docs(secure-agent-setup): add Linux Mint 22 / Ubuntu Noble shortcut#12
Merged
Conversation
The pinned bubblewrap (0.11.1) and socat (1.8.1.1) versions in `tools/agent-isolation/pinned-versions.toml` are the upstream releases that have aged past the framework's 7-day cooldown — they are NOT in Ubuntu Noble's main repos. Noble ships: bubblewrap 0.9.0 (0.9.0-1ubuntu0.1) socat 1.8.0.0 (1.8.0.0-4build3) Both pre-date the framework's pins by months and are well past the cooldown, so they're a legitimate adopter choice on Mint 22. Ubuntu 24.04 — but the framework's main install path documents the upstream pins, which leaves Mint/Noble adopters without a cl story. This commit adds a *Distro-specific shortcut* section under \`Install commands\` that: - Documents the apt-shipped versions and their \`apt_pin\` s - Calls out the trade-off explicitly (older feature set, but apt- managed security backports, no source build). - Notes that the framework's \`.claude/settings.json\` works unchanged — the sandbox API has been stable since bubblewr 0.6.x. - Tells the user how to silence the drift the check script w report against the upstream pins (a \`pinned-versions.local.toml\`, matching Claude Code's own \`settings.local.json\` convent - Closes with the rationale for keeping this as a "shortcut" rather than the canonical path. No change to \`pinned-versions.toml\` itself — the framework default pin still tracks the upstream release stream, which is the right thing to track for the weekly check-tool-updates routi Generated-by: Claude Code (Claude Opus 4.7)
9b92b6d to
698ef2c
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Stacked on #11. Adds a
Distro-specific shortcutsection underInstall commandsfor the case where the framework's upstream pins (bubblewrap 0.11.1,socat 1.8.1.1) are not in the adopter's main repos — Ubuntu Noble (and its Mint 22.x downstream) shipbubblewrap 0.9.0andsocat 1.8.0.0instead, both well past the 7-day cooldown and a legitimate adopter choice.The framework's
pinned-versions.tomlis unchanged — the upstream pin is still what the weekly check-tool-updates routine compares against. The new section just documents the apt-pinned alternative for adopters who don't want a source build.This PR's diff currently includes #11's content too (since it branches from
secure-agent-setup). Once #11 merges, this PR's diff against main collapses to just the new section.🤖 Generated with Claude Code