docs: update project knowledge base
Update AGENTS.md with current patch chain state, KWin integration status, and consolidated patch governance. Ultraworked with [Sisyphus](https://github.com/code-yeongyu/oh-my-openagent)

Co-authored-by: Sisyphus <clio-agent@sisyphuslabs.ai>
@@ -19,6 +19,56 @@ human-initiated operations. Durable Red Bear state belongs in `local/patches/`,
The current baseline is **Red Bear OS 0.1.0** (Redox snapshot at build-system commit `f55acba68`).

All recipe sources are pinned and archived in `sources/redbear-0.1.0/`.


## NO SILENT UPSTREAM PULLS — OFFLINE-FIRST POLICY

**Red Bear OS is offline-first by default. No script, build target, or tool may silently pull
from any upstream repository without explicit user instruction.**

This policy exists because silent upstream pulls are the root cause of stale and orphaned patches.
When sources change underneath wired patches, those patches break. The only safe workflow is:
frozen sources → patches applied atomically → build.

### Rules

1. **`REPO_OFFLINE` defaults to `1`** (offline). Set `REPO_OFFLINE=0` to explicitly allow online
fetching for non-protected development recipes only.
2. **`REDBEAR_RELEASE`** unconditionally forces offline mode — no network access during release
builds, even with `REPO_OFFLINE=0`.
3. **Protected recipes** (kernel, relibc, base, bootloader, all Red Bear custom recipes) are
**always offline** — they use archived sources from `sources/redbear-<release>/`.
4. **`GNU_CONFIG_GET`** (wget for `config.sub`) is gated by `COOKBOOK_OFFLINE` — no download
when offline.
5. **Manual scripts** (`fetch-firmware.sh`, `fetch-all-sources.sh`, `provision-release.sh`)
may pull from upstream but MUST be explicitly invoked by the user. They are never called by
`make all` or `make live`.
6. **Toolchain downloads** (`mk/prefix.mk`) are the only ungated network access — they download
the cross-compiler toolchain from `static.redox-os.org`. These are one-time prerequisites,
not per-recipe source fetches.

### What Counts as a Silent Upstream Pull

Any of the following that runs without the user explicitly requesting it:
- `git clone`, `git fetch`, `git pull` against any remote
- `wget` or `curl` downloading source code or build artifacts
- Any HTTP request to `gitlab.redox-os.org`, `github.com`, `static.redox-os.org`, or any other
upstream hosting service

### What Does NOT Count

- Toolchain setup (`make prefix`) — one-time cross-compiler download
- QEMU firmware for non-x86 targets (`mk/qemu.mk` ARM/Raspberry Pi U-Boot) — not used in
standard x86_64 builds
- `make fetch` — explicit user action, gated by `REDBEAR_RELEASE`

### Enforcement

- Violations are bugs. If you find a script or build target that silently pulls from upstream,
fix it immediately: add an offline gate, or move the fetch to a manual-only script.
- The cookbook tool (`src/cook/fetch.rs`) enforces offline mode for protected recipes regardless
of `COOKBOOK_OFFLINE`.
- `COOKBOOK_OFFLINE=true` is the default in the Rust cookbook config parser when the environment
variable is not set.

## STRUCTURE

```
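Review bot: the relationship between the two offline switches is never stated. Rule 1 says `REPO_OFFLINE` defaults to `1`, Rule 4 gates `GNU_CONFIG_GET` on `COOKBOOK_OFFLINE`, and the Enforcement list says `COOKBOOK_OFFLINE=true` is the parser default; say which variable is derived from which, and what the build does when they disagree (for example `REPO_OFFLINE=0` with `COOKBOOK_OFFLINE` unset), so the "offline by default" claim can be checked against the scripts. The "What Counts" section also contradicts Rule 6 and "What Does NOT Count": it lists any HTTP request to `static.redox-os.org` as a silent pull, while the other two exempt the toolchain download from that same host. Qualify the bullet (e.g. "other than the `make prefix` toolchain download") and, since Rule 6 makes that download the only ungated network access, add how the fetched toolchain is integrity-checked before use.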