feat(alloy): add journal relabeling and kottos integration on puck

Introduce structured journal relabel rules on puck to tag Pallas-managed
units with {service, project, component} labels matching the Mnemosyne
and Daedalus schema. Add kottos release variable and vault secrets
example entries for the new Pallas FastAgent runtime.

Remove the defunct mnemosyne syslog listener now that Mnemosyne ships
JSON logs via the docker-socket pipeline.

ansible/inventory/group_vars/all/vars.yml

@@ -34,6 +34,7 @@ spelunker_rel: main
 mcp_switchboard_rel: main
 kernos_rel: main
 rommie_rel: main
+kottos_rel: main
 # PyPI release version (no 'v' prefix) - https://pypi.org/project/open-webui/
 freecad_mcp_version: 0.6.1
 openwebui_rel: 0.8.3

ansible/inventory/group_vars/all/vault.yml.example

@@ -99,3 +99,25 @@ vault_ntth_token_1_app_secret: changeme
 vault_ntth_token_2_app_secret: changeme
 vault_ntth_token_3_app_secret: changeme
 vault_ntth_token_4_app_secret: changeme
+
+# Kottos (Pallas FastAgent runtime on puck)
+#   vault_kottos_openai_api_key      — API key for the OpenAI-compatible LLM
+#                                      endpoint (nyx Qwen in Ouranos, varies
+#                                      per environment).  Set to any string
+#                                      if the endpoint doesn't validate.
+#   vault_kottos_github_pat          — GitHub personal access token passed
+#                                      into the github MCP Docker container
+#                                      via GITHUB_PERSONAL_ACCESS_TOKEN env.
+#   vault_kottos_angelia_bearer      — Bearer token for the Angelia MCP
+#                                      server (accepts the outgoing auth).
+#   vault_kottos_mnemosyne_jwt       — Long-lived team JWT minted in the
+#                                      Daedalus admin UI → Settings →
+#                                      Pallas Instances → kottos row →
+#                                      "Reveal" or "Rotate".  Mnemosyne
+#                                      validates this on every search_memory
+#                                      call and scopes results to the
+#                                      workspaces attached to this team.
+vault_kottos_openai_api_key: changeme
+vault_kottos_github_pat: changeme
+vault_kottos_angelia_bearer: changeme
+vault_kottos_mnemosyne_jwt: changeme

ansible/inventory/host_vars/puck.incus.yml

@@ -7,6 +7,7 @@ services:
   - docker
   - gitea_runner
   - athena
+  - kottos
 
 # Gitea Runner
 gitea_runner_name: "puck-runner"
@@ -14,14 +15,86 @@ gitea_runner_name: "puck-runner"
 # Alloy
 alloy_log_level: "warn"
 angelia_syslog_port: 51422
+# mnemosyne_syslog_port retained for inventory-compatibility while the
+# Alloy Docker-socket discovery block rolls out; no listener binds to it
+# any more.  Delete once the docker-socket pipeline is proven in prod.
 mnemosyne_syslog_port: 51431
 athena_syslog_port: 51424
 kairos_syslog_port: 51425
 icarlos_syslog_port: 51426
 spelunker_syslog_port: 51428
 jupyterlab_syslog_port: 51411
+# daedalus_syslog_port retained for the same reason as mnemosyne above.
 daedalus_syslog_port: 51430
 
+# =============================================================================
+# PPLG scrape targets on puck
+# =============================================================================
+# Consumed by ``ansible/pplg/prometheus.yml.j2`` on Prospero.  Defining them
+# here keeps the scrape config fully parametric so the same playbook runs
+# unchanged against Ouranos / Virgo / Taurus — each environment sets its
+# own puck-equivalent host in its host_vars.
+
+# Daedalus (FastAPI on puck, behind nginx)
+daedalus_metrics_host: "puck.incus"
+daedalus_metrics_port: 22181
+
+# Mnemosyne — /metrics is served by nginx (mnemosyne-web:23181) and
+# proxied to the Django app container, which owns the single
+# prometheus_client process registry that both django-prometheus
+# (HTTP / Celery) and the MCP server's tool-call counters write to.
+mnemosyne_metrics_host: "puck.incus"
+mnemosyne_metrics_port: 23181
+
+# =============================================================================
+# Kottos Configuration (Pallas FastAgent runtime)
+# =============================================================================
+# Engineering agents (Harper, Scotty, Research, Tech Research) running as a
+# single systemd-managed ``pallas`` process.  Logs land in journald via
+# SyslogIdentifier=kottos, then Alloy's journal relabel block tags them as
+# {service="pallas", project="kottos"} for Loki.
+kottos_user: kottos
+kottos_group: kottos
+kottos_directory: /srv/kottos
+kottos_host: "puck.incus"
+kottos_namespace: "ca.helu.kottos"
+
+# Ports — registry at 24100, agents 24101–24149, sub-agents 24150–24199
+kottos_registry_port: 24100
+kottos_harper_port: 24101
+kottos_scotty_port: 24102
+kottos_research_port: 24150
+kottos_tech_research_port: 24151
+
+# Log level — INFO surfaces lifecycle + failures, DEBUG adds per-request
+# detail and successful health probe lines.  Ouranos Lab convention:
+# health-check 200 OKs live in DEBUG, never in INFO.
+pallas_log_level: INFO
+
+# fast-agent's own logger — keep at INFO in prod, bump to DEBUG alongside
+# pallas_log_level when chasing MCP transport issues.
+kottos_fastagent_log_level: info
+
+# LLM provider — the same OpenAI-compatible Qwen endpoint Kottos uses today.
+kottos_default_model: "openai.Qwen3.5-35B-A3B-UD-Q4_K_XL.gguf"
+kottos_openai_base_url: "http://nyx.helu.ca:22079/v1"
+kottos_model_vision: true
+kottos_model_context_window: 192000
+kottos_model_max_output_tokens: 16384
+kottos_timezone: "America/Toronto"
+
+# Downstream MCP server URLs — each parametric so Virgo / Taurus override
+# them in their own host_vars without touching the templates.
+kottos_argos_url: "http://miranda.incus:25534/mcp"
+kottos_neo4j_cypher_url: "http://circe.helu.ca:22034/mcp"
+kottos_kernos_scotty_url: "http://caliban.incus:22062/mcp"
+kottos_rommie_url: "http://caliban.incus:20361/mcp"
+kottos_gitea_url: "http://miranda.incus:25535/mcp"
+kottos_grafana_url: "http://miranda.incus:25533/mcp"
+kottos_kernos_harper_url: "http://korax.helu.ca:20261/mcp"
+kottos_angelia_url: "https://ouranos.helu.ca/mcp/"
+kottos_mnemosyne_url: "https://mnemosyne.ouranos.helu.ca/mcp/"
+
 # =============================================================================
 # Athena Configuration
 # =============================================================================