Implementation Overlay Workstream
Snapshot date: 2026-04-29
This page is the active coordination surface for moving owner-specific Honey deployment facts out of the GloriousFlywheel core repo and into private implementation overlays.
Current State
- `tinyland-inc/tinyland-infra` is private. `tinyland-inc/tinyland-infra#2` merged the Tinyland overlay overhaul at `4b31f6ddf12033cbe52e2e7192649295cf2bc473`.
- `Jesssullivan/jesssullivan-infra` is private. PR #2 merged the initial Jess overlay, and PR #4 refreshed its GloriousFlywheel core pin at `0c6490048be94806f612f4cbf5903a7a3b44d91a`.
- GloriousFlywheel issue #421 and Linear TIN-568 are closed after the Honey overlay authority and Jess state-rehome closeout.
- GloriousFlywheel PR #420 merged and restored the implementation-overlay architecture while guarding core ARC applies.
- GloriousFlywheel PR #422 merged the workstream surface, owner-distinct ARC registration names, and the read-only enrollment preflight.
- GloriousFlywheel PR #444 merged at `3c7fdf5261ed74babee54c792c3cce3c9e71112f` and clarified that stateless Docker work may use `sting`, while ARC plan/apply remains honey-bound until `sting` kube-API reachability is separately proved.
- GloriousFlywheel PR #445 merged at `0e42be3bfc39529bc50dce7f23b38d4cb5863df0` and made the local hygiene gate bounded while keeping heavyweight Nix/OpenTofu validation explicit. This reduces operator friction for overlay docs and runner-taxonomy cleanup without weakening the full validation path.
- GloriousFlywheel PR #449 merged the core-pin drift blocker for implementation overlays. Both overlays now pin selected stable core commit `637b7167c400a842cdc7af0709b2251c0542a48a` in `MODULE.bazel` and `config/organization.yaml`.
- GloriousFlywheel PRs #450 and #451 merged the read-only ARC residue audit guard and classified `tubebrain-nix` as a known standalone compatibility lane, not product runner taxonomy.
- GloriousFlywheel PR #452 refreshed the top-level management surfaces after #438 / TIN-681 closed the MassageIthaca Docker-capable shared-runner proof.
- GloriousFlywheel PR #468 completed the core cleanup after the six-release Jess state rehome and removed the core recreate hazard.
- GloriousFlywheel PR #469 refreshed the docs/status surfaces so #412 remains package-lane retirement debt rather than stale state-repair work.
- GloriousFlywheel PR #470 refreshed the remaining management docs after the rehome closeout so current-state, roadmap, cleanup, and public-alpha surfaces agree on the post-rehome boundary.
- `Jesssullivan/jesssullivan-infra` PR #13 pinned its ARC deploy workflow to GloriousFlywheel authority commit `defff7fb7d1f3457c5270ce2e57ac6077e797b1c`; the Jess apply then reconciled the adopted releases to `github-app-secret-jesssullivan`, and a follow-up plan reported no changes.
The overlays are beyond scaffold-only status: both have least-privilege core-read wiring, live ARC registration, and strict enrollment preflight passing. Jess is now live state authority for the old personal-boundary compatibility releases. Those lanes remain compatibility debt until downstream repos move to a normal owner/shared scope or the lanes are explicitly removed.
Deep-dive update: the reusable ARC stack now has to distinguish one shared ARC controller owner from additional owner overlays. Tinyland can rehome the existing `arc-controller`, namespaces, and current Tinyland runner releases. The Jess overlay should attach to that shared controller with `deploy_arc_controller = false`, `create_controller_namespace = false`, and `create_runner_namespace = false`, then use owner-distinct internal Helm release names and ARC `runnerScaleSetName` values while preserving `tinyland-*` workflow labels.

One-off OpenTofu imports must stay in operator migration steps, not committed to the reusable stack, because each owner overlay may use distinct internal release keys.
Active Boundaries
- Tinyland owner scope is organization-scoped: https://github.com/tinyland-inc.
- Jess owner scope uses `Jesssullivan/jesssullivan-infra` only as a private ARC registration anchor.
- Shared workflow labels remain capability-shaped: `tinyland-nix`, `tinyland-docker`, `tinyland-dind`, `tinyland-nix-heavy`, `tinyland-nix-kvm`, and `tinyland-nix-gpu`.
- The overlays point at the same Honey cluster, Attic cache, Bazel cache, and RustFS-backed state substrate.
- No personal-account runner group exists or should be described as existing.
Open Work
- Keep the least-privilege core-read credential green for each overlay repo. Prefer `GF_CORE_DEPLOY_KEY` backed by a read-only deploy key on `tinyland-inc/GloriousFlywheel`; use `GF_CORE_READ_TOKEN` only as a compatibility fallback.
- Keep the Tinyland GitHub App credentials bound through the overlay secret path: `just arc-app-secret-dry-run`, then `just arc-app-secret-apply` from `tinyland-infra`.
- Keep the Jess GitHub App credentials bound through the overlay secret path: `just arc-app-secret-dry-run`, then `just arc-app-secret-apply` from `jesssullivan-infra`.
- Run `GF_EXPECTED_CORE_REF=<selected-core-ref> just enrollment-preflight-strict` from each overlay after every core pin refresh. The preflight now blocks if `config/organization.yaml` and `MODULE.bazel` disagree, or if both pins do not resolve to the selected core ref.
- Keep #412 focused on package personal-lane retirement, not state rehome. `Jesssullivan/scheduling-kit` and `Jesssullivan/scheduling-bridge` already use the workflow-facing shared `tinyland-nix` label; the remaining blocker is GitHub personal-account runner registration reachability.
- Prove that overlay plans are non-destructive before applying any core or overlay ARC stack change.
- Keep a default-branch workflow green on shared labels from each owner scope before counting that owner as shared-lane authority.
- Document the capacity boundary from TIN-627: owner-distinct scale sets are registration identities, while global concurrency is still enforced by Kubernetes scheduling and bounded node capacity.
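The core-pin drift rule above (block when `config/organization.yaml` and `MODULE.bazel` disagree, or when a pin does not resolve to the selected core ref) as an added worked example; this is not GloriousFlywheel's own preflight script. It assumes `MODULE.bazel` pins core through a `git_override(...)` block with a `commit = "<sha>"` line and that `config/organization.yaml` carries a top-level `core_ref:` key; both layouts, the sample contents, and the prefix-based stand-in for git resolution are assumptions.

```python
from __future__ import annotations
import re

# Constructed sample inputs (assumed layouts), pinned to the selected stable core.
MODULE_BAZEL = '''
bazel_dep(name = "gloriousflywheel", version = "0.0.0")
git_override(
    module_name = "gloriousflywheel",
    remote = "https://github.com/tinyland-inc/GloriousFlywheel.git",
    commit = "637b7167c400a842cdc7af0709b2251c0542a48a",
)
'''
ORGANIZATION_YAML = '''
owner: tinyland-inc
core_ref: 637b7167c400a842cdc7af0709b2251c0542a48a
'''

SHA = r"[0-9a-f]{7,40}"  # full or abbreviated commit id


def module_bazel_pin(text: str) -> str | None:
    """Commit pinned in the assumed git_override block, or None if absent."""
    m = re.search(rf'commit\s*=\s*"({SHA})"', text)
    return m.group(1) if m else None


def organization_yaml_pin(text: str) -> str | None:
    """Value of the assumed top-level core_ref key, or None if absent."""
    m = re.search(rf"^core_ref:\s*({SHA})\s*$", text, re.MULTILINE)
    return m.group(1) if m else None


def resolves_to(pin: str, expected: str) -> bool:
    """Stand-in for git resolution: exact SHA or an abbreviated prefix of it."""
    return expected.startswith(pin) or pin.startswith(expected)


def check_core_pins(module_text: str, org_text: str, expected_ref: str) -> list[str]:
    """Return the blockers a strict preflight would raise; an empty list is green."""
    pins = {"MODULE.bazel": module_bazel_pin(module_text),
            "config/organization.yaml": organization_yaml_pin(org_text)}
    blockers = [f"{name}: no core pin found" for name, pin in pins.items() if pin is None]
    found = {name: pin for name, pin in pins.items() if pin is not None}
    # Rule 1: the two surfaces must agree with each other.
    if len(found) == 2 and len(set(found.values())) != 1:
        blockers.append("MODULE.bazel and config/organization.yaml disagree: "
                        + ", ".join(f"{n}={p}" for n, p in found.items()))
    # Rule 2: every pin must resolve to the selected core ref.
    for name, pin in found.items():
        if not resolves_to(pin, expected_ref):
            blockers.append(f"{name} pin {pin} does not resolve to selected core {expected_ref}")
    return blockers
```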
Adjacent Workstreams To Monitor
| Surface | Why It Matters | Current Observation |
|---|---|---|
| tinyland-inc/GloriousFlywheel#420 | Core guard and overlay boundary | Merged; destructive ARC cleanup remains guarded |
| tinyland-inc/GloriousFlywheel#419 | Public alpha export mirror | Merged; default-branch proof package is green, but direct visibility remains blocked by the visibility gate |
| tinyland-inc/GloriousFlywheel#421 | Overlay authority tracker | Closed after TIN-568 and the Jess six-release state rehome; keep as historical authority proof |
| tinyland-inc/GloriousFlywheel#412 | Package compatibility retirement | Open; lanes are Jess-overlay-owned quarantine, but retirement still needs owner-boundary/shared-scope design |
| tinyland-inc/GloriousFlywheel#426 | Tubebrain listener placement | Closed after the April 26 placement cleanup; keep only as historical evidence for avoiding bumble listener drift |
| tinyland-inc/GloriousFlywheel#433 | Attic public-key drift | Closed after the April 26 Attic public-read/key authority cleanup |
| tinyland-inc/GloriousFlywheel#438 | MassageIthaca Docker-capable access | Closed after the Docker-capable MassageIthaca shared-runner proof; keep as historical evidence, not active runner taxonomy |
| tinyland-inc/GloriousFlywheel#444 | Docker placement and ARC deploy lane | Merged; stateless Docker relief belongs on sting, but ARC plan/apply stays honey-bound until kube-API reachability is proved |
| tinyland-inc/GloriousFlywheel#445 | Hygiene validation contract | Merged; bounded `just check`, explicit full validation, repo-owned OpenTofu wrapper, and updated runtime audit hooks |
| tinyland-inc/tinyland-infra#2 | Tinyland overlay authority PR | Merged at 4b31f6ddf12033cbe52e2e7192649295cf2bc473; strict preflight passes against selected core 637b7167c400 |
| Jesssullivan/jesssullivan-infra#4 | Jess core-pin refresh | Merged at 0c6490048be94806f612f4cbf5903a7a3b44d91a; strict preflight passes with only the expected personal-boundary warning |
| TIN-550 / Dell-7810 | Personal-account shared-lane proof | Downstream beneficiary only; no Dell labels and no coupling to source-repo dogfood integrity |
| TIN-557 / package remote-cache minisprint | Cache consumer pressure | Keep package repos cache-first without runner taxonomy drift |
| TIN-553 / GitLab compatibility drift | Legacy forge examples | Must not reintroduce stale cache endpoints or raw Bazel teaching |
| TIN-480 / blahaj app deploy stacks | App K8s authority | Real Honey app stacks live here; do not duplicate them in overlays |
| TIN-72 / tailnet-acl | Tailnet cluster identity | Dirty local branch includes generated and Tofu work; treat as separate authority |
| TIN-404 / elders.tinyland.dev | CNPG storage-class reality | Clean repo with Honey/Civo overlays; watch for storage-class falsehoods |
Adjacent Repo Review Notes
- `blahaj` has the densest nearby OpenTofu surface and owns app deployment stacks such as `acuity-middleware` and `massageithaca`. The overlay work should consume shared cluster facts from this reality instead of creating app deployment stacks inside the runner overlay repos.
- `MassageIthaca` is currently a consumer-side repo in this pass. Its local checkout has package/tooling changes and no Tofu/K8s authority in the quick scan.
- `Dell-7810` and `XoxdWM` are shared-lane reachability consumers. They are proof surfaces for enrollment, not reasons to mint repo-shaped labels.
- `jesssullivan-infra` is the personal-account overlay authority. Its initial overlay PR, core-pin refresh, and ARC deploy pin have merged, and validation is green after GitHub App registration, cache/auth fixes, state rehome, and apply. The remaining work is capacity policy and compatibility-lane retirement, not "can it start".
- `ci-templates` is the compatibility surface to watch for resolver and cache contract drift.
- `Fuzzy`, `tailnet-acl`, and `observability` have substantial local infra or cluster-adjacent work in progress. Do not mix their dirty local changes into the overlay authority PRs.
Validation Already Run
Tinyland overlay:

```sh
python3 scripts/validate-overlay-runner-taxonomy.py tofu/stacks/arc-runners/tinyland.tfvars
nix develop ../GloriousFlywheel-infra-overlays -c just check
```

Jess overlay:

```sh
python3 scripts/validate-overlay-runner-taxonomy.py --allow-repo-registration-anchor tofu/stacks/arc-runners/jesssullivan.tfvars
nix develop ../GloriousFlywheel-infra-overlays -c just check
```

Both overlays also passed Justfile formatting, workflow YAML parsing, `git diff --check`, and a secret-pattern scan.

Enrollment preflight:

```sh
GF_CORE_PATH=/Users/jess/git/GloriousFlywheel-infra-overlays just enrollment-preflight
```
Current validation result:
- GloriousFlywheel core: main is green at `8e46bf2b847a60f9f7672960a6e3be40df5d32af` after PR #470, with `Validate`, `Secret Detection`, `Tranche Proof Status`, `Deploy Docs`, `Publish to FlakeHub`, `Source Bazel Proof`, and `Platform Proof` passing.
- Runtime audit: `just arc-runtime-audit` on 2026-04-28 found ARC listeners Running on `sting`, no active runner job pods at the audit instant, and no CPU/RAM pressure signal on `bumble`, `honey`, or `sting`. TIN-620 later closed after PR #484 / PR #485 added repeatable runtime and network continuity classification coverage, and the stale Jess overlay push check resolved green on run attempt 3. Future lost-runner incidents should start from `just arc-runtime-audit`, `just arc-listener-queue-drift`, and `just arc-network-continuity-audit` instead of inherited assumptions.
- Tinyland overlay: PR #2 is merged, pins selected core `637b7167c400a842cdc7af0709b2251c0542a48a`, and strict preflight passes with 0 blockers / 0 warnings.
- Jess overlay: PR #13 pinned the deploy workflow to the selected GloriousFlywheel authority commit, the adopted release apply succeeded, and the follow-up plan was no-op. Strict preflight passes with 0 blockers / 1 expected warning for the private personal-boundary repository registration anchor.
- Remaining blockers are no longer "overlay cannot start", "stable pin promotion", or "live state rehome". They are compatibility-lane retirement and capacity policy across owner-distinct scale sets.