disinto-admin/disinto
1
0
Fork 0
Code Issues 23 Pull requests 1 Projects Releases Packages Wiki Activity Actions

chore: gardener housekeeping #1020

Merged
dev-qwen merged 1 commit from chore/gardener-20260418-1620 into main 2026-04-18 16:28:07 +00:00
Conversation 2 Commits 1 Files changed 13 +17 -18
13 changed files with 17 additions and 18 deletions
Download patch file Download diff file Expand all files Collapse all files
Showing only changes of commit b475f99873 - Show all commits

4
AGENTS.md
View file

@ -1,4 +1,4 @@
<!-- last-reviewed: 8fc3ba5b59cd6cb15bd01ca0658cfea2bcb12068 --> <!-- last-reviewed: b05a31197cc78aa28f3c3e6365e782032bfb25af -->
# Disinto — Agent Instructions # Disinto — Agent Instructions
## What this repo is ## What this repo is
@ -39,7 +39,7 @@ disinto/ (code repo)
│ hooks/ — Claude Code session hooks (on-compact-reinject, on-idle-stop, on-phase-change, on-pretooluse-guard, on-session-end, on-stop-failure) │ hooks/ — Claude Code session hooks (on-compact-reinject, on-idle-stop, on-phase-change, on-pretooluse-guard, on-session-end, on-stop-failure)
│ init/nomad/ — cluster-up.sh, install.sh, vault-init.sh, lib-systemd.sh (Nomad+Vault Step 0 installers, #821-#825); wp-oauth-register.sh (Forgejo OAuth2 app + Vault KV seeder for Woodpecker, S3.3); deploy.sh (dependency-ordered Nomad job deploy + health-wait, S4) │ init/nomad/ — cluster-up.sh, install.sh, vault-init.sh, lib-systemd.sh (Nomad+Vault Step 0 installers, #821-#825); wp-oauth-register.sh (Forgejo OAuth2 app + Vault KV seeder for Woodpecker, S3.3); deploy.sh (dependency-ordered Nomad job deploy + health-wait, S4)
├── nomad/ server.hcl, client.hcl (allow_privileged for woodpecker-agent, S3-fix-5), vault.hcl — HCL configs deployed to /etc/nomad.d/ and /etc/vault.d/ by lib/init/nomad/cluster-up.sh ├── nomad/ server.hcl, client.hcl (allow_privileged for woodpecker-agent, S3-fix-5), vault.hcl — HCL configs deployed to /etc/nomad.d/ and /etc/vault.d/ by lib/init/nomad/cluster-up.sh
│ jobs/ — Nomad jobspecs: forgejo.hcl (Vault secrets via template, S2.4); woodpecker-server.hcl + woodpecker-agent.hcl (host-net, docker.sock, Vault KV, S3.1-S3.2); agents.hcl (7 roles, llama, Vault-templated bot tokens, S4.1); vault-runner.hcl (parameterized batch dispatch, S5.3); staging.hcl (Caddy file-server, S5.2); chat.hcl (Claude chat UI, Vault OAuth secrets, S5.2); edge.hcl (Caddy proxy + dispatcher sidecar, S5.1) │ jobs/ — Nomad jobspecs: forgejo.hcl (Vault secrets via template, S2.4); woodpecker-server.hcl + woodpecker-agent.hcl (host-net, docker.sock, Vault KV, S3.1-S3.2); agents.hcl (7 roles, llama, Vault-templated bot tokens, S4.1); vault-runner.hcl (parameterized batch dispatch, S5.3); staging.hcl (Caddy file-server, dynamic port — edge discovers via service registration, S5.2); chat.hcl (Claude chat UI, tmpfs via mount block, Vault OAuth secrets, S5.2); edge.hcl (Caddy proxy + dispatcher sidecar, S5.1)
├── projects/ *.toml.example — templates; *.toml — local per-box config (gitignored) ├── projects/ *.toml.example — templates; *.toml — local per-box config (gitignored)
├── formulas/ Issue templates (TOML specs for multi-step agent tasks) ├── formulas/ Issue templates (TOML specs for multi-step agent tasks)
├── docker/ Dockerfiles and entrypoints: reproduce, triage, edge dispatcher, chat (server.py, entrypoint-chat.sh, Dockerfile, ui/) ├── docker/ Dockerfiles and entrypoints: reproduce, triage, edge dispatcher, chat (server.py, entrypoint-chat.sh, Dockerfile, ui/)

2
architect/AGENTS.md
View file

@ -1,4 +1,4 @@
<!-- last-reviewed: 8fc3ba5b59cd6cb15bd01ca0658cfea2bcb12068 --> <!-- last-reviewed: b05a31197cc78aa28f3c3e6365e782032bfb25af -->
# Architect — Agent Instructions # Architect — Agent Instructions
## What this agent is ## What this agent is

2
dev/AGENTS.md
View file

@ -1,4 +1,4 @@
<!-- last-reviewed: 8fc3ba5b59cd6cb15bd01ca0658cfea2bcb12068 --> <!-- last-reviewed: b05a31197cc78aa28f3c3e6365e782032bfb25af -->
# Dev Agent # Dev Agent
**Role**: Implement issues autonomously — write code, push branches, address **Role**: Implement issues autonomously — write code, push branches, address

2
gardener/AGENTS.md
View file

@ -1,4 +1,4 @@
<!-- last-reviewed: 8fc3ba5b59cd6cb15bd01ca0658cfea2bcb12068 --> <!-- last-reviewed: b05a31197cc78aa28f3c3e6365e782032bfb25af -->
# Gardener Agent # Gardener Agent
**Role**: Backlog grooming — detect duplicate issues, missing acceptance **Role**: Backlog grooming — detect duplicate issues, missing acceptance

1
gardener/dust.jsonl
View file

@ -1 +0,0 @@
{"issue":915,"group":"lib/generators.sh","title":"remove no-op sed in generate_compose --build mode","reason":"sed replaces agents: with itself — no behavior change; single-line removal","ts":"2026-04-17T01:04:05Z"}

6
gardener/pending-actions.json
View file

@ -1,12 +1,12 @@
[ [
{ {
"action": "edit_body", "action": "edit_body",
"issue": 996, "issue": 915,
"body": "Flagged by AI reviewer in PR #993.\n\n## Problem\n\nThe consul-template with/else/end pattern using aggressive whitespace trimming (e.g. `{{- with secret ... -}}` / `{{- else -}}` / `{{- end }}` then immediately `{{- with`) strips all newlines between consecutive single-variable env blocks at parse time. This would render the secrets env file as one concatenated line (`GITHUB_TOKEN=valCODEBERG_TOKEN=val...`), which Nomad's `env = true` cannot parse correctly.\n\n## Why not blocked\n\nagents.hcl has been runtime-tested (S4-fix-6 and S4-fix-7 made observable runtime fixes). If the env file were broken, all bot tokens would be absent — a loud, observable failure. This suggests consul-template may handle whitespace trimming differently from raw Go text/template. Needs runtime verification.\n\n## Verification\n\nDeploy either job and inspect the rendered secrets file:\n```\nnomad alloc exec <alloc-id> cat /secrets/bots.env\n```\nConfirm each KEY=VALUE pair is on its own line.\n\n---\n*Auto-created from AI review*\n\n## Affected files\n- `nomad/jobs/agents.hcl` — bots.env template (lines 147-189)\n- `nomad/jobs/vault-runner.hcl` — runner.env template (PR #993)\n\n## Acceptance criteria\n- [ ] Deploy `agents` or `vault-runner` job on factory host\n- [ ] Inspect rendered secrets file: `nomad alloc exec <alloc-id> cat /secrets/bots.env`\n- [ ] Confirm each KEY=VALUE pair is on its own line (not concatenated)\n- [ ] If broken: fix whitespace trimming to preserve newlines between blocks; if fine, close as not-a-bug" "body": "Flagged by AI reviewer in PR \\#911.\n\n## Problem\n\n`lib/generators.sh` line 660 contains a no-op `sed` invocation:\n```\nsed -i 's|^\\( agents:\\)|\\1|' \"$compose_file\"\n```\n\nThis replaces ` agents:` with itself — it does nothing. It is dead code left over from a prior iteration.\n\n## Fix\n\nRemove the no-op `sed` line at line 660 of `lib/generators.sh`.\n\n## Affected files\n- `lib/generators.sh` (line 660 — the no-op sed invocation in generate_compose --build mode)\n\n## Acceptance criteria\n- [ ] The no-op sed line is removed from `lib/generators.sh`\n- [ ] `shellcheck` clean on `lib/generators.sh`\n- [ ] CI green\n\n---\n*Auto-created from AI review*"
}, },
{ {
"action": "add_label", "action": "add_label",
"issue": 996, "issue": 915,
"label": "backlog" "label": "backlog"
} }
] ]

2
lib/AGENTS.md
View file

@ -1,4 +1,4 @@
<!-- last-reviewed: 8fc3ba5b59cd6cb15bd01ca0658cfea2bcb12068 --> <!-- last-reviewed: b05a31197cc78aa28f3c3e6365e782032bfb25af -->
# Shared Helpers (`lib/`) # Shared Helpers (`lib/`)
All agents source `lib/env.sh` as their first action. Additional helpers are All agents source `lib/env.sh` as their first action. Additional helpers are

6
nomad/AGENTS.md
View file

@ -1,4 +1,4 @@
<!-- last-reviewed: 8fc3ba5b59cd6cb15bd01ca0658cfea2bcb12068 --> <!-- last-reviewed: b05a31197cc78aa28f3c3e6365e782032bfb25af -->
# nomad/ — Agent Instructions # nomad/ — Agent Instructions
Nomad + Vault HCL for the factory's single-node cluster. These files are Nomad + Vault HCL for the factory's single-node cluster. These files are
@ -19,8 +19,8 @@ see issues #821#992 for the step breakdown.
| `jobs/woodpecker-server.hcl` | submitted via `lib/init/nomad/deploy.sh` | Woodpecker CI server; host networking, Vault KV for `WOODPECKER_AGENT_SECRET` + Forgejo OAuth creds (S3.1) | | `jobs/woodpecker-server.hcl` | submitted via `lib/init/nomad/deploy.sh` | Woodpecker CI server; host networking, Vault KV for `WOODPECKER_AGENT_SECRET` + Forgejo OAuth creds (S3.1) |
| `jobs/woodpecker-agent.hcl` | submitted via `lib/init/nomad/deploy.sh` | Woodpecker CI agent; host networking, `docker.sock` mount, Vault KV for `WOODPECKER_AGENT_SECRET`; `WOODPECKER_SERVER` uses `${attr.unique.network.ip-address}:9000` (Nomad interpolation) — port binds to LXC alloc IP, not localhost (S3.2, S3-fix-6, #964) | | `jobs/woodpecker-agent.hcl` | submitted via `lib/init/nomad/deploy.sh` | Woodpecker CI agent; host networking, `docker.sock` mount, Vault KV for `WOODPECKER_AGENT_SECRET`; `WOODPECKER_SERVER` uses `${attr.unique.network.ip-address}:9000` (Nomad interpolation) — port binds to LXC alloc IP, not localhost (S3.2, S3-fix-6, #964) |
| `jobs/agents.hcl` | submitted via `lib/init/nomad/deploy.sh` | All 7 agent roles (dev, review, gardener, planner, predictor, supervisor, architect) + llama variant; Vault-templated bot tokens via `service-agents` policy; `force_pull = false` — image is built locally by `bin/disinto --with agents`, no registry (S4.1, S4-fix-2, S4-fix-5, #955, #972, #978) | | `jobs/agents.hcl` | submitted via `lib/init/nomad/deploy.sh` | All 7 agent roles (dev, review, gardener, planner, predictor, supervisor, architect) + llama variant; Vault-templated bot tokens via `service-agents` policy; `force_pull = false` — image is built locally by `bin/disinto --with agents`, no registry (S4.1, S4-fix-2, S4-fix-5, #955, #972, #978) |
| `jobs/staging.hcl` | submitted via `lib/init/nomad/deploy.sh` | Caddy file-server mounting `docker/` as `/srv/site:ro`; no Vault integration; internal-only via edge proxy (S5.2, #989) | | `jobs/staging.hcl` | submitted via `lib/init/nomad/deploy.sh` | Caddy file-server mounting `docker/` as `/srv/site:ro`; no Vault integration; **dynamic host port** (no static 80 — edge owns 80/443, collision fixed in S5-fix-7 #1018); edge discovers via Nomad service registration (S5.2, #989) |
| `jobs/chat.hcl` | submitted via `lib/init/nomad/deploy.sh` | Claude chat UI; custom `disinto/chat:local` image; sandbox hardening (cap_drop ALL, tmpfs, pids_limit 128); Vault-templated OAuth secrets via `service-chat` policy (S5.2, #989) | | `jobs/chat.hcl` | submitted via `lib/init/nomad/deploy.sh` | Claude chat UI; custom `disinto/chat:local` image; sandbox hardening (cap_drop ALL, **tmpfs via mount block** not `tmpfs=` arg — S5-fix-5 #1012, pids_limit 128); Vault-templated OAuth secrets via `service-chat` policy (S5.2, #989) |
| `jobs/edge.hcl` | submitted via `lib/init/nomad/deploy.sh` | Caddy reverse proxy + dispatcher sidecar; routes /forge, /woodpecker, /staging, /chat; uses `disinto/edge:local` image built by `bin/disinto --with edge`; Vault-templated ops-repo creds via `service-dispatcher` policy (S5.1, #988) | | `jobs/edge.hcl` | submitted via `lib/init/nomad/deploy.sh` | Caddy reverse proxy + dispatcher sidecar; routes /forge, /woodpecker, /staging, /chat; uses `disinto/edge:local` image built by `bin/disinto --with edge`; Vault-templated ops-repo creds via `service-dispatcher` policy (S5.1, #988) |
Nomad auto-merges every `*.hcl` under `-config=/etc/nomad.d/`, so the Nomad auto-merges every `*.hcl` under `-config=/etc/nomad.d/`, so the

2
planner/AGENTS.md
View file

@ -1,4 +1,4 @@
<!-- last-reviewed: 8fc3ba5b59cd6cb15bd01ca0658cfea2bcb12068 --> <!-- last-reviewed: b05a31197cc78aa28f3c3e6365e782032bfb25af -->
# Planner Agent # Planner Agent
**Role**: Strategic planning using a Prerequisite Tree (Theory of Constraints), **Role**: Strategic planning using a Prerequisite Tree (Theory of Constraints),

2
predictor/AGENTS.md
View file

@ -1,4 +1,4 @@
<!-- last-reviewed: 8fc3ba5b59cd6cb15bd01ca0658cfea2bcb12068 --> <!-- last-reviewed: b05a31197cc78aa28f3c3e6365e782032bfb25af -->
# Predictor Agent # Predictor Agent
**Role**: Abstract adversary (the "goblin"). Runs a 2-step formula **Role**: Abstract adversary (the "goblin"). Runs a 2-step formula

2
review/AGENTS.md
View file

@ -1,4 +1,4 @@
<!-- last-reviewed: 8fc3ba5b59cd6cb15bd01ca0658cfea2bcb12068 --> <!-- last-reviewed: b05a31197cc78aa28f3c3e6365e782032bfb25af -->
# Review Agent # Review Agent
**Role**: AI-powered PR review — post structured findings and formal **Role**: AI-powered PR review — post structured findings and formal

2
supervisor/AGENTS.md
View file

@ -1,4 +1,4 @@
<!-- last-reviewed: 8fc3ba5b59cd6cb15bd01ca0658cfea2bcb12068 --> <!-- last-reviewed: b05a31197cc78aa28f3c3e6365e782032bfb25af -->
# Supervisor Agent # Supervisor Agent
**Role**: Health monitoring and auto-remediation, executed as a formula-driven **Role**: Health monitoring and auto-remediation, executed as a formula-driven

2
vault/policies/AGENTS.md
View file

@ -1,4 +1,4 @@
<!-- last-reviewed: 8fc3ba5b59cd6cb15bd01ca0658cfea2bcb12068 --> <!-- last-reviewed: b05a31197cc78aa28f3c3e6365e782032bfb25af -->
# vault/policies/ — Agent Instructions # vault/policies/ — Agent Instructions
HashiCorp Vault ACL policies for the disinto factory. One `.hcl` file per HashiCorp Vault ACL policies for the disinto factory. One `.hcl` file per