Enhance build process, restore lost files, and improve test coverage#9

Merged
Snider merged 42 commits into main from dev
Jun 29, 2026

@Snider Snider commented Jun 29, 2026

Contributor

This pull request introduces the initial orchestration layer for the go-build system, establishing a Core-registerable Service that composes the build orchestrator and provides a unified entry point for build management. It also adds licensing information and includes basic tests and CI output helpers. The most important changes are summarized below.

Licensing and Compliance:

  • Added the full text of the European Union Public Licence v. 1.2 (LICENCE), and applied SPDX license headers to all new Go files to ensure compliance.

Core Service Orchestration:

  • Introduced the build.Service type in go/build.go, which composes the orchestrator manager and provides a Core-registerable service entry point for build orchestration.
  • Added a minimal usage example (go/build_example_test.go) and a comprehensive test suite (go/build_test.go) to verify the construction and behavior of the root service and its manager.

CI Output Helpers:

  • Added emitCIErrorAnnotation in go/cmd/build/ci_output.go and a corresponding test helper in go/cmd/build/ci_output_test.go to format and emit CI error annotations, integrating with GitHub Actions.

Dependency Management:

  • Updated the external/go submodule and added a checksum for dappco.re/go v0.10.3 in go.work.sum to support the new orchestration layer.

Snider and others added 30 commits May 1, 2026 08:33
Reference: core/api/LICENCE.

Co-Authored-By: Cladius Maximus <cladius@lethean.io>
…block)

- git submodule update on external/* to current dev tips
- go.work paths fixed for Phase 1 /go/ subtree layout where stale
- go.work go-version bumped 1.26.0 → 1.26.2 to match submodule floor

Workspace-mode build (`go build ./...`) is the verification path. Some
repos may surface transitive dep issues (api/go.sum checksum drift, etc.)
which are separate cascade tickets — not blocking this metadata refresh.

Co-Authored-By: Cladius Maximus <cladius@lethean.io>
…-artifacts)

Removes from git index: node_modules.bak/, .lintdeps/, .scannerwork/,
.DS_Store, dist/, etc. — regenerable build/scan outputs that should
never be tracked. Updates .gitignore with the canonical pattern set.

Audit dimension `tracked-artifacts` (core/go commit 62aac07) flagged
1 entries. Same root-cause class as Mantis #1333 (gui
ui/node_modules.bak/) — applying the structural fix ecosystem-wide.

Co-Authored-By: Cladius Maximus <cladius@lethean.io>
go-build had no root .go file — the package was entirely in pkg/{api,
events,release,sdk,service,storage}. Athena's #1336 adjudication
(2026-05-10, 90% confidence) placed it in the "Option A: lift root
composer" cohort because the subpackages are layers of one product
(the dev/build orchestrator), not unrelated domains.

This commit lifts the root composer:

- /Users/snider/Code/core/go-build/go/build.go — package decl + Service
  struct definition + package doc
- /Users/snider/Code/core/go-build/go/service.go — canonical NewService
  + Register surface

Service holds buildservice.Manager (the de-facto orchestrator from
pkg/service/manager.go), constructed via buildservice.NewManager() in
NewService. Manager is always wired (no credentials needed).

Note: NewService does NOT register the `core service` command tree —
that's servicecmd.AddServiceCommands(c)'s job and stays an explicit
caller responsibility (the build CLI has multiple cmd subdirs each
with its own AddXxxCommands, registered by the cmd binary, not the
library).

ServiceOptions is empty for v1 — the underlying buildservice.Manager
is config-driven via buildservice.ResolveConfig at command-execution
time, not at service-registration time.

Smoke verified:
- service.go + build.go themselves compile cleanly (correct imports,
  matches reference shape)
- Package-wide vet blocked by pre-existing missing-dep failures in
  pkg/release (signing) and cmd/build (installers, builders) —
  unrelated to this change, present on pristine HEAD (verified by
  stashing both files)

Co-Authored-By: Virgil <virgil@lethean.io>
The generated compliance triplets only asserted no-panic on one trivial
input per predicate, leaving the reflect.Kind decision trees untested.
Add behaviour tests driving typed-nil, map/slice/array containers, the
convertible-vs-assignable map-key paths in Contains, and the order/length
and fall-back-to-deep-equal paths in ElementsMatch.

Co-Authored-By: Virgil <virgil@lethean.io>
Drive the real branches the generated triplets skipped: first-non-empty
key selection in OptionString, native-bool and parseable-string coercion
plus the parse-failure and missing-key fall-backs in OptionBoolDefault,
multi-key lookup in OptionHas, and both result shapes of ResultFromError.

Co-Authored-By: Virgil <virgil@lethean.io>
The existing suite drove only MemoryMedium, leaving every localstore
method at 0%. Add temp-dir-backed behaviour tests for the full Medium
surface (read/write/mode/ensure-dir/delete/rename/list/stat/open/create/
append/streams/exists), the MkdirAll-failure error branch via a file
blocking a parent path, Copy across the real medium, and the fileinfo
Size/ModTime/Sys accessors.

Co-Authored-By: Virgil <virgil@lethean.io>
The recorder-based tests could not reach the gorilla upgrade path, so
readLoop, writeLoop and removeClient sat at 0%. Add an httptest.Server +
real DefaultDialer round-trip: connect, subscribe over the wire, receive
a channel broadcast (exercising writeLoop timestamping), and verify
client+channel pruning on disconnect. Race-clean. Uses core.TrimPrefix
to honour the AX-6 banned-stdlib rule.

Co-Authored-By: Virgil <virgil@lethean.io>
Drive the marker-counting branches directly: empty-marker rejection,
absent-marker zero, exact single match, and split-boundary counting.
The remaining uncovered statements are the assert helpers' t.Fatalf
failure branches, which take testing.TB (a sealed interface) and Goexit
rather than panic, so they are not unit-testable from outside testing.

Co-Authored-By: Virgil <virgil@lethean.io>
Add environment-independent coverage that did not need an external SDK
generator installed: the cancelled-context and blocked-output-dir error
branches shared by all four Generate dispatchers, the full
finalizeTypeScriptOutput pipeline (recursive copy, src-placement
decisions, package.json synthesis incl. metadata defaults and merge of
an existing manifest), the copy-helper stat/list failure branches, and
the LanguagesIter early-break yield path. The remaining uncovered lines
are the native-CLI/docker/npx execution branches, which require the real
generator binaries and so are not unit-coverable in a clean sandbox.

Co-Authored-By: Virgil <virgil@lethean.io>
Exercise the real banned-stdlib-wrapper branches the no-panic triplets
skipped: JSON marshal/unmarshal failure paths, ResolveCommand fallback
and all-missing paths, the nil-context and empty-command guards in
runCommand, an actual subprocess happy path (/bin/echo), a non-zero exit
(/usr/bin/false), the cancelled-context kill path (/bin/sleep), and the
absolute-path short-circuit in resolveExecutable. DS/Getwd/FromSlash env
overrides stay uncovered: Core seals DS and DIR_CWD in systemInfo with no
exported setter in this module version, so t.Setenv cannot reach them.

Co-Authored-By: Virgil <virgil@lethean.io>
…%->89%)

Drive the real branches the no-panic triplets skipped: every
DiffConfig.UnmarshalYAML node shape (scalar true/false, scalar decode
error, expanded mapping with/without enabled, sequence default-branch
failure), version-template resolution incl. the no-version and
empty-version fall-backs, monorepo output-path composition via a publish
path, config cloning isolation, language alias/dedup normalisation, all
diffSummary level/severity combinations, and the scramble + configured +
common-path branches of DetectSpec/detectScramble. The remaining gaps are
the php-export and generator-execution paths that need external tools.

Co-Authored-By: Virgil <virgil@lethean.io>
Add a failing io.Writer routed through SetStdout to reach the !written.OK
early-return branches, plus a recording writer to assert the real output
bytes of each helper on the success path.

Co-Authored-By: Virgil <virgil@lethean.io>
The existing suite covered the Renderable optional-interface branch but
not Streamable. Add a provider implementing Channels() and assert the
channels entry is emitted in the Info map.

Co-Authored-By: Virgil <virgil@lethean.io>
Add the stat-failure and real-binary fingerprint branches of
dockerRuntimeCommandState, and the explicit-fallback-path and
all-missing branches of the TypeScript native CLI resolver. npx is not
tested via fabricated fallback because it is commonly present on PATH and
would resolve there rather than via the fallback list.

Co-Authored-By: Virgil <virgil@lethean.io>
…les)

The go/ restructure (73debaa) moved pkg/ -> go/pkg/, but a global 'build/'
gitignore silently excluded go/pkg/build/ during 'git add'. That commit
recorded the deletion of the old pkg/build/ and never staged the new
location, so the entire build engine (builders, signing, installers, apple,
images, templates) vanished from the tree and disk. The module has not
compiled since.

Restored all 172 files from a8611a9 (parent of the restructure) into
go/pkg/build/. Import paths and the v0.9.0 CoreGO pin matched, so the tree
slots straight back in.

Also reconstructed apple RunOptions + runWithOptions in builders/apple.go:
referenced by the Apple builder's runner interface and call sites but never
defined in any commit (the builder was mid-refactor when lost). Wired
runWithOptions to ax.ExecWithEnv(ctx, dir, env, cmd, args...).

Co-Authored-By: Virgil <virgil@lethean.io>
daemon.Run wired the build-event hub to /api/v1/build/events twice: once
engine-level via coreapi.WithWSPath/WithWSHandler(hub.Handler()), and again
through BuildProvider's /events route (streamEvents -> hub.HandleWebSocket).
gin panics on the duplicate GET registration, so Run() panicked on startup.

Removed the engine-level wiring; BuildProvider owns /events (and has a
nil-hub 503 guard the engine path lacked). Surfaced by the pkg/build
recovery — pkg/service couldn't compile while the engine was missing, so the
panic was latent. TestDaemon_Run_{Good,Bad,Ugly} now pass.

Co-Authored-By: Virgil <virgil@lethean.io>
Fast-forward external/go submodule to the v0.10.3 tag (b48b896 -> f7a84db,
+60 commits, clean ancestor move) and repin go/go.mod. go mod tidy refreshed
go.sum/go.work.sum; the /go.mod hash is unchanged from v0.9.0, confirming
CoreGO stayed zero-dep across the bump. Workspace build + vet + full suite
green (4190 pass).

Co-Authored-By: Virgil <virgil@lethean.io>
go/cmd/build (build/apple/image/installers/project/pwa/release/sdk/service/
workflow commands + tests/examples) and go/tests/cli/build fixtures were
untracked working-tree WIP. They import pkg/build, so they could not compile
while the engine was missing; with pkg/build restored they build and their
tests pass (part of the 4190-test green run). Tracking them protects against
the same untracked-loss that swallowed pkg/build.

Note: still carries the repo-wide error-wrap-antipattern (core.NewError(
r.Error())); cleaned in the follow-up structural sweep.

Co-Authored-By: Virgil <virgil@lethean.io>
Apply the CoreGO idiom (Option A): return the failed Result directly
instead of re-wrapping via core.Fail(core.E(scope, msg,
core.NewError(r.Error()))). Matches external/go's fs.go reference and the
sites in this file that already propagated correctly.

Repointed 4 tests that asserted on the dropped wrapper strings to assert the
propagated inner messages (more specific): 'package name is required',
'permission denied', 'unknown project type', 'unsupported characters'.

pkg/release green (445 tests). First file of the repo-wide error-wrap sweep.

Co-Authored-By: Virgil <virgil@lethean.io>
…audit gaps

The root dappco.re/go/build package (build.go Service + service.go
NewService/Register/ServiceOptions) had no tests at all. Added meaningful
Good/Bad/Ugly triplets (distinct cases with real assertions, not
AssertNotPanics theatre) plus runnable examples, and the '// Usage example:'
doc marker on service.go.

Coverage 0.0% -> 100.0%. Clears 9 audit findings on these two files:
ax7-triplet-gaps, example-gaps, missing-test-files, missing-example-files,
service-usage-example (all now 0).

Co-Authored-By: Virgil <virgil@lethean.io>
Replaced a pre-existing AssertNotPanics/counter theatre triplet with
meaningful AX-7 triplets covering all cmd.go symbols. Tests assert on rendered
CLI output (captured via cli.SetStdout) and core.Result.OK/.Error()/exit codes
— diff exit codes 0/1/2, partial-registration failures, spec load errors.
Distinct Good/Bad/Ugly cases (no theatre). Test files only; cmd.go untouched.

Residual ~10% is the ax.Getwd() failure branch (DIR_CWD is init-frozen, not
inducible in-test) + generator-availability-gated formatting — documented, not
faked.

Co-Authored-By: Virgil <virgil@lethean.io>
Replaced an AssertNotPanics/counter theatre triplet with meaningful AX-7
triplets for all cmd.go symbols + focused branch tests (every-step-can-fail,
action wiring, config-load errors, absolute-output export). Drove
install/start/stop/uninstall through the package's overridable seams
(serviceGetwd, resolveServiceCfg, serviceManager via stubManager,
exportService, runDaemon) + cli.SetStdout capture — no real kardianos/service
controller or daemon loop started. Test files only.

Residual 1.1% is runServiceExport's post-MkdirAll write-error branch (needs
non-portable OS permission manipulation) — documented, not faked.

Co-Authored-By: Virgil <virgil@lethean.io>
Replaced an AssertNotPanics theatre triplet with meaningful AX-7 triplets.
latestTagWithContext(dir) covered 100% via hermetic temp git repos (git init +
isolated identity + gpgsign=false, all under t.TempDir()). cwd-bound handlers
(ax.Getwd reads init-frozen DIR_CWD, not redirectable) tested for
deterministic side-effect-free invariants only: dry-run stops at 'dist/ not
found' pre-network, version/changelog happy paths assert OK + rendered header,
cancellation/invalid-ref fail deterministically. Test files only; tree
confirmed clean post-run.

Honestly skipped: runCIReleaseInit (writes .core/release.yaml into the real
cwd = source tree; its logic is covered 100% via runCIReleaseInitInDir),
runCIPublish post-publish success (needs real registries/artifacts, no
injectable seam in cmd/ci), and unreachable ax.Getwd failure branches.

Co-Authored-By: Virgil <virgil@lethean.io>
…ol seam)

Replaced AssertNotPanics theatre triplets with meaningful AX-7 triplets.
No injectable exec runner here (signers call ax.CombinedOutput/ResolveCommand
directly), so the deterministic seam is fake #!/bin/sh tools written to a
t.TempDir() + t.Setenv(PATH) — the resolvers find them and the real
command-construction/exec paths run portably (gpg sign, codesign sign, the
zip->notarytool->stapler notarise flow incl. args-aware xcrun). GOOS gated via
t.Setenv (core.Env reads live env, unlike init-frozen DIR_CWD) to cover the
macOS signer on any host. Test files only.

Honestly skipped: signtool.Sign/Available (runtime.GOOS==windows, compile-time
gated; covered naming/validation/guard branches), SignBinaries windows arm,
and defensive post-Available tool-missing re-checks (unreachable via absolute
fallback paths on a real macOS host).

Co-Authored-By: Virgil <virgil@lethean.io>
request_test.go was entirely AssertNotPanics/counter theatre — 16 'passing'
tests that asserted nothing, which is why coverage sat at 59.6%. Replaced with
meaningful AX-7 triplets + 7 focused branch tests for FromOptions, LoadConfig,
ApplyOverrides, ParseCSV: inject the getwd/resolve seams (explicit fn params)
as stubs, assert decoded fields, auto-rebuild default-vs-set semantics, alias
precedence, both duration-parse error branches, relative/absolute path joining,
nil-config tolerance. 100% coverage, no skips, no fakery. Test file only.

Co-Authored-By: Virgil <virgil@lethean.io>
…e, drive handlers)

Replaced all AssertNotPanics/counter theatre triplets across the CLI layer
with meaningful AX-7 triplets (172->240 tests). Drove command Action closures
via c.Command(path).Run(opts) to deterministic outcomes (image --list,
apple bundle_id-required, release config-not-found, pwa/from-path input
validation); reused the service/release/installers override-var seams + temp
dirs for copyDir, loadAppleBuildConfig, resolvePWAAppConfig,
resolveReleaseWorkflowTargetPath, runServiceExport. Test files only.

Honest skips (76% is the ceiling without integration infra): runReleaseWorkflow
(writes .github/workflows into the init-frozen-cwd source tree; logic covered
via runReleaseWorkflowInDir), and the heavy orchestration handlers that shell
real go build / docker / linuxkit / nsis / Xcode (validation+error branches
covered, real-compile success left to integration).

Co-Authored-By: Virgil <virgil@lethean.io>
… execution

Approved design (Approach A) for promoting AppleBuilder's credential-free
operations (BuildWailsMacOS/CreateUniversal/CreateDMG) from sandbox-safe skeleton
to real execution via the GoProcessAppleRunner seam: default the runner to
executing, guard placeholder writes behind non-darwin, TDD command construction
with a recording runner. Sign/Notarise/TestFlight/AppStore stay skeleton
(credential-gated). Pre-implementation spec per superpowers brainstorming flow.

Co-Authored-By: Virgil <virgil@lethean.io>
…xecution

Bite-sized red-green-refactor plan (6 tasks): runner default -> executing +
protect existing darwin tests; CreateDMG placeholder guard; CreateUniversal lipo
command lock; BuildWailsMacOS OUTPUT_DIR + skeleton guard; optional skip-if-absent
real-lipo smoke; full verify + audit. Hermetic recording-runner command-construction
TDD throughout. Follows superpowers writing-plans.

Co-Authored-By: Virgil <virgil@lethean.io>
NewAppleBuilder now seeds runner with GoProcessAppleRunner{} so darwin
hosts execute external Apple tooling through the existing runExternal
seam; non-darwin hosts still record-only.

Protect the BuildWailsMacOS skeleton triplets with WithAppleHostOS("linux")
so they no longer shell a real wails3 on darwin. Promote recordingAppleRunner
into apple_realexec_test.go with a configurable result and newRecordingAppleRunner
constructor, migrating existing bare literals to the constructor.

Co-Authored-By: Virgil <virgil@lethean.io>
Snider and others added 12 commits June 4, 2026 09:36
Pin the lipo dispatch to exactly one call via AssertLen, drop the
misleading Good/Bad/Ugly suffixes from the free-form default-runner
behaviour tests (the off-darwin case is a by-design success, not a
failure), and reword the recordingAppleRunner.Run doc comment so the
primary flow reads correctly.

Co-Authored-By: Virgil <virgil@lethean.io>
…nly off-darwin)

CreateDMG previously wrote a skeleton placeholder over cfg.OutputPath
unconditionally, clobbering the real hdiutil convert output on darwin.
Guard the placeholder write behind a non-darwin host check so the genuine
DMG survives on macOS while off-darwin lanes still receive a marker file.

Protect the two pre-existing TestAppleDmg CreateDMG tests that asserted the
placeholder-file behaviour: the _Ugly file-on-disk case now runs on linux
(the placeholder path), and the _Good case stays on darwin to keep its
four-call hdiutil assertion, dropping the file assertion now covered by the
new off-darwin placeholder test.

Co-Authored-By: Virgil <virgil@lethean.io>
Add darwin/off-darwin behaviour tests pinning the lipo invocation:
exactly one -create call with the universal output binary plus both
arch slices as args, runner-failure propagation, and records-only on
non-darwin. No production change needed; the command construction was
already correct.

Co-Authored-By: Virgil <virgil@lethean.io>
…rwin

Tell wails3 v3 where to emit the .app via the OUTPUT_DIR env, and skip the
placeholder skeleton on darwin so the real wails3 output is the artifact
rather than being shadowed by a stub executable. Off-darwin keeps the
skeleton so downstream lanes still receive a bundle.

Fix the TestAppleBuilder_Good end-to-end darwin test: with the skeleton now
skipped on darwin and wails3 stubbed by the recording runner, the per-arch
.app bundles no longer materialise, so CreateUniversal had no arm64/amd64
source to lipo. Seed the bundles the real wails3 would have produced before
Build, preserving the full command-sequence assertion.

Co-Authored-By: Virgil <virgil@lethean.io>
Prove the default executing runner (GoProcessAppleRunner -> ax.ExecWithEnv)
drives a genuine lipo merge through CreateUniversal, with no recording
runner injected. Stage two real thin slices extracted from a universal
system binary, merge them, and assert the output is genuinely multi-arch.

Reads the fixture's actual archs (modern macOS ships x86_64 + arm64e, not
arm64) so the test stays robust across Macs. Skips cleanly on non-darwin,
missing lipo, a non-fat fixture, or extraction failure, keeping CI/linux
and credential-free machines green.

Co-Authored-By: Virgil <virgil@lethean.io>
GOFLAGS is space-tokenised, so a value like '-ldflags=-X main.version=v'
shatters into non-flag tokens ('-w', 'main.version=v') and go aborts with
'parsing $GOFLAGS: non-flag', breaking every go invocation in a wails-v3
build (surfaced as TaskfileBuilder 'exit 201'). Drop -ldflags from the
GOFLAGS string in buildV3GoFlags; the ldflags + version stamp already ride
the quoted BUILD_FLAGS task var. Two tests asserted the broken GOFLAGS as
correct — corrected + added regression guards.

Co-Authored-By: Virgil <virgil@lethean.io>
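
The GOFLAGS failure described in the commit above, as an added example (not go-build's own code). `FirstNonFlag` models only the go command's whitespace tokenisation and its non-flag rule; `SplitBuildFlags` is a hypothetical helper that keeps space-free flags in GOFLAGS and hands the rest back for a channel that preserves quoting, such as the BUILD_FLAGS task var the commit mentions.

```go
package main

import (
	"fmt"
	"strings"
)

// FirstNonFlag splits a GOFLAGS value the way the go command documents it
// (whitespace-separated -flag=value entries, no quoting) and returns the
// first token that is not a flag. Unknown-flag validation is not modelled.
func FirstNonFlag(goflags string) (string, bool) {
	for _, tok := range strings.Fields(goflags) {
		if !strings.HasPrefix(tok, "-") || tok == "-" || tok == "--" {
			return tok, true
		}
	}
	return "", false
}

// SplitBuildFlags (hypothetical helper) partitions build flags. An entry that
// survives tokenisation as exactly one field is safe for GOFLAGS; an entry
// whose value contains whitespace is returned separately so the caller can
// pass it through a quoted channel instead.
func SplitBuildFlags(flags []string) (goflags string, quoted []string) {
	var safe []string
	for _, f := range flags {
		switch len(strings.Fields(f)) {
		case 0:
			continue // empty entry, nothing to pass on
		case 1:
			safe = append(safe, strings.TrimSpace(f))
		default:
			quoted = append(quoted, f)
		}
	}
	return strings.Join(safe, " "), quoted
}

func main() {
	// The value quoted in the commit message.
	broken := "-ldflags=-X main.version=v"
	if tok, bad := FirstNonFlag(broken); bad {
		fmt.Printf("GOFLAGS %q is rejected at token %q\n", broken, tok)
	}

	// Constructed flag set: only -ldflags carries a space in its value.
	goflags, quoted := SplitBuildFlags([]string{
		"-trimpath", "-ldflags=-X main.version=v", "-tags=release",
	})
	_, bad := FirstNonFlag(goflags)
	fmt.Printf("GOFLAGS=%q rejected=%v quoted=%q\n", goflags, bad, quoted)
}
```
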
…kage target

`core build` already defers to a project's Taskfile (`task build`); `core build
apple` did not — it ran go-build's own generic Apple pipeline, which hard-
requires a Developer ID identity when sign is enabled and reimplements .app
assembly the project's Taskfile already owns (ad-hoc/Dev-ID sign, engine
bundling, LSUIElement plist).

Make the two consistent: when the project ships a Taskfile with a `package`
target, `core build apple` runs `task package` (mapping CertIdentity →
SIGN_IDENTITY, so an empty identity takes the Taskfile's ad-hoc default — no
Developer ID needed for a local build) and reports the .app it finds under the
wails-convention bin/. Upload flows (notarise / TestFlight / App Store) still
need the in-pipeline credential handling, so only plain build+sign delegates;
everything else falls through to build.BuildApple unchanged.

Verified end-to-end: `core build apple` on go-ai's lem-runtime now produces a
fresh ad-hoc-signed LEM Runtime.app (Identifier ai.lthn.lem-runtime) instead
of failing on the missing signing identity.

Tests: target detection (incl. darwin:package ≠ bare package), upload-flow and
no-target fall-through, and .app discovery by suffix.

Co-Authored-By: Virgil <virgil@lethean.io>
… "0 artifacts")

A wails v3 Taskfile writes its build product to the project's bin/ (the wails
convention), not the dist/ OUTPUT_DIR go-build passes the task. So a successful
`core build` on lem-runtime ran `task build`, produced bin/lem-runtime, then
reported "Built 0 artifacts" because TaskfileBuilder only scanned OUTPUT_DIR.

Add a fallback: when the OUTPUT_DIR scan is empty, look under bin/ then
build/bin/ (relative to the project) for the executable and any .app bundle.
Generic and safe — it only fires when OUTPUT_DIR yielded nothing, so projects
that do write to dist/ are unaffected.

Verified: `core build` on lem-runtime now reports the bin/lem-runtime artifact.
Tests cover the executable, the .app bundle, the empty case, and that hidden
files / loose non-executables in bin/ are not mistaken for products.

Co-Authored-By: Virgil <virgil@lethean.io>
…t dir

The build success line read "Built 1 artifacts (…/dist)" — wrong plural for a
single artifact, and the dim label showed the configured OUTPUT_DIR even when
the artifact actually landed in the project's bin/ (the wails Taskfile case).

Pluralise the noun by count, and label the line with the directory the
artifacts really landed in (relative to the project) rather than OUTPUT_DIR,
falling back to OUTPUT_DIR only when there is no artifact to point at. Now:
"Built 1 artifact (bin)".

Co-Authored-By: Virgil <virgil@lethean.io>
Advance external/go workspace submodule to v0.10.4 so dev (GOWORK on) and standalone (GOWORK=off) builds resolve the same core/go.

Co-Authored-By: Virgil <virgil@lethean.io>
Add the VZ guest LinuxKit definition and a resolve path that yields the
kernel+initrd artefact directory core/agent's VZ dispatch boots from — the
non-stopgap source for vzResolveImage (replaces the CORE_AGENT_VZ_IMAGE env
stopgap).

- pkg/build/images/core-dev-vz.yml: arm64 VZ guest def — virtio-vsock +
  virtio-fs kernel, an onboot step that mounts `mount -t virtiofs workspace
  /workspace`, and the cross-compiled vzagent baked as a service on vsock
  port 1024 (CAP_SYS_BOOT). Embedded via images/*.yml but kept OUT of
  linuxKitBaseCatalog so the legacy `core build image` pipeline ignores it.
  The full agent toolchain layer is defined in comments and marked build-host
  work (deferred).
- pkg/build/linuxkit_resolve.go: build.LinuxKitResolve renders the def with the
  staged vzagent binary, builds the kernel+initrd format, then assembles the
  canonical kernel/initrd.img/cmdline names matching go-container's
  vzResolveGuestArtefacts contract. linuxkit emits a gzip kernel; resolve
  inflates it to a raw arm64 Image (VZLinuxBootLoader does no decompression),
  leaving the initrd gzipped. A signature over the rendered def + vzagent
  content guards a cache: an unchanged input set with kernel + initrd.img
  present skips the build. The linuxkit exec is an injectable package var.
- cmd/build: `core build image-resolve --vzagent <path> --output <dir>` drives
  resolve and prints the artefact directory on the last stdout line — the
  machine-readable handle core/agent captures.
- Tests: filename mapping, dir assembly, gzip-kernel decompression + raw
  pass-through, caching decision + invalidation, and validation failures, all
  with a mocked linuxkit exec.

Verified against linuxkit v1.8.2: a real kernel+initrd build produces a
decompressed arm64 Image kernel (magic at offset 56) + gzip initrd + cmdline
in the artefact dir.

Co-Authored-By: Virgil <virgil@lethean.io>
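
The kernel handling and cache guard described in the commit above, as an added example (not the project's linuxkit_resolve.go). The function names, the SHA-256 length-prefixed form of the "signature", and the inflated-size cap are assumptions made for illustration; the arm64 Image magic at offset 56 is the one the commit refers to.

```go
package main

import (
	"bytes"
	"compress/gzip"
	"crypto/sha256"
	"encoding/binary"
	"encoding/hex"
	"errors"
	"fmt"
	"io"
)

const arm64MagicOffset = 56 // arm64 Linux Image header: "ARM\x64" at byte 56

var (
	arm64Magic = []byte{'A', 'R', 'M', 0x64}
	gzipMagic  = []byte{0x1f, 0x8b}
)

// IsARM64Image reports whether b carries the raw arm64 Image magic.
func IsARM64Image(b []byte) bool {
	return len(b) >= arm64MagicOffset+len(arm64Magic) &&
		bytes.Equal(b[arm64MagicOffset:arm64MagicOffset+len(arm64Magic)], arm64Magic)
}

// RawKernel returns an uncompressed arm64 Image. A gzip input is inflated, a
// raw input is passed through, and anything without the magic is rejected.
// maxSize caps the inflated size so a crafted archive cannot exhaust memory
// (an added hardening step, not something the commit describes).
func RawKernel(in []byte, maxSize int64) ([]byte, error) {
	out := in
	if bytes.HasPrefix(in, gzipMagic) {
		zr, err := gzip.NewReader(bytes.NewReader(in))
		if err != nil {
			return nil, fmt.Errorf("gzip header: %w", err)
		}
		defer zr.Close()
		out, err = io.ReadAll(io.LimitReader(zr, maxSize+1))
		if err != nil {
			return nil, fmt.Errorf("inflate kernel: %w", err)
		}
	}
	if int64(len(out)) > maxSize {
		return nil, errors.New("kernel exceeds size limit")
	}
	if !IsARM64Image(out) {
		return nil, errors.New("not a raw arm64 Image (magic missing at offset 56)")
	}
	return out, nil
}

// InputSignature digests the build inputs (rendered definition, vzagent
// binary). Each part is length-prefixed so that moving bytes from one input
// to the next cannot produce the same digest.
func InputSignature(parts ...[]byte) string {
	h := sha256.New()
	var n [8]byte
	for _, p := range parts {
		binary.BigEndian.PutUint64(n[:], uint64(len(p)))
		h.Write(n[:])
		h.Write(p)
	}
	return hex.EncodeToString(h.Sum(nil))
}

// CacheValid mirrors the stated rule: skip the build only when the input set
// is unchanged and both kernel and initrd.img are present.
func CacheValid(stored, current string, kernelPresent, initrdPresent bool) bool {
	return stored != "" && stored == current && kernelPresent && initrdPresent
}

// SampleImage builds a constructed 64-byte stand-in for a kernel Image.
func SampleImage() []byte {
	img := make([]byte, 64)
	copy(img[arm64MagicOffset:], arm64Magic)
	return img
}

// GzipBytes compresses b in memory, standing in for linuxkit's gzip kernel.
func GzipBytes(b []byte) []byte {
	var buf bytes.Buffer
	zw := gzip.NewWriter(&buf)
	zw.Write(b)
	zw.Close()
	return buf.Bytes()
}

func main() {
	raw, err := RawKernel(GzipBytes(SampleImage()), 1<<20)
	fmt.Println("inflated:", len(raw), "bytes, err:", err)

	def, agent := []byte("kernel: constructed-def"), []byte("constructed-vzagent")
	sig := InputSignature(def, agent)
	fmt.Println("cache hit, same inputs:", CacheValid(sig, InputSignature(def, agent), true, true))
	fmt.Println("cache hit, agent changed:", CacheValid(sig, InputSignature(def, []byte("v2")), true, true))
}
```
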
…ers/

Verified each design's work is present in source before removal; the docs are
redundant replication guides. Future superpowers output stays local (gitignored).

Co-Authored-By: Virgil <virgil@lethean.io>
coderabbitai Bot commented Jun 29, 2026


Important

Review skipped

Too many files!

This PR contains 248 files, which is 98 over the limit of 150.

To get a review, narrow the scope:
• coderabbit review --type committed # exclude uncommitted changes
• coderabbit review --dir # limit to a subdirectory
• coderabbit review --base # compare against a closer base

Upgrade to a paid plan to raise the limit.

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: b9d7483f-0955-4437-9404-d4963fa0f515

📥 Commits

Reviewing files that changed from the base of the PR and between 9d31caf and 8de89df.

⛔ Files ignored due to path filters (3)
  • .DS_Store is excluded by !**/.DS_Store
  • go.work.sum is excluded by !**/*.sum
  • go/go.sum is excluded by !**/*.sum
📒 Files selected for processing (248)
  • .gitignore
  • LICENCE
  • external/go
  • go/build.go
  • go/build_example_test.go
  • go/build_test.go
  • go/cmd/build/ci_output.go
  • go/cmd/build/ci_output_test.go
  • go/cmd/build/cmd_apple.go
  • go/cmd/build/cmd_apple_delegate_test.go
  • go/cmd/build/cmd_apple_example_test.go
  • go/cmd/build/cmd_apple_test.go
  • go/cmd/build/cmd_build.go
  • go/cmd/build/cmd_build_example_test.go
  • go/cmd/build/cmd_build_test.go
  • go/cmd/build/cmd_commands.go
  • go/cmd/build/cmd_helpers_test.go
  • go/cmd/build/cmd_image.go
  • go/cmd/build/cmd_image_example_test.go
  • go/cmd/build/cmd_image_test.go
  • go/cmd/build/cmd_installers.go
  • go/cmd/build/cmd_installers_example_test.go
  • go/cmd/build/cmd_installers_test.go
  • go/cmd/build/cmd_project.go
  • go/cmd/build/cmd_project_artifacts_test.go
  • go/cmd/build/cmd_project_example_test.go
  • go/cmd/build/cmd_project_test.go
  • go/cmd/build/cmd_pwa.go
  • go/cmd/build/cmd_pwa_test.go
  • go/cmd/build/cmd_release.go
  • go/cmd/build/cmd_release_example_test.go
  • go/cmd/build/cmd_release_test.go
  • go/cmd/build/cmd_sdk.go
  • go/cmd/build/cmd_sdk_test.go
  • go/cmd/build/cmd_service.go
  • go/cmd/build/cmd_service_example_test.go
  • go/cmd/build/cmd_service_test.go
  • go/cmd/build/cmd_workflow.go
  • go/cmd/build/cmd_workflow_example_test.go
  • go/cmd/build/cmd_workflow_test.go
  • go/cmd/build/tmpl/gui/go.mod.tmpl
  • go/cmd/build/tmpl/gui/html/.gitkeep
  • go/cmd/build/tmpl/gui/html/.placeholder
  • go/cmd/build/tmpl/gui/main.go.tmpl
  • go/cmd/ci/ci_test.go
  • go/cmd/ci/cmd_test.go
  • go/cmd/ci/stdlib_assert_test.go
  • go/cmd/sdk/cmd_test.go
  • go/cmd/sdk/stdlib_assert_test.go
  • go/cmd/service/cmd_test.go
  • go/cmd/service/stdlib_assert_test.go
  • go/go.mod
  • go/internal/ax/ax_behaviour_test.go
  • go/internal/buildtest/workflow_behaviour_test.go
  • go/internal/cli/cli_behaviour_test.go
  • go/internal/cmdutil/cmdutil_behaviour_test.go
  • go/internal/servicecmd/request_test.go
  • go/internal/testassert/testassert_behaviour_test.go
  • go/pkg/api/provider/provider_behaviour_test.go
  • go/pkg/build/apple.go
  • go/pkg/build/apple/apple.go
  • go/pkg/build/apple/apple_example_test.go
  • go/pkg/build/apple/apple_test.go
  • go/pkg/build/apple_example_test.go
  • go/pkg/build/apple_test.go
  • go/pkg/build/archive.go
  • go/pkg/build/archive_example_test.go
  • go/pkg/build/archive_test.go
  • go/pkg/build/build.go
  • go/pkg/build/build_example_test.go
  • go/pkg/build/build_test.go
  • go/pkg/build/builders/apple.go
  • go/pkg/build/builders/apple_dmg.go
  • go/pkg/build/builders/apple_dmg_example_test.go
  • go/pkg/build/builders/apple_dmg_test.go
  • go/pkg/build/builders/apple_example_test.go
  • go/pkg/build/builders/apple_notarise.go
  • go/pkg/build/builders/apple_notarise_example_test.go
  • go/pkg/build/builders/apple_notarise_test.go
  • go/pkg/build/builders/apple_plist.go
  • go/pkg/build/builders/apple_plist_example_test.go
  • go/pkg/build/builders/apple_plist_test.go
  • go/pkg/build/builders/apple_realexec_test.go
  • go/pkg/build/builders/apple_test.go
  • go/pkg/build/builders/cpp.go
  • go/pkg/build/builders/cpp_example_test.go
  • go/pkg/build/builders/cpp_test.go
  • go/pkg/build/builders/deno.go
  • go/pkg/build/builders/deno_test.go
  • go/pkg/build/builders/docker.go
  • go/pkg/build/builders/docker_example_test.go
  • go/pkg/build/builders/docker_test.go
  • go/pkg/build/builders/docs.go
  • go/pkg/build/builders/docs_example_test.go
  • go/pkg/build/builders/docs_test.go
  • go/pkg/build/builders/env.go
  • go/pkg/build/builders/go.go
  • go/pkg/build/builders/go_example_test.go
  • go/pkg/build/builders/go_test.go
  • go/pkg/build/builders/linuxkit.go
  • go/pkg/build/builders/linuxkit_example_test.go
  • go/pkg/build/builders/linuxkit_image.go
  • go/pkg/build/builders/linuxkit_image_example_test.go
  • go/pkg/build/builders/linuxkit_image_test.go
  • go/pkg/build/builders/linuxkit_test.go
  • go/pkg/build/builders/node.go
  • go/pkg/build/builders/node_example_test.go
  • go/pkg/build/builders/node_test.go
  • go/pkg/build/builders/package_manager.go
  • go/pkg/build/builders/php.go
  • go/pkg/build/builders/php_example_test.go
  • go/pkg/build/builders/php_test.go
  • go/pkg/build/builders/python.go
  • go/pkg/build/builders/python_example_test.go
  • go/pkg/build/builders/python_test.go
  • go/pkg/build/builders/resolver.go
  • go/pkg/build/builders/resolver_example_test.go
  • go/pkg/build/builders/resolver_init_test.go
  • go/pkg/build/builders/resolver_test.go
  • go/pkg/build/builders/rust.go
  • go/pkg/build/builders/rust_example_test.go
  • go/pkg/build/builders/rust_test.go
  • go/pkg/build/builders/taskfile.go
  • go/pkg/build/builders/taskfile_example_test.go
  • go/pkg/build/builders/taskfile_test.go
  • go/pkg/build/builders/taskfile_wails_artifacts_test.go
  • go/pkg/build/builders/wails.go
  • go/pkg/build/builders/wails_example_test.go
  • go/pkg/build/builders/wails_test.go
  • go/pkg/build/builders/zip_deterministic.go
  • go/pkg/build/builtin_resolver.go
  • go/pkg/build/builtin_resolver_example_test.go
  • go/pkg/build/builtin_resolver_test.go
  • go/pkg/build/cache.go
  • go/pkg/build/cache_example_test.go
  • go/pkg/build/cache_test.go
  • go/pkg/build/checksum.go
  • go/pkg/build/checksum_example_test.go
  • go/pkg/build/checksum_test.go
  • go/pkg/build/ci.go
  • go/pkg/build/ci_example_test.go
  • go/pkg/build/ci_test.go
  • go/pkg/build/config.go
  • go/pkg/build/config_example_test.go
  • go/pkg/build/config_test.go
  • go/pkg/build/discovery.go
  • go/pkg/build/discovery_example_test.go
  • go/pkg/build/discovery_test.go
  • go/pkg/build/env.go
  • go/pkg/build/env_example_test.go
  • go/pkg/build/env_test.go
  • go/pkg/build/images/core-dev-vz.yml
  • go/pkg/build/images/core-dev.yml
  • go/pkg/build/images/core-minimal.yml
  • go/pkg/build/images/core-ml.yml
  • go/pkg/build/installers.go
  • go/pkg/build/installers/installer.go
  • go/pkg/build/installers/installer_example_test.go
  • go/pkg/build/installers/installer_test.go
  • go/pkg/build/installers/templates/agent.sh.tmpl
  • go/pkg/build/installers/templates/ci.sh.tmpl
  • go/pkg/build/installers/templates/dev.sh.tmpl
  • go/pkg/build/installers/templates/go.sh.tmpl
  • go/pkg/build/installers/templates/php.sh.tmpl
  • go/pkg/build/installers/templates/setup.sh.tmpl
  • go/pkg/build/installers_example_test.go
  • go/pkg/build/installers_test.go
  • go/pkg/build/linuxkit_image.go
  • go/pkg/build/linuxkit_image_example_test.go
  • go/pkg/build/linuxkit_image_test.go
  • go/pkg/build/linuxkit_resolve.go
  • go/pkg/build/linuxkit_resolve_test.go
  • go/pkg/build/linuxkit_templates.go
  • go/pkg/build/linuxkit_templates_example_test.go
  • go/pkg/build/linuxkit_templates_test.go
  • go/pkg/build/options.go
  • go/pkg/build/options_example_test.go
  • go/pkg/build/options_test.go
  • go/pkg/build/pipeline.go
  • go/pkg/build/pipeline_example_test.go
  • go/pkg/build/pipeline_test.go
  • go/pkg/build/run.go
  • go/pkg/build/run_example_test.go
  • go/pkg/build/run_test.go
  • go/pkg/build/runtime_config.go
  • go/pkg/build/runtime_config_example_test.go
  • go/pkg/build/runtime_config_test.go
  • go/pkg/build/setup.go
  • go/pkg/build/setup_example_test.go
  • go/pkg/build/setup_test.go
  • go/pkg/build/signing/codesign.go
  • go/pkg/build/signing/codesign_example_test.go
  • go/pkg/build/signing/codesign_test.go
  • go/pkg/build/signing/gpg.go
  • go/pkg/build/signing/gpg_example_test.go
  • go/pkg/build/signing/gpg_test.go
  • go/pkg/build/signing/sign.go
  • go/pkg/build/signing/sign_example_test.go
  • go/pkg/build/signing/sign_test.go
  • go/pkg/build/signing/signer.go
  • go/pkg/build/signing/signer_example_test.go
  • go/pkg/build/signing/signer_test.go
  • go/pkg/build/signing/signing_test.go
  • go/pkg/build/signing/signtool.go
  • go/pkg/build/signing/signtool_example_test.go
  • go/pkg/build/signing/signtool_test.go
  • go/pkg/build/templates/release.yml
  • go/pkg/build/testdata/cpp-project/CMakeLists.txt
  • go/pkg/build/testdata/docs-project/mkdocs.yml
  • go/pkg/build/testdata/empty-project/.gitkeep
  • go/pkg/build/testdata/go-project/go.mod
  • go/pkg/build/testdata/monorepo-project/apps/web/package.json
  • go/pkg/build/testdata/multi-project/go.mod
  • go/pkg/build/testdata/multi-project/package.json
  • go/pkg/build/testdata/node-project/package.json
  • go/pkg/build/testdata/php-project/composer.json
  • go/pkg/build/testdata/python-project/pyproject.toml
  • go/pkg/build/testdata/rust-project/Cargo.toml
  • go/pkg/build/testdata/wails-project/go.mod
  • go/pkg/build/testdata/wails-project/wails.json
  • go/pkg/build/version.go
  • go/pkg/build/version_example_test.go
  • go/pkg/build/version_flags.go
  • go/pkg/build/version_flags_example_test.go
  • go/pkg/build/version_flags_test.go
  • go/pkg/build/version_templates.go
  • go/pkg/build/version_templates_example_test.go
  • go/pkg/build/version_templates_test.go
  • go/pkg/build/version_test.go
  • go/pkg/build/workflow.go
  • go/pkg/build/workflow_example_test.go
  • go/pkg/build/workflow_test.go
  • go/pkg/build/xcode_cloud.go
  • go/pkg/build/xcode_cloud_example_test.go
  • go/pkg/build/xcode_cloud_test.go
  • go/pkg/events/websocket_behaviour_test.go
  • go/pkg/release/release.go
  • go/pkg/release/release_test.go
  • go/pkg/sdk/generators/docker_runtime_behaviour_test.go
  • go/pkg/sdk/generators/generate_errors_behaviour_test.go
  • go/pkg/sdk/generators/typescript_finalize_behaviour_test.go
  • go/pkg/sdk/sdk_behaviour_test.go
  • go/pkg/service/daemon.go
  • go/pkg/storage/localstore_behaviour_test.go
  • go/service.go
  • go/service_example_test.go
  • go/service_test.go
  • go/tests/cli/build/Taskfile.yaml

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

@Snider Snider merged commit 6879e30 into main Jun 29, 2026
2 of 6 checks passed