backlog(B-0738+B-0739): zflash Linux + Windows extension scope (limitations documented; cross-platform decomposed) #5001
…ations documented; cross-platform decomposed)
Aaron 2026-05-25 after B-0737 (zflash Mac variant) shipped:
'is this mac only? does our install / pre install scripts take care of
everything needed for mac? what do we need to do to extend this to windows
and linux? we should document limitations and scope and backlog the rest'
Mac-only confirmed. Two new P3 rows decompose cross-platform scope:
B-0738 — Linux variant:
- lsblk-based device enumeration replacing diskutil
- pam_fprintd.so biometric gate (when fingerprint hardware enrolled)
- pkexec/polkit fallback when no biometric hardware
- tools/setup/linux.sh integration touchpoint (--with-zflash opt-in)
- Limited to Debian/Ubuntu (matches linux.sh's existing support);
RHEL/Fedora/Arch/Alpine deferred to future B-NNNN rows
B-0739 — Windows variant (two paths; recommend WSL2 first):
- Path A (WSL2): usbipd-win USB pass-through + reuse B-0738 Linux
substrate verbatim; faster ship; lower scope
- Path B (PowerShell-native): Get-Disk/Clear-Disk + Windows Hello
biometric + UAC elevation; better Windows UX; ~10x scope; deferred
- tools/setup/install.sh currently routes only Darwin + non-Darwin
(assumed Linux); needs Windows branch + new windows.ps1 helper
Both rows preserve B-0737 safety substrate end-to-end (per-run nonce +
explicit consent token + system-level biometric/UAC gate). Both compose
with B-0728 destructive-tool authoring contract + B-0732 leverage-class
safety substrate.
P3 priority — cross-platform support enables future operator base but
doesn't gate current critical path (Aaron primary workstation Mac;
cluster nodes don't need zflash — they run zeta-install natively after
boot from flashed USB).
Co-Authored-By: Claude <noreply@anthropic.com>
Pull request overview
Adds two new P3 backlog rows to decompose zflash cross-platform scope (Linux + Windows variants) and updates the generated backlog index to include them.
Changes:
- Added backlog row B-0738 describing a Linux variant (lsblk-based enumeration + pam_fprintd / pkexec fallback + optional linux.sh touchpoint).
- Added backlog row B-0739 describing a Windows variant with two possible approaches (WSL2+usbipd-win reuse vs PowerShell-native path).
- Regenerated `docs/BACKLOG.md` to include the new rows.
Reviewed changes
Copilot reviewed 3 out of 3 changed files in this pull request and generated 6 comments.
| File | Description |
|---|---|
| docs/backlog/P3/B-0738-zflash-linux-variant-lsblk-plus-pam-fprintd-plus-pkexec-fallback-2026-05-25.md | New backlog row proposing Linux zflash substrate and scope. |
| docs/backlog/P3/B-0739-zflash-windows-variant-wsl2-path-plus-powershell-native-path-windows-hello-uac-2026-05-25.md | New backlog row proposing Windows zflash substrate with WSL2 vs native decomposition. |
| docs/BACKLOG.md | Auto-generated index updated to list B-0738 and B-0739. |
| composes_with: | ||
| - B-0737 | ||
| - B-0728 | ||
| - B-0732 |
| related_substrate: | ||
| - full-ai-cluster/tools/flash-usb.ts | ||
| - full-ai-cluster/tools/zflash.ts | ||
| - full-ai-cluster/tools/zflash-setup.ts | ||
| - tools/setup/linux.sh |
| composes_with: | ||
| - B-0737 | ||
| - B-0738 | ||
| - B-0728 | ||
| - B-0732 |
| - full-ai-cluster/tools/zflash.ts | ||
| - full-ai-cluster/tools/zflash-setup.ts |
|
|
||
| ## Carved blade | ||
|
|
||
| > Windows extension is qualitatively harder than Linux (B-0738). Two viable paths exist + the choice is substrate-engineering trade-off: **WSL2 path** reuses the Linux substrate from B-0738 verbatim BUT requires `usbipd-win` USB pass-through (extra setup step; not Microsoft-shipped by default). **PowerShell-native path** is a complete rewrite — `Get-Disk` / `Get-Partition` / `Clear-Disk` instead of `lsblk`+`dd`; Windows Hello for Business as the biometric gate (or PIN/password fallback); UAC elevation instead of sudo; needs careful Defender-exclusion + admin-prompt-handling. WSL2 path ships faster; PowerShell-native gives the native-feel Windows operator experience. Recommendation: ship WSL2 first; PowerShell-native as future scope when there's actual Windows operator demand. `tools/setup/install.sh` currently routes only on `Darwin` + non-Darwin (assumed Linux); needs a Windows branch for either path. |
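Review bot: "needs careful Defender-exclusion" in the PowerShell-native sentence is the only item in this row that switches a host protection off rather than adding a gate, and it is stated without scope. Say what would be excluded (a single path or process, and for how long) and why `Clear-Disk` would need it at all, or drop the item until Path B is actually scoped. For the WSL2 sentence, note that `usbipd-win` hands the whole USB device to the guest, so the row should say whether device selection is confirmed on the Windows side before pass-through or only inside WSL2.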
| | `pam_tid.so` is Apple-only | N/A on Windows | Replace with Windows Hello for Business (`Microsoft.Windows.SecureBiometric` API) on native path; reuse pam_fprintd via WSL2 path when available | | ||
| | No `tools/setup/install.sh` Windows entry | Routes only Darwin + non-Darwin (assumed Linux) | Add Windows branch routing to a new `tools/setup/windows.ps1` (or `windows.sh` if WSL2-only) | | ||
| | No `manifests/winget` or `manifests/chocolatey` | Doesn't exist | New manifest file for Windows package source per chosen package manager | |
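Review bot: `Microsoft.Windows.SecureBiometric` in the `pam_tid.so` row is not an API name I can match to Windows documentation; the UWP consent prompt for Windows Hello is `Windows.Security.Credentials.UI.UserConsentVerifier`. Name the API the native path will actually call, or mark it as to be determined, so the row does not send an implementer looking for a namespace that may not exist. The same row's "reuse pam_fprintd via WSL2 path when available" should also state which gate applies when no fingerprint reader is visible inside WSL2, since the commit message promises the biometric/UAC gate is preserved end to end.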
Closing as substrate-stale (DIRTY-conflict) per .claude/rules/pr-triage-tiers.md Tier 3 + the discriminator pass below. Discriminator pass:

Disposition: close. The branch content is preserved in git history; re-land path is cherry-pick onto a fresh branch off current main with any ID-collision renumbering needed. This is the same Tier 3 disposition applied to today's #5038 + #5032 (same root cause: 2026-05-25 evening session left ~9 backlog/rule PRs DIRTY when the next morning's iter-5.x + iter-6 work landed and moved main forward).

This close is NOT a punt — it's explicit ownership classification per .claude/rules/fighting-past-self-vs-peer-agent-distinguisher-fix-your-own-coordinate-on-peers-dont-punt-by-default.md (recurrence anchor landed today via #5126). The substrate-honest re-land path is documented; the operator-tax of indeterminate DIRTY state is cleared.
Pull request was closed
Summary
Aaron 2026-05-25 after B-0737 (zflash Mac variant) shipped: "is this mac only? does our install / pre install scripts take care of everything needed for mac? what do we need to do to extend this to windows and linux? we should document limitations and scope and backlog the rest"
Two new P3 backlog rows decompose cross-platform scope.
Limitations confirmed (Mac-only today)
- `flash-usb.ts`: `diskutil` + `/dev/rdiskN` raw-device convention; bails on non-Darwin
- `zflash.ts`
- `zflash-setup.ts`: `pam_tid.so` (Apple Secure Enclave); `bioutil`; bails on non-Darwin
- `tools/setup/install.sh` handles dev toolchain only (Xcode CLT, Homebrew, mise, etc.) — does NOT auto-run zflash-setup (Touch ID PAM is opt-in operator step; deliberate touchpoint).

B-0738 — Linux variant
- `lsblk`-based enumeration (replaces `diskutil`); `/dev/sdX` (no raw-prefix)
- `pam_fprintd.so` biometric (when fingerprint hardware enrolled — ThinkPad / Framework / Dell XPS / etc.)
- `pkexec`/polkit fallback when no biometric hardware
- `tools/setup/linux.sh` `--with-zflash` opt-in (matches Mac touchpoint discipline)
- `linux.sh`'s current matrix); RHEL/Fedora/Arch/Alpine deferred

B-0739 — Windows variant (two paths)
Path A — WSL2 (recommend first; lower scope):
- `usbipd-win` USB pass-through, then reuse B-0738 Linux substrate verbatim inside WSL2. Faster ship.

Path B — PowerShell-native (deferred):
- `Get-Disk`/`Clear-Disk` + Windows Hello biometric (UWP API) + UAC elevation. Better Windows UX, ~10x scope. Wait for actual Windows-operator demand.

`tools/setup/install.sh` routes only Darwin + non-Darwin (assumed Linux) today; needs Windows branch + new `tools/setup/windows.ps1` helper for either path.

Safety substrate preserved across all variants
- `yes` or `accept-destroy`)

Composes with
- `tools/setup/install.sh` + `macos.sh` + `linux.sh` (existing install graph; Windows is the gap)

Test plan
- `Limitations` + `Scope items` + `Substrate-honest framing`
- `composes_with` contains B-NNNN row IDs only; file paths in `related_substrate:`
- `BACKLOG_WRITE_FORCE=1 bun tools/backlog/generate-index.ts`

🤖 Generated with Claude Code
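The `lsblk`-based enumeration proposed for B-0738, as an added example (not code from this PR or from zflash): a filter over `lsblk --json -b -o NAME,PATH,TYPE,TRAN,RM,RO,SIZE,MOUNTPOINT` output that offers only removable, writable USB whole disks and refuses any disk carrying a system mount. The `flashCandidates` name, the policy and the sample JSON are assumptions constructed for illustration.

```typescript
// Added example: safety filter over `lsblk --json` output (sample data is constructed).
type Blk = {
  name: string; path?: string; type: string; tran?: string | null;
  rm?: boolean | string; ro?: boolean | string; size?: number | string;
  mountpoint?: string | null; children?: Blk[];
};
type Candidate = { path: string; sizeBytes: number; mounted: string[] };

// Older util-linux prints flags as "0"/"1", newer releases as JSON booleans.
const flag = (v: boolean | string | undefined): boolean => v === true || v === "1";

// Collect every mountpoint on a device and its partitions, recursively.
function mounts(d: Blk): string[] {
  const own = d.mountpoint ? [d.mountpoint] : [];
  return own.concat(...(d.children ?? []).map((c) => mounts(c)));
}

// Policy (assumption): whole disk, USB transport, removable, writable,
// and nothing on it mounted as a system path or in use as swap.
const SYSTEM = /^(\/|\/boot(\/.*)?|\/home|\/usr|\/var|\[SWAP\])$/;

function flashCandidates(lsblkJson: string): Candidate[] {
  const devs: Blk[] = JSON.parse(lsblkJson).blockdevices ?? [];
  return devs
    .filter((d) => d.type === "disk" && d.tran === "usb" && flag(d.rm) && !flag(d.ro))
    .filter((d) => !mounts(d).some((m) => SYSTEM.test(m)))
    .map((d) => ({
      path: d.path ?? `/dev/${d.name}`,
      sizeBytes: Number(d.size ?? 0),
      mounted: mounts(d), // caller must unmount these before writing
    }));
}

// Constructed sample: internal NVMe, a USB stick, a write-protected reader, a USB boot disk.
const SAMPLE = JSON.stringify({ blockdevices: [
  { name: "nvme0n1", path: "/dev/nvme0n1", type: "disk", tran: "nvme", rm: false, ro: false,
    size: 512110190592, children: [{ name: "nvme0n1p2", type: "part", mountpoint: "/" }] },
  { name: "sdb", path: "/dev/sdb", type: "disk", tran: "usb", rm: true, ro: false,
    size: 30943995904, children: [{ name: "sdb1", type: "part", mountpoint: "/media/op/STICK" }] },
  { name: "sdc", path: "/dev/sdc", type: "disk", tran: "usb", rm: "1", ro: "1", size: "15931539456" },
  { name: "sdd", path: "/dev/sdd", type: "disk", tran: "usb", rm: true, ro: false,
    size: 64023257088, children: [{ name: "sdd1", type: "part", mountpoint: "/boot/efi" }] },
]});
console.log(flashCandidates(SAMPLE));
```

Requiring `rm` to be set rejects USB-attached SSDs that report themselves as fixed disks; whether zflash should accept those is a policy decision the backlog row leaves open.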