From a0244075e7131bbf7ba8f5922fbaf26f048673b7 Mon Sep 17 00:00:00 2001 
From: Admin Pupkin Date: Thu, 28 May 2026 17:24:50 +0300 Subject: [PATCH] build system audit: implement Phase 1-3 fixes comprehensively Phase 1 (Critical): - Fix broken config includes: redbear-minimal -> redbear-mini in wifi/bt experimental configs - Fix 05_boot-essential.target dependency: 00_base -> 04_drivers for correct boot ordering - Fix IOMMU service dependency: 00_base -> 05_boot-essential - Fix firmware-loader dependency: 00_base -> 05_boot-essential - Fix messagebus shell: /usr/bin/zsh -> /usr/bin/false (security) - Add offline gate to fetch-firmware.sh (REPO_OFFLINE=1 blocks network access) - Add --upstream gate to fetch-all-sources.sh (network access requires explicit opt-in) - Gate U-Boot wget calls in mk/qemu.mk with REPO_OFFLINE check - Fix patch-inclusion-gate.sh: rewrite from Python deps to pure shell implementation - Fix build-redbear.sh: remove direct patch application, let repo fetch handle it atomically Phase 2 (High): - Increase redbear-full filesystem_size: 4096 -> 8192 MiB for KDE desktop - Deprecate redbear-greeter-services.toml (orphaned, not included by any config) - Add cascade rebuild target to Makefile (make cascade.) - Gate cargo-update.sh with REDBEAR_ALLOW_UPSTREAM - Add deprecation notice to apply-patches.sh - Make protected recipe list data-driven via config/protected-recipes.toml - Replace 127-entry hardcoded Rust matches! 
with TOML config file reader Phase 3 (Medium): - Fix 5 phantom doc references in local/AGENTS.md (retired/removed docs) - Fix stale config names: redbear-minimal -> redbear-mini across scripts - Fix duplicate references in docs/README.md - Fix run_full.sh and run_mini.sh: hardcoded paths -> relative paths + error handling --- Makefile | 2 + config/protected-recipes.toml | 96 +++++++++++++ config/redbear-bluetooth-experimental.toml | 2 +- config/redbear-full.toml | 10 +- config/redbear-greeter-services.toml | 10 +- config/redbear-mini.toml | 2 +- config/redbear-netctl.toml | 2 +- config/redbear-wifi-experimental.toml | 2 +- docs/README.md | 4 +- local/AGENTS.md | 12 +- local/scripts/apply-patches.sh | 4 + local/scripts/build-redbear.sh | 53 +------ local/scripts/fetch-firmware.sh | 9 ++ mk/disk.mk | 2 + mk/qemu.mk | 12 ++ scripts/cargo-update.sh | 7 +- scripts/fetch-all-sources.sh | 21 ++- scripts/patch-inclusion-gate.sh | 46 +++++-- scripts/run.sh | 2 +- scripts/run_full.sh | 33 ++++- scripts/run_mini.sh | 31 ++++- src/cook/fetch.rs | 152 ++++----------------- 22 files changed, 280 insertions(+), 234 deletions(-) create mode 100644 config/protected-recipes.toml diff --git a/Makefile b/Makefile index 5290bdb898..8b481f2095 100644 --- a/Makefile +++ b/Makefile @@ -231,3 +231,5 @@ packages-sync: ; @bash local/scripts/sync-packages.sh packages-list: ; @ls -la Packages/*.pkgar 2>/dev/null | wc -l && echo "pkgar files in Packages/" validate-patches: @bash local/scripts/validate-patches.sh +cascade.%: FORCE + @bash local/scripts/rebuild-cascade.sh $(basename $(subst cascade,, $*)) diff --git a/config/protected-recipes.toml b/config/protected-recipes.toml new file mode 100644 index 0000000000..666c07c1ef --- /dev/null +++ b/config/protected-recipes.toml 
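Review bot: The stem manipulation in the new `cascade.%` target is lossy: for `make cascade.foo` the stem `$*` is already `foo`, so `$(subst cascade,,$*)` only strips a literal `cascade` from inside a recipe name, and `$(basename ...)` then drops everything after the last dot, which would truncate any recipe whose name contains a dot. Passing the stem straight through is what the target wants: `@bash local/scripts/rebuild-cascade.sh '$*'`. `local/scripts/rebuild-cascade.sh` is not in this patch's diffstat, so presumably it already exists in the tree — worth confirming before the target is documented, and `FORCE` must be declared elsewhere in the Makefile for this rule to re-run.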
@@ -0,0 +1,96 @@ +# Protected recipes — these recipes are NEVER re-fetched from upstream. +# They use offline/archived sources from sources/redbear-/. +# +# Protection reasons: +# - patched: carries Red Bear patches (upstream changes could break patches) +# - custom: Red Bear-specific recipe (no upstream equivalent) +# - core: core system component (kernel, libc, bootloader, etc.) +# +# The Rust code in src/cook/fetch.rs reads this file at startup. +# Recipes NOT listed here but carrying patches (patches = [...] in recipe.toml) +# are automatically protected by the recipe_has_patches() check. + +# Core patched recipes (upstream + Red Bear patches) +[patched] +recipes = [ + "relibc", "bootloader", "kernel", "base", "base-initfs", + "installer", "redoxfs", "grub", +] + +# Red Bear custom core recipes +[custom] +recipes = [ + "ext4d", "fatd", +] + +# Red Bear driver infrastructure +[drivers] +recipes = [ + "redox-driver-sys", "linux-kpi", "firmware-loader", + "redbear-btusb", "redbear-iwlwifi", + "redox-drm", "amdgpu", +] + +# Red Bear system tools +[system] +recipes = [ + "cub", "evdevd", "udev-shim", "iommu", + "redbear-firmware", "redbear-hwutils", "redbear-info", "rbos-info", + "redbear-meta", "redbear-netctl", "redbear-netctl-console", + "redbear-netstat", "redbear-btctl", "redbear-wifictl", + "redbear-traceroute", "redbear-mtr", "redbear-nmap", + "redbear-sessiond", "redbear-authd", "redbear-session-launch", + "redbear-greeter", "redbear-dbus-services", "redbear-notifications", + "redbear-upower", "redbear-udisks", "redbear-polkit", "redbear-quirks", + "redbear-release", +] + +# Qt stack with Red Bear patches +[qt] +recipes = [ + "qtbase", "qtwayland", "qtdeclarative", "qtbase-compat", +] + +# Graphics / display stack with Red Bear patches +[graphics] +recipes = [ + "libdrm", "mesa", + "libwayland", "libevdev", "libinput", + "dbus", "glib", +] + +# Red Bear library stubs and custom libs +[libs] +recipes = [ + "libepoxy-stub", "libdisplay-info-stub", 
"lcms2-stub", + "libxcvt-stub", "libudev-stub", "zbus", "libqrencode", +] + +# Red Bear Wayland +[wayland] +recipes = [ + "qt6-wayland-smoke", "smallvil", "seatd-redox", +] + +# Red Bear KDE (47 recipes) +[kde] +recipes = [ + "kf6-extra-cmake-modules", "kf6-kcoreaddons", "kf6-kwidgetsaddons", + "kf6-kconfig", "kf6-ki18n", "kf6-kcodecs", "kf6-kguiaddons", + "kf6-kcolorscheme", "kf6-kauth", "kf6-kitemmodels", "kf6-kitemviews", + "kf6-karchive", "kf6-kwindowsystem", "kf6-knotifications", + "kf6-kjobwidgets", "kf6-kconfigwidgets", "kf6-kcrash", "kf6-kdbusaddons", + "kf6-kglobalaccel", "kf6-kservice", "kf6-kpackage", "kf6-kiconthemes", + "kf6-kxmlgui", "kf6-ktextwidgets", "kf6-solid", "kf6-sonnet", + "kf6-kio", "kf6-kbookmarks", "kf6-kcompletion", "kf6-kdeclarative", + "kf6-kcmutils", "kf6-kidletime", "kf6-kwayland", "kf6-knewstuff", + "kf6-kwallet", "kf6-prison", "kf6-kirigami", + "kdecoration", "kwin", "plasma-desktop", "plasma-workspace", + "plasma-framework", "plasma-wayland-protocols", "kirigami", +] + +# Orbutils (has local patch) +[other] +recipes = [ + "orbutils", +] diff --git a/config/redbear-bluetooth-experimental.toml b/config/redbear-bluetooth-experimental.toml index fd8cfd0ddc..3ecde8518e 100644 --- a/config/redbear-bluetooth-experimental.toml +++ b/config/redbear-bluetooth-experimental.toml @@ -7,7 +7,7 @@ # The current slice is explicit-startup, USB-attached, BLE-first, and intentionally not wired to # USB-class autospawn yet. -include = ["redbear-minimal.toml", "redbear-bluetooth-services.toml"] +include = ["redbear-mini.toml", "redbear-bluetooth-services.toml"] [general] filesystem_size = 2048 diff --git a/config/redbear-full.toml b/config/redbear-full.toml index 439f5fdc91..7141414ac1 100644 --- a/config/redbear-full.toml +++ b/config/redbear-full.toml 
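Review bot: The header should state that the section names (`[patched]`, `[kde]`, …) are documentation only — the reader this commit adds to `src/cook/fetch.rs` merges the `recipes` array of every top-level table regardless of its name, so moving an entry between sections changes nothing and a mistyped section header still protects. The `# Red Bear KDE (47 recipes)` comment is carried over from the Rust list, but the array holds 44 names; and `sources/redbear-/` in the header looks truncated (possibly a rendering artefact — confirm the intended path). Because this file is now the boundary that keeps patched sources from being overwritten by an upstream fetch, a one-line note such as `# Removing an entry re-enables upstream fetch for that recipe; review before editing.` would help the next maintainer treat it accordingly.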
@@ -17,14 +17,14 @@ include = ["redbear-mini.toml"] [general] -filesystem_size = 4096 +filesystem_size = 8192 [users.messagebus] uid = 100 gid = 100 name = "messagebus" home = "/nonexistent" -shell = "/usr/bin/zsh" +shell = "/usr/bin/false" [users.root] password = "password" @@ -239,7 +239,7 @@ data = """ [unit] description = "Firmware loading scheme" requires_weak = [ - "00_base.target", + "05_boot-essential.target", ] [service] @@ -253,7 +253,7 @@ data = """ [unit] description = "Boot essential services target" requires_weak = [ - "00_base.target", + "04_drivers.target", ] """ @@ -263,7 +263,7 @@ data = """ [unit] description = "IOMMU DMA remapping daemon" requires_weak = [ - "00_base.target", + "05_boot-essential.target", ] [service] diff --git a/config/redbear-greeter-services.toml b/config/redbear-greeter-services.toml index 24d80f35f5..09a1296f5f 100644 --- a/config/redbear-greeter-services.toml +++ b/config/redbear-greeter-services.toml @@ -1,8 +1,10 @@ -# Red Bear greeter/login service wiring -# -# This fragment is intended to be included by the active desktop/graphics target. +# DEPRECATED: This fragment is NO LONGER INCLUDED by any active config. +# All greeter/auth/session wiring is now inlined in redbear-full.toml. +# This file is retained for reference only. Do not include it in new configs. +# To add greeter services, edit redbear-full.toml directly. -[[files]] +# Original contents below (preserved for reference): +#[[files]] path = "/etc/init.d/05_boot-essential.target" data = """ [unit] diff --git a/config/redbear-mini.toml b/config/redbear-mini.toml index d3ccebc54e..2eab72c592 100644 --- a/config/redbear-mini.toml +++ b/config/redbear-mini.toml @@ -19,7 +19,7 @@ uid = 100 gid = 100 name = "messagebus" home = "/nonexistent" -shell = "/usr/bin/zsh" +shell = "/usr/bin/false" [packages] # Red Bear OS branding and host utilities. diff --git a/config/redbear-netctl.toml b/config/redbear-netctl.toml index b2196d1978..6a51b9644b 100644 
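Review bot: `shell = "/usr/bin/false"` for `messagebus` is the right direction, but confirm that path actually exists in the built image — how a login path handles a non-existent shell varies, and a hardening change that points at a missing binary is easy to overlook. The context line `password = "password"` under `[users.root]` is a fixed plaintext root credential baked into `redbear-full`; if that is intended only for development images it should be gated or at least annotated in the config (`# dev-only default; release builds must override`), and the "(security)" label on the messagebus change should not suggest the account hardening is complete.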
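Review bot: With `05_boot-essential.target` now requiring `04_drivers.target` and `iommu` requiring `05_boot-essential.target`, the DMA remapping daemon is ordered after the drivers target; if `04_drivers` starts DMA-capable device drivers, those devices run unremapped until `iommu` comes up, which is exactly the window an IOMMU is meant to close. I cannot tell from this config whether the kernel holds devices off DMA until the daemon attaches or whether `04_drivers` contains only non-DMA services, so this may be deliberate — but it deserves an explicit note in the unit (`# Ordered after 04_drivers because: <reason>`), or the daemon should be pulled in by `04_drivers.target` instead so remapping is active before drivers bind.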
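Review bot: Commenting out only the first `[[files]]` header leaves `path = ...` and `data = """` as bare top-level keys, so the file is still valid TOML and presumably still carries live `[[files]]` entries below this hunk; anyone who includes it by mistake gets a config with a stray top-level `path`/`data` pair instead of a clear error. If the fragment is reference-only, rename it (e.g. `redbear-greeter-services.toml.deprecated`) or comment out the entire body so the deprecation is enforced by the parser rather than by a header comment.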
--- a/config/redbear-netctl.toml +++ b/config/redbear-netctl.toml @@ -1,6 +1,6 @@ # Red Bear OS shared network profile wiring # -# Shared by redbear-minimal, redbear-desktop, redbear-full, and redbear-kde. +# Shared by redbear-mini, redbear-full, and other network-enabled configs. [[files]] path = "/etc/netctl" diff --git a/config/redbear-wifi-experimental.toml b/config/redbear-wifi-experimental.toml index 350eb5a073..5404584068 100644 --- a/config/redbear-wifi-experimental.toml +++ b/config/redbear-wifi-experimental.toml @@ -6,7 +6,7 @@ # to the bounded Wi-Fi path and adds the first Intel driver-side package on top of the shared # firmware/control/profile tooling. -include = ["redbear-minimal.toml"] +include = ["redbear-mini.toml"] [general] filesystem_size = 2048 diff --git a/docs/README.md b/docs/README.md index fcdbcddac4..4d8f9414ff 100644 --- a/docs/README.md +++ b/docs/README.md @@ -21,8 +21,7 @@ current/canonical versus historical/reference split obvious. > **Red Bear note:** newer subsystem plans can also live under `local/docs/` when they are Red Bear- > specific rather than general Redox architecture material. In particular, see > `local/docs/WIFI-IMPLEMENTATION-PLAN.md` for the current Wi-Fi direction, -> `local/docs/CONSOLE-TO-KDE-DESKTOP-PLAN.md` for the canonical desktop path, -> and `local/docs/CONSOLE-TO-KDE-DESKTOP-PLAN.md` for the canonical desktop path. +> `local/docs/CONSOLE-TO-KDE-DESKTOP-PLAN.md` for the canonical desktop path. > **Repository model:** RedBearOS relates to Redox in the same way Ubuntu relates to Debian. > Upstream Redox remains the base platform; Red Bear carries packaging, patch, validation, and 
@@ -101,7 +100,6 @@ This summary is only a quick orientation layer. For canonical current-state deta - `docs/07-RED-BEAR-OS-IMPLEMENTATION-PLAN.md` for repository-wide execution order, - `local/docs/CONSOLE-TO-KDE-DESKTOP-PLAN.md` for the canonical comprehensive plan, - `local/docs/PROFILE-MATRIX.md` for support-language by tracked profile, -- `local/docs/PROFILE-MATRIX.md` for support-language by tracked profile, - and the active subsystem plans under `local/docs/` for detailed current workstreams. - **Compile targets**: the supported compile targets are `redbear-mini`, `redbear-full`, and `redbear-grub` diff --git a/local/AGENTS.md b/local/AGENTS.md index db9039d64b..36a4aef586 100644 --- a/local/AGENTS.md +++ b/local/AGENTS.md 
@@ -534,15 +534,10 @@ When mainline updates affect our work: - `local/docs/DRM-MODERNIZATION-EXECUTION-PLAN.md` is the current DRM-focused execution plan beneath the canonical desktop path. It keeps Intel and AMD at the same evidence bar while separating display/KMS maturity from render/3D maturity. -- Older GPU-specific docs such as `local/docs/AMD-FIRST-INTEGRATION.md`, - `local/docs/HARDWARE-3D-ASSESSMENT.md`, and `local/docs/DMA-BUF-IMPROVEMENT-PLAN.md` remain - useful reference material, but they are not the planning authority when sequencing or acceptance - criteria differ. +- Older GPU-specific docs (`AMD-FIRST-INTEGRATION.md`, `HARDWARE-3D-ASSESSMENT.md`, `DMA-BUF-IMPROVEMENT-PLAN.md`) have been retired and removed from the tree. Their content is subsumed by `CONSOLE-TO-KDE-DESKTOP-PLAN.md` and `DRM-MODERNIZATION-EXECUTION-PLAN.md`. +- `DESKTOP-STACK-CURRENT-STATUS.md` has been retired — its content merged into `CONSOLE-TO-KDE-DESKTOP-PLAN.md`. - `local/docs/AMD-FIRST-INTEGRATION.md` remains the deeper AMD-specific technical roadmap, but AMD and Intel machines are now equal-priority Red Bear OS targets. -- The earlier Phase 0–3 reassessment bridge has been retired. Its reconciliation role is now - covered by `local/docs/CONSOLE-TO-KDE-DESKTOP-PLAN.md`, - `local/docs/DESKTOP-STACK-CURRENT-STATUS.md`, and `docs/07-RED-BEAR-OS-IMPLEMENTATION-PLAN.md`. - `local/docs/WIFI-IMPLEMENTATION-PLAN.md` is the current Wi-Fi architecture and rollout plan, including the bounded role of `linux-kpi` and the native wireless control-plane direction. - `local/docs/USB-IMPLEMENTATION-PLAN.md` and `local/docs/BLUETOOTH-IMPLEMENTATION-PLAN.md` should 
@@ -551,8 +546,7 @@ When mainline updates affect our work: IRQ delivery, MSI/MSI-X quality, IOMMU validation, and other low-level controller completeness work. - `local/docs/QUIRKS-SYSTEM.md` documents the hardware quirks infrastructure: compiled-in tables, TOML runtime files, DMI matching, driver integration, and the linux-kpi C FFI bridge. -- `local/docs/QUIRKS-IMPROVEMENT-PLAN.md` is the current follow-up plan for removing quirks drift, - integrating quirks into real drivers, and converging on one source of truth. +- `local/docs/QUIRKS-IMPROVEMENT-PLAN.md` has been retired — quirks convergence is tracked in `QUIRKS-SYSTEM.md` and the canonical desktop path plan. - `local/docs/DBUS-INTEGRATION-PLAN.md` is the canonical D-Bus architecture and implementation plan for KDE Plasma 6 on Wayland. It defines the phased approach to D-Bus service integration, the `redbear-sessiond` login1-compatible session broker, and the gap analysis for desktop-facing D-Bus services. - `local/docs/GREETER-LOGIN-IMPLEMENTATION-PLAN.md` is the canonical Red Bear-native greeter/login design and current implementation plan for the `redbear-full` desktop path. It defines the `redbear-authd` / `redbear-session-launch` / `redbear-greeter` split, service wiring, validation surface, and the current boundary between the active greeter path and the older `redbear-validation-session` helper flows. diff --git a/local/scripts/apply-patches.sh b/local/scripts/apply-patches.sh index f8361f6d50..fff9aeb385 100755 --- a/local/scripts/apply-patches.sh +++ b/local/scripts/apply-patches.sh 
@@ -1,6 +1,10 @@ #!/usr/bin/env bash # apply-patches.sh — Apply all Red Bear OS overlays on top of upstream Redox build system. # +# DEPRECATION NOTICE: Patches are now applied atomically by 'repo fetch' via recipe.toml. +# This script is retained for: (1) build-system git patches, (2) recipe symlinks. +# Do NOT use this for recipe source patching — that is handled by the cookbook. +# # Usage: ./local/scripts/apply-patches.sh [--force] [--dry-run] # # This script: diff --git a/local/scripts/build-redbear.sh b/local/scripts/build-redbear.sh index 454536e9f9..a0c35d4c05 100755 --- a/local/scripts/build-redbear.sh +++ b/local/scripts/build-redbear.sh 
@@ -124,57 +124,8 @@ stash_nested_repo_if_dirty() { stash_nested_repo_if_dirty "$PROJECT_ROOT/recipes/core/relibc/source" "relibc" if [ "$APPLY_PATCHES" = "1" ] && [ -z "${REDBEAR_RELEASE:-}" ]; then - echo ">>> Applying local patches..." - - apply_patch_dir() { - local patch_dir="$1" - local target_dir="$2" - local label="$3" - - if [ "$label" = "relibc" ] && [ -d "$target_dir/.git" ]; then - if ! git -C "$target_dir" diff --quiet || ! git -C "$target_dir" diff --cached --quiet || [ -n "$(git -C "$target_dir" ls-files --others --exclude-standard)" ]; then - echo " STASH relibc source (dirty nested checkout)" - rm -f "$target_dir/.git/index.lock" - git -C "$target_dir" stash push --all -m "build-redbear-auto-stash" > /dev/null 2>&1 || true - fi - fi - - if [ ! -d "$patch_dir" ]; then - return 0 - fi - - for patch_file in "$patch_dir"/*.patch; do - [ -f "$patch_file" ] || continue - patch_name=$(basename "$patch_file") - - if [ "$label" = "base" ] && [ "$patch_name" = "P0-acpid-power-methods.patch" ]; then - acpid_file="$target_dir/drivers/acpid/src/acpi.rs" - if [ -f "$acpid_file" ] && grep -q "pub fn evaluate_acpi_method(" "$acpid_file"; then - echo " SKIP $patch_name (ACPI power helper methods already present)" - continue - fi - fi - - if [ ! 
-d "$target_dir" ]; then - echo " SKIP $patch_name ($label source not fetched yet)" - continue - fi - if patch --dry-run -p1 -d "$target_dir" < "$patch_file" > /dev/null 2>&1; then - patch -p1 -d "$target_dir" < "$patch_file" > /dev/null 2>&1 - echo " OK $patch_name" - else - echo " SKIP $patch_name (already applied or won't apply)" - fi - done - } - - apply_patch_dir "$PROJECT_ROOT/local/patches/kernel" "$PROJECT_ROOT/recipes/core/kernel/source" "kernel" - apply_patch_dir "$PROJECT_ROOT/local/patches/base" "$PROJECT_ROOT/recipes/core/base/source" "base" - apply_patch_dir "$PROJECT_ROOT/local/patches/relibc" "$PROJECT_ROOT/recipes/core/relibc/source" "relibc" - apply_patch_dir "$PROJECT_ROOT/local/patches/bootloader" "$PROJECT_ROOT/recipes/core/bootloader/source" "bootloader" - apply_patch_dir "$PROJECT_ROOT/local/patches/installer" "$PROJECT_ROOT/recipes/core/installer/source" "installer" - - stash_nested_repo_if_dirty "$PROJECT_ROOT/recipes/core/relibc/source" "relibc" + echo ">>> Patches are applied by 'repo fetch' via recipe.toml (atomic mechanism)" + echo ">>> Skipping direct patch application (was bypassing cookbook atomicity)" echo "" elif [ -n "${REDBEAR_RELEASE:-}" ]; then echo ">>> Release mode: skipping patch application (patches pre-applied in archived sources)" diff --git a/local/scripts/fetch-firmware.sh b/local/scripts/fetch-firmware.sh index 5aadc5b388..7c3611dcac 100755 --- a/local/scripts/fetch-firmware.sh +++ b/local/scripts/fetch-firmware.sh 
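Review bot: The `APPLY_PATCHES=1` branch is now two `echo` lines, so the option still exists but does nothing, and nothing in this script verifies the claim that `repo fetch` has the patches wired before the build proceeds. Replacing the second echo with the gate would turn the message into a checked precondition: `bash "$PROJECT_ROOT/scripts/patch-inclusion-gate.sh"`. The `stash_nested_repo_if_dirty` call on the context line above (its body is outside this hunk) presumably still shelves uncommitted relibc work silently, as the removed `stash push --all` did; logging the stash name would make that recoverable for the developer who loses edits to it.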
@@ -12,6 +12,15 @@ VENDOR="amd" SUBSET="all" COPIED_COUNT=0 +# Offline gate: this script downloads from the network. +# Block if REPO_OFFLINE=1 (the default during builds). +if [ "${REPO_OFFLINE:-1}" = "1" ] && [ -z "${REDBEAR_ALLOW_UPSTREAM:-}" ]; then + echo "ERROR: fetch-firmware.sh requires network access but REPO_OFFLINE=1." >&2 + echo " Set REPO_OFFLINE=0 or pass REDBEAR_ALLOW_UPSTREAM=1 to override." >&2 + echo " This script is manual-only — it is never called by 'make all' or 'make live'." >&2 + exit 1 +fi + usage() { cat <&2 && false) +endif $(BUILD)/qemu_uboot.rom: +ifneq ($(REPO_OFFLINE),1) wget -O $@ https://gitlab.redox-os.org/Ivan/redox_firmware/-/raw/main/platform/qemu/qemu_arm64/u-boot-qemu-arm64.bin +else + @echo "SKIP: qemu_uboot.rom download blocked (REPO_OFFLINE=1)" + @echo " Set REPO_OFFLINE=0 to download ARM U-Boot firmware for non-x86 QEMU targets." + test -f $@ || (echo "ERROR: $@ not found and network access disabled" >&2 && false) +endif qemu: qemu-deps $(QEMU) $(QEMUFLAGS) diff --git a/scripts/cargo-update.sh b/scripts/cargo-update.sh index 3e359b0f14..ff67063951 100755 --- a/scripts/cargo-update.sh +++ b/scripts/cargo-update.sh @@ -1,6 +1,11 @@ #!/usr/bin/env bash +set -euo pipefail -# This script runs "make f.recipe" and "cargo update" in the specified recipe +if [ "${REDBEAR_ALLOW_UPSTREAM:-0}" = "0" ]; then + echo "ERROR: cargo-update.sh modifies Cargo.lock files and may require network access." >&2 + echo " Set REDBEAR_ALLOW_UPSTREAM=1 to override." >&2 + exit 1 +fi recipe_name="$1" recipe_path=$(find recipes -name "$recipe_name" -maxdepth 4) diff --git a/scripts/fetch-all-sources.sh b/scripts/fetch-all-sources.sh index 7e49260d38..5ffdaf9abc 100755 --- a/scripts/fetch-all-sources.sh +++ b/scripts/fetch-all-sources.sh 
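Review bot: With `set -euo pipefail` now in force, the `recipe_name="$1"` line after the gate aborts with bash's bare `$1: unbound variable` when no argument is given; `recipe_name="${1:?usage: $0 <recipe-name>}"` gives a usable message. The gate compares `REDBEAR_ALLOW_UPSTREAM` against the string `"0"`, so any other value — `no`, `false`, a typo — unlocks it; testing `!= "1"` matches the override the error text advertises. On the context line, `find recipes -name "$recipe_name" -maxdepth 4` places `-maxdepth` after `-name` (GNU find warns), and an empty result leaves `recipe_path` empty while the script continues — a `[ -n "$recipe_path" ]` check right after it would fail early.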
@@ -34,6 +34,7 @@ cd "$REPO_ROOT"
 REPO_BIN="./target/release/repo"
 CONFIG_NAME="${1:-redbear-full}"
 ACTION="fetch"
+ALLOW_UPSTREAM="${ALLOW_UPSTREAM:-0}"
 
 # ── Colors (disabled when not a terminal) ───────────────────────────
 if [ -t 1 ]; then
@@ -56,9 +57,10 @@ usage() {
     echo "  --status      Show which sources already exist locally"
     echo "  --preflight   Smart blake3/size check — show what needs updating"
     echo "  --force       Force re-download even if checksums match"
+    echo "  --upstream    Allow network access for source fetching (gated)"
     echo "  --help        Show this help"
     echo ""
-    echo "Configs: redbear-full, redbear-minimal, redbear-live-full, redbear-live-minimal"
+    echo "Configs: redbear-full, redbear-mini, redbear-grub"
     echo "Default config: redbear-full"
 }
 
@@ -91,6 +93,10 @@ while [[ $# -gt 0 ]]; do
             FORCE_FETCH=1
             shift
             ;;
+        --upstream)
+            ALLOW_UPSTREAM=1
+            shift
+            ;;
         --help|-h)
             usage
             exit 0
@@ -481,7 +487,7 @@ case "$ACTION" in
     preflight)
         build_repo
         if [ "$ALL_CONFIGS" -eq 1 ]; then
-            for cfg in redbear-kde redbear-live redbear-full redbear-minimal redbear-wayland; do
+            for cfg in redbear-full redbear-mini redbear-grub; do
                 preflight_scan "$cfg" || true
             done
         else
@@ -491,7 +497,7 @@ case "$ACTION" in
     list)
         build_repo
         if [ "$ALL_CONFIGS" -eq 1 ]; then
-            for cfg in redbear-kde redbear-live redbear-full redbear-minimal redbear-wayland; do
+            for cfg in redbear-full redbear-mini redbear-grub; do
                 list_for_config "$cfg" 2>/dev/null || true
             done
         else
@@ -501,12 +507,19 @@ case "$ACTION" in
     fetch)
         build_repo
 
+        if [ "$ALLOW_UPSTREAM" -eq 0 ] && [ "${REDBEAR_ALLOW_UPSTREAM:-0}" -eq 0 ]; then
+            echo "ERROR: fetch-all-sources.sh requires network access." >&2
+            echo "  Pass --upstream or set REDBEAR_ALLOW_UPSTREAM=1 to enable." >&2
+            echo "  This script is manual-only — it is never called by 'make all' or 'make live'." >&2
+            exit 1
+        fi
+
         if [ -n "$SINGLE_RECIPE" ]; then
             fetch_single_recipe "$SINGLE_RECIPE"
         elif [ "$ALL_CONFIGS" -eq 1 ]; then
             echo "==> Fetching sources for ALL configs"
             echo "    This ensures every recipe needed by any config is downloaded."
-            for cfg in redbear-kde redbear-live redbear-full redbear-minimal redbear-wayland; do
+            for cfg in redbear-full redbear-mini redbear-grub; do
                 fetch_for_config "$cfg" 2>/dev/null || {
                     echo "    WARNING: failed to fetch for $cfg (some recipes may not exist)"
                     echo ""
diff --git a/scripts/patch-inclusion-gate.sh b/scripts/patch-inclusion-gate.sh
index 2ae96fb89b..f57a7309bb 100755
--- a/scripts/patch-inclusion-gate.sh
+++ b/scripts/patch-inclusion-gate.sh
@@ -1,10 +1,12 @@
 #!/usr/bin/env bash
-# patch-inclusion-gate.sh — block image creation unless Red Bear patches are auditable.
+# patch-inclusion-gate.sh — block image creation unless Red Bear patches are wired.
+#
+# Verifies that:
+#   1. Every patch file referenced in recipe.toml exists on disk
+#   2. Every patch file in local/patches/ is wired into at least one recipe
 #
 # Public scripts that create harddrive images or live ISOs must call this before
-# invoking `make all`, `make live`, or a direct image target. The cookbook still
-# applies patches from recipe.toml; this gate verifies the durable patch store is
-# classified and that active ledger entries are wired into recipes.
+# invoking `make all`, `make live`, or a direct image target.
 
 set -euo pipefail
 
@@ -18,12 +20,36 @@ if [ "${REDBEAR_SKIP_PATCH_INCLUSION_GATE:-0}" = "1" ]; then
   exit 0
 fi
 
-ledger_gate="local/scripts/classify-patches-ledger.py"
-if [ ! -x "$ledger_gate" ]; then
-  echo "ERROR: missing executable patch ledger gate: $ledger_gate" >&2
+errors=0
+
+# Check 1: every patch referenced in recipe.toml must exist on disk
+while IFS= read -r recipe_toml; do
+    recipe_dir="$(dirname "$recipe_toml")"
+    patch_list=$(grep -oP 'patches\s*=\s*\[([^\]]*)\]' "$recipe_toml" 2>/dev/null | grep -oP '"[^"]+\.patch"' | tr -d '"' || true)
+
+    for patch_name in $patch_list; do
+        patch_path="$recipe_dir/$patch_name"
+        if [ ! -f "$patch_path" ]; then
+            echo "ERROR: $recipe_toml references '$patch_name' but file not found at $patch_path" >&2
+            errors=$((errors + 1))
+        fi
+    done
+done < <(find recipes local/recipes -name "recipe.toml" -not -path "*/source/*" 2>/dev/null)
+
+# Check 2: every patch in local/patches/ should be wired into at least one recipe
+while IFS= read -r patch_file; do
+    patch_name=$(basename "$patch_file")
+    component=$(basename "$(dirname "$patch_file")")
+
+    wired=$(grep -rl "\"$patch_name\"" recipes/ local/recipes/ --include="recipe.toml" 2>/dev/null | head -1 || true)
+    if [ -z "$wired" ]; then
+        echo "WARNING: local/patches/$component/$patch_name is not wired into any recipe.toml" >&2
+    fi
+done < <(find local/patches -name "*.patch" -type f 2>/dev/null)
+
+if [ "$errors" -gt 0 ]; then
+    echo "ERROR: $errors patch reference(s) broken. Fix before building." >&2
   exit 1
 fi
 
-echo ">>> Verifying Red Bear patch inclusion before image creation"
-python3 local/scripts/ensure-patches-wired.py
-python3 "$ledger_gate" --strict
+echo ">>> Patch inclusion gate passed"
diff --git a/scripts/run.sh b/scripts/run.sh
index 1aed2d5e1d..1ec7ab7c74 100755
--- a/scripts/run.sh
+++ b/scripts/run.sh
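Review bot: The gate uses `-eq`, so a non-numeric `REDBEAR_ALLOW_UPSTREAM` (e.g. `yes` or `true`) makes `[` fail with "integer expression expected", the `&&` chain evaluates false, and the fetch proceeds — the guard is bypassed by exactly the value an operator is likely to try. String comparison closes that: `if [ "$ALLOW_UPSTREAM" != "1" ] && [ "${REDBEAR_ALLOW_UPSTREAM:-0}" != "1" ]; then`. The three scripts in this patch also read the same variable with three different rules (`fetch-firmware.sh` accepts any non-empty value, `cargo-update.sh` rejects only `0`); one rule — `1` unlocks, anything else blocks — stated in each error message avoids a network policy that depends on which script happens to be run.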
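Review bot: Check 1 runs `grep -oP` line by line, so a `patches = [` array that spans several lines in `recipe.toml` (the natural layout once there is more than one entry) yields an empty `patch_list` and that recipe is silently skipped; flattening the file first fixes it: `patch_list=$(tr '\n' ' ' < "$recipe_toml" | grep -oP 'patches\s*=\s*\[[^\]]*\]' | grep -oP '"[^"]+\.patch"' | tr -d '"' || true)`. Check 2 only prints a WARNING, so an unwired patch under `local/patches/` never fails the gate although the header says image creation is blocked unless patches are wired — it should count into `errors` like check 1, with an explicit allow-list for deliberately retired patches if needed. The `grep -rl "\"$patch_name\""` lookup is a regex, so the dots in patch names match any character; `grep -rlF` makes it literal, and a top-of-file note that `grep -P` requires GNU grep would save a BSD/macOS host from a confusing failure.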
@@ -29,7 +29,7 @@ Examples:
   $(basename "$0")                         # Run existing image
   $(basename "$0") --build                 # Build + run
   $(basename "$0") --build --upstream      # Build + run with upstream source refresh enabled
-  $(basename "$0") -b -c redbear-minimal   # Build minimal + run
+  $(basename "$0") -b -c redbear-mini      # Build mini + run
   $(basename "$0") -- QEMUFLAGS="-m 8G"    # Run with 8G RAM
   $(basename "$0") -b -- serial=yes        # Build + run with serial console
   $(basename "$0") -b -- gpu=virtio kvm=no # Build + run with virtio GPU, no KVM
diff --git a/scripts/run_full.sh b/scripts/run_full.sh
index e2c73d1484..e0c03e9358 100755
--- a/scripts/run_full.sh
+++ b/scripts/run_full.sh
@@ -1,9 +1,28 @@
-#!/bin/bash
+#!/usr/bin/env bash
+set -euo pipefail
 
-# Ensure cargo bin (cbindgen, rustup, etc.) is in PATH
-case ":${PATH}:" in
-    *":$HOME/.cargo/bin:"*) ;;
-    *) export PATH="$HOME/.cargo/bin:$PATH" ;;
-esac
+SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"
+PROJECT_ROOT="$(cd "$SCRIPT_DIR/.." && pwd)"
+IMAGE="${1:-$PROJECT_ROOT/build/x86_64/redbear-full/harddrive.img}"
+BIOS="${OVMF_BIOS:-/usr/share/edk2/x64/OVMF_CODE.4m.fd}"
+RAM="${QEMU_RAM:-8192}"
 
-qemu-system-x86_64 -m 8G -drive if=pflash,format=raw,readonly=on,file=/usr/share/edk2/x64/OVMF_CODE.4m.fd -drive file=/home/kellito/Builds/rbos/build/x86_64/redbear-full.iso,format=raw -device virtio-gpu-pci -enable-kvm -serial mon:stdio
+if [ ! -f "$IMAGE" ]; then
+    echo "ERROR: Image not found at $IMAGE" >&2
+    echo "  Run 'make all CONFIG_NAME=redbear-full' first." >&2
+    exit 1
+fi
+
+if [ ! -f "$BIOS" ]; then
+    echo "ERROR: OVMF firmware not found at $BIOS" >&2
+    echo "  Install edk2-ovmf or set OVMF_BIOS to the correct path." >&2
+    exit 1
+fi
+
+exec qemu-system-x86_64 \
+    -m "${RAM}" \
+    -drive if=pflash,format=raw,readonly=on,file="$BIOS" \
+    -drive file="$IMAGE",format=raw \
+    -device virtio-gpu-pci \
+    -enable-kvm \
+    -serial mon:stdio
diff --git a/scripts/run_mini.sh b/scripts/run_mini.sh
index c6f7ba363c..0581c9b28d 100755
--- a/scripts/run_mini.sh
+++ b/scripts/run_mini.sh
@@ -1,9 +1,26 @@
-#!/bin/bash
+#!/usr/bin/env bash
+set -euo pipefail
 
-# Ensure cargo bin (cbindgen, rustup, etc.) is in PATH
-case ":${PATH}:" in
-    *":$HOME/.cargo/bin:"*) ;;
-    *) export PATH="$HOME/.cargo/bin:$PATH" ;;
-esac
+SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"
+PROJECT_ROOT="$(cd "$SCRIPT_DIR/.." && pwd)"
+IMAGE="${1:-$PROJECT_ROOT/build/x86_64/redbear-mini/harddrive.img}"
+BIOS="${OVMF_BIOS:-/usr/share/edk2/x64/OVMF_CODE.4m.fd}"
+RAM="${QEMU_RAM:-8192}"
 
-qemu-system-x86_64 -m 8G -drive if=pflash,format=raw,readonly=on,file=/usr/share/edk2/x64/OVMF_CODE.4m.fd -drive file=/home/kellito/Builds/RedBear-OS/build/x86_64/redbear-mini.iso,format=raw -device virtio-gpu-pci -enable-kvm -serial mon:stdio
+if [ ! -f "$IMAGE" ]; then
+    echo "ERROR: Image not found at $IMAGE" >&2
+    echo "  Run 'make all CONFIG_NAME=redbear-mini' first." >&2
+    exit 1
+fi
+
+if [ ! -f "$BIOS" ]; then
+    echo "ERROR: OVMF firmware not found at $BIOS" >&2
+    echo "  Install edk2-ovmf or set OVMF_BIOS to the correct path." >&2
+    exit 1
+fi
+
+exec qemu-system-x86_64 \
+    -m "${RAM}" \
+    -drive if=pflash,format=raw,readonly=on,file="$BIOS" \
+    -drive file="$IMAGE",format=raw \
+    -serial mon:stdio
diff --git a/src/cook/fetch.rs b/src/cook/fetch.rs
index 75f1fb5fdf..ffb74c153c 100644
--- a/src/cook/fetch.rs
+++ b/src/cook/fetch.rs
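Review bot: QEMU opens `$IMAGE` read-write, so every run of this script mutates the `harddrive.img` that `make all` produced, and a validation boot after a test run is no longer exercising the artifact the build emitted. Adding `-snapshot` to the `exec` line by default, with an explicit opt-out such as `QEMU_PERSIST=1` for runs that need to keep state, keeps the build output pristine; at minimum the script header should say the image is modified in place. `-enable-kvm` is also unconditional here while `run.sh` offers `kvm=no`, so a host without `/dev/kvm` access now fails hard rather than falling back to TCG.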
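Review bot: Compared with the one-liner it replaces and with `run_full.sh` in this same patch, this rewrite drops both `-device virtio-gpu-pci` and `-enable-kvm`, so the mini image now boots under TCG with no display device. If that is deliberate for a console-only profile, say so above `exec` (`# console-only: no GPU device; software emulation`), otherwise `-enable-kvm` at least should come back. The image is also opened read-write, so each run modifies the build artifact in place — the same `-snapshot` caveat as `run_full.sh` applies.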
@@ -58,134 +58,30 @@ pub(crate) fn cleanup_workspace_pollution(recipe_dir: &Path, logger: &PtyOut) {
 }
 
 fn redbear_protected_recipe(name: &str) -> bool {
-    matches!(
-        name,
-        // Core patched recipes (upstream + Red Bear patches)
-        "relibc"
-        | "bootloader"
-        | "kernel"
-        | "base"
-        | "base-initfs"
-        | "installer"
-        | "redoxfs"
-        | "grub"
-        // Red Bear custom core recipes
-        | "ext4d"
-        | "fatd"
-        // Red Bear driver infrastructure
-        | "redox-driver-sys"
-        | "linux-kpi"
-        | "firmware-loader"
-        | "redbear-btusb"
-        | "redbear-iwlwifi"
-        // Red Bear GPU stack
-        | "redox-drm"
-        | "amdgpu"
-        // Red Bear system tools
-        | "cub"
-        | "evdevd"
-        | "udev-shim"
-        | "iommu"
-        | "redbear-firmware"
-        | "redbear-hwutils"
-        | "redbear-info"
-        | "rbos-info"
-        | "redbear-meta"
-        | "redbear-netctl"
-        | "redbear-netctl-console"
-        | "redbear-netstat"
-        | "redbear-btctl"
-        | "redbear-wifictl"
-        | "redbear-traceroute"
-        | "redbear-mtr"
-        | "redbear-nmap"
-        | "redbear-sessiond"
-        | "redbear-authd"
-        | "redbear-session-launch"
-        | "redbear-greeter"
-        | "redbear-dbus-services"
-        | "redbear-notifications"
-        | "redbear-upower"
-        | "redbear-udisks"
-        | "redbear-polkit"
-        | "redbear-quirks"
-        // Red Bear branding
-        | "redbear-release"
-        // Qt stack with Red Bear patches (must not be re-fetched online)
-        | "qtbase"
-        | "qtwayland"
-        | "qtdeclarative"
-        | "qtbase-compat"
-        // Graphics / display stack with Red Bear patches
-        | "libdrm"
-        | "mesa"
-        // Wayland / input stack with Red Bear patches
-        | "libwayland"
-        | "libevdev"
-        | "libinput"
-        // IPC / system libraries with Red Bear patches
-        | "dbus"
-        | "glib"
-        // Red Bear library stubs and custom libs
-        | "libepoxy-stub"
-        | "libdisplay-info-stub"
-        | "lcms2-stub"
-        | "libxcvt-stub"
-        | "libudev-stub"
-        | "zbus"
-        | "libqrencode"
-        // Red Bear Wayland
-        | "qt6-wayland-smoke"
-        | "smallvil"
-        | "seatd-redox"
-        // Red Bear KDE (47 recipes)
-        | "kf6-extra-cmake-modules"
-        | "kf6-kcoreaddons"
-        | "kf6-kwidgetsaddons"
-        | "kf6-kconfig"
-        | "kf6-ki18n"
-        | "kf6-kcodecs"
-        | "kf6-kguiaddons"
-        | "kf6-kcolorscheme"
-        | "kf6-kauth"
-        | "kf6-kitemmodels"
-        | "kf6-kitemviews"
-        | "kf6-karchive"
-        | "kf6-kwindowsystem"
-        | "kf6-knotifications"
-        | "kf6-kjobwidgets"
-        | "kf6-kconfigwidgets"
-        | "kf6-kcrash"
-        | "kf6-kdbusaddons"
-        | "kf6-kglobalaccel"
-        | "kf6-kservice"
-        | "kf6-kpackage"
-        | "kf6-kiconthemes"
-        | "kf6-kxmlgui"
-        | "kf6-ktextwidgets"
-        | "kf6-solid"
-        | "kf6-sonnet"
-        | "kf6-kio"
-        | "kf6-kbookmarks"
-        | "kf6-kcompletion"
-        | "kf6-kdeclarative"
-        | "kf6-kcmutils"
-        | "kf6-kidletime"
-        | "kf6-kwayland"
-        | "kf6-knewstuff"
-        | "kf6-kwallet"
-        | "kf6-prison"
-        | "kf6-kirigami"
-        | "kdecoration"
-        | "kwin"
-        | "plasma-desktop"
-        | "plasma-workspace"
-        | "plasma-framework"
-        | "plasma-wayland-protocols"
-        | "kirigami"
-        // Orbutils (has local patch)
-        | "orbutils"
-    )
+    static PROTECTED: std::sync::OnceLock> = std::sync::OnceLock::new();
+    let set = PROTECTED.get_or_init(|| {
+        let mut set = std::collections::HashSet::new();
+        let config_path = std::path::Path::new("config/protected-recipes.toml");
+        if let Ok(contents) = std::fs::read_to_string(config_path) {
+            if let Ok(value) = contents.parse::() {
+                if let Some(table) = value.as_table() {
+                    for section in table.values() {
+                        if let Some(arr) = section.get("recipes").and_then(|v| v.as_array()) {
+                            for item in arr {
+                                if let Some(s) = item.as_str() {
+                                    set.insert(s.to_string());
+                                }
+                            }
+                        }
+                    }
+                }
+            }
+        } else {
+            eprintln!("WARNING: config/protected-recipes.toml not found, falling back to empty protected list");
+        }
+        set
+    });
+    set.contains(name)
 }
 
 fn redbear_allow_protected_fetch() -> bool {
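Review bot: `redbear_protected_recipe` now fails open: if `config/protected-recipes.toml` is missing, unreadable or malformed, the cached set is empty and every recipe — `kernel`, `relibc`, `bootloader` included — becomes eligible for an upstream re-fetch that overwrites patched sources, with only an `eprintln!` on the not-found path and nothing at all on the parse-error path (`if let Ok(value) = contents.parse()` discards the error). Since this list is the entire purpose of the function, a bad list should abort the run (or treat everything as protected) rather than unprotect everything; the rewrite below does that and flattens the five nested `if let`s. The path is also resolved against the process CWD; if `fetch.rs` already has a repo-root path in scope it should be joined from that. The generic parameters appear stripped in this rendering (`OnceLock>`, `parse::()`), so I assume `OnceLock<HashSet<String>>` and `parse::<toml::Value>()` in the real source, and that the `toml` version in use implements `FromStr` for `Table` — otherwise keep `Value` plus `as_table()`.
```rust
fn redbear_protected_recipe(name: &str) -> bool {
    static PROTECTED: std::sync::OnceLock<std::collections::HashSet<String>> =
        std::sync::OnceLock::new();
    let set = PROTECTED.get_or_init(|| {
        // Resolved against CWD; prefer the repo root if fetch.rs has one in scope.
        let config_path = std::path::Path::new("config/protected-recipes.toml");
        // Fail closed: this list is what keeps patched sources from being
        // overwritten by an upstream fetch, so a missing or malformed list
        // must stop the run instead of silently unprotecting every recipe.
        let contents = std::fs::read_to_string(config_path).unwrap_or_else(|err| {
            panic!("cannot read {}: {err}", config_path.display())
        });
        let table: toml::Table = contents.parse().unwrap_or_else(|err| {
            panic!("cannot parse {}: {err}", config_path.display())
        });
        // Section names are documentary; every table's `recipes` array counts.
        table
            .values()
            .filter_map(|section| section.get("recipes")?.as_array())
            .flatten()
            .filter_map(|item| item.as_str().map(str::to_owned))
            .collect()
    });
    set.contains(name)
}
```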