From 6cf0d55759990eee910fc5e3cfc9c81fa9dcf46c Mon Sep 17 00:00:00 2001 From: Aaron Markham Date: Sat, 30 May 2026 23:07:29 -0700 Subject: [PATCH] signing: arm fail-closed on us-ny1 (zeitghost_require_signing: 1) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Closes #6. Flips shard signing from opt-in to required on the us-ny1 builder now that the key is provisioned and verified signing in prod (signer 7c1d34f0…a49b; 14 signed shards observed, none of the pre-key corpus). With this, `env.j2` renders ZEITGHOST_REQUIRE_SIGNING=1 and `ingest` / `reanalyze` exit non-zero if no valid key resolves — so an accidentally-cleared or mangled secret fails the run loudly instead of silently reverting to unsigned shards. Reversible: set back to 0 and redeploy to restore opt-in. Co-Authored-By: Claude Opus 4.8 (1M context) --- infra/ansible/inventories/us-ny1/hosts.yml | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/infra/ansible/inventories/us-ny1/hosts.yml b/infra/ansible/inventories/us-ny1/hosts.yml index 1ced38c..c4e52f1 100644 --- a/infra/ansible/inventories/us-ny1/hosts.yml +++ b/infra/ansible/inventories/us-ny1/hosts.yml @@ -13,6 +13,11 @@ all: zeitghost_domain: news.spiritwriter.ai # Bind-mount shard store to host for backup / rsync access zeitghost_host_shards: /home/frionode/.zeitghost/shards + # Fail-closed signing: ingest exits non-zero if no valid signing key + # is configured, rather than silently writing unsigned shards. Safe + # to arm now that ZEITGHOST_SIGNING_KEY is provisioned and verified + # signing in prod (signer 7c1d34f0…). See issue #6. + zeitghost_require_signing: 1 vars: ansible_user: frionode