feat(daemon): supervisor unit + chittyserv-vm bootstrap (stops before start)#105
feat(daemon): supervisor unit + chittyserv-vm bootstrap (stops before start)#105chitcommit wants to merge 4 commits into
Conversation
Deploying with
|
| Status | Name | Latest Commit | Updated (UTC) |
|---|---|---|---|
| ✅ Deployment successful! View logs |
chittycommand | aee1235 | Jun 04 2026, 12:58 PM |
|
Warning Review limit reached
More reviews will be available in 59 minutes and 32 seconds. Learn how PR review limits work. Your organization has used up its prepaid credits, and credit purchases are no longer available. Enable the review add-on in the billing tab to keep reviews running — you're only billed for reviews past your plan's rate limits ($0.25/file). ⌛ How to resolve this issue?After more reviews become available, a review can be triggered using the We recommend that you space out your commits to avoid hitting the rate limit. 🚦 How do rate limits work?CodeRabbit enforces hourly rate limits for each developer per organization. Our paid plans include higher PR review limits than trial, open-source, and free plans. In all cases, reviews become available again over time. During sustained high-volume PR review activity, CodeRabbit may temporarily slow when the next review becomes available. Please see our Fair Usage Limits Policy for further information. ℹ️ Review info⚙️ Run configurationConfiguration used: defaults Review profile: CHILL Plan: Pro Run ID: 📒 Files selected for processing (15)
✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
|
|
To use Codex here, create a Codex account and connect to github. |
![chatgpt-codex-connector[bot]](https://avatars.githubusercontent.com/in/1144995?s=60&v=4){kind=small}
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: e029e35933
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
| Type=simple | ||
| User=chittycommand | ||
| Group=chittycommand | ||
| WorkingDirectory=/opt/chittycommand |
There was a problem hiding this comment.
If Node.js 20+ is installed somewhere other than /usr/bin (for example via nvm, a custom /usr/local/bin install, or a packaged path the script finds in PATH), the installer passes command -v node but the enabled service later fails at start because ExecStart ignores that detected path. Either render/install the unit with the discovered NODE_BIN or make /usr/bin/node an explicit prerequisite.
Useful? React with 👍 / 👎.
There was a problem hiding this comment.
Fixed in 6d02b99. Unit ships with ExecStart=@@NODE_BIN@@ placeholder; install-daemon-vm.sh now sed-substitutes the detected command -v node path into a tempfile before installing the unit, so nvm / /usr/local/bin / packaged node paths all work.
chitcommit
force-pushed
the
feat/daemon-supervisor-vm-bootstrap
branch
from
e029e35 to
1361080
Compare
|
|
To use Codex here, create a Codex account and connect to github. |
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 1361080cba
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
P1 entrypoint stub executor → refusal (codex 3352439151): The stub returned a sentinel dispatchedTaskId, causing the leader loop to call markIntentDispatched + completeIntent and record real pending intents as 'done' without execution. Replace with an explicit throw so the loop's failure path runs (intent → failed with clear refusal message). The real executor lands in PR #107. P2 entrypoint SIGTERM release sessionId (codex 3353069328): releaseLeadership gates on session ownership (codex-p2 PR#101); the fallback shutdown release passed no sessionId, so it always no-op'd against our own session-stamped lease. Pass the loop's sessionId. P2 install-daemon-vm.sh devDeps prune (codex 3352439158): npm ci --omit=dev pruned typescript, breaking 'npm run build:daemon'. Install full deps for the repo build step; runtime image in still gets --omit=dev separately. P2 systemd unit NODE_BIN (codex 3352439162): Hard-coded /usr/bin/node breaks nvm / /usr/local/bin installs. Ship unit with @@NODE_BIN@@ placeholder; install script substitutes the detected node path before installing. P2 systemd MDWE+JIT (codex 3352439169): MemoryDenyWriteExecute=true is documented incompatible with V8 JIT and would abort node at startup. Remove the flag; document why. P2 launchd plist missing env (codex 3352439167): launchd has no EnvironmentFile equivalent. Plist invoked node directly without DATABASE_URL/NODE_CHITTY_ID/NODE_DESCRIPTOR, hitting entrypoint.ts's fatal-missing-env branch on Mac Mini nodes. Add a launchd-shim.sh that sources /etc/chittycommand/env (same shape as systemd EnvironmentFile) then execs node. P2 migration 0016 single-upload conflict (codex 3352439160): Unique partial index on r2_key broke single /upload's plain INSERT...RETURNING — re-uploads now 500'd on unique violation. Add ON CONFLICT (r2_key) WHERE (r2_key IS NOT NULL) DO NOTHING to match batch path; fall back to SELECT-existing returning 200. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
|
|
To use Codex here, create a Codex account and connect to github. |
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 6d02b99c5b
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
| plan "install -m 0644 -o root -g root /tmp/chittycommand-daemon.service ${UNIT_DST}" | ||
| else | ||
| RENDERED_UNIT="$(mktemp)" | ||
| sed "s|@@NODE_BIN@@|${NODE_BIN}|g" "${UNIT_SRC}" > "${RENDERED_UNIT}" |
There was a problem hiding this comment.
When the installer is run with sudo -E from an nvm-based setup, command -v node can resolve to /home/.../.nvm/.../node; this line then renders that path into ExecStart, but the unit also sets ProtectHome=true, so the service running as chittycommand cannot traverse the invoking user's home directory and fails at start. Either reject/canonicalize home-directory Node paths during install or relax the unit assumptions before advertising nvm support.
Useful? React with 👍 / 👎.
| # EnvironmentFile expects, rendered by `op inject` at install time. | ||
| set -a | ||
| # shellcheck disable=SC1090 | ||
| . "${ENV_FILE}" |
There was a problem hiding this comment.
On macOS nodes using this shim, /etc/chittycommand/env is rendered from op inject in systemd EnvironmentFile format, but sourcing it as shell code means characters in DATABASE_URL or CHITTYCONNECT_TOKEN such as $ or backticks are expanded/executed instead of treated as literal secret bytes. A generated DB password containing these characters will make the daemon start with corrupted credentials; parse KEY=VALUE without shell evaluation or render a shell-escaped launchd-specific env file.
Useful? React with 👍 / 👎.
| --> | ||
| <key>ProgramArguments</key> | ||
| <array> | ||
| <string>/opt/chittycommand/dist/daemon/runtime/launchd-shim.sh</string> |
There was a problem hiding this comment.
The launchd plist points directly at /opt/chittycommand/dist/daemon/runtime/launchd-shim.sh, but the daemon build only emits the TypeScript outputs under dist and rg shows no installer or copy step for this shell script. On a Mac Mini node that installs the documented plist path, launchd will fail before Node starts because the referenced ProgramArguments executable is absent unless operators manually copy it into dist.
Useful? React with 👍 / 👎.
| rm -f "${RENDERED_UNIT}" | ||
| fi | ||
| run "systemctl daemon-reload" | ||
| run "systemctl enable chittycommand-daemon.service" |
There was a problem hiding this comment.
The script promises to stop before the operator's final systemctl start, but enabling the unit here means any VM reboot after install and before that manual verification starts the daemon automatically at boot. If the human gate is meant to prevent execution until the operator explicitly starts/smoke-tests the service, leave it disabled during install or move enable into the same operator-approved step as start.
Useful? React with 👍 / 👎.
| 4. **Neon project provisioned** for ChittyCommand with the `cc_node_leases`, | ||
| `cc_goals`, `cc_plans`, `cc_intents` tables (migrations `0001_*`/`0002_*` | ||
| from the foundation PR applied). |
There was a problem hiding this comment.
Following this prerequisite on a fresh Neon project leaves migration 0003_* unapplied even though the daemon loop calls reclaimStuckIntents(), whose UPDATE increments cc_intents.reclaim_count. In that documented setup the daemon logs reclaim_error every tick and never recovers stale claimed/running intents; include the migration that adds reclaim_count in the required schema baseline.
Useful? React with 👍 / 👎.
Code review findings (automated)CriticalNone. Important
Suggestion
Confirmed clean
|
|
|
To use Codex here, create a Codex account and connect to github. |
…tch → heartbeat) (#107) Stacked on #106. Replaces the injected-executor abstraction in daemon/loop.ts with a direct call to meta/intent.ts::executeIntent, closing the meta-orchestrator loop. Status transitions, audit-row writes, and the second sovereignty gate are all owned by executeIntent → dispatch; the loop's responsibility is leader lifecycle, intent claiming, heartbeats, and outcome classification. Four outcomes are handled distinctly: - ok=true (executed) → bump processed counter, reset error backoff - ok=true (replayed) → bump replayed counter, no backoff, no double-count - ok=false (refused) → bump refused counter, no backoff (steady-state) - ok=false (exec error) → bump errored counter, bounded exp backoff Sovereignty refusals are identified by canonical error prefixes emitted by meta/executors/dispatch.ts ("sovereignty re-reckon:" / "sovereignty snapshot stale ..."). Refusals are NOT treated as transient faults — they are valid outcomes and do not trigger backoff. The loop honors options.signal via AbortController throughout, including inside the sleep helper, so SIGTERM from daemon/runtime/entrypoint.ts (PR #105) unwinds cleanly through releaseLeadership. tests/daemon/loop.spec.ts — real Neon integration. Seeds two pending intents against the update_obligation_status executor, runs runLeaderLoop with maxIntents=2, asserts: - both intents reach status='done' - each produces exactly one cc_actions_log row (attempt=1, key set, status='completed') - cc_obligations rows actually moved to 'deferred' - cc_node_leases shows leadership released on clean exit - log stream contains intent_heartbeat_before / intent_heartbeat_after pairs Out of scope (not in this PR): - new executors (mercury, etc.) - production deploy - multi-node coordination beyond single-node leader - schema additions on cc_intents / cc_actions_log Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
…l consumer (#109) * feat(daemon): loop body wires executeIntent end-to-end (claim → dispatch → heartbeat) Stacked on #106. Replaces the injected-executor abstraction in daemon/loop.ts with a direct call to meta/intent.ts::executeIntent, closing the meta-orchestrator loop. Status transitions, audit-row writes, and the second sovereignty gate are all owned by executeIntent → dispatch; the loop's responsibility is leader lifecycle, intent claiming, heartbeats, and outcome classification. Four outcomes are handled distinctly: - ok=true (executed) → bump processed counter, reset error backoff - ok=true (replayed) → bump replayed counter, no backoff, no double-count - ok=false (refused) → bump refused counter, no backoff (steady-state) - ok=false (exec error) → bump errored counter, bounded exp backoff Sovereignty refusals are identified by canonical error prefixes emitted by meta/executors/dispatch.ts ("sovereignty re-reckon:" / "sovereignty snapshot stale ..."). Refusals are NOT treated as transient faults — they are valid outcomes and do not trigger backoff. The loop honors options.signal via AbortController throughout, including inside the sleep helper, so SIGTERM from daemon/runtime/entrypoint.ts (PR #105) unwinds cleanly through releaseLeadership. tests/daemon/loop.spec.ts — real Neon integration. Seeds two pending intents against the update_obligation_status executor, runs runLeaderLoop with maxIntents=2, asserts: - both intents reach status='done' - each produces exactly one cc_actions_log row (attempt=1, key set, status='completed') - cc_obligations rows actually moved to 'deferred' - cc_node_leases shows leadership released on clean exit - log stream contains intent_heartbeat_before / intent_heartbeat_after pairs Out of scope (not in this PR): - new executors (mercury, etc.) - production deploy - multi-node coordination beyond single-node leader - schema additions on cc_intents / cc_actions_log Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * fix(health,wrangler): real-dependency /health probe + chittytrack tail consumer The previous /health returned a static {status:"ok",...} regardless of whether the worker could reach its real dependencies — a direct violation of the chittyentity CLAUDE.md "No Mocks, Fake Data, or Placeholder Endpoints" binding rule ("every endpoint must return real results against a real datastore on the day it is committed"). This change replaces /health with a real probe that executes against the worker's actual dependencies: * db — SELECT 1 via Neon HTTP driver. Critical: failure -> 503. * chittyconnect — GET ${CHITTYCONNECT_URL}/health. Degraded if unreachable. * daemon — newest cc_node_leases.heartbeat_at, stale if older than 2x daemon/loop.ts default heartbeatMs (10000ms -> 20000ms cutoff). Missing table -> not_provisioned (degraded, NOT down) so deploys against bases without #101 don't 503. Per-dep timeout 2000ms; total probe bounded ≤ 5000ms via Promise.all. Runs unauthenticated (no auth middleware on /health). The probe handler is extracted to src/routes/health.ts so it can be integration-tested in pure Node — importing src/index.ts directly drags in `cloudflare:` modules (Agents SDK / DOs) that only resolve under workerd. Integration test exercises the handler against a real Neon branch (no mocks), validates DB probe ok and shape of all three probes, and asserts 503 + status=down when DB is unreachable. wrangler.jsonc already declares `tail_consumers: [{service: chittytrack}]` (present on the base branch) — no change required there. Verified against Neon branch br-spring-queen-akggkmso of project cool-bar-13270800 (ChittyCommand). Sample real response: { "status": "degraded", "service": "chittycommand", "version": "0.1.0", "timestamp": "2026-06-04T05:27:16.111Z", "probes": { "db": { "status": "ok", "latency_ms": 226 }, "chittyconnect": { "status": "degraded", "latency_ms": 0, "error": "CHITTYCONNECT_URL not configured" }, "daemon": { "status": "not_provisioned", "newest_heartbeat_age_ms": null, "error": "relation \"cc_node_leases\" does not exist" } } } Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * fix(health): query active leases by heartbeat_at, not released_at Addresses Codex P2 on PR #109. The cc_node_leases schema in src/db/schema.ts has no released_at column — release is represented by NULLing heartbeat_at/lease_expires_at in daemon/leader.ts. The previous WHERE released_at IS NULL clause raised 'column released_at does not exist', which the catch block then mis-classified as 'not_provisioned', so /health would never report ok/stale based on real heartbeats. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> --------- Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com> Co-authored-by: chitcommit <noreply@chitty.cc>
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: aee1235254
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
| run "cp ${REPO_ROOT}/package.json ${INSTALL_DIR}/package.json" | ||
| # Runtime deps only (no devDeps); production install into install dir. | ||
| run "cd ${INSTALL_DIR} && npm install --omit=dev --no-audit --no-fund" |
There was a problem hiding this comment.
When this runs after a dependency publishes a new semver-compatible version, /opt/chittycommand only has package.json, so npm install --omit=dev resolves a fresh dependency tree instead of the one that was just built and tested with npm ci in the repo. That can leave the daemon running against different package versions than the compiled artifact was validated with; copy package-lock.json and use npm ci --omit=dev for the runtime install.
Useful? React with 👍 / 👎.
| const nodeId = process.env.NODE_CHITTY_ID; | ||
| const dbUrl = process.env.DATABASE_URL; | ||
| const descriptor = process.env.NODE_DESCRIPTOR ?? process.env.HOSTNAME ?? ''; |
There was a problem hiding this comment.
When a node is configured from daemon/supervisor.md, the documented required variables are CHITTYCOMMAND_NODE_ID and CHITTYCOMMAND_NODE_DESCRIPTOR, but this entrypoint only reads NODE_CHITTY_ID/NODE_DESCRIPTOR and exits through the missing-env path. Either accept the documented names as aliases or update the supervisor/launchd environment contract everywhere; otherwise a daemon installed from the existing supervisor plan never reaches the leader loop.
Useful? React with 👍 / 👎.
| echo "[install] fatal: 'op' is not signed in. Run: eval \$(op signin)" >&2 | ||
| exit 6 | ||
| fi | ||
| op inject -i "${ENV_TMPL}" -o "${ENV_FILE}" |
There was a problem hiding this comment.
On the second run of this advertised-idempotent installer, /etc/chittycommand/env already exists, so op inject -o can stop for overwrite confirmation instead of completing unattended; I checked the 1Password CLI docs and --force is the documented flag to avoid prompting. Add --force here or render to a temporary file and atomically replace the env file so reruns don't hang/fail during the secret-render step.
Useful? React with 👍 / 👎.
…tch → heartbeat) (#107) Stacked on #106. Replaces the injected-executor abstraction in daemon/loop.ts with a direct call to meta/intent.ts::executeIntent, closing the meta-orchestrator loop. Status transitions, audit-row writes, and the second sovereignty gate are all owned by executeIntent → dispatch; the loop's responsibility is leader lifecycle, intent claiming, heartbeats, and outcome classification. Four outcomes are handled distinctly: - ok=true (executed) → bump processed counter, reset error backoff - ok=true (replayed) → bump replayed counter, no backoff, no double-count - ok=false (refused) → bump refused counter, no backoff (steady-state) - ok=false (exec error) → bump errored counter, bounded exp backoff Sovereignty refusals are identified by canonical error prefixes emitted by meta/executors/dispatch.ts ("sovereignty re-reckon:" / "sovereignty snapshot stale ..."). Refusals are NOT treated as transient faults — they are valid outcomes and do not trigger backoff. The loop honors options.signal via AbortController throughout, including inside the sleep helper, so SIGTERM from daemon/runtime/entrypoint.ts (PR #105) unwinds cleanly through releaseLeadership. tests/daemon/loop.spec.ts — real Neon integration. Seeds two pending intents against the update_obligation_status executor, runs runLeaderLoop with maxIntents=2, asserts: - both intents reach status='done' - each produces exactly one cc_actions_log row (attempt=1, key set, status='completed') - cc_obligations rows actually moved to 'deferred' - cc_node_leases shows leadership released on clean exit - log stream contains intent_heartbeat_before / intent_heartbeat_after pairs Out of scope (not in this PR): - new executors (mercury, etc.) - production deploy - multi-node coordination beyond single-node leader - schema additions on cc_intents / cc_actions_log Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
…l consumer (#109) * feat(daemon): loop body wires executeIntent end-to-end (claim → dispatch → heartbeat) Stacked on #106. Replaces the injected-executor abstraction in daemon/loop.ts with a direct call to meta/intent.ts::executeIntent, closing the meta-orchestrator loop. Status transitions, audit-row writes, and the second sovereignty gate are all owned by executeIntent → dispatch; the loop's responsibility is leader lifecycle, intent claiming, heartbeats, and outcome classification. Four outcomes are handled distinctly: - ok=true (executed) → bump processed counter, reset error backoff - ok=true (replayed) → bump replayed counter, no backoff, no double-count - ok=false (refused) → bump refused counter, no backoff (steady-state) - ok=false (exec error) → bump errored counter, bounded exp backoff Sovereignty refusals are identified by canonical error prefixes emitted by meta/executors/dispatch.ts ("sovereignty re-reckon:" / "sovereignty snapshot stale ..."). Refusals are NOT treated as transient faults — they are valid outcomes and do not trigger backoff. The loop honors options.signal via AbortController throughout, including inside the sleep helper, so SIGTERM from daemon/runtime/entrypoint.ts (PR #105) unwinds cleanly through releaseLeadership. tests/daemon/loop.spec.ts — real Neon integration. Seeds two pending intents against the update_obligation_status executor, runs runLeaderLoop with maxIntents=2, asserts: - both intents reach status='done' - each produces exactly one cc_actions_log row (attempt=1, key set, status='completed') - cc_obligations rows actually moved to 'deferred' - cc_node_leases shows leadership released on clean exit - log stream contains intent_heartbeat_before / intent_heartbeat_after pairs Out of scope (not in this PR): - new executors (mercury, etc.) - production deploy - multi-node coordination beyond single-node leader - schema additions on cc_intents / cc_actions_log Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * fix(health,wrangler): real-dependency /health probe + chittytrack tail consumer The previous /health returned a static {status:"ok",...} regardless of whether the worker could reach its real dependencies — a direct violation of the chittyentity CLAUDE.md "No Mocks, Fake Data, or Placeholder Endpoints" binding rule ("every endpoint must return real results against a real datastore on the day it is committed"). This change replaces /health with a real probe that executes against the worker's actual dependencies: * db — SELECT 1 via Neon HTTP driver. Critical: failure -> 503. * chittyconnect — GET ${CHITTYCONNECT_URL}/health. Degraded if unreachable. * daemon — newest cc_node_leases.heartbeat_at, stale if older than 2x daemon/loop.ts default heartbeatMs (10000ms -> 20000ms cutoff). Missing table -> not_provisioned (degraded, NOT down) so deploys against bases without #101 don't 503. Per-dep timeout 2000ms; total probe bounded ≤ 5000ms via Promise.all. Runs unauthenticated (no auth middleware on /health). The probe handler is extracted to src/routes/health.ts so it can be integration-tested in pure Node — importing src/index.ts directly drags in `cloudflare:` modules (Agents SDK / DOs) that only resolve under workerd. Integration test exercises the handler against a real Neon branch (no mocks), validates DB probe ok and shape of all three probes, and asserts 503 + status=down when DB is unreachable. wrangler.jsonc already declares `tail_consumers: [{service: chittytrack}]` (present on the base branch) — no change required there. Verified against Neon branch br-spring-queen-akggkmso of project cool-bar-13270800 (ChittyCommand). Sample real response: { "status": "degraded", "service": "chittycommand", "version": "0.1.0", "timestamp": "2026-06-04T05:27:16.111Z", "probes": { "db": { "status": "ok", "latency_ms": 226 }, "chittyconnect": { "status": "degraded", "latency_ms": 0, "error": "CHITTYCONNECT_URL not configured" }, "daemon": { "status": "not_provisioned", "newest_heartbeat_age_ms": null, "error": "relation \"cc_node_leases\" does not exist" } } } Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * fix(health): query active leases by heartbeat_at, not released_at Addresses Codex P2 on PR #109. The cc_node_leases schema in src/db/schema.ts has no released_at column — release is represented by NULLing heartbeat_at/lease_expires_at in daemon/leader.ts. The previous WHERE released_at IS NULL clause raised 'column released_at does not exist', which the catch block then mis-classified as 'not_provisioned', so /health would never report ok/stale based on real heartbeats. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> --------- Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com> Co-authored-by: chitcommit <noreply@chitty.cc>
… start) Stacked on #101. Adds the runtime supervisor surface for the meta-orchestrator daemon foundation: - daemon/runtime/entrypoint.ts — Node entrypoint wiring runLeaderLoop with SIGTERM/SIGINT graceful shutdown that releases the lease before exit. - daemon/runtime/chittycommand-daemon.service — hardened systemd unit (Restart=always, dedicated chittycommand user, EnvironmentFile from /etc/chittycommand/env, journal logging). - daemon/runtime/env.tmpl — op inject template; only op:// references, no secret values. 1Password stays the cold source of truth. - daemon/runtime/launchd/com.chittyos.chittycommand-daemon.plist — macOS artifact for the Mac Mini cluster (not used on the VM, included so next-node bring-up doesn't need a separate PR). - daemon/runtime/tsconfig.daemon.json + package.json build:daemon script — emits dist/daemon/runtime/entrypoint.js for the service ExecStart. - scripts/install-daemon-vm.sh — idempotent VM bootstrap; supports --dry-run; creates user, builds, syncs to /opt/chittycommand, renders env via op inject, installs+enables the unit, STOPS WITHOUT STARTING. - docs/runbooks/daemon-bring-up-vm.md — operator runbook (mint flow, verify, heartbeat, failure modes, rollback). - daemon/supervisor.md — links to the runbook and pins chittyserv-vm as first-node target. Operator action required: sudo systemctl start chittycommand-daemon.service (after sudo -E ./scripts/install-daemon-vm.sh). See PR body for dry-run output. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
P1 entrypoint stub executor → refusal (codex 3352439151): The stub returned a sentinel dispatchedTaskId, causing the leader loop to call markIntentDispatched + completeIntent and record real pending intents as 'done' without execution. Replace with an explicit throw so the loop's failure path runs (intent → failed with clear refusal message). The real executor lands in PR #107. P2 entrypoint SIGTERM release sessionId (codex 3353069328): releaseLeadership gates on session ownership (codex-p2 PR#101); the fallback shutdown release passed no sessionId, so it always no-op'd against our own session-stamped lease. Pass the loop's sessionId. P2 install-daemon-vm.sh devDeps prune (codex 3352439158): npm ci --omit=dev pruned typescript, breaking 'npm run build:daemon'. Install full deps for the repo build step; runtime image in still gets --omit=dev separately. P2 systemd unit NODE_BIN (codex 3352439162): Hard-coded /usr/bin/node breaks nvm / /usr/local/bin installs. Ship unit with @@NODE_BIN@@ placeholder; install script substitutes the detected node path before installing. P2 systemd MDWE+JIT (codex 3352439169): MemoryDenyWriteExecute=true is documented incompatible with V8 JIT and would abort node at startup. Remove the flag; document why. P2 launchd plist missing env (codex 3352439167): launchd has no EnvironmentFile equivalent. Plist invoked node directly without DATABASE_URL/NODE_CHITTY_ID/NODE_DESCRIPTOR, hitting entrypoint.ts's fatal-missing-env branch on Mac Mini nodes. Add a launchd-shim.sh that sources /etc/chittycommand/env (same shape as systemd EnvironmentFile) then execs node. P2 migration 0016 single-upload conflict (codex 3352439160): Unique partial index on r2_key broke single /upload's plain INSERT...RETURNING — re-uploads now 500'd on unique violation. Add ON CONFLICT (r2_key) WHERE (r2_key IS NOT NULL) DO NOTHING to match batch path; fall back to SELECT-existing returning 200. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
chitcommit
force-pushed
the
feat/daemon-supervisor-vm-bootstrap
branch
from
aee1235 to
ac30e3e
Compare
|
|
To use Codex here, create a Codex account and connect to github. |
Deploying with
|
| Status | Name | Latest Commit | Updated (UTC) |
|---|---|---|---|
| ✅ Deployment successful! View logs |
chittycommand | 076f0ba | Jun 15 2026, 12:04 PM |
… build Replaying #105 onto current main (executor registry from #106) broke the daemon build two ways. Fix both so #105 ships a daemon that builds on the VM. 1. entrypoint.ts passed an `executor` callback to runLeaderLoop — removed in #106 when the loop began dispatching through the canonical executor registry (executeIntent). Drop the stub: an empty registry routes every claimed intent through dispatch's "no executor registered" throw → failIntent → `failed`, never silent `done`, preserving the PR #105 Codex-P1 safety property without a callback. 2. The executor registry (meta/executors/{types,dispatch,update-obligation- status}.ts) hard-imported the Workers `Env` from src/index, neither available nor compilable in the daemon's NodeNext + node-types build. Per ADR-001 the registry is consumed by BOTH the Worker and the daemon, so it must not depend on Workers-only types. Introduce a minimal structural `ExecutorEnv { DATABASE_URL?, HYPERDRIVE? }` (the only env the registry reads; getSql already cast to exactly this). Worker `Env` stays structurally assignable — ActionAgent callers unchanged. No index signature: keeps typo-safety on env reads for the real-money mercury path. Also add the explicit `/index.js` extension to meta/intent.ts's dynamic `import('./executors')` (required under NodeNext; accepted by the Worker's Bundler resolution). Verified: `npm run typecheck` (Worker, Bundler) and `npm run build:daemon` (NodeNext) both exit 0. Follow-up (needs `workflow` scope, separate push): add `tsc -p daemon/runtime/tsconfig.daemon.json --noEmit` as a CI step so the daemon build is gated — catches the #108 ripple (mercury also imports Workers `Env`) at PR time instead of VM install. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
|
|
You have reached your Codex usage limits for code reviews. You can see your limits in the Codex usage dashboard. |
|
Build fix landed at Heads up to the other active session on this branch: the rebase onto main replayed the original commits, which still fail the build against #106's executor registry. Two root causes fixed:
Verified locally: Follow-up (blocked on |
|
To use Codex here, create a Codex account and connect to github. |
|
You have reached your Codex usage limits for code reviews. You can see your limits in the Codex usage dashboard. |
|
|
To use Codex here, create a Codex account and connect to github. |
|
@chitcommit Unfortunately I hit an unexpected error while processing your comment. I've automatically reported this to GitHub. You can ask me to try again later by mentioning me in a new comment. If you want to contact GitHub about this error, please mention the following identifier so they can better serve you: Sorry for the inconvenience! |
5 similar comments
|
@chitcommit Unfortunately I hit an unexpected error while processing your comment. I've automatically reported this to GitHub. You can ask me to try again later by mentioning me in a new comment. If you want to contact GitHub about this error, please mention the following identifier so they can better serve you: Sorry for the inconvenience! |
|
@chitcommit Unfortunately I hit an unexpected error while processing your comment. I've automatically reported this to GitHub. You can ask me to try again later by mentioning me in a new comment. If you want to contact GitHub about this error, please mention the following identifier so they can better serve you: Sorry for the inconvenience! |
|
@chitcommit Unfortunately I hit an unexpected error while processing your comment. I've automatically reported this to GitHub. You can ask me to try again later by mentioning me in a new comment. If you want to contact GitHub about this error, please mention the following identifier so they can better serve you: Sorry for the inconvenience! |
|
@chitcommit Unfortunately I hit an unexpected error while processing your comment. I've automatically reported this to GitHub. You can ask me to try again later by mentioning me in a new comment. If you want to contact GitHub about this error, please mention the following identifier so they can better serve you: Sorry for the inconvenience! |
|
@chitcommit Unfortunately I hit an unexpected error while processing your comment. I've automatically reported this to GitHub. You can ask me to try again later by mentioning me in a new comment. If you want to contact GitHub about this error, please mention the following identifier so they can better serve you: Sorry for the inconvenience! |
2 participants
Stacked on the meta-orchestrator foundation branch (
feat/meta-orchestrator-extension, the work referred to as PR #101).Adds the runtime supervisor surface for the meta-orchestrator daemon. The daemon is installed and enabled, but not started — the operator runs the final command.
Summary
daemon/runtime/entrypoint.ts— Node entrypoint wiringrunLeaderLoopwith SIGTERM/SIGINT graceful shutdown that releases the lease before exit.daemon/runtime/chittycommand-daemon.service— hardened systemd unit (Restart=always, dedicatedchittycommanduser,EnvironmentFile=/etc/chittycommand/env, journal logging, sandboxing flags).daemon/runtime/env.tmpl—op injecttemplate; onlyop://references, no secret values. 1Password remains the cold source of truth per operator-manifest policy.daemon/runtime/launchd/com.chittyos.chittycommand-daemon.plist— macOS artifact for the Mac Mini cluster (not used on the VM; included so next-node bring-up doesn't need a separate PR).daemon/runtime/tsconfig.daemon.json+package.jsonbuild:daemon— emitsdist/daemon/runtime/entrypoint.jsfor the serviceExecStart.scripts/install-daemon-vm.sh— idempotent VM bootstrap with--dry-run. Creates the system user, builds, syncs to/opt/chittycommand, renders the env viaop inject, installs+enables the unit, stops without starting.docs/runbooks/daemon-bring-up-vm.md— operator runbook (ChittyID mint flow, verify, heartbeat, failure modes, rollback, uninstall).daemon/supervisor.md— links the runbook and pinschittyserv-vmas the first-node target.Operator action required
Auto-merge is off. The VM bring-up is a human gate.
ChittyID minting
The public
chittyid.chitty.ccendpoint serves only the landing page and does not expose an unauthenticated mint route. The runbook documents two real mint paths the operator must take (ch1tty gateway → chittyid, or the existing ChittyCommand 43-tool MCPchittyid-mintaction), then stores the result in 1Password atop://ChittyOS-Core/CHITTYCOMMAND_NODES/chittyserv-vm/chitty_id. No fake ChittyID is generated in this PR.Typecheck status
npm run typecheck— cleannpm run build:daemon— clean (emitsdist/daemon/runtime/entrypoint.js)Dry-run output
Test plan
./scripts/install-daemon-vm.sh --dry-runmatches the dry-run shown abovechittyserv-vm, store in 1Passwordsudo -E ./scripts/install-daemon-vm.shsucceedssudo systemctl start chittycommand-daemon.servicecc_node_leasesrow populated with the node ChittyID,lease_expires_atadvancing every ~10sjournalctl -u chittycommand-daemon.serviceshowsdaemon_start → leader_acquired → heartbeat_okcadenceOut of scope
op injectstep🤖 Generated with Claude Code