file_sync: config-driven replacement for hardcoded auth sync
Replace the three hardcoded host→guest credential syncs (opencode,
claude, pi) with a generic `[[file_sync]]` config list. Default is
empty — users opt in to exactly what they want synced, with no
surprise about which tools banger "supports".
```toml
[[file_sync]]
host = "~/.local/share/opencode/auth.json"
guest = "~/.local/share/opencode/auth.json"
[[file_sync]]
host = "~/.aws" # directories are copied recursively
guest = "~/.aws"
[[file_sync]]
host = "~/bin/my-script"
guest = "~/bin/my-script"
mode = "0755" # optional; default 0600 for files
```
Semantics:
- Host `~/...` expands against the host user's $HOME. Absolute host
paths are used as-is.
- Guest must live under `~/` or `/root/...` — banger's work disk is
mounted at /root in the guest, so that's the syncable namespace.
Anything outside is rejected at config load.
- Validation at config load: reject empty paths, relative paths,
`..` traversal, `~user/...`, malformed mode strings. Errors name
the offending entry index.
- Missing host paths are a soft skip with a warn log (existing
behaviour). Other errors (read, mkdir, install) abort VM create.
- File entries: `install -o 0 -g 0 -m <mode>` (default 0600).
- Directory entries: walked in Go; each source file is installed
with its own source permissions preserved. The entry's `mode` is
ignored for directories.
Removed (all dead after this):
- `ensureOpencodeAuthOnWorkDisk`, `ensureClaudeAuthOnWorkDisk`,
`ensurePiAuthOnWorkDisk`, the shared `ensureAuthFileOnWorkDisk`,
their `warn*Skipped` helpers, `resolveHost{Opencode,Claude,Pi}AuthPath`,
and the work-disk relative-path + default display-path constants.
- The capability hook registering the three syncs now calls the
generic `runFileSync` once.
Seven tests exercising the old codepath deleted; six new tests cover
the new runFileSync (no-op on empty config, file copy, custom mode,
missing-host-skip, overwrite, recursive directory). Config-layer
test adds happy-path parsing and a case-per-shape table of invalid
entries (empty, relative host, guest outside /root, '..' traversal,
`~user`, bad mode).
README updated: replaces the "Credential sync" section with a
"File sync" section showing the new config shape.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This commit is contained in:
parent
843314be5e
commit
0933deaeb1
7 changed files with 572 additions and 398 deletions
|
|
@ -14,17 +14,8 @@ import (
|
|||
)
|
||||
|
||||
const (
|
||||
workDiskGitConfigRelativePath = ".gitconfig"
|
||||
workDiskOpencodeAuthDirRelativePath = ".local/share/opencode"
|
||||
workDiskOpencodeAuthRelativePath = workDiskOpencodeAuthDirRelativePath + "/auth.json"
|
||||
workDiskClaudeAuthDirRelativePath = ".claude"
|
||||
workDiskClaudeAuthRelativePath = workDiskClaudeAuthDirRelativePath + "/.credentials.json"
|
||||
workDiskPiAuthDirRelativePath = ".pi/agent"
|
||||
workDiskPiAuthRelativePath = workDiskPiAuthDirRelativePath + "/auth.json"
|
||||
hostGlobalGitIdentitySource = "git config --global"
|
||||
hostOpencodeAuthDefaultDisplayPath = "~/" + workDiskOpencodeAuthRelativePath
|
||||
hostClaudeAuthDefaultDisplayPath = "~/" + workDiskClaudeAuthRelativePath
|
||||
hostPiAuthDefaultDisplayPath = "~/" + workDiskPiAuthRelativePath
|
||||
workDiskGitConfigRelativePath = ".gitconfig"
|
||||
hostGlobalGitIdentitySource = "git config --global"
|
||||
)
|
||||
|
||||
type gitIdentity struct {
|
||||
|
|
@ -125,51 +116,17 @@ func (d *Daemon) ensureGitIdentityOnWorkDisk(ctx context.Context, vm *model.VMRe
|
|||
return writeGitIdentity(ctx, runner, filepath.Join(workMount, workDiskGitConfigRelativePath), identity)
|
||||
}
|
||||
|
||||
func (d *Daemon) ensureOpencodeAuthOnWorkDisk(ctx context.Context, vm *model.VMRecord) error {
|
||||
return d.ensureAuthFileOnWorkDisk(
|
||||
ctx,
|
||||
vm,
|
||||
"syncing opencode auth",
|
||||
hostOpencodeAuthDefaultDisplayPath,
|
||||
resolveHostOpencodeAuthPath,
|
||||
workDiskOpencodeAuthRelativePath,
|
||||
d.warnOpencodeAuthSyncSkipped,
|
||||
)
|
||||
}
|
||||
|
||||
func (d *Daemon) ensureClaudeAuthOnWorkDisk(ctx context.Context, vm *model.VMRecord) error {
|
||||
return d.ensureAuthFileOnWorkDisk(
|
||||
ctx,
|
||||
vm,
|
||||
"syncing claude auth",
|
||||
hostClaudeAuthDefaultDisplayPath,
|
||||
resolveHostClaudeAuthPath,
|
||||
workDiskClaudeAuthRelativePath,
|
||||
d.warnClaudeAuthSyncSkipped,
|
||||
)
|
||||
}
|
||||
|
||||
func (d *Daemon) ensurePiAuthOnWorkDisk(ctx context.Context, vm *model.VMRecord) error {
|
||||
return d.ensureAuthFileOnWorkDisk(
|
||||
ctx,
|
||||
vm,
|
||||
"syncing pi auth",
|
||||
hostPiAuthDefaultDisplayPath,
|
||||
resolveHostPiAuthPath,
|
||||
workDiskPiAuthRelativePath,
|
||||
d.warnPiAuthSyncSkipped,
|
||||
)
|
||||
}
|
||||
|
||||
func (d *Daemon) ensureAuthFileOnWorkDisk(ctx context.Context, vm *model.VMRecord, stageDetail, defaultDisplayPath string, resolveHostPath func() (string, error), guestRelativePath string, warn func(model.VMRecord, string, error)) error {
|
||||
hostAuthPath, err := resolveHostPath()
|
||||
if err != nil {
|
||||
warn(*vm, defaultDisplayPath, err)
|
||||
return nil
|
||||
}
|
||||
authData, err := os.ReadFile(hostAuthPath)
|
||||
if err != nil {
|
||||
warn(*vm, hostAuthPath, err)
|
||||
// runFileSync applies every [[file_sync]] entry from the daemon config
|
||||
// to the VM's work disk. Missing host paths are skipped with a warn.
|
||||
// Other errors abort the VM create (since the user explicitly asked
|
||||
// for the sync).
|
||||
//
|
||||
// File entries: `install -o 0 -g 0 -m <mode>` (mode defaults to 0600).
|
||||
// Directory entries: walked in Go — each file is installed with its
|
||||
// source permissions, each subdir is mkdir'd. The entry's `mode`
|
||||
// field is only honoured for file entries.
|
||||
func (d *Daemon) runFileSync(ctx context.Context, vm *model.VMRecord) error {
|
||||
if len(d.config.FileSync) == 0 {
|
||||
return nil
|
||||
}
|
||||
|
||||
|
|
@ -178,61 +135,141 @@ func (d *Daemon) ensureAuthFileOnWorkDisk(ctx context.Context, vm *model.VMRecor
|
|||
runner = system.NewRunner()
|
||||
}
|
||||
|
||||
vmCreateStage(ctx, "prepare_work_disk", stageDetail)
|
||||
workMount, cleanupWork, err := system.MountTempDir(ctx, runner, vm.Runtime.WorkDiskPath, false)
|
||||
hostHome, err := os.UserHomeDir()
|
||||
if err != nil {
|
||||
return fmt.Errorf("resolve host user home: %w", err)
|
||||
}
|
||||
|
||||
// Mount the work disk once and reuse for every entry.
|
||||
var workMount string
|
||||
var cleanupWork func() error
|
||||
ensureMount := func() (string, error) {
|
||||
if workMount != "" {
|
||||
return workMount, nil
|
||||
}
|
||||
m, c, err := system.MountTempDir(ctx, runner, vm.Runtime.WorkDiskPath, false)
|
||||
if err != nil {
|
||||
return "", err
|
||||
}
|
||||
workMount = m
|
||||
cleanupWork = c
|
||||
if err := d.flattenNestedWorkHome(ctx, workMount); err != nil {
|
||||
return "", err
|
||||
}
|
||||
return workMount, nil
|
||||
}
|
||||
defer func() {
|
||||
if cleanupWork != nil {
|
||||
cleanupWork()
|
||||
}
|
||||
}()
|
||||
|
||||
for _, entry := range d.config.FileSync {
|
||||
hostPath := expandHostPath(entry.Host, hostHome)
|
||||
guestRel := guestPathRelativeToRoot(entry.Guest)
|
||||
|
||||
info, err := os.Stat(hostPath)
|
||||
if err != nil {
|
||||
if os.IsNotExist(err) {
|
||||
d.warnFileSyncSkipped(*vm, hostPath, err)
|
||||
continue
|
||||
}
|
||||
return fmt.Errorf("file_sync: stat %s: %w", hostPath, err)
|
||||
}
|
||||
|
||||
mount, err := ensureMount()
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
vmCreateStage(ctx, "prepare_work_disk", "file sync: "+entry.Host+" → "+entry.Guest)
|
||||
|
||||
target := filepath.Join(mount, guestRel)
|
||||
if _, err := runner.RunSudo(ctx, "mkdir", "-p", filepath.Dir(target)); err != nil {
|
||||
return fmt.Errorf("file_sync: mkdir %s: %w", filepath.Dir(target), err)
|
||||
}
|
||||
|
||||
if info.IsDir() {
|
||||
if err := copyHostDir(ctx, runner, hostPath, target); err != nil {
|
||||
return fmt.Errorf("file_sync: copy directory %s → %s: %w", hostPath, target, err)
|
||||
}
|
||||
continue
|
||||
}
|
||||
|
||||
mode := entry.Mode
|
||||
if mode == "" {
|
||||
mode = "0600"
|
||||
}
|
||||
if _, err := runner.RunSudo(ctx, "install", "-o", "0", "-g", "0", "-m", mode, hostPath, target); err != nil {
|
||||
return fmt.Errorf("file_sync: install %s → %s: %w", hostPath, target, err)
|
||||
}
|
||||
}
|
||||
return nil
|
||||
}
|
||||
|
||||
// copyHostDir recursively copies hostDir into guestTarget using only
|
||||
// `mkdir` (for subdirs) and `install` (for files). Each file's source
|
||||
// permissions are preserved; ownership is forced to root:root via
|
||||
// `install -o 0 -g 0`. Symlinks are followed (target content is
|
||||
// copied as a regular file). Other special types (devices, FIFOs)
|
||||
// are skipped silently.
|
||||
func copyHostDir(ctx context.Context, runner system.CommandRunner, hostDir, guestTarget string) error {
|
||||
if _, err := runner.RunSudo(ctx, "mkdir", "-p", guestTarget); err != nil {
|
||||
return err
|
||||
}
|
||||
entries, err := os.ReadDir(hostDir)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
defer cleanupWork()
|
||||
for _, entry := range entries {
|
||||
hostChild := filepath.Join(hostDir, entry.Name())
|
||||
guestChild := filepath.Join(guestTarget, entry.Name())
|
||||
|
||||
if err := d.flattenNestedWorkHome(ctx, workMount); err != nil {
|
||||
return err
|
||||
info, err := os.Stat(hostChild)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
switch {
|
||||
case info.IsDir():
|
||||
if err := copyHostDir(ctx, runner, hostChild, guestChild); err != nil {
|
||||
return err
|
||||
}
|
||||
case info.Mode().IsRegular():
|
||||
mode := fmt.Sprintf("%04o", info.Mode().Perm())
|
||||
if _, err := runner.RunSudo(ctx, "install", "-o", "0", "-g", "0", "-m", mode, hostChild, guestChild); err != nil {
|
||||
return err
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
authDir := filepath.Join(workMount, filepath.Dir(guestRelativePath))
|
||||
if _, err := runner.RunSudo(ctx, "mkdir", "-p", authDir); err != nil {
|
||||
return err
|
||||
}
|
||||
authPath := filepath.Join(workMount, guestRelativePath)
|
||||
|
||||
tmpFile, err := os.CreateTemp("", "banger-auth-*")
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
tmpPath := tmpFile.Name()
|
||||
if _, err := tmpFile.Write(authData); err != nil {
|
||||
_ = tmpFile.Close()
|
||||
_ = os.Remove(tmpPath)
|
||||
return err
|
||||
}
|
||||
if err := tmpFile.Close(); err != nil {
|
||||
_ = os.Remove(tmpPath)
|
||||
return err
|
||||
}
|
||||
defer os.Remove(tmpPath)
|
||||
|
||||
_, err = runner.RunSudo(ctx, "install", "-m", "600", tmpPath, authPath)
|
||||
return err
|
||||
return nil
|
||||
}
|
||||
|
||||
func resolveHostOpencodeAuthPath() (string, error) {
|
||||
return resolveHostAuthPath(workDiskOpencodeAuthRelativePath)
|
||||
}
|
||||
|
||||
func resolveHostClaudeAuthPath() (string, error) {
|
||||
return resolveHostAuthPath(workDiskClaudeAuthRelativePath)
|
||||
}
|
||||
|
||||
func resolveHostPiAuthPath() (string, error) {
|
||||
return resolveHostAuthPath(workDiskPiAuthRelativePath)
|
||||
}
|
||||
|
||||
func resolveHostAuthPath(relativePath string) (string, error) {
|
||||
home, err := os.UserHomeDir()
|
||||
if err != nil {
|
||||
return "", err
|
||||
// expandHostPath expands a leading "~/" against the host user's
|
||||
// home. Already-absolute paths pass through unchanged.
|
||||
func expandHostPath(raw, home string) string {
|
||||
raw = strings.TrimSpace(raw)
|
||||
if strings.HasPrefix(raw, "~/") {
|
||||
return filepath.Join(home, strings.TrimPrefix(raw, "~/"))
|
||||
}
|
||||
return filepath.Join(home, relativePath), nil
|
||||
return raw
|
||||
}
|
||||
|
||||
// guestPathRelativeToRoot returns the guest path as a relative path
|
||||
// under /root (banger's work disk is mounted at /root in the guest,
|
||||
// so everything syncable lives there). "~/foo" and "/root/foo" both
|
||||
// return "foo"; config validation rejects anything outside that
|
||||
// scope, so the string prefixes are the only forms we see here.
|
||||
func guestPathRelativeToRoot(raw string) string {
|
||||
raw = strings.TrimSpace(raw)
|
||||
switch {
|
||||
case raw == "~" || raw == "/root":
|
||||
return ""
|
||||
case strings.HasPrefix(raw, "~/"):
|
||||
return strings.TrimPrefix(raw, "~/")
|
||||
case strings.HasPrefix(raw, "/root/"):
|
||||
return strings.TrimPrefix(raw, "/root/")
|
||||
}
|
||||
return raw
|
||||
}
|
||||
|
||||
func resolveHostGlobalGitIdentity(ctx context.Context, runner system.CommandRunner) (gitIdentity, error) {
|
||||
|
|
@ -298,25 +335,11 @@ func writeGitIdentity(ctx context.Context, runner system.CommandRunner, gitConfi
|
|||
return err
|
||||
}
|
||||
|
||||
func (d *Daemon) warnOpencodeAuthSyncSkipped(vm model.VMRecord, hostPath string, err error) {
|
||||
func (d *Daemon) warnFileSyncSkipped(vm model.VMRecord, hostPath string, err error) {
|
||||
if d.logger == nil || err == nil {
|
||||
return
|
||||
}
|
||||
d.logger.Warn("guest opencode auth sync skipped", append(vmLogAttrs(vm), "host_path", hostPath, "error", err.Error())...)
|
||||
}
|
||||
|
||||
func (d *Daemon) warnClaudeAuthSyncSkipped(vm model.VMRecord, hostPath string, err error) {
|
||||
if d.logger == nil || err == nil {
|
||||
return
|
||||
}
|
||||
d.logger.Warn("guest claude auth sync skipped", append(vmLogAttrs(vm), "host_path", hostPath, "error", err.Error())...)
|
||||
}
|
||||
|
||||
func (d *Daemon) warnPiAuthSyncSkipped(vm model.VMRecord, hostPath string, err error) {
|
||||
if d.logger == nil || err == nil {
|
||||
return
|
||||
}
|
||||
d.logger.Warn("guest pi auth sync skipped", append(vmLogAttrs(vm), "host_path", hostPath, "error", err.Error())...)
|
||||
d.logger.Warn("file_sync skipped", append(vmLogAttrs(vm), "host_path", hostPath, "error", err.Error())...)
|
||||
}
|
||||
|
||||
func (d *Daemon) warnGitIdentitySyncSkipped(vm model.VMRecord, source string, err error) {
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue