Skip to content

feat(core): use shared JS box image for project containers#281

Open
konard wants to merge 9 commits into
ProverCoderAI:mainfrom
konard:issue-267-99a3d92349cd
Open

feat(core): use shared JS box image for project containers#281
konard wants to merge 9 commits into
ProverCoderAI:mainfrom
konard:issue-267-99a3d92349cd

Conversation

@konard
Copy link
Copy Markdown
Contributor

@konard konard commented May 12, 2026
edited
Loading

Summary

Fixes #267.

Switches generated project workspace Dockerfiles from a raw ubuntu:24.04 base to the shared konard/box-js:latest Docker Hub image published by https://github.com/link-foundation/box. The docker-git bootstrap layers, SSH entrypoint, auth bridge, host-Docker-backed runtime contract, and clone/cache orchestration remain owned by docker-git.

Reproduction

Before this change, renderDockerfile(makeTemplateConfig()) emitted:

FROM ubuntu:24.04

and only knew how to rename an existing ubuntu user. That did not satisfy issue #267's requirement to reuse the shared box infrastructure, and it risked duplicate UID-1000 users when a box base already has /home/box.

CI then exposed box-specific follow-up invariants:

  • Non-interactive bash -lc commands sourced /etc/profile.d/zz-prompt.sh, and the prompt script touched /dev/tty without a controlling TTY.
  • konard/box-js inherits HOME=/home/box, WORKDIR=/home/box, and login rc files with absolute /home/box references. After renaming box -> dev, docker exec -u dev bash -lc '...' could still resolve user paths through /home/box, and login shells failed on /home/box/.deno/env.
  • The shared git mirror refresh used +refs/*:refs/*; on public GitHub repositories this enumerated refs/pull/* and timed out the login-context E2E after the cache volume was reused by the PR case.

Changes

  • Add ARG DOCKER_GIT_BASE_IMAGE=konard/box-js:latest and FROM ${DOCKER_GIT_BASE_IMAGE} to generated project Dockerfiles.
  • Keep USER root before docker-git's apt/tool/bootstrap layers so the existing setup remains valid on top of the box image.
  • Rename either box or ubuntu base users to the configured sshUser before falling back to user creation.
  • Normalize inherited image environment after user migration with HOME=/home/<sshUser>, a user-correct PATH, and WORKDIR /home/<sshUser>.
  • Rewrite moved login rc files (.profile, .bashrc, .zshrc, etc.) from /home/box or /home/ubuntu to /home/<sshUser>.
  • Keep /etc/profile.d/bun.sh runtime-relative by writing \$PATH instead of baking the base image build-time PATH.
  • Keep zz-prompt.sh inert for non-interactive shells; interactive shells still install prompt/TTY recovery hooks.
  • Restrict shared mirror refreshes to refs/heads/* and refs/tags/*, so clone-cache reuse does not fetch every GitHub pull-request ref.
  • Mirror renderer changes into packages/app/src/lib for the bundled CLI build.
  • Add regression coverage for the shared base image, base-user migration behavior, HOME/WORKDIR normalization, login rc rewriting, runtime PATH rendering, non-interactive prompt sourcing, and clone-cache ref filtering.
  • Use the Docker Hub JS box because CI confirmed ghcr.io/link-foundation/box:latest currently fails anonymous pulls with HTTP 401, while Docker Hub is publicly pullable. Registry metadata also shows the full konard/box:latest amd64 manifest is about 5.6 GiB compressed, while konard/box-js:latest is about 1.6 GiB compressed and still comes from the same shared box infrastructure.

Mathematical Guarantees

Invariants

  • forall config in TemplateConfig: baseImage(renderDockerfile(config)) = ${DOCKER_GIT_BASE_IMAGE}.
  • forall config in TemplateConfig: sshUser(config) owns /home/sshUser(config) after the user-normalization block when the base image has box, ubuntu, or neither.
  • forall config in TemplateConfig: HOME(renderDockerfile(config)) = /home/sshUser(config) and WORKDIR(renderDockerfile(config)) = /home/sshUser(config).
  • forall p in loginRc(sshUser): not contains(p, "/home/box") and not contains(p, "/home/ubuntu") for inherited base-home references covered by the generated rewrite block.
  • forall shell: nonInteractive(shell) -> source(zz-prompt.sh, shell) produces no prompt mutation and no TTY write.
  • forall r in cloneCacheRefreshRefs: r in refs/heads/* union refs/tags/*; in particular, refs/pull/* is excluded from cache refresh.
  • CORE -> SHELL boundary is preserved: this change modifies pure template rendering; runtime effects remain in generated shell scripts and Docker execution layers.

Preconditions

  • The selected DOCKER_GIT_BASE_IMAGE is Debian/Ubuntu-compatible and supports apt-based root setup.
  • The project container still runs docker-git's generated /entrypoint.sh.

Postconditions

  • Generated project containers inherit the shared link-foundation JS box runtime/tooling base.
  • docker-git-specific SSH/auth/bootstrap behavior remains rendered after the base image selection.
  • Non-interactive e2e commands can run under bash -lc without prompt/TTY side effects and with ~ and login rc paths resolving into the mounted SSH user home.
  • Reused clone-cache mirrors accelerate branch/tag object reuse without expanding the remote ref domain to every GitHub PR ref.

Complexity

  • Dockerfile and prompt rendering remain O(1) time and O(1) additional space.
  • Clone-cache refresh changes from O(|all remote refs|) to O(|heads| + |tags|) remote ref enumeration.

Verification

  • bun run --cwd packages/lib test -- tests/core/templates.test.ts
  • bun run check
  • bun run test
  • bun run build
  • bun run lint
  • bun run lint:effect
  • bun run check:dist-deps-prune
  • git diff --check

Note: this local runner does not have the docker binary installed, so local image build was not run here; Docker/E2E verification is covered by GitHub Actions on PR #281.

konard added 2 commits May 12, 2026 09:49
@konard
Initial commit with task details
45f4f3d 
Adding .gitkeep for PR creation (default mode).
This file will be removed when the task is complete.

Issue: ProverCoderAI#267
@konard
feat(core): use shared box image for project containers
4ee4bb1
@konard konard changed the title [WIP] Есть смысл юзать единные box контейнеры для работы feat(core): use shared box image for project containers May 12, 2026
@konard konard marked this pull request as ready for review May 12, 2026 10:17
@konard konard changed the title feat(core): use shared box image for project containers feat(core): use shared JS box image for project containers May 12, 2026
@konard
Copy link
Copy Markdown
Contributor Author

konard commented May 12, 2026

Working session summary

Done. PR #281 is updated and green: #281

Latest pushed head: bf18af78780766c71e0ded18b9305884305a66a1.

Key final fix:

  • Narrowed shared clone-cache mirror refresh from +refs/*:refs/* to heads/tags only in tasks.ts and the bundled app copy.
  • Added regression coverage in templates.test.ts to ensure refs/pull/* is not fetched during cache refresh.

Verification passed locally:
bun run check, bun run test, bun run build, bun run lint, bun run lint:effect, bun run check:dist-deps-prune, git diff --check.

GitHub checks passed on PR #281, including Docker E2E:
Clone cache, Login context, Runtime volumes + SSH, OpenCode, Browser command, and all static jobs.

Working tree is clean. SOURCE: n/a.

This summary was automatically extracted from the AI working session output.

@konard
Copy link
Copy Markdown
Contributor Author

konard commented May 12, 2026

🤖 Solution Draft Log

This log file contains the complete execution trace of the AI solution draft process.

💰 Cost estimation:

  • Model: GPT-5.5
  • Provider: OpenAI
  • Public pricing estimate: $88.495497

📊 Context and tokens usage:

  • 1.6M / 1.1M (149%) input tokens, 125.0K / 128K (98%) output tokens

Total: (1.6M + 67.2M cached) input tokens, 125.0K output tokens, $88.495497 cost

🤖 Models used:

  • Tool: OpenAI Codex
  • Requested: gpt-5.5
  • Model: GPT-5.5 (gpt-5.5)

📎 Log file uploaded as Repository (2 chunks) (201432KB)

Now working session is ended, feel free to review and add any feedback on the solution draft.

@konard
Copy link
Copy Markdown
Contributor Author

konard commented May 12, 2026

✅ Ready to merge

This pull request is now ready to be merged:

  • All CI checks have passed
  • No merge conflicts
  • No pending changes

Monitored by hive-mind with --auto-restart-until-mergeable flag

@skulidropek
Copy link
Copy Markdown
Member

skulidropek commented May 13, 2026

@coderabbitai review

@coderabbitai
Copy link
Copy Markdown

coderabbitai Bot commented May 13, 2026

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

@coderabbitai
Copy link
Copy Markdown

coderabbitai Bot commented May 13, 2026
edited
Loading

Review Change Stack

📝 Walkthrough

Summary by CodeRabbit

  • Improvements
    • Docker environment now uses updated base image for better compatibility
    • Git reference fetching refined to exclude pull request refs for efficiency
    • Prompt script now properly handles interactive vs. non-interactive shell contexts
    • Enhanced user home directory and PATH configuration normalization

Walkthrough

This PR integrates unified konard/box-js container images as the standard Docker base, replaces hardcoded Ubuntu image references with parameterized build arguments, normalizes inherited box/ubuntu user accounts to the configured SSH user with proper home/path setup, restricts git mirror fetching to branch and tag refs only, and hardens prompt script execution to respect interactive shell contexts with improved TTY control. All changes are mirrored across app and lib packages and validated with new test coverage.

Changes

Container Image Standardization and Entrypoint Refinement

Layer / File(s) Summary
Base image parameterization
packages/app/src/lib/core/templates/dockerfile.ts, packages/lib/src/core/templates/dockerfile.ts		 Dockerfile prelude now sources base image from DOCKER_GIT_BASE_IMAGE argument defaulting to konard/box-js:latest via ARG and FROM ${DOCKER_GIT_BASE_IMAGE}, replacing hardcoded ubuntu:24.04; ensures USER root follows base setup.
User and environment normalization for box images
packages/app/src/lib/core/templates/dockerfile.ts, packages/lib/src/core/templates/dockerfile.ts		 User setup iterates over box and ubuntu base users, renames existing accounts to config.sshUser, rewrites inherited rc/login files to replace /home/box and /home/ubuntu with /home/${config.sshUser}, and sets HOME, PATH (with Deno/Bun toolchain), and WORKDIR accordingly. Bun profile PATH export escaped for runtime evaluation.
Git mirror fetch refspec optimization
packages/app/src/lib/core/templates-entrypoint/tasks.ts, packages/lib/src/core/templates-entrypoint/tasks.ts		 Narrows clone-cache mirror refresh git fetch from broad +refs/*:refs/* to explicit +refs/heads/*:refs/heads/* and +refs/tags/*:refs/tags/* to exclude refs/pull/*; adds CHANGE annotation documenting the behavioral shift.
Prompt script interactivity gating and TTY handling
packages/app/src/lib/core/templates-prompt.ts, packages/lib/src/core/templates-prompt.ts		 Terminal escape and sanitization commands refactored with grouped redirections. Prompt script now gates execution via case "$-" for interactive shells only, with early exit for non-interactive invocations. PROMPT_COMMAND chaining uses ${PROMPT_COMMAND-} for correct unset-variable detection. Inline invariants updated to document interactive-shell-only TTY mutations.
Test validation
packages/lib/tests/core/templates.test.ts		 Adds renderPromptScript test for non-interactive bash execution. Extends renderDockerfile assertions validating konard/box-js base image, box user renaming, HOME/PATH/WORKDIR normalization to /home/dev, inherited rc file path rewriting, and runtime $PATH escaping. Updates auth entrypoint terminal sanitization expected pattern. Adds renderEntrypoint test verifying cache mirror fetch excludes GitHub pull-request refs.

🎯 3 (Moderate) | ⏱️ ~25 minutes

🐇 A rabbit hops through docker walls,
Box containers answer the call,
No ubuntu chains,
Just organized brains,
Unified shells that won't fall! 🎭✨

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Title check ✅ Passed The title 'feat(core): use shared JS box image for project containers' clearly and concisely summarizes the main change: switching from ubuntu:24.04 to a shared box image for project Dockerfiles.
Description check ✅ Passed The PR description comprehensively covers all template sections: fixes issue #267, provides detailed summary of changes with reproduction steps, lists all modifications, documents invariants and preconditions, and includes verification commands. Well-structured and complete.
Linked Issues check ✅ Passed The PR fully addresses issue #267's objective to adopt a shared box container infrastructure by switching from ubuntu:24.04 to konard/box-js:latest, reducing duplication and enabling reuse of link-foundation/box tooling.
Out of Scope Changes check ✅ Passed All changes are within scope: Dockerfile base image changes, prompt script interactive-shell handling, user migration logic, login rc file rewriting, clone-cache ref filtering, and corresponding test coverage directly support the issue #267 objective.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

✏️ Tip: You can configure your own custom pre-merge checks in the settings.

✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests

Comment @coderabbitai help to get the list of available commands and usage tips.

coderabbitai[bot]
coderabbitai Bot requested changes May 13, 2026
View reviewed changes
Copy link
Copy Markdown

@coderabbitai coderabbitai Bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents 
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@packages/lib/tests/core/templates.test.ts`:
- Around line 60-104: Add property-based tests (using fast-check) for the new
invariants around renderDockerfile outputs used in
packages/lib/tests/core/templates.test.ts (and the other ranges noted) instead
of only example-based assertions: write fast-check properties that call
renderDockerfile(makeTemplateConfig(arbitraryConfig)) to assert (1) refspec
exclusion invariant, (2) prompt non-interactive inertness invariant, and (3)
HOME/PATH/WORKDIR normalization invariant across generated configs (assert using
expect/contains helpers like expectContainsAll); use fast-check arbitraries for
TemplateConfig inputs, keep tests synchronous (no async/await), and put
unit-style checks using the project’s Effect test utilities where applicable
rather than raw async code.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro Plus

Run ID: 6bbab1ae-98b5-4847-a515-ad0643df2cd0

📥 Commits

Reviewing files that changed from the base of the PR and between 65c4f84 and 0ab5a45.

📒 Files selected for processing (7)
  • packages/app/src/lib/core/templates-entrypoint/tasks.ts
  • packages/app/src/lib/core/templates-prompt.ts
  • packages/app/src/lib/core/templates/dockerfile.ts
  • packages/lib/src/core/templates-entrypoint/tasks.ts
  • packages/lib/src/core/templates-prompt.ts
  • packages/lib/src/core/templates/dockerfile.ts
  • packages/lib/tests/core/templates.test.ts

Comment thread packages/lib/tests/core/templates.test.ts
Comment on lines 60 to +104
describe("renderDockerfile", () => {
it("uses the shared JS box image as the project container base", () => {
const dockerfile = renderDockerfile(makeTemplateConfig())

expect(dockerfile).toContain("ARG DOCKER_GIT_BASE_IMAGE=konard/box-js:latest")
expect(dockerfile).toContain("FROM ${DOCKER_GIT_BASE_IMAGE}")
expect(dockerfile).toContain("USER root")
expect(dockerfile).not.toContain("FROM ubuntu:24.04")
})

it("renames the box base user to the configured SSH user", () => {
const dockerfile = renderDockerfile(makeTemplateConfig())

expect(dockerfile).toContain("for BASE_USER in box ubuntu; do")
expect(dockerfile).toContain('if [ "$BASE_USER" != "dev" ] && id -u "$BASE_USER" >/dev/null 2>&1; then')
expect(dockerfile).toContain('usermod -l dev -d /home/dev -m -s /usr/bin/zsh "$BASE_USER" || true')
})

it("normalizes inherited box image HOME and workdir to the configured SSH user", () => {
const dockerfile = renderDockerfile(makeTemplateConfig())

expectContainsAll(dockerfile, [
"ENV HOME=/home/dev",
"ENV PATH=/usr/local/bun/bin:/home/dev/.deno/bin:/home/dev/.bun/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
"WORKDIR /home/dev"
])
})

it("rewrites inherited login rc files away from the base image home", () => {
const dockerfile = renderDockerfile(makeTemplateConfig())

expectContainsAll(dockerfile, [
"find /home/dev -maxdepth 2 -type f",
'-name ".profile" -o -name ".bash_profile" -o -name ".bashrc" -o -name ".zprofile" -o -name ".zshenv" -o -name ".zshrc"',
'-exec sed -i -e "s|/home/box|/home/dev|g" -e "s|/home/ubuntu|/home/dev|g" {} +;'
])
})

it("keeps the runtime PATH extension relative to the login shell environment", () => {
const dockerfile = renderDockerfile(makeTemplateConfig())

expect(dockerfile).toContain('RUN printf "export PATH=/usr/local/bun/bin:\\$PATH\\n"')
expect(dockerfile).not.toContain('RUN printf "export PATH=/usr/local/bun/bin:$PATH\\n"')
})

Copy link
Copy Markdown

@coderabbitai coderabbitai Bot May 13, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🛠️ Refactor suggestion | 🟠 Major | 🏗️ Heavy lift

Add fast-check property tests for the new invariants.

The added tests are example-based only. For these new behaviors, add fast-check properties (e.g., refspec exclusion invariant, prompt non-interactive inertness invariant, HOME/PATH normalization invariant across generated configs) to satisfy the test policy.

As per coding guidelines **/*.{test,spec}.{ts,tsx}: Property-based tests (fast-check) must verify mathematical invariants; unit tests must use Effect test utilities without async/await.

Also applies to: 125-142, 359-366

🤖 Prompt for AI Agents 
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@packages/lib/tests/core/templates.test.ts` around lines 60 - 104, Add
property-based tests (using fast-check) for the new invariants around
renderDockerfile outputs used in packages/lib/tests/core/templates.test.ts (and
the other ranges noted) instead of only example-based assertions: write
fast-check properties that call
renderDockerfile(makeTemplateConfig(arbitraryConfig)) to assert (1) refspec
exclusion invariant, (2) prompt non-interactive inertness invariant, and (3)
HOME/PATH/WORKDIR normalization invariant across generated configs (assert using
expect/contains helpers like expectContainsAll); use fast-check arbitraries for
TemplateConfig inputs, keep tests synchronous (no async/await), and put
unit-style checks using the project’s Effect test utilities where applicable
rather than raw async code.

@skulidropek skulidropek self-assigned this May 13, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@coderabbitai coderabbitai[bot] coderabbitai[bot] requested changes

Assignees

@skulidropek skulidropek

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Есть смысл юзать единные box контейнеры для работы

2 participants

@konard @skulidropek