
fix(cerro-torre): make the full Ada container build compile end-to-end #42

Merged: hyperpolymath merged 1 commit into main from claude/cerro-torre-full-build, May 15, 2026

@hyperpolymath
Owner

Summary

Follow-up to the stapeln#17 maintenance pass. The non-blocking
container-stack-smoke canary (#38/#39) surfaced that cerro-torre's
full upstream Ada build never compiles to completion — the issue
explicitly scoped out of #17. This PR fixes the real root causes so the
image builds end-to-end.

Root cause(s) & fix

Reproduced locally with alr build on Ubuntu 24.04 (the exact
ada-builder base image), since the in-container docker build is
blocked here by environment network policy (see Blocker below).

  1. proven pin → hard failure at manifest load. alire.toml pinned
    proven to ../proven/bindings/ada, a path that exists nowhere in
    the repo. alr build aborted immediately with
    Pin path is not a valid directory. proven is entirely unused — the
    with "proven" in cerro_torre.gpr and every with Proven.* in the
    sources are commented out. Disabled the dependency and removed the dead
    pin. (This is the specific "Ada/proven" failure the task described.)

  2. Unused heavy crates → toolchain-incompatible builds.
    gnatcoll / ada_toml / json were declared in alire.toml but
    never with-ed by any source (the code uses the in-tree CT_JSON
    package). Resolving them dragged in libgpr/xmlada, which fail to
    compile against the build toolchain (gpr-*.adb: "time_t" undefined
    under external GNAT 14; NO_IMPLEMENTATION_EXTENSIONS violations in
    json_ada under Alire's GNAT 15). Disabled until actually consumed.

  3. Genuine pre-existing source defects in the complete feature set
    (importer/exporter code that had never compiled):

    • String_Access ambiguity between GNAT.OS_Lib and the unit-level
      use Ada.Strings.Unbounded (cerro_cli.adb, cerro_export_oci.adb,
      cerro_import_debian.adb) — now qualified as GNAT.OS_Lib.String_Access.
    • To_String (M.Metadata.Version) applied to the Version record
      instead of …Version.Upstream (the convention already used elsewhere
      in the same file).
    • Bytes_To_Hex (M.Provenance.Upstream_Hash.Digest) applied to an
      already-hex Unbounded_String rather than a raw SHA256_Digest;
      replaced with To_String.
    • Unqualified aggregate in a Vectors.Append call — type-qualified as
      Dependency_Reference'(…).
  4. Containerfile correctness:

    • The alr release zip lays the binary out as bin/alr, so the old
      unzip -d /usr/local/bin + chmod /usr/local/bin/alr would fail
      (No such file or directory). Now installs the located binary
      (layout-robust).
    • COPY tests/ tests/: tests is a Source_Dir of cerro_torre.gpr
      for every Feature_Set (it holds the ct_test_* mains), so the
      project does not build without it.
    • alr -n build so the toolchain is auto-provisioned without blocking
      on stdin in a non-TTY build.

Verification

alr build in a clean context mirroring the Containerfile's COPY set
(alire.toml, cerro_torre.gpr, src/, tests/; no system gnat, so
Alire auto-selects+downloads gnat_native/gprbuild exactly as the
container would) now succeeds end-to-end and produces a working ct:

Success: Build finished successfully.
$ ./bin/ct --version
Cerro Torre 0.1.0-alpha

Blocker (environment, not code)

The full in-container docker build could not be demonstrated in
this environment due to network-policy constraints (not Containerfile
defects):

  • cgr.dev/chainguard/wolfi-base (runtime stage) → 403 Forbidden.
  • docker.io/library/ubuntu:24.04 → intermittent 429 unauthenticated
    pull-rate limit.
  • Inside a fresh container, curl https://github.com/... fails with
    self-signed certificate in certificate chain: the egress TLS-inspecting
    proxy's root CA is trusted on the host but not in the container image. Per
    instructions this was reported rather than worked around (no curl -k /
    CA injection).

The Ada/proven root cause itself is fully fixed and verified via the
host reproduction on the identical Ubuntu 24.04 base.

Test plan

  • container-stack-smoke canary builds cerro-torre/Containerfile
    with docker + podman in CI (where the registry/proxy constraints
    above do not apply).
  • ct --version runs in the resulting image.

https://claude.ai/code/session_01744NnsooPgw5S6JK11fAaw


Generated by Claude Code
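
The layout-robust install described in item 4 of the PR description, as an added shell example that is not the PR's own Containerfile code. The function names and their arguments are hypothetical; the only detail taken from the page is that the release zip may place the binary at bin/alr rather than at the archive root.

```shell
#!/bin/sh
# Added example (not from the PR): install one binary from an extracted
# release archive without assuming where the archive puts it.
# All function names and arguments here are hypothetical.

# Print the path of the single regular file named $2 under directory $1.
# Returns non-zero on zero or multiple matches, so an unexpected archive
# layout stops the build instead of installing the wrong file.
locate_release_binary() {
    root=$1
    name=$2
    matches=$(find "$root" -type f -name "$name" | sort)
    [ -n "$matches" ] || { echo "no $name under $root" >&2; return 1; }
    count=$(($(printf '%s\n' "$matches" | wc -l)))
    [ "$count" -eq 1 ] || { echo "ambiguous: $count files named $name" >&2; return 1; }
    printf '%s\n' "$matches"
}

# Install the located binary into directory $3 with mode 0755.
install_release_binary() {
    root=$1
    name=$2
    dest=$3
    src=$(locate_release_binary "$root" "$name") || return 1
    install -m 0755 "$src" "$dest/$name"
}

# Extract release zip $1 into a scratch directory, install binary $2 into
# directory $3, and always remove the scratch directory afterwards.
install_from_zip() {
    zip=$1
    name=$2
    dest=$3
    stage=$(mktemp -d) || return 1
    unzip -q "$zip" -d "$stage" && install_release_binary "$stage" "$name" "$dest"
    rc=$?
    rm -rf "$stage"
    return $rc
}
```

In a Containerfile RUN step this would be called as `install_from_zip /tmp/alr.zip alr /usr/local/bin`, where the zip path is a placeholder.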

The stapeln#17 smoke canary surfaced that cerro-torre's full upstream
Ada build never compiles to completion. Root causes, all fixed here:

- alire.toml: the `proven` dependency was pinned to ../proven/bindings/ada,
  a path that exists nowhere in the repo, so `alr build` aborted at
  manifest load ("Pin path is not a valid directory"). `proven` is unused
  (commented out in cerro_torre.gpr and every `with Proven.*`). Disabled
  the dependency and removed the dead pin.
- alire.toml: gnatcoll/ada_toml/json were declared but never `with`-ed by
  any source (code uses the in-tree CT_JSON). Resolving them pulled in
  libgpr/xmlada, which fail to compile against the build toolchain.
  Disabled until actually consumed.
- src: genuine semantic defects in the `complete` feature set that had
  never compiled — `String_Access` ambiguity between GNAT.OS_Lib and
  Ada.Strings.Unbounded (cerro_cli, cerro_export_oci, cerro_import_debian),
  To_String applied to the Version record instead of Version.Upstream,
  Bytes_To_Hex applied to an already-hex Unbounded_String, and an
  unqualified aggregate in a Vectors.Append call.
- Containerfile: the alr release zip lays the binary out as bin/alr, so
  the old `unzip -d /usr/local/bin` + `chmod /usr/local/bin/alr` failed;
  install the located binary instead. Also COPY tests/ (a Source_Dir of
  cerro_torre.gpr for every Feature_Set) and run `alr -n build` so the
  toolchain is auto-provisioned non-interactively.

Verified by reproducing `alr build` on Ubuntu 24.04 (the container base):
the full build now succeeds and produces a working `ct` binary.

https://claude.ai/code/session_01744NnsooPgw5S6JK11fAaw
@sonarqubecloud

@hyperpolymath hyperpolymath marked this pull request as ready for review May 15, 2026 19:44
@hyperpolymath hyperpolymath merged commit 852d01b into main May 15, 2026
35 of 38 checks passed
@hyperpolymath hyperpolymath deleted the claude/cerro-torre-full-build branch May 15, 2026 19:44