Add guest-only workspace secrets

Add explicit workspace secrets across the CLI, SDK, and MCP, with create-time secret definitions and per-call secret-to-env mapping for exec, shell open, and service start. Persist only safe secret metadata in workspace records, materialize secret files under /run/pyro-secrets, and redact secret values from exec output, shell reads, service logs, and surfaced errors. Fix the remaining real-guest shell gap by shipping bundled guest init alongside the guest agent and patching both into guest-backed workspace rootfs images before boot. The new init mounts devpts so PTY shells work on Firecracker guests, while reset continues to recreate the sandbox and re-materialize secrets from stored task-local secret material. Validation: uv lock; UV_CACHE_DIR=.uv-cache make check; UV_CACHE_DIR=.uv-cache make dist-check; and a real guest-backed Firecracker smoke covering workspace create with secrets, secret-backed exec, shell, service, reset, and delete.
2026-03-12 15:43:34 -03:00 · 2026-03-12 15:43:34 -03:00 · fc72fcd3a1
commit fc72fcd3a1
parent 18b8fd2a7d
32 changed files with 1980 additions and 181 deletions
--- a/src/pyro_mcp/runtime_bundle/linux-x86_64/manifest.json
+++ b/src/pyro_mcp/runtime_bundle/linux-x86_64/manifest.json
@ -25,7 +25,11 @@
  "guest": {
    "agent": {
      "path": "guest/pyro_guest_agent.py",
-      "sha256": "58dd2e09d05538228540d8c667b1acb42c2e6c579f7883b70d483072570f2499"
+      "sha256": "76a0bd05b523bb952ab9eaf5a3f2e0cbf1fc458d1e44894e2c0d206b05896328"
+    },
+    "init": {
+      "path": "guest/pyro-init",
+      "sha256": "96e3653955db049496cc9dc7042f3778460966e3ee7559da50224ab92ee8060b"
    }
  },
  "platform": "linux-x86_64",