feat(statehub): deploy empty railiance state hub

Makefile

@@ -88,8 +88,9 @@ railiance-state-hub-client-dry-run:
 	$(KUBECTL) apply --dry-run=client -f $(RAILIANCE_STATE_HUB_PLATFORM_DIR)/state-hub-db-credentials.sops.yaml.template; \
 	$(KUBECTL) apply --dry-run=client -f $(RAILIANCE_STATE_HUB_PLATFORM_DIR)/state-hub-db-cluster.yaml; \
 	$(KUBECTL) apply --dry-run=client -f $(RAILIANCE_STATE_HUB_PLATFORM_DIR)/state-hub-db-networkpolicies.yaml; \
+	$(KUBECTL) apply --dry-run=client -f $(RAILIANCE_STATE_HUB_APP_MANIFESTS)/state-hub-namespace.yaml; \
 	$(KUBECTL) apply --dry-run=client -f $(RAILIANCE_STATE_HUB_APP_MANIFESTS)/state-hub-env.secret.sops.yaml.template; \
-	$(KUBECTL) apply --dry-run=client -f "$$tmpdir/state-hub.yaml"
+	$(KUBECTL) apply --dry-run=client -n $(RAILIANCE_STATE_HUB_NAMESPACE) -f "$$tmpdir/state-hub.yaml"
 
 railiance-state-hub-server-dry-run:
 	@set -e; \
@@ -99,22 +100,18 @@ railiance-state-hub-server-dry-run:
 		--namespace $(RAILIANCE_STATE_HUB_NAMESPACE) \
 		-f $(RAILIANCE_STATE_HUB_VALUES) \
 		--set image.tag=$(RAILIANCE_STATE_HUB_IMAGE_TAG) > "$$tmpdir/state-hub.yaml"; \
-	$(HELM) template $(RAILIANCE_STATE_HUB_RELEASE) $(RAILIANCE_STATE_HUB_CHART) \
-		--namespace $(RAILIANCE_STATE_HUB_NAMESPACE) \
-		-f $(RAILIANCE_STATE_HUB_VALUES) \
-		--set image.tag=$(RAILIANCE_STATE_HUB_IMAGE_TAG) \
-		--show-only templates/namespace.yaml > "$$tmpdir/state-hub-namespace.yaml"; \
 	$(KUBECTL) apply --dry-run=server -f $(RAILIANCE_STATE_HUB_PLATFORM_DIR)/state-hub-db-credentials.sops.yaml.template; \
 	$(KUBECTL) apply --dry-run=server -f $(RAILIANCE_STATE_HUB_PLATFORM_DIR)/state-hub-db-cluster.yaml; \
 	$(KUBECTL) apply --dry-run=server -f $(RAILIANCE_STATE_HUB_PLATFORM_DIR)/state-hub-db-networkpolicies.yaml; \
-	$(KUBECTL) apply --dry-run=server -f "$$tmpdir/state-hub-namespace.yaml"; \
+	$(KUBECTL) apply --dry-run=server -f $(RAILIANCE_STATE_HUB_APP_MANIFESTS)/state-hub-namespace.yaml; \
 	if $(KUBECTL) get namespace $(RAILIANCE_STATE_HUB_NAMESPACE) >/dev/null 2>&1; then \
 		$(KUBECTL) apply --dry-run=server -f $(RAILIANCE_STATE_HUB_APP_MANIFESTS)/state-hub-env.secret.sops.yaml.template; \
-		$(KUBECTL) apply --dry-run=server -f "$$tmpdir/state-hub.yaml"; \
+		$(KUBECTL) apply --dry-run=server -n $(RAILIANCE_STATE_HUB_NAMESPACE) -f "$$tmpdir/state-hub.yaml"; \
 	else \
 		echo "Namespace $(RAILIANCE_STATE_HUB_NAMESPACE) does not exist; validating namespaced app manifests with client dry-run."; \
+		$(KUBECTL) apply --dry-run=client -f $(RAILIANCE_STATE_HUB_APP_MANIFESTS)/state-hub-namespace.yaml; \
 		$(KUBECTL) apply --dry-run=client -f $(RAILIANCE_STATE_HUB_APP_MANIFESTS)/state-hub-env.secret.sops.yaml.template; \
-		$(KUBECTL) apply --dry-run=client -f "$$tmpdir/state-hub.yaml"; \
+		$(KUBECTL) apply --dry-run=client -n $(RAILIANCE_STATE_HUB_NAMESPACE) -f "$$tmpdir/state-hub.yaml"; \
 	fi
 
 test: test-python dashboard-check

deploy/railiance/README.md

@@ -69,9 +69,11 @@ App promotion into `railiance-apps`:
 
 - copy `apps/charts/state-hub/` to `charts/state-hub/`;
 - copy `apps/helm/state-hub-values.yaml` to `helm/state-hub-values.yaml`;
+- apply or GitOps-manage `apps/manifests/state-hub-namespace.yaml`;
 - create `state-hub-env` in the `state-hub` namespace from the approved
   secret-delivery path;
-- deploy with Helm only after `state-hub-db` is healthy.
+- deploy with Helm using the production values file, which sets
+  `namespace.create=false`, only after `state-hub-db` is healthy.
 
 ## Runtime Secret Contract
 

deploy/railiance/apps/helm/state-hub-values.yaml

@@ -1,8 +1,11 @@
 # Production values for the State Hub Railiance chart handoff.
 # Non-secret values only. DATABASE_URL comes from the Secret `state-hub-env`.
 
+namespace:
+  create: false
+
 image:
   tag: "b536741"
 
 ingress:
-  enabled: false
+  enabled: false

deploy/railiance/apps/manifests/state-hub-namespace.yaml

@@ -0,0 +1,8 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: state-hub
+  labels:
+    railiance.io/layer: s5-app
+    railiance.io/postgres-client: state-hub-db

deploy/railiance/platform/state-hub-db-networkpolicies.yaml

@@ -17,9 +17,9 @@ spec:
   policyTypes:
     - Egress
   egress:
-    - to:
-        - namespaceSelector: {}
-      ports:
+    - ports:
+        - protocol: TCP
+          port: 443
         - protocol: TCP
           port: 6443
 ---

workplans/CUST-WP-0011-state-hub-threephoenix-migration.md

@@ -266,8 +266,9 @@ in `deploy/railiance/README.md`.
 
 ```task
 id: CUST-WP-0011-T05
-status: todo
+status: done
 priority: high
+completed: "2026-06-25"
 state_hub_task_id: "a307dd46-a8e2-49df-b016-c187759ebcf1"
 ```
 
@@ -283,6 +284,19 @@ Checks:
 
 **Done when:** an empty but structurally valid State Hub runs on railiance01.
 
+Completed 2026-06-25: deployed an empty State Hub stack to railiance01.
+Created the `state-hub` namespace, generated live-only database and app runtime
+Secrets, created the dedicated `state-hub-db` CNPG cluster, and applied database
+NetworkPolicies. Fixed the State Hub database egress policy to allow the
+in-cluster Kubernetes API service on TCP 443 as well as 6443, which CNPG
+needed during initdb. Ran Alembic migrations in a one-shot Kubernetes Job
+using image `gitea.coulomb.social/coulomb/state-hub:b536741`; migrations
+completed through `e9f0a1b2c3d4 (head)`. Installed the Helm release
+`state-hub` into the pre-created namespace with `namespace.create=false`.
+Verified Deployment rollout, zero pod restarts, service creation, pod logs,
+in-pod Alembic current revision, and `/state/health` via temporary port-forward
+returning `{"status":"ok","db":"connected"}`.
+
 ---
 
 ### T06 — Restore WSL2 data copy into cluster and compare