diff --git a/.claude/memory/MEMORY.md b/.claude/memory/MEMORY.md index 309c0de..9175595 100644 --- a/.claude/memory/MEMORY.md +++ b/.claude/memory/MEMORY.md @@ -18,6 +18,7 @@ - [Coord /messages API shape](reference_coord_messages_api_shape.md) — GET /api/coord/messages returns {total,skip,limit,messages[]} NOT a bare array; parse .messages[], strip control chars, read flag may be null. - [Gitea API credential](reference_gitea_api_credential.md) — Gitea API (PRs/merges) as howard uses services/gitea-howard.sops.yaml password on internal http://172.16.3.20:3000; NOT the gururmm-server SSH password. - [Gitea Internal API Access](reference_gitea_internal.md) — git.azcomputerguru.com is NOT behind Cloudflare — it's the office Cox IP NAT'd to NPM (openresty) on Jupiter. Prefer internal 172.16.3.20:3000 for reliability (bypasses NPM SSL-renewal reload blips). +- [Gitea git-op latency](reference_gitea_git_op_latency.md) — SSH (.20:2222) is SLOWEST (~1.5s); internal HTTP+token ~0.55s; SOPS lookup only ~0.33s. Don't switch to SSH for speed. Gitea SSH is .20:2222 (API ssh_url .21 is wrong). - [GuruRMM technical reference](reference_gururmm.md) — Server (172.16.3.30) layout + API + `context=user_session` (WTS impersonation) + build-pipeline vendoring at `deploy/build-pipeline/` (auto-syncs to /opt/gururmm) + Linux agent systemd sandbox trap (ProtectSystem=strict makes fs/mount observations sandbox-local). ## Users diff --git a/.claude/memory/reference_gitea_git_op_latency.md b/.claude/memory/reference_gitea_git_op_latency.md new file mode 100644 index 0000000..430a98a --- /dev/null +++ b/.claude/memory/reference_gitea_git_op_latency.md 
@@ -0,0 +1,23 @@ +--- +name: reference_gitea_git_op_latency +description: Gitea git-op latency benchmarks - SSH is SLOWER than internal HTTP+token; the SOPS credential lookup is only ~0.33s, not the bottleneck. Do not switch to SSH for speed. +metadata: + type: reference +--- + +Benchmarked 2026-06-01 on GURU-5070 (ls-remote HEAD, claudetools repo): + +| Path | Time | +|---|---| +| SOPS decrypt of Gitea token (`vault.sh get-field services/gitea.sops.yaml credentials.api.api-token`) | ~0.33s | +| Internal HTTP+token `http://...@172.16.3.20:3000` | ~0.55s | +| External HTTPS `git.azcomputerguru.com` (Cox/NPM/Cloudflare) | ~0.83s | +| **SSH passwordless** `git@172.16.3.20:2222` | **~1.5s** (SLOWEST) | + +Takeaways: +- The "credential lookup" is only ~0.33s - NOT the cause of slow git ops. Do NOT switch git transport to SSH expecting a speedup; the SSH handshake to :2222 costs more than the SOPS decrypt it saves. +- Gitea built-in SSH server is `git@172.16.3.20:2222` (publickey-only). The repo API `ssh_url` advertises `git@172.16.3.21` (port 22) which is WRONG - that's a host sshd (offers password), not Gitea. Gitea `SSH_DOMAIN`/`SSH_PORT` config is misconfigured; the real endpoint is `.20:2222`. +- Switching `origin` to SSH also breaks `sync.sh` submodule credential reuse (it derives submodule creds from an embedded-cred HTTP origin URL, ~line 181). +- If repeated 0.33s SOPS decrypts in a session add up, the right optimization is caching the decrypted token (credential helper / session env), NOT changing transport. +- Intermittent real slowness is usually the NPM SSL-renewal reload blips on the EXTERNAL domain - stay on internal `172.16.3.20:3000` (see [[reference_gitea_internal]]). +- An SSH key named "GURU-5070" (ed25519) was added to the shared `azcomputerguru` Gitea account during this test; remove it if the SSH approach is abandoned.
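Review bot: In the `.claude/memory/MEMORY.md` hunk, the added index line files the SSH endpoint correction ("Gitea SSH is .20:2222 (API ssh_url .21 is wrong)") under a title that only mentions latency, so anyone scanning the index for the Gitea SSH endpoint will not find it. Consider carrying that fact on the existing "Gitea Internal API Access" entry or naming it in the link title, and keeping this line to the latency conclusion.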
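Review bot: In the new `reference_gitea_git_op_latency.md`, the last bullet makes removal of the "GURU-5070" ed25519 key conditional on the SSH approach being abandoned, but the Takeaways above it already conclude not to switch transport to SSH. That leaves a key with no stated purpose on the shared `azcomputerguru` account. Either remove it as part of this change or have the bullet name an owner and a date for the cleanup. Two smaller points: the table labels the external path "Cox/NPM/Cloudflare" while the MEMORY.md entry for reference_gitea_internal says git.azcomputerguru.com is NOT behind Cloudflare, so one of the two needs correcting. And since the file steers readers to a token sent over plain `http://` to 172.16.3.20:3000, with an embedded-cred origin URL that `sync.sh` relies on, the caching bullet should say where the decrypted token is allowed to live and note that the token is readable from the remote URL in the repo config.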