Files
elizaos--eliza/packages/os/scripts/generate-confidential-artifacts.mjs
wehub-resource-sync 426e9eeabd
Benchmark Bridge Tests / benchmark (bunx @biomejs/biome check packages/lifeops-bench/src, benchmark-lint) (push) Waiting to run
Benchmark Bridge Tests / benchmark (bunx vitest run --config packages/lifeops-bench/vitest.config.ts --root packages/lifeops-bench --passWithNoTests, benchmark-tests) (push) Waiting to run
Build Agent Image / build-and-push (push) Waiting to run
Chat shell gestures / Chat shell gesture + parity e2e (push) Waiting to run
ci / test (push) Waiting to run
ci / lint-and-format (push) Waiting to run
ci / build (push) Waiting to run
ci / dev-startup (push) Waiting to run
Cloud Gateway Discord / Test (push) Waiting to run
Cloud Gateway Webhook / Test (push) Waiting to run
Cloud Tests / lint-and-types (push) Waiting to run
Cloud Tests / unit-tests (push) Waiting to run
Cloud Tests / integration-tests (push) Waiting to run
Cloud Tests / e2e-tests (push) Blocked by required conditions
CodeQL Advanced / Analyze (javascript-typescript) (push) Waiting to run
Deploy Apps Worker (Product 2) / Determine environment (push) Waiting to run
Deploy Apps Worker (Product 2) / Deploy apps worker to apps-control host (${{ needs.determine-env.outputs.environment }}) (push) Blocked by required conditions
Deploy Eliza Provisioning Worker / Determine environment (push) Waiting to run
Deploy Eliza Provisioning Worker / Deploy worker to Hetzner host (${{ needs.determine-env.outputs.environment }} @ ${{ needs.determine-env.outputs.deployment_sha }}) (push) Blocked by required conditions
Dev Smoke / Classify changed paths (push) Waiting to run
Dev Smoke / bun run dev onboarding chat (push) Blocked by required conditions
Dev Smoke / Vite HMR dependency-level smoke (push) Blocked by required conditions
Electrobun Submodule Guard / electrobun gitlink is fetchable (push) Waiting to run
gitleaks / gitleaks (push) Waiting to run
Markdown Links / Relative Markdown Links (push) Waiting to run
Publish @elizaos/example-code / check_npm (push) Waiting to run
Publish @elizaos/example-code / publish_npm (push) Blocked by required conditions
Publish @elizaos/plugin-elizacloud / verify_version (push) Waiting to run
Publish @elizaos/plugin-elizacloud / publish_npm (push) Blocked by required conditions
Quality (Extended) / Homepage Build (PR smoke) (push) Waiting to run
Quality (Extended) / Comment-only diff guard (push) Waiting to run
Quality (Extended) / Format + Type Safety Ratchet (push) Waiting to run
Quality (Extended) / Develop Gate (secret scan + UI determinism) (push) Waiting to run
Quality (Extended) / Develop Gate (lint) (push) Waiting to run
Sandbox Live Smoke / Sandbox live smoke (push) Waiting to run
Snap Build & Test / Build Snap (amd64) (push) Waiting to run
Snap Build & Test / Build Snap (arm64) (push) Waiting to run
supply-chain / sbom (push) Waiting to run
supply-chain / vulnerability-scan (push) Waiting to run
Build, Push & Deploy to Phala Cloud / build-and-push (push) Waiting to run
Test Packaging / Validate Packaging Configs (push) Waiting to run
Test Packaging / PyPI on Python ${{ matrix.python }} (push) Waiting to run
Test Packaging / Pack & Test JS Tarballs (push) Waiting to run
Test Packaging / elizaos CLI global-install smoke (node + bun) (push) Waiting to run
UI Fixture E2E / ui-fixture-e2e (push) Waiting to run
UI Fixture E2E / fixture-e2e (push) Waiting to run
UI Story Gate / story-gate (push) Waiting to run
vault-ci / test (macos-latest) (push) Waiting to run
vault-ci / test (ubuntu-latest) (push) Waiting to run
vault-ci / test (windows-latest) (push) Waiting to run
vault-ci / app-core wiring tests (push) Waiting to run
verify-patches / verify patches/CHECKSUMS.sha256 (push) Waiting to run
Voice Benchmark Smoke / voice-emotion fixture smoke (push) Waiting to run
Voice Benchmark Smoke / voiceagentbench fixture smoke (push) Waiting to run
Voice Benchmark Smoke / voicebench-quality unit smoke (push) Waiting to run
Voice Benchmark Smoke / voicebench TypeScript unit (no audio) (push) Waiting to run
Voice Benchmark Smoke / voice bench smoke summary (push) Blocked by required conditions
Windows CI / windows ([bun run --cwd packages/app-core test bun run --cwd packages/elizaos test bun run --cwd packages/cloud/shared test], app-and-cli) (push) Waiting to run
Windows CI / windows ([bun run --cwd packages/scenario-runner test bun run --cwd packages/vault test bun run --cwd packages/security test bun run --cwd plugins/plugin-coding-tools test], framework-packages) (push) Waiting to run
Windows CI / windows ([bun run --cwd plugins/plugin-elizacloud test bun run --cwd plugins/plugin-discord test bun run --cwd plugins/plugin-anthropic test bun run --cwd plugins/plugin-openai test bun run --cwd plugins/plugin-app-control test bun run --cwd plugins/pl… (push) Waiting to run
Windows CI / windows ([node packages/scripts/run-turbo.mjs run build --filter=@elizaos/core --filter=@elizaos/shared --filter=@elizaos/agent --concurrency=4 node packages/scripts/run-bash-linux-only.mjs scripts/verify-riscv64-buildpaths.sh node packages/scripts/run… (push) Waiting to run
Windows CI / windows ([node packages/scripts/run-turbo.mjs run typecheck --filter=@elizaos/core --filter=@elizaos/shared --filter=@elizaos/cloud-shared --concurrency=4 bun run --cwd packages/core test bun run --cwd packages/shared test], core-runtime, 75) (push) Waiting to run
Test Packaging / Build & Test PyPI Package (push) Waiting to run
Voice Workbench / headless workbench (mocked backends) (push) Has been cancelled
Voice Workbench / real acoustic lane (nightly, provisioned only) (push) Has been cancelled
chore: import upstream snapshot with attribution
2026-07-13 12:43:05 +08:00

83 lines
3.0 KiB
JavaScript

#!/usr/bin/env node
// OS-3 enforcement-artifact generator (plan §3-§4).
//
// Turns confidential-policy.json into the static, boot-consumable files the
// reproducible image installs into the rootfs:
//
// packages/os/linux/confidential/cmdline.conf kernel-cmdline fragment
// packages/os/linux/confidential/sysctl.d/99-confidential.conf sysctl drop-in
// packages/os/linux/confidential/masked-units.txt systemd masked units
//
// The mapping (which policy setting produces which line) lives in
// confidential-enforcement-map.mjs so the generator and the checker share one
// source of truth. Re-run this whenever the policy changes; the
// check-confidential-artifacts.mjs gate fails closed if the artifacts drift.
//
// Runner: plain `node` (no third-party deps).
// node packages/os/scripts/generate-confidential-artifacts.mjs
import { mkdir, writeFile } from "node:fs/promises";
import path from "node:path";
import { pathToFileURL } from "node:url";
import {
ARTIFACT_HEADER,
expectedCmdlineTokens,
expectedMaskedUnits,
expectedSysctlEntries,
} from "./confidential-enforcement-map.mjs";
import { parseArgs, readJson, repoRoot } from "./os-release-lib.mjs";
const CONFIDENTIAL_DIR = path.join(repoRoot, "packages/os/linux/confidential");
const DEFAULT_POLICY = path.join(
CONFIDENTIAL_DIR,
"policy/confidential-policy.json",
);
export const ARTIFACT_PATHS = {
cmdline: path.join(CONFIDENTIAL_DIR, "cmdline.conf"),
sysctl: path.join(CONFIDENTIAL_DIR, "sysctl.d/99-confidential.conf"),
masked: path.join(CONFIDENTIAL_DIR, "masked-units.txt"),
};
// Render the exact bytes for each artifact from the policy. Pure (no I/O) so the
// checker can compare against on-disk bytes without re-implementing formatting.
export function renderArtifacts(policy) {
const cmdline = [
...ARTIFACT_HEADER("cmdline.conf"),
...expectedCmdlineTokens(policy),
"",
].join("\n");
const sysctl = [
...ARTIFACT_HEADER("sysctl.d/99-confidential.conf"),
...expectedSysctlEntries(policy),
"",
].join("\n");
const masked = [
...ARTIFACT_HEADER("masked-units.txt"),
...expectedMaskedUnits(policy),
"",
].join("\n");
return { cmdline, sysctl, masked };
}
async function main() {
const args = parseArgs(process.argv.slice(2));
const policyPath =
typeof args.policy === "string" ? args.policy : DEFAULT_POLICY;
const policy = await readJson(policyPath);
const rendered = renderArtifacts(policy);
await mkdir(path.dirname(ARTIFACT_PATHS.sysctl), { recursive: true });
await writeFile(ARTIFACT_PATHS.cmdline, rendered.cmdline);
await writeFile(ARTIFACT_PATHS.sysctl, rendered.sysctl);
await writeFile(ARTIFACT_PATHS.masked, rendered.masked);
console.log(`confidential enforcement artifacts written from ${policyPath}:`);
console.log(` ${ARTIFACT_PATHS.cmdline}`);
console.log(` ${ARTIFACT_PATHS.sysctl}`);
console.log(` ${ARTIFACT_PATHS.masked}`);
}
if (import.meta.url === pathToFileURL(process.argv[1]).href) {
await main();
}