Staged Linux CI: builder repair, guest hardening, and remote output

[justinmoon]

Summary

• Narrow and then drop the staged workspaceDeps builder workaround
• Codify linux-builder staged rust repair and cut execute lane to x86 microvm
• Fix staged pika_core manifest population
• Harden staged guest network defaults (DNS, firewall, connectivity checks)
• Keep staged Linux outputs on pika-build with remote prepared output fulfillment
• Fix remote prepared output metadata

Test plan

• CI passes (pre-merge checks)
• Staged Linux Rust lane runs successfully on pika-build

🤖 Generated with Claude Code

---

Summary by CodeRabbit

• New Features

  • Added remote fulfillment support for staged outputs with SSH-based builds
  • New configuration option to disable agent allowlist probe

• Chores

  • Extended workspace exports to include pikachat-openclaw extension
  • Enhanced CI test discovery efficiency

[coderabbitai]

Caution

Review failed

Pull request was closed or merged during review

📝 Walkthrough

Walkthrough

The changes enable remote fulfillment capabilities in the pikaci system by making internal SSH and snapshot synchronization functions accessible within the crate, introducing remote execution pathways for staged outputs with decision logic for remote vs. local fallback, adding an agent allowlist probe disable configuration option, optimizing test executable discovery via precomputed lists, and expanding documentation for remote execution boundaries and design constraints.

Changes

Cohort / File(s)	Summary
Remote fulfillment core crates/pikaci/src/executor.rs, crates/pikaci/src/run.rs	Made ssh_nix_binary and sync_snapshot_to_remote pub(crate) to enable remote workflows. Introduced RemotePreparedOutputRealization struct, remote feasibility checks, snapshot syncing and remote build invocation logic, remote-aware decision points for fallback handling, and comprehensive test coverage for remote realization translation and execution scenarios.
Agent allowlist probe configuration rust/src/core/agent.rs, rust/src/core/config.rs, rust/tests/app_flows.rs, rust/tests/support/helpers.rs	Added disable_agent_allowlist_probe configuration option to AppConfig with corresponding agent_allowlist_probe_enabled() method. Implemented early-return logic in refresh_agent_allowlist when probe is disabled. Updated test fixtures to inject disable flag and relay URLs when notification_url is provided.
Test executable discovery optimization nix/ci/linux-rust.nix	Replaced per-target filesystem probing with awk-based lookup against precomputed PIKACI_PIKA_CORE_TEST_EXECUTABLES list. Enhanced error messaging in strict mode when executables are missing; non-strict mode skips targets gracefully.
Workspace and CI setup flake.nix	Added directory creation and copy operation for pikachat-openclaw extension into the exported workspace structure under out/pikachat-openclaw/openclaw/extensions.
Documentation and cleanup todos/pikaci-staged-ci-plan.md, justfile	Expanded Phase 6 planning with remote fulfillment evolution details, remote-host interactions, microVM integration, and design constraints emphasizing setup simplicity and language-agnostic interfaces. Removed two blank lines from justfile formatting.

Sequence Diagram

sequenceDiagram
    participant Client as Local Client
    participant Detector as Output Detector
    participant RemoteCheck as Remote Feasibility
    participant SSH as SSH Transport
    participant Remote as Remote Host
    participant Builder as Remote Builder
    
    Client->>Detector: Detect staged Linux Rust output
    Detector->>RemoteCheck: Check if remote realization possible
    RemoteCheck->>RemoteCheck: Verify remote host & snapshot dir
    
    alt Remote Available
        RemoteCheck->>SSH: Sync snapshot to remote
        SSH->>Remote: Transfer snapshot files
        Remote->>Remote: Snapshot received
        SSH->>Builder: Invoke remote nix build
        Builder->>Builder: Execute build on remote
        Builder->>SSH: Return build result
        SSH->>Client: Remote result delivered
    else Remote Unavailable
        RemoteCheck->>Client: Fallback decision or error
    end

Loading

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~50 minutes

Possibly related PRs

• pikaci: staged linux rust CI outputs #487: Modifies the same pikaci CI surface files (nix/ci/linux-rust.nix, flake.nix, staged CI plan documentation) with overlapping architectural concerns.
• pikaci: remote prepared output prototype #515: Modifies pikaci's remote prepared-output and run.rs workflows; this PR's pub(crate) exposure of ssh_nix_binary and sync_snapshot_to_remote directly enables the remote build/sync logic introduced in that PR.
• pikaci: validate & fulfill prepared output requests #517: Touches the same remote prepared-output fulfillment area in run.rs and supporting remote helpers; closely aligned with remote workflow implementation.

Poem

🐰 Hops with glee across the network
SSH whispers secrets far and wide,
Functions shed their cloaks, now crate-wide roam,
Remote snapshots dance with builders' stride,
Off-host boundaries—our future home! ⭐

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 29.63% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title clearly summarizes the main changes across the PR: builder repair, guest hardening, and remote output handling for staged Linux CI.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

• 📝 Generate docstrings (stacked PR)
• 📝 Generate docstrings (commit on current branch)

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch land/1c3a4e0a

Tip

Try Coding Plans. Let us write the prompt for your AI agent so you can ship faster (with fewer bugs).
Share your feedback on Discord.

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[devin-ai-integration]

Devin Review found 1 potential issue.

View 4 additional findings in Devin Review.

[devin-ai-integration]

🔴 Disabling the agent allowlist probe permanently blocks agent creation instead of bypassing the check

When disable_agent_allowlist_probe is true, refresh_agent_allowlist() sets agent_allowlist_state = AgentAllowlistState::Unknown and returns early (line 455). This creates two broken behaviors:

1. "New Agent" button never appears: sync_agent_menu_item_state() at rust/src/core/mod.rs:2912 only renders the button when the state is Allowlisted, so the button is permanently hidden.
2. ensure_agent_kind enters an infinite toast loop: At rust/src/core/agent.rs:552-555, the Unknown state triggers refresh_agent_allowlist() which immediately sets state back to Unknown and returns — the user sees "Checking agent access. Try again in a moment." every time and can never start an agent.

The intent of the config flag is clearly to skip the allowlist probe (e.g., for offline tests), so the state should be set to Allowlisted to bypass the gate, not Unknown which blocks it.

Suggested change

	self.agent_allowlist_state = AgentAllowlistState::Unknown;
	self.agent_allowlist_state = AgentAllowlistState::Allowlisted;

---

Was this helpful? React with 👍 or 👎 to provide feedback.