Initial import — snapshot from admin host /srv/gosec/gsc-ops-api
This repo had no version control prior to this commit. The import is a
straight snapshot of the working tree at 2026-05-03; the deployed
binary on fihelvop01 was being rebuilt from this source via `make
build` + scp into place, with no upstream review path.
The snapshot already includes one in-flight fix made on 2026-05-03 to
internal/service/persona.go:GetSelfModel — the handler queried
`source` and `strength` columns plus an `is_active = true` filter on
persona.persona_commitments, none of which exist on that table (its
shape is session-bound commitments with `status`, `commitment_meta`,
etc.). The query returned a 500 every time SynapseHub bootstrapped a
persona's self-model, dropping the IdentityConstraints / Commitments /
ConscienceStandards layer from the assembled prompt. The patched
query reads existing columns only (commitment_text, commitment_type),
filters on `status='active'`, and synthesises Source="learned" /
Strength=1.0 to keep the SelfModel response shape stable for callers.
Verified live: `GET /api/v1/personas/70f7cfd9-.../self-model` now
returns 200 with `{identityConstraints:[],commitments:[],
conscienceStandards:[]}` instead of 500.
Future changes go through PRs against this repo — no more bin-only
deploys.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This commit is contained in:
Claude (gsc-ops-api init)
105
scripts/install.sh
Executable file
105
scripts/install.sh
Executable file
@@ -0,0 +1,105 @@
|
||||
#!/bin/bash
|
||||
set -euo pipefail
|
||||
|
||||
APP_NAME="gsc-ops-api"
|
||||
APP_USER="gsc-ops-api"
|
||||
INSTALL_DIR="/srv/gosec/${APP_NAME}"
|
||||
CONFIG_DIR="/etc/${APP_NAME}"
|
||||
TLS_DIR="${CONFIG_DIR}/tls"
|
||||
BIN_DIR="${INSTALL_DIR}/bin"
|
||||
|
||||
echo "=== Installing ${APP_NAME} ==="
|
||||
|
||||
# Create system user
|
||||
if ! id "${APP_USER}" &>/dev/null; then
|
||||
useradd -r -s /sbin/nologin -d "${INSTALL_DIR}" "${APP_USER}"
|
||||
echo "Created system user: ${APP_USER}"
|
||||
fi
|
||||
|
||||
# Create directories
|
||||
mkdir -p "${BIN_DIR}" "${CONFIG_DIR}" "${TLS_DIR}"
|
||||
|
||||
# Copy binary
|
||||
if [ -f "${INSTALL_DIR}/bin/${APP_NAME}" ]; then
|
||||
echo "Binary found at ${BIN_DIR}/${APP_NAME}"
|
||||
else
|
||||
echo "WARNING: Binary not found. Build with 'make build' first."
|
||||
fi
|
||||
|
||||
# Copy config if not exists
|
||||
if [ ! -f "${CONFIG_DIR}/config.yaml" ]; then
|
||||
cp "${INSTALL_DIR}/configs/config.yaml" "${CONFIG_DIR}/config.yaml"
|
||||
echo "Config installed to ${CONFIG_DIR}/config.yaml"
|
||||
else
|
||||
echo "Config already exists, skipping"
|
||||
fi
|
||||
|
||||
# Set permissions
|
||||
chown -R root:${APP_USER} "${CONFIG_DIR}"
|
||||
chmod 750 "${CONFIG_DIR}"
|
||||
chmod 640 "${CONFIG_DIR}/config.yaml"
|
||||
chmod 750 "${TLS_DIR}"
|
||||
|
||||
if [ -f "${CONFIG_DIR}/.infisical" ]; then
|
||||
chown root:${APP_USER} "${CONFIG_DIR}/.infisical"
|
||||
chmod 640 "${CONFIG_DIR}/.infisical"
|
||||
fi
|
||||
|
||||
chown root:${APP_USER} "${BIN_DIR}"
|
||||
if [ -f "${BIN_DIR}/${APP_NAME}" ]; then
|
||||
chmod 750 "${BIN_DIR}/${APP_NAME}"
|
||||
fi
|
||||
|
||||
# Install systemd service
|
||||
cat > /etc/systemd/system/${APP_NAME}.service << 'SYSTEMD_EOF'
|
||||
[Unit]
|
||||
Description=GSC Operations API Server
|
||||
Documentation=https://wiki.gosec.internal/infrastructure/gsc-ops-api
|
||||
After=network-online.target postgresql.service
|
||||
Wants=network-online.target
|
||||
|
||||
[Service]
|
||||
Type=simple
|
||||
User=gsc-ops-api
|
||||
Group=gsc-ops-api
|
||||
ExecStart=/srv/gosec/gsc-ops-api/bin/gsc-ops-api
|
||||
Restart=on-failure
|
||||
RestartSec=5
|
||||
StandardOutput=journal
|
||||
StandardError=journal
|
||||
SyslogIdentifier=gsc-ops-api
|
||||
|
||||
# Security hardening
|
||||
NoNewPrivileges=true
|
||||
ProtectSystem=strict
|
||||
ProtectHome=true
|
||||
PrivateTmp=true
|
||||
ProtectKernelTunables=true
|
||||
ProtectKernelModules=true
|
||||
ProtectControlGroups=true
|
||||
RestrictSUIDSGID=true
|
||||
RestrictNamespaces=true
|
||||
|
||||
ReadOnlyPaths=/etc/gsc-ops-api
|
||||
ReadWritePaths=/srv/gosec/gsc-ops-api/bin
|
||||
|
||||
# Environment
|
||||
Environment=GSC_OPS_API_CONFIG=/etc/gsc-ops-api/config.yaml
|
||||
|
||||
[Install]
|
||||
WantedBy=multi-user.target
|
||||
SYSTEMD_EOF
|
||||
|
||||
systemctl daemon-reload
|
||||
echo "Systemd service installed"
|
||||
|
||||
echo ""
|
||||
echo "=== Installation complete ==="
|
||||
echo ""
|
||||
echo "Next steps:"
|
||||
echo " 1. Copy TLS certificates to ${TLS_DIR}/"
|
||||
echo " 2. Copy Infisical token to ${CONFIG_DIR}/.infisical"
|
||||
echo " 3. Edit config: ${CONFIG_DIR}/config.yaml"
|
||||
echo " 4. Start service: systemctl enable --now ${APP_NAME}"
|
||||
echo " 5. Check status: systemctl status ${APP_NAME}"
|
||||
echo " 6. View logs: journalctl -u ${APP_NAME} -f"
|
||||
Reference in New Issue
Block a user