chore(deploy): preflight docker workspace snapshot sync

2026-05-15 19:04:15 -04:00 · 2026-05-15 19:04:15 -04:00 · 803740190c
commit 803740190c
parent 0db40562ee
5 changed files with 166 additions and 23 deletions
--- a/.beads/issues.jsonl
+++ b/.beads/issues.jsonl
@ -1,3 +1,4 @@
+{"_type":"issue","id":"islandflow-k4f","title":"Gate deploy script on docker workspace snapshot sync","description":"Prevent frozen-lockfile build failures during deploy by adding a local preflight in scripts/deploy.ts that runs bun run check:docker-workspace and aborts with a clear sync+commit remediation message when stale.","status":"closed","priority":1,"issue_type":"task","assignee":"dirtydishes","owner":"dishes@dpdrm.com","created_at":"2026-05-15T23:01:44Z","created_by":"dirtydishes","updated_at":"2026-05-15T23:04:11Z","started_at":"2026-05-15T23:01:48Z","closed_at":"2026-05-15T23:04:11Z","close_reason":"Closed","dependency_count":0,"dependent_count":0,"comment_count":0}
 {"_type":"issue","id":"islandflow-xll","title":"Fix bun.lock drift causing frozen-lockfile Docker build failures","description":"Docker image builds fail in multiple targets (candles, web, ingest services) because bun install --frozen-lockfile detects lockfile changes. Update workspace lockfile to match manifests and verify frozen install succeeds.","status":"closed","priority":1,"issue_type":"bug","assignee":"dirtydishes","owner":"dishes@dpdrm.com","created_at":"2026-05-15T22:52:38Z","created_by":"dirtydishes","updated_at":"2026-05-15T22:55:23Z","started_at":"2026-05-15T22:52:40Z","closed_at":"2026-05-15T22:55:23Z","close_reason":"Closed","dependency_count":0,"dependent_count":0,"comment_count":0}
 {"_type":"issue","id":"islandflow-9nd","title":"Hosted synthetic tape redesign with internal control surface","description":"Implement hosted synthetic market redesign with shared deterministic regime engine, internal JetStream KV control plane, ingest coupling across options and equities, and an internal bottom-right synthetic-control drawer with Next proxy routes. Preserve the six public smart-money categories while adding hidden subtype families, soft coverage accounting, and backend-only admin endpoints.\n","status":"closed","priority":1,"issue_type":"feature","assignee":"dirtydishes","owner":"dishes@dpdrm.com","created_at":"2026-05-14T01:25:02Z","created_by":"dirtydishes","updated_at":"2026-05-14T02:10:03Z","started_at":"2026-05-14T01:25:09Z","closed_at":"2026-05-14T02:10:03Z","close_reason":"Completed","dependency_count":0,"dependent_count":0,"comment_count":0}
 {"_type":"issue","id":"islandflow-9dz","title":"Tune synthetic smart-money scenario coverage","description":"Redesign synthetic smart-money option prints so the emitted scenarios trigger each classifier category more consistently while staying directionally plausible. Focus on scenario mix, DTE/moneyness, price placement, and event/structure context so the Electron demo reliably shows institutional directional, retail whale, event-driven, vol seller, arbitrage, and hedge reactive hits.\n","status":"in_progress","priority":1,"issue_type":"task","assignee":"dirtydishes","owner":"dishes@dpdrm.com","created_at":"2026-05-13T21:36:37Z","created_by":"dirtydishes","updated_at":"2026-05-13T21:36:41Z","started_at":"2026-05-13T21:36:41Z","dependency_count":0,"dependent_count":0,"comment_count":0}
--- a/bun.lock
+++ b/bun.lock
@ -39,6 +39,7 @@
    "packages/bus": {
      "name": "@islandflow/bus",
      "dependencies": {
+        "@islandflow/types": "workspace:*",
        "nats": "^2.24.0",
      },
    },
--- a/deployment/docker/workspace-root/bun.lock
+++ b/deployment/docker/workspace-root/bun.lock
@ -39,6 +39,7 @@
    "packages/bus": {
      "name": "@islandflow/bus",
      "dependencies": {
+        "@islandflow/types": "workspace:*",
        "nats": "^2.24.0",
      },
    },
--- a/docs/turns/2026-05-15-deploy-preflight-docker-workspace-check.html
+++ b/docs/turns/2026-05-15-deploy-preflight-docker-workspace-check.html
@ -0,0 +1,83 @@
+<!doctype html>
+<html lang="en">
+<head>
+  <meta charset="utf-8">
+  <meta name="viewport" content="width=device-width, initial-scale=1">
+  <title>Turn Report - 2026-05-15 - Deploy preflight docker workspace check</title>
+  <style>
+    body { font-family: -apple-system, BlinkMacSystemFont, "Segoe UI", sans-serif; line-height: 1.5; margin: 2rem auto; max-width: 920px; padding: 0 1rem; }
+    h1, h2 { line-height: 1.25; }
+    code, pre { font-family: ui-monospace, SFMono-Regular, Menlo, Monaco, Consolas, monospace; }
+    pre { background: #f6f8fa; border-radius: 8px; padding: 0.75rem; overflow-x: auto; }
+    .summary { background: #eef6ff; border: 1px solid #cfe3ff; border-radius: 8px; padding: 0.85rem 1rem; }
+  </style>
+</head>
+<body>
+  <h1>Turn Report: Deploy script preflight guard for Docker workspace snapshot</h1>
+  <p><strong>Date/Time:</strong> 2026-05-15 19:03:09 EDT</p>
+
+  <h2>Summary</h2>
+  <div class="summary">
+    Updated <code>scripts/deploy.ts</code> so <code>./deploy</code> now fails fast when
+    <code>deployment/docker/workspace-root</code> is stale. The script now runs
+    <code>bun run check:docker-workspace</code> during local prechecks and prints a clear remediation
+    message to run sync + commit before deployment.
+  </div>
+
+  <h2>Changes Made</h2>
+  <ul>
+    <li>Created <code>localWorkspaceSnapshotPrecheck()</code> in <code>scripts/deploy.ts</code>.</li>
+    <li>Added preflight invocation to both deployment modes:
+      <ul>
+        <li><code>localMainPrecheck()</code></li>
+        <li><code>localBranchPrecheck()</code></li>
+      </ul>
+    </li>
+    <li>On failure, deploy now exits with an explicit message:</li>
+  </ul>
+  <pre>Refusing deploy: deployment/docker/workspace-root is out of sync.
+Run bun run sync:docker-workspace, commit updated snapshot files, then retry deploy.</pre>
+  <ul>
+    <li>Refreshed lock state to keep checks green:
+      <ul>
+        <li><code>bun.lock</code></li>
+        <li><code>deployment/docker/workspace-root/bun.lock</code></li>
+      </ul>
+    </li>
+  </ul>
+
+  <h2>Context</h2>
+  <p>
+    The deployment compose stack builds from a snapshot under
+    <code>deployment/docker/workspace-root</code>. If that snapshot drifts from the active
+    workspace graph, Docker build-time <code>bun install --frozen-lockfile</code> fails remotely.
+    This change catches drift locally before any remote rollout starts.
+  </p>
+
+  <h2>Important Implementation Details</h2>
+  <ul>
+    <li>Preflight uses <code>spawnSync("bun", ["run", "check:docker-workspace"])</code> with inherited stdio for transparent output.</li>
+    <li>Failure exits with the same non-zero status, preserving script CI/shell behavior.</li>
+    <li>Guard applies to both <code>./deploy main</code> and <code>./deploy current-branch</code> flows.</li>
+  </ul>
+
+  <h2>Validation</h2>
+  <ul>
+    <li>Passed: <code>bun run scripts/deploy.ts --help</code></li>
+    <li>Passed: <code>bun run check:docker-workspace</code> (after lock sync)</li>
+  </ul>
+
+  <h2>Issues, Limitations, and Mitigations</h2>
+  <ul>
+    <li><strong>Limitation:</strong> Did not execute a full remote deploy during this turn.</li>
+    <li><strong>Mitigation:</strong> The guard is in the local precheck path, so next real deploy run will enforce the new check automatically.</li>
+  </ul>
+
+  <h2>Follow-up Work</h2>
+  <ul>
+    <li>Optional defense-in-depth: run <code>bun run check:docker-workspace</code> on the server in remote rollout before <code>docker compose up -d --build</code>.</li>
+    <li>Optional CI gate: add <code>bun run check:docker-workspace</code> to PR checks to prevent stale snapshots reaching <code>main</code>.</li>
+    <li>Beads issue: <code>islandflow-k4f</code>.</li>
+  </ul>
+</body>
+</html>
--- a/scripts/deploy.ts
+++ b/scripts/deploy.ts
@ -11,16 +11,32 @@ const REMOTE_HOST = "delta@152.53.80.229";
 const REMOTE_REPO = "/home/delta/islandflow";
 const REMOTE_DEPLOYMENT = "/home/delta/islandflow/deployment/docker";
 const SSH_KEY = path.join(process.env.HOME ?? "", ".ssh", "delta_ed25519");
-const SSH_OPTIONS = ["-i", SSH_KEY, "-o", "IdentitiesOnly=yes", "-o", "BatchMode=yes"];
+const SSH_OPTIONS = [
+  "-i",
+  SSH_KEY,
+  "-o",
+  "IdentitiesOnly=yes",
+  "-o",
+  "BatchMode=yes",
+];
 const ALLOWED_REMOTE_UNTRACKED = new Set([
  "deployment/docker/signal-cli-0.14.3-Linux-native.tar.gz",
-  "deployment/npm/"
+  "deployment/npm/",
 ]);
 const API_CONTAINER = "islandflow-vps-api-1";
 const WEB_CONTAINER = "islandflow-vps-web-1";
-const PUBLIC_APP_URL = process.env.DEPLOY_PUBLIC_APP_URL?.trim() || "https://flow.deltaisland.io";
-const PUBLIC_API_HEALTH_URL = process.env.DEPLOY_PUBLIC_API_HEALTH_URL?.trim() || null;
-const LOG_SERVICES = ["api", "web", "compute", "candles", "ingest-options", "ingest-equities"];
+const PUBLIC_APP_URL =
+  process.env.DEPLOY_PUBLIC_APP_URL?.trim() || "https://flow.deltaisland.io";
+const PUBLIC_API_HEALTH_URL =
+  process.env.DEPLOY_PUBLIC_API_HEALTH_URL?.trim() || null;
+const LOG_SERVICES = [
+  "api",
+  "web",
+  "compute",
+  "candles",
+  "ingest-options",
+  "ingest-equities",
+];

 const scriptPath = fileURLToPath(import.meta.url);
 const repoRoot = path.resolve(path.dirname(scriptPath), "..");
@ -55,12 +71,16 @@ function formatCommand(command: string, args: string[]): string {
    .join(" ");
 }

-function runChecked(command: string, args: string[], options: SpawnSyncOptions = {}): void {
+function runChecked(
+  command: string,
+  args: string[],
+  options: SpawnSyncOptions = {},
+): void {
  console.log(`$ ${formatCommand(command, args)}`);
  const result = spawnSync(command, args, {
    cwd: repoRoot,
    stdio: "inherit",
-    ...options
+    ...options,
  });

  if (result.status !== 0) {
@ -68,12 +88,16 @@ function runChecked(command: string, args: string[], options: SpawnSyncOptions =
  }
 }

-function captureChecked(command: string, args: string[], options: SpawnSyncOptions = {}): string {
+function captureChecked(
+  command: string,
+  args: string[],
+  options: SpawnSyncOptions = {},
+): string {
  const result = spawnSync(command, args, {
    cwd: repoRoot,
    encoding: "utf8",
    stdio: ["inherit", "pipe", "pipe"],
-    ...options
+    ...options,
  });

  if (result.status !== 0) {
@ -84,7 +108,11 @@ function captureChecked(command: string, args: string[], options: SpawnSyncOptio
  return result.stdout ?? "";
 }

-function runRemoteScript(title: string, script: string, args: string[] = []): void {
+function runRemoteScript(
+  title: string,
+  script: string,
+  args: string[] = [],
+): void {
  section(title);
  const sshArgs = [...SSH_OPTIONS, REMOTE_HOST, "bash", "-s", "--", ...args];
  console.log(`$ ${formatCommand("ssh", sshArgs)}`);
@ -92,7 +120,7 @@ function runRemoteScript(title: string, script: string, args: string[] = []): vo
    cwd: repoRoot,
    input: script,
    encoding: "utf8",
-    stdio: ["pipe", "inherit", "inherit"]
+    stdio: ["pipe", "inherit", "inherit"],
  });

  if (result.status !== 0) {
@ -100,7 +128,10 @@ function runRemoteScript(title: string, script: string, args: string[] = []): vo
  }
 }

-function parseArgs(rawArgs: string[]): { mode: DeployMode; forceRecreate: boolean } {
+function parseArgs(rawArgs: string[]): {
+  mode: DeployMode;
+  forceRecreate: boolean;
+} {
  if (rawArgs.includes("--help") || rawArgs.includes("-h")) {
    usage(0);
  }
@ -114,7 +145,9 @@ function parseArgs(rawArgs: string[]): { mode: DeployMode; forceRecreate: boolea

  if (
    (positional.length === 1 && positional[0] === "current-branch") ||
-    (positional.length === 2 && positional[0] === "current" && positional[1] === "branch")
+    (positional.length === 2 &&
+      positional[0] === "current" &&
+      positional[1] === "branch")
  ) {
    return { mode: "current-branch", forceRecreate };
  }
@ -129,12 +162,28 @@ function assertSshKeyExists(): void {
  }
 }

+function localWorkspaceSnapshotPrecheck(): void {
+  console.log("$ bun run check:docker-workspace");
+  const result = spawnSync("bun", ["run", "check:docker-workspace"], {
+    cwd: repoRoot,
+    stdio: "inherit",
+  });
+
+  if (result.status !== 0) {
+    console.error(
+      "Refusing deploy: deployment/docker/workspace-root is out of sync. Run `bun run sync:docker-workspace`, commit updated snapshot files, then retry deploy.",
+    );
+    process.exit(result.status ?? 1);
+  }
+}
+
 function localMainPrecheck(): void {
  section("Local Precheck");
  runChecked("git", ["fetch", "origin"]);
  runChecked("git", ["status", "--short", "--branch"]);
  runChecked("git", ["rev-parse", "--verify", "HEAD"]);
  runChecked("git", ["rev-parse", "origin/main"]);
+  localWorkspaceSnapshotPrecheck();
 }

 function currentBranchName(): string {
@ -155,10 +204,12 @@ function localBranchPrecheck(branch: string): void {
  const porcelain = captureChecked("git", ["status", "--porcelain=v1"]).trim();
  if (porcelain) {
    console.error(
-      `Refusing to deploy ${branch} with uncommitted local changes. Commit the intended state first.`
+      `Refusing to deploy ${branch} with uncommitted local changes. Commit the intended state first.`,
    );
    process.exit(1);
  }
+
+  localWorkspaceSnapshotPrecheck();
 }

 function publishCurrentBranch(branch: string): void {
@ -169,8 +220,8 @@ function publishCurrentBranch(branch: string): void {
    {
      cwd: repoRoot,
      encoding: "utf8",
-      stdio: ["inherit", "pipe", "pipe"]
-    }
+      stdio: ["inherit", "pipe", "pipe"],
+    },
  );

  if (upstreamResult.status === 0) {
@ -218,12 +269,18 @@ while IFS= read -r line; do
      ;;
  esac
 done <<< "$status"
-`
+`,
  );
 }

-function remoteRollout(mode: DeployMode, branch: string | null, forceRecreate: boolean): void {
-  const composeArgs = forceRecreate ? "up -d --build --force-recreate" : "up -d --build";
+function remoteRollout(
+  mode: DeployMode,
+  branch: string | null,
+  forceRecreate: boolean,
+): void {
+  const composeArgs = forceRecreate
+    ? "up -d --build --force-recreate"
+    : "up -d --build";
  const switchCommand =
    mode === "main"
      ? `git switch main
@ -242,7 +299,7 @@ ${switchCommand}

 cd "${REMOTE_DEPLOYMENT}"
 docker compose ${composeArgs}
-`
+`,
  );
 }

@ -257,7 +314,7 @@ docker compose ps
 docker compose logs --tail=100 ${LOG_SERVICES.join(" ")}
 docker exec ${API_CONTAINER} bun -e 'const r = await fetch("http://127.0.0.1:4000/health"); console.log(await r.text())'
 docker exec ${WEB_CONTAINER} bun -e 'const r = await fetch("http://127.0.0.1:3000/"); console.log(r.status)'
-`
+`,
  );
 }

@ -271,7 +328,7 @@ function publicVerification(): void {
  }

  console.log(
-    "Skipping separate public API health check; same-origin mode relies on the public app check plus container-local API verification."
+    "Skipping separate public API health check; same-origin mode relies on the public app check plus container-local API verification.",
  );
 }

@ -293,7 +350,7 @@ function main(): void {
  console.log(
    mode === "main"
      ? "Deploying origin/main to the existing Islandflow VPS checkout."
-      : "Deploying the current local branch to the existing Islandflow VPS checkout."
+      : "Deploying the current local branch to the existing Islandflow VPS checkout.",
  );

  if (mode === "main") {