Skip to content

Build Alpha.5 local rig profiles and flight sheets#4

Draft
Deadbytes101 wants to merge 25 commits into
rigos-alpha2-mbrfrom
rigos-alpha5-local-config
Draft

Build Alpha.5 local rig profiles and flight sheets#4
Deadbytes101 wants to merge 25 commits into
rigos-alpha2-mbrfrom
rigos-alpha5-local-config

Conversation

@Deadbytes101

@Deadbytes101 Deadbytes101 commented Jul 5, 2026

Copy link
Copy Markdown
Owner

Summary

Adds the Alpha.5 local rig profile and Flight Sheet engine on top of the immutable Alpha.4 MBR appliance work.

This remains a stacked draft PR with base rigos-alpha2-mbr. It must remain draft until image and physical gates are complete.

Scope

  • strict local rig.conf machine profile
  • native RIGOS Flight Sheet schema
  • offline one-way Hive-style importer
  • exact verified boot USB attestation and read-only EFI staging
  • machine-local identity resolution
  • atomic revision commit and runtime rollback
  • timezone application
  • miner manual or on-boot policy
  • rigos.nomine=1 safety gate
  • firstboot recovery and confirmation UI
  • Alpha.5 build and verification wiring

Product contract

  • no Hive API
  • no cloud account
  • no remote shell
  • no license server
  • no forced pool
  • no watchdog in config v1
  • no multi-miner orchestration
  • no source file mutation on EFI
  • no service mutation before validation and local confirmation

Source gate

Passed on head c772bcc26279e9becafe3ae2f1561eba289c2f16 in WSL with an isolated Linux CARGO_TARGET_DIR.

Current head 0288897ec0f8ae360214618c3c3f4af351677b1f contains one build-only follow-up that qualifies the Rust container image as docker.io/library/rust:1.85.1-bookworm for deterministic Podman resolution. Reverification is required before the image build continues.

Previous passing evidence

  • rustfmt check passed
  • clippy with warnings denied passed
  • workspace tests passed
  • complete Hive compatibility tests passed
  • schema checks passed
  • release build verification passed
  • scripts/verify.sh reported RIGOS verification passed
  • final marker RIGOS_ALPHA5_VERIFY_OK
  • final WSL exit code 0

Alpha.4 artifact SHA-256 remains immutable at 25b275b267c7917e5f27bbe5a72681b108a3bb574556d80d5c4053e5fcefd2d3.

Image build

Build only from a verified head and a tracked-clean commit.

podman build -t rigos-usb-builder -f build/usb/Dockerfile .
podman run --rm --privileged \
  -v "$PWD:/source" -v /var/tmp/rigos-build:/work rigos-usb-builder
sha256sum -c dist/usb/rigos-usb-amd64-0.0.4-alpha.5.img.sha256

Expected authoritative artifact

dist/usb/rigos-usb-amd64-0.0.4-alpha.5.img

Dependencies

Gates still pending

  • reverify current head
  • build Alpha.5 image
  • verify generated checksum
  • appliance verifier on built image
  • QEMU SeaBIOS
  • QEMU OVMF
  • physical negative state gate
  • state dependency resolution
  • physical positive config import
  • reboot persistence
  • miner start and accepted share
  • internal disk unchanged proof

Do not merge or mark ready yet.

@Deadbytes101 Deadbytes101 left a comment

Copy link
Copy Markdown
Owner Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Static review on the pushed Alpha.5 head found three blockers before image acceptance.

  1. rigos-config revalidation calls rigos-state-init --dry-run, but layout validation still rejects every mounted non-root child. After successful state initialization partition 4 is mounted at /var/lib/rigos, so the revalidation path can fail with UnexpectedWritableMount and block config import on the exact verified USB. Add an attestation-only validation mode that explicitly permits the already verified state mount, or separate immutable identity validation from writable-mount checks. Lock this with a test where ROOT_A and RIGOS_STATE are both mounted on the same USB.

  2. The importer expects a flattened object. The real Hive-style Flight Sheet fixture supplied for this work stores the miner data inside items[0]. The current synthetic fixture therefore does not prove compatibility with the target format. Add strict envelope parsing for exactly one supported XMRig item or define deterministic item selection with ambiguity rejection. Preserve the credential-free synthetic fixture but match the real nesting and member-fragment syntax.

  3. string_list filters non-string pool entries and bool_list coerces invalid or mismatched TLS entries to false. This violates the fail-closed import contract and can change pool ordering or TLS meaning. Reject mixed types and require either one boolean applied to all pools or an array with exactly the pool count.

Additional status

  • stacked base and head are correct
  • PR remains draft
  • no workflow runs are currently attached to the pushed head
  • GitHub reports 7 commits ahead of the Alpha.4 base, consisting of the two seed branch commits plus the five pushed implementation commits
  • positive physical validation remains blocked by Issue #3

Do not merge or mark ready until these blockers and the image gates pass.

@Deadbytes101 Deadbytes101 left a comment

Copy link
Copy Markdown
Owner Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Review of 24c62ba181abd2f1aaa0bf6c989dd57d47701bcb

Accepted fixes

  • exact verified state mount is now permitted only in the attestation-only path while the normal layout validator still rejects it
  • the importer now rejects empty or ambiguous items, mixed pool URL types, non-boolean TLS values, TLS array length mismatch, and URL scheme conflicts
  • the synthetic fixture now has a one-item envelope

One original compatibility blocker remains incomplete

The real Hive-style input places algo, url, pass, template, cpu_config, and user_config inside items[0].miner_config. The importer currently reads those keys from items[0] itself. That silently falls back to algorithm auto, worker template {node_name}, and default CPU policy for the target fixture. Add strict parsing of exactly one miner_config object and lock these semantics

  • url must be %URL%
  • template must be %WAL%
  • pass may map %WORKER_NAME% to the RIGOS worker template
  • algo, cpu_config, and user_config come from miner_config
  • nested keys must use an explicit allowlist and dangerous nested fields must fail
  • the synthetic fixture must preserve the same nesting as the compatibility target

Additional firstboot blockers found during the follow-up review

  1. rigos-firstboot checks for state ready or grown before running passwd. The image build locks rigosadmin initially. On the known limited_capacity path the operator sees the negative gate and is then left without a usable local administrator login for Issue #3 diagnostics. Keep configuration and mining blocked, but establish the local administrator password before the state-dependent config flow or provide an explicit local recovery path.

  2. External identity mapping is written but not read by firstboot. resolve_identity scans only identity files, so confirmed wal_id mappings are never reused. Also, selecting an existing identity whose alias differs from a native sheet reference returns that record without updating the proposal reference, causing build_runtime to reject the transaction. Add the confirmed mapping lookup and update the in-memory proposal only after explicit operator confirmation.

PR should remain draft. No review thread was replied to or resolved, and no PR status was changed.

Copy link
Copy Markdown
Owner Author

Direct GitHub update applied without requiring a local patch download.

Current head 67c64715b43e3ce4062c7727182da106e2cf757a

Changes since e3ff13751fb3973130e9de5304c9c7810f18e5b2

  • added strict Hive compatibility adapter for cpu, fork, and hugepages
  • routed runtime import preparation through the adapter
  • updated the credential-free fixture to the real nested shape
  • added compatibility tests for CPU markers, fork validation, huge-pages mapping, conflicts, and unknown nested fields

The PR remains open and draft. No review thread was resolved and no PR status was changed.

Remote CI is not configured on this head, so build authorization still requires a fresh local pull followed by fmt, clippy, workspace tests, Linux-target check, schema verification, and scripts/verify.sh in the known-good environment.

Copy link
Copy Markdown
Owner Author

Applied the rustfmt-only follow-up directly on GitHub after the Windows verification exposed formatting drift.

Current head c772bcc26279e9becafe3ae2f1561eba289c2f16

The PR remains open and draft. No review thread was replied to or resolved and no PR status was changed.

Local Windows results already show clippy and workspace tests passing, including all five Hive compatibility tests. Final verification should now be rerun after pull, with scripts/verify.sh executed under WSL or the known-good Podman environment where Cargo is available.

Copy link
Copy Markdown
Owner Author

Local WSL verification status correction for head c772bcc26279e9becafe3ae2f1561eba289c2f16

The run did not complete successfully. Workspace checks and the new Hive compatibility tests passed, but scripts/verify.sh later reused a Linux test binary linked against newer GLIBC and failed on Ubuntu 22.04 with missing GLIBC_2.38 and GLIBC_2.39. The final exit code was 1 and the success marker was not reached.

This is an environment artifact-cache contamination issue, not a reported source-test failure. Re-run with an isolated WSL CARGO_TARGET_DIR in the WSL home directory before authorizing the Alpha.5 image build.

PR remains open and draft. No review thread or PR status was changed.

Copy link
Copy Markdown
Owner Author

Latest local WSL verification update for head c772bcc26279e9becafe3ae2f1561eba289c2f16

The isolated WSL target directory fixed the previous GLIBC contamination. Workspace clippy and tests now pass, including the complete Hive compatibility suite.

The full verification still stopped in scripts/verify.sh because rg was not installed in WSL. The missing ripgrep command caused the final MBR declaration check to fail and the run exited 1.

Install ripgrep in WSL and rerun the same isolated verification command. PR remains open and draft. No review thread or PR status was changed.

Copy link
Copy Markdown
Owner Author

Alpha.5 source verification passed on head c772bcc26279e9becafe3ae2f1561eba289c2f16.

Verified in WSL with an isolated Linux CARGO_TARGET_DIR after installing the required toolchain dependencies.

  • rustfmt check passed
  • clippy with warnings denied passed
  • workspace tests passed
  • Hive compatibility tests passed
  • schema checks passed
  • release build verification passed
  • scripts/verify.sh reported RIGOS verification passed
  • final marker RIGOS_ALPHA5_VERIFY_OK
  • final WSL exit code 0

Source gate is closed and the Alpha.5 image build is authorized.

Next gates remain image build, appliance verifier, QEMU SeaBIOS, QEMU OVMF, and physical negative state gate. PR remains open and draft. No review thread or PR status was changed.

Copy link
Copy Markdown
Owner Author

Alpha.5 image build was not started in the latest local attempt. Linux build commands were entered directly in Windows PowerShell, and Podman is not installed in that shell. No repository or source failure was observed.

Next action is to install Podman inside WSL and run the documented builder from WSL against verified head c772bcc26279e9becafe3ae2f1561eba289c2f16.

PR remains open and draft. Build gate is still pending.

Copy link
Copy Markdown
Owner Author

Fixed the Podman short-name build failure directly on the branch.

New head 0288897ec0f8ae360214618c3c3f4af351677b1f

Change

  • build/usb/Dockerfile now uses docker.io/library/rust:1.85.1-bookworm

This removes dependence on host unqualified-search-registries configuration and makes the documented Podman build deterministic on the current WSL installation.

The previous build did not start and exited 125 before creating the builder container. Pull the new head, rerun source verification for the new commit, then rerun the image build. PR remains open and draft.

Copy link
Copy Markdown
Owner Author

The latest run reached image assembly but did not close the build gate.

Observed result

  • source reverification passed
  • live-build completed successfully
  • raw 2.5 GiB MBR image was assembled
  • BIOS and removable UEFI GRUB installation completed
  • appliance verification failed before checksum export because the verifier tried to inspect rigos-miner.service without extracting that unit from the squashfs
  • final exit code was 1

Fixed directly on the branch in 285d1599be5ad9e78c06a955fc3ff551ef36563d.

scripts/verify-usb-appliance.sh now extracts both rigos-miner.service and rigos-profile-apply.service before validating their policy gates.

Pull the new head, reverify it, and rerun the image build. PR remains open and draft.

Copy link
Copy Markdown
Owner Author

Alpha.5 build update for head 285d1599be5ad9e78c06a955fc3ff551ef36563d

Passed

  • source reverification
  • raw MBR image build
  • BIOS GRUB installation
  • UEFI GRUB installation
  • appliance verifier
  • recovery ISO verifier

The last checksum command was run from the wrong directory. Run it from dist/usb to finish the build gate. PR remains open and draft.

Copy link
Copy Markdown
Owner Author

Physical flash preflight evidence captured with Rufus for the Alpha.5 raw image.

Observed on the 28.7 GB removable USB target

  • raw image recognized as a bootable disk image
  • GRUB 2.0 MBR detected
  • MBR disk identifier 0x5249474F
  • exactly four partitions detected
  • partition 1 FAT32 LBA, 256 MiB, start LBA 2048, active
  • partition 2 Linux ext4, 1 GiB, start LBA 526336
  • partition 3 Linux ext4, 1 GiB, start LBA 2623488
  • partition 4 Linux ext4, 256 MiB, start LBA 4720640

This matches the Alpha.5 image layout contract. This evidence confirms image recognition and target layout, but does not by itself close BIOS, UEFI, firstboot, state, or internal-disk safety gates. PR remains open and draft.

Copy link
Copy Markdown
Owner Author

Physical boot evidence captured for Alpha.5.

Observed on hardware

  • RIGOS FIRST BOOT UI rendered correctly on the local display
  • local administrator password setup prompt appeared
  • persistent state reported limited_capacity
  • the UI explicitly blocked configuration and mining until the verified USB state is ready
  • boot continued to multi-user target

This closes the physical negative state gate. The result also confirms the firstboot screen path is visible on hardware. It does not close the positive configuration, reboot persistence, accepted-share, internal-disk safety, or exact firmware-mode gates.

Issue #3 remains the blocker for positive physical Alpha.5 validation. PR remains open and draft.

Copy link
Copy Markdown
Owner Author

Fixed the physical tty1 handoff bug observed after the limited_capacity firstboot gate.

Root cause

  • rigos-firstboot.service declared Conflicts=getty@tty1.service
  • it also used RemainAfterExit=yes
  • when firstboot exited after showing the blocked-state dialog, tty1 had no login process and remained on a blinking cursor

Fix

  • removed the conflict with getty@tty1.service
  • kept ordering with Before=getty@tty1.service
  • removed RemainAfterExit=yes
  • added an integration test that rejects either regression

Commits

  • f6986c64a64646ae415d550eeaa29470d397e104
  • b135dfa6fe38dcb5afc2858d876c11f799b20563

The current Alpha.5 image predates this fix and must not be treated as the final physical-validation image. Pull the new head, run source verification, rebuild, verify the image, and reflash before retesting tty1. PR remains draft.

Copy link
Copy Markdown
Owner Author

TTY1 handoff fix source verification passed on head b135dfa6fe38dcb5afc2858d876c11f799b20563. Rebuild and physical reflash are now authorized. The rebuilt image must replace the previous Alpha.5 artifact, pass checksum and appliance verification, then be flashed to the test USB for physical confirmation that tty1 reaches the login prompt after the blocked firstboot dialog. PR remains open and draft.

Copy link
Copy Markdown
Owner Author

TTY1-fix rebuild reached successful artifact generation on head b135dfa6fe38dcb5afc2858d876c11f799b20563.

Passed

  • BIOS GRUB installation
  • UEFI GRUB installation
  • USB appliance verifier
  • recovery ISO verifier
  • image checksum
  • recovery ISO checksum

The wrapper then exited 127 because jq is not installed in the host WSL environment, so the final manifest source-commit and artifact-hash cross-check did not run. The artifacts do not need to be rebuilt. Run the final manifest cross-check with Python or install jq, then reflash and physically retest tty1. PR remains open and draft.

Copy link
Copy Markdown
Owner Author

Physical tty1 handoff retest passed on head b135dfa6fe38dcb5afc2858d876c11f799b20563 with rebuilt image SHA-256 ae74eee193c1fc9c63de1d75914a2874ed531a591217ccae8b9b96ba71d6948e.

Observed on hardware

  • firstboot completed its blocked-state path
  • tty1 was released correctly
  • Debian GNU/Linux 12 debian tty1 login prompt appeared
  • rigosadmin authenticated successfully
  • interactive shell prompt reached as rigosadmin@debian

This closes the physical tty1 handoff bug and its regression gate. Issue #3 remains open because persistent state still reports limited_capacity, so positive configuration and mining validation remain blocked. PR remains open and draft.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant