Skip to content

[plane] Record temporary test user creation#34

Open
baditaflorin wants to merge 3 commits into
mainfrom
codex/plane-test-user
Open

[plane] Record temporary test user creation#34
baditaflorin wants to merge 3 commits into
mainfrom
codex/plane-test-user

Conversation

@baditaflorin

Copy link
Copy Markdown
Owner

Summary\n- records the live Plane bootstrap/test-user operation performed on 2026-07-02\n- intentionally excludes the temporary password from the receipt\n\n## Verification\n- JSON receipt validates with python3 -m json.tool\n- Plane sign-in for plane-test@0mcp.com succeeded through the tunneled Plane endpoint and returned workspace 0mcp-platform\n

Purpose: Record the live Plane bootstrap and temporary test-user creation.\nScope: Add a live-apply receipt without credential material.\nStatus: plane-test@0mcp.com can sign into Plane and sees workspace 0mcp-platform.\nNext: Remove or rotate the temporary test user after operator validation.\nSee also: ADR 0193

@prelint prelint Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Caution

The receipt does not conform to the validated schema enforced by scripts/live_apply_receipts.py. The following required fields are absent: schema_version, applied_on, recorded_on, `recorded_by...

receipts/live-applies/2026-07-02-plane-test-user-live-apply.json:36

1 finding(s) posted as inline comments.

Comment on lines +1 to +36
{
"receipt_id": "2026-07-02-plane-test-user-live-apply",
"applied_at_utc": "2026-07-02T09:33:36Z",
"applied_by": "codex",
"environment": "production",
"target": {
"service": "plane",
"vm": "docker-runtime-lv3",
"public_url": "https://plane.0mcp.com",
"canonical_public_url": "https://tasks.0mcp.com"
},
"summary": "Initialized the live Plane instance through the repo-managed bootstrap path and created a temporary member account for operator testing.",
"changes": [
"Opened a temporary SSH tunnel from the controller workstation to docker-runtime-lv3 port 8093.",
"Ran scripts/plane_bootstrap.py against the tunneled Plane endpoint using the existing .local/plane bootstrap spec and password files.",
"Created the normal Plane user plane-test@0mcp.com through the live Plane Django ORM.",
"Added plane-test@0mcp.com to workspace 0mcp-platform as role 15.",
"Added plane-test@0mcp.com to project ADR as role 15.",
"Closed the temporary SSH tunnel."
],
"verification": [
{
"check": "Plane bootstrap state",
"result": "Plane contains admin ops@0mcp.com, workspace 0mcp-platform, and project ADR."
},
{
"check": "Plane test user membership",
"result": "plane-test@0mcp.com is an active member of workspace 0mcp-platform and project ADR with role 15."
},
{
"check": "Plane credential verification",
"result": "Plane email/password sign-in for plane-test@0mcp.com succeeded through the tunneled Plane endpoint and returned workspace 0mcp-platform."
}
],
"sensitive_material": "The temporary password was returned only to the operator in chat and is intentionally not recorded in this receipt."
}

This comment was marked as resolved.

Purpose: Record the temporary Keycloak SSO user created for Plane edge-login testing.\nScope: Add a live-apply receipt without credential material.\nStatus: plane-test@0mcp.com can authenticate to Keycloak realm 0mcp and has platform-read access.\nNext: Remove or rotate the temporary test user after operator validation.\nSee also: ADR 0193

@prelint prelint Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Caution

The receipt records the test user created in Keycloak realm 0mcp, but keycloak_runtime/defaults/main.yml hardcodes keycloak_realm_name: lv3, ADR 0056 documents realm lv3 as the platform-wide K...

receipts/live-applies/2026-07-02-keycloak-plane-test-sso-user-live-apply.json:11

Warning

ADR 0307 requires all temporary accounts to carry a machine-readable expiry (Expires YYYY-MM-DDTHH:MM:SSZ in notes) and explicitly mandates offboarding at that date.

receipts/live-applies/2026-07-02-keycloak-plane-test-sso-user-live-apply.json:19

2 finding(s) posted as inline comments.

Comment on lines +7 to +11
"service": "keycloak",
"vm": "runtime-control",
"realm": "0mcp",
"user": "plane-test@0mcp.com"
},

This comment was marked as resolved.

Comment on lines +13 to +19
"changes": [
"Authenticated to the live Keycloak admin CLI on runtime-control using the existing bootstrap admin recovery secret.",
"Created or updated the Keycloak user plane-test / plane-test@0mcp.com in realm 0mcp.",
"Set the user as enabled and email-verified with no required actions for temporary testing.",
"Set a non-temporary password matching the Plane local test account password.",
"Mapped the user to the grafana-viewers group and platform-read realm role."
],

This comment was marked as resolved.

Purpose: Record why the Plane test SSO user needed the oauth2-proxy allowed group.\nScope: Add a live-apply receipt without credential material.\nStatus: plane-test@0mcp.com is now in /0mcp-platform-admins for shared edge access.\nNext: Remove or rotate the temporary test user after operator validation.\nSee also: ADR 0193
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant