diff --git a/hive-c0re/src/lifecycle.rs b/hive-c0re/src/lifecycle.rs
index b035dd6..3d10edf 100644
--- a/hive-c0re/src/lifecycle.rs
+++ b/hive-c0re/src/lifecycle.rs
@@ -607,11 +607,22 @@ async fn systemd_daemon_reload() -> Result<()> {
 /// `containers.hm1nd.bindMounts."/agents"`.
 pub const CONTAINER_MANAGER_AGENTS_MOUNT: &str = "/agents";
 
+/// Where the manager sees the applied trees of every agent, read-only.
+/// Manager runs `git fetch /applied//.git refs/tags/*:refs/tags/applied/*`
+/// to learn what hive-c0re deployed (or rejected, or failed to
+/// build); the RO bind makes accidental writes impossible from
+/// inside the container.
+pub const CONTAINER_MANAGER_APPLIED_MOUNT: &str = "/applied";
+
 /// The on-host root that gets bind-mounted to `/agents` inside the manager.
 /// Hard-coded to match `AGENT_STATE_ROOT` in coordinator.rs (kept duplicated
 /// here so lifecycle stays usable as a leaf module).
 const HOST_AGENTS_ROOT: &str = "/var/lib/hyperhive/agents";
 
+/// On-host applied repo root, mirrored RO into the manager. Matches
+/// `APPLIED_STATE_ROOT` in coordinator.rs.
+const HOST_APPLIED_ROOT: &str = "/var/lib/hyperhive/applied";
+
 fn set_nspawn_flags(
 container: &str,
 runtime_dir: &Path,
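Review bot: The new doc comment on `CONTAINER_MANAGER_APPLIED_MOUNT` quotes the fetch source as `/applied//.git`, where the empty segment between the slashes reads like a per-agent path component that was lost (the same string recurs in the comment in the next hunk); if an agent name belongs there, spell it out, e.g. `/applied/<agent>/.git`, so the doc matches the layout under `HOST_APPLIED_ROOT`. The `/agents` mount is documented as also being declared in `containers.hm1nd.bindMounts`; if that declaration is what makes the mount work on the host side, `/applied` presumably needs the matching entry, which this commit does not add, so that is worth confirming. `HOST_APPLIED_ROOT` duplicates `APPLIED_STATE_ROOT` from coordinator.rs for the same leaf-module reason given for `HOST_AGENTS_ROOT`; a unit test in coordinator.rs asserting the two constants are equal would catch drift, since a mismatch would mount the wrong host directory without any error.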
@@ -629,11 +640,22 @@ fn set_nspawn_flags(
 if container == MANAGER_NAME {
 // Manager edits sub-agent proposed/ repos and its own. RW so it can
 // git-commit. Sub-agents see only their own /run/hive socket and
- // /root/.claude (no /agents).
+ // /root/.claude (no /agents or /applied).
+ //
+ // /applied is a separate RO mount of the hive-c0re-only applied
+ // repos so the manager can `git fetch /applied//.git
+ // refs/tags/*:refs/tags/applied/*` to mirror deployed/failed/
+ // denied tags into its proposed clones and diff against
+ // what's actually deployed. RO bind makes destructive git
+ // plumbing inside the container unable to corrupt applied.
 use std::fmt::Write as _;
 let _ = write!(
 binds,
- " --bind={HOST_AGENTS_ROOT}:{CONTAINER_MANAGER_AGENTS_MOUNT}"
+ " --bind={HOST_AGENTS_ROOT}:{CONTAINER_MANAGER_AGENTS_MOUNT}",
+ );
+ let _ = write!(
+ binds,
+ " --bind-ro={HOST_APPLIED_ROOT}:{CONTAINER_MANAGER_APPLIED_MOUNT}",
 );
 }
 let bind_flag = format!("EXTRA_NSPAWN_FLAGS=\"{binds}\"");
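Review bot: The comment ending `RO bind makes destructive git plumbing inside the container unable to corrupt applied.` claims more than `--bind-ro` alone provides: the read-only flag stops accidental writes, but whether it holds against a root process inside the container depends on the container being user-namespaced (`--private-users=`) or not retaining CAP_SYS_ADMIN, and neither is visible in this hunk. Suggest toning it down to `// RO bind stops accidental writes from the container; it is a hard` / `// boundary only if the manager is user-namespaced or lacks CAP_SYS_ADMIN.` and confirming the manager's nspawn configuration sets one of those. The `--bind-ro` source `HOST_APPLIED_ROOT` must exist on the host when the container starts; if hive-c0re does not create it at the same point it creates the agents root, the manager presumably fails to start rather than running without the mount. `set_nspawn_flags` starts before and ends after this hunk.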