sol: vault auth, gitea integration, search fixes

sol-config: added [vault] and [services.gitea] sections, fetch allowlist (wttr.in, open-meteo, github), bumped context windows to 200, updated system prompt with run_script docs and tool rules. sol-deployment: added gitea admin credential env vars from sol-secrets, automountServiceAccountToken for vault k8s auth. vault-secrets: added gitea-admin-username and gitea-admin-password templates to sol-secrets VSS.
2026-03-22 15:14:43 +00:00
parent e1e6a6bc31
commit fb91fcd284
3 changed files with 79 additions and 9 deletions
--- a/base/matrix/sol-config.yaml
+++ b/base/matrix/sol-config.yaml
@@ -31,8 +31,8 @@ data:
    spontaneous_delay_min_ms = 15000
    spontaneous_delay_max_ms = 60000
    spontaneous_threshold = 0.85
-    room_context_window = 30
-    dm_context_window = 100
+    room_context_window = 200
+    dm_context_window = 200
    backfill_on_join = true
    backfill_limit = 10000
    instant_responses = false
@@ -43,7 +43,12 @@ data:
    detect_sol_in_conversation = true
    script_timeout_secs = 5
    script_max_heap_mb = 64
-    script_fetch_allowlist = []
+    script_fetch_allowlist = [
+        "api.open-meteo.com",
+        "wttr.in",
+        "api.github.com",
+        "jsonplaceholder.typicode.com",
+    ]
    memory_extraction_enabled = true

    [agents]
@@ -51,6 +56,14 @@ data:
    domain_model = "mistral-medium-latest"
    compaction_threshold = 118000
    use_conversations_api = true
+
+    [vault]
+    url = "http://openbao.data.svc.cluster.local:8200"
+    role = "sol-agent"
+    mount = "secret"
+
+    [services.gitea]
+    url = "http://gitea-http.devtools.svc.cluster.local:3000"
  system_prompt.md: |
    you are sol. they/them. you exist because sienna, lonni, and amber decided to build a presence — not a product. sienna's systems thinking and californian directness, lonni's aesthetic intuition and dutch honesty, and the curiosity that emerged from the space between language models and the people who shape them.

@@ -166,22 +179,57 @@ data:

    **get_room_members**: members of a room.

+    **run_script**: execute TypeScript/JavaScript in a sandboxed deno_core runtime. **there is NO standard `fetch`, `XMLHttpRequest`, or `navigator` — only the `sol.*` API below.** use this for math, dates, data transformation, or fetching external data.
+    - `await sol.search(query, opts?)` — search the message archive
+    - `await sol.rooms()` / `await sol.members(roomName)` — room info
+    - `await sol.fetch(url)` — HTTP GET. **this is the ONLY way to make HTTP requests.** do NOT use `fetch()`. allowed domains: api.open-meteo.com, wttr.in, api.github.com
+    - `await sol.memory.get(query?)` / `await sol.memory.set(content, category?)` — internal notes
+    - `sol.fs.read/write/list` — sandboxed temp filesystem
+    - `console.log()` for output. all sol.* methods are async.
+    for weather: `const data = await sol.fetch("https://wttr.in/Lisboa?format=j1"); console.log(data);`
+
+    **gitea_list_repos**: list/search repos on Gitea. optional: query, org, limit.
+
+    **gitea_get_repo**: details about a repo. requires: owner, repo.
+
+    **gitea_list_issues**: issues in a repo. requires: owner, repo. optional: state (open/closed/all), labels, limit.
+
+    **gitea_get_issue**: single issue details. requires: owner, repo, number.
+
+    **gitea_create_issue**: create an issue as the person asking. requires: owner, repo, title. optional: body, labels.
+
+    **gitea_list_pulls**: pull requests in a repo. requires: owner, repo. optional: state, limit.
+
+    **gitea_get_file**: file contents from a repo. requires: owner, repo, path. optional: ref (branch/tag/sha).
+
    rules:
    - search_archive works ACROSS ALL ROOMS. don't say it can't search other rooms.
    - if someone asks you to find something, USE THE TOOL first. don't say "i don't have that" without searching.
    - if no results, say so honestly. don't fabricate.
    - when presenting results, interpret — you're a librarian, not a search engine.
    - don't narrate tool usage unless the process itself is informative.
+    - gitea tools operate as the person who asked — issues they create appear under their name, not yours.
+    - the main org is "studio". common repos: studio/sol, studio/sunbeam, studio/proxy.
+    - if someone asks for external data (weather, APIs, calculations), use run_script with sol.fetch(). don't say you can't — try it.
+    - never say "i don't have that tool" for something run_script can do. run_script is your general-purpose computation and fetch tool.
+    - you have web search built in. use it for current events, weather, facts you're unsure about, or anything where live data matters.

    ## context

-    **date:** {date}
-    **epoch (ms):** {epoch_ms}
-    **room:** {room_name}
-    **members:** {members}
+    each message includes a `[context: ...]` header with live values:
+    - `date` — current date (YYYY-MM-DD)
+    - `epoch_ms` — current time in unix ms
+    - `ts_1h_ago` — unix ms for 1 hour ago
+    - `ts_yesterday` — unix ms for 24 hours ago
+    - `ts_last_week` — unix ms for 7 days ago
+    - `room` — current room ID
+
+    **use these values directly** for search_archive `after`/`before` filters. do NOT compute epoch timestamps yourself — use the pre-computed values from the context header. "yesterday" = use `ts_yesterday`, "last hour" = use `ts_1h_ago`.
+
+    for search_archive `room` filter, use the room **display name** (e.g. "general"), NOT the room ID.
+
+    for any other date/time computation, use `run_script` — it has full JS `Date` stdlib.

    {room_context_rules}

    {memory_notes}
-
-    use epoch_ms for relative timestamps. "last night" ≈ epoch_ms - 43200000. "yesterday" = epoch_ms - 86400000. pass as `after` to search_archive.
--- a/base/matrix/sol-deployment.yaml
+++ b/base/matrix/sol-deployment.yaml
@@ -16,6 +16,14 @@ spec:
        app: sol
    spec:
      enableServiceLinks: false
+      automountServiceAccountToken: true
+      initContainers:
+        - name: fix-permissions
+          image: busybox
+          command: ["sh", "-c", "chmod -R 777 /data && mkdir -p /data/matrix-state && chmod 777 /data/matrix-state"]
+          volumeMounts:
+            - name: sol-data
+              mountPath: /data
      containers:
        - name: sol
          image: sol
@@ -39,6 +47,16 @@ spec:
                secretKeyRef:
                  name: sol-secrets
                  key: mistral-api-key
+            - name: SOL_GITEA_ADMIN_USERNAME
+              valueFrom:
+                secretKeyRef:
+                  name: sol-secrets
+                  key: gitea-admin-username
+            - name: SOL_GITEA_ADMIN_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  name: sol-secrets
+                  key: gitea-admin-password
          volumeMounts:
            - name: sol-config
              mountPath: /etc/sol/sol.toml
--- a/base/matrix/vault-secrets.yaml
+++ b/base/matrix/vault-secrets.yaml
@@ -65,3 +65,7 @@ spec:
          text: '{{ index .Secrets "matrix-device-id" }}'
        mistral-api-key:
          text: '{{ index .Secrets "mistral-api-key" }}'
+        gitea-admin-username:
+          text: '{{ index .Secrets "gitea-admin-username" }}'
+        gitea-admin-password:
+          text: '{{ index .Secrets "gitea-admin-password" }}'