harmony/nats/callout/manual_mint/README.md
Jean-Gabriel Gill-Couture a4b3d18bd6 refactor(fleet): drop deploy-crate dev creds, HARMONY_* env vars, lean docs
Caller must pass `UserPassCredentials` to `FleetNatsScore::user_pass`
— no more `e2e-admin`/`e2e-device` defaults shipped in the library.
The deploy binary reads `HARMONY_FLEET_*` env vars (default namespace
`harmony-fleet-system`) and fails fast when NATS creds aren't set.

Also: `style/dist/` gitignored, `manual_mint/mint.py` moved next to
`nats/callout/` with README + secrets gitignore (the real RSA key
that was sitting untracked has been removed), `architecture_review.md`
moved to `docs/adr/drafts/024-`, three low-value ROADMAP docs deleted.

Updates pre-merge checklist (§1.6, §1.8, §3.1, §5).
2026-05-22 17:54:48 -04:00


# manual_mint
One-shot operator tool — mint a Zitadel JWT-bearer access token by
hand for a NATS callout-account user, given that user's machine-key
PEM.
Lives next to `nats/callout/` because the access token this script
produces is the input the callout signs into a per-connection NATS
user JWT. The shape of the assertion (claims, scopes, audience) has
to match what the callout will accept at validation time — keeping
the two side by side makes that contract visible.
## When to use it
Almost never. Production agents mint their own tokens via the
`harmony-fleet-auth` `CredentialSource::ZitadelMachineKey`. Reach
for this only for:
- Out-of-band debugging when a real agent is failing to authenticate
and you want to confirm the Zitadel side is happy with a hand-
crafted token.
- Smoke-testing a fresh Zitadel install before the agent runtime is
wired up.
## Usage
```bash
cd nats/callout/manual_mint
python3 -m venv venv && source venv/bin/activate
pip install pyjwt requests
# Drop the Zitadel machine-key PEM next to mint.py (filename `ops.pem`).
# DO NOT commit this file — it is a private key. `.gitignore` is set
# up to keep it out of git, but double-check before `git add`.
python mint.py
```
## Secrets
The script reads `ops.pem` from the current directory. That file is
a Zitadel-issued RSA private key — treat it like any other secret.
`.gitignore` in this folder excludes `*.pem` and the `venv/`
directory; the only tracked file is `mint.py` itself.
## Hard-coded IDs
`mint.py` currently embeds `client_id`, `key_id`, `user_id`, and two
`project_id` values from a specific Zitadel staging install. Update
them to match your environment before running. A future cleanup
could read them from env vars; today the script is small enough to
edit in place.
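The contract this README describes (the assertion shape Zitadel expects, the scope string, and the IDs that have to be swapped in) as an added, stand-alone example; this is not `mint.py` itself, and the issuer URL, IDs and the `ops.pem` path are constructed placeholders. It assumes `pyjwt`, `cryptography` and `requests` are installed, as the Usage section does.

```python
import time

# Constructed placeholders; replace with values from your own Zitadel install.
ZITADEL_ISSUER = "https://zitadel.example.invalid"
USER_ID = "000000000000000000"        # service-user id (placeholder)
KEY_ID = "111111111111111111"         # machine-key id (placeholder)
PROJECT_IDS = ["222222222222222222"]  # project ids to request audience for

MAX_TTL = 3600  # Zitadel rejects assertions that claim more than one hour


def assertion_claims(user_id, issuer, now=None, ttl=300):
    """JWT-bearer assertion body in the shape Zitadel validates: the service
    user is both `iss` and `sub`, and `aud` is the Zitadel issuer URL."""
    if not 0 < ttl <= MAX_TTL:
        raise ValueError("ttl must be between 1 and 3600 seconds")
    now = int(time.time()) if now is None else int(now)
    return {"iss": user_id, "sub": user_id, "aud": issuer,
            "iat": now, "exp": now + ttl}


def token_scope(project_ids, base=("openid", "profile")):
    """Scope string: base scopes plus one project-audience scope per project,
    so the resulting access token carries those projects in its `aud`."""
    project_scopes = [f"urn:zitadel:iam:org:project:id:{p}:aud" for p in project_ids]
    return " ".join(list(base) + project_scopes)


def sign_assertion(claims, pem_bytes, key_id):
    """RS256-sign with the machine key; `kid` tells Zitadel which public key
    to verify against. pyjwt is imported here so the rest imports without it."""
    import jwt
    return jwt.encode(claims, pem_bytes, algorithm="RS256", headers={"kid": key_id})


def token_request(assertion, scope):
    """Form fields for POST {issuer}/oauth/v2/token (JWT-bearer grant)."""
    return {"grant_type": "urn:ietf:params:oauth:grant-type:jwt-bearer",
            "scope": scope, "assertion": assertion}


def mint(pem_path="ops.pem"):
    """Read the machine key, build and sign the assertion, exchange it."""
    import requests
    with open(pem_path, "rb") as f:
        pem = f.read()
    assertion = sign_assertion(assertion_claims(USER_ID, ZITADEL_ISSUER), pem, KEY_ID)
    resp = requests.post(f"{ZITADEL_ISSUER}/oauth/v2/token",
                         data=token_request(assertion, token_scope(PROJECT_IDS)),
                         timeout=10)
    resp.raise_for_status()
    return resp.json()["access_token"]


if __name__ == "__main__":
    print(mint())
```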