memory: correct Tangled gotcha — case-sensitive rkey in SSH path (not network/perms)

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01ALPo5Y86fzQjsALNZRSSG5
2026-06-23 20:35:44 +00:00
parent 7cd0ab2170
commit 4f18a6c01c

@ -12,12 +12,20 @@ PDS `https://auriporia.us-west.host.bsky.network`). Its bsky password is in
`.secrets/notplants-bot.bsky.social.env` in the PO repo — **gitignored via `/.secrets/`**, perms 600,
never committed. (Consider rotating to an atproto app-password; the stored one looks like the main pw.)
**Tangled networking gotcha:** knots like `knot1.tangled.sh` are Cloudflare-fronted, so **SSH (port 22)
to a knot host is unreachable** from this box, but **HTTPS (443) works**. Git push goes through the
reachable SSH proxy `git@tangled.org:<handle>/<repo>` (which routes to the knot internally) — NOT
directly to the knot. The tangled SSH proxy addresses repos by the **owner's atproto identity/handle**,
not the knot-storage DID shown in clone URLs; "repo not found" over SSH means no access OR wrong owner
identity, not necessarily nonexistent.
**Tangled SSH-path gotcha (THE big one):** the `git@tangled.org` SSH proxy matches the repo by its
**rkey, which is the lowercased repo name** — and the match is **case-sensitive**. A path with capitals
(`…/Apertus-70B-Instruct-2509-experiments`) returns **"repo not found"** even when you have access;
use the lowercased form (`…/apertus-70b-instruct-2509-experiments`). This misled a whole session into
thinking it was a network/permissions problem — it was just case. "repo not found" over SSH usually
means wrong rkey case or wrong owner path, NOT lack of access (access denial looks different).
Address repos on the proxy by the **owner's atproto handle/DID** (e.g. `notplants.bsky.social` /
its DID `3nog…`), NOT the knot-storage repoDid shown in clone-URL redirects (e.g. `54ba…`). The
repoDid is just where bytes live (handleless, PDS=knot1); it is never the SSH path.
**Networking:** knots like `knot1.tangled.sh` are Cloudflare-fronted — **SSH (port 22) to a knot host
is unreachable** from this box, but **HTTPS (443) works**, and git push always goes through the
reachable `git@tangled.org` proxy anyway (it routes to the knot internally), so this rarely matters.
**Create a repo programmatically as the bot** (no CLI exists; this is what the web "+ new repo" does):
1. `com.atproto.server.createSession` on the PDS → `accessJwt`, `did`.
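Review bot: The new "Tangled SSH-path gotcha" paragraph states that "access denial looks different" but never records what a denial actually returns, while the paragraph it replaces said "repo not found" could mean no access. Quote the exact denial message that was observed so a reader can tell the two failures apart, and say whether "rkey is the lowercased repo name" was confirmed on more than the one `Apertus-70B-Instruct-2509-experiments` case. The unchanged line above the hunk still carries "(Consider rotating to an atproto app-password; the stored one looks like the main pw.)"; since this section is being revised anyway, that rotation is worth tracking as an open item rather than leaving it as a parenthetical.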