@rip-lang/stamp 0.1.5 → 0.1.7

package/README.md

@@ -4,9 +4,9 @@
 
 **Declarative host provisioning — no state file, no agent, no YAML.**
 
-Stamp reads a Stampfile, resolves each directive to a handler, and reconciles
-the declared state against reality using three operations: **check**, **apply**,
-and **verify**.
+Stamp reads a Stampfile, resolves each directive to a handler, and
+reconciles the declared state against reality. No state file to lose.
+No agent to install. No YAML to wrestle. Just a blueprint and an engine.
 
 ```
 stamp apply Hostfile
@@ -14,49 +14,64 @@ stamp apply Hostfile
 
 ---
 
+## Why Stamp?
+
+- **No state file.** Every handler queries the live system. The Stampfile
+  IS the source of truth. Running `stamp apply` twice is always safe.
+- **Tiny directives.** Each handler is 30–50 lines of Rip. Three functions:
+  `check`, `apply`, `verify`. No imports, no boilerplate.
+- **Injection-safe by default.** Shell commands use `$"..."` tagged templates —
+  interpolated values can never become shell code.
+- **Pluggable.** Drop a `.rip` file in `directives/` and it just works.
+  Community handlers are npm packages with three exported functions.
+- **Cross-platform.** Works on macOS (Homebrew, Multipass) and Linux
+  (apt-get, ZFS, Incus, systemd).
+
+---
+
 ## Quick Start
 
 ```bash
-# Preview changes (read-only)
-stamp plan Hostfile
+stamp plan Hostfile       # preview what would change
+stamp apply Hostfile      # make it so
+stamp verify Hostfile     # audit current state
+```
 
-# Apply the declared state
-stamp apply Hostfile
+All three commands are read-safe. `plan` and `verify` never modify
+anything. `apply` only changes what doesn't match.
 
-# Audit current state
-stamp verify Hostfile
-```
+---
 
 ## Stampfile Syntax
 
 A Stampfile declares the desired state of a system. Each top-level entry
 names a resource using a **directive**. Indented lines below it describe
-properties.
+properties. The file is read top to bottom — order IS the dependency order.
+
+### Inline — one line, done
 
 ```
 packages curl git jq zfsutils-linux
+```
 
-pool tank /dev/sdb
-  compression zstd
-  atime off
+### Block — directive + properties
 
+```
 container web ubuntu/24.04
   profile trusted
   disk data /tank/web -> /data
   start
-
-firewall
-  default deny incoming
-  default allow outgoing
-  allow ssh
-  allow 443/tcp
 ```
 
-### Three levels of expression
+### Expanded — property with its own sub-block
 
-- **Inline** — single line: `packages curl git jq`
-- **Block** — directive + indented properties
-- **Expanded** — property with its own nested sub-block
+```
+container web ubuntu/24.04
+  disk data
+    source /tank/web
+    path /data
+    readonly true
+```
 
 ### Variables
 
@@ -65,11 +80,17 @@ set POOL   tank
 set DEVICE /dev/sdb
 
 pool $POOL $DEVICE
+  compression zstd
+  atime off
+  mountpoint /tank
 ```
 
+Variables are expanded before parsing. `$NAME` and `${NAME}` both work.
+Undefined variables expand to the empty string.
+
 ### The `->` operator
 
-Source-to-destination mapping:
+Source-to-destination mapping for disks, mounts, and similar:
 
 ```
 disk data /tank/web -> /data
@@ -88,78 +109,207 @@ datasets
     mode 2775
 ```
 
-## Built-in Directives
+This is syntactic sugar — `datasets` decomposes to individual `dataset`
+calls before dispatching.
 
-| Directive | Purpose |
-|-----------|---------|
-| `brew` | Homebrew packages (macOS) |
-| `packages` | System packages (apt-get) |
-| `pool` | ZFS pool creation |
-| `dataset` | ZFS dataset with ownership/permissions |
-| `profile` | Incus profile configuration |
-| `container` | Incus container management |
-| `incus` | Incus daemon initialization |
-| `multipass` | Multipass virtual machines |
-| `user` | System user management |
-| `group` | System group management |
-| `firewall` | ufw firewall rules |
-| `ssh` | SSH daemon configuration |
-| `service` | systemd service management |
+---
 
-## Handler Contract
+## Examples
 
-Every directive handler exports three async functions:
+### macOS: Create an Ubuntu VM with Multipass
 
-- **check(name, props)** — returns `"ok"`, `"drift"`, or `"missing"`
-- **apply(name, props)** — make reality match the declaration
-- **verify(name, props)** — return `[{ status, message }]` results
+```
+brew multipass
 
-## Plugin System
+multipass stamp 24.04
+  cpus 2
+  memory 4G
+  disk 20G
+  start
 
-Handlers resolve in this order:
+ensure unzip
+  check multipass exec stamp -- which unzip
+  apply multipass exec stamp -- sudo apt-get update -qq
+  apply multipass exec stamp -- sudo apt-get install -y -qq unzip
 
-1. Built-in (`directives/`)
-2. Local (`./directives/` beside Stampfile)
-3. Installed (`~/.stamp/directives/`)
-4. npm (`@stamp/<name>` or `stamp-<name>`)
-5. Remote (via `use` directive)
+ensure bun
+  check multipass exec stamp -- test -x /home/ubuntu/.bun/bin/bun
+  apply multipass exec stamp -- bash -lc "curl -fsSL https://bun.sh/install | bash"
 
-### Writing a directive
+ensure rip
+  check multipass exec stamp -- test -x /home/ubuntu/.bun/bin/rip
+  apply multipass exec stamp -- /home/ubuntu/.bun/bin/bun add -g rip-lang
+```
 
-```coffee
-import { sh, ok, run } from "@rip-lang/stamp/helpers"
+One file installs Multipass, creates a VM, and bootstraps Bun + Rip
+inside it. Run it again — everything shows `ok`, nothing changes.
+
+### Linux: Provision an Incus + ZFS host
+
+```
+set POOL   tank
+set DEVICE /dev/disk/by-id/scsi-0Linode_Volume_tank
+set MOUNT  /tank
+
+packages
+  zfsutils-linux
+  incus
+  openssh-server
+  fail2ban
+  ufw
+
+pool $POOL $DEVICE
+  compression zstd
+  atime off
+  mountpoint $MOUNT
+
+dataset $POOL/home
+dataset $POOL/home/web
+  owner 1000:1000
 
+incus
+  storage default zfs $POOL/incus/default
+  network incusbr0
+
+profile trusted
+  security.privileged true
+  limits.memory 2GB
+  limits.cpu 2
+
+container web ubuntu/24.04
+  profile trusted
+  disk home $MOUNT/home/web -> /home
+  user shreeve 1000:1000
+  start
+
+firewall
+  default deny incoming
+  default allow outgoing
+  allow ssh
+
+service fail2ban
+
+ssh
+  password-auth no
+  permit-root-login prohibit-password
+  pubkey-auth yes
+```
+
+This replaces ~600 lines of bash scripts, preseed templates, and
+numbered setup files with a single declarative file.
+
+---
+
+## Built-in Directives
+
+| Directive   | Purpose                                | Platform |
+|-------------|----------------------------------------|----------|
+| `brew`      | Homebrew packages                      | macOS    |
+| `packages`  | System packages (apt-get)              | Linux    |
+| `ensure`    | Guarded imperative commands            | any      |
+| `pool`      | ZFS pool creation                      | Linux    |
+| `dataset`   | ZFS dataset with ownership/permissions | Linux    |
+| `profile`   | Incus profile configuration            | Linux    |
+| `container` | Incus container management             | Linux    |
+| `incus`     | Incus daemon initialization            | Linux    |
+| `multipass` | Multipass virtual machines             | macOS    |
+| `user`      | System user management                 | Linux    |
+| `group`     | System group management                | Linux    |
+| `firewall`  | ufw firewall rules                     | Linux    |
+| `ssh`       | SSH daemon configuration               | Linux    |
+| `service`   | systemd service management             | Linux    |
+
+---
+
+## Writing a Directive
+
+A directive is a `.rip` file that exports three functions. That's it.
+No imports needed — `sh`, `ok`, and `run` are available globally.
+
+```coffee
 export name        = "mydirective"
 export description = "What it does"
 
 export check = (name, props) ->
-  return 'missing' unless ok "some-check"
+  return 'missing' unless ok $"some-check #{name}"
   'ok'
 
 export apply = (name, props) ->
-  sh "some-command"
+  sh $"some-command #{name}"
 
 export verify = (name, props) ->
-  [{ status: 'pass', message: 'looks good' }]
+  results = []
+  if ok $"some-check #{name}"
+    results.push { status: 'pass', message: "#{name} is good" }
+  else
+    results.push { status: 'fail', message: "#{name} is missing" }
+  results
 ```
 
+### Shell helpers
+
+| Function     | Returns                          | Use case               |
+|--------------|----------------------------------|------------------------|
+| `sh $"cmd"`  | stdout string, throws on failure | Do the thing           |
+| `ok $"cmd"`  | boolean                          | Does this exist?       |
+| `run $"cmd"` | `{ ok, stdout, stderr, code }`   | Need the full picture  |
+| `sh [array]` | stdout string, throws on failure | Dynamic argument lists |
+
+The `$"..."` syntax prevents shell injection — interpolated values are
+passed as separate arguments, never interpreted by a shell.
+
+### Handler contract
+
+- **check** has no side effects. Returns `"ok"`, `"drift"`, or `"missing"`.
+- **apply** is idempotent. Only called when check returns something other
+  than `"ok"`. The engine runs a post-apply re-check to confirm success.
+- **verify** has no side effects. Returns `[{ status, message }]` results
+  where status is `"pass"`, `"warn"`, or `"fail"`.
+
+### Plugin resolution
+
+Handlers resolve in this order:
+
+1. **Built-in** — `directives/` in the stamp package
+2. **Local** — `./directives/` beside the Stampfile
+3. **Installed** — `~/.stamp/directives/`
+4. **npm** — `@stamp/<name>` or `stamp-<name>`
+5. **Remote** — fetched via `use` directive in the Stampfile
+
+The first match wins. Drop a file in `./directives/` beside your
+Stampfile to override any built-in.
+
+---
+
 ## CLI
 
 ```
-stamp apply [file]           Reconcile system to match Stampfile
-stamp verify [file]          Check current state, report PASS/WARN/FAIL
-stamp plan [file]            Dry-run: show what apply would do
-stamp list                   Show all available directives
-stamp info <directive>       Show a directive's syntax and properties
-stamp version                Print version
-stamp help                   Show help
+stamp apply [file]       Reconcile system to match Stampfile
+stamp verify [file]      Check current state, report PASS/WARN/FAIL
+stamp plan [file]        Dry-run: show what apply would do
+stamp list               Show all available directives
+stamp info <directive>   Show a directive's syntax and properties
+stamp version            Print version
+stamp help               Show help
 ```
 
 Default file search: `Stampfile`, `Hostfile`, `Containerfile`.
 
+### Exit codes
+
+| Code | Meaning                                                         |
+|------|-----------------------------------------------------------------|
+| 0    | Success (apply completed, verify had no FAILs, plan found nothing) |
+| 1    | Failure (apply error, verify had FAILs, plan found changes)    |
+| 2    | Usage error (bad arguments, file not found)                    |
+
+---
+
 ## Runtime
 
-Bun + Rip. Zero dependencies beyond `rip-lang`.
+Bun + Rip. Zero dependencies beyond `rip-lang`. The entire engine —
+parser, handler resolution, execution loop, and shell helpers — is
+524 lines of Rip.
 
 ## License
 

package/directives/dataset.rip

@@ -15,7 +15,7 @@ export check = (path, props) ->
   'ok'
 
 export apply = (path, props) ->
-  sh $"zfs create #{path}" unless ok $"zfs list #{path}"
+  sh $"zfs create -p #{path}" unless ok $"zfs list #{path}"
   mountpoint = sh $"zfs get -H -o value mountpoint #{path}"
   sh $"chown #{props.owner[0].args[0]} #{mountpoint}" if props.owner
   sh $"chmod #{props.mode[0].args[0]} #{mountpoint}" if props.mode

package/directives/ensure.rip

@@ -0,0 +1,29 @@
+export name        = "ensure"
+export description = "Ensures a condition is met, running commands if not"
+export positional  = ["name"]
+export properties  =
+  check: { description: "Command to test — exit 0 means ok" }
+  apply: { description: "Commands to run if check fails", multi: true }
+
+getCheck = (props) ->
+  props.check?[0]?.args
+
+export check = (name, props) ->
+  return 'ok' unless args = getCheck(props)
+  if ok args then 'ok' else 'missing'
+
+export apply = (name, props) ->
+  if props.apply
+    for entry in props.apply
+      sh entry.args
+
+export verify = (name, props) ->
+  results = []
+  unless args = getCheck props
+    results.push { status: 'warn', message: "#{name} has no check command" }
+    return results
+  if ok args
+    results.push { status: 'pass', message: "#{name} is present" }
+  else
+    results.push { status: 'fail', message: "#{name} is missing" }
+  results

package/directives/firewall.rip

@@ -18,13 +18,14 @@ export check = (name, props) ->
     status = sh $"ufw status verbose"
     for entry in props.default
       [action, direction] = entry.args
-      return 'drift' unless status.includes action
+      return 'drift' unless status.includes "#{action} (#{direction})"
 
   if props.allow
-    status = sh $"ufw status"
+    status ??= sh $"ufw status verbose"
     for entry in props.allow
       rule = entry.args.join ' '
-      return 'drift' unless status.toUpperCase().includes rule.toUpperCase()
+      port = (run $"getent services #{rule}").stdout.split(/\s+/)?[1] or ''
+      return 'drift' unless status.toUpperCase().includes(rule.toUpperCase()) or status.includes(port)
 
   'ok'
 
@@ -65,14 +66,19 @@ export verify = (name, props) ->
     status = sh $"ufw status verbose"
     for entry in props.default
       [action, direction] = entry.args
-      if status.includes action
+      if status.includes "#{action} (#{direction})"
         results.push { status: 'pass', message: "default #{action} #{direction}" }
       else
         results.push { status: 'fail', message: "default #{action} #{direction} not set" }
 
   if props.allow
+    status ??= sh $"ufw status verbose"
     for entry in props.allow
       rule = entry.args.join ' '
-      results.push { status: 'pass', message: "allow #{rule}" }
+      port = (run $"getent services #{rule}").stdout.split(/\s+/)?[1] or ''
+      if status.toUpperCase().includes(rule.toUpperCase()) or status.includes(port)
+        results.push { status: 'pass', message: "allow #{rule}" }
+      else
+        results.push { status: 'fail', message: "allow #{rule} not found" }
 
   results

package/directives/incus.rip

@@ -11,6 +11,7 @@ export check = (name, props) ->
   if props.storage
     poolName = props.storage[0].args[0]
     return 'drift' unless ok $"incus storage show #{poolName}"
+    return 'drift' unless ok $"incus profile device get default root pool"
 
   if props.network
     bridge = props.network[0].args[0]
@@ -76,14 +77,16 @@ export apply = (name, props) ->
       raise "incus admin init failed: #{out.stderr.toString().trim()}"
   else
     if props.storage
-      poolName = props.storage[0].args[0]
+      [poolName, driver, source] = props.storage[0].args
       unless ok $"incus storage show #{poolName}"
-        raise "Incus already initialized but storage pool '#{poolName}' does not exist"
+        sh $"incus storage create #{poolName} #{driver} source=#{source}"
+      unless ok $"incus profile device get default root pool"
+        sh $"incus profile device add default root disk path=/ pool=#{poolName}"
 
     if props.network
       bridge = props.network[0].args[0]
       unless ok $"incus network show #{bridge}"
-        raise "Incus already initialized but network '#{bridge}' does not exist"
+        sh $"incus network create #{bridge}"
 
 export verify = (name, props) ->
   results = []

package/directives/pool.rip

@@ -9,6 +9,12 @@ export properties  =
 
 export check = (name, props) ->
   return 'missing' unless ok $"zpool list #{name}"
+  if want = props.compression?[0]?.args?[0]
+    return 'drift' if want isnt sh $"zfs get -H -o value compression #{name}"
+  if want = props.atime?[0]?.args?[0]
+    return 'drift' if want isnt sh $"zfs get -H -o value atime #{name}"
+  if want = props.mountpoint?[0]?.args?[0]
+    return 'drift' if want isnt sh $"zfs get -H -o value mountpoint #{name}"
   'ok'
 
 export apply = (name, props) ->
@@ -16,8 +22,8 @@ export apply = (name, props) ->
   raise "pool '#{name}' requires a device argument" unless device
 
   unless ok $"zpool list #{name}"
-    raise "Block device not found: #{device}" unless ok $"test -b #{device}"
-    raise "Device #{device} has existing data. Run 'wipefs -a #{device}' first." if ok $"blkid #{device}"
+    raise "Device not found: #{device}" unless ok $"test -b #{device}" or ok $"test -f #{device}"
+    raise "Device #{device} has existing data. Run 'wipefs -a #{device}' first." if ok $"test -b #{device}" and ok $"blkid #{device}"
 
     ashift = props.ashift?[0]?.args?[0] or '12'
     sh $"zpool create -f -o ashift=#{ashift} #{name} #{device}"

package/directives/ssh.rip

@@ -15,6 +15,12 @@ OPTION_MAP =
   'permit-root-login': 'PermitRootLogin'
   'pubkey-auth':       'PubkeyAuthentication'
 
+SYNONYMS =
+  'without-password': 'prohibit-password'
+
+normalize = (val) ->
+  SYNONYMS[val] or val
+
 export check = (name, props) ->
   out = run $"sshd -T"
   return 'missing' unless out.ok
@@ -24,7 +30,7 @@ export check = (name, props) ->
     sshdKey = OPTION_MAP[key]?.toLowerCase()
     continue unless sshdKey
     match = out.stdout.match new RegExp "^#{sshdKey}\\s+(\\S+)", 'mi'
-    return 'drift' if match?[1] != want
+    return 'drift' if normalize(match?[1]) != want
 
   'ok'
 
@@ -55,7 +61,7 @@ export verify = (name, props) ->
     sshdKey = OPTION_MAP[key]?.toLowerCase()
     continue unless sshdKey
     match = out.stdout.match new RegExp "^#{sshdKey}\\s+(\\S+)", 'mi'
-    actual = match?[1]
+    actual = normalize match?[1]
     if actual == want
       results.push { status: 'pass', message: "#{key} is #{want}" }
     else

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@rip-lang/stamp",
-  "version": "0.1.5",
+  "version": "0.1.7",
   "author": "Steve Shreeve <steve.shreeve@gmail.com>",
   "repository": {
     "type": "git",
@@ -19,6 +19,7 @@
     "bin/",
     "src/",
     "directives/",
+    "stamps/",
     "README.md"
   ],
   "homepage": "https://github.com/shreeve/rip-lang/tree/main/packages/stamp#readme",
@@ -40,6 +41,6 @@
   },
   "type": "module",
   "dependencies": {
-    "rip-lang": ">=3.13.106"
+    "rip-lang": ">=3.13.108"
   }
 }

package/src/cli.rip

@@ -3,7 +3,8 @@ import * as path from 'path'
 import { parse } from './parser.rip'
 import { execute } from './engine.rip'
 
-VERSION = '0.1.0'
+pkg = JSON.parse fs.readFileSync path.join(import.meta.dir, '..', 'package.json'), 'utf-8'
+VERSION = pkg.version
 
 # ── Default file resolution ──────────────────────────────────────────────────
 
@@ -37,7 +38,7 @@ showVersion = ->
 # ── Subcommands ──────────────────────────────────────────────────────────────
 
 runMode = (mode, file) ->
-  stampfile = file or findStampfile!
+  stampfile = file or findStampfile()
 
   unless stampfile
     warn "No Stampfile found. Provide a file or create Stampfile, Hostfile, or Containerfile."
@@ -63,7 +64,7 @@ runMode = (mode, file) ->
     exit 1
 
 listDirectives = ->
-  builtins = ['brew', 'packages', 'pool', 'dataset', 'profile', 'container', 'incus', 'multipass', 'user', 'group', 'firewall', 'ssh', 'service']
+  builtins = ['brew', 'packages', 'ensure', 'pool', 'dataset', 'profile', 'container', 'incus', 'multipass', 'user', 'group', 'firewall', 'ssh', 'service']
   p "\nBuilt-in directives:\n"
   for name in builtins
     p "  #{name}"

package/src/engine.rip

@@ -11,9 +11,11 @@ globalThis.run ??= run
 
 STAMP_HOME = process.env.STAMP_HOME or path.join(process.env.HOME or '', '.stamp')
 
+BUILTIN_DIR = path.join import.meta.dir, '..', 'directives'
+
 resolveHandler = (type, stampDir) ->
   candidates = [
-    path.join(stampDir, '..', 'directives', "#{type}.rip")       # Built-in
+    path.join(BUILTIN_DIR, "#{type}.rip")                        # Built-in
     path.join(stampDir, 'directives', "#{type}.rip")              # Local (beside Stampfile)
     path.join(stampDir, 'directives', "#{type}.js")
     path.join(STAMP_HOME, 'directives', "#{type}.rip")           # Installed
@@ -80,18 +82,19 @@ export apply = (directives, handlers) ->
   for dir in directives
     handler = handlers[dir.type]
     props   = propsFor dir
+    label   = dir.name or dir.args?.join(' ') or null
     result  = handler.check! dir.name, props
 
     if result == 'ok'
-      log.ok dir.type, dir.name
+      log.ok dir.type, label
     else
-      log.apply dir.type, dir.name
+      log.apply dir.type, label
       handler.apply! dir.name, props
 
       after = handler.check! dir.name, props
       if after != 'ok'
-        log.fail dir.type, dir.name, "still not ok after apply"
-        throw new Error "Directive '#{dir.type}#{if dir.name then ' ' + dir.name else ''}' failed post-apply check"
+        log.fail dir.type, label, "still not ok after apply"
+        raise "Directive '#{dir.type}#{if label then ' ' + label else ''}' failed post-apply check"
       applied++
 
   p "\nApplied #{applied} of #{total} directives."
@@ -120,12 +123,13 @@ export plan = (directives, handlers) ->
   for dir in directives
     handler = handlers[dir.type]
     props   = propsFor dir
+    label   = dir.name or dir.args?.join(' ') or null
     result  = handler.check! dir.name, props
 
     switch result
-      when 'ok'      then log.ok dir.type, dir.name
-      when 'drift'   then log.update dir.type, dir.name; changes++
-      when 'missing' then log.create dir.type, dir.name; changes++
+      when 'ok'      then log.ok dir.type, label
+      when 'drift'   then log.update dir.type, label; changes++
+      when 'missing' then log.create dir.type, label; changes++
 
   if changes > 0
     p "\n#{changes} change#{if changes > 1 then 's' else ''} would be applied."

package/src/parser.rip

@@ -159,7 +159,7 @@ export parse = (source, env = {}) ->
     singular = PLURALS[dir.type]
     if singular
       for own pname, props of dir.properties
-        sub = { type: singular, name: pname, args: [], properties: {}, line: dir.line }
+        sub = { type: singular, name: pname, args: props[0]?.args or [], properties: {}, line: dir.line }
         for prop in props when prop.args.length or prop.source? or prop.sub?
           for own k, v of (prop.sub ?? {})
             sub.properties[k] = v

package/stamps/basic

@@ -0,0 +1,17 @@
+# Test Stampfile
+
+set NAME  testhost
+set POOL  tank
+
+packages curl git jq
+
+group trust 1101
+group jail 1002
+
+user shreeve 1100:1100
+  groups trust
+
+firewall
+  default deny incoming
+  default allow outgoing
+  allow ssh

package/stamps/host

@@ -0,0 +1,102 @@
+# Hostfile — test parsing only
+
+set POOL     tank
+set DEVICE   /dev/disk/by-id/scsi-0Linode_Volume_tank
+set MOUNT    /tank
+set INCUS_DS incus/default
+set SHARED   shared/common
+
+# ── system packages ──────────────────────────────────────────
+
+packages
+  zfsutils-linux
+  incus
+  uidmap
+  acl
+  gettext-base
+  openssh-server
+  ripgrep
+  fail2ban
+  ufw
+  unattended-upgrades
+
+# ── ZFS pool and datasets ───────────────────────────────────
+
+pool $POOL $DEVICE
+  ashift 12
+  compression zstd
+  atime off
+  mountpoint $MOUNT
+
+dataset $POOL/$INCUS_DS
+
+dataset $POOL/home
+dataset $POOL/home/foo
+  owner 1000:1000
+dataset $POOL/home/bar
+  owner 1000:1000
+
+dataset $POOL/$SHARED
+  owner 1001:1001
+  mode 2775
+
+# ── host users and groups ───────────────────────────────────
+
+user shreeve 1000:1000
+  groups trust
+
+user trust 1001:1001
+
+group jail 1002
+
+# ── Incus initialization ────────────────────────────────────
+
+incus
+  storage default zfs $POOL/$INCUS_DS
+  network incusbr0
+
+# ── Incus profiles ──────────────────────────────────────────
+
+profile trusted
+  security.privileged true
+  limits.memory 2GB
+  limits.cpu 2
+
+profile hardened
+  security.idmap.isolated true
+  security.nesting false
+  limits.memory 1GB
+  limits.cpu 1
+  limits.processes 512
+
+# ── containers ──────────────────────────────────────────────
+
+container foo ubuntu/24.04
+  profile trusted
+  disk home $MOUNT/home/foo -> /home
+  disk shared $MOUNT/$SHARED -> /shared
+  user shreeve 1000:1000
+  user trust 1001:1001
+  start
+
+container bar ubuntu/24.04
+  profile trusted
+  disk home $MOUNT/home/bar -> /home
+  disk shared $MOUNT/$SHARED -> /shared readonly
+  user shreeve 1000:1000
+  user trust 1001:1001
+  start
+
+# ── security ────────────────────────────────────────────────
+
+firewall
+  default deny incoming
+  default allow outgoing
+  allow ssh
+
+service fail2ban
+
+ssh
+  password-auth no
+  permit-root-login prohibit-password
+  pubkey-auth yes

package/stamps/mac-install

@@ -0,0 +1,22 @@
+# VMfile — Ubuntu 24.04 VM on macOS via Multipass
+
+brew multipass
+
+multipass stamp 24.04
+  cpus 2
+  memory 4G
+  disk 20G
+  start
+
+ensure unzip
+  check multipass exec stamp -- which unzip
+  apply multipass exec stamp -- sudo apt-get update -qq
+  apply multipass exec stamp -- sudo apt-get install -y -qq unzip
+
+ensure bun
+  check multipass exec stamp -- test -x /home/ubuntu/.bun/bin/bun
+  apply multipass exec stamp -- bash -lc "curl -fsSL https://bun.sh/install | bash"
+
+ensure rip
+  check multipass exec stamp -- test -x /home/ubuntu/.bun/bin/rip
+  apply multipass exec stamp -- /home/ubuntu/.bun/bin/bun add -g rip-lang

package/stamps/mac-vm

@@ -0,0 +1,95 @@
+# VMHostfile — Full Incus + ZFS host inside a Multipass VM
+#
+# Adapted from Hostfile for local VM testing:
+#   - File-backed ZFS pool (no block device)
+#   - UIDs offset to avoid conflict with ubuntu (1000)
+
+set POOL     tank
+set MOUNT    /tank
+set INCUS_DS incus/default
+set SHARED   shared/common
+
+# ── system packages ──────────────────────────────────────────
+
+packages
+  zfsutils-linux
+  incus
+  uidmap
+  acl
+  gettext-base
+  openssh-server
+  ripgrep
+  fail2ban
+  ufw
+  unattended-upgrades
+
+# ── ZFS pool (file-backed for VM testing) ────────────────────
+
+ensure tank-image
+  check test -f /tmp/tank.img
+  apply truncate -s 2G /tmp/tank.img
+
+pool $POOL /tmp/tank.img
+  compression zstd
+  atime off
+  mountpoint $MOUNT
+
+# ── ZFS datasets ─────────────────────────────────────────────
+
+dataset $POOL/$INCUS_DS
+
+dataset $POOL/home
+dataset $POOL/home/foo
+  owner 1100:1100
+dataset $POOL/home/bar
+  owner 1100:1100
+
+dataset $POOL/$SHARED
+  owner 1101:1101
+  mode 2775
+
+# ── host users and groups ────────────────────────────────────
+
+group trust 1101
+group jail 1002
+
+user shreeve 1100:1100
+  groups trust
+
+user trust 1101:1101
+
+# ── Incus initialization ─────────────────────────────────────
+
+incus
+  storage default zfs $POOL/$INCUS_DS
+  network incusbr0
+
+# ── Incus profiles ───────────────────────────────────────────
+
+profile trusted
+  security.privileged true
+  limits.memory 1GB
+  limits.cpu 1
+
+# ── containers ───────────────────────────────────────────────
+
+container foo images:ubuntu/24.04
+  profile trusted
+  disk home $MOUNT/home/foo -> /home
+  disk shared $MOUNT/$SHARED -> /shared
+  user shreeve 1100:1100
+  start
+
+# ── security ─────────────────────────────────────────────────
+
+firewall
+  default deny incoming
+  default allow outgoing
+  allow ssh
+
+service fail2ban
+
+ssh
+  password-auth no
+  permit-root-login prohibit-password
+  pubkey-auth yes