chore: record railiance deployment review

workplans/IHUB-WP-0018-railiance01-deployment.md

@@ -8,7 +8,7 @@ status: active
 owner: custodian
 topic_slug: inter_hub
 created: "2026-04-29"
-updated: "2026-06-04"
+updated: "2026-06-05"
 depends_on: IHUB-WP-0015
 state_hub_workstream_id: "080d841a-3acd-4adf-b684-2d1890a5e986"
 ---
@@ -68,13 +68,31 @@ no indexed task rows for it. The deployment work is not complete; this file now
 contains explicit task blocks so the hub can track the remaining Railiance01
 deployment work instead of treating the workplan as empty.
 
+## Deployment Review - 2026-06-05
+
+Review against the current repo and public Railiance endpoint shows the
+deployment scaffold is partially implemented but the live deployment is behind
+`origin/main`.
+
+- `origin/main` is at `a3d980c`, which includes the completed ops-hub bootstrap
+  API work from `IHUB-WP-0019`.
+- `https://hub.coulomb.social/` returns 200 and serves inter-hub.
+- The public OpenAPI only lists the older v2 endpoints; it does not include
+  `/hubs`, `/hub-capability-manifests`, `/api-consumers`, or `/policy-scopes`.
+- Unauthenticated `/api/v2/hubs` returns 404 publicly, while current source
+  should route it and return 401. This means ops-hub bootstrap cannot run
+  against production until the current image is deployed.
+- The registry endpoint returns the expected unauthenticated `/v2/` 401
+  challenge, but this workspace does not have `kubectl`, so R3 cluster readiness
+  cannot be fully verified from here.
+
 ## Tasks
 
-### R1 — Add OCI image build to flake.nix
+### R1 - Add OCI image build to flake.nix
 
 ```task
 id: IHUB-WP-0018-T01
-status: todo
+status: done
 priority: high
 state_hub_task_id: "27420bd7-0f70-4793-8805-393d8d5cacfd"
 ```
@@ -105,9 +123,14 @@ docker run --rm -p 8000:8000 -e DATABASE_URL=... -e IHP_SESSION_SECRET=... inter
 ```
 
 **Note:** First build pulls the full Haskell binary closure (~2 GB); subsequent
-builds are incremental (layer caching). Build must run on haskelseed — the only
+builds are incremental (layer caching). Build must run on haskelseed - the only
 machine with the Nix store populated for GHC 9.10.3.
 
+**Implementation note (2026-06-05):** `flake.nix` exposes `packages.docker =
+config.packages.unoptimized-docker-image`, the IHP-provided production OCI
+image used by the Railiance runbook. The original `buildLayeredImage` sketch is
+superseded by that IHP image path.
+
 ### R2 — Verify container runs correctly
 
 ```task
@@ -152,6 +175,12 @@ Also confirm:
 If any check fails, block here and open the relevant Railiance workstream.
 Do not proceed until all checks pass.
 
+**Review note (2026-06-05):** Public smoke probes show
+`https://hub.coulomb.social/` returning 200 and the Gitea registry `/v2/`
+endpoint returning the expected unauthenticated 401 challenge. Full R3 remains
+blocked from this workspace because `kubectl` is not available here, and the
+live app is not serving the current `origin/main` v2 bootstrap routes.
+
 ### R4 — Provision inter-hub database on railiance-platform
 
 ```task
@@ -202,7 +231,7 @@ using the age key from a Kubernetes Secret (bootstrapped once manually).
 
 ```task
 id: IHUB-WP-0018-T06
-status: blocked
+status: in_progress
 priority: high
 state_hub_task_id: "4c4acc98-5773-4289-ad57-03f3fd5c381c"
 ```
@@ -234,11 +263,17 @@ chart = "railiance-apps/helm/inter-hub"
 namespace = "inter-hub"
 ```
 
+**Implementation note (2026-06-05):** A Helm chart exists in
+`deploy/helm/inter-hub/` with Deployment, Service, Ingress, and values for the
+current Gitea registry and `hub.coulomb.social`. Remaining gaps: no repo-root
+`app.toml`, no committed SOPS secret manifest, and no separate
+`railiance-apps/helm/inter-hub` handoff in this repo.
+
 ### R7 — Gitea Actions CI/CD pipeline
 
 ```task
 id: IHUB-WP-0018-T07
-status: blocked
+status: in_progress
 priority: medium
 state_hub_task_id: "ec25c67c-3cb0-4534-9fb0-9bd6578a2def"
 ```
@@ -277,6 +312,13 @@ Secrets in Gitea: `REGISTRY`, `SSH_KEY_HASKELSEED`, `SSH_KEY_COULOMBCORE`.
 **Alternative if self-hosted runner is available on CoulombCore:** run the
 deploy step directly without the SSH hop to coulombcore.
 
+**Implementation note (2026-06-05):** `.gitea/workflows/deploy.yaml` exists and
+builds `.#docker` on a self-hosted `haskelseed` runner, pushes to
+`92.205.130.254:32166/coulomb/inter-hub`, deploys with Helm, and smoke-tests
+the public endpoint. Remote `main` is already current, but production is still
+serving an older API surface, so the workflow needs an attended rerun/inspection
+or a new deployment trigger.
+
 ### R8 — Staged deployment and smoke test
 
 ```task
@@ -311,7 +353,7 @@ Follow the Railiance staged promotion lifecycle:
 
 ```task
 id: IHUB-WP-0018-T09
-status: blocked
+status: in_progress
 priority: medium
 state_hub_task_id: "4d1e55c7-8dbb-480f-b07b-6c5e39a04218"
 ```
@@ -319,9 +361,15 @@ state_hub_task_id: "4d1e55c7-8dbb-480f-b07b-6c5e39a04218"
   secret rotation, rollback (`railiance rollback inter-hub`), log access
   (`kubectl logs -n inter-hub -l app=inter-hub --tail=100`)
 - Add progress event to state hub
-- Remove haskelseed socat/OpenRC production role note from quickstart —
+- Remove haskelseed socat/OpenRC production role note from quickstart -
   document it as the build machine only, not the production host
 
+**Implementation note (2026-06-05):** `deploy/railiance/RUNBOOK.md` exists and
+documents architecture, image build/push, Helm deployment, logs, restart,
+rollback, secret rotation, and smoke checks. The deployment record remains
+incomplete until current `main` is running and the ops-hub bootstrap smoke test
+passes against production.
+
 ## Exit Criteria
 
 - `https://hub.coulomb.social/` returns the Landing page (200, no auth)