Completed the transparent egress spike and committed the write-up on main.
Commit: 529d0bc docs: add Apple Container transparent egress spike
Doc: `docs/research/apple-container-transparent-eg…
Yes, this is the right next spike.
The previous run proved the basic isolation shape: an internal-only agent could not egress, a dual-homed sidecar could egress, and the agent could reach the…
Reran the Apple Container networking spike on macOS 26.5.1 arm64 with Apple Container 1.0.0.
Result: the core two-network sidecar shape is viable, with caveats:
- `container network create…
I could not run the Apple Container networking spike on this host yet. This machine is macOS 15.6.1 and Apple Container networking features needed for the spike require macOS 26; the container…
Remaining parts I see after this PRD/scaffold slice:
- Apple Container networking spike
- Verify real CLI behavior on the target macOS version for container network create --internal,…
- Verify real CLI behavior on the target macOS version for
Policy direction from follow-up discussion: keep HTTPS Git access possible, but make it explicit instead of an accidental consequence of host allowlisting. Proposed shape: add a per-egress-route…
Closing this spike with the current conclusion: do not remove Docker from the sidecar runtime path yet.
The reason is security, not implementation convenience. Docker is currently providing…
Verified the next question behaviorally on the current host.
Short version: **smolvm can publish a guest port back to the host, and another smolvm guest can reach that published service through…
Agreed, sidecar-as-host-processes should be dropped from the recommendation. It removes Docker, but it turns one managed bundle into several host-level processes with more lifecycle and environment…