Merge branch 'main' into onboarding

Author: EmmanuelBoidot

.github/workflows/release.yaml

@@ -11,12 +11,27 @@ permissions:
 
 jobs:
   build-assets:
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-24.04-arm  # Native arm64 -- no QEMU, ~5x faster Docker builds
     steps:
       - uses: actions/checkout@v4
-      - uses: docker/setup-qemu-action@v3
+      - uses: docker/setup-buildx-action@v3
+
+      - uses: dtolnay/rust-toolchain@stable
+        with:
+          targets: aarch64-unknown-linux-musl
+          components: llvm-tools
+
+      - uses: Swatinem/rust-cache@v2
+        with:
+          cache-targets: false
+          key: build-assets
+
+      - name: Install b3sum
+        run: cargo install b3sum --locked
+
       - name: Build VM assets
         run: python3 images/build.py
+
       - uses: actions/upload-artifact@v4
         with:
           name: vm-assets
@@ -33,6 +48,10 @@ jobs:
           path: assets/
 
       - uses: dtolnay/rust-toolchain@stable
+      - uses: Swatinem/rust-cache@v2
+        with:
+          key: build-app
+
       - uses: pnpm/action-setup@v4
         with:
           version: 9
@@ -44,7 +63,7 @@ jobs:
       - run: cd frontend && pnpm install --frozen-lockfile
 
       - name: Install cargo-auditable and cargo-sbom
-        run: cargo install cargo-auditable cargo-sbom
+        run: cargo install cargo-auditable cargo-sbom --locked
 
       - name: Import Apple certificate
         if: env.APPLE_CERTIFICATE != ''

crates/capsem-app/build.rs

@@ -18,7 +18,7 @@ fn main() {
                 match filename {
                     "vmlinuz" => println!("cargo:rustc-env=VMLINUZ_HASH={}", hash),
                     "initrd.img" => println!("cargo:rustc-env=INITRD_HASH={}", hash),
-                    "rootfs.img" | "rootfs.squashfs" => {
+                    "rootfs.squashfs" => {
                         println!("cargo:rustc-env=ROOTFS_HASH={}", hash);
                         println!("cargo:rustc-env=ROOTFS_FILENAME={}", filename);
                     }

crates/capsem-app/src/main.rs

@@ -96,20 +96,15 @@ fn resolve_assets_dir() -> Result<PathBuf> {
 }
 
 /// Resolve rootfs path, checking bundled assets first, then ~/.capsem/assets/.
-/// Supports both squashfs (new) and raw img (legacy) formats.
 fn resolve_rootfs(bundled_assets: &Path) -> Option<PathBuf> {
-    for name in &["rootfs.squashfs", "rootfs.img"] {
-        let bundled = bundled_assets.join(name);
-        if bundled.exists() {
-            return Some(bundled);
-        }
+    let bundled = bundled_assets.join("rootfs.squashfs");
+    if bundled.exists() {
+        return Some(bundled);
     }
     if let Some(download_dir) = asset_manager::default_assets_dir() {
-        for name in &["rootfs.squashfs", "rootfs.img"] {
-            let downloaded = download_dir.join(name);
-            if downloaded.exists() {
-                return Some(downloaded);
-            }
+        let downloaded = download_dir.join("rootfs.squashfs");
+        if downloaded.exists() {
+            return Some(downloaded);
         }
     }
     None
@@ -127,7 +122,7 @@ fn create_asset_manager(bundled_assets: &Path) -> Result<AssetManager> {
     AssetManager::new(download_dir, base_url, &b3sums_content)
 }
 
-/// Find the rootfs filename in the manifest (e.g. "rootfs.squashfs" or "rootfs.img").
+/// Find the rootfs filename in the manifest.
 fn rootfs_manifest_name(mgr: &AssetManager) -> Result<String> {
     mgr.manifest_filenames()
         .into_iter()
@@ -540,9 +535,8 @@ fn boot_vm(
         let rootfs_path = rootfs_override
             .map(|p| p.to_path_buf())
             .or_else(|| {
-                ["rootfs.squashfs", "rootfs.img"].iter()
-                    .map(|n| assets.join(n))
-                    .find(|p| p.exists())
+                Some(assets.join("rootfs.squashfs"))
+                    .filter(|p| p.exists())
             });
 
         if let Some(ref rootfs) = rootfs_path {

crates/capsem-core/src/asset_manager.rs

@@ -372,7 +372,7 @@ mod tests {
     const SAMPLE_B3SUMS: &str = "\
 a65f925ebe0b0cc76afe0fe4945431473cb1a32c4f47a9e9b1592e92c46c829c  vmlinuz
 cba052ee1e3fc7de5bb1af0da9f4a6472622b24788051f0e4d4ae6eabb0c3456  initrd.img
-b8199dc4a83069b99f41e1eb3829992d12777d09e2ce8295276f9d3a1abb1eee  rootfs.img
+b8199dc4a83069b99f41e1eb3829992d12777d09e2ce8295276f9d3a1abb1eee  rootfs.squashfs
 ";
 
     // ---- parse_b3sums tests ----
@@ -387,7 +387,7 @@ b8199dc4a83069b99f41e1eb3829992d12777d09e2ce8295276f9d3a1abb1eee  rootfs.img
             "a65f925ebe0b0cc76afe0fe4945431473cb1a32c4f47a9e9b1592e92c46c829c"
         );
         assert_eq!(entries[1].filename, "initrd.img");
-        assert_eq!(entries[2].filename, "rootfs.img");
+        assert_eq!(entries[2].filename, "rootfs.squashfs");
     }
 
     #[test]
@@ -466,7 +466,7 @@ b8199dc4a83069b99f41e1eb3829992d12777d09e2ce8295276f9d3a1abb1eee  rootfs.img
         )
         .unwrap();
         assert_eq!(mgr.manifest.len(), 3);
-        assert_eq!(mgr.manifest_filenames(), vec!["vmlinuz", "initrd.img", "rootfs.img"]);
+        assert_eq!(mgr.manifest_filenames(), vec!["vmlinuz", "initrd.img", "rootfs.squashfs"]);
     }
 
     #[test]

crates/capsem-core/src/vm/config.rs

@@ -436,7 +436,7 @@ mod tests {
         let kernel = temp_file("vmlinuz-disk-bad");
         let err = VmConfig::builder()
             .kernel_path(&kernel)
-            .disk_path("/nonexistent/rootfs.img")
+            .disk_path("/nonexistent/rootfs.squashfs")
             .build();
         assert!(matches!(err, Err(ConfigError::MissingDisk(_))));
     }

crates/capsem-core/tests/vm_integration.rs

@@ -32,8 +32,8 @@ fn make_config(assets: &std::path::Path) -> VmConfig {
     if assets.join("initrd.img").exists() {
         builder = builder.initrd_path(assets.join("initrd.img"));
     }
-    if assets.join("rootfs.img").exists() {
-        builder = builder.disk_path(assets.join("rootfs.img"));
+    if assets.join("rootfs.squashfs").exists() {
+        builder = builder.disk_path(assets.join("rootfs.squashfs"));
     }
 
     builder.build().expect("VmConfig should be valid with real assets")

images/build.py

@@ -1,12 +1,12 @@
 #!/usr/bin/env python3
-"""Build VM boot assets using Podman.
+"""Build VM boot assets using Podman/Docker.
 
 Extracts vmlinuz + initrd from Debian ARM64, builds a squashfs rootfs
 (zstd-compressed) with developer tools and AI CLIs pre-installed.
 Output goes to ../assets/.
 """
 
-import hashlib
+import os
 import shutil
 import subprocess
 import sys
@@ -22,22 +22,42 @@
 # Use podman, fall back to docker
 RUNTIME = "podman" if shutil.which("podman") else "docker"
 
+# In GitHub Actions with docker, use buildx + GHA cache for faster rebuilds.
+CI = bool(os.environ.get("GITHUB_ACTIONS"))
+
 
 def run(cmd: list[str], **kwargs) -> subprocess.CompletedProcess:
     print(f"  -> {' '.join(cmd)}")
     return subprocess.run(cmd, check=True, **kwargs)
 
 
+def _docker_build(tag: str, dockerfile: str, context: str):
+    """Build a container image, using BuildKit GHA cache in CI."""
+    if CI and RUNTIME == "docker":
+        run([
+            "docker", "buildx", "build",
+            "--platform", "linux/arm64",
+            "--cache-from", "type=gha,scope=" + tag,
+            "--cache-to", "type=gha,mode=max,scope=" + tag,
+            "--load",
+            "-t", tag,
+            "-f", dockerfile,
+            context,
+        ])
+    else:
+        run([
+            RUNTIME, "build",
+            "--platform", "linux/arm64",
+            "-t", tag,
+            "-f", dockerfile,
+            context,
+        ])
+
+
 def build_kernel_image():
     """Build the container image that extracts kernel + initrd."""
     print(f"Building kernel extraction image with {RUNTIME}...")
-    run([
-        RUNTIME, "build",
-        "--platform", "linux/arm64",
-        "-t", IMAGE_TAG,
-        "-f", str(SCRIPT_DIR / "Dockerfile.kernel"),
-        str(SCRIPT_DIR),
-    ])
+    _docker_build(IMAGE_TAG, str(SCRIPT_DIR / "Dockerfile.kernel"), str(SCRIPT_DIR))
 
 
 def extract_assets():
@@ -87,12 +107,11 @@ def build_agent():
     ], cwd=str(REPO_ROOT))
 
     # Copy binaries to images/ so Dockerfile.rootfs can COPY them.
-    import shutil as _shutil
     release_dir = REPO_ROOT / "target" / "aarch64-unknown-linux-musl" / "release"
     for binary_name in ["capsem-pty-agent", "capsem-net-proxy"]:
         src = release_dir / binary_name
         dst = SCRIPT_DIR / binary_name
-        _shutil.copy2(str(src), str(dst))
+        shutil.copy2(str(src), str(dst))
         print(f"  {binary_name}: {dst} ({dst.stat().st_size} bytes)")
 
 
@@ -107,13 +126,7 @@ def create_rootfs():
     print(f"  capsem-ca.crt: {ca_dst}")
 
     # 1. Build rootfs container (arm64 binaries)
-    run([
-        RUNTIME, "build",
-        "--platform", "linux/arm64",
-        "-t", ROOTFS_IMAGE_TAG,
-        "-f", str(SCRIPT_DIR / "Dockerfile.rootfs"),
-        str(SCRIPT_DIR),
-    ])
+    _docker_build(ROOTFS_IMAGE_TAG, str(SCRIPT_DIR / "Dockerfile.rootfs"), str(SCRIPT_DIR))
 
     # 2. Export container filesystem as tar
     print("Exporting rootfs filesystem...")
@@ -129,7 +142,7 @@ def create_rootfs():
     finally:
         run([RUNTIME, "rm", cid])
 
-    # 3. Create squashfs image from tar (zstd level 19 for best compression)
+    # 3. Create squashfs image from tar (zstd level 15 for good compression)
     print("Creating squashfs rootfs image (zstd compression)...")
     abs_assets = str(ASSETS_DIR.resolve())
     run([
@@ -138,19 +151,19 @@ def create_rootfs():
         "debian:bookworm-slim", "bash", "-c",
         "apt-get update && apt-get install -y squashfs-tools zstd && "
         "mkdir /rootfs && tar xf /assets/rootfs.tar -C /rootfs && "
-        "mksquashfs /rootfs /assets/rootfs.img -comp zstd -Xcompression-level 15 -b 64K -noappend",
+        "mksquashfs /rootfs /assets/rootfs.squashfs -comp zstd -Xcompression-level 15 -b 64K -noappend",
     ])
 
     # 4. Cleanup tar
     tar_path.unlink()
 
-    img_path = ASSETS_DIR / "rootfs.img"
-    print(f"  rootfs.img: {img_path} ({img_path.stat().st_size // (1024*1024)} MB)")
+    img_path = ASSETS_DIR / "rootfs.squashfs"
+    print(f"  rootfs.squashfs: {img_path} ({img_path.stat().st_size // (1024*1024)} MB)")
 
 
 def generate_checksums():
     print("Generating BLAKE3 checksums...")
-    files = [f for f in ["vmlinuz", "initrd.img", "rootfs.img"]
+    files = [f for f in ["vmlinuz", "initrd.img", "rootfs.squashfs"]
              if (ASSETS_DIR / f).exists()]
     result = subprocess.run(
         ["b3sum"] + files,
@@ -166,6 +179,8 @@ def generate_checksums():
 
 def main():
     print(f"Using container runtime: {RUNTIME}")
+    if CI:
+        print("  CI mode: Docker BuildKit GHA cache enabled")
     build_kernel_image()
     extract_assets()
     build_agent()

justfile

@@ -126,28 +126,47 @@ update-prices:
 _ensure-tools:
     #!/bin/bash
     set -euo pipefail
+    err=0
+    # Container runtime (Docker or Podman) -- needed for build-assets
+    if ! command -v docker &>/dev/null && ! command -v podman &>/dev/null; then
+        echo "ERROR: docker or podman required (for VM image builds)"
+        err=1
+    fi
+    # Musl target for cross-compiling guest binaries
+    if ! rustup target list --installed | grep -q aarch64-unknown-linux-musl; then
+        echo "Installing aarch64-unknown-linux-musl target..."
+        rustup target add aarch64-unknown-linux-musl
+    fi
+    # rust-lld linker (from llvm-tools component) -- needed for musl linking
+    if ! rustup component list --installed | grep -q llvm-tools; then
+        echo "Installing llvm-tools (provides rust-lld)..."
+        rustup component add llvm-tools
+    fi
+    # cargo-llvm-cov for coverage
     if ! command -v cargo-llvm-cov &>/dev/null; then
         echo "Installing cargo-llvm-cov..."
         cargo install cargo-llvm-cov
     fi
-    if ! rustup component list --installed | grep -q llvm-tools; then
-        echo "Installing llvm-tools-preview..."
-        rustup component add llvm-tools-preview
+    # b3sum for BLAKE3 checksums
+    if ! command -v b3sum &>/dev/null; then
+        echo "Installing b3sum..."
+        cargo install b3sum --locked
     fi
     if ! command -v podman &>/dev/null && ! command -v docker &>/dev/null; then
         echo "ERROR: Podman or Docker is required to build VM assets."
         echo "Install podman: brew install podman && podman machine init && podman machine start"
-        exit 1
+        err=1
     fi
     if ! command -v b3sum &>/dev/null; then
         echo "ERROR: b3sum is required for checksum verification."
         echo "Install it via brew: brew install b3sum"
-        exit 1
+        err=1
     fi
     if ! cargo tauri --version &>/dev/null; then
         echo "Installing Tauri CLI..."
         cargo install tauri-cli
     fi
+    if [ "$err" -ne 0 ]; then exit 1; fi
 
 _frontend:
     cd frontend && pnpm build
@@ -192,5 +211,5 @@ _pack-initrd:
     find . | cpio -o -H newc 2>/dev/null | gzip > "$INITRD"
     rm -rf "$WORKDIR"
     cd "$ROOT"
-    (cd "{{assets_dir}}" && b3sum vmlinuz initrd.img rootfs.img > B3SUMS)
+    (cd "{{assets_dir}}" && b3sum vmlinuz initrd.img rootfs.squashfs > B3SUMS)
     echo "initrd repacked (with agent + net-proxy + mcp-server + fs-watch + doctor)"