Files
pikasTech-unidesk/docs/issue/issue-9-k3s-user-service-cicd-state.md
T

6.9 KiB

Issue 9 K3s User-Service CI/CD State

Snapshot date: 2026-05-21

This matrix closes the current review pass for the decision-center, mdtodo, claudeqq and todo-note lane. It records only focused smoke evidence: health, runtime commit/digest or deployment labels, private proxy API checks and registry artifact presence. No full e2e/Playwright run, backend-core restart, Code Queue restart, backend-core prod deploy or Code Queue prod deploy is part of this lane.

Shared Findings

Area State Impact Next step
Artifact producer catalog CI.json has source-build producer entries for all four services. The standard producer route is modeled for the whole lane. Keep producer commands as the only source-build entrypoint: ci publish-user-service --service <id> --commit <full-sha>.
CD consumer plan `deploy plan --env dev prod --service resolves standard consumers for all four services: k3s-managed fordecision-center, mdtodo, claudeqq; main-server Compose artifact consumer for todo-note`. The dry-run contract exists, but live apply still depends on artifact and verification readiness.
Artifact-registry probe Direct D601 registry API access is healthy, but remote frontend artifact-registry health and CI publish dry-run registry checks fail because the provider Host SSH command is rejected as too long (4039 bytes). The registry itself is reachable from D601, but the standard preflight tool path reports registry as infra-blocked. Split or shrink the registry health probe before relying on remote CI dry-run as release evidence.
Dev service catalog decision-center-dev exists in k3s, while mdtodo-dev and claudeqq-dev do not. The adapter public catalog did not expose the dev aliases during this pass. Dev promotion cannot be claimed for mdtodo or claudeqq; decision-center-dev is reachable through direct k3s service proxy only. Publish artifacts first, then create/verify dev consumers and register dev aliases where intended.

Service Matrix

Service Desired artifact Deployment and CI shape Dev acceptance Prod acceptance Ideal-state status Blockers / next step
decision-center 127.0.0.1:5000/unidesk/decision-center:54c1f8e165f90fa8509fda1f0c01f8c3fa82cbee, registry digest sha256:8af6842a2a1b23bfaf6067a402821f4d0e54b76ebc24e59303c6cbefad6490d1. Current live tag b5486a61ab0aa6c227366a95d1afa68281584359 has digest sha256:55ae6b20af3b6ec88394de46678cd4ddf86c461126ee1e95e91005baf72f03ed. k3s-managed artifact consumer on D601. CI producer is UniDesk source-build from src/components/microservices/decision-center/Dockerfile. unidesk-dev/decision-center-dev is ready 1/1 and health is ok=true, but it runs b5486a61ab0aa6c227366a95d1afa68281584359, not desired 54c1f8e165f90fa8509fda1f0c01f8c3fa82cbee. unidesk/decision-center is ready 1/1 and health is ok=true; private proxy /api/records?limit=1 returned 200. Prod also runs b5486a61ab0aa6c227366a95d1afa68281584359, not desired 54c1f8e165f90fa8509fda1f0c01f8c3fa82cbee. Partial. The desired artifact exists and the service is healthy, but dev/prod drift from deploy.json. Do not redeploy until the registry preflight path is fixed or an operator explicitly accepts the safe drift repair. Then consume the existing 54c1f8... artifact through dev -> focused smoke -> prod.
mdtodo 127.0.0.1:5000/unidesk/mdtodo:75fb6757b2504ba86d61f2587fb34a9c9ed4019a; registry HEAD returned 404, so no digest was available. k3s-managed artifact consumer on D601. CI producer is UniDesk source-build from src/components/microservices/mdtodo/Dockerfile. unidesk-dev/mdtodo-dev does not exist. unidesk/mdtodo is ready 1/1. Deployment annotations record deploy and requested commit 75fb6757b2504ba86d61f2587fb34a9c9ed4019a; health returned ok=true, and /live returned 200. Health does not expose deploy metadata. Partial. Prod is healthy and annotated with the desired commit, but the desired registry artifact is absent and dev is absent. Publish the desired artifact, add deploy metadata to health or keep strict label/annotation verification, then run dev -> focused smoke -> prod if prod replacement is still needed.
claudeqq 127.0.0.1:5000/unidesk/claudeqq:203b1f46684c91340ecbbd8a74502bd55e4f2011; registry HEAD returned 404, so no digest was available. k3s-managed artifact consumer on D601. CI producer uses the external Gitee source plus UniDesk adapter/overlay. unidesk-dev/claudeqq-dev does not exist. unidesk/claudeqq is ready 1/1. Deployment annotations and /health report commit/requested commit 203b1f46684c91340ecbbd8a74502bd55e4f2011; health also reports NapCat logged_in. Focused API probes for /api/events/recent and /api/events/subscriptions returned 404. Partial. Prod commit alignment and health are good, but the desired registry artifact is absent, dev is absent and the expected event API surface is not verified. Publish the desired artifact, create/verify dev, and either fix or document the current event API paths before any prod artifact replacement.
todo-note 127.0.0.1:5000/unidesk/todo-note:a14ce0eb855a685fa17b47adacd54623e72cd2ff; registry HEAD returned 404, so no digest was available. Main-server Compose artifact consumer. CI producer uses the external Gitee source. CD plan is pull-only and no-build for Compose service todo-note, container todo-note-backend. The dev/prod consumer plans resolve, but no live dev apply was attempted because the desired artifact is absent. Runtime health returned 200 with PostgreSQL storage and running reminders. Private proxy /api/instances returned 200. The running container image is unidesk-todo-note; runtime labels do not expose unidesk.ai/source-commit, and health does not expose deploy metadata. Not yet. Runtime behavior is healthy, but image digest/commit proof is missing and the desired registry artifact is absent. Publish the desired artifact, then use the Compose artifact consumer to recreate only todo-note with no build/no deps and verify image labels plus health deploy metadata.

Execution Decision

No live deployment was executed in this pass.

  • decision-center has an available desired artifact, but both dev and prod are currently healthy on b5486a61...; the task scope asked for review and gap recording unless a repair is clearly safe. The standard remote registry preflight path is currently infra-blocked, so this pass records drift instead of changing prod/dev.
  • mdtodo, claudeqq and todo-note do not have the desired registry artifact tags, so live apply would not satisfy the artifact-consumer contract.
  • Focused smoke stayed limited to health, deployment metadata, registry HEAD/tag checks and small private proxy API calls.