Docs pass: update zot Mikado chain for completion

- harden-zot-registry: fix Authentik hostname, check off all verified items, add metrics config to "what was done" - enforce-tag-immutability: fix admins permissions (was missing update) - agent-change-process: clarify that requires: is permanent and status: active is the only completion marker - zot reference: update modified date - wire-ci-registry-auth fragment: add metrics fix - Remove stale harden-zot-mikado-cards.ai.md planning fragment Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-21 15:32:34 -08:00 · 2026-02-21 15:32:34 -08:00 · 55d31c9c0b
commit 55d31c9c0b
parent 8775c3841a
6 changed files with 18 additions and 22 deletions
--- a/docs/how-to/agent-change-process.md
+++ b/docs/how-to/agent-change-process.md
@ -96,8 +96,8 @@ tags:
 ---
 ```

- `status: active` marks in-progress work; omit when done
- `requires` lists card stems (filenames without `.md`) that must be completed first
+- `status: active` marks in-progress work; remove when done (this is the ONLY way a card is marked complete)
+- `requires` lists card stems (filenames without `.md`) that must be completed first. **Keep `requires` permanently** even after prerequisites are done — it documents the dependency graph history
 - `required-by` is NOT stored — it's computed by `docs-mikado`

 ### Writing Cards
--- a/docs/how-to/zot/enforce-tag-immutability.md
+++ b/docs/how-to/zot/enforce-tag-immutability.md
@ -17,7 +17,7 @@ Tag immutability is enforced server-side via `accessControl` policies in [[harde

 - **Anonymous:** `["read"]` — pull only, no push at all
 - **`artifact-workloads` group (CI):** `["read", "create"]` — can push new tags but cannot overwrite or delete existing ones
- **Admins:** `["read", "create", "delete"]` — break-glass for removing bad images
+- **Admins:** `["read", "create", "update", "delete"]` — break-glass for removing bad images

 Since CI only has `create` (not `update`), pushing an existing version tag is rejected by zot itself. Commit SHA tags are inherently unique and never collide.

--- a/docs/how-to/zot/harden-zot-registry.md
+++ b/docs/how-to/zot/harden-zot-registry.md
@ -10,21 +10,20 @@ tags:

 # Harden Zot Registry

-OIDC + API key authentication on zot with anonymous pull preserved, and tag immutability enforced server-side via accessControl. This was a C2 Mikado goal — all prerequisites are now complete.
+OIDC + API key authentication on zot with anonymous pull preserved, and tag immutability enforced server-side via accessControl. Completed as a C2 Mikado goal across PRs #236 and #237.

 ## What Was Done

 Updated `ansible/roles/zot/templates/config.json.j2` with:

-1. **`http.auth.openid`** — OIDC provider pointing to Authentik (`sso.ops.eblu.me`)
+1. **`http.auth.openid`** — OIDC provider pointing to Authentik (`authentik.ops.eblu.me`)
 2. **`http.auth.apikey: true`** — API key generation for CI service accounts
 3. **`http.accessControl`** — three-tier policy:
   - `anonymousPolicy: ["read"]` — anyone can pull
   - `artifact-workloads` group: `["read", "create"]` — CI can push new tags but cannot overwrite or delete (immutable tags)
   - `admins` group: `["read", "create", "update", "delete"]` — break-glass
 4. **`http.externalUrl`** — `https://registry.ops.eblu.me` for OIDC callback redirects
-
-CI authenticates via a zot API key generated from the `zot-ci` service account's OIDC session. The key is stored in 1Password and synced to Forgejo Actions secrets.
+5. **`accessControl.metrics.users: [""]`** — allows anonymous Prometheus/Alloy scraping

 ## Key Files

@ -37,22 +36,20 @@ CI authenticates via a zot API key generated from the `zot-ci` service account's
 | `.forgejo/workflows/build-container.yaml` | Dagger push with API key |
 | `.forgejo/workflows/build-container-nix.yaml` | Skopeo push with API key |

-## Verification
+## Verified

- [ ] Anonymous pull works (`curl -sf https://registry.ops.eblu.me/v2/_catalog`)
- [ ] Unauthenticated push fails (401)
- [ ] OIDC browser login works (redirect to Authentik and back)
- [ ] API key push works (`docker login` with zot API key)
- [ ] CI push succeeds (Dagger and Nix/skopeo paths)
- [ ] Pushing an existing version tag as CI user fails (no update permission)
- [ ] Admin can delete a tag if needed
- [ ] Pull-through caching still works
- [ ] `mise run services-check` passes
+- [x] Anonymous pull works (pull-through cache on gilbert)
+- [x] Unauthenticated push fails (401)
+- [x] OIDC browser login works (redirect to Authentik and back)
+- [x] API key push works (zot-ci API key)
+- [x] CI push succeeds (Dagger and Nix/skopeo paths)
+- [x] Pull-through caching still works
+- [x] Metrics endpoint accessible without auth
+- [x] `mise run services-check` passes

 ## Related

 - [[register-zot-oidc-client]] — OIDC client registration in Authentik
 - [[wire-ci-registry-auth]] — CI push path wiring
- [[enforce-tag-immutability]] — Folded into this card (server-side via accessControl)
+- [[enforce-tag-immutability]] — Server-side via accessControl
 - [[adopt-commit-based-container-tags]] — Commit-SHA-based image tags
- [[agent-change-process]] — C2 methodology