Align docs with real guest networking runtime

2026-03-06 22:54:18 -03:00 · 2026-03-06 22:54:18 -03:00 · 8bce1ed7d4
commit 8bce1ed7d4
parent b01efa6452
3 changed files with 12 additions and 6 deletions
--- a/AGENTS.md
+++ b/AGENTS.md
@ -20,6 +20,7 @@ This repository ships `pyro-mcp`, an MCP-compatible package for ephemeral VM lif
 - Use `make network-demo` to validate deterministic VM lifecycle execution with guest networking enabled.
 - Use `make ollama-demo` to validate model-triggered lifecycle tool usage with guest networking enabled.
 - Use `make doctor` to inspect bundled runtime integrity and host prerequisites.
+- Network-enabled flows require host privilege for TAP/NAT setup; the current implementation uses `sudo -n` for `ip`, `nft`, and `iptables` when available.
 - If you need full log payloads from the Ollama demo, use `make ollama-demo OLLAMA_DEMO_FLAGS=-v`.

 ## Quality Gates
--- a/README.md
+++ b/README.md
@ -104,14 +104,21 @@ This prints bundled runtime paths, profile availability, checksum validation sta

 - Host-side network allocation and diagnostics are implemented.
 - The MCP server exposes `vm_network_info` for per-VM network metadata.
- Host TAP/NAT setup is opt-in with:
+- Primary network-enabled entrypoints:
+
+```bash
+make network-demo
+make ollama-demo
+```
+
+- Network setup requires host privilege to manage TAP/NAT state.
+- The current implementation auto-uses `sudo -n` for `ip`, `nft`, and `iptables` commands when available.
+- Manual opt-in for other commands is still available with:

 ```bash
 PYRO_VM_ENABLE_NETWORK=1 make demo
 ```

- Network setup requires host privilege to manage TAP/NAT state.
- The current implementation auto-uses `sudo -n` for `ip`, `nft`, and `iptables` commands when available.
 - To validate real guest egress directly:

 ```bash
@ -134,8 +141,6 @@ The command it asks the model to run is a small public repository clone:
 ```bash
 rm -rf hello-world && git clone --depth 1 https://github.com/octocat/Hello-World.git hello-world >/dev/null && git -C hello-world rev-parse --is-inside-work-tree
 ```
-
-If the runtime is still shim-based, the summary will show `execution_mode=host_compat`.
 By default it omits log values; to include prompt content, tool args, and tool results use:

 ```bash
--- a/runtime_sources/README.md
+++ b/runtime_sources/README.md
@ -5,7 +5,7 @@ Source-of-truth inputs for `make runtime-bundle`.
 Current state:
 - `build/runtime_sources/` contains the real materialized runtime inputs used to build the packaged bundle.
 - the checked-in tracked files under `runtime_sources/linux-x86_64/` are build recipes and lock metadata, not the materialized binaries/images.
- `guest/pyro_guest_agent.py` is the guest agent artifact that should ultimately be installed into each real rootfs.
+- `guest/pyro_guest_agent.py` is the guest agent source artifact that is installed into each built rootfs.
 - real source materialization now writes into `build/runtime_sources/`, not back into the tracked placeholder files.

 Materialization workflow: