fix(deploy): shrink entrypoint to bare-minimum boot prep

themightychris · claude · themightychris · commit b2c0977367ea · 2026-05-19T08:53:47.000-04:00
The entrypoint's reconcile state machine moved into the API process (prior commit). What's left is the bits that *must* run before the Node process exists: trust the PVC, set a pseudonymous git identity for rebase committer lines, and ensure a `.git` exists by doing a full-history clone on first boot. About 190 lines of shell → ~75 (most of it now comments). The reconciliation, conflict-escape-hatch, and fetch-failure handling are all the API's job now. Also updates docs/operations/deploy.md "Boot sequence" to reflect the split — entrypoint clones, API reconciles. Refs #66. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
diff --git a/deploy/docker/entrypoint.sh b/deploy/docker/entrypoint.sh
@@ -1,36 +1,29 @@
 #!/bin/sh
 # CodeForPhilly API entrypoint.
 #
-# On pod start:
-#   1. Ensures a workable clone of CFP_DATA_REMOTE exists at CFP_DATA_REPO_PATH.
-#   2. Reconciles local commits (made by the previous pod's runtime that the
-#      push daemon hadn't yet pushed) with origin:
-#        - in sync        → no-op
-#        - behind         → fast-forward
-#        - ahead          → push pending commits to origin
-#        - diverged + clean rebase → rebase + push
-#        - diverged + conflicts    → push a `conflicts/<UTC-timestamp>` branch
-#          to origin for operator review, then hard-reset local to origin so
-#          the pod boots from a known-good state. Never silently drops work.
-#   3. exec the API.
+# Minimal boot prep. The data-repo reconciliation state machine
+# (in-sync / behind / ahead / diverged-clean-rebase / diverged-conflict-escape)
+# lives in the Node API process now — see apps/api/src/store/reconcile.ts
+# and apps/api/src/plugins/reconcile.ts. This script only ensures:
+#
+#   1. The PVC mount at CFP_DATA_REPO_PATH is trusted by git regardless of
+#      file-ownership (PVCs survive pod restarts and may carry files owned
+#      by a different uid than the current runAsUser).
+#   2. A reasonable git user identity is configured for any rebase committer
+#      writes (rebase preserves authors of replayed commits; the committer
+#      line is the only thing that can pick up runtime identity).
+#   3. There IS a valid `.git` working tree at CFP_DATA_REPO_PATH. On first
+#      pod boot (empty PVC), we do an initial full-history clone. On
+#      subsequent boots, the reconciler inside the API decides what to do.
 #
 # Required env:
 #   CFP_DATA_REPO_PATH — local working-tree path (mounted PVC in k8s)
 # Optional env:
 #   CFP_DATA_REMOTE    — git URL to clone/fetch/push. If unset, the entrypoint
 #                        assumes an offline-style dev setup and uses whatever
 #                        working tree is already at CFP_DATA_REPO_PATH.
-#   CFP_DATA_BRANCH    — branch to track (default: main).
+#   CFP_DATA_BRANCH    — branch to clone initially (default: main).
 #   GIT_SSH_COMMAND    — set when an SSH deploy key is mounted.
-#
-# Failure modes:
-# - Fetch failures are non-fatal — log + continue with local state. The
-#   push-daemon retries on its schedule.
-# - Push failures during reconciliation are non-fatal — the push-daemon
-#   retries once the API starts.
-# - Rebase conflicts trigger the escape hatch (conflict branch + hard reset).
-#   The API still boots; the operator investigates the named branch.
-# - Anything else (clone failure, etc.) crashes the container; k8s restarts.
 
 set -eu
 
@@ -47,144 +40,48 @@ DATA_BRANCH="${CFP_DATA_BRANCH:-main}"
 # runAsUser (e.g., an earlier iteration ran as root).
 git config --global --add safe.directory "$CFP_DATA_REPO_PATH"
 
-# Identity for any direct git operations made by the entrypoint (rebase
-# preserves authors of existing commits; this just covers the committer when
-# rebase actually rewrites a commit). API mutations supply their own GIT_AUTHOR_*
-# via gitsheets transaction options.
+# Pseudonymous identity for any direct git operations that pick up the
+# runtime committer line. API mutations supply their own GIT_AUTHOR_* via
+# gitsheets transaction options; the reconciler re-applies these to the
+# repo-local config too, so this is belt-and-suspenders for any other tool
+# that touches the tree.
 : "${GIT_AUTHOR_NAME:=CodeForPhilly API}"
 : "${GIT_AUTHOR_EMAIL:=api@users.noreply.codeforphilly.org}"
 : "${GIT_COMMITTER_NAME:=$GIT_AUTHOR_NAME}"
 : "${GIT_COMMITTER_EMAIL:=$GIT_AUTHOR_EMAIL}"
 export GIT_AUTHOR_NAME GIT_AUTHOR_EMAIL GIT_COMMITTER_NAME GIT_COMMITTER_EMAIL
 
-# ---------------------------------------------------------------------------
-# Reconcile against origin. Returns 0 on success or a soft failure; only
-# unrecoverable filesystem/clone errors propagate via `set -e`.
-# ---------------------------------------------------------------------------
-reconcile() {
-  cd "$CFP_DATA_REPO_PATH"
-
-  git config user.name  "$GIT_AUTHOR_NAME"
-  git config user.email "$GIT_AUTHOR_EMAIL"
-  git remote set-url origin "$CFP_DATA_REMOTE"
-
-  # Unshallow if a previous clone used --depth=1; the reconciliation logic
-  # below needs the merge-base to be reachable.
-  if [ -f .git/shallow ]; then
-    log "unshallowing existing clone (needed for rebase)"
-    git fetch --unshallow origin "$DATA_BRANCH" 2>&1 | sed 's/^/  /' || \
-      log "WARN: --unshallow failed; continuing with shallow history"
-  fi
-
-  if ! git fetch --prune origin "$DATA_BRANCH" 2>&1 | sed 's/^/  /'; then
-    log "WARN: fetch failed; skipping reconciliation, using local state"
-    return 0
-  fi
-
-  # Ensure we're on the branch.
-  if git rev-parse --verify "refs/heads/$DATA_BRANCH" >/dev/null 2>&1; then
-    git checkout "$DATA_BRANCH" 2>&1 | sed 's/^/  /'
-  else
-    git checkout -b "$DATA_BRANCH" "origin/$DATA_BRANCH" 2>&1 | sed 's/^/  /'
-  fi
-
-  LOCAL=$(git rev-parse HEAD)
-  REMOTE=$(git rev-parse "origin/$DATA_BRANCH")
-  if ! BASE=$(git merge-base HEAD "origin/$DATA_BRANCH" 2>/dev/null); then
-    log "WARN: no merge-base with origin/$DATA_BRANCH; resetting to origin"
-    git reset --hard "origin/$DATA_BRANCH" 2>&1 | sed 's/^/  /'
-    return 0
-  fi
-
-  if [ "$LOCAL" = "$REMOTE" ]; then
-    log "in sync with origin/$DATA_BRANCH"
-    return 0
-  fi
-
-  if [ "$LOCAL" = "$BASE" ]; then
-    log "behind origin/$DATA_BRANCH — fast-forwarding"
-    git merge --ff-only "origin/$DATA_BRANCH" 2>&1 | sed 's/^/  /'
-    return 0
-  fi
-
-  if [ "$REMOTE" = "$BASE" ]; then
-    AHEAD=$(git rev-list --count "origin/$DATA_BRANCH..HEAD")
-    log "ahead of origin/$DATA_BRANCH by ${AHEAD} commit(s) — pushing"
-    if git push origin "$DATA_BRANCH" 2>&1 | sed 's/^/  /'; then
-      log "push succeeded"
-    else
-      log "WARN: push failed; push-daemon will retry once API starts"
-    fi
-    return 0
+if [ ! -d "$CFP_DATA_REPO_PATH/.git" ]; then
+  if [ -z "${CFP_DATA_REMOTE:-}" ]; then
+    log "ERROR: $CFP_DATA_REPO_PATH is not a git repo and CFP_DATA_REMOTE is unset"
+    exit 1
   fi
 
-  # Diverged: local has commits that origin doesn't AND origin has commits
-  # that local doesn't. Attempt a rebase; if it conflicts, escape-hatch.
-  AHEAD=$(git rev-list --count "origin/$DATA_BRANCH..HEAD")
-  BEHIND=$(git rev-list --count "HEAD..origin/$DATA_BRANCH")
-  log "diverged from origin/$DATA_BRANCH (ahead=${AHEAD}, behind=${BEHIND}) — rebasing"
-
-  if git rebase "origin/$DATA_BRANCH" 2>&1 | sed 's/^/  /'; then
-    log "rebase clean — pushing"
-    if git push origin "$DATA_BRANCH" 2>&1 | sed 's/^/  /'; then
-      log "push succeeded"
-    else
-      log "WARN: push failed; push-daemon will retry once API starts"
-    fi
-    return 0
-  fi
+  mkdir -p "$CFP_DATA_REPO_PATH"
 
-  # Conflict — escape hatch.
-  CONFLICT_BRANCH="conflicts/$(date -u +%Y-%m-%dT%H-%M-%SZ)"
-  log "ERROR: rebase conflict on $DATA_BRANCH — invoking escape hatch"
-  git rebase --abort 2>&1 | sed 's/^/  /' || true
-  log "preserving pre-rebase HEAD ($LOCAL) at $CONFLICT_BRANCH"
-  git branch "$CONFLICT_BRANCH" "$LOCAL"
-  if git push origin "$CONFLICT_BRANCH" 2>&1 | sed 's/^/  /'; then
-    log "pushed $CONFLICT_BRANCH to origin — operator must investigate"
-  else
-    log "WARN: failed to push $CONFLICT_BRANCH; diverged commits preserved only in this PVC's reflog"
+  # PVC may carry residue from a previous pod that bailed mid-clone.
+  # `git clone` refuses to clone into a non-empty directory, so wipe it
+  # first. Safe because the data repo is always re-cloneable.
+  if [ -n "$(ls -A "$CFP_DATA_REPO_PATH" 2>/dev/null)" ]; then
+    log "$CFP_DATA_REPO_PATH non-empty but lacks .git — wiping before clone"
+    find "$CFP_DATA_REPO_PATH" -mindepth 1 -maxdepth 1 -exec rm -rf {} +
   fi
-  log "resetting $DATA_BRANCH to origin/$DATA_BRANCH"
-  git reset --hard "origin/$DATA_BRANCH" 2>&1 | sed 's/^/  /'
-  return 0
-}
 
-if [ -z "${CFP_DATA_REMOTE:-}" ]; then
-  if [ -d "$CFP_DATA_REPO_PATH/.git" ]; then
-    log "CFP_DATA_REMOTE unset; using existing working tree at $CFP_DATA_REPO_PATH"
-    cd "$CFP_DATA_REPO_PATH"
-    git config user.name  "$GIT_AUTHOR_NAME"
-    git config user.email "$GIT_AUTHOR_EMAIL"
-    cd - >/dev/null
-  else
-    log "ERROR: CFP_DATA_REMOTE is unset and $CFP_DATA_REPO_PATH is not a git repo"
-    exit 1
-  fi
-else
-  mkdir -p "$CFP_DATA_REPO_PATH"
+  log "cloning $CFP_DATA_REMOTE into $CFP_DATA_REPO_PATH (branch=$DATA_BRANCH)"
+  # Full history (no --depth) so the API-side reconciler can rebase against
+  # any realistic divergence on subsequent boots.
+  git clone --branch "$DATA_BRANCH" "$CFP_DATA_REMOTE" "$CFP_DATA_REPO_PATH"
+fi
 
-  if [ -d "$CFP_DATA_REPO_PATH/.git" ]; then
-    log "reconciling existing data repo at $CFP_DATA_REPO_PATH (branch=$DATA_BRANCH)"
-    reconcile
-    cd - >/dev/null || true
-  else
-    # PVC may carry residue from a previous pod that bailed mid-clone.
-    # `git clone` refuses to clone into a non-empty directory, so wipe it
-    # first. Safe because the data repo is always re-cloneable.
-    if [ -n "$(ls -A "$CFP_DATA_REPO_PATH" 2>/dev/null)" ]; then
-      log "$CFP_DATA_REPO_PATH non-empty but lacks .git — wiping before clone"
-      find "$CFP_DATA_REPO_PATH" -mindepth 1 -maxdepth 1 -exec rm -rf {} +
-    fi
-    log "cloning $CFP_DATA_REMOTE into $CFP_DATA_REPO_PATH (branch=$DATA_BRANCH)"
-    # Full history (no --depth) so subsequent reconciliations can rebase.
-    git clone --branch "$DATA_BRANCH" "$CFP_DATA_REMOTE" "$CFP_DATA_REPO_PATH"
-    cd "$CFP_DATA_REPO_PATH"
-    git config user.name  "$GIT_AUTHOR_NAME"
-    git config user.email "$GIT_AUTHOR_EMAIL"
-    cd - >/dev/null
-  fi
+cd "$CFP_DATA_REPO_PATH"
+git config user.name  "$GIT_AUTHOR_NAME"
+git config user.email "$GIT_AUTHOR_EMAIL"
+# Ensure the origin URL matches the current env (in case CFP_DATA_REMOTE
+# was rotated). Idempotent.
+if [ -n "${CFP_DATA_REMOTE:-}" ] && git remote get-url origin >/dev/null 2>&1; then
+  git remote set-url origin "$CFP_DATA_REMOTE"
 fi
+cd - >/dev/null
 
-log "data repo ready; starting API"
+log "data repo ready; starting API (reconciliation runs inside the API process)"
 exec "$@"
diff --git a/docs/operations/deploy.md b/docs/operations/deploy.md
@@ -101,26 +101,52 @@ curl http://localhost:3001/                  # SPA index.html
 
 ## Boot sequence
 
-The container entrypoint (`deploy/docker/entrypoint.sh`) reconciles the
-data-repo working tree with origin before exec'ing the API. See the
-"Smart entrypoint reconciliation" commit message in `git log
-deploy/docker/entrypoint.sh` for the full state machine; in short:
-
-- in sync → no-op
-- behind → fast-forward
-- ahead → push (push daemon retries on failure)
-- diverged + clean rebase → rebase + push
-- diverged + conflicts → push a `conflicts/<UTC-timestamp>` branch to origin
-  and hard-reset local to origin
+The container entrypoint (`deploy/docker/entrypoint.sh`) only handles the
+bits that *must* run before the Node process exists:
+
+- Trusts the PVC mount via `git config --global safe.directory`.
+- Sets a pseudonymous git identity (`CodeForPhilly API
+  <api@users.noreply.codeforphilly.org>`) for any committer line a future
+  rebase might write.
+- On first pod boot — and only then — does a full-history `git clone` of
+  `CFP_DATA_REMOTE` into `CFP_DATA_REPO_PATH` when no `.git` directory
+  exists. On subsequent boots the PVC already holds a clone; no clone is
+  performed.
+- Refreshes `origin`'s URL to whatever `CFP_DATA_REMOTE` is set to (lets
+  operators rotate the remote without re-cloning the PVC).
+- `exec`s the API. That's all — about a dozen lines of shell now.
 
 Then `exec node apps/api/dist/index.js`. Inside node, `buildApp()` registers
 plugins ([apps/api/src/app.ts](../../apps/api/src/app.ts)) in order: env →
 CORS → cookies → trace IDs → error mapper → **store** (loads public +
-private into memory) → **push daemon** (starts pushing transact'd commits to
+private into memory) → **reconcile** (fetch + ff/rebase/escape-hatch against
+origin — see below) → **push daemon** (starts pushing transact'd commits to
 `CFP_DATA_REMOTE`) → services (FTS) → rate limit → idempotency → session
 middleware → swagger → routes → static SPA. Fastify's `listen()` doesn't
 fire until all of those resolve, so once `/api/health/ready` returns 200
-both stores have loaded.
+both stores have loaded **and** the working tree has been reconciled with
+origin.
+
+### Reconciliation state machine
+
+Lives in [`apps/api/src/store/reconcile.ts`](../../apps/api/src/store/reconcile.ts)
+and is invoked at boot by the reconcile plugin. Same state machine the
+shell used to run, just structured Node so exit codes propagate naturally
+and the same code is reusable from the future hot-reload webhook (#65):
+
+- in sync → no-op (`'in-sync'`)
+- behind → fast-forward (`'fast-forwarded'`)
+- ahead → push (`'pushed-ahead'`; push daemon retries on push failure)
+- diverged + clean rebase → rebase + push (`'rebased'`)
+- diverged + conflicts → abort rebase, create + push a
+  `conflicts/<UTC-timestamp>` branch from the pre-rebase HEAD, hard-reset
+  local to origin (`'conflict-escaped'`; logged at ERROR level so operators
+  see it in production logs)
+- fetch itself fails (network blip) → log warn, continue with local state
+  (`'fetch-failed'`)
+
+When `CFP_DATA_REMOTE` is unset (typical local dev), the reconcile plugin
+skips reconciliation entirely.
 
 ## Probes
 
@@ -133,9 +159,10 @@ both stores have loaded.
 ## Data repo on disk
 
 The API operates on a working tree at `/app/data` backed by a PVC. The
-entrypoint reconciles that tree with `CFP_DATA_REMOTE` on every boot; the
-push daemon pushes commits made during the pod's lifetime back to the
-remote.
+entrypoint ensures the working tree exists (cloning on first boot); the
+API-side reconcile plugin then synchronizes that tree with `CFP_DATA_REMOTE`
+on every boot, and the push daemon pushes commits made during the pod's
+lifetime back to the remote.
 
 Implications:
 
