feat(deploy): add personal-prod user unit and cache isolation #51
Support a SECURITY_SCANNER_CACHE_ROOT override so that the personal-prod deployment does not collide with the existing scan cache. Add a new user-level personal systemd unit and securityscanner.slice to separate the :4567 personal table, user manager, resource cap, and IO idle scheduling path.
Validation: uv run pytest -q
Co-Authored-By: Codex GPT-5 <noreply@openai.com>
2c2f3af to 815dbbe
Code Review
This pull request introduces systemd user services and timers for deploying a personal instance of the security-scanner, along with a custom resource slice. It also adds support for overriding the cache root directory via the SECURITY_SCANNER_CACHE_ROOT environment variable and includes comprehensive structural tests. The review feedback suggests several valuable improvements: handling whitespace-only environment variables defensively in the fetcher, adding an initial trigger (OnActiveSec) to the lease reaper timer, increasing the slice's TasksMax limit to prevent process fork failures under concurrent load, and expanding the path validation tests to cover all systemd service files.
origin/main has advanced to the personal-prod-deploy series (PR #51~#55, M8 dashboard), causing conflicts. Resolved per the user-approved decision:
- governance 3 files (autopilot_goal.yml/current.yml/CURRENT.md) → adopt main (theirs). Keep main's active_goal (personal-prod-deploy) as is = align governance with main (discard our goal-activation). These 3 files are byte-identical to origin/main → neither governance self-modification nor scope expansion. ghas needs no active_goal slot (M1~M5 are all default-off/report-only, so they operate safely without a slot).
- code 2 files (scan_worker.py/test_scan_worker.py) → merge both sides' logic. main's baseline-job full-history (_scan_options_for_job/_is_baseline_job) and our M3 verify job pending-return guard + enqueue are compatible (auto-merge succeeded, tests green).
- our new files (parity/normalize/context_filter/verify_queue/parity_slo, eval/ghas-parity-corpus, spec docs) have no conflicts.
Validation: uv run pytest 1253 passed, 4 skipped (env-gated).
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01TwGs78e6Rb7P5BDe2ezQEh
What
Added a SECURITY_SCANNER_CACHE_ROOT override so the personal-prod clone cache can be separated from the existing cache. Added the personal-prod user unit and securityscanner.slice under deploy/systemd/user/. They use the localhost:4567, security_scanner_personal, user manager, capped slice, Nice=15, IOSchedulingClass=idle path.
Why
Validation
uv run pytest tests/test_fetcher.py tests/test_personal_prod_systemd_units.py tests/test_systemd_units.py -q
uv run pytest -q
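As an added example, not the PR's own code, here is what the two pieces of this change look like in Python (the project runs pytest, so that is the natural language): a cache-root resolver that honours SECURITY_SCANNER_CACHE_ROOT only when it is non-blank, which is the defensive handling the review asked for, and a small structural check of a user unit for the isolation properties named in the description (securityscanner.slice, Nice=15, IOSchedulingClass=idle, a cache root that differs from the shared default). The default cache path, the helper names, the sample unit text and its ExecStart path are all assumptions, not taken from the repository.

```python
"""Illustrative cache-root override and systemd-unit isolation checks.

Not the project's code: helper names, the default cache path and the sample
unit below are assumptions made for this example.
"""
from __future__ import annotations

from pathlib import Path
from typing import Mapping

# Override variable named in the PR; the default location is an assumption.
CACHE_ROOT_ENV = "SECURITY_SCANNER_CACHE_ROOT"
DEFAULT_CACHE_ROOT = Path.home() / ".cache" / "security-scanner"


def resolve_cache_root(env: Mapping[str, str], default: Path = DEFAULT_CACHE_ROOT) -> Path:
    """Pick the clone-cache root for this instance.

    The override is honoured only when it is non-blank: unset, empty and
    whitespace-only values all fall back to the default, so an accidental
    SECURITY_SCANNER_CACHE_ROOT="  " cannot silently aim the cache at the
    current directory (the defensive handling the review asked for).
    """
    value = env.get(CACHE_ROOT_ENV, "").strip()
    return Path(value).expanduser() if value else default


def parse_unit(text: str) -> dict[str, dict[str, list[str]]]:
    """Tiny systemd-unit reader: section -> key -> list of values.

    Repeated keys (several Environment= lines) are kept in order; comments
    and blank lines are skipped. Enough for structural tests, not a full parser.
    """
    sections: dict[str, dict[str, list[str]]] = {}
    current: dict[str, list[str]] | None = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1], {})
            continue
        if current is None or "=" not in line:
            raise ValueError(f"malformed unit line: {line!r}")
        key, _, val = line.partition("=")
        current.setdefault(key.strip(), []).append(val.strip())
    return sections


def service_environment(unit: dict[str, dict[str, list[str]]]) -> dict[str, str]:
    """Flatten [Service] Environment= lines into a mapping (handles "K=V" quoting)."""
    env: dict[str, str] = {}
    for item in unit.get("Service", {}).get("Environment", []):
        for assignment in item.split():
            key, _, val = assignment.strip('"').partition("=")
            env[key] = val
    return env


def isolation_findings(unit: dict[str, dict[str, list[str]]]) -> list[str]:
    """List the isolation properties a personal-prod unit is missing.

    Expected values follow the PR description: securityscanner.slice, Nice=15,
    IOSchedulingClass=idle, and a non-blank cache-root override that differs
    from the shared default. An empty list means the unit is isolated.
    """
    svc = unit.get("Service", {})
    cache_root = service_environment(unit).get(CACHE_ROOT_ENV, "").strip()
    expectations = {
        "Slice=securityscanner.slice": svc.get("Slice") == ["securityscanner.slice"],
        "Nice=15": svc.get("Nice") == ["15"],
        "IOSchedulingClass=idle": svc.get("IOSchedulingClass") == ["idle"],
        f"{CACHE_ROOT_ENV} set to a non-blank value": bool(cache_root),
        f"{CACHE_ROOT_ENV} differs from the shared default":
            bool(cache_root) and cache_root != str(DEFAULT_CACHE_ROOT),
    }
    return [name for name, ok in expectations.items() if not ok]


# Constructed sample unit, not the PR's deploy/systemd/user file; the
# ExecStart path is a placeholder.
PERSONAL_UNIT = """\
[Unit]
Description=security-scanner personal-prod (constructed sample)

[Service]
Type=simple
Slice=securityscanner.slice
Nice=15
IOSchedulingClass=idle
Environment=SECURITY_SCANNER_CACHE_ROOT=%h/.cache/security-scanner-personal
Environment="SECURITY_SCANNER_DB=security_scanner_personal"
ExecStart=%h/.local/bin/security-scanner-personal --host 127.0.0.1 --port 4567

[Install]
WantedBy=default.target
"""

if __name__ == "__main__":
    findings = isolation_findings(parse_unit(PERSONAL_UNIT))
    print("isolation OK" if not findings else f"missing: {findings}")
    # A whitespace-only override falls back to the default rather than cwd.
    print(resolve_cache_root({CACHE_ROOT_ENV: "  "}, Path("/tmp/shared-cache")))
```

The findings list is what a structural test would assert on: the checks are data-driven, so extending the list to the slice's own settings (the TasksMax value the review raised, for instance) or to a second unit file is a one-line change rather than a new test.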