install_base should install native build deps (libseccomp, cmake, pkg-config, etc.) #96

Closed
opened 2026-04-20 13:41:04 +00:00 by mahmoud · 0 comments

## Problem

`install_base` today installs tools useful at runtime (curl, fzf, zoxide, yazi, p7zip, screen, rsync, mc, mosh, sccache) but **not** the C/C++ native toolchain + `-dev` packages that several Hero services transitively need through their Rust dependencies.

The symptom is always the same: `cargo build --release` runs fine until it hits a crate with a C build-script, then fails mid-compile with either a missing compiler, a missing `cmake`, or a linker error like `unable to find library -lseccomp`. Each failure blocks `service_install_all` and forces a `stop → apt-get install → restart` cycle that costs ~20 minutes per failure if cargo has to rewarm.

## Known failures (all hit in the last 24 hours on the Hetzner box)

| Service | Missing on the box | What pulled it |
|---|---|---|
| `service_voice` | `cmake` usable path, C++ toolchain via cmake | `whisper-rs-sys`'s `build.rs` drives CMake to build `whisper.cpp/ggml` |
| `service_code` | `libseccomp-dev`, `libcap-ng-dev` | `hero_code_server` (formerly `hero_runner_server`) link-stage — sandboxing primitives for script execution |
| `service_foundry` | arguable but worked today | depends on XML + WebDAV — might bite if the cache warms differently |

Each of those produced a different opaque cargo error and cost a round-trip to diagnose.

## Proposed fix

**Option A (recommended): extend `install_base`** to include the native dev stack every Linux Hero deployment needs. One-line additions to the existing `pkg_ensure` block:

```nushell
pkg_ensure "build-essential"
pkg_ensure "cmake"
pkg_ensure "pkg-config"
pkg_ensure "libseccomp-dev"
pkg_ensure "libcap-ng-dev"
pkg_ensure "libssl-dev"
pkg_ensure "libsqlite3-dev"
pkg_ensure "libclang-dev"
pkg_ensure "libxml2-dev"
```

Total install time is negligible; these are all in apt's main repo, ~60 MB combined.

**Option B: split out `install_dev_native`** as a dedicated installer function, called either:

- unconditionally from `install_core` (alongside `install_rust`), or
- opt-in via `--with-dev` flag on `install_base`.

A separate function is cleaner if the concern is that pure-runtime hosts (where nothing is ever built locally) shouldn't carry compiler deps — but every Hetzner box in this ecosystem builds services locally today, so that concern is mostly academic.

## Recommended Option A rationale

1. **No service in Hero builds WITHOUT these deps** — every Rust crate that does FFI or bindgen needs at least some of them. Splitting them off only delays the apt-get install to a later installer.
2. **install_base already mixes runtime + build-ish tools** (curl, p7zip, etc. aren't strictly runtime; sccache is a build tool). Adding the rest of the build dev packages fits.
3. **Single source of truth** — one installer, one place to document what's needed, no flag to remember.

If there's a reason to keep `install_base` lean, Option B is a clean alternative.

## Bonus: preemptive native deps on macOS + Linux

An `install_native_deps` function that's dispatched per-platform (apt on Debian/Ubuntu, dnf on Fedora, brew on macOS) would be the ideal long-term abstraction. Out of scope for this issue — just flagging.

## Pointer

The list I've been running manually after each failure:

```bash
apt-get install -y build-essential cmake pkg-config \
    libseccomp-dev libcap-ng-dev \
    libssl-dev libxml2-dev libsqlite3-dev libclang-dev
```

If someone wants to PR Option A, that's the batch to add to `tools/modules/installers/installers.nu` in the `install_base` function.

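The issue's cost is the mid-compile failure: cargo gets 20 minutes in before a C build-script discovers that `cmake` or `libseccomp.pc` is absent. A preflight that probes for the same toolchain and `-dev` packages before `cargo build --release` turns that into a one-second check with a ready-made `apt-get` line. The script below is an added example written for this page, not code from the hero_skills repo or its `installers.nu`; the tool-to-package and pkg-config-module-to-package mappings (`libseccomp` for `libseccomp-dev`, `openssl` for `libssl-dev`, `libxml-2.0` for `libxml2-dev`, and so on) are assumptions about what the Debian/Ubuntu packages ship, as is the libclang probe path, since `libclang-dev` installs no `.pc` file.

```sh
#!/bin/sh
# preflight-native.sh (added example, not part of hero_skills): verify the
# native build stack that Hero services pull in through Rust dependencies
# (cmake for whisper-rs-sys, libseccomp/libcap-ng for hero_code_server, ...)
# before running cargo, so a missing -dev package is reported up front.
# The tool/module -> apt package mappings below are assumptions about
# Debian/Ubuntu package contents, not something the project defines.

# Executables that must be on PATH. build-essential provides cc and c++.
REQUIRED_TOOLS="cc c++ cmake pkg-config"

# pkg-config module names shipped by the -dev packages listed in the issue.
# libclang-dev ships no .pc file, so it is probed separately below.
REQUIRED_PC_MODULES="libseccomp libcap-ng openssl sqlite3 libxml-2.0"

# Map a tool or pkg-config module name to the apt package that provides it
# (assumed mapping; unknown names fall through unchanged).
apt_pkg_for() {
    case "$1" in
        cc|c++)      echo build-essential ;;
        cmake)       echo cmake ;;
        pkg-config)  echo pkg-config ;;
        libseccomp)  echo libseccomp-dev ;;
        libcap-ng)   echo libcap-ng-dev ;;
        openssl)     echo libssl-dev ;;
        sqlite3)     echo libsqlite3-dev ;;
        libxml-2.0)  echo libxml2-dev ;;
        libclang)    echo libclang-dev ;;
        *)           echo "$1" ;;
    esac
}

# Print each argument that is not an executable on PATH.
missing_tools() {
    for t in "$@"; do
        command -v "$t" >/dev/null 2>&1 || echo "$t"
    done
}

# Print each argument that pkg-config cannot resolve. When pkg-config itself
# is absent every module counts as missing, which is also how a build script
# using the pkg_config crate would see the box.
missing_pc_modules() {
    for m in "$@"; do
        if command -v pkg-config >/dev/null 2>&1; then
            pkg-config --exists "$m" 2>/dev/null || echo "$m"
        else
            echo "$m"
        fi
    done
}

# bindgen (via clang-sys) needs a libclang shared object. Probe the usual
# Debian/Ubuntu install locations (assumed); print "libclang" if none exists.
missing_libclang() {
    if ls /usr/lib/llvm-*/lib/libclang.so* /usr/lib/*/libclang*.so* >/dev/null 2>&1; then
        return 0
    fi
    echo libclang
}

# Gather everything missing, de-duplicate the apt packages, print the install
# line, and return 1 so the check can gate a build: `preflight && cargo build`.
preflight() {
    missing=$(
        missing_tools $REQUIRED_TOOLS
        missing_pc_modules $REQUIRED_PC_MODULES
        missing_libclang
    )
    if [ -z "$missing" ]; then
        echo "native build deps: ok"
        return 0
    fi
    pkgs=""
    for item in $missing; do
        p=$(apt_pkg_for "$item")
        case " $pkgs " in
            *" $p "*) ;;                 # already queued
            *) pkgs="$pkgs $p" ;;
        esac
    done
    echo "missing: $(printf '%s ' $missing)"
    echo "fix:     apt-get install -y$pkgs"
    return 1
}

# Run the check only when executed as this script (not when sourced for its
# functions). Usage: sh preflight-native.sh && cargo build --release
if [ "$(basename "$0")" = "preflight-native.sh" ]; then
    preflight
fi
```

Wiring this in front of `service_install_all` (or calling `preflight` from the same place `install_base` runs `pkg_ensure`) means a box that is missing `libseccomp-dev` fails before cargo starts, with the exact package batch to install, instead of after a cold build reaches `hero_code_server`'s link stage.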
Reference
lhumina_code/hero_skills#96