CI staging, agent lifecycle, and OpenClaw integration

[justinmoon]

Summary

• Stage server and relay for remote guest tests
• Fix staged pika_core manifest population and Linux Rust CI lanes (x86 microvm)
• Codify linux-builder staged rust repair scripts
• Agent lifecycle hardening: explicit microvm agent selection, readiness polling, guest cleanup
• Default app agent flow to OpenClaw with typed agent startup lifecycle
• Fix Android AgentKind imports and mock spawner handlers

Test plan

• CI passes on all lanes
• Remote guest tests work with staged server/relay

🤖 Generated with Claude Code

---

Summary by CodeRabbit

• New Features

  • New microVM-based demo targets and updated demo scaffolding.
  • Optional fixture binary overrides via environment variables for tests.
  • CI/workspace now stages additional agent and test crates and can expose built server/relay binaries.

• Improvements

  • Host ownership propagation into guest deployments for correct mount ownership.
  • Guest runtime now ensures writable mounts match host ownership.

• Tests

  • Expanded tests to cover fixture overrides and ownership embedding in generated outputs.

[coderabbitai]

📝 Walkthrough

Walkthrough

Adds host UID/GID propagation to guest flake rendering (local and remote resolution), fixture-binary override support for test artifacts, exposes relay/server artifacts in nix CI outputs, updates demo targets to microVM-based flows, and adjusts guest module ownership handling and related tests/infrastructure.

Changes

Cohort / File(s)	Summary
Host ownership & guest flake rendering crates/pikaci/src/executor.rs	Adds host_uid/host_gid to render_guest_flake signature; adds render_local_guest_flake wrapper and remote_ownership_ids (env/SSH UID:GID detection); updates materialize_* runner flows and tests to propagate ownership.
Fixture binary override & tests crates/pikahut/src/component.rs	Adds PIKA_FIXTURE_RELAY_CMD_ENV/PIKA_FIXTURE_SERVER_CMD_ENV, fixture_binary_override(_value) helpers; uses overrides for relay/server startup; adds unit tests and temp-file fixture scaffolding.
Nix CI & workspace artifacts flake.nix, nix/ci/linux-rust.nix, nix/ci/pika-core-workspace/Cargo.toml	Adds copies of new crates into workspace output, adds optional pikaRelayPkg input and symlink exposure for pika-relay, exposes fixture env vars to runtime, and adds workspace members for new crates.
Guest module ownership handling nix/pikaci/guest-module.nix	Computes pikaciGroupName from hostGid, replaces hard-coded group, adds ensure_writable_mount() helper to enforce mount ownership, and narrows chown usage to targeted paths.
Test infra: staged fixture support rust/tests/support/infra.rs	Supports prebuilt pika-server via PIKA_FIXTURE_SERVER_CMD (path validation and build short-circuit); retains cargo build fallback.
Demo targets & help text justfile	Replaces Pi/OpenClaw demo targets with microVM-based targets (agent-microvm*, agent-demo-acp), updates help text and log-targets to reflect microVM demos.
CI planning docs todos/pikaci-staged-ci-plan.md	Documents staged CI plan: narrow synthetic dummy workspace source, workspaceDummySrc, explicit test targeting, and separation between staged build and dummy deps.
Tests & call-site updates crates/..., rust/tests/...	Multiple test updates and call-site signature changes to provide host UID/GID when invoking guest-flake rendering; parsing/error-path handling added for remote detection.

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~50 minutes

Possibly related PRs

• pikaci: stage linux rust prepare/execute lane #492: Touches the same render_guest_flake implementation and call sites; likely overlaps where GuestFlakePaths and host ownership handling intersect.
• Add pikaci VM-backed CI lanes #484: Modifies crates/pikaci/src/executor.rs and related runner/flake flows; closely related to materialize and rendering changes here.
• pikaci: staged Linux Rust lane on x86 microvm #557: Previously changed render_guest_flake signature and flow; this PR further extends that API with host UID/GID propagation and ownership helpers.

Poem

🐰 I hopped through code with gentle paws,

embedding UIDs and tiny laws.
Fixtures found by env or ssh,
microVMs hum, all tests afresh,
a crunchy carrot of CI applause 🥕

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 54.55% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title partially relates to the changeset. It mentions OpenClaw integration and agent lifecycle, which are addressed in some of the changes, but the title omits the primary focus on CI staging and manifest fixes.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch pr/pika-7e0b5a

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

🧹 Nitpick comments (1)

crates/pikaci/src/executor.rs (1)

1705-1720: Consider handling partial environment variable configuration.

Currently, if only one of REMOTE_MICROVM_HOST_UID_ENV or REMOTE_MICROVM_HOST_GID_ENV is set, the function silently falls through to SSH-based detection. This could be confusing if a user sets one but forgets the other.

Consider either:

1. Emitting a warning when only one is set, or
2. Returning an error for partial configuration

💡 Optional: warn on partial configuration

 fn remote_ownership_ids(remote_host: &str) -> anyhow::Result<(u32, u32)> {
-    if let (Ok(host_uid), Ok(host_gid)) = (
-        std::env::var(REMOTE_MICROVM_HOST_UID_ENV),
-        std::env::var(REMOTE_MICROVM_HOST_GID_ENV),
-    ) {
+    let uid_env = std::env::var(REMOTE_MICROVM_HOST_UID_ENV);
+    let gid_env = std::env::var(REMOTE_MICROVM_HOST_GID_ENV);
+    match (&uid_env, &gid_env) {
+        (Ok(host_uid), Ok(host_gid)) => {
             return Ok((
                 host_uid
                     .trim()
                     .parse::<u32>()
                     .with_context(|| format!("parse {REMOTE_MICROVM_HOST_UID_ENV}"))?,
                 host_gid
                     .trim()
                     .parse::<u32>()
                     .with_context(|| format!("parse {REMOTE_MICROVM_HOST_GID_ENV}"))?,
             ));
+        }
+        (Ok(_), Err(_)) | (Err(_), Ok(_)) => {
+            eprintln!("[pikaci] warning: only one of {REMOTE_MICROVM_HOST_UID_ENV}/{REMOTE_MICROVM_HOST_GID_ENV} is set; falling back to SSH detection");
+        }
+        _ => {}
     }

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@crates/pikaci/src/executor.rs` around lines 1705 - 1720, The function
remote_ownership_ids currently treats a partial environment config as if no envs
were set; change it to detect when only one of REMOTE_MICROVM_HOST_UID_ENV or
REMOTE_MICROVM_HOST_GID_ENV is present and return an explicit error instead of
falling back to SSH detection. Update remote_ownership_ids to read each env
separately, and if exactly one is Some(_) return an anyhow::Error (e.g., using
anyhow::bail! or anyhow::anyhow!) indicating which variable is missing and that
both must be set; otherwise continue with the current parsing logic when both
are present or proceed to SSH when neither is set. Ensure error messages
reference REMOTE_MICROVM_HOST_UID_ENV and REMOTE_MICROVM_HOST_GID_ENV so callers
can act on the partial configuration.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Nitpick comments:
In `@crates/pikaci/src/executor.rs`:
- Around line 1705-1720: The function remote_ownership_ids currently treats a
partial environment config as if no envs were set; change it to detect when only
one of REMOTE_MICROVM_HOST_UID_ENV or REMOTE_MICROVM_HOST_GID_ENV is present and
return an explicit error instead of falling back to SSH detection. Update
remote_ownership_ids to read each env separately, and if exactly one is Some(_)
return an anyhow::Error (e.g., using anyhow::bail! or anyhow::anyhow!)
indicating which variable is missing and that both must be set; otherwise
continue with the current parsing logic when both are present or proceed to SSH
when neither is set. Ensure error messages reference REMOTE_MICROVM_HOST_UID_ENV
and REMOTE_MICROVM_HOST_GID_ENV so callers can act on the partial configuration.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 20ea539c-294f-4d2a-8810-f1ed475bd076

📥 Commits

Reviewing files that changed from the base of the PR and between bc4e869 and 987a4c9.

⛔ Files ignored due to path filters (1)

• nix/ci/pika-core-workspace/Cargo.lock is excluded by !**/*.lock

📒 Files selected for processing (9)

• crates/pikaci/src/executor.rs
• crates/pikahut/src/component.rs
• flake.nix
• justfile
• nix/ci/linux-rust.nix
• nix/ci/pika-core-workspace/Cargo.toml
• nix/pikaci/guest-module.nix
• rust/tests/support/infra.rs
• todos/pikaci-staged-ci-plan.md

[devin-ai-integration]

✅ Devin Review: No Issues Found

Devin Review analyzed this PR and found no potential bugs to report.

View in Devin Review to see 5 additional findings.

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@justfile`:
- Around line 1004-1011: The recipe agent-microvm currently manually sources
.env with a set -a / source .env / set +a block which re-exports and can
override caller-provided env vars; remove that conditional block so the recipe
simply keeps set -euo pipefail and calls ./scripts/demo-agent-microvm.sh {{ ARGS
}} (dotenv-load enabled earlier will already load .env without re-exporting),
making the behavior consistent with agent-microvm-acp and preserving caller
precedence.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 66ea542b-a407-48a6-83cc-53df226c817a

📥 Commits

Reviewing files that changed from the base of the PR and between 987a4c9 and 7827313.

📒 Files selected for processing (1)

• justfile

[coderabbitai]

⚠️ Potential issue | 🟡 Minor

🧩 Analysis chain

🌐 Web query:

In just, when set dotenv-load := trueis enabled, are.envvariables already exported to recipes, and do environment variables passed tojusttake precedence over.env values?

💡 Result:

Yes.

• With set dotenv-load := true, .env entries are loaded as environment variables (not just variables) and are available inside recipes/backticks via $VARIABLE_NAME. [1]
• By default, existing environment variables win over .env values. .env only overrides them if you explicitly enable set dotenv-override := true. [1]

So: env vars passed to just (e.g., FOO=bar just …) take precedence unless dotenv-override is set. [1]

Sources: [1]

---

🏁 Script executed:

head -20 justfile

Repository: sledtools/pika

Length of output: 686

---

🏁 Script executed:

rg "agent-microvm-acp" justfile -A 5 -B 2

Repository: sledtools/pika

Length of output: 853

---

🏁 Script executed:

sed -n '1004,1011p' justfile

Repository: sledtools/pika

Length of output: 243

---

Remove the manual .env sourcing from this recipe.

Line 2 enables dotenv-load, so .env is already loaded before the recipe runs. The manual sourcing in lines 1006-1010 with set -a re-exports these variables inside the recipe, which changes environment variable precedence and can override caller-provided values—unlike agent-microvm-acp and the rest of the file.

♻️ Proposed simplification

 agent-microvm *ARGS="":
-    set -euo pipefail; \
-    if [ -f .env ]; then \
-      set -a; \
-      source .env; \
-      set +a; \
-    fi; \
-    ./scripts/demo-agent-microvm.sh {{ ARGS }}
+    ./scripts/demo-agent-microvm.sh {{ ARGS }}

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	agent-microvm *ARGS="":
	set -euo pipefail; \
	if [ -f .env ]; then \
	set -a; \
	source .env; \
	set +a; \
	fi; \
	./scripts/demo-agent-microvm.sh {{ ARGS }}
	agent-microvm *ARGS="":
	./scripts/demo-agent-microvm.sh {{ ARGS }}

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@justfile` around lines 1004 - 1011, The recipe agent-microvm currently
manually sources .env with a set -a / source .env / set +a block which
re-exports and can override caller-provided env vars; remove that conditional
block so the recipe simply keeps set -euo pipefail and calls
./scripts/demo-agent-microvm.sh {{ ARGS }} (dotenv-load enabled earlier will
already load .env without re-exporting), making the behavior consistent with
agent-microvm-acp and preserving caller precedence.