|
183 | 183 | {"id":"vz-83t","title":"[vz-stack] Secrets are mounted as directories instead of files in shared VM mode","description":"When using file-based secrets in a multi-service stack (which uses shared VM mode), the secret is mounted as a directory instead of a file.\n\n## Steps to Reproduce\n```yaml\nservices:\n db:\n image: redis:7-alpine\n secrets:\n - db_password\nsecrets:\n db_password:\n file: ./secret.txt\n```\n\n## Expected\n- Secret file content should be at /run/secrets/db_password as a FILE\n\n## Actual\n- /run/secrets/db_password is a DIRECTORY\n\n## Debug Info\n- Host file exists: ~/.vz/stacks/\u003cname\u003e/secrets/\u003cname\u003e/db_password (is a FILE with correct content)\n- Container mount shows: /run/secrets/db_password is a directory (drwxr-xr-x)\n\n## Suspected Root Cause\nThe mount path construction might be pointing to the parent directory (secrets/) instead of the specific file (secrets/db_password)\n\nLocation to check: secrets_to_mounts() in vz-stack/src/convert.rs or how it's used in shared VM mode","status":"resolved_fixed","priority":2,"issue_type":"task","owner":"james@littlebearlabs.io","created_at":"2026-02-23T18:22:18Z","created_by":"James Lal","updated_at":"2026-02-23T18:32:47Z"} |
184 | 184 | {"id":"vz-88v","title":"vz stack run — one-off container command","description":"Add vz stack run \u003cservice\u003e \u003ccommand...\u003e that creates a temporary container from the service definition, runs the command, captures output, and removes the container. Essential for migrations, seeds, debug shells.\n\nFiles: crates/vz-cli/src/commands/stack.rs (new subcommand), crates/vz-stack/src/executor.rs (one-off create+exec+remove flow)","status":"closed","priority":2,"issue_type":"task","owner":"james@littlebearlabs.io","created_at":"2026-02-22T14:55:28Z","created_by":"James Lal","updated_at":"2026-02-22T15:15:18Z","closed_at":"2026-02-22T15:15:18Z","close_reason":"vz stack run executes one-off commands in running service containers via control socket."} |
185 | 185 | {"id":"vz-89d","title":"Move ImageStore from vz-oci to vz-image","description":"Move crates/vz-oci/src/store.rs to crates/vz-image/src/store.rs. Replace OciError references with ImageError. All types: ImageStore, ImageInfo, LayerDescriptor, PruneResult, LayerMediaType. Keep all tests. The store.rs is 891 lines of pure platform-independent Rust (no macOS APIs).","status":"closed","priority":1,"issue_type":"task","owner":"james@littlebearlabs.io","created_at":"2026-02-22T05:19:39Z","created_by":"James Lal","updated_at":"2026-02-22T05:25:14Z","closed_at":"2026-02-22T05:25:14Z","close_reason":"All Phase 1 work completed in single pass: vz-image crate created with store.rs, puller.rs, error.rs, resolve_* methods, and 17 passing tests","dependencies":[{"issue_id":"vz-89d","depends_on_id":"vz-f06","type":"blocks","created_at":"2026-02-21T22:20:23Z","created_by":"James Lal","metadata":"{}"}]} |
186 | | -{"id":"vz-8gf","title":"VM-first primitive conformance suite across manager, gRPC, OpenAPI, and CLI","description":"Build a real-VM conformance matrix that exercises every sandbox primitive across all externally reachable surfaces. Avoid mock-only confidence for release decisions.\n\nAcceptance:\n- Primitive coverage matrix is published and complete for required operations.\n- Identical behavioral assertions run across manager, gRPC, OpenAPI, and CLI paths.\n- CI includes mandatory VM smoke lane and nightly full lane with artifacts.","status":"open","priority":0,"issue_type":"feature","owner":"james@littlebearlabs.io","created_at":"2026-02-24T18:16:07Z","created_by":"James Lal","updated_at":"2026-02-24T18:16:07Z"} |
| 186 | +{"id":"vz-8gf","title":"VM-first primitive conformance suite across manager, gRPC, OpenAPI, and CLI","description":"Build a real-VM conformance matrix that exercises every sandbox primitive across all externally reachable surfaces. Avoid mock-only confidence for release decisions.\n\nAcceptance:\n- Primitive coverage matrix is published and complete for required operations.\n- Identical behavioral assertions run across manager, gRPC, OpenAPI, and CLI paths.\n- CI includes mandatory VM smoke lane and nightly full lane with artifacts.","notes":"Implemented VM-first conformance matrix and parity checks across manager/gRPC/OpenAPI/CLI, updated docs, and split vm-e2e CI lanes (smoke+nightly full). Tests run: cargo check -p vz-runtime-contract|vz-linux|vz-api|vz-cli; cargo nextest run -p vz-runtime-contract|vz-linux|vz-api|vz-cli; cargo fmt --manifest-path crates/Cargo.toml --all -- --check.","status":"done","priority":0,"issue_type":"feature","owner":"james@littlebearlabs.io","created_at":"2026-02-24T18:16:07Z","created_by":"James Lal","updated_at":"2026-02-24T18:34:52Z"} |
187 | 187 | {"id":"vz-8oh","title":"E2E test for stack port forwarding","description":"Add runtime_e2e test: 2-service stack, one with nc -l -p 8080, host connects to forwarded port and verifies data round-trip through the per-service netns.","status":"closed","priority":1,"issue_type":"task","owner":"james@littlebearlabs.io","created_at":"2026-02-21T19:13:11Z","created_by":"James Lal","updated_at":"2026-02-22T01:33:07Z","closed_at":"2026-02-22T01:33:07Z","close_reason":"All implemented, unit tests + E2E tests passing","dependencies":[{"issue_id":"vz-8oh","depends_on_id":"vz-l6w","type":"blocks","created_at":"2026-02-21T12:13:23Z","created_by":"James Lal","metadata":"{}"},{"issue_id":"vz-8oh","depends_on_id":"vz-yd1","type":"blocks","created_at":"2026-02-21T12:13:24Z","created_by":"James Lal","metadata":"{}"}]} |
188 | 188 | {"id":"vz-8ud","title":"Expose checkpoint create/restore/fork as first-class Runtime V2 API primitives","description":"Checkpoint lineage/create/restore/fork logic exists in sandbox/runtime internals, but is not fully exposed as first-class Runtime V2 transport API primitives.\n\nRequired: wire checkpoint primitives through core managers and both transports with compatibility fingerprint validation and class/capability gates (`fs_quick` baseline, `vm_full` guarded).\n\nAcceptance:\n- Create/restore/fork checkpoint operations are callable via Runtime V2 APIs.\n- Compatibility mismatch and class-degradation ack behavior are enforced and tested.\n- Checkpoint lineage metadata is persisted and queryable through contract-consistent APIs.","status":"open","priority":1,"issue_type":"feature","owner":"james@littlebearlabs.io","created_at":"2026-02-24T18:08:45Z","created_by":"James Lal","updated_at":"2026-02-24T18:08:45Z"} |
189 | 189 | {"id":"vz-90n","title":"Compose: security fields (cap_add, cap_drop, privileged, read_only, sysctls)","description":"Parse and apply security-related Compose service fields: (1) cap_add/cap_drop — currently hardcoded to Docker-equivalent 14 caps in bundle.rs, need to allow per-service customization, (2) privileged — run container with all capabilities, (3) read_only — mount rootfs as read-only, (4) sysctls — kernel parameter tuning via OCI spec linux.sysctl. These map directly to OCI runtime spec fields in the bundle generator.","status":"closed","priority":2,"issue_type":"feature","owner":"james@littlebearlabs.io","created_at":"2026-02-22T06:54:18Z","created_by":"James Lal","updated_at":"2026-02-22T09:29:50Z","closed_at":"2026-02-22T09:29:50Z","close_reason":"Security fields implemented. 9 new tests.","dependencies":[{"issue_id":"vz-90n","depends_on_id":"vz-6ms","type":"blocks","created_at":"2026-02-21T23:54:34Z","created_by":"James Lal","metadata":"{}"}]} |
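Review bot: The added vz-8gf record sets "status":"done" with no closed_at or close_reason, while the closed records visible around it (vz-88v, vz-89d, vz-8oh, vz-90n) use "status":"closed" and carry both fields. Either close it the same way or confirm that "done" is a status the tracker treats as terminal, so this priority-0 item is not miscounted by anything that filters on "closed". The new "notes" field also lists only cargo check, cargo nextest and cargo fmt as the tests run, whereas the description asks for real-VM coverage and says to avoid mock-only confidence for release decisions; the record should cite a vm-e2e smoke run or its CI artifacts as evidence for the acceptance criteria. The "-p vz-runtime-contract|vz-linux|vz-api|vz-cli" shorthand in the same field is not a runnable command as written; listing each package with its own -p flag would make the note reproducible.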
|