Use this checklist when building or adopting your own OCI images for Waggle runtimes.
- A POSIX shell at `/bin/sh`.
- GNU coreutils with `base64` (Waggle uses `base64 -d` for SSH payloads).
- GNU findutils with `find -printf` (used by `list_files`).
- A writable home directory for the `sandbox` user.
- `python3` is present and runnable.
- `pip` is available for installs (prefer a venv or user install).
- If you ship a venv, ensure its interpreter and pip are on PATH or set overrides.
- `node` and `npm` are available.
- Global installs should target a writable prefix, or use overrides.
- A package manager is available if you want `install_packages` to work: `apk`, `apt-get`, `dnf`, `yum`, or `zypper`.
- The `sandbox` user must have permission to install packages (or expect install failures).
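
A preflight for the checklist above, as an added example rather than Waggle's own code; run it inside the image as the `sandbox` user. The function names, the `--run` switch and the scratch file name are assumptions of this example, and the runtimes are probed as `python3`, `pip`, `node` and `npm` on PATH.

```shell
#!/bin/sh
# Preflight for a Waggle runtime image (added example, not Waggle's code).
# Usage inside the image, as the sandbox user: sh preflight.sh --run

# Print the first package manager from the checklist found on PATH.
find_pkg_manager() {
    for pm in apk apt-get dnf yum zypper; do
        if command -v "$pm" >/dev/null 2>&1; then echo "$pm"; return 0; fi
    done
    return 1
}

# "b2s=" is a constructed sample: base64 for "ok".
probe_base64() { [ "$(printf 'b2s=' | base64 -d 2>/dev/null)" = "ok" ]; }

# find must support the GNU -printf action.
probe_find_printf() { [ "$(find / -maxdepth 0 -printf 'ok' 2>/dev/null)" = "ok" ]; }

# The directory must exist and accept a new file from the current user.
probe_writable_dir() {
    [ -d "$1" ] || return 1
    probe_file="$1/.preflight.$$"   # hypothetical scratch file name
    ( : > "$probe_file" ) 2>/dev/null || return 1
    rm -f "$probe_file"
}

# Run one check quietly, print ok/FAIL with its label, return its status.
check() {
    label=$1; shift
    if "$@" >/dev/null 2>&1; then echo "ok   $label"; else echo "FAIL $label"; return 1; fi
}

preflight() {
    failed=0
    check "/bin/sh is executable"      test -x /bin/sh   || failed=1
    check "base64 -d decodes"          probe_base64      || failed=1
    check "find -printf works"         probe_find_printf || failed=1
    check "home directory is writable" probe_writable_dir "${HOME:-/nonexistent}" || failed=1
    check "python3 runs"               python3 -c 'pass' || failed=1
    check "pip is available"           pip --version     || failed=1
    check "node runs"                  node -e '0'       || failed=1
    check "npm is available"           npm --version     || failed=1
    check "package manager on PATH"    find_pkg_manager  || failed=1
    return "$failed"
}

case "${1:-}" in --run) preflight ;; esac
```

A non-zero exit status means at least one line printed `FAIL`, which makes the script usable as a gate in an image build.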
Waggle chooses commands in this order:
- Config overrides via `WAGGLE_RUNTIME_*` env vars
- Probed commands inside the VM (when available)
- Built-in fallbacks (`python3`, `pip install`, `node`, `npm install -g`, `sh`, `apk add --no-cache`)
Overrides must be absolute paths and use simple, safe arguments. Examples:
```shell
export WAGGLE_RUNTIME_PYTHON_EXEC_COMMAND=/usr/bin/python3
export WAGGLE_RUNTIME_PYTHON_INSTALL_COMMAND="/usr/bin/pip3 install --no-cache-dir"
export WAGGLE_RUNTIME_NODE_EXEC_COMMAND=/usr/local/bin/node
export WAGGLE_RUNTIME_NODE_INSTALL_COMMAND="/usr/local/bin/npm install -g"
```

- If `install_packages` fails, verify the package manager path and permissions.
- If `execute` fails, verify the runtime binary exists at the resolved path.
- If `list_files` is empty or errors, confirm `find -printf` is available.
- For Python, `install_packages` will retry in a venv when PEP 668 blocks system installs. Subsequent `execute` calls will use the venv interpreter automatically.

Waggle probes runtime capabilities (available binaries, package managers) to improve command resolution. This data is internal and not exposed over MCP by default. If we ever add an API for it, it will be redacted and opt-in to avoid leaking environment details.