feat(release): add Arch packaging/CI smoke tests and harden real-kernel firewall validation

Author: JadenJSJ

.github/workflows/ci.yml

@@ -0,0 +1,130 @@
+name: CI
+
+on:
+  push:
+    branches:
+      - '**'
+    tags:
+      - 'v*'
+  pull_request:
+
+permissions:
+  contents: read
+
+jobs:
+  lint-and-tests:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Bash syntax checks
+        run: |
+          bash -n \
+            cmd/boxctl \
+            lib/*.sh \
+            lib/firewall/*.sh \
+            lib/supervisor/*.sh \
+            tests/integration/test_phase2.sh \
+            tests/integration/test_real_kernel.sh \
+            tests/integration/test_arch_package_smoke.sh \
+            tests/fixtures/mockbin/ip \
+            tests/fixtures/mockbin/iptables \
+            packaging/scripts/systemd-lifecycle.sh \
+            packaging/arch/box4linux.install
+
+      - name: ShellCheck (if available)
+        run: |
+          if command -v shellcheck >/dev/null 2>&1; then
+            shellcheck \
+              cmd/boxctl \
+              lib/*.sh \
+              lib/firewall/*.sh \
+              lib/supervisor/*.sh \
+              tests/integration/test_phase2.sh \
+              tests/integration/test_real_kernel.sh \
+              tests/integration/test_arch_package_smoke.sh \
+              packaging/scripts/systemd-lifecycle.sh
+            shellcheck -s sh packaging/arch/box4linux.install
+          else
+            echo "shellcheck not available; skipping"
+          fi
+
+      - name: Mock integration tests
+        run: ./tests/integration/test_phase2.sh
+
+      - name: Real-kernel integration tests (skip-capable)
+        run: sudo ./tests/integration/test_real_kernel.sh
+
+  build-arch-package:
+    runs-on: ubuntu-latest
+    needs:
+      - lint-and-tests
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Build Arch package in container
+        run: |
+          docker run --rm \
+            -v "$PWD":/work \
+            -w /work \
+            archlinux:base-devel \
+            bash -lc '
+              set -euo pipefail
+              pacman -Syu --noconfirm --needed base-devel bash coreutils tar zstd
+              chmod -R a+rwX /work
+              su nobody -s /bin/bash -c "cd /work/packaging/arch && makepkg --nodeps --noconfirm -f"
+            '
+
+      - name: Capture package path
+        id: pkg
+        run: |
+          pkg_path="$(ls -1 packaging/arch/*.pkg.tar.* | head -n 1)"
+          echo "package_path=${pkg_path}" >> "${GITHUB_OUTPUT}"
+          echo "Built package: ${pkg_path}"
+
+      - name: Upload Arch package artifact
+        uses: actions/upload-artifact@v4
+        with:
+          name: box4linux-arch-pkg
+          path: ${{ steps.pkg.outputs.package_path }}
+
+  smoke-package:
+    runs-on: ubuntu-latest
+    needs:
+      - build-arch-package
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Download Arch package artifact
+        uses: actions/download-artifact@v4
+        with:
+          name: box4linux-arch-pkg
+          path: ./dist
+
+      - name: Package smoke test
+        run: |
+          pkg_path="$(ls -1 ./dist/*.pkg.tar.* | head -n 1)"
+          ./tests/integration/test_arch_package_smoke.sh "${pkg_path}"
+
+  release:
+    runs-on: ubuntu-latest
+    if: startsWith(github.ref, 'refs/tags/v')
+    needs:
+      - smoke-package
+    permissions:
+      contents: write
+    steps:
+      - name: Download Arch package artifact
+        uses: actions/download-artifact@v4
+        with:
+          name: box4linux-arch-pkg
+          path: ./dist
+
+      - name: Publish release assets
+        uses: softprops/action-gh-release@v2
+        with:
+          files: ./dist/*.pkg.tar.*
+          generate_release_notes: true

.gitignore

@@ -12,3 +12,8 @@ box-reference/
 
 # Local Linux dev runtime state
 .box-dev/
+
+# Arch packaging build artifacts
+packaging/arch/*.pkg.tar.*
+packaging/arch/pkg/
+packaging/arch/src/

README.md

@@ -1,13 +1,14 @@
 # box4linux workspace
 
-Linux-native control plane (phase 2) lives in:
+Linux-native control plane lives in:
 - `cmd/boxctl`
 - `lib/common.sh`
 - `lib/config.sh`
 - `lib/supervisor/`
 - `lib/firewall/`
 - `systemd/`
 - `tests/integration/`
+- `packaging/arch/`
 
 Android reference artifacts are kept untouched in `box-reference/`.
 
@@ -26,60 +27,106 @@ Android reference artifacts are kept untouched in `box-reference/`.
    - `./cmd/boxctl firewall dry-run`
 4. Run integration checks:
    - `./tests/integration/test_phase2.sh`
-   - `sudo ./tests/integration/test_real_kernel.sh` (skips automatically when root/CAP_SYS_ADMIN/CAP_NET_ADMIN or backend tooling is unavailable)
+   - `sudo ./tests/integration/test_real_kernel.sh`
 
-## Systemd units
+## Arch Package Build/Install
 
-- `systemd/box.service`
-- `systemd/box-firewall.service`
+Build package from repo root:
+- `cd packaging/arch && makepkg --noconfirm -f`
 
-Copy/symlink these to your systemd unit path and ensure `boxctl` is installed as `/usr/bin/boxctl`.
+Install package:
+- `sudo pacman -U ./box4linux-*.pkg.tar.zst`
 
-## Phase 3 notes
+Installed layout:
+- `/usr/bin/boxctl`
+- `/usr/lib/box4linux/cmd/boxctl`
+- `/usr/lib/box4linux/lib/...`
+- `/etc/box/box.toml`
+- `/usr/lib/systemd/system/box.service`
+- `/usr/lib/systemd/system/box-firewall.service`
+- `/usr/share/doc/box4linux/`
+
+Config upgrade behavior:
+- Package marks `/etc/box/box.toml` as backup config.
+- Local edits are preserved across upgrades.
+- New template versions land as `.pacnew` when needed.
+
+## Service Lifecycle (Packaged Install)
+
+Use helper script from package docs:
+- `sudo /usr/share/doc/box4linux/systemd-lifecycle.sh enable`
+- `sudo /usr/share/doc/box4linux/systemd-lifecycle.sh status`
+- `sudo /usr/share/doc/box4linux/systemd-lifecycle.sh disable`
+
+Manual equivalent:
+- `sudo systemctl daemon-reload`
+- `sudo systemctl enable --now box.service box-firewall.service`
+- `sudo systemctl disable --now box-firewall.service box.service`
+
+## Packaged Operational Quickstart
+
+1. Verify command and units:
+   - `boxctl service status --json`
+   - `boxctl firewall status --json`
+2. Preview firewall operations:
+   - `boxctl firewall dry-run`
+3. Start runtime:
+   - `sudo systemctl start box.service`
+4. Renew firewall policy safely:
+   - `sudo systemctl reload box-firewall.service`
+
+## CI/Release Flow
+
+Workflow file: `.github/workflows/ci.yml`
+
+On push/PR:
+- `bash -n` checks on shell scripts
+- `shellcheck` when available
+- mock integration: `./tests/integration/test_phase2.sh`
+- privileged integration: `sudo ./tests/integration/test_real_kernel.sh` (suite prints `SKIP` when capabilities/tooling are unavailable)
+- Arch package build in Arch container
+- package smoke test: `./tests/integration/test_arch_package_smoke.sh <pkg>`
+
+On tags (`v*`):
+- built package artifact is published to GitHub Releases
+
+## Phase 3 Notes
 
 - Supported cores: `mihomo`, `sing-box`
-- Core overlay mutators render runtime configs under `/run/box/rendered` (or dev fallback).
+- Runtime overlays rendered under `/run/box/rendered` (or dev fallback)
 - Firewall backends:
-  - `iptables`: parity path with staged apply/rollback
-  - `nftables`: MVP parity path with staged apply/rollback
-- Supported modes on both backends: `tun`, `tproxy`, `redirect`, `mixed`, `enhance`.
-- DNS strategy handling: `tproxy`, `redirect`, `disable`.
-- Tailscale coexistence defaults to `dns_coexist_mode=preserve_tailnet`.
-- Coexistence mode semantics:
-  - `preserve_tailnet`: apply tailscale bypass (`tailscale0`, `100.64.0.0/10`) and MagicDNS resolver exclusion (`100.100.100.100:53`).
-  - `strict_box`: do not add tailscale bypass/MagicDNS exclusion rules; still never delete non-BOX routes/rules.
-- Tailscale safeguards include:
-  - bypass `tailscale0`
-  - bypass `100.64.0.0/10` and preserve `fd7a:115c:a1e0::/48` by not touching ip6tables in this backend
-  - bypass `100.100.100.100:53` (MagicDNS resolver)
-  - preserve table `52` / fwmark `0x80000/0xff0000` ownership
-- Route convergence: renew/reapply prunes stale BOX fwmark rules for the same fwmark+table (any old pref) and installs exactly one rule with current `route_pref`.
-- `enable|renew|disable` paths are idempotent and lock-protected.
-- `boxctl firewall dry-run` prints intended backend operations without applying.
-- `BOX_TRACE_COMMANDS=1` logs external command execution with `component`, `action`, and command string.
-- `boxctl firewall status --json` is side-effect free and includes stable diagnostics:
-  - `backend` / `backend_selected`
-  - `backend_available`
-  - `mode`
-  - `dns_hijack_mode`
-  - `dns_coexist_mode`
-  - `dns_coexist_mode_active`
-  - `cap_ipv4`, `cap_ipv6`, `cap_tproxy`
-  - `dry_run_supported`
-  - `last_error`
-
-## Backend capability notes
+  - `iptables` (mature path)
+  - `nftables` (MVP parity)
+- Supported modes on both backends: `tun`, `tproxy`, `redirect`, `mixed`, `enhance`
+- DNS strategies: `tproxy`, `redirect`, `disable`
+- Coexistence modes:
+  - `preserve_tailnet` (default): apply tailscale and MagicDNS bypasses
+  - `strict_box`: skip tailscale/MagicDNS bypass insertion
+- Route convergence: renew/reapply prunes stale BOX fwmark rules and enforces one current `route_pref` rule
+- Idempotent + lock-protected: `enable|renew|disable`
+- `BOX_TRACE_COMMANDS=1` logs external command executions with component/action context
+- `boxctl firewall status --json` exposes stable diagnostics (backend, capabilities, coexist fields, errors)
+
+## Backend Capability Notes
 
 - `iptables`:
   - `cap_ipv4=true`
-  - `cap_ipv6=false` (no ip6tables graph yet)
+  - `cap_ipv6=false` (full ip6tables graph pending)
 - `nftables`:
   - `cap_ipv4=true`
-  - `cap_ipv6=false` (full IPv6 interception/hijack graph still pending)
+  - `cap_ipv6=false` (full IPv6 interception/hijack graph pending)
+
+## Rollback/Uninstall
+
+Safe uninstall (keeps config backups/data unless manually removed):
+- `sudo pacman -R box4linux`
+
+Optional manual purge of local state:
+- `sudo rm -rf /etc/box /var/lib/box /run/box /var/log/box`
 
 ## Remaining TODO
 
-- Full UID/GID/interface/MAC policy graph in firewall (currently placeholder stage).
-- Full kernel-capability probing for nft/iptables modules across all distro variants.
+- Full UID/GID/interface/MAC policy graph in firewall.
+- Full IPv6 interception/hijack parity.
 - API-based reload hooks for `mihomo` and `sing-box`.
-- Explicit IPv6 tailnet bypass/interception parity for both backends.
+- Broader kernel-capability probing across distro variants.

cmd/boxctl

@@ -5,7 +5,32 @@
 set -euo pipefail
 
 CMD_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
-LIB_DIR="$(cd "${CMD_DIR}/../lib" && pwd)"
+LIB_DIR_CANDIDATES=(
+  "${BOX_LIB_DIR:-}"
+  "${CMD_DIR}/../lib"
+  "/usr/lib/box4linux/lib"
+)
+LIB_DIR=""
+
+find_lib_dir() {
+  local candidate
+  for candidate in "${LIB_DIR_CANDIDATES[@]}"; do
+    [[ -n "${candidate}" ]] || continue
+    if [[ -f "${candidate}/common.sh" ]]; then
+      LIB_DIR="${candidate}"
+      export BOX_LIB_DIR="${LIB_DIR}"
+      return 0
+    fi
+  done
+  return 1
+}
+
+if ! find_lib_dir; then
+  printf 'failed to locate box4linux lib directory; checked:\n' >&2
+  local_candidate_list="$(printf '  %s\n' "${LIB_DIR_CANDIDATES[@]}")"
+  printf '%s' "${local_candidate_list}" >&2
+  exit 1
+fi
 
 source "${LIB_DIR}/common.sh"
 source "${LIB_DIR}/config.sh"