From a5c74fee7e7e3b819092a26c7988f452bd80f2cc Mon Sep 17 00:00:00 2001 From: Agent Date: Sat, 18 Apr 2026 11:51:36 +0000 Subject: [PATCH 01/11] =?UTF-8?q?fix:=20[nomad-step-5]=20S5-fix-5=20?= =?UTF-8?q?=E2=80=94=20chat.hcl=20tmpfs=20syntax:=20use=20mount=20block=20?= =?UTF-8?q?not=20tmpfs=20argument=20(#1012)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- nomad/jobs/chat.hcl | 23 ++++++++++++++++------- 1 file changed, 16 insertions(+), 7 deletions(-) diff --git a/nomad/jobs/chat.hcl b/nomad/jobs/chat.hcl index ead8e71..195f728 100644 --- a/nomad/jobs/chat.hcl +++ b/nomad/jobs/chat.hcl @@ -10,7 +10,7 @@ # # Sandbox hardening (#706): # - Read-only root filesystem (enforced via entrypoint) -# - tmpfs /tmp:size=64m for runtime temp files +# - tmpfs /tmp for runtime temp files (64MB) # - cap_drop ALL (no Linux capabilities) # - pids_limit 128 (prevent fork bombs) # - mem_limit 512m (matches compose sandbox hardening) @@ -89,19 +89,28 @@ job "chat" { config { image = "disinto/chat:local" force_pull = false - # Sandbox hardening (#706): cap_drop ALL (no Linux capabilities) - # tmpfs /tmp for runtime files (64MB) - # pids_limit 128 (prevent fork bombs) # ReadonlyRootfs enforced via entrypoint script (fails if running as root) - cap_drop = ["ALL"] - tmpfs = ["/tmp:size=64m"] - pids_limit = 128 # Security options for sandbox hardening # apparmor=unconfined needed for Claude CLI ptrace access # no-new-privileges prevents privilege escalation security_opt = ["apparmor=unconfined", "no-new-privileges"] } + # ── Sandbox hardening (#706) ──────────────────────────────────────────── + # cap_drop ALL (no Linux capabilities) + # tmpfs /tmp for runtime files (64MB) + # pids_limit 128 (prevent fork bombs) + cap_drop = ["ALL"] + pids_limit = 128 + mount { + type = "tmpfs" + target = "/tmp" + readonly = false + tmpfs_options { + size = 67108864 # 64MB in bytes + } + } + # ── Volume mounts ────────────────────────────────────────────────────── # Mount chat-history for conversation persistence volume_mount { From 31e2f63f1bc5f7dacd8b3aff82b14bf1beab4992 Mon Sep 17 00:00:00 2001 From: Claude Date: Sat, 18 Apr 2026 12:43:08 +0000 Subject: [PATCH 02/11] =?UTF-8?q?fix:=20[nomad-step-5]=20S5-fix-5=20?= =?UTF-8?q?=E2=80=94=20chat.hcl=20tmpfs=20syntax:=20use=20mount=20block=20?= =?UTF-8?q?not=20tmpfs=20argument=20(#1012)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Co-Authored-By: Claude Opus 4.6 (1M context) --- nomad/jobs/chat.hcl | 13 +++++++++---- 1 file changed, 9 insertions(+), 4 deletions(-) diff --git a/nomad/jobs/chat.hcl b/nomad/jobs/chat.hcl index ead8e71..ad18cec 100644 --- a/nomad/jobs/chat.hcl +++ b/nomad/jobs/chat.hcl @@ -89,13 +89,18 @@ job "chat" { config { image = "disinto/chat:local" force_pull = false - # Sandbox hardening (#706): cap_drop ALL (no Linux capabilities) - # tmpfs /tmp for runtime files (64MB) - # pids_limit 128 (prevent fork bombs) + # Sandbox hardening (#706): cap_drop ALL, pids_limit 128, tmpfs /tmp # ReadonlyRootfs enforced via entrypoint script (fails if running as root) cap_drop = ["ALL"] - tmpfs = ["/tmp:size=64m"] pids_limit = 128 + mount { + type = "tmpfs" + target = "/tmp" + readonly = false + tmpfs_options { + size = 67108864 # 64MB in bytes + } + } # Security options for sandbox hardening # apparmor=unconfined needed for Claude CLI ptrace access # no-new-privileges prevents privilege escalation From 4f5e546c42137db888d2b5f6798606532d98d508 Mon Sep 17 00:00:00 2001 From: Agent Date: Sat, 18 Apr 2026 13:01:12 +0000 Subject: [PATCH 03/11] =?UTF-8?q?fix:=20[nomad-step-5]=20S5-fix-6=20?= =?UTF-8?q?=E2=80=94=20chat=20Dockerfile=20must=20bake=20Claude=20CLI=20(s?= =?UTF-8?q?ame=20as=20agents=20#984)=20(#1016)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- docker/chat/Dockerfile | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/docker/chat/Dockerfile b/docker/chat/Dockerfile index 3d89863..f17a079 100644 --- a/docker/chat/Dockerfile +++ b/docker/chat/Dockerfile @@ -1,6 +1,6 @@ # disinto-chat — minimal HTTP backend for Claude chat UI # -# Small Debian slim base with Python runtime. +# Small Debian slim base with Python runtime and Node.js. # Chosen for simplicity and small image size (~100MB). # # Image size: ~100MB (well under the 200MB ceiling) @@ -10,11 +10,14 @@ FROM debian:bookworm-slim -# Install Python (no build-time network access needed) +# Install Node.js (required for Claude CLI) and Python RUN apt-get update && apt-get install -y --no-install-recommends \ - python3 \ + nodejs npm python3 \ && rm -rf /var/lib/apt/lists/* +# Install Claude Code CLI — chat backend runtime +RUN npm install -g @anthropic-ai/claude-code@2.1.84 + # Non-root user — fixed UID 10001 for sandbox hardening (#706) RUN useradd -m -u 10001 -s /bin/bash chat From 38b55e1855cb2268b43bb788d803a59527657872 Mon Sep 17 00:00:00 2001 From: Agent Date: Sat, 18 Apr 2026 13:08:01 +0000 Subject: [PATCH 04/11] =?UTF-8?q?fix:=20[nomad-step-5]=20S5-fix-6=20?= =?UTF-8?q?=E2=80=94=20chat=20Dockerfile=20must=20bake=20Claude=20CLI=20(s?= =?UTF-8?q?ame=20as=20agents=20#984)=20(#1016)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- docker/chat/Dockerfile | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/docker/chat/Dockerfile b/docker/chat/Dockerfile index f17a079..c4cb28b 100644 --- a/docker/chat/Dockerfile +++ b/docker/chat/Dockerfile @@ -5,8 +5,7 @@ # # Image size: ~100MB (well under the 200MB ceiling) # -# The claude binary is mounted from the host at runtime via docker-compose, -# not baked into the image — same pattern as the agents container. +# Claude CLI is baked into the image — same pattern as the agents container. FROM debian:bookworm-slim From e6dcad143db2c4b9266d3f4a7ffefa969be08a01 Mon Sep 17 00:00:00 2001 From: Claude Date: Sat, 18 Apr 2026 13:39:30 +0000 Subject: [PATCH 05/11] =?UTF-8?q?fix:=20[nomad-step-5]=20S5-fix-7=20?= =?UTF-8?q?=E2=80=94=20staging=20port=2080=20collides=20with=20edge;=20sta?= =?UTF-8?q?ging=20should=20use=20dynamic=20port=20(#1018)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Co-Authored-By: Claude Opus 4.6 (1M context) --- docker/edge/entrypoint-edge.sh | 7 +++++ nomad/jobs/edge.hcl | 52 ++++++++++++++++++++++++++++++++++ nomad/jobs/staging.hcl | 9 +++--- 3 files changed, 63 insertions(+), 5 deletions(-) diff --git a/docker/edge/entrypoint-edge.sh b/docker/edge/entrypoint-edge.sh index 1b5f94f..6db96b7 100755 --- a/docker/edge/entrypoint-edge.sh +++ b/docker/edge/entrypoint-edge.sh @@ -234,6 +234,13 @@ fi rm -f "$_fetch_log" done) & +# Nomad template renders Caddyfile to /local/Caddyfile via service discovery; +# copy it into the expected location if present (compose uses the mounted path). +if [ -f /local/Caddyfile ]; then + cp /local/Caddyfile /etc/caddy/Caddyfile + echo "edge: using Nomad-rendered Caddyfile from /local/Caddyfile" >&2 +fi + # Caddy as main process — run in foreground via wait so background jobs survive # (exec replaces the shell, which can orphan backgrounded subshells) caddy run --config /etc/caddy/Caddyfile --adapter caddyfile & diff --git a/nomad/jobs/edge.hcl b/nomad/jobs/edge.hcl index 1f3e855..779b53b 100644 --- a/nomad/jobs/edge.hcl +++ b/nomad/jobs/edge.hcl @@ -114,6 +114,58 @@ job "edge" { read_only = false } + # ── Caddyfile via Nomad service discovery (S5-fix-7, issue #1018) ──── + # Renders staging upstream from Nomad service registration instead of + # hardcoded staging:80. Caddy picks up /local/Caddyfile via entrypoint. + template { + destination = "local/Caddyfile" + change_mode = "restart" + data = < Date: Sat, 18 Apr 2026 16:20:53 +0000 Subject: [PATCH 06/11] chore: gardener housekeeping 2026-04-18 --- AGENTS.md | 4 ++-- architect/AGENTS.md | 2 +- dev/AGENTS.md | 2 +- gardener/AGENTS.md | 2 +- gardener/dust.jsonl | 1 - gardener/pending-actions.json | 6 +++--- lib/AGENTS.md | 2 +- nomad/AGENTS.md | 6 +++--- planner/AGENTS.md | 2 +- predictor/AGENTS.md | 2 +- review/AGENTS.md | 2 +- supervisor/AGENTS.md | 2 +- vault/policies/AGENTS.md | 2 +- 13 files changed, 17 insertions(+), 18 deletions(-) diff --git a/AGENTS.md b/AGENTS.md index 42f7253..35cb380 100644 --- a/AGENTS.md +++ b/AGENTS.md @@ -1,4 +1,4 @@ - + # Disinto — Agent Instructions ## What this repo is @@ -39,7 +39,7 @@ disinto/ (code repo) │ hooks/ — Claude Code session hooks (on-compact-reinject, on-idle-stop, on-phase-change, on-pretooluse-guard, on-session-end, on-stop-failure) │ init/nomad/ — cluster-up.sh, install.sh, vault-init.sh, lib-systemd.sh (Nomad+Vault Step 0 installers, #821-#825); wp-oauth-register.sh (Forgejo OAuth2 app + Vault KV seeder for Woodpecker, S3.3); deploy.sh (dependency-ordered Nomad job deploy + health-wait, S4) ├── nomad/ server.hcl, client.hcl (allow_privileged for woodpecker-agent, S3-fix-5), vault.hcl — HCL configs deployed to /etc/nomad.d/ and /etc/vault.d/ by lib/init/nomad/cluster-up.sh -│ jobs/ — Nomad jobspecs: forgejo.hcl (Vault secrets via template, S2.4); woodpecker-server.hcl + woodpecker-agent.hcl (host-net, docker.sock, Vault KV, S3.1-S3.2); agents.hcl (7 roles, llama, Vault-templated bot tokens, S4.1); vault-runner.hcl (parameterized batch dispatch, S5.3); staging.hcl (Caddy file-server, S5.2); chat.hcl (Claude chat UI, Vault OAuth secrets, S5.2); edge.hcl (Caddy proxy + dispatcher sidecar, S5.1) +│ jobs/ — Nomad jobspecs: forgejo.hcl (Vault secrets via template, S2.4); woodpecker-server.hcl + woodpecker-agent.hcl (host-net, docker.sock, Vault KV, S3.1-S3.2); agents.hcl (7 roles, llama, Vault-templated bot tokens, S4.1); vault-runner.hcl (parameterized batch dispatch, S5.3); staging.hcl (Caddy file-server, dynamic port — edge discovers via service registration, S5.2); chat.hcl (Claude chat UI, tmpfs via mount block, Vault OAuth secrets, S5.2); edge.hcl (Caddy proxy + dispatcher sidecar, S5.1) ├── projects/ *.toml.example — templates; *.toml — local per-box config (gitignored) ├── formulas/ Issue templates (TOML specs for multi-step agent tasks) ├── docker/ Dockerfiles and entrypoints: reproduce, triage, edge dispatcher, chat (server.py, entrypoint-chat.sh, Dockerfile, ui/) diff --git a/architect/AGENTS.md b/architect/AGENTS.md index b2bd57a..91b36cd 100644 --- a/architect/AGENTS.md +++ b/architect/AGENTS.md @@ -1,4 +1,4 @@ - + # Architect — Agent Instructions ## What this agent is diff --git a/dev/AGENTS.md b/dev/AGENTS.md index ff529af..af014cf 100644 --- a/dev/AGENTS.md +++ b/dev/AGENTS.md @@ -1,4 +1,4 @@ - + # Dev Agent **Role**: Implement issues autonomously — write code, push branches, address diff --git a/gardener/AGENTS.md b/gardener/AGENTS.md index fdfae86..9906343 100644 --- a/gardener/AGENTS.md +++ b/gardener/AGENTS.md @@ -1,4 +1,4 @@ - + # Gardener Agent **Role**: Backlog grooming — detect duplicate issues, missing acceptance diff --git a/gardener/dust.jsonl b/gardener/dust.jsonl index 14b0d5c..e69de29 100644 --- a/gardener/dust.jsonl +++ b/gardener/dust.jsonl @@ -1 +0,0 @@ -{"issue":915,"group":"lib/generators.sh","title":"remove no-op sed in generate_compose --build mode","reason":"sed replaces agents: with itself — no behavior change; single-line removal","ts":"2026-04-17T01:04:05Z"} diff --git a/gardener/pending-actions.json b/gardener/pending-actions.json index 724b2ee..dc08304 100644 --- a/gardener/pending-actions.json +++ b/gardener/pending-actions.json @@ -1,12 +1,12 @@ [ { "action": "edit_body", - "issue": 996, - "body": "Flagged by AI reviewer in PR #993.\n\n## Problem\n\nThe consul-template with/else/end pattern using aggressive whitespace trimming (e.g. `{{- with secret ... -}}` / `{{- else -}}` / `{{- end }}` then immediately `{{- with`) strips all newlines between consecutive single-variable env blocks at parse time. This would render the secrets env file as one concatenated line (`GITHUB_TOKEN=valCODEBERG_TOKEN=val...`), which Nomad's `env = true` cannot parse correctly.\n\n## Why not blocked\n\nagents.hcl has been runtime-tested (S4-fix-6 and S4-fix-7 made observable runtime fixes). If the env file were broken, all bot tokens would be absent — a loud, observable failure. This suggests consul-template may handle whitespace trimming differently from raw Go text/template. Needs runtime verification.\n\n## Verification\n\nDeploy either job and inspect the rendered secrets file:\n```\nnomad alloc exec cat /secrets/bots.env\n```\nConfirm each KEY=VALUE pair is on its own line.\n\n---\n*Auto-created from AI review*\n\n## Affected files\n- `nomad/jobs/agents.hcl` — bots.env template (lines 147-189)\n- `nomad/jobs/vault-runner.hcl` — runner.env template (PR #993)\n\n## Acceptance criteria\n- [ ] Deploy `agents` or `vault-runner` job on factory host\n- [ ] Inspect rendered secrets file: `nomad alloc exec cat /secrets/bots.env`\n- [ ] Confirm each KEY=VALUE pair is on its own line (not concatenated)\n- [ ] If broken: fix whitespace trimming to preserve newlines between blocks; if fine, close as not-a-bug" + "issue": 915, + "body": "Flagged by AI reviewer in PR \\#911.\n\n## Problem\n\n`lib/generators.sh` line 660 contains a no-op `sed` invocation:\n```\nsed -i 's|^\\( agents:\\)|\\1|' \"$compose_file\"\n```\n\nThis replaces ` agents:` with itself — it does nothing. It is dead code left over from a prior iteration.\n\n## Fix\n\nRemove the no-op `sed` line at line 660 of `lib/generators.sh`.\n\n## Affected files\n- `lib/generators.sh` (line 660 — the no-op sed invocation in generate_compose --build mode)\n\n## Acceptance criteria\n- [ ] The no-op sed line is removed from `lib/generators.sh`\n- [ ] `shellcheck` clean on `lib/generators.sh`\n- [ ] CI green\n\n---\n*Auto-created from AI review*" }, { "action": "add_label", - "issue": 996, + "issue": 915, "label": "backlog" } ] diff --git a/lib/AGENTS.md b/lib/AGENTS.md index 146648a..aa1699e 100644 --- a/lib/AGENTS.md +++ b/lib/AGENTS.md @@ -1,4 +1,4 @@ - + # Shared Helpers (`lib/`) All agents source `lib/env.sh` as their first action. Additional helpers are diff --git a/nomad/AGENTS.md b/nomad/AGENTS.md index 6fda250..9c42c88 100644 --- a/nomad/AGENTS.md +++ b/nomad/AGENTS.md @@ -1,4 +1,4 @@ - + # nomad/ — Agent Instructions Nomad + Vault HCL for the factory's single-node cluster. These files are @@ -19,8 +19,8 @@ see issues #821–#992 for the step breakdown. | `jobs/woodpecker-server.hcl` | submitted via `lib/init/nomad/deploy.sh` | Woodpecker CI server; host networking, Vault KV for `WOODPECKER_AGENT_SECRET` + Forgejo OAuth creds (S3.1) | | `jobs/woodpecker-agent.hcl` | submitted via `lib/init/nomad/deploy.sh` | Woodpecker CI agent; host networking, `docker.sock` mount, Vault KV for `WOODPECKER_AGENT_SECRET`; `WOODPECKER_SERVER` uses `${attr.unique.network.ip-address}:9000` (Nomad interpolation) — port binds to LXC alloc IP, not localhost (S3.2, S3-fix-6, #964) | | `jobs/agents.hcl` | submitted via `lib/init/nomad/deploy.sh` | All 7 agent roles (dev, review, gardener, planner, predictor, supervisor, architect) + llama variant; Vault-templated bot tokens via `service-agents` policy; `force_pull = false` — image is built locally by `bin/disinto --with agents`, no registry (S4.1, S4-fix-2, S4-fix-5, #955, #972, #978) | -| `jobs/staging.hcl` | submitted via `lib/init/nomad/deploy.sh` | Caddy file-server mounting `docker/` as `/srv/site:ro`; no Vault integration; internal-only via edge proxy (S5.2, #989) | -| `jobs/chat.hcl` | submitted via `lib/init/nomad/deploy.sh` | Claude chat UI; custom `disinto/chat:local` image; sandbox hardening (cap_drop ALL, tmpfs, pids_limit 128); Vault-templated OAuth secrets via `service-chat` policy (S5.2, #989) | +| `jobs/staging.hcl` | submitted via `lib/init/nomad/deploy.sh` | Caddy file-server mounting `docker/` as `/srv/site:ro`; no Vault integration; **dynamic host port** (no static 80 — edge owns 80/443, collision fixed in S5-fix-7 #1018); edge discovers via Nomad service registration (S5.2, #989) | +| `jobs/chat.hcl` | submitted via `lib/init/nomad/deploy.sh` | Claude chat UI; custom `disinto/chat:local` image; sandbox hardening (cap_drop ALL, **tmpfs via mount block** not `tmpfs=` arg — S5-fix-5 #1012, pids_limit 128); Vault-templated OAuth secrets via `service-chat` policy (S5.2, #989) | | `jobs/edge.hcl` | submitted via `lib/init/nomad/deploy.sh` | Caddy reverse proxy + dispatcher sidecar; routes /forge, /woodpecker, /staging, /chat; uses `disinto/edge:local` image built by `bin/disinto --with edge`; Vault-templated ops-repo creds via `service-dispatcher` policy (S5.1, #988) | Nomad auto-merges every `*.hcl` under `-config=/etc/nomad.d/`, so the diff --git a/planner/AGENTS.md b/planner/AGENTS.md index 14b153d..81049d2 100644 --- a/planner/AGENTS.md +++ b/planner/AGENTS.md @@ -1,4 +1,4 @@ - + # Planner Agent **Role**: Strategic planning using a Prerequisite Tree (Theory of Constraints), diff --git a/predictor/AGENTS.md b/predictor/AGENTS.md index ba54a05..e26f220 100644 --- a/predictor/AGENTS.md +++ b/predictor/AGENTS.md @@ -1,4 +1,4 @@ - + # Predictor Agent **Role**: Abstract adversary (the "goblin"). Runs a 2-step formula diff --git a/review/AGENTS.md b/review/AGENTS.md index 19fc4c7..8291f2c 100644 --- a/review/AGENTS.md +++ b/review/AGENTS.md @@ -1,4 +1,4 @@ - + # Review Agent **Role**: AI-powered PR review — post structured findings and formal diff --git a/supervisor/AGENTS.md b/supervisor/AGENTS.md index 7ca3d7f..8fce4fd 100644 --- a/supervisor/AGENTS.md +++ b/supervisor/AGENTS.md @@ -1,4 +1,4 @@ - + # Supervisor Agent **Role**: Health monitoring and auto-remediation, executed as a formula-driven diff --git a/vault/policies/AGENTS.md b/vault/policies/AGENTS.md index 0a67acb..029adf9 100644 --- a/vault/policies/AGENTS.md +++ b/vault/policies/AGENTS.md @@ -1,4 +1,4 @@ - + # vault/policies/ — Agent Instructions HashiCorp Vault ACL policies for the disinto factory. One `.hcl` file per From c24d204b0fa1d145e05cd90329a8e9d8f342b000 Mon Sep 17 00:00:00 2001 From: Agent Date: Sat, 18 Apr 2026 16:29:59 +0000 Subject: [PATCH 07/11] fix: tech-debt: no-op sed in generate_compose --build mode (lib/generators.sh) (#915) --- lib/generators.sh | 1 - 1 file changed, 1 deletion(-) diff --git a/lib/generators.sh b/lib/generators.sh index 5664b55..77af9a7 100644 --- a/lib/generators.sh +++ b/lib/generators.sh @@ -657,7 +657,6 @@ COMPOSEEOF # In build mode, replace image: with build: for locally-built images if [ "$use_build" = true ]; then - sed -i 's|^\( agents:\)|\1|' "$compose_file" sed -i '/^ image: ghcr\.io\/disinto\/agents:/{s|image: ghcr\.io/disinto/agents:.*|build:\n context: .\n dockerfile: docker/agents/Dockerfile\n pull_policy: build|}' "$compose_file" sed -i '/^ image: ghcr\.io\/disinto\/edge:/{s|image: ghcr\.io/disinto/edge:.*|build: ./docker/edge\n pull_policy: build|}' "$compose_file" fi From 2fd5bf219202ae75b1b28503230e9fa763847139 Mon Sep 17 00:00:00 2001 From: Claude Date: Sat, 18 Apr 2026 22:26:40 +0000 Subject: [PATCH 08/11] chore: gardener housekeeping 2026-04-18 --- AGENTS.md | 2 +- architect/AGENTS.md | 2 +- dev/AGENTS.md | 2 +- gardener/AGENTS.md | 2 +- gardener/pending-actions.json | 13 +------------ lib/AGENTS.md | 2 +- nomad/AGENTS.md | 2 +- planner/AGENTS.md | 2 +- predictor/AGENTS.md | 2 +- review/AGENTS.md | 2 +- supervisor/AGENTS.md | 2 +- vault/policies/AGENTS.md | 2 +- 12 files changed, 12 insertions(+), 23 deletions(-) diff --git a/AGENTS.md b/AGENTS.md index 35cb380..c327330 100644 --- a/AGENTS.md +++ b/AGENTS.md @@ -1,4 +1,4 @@ - + # Disinto — Agent Instructions ## What this repo is diff --git a/architect/AGENTS.md b/architect/AGENTS.md index 91b36cd..98d2561 100644 --- a/architect/AGENTS.md +++ b/architect/AGENTS.md @@ -1,4 +1,4 @@ - + # Architect — Agent Instructions ## What this agent is diff --git a/dev/AGENTS.md b/dev/AGENTS.md index af014cf..a614eaa 100644 --- a/dev/AGENTS.md +++ b/dev/AGENTS.md @@ -1,4 +1,4 @@ - + # Dev Agent **Role**: Implement issues autonomously — write code, push branches, address diff --git a/gardener/AGENTS.md b/gardener/AGENTS.md index 9906343..975522c 100644 --- a/gardener/AGENTS.md +++ b/gardener/AGENTS.md @@ -1,4 +1,4 @@ - + # Gardener Agent **Role**: Backlog grooming — detect duplicate issues, missing acceptance diff --git a/gardener/pending-actions.json b/gardener/pending-actions.json index dc08304..fe51488 100644 --- a/gardener/pending-actions.json +++ b/gardener/pending-actions.json @@ -1,12 +1 @@ -[ - { - "action": "edit_body", - "issue": 915, - "body": "Flagged by AI reviewer in PR \\#911.\n\n## Problem\n\n`lib/generators.sh` line 660 contains a no-op `sed` invocation:\n```\nsed -i 's|^\\( agents:\\)|\\1|' \"$compose_file\"\n```\n\nThis replaces ` agents:` with itself — it does nothing. It is dead code left over from a prior iteration.\n\n## Fix\n\nRemove the no-op `sed` line at line 660 of `lib/generators.sh`.\n\n## Affected files\n- `lib/generators.sh` (line 660 — the no-op sed invocation in generate_compose --build mode)\n\n## Acceptance criteria\n- [ ] The no-op sed line is removed from `lib/generators.sh`\n- [ ] `shellcheck` clean on `lib/generators.sh`\n- [ ] CI green\n\n---\n*Auto-created from AI review*" - }, - { - "action": "add_label", - "issue": 915, - "label": "backlog" - } -] +[] diff --git a/lib/AGENTS.md b/lib/AGENTS.md index aa1699e..e38f53b 100644 --- a/lib/AGENTS.md +++ b/lib/AGENTS.md @@ -1,4 +1,4 @@ - + # Shared Helpers (`lib/`) All agents source `lib/env.sh` as their first action. Additional helpers are diff --git a/nomad/AGENTS.md b/nomad/AGENTS.md index 9c42c88..4b2c590 100644 --- a/nomad/AGENTS.md +++ b/nomad/AGENTS.md @@ -1,4 +1,4 @@ - + # nomad/ — Agent Instructions Nomad + Vault HCL for the factory's single-node cluster. These files are diff --git a/planner/AGENTS.md b/planner/AGENTS.md index 81049d2..91ea3e8 100644 --- a/planner/AGENTS.md +++ b/planner/AGENTS.md @@ -1,4 +1,4 @@ - + # Planner Agent **Role**: Strategic planning using a Prerequisite Tree (Theory of Constraints), diff --git a/predictor/AGENTS.md b/predictor/AGENTS.md index e26f220..c491976 100644 --- a/predictor/AGENTS.md +++ b/predictor/AGENTS.md @@ -1,4 +1,4 @@ - + # Predictor Agent **Role**: Abstract adversary (the "goblin"). Runs a 2-step formula diff --git a/review/AGENTS.md b/review/AGENTS.md index 8291f2c..12cc0d7 100644 --- a/review/AGENTS.md +++ b/review/AGENTS.md @@ -1,4 +1,4 @@ - + # Review Agent **Role**: AI-powered PR review — post structured findings and formal diff --git a/supervisor/AGENTS.md b/supervisor/AGENTS.md index 8fce4fd..a21edb5 100644 --- a/supervisor/AGENTS.md +++ b/supervisor/AGENTS.md @@ -1,4 +1,4 @@ - + # Supervisor Agent **Role**: Health monitoring and auto-remediation, executed as a formula-driven diff --git a/vault/policies/AGENTS.md b/vault/policies/AGENTS.md index 029adf9..ab7b244 100644 --- a/vault/policies/AGENTS.md +++ b/vault/policies/AGENTS.md @@ -1,4 +1,4 @@ - + # vault/policies/ — Agent Instructions HashiCorp Vault ACL policies for the disinto factory. One `.hcl` file per From cf8a4b51edc330e2bbba6060cd67ff0269fd68b0 Mon Sep 17 00:00:00 2001 From: Claude Date: Sun, 19 Apr 2026 04:34:16 +0000 Subject: [PATCH 09/11] chore: gardener housekeeping 2026-04-19 --- AGENTS.md | 2 +- architect/AGENTS.md | 2 +- dev/AGENTS.md | 2 +- gardener/AGENTS.md | 2 +- gardener/dust.jsonl | 1 + gardener/pending-actions.json | 43 ++++++++++++++++++++++++++++++++++- lib/AGENTS.md | 2 +- nomad/AGENTS.md | 2 +- planner/AGENTS.md | 2 +- predictor/AGENTS.md | 2 +- review/AGENTS.md | 2 +- supervisor/AGENTS.md | 2 +- vault/policies/AGENTS.md | 2 +- 13 files changed, 54 insertions(+), 12 deletions(-) diff --git a/AGENTS.md b/AGENTS.md index c327330..9c42667 100644 --- a/AGENTS.md +++ b/AGENTS.md @@ -1,4 +1,4 @@ - + # Disinto — Agent Instructions ## What this repo is diff --git a/architect/AGENTS.md b/architect/AGENTS.md index 98d2561..7286ee3 100644 --- a/architect/AGENTS.md +++ b/architect/AGENTS.md @@ -1,4 +1,4 @@ - + # Architect — Agent Instructions ## What this agent is diff --git a/dev/AGENTS.md b/dev/AGENTS.md index a614eaa..c64551f 100644 --- a/dev/AGENTS.md +++ b/dev/AGENTS.md @@ -1,4 +1,4 @@ - + # Dev Agent **Role**: Implement issues autonomously — write code, push branches, address diff --git a/gardener/AGENTS.md b/gardener/AGENTS.md index 975522c..5dcd12f 100644 --- a/gardener/AGENTS.md +++ b/gardener/AGENTS.md @@ -1,4 +1,4 @@ - + # Gardener Agent **Role**: Backlog grooming — detect duplicate issues, missing acceptance diff --git a/gardener/dust.jsonl b/gardener/dust.jsonl index e69de29..09af349 100644 --- a/gardener/dust.jsonl +++ b/gardener/dust.jsonl @@ -0,0 +1 @@ +{"issue":850,"group":"lib/generators.sh","title":"compose dup-detection smoke CI failures","reason":"4+ consecutive ci_exhausted failures across PRs #872 #908 #971; planner flagged for human re-scope","ts":"2026-04-19T00:00:00Z"} diff --git a/gardener/pending-actions.json b/gardener/pending-actions.json index fe51488..9827786 100644 --- a/gardener/pending-actions.json +++ b/gardener/pending-actions.json @@ -1 +1,42 @@ -[] +[ + { + "action": "edit_body", + "issue": 1025, + "body": "## Goal\nVerify that Forgejo, Woodpecker, and chat all function correctly when served\nunder /forge/, /ci/, and /chat/ subpaths on a single domain. Catch redirect\nloops, OAuth callback failures, and asset 404s before they hit production.\n\n## Sprint\nPart of sprint [edge-subpath-chat](https://forgejo:3000/disinto-admin/disinto-ops/pulls/37) — vision issue #623.\n\n## Acceptance criteria\n- [ ] Forgejo login at /forge/ completes without redirect loops\n- [ ] Forgejo OAuth callback for Woodpecker succeeds under subpath\n- [ ] Woodpecker dashboard loads all assets at /ci/ (no 404s on JS/CSS)\n- [ ] Chat OAuth login flow works at /chat/login\n- [ ] Forward_auth on /chat/* rejects unauthenticated requests with 401\n- [ ] Staging content loads at /staging/\n- [ ] Root / redirects to /forge/\n- [ ] CI pipeline added to .woodpecker/ to run this test on edge-related changes\n\n## Affected files\n- `nomad/jobs/edge.hcl` — edge Caddy routing config under test\n- `docker/edge/` — edge container and Caddyfile template\n- `tools/edge-control/register.sh` — route registration\n- `.woodpecker/` — CI pipeline for edge smoke test\n\n## Dependencies\nNone — first issue in sprint.\n" + }, + { + "action": "add_label", + "issue": 1025, + "label": "backlog" + }, + { + "action": "edit_body", + "issue": 1026, + "body": "## Goal\nReplace the blocking one-shot claude --print invocation in the chat backend with\na WebSocket connection that streams tokens to the UI as they arrive.\n\n## Sprint\nPart of sprint [edge-subpath-chat](https://forgejo:3000/disinto-admin/disinto-ops/pulls/37) — vision issue #623.\n\n## Acceptance criteria\n- [ ] /chat/ws endpoint accepts WebSocket upgrade with valid session cookie\n- [ ] /chat/ws rejects upgrade if session cookie is missing or expired\n- [ ] Chat backend streams claude output over WebSocket as text frames\n- [ ] UI renders tokens incrementally as they arrive\n- [ ] Rate limiting still enforced on WebSocket messages\n- [ ] Caddy proxies WebSocket upgrade correctly through /chat/ws with forward_auth\n\n## Affected files\n- `docker/chat/server.py` — chat backend WebSocket endpoint\n- `docker/chat/ui/` — frontend WebSocket client rendering\n- `nomad/jobs/edge.hcl` — Caddy WebSocket proxy config\n- `nomad/jobs/chat.hcl` — chat Nomad job\n\n## Dependencies\n- Depends on #1025 — subpath routing smoke test\n" + }, + { + "action": "add_label", + "issue": 1026, + "label": "backlog" + }, + { + "action": "edit_body", + "issue": 1027, + "body": "## Goal\nGive the chat container Claude session read-write access to the project working\ntree so the operator can inspect, explain, or modify code — scoped to that tree\nonly, with no access to factory internals, secrets, or Docker socket.\n\n## Sprint\nPart of sprint [edge-subpath-chat](https://forgejo:3000/disinto-admin/disinto-ops/pulls/37) — vision issue #623.\n\n## Acceptance criteria\n- [ ] Chat container bind-mounts the project working tree as a named volume\n- [ ] Claude invocation in server.py sets cwd to the workspace directory\n- [ ] Claude permission mode is acceptEdits (not bypassPermissions)\n- [ ] verify-chat-sandbox.sh updated to assert workspace mount exists\n- [ ] Compose generator adds the workspace volume conditionally\n\n## Affected files\n- `docker/chat/server.py` — Claude invocation and cwd setup\n- `tools/edge-control/verify-chat-sandbox.sh` — sandbox verification\n- `lib/generators.sh` — Compose generator workspace volume\n- `nomad/jobs/chat.hcl` — chat container bind-mount config\n\n## Dependencies\n- Depends on #1025 — subpath routing smoke test\n" + }, + { + "action": "add_label", + "issue": 1027, + "label": "backlog" + }, + { + "action": "edit_body", + "issue": 1028, + "body": "## Goal\nIf the smoke test reveals unfixable subpath issues, automate the pivot to\nper-service subdomains so the switch is a single config change.\n\n## Sprint\nPart of sprint [edge-subpath-chat](https://forgejo:3000/disinto-admin/disinto-ops/pulls/37) — vision issue #623.\n\n## Acceptance criteria\n- [ ] generators.sh _generate_caddyfile_impl accepts EDGE_ROUTING_MODE env var\n- [ ] In subdomain mode, Caddyfile emits four host blocks per edge-routing-fallback.md\n- [ ] register.sh registers additional subdomain routes when EDGE_ROUTING_MODE=subdomain\n- [ ] OAuth redirect URIs in ci-setup.sh respect routing mode\n- [ ] .env template documents EDGE_ROUTING_MODE with a comment referencing the fallback doc\n\n## Affected files\n- `lib/generators.sh` — _generate_caddyfile_impl routing mode switch\n- `tools/edge-control/register.sh` — subdomain route registration\n- `lib/ci-setup.sh` — OAuth redirect URI handling\n- `projects/*.toml.example` — .env template documentation\n\n## Dependencies\n- Depends on #1025 — subpath routing smoke test\n" + }, + { + "action": "add_label", + "issue": 1028, + "label": "backlog" + } +] diff --git a/lib/AGENTS.md b/lib/AGENTS.md index e38f53b..09f18b1 100644 --- a/lib/AGENTS.md +++ b/lib/AGENTS.md @@ -1,4 +1,4 @@ - + # Shared Helpers (`lib/`) All agents source `lib/env.sh` as their first action. Additional helpers are diff --git a/nomad/AGENTS.md b/nomad/AGENTS.md index 4b2c590..57667bc 100644 --- a/nomad/AGENTS.md +++ b/nomad/AGENTS.md @@ -1,4 +1,4 @@ - + # nomad/ — Agent Instructions Nomad + Vault HCL for the factory's single-node cluster. These files are diff --git a/planner/AGENTS.md b/planner/AGENTS.md index 91ea3e8..911ff21 100644 --- a/planner/AGENTS.md +++ b/planner/AGENTS.md @@ -1,4 +1,4 @@ - + # Planner Agent **Role**: Strategic planning using a Prerequisite Tree (Theory of Constraints), diff --git a/predictor/AGENTS.md b/predictor/AGENTS.md index c491976..a263066 100644 --- a/predictor/AGENTS.md +++ b/predictor/AGENTS.md @@ -1,4 +1,4 @@ - + # Predictor Agent **Role**: Abstract adversary (the "goblin"). Runs a 2-step formula diff --git a/review/AGENTS.md b/review/AGENTS.md index 12cc0d7..24606d1 100644 --- a/review/AGENTS.md +++ b/review/AGENTS.md @@ -1,4 +1,4 @@ - + # Review Agent **Role**: AI-powered PR review — post structured findings and formal diff --git a/supervisor/AGENTS.md b/supervisor/AGENTS.md index a21edb5..23a3832 100644 --- a/supervisor/AGENTS.md +++ b/supervisor/AGENTS.md @@ -1,4 +1,4 @@ - + # Supervisor Agent **Role**: Health monitoring and auto-remediation, executed as a formula-driven diff --git a/vault/policies/AGENTS.md b/vault/policies/AGENTS.md index ab7b244..9a4b588 100644 --- a/vault/policies/AGENTS.md +++ b/vault/policies/AGENTS.md @@ -1,4 +1,4 @@ - + # vault/policies/ — Agent Instructions HashiCorp Vault ACL policies for the disinto factory. One `.hcl` file per From 7fd8a0cbba6e6a36354b67efcb052e6ba04095f1 Mon Sep 17 00:00:00 2001 From: Claude Date: Sun, 19 Apr 2026 04:36:32 +0000 Subject: [PATCH 10/11] =?UTF-8?q?fix:=20edge.hcl=20uses=20Docker=20hostnam?= =?UTF-8?q?e=20routing=20=E2=80=94=20forgejo/woodpecker/chat=20upstreams?= =?UTF-8?q?=20unreachable=20in=20Nomad=20(#1031)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Add network_mode = "host" to the caddy task docker config (matching woodpecker-agent.hcl pattern) and replace all bare Docker hostnames with 127.0.0.1:: - forgejo:3000 → 127.0.0.1:3000 - woodpecker:8000 → 127.0.0.1:8000 - chat:8080 → 127.0.0.1:8080 - FORGE_URL env in both caddy and dispatcher tasks Staging route already uses nomadService discovery (S5-fix-7, #1018). Co-Authored-By: Claude Opus 4.6 (1M context) --- nomad/jobs/edge.hcl | 32 +++++++++++++++++++------------- 1 file changed, 19 insertions(+), 13 deletions(-) diff --git a/nomad/jobs/edge.hcl b/nomad/jobs/edge.hcl index 779b53b..e88ae22 100644 --- a/nomad/jobs/edge.hcl +++ b/nomad/jobs/edge.hcl @@ -6,6 +6,11 @@ # dispatcher sidecar polls disinto-ops for vault actions and dispatches them # via Nomad batch jobs. # +# Host networking (issue #1031): +# Caddy uses network_mode = "host" so upstreams are reached at +# 127.0.0.1: (forgejo :3000, woodpecker :8000, chat :8080). +# Staging uses Nomad service discovery (S5-fix-7, issue #1018). +# # Host_volume contract: # This job mounts caddy-data from nomad/client.hcl. Path # /srv/disinto/caddy-data is created by lib/init/nomad/cluster-up.sh before @@ -97,9 +102,10 @@ job "edge" { config { # Use pre-built disinto/edge:local image (custom Dockerfile adds # bash, jq, curl, git, docker-cli, python3, openssh-client, autossh). - image = "disinto/edge:local" - force_pull = false - ports = ["http", "https"] + image = "disinto/edge:local" + force_pull = false + network_mode = "host" + ports = ["http", "https"] # apparmor=unconfined matches docker-compose — needed for autossh # in the entrypoint script. @@ -132,12 +138,12 @@ job "edge" { # Reverse proxy to Forgejo handle /forge/* { - reverse_proxy forgejo:3000 + reverse_proxy 127.0.0.1:3000 } # Reverse proxy to Woodpecker CI handle /ci/* { - reverse_proxy woodpecker:8000 + reverse_proxy 127.0.0.1:8000 } # Reverse proxy to staging — dynamic port via Nomad service discovery @@ -148,19 +154,19 @@ job "edge" { # Chat service — reverse proxy to disinto-chat backend (#705) # OAuth routes bypass forward_auth — unauthenticated users need these (#709) handle /chat/login { - reverse_proxy chat:8080 + reverse_proxy 127.0.0.1:8080 } handle /chat/oauth/callback { - reverse_proxy chat:8080 + reverse_proxy 127.0.0.1:8080 } # Defense-in-depth: forward_auth stamps X-Forwarded-User from session (#709) handle /chat/* { - forward_auth chat:8080 { + forward_auth 127.0.0.1:8080 { uri /chat/auth/verify copy_headers X-Forwarded-User header_up X-Forward-Auth-Secret {$FORWARD_AUTH_SECRET} } - reverse_proxy chat:8080 + reverse_proxy 127.0.0.1:8080 } } EOT @@ -168,10 +174,10 @@ EOT # ── Non-secret env ─────────────────────────────────────────────────── env { - FORGE_URL = "http://forgejo:3000" - FORGE_REPO = "disinto-admin/disinto" + FORGE_URL = "http://127.0.0.1:3000" + FORGE_REPO = "disinto-admin/disinto" DISINTO_CONTAINER = "1" - PROJECT_NAME = "disinto" + PROJECT_NAME = "disinto" } # Caddy needs CPU + memory headroom for reverse proxy work. @@ -226,7 +232,7 @@ EOT # ── Non-secret env ─────────────────────────────────────────────────── env { DISPATCHER_BACKEND = "nomad" - FORGE_URL = "http://forgejo:3000" + FORGE_URL = "http://127.0.0.1:3000" FORGE_REPO = "disinto-admin/disinto" FORGE_OPS_REPO = "disinto-admin/disinto-ops" PRIMARY_BRANCH = "main" From 47046ead2e5b7f3b117132d4584a178795ed6d57 Mon Sep 17 00:00:00 2001 From: Claude Date: Sun, 19 Apr 2026 04:44:10 +0000 Subject: [PATCH 11/11] =?UTF-8?q?fix:=20add=20network=5Fmode=3Dhost=20to?= =?UTF-8?q?=20dispatcher=20task=20=E2=80=94=20FORGE=5FURL=20unreachable=20?= =?UTF-8?q?from=20bridge=20namespace?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The dispatcher task's FORGE_URL was changed to 127.0.0.1:3000 but the task was still in bridge networking mode, making the host's loopback unreachable. Add network_mode = "host" to match the caddy task. Co-Authored-By: Claude Opus 4.6 (1M context) --- nomad/jobs/edge.hcl | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/nomad/jobs/edge.hcl b/nomad/jobs/edge.hcl index e88ae22..4a495d9 100644 --- a/nomad/jobs/edge.hcl +++ b/nomad/jobs/edge.hcl @@ -193,8 +193,9 @@ EOT config { # Use same disinto/agents:local image as other agents. - image = "disinto/agents:local" - force_pull = false + image = "disinto/agents:local" + force_pull = false + network_mode = "host" # apparmor=unconfined matches docker-compose. security_opt = ["apparmor=unconfined"]