Keep your friends close, your supply chain in a VM.

Author: eshlox

.github/CODEOWNERS

@@ -0,0 +1,12 @@
+* @eshlox
+
+/.github/ @eshlox
+/bin/ @eshlox
+/defaults/ @eshlox
+/install.sh @eshlox
+/lib/ @eshlox
+/scripts/ @eshlox
+/tests/ @eshlox
+/LICENSE @eshlox
+/README.md @eshlox
+/SECURITY.md @eshlox

.github/dependabot.yml

@@ -0,0 +1,13 @@
+version: 2
+
+updates:
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+      day: "monday"
+      time: "09:00"
+      timezone: "Etc/UTC"
+    open-pull-requests-limit: 5
+    commit-message:
+      prefix: "ci"

.github/workflows/check.yml

@@ -0,0 +1,43 @@
+name: Check
+
+on:
+  pull_request:
+  push:
+    branches:
+      - main
+  workflow_dispatch:
+
+permissions:
+  contents: read
+
+concurrency:
+  group: check-${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  check:
+    name: check
+    runs-on: ubuntu-latest
+    timeout-minutes: 10
+
+    steps:
+      - name: Checkout
+        env:
+          REPOSITORY: ${{ github.repository }}
+          SERVER_URL: ${{ github.server_url }}
+          SHA: ${{ github.sha }}
+        run: |
+          set -euo pipefail
+          git init .
+          git remote add origin "$SERVER_URL/$REPOSITORY.git"
+          git -c protocol.version=2 fetch --no-tags --depth=1 origin "$SHA"
+          git checkout --detach FETCH_HEAD
+
+      - name: Install test tools
+        run: |
+          set -euo pipefail
+          sudo apt-get update
+          sudo apt-get install -y --no-install-recommends shellcheck gnupg
+
+      - name: Run checks
+        run: bash scripts/check.sh

.gitignore

@@ -0,0 +1,2 @@
+.DS_Store
+*.tmp

CONTRIBUTING.md

@@ -0,0 +1,41 @@
+# Contributing
+
+DVM is intentionally small. Contributions should keep the core easy to audit and avoid
+turning the project into a general VM platform or package manager.
+
+## Scope
+
+Good fits:
+
+- VM lifecycle helpers around Lima
+- safe setup reruns across VMs
+- SSH and GPG workflows for project VMs
+- documentation that improves installation, release verification, or safe usage
+- focused tests for shell behavior
+
+Avoid:
+
+- default language/toolchain installers
+- remote install scripts or `curl | sh` patterns
+- host directory mounts that weaken project isolation by default
+- large framework dependencies
+- features that are better handled by user setup scripts
+
+## Development
+
+Run checks before opening a pull request:
+
+```bash
+bash scripts/check.sh
+```
+
+Shell code should be Bash, pass `bash -n`, and pass ShellCheck when ShellCheck is
+available. Keep behavior explicit and prefer small functions over broad abstractions.
+
+## Security
+
+Do not report vulnerabilities in public issues. Follow [SECURITY.md](SECURITY.md).
+
+Changes that affect installation, updating, release verification, SSH, GPG, deletion
+safety, or setup script execution should include tests or a clear explanation of the
+remaining risk.

LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2026 Przemysław Kołodziejczyk (eshlox)
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.