profit/lakehouse
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
lakehouse/ops/systemd/README.md
profit c85c55006d
Some checks failed
lakehouse/auditor 3 warnings — see review
ops: systemd units for auditor + context7 bridge 
Promotes two previously manual-start Bun services to systemd
so they survive restarts + run continuously.

- ops/systemd/lakehouse-auditor.service — polls Gitea every 90s,
  runs 4 audit checks per PR head SHA, posts commit status + review
  comment. Runs as root to match existing lakehouse-* service
  conventions on this host; can read /home/profit/.git-credentials
  (0600 profit:profit).
- ops/systemd/lakehouse-context7-bridge.service — HTTP wrapper on
  :3900 for Phase 45 doc-drift detection. Decoupled from gateway;
  runs independently.
- ops/systemd/install.sh — idempotent installer (copy → daemon-reload
  → enable --now). Prints post-install active/enabled status.
- ops/systemd/README.md — run/stop/logs/pause docs.

Pause control stays per-service (bot.paused / auditor.paused files
at repo root). Not wired to branch protection yet — the auditor's
commit status is currently advisory, not enforcing. Flip via Gitea
branch_protections API when confident.
2026-04-22 04:15:58 -05:00

2.0 KiB
Raw Blame History

Lakehouse systemd units

Service definitions for long-running Lakehouse sidecars that aren't the Rust gateway itself. The gateway has its own pre-existing unit (lakehouse.service) that was configured at initial deploy time and isn't tracked here.

Units

File Service Port Purpose
lakehouse-auditor.service lakehouse-auditor n/a Polls Gitea for open PRs, runs four checks (static / dynamic / inference / KB query), posts commit-status + review comment. Hard-blocks merges when claims aren't backed.
lakehouse-context7-bridge.service lakehouse-context7-bridge :3900 HTTP wrapper around context7's public API for Phase 45 doc-drift detection.

Install

sudo bash ops/systemd/install.sh

Idempotent. Copies units to /etc/systemd/system/, reloads, enables + (re)starts both services.

Operate

# Status
systemctl status lakehouse-auditor
systemctl status lakehouse-context7-bridge

# Live logs
journalctl -u lakehouse-auditor -f

# Restart
systemctl restart lakehouse-auditor

# Stop (won't restart until enable + start again)
systemctl stop lakehouse-auditor

Pause the auditor without stopping

touch /home/profit/lakehouse/auditor.paused   # skip cycles until removed
rm    /home/profit/lakehouse/auditor.paused   # resume

Env toggles on the auditor (edit the unit file, systemctl daemon-reload, restart)

LH_AUDITOR_RUN_DYNAMIC=1    # include the hybrid fixture on every audit
                            # default off — fixture mutates live playbook state
LH_AUDITOR_SKIP_INFERENCE=1 # skip cloud inference for fast/cheap runs

Why both services run as root

To match the existing lakehouse.service + mcp-server + observer conventions on this host. Hardening to a dedicated unprivileged user is a follow-up: would need PATH adjustment for bun, credential file accessibility (the auditor reads /home/profit/.git-credentials which is 0600 profit:profit — root reads fine, a non-profit non-root user wouldn't).