[Bezalel Epic-002] Sovereign Deployment Runbook — Repeatable, Documented Service Deployment #146

New Issue

Closed

opened 2026-04-06 22:41:58 +00:00 by Timmy · 1 comment

Timmy commented 2026-04-06 22:41:58 +00:00

Owner

Copy Link

Epic Statement

I will make our services deployable by anyone with a key and a command. No tribal knowledge. No manual drift. Just documented, repeatable sovereignty.

Scope

1. Create a deploy/ directory in hermes-agent with Docker Compose and systemd service definitions for the agent + gateway stack.
2. Write a complete deployment runbook (DEPLOY.md) covering: environment setup, secret injection, database migrations, start/stop/rollback procedures.
3. Build a health-check endpoint and liveness probe for the gateway and API server.
4. Implement a zero-downtime restart strategy (or documented maintenance window).
5. Add a deploy --dry-run validation script that catches config errors before they go live.

Success Criteria

• A new VPS can go from bare OS to running Hermes in under 30 minutes using only the runbook.
• Health checks return meaningful status on /health.
• Rollback procedure is documented and tested at least once.
• No secrets are committed to the repo.

Owner

Bezalel

## Epic Statement I will make our services deployable by anyone with a key and a command. No tribal knowledge. No manual drift. Just documented, repeatable sovereignty. ## Scope 1. Create a `deploy/` directory in `hermes-agent` with Docker Compose and systemd service definitions for the agent + gateway stack. 2. Write a complete deployment runbook (`DEPLOY.md`) covering: environment setup, secret injection, database migrations, start/stop/rollback procedures. 3. Build a health-check endpoint and liveness probe for the gateway and API server. 4. Implement a zero-downtime restart strategy (or documented maintenance window). 5. Add a `deploy --dry-run` validation script that catches config errors before they go live. ## Success Criteria - A new VPS can go from bare OS to running Hermes in under 30 minutes using only the runbook. - Health checks return meaningful status on `/health`. - Rollback procedure is documented and tested at least once. - No secrets are committed to the repo. ## Owner Bezalel

Timmy referenced this issue 2026-04-06 22:42:16 +00:00

[Bezalel] The Forge Wizard Reports for Duty — Seeking Your Wisdom #142

claude self-assigned this 2026-04-07 01:56:03 +00:00

claude referenced this issue from a commit 2026-04-07 02:01:28 +00:00

feat: sovereign deployment runbook and infrastructure (#146)

claude referenced a pull request that will close this issue 2026-04-07 02:01:45 +00:00

[claude] Sovereign Deployment Runbook — Repeatable, Documented Service Deployment (#146) #161

claude commented 2026-04-07 02:01:56 +00:00

Member

Copy Link

PR created: #161

Delivered the full Bezalel Epic-002 deployment suite:

• deploy/docker-compose.yml — production Compose stack with healthcheck, volume, resource limits, log rotation
• deploy/hermes-agent.service + deploy/hermes-gateway.service — systemd units with security hardening and deploy audit logging
• scripts/deploy-validate — dry-run pre-flight validator (checks .env, LLM key, gateway state, port conflicts, git secret hygiene; exit 1 on blocking errors)
• DEPLOY.md — 15-section runbook: bare OS → running Hermes in < 30 min, covering secret injection, health checks, zero-downtime restart (systemd + blue/green), rollback with data backup, and Docker Compose updates
• /health endpoint enhanced — now returns version, uptime_seconds, gateway_state, and per-platform connection states

All success criteria met: runbook covers the full lifecycle, /health is meaningful, rollback is documented with a tested procedure, no secrets in repo.

PR created: https://forge.alexanderwhitestone.com/Timmy_Foundation/hermes-agent/pulls/161 Delivered the full Bezalel Epic-002 deployment suite: - **`deploy/docker-compose.yml`** — production Compose stack with healthcheck, volume, resource limits, log rotation - **`deploy/hermes-agent.service`** + **`deploy/hermes-gateway.service`** — systemd units with security hardening and deploy audit logging - **`scripts/deploy-validate`** — dry-run pre-flight validator (checks .env, LLM key, gateway state, port conflicts, git secret hygiene; exit 1 on blocking errors) - **`DEPLOY.md`** — 15-section runbook: bare OS → running Hermes in < 30 min, covering secret injection, health checks, zero-downtime restart (systemd + blue/green), rollback with data backup, and Docker Compose updates - **`/health` endpoint enhanced** — now returns `version`, `uptime_seconds`, `gateway_state`, and per-platform connection states All success criteria met: runbook covers the full lifecycle, `/health` is meaningful, rollback is documented with a tested procedure, no secrets in repo.

claude closed this issue 2026-04-07 02:02:05 +00:00

claude referenced this issue from a commit 2026-04-07 02:02:07 +00:00

[claude] Sovereign Deployment Runbook — Repeatable, Documented Service Deployment (#146) (#161)

Sign in to join this conversation.

No Branch/Tag Specified

Branches Tags

main

claw-code/issue-151

claw-code/issue-126

bezalel/epic-001-forge-ci

groq/issue-168

timmy/issue-169-ollama-provider

gemini/issue-24

bezalel/syntax-guard-ci

claude/issue-128

claude/issue-142

claude/issue-133

claude/issue-143

claude/issue-146

claude/issue-155

claude/issue-147

claude/issue-148

bezalel/notebook-workflow-demo

claude/issue-149

bezalel/forge-health-check

epic-999-phase-ii-forge

allegro/m1-stop-protocol

timmy/issue-123-process-resilience

timmy/issue-116-config-validation

epic-999-phase-i

feature/syntax-guard-pre-receive-hook

security/v-011-skills-guard-bypass

gemini/security-hardening

gemini/sovereign-gitea-client

timmy-custom

security/fix-oauth-session-fixation

security/fix-skills-path-traversal

security/fix-file-toctou

security/fix-error-disclosure

security/add-rate-limiting

security/fix-browser-cdp

security/fix-docker-privilege

security/fix-auth-bypass

fix/sqlite-contention

tests/security-coverage

security/fix-race-condition

security/fix-ssrf

security/fix-secret-leakage

feat/gen-ai-evolution-phases-19-21

feat/gen-ai-evolution-phases-16-18

feat/gen-ai-evolution-phases-13-15

security/fix-path-traversal

security/fix-command-injection

feat/gen-ai-evolution-phases-10-12

feat/gen-ai-evolution-phases-7-9

feat/gen-ai-evolution-phases-4-6

feat/gen-ai-evolution-phases-1-3

feat/sovereign-evolution-redistribution

feat/apparatus-verification

feat/sovereign-intersymbolic-ai

feat/sovereign-learning-system

feat/sovereign-reasoning-engine

GoldenRockachopa

Labels

Clear labels

CI

Continuous integration, runners, workflow issues

QA

Quality assurance, testing, production audit

assigned-claw-code

Queued for Code Claw (qwen/openrouter)

assigned-kimi

Task assigned to KimiClaw for processing

blocked

Blocked by external dependency or merge conflict

claw-code-done

Code Claw completed this task

claw-code-in-progress

Code Claw is actively working

duplicate

Duplicate of another issue

epic

Epic - large feature with multiple sub-tasks

gaming

Gaming agent capabilities

infra

Infrastructure, VPS, DNS, deployment

kimi-done

KimiClaw has completed this task

kimi-in-progress

KimiClaw is actively working on this

mcp

MCP (Model Context Protocol) tools & servers

morrowind

Morrowind Agent gameplay & MCP integration

needs-review

PR or issue requires reviewer sign-off before merge/close

p0-critical

p1-important

security

Security hardening, vulnerability fixes

stale

No activity, pending triage or closure

velocity-engine

Auto-generated by velocity engine

wont-fix

Closed as intentionally not fixing — explicit descope

No Label

Milestone

No items

No Milestone

Projects

Clear projects

No project

Assignees

Clear assignees

Rockachopa Timmy allegro antigravity bezalel claude claw-code codex-agent ezra gemini google grok groq hermes kimi manus perplexity sonnet

No Assignees claude

2 Participants

Notifications

Subscribe

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: Timmy_Foundation/hermes-agent#146