boxlite-ai
diff --git a/‎.github/workflows/deploy-dev.yml‎
Lines changed: 155 additions & 0 deletions b/‎.github/workflows/deploy-dev.yml‎
Lines changed: 155 additions & 0 deletions
diff --git a/‎apps/infra/README.md‎
Lines changed: 5 additions & 0 deletions b/‎apps/infra/README.md‎
Lines changed: 5 additions & 0 deletions
diff --git a/‎apps/infra/sst.config.ts‎
Lines changed: 21 additions & 2 deletions b/‎apps/infra/sst.config.ts‎
Lines changed: 21 additions & 2 deletions
diff --git a/‎docs/deploy/dev-deploy.md‎
Lines changed: 133 additions & 0 deletions b/‎docs/deploy/dev-deploy.md‎
Lines changed: 133 additions & 0 deletions
@@ -0,0 +1,155 @@
+name: Deploy Dev
+
+on:
+  workflow_dispatch:
+    inputs:
+      deploy_mode:
+        description: 'SST action to run'
+        required: true
+        type: choice
+        default: diff-only
+        options:
+          - diff-only
+          - deploy
+      runner_mode:
+        description: 'Runner rollout strategy'
+        required: true
+        type: choice
+        default: skip
+        options:
+          - skip
+          - existing-release
+          - temporary-build
+          - rollback
+      runner_ref:
+        description: 'Runner release version for existing-release, e.g. 0.9.5'
+        required: false
+        type: string
+      confirm:
+        description: 'Type dev to confirm this targets the dev environment'
+        required: true
+        type: string
+
+permissions:
+  contents: read
+  id-token: write
+
+concurrency:
+  group: deploy-dev
+  cancel-in-progress: false
+
+jobs:
+  config:
+    uses: ./.github/workflows/config.yml
+
+  deploy:
+    name: Deploy dev
+    needs: config
+    runs-on: ubuntu-latest
+    environment: dev
+    env:
+      AWS_REGION: ${{ vars.AWS_REGION }}
+      STACK_DOMAIN: ${{ vars.DEV_STACK_DOMAIN }}
+      RUNNER_ARTIFACT_BUCKET: ${{ vars.DEV_RUNNER_ARTIFACT_BUCKET }}
+      RUNNER_MANIFEST_PREFIX: ${{ vars.DEV_RUNNER_MANIFEST_PREFIX }}
+      ADMIN_API_KEY: ${{ secrets.DEV_ADMIN_API_KEY }}
+      CLOUDFLARE_DEFAULT_ACCOUNT_ID: ${{ vars.CLOUDFLARE_DEFAULT_ACCOUNT_ID }}
+      CLOUDFLARE_API_TOKEN: ${{ secrets.CLOUDFLARE_API_TOKEN }}
+      OIDC_ISSUER_BASE_URL: ${{ vars.DEV_OIDC_ISSUER_BASE_URL }}
+      OIDC_CLIENT_ID: ${{ vars.DEV_OIDC_CLIENT_ID }}
+      OIDC_AUDIENCE: ${{ vars.DEV_OIDC_AUDIENCE }}
+      PUBLIC_OIDC_DOMAIN: ${{ vars.DEV_PUBLIC_OIDC_DOMAIN }}
+      PUBLIC_OIDC_AUDIENCE: ${{ vars.DEV_PUBLIC_OIDC_AUDIENCE }}
+      PUBLIC_OIDC_CLIENT_ID: ${{ vars.DEV_PUBLIC_OIDC_CLIENT_ID }}
+      GHCR_USERNAME: ${{ vars.GHCR_USERNAME }}
+      GHCR_TOKEN: ${{ secrets.GHCR_TOKEN }}
+      POSTHOG_API_KEY: ${{ secrets.DEV_POSTHOG_API_KEY }}
+      POSTHOG_HOST: ${{ vars.DEV_POSTHOG_HOST }}
+      CLICKHOUSE_WRITER_ENDPOINT: ${{ vars.DEV_CLICKHOUSE_WRITER_ENDPOINT }}
+      CLICKHOUSE_WRITER_DATABASE: ${{ vars.DEV_CLICKHOUSE_WRITER_DATABASE }}
+      CLICKHOUSE_WRITER_USERNAME: ${{ vars.DEV_CLICKHOUSE_WRITER_USERNAME }}
+      CLICKHOUSE_WRITER_PASSWORD: ${{ secrets.DEV_CLICKHOUSE_WRITER_PASSWORD }}
+      CLICKHOUSE_CREATE_SCHEMA: ${{ vars.DEV_CLICKHOUSE_CREATE_SCHEMA }}
+      CLICKHOUSE_COMPRESS: ${{ vars.DEV_CLICKHOUSE_COMPRESS }}
+      GH_TOKEN: ${{ github.token }}
+
+    steps:
+      - name: Validate dispatch inputs
+        run: |
+          set -euo pipefail
+          test "${{ inputs.confirm }}" = "dev"
+          if [ "${{ inputs.deploy_mode }}" = "diff-only" ] && [ "${{ inputs.runner_mode }}" != "skip" ]; then
+            echo "runner rollout requires deploy_mode=deploy" >&2
+            exit 1
+          fi
+          if [ "${{ inputs.runner_mode }}" = "existing-release" ] && [ -z "${{ inputs.runner_ref }}" ]; then
+            echo "runner_ref is required for existing-release" >&2
+            exit 1
+          fi
+
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          submodules: recursive
+
+      - name: Set up Node.js
+        uses: actions/setup-node@v4
+        with:
+          node-version: ${{ needs.config.outputs.node-build-version }}
+
+      - name: Set up Go for temporary runner builds
+        if: inputs.runner_mode == 'temporary-build'
+        uses: actions/setup-go@v5
+        with:
+          go-version: ${{ needs.config.outputs.go-version }}
+
+      - name: Set up Rust for temporary runner builds
+        if: inputs.runner_mode == 'temporary-build'
+        uses: actions-rust-lang/setup-rust-toolchain@v1
+        with:
+          toolchain: ${{ needs.config.outputs.rust-toolchain }}
+
+      - name: Install temporary runner build dependencies
+        if: inputs.runner_mode == 'temporary-build'
+        run: sudo apt-get update && sudo apt-get install -y libx11-dev libxtst-dev libxinerama-dev
+
+      - name: Configure AWS credentials
+        uses: aws-actions/configure-aws-credentials@v4
+        with:
+          role-to-assume: ${{ vars.BOXLITE_DEV_DEPLOY_ROLE_ARN }}
+          aws-region: ${{ env.AWS_REGION || 'ap-southeast-1' }}
+          role-session-name: deploy-dev-${{ github.run_id }}
+
+      - name: Install infra dependencies
+        run: npm ci
+        working-directory: apps/infra
+
+      - name: Deploy dev
+        env:
+          DEPLOY_MODE: ${{ inputs.deploy_mode }}
+          RUNNER_MODE: ${{ inputs.runner_mode }}
+          RUNNER_REF: ${{ inputs.runner_ref }}
+          CONFIRM: ${{ inputs.confirm }}
+        run: |
+          set -euo pipefail
+          scripts/deploy/dev-full.sh \
+            --deploy-mode "$DEPLOY_MODE" \
+            --runner-mode "$RUNNER_MODE" \
+            --runner-ref "$RUNNER_REF" \
+            --stage dev \
+            --confirm "$CONFIRM"
+
+      - name: Write summary
+        if: always()
+        run: |
+          {
+            echo "### Deploy Dev"
+            echo
+            echo "- Branch: \`${GITHUB_REF_NAME}\`"
+            echo "- Commit: \`${GITHUB_SHA}\`"
+            echo "- Deploy mode: \`${{ inputs.deploy_mode }}\`"
+            echo "- Runner mode: \`${{ inputs.runner_mode }}\`"
+            echo "- Runner ref: \`${{ inputs.runner_ref }}\`"
+            echo "- Stage: \`dev\`"
+            echo "- Stack domain: \`${STACK_DOMAIN:-unset}\`"
+          } >> "$GITHUB_STEP_SUMMARY"
@@ -208,6 +208,11 @@ npx sst shell  --stage dev       # open shell with SST-linked env vars
 npx sst remove --stage dev       # destroy everything
 ```
 
+For the standard dev release path, prefer the GitHub Actions workflow
+`Deploy Dev`. It wraps SST deploy plus optional runner rollout modes:
+`skip`, `existing-release`, `temporary-build`, and `rollback`. See
+[`docs/deploy/dev-deploy.md`](../../docs/deploy/dev-deploy.md).
+
 ## Runner lifecycle
 
 The Runner EC2 instance (`tag:Name=boxlite-runner`) holds load-bearing state:
 
@@ -156,6 +156,24 @@ export default $config({
     const db = new sst.aws.Postgres('Database', { vpc, instance: 't4g.micro', storage: '20 GB' })
     const redis = new sst.aws.Redis('Cache', { vpc, cluster: false }) // NestJS uses SELECT (multi-DB)
     const storage = new sst.aws.Bucket('Storage')
+    const deployArtifactsBucketName = $interpolate`${$app.name}-${$app.stage}-deploy-artifacts-${aws.getCallerIdentityOutput().accountId}-${REGION}`
+    const deployArtifacts = new aws.s3.Bucket('DeployArtifacts', {
+      bucket: deployArtifactsBucketName,
+      forceDestroy: input?.stage !== 'production',
+      tags: { App: $app.name, Stage: $app.stage, Role: 'deploy-artifacts' },
+    })
+    new aws.s3.BucketLifecycleConfigurationV2('DeployArtifactsLifecycle', {
+      bucket: deployArtifacts.id,
+      rules: [
+        {
+          id: 'expire-runner-temp-artifacts',
+          status: 'Enabled',
+          filter: { prefix: 'runner-temp/' },
+          expiration: { days: 30 },
+          abortIncompleteMultipartUpload: { daysAfterInitiation: 1 },
+        },
+      ],
+    })
     const cluster = new sst.aws.Cluster('Cluster', { vpc, forceUpgrade: 'v2' })
 
     // ─── 3. IAM ──────────────────────────────────────────────────────────────
@@ -735,6 +753,7 @@ export default $config({
     ]).apply(([apiUrl, token, otelEndpoint, ghcrSecretArn]) =>
       buildRunnerUserData({ apiUrl, token, otelEndpoint, ghcrSecretArn: ghcrSecretArn || undefined, ghcrUsername }),
     )
+    const runnerTags = (name: string) => ({ App: $app.name, Stage: $app.stage, Role: 'runner', Name: name })
 
     // Runner holds load-bearing box state (/var/lib/boxlite + in-memory
     // libkrun VMs). Two Pulumi resource options keep it persistent across
@@ -761,7 +780,7 @@ export default $config({
         associatePublicIpAddress: true,
         userDataBase64: runnerUserData,
         rootBlockDevice: { volumeSize: RUNNER.rootDiskGB },
-        tags: { Name: 'boxlite-runner' },
+        tags: runnerTags('boxlite-runner'),
       },
       {
         ignoreChanges: ['ami', 'userDataBase64'],
@@ -801,7 +820,7 @@ export default $config({
               buildRunnerUserData({ apiUrl, token, otelEndpoint, ghcrSecretArn: ghcrSecretArn || undefined, ghcrUsername }),
           ),
           rootBlockDevice: { volumeSize: RUNNER.rootDiskGB },
-          tags: { Name: `boxlite-runner-${name}` },
+          tags: runnerTags(`boxlite-runner-${name}`),
         },
         {
           ignoreChanges: ['ami', 'userDataBase64'],
 
@@ -0,0 +1,133 @@
+# Dev Deploy Workflow
+
+`Deploy Dev` is the operator entrypoint for deploying the SST dev stage and,
+optionally, rolling out a runner binary to the dev runner EC2 instances.
+
+## User Flow
+
+Open GitHub Actions, select `Deploy Dev`, then click `Run workflow`.
+
+The branch selector is the source checkout. Use `main` for normal dev deploys
+or a PR branch for dev validation.
+
+Inputs:
+
+| Input         | Values                                                    | Meaning                                     |
+| ------------- | --------------------------------------------------------- | ------------------------------------------- |
+| `deploy_mode` | `diff-only`, `deploy`                                     | Preview SST changes or actually deploy dev. |
+| `runner_mode` | `skip`, `existing-release`, `temporary-build`, `rollback` | Runner rollout strategy.                    |
+| `runner_ref`  | `0.9.5`, empty                                            | Required only for `existing-release`.       |
+| `confirm`     | `dev`                                                     | Required safety confirmation.               |
+
+Common runs:
+
+| Goal                                                   | Inputs                                                                       |
+| ------------------------------------------------------ | ---------------------------------------------------------------------------- |
+| Preview dev infra/service changes                      | `deploy_mode=diff-only`, `runner_mode=skip`                                  |
+| Deploy SST dev only                                    | `deploy_mode=deploy`, `runner_mode=skip`                                     |
+| Deploy dev and install a released runner               | `deploy_mode=deploy`, `runner_mode=existing-release`, `runner_ref=<version>` |
+| Deploy dev and test the selected branch's runner       | `deploy_mode=deploy`, `runner_mode=temporary-build`                          |
+| Roll back dev runner to the previous recorded artifact | `deploy_mode=deploy`, `runner_mode=rollback`                                 |
+
+`diff-only` never rolls out a runner.
+
+## Runner Artifact Model
+
+There are three artifact classes:
+
+| Class               | Storage                        | Lifetime                               | Intended use                                             |
+| ------------------- | ------------------------------ | -------------------------------------- | -------------------------------------------------------- |
+| Official release    | GitHub Release asset           | Long-lived                             | Stage/prod and durable rollbacks.                        |
+| Temporary dev build | Dev deploy-artifacts S3 bucket | Short-lived, default lifecycle 30 days | Dev-only branch validation without publishing a release. |
+| Rollout manifest    | Dev deploy-artifacts S3 bucket | Long-lived                             | Current/previous runner deployment record.               |
+
+Temporary builds are versioned as:
+
+```text
+<Cargo.toml version>-dev.<commit-sha>
+```
+
+Dirty local worktree builds get a `-dirty` suffix. The GitHub Action normally
+checks out a clean commit, so dev deploys from Actions should not be dirty.
+
+## What The Workflow Does
+
+1. Checks out the selected branch.
+2. Confirms `confirm=dev`.
+3. Assumes the dev AWS deploy role.
+4. Runs `npx sst diff --stage dev`.
+5. Runs `npx sst deploy --stage dev` when `deploy_mode=deploy`.
+6. Applies the selected runner mode:
+   - `skip`: no runner changes.
+   - `existing-release`: checks the GitHub Release asset and installs it.
+   - `temporary-build`: builds C SDK + daemon + computer-use + runner from the
+     selected commit, uploads the tarball to S3, presigns it, and installs it.
+   - `rollback`: reads the previous runner manifest and reinstalls that source.
+7. Verifies public API health.
+8. If `DEV_ADMIN_API_KEY` is configured, verifies the Admin runner overview.
+
+Runner rollout uses AWS SSM Run Command. It does not SSH into instances and does
+not replace EC2 instances. The runner service is stopped, the binary is replaced,
+and the service is started again. `/var/lib/boxlite` is untouched.
+
+## Required GitHub Configuration
+
+Create a GitHub Environment named `dev`.
+
+Required variables:
+
+| Name                            | Purpose                                   |
+| ------------------------------- | ----------------------------------------- |
+| `BOXLITE_DEV_DEPLOY_ROLE_ARN`   | AWS IAM role assumed by the workflow.     |
+| `DEV_STACK_DOMAIN`              | Dev domain, for example `dev.boxlite.ai`. |
+| `CLOUDFLARE_DEFAULT_ACCOUNT_ID` | Cloudflare account for SST DNS.           |
+| `DEV_OIDC_ISSUER_BASE_URL`      | OIDC issuer URL required by the API.      |
+
+Required secrets:
+
+| Name                   | Purpose                                 |
+| ---------------------- | --------------------------------------- |
+| `CLOUDFLARE_API_TOKEN` | Lets SST manage Cloudflare DNS records. |
+
+Optional variables/secrets:
+
+| Name                                | Purpose                                              |
+| ----------------------------------- | ---------------------------------------------------- |
+| `DEV_RUNNER_ARTIFACT_BUCKET`        | Override the default deploy-artifacts bucket name.   |
+| `DEV_RUNNER_MANIFEST_PREFIX`        | Override the manifest prefix, default `deployments`. |
+| `DEV_ADMIN_API_KEY`                 | Enables Admin runner overview verification.          |
+| `GHCR_USERNAME`, `GHCR_TOKEN`       | Runner image pull credentials when needed.           |
+| `DEV_POSTHOG_*`, `DEV_CLICKHOUSE_*` | Optional runtime integrations.                       |
+
+The default artifact bucket name is:
+
+```text
+boxlite-dev-deploy-artifacts-<aws-account-id>-ap-southeast-1
+```
+
+SST creates this bucket as part of the dev stack. Temporary runner artifacts are
+stored under `runner-temp/`; rollout manifests are stored under
+`deployments/dev/runner/`.
+
+## Local Fallback
+
+The same flow can run from a Linux deploy host:
+
+```bash
+scripts/deploy/dev-full.sh \
+  --deploy-mode deploy \
+  --runner-mode skip \
+  --stage dev \
+  --confirm dev
+```
+
+Use GitHub Actions for `temporary-build`. Local temporary builds require Linux
+amd64 because the runner uses CGO.
+
+## Safety Boundaries
+
+- This workflow only supports `stage=dev`.
+- Runner rollout requires `deploy_mode=deploy`.
+- Runner EC2 discovery requires SST-managed tags:
+  `App=boxlite`, `Stage=dev`, `Role=runner`.
+- Production deploys need a separate workflow with approval and canary rules.