
feat(b-0857.2): install.sh NixOS-aware routing — detect live-USB vs installed (docker harness validated)#5606

Closed
AceHack wants to merge 2 commits into main from feat/b-0857-2-install-sh-nixos-detection-live-installed-routing-2026-05-27

Conversation

@AceHack AceHack commented May 27, 2026

Summary

Operator directive: "zeta-install.sh there is also backlog to move this to the common install.sh we can move that forward too" + "we can test nixos install in quick iteration locally with docker" + "and again dont feel any rush this is critical we get this usb right not fast fast comes after our self healing usb is stable."

Advances B-0857 sub-target B-0857.2 (environment-detection logic in tools/setup/install.sh) and stubs B-0857.4 (routing dispatch). The heavier B-0857.3 work (factoring zeta-install.sh body into a callable nixos-install-from-usb.sh) deferred to its own sub-row.

Routing matrix after this change

| Environment | Detection | Routes to |
|---|---|---|
| macOS | uname -s = Darwin | setup/macos.sh (unchanged) |
| Linux non-NixOS | no /etc/NIXOS | setup/linux.sh (unchanged) |
| NixOS installed | /etc/NIXOS + no /.dockerenv + no /iso + no /run/initramfs | setup/linux.sh (NEW; runtime tooling only — NixOS-side declarative handled via nixos-rebuild) |
| NixOS docker test harness | /etc/NIXOS + /.dockerenv (B-0849 harness) | setup/linux.sh (NEW; discriminator-2 short-circuit preserves existing harness behavior) |
| NixOS live-USB | /etc/NIXOS + (/iso OR /run/initramfs) | exit 2 + message pointing to zeta-install.sh (NEW; explicit guard pointing to per-injection-point reference at full-ai-cluster/INJECTION-POINTS.md from PR #5601) |

Discriminator priority (refined per B-0849 harness composition)

  1. /etc/NIXOS marker → NixOS (else linux-non-nixos)
  2. /.dockerenv → installed (Docker container short-circuit; runs FIRST so subsequent overlay-fs check doesn't false-positive on B-0849 harness)
  3. /iso present OR /run/initramfs present → live-USB (canonical NixOS-installer-ISO markers)
  4. Otherwise → installed (safer default; overlayfs-without-iso more likely unusual installed config than live boot)

Local validation (per operator's quick-iteration-via-docker directive)

bun tools/ci/docker-nixos-install-sh-test.ts
# [B-0849 Phase 1] SUCCESS — docker build completed in 111s

B-0849 harness passes against this PR on first try — discriminator-2 correctly short-circuits, preserving the harness's mise + bun + claude-code validation path. CI will re-run the same workflow on PR-open.

Backward compatibility

  • Darwin path: unchanged
  • Linux non-NixOS path: unchanged
  • Linux NixOS path: NEW; previously fell through to setup/linux.sh implicitly; now explicit + properly routed with live-USB discrimination

Heeding the operator's "don't rush" directive

This PR ships ONE sub-row (B-0857.2 env detection) with full local validation. Other B-0857 sub-rows (B-0857.3 factor zeta-install.sh body, B-0857.4 live-USB dispatch, B-0857.8 thin wrapper, B-0857.9 retire wrapper) stay queued for separate PRs each. Per operator: "critical we get this usb right" — bounded scope per PR, validated before ship.

Composes with

Test plan

  • Branch guard checked before commit
  • Tree-count canary 61 (no corruption)
  • bash -n syntax check passes
  • Local Darwin smoke-test: routes to setup/macos.sh as expected
  • Local B-0849 docker harness: passes in 111s (discriminator-2 short-circuits cleanly)
  • CI: docker-nixos-install-sh-test workflow on PR (will run)
  • CI: build-ai-cluster-iso workflow if install-substrate path triggers (will run on merge to main)

🤖 Generated with Claude Code
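The four-step discriminator priority laid out in the PR description (and restated in the second commit message below) as a runnable function. This is an added example written for this page, not the PR's tools/setup/install.sh; the function names, the returned tokens and the root-prefix parameter are this example's own, and the prefix exists only so the classifier can be exercised against a scratch directory the way the B-0849 harness fakes /etc/NIXOS inside a container.

```shell
#!/usr/bin/env bash
# Added example, not the PR's tools/setup/install.sh: the discriminator
# priority (/etc/NIXOS -> /.dockerenv -> /iso|/run/initramfs -> default).
# The root prefix argument is an assumption of this example; pass "" for
# the live system or a scratch directory to simulate one.
set -eu

# Prints one of: linux-non-nixos | nixos-installed | nixos-live
detect_linux_flavor() {   # $1 = root prefix ("" for the live system)
  local root
  root=${1:-}
  # 1. Canonical NixOS marker; absent means some other Linux.
  if [ ! -e "$root/etc/NIXOS" ]; then
    echo linux-non-nixos; return 0
  fi
  # 2. Docker short-circuit runs before any filesystem probe: the B-0849
  #    harness creates /etc/NIXOS inside a container whose root is overlayfs,
  #    so an overlay-at-root test placed here would misclassify it as live.
  if [ -e "$root/.dockerenv" ]; then
    echo nixos-installed; return 0
  fi
  # 3. Installer-ISO markers identify a live boot.
  if [ -e "$root/iso" ] || [ -e "$root/run/initramfs" ]; then
    echo nixos-live; return 0
  fi
  # 4. No signal: treat as installed (the safer default).
  echo nixos-installed
}

# Maps a flavor token to the dispatch target. Returns 2 for live-USB so a
# caller can tell the intentional routing guard apart from a failure (1).
route_linux_flavor() {   # $1 = flavor token
  case "$1" in
    linux-non-nixos|nixos-installed) echo "setup/linux.sh"; return 0 ;;
    nixos-live)
      echo "NixOS live-USB detected: install.sh does not run here;" >&2
      echo "run zeta-install.sh (see full-ai-cluster/INJECTION-POINTS.md)" >&2
      return 2 ;;
    *) echo "unknown flavor: $1" >&2; return 1 ;;
  esac
}

# Demo against the live root; on a non-NixOS Linux box this prints
# "linux-non-nixos -> setup/linux.sh".
case "$(uname -s)" in
  Darwin) echo "setup/macos.sh" ;;
  Linux)
    flavor=$(detect_linux_flavor "")
    echo "$flavor -> $(route_linux_flavor "$flavor")" ;;
esac
```

All four discriminators are plain path-existence checks, so the classification is a convenience for routing, not a trust boundary: anything that can create /.dockerenv or /etc/NIXOS on a host (the harness does exactly that in its Dockerfile) chooses the branch. The exit-2 contract matters for the same reason the later #5620 summary calls out: a CI gate that asserts exit 0 must only run in environments where the live-USB branch is unreachable.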

Lior and others added 2 commits May 27, 2026 15:23
…nstalled; route nixos-installed to setup/linux.sh; live-USB stub points to zeta-install.sh

Advances B-0857 sub-target B-0857.2 (environment-detection logic in
tools/setup/install.sh) and stubs B-0857.4 (routing dispatch). The
heavier B-0857.3 work (factoring zeta-install.sh body into a callable
nixos-install-from-usb.sh) deferred to its own sub-row.

Operator framing per B-0857 (verbatim Aaron 2026-05-27): "install.sh
is the universal Unix-like-OS install + self-update entry — there is
no distinction between build machines and prod when prod can update
itself."

Routing matrix after this change:

| Environment | Detection | Routes to |
|---|---|---|
| macOS | uname -s = Darwin | setup/macos.sh (unchanged) |
| Linux non-NixOS | no /etc/NIXOS | setup/linux.sh (unchanged) |
| NixOS installed | /etc/NIXOS + real fs root | setup/linux.sh (NEW; runtime tooling only, NixOS-side declarative handled via nixos-rebuild) |
| NixOS live-USB | /etc/NIXOS + overlayfs/tmpfs root | exit 2 + message pointing to zeta-install.sh (NEW; explicit guard) |

Detection mechanism:

- Existence check: /etc/NIXOS marker file (canonical NixOS detector)
- Live-vs-installed discriminator: findmnt -no FSTYPE / (with /proc/mounts
  fallback if findmnt absent) — overlay/overlayfs/tmpfs/aufs = live-USB;
  ext4/btrfs/zfs/xfs/etc = installed
- Empty-fstype fallback: assume installed (safer default since live USB
  hands a clear overlay signal; missing signal more likely means an
  unusual installed config than a live boot)

Backward compatibility:

- Darwin path: unchanged (still routes to setup/macos.sh)
- Linux non-NixOS path: unchanged (still routes to setup/linux.sh)
- Linux NixOS path: NEW; previously fell through to setup/linux.sh
  with no specific handling; now explicit + properly routed

Tested via bash -n (syntax pass) + local Darwin smoke-test
(operator's Mac; routes to macos.sh as expected).

Follow-up sub-rows queued (per B-0857 Sub-rows section):
- B-0857.3: factor zeta-install.sh body into nixos-install-from-usb.sh
- B-0857.4: route live-USB-NixOS dispatch to nixos-install-from-usb.sh
- B-0857.8: zeta-install.sh becomes thin wrapper around new location
- B-0857.9: retire wrapper after one full test cycle

Composes with PR #5601 (INJECTION-POINTS.md catalog) — the live-USB
stub message points operators to full-ai-cluster/INJECTION-POINTS.md
for the per-injection-point reference.

Co-Authored-By: Claude <noreply@anthropic.com>
…onical /iso + /run/initramfs markers; short-circuit /.dockerenv to installed (preserves B-0849 docker test harness behavior)

Operator framing: "and again dont feel any rush this is critical we
get this usb right not fast fast comes after our self healing usb is
stable where we can have a stable 3 node cluster and iterate without
worrying about the cluster going down or having to recreate all 3
nodes from scratch constantly."

Prior commit (1439041) used overlayfs-at-root as the live-USB
discriminator. That would have FALSE-POSITIVED on the B-0849
docker-nixos-install-sh-test harness, which:

- Manually creates /etc/NIXOS marker in the Dockerfile
- Runs in Docker container where root IS overlayfs (Docker's layer
  composition mechanism)

Would have routed docker-test-runs to "nixos-live" branch and exited
2 with the zeta-install.sh message — breaking the existing PR-time
B-0849 CI workflow.

Refined discriminator priority:

1. /etc/NIXOS marker -> NixOS (else linux-non-nixos)
2. /.dockerenv -> installed (Docker container; B-0849 harness
   short-circuit; runs FIRST so subsequent overlay check doesn't
   false-positive)
3. /iso present OR /run/initramfs present -> live-USB (canonical
   NixOS-installer-ISO markers that zeta-install.sh itself probes
   for in its boot-USB detection logic)
4. Otherwise -> installed (safer default; overlayfs-without-iso
   is more likely an unusual installed config than a live boot)

LOCAL VALIDATION (per operator's "we can test nixos install in
quick iteration locally with docker"):

  bun tools/ci/docker-nixos-install-sh-test.ts
  -> [B-0849 Phase 1] SUCCESS — docker build completed in 111s

The B-0849 docker harness now passes against the refined install.sh
on first try — discriminator-2 (/.dockerenv) correctly short-circuits
to nixos-installed branch which routes to setup/linux.sh, preserving
the harness's mise + bun + claude-code validation path.

No change to other paths (Darwin / linux-non-NixOS / live-USB
message + exit 2 behavior unchanged from prior commit).

Co-Authored-By: Claude <noreply@anthropic.com>
Copilot AI review requested due to automatic review settings May 27, 2026 19:26

@AceHack AceHack enabled auto-merge (squash) May 27, 2026 19:26

Copilot AI left a comment


Pull request overview

This PR extends tools/setup/install.sh with NixOS-aware Linux routing so the script can distinguish NixOS live-USB vs installed NixOS (and preserve the Docker-based NixOS test harness behavior), then dispatch accordingly.

Changes:

  • Add detect_linux_flavor() to classify Linux as linux-non-nixos, nixos-installed, or nixos-live based on marker paths (/etc/NIXOS, /.dockerenv, /iso, /run/initramfs).
  • Update the Linux execution path to route installed NixOS to setup/linux.sh, while live-USB prints a next-step message and exits non-zero.
  • Expand header/docs and console output to describe the new routing matrix and intent.

Comment threads on tools/setup/install.sh (4)
AceHack added a commit that referenced this pull request May 27, 2026
…B-boot + DevOps-objectives-as-levels (NOT hand-crafted video-game levels) (#5611)

* backlog(B-0865): Zeta instantiation of ARC-AGI-3-style benchmark — USB-boot starting state + DevOps objectives as levels (NOT hand-crafted video-game levels)

Operator directive 2026-05-27 verbatim: "search ARC3 AGI internet and
substrate we are going to create our own version, boot our USB and have
the agents make it through devops objectives instead of hand crafted
video game levels."

ARC-AGI-3 substrate inventory (per WebSearch 2026-05-27): François
Chollet's interactive agentic-intelligence benchmark, launched 2026,
$2M prize pool, human 100% / frontier AI <1% (GPT-5.4 + Claude Opus
4.6 Max both 0.3% as of March 2026). First interactive ARC variant
where agents must explore novel turn-based environments, infer goals
without instructions, build internal models, plan action sequences.

B-0865 extends B-0761 (Zeta-as-ARC-AGI-style-benchmark-substrate)
into the SPECIFIC operational instantiation:

- Starting state: freshly USB-booted Zeta cluster (1/2/3 nodes per
  tier)
- Level catalog: declarative manifest of DevOps objectives organized
  in 6 tiers (Bootstrap / Multi-node / Resilience / Scale+GitOps /
  Adversarial / Identity+self-recovery)
- Agent runtime: candidate AI agents act via kubectl / SSH / GitOps
  PRs / hardware-level access
- Judge: deterministic acceptance-criteria evaluator + scoring rubric
- Recovery / reset: boot-off-USB-again via B-0859 3-mode substrate

Composes with today's substrate-engineering cascade:
- PR #5581/#5582/#5586/#5589/#5594/#5599: streams-substrate cascade
- PR #5601: INJECTION-POINTS.md catalog
- PR #5606: B-0857.2 install.sh universal routing
- PR #5608: catalog fix-fwd
- B-0852: cred-persistence (cheap reset; identity preservation)
- B-0857: install.sh universal entry (USB-boot reset reproducibility)
- B-0859: 3-mode USB-boot recovery substrate (the benchmark's reset)
- B-0864: streams-substrate (agent-action-protocol scope)

Substrate-honest framing per .claude/rules/verify-existing-substrate-
before-authoring.md: B-0761 is the parent (general claim); B-0865 mints
NEW substrate covering the specific operational instantiation (USB-boot
+ DevOps-objectives + our-own-ARC3-version). Composition explicit;
parent row preserved unchanged.

Distinction from canonical ARC-AGI-3:
- Canonical: hand-crafted abstract grid puzzles; Core Knowledge priors
  only; tests fluid intelligence
- Zeta B-0865: real DevOps substrate; maximal knowledge dependence
  (k3s + NixOS + GitOps + Longhorn); tests operational-substrate
  competence

COMPLEMENTARY not competitive — both valid; different scopes; both
test efficient exploration + goal inference + planning.

P2 + GATED behind cluster-stability per operator's "this is critical
we get this usb right not fast fast comes after our self healing usb
is stable where we can have a stable 3 node cluster and iterate
without worrying about the cluster going down or having to recreate
all 3 nodes from scratch constantly." The prerequisite IS the stable
substrate the benchmark runs on.

12 sub-rows queued for future decomposition (B-0865.1 through
B-0865.12) covering: level-catalog manifest schema; judge runtime;
6 tiers of levels; agent-runtime substrate; scoring + leaderboard;
public-surface naming review; B-0761 composition cross-link.

Co-Authored-By: Claude <noreply@anthropic.com>

* backlog(B-0865): append operator follow-up sharpening — leaderboard substrate + HA-k8s+observability+helm/argocd playing-field scope + AGI-vs-video-games normative positioning

Operator 2026-05-27 verbatim follow-up: "This could give us a
leaderboard to compete against with Zeta the usb is the playing
fields HA k8s cluster with observablity and a bunch of helm/argocd
apps, way better test of AGI as compared to video games."

Three substantive extensions to B-0865:

EXTENSION 1 — Leaderboard substrate
Zeta isn't just the test environment — it's the OPPONENT + the
platform. 4 competition modes named: cross-agent, vs-human-operator,
vs-prior-self, vs-Zeta-autonomy-ceiling. Sharpens sub-row B-0865.10
(scoring + leaderboard) to support explicit competition-against-Zeta
mode.

EXTENSION 2 — Playing-field substrate-engineering scope
Names the three load-bearing components: HA k8s cluster (3-node
quorum target per B-0859) + observability (Prometheus/Grafana/logs/
traces) + helm/ArgoCD apps. Sharpens sub-row B-0865.1 (level-catalog
manifest schema) to encode these as named substrate-types.

EXTENSION 3 — AGI benchmark normative positioning
5-row comparison table: video-game-shaped tests (incl. canonical ARC
abstract puzzles) vs DevOps-objectives-on-real-HA-k8s-cluster across
real-world transfer / substrate realism / gaming-the-benchmark risk
/ operational competence measurement / substrate ecosystem alignment.
Substrate-engineering claim: AGI tested in this substrate is ACTUAL
AGI at operational scope, not narrow-puzzle-intelligence dressed up.

Sub-row sharpenings applied:
- B-0865.1: manifest encodes HA-shape + observability-state + helm/argocd-state
- B-0865.10: leaderboard supports 4 competition modes
- New candidate B-0865.13: public positioning + comparison-substrate
  with canonical ARC-AGI-3 + other agentic benchmarks

Composes with .claude/rules/edge-defining-work-not-speculation.md —
building this benchmark IS edge-defining work; nothing of this shape
exists publicly.

Carved sentence (operator 2026-05-27 keeper):
"The USB is the playing field, HA k8s cluster with observability and
a bunch of helm/argocd apps, way better test of AGI as compared to
video games."

Co-Authored-By: Claude <noreply@anthropic.com>

---------

Co-authored-by: Lior <lior@zeta.dev>
Co-authored-by: Claude <noreply@anthropic.com>

AceHack commented May 27, 2026

Superseded by #5620 — opened as fresh branch off origin/main because force-push to this PR's branch is policy-restricted per the autonomous-loop force-push discipline. PR #5620 carries the full B-0857.2 substrate-engineering content + addresses all 3 valid Copilot findings + documents the line-114 false-positive (confirmed-on-main via git ls-tree origin/main full-ai-cluster/INJECTION-POINTS.md). Local validation: docker harness PASS in 108s. Closing without merge; #5620 replaces.

@AceHack AceHack closed this May 27, 2026
auto-merge was automatically disabled May 27, 2026 19:42

Pull request was closed

AceHack added a commit that referenced this pull request May 27, 2026
…pilot findings addressed (supersedes PR #5606 — clean fresh branch off origin/main, no force-push) (#5620)

Supersedes PR #5606 (which had 3 valid Copilot findings + 1 false-
positive that I addressed in a fix-fwd commit; that commit would
have required force-push to PR #5606's branch which is policy-
restricted per the autonomous-loop force-push discipline; opening
a fresh PR off origin/main is the policy-respected new-branch path).

PR #5606 to be closed with cross-reference to this PR after this
opens.

Full B-0857.2 substrate-engineering content (originally drafted across
3 commits on PR #5606 branch; squashed here for clean review):

ROUTING MATRIX:
- macOS (uname -s = Darwin)              -> setup/macos.sh
- Linux non-NixOS (no /etc/NIXOS)        -> setup/linux.sh
- NixOS installed (/etc/NIXOS, no docker,
  no /iso, no /run/initramfs)            -> setup/linux.sh
- NixOS docker test harness (/etc/NIXOS
  + /.dockerenv from B-0849 harness)     -> setup/linux.sh
- NixOS live-USB (/etc/NIXOS + /iso OR
  /run/initramfs canonical markers)      -> exit 2 + message
                                            pointing to zeta-install.sh

DISCRIMINATOR PRIORITY:
1. /etc/NIXOS marker -> NixOS (else linux-non-nixos)
2. /.dockerenv -> installed (Docker container short-circuit; runs
   FIRST so subsequent overlay check doesn't false-positive on B-0849
   harness)
3. /iso present OR /run/initramfs present -> live-USB (canonical
   NixOS-installer-ISO markers)
4. Otherwise -> installed (safer default)

COPILOT FINDINGS ADDRESSED (from PR #5606 review):

Finding 1 (P1, line 16 exit contract):
  Was: "Exit 0 on success. Any failure is a dev-experience bug"
  Fixed: expanded exit-code documentation to 3 codes (0 success;
  1 error; 2 intentional routing guard for NixOS live-USB — NOT a
  dev-experience bug). Clarified CI gate.yml asserts exit 0 in its
  tested environments (none are NixOS live-USB).

Finding 2 (P1, line 36 name attribution):
  Was: "Per B-0857 operator framing (Aaron 2026-05-27):"
  Fixed: "Per B-0857 operator framing (2026-05-27):" — per name-
  attribution convention (no first names in non-history-surface
  source files).

Finding 3 (P1, line 111 relative path):
  Was: "sudo bash full-ai-cluster/usb-nixos-installer/zeta-install.sh"
       (relative; fails if user not in repo root)
  Fixed: resolves $REPO_ROOT-rooted absolute path before printing the
  message; also resolves $INJECTION_POINTS_ABS absolute path; both
  paths now work regardless of caller cwd. Also references the
  exit-code documentation in the script header for exit 2 case.

Finding 4 (P0, line 114 dead link) — FALSE POSITIVE:
  Copilot flagged "full-ai-cluster/INJECTION-POINTS.md does not exist
  in the repo" but the file DID land on origin/main at 976b352
  (PR #5601, merged before PR #5606 CI ran). Verified via
  `git ls-tree origin/main full-ai-cluster/INJECTION-POINTS.md`.
  Copilot's review-base was earlier than current main. Will resolve
  PR #5606 thread as no-op confirmed-on-main when closing.

LOCAL VALIDATION:
- bash -n syntax PASS
- bash tools/setup/install.sh on Darwin: routes to setup/macos.sh
- bun tools/ci/docker-nixos-install-sh-test.ts: SUCCESS in 108s
  (B-0849 docker harness validates the /.dockerenv discriminator-2
  short-circuit preserves existing harness behavior)

PER OPERATOR DIRECTIVE 2026-05-27:
"and again dont feel any rush this is critical we get this usb right
not fast fast comes after our self healing usb is stable" + "we pay
the time now while things are simple to avoid sprawling complexity
later" + "we can test nixos install in quick iteration locally with
docker"

This PR follows all three directives: substrate-engineering-correctness-
first; one sub-row scope; docker-harness-validated locally before
push.

Co-authored-by: Lior <lior@zeta.dev>
Co-authored-by: Claude <noreply@anthropic.com>
AceHack added a commit that referenced this pull request May 27, 2026
…-entropy wording (supersedes #5608) (#5621)

* fix(injection-points): KDF chain documentation — restructure for accurate markdown rendering + work-factor-not-entropy wording (addresses Copilot findings on PR #5608; supersedes #5608)

Supersedes PR #5608. Two valid Copilot findings on that PR:

Finding 1 (markdown rendering): My earlier fix put backslash-escaped
pipes (\|\| and "\|") inside inline code spans in a table cell.
Markdown code spans render backslashes literally, so readers saw
"\|\|" / "\"\|\"" instead of intended "||" / "|".

Finding 2 (entropy wording): "stretches low-entropy passphrase into
high-entropy intermediate" is misleading — scrypt does NOT increase
the underlying entropy of a weak passphrase (in information-theoretic
terms, a weak passphrase remains weak). What scrypt provides is a
tunable work-factor cost per guess, making brute-force memory-
prohibitively expensive on GPU/ASIC.

Both addressed by restructuring:

- Table cell at line 116 simplified to: "AES-256-GCM; key derived
  via 2-layer scrypt → HKDF chain (full mechanism + parameters
  below)" — no pipe-in-inline-code issue
- New "KDF chain detail (mechanism + parameters)" sub-section below
  the table with full mechanism in code blocks (markdown code blocks
  don't have the pipe-escaping issue inline code in table cells has)
- Wording corrected: scrypt provides "tunable work-factor cost per
  guess" + "makes brute-force memory-prohibitively expensive on
  GPU/ASIC" + "scrypt is the layer that makes the IKM cryptographically
  suitable for HKDF input" (per OWASP guidance; per the 2026-05-27
  security-review HIGH finding rationale documented in the
  zeta-creds-crypto.ts source)

LAYER 1 — scrypt:
  stretched = scrypt(passphrase, salt, length=32,
                     N=2^17, r=8, p=1, maxmem=256MB)

LAYER 2 — HKDF-SHA256:
  ikm  = concat(usbUuid_utf8, "|", stretched)
  key  = HKDF-SHA256(ikm, salt, info="zeta-b0852-cred-persistence-v1",
                     length=32)

Operator-named threat preserved verbatim: "we can put a key on the
usb too if wnated tied to the uuid so it can't be copied to uuid"
— the HKDF UUID-binding defense.

Why supersedes (not fix-fwd):

PR #5608 used force-push-restricted branch path; new-branch path is
policy-respected alternative. Pattern matches PR #5620 superseding
PR #5606.

Copilot thread IDs to resolve when closing #5608:
- PRRT_kwDOSF9kNM6FNUvq (line 116, backslash escaping)
- PRRT_kwDOSF9kNM6FNUwj (line 116, entropy wording)

Co-Authored-By: Claude <noreply@anthropic.com>

* fix(injection-points): address 2 Copilot findings on PR #5621 — replace brittle line-range reference with symbol+constants reference; cite OWASP cheat sheet for scrypt parameters + soften operational-cost claim

Copilot caught 2 P1 findings on PR #5621 (the supersedes-#5608 fix).
Both valid.

Finding 1 (P1, line 124, brittle line reference):
  Was: `tools/installer/zeta-creds-crypto.ts:80-125`
       (line numbers drift; doesn't cover SCRYPT_N + SCRYPT_MAXMEM
       constants declared higher in the file)
  Fixed: `tools/installer/zeta-creds-crypto.ts` (the `deriveKey`
         function + the `SCRYPT_*` + `KEY_LEN` + `SALT_LEN` +
         `HKDF_INFO` constants declared near the top of the file)
  — symbol-based + constants-named; survives line-number drift.

Finding 2 (P1, line 134, uncited operational + standard claims):
  Was: "OWASP 2026 recommended parameters: N=2^17, r=8, p=1."
       + "~1-2 seconds of CPU per derivation" (no citation;
       generalized across-machines)
  Fixed:
  - Concrete citation: [OWASP Password Storage Cheat Sheet]
    (https://cheatsheetseries.owasp.org/cheatsheets/
    Password_Storage_Cheat_Sheet.html#scrypt) at parameter-
    selection date 2026-05-27
  - Bump procedure named: visit cheat sheet at next security-review
    cadence; update both the cheat-sheet-citation date here AND the
    SCRYPT_N/SCRYPT_R/SCRYPT_P constants in zeta-creds-crypto.ts
  - Operational cost claim softened: "per the source-code comment's
    empirical timing context, on the maintainer's modern CPU at
    parameter-selection time, ~1-2 seconds of CPU per derivation"
    + "per-machine operational cost will vary with CPU + memory
    bandwidth" — substrate-honest; no across-machines generalization.

Per .claude/rules/blocked-green-ci-investigate-threads.md verify-
before-fix: both findings inspected via direct line-level reading;
both confirmed real + fixed.

Copilot thread IDs to resolve after merge:
- PRRT_kwDOSF9kNM6FNhdV (line 124, brittle line reference)
- PRRT_kwDOSF9kNM6FNhd3 (line 134, uncited OWASP + operational cost)

Pre-existing MD060 IDE warnings (compact table column-style without
spaces around pipes) NOT addressed in this commit — same warnings on
all prior-merged commits to this file; not CI-blocking.

Co-Authored-By: Claude <noreply@anthropic.com>

---------

Co-authored-by: Lior <lior@zeta.dev>
Co-authored-by: Claude <noreply@anthropic.com>