deploy/vm101

System artifacts deployed to vm101 (the GPU ingest node). The repo is the source of truth; the live copies live in /usr/local/bin/. Edit here, then sudo ./install.sh on vm101 to push changes.

Contents

  • n8n-pi-wrap — forced-command wrapper that fronts every n8n→vm101 SSH call.
  • install.sh — installs the wrapper(s) into /usr/local/bin (idempotent).

n8n-pi-wrap

The only entry point for the n8n-runner identity onto vm101. n8n never gets a shell here: whatever it sends arrives as SSH_ORIGINAL_COMMAND, and a case whitelist decides what runs. Anything outside the whitelist is denied and logged.

Allowed commands:

| Command | What it does |
|---|---|
| pi run | one-shot prompt via stdin (proof-of-life / health) |
| pi ingest <genome> <raw_path> | the real two-phase ingest (below) |
| ollama list / ollama ps | model introspection |

The two-phase ingest

pi ingest runs the clean-start + two phases, then stops:

  1. Clean start: git fetch && switch <INGEST_BASE> && reset --hard origin/<base>. Destroys only vm101's scratch checkout (never a shared branch, never a force-push) — this determinism is by design.
  2. Semantic: skills/ingest/scripts/ingest-semantic.py <genome> <raw_path> drives pi to WRITE wiki/* pages + .ingest-manifest.json. NOTE: this is the script, NOT pi -p "/skill:ingest ..." (that form makes the model reply in chat and write nothing — the classic "manifest not found" trap).
  3. Mechanical: skills/ingest/scripts/run-ingest.sh <genome> validates the manifest, then index/log/scoped-lint/commit on feat/ai-ingest-<slug> and opens a PR onto <INGEST_BASE>. Emits one JSON line {status,slug,pr_url,...}.

The PR then waits for the human gate. One raw per session, sequential.

Input hardening

Both inputs come from SSH_ORIGINAL_COMMAND, so both are validated:

  • genome — kebab lowercase ^[a-z0-9-]+$.
  • raw_path — must be under raw/, no .. traversal, restricted charset [A-Za-z0-9._/-], and the file must exist. Rejected paths return a JSON error.
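
The case whitelist and the two input checks above, sketched as a POSIX sh forced-command dispatcher. This is an added example, not the project's n8n-pi-wrap: the function names, the ALLOW output, the error JSON shape and the base-directory argument are assumptions, "no .. traversal" is read here as "no .. path component", and the sketch prints its decision instead of running anything.

```shell
#!/bin/sh
# Added illustration, NOT the project's n8n-pi-wrap. Function names, the
# ALLOW output, the error JSON shape and the base-dir argument are assumptions.
LC_ALL=C; export LC_ALL            # keep a-z / A-Z ranges byte-exact

json_err() { printf '{"status":"error","reason":"%s"}\n' "$1"; }

# genome: ^[a-z0-9-]+$
valid_genome() {
  case $1 in ''|*[!a-z0-9-]*) return 1 ;; esac
}

# raw_path ($2), checked against an assumed base dir ($1)
valid_raw_path() {
  case $2 in raw/?*) ;; *) return 1 ;; esac          # must be under raw/
  case $2 in *[!A-Za-z0-9._/-]*) return 1 ;; esac    # restricted charset
  case /$2/ in */../*) return 1 ;; esac              # no ".." component
  [ -f "$1/$2" ]                                     # file must exist
}

# dispatch <ssh_original_command> <base_dir>
# Prints the decision instead of exec'ing, so it can be exercised offline.
dispatch() (                       # subshell keeps set -f / set -- local
  set -f                           # no glob expansion of untrusted words
  set -- "$2" $1                   # split on whitespace only; never eval
  base=$1; shift
  case "$1 $2" in
    "pi run"|"ollama list"|"ollama ps")
      if [ $# -eq 2 ]; then echo "ALLOW $1 $2"; exit 0; fi ;;
    "pi ingest")
      [ $# -eq 4 ] || { json_err "usage"; exit 2; }
      valid_genome "$3" || { json_err "bad genome"; exit 2; }
      valid_raw_path "$base" "$4" || { json_err "bad raw_path"; exit 2; }
      echo "ALLOW pi ingest $3 $4"; exit 0 ;;
  esac
  json_err "denied"; exit 1        # everything else falls through to deny
)
```

Because the untrusted string is only ever split into positional words and matched against fixed patterns, shell metacharacters in it are never interpreted; they simply fail the charset check or the word count.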

Config (INGEST_BASE, GENOMES_ROOT, INGEST_MODEL, Forgejo token) is sourced from ~/.config/knowledge-genome.env (0600, owner-only).

Install / update

# on vm101
cd ~/knowledge-genome-orchestrator/deploy/vm101
sudo ./install.sh