feat(sec): implement dynamic keyring injection for ledger provisioning

quantDIY · quantDIY · commit 921b3e2de107 · 2026-03-03T22:47:01.000-05:00
diff --git a/QuanuX-Infra/ansible/02-panopticon-observability.yml b/QuanuX-Infra/ansible/02-panopticon-observability.yml
@@ -36,7 +36,7 @@
         state: present
         update_cache: true
       environment:
-        OPENSEARCH_INITIAL_ADMIN_PASSWORD: "QuanuxMasterPassword123!"
+        OPENSEARCH_INITIAL_ADMIN_PASSWORD: "{{ opensearch_admin_password }}"
 
     - name: Configure OpenSearch network host
       lineinfile:
@@ -50,12 +50,6 @@
         regexp: '^#?discovery\.type:'
         line: "discovery.type: single-node"
 
-    - name: Disable OpenSearch security plugin internally
-      lineinfile:
-        path: /etc/opensearch/opensearch.yml
-        regexp: '^#?plugins\.security\.disabled:'
-        line: "plugins.security.disabled: true"
-
     - name: Enable and restart OpenSearch service
       systemd:
         name: opensearch
diff --git a/QuanuX-Infra/cli/habitat_commands.py b/QuanuX-Infra/cli/habitat_commands.py
@@ -31,5 +31,31 @@ def equip(target: str = typer.Argument(..., help="Ansible inventory target (e.g.
         console.print("[bold red]Habitat Equip Failed.[/bold red] Playbook execution aborted.")
         raise typer.Exit(code=1)
 
+@app.command("observe")
+def observe(target: str = typer.Argument("all", help="Ansible inventory target (e.g., panopticon_ledger)")):
+    """
+    Deploys the Panopticon Observability Stack (Ledger, Buffer, and Shadow Node).
+    Expects QUANUX_OS_PASS in the environment for OpenSearch native security.
+    """
+    console.print(f"[bold cyan]Initiating Observability Protocol for:[/bold cyan] {target}")
+    try:
+        ansible_dir = os.path.abspath(os.path.join(os.path.dirname(__file__), "../ansible"))
+        playbook_path = os.path.join(ansible_dir, "02-panopticon-observability.yml")
+        
+        cmd = [
+            "ansible-playbook",
+            "-i", "dynamic_inventory.py",
+            playbook_path,
+            "--limit", target,
+            "-e", "opensearch_admin_password={{ lookup('env', 'QUANUX_OS_PASS') }}"
+        ]
+        
+        console.print(f"[dim]Executing: {' '.join(cmd)}[/dim]")
+        subprocess.run(cmd, cwd=ansible_dir, check=True)
+        console.print("[bold green]Success:[/bold green] Panopticon Observability Matrix activated.")
+    except subprocess.CalledProcessError:
+        console.print("[bold red]Observability Deployment Failed.[/bold red] Playbook execution aborted; verify QUANUX_OS_PASS is exported.")
+        raise typer.Exit(code=1)
+
 if __name__ == "__main__":
     app()
