feat: implement nono sideload#1190
Conversation
PR Review SummarySize
Affected crates
Blast radius — ModerateThis PR touches: source code,CI / build tooling Updated automatically on each push to this PR. |
73ea968 to
c95ec75
Compare
c95ec75 to
7b99c9c
Compare
There was a problem hiding this comment.
Code Review
This pull request introduces a new sideload feature to the nono-cli tool, enabling the installation of packs from a local directory without registry attestation or cryptographic verification for development and testing. It adds a sideload subcommand, a Cargo feature flag, integration tests, and documentation, along with safety guards like compile-time errors for release builds and lockfile validation to prevent production binaries from loading sideloaded packs. A critical security review comment was kept, which identifies a potential path traversal vulnerability in build_local_downloads where artifact paths are joined without validation, potentially allowing arbitrary file reads.
Important
The consumer version of Gemini Code Assist on GitHub is being sunset. Starting June 18, 2026, new organization installations will be blocked, and all code review activity will officially cease on July 17, 2026.
For more details on the timeline and next steps, please review the Help Documentation.
7b99c9c to
470f2c1
Compare
0c4c6bb to
cdc73b8
Compare
|
would this be useful for you @intentionally-left-nil , its script that installs the package locally and prints out the profile name to use? https://github.com/always-further/nono-packs/blob/main/scripts/dev-install.sh |
|
@lukehinds the script is mentioned in the original bug report, but to expand: Even if the files are put in the correct place, nono's runtime still treats registry packs different than local packs for certain cases. For example, '$PACK_DIR' doesn't get expanded unless it's a registry pack |
c2f2c34 to
fc13073
Compare
fc13073 to
fba88f0
Compare
|
Hello, this overlaps with a distribution-side PR I have open (#1389, for #1388), and I think the two sit at different points on the same dial rather than competing, so let me share how I ended up covering a similar need. This PR #1190 optimises the tight inner loop: edit the pack, test it immediately, no publish step, attestation off, kept safe by confining it to a non-production compile-time build. That is the right shape for pack authoring. For my case I got a live loop without a dev-only build. #1389 lets nono pull packs from a static (nginx-servable) tree with signatures off and integrity kept via per-artifact SHA-256. On top of that I run a file watcher (watch-exec) on the pack sources that re-runs One detail that might be useful to you: because the pack goes through the normal To be clear, this is not a replacement for your PR, it has more moving parts (watcher + HTTP server + publish/pull round-trip) than editing files in place, and yours is the better fit for pure authoring iteration. Just sharing a second route in case it helps. 😀 Nice work on this, by the way. Gating the whole thing behind a compile-time flag with a loud runtime warning, so a production binary simply cannot load sideloaded packs, is a clean way to keep the dev ergonomics without weakening the default posture. |
|
@vjeantet As long as nono is comfortable shipping a config like yours, I think that's a useful path (and also it would remove downsides like needing to recompile). As long as there's a dev flow to install from a local directory I'm happy! |
When developing a registry pack, it's not easy to test the behavior of the pack, because nono requires the pack to have proper lockfiles and attestation. To solve for this developer case, without harming the security of production nono users, this commit introduces a new compile-time build flag called sideload, which is disabled for production builds. When nono is compiled with sideload, it introduces a new CLI command, nono sideload. This command copies the path into the correct registry location and updates the lockfile like normal. Additionally, other commands like nono run disable attestation Signed-off-by: Anil Kulkarni <anil@terminal.space>
Signed-off-by: Anil Kulkarni <anil@terminal.space>
fba88f0 to
4a42053
Compare
When developing a registry pack, it's not easy to test the behavior of the pack, because nono requires the pack to have proper lockfiles and attestation.
To solve for this developer case, without harming the security of production nono users, this commit introduces a new compile-time build flag called sideload, which is disabled for production builds.
When nono is compiled with sideload, it introduces a new CLI command, nono sideload. This command copies the path into the correct registry location and updates the lockfile like normal. Additionally, other commands like nono run disable attestation
Linked Issue
Closes #1188
Summary
Test Plan
Checklist
CHANGELOG.mdif needed