RBE Worker Toolchain Model

RBE Worker Toolchain Model

This page records the TIN-666 worker-image and toolchain model for the current GloriousFlywheel REAPI proof lane. It is a contract for what the current worker image means, and it keeps the status explicit: not broad/default RBE.

The machine-readable contract is docs/contracts/rbe-worker-toolchain-model.json. Run just rbe-worker-toolchain-model-contract-check before citing changes to this model.

The platform list is separate from this Linux worker-image contract. See docs/contracts/rbe-platform-contracts.json and run just rbe-platform-contracts-check before adding a platform identity. The candidate Darwin platform is gloriousflywheel-rbe-darwin-aarch64; it is not proved by the Linux worker image and uses its own signing-custody contract.

Current Worker

The current proof worker is the digest-pinned gf-reapi-cell image:

  • repository: ghcr.io/tinyland-inc/gf-reapi-cell
  • source package: flake.nix .#gf-reapi-cell-image
  • publication workflow: .github/workflows/publish-gf-reapi-cell.yml
  • platform: gloriousflywheel-rbe-linux-x86_64
  • browser-capable proved digest: sha256:a567696e341f6eb0589ece9efd6014a2133a4f10831bdad31e8dd84055eff8a0

The image is materialized from the locked Nix flake closure through nix2container. Proofs cite immutable image digests. Floating tags such as latest are operational handles, not proof authority.

The current closure intentionally includes:

  • common POSIX shell and archive tools
  • Node 22
  • Python 3
  • glibc and the /lib64/ld-linux-x86-64.so.2 loader bridge
  • the Nix C/C++ wrapper closure, C++ runtime libraries, and zlib
  • Chromium from locked nixpkgs for proved Playwright and Puppeteer target classes
  • CA certificates and UTC timezone data

Storage And Residency

gf-reapi-cell is a proof cell, not the durable cache backend:

  • namespace: gf-rbe
  • service: gf-reapi-cell
  • store: service-local proof CAS/action-cache under /var/lib/gf-reapi-cell
  • storage class: local-path-sting-fast-ephemeral
  • residency: scale-to-zero-between-proofs
  • capacity boundary: TIN-1249

This is proof-local storage. It is not RustFS-backed CAS/action-cache, not Attic publication authority, and not OpenTofu state authority. RustFS remains outside the trusted RBE CAS/action-cache path until its separate backend gate is repaired or replaced.

Promotion Rule

Worker-image contents are necessary but not sufficient for RBE eligibility.

A tool existing in the worker image is blocker-burn-down evidence. It does not promote a target class by itself. A target class is promoted only after a forced remote-executor proof with nonzero remote processes and evidence for:

  • target and Bazel command
  • platform identity
  • worker image digest
  • remote worker logs
  • artifact verification where applicable
  • explicit checkout and distdir authority for private consumer proofs
  • browser runtime authority and lifecycle-download skip policy for browser target classes

This keeps TIN-668 target-class eligibility separate from TIN-666 worker-image breadth.

Forbidden Inferences

Do not infer any of these from the worker image:

  • broad/default RBE
  • broad web RBE
  • broad language-family RBE for Rust, Go, C/C++, TypeScript, Playwright, Puppeteer, or SvelteKit
  • RustFS suitability as CAS/action-cache or trusted publication authority
  • repo-specific runner labels as product structure
  • action-time browser or toolchain download permission
  • embedded credentials, source checkouts, deploy keys, or GitHub App tokens

Ordinary developer and CI usage remains cache-forward unless executor-backed mode is explicitly selected.

Change Process

When the worker image gains a new tool or runtime, update this page and the JSON contract in the same PR. If the new runtime is meant to unblock a target class, also add or update the target-class proof plan in RBE Target Eligibility. The target does not become eligible until the forced proof lands and cites the new worker image digest.

GloriousFlywheel