Skip to content

RFC: PTY process attachment (terminal spawns + local fd handover)#33

Open
joshuajbouw wants to merge 3 commits into
mainfrom
rfc/pty-process-attachment
Open

RFC: PTY process attachment (terminal spawns + local fd handover)#33
joshuajbouw wants to merge 3 commits into
mainfrom
rfc/pty-process-attachment

Conversation

@joshuajbouw

Copy link
Copy Markdown
Contributor

Summary

PTY-backed host-owned processes plus a local fd-handover attachment contract: an uplink (e.g. the CLI) can drive a full-screen interactive program that Astrid spawns, sandboxes, audits, and keeps alive independently of the attached terminal. Builds on the persistent-process tier (rfcs#22); the interactive complement to capsule-contributed CLI verbs (astrid#891).

Contract changes (additive amendment to astrid:[email protected])

  • spawn-request.terminal: option<terminal-config> — PTY allocation, child setsid'd with the slave as controlling terminal; merged output feeds the existing ring-buffer machinery, so read-since/write-stdin/watch drive a PTY process programmatically without any attachment. Valid on spawn-background/spawn-persistent only.
  • resize(id, rows, cols) — TIOCSWINSZ + SIGWINCH.
  • attach-terminal(id, stream, principal) — host dups the PTY master and passes it over the uplink's Unix-domain stream via SCM_RIGHTS; zero per-keystroke traffic through the bus or WASM. Gated: uplink capability, asserted-principal owner check (publish-as trust precedent; forward-compatible with astrid#852 kernel-owned binding), PTY-backed + running, AF_UNIX only. Audited per attach. The rejected alternative (uplink exec'ing binaries directly) and the remote-transport non-goal are written up.

Unresolved questions

  • Cross-interface resource dependency: astrid:process borrowing astrid:net's tcp-stream needs WIT-level confirmation (alternative: opaque proxy-minted stream token).
  • TERM stays with the existing env mechanism; geometry-only terminal-config.

…r re-check

The original gate composition was contradictory: gate 2 restricts
attach-terminal to the uplink-capability proxy, while gate 3 required the
caller to be the process creator (principal AND capsule). The proxy never
creates agent processes, and as a run-loop capsule its effective principal
is its load-time owner, not the client it bridges — so as written, no
caller could ever satisfy both gates.

Fix: attach-terminal takes the acting principal as an explicit parameter,
following the publish-as trusted-uplink assertion precedent, checked
against the process owner. Creator-capsule scoping stays unchanged for
every other id-keyed call. Forward-compatible with kernel-owned
per-connection binding (astrid#852) replacing the per-call assertion.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant