Sandbox-wide setup / uninstall — single-call bootstrap of the full stack.
Composes the supervisor OCI hooks + shield hooks + gate install phases
plus the credentials-DB encryption phase into one idempotent setup
verb and the symmetric teardown verb. Each phase runs its own
idempotent install cycle so a re-run after a pipx upgrade picks up the
new code. A one-shot legacy cleanup phase runs first to sweep systemd
units / sockets installed by pre-supervisor versions.
Higher-level frontends (terok setup, terok-executor setup) reuse
this so they install everything in one call.
SETUP_COMMANDS = (CommandDef(name='setup', help='Install supervisor hooks + shield hooks in one step', handler=_handle_sandbox_setup, args=(ArgDef(name='--no-shield', action='store_true', help='Skip shield install'), ArgDef(name='--no-vault', action='store_true', help='Skip the credentials-DB encryption phase'), ArgDef(name='--echo-passphrase', action='store_true', help='Also print any auto-generated vault passphrase to stdout (default off — the value otherwise only reaches /dev/tty, so non-interactive bootstraps must opt in to capture it)'), ArgDef(name='--passphrase-tier', default=None, help='Force credentials-DB passphrase storage to a specific tier (systemd-creds | keyring | session-file | config) instead of the auto-detect / chooser chain. Required on a non-TTY host without systemd-creds — the silent session-file fallback was removed in v0.0.100 because it minted a passphrase the operator never saw and lost it on the first reboot.'))), CommandDef(name='uninstall', help='Remove supervisor hooks + shield hooks in one step', handler=_handle_sandbox_uninstall, args=(ArgDef(name='--no-shield', action='store_true', help='Skip shield uninstall'),)))
module-attribute
__all__ = ['SETUP_COMMANDS']
module-attribute