singularity/singularity-forge
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions 1
singularity-forge/docker/Dockerfile.sandbox

44 lines
1.5 KiB
Text
Raw Permalink Normal View History

feat(docker): add official Docker sandbox template for isolated GSD auto mode (#2360) Ship a Dockerfile.sandbox, docker-compose.yml, .env.example, and docs so users can run GSD auto mode inside an isolated Docker sandbox (MicroVM) without risk to the host filesystem, SSH keys, or other projects. - Dockerfile.sandbox: Node 22 base, gsd-pi pre-installed, non-root user, port 3000 - docker-compose.yml: workspace volume mount, persistent .gsd state, env_file support - .env.example: template for LLM provider keys and optional tool credentials - docker/README.md: setup guide covering sandbox CLI, Compose, two-terminal workflow, credential injection, and network allowlisting - .dockerignore: project-root ignore file for efficient Docker builds - src/tests/docker-template.test.ts: 13 structural tests verifying all template files Fixes #1544 Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-24 15:57:59 -04:00
# ──────────────────────────────────────────────
chore: sync workspace state after rebrand - Rebrand commits already in history (gsd → forge) - Sync pre-existing doc, docker, and CI config updates - All rebrand artifacts verified in place: * Native crates: forge-engine, forge-ast, forge-grep * Log prefixes: [forge] across 22+ files * Binary: ~/bin/sf-run * Workspace scopes: @sf-run/*, @singularity-forge/* * Nix flake: Rust toolchain ready System ready for: nix develop && bun run build:native Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-15 14:54:20 +02:00
# SF Docker Sandbox Template
feat(docker): add official Docker sandbox template for isolated GSD auto mode (#2360) Ship a Dockerfile.sandbox, docker-compose.yml, .env.example, and docs so users can run GSD auto mode inside an isolated Docker sandbox (MicroVM) without risk to the host filesystem, SSH keys, or other projects. - Dockerfile.sandbox: Node 22 base, gsd-pi pre-installed, non-root user, port 3000 - docker-compose.yml: workspace volume mount, persistent .gsd state, env_file support - .env.example: template for LLM provider keys and optional tool credentials - docker/README.md: setup guide covering sandbox CLI, Compose, two-terminal workflow, credential injection, and network allowlisting - .dockerignore: project-root ignore file for efficient Docker builds - src/tests/docker-template.test.ts: 13 structural tests verifying all template files Fixes #1544 Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-24 15:57:59 -04:00
# Base: docker/sandbox-templates:shell
chore: sync workspace state after rebrand - Rebrand commits already in history (gsd → forge) - Sync pre-existing doc, docker, and CI config updates - All rebrand artifacts verified in place: * Native crates: forge-engine, forge-ast, forge-grep * Log prefixes: [forge] across 22+ files * Binary: ~/bin/sf-run * Workspace scopes: @sf-run/*, @singularity-forge/* * Nix flake: Rust toolchain ready System ready for: nix develop && bun run build:native Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-15 14:54:20 +02:00
# Purpose: Isolated environment for SF auto mode
feat(docker): add official Docker sandbox template for isolated GSD auto mode (#2360) Ship a Dockerfile.sandbox, docker-compose.yml, .env.example, and docs so users can run GSD auto mode inside an isolated Docker sandbox (MicroVM) without risk to the host filesystem, SSH keys, or other projects. - Dockerfile.sandbox: Node 22 base, gsd-pi pre-installed, non-root user, port 3000 - docker-compose.yml: workspace volume mount, persistent .gsd state, env_file support - .env.example: template for LLM provider keys and optional tool credentials - docker/README.md: setup guide covering sandbox CLI, Compose, two-terminal workflow, credential injection, and network allowlisting - .dockerignore: project-root ignore file for efficient Docker builds - src/tests/docker-template.test.ts: 13 structural tests verifying all template files Fixes #1544 Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-24 15:57:59 -04:00
# Usage: docker sandbox create --template ./docker
# ──────────────────────────────────────────────
feat(sf): align node sqlite uok runtime
2026-05-08 02:52:05 +02:00
FROM node:26-bookworm-slim
feat(docker): add official Docker sandbox template for isolated GSD auto mode (#2360) Ship a Dockerfile.sandbox, docker-compose.yml, .env.example, and docs so users can run GSD auto mode inside an isolated Docker sandbox (MicroVM) without risk to the host filesystem, SSH keys, or other projects. - Dockerfile.sandbox: Node 22 base, gsd-pi pre-installed, non-root user, port 3000 - docker-compose.yml: workspace volume mount, persistent .gsd state, env_file support - .env.example: template for LLM provider keys and optional tool credentials - docker/README.md: setup guide covering sandbox CLI, Compose, two-terminal workflow, credential injection, and network allowlisting - .dockerignore: project-root ignore file for efficient Docker builds - src/tests/docker-template.test.ts: 13 structural tests verifying all template files Fixes #1544 Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-24 15:57:59 -04:00
chore: sync workspace state after rebrand - Rebrand commits already in history (gsd → forge) - Sync pre-existing doc, docker, and CI config updates - All rebrand artifacts verified in place: * Native crates: forge-engine, forge-ast, forge-grep * Log prefixes: [forge] across 22+ files * Binary: ~/bin/sf-run * Workspace scopes: @sf-run/*, @singularity-forge/* * Nix flake: Rust toolchain ready System ready for: nix develop && bun run build:native Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-15 14:54:20 +02:00
# System dependencies required by SF
feat(docker): add official Docker sandbox template for isolated GSD auto mode (#2360) Ship a Dockerfile.sandbox, docker-compose.yml, .env.example, and docs so users can run GSD auto mode inside an isolated Docker sandbox (MicroVM) without risk to the host filesystem, SSH keys, or other projects. - Dockerfile.sandbox: Node 22 base, gsd-pi pre-installed, non-root user, port 3000 - docker-compose.yml: workspace volume mount, persistent .gsd state, env_file support - .env.example: template for LLM provider keys and optional tool credentials - docker/README.md: setup guide covering sandbox CLI, Compose, two-terminal workflow, credential injection, and network allowlisting - .dockerignore: project-root ignore file for efficient Docker builds - src/tests/docker-template.test.ts: 13 structural tests verifying all template files Fixes #1544 Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-24 15:57:59 -04:00
RUN apt-get update && apt-get install -y --no-install-recommends \
git \
curl \
ca-certificates \
openssh-client \
fix(docker): overhaul fragile setup, adopt proven container patterns (#2716) Split fake multi-stage Dockerfile into independent CI builder and runtime images. Add proper entrypoint with UID/GID remapping via PUID/PGID, sentinel-based first-boot bootstrap, pre-creation of critical file targets, and signal-forwarding privilege drop via gosu. Standardize on Node 24, split compose into minimal + full reference. Closes #9
2026-03-26 18:10:49 -04:00
gosu \
feat: implement 3 quick wins for SF self-evolution Quick Win 1: Close Self-Report Feedback Loop [9/10 impact] - Added self-report-fixer.js module with automatic fix classification - Pattern-based detection for high-confidence fixes (e.g., prompt rubrics) - Deduplication and severity-based categorization of reports - Designed for extension into triage-self-feedback pipeline Quick Win 2: Activate Continuous Model Learning [8/10 impact] - Added model-learner.js with ModelPerformanceTracker class - Per-task-type tracking: success rate, latency, cost, token efficiency - Auto-demotion for models failing >50% on specific task types - A/B testing infrastructure for hypothesis testing on low-risk tasks - Failure analysis with pattern detection (e.g., timeouts, quality issues) - Storage: .sf/model-performance.json, .sf/model-failure-log.jsonl Quick Win 3: Automate Knowledge Injection [7/10 impact] - Added knowledge-injector.js with semantic similarity scoring - Integrated into auto-prompts.js for execute-task prompts - queryKnowledge already exists in context-store.js (60% done) - Enhanced with: semantic matching, confidence filtering, contradiction detection - Tracks knowledge usage for feedback loop Integration: - Modified auto-prompts.js to inject knowledge via knowledgeInjection variable - Added getKnowledgeInjection helper for graceful degradation - All new modules pass build check and are in dist/ Status: Core infrastructure in place; ready for integration into dispatch loop. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
2026-05-06 22:01:37 +02:00
libsecret-1-0 \
feat(docker): add official Docker sandbox template for isolated GSD auto mode (#2360) Ship a Dockerfile.sandbox, docker-compose.yml, .env.example, and docs so users can run GSD auto mode inside an isolated Docker sandbox (MicroVM) without risk to the host filesystem, SSH keys, or other projects. - Dockerfile.sandbox: Node 22 base, gsd-pi pre-installed, non-root user, port 3000 - docker-compose.yml: workspace volume mount, persistent .gsd state, env_file support - .env.example: template for LLM provider keys and optional tool credentials - docker/README.md: setup guide covering sandbox CLI, Compose, two-terminal workflow, credential injection, and network allowlisting - .dockerignore: project-root ignore file for efficient Docker builds - src/tests/docker-template.test.ts: 13 structural tests verifying all template files Fixes #1544 Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-24 15:57:59 -04:00
&& rm -rf /var/lib/apt/lists/*
chore: sync workspace state after rebrand - Rebrand commits already in history (gsd → forge) - Sync pre-existing doc, docker, and CI config updates - All rebrand artifacts verified in place: * Native crates: forge-engine, forge-ast, forge-grep * Log prefixes: [forge] across 22+ files * Binary: ~/bin/sf-run * Workspace scopes: @sf-run/*, @singularity-forge/* * Nix flake: Rust toolchain ready System ready for: nix develop && bun run build:native Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-15 14:54:20 +02:00
# Install SF globally — version controlled via build arg
ARG SF_VERSION=latest
fix: clean provider surfaces and core build
2026-05-05 16:31:53 +02:00
RUN npm install -g singularity-forge@${SF_VERSION}
feat(docker): add official Docker sandbox template for isolated GSD auto mode (#2360) Ship a Dockerfile.sandbox, docker-compose.yml, .env.example, and docs so users can run GSD auto mode inside an isolated Docker sandbox (MicroVM) without risk to the host filesystem, SSH keys, or other projects. - Dockerfile.sandbox: Node 22 base, gsd-pi pre-installed, non-root user, port 3000 - docker-compose.yml: workspace volume mount, persistent .gsd state, env_file support - .env.example: template for LLM provider keys and optional tool credentials - docker/README.md: setup guide covering sandbox CLI, Compose, two-terminal workflow, credential injection, and network allowlisting - .dockerignore: project-root ignore file for efficient Docker builds - src/tests/docker-template.test.ts: 13 structural tests verifying all template files Fixes #1544 Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-24 15:57:59 -04:00
# Create non-root user for sandbox isolation
Rename GSD→SF: complete rebrand from fork origin - All gsdDir/gsdRoot/gsdHome → sfDir/sfRootDir/sfHome - GSDWorkspace* → SFWorkspace* interfaces - bootstrapGsdProject → bootstrapProject - runGSDDoctor → runSFDoctor - GsdClient → SfClient, gsd-client.ts → sf-client.ts - .gsd/ → .sf/ in all tests, docs, docker, native, vscode - Auto-migration: headless detects .gsd/ → renames to .sf/ - Deleted gsd-phase-state.ts backward-compat re-export - Renamed bin/gsd-from-source → bin/sf-from-source - Updated mintlify docs, github workflows, docker configs
2026-04-15 18:33:47 +02:00
RUN groupadd --gid 1000 sf \
&& useradd --uid 1000 --gid sf --shell /bin/bash --create-home sf
feat(docker): add official Docker sandbox template for isolated GSD auto mode (#2360) Ship a Dockerfile.sandbox, docker-compose.yml, .env.example, and docs so users can run GSD auto mode inside an isolated Docker sandbox (MicroVM) without risk to the host filesystem, SSH keys, or other projects. - Dockerfile.sandbox: Node 22 base, gsd-pi pre-installed, non-root user, port 3000 - docker-compose.yml: workspace volume mount, persistent .gsd state, env_file support - .env.example: template for LLM provider keys and optional tool credentials - docker/README.md: setup guide covering sandbox CLI, Compose, two-terminal workflow, credential injection, and network allowlisting - .dockerignore: project-root ignore file for efficient Docker builds - src/tests/docker-template.test.ts: 13 structural tests verifying all template files Fixes #1544 Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-24 15:57:59 -04:00
chore: sync workspace state after rebrand - Rebrand commits already in history (gsd → forge) - Sync pre-existing doc, docker, and CI config updates - All rebrand artifacts verified in place: * Native crates: forge-engine, forge-ast, forge-grep * Log prefixes: [forge] across 22+ files * Binary: ~/bin/sf-run * Workspace scopes: @sf-run/*, @singularity-forge/* * Nix flake: Rust toolchain ready System ready for: nix develop && bun run build:native Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-15 14:54:20 +02:00
# Persistent SF state directory
Rename GSD→SF: complete rebrand from fork origin - All gsdDir/gsdRoot/gsdHome → sfDir/sfRootDir/sfHome - GSDWorkspace* → SFWorkspace* interfaces - bootstrapGsdProject → bootstrapProject - runGSDDoctor → runSFDoctor - GsdClient → SfClient, gsd-client.ts → sf-client.ts - .gsd/ → .sf/ in all tests, docs, docker, native, vscode - Auto-migration: headless detects .gsd/ → renames to .sf/ - Deleted gsd-phase-state.ts backward-compat re-export - Renamed bin/gsd-from-source → bin/sf-from-source - Updated mintlify docs, github workflows, docker configs
2026-04-15 18:33:47 +02:00
RUN mkdir -p /home/sf/.sf && chown -R sf:sf /home/sf/.sf
feat(docker): add official Docker sandbox template for isolated GSD auto mode (#2360) Ship a Dockerfile.sandbox, docker-compose.yml, .env.example, and docs so users can run GSD auto mode inside an isolated Docker sandbox (MicroVM) without risk to the host filesystem, SSH keys, or other projects. - Dockerfile.sandbox: Node 22 base, gsd-pi pre-installed, non-root user, port 3000 - docker-compose.yml: workspace volume mount, persistent .gsd state, env_file support - .env.example: template for LLM provider keys and optional tool credentials - docker/README.md: setup guide covering sandbox CLI, Compose, two-terminal workflow, credential injection, and network allowlisting - .dockerignore: project-root ignore file for efficient Docker builds - src/tests/docker-template.test.ts: 13 structural tests verifying all template files Fixes #1544 Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-24 15:57:59 -04:00
# Workspace directory — synced from host via Docker sandbox
WORKDIR /workspace
Rename GSD→SF: complete rebrand from fork origin - All gsdDir/gsdRoot/gsdHome → sfDir/sfRootDir/sfHome - GSDWorkspace* → SFWorkspace* interfaces - bootstrapGsdProject → bootstrapProject - runGSDDoctor → runSFDoctor - GsdClient → SfClient, gsd-client.ts → sf-client.ts - .gsd/ → .sf/ in all tests, docs, docker, native, vscode - Auto-migration: headless detects .gsd/ → renames to .sf/ - Deleted gsd-phase-state.ts backward-compat re-export - Renamed bin/gsd-from-source → bin/sf-from-source - Updated mintlify docs, github workflows, docker configs
2026-04-15 18:33:47 +02:00
RUN chown sf:sf /workspace
feat(docker): add official Docker sandbox template for isolated GSD auto mode (#2360) Ship a Dockerfile.sandbox, docker-compose.yml, .env.example, and docs so users can run GSD auto mode inside an isolated Docker sandbox (MicroVM) without risk to the host filesystem, SSH keys, or other projects. - Dockerfile.sandbox: Node 22 base, gsd-pi pre-installed, non-root user, port 3000 - docker-compose.yml: workspace volume mount, persistent .gsd state, env_file support - .env.example: template for LLM provider keys and optional tool credentials - docker/README.md: setup guide covering sandbox CLI, Compose, two-terminal workflow, credential injection, and network allowlisting - .dockerignore: project-root ignore file for efficient Docker builds - src/tests/docker-template.test.ts: 13 structural tests verifying all template files Fixes #1544 Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-24 15:57:59 -04:00
Rename GSD→SF: complete rebrand from fork origin - All gsdDir/gsdRoot/gsdHome → sfDir/sfRootDir/sfHome - GSDWorkspace* → SFWorkspace* interfaces - bootstrapGsdProject → bootstrapProject - runGSDDoctor → runSFDoctor - GsdClient → SfClient, gsd-client.ts → sf-client.ts - .gsd/ → .sf/ in all tests, docs, docker, native, vscode - Auto-migration: headless detects .gsd/ → renames to .sf/ - Deleted gsd-phase-state.ts backward-compat re-export - Renamed bin/gsd-from-source → bin/sf-from-source - Updated mintlify docs, github workflows, docker configs
2026-04-15 18:33:47 +02:00
# Entrypoint handles UID/GID remapping, bootstrap, and drops to sf user
fix(docker): overhaul fragile setup, adopt proven container patterns (#2716) Split fake multi-stage Dockerfile into independent CI builder and runtime images. Add proper entrypoint with UID/GID remapping via PUID/PGID, sentinel-based first-boot bootstrap, pre-creation of critical file targets, and signal-forwarding privilege drop via gosu. Standardize on Node 24, split compose into minimal + full reference. Closes #9
2026-03-26 18:10:49 -04:00
COPY entrypoint.sh /usr/local/bin/entrypoint.sh
COPY bootstrap.sh /usr/local/bin/bootstrap.sh
RUN chmod +x /usr/local/bin/entrypoint.sh /usr/local/bin/bootstrap.sh
feat(docker): add official Docker sandbox template for isolated GSD auto mode (#2360) Ship a Dockerfile.sandbox, docker-compose.yml, .env.example, and docs so users can run GSD auto mode inside an isolated Docker sandbox (MicroVM) without risk to the host filesystem, SSH keys, or other projects. - Dockerfile.sandbox: Node 22 base, gsd-pi pre-installed, non-root user, port 3000 - docker-compose.yml: workspace volume mount, persistent .gsd state, env_file support - .env.example: template for LLM provider keys and optional tool credentials - docker/README.md: setup guide covering sandbox CLI, Compose, two-terminal workflow, credential injection, and network allowlisting - .dockerignore: project-root ignore file for efficient Docker builds - src/tests/docker-template.test.ts: 13 structural tests verifying all template files Fixes #1544 Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-24 15:57:59 -04:00
chore: sync workspace state after rebrand - Rebrand commits already in history (gsd → forge) - Sync pre-existing doc, docker, and CI config updates - All rebrand artifacts verified in place: * Native crates: forge-engine, forge-ast, forge-grep * Log prefixes: [forge] across 22+ files * Binary: ~/bin/sf-run * Workspace scopes: @sf-run/*, @singularity-forge/* * Nix flake: Rust toolchain ready System ready for: nix develop && bun run build:native Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-15 14:54:20 +02:00
# Expose default SF web UI port
feat(docker): add official Docker sandbox template for isolated GSD auto mode (#2360) Ship a Dockerfile.sandbox, docker-compose.yml, .env.example, and docs so users can run GSD auto mode inside an isolated Docker sandbox (MicroVM) without risk to the host filesystem, SSH keys, or other projects. - Dockerfile.sandbox: Node 22 base, gsd-pi pre-installed, non-root user, port 3000 - docker-compose.yml: workspace volume mount, persistent .gsd state, env_file support - .env.example: template for LLM provider keys and optional tool credentials - docker/README.md: setup guide covering sandbox CLI, Compose, two-terminal workflow, credential injection, and network allowlisting - .dockerignore: project-root ignore file for efficient Docker builds - src/tests/docker-template.test.ts: 13 structural tests verifying all template files Fixes #1544 Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-24 15:57:59 -04:00
EXPOSE 3000
fix(docker): overhaul fragile setup, adopt proven container patterns (#2716) Split fake multi-stage Dockerfile into independent CI builder and runtime images. Add proper entrypoint with UID/GID remapping via PUID/PGID, sentinel-based first-boot bootstrap, pre-creation of critical file targets, and signal-forwarding privilege drop via gosu. Standardize on Node 24, split compose into minimal + full reference. Closes #9
2026-03-26 18:10:49 -04:00
ENTRYPOINT ["/usr/local/bin/entrypoint.sh"]
Rename GSD→SF: complete rebrand from fork origin - All gsdDir/gsdRoot/gsdHome → sfDir/sfRootDir/sfHome - GSDWorkspace* → SFWorkspace* interfaces - bootstrapGsdProject → bootstrapProject - runGSDDoctor → runSFDoctor - GsdClient → SfClient, gsd-client.ts → sf-client.ts - .gsd/ → .sf/ in all tests, docs, docker, native, vscode - Auto-migration: headless detects .gsd/ → renames to .sf/ - Deleted gsd-phase-state.ts backward-compat re-export - Renamed bin/gsd-from-source → bin/sf-from-source - Updated mintlify docs, github workflows, docker configs
2026-04-15 18:33:47 +02:00
CMD ["sf", "--help"]
Reference in a new issue Copy permalink