cloverleaf-larry

bryan/cloverleaf-larry

Fork 0

Commit Graph

Author	SHA1	Message	Date
bj	ea9f4c2399	v0.9.0: broker mode is the DEFAULT — wire the remote kill-switch into every Cloverleaf-Larry Phase 3 of the Larry remote kill-switch (Pax design; Mack's broker on .135 LAN 8181 / Tailscale 100.86.16.114:8181). Deployed Larry no longer holds a long-lived sk-ant-… key: it holds a per-deployment enrollment secret, mints a short-lived token from the broker, and routes every LLM call THROUGH the broker /v1/messages (real key injected server-side). set-authorized <id> false => the deployment 401s and dies, no box access required. - LARRY_AUTH_MODE=broker is the DEFAULT (was apikey). Self-update flips existing installs to broker-mode too, so upgrading Gundersen delivers the kill-switch. Escape hatch (documented, not default): LARRY_AUTH_MODE=apikey (no kill-switch, never for PHI boxes). - New lib/broker.sh: enroll+mint, fail-closed heartbeat, best-effort PHI wipe (reuses uninstall-larry.sh's shred/overwrite secure-delete + LARRY_HOME guard). - Fail-closed preflight at launch + in-REPL heartbeat (default 60s, 3-miss budget): disabled => refuse to run (+ PHI wipe for profile:phi); unreachable past budget => refuse to run (NO wipe on a network blip — only an explicit disable wipes). - call_api / call_api_stream broker branch: Bearer short-lived token, no x-api-key, token never on disk. - install-larry.sh enrollment provisioning: LARRY_DEPLOYMENT_ID + LARRY_ENROLL_SECRET (+ LARRY_PROFILE/LARRY_BROKER_URL) baked 0600 + into the shim; box shows up in the dashboard ready to toggle. - /auth reports broker state. Reachability (flagged for Bryan): the broker is LAN + Tailscale only (no public route). Egress-restricted boxes reach it over Tailscale (default URL = tailnet). A box that can reach neither fail-closes = won't run (correct kill, useless work state) — such a box MUST run Tailscale, or Bryan must stand up a hardened public broker ingress. Bug fixed in test: _broker_json_field jq `// empty` rendered literal false as empty, mis-classifying a DISABLED deployment as an unreachable MISS (delaying fail-close + skipping the PHI wipe). Fixed to `if has($k) then .[$k] else "" end`. Verified end-to-end against the live broker: enroll -> mint -> proxied call -> disable -> instant 401 + heartbeat fail-close + 5 PHI files shredded. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>	2026-05-31 23:10:09 -07:00

Author

SHA1

Message

Date

ea9f4c2399

v0.9.0: broker mode is the DEFAULT — wire the remote kill-switch into every Cloverleaf-Larry

Phase 3 of the Larry remote kill-switch (Pax design; Mack's broker on .135 LAN
8181 / Tailscale 100.86.16.114:8181). Deployed Larry no longer holds a long-lived
sk-ant-… key: it holds a per-deployment enrollment secret, mints a short-lived
token from the broker, and routes every LLM call THROUGH the broker /v1/messages
(real key injected server-side). set-authorized <id> false => the deployment 401s
and dies, no box access required.

- LARRY_AUTH_MODE=broker is the DEFAULT (was apikey). Self-update flips existing
  installs to broker-mode too, so upgrading Gundersen delivers the kill-switch.
  Escape hatch (documented, not default): LARRY_AUTH_MODE=apikey (no kill-switch,
  never for PHI boxes).
- New lib/broker.sh: enroll+mint, fail-closed heartbeat, best-effort PHI wipe
  (reuses uninstall-larry.sh's shred/overwrite secure-delete + LARRY_HOME guard).
- Fail-closed preflight at launch + in-REPL heartbeat (default 60s, 3-miss budget):
  disabled => refuse to run (+ PHI wipe for profile:phi); unreachable past budget
  => refuse to run (NO wipe on a network blip — only an explicit disable wipes).
- call_api / call_api_stream broker branch: Bearer short-lived token, no x-api-key,
  token never on disk.
- install-larry.sh enrollment provisioning: LARRY_DEPLOYMENT_ID + LARRY_ENROLL_SECRET
  (+ LARRY_PROFILE/LARRY_BROKER_URL) baked 0600 + into the shim; box shows up in the
  dashboard ready to toggle.
- /auth reports broker state.

Reachability (flagged for Bryan): the broker is LAN + Tailscale only (no public
route). Egress-restricted boxes reach it over Tailscale (default URL = tailnet).
A box that can reach neither fail-closes = won't run (correct kill, useless work
state) — such a box MUST run Tailscale, or Bryan must stand up a hardened public
broker ingress.

Bug fixed in test: _broker_json_field jq `// empty` rendered literal false as
empty, mis-classifying a DISABLED deployment as an unreachable MISS (delaying
fail-close + skipping the PHI wipe). Fixed to `if has($k) then .[$k] else "" end`.
Verified end-to-end against the live broker: enroll -> mint -> proxied call ->
disable -> instant 401 + heartbeat fail-close + 5 PHI files shredded.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

2026-05-31 23:10:09 -07:00

1 Commits