ops: systemd units for auditor + context7 bridge #4

Merged
profit merged 1 commits from ops/auditor-systemd-units into main 2026-04-22 09:17:10 +00:00

Intent

Make the auditor + context7 bridge survive restarts. Both currently manual-start; this adds Gitea-trackable systemd units + an installer.

Files

  • ops/systemd/lakehouse-auditor.service
  • ops/systemd/lakehouse-context7-bridge.service
  • ops/systemd/install.sh (idempotent)
  • ops/systemd/README.md

Post-merge step

sudo bash ops/systemd/install.sh — copies units, daemon-reload, enable --now.

Not in this PR

  • Branch protection (auditor commit status still advisory)
  • Systemd hardening (running as root, same as other lakehouse-* services)
profit added 1 commit 2026-04-22 09:16:19 +00:00
ops: systemd units for auditor + context7 bridge
Some checks failed
lakehouse/auditor 3 warnings — see review
c85c55006d
Promotes two previously manual-start Bun services to systemd
so they survive restarts + run continuously.

- ops/systemd/lakehouse-auditor.service — polls Gitea every 90s,
  runs 4 audit checks per PR head SHA, posts commit status + review
  comment. Runs as root to match existing lakehouse-* service
  conventions on this host; can read /home/profit/.git-credentials
  (0600 profit:profit).
- ops/systemd/lakehouse-context7-bridge.service — HTTP wrapper on
  :3900 for Phase 45 doc-drift detection. Decoupled from gateway;
  runs independently.
- ops/systemd/install.sh — idempotent installer (copy → daemon-reload
  → enable --now). Prints post-install active/enabled status.
- ops/systemd/README.md — run/stop/logs/pause docs.

Pause control stays per-service (bot.paused / auditor.paused files
at repo root). Not wired to branch protection yet — the auditor's
commit status is currently advisory, not enforcing. Flip via Gitea
branch_protections API when confident.
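What the installer step and the deferred hardening step could look like together, as an added example that is not the PR's `ops/systemd/install.sh` nor any code from the lakehouse repo. The two unit names and the `/home/profit/.git-credentials` path are taken from the commit message; the `LAKEHOUSE_*` environment overrides, the `lakehouse` service user, the drop-in contents and the expectation that the auditor reads its token from `$CREDENTIALS_DIRECTORY/git-credentials` instead of `~/.git-credentials` are assumptions.

```shell
#!/usr/bin/env bash
# Added example, not the PR's ops/systemd/install.sh. Unit names and the
# /home/profit/.git-credentials path come from the PR; the LAKEHOUSE_*
# overrides, the "lakehouse" service user, the drop-in contents and the
# expectation that the auditor reads its token from
# $CREDENTIALS_DIRECTORY/git-credentials are assumptions.
set -eu

UNIT_SRC="${LAKEHOUSE_UNIT_SRC:-ops/systemd}"
UNIT_DST="${LAKEHOUSE_UNIT_DST:-/etc/systemd/system}"
SYSTEMCTL="${LAKEHOUSE_SYSTEMCTL:-systemctl}"
UNITS="lakehouse-auditor.service lakehouse-context7-bridge.service"

# Copy src to dst only if the content differs. Returns 0 when dst was
# written, 1 when it was already identical, so the caller can decide
# whether daemon-reload and a restart are actually needed.
sync_file() {
  local src="$1" dst="$2"
  if [ -f "$dst" ] && cmp -s "$src" "$dst"; then
    return 1
  fi
  install -D -m 0644 "$src" "$dst"
}

# Drop-in that removes the stated reason for running as root: systemd
# (pid 1) reads the 0600 credential file itself and exposes a 0400 copy
# to the service user under $CREDENTIALS_DIRECTORY (LoadCredential=,
# systemd >= 247). ProtectHome=read-only rather than =yes because the
# pause files live at the repo root under /home; add ReadWritePaths= if
# the service writes into the checkout.
hardening_dropin() {
  cat <<'EOF'
[Service]
User=lakehouse
Group=lakehouse
LoadCredential=git-credentials:/home/profit/.git-credentials
NoNewPrivileges=yes
ProtectSystem=strict
ProtectHome=read-only
PrivateTmp=yes
PrivateDevices=yes
ProtectKernelTunables=yes
ProtectControlGroups=yes
RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
CapabilityBoundingSet=
EOF
}

# copy -> daemon-reload -> enable --now, plus a restart when a unit or
# drop-in actually changed (daemon-reload alone does not re-exec a
# running service with the new settings). Prints active/enabled state.
install_units() {
  local changed=0 unit tmp
  for unit in $UNITS; do
    if sync_file "$UNIT_SRC/$unit" "$UNIT_DST/$unit"; then changed=1; fi
    tmp="$(mktemp)"
    hardening_dropin > "$tmp"
    if sync_file "$tmp" "$UNIT_DST/$unit.d/10-hardening.conf"; then changed=1; fi
    rm -f "$tmp"
  done
  if [ "$changed" -eq 1 ]; then "$SYSTEMCTL" daemon-reload; fi
  "$SYSTEMCTL" enable --now $UNITS
  if [ "$changed" -eq 1 ]; then "$SYSTEMCTL" restart $UNITS; fi
  for unit in $UNITS; do
    printf '%s: active=%s enabled=%s\n' "$unit" \
      "$("$SYSTEMCTL" is-active "$unit" || true)" \
      "$("$SYSTEMCTL" is-enabled "$unit" || true)"
  done
}

# Only act when invoked explicitly, e.g.: sudo bash install.sh --install
if [ "${1:-}" = "--install" ]; then install_units; fi
```

Two points are worth checking before adopting something like this on the host. First, `enable --now` is a no-op for a unit that is already enabled and running, so a changed unit file is only picked up after an explicit restart; the `changed` flag exists to make that restart conditional rather than unconditional. Second, `LoadCredential=` only helps if the service actually reads `$CREDENTIALS_DIRECTORY/git-credentials`; with the auditor still reading `~/.git-credentials`, a non-root `User=` would simply break it, which is why this remains a separate change from promoting the services to systemd.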

Auditor verdict: ⚠️ request_changes

One-liner: 3 warnings — see review
Head SHA: c85c55006de7
Audited at: 2026-04-22T09:16:30.181Z

dynamic — 1 findings (0 block, 0 warn, 1 info)

ℹ️ info — dynamic check skipped — skipped by options

  • skipped by options

inference — 4 findings (0 block, 3 warn, 1 info)

ℹ️ info — cloud review completed (model=gpt-oss:120b, tokens=3194)

  • claim_verdicts: 1, unflagged_gaps: 2

⚠️ warn — cloud: claim not backed — "at repo root). Not wired to branch protection yet — the auditor's"

  • at commit:c85c5500:19
  • cloud reason: The diff only adds systemd unit files and an install script; it does not implement any wiring of the auditor to branch protection or the claim‑blocking behavior descr

⚠️ warn — cloud-flagged gap not in any claim: Service description claims the auditor hard‑blocks merges, but no auditor implementation or branch‑protection integratio

  • location: ops/systemd/lakehouse-auditor.service:1

⚠️ warn — cloud-flagged gap not in any claim: README states the auditor hard‑blocks merges when claims aren't backed, yet the repository contains no auditor code to p

  • location: ops/systemd/README.md:1

kb_query — 1 findings (0 block, 0 warn, 1 info)

ℹ️ info — KB: 69 recent scenario runs, 209/289 events ok (fail rate 27.7%)

  • most recent: scenario-2026-04-21T05-29-34
  • recent failing sigs: 5745bcd5e4c68591, 5745bcd5e4c68591, caeeeffc69d36009

Metrics

{
  "audit_duration_ms": 9488,
  "findings_total": 6,
  "findings_block": 0,
  "findings_warn": 3,
  "findings_info": 3,
  "claims_strong": 0,
  "claims_moderate": 1,
  "claims_weak": 0,
  "claims_total": 1,
  "diff_bytes": 6825
}

Lakehouse auditor · SHA c85c5500 · re-audit on new commit flips the status automatically.

profit merged commit e57ab8ad01 into main 2026-04-22 09:17:10 +00:00
Reference: profit/lakehouse#4