Generated App Deployment Contract¶
Purpose¶
This document defines the provider-neutral deployment artifact contract for generated apps.
The OSS mozaiks repo owns this contract. Hosted-product policy, approvals, provider adapters, and secret orchestration remain outside this repo.
Production Boundary¶
Generated apps use a repo-per-app (workspace-per-app) boundary.
This keeps deployment ownership, environments, CI history, and secret boundaries isolated per app.
Contract Models¶
The contract is represented by two typed models in AppGenerator structured outputs.
DeployTargetSpecDeploymentTemplateManifestDeploymentBuildOutput
DeployTargetSpec¶
Provider-neutral target definition.
Required shape:
target_idtarget_kind:container | compose | external_adapterruntimecontainer_porthealth_pathstart_command(optional)artifact_outputsDockerfile(optional)docker-compose.yml(optional).github/workflows/deploy.yml(optional)env.exampledeployment.manifest.jsonenvironmentrequired_variablesoptional_variablessecret_variablespublic_variablesimageimage_nametag_strategychecksbuildsmokehealthprovider_profile- generic metadata only in OSS
Optional shape:
ci_secret_requirementsrequiredoptionalworkflow_inputs
DeploymentTemplateManifest¶
Deterministic output manifest for generated deployment artifacts.
Required shape:
schema_versionapp_iddeployment_profilegenerated_filesrequired_envsecret_envexposed_portshealthcheckci_workflowci_secret_requirements(optional)dockerfilecomposevalidation_statusdeploy_target_specbuild_output_contract(optional)
CI Workflow Secret Requirements¶
Generated deployment workflows may declare a names-only CI contract under ci_secret_requirements.
Suggested shape:
requirednamepurpose(optional)used_by(optional)optionalnamepurpose(optional)used_by(optional)workflow_inputsnamerequiredpurpose(optional)
Rules:
- Entries carry names only, never values.
- Secret names must use safe identifiers.
- Workflow input names must use safe identifiers.
- Generated workflow files may reference those names, for example
${{ secrets.NAME }}or${{ inputs.name }}, but must never embed secret values. - Hosts and adapters provision real secret values outside generated artifacts. The generated app bundle only describes expected names.
Build Output Contract¶
DeploymentBuildOutput is the provider-neutral handoff contract from repo/export/build systems to deployment providers/hosts.
It carries build/export output metadata and does not execute builds.
Suggested shape:
repo_url(optional)commit_sha(optional)build_status:pending | running | succeeded | failedimage_ref(required when status issucceeded)artifact_digest(optional,sha256:prefix)workflow_run_url(optional)logs_url(optional)safe_details(optional, non-secret metadata only)error_code(optional)
Provider-neutral examples:
repo_url:https://repo.example.invalid/demo-appimage_ref:registry.example.invalid/demo-app:abc123artifact_digest:sha256:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
Validation rules:
build_statusmust be one of pending/running/succeeded/failed.image_refis required whenbuild_statusis succeeded.artifact_digest, if present, usessha256:prefix.- URL fields are URL-shaped when present.
- Raw secrets and secret-shaped keys are not allowed in
safe_details. - No provider-specific required fields.
Artifact Contract¶
When deployment artifacts are requested by scaffold/export flags, AppGenerator emits deterministic outputs from the provider-neutral contract:
Dockerfile(optional)docker-compose.yml(optional).github/workflows/deploy.yml(optional)env.exampledeployment.manifest.json
When .github/workflows/deploy.yml is emitted, the manifest may also carry a concrete ci_secret_requirements section describing the names-only secret and workflow-input contract used by that generated workflow.
Env and Secrets Rules¶
env.examplemay include variable names and placeholders only.- Secret variables are declared by name only and must not contain real values.
ci_secret_requirementsis names-only and must not contain real values.- Generated workflow files may reference secret names but never secret values.
- Generated artifacts must not include:
- cloud tenant ids
- provider credentials
- registry passwords
- GitHub tokens
- hosted-product policy secrets
- Real secrets are injected by deployment adapters (CI secret stores / cloud secret stores), not committed in app repos.
AppGenerator and Adapter Split¶
OSS AppGenerator emits and validates:
- deployment contract schema
- deterministic artifact rendering
- artifact validation rules
- provider-neutral build output handoff contract
- names-only CI workflow secret requirements contract
Adapter layers outside AppGenerator handle:
- provider-specific deployment execution
- hosted policy/approval gates
- hosted lifecycle state transitions
- secret delivery and rotation
- persistence of build outputs in host deployment records
- mapping names-only CI secret requirements to provider-specific secret stores
E2B Role¶
E2B in AppGenerator is pre-deploy validation/preview only.
It is not a production runtime or hosting target.
Self-Host Mode¶
This contract supports self-hosting through the same generic artifact outputs:
- local Docker
- local Compose
- generic container platform deployment
Self-host users consume generated artifacts and provide their own infrastructure and secret stores.
Hosted Product Handoff¶
Hosted products (for example mozaiks-app) consume this contract but own hosted-specific behavior:
- Host With Us UX
- policy/approval gates
- provider adapters and defaults
- deployment status and operations surfaces