engineering-loop: enable agent-core trace emission via deploy env

[Svaag]

Turns on the (already-merged) Phase 3 agent-core emitter for the live engineering-loop
by setting its env in the deploy config. Additive; role default stays off.

• roles/engineering_loop/defaults/main.yml: engineering_loop_agent_core_trace_enabled
  (default false) + engineering_loop_agent_core_trace_path
  ({{ engineering_loop_state_dir }}/agent-core-trace.jsonl).
• roles/vault_agent/templates/engineering-loop.env.ctmpl.j2: render
  HYRULE_ENGINEERING_AGENT_CORE_TRACE + _PATH (outside the secret block).
• host_vars/loop.yml: enable on the loop host.

Sink /var/lib/engineering-loop/agent-core-trace.jsonl is inside the unit's
ReadWritePaths (ProtectSystem=strict). render-all.sh is clean (no generated/ drift).

Apply (operator-gated — not done here)

This changes a production host. Per the deploy runbook, an operator applies it with Icinga
pre/post snapshots:

cd ansible && set -a; source ../secrets.local.sh; set +a
ansible-playbook playbooks/engineering-loop.yml -e engineering_loop_apply=true --limit loop

(vault-agent re-renders the env; the next timer cycle emits.) Verify after with:
ssh loop 'tail -f /var/lib/engineering-loop/agent-core-trace.jsonl'.

Notes

• Knowledge is intentionally not included. Its loop timer is disabled
  (knowledge_loop_timer_enabled: false, your deferred canary) and its live path is the
  knowledge MCP server, which the emitter doesn't hook yet — so enabling its env now would
  be a no-op. Handled separately.
• Follow-up: log rotation/retention for the JSONL sink (filed as an issue).

🤖 Generated with Claude Code

[github-actions]

PR Reviewer Guide 🔍

Here are some key observations to aid the review process:

⏱️ Estimated effort to review: 1 🔵⚪⚪⚪⚪

🏅 Score: 90

🧪 No relevant tests

🔒 No security concerns identified

⚡ Recommended focus areas for review Operational Risk Enabling agent-core trace emission on the live loop host before log rotation/retention is implemented (as noted in PR description). The sink file at /var/lib/engineering-loop/agent-core-trace.jsonl will grow unbounded under ProtectSystem=strict, potentially filling the state directory and causing the engineering-loop unit to fail. This should be gated until rotation is in place, or the PR should include basic logrotate config. HYRULE_ENGINEERING_AGENT_CORE_TRACE={{ '1' if engineering_loop_agent_core_trace_enabled | bool else '0' }} HYRULE_ENGINEERING_AGENT_CORE_TRACE_PATH={{ engineering_loop_agent_core_trace_path }}

[github-actions]

PR Code Suggestions ✨

No code suggestions found for the PR.

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 5728c1221b

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

Bump the loop runtime before enabling tracing

This enables trace emission for the live host, but the same host remains pinned to engineering_loop_version eb37b1c4d1d7c3f349c8c6cdb3bd890f168c2755 on line 7. I checked that pinned AS215932/engineering-loop source tree, and it has no reader for HYRULE_ENGINEERING_AGENT_CORE_TRACE, _PATH, AGENT_CORE, TraceEvent, or CostUsage, so these rendered env vars are ignored and /var/lib/engineering-loop/agent-core-trace.jsonl will not be produced until the pin is moved to a build that contains the emitter.

Useful? React with 👍 / 👎.

[Svaag]

Addressed the codex P2 (the pinned loop runtime had no reader for the trace env):

• Bumped engineering_loop_version eb37b1c → 2800630 on the loop host. That range is exactly engineering-loop Make dom0 a proper Ansible role (currently bash-only via bootstrap-dom0.sh) #24 (Phase 3 emitter) + firewall: codify /etc/pf.bogons6 in Ansible firewall role + remove ff00::/8 #25 (agent-core dep) and nothing else, so HYRULE_ENGINEERING_AGENT_CORE_TRACE/_PATH are now read by the deployed build and /var/lib/engineering-loop/agent-core-trace.jsonl is produced on the next cycle after apply.
• Sink growth is low-velocity here (engineering_loop_max_runs_per_day: 2); rotation/retention tracked in Add log rotation/retention for agent-core trace JSONL sinks #309.

@codex review

[chatgpt-codex-connector]

Codex Review: Didn't find any major issues. 👍

Reviewed commit: 3adaa9905b

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".