We read every piece of feedback, and take your input very seriously.
To see all available qualifiers, see our documentation.
There was an error while loading. Please reload this page.
Wiki: Phase D R5 R4 ships — typed Checksum + projection_checksums (server#154, v2.54.0, kind-val GREEN) Server#154 merged + image v2.54.0 built + loaded into kind + rolled deployment + replay endpoint re-probed against the prior fanout_reduce execution. Every fold now produces a typed `Checksum` over the full state + a 6-entry `projection_checksums` map (`execution` / `stage` / `frame` / `command` / `business_object` / `loop`). Per user direction this session: the hash function is the *type* of the checksum (not a sibling field) — `ChecksumType` enum gates future types (BLAKE3, SHA-512, …) without a wire-format break. Kind-validated: - top-level checksum 41265876487f32350fc60c5039358456ded76598b99e7a0833ac4a17ceaae426 - 6 projection_checksums entries all populated with the same typed {type: "sha256", value: "<64-char hex>"} shape Touches the four pages that drift together per wiki-maintenance.md Rule 0a (Home + Sessions-Log + Releases + Umbrella-Rust-Server-Port). Refs noetl/ai-meta#49 Phase D R5
Wiki: Phase D R5 R3 ships — loops + business_objects projections (server#153, v2.53.0, kind-val GREEN) Server#153 merged + image v2.53.0 built + loaded into kind + rolled deployment + replay endpoint re-probed against the prior fanout_reduce execution. All five per-projection maps (stages / frames / commands / loops / business_objects) are now typed BTreeMaps with deterministic key ordering — ready for R4's typed `Checksum` + `projection_checksums` bundle. Loops + business_objects maps stay empty for the fanout_reduce fixture (the v10 control-flow shape doesn't emit `loop.*` or business-object events — expected per the PR body). Fold correctness for those projections is verified through the unit-test layer (`fold_populates_loop_with_counters_and_completion`, `fold_populates_business_object_through_lifecycle`). Touches the four pages that drift together per wiki-maintenance.md Rule 0a (Home + Sessions-Log + Releases + Umbrella-Rust-Server-Port). Refs noetl/ai-meta#49 Phase D R5
Wiki: replace "canonical checksum" with the typed-Checksum shape for R4 Per user direction (writing-style banned-word rule + future- proofing): the Phase D R5 R4 design lands a TYPED checksum shape rather than the flat Python pair (`checksum_algorithm` + `checksum`). Reasons: 1. The hash function in use is the *type* of the checksum, not a separate sibling field. 2. We may add more checksum types in the future (BLAKE3 for speed, SHA-512 for compliance contexts, ...) — the typed shape slots them in without a wire-format break. Proposed Rust types (final names land in the R4 PR): enum ChecksumType { Sha256, /* future: Blake3, Sha512, ... */ } struct Checksum { type: ChecksumType, value: String /* hex */ } // in ReplayState: checksum: Option<Checksum> projection_checksums: BTreeMap<String, Checksum> Underlying hash stays SHA-256 — same algorithm Python uses today (`_canonical_checksum` in `service.py`, `hashlib.sha256`). Parity test in R7 asserts byte-for-byte match on the hex string. Touches the four pages that drift together per wiki-maintenance.md Rule 0a (Home + Sessions-Log + Releases + Umbrella-Rust-Server-Port) — every R4 row updated. Refs noetl/ai-meta#49 Phase D R5 R4 Refs noetl/server#148
Wiki: Phase D R5 R2 ships — stages + frames + commands projections (server#152, v2.52.0, kind-val GREEN) Server#152 merged + image v2.52.0 built + loaded into kind + rolled deployment + replay endpoint re-probed against the prior fanout_reduce execution. Commands map populates with 4 entries carrying worker_id + issued_event_id + last_event_id; stages + frames stay empty (the v10 control-flow shape doesn't emit stage.* / frame.* events — expected per the PR body). Touches the four pages that drift together per wiki-maintenance.md Rule 0a: - Home.md — Last refreshed + #49 row last-update flipped to 2026-06-07 + server-cell version v2.48.0 → v2.52.0 with the R5 R2 + R5 R1 + R4 follow-ups recent-activity sweep. - Sessions-Log.md — new entry prepended at the top. - Releases.md — v2.52.0 row prepended at the top of the timeline table. - Umbrella-Rust-Server-Port.md — Recent-activity row + new "Phase D R5" sub-table tracking R1+R2 ✅ / R3 next / R4-R7 pending. Refs noetl/ai-meta#49 Phase D R5
wiki: server#149 merged — Phase D R5 R1 Replay endpoint scaffold (v2.51.0) Sessions-Log: new dated entry at top documenting the Phase D R5 opening + R1 ship (server@f77dead, v2.51.0). Includes a Phase D R5 status table showing R1 merged + R2-R7 in queue. Home: Last-refreshed cell prefix updated with the new headline + server pointer bump. Releases.md: prepended row for noetl-server v2.51.0 + Last refreshed cell updated. Umbrella-Rust-Server-Port: Recent-activity new row at top for Phase D R5 R1 with the full 7-round decomposition cited. Refs noetl/ai-meta#49 Phase D R5 Refs noetl/server#148 noetl/server#149 Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
wiki: server#147 merged — status query bug fixed + kind-val GREEN (v2.50.1) Sessions-Log: new dated entry at top documenting the read-side status-query fix (server@d26abf8) + kind-val evidence (prior execution flipped RUNNING→COMPLETED on same DB data; fresh fanout_reduce execution reached COMPLETED in ~600ms wall). Home: Last-refreshed cell prefix updated with the new headline + server pointer bump. Releases.md: prepended row for noetl-server v2.50.1 + Last refreshed cell updated. Umbrella-Rust-Server-Port: Recent-activity new row at top for the Phase D R4 read-side fix. Refs noetl/ai-meta#49 Phase D R4 Refs noetl/server#146 noetl/server#147 Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
wiki: Phase D R4 — fanout_reduce kind-val GREEN on Rust-only stack Sessions-Log: new dated entry at top documenting the end-to-end green-state evidence. Built noetl-server-rust:v2.50.0 from server@499b079 via podman + Dockerfile, loaded into kind, rolled the deployment, ran the fanout_reduce_phase6 fixture from e2e@5da36ea. Direct DB query against noetl.event confirms all three barrier assertions pass. Home: Last-refreshed cell prefix updated with the green-state headline + event-log evidence + the surfaced status-query bug (noetl/server#146). Umbrella-Rust-Server-Port: Recent-activity new row at top documenting the green-state run. Phase D status table updated to mark slices 1-3 as GREEN at the orchestrator AND kind-val levels. Refs noetl/ai-meta#49 Phase D R4 Refs noetl/server#146 (read-side status-query bug surfaced during the run) Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
wiki: e2e#32 merged — Phase D R4 fanout_reduce kind-val rig ready Sessions-Log: new dated entry at top documenting e2e#32 (e2e@5da36ea) — durable fixture + script for the canonical fanout_reduce shape. Includes a Phase D R4 status table showing slices 1-3 all shipped at the artefact level; run-on-kind is the remaining housekeeping step (needs a fresh v2.50.0+ server image loaded into kind). Home: Last-refreshed cell prefix updated with the new headline + e2e pointer bump + Phase D R4 status. Umbrella-Rust-Server-Port: Recent-activity new row at top for Phase D R4 slice 3. Phase D status table extended with the slice 3 row + the slice 1/2 kind-val column updated to note the rig is in place. Refs noetl/ai-meta#49 Phase D R4 Refs noetl/e2e#31 noetl/e2e#32 Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
wiki: server#145 merged — Phase D R4 slice 2 closes barrier follow-up (v2.50.0) Sessions-Log: new dated entry at top documenting server#145 (server@499b079, v2.50.0) closing the gap exposed by slice 1's ignored test. Includes a Phase D R4 status table showing slice 1 + 2 shipped at the orchestrator level; remaining work is kind-validation (slice 3) + possibly context-merging (slice 4, deferred until kind-val signals a need). Home: Last-refreshed cell prefix updated with the new headline + server pointer bump. Releases.md: prepended row for noetl-server v2.50.0; Last refreshed cell updated. Umbrella-Rust-Server-Port: Recent-activity new row at top for Phase D R4 slice 2; Phase D status table extended with the slice 2 row. Refs noetl/ai-meta#49 Phase D R4 Refs noetl/server#144 noetl/server#145 Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
wiki: worker#60 merged — Container Tool Callback umbrella #43 Round 4 worker-side adoption ships v5.14.0 Sessions-Log: new dated entry at top documenting the worker PR merge (worker@f96da71 v5.14.0) and the worker-side adoption status (the last code piece of the closed Container Tool Callback umbrella). Home: Last-refreshed cell prefix updated with the new headline + worker pointer bump + healthy-steady-state dashboard fingerprint. Releases.md: prepended row for noetl-worker v5.14.0 + Last refreshed cell updated. Umbrella-Container-Tool-Callback: "Remaining follow-up" section flipped from in-flight to DONE — table marks both cli#56 and worker#60 MERGED; sequence-to-land becomes a done-sequence list; section header reads "✅ DONE" with only the kind-validation step on a fresh worker image remaining as housekeeping. Refs noetl/ai-meta#43 Refs noetl/worker#59 noetl/worker#60 Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
wiki: cli#56 + server#143 merged — executor 0.4.1 + Phase D R4 fan-in barrier Sessions-Log: new dated entry at top documenting the two PR merges (cli@77be8be v4.10.0 + server@be37e5c v2.49.0) + the worker PR status (still draft until the noetl-executor 0.4.1 publish lands). Home: Last-refreshed cell prefix updated with the new headline + links. Releases.md: prepended rows for noetl-server v2.49.0 (Phase D R4 fan-in barrier) and noetl/cli v4.10.0 (noetl-executor 0.4.1 bridge propagation); Last refreshed cell updated. Umbrella-Container-Tool-Callback: Round-4-follow-up status table updated — cli#56 marked MERGED, worker#60 still blocked on the 0.4.1 publish. Umbrella-Rust-Server-Port: new Recent activity row for Phase D R4 slice 1 (fan-in / reduce barrier). Phase D status table gets a new row marking R4 slice 1 as v2.49.0 shipped with kind-val pending. Refs noetl/ai-meta#43 Refs noetl/ai-meta#49 Phase D R4 Refs noetl/cli#56 Refs noetl/server#142 noetl/server#143 Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
wiki: record Container-Tool Callback Round 4 worker-side adoption PRs (#43 follow-up) Sessions-Log: new dated entry at top documenting the two-PR chain opened today — noetl/cli#56 (executor 0.4.1 bridge propagation, 102/0) + noetl/worker#60 (draft, blocked; 126/0 against local patched executor). Home: Last-refreshed cell prefix updated with the new headline + links to both PRs + per-step sequencing for landing. Umbrella-Container-Tool-Callback: "Remaining follow-up" section under Next-concrete-steps now carries a per-repo status table + the merge-sequence-to-land + the expected dashboard fingerprint after Round 4 lands (the `noetl_worker_call_done_skipped_pending_callback_total{tool_kind="container"}` ≈ server `noetl_container_callback_total{state=...}` shape with stale counter at ~0). Refs noetl/ai-meta#43 Refs noetl/cli#55 noetl/cli#56 Refs noetl/worker#59 noetl/worker#60 Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
docs(container-callback): umbrella #43 CLOSED — Round 5 e2e kind-val rig landed Round 5 of the Container Tool Callback umbrella ships (e2e#30, closes e2e#29; e2e@17de21d). All four Rust rounds are in. Umbrella closes. Round 5 deliverables: - fixtures/playbooks/container_callback_happy_path/ (alpine sleep+echo) - fixtures/playbooks/container_callback_oom/ (python:3.12-alpine + 40 MiB bytes() under 32Mi limit) - scripts/kind_validate_container_callback.sh (preflight, run, scrape metrics, sum both counters per state, assert delta ≥ 1) Rule 0a three-page sweep: - Home: Last refreshed + #43 moved from Active umbrellas to Recently closed; preamble count Three → Two. - Sessions-Log: prepend dated entry. - Umbrella-Container-Tool-Callback: mark CLOSED with full per-round landing inventory + drop the now-obsolete Next-concrete-steps Rust-rounds list (worker-side pending_callback adoption is the only follow-up). Worker-side pending_callback adoption is the only remaining work; tracked as a comment on the umbrella issue. Harmless during transition (watcher callback recorded by noetl_container_callback_stale_total).
docs(container-callback): Round 3 shipped — Tool::Container (tools v2.21.0) noetl/ai-meta#43 Round 3 lands: Tool::Container creates a labeled K8s Job and returns immediately, with the new ToolResult.pending_callback marker to signal the worker should suppress its own call.done emit (tools#37, closes tools#36; v2.21.0). Closes the last code round in the chain. Only Round 5 (e2e kind-val rig) remains to close the umbrella. Worker-side adoption of pending_callback (suppressing emit when marker set) is a coordinated follow-up; until then the watcher's callback is treated as stale by the server (recorded by noetl_container_callback_stale_total). Harmless race during the transition. Rule 0a four-page sweep: - Home: Last refreshed + ecosystem-map tools cell v2.20.0 → v2.21.0. - Sessions-Log: prepend dated entry. - Releases: prepend v2.21.0 row. - Umbrella-Container-Tool-Callback: Recent-activity table + mark Round 3 DONE; only Round 5 remains; document the worker-side follow-up.
docs(container-callback): Round 1 shipped — noetl-k8s-watcher Deployment (ops@8892043) noetl/ai-meta#43 Round 1 lands: noetl-k8s-watcher Deployment + RBAC + shell watcher script in ci/manifests/k8s-watcher/ (ops#167, closes ops#166). External K8s Job watcher observes Job state transitions in the noetl namespace and POSTs terminal-state events to noetl-server's Round-2 endpoint when Jobs carrying noetl.execution-id labels transition to a terminal state. Shell MVP per the sub-issue note — kubectl --watch -o json piped through jq + curl. Cluster-scoped read-only RBAC; single-replica Deployment with bitnami/kubectl + jq/curl installed at startup. 3× retry with backoff on 5xx/transport; never on 4xx. Sanity-checked: kubectl kustomize renders 327 lines of valid YAML; sh -n watcher.sh clean; jq classification dry-run resolves Complete → succeeded. Rounds 1 + 2 are both in. The Round-1 ↔ Round-2 chain can be kind-validated end-to-end against the live endpoint by manually kubectl apply-ing a labeled Job before Round 3 lands the tool side. Rule 0a three-page sweep (no Releases.md since noetl/ops is untagged): - Home: Last refreshed + ecosystem-map ops cell. - Sessions-Log: prepend dated entry. - Umbrella-Container-Tool-Callback: Recent-activity table + Next-concrete-steps marked Round 1 DONE; only Rounds 3 + 5 remain.
docs(container-callback): Round 2 shipped — server v2.48.0 noetl/ai-meta#43 Round 2 lands: POST /api/internal/container-callback/ {execution_id}/{step} (server#141, closes server#140). External K8s watcher (Round 1, noetl/ops#166) POSTs Job terminal-state events to this endpoint when a Job carrying the noetl.execution-id label transitions to a terminal state. Handler validates path params, checks staleness via a single indexed SELECT on noetl.event, and emits a call.done event on the orchestrator's pipeline (or bumps stale counter + returns 202 if no events exist for the execution). Six TerminalState variants matching the umbrella's failure-mode taxonomy. Each survives in meta.terminal_state so playbooks branch on the specific failure reason. Two new counters + structured INFO logs. 7 new unit tests; lib 487/0. Round 2 unblocks Round 1 (watcher Deployment) + Round 3 (Tool::Container). Rule 0a four-page sweep: - Home: Last refreshed + ecosystem-map server cell v2.47.0 → v2.48.0. - Sessions-Log: prepend dated entry. - Releases: prepend v2.48.0 row. - Umbrella-Container-Tool-Callback: Recent-activity table + Next-concrete-steps marked Round 2 DONE; Rounds 1/3/5 stay open.
docs(container-tool-callback): settle design (Option B) + sub-issue tree The Container Tool Kind Callback umbrella (noetl/ai-meta#43) moves from 'design conversation; no implementation' to design settled (Option B — external noetl-k8s-watcher deployment) with the sub-issue tree opened across the four Rust repos: - Round 1 noetl/ops#166 — noetl-k8s-watcher deployment + RBAC - Round 2 noetl/server#140 — callback endpoint - Round 3 noetl/tools#36 — Tool::Container with PendingCallback marker - Round 5 noetl/e2e#29 — kind-val rig (happy path + OOMKilled) Round 4 (Python tool update) deferred per the Rust-only standing direction. The wiki page now carries: - The design decision rationale (Option A rejected — brittle to Job crashes; Option C rejected — K8s 1.31+ pin too restrictive). - Catalog entry YAML shape. - Failure-mode taxonomy (6 call.done statuses mapped from K8s terminal conditions). - Recommended round ordering (Round 2 first; smallest blast radius).
docs(tools): record artifact tool kind (v2.20.0) — closes ai-meta#64 Rule 0a three-page sweep for the noetl-tools v2.20.0 release that closes the open ai-task umbrella noetl/ai-meta#64: - Home: Last refreshed bumped; ecosystem-map tools cell v2.19.3 → v2.20.0 with new bullet; #64 moved from Active umbrellas (Todo) to Recently closed; preamble count Five → Four. - Sessions-Log: prepend a dated entry covering the design choice (aliasing vs migrating), the adapter's translation contract, the action handling matrix (get / default-to-get / put / unknown / missing-input), and the 8 unit tests. - Releases: prepend a v2.20.0 row with full context. The umbrella-Secrets-Wallet page isn't touched (not relevant).
docs(secrets-wallet): umbrella #61 closes — three 6d.X cloud providers landed (server v2.45.0-v2.47.0) The Secrets Wallet umbrella noetl/ai-meta#61 is now feature-complete. Three cloud-specific dynamic-secret providers shipped this session: - Phase 6d.1 AWS STS AssumeRoleWithWebIdentity (server#137, v2.45.0): exchanges the EKS-projected ServiceAccount JWT for short-lived AWS temp credentials; no SigV4 (STS anonymous action); response parser handles both XML and JSON. - Phase 6d.3 Azure AAD client-credentials (server#139, v2.46.0): off-cluster (non-IMDS) AAD client_credentials flow; service- principal triple from env; sovereign-cloud overrides. - Phase 6d.2 GCP iamcredentials.generateAccessToken (server#138, v2.47.0): mints short-lived OAuth2 tokens for a target SA via workload-identity impersonation. All three return SecretValue.expires_at populated — Phase 6d's cache_decision clamps cache TTL; Phase 7c.3 background refresh re-resolves inside the refresh window. 39 new unit tests across the three providers. Rule 0a four-page sweep: - Home: Last refreshed bumped + ecosystem-map server cell v2.44.0 → v2.47.0; #61 moved from Active umbrellas to Recently closed; preamble Six → Five. - Sessions-Log: prepend new dated entry covering the three rounds + the full feature inventory. - Releases: prepend v2.45.0 / v2.46.0 / v2.47.0 rows; Last refreshed bumped. - Umbrella-Secrets-Wallet: replace status block with CLOSED state + complete feature inventory; drop the obsolete Remaining work section. The umbrella issue gets closed as part of this change set.
docs(secrets-wallet): record 7c.3 background-refresh wire-up (server v2.44.0) Phase 7c.3 ([server#136](https://github.com/noetl/server/pull/136), closed [server#135](https://github.com/noetl/server/issues/135)) wires the Phase-7c decision primitive + the Phase-7c.2 cache-side companion into the resolver's cache-hit path: - New src/services/keychain_refresh.rs RefreshInflight wraps Arc<tokio::sync::Mutex<HashSet<(i64, String)>>> with try_claim + release for stampede collapse. - CredentialService cache-hit branch spawns a background tokio task that re-resolves via the Phase-3b SecretProvider + updates the cache via KeychainService::set. - Cached value returns to the caller IMMEDIATELY (worker fetches stay on the fast path). - Stampede collapse: N workers crossing the refresh threshold for the same (catalog_id, alias) collapse to one provider call; concurrent callers piggy-back via outcome="stampede_collapsed". - Refactor: extracted resolve_via_provider from try_resolve_keychain so cache-miss inline + background refresh share identical code. - 6 new unit tests; lib 441/0. Phase 7c series is now wire-complete (7c + 7c.2 + 7c.3). Platform- side wallet is otherwise complete; only remaining work is the three cloud-specific dynamic-secret providers (6d.1 AWS STS / 6d.2 GCP iamcredentials / 6d.3 Azure AAD). Rule 0a sweep: Home (Last refreshed + ecosystem-map server cell v2.43.0 → v2.44.0), Sessions-Log (prepend entry for v2.44.0), Releases (prepend row), Umbrella-Secrets-Wallet (latest landings + trim 7c.3 from remaining-work list).
docs(secrets-wallet): record 7a.2/7b.2/7c.2 follow-ups landing v2.42.0+v2.43.0 Rule 0a four-page sweep for the Secrets Wallet umbrella (noetl/ai-meta#61) capturing this session's three follow-up rounds: - Phase 7a.2: KEK rotation endpoint + key-status + DB scans (server#127, v2.42.0) - Phase 7b.2: noetl.secret_audit table + DbAuditSink + GET query endpoint (server#129, v2.43.0) - Phase 7c.2: KeychainService::should_refresh cache-side primitive (server#131, v2.43.0) Three discrete follow-up sub-issues filed for the cloud-specific dynamic-secret providers: 6d.1 AWS STS (server#132), 6d.2 GCP iamcredentials (server#133), 6d.3 Azure AAD (server#134). Phase 7c.3 (resolver-side stampede mutex + background re-resolve) remains queued as the next round on the same branch. Home: Last refreshed → 2026-06-07; ecosystem-map server cell v2.41.0 → v2.43.0 with new bullet; Active umbrellas #61 row 'Last update' → 2026-06-07 with new status summary. Sessions-Log: prepend entry for 2026-06-07. Releases: prepend rows for v2.42.0 (2026-06-06) + v2.43.0 (2026-06-07). Umbrella-Secrets-Wallet: replace Status block with latest landings + remaining-work list pointing at server#132/#133/#134 + 7c.3.
wiki: Secrets Wallet Phase 7c landed — closes Phase 7 (all named rounds 1–7 done) noetl-server v2.41.0 (server#125): token auto-renewal primitives. should_refresh(expires_at, refresh_window, now) decision primitive; KEYCHAIN_CACHE_REFRESH_WINDOW_SECS env; noetl_secret_refresh_total{outcome} counter + noetl_secret_refresh_duration_seconds histogram. Pages touched (Rule 0a four-page sweep): - Home.md: Last-refreshed flipped to v2.41.0 + 'all named phases 1-7 complete' banner; server ecosystem-map refreshed. - Sessions-Log.md: new 2026-06-06 Phase 7c entry prepended with the full Phase 7 architectural shape + the follow-up queue. - Releases.md: new v2.41.0 row + Last-refreshed line. - Umbrella-Secrets-Wallet.md: Phase 7 status flipped to ✅; Status banner updated to 'All named phases (1-7) complete'; remaining queue (7a.2 / 7b.2 / 7c.2 / 6d.1-3) listed. Tracks noetl/ai-meta#61.
wiki: Secrets Wallet Phase 7b primitives landed — noetl-server v2.40.0 (server#123) AuditEvent struct (NEVER contains secret value); AuditSink trait + NoopAuditSink default; SecretAuditService with record_async + record_strict + record (dispatches by strict-mode); NOETL_SECRET_AUDIT_REQUIRED env; noetl_secret_audit_writes_total counter (failed_strict alert-worthy). Pages touched (Rule 0a four-page sweep): - Home.md: Last-refreshed flipped to v2.40.0 + server ecosystem-map refreshed. - Sessions-Log.md: new 2026-06-06 Phase 7b entry prepended; calls out Phase 7c (token auto-renewal) as next. - Releases.md: new v2.40.0 row + Last-refreshed line. - Umbrella-Secrets-Wallet.md: Phase 7b primitives cell flipped to ✅ landed; 7b.2 (DbAuditSink + endpoint + handler wire) queued. Tracks noetl/ai-meta#61.
wiki: Secrets Wallet Phase 7a primitives landed — noetl-server v2.39.0 (server#121) Starts Phase 7. KeyManager::current_key_version() trait accessor + EnvelopeCipher::rewrap_storage_string primitive (Skipped if same version, else Rewrapped with new storage string). Plaintext NEVER reconstructed during rotation — pure DEK re-wrap. noetl_wallet_rotate_total counter. Pages touched (Rule 0a four-page sweep): - Home.md: Last-refreshed flipped to v2.39.0 + server ecosystem-map refreshed. - Sessions-Log.md: new 2026-06-06 Phase 7a entry prepended. - Releases.md: new v2.39.0 row + Last-refreshed line. - Umbrella-Secrets-Wallet.md: Phase 7 row populated with 7a ✅ landed + 7a.2/7b/7c queued. Tracks noetl/ai-meta#61.
wiki: Secrets Wallet Phase 6e landed — noetl-server v2.38.0 (server#119) — Phase 6 closes Cross-region broker; BrokerRegistry + BrokerClient + POST /api/internal/cross-region/resolve peer endpoint; KeychainDef.no_broker_fallback per-credential opt-out; AppError::CrossRegionUnreachable HTTP 502; two new metrics (broker_call_total counter + broker_call_duration_seconds histogram). Phase 6 of the Secrets Wallet umbrella closes — both residency shapes operational (hard isolation + soft federation). Pages touched (Rule 0a four-page sweep): - Home.md: Last-refreshed flipped to v2.38.0 + server ecosystem-map refreshed. - Sessions-Log.md: new 2026-06-06 Phase 6e entry prepended with the full architectural shape diagram. - Releases.md: new v2.38.0 row + Last-refreshed line. - Umbrella-Secrets-Wallet.md: Phase 6e cell flipped to ✅ landed; Status banner updated to 'Phases 1-6 complete'; next: Phase 7. Tracks noetl/ai-meta#61.
wiki: Secrets Wallet Phase 6d primitives landed — noetl-server v2.37.0 (server#117) SecretValue.expires_at field + cache_decision honors issuer TTL with SkipCacheAlreadyExpired guard; KEYCHAIN_CACHE_DYNAMIC_SAFETY_MARGIN_SECS env; two new metrics (noetl_secret_dynamic_ttl_seconds histogram + noetl_secret_cache_skip_total counter). Backward compatible. Pages touched (Rule 0a four-page sweep): - Home.md: Last-refreshed flipped to v2.37.0 + server ecosystem-map refreshed. - Sessions-Log.md: new 2026-06-06 Phase 6d entry prepended. - Releases.md: new v2.37.0 row + Last-refreshed line. - Umbrella-Secrets-Wallet.md: Phase 6d primitives cell flipped to ✅ landed; 6d.1/6d.2/6d.3 cloud-specific providers queued as follow-ups. Tracks noetl/ai-meta#61.
wiki: Secrets Wallet Phase 6c landed — noetl-server v2.36.0 (server#115) Residency-policy gate (none/advisory/strict) in front of the resolver — strict-mode mismatches short-circuit with AppError::ResidencyViolation (HTTP 403) before any provider call. noetl_secret_residency_check_total{policy, decision} counter per observability.md Principle 1. Pages touched (Rule 0a four-page sweep): - Home.md: Last-refreshed flipped to v2.36.0 + server ecosystem-map refreshed. - Sessions-Log.md: new 2026-06-06 Phase 6c entry prepended. - Releases.md: new v2.36.0 row + Last-refreshed line. - Umbrella-Secrets-Wallet.md: Phase 6c cell flipped to ✅ landed. Tracks noetl/ai-meta#61.
wiki: Secrets Wallet Phase 6b landed — noetl-server v2.35.0 (server#113) ProviderRegistry cache of (provider_id, region) → Arc<dyn SecretProvider>; noetl_secret_provider_build_total counter + noetl_secret_resolve_duration_seconds histogram per observability.md Principle 1. Pages touched (Rule 0a four-page sweep): - Home.md: Last-refreshed flipped to v2.35.0 + server ecosystem-map refreshed. - Sessions-Log.md: new 2026-06-06 Phase 6b entry prepended. - Releases.md: new v2.35.0 row + Last-refreshed line. - Umbrella-Secrets-Wallet.md: Phase 6b cell flipped to ✅ landed. Tracks noetl/ai-meta#61.
wiki: Secrets Wallet Phase 6a landed — noetl-server v2.34.0 (server#111) Starts Phase 6 (residency-aware distributed resolution). KeychainDef.region + SecretRef.region routing primitives; AWS provider honors the region with explicit precedence; NOETL_SERVER_REGION env + server_region() / effective_region() fallback helpers; noetl_secret_resolve_total counter per observability.md Principle 1. Pages touched (Rule 0a four-page sweep): - Home.md: Last-refreshed flipped to v2.34.0 headline + server ecosystem-map cell refreshed. - Sessions-Log.md: new 2026-06-06 Phase 6a entry prepended. - Releases.md: new v2.34.0 row at the top + Last-refreshed line. - Umbrella-Secrets-Wallet.md: Phase 6 row updated (status 🚧, 6a ✅ landed, 6b/6c/6d/6e queued). Tracks noetl/ai-meta#61.
wiki: Secrets Wallet Phase 5c landed — noetl-worker v5.13.0 (worker#58) Phase 5 (sealed payload delivery) fully merged across server (5a+5b) + worker (5c). Cross-repo kind-val pass: server seals to the worker's registered pubkey; noetl_credentials_sealed_total{status="ok"} ticks. Pages touched (Rule 0a four-page sweep): - Home.md: Last-refreshed flipped to v5.13.0 headline + #61 row 5c cell flipped landed + worker ecosystem-map cell refreshed. - Sessions-Log.md: 2026-06-06 Phase 5c heading flipped to "landed v5.13.0"; cross-repo kind-val results recorded with the captured envelope shape + counter. - Releases.md: new v5.13.0 row at the top + Last-refreshed line. - Umbrella-Secrets-Wallet.md: Phase 5 status flipped from 🚧 to ✅ fully merged. Tracks noetl/ai-meta#61.