Skip to content

feat(prx): beadsd-box OCI image + CI publish workflow (prx-634)#754

Merged
bdelanghe merged 9 commits into
mainfrom
feat/beadsd-box-image
Jun 23, 2026
Merged

feat(prx): beadsd-box OCI image + CI publish workflow (prx-634)#754
bdelanghe merged 9 commits into
mainfrom
feat/beadsd-box-image

Conversation

@bdelanghe

@bdelanghe bdelanghe commented Jun 23, 2026

Copy link
Copy Markdown
Contributor

Summary

  • Builds beadsd-box OCI image via nix dockerTools.streamLayeredImage (prx, bd, dolt, gitMinimal, cacert — entrypoint prx beads serve)
  • Pushes ghcr.io/bounded-systems/prx/beadsd-box to GHCR (aarch64-linux, same arch as Mac M-series podman machine)
  • Pins the image digest in beadsd-room.ts so podman pulls an immutable, content-addressed image
  • Exports BEADSD_ROOM_IMAGE constant (matches KEEPERD_ROOM_IMAGE pattern) — test stays in sync without hardcoding
  • Adds publish-oci-boxes.yml CI workflow: triggers on push: tags v* and workflow_dispatch; builds on ubuntu-24.04-arm (native aarch64-linux), pushes to GHCR with --digestfile, outputs digest in step summary for future repins

Test plan

  • bun test packages/prx/test/room/ — 80/80 pass
  • Image pushed and verified: ghcr.io/bounded-systems/prx/beadsd-box@sha256:b080ac973799c724f181df08b01de26c55d5a29d7f94fd54ba0cb1dd8cb57173
  • CI workflow builds on aarch64-linux runner and reports digest in step summary

🤖 Generated with Claude Code

@bdelanghe bdelanghe requested a review from a team as a code owner June 23, 2026 18:50
@github-code-quality

github-code-quality Bot commented Jun 23, 2026
edited
Loading

Copy link
Copy Markdown
Contributor

Code Coverage Overview

Languages: TypeScript

TypeScript / unit

The overall coverage in the branch remains at 88%, unchanged from the branch.

Show a code coverage summary of the most impacted files.
File d25eb7b 5158ad8 +/-
packages/prx/sr...chain-bridge.ts 91% 86% -5%
packages/prx/sr...pr-state/cli.ts 60% 60% 0%
packages/prx/sr.../room/podman.ts 99% 99% 0%
packages/prx/sr.../beadsd-room.ts 100% 100% 0%
packages/prx/sr...keeperd-room.ts 100% 100% 0%
packages/prx/src/room/spec.ts 100% 100% 0%
packages/prx/sr...dman-runtime.ts 84% 87% +3%

Updated June 23, 2026 19:46 UTC
Code Coverage is in Public Preview. Learn more and provide us with your feedback.

github-code-quality[bot]
github-code-quality Bot found potential problems Jun 23, 2026
View reviewed changes
Comment thread packages/prx/src/machine/contracts/anchored-chain-bridge.ts Fixed
Comment thread packages/prx/test/room/launch-pod.test.ts
// (attest + store the L2; the daemon remembers it so the box's writes auto-link).
// Best-effort attest: a failure surfaces as null but never tears the pod down.
import { describe, test, expect } from "bun:test";
import { describe, test, expect, afterEach } from "bun:test";
bdelanghe and others added 9 commits June 23, 2026 15:44
@bdelanghe @claude
feat: migrate to machine-schema v0.3.0 parse-seam API
0f95cef 
Replace all direct zod schema object usages with the new explicit type +
parse-function surface from @bounded-systems/machine-schema@0.3.0:

- handoff/cli.ts: handoffTargetActor.safeParse → safeParseHandoffTargetActor;
  handoffTargetActor.options → HANDOFF_TARGET_ACTOR_VALUES (3 call sites)
- handoff/store.ts: handoffEnvelope.parse → parseHandoffEnvelope (4 call sites)
- derive/cli.ts: z.array(rawStateV1Schema) → z.array(z.unknown().transform(parseRawStateV1))
- machine/contracts/guards.ts: rawStateV1Schema.parse → parseRawStateV1
- machine/contracts/anchored-chain-bridge.ts: rawStateV1Schema →
  z.unknown().transform(parseRawStateV1)
- pr-state/domain_state.ts: .shape.* → z.custom<T>(); rawStateV1Schema.parse →
  z.unknown().transform(parseRawStateV1) + parseRawStateV1
- machine/work_unit.ts: update brand comment (v0.3.0 uses unique-symbol brand,
  not zod BRAND — explicit `as WorkUnitId` casts remain correct)

Dependency: @bounded-systems/machine-schema@^0.3.0 (published separately).
CI is blocked until that package is available on JSR.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@bdelanghe @claude
feat(prx): TCP transport for keeperd on macOS virtiofs (→ non-null l2…
e86674b 
…LaunchDigest on Mac) (#749)

virtiofs forwards file semantics but not Unix socket semantics: the keeperd.sock
file appears on the macOS filesystem but connections from the Mac host fail with
ENOENT. TCP tunnels around this — keeperd-room declares tcpPort: 9999, podman
publishes -p 9999:9999 and passes --port 9999 as a CMD arg, and launchPod sets
KEEPERD_HOST=127.0.0.1:9999 so door-kit's client connects via TCP instead of
the Unix socket path. launchPod falls back to KEEPERD_SOCK (Unix) when tcpPort
is absent, so the Linux production path is unchanged.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@bdelanghe @claude
ci: publish beadsd-box OCI image to GHCR (prx-634)
16af3ec 
Adds publish-oci-boxes.yml — builds beadsd-box via nix on an aarch64-linux
runner (ubuntu-24.04-arm, same arch as Mac M-series podman machine) and pushes
to ghcr.io/bounded-systems/prx/beadsd-box with a digest-file so the SHA can be
pinned in beadsd-room.ts.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@bdelanghe @claude
feat(prx): pin beadsd-box OCI digest in beadsd-room (prx-634)
df69665 
Publishes ghcr.io/bounded-systems/prx/beadsd-box (aarch64-linux, nix
streamLayeredImage) and pins its digest in beadsd-room.ts so podman
pulls an immutable, content-addressed image instead of the placeholder
"beadsd-box" string.

Also exports BEADSD_ROOM_IMAGE from beadsd-room.ts (matching
KEEPERD_ROOM_IMAGE pattern) so the podman test stays in sync
without hardcoding the full reference.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@bdelanghe @claude
chore: update bun lockfile (machine-schema ^0.3.0)
cece363 
Regenerate after the package.json bump in 4b1e551 was not matched by
a lockfile update at the time.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@bdelanghe @claude
chore: add changeset for beadsd-box image pin (prx-634)
bfeb83a 
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@bdelanghe @claude
fix: migrate tests to machine-schema v0.3.0 API; fix raw_state_v1 dri…
ef3dc92 
…ft pin

- anchored-chain-bridge: `import type {z}` → `import {z}` (z used as value
  in defaultMachineSchemaMap); replace `z.unknown().transform(parseRawStateV1)`
  with a ZodObject + `.refine()` so the drift-pin test can introspect required
  keys (Zod v4 .transform() creates ZodPipe, .refine() stays ZodObject)
- envelope.test.ts: rewrite for v0.3.0 API (parseHandoffEnvelope /
  HANDOFF_TARGET_ACTOR_VALUES replace removed Zod schema exports)
- sprint.test.ts: use canonicalWorkUnitIdSchema.parse() instead of
  WorkUnitId cast — Zod v4 brand is $brand<"WorkUnitId"> not symbol-brand

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@bdelanghe @claude
chore: retire stale coverage baseline entry for podman-runtime.ts
71b1540 
podman-runtime.ts has crossed the 85% per-file threshold; remove from
the allow-below-85 list per the ratchet rule (baseline only shrinks).

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@bdelanghe @claude
ci: retrigger CI after coverage baseline fix
5158ad8 
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@bdelanghe bdelanghe force-pushed the feat/beadsd-box-image branch from a2d7d07 to 5158ad8 Compare June 23, 2026 19:45
@bdelanghe bdelanghe merged commit 513c2bd into main Jun 23, 2026
10 checks passed
@bdelanghe bdelanghe deleted the feat/beadsd-box-image branch June 23, 2026 19:48
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

1 more reviewer
@github-code-quality github-code-quality[bot] github-code-quality[bot] left review comments
Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@bdelanghe