diff --git a/programming_general/infra_manifest.yaml b/programming_general/infra_manifest.yaml index 4869150..bf7a4ba 100644 --- a/programming_general/infra_manifest.yaml +++ b/programming_general/infra_manifest.yaml @@ -1,5 +1,5 @@ apiVersion: conventions/v1 -version: 0.6.0 +version: 0.7.0 updated: "2026-06-30" name: infra_manifest title: Infra manifest (.infra.yaml — per-project + producer-level shared infra) 
@@ -36,6 +36,18 @@ rules: - id: env_variants level: should text: "Default manifest is `.infra.yaml` (prod, environment defaults to prod). A distinct non-prod deployment lives in a sibling `.infra..yaml` (currently only `.infra.dev.yaml`) with the same schema + `environment` set. One project may thus appear as multiple services (e.g. prod on a DO droplet + a local mac instance). Keep run-only/access config (passcodes, bind addresses) out of the manifest — it is not mesh infra." + - id: manage_apps_orchestrator + level: must + text: "`@quinn/manage-apps` (~/Code/@quinn/@packages/manage-apps) is the canonical service orchestrator — it AUTO-DISCOVERS every `.infra.yaml` by walking the producer tree (no central registry) and drives start/stop/status/deploy. A new deployable service = drop a `.infra.yaml`; never hand-roll start/deploy ssh scripts or a per-app `app.manifest.yaml` (that legacy format is retired in favour of `.infra.yaml`)." + rationale: One declarative manifest, one orchestrator, zero registration — the same `.infra.yaml` the net-tools infra-net reconciler reads for mesh/DNS. + - id: systemd_supervision + level: must + text: "Standing services on cloud hosts run as **systemd units** (declared via `service.systemd_unit`), never as foreground ssh or /tmp PID-tracked processes — so they survive host restarts and crash-restart. The `service.deploy` script installs/enables the unit; manage-apps drives it via `ssh systemctl …`. PID/background mode is for local-mac dev only." + rationale: systemd is the supervisor; PID files die on restart. Matches the global rule 'long-running jobs → systemd, not foreground ssh'. + - id: mesh_host_resolution + level: should + text: "`service.host` resolves to an ssh alias from net-tools `host-apply` (~/.ssh/config rendered from mesh-hosts.json) — manage-apps runs `ssh …`, it does NOT embed IPs or `-i `. 
Internal service-to-service traffic rides the WireGuard mesh (10.9.0.0/24); on-mesh peers skip auth, so no app port is publicly exposed." + rationale: net-tools owns SSH config + the mesh; manage-apps owns runtime. One source of truth for host addressing; the mesh is the private plane. providesFile: path: .infra.yaml # plus optional .infra..yaml siblings (same schema) schema:
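Review bot: in the first hunk the version bump `-version: 0.6.0` / `+version: 0.7.0` leaves `updated: "2026-06-30"` unchanged, so the manifest convention now advertises a new version with the old revision date; bump `updated` in the same change (or drop the field if the version is the only thing consumers key on), otherwise tooling that compares `updated` to detect a changed convention will miss this release.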
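Review bot: in the second hunk the `mesh_host_resolution` text reads `it does NOT embed IPs or `-i `` with an empty placeholder after `-i`, which looks like a dropped `<key>`-style token; restore the flag's argument so the rule says what manage-apps must not embed. The same rule then argues "on-mesh peers skip auth, so no app port is publicly exposed", but that conclusion only holds if each service binds to its 10.9.0.0/24 mesh address and nothing else, and the `env_variants` rule directly above keeps bind addresses out of the manifest, so nothing in this schema enforces the premise; either state the bind requirement in `mesh_host_resolution` (and consider `level: must`, since the text is written as an absolute) or reword the sentence so it does not present skipped auth as a consequence of the mesh alone.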