feat(capy): add capy secrets-manager package#1
Draft
cvince wants to merge 5 commits into
* virtio-kernel-raw: decompress the virtio-linux kernel to a raw Image

  Gunzip the virtio-linux Image.gz to an uncompressed aarch64 Image so consumers (minvmd) can load it with KRUN_KERNEL_FORMAT_RAW, skipping libkrun's in-VMM gzip decompress (~77 ms, over half of microVM boot-to-READY).

  Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

* minvmd-rootfs: package the minvmd guest rootfs as an ext4 image

  Assemble the minvmd microVM guest rootfs (socat + bash + coreutils closure, bring-up init, /etc/minvmd/manifest boot contract) into a read-only ext4 image via mke2fs. minvmd loads it as a block device (krun_add_disk2 -> /dev/vda).

  Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

* genericize: rename minvmd-rootfs -> microvm-rootfs, drop product references

  Make the packages product-agnostic: microvm-rootfs with /sbin/microvm-init and /etc/microvm/manifest, and scrub internal references from comments.

  Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

* virtio-kernel-raw: handle x86_64 bzImage (not just aarch64 Image.gz)

  The kernel is only gzip-compressed on aarch64 (Image.gz); on x86_64 virtio-linux ships a bzImage, so the unconditional gunzip failed the build there. gzip-test first: decompress when gzip, else pass through.

  Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

* microvm-rootfs: ship runtime closure only; harden init + prune

  Address review feedback:
  - Declare base + socat as runtime_deps and e2fsprogs as a build-only dep (mke2fs packs the image), instead of lumping everything in build_deps.
  - Remove the build-only e2fsprogs files from the staged tree before packing, so the runtime image carries only the runtime closure (mke2fs runs from the build sandbox PATH, not from $STAGE). Verified absent from rootfs.img.
  - Fail the bring-up init if the READY handshake never succeeds, rather than starting the listener and turning a boot failure into a downstream timeout.
  - Scope `|| true` to the find invocation so a cd/rm failure still fails the build.

* virtio-kernel-raw: add version plumbing; depend on base

  Add the version binding, attrs.upstream_version, and build_args forwarding the repo's build.ncl contract expects. Depend on base (provides gzip + sh at build) instead of listing gzip/bash/coreutils individually.

---------

Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
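The "gzip-test first: decompress when gzip, else pass through" step from the virtio-kernel-raw commit, as an added POSIX sh example (not the PR's own build.sh); the function names, the magic-byte check and the `in`/`out` argument convention are assumptions:

```shell
#!/bin/sh
# Added example, not the package's build.sh. Turn a virtio-linux kernel into
# the raw form a VMM can load directly: aarch64 ships Image.gz (gunzip it),
# x86_64 ships an uncompressed bzImage (copy it through unchanged).
# Assumes only sh, od, tr, gzip and cp (all provided by base + coreutils).

# A gzip stream always starts with the two bytes 1f 8b; checking the magic
# avoids guessing from the file name, which differs per architecture.
is_gzip() {
  [ "$(od -An -tx1 -N2 "$1" | tr -d ' \n')" = "1f8b" ]
}

# kernel_to_raw <input kernel> <output path>
# Returns non-zero (and leaves no partial output) if decompression fails,
# so a corrupt Image.gz fails the build instead of shipping a bad kernel.
kernel_to_raw() {
  in="$1"; out="$2"
  if is_gzip "$in"; then
    # aarch64 Image.gz -> raw Image (what KRUN_KERNEL_FORMAT_RAW expects)
    if ! gzip -dc "$in" > "$out"; then
      rm -f "$out"
      return 1
    fi
  else
    # x86_64 bzImage is not gzip-wrapped: pass through byte-for-byte
    cp "$in" "$out"
  fi
}
```

Call it as `kernel_to_raw Image.gz Image` (or `kernel_to_raw bzImage Image` on x86_64); the same invocation works for both architectures, which is the point of testing the stream rather than the name.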
Installs the Capy CLI (@capysc/cli@0.6.1) into a Minimal environment and pinholes the developer's ~/.capy session into the box, so in-box `capy run -- <cmd>` injects branch-scoped secrets without transporting any key material (shared-session model).

- build.ncl: @capysc/cli install, runtime deps (node-lts, git, ca-certificates, coreutils, glibc, base), node_modules output, and a ~/.capy Credential pinhole (read-write; trusted dev shells only).
- build.sh: npm global install into the output prefix.
- self-test: capy --version runs in a clean room and matches the pin.

Verified: minimal package capy + minimal check capy pass; capy runs in a box.
The previous `export npm_config_cache="$(pwd)/.npm-cache"` was redundant and non-deterministic: node/node-lts already wire NPM_CONFIG_CACHE to a Minimal-managed state dir via env_state_wiring. Simplify build.sh to match the other npm-CLI packages (pyright, typescript-language-server, mermaid-cli). Verified: minimal package capy + minimal check capy still pass (incl. self-test).
Declares capysc/capy-cli as the source of record per the new-package checklist. (Building from source vs the npm prebuilt is deferred — still npm-install for now.)
### What

Adds the `capy` package: the Capy CLI (`@capysc/cli@0.6.1`) installed into a Minimal environment. A task that includes `packages = ["capy"]` gets the `capy` binary plus a `~/.capy` pinhole — the developer's host Capy session is mapped into the box, so in-box `capy run -- <cmd>` injects branch-scoped secrets with no key material transported in (the shared-session model; trusted dev shells only — not for untrusted agent tasks).

### Contents

- `build.ncl` — installs `@capysc/cli`, runtime deps (`node-lts`, `git`, `ca-certificates`, `coreutils`, `glibc`, `base`), `usr/lib/node_modules/**` output, and `env_dir_mappings` for `~/.capy` (`class = 'Credential`, read-write).
- `build.sh` — npm global install into the output prefix.
- `capy --version` runs in a clean room and matches the pinned version.

### Verification

- `minimal package capy` → exit 0
- `minimal check capy` → all checks pass (incl. standalone tests, fmt, imports)
- `capy --version` confirmed running live in a box → `0.6.1`

### Notes

`@capysc/cli` is public on npm; the build fetches it at build time. Follow-up: vendor the tarball + transitive deps as hash-pinned Sources for a fully hermetic / SLSA build.