lakehouse/ops/systemd/lakehouse-auditor.service
profit c85c55006d
Some checks failed
lakehouse/auditor 3 warnings — see review
ops: systemd units for auditor + context7 bridge
Promotes two previously manual-start Bun services to systemd
so they survive restarts + run continuously.

- ops/systemd/lakehouse-auditor.service — polls Gitea every 90s,
  runs 4 audit checks per PR head SHA, posts commit status + review
  comment. Runs as root to match existing lakehouse-* service
  conventions on this host; can read /home/profit/.git-credentials
  (0600 profit:profit).
- ops/systemd/lakehouse-context7-bridge.service — HTTP wrapper on
  :3900 for Phase 45 doc-drift detection. Decoupled from gateway;
  runs independently.
- ops/systemd/install.sh — idempotent installer (copy → daemon-reload
  → enable --now). Prints post-install active/enabled status.
- ops/systemd/README.md — run/stop/logs/pause docs.

Pause control stays per-service (bot.paused / auditor.paused files
at repo root). Not wired to branch protection yet — the auditor's
commit status is currently advisory, not enforcing. Flip via Gitea
branch_protections API when confident.
2026-04-22 04:15:58 -05:00


[Unit]
Description=Lakehouse Claim Auditor — polls Gitea for open PRs + hard-blocks placeholder merges
Documentation=file:///home/profit/lakehouse/auditor/README.md
After=network.target lakehouse.service
Wants=lakehouse.service

[Service]
Type=simple
WorkingDirectory=/home/profit/lakehouse
# Runs as root to match the other lakehouse-* services on this host
# (gateway, mcp-server, observer). The auditor reads the git PAT out
# of /home/profit/.git-credentials which is 0600 profit:profit —
# root can read it, which is why the service runs as root.
# Alternative: run as `profit` and ensure bun binary is on PATH;
# left for a follow-up hardening PR.
ExecStart=/home/profit/.bun/bin/bun run /home/profit/lakehouse/auditor/index.ts
Restart=on-failure
RestartSec=30

# Stop responds to SIGTERM cleanly — no in-flight cycle survives a
# restart; the poller is idempotent so a mid-cycle restart just
# re-audits from state.json on next start.
KillSignal=SIGTERM
TimeoutStopSec=10

# Optional env toggles documented in auditor/index.ts:
# LH_AUDITOR_RUN_DYNAMIC=1 — include hybrid fixture on every audit
# (default off — mutates live playbook)
# LH_AUDITOR_SKIP_INFERENCE=1 — skip cloud inference for fast runs

# Pause file — operator can `touch /home/profit/lakehouse/auditor.paused`
# to skip the next cycle without stopping the service.

[Install]
WantedBy=multi-user.target
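The root-vs-profit trade-off the comments above defer to a follow-up can be closed without root: /home/profit/.git-credentials is 0600 profit:profit, so a unit running as `profit` reads it directly. The unit below is an added example of that hardened variant, not the committed file; it assumes the auditor only writes under /home/profit/lakehouse (the pause file lives there, and state.json is assumed to as well) and that bun needs no other writable path at runtime.

```ini
# Added example: same service, running as the credential owner with systemd sandboxing.
[Unit]
Description=Lakehouse Claim Auditor (runs as profit, sandboxed)
Documentation=file:///home/profit/lakehouse/auditor/README.md
After=network.target lakehouse.service
Wants=lakehouse.service

[Service]
Type=simple
# The PAT file is 0600 profit:profit, so the owning user can read it; no root needed.
User=profit
Group=profit
WorkingDirectory=/home/profit/lakehouse
# bun is invoked by absolute path; PATH is set so anything it spawns also finds it.
Environment=PATH=/home/profit/.bun/bin:/usr/local/bin:/usr/bin:/bin
ExecStart=/home/profit/.bun/bin/bun run /home/profit/lakehouse/auditor/index.ts
Restart=on-failure
RestartSec=30
KillSignal=SIGTERM
TimeoutStopSec=10

# Filesystem: everything read-only except the repo checkout.
# Assumption: bun writes nothing else at runtime; extend ReadWritePaths= if it does.
ProtectSystem=strict
ReadWritePaths=/home/profit/lakehouse
PrivateTmp=true

# Privilege containment: no setuid escalation, no capabilities, no kernel knobs.
NoNewPrivileges=true
CapabilityBoundingSet=
RestrictSUIDSGID=true
ProtectKernelTunables=true
ProtectKernelModules=true
ProtectControlGroups=true
LockPersonality=true
SystemCallArchitectures=native

# Network: Gitea polling and the local bridge need IP sockets; nothing else.
RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX

[Install]
WantedBy=multi-user.target
```

After `systemctl daemon-reload`, `systemd-analyze security lakehouse-auditor.service` reports the remaining exposure score so the two variants can be compared before the switch.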