Deployment

Aria deploys to two environments: K3s (local) on the DGX Spark workstation and GCP Cloud Run (production). Each has its own deploy path and safety gates.

Local Deploy (K3s)

Organism Deploy (Canonical)

Use the organism script for core service deployment. It applies YAML in dependency order.

bash scripts/apply-aria-organism.sh

Targeted Image Update

# Build new image (the tag must follow the canonical pattern in Image Tag Rules below, or admission will reject it)
docker build -t localhost:5000/aria-soul:tag apps/arias-soul

# Update the running deployment to the new image
kubectl set image deployment/aria-soul aria-soul=localhost:5000/aria-soul:tag

Image Tag Rules

Admission policies require canonical tags: localhost:5000/aria-soul:deepseek-hybrid-*. Non-conforming tags are rejected.
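As an added example (not a script from the Aria repository), a POSIX sh pre-check that mirrors the canonical-tag rule locally so a bad tag fails on the workstation instead of at the cluster's admission policy. The exact matcher the admission policy uses, the requirement of a non-empty suffix after deepseek-hybrid-, and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not part of the Aria repo. Mirrors the aria-soul image tag
# admission rule (localhost:5000/aria-soul:deepseek-hybrid-*) as a local gate.
# Assumed: the policy requires a non-empty suffix after "deepseek-hybrid-".

ARIA_IMAGE_REPO="localhost:5000/aria-soul"
ARIA_TAG_PREFIX="deepseek-hybrid-"

# aria_tag_ok IMAGE_REF -> returns 0 if the reference is canonical, 1 otherwise.
aria_tag_ok() {
    ref=$1
    case "$ref" in
        "$ARIA_IMAGE_REPO:$ARIA_TAG_PREFIX"?*)
            tag=${ref#"$ARIA_IMAGE_REPO:"}
            # Docker tags allow only [A-Za-z0-9_.-] and at most 128 characters;
            # this also rejects "@sha256:..." digests appended to the tag.
            case "$tag" in
                *[!A-Za-z0-9._-]*) return 1 ;;
            esac
            [ "${#tag}" -le 128 ] || return 1
            return 0
            ;;
        *) return 1 ;;
    esac
}

# aria_set_image TAG -> validates the full reference, then runs the targeted
# update from the docs. Set ARIA_DRY_RUN=1 to print the kubectl command instead.
aria_set_image() {
    ref="$ARIA_IMAGE_REPO:$1"
    if ! aria_tag_ok "$ref"; then
        echo "refusing non-canonical image ref: $ref" >&2
        echo "expected form: $ARIA_IMAGE_REPO:${ARIA_TAG_PREFIX}<suffix>" >&2
        return 1
    fi
    if [ "${ARIA_DRY_RUN:-0}" = 1 ]; then
        echo "kubectl set image deployment/aria-soul aria-soul=$ref"
        return 0
    fi
    kubectl set image deployment/aria-soul "aria-soul=$ref"
}

# Usage after sourcing this file:  aria_set_image deepseek-hybrid-20240601
```

Source the file in the shell used for deploys; a rejected tag exits non-zero before kubectl is invoked, so it composes with `set -e` in wrapper scripts.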

Production Deploy (GCP Cloud Run)

Deploy Aria Soul

gcloud run deploy arias-soul \
  --image gcr.io/gifted-airway-485905-i5/arias-soul:latest \
  --region us-central1 \
  --platform managed \
  --allow-unauthenticated   # service is reachable without IAM authentication (public endpoint)

Update Environment Variables

gcloud run services update arias-soul \
  --update-env-vars "ARIA_MAIN_MODEL=gemini-3.1-pro,ARIA_CASUAL_MODEL=deepseek-chat"

Website Publishing

Cloudflare Pages (Default)

# Fast wrapper
bash scripts/publish-site.sh <subdomain> <source-path> [project-name]

# Full command
bash scripts/publish-static-site-cloudflare-pages.sh \
  --project <project> \
  --domain <subdomain.ariasos.com> \
  --source-file <path>

Preflight Checklist

  1. curl -I https://<domain> returns 200
  2. Domain serves expected content
  3. No dependency on local process managers
  4. No dependency on temporary tunnel endpoints

Deploy Safety Gates

The Harness Guard enforces admission policies on all deploy-class commands:

Policy                    What It Blocks
no-production-touch-v1    kubectl exec into pods, destructive DB ops without token
admission-deploy-v1       Deploys to hard-gated services without admission token
no-pipeline-touch-v1      Edits to streamConversation.ts, nadia/*, forge-psi/*

Rollback

# Cloud Run rollback
gcloud run services update-traffic arias-soul --to-revisions <prev-revision>=100

# K3s rollback
kubectl rollout undo deployment/aria-soul

Hard-gated services (aria-soul, manifold-service, hospital-service, immortal-*) require an explicit admission token for deployment. "yes, do it" is not sufficient.