appstore: carry install.json/install.sh on install + wire trust anchor #318
Merged
Repoint the pinned app-store dependency to the commit that adds the proc.exec capability, so the daemon's manifest validation accepts CLI apps (which ship a proc.exec grant scoped to one command). Without the bump, the deployed daemon validates against a capability vocabulary that lacks proc.exec and rejects them.

No daemon code changes: pilotctl/supervisor already delegate validation to app-store's manifest.Validate(). Adds a regression test asserting a proc.exec manifest validates (and that a wildcard target is still rejected).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
… anchor

Two changes the native-CLI (proc.exec) app delivery needs, surfaced by an end-to-end smol machines install via pilotctl:

1. pilotctl appstore install now stages install.json + install.sh into $APP (previously only manifest.json + the binary), so an asset-delivering cli adapter can read $APP/install.json and fetch/verify/stage its binaries from the R2 artifact registry. Covered by the bundle sha, no new trust surface.
2. The daemon now populates manifest.TrustedPublishers from PILOT_TRUSTED_PUBLISHERS (the reviewed publisher registry) and honors PILOT_APPSTORE_ROOT. app-store#23 enforces the trust anchor for non-sideloaded installs, but nothing wired the list — so the proc.exec daemon skipped EVERY catalogue app.

Without this, upgrading the daemon to the proc.exec version bricks the existing app store.

Verified: catalogue install → daemon spawn (sideloaded=false) → adapter stages smolvm from R2 → pilotctl appstore call runs a real microVM.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
…r (G304)

Mirror the binary-copy containment pattern: resolveUnder cleans the join and verifies the path stays under the bundle/staging root, clearing the two gosec 'path traversal via taint analysis' (G304) alerts on the aux-file carry.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
TeoSlayer previously approved these changes on Jun 22, 2026
The aux paths are resolveUnder-confined (bundle/staging roots) and aux is a
constant allow-list ('install.json'/'install.sh'), so no traversal is possible.
gosec's SSA taint analyzer can't see resolveUnder as a sanitizer, so annotate the
file ops + the new staging-cleanup with #nosec G703 (the same pattern this file
already uses for the binary copy).
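The containment pattern these commit messages describe (clean the join, verify the result stays under the root, and only ever pass names from a constant allow-list), as an added Go sketch that is not the project's code: `confinedJoin` is a hypothetical stand-in for `resolveUnder`, and `carryAux`, the file mode and the sample path are assumptions.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// auxFiles is the constant allow-list of names carried alongside the binary.
var auxFiles = []string{"install.json", "install.sh"}

// confinedJoin is a hypothetical stand-in for resolveUnder: clean the join,
// then reject any result that is not lexically inside root.
// It does not resolve symlinks, so root itself must be a trusted directory.
func confinedJoin(root, name string) (string, error) {
	p := filepath.Join(root, name) // Join cleans "." and ".." segments
	rel, err := filepath.Rel(root, p)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", fmt.Errorf("%q escapes %q", name, root)
	}
	return p, nil
}

// carryAux copies every allow-listed file from bundleRoot into stagingRoot
// and returns the names it copied (assumption: both files must exist).
func carryAux(bundleRoot, stagingRoot string) ([]string, error) {
	var copied []string
	for _, name := range auxFiles {
		src, errS := confinedJoin(bundleRoot, name)
		dst, errD := confinedJoin(stagingRoot, name)
		if err := errors.Join(errS, errD); err != nil {
			return copied, err
		}
		data, err := os.ReadFile(src)
		if err == nil {
			err = os.WriteFile(dst, data, 0o600)
		}
		if err != nil {
			return copied, err
		}
		copied = append(copied, name)
	}
	return copied, nil
}

func main() {
	fmt.Println(confinedJoin("/tmp/staging-demo", "../../etc/passwd")) // constructed input
}
```

A static taint analyzer sees `name` flow into `os.ReadFile` without recognising the `filepath.Rel` check as a sanitizer, which is why a suppression annotation ends up next to code that is already confined.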
TeoSlayer approved these changes on Jun 22, 2026
TeoSlayer approved these changes on Jun 22, 2026
TeoSlayer pushed a commit that referenced this pull request on Jun 23, 2026
…anchor) (#320)

daemon: drop PILOT_TRUSTED_PUBLISHERS wiring; bump app-store (trust anchor removed)

The per-publisher trust anchor is removed in app-store (the release-signed catalogue is the source of truth). So the env-var wiring added in #318 is no longer needed — a fresh node installs and runs catalogue apps with zero config.

- remove the PILOT_TRUSTED_PUBLISHERS env block + the now-unused manifest import
- bump github.com/pilot-protocol/app-store to the trust-anchor-removal commit
- keep PILOT_APPSTORE_ROOT honoring

Depends on pilot-protocol/app-store#25; re-pin go.mod to the merged app-store commit before this lands.

Verified: a fresh node with NO env installs io.pilot.smolmachines from the real catalogue and boots a microVM.

Co-authored-by: Alex Godoroja <alex@vulturelabs.io>
Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Carry install.json/install.sh on install + wire the trust anchor
Two changes the native-CLI (proc.exec) app delivery needs, surfaced by an end-to-end smol machines install via pilotctl. Stacks on #317.

1. pilotctl appstore install now stages install.json + install.sh into $APP (previously only manifest.json + the binary), so an asset-delivering cli adapter can read $APP/install.json and fetch/verify/stage its binaries from the R2 artifact registry. Covered by the bundle sha — no new trust surface.
2. The daemon now populates manifest.TrustedPublishers from PILOT_TRUSTED_PUBLISHERS (the reviewed publisher registry) and honors PILOT_APPSTORE_ROOT. app-store#23 enforces the trust anchor for non-sideloaded installs, but nothing wired the list — so the proc.exec daemon skipped every catalogue app (cosift/sixtyfour included).

Verified: catalogue install → daemon spawn (sideloaded=false, full grants) → adapter stages smolvm from R2 → pilotctl appstore call runs a real microVM.

A/B report: https://raw.githack.com/pilot-protocol/app-template/feat/r2-artifacts-on-cli/docs/samples/ab-report-smolvm.html

🤖 Generated with Claude Code