docs(deployment-spec): NOETL_SIDE_EFFECT_BARRIER env var (#104 Phase E)
docs(deployment-spec): NOETL_RESULT_TIER_DR env var (#104 Phase F)
docs(deployment-spec): result-tier flags incl. Phase D mint-authoritative (#104)
docs(deploy-spec): off-server state builder shadow env vars + metrics (RFC #115 Phase 4)
NOETL_STATE_BUILDER_SHADOW (+ _STREAM/_BATCH/_TIMEOUT_MS/_IDLE_SLEEP_MS) and the
noetl_worker_state_builder_* metrics (wal_events_total WAL-read proof,
event_scans_total no-scan proof, builds_total{outcome}, chain_hops). System pool
only, observation-only, default off; drive cutover staged behind the server's
NOETL_STATE_BUILDER=offserver. Lockstep with noetl/worker#118.
deployment-spec: scrape-path note — kind=VMServiceScrape vs prod=GMP PodMonitoring (the lag gauge is blind on prod without it)
deployment-spec: document materializer-lag gauge + materializer counters (CQRS #103 flip guardrail)
deployment-spec: require memory-backed /dev/shm for the Arrow IPC cache
The worker SIGBUSes (exit 135) and crash-loops when the Arrow IPC cache
(NOETL_IPC_CACHE_BUDGET_BYTES, default 256 MB) writes past the k8s default
64 MiB /dev/shm tmpfs. Document the required memory-backed /dev/shm
(emptyDir medium: Memory, sizeLimit 320Mi >= budget), the coherent
memory limit (768Mi), and the three values that must move together.
Fixed in noetl/ops#193. Tracks noetl/ai-meta#112.
docs(deployment-spec): NOETL_EVENT_RESULT_CONTEXT_MAX_BYTES (results-by-reference budget)
Refs noetl/ai-meta#101, noetl/worker#89
deployment-spec: sealed credential delivery + NOETL_SEALED_CREDENTIALS (Phase 5c)
Documents the worker-side opt-in for sealed credential responses:
NOETL_SEALED_CREDENTIALS env gate, X25519 keypair registered in the
register payload's runtime JSON blob, zeroize on the resolved bytes.
noetl/worker#58 (Secrets Wallet Phase 5c, noetl/ai-meta#61).
deployment-spec: worker mTLS client env (Phase 4b)
NOETL_TLS_CLIENT_CERT / NOETL_TLS_CLIENT_KEY (present a client cert) +
NOETL_TLS_CA (trust a private-CA server) in a Transport-security subsection;
rustls-tls backend; https NOETL_SERVER_URL note; wait-for-api init-container
mTLS caveat (Phase 4c). noetl/worker#56 (Secrets Wallet Phase 4b, noetl/ai-meta#61).
wiki: deployment-specification page (env-var catalogue + runtime contract)
New top-level page covering the deployment shape for noetl-worker:
runtime contract, NATS layout, KEDA scaling, resources, health
probes, FULL env-var catalogue with the why behind each one,
secrets handling, snowflake node-id derivation, observability,
kind-validation procedure.
Captures the existing env surface (WORKER_ID, WORKER_POOL_NAME,
WORKER_HEARTBEAT_INTERVAL, WORKER_MAX_CONCURRENT,
WORKER_METRICS_BIND, WORKER_NATS_LAG_POLL_INTERVAL,
NOETL_SERVER_URL, NATS_URL/USER/PASSWORD/STREAM/CONSUMER/SUBJECT/
FILTER_SUBJECT, NOETL_SNOWFLAKE_NODE_ID, NOETL_SHARD_ID,
NOETL_NODE_ID, NODE_NAME, NOETL_SNOWFLAKE_EPOCH_MS,
NOETL_KEYCHAIN_ENV_VARS, NOETL_IPC_CACHE_BUDGET_BYTES, HOSTNAME,
RUST_LOG). Several of these had only inline rustdoc coverage
before; this page is the durable single-source-of-truth.
Sidebar gains an "Operations" section linking the new page;
Home references it in the Pages list.
Going forward this page is the single source of truth for env
vars + ports + dependencies; any code change that touches
std::env::var or envy::from_env must update it in the same
change set per the new agents/rules/wiki-maintenance.md Rule 2a
(landing separately on ai-meta).