feat(b-0857.2): install.sh NixOS routing — full state with 3 Copilot findings addressed (supersedes #5606) #5620
Merged
AceHack merged 1 commit intoMay 27, 2026
…pilot findings addressed (supersedes PR #5606 — clean fresh branch off origin/main, no force-push)

Supersedes PR #5606 (which had 3 valid Copilot findings + 1 false-positive that I addressed in a fix-fwd commit; that commit would have required force-push to PR #5606's branch which is policy-restricted per the autonomous-loop force-push discipline; opening a fresh PR off origin/main is the policy-respected new-branch path). PR #5606 to be closed with cross-reference to this PR after this opens.

Full B-0857.2 substrate-engineering content (originally drafted across 3 commits on PR #5606 branch; squashed here for clean review):

ROUTING MATRIX:

- macOS (uname -s = Darwin) -> setup/macos.sh
- Linux non-NixOS (no /etc/NIXOS) -> setup/linux.sh
- NixOS installed (/etc/NIXOS, no docker, no /iso, no /run/initramfs) -> setup/linux.sh
- NixOS docker test harness (/etc/NIXOS + /.dockerenv from B-0849 harness) -> setup/linux.sh
- NixOS live-USB (/etc/NIXOS + /iso OR /run/initramfs canonical markers) -> exit 2 + message pointing to zeta-install.sh

DISCRIMINATOR PRIORITY:

1. /etc/NIXOS marker -> NixOS (else linux-non-nixos)
2. /.dockerenv -> installed (Docker container short-circuit; runs FIRST so subsequent overlay check doesn't false-positive on B-0849 harness)
3. /iso present OR /run/initramfs present -> live-USB (canonical NixOS-installer-ISO markers)
4. Otherwise -> installed (safer default)

COPILOT FINDINGS ADDRESSED (from PR #5606 review):

Finding 1 (P1, line 16 exit contract):
Was: "Exit 0 on success. Any failure is a dev-experience bug"
Fixed: expanded exit-code documentation to 3 codes (0 success; 1 error; 2 intentional routing guard for NixOS live-USB — NOT a dev-experience bug). Clarified CI gate.yml asserts exit 0 in its tested environments (none are NixOS live-USB).

Finding 2 (P1, line 36 name attribution):
Was: "Per B-0857 operator framing (Aaron 2026-05-27):"
Fixed: "Per B-0857 operator framing (2026-05-27):" — per name-attribution convention (no first names in non-history-surface source files).

Finding 3 (P1, line 111 relative path):
Was: "sudo bash full-ai-cluster/usb-nixos-installer/zeta-install.sh" (relative; fails if user not in repo root)
Fixed: resolves $REPO_ROOT-rooted absolute path before printing the message; also resolves $INJECTION_POINTS_ABS absolute path; both paths now work regardless of caller cwd. Also references the exit-code documentation in the script header for exit 2 case.

Finding 4 (P0, line 114 dead link) — FALSE POSITIVE:
Copilot flagged "full-ai-cluster/INJECTION-POINTS.md does not exist in the repo" but the file DID land on origin/main at 976b352 (PR #5601, merged before PR #5606 CI ran). Verified via `git ls-tree origin/main full-ai-cluster/INJECTION-POINTS.md`. Copilot's review-base was earlier than current main. Will resolve PR #5606 thread as no-op confirmed-on-main when closing.

LOCAL VALIDATION:

- bash -n syntax PASS
- bash tools/setup/install.sh on Darwin: routes to setup/macos.sh
- bun tools/ci/docker-nixos-install-sh-test.ts: SUCCESS in 108s (B-0849 docker harness validates the /.dockerenv discriminator-2 short-circuit preserves existing harness behavior)

PER OPERATOR DIRECTIVE 2026-05-27:
"and again dont feel any rush this is critical we get this usb right not fast fast comes after our self healing usb is stable" + "we pay the time now while things are simple to avoid sprawling complexity later" + "we can test nixos install in quick iteration locally with docker"

This PR follows all three directives: substrate-engineering-correctness-first; one sub-row scope; docker-harness-validated locally before push.

Co-Authored-By: Claude <noreply@anthropic.com>
Pull request overview
Adds NixOS-aware environment routing to tools/setup/install.sh, distinguishing macOS, non-NixOS Linux, NixOS installed, NixOS docker test harness, and NixOS live-USB. Live-USB now exits 2 with a guidance message pointing to the existing zeta-install.sh. Supersedes #5606 with three Copilot findings addressed (exit-code contract, name attribution, absolute paths).
Changes:
- New `detect_linux_flavor` helper with 4-step discriminator (NIXOS marker → docker → live-USB markers → installed default).
- Linux case dispatches by flavor; live-USB prints an absolute-path-rooted message and exits 2.
- Header documents 3 exit codes and the B-0857.2 routing matrix.
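
The discriminator priority and exit-code contract described in the commit message and review overview above, written out as a testable shell sketch. This is an added example, not the code merged in `tools/setup/install.sh`; the function names `classify_linux_root` and `route`, the root-prefix argument, the output labels and the exit 1 for an unknown kernel are assumptions made for illustration.

```shell
# Added illustration; NOT the project's install.sh.
# classify_linux_root [ROOT]: apply the 4-step discriminator priority to the
# filesystem rooted at ROOT (empty = the real /). The ROOT prefix is a
# hypothetical parameter so the logic can be exercised against a temp dir.
classify_linux_root() {
  _clr_root=${1:-}
  # 1. No /etc/NIXOS marker: ordinary Linux.
  if [ ! -e "$_clr_root/etc/NIXOS" ]; then
    echo "linux-non-nixos"; return 0
  fi
  # 2. Docker short-circuit runs before the live-USB check, so a container
  #    that also exposes installer-like paths still counts as installed.
  if [ -e "$_clr_root/.dockerenv" ]; then
    echo "nixos-installed"; return 0
  fi
  # 3. Installer-ISO markers: /iso or /run/initramfs.
  if [ -e "$_clr_root/iso" ] || [ -e "$_clr_root/run/initramfs" ]; then
    echo "nixos-live-usb"; return 0
  fi
  # 4. Default: treat as an installed NixOS system.
  echo "nixos-installed"
}

# route KERNEL [ROOT]: print the setup script to dispatch to on stdout and
# return the documented exit code (0 routed, 2 live-USB guard). Returning 1
# for an unrecognised kernel is an assumption; the page only says 1 = error.
route() {
  _rt_kernel=$1
  _rt_root=${2:-}
  case "$_rt_kernel" in
    Darwin) echo "setup/macos.sh"; return 0 ;;
    Linux)
      case "$(classify_linux_root "$_rt_root")" in
        nixos-live-usb)
          echo "NixOS live-USB detected: run zeta-install.sh instead" >&2
          return 2 ;;
        *) echo "setup/linux.sh"; return 0 ;;
      esac ;;
    *) echo "unsupported platform: $_rt_kernel" >&2; return 1 ;;
  esac
}
# Usage on a real host: route "$(uname -s)"
```

Because exit 2 is a deliberate guard, a caller that wraps the script should treat it separately from exit 1 instead of collapsing every non-zero status into a failure.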
AceHack added a commit that referenced this pull request May 27, 2026
…-entropy wording (supersedes #5608) (#5621)

* fix(injection-points): KDF chain documentation — restructure for accurate markdown rendering + work-factor-not-entropy wording (addresses Copilot findings on PR #5608; supersedes #5608)

Supersedes PR #5608. Two valid Copilot findings on that PR:

Finding 1 (markdown rendering): My earlier fix put backslash-escaped pipes (\|\| and "\|") inside inline code spans in a table cell. Markdown code spans render backslashes literally, so readers saw "\|\|" / "\"\|\"" instead of intended "||" / "|".

Finding 2 (entropy wording): "stretches low-entropy passphrase into high-entropy intermediate" is misleading — scrypt does NOT increase the underlying entropy of a weak passphrase (in information-theoretic terms, a weak passphrase remains weak). What scrypt provides is a tunable work-factor cost per guess, making brute-force memory-prohibitively expensive on GPU/ASIC.

Both addressed by restructuring:

- Table cell at line 116 simplified to: "AES-256-GCM; key derived via 2-layer scrypt → HKDF chain (full mechanism + parameters below)" — no pipe-in-inline-code issue
- New "KDF chain detail (mechanism + parameters)" sub-section below the table with full mechanism in code blocks (markdown code blocks don't have the pipe-escaping issue inline code in table cells has)
- Wording corrected: scrypt provides "tunable work-factor cost per guess" + "makes brute-force memory-prohibitively expensive on GPU/ASIC" + "scrypt is the layer that makes the IKM cryptographically suitable for HKDF input" (per OWASP guidance; per the 2026-05-27 security-review HIGH finding rationale documented in the zeta-creds-crypto.ts source)

LAYER 1 — scrypt:

    stretched = scrypt(passphrase, salt, length=32, N=2^17, r=8, p=1, maxmem=256MB)

LAYER 2 — HKDF-SHA256:

    ikm = concat(usbUuid_utf8, "|", stretched)
    key = HKDF-SHA256(ikm, salt, info="zeta-b0852-cred-persistence-v1", length=32)

Operator-named threat preserved verbatim: "we can put a key on the usb too if wnated tied to the uuid so it can't be copied to uuid" — the HKDF UUID-binding defense.

Why supersedes (not fix-fwd): PR #5608 used force-push-restricted branch path; new-branch path is policy-respected alternative. Pattern matches PR #5620 superseding PR #5606.

Copilot thread IDs to resolve when closing #5608:

- PRRT_kwDOSF9kNM6FNUvq (line 116, backslash escaping)
- PRRT_kwDOSF9kNM6FNUwj (line 116, entropy wording)

Co-Authored-By: Claude <noreply@anthropic.com>

* fix(injection-points): address 2 Copilot findings on PR #5621 — replace brittle line-range reference with symbol+constants reference; cite OWASP cheat sheet for scrypt parameters + soften operational-cost claim

Copilot caught 2 P1 findings on PR #5621 (the supersedes-#5608 fix). Both valid.

Finding 1 (P1, line 124, brittle line reference):
Was: `tools/installer/zeta-creds-crypto.ts:80-125` (line numbers drift; doesn't cover SCRYPT_N + SCRYPT_MAXMEM constants declared higher in the file)
Fixed: `tools/installer/zeta-creds-crypto.ts` (the `deriveKey` function + the `SCRYPT_*` + `KEY_LEN` + `SALT_LEN` + `HKDF_INFO` constants declared near the top of the file) — symbol-based + constants-named; survives line-number drift.

Finding 2 (P1, line 134, uncited operational + standard claims):
Was: "OWASP 2026 recommended parameters: N=2^17, r=8, p=1." + "~1-2 seconds of CPU per derivation" (no citation; generalized across-machines)
Fixed:

- Concrete citation: [OWASP Password Storage Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html#scrypt) at parameter-selection date 2026-05-27
- Bump procedure named: visit cheat sheet at next security-review cadence; update both the cheat-sheet-citation date here AND the SCRYPT_N/SCRYPT_R/SCRYPT_P constants in zeta-creds-crypto.ts
- Operational cost claim softened: "per the source-code comment's empirical timing context, on the maintainer's modern CPU at parameter-selection time, ~1-2 seconds of CPU per derivation" + "per-machine operational cost will vary with CPU + memory bandwidth" — substrate-honest; no across-machines generalization.

Per .claude/rules/blocked-green-ci-investigate-threads.md verify-before-fix: both findings inspected via direct line-level reading; both confirmed real + fixed.

Copilot thread IDs to resolve after merge:

- PRRT_kwDOSF9kNM6FNhdV (line 124, brittle line reference)
- PRRT_kwDOSF9kNM6FNhd3 (line 134, uncited OWASP + operational cost)

Pre-existing MD060 IDE warnings (compact table column-style without spaces around pipes) NOT addressed in this commit — same warnings on all prior-merged commits to this file; not CI-blocking.

Co-Authored-By: Claude <noreply@anthropic.com>

---------

Co-authored-by: Lior <lior@zeta.dev>
Co-authored-by: Claude <noreply@anthropic.com>
This was referenced May 27, 2026
Summary
Supersedes #5606 (which had 3 valid Copilot findings + 1 false-positive). Fresh branch off origin/main; no force-push (policy-respected new-branch path per the autonomous-loop force-push discipline).
PR #5606 will be closed with cross-reference to this PR.
Routing matrix (unchanged from #5606)
Copilot findings addressed (from PR #5606)
Finding 1 (P1, line 16) — exit-code contract reconciled
Was: "Exit 0 on success. Any failure is a dev-experience bug" but the live-USB branch intentionally exits 2.
Fixed: expanded exit-code documentation to 3 codes (0 success; 1 error; 2 intentional routing guard for NixOS live-USB — NOT a dev-experience bug). Clarified that CI `gate.yml` asserts exit 0 in its tested environments (none of which are NixOS live-USB).
Finding 2 (P1, line 36) — name attribution
Was: "Per B-0857 operator framing (Aaron 2026-05-27):"
Fixed: "Per B-0857 operator framing (2026-05-27):" per name-attribution convention.
Finding 3 (P1, line 111) — relative path
Was: "sudo bash full-ai-cluster/usb-nixos-installer/zeta-install.sh" (relative; fails if user not in repo root).
Fixed: resolves `$REPO_ROOT`-rooted absolute path before printing the message; also resolves `$INJECTION_POINTS_ABS` absolute path; both paths now work regardless of caller cwd.
Finding 4 (P0, line 114) — FALSE POSITIVE
Copilot flagged "`full-ai-cluster/INJECTION-POINTS.md` does not exist in the repo" but the file DID land on origin/main at `976b3521a` (PR #5601, merged before PR #5606 CI ran). Verified via `git ls-tree origin/main full-ai-cluster/INJECTION-POINTS.md`. Copilot's review-base predated #5601 merge.
Local validation
Why new-branch path (not force-push)
Per autonomous-loop force-push discipline: force-push requires explicit operator authorization. Earlier rebase rewrote PR #5606's branch SHAs locally; pushing those would have required force-push. The policy-respected alternative is the new-branch path (this PR).
Test plan
🤖 Generated with Claude Code