docs(#20): mark hook phases 1+2 done; resume notes point to phase 3 (indeedhub)

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-21 11:49:05 -04:00 · 2026-06-21 11:49:05 -04:00 · ccb5b7ca39
commit ccb5b7ca39
parent 955c54b713
2 changed files with 25 additions and 18 deletions
--- a/docs/PRODUCTION-MASTER-PLAN.md
+++ b/docs/PRODUCTION-MASTER-PLAN.md
@ -150,6 +150,14 @@ phases 2–6 (`dual-ecash-design.md`).
 ## 8b. SESSION STATE + RESUME (2026-06-21, live)

 **Landed + committed on main this session (newest first):**
+- `955c54b7` hook capability (#20) **phase 2** — `container::hooks::run_post_install`
+  executor (podman exec + copy_from_host w/ allowlist canonicalise + symlink-escape
+  prefix check; best-effort/idempotent) wired into `install_fresh` after container
+  is up (fresh-container-only). 5 unit tests; `cargo test -p archipelago` green.
+- `4c1a4e59` hook capability (#20) **phase 1** — `LifecycleHooks`/`HookStep`/`HostCopy`
+  schema + validate() + re-exports + 3 schema tests; also fixed 3 pre-existing
+  `ContainerConfig` test literals missing `generated_secrets` (container crate now
+  compiles; `cargo test -p archipelago-container` green, 53 pass).
 - `f0c6b79d` immich containers named underscore (immich_server/_postgres/_redis) to
  match runtime lifecycle code — fixes package.stop/start/restart. **immich fully
  migrated + verified on .228** (manifest-driven stack via orchestrator).
@ -161,19 +169,14 @@ phases 2–6 (`dual-ecash-design.md`).
 - `192238cb` docs consolidation 56→28 + CLAUDE.md.
 - `03a4ee1b` generated-secrets system + companion/quadlet fixes.

-**IN FLIGHT — hook capability (#20), phase 1 (schema):** building controlled
-post-install hooks so indeedhub/netbird can migrate. Design: `docs/manifest-hooks-design.md`.
- DONE: `LifecycleHooks`/`HookStep`/`HostCopy` types + `hooks` field on AppDefinition
-  + validate() + re-exports + 3 schema tests (manifest.rs).
- **BLOCKING COMPILE FIX NEEDED:** `cargo test -p archipelago-container` fails —
-  3 pre-existing test `ContainerConfig {…}` literals (manifest.rs ~1658/1711/1752)
-  are missing the `generated_secrets` field (added in 03a4ee1b but the container
-  crate's own tests were never run since). Add `generated_secrets: vec![],` to each.
- THEN: implement executor `core/archipelago/src/container/hooks.rs`
-  (run_post_install: podman exec + copy_from_host with allowlist canonicalisation),
-  wire into orchestrator install (post-create, install-only), tests, commit.
+**DONE — hook capability (#20), phases 1+2 (schema + executor + wiring):**
+controlled post-install hooks so indeedhub/netbird can migrate. Design:
+`docs/manifest-hooks-design.md`. Schema, validate(), executor, and install-path
+wiring all landed + green (commits `4c1a4e59`/`955c54b7` above). Remaining #20
+phases: 3 = indeedhub migration (NEXT, below); 4 = netbird; 5 = `pre_start` hooks
+(type exists, NOT yet executed — wire into `prepare_for_start` if/when needed).

-**NEXT (after #20):** indeedhub migration — author 7 member manifests
+**NEXT — #20 phase 3, indeedhub migration:** author 7 member manifests
 (postgres/redis/minio/relay/api/ffmpeg + frontend) on archy-net with container-name
 hostnames; frontend carries the `post_install` hook (strip X-Frame-Options, copy
 nostr-provider.js, inject script, nginx reload — see `patch_indeedhub_nostr_provider`
--- a/docs/manifest-hooks-design.md
+++ b/docs/manifest-hooks-design.md
@ -94,10 +94,14 @@ the `post_install` hook above. `install_indeedhub_stack` becomes orchestrator-fi

 ## 6. Phases

-1. **Schema + executor + validation + unit tests** (this design) — `exec` +
-   `copy_from_host`, allowlist-enforced.
-2. **Wire into orchestrator install** (post-create, install-only).
-3. **indeedhub**: author member manifests + frontend `post_install` hook; wire
+1. ✅ **Schema + validation + unit tests** — `LifecycleHooks`/`HookStep`/`HostCopy`
+   in `archipelago-container::manifest`, allowlist-enforced at `validate()`.
+   (commit `4c1a4e59`)
+2. ✅ **Executor + wire into orchestrator install** — `container::hooks::run_post_install`
+   (`exec` + `copy_from_host`, canonicalise + symlink-escape prefix check, best-effort);
+   called from `install_fresh` after the container is up, fresh-container-only.
+   (commit `955c54b7`)
+3. ⏳ **indeedhub**: author member manifests + frontend `post_install` hook; wire
   `install_indeedhub_stack` orchestrator-first; live-migrate + verify on .228.
-4. **netbird**: assess its setup steps; migrate with hooks.
-5. `pre_start` hooks (repair/ownership) if needed.
+4. ⏳ **netbird**: assess its setup steps; migrate with hooks.
+5. ⏳ `pre_start` hooks (repair/ownership) — type exists; executor not yet wired.