feat(linux-port): bootstrap MVP boxctl, config loader, supervisor, firewall skeleton, and systemd units

.box-test-subscription.env.example

@@ -0,0 +1 @@
+BOX_TEST_SUBSCRIPTION_URL=

.github/workflows/ci.yml

@@ -0,0 +1,125 @@
+name: CI
+
+on:
+  push:
+    branches:
+      - '**'
+    tags:
+      - 'v*'
+  pull_request:
+
+permissions:
+  contents: read
+
+jobs:
+  lint-and-tests:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Bash syntax checks
+        run: ./tests/lint_shell.sh syntax
+
+      - name: ShellCheck (if available)
+        run: |
+          if command -v shellcheck >/dev/null 2>&1; then
+            ./tests/lint_shell.sh shellcheck
+          else
+            echo "shellcheck not available; skipping"
+          fi
+
+      - name: Mock integration tests
+        run: |
+          ./tests/integration/test_phase2.sh
+          ./tests/integration/test_policy.sh
+          ./tests/integration/test_updater.sh
+
+      - name: Real-kernel integration tests (skip-capable)
+        continue-on-error: true
+        run: |
+          set -o pipefail
+          : > real-kernel.log
+          sudo ./tests/integration/test_real_kernel.sh | tee real-kernel.log
+
+      - name: Upload real-kernel log
+        if: always()
+        uses: actions/upload-artifact@v4
+        with:
+          name: real-kernel-log
+          path: real-kernel.log
+
+  build-arch-package:
+    runs-on: ubuntu-latest
+    needs:
+      - lint-and-tests
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Build Arch package in container
+        run: |
+          docker run --rm \
+            -v "$PWD":/work \
+            -w /work \
+            archlinux:base-devel \
+            bash -lc '
+              set -euo pipefail
+              # Avoid relying on distro default unprivileged accounts (for example `nobody`)
+              # because some base images can mark them as expired.
+              useradd -m -U builder
+              chown -R builder:builder /work
+              su builder -s /bin/bash -c "cd /work/packaging/arch && makepkg --nodeps --noconfirm -f"
+            '
+
+      - name: Capture package path
+        id: pkg
+        run: |
+          pkg_path="$(ls -1 packaging/arch/*.pkg.tar.* | head -n 1)"
+          echo "package_path=${pkg_path}" >> "${GITHUB_OUTPUT}"
+          echo "Built package: ${pkg_path}"
+
+      - name: Upload Arch package artifact
+        uses: actions/upload-artifact@v4
+        with:
+          name: box4linux-arch-pkg
+          path: ${{ steps.pkg.outputs.package_path }}
+
+  smoke-package:
+    runs-on: ubuntu-latest
+    needs:
+      - build-arch-package
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Download Arch package artifact
+        uses: actions/download-artifact@v4
+        with:
+          name: box4linux-arch-pkg
+          path: ./dist
+
+      - name: Package smoke test
+        run: |
+          pkg_path="$(ls -1 ./dist/*.pkg.tar.* | head -n 1)"
+          ./tests/integration/test_arch_package_smoke.sh "${pkg_path}"
+
+  release:
+    runs-on: ubuntu-latest
+    if: startsWith(github.ref, 'refs/tags/v')
+    needs:
+      - smoke-package
+    permissions:
+      contents: write
+    steps:
+      - name: Download Arch package artifact
+        uses: actions/download-artifact@v4
+        with:
+          name: box4linux-arch-pkg
+          path: ./dist
+
+      - name: Publish release assets
+        uses: softprops/action-gh-release@v2
+        with:
+          files: ./dist/*.pkg.tar.*
+          generate_release_notes: true

.gitignore

@@ -0,0 +1,22 @@
+# OS / editor
+.DS_Store
+Thumbs.db
+.idea/
+.vscode/
+*.swp
+*.swo
+*~
+
+# Box references
+box-reference/
+
+# Local Linux dev runtime state
+.box-dev/
+
+# Arch packaging build artifacts
+packaging/arch/*.pkg.tar.*
+packaging/arch/pkg/
+packaging/arch/src/
+
+# Local docker/vm test secrets
+.box-test-subscription.env