// SPEC: PJ2026-01060305 AgentRun execution policy + PJ2026-01020108 cancel lifecycle draft-2026-06-25-p0. // Renders AgentRun YAML lane policy into runtime manager environment. import { createHash } from "node:crypto"; import type { AgentRunLaneSpec } from "./agentrun-lanes"; export interface AgentRunArtifactService { readonly serviceId: string; readonly image: string; readonly digest: string; readonly repositoryDigest: string; readonly imageTag: string; readonly artifactKind: string; readonly status: string; readonly envIdentity: string; readonly envImage: string; readonly envDigest: string; readonly envRepositoryDigest: string; readonly bootCommit: string; readonly bootScript: string; readonly provenance: Record; } export interface AgentRunArtifactCatalog { readonly lane: string; readonly sourceBranch: string; readonly gitopsBranch: string; readonly sourceCommitId: string; readonly summary: string; readonly services: readonly AgentRunArtifactService[]; } export interface AgentRunGitopsRenderInput { readonly sourceCommit: string; readonly image: AgentRunArtifactService; } export interface AgentRunRenderedFile { readonly path: string; readonly content: string; } export function renderAgentRunControlPlaneManifests(spec: AgentRunLaneSpec): readonly Record[] { return [ { apiVersion: "v1", kind: "Namespace", metadata: { name: spec.ci.namespace } }, { apiVersion: "v1", kind: "ServiceAccount", metadata: { name: spec.ci.serviceAccountName, namespace: spec.ci.namespace, labels: agentRunLabels(spec), }, }, { apiVersion: "rbac.authorization.k8s.io/v1", kind: "Role", metadata: { name: spec.ci.serviceAccountName, namespace: spec.ci.namespace, labels: agentRunLabels(spec), }, rules: [ { apiGroups: ["tekton.dev"], resources: ["pipelineruns", "taskruns"], verbs: ["get", "list", "watch", "create", "patch", "update"] }, { apiGroups: [""], resources: ["pods", "pods/log", "secrets", "configmaps", "persistentvolumeclaims"], verbs: ["get", "list", "watch", "create", "patch", "update", "delete"] }, ], }, { apiVersion: "rbac.authorization.k8s.io/v1", kind: "RoleBinding", metadata: { name: spec.ci.serviceAccountName, namespace: spec.ci.namespace, labels: agentRunLabels(spec), }, subjects: [{ kind: "ServiceAccount", name: spec.ci.serviceAccountName }], roleRef: { apiGroup: "rbac.authorization.k8s.io", kind: "Role", name: spec.ci.serviceAccountName }, }, agentRunPipelineManifest(spec), agentRunArgoProjectManifest(spec), agentRunArgoApplicationManifest(spec), ]; } export function renderAgentRunGitopsFiles(spec: AgentRunLaneSpec, input: AgentRunGitopsRenderInput): readonly AgentRunRenderedFile[] { const catalog = agentRunArtifactCatalog(spec, input.sourceCommit, input.image); const source = { lane: spec.version, sourceCommit: input.sourceCommit, generatedBy: "unidesk config/agentrun.yaml", configSource: "config/agentrun.yaml", }; return [ { path: "source.json", content: `${JSON.stringify(source, null, 2)}\n` }, { path: spec.deployment.artifactCatalogPath, content: `${JSON.stringify(catalog, null, 2)}\n` }, { path: `${spec.deployment.gitopsRoot}/argocd/project.yaml`, content: yaml(agentRunArgoProjectManifest(spec)) }, { path: `${spec.deployment.gitopsRoot}/argocd/${spec.deployment.argocd.applicationFile}`, content: yaml(agentRunArgoApplicationManifest(spec)) }, { path: `${spec.deployment.gitopsRoot}/${spec.deployment.runtimeRenderDir}/kustomization.yaml`, content: yaml(agentRunKustomizationManifest(spec)) }, { path: `${spec.deployment.gitopsRoot}/${spec.deployment.runtimeRenderDir}/namespace.yaml`, content: yaml(agentRunRuntimeNamespaceManifest(spec)) }, ...(spec.deployment.localPostgres.enabled ? [{ path: `${spec.deployment.gitopsRoot}/${spec.deployment.runtimeRenderDir}/postgres.yaml`, content: yaml(agentRunPostgresManifest(spec)) }] : []), { path: `${spec.deployment.gitopsRoot}/${spec.deployment.runtimeRenderDir}/mgr.yaml`, content: yamlAll(agentRunManagerManifests(spec, input.sourceCommit, input.image)) }, { path: `${spec.deployment.gitopsRoot}/${spec.deployment.runtimeRenderDir}/runner-rbac.yaml`, content: yamlAll(agentRunRunnerRbacManifests(spec)) }, ]; } export function placeholderAgentRunImage(spec: AgentRunLaneSpec, sourceCommit: string): AgentRunArtifactService { const digest = `sha256:${"0".repeat(64)}`; const image = `${spec.ci.registryPrefix}/agentrun-mgr-env:${sourceCommit}`; return { serviceId: "agentrun-mgr", artifactKind: "env-reuse", status: "placeholder", image, digest, repositoryDigest: `${spec.ci.registryPrefix}/agentrun-mgr-env@${digest}`, imageTag: sourceCommit, envIdentity: sourceCommit, envImage: image, envDigest: digest, envRepositoryDigest: `${spec.ci.registryPrefix}/agentrun-mgr-env@${digest}`, bootCommit: sourceCommit, bootScript: "deploy/runtime/boot/agentrun-boot.sh", provenance: { sourceCommitId: sourceCommit, source: "placeholder", valuesPrinted: false, }, }; } export function agentRunImageArtifact(spec: AgentRunLaneSpec, input: { sourceCommit: string; envIdentity: string; digest: string; status: string; }): AgentRunArtifactService { const image = `${spec.ci.registryPrefix}/${spec.deployment.manager.imageBuild.repository}:${input.envIdentity}`; return { serviceId: "agentrun-mgr", artifactKind: "env-reuse", status: input.status, image, digest: input.digest, repositoryDigest: `${spec.ci.registryPrefix}/${spec.deployment.manager.imageBuild.repository}@${input.digest}`, imageTag: input.envIdentity, envIdentity: input.envIdentity, envImage: image, envDigest: input.digest, envRepositoryDigest: `${spec.ci.registryPrefix}/${spec.deployment.manager.imageBuild.repository}@${input.digest}`, bootCommit: input.sourceCommit, bootScript: "deploy/runtime/boot/agentrun-boot.sh", provenance: { sourceCommitId: input.sourceCommit, source: "unidesk-yaml-only", configSource: "config/agentrun.yaml", valuesPrinted: false, }, }; } export function renderedFilesDigest(files: readonly AgentRunRenderedFile[]): string { const hash = createHash("sha256"); for (const file of [...files].sort((left, right) => left.path.localeCompare(right.path))) { hash.update(file.path); hash.update("\0"); hash.update(file.content); hash.update("\0"); } return `sha256:${hash.digest("hex")}`; } export function renderedObjectsDigest(objects: readonly Record[]): string { return `sha256:${createHash("sha256").update(yamlAll(objects)).digest("hex")}`; } function agentRunPipelineManifest(spec: AgentRunLaneSpec): Record { return { apiVersion: "tekton.dev/v1", kind: "Pipeline", metadata: { name: spec.ci.pipeline, namespace: spec.ci.namespace, labels: agentRunLabels(spec), }, spec: { params: [ { name: "git-url", type: "string", default: spec.source.remote }, { name: "git-read-url", type: "string", default: spec.gitMirror.readUrl }, { name: "git-write-url", type: "string", default: spec.gitMirror.writeUrl }, { name: "source-branch", type: "string", default: spec.source.branch }, { name: "gitops-branch", type: "string", default: spec.gitops.branch }, { name: "revision", type: "string" }, { name: "registry-prefix", type: "string", default: spec.ci.registryPrefix }, { name: "tools-image", type: "string", default: spec.ci.toolsImage }, ], workspaces: [{ name: "source" }, { name: "git-ssh" }], tasks: [ gitopsSmokeTask(spec), ], }, }; } function gitopsSmokeTask(spec: AgentRunLaneSpec): Record { return { name: "render-smoke", workspaces: [{ name: "source", workspace: "source" }], taskSpec: { params: [{ name: "revision" }, { name: "tools-image" }], workspaces: [{ name: "source" }], steps: [ { name: "render-smoke", image: "$(params.tools-image)", script: [ "#!/bin/sh", "set -eu", "echo '{\"event\":\"agentrun-ci-render-smoke\",\"status\":\"placeholder\",\"reason\":\"unidesk-yaml-only-control-plane\",\"valuesPrinted\":false}'", ].join("\n"), }, ], }, params: [ { name: "revision", value: "$(params.revision)" }, { name: "tools-image", value: "$(params.tools-image)" }, ], when: [{ input: spec.deployment.format, operator: "in", values: ["unidesk-yaml-only"] }], }; } function agentRunArgoProjectManifest(spec: AgentRunLaneSpec): Record { return { apiVersion: "argoproj.io/v1alpha1", kind: "AppProject", metadata: { name: spec.deployment.argocd.project, namespace: spec.gitops.argoNamespace, labels: agentRunLabels(spec), }, spec: { description: `AgentRun ${spec.version} GitOps lane`, sourceRepos: [spec.gitops.repoURL, spec.source.remote], destinations: [{ server: "https://kubernetes.default.svc", namespace: spec.runtime.namespace }], clusterResourceWhitelist: [{ group: "", kind: "Namespace" }], namespaceResourceWhitelist: [{ group: "*", kind: "*" }], }, }; } function agentRunArgoApplicationManifest(spec: AgentRunLaneSpec): Record { return { apiVersion: "argoproj.io/v1alpha1", kind: "Application", metadata: { name: spec.gitops.argoApplication, namespace: spec.gitops.argoNamespace, labels: agentRunLabels(spec), }, spec: { project: spec.deployment.argocd.project, source: { repoURL: spec.gitops.repoURL, targetRevision: spec.gitops.branch, path: spec.gitops.path, }, destination: { server: "https://kubernetes.default.svc", namespace: spec.runtime.namespace, }, syncPolicy: { automated: { prune: false, selfHeal: true }, syncOptions: ["CreateNamespace=true", "ApplyOutOfSyncOnly=true"], }, }, }; } function agentRunKustomizationManifest(spec: AgentRunLaneSpec): Record { return { apiVersion: "kustomize.config.k8s.io/v1beta1", kind: "Kustomization", resources: [ "namespace.yaml", ...(spec.deployment.localPostgres.enabled ? ["postgres.yaml"] : []), "mgr.yaml", "runner-rbac.yaml", ], }; } function agentRunRuntimeNamespaceManifest(spec: AgentRunLaneSpec): Record { return { apiVersion: "v1", kind: "Namespace", metadata: { name: spec.runtime.namespace, labels: agentRunLabels(spec), }, }; } function agentRunPostgresManifest(spec: AgentRunLaneSpec): Record { const localPostgres = spec.deployment.localPostgres; if (!localPostgres.enabled || localPostgres.serviceName === null || localPostgres.image === null || localPostgres.storage === null || localPostgres.port === null || localPostgres.database === null || localPostgres.user === null) { throw new Error(`localPostgres is enabled for ${spec.version} without renderable YAML fields`); } const name = localPostgres.serviceName; const secretName = spec.database.secretRef.name; return { apiVersion: "v1", kind: "List", items: [ { apiVersion: "v1", kind: "Service", metadata: { name, namespace: spec.runtime.namespace, labels: agentRunLabels(spec) }, spec: { selector: { "app.kubernetes.io/name": name }, ports: [{ name: "postgres", port: localPostgres.port, targetPort: "postgres" }] }, }, { apiVersion: "apps/v1", kind: "StatefulSet", metadata: { name, namespace: spec.runtime.namespace, labels: agentRunLabels(spec) }, spec: { serviceName: name, replicas: 1, selector: { matchLabels: { "app.kubernetes.io/name": name } }, template: { metadata: { labels: { ...agentRunLabels(spec), "app.kubernetes.io/name": name } }, spec: { containers: [ { name: "postgres", image: localPostgres.image, ports: [{ name: "postgres", containerPort: localPostgres.port }], env: [ { name: "POSTGRES_DB", valueFrom: { secretKeyRef: { name: secretName, key: "POSTGRES_DB" } } }, { name: "POSTGRES_USER", valueFrom: { secretKeyRef: { name: secretName, key: "POSTGRES_USER" } } }, { name: "POSTGRES_PASSWORD", valueFrom: { secretKeyRef: { name: secretName, key: "POSTGRES_PASSWORD" } } }, { name: "PGDATA", value: "/var/lib/postgresql/data/pgdata" }, ], volumeMounts: [{ name: "data", mountPath: "/var/lib/postgresql/data" }], }, ], }, }, volumeClaimTemplates: [ { metadata: { name: "data" }, spec: { accessModes: ["ReadWriteOnce"], resources: { requests: { storage: localPostgres.storage } } }, }, ], }, }, ], }; } function agentRunManagerManifests(spec: AgentRunLaneSpec, sourceCommit: string, image: AgentRunArtifactService): readonly Record[] { const imageRef = image.envRepositoryDigest || image.repositoryDigest; return [ { apiVersion: "v1", kind: "ServiceAccount", metadata: { name: spec.deployment.manager.serviceAccount, namespace: spec.runtime.namespace, labels: agentRunLabels(spec) } }, { apiVersion: "v1", kind: "Service", metadata: { name: spec.runtime.managerService, namespace: spec.runtime.namespace, labels: agentRunLabels(spec) }, spec: { selector: { "app.kubernetes.io/name": spec.runtime.managerDeployment }, ports: [{ name: "http", port: spec.runtime.managerPort, targetPort: "http" }], }, }, { apiVersion: "apps/v1", kind: "Deployment", metadata: { name: spec.runtime.managerDeployment, namespace: spec.runtime.namespace, labels: agentRunLabels(spec) }, spec: { replicas: 1, selector: { matchLabels: { "app.kubernetes.io/name": spec.runtime.managerDeployment } }, template: { metadata: { labels: { ...agentRunLabels(spec), "app.kubernetes.io/name": spec.runtime.managerDeployment }, annotations: { "agentrun.pikastech.local/lane": spec.version, "agentrun.pikastech.local/source-commit": sourceCommit, "agentrun.pikastech.local/env-identity": image.envIdentity, }, }, spec: { serviceAccountName: spec.deployment.manager.serviceAccount, containers: [ { name: "mgr", image: imageRef, imagePullPolicy: "IfNotPresent", ports: [{ name: "http", containerPort: 8080 }], env: managerEnv(spec, sourceCommit, imageRef, image.envIdentity), readinessProbe: { httpGet: { path: "/health/readiness", port: "http" } }, livenessProbe: { httpGet: { path: "/health/live", port: "http" } }, resources: spec.deployment.manager.resources, }, ], }, }, }, }, { apiVersion: "rbac.authorization.k8s.io/v1", kind: "Role", metadata: { name: `${spec.deployment.manager.serviceAccount}-runner-job-controller`, namespace: spec.runtime.namespace, labels: agentRunLabels(spec) }, rules: [ { apiGroups: ["batch"], resources: ["jobs"], verbs: ["create", "delete", "get", "list", "watch"] }, { apiGroups: [""], resources: ["pods"], verbs: ["delete", "get", "list", "watch"] }, { apiGroups: [""], resources: ["persistentvolumeclaims"], verbs: ["create", "get", "list", "watch", "delete"] }, ], }, { apiVersion: "rbac.authorization.k8s.io/v1", kind: "RoleBinding", metadata: { name: `${spec.deployment.manager.serviceAccount}-runner-job-controller`, namespace: spec.runtime.namespace, labels: agentRunLabels(spec) }, subjects: [{ kind: "ServiceAccount", name: spec.deployment.manager.serviceAccount }], roleRef: { apiGroup: "rbac.authorization.k8s.io", kind: "Role", name: `${spec.deployment.manager.serviceAccount}-runner-job-controller` }, }, { apiVersion: "rbac.authorization.k8s.io/v1", kind: "Role", metadata: { name: `${spec.deployment.manager.serviceAccount}-provider-secret-manager`, namespace: spec.runtime.namespace, labels: agentRunLabels(spec) }, rules: [{ apiGroups: [""], resources: ["secrets"], verbs: ["create", "delete", "get", "list", "patch", "update"] }], }, { apiVersion: "rbac.authorization.k8s.io/v1", kind: "RoleBinding", metadata: { name: `${spec.deployment.manager.serviceAccount}-provider-secret-manager`, namespace: spec.runtime.namespace, labels: agentRunLabels(spec) }, subjects: [{ kind: "ServiceAccount", name: spec.deployment.manager.serviceAccount }], roleRef: { apiGroup: "rbac.authorization.k8s.io", kind: "Role", name: `${spec.deployment.manager.serviceAccount}-provider-secret-manager` }, }, ]; } function managerEnv(spec: AgentRunLaneSpec, sourceCommit: string, imageRef: string, envIdentity: string): readonly Record[] { return [ { name: "AGENTRUN_LANE", value: spec.version }, { name: "DATABASE_URL", valueFrom: { secretKeyRef: spec.database.secretRef } }, { name: "AGENTRUN_SOURCE_COMMIT", value: sourceCommit }, { name: "AGENTRUN_BOOT_COMMIT", value: sourceCommit }, { name: "AGENTRUN_BOOT_MODE", value: "mgr" }, { name: "AGENTRUN_BOOT_REPO_URL", value: spec.deployment.manager.bootRepoUrl }, { name: "AGENTRUN_ENV_IDENTITY", value: envIdentity }, { name: "AGENTRUN_RUNTIME_NAMESPACE", value: spec.runtime.namespace }, { name: "AGENTRUN_INTERNAL_MGR_URL", value: spec.runtime.internalBaseUrl }, { name: "AGENTRUN_RUNNER_IMAGE", value: imageRef }, { name: "AGENTRUN_RUNNER_SERVICE_ACCOUNT", value: spec.deployment.runner.serviceAccount }, { name: "AGENTRUN_RUNNER_JOB_NAME_PREFIX", value: spec.deployment.runner.jobNamePrefix }, { name: "AGENTRUN_RUNNER_IDLE_TIMEOUT_MS", value: String(spec.deployment.runner.idleTimeoutMs) }, { name: "AGENTRUN_BACKEND_RETRY_MAX_ATTEMPTS", value: String(spec.deployment.runner.backendRetry.maxAttempts) }, { name: "AGENTRUN_BACKEND_RETRY_INITIAL_BACKOFF_MS", value: String(spec.deployment.runner.backendRetry.initialBackoffMs) }, { name: "AGENTRUN_BACKEND_RETRY_MAX_BACKOFF_MS", value: String(spec.deployment.runner.backendRetry.maxBackoffMs) }, { name: "AGENTRUN_RUNNER_RETENTION_MAX_RUNNERS", value: String(spec.deployment.runner.retention.maxRunners) }, { name: "AGENTRUN_RUNNER_RETENTION_CLEANUP_ORDER", value: spec.deployment.runner.retention.cleanupOrder }, { name: "AGENTRUN_RUNNER_RETENTION_ACTIVE_HEARTBEAT_MAX_AGE_MS", value: String(spec.deployment.runner.retention.activeHeartbeatMaxAgeMs) }, { name: "AGENTRUN_RUNNER_RETENTION_MATCH_LABELS_JSON", value: JSON.stringify(spec.deployment.runner.retention.selectors.matchLabels) }, { name: "AGENTRUN_RUNNER_RETENTION_JOB_NAME_PREFIXES", value: spec.deployment.runner.retention.selectors.jobNamePrefixes.join(",") }, { name: "AGENTRUN_RUNNER_RETENTION_AGE_BASED_CLEANUP_ENABLED", value: String(spec.deployment.runner.retention.ageBasedCleanup.enabled) }, ...(spec.deployment.runner.retention.ageBasedCleanup.maxAgeHours === null ? [] : [{ name: "AGENTRUN_RUNNER_RETENTION_AGE_BASED_MAX_AGE_HOURS", value: String(spec.deployment.runner.retention.ageBasedCleanup.maxAgeHours) }]), { name: "AGENTRUN_CANCEL_DELIVERY_MODE", value: spec.deployment.runner.cancelLifecycle.deliveryMode }, { name: "AGENTRUN_CANCEL_GRACEFUL_ABORT_MS", value: String(spec.deployment.runner.cancelLifecycle.gracefulAbortMs) }, { name: "AGENTRUN_CANCEL_KILL_ESCALATION_MS", value: String(spec.deployment.runner.cancelLifecycle.killEscalationMs) }, { name: "AGENTRUN_CANCEL_STALE_HEARTBEAT_FENCING_MS", value: String(spec.deployment.runner.cancelLifecycle.staleHeartbeatFencingMs) }, { name: "AGENTRUN_CANCEL_LATE_WRITE_FENCING_ENABLED", value: String(spec.deployment.runner.cancelLifecycle.lateWriteFencing.enabled) }, { name: "AGENTRUN_CANCEL_EVENT_STAGES", value: spec.deployment.runner.cancelLifecycle.eventStages.join(",") }, ...(spec.deployment.runner.egressProxyUrl === null ? [] : [{ name: "AGENTRUN_RUNNER_EGRESS_PROXY_URL", value: spec.deployment.runner.egressProxyUrl }]), ...(spec.deployment.runner.noProxyExtra.length === 0 ? [] : [{ name: "AGENTRUN_RUNNER_NO_PROXY_EXTRA", value: spec.deployment.runner.noProxyExtra.join(",") }]), { name: "AGENTRUN_API_KEY", valueFrom: { secretKeyRef: spec.deployment.manager.apiKeySecretRef } }, ...Object.entries(spec.deployment.manager.env).sort(([left], [right]) => left.localeCompare(right)).map(([name, value]) => ({ name, value })), ...(spec.deployment.manager.unideskSshEndpointEnv === null ? [] : [{ name: spec.deployment.manager.unideskSshEndpointEnv.name, value: spec.deployment.manager.unideskSshEndpointEnv.value }]), ]; } function agentRunRunnerRbacManifests(spec: AgentRunLaneSpec): readonly Record[] { return [ { apiVersion: "v1", kind: "ServiceAccount", metadata: { name: spec.deployment.runner.serviceAccount, namespace: spec.runtime.namespace, labels: agentRunLabels(spec) } }, { apiVersion: "rbac.authorization.k8s.io/v1", kind: "Role", metadata: { name: `${spec.deployment.runner.serviceAccount}-secret-reader`, namespace: spec.runtime.namespace, labels: agentRunLabels(spec) }, rules: [{ apiGroups: [""], resources: ["secrets"], verbs: ["get"] }], }, { apiVersion: "rbac.authorization.k8s.io/v1", kind: "RoleBinding", metadata: { name: `${spec.deployment.runner.serviceAccount}-secret-reader`, namespace: spec.runtime.namespace, labels: agentRunLabels(spec) }, subjects: [{ kind: "ServiceAccount", name: spec.deployment.runner.serviceAccount }], roleRef: { apiGroup: "rbac.authorization.k8s.io", kind: "Role", name: `${spec.deployment.runner.serviceAccount}-secret-reader` }, }, ]; } function agentRunArtifactCatalog(spec: AgentRunLaneSpec, sourceCommit: string, image: AgentRunArtifactService): AgentRunArtifactCatalog { return { lane: spec.version, sourceBranch: spec.source.branch, gitopsBranch: spec.gitops.branch, sourceCommitId: sourceCommit, summary: image.status === "placeholder" ? "build=0 reuse=0 placeholder=1" : "build=1 reuse=0 placeholder=0", services: [image], }; } function agentRunLabels(spec: AgentRunLaneSpec): Record { return { "app.kubernetes.io/part-of": "agentrun", "agentrun.pikastech.local/lane": spec.version, "agentrun.pikastech.local/node": spec.nodeId, }; } function yaml(value: unknown): string { return `${Bun.YAML.stringify(value).trim()}\n`; } function yamlAll(values: readonly unknown[]): string { return `${values.map((value) => Bun.YAML.stringify(value).trim()).join("\n---\n")}\n`; }