#!/usr/bin/env bash # graduation-push.sh — ship this machine's scratch (tmp/, temp/, .claude/tmp/) to BEAST's # graduation inbox over Tailscale+SSH, for async Ollama triage. Part of the scratch # graduation pipeline (see .claude/TEMP_GRADUATION.md / graduation-pipeline spec). # # DECOUPLED from /save and SOFT-FAIL: if BEAST is off/unreachable it warns and exits 0 — # it must never block a save or a commit. # # Transport: tar the scratch -> scp ONE tarball to guru@:graduation-inbox//. # Secrets in scratch (e.g. hardcoded creds) ride the WireGuard-encrypted Tailscale/SSH link # and land ONLY on BEAST (a trusted fleet box) — they never enter git. The graduation step # sanitizes secrets (-> vault lookups) before anything is committed to a permanent home. # # BEAST: guru@100.101.122.4 (key auth as `guru`), default SSH shell = cmd.exe, home C:\Users\guru. set -u ROOT="${CLAUDETOOLS_ROOT:-$(cd "$(dirname "${BASH_SOURCE[0]}")/../.." && pwd)}" SSH="/c/Windows/System32/OpenSSH/ssh.exe"; [ -x "$SSH" ] || SSH="ssh" SCP="/c/Windows/System32/OpenSSH/scp.exe"; [ -x "$SCP" ] || SCP="scp" BEAST="guru@100.101.122.4" CTO=8 MACHINE="$(jq -r '.machine_name // .hostname // empty' "$ROOT/.claude/identity.json" 2>/dev/null)" [ -z "$MACHINE" ] && MACHINE="$(hostname)" STAMP="$(date -u +%Y%m%dT%H%M%SZ)" # Collect existing scratch dirs + count files. DIRS=(); for d in tmp temp .claude/tmp; do [ -d "$ROOT/$d" ] && DIRS+=("$d"); done [ "${#DIRS[@]}" -eq 0 ] && { echo "[INFO] graduation-push: no scratch dirs — nothing to send"; exit 0; } N=$(find "${DIRS[@]/#/$ROOT/}" -type f ! -name '.gitkeep' ! -name '.grad-*.tgz' 2>/dev/null | wc -l | tr -d ' ') [ "${N:-0}" -eq 0 ] && { echo "[INFO] graduation-push: scratch empty — nothing to send"; exit 0; } # Reachability gate (fast, BatchMode so it can't prompt). if ! "$SSH" -o BatchMode=yes -o ConnectTimeout=$CTO "$BEAST" "exit 0" >/dev/null 2>&1; then echo "[WARN] graduation-push: BEAST ($BEAST) unreachable — skipped; scratch stays local" >&2 exit 0 fi # Tar to an OS-temp path OUTSIDE the scratch dirs (avoid taring our own tarball). TARBALL="$(mktemp -t gradpush-XXXXXX 2>/dev/null).tgz"; [ -z "$TARBALL" ] && TARBALL="/tmp/gradpush-$STAMP.tgz" if ! tar -czf "$TARBALL" -C "$ROOT" "${DIRS[@]}" 2>/dev/null; then echo "[WARN] graduation-push: tar failed" >&2; rm -f "$TARBALL" 2>/dev/null; exit 0 fi # Ensure remote per-machine inbox (cmd.exe: mkdir makes intermediate dirs; 2>nul ignores 'exists'). "$SSH" -o ConnectTimeout=$CTO "$BEAST" "mkdir graduation-inbox\\$MACHINE 2>nul & exit 0" >/dev/null 2>&1 REMOTE="graduation-inbox/$MACHINE/scratch-$STAMP.tgz" if "$SCP" -o ConnectTimeout=$CTO -q "$TARBALL" "$BEAST:$REMOTE" 2>/dev/null; then echo "[OK] graduation-push: sent $N scratch file(s) -> BEAST:$REMOTE" else echo "[WARN] graduation-push: scp to BEAST failed" >&2 bash "$ROOT/.claude/scripts/log-skill-error.sh" "graduation-push" "scp of scratch tarball to BEAST failed (machine=$MACHINE)" >/dev/null 2>&1 fi rm -f "$TARBALL" 2>/dev/null exit 0