7. Build

maand build reads workspace/ and updates the local catalog. It does not push files to workers.

maand build

Combine with deploy when you want both:

maand deploy --build

What build does

Step Result
Sync workers.json worker table, labels, tags
Sync jobs Job rows, file index in job_files, ports
Match selectors Create/update allocations
Apply disabled.json Set disabled flags on allocations
Validate Resources, ports, circular demands, certs
Generate TLS Per-job certs from manifest; auto-rotate per certs_ttl
Compute deployment_seq Order jobs that depend on each other
Run post_build hooks Hooks on CLI host, in sequence order
Persist KV Vars from vars.conf, template-related state

Output lives in data/maand.db and KV — not on workers.


Inspect after build

maand info
maand cat workers
maand cat jobs              # includes deployment_seq
maand cat allocations
maand cat ports --jobs api
maand cat certs --jobs api

If build fails, nothing in the catalog advances for that run. Common errors: missing Makefile, port clash, worker too small for job reservation, invalid workers.json.

Reference: build.md.


Build vs deploy

build deploy
Reads workspace/ maand.db + KV
Writes Catalog, certs in bucket Worker filesystem + lifecycle
SSH to workers No (hooks on CLI host only) Yes
Safe in CI without workers Yes No (needs SSH)

Typical loop: edit workspace → build (validate) → deploy (push).


Job dependencies (demands)

If job api declares a demand on job database command hook_schema, build assigns deployment_seq so database deploys in an earlier wave than api.

deployment_seq 0:  database, cache
deployment_seq 1:  api

Reference: deployment-sequence.md.


Certificates

Jobs declare certs in the manifest. Build checks CA expiry (warn or fail), then generates or renews leaf TLS material under the bucket and indexes it for deploy. Workers receive certs under jobs/<job>/certs/ on rsync.

Inspect expiry (CA + leaf):

maand cat certs
maand cat certs --jobs api

An expiring or expired CA row means rotate secrets/ca.crt / ca.key — build warns in the renewal window and fails once expired.

Reference: certs.md.


Next

08 — Deploy — rsync and rolling lifecycle on workers.