Issue 9 K3s User-Service CI/CD State
Snapshot date: 2026-05-21
This matrix closes the current review pass for the decision-center, mdtodo, claudeqq, todo-note, project-manager and frontend artifact lane. It records only focused smoke evidence: health, runtime commit/digest or deployment labels, private proxy API checks and registry artifact presence. No full e2e/Playwright run, backend-core restart, Code Queue restart, backend-core prod deploy, frontend deploy, publish, or Code Queue prod deploy is part of this lane.
Shared Findings
| Area | State | Impact | Next step |
|---|---|---|---|
| Artifact producer catalog | `CI.json` has source-build producer entries for the reviewed services, including frontend. | The standard producer route is modeled for the lane. | Keep producer commands as the only source-build entrypoint: `ci publish-user-service --service <id> --commit <full-sha>`. |
| CD consumer plan | `deploy plan --env dev\|prod --service <id>` and `deploy apply --env dev\|prod --service <id> --dry-run` resolve standard consumers: k3s-managed for `decision-center`, `mdtodo`, `claudeqq` and dev `frontend`; main-server Compose artifact consumer for `todo-note` and prod `frontend`. | | |
| Artifact-registry probe | Remote frontend Host SSH probing is no longer blocked by command length. Registry runtime API is reachable and frontend publish dry-run can report ready, while artifact-registry health still reports service drift in rendered config / registry image scopes. | Runtime artifact reads are usable for contract evidence; registry service drift remains an infra hygiene item and should not be confused with a frontend publish blocker. | Repair registry rendered-config/image drift separately before treating registry health as fully clean. |
| Project-manager registry probe | `deploy.json` wants 0c3cdb4ee06a23361ed511a2da033d67b53d16f4; `config.json` still records runtime commit a278de032d5cdb91010466ac1e2183c79026550d; remote registry HEAD for 127.0.0.1:5000/unidesk/project-manager:0c3cdb4ee06a23361ed511a2da033d67b53d16f4 returned 404, so no digest is available yet. | The producer and consumer contract is wired, but the desired artifact is still missing. | Publish the desired artifact before any live dev or prod apply. |
| Dev service catalog | decision-center-dev exists in k3s, while mdtodo-dev and claudeqq-dev do not. The adapter public catalog did not expose the dev aliases during this pass. | Dev promotion cannot be claimed for mdtodo or claudeqq; decision-center-dev is reachable through direct k3s service proxy only. | Publish artifacts first, then create/verify dev consumers and register dev aliases where intended. |
| Frontend closure contract | `bun scripts/frontend-artifact-lane-contract-test.ts` is the standard lightweight contract for the frontend artifact sample. | Frontend lane evidence is now repeatable without live deploy, publish, service restart, or Playwright. | Keep the contract green whenever frontend `deploy.json`, health metadata, artifact digest, producer preflight, or CD dry-run shape changes. |
| User-service gap contract | `bun scripts/issue-9-user-service-artifact-gap-contract-test.ts` normalizes mdtodo, claudeqq and todo-note with desiredCommit, runtimeCommit, artifactExists, devStatus, prodStatus, blockedScopes and recommendedAction; `bun scripts/issue-9-user-service-deploy-apply-dry-run-contract-test.ts` covers the top-level `deploy apply --env dev\|prod --service <id> --dry-run` envelope for the same three services. | The remaining gap surface is repeatable from `deploy.json`, `CI.json`, `deploy apply --dry-run` and local artifact-registry dry-runs without publish, deploy, service restart, or full check/e2e. | |
Service Matrix
| Service | Desired artifact | Deployment and CI shape | Dev acceptance | Prod acceptance | Ideal-state status | Blockers / next step |
|---|---|---|---|---|---|---|
| decision-center | 127.0.0.1:5000/unidesk/decision-center:b5486a61ab0aa6c227366a95d1afa68281584359, registry digest sha256:55ae6b20af3b6ec88394de46678cd4ddf86c461126ee1e95e91005baf72f03ed. Previous desired tag 54c1f8e165f90fa8509fda1f0c01f8c3fa82cbee still exists with digest sha256:8af6842a2a1b23bfaf6067a402821f4d0e54b76ebc24e59303c6cbefad6490d1, but it is no longer the desired state. | k3s-managed artifact consumer on D601. CI producer is UniDesk source-build from src/components/microservices/decision-center/Dockerfile; CD dry-run is a no-build D601 k3s artifact consumer for dev and prod. | unidesk-dev/decision-center-dev is ready 1/1 and health reports deploy.commit / deploy.requestedCommit as b5486a61ab0aa6c227366a95d1afa68281584359, matching desired and artifact. | unidesk/decision-center is ready 1/1 and health reports deploy.commit / deploy.requestedCommit as b5486a61ab0aa6c227366a95d1afa68281584359; private proxy /api/records?limit=1 returned 200. | Complete for artifact CD contract. Dev/prod desired, live health and registry artifact now align on b5486a61ab0aa6c227366a95d1afa68281584359; no deploy was needed. | Remaining work is manual UI/product acceptance only: record CRUD, diary lifecycle, doc-number uniqueness and frontend Decision Center visibility. Keep the desired-state contract green so future edits cannot reintroduce stale desired commits or source-build CD. |
| mdtodo | 127.0.0.1:5000/unidesk/mdtodo:595de3d320b73ec006794440b32db48b3ad14d2b; registry artifact still needs publication. The previous 75fb6757b2504ba86d61f2587fb34a9c9ed4019a target predates mdtodo health deploy metadata. | k3s-managed artifact consumer on D601. CI producer is UniDesk source-build from src/components/microservices/mdtodo/Dockerfile. | unidesk-dev/mdtodo-dev does not exist. | unidesk/mdtodo is ready 1/1 at the old annotated commit 75fb6757b2504ba86d61f2587fb34a9c9ed4019a; health returned ok=true, and /live returned 200 during the earlier smoke. Runtime health metadata still needs proof after the new artifact is deployed. | Partial. The source/desired contract now points at a health-metadata-capable commit, but the desired registry artifact is absent, dev is absent and prod runtime is intentionally behind the new desired commit. | Publish the new desired artifact, create/verify unidesk-dev/mdtodo-dev, prove /health.deploy.commit and /live.deploy.commit in dev, then decide whether prod needs artifact replacement. |
| claudeqq | 127.0.0.1:5000/unidesk/claudeqq:203b1f46684c91340ecbbd8a74502bd55e4f2011; registry HEAD returned 404, so no digest was available. | k3s-managed artifact consumer on D601. CI producer uses the external Gitee source plus UniDesk adapter/overlay. | unidesk-dev/claudeqq-dev does not exist. | unidesk/claudeqq is ready 1/1. Deployment annotations and /health report commit/requested commit 203b1f46684c91340ecbbd8a74502bd55e4f2011; health also reports NapCat logged_in. Focused API probes for /api/events/recent and /api/events/subscriptions returned 404. | Partial. Prod commit alignment and health are good, but the desired registry artifact is absent, dev is absent and the expected event API surface is not verified. | Publish the desired artifact, create/verify dev, and either fix or document the current event API paths before any prod artifact replacement. |
| todo-note | 127.0.0.1:5000/unidesk/todo-note:a14ce0eb855a685fa17b47adacd54623e72cd2ff; registry HEAD returned 404, so no digest was available. | Main-server Compose artifact consumer. CI producer uses the external Gitee source. CD plan is pull-only and no-build for Compose service todo-note, container todo-note-backend. | The dev/prod consumer plans resolve, but no live dev apply was attempted because the desired artifact is absent. | Runtime health returned 200 with PostgreSQL storage and running reminders. Private proxy /api/instances returned 200. The running container image is unidesk-todo-note; runtime labels do not expose unidesk.ai/source-commit, and health does not expose deploy metadata. | Not yet. Runtime behavior is healthy, but image digest/commit proof is missing and the desired registry artifact is absent. | Publish the desired artifact, then use the Compose artifact consumer to recreate only todo-note with no build/no deps and verify image labels plus health deploy metadata. |
| project-manager | 127.0.0.1:5000/unidesk/project-manager:0c3cdb4ee06a23361ed511a2da033d67b53d16f4; registry HEAD returned 404, so no digest was available. Current runtime registry commit in config.json is a278de032d5cdb91010466ac1e2183c79026550d. | Main-server Compose artifact consumer. CI producer is UniDesk source-build from src/components/microservices/project-manager/Dockerfile. | deploy plan --env dev --service project-manager resolves the same no-build main-server Compose path; no live dev apply was attempted because the desired artifact is absent. | deploy plan --env prod --service project-manager --dry-run resolves the same main-server Compose consumer and health contract, but live prod apply remains blocked until the artifact exists and /health can report deploy.commit / deploy.requestedCommit. | Partial. The source and consumer contract are in place; the registry artifact is not. | Publish 0c3cdb4ee06a23361ed511a2da033d67b53d16f4 to the D601 registry, then run dev and prod artifact-consumer verification. |
| frontend | 127.0.0.1:5000/unidesk/frontend:b5486a61ab0aa6c227366a95d1afa68281584359, registry v2 manifest digest sha256:76d7c47e797605470959ca2274f116149bdc367e6fa155913d19f42516e5b9e4. | CI producer is ci publish-user-service from src/components/frontend/Dockerfile. Dev CD is D601 native k3s frontend-dev; prod CD is master-server Compose frontend / unidesk-frontend; both are pull-only artifact consumers. | Public dev http://74.48.78.17:18083/health reports ok=true, environment=dev, namespace=unidesk-dev, and deploy commit/requestedCommit b5486a61ab0aa6c227366a95d1afa68281584359. | Public prod http://74.48.78.17:18081/health reports ok=true and deploy commit/requestedCommit b5486a61ab0aa6c227366a95d1afa68281584359. Remote ci publish-user-service --service frontend --commit b5486... --dry-run reports runnerDisposition=ready, all control channels ready, and no missing control channels. | Complete for CI/CD contract. Dev/prod desired and live commit match the artifact; CD dry-runs are non-mutating and no-build. | Remaining UI route acceptance is a manual product/UI gate and is independent of CI/CD artifact correctness. |
Normalized Gap Matrix
Focused read-only evidence for this refresh:
- remote `microservice status` and `microservice health` for `mdtodo`, `claudeqq` and `todo-note`;
- D601 registry v2 manifest `HEAD` against each desired tag, all returning 404;
- `deploy plan --env dev|prod --service <id>`, `deploy apply --env dev|prod --service <id> --dry-run` and `artifact-registry deploy-service --env dev|prod --service <id> --commit <desiredCommit> --dry-run`, all resolving no-build artifact consumers.

| Service | desiredCommit | runtimeCommit | artifactExists | devStatus | prodStatus | blockedScopes | recommendedAction |
|---|---|---|---|---|---|---|---|
| mdtodo | 595de3d320b73ec006794440b32db48b3ad14d2b | 75fb6757b2504ba86d61f2587fb34a9c9ed4019a from prod Deployment annotations; that runtime predates mdtodo health deploy metadata | false | missing-dev-service | healthy-prod-annotation-stale-after-health-metadata-repin | registry-artifact, dev-service, runtime-health-metadata-proof, prod-runtime-commit-drift | Publish the desired artifact that includes mdtodo health deploy metadata, create/verify unidesk-dev/mdtodo-dev, then run focused dev smoke before deciding whether prod needs replacement. |
| claudeqq | 203b1f46684c91340ecbbd8a74502bd55e4f2011 | 203b1f46684c91340ecbbd8a74502bd55e4f2011 from prod /health.deploy.commit and /health.deploy.requestedCommit | false | missing-dev-service | healthy-prod-health-aligned-event-api-unverified | registry-artifact, dev-service, event-api-surface | Publish the desired artifact, create/verify unidesk-dev/claudeqq-dev, then resolve or document the event API paths before prod artifact replacement. |
| todo-note | a14ce0eb855a685fa17b47adacd54623e72cd2ff | null; prod health and container labels do not expose source commit | false | consumer-plan-only-no-live-dev | healthy-behavior-no-commit-proof | registry-artifact, runtime-commit-proof, health-deploy-metadata | Publish the desired artifact, then use the no-build Compose artifact consumer to recreate only todo-note and verify image labels plus health deploy metadata. |

Repeatable contracts:
- `bun scripts/issue-9-mdtodo-health-metadata-contract-test.ts`
- `bun scripts/issue-9-user-service-artifact-gap-contract-test.ts`
- `bun scripts/issue-9-user-service-deploy-apply-dry-run-contract-test.ts`
Execution Decision
No live deployment or publish was executed in this pass.
- `decision-center` drift was desired-state only: dev/prod live health and the registry artifact already matched `b5486a61...`, so `deploy.json` was repinned to that verified commit without deploying.
- `mdtodo`, `claudeqq`, `todo-note` and `project-manager` do not have the desired registry artifact tags, so live apply would not satisfy the artifact-consumer contract. For `mdtodo`, the desired tag is now `595de3d320b73ec006794440b32db48b3ad14d2b` because that is the already-merged commit that adds `/health.deploy` and `/live.deploy`.
- `frontend` is the first batch sample that can be marked complete for the CI/CD artifact lane: desired commit, registry artifact digest, dev/prod health metadata, publish dry-run readiness and dev/prod CD no-build dry-runs are aligned.
- Focused smoke stayed limited to health, deployment metadata, registry HEAD/tag checks and small private proxy API calls.
MDTODO Next Preconditions
Before a real mdtodo artifact publish or dev deploy:
- Run the read-only publish preflight for `595de3d320b73ec006794440b32db48b3ad14d2b`: `bun scripts/cli.ts ci publish-user-service --service mdtodo --commit 595de3d320b73ec006794440b32db48b3ad14d2b --dry-run`. It must report `runnerDisposition=ready` or clearly classify only infrastructure blockers.
- Publish only from the controlled D601 CI path: `bun scripts/cli.ts ci publish-user-service --service mdtodo --commit 595de3d320b73ec006794440b32db48b3ad14d2b --wait-ms 1200000`.
- Record the resulting `artifactSummary.imageRef`, `digest` and `digestRef`; verify registry `HEAD /v2/unidesk/mdtodo/manifests/595de3d320b73ec006794440b32db48b3ad14d2b` returns a digest.
- Keep `deploy apply --env dev --service mdtodo --dry-run` on the D601 k3s no-build artifact consumer and confirm it targets only `unidesk-dev/mdtodo-dev`.
- Run real dev apply only after the artifact exists, then verify `unidesk-dev/mdtodo-dev` readiness and service-proxy `/health.deploy.commit`, `/health.deploy.requestedCommit`, `/live.deploy.commit` all equal `595de3d320b73ec006794440b32db48b3ad14d2b`.
- Evaluate prod replacement only after dev proof is recorded; prod currently runs the older annotated `75fb6757b2504ba86d61f2587fb34a9c9ed4019a` runtime.
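
The dev-proof gate described by the preconditions above, as an added TypeScript example that is not one of the repository's contract scripts: it turns already-collected evidence (registry HEAD digest, dev service presence, `/health` and `/live` deploy metadata) into blocked scopes, comparing full 40-character commits exactly. The `Evidence` shape, the function name and the `invalid-desired-commit` and `dev-runtime-commit-drift` scopes are assumptions, and the passing digest is a constructed placeholder.

```typescript
// Added example: the evidence values below are constructed, not captured output.
type DeployMeta = { commit?: string; requestedCommit?: string };

interface Evidence {
  desiredCommit: string;
  manifestDigest: string | null; // Docker-Content-Digest from registry HEAD; null on 404
  devServiceExists: boolean;
  health?: { deploy?: DeployMeta };
  live?: { deploy?: DeployMeta };
}

const FULL_SHA = /^[0-9a-f]{40}$/;
const DIGEST = /^sha256:[0-9a-f]{64}$/;

// Returns the scopes that still block a "dev proven" claim; an empty list means proven.
function blockedScopes(e: Evidence): string[] {
  const scopes: string[] = [];
  // Abbreviated SHAs are rejected: a prefix is not proof of the exact artifact.
  if (!FULL_SHA.test(e.desiredCommit)) scopes.push("invalid-desired-commit"); // hypothetical scope
  if (e.manifestDigest === null || !DIGEST.test(e.manifestDigest)) scopes.push("registry-artifact");
  if (!e.devServiceExists) scopes.push("dev-service");
  const reported = [
    e.health?.deploy?.commit,
    e.health?.deploy?.requestedCommit,
    e.live?.deploy?.commit,
  ];
  if (reported.some((c) => typeof c !== "string" || c.length === 0)) {
    scopes.push("runtime-health-metadata-proof");
  } else if (reported.some((c) => c !== e.desiredCommit)) {
    scopes.push("dev-runtime-commit-drift"); // hypothetical scope
  }
  return scopes;
}

const DESIRED = "595de3d320b73ec006794440b32db48b3ad14d2b";
// State recorded in this snapshot: tag 404, no dev service, no health payload.
const mdtodoNow: Evidence = { desiredCommit: DESIRED, manifestDigest: null, devServiceExists: false };
// Constructed passing case; the digest is a placeholder, not a real manifest digest.
const deploy: DeployMeta = { commit: DESIRED, requestedCommit: DESIRED };
const mdtodoProven: Evidence = {
  desiredCommit: DESIRED,
  manifestDigest: "sha256:" + "0".repeat(64),
  devServiceExists: true,
  health: { deploy },
  live: { deploy },
};

console.log(blockedScopes(mdtodoNow).join(","));
console.log(blockedScopes(mdtodoProven).length === 0 ? "dev proven" : "blocked");
```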