TazPod: Smart Entry Detail

Level 3 (Detail) — The no-args guided flow through container, vault, and shell.

Concept

When the user runs tazpod with no arguments or tazpod enter, smartEntry() executes a guided flow that handles project initialization, container lifecycle, vault unlock, and bootstrap from S3 before opening an interactive shell.

Step-by-Step Flow

File: cmd/tazpod/lifecycle.go, smartEntry() (lines 65-102)

tazpod (no args) or tazpod enter
       │
       ▼
  .tazpod/ exists?
       ├── No  → prompt "Initialize now?" → initProject() → loadConfigs()
       └── Yes → loadConfigs()
       │
       ▼
  container_name set?
       ├── No  → error "Run 'tazpod init'"
       └── Yes → ensureContainerUp()
       │
       ▼
  vault.MountPath mounted? (docker exec mountpoint -q)
       ├── Yes → vault already unlocked → enterShell()
       └── No  → continue
       │
       ▼
  local vault.tar.aes exists?
       ├── Yes → prompt "Unlock now?" → execInContainer("tazpod unlock") → enterShell()
       └── No  → prompt "Bootstrap? (login + pull + unlock)"
                  ├── Yes → login() → pullVault() → unlock() → enterShell()
                  └── No  → enterShell()
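The branch order above, written out as runnable Go so each path can be exercised without Docker, S3 or a terminal. This is an added example, not TazPod's own code: the Env interface, the fakeEnv that records actions, and RunScenario are assumptions of this example, and the behaviour of answering "No" to "Unlock now?" (enter the shell without unlocking) is not shown on the page and is assumed here.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Config holds the two settings smartEntry needs from .tazpod/config.yaml.
type Config struct {
	ContainerName  string
	VaultMountPath string // e.g. /home/tazpod/secrets
}

// Env is the set of side effects the guided flow performs. Injecting it keeps
// the branching logic testable. The interface and fake below are assumptions
// of this example, not TazPod's own types.
type Env interface {
	ProjectExists() bool                 // .tazpod/ present?
	InitProject() error                  // initProject()
	LoadConfigs() (Config, error)        // loadConfigs()
	EnsureContainerUp(name string) error // ensureContainerUp()
	VaultMounted(name, path string) bool // docker exec mountpoint -q
	LocalVaultExists() bool              // vault.tar.aes on disk?
	Ask(prompt string) bool              // askYN()
	ExecInContainer(name string, argv ...string) error
	Login() error
	PullVault() error
	Unlock() error
	EnterShell(name string) error // docker exec -it ...; lock() on exit
}

var ErrNoContainerName = errors.New("container_name not set: run 'tazpod init'")

// smartEntry mirrors the branch order of the flow diagram.
func smartEntry(e Env) error {
	if !e.ProjectExists() {
		if !e.Ask("No .tazpod/ found. Initialize now?") {
			return errors.New("aborted: project not initialized")
		}
		if err := e.InitProject(); err != nil {
			return err
		}
	}
	cfg, err := e.LoadConfigs()
	if err != nil {
		return err
	}
	if cfg.ContainerName == "" {
		return ErrNoContainerName
	}
	if err := e.EnsureContainerUp(cfg.ContainerName); err != nil {
		return err
	}
	// Vault already unlocked in another shell: go straight in.
	if e.VaultMounted(cfg.ContainerName, cfg.VaultMountPath) {
		return e.EnterShell(cfg.ContainerName)
	}
	if e.LocalVaultExists() {
		if e.Ask("Encrypted vault found. Unlock now?") {
			if err := e.ExecInContainer(cfg.ContainerName, "tazpod", "unlock"); err != nil {
				return err
			}
		}
		return e.EnterShell(cfg.ContainerName) // "No" branch: assumed to enter without unlocking
	}
	if e.Ask("No vault found. Bootstrap? (login + pull + unlock)") {
		for _, step := range []func() error{e.Login, e.PullVault, e.Unlock} {
			if err := step(); err != nil {
				return err
			}
		}
	}
	return e.EnterShell(cfg.ContainerName)
}

// fakeEnv answers every prompt the same way and records each action taken.
type fakeEnv struct {
	hasProject, mounted, localVault, sayYes bool
	cfg                                     Config
	actions                                 []string
}

func (f *fakeEnv) log(a string)                                  { f.actions = append(f.actions, a) }
func (f *fakeEnv) ProjectExists() bool                           { return f.hasProject }
func (f *fakeEnv) InitProject() error                            { f.log("initProject"); f.hasProject = true; return nil }
func (f *fakeEnv) LoadConfigs() (Config, error)                  { f.log("loadConfigs"); return f.cfg, nil }
func (f *fakeEnv) EnsureContainerUp(n string) error              { f.log("ensureContainerUp:" + n); return nil }
func (f *fakeEnv) VaultMounted(_, _ string) bool                 { return f.mounted }
func (f *fakeEnv) LocalVaultExists() bool                        { return f.localVault }
func (f *fakeEnv) Ask(string) bool                               { return f.sayYes }
func (f *fakeEnv) ExecInContainer(_ string, argv ...string) error { f.log("exec:" + strings.Join(argv, " ")); return nil }
func (f *fakeEnv) Login() error                                  { f.log("login"); return nil }
func (f *fakeEnv) PullVault() error                              { f.log("pullVault"); return nil }
func (f *fakeEnv) Unlock() error                                 { f.log("unlock"); return nil }
func (f *fakeEnv) EnterShell(string) error                       { f.log("enterShell"); f.log("lock"); return nil }

// RunScenario drives smartEntry against a fake and returns the action trace.
func RunScenario(hasProject, mounted, localVault, sayYes bool, container string) ([]string, error) {
	f := &fakeEnv{hasProject: hasProject, mounted: mounted, localVault: localVault, sayYes: sayYes,
		cfg: Config{ContainerName: container, VaultMountPath: "/home/tazpod/secrets"}}
	err := smartEntry(f)
	return f.actions, err
}

func main() {
	// Fresh checkout, no local vault, user answers Yes to everything: the bootstrap path.
	acts, err := RunScenario(false, false, false, true, "demo-lab")
	fmt.Println(strings.Join(acts, " -> "), err)
}
```

The trace always ends in enterShell followed by lock, which is the property worth keeping an eye on: every exit from the interactive shell re-locks the vault regardless of which branch opened it.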

Branch Conditions

initProject() (if .tazpod/ missing)

Creates .tazpod/, .tazpod/vault/, .tazpod/config.yaml with defaults:

  • image: tazzo/tazpod-ai:latest
  • container_name: <folder>-lab
  • user: tazpod
  • ghost_mode: true

ensureContainerUp() (if container missing/stopped)

Creates container with:

  • docker run -d --name <name> --cap-add SYS_ADMIN --security-opt apparmor=unconfined
  • --dns 1.1.1.1 --dns 1.0.0.1
  • -v <cwd>:/workspace
  • -v ~/.ssh:/home/tazpod/.ssh:ro
  • -e HOST_CWD=<cwd>
  • image + sleep infinity

If container is stopped: docker start <name>. If container is running: proceeds immediately.

containerUnlocked check

containerUnlocked := exec.Command("docker", "exec", cfg.ContainerName, "mountpoint", "-q", vault.MountPath).Run() == nil

Checks whether /home/tazpod/secrets is a mount point inside the container.

TD-017: This check is unreliable — sometimes returns false even when the vault is unlocked in another shell, causing unnecessary unlock prompts.
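One reason a bare `Run() == nil` is a weak probe is that it collapses "not a mount point" and "the probe itself could not run" (stopped container, daemon error) into the same false, so a failed check silently turns into an unlock prompt. The example below, added here and not TazPod's own code, keeps the same docker exec mountpoint -q command but returns a tri-state result so the caller can surface probe failures instead of acting on them. It assumes mountpoint -q exits 0 when the path is a mount point and prints nothing to stderr when it merely is not one, so any stderr text is treated as a probe failure; the error value ErrMountCheckFailed and the sample daemon message are constructed for this example.

```go
package main

import (
	"bytes"
	"errors"
	"fmt"
	"os/exec"
	"strings"
)

// ErrMountCheckFailed means the probe did not run cleanly, as opposed to the
// vault simply not being mounted. Callers should treat it as "unknown".
var ErrMountCheckFailed = errors.New("vault mount check failed")

// interpretMountCheck turns the exit status and stderr of
// `docker exec <container> mountpoint -q <path>` into a tri-state answer.
// Assumption (added example): exit 0 means mounted; a non-zero exit with an
// empty stderr means "not a mount point"; any stderr text means the probe
// itself failed (container not running, daemon error, path missing).
func interpretMountCheck(exitCode int, stderr string) (bool, error) {
	if exitCode == 0 {
		return true, nil
	}
	if msg := strings.TrimSpace(stderr); msg != "" {
		return false, fmt.Errorf("%w (exit %d): %s", ErrMountCheckFailed, exitCode, msg)
	}
	return false, nil
}

// vaultMounted runs the probe for real against a container. On error the
// caller should report the failure rather than assume the vault is locked.
func vaultMounted(containerName, mountPath string) (bool, error) {
	cmd := exec.Command("docker", "exec", containerName, "mountpoint", "-q", mountPath)
	var stderr bytes.Buffer
	cmd.Stderr = &stderr
	err := cmd.Run()
	code := 0
	if err != nil {
		var exitErr *exec.ExitError
		if !errors.As(err, &exitErr) {
			// docker binary missing or not executable: not a mount answer at all
			return false, fmt.Errorf("%w: %v", ErrMountCheckFailed, err)
		}
		code = exitErr.ExitCode()
	}
	return interpretMountCheck(code, stderr.String())
}

func main() {
	// Constructed inputs showing the three outcomes without needing Docker.
	cases := []struct {
		code   int
		stderr string
	}{
		{0, ""},
		{1, ""},
		{1, "Error response from daemon: container demo-lab is not running\n"},
	}
	for _, c := range cases {
		mounted, err := interpretMountCheck(c.code, c.stderr)
		fmt.Printf("exit=%d mounted=%v err=%v\n", c.code, mounted, err)
	}
	// Real probe (only meaningful on a host with the container running):
	if m, err := vaultMounted("demo-lab", "/home/tazpod/secrets"); err != nil {
		fmt.Println("probe failed:", err)
	} else {
		fmt.Println("mounted:", m)
	}
}
```

In the smart-entry flow a caller would pass ErrMountCheckFailed back to the user (or retry once) rather than prompting to unlock, which removes one class of the spurious prompts TD-017 describes; it does not cover every cause, since a probe that genuinely returns "not mounted" while another shell holds the vault still needs to be investigated on the Docker side.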

enterShell()

Runs docker exec -it -w /workspace <container> /bin/bash. On shell exit, automatically calls lock().

Code Paths

File          Function             Line   Role
lifecycle.go  smartEntry()         65     Orchestrator: init → container → unlock → shell
lifecycle.go  ensureContainerUp()  107    Docker container create/start
lifecycle.go  enterShell()         52     docker exec + auto-lock on exit
lifecycle.go  askYN()              44     Yes/No prompt helper
init.go       initProject()        -      .tazpod/ scaffold

Known Issues

  • TD-017: containerUnlocked check unreliable — may prompt unlock when vault is already open in another shell
  • TD-018: Default MTU 1500 causes HTTPS failures on hotspot/Tailscale connections inside the container

See Also