{"id":50156637,"url":"https://github.com/aarani/hpcc","last_synced_at":"2026-05-24T12:02:52.800Z","repository":{"id":356542346,"uuid":"1231277030","full_name":"aarani/hpcc","owner":"aarani","description":"Distributed compilation but it makes sense","archived":false,"fork":false,"pushed_at":"2026-05-23T12:58:35.000Z","size":1291,"stargazers_count":1,"open_issues_count":0,"forks_count":0,"subscribers_count":1,"default_branch":"main","last_synced_at":"2026-05-23T13:07:36.291Z","etag":null,"topics":["c-plus-plus","ccache","compiler","distcc","distributed-compilation","sandbox"],"latest_commit_sha":null,"homepage":"https://hpcc.dev/","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"agpl-3.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/aarani.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2026-05-06T20:06:24.000Z","updated_at":"2026-05-23T12:58:38.000Z","dependencies_parsed_at":null,"dependency_job_id":null,"html_url":"https://github.com/aarani/hpcc","commit_stats":null,"previous_names":["aarani/hpcc"],"tags_count":1,"template":false,"template_full_name":null,"purl":"pkg:github/aarani/hpcc","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/aarani%2Fhpcc","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/aarani%2Fhpcc/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/aarani%2Fhpcc/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/aarani%2Fhpcc/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/aarani","download_url":"https://codeload.github.com/aarani/hpcc/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/aarani%2Fhpcc/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":33432867,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-05-23T22:14:44.296Z","status":"online","status_checked_at":"2026-05-24T02:00:06.296Z","response_time":57,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["c-plus-plus","ccache","compiler","distcc","distributed-compilation","sandbox"],"created_at":"2026-05-24T12:02:52.031Z","updated_at":"2026-05-24T12:02:52.795Z","avatar_url":"https://github.com/aarani.png","language":"Go","funding_links":[],"categories":[],"sub_categories":[],"readme":"\u003ch1 align=\"center\"\u003e\n  \u003cpicture\u003e\n    \u003csource media=\"(prefers-color-scheme: dark)\" srcset=\"docs/logo-dark.svg\"\u003e\n    \u003cimg alt=\"hpcc — vault cube mark\" src=\"docs/logo.svg\" width=\"200\" height=\"200\"\u003e\n  \u003c/picture\u003e\n  \u003cbr /\u003e\n  hpcc\n\u003c/h1\u003e\n\n\u003cp align=\"center\"\u003e\n  \u003cstrong\u003eA distributed compiler cache that a regulated security team will actually approve.\u003c/strong\u003e\n  \u003cbr /\u003e\n  \u003cem\u003eSandboxed remote compilation · per-tenant KVM boundary · auditable by row.\u003c/em\u003e\n\u003c/p\u003e\n\n\u003cp align=\"center\"\u003e\n  \u003ca href=\"https://github.com/aarani/hpcc/actions/workflows/suite.yml\"\u003e\u003cimg alt=\"Build \u0026amp; Test Suite\" src=\"https://github.com/aarani/hpcc/actions/workflows/suite.yml/badge.svg?branch=main\"\u003e\u003c/a\u003e\n  \u003ca href=\"https://github.com/aarani/hpcc/blob/main/LICENSE\"\u003e\u003cimg alt=\"License: AGPL-3.0\" src=\"https://img.shields.io/badge/license-AGPL--3.0-blue.svg\"\u003e\u003c/a\u003e\n  \u003ca href=\"https://github.com/aarani/hpcc/blob/main/LICENSING.md\"\u003e\u003cimg alt=\"Commercial license available\" src=\"https://img.shields.io/badge/commercial-available-green.svg\"\u003e\u003c/a\u003e\n  \u003ca href=\"https://go.dev/\"\u003e\u003cimg alt=\"Go 1.26+\" src=\"https://img.shields.io/badge/go-1.26%2B-00ADD8?logo=go\u0026amp;logoColor=white\"\u003e\u003c/a\u003e\n  \u003ca href=\"https://goreportcard.com/report/github.com/aarani/hpcc\"\u003e\u003cimg alt=\"Go Report Card\" src=\"https://goreportcard.com/badge/github.com/aarani/hpcc\"\u003e\u003c/a\u003e\n  \u003ca href=\"https://pkg.go.dev/github.com/aarani/hpcc\"\u003e\u003cimg alt=\"Go Reference\" src=\"https://pkg.go.dev/badge/github.com/aarani/hpcc.svg\"\u003e\u003c/a\u003e\n  \u003ca href=\"https://hpcc.dev\"\u003e\u003cimg alt=\"hpcc.dev\" src=\"https://img.shields.io/badge/site-hpcc.dev-0e1014\"\u003e\u003c/a\u003e\n\u003c/p\u003e\n\n---\n\n\u003e ⚠️ **Work in progress.** hpcc is under active development and has not been audited.\n\u003e Do not rely on it for security-sensitive or production workloads yet.\n\n## Quick start\n\n```sh\ngit clone https://github.com/aarani/hpcc.git\ncd hpcc \u0026\u0026 go build \u0026\u0026 go install\n\n# wrap a compiler invocation\nhpcc wrap cc -c hello.c -o hello.o\n\n# or wire into a Makefile\nmake CC=\"hpcc wrap cc\" CXX=\"hpcc wrap c++\"\n\n# start the daemon (foreground; supervise with systemd / launchd)\nhpcc start\n```\n\n## Server quick start\n\nBring up the distributed pieces — one scheduler, N workers, M clients\n— without hand-editing TOML. `hpcc init` writes the configs for you;\nthe generated files validate immediately.\n\n**Scheduler.** Needs a TLS cert clients can trust (public CA or your\norg's internal CA) and one tenant's IdP coordinates:\n\n```sh\nhpcc init scheduler \\\n  --cert-file /etc/hpcc/scheduler.crt \\\n  --key-file  /etc/hpcc/scheduler.key \\\n  --tenant-id acme \\\n  --issuer    https://idp.acme.example/ \\\n  --jwks-url  https://idp.acme.example/.well-known/jwks.json \\\n  --token-url https://idp.acme.example/oauth/token \\\n  --audience  hpcc\n\nhpcc scheduler\n```\n\nThe command prints a freshly-generated `worker_token`; copy it.\n\n**Workers (Linux / Firecracker).** On each worker host, paste the\ntoken from above and point at the scheduler. TLS material is\nself-signed and minted in place — the scheduler pins by SHA-256\nfingerprint at registration, so a real CA isn't needed worker-side:\n\n```sh\nhpcc init worker \\\n  --scheduler  scheduler.internal:9091 \\\n  --token      \u003cpaste from init scheduler\u003e \\\n  --public-addr worker-1.internal:9092\n\n# Host prerequisites:\n#\n#   # firecracker + jailer — no distro package; grab the upstream\n#   # tarball. arm64 hosts: swap x86_64 → aarch64 in URL + filenames.\n#   FC=v1.15.1\n#   curl -fsSL https://github.com/firecracker-microvm/firecracker/releases/download/${FC}/firecracker-${FC}-x86_64.tgz \\\n#     | sudo tar -xz -C /tmp\n#   sudo install /tmp/release-${FC}-x86_64/firecracker-${FC}-x86_64 /usr/bin/firecracker\n#   sudo install /tmp/release-${FC}-x86_64/jailer-${FC}-x86_64      /usr/bin/jailer\n#\n#   # microvm kernel + agent ship with every hpcc release. Pin HPCC\n#   # to whichever release you installed; K=6.1 is the recommended\n#   # kernel (5.10 ships as the alternative); A=amd64 or arm64.\n#   HPCC=v0.1.0-alpha; K=6.1; A=amd64\n#   sudo mkdir -p /var/lib/hpcc\n#   sudo curl -fsSL -o /var/lib/hpcc/vmlinux \\\n#     https://github.com/aarani/hpcc/releases/download/${HPCC}/vmlinux-${K}-${A}\n#   sudo curl -fsSL -o /var/lib/hpcc/hpcc-agent-linux-${A} \\\n#     https://github.com/aarani/hpcc/releases/download/${HPCC}/hpcc-agent-linux-${A}\n\nhpcc worker\n```\n\nThe generated `worker.toml` points at the standard paths above; if you\nhave firecracker installed somewhere else, edit\n`[runtime.firecracker]` to match. For a zero-isolation dev box, pass\n`--runtime really_really_dangerous` (never production).\n\n**Workers (Windows / Hyper-V).** Same paste-the-token flow, with the\nhcsshim runtime selected:\n\n```pwsh\nhpcc init worker `\n  --scheduler   scheduler.internal:9091 `\n  --token       \u003cpaste from init scheduler\u003e `\n  --public-addr worker-win-1.internal:9092 `\n  --runtime     runhcs-wcow-hypervisor\n\n# Host prerequisites (the init command tells you exactly these):\n#   Install-WindowsFeature Hyper-V -IncludeManagementTools  # reboot once\n#   Start-Service vmcompute                                  # HCS\n#   # containerd listening on \\\\.\\pipe\\containerd-containerd\n#   # hpcc-agent.exe staged at C:\\ProgramData\\hpcc\\hpcc-agent.exe\n\nhpcc worker\n```\n\nHyper-V isolation is the production value — each container runs in\nits own utility VM, the kernel boundary a regulated security review\nrecognises. For hosts without nested virt (GitHub-hosted CI runners,\ndev laptops), edit `runtime.hcsshim.isolation = \"process\"` in the\ngenerated file; you lose the kernel boundary, so this is dev-only.\n\n**Clients.** On each developer machine, point the client at the\nscheduler and authenticate against the tenant IdP:\n\n```sh\nhpcc init client \\\n  --scheduler    scheduler.internal:9091 \\\n  --tenant       acme \\\n  --image-ref    ghcr.io/example/toolchain \\\n  --image-digest sha256:abc...\n\nhpcc auth login   # prompts for username + password\nhpcc start        # daemon; supervise with systemd / launchd\n```\n\nThen point your build at `hpcc wrap cc` / `hpcc wrap c++` as in the\nclient Quick start above. The daemon falls back to local execution on\nany remote failure and prints a red warning, so a misconfigured client\nnever blocks a build.\n\n## Why?\n\n`ccache`, `sccache`, and `distcc` all assume the worker is trusted\nshared-kernel infrastructure. That assumption ends the conversation in\na regulated enterprise. hpcc inverts it: every compile runs in a\nper-tenant Firecracker microVM (Linux) or Hyper-V-isolated container\n(Windows), the worker has no NIC, the container image digest *is* the\ntoolchain identity, and every job lands a single audit row.\n\nDesign, threat model, and what's shipped vs. open all live in\n[**docs/plan.md**](docs/plan.md) and the per-phase docs under\n[`docs/plan/`](docs/plan/). Config reference:\n[`client.toml`](docs/client.toml) /\n[`scheduler.toml`](docs/scheduler.toml) /\n[`worker.toml`](docs/worker.toml).\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Faarani%2Fhpcc","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Faarani%2Fhpcc","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Faarani%2Fhpcc/lists"}