todo: tag retention, flake.nix tamper-check, sync_agents nix call
three things surfaced by the meta-flake overhaul + the nix CLI deprecation we just fixed worth tracking explicitly. extend the web-UI-for-config-repos entry to also cover the /meta deploy log now that meta's git history is the swarm-wide audit trail.
parent d202f3785c
commit 65bdde898e
1 changed files with 35 additions and 6 deletions
41
TODO.md
|
|
@ -62,6 +62,33 @@ Pick anything from here when relevant. Cross-cutting design notes live in
|
||||||
derived from the same config so the operator stays in control of
|
derived from the same config so the operator stays in control of
|
||||||
what's exposed.
|
what's exposed.
|
||||||
|
|
||||||
|
## Operational hygiene (post-meta-flake)
|
||||||
|
|
||||||
|
- **Tag retention.** Every approval mints up to 5 tags in
|
||||||
|
`applied/<n>/.git` (`proposal/`, `approved/`, `building/`,
|
||||||
|
`deployed/`, plus `failed/` or `denied/`). Every successful
|
||||||
|
deploy adds one commit to `/var/lib/hyperhive/meta/.git`.
|
||||||
|
Both grow unbounded. A retention policy — keep all
|
||||||
|
`deployed/*` indefinitely, age-out `failed/` + `denied/`
|
||||||
|
after N days, drop `proposal/` + `approved/` + `building/`
|
||||||
|
once a terminal sibling lands — would keep the audit
|
||||||
|
trails browsable without forever-growth.
|
||||||
|
|
||||||
|
- **Reject proposals that touch `flake.nix`.** The manager's
|
||||||
|
prompt says don't edit it, but nothing on the host side
|
||||||
|
enforces. Add a check in
|
||||||
|
`manager_server::submit_apply_commit`: after fetching the
|
||||||
|
proposal sha into applied, `git diff-tree <sha> -- flake.nix`
|
||||||
|
— non-empty diff → refuse + clear error message. Cheap
|
||||||
|
belt-and-suspenders.
|
||||||
|
|
||||||
|
- **Inert `nix flake lock` no-args call in `meta::sync_agents`.**
|
||||||
|
Still valid in current nix (resolves missing inputs without
|
||||||
|
bumping existing ones) but parallel to the deprecated
|
||||||
|
`--update-input` we just had to migrate. Worth keeping an
|
||||||
|
eye on; if it gets renamed too, sync_agents stops being
|
||||||
|
able to seed a fresh meta repo.
|
||||||
|
|
||||||
## Bugs
|
## Bugs
|
||||||
|
|
||||||
- **Pending question doesn't always appear on the dashboard.**
|
- **Pending question doesn't always appear on the dashboard.**
|
||||||
|
|
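Review bot: In the "Reject proposals that touch `flake.nix`" bullet, `git diff-tree <sha> -- flake.nix` with a single commit argument compares that commit only against its own parent, so if a proposal can carry more than one commit, a `flake.nix` change made in an earlier commit goes unnoticed, and by default the command prints nothing for a merge commit. Suggest writing the check in two-tree form against the commit currently deployed for that agent, for example `git diff-tree --quiet <deployed-sha> <sha> -- flake.nix` with refusal on a non-zero exit, so the comparison covers everything the proposal would change. It would also help to say whether `flake.lock` is in scope for the same check, and to give a starting value for the "N days" in the tag retention bullet so the policy can be implemented as written.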
@ -84,12 +111,14 @@ Pick anything from here when relevant. Cross-cutting design notes live in
|
||||||
|
|
||||||
## UI / UX
|
## UI / UX
|
||||||
|
|
||||||
- **Web UI for config repos.** Browse history, diffs, tags
|
- **Web UI for config repos + meta deploy log.** Browse
|
||||||
(proposed + approval/* + applied/*) per agent, all from the
|
per-agent proposed / applied tags
|
||||||
dashboard. Something lighter than a full forge — read-only
|
(`proposal/* / approved/* / building/* / deployed/* /
|
||||||
log + diff + raw-file view is enough. Pairs naturally with
|
failed/* / denied/*`) plus the swarm-wide meta repo's git
|
||||||
the upcoming config-repo overhaul (tags become the audit
|
log on the dashboard. Read-only log + diff + raw-file view
|
||||||
trail; UI surfaces them).
|
is enough — something lighter than a full forge. The meta
|
||||||
|
log already answers "what's deployed where + when"; this
|
||||||
|
surfaces it without an ssh-to-host detour.
|
||||||
|
|
||||||
- **xterm.js terminal** embedded per-agent, attached to a PTY exposed by
|
- **xterm.js terminal** embedded per-agent, attached to a PTY exposed by
|
||||||
the harness. Pairs well with the unprivileged-container work — would let
|
the harness. Pairs well with the unprivileged-container work — would let
|
||||||
|
|
|
||||||
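Review bot: The rewritten "Web UI for config repos + meta deploy log" entry says the view is read-only but does not say who may reach it, and it now covers the swarm-wide meta log ("what's deployed where + when") plus a raw-file view of config repos. Suggest adding one sentence on the access expectation for this view so the item is not implemented as an unauthenticated page. As a style point, the tag list is a single code span, `proposal/* / approved/* / building/* / deployed/* / failed/* / denied/*`, which reads like one path; separate code spans per pattern, as the "Tag retention" bullet does, would be clearer.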