feat: recombine DD + bastion into workspace, scaffold EE capture, sidebar categories #164
Merged
…ebar categories
The "one big chunk" from the plan: three things that are simpler done
together than apart because they all touch bastion's public shape and
DD's boot path.
(1) Recombine into a monorepo workspace.
- `Cargo.toml` at the repo root becomes a workspace manifest.
- `crates/dd/` — the `devopsdefender` binary (cp + agent modes). All
of `src/` moves here verbatim; no code changes.
- `crates/bastion/` — the `bastion` binary, seeded from
`devopsdefender/bastion` at the v0.2 tag. Deployed as a workload
onto existing DD agents via `dd-deploy` the same way it was before.
- `crates/dd-common/` — shared types; starts with `BlockRecord` as a
proper Rust type that bastion emits and any later aggregator
(Tauri app, CP proxy) will consume.
`apps/bastion/workload.json` flips `github_release.repo` from
`devopsdefender/bastion` to `devopsdefender/dd` — DD's release asset
now carries both `devopsdefender` and `bastion.x86_64` binaries. The
bastion repo will be archived with a redirect README in a follow-up.
Two release tracks:
- `.github/workflows/release.yml` (existing, adjusted): builds both
binaries on `dd-v*` tags and publishes them together. CP+agent
redeploy path unchanged.
- `.github/workflows/release-bastion.yml` (new): triggers on
`bastion-v*` tags; rebuilds just the bastion binary; publishes a
GH release. A follow-up workflow can dd-deploy from there onto live
agents.
(2) EE capture scaffold.
- `crates/bastion/src/capture.rs` (new) — binds a unix socket at
`--capture-socket <path>`, accepts connections, parses LDJSON
records emitted by a (future) patched easyenclave: `spawn`, `out`,
`exit`.
- `crates/bastion/src/bin/bastion.rs` — new `--capture-socket` flag.
- `apps/bastion/workload.json` — cmd includes
`--capture-socket /run/ee/capture.sock` so bastion is ready to
listen as soon as EE's upstream patch lands.
- This PR keeps the handler as a logger-only scaffold; the next PR
wires `spawn`/`out`/`exit` into `Manager` as workload-kind sessions
once EE is emitting and the sidebar rendering is proven.
(3) Sidebar categories.
- `BlockRecord` and `SessionInfo` gain a `kind: String` ("shell" |
"workload" | future: "claude", "codex"). Existing shell path sets
`kind = "shell"` everywhere a session/block is constructed.
- Inline SPA (`crates/bastion/src/page.html`) now groups the sidebar:
Shells / Workloads / Claude / Codex, with empty-state text per
category. Only shells show a close (`×`) button — other kinds are
owned by their respective sources.
Builds clean; `cargo test --workspace` passes (21 devopsdefender +
5 bastion including 4 new capture-parser tests); clippy
`-D warnings` clean.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Plain `apps/bastion/workload.json` pointing at `devopsdefender/dd`
with no tag made easyenclave fetch from `latest` — which predates
this PR and therefore has no `bastion.x86_64` asset. Preview CP
panicked on boot with:
    easyenclave: FATAL: failed to fetch asset for bastion:
    devopsdefender/dd: asset bastion.x86_64 not found
    Kernel panic - not syncing: Attempted to kill init!
Rename to `.tmpl` so `bake` substitutes variables (same pattern as
`apps/dd-agent/workload.json.tmpl`), and add `"tag": "${DD_RELEASE_TAG}"`
so every environment pulls the binary matching its deploy (PR preview
tag, `latest`, or a manual rollback tag).
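The tag pinning described in the commit message above, as an added example (not code from this PR and not the project's `bake` tool): a stand-in renderer that substitutes `${DD_RELEASE_TAG}` and refuses to emit a spec when the variable is unset, empty, or contains characters that could break out of the JSON string. The `render` and `tag_safe` functions, the JSON field layout, and the `pr-164` tag value are assumptions made for illustration.

```rust
use std::collections::HashMap;

// Constructed sample template. The nesting of `repo` and `tag` is an assumption;
// the page only names `github_release.repo` and `"tag": "${DD_RELEASE_TAG}"`.
const TEMPLATE: &str =
    r#"{"github_release": {"repo": "devopsdefender/dd", "tag": "${DD_RELEASE_TAG}"}}"#;

/// A substituted value must be non-empty and limited to tag-like characters,
/// so it can neither fall back to an unpinned fetch nor inject JSON syntax.
fn tag_safe(v: &str) -> bool {
    !v.is_empty() && v.chars().all(|c| c.is_ascii_alphanumeric() || "._-".contains(c))
}

/// Hypothetical stand-in for a template step: replace every `${NAME}` and
/// fail closed instead of emitting a spec with a missing or unsafe value.
fn render(template: &str, vars: &HashMap<&str, &str>) -> Result<String, String> {
    let mut out = String::with_capacity(template.len());
    let mut rest = template;
    while let Some(start) = rest.find("${") {
        out.push_str(&rest[..start]);
        let after = &rest[start + 2..];
        let end = after
            .find('}')
            .ok_or_else(|| "unterminated ${ placeholder".to_string())?;
        let name = &after[..end];
        match vars.get(name) {
            None => return Err(format!("variable {} is not set", name)),
            Some(v) if !tag_safe(v) => {
                return Err(format!("variable {} has an empty or unsafe value", name))
            }
            Some(v) => out.push_str(v),
        }
        rest = &after[end + 1..];
    }
    out.push_str(rest);
    Ok(out)
}

fn main() {
    let mut vars = HashMap::new();
    vars.insert("DD_RELEASE_TAG", "pr-164"); // constructed tag value
    println!("{}", render(TEMPLATE, &vars).unwrap());
    vars.clear(); // unset variable: rendering must fail, not produce an untagged spec
    println!("{:?}", render(TEMPLATE, &vars));
}
```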
DD preview ready
URL: https://pr-164.devopsdefender.com
Browser login: visit https://pr-164.devopsdefender.com — Cloudflare Access routes you
Machine-to-machine: GitHub Actions workflows in the
Register endpoint for a local agent:
Summary
The "one big chunk" from the plan — three things that are simpler done together than apart because they all touch bastion's public shape and DD's boot path.
(1) Recombine into a monorepo workspace
`apps/bastion/workload.json` flips `github_release.repo` to `devopsdefender/dd`. DD's release asset now carries both binaries. bastion repo to be archived in a follow-up.
Two release tracks:
(2) EE capture scaffold
(3) Sidebar categories
Test plan
Follow-ups (explicit non-goals here)
🤖 Generated with Claude Code