dirtydishes/islandflow
1
0
Fork 0
Code Issues 2 Pull requests 4 Projects Releases Packages Wiki Activity Actions 1

fix native deploy ssh assumptions

Browse source
This commit is contained in:
dirtydishes 2026-05-19 19:40:20 -04:00
parent 4b8eaae0ee
commit e70835e9c4
3 changed files with 206 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

1
.beads/issues.jsonl
View file

@ -15,6 +15,7 @@
{"_type":"issue","id":"islandflow-ayo","title":"Drop stale backlog events from live fanout","description":"Follow-up to live freshness rollout: /ws/live was still fanning out stale backlog events for freshness-gated channels, which kept tape panes in Live feed behind despite active synthetic ingest. Gate fanout and cache ingest by freshness for options/nbbo/equities/flow.","status":"closed","priority":1,"issue_type":"bug","assignee":"dirtydishes","owner":"dishes@dpdrm.com","created_at":"2026-04-28T21:26:39Z","created_by":"dirtydishes","updated_at":"2026-04-28T21:26:44Z","started_at":"2026-04-28T21:26:44Z","closed_at":"2026-04-28T21:26:44Z","close_reason":"Completed","dependency_count":0,"dependent_count":0,"comment_count":0}
{"_type":"issue","id":"islandflow-0v6","title":"Fix tape freshness, NBBO coverage, pause controls, and filter popup","description":"Implement the tape fixes requested for synthetic options notional sizing, strict live freshness, live-mode pause/resume behavior, stronger NBBO snapshot coverage, and moving flow filters behind a popup. Includes server-side live cache changes, web terminal state/UI changes, and tests for synthetic pricing, live snapshot freshness/NBBO retention, and live pause/filter interactions.","status":"closed","priority":1,"issue_type":"task","assignee":"dirtydishes","owner":"dishes@dpdrm.com","created_at":"2026-04-28T21:02:52Z","created_by":"dirtydishes","updated_at":"2026-04-28T21:13:38Z","started_at":"2026-04-28T21:02:57Z","closed_at":"2026-04-28T21:13:38Z","close_reason":"Completed","dependency_count":0,"dependent_count":0,"comment_count":0}
{"_type":"issue","id":"islandflow-e4r","title":"Implement smart-money flow filtering and synthetic firehose modes","description":"Implement the approved multi-surface plan for named synthetic market profiles, options raw-vs-signal filtering, live/API filter contracts, Tape page client-side flow filters, firehose-readiness improvements, tests, and README updates.","status":"closed","priority":1,"issue_type":"feature","assignee":"dirtydishes","owner":"dishes@dpdrm.com","created_at":"2026-04-28T20:10:49Z","created_by":"dirtydishes","updated_at":"2026-04-28T20:29:29Z","started_at":"2026-04-28T20:10:53Z","closed_at":"2026-04-28T20:29:29Z","close_reason":"Implemented synthetic market profiles, options signal-path filtering, signal-aware API/replay contracts, Tape page filters, tests, and README updates. Follow-up tracked in islandflow-biq.","dependency_count":0,"dependent_count":0,"comment_count":0}
{"_type":"issue","id":"islandflow-fmg","title":"Fix native deploy SSH path and verification cwd assumptions","description":"Native deploys over SSH assumed bun was already on PATH and that remote verification would run from the repository root. On the live VPS, non-login SSH shells omitted /home/delta/.bun/bin and remote native verification could not find deployment/native/check-native-infra.sh because it ran from the home directory. Update the deploy helper to prepend /Users/kell/.bun/bin when present and cd into the repo before native verification checks run.","status":"open","priority":2,"issue_type":"bug","owner":"dishes@dpdrm.com","created_at":"2026-05-19T23:38:32Z","created_by":"dirtydishes","updated_at":"2026-05-19T23:38:32Z","dependency_count":0,"dependent_count":0,"comment_count":0}
{"_type":"issue","id":"islandflow-wf5","title":"Harden native options provider configuration after synthetic recovery","description":"Native production recovery restored OPTIONS_INGEST_ADAPTER=synthetic because the current Alpaca setup fails authentication and crash-loops ingest-options. Follow up by deciding whether production options should remain synthetic or move to a supported live provider auth path, then add a deploy-time smoke test or config validation that catches provider auth failures before native cutover.","status":"open","priority":2,"issue_type":"task","owner":"dishes@dpdrm.com","created_at":"2026-05-19T23:27:51Z","created_by":"dirtydishes","updated_at":"2026-05-19T23:27:51Z","dependency_count":0,"dependent_count":0,"comment_count":0}
{"_type":"issue","id":"islandflow-m83","title":"Restore options ingestion and print generation on native deployment","description":"After moving the production/VPS deployment from Docker-managed services to the native runtime, the options feed appears behind and fresh option prints are not reaching the UI. Investigate the native deployment path on the server, identify the ingestion or compute breakage, apply the required code and/or host configuration changes, validate that fresh option prints resume, and document any follow-up operational work.","status":"closed","priority":2,"issue_type":"bug","assignee":"dirtydishes","owner":"dishes@dpdrm.com","created_at":"2026-05-19T23:20:01Z","created_by":"dirtydishes","updated_at":"2026-05-19T23:27:52Z","started_at":"2026-05-19T23:20:10Z","closed_at":"2026-05-19T23:27:52Z","close_reason":"Restored native options ingest by switching the VPS back to the last known-good synthetic adapter, verified fresh option prints and compute output, and documented the native env precedence gotcha.","dependency_count":0,"dependent_count":0,"comment_count":0}
{"_type":"issue","id":"islandflow-o1v","title":"Add SCM provider layer with Forgejo detection","description":"Implement provider-aware source-control detection and mirror-aware guardrails for repo automation so Forgejo remotes are treated as authoritative when present.","status":"closed","priority":2,"issue_type":"feature","assignee":"dirtydishes","owner":"dishes@dpdrm.com","created_at":"2026-05-19T23:04:33Z","created_by":"dirtydishes","updated_at":"2026-05-19T23:06:55Z","started_at":"2026-05-19T23:04:35Z","closed_at":"2026-05-19T23:06:55Z","close_reason":"created by mistake during interrupted turn; no implementation was started","dependency_count":0,"dependent_count":0,"comment_count":0}

191
docs/turns/2026-05-19-harden-native-ssh-deploy-checks.html Normal file
View file

@ -0,0 +1,191 @@
<!doctype html>
<html lang="en">
<head>
<meta charset="utf-8" />
<meta name="viewport" content="width=device-width, initial-scale=1" />
<title>2026-05-19 Harden Native SSH Deploy Checks</title>
<style>
:root {
color-scheme: light;
--bg: #f6f4f8;
--surface: #ffffff;
--ink: #1f1726;
--muted: #5f536d;
--line: #ddd4e6;
--accent: #7c4dff;
--accent-soft: #efe7ff;
--code-bg: #17131d;
--code-ink: #f7f2ff;
}
* { box-sizing: border-box; }
body {
margin: 0;
font-family: Inter, ui-sans-serif, system-ui, sans-serif;
background: var(--bg);
color: var(--ink);
line-height: 1.55;
}
main {
max-width: 980px;
margin: 0 auto;
padding: 40px 24px 72px;
}
header, section {
background: var(--surface);
border: 1px solid var(--line);
border-radius: 14px;
padding: 24px;
margin-bottom: 18px;
}
h1, h2 {
margin: 0 0 12px;
line-height: 1.15;
}
h1 { font-size: 2rem; }
h2 { font-size: 1.15rem; }
.lede {
font-size: 1.05rem;
color: var(--muted);
}
.meta {
display: inline-block;
margin-top: 10px;
padding: 6px 10px;
border-radius: 999px;
background: var(--accent-soft);
color: var(--accent);
font-size: 0.9rem;
font-weight: 600;
}
ul {
margin: 0;
padding-left: 18px;
}
pre {
margin: 0;
padding: 16px;
overflow: auto;
border-radius: 10px;
background: var(--code-bg);
color: var(--code-ink);
}
code {
font-family: "SFMono-Regular", ui-monospace, monospace;
font-size: 0.94rem;
}
.note {
margin-top: 10px;
color: var(--muted);
font-size: 0.92rem;
}
</style>
</head>
<body>
<main>
<header>
<h1>Harden Native SSH Deploy Checks</h1>
<p class="lede">
Native deploys over SSH were failing for avoidable operator reasons: the remote shell did not inherit Bun's install path, and native verification assumed it was already running from the repository root before it called checked-in health scripts. This patch makes the SSH path more forgiving and fixes the verification working directory.
</p>
<div class="meta">Generated 2026-05-19 19:38 EDT</div>
</header>
<section>
<h2>Summary</h2>
<p>
Updated <code>scripts/deploy.ts</code> so native SSH deploys prepend <code>$HOME/.bun/bin</code> when it exists, and native verification now explicitly <code>cd</code>s into the remote repo before running the checked-in health helpers.
</p>
</section>
<section>
<h2>Changes Made</h2>
<ul>
<li>Prepended <code>$HOME/.bun/bin</code> during native remote precheck when available.</li>
<li>Prepended <code>$HOME/.bun/bin</code> during native remote rollout when available.</li>
<li>Changed native remote verification to run from <code>/home/delta/islandflow</code> before calling <code>deployment/native/check-native-infra.sh</code>.</li>
</ul>
</section>
<section>
<h2>Context</h2>
<p>
During a live native rollout, the deploy helper failed first because the non-login SSH shell could not find <code>bun</code> even though it was installed under the deploy user's home directory. After that was corrected on the host, worker rollout still reported failure because remote verification executed from the home directory and could not resolve the relative path to the checked-in infra check script.
</p>
</section>
<section>
<h2>Important Implementation Details</h2>
<ul>
<li>The fallback only adjusts <code>PATH</code> when <code>$HOME/.bun/bin/bun</code> exists, so it stays harmless on hosts that already expose Bun globally.</li>
<li>The repo-root <code>cd</code> keeps the existing relative helper calls intact instead of hardcoding every individual script path in multiple places.</li>
<li>This change improves SSH-based deploys without changing local-server deploy behavior.</li>
</ul>
</section>
<section>
<h2>Relevant Diff Snippets</h2>
<p class="note">Unified diff blocks below are formatted for diffs-compatible rendering.</p>
<pre><code class="language-diff">diff --git a/scripts/deploy.ts b/scripts/deploy.ts
@@ -754,6 +754,10 @@ set -euo pipefail
cd ${shellEscape(REMOTE_REPO)}
+if [[ -x "$HOME/.bun/bin/bun" ]]; then
+ export PATH="$HOME/.bun/bin:$PATH"
+fi
+
if ! command -v bun >/dev/null 2>&1; then
@@ -855,6 +859,10 @@ set -euo pipefail
+if [[ -x "$HOME/.bun/bin/bun" ]]; then
+ export PATH="$HOME/.bun/bin:$PATH"
+fi
+
${remoteGitUpdateScript(mode, remote, branch)}
@@ -943,6 +951,12 @@ set -euo pipefail
+cd ${shellEscape(REMOTE_REPO)}
+
+if [[ -x "$HOME/.bun/bin/bun" ]]; then
+ export PATH="$HOME/.bun/bin:$PATH"
+fi
+
declare -a units=(${units})</code></pre>
</section>
<section>
<h2>Expected Impact for End-Users</h2>
<p>
End users should see fewer failed native deploy attempts and fewer partial restarts caused by tooling assumptions rather than application health. This lowers the odds of avoidable downtime during native rollouts.
</p>
</section>
<section>
<h2>Validation</h2>
<ul>
<li>Observed the original failures during live rollout: missing <code>bun</code> in SSH PATH and missing <code>deployment/native/check-native-infra.sh</code> during remote verification.</li>
<li>Used the patched operational path to complete native worker, API, and web rollouts successfully on the VPS.</li>
<li>Verified API health at <code>http://127.0.0.1:4000/health</code> and web health at both <code>http://127.0.0.1:3000/</code> and <code>https://flow.deltaisland.io</code>.</li>
</ul>
</section>
<section>
<h2>Issues, Limitations, and Mitigations</h2>
<ul>
<li>This patch does not solve the separate <code>ingest-news</code> credential problem. Full native deploys still need that unit and provider path to be made healthy before they are completely clean.</li>
<li>The VPS also needed a host-level Bun symlink during this recovery. The repo patch reduces dependence on that fix for future SSH deploys but does not remove it retroactively.</li>
</ul>
</section>
<section>
<h2>Follow-up Work</h2>
<ul>
<li><code>islandflow-fmg</code>: Keep the deploy helper aligned with the actual VPS runtime assumptions and add regression checks around native verification paths.</li>
<li><code>islandflow-wf5</code>: Decide whether <code>ingest-news</code> and live options should stay provider-backed or remain intentionally synthetic until auth is hardened.</li>
</ul>
</section>
</main>
</body>
</html>

14
scripts/deploy.ts
View file

@ -754,6 +754,10 @@ set -euo pipefail
cd ${shellEscape(REMOTE_REPO)}
if [[ -x "$HOME/.bun/bin/bun" ]]; then
export PATH="$HOME/.bun/bin:$PATH"
fi
if ! command -v bun >/dev/null 2>&1; then
echo "Refusing native rollout: bun is not installed on the server." >&2
echo "The current supported VPS path remains --runtime docker." >&2
@ -855,6 +859,10 @@ function remoteNativeRollout(
`#!/usr/bin/env bash
set -euo pipefail
if [[ -x "$HOME/.bun/bin/bun" ]]; then
export PATH="$HOME/.bun/bin:$PATH"
fi
${remoteGitUpdateScript(mode, remote, branch)}
cd ${shellEscape(REMOTE_REPO)}
@ -943,6 +951,12 @@ function remoteNativeVerification(scope: DeployScope, fast: boolean): void {
`#!/usr/bin/env bash
set -euo pipefail
cd ${shellEscape(REMOTE_REPO)}
if [[ -x "$HOME/.bun/bin/bun" ]]; then
export PATH="$HOME/.bun/bin:$PATH"
fi
declare -a units=(${units})
for unit in "\${units[@]}"; do
${NATIVE_SYSTEMCTL_PREFIX} is-active --quiet "$unit"