Create /sloptrap-tools/ volumes for each projects, to avoid polluting the agents HOME

2026-05-10 12:37:40 +02:00
parent 650782f503
commit db1211ebb4
5 changed files with 101 additions and 20 deletions
--- a/57
+++ b/57
@@ -236,6 +236,9 @@ CODEX_AUTH_FILE_HOST=""
 CODEX_STATE_KEY=""
 CODEX_HOME_BOOTSTRAP=false
 NEED_LOGIN=false
+SLOPTRAP_TOOLS_HOME_CONT="/sloptrap-tools"
+SLOPTRAP_TOOLS_BIN_CONT="/sloptrap-tools/bin"
+SLOPTRAP_TOOLS_VOLUME=""
 IGNORE_STUB_BASE=""
 IGNORE_HELPER_ROOT=""
 ALLOW_HOST_NETWORK=false
@@ -341,11 +344,15 @@ ARG OPENCODE_BIN=opencode
 ARG OPENCODE_CONF=config/config.toml
 COPY ${OPENCODE_BIN} /usr/local/bin/opencode
 RUN chmod 0755 /usr/local/bin/opencode \
+ && mkdir -p /sloptrap-tools/bin \
+ && chmod 0777 /sloptrap-tools /sloptrap-tools/bin \
 && chown -R sloptrap:sloptrap /home/sloptrap

 WORKDIR /workspace

-ENV SHELL=/bin/bash HOME=/home/sloptrap
+ENV SHELL=/bin/bash HOME=/home/sloptrap \
+    SLOPTRAP_TOOLS_HOME=/sloptrap-tools \
+    PATH=/sloptrap-tools/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
 ENTRYPOINT ["opencode"]
 DOCKERFILE_EOF
 )
@@ -376,11 +383,15 @@ ARG CODEX_BIN=codex
 ARG CODEX_CONF=config/config.toml
 COPY ${CODEX_BIN} /usr/local/bin/codex
 RUN chmod 0755 /usr/local/bin/codex \
+ && mkdir -p /sloptrap-tools/bin \
+ && chmod 0777 /sloptrap-tools /sloptrap-tools/bin \
 && chown -R sloptrap:sloptrap /home/sloptrap

 WORKDIR /workspace

-ENV SHELL=/bin/bash HOME=/home/sloptrap
+ENV SHELL=/bin/bash HOME=/home/sloptrap \
+    SLOPTRAP_TOOLS_HOME=/sloptrap-tools \
+    PATH=/sloptrap-tools/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
 ENTRYPOINT ["/usr/local/bin/codex"]
 EOF
  fi
@@ -1036,6 +1047,9 @@ print_config() {
     info_line "runtime_flags=%s\n" "$CODEX_ARGS_DISPLAY"
   fi
   info_line "host_alias=%s\n" "${SLOPTRAP_HOST_ALIAS:-}"
+   info_line "tools_volume=%s\n" "$SLOPTRAP_TOOLS_VOLUME"
+   info_line "tools_home=%s\n" "$SLOPTRAP_TOOLS_HOME_CONT"
+   info_line "tools_bin=%s\n" "$SLOPTRAP_TOOLS_BIN_CONT"
   info_line "needs_login=%s\n" "$NEED_LOGIN"
   info_line "ignore_stub_base=%s\n" "$IGNORE_STUB_BASE"
   if [[ ${#SLOPTRAP_IGNORE_ENTRIES[@]} -gt 0 ]]; then
@@ -1098,6 +1112,8 @@ Current resolved sloptrap state:
 - name=$PROJECT_NAME (project/image/container label)
 - packages_extra=${PACKAGES_EXTRA:-none} (Debian packages added at build time)
 - network_mode=$network_mode (host when host networking is enabled; otherwise isolated)
+- tools_home=$SLOPTRAP_TOOLS_HOME_CONT (writable install prefix for third-party tools)
+- tools_bin=$SLOPTRAP_TOOLS_BIN_CONT (already on the default PATH)
 EOF
 )
   if [[ -n $SLOPTRAP_HOST_ALIAS ]]; then
@@ -1122,6 +1138,7 @@ SLOPTRAP_CODEX_BIN_NAME=""
 SLOPTRAP_CODEX_URL=""
 SLOPTRAP_CODEX_ARCHIVE=""
 SLOPTRAP_CODEX_HOME_CONT=""
+SLOPTRAP_RUNTIME_PATH=""
 SLOPTRAP_VOLUME_LABEL=""
 SLOPTRAP_WORKDIR=${SLOPTRAP_WORKDIR-}
 SLOPTRAP_NETWORK_NAME=""
@@ -1314,6 +1331,7 @@ ensure_opencode_config() {
      enabled_providers: [$provider_id],
      share: "disabled",
      autoupdate: false,
+      lsp: true,
      provider: {
        ($provider_id): {
          npm: "@ai-sdk/openai-compatible",
@@ -1328,7 +1346,7 @@ ensure_opencode_config() {
              name: $model_id,
              limit: {
                context: $context_limit,
-                output: 32768
+                output: 16384
              },
              cost: {
                input: 0.0221,
@@ -1344,9 +1362,10 @@ ensure_opencode_config() {
      },
      model: $model_ref,
      compaction: {
+        threshold: 0.95,
+        strategy: "summarize",
        auto: true,
-        prune: true,
-        reserved: 12000
+        prune: true
      },
      watcher: {
        ignore: [
@@ -1363,14 +1382,14 @@ ensure_opencode_config() {
        grep: "allow",
        list: "allow",
        bash: "allow",
-        task: "allow",
+        task: "deny",
        question: "allow",
        webfetch: "allow",
        websearch: "allow",
        codesearch: "allow",
        external_directory: "allow",
-        doom_loop: "ask"
-      }
+        doom_loop: "deny"
+      },
      "instructions": [
        "AGENTS.md"
      ]
@@ -1654,6 +1673,10 @@ prepare_container_runtime() {
  if [[ "$BACKEND" == "opencode" ]]; then
    OPENCODE_CONFIG_CONT="$SLOPTRAP_CODEX_HOME_CONT/config/opencode/opencode.json"
  fi
+  SLOPTRAP_TOOLS_HOME_CONT="/sloptrap-tools"
+  SLOPTRAP_TOOLS_BIN_CONT="$SLOPTRAP_TOOLS_HOME_CONT/bin"
+  SLOPTRAP_RUNTIME_PATH="$SLOPTRAP_TOOLS_BIN_CONT:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
+  SLOPTRAP_TOOLS_VOLUME=$(sanitize_engine_name "${PROJECT_NAME}-sloptrap-tools-${CODEX_STATE_KEY:0:12}")
  SLOPTRAP_CODEX_UID=$(get_env_default "SLOPTRAP_CODEX_UID" "1337")
  SLOPTRAP_CODEX_GID=$(get_env_default "SLOPTRAP_CODEX_GID" "1337")
  local default_network="bridge"
@@ -1672,8 +1695,8 @@ prepare_container_runtime() {
    ensure_host_loopback_network_access
  fi
  SLOPTRAP_LIMITS_PID=$(get_env_default "SLOPTRAP_LIMITS_PID" "4096")
-  SLOPTRAP_LIMITS_RAM=$(get_env_default "SLOPTRAP_LIMITS_RAM" "4096m")
-  SLOPTRAP_LIMITS_SWP=$(get_env_default "SLOPTRAP_LIMITS_SWP" "4096m")
+  SLOPTRAP_LIMITS_RAM=$(get_env_default "SLOPTRAP_LIMITS_RAM" "16384m")
+  SLOPTRAP_LIMITS_SWP=$(get_env_default "SLOPTRAP_LIMITS_SWP" "16384m")
  SLOPTRAP_LIMITS_SHM=$(get_env_default "SLOPTRAP_LIMITS_SHM" "4096m")
  SLOPTRAP_LIMITS_CPU=$(get_env_default "SLOPTRAP_LIMITS_CPU" "8")
  SLOPTRAP_TMPFS_PATHS=$(get_env_default "SLOPTRAP_TMPFS_PATHS" "/tmp:exec /run /run/lock")
@@ -1717,6 +1740,9 @@ prepare_container_runtime() {
    -v "$SLOPTRAP_SHARED_DIR_ABS:$SLOPTRAP_WORKDIR$SLOPTRAP_VOLUME_LABEL"
    -v "$CODEX_STATE_HOME_HOST:$SLOPTRAP_CODEX_HOME_CONT$SLOPTRAP_VOLUME_LABEL"
  )
+  local -a mount_opts=(
+    --mount "type=volume,source=$SLOPTRAP_TOOLS_VOLUME,target=$SLOPTRAP_TOOLS_HOME_CONT"
+  )
  
  # Add opencode state mount if using opencode backend
  if [[ "$BACKEND" == "opencode" ]]; then
@@ -1729,6 +1755,8 @@ prepare_container_runtime() {
    -e "XDG_CACHE_HOME=$SLOPTRAP_CODEX_HOME_CONT/cache"
    -e "XDG_STATE_HOME=$SLOPTRAP_CODEX_HOME_CONT/state"
    -e "CODEX_HOME=$SLOPTRAP_CODEX_HOME_CONT"
+    -e "PATH=$SLOPTRAP_RUNTIME_PATH"
+    -e "SLOPTRAP_TOOLS_HOME=$SLOPTRAP_TOOLS_HOME_CONT"
    -e "SLOPTRAP_WORKDIR=$SLOPTRAP_WORKDIR"
    -e "SLOPTRAP_HELPER_DIR=/tmp/sloptrap-helper"
  )
@@ -1783,6 +1811,7 @@ prepare_container_runtime() {
    "${resource_opts[@]}"
    "${rootfs_flag[@]}"
    "${tmpfs_opts[@]}"
+    "${mount_opts[@]}"
    "${volume_opts[@]}"
    "${env_args[@]}"
    "${IGNORE_MOUNT_ARGS[@]}"
@@ -1943,11 +1972,13 @@ clean_environment() {
  if $DRY_RUN; then
    print_command "$CONTAINER_ENGINE" rm -f "$SLOPTRAP_CONTAINER_NAME"
    print_command "$CONTAINER_ENGINE" rmi "$SLOPTRAP_IMAGE_NAME"
+    print_command "$CONTAINER_ENGINE" volume rm -f "$SLOPTRAP_TOOLS_VOLUME"
    print_command rm -rf "$helper_root"
    return 0
  fi
  "$CONTAINER_ENGINE" rm -f "$SLOPTRAP_CONTAINER_NAME" >/dev/null 2>&1 || true
  "$CONTAINER_ENGINE" rmi "$SLOPTRAP_IMAGE_NAME" >/dev/null 2>&1 || true
+  "$CONTAINER_ENGINE" volume rm -f "$SLOPTRAP_TOOLS_VOLUME" >/dev/null 2>&1 || true
  rm -rf "$helper_root"
 }

@@ -1991,11 +2022,11 @@ run_codex() {
  if ! $DRY_RUN; then
    status_line "Running %s\n" "$SLOPTRAP_IMAGE_NAME"
  fi
+  local runtime_prompt
+  runtime_prompt=$(build_runtime_context_prompt)
  if [[ "$BACKEND" == "opencode" ]]; then
-    run_codex_command
+    run_codex_command --prompt "$runtime_prompt"
  else
-    local runtime_prompt
-    runtime_prompt=$(build_runtime_context_prompt)
    run_codex_command "$runtime_prompt"
  fi
 }