kanibako-cli 1.5.0.dev14__py3-none-any.whl

kanibako/containers/Containerfile.kanibako

@@ -0,0 +1,99 @@
+# Shared Containerfile for all kanibako image variants.
+# The droste base tier is selected via --build-arg BASE_IMAGE=...
+# (seed → min, fiber → oci, thread → lxc, hair → vm).
+ARG BASE_IMAGE=ghcr.io/doctorjei/droste-fiber:1.1.0
+FROM $BASE_IMAGE
+
+ARG AGENT_USER=agent
+ARG VARIANT=oci
+
+USER root
+
+# Rename droste user (UID 1000) to the desired agent username
+RUN existing=$(getent passwd 1000 | cut -d: -f1); \
+    if [ -n "$existing" ] && [ "$existing" != "$AGENT_USER" ]; then \
+        usermod -l "$AGENT_USER" -d "/home/$AGENT_USER" -m "$existing" \
+        && groupmod -n "$AGENT_USER" "$existing"; \
+    fi \
+    && echo "$AGENT_USER ALL=(ALL) NOPASSWD:ALL" > /etc/sudoers.d/$AGENT_USER \
+    && chmod 0440 /etc/sudoers.d/$AGENT_USER
+
+# Fix subuid/subgid ownership after user rename (droste -> agent)
+RUN if [ -f /etc/subuid ]; then sed -i "s/^droste:/$AGENT_USER:/" /etc/subuid; fi \
+    && if [ -f /etc/subgid ]; then sed -i "s/^droste:/$AGENT_USER:/" /etc/subgid; fi
+
+# Packages kanibako needs that the droste bases at our tiers don't supply.
+# nodejs/npm back MCP servers + tweakcc. cifs-utils/nfs-common/openssh-client
+# are absent from seed (min) and fiber (oci); they ship in thread/hair
+# (lxc/vm), where reinstalling them is a no-op.
+RUN apt-get update && apt-get install -y --no-install-recommends \
+    cifs-utils \
+    nfs-common \
+    nodejs \
+    npm \
+    openssh-client \
+    && rm -rf /var/lib/apt/lists/*
+
+# Lean CLI tools for the seed-based min variant only. fiber (oci) and the
+# thread/hair tiers (lxc/vm) already ship these via droste, so install them
+# only where the base lacks them. gh and uv are intentionally omitted from
+# min — add them locally if a min box ever needs them.
+RUN if [ "$VARIANT" = "min" ]; then \
+        apt-get update && apt-get install -y --no-install-recommends \
+            fd-find \
+            inotify-tools \
+            ripgrep \
+            sshpass \
+        && rm -rf /var/lib/apt/lists/* \
+        && ln -sf /usr/bin/fdfind /usr/local/bin/fd; \
+    fi
+
+RUN if command -v pip >/dev/null 2>&1; then \
+        pip install --break-system-packages kanibako-base build twine; \
+    fi
+
+# tweakcc: custom Claude Code patching tool (requires node/npm)
+RUN if command -v npm >/dev/null 2>&1; then \
+        npm install -g tweakcc 2>/dev/null || true; \
+    fi
+
+# LXC-specific fixes: mask failing units, enable DHCP, configure rootless Podman
+RUN if [ "$VARIANT" = "lxc" ]; then \
+        : > /etc/fstab \
+        && systemctl mask \
+            systemd-remount-fs.service systemd-growfs-root.service \
+            dev-hugepages.mount dev-mqueue.mount run-lock.mount \
+            tmp.mount run-rpc_pipefs.mount \
+        && systemctl enable getty@console.service \
+        && mkdir -p /etc/systemd/network \
+        && printf '[Match]\nName=eth0\n\n[Network]\nDHCP=yes\n' \
+               > /etc/systemd/network/80-dhcp.network \
+        && mkdir -p /etc/containers \
+        && printf '[engine]\ncgroup_manager = "cgroupfs"\n\n[network]\ndefault_rootless_network_cmd = "slirp4netns"\n' \
+               > /etc/containers/containers.conf \
+        && mkdir -p /var/lib/systemd/linger \
+        && touch "/var/lib/systemd/linger/$AGENT_USER"; \
+    fi
+
+# LXC/VM need systemd as PID 1; OCI/min use /bin/bash
+RUN if [ "$VARIANT" = "lxc" ] || [ "$VARIANT" = "vm" ]; then \
+        printf '#!/bin/bash\nexec /sbin/init\n' > /usr/local/bin/kanibako-entrypoint; \
+    else \
+        printf '#!/bin/bash\nexec /bin/bash "$@"\n' > /usr/local/bin/kanibako-entrypoint; \
+    fi \
+    && chmod +x /usr/local/bin/kanibako-entrypoint
+
+# Default tmux config (user can override via shell template or bind mount)
+COPY tmux.conf /etc/tmux.conf
+
+USER $AGENT_USER
+WORKDIR /home/$AGENT_USER
+
+ENV LANG=C.UTF-8
+ENV PATH="/home/$AGENT_USER/.local/bin:${PATH}"
+
+RUN mkdir -p workspace .local/state/kanibako .local/bin share-ro share-rw
+
+WORKDIR /home/$AGENT_USER/workspace
+
+ENTRYPOINT ["/usr/local/bin/kanibako-entrypoint"]

kanibako/containers/Containerfile.template-android

@@ -0,0 +1,55 @@
+# kanibako-template: Android SDK command-line tools + NDK
+# kanibako-template-check: java -version
+# kanibako-template-check: sdkmanager --version
+# kanibako-template-check: adb --version
+# Android development template: command-line tools, platform-tools,
+# platform android-34, build-tools 34.0.0, NDK, and a JDK.
+# Built on top of any kanibako base image.
+#
+# Default base: kanibako-oci:latest. Override with:
+#   podman build --build-arg BASE_IMAGE=ghcr.io/doctorjei/kanibako-lxc:latest ...
+ARG BASE_IMAGE=ghcr.io/doctorjei/kanibako-oci:latest
+FROM $BASE_IMAGE
+
+# Re-declare ARG after FROM so $BASE_IMAGE is in scope for RUN.
+# Surfaces the actual base in build output (default or explicit).
+ARG BASE_IMAGE
+RUN echo "[kanibako template] Building android on BASE_IMAGE=$BASE_IMAGE"
+
+USER root
+
+# Android tooling needs a JDK; use the distro default (same as the jvm
+# template, which builds cleanly on every base). unzip extracts the
+# command-line tools archive.
+RUN apt-get update && apt-get install -y --no-install-recommends \
+    default-jdk \
+    unzip \
+    && rm -rf /var/lib/apt/lists/*
+
+ENV ANDROID_SDK_ROOT=/opt/android-sdk
+ENV PATH="${PATH}:/opt/android-sdk/cmdline-tools/latest/bin:/opt/android-sdk/platform-tools"
+
+# Install the Android command-line tools (pinned release) into
+# $ANDROID_SDK_ROOT/cmdline-tools/latest/. The zip extracts a top-level
+# cmdline-tools/ dir, which sdkmanager requires to live under latest/.
+RUN curl -fsSL \
+        https://dl.google.com/android/repository/commandlinetools-linux-11076708_latest.zip \
+        -o /tmp/cmdline-tools.zip \
+    && mkdir -p "$ANDROID_SDK_ROOT/cmdline-tools" \
+    && unzip -q /tmp/cmdline-tools.zip -d /tmp/android-cmdline \
+    && mv /tmp/android-cmdline/cmdline-tools "$ANDROID_SDK_ROOT/cmdline-tools/latest" \
+    && rm -rf /tmp/cmdline-tools.zip /tmp/android-cmdline
+
+# Accept licenses and install a minimal SDK set (pinned versions).
+RUN yes | sdkmanager --licenses \
+    && sdkmanager \
+        "platform-tools" \
+        "platforms;android-34" \
+        "build-tools;34.0.0" \
+        "ndk;26.1.10909125"
+
+# Hand the SDK tree to the agent user so it can run/update tooling.
+RUN chown -R agent:agent "$ANDROID_SDK_ROOT"
+
+USER agent
+WORKDIR /home/agent/workspace

kanibako/containers/Containerfile.template-dotnet

@@ -0,0 +1,29 @@
+# kanibako-template: .NET SDK (LTS)
+# kanibako-template-check: dotnet --info
+# .NET development template: .NET SDK on the 8.0 LTS channel.
+# Built on top of any kanibako base image.
+#
+# Default base: kanibako-oci:latest. Override with:
+#   podman build --build-arg BASE_IMAGE=ghcr.io/doctorjei/kanibako-lxc:latest ...
+ARG BASE_IMAGE=ghcr.io/doctorjei/kanibako-oci:latest
+FROM $BASE_IMAGE
+
+# Re-declare ARG after FROM so $BASE_IMAGE is in scope for RUN.
+# Surfaces the actual base in build output (default or explicit).
+ARG BASE_IMAGE
+RUN echo "[kanibako template] Building dotnet on BASE_IMAGE=$BASE_IMAGE"
+
+USER root
+
+# Install the .NET SDK via the official script pinned to the 8.0 LTS channel.
+# Using the script avoids apt-feed/distro coupling across base tiers.
+RUN curl -fsSL https://dot.net/v1/dotnet-install.sh -o /tmp/dotnet-install.sh \
+    && bash /tmp/dotnet-install.sh --channel 8.0 --install-dir /usr/share/dotnet \
+    && ln -s /usr/share/dotnet/dotnet /usr/local/bin/dotnet \
+    && rm /tmp/dotnet-install.sh
+
+ENV DOTNET_CLI_TELEMETRY_OPTOUT=1 \
+    DOTNET_NOLOGO=1
+
+USER agent
+WORKDIR /home/agent/workspace

kanibako/containers/Containerfile.template-js

@@ -0,0 +1,43 @@
+# kanibako-template: Node tooling: yarn, pnpm, bun, TypeScript
+# kanibako-template-check: node --version
+# kanibako-template-check: yarn --version
+# kanibako-template-check: pnpm --version
+# kanibako-template-check: tsc --version
+# kanibako-template-check: bun --version
+# JavaScript/TypeScript development template: yarn, pnpm, bun, TypeScript.
+# node/npm already ship in every kanibako base.
+# Built on top of any kanibako base image.
+#
+# Default base: kanibako-oci:latest. Override with:
+#   podman build --build-arg BASE_IMAGE=ghcr.io/doctorjei/kanibako-lxc:latest ...
+ARG BASE_IMAGE=ghcr.io/doctorjei/kanibako-oci:latest
+FROM $BASE_IMAGE
+
+# Re-declare ARG after FROM so $BASE_IMAGE is in scope for RUN.
+# Surfaces the actual base in build output (default or explicit).
+ARG BASE_IMAGE
+RUN echo "[kanibako template] Building js on BASE_IMAGE=$BASE_IMAGE"
+
+USER root
+
+# unzip is required by the bun installer and is not guaranteed on every base.
+RUN apt-get update && apt-get install -y --no-install-recommends \
+    unzip \
+    && rm -rf /var/lib/apt/lists/*
+
+# Install pinned package managers + TypeScript globally (the npm global prefix is
+# root-owned, so these land as real binaries on PATH for every user).
+# NOT corepack: corepack's `prepare --activate` pins per-user and runs here as
+# root, but the container runs as `agent` at runtime — whose corepack cache has
+# no pinned version, so corepack would re-resolve to the *latest* pnpm/yarn at
+# runtime (pnpm 11 needs Node >=22.13 via node:sqlite; the base ships Node 20).
+# Direct npm-global installs are deterministic and need no network at runtime.
+# pnpm is pinned to 9.x (the last line that supports Node 20).
+RUN npm install -g pnpm@9 yarn typescript ts-node
+
+# bun: installed under the agent home so ~/.bun has correct ownership
+USER agent
+RUN curl -fsSL https://bun.sh/install | bash
+ENV PATH="/home/agent/.bun/bin:${PATH}"
+
+WORKDIR /home/agent/workspace

kanibako/containers/Containerfile.template-jvm

@@ -0,0 +1,27 @@
+# kanibako-template: Java, Kotlin, Maven (JVM toolchain)
+# kanibako-template-check: java -version
+# kanibako-template-check: kotlin -version
+# kanibako-template-check: mvn -version
+# JVM development template: Java, Kotlin, Maven.
+# Built on top of any kanibako base image.
+#
+# Default base: kanibako-oci:latest. Override with:
+#   podman build --build-arg BASE_IMAGE=ghcr.io/doctorjei/kanibako-lxc:latest ...
+ARG BASE_IMAGE=ghcr.io/doctorjei/kanibako-oci:latest
+FROM $BASE_IMAGE
+
+# Re-declare ARG after FROM so $BASE_IMAGE is in scope for RUN.
+# Surfaces the actual base in build output (default or explicit).
+ARG BASE_IMAGE
+RUN echo "[kanibako template] Building jvm on BASE_IMAGE=$BASE_IMAGE"
+
+USER root
+
+RUN apt-get update && apt-get install -y --no-install-recommends \
+    default-jdk \
+    kotlin \
+    maven \
+    && rm -rf /var/lib/apt/lists/*
+
+USER agent
+WORKDIR /home/agent/workspace

kanibako/containers/Containerfile.template-systems

@@ -0,0 +1,46 @@
+# kanibako-template: C/C++, Rust, cross-compilation toolchain
+# kanibako-template-check: gcc --version
+# kanibako-template-check: clang --version
+# kanibako-template-check: cmake --version
+# kanibako-template-check: cargo --version
+# Systems development template: C/C++, Rust, cross-compilation tools.
+# Built on top of any kanibako base image.
+#
+# Default base: kanibako-oci:latest. Override with:
+#   podman build --build-arg BASE_IMAGE=ghcr.io/doctorjei/kanibako-lxc:latest ...
+ARG BASE_IMAGE=ghcr.io/doctorjei/kanibako-oci:latest
+FROM $BASE_IMAGE
+
+# Re-declare ARG after FROM so $BASE_IMAGE is in scope for RUN.
+# Surfaces the actual base in build output (default or explicit).
+ARG BASE_IMAGE
+RUN echo "[kanibako template] Building systems on BASE_IMAGE=$BASE_IMAGE"
+
+USER root
+
+# Additional archive tools
+RUN apt-get update && apt-get install -y --no-install-recommends \
+    p7zip-full \
+    unrar-free \
+    && rm -rf /var/lib/apt/lists/*
+
+# C/C++ toolchain
+RUN apt-get update && apt-get install -y --no-install-recommends \
+    gcc g++ clang llvm \
+    cmake make ninja-build meson \
+    gdb lldb \
+    nasm yasm \
+    && rm -rf /var/lib/apt/lists/*
+
+# QEMU user-mode emulation for cross-compilation
+RUN apt-get update && apt-get install -y --no-install-recommends \
+    qemu-user-static \
+    binfmt-support \
+    && rm -rf /var/lib/apt/lists/*
+
+# Rust (installed as agent so ~/.cargo has correct ownership)
+USER agent
+RUN curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- -y
+ENV PATH="/home/agent/.cargo/bin:${PATH}"
+
+WORKDIR /home/agent/workspace

kanibako/crabs.py

@@ -0,0 +1,89 @@
+"""Crab YAML configuration: load, write, and resolve per-crab settings."""
+
+from __future__ import annotations
+
+from dataclasses import dataclass, field
+from pathlib import Path
+
+from kanibako.config_io import dump_doc, load_doc
+
+# Keys that live directly in [crab] as crab identity (not crab state).
+IDENTITY_KEYS = frozenset({"name", "shell", "run_args"})
+
+
+@dataclass
+class CrabConfig:
+    """Per-crab configuration loaded from a crab YAML file.
+
+    Sections:
+      crab   — identity (name, shell, run_args) plus crab-state knobs
+               (model, access, start_mode, autonomous, …)
+      env    — raw env vars injected into container
+      shared — crab-level shared cache paths
+    """
+
+    name: str = ""
+    shell: str = "standard"
+    run_args: list[str] = field(default_factory=list)
+    state: dict[str, str] = field(default_factory=dict)
+    env: dict[str, str] = field(default_factory=dict)
+    shared_caches: dict[str, str] = field(default_factory=dict)
+    tweakcc: dict = field(default_factory=dict)
+
+
+def crabs_dir(data_path: Path, paths_crabs: str = "crabs") -> Path:
+    """Return the crabs directory under *data_path*."""
+    return data_path / (paths_crabs or "crabs")
+
+
+def crab_toml_path(
+    data_path: Path, crab_id: str, paths_crabs: str = "crabs",
+) -> Path:
+    """Return the path to a crab's config file."""
+    return crabs_dir(data_path, paths_crabs) / f"{crab_id}.yaml"
+
+
+def load_crab_config(path: Path) -> CrabConfig:
+    """Read a crab config file and return a CrabConfig.
+
+    Returns defaults if the file does not exist.
+    """
+    cfg = CrabConfig()
+    if not path.exists():
+        return cfg
+
+    data = load_doc(path)
+
+    crab_sec = data.get("crab", {})
+    cfg.name = str(crab_sec.get("name", ""))
+    cfg.shell = str(crab_sec.get("shell", "standard"))
+    raw_args = crab_sec.get("run_args", [])
+    cfg.run_args = [str(a) for a in raw_args] if isinstance(raw_args, list) else []
+
+    cfg.state = {
+        k: str(v) for k, v in crab_sec.items() if k not in IDENTITY_KEYS
+    }
+    cfg.env = {k: str(v) for k, v in data.get("env", {}).items()}
+    cfg.shared_caches = {k: str(v) for k, v in data.get("shared", {}).items()}
+    cfg.tweakcc = dict(data.get("tweakcc", {}))
+
+    return cfg
+
+
+def write_crab_config(path: Path, cfg: CrabConfig) -> None:
+    """Write a CrabConfig to a YAML file."""
+    crab_sec: dict = {
+        "name": cfg.name,
+        "shell": cfg.shell,
+        "run_args": list(cfg.run_args),
+    }
+    for k, v in cfg.state.items():
+        crab_sec[k] = v
+
+    data: dict = {
+        "crab": crab_sec,
+        "env": dict(cfg.env),
+        "shared": dict(cfg.shared_caches),
+        "tweakcc": dict(cfg.tweakcc),
+    }
+    dump_doc(path, data)

kanibako/errors.py

@@ -0,0 +1,33 @@
+"""Kanibako error hierarchy."""
+
+
+class KanibakoError(Exception):
+    """Base exception for all kanibako errors."""
+
+
+class ConfigError(KanibakoError):
+    """Configuration file missing or malformed."""
+
+
+class ProjectError(KanibakoError):
+    """Project path does not exist or cannot be resolved."""
+
+
+class ContainerError(KanibakoError):
+    """Container runtime or image operation failed."""
+
+
+class ArchiveError(KanibakoError):
+    """Archive creation, extraction, or validation failed."""
+
+
+class GitError(KanibakoError):
+    """Git check failed (uncommitted changes, unpushed commits, etc.)."""
+
+
+class WorksetError(KanibakoError):
+    """Workset creation, loading, or manipulation failed."""
+
+
+class UserCancelled(KanibakoError):
+    """User cancelled an interactive prompt."""

kanibako/freshness.py

@@ -0,0 +1,67 @@
+"""Non-blocking image freshness check: warn when a newer image is available."""
+
+from __future__ import annotations
+
+import json
+import sys
+import time
+from pathlib import Path
+
+from kanibako.container import ContainerRuntime
+from kanibako.registry import get_remote_digest
+
+_CACHE_TTL = 86400  # 24 hours
+
+
+def check_image_freshness(runtime: ContainerRuntime, image: str, cache_path: Path) -> None:
+    """Compare local and remote digests; print a note to stderr if stale.
+
+    This function **never** raises — all exceptions are silently swallowed
+    so it cannot block container startup.
+    """
+    try:
+        _check(runtime, image, cache_path)
+    except Exception:
+        pass
+
+
+def _check(runtime: ContainerRuntime, image: str, cache_path: Path) -> None:
+    local_digest = runtime.get_local_digest(image)
+    if local_digest is None:
+        return
+
+    remote_digest = _cached_remote_digest(image, cache_path)
+    if remote_digest is None:
+        return
+
+    if local_digest != remote_digest:
+        print(
+            f"Note: A newer version of {image} is available. "
+            f"Run 'kanibako rig rebuild' to update.",
+            file=sys.stderr,
+        )
+
+
+def _cached_remote_digest(image: str, cache_path: Path) -> str | None:
+    """Return the remote digest, using a 24h file cache."""
+    cache_file = cache_path / "digest-cache.json"
+    now = time.time()
+
+    cache: dict = {}
+    if cache_file.is_file():
+        try:
+            cache = json.loads(cache_file.read_text())
+        except (json.JSONDecodeError, OSError):
+            cache = {}
+
+    entry = cache.get(image)
+    if entry and now - entry.get("ts", 0) < _CACHE_TTL:
+        return entry.get("digest")
+
+    digest = get_remote_digest(image)
+    if digest is not None:
+        cache[image] = {"digest": digest, "ts": now}
+        cache_path.mkdir(parents=True, exist_ok=True)
+        cache_file.write_text(json.dumps(cache))
+
+    return digest

kanibako/git.py

@@ -0,0 +1,114 @@
+"""Git checks: uncommitted/unpushed detection, metadata extraction."""
+
+from __future__ import annotations
+
+import subprocess
+from dataclasses import dataclass
+from pathlib import Path
+
+from kanibako.errors import GitError
+
+
+@dataclass
+class GitMetadata:
+    """Information about a project's git state."""
+
+    branch: str
+    commit: str
+    remotes: list[tuple[str, str]]  # (name, url)
+
+
+def is_git_repo(path: Path) -> bool:
+    """Return True if *path* contains a .git directory."""
+    return (path / ".git").is_dir()
+
+
+def check_uncommitted(path: Path) -> None:
+    """Raise GitError if there are uncommitted changes in *path*."""
+    result = subprocess.run(
+        ["git", "diff-index", "--quiet", "HEAD", "--"],
+        cwd=path,
+        capture_output=True,
+    )
+    if result.returncode != 0:
+        raise GitError(
+            "Uncommitted changes detected.\n"
+            "Commit your changes or use --allow-uncommitted to override."
+        )
+
+
+def check_unpushed(path: Path) -> None:
+    """Raise GitError if there are unpushed commits on the current branch."""
+    # Get current branch
+    branch_result = subprocess.run(
+        ["git", "rev-parse", "--abbrev-ref", "HEAD"],
+        cwd=path,
+        capture_output=True,
+        text=True,
+    )
+    if branch_result.returncode != 0:
+        return  # Cannot determine branch; skip check
+
+    # Check for upstream
+    upstream_result = subprocess.run(
+        ["git", "rev-parse", "--abbrev-ref", "@{upstream}"],
+        cwd=path,
+        capture_output=True,
+        text=True,
+    )
+    if upstream_result.returncode != 0:
+        return  # No upstream; skip check
+
+    upstream = upstream_result.stdout.strip()
+    count_result = subprocess.run(
+        ["git", "rev-list", f"{upstream}..HEAD", "--count"],
+        cwd=path,
+        capture_output=True,
+        text=True,
+    )
+    if count_result.returncode != 0:
+        return
+
+    count = int(count_result.stdout.strip())
+    if count > 0:
+        raise GitError(
+            f"{count} unpushed commit(s) detected.\n"
+            "Push your changes or use --allow-unpushed to override."
+        )
+
+
+def get_metadata(path: Path) -> GitMetadata | None:
+    """Extract git branch, HEAD SHA, and fetch remotes.  Returns None on failure."""
+    branch_result = subprocess.run(
+        ["git", "rev-parse", "--abbrev-ref", "HEAD"],
+        cwd=path,
+        capture_output=True,
+        text=True,
+    )
+    commit_result = subprocess.run(
+        ["git", "rev-parse", "HEAD"],
+        cwd=path,
+        capture_output=True,
+        text=True,
+    )
+    if branch_result.returncode != 0 or commit_result.returncode != 0:
+        return None
+
+    remote_result = subprocess.run(
+        ["git", "remote", "-v"],
+        cwd=path,
+        capture_output=True,
+        text=True,
+    )
+    remotes: list[tuple[str, str]] = []
+    for line in remote_result.stdout.splitlines():
+        if "(fetch)" in line:
+            parts = line.split()
+            if len(parts) >= 2:
+                remotes.append((parts[0], parts[1]))
+
+    return GitMetadata(
+        branch=branch_result.stdout.strip(),
+        commit=commit_result.stdout.strip(),
+        remotes=remotes,
+    )