Sync upstream

.claude/agents/sdk-sync-checker.md

@@ -0,0 +1,76 @@
+---
+name: protobuf-sdk-validator
+description: Validates that SDK implementations are synchronized with Protocol Buffer schema definitions. Use when protobuf files change, SDKs need verification, or you suspect schema drift.
+tools: Bash, Glob, Grep, Read, TodoWrite
+model: sonnet
+color: yellow
+---
+
+You validate SDK implementations against protobuf schemas to ensure synchronization.
+
+## Process
+
+### 1. Discovery
+- Find all `.proto` files in `guest-agent/rpc/proto/`
+- Identify SDK implementations in `sdk/` (python, go, rust, js, curl docs)
+- Extract services, RPCs, and message types from proto files
+
+### 2. Extract Schema
+For each message type, extract:
+- Field names, types, and numbers
+- Required/optional/repeated modifiers
+- Nested types and enums
+- Service method signatures
+
+### 3. Compare SDKs
+For each SDK, verify message/response types contain:
+- All proto fields (accounting for naming conventions)
+- Correct type mappings (bytes→hex string, string→string, repeated→array)
+- Proper optionality markers
+
+### 4. Report
+
+```markdown
+# SDK Sync Report
+
+## Summary
+Status: ✅/❌ | Protos: X | SDKs: Y | Issues: Z
+
+## Findings
+
+### [SDK Name] (path/to/file.ext)
+| Proto Message | Status | Missing Fields |
+|---------------|--------|----------------|
+| MessageName   | ❌     | field1, field2 |
+
+Details:
+- ❌ MessageName.field1: missing (proto line X, expected in SDK)
+- ❌ MessageName.field2: missing (proto line Y, expected in SDK)
+
+## Action Items
+1. [SDK]: Add field X to MessageY (file.ext:lineN)
+2. [SDK]: Fix type mismatch for field Z
+```
+
+## Type Mappings
+- `bytes` → hex `string` (Python/Go/JS/Rust), `string` JSON (cURL docs)
+- `string` → `string` (all)
+- `repeated X` → array/list/vec (language-specific)
+- `int32/uint32` → number/int types
+
+## Naming Conventions
+- Python: `snake_case`
+- Go: `PascalCase` (exported fields)
+- Rust: `snake_case`
+- JavaScript: `camelCase`
+- cURL docs: `snake_case` (JSON wire format)
+
+## Locations
+- Protos: `guest-agent/rpc/proto/*.proto`
+- Python: `sdk/python/src/dstack_sdk/dstack_client.py`
+- Go: `sdk/go/dstack/client.go`
+- Rust: `sdk/rust/types/src/dstack.rs`
+- JS: `sdk/js/src/index.ts`
+- Docs: `sdk/curl/api.md`, `sdk/curl/api-tappd.md`
+
+Focus on API surface differences. Provide specific file paths and line numbers.

.github/workflows/gateway-release.yml

@@ -51,7 +51,7 @@ jobs:
         with:
           context: gateway/dstack-app/builder
           push: true
-          tags: ${{ vars.DOCKERHUB_USERNAME }}/gateway:${{ env.VERSION }}
+          tags: ${{ vars.DOCKERHUB_ORG }}/dstack-gateway:${{ env.VERSION }}
           platforms: linux/amd64
           provenance: false
           build-args: |
@@ -61,7 +61,7 @@ jobs:
       - name: Generate artifact attestation
         uses: actions/attest-build-provenance@v1
         with:
-          subject-name: "docker.io/${{ vars.DOCKERHUB_USERNAME }}/gateway"
+          subject-name: "docker.io/${{ vars.DOCKERHUB_ORG }}/dstack-gateway"
           subject-digest: ${{ steps.build-and-push.outputs.digest }}
           push-to-registry: true
 
@@ -72,7 +72,7 @@ jobs:
           body: |
             ## Docker Image Information
 
-            **Image**: `docker.io/${{ vars.DOCKERHUB_USERNAME }}/gateway:${{ env.VERSION }}`
+            **Image**: `docker.io/${{ vars.DOCKERHUB_ORG }}/dstack-gateway:${{ env.VERSION }}`
 
             **Digest (SHA256)**: `${{ steps.build-and-push.outputs.digest }}`
 

.github/workflows/kms-release.yml

@@ -54,7 +54,7 @@ jobs:
         with:
           context: kms/dstack-app/builder
           push: true
-          tags: ${{ vars.DOCKERHUB_USERNAME }}/kms:${{ env.VERSION }}
+          tags: ${{ vars.DOCKERHUB_ORG }}/dstack-kms:${{ env.VERSION }}
           platforms: linux/amd64
           provenance: false
           build-args: |
@@ -65,7 +65,7 @@ jobs:
       - name: Generate artifact attestation
         uses: actions/attest-build-provenance@v1
         with:
-          subject-name: "docker.io/${{ vars.DOCKERHUB_USERNAME }}/kms"
+          subject-name: "docker.io/${{ vars.DOCKERHUB_ORG }}/dstack-kms"
           subject-digest: ${{ steps.build-and-push.outputs.digest }}
           push-to-registry: true
 
@@ -92,7 +92,7 @@ jobs:
           body: |
             ## Docker Image Information
 
-            **Image**: `docker.io/${{ vars.DOCKERHUB_USERNAME }}/kms:${{ env.VERSION }}`
+            **Image**: `docker.io/${{ vars.DOCKERHUB_ORG }}/dstack-kms:${{ env.VERSION }}`
 
             **Digest (SHA256)**: `${{ steps.build-and-push.outputs.digest }}`
 

.github/workflows/rust-sdk-release.yml

@@ -0,0 +1,25 @@
+# SPDX-FileCopyrightText: © 2025 Phala Network <dstack@phala.network>
+#
+# SPDX-License-Identifier: Apache-2.0
+
+name: Publish SDK to crates.io
+on:
+  push:
+    tags: ['rust-sdk-v*']
+jobs:
+  publish:
+    runs-on: ubuntu-latest
+    environment: sdk-release
+    permissions:
+      id-token: write
+    steps:
+    - uses: actions/checkout@v5
+    - uses: rust-lang/crates-io-auth-action@v1
+      id: auth
+    - run: cargo publish -p dstack-sdk-types
+      env:
+        CARGO_REGISTRY_TOKEN: ${{ steps.auth.outputs.token }}
+    - run: cargo publish -p dstack-sdk
+      env:
+        CARGO_REGISTRY_TOKEN: ${{ steps.auth.outputs.token }}
+

.github/workflows/rust.yml

@@ -25,7 +25,7 @@ jobs:
         components: clippy, rustfmt
 
     - name: Run Clippy
-      run: cargo clippy -- -D warnings --allow unused_variables
+      run: cargo clippy -- -D warnings -D clippy::expect_used -D clippy::unwrap_used --allow unused_variables
 
     - name: Cargo fmt check
       run: cargo fmt --check --all

.github/workflows/verifier-release.yml

@@ -0,0 +1,80 @@
+# SPDX-FileCopyrightText: © 2025 Phala Network <dstack@phala.network>
+#
+# SPDX-License-Identifier: Apache-2.0
+
+name: Verifier Release
+
+on:
+  workflow_dispatch:
+  push:
+    tags:
+      - 'verifier-v*'
+permissions:
+  attestations: write
+  id-token: write
+  contents: write
+  packages: write
+
+jobs:
+  build-and-release:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Parse version from tag
+        run: |
+          VERSION=${GITHUB_REF#refs/tags/verifier-v}
+          echo "VERSION=$VERSION" >> $GITHUB_ENV
+          echo "Parsed version: $VERSION"
+
+      - name: Log in to Docker Hub
+        uses: docker/login-action@v3
+        with:
+          username: ${{ vars.DOCKERHUB_USERNAME }}
+          password: ${{ secrets.DOCKERHUB_TOKEN }}
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Get Git commit timestamps
+        run: |
+          echo "TIMESTAMP=$(git log -1 --pretty=%ct)" >> $GITHUB_ENV
+          echo "GIT_REV=$(git rev-parse HEAD)" >> $GITHUB_ENV
+
+      - name: Build and push Docker image
+        id: build-and-push
+        uses: docker/build-push-action@v5
+        env:
+          SOURCE_DATE_EPOCH: ${{ env.TIMESTAMP }}
+        with:
+          context: verifier
+          file: verifier/builder/Dockerfile
+          push: true
+          tags: ${{ vars.DOCKERHUB_ORG }}/dstack-verifier:${{ env.VERSION }}
+          platforms: linux/amd64
+          provenance: false
+          build-args: |
+            DSTACK_REV=${{ env.GIT_REV }}
+            DSTACK_SRC_URL=${{ github.server_url }}/${{ github.repository }}.git
+            SOURCE_DATE_EPOCH=${{ env.TIMESTAMP }}
+
+      - name: Generate artifact attestation
+        uses: actions/attest-build-provenance@v1
+        with:
+          subject-name: "docker.io/${{ vars.DOCKERHUB_ORG }}/dstack-verifier"
+          subject-digest: ${{ steps.build-and-push.outputs.digest }}
+          push-to-registry: true
+
+      - name: GitHub Release
+        uses: softprops/action-gh-release@v1
+        with:
+          name: "Verifier Release v${{ env.VERSION }}"
+          body: |
+            ## Docker Image Information
+
+            **Image**: `docker.io/${{ vars.DOCKERHUB_ORG }}/dstack-verifier:${{ env.VERSION }}`
+
+            **Digest (SHA256)**: `${{ steps.build-and-push.outputs.digest }}`
+
+            **Verification**: [Verify on Sigstore](https://search.sigstore.dev/?hash=${{ steps.build-and-push.outputs.digest }})

.gitignore

@@ -7,4 +7,5 @@ node_modules/
 /.cargo
 .venv
 /tmp
-.claude
+.claude/settings.local.json
+__pycache__

CHANGELOG.md

@@ -5,6 +5,39 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [0.5.5] - 2025-10-20
+
+### Added
+- SDK sync agent for automated protobuf schema synchronization (#366)
+- dstack-verifier CLI tool with OS image hash verification (#341)
+- built-in swap configuration support for CVMs (#348, #357, #358)
+- support for ext4 filesystem type on storage (#348)
+- size-parser crate for handling size configurations (#355)
+- init_script support in app-compose.json (#337)
+- cache for verifier (#341)
+- Add QEMU version and image name in VmConfig (#340)
+- documentation for minimum version of each compose field (#363)
+
+### Changed
+- max app compose size increased to 256K (#349)
+- default timeout increased to 3 secs for python SDK (#339)
+- auto reconnect when WireGuard gets stuck (#350)
+- put filesystem type in RTMR3 event log (#348)
+- read QEMU path from /etc/dstack/client.conf (#332)
+- refactor sys-config generation code (#351)
+- when formatting app_url, skip port if it's 443 (#326)
+- update docker organization references (#342, #343)
+- RA-TLS: add KeyCertSign and CrlSign usages for CA cert (#320)
+
+### Fixed
+- guest-agent: request demo cert lazily
+- VmConfig decode error (#347)
+- potential panic due to int overflow in dstack-mr (#345)
+- SDK issues - marked rootfs_hash optional (#339)
+
+### Removed
+- docker_config field from app-compose.json (#374)
+
 ## [0.5.4] - 2025-09-01
 
 ### Security
@@ -1237,7 +1270,8 @@ New contributors in this release:
 * @Leechael made their first contribution
 * @nanometerzhu made their first contribution
 * @h4x3rotab made their first contribution
-[unreleased]: https://github.com/Dstack-TEE/dstack/compare/v0.5.3..HEAD
+[unreleased]: https://github.com/Dstack-TEE/dstack/compare/v0.5.5..HEAD
+[0.5.5]: https://github.com/Dstack-TEE/dstack/compare/v0.5.4..v0.5.5
 [0.5.4]: https://github.com/Dstack-TEE/dstack/compare/v0.5.3..v0.5.4
 [0.5.3]: https://github.com/Dstack-TEE/dstack/compare/v0.5.2..v0.5.3
 [0.5.2]: https://github.com/Dstack-TEE/dstack/compare/v0.5.1..v0.5.2