overthinkos/local-infra
ov-dev/skills/local-infra/SKILL.md
Go file map for the target:local execution surface. Files: local_spec.go, deploy_target_local.go, unified_targets_local.go, ssh_managed_config.go, hostdistro.go, install_ledger.go, builder_run.go, shell_profile.go, reverse_ops.go, service_render.go, deploy_ref.go. MUST be invoked before reading or modifying any of those files, or when debugging target:local deploy behaviour (ledger state, sudo batching, managed-block insertion, glibc preflight, ssh-config fragment, ref resolution).
development
Updated May 10, 2026
$ install --global
skillsauthnpx skillsauth add overthinkos/overthink-plugins local-infraInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: May 10, 2026, 5:27 AM197.3s1 file scanned
SKILL.md
- name:
- local-infra
- description:
- |
- Go file map for the target:
- local execution surface. Files: local_spec.go,
- debugging target:
- local deploy behaviour (ledger state, sudo batching,
Local Infra — Go files that support target:local deployments
Overview
The InstallPlan IR (see /ov-dev:install-plan) is the central data type. LocalDeployTarget (the executor) consumes the IR and invokes a handful of supporting files for each concrete concern: distro detection, ledger I/O, builder-container invocation, shell profile writes, ReverseOp execution, service rendering, ref resolution, and the managed ssh-config fragment that VMs publish on create.
Renamed from host-infra in the local-cutover. HostDeployTarget → LocalDeployTarget, HostUnifiedTarget → LocalUnifiedTarget, LocalDeployExecutor → ShellExecutor, findHostSpec → findLocalSpec (relocated from k8s_cmd.go to local_spec.go).
File map
| File | Purpose | Key exports |
|---|---|---|
| ov/local_spec.go | LocalSpec struct + findLocalSpec lookup | LocalSpec, findLocalSpec |
| ov/deploy_target_local.go | LocalDeployTarget.Emit IR consumer | LocalDeployTarget |
| ov/unified_targets_local.go | LocalUnifiedTarget adapter (Add/Del/Test/Update/Status/Shell/Rebuild) | LocalUnifiedTarget |
| ov/ssh_managed_config.go | ~/.config/ov/ssh_config fragment writer (managed-block protocol) | WriteVmSshStanza, RemoveVmSshStanza, ListVmSshAliases, EnsureSshConfigInclude, RemoveSshConfigInclude, VmSshAlias, SshFragmentPath, SshConfigPath |
| ov/deploy_executor_ssh.go | Credential-free SSHExecutor (no -i, no host-key overrides) | SSHExecutor |
| ov/deploy_executor.go | ShellExecutor (was LocalDeployExecutor) — local shell venue | ShellExecutor |
| ov/hostdistro.go | Detect host distro from /etc/os-release; glibc preflight | HostDistro, DetectHostDistro, DetectHostGlibc, CompareGlibc, distroIDAliases |
| ov/install_ledger.go | Flock-serialized JSON ledger at ~/.config/overthink/installed/ | LedgerPaths, LedgerLock, DeployRecord, LayerRecord, StepRecord, AcquireLedgerLock, AddLayerDeployment, RemoveLayerDeployment |
| ov/builder_run.go | podman run <builder> wrapper for compile-needing layers | BuilderRun, BuilderRunOpts, UserScopeBindMounts, UserScopeEnv |
| ov/shell_profile.go | bash/zsh/fish detection + managed-block fencing + env.d I/O | ShellKind, DetectLoginShell, EnvdDir, WriteEnvdFile, RemoveEnvdFile, EnsureManagedBlock, RemoveManagedBlock, ShellInitFilePath |
| ov/reverse_ops.go | Execute ReverseOp slices in LIFO order via per-kind handlers | runReverseOps, ReverseExecutor interface, 15 reverse handlers |
| ov/service_render.go | Render ServiceEntry → systemd unit / supervisord INI | ServiceEntry, ServiceOverrides, RenderService, RenderedService |
| ov/deploy_ref.go | Unified 4-form ref resolver | DeployRef, RefKind, RefSource, ResolveDeployRef, classifyYAMLFile |
Credential-free SSHExecutor
SSHExecutor carries User, Host, Port, Args, ConnectTimeout — no KeyPath, no KnownHostsFile, no host-key overrides. sshBaseArgs emits only -o LogLevel=ERROR + -o ConnectTimeout=… plus optional -p <port> plus the deployment's pass-through Args plus the destination. ssh(1) reads ~/.ssh/config + ssh-agent for everything else.
For VM destinations the Host field is the managed alias ov-<vmname>, written into ~/.config/ov/ssh_config by ov vm create. Both User and Port are left empty — the alias's Host stanza supplies them.
Managed ssh-config fragment
Pattern mirrors ov/shell_profile.go (the env.d managed block in ~/.profile / ~/.zshenv / ~/.config/fish/conf.d/overthink.fish):
- Fence markers:
# overthink:begin (managed by ov; do not edit inside this block)…# overthink:end. WriteVmSshStanzawrites/replaces a Host stanza inside the managed block at~/.config/ov/ssh_config. Multiple stanzas coexist, sorted by alias for deterministic output.EnsureSshConfigIncludeensuresInclude ~/.config/ov/ssh_configis present in~/.ssh/config(also fenced).RemoveVmSshStanzareturns the count of remaining stanzas; when zero the fragment file is deleted.RemoveSshConfigIncludestrips the Include line; when~/.ssh/configbecomes empty after stripping, the file is deleted.VmSshAlias("arch-vm")→"ov-arch-vm". Unique within the managed fragment.
Ledger at ~/.config/overthink/installed/
Unchanged from host-infra — every target:local deploy writes a DeployRecord and per-layer LayerRecords with deployed_by: refcount semantics. See file map above; the JSON shapes did not change.
Cross-References
/ov-dev:install-plan— the IR these files support; full step-kind catalogue./ov-dev:go— overall Go code map; Kong framework; mode-purity invariant./ov-advanced:local-deploy— user-facing target:local surface./ov-core:deploy— command family overview./ov-build:layer— unifiedservice:schema authored by layer authors.
When to Use This Skill
MUST be invoked when reading or modifying any of the listed files; when debugging target:local ledger state or ssh-config fragment behavior; when adding a new ReverseOpKind handler, a new shell to the detection map, or a new distro ID alias; or when extending the ref resolver to accept a new ref form.
Related Skills
overthinkos/charly
tools
VerifiedTrustedCommunity
OpenCharly CLI (charly) binary installed into container/VM images for in-container use. Use when working with charly binary deployment inside containers, native D-Bus support, or the full charly toolchain (charly binary + virtualization + gocryptfs + socat).
SKILL.mdUpdated Jun 10, 2026
overthinkos/charly-cachyos
development
VerifiedTrustedCommunity
Operator CachyOS workstation profile — a kind:local template + target:local deploy that installs the full dev stack (30 candies) onto a CachyOS host via ShellExecutor. Lives in the overthinkos/cachyos submodule. MUST be invoked before editing or applying the charly-cachyos workstation profile.
SKILL.mdUpdated Jun 10, 2026
overthinkos/charly-fedora
tools
VerifiedTrustedCommunity
Fedora box with the full charly toolchain using shared candies. Rootless-first — runs as uid=1000 with passwordless sudo (no root, no cap_add: ALL). Same candy list as charly-arch. Includes NVIDIA GPU runtime. MUST be invoked before building, deploying, configuring, or troubleshooting the charly-fedora box.
SKILL.mdUpdated Jun 10, 2026
overthinkos/charly-arch
tools
VerifiedTrustedCommunity
Arch Linux box with the full charly toolchain. Rootless-first — runs as uid=1000 with passwordless sudo (no root, no cap_add: ALL). Composes /charly-coder:charly-mcp so the box is reachable as an MCP gateway on port 18765. NVIDIA GPU runtime composed in. MUST be invoked before building, deploying, configuring, or troubleshooting the charly-arch box.
SKILL.mdUpdated Jun 10, 2026