From 9a2ab974e6a353190a7ff4a3d81afc3aea3e4a4c Mon Sep 17 00:00:00 2001 From: mwiegand Date: Fri, 15 May 2026 12:17:55 +0200 Subject: [PATCH] spec: session handoff pointing next session at uid-split MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Short companion to the existing topic-specific handoff docs. Captures the situationally-fresh state at the end of the 2026-05-15 deploy-dir-rethink + janitorial sweep so a fresh session can pick up cold: what just landed, what's next (uid-split), what's NOT next (build-overlay-unit, until uid-split decides), and the decision-relevant signals that emerged during this session — mostly that the 2-uid model was freshly load-bearing in the build-time-idmap work and that srcds hardening already covers most of what a gameserver-uid split would add. Co-Authored-By: Claude Opus 4.7 (1M context) --- .../specs/2026-05-15-session-handoff.md | 105 ++++++++++++++++++ 1 file changed, 105 insertions(+) create mode 100644 docs/superpowers/specs/2026-05-15-session-handoff.md diff --git a/docs/superpowers/specs/2026-05-15-session-handoff.md b/docs/superpowers/specs/2026-05-15-session-handoff.md new file mode 100644 index 0000000..9d332d6 --- /dev/null +++ b/docs/superpowers/specs/2026-05-15-session-handoff.md @@ -0,0 +1,105 @@ +# Session handoff — next: uid-split decision + +Short handoff for the session that follows the 2026-05-15 deploy-dir +rethink + janitorial sweep. The full project context is in CLAUDE.md +and the per-topic specs/plans linked below; this doc covers only +what's situationally fresh. + +## What just landed + +Four commits since `e38b844`, pushed to `origin/master`: + +- `5284e28` — privileged helpers moved out of `deploy/files/usr/local/{libexec,sbin}/` + into top-level `scripts/{libexec,sbin}/`. `deploy/` is now reference + material (README + example configs + curated example units). Dead + static artifacts deleted: `left4me-apply-cake`, `left4me-cake.service`, + `left4me-nft-mark.service`, `cake.env`, `left4me-mark.nft`, the + superseded `deploy-test-server.sh`. +- `160911f` — plan landed at `docs/superpowers/plans/2026-05-15-deploy-dir-rethink.md`; + adjacent specs marked resolved. +- `8f30dd7` — janitorial item 6 (bubblewrap doc-drift) corrected. +- `4aa69c2` — janitorial items 8 and 9 verified on `ovh.left4me` + (141.95.32.8) and marked resolved. + +Companion change in **ckn-bw** is committed (`91b7265`) but **not yet +pushed**. Verified against the test host via `bw apply ovh.left4me`; +the working-tree-as-applied was committed afterwards. Pushing it is +safe and idempotent (deployed bytes already match). + +Janitorial spec status: items 1, 2 (partial), 3, 4, 5, 6, 8, 9 +closed. Items 7 and 10 remain (item 7 is conditional on the +build-overlay-unit refactor; item 10 is a calendar reminder for SM +1.13 in late 2026). + +## What's next: uid-split + +Existing handoff: +[`docs/superpowers/specs/2026-05-15-user-uid-split-design.md`](2026-05-15-user-uid-split-design.md). +Read that first. The decision is whether left4me should have 1, 2, +or 3 system users; today it has 2 (`left4me` + `l4d2-sandbox`). + +This is a **decision** task, not a migration. Likely outcome: settle +the question with a short plan and either a memory entry / spec +resolution (if status quo wins) or a follow-up implementation plan +(if "split to 3" or "collapse to 1" wins). Time-box the decision to +one session; defer any migration work to a follow-up plan. + +### Decision-relevant context that emerged this session + +- **The 2-uid model is freshly load-bearing.** The build-time-idmap + work (commits `2f6a9cf` + `9053186`, plan + `docs/superpowers/plans/2026-05-15-build-time-idmap.md`) explicitly + used "sandbox escape could see web.env / DB / running gameservers" + as the argument for keeping `l4d2-sandbox` as a separate uid. That + argument cuts the "collapse to 1" option hard. +- **Verified clean on the host:** `left4me-server@{1,2}.service` are + both running as `left4me` today (janitorial item 8 diagnostic). + No orphan idmap binds; the 2-uid invariants hold. +- **Files-overlay invariant verified:** overlay 8 (`Optimized + Settings`, files-type) is `left4me:left4me` end-to-end with no + `l4d2-sandbox`-owned files (janitorial item 9). This means files + overlays would not be affected by a gameserver-uid split — the + Python web app writes them directly as `left4me`. +- **The hardening floor is high.** `srcds` already runs with + `NoNewPrivileges=true`, `ProtectSystem=strict`, + `PrivateDevices=true`, `ReadOnlyPaths=...installation...overlays`, + `RestrictSUIDSGID=true`, `LockPersonality=true` (see + `deploy/files/usr/local/lib/systemd/system/left4me-server@.service`). + Most exfil paths a gameserver-uid split would close are already + closed by systemd hardening. The case for "split to 3" is + defense-in-depth, not a missing primary control. +- **Sudoers / cross-repo cost.** A new uid would need additions in + ckn-bw's `bundles/left4me/items.py` (`users` dict) and in the + sudoers grants. Both are in the right state to receive that change + cleanly; deploy-dir-rethink already pinned where each lives. + +### Downstream consequence + +Whatever uid-split decides constrains the **build-overlay-unit** +refactor that follows +([`docs/superpowers/specs/2026-05-15-build-overlay-unit-design.md`](2026-05-15-build-overlay-unit-design.md)). +The systemd template unit replacing `left4me-script-sandbox` encodes +the idmap mapping `l4d2-sandbox` → ``. Settling the uid +question first means build-overlay-unit composes against a final +foundation rather than retouching. + +## Pointers + +- Source-of-truth spec: `docs/superpowers/specs/2026-05-15-user-uid-split-design.md` +- Build-time-idmap plan (the load-bearing security argument): + `docs/superpowers/plans/2026-05-15-build-time-idmap.md` +- Live unit files for srcds hardening review: + `deploy/files/usr/local/lib/systemd/system/left4me-server@.service` +- ckn-bw users definition: `~/Projekte/ckn-bw/bundles/left4me/items.py` + (the `users = {...}` dict near the top) +- Sandbox helper that does the idmap mapping today: + `scripts/libexec/left4me-script-sandbox` + +## What's NOT next + +- Build-overlay-unit refactor. Wait for uid-split. +- Janitorial item 7 (`_sandbox_script_dir` cleanup). Conditional on + build-overlay-unit Option B landing. +- Mako template duplication in ckn-bw. Separate cleanup; the + templates legitimately need bw's metadata access. +- Pushing the ckn-bw `91b7265` commit. Safe but not blocking.