Elacity · SashaMIT · May 28, 2026 · May 28, 2026 · May 28, 2026 · May 28, 2026
diff --git a/.github/workflows/_self-hosted-probe.yml b/.github/workflows/_self-hosted-probe.yml
@@ -0,0 +1,95 @@
+name: Self-hosted Mac runner probe
+
+# Phase 5 Day 6 — heartbeat probe for the self-hosted Vz lane.
+#
+# Purpose: surface "is a runner matching the labels we need for
+# `mac-vz-full-boot` actually online?" without anyone having to
+# fight the Settings → Actions → Runners UI. The probe is
+# DELIBERATELY tiny — it just claims the same label set, prints
+# `sw_vers + uname -a + framework presence`, and exits 0.
+#
+# Two job pairs:
+#   - probe-attempt   — gated on the `vars.MAC_VZ_FULL_BOOT_ENABLED`
+#                       repo-var so we don't pay for queue-then-timeout
+#                       on every schedule when no runner is online.
+#                       When enabled and a matching runner IS online,
+#                       this completes in seconds.
+#   - probe-fallback  — always runs on `ubuntu-latest`, just records
+#                       the variable's current value so operators can
+#                       see the gate's state in the run history.
+#
+# Triggers:
+#   - schedule        — every 6 hours; cheap heartbeat.
+#   - workflow_dispatch — operator-on-demand probe before flipping
+#                       a fragile change.
+#   - (push/PR not in the trigger list — we don't want every PR
+#     paying the 6h-budgeted minutes).
+#
+# Anchors:
+#   - docs/vz-backend/SELF_HOSTED_RUNNER_SPEC.md
+#   - docs/vz-backend/CI_RUNBOOK.md § Self-hosted lane
+
+on:
+  schedule:
+    # 00:00, 06:00, 12:00, 18:00 UTC — four times per day. The
+    # cron is intentionally NOT every-hour to keep the public
+    # runner-minutes budget visible (24 min/day vs. 144 min/day).
+    - cron: "0 0,6,12,18 * * *"
+  workflow_dispatch: {}
+
+# Cancel previous probe runs on the same trigger ref so a
+# manual dispatch during a scheduled run doesn't double-pay.
+concurrency:
+  group: self-hosted-probe
+  cancel-in-progress: true
+
+jobs:
+  probe-attempt:
+    name: Probe matching runner (self-hosted)
+    if: ${{ vars.MAC_VZ_FULL_BOOT_ENABLED == 'true' }}
+    runs-on: [self-hosted, macOS, ARM64, vz-capable]
+    # Short timeout: if no runner picks the job up within
+    # 5 minutes, treat it as "no runner online" and surface
+    # via job status (cancelled / queued past timeout). The
+    # main `mac-vz-full-boot` job keeps the 30-min budget
+    # for actual work.
+    timeout-minutes: 5
+    steps:
+      - name: macOS + Vz framework presence
+        run: |
+          set -euo pipefail
+          echo "=== sw_vers ==="
+          sw_vers
+          echo
+          echo "=== uname -a ==="
+          uname -a
+          echo
+          echo "=== Virtualization.framework ==="
+          if [ -d /System/Library/Frameworks/Virtualization.framework ]; then
+            echo "PRESENT"
+          else
+            echo "::error::Virtualization.framework not found"
+            exit 1
+          fi
+          echo
+          echo "=== runner labels (from \$RUNNER_NAME) ==="
+          echo "RUNNER_NAME=${RUNNER_NAME:-<unset>}"
+          echo "RUNNER_OS=${RUNNER_OS:-<unset>}"
+          echo "RUNNER_ARCH=${RUNNER_ARCH:-<unset>}"
+
+  probe-fallback:
+    name: Probe gate state (always runs)
+    runs-on: ubuntu-latest
+    timeout-minutes: 2
+    steps:
+      - name: Report repository variable state
+        run: |
+          set -euo pipefail
+          echo "MAC_VZ_FULL_BOOT_ENABLED=${{ vars.MAC_VZ_FULL_BOOT_ENABLED }}"
+          if [ "${{ vars.MAC_VZ_FULL_BOOT_ENABLED }}" = "true" ]; then
+            echo "Day-6 full-boot lane is ENABLED."
+            echo "Check the 'probe-attempt' job above for runner availability."
+          else
+            echo "Day-6 full-boot lane is DISABLED (var unset or != 'true')."
+            echo "Set repository variable MAC_VZ_FULL_BOOT_ENABLED=true to enable."
+          fi
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -2,7 +2,11 @@ name: CI
 
 on:
   push:
-    branches: [main]
+    # Run on main and on Vz-backend working branches so Phase 1+ commits
+    # get verified on Linux without waiting for a PR. The `sash/**`
+    # pattern covers the current Vz development branch
+    # (`sash/local-test`) and any future Vz sub-branches.
+    branches: [main, "sash/**", "vz/**"]
   pull_request:
     branches: [main]
 

diff --git a/.github/workflows/linux-untouched.yml b/.github/workflows/linux-untouched.yml
@@ -0,0 +1,69 @@
+name: Linux-untouched gate (Vz backend)
+
+# Enforces the Linux-untouched guarantee from docs/vz-backend/PLAN.md:
+# Phase 1+ Vz-backend commits must not modify the four protected crates
+# (elastos-crosvm, elastos-runtime, elastos-common, elastos-compute).
+#
+# Runs `scripts/check-linux-untouched.sh` against the Phase 0 baseline
+# (commit a65dad3 — the last commit before Vz work began). The script
+# itself documents how to adjust the base ref locally.
+#
+# Anchors:
+#   - docs/vz-backend/PLAN.md → "Linux-untouched: explicit guarantees"
+#   - PRINCIPLES.md #10 "One Canonical Path"
+#   - scripts/check-linux-untouched.sh
+
+on:
+  push:
+    branches: ["sash/**", "vz/**"]
+  pull_request:
+    branches: [main]
+  # Phase 5 Day 5 — allow manual one-shot triggers from the
+  # Actions UI so operators can re-run the gate after rebasing
+  # without pushing a new commit. Matches the trigger surface
+  # of the new mac-vz.yml workflow.
+  workflow_dispatch: {}
+
+jobs:
+  linux-untouched:
+    name: Protected crates not modified vs Vz baseline
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          # Full history needed for `git merge-base` to find the
+          # divergence point against the baseline commit.
+          fetch-depth: 0
+
+      - name: Run protected-paths gate
+        env:
+          # Re-baselined 2026-05-28 onto Day-4-of-the-v0.3.0-rebase HEAD
+          # (`65f5f05`), the rebase's final-state commit. Earlier
+          # baselines:
+          #   - Phase 0 (`a65dad3`): pre-Vz baseline on the original
+          #     sash/local-test branch, unreachable from the rebased
+          #     branch (rooted on PR #2 / v0.3.0 main).
+          #   - Day 2 (`ded1333`): first Mac-VZ-rebase commit on
+          #     sash/local-test-v030; protected-crate cfg-gating and
+          #     the new elastos-vz crate land here.
+          #   - Day 4 (`65f5f05`, this baseline): rebase complete.
+          #     The carrier-bridge fuzz harness is restored, the v0.3.0
+          #     `carrier_invoke` ABI is in carrier_bridge.rs, the
+          #     principal-aware localhost-fs scoping is wired through.
+          #     Day 3+4 commits only touch elastos-server (NOT
+          #     protected), so the gate keeps enforcing "no future
+          #     commit modifies elastos-crosvm / elastos-runtime /
+          #     elastos-common / elastos-compute beyond what the
+          #     rebase already shipped." See
+          #     docs/mac-vz/v030-rebase/DAY_4.md.
+          VZ_BACKEND_BASELINE: 65f5f05
+        run: |
+          set -euo pipefail
+          # Make sure the baseline commit is reachable in the checkout.
+          # Shallow clones don't always have it; `fetch-depth: 0` above
+          # asks for the full history but defend against any quirks.
+          if ! git cat-file -e "${VZ_BACKEND_BASELINE}^{commit}" 2>/dev/null; then
+            git fetch origin "${VZ_BACKEND_BASELINE}" || true
+          fi
+          chmod +x scripts/check-linux-untouched.sh
+          scripts/check-linux-untouched.sh "${VZ_BACKEND_BASELINE}"