Implement basic components#1
Merged
Merged
Conversation
Koukyosyumei
added a commit
that referenced
this pull request
Jun 16, 2026
Context DAG conflict-resolution (#1): the trace DAG is union-by-id and conflict-free by construction, but it is stored as a single-line JSON blob, so libgit2's line merge aborted gcc_merge_into whenever both sides appended a node -- the normal case when an env's reasoning branch and its parent both advance. dag.json now union-resolves (union_dag_json) during conflict resolution, before the abort check, so the existing union-by-id logic is reachable. Real conflicts on other files still abort. Source-conflict ergonomics (#2): apply/rebase refuse cleanly with no 'git merge --continue' state, so the error text now hands the user the full in-box runbook (conflict_runbook): env shell -> git merge <parent> -> commit -> env apply. Tests: union_dag_json unit + robustness, gcc_merge regression for the divergent-DAG scenario, conflict_runbook content, and the existing metadata.yaml conflict test confirms non-DAG conflicts still abort. Co-authored-by: Claude Opus 4.8 <[email protected]>
Koukyosyumei
added a commit
that referenced
this pull request
Jun 19, 2026
…l-closed private_paths, bounded secret extractor Resolves four review findings on the coasts-borrowed env features: - #1 (High): service declarations are now pinned at `env create` into an env-local services.json (immutable from the box) with a service_digest in the manifest; service_start loads the pinned manifest and verifies the digest (fail-closed), so editing the worktree .h5i/env.toml after create can't change what a service runs. The start event records the redacted command. - #2 (High): `env ports` reframed as port INJECTION, not forwarding — there is no host->box forwarder in v1, so the URL is rendered conditional ('if the service binds the injected port'), never a guarantee; CLI/MCP/docs updated. - #3 (Medium): comma-bearing private_paths now fail closed — rejected in validate_private_paths (rel) and prepare_private_paths (container backing) instead of being silently skipped in build_run_argv. - #4 (Medium): the opted-in command: secret extractor is now bounded — 10s wall timeout + 1 MiB stdout cap, own process group (killpg on timeout), drain-to-EOF reader (no pipe deadlock, bounded memory), all fail-closed. Also updates the MCP tool-count test for the env tools added earlier. Tests: lib 891 pass; env_integration 98 pass. Clippy clean on default and --no-default-features.
Koukyosyumei
added a commit
that referenced
this pull request
Jun 19, 2026
…mon-free services + dynamic ports (#169) * Add docs/borrowing-from-coasts.md: ideas to improve h5i env from Coasts Survey of ../coasts/ (runtime orchestrator: ports, secrets keystore, daemon+UI, agent-shells, private_paths, shared services) mapped onto h5i env's confinement+provenance core. Nine borrow ideas with posture guards (no mandatory daemon, isolated-by-default, in-box agent). Codex consulted via i5h over two rounds; governing principle: every borrowed affordance = policy grant + event + capture, or don't ship it. * env: fleet/doctor, private_paths, gated secret command extractor, daemon-free services + dynamic ports Implements ideas borrowed from ../coasts (docs/borrowing-from-coasts.md) for `h5i env`, each with CLI + MCP parity and tests: - Idea 0 (fleet/doctor): `env list --json` (manifest + drift), new `env doctor` with a per-env enforcement-readiness check (functional verify_exec self-test) plus policy-digest/branch/context/drift health; exits non-zero when unhealthy. - Idea 3 (private_paths): new [profile.X.private_paths] policy field (kind/persist); per-env backing dirs bind-mounted over workspace paths to give concurrent same-repo envs distinct inodes (no cross-env flock/cache contention) — pre_exec binds on process/supervised, --mount on container; fail-closed validation (relative, no .., no overlap, kind allowlist). - Idea 1 (secrets): gated command: extractor (allow_command_extractors, pinned in the policy digest, refused at load and resolve) + `env secrets` legibility CLI (status + fingerprint, never values). - Idea 3.5 (services): daemon-free `env service start|stop|status|logs` (sandbox::spawn_background, pid registry, logs-as-captures on stop, start/stop events on refs/h5i/env). - Idea 2 (ports): per-service dynamic host port allocated + injected (H5I_ENV_PORT_<NAME>/PORT), surfaced by `env ports`. Audit note: the flagged exec patterns are intentional — the confined background spawn (pre_exec) and the policy-gated command: extractor (sh -c). Tests: env_integration 96 pass; lib sandbox/secrets/container 80 pass; sandbox_api 4 pass. Clippy clean on default and --no-default-features. * env: address review — pin service defs, port-injection semantics, fail-closed private_paths, bounded secret extractor Resolves four review findings on the coasts-borrowed env features: - #1 (High): service declarations are now pinned at `env create` into an env-local services.json (immutable from the box) with a service_digest in the manifest; service_start loads the pinned manifest and verifies the digest (fail-closed), so editing the worktree .h5i/env.toml after create can't change what a service runs. The start event records the redacted command. - #2 (High): `env ports` reframed as port INJECTION, not forwarding — there is no host->box forwarder in v1, so the URL is rendered conditional ('if the service binds the injected port'), never a guarantee; CLI/MCP/docs updated. - #3 (Medium): comma-bearing private_paths now fail closed — rejected in validate_private_paths (rel) and prepare_private_paths (container backing) instead of being silently skipped in build_run_argv. - #4 (Medium): the opted-in command: secret extractor is now bounded — 10s wall timeout + 1 MiB stdout cap, own process group (killpg on timeout), drain-to-EOF reader (no pipe deadlock, bounded memory), all fail-closed. Also updates the MCP tool-count test for the env tools added earlier. Tests: lib 891 pass; env_integration 98 pass. Clippy clean on default and --no-default-features. * env: close service-pinning gaps from re-review (no-service envs, name validation) Two High findings from Codex's re-review of the service feature: - No-service envs were left with service_digest=None, which routes service_start to the legacy fallback that reads the mutable worktree/repo .h5i/env.toml — so an env created with no services could add [service.*] afterwards and start it unpinned. Fix: pin_services_at_create now ALWAYS writes services.json and records a digest (even for the empty set), so every new env is pinned (empty or not) and the mutable fallback only applies to truly pre-pinning legacy envs. - Service names were used directly in services/<name>.json and <name>.log paths, so a key like ../manifest could escape services/ and overwrite env-local files. Fix: validate_service_name (strict slug — rejects '/', '..', leading-dot) enforced at parse/pin time (create fails closed on a bad [service.*] key) AND at the top of service_start/stop/logs before any path is built. Tests: no-service env can't start an added service; traversing names rejected at start and at create. env_integration 101 pass; clippy clean. * docs: document env fleet/doctor, secrets, services, ports + private_paths Update MANUAL.md, the man page (man/man1/h5i.1), and the regenerated docs/manual/index.html for the new env surface: - Command table / man subcommands: env list --json, env doctor, env secrets, env service start|stop|status|logs, env ports; service added to the event list. - Policy file: [profile.X.private_paths] (kind/persist), the gated command: secret source + allow_command_extractors, and [service.<name>] (command/port/ restart/logs), with notes that service defs are pinned at create. - New 'Services and dynamic ports' subsection (TOC + anchor) covering pinning, confinement, logs-as-evidence, and injection-not-forwarding port semantics. - Secrets-broker section: command: source (bounded, gated) + env secrets dry-run. docs/manual/index.html regenerated via scripts/gen_manual.py.
Koukyosyumei
added a commit
that referenced
this pull request
Jun 30, 2026
'430+ GitHub stars · the #1 worktree manager by stars' under the definition bullets.
Koukyosyumei
added a commit
that referenced
this pull request
Jul 1, 2026
* improve hero-badge * docs(pitch): simplify title slide to the one-line definition Drop the three feature cards and the closing punchline on slide 1, and enlarge the lede so the h5i definition is the focal point. * docs(pitch): make the title-slide definition three bullet points * docs(pitch): enlarge the title-slide bullet points * docs(pitch): enlarge title-slide bullets further * update * docs(blog): stop featuring 'Why AI Agents Need Auditable Workspaces' Demote it from the highlighted featured card to a regular post card in the Ensemble group. * docs(guides): feature the 'Run many agents, merge one auditable result' overview Apply the shared blog.css featured-card treatment to the workflows overview entry at the top of the guides list. * docs(pitch): add a social-proof line to the title slide '430+ GitHub stars · the #1 worktree manager by stars' under the definition bullets. * docs(pitch): tighten slide 2 to the two contrast cards Remove the lede and the closing summary paragraph. Shorten and enlarge the today/with-h5i cards, and broaden the h5i side from 'evidence' to sandbox + record + multi-agent review (one verified result). * docs(pitch): frame slide 2 cards around safety today: 'An agent run is unsafe and opaque' (untracked, can run out of control); with h5i: 'An agent run is safe and auditable'. * docs(pitch): sharpen the 'today' card on runaway-agent risk Note that an out-of-control agent can destroy the environment and conflict with other agents. * docs(pitch): mirror the 'with h5i' card to the today risks Sandboxed, fully recorded, conflict-free multi-agent development. * docs(pitch): make slide 2 cards mirrored bullet lists today (✕ red): untracked prompts/context, dangerous tool usage, conflicting multi-agents. with h5i (✓ green): sandboxed environment, tracked prompt/context, conflict-free multi-agent development. * docs(pitch): reorder to Already-painful before The-problem, restructure into three pains Move the 'pain is already here' slide up to third so real incidents lead into the analytical breakdown. Replace the two failure-mode tables with three compounding pains: lost context/unversioned prompts, unsafe autonomy (wreck env / malware / secret exfil), and multi-agent token waste + conflicts — mapping to capture/recall, env, and team. * docs(pitch): merge the two problem slides into one five-pain slide Combine 'Already painful' and 'The problem' into a single slide in the metric-card style: five pains (unversioned prompts, lost context, unsafe/unmonitored autonomy, multi-agent waste, multi-agent conflict) closing on 'every agent needs an auditable workspace'. * update * docs(pitch): trim the five-pain explanations to short phrases * update * docs(pitch): lay the five pains in two rows with larger fonts Switch the pain grid to a centered flex-wrap (3 + 2 rows) and enlarge the item titles (1.9rem) and descriptions (1.2rem). * docs(pitch): drop the auditable-workspace kicker from the five-pain slide * docs(pitch): recast the product slide as five answers to the five pains * docs(pitch): split team detail into prompts/context, env sandbox, and team slides * update * docs(pitch): add token-reduction slide with raw-to-filtered comparison * docs(pitch): move traction to slide 9 and refresh its metrics * docs(pitch): fix sandbox embed overflow in PDF export * update * docs(pitch): add audit pain/answer pair, an audit-review slide, and refine buyer slide * docs(pitch): reframe closing slides around the AI-code acceptance layer * update * update * docs(pitch): restructure beachhead slide into beachhead + expansion tiers * docs(readme): add a short intro line and fix a typo * update
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
No description provided.