feat(core): use shared JS box image for project containers#281
Conversation
Adding .gitkeep for PR creation (default mode). This file will be removed when the task is complete. Issue: ProverCoderAI#267
Working session summary

Done. PR #281 is updated and green: #281

Latest pushed head:

Key final fix:

Verification passed locally: GitHub checks passed on PR #281, including Docker E2E:

Working tree is clean. This summary was automatically extracted from the AI working session output.

🤖 Solution Draft Log

This log file contains the complete execution trace of the AI solution draft process.

💰 Cost estimation:
📊 Context and tokens usage:
Total: (1.6M + 67.2M cached) input tokens, 125.0K output tokens, $88.495497 cost

🤖 Models used:

📎 Log file uploaded as Repository (2 chunks) (201432KB)

Now the working session has ended; feel free to review and add any feedback on the solution draft.

✅ Ready to merge

This pull request is now ready to be merged:

Monitored by hive-mind with --auto-restart-until-mergeable flag
This reverts commit 45f4f3d.
@coderabbitai review

✅ Actions performed

Review triggered.
Note: Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the

Use the following commands to manage reviews:
📝 Walkthrough

The base image is parameterized, inherited users and environment are normalized, the prompt logic for interactive shells is tightened, an SSH-user validator/parser and shellSingleQuote are added, the template/entrypoint and configuration tests are extended, the e2e defaults are updated, a retry is added to the Dockerfile, and a CI disk-cleanup step is added.

Changes: Docker Box container integration and prompt script improvements
sequenceDiagram
participant Shell as Shell (interactive?)
participant PromptSanitizer as docker_git_terminal_sanitize
participant TTY as /dev/tty
participant PROMPT as PROMPT_COMMAND
Shell->>PromptSanitizer: case "$-" check (interactive?)
PromptSanitizer->>TTY: grouped printf write (escapes) with redirected stderr
PromptSanitizer->>TTY: grouped stty sane fallback with redirected stderr
PromptSanitizer->>PROMPT: append docker_git_prompt_apply using ${PROMPT_COMMAND-}
🎯 4 (Complex) | ⏱️ ~40 minutes

Possibly related PRs:
Important: Pre-merge checks failed

Please resolve all errors before merging. Addressing warnings is optional.

❌ Failed checks (1 error, 1 warning, 1 inconclusive)
✅ Passed checks (4 passed)
Actionable comments posted: 1
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In `@packages/lib/tests/core/templates.test.ts`:
- Around line 60-104: Add property-based tests (using fast-check) for the new
invariants around renderDockerfile outputs used in
packages/lib/tests/core/templates.test.ts (and the other ranges noted) instead
of only example-based assertions: write fast-check properties that call
renderDockerfile(makeTemplateConfig(arbitraryConfig)) to assert (1) refspec
exclusion invariant, (2) prompt non-interactive inertness invariant, and (3)
HOME/PATH/WORKDIR normalization invariant across generated configs (assert using
expect/contains helpers like expectContainsAll); use fast-check arbitraries for
TemplateConfig inputs, keep tests synchronous (no async/await), and put
unit-style checks using the project’s Effect test utilities where applicable
rather than raw async code.
ℹ️ Review info
⚙️ Run configuration
Configuration used: Organization UI
Review profile: CHILL
Plan: Pro Plus
Run ID: 6bbab1ae-98b5-4847-a515-ad0643df2cd0
📒 Files selected for processing (7)
- packages/app/src/lib/core/templates-entrypoint/tasks.ts
- packages/app/src/lib/core/templates-prompt.ts
- packages/app/src/lib/core/templates/dockerfile.ts
- packages/lib/src/core/templates-entrypoint/tasks.ts
- packages/lib/src/core/templates-prompt.ts
- packages/lib/src/core/templates/dockerfile.ts
- packages/lib/tests/core/templates.test.ts
# Conflicts:
# packages/app/src/lib/core/templates-entrypoint/tasks.ts
# packages/lib/src/core/templates-entrypoint/tasks.ts
# packages/lib/tests/core/templates.test.ts
Merged current main into this PR and addressed the CodeRabbit review for property-based coverage. Added fast-check invariants for:
Local verification:
Actionable comments posted: 2
Caution
Some comments are outside the diff and can’t be posted inline due to platform limitations.
⚠️ Outside diff range comments (4)
packages/lib/src/core/templates/dockerfile.ts (2)
17-53: 🛠️ Refactor suggestion | 🟠 Major | ⚡ Quick win

Add comprehensive TSDoc for the renderDockerfilePrelude function.

According to the guidelines, every TypeScript function must include TSDoc with parameters, return type, and the `@pure`, `@effect`, `@invariant`, `@precondition`, `@postcondition` and `@complexity` (O-notation) markers. renderDockerfilePrelude is a pure CORE-layer function that generates the Dockerfile template and should be documented.

📝 Suggested TSDoc addition
+/** + * Renders the Dockerfile prelude with shared base image, root user context, and apt bootstrap setup. + * + * `@returns` Dockerfile prelude string with ARG/FROM/USER directives and apt package installation + * `@pure` true + * `@effect` none (CORE layer pure renderer) + * `@invariant` rendered output contains ARG DOCKER_GIT_BASE_IMAGE and FROM ${DOCKER_GIT_BASE_IMAGE} + * `@precondition` none + * `@postcondition` output is a valid Dockerfile prelude starting with ARG and FROM directives + * `@complexity` O(1) time / O(1) space + */ const renderDockerfilePrelude = (): string =>As per coding guidelines:
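Review bot: the `@precondition none` and the `@invariant` in this suggested TSDoc say nothing about the two findings Checkov raises in this same file (CKV_DOCKER_7 on line 19, base image without a non-latest tag; CKV_DOCKER_8 on line 21, last USER is root). State that DOCKER_GIT_BASE_IMAGE is expected to carry a pinned tag or digest, because a floating default makes the rendered image irreproducible and lets the base silently change under the project containers, and say explicitly that `USER root` is a build-time context and whether a later block switches USER away from root, so a reader of the doc can tell whether the final image still runs as root.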
**/*.{ts,tsx}: TypeScript functions must include comprehensive TSDoc with parameters, return types, `@pure` marker, `@effect` dependencies, `@invariant` (mathematical), `@precondition`, `@postcondition`, and `@complexity` O-notation.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@packages/lib/src/core/templates/dockerfile.ts` around lines 17 - 53, Add a comprehensive TSDoc block for the renderDockerfilePrelude function: document that renderDockerfilePrelude is a pure, parameterless function in the CORE layer that returns a string containing the Dockerfile prelude; include `@returns` {string}, `@pure`, an `@effect` entry describing external effects/dependencies (none or e.g., reads dockerGitBaseImage constant), an `@invariant` describing the templated Dockerfile content contract, `@precondition` (none) and `@postcondition` (returns a non-empty Dockerfile string), and a `@complexity` tag (O(1)); place the TSDoc immediately above the renderDockerfilePrelude declaration and ensure wording follows existing project TSDoc conventions.
220-271: 🛠️ Refactor suggestion | 🟠 Major | ⚡ Quick win

Add comprehensive TSDoc for the renderDockerfileUsers function.

Although the function has excellent inline functional comments (CHANGE/WHY/INVARIANT/COMPLEXITY), the guidelines require an additional TSDoc with the full set of annotations for TypeScript functions.

📝 Suggested TSDoc addition
+/** + * Renders Dockerfile RUN directives for SSH user setup with inherited base-image user migration. + * + * Renames box/ubuntu base users to config.sshUser, rewrites login rc files to normalize /home/box + * and /home/ubuntu references, sets ENV HOME/PATH/WORKDIR to /home/<sshUser>, and configures + * sshd hardening (password auth disabled, pubkey only, X11 forwarding enabled). + * + * `@param` config - Template configuration containing sshUser and other deployment settings + * `@returns` Dockerfile user setup block with migration, normalization, and sshd config + * `@pure` true + * `@effect` none (CORE layer pure renderer) + * `@invariant` forall u = config.sshUser: HOME = /home/u AND WORKDIR = /home/u AND login_rc files contain no /home/box or /home/ubuntu + * `@precondition` config.sshUser is a valid POSIX username (alphanumeric + underscore/dash) + * `@postcondition` rendered Dockerfile creates/migrates user with UID/GID 1000, normalizes paths, hardens sshd + * `@complexity` O(1) time / O(1) space (fixed number of RUN directives independent of config size) + */ const renderDockerfileUsers = (config: TemplateConfig): string =>As per coding guidelines:
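Review bot: the suggested `@precondition` ("alphanumeric + underscore/dash") is looser than what the rendered RUN lines can tolerate, because config.sshUser is spliced unquoted into `usermod -l`, `groupmod -n`, `useradd -g`, `su -` and the `/etc/sudoers.d/` path; the doc should state the exact accepted pattern (later in this thread `^[a-z_][a-z0-9_-]{0,31}$` is proposed) and the function should rely on that validation in TemplateConfigInputSchema rather than on a comment. Also, listing "X11 forwarding enabled" under "sshd hardening" in both the description and the `@postcondition` is misleading: enabling forwarding widens the attack surface, so describe it as a feature setting separate from the password-auth-disabled / pubkey-only hardening.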
**/*.{ts,tsx}: TypeScript functions must include comprehensive TSDoc with parameters, return types, `@pure` marker, `@effect` dependencies, `@invariant` (mathematical), `@precondition`, `@postcondition`, and `@complexity` O-notation.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@packages/lib/src/core/templates/dockerfile.ts` around lines 220 - 271, Add a comprehensive TSDoc block immediately above the renderDockerfileUsers function describing params and return and include the required annotations: `@param` {TemplateConfig} config (documenting config.sshUser usage and expected semantics), `@returns` {string}, `@pure`, `@effect` (list any external dependencies like filesystem/OS semantics or shell command assumptions), `@invariant` (state the HOME/tilde normalization invariant: HOME(rendered) = /home/u and login rc files contain no "/home/box"), `@precondition` (e.g., config.sshUser non-empty and valid username), `@postcondition` (e.g., generated Dockerfile ensures user exists with UID/GID 1000 and HOME set to /home/${config.sshUser}), and `@complexity` (O(1)/O(1)); ensure the doc mentions key symbols used in the function (renderDockerfileUsers, TemplateConfig, config.sshUser) so reviewers can locate the logic.

packages/app/src/lib/core/templates/dockerfile.ts (2)
220-271: 🛠️ Refactor suggestion | 🟠 Major | ⚡ Quick win

Add comprehensive TSDoc for the renderDockerfileUsers function.

Although the function has excellent inline functional comments (CHANGE/WHY/INVARIANT/COMPLEXITY), the guidelines require an additional TSDoc with the full set of annotations for TypeScript functions.

📝 Suggested TSDoc addition
+/** + * Renders Dockerfile RUN directives for SSH user setup with inherited base-image user migration. + * + * Renames box/ubuntu base users to config.sshUser, rewrites login rc files to normalize /home/box + * and /home/ubuntu references, sets ENV HOME/PATH/WORKDIR to /home/<sshUser>, and configures + * sshd hardening (password auth disabled, pubkey only, X11 forwarding enabled). + * + * `@param` config - Template configuration containing sshUser and other deployment settings + * `@returns` Dockerfile user setup block with migration, normalization, and sshd config + * `@pure` true + * `@effect` none (CORE layer pure renderer) + * `@invariant` forall u = config.sshUser: HOME = /home/u AND WORKDIR = /home/u AND login_rc files contain no /home/box or /home/ubuntu + * `@precondition` config.sshUser is a valid POSIX username (alphanumeric + underscore/dash) + * `@postcondition` rendered Dockerfile creates/migrates user with UID/GID 1000, normalizes paths, hardens sshd + * `@complexity` O(1) time / O(1) space (fixed number of RUN directives independent of config size) + */ const renderDockerfileUsers = (config: TemplateConfig): string =>As per coding guidelines:
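Review bot: this suggestion is a byte-identical copy of the packages/lib one, for a function that exists verbatim in both packages/app and packages/lib; the same points apply here (state the exact sshUser pattern in `@precondition`, and do not file "X11 forwarding enabled" under hardening). Every fix to the unquoted sshUser interpolation has to be made twice while the two renderers are kept as separate copies, so they should share one source.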
**/*.{ts,tsx}: TypeScript functions must include comprehensive TSDoc with parameters, return types, `@pure` marker, `@effect` dependencies, `@invariant` (mathematical), `@precondition`, `@postcondition`, and `@complexity` O-notation.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@packages/app/src/lib/core/templates/dockerfile.ts` around lines 220 - 271, Add a comprehensive TSDoc block above the renderDockerfileUsers function: document the function description, param {TemplateConfig} config with details of fields used (e.g., sshUser), return {string}, and include the required tags: `@pure`, `@effect` (list side-effecting Dockerfile directives like user/group modifications, sed rewrite, ENV/WORKDIR creation), `@invariant` (HOME(rendered) = /home/u and no login rc contains "/home/box"), `@precondition` (config.sshUser is a valid username), `@postcondition` (generated Dockerfile normalizes HOME/PATH/WORKDIR and rewrites login files), and `@complexity` (time/space O(1)); reference the function name renderDockerfileUsers and the TemplateConfig type in the doc so reviewers can locate the implementation.
17-53: 🛠️ Refactor suggestion | 🟠 Major | ⚡ Quick win

Add comprehensive TSDoc for the renderDockerfilePrelude function.

According to the guidelines, every TypeScript function must include TSDoc with parameters, return type, and the `@pure`, `@effect`, `@invariant`, `@precondition`, `@postcondition` and `@complexity` (O-notation) markers. renderDockerfilePrelude is a pure CORE-layer function that generates the Dockerfile template and should be documented.

📝 Suggested TSDoc addition
+/** + * Renders the Dockerfile prelude with shared base image, root user context, and apt bootstrap setup. + * + * `@returns` Dockerfile prelude string with ARG/FROM/USER directives and apt package installation + * `@pure` true + * `@effect` none (CORE layer pure renderer) + * `@invariant` rendered output contains ARG DOCKER_GIT_BASE_IMAGE and FROM ${DOCKER_GIT_BASE_IMAGE} + * `@precondition` none + * `@postcondition` output is a valid Dockerfile prelude starting with ARG and FROM directives + * `@complexity` O(1) time / O(1) space + */ const renderDockerfilePrelude = (): string =>As per coding guidelines:
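Review bot: same as the packages/lib copy: Checkov raises CKV_DOCKER_7 and CKV_DOCKER_8 on lines 19 and 21 of this file too, so the TSDoc should record that DOCKER_GIT_BASE_IMAGE is expected to be a pinned tag or digest and that `USER root` is a temporary build context, rather than `@precondition none`.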
**/*.{ts,tsx}: TypeScript functions must include comprehensive TSDoc with parameters, return types, `@pure` marker, `@effect` dependencies, `@invariant` (mathematical), `@precondition`, `@postcondition`, and `@complexity` O-notation.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@packages/app/src/lib/core/templates/dockerfile.ts` around lines 17 - 53, The function renderDockerfilePrelude is missing the required comprehensive TSDoc; add a TSDoc block immediately above the renderDockerfilePrelude declaration that describes its purpose (generates the Dockerfile prelude template), documents the return type (`@returns` {string}), marks it `@pure`, lists `@effect` (e.g., reads dockerGitBaseImage constant or "none" if no external effects), specifies an `@invariant` (deterministic output for identical inputs), states `@precondition` (none or any required env assumptions), states `@postcondition` (returns a non-empty string that begins with "ARG DOCKER_GIT_BASE_IMAGE=" and contains Ubuntu apt setup and sudoers entry), and annotates `@complexity` (O(1)); reference the renderDockerfilePrelude symbol so reviewers can find the added TSDoc.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In `@packages/app/src/lib/core/templates/dockerfile.ts`:
- Around line 203-205: Add full TSDoc above the renderDockerfileBunProfile
function: describe its purpose (renders the /etc/profile.d/bun.sh script with an
escaped $PATH so that the runtime variable is preserved rather than substituted
at build time), state the return type string, mark it `@pure`, list `@effect`
dependencies (no external effects, only string construction), add `@invariant`
(the result always contains "export PATH=" and the path "/usr/local/bun/bin"),
`@precondition` (the function takes no arguments), `@postcondition` (the returned
string ends with chmod 0644 /etc/profile.d/bun.sh), and `@complexity` O(1);
place the documentation directly above the renderDockerfileBunProfile
definition.
In `@packages/lib/src/core/templates/dockerfile.ts`:
- Around line 203-205: The function renderDockerfileBunProfile lacks the
required comprehensive TSDoc; add a full TSDoc block above
renderDockerfileBunProfile that explains the purpose (renders a /etc/profile.d
script that preserves the runtime $PATH by escaping $ at template time),
documents the return type (string), marks the function `@pure`, lists `@effect`
dependencies (none / no external state), states an `@invariant` (output always
contains an escaped "$PATH" and valid file path /etc/profile.d/bun.sh), includes
`@precondition` (no inputs required) and `@postcondition` (returned string is a
single RUN command writing and chmodding the file), and declares `@complexity`
O(1); reference the function name renderDockerfileBunProfile in the doc so
reviewers can locate it easily.
---
Outside diff comments:
In `@packages/app/src/lib/core/templates/dockerfile.ts`:
- Around line 220-271: Add a comprehensive TSDoc block above the
renderDockerfileUsers function: document the function description, param
{TemplateConfig} config with details of fields used (e.g., sshUser), return
{string}, and include the required tags: `@pure`, `@effect` (list side-effecting
Dockerfile directives like user/group modifications, sed rewrite, ENV/WORKDIR
creation), `@invariant` (HOME(rendered) = /home/u and no login rc contains
"/home/box"), `@precondition` (config.sshUser is a valid username), `@postcondition`
(generated Dockerfile normalizes HOME/PATH/WORKDIR and rewrites login files),
and `@complexity` (time/space O(1)); reference the function name
renderDockerfileUsers and the TemplateConfig type in the doc so reviewers can
locate the implementation.
- Around line 17-53: The function renderDockerfilePrelude is missing the
required comprehensive TSDoc; add a TSDoc block immediately above the
renderDockerfilePrelude declaration that describes its purpose (generates the
Dockerfile prelude template), documents the return type (`@returns` {string}),
marks it `@pure`, lists `@effect` (e.g., reads dockerGitBaseImage constant or "none"
if no external effects), specifies an `@invariant` (deterministic output for
identical inputs), states `@precondition` (none or any required env assumptions),
states `@postcondition` (returns a non-empty string that begins with "ARG
DOCKER_GIT_BASE_IMAGE=" and contains Ubuntu apt setup and sudoers entry), and
annotates `@complexity` (O(1)); reference the renderDockerfilePrelude symbol so
reviewers can find the added TSDoc.
In `@packages/lib/src/core/templates/dockerfile.ts`:
- Around line 17-53: Add a comprehensive TSDoc block for the
renderDockerfilePrelude function: document that renderDockerfilePrelude is a
pure, parameterless function in the CORE layer that returns a string containing
the Dockerfile prelude; include `@returns` {string}, `@pure`, an `@effect` entry
describing external effects/dependencies (none or e.g., reads dockerGitBaseImage
constant), an `@invariant` describing the templated Dockerfile content contract,
`@precondition` (none) and `@postcondition` (returns a non-empty Dockerfile string),
and a `@complexity` tag (O(1)); place the TSDoc immediately above the
renderDockerfilePrelude declaration and ensure wording follows existing project
TSDoc conventions.
- Around line 220-271: Add a comprehensive TSDoc block immediately above the
renderDockerfileUsers function describing params and return and include the
required annotations: `@param` {TemplateConfig} config (documenting config.sshUser
usage and expected semantics), `@returns` {string}, `@pure`, `@effect` (list any
external dependencies like filesystem/OS semantics or shell command
assumptions), `@invariant` (state the HOME/tilde normalization invariant:
HOME(rendered) = /home/u and login rc files contain no "/home/box"),
`@precondition` (e.g., config.sshUser non-empty and valid username),
`@postcondition` (e.g., generated Dockerfile ensures user exists with UID/GID 1000
and HOME set to /home/${config.sshUser}), and `@complexity` (O(1)/O(1)); ensure
the doc mentions key symbols used in the function (renderDockerfileUsers,
TemplateConfig, config.sshUser) so reviewers can locate the logic.
ℹ️ Review info
⚙️ Run configuration
Configuration used: Path: .coderabbit.yaml
Review profile: ASSERTIVE
Plan: Pro Plus
Run ID: ce051469-fe1e-44b3-8376-9b3f8b000ecf
📒 Files selected for processing (3)
- packages/app/src/lib/core/templates/dockerfile.ts
- packages/lib/src/core/templates/dockerfile.ts
- packages/lib/tests/core/templates.test.ts
📜 Review details
⏰ Context from checks skipped due to timeout of 900000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (9)
- GitHub Check: E2E (Clone auto-open SSH)
- GitHub Check: E2E (Runtime volumes + SSH)
- GitHub Check: E2E (Login context)
- GitHub Check: E2E (Clone cache)
- GitHub Check: Test
- GitHub Check: E2E (Browser command)
- GitHub Check: Lint
- GitHub Check: E2E (OpenCode)
- GitHub Check: Final build (windows-latest)
🧰 Additional context used
📓 Path-based instructions (5)
**/*.{ts,tsx}
📄 CodeRabbit inference engine (CLAUDE.md)
**/*.{ts,tsx}: Implement Functional Core, Imperative Shell (FCIS) pattern: CORE layer contains only pure functions with immutable data and mathematical operations; SHELL layer isolates all effects (IO, network, database). Strict dependency direction: SHELL → CORE (never reverse).
Never use `any`, `unknown`, `eslint-disable`, `ts-ignore`, or `as` type assertions (except in rigorously justified cases with documentation). Always use exhaustive union type analysis through `.exhaustive()` pattern matching.
All external dependencies must be wrapped through typed interfaces and injected via Effect-TS Layer pattern. Never call external services directly from CORE functions.
Use monadic composition with Effect-TS for all effects: `Effect<Success, Error, Requirements>`. Compose effects through `pipe()` and `Effect.flatMap()`. Implement dependency injection via Layer pattern. Handle errors without try/catch blocks.
All functions must be pure in the CORE layer: no side effects (logging, console output, IO operations, mutations). Separate all side effects into the SHELL layer.
Use exhaustive pattern matching with Effect.Match instead of switch statements. Example: `Match.value(item).pipe(Match.when(...), Match.exhaustive)`.
Document all functions with comprehensive TSDoc including: `@pure` (true/false), `@effect` (required services), `@invariant` (mathematical invariants), `@precondition`, `@postcondition`, `@complexity` (time and space), `@throws` Never (errors must be typed in Effect).
Use functional comment markers for code clarity: CHANGE (brief description), WHY (mathematical/architectural justification), QUOTE(ТЗ) (requirement citation), REF (RTM or message ID), SOURCE (external source with quote), FORMAT THEOREM (∀x ∈ Domain: P(x) → Q(f(x))), PURITY (CORE|SHELL), EFFECT (Effect type signature), INVARIANT (mathematical invariant), COMPLEXITY (time/space).
Define all external service dependencies as Context.Tag classes with fully typed methods returning Effect types. Example: `class Da...
Files:
- packages/lib/src/core/templates/dockerfile.ts
- packages/app/src/lib/core/templates/dockerfile.ts
- packages/lib/tests/core/templates.test.ts
**/*.{ts,tsx,js,jsx}
📄 CodeRabbit inference engine (AGENTS.md)
**/*.{ts,tsx,js,jsx}: Forbidden constructs in CORE code: `any`, `eslint-disable`, `ts-ignore`, `async/await`, raw Promise chains (then/catch), `Promise.all`, `try/catch` for logic control, `console.*`, switch statements (use Match with `.exhaustive()` instead)
All functions must use Effect-TS for composing effects: `Effect<Success, Error, Requirements>`. No direct async/await, Promise chains, or try/catch in product logic.
Functional comments must include: CHANGE, WHY, QUOTE(ТЗ) or n/a, REF, SOURCE or n/a, FORMAT THEOREM, PURITY (CORE|SHELL), EFFECT signature for SHELL functions, INVARIANT, and COMPLEXITY.
All data mutations must use immutable patterns (ReadonlyArray, readonly properties, Object.freeze); mutation in SHELL only when absolutely necessary and documented.
Files:
- packages/lib/src/core/templates/dockerfile.ts
- packages/app/src/lib/core/templates/dockerfile.ts
- packages/lib/tests/core/templates.test.ts
**/*
⚙️ CodeRabbit configuration file
**/*: You are a strict SPEC DRIVEN DEVELOPMENT reviewer. Before drawing conclusions, study README.md, the other *.md files, linked issues,
the PR description, PR comments/discussion and the relevant code base. Check the changes against the original ТЗ (spec) and the discussion. Flag any departure
from the spec, any undocumented behaviour change, missing tests
for claimed behaviour, and any security risk. If the spec is not visible,
ask the author to add it to the issue or PR description. Examine the solution from a formal-verification standpoint: which invariants,
preconditions and postconditions can be proven mathematically, and where provability
is weak. Evaluate the solution from a game-theory standpoint: are the incentives stable,
is there a profitable way around the rules, and what solution would be stronger.
Files:
- packages/lib/src/core/templates/dockerfile.ts
- packages/app/src/lib/core/templates/dockerfile.ts
- packages/lib/tests/core/templates.test.ts
**/*.test.{ts,tsx}
📄 CodeRabbit inference engine (CLAUDE.md)
**/*.test.{ts,tsx}: Implement property-based testing using fast-check for mathematical properties and invariants. Example: `fc.property(fc.array(messageArbitrary), (messages) => isChronologicallySorted(sortMessagesByTimestamp(messages)))`.
Mock external dependencies in unit tests using Effect's testing utilities. Run tests without Effect runtime for speed. Example: `Effect.provide(MockService)`, `Effect.runPromise`.
Files:
packages/lib/tests/core/templates.test.ts
**/*.{test,spec}.{ts,tsx}
📄 CodeRabbit inference engine (AGENTS.md)
Property-based tests (fast-check) must verify mathematical invariants; unit tests must use Effect test utilities without async/await.
Files:
packages/lib/tests/core/templates.test.ts
🪛 Checkov (3.2.528)
packages/lib/src/core/templates/dockerfile.ts
[low] 19-19: Ensure the base image uses a non latest version tag
(CKV_DOCKER_7)
[low] 21-21: Ensure the last USER is not root
(CKV_DOCKER_8)
packages/app/src/lib/core/templates/dockerfile.ts
[low] 19-19: Ensure the base image uses a non latest version tag
(CKV_DOCKER_7)
[low] 21-21: Ensure the last USER is not root
(CKV_DOCKER_8)
🔇 Additional comments (4)
packages/lib/src/core/templates/dockerfile.ts (1)
6-15: LGTM!

packages/app/src/lib/core/templates/dockerfile.ts (1)
6-15: LGTM!

packages/lib/tests/core/templates.test.ts (2)
40-60: LGTM! Also applies to: 112-131, 195-210, 225-241
177-211: Excellent use of Effect-TS to check the prompt script's behaviour.

The test correctly uses `Effect.effect`, `Command`, `pipe` and `Effect.provide(NodeContext.layer)` to run the bash command and verify that the generated prompt script stays silent in non-interactive mode without a TTY. This follows the guidelines on using Effect test utilities instead of async/await. The property-based check on lines 195-210 additionally verifies that all interactive mutations (PROMPT_COMMAND, PS1, trap) are placed after the non-interactive guard, which is a mathematical invariant.
As per coding guidelines:
**/*.{test,spec}.{ts,tsx}: Property-based tests (fast-check) must verify mathematical invariants; unit tests must use Effect test utilities without async/await.
Follow-up for CI: E2E (OpenCode) failed while running the pre-clone

Also added AUTH_LOG dumping on failure so future auth bootstrap errors are visible in Actions logs.

Local verification:
Pushed one more CI fix for the remaining red job. What changed:
Local verification:
I also attempted the full Login Context e2e locally, but this container uses
Addressed the two unresolved CodeRabbit threads on the current review. Changes:
Local verification:
Pushed as
Actionable comments posted: 1
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In `@scripts/e2e/login-context.sh`:
- Line 8: Add a brief inline comment next to the ROOT_BASE variable (and the
mention of DOCKER_GIT_E2E_ROOT_BASE) explaining why the default path was chosen
as /tmp/docker-git-e2e-root (for example, to avoid repo-relative paths and
eliminate the E2E failures in OpenCode), so that future developers see the
context of the change directly in the code.
ℹ️ Review info
⚙️ Run configuration
Configuration used: Path: .coderabbit.yaml
Review profile: ASSERTIVE
Plan: Pro Plus
Run ID: 043785b7-4791-4837-a304-14b1bf940a00
📒 Files selected for processing (1)
scripts/e2e/login-context.sh
📜 Review details
⏰ Context from checks skipped due to timeout of 900000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (9)
- GitHub Check: E2E (Login context)
- GitHub Check: E2E (Runtime volumes + SSH)
- GitHub Check: E2E (OpenCode)
- GitHub Check: E2E (Clone auto-open SSH)
- GitHub Check: E2E (Clone cache)
- GitHub Check: E2E (Browser command)
- GitHub Check: Test
- GitHub Check: Lint
- GitHub Check: Final build (windows-latest)
🧰 Additional context used
📓 Path-based instructions (1)
**/*
⚙️ CodeRabbit configuration file
**/*: You are a strict SPEC DRIVEN DEVELOPMENT reviewer. Before drawing conclusions, study README.md, the other *.md files, linked issues,
the PR description, PR comments/discussion and the relevant code base. Check the changes against the original ТЗ (spec) and the discussion. Flag any departure
from the spec, any undocumented behaviour change, missing tests
for claimed behaviour, and any security risk. If the spec is not visible,
ask the author to add it to the issue or PR description. Examine the solution from a formal-verification standpoint: which invariants,
preconditions and postconditions can be proven mathematically, and where provability
is weak. Evaluate the solution from a game-theory standpoint: are the incentives stable,
is there a profitable way around the rules, and what solution would be stronger.
Files:
scripts/e2e/login-context.sh
Pushed a fix for the new red Root cause from the job log:
Change:
Local verification:
Pushed as
Actionable comments posted: 6
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In `@packages/app/src/lib/core/templates/dockerfile.ts`:
- Around line 17-21: Add a full TSDoc comment above the renderDockerfilePrelude
function: describe the parameters (their types and purpose), what the function
returns (the Dockerfile prelude string), mention the new behaviours (the ARG
introduced for the base image, the use of FROM with a variable, and setting USER
root), and include the mandatory tags `@pure`, `@effect` (dependencies, if any),
`@invariant`, `@precondition`, `@postcondition` and `@complexity` (big-O) in
accordance with the coding guideline; use the function name renderDockerfilePrelude
in the comment so the description is explicitly tied to the implementation.
- Around line 240-268: Add formal TSDoc above the renderDockerfileUsers function:
describe each parameter with `@param` (give the parameter name and its
type/purpose), describe the return value with `@returns`, mark the function
`@pure`, list external dependencies/side effects via `@effect`, state invariants
via `@invariant`, preconditions via `@precondition` and postconditions via
`@postcondition`, plus a complexity estimate via `@complexity` (Big-O). Make sure
the tags match the actual signature and behaviour of renderDockerfileUsers
(including parameter names and types), keep each condition brief and
substantive, and do not duplicate comments that already exist.
- Around line 242-251: config.sshUser is used directly in Dockerfile shell commands
here (usermod -l ${config.sshUser}, groupmod -n ${config.sshUser}, useradd -g
${config.sshUser}, su - ${config.sshUser}, /etc/sudoers.d/${config.sshUser}) and
there is no validation in TemplateConfigInputSchema; fix this by adding pattern
validation to TemplateConfigInputSchema for the sshUser field with the regular
expression ^[a-z_][a-z0-9_-]{0,31}$ (Unix username), or, as an alternative or
additional safeguard, safely escape/quote the value when interpolating it into the
Dockerfile template (use "${config.sshUser}" or '${config.sshUser}') to prevent
the possibility of command injection.
In `@packages/lib/src/core/templates/dockerfile.ts`:
- Around line 240-266: Add a TSDoc block for the renderDockerfileUsers function
(which accepts a TemplateConfig) that documents the purpose, describes the
config parameter (TemplateConfig) and the returned string, and includes the
required tags: `@pure`, `@effect` (list any external deps, e.g., none or template
interpolation), `@invariant` (e.g., returns valid Dockerfile snippet),
`@precondition` (config has sshUser defined/non-empty), `@postcondition` (ENV and
WORKDIR set to /home/${config.sshUser}), and `@complexity` (O(1) or constant
time/space). Place the TSDoc immediately above the renderDockerfileUsers
declaration and ensure the descriptions are concise and accurate to satisfy the
linting rule.
- Around line 17-21: Add complete TSDoc above the renderDockerfilePrelude function:
describe its purpose, state the return type (string), mark it `@pure`, list `@effect`
dependencies (for example the dockerGitBaseImage variable), add `@invariant` (the
returned string always contains `FROM` and `USER root`), `@precondition`
(dockerGitBaseImage is non-empty), `@postcondition` (the result contains an ARG with
the given value), and `@complexity` (O(1)); keep the explanation of the
parameterized base image brief and place the documented block above the
renderDockerfilePrelude function.
- Around line 242-248: Add POSIX username validation for config.sshUser and
ensure it's safely quoted in shell templates: update command-builders-shared.ts
to add a validator akin to parseSshPort that enforces the regex
^[a-z_][a-z0-9_-]*$ and wire it into TemplateConfigInputSchema (or validate via
an Either in resolveRepoBasics) so invalid sshUser values are rejected at
schema/resolve time; then update dockerfile.ts (places using config.sshUser in
commands like usermod -l ${config.sshUser}, groupmod -n ${config.sshUser}, and
any other shell interpolations) to emit the sshUser as a quoted/sanitized single
argument (e.g., wrap in single quotes or otherwise escape) so shell
metacharacters cannot cause injection or parsing errors.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Path: .coderabbit.yaml
Review profile: ASSERTIVE
Plan: Pro Plus
Run ID: 746498d7-6785-4fca-afa6-79d92e66393d
📒 Files selected for processing (2)
packages/app/src/lib/core/templates/dockerfile.ts
packages/lib/src/core/templates/dockerfile.ts
📜 Review details
🧰 Additional context used
📓 Path-based instructions (3)
**/*.{ts,tsx}
📄 CodeRabbit inference engine (CLAUDE.md)
**/*.{ts,tsx}: Implement Functional Core, Imperative Shell (FCIS) pattern: CORE layer contains only pure functions with immutable data and mathematical operations; SHELL layer isolates all effects (IO, network, database). Strict dependency direction: SHELL → CORE (never reverse).
Never use `any`, `unknown`, `eslint-disable`, `ts-ignore`, or `as` type assertions (except in rigorously justified cases with documentation). Always use exhaustive union type analysis through `.exhaustive()` pattern matching.
All external dependencies must be wrapped through typed interfaces and injected via Effect-TS Layer pattern. Never call external services directly from CORE functions.
Use monadic composition with Effect-TS for all effects: `Effect<Success, Error, Requirements>`. Compose effects through `pipe()` and `Effect.flatMap()`. Implement dependency injection via Layer pattern. Handle errors without try/catch blocks.
All functions must be pure in the CORE layer: no side effects (logging, console output, IO operations, mutations). Separate all side effects into the SHELL layer.
Use exhaustive pattern matching with Effect.Match instead of switch statements. Example: `Match.value(item).pipe(Match.when(...), Match.exhaustive)`.
Document all functions with comprehensive TSDoc including: `@pure` (true/false), `@effect` (required services), `@invariant` (mathematical invariants), `@precondition`, `@postcondition`, `@complexity` (time and space), `@throws` Never (errors must be typed in Effect).
Use functional comment markers for code clarity: CHANGE (brief description), WHY (mathematical/architectural justification), QUOTE(ТЗ) (requirement citation), REF (RTM or message ID), SOURCE (external source with quote), FORMAT THEOREM (∀x ∈ Domain: P(x) → Q(f(x))), PURITY (CORE|SHELL), EFFECT (Effect type signature), INVARIANT (mathematical invariant), COMPLEXITY (time/space).
Define all external service dependencies as Context.Tag classes with fully typed methods returning Effect types. Example: `class Da...
Files:
packages/lib/src/core/templates/dockerfile.ts
packages/app/src/lib/core/templates/dockerfile.ts
**/*.{ts,tsx,js,jsx}
📄 CodeRabbit inference engine (AGENTS.md)
**/*.{ts,tsx,js,jsx}: Forbidden constructs in CORE code: `any`, `eslint-disable`, `ts-ignore`, `async/await`, raw Promise chains (then/catch), `Promise.all`, `try/catch` for logic control, `console.*`, switch statements (use Match with `.exhaustive()` instead)
All functions must use Effect-TS for composing effects: `Effect<Success, Error, Requirements>`. No direct async/await, Promise chains, or try/catch in product logic.
Functional comments must include: CHANGE, WHY, QUOTE(ТЗ) or n/a, REF, SOURCE or n/a, FORMAT THEOREM, PURITY (CORE|SHELL), EFFECT signature for SHELL functions, INVARIANT, and COMPLEXITY.
All data mutations must use immutable patterns (ReadonlyArray, readonly properties, Object.freeze); mutation in SHELL only when absolutely necessary and documented.
Files:
packages/lib/src/core/templates/dockerfile.ts
packages/app/src/lib/core/templates/dockerfile.ts
**/*
⚙️ CodeRabbit configuration file
Files:
packages/lib/src/core/templates/dockerfile.ts
packages/app/src/lib/core/templates/dockerfile.ts
🔇 Additional comments (4)
packages/lib/src/core/templates/dockerfile.ts (2)
6-15: LGTM!
203-216: LGTM!
packages/app/src/lib/core/templates/dockerfile.ts (2)
203-216: LGTM!
264-266: LGTM!
|
Addressed the latest CodeRabbit review notes in commit 6f23fe2. What changed:
Local verification passed:
|
|
Follow-up pushed in commit 8a99997 for the CI failure. The failed E2E (Login context) log showed No space left on device while Docker was running chown -R 1000:1000 /home/dev. That recursively touched the inherited Playwright cache from the base image and inflated the layer. Fix:
Re-verified locally:
|
|
Pushed commit 107800a for the failing Test job. CI failure was an outdated assertion in packages/lib/tests/usecases/apply.test.ts that still expected the old exact Dockerfile line RUN mkdir -p . The Dockerfile now assigns TARGET_DIR and creates HOME_DIR/TARGET_DIR together to avoid recursive chown of the inherited home. The test now checks the new TARGET_DIR fragment instead. Re-verified locally:
|
|
Final status for the latest head 107800a:
Note: GitHub still reports reviewDecision as CHANGES_REQUESTED because CodeRabbit submitted an earlier CHANGES_REQUESTED review on 2026-05-13. The inline threads from that review are resolved, but the historical review state remains until the reviewer/bot updates or a maintainer dismisses it. |
|
@coderabbitai review |
✅ Actions performed: Review triggered.
|
There was a problem hiding this comment.
Actionable comments posted: 4
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In `@packages/lib/src/core/command-builders-shared.ts`:
- Around line 34-52: Add a complete TSDoc contract to every public parser in
this file (at least parseSshUser, parseSshPort, parseDockerNetworkMode,
parseGpuMode, and nonEmpty): for each function add a summary, `@param` describing
the input, `@returns` describing the Either result, and include the required
annotation tags `@pure`, `@effect`, `@invariant`, `@precondition`, `@postcondition`, and
`@complexity` with concise, accurate statements about side effects (none),
expected input constraints, guaranteed outputs (left on error, right on valid
value), and time/space complexity; ensure the TSDoc sits immediately above each
function declaration (e.g., above parseSshUser) and uses precise wording
reflecting the actual validation rules (e.g., username pattern, non-empty),
matching the function behavior.
In `@packages/lib/src/core/templates/dockerfile.ts`:
- Around line 329-334: The Dockerfile template injects config.targetDir raw into
the RUN shell, allowing shell metacharacters (e.g., $(), backticks) to be
executed; before emitting TARGET_DIR="${config.targetDir}" escape the value for
safe single-quoted shell usage (e.g., replace every single quote with '\'' and
wrap the whole value in single quotes) so the generated line becomes
TARGET_DIR='escaped-value' and not subject to shell expansion, update the code
that renders TARGET_DIR in the dockerfile template (the place that references
config.targetDir and the RUN block containing TARGET_DIR/HOME_DIR/chown) and
apply the same escaping fix to the other dockerfile template used for the app.
In `@packages/lib/tests/core/command-builders.test.ts`:
- Around line 7-33: Add property-based tests for the sshUser invariant by using
fast-check to generate many valid and invalid usernames and asserting
buildCreateCommand(...) respects the regex; specifically, write
fc.assert(fc.property(...)) cases that feed generated strings into
buildCreateCommand (referencing the function buildCreateCommand and the sshUser
property) and assert Either.isRight for strings matching
^[a-z_][a-z0-9_-]{0,31}$ (and that result.right.config.sshUser equals the input)
and Either.isLeft with the InvalidOption shape (option: "--ssh-user", reason
matching the regex message) for non-matching strings (edge lengths 0,32,33,
invalid first char, forbidden chars); use fast-check generators (e.g., custom
char/length constraints) and fc.assert/fc.property directly (no async/await) to
follow the test conventions.
In `@packages/lib/tests/shell/config.test.ts`:
- Around line 40-61: Add a property-based test with fast-check that checks the
sshUser validation invariant: instead of a single example, generate many invalid
usernames (strings containing shell metacharacters, uppercase letters, length > 31,
and so on) and for each one write the config (using makeTemplateConfig) to tempDir
and call readProjectConfig(tempDir); expect Left/ConfigDecodeError with a message
containing "template.sshUser must match". Import fast-check (fc), use fc.property /
fc.assert with suitable generators (or combine fc.oneof/filters for special
characters, uppercase, and overly long strings), and reference the isUnixUserName
semantics in the test by asserting that all generated unsafe values are rejected by
readProjectConfig / the decoder.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Path: .coderabbit.yaml
Review profile: ASSERTIVE
Plan: Pro Plus
Run ID: 32d8f521-cffd-477d-908f-0fb3c7172a75
📒 Files selected for processing (20)
packages/api/Dockerfile
packages/app/src/docker-git/frontend-lib/core/command-builders-shared.ts
packages/app/src/docker-git/frontend-lib/core/command-builders.ts
packages/app/src/docker-git/frontend-lib/core/domain.ts
packages/app/src/lib/core/command-builders-shared.ts
packages/app/src/lib/core/command-builders.ts
packages/app/src/lib/core/domain.ts
packages/app/src/lib/core/templates/dockerfile.ts
packages/app/src/lib/shell/config.ts
packages/app/tests/docker-git/parser.test.ts
packages/lib/src/core/command-builders-shared.ts
packages/lib/src/core/command-builders.ts
packages/lib/src/core/domain.ts
packages/lib/src/core/templates/dockerfile.ts
packages/lib/src/shell/config.ts
packages/lib/tests/core/command-builders.test.ts
packages/lib/tests/core/templates.test.ts
packages/lib/tests/shell/config.test.ts
packages/lib/tests/usecases/apply.test.ts
scripts/e2e/login-context.sh
📜 Review details
🧰 Additional context used
📓 Path-based instructions (5)
**/*
⚙️ CodeRabbit configuration file
Files:
scripts/e2e/login-context.sh
packages/api/Dockerfile
packages/lib/src/core/command-builders-shared.ts
packages/app/src/lib/core/domain.ts
packages/lib/tests/core/command-builders.test.ts
packages/app/src/lib/shell/config.ts
packages/lib/tests/usecases/apply.test.ts
packages/app/src/docker-git/frontend-lib/core/command-builders.ts
packages/app/tests/docker-git/parser.test.ts
packages/lib/src/core/command-builders.ts
packages/app/src/docker-git/frontend-lib/core/domain.ts
packages/app/src/docker-git/frontend-lib/core/command-builders-shared.ts
packages/lib/tests/shell/config.test.ts
packages/lib/src/shell/config.ts
packages/app/src/lib/core/command-builders-shared.ts
packages/app/src/lib/core/command-builders.ts
packages/app/src/lib/core/templates/dockerfile.ts
packages/lib/src/core/domain.ts
packages/lib/tests/core/templates.test.ts
packages/lib/src/core/templates/dockerfile.ts
**/*.{ts,tsx}
📄 CodeRabbit inference engine (CLAUDE.md)
Files:
packages/lib/src/core/command-builders-shared.ts
packages/app/src/lib/core/domain.ts
packages/lib/tests/core/command-builders.test.ts
packages/app/src/lib/shell/config.ts
packages/lib/tests/usecases/apply.test.ts
packages/app/src/docker-git/frontend-lib/core/command-builders.ts
packages/app/tests/docker-git/parser.test.ts
packages/lib/src/core/command-builders.ts
packages/app/src/docker-git/frontend-lib/core/domain.ts
packages/app/src/docker-git/frontend-lib/core/command-builders-shared.ts
packages/lib/tests/shell/config.test.ts
packages/lib/src/shell/config.ts
packages/app/src/lib/core/command-builders-shared.ts
packages/app/src/lib/core/command-builders.ts
packages/app/src/lib/core/templates/dockerfile.ts
packages/lib/src/core/domain.ts
packages/lib/tests/core/templates.test.ts
packages/lib/src/core/templates/dockerfile.ts
**/*.{ts,tsx,js,jsx}
📄 CodeRabbit inference engine (AGENTS.md)
Files:
packages/lib/src/core/command-builders-shared.ts
packages/app/src/lib/core/domain.ts
packages/lib/tests/core/command-builders.test.ts
packages/app/src/lib/shell/config.ts
packages/lib/tests/usecases/apply.test.ts
packages/app/src/docker-git/frontend-lib/core/command-builders.ts
packages/app/tests/docker-git/parser.test.ts
packages/lib/src/core/command-builders.ts
packages/app/src/docker-git/frontend-lib/core/domain.ts
packages/app/src/docker-git/frontend-lib/core/command-builders-shared.ts
packages/lib/tests/shell/config.test.ts
packages/lib/src/shell/config.ts
packages/app/src/lib/core/command-builders-shared.ts
packages/app/src/lib/core/command-builders.ts
packages/app/src/lib/core/templates/dockerfile.ts
packages/lib/src/core/domain.ts
packages/lib/tests/core/templates.test.ts
packages/lib/src/core/templates/dockerfile.ts
**/*.test.{ts,tsx}
📄 CodeRabbit inference engine (CLAUDE.md)
**/*.test.{ts,tsx}: Implement property-based testing using fast-check for mathematical properties and invariants. Example: `fc.property(fc.array(messageArbitrary), (messages) => isChronologicallySorted(sortMessagesByTimestamp(messages)))`.
Mock external dependencies in unit tests using Effect's testing utilities. Run tests without Effect runtime for speed. Example: `Effect.provide(MockService)`, `Effect.runPromise`.
Files:
packages/lib/tests/core/command-builders.test.ts
packages/lib/tests/usecases/apply.test.ts
packages/app/tests/docker-git/parser.test.ts
packages/lib/tests/shell/config.test.ts
packages/lib/tests/core/templates.test.ts
**/*.{test,spec}.{ts,tsx}
📄 CodeRabbit inference engine (AGENTS.md)
Property-based tests (fast-check) must verify mathematical invariants; unit tests must use Effect test utilities without async/await.
Files:
packages/lib/tests/core/command-builders.test.ts
packages/lib/tests/usecases/apply.test.ts
packages/app/tests/docker-git/parser.test.ts
packages/lib/tests/shell/config.test.ts
packages/lib/tests/core/templates.test.ts
🪛 Checkov (3.2.528)
packages/app/src/lib/core/templates/dockerfile.ts
[low] 28-28: Ensure the base image uses a non latest version tag
(CKV_DOCKER_7)
[low] 30-30: Ensure the last USER is not root
(CKV_DOCKER_8)
packages/lib/src/core/templates/dockerfile.ts
[low] 28-28: Ensure the base image uses a non latest version tag
(CKV_DOCKER_7)
[low] 30-30: Ensure the last USER is not root
(CKV_DOCKER_8)
🔇 Additional comments (12)
scripts/e2e/login-context.sh (1)
8-10: LGTM!
packages/api/Dockerfile (1)
77-88: LGTM!
packages/app/src/docker-git/frontend-lib/core/domain.ts (1)
61-75: LGTM!
packages/app/src/lib/core/domain.ts (1)
61-75: LGTM!
packages/lib/src/core/domain.ts (1)
60-74: LGTM!
packages/app/src/lib/core/command-builders-shared.ts (1)
4-12: LGTM! Also applies to: 35-53
packages/app/src/docker-git/frontend-lib/core/command-builders-shared.ts (1)
4-12: LGTM! Also applies to: 35-53
packages/app/src/docker-git/frontend-lib/core/command-builders.ts (1)
6-6: LGTM! Also applies to: 49-49
packages/app/src/lib/shell/config.ts (1)
10-15: LGTM! Also applies to: 94-106, 126-126
packages/app/src/lib/core/command-builders.ts (1)
6-6: LGTM! Also applies to: 49-49
packages/lib/tests/shell/config.test.ts (1)
1-37: LGTM! Also applies to: 62-64
packages/lib/src/core/command-builders-shared.ts (1)
3-11: LGTM!
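The two CodeRabbit reviews above ask for the same pair of defences: reject `sshUser` at parse time with `^[a-z_][a-z0-9_-]{0,31}$`, and single-quote free-form values such as `targetDir` (every `'` spelled as `'\''`) before they reach a `RUN` line, so that `$(...)` and backticks stay inert; the CI follow-up also replaced the recursive `chown -R` of the inherited home with ownership of just the created directory. The TypeScript below is an added example, not the project's code: it reuses the names `parseSshUser` and `shellSingleQuote` from the thread but the implementations, the `Either` shape, `renderTargetDirUnsafe`, `renderUserSetup` and the exact `RUN` wording are this example's assumptions. Only the regex, the quoting rule and the `1000:1000` owner come from the discussion.

```typescript
// Added example (not the project's own code): validate a username before it is
// interpolated into a Dockerfile RUN line, and single-quote free-form values
// such as the target directory so the shell never expands them.
// Assumed names: Either, left, right, parseSshUser, shellSingleQuote,
// renderTargetDirUnsafe, renderUserSetup. Only the regex, the '\'' rule and
// the 1000:1000 owner are taken from the review thread.

type Either<L, R> =
  | { readonly _tag: "Left"; readonly left: L }
  | { readonly _tag: "Right"; readonly right: R };

const left = <L, R>(l: L): Either<L, R> => ({ _tag: "Left", left: l });
const right = <L, R>(r: R): Either<L, R> => ({ _tag: "Right", right: r });

// Unix username pattern quoted in the review: lowercase or underscore first,
// then lowercase, digits, underscore or dash, 32 characters at most.
const UNIX_USER_RE = /^[a-z_][a-z0-9_-]{0,31}$/;

const isUnixUserName = (value: string): boolean => UNIX_USER_RE.test(value);

// Reject at parse time so the template layer can assume the name is inert:
// nothing the regex admits is a shell metacharacter, so it may be interpolated
// bare in usermod/groupmod/sudoers paths.
const parseSshUser = (raw: string): Either<string, string> =>
  isUnixUserName(raw)
    ? right(raw)
    : left(`--ssh-user must match ${UNIX_USER_RE.source}`);

// POSIX single quoting: inside '...' no expansion happens at all. The only
// character that needs care is the quote itself, written as '\''
// (close the quote, add an escaped quote, reopen the quote).
const shellSingleQuote = (value: string): string =>
  `'${value.replace(/'/g, `'\\''`)}'`;

// Before: the value lands inside double quotes, where $(...) and backticks
// are still expanded by the RUN shell. Kept only to show the contrast.
const renderTargetDirUnsafe = (targetDir: string): string =>
  `RUN TARGET_DIR="${targetDir}" && mkdir -p "$HOME_DIR/$TARGET_DIR"`;

// After: validated user name, single-quoted target dir, and ownership changed
// only on the home and the directory just created, not recursively over the
// whole inherited home (the recursive chown is what filled the CI disk).
const renderUserSetup = (
  sshUser: string,
  targetDir: string,
): Either<string, string> => {
  const user = parseSshUser(sshUser);
  if (user._tag === "Left") {
    return user;
  }
  const u = user.right;
  const lines = [
    `ENV HOME=/home/${u}`,
    `WORKDIR /home/${u}`,
    `RUN TARGET_DIR=${shellSingleQuote(targetDir)} && HOME_DIR=/home/${u} \\`,
    `  && mkdir -p "$HOME_DIR/$TARGET_DIR" \\`,
    `  && chown 1000:1000 "$HOME_DIR" "$HOME_DIR/$TARGET_DIR"`,
  ];
  return right(lines.join("\n"));
};
```

`renderUserSetup("dev", "$(id)")` yields a `RUN` line containing `TARGET_DIR='$(id)'`, which the shell treats as five literal characters, while `renderTargetDirUnsafe("$(id)")` leaves the substitution live. The validator and the quoter are deliberately separate: quoting is enough for values that stay inside one shell word, but `sshUser` also appears in file paths and as a `usermod` argument, which is why the thread asks for both.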
|
Updated PR #281 for the latest CodeRabbit review (#4289505285). What changed:
Local verification passed:
@coderabbitai review |
|
✅ Actions performed: Review triggered.
|
There was a problem hiding this comment.
Actionable comments posted: 1
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In `@packages/lib/tests/core/templates.test.ts`:
- Around line 159-160: The assertion in the test uses a plain string with the literal
"${config.sshUser}" instead of substituting the value, so the real path is not
checked; in the expression expect(dockerfile).not.toContain("chown -R 1000:1000
/home/${config.sshUser}") replace the string with an interpolated one (for example,
a template string with backticks) or a concatenation with the value of
config.sshUser so that the check actually looks for "chown -R 1000:1000
/home/<value>".
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Path: .coderabbit.yaml
Review profile: ASSERTIVE
Plan: Pro Plus
Run ID: 31f8aea1-ac14-4900-af6f-5bb1757163f8
📒 Files selected for processing (16)
packages/app/src/docker-git/frontend-lib/core/command-builders-shared.ts
packages/app/src/docker-git/frontend-lib/core/command-builders.ts
packages/app/src/lib/core/command-builders-shared.ts
packages/app/src/lib/core/command-builders.ts
packages/app/src/lib/core/shell-literals.ts
packages/app/src/lib/core/templates-entrypoint/base.ts
packages/app/src/lib/core/templates/dockerfile.ts
packages/lib/src/core/command-builders-shared.ts
packages/lib/src/core/command-builders.ts
packages/lib/src/core/shell-literals.ts
packages/lib/src/core/templates-entrypoint/base.ts
packages/lib/src/core/templates/dockerfile.ts
packages/lib/tests/core/command-builders.test.ts
packages/lib/tests/core/templates.test.ts
packages/lib/tests/shell/config.test.ts
packages/lib/tests/usecases/apply.test.ts
📜 Review details
⏰ Context from checks skipped due to timeout of 900000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (5)
- GitHub Check: E2E (Clone cache)
- GitHub Check: E2E (OpenCode)
- GitHub Check: E2E (Login context)
- GitHub Check: E2E (Runtime volumes + SSH)
- GitHub Check: E2E (Clone auto-open SSH)
🧰 Additional context used
📓 Path-based instructions (5)
**/*.{ts,tsx}
📄 CodeRabbit inference engine (CLAUDE.md)
Files:
packages/lib/tests/usecases/apply.test.ts
packages/app/src/lib/core/shell-literals.ts
packages/lib/src/core/shell-literals.ts
packages/app/src/lib/core/command-builders.ts
packages/lib/src/core/command-builders.ts
packages/lib/src/core/templates-entrypoint/base.ts
packages/lib/tests/core/command-builders.test.ts
packages/app/src/docker-git/frontend-lib/core/command-builders.ts
packages/lib/tests/shell/config.test.ts
packages/lib/tests/core/templates.test.ts
packages/app/src/lib/core/templates-entrypoint/base.ts
packages/app/src/lib/core/templates/dockerfile.ts
packages/lib/src/core/templates/dockerfile.ts
packages/app/src/lib/core/command-builders-shared.ts
packages/app/src/docker-git/frontend-lib/core/command-builders-shared.ts
packages/lib/src/core/command-builders-shared.ts
**/*.test.{ts,tsx}
📄 CodeRabbit inference engine (CLAUDE.md)
Files:
packages/lib/tests/usecases/apply.test.ts
packages/lib/tests/core/command-builders.test.ts
packages/lib/tests/shell/config.test.ts
packages/lib/tests/core/templates.test.ts
**/*.{ts,tsx,js,jsx}
📄 CodeRabbit inference engine (AGENTS.md)
Files:
packages/lib/tests/usecases/apply.test.ts
packages/app/src/lib/core/shell-literals.ts
packages/lib/src/core/shell-literals.ts
packages/app/src/lib/core/command-builders.ts
packages/lib/src/core/command-builders.ts
packages/lib/src/core/templates-entrypoint/base.ts
packages/lib/tests/core/command-builders.test.ts
packages/app/src/docker-git/frontend-lib/core/command-builders.ts
packages/lib/tests/shell/config.test.ts
packages/lib/tests/core/templates.test.ts
packages/app/src/lib/core/templates-entrypoint/base.ts
packages/app/src/lib/core/templates/dockerfile.ts
packages/lib/src/core/templates/dockerfile.ts
packages/app/src/lib/core/command-builders-shared.ts
packages/app/src/docker-git/frontend-lib/core/command-builders-shared.ts
packages/lib/src/core/command-builders-shared.ts
**/*.{test,spec}.{ts,tsx}
📄 CodeRabbit inference engine (AGENTS.md)
Files:
packages/lib/tests/usecases/apply.test.ts
packages/lib/tests/core/command-builders.test.ts
packages/lib/tests/shell/config.test.ts
packages/lib/tests/core/templates.test.ts
**/*
⚙️ CodeRabbit configuration file
Files:
packages/lib/tests/usecases/apply.test.ts
packages/app/src/lib/core/shell-literals.ts
packages/lib/src/core/shell-literals.ts
packages/app/src/lib/core/command-builders.ts
packages/lib/src/core/command-builders.ts
packages/lib/src/core/templates-entrypoint/base.ts
packages/lib/tests/core/command-builders.test.ts
packages/app/src/docker-git/frontend-lib/core/command-builders.ts
packages/lib/tests/shell/config.test.ts
packages/lib/tests/core/templates.test.ts
packages/app/src/lib/core/templates-entrypoint/base.ts
packages/app/src/lib/core/templates/dockerfile.ts
packages/lib/src/core/templates/dockerfile.ts
packages/app/src/lib/core/command-builders-shared.ts
packages/app/src/docker-git/frontend-lib/core/command-builders-shared.ts
packages/lib/src/core/command-builders-shared.ts
🪛 Checkov (3.2.528)
packages/app/src/lib/core/templates/dockerfile.ts
[low] 31-31: Ensure the base image uses a non latest version tag
(CKV_DOCKER_7)
packages/lib/src/core/templates/dockerfile.ts
[low] 31-31: Ensure the base image uses a non latest version tag
(CKV_DOCKER_7)
🔇 Additional comments (16)
packages/app/src/docker-git/frontend-lib/core/command-builders-shared.ts (1)
4-12: LGTM! Also applies to: 33-44, 47-77, 79-90, 105-116, 131-144
packages/app/src/docker-git/frontend-lib/core/command-builders.ts (1)
6-12: LGTM! Also applies to: 55-55
packages/app/src/lib/core/command-builders-shared.ts (1)
4-12: LGTM! Also applies to: 33-45, 47-77, 79-90, 105-116, 131-144
packages/app/src/lib/core/command-builders.ts (1)
6-12: LGTM! Also applies to: 55-55
packages/lib/src/core/command-builders-shared.ts (1)
3-11: LGTM! Also applies to: 32-44, 46-76, 78-89, 104-115, 130-143
packages/lib/src/core/command-builders.ts (1)
6-12: LGTM! Also applies to: 55-55
packages/lib/tests/core/command-builders.test.ts (1)
1-145: LGTM!
packages/lib/tests/shell/config.test.ts (1)
1-127: LGTM!
packages/lib/src/core/shell-literals.ts (1)
1-22: LGTM!
packages/app/src/lib/core/shell-literals.ts (1)
1-22: LGTM!
packages/app/src/lib/core/templates-entrypoint/base.ts (1)
2-10: LGTM! Also applies to: 18-18
packages/lib/src/core/templates-entrypoint/base.ts (1)
2-10: LGTM! Also applies to: 18-18
packages/lib/src/core/templates/dockerfile.ts (1)
2-2: LGTM! Also applies to: 7-17, 18-34, 216-229, 244-307, 332-356
packages/app/src/lib/core/templates/dockerfile.ts (1)
2-2: LGTM! Also applies to: 7-17, 18-34, 216-229, 244-307, 332-356
packages/lib/tests/usecases/apply.test.ts (1)
194-195: LGTM!
packages/lib/tests/core/templates.test.ts (1)
1-158: LGTM! Also applies to: 162-653
Follow-up CI fix after the new head c537c64:
Pushed ffa9f80:
Validation before push:
@coderabbitai review
I'll review the latest commits now, including the new
✅ Actions performed
Review triggered.
Final status on PR #281 after latest fixes:
The Box-container migration checks are green now.
@coderabbitai review |
✅ Actions performed
Review triggered.
Actionable comments posted: 4
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In `@packages/app/src/lib/core/templates/dockerfile.ts`:
- Around line 336-341: The string comparison between TARGET_DIR and HOME_DIR can
be fooled by trailing slashes (e.g. "/home/user/" vs "/home/user"); normalize
both variables before the conditional chown to ensure exact path equality.
Update the RUN block handling TARGET_DIR and HOME_DIR so you strip any trailing
slashes (e.g., using shell parameter expansion like ${VAR%/}) for both HOME_DIR
and TARGET_DIR before the if test, then keep the existing conditional chown -R
1000:1000 "$TARGET_DIR" only when the normalized TARGET_DIR is neither "/" nor
equal to the normalized HOME_DIR.
In `@packages/app/src/lib/usecases/errors.ts`:
- Around line 92-98: The predicate in isAptInvalidSignatureFailure is too strict
because it requires the exact phrase "apt-get update failed"; relax it by
removing that requirement and instead return true when the normalized details
(from parameter details assigned to variable normalized) contains "invalid
signature" and "repository" and "not signed" (optionally also allow the broader
token "apt" or "apt-get" if you want to keep an explicit apt-related guard).
Update the function isAptInvalidSignatureFailure to use only the looser checks
on normalized so cases missing the exact "apt-get update failed" phrase still
match.
In `@packages/lib/src/core/templates/dockerfile.ts`:
- Around line 336-341: The string comparison of TARGET_DIR and $HOME_DIR can
differ only because of a trailing slash, so normalize the TARGET_DIR path
(strip the trailing slash and, optionally, bring it to canonical form) before
the check in the template condition (in the block where
TARGET_DIR=${targetDirLiteral} is set and if [ "$TARGET_DIR" != "/" ] && [
"$TARGET_DIR" != "$HOME_DIR" ]; then chown -R 1000:1000 "$TARGET_DIR"; fi is evaluated),
so that equivalent paths such as /home/${config.sshUser} and /home/${config.sshUser}/
are treated as the same; update the condition to use the normalized TARGET_DIR
or a comparison without the trailing slash, and add a regression test for a
targetDir with a trailing slash.
In `@packages/lib/tests/usecases/errors.test.ts`:
- Around line 45-62: Add a negative regression test in the same test suite
(packages/lib/tests/usecases/errors.test.ts) that constructs a
DockerCommandError and calls renderError but omits the full combination of apt
failure signatures (e.g., include only "W: GPG error..." or only "E: The
repository ... is not signed." but not both) and assert that the returned
message does NOT contain the disk-pressure hints ("low Docker host disk space",
"df -h", "docker builder prune -af", "docker image prune -af"); use a
descriptive it() name like "does not include disk pressure recovery hint when
apt signature pattern is incomplete" and reuse the existing helpers/constructors
renderError and DockerCommandError to keep the test consistent with the positive
case.
ℹ️ Review info
⚙️ Run configuration
Configuration used: Path: .coderabbit.yaml
Review profile: ASSERTIVE
Plan: Pro Plus
Run ID: 72fc4062-2923-45c9-8379-754f846c8db1
📒 Files selected for processing (6)
- packages/app/src/lib/core/templates/dockerfile.ts
- packages/app/src/lib/usecases/errors.ts
- packages/lib/src/core/templates/dockerfile.ts
- packages/lib/src/usecases/errors.ts
- packages/lib/tests/core/templates.test.ts
- packages/lib/tests/usecases/errors.test.ts
📜 Review details
🧰 Additional context used
📓 Path-based instructions (8)
**/*.{ts,tsx}
📄 CodeRabbit inference engine (CLAUDE.md)
**/*.{ts,tsx}: Implement Functional Core, Imperative Shell (FCIS) pattern: CORE layer contains only pure functions with immutable data and mathematical operations; SHELL layer isolates all effects (IO, network, database). Strict dependency direction: SHELL → CORE (never reverse).
Never use `any`, `unknown`, `eslint-disable`, `ts-ignore`, or `as` type assertions (except in rigorously justified cases with documentation). Always use exhaustive union type analysis through `.exhaustive()` pattern matching.
All external dependencies must be wrapped through typed interfaces and injected via Effect-TS Layer pattern. Never call external services directly from CORE functions.
Use monadic composition with Effect-TS for all effects: `Effect<Success, Error, Requirements>`. Compose effects through `pipe()` and `Effect.flatMap()`. Implement dependency injection via Layer pattern. Handle errors without try/catch blocks.
All functions must be pure in the CORE layer: no side effects (logging, console output, IO operations, mutations). Separate all side effects into the SHELL layer.
Use exhaustive pattern matching with Effect.Match instead of switch statements. Example: `Match.value(item).pipe(Match.when(...), Match.exhaustive)`.
Document all functions with comprehensive TSDoc including: `@pure` (true/false), `@effect` (required services), `@invariant` (mathematical invariants), `@precondition`, `@postcondition`, `@complexity` (time and space), `@throws` Never (errors must be typed in Effect).
Use functional comment markers for code clarity: CHANGE (brief description), WHY (mathematical/architectural justification), QUOTE(ТЗ) (requirement citation), REF (RTM or message ID), SOURCE (external source with quote), FORMAT THEOREM (∀x ∈ Domain: P(x) → Q(f(x))), PURITY (CORE|SHELL), EFFECT (Effect type signature), INVARIANT (mathematical invariant), COMPLEXITY (time/space).
Define all external service dependencies as Context.Tag classes with fully typed methods returning Effect types. Example: `class Da...
Files:
- packages/lib/tests/usecases/errors.test.ts
- packages/app/src/lib/usecases/errors.ts
- packages/lib/src/usecases/errors.ts
- packages/lib/src/core/templates/dockerfile.ts
- packages/app/src/lib/core/templates/dockerfile.ts
- packages/lib/tests/core/templates.test.ts
**/*.test.{ts,tsx}
📄 CodeRabbit inference engine (CLAUDE.md)
**/*.test.{ts,tsx}: Implement property-based testing using fast-check for mathematical properties and invariants. Example: `fc.property(fc.array(messageArbitrary), (messages) => isChronologicallySorted(sortMessagesByTimestamp(messages)))`.
Mock external dependencies in unit tests using Effect's testing utilities. Run tests without Effect runtime for speed. Example: `Effect.provide(MockService)`, `Effect.runPromise`.
Files:
- packages/lib/tests/usecases/errors.test.ts
- packages/lib/tests/core/templates.test.ts
**/*.{ts,tsx,js,jsx}
📄 CodeRabbit inference engine (AGENTS.md)
**/*.{ts,tsx,js,jsx}: Forbidden constructs in CORE code: `any`, `eslint-disable`, `ts-ignore`, `async/await`, raw Promise chains (then/catch), `Promise.all`, `try/catch` for logic control, `console.*`, switch statements (use Match with .exhaustive() instead)
All functions must use Effect-TS for composing effects: `Effect<Success, Error, Requirements>`. No direct async/await, Promise chains, or try/catch in product logic.
Functional comments must include: CHANGE, WHY, QUOTE(ТЗ) or n/a, REF, SOURCE or n/a, FORMAT THEOREM, PURITY (CORE|SHELL), EFFECT signature for SHELL functions, INVARIANT, and COMPLEXITY.
All data mutations must use immutable patterns (ReadonlyArray, readonly properties, Object.freeze); mutation in SHELL only when absolutely necessary and documented.
Files:
- packages/lib/tests/usecases/errors.test.ts
- packages/app/src/lib/usecases/errors.ts
- packages/lib/src/usecases/errors.ts
- packages/lib/src/core/templates/dockerfile.ts
- packages/app/src/lib/core/templates/dockerfile.ts
- packages/lib/tests/core/templates.test.ts
**/*.{test,spec}.{ts,tsx}
📄 CodeRabbit inference engine (AGENTS.md)
Property-based tests (fast-check) must verify mathematical invariants; unit tests must use Effect test utilities without async/await.
Files:
- packages/lib/tests/usecases/errors.test.ts
- packages/lib/tests/core/templates.test.ts
**/*.{sh,bash,py,js,ts,jsx,tsx,go,java,rb,php}
📄 CodeRabbit inference engine (Custom checks)
Fail if changed files introduce command injection or unsafe shell/process execution with user-controlled input
Files:
- packages/lib/tests/usecases/errors.test.ts
- packages/app/src/lib/usecases/errors.ts
- packages/lib/src/usecases/errors.ts
- packages/lib/src/core/templates/dockerfile.ts
- packages/app/src/lib/core/templates/dockerfile.ts
- packages/lib/tests/core/templates.test.ts
**/*.{py,js,ts,jsx,tsx,go,java,rb,php,sh,bash,c,cpp}
📄 CodeRabbit inference engine (Custom checks)
Fail if changed files introduce path traversal or writes outside intended project/container state directories
Files:
- packages/lib/tests/usecases/errors.test.ts
- packages/app/src/lib/usecases/errors.ts
- packages/lib/src/usecases/errors.ts
- packages/lib/src/core/templates/dockerfile.ts
- packages/app/src/lib/core/templates/dockerfile.ts
- packages/lib/tests/core/templates.test.ts
**/*.{js,ts,jsx,tsx,py,java,go,rb,php,sh,bash,yml,yaml,json,env*,toml,cfg,config,dockerfile,dockerignore}
📄 CodeRabbit inference engine (Custom checks)
Fail if changed files expose credentials, tokens, private-keys, or PII in source, generated config, logs, or CI output
Files:
- packages/lib/tests/usecases/errors.test.ts
- packages/app/src/lib/usecases/errors.ts
- packages/lib/src/usecases/errors.ts
- packages/lib/src/core/templates/dockerfile.ts
- packages/app/src/lib/core/templates/dockerfile.ts
- packages/lib/tests/core/templates.test.ts
**/*
⚙️ CodeRabbit configuration file
**/*: You are a strict SPEC DRIVEN DEVELOPMENT reviewer. Before reaching conclusions, study README.md, the other *.md files, linked issues,
the PR description, PR comments/discussion and the relevant code base. Check the changes against the original requirements/spec and the discussion. Flag any departure
from the spec, any undocumented behaviour change, missing tests
for claimed behaviour, and any security risk. If the spec is not visible,
ask the author to add it to the issue or PR description. Check the solution from a formal-verification standpoint: which invariants,
preconditions and postconditions can be proven mathematically, and where provability
is weak. Assess the solution from a game-theory standpoint: are the incentives stable,
is there a profitable way around the rules, and what solution would be stronger.
Files:
- packages/lib/tests/usecases/errors.test.ts
- packages/app/src/lib/usecases/errors.ts
- packages/lib/src/usecases/errors.ts
- packages/lib/src/core/templates/dockerfile.ts
- packages/app/src/lib/core/templates/dockerfile.ts
- packages/lib/tests/core/templates.test.ts
🪛 Checkov (3.2.528)
packages/lib/src/core/templates/dockerfile.ts
[low] 31-31: Ensure the base image uses a non latest version tag
(CKV_DOCKER_7)
packages/app/src/lib/core/templates/dockerfile.ts
[low] 31-31: Ensure the base image uses a non latest version tag
(CKV_DOCKER_7)
🔇 Additional comments (1)
packages/lib/src/usecases/errors.ts (1)
91-97: Duplicate: the same risk of over-narrow classification of the apt failure as in the app version. Apply the same fix here so that the behaviour of
`packages/app` and `packages/lib` does not diverge.
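The two comments above ask for a looser apt-signature predicate. As an added example, not code from docker-git, here is that classification written as POSIX shell functions run over constructed apt output: the predicate requires only the three markers apt itself prints ("invalid signature", "repository", "not signed") and does not require the wrapper phrase "apt-get update failed". The sample messages, the category names and the recovery-hint text are constructed for this example.

```shell
#!/bin/sh
# Added example (not docker-git's code): classify a failed Docker build by the
# apt messages in its output. The predicate keys on the three markers apt itself
# prints for a repository-signature failure and deliberately does NOT require
# the wrapper phrase "apt-get update failed", which only some callers prepend.

# Lower-case the text so the markers match regardless of apt's capitalisation.
normalize_details() {
  printf '%s' "$1" | tr '[:upper:]' '[:lower:]'
}

# 0 (true) when all three markers are present, 1 otherwise.
is_apt_invalid_signature_failure() {
  _n=$(normalize_details "$1")
  case "$_n" in *"invalid signature"*) ;; *) return 1 ;; esac
  case "$_n" in *repository*)          ;; *) return 1 ;; esac
  case "$_n" in *"not signed"*)        ;; *) return 1 ;; esac
  return 0
}

# Map a build failure to a category the caller can turn into a recovery hint.
# A signature failure against an otherwise healthy mirror is a common symptom of
# truncated downloads on a full Docker host, hence the disk-pressure hint below.
classify_docker_build_failure() {
  if is_apt_invalid_signature_failure "$1"; then
    printf 'apt-signature'
  else
    printf 'unknown'
  fi
}

recovery_hint() {
  case "$(classify_docker_build_failure "$1")" in
    apt-signature) printf '%s' 'check low Docker host disk space: df -h; docker builder prune -af; docker image prune -af' ;;
    *)             printf '%s' 'no automated hint' ;;
  esac
}

# Constructed sample outputs, shaped like apt's messages (not captured from a real host).
APT_SIGNATURE_FAILURE='W: GPG error: http://archive.ubuntu.com/ubuntu noble InRelease: At least one invalid signature was encountered.
E: The repository "http://archive.ubuntu.com/ubuntu noble InRelease" is not signed.'
# Only the warning line: no "not signed" verdict, so it must not be classified as a signature failure.
APT_PARTIAL_FAILURE='W: GPG error: http://archive.ubuntu.com/ubuntu noble InRelease: At least one invalid signature was encountered.'

# Stand-alone run: with and without the wrapper prefix, and the partial case.
classify_docker_build_failure "$APT_SIGNATURE_FAILURE"; echo
classify_docker_build_failure "apt-get update failed: $APT_SIGNATURE_FAILURE"; echo
classify_docker_build_failure "$APT_PARTIAL_FAILURE"; echo
```

The negative case (warning line only) is the regression the review asks for: relaxing the predicate must not make it fire on an incomplete pattern, otherwise every transient GPG warning would be reported as disk pressure.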
Summary
Fixes #267.
Switches generated project workspace Dockerfiles from a raw `ubuntu:24.04` base to the shared `konard/box-js:latest` Docker Hub image published by https://github.com/link-foundation/box. The docker-git bootstrap layers, SSH entrypoint, auth bridge, host-Docker-backed runtime contract, and clone/cache orchestration remain owned by docker-git.
Reproduction
Before this change, `renderDockerfile(makeTemplateConfig())` emitted: `FROM ubuntu:24.04` and only knew how to rename an existing `ubuntu` user. That did not satisfy issue #267's requirement to reuse the shared box infrastructure, and it risked duplicate UID-1000 users when a box base already has `/home/box`.
CI then exposed box-specific follow-up invariants:
- `bash -lc` commands sourced `/etc/profile.d/zz-prompt.sh`, and the prompt script touched `/dev/tty` without a controlling TTY.
- `konard/box-js` inherits `HOME=/home/box`, `WORKDIR=/home/box`, and login rc files with absolute `/home/box` references. After renaming `box -> dev`, `docker exec -u dev bash -lc '...'` could still resolve user paths through `/home/box`, and login shells failed on `/home/box/.deno/env`.
- `+refs/*:refs/*`; on public GitHub repositories this enumerated `refs/pull/*` and timed out the login-context E2E after the cache volume was reused by the PR case.
Changes
- `ARG DOCKER_GIT_BASE_IMAGE=konard/box-js:latest` and `FROM ${DOCKER_GIT_BASE_IMAGE}` to generated project Dockerfiles.
- `USER root` before docker-git's apt/tool/bootstrap layers so the existing setup remains valid on top of the box image.
- `box` or `ubuntu` base users to the configured `sshUser` before falling back to user creation.
- `HOME=/home/<sshUser>`, a user-correct PATH, and `WORKDIR /home/<sshUser>`.
- `.profile`, `.bashrc`, `.zshrc`, etc.) from `/home/box` or `/home/ubuntu` to `/home/<sshUser>`.
- `/etc/profile.d/bun.sh` runtime-relative by writing `\$PATH` instead of baking the base image build-time PATH.
- `zz-prompt.sh` inert for non-interactive shells; interactive shells still install prompt/TTY recovery hooks.
- `refs/heads/*` and `refs/tags/*`, so clone-cache reuse does not fetch every GitHub pull-request ref.
- `packages/app/src/lib` for the bundled CLI build.
- `ghcr.io/link-foundation/box:latest` currently fails anonymous pulls with HTTP 401, while Docker Hub is publicly pullable. Registry metadata also shows the full `konard/box:latest` amd64 manifest is about 5.6 GiB compressed, while `konard/box-js:latest` is about 1.6 GiB compressed and still comes from the same shared box infrastructure.
Mathematical Guarantees
Invariants
- `forall config in TemplateConfig: baseImage(renderDockerfile(config)) = ${DOCKER_GIT_BASE_IMAGE}`.
- `forall config in TemplateConfig: sshUser(config) owns /home/sshUser(config)` after the user-normalization block when the base image has `box`, `ubuntu`, or neither.
- `forall config in TemplateConfig: HOME(renderDockerfile(config)) = /home/sshUser(config) and WORKDIR(renderDockerfile(config)) = /home/sshUser(config)`.
- `forall p in loginRc(sshUser): not contains(p, "/home/box") and not contains(p, "/home/ubuntu")` for inherited base-home references covered by the generated rewrite block.
- `forall shell: nonInteractive(shell) -> source(zz-prompt.sh, shell)` produces no prompt mutation and no TTY write.
- `forall r in cloneCacheRefreshRefs: r in refs/heads/* union refs/tags/*`; in particular, `refs/pull/*` is excluded from cache refresh.
- `CORE -> SHELL` boundary is preserved: this change modifies pure template rendering; runtime effects remain in generated shell scripts and Docker execution layers.
Preconditions
- `DOCKER_GIT_BASE_IMAGE` is Debian/Ubuntu-compatible and supports apt-based root setup.
- `/entrypoint.sh`.
Postconditions
- `bash -lc` without prompt/TTY side effects and with `~` and login rc paths resolving into the mounted SSH user home.
Complexity
- `O(1)` time and `O(1)` additional space.
- `O(|all remote refs|)` to `O(|heads| + |tags|)` remote ref enumeration.
Verification
- `bun run --cwd packages/lib test -- tests/core/templates.test.ts`
- `bun run check`
- `bun run test`
- `bun run build`
- `bun run lint`
- `bun run lint:effect`
- `bun run check:dist-deps-prune`
- `git diff --check`
Note: this local runner does not have the `docker` binary installed, so local image build was not run here; Docker/E2E verification is covered by GitHub Actions on PR #281.
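The user-normalization steps in the PR description (conditional ownership of the target directory, rewriting inherited `/home/box` references in login rc files) and the review's trailing-slash remark share one piece of logic, so here is one added example covering both. It is not the Dockerfile template docker-git renders; the fixture root, the user name `dev` and the rc contents are constructed for this example.

```shell
#!/bin/sh
# Added example, not the Dockerfile template that docker-git renders: the
# user-home normalization steps from the PR description (conditional chown of
# the target dir, rewrite of inherited /home/box references in login rc files),
# including the trailing-slash normalization the review asked for. The fixture
# root, the user name "dev" and the rc contents below are constructed.

# Strip trailing slashes so "/home/dev/" and "/home/dev" compare equal;
# "/" itself is left untouched.
normalize_path() {
  _p=$1
  while [ "${#_p}" -gt 1 ] && [ "${_p%/}" != "$_p" ]; do
    _p=${_p%/}
  done
  printf '%s' "$_p"
}

# Guard for the template's `chown -R 1000:1000 "$TARGET_DIR"`: returns 0
# (chown) only when the normalized target is neither "/" nor the SSH user's
# home, which is owned separately. Without normalization "/home/dev/" would
# slip past a plain string comparison with "/home/dev".
should_chown_target() {
  _t=$(normalize_path "$1")
  _h=$(normalize_path "$2")
  [ "$_t" != "/" ] && [ "$_t" != "$_h" ]
}

# rewrite_home_references OLD_HOME NEW_HOME [RC_DIR]
# Rewrite absolute references to an inherited base home (e.g. /home/box) in
# .profile/.bashrc/.zshrc under RC_DIR (default NEW_HOME). The old path must
# end at a word boundary, so /home/boxer is not turned into /home/dever.
rewrite_home_references() {
  _old=$1
  _new=$2
  _dir=${3:-$2}
  for _rc in .profile .bashrc .zshrc; do
    _f="$_dir/$_rc"
    [ -f "$_f" ] || continue
    sed -E "s#${_old}([^[:alnum:]_.-]|\$)#${_new}\\1#g" "$_f" > "$_f.tmp" && mv "$_f.tmp" "$_f"
  done
}

# Stand-alone demo of the chown guard against a few candidate target dirs.
for _cand in /srv/workspace /home/dev/project /home/dev/ / ///; do
  if should_chown_target "$_cand" /home/dev; then echo "chown  $_cand"; else echo "skip   $_cand"; fi
done
```

In a Dockerfile RUN block the same guard reads `TARGET_DIR=${TARGET_DIR%/}; HOME_DIR=${HOME_DIR%/}` before the `if`; the function form above is what a regression test for the trailing-slash case can call directly. The rc rewrite deliberately anchors the old path at a boundary: a bare `s|/home/box|/home/dev|g` would also rewrite `/home/boxer`.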
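The PR description's point that `zz-prompt.sh` must be inert for `bash -lc` comes down to two checks a profile.d script can make before touching the prompt or `/dev/tty`. This added example, not docker-git's own `zz-prompt.sh`, shows them as functions; the decision takes the shell flags and TTY state as arguments so it can be exercised outside a real login, and the probes show how a script obtains those values for itself.

```shell
#!/bin/sh
# Added example (not docker-git's zz-prompt.sh): the guard a /etc/profile.d
# prompt script needs so that `bash -lc '...'` (no interactive flag, no
# controlling TTY) sources it without prompt changes or /dev/tty writes.
# The decision takes the shell flags and TTY state as arguments so it can be
# exercised without a real login; the probes below are how a script would
# obtain them for itself.

# "$-" holds the current shell's option letters; "i" marks an interactive shell.
shell_is_interactive() {
  case "$1" in *i*) return 0 ;; *) return 1 ;; esac
}

# `test -w /dev/tty` only checks permissions; without a controlling terminal
# the open itself fails (ENXIO), so probe by actually opening it.
has_controlling_tty() {
  ( : </dev/tty ) 2>/dev/null
}

# should_install_prompt_hooks FLAGS HAS_TTY   (HAS_TTY is "yes" or "no")
# 0 only for an interactive shell that also has a controlling terminal.
should_install_prompt_hooks() {
  shell_is_interactive "$1" || return 1
  [ "$2" = yes ]
}

# What the top of a guarded prompt script does: return the PS1 it would export,
# or nothing at all for a non-interactive shell.
guarded_prompt_setup() {
  if should_install_prompt_hooks "$1" "$2"; then
    printf '%s' '\u@\h:\w\$ '
  fi
}

# Stand-alone run: decide for this very shell.
if has_controlling_tty; then _tty=yes; else _tty=no; fi
printf 'flags=%s tty=%s -> ' "$-" "$_tty"
if should_install_prompt_hooks "$-" "$_tty"; then echo "install hooks"; else echo "stay inert"; fi
```

Inside a sourced profile.d script the first line would be `should_install_prompt_hooks "$-" "$(has_controlling_tty && echo yes || echo no)" || return 0`, so `docker exec -u dev bash -lc '...'` returns before any prompt or TTY code runs, while an SSH login shell (flags containing `i`, `/dev/tty` openable) proceeds as before.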