7. Build
maand build reads workspace/ and updates the local catalog. It does not push files to workers.
maand build
Combine with deploy when you want both:
maand deploy --build
What build does
| Step | Result |
|---|---|
Sync workers.json |
worker table, labels, tags |
| Sync jobs | Job rows, file index in job_files, ports |
| Match selectors | Create/update allocations |
Apply disabled.json |
Set disabled flags on allocations |
| Validate | Resources, ports, circular demands, certs |
| Generate TLS | Per-job certs from manifest; auto-rotate per certs_ttl |
Compute deployment_seq |
Order jobs that depend on each other |
Run post_build hooks |
Hooks on CLI host, in sequence order |
| Persist KV | Vars from vars.conf, template-related state |
Output lives in data/maand.db and KV — not on workers.
Inspect after build
maand info
maand cat workers
maand cat jobs # includes deployment_seq
maand cat allocations
maand cat ports --jobs api
maand cat certs --jobs api
If build fails, nothing in the catalog advances for that run. Common errors: missing Makefile, port clash, worker too small for job reservation, invalid workers.json.
Reference: build.md.
Build vs deploy
| build | deploy | |
|---|---|---|
| Reads | workspace/ |
maand.db + KV |
| Writes | Catalog, certs in bucket | Worker filesystem + lifecycle |
| SSH to workers | No (hooks on CLI host only) | Yes |
| Safe in CI without workers | Yes | No (needs SSH) |
Typical loop: edit workspace → build (validate) → deploy (push).
Job dependencies (demands)
If job api declares a demand on job database command hook_schema, build assigns deployment_seq so database deploys in an earlier wave than api.
deployment_seq 0: database, cache
deployment_seq 1: api
Reference: deployment-sequence.md.
Certificates
Jobs declare certs in the manifest. Build checks CA expiry (warn or fail), then generates or renews leaf TLS material under the bucket and indexes it for deploy. Workers receive certs under jobs/<job>/certs/ on rsync.
Inspect expiry (CA + leaf):
maand cat certs
maand cat certs --jobs api
An expiring or expired CA row means rotate secrets/ca.crt / ca.key — build warns in the renewal window and fails once expired.
Reference: certs.md.
Next
08 — Deploy — rsync and rolling lifecycle on workers.