# Kestra NAS KB memory-governance takeover runbook

## Files

- Bridge v1: `runtime/scripts/kestra_nas_kb_bridge_v1.py`
- Flows:
  - `runtime/flows/nas_kb_preflight_status.yml`
  - `runtime/flows/nas_kb_daily_collect_approval.yml`
  - `runtime/flows/nas_kb_approval_monitor_merge.yml`
  - `runtime/flows/nas_kb_memory_cleanup_fallback.yml`
- Briefs:
  - `runtime/briefs/nas_kb_daily_collect_and_create_approval.md`
  - `runtime/briefs/nas_kb_approval_monitor_and_merge.md`

## Start Bridge v1 manually for test

Do not print the token in chat/logs.

```bash
export KESTRA_AGENT_BRIDGE_TOKEN='<set-a-random-token>'
python3 '/Users/bot1/Volumes/root_for_ai/AI工作区/通用_多Agent编排_Kestra评估POC_20260602_2208/runtime/scripts/kestra_nas_kb_bridge_v1.py'
```

Health check:

```bash
curl -s http://127.0.0.1:19092/health
```

POST test:

```bash
curl -sS \
  -H "Authorization: Bearer $KESTRA_AGENT_BRIDGE_TOKEN" \
  -H 'Content-Type: application/json' \
  -d '{"request_id":"manual-preflight","task_key":"preflight"}' \
  http://127.0.0.1:19092/v1/nas-kb/run
```

## Deploy flows to Kestra

The Kestra 1.3.x API in the POC requires Basic Auth and a raw YAML content type.
Do not print credentials.

```bash
for f in runtime/flows/nas_kb_*.yml; do
  curl -u "$KESTRA_BASIC_AUTH" \
    -X POST \
    -H 'Content-Type: application/x-yaml' \
    --data-binary "@$f" \
    http://127.0.0.1:18080/api/v1/main/flows
done
```

Set secret `KESTRA_AGENT_BRIDGE_TOKEN` in Kestra before enabling POST flows.
If secret support is not configured in the local POC, use an environment-backed secret or temporarily replace the header in a test copy only; do not commit real tokens into Flow YAML.
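
A pre-deploy check for the rule above, as an added example that is not part of the project's scripts: it flags Flow YAML that carries a literal `Bearer` value or the current token value, and reports line numbers only. It assumes the flows send the token in an `Authorization: Bearer` header (as the POST test does) and reference it with Kestra's `{{ secret('KESTRA_AGENT_BRIDGE_TOKEN') }}` expression; the function names and sample files are hypothetical.

```shell
#!/usr/bin/env bash
# Added example: pre-deploy guard against literal credentials in Flow YAML.

# Return 0 if FILE is clean, 1 otherwise. Reports line numbers, never values.
flow_is_clean() {
  file=$1; clean=0
  # A Bearer value that is not a template expression such as
  # {{ secret('KESTRA_AGENT_BRIDGE_TOKEN') }}.
  lines=$(awk '/Bearer[ \t]+[^{ \t]/ { printf "%s ", NR }' "$file")
  if [ -n "$lines" ]; then
    echo "$file: literal Bearer value on line(s) $lines" >&2
    clean=1
  fi
  # The live token value anywhere in the file. printf is a shell builtin, so
  # the token travels on stdin and never appears in a process argument list.
  if [ -n "${KESTRA_AGENT_BRIDGE_TOKEN:-}" ] &&
     printf '%s\n' "$KESTRA_AGENT_BRIDGE_TOKEN" | grep -qF -f /dev/stdin "$file"; then
    echo "$file: contains the current KESTRA_AGENT_BRIDGE_TOKEN value" >&2
    clean=1
  fi
  return "$clean"
}

# Check every file given; return non-zero if any of them is not clean.
check_flows() {
  bad=0
  for f in "$@"; do
    flow_is_clean "$f" || bad=1
  done
  return "$bad"
}

# Constructed sample flows (not the project's YAML): one secret reference,
# one hard-coded token.
write_samples() {
  dir=$1
  printf '%s\n' 'headers:' \
    "  Authorization: \"Bearer {{ secret('KESTRA_AGENT_BRIDGE_TOKEN') }}\"" > "$dir/ok.yml"
  printf '%s\n' 'headers:' \
    '  Authorization: "Bearer CONSTRUCTED-EXAMPLE-TOKEN"' > "$dir/bad.yml"
}

# Demo on the constructed samples. On the real tree, gate the deploy loop with:
#   check_flows runtime/flows/nas_kb_*.yml || exit 1
tmp=$(mktemp -d) && write_samples "$tmp"
check_flows "$tmp"/*.yml || echo "deploy blocked: fix the files listed above" >&2
rm -rf "$tmp"
```

The first check is a pattern match and errs on the side of flagging; the second only runs when `KESTRA_AGENT_BRIDGE_TOKEN` is set in the calling shell.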

## Manual smoke-test order

1. Run `preflight_status` manually.
2. Run `memory_cleanup_fallback` manually; expect a no-op if there is no authorized pending cleanup.
3. Run `daily_collect_approval` only when ready to allow real Feishu approval creation, or temporarily patch `dry_run: true` in a disposable test copy.
4. Run `approval_monitor_merge` only after confirming current queue packages are safe to monitor.

## Production cutover — requires user confirmation

Before cutover, explicitly confirm:

- Pause cron jobs:
  - `f859bdb12387`
  - `a3d332a1d4b8`
  - `388e37df5449`
- Enable Kestra schedules:
  - `daily_collect_approval`
  - `approval_monitor_merge`
  - `memory_cleanup_fallback`
- Bridge v1 runtime mode: manual/background/LaunchAgent.
- Token/Basic Auth/reverse proxy/log retention.

Rollback:

1. Disable Kestra schedules.
2. Stop Bridge v1.
3. Resume the three Hermes cron jobs.
4. Run `nas_kb_approval_queue_status.py` once to confirm queue state.
