Skip to content

feat(deps): file-based secure-exec deps with transient publish-time version swap#1587

Closed
NathanFlurry wants to merge 1 commit into
mainfrom
registry-dep-track
Closed

feat(deps): file-based secure-exec deps with transient publish-time version swap#1587
NathanFlurry wants to merge 1 commit into
mainfrom
registry-dep-track

Conversation

@NathanFlurry

@NathanFlurry NathanFlurry commented Jul 2, 2026

Copy link
Copy Markdown
Member
  • The committed dependency state is now permanently FILE-BASED: every @secure-exec/* npm dep is link:../secure-exec/..., every secure-exec-* crate a path dep, and every @agentos-software/* registry package a link: into ../secure-exec/registry/{software,agent}/* — local development needs no mode flipping
  • New committed secure-exec.ref pins the secure-exec sha; just secure-exec-bump [sha] advances it, and CI materializes + builds the sibling at that sha (prepare-build, cached per sha)
  • CI gate verify-file-deps (plus the inverted check-no-escaping-local-deps, which now sanctions exactly the ../secure-exec escape) rejects any branch that commits published-version pins
  • Publish workflows swap to real versions transiently via secure-exec-dep.mjs release-swap: previews auto-cut (or reuse) a secure-exec preview at the committed ref (agentos-dep-<sha7> branch/dist-tag, needs the SECURE_EXEC_DISPATCH_TOKEN secret); releases require --secure-exec-version <v> to be a real secure-exec release verified on npm AND crates.io
  • Dependency tracks split: secure-exec-* recipes manage the runtime track, new agentos-pkgs-local/pinned/status/set-version/update recipes manage the per-package-versioned registry track
  • Rewrite the Building Binaries docs page for the new registry recipes, add a Publishing Packages docs page, and update CLAUDE.md + the preview-publish skill for the new model

Pairs with rivet-dev/secure-exec#222 (which also makes secure-exec previews publish the registry packages under the branch dist-tag).

@railway-app railway-app Bot temporarily deployed to agentos / agentos-pr-1587 July 2, 2026 21:45 Destroyed
@railway-app railway-app Bot temporarily deployed to agentos / agentos-pr-1587 July 2, 2026 22:03 Destroyed
@NathanFlurry NathanFlurry changed the title feat(deps): split registry package track from secure-exec runtime deps feat(deps): file-based secure-exec deps with transient publish-time version swap Jul 2, 2026
@railway-app

railway-app Bot commented Jul 2, 2026

Copy link
Copy Markdown

🚅 Deployed to the agentos-pr-1587 environment in agentos

Service Status Web Updated (UTC)
agentos 😴 Sleeping (View Logs) Web Jul 2, 2026 at 11:07 pm

🚅 Environment agentos-pr-1587 in rivet-frontend has no services deployed.

@railway-app railway-app Bot temporarily deployed to agentos / agentos-pr-1587 July 2, 2026 22:25 Destroyed
@railway-app railway-app Bot temporarily deployed to agentos / agentos-pr-1587 July 2, 2026 22:26 Destroyed
@railway-app railway-app Bot temporarily deployed to agentos / agentos-pr-1587 July 2, 2026 22:57 Destroyed
@NathanFlurry

Copy link
Copy Markdown
Member Author

Superseded by the forklift stack: #1590 (file-based deps model) + #1591 (fully dynamic default software).

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant