diff --git a/TODO.md b/TODO.md index a39b90d..1f6ec7d 100644 --- a/TODO.md +++ b/TODO.md @@ -62,6 +62,33 @@ Pick anything from here when relevant. Cross-cutting design notes live in derived from the same config so the operator stays in control of what's exposed. +## Operational hygiene (post-meta-flake) + +- **Tag retention.** Every approval mints up to 5 tags in + `applied//.git` (`proposal/`, `approved/`, `building/`, + `deployed/`, plus `failed/` or `denied/`). Every successful + deploy adds one commit to `/var/lib/hyperhive/meta/.git`. + Both grow unbounded. A retention policy — keep all + `deployed/*` indefinitely, age-out `failed/` + `denied/` + after N days, drop `proposal/` + `approved/` + `building/` + once a terminal sibling lands — would keep the audit + trails browsable without forever-growth. + +- **Reject proposals that touch `flake.nix`.** The manager's + prompt says don't edit it, but nothing on the host side + enforces. Add a check in + `manager_server::submit_apply_commit`: after fetching the + proposal sha into applied, `git diff-tree -- flake.nix` + — non-empty diff → refuse + clear error message. Cheap + belt-and-suspenders. + +- **Inert `nix flake lock` no-args call in `meta::sync_agents`.** + Still valid in current nix (resolves missing inputs without + bumping existing ones) but parallel to the deprecated + `--update-input` we just had to migrate. Worth keeping an + eye on; if it gets renamed too, sync_agents stops being + able to seed a fresh meta repo. + ## Bugs - **Pending question doesn't always appear on the dashboard.** 
@@ -84,12 +111,14 @@ Pick anything from here when relevant. Cross-cutting design notes live in ## UI / UX -- **Web UI for config repos.** Browse history, diffs, tags - (proposed + approval/* + applied/*) per agent, all from the - dashboard. Something lighter than a full forge — read-only - log + diff + raw-file view is enough. Pairs naturally with - the upcoming config-repo overhaul (tags become the audit - trail; UI surfaces them). +- **Web UI for config repos + meta deploy log.** Browse + per-agent proposed / applied tags + (`proposal/* / approved/* / building/* / deployed/* / + failed/* / denied/*`) plus the swarm-wide meta repo's git + log on the dashboard. Read-only log + diff + raw-file view + is enough — something lighter than a full forge. The meta + log already answers "what's deployed where + when"; this + surfaces it without an ssh-to-host detour. - **xterm.js terminal** embedded per-agent, attached to a PTY exposed by the harness. Pairs well with the unprivileged-container work — would let
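Review bot: In the first hunk, the "Reject proposals that touch `flake.nix`" item gives the check as `git diff-tree -- flake.nix` with no revisions named, so it is not clear what the proposal sha is compared against. With a single commit argument, `git diff-tree` compares that commit only with its parent, so a multi-commit proposal could change `flake.nix` in an earlier commit and still pass. Suggest the item name both ends of the comparison, meaning the base the proposal branched from in the applied repo and the proposal sha, so the whole proposal range is covered. Separately, the path `applied//.git` and the tag names `proposal/`, `approved/` and so on read as if a placeholder segment is missing. If an agent name or id belongs there, write it out in a form that survives rendering.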
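Review bot: In the second hunk, the rewritten "Web UI for config repos + meta deploy log" item ends with "surfaces it without an ssh-to-host detour", which makes the dashboard the access path for the meta log and the raw-file view, but the item does not say who is allowed to see them. Suggest adding a line on what access control the read-only view sits behind, since until now host ssh access was the gate. As a style point, the tag list is a single code span that uses " / " as a separator between names that themselves contain "/". Separate code spans (`proposal/*`, `approved/*`, ...) joined by commas would read unambiguously.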