deploy/vm101
System artifacts deployed to vm101 (the GPU ingest node). The repo is the
source of truth; the live copies live in /usr/local/bin/. Edit here, then
sudo ./install.sh on vm101 to push changes.
Contents
- n8n-pi-wrap — forced-command wrapper that fronts every n8n→vm101 SSH call.
- install.sh — installs the wrapper(s) into /usr/local/bin (idempotent).
n8n-pi-wrap
The only entry point for the n8n-runner identity onto vm101. n8n never gets a
shell here: whatever it sends arrives as SSH_ORIGINAL_COMMAND, and a case
whitelist decides what runs. Anything outside the whitelist is denied and logged.
Allowed commands:
| Command | What it does |
|---|---|
| pi run | one-shot prompt via stdin (proof-of-life / health) |
| pi ingest <genome> <raw_path> | the real two-phase ingest (below) |
| ollama list / ollama ps | model introspection |
The two-phase ingest
pi ingest runs the clean-start + two phases, then stops:
- Clean start — git fetch && switch <INGEST_BASE> && reset --hard origin/<base>. Destroys only vm101's scratch checkout (never a shared branch, never a force-push) — this determinism is by design.
- Semantic — skills/ingest/scripts/ingest-semantic.py <genome> <raw_path> drives pi to WRITE wiki/* pages + .ingest-manifest.json. NOTE: this is the script, NOT pi -p "/skill:ingest ..." (that form makes the model reply in chat and write nothing — the classic "manifest not found" trap).
- Mechanical — skills/ingest/scripts/run-ingest.sh <genome> validates the manifest, then index/log/scoped-lint/commit on feat/ai-ingest-<slug> and opens a PR onto <INGEST_BASE>. Emits one JSON line {status,slug,pr_url,...}.
The PR then waits for the human gate. One raw per session, sequential.
Input hardening
Both inputs come from SSH_ORIGINAL_COMMAND, so both are validated:
- genome — kebab lowercase ^[a-z0-9-]+$.
- raw_path — must be under raw/, no .. traversal, restricted charset [A-Za-z0-9._/-], and the file must exist. Rejected paths return a JSON error.
Config (INGEST_BASE, GENOMES_ROOT, INGEST_MODEL, Forgejo token) is sourced
from ~/.config/knowledge-genome.env (0600, owner-only).
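One way to implement the two input checks and the deny-by-default dispatch in POSIX sh, as an added example rather than the project's n8n-pi-wrap. The helper names, the `<root>/<genome>` checkout layout and the JSON error shape are assumptions.

```shell
#!/bin/sh
# Added example, not the project's n8n-pi-wrap. Assumed: the genome checkout
# lives at <root>/<genome>, and the JSON shapes printed below.
LC_ALL=C; export LC_ALL          # make [a-z] ranges byte-exact in any locale

valid_genome() {                 # kebab lowercase: ^[a-z0-9-]+$
    case "$1" in
        ''|*[!a-z0-9-]*) return 1 ;;
    esac
}

valid_raw_path() {               # $1 = genome checkout dir, $2 = raw_path
    case "$2" in
        raw/?*) ;;                           # must be under raw/
        *) return 1 ;;
    esac
    case "$2" in
        *[!A-Za-z0-9._/-]*) return 1 ;;      # restricted charset
    esac
    case "/$2/" in
        */../*) return 1 ;;                  # no .. path segment
    esac
    [ -f "$1/$2" ]                           # the file must exist
}

deny() { printf '{"status":"error","error":"%s"}\n' "$1"; }

check_command() {                # $1 = SSH_ORIGINAL_COMMAND value, $2 = root dir
    set -f                       # word-split the request without glob expansion
    set -- "$2" $1
    set +f
    root=$1; shift
    case "${1:-} ${2:-}" in
        "pi ingest")
            [ "$#" -eq 4 ] || { deny "usage"; return 1; }
            valid_genome "$3" || { deny "invalid genome"; return 1; }
            valid_raw_path "$root/$3" "$4" || { deny "invalid raw_path"; return 1; }
            printf '{"status":"ok","genome":"%s","raw_path":"%s"}\n' "$3" "$4" ;;
        *)  deny "command not allowed"; return 1 ;;   # default deny
    esac
}

# Forced-command use: only acts when sshd has set SSH_ORIGINAL_COMMAND.
if [ -n "${SSH_ORIGINAL_COMMAND:-}" ]; then
    check_command "$SSH_ORIGINAL_COMMAND" "${GENOMES_ROOT:-.}"
fi
```

The request string is only ever split into words and matched against patterns; it is never passed to eval or a shell, so metacharacters in it stay inert.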
Install / update
# on vm101
cd ~/knowledge-genome-orchestrator/deploy/vm101
sudo ./install.sh