# Migration — build-machines → ext.vm-packer

Maps `the-custodian/infra/build-machines/` to sand-boxer `profile.vm-haskell-build`.

## What moved

| Legacy (build-machines) | sand-boxer v0 |
|-------------------------|---------------|
| Packer OVA build | **Unchanged** — operator runs Packer in the-custodian |
| VM boot + build-agent registration | **Unchanged** — systemd agent on VM |
| `make remote-build PROJECT=` | `sandboxer create` + SSH into `reachability.remote_dir` |
| Isolated workspace `/build/<project>` | `/build/sbx-<sandbox_id>/` per create |
| `make bridge-status` | `ssh -p 12222 build@localhost` or `sandboxer inspect` (future) |

## v0 attach workflow

1. Build/import VM per [build-machines README](~/the-custodian/infra/build-machines/README.md).
2. Ensure tunnel is up (`make bridge-status` in build-machines).
3. Create sand-boxer workspace:

```bash
export SANDBOXER_VM_TUNNEL_PORT=12222   # or use SSH alias

sandboxer create \
  --profile profile.vm-haskell-build \
  --input vm=haskell-build \
  --input repo=~/projects/my-haskell-app \
  --host localhost
```

4. Run builds on VM:

```bash
ssh haskell-build "cd <remote_dir> && source ~/.ghcup/env && cabal build all"
```

5. Destroy workspace (VM stays running):

```bash
sandboxer destroy <sandbox_id>
```

## Inputs

| Input | Purpose |
|-------|---------|
| `vm` | SSH config alias (e.g. `haskell-build`) |
| `ssh_target` | Alias for `vm` |
| `tunnel_port` | Local reverse-tunnel port (default via `SANDBOXER_VM_TUNNEL_PORT`) |
| `repo` | Optional rsync source to workspace |
| `workspace_dir` | Override workspace path on VM |

## Not migrated yet

- Automated Packer `create` trigger from sand-boxer API
- State Hub capability-catalog sync from build-agent (agent unchanged)
- Port registry automation (`port-registry.yml`)
- `make remote-build` Makefile targets in the-custodian (add shim in follow-on if needed)

## Runbook

`docs/runbooks/profile-vm-haskell-build.md`