Skip to content

Implement basic components#1

Merged
Koukyosyumei merged 6 commits into
mainfrom
core
Mar 11, 2026
Merged

Implement basic components#1
Koukyosyumei merged 6 commits into
mainfrom
core

Conversation

@Koukyosyumei

Copy link
Copy Markdown
Collaborator

No description provided.

@Koukyosyumei Koukyosyumei merged commit 869c7ea into main Mar 11, 2026
@Koukyosyumei Koukyosyumei deleted the core branch March 11, 2026 06:03
Koukyosyumei added a commit that referenced this pull request Jun 16, 2026
Context DAG conflict-resolution (#1): the trace DAG is union-by-id and
conflict-free by construction, but it is stored as a single-line JSON
blob, so libgit2's line merge aborted gcc_merge_into whenever both sides
appended a node -- the normal case when an env's reasoning branch and its
parent both advance. dag.json now union-resolves (union_dag_json) during
conflict resolution, before the abort check, so the existing union-by-id
logic is reachable. Real conflicts on other files still abort.

Source-conflict ergonomics (#2): apply/rebase refuse cleanly with no
'git merge --continue' state, so the error text now hands the user the
full in-box runbook (conflict_runbook): env shell -> git merge <parent>
-> commit -> env apply.

Tests: union_dag_json unit + robustness, gcc_merge regression for the
divergent-DAG scenario, conflict_runbook content, and the existing
metadata.yaml conflict test confirms non-DAG conflicts still abort.

Co-authored-by: Claude Opus 4.8 <[email protected]>
Koukyosyumei added a commit that referenced this pull request Jun 19, 2026
…l-closed private_paths, bounded secret extractor

Resolves four review findings on the coasts-borrowed env features:

- #1 (High): service declarations are now pinned at `env create` into an
  env-local services.json (immutable from the box) with a service_digest in the
  manifest; service_start loads the pinned manifest and verifies the digest
  (fail-closed), so editing the worktree .h5i/env.toml after create can't change
  what a service runs. The start event records the redacted command.
- #2 (High): `env ports` reframed as port INJECTION, not forwarding — there is
  no host->box forwarder in v1, so the URL is rendered conditional ('if the
  service binds the injected port'), never a guarantee; CLI/MCP/docs updated.
- #3 (Medium): comma-bearing private_paths now fail closed — rejected in
  validate_private_paths (rel) and prepare_private_paths (container backing)
  instead of being silently skipped in build_run_argv.
- #4 (Medium): the opted-in command: secret extractor is now bounded — 10s wall
  timeout + 1 MiB stdout cap, own process group (killpg on timeout), drain-to-EOF
  reader (no pipe deadlock, bounded memory), all fail-closed.

Also updates the MCP tool-count test for the env tools added earlier.

Tests: lib 891 pass; env_integration 98 pass. Clippy clean on default and
--no-default-features.
Koukyosyumei added a commit that referenced this pull request Jun 19, 2026
…mon-free services + dynamic ports (#169)

* Add docs/borrowing-from-coasts.md: ideas to improve h5i env from Coasts

Survey of ../coasts/ (runtime orchestrator: ports, secrets keystore, daemon+UI,
agent-shells, private_paths, shared services) mapped onto h5i env's
confinement+provenance core. Nine borrow ideas with posture guards (no mandatory
daemon, isolated-by-default, in-box agent). Codex consulted via i5h over two
rounds; governing principle: every borrowed affordance = policy grant + event +
capture, or don't ship it.

* env: fleet/doctor, private_paths, gated secret command extractor, daemon-free services + dynamic ports

Implements ideas borrowed from ../coasts (docs/borrowing-from-coasts.md) for
`h5i env`, each with CLI + MCP parity and tests:

- Idea 0 (fleet/doctor): `env list --json` (manifest + drift), new `env doctor`
  with a per-env enforcement-readiness check (functional verify_exec self-test)
  plus policy-digest/branch/context/drift health; exits non-zero when unhealthy.
- Idea 3 (private_paths): new [profile.X.private_paths] policy field
  (kind/persist); per-env backing dirs bind-mounted over workspace paths to give
  concurrent same-repo envs distinct inodes (no cross-env flock/cache
  contention) — pre_exec binds on process/supervised, --mount on container;
  fail-closed validation (relative, no .., no overlap, kind allowlist).
- Idea 1 (secrets): gated command: extractor (allow_command_extractors, pinned
  in the policy digest, refused at load and resolve) + `env secrets` legibility
  CLI (status + fingerprint, never values).
- Idea 3.5 (services): daemon-free `env service start|stop|status|logs`
  (sandbox::spawn_background, pid registry, logs-as-captures on stop, start/stop
  events on refs/h5i/env).
- Idea 2 (ports): per-service dynamic host port allocated + injected
  (H5I_ENV_PORT_<NAME>/PORT), surfaced by `env ports`.

Audit note: the flagged exec patterns are intentional — the confined background
spawn (pre_exec) and the policy-gated command: extractor (sh -c).

Tests: env_integration 96 pass; lib sandbox/secrets/container 80 pass;
sandbox_api 4 pass. Clippy clean on default and --no-default-features.

* env: address review — pin service defs, port-injection semantics, fail-closed private_paths, bounded secret extractor

Resolves four review findings on the coasts-borrowed env features:

- #1 (High): service declarations are now pinned at `env create` into an
  env-local services.json (immutable from the box) with a service_digest in the
  manifest; service_start loads the pinned manifest and verifies the digest
  (fail-closed), so editing the worktree .h5i/env.toml after create can't change
  what a service runs. The start event records the redacted command.
- #2 (High): `env ports` reframed as port INJECTION, not forwarding — there is
  no host->box forwarder in v1, so the URL is rendered conditional ('if the
  service binds the injected port'), never a guarantee; CLI/MCP/docs updated.
- #3 (Medium): comma-bearing private_paths now fail closed — rejected in
  validate_private_paths (rel) and prepare_private_paths (container backing)
  instead of being silently skipped in build_run_argv.
- #4 (Medium): the opted-in command: secret extractor is now bounded — 10s wall
  timeout + 1 MiB stdout cap, own process group (killpg on timeout), drain-to-EOF
  reader (no pipe deadlock, bounded memory), all fail-closed.

Also updates the MCP tool-count test for the env tools added earlier.

Tests: lib 891 pass; env_integration 98 pass. Clippy clean on default and
--no-default-features.

* env: close service-pinning gaps from re-review (no-service envs, name validation)

Two High findings from Codex's re-review of the service feature:

- No-service envs were left with service_digest=None, which routes service_start
  to the legacy fallback that reads the mutable worktree/repo .h5i/env.toml — so
  an env created with no services could add [service.*] afterwards and start it
  unpinned. Fix: pin_services_at_create now ALWAYS writes services.json and
  records a digest (even for the empty set), so every new env is pinned (empty or
  not) and the mutable fallback only applies to truly pre-pinning legacy envs.

- Service names were used directly in services/<name>.json and <name>.log paths,
  so a key like ../manifest could escape services/ and overwrite env-local files.
  Fix: validate_service_name (strict slug — rejects '/', '..', leading-dot)
  enforced at parse/pin time (create fails closed on a bad [service.*] key) AND
  at the top of service_start/stop/logs before any path is built.

Tests: no-service env can't start an added service; traversing names rejected at
start and at create. env_integration 101 pass; clippy clean.

* docs: document env fleet/doctor, secrets, services, ports + private_paths

Update MANUAL.md, the man page (man/man1/h5i.1), and the regenerated
docs/manual/index.html for the new env surface:

- Command table / man subcommands: env list --json, env doctor, env secrets,
  env service start|stop|status|logs, env ports; service added to the event list.
- Policy file: [profile.X.private_paths] (kind/persist), the gated command:
  secret source + allow_command_extractors, and [service.<name>] (command/port/
  restart/logs), with notes that service defs are pinned at create.
- New 'Services and dynamic ports' subsection (TOC + anchor) covering pinning,
  confinement, logs-as-evidence, and injection-not-forwarding port semantics.
- Secrets-broker section: command: source (bounded, gated) + env secrets dry-run.

docs/manual/index.html regenerated via scripts/gen_manual.py.
Koukyosyumei added a commit that referenced this pull request Jun 30, 2026
'430+ GitHub stars · the #1 worktree manager by stars' under the
definition bullets.
Koukyosyumei added a commit that referenced this pull request Jul 1, 2026
* improve hero-badge

* docs(pitch): simplify title slide to the one-line definition

Drop the three feature cards and the closing punchline on slide 1, and
enlarge the lede so the h5i definition is the focal point.

* docs(pitch): make the title-slide definition three bullet points

* docs(pitch): enlarge the title-slide bullet points

* docs(pitch): enlarge title-slide bullets further

* update

* docs(blog): stop featuring 'Why AI Agents Need Auditable Workspaces'

Demote it from the highlighted featured card to a regular post card in
the Ensemble group.

* docs(guides): feature the 'Run many agents, merge one auditable result' overview

Apply the shared blog.css featured-card treatment to the workflows
overview entry at the top of the guides list.

* docs(pitch): add a social-proof line to the title slide

'430+ GitHub stars · the #1 worktree manager by stars' under the
definition bullets.

* docs(pitch): tighten slide 2 to the two contrast cards

Remove the lede and the closing summary paragraph. Shorten and enlarge
the today/with-h5i cards, and broaden the h5i side from 'evidence' to
sandbox + record + multi-agent review (one verified result).

* docs(pitch): frame slide 2 cards around safety

today: 'An agent run is unsafe and opaque' (untracked, can run out of
control); with h5i: 'An agent run is safe and auditable'.

* docs(pitch): sharpen the 'today' card on runaway-agent risk

Note that an out-of-control agent can destroy the environment and
conflict with other agents.

* docs(pitch): mirror the 'with h5i' card to the today risks

Sandboxed, fully recorded, conflict-free multi-agent development.

* docs(pitch): make slide 2 cards mirrored bullet lists

today (✕ red): untracked prompts/context, dangerous tool usage,
conflicting multi-agents. with h5i (✓ green): sandboxed environment,
tracked prompt/context, conflict-free multi-agent development.

* docs(pitch): reorder to Already-painful before The-problem, restructure into three pains

Move the 'pain is already here' slide up to third so real incidents lead
into the analytical breakdown. Replace the two failure-mode tables with
three compounding pains: lost context/unversioned prompts, unsafe
autonomy (wreck env / malware / secret exfil), and multi-agent token
waste + conflicts — mapping to capture/recall, env, and team.

* docs(pitch): merge the two problem slides into one five-pain slide

Combine 'Already painful' and 'The problem' into a single slide in the
metric-card style: five pains (unversioned prompts, lost context,
unsafe/unmonitored autonomy, multi-agent waste, multi-agent conflict)
closing on 'every agent needs an auditable workspace'.

* update

* docs(pitch): trim the five-pain explanations to short phrases

* update

* docs(pitch): lay the five pains in two rows with larger fonts

Switch the pain grid to a centered flex-wrap (3 + 2 rows) and enlarge
the item titles (1.9rem) and descriptions (1.2rem).

* docs(pitch): drop the auditable-workspace kicker from the five-pain slide

* docs(pitch): recast the product slide as five answers to the five pains

* docs(pitch): split team detail into prompts/context, env sandbox, and team slides

* update

* docs(pitch): add token-reduction slide with raw-to-filtered comparison

* docs(pitch): move traction to slide 9 and refresh its metrics

* docs(pitch): fix sandbox embed overflow in PDF export

* update

* docs(pitch): add audit pain/answer pair, an audit-review slide, and refine buyer slide

* docs(pitch): reframe closing slides around the AI-code acceptance layer

* update

* update

* docs(pitch): restructure beachhead slide into beachhead + expansion tiers

* docs(readme): add a short intro line and fix a typo

* update
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant