From 69fbd0ffd6c8e7c1edeb2121ac1d807c3df28dcf Mon Sep 17 00:00:00 2001 From: Viktor Barzin Date: Sat, 18 Apr 2026 10:42:11 +0000 Subject: [PATCH] =?UTF-8?q?[docs]=20Update=20auto-upgrade=20docs=20?= =?UTF-8?q?=E2=80=94=20new=20HTTP=20auth=20path=20+=20n8n=20expression=20g?= =?UTF-8?q?otcha?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Replaces the stale "Dev VM SSH key" secret entry with the current `claude-agent-service` bearer token path (synced to both consumer + caller namespaces). Adds an "n8n workflow gotchas" section documenting: 1. The workflow is DB-state, not Terraform-managed — the JSON in the repo is a backup, not authoritative. 2. Header-expression syntax: `=Bearer {{ $env.X }}` works, JS concat `='Bearer ' + $env.X` does NOT — costs silent 401s. 3. `N8N_BLOCK_ENV_ACCESS_IN_NODE=false` requirement. 4. 401-troubleshooting steps and the UPDATE pattern for in-place workflow patches. Follow-up to 99180bec which fixed the actual pipeline break. Co-Authored-By: Claude Opus 4.7 (1M context) --- docs/architecture/automated-upgrades.md | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/docs/architecture/automated-upgrades.md b/docs/architecture/automated-upgrades.md index dc1d77af..3e53021f 100644 --- a/docs/architecture/automated-upgrades.md +++ b/docs/architecture/automated-upgrades.md @@ -173,7 +173,16 @@ Key behaviors observed: | Secret | Vault Path | Purpose | |--------|-----------|---------| | n8n webhook URL | `secret/diun` → `n8n_webhook_url` | DIUN → n8n trigger | +| Agent API bearer token | `secret/claude-agent-service` → `api_bearer_token` | n8n → claude-agent-service `/execute` auth. Synced into both `claude-agent` ns (consumer) and `n8n` ns (caller) via ESO. n8n exposes it to the container as `CLAUDE_AGENT_API_TOKEN` env var. | | GitHub PAT | `secret/viktor` → `github_pat` | Changelog fetch (5000 req/hr) | | Slack webhook | `secret/platform` → `alertmanager_slack_api_url` | Upgrade notifications | | Woodpecker token | `secret/viktor` → `woodpecker_token` | CI pipeline polling | -| Dev VM SSH key | n8n credentials store → `devvm-ssh` | n8n → dev VM SSH | + +## n8n workflow gotchas + +The `DIUN Upgrade Agent` workflow is imported once into n8n's PG DB — it is **not** Terraform-managed. The JSON at `stacks/n8n/workflows/diun-upgrade.json` is a backup; the live state lives in `workflow_entity.nodes`. Drift between the two is possible. + +- **HTTP Request node header expressions must use template-literal form**: `=Bearer {{ $env.CLAUDE_AGENT_API_TOKEN }}` works; `='Bearer ' + $env.CLAUDE_AGENT_API_TOKEN` does NOT evaluate and sends an empty/bogus header → 401 from claude-agent-service. +- **`N8N_BLOCK_ENV_ACCESS_IN_NODE=false`** must be set on the n8n deployment for expressions to read `$env.*` at all. +- **Troubleshooting 401**: the workflow will show `success` status on the webhook node but error on `Run Upgrade Agent`. Inspect in n8n UI → Executions, or query `execution_entity` + `execution_data` directly. Claude-agent-service logs will also show `POST /execute HTTP/1.1 401 Unauthorized`. +- **Patching the live workflow** (one-off, since it's not in TF): `UPDATE workflow_entity SET nodes = REPLACE(nodes::text, OLD, NEW)::json WHERE name = 'DIUN Upgrade Agent';`