nyxcore-systems
5 min read

The Gatekeeper's Glitch: Unblocking Cael and Taming Production Deployments

A deep dive into fixing a critical dual-provider gate bug, navigating tricky production deployments, and the lessons learned preparing for automated CI/CD.

workflow-enginebugfixdeploymentdocker-composeci/cdproductionsshhetznertechnical-debt

Every developer knows that feeling: a critical feature isn't working as expected, and it's holding up the show. For us, it was the "dual-provider gate" – a key mechanism designed to trigger our Cael arbiter when specific conditions were met. The problem? Cael was stubbornly refusing to engage, leaving our dual-provider workflows in limbo. This past session was all about tracking down that elusive bug, pushing it live, and setting the stage for smoother, automated deployments.

The Case of the Stubborn Gate: Unlocking Cael

Our Cael arbiter is designed to step in and make intelligent decisions when our system is processing data from multiple providers simultaneously. It's a critical piece of logic, but for a specific scenario involving compareProviders.length > 1 and dualProviderAutoSelect: true, Cael was simply not getting the memo. The gate meant to open for it remained resolutely shut.

The Bug Hunt

The hunt led us deep into workflow-engine.ts, a file that orchestrates much of our system's core logic. Specifically, the culprit was found lurking around line 1292. The gate condition, which evaluates whether to trigger Cael, was missing a crucial alternative. It was looking for one set of conditions, but completely ignoring another valid path that should have opened the gate.

The Fix: The solution was elegantly simple: add || step.compareProviders.length > 1 to the existing alternatives block. This small addition told the gate, "Hey, if this other condition is met, you should also open!"

Here's a simplified illustration of the change:

typescript
// workflow-engine.ts:1292 (Illustrative snippet)

// Before: The gate was too restrictive, missing a valid trigger path.
if (step.somePrimaryCondition && step.dualProviderAutoSelect) {
    // ... proceed to Cael arbiter trigger logic ...
} else {
    // ... Cael arbiter bypassed, even when it should have triggered ...
}

// After: The gate now correctly considers dual-provider comparisons.
if ((step.somePrimaryCondition && step.dualProviderAutoSelect) || step.compareProviders.length > 1) {
    // This path now correctly triggers the Cael arbiter when dual-providers are active.
    // ... proceed to Cael arbiter trigger logic ...
} else {
    // ... Cael arbiter bypassed ...
}

With this change, committed as 1cfbad0 ("Fix dual-provider gate: include compareProviders in alternatives condition"), we were ready to deploy. The expectation was clear: the next workflow with compareProviders.length > 1 and dualProviderAutoSelect: true would finally trigger our Cael arbiter as intended.

The Deployment Gauntlet: Lessons from Production

Fixing the bug was one thing; getting it safely to production was another. Our current setup involves a manual deployment process to our Hetzner server. This session highlighted some common pitfalls and reinforced the need for automation.

Docker Compose: The Production Gotcha

My first attempt to rebuild the application on the production server (46.225.232.35) went something like this:

bash
cd /opt/nyxcore
git pull origin main
docker compose build app

Failure! no such service: app. A classic case of forgetting the subtle differences between local development and production environments. Our production setup uses a specific docker-compose.production.yml file, not the default docker-compose.yml.

Lesson Learned: Always explicitly specify your production Compose file. It's a small detail that can save significant head-scratching.

bash
docker compose -f docker-compose.production.yml build app
docker compose -f docker-compose.production.yml up -d --force-recreate

This successfully rebuilt and redeployed the application. A quick health check confirmed that both the database and Redis were healthy, and the new commit 1cfbad0 was live.

Battling SSH Rate Limiting

During the deployment, I found myself making multiple rapid SSH connections to the server – pulling logs, checking status, restarting services. After two or three quick connections, my SSH client would inexplicably drop the connection.

The Problem: Hetzner, like many cloud providers, implements SSH rate limiting to prevent brute-force attacks. Rapid, successive connections from the same IP can trigger this defense mechanism.

Workaround (and a better practice): To avoid these frustrating drops, I had to introduce deliberate pauses between SSH commands and, more importantly, combine multiple commands into a single SSH session.

bash
# Bad practice: Multiple rapid SSH sessions
ssh root@46.225.232.35 'command1'
ssh root@46.225.232.35 'command2' # Likely to drop

# Better practice: Introduce sleep, combine commands
ssh root@46.225.232.35 'command1 && sleep 5 && command2 && sleep 10 && command3'

Lesson Learned: When interacting with remote servers, especially production ones, be mindful of rate limits. Combine commands where possible, and don't be afraid to add a sleep command to prevent connection drops. It's slower, but far more reliable than constantly reconnecting.

Immediate Next Steps: Towards Automation

With the critical bug fix live and confirmed, our focus immediately shifts to preventing these manual deployment pains in the future.

  1. CI/CD Pipeline (GitHub Actions): This is top priority. Automating the build, test, and deployment process will eliminate human error, enforce consistency, and free up valuable developer time. No more docker-compose file confusion or SSH woes during deploys!
  2. Re-test Dual-Provider Workflow: We need to execute a real-world workflow on production that exercises the fixed compareProviders.length > 1 condition to ensure Cael triggers as expected.
  3. Certbot Auto-Renewal: Essential server hygiene. Ensuring our SSL certificates auto-renew prevents unexpected downtime.
  4. SSHD MaxStartups Configuration: To address the SSH connection drops more permanently, we'll look into adjusting the MaxStartups setting in the sshd_config on the server. This will give us more leeway for legitimate rapid connections without compromising security.

Conclusion

This session was a microcosm of real-world development: finding a subtle bug in complex logic, navigating the sometimes-frustrating landscape of production deployments, and learning valuable lessons along the way. Unblocking the Cael arbiter was a significant win, and the immediate next steps lay a clear path to a more robust, automated future. Every manual deployment pain is a strong argument for CI/CD, and we're excited to build that automation next.

json
{"thingsDone":[
    "Identified root cause of dual-provider gate bug in workflow-engine.ts:1292.",
    "Fixed gate condition by adding '|| step.compareProviders.length > 1'.",
    "Committed and pushed fix (1cfbad0) to main.",
    "Successfully deployed fix to production using 'docker compose -f docker-compose.production.yml'.",
    "Confirmed production health (database + redis healthy)."
],
"pains":[
    "Attempted 'docker compose build app' on production, failed due to missing 'app' service (incorrect compose file used).",
    "Experienced SSH connection drops after 2-3 rapid connections to Hetzner server (SSH rate limiting)."
],
"successes":[
    "Successfully fixed critical dual-provider gate bug.",
    "Deployed fix to production and verified its status.",
    "Identified and applied workarounds for deployment issues (correct docker-compose file, SSH command bundling/sleep).",
    "Established clear next steps for CI/CD and server maintenance."
],
"techStack":[
    "TypeScript",
    "Node.js",
    "Docker",
    "Docker Compose",
    "Hetzner (Cloud Provider)",
    "SSH",
    "Git",
    "GitHub Actions (Planned)"
]}