hzhang/Dialectic.Backend
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
8 Commits 3 Branches 0 Tags
15bb942d9b8cf52bc81260b79223a5dab0cc2820
Go to file
Clone
Open with VS Code Open with VSCodium Open with Intellij IDEA
Download ZIP Download TAR.GZ Download BUNDLE
hzhang 15bb942d9b feat: POST /api/admin/agent-keys — system-keyed raw key minting 
New admin endpoint for provisioning per-agent dialectic API keys
during recruitment. Auth via separate x-dialectic-admin-key header
matching env DIALECTIC_ADMIN_API_KEY (not bearer — admin lifecycle
is independent of agent identity).

Behavior:
- Body {agent_id, force?}; generates 32-byte hex raw key; stores
  sha256-peppered hash in agent_keys; returns raw key (ONLY time
  exposed — caller stores in agent secret-mgr)
- 409 on existing agent_id unless force:true (rotates the hash,
  clears last_used_at + revoked_at)
- Closed-by-default: if DIALECTIC_ADMIN_API_KEY env is empty, every
  request 401s

Caller pattern: skills/dialectic-hangman-lab/scripts/dialectic-ctrl
(to be added) reads admin key from
/root/.openclaw/system-secrets/dialectic-admin-key on the openclaw
host, POSTs to admin endpoint, stores returned raw key in the proxy-
for agent secret-mgr (inherits the proxy-pcexec context from
recruitment/onboard).

Unblocks Phase 3.5 plan to provision all prod agents and integrate
into recruitment skill.
2026-05-23 14:53:39 +01:00
internal
feat: POST /api/admin/agent-keys — system-keyed raw key minting
2026-05-23 14:53:39 +01:00
.gitignore
feat: greenfield Go rewrite (Phase 2A + 2B + 2C core)
2026-05-23 11:51:55 +01:00
docker-compose.dev.yml
feat: greenfield Go rewrite (Phase 2A + 2B + 2C core)
2026-05-23 11:51:55 +01:00
Dockerfile
feat: greenfield Go rewrite (Phase 2A + 2B + 2C core)
2026-05-23 11:51:55 +01:00
go.mod
feat: greenfield Go rewrite (Phase 2A + 2B + 2C core)
2026-05-23 11:51:55 +01:00
go.sum
feat: greenfield Go rewrite (Phase 2A + 2B + 2C core)
2026-05-23 11:51:55 +01:00
main.go
feat: Phase 2D — orchestrator, arguments/verdict endpoints, fabric announce
2026-05-23 12:02:27 +01:00
README.md
feat: greenfield Go rewrite (Phase 2A + 2B + 2C core)
2026-05-23 11:51:55 +01:00

README.md

Dialectic.Backend — v2 (Go)

Greenfield Go rewrite of the Python v1 backend. Agent-native debate platform per /home/hzhang/arch/DIALECTIC-V2-DESIGN.md.

Python v1 history is preserved on branch archive/python-v1.

What's here (Phase 2A + 2B + 2C, 2026-05-23)

Subsystem Status
HTTP server (chi router)
Config from env (internal/config)
MySQL via sqlx + embedded SQL migrations
Schema: topics, signups, camps, rounds, arguments, verdicts, agent_keys, system_keys, verdict_schemas
Auth middlewares: agent bearer (real), OIDC browser (Phase 2 stub w/ dev bypass)
/api/healthz
/api/topics list / get / create / set-visibility
/api/topics/{id}/signups list / create (agent self-enroll)
Orchestration engine (camp allocation, round driver, judge invocation) Phase 2D
SSE live transcripts Phase 2D
Full OIDC + Keycloak JWKS verification Phase 4
Nginx + CF Origin Cert on server.t3 Phase 2E

Layout

main.go                              entrypoint (load → wire → serve)
go.mod
Dockerfile
docker-compose.dev.yml               backend + mysql for local iteration
internal/
  config/                            12-factor env loader
  db/
    db.go                            sqlx + embedded migration runner
    migrations/001_init.sql          v2 schema, idempotent
  models/                            entity types (sqlx + json tags)
  store/                             query layer (per-entity)
  auth/                              agent api-key + oidc middlewares
  httpapi/
    routes.go                        chi router + auth chains
    handlers/                        per-endpoint handlers

Run locally

docker compose -f docker-compose.dev.yml up --build
# backend on http://localhost:8090
curl http://localhost:8090/api/healthz

Env vars (see internal/config/config.go for the full list):

Var Default (dev) Required in prod
ENV_MODE dev must be prod
HTTP_ADDR 0.0.0.0:8090
CORS_ALLOW_ORIGINS * concrete list (no *)
DB_HOST/PORT/NAME/USER/PASSWORD dev defaults ✓ password required
AGENT_API_KEY_PEPPER
OIDC_ISSUER / OIDC_CLIENT_ID
OIDC_DEV_BYPASS_TOKEN unset ignored in prod
SYSTEM_API_KEY unset populate when announce-channel push lands

Dev bypass for browser routes

In ENV_MODE=dev with OIDC_DEV_BYPASS_TOKEN=<token> set:

curl -H "x-dev-bypass: <token>" http://localhost:8090/api/topics
# attached as user 'dev-operator' with role 'dialectic-admin'

In prod, this header is ignored regardless of value.

Agent bearer for plugin routes

The OpenClaw plugin (Dialectic.OpenclawPlugin, Phase 3) calls with:

Authorization: Bearer <raw-agent-api-key>

The key is hashed with AGENT_API_KEY_PEPPER and matched against agent_keys.key_hash. To provision an agent's key (Phase 3 will add a proper hf user create-dialectic-key CLI; for now, manual SQL):

INSERT INTO agent_keys (agent_id, key_hash)
VALUES ('manager', SHA2(CONCAT('<pepper>:', '<raw>'), 256));

What's next

  • Phase 2D: camp allocation algorithm + round driver + judge invocation. Wired to Fabric announce channel (via system-api-key) + the Dialectic.OpenclawPlugin's tool for agent argument submission.
  • Phase 2E: nginx config + CF Origin Cert + deploy to server.t3.
  • Phase 3: Dialectic.OpenclawPlugin — agent-facing tools.
  • Phase 4: frontend rewrite (STYLE.md + real Keycloak OIDC + visibility toggle UI).
  • Phase 5: end-to-end integration with analyze-intel workflow.
Reference in New Issue View Git Blame Copy Permalink
Description
No description provided
Readme 252 KiB
Languages
Go 99.2%
Dockerfile 0.8%