diff --git a/memory/MEMORY.md b/memory/MEMORY.md index 1a26d21..3de7980 100644 --- a/memory/MEMORY.md +++ b/memory/MEMORY.md @@ -2,3 +2,4 @@ - [Git identity / push creds](git-identity-local.md) — git.autonomic.zone push info lives in the active cc-ci project (/srv/cc-ci/.testenv); local git identity set on PO repo - [Memory lives in repo](memory-in-repo.md) — memory/ is in the PO repo and git-tracked; ~/.claude memory path is a symlink to it - [Tangled mirrors](tangled-mirrors.md) — agent-orchestrator + project-orchestrator mirrored to tangled.org (notplants DID); push via `tangled` remote + ~/.ssh/tangled-ed25519 +- [Tangled bot + repo creation](tangled-bot-and-repo-creation.md) — notplants-bot bsky creds in gitignored .secrets/; recipe to create a Tangled repo via XRPC (SSH-to-knot blocked, use HTTPS + git@tangled.org proxy) diff --git a/memory/tangled-bot-and-repo-creation.md b/memory/tangled-bot-and-repo-creation.md new file mode 100644 index 0000000..e44e6e3 --- /dev/null +++ b/memory/tangled-bot-and-repo-creation.md 
@@ -0,0 +1,34 @@ +--- +name: tangled-bot-and-repo-creation +description: notplants-bot bsky creds location + how to create a Tangled repo programmatically +metadata: + node_type: memory + type: reference + originSessionId: 5c93c441-4896-4a82-9dc4-0f7f39db24f0 +--- + +The Tangled bot account `notplants-bot.bsky.social` (DID `did:plc:qfngkejlw4ghji2myc73hbdh`, +PDS `https://auriporia.us-west.host.bsky.network`). Its bsky password is in +`.secrets/notplants-bot.bsky.social.env` in the PO repo — **gitignored via `/.secrets/`**, perms 600, +never committed. (Consider rotating to an atproto app-password; the stored one looks like the main pw.) + +**Tangled networking gotcha:** knots like `knot1.tangled.sh` are Cloudflare-fronted, so **SSH (port 22) +to a knot host is unreachable** from this box, but **HTTPS (443) works**. Git push goes through the +reachable SSH proxy `git@tangled.org:/` (which routes to the knot internally) — NOT +directly to the knot. The tangled SSH proxy addresses repos by the **owner's atproto identity/handle**, +not the knot-storage DID shown in clone URLs; "repo not found" over SSH means no access OR wrong owner +identity, not necessarily nonexistent. + +**Create a repo programmatically as the bot** (no CLI exists; this is what the web "+ new repo" does): +1. `com.atproto.server.createSession` on the PDS → `accessJwt`, `did`. +2. `com.atproto.server.getServiceAuth?aud=did:web:knot1.tangled.sh&lxm=sh.tangled.repo.create&exp=` + with `Authorization: Bearer ` → service-auth `token`. +3. `POST https://knot1.tangled.sh/xrpc/sh.tangled.repo.create` (Bearer = service token, JSON + `{rkey,name,defaultBranch:"main"}`) → `{repoDid}`. (Needs `server:member` on the knot; the bot + already has it since it pushes existing repos there.) +4. `POST /xrpc/com.atproto.repo.createRecord` (Bearer = accessJwt) collection `sh.tangled.repo`, + record `{$type:"sh.tangled.repo", knot:"knot1.tangled.sh", name, description, createdAt, repoDid}`. +5. 
`git push git@tangled.org:/ main`. (rkey = lowercased name.) + +Repo created this way: `https://tangled.org/notplants-bot.bsky.social/apertus-70b-instruct-2509-experiments` +(holds the opencode/Apertus-70B config). Related: [[tangled-mirrors]].
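Review bot: In the memory/MEMORY.md hunk, the added index line spells out where the bot credentials live ("notplants-bot bsky creds in gitignored .secrets/") in a file the context lines describe as git-tracked, and the Tangled mirrors entry says project-orchestrator is pushed to tangled.org. If PO is that repo, the pointer to the secret's location is published along with the mirror. Suggest trimming the index entry to the recipe description ("recipe to create a Tangled repo via XRPC") and leaving the credential location out of the index, or confirming that the mirror is not publicly readable.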
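Review bot: In memory/tangled-bot-and-repo-creation.md, the first paragraph records that the stored secret "looks like the main pw" and only suggests rotating it ("Consider rotating to an atproto app-password"); that rotation should happen before this lands rather than stay as a parenthetical, and the recipe should then be re-run with the app-password to confirm steps 1 and 2 still work. Once done, reword the sentence to state that the env file holds an app-password. Separately, several values in the recipe are blank in the lines as committed: `exp=` and `Authorization: Bearer ` in step 2, the path in `git@tangled.org:/` (networking paragraph and step 5), and step 4 gives no host for `POST /xrpc/com.atproto.repo.createRecord`. If placeholders were intended, write them in a form that survives rendering and name the host step 4 is sent to, otherwise the recipe cannot be followed from this file alone.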