Deploy Knowledge Loop on loop pinned to knowledge#18

[Svaag]

Summary

• Pin knowledge_loop_version on the loop VM to 0b414ae — the merged Knowledge revision (Add Knowledge Loop agent knowledge#18) that first ships hyrule-knowledge loop --once.
• Keep knowledge_loop_timer_enabled: false so applying only provisions the runtime (dedicated user, pinned checkout, dependency sync, disabled service/timer). No producer cycle runs yet.
• Live OpenRouter enrichment budget stays at the role default 0.

Dependency / ordering

• Merge and deploy Add Knowledge Loop runtime scaffold #302 first (the knowledge_loop Ansible role). This host_vars pin is inert until that role lands on main.
• Kept as a draft until Add Knowledge Loop runtime scaffold #302 is merged.

Safety

• Timer disabled by default; this PR does not start the loop.
• Runtime credential scope is separate from Engineering Loop and CI/CD PR-Agent (per Add Knowledge Loop runtime scaffold #302's knowledge-loop Vault policy/AppRole).
• No fleet SSH, Docker socket, wallet, app runtime, or broad Vault access.

Follow-up (not in this PR)

• A separate reviewed canary PR flips knowledge_loop_timer_enabled: true and adds the passive run-status / timer monitoring checks, after a manual one-shot smoke run.

🤖 Generated with Claude Code

[github-actions]

PR Reviewer Guide 🔍

Here are some key observations to aid the review process:

🎫 Ticket compliance analysis ❌ 18 - Not compliant Non-compliant requirements: None of the requirements are addressed by this PR (pinning a version for a separate agent, not touching rtr NAT64 infrastructure) Requires further human verification: The PR description claims to pin the knowledge loop to the merged revision of this ticket, but the ticket content is about a NAT64/rtr ARP issue, not about a hyrule-knowledge loop --once command. This discrepancy requires human verification. 302 - Not compliant Non-compliant requirements: This PR does not add any of the role, systemd units, Vault integration, or workflow changes. It only sets two host variables that depend on those items existing.

⏱️ Estimated effort to review: 1 🔵⚪⚪⚪⚪

🏅 Score: 75

🧪 No relevant tests

🔒 No security concerns identified

⚡ Recommended focus areas for review Missing Dependency Gate The host_vars reference knowledge_loop_version which expects the knowledge_loop Ansible role (defined in ticket knowledge_loop_version: "0b414aea6777ab067ae69c4fd82f715e847cc58e" knowledge_loop_timer_enabled: false Unvalidated Commit Hash The pinned commit 0b414aea6777ab067ae69c4fd82f715e847cc58e is provided without a repository prefix. If this hash does not exist in the expected Git repository (or if the variable resolves to a different repo than intended), the deployment will silently fail or check out the wrong code. No CI step validates that the hash is reachable. knowledge_loop_version: "0b414aea6777ab067ae69c4fd82f715e847cc58e"

[github-actions]

PR Code Suggestions ✨

Explore these optional code suggestions:

Category	Suggestion	Impact
General	Use variable for commit hash The commit hash 0b414aea6777ab067ae69c4fd82f715e847cc58e is hardcoded. Consider using a variable or tag reference to make future updates easier and avoid manual hash lookups. ansible/inventory/host_vars/loop.yml [32-33] -knowledge_loop_version: "0b414aea6777ab067ae69c4fd82f715e847cc58e" +knowledge_loop_version: "{{ knowledge_loop_commit_hash | default('0b414aea6777ab067ae69c4fd82f715e847cc58e') }}" knowledge_loop_timer_enabled: false Suggestion importance[1-10]: 4 __ Why: The suggestion is valid but offers a minor improvement in maintainability. The hardcoded commit hash is intentional per the PR comments (pinned to a specific revision), and introducing a variable adds unnecessary indirection for a value that is explicitly pinned and rarely changed.	Low

[Svaag]

Superseded by #302. Per Codex review, the knowledge_loop_version pin on loop is folded directly into the scaffold PR #302 (commit b48083d) so the role, workflow enablement, and version pin land together and the first apply is reproducible. Closing this standalone deploy PR.