Entity: TazPod (Operator Environment)
This page is the repository hub for the TazPod CLI and its containerized execution model.
Overview
tazpod/ is the operator continuity layer of TazLab. It combines a disposable container runtime, an encrypted vault (vault.tar.aes), a RAM-only secret lifecycle, and persistent project-local state under .tazpod/.
Repository Structure
tazpod/
├── cmd/tazpod/ # CLI command dispatch and lifecycle
│ ├── main.go # Entrypoint, command dispatcher
│ ├── lifecycle.go # up/down/enter/smartEntry/ensureContainerUp
│ ├── vault_cmd.go # unlock/lock/save/login/loadConfigs
│ ├── sync.go # syncDaemon/pull/push
│ ├── config.go # Config struct definitions
│ ├── init.go # initProject()
│ ├── vpn.go # vpn command (legacy/untrusted)
│ └── help.go # help/usage
├── internal/
│ ├── crypto/crypto.go # AES-256-GCM + PBKDF2
│ ├── vault/vault.go # Unlock/Save/TarDir/Untar, path constants
│ └── utils/
│ ├── utils.go # RunCmd/RunOutput/IsMounted/FileExists
│ └── s3.go # S3 client, UploadFile/DownloadFile
├── .tazpod/
│ ├── Dockerfile.base # Ubuntu 24.04 + dev tools + shell tools
│ ├── Dockerfile.aws # + AWS CLI v2
│ ├── Dockerfile.k8s # + kubectl, helm, flux, talosctl, terraform
│ ├── Dockerfile.ai # + AI agents (pi, gemini-cli, opencode)
│ └── config.yaml # Project-local configuration
├── dotfiles/
│ ├── .bashrc # Shell init, symlinks, OpenCode seeding
│ ├── .tmux.conf # Mouse, vi-mode, OSC 52 clipboard
│ └── .config/ # Starship, Zellij, OpenCode TUI, nvim
├── .github/workflows/
│ └── build-push.yml # CI: conditional build per layer
├── Taskfile.yml # Build tasks
└── VERSION # Current version
Quick Facts
| Property | Value |
|---|---|
| Repository | tazpod/ |
| Language | Go 1.24 |
| Default branch | master |
| Current version | 0.3.35 |
| Vault path | .tazpod/vault/vault.tar.aes |
| Default image | tazzo/tazpod-ai:latest |
| Default container | tazpod-lab |
| S3 bucket | tazlab-storage (eu-central-1) |
Canonical Starting Pages for Agents
Architecture & Concepts
- Architecture — Runtime contract, CLI model, persistence boundaries
- Image Hierarchy — 4-layer Docker build chain
- Nomadic Workflow — Recovery and host-to-host restoration
Secrets & Vault
- Vault Security — AES-256 encryption, RAM enclave, AWS bridge
- Vault Lifecycle Detail — Unlock/lock/save/push/pull step-by-step
- Sync Daemon — Background auto-save/push
- Sync Daemon Detail — 5-min cycle, SIGTERM, log path
- Crypto Detail — AES-256-GCM, PBKDF2, output format
CLI & Container Lifecycle
- Smart Entry Detail — The no-args guided flow
- Container Lifecycle Detail — Docker create/start/stop/remove
- Code Structure Detail — Package tree, function inventory, call chains
- Config Detail — .tazpod/config.yaml fields
- S3 Detail — S3 client for vault persistence
Tooling & Automation
- Dotfiles Detail — bashrc, tmux, starship, OpenCode seeding
- CI Detail — Conditional build pipeline per layer
- CLI Reference — Full command table
Known Issues / Technical Debt
| TD | Area | Summary |
|---|---|---|
| TD-017 | smartEntry() | containerUnlocked check unreliable — prompts unlock when vault already open |
| TD-018 | Container lifecycle | Default bridge MTU (1500) causes TLS blackouts on hotspot/Tailscale |
| TD-022 | save() UX | Success message even when RAM vault not mounted; push vault cwd-sensitive |
| TD-021 | Vault recovery | Bootstrap anchor gap: operator files absent even when S3 lineage is coherent |
| TD-006 | Local network | Hotspot IPv6 unverified/unreliable for validation runs |
| TD-027 | Vault auto-lock | Fixed v0.3.22 — marker files in /tmp/.tazpod-shells/ lock vault only when the last interactive shell exits |
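TD-027 describes the auto-lock rule: one marker per interactive shell under /tmp/.tazpod-shells/, and the vault locks only when the last one exits. The Go below is an added example of that rule written for this page, not TazPod's implementation. Marker files named by PID, a liveness probe via kill(pid, 0), and reaping of markers whose shell died without running its exit hook are assumptions made here to show the failure mode such a scheme has to handle: a marker left behind by a dead shell would otherwise keep the vault open forever.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"strconv"
	"syscall"
)

// ShellTracker keeps one marker file per interactive shell, named by PID, under dir.
// TazPod's markers live in /tmp/.tazpod-shells/ (TD-027); the PID naming, the liveness
// probe and the stale-marker reaping are this example's assumptions, not the project's code.
type ShellTracker struct {
	dir   string
	alive func(pid int) bool // liveness probe; injectable so the demo and tests can fake it
}

func NewShellTracker(dir string, alive func(pid int) bool) (*ShellTracker, error) {
	if err := os.MkdirAll(dir, 0o700); err != nil {
		return nil, err
	}
	if alive == nil {
		alive = processAlive
	}
	return &ShellTracker{dir: dir, alive: alive}, nil
}

// processAlive probes with kill(pid, 0): success or EPERM both mean the process exists.
func processAlive(pid int) bool {
	err := syscall.Kill(pid, 0)
	return err == nil || err == syscall.EPERM
}

func (t *ShellTracker) marker(pid int) string {
	return filepath.Join(t.dir, strconv.Itoa(pid))
}

// Enter records that an interactive shell with this PID is open (call from shell init).
func (t *ShellTracker) Enter(pid int) error {
	return os.WriteFile(t.marker(pid), nil, 0o600)
}

// Exit drops this shell's marker and reports whether the vault should now be locked:
// true only when no other live shell still holds a marker. Calling it twice is harmless.
func (t *ShellTracker) Exit(pid int) (bool, error) {
	if err := os.Remove(t.marker(pid)); err != nil && !os.IsNotExist(err) {
		return false, err
	}
	live, err := t.LiveShells()
	if err != nil {
		return false, err
	}
	return len(live) == 0, nil
}

// LiveShells lists PIDs whose marker exists and whose process is still running. A marker
// whose process is gone (shell killed, container OOM, SIGKILL skipped the exit hook) is
// reaped here, so a dead shell can never keep the vault unlocked indefinitely.
func (t *ShellTracker) LiveShells() ([]int, error) {
	entries, err := os.ReadDir(t.dir)
	if err != nil {
		return nil, err
	}
	live := []int{}
	for _, e := range entries {
		pid, err := strconv.Atoi(e.Name())
		if err != nil || e.IsDir() {
			continue // not a PID marker
		}
		if !t.alive(pid) {
			_ = os.Remove(filepath.Join(t.dir, e.Name()))
			continue
		}
		live = append(live, pid)
	}
	return live, nil
}

func main() {
	dir, err := os.MkdirTemp("", "shells")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(dir)
	running := map[int]bool{101: true, 102: true} // fake process table for the demo
	tr, _ := NewShellTracker(dir, func(pid int) bool { return running[pid] })
	for _, pid := range []int{101, 102, 99} { // 99: shell that died without cleanup
		_ = tr.Enter(pid)
	}
	lock, _ := tr.Exit(101)
	fmt.Println("lock after first shell exits:", lock) // false: 102 is still live, 99 is reaped
	lock, _ = tr.Exit(102)
	fmt.Println("lock after last shell exits:", lock) // true
}
```

The liveness probe is the piece that turns "last marker removed" into "last shell actually gone"; without it, the TD-017 symptom (the unlocked-state check disagreeing with reality) reappears as soon as one shell is killed rather than exited. Note also that a world-writable /tmp lets any local user create markers, so a tracker like this should own its directory with 0700 permissions, as NewShellTracker does.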
Relationships
- Infrastructure target: ephemeral-castle
- GitOps target: tazlab-k8s
- Semantic memory: mnemosyne-mcp-server
- Blog posts: tazpod-rising-go-cli-zero-trust, tazpod-v2-ram-vault-evolution, tazpod-zero-credentials-aws-sso