feat(deploy/atomicassets): aa-feed service + persistence:full (Phase 2 Slice C)#11
Conversation
…2 Slice C) - wormdb.json: store.persistence none -> full, so the live overlay (the SHiP feed's forward overrides + add-sets + checkpoint) is WAL-backed and survives a wormdb-aa restart instead of being lost. - docker-compose: mount a named volume (aa-wormdb-data) at /var/lib/wormdb for that WAL/snapshot; add a curl healthcheck on wormdb-aa; add the `aa-feed` service (profile "feed"/"all") that builds the bun feed (../../../../wormdb/apps/bun Dockerfile.feed), waits for wormdb-aa healthy, and EXECs into wormdb-aa:6389 from a nodeos SHiP (host.docker.internal:28080) with a per-block checkpoint. Run the live stack with `docker compose --profile all up` (state + feed). FEED_START defaults to the snapshot block; on a node whose SHiP retention starts later the feed clamps to the available range (a backfill gap the H-tier covers in Phase 3). Validated live on Jungle 4: aa-feed tracks LIB (0 behind); restarting wormdb-aa replays the WAL (40974 records) and the feed resumes from the persisted checkpoint.
![gemini-code-assist[bot]](https://avatars.githubusercontent.com/in/956858?s=60&v=4){kind=small}
There was a problem hiding this comment.
Code Review
This pull request updates the Atomic Assets deployment configuration to enable full persistence for wormdb and introduces a new aa-feed service along with a healthcheck for wormdb-aa. Feedback on these changes highlights a potential path error in the build context for aa-feed, suggests using 127.0.0.1 instead of localhost in the healthcheck to prevent IPv6 resolution issues, and warns about security risks associated with leaving authentication disabled in non-development environments.
Important
The consumer version of Gemini Code Assist on GitHub is being sunset. Starting June 18, 2026, new organization installations will be blocked, and all code review activity will officially cease on July 17, 2026.
For more details on the timeline and next steps, please review the Help Documentation.
| # from the wormdb bun app; EXECs aa_mint/aa_transfer/aa_burn over WormWire into wormdb-aa:6389. | ||
| aa-feed: | ||
| build: | ||
| context: ../../../../wormdb/apps/bun |
There was a problem hiding this comment.
The relative path ../../../../wormdb/apps/bun goes 4 levels up from deploy/atomicassets/docker-compose.yml, which points to the grandparent directory of the repository root. If wormdb is cloned as a sibling to this repository, the correct path to the sibling directory should be 3 levels up: ../../../wormdb/apps/bun.
context: ../../../wormdb/apps/bun| profiles: ["state", "all"] | ||
| healthcheck: | ||
| # the bun feed (aa-feed) waits on this; the wormdb image ships curl, so probe the HTTP gateway. | ||
| test: ["CMD-SHELL", "curl -fsS http://localhost:6390/atomicassets/v1/config >/dev/null || exit 1"] |
There was a problem hiding this comment.
Using localhost in the healthcheck command can sometimes cause issues in environments where localhost resolves to the IPv6 loopback address (::1) first, while the service is only listening on IPv4 (127.0.0.1). Using 127.0.0.1 explicitly is more robust and avoids potential IPv6 resolution delays or failures.
test: ["CMD-SHELL", "curl -fsS http://127.0.0.1:6390/atomicassets/v1/config >/dev/null || exit 1"]| "store": { "persistence": "full" }, | ||
| "server": { "port": 6389 }, | ||
| "gateway": { "enabled": true, "port": 6390 }, | ||
| "auth": { "require_auth": false } |
There was a problem hiding this comment.
Setting "require_auth": false allows any container or service on the shared Docker network (aa-stack) to connect to the WormWire port (6389) and execute privileged commands (such as aa_mint, aa_transfer, aa_burn) without authentication. While acceptable for local development and testing, ensure that authentication is enabled (require_auth: true) with strong credentials in any production or non-loopback environments.
There was a problem hiding this comment.
Pull request overview
Adds Phase 2 “Slice C” deploy updates for the AtomicAssets live stack by making the WormDB overlay durable (WAL-backed) and introducing a managed SHiP feed service that resumes from a persisted checkpoint across restarts.
Changes:
- Switch WormDB store persistence from
nonetofullto persist the overlay/checkpoint acrosswormdb-aarestarts. - Add a dedicated named volume mounted at
/var/lib/wormdbto store WAL/snapshots for persistence. - Add a
wormdb-aahealthcheck and a newaa-feedservice (profiled) that waits for WormDB readiness and streams SHiP updates into WormWire.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| deploy/atomicassets/wormdb.json | Enables durable persistence for the WormDB store/overlay. |
| deploy/atomicassets/docker-compose.yml | Adds persistent storage, healthcheck gating, and an aa-feed service to keep the overlay live. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
| # from the wormdb bun app; EXECs aa_mint/aa_transfer/aa_burn over WormWire into wormdb-aa:6389. | ||
| aa-feed: | ||
| build: | ||
| context: ../../../../wormdb/apps/bun |
![chatgpt-codex-connector[bot]](https://avatars.githubusercontent.com/in/1144995?s=60&v=4){kind=small}
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 8186e68a2f
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
| # from the wormdb bun app; EXECs aa_mint/aa_transfer/aa_burn over WormWire into wormdb-aa:6389. | ||
| aa-feed: | ||
| build: | ||
| context: ../../../../wormdb/apps/bun |
There was a problem hiding this comment.
In a normal Unix/WSL checkout like /workspace/hyperion-tools, Compose resolves this relative context from deploy/atomicassets, so ../../../../wormdb/apps/bun points at /wormdb/apps/bun instead of the sibling repo location /workspace/wormdb/apps/bun implied by the existing four-repo sibling layout. That makes docker compose --profile all up --build fail before the live stack can start unless a nonstandard /wormdb checkout exists; this should only walk up to the workspace parent, e.g. ../../../wormdb/apps/bun.
Useful? React with 👍 / 👎.
|
Addressed (and CI stays green):
|
…althcheck (PR #11 review) - aa-feed build context: the hardcoded ../../../../wormdb assumed this repo's local nesting; parameterize as ${WORMDB_DIR:-../../../wormdb}/apps/bun (default = wormdb as a SIBLING of this repo, the common layout) + document WORMDB_DIR + FEED_START in .env.example. - wormdb-aa healthcheck: localhost -> 127.0.0.1 (avoid an IPv6 ::1 resolution that the IPv4-only listener wouldn't answer).
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 40a1f2a629
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
| wormdb-aa: | ||
| condition: service_healthy | ||
| networks: [aa-stack] | ||
| profiles: ["feed", "all"] |
There was a problem hiding this comment.
When the new feed profile is enabled by itself (for example, docker compose --profile feed up to attach the live feed after the state stack already exists), Compose includes aa-feed but ignores wormdb-aa because it only has state/all profiles. Docker's profiles reference says services whose profiles do not match are ignored and that references to ignored services do not automatically enable them, so this depends_on target makes the feed profile invalid instead of starting the feed. Add a matching profile to the dependency chain or avoid exposing feed as a standalone profile.
Useful? React with 👍 / 👎.
|
Fixed — Validated with Usage (documented in the compose comment): |
…eview) aa-feed depends_on wormdb-aa, which is in state/all. A standalone `--profile feed` project would include aa-feed but ignore wormdb-aa (per Docker's profiles rules: ignored services aren't auto-enabled by a depends_on reference), making the project invalid. Adding "feed" to the whole dependency chain (wormdb-aa -> aa-loader -> mongodb) would just make "feed" == "all". So drop the standalone "feed" profile: aa-feed is in "all" only. Run the live stack: `docker compose --profile all up`. Attach just the feed to a running state stack: `docker compose --profile all up -d aa-feed` (named service → deps resolve without restarting them). Static snapshot only: `--profile state up`.
Phase 2, Slice C (deploy half) — make the live feed a managed service + durable. Pairs with https://github.com/igorls/wormdb/pull/21 (Dockerfile.feed + start clamp).
wormdb.json:store.persistencenone→full— the overlay (forward overrides + add-sets + the feed checkpoint) is WAL-backed and survives awormdb-aarestart.aa-wormdb-dataat/var/lib/wormdbfor that WAL/snapshot; acurlhealthcheck onwormdb-aa; theaa-feedservice (profilefeed/all) that builds the bun feed, waits forwormdb-aahealthy, and EXECs intowormdb-aa:6389from the Jungle 4 SHiP (host.docker.internal:28080).Run the live stack:
docker compose --profile all up.FEED_STARTdefaults to the snapshot block; the feed clamps to the node's SHiP range if it starts later (backfill gap → Phase 3).Validated live on Jungle 4:
aa-feedtracks LIB (0 behind); restartingwormdb-aareplays the WAL (40974 records) and the feed resumes from the persisted checkpoint — snapshot→live continuity holds across restarts.