test(shell): cover controller compose preparation

Author: rikohomeless

docker-compose.api.yml

@@ -37,7 +37,7 @@ services:
       - docker_git_projects:${DOCKER_GIT_PROJECTS_ROOT:-/home/dev/.docker-git}
       - docker_git_docker_data:/var/lib/docker
       - /var/run/docker.sock:/var/run/docker.sock
-    privileged: true
+    privileged: ${DOCKER_GIT_CONTROLLER_PRIVILEGED:-false}
     cgroup: host
     init: true
     restart: unless-stopped

docker-compose.yml

@@ -37,7 +37,7 @@ services:
       - docker_git_projects:${DOCKER_GIT_PROJECTS_ROOT:-/home/dev/.docker-git}
       - docker_git_docker_data:/var/lib/docker
       - /var/run/docker.sock:/var/run/docker.sock
-    privileged: true
+    privileged: ${DOCKER_GIT_CONTROLLER_PRIVILEGED:-false}
     cgroup: host
     init: true
     restart: unless-stopped

packages/api/README.md

@@ -11,11 +11,18 @@ This is now the intended controller plane:
 
 ## Runtime contract: host-Docker-backed
 
-`docker-git` is host-Docker-backed, not isolated. The controller container
-created from this package binds the host socket
+`docker-git` is host-Docker-backed by default. The primary controller
+container created from this package binds the host socket
 (`/var/run/docker.sock:/var/run/docker.sock`, see `docker-compose.yml`) and
-uses it to spawn per-project containers. There is no Docker-in-Docker
-runtime; the daemon is always the host's daemon.
+uses it to spawn per-project containers. `DOCKER_GIT_DOCKER_RUNTIME=isolated`
+is an opt-in fallback for environments that explicitly require an embedded
+controller daemon.
+
+Security note: binding `/var/run/docker.sock` gives the controller container
+root-equivalent control over the host Docker daemon, including the ability to
+create containers and mount host paths. This is an intended trade-off for the
+host-backed architecture; run the controller only in trusted environments and
+review the threat model before exposing the API.
 
 The host CLI (`packages/app`) also talks to that same daemon directly when
 it bootstraps the controller. Three failure modes look identical at first
@@ -61,8 +68,9 @@ Optional env:
 
 - `DOCKER_GIT_API_BIND_HOST` (default: `127.0.0.1`)
 - `DOCKER_GIT_API_PORT` (default: `3334`)
-- `DOCKER_GIT_DOCKER_RUNTIME` (default: `host`; set to `isolated` to use an embedded controller daemon)
+- `DOCKER_GIT_DOCKER_RUNTIME` (default: `host`; set to `isolated` as an optional fallback to use an embedded controller daemon)
 - `DOCKER_GIT_CONTROLLER_DOCKER_HOST` (default: `unix:///var/run/docker.sock`; socket path inside the controller)
+- `DOCKER_GIT_CONTROLLER_PRIVILEGED` (default: `false`; set to `true` only when using `DOCKER_GIT_DOCKER_RUNTIME=isolated`)
 - `DOCKER_GIT_DOCKERD_TCP_HOST` (default: `tcp://0.0.0.0:2375`; reachable only inside Docker networks unless explicitly published)
 - `DOCKER_GIT_DOCKERD_DEFAULT_CGROUPNS_MODE` (default: `host`; keeps nested project containers compatible with cgroup v2 DinD)
 - `DOCKER_GIT_PROJECT_DOCKER_HOST` (default: empty; unset uses host socket in project containers when mounted)

packages/app/src/docker-git/controller-compose.ts

@@ -2,7 +2,7 @@ import type * as CommandExecutor from "@effect/platform/CommandExecutor"
 import type { PlatformError } from "@effect/platform/Error"
 import * as FileSystem from "@effect/platform/FileSystem"
 import * as Path from "@effect/platform/Path"
-import { Effect } from "effect"
+import { Duration, Effect } from "effect"
 
 import { computeLocalControllerRevision, controllerRevisionEnvKey } from "./controller-revision.js"
 import { runCommandWithCapturedOutput } from "./frontend-lib/shell/command-runner.js"
@@ -97,6 +97,7 @@ const skillerSubmoduleCommand = [
   "--checkout",
   skillerSubmodulePath
 ]
+const skillerSubmoduleInitTimeout = Duration.seconds(60)
 
 const formatSkillerSubmoduleFailure = (rootDir: string, exitCode: number, output: string): ControllerBootstrapError =>
   controllerBootstrapError(
@@ -121,6 +122,18 @@ const runSkillerSubmoduleInit = (
     [0],
     (exitCode, output) => formatSkillerSubmoduleFailure(rootDir, exitCode, output)
   ).pipe(
+    Effect.timeoutFail({
+      duration: skillerSubmoduleInitTimeout,
+      onTimeout: () =>
+        controllerBootstrapError(
+          [
+            "Timed out while initializing Skiller submodule before building docker-git controller.",
+            `Command: git ${skillerSubmoduleCommand.join(" ")}`,
+            `Working directory: ${rootDir}`,
+            "Timeout: 60 seconds"
+          ].join("\n")
+        )
+    }),
     Effect.mapError((error): ControllerBootstrapError =>
       error._tag === "ControllerBootstrapError"
         ? error

packages/app/tests/docker-git/controller-compose.test.ts

@@ -0,0 +1,206 @@
+import { NodeContext } from "@effect/platform-node"
+import * as FileSystem from "@effect/platform/FileSystem"
+import * as Path from "@effect/platform/Path"
+import { describe, expect, it } from "@effect/vitest"
+import { Effect } from "effect"
+import * as fc from "fast-check"
+
+import {
+  controllerBuildSkillerEnvKey,
+  controllerGpuModeEnvKey,
+  ensureSkillerSubmoduleInitialized,
+  prepareControllerRevision
+} from "../../src/docker-git/controller-compose.js"
+import { controllerRevisionEnvKey } from "../../src/docker-git/controller-revision.js"
+import { commandExecutorLayer } from "./fixtures/command-executor.js"
+
+const expectedSkillerSubmoduleCommand =
+  "git submodule update --init --checkout third_party/skiller-desktop-skills-manager"
+const skillerPackageRelativePath = "third_party/skiller-desktop-skills-manager/package.json"
+
+const temporaryControllerRoot = Effect.gen(function*(_) {
+  const fs = yield* _(FileSystem.FileSystem)
+  return yield* _(fs.makeTempDirectoryScoped({ prefix: "docker-git-controller-compose-" }))
+})
+
+const writeRootFile = (
+  rootDir: string,
+  relativePath: string,
+  contents: string
+) =>
+  Effect.all({
+    fs: FileSystem.FileSystem,
+    path: Path.Path
+  }).pipe(
+    Effect.flatMap(({ fs, path }) => {
+      const absolutePath = path.join(rootDir, relativePath)
+      return fs.makeDirectory(path.dirname(absolutePath), { recursive: true }).pipe(
+        Effect.zipRight(fs.writeFileString(absolutePath, contents))
+      )
+    })
+  )
+
+const writeMinimalCompose = (rootDir: string) =>
+  writeRootFile(rootDir, "docker-compose.yml", "services:\n  api:\n    image: docker-git-api\n")
+
+const writeSkillerPackage = (rootDir: string) =>
+  writeRootFile(rootDir, skillerPackageRelativePath, "{\"name\":\"skiller-desktop-skills-manager\"}\n")
+
+const withWorkingDirectory = (nextCwd: string) =>
+  Effect.acquireRelease(
+    Effect.sync(() => {
+      const previousCwd = process.cwd()
+      process.chdir(nextCwd)
+      return previousCwd
+    }),
+    (previousCwd) =>
+      Effect.sync(() => {
+        process.chdir(previousCwd)
+      })
+  )
+
+const setOptionalEnv = (key: string, value: string | undefined): void => {
+  if (value === undefined) {
+    Reflect.deleteProperty(process.env, key)
+    return
+  }
+  process.env[key] = value
+}
+
+const withControllerEnv = (entries: ReadonlyArray<readonly [string, string | undefined]>) =>
+  Effect.acquireRelease(
+    Effect.sync(() => {
+      const previousEntries: Array<readonly [string, string | undefined]> = entries.map(([
+        key
+      ]) => [key, process.env[key]])
+      for (const [key, value] of entries) {
+        setOptionalEnv(key, value)
+      }
+      return previousEntries
+    }),
+    (previousEntries) =>
+      Effect.sync(() => {
+        for (const [key, value] of previousEntries) {
+          setOptionalEnv(key, value)
+        }
+      })
+  )
+
+type PreparedRevision = {
+  readonly persistedRevision: string | undefined
+  readonly revision: string
+}
+
+type ControllerBuildSkillerFixtureMode = "0" | "1" | undefined
+
+type PrepareRevisionFixture = {
+  readonly buildSkillerMode: ControllerBuildSkillerFixtureMode
+  readonly includeSkillerPackage: boolean
+}
+
+const controllerBuildSkillerFixtureModeArbitrary = fc.constantFrom<ControllerBuildSkillerFixtureMode>(
+  undefined,
+  "0",
+  "1"
+)
+const prepareRevisionFixtureArbitrary: fc.Arbitrary<PrepareRevisionFixture> = fc
+  .record({
+    buildSkillerMode: controllerBuildSkillerFixtureModeArbitrary,
+    includeSkillerPackage: fc.boolean()
+  })
+  .filter(({ buildSkillerMode, includeSkillerPackage }) => buildSkillerMode === "0" || includeSkillerPackage)
+const controllerRevisionPattern = /^[a-f0-9]{16}-none-skiller[01]$/u
+
+const prepareRevisionInTemporaryRoot = ({
+  buildSkillerMode,
+  includeSkillerPackage
+}: PrepareRevisionFixture) =>
+  Effect.scoped(
+    Effect.gen(function*(_) {
+      const rootDir = yield* _(temporaryControllerRoot)
+      yield* _(writeMinimalCompose(rootDir))
+      if (includeSkillerPackage) {
+        yield* _(writeSkillerPackage(rootDir))
+      }
+      yield* _(withWorkingDirectory(rootDir))
+      yield* _(
+        withControllerEnv([
+          [controllerBuildSkillerEnvKey, buildSkillerMode],
+          [controllerGpuModeEnvKey, undefined],
+          [controllerRevisionEnvKey, undefined]
+        ])
+      )
+
+      const revision = yield* _(prepareControllerRevision())
+      return { persistedRevision: process.env[controllerRevisionEnvKey], revision }
+    })
+  ).pipe(Effect.provide(NodeContext.layer))
+
+const expectPreparedRevision = (prepared: PreparedRevision, pattern: RegExp): void => {
+  expect(prepared.revision).toMatch(pattern)
+  expect(prepared.persistedRevision).toBe(prepared.revision)
+}
+
+const expectedSkillerSuffixForMode = (buildSkillerMode: ControllerBuildSkillerFixtureMode): string =>
+  buildSkillerMode === "0" ? "skiller0" : "skiller1"
+
+const expectPreparedRevisionInvariants = (fixture: PrepareRevisionFixture, prepared: PreparedRevision): void => {
+  expectPreparedRevision(prepared, controllerRevisionPattern)
+  expect(prepared.revision.endsWith(expectedSkillerSuffixForMode(fixture.buildSkillerMode))).toBe(true)
+}
+
+const assertControllerComposeProperty = <PropertyArgs>(property: fc.IAsyncProperty<PropertyArgs>) =>
+  Effect.tryPromise({
+    catch: (cause) => cause,
+    try: () => fc.assert(property, { numRuns: 25 })
+  })
+
+describe("controller compose preparation", () => {
+  it.effect("does not initialize the Skiller submodule when package metadata already exists", () =>
+    Effect.scoped(
+      Effect.gen(function*(_) {
+        const rootDir = yield* _(temporaryControllerRoot)
+        yield* _(writeSkillerPackage(rootDir))
+
+        yield* _(ensureSkillerSubmoduleInitialized(rootDir))
+      })
+    ).pipe(Effect.provide(NodeContext.layer)))
+
+  it.effect("reports a typed failure when submodule initialization cannot provide package metadata", () =>
+    Effect.scoped(
+      Effect.gen(function*(_) {
+        const rootDir = yield* _(temporaryControllerRoot)
+        const startedCommands: Array<string> = []
+
+        const error = yield* _(
+          ensureSkillerSubmoduleInitialized(rootDir).pipe(
+            Effect.provide(commandExecutorLayer((command) => {
+              startedCommands.push([command.command, ...command.args].join(" "))
+              return { exitCode: 128, stderr: "fatal: no submodule mapping found", stdout: "" }
+            })),
+            Effect.provide(NodeContext.layer),
+            Effect.flip
+          )
+        )
+
+        expect(error._tag).toBe("ControllerBootstrapError")
+        expect(error.message).toContain(expectedSkillerSubmoduleCommand)
+        expect(startedCommands).toEqual([expectedSkillerSubmoduleCommand])
+      })
+    ).pipe(Effect.provide(NodeContext.layer)))
+
+  it.effect("prepares and persists host controller revisions for Skiller build modes", () =>
+    assertControllerComposeProperty(
+      fc.asyncProperty(prepareRevisionFixtureArbitrary, (fixture) =>
+        Effect.runPromise(
+          prepareRevisionInTemporaryRoot(fixture).pipe(
+            Effect.tap((prepared) =>
+              Effect.sync(() => {
+                expectPreparedRevisionInvariants(fixture, prepared)
+              })
+            ),
+            Effect.asVoid
+          )
+        ))
+    ))
+})