Skip to content

iseriser: auto-install pinned Zig toolchain in setup + devcontainer#70

Merged
hyperpolymath merged 2 commits into
mainfrom
claude/new-session-1fphit
Jun 26, 2026
Merged

iseriser: auto-install pinned Zig toolchain in setup + devcontainer#70
hyperpolymath merged 2 commits into
mainfrom
claude/new-session-1fphit

Conversation

@hyperpolymath

Copy link
Copy Markdown
Owner

What & why

The Zig FFI bridge is half of the ABI-FFI standard, but nothing actually installed Zig:

  • .tool-versions only lists it (commented out),
  • setup.sh stops after installing just,
  • the devcontainer's postCreateCommand: just deps referenced a deps recipe that didn't exist (so it errored).

And unlike the other toolchain pieces, Zig is not distributed via GitHub releases, so it must come from ziglang.org — which is not on the agent egress allowlist by default (whereas github.com is). That's why zig couldn't be installed this session.

Change

  • scripts/install-zig.sh — idempotent, fail-soft installer for the pinned Zig 0.14.0: arch/OS-aware, uses the system CA store the agent proxy populates (never --insecure). If ziglang.org is not allowlisted the download 403s and the script exits 0 with an actionable message, so it never blocks setup or a session.
  • setup.sh — new "Step 1b: Install Zig toolchain" runs the installer.
  • Justfile — new deps recipe (install Zig + cargo fetch) backs the devcontainer's postCreateCommand: just deps, which previously errored.

Once ziglang.org is added to the session egress allowlist, future ./setup.sh runs and dev-container creates install Zig automatically — no further change needed.

Verification

  • sh -n setup.sh and sh -n scripts/install-zig.sh — clean.
  • Ran scripts/install-zig.sh in-session: it attempts https://ziglang.org/download/0.14.0/..., receives the proxy 403, prints the allowlist hint, and exits 0 (fail-soft) — confirming it won't break setup before the allowlist entry is live.

This is the reference implementation; the same three-file change is being applied across the other -iser repos.

🤖 Generated with Claude Code

https://claude.ai/code/session_019xMKB3T4Vo5FYC7Czx3JSH


Generated by Claude Code

claude added 2 commits June 26, 2026 20:14
The scaffold generator still emitted the old flat, never-compiled ABI
template: files at `src/interface/abi/{Types,Layout,Foreign}.idr` with a
namespace they didn't match, a `Layout.idr` whose `modNatNZ ... == 0`
proof does not reduce at the type level, no `Proofs.idr`, and no `.ipkg`.
Every newly-generated -iser therefore started with a broken ABI — exactly
the bug a prior session hand-fixed across the family.

Rewrite the Idris2 ABI generators to emit the verified reference pattern,
proven to compile clean under Idris2 0.7.0 (zero warnings, no
believe_me/postulate/holes):

- Nested modules at `src/interface/abi/<Mod>/ABI/{Types,Layout,Foreign,
  Proofs}.idr` so each file's path matches its namespace, plus
  `src/interface/abi/<iser>-abi.ipkg` (sourcedir=".", lists all four).
- Types: `Result` with a complete `DecEq` (explicit off-diagonals, not
  `No absurd`), a non-null `Handle` built via `choose`, and a primitive
  enum with a tag-based `Eq` that is warning-free for any arity.
- Layout: real `Divides`/`StructLayout`/`FieldsAligned` machinery and one
  concrete, provably C-ABI-compliant context layout.
- Proofs: a non-vacuous `CABICompliant` theorem (each offset pinned by
  `DivideBy k Refl`, qualified layout name so it doesn't auto-bind), the
  result-code round-trip, and a Nat-level negative control. Verified:
  perturbing a field offset makes the proof fail to typecheck.

Tests: assert the generated tree is self-consistent (every ipkg module
present at its namespace path, no leftover template tokens, old flat path
gone) and add an end-to-end test that runs `idris2 --build` on the
generated ABI when the toolchain is present (no-op otherwise, so CI
without idris2 stays green). Update the integration tests for the new
paths and the real proof module.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_019xMKB3T4Vo5FYC7Czx3JSH
The Zig FFI bridge is half of the ABI-FFI standard, but nothing installed
Zig: `.tool-versions` only lists it (commented), `setup.sh` stops at
`just`, and the devcontainer's `postCreateCommand: just deps` referenced a
`deps` recipe that did not exist. Unlike the other toolchain pieces, Zig is
not distributed via GitHub releases, so it must come from ziglang.org.

Add `scripts/install-zig.sh`: an idempotent, fail-soft installer for the
pinned Zig 0.14.0 (arch/OS-aware, uses the system CA store the agent proxy
populates, never --insecure). If ziglang.org is not on the session's egress
allowlist the download 403s and the script exits 0 with an actionable
message, so it never blocks setup or a session.

Wire it in via the two paths the project already uses:
- `setup.sh` gains a "Step 1b: Install Zig toolchain" that runs it.
- a new `deps` Justfile recipe (installs Zig, warms Cargo) backs the
  devcontainer `postCreateCommand: just deps`, which previously errored.

Once ziglang.org is allowlisted, future setups and dev containers install
Zig automatically with no further change.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_019xMKB3T4Vo5FYC7Czx3JSH
@hyperpolymath hyperpolymath marked this pull request as ready for review June 26, 2026 21:08
@hyperpolymath hyperpolymath merged commit 13208cd into main Jun 26, 2026
20 of 22 checks passed
@hyperpolymath hyperpolymath deleted the claude/new-session-1fphit branch June 26, 2026 21:08
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants