You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Caddy terminates TLS and proxies canonical host traffic.
agentic-observatory.service is active on loop.
/healthz returns 200 publicly and locally.
Authenticated read-only pages return 200:
/
/loops
/runs
/cases
/handoffs
/knowledge
/verification
/changes
/analysis
/api/loops/topology
Agent-Core collector query APIs return 200:
/v1/loops
/v1/runs
/v1/actions
/v1/topology
NOC Loop Console signed read APIs authenticate successfully.
State-changing Observatory actions are disabled and return 403.
Current production mode:
OBSERVATORY_READ_ONLY=true
OBSERVATORY_ACTIONS_ENABLED=false
This issue tracks the next logical post-rollout work: close deployment drift, stabilize read-only operation, improve runbooks/monitoring, and prepare a safe audited-action canary without enabling actions prematurely.
Goals
Keep the production Observatory reliable and read-only while operators use it.
Eliminate rollout drift and rough edges found during deployment.
Document recovery/password/reset paths without exposing secrets.
Improve monitoring and alerting for Observatory and its dependencies.
Prepare—but do not prematurely enable—audited state-changing actions.
Non-goals
Do not enable OBSERVATORY_ACTIONS_ENABLED=true as part of this issue unless a separate explicit approval/canary issue is completed.
Do not bypass branch protection, CI, protected environments, or production deployment gates.
Do not print or store Vault tokens, GitHub tokens, operator passwords, HMAC secrets, database passwords, or other secret material in logs/docs/issues.
Do not expose the Observatory publicly beyond the existing operator-only authenticated console.
Phase 1 — Close deployment drift
1.1 Persist and apply trailing-dot Caddy canonicalization
A production hotfix was applied so copied FQDN URLs with the DNS root dot work correctly:
No sustained NOC Loop Console 401 errors for Observatory reads.
No unexpected service restarts beyond planned deploys.
Phase 3 — Fix deployment/runbook rough edges
3.1 Document operator password reset flow
During rollout, password reset succeeded in Vault, but the rendered env initially did not update because the Observatory Vault Agent had consumed its wrapped SecretID and could not re-auth after restart:
error="no known secret ID"
Tasks:
Add an Observatory operations runbook documenting password reset.
Include the safe vault kv patch flow.
Include a warning to use kv patch, not kv put, unless writing every existing key.
Include a no-secret way to confirm rendered env state:
Document how to refresh the Observatory AppRole SecretID if Vault Agent reports no known secret ID.
Document that secret values must not be pasted into issues, logs, shell history, PRs, or chat.
Document service restart order:
Refresh Vault Agent AppRole credentials if needed.
Restart vault-agent-agentic-observatory.service.
Confirm env render mtime changed.
Restart or confirm agentic-observatory.service restarted.
Acceptance criteria:
An operator can reset the Observatory password from the runbook without exposing secrets.
The runbook covers Vault Agent re-auth failure recovery.
3.2 Fix systemd warning
Observed warning:
/etc/systemd/system/agentic-observatory.service:8: Unknown key 'ConditionPathIsReadable' in section [Unit], ignoring.
Tasks:
Replace ConditionPathIsReadable with a supported systemd condition/assertion or remove it.
Validate the rendered unit with systemd-analyze verify if possible.
Apply and confirm warning no longer appears on daemon reload/restart.
Acceptance criteria:
No ConditionPathIsReadable warning on daemon-reload or service restart.
3.3 Avoid app-promotion failure when Engineering Loop one-shot is active
A production apply initially failed because a one-shot hyrule-engineering-loop.service was running as user loop, causing Ansible user management to fail:
usermod: user loop is currently used by process ...
Tasks:
Decide the intended behavior when the one-shot Engineering Loop is active during deploy:
pre-stop it,
skip user mutation when already correct,
retry after it exits,
or separate Observatory-only applies from full engineering-loop applies.
Implement the chosen approach in Ansible/workflow.
Add an IaC test if feasible.
Verify rerun behavior when hyrule-engineering-loop.service is active.
Acceptance criteria:
Observatory/app promotion deploys are not blocked by a currently running one-shot Engineering Loop process.
Phase 4 — Monitoring and alerting
4.1 Confirm blackbox/HTTP monitoring
Tasks:
Confirm monitoring exists for https://observatory.servify.network/healthz.
Confirm alerting route and severity are appropriate.
Confirm Caddy proxy path is monitored, not only local app health.
Confirm monitoring covers trailing-dot canonicalization if desired.
Acceptance criteria:
A proxy/TLS/routing failure for the public Observatory URL pages operators.
A local app-only failure is visible separately.
4.2 Add service-level checks
Tasks:
Add/confirm Icinga service checks for:
agentic-observatory.service
vault-agent-agentic-observatory.service
local http://[loop]:8780/healthz
collector query API availability
Add/confirm logs/metrics for Caddy 5xx on Observatory vhost.
Add/confirm disk checks for Observatory state/log paths.
Acceptance criteria:
Failures in the app, Vault Agent render, proxy, collector, or NOC dependency are observable.
Phase 5 — Read-only UX validation
Use the Observatory during real loop activity and collect UX/data issues before enabling actions.
Tasks:
Validate /loops shows active Agentic Loops clearly.
Validate /runs and run detail pages show action-by-action trace replay.
Validate /cases and case detail pages show CaseService state clearly.
Validate /handoffs shows LHP-v1 state clearly.
Validate /knowledge shows artifacts and review state without treating operator text as model instructions.
Context
The Agentic Observatory rollout is now live in production at
https://observatory.servify.network/in read-only mode.Completed rollout milestones:
agent-corenoc-agentengineering-loopknowledgeagentic-observatorynetwork-operationsobservatory.servify.network.agentic-observatory.serviceis active onloop./healthzreturns200publicly and locally.200://loops/runs/cases/handoffs/knowledge/verification/changes/analysis/api/loops/topology200:/v1/loops/v1/runs/v1/actions/v1/topology403.OBSERVATORY_READ_ONLY=trueOBSERVATORY_ACTIONS_ENABLED=falseThis issue tracks the next logical post-rollout work: close deployment drift, stabilize read-only operation, improve runbooks/monitoring, and prepare a safe audited-action canary without enabling actions prematurely.
Goals
Non-goals
OBSERVATORY_ACTIONS_ENABLED=trueas part of this issue unless a separate explicit approval/canary issue is completed.Phase 1 — Close deployment drift
1.1 Persist and apply trailing-dot Caddy canonicalization
A production hotfix was applied so copied FQDN URLs with the DNS root dot work correctly:
https://observatory.servify.network./→301 https://observatory.servify.network/https://observatory.servify.network./healthz→301 https://observatory.servify.network/healthzTracking PR:
fix: redirect observatory trailing-dot hostTasks:
productionenvironment.proxyafter apply:systemctl is-active caddyisactive.sudo caddy validate --config /etc/caddy/Caddyfilesucceeds.https://observatory.servify.network./returns301to canonical no-dot host.https://observatory.servify.network/healthzstill returns200from the Observatory app.Acceptance criteria:
proxy.Phase 2 — Stabilize read-only Observatory operation
2.1 Keep production read-only
Tasks:
agentic_observatory_read_only: trueagentic_observatory_actions_enabled: falseloopcontains:OBSERVATORY_READ_ONLY=trueOBSERVATORY_ACTIONS_ENABLED=false403 Observatory actions are disabled.Acceptance criteria:
2.2 Observe services for 24–72h
Watch for errors, restarts, memory growth, and upstream dependency failures.
Services/logs:
agentic-observatory.servicevault-agent-agentic-observatory.serviceagent-core-collector.servicenoc-agent.serviceLoop Console readsloopSuggested checks:
Acceptance criteria:
5xxpages.401errors for Observatory reads.Phase 3 — Fix deployment/runbook rough edges
3.1 Document operator password reset flow
During rollout, password reset succeeded in Vault, but the rendered env initially did not update because the Observatory Vault Agent had consumed its wrapped SecretID and could not re-auth after restart:
Tasks:
vault kv patchflow.kv patch, notkv put, unless writing every existing key.sudo awk -F= '/^OBSERVATORY_OPERATOR_USERNAME=/{print $0} /^OBSERVATORY_OPERATOR_PASSWORD_HASH=/{print "OBSERVATORY_OPERATOR_PASSWORD_HASH_present=yes length=" length($2)}' \ /etc/agentic-observatory/observatory.envno known secret ID.vault-agent-agentic-observatory.service.agentic-observatory.servicerestarted.Acceptance criteria:
3.2 Fix systemd warning
Observed warning:
Tasks:
ConditionPathIsReadablewith a supported systemd condition/assertion or remove it.systemd-analyze verifyif possible.Acceptance criteria:
ConditionPathIsReadablewarning ondaemon-reloador service restart.3.3 Avoid app-promotion failure when Engineering Loop one-shot is active
A production apply initially failed because a one-shot
hyrule-engineering-loop.servicewas running as userloop, causing Ansible user management to fail:Tasks:
engineering-loopapplies.hyrule-engineering-loop.serviceis active.Acceptance criteria:
Phase 4 — Monitoring and alerting
4.1 Confirm blackbox/HTTP monitoring
Tasks:
https://observatory.servify.network/healthz.Acceptance criteria:
4.2 Add service-level checks
Tasks:
agentic-observatory.servicevault-agent-agentic-observatory.servicehttp://[loop]:8780/healthzAcceptance criteria:
Phase 5 — Read-only UX validation
Use the Observatory during real loop activity and collect UX/data issues before enabling actions.
Tasks:
/loopsshows active Agentic Loops clearly./runsand run detail pages show action-by-action trace replay./casesand case detail pages show CaseService state clearly./handoffsshows LHP-v1 state clearly./knowledgeshows artifacts and review state without treating operator text as model instructions./verificationshows objectives/results clearly./changesand/analysisprovide balanced better/worse impact assessment.Acceptance criteria:
Phase 6 — Prepare audited actions, but keep disabled
Actions should remain disabled until this preparation is complete and explicitly approved.
6.1 Define rollout order
Proposed order from lowest-risk to higher-risk:
Tasks:
Acceptance criteria:
6.2 Verify action safety contracts
For each action, verify:
403behavior when read-only/actions-disabled.Acceptance criteria:
Phase 7 — Canary audited actions separately
Create a separate issue/PR for actual action enablement after Phases 1–6.
Tasks for a future canary:
Acceptance criteria for future canary:
Suggested immediate next PRs
docs/runbooks/agentic-observatory-operations.mdcovering:ConditionPathIsReadablewarning in the systemd unit template.hyrule-engineering-loop.service./healthz, local app health, and Vault Agent render freshness.References
https://observatory.servify.network/https://observatory.servify.network/healthzkv/agentic-observatoryagentic-observatoryloop8780