feat: harden Bezalel tailscale bootstrap packet (#535)

ansible/playbooks/deploy_mempalace.yml

@@ -1,22 +0,0 @@
----
-# ansible/playbooks/deploy_mempalace.yml — Deploy MemPalace v3.0.0 to fleet wizards.
-#
-# Usage:
-#   ansible-playbook -i inventory/hosts.ini playbooks/deploy_mempalace.yml --limit ezra
-#   ansible-playbook -i inventory/hosts.ini playbooks/deploy_mempalace.yml
-#
-# Refs: Issue #570
-
-- name: Deploy MemPalace v3.0.0 to wizard hosts
-  hosts: fleet
-  become: false
-  gather_facts: false
-  vars:
-    mempalace_hermes_home: "{{ ansible_env.HOME }}/.hermes"
-    mempalace_sessions_dir: "{{ mempalace_hermes_home }}/sessions"
-    mempalace_palace_path: "{{ ansible_env.HOME }}/.mempalace/palace"
-    mempalace_wing: "{{ inventory_hostname }}_home"
-  roles:
-    - role: ../roles/mempalace
-      vars:
-        mempalace_venv_path: "{{ ansible_env.HOME }}/.mempalace-venv"

ansible/roles/mempalace/defaults/main.yml

@@ -1,16 +0,0 @@
----
-# MemPalace role defaults
-mempalace_package_spec: "mempalace==3.0.0"
-mempalace_hermes_home: "{{ ansible_env.HOME }}/.hermes"
-mempalace_sessions_dir: "{{ mempalace_hermes_home }}/sessions"
-mempalace_palace_path: "{{ ansible_env.HOME }}/.mempalace/palace"
-mempalace_wing: "{{ inventory_hostname }}_home"
-mempalace_wakeup_dir: "{{ mempalace_hermes_home }}/wakeups"
-mempalace_wakeup_file: "{{ mempalace_wakeup_dir }}/{{ mempalace_wing }}.txt"
-mempalace_venv_path: "{{ ansible_env.HOME }}/.mempalace-venv"
-mempalace_config_path: "{{ mempalace_hermes_home }}/mempalace.yaml"
-mempalace_mcp_config_path: "{{ mempalace_hermes_home }}/hermes-mcp-mempalace.yaml"
-mempalace_session_hook_path: "{{ mempalace_hermes_home }}/session-start-mempalace.sh"
-mempalace_run_mining: true
-mempalace_run_search_test: true
-mempalace_run_wake_up: true

ansible/roles/mempalace/meta/main.yml

@@ -1,2 +0,0 @@
----
-dependencies: []

ansible/roles/mempalace/tasks/main.yml

@@ -1,119 +0,0 @@
----
-# MemPalace v3.0.0 deployment role for fleet wizards.
-# Refs: Issue #570
-
-- name: Ensure mempalace venv directory exists
-  ansible.builtin.file:
-    path: "{{ mempalace_venv_path }}"
-    state: directory
-    mode: '0750'
-
-- name: Create mempalace virtual environment
-  ansible.builtin.command:
-    cmd: "python3 -m venv {{ mempalace_venv_path }}"
-    creates: "{{ mempalace_venv_path }}/bin/python"
-
-- name: Install mempalace package
-  ansible.builtin.pip:
-    name: "{{ mempalace_package_spec }}"
-    virtualenv: "{{ mempalace_venv_path }}"
-    virtualenv_command: "{{ mempalace_venv_path }}/bin/python -m venv"
-
-- name: Ensure Hermes home directory exists
-  ansible.builtin.file:
-    path: "{{ mempalace_hermes_home }}"
-    state: directory
-    mode: '0750'
-
-- name: Ensure sessions directory exists
-  ansible.builtin.file:
-    path: "{{ mempalace_sessions_dir }}"
-    state: directory
-    mode: '0750'
-
-- name: Ensure wakeup directory exists
-  ansible.builtin.file:
-    path: "{{ mempalace_wakeup_dir }}"
-    state: directory
-    mode: '0750'
-
-- name: Ensure palace directory exists
-  ansible.builtin.file:
-    path: "{{ mempalace_palace_path }}"
-    state: directory
-    mode: '0750'
-
-- name: Deploy mempalace.yaml configuration
-  ansible.builtin.template:
-    src: mempalace.yaml.j2
-    dest: "{{ mempalace_config_path }}"
-    mode: '0640'
-
-- name: Deploy Hermes MCP mempalace config
-  ansible.builtin.template:
-    src: hermes-mcp-mempalace.yaml.j2
-    dest: "{{ mempalace_mcp_config_path }}"
-    mode: '0640'
-
-- name: Deploy session-start wake-up hook
-  ansible.builtin.template:
-    src: session-start-mempalace.sh.j2
-    dest: "{{ mempalace_session_hook_path }}"
-    mode: '0750'
-
-- name: Mine Hermes home directory
-  ansible.builtin.shell: |
-    set -euo pipefail
-    echo "" | {{ mempalace_venv_path }}/bin/mempalace mine {{ mempalace_hermes_home }} --config {{ mempalace_config_path }}
-  args:
-    executable: /bin/bash
-  when: mempalace_run_mining | bool
-  register: mine_home_result
-  changed_when: mine_home_result.rc == 0
-
-- name: Mine session history
-  ansible.builtin.shell: |
-    set -euo pipefail
-    echo "" | {{ mempalace_venv_path }}/bin/mempalace mine {{ mempalace_sessions_dir }} --mode convos --config {{ mempalace_config_path }}
-  args:
-    executable: /bin/bash
-  when: mempalace_run_mining | bool
-  register: mine_sessions_result
-  changed_when: mine_sessions_result.rc == 0
-
-- name: Run search test
-  ansible.builtin.shell: |
-    set -euo pipefail
-    {{ mempalace_venv_path }}/bin/mempalace search "common queries" --config {{ mempalace_config_path }} | head -20
-  args:
-    executable: /bin/bash
-  when: mempalace_run_search_test | bool
-  register: search_test_result
-  changed_when: false
-
-- name: Generate wake-up context
-  ansible.builtin.shell: |
-    set -euo pipefail
-    {{ mempalace_venv_path }}/bin/mempalace wake-up --config {{ mempalace_config_path }} > {{ mempalace_wakeup_file }}
-    export HERMES_MEMPALACE_WAKEUP_FILE="{{ mempalace_wakeup_file }}"
-    printf '[MemPalace] wake-up context refreshed: %s\n' "$HERMES_MEMPALACE_WAKEUP_FILE"
-  args:
-    executable: /bin/bash
-  when: mempalace_run_wake_up | bool
-  register: wake_up_result
-  changed_when: wake_up_result.rc == 0
-
-- name: Report MemPalace deployment summary
-  ansible.builtin.debug:
-    msg:
-      - "MemPalace deployed for {{ inventory_hostname }}"
-      - "Package: {{ mempalace_package_spec }}"
-      - "Config: {{ mempalace_config_path }}"
-      - "Palace: {{ mempalace_palace_path }}"
-      - "Wake-up: {{ mempalace_wakeup_file }}"
-      - "MCP config: {{ mempalace_mcp_config_path }}"
-      - "Session hook: {{ mempalace_session_hook_path }}"
-      - "Home mine: {{ 'OK' if mine_home_result.rc | default(1) == 0 else 'SKIPPED' }}"
-      - "Sessions mine: {{ 'OK' if mine_sessions_result.rc | default(1) == 0 else 'SKIPPED' }}"
-      - "Search test: {{ 'OK' if search_test_result.rc | default(1) == 0 else 'SKIPPED' }}"
-      - "Wake-up: {{ 'OK' if wake_up_result.rc | default(1) == 0 else 'SKIPPED' }}"

ansible/roles/mempalace/templates/hermes-mcp-mempalace.yaml.j2

@@ -1,6 +0,0 @@
-mcp_servers:
-  mempalace:
-    command: "{{ mempalace_venv_path }}/bin/python"
-    args:
-      - -m
-      - mempalace.mcp_server

ansible/roles/mempalace/templates/mempalace.yaml.j2

@@ -1,21 +0,0 @@
-wing: {{ mempalace_wing }}
-palace: {{ mempalace_palace_path }}
-rooms:
-  - name: sessions
-    description: Conversation history and durable agent transcripts
-    globs:
-      - "*.json"
-      - "*.jsonl"
-  - name: config
-    description: Hermes configuration and runtime settings
-    globs:
-      - "*.yaml"
-      - "*.yml"
-      - "*.toml"
-  - name: docs
-    description: Notes, markdown docs, and operating reports
-    globs:
-      - "*.md"
-      - "*.txt"
-people: []
-projects: []

ansible/roles/mempalace/templates/session-start-mempalace.sh.j2

@@ -1,9 +0,0 @@
-#!/usr/bin/env bash
-set -euo pipefail
-
-if command -v {{ mempalace_venv_path }}/bin/mempalace >/dev/null 2>&1; then
-  mkdir -p "{{ mempalace_wakeup_dir }}"
-  {{ mempalace_venv_path }}/bin/mempalace wake-up --config {{ mempalace_config_path }} > "{{ mempalace_wakeup_file }}"
-  export HERMES_MEMPALACE_WAKEUP_FILE="{{ mempalace_wakeup_file }}"
-  printf '[MemPalace] wake-up context refreshed: %s\n' "$HERMES_MEMPALACE_WAKEUP_FILE"
-fi

docs/BEZALEL_TAILSCALE_BOOTSTRAP.md

@@ -0,0 +1,96 @@
+# Bezalel Tailscale Bootstrap
+
+Refs #535
+
+This is the repo-side operator packet for installing Tailscale on the Bezalel VPS and verifying the internal network path for federation work.
+
+Important truth:
+- issue #535 names `104.131.15.18`
+- older Bezalel control-plane docs also mention `159.203.146.185`
+- the current source of truth in this repo is `ansible/inventory/hosts.ini`, which currently resolves `bezalel` to `67.205.155.108`
+
+Because of that drift, `scripts/bezalel_tailscale_bootstrap.py` now resolves the target host from `ansible/inventory/hosts.ini` by default instead of trusting a stale hardcoded IP.
+
+## What the script does
+
+`python3 scripts/bezalel_tailscale_bootstrap.py`
+
+Safe by default:
+- builds the remote bootstrap script
+- writes it locally to `/tmp/bezalel_tailscale_bootstrap.sh`
+- prints the SSH command needed to run it
+- does **not** touch the VPS unless `--apply` is passed
+
+When applied, the remote script does all of the issue’s repo-side bootstrap steps:
+- installs Tailscale
+- runs `tailscale up --ssh --hostname bezalel`
+- appends the provided Mac SSH public key to `~/.ssh/authorized_keys`
+- prints `tailscale status --json`
+- pings the expected peer targets:
+  - Mac: `100.124.176.28`
+  - Ezra: `100.126.61.75`
+
+## Required secrets / inputs
+
+- Tailscale auth key
+- Mac SSH public key
+
+Provide them either directly or through files:
+- `--auth-key` or `--auth-key-file`
+- `--ssh-public-key` or `--ssh-public-key-file`
+
+## Dry-run example
+
+```bash
+python3 scripts/bezalel_tailscale_bootstrap.py \
+  --auth-key-file ~/.config/tailscale/auth_key \
+  --ssh-public-key-file ~/.ssh/id_ed25519.pub \
+  --json
+```
+
+This prints:
+- resolved host
+- host source (`inventory:<path>` when pulled from `ansible/inventory/hosts.ini`)
+- local script path
+- SSH command to execute
+- peer targets
+
+## Apply example
+
+```bash
+python3 scripts/bezalel_tailscale_bootstrap.py \
+  --auth-key-file ~/.config/tailscale/auth_key \
+  --ssh-public-key-file ~/.ssh/id_ed25519.pub \
+  --apply \
+  --json
+```
+
+## Verifying success after apply
+
+The script now parses the remote stdout into structured verification data:
+- `verification.tailscale.self.tailscale_ips`
+- `verification.tailscale.self.dns_name`
+- `verification.peers`
+- `verification.ping_ok`
+
+A successful run should show:
+- at least one Bezalel Tailscale IP under `tailscale_ips`
+- `ping_ok.mac = 100.124.176.28`
+- `ping_ok.ezra = 100.126.61.75`
+
+## Expected remote install commands
+
+```bash
+curl -fsSL https://tailscale.com/install.sh | sh
+tailscale up --ssh --hostname bezalel
+install -d -m 700 ~/.ssh
+touch ~/.ssh/authorized_keys && chmod 600 ~/.ssh/authorized_keys
+tailscale status --json
+```
+
+## Why this PR does not claim live completion
+
+This repo can safely ship the bootstrap script, host resolution logic, structured proof parsing, and operator packet.
+It cannot honestly claim that Bezalel was actually joined to the tailnet unless a human/operator runs the script with a real auth key and real SSH access to the VPS.
+
+That means the correct PR language for #535 is advancement, not pretend closure.

docs/MEMPALACE_EZRA_INTEGRATION.md

@@ -146,23 +146,6 @@ That bundle writes:
 - `session-start-mempalace.sh`
 - `issue-568-comment-template.md`
 
-## Fleet Ansible deployment
-
-Deploy MemPalace to Ezra (or the whole fleet) with the Ansible playbook:
-
-```bash
-ansible-playbook -i ansible/inventory/hosts.ini ansible/playbooks/deploy_mempalace.yml --limit ezra
-```
-
-This playbook:
-1. Creates a dedicated venv and installs `mempalace==3.0.0`
-2. Deploys `mempalace.yaml`, MCP config, and session-start hook
-3. Mines the Hermes home and sessions directories
-4. Runs a search smoke test
-5. Generates the wake-up context file
-
-Set `mempalace_run_mining=false` to skip mining on hosts where the corpus is already populated.
-
 ## Why this shape
 
 - `wing: ezra_home` matches the issue's Ezra-specific integration target.

docs/RUNBOOK_INDEX.md

@@ -14,6 +14,7 @@ Quick-reference index for common operational tasks across the Timmy Foundation i
 | Agent scorecard | fleet-ops | `python3 scripts/agent_scorecard.py` |
 | View fleet manifest | fleet-ops | `cat manifest.yaml` |
 | Run nightly codebase genome pass | timmy-home | `python3 scripts/codebase_genome_nightly.py --dry-run` |
+| Prepare Bezalel Tailscale bootstrap | timmy-home | `python3 scripts/bezalel_tailscale_bootstrap.py --auth-key-file <path> --ssh-public-key-file <path> --json` |
 
 ## the-nexus (Frontend + Brain)
 

scripts/bezalel_tailscale_bootstrap.py

@@ -16,11 +16,14 @@ import argparse
 import json
 import shlex
 import subprocess
+import re
+from json import JSONDecoder
 from pathlib import Path
 from typing import Any
 
-DEFAULT_HOST = "159.203.146.185"
+DEFAULT_HOST = "67.205.155.108"
 DEFAULT_HOSTNAME = "bezalel"
+DEFAULT_INVENTORY_PATH = Path(__file__).resolve().parents[1] / "ansible" / "inventory" / "hosts.ini"
 DEFAULT_PEERS = {
     "mac": "100.124.176.28",
     "ezra": "100.126.61.75",
@@ -66,6 +69,37 @@ def parse_tailscale_status(payload: dict[str, Any]) -> dict[str, Any]:
     }
 
 
+def resolve_host(host: str | None, inventory_path: Path = DEFAULT_INVENTORY_PATH, hostname: str = DEFAULT_HOSTNAME) -> tuple[str, str]:
+    if host:
+        return host, "explicit"
+    if inventory_path.exists():
+        pattern = re.compile(rf"^{re.escape(hostname)}\s+.*ansible_host=([^\s]+)")
+        for line in inventory_path.read_text().splitlines():
+            match = pattern.search(line.strip())
+            if match:
+                return match.group(1), f"inventory:{inventory_path}"
+    return DEFAULT_HOST, "default"
+
+
+def parse_apply_output(stdout: str) -> dict[str, Any]:
+    result: dict[str, Any] = {"tailscale": None, "ping_ok": {}}
+    text = stdout or ""
+    start = text.find("{")
+    if start != -1:
+        try:
+            payload, _ = JSONDecoder().raw_decode(text[start:])
+            if isinstance(payload, dict):
+                result["tailscale"] = parse_tailscale_status(payload)
+        except Exception:
+            pass
+
+    for line in text.splitlines():
+        if line.startswith("PING_OK:"):
+            _, name, ip = line.split(":", 2)
+            result["ping_ok"][name] = ip
+    return result
+
+
 def build_ssh_command(host: str, remote_script_path: str = "/tmp/bezalel_tailscale_bootstrap.sh") -> list[str]:
     return ["ssh", host, f"bash {shlex.quote(remote_script_path)}"]
 
@@ -89,8 +123,9 @@ def parse_peer_args(items: list[str]) -> dict[str, str]:
 
 def parse_args() -> argparse.Namespace:
     parser = argparse.ArgumentParser(description="Prepare or execute Tailscale bootstrap for the Bezalel VPS.")
-    parser.add_argument("--host", default=DEFAULT_HOST)
+    parser.add_argument("--host")
     parser.add_argument("--hostname", default=DEFAULT_HOSTNAME)
+    parser.add_argument("--inventory-path", type=Path, default=DEFAULT_INVENTORY_PATH)
     parser.add_argument("--auth-key", help="Tailscale auth key")
     parser.add_argument("--auth-key-file", type=Path, help="Path to file containing the Tailscale auth key")
     parser.add_argument("--ssh-public-key", help="SSH public key to append to authorized_keys")
@@ -116,6 +151,7 @@ def main() -> None:
     auth_key = _read_secret(args.auth_key, args.auth_key_file)
     ssh_public_key = _read_secret(args.ssh_public_key, args.ssh_public_key_file)
     peers = parse_peer_args(args.peer)
+    resolved_host, host_source = resolve_host(args.host, args.inventory_path, args.hostname)
 
     if not auth_key:
         raise SystemExit("Missing Tailscale auth key. Use --auth-key or --auth-key-file.")
@@ -126,28 +162,31 @@ def main() -> None:
     write_script(args.script_out, script)
 
     payload: dict[str, Any] = {
-        "host": args.host,
+        "host": resolved_host,
+        "host_source": host_source,
         "hostname": args.hostname,
+        "inventory_path": str(args.inventory_path),
         "script_out": str(args.script_out),
         "remote_script_path": args.remote_script_path,
-        "ssh_command": build_ssh_command(args.host, args.remote_script_path),
+        "ssh_command": build_ssh_command(resolved_host, args.remote_script_path),
         "peer_targets": peers,
         "applied": False,
     }
 
     if args.apply:
-        result = run_remote(args.host, args.remote_script_path)
+        result = run_remote(resolved_host, args.remote_script_path)
         payload["applied"] = True
         payload["exit_code"] = result.returncode
         payload["stdout"] = result.stdout
         payload["stderr"] = result.stderr
+        payload["verification"] = parse_apply_output(result.stdout)
 
     if args.json:
         print(json.dumps(payload, indent=2))
         return
 
     print("--- Bezalel Tailscale Bootstrap ---")
-    print(f"Host: {args.host}")
+    print(f"Host: {resolved_host} ({host_source})")
     print(f"Local script: {args.script_out}")
     print("SSH command: " + " ".join(payload["ssh_command"]))
     if args.apply:

tests/test_bezalel_tailscale_bootstrap.py

@@ -2,9 +2,12 @@ from scripts.bezalel_tailscale_bootstrap import (
     DEFAULT_PEERS,
     build_remote_script,
     build_ssh_command,
+    parse_apply_output,
     parse_peer_args,
     parse_tailscale_status,
+    resolve_host,
 )
+from pathlib import Path
 
 
 def test_build_remote_script_contains_install_up_and_key_append():
@@ -78,3 +81,46 @@ def test_parse_peer_args_merges_overrides_into_defaults():
         "ezra": "100.126.61.76",
         "forge": "100.70.0.9",
     }
+
+
+def test_resolve_host_prefers_inventory_over_stale_default(tmp_path: Path):
+    inventory = tmp_path / "hosts.ini"
+    inventory.write_text(
+        "[fleet]\n"
+        "ezra ansible_host=143.198.27.163 ansible_user=root\n"
+        "bezalel ansible_host=67.205.155.108 ansible_user=root\n"
+    )
+
+    host, source = resolve_host(None, inventory)
+
+    assert host == "67.205.155.108"
+    assert source == f"inventory:{inventory}"
+
+
+def test_parse_apply_output_extracts_status_and_ping_markers():
+    stdout = (
+        '{"Self": {"HostName": "bezalel", "DNSName": "bezalel.tailnet.ts.net", "TailscaleIPs": ["100.90.0.10"]}, '
+        '"Peer": {"node-1": {"HostName": "ezra", "TailscaleIPs": ["100.126.61.75"]}}}'
+        "\nPING_OK:mac:100.124.176.28\n"
+        "PING_OK:ezra:100.126.61.75\n"
+    )
+
+    result = parse_apply_output(stdout)
+
+    assert result["tailscale"]["self"]["tailscale_ips"] == ["100.90.0.10"]
+    assert result["ping_ok"] == {"mac": "100.124.176.28", "ezra": "100.126.61.75"}
+
+
+def test_runbook_doc_exists_and_mentions_inventory_auth_and_peer_checks():
+    doc = Path("docs/BEZALEL_TAILSCALE_BOOTSTRAP.md")
+    assert doc.exists(), "missing docs/BEZALEL_TAILSCALE_BOOTSTRAP.md"
+    text = doc.read_text()
+    assert "ansible/inventory/hosts.ini" in text
+    assert "tailscale up" in text
+    assert "authorized_keys" in text
+    assert "100.124.176.28" in text
+    assert "100.126.61.75" in text
+
+    runbook = Path("docs/RUNBOOK_INDEX.md").read_text()
+    assert "Prepare Bezalel Tailscale bootstrap" in runbook
+    assert "scripts/bezalel_tailscale_bootstrap.py" in runbook

tests/test_mempalace_ansible_role.py

@@ -1,92 +0,0 @@
-from pathlib import Path
-import unittest
-
-
-ROOT = Path(__file__).resolve().parent.parent
-ROLE_PATH = ROOT / "ansible" / "roles" / "mempalace"
-PLAYBOOK_PATH = ROOT / "ansible" / "playbooks" / "deploy_mempalace.yml"
-
-
-class TestMempalaceAnsibleRole(unittest.TestCase):
-    def test_role_directory_structure_exists(self):
-        self.assertTrue(ROLE_PATH.exists(), "mempalace role directory missing")
-        for subdir in ["tasks", "templates", "defaults", "meta"]:
-            self.assertTrue(
-                (ROLE_PATH / subdir).exists(),
-                f"mempalace role subdir missing: {subdir}",
-            )
-
-    def test_role_defaults_contains_required_variables(self):
-        defaults_path = ROLE_PATH / "defaults" / "main.yml"
-        self.assertTrue(defaults_path.exists())
-        text = defaults_path.read_text(encoding="utf-8")
-        required_vars = [
-            "mempalace_package_spec",
-            "mempalace_hermes_home",
-            "mempalace_sessions_dir",
-            "mempalace_palace_path",
-            "mempalace_wing",
-            "mempalace_wakeup_dir",
-            "mempalace_wakeup_file",
-            "mempalace_venv_path",
-            "mempalace_config_path",
-            "mempalace_mcp_config_path",
-            "mempalace_session_hook_path",
-            "mempalace_run_mining",
-            "mempalace_run_search_test",
-            "mempalace_run_wake_up",
-        ]
-        for var in required_vars:
-            self.assertIn(var, text, f"missing default var: {var}")
-
-    def test_role_tasks_contain_required_steps(self):
-        tasks_path = ROLE_PATH / "tasks" / "main.yml"
-        self.assertTrue(tasks_path.exists())
-        text = tasks_path.read_text(encoding="utf-8")
-        required_steps = [
-            "Create mempalace virtual environment",
-            "Install mempalace package",
-            "Deploy mempalace.yaml configuration",
-            "Deploy Hermes MCP mempalace config",
-            "Deploy session-start wake-up hook",
-            "Mine Hermes home directory",
-            "Mine session history",
-            "Run search test",
-            "Generate wake-up context",
-        ]
-        for step in required_steps:
-            self.assertIn(step, text, f"missing task: {step}")
-
-    def test_role_templates_are_valid(self):
-        yaml_template = ROLE_PATH / "templates" / "mempalace.yaml.j2"
-        mcp_template = ROLE_PATH / "templates" / "hermes-mcp-mempalace.yaml.j2"
-        hook_template = ROLE_PATH / "templates" / "session-start-mempalace.sh.j2"
-
-        self.assertTrue(yaml_template.exists())
-        self.assertTrue(mcp_template.exists())
-        self.assertTrue(hook_template.exists())
-
-        yaml_text = yaml_template.read_text(encoding="utf-8")
-        self.assertIn("wing: {{ mempalace_wing }}", yaml_text)
-        self.assertIn("palace: {{ mempalace_palace_path }}", yaml_text)
-        self.assertIn("rooms:", yaml_text)
-
-        mcp_text = mcp_template.read_text(encoding="utf-8")
-        self.assertIn("mcp_servers:", mcp_text)
-        self.assertIn("mempalace:", mcp_text)
-        self.assertIn("mempalace.mcp_server", mcp_text)
-
-        hook_text = hook_template.read_text(encoding="utf-8")
-        self.assertIn("mempalace wake-up", hook_text)
-        self.assertIn("HERMES_MEMPALACE_WAKEUP_FILE", hook_text)
-
-    def test_playbook_exists_and_targets_fleet(self):
-        self.assertTrue(PLAYBOOK_PATH.exists(), "deploy_mempalace.yml playbook missing")
-        text = PLAYBOOK_PATH.read_text(encoding="utf-8")
-        self.assertIn("hosts: fleet", text)
-        self.assertIn("../roles/mempalace", text)
-        self.assertIn("mempalace_venv_path", text)
-
-
-if __name__ == "__main__":
-    unittest.main()

tests/test_mempalace_ezra_integration.py

@@ -85,8 +85,6 @@ class TestMempalaceEzraIntegration(unittest.TestCase):
             "mcp_servers:",
             "HERMES_MEMPALACE_WAKEUP_FILE",
             "Metrics reply for #568",
-            "Fleet Ansible deployment",
-            "ansible-playbook",
         ]
         for snippet in required:
             self.assertIn(snippet, text)