docs(readme): walk back unimplemented claims, link 28ms proof #5
Merged
The README documented four pool_security knobs (per_user_uid, pid_namespace, workspace_permissions, hidepid) that are declared in PoolSecurityProviderConfig but never read by the Docker provider. Setting them in YAML has no effect today. Removed the misleading config example and added an explicit "Coming in v0.2" callout that names the four flags. Tracked in the roadmap.

Live preview is also scoped honestly: docker.go hardcodes Traefik labels for port 3000, but the SDK's get_preview_url(port) accepts any int. Comparison table, hero copy, and Live Preview section now say "port 3000 today; configurable ports on the roadmap."

File API count corrected from "9 methods" to "8 file methods + exec" to match sdk/python/stacyvm/sandbox.py.

28ms snapshot-restore claim retained and now links docs/snapshot-restore.md (methodology) and scripts/benchmark.sh (reproduce).

The stale "~100-200ms" comment at firecracker.go:301 is out of scope for this PR — separate fix.

No code changes. No behavior changes. Documentation only.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
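An added example, not code from this PR or from the project: a startup guard in Go that rejects a config in which any of the four pool_security knobs is set while the Docker provider still ignores them, so an operator is not left relying on isolation that is not applied. The function name, the map-based config shape and the top-level placement of pool_security are assumptions.

```go
package main

import (
	"fmt"
	"reflect"
	"sort"
	"strings"
)

// Keys the PR names as declared but never read by the Docker provider.
var unenforced = []string{"per_user_uid", "pid_namespace", "workspace_permissions", "hidepid"}

// isSet reports whether the operator gave a knob a non-zero value.
func isSet(v interface{}) bool {
	return v != nil && !reflect.ValueOf(v).IsZero()
}

// CheckPoolSecurity (hypothetical name) takes the operator's config as parsed
// from YAML, before defaults are merged in, and returns an error naming every
// pool_security knob that is set but would not be enforced.
func CheckPoolSecurity(raw map[string]interface{}) error {
	sec, ok := raw["pool_security"].(map[string]interface{}) // assumed top-level key
	if !ok {
		return nil
	}
	var set []string
	for _, k := range unenforced {
		if isSet(sec[k]) {
			set = append(set, k)
		}
	}
	if len(set) == 0 {
		return nil
	}
	sort.Strings(set)
	return fmt.Errorf("pool_security: %s set but not enforced by the Docker provider",
		strings.Join(set, ", "))
}

func main() {
	// Constructed sample config, not taken from the project.
	raw := map[string]interface{}{"pool_security": map[string]interface{}{
		"per_user_uid": true, "hidepid": 2, "pid_namespace": false}}
	fmt.Println(CheckPoolSecurity(raw))
}
```

The check has to run on the operator's own file contents rather than the merged config, because the knobs are defaulted and would otherwise always appear populated.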
What
README honesty pass. No code changes.
Why
An internal audit found three places where the README overclaims:
- pool_security knobs are dead config. PerUserUID, PIDNamespace, WorkspacePermissions, HidePID are declared in PoolSecurityProviderConfig (internal/providers/docker.go:47-50) and defaulted via viper (internal/config/config.go:261-264) but never read by the Docker provider. Setting them today has no effect. The README presents them as security guarantees, which is the most credibility-damaging thing in the file.
- docker.go hardcodes Traefik labels for port 3000. The SDK accepts any port and silently builds non-routing URLs for everything else.
What this PR does
- pool_security YAML example from the Pool mode section
- docs/snapshot-restore.md and scripts/benchmark.sh links to the 28ms roadmap entry so the claim is reproducible
What this PR does NOT do
- pool_security knobs still exist in the config struct and still do nothing — fixing them is a separate PR (v0.2).
- ~100-200ms comment at internal/providers/firecracker.go:301. Separate code-side fix.
Follow-ups (tracked separately)
- per_user_uid, pid_namespace, workspace_permissions, hidepid in Docker provider (v0.2)
- firecracker.go:301
- BENCHMARKS.md with full reproduction methodology
Review focus
The "Pool mode hardening" section rewrite is the most opinionated change. Three things to red-pen: