max / makenotwork

sando: log Session 4 (0.9.6 path-decoupling) follow-ups in todo.md

Soak clock for rm -rf /opt/makenotwork/, the mnw-cli drop-in cleanup once the unit is redeployed, and a note on the pre-existing prod bug where /etc/mnw/makenotwork.env was unreadable by the git user.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Author: Max Johnson <me@maxj.phd> · 2026-06-03 06:19 UTC
Commit: 1318230895d2daf918dfcc75fc28c6e3931bf8b6
Parent: 445bfb7
1 file changed, +6 insertions, -0 deletions
@@ -19,6 +19,12 @@ Claude-only follow-ups (no user input needed; pick the next slice):
19 19 - Phase 4 prep — first Sando-only deploy to testnot (needs Track B — see below)
20 20 - Sando test suite — see "Testing" section below; sandod and TUI have zero unit/integration tests today
21 21
22 + Session 4 — 0.9.6 path-decoupling shipped 2026-06-03 (commits `bfba435`, `445bfb7`). Remaining:
23 +
24 + - [ ] **Soak clock for `rm -rf /opt/makenotwork/`** — 0.9.6 cut over 2026-06-03 03:46 UTC, `rebuild-keys` ran the same minute, all 4 authorized_keys repointed at `/opt/mnw/current/mnw-admin`. Eligible for cleanup ~2026-06-10. Pre-cleanup checks per launchplan §7: `journalctl -u makenotwork --since "1 week ago" | grep /opt/makenotwork/` empty, plus the §7 "Then, cleanup" sublist (rm /opt/makenotwork, rm /opt/git after the duality decision, migrate backups dir, leave makenotwork shell as bash for sando).
25 + - [ ] **Remove live drop-in** `/etc/systemd/system/mnw-cli.service.d/fhs-git-path.conf` on prod — it added `ReadWritePaths=/var/lib/mnw` to fix the EROFS that broke every creator git push after Session 3 (mnw-cli's systemd namespace had `/opt/git` writable but not `/var/lib/mnw/git`). The unit file in `mnw-cli/deploy/mnw-cli.service` is now patched to include the path, so the drop-in becomes redundant next time `./mnw-cli/deploy/deploy.sh --config` runs. Until then both apply (harmless dupe).
26 + - [ ] **Discovered pre-existing prod bug, fixed live:** `/etc/mnw/makenotwork.env` was unreadable by the git user (mode 640 root:makenotwork), so any `mnw-admin git-auth` invocation via authorized_keys command= panicked with "DATABASE_URL must be set". Same was true of the legacy `/opt/makenotwork/.env` (had been silently broken on 0.9.5 too). Applied `setfacl u:git:r` on both env files and `setfacl u:git:x /etc/mnw` directly on prod; codified the ACL block (conditional on git user existing) in `bootstrap-node.sh`. Next bootstrap will set it automatically.
27 +
22 28 Decision-gated (needs user input first):
23 29
24 30 - Track B testnot live-app: postgres role+db (Claude), `.env` secrets (which Stripe/SMTP/S3 creds to use for staging — needs user), Caddyfile + Cloudflare Origin CA cert for testnot.work (user issues cert in CF dashboard; Claude installs)
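
Review bot: the ACL fix recorded in the third new item (new line 26) lets the git user read all of `/etc/mnw/makenotwork.env` and the legacy `/opt/makenotwork/.env`, although the only variable the item names as missing is `DATABASE_URL`. If those files hold other secrets, every `authorized_keys` `command=` invocation of `mnw-admin git-auth` now runs as a user that can read them. Consider logging a follow-up to give `mnw-admin git-auth` its own env file with only the variables it needs, and to drop the ACL on the legacy file once `/opt/makenotwork/` is removed. The same item sits under "Remaining:" with an unchecked box even though the text says the bug was fixed live and codified in `bootstrap-node.sh`; say what is still open (for example, confirming the ACL with `getfacl` after the next bootstrap) or mark it done. The `setfacl u:git:r` shorthand also omits `-m`, so it cannot be copied as written when someone replays the fix.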