feat: harden Bezalel tailscale bootstrap packet (#535)

configs/burn_velocity_repos.json

@@ -1,18 +0,0 @@
-{
-  "owner": "Timmy_Foundation",
-  "repos": [
-    "timmy-home",
-    "timmy-config",
-    "fleet-ops",
-    "the-beacon",
-    "the-door",
-    "the-nexus"
-  ],
-  "lookback_days": 14,
-  "alert": {
-    "recent_days": 7,
-    "baseline_days": 7,
-    "minimum_baseline_closed": 4,
-    "drop_ratio": 0.6
-  }
-}

docs/BEZALEL_TAILSCALE_BOOTSTRAP.md

@@ -0,0 +1,96 @@
+# Bezalel Tailscale Bootstrap
+
+Refs #535
+
+This is the repo-side operator packet for installing Tailscale on the Bezalel VPS and verifying the internal network path for federation work.
+
+Important truth:
+- issue #535 names `104.131.15.18`
+- older Bezalel control-plane docs also mention `159.203.146.185`
+- the current source of truth in this repo is `ansible/inventory/hosts.ini`, which currently resolves `bezalel` to `67.205.155.108`
+
+Because of that drift, `scripts/bezalel_tailscale_bootstrap.py` now resolves the target host from `ansible/inventory/hosts.ini` by default instead of trusting a stale hardcoded IP.
+
+## What the script does
+
+`python3 scripts/bezalel_tailscale_bootstrap.py`
+
+Safe by default:
+- builds the remote bootstrap script
+- writes it locally to `/tmp/bezalel_tailscale_bootstrap.sh`
+- prints the SSH command needed to run it
+- does **not** touch the VPS unless `--apply` is passed
+
+When applied, the remote script does all of the issue’s repo-side bootstrap steps:
+- installs Tailscale
+- runs `tailscale up --ssh --hostname bezalel`
+- appends the provided Mac SSH public key to `~/.ssh/authorized_keys`
+- prints `tailscale status --json`
+- pings the expected peer targets:
+  - Mac: `100.124.176.28`
+  - Ezra: `100.126.61.75`
+
+## Required secrets / inputs
+
+- Tailscale auth key
+- Mac SSH public key
+
+Provide them either directly or through files:
+- `--auth-key` or `--auth-key-file`
+- `--ssh-public-key` or `--ssh-public-key-file`
+
+## Dry-run example
+
+```bash
+python3 scripts/bezalel_tailscale_bootstrap.py \
+  --auth-key-file ~/.config/tailscale/auth_key \
+  --ssh-public-key-file ~/.ssh/id_ed25519.pub \
+  --json
+```
+
+This prints:
+- resolved host
+- host source (`inventory:<path>` when pulled from `ansible/inventory/hosts.ini`)
+- local script path
+- SSH command to execute
+- peer targets
+
+## Apply example
+
+```bash
+python3 scripts/bezalel_tailscale_bootstrap.py \
+  --auth-key-file ~/.config/tailscale/auth_key \
+  --ssh-public-key-file ~/.ssh/id_ed25519.pub \
+  --apply \
+  --json
+```
+
+## Verifying success after apply
+
+The script now parses the remote stdout into structured verification data:
+- `verification.tailscale.self.tailscale_ips`
+- `verification.tailscale.self.dns_name`
+- `verification.peers`
+- `verification.ping_ok`
+
+A successful run should show:
+- at least one Bezalel Tailscale IP under `tailscale_ips`
+- `ping_ok.mac = 100.124.176.28`
+- `ping_ok.ezra = 100.126.61.75`
+
+## Expected remote install commands
+
+```bash
+curl -fsSL https://tailscale.com/install.sh | sh
+tailscale up --ssh --hostname bezalel
+install -d -m 700 ~/.ssh
+touch ~/.ssh/authorized_keys && chmod 600 ~/.ssh/authorized_keys
+tailscale status --json
+```
+
+## Why this PR does not claim live completion
+
+This repo can safely ship the bootstrap script, host resolution logic, structured proof parsing, and operator packet.
+It cannot honestly claim that Bezalel was actually joined to the tailnet unless a human/operator runs the script with a real auth key and real SSH access to the VPS.
+
+That means the correct PR language for #535 is advancement, not pretend closure.

docs/BURN_VELOCITY_TRACKING.md

@@ -1,70 +0,0 @@
-# Burn-down Velocity Tracking
-
-Refs #519.
-
-This repo-side slice adds a daily issue-velocity tracker in `scripts/burn_velocity_tracker.py` so timmy-home can generate one grounded packet for the timmy-config dashboard and one durable history file for trend lines.
-
-## What it emits
-
-Daily run outputs:
-- `~/.timmy/burn-velocity/latest.json` — machine-readable payload for the timmy-config dashboard
-- `~/.timmy/burn-velocity/latest.md` — operator-facing markdown summary
-- `~/.timmy/burn-velocity/history.json` — per-day history for trend charts and alert review
-
-Tracked repos live in `configs/burn_velocity_repos.json`.
-
-## Cron command
-
-```bash
-cd ~/timmy-home && \
-python3 scripts/burn_velocity_tracker.py \
-  --config configs/burn_velocity_repos.json \
-  --output-json ~/.timmy/burn-velocity/latest.json \
-  --output-md ~/.timmy/burn-velocity/latest.md \
-  --history-file ~/.timmy/burn-velocity/history.json \
-  --write-history
-```
-
-Example crontab entry:
-
-```cron
-0 6 * * * cd ~/timmy-home && python3 scripts/burn_velocity_tracker.py --config configs/burn_velocity_repos.json --output-json ~/.timmy/burn-velocity/latest.json --output-md ~/.timmy/burn-velocity/latest.md --history-file ~/.timmy/burn-velocity/history.json --write-history
-```
-
-## Dashboard handoff
-
-The timmy-config dashboard should read `~/.timmy/burn-velocity/latest.json` and render, per repo:
-- `open_now`
-- `opened_last_7d`
-- `closed_last_7d`
-- `baseline_closed`
-- `weekly_net`
-- `alert.status`
-- `alert.kind`
-- `alert.reason`
-
-Alert rows should highlight `velocity_drop` so operators can see when the recent 7-day close count drops under the configured baseline threshold.
-
-## Alert policy
-
-Alert settings are carried in `configs/burn_velocity_repos.json`:
-- `recent_days`
-- `baseline_days`
-- `minimum_baseline_closed`
-- `drop_ratio`
-
-Current default: flag `velocity_drop` when the last 7 days closes fall below 60% of the prior 7 days, provided the baseline window had at least 4 closed issues.
-
-## Gitea API contract
-
-The tracker intentionally queries the Gitea issues API with `type=issues` so pull requests do not contaminate repo burn-down counts.
-
-Live collection shape:
-- open backlog uses `/repos/{owner}/{repo}/issues?state=open&type=issues`
-- recent event scan uses `/repos/{owner}/{repo}/issues?state=all&type=issues&since=...`
-
-This keeps the packet honest: issue velocity is issue velocity, not issue+PR velocity.
-
-## Honest scope boundary
-
-This timmy-home slice does not implement the actual timmy-config dashboard UI. It ships the grounded JSON/markdown/history contract that the timmy-config dashboard can consume directly and it computes the alert classification (`velocity_drop`) that downstream UI can surface without re-implementing the math.

docs/RUNBOOK_INDEX.md

@@ -14,6 +14,7 @@ Quick-reference index for common operational tasks across the Timmy Foundation i
 | Agent scorecard | fleet-ops | `python3 scripts/agent_scorecard.py` |
 | View fleet manifest | fleet-ops | `cat manifest.yaml` |
 | Run nightly codebase genome pass | timmy-home | `python3 scripts/codebase_genome_nightly.py --dry-run` |
+| Prepare Bezalel Tailscale bootstrap | timmy-home | `python3 scripts/bezalel_tailscale_bootstrap.py --auth-key-file <path> --ssh-public-key-file <path> --json` |
 
 ## the-nexus (Frontend + Brain)
 

scripts/bezalel_tailscale_bootstrap.py

@@ -16,11 +16,14 @@ import argparse
 import json
 import shlex
 import subprocess
+import re
+from json import JSONDecoder
 from pathlib import Path
 from typing import Any
 
-DEFAULT_HOST = "159.203.146.185"
+DEFAULT_HOST = "67.205.155.108"
 DEFAULT_HOSTNAME = "bezalel"
+DEFAULT_INVENTORY_PATH = Path(__file__).resolve().parents[1] / "ansible" / "inventory" / "hosts.ini"
 DEFAULT_PEERS = {
     "mac": "100.124.176.28",
     "ezra": "100.126.61.75",
@@ -66,6 +69,37 @@ def parse_tailscale_status(payload: dict[str, Any]) -> dict[str, Any]:
     }
 
 
+def resolve_host(host: str | None, inventory_path: Path = DEFAULT_INVENTORY_PATH, hostname: str = DEFAULT_HOSTNAME) -> tuple[str, str]:
+    if host:
+        return host, "explicit"
+    if inventory_path.exists():
+        pattern = re.compile(rf"^{re.escape(hostname)}\s+.*ansible_host=([^\s]+)")
+        for line in inventory_path.read_text().splitlines():
+            match = pattern.search(line.strip())
+            if match:
+                return match.group(1), f"inventory:{inventory_path}"
+    return DEFAULT_HOST, "default"
+
+
+def parse_apply_output(stdout: str) -> dict[str, Any]:
+    result: dict[str, Any] = {"tailscale": None, "ping_ok": {}}
+    text = stdout or ""
+    start = text.find("{")
+    if start != -1:
+        try:
+            payload, _ = JSONDecoder().raw_decode(text[start:])
+            if isinstance(payload, dict):
+                result["tailscale"] = parse_tailscale_status(payload)
+        except Exception:
+            pass
+
+    for line in text.splitlines():
+        if line.startswith("PING_OK:"):
+            _, name, ip = line.split(":", 2)
+            result["ping_ok"][name] = ip
+    return result
+
+
 def build_ssh_command(host: str, remote_script_path: str = "/tmp/bezalel_tailscale_bootstrap.sh") -> list[str]:
     return ["ssh", host, f"bash {shlex.quote(remote_script_path)}"]
 
@@ -89,8 +123,9 @@ def parse_peer_args(items: list[str]) -> dict[str, str]:
 
 def parse_args() -> argparse.Namespace:
     parser = argparse.ArgumentParser(description="Prepare or execute Tailscale bootstrap for the Bezalel VPS.")
-    parser.add_argument("--host", default=DEFAULT_HOST)
+    parser.add_argument("--host")
     parser.add_argument("--hostname", default=DEFAULT_HOSTNAME)
+    parser.add_argument("--inventory-path", type=Path, default=DEFAULT_INVENTORY_PATH)
     parser.add_argument("--auth-key", help="Tailscale auth key")
     parser.add_argument("--auth-key-file", type=Path, help="Path to file containing the Tailscale auth key")
     parser.add_argument("--ssh-public-key", help="SSH public key to append to authorized_keys")
@@ -116,6 +151,7 @@ def main() -> None:
     auth_key = _read_secret(args.auth_key, args.auth_key_file)
     ssh_public_key = _read_secret(args.ssh_public_key, args.ssh_public_key_file)
     peers = parse_peer_args(args.peer)
+    resolved_host, host_source = resolve_host(args.host, args.inventory_path, args.hostname)
 
     if not auth_key:
         raise SystemExit("Missing Tailscale auth key. Use --auth-key or --auth-key-file.")
@@ -126,28 +162,31 @@ def main() -> None:
     write_script(args.script_out, script)
 
     payload: dict[str, Any] = {
-        "host": args.host,
+        "host": resolved_host,
+        "host_source": host_source,
         "hostname": args.hostname,
+        "inventory_path": str(args.inventory_path),
         "script_out": str(args.script_out),
         "remote_script_path": args.remote_script_path,
-        "ssh_command": build_ssh_command(args.host, args.remote_script_path),
+        "ssh_command": build_ssh_command(resolved_host, args.remote_script_path),
         "peer_targets": peers,
         "applied": False,
     }
 
     if args.apply:
-        result = run_remote(args.host, args.remote_script_path)
+        result = run_remote(resolved_host, args.remote_script_path)
         payload["applied"] = True
         payload["exit_code"] = result.returncode
         payload["stdout"] = result.stdout
         payload["stderr"] = result.stderr
+        payload["verification"] = parse_apply_output(result.stdout)
 
     if args.json:
         print(json.dumps(payload, indent=2))
         return
 
     print("--- Bezalel Tailscale Bootstrap ---")
-    print(f"Host: {args.host}")
+    print(f"Host: {resolved_host} ({host_source})")
     print(f"Local script: {args.script_out}")
     print("SSH command: " + " ".join(payload["ssh_command"]))
     if args.apply:

scripts/burn_velocity_tracker.py

@@ -1,406 +0,0 @@
-#!/usr/bin/env python3
-"""Burn-down velocity tracker for Timmy Foundation issue throughput.
-
-Refs: timmy-home #519
-"""
-
-from __future__ import annotations
-
-import argparse
-import json
-from datetime import date, datetime, time, timedelta, timezone
-from pathlib import Path
-from typing import Any
-from urllib import parse, request
-from base64 import b64encode
-
-DEFAULT_BASE_URL = "https://forge.alexanderwhitestone.com/api/v1"
-DEFAULT_OWNER = "Timmy_Foundation"
-DEFAULT_TOKEN_FILE = Path.home() / ".config" / "gitea" / "token"
-DEFAULT_CONFIG_FILE = Path(__file__).resolve().parent.parent / "configs" / "burn_velocity_repos.json"
-DEFAULT_OUTPUT_DIR = Path.home() / ".timmy" / "burn-velocity"
-DEFAULT_OUTPUT_JSON = DEFAULT_OUTPUT_DIR / "latest.json"
-DEFAULT_OUTPUT_MD = DEFAULT_OUTPUT_DIR / "latest.md"
-DEFAULT_HISTORY_FILE = DEFAULT_OUTPUT_DIR / "history.json"
-DEFAULT_CONFIG = {
-    "owner": DEFAULT_OWNER,
-    "repos": ["timmy-home", "timmy-config", "fleet-ops", "the-beacon", "the-door", "the-nexus"],
-    "lookback_days": 14,
-    "alert": {
-        "recent_days": 7,
-        "baseline_days": 7,
-        "minimum_baseline_closed": 4,
-        "drop_ratio": 0.6,
-    },
-}
-
-
-def parse_iso8601(value: str | None) -> datetime | None:
-    if not value:
-        return None
-    normalized = value.replace("Z", "+00:00")
-    parsed = datetime.fromisoformat(normalized)
-    if parsed.tzinfo is None:
-        return parsed.replace(tzinfo=timezone.utc)
-    return parsed.astimezone(timezone.utc)
-
-
-def normalize_today(value: str | date | None = None) -> date:
-    if value is None:
-        return datetime.now(timezone.utc).date()
-    if isinstance(value, date):
-        return value
-    return date.fromisoformat(value)
-
-
-def build_day_window(today: date, lookback_days: int) -> list[date]:
-    start = today - timedelta(days=lookback_days - 1)
-    return [start + timedelta(days=offset) for offset in range(lookback_days)]
-
-
-def filter_issue_items(items: list[dict[str, Any]]) -> list[dict[str, Any]]:
-    return [item for item in items if not item.get("pull_request")]
-
-
-def build_daily_series(items: list[dict[str, Any]], today: date, lookback_days: int) -> list[dict[str, int | str]]:
-    days = build_day_window(today, lookback_days)
-    counts = {day.isoformat(): {"opened": 0, "closed": 0} for day in days}
-    start_day = days[0]
-
-    for item in filter_issue_items(items):
-        created_at = parse_iso8601(item.get("created_at"))
-        if created_at is not None:
-            created_day = created_at.date()
-            if start_day <= created_day <= today:
-                counts[created_day.isoformat()]["opened"] += 1
-
-        closed_at = parse_iso8601(item.get("closed_at"))
-        if closed_at is not None:
-            closed_day = closed_at.date()
-            if start_day <= closed_day <= today:
-                counts[closed_day.isoformat()]["closed"] += 1
-
-    return [
-        {
-            "date": day.isoformat(),
-            "opened": counts[day.isoformat()]["opened"],
-            "closed": counts[day.isoformat()]["closed"],
-        }
-        for day in days
-    ]
-
-
-def summarize_velocity_alert(
-    *, recent_closed: int, baseline_closed: int, open_now: int, config: dict[str, Any]
-) -> dict[str, Any]:
-    minimum_baseline = int(config.get("minimum_baseline_closed", 4))
-    drop_ratio = float(config.get("drop_ratio", 0.6))
-
-    if baseline_closed >= minimum_baseline and recent_closed < baseline_closed * drop_ratio:
-        return {
-            "status": "drop",
-            "kind": "velocity_drop",
-            "recent_closed": recent_closed,
-            "baseline_closed": baseline_closed,
-            "reason": (
-                f"velocity_drop: closed {recent_closed} in the last {config.get('recent_days', 7)}d "
-                f"vs {baseline_closed} in the prior {config.get('baseline_days', 7)}d"
-            ),
-        }
-
-    if open_now > 0 and baseline_closed >= minimum_baseline and recent_closed == 0:
-        return {
-            "status": "drop",
-            "kind": "velocity_drop",
-            "recent_closed": recent_closed,
-            "baseline_closed": baseline_closed,
-            "reason": "velocity_drop: no issues closed in the recent window while backlog is still open",
-        }
-
-    return {
-        "status": "ok",
-        "kind": "none",
-        "recent_closed": recent_closed,
-        "baseline_closed": baseline_closed,
-        "reason": "velocity stable",
-    }
-
-
-def _sum_window(daily: list[dict[str, int | str]], field: str, days: int) -> int:
-    if days <= 0:
-        return 0
-    return sum(int(item[field]) for item in daily[-days:])
-
-
-def _sum_baseline_window(daily: list[dict[str, int | str]], recent_days: int, baseline_days: int) -> int:
-    if baseline_days <= 0:
-        return 0
-    if recent_days <= 0:
-        return sum(int(item["closed"]) for item in daily[-baseline_days:])
-    baseline_slice = daily[-(recent_days + baseline_days) : -recent_days]
-    return sum(int(item["closed"]) for item in baseline_slice)
-
-
-def build_velocity_report(config: dict[str, Any], snapshot: dict[str, Any], today: str | date | None = None) -> dict[str, Any]:
-    report_day = normalize_today(today)
-    generated_at = snapshot.get("generated_at") or datetime.now(timezone.utc).isoformat().replace("+00:00", "Z")
-    owner = config.get("owner", DEFAULT_OWNER)
-    repos = list(config.get("repos") or sorted((snapshot.get("repos") or {}).keys()))
-    lookback_days = int(config.get("lookback_days", 14))
-    alert_config = dict(DEFAULT_CONFIG["alert"])
-    alert_config.update(config.get("alert") or {})
-    recent_days = int(alert_config.get("recent_days", 7))
-    baseline_days = int(alert_config.get("baseline_days", 7))
-
-    repo_reports: list[dict[str, Any]] = []
-    total_open_now = 0
-    total_closed_last_7d = 0
-    repos_with_alerts: list[str] = []
-
-    for repo_name in repos:
-        repo_snapshot = (snapshot.get("repos") or {}).get(repo_name, {})
-        open_issues = filter_issue_items(list(repo_snapshot.get("open_issues") or []))
-        recent_issues = filter_issue_items(list(repo_snapshot.get("recent_issues") or []))
-        daily = build_daily_series(recent_issues, report_day, lookback_days)
-
-        open_now = len(open_issues)
-        opened_last_7d = _sum_window(daily, "opened", recent_days)
-        closed_last_7d = _sum_window(daily, "closed", recent_days)
-        baseline_closed = _sum_baseline_window(daily, recent_days, baseline_days)
-        weekly_net = opened_last_7d - closed_last_7d
-        alert = summarize_velocity_alert(
-            recent_closed=closed_last_7d,
-            baseline_closed=baseline_closed,
-            open_now=open_now,
-            config=alert_config,
-        )
-
-        repo_report = {
-            "repo": repo_name,
-            "open_now": open_now,
-            "opened_last_7d": opened_last_7d,
-            "closed_last_7d": closed_last_7d,
-            "baseline_closed": baseline_closed,
-            "weekly_net": weekly_net,
-            "daily": daily,
-            "alert": alert,
-        }
-        repo_reports.append(repo_report)
-
-        total_open_now += open_now
-        total_closed_last_7d += closed_last_7d
-        if alert["status"] != "ok":
-            repos_with_alerts.append(repo_name)
-
-    return {
-        "owner": owner,
-        "generated_at": generated_at,
-        "generated_day": report_day.isoformat(),
-        "lookback_days": lookback_days,
-        "dashboard_contract_version": 1,
-        "repos": repo_reports,
-        "summary": {
-            "total_open_now": total_open_now,
-            "total_closed_last_7d": total_closed_last_7d,
-            "repos_with_alerts": repos_with_alerts,
-        },
-    }
-
-
-def render_markdown(report: dict[str, Any]) -> str:
-    lines = [
-        "# Burn-down Velocity Tracking",
-        "",
-        f"Generated: {report['generated_at']}",
-        f"Owner: {report['owner']}",
-        f"Lookback days: {report['lookback_days']}",
-        "",
-        "## Per-repo velocity",
-        "",
-        "| Repo | Open now | Opened 7d | Closed 7d | Previous 7d | Alert |",
-        "| --- | ---: | ---: | ---: | ---: | --- |",
-    ]
-
-    for repo in report["repos"]:
-        alert_label = repo["alert"]["kind"] if repo["alert"]["status"] != "ok" else "ok"
-        lines.append(
-            f"| {repo['repo']} | {repo['open_now']} | {repo['opened_last_7d']} | {repo['closed_last_7d']} | {repo['baseline_closed']} | {alert_label} |"
-        )
-
-    lines.extend(
-        [
-            "",
-            "## Dashboard handoff for timmy-config",
-            "",
-            "The timmy-config dashboard should consume `~/.timmy/burn-velocity/latest.json` and render, for each repo:",
-            "- `open_now`",
-            "- `opened_last_7d`",
-            "- `closed_last_7d`",
-            "- `baseline_closed`",
-            "- `alert.status` / `alert.kind` / `alert.reason`",
-            "",
-            "Cron should also persist `~/.timmy/burn-velocity/history.json` so timmy-config can plot the daily trend line instead of only the latest snapshot.",
-            "",
-            "## Alerts",
-            "",
-        ]
-    )
-
-    alerts = [repo for repo in report["repos"] if repo["alert"]["status"] != "ok"]
-    if not alerts:
-        lines.append("- none")
-    else:
-        for repo in alerts:
-            lines.append(f"- {repo['repo']}: {repo['alert']['reason']}")
-
-    return "\n".join(lines) + "\n"
-
-
-def update_history(history_path: Path, report: dict[str, Any]) -> dict[str, Any]:
-    if history_path.exists():
-        history = json.loads(history_path.read_text(encoding="utf-8"))
-    else:
-        history = {"days": []}
-
-    entry = {
-        "date": report["generated_day"],
-        "generated_at": report["generated_at"],
-        "summary": report["summary"],
-        "repos": report["repos"],
-    }
-
-    retained = [item for item in history.get("days", []) if item.get("date") != report["generated_day"]]
-    retained.append(entry)
-    retained.sort(key=lambda item: item["date"])
-    history["days"] = retained
-
-    history_path.parent.mkdir(parents=True, exist_ok=True)
-    history_path.write_text(json.dumps(history, indent=2), encoding="utf-8")
-    return history
-
-
-class GiteaClient:
-    def __init__(self, token: str, owner: str = DEFAULT_OWNER, base_url: str = DEFAULT_BASE_URL):
-        self.token = token
-        self.owner = owner
-        self.base_url = base_url.rstrip("/")
-
-    def _headers(self) -> list[dict[str, str]]:
-        return [
-            {"Authorization": f"token {self.token}", "Accept": "application/json"},
-            {
-                "Authorization": "Basic " + b64encode(f"{self.token}:".encode()).decode(),
-                "Accept": "application/json",
-            },
-        ]
-
-    def _request_json(self, url: str) -> list[dict[str, Any]]:
-        last_error: Exception | None = None
-        for headers in self._headers():
-            try:
-                req = request.Request(url, headers=headers)
-                with request.urlopen(req, timeout=30) as response:
-                    return json.loads(response.read().decode())
-            except Exception as exc:  # pragma: no cover - exercised only on live API failure
-                last_error = exc
-        if last_error is None:  # pragma: no cover - defensive
-            raise RuntimeError("request failed without an exception")
-        raise last_error
-
-    def list_issues(self, repo: str, *, state: str, since: str | None = None) -> list[dict[str, Any]]:
-        issues: list[dict[str, Any]] = []
-        page = 1
-        while True:
-            query = {"state": state, "type": "issues", "limit": 100, "page": page}
-            if since:
-                query["since"] = since
-            url = f"{self.base_url}/repos/{self.owner}/{repo}/issues?{parse.urlencode(query)}"
-            batch = self._request_json(url)
-            if not batch:
-                break
-            issues.extend(filter_issue_items(batch))
-            page += 1
-        return issues
-
-
-def load_json(path: Path, default: Any) -> Any:
-    if not path.exists():
-        return default
-    return json.loads(path.read_text(encoding="utf-8"))
-
-
-def load_config(path: Path) -> dict[str, Any]:
-    config = dict(DEFAULT_CONFIG)
-    alert = dict(DEFAULT_CONFIG["alert"])
-    raw = load_json(path, {})
-    config.update(raw)
-    alert.update(raw.get("alert") or {})
-    config["alert"] = alert
-    return config
-
-
-def collect_live_snapshot(
-    config: dict[str, Any], *, today: str | date | None = None, token_file: Path = DEFAULT_TOKEN_FILE, base_url: str = DEFAULT_BASE_URL
-) -> dict[str, Any]:
-    token = token_file.read_text(encoding="utf-8").strip()
-    report_day = normalize_today(today)
-    since_day = report_day - timedelta(days=int(config.get("lookback_days", 14)) - 1)
-    since_timestamp = datetime.combine(since_day, time.min, tzinfo=timezone.utc).isoformat().replace("+00:00", "Z")
-    client = GiteaClient(token=token, owner=config.get("owner", DEFAULT_OWNER), base_url=base_url)
-
-    repos = list(config.get("repos") or [])
-    repo_payload = {}
-    for repo in repos:
-        repo_payload[repo] = {
-            "open_issues": client.list_issues(repo, state="open"),
-            "recent_issues": client.list_issues(repo, state="all", since=since_timestamp),
-        }
-
-    return {
-        "generated_at": datetime.now(timezone.utc).isoformat().replace("+00:00", "Z"),
-        "repos": repo_payload,
-    }
-
-
-def parse_args() -> argparse.Namespace:
-    parser = argparse.ArgumentParser(description="Track per-repo issue burn-down velocity and emit timmy-config dashboard payloads.")
-    parser.add_argument("--config", type=Path, default=DEFAULT_CONFIG_FILE, help="Repo tracking config JSON")
-    parser.add_argument("--snapshot-file", type=Path, help="Use a pre-fetched snapshot JSON instead of calling Gitea")
-    parser.add_argument("--token-file", type=Path, default=DEFAULT_TOKEN_FILE, help="Gitea token file for live collection")
-    parser.add_argument("--base-url", default=DEFAULT_BASE_URL, help="Gitea API base URL")
-    parser.add_argument("--today", help="Override report date (YYYY-MM-DD)")
-    parser.add_argument("--output-json", type=Path, default=DEFAULT_OUTPUT_JSON, help="Path for latest JSON payload")
-    parser.add_argument("--output-md", type=Path, default=DEFAULT_OUTPUT_MD, help="Path for latest markdown summary")
-    parser.add_argument("--history-file", type=Path, default=DEFAULT_HISTORY_FILE, help="Path for persisted daily history JSON")
-    parser.add_argument("--write-history", action="store_true", help="Update the daily history file after generating the report")
-    parser.add_argument("--json", action="store_true", help="Print JSON instead of markdown to stdout")
-    return parser.parse_args()
-
-
-def main() -> None:
-    args = parse_args()
-    config = load_config(args.config)
-
-    if args.snapshot_file:
-        snapshot = load_json(args.snapshot_file, {"repos": {}})
-    else:
-        snapshot = collect_live_snapshot(config, today=args.today, token_file=args.token_file, base_url=args.base_url)
-
-    report = build_velocity_report(config, snapshot, today=args.today)
-
-    args.output_json.parent.mkdir(parents=True, exist_ok=True)
-    args.output_md.parent.mkdir(parents=True, exist_ok=True)
-    args.output_json.write_text(json.dumps(report, indent=2), encoding="utf-8")
-    args.output_md.write_text(render_markdown(report), encoding="utf-8")
-
-    if args.write_history:
-        update_history(args.history_file, report)
-
-    if args.json:
-        print(json.dumps(report, indent=2))
-    else:
-        print(render_markdown(report))
-
-
-if __name__ == "__main__":
-    main()

tests/test_bezalel_tailscale_bootstrap.py

@@ -2,9 +2,12 @@ from scripts.bezalel_tailscale_bootstrap import (
     DEFAULT_PEERS,
     build_remote_script,
     build_ssh_command,
+    parse_apply_output,
     parse_peer_args,
     parse_tailscale_status,
+    resolve_host,
 )
+from pathlib import Path
 
 
 def test_build_remote_script_contains_install_up_and_key_append():
@@ -78,3 +81,46 @@ def test_parse_peer_args_merges_overrides_into_defaults():
         "ezra": "100.126.61.76",
         "forge": "100.70.0.9",
     }
+
+
+def test_resolve_host_prefers_inventory_over_stale_default(tmp_path: Path):
+    inventory = tmp_path / "hosts.ini"
+    inventory.write_text(
+        "[fleet]\n"
+        "ezra ansible_host=143.198.27.163 ansible_user=root\n"
+        "bezalel ansible_host=67.205.155.108 ansible_user=root\n"
+    )
+
+    host, source = resolve_host(None, inventory)
+
+    assert host == "67.205.155.108"
+    assert source == f"inventory:{inventory}"
+
+
+def test_parse_apply_output_extracts_status_and_ping_markers():
+    stdout = (
+        '{"Self": {"HostName": "bezalel", "DNSName": "bezalel.tailnet.ts.net", "TailscaleIPs": ["100.90.0.10"]}, '
+        '"Peer": {"node-1": {"HostName": "ezra", "TailscaleIPs": ["100.126.61.75"]}}}'
+        "\nPING_OK:mac:100.124.176.28\n"
+        "PING_OK:ezra:100.126.61.75\n"
+    )
+
+    result = parse_apply_output(stdout)
+
+    assert result["tailscale"]["self"]["tailscale_ips"] == ["100.90.0.10"]
+    assert result["ping_ok"] == {"mac": "100.124.176.28", "ezra": "100.126.61.75"}
+
+
+def test_runbook_doc_exists_and_mentions_inventory_auth_and_peer_checks():
+    doc = Path("docs/BEZALEL_TAILSCALE_BOOTSTRAP.md")
+    assert doc.exists(), "missing docs/BEZALEL_TAILSCALE_BOOTSTRAP.md"
+    text = doc.read_text()
+    assert "ansible/inventory/hosts.ini" in text
+    assert "tailscale up" in text
+    assert "authorized_keys" in text
+    assert "100.124.176.28" in text
+    assert "100.126.61.75" in text
+
+    runbook = Path("docs/RUNBOOK_INDEX.md").read_text()
+    assert "Prepare Bezalel Tailscale bootstrap" in runbook
+    assert "scripts/bezalel_tailscale_bootstrap.py" in runbook

tests/test_burn_velocity_tracker.py

@@ -1,176 +0,0 @@
-from __future__ import annotations
-
-import json
-import subprocess
-import sys
-from datetime import date
-from pathlib import Path
-
-from scripts.burn_velocity_tracker import build_velocity_report, render_markdown, update_history
-
-
-ROOT = Path(__file__).resolve().parent.parent
-DOC_PATH = ROOT / "docs" / "BURN_VELOCITY_TRACKING.md"
-
-
-SNAPSHOT = {
-    "generated_at": "2026-04-22T12:00:00Z",
-    "repos": {
-        "timmy-home": {
-            "open_issues": [
-                {"number": 501, "state": "open", "created_at": "2026-04-20T09:00:00Z"},
-                {"number": 502, "state": "open", "created_at": "2026-04-22T07:00:00Z"},
-            ],
-            "recent_issues": [
-                {"number": 401, "state": "closed", "created_at": "2026-04-21T09:00:00Z", "closed_at": "2026-04-22T05:30:00Z"},
-                {"number": 402, "state": "closed", "created_at": "2026-04-20T09:00:00Z", "closed_at": "2026-04-21T05:30:00Z"},
-                {"number": 403, "state": "closed", "created_at": "2026-04-19T09:00:00Z", "closed_at": "2026-04-20T05:30:00Z"},
-                {"number": 404, "state": "closed", "created_at": "2026-04-14T09:00:00Z", "closed_at": "2026-04-15T05:30:00Z"},
-                {"number": 405, "state": "closed", "created_at": "2026-04-13T09:00:00Z", "closed_at": "2026-04-14T05:30:00Z"},
-                {"number": 406, "state": "closed", "created_at": "2026-04-12T09:00:00Z", "closed_at": "2026-04-13T05:30:00Z"},
-                {"number": 407, "state": "closed", "created_at": "2026-04-11T09:00:00Z", "closed_at": "2026-04-12T05:30:00Z"},
-                {"number": 408, "state": "closed", "created_at": "2026-04-10T09:00:00Z", "closed_at": "2026-04-11T05:30:00Z"},
-                {"number": 409, "state": "closed", "created_at": "2026-04-09T09:00:00Z", "closed_at": "2026-04-10T05:30:00Z"},
-                {"number": 410, "state": "closed", "created_at": "2026-04-08T09:00:00Z", "closed_at": "2026-04-09T05:30:00Z"},
-                {"number": 411, "state": "closed", "created_at": "2026-04-07T09:00:00Z", "closed_at": "2026-04-08T05:30:00Z"},
-                {"number": 412, "state": "closed", "created_at": "2026-04-06T09:00:00Z", "closed_at": "2026-04-07T05:30:00Z"},
-                {"number": 413, "state": "closed", "created_at": "2026-04-05T09:00:00Z", "closed_at": "2026-04-06T05:30:00Z"},
-                {"number": 414, "state": "open", "created_at": "2026-04-22T08:45:00Z", "closed_at": None},
-                {"number": 415, "state": "open", "created_at": "2026-04-17T08:45:00Z", "closed_at": None},
-            ],
-        },
-        "timmy-config": {
-            "open_issues": [
-                {"number": 601, "state": "open", "created_at": "2026-04-18T09:00:00Z"},
-            ],
-            "recent_issues": [
-                {"number": 602, "state": "closed", "created_at": "2026-04-20T09:00:00Z", "closed_at": "2026-04-21T06:00:00Z"},
-                {"number": 603, "state": "open", "created_at": "2026-04-22T06:00:00Z", "closed_at": None},
-            ],
-        },
-    },
-}
-
-
-CONFIG = {
-    "owner": "Timmy_Foundation",
-    "repos": ["timmy-home", "timmy-config"],
-    "lookback_days": 14,
-    "alert": {
-        "recent_days": 7,
-        "baseline_days": 7,
-        "minimum_baseline_closed": 4,
-        "drop_ratio": 0.6,
-    },
-}
-
-
-def test_build_velocity_report_counts_opened_closed_and_flags_drop_alert() -> None:
-    report = build_velocity_report(CONFIG, SNAPSHOT, today=date(2026, 4, 22))
-
-    assert report["generated_day"] == "2026-04-22"
-    assert report["summary"]["repos_with_alerts"] == ["timmy-home"]
-    assert report["summary"]["total_open_now"] == 3
-
-    home = report["repos"][0]
-    assert home["repo"] == "timmy-home"
-    assert home["open_now"] == 2
-    assert home["opened_last_7d"] == 5
-    assert home["closed_last_7d"] == 3
-    assert home["baseline_closed"] == 7
-    assert home["weekly_net"] == 2
-    assert home["alert"]["status"] == "drop"
-    assert home["alert"]["recent_closed"] == 3
-    assert home["daily"][-1] == {"date": "2026-04-22", "opened": 1, "closed": 1}
-
-    timmy_config = report["repos"][1]
-    assert timmy_config["repo"] == "timmy-config"
-    assert timmy_config["open_now"] == 1
-    assert timmy_config["closed_last_7d"] == 1
-    assert timmy_config["alert"]["status"] == "ok"
-
-
-def test_render_markdown_includes_dashboard_handoff_and_alerts() -> None:
-    report = build_velocity_report(CONFIG, SNAPSHOT, today=date(2026, 4, 22))
-    rendered = render_markdown(report)
-
-    for snippet in (
-        "# Burn-down Velocity Tracking",
-        "## Per-repo velocity",
-        "timmy-home",
-        "timmy-config",
-        "## Dashboard handoff for timmy-config",
-        "velocity_drop",
-        "## Alerts",
-    ):
-        assert snippet in rendered
-
-
-def test_update_history_replaces_same_day_snapshot(tmp_path: Path) -> None:
-    history_path = tmp_path / "burn-velocity-history.json"
-    report = build_velocity_report(CONFIG, SNAPSHOT, today=date(2026, 4, 22))
-    update_history(history_path, report)
-
-    updated = json.loads(json.dumps(report))
-    updated["repos"][0]["open_now"] = 9
-    updated["summary"]["total_open_now"] = 10
-    update_history(history_path, updated)
-
-    history = json.loads(history_path.read_text(encoding="utf-8"))
-    assert [item["date"] for item in history["days"]] == ["2026-04-22"]
-    assert history["days"][0]["summary"]["total_open_now"] == 10
-    assert history["days"][0]["repos"][0]["open_now"] == 9
-
-
-def test_cli_writes_json_markdown_and_history_from_snapshot(tmp_path: Path) -> None:
-    snapshot_path = tmp_path / "snapshot.json"
-    output_json = tmp_path / "latest.json"
-    output_md = tmp_path / "latest.md"
-    history_path = tmp_path / "history.json"
-    snapshot_path.write_text(json.dumps(SNAPSHOT), encoding="utf-8")
-
-    result = subprocess.run(
-        [
-            sys.executable,
-            "-m",
-            "scripts.burn_velocity_tracker",
-            "--snapshot-file",
-            str(snapshot_path),
-            "--today",
-            "2026-04-22",
-            "--output-json",
-            str(output_json),
-            "--output-md",
-            str(output_md),
-            "--history-file",
-            str(history_path),
-            "--write-history",
-            "--json",
-        ],
-        check=True,
-        cwd=ROOT,
-        capture_output=True,
-        text=True,
-    )
-
-    payload = json.loads(result.stdout)
-    assert payload["summary"]["repos_with_alerts"] == ["timmy-home"]
-    assert output_json.exists()
-    assert output_md.exists()
-    assert history_path.exists()
-    assert "timmy-config" in output_md.read_text(encoding="utf-8")
-
-
-def test_repo_contains_burn_velocity_tracking_doc() -> None:
-    text = DOC_PATH.read_text(encoding="utf-8")
-    required = [
-        "# Burn-down Velocity Tracking",
-        "python3 scripts/burn_velocity_tracker.py",
-        "configs/burn_velocity_repos.json",
-        "~/.timmy/burn-velocity/latest.json",
-        "timmy-config dashboard",
-        "type=issues",
-        "velocity_drop",
-    ]
-    for snippet in required:
-        assert snippet in text