
DevOps Domain

The DevOps domain handles continuous integration, deployment automation, and infrastructure management across the SO1 platform ecosystem.

Overview

DevOps agents ensure your code moves from development to production reliably, securely, and efficiently. They manage GitHub Actions workflows, Railway deployments, and audit pipelines for security and performance.
Use DevOps agents when you need to:
  • Generate CI/CD workflows for repositories
  • Deploy applications to Railway
  • Audit pipelines for security vulnerabilities
  • Optimize build and deployment performance
  • Maintain infrastructure as code

Agents in This Domain

When to Use This Domain

Suitable for:
  • Deploy Hono API or Next.js frontend to Railway
  • Create GitHub Actions workflows for new repositories
  • Audit existing pipelines for security vulnerabilities
  • Optimize CI/CD performance and costs
  • Configure environment variables and secrets
  • Set up health checks and monitoring

Not suitable for:
  • Manual deployments (use Railway CLI or console directly)
  • Non-Railway hosting platforms
  • GitLab CI or other CI systems (GitHub Actions only)

Common Patterns

Pattern 1: New Repository CI/CD Setup

Workflow:
  1. GitHub Actions Engineer creates CI workflows (lint, test, build)
  2. Railway Deployer configures deployment environments
  3. Pipeline Auditor reviews both for security and performance

Pattern 2: Security Audit & Remediation

Workflow:
  1. Pipeline Auditor scans workflows and deployment configs
  2. Identifies vulnerabilities (exposed secrets, permissions)
  3. GitHub Actions Engineer fixes workflows based on findings
  4. Pipeline Auditor verifies fixes

Pattern 3: Production Deployment

Workflow:
  1. Code merged to main triggers GitHub Actions
  2. CI workflow runs tests, lint, build
  3. Railway Deployer triggers deployment to production
  4. Health checks verify deployment success

FORGE Stage Integration

Agent | FORGE Stage | Entry Gate | Exit Gate
GitHub Actions Engineer | 3 (BUILD) | Repo structure known | Workflows created and passing
Railway Deployer | 4 (DEPLOY) | CI checks passing | Deployment healthy
Pipeline Auditor | 5 (VERIFY) | Configs exist | Vulnerabilities documented

Integration Points

Control Plane API

DevOps agents interact with the SO1 Control Plane for deployment tracking:
// Log deployment event
POST /api/v1/deployments
{
  "service": "so1-control-plane-api",
  "environment": "production",
  "status": "success",
  "healthCheckUrl": "https://api.so1.io/health"
}

// Store audit results
POST /api/v1/audits
{
  "repository": "so1-io/so1-control-plane-api",
  "findings": [...],
  "severity": "high"
}

Veritas Prompts

DevOps agents consume and produce Veritas prompts:
Agent | Consumes | Produces
Railway Deployer | Railway best practices, container optimization | Infrastructure tasks
GitHub Actions | CI/CD patterns, security scanning | Workflow tasks
Pipeline Auditor | Security checklist, performance patterns | Remediation tasks

Repositories

All SO1 repositories are managed by DevOps agents:
  • so1-io/so1-control-plane-api - Hono backend (Railway deployment)
  • so1-io/so1-console - Next.js frontend (Railway deployment)
  • so1-io/so1-shared - Shared TypeScript types (npm package)
  • so1-io/so1-agents - Agent definitions (GitHub Actions)
  • so1-io/veritas - Prompt library (GitHub Actions)

Best Practices

CI/CD Workflow Design

  1. Parallelize Independent Jobs: Run lint, test, and build in parallel when possible to reduce total workflow time.
  2. Use Dependency Caching: Configure pnpm or npm caching to avoid reinstalling dependencies on every run.
  3. Implement Concurrency Controls: Add concurrency groups with cancel-in-progress to stop superseded runs.
  4. Set Job Timeouts: Add timeout-minutes to prevent runaway jobs from consuming resources.

Railway Deployment

  1. Start with Staging: Always deploy to the staging environment first, before production.
  2. Configure Health Checks: Implement /health endpoints that verify database and Redis connectivity.
  3. Use Environment Variables: Never hardcode secrets; use Railway's environment variable system.
  4. Monitor Resource Usage: Set appropriate memory/CPU limits and monitor for OOM or throttling.

Security Auditing

  1. Run Regular Audits: Schedule monthly audits of all repositories and pipelines.
  2. Pin Action Versions: Use SHA pinning for GitHub Actions to prevent supply chain attacks.
  3. Use Least-Privilege Permissions: Grant only the minimum permissions needed for each workflow.
  4. Rotate Secrets: If any secret is exposed in logs or history, rotate immediately.
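
The pinning, least-privilege and timeout items above can be checked mechanically. The following is an added example, not SO1 or Pipeline Auditor code: a line-based scan run over a condensed copy of this page's sample ci.yml, emitting findings in the auditReport shape shown under Outputs and Artifacts. The function names, severity levels, generated finding ids and the 2-space YAML indent are assumptions made for illustration.

```javascript
// Added example; severities and generated ids are assumptions, not SO1's actual rules.
const SHA_PIN = /^[0-9a-f]{40}$/;
function auditWorkflow(yamlText) {
  const findings = [];
  const topLevelPerms = /^permissions:/m.test(yamlText);
  const add = (severity, title, line) => findings.push({
    id: "SEC-" + String(findings.length + 1).padStart(3, "0"), severity, title, line });
  let inJobs = false, job = null;
  const closeJob = () => {
    if (job && !job.timeout) add("medium", `Job "${job.name}" has no timeout-minutes`, job.line);
    if (job && !job.perms && !topLevelPerms)
      add("high", `Job "${job.name}" has no explicit permissions block`, job.line);
    job = null;
  };
  yamlText.split("\n").forEach((raw, i) => {
    const text = raw.replace(/(^|\s)#.*$/, "");            // drop comments
    if (!text.trim()) return;
    if (/^\S/.test(text)) { closeJob(); inJobs = /^jobs:/.test(text); return; }
    const jobId = inJobs && text.match(/^ {2}([\w-]+):\s*$/);
    if (jobId) { closeJob(); job = { name: jobId[1], line: i + 1 }; return; }
    if (job && /^ {4}timeout-minutes:/.test(text)) job.timeout = true;
    if (job && /^ {4}permissions:/.test(text)) job.perms = true;
    const uses = text.match(/^\s*(?:-\s+)?uses:\s*["']?([^\s"']+)/);
    if (!uses || /^(\.\/|docker:\/\/)/.test(uses[1])) return;  // local/docker refs not checked
    if (!SHA_PIN.test(uses[1].split("@")[1] || ""))
      add("high", `Action ${uses[1]} is not pinned to a full commit SHA`, i + 1);
  });
  closeJob();
  return findings;
}

// Wrap findings in the auditReport shape from the Pipeline Auditor sample output.
function buildAuditReport(findings) {
  const summary = { critical: 0, high: 0, medium: 0 };
  for (const f of findings) summary[f.severity] += 1;
  return { auditReport: { summary, findings } };
}

// Condensed copy of the page's ci.yml sample (trigger block shortened).
const SAMPLE_CI = `name: CI
on: [push, pull_request]
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: pnpm/action-setup@v3
      - run: pnpm test`;
console.log(JSON.stringify(buildAuditReport(auditWorkflow(SAMPLE_CI)), null, 2));
```

On the sample workflow this reports both tag-pinned actions, the missing permissions block and the missing job timeout; a workflow with SHA-pinned actions, a permissions block and timeout-minutes produces no findings.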

Outputs and Artifacts

GitHub Actions Engineer

# .github/workflows/ci.yml
name: CI
on:
  push:
    branches: [main, develop]
  pull_request:
    branches: [main]

jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: pnpm/action-setup@v3
      - run: pnpm install --frozen-lockfile
      - run: pnpm test

Railway Deployer

{
  "railwayConfig": {
    "services": [{
      "name": "api",
      "deploy": {
        "startCommand": "pnpm start",
        "healthcheckPath": "/health"
      }
    }]
  }
}

Pipeline Auditor

{
  "auditReport": {
    "summary": {
      "critical": 1,
      "high": 2,
      "medium": 3
    },
    "findings": [{
      "id": "SEC-001",
      "severity": "critical",
      "title": "Hardcoded secret in workflow"
    }]
  }
}

Getting Started

  1. Install DevOps Agents: Follow the Agent Installation Guide to add DevOps agents to your OpenCode environment.
  2. Choose Your Agent: Select the appropriate agent based on your task:
       • New repository → GitHub Actions Engineer
       • Deployment needed → Railway Deployer
       • Security review → Pipeline Auditor
  3. Invoke the Agent: Use the agent in your OpenCode chat or workflow.
  4. Review Outputs: Verify generated workflows, deployment configs, or audit reports.
