Deployment
Aria deploys to two environments: K3s (local) on the DGX Spark workstation and GCP Cloud Run (production). Each has its own deploy path and safety gates.
Local Deploy (K3s)
Organism Deploy (Canonical)
Use the organism script for core service deployment. It applies YAML in dependency order.
bash scripts/apply-aria-organism.sh
Targeted Image Update
# Build new image
docker build -t localhost:5000/aria-soul:tag apps/arias-soul
# Update deployment
kubectl set image deployment/aria-soul aria-soul=localhost:5000/aria-soul:tag
Image Tag Rules
Admission policies require canonical tags: localhost:5000/aria-soul:deepseek-hybrid-*. Non-conforming tags are rejected.
Production Deploy (GCP Cloud Run)
Deploy Aria Soul
gcloud run deploy arias-soul \
--image gcr.io/gifted-airway-485905-i5/arias-soul:latest \
--region us-central1 \
--platform managed \
--allow-unauthenticated
Update Environment Variables
gcloud run services update arias-soul \
--update-env-vars "ARIA_MAIN_MODEL=gemini-3.1-pro,ARIA_CASUAL_MODEL=deepseek-chat"
Website Publishing
Cloudflare Pages (Default)
# Fast wrapper
bash scripts/publish-site.sh <subdomain> <source-path> [project-name]
# Full command
bash scripts/publish-static-site-cloudflare-pages.sh \
--project <project> \
--domain <subdomain.ariasos.com> \
--source-file <path>
Preflight Checklist
- curl -I https://<domain> returns 200
- Domain serves expected content
- No dependency on local process managers
- No dependency on temporary tunnel endpoints
Deploy Safety Gates
The Harness Guard enforces admission policies on all deploy-class commands:
| Policy | What It Blocks |
|---|---|
| no-production-touch-v1 | kubectl exec into pods, destructive DB ops without token |
| admission-deploy-v1 | Deploys to hard-gated services without admission token |
| no-pipeline-touch-v1 | Edits to streamConversation.ts, nadia/*, forge-psi/* |
Rollback
# Cloud Run rollback
gcloud run services update-traffic arias-soul --to-revisions <prev-revision>=100
# K3s rollback
kubectl rollout undo deployment/aria-soul
Hard-gated services (aria-soul, manifold-service, hospital-service, immortal-*) require an explicit admission token for deployment. "yes, do it" is not sufficient.
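A local fail-fast check for the Image Tag Rules and the hard-gated service list on this page, as an added example that is not one of the project's scripts. The function names and the `ADMISSION_TOKEN` variable are hypothetical, and the check assumes the `*` in the tag pattern stands for a non-empty run of valid Docker tag characters; the cluster admission policy and the Harness Guard remain the enforcing controls.

```shell
#!/bin/sh
# Added example: local pre-check mirroring two rules stated on this page.
# It only fails fast; it does not validate the token or replace admission.

# Canonical image prefix quoted from the Image Tag Rules section.
CANONICAL_PREFIX='localhost:5000/aria-soul:deepseek-hybrid-'

# Return 0 if the image reference matches the canonical tag pattern.
is_canonical_image() {
  case $1 in
    "$CANONICAL_PREFIX"*) _suffix=${1#"$CANONICAL_PREFIX"} ;;
    *) return 1 ;;
  esac
  # Assumption: '*' means one or more valid Docker tag characters.
  case $_suffix in
    ''|*[!A-Za-z0-9_.-]*) return 1 ;;
  esac
  return 0
}

# Return 0 if the service is on the page's hard-gated list.
is_hard_gated() {
  case $1 in
    aria-soul|manifold-service|hospital-service|immortal-*) return 0 ;;
    *) return 1 ;;
  esac
}

# Print a verdict; return 0 only if a deploy may be attempted.
# ADMISSION_TOKEN is a hypothetical variable name for the admission token.
preflight() {
  if [ "$1" = "aria-soul" ] && ! is_canonical_image "$2"; then
    echo "reject: non-canonical tag: $2"; return 1
  fi
  if is_hard_gated "$1" && [ -z "${ADMISSION_TOKEN:-}" ]; then
    echo "reject: $1 is hard-gated and no admission token is set"; return 1
  fi
  echo "ok: $1 $2"
}

# Usage: sh preflight.sh <service> <image>
if [ "$#" -eq 2 ]; then
  preflight "$1" "$2"
fi
```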