feat(gateway): package embedded OCI rootfs #129

Merged
jwilger merged 1 commit from issue-118-embedded-oci-rootfs into main 2026-05-06 17:41:00 -07:00
Owner

Summary

Adds a Nix-built embedded OCI gateway rootfs bundle for the single-binary rollout. The bundle includes the unified `auto-review` binary, `git`, CA certificates, minimal identity/resolver files, a read-only root, explicit writable tmp/state mounts, and a copied runtime closure so rootfs entrypoints resolve inside the bundle instead of escaping to host `/nix/store` paths.

Type of change

  • [x] feat — new capability
  • [ ] fix — bug fix
  • [ ] docs — documentation only
  • [ ] refactor — internal cleanup, no behaviour change
  • [x] test — test-only addition
  • [x] chore — tooling, deps, CI

Verification

  • [ ] `cargo test --workspace --all-targets`
  • [ ] `cargo clippy --workspace --all-targets -- -D warnings`
  • [x] `cargo fmt --all -- --check`
  • [ ] `cargo deny check` (when bumping dependencies)
  • [ ] Manual smoke test against a dev gateway (when changing the review pipeline or webhook surface)
  • [x] `cargo nextest run -p ar-cli flake_packages_minimal_embedded_gateway_oci_rootfs_bundle --no-tests=fail`
  • [x] `nix build .#checks.$(nix eval --raw --impure --expr builtins.currentSystem).ar-gateway-embedded-oci-rootfs-contents`
  • [x] `nix flake check`

Pre-merge checklist

  • [x] Commit titles follow conventional commits; the release PR generates changelog notes from conventional commits
  • [x] Public surface changes have rustdoc on the new items
  • [x] If the change touches a documented threat (T#) in `docs/THREAT-MODEL.md`, the corresponding red-team test in `crates/ar-review/tests/red_team_*.rs` has been updated or extended
  • [x] If the change touches a metric, the rules pack (`deploy/prometheus/auto_review.rules.yaml`) and dashboard (`deploy/grafana/auto_review.dashboard.json`) still pass their contract tests

Related

Closes #118
Commit e5e9b292c3: feat(gateway): package embedded OCI rootfs

All checks were successful

  • CI / Nix flake check (pull_request): successful in 3m12s
  • CI / auto_review semantic review (pull_request): successful in 1s (auto_review: 1 warning)
  • Publish release / release-publish (pull_request): skipped
auto-review left a comment

This PR introduces a Nix-built embedded OCI gateway rootfs bundle, enhancing the single-binary rollout. The changes appear well-structured and safe to merge, but ensure the new package is covered by tests and CI.

Walkthrough

  • `crates/ar-cli/src/cli.rs`: Added a test function `flake_packages_minimal_embedded_gateway_oci_rootfs_bundle` to verify the presence of required components in the embedded gateway OCI rootfs bundle.
  • `flake.nix`: Defined a new package `ar-gateway-embedded-oci-rootfs` with its configuration and dependencies, ensuring it includes necessary binaries and certificates for the gateway operation.

🟡 **Warning:** Ensure that the `ar-gateway-embedded-oci-rootfs` package is included in the CI pipeline to verify its integrity and functionality. This will help catch any issues related to the package early in the development process.
jwilger (Author, Owner) replied:

Reflection: I should have made the CI linkage clearer in the PR summary instead of relying on reviewers to notice the new `checks` entry. Classification: one-off documentation/PR-description clarity issue, not a durable guardrail gap.

This is already covered by CI: the PR adds `checks.${system}.ar-gateway-embedded-oci-rootfs-contents`, and `nix flake check` builds that check. The check depends on `self.packages.${system}.ar-gateway-embedded-oci-rootfs`, so CI builds the embedded rootfs package and verifies the required runtime paths resolve inside the bundle rootfs.
Reference
Slipstream/auto_review!129