infra: isolate dev lane layer stacks

Create dedicated dev layer stacks and make platform stack references configurable so dev can move onto the foundation/dev-staging manager without sharing production layer state.

Made-with: Cursor

Author: gankoji

environments/main-dev.json

@@ -1,7 +1,7 @@
 {
   "version": 1,
   "name": "main-dev",
-  "display_name": "Main → Dev (pre-prod Swarm)",
+  "display_name": "Main -> Dev (dedicated dev Swarm)",
   "kind": "hosted",
   "status": "active",
   "repo_root": ".",
@@ -11,8 +11,8 @@
     "infra_root": "/Users/jacbaile/Workspace/MLE/RocketLeague/sprocket/infra"
   },
   "entrypoints": {
-    "web": "https://dev.app.sprocket.gg",
-    "api_graphql": "https://api.dev.app.sprocket.gg/graphql"
+    "web": "https://dev.sprocket.mlesports.gg",
+    "api_graphql": "https://api.dev.sprocket.mlesports.gg/graphql"
   },
   "topology": [
     "web",
@@ -47,7 +47,7 @@
   "safety": {
     "mutable_side_effects_require_operator_judgment": true,
     "notes": [
-      "Hosted dev shares the pre-prod Swarm; treat mutations as non-production but still bounded.",
+      "Hosted dev runs on the dedicated foundation/dev-staging manager; treat mutations as non-production but still bounded.",
       "GitHub Actions Tier 0 uses the development environment secret HARNESS_MAIN_DEV_ENV (multiline key=value file, same shape as scripts/harness/env/main-dev.env) written to a temp path and passed as the third argument to verify-lane.sh so CI can override URLs/markers without committing secrets. Operators still use the committed template for local runs."
     ]
   }

infra/README.md

@@ -112,16 +112,16 @@ Canonical mapping (Pulumi platform stack names, subdomains, and public hostnames
 | `dev` | `dev` | `dev.sprocket.mlesports.gg`, `api.dev.sprocket.mlesports.gg`, … |
 | `staging` | `staging` | `staging.sprocket.mlesports.gg`, `api.staging.sprocket.mlesports.gg`, … |
 
-Hostnames are derived in `infra/platform` from `platform:hostname` and `platform:subdomain` (`global/helpers/buildHost.ts` and `Platform.ts`). Staging uses `Pulumi.staging.yaml` on the same Swarm as dev with a different stack name so Swarm services do not collide.
+Hostnames are derived in `infra/platform` from `platform:hostname` and `platform:subdomain` (`global/helpers/buildHost.ts` and `Platform.ts`). The dev lane now uses dedicated `layer_1/dev`, `layer_2/dev`, and `platform/dev` stacks on the foundation-managed `dev-staging` node.
 ## Lane ↔ Pulumi stack map (hosted)
 
 | Lane (harness) | Environment contract | Platform stack (typical) | Notes |
 |----------------|----------------------|---------------------------|--------|
 | `main-prod` | `environments/main-prod.json` | `platform` / `prod` | Production Swarm + DO managed DB. |
-| `main-dev` | `environments/main-dev.json` | `platform` / `dev` | Pre-prod Swarm; **isolated** subdomain, DB target, Redis prefix, RabbitMQ vhost, and Swarm labels vs prod/staging. Template: `platform/Pulumi.dev.template.yaml`. Cross-ref: GitHub #672. |
+| `main-dev` | `environments/main-dev.json` | `platform` / `dev` | Dedicated dev Swarm with `layer_1/dev`, `layer_2/dev`, and `platform/dev`; isolated subdomain, DB target, Redis prefix, RabbitMQ vhost, and Swarm labels vs prod/staging. Template: `platform/Pulumi.dev.template.yaml`. Cross-ref: GitHub #672. |
 | `v15-beta` | `environments/v15-beta.json` | `platform` / stack per operator | Template: `platform/Pulumi.v15-beta.template.yaml`. |
 
-`layer_1` and `layer_2` stack names are usually `layer_1` and `layer_2` on the same manager unless a separate substrate is provisioned; confirm with `pulumi stack ls` per project before apply.
+`layer_1` and `layer_2` stack names are environment-specific when a lane has its own substrate (for example `dev` on the dedicated `dev-staging` node) and remain `layer_1` / `layer_2` on the production manager; confirm with `pulumi stack ls` per project before apply.
 
 ## GitHub Actions
 

infra/ci/README.md

@@ -97,7 +97,7 @@ Maintainers who add or rename Pulumi stacks. After `pulumi stack ls` in each pro
 
 **Execution model:** `_reusable-pulumi-deploy.yml` now computes a scope-aware plan from `git_sha`, then runs the selected stack sequence in a **single runner**. App-only commits usually touch `platform` only; lower-layer infra changes pull in the affected layer plus `platform`; shared infra / workflow changes keep the full order. When an explicit `preview` row exists immediately before an `up` row for the same stack, the apply uses `--skip-preview` to avoid paying for the same preview twice.
 
-For `dev_cd`, the reusable workflow also runs a **foundation prerequisite** against `infra/foundation` / `dev-staging` before the Swarm stacks. That foundation apply is gated so it only runs when the foundation stack has never been applied yet or when the target commit touches foundation-related inputs; otherwise the job records a skip and continues to the normal dev stack sequence.
+For `dev_cd`, the reusable workflow also runs a **foundation prerequisite** against `infra/foundation` / `dev-staging` before the Swarm stacks. Dev then applies the dedicated `layer_1/dev`, `layer_2/dev`, and `platform/dev` stacks against the dev manager host instead of sharing the production layer stacks. The foundation apply is gated so it only runs when the foundation stack has never been applied yet or when the target commit touches foundation-related inputs; otherwise the job records a skip and continues to the normal dev stack sequence.
 
 **Reusable workflow inputs (for junior devs):**
 

infra/ci/stack-map.yaml

@@ -7,12 +7,12 @@ version: 1
 
 environments:
   dev:
-    description: "Pre-prod Swarm on the main dev manager — matches .github/workflows/cd-deploy-dev.yml"
+    description: "Dedicated dev Swarm on the foundation/dev-staging manager — matches .github/workflows/cd-deploy-dev.yml"
     deploy_order:
-      # layer_* stack names match project folder names (same as prod). Platform stack defaults to dev;
-      # CD can override via workflow input / PULUMI_DEV_PLATFORM_STACK (must not be prod).
-      - { project: layer_1, stack: layer_1 }
-      - { project: layer_2, stack: layer_2 }
+      # Dev runs dedicated layer stacks on the dev manager. Platform stack defaults to dev;
+      # CD can override the platform stack via workflow input / PULUMI_DEV_PLATFORM_STACK (must not be prod).
+      - { project: layer_1, stack: dev }
+      - { project: layer_2, stack: dev }
       - project: platform
         stack: dev
 

infra/global/refs/LayerOne.ts

@@ -4,4 +4,4 @@ export enum LayerOneExports {
     IngressNetwork = "IngressNetwork",
 }
 
-export default new SprocketStackDefinition("layer_1", `${__dirname}/../../layer_1`);
+export default new SprocketStackDefinition("layer_1", `${__dirname}/../../layer_1`, "layer_1-stack");

infra/global/refs/LayerTwo.ts

@@ -25,4 +25,4 @@ export enum LayerTwoExports {
     N8nNetwork = "N8nNetworkId"
 }
 
-export default new SprocketStackDefinition("layer_2", `${__dirname}/../../layer_2`);
+export default new SprocketStackDefinition("layer_2", `${__dirname}/../../layer_2`, "layer_2-stack");

infra/global/refs/types.ts

@@ -1,15 +1,28 @@
 import * as pulumi from "@pulumi/pulumi";
 
 export class SprocketStackDefinition {
-    constructor(public readonly name: string,
-        public readonly location: string) {
+    constructor(
+        public readonly name: string,
+        public readonly location: string,
+        private readonly stackConfigKey?: string,
+    ) {
     }
 
     _stack: pulumi.StackReference | undefined
+    _stackReferenceName: string | undefined
 
     get stack() {
-        if (!this._stack)
-            this._stack = new pulumi.StackReference(`gankoji/${this.name}/${this.name}`)
+        const configuredStackName = this.stackConfigKey
+            ? new pulumi.Config().get(this.stackConfigKey)?.trim()
+            : undefined;
+        const stackName = configuredStackName || this.name;
+        const stackReferenceName = `gankoji/${this.name}/${stackName}`;
+
+        if (!this._stack || this._stackReferenceName !== stackReferenceName) {
+            this._stack = new pulumi.StackReference(stackReferenceName);
+            this._stackReferenceName = stackReferenceName;
+        }
+
         return this._stack
     }
 }

infra/layer_1/Pulumi.dev.yaml

@@ -0,0 +1,18 @@
+config:
+  layer_1:discord-fa-client-secret:
+    secure: AAABAPlXRAG7Fju5B2ZlThOfDiA/Q2d6utE2LbmRO7GRrgQs6zt3galkykj9eTgC6a1dp2/WInIw9PN/+06jyg==
+  layer_1:docker-access-token:
+    secure: AAABAKJiFFU994YKGc2MXodmncCWXoDtKdbEcxCcVkxBouN43YXKDoRYO9FjmCqg8XHLTuxXbHDtRWtBlMB9XrtrFkhC2Pbp
+  layer_1:docker-username: gankoji
+  layer_1:hostname: dev.sprocket.mlesports.gg
+  layer_1:image-namespace: sprocketbot
+  layer_1:postgres-host: sprocketbot-postgres-d5033d2-do-user-24528890-0.j.db.ondigitalocean.com
+  layer_1:postgres-password:
+    secure: AAABAGL/iz/zELYpO9YXB3et6YlOiPpP7RDbJ3iW5LgHQcmbC9d69OTidghR0wtwFv/csG3MXgg=
+  layer_1:postgres-port: "25060"
+  layer_1:postgres-username: sprocketbot
+  layer_1:vault-s3-access-key: DO801Q8P44QRYP9HEQVL
+  layer_1:vault-s3-bucket: vault-secrets
+  layer_1:vault-s3-endpoint: https://nyc3.digitaloceanspaces.com
+  layer_1:vault-s3-secret-key:
+    secure: AAABAKLovp2AYHUSmiVzKyos7mPFK9rRoVR/izXq3pTU1CsHZIav75tUBePuwiAX/nB42u0/YWf4IGwuzfPmVlLQKkrFcjoXPSim

infra/layer_2/Pulumi.dev.yaml

@@ -0,0 +1,20 @@
+config:
+  layer_2:docker-access-token:
+    secure: AAABAF9TFDLGgwbqwEPc3azts0liRLSc8pToLr0PYwYLkqGQIwHVZ/1/p0hHLk3sGrbNZ1PYtDtwh29+LoI2PAePxdil9wrQ
+  layer_2:docker-username: gankoji
+  layer_2:hostname: dev.sprocket.mlesports.gg
+  layer_2:image-namespace: sprocketbot
+  layer_2:postgres-host: sprocketbot-postgres-d5033d2-do-user-24528890-0.j.db.ondigitalocean.com
+  layer_2:postgres-password:
+    secure: AAABABAZ/oN/74YPhYlCC/4xd/9oLLTrV6LXJx68skEY1Zat30A/6zjahiHAmiuck7hPmkAcHv0=
+  layer_2:postgres-port: "25060"
+  layer_2:postgres-username: doadmin
+  layer_2:root-vault-token:
+    secure: AAABAPHRxFJegysezP56OpCZ9gbYfvpemsXN0t8bZFPQ2BHBgk81/Og=
+  layer_2:s3-access-key: DO004ZHPV38R8C9Q46XG
+  layer_2:s3-endpoint: nyc3.digitaloceanspaces.com
+  layer_2:s3-secret-key:
+    secure: AAABAIeQCGx2unCboHD/foN8TOap8B7IlHk2/NE2rN0USfZxlRd6nWrn9vJoFMjwckqA198ubn/DhxmFJF3Uy/eTn7uWV5KuE3A/
+  layer_2:smtp-password:
+    secure: AAABAFjL2/m0iFUvA0S18ecmawH9yJC4vNXBQUzjnCWdc1mBAuejpijWloZyh01Aerd6hm4=
+  layer_2:layer_1-stack: dev

infra/platform/Pulumi.dev.template.yaml

@@ -18,6 +18,8 @@ config:
   platform:image-namespace: sprocketbot
   platform:legacy-image-namespace: asaxplayinghorse
   platform:image-tag: dev
+  # platform:layer_1-stack: dev
+  # platform:layer_2-stack: dev
 
   # Postgres endpoint for the **dev** database cluster (not prod).
   # platform:postgres-username: <dev-db-user>