We are reaching out to request classic confinement for our project, algokit-cli, a comprehensive open source CLI designed for developers building on the Algorand Public Ledger. algokit-cli simplifies the development process by providing tools for project initialization, smart contract deployment, local network management, and more, as detailed in our documentation.
Why do we need classic confinement?
After thorough evaluation, we’ve identified that classic confinement is essential for algokit-cli due to the following reasons:
System-Level Operations and Broad File System Access: algokit-cli requires extensive system-level access for its core functionalities, which are not feasible under strict confinement due to the following needs:
Docker Operations: Managing sandboxed versions of Algorand via docker compose, including executing arbitrary binaries for Docker container management and interacting with Algorand node software. This is crucial for sandbox management functionalities (src/algokit/core/sandbox.py).
File System Access: Unrestricted access to the file system is necessary to manage project files, configurations, and logs across various locations. This includes:
Project Setup: Handling dependencies for Python and JS based projects, requiring commands like poetry install and npm install for project-specific dependencies, with access needed to the project root and potentially global configuration directories.
Dependency Management: Interacting with package managers (npm, poetry, pipx) to install dependencies and manage project requirements, necessitating access to the user’s home directory and execution of arbitrary binaries.
Log and Artifacts Management: Storing specific configuration files in ~/.config (Mac and Linux), XDG_CONFIG_HOME (Linux if set), and APPDATA (Windows).
Integration with Development Tools: The CLI integrates with a wide array of development tools and environments, requiring:
Environment Modifications: Necessary changes to environment variables and access to tool-specific files and directories.
Tool Coordination: Similar to tools like create-react-app, it coordinates with poetry, npm, npx, pipx for project instantiation and setup based on predefined templates.
Evaluation of Strict Confinement Features
We have evaluated the strict confinement features and interfaces provided by Snapcraft, including the use of plugs for network access, home directory access, and more. However, these interfaces do not allow easy accommodation of the broad system-level access required by algokit-cli for the following reasons:
Limited Scope of Interfaces: The available interfaces do not cover the wide range of system resources and external tools algokit-cli interacts with, particularly for Docker compose and container management, and executing arbitrary binaries required for Algorand development.
Development Environment Integration: The nature of algokit-cli as a development tool necessitates a level of system access similar to traditional development environments, which goes beyond what strict confinement can provide. This is also demonstrated by examples of other CLI tools approved within the Snapcraft store with classic confinement access, such as aws-cli, google-cloud-cli and other similar CLI tools that focus on improving developer experience around building on a certain infrastructure.
Conclusion
Considering the requirements and precedents, classic confinement is essential for algokit-cli to function optimally for Algorand developers. We prioritize our application’s security and integrity and welcome any feedback or inquiries. Our entire codebase is open for review on GitHub.
As a new joiner I can only include 2 links in this message, hence refer to the comment below with all additional link references.
Below are the categories under which we think our CLI tool relates the most.
Tools for local, non-root user driven configuration of/switching to development workspaces/environments: The CLI provides mechanisms to initialize, configure, and manage development projects, which aligns with tools that manage development environments.
Compilers/Debug tools: AlgoKit CLI bundles invocation of related algokit tooling which performs code transpilation for smart contracts → typed clients (so that developers can interact with smart contracts from a typed client interface). The transpiler implementation is open source as well (maintained on 2 repos for .py and .ts versions) and references can be provided if needed. The CLI takes care of lazy loading and invoking it via npx. We will also be adding a compiler dependency which will allow invoking a different type of compiler that can transform python code into a low level assembly-like code representing a smart contract to be deployed.
The data you provided should be sufficient for the reviewers to start the process (note I’m not in that team, just trying to make sure all data is ready upfront). The queue might be pretty full, so it might take a while until they get to your task though.
algokit-cli fits within more than one of the supported categories for classic confinement as per Process for reviewing classic confinement snaps, including “compilers” and “tools for local, non-root user driven configuration of/switching to development workspaces/environments”.
@al_makerx is the name of the snap on the store just algokit? Or is there a specific algokit-cli one that is yet to be submitted to the store? Once confirmed, I will begin publisher vetting.
With this being granted, I noticed that upon re-triggering of the pipeline that did a test release (wanted to do a manually triggered release prior to merging this to test the pipeline).
Currently we are distributing it only for amd64 archs, and CD pipeline fails on:
resource-forbidden: Cannot upload new revisions for name=algokit
I am pretty sure it might be due to the token expiration, but in case it’s not - anything specific that we need to do given that confinement is now granted? Do I need to do anything with the latest 1.11.4-beta.3 revision, which was the revision we used to initiate classic confinement access? Now that it’s granted - any additional manual steps needed to be configured in order to make a new revision via publish snap action?
Still pretty sure it’s just token expiry, but regardless let me know if you may have seen similar scenarios where one can’t publish a new snap after confinement has been granted.
It looks like the issue may be caused by a revision submission that was not submitted by one of the collaborators of the snap (as listed in the store) [1, 2]. Was the release submitted by one of the listed collaborators?