feat: Native WriteFile protocol, skill-aware claudio, and E2E skill pipeline tests

Replace shell-based write_file (sh + base64) with native WriteFile/MkdirP
protocol messages handled directly by the guest-agent in Rust. This removes
the dependency on BusyBox/shell binaries in the guest initramfs.

- Add WriteFile (11), WriteFileResponse (12), MkdirP (13), MkdirPResponse (14)
  message types to void-box-protocol
- Guest-agent handles file writes as root with auto-chown to uid 1000
- Extend claudio to discover provisioned skills (/root/.claude/skills/*.md)
  and MCP config (mcp.json), report in output, simulate MCP tool calls
- Add 6 E2E KVM tests verifying skill provisioning end-to-end

Co-authored-by: Cursor <cursoragent@cursor.com>

Author: dpsoft

claudio/src/main.rs

@@ -16,6 +16,8 @@ use serde::Serialize;
 use void_box_protocol::{
     ExecRequest, ExecResponse, MessageType,
     TelemetryBatch, SystemMetrics, ProcessMetrics,
+    WriteFileRequest, WriteFileResponse,
+    MkdirPRequest, MkdirPResponse,
 };
 
 /// vsock port we listen on
@@ -432,6 +434,20 @@ fn handle_connection(fd: RawFd) -> Result<(), String> {
                 telemetry_stream_loop(fd);
                 return Ok(());
             }
+            11 => {
+                // WriteFile - native file write (no shell/base64 needed)
+                let request: WriteFileRequest = serde_json::from_slice(&payload)
+                    .map_err(|e| format!("Failed to parse WriteFileRequest: {}", e))?;
+                let response = handle_write_file(&request);
+                send_response(fd, MessageType::WriteFileResponse, &response)?;
+            }
+            13 => {
+                // MkdirP - create directories
+                let request: MkdirPRequest = serde_json::from_slice(&payload)
+                    .map_err(|e| format!("Failed to parse MkdirPRequest: {}", e))?;
+                let response = handle_mkdir_p(&request);
+                send_response(fd, MessageType::MkdirPResponse, &response)?;
+            }
             _ => {
                 eprintln!("Unknown message type: {}", msg_type);
             }
@@ -586,6 +602,94 @@ fn send_response<T: Serialize>(fd: RawFd, msg_type: MessageType, payload: &T) ->
     Ok(())
 }
 
+// ---------------------------------------------------------------------------
+// Native file operations (no shell/base64 required)
+// ---------------------------------------------------------------------------
+
+/// Handle a WriteFile request: write content directly to the guest filesystem.
+/// Runs as root (no privilege drop) since this is host-initiated provisioning.
+/// After writing, the file and its parent directories are chowned to uid 1000
+/// so the sandbox user can read them (e.g., when claudio runs as uid 1000).
+fn handle_write_file(request: &WriteFileRequest) -> WriteFileResponse {
+    // Create parent directories if requested
+    if request.create_parents {
+        if let Some(parent) = std::path::Path::new(&request.path).parent() {
+            if let Err(e) = std::fs::create_dir_all(parent) {
+                return WriteFileResponse {
+                    success: false,
+                    error: Some(format!("Failed to create parent dirs {}: {}", parent.display(), e)),
+                };
+            }
+            // Make parent directories readable by sandbox user (uid 1000)
+            chown_recursive(parent);
+        }
+    }
+
+    // Write the file content
+    match std::fs::write(&request.path, &request.content) {
+        Ok(()) => {
+            // Make the file readable by sandbox user (uid 1000)
+            let c_path = std::ffi::CString::new(request.path.as_str()).unwrap_or_default();
+            unsafe {
+                libc::chown(c_path.as_ptr(), 1000, 1000);
+                // Ensure file is world-readable
+                libc::chmod(c_path.as_ptr(), 0o644);
+            }
+            kmsg(&format!("Wrote {} bytes to {}", request.content.len(), request.path));
+            WriteFileResponse {
+                success: true,
+                error: None,
+            }
+        }
+        Err(e) => WriteFileResponse {
+            success: false,
+            error: Some(format!("Failed to write {}: {}", request.path, e)),
+        },
+    }
+}
+
+/// Recursively chown a path and its parents to uid 1000:1000.
+/// Only affects directories that are owned by root.
+fn chown_recursive(path: &std::path::Path) {
+    let mut current = path.to_path_buf();
+    loop {
+        if let Ok(c_path) = std::ffi::CString::new(current.to_string_lossy().as_ref()) {
+            unsafe {
+                libc::chown(c_path.as_ptr(), 1000, 1000);
+                // Ensure directory is traversable
+                libc::chmod(c_path.as_ptr(), 0o755);
+            }
+        }
+        match current.parent() {
+            Some(p) if p != current && p.to_string_lossy() != "/" => {
+                current = p.to_path_buf();
+            }
+            _ => break,
+        }
+    }
+}
+
+/// Handle a MkdirP request: create directories recursively.
+/// Runs as root (no privilege drop) since this is host-initiated provisioning.
+/// After creating, directories are chowned to uid 1000 so the sandbox user
+/// can access them.
+fn handle_mkdir_p(request: &MkdirPRequest) -> MkdirPResponse {
+    match std::fs::create_dir_all(&request.path) {
+        Ok(()) => {
+            chown_recursive(std::path::Path::new(&request.path));
+            kmsg(&format!("Created directory {}", request.path));
+            MkdirPResponse {
+                success: true,
+                error: None,
+            }
+        }
+        Err(e) => MkdirPResponse {
+            success: false,
+            error: Some(format!("Failed to create directory {}: {}", request.path, e)),
+        },
+    }
+}
+
 // ---------------------------------------------------------------------------
 // Telemetry: procfs parsing and streaming
 // ---------------------------------------------------------------------------

guest-agent/src/main.rs

@@ -12,7 +12,11 @@ use std::time::{Duration, Instant};
 
 use tracing::{info, warn};
 
-use crate::guest::protocol::{ExecRequest, ExecResponse, Message, MessageType, TelemetryBatch};
+use crate::guest::protocol::{
+    ExecRequest, ExecResponse, Message, MessageType, TelemetryBatch,
+    WriteFileRequest, WriteFileResponse,
+    MkdirPRequest, MkdirPResponse,
+};
 use crate::{Error, Result};
 
 
@@ -161,6 +165,135 @@ impl VsockDevice {
         Ok(response)
     }
 
+    /// Write a file to the guest filesystem using the native WriteFile protocol.
+    ///
+    /// This sends a WriteFile message directly to the guest-agent, which writes
+    /// the file in Rust without needing `sh`, `echo`, or `base64`. Parent
+    /// directories are created automatically. The write runs as root in the
+    /// guest (appropriate for host-initiated provisioning like skill files).
+    pub async fn send_write_file(&self, path: &str, content: &[u8]) -> Result<WriteFileResponse> {
+        let request = WriteFileRequest {
+            path: path.to_string(),
+            content: content.to_vec(),
+            create_parents: true,
+        };
+
+        let mut stream = self.connect_with_handshake().await?;
+
+        // Set generous read timeout
+        let _ = stream.set_read_timeout(Some(Duration::from_secs(30)));
+
+        let message = Message {
+            msg_type: MessageType::WriteFile,
+            payload: serde_json::to_vec(&request)?,
+        };
+        stream
+            .write_all(&message.serialize())
+            .map_err(|e| Error::Guest(format!("Failed to send WriteFile: {}", e)))?;
+
+        let response_msg = Message::read_from_sync(&mut stream)?;
+        if response_msg.msg_type != MessageType::WriteFileResponse {
+            return Err(Error::Guest(format!(
+                "Unexpected response type for WriteFile: {:?}",
+                response_msg.msg_type
+            )));
+        }
+
+        let response: WriteFileResponse = serde_json::from_slice(&response_msg.payload)?;
+        Ok(response)
+    }
+
+    /// Create directories in the guest filesystem (mkdir -p).
+    pub async fn send_mkdir_p(&self, path: &str) -> Result<MkdirPResponse> {
+        let request = MkdirPRequest {
+            path: path.to_string(),
+        };
+
+        let mut stream = self.connect_with_handshake().await?;
+
+        let _ = stream.set_read_timeout(Some(Duration::from_secs(10)));
+
+        let message = Message {
+            msg_type: MessageType::MkdirP,
+            payload: serde_json::to_vec(&request)?,
+        };
+        stream
+            .write_all(&message.serialize())
+            .map_err(|e| Error::Guest(format!("Failed to send MkdirP: {}", e)))?;
+
+        let response_msg = Message::read_from_sync(&mut stream)?;
+        if response_msg.msg_type != MessageType::MkdirPResponse {
+            return Err(Error::Guest(format!(
+                "Unexpected response type for MkdirP: {:?}",
+                response_msg.msg_type
+            )));
+        }
+
+        let response: MkdirPResponse = serde_json::from_slice(&response_msg.payload)?;
+        Ok(response)
+    }
+
+    /// Connect to the guest agent and perform a Ping/Pong handshake.
+    /// Shared helper for send_write_file, send_mkdir_p, etc.
+    async fn connect_with_handshake(&self) -> Result<VsockStream> {
+        // Short initial wait for guest kernel to boot
+        tokio::time::sleep(Duration::from_secs(2)).await;
+
+        let mut delay = Duration::from_millis(100);
+        let deadline = Instant::now() + Duration::from_secs(30);
+        const HANDSHAKE_TIMEOUT: Duration = Duration::from_secs(3);
+        let mut attempt: u32 = 0;
+
+        loop {
+            if Instant::now() >= deadline {
+                eprintln!("[vsock] deadline reached after {} connect/handshake attempts", attempt);
+                return Err(Error::Guest(
+                    "vsock: deadline reached (connect or handshake)".into(),
+                ));
+            }
+
+            attempt += 1;
+
+            let mut s = match self.connect_to_guest(GUEST_AGENT_PORT) {
+                Ok(stream) => {
+                    eprintln!("[vsock] attempt {} connect OK (cid={}, port={})", attempt, self.cid, GUEST_AGENT_PORT);
+                    stream
+                }
+                Err(e) => {
+                    eprintln!("[vsock] attempt {} connect failed: {} (retry in {:?})", attempt, e, delay);
+                    tokio::time::sleep(delay).await;
+                    delay = std::cmp::min(delay * 2, Duration::from_secs(2));
+                    continue;
+                }
+            };
+
+            // Handshake: Ping -> Pong
+            if let Err(_e) = s.set_read_timeout(Some(HANDSHAKE_TIMEOUT)) {
+                tokio::time::sleep(delay).await;
+                delay = std::cmp::min(delay * 2, Duration::from_secs(2));
+                continue;
+            }
+            let ping_msg = Message {
+                msg_type: MessageType::Ping,
+                payload: vec![],
+            };
+            if s.write_all(&ping_msg.serialize()).is_err() {
+                tokio::time::sleep(delay).await;
+                delay = std::cmp::min(delay * 2, Duration::from_secs(2));
+                continue;
+            }
+            match Message::read_from_sync(&mut s) {
+                Ok(msg) if msg.msg_type == MessageType::Pong => {
+                    return Ok(s);
+                }
+                _ => {
+                    tokio::time::sleep(delay).await;
+                    delay = std::cmp::min(delay * 2, Duration::from_secs(2));
+                }
+            }
+        }
+    }
+
     /// Open a persistent telemetry subscription to the guest agent.
     ///
     /// Connects to the guest, performs a Ping/Pong handshake, sends a

src/devices/virtio_vsock.rs

@@ -176,6 +176,38 @@ impl LocalSandbox {
         }
     }
 
+    /// Write a file to the guest filesystem using the native WriteFile protocol.
+    ///
+    /// This bypasses shell/base64 by sending a WriteFile message directly to
+    /// the guest-agent. Parent directories are created automatically.
+    /// In simulation mode (no kernel), this is a no-op success.
+    pub async fn write_file_native(&self, path: &str, content: &[u8]) -> Result<()> {
+        if self.config.kernel.is_none() {
+            // Simulation mode -- no-op
+            return Ok(());
+        }
+
+        self.ensure_started().await?;
+
+        let vm_lock = self.vm.lock().await;
+        let vm = vm_lock.as_ref().ok_or(Error::VmNotRunning)?;
+        vm.write_file(path, content).await
+    }
+
+    /// Create directories in the guest filesystem (mkdir -p).
+    /// In simulation mode (no kernel), this is a no-op success.
+    pub async fn mkdir_p(&self, path: &str) -> Result<()> {
+        if self.config.kernel.is_none() {
+            return Ok(());
+        }
+
+        self.ensure_started().await?;
+
+        let vm_lock = self.vm.lock().await;
+        let vm = vm_lock.as_ref().ok_or(Error::VmNotRunning)?;
+        vm.mkdir_p(path).await
+    }
+
     /// Internal helper for `exec_claude` -- runs claude-code with extra env.
     pub(crate) async fn exec_claude_internal(
         &self,

src/sandbox/local.rs

@@ -138,15 +138,26 @@ impl Sandbox {
         }
     }
 
-    /// Write a file in the sandbox
+    /// Write a file in the sandbox using the native WriteFile protocol.
+    ///
+    /// This sends the file content directly to the guest-agent via vsock,
+    /// which writes it in Rust without needing `sh`, `echo`, or `base64`.
+    /// Parent directories are created automatically.
     pub async fn write_file(&self, path: &str, content: &[u8]) -> Result<()> {
-        // Use base64 encoding to handle binary data safely
-        let encoded = base64_encode(content);
-        let output = self.exec("sh", &["-c", &format!("echo -n '{}' | base64 -d > {}", encoded, path)]).await?;
-        if output.success() {
-            Ok(())
-        } else {
-            Err(Error::Guest(format!("Failed to write file: {}", output.stderr_str())))
+        match &self.inner {
+            SandboxInner::Local(local) => local.write_file_native(path, content).await,
+            SandboxInner::Mock(_mock) => {
+                // Mock: no-op success
+                Ok(())
+            }
+        }
+    }
+
+    /// Create directories in the guest filesystem (mkdir -p).
+    pub async fn mkdir_p(&self, path: &str) -> Result<()> {
+        match &self.inner {
+            SandboxInner::Local(local) => local.mkdir_p(path).await,
+            SandboxInner::Mock(_mock) => Ok(()),
         }
     }
 
@@ -465,7 +476,8 @@ impl MockSandbox {
     }
 }
 
-/// Simple base64 encoding (for write_file)
+/// Simple base64 encoding (kept for potential future use).
+#[allow(dead_code)]
 fn base64_encode(data: &[u8]) -> String {
     const ALPHABET: &[u8] = b"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";