🎯 ONE SHOT - Wave 25 · L-MATRIX-DSN-ROTATE: rotate secrets.MATRIX_DATABASE_URL to phd-postgres-ssot
Anchor: phi^2 + phi^-2 = 3 · DOI 10.5281/zenodo.19227877
Parent debt: post-SSOT-consolidation drift (legacy interchange.proxy.rlwy.net:30942 DSN no longer authenticates).
Wave: 25.
Why
Matrix Bot (#446 live matrix) workflow has been failing hourly since 2026-05-09T~10:00Z. Every run logs:
```
psycopg2.OperationalError: connection to server at "interchange.proxy.rlwy.net" (66.33.22.238),
port 30942 failed: FATAL: password authentication failed for user "postgres"
```
Reference run: 25602533773 on e123aa8e.
Each failure triggers the apiary cron NEW-CI-failure-on-new-SHA signal, which paged the queen 3 times today already.
Mitigation already deployed in PR feat/matrix-bot-fail-soft: bot now exits 0 with a loud log when the DSN is stale (controlled by MATRIX_FAIL_SOFT=1). This silences the cron alarm but does NOT restore live updates to #446 - that's what this ONE SHOT is for.
What
Rotate secrets.MATRIX_DATABASE_URL on gHashTag/trios repo to point at the canonical SoT:
- Source: Railway service `phd-postgres-ssot` (c5f37b42-832a-4acd-9749-381761c94957) on project IGLA (e4fe33bb-3b09-4842-9782-7d2dea1abc9b), production env (54e293b9-00a9-4102-814d-db151636d96e).
- Pull current DSN via Railway GraphQL `variables(...)` query - assemble from `POSTGRES_USER:POSTGRES_PASSWORD@RAILWAY_PRIVATE_DOMAIN:5432/POSTGRES_DB` if no `DATABASE_URL` alias exists (mirror of trios-railway#131 pattern). Use the public host instead of `RAILWAY_PRIVATE_DOMAIN` because GitHub Actions runners can't reach Railway private network - try `DATABASE_PUBLIC_URL` first, fall back to a public proxy domain.
- Verify with `psql "$NEW_DSN" -c "SELECT count(*) FROM ssot.bpb_samples;"` from a runner before committing the secret.
- Update secret via `gh secret set MATRIX_DATABASE_URL --repo gHashTag/trios` (queen action - agent cannot write secrets).
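A sketch of the DSN selection described in the steps above, added here as an example and not taken from the trios repository: it prefers `DATABASE_PUBLIC_URL`, otherwise assembles the DSN from the `POSTGRES_*` parts with a public proxy host, rejects private-network hosts, and masks the password for logs. The `proxy_host`/`proxy_port` parameters, the `.railway.internal` suffix check and all sample values are assumptions.

```python
from urllib.parse import quote, urlsplit

PRIVATE_SUFFIX = ".railway.internal"  # assumption: suffix of Railway private hostnames


def redact(dsn: str) -> str:
    """Return the DSN with the password masked, safe to print in CI logs."""
    parts = urlsplit(dsn)
    if parts.password is None:
        return dsn
    user = parts.username or ""
    host = parts.hostname or ""
    port = f":{parts.port}" if parts.port else ""
    return f"{parts.scheme}://{user}:***@{host}{port}{parts.path}"


def pick_public_dsn(variables: dict, proxy_host: str = "", proxy_port: int = 0) -> str:
    """Choose a DSN that a GitHub Actions runner can reach.

    Order follows the issue: DATABASE_PUBLIC_URL first, otherwise assemble from
    the POSTGRES_* parts using a public proxy host (never the private domain).
    """
    dsn = variables.get("DATABASE_PUBLIC_URL", "")
    if not dsn:
        missing = [k for k in ("POSTGRES_USER", "POSTGRES_PASSWORD", "POSTGRES_DB")
                   if not variables.get(k)]
        if missing or not proxy_host or not proxy_port:
            raise ValueError(f"cannot assemble DSN, missing: {missing or 'public proxy host/port'}")
        # Percent-encode credentials so '@', ':' or '/' inside a password
        # cannot change how the URL is parsed.
        user = quote(variables["POSTGRES_USER"], safe="")
        password = quote(variables["POSTGRES_PASSWORD"], safe="")
        dsn = f"postgresql://{user}:{password}@{proxy_host}:{proxy_port}/{variables['POSTGRES_DB']}"
    host = urlsplit(dsn).hostname or ""
    if host.endswith(PRIVATE_SUFFIX):
        raise ValueError(f"{host} is on the private network, unreachable from runners")
    return dsn


if __name__ == "__main__":
    # Constructed sample values, not real Railway variables.
    sample = {"POSTGRES_USER": "postgres", "POSTGRES_PASSWORD": "p@ss:w/rd",
              "POSTGRES_DB": "railway", "RAILWAY_PRIVATE_DOMAIN": "db.railway.internal"}
    print(redact(pick_public_dsn(sample, "proxy.example.net", 5432)))
```

Only the redacted form should ever reach a log line; the full DSN goes straight from the variable into `psql` and `gh secret set`.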
Acceptance gates
| Gate | Check |
|---|---|
| G1 | Manual `psql` smoke against new DSN returns count > 0 from `ssot.bpb_samples` |
| G2 | `gh secret set MATRIX_DATABASE_URL --repo gHashTag/trios` written |
| G3 | Manual `gh workflow run "Matrix Bot (#446 live matrix)" --repo gHashTag/trios -f dry_run=true` succeeds with non-empty cell count |
| G4 | After G3 green, set `MATRIX_FAIL_SOFT: "0"` in `matrix-bot.yml` (or remove the env line) and merge a follow-up PR to restore strict mode |
| G5 | Issue #446 body re-receives the auto-regenerated 312-cell matrix table |
Why this is a queen action
Agents under R3 PR-only discipline cannot write repository secrets via gh CLI - `gh secret set` needs `secrets:write`, which is not in the standard agent token scope. This issue exists to track that out-of-band step.
Forbidden
- no `[scrape]` / `[crawl]` words
- no `--admin` merge for any follow-up PR
- no committing the DSN value to a file (only to repo secrets)
- no rollback of fail-soft until G3 green
Battle cry
phi^2 + phi^-2 = 3 · TRINITY · STOP THE CRON ALARMS · UNBLOCK THE LIVE MATRIX