Colin Walters cgwalters


Updating fuser crate and optimizing FUSE lowlevel API

2026-06-02 22:14 UTC · opencode v1.15.11 · anthropic/claude-sonnet-4-6, anthropic/claude-opus-4-8

Cost: $43.1774 Tokens: 724 in / 259.2k out


User

@cgwalters
cgwalters / agentic-tool-trim-idea.md
Last active May 28, 2026 18:16
Concept for a generic agentic LLM tool to trim tool output

Agent-Directed Tool Result Trimming: Design and Caching Trade-offs

(AI: Significant AI usage went into generating and writing this)

The Problem

In long agentic sessions, tool outputs (build logs, file reads, search results) accumulate in the context window. Most content is consumed once — the agent reads it, acts on it, and never references it again (for example, a successful build may output a lot of text when the agent only needs to know "the build worked"). But it stays in context, consuming tokens on every subsequent LLM call and pushing the session toward compaction or context overflow.

Various agent frameworks like pi and goose impose hard output caps on their built-in tools (e.g. 50KB / 2000 lines for shell/bash), but that's not consistent across all tools. MCP servers may have their own limits, or may not.

@cgwalters
cgwalters / openshell-security.md
Last active May 13, 2026 12:03
Simplifying OpenShell: Structural Network Isolation via Proxy Sidecar


(This document has heavy AI generation, but is a result of a fair bit of interactive design/research work with cgwalters, plus of course big tip to paude and other projects which already blazed this trail around network proxying)

Motivation

OpenShell's current inner sandboxing — Landlock, seccomp, network namespaces, iptables, and TOFU binary verification, all running inside the sandbox container — is simultaneously too much and too little.

@cgwalters
cgwalters / karios-compare.md
Created March 24, 2026 17:48
kairos vs bootc

This document is fully generated by Opus 4.6 with OpenCode.


bootc vs Kairos: Running a Hello-World Apache in QEMU

A new-user comparison of getting a "hello world" Apache httpd system running in QEMU using bootc and Kairos, written March 2026.

Kairos v4.0.1 / Hadron v0.0.4; bootc from current main branch.

@cgwalters
cgwalters / force-push-to-fork.md
Created March 10, 2026 15:53
The "force push to fork's git main" trick to iterate on GitHub Actions

Efficiently debugging and testing GitHub Actions without spamming a pull request

Debugging GitHub Actions can be painful. First of all, I think a good practice is to avoid having substantial amounts of code in the action itself. Repositories under the bootc-dev organization lean into using a Justfile as an entrypoint, and most GHA flows invoke just <task>, which means the same steps are also easier to reproduce locally.

Still, some things (especially nontrivial workflows that e.g. lean into using artifacts across jobs) are nontrivial to test locally.

The "force push to git main" trick

So here's the trick: instead of continually force pushing to a PR (and spamming everyone with notifications about pushes there) what I do instead is force push to the main branch of my fork of the repository - then monitor action runs from there.

@cgwalters
cgwalters / gist:c18c9337aa9345d763aa446cc95c7847
Last active January 9, 2026 21:20
Container Root Directory Handling: A Deep Investigation


Assisted-by: OpenCode (Opus 4.5)

Executive Summary

OCI container layer tars may or may not include a root directory entry (./ or /). This is a known specification gap in the OCI image-spec. When root entries exist, container runtimes ignore them - both Podman and Docker explicitly skip root directory entries during extraction. The mode difference (0555 vs 0755) comes from hardcoded defaults used when creating the extraction directory before extraction begins:

| Runtime | Root Mode | Root Mtime | Honors Tar Root Entry? |
| --- | --- | --- | --- |

OCI Distribution Specification Extension: Uncompressed Blob Signaling

Status: Draft Proposal Version: 0.3.0 Last Updated: 2025-11-14

Abstract

This extension enables registries to serve uncompressed blob representations while maintaining cryptographic integrity verification. It defines a two-phase client-server negotiation mechanism using HTTP headers to signal capability and intent.

```
osa import oci-archive:fedora-coreos.ociarchive
+ podman run --rm -ti --security-opt=label=disable --privileged --userns=keep-id:uid=1000,gid=1000 -v=/var/home/walters/builds/fcos:/srv/ --device=/dev/kvm --device=/dev/fuse --tmpfs=/tmp -v=/var/tmp:/var/tmp --name=cosa quay.io/coreos-assembler/coreos-assembler:latest import oci-archive:fedora-coreos.ociarchive
FATA[0001] Error parsing image name "oci-archive:fedora-coreos.ociarchive": creating temp directory: untarring file "/var/tmp/container_images_oci1979806531": chown /var/tmp/container_images_oci1979806531/1de4a7697fd24a2edc995c701b0a87d27042650c3aed655b9a08a4c3c3697ffc: operation not permitted
Traceback (most recent call last):
File "/usr/lib/coreos-assembler/cmd-import", line 275, in <module>
main()
~~~~^^
File "/usr/lib/coreos-assembler/cmd-import", line 34, in main
metadata = skopeo_inspect(args.srcimg)
```
$ diff --git i/go.mod w/go.mod
index 9dc4189d43..7ac74ebc2b 100644
--- i/go.mod
+++ w/go.mod
@@ -191,3 +192,5 @@ require (
gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7 // indirect
tags.cncf.io/container-device-interface/specs-go v1.0.0 // indirect
)
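Review bot: the hunk header `@@ -191,3 +192,5 @@` announces two added lines in the `require (` block, but only the three unchanged context lines (`gopkg.in/tomb.v1 ...`, `tags.cncf.io/container-device-interface/specs-go ...`, `)`) appear here; the added dependency entries are missing from this excerpt, so the go.mod change cannot be reviewed for version or provenance from what is shown.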
```
$ podman build --jobs=4 -t localhost/bootc-integration -f hack/Containerfile
[2/2] STEP 1/3: FROM localhost/bootc
[1/2] STEP 1/3: FROM scratch AS context
[1/2] STEP 2/3: COPY hack /hack
[2/2] STEP 2/3: ARG variant=
panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x1 addr=0x600 pc=0x557003d434cf]
goroutine 87 gp=0xc000602a80 m=13 mp=0xc000580808 [running]:
```