Caller must pass `UserPassCredentials` to `FleetNatsScore::user_pass` — no more `e2e-admin`/`e2e-device` defaults shipped in the library. The deploy binary reads `HARMONY_FLEET_*` env vars (default namespace `harmony-fleet-system`) and fails fast when NATS creds aren't set. Also: `style/dist/` gitignored, `manual_mint/mint.py` moved next to `nats/callout/` with README + secrets gitignore (the real RSA key that was sitting untracked has been removed), `architecture_review.md` moved to `docs/adr/drafts/024-`, three low-value ROADMAP docs deleted. Updates pre-merge checklist (§1.6, §1.8, §3.1, §5).
manual_mint
One-shot operator tool — mint a Zitadel JWT-bearer access token by hand for a NATS callout-account user, given that user's machine-key PEM.
Lives next to nats/callout/ because the access token this script
produces is the input the callout signs into a per-connection NATS
user JWT. The shape of the assertion (claims, scopes, audience) has
to match what the callout will accept at validation time — keeping
the two side by side makes that contract visible.
When to use it
Almost never. Production agents mint their own tokens via the
harmony-fleet-auth CredentialSource::ZitadelMachineKey. Reach
for this only for:
- Out-of-band debugging when a real agent is failing to authenticate and you want to confirm the Zitadel side is happy with a hand-crafted token.
- Smoke-testing a fresh Zitadel install before the agent runtime is wired up.
Usage
```sh
cd nats/callout/manual_mint
python3 -m venv venv && source venv/bin/activate
pip install pyjwt requests
# Drop the Zitadel machine-key PEM next to mint.py (filename `ops.pem`).
# DO NOT commit this file — it is a private key. `.gitignore` is set
# up to keep it out of git, but double-check before `git add`.
python mint.py
```
Secrets
The script reads ops.pem from the current directory. That file is
a Zitadel-issued RSA private key — treat it like any other secret.
.gitignore in this folder excludes *.pem and the venv/
directory; the only tracked file is mint.py itself.
Hard-coded IDs
mint.py currently embeds client_id, key_id, user_id, and two
project_id values from a specific Zitadel staging install. Update
them to match your environment before running. A future cleanup
could read them from env vars; today the script is small enough to
edit in place.
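The assertion contract described at the top of this README (iss/sub = machine user, aud = Zitadel issuer, short lifetime) and the placeholder-ids point from this section, shown as an added example that is not the repo's mint.py. The issuer URL, user/key/project ids and the `check_assertion_claims` pre-flight are assumptions of this example; the token endpoint path, grant type and project-audience scope are Zitadel's documented JWT-profile flow.

```python
"""Added example, not the repo's mint.py: build, pre-check, sign and exchange a
Zitadel JWT-profile assertion. All identifiers below are placeholders."""
import time

ZITADEL_ISSUER = "https://zitadel.example.invalid"  # placeholder issuer URL
USER_ID, KEY_ID, PROJECT_ID = "<machine-user-id>", "<machine-key-id>", "<project-id>"
MAX_LIFETIME = 3600  # Zitadel rejects assertions valid for more than an hour

def build_assertion_claims(user_id, issuer, now=None, lifetime=300):
    """iss and sub are both the machine user, aud is the Zitadel issuer and the
    lifetime is short: this is the assertion shape the callout side relies on."""
    now = int(time.time()) if now is None else now
    return {"iss": user_id, "sub": user_id, "aud": issuer, "iat": now, "exp": now + lifetime}

def check_assertion_claims(claims, user_id, issuer, now=None):
    """Pre-flight check of what the token endpoint enforces; returns a list of
    problems (empty means the claims are acceptable)."""
    now = int(time.time()) if now is None else now
    problems = []
    if claims.get("iss") != user_id or claims.get("sub") != user_id:
        problems.append("iss/sub must both be the machine user id")
    if claims.get("aud") != issuer:
        problems.append("aud must be the Zitadel issuer URL")
    if claims["exp"] <= now:
        problems.append("assertion already expired")
    if claims["exp"] - claims["iat"] > MAX_LIFETIME:
        problems.append("lifetime exceeds one hour")
    return problems

def sign_assertion(claims, key_id, pem_bytes):
    import jwt  # pyjwt; imported lazily so the claim checks run without it
    return jwt.encode(claims, pem_bytes, algorithm="RS256", headers={"kid": key_id})

def exchange_for_access_token(assertion, issuer, project_id):
    import requests  # lazy for the same reason
    resp = requests.post(issuer + "/oauth/v2/token", timeout=10, data={
        "grant_type": "urn:ietf:params:oauth:grant-type:jwt-bearer",
        "scope": f"openid urn:zitadel:iam:org:project:id:{project_id}:aud",
        "assertion": assertion})
    resp.raise_for_status()
    return resp.json()["access_token"]

if __name__ == "__main__":
    with open("ops.pem", "rb") as f:  # the untracked machine-key PEM
        pem = f.read()
    claims = build_assertion_claims(USER_ID, ZITADEL_ISSUER)
    problems = check_assertion_claims(claims, USER_ID, ZITADEL_ISSUER)
    if problems:
        raise SystemExit("refusing to mint: " + "; ".join(problems))
    print(exchange_for_access_token(sign_assertion(claims, KEY_ID, pem), ZITADEL_ISSUER, PROJECT_ID))
```

pyjwt's RS256 support needs the `cryptography` package installed alongside it (`pip install "pyjwt[crypto]"`).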