Skip to content

Just Recipes

just is the task runner. Every build, test, and release workflow goes through the justfile. Run just --list to see all public recipes.

RecipeWhat it doesTime
just shellBuild/sign as needed, boot a VM, and attach a shell~10s after first build
just exec "CMD"Run a command in a fresh disposable VM, then destroy it~10s after first build
just run-serviceStart or reuse the daemon servicecontinuous
just uiTauri desktop app with hot reload and the service pathcontinuous
just dev-frontendFrontend-only dev server with mock data on port 5173continuous
just build-ui [release]Frontend build plus cargo build -p capsem-appbuild dependent

just shell is the daily VM driver. just exec "CMD" is the one-shot path for quick checks. After frontend changes intended for the desktop app, use just build-ui; the Tauri binary embeds frontend/dist at cargo build time.

RecipeWhat it doesBoots VM?
just smokeFast end-to-end gate: audit, doctor, injection, service/CLI/MCP/gateway testsYes
just testFull gate: unit, coverage, cross-compile, frontend, Python, injection, integration, benchmarks, install E2EYes
just test-gatewayGateway unit and mock-UDS testsNo
just test-gateway-e2eGateway E2E tests with real service and VMsYes
just test-installInstaller E2E plus local release glow-up in Docker/systemdNo host VM
just benchIn-VM and host lifecycle benchmarksYes

just test is the source of truth. Targeted commands are for iteration, not for declaring a sprint done.

Policy work spans parser contracts, runtime boundaries, settings UI, docs, and telemetry. Use this sequence for focused iteration:

StepCommand
Rust policy contractscargo test -p capsem-core policy_config --lib
Framed MCP policycargo test -p capsem-core net::mitm_proxy::mcp_frame --lib
Frontend policy UI/modelpnpm -C frontend test -- settings-model settings-export api settings-store
Frontend type/check gatepnpm -C frontend run check
Docs gatecd docs && pnpm run build
VM smokejust smoke
Session integrityjust inspect-session [id]
Session SQL proofjust query-session "SQL" [id]
Final gatejust test

Useful policy audit queries:

Terminal window
just query-session "
SELECT event_id, event_type, rule_id, rule_action, detection_level
FROM security_rule_events
ORDER BY timestamp_unix_ms DESC
LIMIT 20;"
Terminal window
just query-session "
SELECT m.event_id, m.server_name, m.method, m.tool_name, m.decision,
s.rule_id, s.rule_action, s.detection_level
FROM tool_calls m
LEFT JOIN security_rule_events s ON s.event_id = m.event_id
WHERE m.origin = 'mcp'
ORDER BY m.id DESC
LIMIT 20;"
Terminal window
just query-session "
SELECT n.event_id, n.domain, n.method, n.path, n.decision,
s.rule_id, s.rule_action, s.detection_level
FROM net_events n
JOIN security_rule_events s ON s.event_id = n.event_id
ORDER BY n.id DESC
LIMIT 20;"
RecipeWhat it doesTime
just build-assets code [arch]Full profile-derived rebuild: kernel + rootfs via capsem-admin (needs Docker)~10 min
just build-kernel <arch> codeKernel only through the profile-derived build rail~5 min
just build-rootfs <arch> codeRootfs only through the profile-derived build rail~8 min
just cross-compile [arch]Full Linux build in container: agent binaries + .deb package~15 min

You only need just build-assets code on first setup or when profile-owned package/root/install inputs or backend image templates change rootfs contents. Day-to-day, just shell and just exec repack the initrd without rebuilding rootfs images.

Runtime recipes run the shared generated-config path:

_check-assets -> _pack-initrd -> _materialize-config -> _ensure-service

_materialize-config invokes capsem-admin profile materialize, which writes the current-build runtime profile under target/config/ from checked-in config/ source files and assets/manifest.json.

RecipeWhat it does
just inspect-session [id]Session DB integrity check + event summary (latest by default)
just list-sessionsTable of recent sessions with event counts per table
just query-session "SQL" [id]Run raw SQL against a session DB
just update-fixture <path>Copy + scrub a real session DB as test fixture
RecipeWhat it does
just auditCheck for known vulnerabilities in Rust + npm deps
just update-depscargo update + pnpm update to latest compatible versions
just update-pricesRefresh model pricing JSON from upstream
just doctorCheck tools, colored output, structured recap (exits 1 if failures)
just doctor fixDoctor + auto-fix all fixable issues in dependency order
RecipeWhat it does
just cut-releaseRun tests, bump version, stamp changelog, commit, and create a local tag
just release [tag]Wait for CI to build + publish a pushed tag
just installBuild release package and install locally
RecipeWhat it does
just cleanRemove Rust + frontend build artifacts
just clean allDeep clean: build artifacts + container images + docker cache

Recipes automatically pull in their prerequisites. You never need to run setup steps manually.

shell -> _check-assets + _pack-initrd + _ensure-service
exec -> run-service
run-service -> _check-assets + _pack-initrd + _ensure-service
ui -> _ensure-setup + _pnpm-install + run-service
build-ui -> _pnpm-install + frontend build + cargo build -p capsem-app
smoke -> _install-tools + _pnpm-install + _check-assets + _pack-initrd + _ensure-service
test -> _install-tools + _clean-stale + _pnpm-install + _generate-settings + _check-assets + _pack-initrd
build-assets -> _install-tools + _clean-stale + doctor + capsem-admin image build
test-install -> Docker package install + generated local stable/nightly glow-up
cut-release -> test + _stamp-version

_-prefixed recipes are internal (hidden from just --list). Key internal recipes:

RecipeWhat it does
_ensure-setupChecks setup state and required tools
_install-toolsAuto-installs Rust targets, components, and cargo tools
_pack-initrdCross-compiles guest agent + repacks initrd with latest binaries
_signCodesigns the binary with virtualization entitlement
_check-assetsVerifies VM assets exist, tells you to run build-assets if not
_generate-settingsGenerates settings schema, UI metadata, and frontend mock data
_ensure-serviceBuilds/signs host binaries and starts or reuses the service