GloriousFlywheel Post 209 PR Slice Map 2026-04-16

Snapshot date: 2026-04-16

Purpose

Turn the large local post-#209 worktree into a small number of reviewable PR lanes.

GitHub owner surfaces:

  • follow-on slices after merged PR #209
  • adjacent planning issues #210, #211, #212
  • runner hygiene issue #213
  • runner memory-envelope issue #214
  • publication-boundary issue #215

Use README.md in this directory for the broader note inventory. Use gloriousflywheel-cleanup-structure-2026-04-17.md for the current workstream-level cleanup structure after the large local slice wave landed.

Current Dirty-Worktree Shape

Local file counts from git status --short on 2026-04-16:

  • 49 changed or untracked app/ paths
  • 34 changed or untracked operator/runtime paths across .github, Justfile, config/, scripts/, tofu/, README.md, and .env.example
  • 46 untracked docs/research/ notes

This is too large to treat as one follow-on PR.
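
The three counts above come from bucketing `git status --short` by path prefix. The script below is an added example (not a script from the repo) that does that bucketing for whatever porcelain output is on stdin; the lane rules mirror the directories named in the counts, and anything outside them (for example docs/ paths outside docs/research/) lands in "other" rather than being dropped silently. The sample status block is constructed for the example and is not the real worktree.

```shell
#!/bin/sh
# Bucket `git status --short` output into the lanes this note counts:
# app/, operator/runtime paths, docs/research/ notes, and "other" for the rest.

# Constructed sample of porcelain short output, not the real worktree.
SAMPLE_STATUS=' M app/src/hooks.server.ts
?? app/src/lib/server/control-audit.ts
 M Justfile
?? config/backends/dev.hcl
 M scripts/tofu-preflight.sh
 M tofu/stacks/arc-runners/backend.tf
?? docs/research/example-note.md
 M README.md
?? .env.example
 M docs/infrastructure/quick-start.md
R  scripts/old.sh -> scripts/lib/config.sh'

# Map one repo path to its lane.
classify_path() {
  case "$1" in
    app/*) echo app ;;
    docs/research/*) echo research ;;
    .github/*|Justfile|config/*|scripts/*|tofu/*|README.md|.env.example) echo operator ;;
    *) echo other ;;
  esac
}

# Extract the path from one porcelain line: "XY PATH" or "XY OLD -> NEW".
# For renames the new path is what will be reviewed, so keep that side.
porcelain_path() {
  p=${1#???}
  printf '%s\n' "${p##* -> }"
}

# Count the stdin paths that fall in the given lane.
count_bucket() {
  want=$1
  n=0
  while IFS= read -r line; do
    [ -n "$line" ] || continue
    if [ "$(classify_path "$(porcelain_path "$line")")" = "$want" ]; then
      n=$((n + 1))
    fi
  done
  echo "$n"
}

# Print one count per lane for the porcelain on stdin.
summarize() {
  input=$(cat)
  for lane in app operator research other; do
    printf '%-9s %s\n' "$lane" "$(printf '%s\n' "$input" | count_bucket "$lane")"
  done
}

printf '%s\n' "$SAMPLE_STATUS" | summarize
# On a real checkout: git status --short | summarize
```

Run it against the real tree with `git status --short | summarize`; the "other" line is the check that the three headline counts actually cover the whole dirty worktree.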

Proposed Reviewable Slices

Slice 1: Backend And Operator Path

Primary goal:

  • package the real post-#209 backend-authority and local-operator path work

Primary files:

  • Justfile
  • .env.example
  • config/backend.http.example.hcl
  • config/organization.example.yaml
  • config/backends/*
  • scripts/tofu-preflight.sh
  • scripts/scaffold-backend-config.sh
  • scripts/lib/config.sh
  • scripts/validate-org-config.sh
  • tofu/stacks/*/backend.tf
  • tofu/stacks/*/terraform.tfvars.example
  • tofu/stacks/*/Justfile
  • docs/infrastructure/quick-start.md
  • docs/getting-started-guide.md
  • docs/infrastructure/cluster-access.md
  • docs/infrastructure/clusters-and-environments.md
  • docs/infrastructure/proxy-and-access.md
  • docs/reference/config-reference.md
  • docs/reference/justfile-commands.md
  • docs/infrastructure/customization-guide.md

Why it should go first:

  • this is the remaining execution blocker for real local rollout convergence
  • it is the cleanest follow-on to merged PR #209

Slice 2: Dashboard Auth, Policy, And Audit

Primary goal:

  • package the tailnet-first auth model, permission boundaries, and admin audit surface into one reviewable app slice

Primary files:

  • app/src/hooks.server.ts
  • app/src/lib/server/auth/*
  • app/src/lib/server/control-audit.ts
  • app/src/lib/server/db/migrate.ts
  • app/src/routes/api/auth/*
  • app/src/routes/api/control/*
  • app/src/routes/api/gitops/*
  • app/src/routes/api/runners/*
  • app/src/routes/auth/*
  • app/src/routes/gitops/*
  • app/src/routes/runners/*
  • app/src/routes/settings/*
  • app/src/lib/components/auth/*
  • docs/dashboard/overview.md
  • docs/infrastructure/gitlab-oauth.md

Why it should stay separate:

  • it is a large app-and-policy change set
  • it is conceptually independent from backend-init authority

Slice 3: Dogfood And Shared Runner Contract

Primary goal:

  • package the explicit Nix-bootstrap and acceleration-vs-publication contract in composite actions, workflows, and public downstream docs
  • package repo-owned dogfood beta validation so post-deploy checks stop depending on billing-sensitive GitHub-hosted jobs where the self-hosted lane is already healthy
  • package any platform-owned runner hygiene or workspace-lifecycle fixes that affect downstream checkout reliability before repo code runs

Primary files:

  • .github/actions/nix-job/action.yml
  • .github/actions/setup-flywheel/action.yml
  • .github/actions/docker-job/action.yml
  • .github/workflows/test-arc-runners.yml
  • tofu/modules/arc-runner/locals.tf
  • docs/runners/github-actions.md
  • docs/runners/nix-builds.md
  • docs/runners/runner-selection.md
  • docs/runners/self-service-enrollment.md
  • docs/runners/downstream-migration-checklist.md
  • docs/guides/github-app-adoption.md
  • docs/guides/cross-forge-ci.md
  • docs/reference/environment-variables.md

Why it is its own slice:

  • this is now a coherent public contract and dogfood lane
  • it should not be buried inside the backend or dashboard PRs
  • current downstream evidence now also shows platform-owned runner workspace hygiene belongs here because checkout can fail before downstream repo code runs
  • current downstream evidence also shows runner memory-envelope and placement clarity belongs here because pod-level limits can contradict operator intuition from cluster-wide capacity
  • current dogfood evidence now also shows a repo-owned lane can be healthy while hosted ubuntu-latest beta jobs still create false blocker signals

Slice 4: PM And Research Surface

Primary goal:

  • preserve the research trail while collapsing stale PM language and keeping only the notes that still help execute

Primary files:

  • docs/research/gloriousflywheel-program-surface-2026-04-15.md
  • docs/research/gloriousflywheel-milestone-execution-matrix-2026-04-15.md
  • docs/research/gloriousflywheel-convergence-slice-plan-2026-04-16.md
  • docs/research/gloriousflywheel-honey-onprem-rollout-2026-04-16.md
  • targeted supporting notes that are still actively referenced

Why it should be last:

  • it is useful, but it does not unblock runtime behavior
  • it becomes cleaner after the executable slices are separated

Proposed Landing Order

  1. Slice 1: backend and operator path
  2. Slice 2: dashboard auth, policy, and audit
  3. Slice 3: dogfood and shared runner contract
  4. Slice 4: PM and research surface

Current Slice 1 Reality

Local Slice 1 checks on 2026-04-16 now have a real backend/state read instead of scaffold placeholders:

  • ENV=dev just tofu-state-audit confirms archived tinyland/gf-overlay (project_id 79706605) still owns attic-dev and arc-runners-dev
  • the same audit confirms runner-dashboard-dev and gitlab-runners-dev do not exist there
  • ENV=dev just tofu-preflight arc-runners passes
  • ENV=dev just tofu-init arc-runners passes against the real legacy state
  • ENV=dev just tofu-plan arc-runners now produces a truthful convergence plan rather than a bogus greenfield create

Current arc-runners plan truth:

  • create tinyland-nix-heavy
  • update the baseline runtime so tinyland-nix and tinyland-docker carry the normalized cache env from repo-owned policy
  • preserve live ARC 0.14.0 instead of downgrading back to the old 0.13.1 pin
  • stop trying to recreate Longhorn from the runner stack on honey
  • stop assuming a GHCR pull secret by default because the live honey ARC lanes currently do not use imagePullSecrets
  • clean up stale imagePullSecrets values still recorded in Helm release state for the controller and runner sets

Execution result from the real legacy-state plan:

  • apply completed successfully on 2026-04-16
  • tinyland-nix-heavy is now live
  • baseline tinyland-nix and tinyland-docker now carry the normalized cache env
  • ARC remains on live 0.14.0
  • stale imagePullSecrets drift is cleared from the repo-owned lanes

So Slice 1 is no longer blocked on repo-owned arc-runners runtime drift. It is now blocked on narrower state convergence decisions:

  • how to handle stacks that do not have surviving legacy GitLab state
  • how to separate repo-owned ARC lanes from personal ARC lanes that coexist on honey but are not part of baseline GloriousFlywheel policy

Current arc-runners operator-path refinement:

  • the local root recipes now include the committed dev-policy.tfvars and dev-extra-runner-sets.tfvars surfaces for arc-runners, not just dev.tfvars
  • that means additive lanes like tinyland-nix-heavy are now part of the real local operator path instead of only existing in docs and CI-oriented notes
  • the real legacy-state plan against honey now shows tinyland-nix-heavy as a clean create delta on top of live ARC state
  • the remaining local rollout blockers are state drift choices, not missing bootstrap plumbing

Operator audit improvement now in-repo:

  • just tofu-backend-audit summarizes backend mode, backend ref, and first blocker across all four active stacks
  • just tofu-state-audit now checks the known legacy GitLab state paths directly instead of relying on a broken project-level list endpoint
  • this gives Slice 1 one stable command surface for local truthing instead of ad hoc single-stack checks
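
The state-audit result above (legacy project 79706605 owns attic-dev and arc-runners-dev, and runner-dashboard-dev and gitlab-runners-dev do not exist there) and the "check known state paths directly" approach both reduce to one move: GET each expected state name at the address a GitLab HTTP backend block would use, and read the status code instead of trusting a list call. The script below is an added illustration of that probe, not the repo's `just tofu-state-audit` recipe. It assumes the state names match the stack names used in this note, that a token is supplied in GITLAB_TOKEN, and that GITLAB_HOST defaults to gitlab.com; the per-state endpoint `/api/v4/projects/:id/terraform/state/:name` is GitLab's documented backend address. Authentication failures are kept distinct from 404 so a bad token is never recorded as "state absent".

```shell
#!/bin/sh
# Direct per-state probe of a GitLab-managed Terraform/OpenTofu HTTP backend.
# Each expected state is fetched at the backend address itself; the HTTP
# status is the audit result, with auth failures kept separate from "absent".

GITLAB_HOST=${GITLAB_HOST:-https://gitlab.com}
LEGACY_PROJECT_ID=${LEGACY_PROJECT_ID:-79706605}   # archived tinyland/gf-overlay, per the note
# State names assumed to match the -dev stack names used in this note.
LEGACY_STATES="attic-dev arc-runners-dev runner-dashboard-dev gitlab-runners-dev"

# Backend address of one named state in the GitLab HTTP state API.
legacy_state_url() {
  printf '%s/api/v4/projects/%s/terraform/state/%s\n' \
    "$GITLAB_HOST" "$LEGACY_PROJECT_ID" "$1"
}

# Turn the status of a GET on that address into an audit verdict.
classify_state_status() {
  case "$1" in
    200) echo present ;;
    404) echo absent ;;
    401|403) echo unauthorized ;;   # token problem, says nothing about the state
    *) echo "error:$1" ;;
  esac
}

# Probe one state over the network; needs GITLAB_TOKEN (api scope).
# A transport failure yields "error:000" rather than aborting the audit.
probe_state() {
  code=$(curl -s -o /dev/null -w '%{http_code}' \
    -H "PRIVATE-TOKEN: $GITLAB_TOKEN" "$(legacy_state_url "$1")") || code=000
  classify_state_status "$code"
}

# One line per expected state; non-zero exit if any probe was inconclusive,
# so a CI step cannot pass on an expired token.
audit_legacy_states() {
  rc=0
  for name in $LEGACY_STATES; do
    verdict=$(probe_state "$name")
    printf '%-22s %s\n' "$name" "$verdict"
    case "$verdict" in present|absent) ;; *) rc=1 ;; esac
  done
  return $rc
}

# Only touch the network when a token is supplied; the helpers run offline.
if [ -n "${GITLAB_TOKEN:-}" ]; then
  audit_legacy_states
fi
```

With a valid token the expected output for the snapshot above is two `present` lines (attic-dev, arc-runners-dev) and two `absent` lines; any `unauthorized` or `error:` line is a reason to stop and fix the token or host before drawing conclusions about state ownership.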

Acceptance Criteria

  • no follow-on PR tries to carry all post-#209 work at once
  • backend/operator path gets a dedicated reviewable lane
  • dashboard auth/policy work is not mixed with operator bootstrap refactors
  • dogfood/public runner-contract work is readable as a standalone change
  • PM docs reflect merged #209 reality and point at the new slices
