbb19 Allow olm-3.2.16 for mautrix bridges in production
982d288 Add ACME configuration for Let's Encrypt certificates
413a44a Configure ops-jrz1 for production deployment to Vultr VPS
4c38331 Fix Matrix package references to use nixpkgs-unstable
b8e00b7 Add VM testing configuration for pre-deployment validation
```
** Commands Used
### Package reference fixes
```bash
# Find all package references that need updating
rg "pkgs\.(mautrix|matrix-continuwuity)" modules/
# Test local build after fixes
nix build .#nixosConfigurations.ops-jrz1.config.system.build.toplevel -L
# Validate flake syntax
nix flake check
```
### VPS investigation
```bash
# Test SSH connectivity and check running services
ssh root@45.77.205.49 "hostname && nixos-version"
ssh root@45.77.205.49 'systemctl list-units --type=service --state=running | grep -E "(matrix|mautrix|continuwuit)"'
# Retrieve hardware configuration
ssh root@45.77.205.49 'cat /etc/nixos/hardware-configuration.nix'
# Check secrets setup
ssh root@45.77.205.49 'ls -la /run/secrets/'
```
### Deployment commands
```bash
# Sync repository to VPS
rsync -avz --exclude '.git' --exclude 'result' --exclude 'result-*' --exclude '*.qcow2' --exclude '.specify' \
/home/dan/proj/ops-jrz1/ root@45.77.205.49:/root/ops-jrz1/
# Deploy using safe boot method (doesn't activate until reboot)
ssh root@45.77.205.49 'cd /root/ops-jrz1 && nixos-rebuild boot --flake .#ops-jrz1'
# After reboot, switch would be:
# ssh root@45.77.205.49 'nixos-rebuild switch --flake .#ops-jrz1'
```
## Architecture Notes
### Hybrid nixpkgs Approach (Stable Base + Unstable Overlay)
The configuration uses a two-tier package strategy:
- **Base system (pkgs)**: nixpkgs 24.05 stable for core NixOS, systemd, security
- **Matrix packages (pkgs-unstable)**: nixpkgs-unstable for Matrix ecosystem
Implemented via specialArgs in flake.nix:
```nix
specialArgs = {
pkgs-unstable = import nixpkgs-unstable {
system = "x86_64-linux";
config = {
allowUnfree = true;
permittedInsecurePackages = ["olm-3.2.16"];
};
};
};
```
Modules access via function parameters:
```nix
{ config, pkgs, pkgs-unstable, lib, ... }:
```
### Package Availability Differences
**nixpkgs 24.05 stable does NOT include:**
- mautrix-slack
- mautrix-whatsapp
- mautrix-gmessages
- matrix-continuwuity (Conduwuit Matrix homeserver)
**nixpkgs-unstable includes all of the above** because Matrix ecosystem under active development.
### ACME Certificate Management Pattern
From ops-base historical deployment (2025-10-01):
- security.acme.acceptTerms = true (required)
- security.acme.defaults.email for notifications
- nginx virtualHosts with enableACME = true and forceSSL = true
- HTTP-01 challenge (requires port 80 open)
- Automatic certificate renewal 30 days before expiration
### VM Testing Workflow
Purpose: Catch deployment issues before they affect production
**Approach:**
1. Create ops-jrz1-vm configuration with services enabled (test-like)
2. Build VM: `nix build .#nixosConfigurations.ops-jrz1-vm.config.system.build.vm`
3. Successful build validates package resolution, module evaluation, secrets structure
4. Runtime testing optional (GUI limitations in some environments)
**Benefits demonstrated:**
- Caught package availability mismatch before VPS deployment
- Validated olm permission configuration needed
- Verified module function signatures
- Tested configuration without touching production
### VPS Current State (Before Deployment)
- Hostname: jrz1
- NixOS: 25.11 unstable
- Running services: Matrix (continuwuity), mautrix-slack, Forgejo, PostgreSQL, nginx, fail2ban, netdata
- Uptime: 2 weeks (Matrix homeserver stable)
- Secrets: /run/secrets/matrix-registration-token, /run/secrets/acme-email
- Domain: clarun.xyz
- Previous config: ops-base (unknown location on VPS)
* Process and Workflow
** What Worked Well
- VM testing workflow caught critical deployment issue before production
- Historical worklog research provided proven deployment patterns
- Incremental fixes (module by module) easier to debug than batch changes
- Local build testing before VPS deployment validated configuration
- SSH investigation of running VPS informed configuration decisions
- User feedback loop corrected initial weak reasoning (Option 1 vs Option 2)
- Git commits at logical checkpoints preserved intermediate working states
** What Was Challenging
- Initial attempt to fix package references forgot to add pkgs-unstable to function signatures
- olm permission needed in BOTH flake.nix specialArgs AND configuration.nix
- Understanding that pkgs-unstable permissions don't automatically apply to pkgs
- VM GUI testing didn't work in terminal environment (but wasn't needed)
- Deployment still running at end of session (long download time)
- Multiple rounds of rsync + build to iterate on fixes
** What Would Have Helped
- Earlier recognition that build success validates package resolution (VM runtime not needed)
- Understanding that permittedInsecurePackages needs to be in multiple locations
- Clearer mental model of flake specialArgs vs nixpkgs.config scoping
* Learning and Insights
** Technical Insights
- NixOS modules require explicit function parameters; specialArgs only provides them at module boundary
- Package availability differs dramatically between stable (24.05) and unstable channels
- Matrix ecosystem packages rarely make it into stable due to rapid development pace
- Insecure package permissions must be set in BOTH pkgs-unstable import AND nixpkgs.config
- VM build success is sufficient validation for package resolution; runtime testing is optional
- VM testing can run in environments without GUI (build-only validation)
- nixos-rebuild boot is safer than switch for production deployments (activate on reboot)
- GRUB generations provide rollback path if deployment breaks boot
- ops-base worklogs contain valuable deployment patterns and historical decisions
** Process Insights
- Research historical worklogs before choosing deployment approach
- User feedback critical for correcting reasoning flaws (Option 1 vs 2 decision)
- Incremental fixes with test builds catch issues early
- Local build validation before VPS deployment prevents partial failures
- SSH investigation of running system informs configuration accuracy
- Git commits at working states enable bisecting issues
- Background bash commands allow multitasking during long builds
** Architectural Insights
- Hybrid stable+unstable approach balances system stability with package availability
- Module function signatures make dependencies explicit and self-documenting
- specialArgs provides clean dependency injection to NixOS modules
- Package permissions have different scopes (import-time vs config-time)
- VM configurations useful for validation even without runtime testing
- Secrets already in place from ops-base (/run/secrets/) simplify migration
- Hardware config from running system (nixos-generate-config) ensures boot compatibility
** Security Insights
- olm library deprecation with CVEs is acceptable risk for Matrix bridge functionality
- Upstream Matrix.org assessment: exploits unlikely in practical network conditions
- Explicit documentation of security trade-offs critical for future review
- Side-channel attacks in cryptography libraries different risk profile than network exploits
- ACME email for Let's Encrypt notifications not publicly exposed
- SSH key-based authentication maintained throughout deployment
* Context for Future Work
** Open Questions
- Will the VPS deployment complete successfully? (still downloading packages at session end)
- Will services remain running after reboot to new ops-jrz1 configuration?
- Do Matrix bridges need additional configuration beyond module defaults?
- Should we establish automated testing of VM builds in CI?
- How to handle olm deprecation long-term? (wait for upstream alternatives)
- Should we add monitoring for ACME certificate renewal failures?
** Next Steps
- Wait for nixos-rebuild boot to complete on VPS
- Reboot VPS to activate ops-jrz1 configuration
- Verify all services start successfully (matrix-continuwuity, mautrix-slack, forgejo, postgresql, nginx)
- Test HTTPS access to clarun.xyz and git.clarun.xyz
- Confirm ACME certificates obtained from Let's Encrypt
- Test Matrix homeserver functionality
- Validate Slack bridge still working
- Document any post-deployment issues or fixes needed
- Create worklog for deployment completion session
- Consider adding VM build to pre-commit hooks or CI
** Related Work
- Previous worklog: 2025-10-14-migration-strategy-and-planning.org (strategic planning session)
- Previous worklog: 2025-10-13-phase-3-module-extraction.org (module extraction from ops-base)
- ops-base worklog: 2025-10-01-vultr-vps-https-lets-encrypt-setup.org (ACME pattern reference)
- ops-base worklog: 2025-09-30-vultr-vps-boot-fix-matrix-forgejo-deployment-success.org (nixos-rebuild boot pattern)
- Related issue: mautrix bridge dependency on deprecated olm library
- Next worklog: Will document deployment completion, reboot, and service verification
** Technical Debt Identified
- olm-3.2.16 deprecated with CVEs - need to monitor for alternatives
- VM testing workflow not yet integrated into automated testing
- No monitoring/alerting configured for ACME renewal failures
- Deployment approach manual (rsync + ssh); could use deploy-rs or colmena
- No rollback testing performed (trust in GRUB generations)
- Documentation of VM testing workflow not yet written
- No pre-commit hook to validate flake builds before commit
* Raw Notes
## Session Flow Timeline
### Phase 1: Status Assessment and Planning (Start)
- User asked about deployment next steps after previous session
- I provided status summary: 53.4% MVP complete, 3+ phases done
- User expressed interest in VM testing workflow: "I like VM Test First"
- Goal: Make VM testing regular part of workflow for certain deploys
### Phase 2: VM Configuration Creation
- Created hosts/ops-jrz1-vm.nix with VM-specific settings
- Updated flake.nix to add ops-jrz1-vm configuration
- Attempted VM build, discovered package availability error
### Phase 3: Package Resolution Debugging
- Error: "attribute 'mautrix-slack' missing" at modules/mautrix-slack.nix:58
- Root cause: pkgs from nixpkgs 24.05 stable lacks mautrix packages
- Researched ops-base to understand their approach (uses unstable for everything)
- Proposed Option 1: Use unstable everywhere
- User feedback: "2 and 4 are the same reason and not a good one. 3. Simplicity isn't a reason if it potentially introduces future complexity. 1. is a good reason."
- Revised to Option 2: Fix modules to use pkgs-unstable parameter
### Phase 4: Module Fixes Implementation
- Updated 4 module function signatures to accept pkgs-unstable
- Changed 5 package references from pkgs.* to pkgs-unstable.*
- Discovered olm permission needed in multiple locations
- Added permittedInsecurePackages to VM flake config
- Added permittedInsecurePackages to VM host config
- VM build succeeded!
### Phase 5: Production Configuration
- User provided VPS IP: 45.77.205.49
- User asked about deployment approach (local vs VPS build)
- Researched ops-base deployment patterns from worklogs
- Found historical use of nixos-rebuild boot (safe deployment)
- User agreed: "I like the look of Option 3, a reboot is fine"
### Phase 6: VPS Investigation
- SSH to VPS to check current state
- Found: NixOS 25.11 unstable, Matrix + services running, 2 weeks uptime
- Retrieved hardware-configuration.nix from VPS
- Checked secrets: /run/secrets/matrix-registration-token exists
- Found domain: clarun.xyz
- No ops-base repo found on VPS (config location unknown)
### Phase 7: Production Config Updates
- Created hardware-configuration.nix locally from VPS output
- Updated configuration.nix: boot loader (/dev/vda), network (ens3), SSH keys, Nix flakes
- Added ACME configuration (dlei@duck.com from ops-base pattern)
- Updated hosts/ops-jrz1.nix: enabled services, clarun.xyz domain, delpadtech workspace
- Added olm permission to production flake and configuration
### Phase 8: Production Build Testing
- Built ops-jrz1 config locally to validate
- Build succeeded - confirmed all package references working
- Committed production configuration changes
### Phase 9: Deployment Initiation
- Synced ops-jrz1 to VPS via rsync
- Started nixos-rebuild boot on VPS (running in background)
- Deployment downloading 786.52 MiB packages (still running at session end)
## Key Error Messages Encountered
### Package availability error
```
error: attribute 'mautrix-slack' missing
at /nix/store/.../modules/mautrix-slack.nix:58:17:
58| default = pkgs.mautrix-slack;
```
Solution: Change to `pkgs-unstable.mautrix-slack`
### Insecure package error
```
error: Package 'olm-3.2.16' in /nix/store/.../pkgs/by-name/ol/olm/package.nix:42 is marked as insecure, refusing to evaluate.
Known issues:
- The libolm endtoend encryption library used in many Matrix
clients and Jitsi Meet has been deprecated upstream, and relies
on a cryptography library that has known sidechannel issues...
```
Solution: Add to permittedInsecurePackages in both flake.nix pkgs-unstable config AND configuration.nix
### Module parameter undefined
```
error: undefined variable 'pkgs-unstable'
at /nix/store/.../modules/mautrix-slack.nix:58:17:
```
Solution: Add pkgs-unstable to module function signature parameters
## VPS Details Discovered
### Current System Info
- Hostname: jrz1
- OS: NixOS 25.11.20250902.d0fc308 (Xantusia) - unstable channel
- Current system: /nix/store/z7gvv83gsc6wwc39lybibybknp7kp88z-nixos-system-jrz1-25.11
- Generations: 29 (current from 2025-10-03)
### Running Services
- matrix-continuwuity.service - active (running) since Oct 7, 2 weeks uptime
- fail2ban.service
- forgejo.service
- netdata.service
- nginx.service
- postgresql.service
### Network Config
- Interface: ens3 (not eth0)
- Boot: Legacy BIOS (/dev/vda MBR, not UEFI)
- Firewall: Ports 22, 80, 443 open
### Filesystems
```
/dev/vda4 52G 13G 37G 25% /
/dev/vda2 488M 71M 382M 16% /boot
swap: /dev/disk/by-uuid/b06bd8f8-0662-459e-9172-eafa9cbdd354
```
### Secrets Present
- /run/secrets/acme-email
- /run/secrets/matrix-registration-token
## Configuration Snippets
### Module function signature update
```nix
# Before
{ config, pkgs, lib, ... }:
# After
{ config, pkgs, pkgs-unstable, lib, ... }:
```
### Package option default update
```nix
# Before
package = mkOption {
type = types.package;
default = pkgs.mautrix-slack;
description = "Package providing the bridge executable.";
};
# After
package = mkOption {
type = types.package;
default = pkgs-unstable.mautrix-slack;
description = "Package providing the bridge executable.";
};
```
### Flake specialArgs configuration
```nix
specialArgs = {
pkgs-unstable = import nixpkgs-unstable {
system = "x86_64-linux";
config = {
allowUnfree = true;
permittedInsecurePackages = [
"olm-3.2.16" # Required by mautrix bridges
];
};
};
};
```
### ACME configuration
```nix
security.acme = {
acceptTerms = true;
defaults.email = "dlei@duck.com";
};
```
## Resources Consulted
- ~/proj/ops-base/docs/worklogs/ - Historical deployment patterns
- ~/proj/ops-base/docs/worklogs/2025-10-01-vultr-vps-https-lets-encrypt-setup.org - ACME setup
- ~/proj/ops-base/docs/worklogs/2025-09-30-vultr-vps-boot-fix-matrix-forgejo-deployment-success.org - nixos-rebuild boot pattern
- NixOS module system documentation - specialArgs usage
- mautrix bridge deprecation notices for olm library
## User Feedback Highlights
- "I like VM Test First, I want to make that a regular part of the workflow for certain deploys"
- "2 and 4 are the same reason and not a good one. 3. Simplicity isn't a reason if it potentially introduces future complexity. 1. is a good reason."
- "Sounds Great, let's come up with an implementation plan for Option 2"
- "ok, the vultr IP is 45.77.205.49"
- "I like the look of Option 3, a reboot is fine"
* Session Metrics
- Commits made: 6
- Files touched: 9
- Files created: 2 (hardware-configuration.nix, hosts/ops-jrz1-vm.nix)
- Lines changed: ~100+ across all files
- Build attempts: 5+ (VM config iterations + production config)
- VPS SSH connections: 10+
- rsync deployments: 3
- Deployment status: In progress (nixos-rebuild boot downloading packages)
- Session duration: ~3 hours
- Background process: nixos-rebuild boot still running at worklog creation

128
docs/worklogs/2025-10-22-deployment-generation-31.md
View file

@ -1,128 +0,0 @@
# Deployment: Generation 31 - Matrix Platform Migration
**Date:** 2025-10-22
**Status:** ✅ SUCCESS
**Generation:** 31
**Deployment Time:** ~5 minutes (build + reboot)
## Summary
Successfully deployed ops-jrz1 Matrix platform using modules extracted from ops-base. This deployment established the foundation deployment pattern and validated sops-nix secrets management integration.
## Deployment Method
Following ops-base best practices from worklog research:
```bash
# 1. Build and install to boot (safe, rollback-friendly)
rsync -avz --exclude '.git' --exclude 'result' /home/dan/proj/ops-jrz1/ root@45.77.205.49:/root/ops-jrz1/
ssh root@45.77.205.49 'cd /root/ops-jrz1 && nixos-rebuild boot --flake .#ops-jrz1'
# 2. Reboot to test
ssh root@45.77.205.49 'reboot'
# 3. Verify services after reboot (verified all running)
ssh root@45.77.205.49 'systemctl status matrix-continuwuity nginx postgresql forgejo'
# 4. Test API endpoints
curl http://45.77.205.49:8008/_matrix/client/versions
```
## What Works ✅
### Core Infrastructure
- **NixOS Generation 31** booted successfully
- **sops-nix** decrypting secrets correctly using VPS SSH host key
- **Age encryption** working with key: `age1vuxcwvdvzl2u7w6kudqvnnf45czrnhwv9aevjq9hyjjpa409jvkqhkz32q`
### Services Running
- **Matrix Homeserver (matrix-continuwuity):** ✅ Running, API responding
- Version: conduwuit 0.5.0-rc.8
- Listening on: 127.0.0.1:8008
- Database: RocksDB schema version 18
- Registration enabled, federation disabled
- **nginx:** ✅ Running
- Proxying to Matrix homeserver
- ACME certificates configured for clarun.xyz and git.clarun.xyz
- Note: WebDAV errors expected (legacy feature, can be removed)
- **PostgreSQL 15.10:** ✅ Running
- Serving Forgejo database
- Minor client disconnect logs normal (connection pooling)
- **Forgejo 7.0.12:** ✅ Running
- Git service operational
- Connected to PostgreSQL
- Available at git.clarun.xyz
### Files Successfully Migrated
- `.sops.yaml` - Encrypted secrets configuration
- `secrets/secrets.yaml` - Encrypted secrets (committed to git, safe because encrypted)
- All Matrix platform modules from ops-base
## Configuration Highlights
### sops-nix Setup
Located in `hosts/ops-jrz1.nix:26-38`:
```nix
sops.defaultSopsFile = ../secrets/secrets.yaml;
sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
sops.secrets.matrix-registration-token = {
owner = "continuwuity";
group = "continuwuity";
mode = "0440";
};
sops.secrets.acme-email = {
owner = "root";
mode = "0444";
};
```
### Version Compatibility
Pinned sops-nix to avoid Go version mismatch (flake.nix:9):
```nix
sops-nix = {
url = "github:Mic92/sops-nix/c2ea1186c0cbfa4d06d406ae50f3e4b085ddc9b3"; # June 2024 version
inputs.nixpkgs.follows = "nixpkgs";
};
```
## Key Lessons from ops-base Research
### Deployment Pattern (Recommended)
1. **`nixos-rebuild boot`** - Install to bootloader, don't activate yet
2. **Reboot** - Test new configuration
3. **Verify services** - Ensure everything works
4. **`nixos-rebuild switch`** (optional) - Make current profile permanent
**Rollback:** If anything fails, select previous generation from GRUB or `nixos-rebuild switch --rollback`
### Secrets Management
- Encrypted `secrets.yaml` **should be committed to git** (it's encrypted with age, safe to track)
- SSH host key converts to age key automatically via `ssh-to-age`
- Multi-recipient encryption allows both VPS and admin workstation to decrypt
### Common Pitfalls Avoided
From 46+ ops-base deployments:
1. **Exit code 11 ≠ always segfault** - Often intentional exit_group(11) from config validation
2. **SystemCallFilter restrictions** - Can block CPU affinity syscalls, needs allowances
3. **LoadCredential patterns** - Use for Python scripts reading secrets from environment
4. **ACME debugging** - Check `journalctl -u acme-*`, verify DNS, test staging first
## Build Statistics
- **285 derivations built**
- **378 paths fetched** (786.52 MiB download, 3.39 GiB unpacked)
- **Boot time:** ~30 seconds
- **Service startup:** All services up within 2 minutes
## Next Steps
- [ ] Monitor mautrix-slack (currently segfaulting, needs investigation)
- [ ] Establish regular deployment workflow (local build + remote deploy)
- [ ] Configure remaining Matrix bridges (WhatsApp, Google Messages)
- [ ] Set up monitoring/alerting
## References
- ops-base worklogs: Reviewed 46+ deployment entries
- sops-nix docs: Age encryption with SSH host keys
- NixOS deployment patterns: boot -> reboot -> switch workflow

352
docs/worklogs/2025-10-22-security-validation-test-report.md
View file

@ -1,352 +0,0 @@
# Security & Validation Test Report - Generation 31
**Date:** 2025-10-22
**System:** ops-jrz1 (45.77.205.49)
**Generation:** 31
**Status:** ✅ PASS - All Critical Tests Passed
## Executive Summary
Comprehensive security, integration, and validation testing performed on the production VPS following Generation 31 deployment. All critical security controls are functioning correctly, services are operational, and no security vulnerabilities detected.
---
## Test Results Overview
| Test Category | Status | Critical Issues | Notes |
|---------------|--------|----------------|-------|
| Matrix API Endpoints | ✅ PASS | 0 | 18 protocol versions supported |
| nginx/TLS Configuration | ✅ PASS | 0 | HTTP/2, HSTS enabled |
| sops-nix Secrets | ✅ PASS | 0 | Proper decryption & permissions |
| Firewall & Network | ✅ PASS | 0 | Only SSH/HTTP/HTTPS exposed |
| SSH Hardening | ✅ PASS | 0 | Key-only auth, root restricted |
| Database Security | ✅ PASS | 0 | Proper isolation & permissions |
| System Integrity | ✅ PASS | 0 | No failed services |
---
## Test 1: Matrix Homeserver API ✅
### Tests Performed
- Matrix API versions endpoint
- Username availability check
- Federation status verification
- Service systemd status
### Results
```json
{
"versions": ["r0.0.1"..."v1.14"],
"version_count": 18,
"service_state": "active (running)",
"username_check": "available: true"
}
```
### Security Findings
- ✅ Matrix API responding correctly on localhost:8008
- ✅ Service enabled and running under systemd
- ✅ conduwuit 0.5.0-rc.8 homeserver operational
- ✅ Federation disabled as configured (enableFederation: false)
---
## Test 2: nginx Reverse Proxy & TLS ✅
### Tests Performed
- HTTPS connectivity to clarun.xyz
- TLS certificate validation
- Matrix well-known delegation
- nginx configuration syntax
### Results
```
HTTPS clarun.xyz: HTTP/2 200 OK
HTTPS git.clarun.xyz: HTTP/2 502 (Forgejo starting)
Matrix delegation: {"m.server": "clarun.xyz:443"}
nginx config: Active (running), enabled
ACME certificates: Present for both domains
```
### Security Findings
- ✅ HTTPS working with valid certificates
- ✅ HTTP Strict Transport Security (HSTS) enabled
- ✅ Matrix delegation properly configured
- ✅ nginx running with HTTP/2 support
- ⚠️ git.clarun.xyz returns 502 (Forgejo still starting migrations)
### TLS Configuration
- Certificate Authority: Let's Encrypt (ACME)
- Domains: clarun.xyz, git.clarun.xyz
- Protocol: HTTP/2
- HSTS: max-age=31536000; includeSubDomains
---
## Test 3: sops-nix Secrets Management ✅
### Tests Performed
- Secrets directory existence
- File ownership and permissions
- Age key import verification
- Secret decryption validation
### Results
```bash
/run/secrets/matrix-registration-token:
Owner: continuwuity:continuwuity
Permissions: 0440 (-r--r-----)
/run/secrets/acme-email:
Owner: root:root
Permissions: 0444 (-r--r--r--)
```
### Security Findings
- ✅ Age key successfully imported from SSH host key
- ✅ Fingerprint matches: age1vuxcwvdvzl2u7w6kudqvnnf45czrnhwv9aevjq9hyjjpa409jvkqhkz32q
- ✅ Matrix secret properly restricted to continuwuity user
- ✅ ACME email readable by root for cert management
- ✅ Secrets decrypted at boot from encrypted secrets.yaml
### Boot Log Confirmation
```
sops-install-secrets: Imported /etc/ssh/ssh_host_ed25519_key as age key
with fingerprint age1vuxcwvdvzl2u7w6kudqvnnf45czrnhwv9aevjq9hyjjpa409jvkqhkz32q
```
---
## Test 4: Firewall & Network Security ✅
### Port Scan Results (External)
```
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
443/tcp open https
3000/tcp filtered ppp ← Not exposed (good)
8008/tcp closed http ← Not exposed (good)
```
### Listening Services (Internal)
```
Matrix (8008): 127.0.0.1 only ✅ Not exposed
PostgreSQL (5432): 127.0.0.1 only ✅ Not exposed
nginx (80/443): 0.0.0.0 ✅ Public (expected)
SSH (22): 0.0.0.0 ✅ Public (expected)
```
### Security Findings
- ✅ **EXCELLENT:** Only SSH, HTTP, HTTPS exposed to internet
- ✅ Matrix homeserver protected behind nginx reverse proxy
- ✅ PostgreSQL not directly accessible from internet
- ✅ Forgejo port 3000 filtered (nginx proxy only)
- ✅ No unexpected open ports detected
### Firewall Policy
- Default INPUT policy: ACCEPT (with nixos-fw chain rules)
- All services properly firewalled via iptables
- Critical services bound to localhost only
---
## Test 5: SSH Hardening ✅
### SSH Configuration
```
permitrootlogin: without-password ✅
passwordauthentication: no ✅
pubkeyauthentication: yes ✅
permitemptypasswords: no ✅
```
### Security Findings
- ✅ Root login ONLY with SSH keys (password disabled)
- ✅ Password authentication completely disabled
- ✅ Public key authentication enabled
- ✅ Empty passwords prohibited
- ✅ SSH keys properly deployed
### Authorized Keys
```
Root user: 1 authorized key (ssh-ed25519, delpad-2025)
```
### Notes on fail2ban
- Module imported in configuration (modules/security/fail2ban.nix)
- **Not currently enabled** - consider enabling for brute-force protection
- SSH hardening alone provides good protection
- Recommendation: Enable fail2ban in future deployment
---
## Test 6: Database Connectivity & Permissions ✅
### Database Inventory
```
Database Owner Tables Status
forgejo forgejo 112 ✅ Fully migrated
mautrix_slack mautrix_slack - ✅ Ready
postgres postgres - ✅ System DB
```
### User Roles
```
Role Privileges
postgres Superuser, Create role, Create DB
forgejo Standard user (forgejo DB owner)
mautrix_slack Standard user (mautrix_slack DB owner)
```
### Security Findings
- ✅ PostgreSQL listening on localhost only (127.0.0.1, ::1)
- ✅ Each service has dedicated database user
- ✅ Proper privilege separation (no unnecessary superusers)
- ✅ Forgejo database fully populated (112 tables)
- ✅ Connection pooling working correctly
### Database Versions
- PostgreSQL: 15.10
- Encoding: UTF8
- Collation: en_US.UTF-8
---
## Test 7: System Integrity & Logs ✅
### Error Analysis
```
Boot errors (critical): 0
Current failed services: 0
```
### Warning Analysis
Services temporarily failed during boot then auto-restarted (expected systemd behavior):
- continuwuity.service: Multiple restart attempts → Now running
- forgejo.service: Multiple restart attempts → Now running
- mautrix-slack.service: Multiple restart attempts → Still failing (known issue)
### Benign Warnings
- Kernel elevator= parameter (deprecated, no effect)
- ACPI MMCONFIG warnings (VPS environment, harmless)
- IPv6 router availability (not configured, expected)
- Firmware regulatory.db (WiFi regulatory, not needed on VPS)
### System Resources
```
Uptime: 0:57 (57 minutes since reboot)
Load avg: 1.48, 1.31, 1.30 (moderate load)
Memory: 210 MiB used / 1.9 GiB total (11% used)
Swap: 0 used / 2.0 GiB available
Disk usage: 18 GiB / 52 GiB (37% used)
```
### Security Findings
- ✅ No critical errors in system logs
- ✅ No failed services after boot completion
- ✅ Systemd restart policies working correctly
- ✅ Adequate system resources available
- ✅ No evidence of system compromise
---
## Known Issues & Recommendations
### Issue: mautrix-slack Exit Code 11
**Severity:** Medium (Non-Critical)
**Status:** Known Issue
**Impact:** Slack bridge not functional
**Analysis:**
Based on ops-base research, exit code 11 is often intentional exit_group(11) from configuration validation, not necessarily a segfault. Likely causes:
1. Missing or invalid configuration
2. SystemCallFilter restrictions blocking required syscalls
3. Registration file permission issues
**Recommendation:** Debug separately, not deployment-blocking
### Issue: fail2ban Not Enabled
**Severity:** Low
**Status:** Optional Enhancement
**Impact:** No automated brute-force protection
**Analysis:**
While fail2ban module exists in modules/security/fail2ban.nix, it's not currently enabled. SSH hardening (key-only auth, no passwords) provides primary protection.
**Recommendation:** Consider enabling fail2ban in next deployment for defense-in-depth
### Issue: git.clarun.xyz Returns 502
**Severity:** Low (Temporary)
**Status:** In Progress
**Impact:** Forgejo web interface not accessible during migrations
**Analysis:**
Forgejo service in start-pre state, running database migrations. This is expected behavior after deployment. Service will become available once migrations complete.
**Recommendation:** Wait for migrations to complete, verify git.clarun.xyz responds
---
## Security Compliance Summary
### ✅ Passed Security Controls
1. **Encryption in Transit:** TLS/HTTPS with valid certificates
2. **Secrets Management:** sops-nix with age encryption
3. **Access Control:** SSH key-only authentication
4. **Network Segmentation:** Services isolated on localhost
5. **Least Privilege:** Dedicated service accounts
6. **Firewall Protection:** Minimal exposed surface area
7. **Service Isolation:** systemd service units with proper permissions
### 🔄 Deferred Security Enhancements
1. **Brute-force Protection:** fail2ban not yet enabled (low priority)
2. **Certificate Monitoring:** ACME auto-renewal configured but not monitored
3. **Intrusion Detection:** No IDS/IPS configured (future consideration)
### ❌ No Critical Vulnerabilities Detected
- No exposed databases
- No password authentication
- No unencrypted credentials
- No unnecessary network exposure
- No privilege escalation vectors identified
---
## Recommendations for Future Deployments
### Immediate Actions
1. ✅ **Monitor mautrix-slack** - Debug exit code 11 issue
2. ✅ **Verify Forgejo** - Confirm git.clarun.xyz becomes accessible
3. ✅ **Document baseline** - This report serves as security baseline
### Short-term Enhancements (Optional)
1. Enable fail2ban for SSH brute-force protection
2. Configure log aggregation/monitoring
3. Set up automated ACME certificate expiry alerts
4. Enable additional Matrix bridges (WhatsApp, Google Messages)
### Long-term Enhancements
1. Consider adding intrusion detection (e.g., OSSEC)
2. Implement security scanning automation
3. Configure backup verification testing
4. Set up disaster recovery procedures
---
## Conclusion
**Overall Status: ✅ PRODUCTION READY**
The ops-jrz1 VPS has successfully passed comprehensive security and integration testing. All critical security controls are functioning correctly, services are operational (except known mautrix-slack issue), and the system demonstrates a strong security posture suitable for production use.
**Key Strengths:**
- Excellent network isolation (Matrix/PostgreSQL on localhost only)
- Proper secrets management with sops-nix
- Strong SSH hardening (key-only auth)
- Valid TLS certificates with HSTS
- Minimal attack surface (only SSH/HTTP/HTTPS exposed)
**Deployment Validation:** ✅ APPROVED for production use
**Test Performed By:** Automated security testing suite
**Report Generated:** 2025-10-22
**Next Review:** After addressing mautrix-slack issue

6
flake.lock
View file

@ -34,11 +34,11 @@
},
"nixpkgs-unstable": {
"locked": {
"lastModified": 1756787288,
"narHash": "sha256-rw/PHa1cqiePdBxhF66V7R+WAP8WekQ0mCDG4CFqT8Y=",
"lastModified": 1761114652,
"narHash": "sha256-f/QCJM/YhrV/lavyCVz8iU3rlZun6d+dAiC3H+CDle4=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "d0fc30899600b9b3466ddb260fd83deb486c32f1",
"rev": "01f116e4df6a15f4ccdffb1bcd41096869fb385c",
"type": "github"
},
"original": {

14
modules/dev-services.nix
View file

@ -116,7 +116,7 @@ in
allow_federation = false
database_backend = "rocksdb"
database_path = "/var/lib/matrix-continuwuity/db/"
log = "info"
log = "debug"
admin_room_tag = "m.server_notice"
EOF
'';
@ -202,7 +202,7 @@ in
package = pkgs-unstable.mautrix-slack or (pkgs-unstable.callPackage ../pkgs/mautrix-slack {});
matrix = {
homeserverUrl = "http://localhost:${toString cfg.matrix.port}";
homeserverUrl = "http://127.0.0.1:${toString cfg.matrix.port}";
serverName = cfg.matrix.serverName;
};
@ -244,14 +244,14 @@ in
'';
locations = {
"~ ^/_matrix/client/(r0|v3)/login" = {
proxyPass = "http://localhost:${toString cfg.matrix.port}";
proxyPass = "http://127.0.0.1:${toString cfg.matrix.port}";
proxyWebsockets = true;
extraConfig = ''
limit_req zone=logins burst=10 nodelay;
'';
};
"/_matrix" = {
proxyPass = "http://localhost:${toString cfg.matrix.port}";
proxyPass = "http://127.0.0.1:${toString cfg.matrix.port}";
proxyWebsockets = true;
};
"/.well-known/matrix/server" = {
@ -278,21 +278,21 @@ in
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
'';
locations."/user/login" = {
proxyPass = "http://localhost:${toString cfg.forgejo.port}";
proxyPass = "http://127.0.0.1:${toString cfg.forgejo.port}";
proxyWebsockets = true;
extraConfig = ''
limit_req zone=logins burst=10 nodelay;
'';
};
locations."/user/sign_up" = {
proxyPass = "http://localhost:${toString cfg.forgejo.port}";
proxyPass = "http://127.0.0.1:${toString cfg.forgejo.port}";
proxyWebsockets = true;
extraConfig = ''
limit_req zone=logins burst=10 nodelay;
'';
};
locations."/" = {
proxyPass = "http://localhost:${toString cfg.forgejo.port}";
proxyPass = "http://127.0.0.1:${toString cfg.forgejo.port}";
proxyWebsockets = true;
extraConfig = ''
client_max_body_size 512M;

97
specs/002-slack-bridge-integration/checklists/requirements.md Normal file
View file

@ -0,0 +1,97 @@
# Specification Quality Checklist: Matrix-Slack Bridge Integration
**Purpose**: Validate specification completeness and quality before proceeding to planning
**Created**: 2025-10-22
**Feature**: [spec.md](../spec.md)
## Content Quality
- [x] No implementation details (languages, frameworks, APIs)
- [x] Focused on user value and business needs
- [x] Written for non-technical stakeholders
- [x] All mandatory sections completed
## Requirement Completeness
- [x] No [NEEDS CLARIFICATION] markers remain
- [x] Requirements are testable and unambiguous
- [x] Success criteria are measurable
- [x] Success criteria are technology-agnostic (no implementation details)
- [x] All acceptance scenarios are defined
- [x] Edge cases are identified
- [x] Scope is clearly bounded
- [x] Dependencies and assumptions identified
## Feature Readiness
- [x] All functional requirements have clear acceptance criteria
- [x] User scenarios cover primary flows
- [x] Feature meets measurable outcomes defined in Success Criteria
- [x] No implementation details leak into specification
## Validation Results
**Status**: ✅ ALL CHECKS PASSED
### Detailed Review
#### Content Quality
- ✅ Specification avoids mentioning specific technologies (NixOS, PostgreSQL mentioned only as dependencies, not implementation)
- ✅ Focus remains on user outcomes: message delivery, reliability, configuration
- ✅ Language accessible to non-technical stakeholders (business-focused success criteria)
- ✅ All mandatory sections present: User Scenarios, Requirements, Success Criteria
#### Requirement Completeness
- ✅ Zero [NEEDS CLARIFICATION] markers (all decisions made based on context)
- ✅ All 15 functional requirements are testable (can verify message relay, timing, auth, etc.)
- ✅ Success criteria measurable with specific metrics (5 second delivery, 99% uptime, etc.)
- ✅ Success criteria technology-agnostic (focused on user experience, not tech stack)
- ✅ 16 acceptance scenarios across 4 user stories provide comprehensive coverage
- ✅ 7 edge cases identified with expected behaviors
- ✅ Scope explicitly defines what's in/out with rationale
- ✅ Dependencies documented across technical, external, and process categories
#### Feature Readiness
- ✅ FR-001 through FR-015 map to user stories and acceptance criteria
- ✅ Four prioritized user stories (P1-P3) cover core flows: Slack→Matrix, Matrix→Slack, reliability, configuration
- ✅ Eight success criteria directly measurable without implementation knowledge
- ✅ No technical leakage: "Socket Mode" and "sops-nix" appropriately mentioned as requirements, not implementation details
### Assumptions Validated
The specification makes informed assumptions about:
- Message volume (< 1000/day per channel) - reasonable for small team
- Channel count (< 10 initially) - appropriate for MVP
- Network reliability (>99%) - standard expectation
- No historical import needed - MVP can start fresh
- Manual testing sufficient - matches "build it right" philosophy
These assumptions are explicitly documented in the Assumptions section.
### Scope Clarity
In-scope and out-of-scope items clearly delineated:
- Core bidirectional messaging: IN SCOPE
- Advanced features (threads, reactions, editing): OUT OF SCOPE (explicitly deferred)
- Single workspace focus: IN SCOPE
- Multi-workspace: OUT OF SCOPE
This provides clear boundaries for implementation.
## Notes
- Specification is complete and ready for planning phase
- No clarifications needed from user (all decisions made with reasonable defaults)
- Feature aligns with Platform Vision Milestone 1
- Dependencies clearly identified for implementation planning
- Edge cases provide guidance for error handling design
## Recommendation
**PROCEED TO PLANNING**: Specification meets all quality criteria and is ready for `/speckit.plan`.
The spec successfully balances:
- Completeness (all required information present)
- Clarity (unambiguous requirements)
- Feasibility (realistic scope for MVP)
- Flexibility (identified future enhancements)

292
specs/002-slack-bridge-integration/contracts/bridge-config.yaml Normal file
View file

@ -0,0 +1,292 @@
# Configuration Contract: mautrix-slack Bridge
# This contract defines the expected NixOS configuration structure for the
# Slack↔Matrix bridge deployment. It serves as a specification for how the
# bridge should be configured in hosts/ops-jrz1.nix.
# =============================================================================
# NixOS Module Configuration (hosts/ops-jrz1.nix)
# =============================================================================
services:
mautrix-slack:
enable: true # Enable the bridge service
# Matrix Homeserver Configuration
# --------------------------------
# Connects the bridge to the local Matrix homeserver (conduwuit)
matrix:
homeserverUrl: "http://127.0.0.1:8008"
# Type: URL
# Description: Matrix homeserver client-server API endpoint
# Default: "http://127.0.0.1:8008"
# Notes: Use localhost since bridge and homeserver are on same host
serverName: "clarun.xyz"
# Type: domain
# Description: Matrix server domain for user IDs and room aliases
# Default: null (required)
# Notes: Must match homeserver configuration
# Database Configuration
# ----------------------
# PostgreSQL connection for bridge state storage
database:
type: "postgres"
# Type: enum ["postgres", "sqlite"]
# Description: Database backend type
# Default: "postgres"
# Notes: PostgreSQL recommended for production
uri: "postgresql:///mautrix_slack?host=/run/postgresql"
# Type: URI
# Description: Database connection string
# Default: "postgresql:///mautrix_slack?host=/run/postgresql"
# Format: postgresql://[user[:password]@][host][:port]/dbname[?params]
# Notes:
# - Empty user/password uses peer authentication
# - Unix socket via /run/postgresql (no network exposure)
# - Database created by dev-services.nix
maxOpenConnections: 32
# Type: integer
# Description: Maximum concurrent database connections
# Default: 32
maxIdleConnections: 4
# Type: integer
# Description: Maximum idle connections in pool
# Default: 4
# Appservice Configuration
# ------------------------
# Matrix application service protocol settings
appservice:
hostname: "127.0.0.1"
# Type: string
# Description: Bind address for appservice HTTP server
# Default: "127.0.0.1"
# Notes: Localhost-only (homeserver is local)
port: 29319
# Type: integer (1024-65535)
# Description: Port for appservice HTTP server
# Default: 29319
# Notes: Must be unique per bridge instance
id: "slack"
# Type: string
# Description: Appservice identifier in registration file
# Default: "slack"
# Notes: Must match registration.yaml
senderLocalpart: "slackbot"
# Type: string
# Description: Localpart for bridge bot user
# Default: "slackbot"
# Results in: @slackbot:clarun.xyz
userPrefix: "slack_"
# Type: string
# Description: Prefix for ghost user IDs
# Default: "slack_"
# Results in: @slack_U123ABC:clarun.xyz
botDisplayName: "Slack Bridge Bot"
# Type: string
# Description: Display name for bridge bot
# Default: "Slack Bridge Bot"
# Optional: Can be customized for branding
botAvatar: ""
# Type: mxc:// URL or empty string
# Description: Avatar for bridge bot
# Default: ""
# Optional: Set after deployment via Matrix client
# Bridge Behavior Configuration
# ------------------------------
# Controls bridge-specific functionality
bridge:
commandPrefix: "!slack"
# Type: string
# Description: Prefix for bridge bot commands
# Default: "!slack"
# Usage: "!slack help", "!slack status"
permissions:
"clarun.xyz": "user"
# Type: map[domain]permission_level
# Description: Access control by homeserver domain
# Levels: "relay", "user", "admin"
# Notes:
# - "relay": Can use relay mode (bot posts on behalf)
# - "user": Can login and bridge their own chats
# - "admin": Can manage bridge, access all portals
# Example for multiple domains:
# "clarun.xyz": "user"
# "example.com": "relay"
# "admin.clarun.xyz": "admin"
# Encryption Configuration
# ------------------------
# End-to-end encryption support in Matrix rooms
encryption:
enable: true
# Type: boolean
# Description: Allow bridge to participate in encrypted rooms
# Default: true
# Notes: Requires crypto dependencies (already in package)
default: false
# Type: boolean
# Description: Enable encryption by default for new portals
# Default: false
# Notes: Can cause issues with search/backfill
require: false
# Type: boolean
# Description: Require encryption for all portals
# Default: false
# Notes: Set true for high-security deployments
# Logging Configuration
# ---------------------
# Service logging settings
logging:
level: "info"
# Type: enum ["debug", "info", "warn", "error"]
# Description: Minimum log level to output
# Default: "info"
# Notes:
# - Use "debug" for initial deployment troubleshooting
# - Use "info" for production
# - Logs viewable via: journalctl -u mautrix-slack -f
# =============================================================================
# Generated config.yaml Structure (for reference)
# =============================================================================
# The following represents the actual config.yaml generated by the NixOS
# module. This is NOT directly edited; it's created from the NixOS options above.
# homeserver:
# address: "http://127.0.0.1:8008"
# domain: "clarun.xyz"
# software: "standard" # Auto-detected
# status_endpoint: null
# message_send_checkpoint_endpoint: null
# async_media: false
# websocket: false
# ping_interval_seconds: 0
# appservice:
# address: "http://127.0.0.1:29319"
# hostname: "127.0.0.1"
# port: 29319
# id: "slack"
# bot:
# username: "slackbot"
# displayname: "Slack Bridge Bot"
# avatar: ""
# ephemeral_events: true
# async_transactions: false
# as_token: "generated-from-registration"
# hs_token: "generated-from-registration"
# database:
# type: "postgres"
# uri: "postgresql:///mautrix_slack?host=/run/postgresql"
# max_open_conns: 32
# max_idle_conns: 4
# max_conn_idle_time: null
# max_conn_lifetime: null
# bridge:
# username_template: "slack_{{.}}"
# displayname_template: "{{.RealName}} (S)"
# bot_messages_as_notices: true
# bridge_matrix_leave: true
# sync_with_custom_puppets: true
# sync_direct_chat_list: false
# double_puppet_server_map: {}
# double_puppet_allow_discovery: false
# login_shared_secret_map: {}
# command_prefix: "!slack"
# management_room_text:
# welcome: "Hello, I'm a Slack bridge bot."
# connected: "Successfully logged into Slack."
# not_connected: "This bridge is not logged in. Use `login` to log in."
# encryption:
# allow: true
# default: false
# require: false
# appservice: false
# allow_key_sharing: false
# permissions:
# "clarun.xyz": "user"
# relay:
# enabled: false
# admin_only: true
# message_handling_timeout:
# error_after: 0s
# deadline: 120s
# slack:
# # Credentials NOT in config file
# # Provided via `login app` command interactively
# # Stored in database after authentication
# conversation_count: 10 # Number of recent chats to sync on login
# logging:
# min_level: "info"
# writers:
# - type: "stdout"
# format: "pretty-colored"
# time_format: " "
# print_level: "debug"
# file_name_format: ""
# file_date_format: "2006-01-02"
# file_mode: 384
# timestamp_format: "Jan _2, 2006 15:04:05"
# print_json: false
# =============================================================================
# Configuration Validation Checklist
# =============================================================================
# Before deployment, verify:
# [ ] services.mautrix-slack.enable = true
# [ ] matrix.serverName matches homeserver configuration
# [ ] database.uri points to existing PostgreSQL database
# [ ] appservice.port is unique (not used by other services)
# [ ] bridge.permissions includes homeserver domain
# [ ] Secrets NOT in config (tokens provided via interactive login)
# [ ] logging.level set appropriately (debug for initial deploy, info for production)
# After deployment, verify:
# [ ] Service started: systemctl status mautrix-slack
# [ ] Logs show no errors: journalctl -u mautrix-slack -n 50
# [ ] Registration file created: ls -l /var/lib/matrix-appservices/mautrix_slack_registration.yaml
# [ ] Database has tables: sudo -u mautrix_slack psql mautrix_slack -c '\dt'
# [ ] Bot user registered in Matrix: DM with @slackbot:clarun.xyz works
# =============================================================================
# Related Files
# =============================================================================
# NixOS Module: /home/dan/proj/ops-jrz1/modules/mautrix-slack.nix
# Host Config: /home/dan/proj/ops-jrz1/hosts/ops-jrz1.nix
# Service Config: /home/dan/proj/ops-jrz1/modules/dev-services.nix (database provisioning)
# Secrets: /home/dan/proj/ops-jrz1/secrets/secrets.yaml (sops-encrypted)
# Registration: /var/lib/matrix-appservices/mautrix_slack_registration.yaml (runtime)
# Generated Config: /var/lib/mautrix_slack/config/config.yaml (runtime)
# =============================================================================
# Version Information
# =============================================================================
# Contract Version: 1.0
# Created: 2025-10-22
# mautrix-slack Version: Latest from nixpkgs-unstable
# NixOS Version: 24.05+
# Last Updated: 2025-10-22

497
specs/002-slack-bridge-integration/contracts/channel-mapping.yaml Normal file
View file

@ -0,0 +1,497 @@
# Channel Mapping Contract: Slack↔Matrix Portal Configuration
# This contract documents how Slack channels map to Matrix rooms in the
# mautrix-slack bridge. Unlike traditional bridges with static channel mappings,
# mautrix-slack uses **automatic portal creation** based on activity.
# =============================================================================
# Automatic Portal Creation Model
# =============================================================================
# mautrix-slack does NOT use static configuration files for channel mappings.
# Instead, portals (Slack channel ↔ Matrix room pairs) are created automatically
# based on:
#
# 1. Initial Login: Bridge syncs recent conversations (controlled by conversation_count)
# 2. Message Receipt: Portal auto-created when message arrives in new Slack channel
# 3. Bot Membership: Channels where Slack bot is invited are auto-bridged
#
# This contract documents the EXPECTED structure for understanding operational
# behavior, not a configuration file to be edited.
# =============================================================================
# Portal Lifecycle
# =============================================================================
portal_lifecycle:
creation_triggers:
- event: "Initial authentication (`login app` command)"
action: "Bridge syncs N recent conversations (conversation_count)"
portals_created: "Up to conversation_count channels/DMs"
user_experience: "User receives Matrix room invitations"
- event: "Message received in unbridged Slack channel"
action: "Bridge auto-creates portal"
portals_created: "1 new portal for that channel"
user_experience: "Invitation to new Matrix room, message appears"
- event: "Slack bot invited to channel (App Login mode)"
action: "Bridge auto-creates portal"
portals_created: "1 new portal"
user_experience: "Matrix users can now interact with channel"
destruction_triggers:
- event: "Admin runs `delete-portal` command (if available)"
action: "Bridge kicks users from Matrix room, deletes room, removes DB entry"
result: "Portal destroyed, can be recreated if needed"
- event: "Slack channel deleted"
expected: "Portal becomes inactive (not documented behavior)"
recommendation: "Test in pilot deployment to confirm"
state_changes:
- from: "Nonexistent"
to: "Active"
trigger: "Any creation trigger above"
- from: "Active"
to: "Archived"
trigger: "Slack channel archived"
behavior: "Read-only, no new messages flow"
- from: "Archived"
to: "Active"
trigger: "Slack channel unarchived"
- from: "Active"
to: "Deleted"
trigger: "delete-portal command or Slack channel deleted"
# =============================================================================
# Portal Entity Structure
# =============================================================================
# Stored in bridge PostgreSQL database (table: portal)
portal_entity:
slack_channel_id:
type: "string"
format: "C[A-Z0-9]{8,10}" # Public channel
example: "C0123ABCDEF"
primary_key: true
description: "Slack channel identifier"
slack_channel_type:
type: "enum"
values:
- "public_channel" # Standard public channel
- "private_channel" # Private channel (groups)
- "dm" # 1:1 direct message
- "mpim" # Multi-party direct message (group DM)
- "connect" # Slack Connect shared channel
description: "Type of Slack conversation"
matrix_room_id:
type: "string"
format: "!([a-zA-Z0-9]+):clarun.xyz"
example: "!AbCdEfGhIjKlMnOp:clarun.xyz"
description: "Matrix room identifier (opaque ID)"
matrix_room_alias:
type: "string"
format: "#slack_([a-z0-9_-]+):clarun.xyz"
example: "#slack_dev-platform:clarun.xyz"
description: "Human-readable Matrix room alias"
notes:
- "Based on Slack channel name"
- "Lowercase, hyphens preserved, special chars removed"
- "May not exist for DMs"
channel_name:
type: "string"
example: "dev-platform"
description: "Slack channel name (without #)"
notes: "Synced from Slack, updated on channel rename"
topic:
type: "string"
example: "Platform development discussion"
description: "Channel topic/description"
synced: true
notes: "Updated when Slack topic changes"
avatar_url:
type: "mxc:// URI"
example: "mxc://clarun.xyz/AbCdEfGhIjKlMnOpQrStUvWxYz"
description: "Matrix Content URI for channel avatar"
notes: "Synced from Slack workspace icon"
encrypted:
type: "boolean"
default: false
description: "Whether Matrix room has encryption enabled"
notes: "Controlled by bridge.encryption.default config"
in_space:
type: "boolean"
default: false
description: "Whether portal is in a Matrix Space"
notes: "Spaces not commonly used for bridge portals"
members:
type: "list[string]"
example: ["U0123ABC", "U0456DEF", "U0789GHI"]
description: "Slack user IDs of channel members"
synced: true
notes: "Updated when users join/leave channel"
created_at:
type: "timestamp"
example: "2025-10-22T14:30:00Z"
description: "When portal was created in bridge"
last_activity:
type: "timestamp"
example: "2025-10-22T15:45:30Z"
description: "Timestamp of last message in portal"
notes: "Used for health monitoring"
# =============================================================================
# Example Portal Mappings
# =============================================================================
# Example 1: Public Channel
# --------------------------
example_public_channel:
slack:
channel_id: "C05N2EXAMPLE"
channel_name: "dev-platform"
workspace: "chochacho"
url: "https://chochacho.slack.com/archives/C05N2EXAMPLE"
type: "public_channel"
members: 12
topic: "Platform infrastructure development"
matrix:
room_id: "!xYzAbCdEfGhIjKlM:clarun.xyz"
room_alias: "#slack_dev-platform:clarun.xyz"
display_name: "dev-platform (Slack)"
topic: "Platform infrastructure development"
encrypted: false
members:
- "@alice:clarun.xyz" # Real Matrix user
- "@slack_U0123ABC:clarun.xyz" # Ghost user (John from Slack)
- "@slack_U0456DEF:clarun.xyz" # Ghost user (Jane from Slack)
- "@slackbot:clarun.xyz" # Bridge bot
portal_metadata:
created_at: "2025-10-22T14:00:00Z"
last_activity: "2025-10-22T16:30:00Z"
message_count: 427
state: "active"
# Example 2: Private Channel
# ---------------------------
example_private_channel:
slack:
channel_id: "G05N2EXAMPLE" # Private channels start with G
channel_name: "leadership-team"
workspace: "chochacho"
type: "private_channel"
members: 5
topic: "Leadership discussions"
matrix:
room_id: "!aBcDeFgHiJkLmNoP:clarun.xyz"
room_alias: "#slack_leadership-team:clarun.xyz"
display_name: "leadership-team (Slack)"
topic: "Leadership discussions"
encrypted: true # High-security channel
members:
- "@alice:clarun.xyz"
- "@bob:clarun.xyz"
- "@slack_U0789GHI:clarun.xyz"
- "@slackbot:clarun.xyz"
portal_metadata:
created_at: "2025-10-22T14:05:00Z"
last_activity: "2025-10-22T15:00:00Z"
message_count: 89
state: "active"
# Example 3: Direct Message
# --------------------------
example_direct_message:
slack:
channel_id: "D05N2EXAMPLE" # DMs start with D
workspace: "chochacho"
type: "dm"
members: 2 # Alice (Matrix) and John (Slack)
matrix:
room_id: "!qRsTuVwXyZaBcDeF:clarun.xyz"
room_alias: null # DMs don't have aliases
display_name: "John Doe (Slack DM)"
encrypted: false
members:
- "@alice:clarun.xyz"
- "@slack_U0123ABC:clarun.xyz" # John
- "@slackbot:clarun.xyz"
portal_metadata:
created_at: "2025-10-22T14:10:00Z"
last_activity: "2025-10-22T16:45:00Z"
message_count: 52
state: "active"
# Example 4: Archived Channel
# ----------------------------
example_archived_channel:
slack:
channel_id: "C05N2OLDCHAN"
channel_name: "old-project"
workspace: "chochacho"
type: "public_channel"
archived: true
members: 0 # All members removed when archived
matrix:
room_id: "!gHiJkLmNoPqRsTuV:clarun.xyz"
room_alias: "#slack_old-project:clarun.xyz"
display_name: "old-project (Slack) [ARCHIVED]"
topic: "[Archived] Old project discussions"
encrypted: false
members:
- "@slackbot:clarun.xyz" # Only bot remains
portal_metadata:
created_at: "2025-08-15T10:00:00Z"
last_activity: "2025-10-01T12:00:00Z" # Before archival
message_count: 1543
state: "archived"
# =============================================================================
# Configuration Parameters (config.yaml)
# =============================================================================
# The only configuration parameter affecting portal creation:
conversation_count:
type: "integer"
default: 10
description: "Number of recent Slack conversations to sync on initial login"
location: "config.yaml → slack.conversation_count"
behavior:
- "Set to 10: Sync 10 most recent channels/DMs"
- "Set to 0: No initial sync (portals created on-demand only)"
- "Set to 100: Sync 100 recent conversations (may be slow)"
recommendation: "Start with 10 for testing, adjust based on team size"
# No other static channel mapping configuration exists.
# =============================================================================
# Operational Commands (via Matrix DM with @slackbot:clarun.xyz)
# =============================================================================
# Note: These commands are inferred from other mautrix bridges and may not
# all be available in mautrix-slack. Verify with `help` command.
commands:
- command: "help"
description: "Display available bridge commands"
usage: "help"
- command: "login app"
description: "Authenticate bridge with Slack app credentials"
usage: "login app"
prompts:
- "Please provide bot token (xoxb-...)"
- "Please provide app token (xapp-...)"
- command: "logout"
description: "Disconnect bridge from Slack"
usage: "logout"
effect: "All portals become inactive until re-login"
- command: "delete-portal"
description: "Remove portal for current room (if available)"
usage: "delete-portal"
context: "Send from within a bridged portal room"
effect: "Kicks users, deletes Matrix room, removes from database"
- command: "sync"
description: "Re-sync portals from Slack (if available)"
usage: "sync"
effect: "Creates portals for newly joined Slack channels"
- command: "status"
description: "Display bridge connection status (if available)"
usage: "status"
expected_output:
- "Connection: Connected"
- "Workspace: chochacho"
- "Portals: 12 active"
- "Last message: 30 seconds ago"
# =============================================================================
# Gradual Rollout Strategy
# =============================================================================
# Phase 1: Single Test Channel (Week 1-2)
# ----------------------------------------
phase_1:
goal: "Validate bridge functionality with minimal scope"
conversation_count: 5 # Limit initial sync
channels:
- slack_channel: "#dev-platform"
matrix_room: "#slack_dev-platform:clarun.xyz"
members: ["@alice:clarun.xyz", "@bob:clarun.xyz"]
purpose: "Testing all bridge features"
success_criteria:
- "Messages flow bidirectionally within 5 seconds"
- "Reactions, edits, deletes sync correctly"
- "File attachments work"
- "No service crashes or errors"
# Phase 2: Small User Group (Week 3-4)
# -------------------------------------
phase_2:
goal: "Test multi-user shared portals"
conversation_count: 10
channels:
- "#dev-platform"
- "#general"
- "#random"
users: 5
success_criteria:
- "Multiple Matrix users can interact in same portal"
- "Ghost users appear correctly"
- "Performance acceptable with 5 users"
- "No conflicts or race conditions"
# Phase 3: Organic Expansion (Week 5+)
# -------------------------------------
phase_3:
goal: "Full team adoption"
conversation_count: 20 # Increase as confidence grows
channels: "Auto-created based on activity"
users: "All team members (2-5)"
approach:
- "Don't pre-configure channel lists"
- "Let users authenticate individually"
- "Portals created organically as users interact"
- "Monitor health metrics"
success_criteria:
- "99% uptime over 7 days"
- "All messages delivered within 5 seconds"
- "User feedback positive"
- "No operational issues"
# =============================================================================
# Monitoring Portal Health
# =============================================================================
# Health indicators per portal (from data-model.md):
health_indicators:
connection_status:
values: ["connected", "disconnected", "refreshing"]
source: "Service logs"
alert: "If disconnected > 5 minutes"
last_successful_message:
type: "timestamp"
source: "portal.last_activity in database"
alert: "If > 1 hour old in active channel"
error_count:
type: "integer"
source: "Service logs (ERROR level)"
alert: "If > 10 errors in 10 minutes"
portal_count:
type: "integer"
source: "SELECT COUNT(*) FROM portal"
expected: "Grows organically, typically 5-20 for small team"
ghost_user_count:
type: "integer"
source: "SELECT COUNT(*) FROM puppet"
expected: "One per Slack user in bridged channels"
# Monitoring queries:
monitoring_queries:
- name: "List active portals"
query: |
SELECT slack_channel_id, mxid, name, topic
FROM portal
WHERE state = 'active'
ORDER BY last_activity DESC;
- name: "Find stale portals"
query: |
SELECT slack_channel_id, name, last_activity
FROM portal
WHERE last_activity < NOW() - INTERVAL '7 days'
ORDER BY last_activity ASC;
- name: "Count messages today"
query: |
SELECT COUNT(*)
FROM message
WHERE timestamp >= CURRENT_DATE;
# =============================================================================
# Troubleshooting Portal Issues
# =============================================================================
troubleshooting:
- issue: "Portal not created for Slack channel"
checks:
- "Verify bridge is authenticated (status command)"
- "Check if message was received (look for Slack event in logs)"
- "Verify bot has access to channel (App Login mode)"
- "Check bridge logs for errors"
resolution: "Send message in Slack channel to trigger portal creation"
- issue: "Messages not appearing in Matrix"
checks:
- "Verify Socket Mode connection active"
- "Check last_successful_message timestamp"
- "Look for relay errors in logs"
- "Verify homeserver is reachable"
resolution: "Check journalctl -u mautrix-slack for specific errors"
- issue: "Messages not appearing in Slack"
checks:
- "Verify bot token valid (test with Slack API)"
- "Check bot is member of channel"
- "Look for Slack API errors in logs"
- "Verify rate limits not exceeded"
resolution: "Re-invite bot to channel if needed"
- issue: "Portal shows as archived when channel is active"
checks:
- "Verify channel not actually archived in Slack"
- "Check portal state in database"
- "Look for Slack channel status sync errors"
resolution: "Unarchive in Slack, may need to re-sync portal"
# =============================================================================
# Related Documentation
# =============================================================================
# mautrix-slack Docs: https://docs.mau.fi/bridges/go/slack/
# Matrix Spaces: https://matrix.org/docs/guides/spaces
# Portal Pattern: https://matrix.org/docs/older/types-of-bridging/#portal-bridging
# =============================================================================
# Version Information
# =============================================================================
# Contract Version: 1.0
# Created: 2025-10-22
# Last Updated: 2025-10-22
# Related Spec: 002-slack-bridge-integration/spec.md
# Portal Model: Automatic creation (no static mapping)

359
specs/002-slack-bridge-integration/contracts/secrets-schema.yaml Normal file
View file

@ -0,0 +1,359 @@
# Secrets Schema Contract: Slack Bridge Credentials
# This contract defines the structure and handling of sensitive credentials
# required for the Slack↔Matrix bridge. All secrets are managed via sops-nix
# with age encryption.
# =============================================================================
# Secret Definitions
# =============================================================================
secrets:
slack-oauth-token:
description: "Slack bot user OAuth token for API operations"
format: "xoxb-[workspace_id]-[token_id]-[secret]"
example: "xoxb-1234567890-1234567890123-AbCdEfGhIjKlMnOpQrStUvWx"
required: true
sensitivity: "high"
scope: "Bot token scopes (29 scopes from app manifest)"
usage: "Provided during `login app` interactive authentication"
rotation: "Manual via Slack app settings → Reinstall app"
storage:
- location: "sops-encrypted secrets.yaml (backup/recovery)"
- location: "Bridge PostgreSQL database (primary storage after login)"
validation:
- "Starts with 'xoxb-'"
- "Length: 50-100 characters"
- "Format: xoxb-[numbers]-[numbers]-[alphanumeric]"
revocation:
- "Slack app settings → OAuth & Permissions → Revoke"
- "Remove app from workspace"
slack-app-token:
description: "Slack app-level token for Socket Mode WebSocket connection"
format: "xapp-[level]-[workspace_id]-[token_id]-[secret]"
example: "xapp-1-A0123456789-1234567890123-abc123def456ghi789jkl012mno345pqr678stu901vwx234yz"
required: true
sensitivity: "high"
scope: "connections:write (Socket Mode)"
usage: "Provided during `login app` interactive authentication"
rotation: "Manual via Slack app settings → App-Level Tokens → Regenerate"
storage:
- location: "sops-encrypted secrets.yaml (backup/recovery)"
- location: "Bridge PostgreSQL database (primary storage after login)"
validation:
- "Starts with 'xapp-'"
- "Length: 80-120 characters"
- "Contains workspace identifier"
revocation:
- "Slack app settings → App-Level Tokens → Revoke"
# =============================================================================
# sops-nix Configuration
# =============================================================================
# File: secrets/secrets.yaml (encrypted)
# ----------------
slack-oauth-token: "ENC[AES256_GCM,data:...,type:str]"
slack-app-token: "ENC[AES256_GCM,data:...,type:str]"
# Age Keys (.sops.yaml)
# ---------------------
keys:
- &vultr_vps age1vuxcwvdvzl2u7w6kudqvnnf45czrnhwv9aevjq9hyjjpa409jvkqhkz32q
# Source: /etc/ssh/ssh_host_ed25519_key on VPS
# Conversion: ssh-to-age < ssh_host_ed25519_key.pub
# Purpose: Production VPS can decrypt secrets at boot
- &admin age18ue40q4fw8uggdlfag7jf5nrawvfvsnv93nurschhuynus200yjsd775v3
# Source: Admin workstation age key
# Purpose: Administrator can edit secrets locally
# Encryption Rules
# ----------------
creation_rules:
- path_regex: secrets/secrets\.yaml$
key_groups:
- age:
- *vultr_vps # VPS auto-decrypts at boot
- *admin # Admin can sops secrets/secrets.yaml
# =============================================================================
# NixOS Declaration (hosts/ops-jrz1.nix)
# =============================================================================
# NOTE: With interactive login approach, these secret declarations are NOT
# required. Tokens are provided via Matrix chat and stored in database.
# The declarations below are for backup/recovery purposes only.
# sops:
# defaultSopsFile: ../secrets/secrets.yaml
# age:
# sshKeyPaths: ["/etc/ssh/ssh_host_ed25519_key"]
#
# secrets:
# slack-oauth-token:
# owner: "mautrix_slack"
# group: "mautrix_slack"
# mode: "0440"
# # Runtime location: /run/secrets/slack-oauth-token
# # Decrypted at boot, available only to mautrix_slack user
#
# slack-app-token:
# owner: "mautrix_slack"
# group: "mautrix_slack"
# mode: "0440"
# # Runtime location: /run/secrets/slack-app-token
# # Decrypted at boot, available only to mautrix_slack user
# =============================================================================
# Runtime Secret Locations
# =============================================================================
# After sops-nix decryption (boot time):
# /run/secrets/slack-oauth-token
# - Permissions: 0440 (-r--r-----)
# - Owner: mautrix_slack:mautrix_slack
# - Storage: tmpfs (RAM-only, cleared on reboot)
# - Usage: NOT used with interactive login approach
# - Purpose: Backup for disaster recovery
# /run/secrets/slack-app-token
# - Permissions: 0440 (-r--r-----)
# - Owner: mautrix_slack:mautrix_slack
# - Storage: tmpfs (RAM-only, cleared on reboot)
# - Usage: NOT used with interactive login approach
# - Purpose: Backup for disaster recovery
# Bridge Database (runtime, primary storage):
# /var/lib/mautrix_slack/mautrix_slack.db (or PostgreSQL)
# - Table: "user"
# - Columns: mxid, slack_user_id, access_token (encrypted)
# - Storage: Persistent, survives reboots
# - Encryption: Filesystem-level (LUKS)
# - Usage: Active tokens after `login app` authentication
# =============================================================================
# Token Generation Process
# =============================================================================
# Step 1: Create Slack App
# -------------------------
# 1. Go to: https://api.slack.com/apps
# 2. Click "Create New App" → "From an app manifest"
# 3. Select workspace: "chochacho"
# 4. Paste manifest from: https://github.com/mautrix/slack/blob/main/app-manifest.yaml
# 5. Review scopes (29 bot scopes, 46 event subscriptions)
# 6. Click "Create"
# Step 2: Enable Socket Mode
# ---------------------------
# 1. In app settings → "Socket Mode"
# 2. Toggle "Enable Socket Mode" → ON
# 3. Click "Generate an app-level token"
# 4. Token name: "socket-mode-token"
# 5. Add scope: "connections:write"
# 6. Click "Generate"
# 7. Copy token (starts with "xapp-") → Save securely
# Step 3: Install App to Workspace
# ---------------------------------
# 1. In app settings → "Install App"
# 2. Click "Install to Workspace"
# 3. Review permissions (29 scopes)
# 4. Click "Allow"
# 5. Copy "Bot User OAuth Token" (starts with "xoxb-") → Save securely
# Step 4: Store Tokens in sops-nix (Optional, for backup)
# --------------------------------------------------------
# 1. Edit encrypted secrets file:
# sops secrets/secrets.yaml
#
# 2. Add tokens:
# slack-oauth-token: "xoxb-..."
# slack-app-token: "xapp-..."
#
# 3. Save (auto-encrypts with age keys)
# 4. Commit to git (encrypted version is safe)
# 5. Deploy configuration (secrets decrypted at boot)
# Step 5: Authenticate Bridge (Primary Method)
# ---------------------------------------------
# 1. Open Matrix client (Element, etc.)
# 2. Start DM with: @slackbot:clarun.xyz
# 3. Send command: "login app"
# 4. Bot prompts: "Please provide bot token"
# 5. Send: "xoxb-..." (paste bot token)
# 6. Bot prompts: "Please provide app token"
# 7. Send: "xapp-..." (paste app token)
# 8. Bot responds: "Successfully logged in" (or error)
# 9. Tokens stored in bridge database (persistent)
# =============================================================================
# Security Best Practices
# =============================================================================
security:
storage:
- rule: "NEVER commit unencrypted tokens to git"
enforcement: ".gitignore excludes secrets.yaml.dec"
- rule: "NEVER hardcode tokens in NixOS configuration"
enforcement: "Use sops-nix or interactive login only"
- rule: "NEVER log tokens in plaintext"
enforcement: "mautrix bridges sanitize logs automatically"
access_control:
- rule: "Tokens only readable by service user"
enforcement: "owner: mautrix_slack, mode: 0440"
- rule: "Tokens cleared on reboot (tmpfs)"
enforcement: "/run/secrets on tmpfs filesystem"
- rule: "Tokens encrypted at rest in database"
enforcement: "LUKS encryption on /var filesystem"
rotation:
- frequency: "Every 90 days (recommended)"
process:
- "Generate new tokens in Slack app settings"
- "Update sops-encrypted secrets.yaml"
- "Re-authenticate bridge via `login app` command"
- "Verify functionality with test message"
- "Revoke old tokens in Slack"
- emergency:
- "If tokens compromised, revoke immediately in Slack"
- "Generate new tokens"
- "Re-authenticate bridge"
- "Review audit logs for unauthorized access"
monitoring:
- "Enable IP allowlisting in Slack app settings (if VPS has static IP)"
- "Monitor Slack app usage dashboard for anomalies"
- "Alert on authentication failures in bridge logs"
- "Track token usage via Slack audit logs (Enterprise Grid)"
# =============================================================================
# Disaster Recovery
# =============================================================================
# Scenario 1: Lost Tokens (Bridge Database Corrupted)
# ----------------------------------------------------
# If bridge database is lost but sops-encrypted secrets.yaml exists:
# 1. Restore from backup or re-deploy service
# 2. Tokens in sops-encrypted secrets.yaml can be retrieved
# 3. Re-authenticate via `login app` command
# 4. Bridge resumes operation
# Scenario 2: Lost Secrets File (Git Repository Intact)
# ------------------------------------------------------
# If secrets.yaml is lost but git repository exists:
# 1. Clone git repository (encrypted secrets.yaml present)
# 2. Decrypt on VPS (age key from SSH host key)
# 3. Extract tokens: sops -d secrets/secrets.yaml | grep slack
# 4. Re-authenticate bridge via `login app` command
# Scenario 3: Complete VPS Failure (Need to Regenerate)
# ------------------------------------------------------
# If VPS is destroyed and no backups exist:
# 1. Go to Slack app settings
# 2. Regenerate app-level token (old token revoked)
# 3. Reinstall app to workspace (new bot token generated)
# 4. Update sops-encrypted secrets.yaml with new tokens
# 5. Deploy to new VPS
# 6. Authenticate bridge via `login app` with new tokens
# Scenario 4: Workspace Migration (Slack → New Workspace)
# --------------------------------------------------------
# If migrating from "delpadtech" to "chochacho":
# 1. Create new Slack app in "chochacho" workspace
# 2. Generate new tokens (different workspace = different tokens)
# 3. Update NixOS config: workspace = "chochacho"
# 4. Update secrets.yaml with new tokens
# 5. Deploy configuration
# 6. Authenticate with new tokens
# 7. Old workspace bridge automatically disconnects
# =============================================================================
# Token Scope Reference
# =============================================================================
# Bot Token Scopes (xoxb-) - 29 Required
# ---------------------------------------
bot_scopes:
channels:
- "channels:read" # List public channels
- "channels:history" # Read messages in public channels
- "channels:write.invites" # Invite users to channels
- "channels:write.topic" # Edit channel topics
groups: # Private channels
- "groups:read"
- "groups:history"
- "groups:write"
- "groups:write.invites"
- "groups:write.topic"
im: # Direct messages
- "im:read"
- "im:history"
- "im:write"
- "im:write.topic"
mpim: # Group direct messages
- "mpim:read"
- "mpim:history"
- "mpim:write"
- "mpim:write.topic"
chat:
- "chat:write" # Send messages
- "chat:write.public" # Send to public channels without joining
- "chat:write.customize" # Customize bot name/avatar (for ghosting)
files:
- "files:read" # Download files
- "files:write" # Upload files
reactions:
- "reactions:read" # View reactions
- "reactions:write" # Add/remove reactions
pins:
- "pins:read" # View pinned messages
- "pins:write" # Pin/unpin messages
users:
- "users:read" # View user info
- "users.profile:read" # View user profiles
- "users:read.email" # View user emails
workspace:
- "team:read" # View workspace info
- "emoji:read" # View custom emoji
# App-Level Token Scopes (xapp-) - 1 Required
# --------------------------------------------
app_scopes:
- "connections:write" # Establish Socket Mode WebSocket connections
# =============================================================================
# Related Documentation
# =============================================================================
# Slack API Scopes: https://api.slack.com/scopes
# sops-nix: https://github.com/Mic92/sops-nix
# Age Encryption: https://age-encryption.org/
# mautrix-slack Auth: https://docs.mau.fi/bridges/go/slack/authentication.html
# =============================================================================
# Version Information
# =============================================================================
# Contract Version: 1.0
# Created: 2025-10-22
# Last Updated: 2025-10-22
# Related Spec: 002-slack-bridge-integration/spec.md
# Security Requirement: FR-007 (sops-nix encrypted secrets)

678
specs/002-slack-bridge-integration/data-model.md Normal file
View file

@ -0,0 +1,678 @@
# Data Model: Slack↔Matrix Bridge
**Feature**: 002-slack-bridge-integration
**Created**: 2025-10-22
**Status**: Design Complete
## Overview
This document defines the conceptual data model for the mautrix-slack bridge. Since this is infrastructure configuration (not application code), the model focuses on configuration entities, runtime state, and operational data flows.
**Key Insight**: Most data is managed internally by mautrix-slack (PostgreSQL database). Our model focuses on **configuration inputs** and **observable runtime state** relevant to NixOS deployment.
---
## 1. Configuration Entities
### 1.1 Bridge Service
**Description**: The mautrix-slack service instance
**Properties**:
| Property | Type | Source | Description |
|----------|------|--------|-------------|
| `workspace` | string | NixOS config | Slack workspace name ("chochacho") |
| `homeserverUrl` | URL | NixOS config | Matrix homeserver address (http://127.0.0.1:8008) |
| `serverName` | domain | NixOS config | Matrix server domain (clarun.xyz) |
| `databaseUri` | URI | NixOS config | PostgreSQL connection string |
| `port` | integer | NixOS config | Appservice listen port (29319) |
| `commandPrefix` | string | NixOS config | Bridge command prefix ("!slack") |
| `permissions` | map | NixOS config | Domain → permission level mappings |
| `loggingLevel` | enum | NixOS config | Log verbosity (debug/info/warn/error) |
| `conversationCount` | integer | config.yaml | Number of recent chats to sync on login |
**Lifecycle**:
- Created: NixOS configuration deployment
- Modified: Configuration updates → rebuild
- Destroyed: Service disabled in config
**State Transitions**: See section 3.1 (Bridge Service State Machine)
### 1.2 Slack Credentials
**Description**: Authentication tokens for Slack API
**Properties**:
| Property | Type | Source | Description |
|----------|------|--------|-------------|
| `botToken` | secret (xoxb-) | sops-nix → bridge DB | Slack bot OAuth token |
| `appToken` | secret (xapp-) | sops-nix → bridge DB | Slack app-level token (Socket Mode) |
| `workspace` | string | Interactive login | Slack workspace identifier (T...) |
**Lifecycle**:
- Created: Slack app configuration → manual token generation
- Stored: Provided via `login app` command → bridge database
- Rotated: Manual token regeneration → re-authentication
- Revoked: Slack app settings or user removes app
**Security Requirements**:
- Tokens never in Nix store (evaluation-time exposure risk)
- Tokens never in config.yaml (file permission risk)
- Tokens stored in bridge PostgreSQL database (encrypted at rest via LUKS)
- Optional: Encrypt in sops-nix for disaster recovery (not used by bridge directly)
### 1.3 Matrix Appservice Registration
**Description**: Matrix homeserver configuration for bridge integration
**Properties**:
| Property | Type | Source | Description |
|----------|------|--------|-------------|
| `id` | string | Generated | Appservice identifier ("slack") |
| `url` | URL | Generated | Bridge endpoint (http://127.0.0.1:29319) |
| `asToken` | secret | Generated | Appservice → homeserver auth |
| `hsToken` | secret | Generated | Homeserver → appservice auth |
| `senderLocalpart` | string | Generated | Bot user localpart ("slackbot") |
| `usernameTemplate` | string | Generated | Ghost user format ("slack_{{.}}") |
| `namespaces.users` | list | Generated | Reserved user namespaces |
**Lifecycle**:
- Created: First service start (`mautrix-slack -g -r registration.yaml`)
- Modified: Rarely (only on namespace changes)
- Consumed: Loaded by Matrix homeserver (conduwuit)
**File Location**: `/var/lib/matrix-appservices/mautrix_slack_registration.yaml`
### 1.4 Channel Portal
**Description**: A bridged Slack channel ↔ Matrix room pair
**Properties** (stored in mautrix-slack database):
| Property | Type | Description |
|----------|------|-------------|
| `slackChannelId` | string | Slack channel ID (C...) |
| `matrixRoomId` | string | Matrix room ID (!...clarun.xyz) |
| `channelName` | string | Slack channel name (#dev-platform) |
| `roomAlias` | string | Matrix room alias (#slack_dev-platform:clarun.xyz) |
| `topic` | string | Channel topic/description |
| `members` | list | Slack users in channel |
| `encrypted` | boolean | Whether Matrix room is encrypted |
| `createdAt` | timestamp | Portal creation time |
| `lastActivity` | timestamp | Last message timestamp |
**Lifecycle**: See section 3.3 (Channel Portal State Machine)
**Observable via**:
- Matrix room list (user perspective)
- Bridge database queries (admin perspective)
- Bot command: `!slack status` (if implemented)
---
## 2. Runtime State Entities
### 2.1 Socket Mode Connection
**Description**: WebSocket connection to Slack's real-time messaging service
**Properties**:
| Property | Type | Description |
|----------|------|-------------|
| `websocketUrl` | URL | Dynamic WebSocket URL (wss://wss.slack.com/link/...) |
| `connectionState` | enum | disconnected / connecting / connected / refreshing |
| `connectionId` | string | Unique connection identifier |
| `connectedAt` | timestamp | When connection established |
| `refreshAt` | timestamp | Estimated refresh time (~2-4 hours) |
| `lastHeartbeat` | timestamp | Last ping/pong from Slack |
| `reconnectAttempts` | integer | Consecutive failed reconnection count |
| `rateLimit` | timestamp | Earliest next connection attempt (1/minute limit) |
**State Transitions**: See section 3.2 (Socket Mode Connection State Machine)
**Observable via**:
- Service logs: `journalctl -u mautrix-slack -f`
- Health indicators: Connection status, last successful message timestamp
### 2.2 Ghost User
**Description**: Matrix representation of a Slack user
**Properties**:
| Property | Type | Description |
|----------|------|-------------|
| `matrixUserId` | string | Ghost user MXID (@slack_U123ABC:clarun.xyz) |
| `slackUserId` | string | Slack user ID (U...) |
| `displayName` | string | Synced from Slack profile |
| `avatarUrl` | mxc:// | Synced from Slack avatar |
| `isBot` | boolean | Whether user is a bot account |
| `email` | string | Slack user email (if available) |
| `slackTeam` | string | Workspace identifier |
**Lifecycle**:
- Created: First message from Slack user in bridged channel
- Updated: Slack profile changes → synced to Matrix
- Deactivated: User leaves workspace (profile retained but inactive)
**Namespace**: `@slack_*:clarun.xyz` (reserved via appservice registration)
### 2.3 Message Event
**Description**: A bridged message in transit
**Properties**:
| Property | Type | Description |
|----------|------|-------------|
| `sourceService` | enum | slack / matrix |
| `sourceEventId` | string | Slack ts or Matrix event ID |
| `targetEventId` | string | Event ID in destination service |
| `messageType` | enum | text / image / file / reaction / edit / delete |
| `content` | object | Message payload (text, attachments, etc.) |
| `sender` | string | User ID in source service |
| `channel` | string | Portal ID |
| `timestamp` | timestamp | Message send time |
| `deliveredAt` | timestamp | When relayed to destination |
| `latency` | duration | deliveredAt - timestamp (should be <5s) |
**Lifecycle** (ephemeral):
- Received: Slack WebSocket event or Matrix /transactions POST
- Transformed: Format conversion (Slack JSON ↔ Matrix JSON)
- Sent: Posted to destination API
- Acknowledged: Event ID stored for deduplication
**Observable via**:
- Bridge logs (debug level)
- Health metrics: Message count, delivery latency
- Spec requirement: FR-001/FR-002 (5 second latency SLA)
---
## 3. State Machines
### 3.1 Bridge Service State Machine
```
┌─────────────┐
│ Disabled │ (services.mautrix-slack.enable = false)
└──────┬──────┘
│ nixos-rebuild switch (enable = true)
┌─────────────┐
│ Starting │ ExecStartPre: Generate config, create registration
└──────┬──────┘
│ Config valid, database reachable
┌─────────────┐
│Unauthenticated (service running, waiting for `login app`)
└──────┬──────┘
│ User sends `login app` command, provides tokens
┌─────────────┐
│ Connecting │ Establishing Socket Mode WebSocket
└──────┬──────┘
│ WebSocket handshake successful
┌─────────────┐
│ Active │ Normal operation (relaying messages)
└──┬─────┬────┘
│ │ Connection refresh (every ~2-4 hours)
│ └──→ Connecting (automatic reconnection)
│ Configuration error, auth revoked, database failure
┌─────────────┐
│ Failed │ Service exits (systemd restarts after 10s)
└──────┬──────┘
│ systemd RestartSec expires
└──→ Starting
```
**Key Observations**:
- **Unauthenticated state is valid**: Service can run without Slack credentials
- **Automatic restart**: systemd handles crash recovery
- **Connection refresh is normal**: Not a failure state, automatic transition
### 3.2 Socket Mode Connection State Machine
```
┌─────────────┐
│Disconnected │ Initial state or after connection loss
└──────┬──────┘
│ Bridge has valid credentials
┌─────────────┐
│Requesting URL Call apps.connections.open API
└──────┬──────┘
│ API returns wss:// URL (rate limit: 1/minute)
┌─────────────┐
│ Connecting │ WebSocket handshake in progress
└──────┬──────┘
│ Receives "hello" message from Slack
┌─────────────┐
│ Connected │ Receiving events, acknowledging with envelope_id
└──┬───┬───┬──┘
│ │ │ Slack sends "warning" disconnect (10s notice)
│ │ └──→ Refreshing
│ │
│ │ Network error, timeout, Slack backend restart
│ └──→ Disconnected (immediate reconnection attempt)
│ Normal operation continues
┌─────────────┐
│ Refreshing │ Graceful connection renewal
└──────┬──────┘
│ Fetch new WebSocket URL
└──→ Requesting URL
```
**Error Paths**:
- **Rate limited**: Stay in Disconnected, retry after 1 minute
- **Auth invalid**: Transition to Failed (requires re-authentication)
- **Network partition**: Exponential backoff reconnection attempts
**Health Indicators**:
- `connection_status`: current state name
- `last_successful_message`: timestamp of last event
- `reconnection_attempts`: incremented on failed connections, reset on success
### 3.3 Channel Portal State Machine
```
┌─────────────┐
│ Pending │ User receives message in unbridged Slack channel
└──────┬──────┘
│ Bridge auto-creates portal
┌─────────────┐
│ Creating │ Allocating Matrix room, sending invites
└──────┬──────┘
│ Room created, Matrix users invited
┌─────────────┐
│ Active │ Relaying messages bidirectionally
└──┬───┬───┬──┘
│ │ │ Slack channel archived
│ │ └──→ Archived
│ │
│ │ Admin runs delete-portal command (if available)
│ └──→ Deleting
│ Normal message relay continues
(Active - steady state)
┌─────────────┐
│ Archived │ Slack channel is read-only
└──────┬──────┘
│ Slack channel unarchived
└──→ Active
┌─────────────┐
│ Deleting │ Cleanup: kick users, delete room, remove from DB
└──────┬──────┘
│ Cleanup complete
┌─────────────┐
│ Deleted │ Portal removed (can be recreated if needed)
└─────────────┘
```
**Key Properties by State**:
- **Pending**: Not yet in bridge database
- **Creating**: Room exists but membership incomplete
- **Active**: `lastActivity` updates on each message
- **Archived**: Read-only, no new messages flow
- **Deleted**: Database record removed, room unlinked
---
## 4. Relationships
### 4.1 Entity Relationship Diagram
```
┌──────────────────┐
│ Bridge Service │
└────────┬─────────┘
│ 1
│ manages
↓ N
┌──────────────────┐ ┌──────────────────┐
│ Socket Connection│←──────│ Slack Credentials│
└────────┬─────────┘ 1 └──────────────────┘
│ uses
│ receives events via
↓ N
┌──────────────────┐
│ Channel Portal │
└────────┬─────────┘
│ bridges
↓ N
┌──────────────────┐ ┌──────────────────┐
│ Message Event │───────│ Ghost User │
└──────────────────┘ from └──────────────────┘
│ N │ N
│ │
│ relays to │ represents
↓ 1 ↓ 1
┌──────────────────┐ ┌──────────────────┐
│ Matrix Room │ │ Slack User │
└──────────────────┘ └──────────────────┘
```
### 4.2 Cardinality Table
| Entity A | Relationship | Entity B | Cardinality | Notes |
|----------|--------------|----------|-------------|-------|
| Bridge Service | manages | Socket Connection | 1:1 | One WebSocket per bridge instance |
| Bridge Service | creates | Channel Portal | 1:N | Multiple channels bridged |
| Socket Connection | uses | Slack Credentials | 1:1 | Credentials shared across portals |
| Channel Portal | contains | Message Event | 1:N | Many messages per channel |
| Channel Portal | links | Matrix Room | 1:1 | Bidirectional mapping |
| Ghost User | sends | Message Event | 1:N | User can send many messages |
| Ghost User | represents | Slack User | 1:1 | One MXID per Slack user per workspace |
| Appservice Registration | reserves | Ghost User namespace | 1:N | All @slack_*:clarun.xyz |
---
## 5. Data Flow Diagrams
### 5.1 Message Flow: Slack → Matrix
```
Slack User
│ Posts message in #dev-platform
Slack API (WebSocket event)
│ message.channels event
mautrix-slack (Socket Mode listener)
│ 1. Acknowledge event (envelope_id)
│ 2. Check portal exists for channel
│ 3. Transform message format
│ 4. Lookup/create ghost user
Matrix Homeserver (/_matrix/app/v1/transactions)
│ PUT transaction with event
Matrix Room (#slack_dev-platform:clarun.xyz)
│ Event appears in room timeline
Matrix Users
│ See message from @slack_john:clarun.xyz
```
**Latency Budget**: <5 seconds (FR-001)
**Failure Modes**:
- Portal doesn't exist → Auto-create, then deliver
- Ghost user doesn't exist → Create, set profile, then deliver
- Matrix homeserver unreachable → Retry with exponential backoff
- Event deduplication → Check Slack `ts` against database, skip if duplicate
### 5.2 Message Flow: Matrix → Slack
```
Matrix User (@alice:clarun.xyz)
│ Sends message in #slack_dev-platform:clarun.xyz
Matrix Homeserver
│ Appservice transaction to bridge
mautrix-slack (/_matrix/app/v1/transactions)
│ 1. Verify hs_token
│ 2. Lookup portal by room ID
│ 3. Transform message format
│ 4. Determine sender identity
Slack API (chat.postMessage or chat.postEphemeral)
│ POST message to channel via bot token
Slack Channel (#dev-platform)
│ Message appears from bridge bot
│ (with Matrix user's display name if using customization)
Slack Users
│ See message: "Alice (Matrix): Hello from Matrix!"
```
**Latency Budget**: <5 seconds (FR-002)
**Failure Modes**:
- Portal not found → Log error, return 200 OK (avoid retry loop)
- Slack API rate limited → Queue message, retry with backoff
- Bot not in channel → Attempt to join, or return error to Matrix user
- Invalid message format → Send error reply to Matrix user
### 5.3 Authentication Flow
```
Admin (NixOS deployment)
│ 1. Deploy configuration (services.mautrix-slack.enable = true)
NixOS Activation
│ 2. Start systemd service
mautrix-slack service
│ 3. Generate config, start service
│ 4. Listen on port 29319
│ 5. State: Unauthenticated
Admin (Matrix client)
│ 6. Open DM with @slackbot:clarun.xyz
│ 7. Send: "login app"
mautrix-slack
│ 8. Prompt: "Please provide bot token"
Admin
│ 9. Send: "xoxb-..."
mautrix-slack
│ 10. Prompt: "Please provide app token"
Admin
│ 11. Send: "xapp-..."
mautrix-slack
│ 12. Store tokens in database
│ 13. Call apps.connections.open
│ 14. Establish WebSocket connection
│ 15. Sync recent conversations (conversation_count)
│ 16. State: Active
Admin
│ 17. Receive success message
│ 18. Invited to bridged channel portals
```
**Security Notes**:
- Tokens transmitted over encrypted Matrix federation (TLS)
- Tokens stored in PostgreSQL database (LUKS-encrypted filesystem)
- Tokens never logged (mautrix bridges sanitize logs)
- Admin can revoke via Slack app settings
### 5.4 Portal Creation Flow
```
Slack User
│ Sends message in #general (not yet bridged)
Slack API (WebSocket event)
│ message.channels event
mautrix-slack
│ 1. Check database: portal exists for channel_id?
│ 2. Not found → Initiate auto-create
Portal Creation Logic
│ 3. Create Matrix room via homeserver API
│ 4. Set room name, topic, avatar
│ 5. Insert portal record in database
│ 6. Map Slack channel ↔ Matrix room
Membership Sync
│ 7. For each Slack member in channel:
│ - Create/update ghost user
│ - Invite ghost user to Matrix room
Relay Message
│ 8. Transform and send original message
Matrix Users
│ 9. Receive room invitation
│ 10. Join room, see first message
```
**Timing**: Portal creation adds ~2-5 seconds latency to first message
**Failure Recovery**:
- Room creation fails → Retry up to 3 times
- Ghost user creation fails → Skip that user, continue
- Database insert fails → Rollback, log error, retry
---
## 6. Database Schema (Conceptual)
**Note**: Actual schema managed by mautrix-slack. This is conceptual understanding for operational purposes.
### Key Tables
**`portal`**
```sql
CREATE TABLE portal (
slack_channel_id TEXT PRIMARY KEY, -- C0123ABC
mxid TEXT NOT NULL, -- !xyz:clarun.xyz
name TEXT, -- dev-platform
topic TEXT,
encrypted BOOLEAN DEFAULT FALSE,
in_space BOOLEAN DEFAULT FALSE,
avatar_url TEXT,
name_set BOOLEAN,
topic_set BOOLEAN,
avatar_set BOOLEAN
);
```
**`puppet`** (Ghost Users)
```sql
CREATE TABLE puppet (
slack_user_id TEXT PRIMARY KEY, -- U0123DEF
team_id TEXT, -- T0456GHI
mxid TEXT NOT NULL, -- @slack_john:clarun.xyz
display_name TEXT,
avatar_url TEXT,
name_set BOOLEAN,
avatar_set BOOLEAN,
contact_info_set BOOLEAN,
is_bot BOOLEAN,
custom_mxid TEXT -- For double-puppeting
);
```
**`user`** (Logged-in Matrix users)
```sql
CREATE TABLE "user" (
mxid TEXT PRIMARY KEY, -- @alice:clarun.xyz
slack_user_id TEXT, -- U789JKL (after login)
team_id TEXT, -- T0456GHI
access_token TEXT, -- Encrypted Slack token
management_room TEXT -- DM with bridge bot
);
```
**`message`** (Event mapping for edits/deletes)
```sql
CREATE TABLE message (
slack_ts TEXT, -- 1234567890.123456
slack_channel_id TEXT, -- C0123ABC
mxid TEXT, -- $event_id:clarun.xyz
UNIQUE(slack_ts, slack_channel_id)
);
```
**Queries Used**:
- Message relay: `SELECT mxid FROM portal WHERE slack_channel_id = ?`
- Ghost user lookup: `SELECT mxid FROM puppet WHERE slack_user_id = ?`
- Edit/delete: `SELECT mxid FROM message WHERE slack_ts = ? AND slack_channel_id = ?`
---
## 7. Configuration Data Flow
```
Git Repository (specs/002-slack-bridge-integration/)
│ Contains: spec.md, plan.md, data-model.md
NixOS Configuration (hosts/ops-jrz1.nix)
│ services.mautrix-slack = { ... }
NixOS Evaluation
│ Merges: modules/mautrix-slack.nix options
ExecStartPre (Python script)
│ 1. Generate example config: mautrix-slack -e
│ 2. Merge configOverrides
│ 3. Write: /var/lib/mautrix_slack/config/config.yaml
mautrix-slack service
│ Reads config.yaml on startup
Runtime Behavior
│ Connects to Matrix, Slack, PostgreSQL
```
**Configuration Layers** (in order of precedence):
1. **Hardcoded defaults** (in mautrix-slack binary)
2. **Example config** (generated with `-e` flag)
3. **NixOS module overrides** (`configOverrides` option)
4. **User extraConfig** (`extraConfig` option)
5. **Runtime authentication** (tokens from `login app` command)
---
## 8. Observability Data
### Health Indicators (SC-003a)
| Metric | Source | Purpose |
|--------|--------|---------|
| `connection_status` | Service logs | Socket Mode connection state |
| `last_successful_message` | Service logs | Timestamp of last relayed message |
| `error_count` | Service logs | Count of errors since last restart |
| `portal_count` | Database query | Number of active channel portals |
| `ghost_user_count` | Database query | Number of Slack users bridged |
| `message_latency` | Bridge metrics | Time between source→destination (should be <5s) |
### Log Events
**Key log patterns** (from mautrix bridge codebase):
```
INFO [WebSocket] Connected to Slack via Socket Mode
INFO [Portal] Creating portal for channel #dev-platform (C0123ABC)
INFO [Message] Relaying message from Slack to Matrix: {...}
WARN [Connection] WebSocket disconnected, reconnecting in 5s
ERROR [Auth] Invalid bot token, authentication failed
```
**Monitoring Strategy**:
1. Use `journalctl -u mautrix-slack -f` for real-time monitoring
2. Export logs to persistent storage for analysis
3. Alert on `ERROR` level logs
4. Track `last_successful_message` metric (alert if >1 hour stale)
---
## 9. Document History
- **2025-10-22**: Initial data model design
- **Phase 1 Status**: ✅ Complete
- **Next**: Create contracts/ directory with schemas

1
.specify/templates/plan-template.md → specs/002-slack-bridge-integration/plan.md
View file

@ -102,3 +102,4 @@ directories captured above]
|-----------|------------|-------------------------------------|
| [e.g., 4th project] | [current need] | [why 3 projects insufficient] |
| [e.g., Repository pattern] | [specific problem] | [why direct DB access insufficient] |

889
specs/002-slack-bridge-integration/quickstart.md Normal file
View file

@ -0,0 +1,889 @@
# Quickstart: Slack Bridge Deployment
**Feature**: 002-slack-bridge-integration
**Target Environment**: ops-jrz1 VPS (45.77.205.49)
**Estimated Time**: 30-45 minutes
## Overview
This guide provides step-by-step instructions for deploying the mautrix-slack bridge from scratch. Follow these steps in order to achieve a working Slack↔Matrix bridge.
**Prerequisites**:
- NixOS 24.05+ running on ops-jrz1 VPS
- Matrix homeserver (conduwuit) running on port 8008
- PostgreSQL running with mautrix_slack database
- Admin access to Slack workspace "chochacho"
- Matrix client (Element, etc.)
**Success Criteria**:
- ✅ Service running without errors
- ✅ Socket Mode connection established
- ✅ Test message flows Slack → Matrix within 5 seconds
- ✅ Test message flows Matrix → Slack within 5 seconds
---
## Phase 0: Pre-Deployment Checks
### 0.1 Verify Infrastructure
```bash
# SSH to VPS
ssh root@45.77.205.49
# Check Matrix homeserver running
systemctl status matrix-continuwuity
curl -s http://localhost:8008/_matrix/client/versions | jq .
# Check PostgreSQL running
systemctl status postgresql
sudo -u postgres psql -c '\l' | grep mautrix_slack
# Check database created
sudo -u postgres psql mautrix_slack -c '\dt'
# Expected: Empty (bridge will create tables on first run)
# Check existing bridge status
systemctl status mautrix-slack
# Expected: Inactive or running but not authenticated
```
**If checks fail**:
- Matrix homeserver not running → Start: `systemctl start matrix-continuwuity`
- Database doesn't exist → Created by dev-services.nix, redeploy configuration
- Other issues → Review recent worklogs in docs/worklogs/
### 0.2 Review Current Configuration
```bash
# Check current mautrix-slack configuration
cat /run/current-system/configuration.nix | grep -A 20 "mautrix-slack"
# Check if service is enabled
systemctl list-unit-files | grep mautrix-slack
```
**Current State** (as of 2025-10-22):
- Module exists: `modules/mautrix-slack.nix`
- Configured for "delpadtech" workspace (needs update)
- Service exits with code 11 (missing credentials)
---
## Phase 1: Slack App Configuration
### 1.1 Create Slack App
1. Open browser: https://api.slack.com/apps
2. Click **"Create New App"**
3. Choose **"From an app manifest"**
4. Select workspace: **"chochacho"**
### 1.2 Configure App Manifest
1. Paste the following manifest (from mautrix-slack):
```yaml
display_information:
name: Matrix Bridge
description: Bridge for Matrix↔Slack messaging
background_color: "#000000"
features:
bot_user:
display_name: Matrix Bridge
always_online: true
oauth_config:
scopes:
bot:
- channels:history
- channels:read
- channels:write.invites
- channels:write.topic
- chat:write
- chat:write.customize
- chat:write.public
- emoji:read
- files:read
- files:write
- groups:history
- groups:read
- groups:write
- groups:write.invites
- groups:write.topic
- im:history
- im:read
- im:write
- im:write.topic
- mpim:history
- mpim:read
- mpim:write
- mpim:write.topic
- pins:read
- pins:write
- reactions:read
- reactions:write
- team:read
- users.profile:read
- users:read
- users:read.email
settings:
event_subscriptions:
bot_events:
- app_uninstalled
- channel_archive
- channel_created
- channel_deleted
- channel_id_changed
- channel_left
- channel_rename
- channel_unarchive
- file_change
- file_deleted
- file_shared
- group_archive
- group_deleted
- group_left
- group_rename
- group_unarchive
- member_joined_channel
- member_left_channel
- message.channels
- message.groups
- message.im
- message.mpim
- pin_added
- pin_removed
- reaction_added
- reaction_removed
- team_domain_change
- user_change
- user_profile_changed
- user_status_changed
org_deploy_enabled: false
socket_mode_enabled: true
token_rotation_enabled: false
```
2. Click **"Create"**
3. Review and click **"Confirm"**
### 1.3 Enable Socket Mode
1. In app settings, navigate to **"Socket Mode"**
2. Toggle **"Enable Socket Mode"** to **ON**
3. Click **"Generate an app-level token"**
- Token name: `socket-mode-connection`
- Add scope: `connections:write`
- Click **"Generate"**
4. **Copy the token** (starts with `xapp-`)
- ⚠️ **Important**: Save this token securely, you'll need it for authentication
- Format: `xapp-1-A0123456789-1234567890123-abc...xyz`
### 1.4 Install App to Workspace
1. Navigate to **"Install App"**
2. Click **"Install to Workspace"**
3. Review permissions (29 bot scopes)
4. Click **"Allow"**
5. **Copy the "Bot User OAuth Token"** (starts with `xoxb-`)
- ⚠️ **Important**: Save this token securely
- Format: `xoxb-1234567890-1234567890123-AbC...WxY`
### 1.5 Verify Tokens
Create a temporary file to store tokens (delete after use):
```bash
# On local workstation (NOT on VPS)
cat > /tmp/slack-tokens.txt <<EOF
Bot Token (xoxb-): xoxb-YOUR-TOKEN-HERE
App Token (xapp-): xapp-YOUR-TOKEN-HERE
EOF
chmod 600 /tmp/slack-tokens.txt
```
**Token Security**:
- These tokens grant full access to your Slack workspace
- Never commit to git
- Never share publicly
- Store in password manager for long-term
- Tokens will be stored in bridge database after authentication
---
## Phase 2: NixOS Configuration
### 2.1 Update Bridge Configuration
Edit `hosts/ops-jrz1.nix`:
```nix
# Enable mautrix-slack bridge
services.mautrix-slack = {
enable = true;
matrix = {
homeserverUrl = "http://127.0.0.1:8008";
serverName = "clarun.xyz";
};
database = {
type = "postgres";
uri = "postgresql:///mautrix_slack?host=/run/postgresql";
};
appservice = {
port = 29319;
};
bridge = {
permissions = {
"clarun.xyz" = "user";
};
};
# Use debug logging for initial deployment
logging = {
level = "debug"; # Change to "info" after successful deployment
};
};
```
**Changes from current config**:
- Removed workspace-specific settings (no longer needed with interactive login)
- Added debug logging
- Simplified configuration
### 2.2 Verify olm-3.2.16 Allowed
Check if production.nix has:
```nix
nixpkgs.config.permittedInsecurePackages = [ "olm-3.2.16" ];
```
**Status**: ✅ Already present in production.nix (commit 0cbbb19)
### 2.3 Deploy Configuration
```bash
# On local workstation
cd /home/dan/proj/ops-jrz1
# Check git status
git status
# Review changes
git diff hosts/ops-jrz1.nix
# Commit changes
git add hosts/ops-jrz1.nix
git commit -m "Enable mautrix-slack bridge for chochacho workspace"
# Deploy to VPS
nixos-rebuild switch --flake .#ops-jrz1 \
--target-host root@45.77.205.49 \
--build-host localhost
# Expected output:
# - Building configuration...
# - Activating configuration...
# - Starting mautrix-slack.service...
```
**Deployment time**: ~2-5 minutes
---
## Phase 3: Service Verification
### 3.1 Check Service Status
```bash
# SSH to VPS
ssh root@45.77.205.49
# Check service running
systemctl status mautrix-slack
# Expected output:
# ● mautrix-slack.service - mautrix-slack
# Loaded: loaded
# Active: active (running)
# Main PID: [number]
# View recent logs
journalctl -u mautrix-slack -n 50
# Expected log entries:
# INFO [Main] mautrix-slack starting
# INFO [Database] Connected to PostgreSQL
# INFO [AppService] Listening on http://127.0.0.1:29319
# INFO [Bridge] Waiting for authentication
```
**If service fails to start**:
- Check logs: `journalctl -u mautrix-slack -n 100 --no-pager`
- Look for common errors:
- Database connection failed → Check PostgreSQL running
- Port already in use → Check nothing else on 29319
- olm error → Verify permittedInsecurePackages set
- Exit code 11 → Likely missing credentials (expected at this stage)
### 3.2 Verify Registration File
```bash
# Check registration file exists
ls -l /var/lib/matrix-appservices/mautrix_slack_registration.yaml
# View contents
cat /var/lib/matrix-appservices/mautrix_slack_registration.yaml
# Expected structure:
# id: slack
# url: http://127.0.0.1:29319
# as_token: [auto-generated]
# hs_token: [auto-generated]
# sender_localpart: slackbot
# namespaces:
# users:
# - regex: "^@slackbot:clarun.xyz$"
# exclusive: true
# - regex: "^@slack_.*:clarun.xyz$"
# exclusive: true
```
### 3.3 Register Appservice with Homeserver
**For conduwuit** (current homeserver):
```bash
# Stop homeserver
systemctl stop matrix-continuwuity
# Add registration to configuration
# Edit: /var/lib/matrix-continuwuity/continuwuity.toml
cat >> /var/lib/matrix-continuwuity/continuwuity.toml <<EOF
[[appservices]]
registration = "/var/lib/matrix-appservices/mautrix_slack_registration.yaml"
EOF
# Restart homeserver
systemctl start matrix-continuwuity
# Verify homeserver loaded appservice
journalctl -u matrix-continuwuity -n 20 | grep -i slack
# Expected: "Loaded appservice: slack"
```
**Alternative**: Update via NixOS configuration if conduwuit module supports appservice registration.
---
## Phase 4: Bridge Authentication
### 4.1 Create Matrix DM with Bridge Bot
1. Open Matrix client (Element Web, Element Desktop, etc.)
2. Log in as admin user
3. Start new Direct Message
4. Enter: `@slackbot:clarun.xyz`
5. Send message: `Hello`
**Expected Response**:
```
Welcome to the Slack bridge.
Use `help` to see available commands.
You are not logged in. Use `login app` to authenticate.
```
**If no response**:
- Check bot user exists: Try to view profile of `@slackbot:clarun.xyz`
- Check appservice registration loaded by homeserver
- Check bridge logs: `journalctl -u mautrix-slack -f`
- Verify homeserver can reach appservice: `curl http://127.0.0.1:29319/_matrix/app/v1/transactions`
### 4.2 Authenticate with Slack
In the DM with `@slackbot:clarun.xyz`:
1. Send command: `login app`
2. Bot prompts: `Please provide bot token (xoxb-...)`
- **Paste your bot token** from Phase 1.5
- Format: `xoxb-1234567890-1234567890123-AbCdEfGhIjKlMnOpQrStUvWxYz`
3. Bot prompts: `Please provide app token (xapp-...)`
- **Paste your app token** from Phase 1.5
- Format: `xapp-1-A0123456789-1234567890123-abc123def456...xyz`
4. **Expected Success Message**:
```
Successfully logged in to Slack workspace: chochacho
Syncing recent conversations (conversation_count: 10)
Creating portals for active channels...
Done. You should receive invitations to bridged rooms shortly.
```
**Authentication logs** (on VPS):
```bash
# Watch logs during authentication
journalctl -u mautrix-slack -f
# Expected log entries:
# INFO [Auth] Received login command
# INFO [Auth] Validating bot token
# INFO [Slack] Connecting to workspace: chochacho
# INFO [Socket] Calling apps.connections.open
# INFO [Socket] WebSocket URL received: wss://wss.slack.com/link/...
# INFO [Socket] Connecting to WebSocket
# INFO [Socket] Connected successfully
# INFO [Socket] Received hello message
# INFO [Portal] Syncing 10 recent conversations
# INFO [Portal] Creating portal for channel: #general (C0123ABC)
# INFO [Portal] Creating portal for channel: #dev-platform (C0456DEF)
```
### 4.3 Verify Socket Mode Connection
```bash
# Check logs for Socket Mode status
journalctl -u mautrix-slack -n 20 | grep -i "socket\|websocket\|connected"
# Expected:
# INFO [Socket] WebSocket connected
# INFO [Socket] Connection state: connected
```
**Health Indicators**:
- `connection_status`: connected
- `last_successful_message`: Updated within last minute
- `error_count`: 0
---
## Phase 5: Testing
### 5.1 Join Bridged Room
1. In Matrix client, check for room invitations
2. You should see invites for Slack channels:
- `#slack_general:clarun.xyz`
- `#slack_dev-platform:clarun.xyz`
- Others based on recent Slack activity
3. **Join** `#slack_dev-platform:clarun.xyz` (or your test channel)
**Expected room state**:
- Room name: "dev-platform (Slack)" or similar
- Room topic: Synced from Slack channel topic
- Members: Bridge bot + ghost users for Slack members
### 5.2 Test Slack → Matrix
1. In Slack app/web, go to **#dev-platform** channel
2. Post test message: `Hello from Slack! Testing bridge.`
3. **Wait** (should appear in Matrix within 5 seconds)
**Expected in Matrix**:
- Message appears in `#slack_dev-platform:clarun.xyz`
- Sender: `@slack_U123ABC:clarun.xyz` (ghost user)
- Display name: Your Slack display name
- Timestamp: Match Slack timestamp
- **Latency**: <5 seconds (FR-001 requirement)
**If message doesn't appear**:
- Check Slack WebSocket connection: `journalctl -u mautrix-slack -f`
- Look for event reception log: `INFO [Message] Relaying message from Slack`
- Verify Matrix homeserver reachable
- Check for errors in bridge logs
### 5.3 Test Matrix → Slack
1. In Matrix client, in `#slack_dev-platform:clarun.xyz`
2. Send test message: `Hello from Matrix! Bridge working.`
3. **Wait** (should appear in Slack within 5 seconds)
**Expected in Slack**:
- Message appears in **#dev-platform**
- Sender: Matrix Bridge bot (or your display name via customization)
- Content: "Your Matrix Name: Hello from Matrix! Bridge working."
- **Latency**: <5 seconds (FR-002 requirement)
**If message doesn't appear**:
- Check bot token valid: Look for Slack API errors
- Verify bot is member of channel
- Check for rate limiting errors
- Look for relay errors in logs
### 5.4 Test Additional Features
**Reactions** (FR-003):
1. In Slack, react to a message with 👍
2. Verify reaction appears in Matrix within 5 seconds
3. In Matrix, react to a message
4. Verify reaction appears in Slack
**File Attachments**:
1. In Slack, upload an image to #dev-platform
2. Verify image appears in Matrix (as Matrix content URI)
3. In Matrix, upload a file
4. Verify file appears in Slack
**Edits**:
1. In Slack, edit a message
2. Verify edit appears in Matrix
3. In Matrix, edit a message
4. Verify edit appears in Slack
**Threading** (if supported):
1. In Slack, reply in a thread
2. Verify thread structure in Matrix
### 5.5 Verify Health Indicators
```bash
# Check bridge health
journalctl -u mautrix-slack -n 50 | grep -E "connection|message|error"
# Health indicators (from SC-003a):
# - connection_status: connected
# - last_successful_message: [recent timestamp]
# - error_count: 0 (or very low)
# Check portal count
sudo -u mautrix_slack psql mautrix_slack -c "SELECT COUNT(*) FROM portal;"
# Expected: Number of synced channels (at least 1)
# Check ghost users
sudo -u mautrix_slack psql mautrix_slack -c "SELECT COUNT(*) FROM puppet;"
# Expected: Number of Slack users in bridged channels
```
---
## Phase 6: Production Readiness
### 6.1 Reduce Logging Level
After successful testing, reduce log verbosity:
Edit `hosts/ops-jrz1.nix`:
```nix
services.mautrix-slack = {
# ... existing config ...
logging = {
level = "info"; # Changed from "debug"
};
};
```
Redeploy:
```bash
nixos-rebuild switch --flake .#ops-jrz1 \
--target-host root@45.77.205.49 \
--build-host localhost
```
### 6.2 Document Deployment
Create worklog entry:
```bash
# On local workstation
cat > docs/worklogs/2025-10-22-slack-bridge-deployment.org <<EOF
* Slack Bridge Deployment - Generation [NUMBER]
** Date: 2025-10-22
** Objective: Deploy mautrix-slack bridge for chochacho workspace
** Steps Taken
1. Created Slack app with app manifest
2. Enabled Socket Mode, generated tokens
3. Updated NixOS configuration
4. Deployed to VPS
5. Authenticated bridge via Matrix chat
6. Tested bidirectional messaging
** Results
- ✅ Service running without errors
- ✅ Socket Mode connection established
- ✅ Messages relay Slack → Matrix within [X] seconds
- ✅ Messages relay Matrix → Slack within [X] seconds
- ✅ Reactions, files, edits working
** Configuration
- Workspace: chochacho
- Bridge port: 29319
- Database: PostgreSQL (mautrix_slack)
- Logging: info level
- Portals created: [NUMBER]
** Known Issues
- None
** Next Steps
- Monitor stability over 7 days
- Add additional channels based on team usage
- Consider enabling encryption for sensitive channels
EOF
git add docs/worklogs/2025-10-22-slack-bridge-deployment.org
git commit -m "Document Slack bridge deployment"
```
### 6.3 Backup Configuration
```bash
# Backup bridge database (optional but recommended)
ssh root@45.77.205.49 'sudo -u postgres pg_dump mautrix_slack' > /tmp/mautrix_slack_backup.sql
# Backup contains:
# - Portal mappings
# - Ghost user profiles
# - Message event mappings
# - Authentication credentials (encrypted in DB)
```
### 6.4 Set Up Monitoring
Add to monitoring system (if available):
```bash
# Service uptime check
systemctl is-active mautrix-slack
# Connection health (look for "connected" in recent logs)
journalctl -u mautrix-slack --since "5 minutes ago" | grep -i "connected"
# Error rate (should be 0 or very low)
journalctl -u mautrix-slack --since "1 hour ago" | grep -c ERROR
```
**Alerting thresholds**:
- Service down for >5 minutes → Page admin
- No messages relayed in >1 hour → Warning
- Error count >10 in 10 minutes → Warning
---
## Phase 7: Gradual Rollout
### 7.1 Week 1-2: Single Channel Validation
**Current state**: Bridge working with 1 test channel
**Actions**:
- Monitor logs daily: `journalctl -u mautrix-slack --since today`
- Test all features: messages, reactions, files, edits
- Document any issues or unexpected behavior
- Gather feedback from test users (2-3 people)
**Success criteria**:
- Zero service crashes
- All messages delivered within 5 seconds
- No user-reported issues
### 7.2 Week 3-4: Multi-Channel Expansion
**After Week 1-2 validation succeeds**:
1. **Invite Slack bot to additional channels**:
```
# In Slack workspace
/invite @Matrix Bridge to #general
/invite @Matrix Bridge to #random
```
2. **Portals auto-create** when bot joins or messages arrive
3. **Invite Matrix users** to new bridged rooms
4. **Monitor performance**:
- Database size: `sudo -u postgres psql mautrix_slack -c '\dt+'`
- Memory usage: `systemctl status mautrix-slack | grep Memory`
- Message count: `SELECT COUNT(*) FROM message;`
**Success criteria**:
- Handle 1000 messages/day per channel (SC-002 requirement)
- 99% uptime over 7 days (SC-004 requirement)
### 7.3 Week 5+: Full Team Adoption
**After multi-channel testing succeeds**:
1. **Announce to team**: Bridge is production-ready
2. **Provide user guide**: How to authenticate, join rooms
3. **Let adoption grow organically**: Portals created on-demand
4. **Monitor health metrics**: Weekly review of logs and performance
**Ongoing maintenance**:
- Weekly log review for errors
- Monthly token rotation (optional, recommended every 90 days)
- Periodic bridge version updates (via nixpkgs-unstable)
---
## Troubleshooting
### Service Won't Start
**Symptom**: `systemctl status mautrix-slack` shows failed
**Checks**:
1. Review logs: `journalctl -u mautrix-slack -n 100`
2. Check database connection: `sudo -u mautrix_slack psql mautrix_slack -c '\conninfo'`
3. Check port availability: `ss -tuln | grep 29319`
4. Verify olm package allowed: `grep permittedInsecurePackages production.nix`
**Common fixes**:
- Database not created → Check dev-services.nix, redeploy
- Port in use → Change appservice.port in config
- Permission error → Check file ownership in /var/lib/mautrix_slack
### Socket Mode Disconnects Frequently
**Symptom**: Logs show repeated disconnects/reconnects
**Checks**:
1. Check rate limiting: Look for "rate limited" in logs
2. Verify token validity: Test tokens in Slack API tester
3. Check network stability: `ping -c 100 wss.slack.com`
**Common causes**:
- Rate limit hit (1 connection/minute) → Automatic recovery, just wait
- Token revoked → Re-authenticate with new tokens
- Network issues → Check VPS network status
### Messages Not Relaying
**Symptom**: Messages sent but don't appear in destination
**Slack → Matrix troubleshooting**:
1. Check Socket Mode connected: `journalctl -u mautrix-slack | grep -i websocket`
2. Look for event reception: `grep "message.channels" logs`
3. Verify portal exists: `psql -c "SELECT * FROM portal WHERE name='dev-platform';"`
4. Check homeserver reachable: `curl http://localhost:8008/_matrix/client/versions`
**Matrix → Slack troubleshooting**:
1. Check bot token valid: Look for auth errors
2. Verify bot in channel: Check Slack channel members
3. Look for rate limit errors: `grep "rate_limit" logs`
4. Test Slack API manually: `curl -H "Authorization: Bearer xoxb-..." https://slack.com/api/chat.postMessage ...`
### Exit Code 11 (SIGSEGV)
**Symptom**: Service crashes with exit code 11
**Likely causes** (from research.md):
1. Missing credentials (most common at initial deployment)
2. Incomplete configuration
3. Security hardening conflicts
**Fixes**:
1. Enable debug logging
2. Temporarily disable systemd hardening:
```nix
# In mautrix-slack.nix service config
# Comment out: NoNewPrivileges, ProtectSystem, etc.
```
3. Check for nil pointer dereference in logs
4. Verify all required config fields present
---
## Reference Information
### Useful Commands
```bash
# Service management
systemctl status mautrix-slack
systemctl restart mautrix-slack
systemctl stop mautrix-slack
# View logs
journalctl -u mautrix-slack -f # Follow logs
journalctl -u mautrix-slack -n 100 # Last 100 lines
journalctl -u mautrix-slack --since "1 hour ago" # Last hour
journalctl -u mautrix-slack --since today # Today's logs
# Database queries
sudo -u mautrix_slack psql mautrix_slack -c "SELECT * FROM portal;"
sudo -u mautrix_slack psql mautrix_slack -c "SELECT * FROM puppet LIMIT 10;"
sudo -u mautrix_slack psql mautrix_slack -c "SELECT COUNT(*) FROM message;"
# Configuration files
/var/lib/mautrix_slack/config/config.yaml # Generated config
/var/lib/matrix-appservices/mautrix_slack_registration.yaml # Appservice registration
/nix/store/.../modules/mautrix-slack.nix # NixOS module
# Check service resources
systemctl status mautrix-slack | grep -E "Memory|CPU"
ps aux | grep mautrix-slack
```
### Key Endpoints
| Service | Endpoint | Purpose |
|---------|----------|---------|
| Bridge | http://127.0.0.1:29319 | Appservice HTTP server |
| Homeserver | http://127.0.0.1:8008 | Matrix client-server API |
| Database | /run/postgresql | PostgreSQL Unix socket |
| Slack WebSocket | wss://wss.slack.com/link/ | Socket Mode connection |
### Important File Locations
| Path | Contents | Owner |
|------|----------|-------|
| /var/lib/mautrix_slack/config/ | Generated config.yaml | mautrix_slack |
| /var/lib/mautrix_slack/mautrix_slack.db | SQLite DB (if not using PostgreSQL) | mautrix_slack |
| /var/lib/matrix-appservices/ | Appservice registration files | matrix-appservices |
| /run/secrets/ | Decrypted sops-nix secrets | root/service user |
### Success Criteria Checklist
From spec.md:
- [ ] **SC-001**: Bridge relays messages bidirectionally
- [ ] **SC-002**: Handle 1000 messages/day per channel
- [ ] **SC-003**: Reactions sync correctly in both directions
- [ ] **SC-003a**: Health indicators logged (connection status, last message timestamp, error count)
- [ ] **SC-004**: 99% uptime over 7-day observation period
- [ ] **SC-005**: File attachments <10MB sync successfully
- [ ] **SC-006**: Documentation exists (this quickstart!)
---
## Next Steps
After successful deployment:
1. **Run `/speckit.tasks`** to generate detailed implementation task breakdown
2. **Begin monitoring** for 7-day stability period
3. **Gather user feedback** from test users
4. **Plan expansion** to additional channels based on team usage
5. **Document lessons learned** in worklog
---
## Support Resources
- **mautrix-slack docs**: https://docs.mau.fi/bridges/go/slack/
- **Matrix room**: #slack:maunium.net
- **Slack API**: https://api.slack.com/
- **Project spec**: /home/dan/proj/ops-jrz1/specs/002-slack-bridge-integration/spec.md
- **Implementation plan**: /home/dan/proj/ops-jrz1/specs/002-slack-bridge-integration/plan.md
---
**Document Version**: 1.0
**Last Updated**: 2025-10-22
**Tested On**: NixOS 24.05, mautrix-slack (nixpkgs-unstable)
**Status**: Ready for deployment

571
specs/002-slack-bridge-integration/research.md Normal file
View file

@ -0,0 +1,571 @@
# Phase 0: Research Technical Foundations
**Feature**: 002-slack-bridge-integration
**Research Date**: 2025-10-22
**Status**: Complete
## Executive Summary
This document consolidates research on five critical technical areas for implementing the Slack↔Matrix bridge using mautrix-slack with Socket Mode on NixOS.
**Key Decisions**:
- ✅ Use Socket Mode (WebSocket) - no public endpoint needed
- ✅ Use App Login (official OAuth) for production stability
- ✅ Require 29 bot scopes + 1 app-level scope (`connections:write`)
- ✅ Use sops-nix flat key structure for Slack credentials
- ✅ Use automatic portal creation (no manual channel mapping)
- ✅ Leverage existing NixOS module, add secrets integration
---
## 1. Slack Socket Mode
### What is Socket Mode?
Socket Mode is Slack's **WebSocket-based protocol** (RFC 6455) that enables real-time event delivery without requiring a public HTTP endpoint.
**Connection Architecture**:
1. Application calls `apps.connections.open` API with app-level token (xapp-)
2. Slack responds with unique WebSocket URL: `wss://wss.slack.com/link/?ticket=...`
3. Application receives events over WebSocket (Events API, interactivity)
4. Application sends responses via standard Web API (HTTPS)
**Key Characteristics**:
- No public endpoint required (ideal for behind-firewall deployments)
- WebSocket URLs rotate dynamically (not static)
- Up to 10 concurrent connections allowed
- Events may be distributed across connections
- Rate limit: **1 WebSocket URL fetch per minute** (critical for reconnection)
### Token Requirements
**Two tokens required**:
| Token Type | Format | Purpose | Scope Required |
|------------|--------|---------|----------------|
| App-Level Token | `xapp-...` | Establish WebSocket connection | `connections:write` |
| Bot Token | `xoxb-...` | Perform API operations | 29+ bot scopes |
**Authentication Flow**:
1. Open Matrix DM with bridge bot (`@slackbot:clarun.xyz`)
2. Send command: `login app`
3. Provide both tokens when prompted
4. Bridge stores credentials in database, establishes Socket Mode connection
### Limitations and Trade-offs
**Technical Constraints**:
- WebSocket connections refresh every few hours (automatic reconnection)
- Backend container recycling causes occasional disconnects
- Rate-limited reconnections (1 request/minute maximum)
- Long-lived stateful connections (challenging to scale horizontally)
**Production Considerations**:
- ❌ Cannot publish to Slack Marketplace (HTTP required)
- ⚠️ Slack recommends HTTP for highest reliability
- ✅ Socket Mode recommended for: development, local testing, behind-firewall environments
**Why Socket Mode for ops-jrz1**:
1. VPS is private infrastructure (no public webhook complexity)
2. Small team use case (2-5 engineers, moderate message volume)
3. Security model favors minimal external exposure
4. Trade-off of slightly lower reliability is acceptable for non-critical team comms
### References
- [Socket Mode overview](https://docs.slack.dev/apis/events-api/using-socket-mode)
- [HTTP vs Socket Mode comparison](https://docs.slack.dev/apis/events-api/comparing-http-socket-mode)
- [mautrix-slack authentication](https://docs.mau.fi/bridges/go/slack/authentication.html)
---
## 2. Slack API Scopes
### Required Bot Token Scopes (29 total)
From [mautrix-slack app manifest](https://github.com/mautrix/slack/blob/main/app-manifest.yaml):
**Message Operations**:
- `chat:write` - Send messages as bot
- `chat:write.public` - Send to public channels without membership
- `chat:write.customize` - Customize bot username/avatar (for ghosting)
**Channel Access** (public channels):
- `channels:read`, `channels:history` - List and view messages
- `channels:write.invites`, `channels:write.topic` - Manage channels
**Private Channels** (groups):
- `groups:read`, `groups:history`, `groups:write`
- `groups:write.invites`, `groups:write.topic`
**Direct Messages**:
- `im:read`, `im:history`, `im:write`, `im:write.topic`
- `mpim:read`, `mpim:history`, `mpim:write`, `mpim:write.topic` (group DMs)
**User & Workspace**:
- `users:read`, `users.profile:read`, `users:read.email`
- `team:read`
**Rich Content**:
- `files:read`, `files:write`
- `reactions:read`, `reactions:write`
- `pins:read`, `pins:write`
- `emoji:read`
### Required App-Level Token Scopes (1 total)
- `connections:write` - Establish Socket Mode WebSocket connections
### Event Subscriptions (46 events)
The bridge subscribes to events including:
- Workspace: `app_uninstalled`, `team_domain_change`
- Channels: `channel_archive`, `channel_created`, `channel_deleted`, `channel_rename`, etc.
- Messages: `message.channels`, `message.groups`, `message.im`, `message.mpim`
- Interactions: `reaction_added`, `reaction_removed`, `pin_added`, `file_shared`, etc.
### Security Best Practices
**Principle of Least Privilege**:
- Use all 29 scopes from mautrix-slack manifest (required for full functionality)
- Consider removing `conversations.connect:write` if not using Slack Connect
**Token Storage**:
- ✅ Production: Use sops-nix encrypted secrets
- ✅ Never commit tokens to version control
- ✅ Use 0440 permissions (service user only)
**Monitoring**:
- Enable IP allowlisting for token usage (Slack API feature)
- Monitor token usage via Slack app management dashboard
- Log all API calls for audit purposes
### References
- [Permission Scopes Reference](https://api.slack.com/scopes)
- [mautrix-slack app manifest](https://github.com/mautrix/slack/blob/main/app-manifest.yaml)
---
## 3. mautrix-slack Configuration
### Current Module Structure
**Location**: `/home/dan/proj/ops-jrz1/modules/mautrix-slack.nix`
**Configuration Generation** (two-stage):
1. **Root stage**: Creates directory structure (`/var/lib/mautrix_slack/config`)
2. **User stage**: Generates config from example template using `-e` flag, merges overrides
**Module Architecture**:
```nix
# Key configuration sections exposed:
matrix = {
homeserverUrl = "http://127.0.0.1:8008";
serverName = "clarun.xyz";
};
database = {
type = "postgres";
uri = "postgresql:///mautrix_slack?host=/run/postgresql";
maxOpenConnections = 32;
maxIdleConnections = 4;
};
appservice = {
hostname = "127.0.0.1";
port = 29319;
id = "slack";
senderLocalpart = "slackbot";
userPrefix = "slack_";
};
bridge = {
commandPrefix = "!slack";
permissions = { "clarun.xyz" = "user"; };
};
encryption = {
enable = true; # Allow E2EE
default = false; # Don't enable by default
};
logging.level = "info";
```
**Missing from Module Options**:
- Slack-specific configuration (workspace, tokens)
- Socket Mode settings (bot token, app token injection)
- Channel mapping configuration
**Current Issue**: Module configured for "delpadtech" workspace, exits with code 11.
### Socket Mode Configuration Requirements
Based on mautrix patterns, Socket Mode credentials are likely configured via:
**Option A: Interactive login** (current mautrix-slack approach)
- No config needed initially
- Bridge prompts for tokens via Matrix chat
- Stores in database after first login
**Option B: Declarative config** (would require module enhancement)
```yaml
slack:
bot_token: "${BOT_TOKEN}" # From environment or secrets
app_token: "${APP_TOKEN}" # From environment or secrets
```
**Decision**: Use **interactive login** approach (Option A) to avoid module modifications. Tokens provided via `login app` command in Matrix.
### Database Configuration
**Current Setup** (working correctly):
```nix
database = {
type = "postgres";
uri = "postgresql:///mautrix_slack?host=/run/postgresql";
};
```
**Provisioning** (from `modules/dev-services.nix`):
```nix
services.postgresql = {
ensureDatabases = [ "mautrix_slack" ];
ensureUsers = [{
name = "mautrix_slack";
ensureDBOwnership = true;
}];
};
```
✅ No database configuration issues detected.
### Matrix Homeserver Integration
**Appservice Registration**:
- Generated at: `/var/lib/matrix-appservices/mautrix_slack_registration.yaml`
- Contains: `id`, `url`, `as_token`, `hs_token`, `namespaces`
**Missing Step**: Registration file must be loaded into conduwuit homeserver.
**Required Action**: Add to Matrix server configuration:
```toml
[[appservices]]
registration = "/var/lib/matrix-appservices/mautrix_slack_registration.yaml"
```
### Exit Code 11 Root Cause Analysis
**Exit Code 11 = SIGSEGV** (Segmentation Fault)
**Most likely causes** (ranked by probability):
1. **Missing Slack credentials** (95% likely)
- Module generates config without tokens
- Bridge crashes trying to connect with invalid/missing credentials
2. **Incomplete configuration** (80% likely)
- Example config has required fields not set
- Bridge code doesn't validate, crashes on access
3. **olm-3.2.16 library issues** (40% likely)
- Insecure package error requires `permittedInsecurePackages` allowance
- Already addressed in production config (commit 0cbbb19)
4. **SystemD security restrictions** (20% likely)
- Security hardening can cause segfaults with Go binaries
- May need temporary relaxation (as done for mautrix-gmessages)
**Validation Steps**:
1. Enable debug logging: `logging.level = "debug"`
2. Check logs: `journalctl -u mautrix-slack -n 100`
3. Temporarily disable security hardening
4. Verify database connectivity
5. Test with minimal config (no credentials - should fail gracefully)
### References
- [mautrix-slack GitHub](https://github.com/mautrix/slack)
- [mautrix docs](https://docs.mau.fi/bridges/go/slack/)
- Project file: `/home/dan/proj/ops-jrz1/modules/mautrix-slack.nix`
---
## 4. sops-nix Secrets Management
### Current Secrets Infrastructure
**Encryption**: Age encryption via SSH host key conversion
**File**: `/home/dan/proj/ops-jrz1/secrets/secrets.yaml`
```yaml
matrix-registration-token: "..."
acme-email: "dlei@duck.com"
slack-oauth-token: "" # Placeholder (empty)
slack-app-token: "" # Placeholder (empty)
```
**Age Configuration** (`.sops.yaml`):
```yaml
keys:
- &vultr_vps age1vuxcwvdvzl2u7w6kudqvnnf45czrnhwv9aevjq9hyjjpa409jvkqhkz32q
- &admin age18ue40q4fw8uggdlfag7jf5nrawvfvsnv93nurschhuynus200yjsd775v3
creation_rules:
- path_regex: secrets/secrets\.yaml$
key_groups:
- age:
- *vultr_vps # VPS can decrypt via /etc/ssh/ssh_host_ed25519_key
- *admin # Admin workstation can decrypt/edit
```
**Status**: ✅ Working correctly in production (Generation 31, deployed 2025-10-22)
### Secret Lifecycle
```
System Boot
sops-nix activation script runs
Reads /etc/ssh/ssh_host_ed25519_key
Converts to age key (age1vux...)
Decrypts secrets/secrets.yaml
Extracts individual keys
Writes to /run/secrets/<key-name>
Sets ownership and permissions
Services start (can now read secrets)
```
### Pattern for Slack Tokens
**Step 1: Update secrets.yaml**
```yaml
slack-oauth-token: "xoxb-YOUR-ACTUAL-TOKEN"
slack-app-token: "xapp-YOUR-ACTUAL-TOKEN"
```
Encrypt with: `sops secrets/secrets.yaml`
**Step 2: Declare in hosts/ops-jrz1.nix**
```nix
sops.secrets.slack-oauth-token = {
owner = "mautrix_slack";
group = "mautrix_slack";
mode = "0440";
};
sops.secrets.slack-app-token = {
owner = "mautrix_slack";
group = "mautrix_slack";
mode = "0440";
};
```
**Step 3: Reference in Service** (two patterns)
**Pattern A: LoadCredential** (systemd credentials)
```nix
systemd.services.mautrix-slack.serviceConfig = {
LoadCredential = [
"slack-oauth-token:/run/secrets/slack-oauth-token"
"slack-app-token:/run/secrets/slack-app-token"
];
};
# Service reads from: ${CREDENTIALS_DIRECTORY}/slack-oauth-token
```
**Pattern B: Direct file reference**
```nix
services.mautrix-slack = {
oauthTokenFile = "/run/secrets/slack-oauth-token";
appTokenFile = "/run/secrets/slack-app-token";
};
```
**Decision**: Use **interactive login approach** - tokens provided via Matrix chat, not config files. Secrets will be stored in bridge database, not referenced in NixOS config. This simplifies deployment and matches mautrix-slack's intended workflow.
### File Permissions Best Practices
```
-r--r----- (0440): Service-specific secrets (only service user + group can read)
-r--r--r-- (0444): Broadly readable secrets (e.g., email addresses)
-r-------- (0400): Root-only secrets (maximum security)
```
**Security guarantees**:
- ✅ Secrets never in Nix store (world-readable)
- ✅ Secrets only in `/run/secrets/` (tmpfs, RAM-only)
- ✅ Secrets cleared on reboot
- ✅ Encrypted at rest in git (safe to commit secrets.yaml)
### References
- [sops-nix GitHub](https://github.com/Mic92/sops-nix)
- [Michael Stapelberg's Blog](https://michael.stapelberg.ch/posts/2025-08-24-nixos-sops-nix/) (2025-08-24)
- Project file: `/home/dan/proj/ops-jrz1/secrets/secrets.yaml`
---
## 5. Channel Bridging Patterns
### How Channel Mapping Works
mautrix-slack uses **automatic portal creation** rather than manual channel mapping:
**Portal Creation Triggers**:
1. **Initial login**: Bridge creates portals for recent conversations (controlled by `conversation_count`)
2. **Receiving messages**: Portal auto-created when message arrives in new channel
3. **Bot membership**: Channels where Slack bot is invited are automatically bridged
**Portal Types Supported**:
- Public/private channels (including Slack Connect channels)
- Group DMs (multi-party direct messages)
- 1:1 Direct messages
**Shared Portals**: Multiple Matrix users can interact with the same Slack channel through a shared Matrix room.
### Configuration vs Runtime Management
**Configuration-based** (`conversation_count` in config.yaml):
- Controls how many recent conversations sync on initial login
- Only affects initial synchronization
- Separate settings for channels, group DMs, direct messages
**Runtime Management** (automatic):
- No manual channel mapping required
- Portal creation happens dynamically
- No explicit `open <channel-id>` command needed
- To interact with a new channel, simply send/receive a message in Slack
**Bot Commands** (via Matrix DM with `@slackbot:clarun.xyz`):
- `help` - Display available commands
- `login app` - Authenticate with Slack app credentials
- `login token <token> <cookie>` - Authenticate with user account (unofficial)
### Adding/Removing Channels
**Adding Channels**: ✅ **Runtime (no restart)**
- Receive a message in the channel → portal auto-created
- Invite Slack bot to channel (app login mode) → portal auto-created
**Removing Channels**: ⚠️ **Not explicitly documented**
- Likely has `delete-portal` command (based on other mautrix bridges)
- Would be sent from within the Matrix portal room
**Modifying Configuration**:
- Changes to `conversation_count` require bridge restart
- However, setting only affects initial sync, not ongoing operation
### Archived Channel Handling
⚠️ **Not explicitly documented**
Expected behavior:
- Matrix portal remains but becomes inactive
- No new messages flow (Slack channel is read-only)
- Historical messages remain accessible
**Recommendation**: Test this scenario in pilot deployment to document actual behavior.
### Gradual Rollout Strategy
**Phase 1: Single Test Channel** (Week 1-2)
- Set `conversation_count` low (5-10)
- Start with one channel: `#dev-platform` or `#test`
- Verify automatic portal creation, bidirectional messaging, reactions, files
**Phase 2: Small User Group** (Week 3-4)
- 3-5 team members authenticate
- Test shared portal functionality
- Monitor performance and reliability
**Phase 3: Organic Expansion** (Week 5+)
- Don't pre-configure channel lists
- Let automatic portal creation handle it based on usage
- Users get portals only for channels they actively use
**Configuration Strategy**:
```yaml
bridge:
conversation_count: 10 # Start small, expand organically
```
**Advantages**:
- No manual channel mapping to maintain
- Scales naturally with usage
- Easy to expand without configuration changes
- Users only see channels they interact with
### Key Limitations
⚠️ No traditional message backfill (history before bridge setup)
⚠️ Name changes not fully supported
⚠️ Being added to conversations only partially supported
⚠️ No documented manual `open <channel-id>` command
### References
- [mautrix-slack docs](https://docs.mau.fi/bridges/go/slack/)
- [ROADMAP.md](https://github.com/mautrix/slack/blob/main/ROADMAP.md)
- Support room: #slack:maunium.net
---
## 6. Implementation Decisions
### Critical Path Decisions
| Decision Point | Choice | Rationale |
|----------------|--------|-----------|
| **Connection Method** | Socket Mode (WebSocket) | No public endpoint needed, matches security model |
| **Authentication** | App Login (official OAuth) | Production stability, clear audit trail |
| **Token Management** | Interactive login via Matrix | Matches mautrix-slack workflow, simplifies config |
| **Secrets Storage** | sops-nix (existing pattern) | Already working in production (Gen 31) |
| **Channel Bridging** | Automatic portal creation | No manual mapping, scales with usage |
| **Initial Scope** | Single test channel | Validate before expanding |
| **Workspace** | chochacho (production) | Real workspace with admin rights |
### Risks and Mitigations
| Risk | Probability | Impact | Mitigation |
|------|-------------|--------|------------|
| Exit code 11 continues | High | High | Debug logging, relax systemd hardening, validate credentials |
| Socket Mode disconnects | Medium | Low | Automatic reconnection, monitor health indicators |
| Token expiration | Low | Medium | Clear error messages, documented re-authentication |
| Performance issues | Low | Medium | Start with 1 channel, monitor before expanding |
| Slack API rate limits | Low | Low | Respect rate limits, implement backoff |
### Open Questions for Implementation
1. **Exact cause of exit code 11**: Requires deployment with debug logging
2. **Matrix appservice registration**: Need to integrate with conduwuit config
3. **Actual `conversation_count` value**: Determine optimal setting for initial sync
4. **Archived channel behavior**: Document through testing
5. **Permission mapping**: Slack roles → Matrix power levels (verify in practice)
---
## 7. Next Steps
**Immediate** (Phase 1):
1. ✅ Create `data-model.md` (entities, relationships, state machines)
2. ✅ Create `contracts/bridge-config.yaml` (configuration schema)
3. ✅ Create `contracts/secrets-schema.yaml` (secrets structure)
4. ✅ Create `contracts/channel-mapping.yaml` (portal configuration)
5. ✅ Create `quickstart.md` (deployment runbook)
6. ✅ Update `.claude/CLAUDE.md` (agent context)
**Then** (Phase 2):
- Run `/speckit.tasks` to generate implementation task breakdown
- Begin actual implementation based on plan.md
---
## Document History
- **2025-10-22**: Initial research completed (5 research agents)
- **Phase 0 Status**: ✅ Complete
- **Next Phase**: Phase 1 (Design)

264
specs/002-slack-bridge-integration/spec.md Normal file
View file

@ -0,0 +1,264 @@
# Feature Specification: Matrix-Slack Bridge Integration
**Feature Branch**: `002-slack-bridge-integration`
**Created**: 2025-10-22
**Status**: Draft
**Input**: User description: "Matrix-Slack bridge integration for bidirectional communication between Matrix homeserver and Slack workspace (chochacho), enabling unified team communication"
## Clarifications
### Session 2025-10-22
- Q: Initial Channel Bridge Configuration → A: Start with one test channel (e.g., #dev-platform or #test), expand after validation
- Q: Bridge Health Monitoring → A: Basic health indicators (connection status, last message timestamp, error count) logged to journal
## User Scenarios & Testing *(mandatory)*
### User Story 1 - Slack to Matrix Message Delivery (Priority: P1)
A team member sends a message in a Slack channel and it appears automatically in the corresponding Matrix room, allowing Matrix users to participate in the conversation seamlessly.
**Why this priority**: This is the core value proposition - establishing the communication bridge. Without this, the feature has no functionality. This validates that the bridge infrastructure is working correctly.
**Independent Test**: Can be fully tested by sending a test message in Slack and verifying it appears in Matrix, delivering immediate value as a read-only Slack viewer via Matrix.
**Acceptance Scenarios**:
1. **Given** bridge is configured for #general Slack channel, **When** user posts "Hello from Slack" in #general, **Then** message appears in bridged Matrix room within 5 seconds with original sender name
2. **Given** bridge is running and healthy, **When** user posts message with emoji reactions in Slack, **Then** message appears in Matrix with emoji preserved
3. **Given** bridge is configured, **When** user posts multi-line message in Slack, **Then** message formatting is preserved in Matrix (line breaks, lists)
4. **Given** bridge is operational, **When** user uploads file in Slack channel, **Then** file link appears in Matrix room
---
### User Story 2 - Matrix to Slack Message Delivery (Priority: P1)
A team member sends a message in Matrix room and it appears automatically in the corresponding Slack channel, enabling full bidirectional communication.
**Why this priority**: Completes the bidirectional flow, making this a true communication bridge rather than just a viewer. Essential for collaborative work.
**Independent Test**: Can be tested by sending a test message from Matrix and verifying it appears in Slack, proving full two-way communication works.
**Acceptance Scenarios**:
1. **Given** bridge is configured for bidirectional sync, **When** Matrix user posts "Hello from Matrix" in bridged room, **Then** message appears in Slack channel within 5 seconds with Matrix username
2. **Given** bridge supports rich formatting, **When** Matrix user posts message with markdown formatting, **Then** message appears in Slack with formatting converted appropriately
3. **Given** bridge handles mentions, **When** Matrix user mentions another user, **Then** mention is translated to Slack @username notation
4. **Given** bridge is operational, **When** Matrix user posts message with attachment, **Then** attachment link appears in Slack channel
---
### User Story 3 - Bridge Service Reliability (Priority: P2)
The bridge service starts automatically on server boot, recovers from connection failures, and continues operation without manual intervention.
**Why this priority**: Critical for production use but can be validated after basic messaging works. Prevents the bridge from being a maintenance burden.
**Independent Test**: Can be tested by rebooting the server and verifying bridge auto-starts and resumes messaging, or by simulating network failures.
**Acceptance Scenarios**:
1. **Given** server reboots, **When** system comes back online, **Then** bridge service starts automatically within 2 minutes and begins relaying messages
2. **Given** Slack API experiences temporary outage, **When** connectivity is restored, **Then** bridge reconnects automatically without message loss
3. **Given** Matrix homeserver restarts, **When** homeserver is available again, **Then** bridge re-establishes connection and resumes operation
4. **Given** bridge encounters configuration error, **When** error is logged, **Then** service reports clear diagnostic information for troubleshooting
---
### User Story 4 - Bridge Configuration Management (Priority: P3)
Platform administrators can configure which Slack channels are bridged to Matrix rooms through declarative configuration, without writing code or restarting services manually. Initial deployment starts with one test channel to validate the bridge mechanism before expanding to additional channels.
**Why this priority**: Important for managing the bridge long-term, but basic functionality can work with hardcoded configuration initially. Can be iterated after P1-P2 are working. Starting with a single test channel minimizes risk and provides clear validation before broader rollout.
**Independent Test**: Can be tested by adding a new channel to configuration and verifying it bridges correctly after configuration reload.
**Acceptance Scenarios**:
1. **Given** administrator wants to bridge new channel, **When** channel mapping is added to configuration file, **Then** new bridge is established after configuration update
2. **Given** channel is no longer needed, **When** channel mapping is removed from configuration, **Then** bridge stops relaying messages for that channel
3. **Given** multiple channels configured, **When** administrator views configuration, **Then** all active bridges are clearly listed with their mappings
4. **Given** configuration contains error, **When** configuration is applied, **Then** clear error message explains what needs to be fixed
---
### Edge Cases
- What happens when Slack workspace is temporarily unavailable? (Bridge should queue messages and deliver when available, or report unavailability to Matrix users)
- How does system handle rate limits from Slack API? (Bridge should throttle requests and queue messages to stay within limits)
- What happens when bridge tries to relay message too large for target platform? (Message should be truncated with indication, or split into multiple messages)
- How does bridge handle Slack threads? (Thread context should be preserved or indicated in Matrix, possibly with reply chain)
- What happens when user edits or deletes message in Slack? (Edited messages should sync to Matrix if supported, deletions should be reflected)
- How does bridge handle authentication token expiry? (Bridge should detect expiry and report error clearly, requiring reauthorization)
- What happens when two users have same display name? (Bridge should disambiguate with user IDs or workspace indicators)
## Requirements *(mandatory)*
### Functional Requirements
- **FR-001**: Bridge MUST relay messages from Slack to Matrix within 5 seconds of posting
- **FR-002**: Bridge MUST relay messages from Matrix to Slack within 5 seconds of posting
- **FR-003**: Bridge MUST preserve message sender identity (username/display name)
- **FR-004**: Bridge MUST operate using Socket Mode for reliable real-time messaging
- **FR-005**: Bridge MUST authenticate to Slack using bot token and app token
- **FR-006**: Bridge MUST register with Matrix homeserver as application service
- **FR-007**: Bridge MUST store credentials securely using sops-nix encrypted secrets
- **FR-008**: Bridge MUST use PostgreSQL database for storing bridge state and mappings
- **FR-009**: Bridge MUST connect to chochacho Slack workspace
- **FR-009a**: Initial deployment MUST bridge one designated test channel (e.g., #dev-platform or #test) for validation
- **FR-010**: Bridge MUST start automatically on system boot as systemd service
- **FR-011**: Bridge MUST log all operations to system journal for debugging
- **FR-011a**: Bridge MUST log health indicators including connection status, last successful message timestamp, and error counts
- **FR-012**: Bridge MUST map Slack users to Matrix ghost users (puppeting)
- **FR-013**: Bridge MUST handle connection failures gracefully with automatic retry
- **FR-014**: Bridge MUST respect Slack API rate limits to avoid service disruption
- **FR-015**: System MUST support reauthorization of Slack bot when scopes change
### Key Entities
- **Slack Channel**: Represents a conversation space in Slack workspace, identified by channel ID, contains messages and participants
- **Matrix Room**: Represents a conversation space in Matrix homeserver, identified by room ID, contains events and members
- **Channel Bridge Mapping**: Links a Slack channel to a Matrix room, defines bidirectional sync relationship
- **Ghost User**: Matrix user representation of Slack user, allows messages to appear from original sender in Matrix
- **Bridge State**: Persistent connection and sync status information, includes last message timestamps and error states
- **Credentials**: Slack bot token, app token, and Matrix app service tokens required for authentication
## Success Criteria *(mandatory)*
### Measurable Outcomes
- **SC-001**: Engineers can send message in Slack and see it appear in Matrix within 5 seconds
- **SC-002**: Engineers can send message in Matrix and see it appear in Slack within 5 seconds
- **SC-003**: Bridge maintains 99% uptime over 7-day period after deployment
- **SC-003a**: Bridge health status (connected/disconnected, last message time, error count) is visible in system logs
- **SC-004**: Bridge automatically recovers from network failures without manual intervention
- **SC-005**: Bridge setup and configuration is documented clearly enough for another engineer to replicate
- **SC-006**: Platform administrators can add new channel bridge in under 10 minutes
- **SC-007**: Zero message loss during normal operation (messages always delivered or error reported)
- **SC-008**: Bridge remains operational after server reboot without manual restart
## Assumptions
- Slack workspace (chochacho) administrators will grant necessary permissions for bot installation
- Existing Slack bot can be reauthorized with updated scopes and Socket Mode enabled
- Network connectivity between VPS and Slack API is reliable (>99% uptime)
- Matrix homeserver (clarun.xyz) is operational and accessible on localhost
- PostgreSQL database is available for bridge state storage
- Secrets management via sops-nix is already configured and working
- Engineers primarily communicate in Slack and will continue doing so
- Initial deployment bridges one test channel for validation before expanding
- Number of bridged channels will be small initially (< 10 channels after validation)
- Message volume is moderate (< 1000 messages/day per channel)
- No need for historical message import (bridge starts fresh from activation time)
## Scope
### In Scope
- Bidirectional message relay between Slack and Matrix
- Bot token authentication with Socket Mode
- Single Slack workspace (chochacho) integration
- Declarative channel bridge configuration via NixOS
- Automatic service startup and recovery
- Secure credential storage with sops-nix
- Basic message formatting preservation
- User identity preservation via ghost users
### Out of Scope
- Historical message import/migration
- WhatsApp bridge integration (future feature)
- Google Messages bridge integration (future feature)
- Multi-workspace Slack support
- Advanced Slack features (workflows, slash commands, custom integrations)
- Matrix E2E encryption for bridged rooms
- Message editing/deletion sync (nice-to-have, not MVP)
- Thread conversation preservation (nice-to-have, not MVP)
- Reaction sync between platforms (nice-to-have, not MVP)
- File upload sync (links only, not full upload mirroring)
- Voice/video call bridging
## Dependencies
### Technical Dependencies
- Matrix homeserver (conduwuit) operational on clarun.xyz:8008
- PostgreSQL 15.10 available for bridge database
- sops-nix secrets management configured with VPS age key
- NixOS module system for declarative service configuration
- mautrix-slack package available in nixpkgs-unstable
### External Dependencies
- Slack workspace (chochacho) administrator access
- Slack bot reauthorization with required scopes
- Socket Mode enabled for Slack app
- Slack API availability and rate limits
- Network connectivity to Slack API endpoints
### Process Dependencies
- Manager approval for Slack bot reauthorization
- Secrets (bot token, app token) obtained from Slack
- Matrix appservice registration completed
- Platform vision documentation (docs/platform-vision.md) approved
- Deployment pattern established (NixOS module approach)
## Notes
### Context from Platform Vision
This feature represents **Milestone 1** of the ops-jrz1 platform vision: "Working Slack Bridge". Success here validates the core communication architecture and unblocks team onboarding.
Reference: `docs/platform-vision.md` sections:
- Communication Layer principles
- Presentable MVP definition
- Phase 1 timeline
### Existing Infrastructure
- mautrix-slack NixOS module exists: `modules/mautrix-slack.nix`
- Module currently configured for "delpadtech" workspace (needs update to "chochacho")
- Service exits with code 11 (likely missing configuration or credentials)
- PostgreSQL database setup already configured in dev-services.nix
- Secrets management pattern established with Matrix registration token
### Known Issues
- Current exit code 11 suggests missing Slack credentials or configuration
- Workspace name needs update: delpadtech → chochacho
- Socket Mode not yet configured in Slack app
- Bot scopes may need adjustment for mautrix-slack requirements
### Security Considerations
- Bot token and app token MUST be stored in encrypted secrets.yaml
- Tokens MUST NOT appear in configuration files or logs
- Bridge service runs as dedicated user (mautrix_slack) with limited permissions
- Database access restricted to bridge user only
- No public endpoints exposed (bridge connects outbound to Slack API)
### Testing Strategy
- Manual testing sufficient for MVP (automated tests future enhancement)
- Initial deployment validates bridge with single test channel (#dev-platform or #test)
- Test each user story independently as implemented
- Use test messages in Slack and Matrix to verify relay
- Simulate failures (network disconnect, service restart) to test recovery
- Monitor logs for errors and performance issues using basic health indicators (connection status, message timestamps, error counts)
- Validate secrets are never logged or exposed
- Verify health indicators appear in system journal during normal operation and failure scenarios
### Future Enhancements
These are explicitly out of scope for MVP but worth documenting for iteration:
- Message editing/deletion sync
- Thread preservation
- Emoji reaction sync
- Advanced Slack integrations (slash commands, workflows)
- Multi-workspace support
- Historical message import
- Advanced metrics dashboard (Prometheus, Grafana integration)
- Automated health checks and alerting beyond basic logging
- Message throughput and latency histograms

273
specs/002-slack-bridge-integration/tasks.md Normal file
View file

@ -0,0 +1,273 @@
# Tasks: Matrix-Slack Bridge Integration
**Input**: Design documents from `/specs/002-slack-bridge-integration/`
**Prerequisites**: plan.md, spec.md, research.md, data-model.md, contracts/, quickstart.md
**Tests**: Manual integration testing only (no automated test tasks per spec.md testing strategy)
**Organization**: Tasks are grouped by user story to enable independent implementation and testing of each story.
## Format: `[ID] [P?] [Story] Description`
- **[P]**: Can run in parallel (different files, no dependencies)
- **[Story]**: Which user story this task belongs to (e.g., US1, US2, US3, US4)
- Include exact file paths in descriptions
## Path Conventions
- Infrastructure configuration project (NixOS modules)
- Primary files: `modules/mautrix-slack.nix`, `hosts/ops-jrz1.nix`, `secrets/secrets.yaml`
- Documentation: `docs/worklogs/*.org`
---
## Phase 1: Setup (Shared Infrastructure)
**Purpose**: Slack app configuration and secrets preparation (external prerequisites)
- [ ] T001 Create Slack app using mautrix-slack app manifest from https://github.com/mautrix/slack/blob/main/app-manifest.yaml
- [ ] T002 Enable Socket Mode in Slack app settings and generate app-level token (xapp-) with connections:write scope
- [ ] T003 Install Slack app to chochacho workspace and copy bot token (xoxb-)
- [ ] T004 [P] Document app setup process in docs/worklogs/2025-10-22-slack-app-setup.org
- [ ] T005 Verify Slack app has all 29 required bot scopes per research.md section 2
---
## Phase 2: Foundational (Blocking Prerequisites)
**Purpose**: Core infrastructure that MUST be complete before ANY user story can be implemented
**⚠️ CRITICAL**: No user story work can begin until this phase is complete
- [ ] T006 Add slack-oauth-token and slack-app-token to secrets/secrets.yaml using sops secrets/secrets.yaml
- [ ] T007 Verify secrets decrypt correctly on VPS using ssh root@45.77.205.49 'sops -d /path/to/secrets.yaml'
- [X] T008 Update modules/mautrix-slack.nix to change workspace from "delpadtech" to "chochacho"
- [X] T009 Verify PostgreSQL database mautrix_slack exists using ssh root@45.77.205.49 'sudo -u postgres psql -l | grep mautrix_slack'
- [X] T010 Verify Matrix homeserver conduwuit is running on port 8008 using ssh root@45.77.205.49 'curl -s http://localhost:8008/_matrix/client/versions'
**Checkpoint**: Foundation ready - user story implementation can now begin in parallel
---
## Phase 3: User Story 1 - Slack to Matrix Message Delivery (Priority: P1) 🎯 MVP
**Goal**: Relay messages from Slack to Matrix within 5 seconds with sender identity preserved
**Independent Test**: Send test message in Slack #dev-platform, verify appears in Matrix room within 5 seconds with correct sender
### Implementation for User Story 1
- [ ] T011 [US1] Update hosts/ops-jrz1.nix to enable services.mautrix-slack with homeserverUrl http://127.0.0.1:8008 and serverName clarun.xyz
- [ ] T012 [US1] Configure database connection in hosts/ops-jrz1.nix with uri postgresql:///mautrix_slack?host=/run/postgresql
- [ ] T013 [US1] Set logging.level to "debug" in hosts/ops-jrz1.nix for initial deployment troubleshooting
- [ ] T014 [US1] Deploy configuration to VPS using nixos-rebuild switch --flake .#ops-jrz1 --target-host root@45.77.205.49 --build-host localhost
- [ ] T015 [US1] Verify mautrix-slack service started using ssh root@45.77.205.49 'systemctl status mautrix-slack'
- [ ] T016 [US1] Check service logs for startup errors using ssh root@45.77.205.49 'journalctl -u mautrix-slack -n 50'
- [ ] T017 [US1] Verify appservice registration file created at /var/lib/matrix-appservices/mautrix_slack_registration.yaml
- [ ] T018 [US1] Add appservice registration to Matrix homeserver configuration (conduwuit continuwuity.toml)
- [ ] T019 [US1] Restart Matrix homeserver to load appservice using ssh root@45.77.205.49 'systemctl restart matrix-continuwuity'
- [ ] T020 [US1] Open Matrix DM with @slackbot:clarun.xyz and verify bot responds
- [ ] T021 [US1] Authenticate bridge by sending "login app" command and providing bot token and app token
- [ ] T022 [US1] Verify Socket Mode connection established in logs using ssh root@45.77.205.49 'journalctl -u mautrix-slack -f | grep -i socket'
- [ ] T023 [US1] Accept invitation to Matrix room for #dev-platform channel
- [ ] T024 [US1] Test Slack→Matrix relay by posting "Test message from Slack" in #dev-platform and verifying it appears in Matrix within 5 seconds
- [ ] T025 [US1] Verify sender identity preserved (message shows from ghost user @slack_USERID:clarun.xyz)
- [ ] T026 [US1] Test emoji preservation by posting message with emoji in Slack and verifying emoji appears in Matrix
- [ ] T027 [US1] Test multi-line message formatting by posting multi-line message in Slack and verifying line breaks preserved in Matrix
- [ ] T028 [US1] Test file attachment by uploading file to Slack and verifying link appears in Matrix
- [ ] T029 [US1] Document US1 validation results in docs/worklogs/2025-10-22-us1-slack-to-matrix-validation.org
**Checkpoint**: At this point, User Story 1 should be fully functional and testable independently
---
## Phase 4: User Story 2 - Matrix to Slack Message Delivery (Priority: P1)
**Goal**: Relay messages from Matrix to Slack within 5 seconds with Matrix username preserved
**Independent Test**: Send test message from Matrix room, verify appears in Slack channel within 5 seconds with Matrix username
### Implementation for User Story 2
- [ ] T030 [US2] Test Matrix→Slack relay by posting "Test message from Matrix" in bridged Matrix room and verifying it appears in Slack within 5 seconds
- [ ] T031 [US2] Verify Matrix username appears in Slack message (bridge bot posts with sender attribution)
- [ ] T032 [US2] Test markdown formatting by posting message with **bold** and *italic* in Matrix and verifying formatting converted in Slack
- [ ] T033 [US2] Test user mention by mentioning another Matrix user and verifying translated to Slack @username format
- [ ] T034 [US2] Test attachment posting from Matrix and verify link appears in Slack
- [ ] T035 [US2] Verify bidirectional message flow works simultaneously (send messages from both sides)
- [ ] T036 [US2] Document US2 validation results in docs/worklogs/2025-10-22-us2-matrix-to-slack-validation.org
**Checkpoint**: At this point, User Stories 1 AND 2 should both work independently (full bidirectional communication)
---
## Phase 5: User Story 3 - Bridge Service Reliability (Priority: P2)
**Goal**: Bridge starts automatically on boot and recovers from failures without manual intervention
**Independent Test**: Reboot server and verify bridge auto-starts within 2 minutes, or simulate network failure and verify auto-recovery
### Implementation for User Story 3
- [ ] T037 [US3] Verify systemd service has Restart=always in modules/mautrix-slack.nix serviceConfig
- [ ] T038 [US3] Verify service has After=network-online.target postgresql.service matrix-continuwuity.service in systemd dependencies
- [ ] T039 [US3] Test auto-start by rebooting VPS using ssh root@45.77.205.49 'reboot'
- [ ] T040 [US3] Verify bridge service started automatically within 2 minutes using systemctl status mautrix-slack
- [ ] T041 [US3] Verify messages relay successfully after reboot without manual intervention
- [ ] T042 [US3] Test connection recovery by simulating Slack API outage (temporarily revoke token, then restore)
- [ ] T043 [US3] Verify bridge reconnects automatically after token restored without manual restart
- [ ] T044 [US3] Test Matrix homeserver recovery by restarting conduwuit using ssh root@45.77.205.49 'systemctl restart matrix-continuwuity'
- [ ] T045 [US3] Verify bridge re-establishes connection to Matrix automatically
- [ ] T046 [US3] Test configuration error handling by temporarily breaking config and verifying clear diagnostic message in logs
- [ ] T047 [US3] Verify health indicators logged (connection status, last message timestamp, error count) using journalctl -u mautrix-slack --since "1 hour ago"
- [ ] T048 [US3] Document US3 validation results including recovery times in docs/worklogs/2025-10-22-us3-reliability-validation.org
**Checkpoint**: All P1 and P2 user stories should now be independently functional
---
## Phase 6: User Story 4 - Bridge Configuration Management (Priority: P3)
**Goal**: Administrators can configure channel bridges declaratively without code or manual restarts
**Independent Test**: Add new channel to configuration, reload config, verify new bridge established automatically
### Implementation for User Story 4
- [ ] T049 [US4] Review automatic portal creation behavior from research.md section 5 (channels auto-bridge on activity)
- [ ] T050 [US4] Document conversation_count configuration parameter in hosts/ops-jrz1.nix (controls initial sync count)
- [ ] T051 [US4] Test adding new channel by inviting Slack bot to #general using /invite @Matrix Bridge in Slack
- [ ] T052 [US4] Verify portal auto-created when message sent in #general without configuration change
- [ ] T053 [US4] Accept Matrix room invitation for #general and verify messages relay
- [ ] T054 [US4] Test removing channel bridge by kicking bot from Slack channel and verifying portal becomes inactive
- [ ] T055 [US4] Document active bridges by querying database using ssh root@45.77.205.49 'sudo -u mautrix_slack psql mautrix_slack -c "SELECT * FROM portal;"'
- [ ] T056 [US4] Test configuration error handling by setting invalid conversation_count value and verifying error message
- [ ] T057 [US4] Document channel management workflow in docs/worklogs/2025-10-22-us4-channel-management.org
- [ ] T058 [US4] Update CLAUDE.md with channel management patterns and common commands
**Checkpoint**: All user stories should now be independently functional
---
## Phase 7: Polish & Cross-Cutting Concerns
**Purpose**: Production readiness and documentation
- [ ] T059 [P] Change logging.level from "debug" to "info" in hosts/ops-jrz1.nix for production
- [ ] T060 [P] Create comprehensive deployment worklog in docs/worklogs/2025-10-22-slack-bridge-deployment-complete.org
- [ ] T061 [P] Update platform-vision.md to mark Milestone 1 (Working Slack Bridge) as complete
- [ ] T062 Validate all success criteria from spec.md SC-001 through SC-008
- [ ] T063 Run through quickstart.md steps to verify deployment guide accuracy
- [ ] T064 [P] Create backup of bridge database using ssh root@45.77.205.49 'sudo -u postgres pg_dump mautrix_slack > mautrix_slack_backup.sql'
- [ ] T065 [P] Document monitoring commands and health check procedures in CLAUDE.md
- [ ] T066 Monitor bridge stability for 7 days and collect uptime metrics for SC-003 validation
- [ ] T067 [P] Create troubleshooting guide for common issues (exit code 11, Socket Mode disconnects, auth failures)
---
## Dependencies & Execution Order
### Phase Dependencies
- **Setup (Phase 1)**: No dependencies - can start immediately (external Slack app configuration)
- **Foundational (Phase 2)**: Depends on Setup completion - BLOCKS all user stories
- **User Stories (Phase 3-6)**: All depend on Foundational phase completion
- US1 and US2 are both P1 priority but US2 depends on US1 being tested first (builds on Slack→Matrix foundation)
- US3 (P2) can be tested after US1+US2 work
- US4 (P3) can be implemented after core messaging validated
- **Polish (Phase 7)**: Depends on all desired user stories being complete
### User Story Dependencies
- **User Story 1 (P1)**: Can start after Foundational (Phase 2) - No dependencies on other stories
- **User Story 2 (P1)**: Can start after US1 validated - Builds on Slack→Matrix relay working
- **User Story 3 (P2)**: Can start after US1+US2 - Tests existing bridge reliability
- **User Story 4 (P3)**: Can start after US1+US2 - Tests channel management on working bridge
### Within Each User Story
- US1: Setup → Deploy → Authenticate → Test Slack→Matrix → Validate
- US2: Test Matrix→Slack → Validate (uses infrastructure from US1)
- US3: Test auto-start → Test recovery → Monitor health indicators
- US4: Test auto portal creation → Test removal → Document management
### Parallel Opportunities
- Phase 1 (T001-T005): All can run in parallel (different Slack app configuration steps)
- Phase 2: Most tasks sequential (dependencies on secrets, config, services)
- User Stories: Cannot truly parallelize due to shared bridge instance and sequential validation needs
- Phase 7 polish tasks: Most marked [P] can run in parallel (different files/documentation)
---
## Parallel Example: Phase 1 (Slack App Setup)
```bash
# All Slack app configuration tasks can proceed in parallel:
Task: "Create Slack app using manifest"
Task: "Document app setup process"
Task: "Verify scopes"
```
---
## Parallel Example: Phase 7 (Polish)
```bash
# Documentation and monitoring tasks can run in parallel:
Task: "Change logging level to info"
Task: "Create deployment worklog"
Task: "Update platform-vision.md"
Task: "Create database backup"
Task: "Document monitoring commands"
Task: "Create troubleshooting guide"
```
---
## Implementation Strategy
### MVP First (User Stories 1 + 2)
1. Complete Phase 1: Slack App Setup (external)
2. Complete Phase 2: Foundational (CRITICAL - blocks all stories)
3. Complete Phase 3: User Story 1 (Slack→Matrix)
4. **VALIDATE US1**: Test independently, verify <5 second latency, verify sender identity
5. Complete Phase 4: User Story 2 (Matrix→Slack)
6. **VALIDATE US2**: Test independently, verify bidirectional flow works
7. **STOP and VALIDATE MVP**: Full bidirectional messaging working
8. Deploy/demo if ready
### Incremental Delivery
1. Complete Setup + Foundational → Foundation ready
2. Add User Story 1 → Test independently → MVP partial (read-only Slack via Matrix)
3. Add User Story 2 → Test independently → MVP complete (full bidirectional)
4. Add User Story 3 → Test independently → Production ready (auto-recovery)
5. Add User Story 4 → Test independently → Admin friendly (easy channel management)
6. Each story adds value without breaking previous stories
### Single-Person Sequential Strategy
Given infrastructure configuration nature (single bridge instance):
1. Complete Setup (Phase 1) - Slack app external setup
2. Complete Foundational (Phase 2) - Core infrastructure
3. Implement User Story 1 (Phase 3) - Validate thoroughly before proceeding
4. Implement User Story 2 (Phase 4) - Builds on US1, validate bidirectional
5. Implement User Story 3 (Phase 5) - Test reliability features
6. Implement User Story 4 (Phase 6) - Test channel management
7. Polish (Phase 7) - Production hardening and documentation
---
## Notes
- [P] tasks = different files, no dependencies
- [Story] label maps task to specific user story for traceability
- Each user story should be independently completable and testable
- Manual testing throughout (no automated test suite per spec.md)
- Commit after each task or logical group
- Stop at any checkpoint to validate story independently
- Infrastructure project: tasks are configuration updates, not traditional code
- Bridge uses interactive authentication (tokens via Matrix chat, not NixOS config)
- Automatic portal creation means no static channel mapping configuration needed
- Health monitoring via systemd journal logs (basic indicators per FR-011a)