6.9 KiB
6.9 KiB
Issue 9 K3s User-Service CI/CD State
Snapshot date: 2026-05-21
This matrix closes the current review pass for the decision-center, mdtodo, claudeqq and todo-note lane. It records only focused smoke evidence: health, runtime commit/digest or deployment labels, private proxy API checks and registry artifact presence. No full e2e/Playwright run, backend-core restart, Code Queue restart, backend-core prod deploy or Code Queue prod deploy is part of this lane.
Shared Findings
| Area | State | Impact | Next step |
|---|---|---|---|
| Artifact producer catalog | CI.json has source-build producer entries for all four services. |
The standard producer route is modeled for the whole lane. | Keep producer commands as the only source-build entrypoint: ci publish-user-service --service <id> --commit <full-sha>. |
| CD consumer plan | `deploy plan --env dev | prod --service resolves standard consumers for all four services: k3s-managed fordecision-center, mdtodo, claudeqq; main-server Compose artifact consumer for todo-note`. |
The dry-run contract exists, but live apply still depends on artifact and verification readiness. |
| Artifact-registry probe | Direct D601 registry API access is healthy, but remote frontend artifact-registry health and CI publish dry-run registry checks fail because the provider Host SSH command is rejected as too long (4039 bytes). |
The registry itself is reachable from D601, but the standard preflight tool path reports registry as infra-blocked. |
Split or shrink the registry health probe before relying on remote CI dry-run as release evidence. |
| Dev service catalog | decision-center-dev exists in k3s, while mdtodo-dev and claudeqq-dev do not. The adapter public catalog did not expose the dev aliases during this pass. |
Dev promotion cannot be claimed for mdtodo or claudeqq; decision-center-dev is reachable through direct k3s service proxy only. |
Publish artifacts first, then create/verify dev consumers and register dev aliases where intended. |
Service Matrix
| Service | Desired artifact | Deployment and CI shape | Dev acceptance | Prod acceptance | Ideal-state status | Blockers / next step |
|---|---|---|---|---|---|---|
decision-center |
127.0.0.1:5000/unidesk/decision-center:54c1f8e165f90fa8509fda1f0c01f8c3fa82cbee, registry digest sha256:8af6842a2a1b23bfaf6067a402821f4d0e54b76ebc24e59303c6cbefad6490d1. Current live tag b5486a61ab0aa6c227366a95d1afa68281584359 has digest sha256:55ae6b20af3b6ec88394de46678cd4ddf86c461126ee1e95e91005baf72f03ed. |
k3s-managed artifact consumer on D601. CI producer is UniDesk source-build from src/components/microservices/decision-center/Dockerfile. |
unidesk-dev/decision-center-dev is ready 1/1 and health is ok=true, but it runs b5486a61ab0aa6c227366a95d1afa68281584359, not desired 54c1f8e165f90fa8509fda1f0c01f8c3fa82cbee. |
unidesk/decision-center is ready 1/1 and health is ok=true; private proxy /api/records?limit=1 returned 200. Prod also runs b5486a61ab0aa6c227366a95d1afa68281584359, not desired 54c1f8e165f90fa8509fda1f0c01f8c3fa82cbee. |
Partial. The desired artifact exists and the service is healthy, but dev/prod drift from deploy.json. |
Do not redeploy until the registry preflight path is fixed or an operator explicitly accepts the safe drift repair. Then consume the existing 54c1f8... artifact through dev -> focused smoke -> prod. |
mdtodo |
127.0.0.1:5000/unidesk/mdtodo:75fb6757b2504ba86d61f2587fb34a9c9ed4019a; registry HEAD returned 404, so no digest was available. |
k3s-managed artifact consumer on D601. CI producer is UniDesk source-build from src/components/microservices/mdtodo/Dockerfile. |
unidesk-dev/mdtodo-dev does not exist. |
unidesk/mdtodo is ready 1/1. Deployment annotations record deploy and requested commit 75fb6757b2504ba86d61f2587fb34a9c9ed4019a; health returned ok=true, and /live returned 200. Health does not expose deploy metadata. |
Partial. Prod is healthy and annotated with the desired commit, but the desired registry artifact is absent and dev is absent. | Publish the desired artifact, add deploy metadata to health or keep strict label/annotation verification, then run dev -> focused smoke -> prod if prod replacement is still needed. |
claudeqq |
127.0.0.1:5000/unidesk/claudeqq:203b1f46684c91340ecbbd8a74502bd55e4f2011; registry HEAD returned 404, so no digest was available. |
k3s-managed artifact consumer on D601. CI producer uses the external Gitee source plus UniDesk adapter/overlay. | unidesk-dev/claudeqq-dev does not exist. |
unidesk/claudeqq is ready 1/1. Deployment annotations and /health report commit/requested commit 203b1f46684c91340ecbbd8a74502bd55e4f2011; health also reports NapCat logged_in. Focused API probes for /api/events/recent and /api/events/subscriptions returned 404. |
Partial. Prod commit alignment and health are good, but the desired registry artifact is absent, dev is absent and the expected event API surface is not verified. | Publish the desired artifact, create/verify dev, and either fix or document the current event API paths before any prod artifact replacement. |
todo-note |
127.0.0.1:5000/unidesk/todo-note:a14ce0eb855a685fa17b47adacd54623e72cd2ff; registry HEAD returned 404, so no digest was available. |
Main-server Compose artifact consumer. CI producer uses the external Gitee source. CD plan is pull-only and no-build for Compose service todo-note, container todo-note-backend. |
The dev/prod consumer plans resolve, but no live dev apply was attempted because the desired artifact is absent. | Runtime health returned 200 with PostgreSQL storage and running reminders. Private proxy /api/instances returned 200. The running container image is unidesk-todo-note; runtime labels do not expose unidesk.ai/source-commit, and health does not expose deploy metadata. |
Not yet. Runtime behavior is healthy, but image digest/commit proof is missing and the desired registry artifact is absent. | Publish the desired artifact, then use the Compose artifact consumer to recreate only todo-note with no build/no deps and verify image labels plus health deploy metadata. |
Execution Decision
No live deployment was executed in this pass.
decision-centerhas an available desired artifact, but both dev and prod are currently healthy onb5486a61...; the task scope asked for review and gap recording unless a repair is clearly safe. The standard remote registry preflight path is currently infra-blocked, so this pass records drift instead of changing prod/dev.mdtodo,claudeqqandtodo-notedo not have the desired registry artifact tags, so live apply would not satisfy the artifact-consumer contract.- Focused smoke stayed limited to health, deployment metadata, registry HEAD/tag checks and small private proxy API calls.