
feat(capy): add capy secrets-manager package#230

Draft
cvince wants to merge 4 commits into
gominimal:mainfrom
capysc:add-capy-package

Conversation

@cvince cvince commented Jun 8, 2026

Installs the Capy CLI (@capysc/cli@0.6.1) into a Minimal environment and pinholes the developer's ~/.capy session into the box, so in-box capy run -- <cmd> injects branch-scoped secrets without transporting any key material (shared-session model).

  • build.ncl: @capysc/cli install, runtime deps (node-lts, git, ca-certificates, coreutils, glibc, base), node_modules output, and a ~/.capy Credential pinhole (read-write; trusted dev shells only).
  • build.sh: npm global install into the output prefix.
  • self-test: capy --version runs in a clean room and matches the pin.

Verified: minimal package capy + minimal check capy pass; capy runs in a box.

Summary

Related issues

Changes

Checklist

  • I've read CONTRIBUTING.md.
  • I've accepted the ICLA (and CCLA if contributing on my employer's time). CLA Assistant will prompt me on this PR if I haven't already.
  • min check passes for the affected packages/harnesses.
  • min patched-build <name> succeeds for any package I added or modified.
  • For new packages: source_provenance points to the canonical upstream and the source builds from source (not a prebuilt release binary) where the required toolchain is available.
  • For version bumps: I've verified the new sha256 against the upstream archive.

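As an added example, not code from this PR or the gominimal project, here is a stand-alone sketch of the clean-room self-test the description refers to: run `capy --version` with a scrubbed environment and require the reported version to match the pinned @capysc/cli version. The variable names CAPY_BIN and CAPY_PIN and the helper functions are assumptions; 0.6.1 is the pin stated in the PR.

```shell
#!/bin/sh
# Added example (not the PR's own build.sh or self-test): a version-pin check
# run in a scrubbed environment. CAPY_BIN and CAPY_PIN are assumed names;
# 0.6.1 is the pin from the PR description.
set -eu

CAPY_PIN="${CAPY_PIN:-0.6.1}"
CAPY_BIN="${CAPY_BIN:-capy}"

# Pull the first x.y.z token out of the CLI's output (the first, not the last,
# so a trailing runtime version such as "node-v20.1.0" cannot be mistaken
# for the CLI's own version).
extract_version() {
    printf '%s\n' "$1" | grep -oE '[0-9]+\.[0-9]+\.[0-9]+' | head -n 1
}

# Returns 0 when the reported output carries exactly the pinned version and
# 1 otherwise (including empty output, e.g. the binary is missing from the box).
version_matches_pin() {
    reported=$(extract_version "$1")
    [ -n "$reported" ] && [ "$reported" = "$2" ]
}

# Clean room: empty environment except PATH, with HOME pointed at a directory
# that does not exist, so no ~/.capy session or user-level npm prefix can
# influence the result. Never aborts the shell here; the caller judges output.
run_clean_room() {
    env -i PATH="$PATH" HOME=/nonexistent "$CAPY_BIN" --version 2>&1 || true
}

self_test() {
    out=$(run_clean_room)
    if version_matches_pin "$out" "$CAPY_PIN"; then
        echo "ok: capy reports $CAPY_PIN"
        return 0
    fi
    echo "FAIL: expected $CAPY_PIN, got: '$out'" >&2
    return 1
}
```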
CLAassistant commented Jun 8, 2026

CLA assistant check
All committers have signed the CLA.

coderabbitai Bot commented Jun 8, 2026

Review skipped

Draft detected.


Comment thread packages/capy/build.sh (Outdated)

```sh
mkdir -p "$PREFIX"

# Keep npm's cache inside the build sandbox (no writable $HOME).
export npm_config_cache="$(pwd)/.npm-cache"
```

Member

Hmmm, does it work without this?

Author

Good catch. You probably have your own caching in dep management that this interferes with?

@twitchyliquid64 (Member)

/build

The previous `export npm_config_cache="$(pwd)/.npm-cache"` was redundant and non-deterministic: node/node-lts already wire NPM_CONFIG_CACHE to a Minimal-managed state dir via env_state_wiring. Simplify build.sh to match the other npm-CLI packages (pyright, typescript-language-server, mermaid-cli).

Verified: minimal package capy + minimal check capy still pass (incl. self-test).
@cvince cvince marked this pull request as draft June 8, 2026 01:24
cvince commented Jun 8, 2026
Author

I'm going to switch this to draft. There's some stuff I want to confirm with @jtnkminimal.

Declares capysc/capy-cli as the source of record per the new-package checklist. (Building from source vs the npm prebuilt is deferred — still npm-install for now.)