TazPod: Smart Entry Detail
Level 3 (Detail) — The no-args guided flow through container, vault, and shell.
Concept
When the user runs tazpod with no arguments or tazpod enter, smartEntry() executes a guided flow that handles project initialization, container lifecycle, vault unlock, and bootstrap from S3 before opening an interactive shell.
Step-by-Step Flow
File: cmd/tazpod/lifecycle.go — smartEntry() (lines 65-102)
tazpod (no args) or tazpod enter
│
▼
.tazpod/ exists?
├── No → prompt "Initialize now?" → initProject() → loadConfigs()
└── Yes → loadConfigs()
│
▼
container_name set?
├── No → error "Run 'tazpod init'"
└── Yes → ensureContainerUp()
│
▼
vault.MountPath mounted? (docker exec mountpoint -q)
├── Yes → vault already unlocked → enterShell()
└── No → continue
│
▼
local vault.tar.aes exists?
├── Yes → prompt "Unlock now?" → execInContainer("tazpod unlock") → enterShell()
└── No → prompt "Bootstrap? (login + pull + unlock)"
      ├── Yes → login() → pullVault() → unlock() → enterShell()
      └── No → enterShell()
Branch Conditions
initProject() (if .tazpod/ missing)
Creates .tazpod/, .tazpod/vault/, .tazpod/config.yaml with defaults:
image: tazzo/tazpod-ai:latest
container_name: <folder>-lab
user: tazpod
ghost_mode: true
ensureContainerUp() (if container missing/stopped)
Creates container with:
- docker run -d --name <name>
- --cap-add SYS_ADMIN --security-opt apparmor=unconfined
- --dns 1.1.1.1 --dns 1.0.0.1
- -v <cwd>:/workspace
- -v ~/.ssh:/home/tazpod/.ssh:ro
- -e HOST_CWD=<cwd>
- image + sleep infinity
If container is stopped: docker start <name>.
If container is running: proceeds immediately.
containerUnlocked check
containerUnlocked := exec.Command("docker", "exec", cfg.ContainerName, "mountpoint", "-q", vault.MountPath).Run() == nil
Checks whether /home/tazpod/secrets is a mount point inside the container.
TD-017: This check is unreliable — sometimes returns false even when the vault is unlocked in another shell, causing unnecessary unlock prompts.
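The one-line check above maps every non-nil error from Run() to "locked", including a missing docker binary or a daemon error. The following is an added example, not TazPod's own code and not a claimed root-cause fix for TD-017: it separates "not mounted" from "check failed". The names VaultState, classify and checkVault, the demo-lab container name and the empty-stderr heuristic are assumptions.

```go
package main

import (
	"bytes"
	"errors"
	"fmt"
	"os/exec"
	"strings"
)

// VaultState is a three-way result instead of the original boolean.
type VaultState string

const (
	Unlocked VaultState = "unlocked" // mountpoint exited 0
	Locked   VaultState = "locked"   // ran, non-zero exit, silent stderr
	Unknown  VaultState = "unknown"  // the check itself failed
)

// classify interprets one run of `docker exec <c> mountpoint -q <path>`.
// Assumption: with -q mountpoint prints nothing, so stderr text is from docker.
func classify(ran bool, exitCode int, stderr string) VaultState {
	switch {
	case !ran || exitCode < 0: // not started, or killed by a signal
		return Unknown
	case exitCode == 0:
		return Unlocked
	case strings.TrimSpace(stderr) == "":
		return Locked
	}
	return Unknown
}

// checkVault runs the same command as the page's check but keeps stderr.
func checkVault(container, mountPath string) VaultState {
	var stderr bytes.Buffer
	cmd := exec.Command("docker", "exec", container, "mountpoint", "-q", mountPath)
	cmd.Stderr = &stderr
	err := cmd.Run()
	var exitErr *exec.ExitError
	if errors.As(err, &exitErr) {
		return classify(true, exitErr.ExitCode(), stderr.String())
	}
	return classify(err == nil, 0, stderr.String())
}

func main() {
	fmt.Println(checkVault("demo-lab", "/home/tazpod/secrets")) // hypothetical container name
}
```

A caller can then show the unlock prompt only on Locked and surface an error on Unknown.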
enterShell()
Runs docker exec -it -w /workspace <container> /bin/bash.
On shell exit, automatically calls lock().
Code Paths
| File | Function | Line | Role |
|---|---|---|---|
| lifecycle.go | smartEntry() | 65 | Orchestrator: init → container → unlock → shell |
| lifecycle.go | ensureContainerUp() | 107 | Docker container create/start |
| lifecycle.go | enterShell() | 52 | docker exec + auto-lock on exit |
| lifecycle.go | askYN() | 44 | Yes/No prompt helper |
| init.go | initProject() | — | .tazpod/ scaffold |
Known Issues
- TD-017: containerUnlocked check unreliable — may prompt unlock when vault is already open in another shell
- TD-018: Default MTU 1500 causes HTTPS failures on hotspot/Tailscale connections inside the container
See Also
- Parent hub: tazpod
- Sibling details: Container Lifecycle Detail, Vault Lifecycle Detail, Config Detail
- Debt: TD-017, TD-018