feat(bd-ch6.8): add systemd hardening limits to fabric-web.service

- MemoryMax=1536M, MemoryHigh=1200M (1.5GB hard limit, 1.2GB soft) - CPUQuota=200% (max 2 cores) - StartLimitInterval=120s, StartLimitBurst=5 (rate-limit restarts) - Add --max-old-space-size=1024 to Node heap - Add --heap-snapshots --snapshot-interval 30 for leak debugging Prevents runaway memory/CPU from taking down the host. Watchdog already implemented in bd-ch6.6 (Type=notify, WatchdogSec=30). Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com> Bead-Id: bd-ch6.8
2026-04-28 14:36:24 -04:00 · 2026-04-28 14:36:24 -04:00 · a6418ac539
commit a6418ac539
parent ff81b91097
1 changed files with 12 additions and 1 deletions
--- a/scripts/fabric-web.service
+++ b/scripts/fabric-web.service
@ -6,12 +6,23 @@ After=network.target
 Type=notify
 NotifyAccess=all
 WorkingDirectory=/home/coding/FABRIC
-ExecStart=/usr/bin/node dist/cli.js web --port 3000 --source /home/coding/.needle/logs --otlp-http :4318
+# Run with 1GB heap limit, enable heap snapshots for leak detection
+ExecStart=/usr/bin/node --max-old-space-size=1024 dist/cli.js web --port 3000 --source /home/coding/.needle/logs --otlp-http :4318 --heap-snapshots --snapshot-interval 30
 Restart=on-failure
 RestartSec=5
+# Rate limit restarts: 5 times within 2 minutes before entering failed state
+StartLimitInterval=120s
+StartLimitBurst=5
+# Watchdog: service must ping systemd via sd_notify WATCHDOG=1 every 15s (half of 30s WatchdogSec)
+# Implemented in src/web/server.ts with dynamic interval calculation
 WatchdogSec=30
 EnvironmentFile=/home/coding/.config/fabric/secrets.env
 Environment=NODE_ENV=production
+# Memory limits: 1.5GB max, will trigger OOM if exceeded
+MemoryMax=1536M
+MemoryHigh=1200M
+# CPU limit: max 2 cores (200%)
+CPUQuota=200%
 StandardOutput=journal
 StandardError=journal
 SyslogIdentifier=fabric-web