
Safety model

Conservative defaults — plan before mutation, dry-run before deletion, ownership-aware cleanup, and no secrets in logs.

Infrastructure tooling earns trust by being predictable when things go wrong. Hostwright’s safety posture is deliberately conservative, and the defaults reflect that.

Safety flow: validate the manifest, compute a plan, confirm destructive actions, then apply; dry-run exits before any mutation.
Nothing mutates before the plan is shown.

Principles

  • Plan before mutation. Runtime changes are computed and reviewable before they run.
  • Dry-run for cleanup. Destructive operations preview exactly what they would remove.
  • Explicit destructive confirmation. Removing real resources is an intentional, confirmed action.
  • Conservative validation. Unsafe or ambiguous manifests are refused, not guessed at.
  • No hidden runtime mutation. Nothing changes the runtime outside the planned, recorded path.
  • Ownership-tracked cleanup. No broad garbage collection — only resources Hostwright can prove it owns.
  • No secret leakage in logs. Secrets and credentials are kept out of events and log output.

Ownership

Hostwright must distinguish resources it created from resources you created by hand. Every Hostwright-created resource carries project and service ownership metadata where the runtime supports it; where it does not, Hostwright keeps an ownership ledger in its own state store.

The rule is strict: Hostwright never deletes a resource it cannot prove it owns.

Resource             Cleanup rule
Owned containers     Removable, with dry-run preview.
Named volumes        Never removed automatically; explicit confirmation required.
Anonymous volumes    Removed only when linked to owned containers and stale.
Networks             Removed only with ownership proof and no attached foreign resources.
Images               Not removed by default.
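The table above is a decision procedure, and it is worth seeing it written out as one. The following is an added example, not Hostwright's own code: it applies each row to a constructed inventory, separates planning from mutation, and treats dry-run as a hard stop. The label keys, the ledger as a set of (kind, name) pairs, the resource fields, the recording runtime and the inventory itself are all assumptions made for the example.

```python
from dataclasses import dataclass, field

# Assumed label keys: the page says ownership metadata exists, not how it is keyed.
PROJECT_LABEL = "hostwright.project"
SERVICE_LABEL = "hostwright.service"


@dataclass
class Resource:
    kind: str                    # "container", "volume", "network" or "image"
    name: str
    labels: dict = field(default_factory=dict)
    anonymous: bool = False      # volumes: runtime-generated name, no user intent behind it
    created_by: str = ""         # anonymous volumes: the container whose start created it
    in_use: bool = False         # volumes: currently mounted by a running container
    attached: tuple = ()         # networks: containers attached right now


def owned(res, project, ledger):
    """Ownership proof: a matching project label plus a service label, or an entry in the
    tool's own ledger (assumed: a set of (kind, name)) for runtimes that cannot carry
    labels. Anything without proof is foreign."""
    if res.labels.get(PROJECT_LABEL) == project and SERVICE_LABEL in res.labels:
        return True
    return (res.kind, res.name) in ledger


def plan_cleanup(inventory, project, ledger):
    """Pure function: decides, mutates nothing. Returns (remove, confirm, keep),
    each a list of (resource, reason), following the cleanup-rule table."""
    owned_containers = {r.name for r in inventory
                        if r.kind == "container" and owned(r, project, ledger)}
    remove, confirm, keep = [], [], []
    for r in inventory:
        is_owned = owned(r, project, ledger)
        if r.kind == "container":
            (remove if is_owned else keep).append(
                (r, "owned container" if is_owned else "container: no ownership proof"))
        elif r.kind == "volume" and not r.anonymous:
            # Named volumes may hold user data: never removed without an explicit yes.
            (confirm if is_owned else keep).append(
                (r, "named volume: explicit confirmation required" if is_owned
                    else "named volume: no ownership proof"))
        elif r.kind == "volume":
            if r.created_by in owned_containers and not r.in_use:
                remove.append((r, f"stale anonymous volume from owned container {r.created_by}"))
            else:
                keep.append((r, "anonymous volume: in use or not linked to an owned container"))
        elif r.kind == "network":
            foreign = [c for c in r.attached if c not in owned_containers]
            if is_owned and not foreign:
                remove.append((r, "owned network with no foreign attachments"))
            else:
                keep.append((r, "network: no ownership proof" if not is_owned
                                else f"network: foreign containers attached {foreign}"))
        else:
            keep.append((r, "images are not removed by default"))
    return remove, confirm, keep


class RecordingRuntime:
    # Stand-in for the container runtime: records removals instead of performing them.
    def __init__(self):
        self.removed = []

    def remove(self, res):
        self.removed.append((res.kind, res.name))


def apply_cleanup(plan, runtime, dry_run=True, confirm=lambda res: False):
    """Dry-run prints the exact removal set and returns before touching the runtime.
    A real run removes the 'remove' set and asks confirm() for each named volume."""
    remove, needs_confirm, keep = plan
    for res, why in remove:
        print(f"would remove {res.kind} {res.name}: {why}")
    for res, why in needs_confirm:
        print(f"needs confirmation: {res.kind} {res.name}: {why}")
    for res, why in keep:
        print(f"keep {res.kind} {res.name}: {why}")
    if dry_run:
        return []
    done = []
    for res, _ in remove:
        runtime.remove(res)
        done.append(res.name)
    for res, _ in needs_confirm:
        if confirm(res):
            runtime.remove(res)
            done.append(res.name)
    return done


# Constructed inventory: two owned containers, one made by hand, an owned named volume,
# a stale anonymous volume, an owned network with a foreign container attached, an image.
INVENTORY = [
    Resource("container", "shop-web", {PROJECT_LABEL: "shop", SERVICE_LABEL: "web"}),
    Resource("container", "shop-db", {PROJECT_LABEL: "shop", SERVICE_LABEL: "db"}),
    Resource("container", "scratch"),
    Resource("volume", "shop-db-data", {PROJECT_LABEL: "shop", SERVICE_LABEL: "db"}),
    Resource("volume", "7c1e9a0b4f", anonymous=True, created_by="shop-web", in_use=False),
    Resource("network", "shop-net", {PROJECT_LABEL: "shop", SERVICE_LABEL: "net"},
             attached=("shop-web", "scratch")),
    Resource("image", "postgres:16"),
]
LEDGER = set()  # empty: this runtime carries labels, so nothing needs the ledger
```

Running `apply_cleanup(plan_cleanup(INVENTORY, "shop", LEDGER), RecordingRuntime())` prints the preview and removes nothing; the hand-made `scratch` container is kept for lack of proof, `shop-net` is kept because `scratch` is attached to it, and `shop-db-data` is only removed when the confirm callback says yes. The point of the split is that `plan_cleanup` can be unit-tested against any inventory without a runtime in sight.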

Refusing unsafe applies

Hostwright would rather stop than do something dangerous. An apply is refused when, for example:

  • the stack exceeds the configured safe memory budget;
  • a service requests amd64 emulation without an explicit policy;
  • a required macOS, network, or container feature is unavailable;
  • a port conflict exists with no declared alternative;
  • an operation would require privileged access you have not approved.
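What "refuse rather than guess" looks like in code, as an added example that is not Hostwright's own: one check per bullet above, every reason collected rather than the first one aborting, and an apply that proceeds only on an empty list. The manifest layout, the host-fact keys and the policy keys are assumptions made for the example.

```python
MEM_UNITS = {"Mi": 1 << 20, "Gi": 1 << 30}


def parse_mem(text):
    """Parse '512Mi' or '2Gi' into bytes; any other spelling is ambiguous and refused."""
    for suffix, mult in MEM_UNITS.items():
        if text.endswith(suffix):
            return int(text[: -len(suffix)]) * mult
    raise ValueError(f"ambiguous memory size {text!r}")


def validate_apply(manifest, host, policy):
    """Return every reason to refuse. An empty list is the only green light."""
    refusals = []
    services = manifest["services"]

    # Memory budget: the whole stack, not each service, must fit the configured budget.
    try:
        total = sum(parse_mem(s.get("memory", "256Mi")) for s in services.values())
    except ValueError as e:
        return [f"manifest: {e}"]
    budget = parse_mem(policy["safe_memory_budget"])
    if total > budget:
        refusals.append(f"stack needs {total >> 20}Mi, safe budget is {budget >> 20}Mi")

    claimed_ports = {}
    for name, svc in services.items():
        # Emulation (amd64 on an arm64 host) only with an explicit per-service policy.
        plat = svc.get("platform", host["arch"])
        if plat != host["arch"] and name not in policy.get("emulation_allowed", ()):
            refusals.append(f"{name}: requests {plat} emulation on {host['arch']} without a policy")

        # Required host features must be present, not assumed.
        missing = sorted(set(svc.get("requires", ())) - set(host["features"]))
        if missing:
            refusals.append(f"{name}: required features unavailable: {', '.join(missing)}")

        # Host ports: a conflict is refused unless the manifest declared a free alternative.
        for port in svc.get("ports", ()):
            chosen = None
            for candidate in (port["host"], *port.get("alternatives", ())):
                if candidate not in host["ports_in_use"] and candidate not in claimed_ports:
                    chosen = candidate
                    break
            if chosen is None:
                refusals.append(f"{name}: host port {port['host']} is in use and no free alternative was declared")
            else:
                claimed_ports[chosen] = name

        # Privileged operations need the operator's prior approval, per service.
        if svc.get("privileged") and name not in policy.get("privileged_approved", ()):
            refusals.append(f"{name}: privileged access requested but not approved")

    return refusals


# Constructed inputs: a manifest with one violation of each kind, and the host and
# policy it is validated against. Nothing here is a real Hostwright schema.
HOST = {"arch": "arm64", "features": {"rosetta", "virtualization"}, "ports_in_use": {5432, 8080}}
POLICY = {"safe_memory_budget": "4Gi", "emulation_allowed": (), "privileged_approved": ("web",)}
BAD_MANIFEST = {"services": {
    "web":    {"memory": "3Gi", "ports": [{"host": 8080, "alternatives": [8081]}], "privileged": True},
    "legacy": {"memory": "2Gi", "platform": "amd64", "ports": [{"host": 5432}]},
    "gpu":    {"memory": "512Mi", "requires": ["metal-passthrough"], "privileged": True},
}}
SAFE_MANIFEST = {"services": {
    "web": {"memory": "1Gi", "ports": [{"host": 8080, "alternatives": [8081]}], "privileged": True},
}}
```

`validate_apply(BAD_MANIFEST, HOST, POLICY)` returns five refusals (budget, emulation, feature, port, privilege); `web` survives its own port conflict because 8081 was declared and is free. The safe manifest returns an empty list. Reporting all reasons at once matters for the operator: fixing one and re-running only to hit the next is how people start bypassing validators.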

Secrets

Secrets are not committed into manifests. Local secrets are kept in the macOS Keychain rather than in any Hostwright-managed plaintext file. Mounts are least-privilege and read-only unless explicitly made writable.
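One way to keep Keychain-backed secrets out of manifests and out of the event stream, as an added example rather than Hostwright's own code: the manifest carries only a reference, the value is resolved at apply time, and every emitted event is scrubbed against the set of values that were ever resolved, so a secret that leaks into an error string or a dumped environment is still masked. The `keychain:service/account` reference syntax, the event shape and the `FAKE_KEYCHAIN` stand-in are assumptions; `keychain_lookup` uses the real macOS `security find-generic-password` command and only works on macOS.

```python
import json
import re
import subprocess

# Assumed reference syntax: the manifest names a Keychain item, never a value.
SECRET_REF = re.compile(r"^keychain:(?P<service>[\w.-]+)/(?P<account>[\w.-]+)$")


def keychain_lookup(service, account):
    """Read a generic password from the macOS Keychain (macOS only; not used in the demo)."""
    out = subprocess.run(["security", "find-generic-password", "-s", service, "-a", account, "-w"],
                         capture_output=True, text=True, check=True)
    return out.stdout.rstrip("\n")


class SecretStore:
    """Resolves references and remembers every value handed out, so the scrubber can
    redact them wherever they turn up: error text, command lines, debug dumps."""
    def __init__(self, lookup=keychain_lookup):
        self._lookup = lookup
        self.issued = set()

    def resolve(self, ref):
        m = SECRET_REF.match(ref)
        if not m:
            raise ValueError("secrets must be keychain references, not literal values")
        value = self._lookup(m["service"], m["account"])
        self.issued.add(value)
        return value

    def scrub(self, text):
        # Longest values first, so a value containing another is masked whole.
        for v in sorted(self.issued, key=len, reverse=True):
            if v:
                text = text.replace(v, "[REDACTED]")
        return text


class EventLog:
    """Structured event sink; every string inside an event passes through the scrubber."""
    def __init__(self, store):
        self.store, self.events = store, []

    def _clean(self, v):
        if isinstance(v, str):
            return self.store.scrub(v)
        if isinstance(v, dict):
            return {k: self._clean(x) for k, x in v.items()}
        if isinstance(v, (list, tuple)):
            return [self._clean(x) for x in v]
        return v

    def emit(self, event, **fields):
        record = {"event": event, **{k: self._clean(v) for k, v in fields.items()}}
        self.events.append(record)
        return json.dumps(record)


def render_env(manifest_env, store):
    """Apply-time step: references become values, plain settings pass through unchanged."""
    return {k: store.resolve(v) if v.startswith("keychain:") else v for k, v in manifest_env.items()}


# Constructed stand-in for the Keychain so the example runs anywhere.
FAKE_KEYCHAIN = {("shop-db", "app"): "hunter2-but-longer"}


def demo():
    store = SecretStore(lookup=lambda s, a: FAKE_KEYCHAIN[(s, a)])
    log = EventLog(store)
    manifest_env = {"PGPASSWORD": "keychain:shop-db/app", "LOG_LEVEL": "info"}
    log.emit("plan", service="db", ref=manifest_env["PGPASSWORD"])      # reference only
    runtime_env = render_env(manifest_env, store)                        # value exists only here
    # A careless failure path that includes the whole environment in its message.
    line = log.emit("apply_failed", service="db", env=runtime_env,
                    detail=f"exec failed with env {runtime_env}")
    return runtime_env, line, log.events
```

In `demo()` the resolved password reaches the runtime environment but never the log: the plan event records `keychain:shop-db/app`, and the failure event's `env` and `detail` fields both come out with `[REDACTED]` in place of the value. The scrubber is a backstop, not the primary control; the primary control is that nothing in the planning path ever holds the value.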

Open questions

  • The exact ownership metadata Apple container can carry, versus what must live only in Hostwright’s ledger.
  • Whether anonymous-volume cleanup can be made safe enough to enable without confirmation.