Slipstream/auto_review
1
0
Fork 0
Code Issues 2 Pull requests Projects Releases 27 Packages Activity Actions

Persist gateway state when using embedded OCI on NixOS #270

New issue
Closed
opened 2026-05-19 08:14:28 -07:00 by jwilger · 0 comments
jwilger commented 2026-05-19 08:14:28 -07:00
Owner
Copy link

Problem

The NixOS module can run the gateway automatically, but currently opts into bare mode. The packaged embedded OCI gateway path mounts /var/lib/auto_review as tmpfs, so review history, learnings, vector cache, and webhook dedup state are not truly persistent across restarts.

Desired Outcome

NixOS deployments can use embedded OCI isolation while keeping gateway SQLite state persistent.

Scope

  • Add NixOS/module support for persistent state with embedded OCI.
  • Ensure host state is available inside the embedded OCI gateway at /var/lib/auto_review.
  • Preserve fail-closed OCI behavior unless the operator explicitly opts into bare mode.
  • Keep secrets out of the Nix store.
  • Add module/packaging contract tests for persistent OCI state behavior.
  • Update deployment docs to show the NixOS embedded-OCI path.

Notes

The current embedded OCI bundle uses tmpfs for /var/lib/auto_review, which is appropriate for isolated ephemeral operation but not for a managed NixOS service with durable review history/learnings.

## Problem The NixOS module can run the gateway automatically, but currently opts into bare mode. The packaged embedded OCI gateway path mounts `/var/lib/auto_review` as tmpfs, so review history, learnings, vector cache, and webhook dedup state are not truly persistent across restarts. ## Desired Outcome NixOS deployments can use embedded OCI isolation while keeping gateway SQLite state persistent. ## Scope - Add NixOS/module support for persistent state with embedded OCI. - Ensure host state is available inside the embedded OCI gateway at `/var/lib/auto_review`. - Preserve fail-closed OCI behavior unless the operator explicitly opts into bare mode. - Keep secrets out of the Nix store. - Add module/packaging contract tests for persistent OCI state behavior. - Update deployment docs to show the NixOS embedded-OCI path. ## Notes The current embedded OCI bundle uses tmpfs for `/var/lib/auto_review`, which is appropriate for isolated ephemeral operation but not for a managed NixOS service with durable review history/learnings.
jwilger added this to the 1.1 milestone 2026-05-19 08:14:35 -07:00
Sign in to join this conversation.
No Branch/Tag specified
Branches Tags
main
issue-287-release-metadata-and-nl-corrections
issue-277-pr-metadata-controls
release/v0.15.0
issue-28-cost-per-review
release/v0.14.2
config-issue-command
issue-248-opencode-plugin-tests
fix-agent-variant-effort
issue-220-binary-only-release-artifacts
fix/release-prepare-json-isolation
fix/release-prepare-skip-checks
issue-219-remove-official-docker-image
issue-226-rgr-cycle-guard
issue-217-retain-nix-boundary
bdd-tdd-guardrails
opencode-migration
add-some-tools
chore/pi-safe-branch-switch
fix/issue-207-spawnsync-guardrails
docs-threat-model-formatting
issue-149-oci-env-errors
pi-safe-tools-review
process-pilens-deferred-format-guardrail
issue-150-threat-model-release-scope
fix-release-publish-install-tools
pi-migration
update-release-image-promotion
issue-15-pr-metadata-check
release/v0.8.4
issue-134-docs-test-guidance
issue-176-pr-discussion-history
fix-release-publish-release-upload
fix-linux-artifact-build
issue-121-linux-binary-provenance
issue-135-nixos-deployment
issue-120-single-binary-docs-tests
issue-122-runtime-isolation-posture
issue-119-unified-docker-binary
issue-117-oci-gateway-launcher
issue-118-embedded-oci-rootfs
issue-117-embedded-youki-oci-launcher
issue-116-unified-auto-review-cli
release/v0.2.1
issue-115-single-binary-exploration
release-pr-supersede-hybrid-bump
fix-release-prep-run-on-release-fixes
fix-release-prep-package-verify
issue-14-incremental-walkthrough
fix-release-publish-dispatch-input-type
fix-release-publish-rerun
fix-release-publish-detached-head
release-plz-2026-05-05T18-58-15Z
fix-release-plz-push-auth
fix-release-plz-git-identity
fix-release-plz-repo-url
semantic-release-bump
fix-release-changelog-duplication
fix-release-workflow-loop
release-generated-changelog
fix-release-prepare-stages-lockfile
fix-release-prepare-lockfile
fix-release-tests-after-prepare
fix-release-prep-explicit-token
fix-release-prep-token-fallback
fix-release-prep-token-env
fix-release-prep-auth
fix-release-prepare-trigger
issue-66-release-pr-workflow
issue-43-ci-review-action
issue-43-forgejo-ci-review-action
issue-46-sandbox-rescope
issue-51-ci-linter-advisories
repo-maintenance
issue-45-remove-bundled-linters
issue-10-mandatory-sandbox
v1.3.0
v1.0.2
v1.0.1
v1.0.0
v0.14.1
v0.14.0
v0.8.0
0.8.0-rc.329
0.8.0-rc.325
0.7.0-rc.318
0.6.0-rc.305
0.5.0-rc.299
0.4.0-rc.293
0.4.0-rc.289
0.3.0-rc.279
0.3.0-rc.273
0.3.0-rc.269
0.3.0-rc.263
0.3.0-rc.259
0.3.0-rc.255
0.3.0-rc.251
0.3.0-rc.247
0.3.0-rc.242
0.2.1-rc.238
v0.2.0
0.2.0-rc.232
v0.1.3
Labels
Clear labels   
bug

   
discussion

   
enhancement
  
bug
Something is not working

  
duplicate
This issue or pull request already exists

  
enhancement
New feature

  
help wanted
Need some help

  
invalid
Something is wrong

  
question
More information is needed

  
wontfix
This won't be fixed

No labels
bug
discussion
enhancement
bug
duplicate
enhancement
help wanted
invalid
question
wontfix
Milestone
Clear milestone
No items
No milestone
1.1
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
1 participant
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference
Slipstream/auto_review#270
No description provided.