sandcastle: base image on nixos/nix and bake devShells.ci #11

Closed
opened 2026-07-05 03:21:02 +08:00 by weiwen · 0 comments
Owner

Blocked by: #9

Why

The .sandcastle sandbox image (.sandcastle/Dockerfile) is node:22-bookworm and has no Rust toolchain — no cargo, clippy, rustfmt, or just. Both the implementer and reviewer run in this container (see main.mts), so they currently cannot build, lint, or test the Rust code at all. We want them to run nix develop .#ci -c just check using the flake as the single source of truth (#9).

What

Rework .sandcastle/Dockerfile:

  • Base on nixos/nix (or install Nix into a base image), enabling experimental-features = nix-command flakes.
  • Copy flake.nix, flake.lock, Cargo.toml, Cargo.lock early, then RUN nix develop .#ci --command true so the toolchain + compiled deps are baked into an image layer. This is mandatory — otherwise every sandbox pays a multi-minute cold build on first just check.
  • Re-establish the plumbing that the node base currently provides:
    • OpenCode CLI (npm i -g opencode-ai@latest) — node now comes from nix, not the base image.
    • tea CLI install (keep the current curl approach).
    • configure-tea.sh helper.
    • The agent user + AGENT_UID/AGENT_GID alignment (Nix single-user store ownership needs care here).
  • main.mts onSandboxReady currently runs npm install; reconcile with the new base (node/npm must be on PATH; decide whether npm install still applies given deps come from the flake).

Bootstrapping note

This changes the very environment the agents run in. It must land + the image must be rebuilt before the just check teeth in #-CODING-STANDARDS and #-IMPL-PROMPT become real. Image rebuild is a human/out-of-loop step.

Acceptance criteria

  • Built image runs nix develop .#ci -c just check from the repo root with a warm store (no cold pi/toolchain compile at runtime).
  • OpenCode, tea, and the agent user still work as before.
  • main.mts hooks succeed against the new base.

Risk

Nix-in-Docker (store ownership, single vs multi-user, flake eval in build) is finicky. Consider ready-for-human rather than ready-for-agent.

Blocked by: #9 ## Why The `.sandcastle` sandbox image (`.sandcastle/Dockerfile`) is `node:22-bookworm` and has **no Rust toolchain** — no `cargo`, `clippy`, `rustfmt`, or `just`. Both the implementer and reviewer run in this container (see `main.mts`), so they currently cannot build, lint, or test the Rust code at all. We want them to run `nix develop .#ci -c just check` using the flake as the single source of truth (#9). ## What Rework `.sandcastle/Dockerfile`: - Base on `nixos/nix` (or install Nix into a base image), enabling `experimental-features = nix-command flakes`. - Copy `flake.nix`, `flake.lock`, `Cargo.toml`, `Cargo.lock` early, then `RUN nix develop .#ci --command true` so the toolchain + compiled deps are **baked into an image layer**. This is mandatory — otherwise every sandbox pays a multi-minute cold build on first `just check`. - Re-establish the plumbing that the node base currently provides: - OpenCode CLI (`npm i -g opencode-ai@latest`) — node now comes from nix, not the base image. - `tea` CLI install (keep the current curl approach). - `configure-tea.sh` helper. - The `agent` user + `AGENT_UID`/`AGENT_GID` alignment (Nix single-user store ownership needs care here). - `main.mts` `onSandboxReady` currently runs `npm install`; reconcile with the new base (node/npm must be on PATH; decide whether `npm install` still applies given deps come from the flake). ## Bootstrapping note This changes the very environment the agents run in. It must land + the image must be rebuilt **before** the `just check` teeth in #-CODING-STANDARDS and #-IMPL-PROMPT become real. Image rebuild is a human/out-of-loop step. ## Acceptance criteria - Built image runs `nix develop .#ci -c just check` from the repo root with a **warm** store (no cold `pi`/toolchain compile at runtime). - OpenCode, `tea`, and the `agent` user still work as before. - `main.mts` hooks succeed against the new base. ## Risk Nix-in-Docker (store ownership, single vs multi-user, flake eval in build) is finicky. Consider `ready-for-human` rather than `ready-for-agent`.
Sign in to join this conversation.
No milestone
No project
No assignees
1 participant
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference
weiwen/evie#11
No description provided.