manager_server: reject proposals that modify flake.nix
submit_apply_commit now diffs the freshly-tagged proposal/<id> against applied/main and refuses if flake.nix is in the changeset. flake.nix is fixed boilerplate the meta flake depends on (it exports nixosModules.default = import ./agent.nix); silent edits there would break the nixosConfiguration in subtle ways. the manager prompt already says don't touch it; this is the host-side belt — clear error to the manager on submit, row marked failed in sqlite, no orphan pending approval to chase. diff-failure is logged + ignored: the build path surfaces concrete errors if flake.nix is actually broken.
parent: 68ef6ab433
commit: 6b3ef4549c
2 changed files with 50 additions and 8 deletions
TODO.md (8 deletions)
@ -74,14 +74,6 @@ Pick anything from here when relevant. Cross-cutting design notes live in
once a terminal sibling lands — would keep the audit
trails browsable without forever-growth.
- **Reject proposals that touch `flake.nix`.** The manager's
prompt says don't edit it, but nothing on the host side
enforces. Add a check in
`manager_server::submit_apply_commit`: after fetching the
proposal sha into applied, `git diff-tree <sha> -- flake.nix`
— non-empty diff → refuse + clear error message. Cheap
belt-and-suspenders.
- **Inert `nix flake lock` no-args call in `meta::sync_agents`.**
Still valid in current nix (resolves missing inputs without
bumping existing ones) but parallel to the deprecated
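Review bot: the TODO item removed in this hunk (the `git diff-tree <sha> -- flake.nix` line) described a single-commit check, comparing the proposal sha with its parent, while the commit message says the check that landed diffs proposal/<id> against applied/main. Those are not the same predicate: if applied/main has advanced and itself changed flake.nix since the proposal branched, a two-ref diff reports flake.nix in the changeset and rejects a proposal that never touched the file. If the two-ref form is what was implemented, diffing from the merge base (`git diff applied/main...proposal/<id> -- flake.nix`) or running diff-tree over the proposal's own commits restricts the check to the proposal's changes. Separately, the message says a diff failure is logged and ignored; since the only fallback is the later build path, consider marking the row failed on a git error as well, so the guard fails closed rather than open.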