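#!/usr/bin/env bash
# Phase 5c end-to-end approval flow:
# manager edits proposed -> commits -> request_apply_commit
# user approves on host -> hive-c0re applies into authoritative repo -> rebuild
# sub-agent container has the new package
#
# Runs as root on a host with services.hive-c0re enabled and the hm1nd
# container declared. Idempotent — wipes any prior alice state.
#
# Exits non-zero on the first failing step (set -e) or on an explicit
# "FAIL:" check; in that case the agent state is left in place for inspection.

set -euo pipefail

# Name of the throwaway sub-agent this run exercises; every path and
# container name below is derived from it. readonly: nothing may rebind it
# once the first sudo rm -rf below has been keyed on it.
readonly AGENT=alice
# Package the manager adds to the agent's agent.nix; its presence in the
# container's PATH after approval is the end-to-end success criterion.
readonly PKG=htop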
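#######################################
# Tear down every trace of the test agent so the run starts (and ends) clean.
# Globals:   AGENT (read)
# Outputs:   progress banner on stdout
# Returns:   0 always — kill/destroy are allowed to fail when nothing exists
#######################################
cleanup() {
  echo "=== cleanup ==="
  # Both legitimately fail on a fresh host (nothing to kill / no container).
  sudo hive-c0re kill "$AGENT" 2>/dev/null || true
  sudo nixos-container destroy "h-${AGENT}" 2>/dev/null || true
  # ${AGENT:?} aborts instead of expanding to the bare parent directory
  # (/var/lib/hyperhive/agents/) if the constant is ever empty; set -u alone
  # only catches the unset case. `--` stops rm from parsing the paths as options.
  sudo rm -rf -- \
    "/var/lib/hyperhive/agents/${AGENT:?}" \
    "/var/lib/hyperhive/applied/${AGENT:?}"
}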
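cleanup

echo "=== spawn ${AGENT} ==="
sudo hive-c0re spawn "$AGENT"

echo "=== two-repo split visible ==="
echo " proposed (manager-editable):"
sudo ls -la "/var/lib/hyperhive/agents/${AGENT}/config/" | sed 's/^/ /'
echo " applied (hive-c0re only):"
sudo ls -la "/var/lib/hyperhive/applied/${AGENT}/" | sed 's/^/ /'

# Negative check: the manager container must have no view of applied/.
# An `ls` that succeeds from inside hm1nd means the bind mount leaked.
echo "=== manager cannot see the applied repo ==="
if sudo nixos-container run hm1nd -- ls "/var/lib/hyperhive/applied/${AGENT}" 2>/dev/null; then
  echo "FAIL: manager can see applied/ — bind-mount leak"
  exit 1
fi
echo " manager has no path to applied/ ✓"

# Baseline: the package must be absent before approval, otherwise the
# post-approval `which` below proves nothing.
echo "=== ${PKG} not installed in h-${AGENT} (pre-approve) ==="
if sudo nixos-container run "h-${AGENT}" -- which "$PKG" 2>/dev/null; then
  echo "FAIL: ${PKG} already in path"
  exit 1
fi
echo " not in path ✓"

# The double-quoted script is expanded on the host first (${AGENT}, ${PKG}
# are host constants); \$SHA and \" are escaped so they reach the
# container's bash untouched. The 'EOF' heredoc keeps the Nix body literal.
echo "=== manager: edit agent.nix + commit + request_apply_commit ==="
sudo nixos-container run hm1nd -- bash -c "
set -euo pipefail
cd /agents/${AGENT}/config
cat > agent.nix <<'EOF'
{ pkgs, ... }:
{
  environment.systemPackages = [ pkgs.${PKG} ];
}
EOF
git commit -am 'add ${PKG}'
SHA=\$(git rev-parse HEAD)
echo \" manager commit SHA=\$SHA\"
hive-m1nd request-apply-commit ${AGENT} \$SHA
"

echo "=== pending approvals ==="
sudo hive-c0re pending

# Take the last entry of the "approvals" list — assumes `pending` lists
# approvals oldest-first, so on a freshly cleaned host this is the request
# just made for ${AGENT} (TODO confirm ordering). pipefail makes a failed
# `pending`, or a missing/empty list, abort here rather than approve nothing.
ID=$(sudo hive-c0re pending \
  | python3 -c 'import sys,json;print(json.load(sys.stdin)["approvals"][-1]["id"])')
echo " using approval id ${ID}"

echo "=== approve ${ID} (advances applied/main + rebuilds h-${AGENT}) ==="
sudo hive-c0re approve "$ID"

# Positive check: set -e fails the run if `which` cannot find the package.
echo "=== verify ${PKG} now in path ==="
sudo nixos-container run "h-${AGENT}" -- which "$PKG"

echo "=== applied repo git log ==="
sudo git -C "/var/lib/hyperhive/applied/${AGENT}" log --oneline -5

echo "=== approvals table ==="
if command -v sqlite3 >/dev/null; then
  sudo sqlite3 /var/lib/hyperhive/broker.sqlite \
    "SELECT id, agent, substr(commit_ref,1,12) AS sha, status FROM approvals ORDER BY id DESC LIMIT 5;"
else
  echo " (sqlite3 not on host PATH — skip)"
fi

echo
# `read` returns non-zero at EOF; without `|| true` a non-interactive run
# (stdin closed, e.g. CI) trips set -e here and skips the teardown entirely.
# Ctrl-C still leaves everything running, as before.
read -r -p "press enter to tear down, Ctrl-C to leave running: " || true
cleanup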