[pull] main from boxlite-ai:main#121
Merged
pull[bot] merged 3 commits into CrazyForks:main from Apr 4, 2026
* Add allow_net and secrets support across SDKs
* Adopt NetworkSpec across SDKs and APIs
* fix(test): guard test_tcp_filter.py against missing NetworkSpec

  Skip the entire test module during collection when boxlite.NetworkSpec is unavailable (native extension not built), preventing AttributeError during pytest collection in CI. Matches existing pattern in test_secret_substitution.py.

  https://claude.ai/code/session_01KVHFk3e8xxVeAP2rruYUYV
* test: stabilize cli and shared integration cache
* fix(ffi): align secrets JSON handling with sdk behavior
* test(python): fix async harness and live allow_net coverage
* fix(c): normalize macos dylib install name for tests
* test(c): use mirrored registries in integration runtime
* fix(runtime): disable TSI fallback for offline boxes
* test(node): use mirrored registries in integration setup
* test(c): use mirrored runtime helper in integration tests
* test(cli): persist shared bases in warm cache
* fix(test): skip integration tests when runtime unavailable in CI

  Guard Python test_network_spec.py against missing native extension (matches existing pattern in test_secret_substitution.py). Skip Go integration tests on ErrUnsupported/ErrUnsupportedEngine instead of failing when KVM is not available.
* fix(c): add _XOPEN_SOURCE for POSIX nftw/lstat in tests

  Linux clang-tidy in strict C11 mode requires _XOPEN_SOURCE=500 for nftw, lstat, FTW_DEPTH, and FTW_PHYS. Add the define to CMakeLists.txt compile definitions and clang-tidy invocation flags.
* fix(watchdog): set FD_CLOEXEC on pipe to prevent orphan shim processes

  The watchdog pipe was created with libc::pipe() which does not set FD_CLOEXEC. Between pipe creation and the shim's exec(), any child process spawned by the parent (or by threads in the tokio runtime) inherits the pipe write-end. When the parent dies, the inherited write-end keeps the pipe open, so POLLHUP never fires on the shim's watchdog thread — the shim lives forever as an orphan.

  Evidence: lsof showed Electron (VS Code) holding fd 90 as the write-end of an orphan shim's watchdog pipe, with 127 orphan shim processes exhausting hypervisor handles (libkrun EINVAL).

  Fix: use pipe2(O_CLOEXEC) on Linux, pipe() + fcntl(FD_CLOEXEC) on macOS. The read-end's CLOEXEC is harmless because pre_exec dup2() clears it on the target fd.

  Includes regression test that spawns a child process and verifies POLLHUP fires within 100ms after dropping the Keepalive.

---------

Co-authored-by: Claude <noreply@anthropic.com>
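The descriptor leak described in the watchdog commit message above, reproduced as an added example (this is not BoxLite's code or its regression test). The function name `hup_seen_after_drop`, the `sleep` bystander process and the timeouts are assumptions made for the demonstration; it uses the portable `pipe()` + `fcntl(FD_CLOEXEC)` path the commit names for macOS.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <poll.h>
#include <signal.h>
#include <stdio.h>
#include <sys/wait.h>
#include <unistd.h>

/* Returns 1 if POLLHUP reaches the watchdog read-end within timeout_ms after
 * the parent drops its write-end, 0 if it does not, -1 on setup error.
 * use_cloexec selects plain pipe() versus pipe() + fcntl(FD_CLOEXEC). */
int hup_seen_after_drop(int use_cloexec, int timeout_ms)
{
    int fds[2];
    if (pipe(fds) != 0) return -1;
    if (use_cloexec) {
        for (int i = 0; i < 2; i++) {
            int flags = fcntl(fds[i], F_GETFD);
            if (flags < 0 || fcntl(fds[i], F_SETFD, flags | FD_CLOEXEC) < 0) {
                close(fds[0]); close(fds[1]);
                return -1;
            }
        }
    }

    /* Bystander: an unrelated child spawned after the pipe exists.
     * Assumes a `sleep` binary on PATH (hypothetical stand-in process). */
    pid_t pid = fork();
    if (pid < 0) { close(fds[0]); close(fds[1]); return -1; }
    if (pid == 0) {
        execlp("sleep", "sleep", "5", (char *)NULL);
        _exit(127);
    }

    close(fds[1]); /* parent drops its keepalive write-end */

    /* The watchdog side: wait for hang-up on the read-end. */
    struct pollfd pfd = { .fd = fds[0], .events = POLLIN, .revents = 0 };
    int n = poll(&pfd, 1, timeout_ms);
    int seen = (n == 1 && (pfd.revents & POLLHUP)) ? 1 : 0;

    kill(pid, SIGKILL);
    waitpid(pid, NULL, 0);
    close(fds[0]);
    return seen;
}

int main(void)
{
    printf("pipe() only:         POLLHUP seen = %d\n", hup_seen_after_drop(0, 1000));
    printf("pipe() + FD_CLOEXEC: POLLHUP seen = %d\n", hup_seen_after_drop(1, 1000));
    return 0;
}
```

Without the flag, the exec'ed bystander still holds the write-end, so the poll times out; with it, the descriptor is closed at exec and the hang-up is delivered.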
* feat(vmm): add HypervisorProbe trait for post-failure VM diagnostics

  macOS Hypervisor.framework returns HV_NO_RESOURCES (0xfae94005) when the 128 VM address space limit is exhausted, but libkrun discards the specific error code and collapses all failures to EINVAL (-22).

  Add a HypervisorProbe trait that provides platform-abstracted post-failure diagnostics. On macOS, when krun_start_enter() fails, the HvfProbe calls hv_vm_create() directly to reproduce and identify the exact HVF error:
  - HV_NO_RESOURCES → ResourceExhausted with actionable message
  - HV_SUCCESS → not HVF-related, return original error
  - HV_BUSY → VM created but failed post-creation
  - HV_DENIED → missing entitlement

  This is zero-cost on the happy path — the probe only runs after failure.

  Changes:
  - Add ResourceExhausted error variant to BoxliteError
  - Add HypervisorProbe trait with HvfProbe (macOS) and KvmProbe (Linux)
  - Wire probe into KrunVmmInstance::enter() failure path
  - Improve EINVAL message in check_status() to list both causes
  - Add ResourceExhausted to FFI error codes
* chore(ffi): regenerate C header for ResourceExhausted error code
The guest crate moved into the workspace (src/guest/) but clean.sh still referenced a top-level "guest" directory. The [ -d "guest" ] && pattern fails with set -e when the directory doesn't exist, causing make clean to exit 1 before completing all clean stages. The root cargo clean already handles src/guest as a workspace member, so the separate clean was unnecessary.
See Commits and Changes for more details.
Created by
pull[bot] (v2.0.0-alpha.4)