Inventory Odoo bootstrap and restore safety scripts

[cbusillo]

Objective

Inventory the existing Odoo bootstrap, restore, credential setup, and env override scripts across Launchplane, odoo-devkit, and odoo-tenant-cm, then decide which scripts should remain in devkit, move behind Launchplane service routes, or be refactored/deleted after the Odoo preview path is proven.

Finish Line

Odoo preview safety script inventory complete

Current Status

State: Inventory complete, and the only immediate safety blocker found in the inventory is resolved. odoo-devkit PR #33 hardened public/non-local Odoo startup credential preflight and passed post-merge main CI/CodeQL. Current ownership split remains: devkit owns Odoo startup/bootstrap/restore/data workflow; Launchplane owns runtime key-safety, managed secret bindings, Odoo override records, artifact evidence, and service ingress; tenant repos own thin OIDC request clients/workflows.
Next action: Continue CM preview workflow wiring in cbusillo/odoo-tenant-cm#29, using a fresh/bootstrap-only or sanitized-template DB path and Launchplane runtime key-safety/override records. After preview smoke is real, do hygiene cleanup under cbusillo/launchplane#79 for old duplicated scripts.
Blocked by: none for inventory; tenant preview implementation remains.
Last verified: 2026-05-09; scan commands and inventory table are recorded in this issue, odoo-devkit#32 is closed, PR #33 merged, and post-merge devkit main CI/CodeQL passed.

Scope

• Inspect scripts, workflows, docs, and request clients in:
  • cbusillo/launchplane
  • cbusillo/odoo-devkit
  • cbusillo/odoo-tenant-cm
• Classify bootstrap and restore scripts by ownership:
  • keep in odoo-devkit as local/runtime tool
  • expose through Launchplane service route
  • keep as tenant-only validation/request client
  • delete after replacement is proven
• Confirm whether scripts check for unsafe/default Odoo admin/master credentials before public exposure.
• Confirm whether scripts protect previews/testing from prod-only keys through Launchplane runtime key-safety or need a new gate.
• Identify any duplicate or dead scripts that should move to cleanup issue Cleanup pass: docs, dead code, dead files, and stale config #79 after preview MVP smoke passes.

Acceptance Criteria

• Inventory includes every production-relevant bootstrap, restore, credential setup, env override, and preview request-client script found in the three repos.
• Each inventory row records current caller, required secrets/env, safety checks, and recommended owner/action.
• CM preview MVP has one documented DB/bootstrap approach: fresh/bootstrap-only, sanitized template, or testing clone.
• Unsafe/default Odoo credentials are explicitly checked before any public preview is marked ready, or a follow-up implementation issue is opened.
• Runtime key-safety is confirmed as the guard for preview/testing secret bindings, or a follow-up implementation issue is opened.
• Follow-up issues are linked for any required Launchplane route, devkit refactor, tenant workflow change, or cleanup deletion.

Relationships

• Supports cbusillo/odoo-tenant-cm#29.
• Related to cbusillo/launchplane#488.
• Feeds the later hygiene pass in cbusillo/launchplane#79.
• related: cbusillo/odoo-tenant-cm#29 - https://github.com/cbusillo/odoo-tenant-cm/issues/29

Validation

• Repeatable rg scan commands are recorded in the issue or resulting PR notes.
• No secrets or credential values are copied into the inventory; only names/classes/statuses and safe descriptions are recorded.
• Any implementation follow-up names targeted tests or live preflight checks.

Decisions

• Inventory completed in the issue body.
• Found one implementation follow-up: cbusillo/odoo-devkit#32 for public-runtime credential preflight.
• CM preview DB/bootstrap policy is carried by cbusillo/odoo-tenant-cm#29.
• Runtime key-safety is confirmed as the Launchplane guard for preview/testing managed secret bindings; preview implementation must ensure required preview/template secret keys flow through that gate.
• Later duplicate/dead script cleanup feeds cbusillo/launchplane#79 only after live preview smoke passes.

Open Questions

• Where should the inventory live after completion: issue body only, repo docs, or a short checked-in Odoo preview safety note?
• Which bootstrap/restore scripts are still actively used by stable testing/prod lanes versus legacy local-only flows?

Inventory

Area	File / surface	Current owner	Live caller	Safety behavior observed	Preview relevance	Recommended action
Runtime startup/bootstrap	odoo-devkit/docker/scripts/run_odoo_startup.py	odoo-devkit	Odoo runtime image entrypoint / web service startup	Requires ODOO_DB_NAME and ODOO_MASTER_PASSWORD; waits for DB; initializes missing modules; applies launchplane.settings env overrides; can set admin password; checks active admin/admin only when ODOO_ADMIN_PASSWORD is configured	Critical for public previews because this is the first-start path for fresh/bootstrap DBs	Keep in devkit, but harden via cbusillo/odoo-devkit#32 so public runtimes fail closed on missing/unsafe admin/master credential policy
Local restore/bootstrap/update	odoo-devkit/odoo_devkit/local_runtime.py (run_restore_workflow, run_bootstrap_workflow, run_update_workflow, run_local_data_workflow)	odoo-devkit	Local platform runtime restore / `workflow bootstrap	update`	Restore fails closed when upstream source env is missing unless intentionally bootstrap/update; runs DB/script-runner; stops web during data workflow; runs with sanitized command environment	Useful as reference behavior, but should not directly own Launchplane PR preview lifecycle
Remote restore/bootstrap/update	odoo-devkit/odoo_devkit/remote_runtime.py (run_remote_*_workflow)	odoo-devkit with Launchplane-owned Dokploy target catalog	Explicit `platform runtime ... --instance testing	prod` remote data workflows	Requires control-plane target catalog, compose target, target id, DOKPLOY_HOST, DOKPLOY_TOKEN, ODOO_DB_NAME; restore requires upstream env unless bootstrap/update; builds disabled manual Dokploy schedule; rejects already-running schedule	Candidate implementation pattern for preview DB/bootstrap if preview remains compose-like or needs data workflow schedule
Upstream source guard	odoo-devkit/odoo_devkit/local_runtime.py::missing_upstream_source_keys and remote equivalent	odoo-devkit	Restore workflow preflight	Restore requires upstream settings unless bootstrap=True or update_only=True	Helps CM because there is no real prod/upstream today; first preview should be explicit bootstrap/fresh or sanitized template	Keep. In #29, choose bootstrap/fresh/template explicitly; no implicit production clone
Typed Odoo override payload	odoo-devkit/odoo_devkit/local_runtime.py::apply_typed_odoo_instance_override_payload	odoo-devkit	Local/runtime env rendering	Converts stack odoo_overrides and legacy ENV_OVERRIDE_* into ODOO_INSTANCE_OVERRIDES_PAYLOAD_B64; forbids typed overrides mixed with legacy override envs	Relevant if preview template needs Odoo config parameters/addon settings	Keep in devkit for local/runtime rendering; Launchplane-owned previews should prefer DB-backed Odoo override records where possible
Odoo instance override records	launchplane/control_plane/contracts/odoo_instance_override_record.py, control_plane/odoo_instance_overrides.py, workflows/odoo_post_deploy.py	Launchplane	POST /v1/drivers/odoo/post-deploy and stable lane post-deploy	Secret-shaped values reference managed secret bindings; renders only env names and base64 payload; protected Shopify store keys are checked; apply evidence is recorded	Important for preview if Odoo preview needs addon settings or integration config after bootstrap	Keep in Launchplane. Consider reusing for preview phase once Odoo preview bootstrap is designed
Runtime key-safety	launchplane/control_plane/runtime_key_safety.py, tests	Launchplane	artifact publish payloads, product config, generic preview/runtime secret gates	Rejects prod-only classes in testing/preview, unclassified bindings, missing bindings, disabled bindings, ambiguous bindings, unknown environment class	Critical guard for preview/testing runtime secrets	Already built. Ensure CM preview product profile marks required template/runtime secret keys so generic/Odoo preview path evaluates them
Odoo artifact publish inputs	launchplane/control_plane/workflows/odoo_artifact_publish.py plus odoo-tenant-cm/.github/workflows/odoo-artifact-publish.yml	Split: Launchplane resolves runtime publish env; tenant workflow builds/pushes via devkit	Manual artifact publish workflow	Launchplane resolves publish env and enforces key-safety for runtime-environment-bound keys; tenant workflow injects ODOO_SOURCE_GITHUB_TOKEN into payload for private addon fetch	Needed for preview artifact builds, likely adapted from manual workflow	Keep thin tenant workflow. For preview, ensure artifact publish path uses PR SHA/tag, does not print secrets, and distinguishes build-time source token from runtime preview secrets
Thin Launchplane request clients	odoo-tenant-cm/scripts/ops/request-launchplane-odoo-*.mjs	odoo-tenant-cm	Tenant GitHub Actions	Require explicit Launchplane URL; request GitHub OIDC; use idempotency keys; no provider mutation in tenant repo	Need new preview refresh/destroy clients or reuse generic structure	Keep as thin request-client pattern; add preview refresh/destroy clients under odoo-tenant-cm#29
Stable lane workflows	odoo-tenant-cm/.github/workflows/odoo-post-deploy.yml, artifact publish, prod promotion, rollback	odoo-tenant-cm thin wrappers over Launchplane	Manual workflow dispatch	Main-branch guard, explicit confirmations, OIDC to Launchplane	Not preview, but proves tenant-thin Launchplane pattern	Keep. Later cleanup in #79 can remove duplicated patterns once preview/prod request clients are consolidated
Preview workflow gap	odoo-tenant-cm preview workflow / request clients	Not implemented yet	None	No preview refresh/destroy workflow currently present	Direct blocker for client preview	Implement under cbusillo/odoo-tenant-cm#29 after credential policy decision and product profile/authz are ready

Scan commands used:

rg -n "bootstrap|restore|post-deploy|post_deploy|override|runtime key|key-safety|secret binding|credential|password|admin|master|ODOO_ADMIN|ODOO_MASTER|ODOO_DB|upstream|preview" control_plane docs tests .github -g '!state/**'
rg -n "bootstrap|restore|post-deploy|post_deploy|override|runtime key|key-safety|secret binding|credential|password|admin|master|ODOO_ADMIN|ODOO_MASTER|ODOO_DB|upstream|preview" . -g '!**/.git/**' -g '!**/__pycache__/**' -g '!uv.lock'
fd 'preview|cleanup|odoo' .github/workflows scripts/ops -t f

[cbusillo]

Inventory completed. The immediate devkit credential preflight blocker was resolved by cbusillo/odoo-devkit#33; CM preview wiring continues in cbusillo/odoo-tenant-cm#29, and post-MVP hygiene remains tracked by #79.