[plane] Record temporary test user creation#34
Conversation
Purpose: Record the live Plane bootstrap and temporary test-user creation.\nScope: Add a live-apply receipt without credential material.\nStatus: plane-test@0mcp.com can sign into Plane and sees workspace 0mcp-platform.\nNext: Remove or rotate the temporary test user after operator validation.\nSee also: ADR 0193
There was a problem hiding this comment.
Caution
The receipt does not conform to the validated schema enforced by scripts/live_apply_receipts.py. The following required fields are absent: schema_version, applied_on, recorded_on, `recorded_by...
receipts/live-applies/2026-07-02-plane-test-user-live-apply.json:36
1 finding(s) posted as inline comments.
| { | ||
| "receipt_id": "2026-07-02-plane-test-user-live-apply", | ||
| "applied_at_utc": "2026-07-02T09:33:36Z", | ||
| "applied_by": "codex", | ||
| "environment": "production", | ||
| "target": { | ||
| "service": "plane", | ||
| "vm": "docker-runtime-lv3", | ||
| "public_url": "https://plane.0mcp.com", | ||
| "canonical_public_url": "https://tasks.0mcp.com" | ||
| }, | ||
| "summary": "Initialized the live Plane instance through the repo-managed bootstrap path and created a temporary member account for operator testing.", | ||
| "changes": [ | ||
| "Opened a temporary SSH tunnel from the controller workstation to docker-runtime-lv3 port 8093.", | ||
| "Ran scripts/plane_bootstrap.py against the tunneled Plane endpoint using the existing .local/plane bootstrap spec and password files.", | ||
| "Created the normal Plane user plane-test@0mcp.com through the live Plane Django ORM.", | ||
| "Added plane-test@0mcp.com to workspace 0mcp-platform as role 15.", | ||
| "Added plane-test@0mcp.com to project ADR as role 15.", | ||
| "Closed the temporary SSH tunnel." | ||
| ], | ||
| "verification": [ | ||
| { | ||
| "check": "Plane bootstrap state", | ||
| "result": "Plane contains admin ops@0mcp.com, workspace 0mcp-platform, and project ADR." | ||
| }, | ||
| { | ||
| "check": "Plane test user membership", | ||
| "result": "plane-test@0mcp.com is an active member of workspace 0mcp-platform and project ADR with role 15." | ||
| }, | ||
| { | ||
| "check": "Plane credential verification", | ||
| "result": "Plane email/password sign-in for plane-test@0mcp.com succeeded through the tunneled Plane endpoint and returned workspace 0mcp-platform." | ||
| } | ||
| ], | ||
| "sensitive_material": "The temporary password was returned only to the operator in chat and is intentionally not recorded in this receipt." | ||
| } |
This comment was marked as resolved.
This comment was marked as resolved.
Sorry, something went wrong.
Purpose: Record the temporary Keycloak SSO user created for Plane edge-login testing.\nScope: Add a live-apply receipt without credential material.\nStatus: plane-test@0mcp.com can authenticate to Keycloak realm 0mcp and has platform-read access.\nNext: Remove or rotate the temporary test user after operator validation.\nSee also: ADR 0193
There was a problem hiding this comment.
Caution
The receipt records the test user created in Keycloak realm 0mcp, but keycloak_runtime/defaults/main.yml hardcodes keycloak_realm_name: lv3, ADR 0056 documents realm lv3 as the platform-wide K...
receipts/live-applies/2026-07-02-keycloak-plane-test-sso-user-live-apply.json:11
Warning
ADR 0307 requires all temporary accounts to carry a machine-readable expiry (Expires YYYY-MM-DDTHH:MM:SSZ in notes) and explicitly mandates offboarding at that date.
receipts/live-applies/2026-07-02-keycloak-plane-test-sso-user-live-apply.json:19
2 finding(s) posted as inline comments.
| "service": "keycloak", | ||
| "vm": "runtime-control", | ||
| "realm": "0mcp", | ||
| "user": "plane-test@0mcp.com" | ||
| }, |
This comment was marked as resolved.
This comment was marked as resolved.
Sorry, something went wrong.
| "changes": [ | ||
| "Authenticated to the live Keycloak admin CLI on runtime-control using the existing bootstrap admin recovery secret.", | ||
| "Created or updated the Keycloak user plane-test / plane-test@0mcp.com in realm 0mcp.", | ||
| "Set the user as enabled and email-verified with no required actions for temporary testing.", | ||
| "Set a non-temporary password matching the Plane local test account password.", | ||
| "Mapped the user to the grafana-viewers group and platform-read realm role." | ||
| ], |
This comment was marked as resolved.
This comment was marked as resolved.
Sorry, something went wrong.
Purpose: Record why the Plane test SSO user needed the oauth2-proxy allowed group.\nScope: Add a live-apply receipt without credential material.\nStatus: plane-test@0mcp.com is now in /0mcp-platform-admins for shared edge access.\nNext: Remove or rotate the temporary test user after operator validation.\nSee also: ADR 0193
Summary\n- records the live Plane bootstrap/test-user operation performed on 2026-07-02\n- intentionally excludes the temporary password from the receipt\n\n## Verification\n- JSON receipt validates with python3 -m json.tool\n- Plane sign-in for plane-test@0mcp.com succeeded through the tunneled Plane endpoint and returned workspace 0mcp-platform\n