fix: route decision CLI to NC01 k8s
Pipelines as Code CI / hwlab-web-probe-sentinel-nc01- Success

This commit is contained in:
Codex
2026-07-09 20:13:40 +02:00
parent c1f0a2ac6b
commit c4ee6bcc90
3 changed files with 121 additions and 30 deletions
+14
View File
@@ -23,6 +23,19 @@ NC01 databases run on host-native PostgreSQL, not Docker or Kubernetes. Kubernet
For HWLAB v0.3, the Kubernetes Service `nc01-host-postgres` in namespace `hwlab-v03` points to host PostgreSQL at `10.42.0.1:5432`. Runtime database Secrets are sourced from `.state/secrets/hwlab/*` via YAML sourceRef and must only be reported as present/fingerprint metadata, never as full values.
## Decision Center
Decision Center production runs on NC01 k8s in namespace `unidesk`, not on a bare Docker/Compose runtime and not on the old D601 Decision Center path. Runtime objects are `deployment/decision-center` and `service/decision-center`; GitHub storage credentials are distributed through the `decision-center-github-ssh` Secret and must only be reported as object/key presence or fingerprint metadata.
The durable store is the GitHub repo `pikasTech/decision-center-data` on branch `main`, with base path `data`. PostgreSQL is the service index/cache, not the durable source of truth. After data migration or repair, validate both layers:
- service health shows `storage.primary=github-repo`, `recordCount` and `diaryEntryCount`;
- `/api/storage/verify` reports cache and repo index counts with zero deltas;
- the repo worktree HEAD and `git ls-remote origin refs/heads/main` match;
- `bun scripts/cli.ts decision health`, `decision list` and `decision diary list` succeed through the NC01 k8s entrypoint.
When exporting legacy PostgreSQL data, do not stream Markdown bodies as plain JSONL through terminal output. Use a single-line-safe encoding such as hex-encoded JSON per row, write a manifest with row counts and SHA-256, transfer the bundle through `trans download/upload`, then compare canonical source and target hashes before claiming migration complete.
## GitHub Token
The local GitHub token source is `.env/gh_token.txt`. It must be stored as a bare token and consumed through controlled YAML/sourceRef or temporary non-printing credential helpers. Do not place the token in command argv, logs, committed files, or rendered manifests.
@@ -37,5 +50,6 @@ Web-probe sentinel deployments that need public ingress must declare their own Y
- Provider/trans: `scripts/trans NC01 argv true`.
- NC01 k8s route: `scripts/trans NC01:k3s kubectl get nodes -o wide`.
- Decision Center: `bun scripts/cli.ts decision health`; drill-down storage verification can be run inside the NC01 `decision-center` Pod against `/api/storage/verify`.
- HWLAB v0.3: `bun scripts/cli.ts hwlab nodes control-plane status --node NC01 --lane v03 --full`.
- AgentRun v0.2: `bun scripts/cli.ts agentrun control-plane status --node NC01 --lane nc01-v02`.