Fix runner local build ABI validation

[law-chain-hot]

Problem

Dev box creation failed in the runner before VM startup with errors like failed to create box: add port 33689:2280 failed with code 402665120. A direct C probe against the existing dev-machine static libraries returned non-BoxLite error codes, while a fresh origin/main build returned new=0 add_port=0.

That points to a stale or bad sdks/go/libboxlite.a being linked into locally built runner binaries. The Go workspace was already pointing runner at the local Go SDK; the missing guard was rebuilding and validating the static library before runner builds.

Changes

• Add scripts/build/check-libboxlite-abi.sh, a minimal C ABI smoke test for boxlite_options_new plus boxlite_options_add_port.
• Make make dist:go rebuild boxlite-c, fix Go symbols, smoke-test target/release/libboxlite.a, copy it into sdks/go/libboxlite.a, and clear the Go build cache.
• Add make dist:runner / scripts/build/build-runner-binary.sh for a Linux dev-machine runner artifact build that does not deploy or replace any EC2 binary.
• Add the same ABI smoke test to the GitHub runner binary workflow after it downloads the release libboxlite.a.
• Document that scripts/deploy/runner-update-binary.sh still downloads published release assets; unreleased main builds should be produced with make dist:runner.

Verification

• Local: bash -n scripts/build/check-libboxlite-abi.sh && bash -n scripts/build/build-runner-binary.sh.
• Local: git diff --check.
• Local: make help | rg "dist:(go|runner)".
• Dev machine: checked out fbf3cc58 in /home/brian/work/boxlite/repos/boxlite and ran OUTPUT_DIR=/home/brian/work/boxlite/tmp/runner-build-fbf3cc58 make dist:runner.
• Dev machine result: target/release/libboxlite.a smoke test returned new=0 add_port=0.
• Dev machine result: sdks/go/libboxlite.a smoke test returned new=0 add_port=0.
• Dev machine artifact: /home/brian/work/boxlite/tmp/runner-build-fbf3cc58/boxlite-runner, sha256 ab29caef2764b7359af630c537790b26338f38104b694568d15f9a3185e55ab8.
• Dev machine artifact tarball: /home/brian/work/boxlite/tmp/runner-build-fbf3cc58/boxlite-runner-v0.9.5-linux-amd64-fbf3cc58.tar.gz, sha256 f51281dbe0aba47096c150b10e62693432eb43565b221cb672cf2aab1b93f93d.

Scope

No SST deploy, no SSM command, no EC2 replacement, and no live runner binary replacement was performed.

The dashboard image/template visibility issue is separate. Current code removed the create-box image picker and hides the Images route, while the API allowlist still exists. That should be a follow-up product/API PR rather than part of this runner build-chain fix.

Summary by CodeRabbit

• Chores
  • Enhanced build infrastructure with ABI validation checks to ensure binary compatibility
  • Improved distribution automation for runner artifact generation
  • Updated build documentation and help output

[coderabbitai]

📝 Walkthrough

Walkthrough

Adds two new Bash scripts: check-libboxlite-abi.sh, which compiles a C probe against libboxlite.a and validates the ABI, and build-runner-binary.sh, which orchestrates the full Linux amd64 runner binary build. Both are wired into the dist:go/dist:runner Make targets, the CI workflow, and help/deploy documentation.

Changes

Runner Build Pipeline

Layer / File(s)	Summary
ABI smoke-test script scripts/build/check-libboxlite-abi.sh	New script initializes paths and compiler checks, generates a C probe exercising boxlite_options_new and boxlite_options_add_port, compiles it against the static library with platform-specific link flags, and asserts the exact output new=0 add_port=0.
Runner binary build script scripts/build/build-runner-binary.sh	New script resolves VERSION/COMMIT, enforces Linux-only execution, validates required tools, invokes make dist:go and the ABI check, performs two CGO-mode Go builds for daemon assets, builds the runner binary with a Version linker flag, packages it as tar.gz, and prints sha256 checksums.
Make targets, CI workflow, and docs make/dist.mk, make/help.mk, .github/workflows/build-runner-binary.yml, scripts/deploy/runner-update-binary.sh	dist:go gains ABI check, sdks/go/libboxlite.a copy, and go clean -cache steps; CI adds a smoke-test step before the build; help.mk documents dist:runner; runner-update-binary.sh gains a comment directing unreleased-build users to make dist:runner.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes

Suggested reviewers

• DorianZheng

Poem

🐇 Hippity-hop, the ABI won't flop,
A C probe compiled to make wrong builds stop.
The runner now bundles with checksum and tar,
new=0 add_port=0 — that's quite the gold bar!
From Make to CI, each step in a row,
This bunny approves — off to production we go! 🎉

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title directly and concisely summarizes the main change: adding ABI validation to the runner local build process. It accurately reflects the primary objective of fixing issues with stale libboxlite.a by introducing validation checks.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch codex/fix-runner-libboxlite-abi

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@scripts/build/build-runner-binary.sh`:
- Around line 27-30: The make command is invoked on line 38 but is not validated
in the prerequisite dependency checks (lines 27-30). Add a require_command call
for make in the same pattern as the existing require_command calls for git, go,
tar, and sha256sum to ensure users receive a guided error message if make is not
installed rather than a generic command not found error.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro Plus

Run ID: 6a1c8237-115a-4152-a655-d74f70fddb08

📥 Commits

Reviewing files that changed from the base of the PR and between 5575072 and fbf3cc5.

📒 Files selected for processing (6)

• .github/workflows/build-runner-binary.yml
• make/dist.mk
• make/help.mk
• scripts/build/build-runner-binary.sh
• scripts/build/check-libboxlite-abi.sh
• scripts/deploy/runner-update-binary.sh

[coderabbitai]

⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Add an explicit make prerequisite check.

Line 38 invokes make, but make is not validated in the dependency checks. On minimal hosts this fails with a generic command not found instead of a guided error.

Suggested patch

 require_command git "Install git"
+require_command make "Install GNU Make"
 require_command go "Install Go"
 require_command tar "Install tar"
 require_command sha256sum "Install coreutils"

Also applies to: 38-38

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@scripts/build/build-runner-binary.sh` around lines 27 - 30, The make command
is invoked on line 38 but is not validated in the prerequisite dependency checks
(lines 27-30). Add a require_command call for make in the same pattern as the
existing require_command calls for git, go, tar, and sha256sum to ensure users
receive a guided error message if make is not installed rather than a generic
command not found error.

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: fbf3cc587d

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

Gate dist:runner to amd64 before staging libboxlite

On Linux arm64 or any non-amd64 host, this make dist:go invocation builds and smoke-tests sdks/go/libboxlite.a for the host architecture, but the script later forces the cgo runner build with GOARCH=amd64 (go help environment confirms GOARCH is the target architecture). The ABI probe also runs natively, so it can pass while the subsequent amd64 cgo link consumes an arm64 archive and fails; either reject non-amd64 hosts here or build the C archive for the same target as the runner.

Useful? React with 👍 / 👎.