Add jl4-service NixOS module with Thailand cosmetics orchestrator #849
Merged
Bring up jl4-service (the multi-tenant successor to jl4-decision-service) as a NixOS-deployed service with nginx reverse proxy at /service/.

New jl4-service Nix module features:
- Systemd service with DynamicUser sandboxing
- Pre-seed mechanism: bundles option copies L4 files into the persistent store on first boot, compiled eagerly on startup
- CBOR cache for fast restarts after initial compilation

Thailand cosmetics Article 41 tribrid ruleset:
- Three-tier evaluation (category-specific, manual-specific, core Act)
- 26 product categories with Do/Don't rules from the Manual (BE 2567)
- @export annotations on evaluate sub-claim (default) and evaluate full statement for decision service discovery
- Prelude symlink for import resolution

Also adds thailand-cosmetics to jl4-decision-service sourcePaths (Dockerfile, dev-start.sh, docker-compose, Nix config) for the legacy service path.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Pre-seeds the classic L4 examples alongside thailand-cosmetics so jl4-service boots with the same functions available as the legacy jl4-decision-service. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
The jl4-decision-service had compute_qualifies, vermin_and_rodent, and the_answer as inline Haskell string literals in Examples.hs. Extract them as proper .l4 files with @export annotations so jl4-service can discover and serve them from the classic bundle. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
This change fixes the resolvconf signature mismatch issue that caused network-setup.service to fail after manual DNS edits. systemd-networkd with systemd-resolved provides more predictable DNS management and avoids the fragile resolvconf signature checking. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
The service was failing with status=226/NAMESPACE because systemd tried to mount /var/lib/private/jl4-service/store before the preseed script could create it. With DynamicUser=true, StateDirectory already provides write access to the state directory and all subdirectories, making ReadWritePaths redundant and problematic. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
…osmetics

Replace the static tribrid rule engine with the full orchestrator that calls Claude API for category detection and predicate evaluation, then runs the three-tier regulatory logic.

Adds EnvironmentFile support for ANTHROPIC_API_KEY and nye SSH key for staging access.

Bundle now includes: orchestrator.l4, anthropicClient.l4, promptLibrary.l4 (51 prompts across 3 tiers).

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Add "-" prefix to EnvironmentFile path so systemd continues startup even if the .env file doesn't exist yet. This prevents deployment failures on fresh systems while still loading secrets when present. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
The orchestrator makes ~20 sequential Claude API calls which exceeds the default 60s timeout. Also fix nginx proxy_read_timeout to match. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
…ache

- Replace prelude.l4 symlink with actual file so nix store derivation includes the real content (symlinks break in sandboxed builds)
- Add SHA-256 hash check to pre-seed script: when source files change between deploys, the old bundle (including CBOR cache) is wiped and re-seeded, ensuring the service always compiles the latest sources

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
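The commit above describes the pre-seed hash check only in outline. The script below is an added example written for this page, not the PR's own pre-seed script: it digests the whole bundle source (paths and contents, so renames count), compares the digest with the one recorded at the last seed, and on mismatch wipes the seeded store, cache included, before copying fresh sources. The directory layout (`<state-dir>/store` for the seeded bundle, `<state-dir>/bundle.sha256` for the recorded digest) and the use of a read-only Nix store path as the source are assumptions, not details taken from the PR.

```shell
#!/bin/sh
# Added example: pre-seed with SHA-256 change detection (not the PR's script).
# Assumed layout:
#   $1 = read-only bundle source (for instance a Nix store path)
#   $2 = writable state directory (the unit's systemd StateDirectory)
#   $2/store         = seeded bundle the service compiles and caches into
#   $2/bundle.sha256 = digest recorded at the last successful seed
set -eu

# Portable SHA-256 over stdin: sha256sum on Linux, shasum elsewhere.
sha256_stdin() {
    {
        if command -v sha256sum >/dev/null 2>&1; then
            sha256sum
        else
            shasum -a 256
        fi
    } | cut -d' ' -f1
}

# One digest for the whole bundle: relative paths and contents in sorted
# order, so adding, renaming, or editing any file (prelude.l4 included)
# changes the result.
bundle_digest() {
    (
        cd "$1"
        find . -type f | LC_ALL=C sort | while IFS= read -r f; do
            printf '%s\n' "$f"
            cat "$f"
        done
    ) | sha256_stdin
}

# Seed $state/store from $src when the store is missing or stale.
# Prints "unchanged" or "seeded" so a caller or test can see the decision.
preseed() {
    src="$1"
    state="$2"
    current="$(bundle_digest "$src")"
    stored=""
    if [ -f "$state/bundle.sha256" ]; then
        stored="$(cat "$state/bundle.sha256")"
    fi
    if [ -d "$state/store" ] && [ "$stored" = "$current" ]; then
        echo unchanged
        return 0
    fi
    # Stale or first boot: drop the old bundle together with any cache the
    # service wrote inside it, copy the fresh sources, then record the digest
    # last so an interrupted seed is simply redone on the next start.
    rm -rf "$state/store"
    mkdir -p "$state/store"
    cp -R "$src/." "$state/store/"
    # A Nix store source is read-only; restore user write so the service can
    # write its cache and a future re-seed can remove the tree.
    chmod -R u+w "$state/store"
    printf '%s\n' "$current" > "$state/bundle.sha256"
    echo seeded
}

# Stand-alone use: preseed.sh <bundle-src> <state-dir>
if [ -n "${1:-}" ] && [ -n "${2:-}" ]; then
    preseed "$1" "$2"
fi
```

Run it as an ExecStartPre step of the unit with the bundle path and the StateDirectory as arguments. Because it only writes under the state directory, it needs no ReadWritePaths entry under DynamicUser, which matches the NAMESPACE fix described in this PR; recording the digest after the copy rather than before means a crash mid-seed leaves a mismatched digest and the next start re-seeds instead of serving a half-copied bundle.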
The orchestrator expects JSON: {"verdict": true, "confidence": 85, "reasoning": "..."}
But prompts were asking for text: "YES/NO, Confidence: X%, Reasoning: ..."
This caused JSONDECODE to fail, returning LEFT err, which isViolation
treated as FALSE - making all tests appear to pass.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Summary

.l4 files

Key Features

- jl4-service
- jl4/experiments/ at startup
- Thailand Cosmetics Orchestrator

Test plan

- /service/deployments returns classic and thailand-cosmetics
- evaluateClaim with violating claim - correctly returns PROHIBITED with 9 violations

🤖 Generated with Claude Code