actions::run_apply_commit through meta two-phase

approval-driven deploys now walk the meta flake via prepare_deploy / finalize_deploy / abort_deploy so a failed build leaves no commit in meta's deploy log: 1. capture applied/main sha for rollback 2. tag approved/<id> + building/<id> 3. ff applied/main to proposal/<id>, read-tree sync working tree 4. meta::prepare_deploy(name) — nix flake lock --update-input agent-<n> without committing 5. lifecycle::rebuild_no_meta — container-level only (new extracted helper; public lifecycle::rebuild still wraps it with single-phase meta sync + commit for dashboard / auto _update callers that don't care about rollback) 6a. on success: tag deployed/<id>, meta::finalize_deploy commits the staged lock with 'deploy <n> deployed/<id> <sha12>' 6b. on failure: tag failed/<id> annotated with the build error, git_update_ref applied/main back to prev sha, read-tree to main, meta::abort_deploy git-restores flake.lock meta's git log now records only successful deploys; failures + denials still live in applied as annotated tags.
2026-05-16 00:32:16 +02:00 · 2026-05-16 00:32:16 +02:00 · 06fdbac1ac
commit 06fdbac1ac
parent 22f35def8f
2 changed files with 92 additions and 29 deletions
--- a/hive-c0re/src/lifecycle.rs
+++ b/hive-c0re/src/lifecycle.rs
@ -280,16 +280,6 @@ pub async fn rebuild(
    notes_dir: &Path,
    dashboard_port: u16,
 ) -> Result<()> {
-    validate(name)?;
-    if let Some(other) = port_collision(name).await {
-        bail!(
-            "port {} is already taken by '{other}' — rename one of them and retry",
-            agent_web_port(name)
-        );
-    }
-    setup_applied(applied_dir, None, name).await?;
-    ensure_claude_dir(claude_dir)?;
-    ensure_state_dir(notes_dir)?;
    // Sync the meta flake (idempotent — no-op when the rendered
    // flake matches disk) so a manual rebuild from the dashboard
    // can also recover from a divergent meta repo (e.g. an agent
@ -301,6 +291,31 @@ pub async fn rebuild(
    // `applied/<n>/main` currently points at (deployed/<latest>).
    // Commits the lock if it changed.
    crate::meta::lock_update_for_rebuild(name).await?;
+    rebuild_no_meta(name, agent_dir, applied_dir, claude_dir, notes_dir).await
+}
+
+/// Container-level rebuild without touching the meta repo. Callers
+/// that own the meta side themselves (`actions::run_apply_commit`
+/// drives meta through the two-phase prepare/finalize/abort flow)
+/// use this directly. Public `rebuild` wraps it with idempotent meta
+/// sync + lock-bump-and-commit.
+pub async fn rebuild_no_meta(
+    name: &str,
+    agent_dir: &Path,
+    applied_dir: &Path,
+    claude_dir: &Path,
+    notes_dir: &Path,
+) -> Result<()> {
+    validate(name)?;
+    if let Some(other) = port_collision(name).await {
+        bail!(
+            "port {} is already taken by '{other}' — rename one of them and retry",
+            agent_web_port(name)
+        );
+    }
+    setup_applied(applied_dir, None, name).await?;
+    ensure_claude_dir(claude_dir)?;
+    ensure_state_dir(notes_dir)?;
    let container = container_name(name);
    let flake_ref = format!("{}#{name}", crate::meta::meta_dir().display());
    set_nspawn_flags(&container, agent_dir, claude_dir, notes_dir)?;