sandcastle: base image on nixos/nix and bake devShells.ci #11
Blocked by: #9
Why

The `.sandcastle` sandbox image (`.sandcastle/Dockerfile`) is `node:22-bookworm` and has no Rust toolchain — no `cargo`, `clippy`, `rustfmt`, or `just`. Both the implementer and reviewer run in this container (see `main.mts`), so they currently cannot build, lint, or test the Rust code at all. We want them to run `nix develop .#ci -c just check` using the flake as the single source of truth (#9).
What

Rework `.sandcastle/Dockerfile`:

- Base it on `nixos/nix` (or install Nix into a base image), enabling `experimental-features = nix-command flakes`.
- Copy `flake.nix`, `flake.lock`, `Cargo.toml`, `Cargo.lock` early, then `RUN nix develop .#ci --command true` so the toolchain + compiled deps are baked into an image layer. This is mandatory — otherwise every sandbox pays a multi-minute cold build on first `just check`.
- (`npm i -g opencode-ai@latest`) — node now comes from nix, not the base image.
- `tea` CLI install (keep the current curl approach).
- `configure-tea.sh` helper.
- `agent` user + `AGENT_UID`/`AGENT_GID` alignment (Nix single-user store ownership needs care here).
- `main.mts` `onSandboxReady` currently runs `npm install`; reconcile with the new base (node/npm must be on PATH; decide whether `npm install` still applies given deps come from the flake).
Bootstrapping note

This changes the very environment the agents run in. It must land + the image must be rebuilt before the `just check` teeth in #-CODING-STANDARDS and #-IMPL-PROMPT become real. Image rebuild is a human/out-of-loop step.
Acceptance criteria

- `nix develop .#ci -c just check` from the repo root with a warm store (no cold pi/toolchain compile at runtime).
- `tea`, and the `agent` user still work as before.
- `main.mts` hooks succeed against the new base.
Risk

Nix-in-Docker (store ownership, single vs multi-user, flake eval in build) is finicky. Consider `ready-for-human` rather than `ready-for-agent`.