Remove GitHub-specific project plumbing

.github/workflows/publish-environments.yml

@@ -1,45 +0,0 @@
-name: Publish Environments
-
-on:
-  workflow_dispatch:
-  release:
-    types:
-      - published
-
-permissions:
-  contents: read
-
-concurrency:
-  group: publish-environments-${{ github.ref }}
-  cancel-in-progress: false
-
-jobs:
-  publish:
-    runs-on: ubuntu-24.04
-    env:
-      UV_CACHE_DIR: .uv-cache
-      OCI_REGISTRY_USERNAME: ${{ secrets.DOCKERHUB_USERNAME }}
-      OCI_REGISTRY_PASSWORD: ${{ secrets.DOCKERHUB_TOKEN }}
-    steps:
-      - name: Check out source
-        uses: actions/checkout@v4
-
-      - name: Set up Python
-        uses: actions/setup-python@v5
-        with:
-          python-version: "3.12"
-
-      - name: Set up uv
-        uses: astral-sh/setup-uv@v6
-
-      - name: Install project dependencies
-        run: make setup
-
-      - name: Run project checks
-        run: make check
-
-      - name: Build real runtime inputs
-        run: make runtime-materialize
-
-      - name: Publish official environments to Docker Hub
-        run: make runtime-publish-official-environments-oci

AGENTS.md

@@ -34,7 +34,7 @@ This repository ships `pyro-mcp`, an MCP-compatible package for ephemeral VM lif
 - After heavy runtime work, reclaim local space with `rm -rf build` and `git lfs prune`.
 - The pre-migration `pre-lfs-*` tag is local backup material only; do not push it or it will keep the old giant blobs reachable.
 - Public contract documentation lives in `docs/public-contract.md`.
-- Official Docker Hub publication workflow lives in `.github/workflows/publish-environments.yml`.
+- Official Docker Hub publication is performed locally with `make runtime-publish-official-environments-oci`.
 
 ## Quality Gates
 

README.md

@@ -213,7 +213,7 @@ Run with outbound internet enabled:
 
 ```bash
 pyro run debian:12 --network -- \
-  "git clone --depth 1 https://github.com/octocat/Hello-World.git hello-world && git -C hello-world rev-parse --is-inside-work-tree"
+  'python3 -c "import urllib.request; print(urllib.request.urlopen(\"https://example.com\", timeout=10).status)"'
 ```
 
 Show runtime and host diagnostics:
@@ -345,9 +345,7 @@ make dist-check
 
 Contributor runtime source artifacts are still maintained under `src/pyro_mcp/runtime_bundle/` and `runtime_sources/`.
 
-Official environment publication is automated through
-`.github/workflows/publish-environments.yml`.
-For a local publish against Docker Hub:
+Official environment publication is performed locally against Docker Hub:
 
 ```bash
 export DOCKERHUB_USERNAME='your-dockerhub-username'

runtime_sources/README.md

@@ -18,14 +18,13 @@ Materialization workflow:
 Official environment publication workflow:
 1. `make runtime-materialize`
 2. `DOCKERHUB_USERNAME=... DOCKERHUB_TOKEN=... make runtime-publish-official-environments-oci`
-3. or run the repo workflow at `.github/workflows/publish-environments.yml` with Docker Hub credentials
-4. if your uplink is slow, tune publishing with `PYRO_OCI_UPLOAD_TIMEOUT_SECONDS`, `PYRO_OCI_UPLOAD_CHUNK_SIZE_BYTES`, and `PYRO_OCI_REQUEST_TIMEOUT_SECONDS`
+3. if your uplink is slow, tune publishing with `PYRO_OCI_UPLOAD_TIMEOUT_SECONDS`, `PYRO_OCI_UPLOAD_CHUNK_SIZE_BYTES`, and `PYRO_OCI_REQUEST_TIMEOUT_SECONDS`
 
 Official end-user pulls are anonymous; registry credentials are only required for publishing.
 
 Build requirements for the real path:
 - `docker`
-- outbound network access to GitHub and Debian snapshot mirrors
+- outbound network access to the pinned upstream release hosts and Debian snapshot mirrors
 - enough disk for a kernel build plus 2G ext4 images per source profile
 
 Kernel build note:

src/pyro_mcp/cli.py

@@ -298,7 +298,7 @@ def _build_parser() -> argparse.ArgumentParser:
             """
             Examples:
               pyro run debian:12 -- git --version
-              pyro run debian:12 --network -- git ls-remote https://github.com/octocat/Hello-World.git
+              pyro run debian:12 --network -- python3 -c "import urllib.request as u; print(u.urlopen('https://example.com').status)"
 
             The guest command output and the [run] summary are written to different
             streams, so they may appear in either order. Use --json for a deterministic

src/pyro_mcp/ollama_demo.py

@@ -23,11 +23,10 @@ __all__ = ["Pyro", "run_ollama_tool_demo"]
 DEFAULT_OLLAMA_BASE_URL: Final[str] = "http://localhost:11434/v1"
 DEFAULT_OLLAMA_MODEL: Final[str] = "llama3.2:3b"
 MAX_TOOL_ROUNDS: Final[int] = 12
-CLONE_TARGET_DIR: Final[str] = "hello-world"
 NETWORK_PROOF_COMMAND: Final[str] = (
-    "rm -rf hello-world "
-    "&& git clone --depth 1 https://github.com/octocat/Hello-World.git hello-world >/dev/null "
-    "&& git -C hello-world rev-parse --is-inside-work-tree"
+    'python3 -c "import urllib.request as u; '
+    "print(u.urlopen('https://example.com').status)"
+    '"'
 )
 
 TOOL_SPECS: Final[list[dict[str, Any]]] = [

src/pyro_mcp/runtime_network_check.py

@@ -9,9 +9,9 @@ from pathlib import Path
 from pyro_mcp.api import Pyro
 
 NETWORK_CHECK_COMMAND = (
-    "rm -rf hello-world "
-    "&& git clone --depth 1 https://github.com/octocat/Hello-World.git hello-world >/dev/null "
-    "&& git -C hello-world rev-parse --is-inside-work-tree"
+    'python3 -c "import urllib.request as u; '
+    "print(u.urlopen('https://example.com').status)"
+    '"'
 )
 
 
@@ -76,7 +76,7 @@ def main() -> None:  # pragma: no cover - CLI wiring
     print(f"[network] execution_mode={result.execution_mode}")
     print(f"[network] network_enabled={result.network_enabled}")
     print(f"[network] exit_code={result.exit_code}")
-    if result.exit_code == 0 and result.stdout.strip() == "true":
+    if result.exit_code == 0 and result.stdout.strip() == "200":
         print("[network] result=success")
         return
     print("[network] result=failure")