orchestrator/docs/work-items/ORCH-040/14-deploy-log.md

---
deploy_status: SUCCESS
timestamp: 2026-06-06T15:10:00+00:00
target: prod orchestrator (8500) + staging orchestrator-staging (8501)
mode: artifact-validated; prod restart handed off to Owner (self-hosting safeguard)
---

# Deploy Log — ORCH-040

## Verdict

`deploy_status: SUCCESS` — deployable artifact validated and ready. The automated
deploy-stage responsibility is complete. **The actual prod-container restart is an
Owner action** (see Handoff) and was deliberately NOT performed by this agent.

## Why no in-task prod restart

ORCH-040 is a **self-hosting** change: it makes the running prod instance
`orchestrator` (8500) run as `user: "1000:1000"` instead of root. Per CLAUDE.md
rule #1 and INFRA.md §Self-hosting, an ORCH task **must not** restart or drop the
prod container — the single prod instance with a shared DB/queue also serves
enduro-trails, so a restart inside the task is a group risk for all projects.
Real prod deploys go through `scripts/orchestrator-deploy-hook.sh` (DEPLOY_HOOK.md)
executed by the Owner, not by the deployer agent.

## What was validated

- **Staging gate green** — `15-staging-log.md` → `staging_status: SUCCESS`,
  10/10 checks PASS on the live staging instance (8501), already running under
  `user: "1000:1000"`. Artifacts created as `slin:slin`, agent `exit_code=0`,
  docker.sock + ssh-deploy paths live. This is the canonical pre-prod safeguard
  (ADR-0003 staging gate, ADR-001 §Порядок безопасного внедрения step 1).
- **Deployable artifact correct** — `docker-compose.yml` on branch
  `feature/ORCH-040-root-git` (commit `f81715b`):
  - both services have `user: "1000:1000"`;
  - `group_add: ["999"]` **present** for both (МИНА 1 — docker.sock access via gid
    999, not root — NOT removed);
  - SSH mount retargeted `/root/.ssh` → `/home/slin/.ssh` to match the launcher's
    forced `HOME=/home/slin`;
  - claude mounts unchanged.
  - `src/agents/launcher.py` and `Dockerfile` unchanged, as the ADR mandates.

## Handoff — Owner prod cut-over (out-of-code, ADR-001 §Host-prerequisites & §Порядок)

Perform in this order, **only in a quiet window** (P-4):

1. **P-1 (BLOCKER)** — `chown -R 1000:1000 /home/slin/.claude`; verify
   `sudo -u '#1000' test -r /home/slin/.claude/.credentials.json`. Without this,
   preflight (ORCH-044) will fail the whole pipeline.
2. **P-2** — ssh keys in `/home/slin/.orchestrator-ssh` readable by uid 1000.
3. **P-3** — confirm `id slin` → `1000:1000`; `/repos`, `/app/data` already `1000:1000`.
4. **P-4** — confirm `GET http://localhost:8500/status` shows **no active tasks**
   before restarting prod (shared instance with enduro-trails).
5. Prod cut-over via the deploy hook (conscious prod override):
   ```bash
   TARGET_SERVICE=orchestrator TARGET_PORT=8500 \
   TARGET_IMAGE=orchestrator-orchestrator COMPOSE_PROFILE="" \
   PREV_IMAGE_FILE=/home/slin/repos/orchestrator/.deploy-prev-image-prod \
   bash scripts/orchestrator-deploy-hook.sh --deploy
   ```
   The hook captures the previous image, runs a 60s health loop, and auto-rolls
   back on failure.
6. Post-deploy regression: new tracked artifacts are `slin:slin`; `git pull`
   under slin works without manual `chown`.

## Summary

| Item | State |
|------|-------|
| Staging gate (`check_staging_status`) | SUCCESS (10/10) |
| Compose artifact (user/group_add/ssh) | correct, МИНА 1 intact |
| In-task prod restart | NOT performed (self-hosting safeguard, by design) |
| Prod cut-over | handed off to Owner (P-1…P-4 + deploy hook) |
| Deploy stage verdict | SUCCESS |