@getmonoceros/workbench 1.21.2 → 1.22.0

package/bundled-components/features/atlassian/component.yml

@@ -0,0 +1,52 @@
+id: atlassian
+category: feature
+displayName: Atlassian
+description: 'Rovo Dev (`acli rovodev`) and Teamwork Graph (`twg`) CLIs sharing one Atlassian account. Auth persists across rebuilds.'
+documentationURL: https://developer.atlassian.com/cloud/
+options:
+  rovodev:
+    type: boolean
+    default: true
+    description: 'Install acli (with the Rovo Dev agent).'
+    surface: yml
+  twg:
+    type: boolean
+    default: true
+    description: 'Install twg (Teamwork Graph CLI).'
+    surface: yml
+  instance:
+    type: string
+    default: ''
+    description: 'Atlassian site host (`yoursite.atlassian.net`); required by twg.'
+    surface: env
+  email:
+    type: string
+    default: ''
+    description: 'Atlassian account email; used with `apiToken` for non-interactive login.'
+    surface: env
+  apiToken:
+    type: string
+    default: ''
+    description: 'Atlassian API token (id.atlassian.com → Security → API tokens).'
+    surface: env
+  bitbucketToken:
+    type: string
+    default: ''
+    description: "Optional Bitbucket app password; only needed for twg's Bitbucket commands."
+    surface: env
+feature:
+  version: 1.0.0
+  persistentHomePaths: [.config/acli, .rovodev, .config/twg, .agents]
+  vscodeExtensions: [Atlassian.atlascode]
+briefing:
+  - whenOption: rovodev
+    text: 'Atlassian Rovo Dev — invoke via `acli rovodev`. Pre-authenticated against the Atlassian account configured in the feature options (shared with twg).'
+  - whenOption: twg
+    text: 'Atlassian Teamwork Graph CLI (`twg`) — work-data access across Jira, Confluence, Bitbucket, JSM and Assets. Pre-authenticated. Sub-skills cover status rollups, engineering work, ops health and context discovery.'
+presets:
+  twg:
+    rovodev: false
+    twg: true
+  rovodev:
+    rovodev: true
+    twg: false

package/bundled-components/features/atlassian/install.sh

@@ -0,0 +1,176 @@
+#!/usr/bin/env bash
+# Monoceros devcontainer feature: atlassian.
+#
+# Installs Atlassian CLIs that share a single Atlassian account:
+#   - Rovo Dev (acli, default on) — the `acli rovodev` AI agent
+#   - Teamwork Graph (twg, default off)
+#
+# Each tool is toggled independently via the `rovodev` / `twg`
+# options. Credentials (instance / email / apiToken) are shared
+# across both tools when set; per-tool post-create hooks under
+# /usr/local/share/monoceros/post-create.d/ perform the
+# non-interactive login on first container start.
+
+set -euo pipefail
+
+ROVODEV="${ROVODEV:-true}"
+TWG="${TWG:-true}"
+INSTANCE="${INSTANCE:-}"
+EMAIL="${EMAIL:-}"
+APITOKEN="${APITOKEN:-}"
+BITBUCKETTOKEN="${BITBUCKETTOKEN:-}"
+
+if [ "${ROVODEV}" != "true" ] && [ "${TWG}" != "true" ]; then
+  echo "[atlassian] both rovodev and twg disabled — nothing to install" >&2
+  exit 0
+fi
+
+ARCH="$(dpkg --print-architecture)"
+case "${ARCH}" in
+  amd64 | arm64) ;;
+  *)
+    echo "[atlassian] unsupported architecture: ${ARCH}" >&2
+    exit 1
+    ;;
+esac
+
+POST_CREATE_DIR=/usr/local/share/monoceros/post-create.d
+mkdir -p "${POST_CREATE_DIR}"
+
+# ─── Rovo Dev (acli) ──────────────────────────────────────────────
+if [ "${ROVODEV}" = "true" ]; then
+  ACLI_URL="https://acli.atlassian.com/linux/latest/acli_linux_${ARCH}/acli"
+  echo "[atlassian/rovodev] downloading acli for ${ARCH} from ${ACLI_URL}"
+  TMP="$(mktemp)"
+  curl -fsSL -o "${TMP}" "${ACLI_URL}"
+  install -o root -g root -m 0755 "${TMP}" /usr/local/bin/acli
+  rm -f "${TMP}"
+  acli --version >/dev/null 2>&1 || {
+    echo "[atlassian/rovodev] ERROR: install completed but \`acli\` is not on PATH" >&2
+    exit 1
+  }
+
+  HOOK="${POST_CREATE_DIR}/atlassian-rovodev.sh"
+  if [ -n "${EMAIL}" ] && [ -n "${APITOKEN}" ]; then
+    cat >"${HOOK}" <<EOF
+#!/usr/bin/env bash
+# Auto-generated by the Monoceros atlassian feature (rovodev).
+# Runs every container start. Always re-runs auth login so that
+# rotating the apiToken in the container yml propagates through on
+# the next \`monoceros apply\` without needing to delete the
+# previous credentials file by hand. acli's login is a single API
+# call; the cost is negligible compared to the container build.
+set -euo pipefail
+echo "[atlassian/rovodev] performing non-interactive Rovo Dev login for ${EMAIL}"
+echo '${APITOKEN}' | acli rovodev auth login --email '${EMAIL}' --token
+echo "[atlassian/rovodev] auth login done — on first \\\`acli rovodev run\\\` you'll be asked for your Atlassian site once; the answer persists."
+EOF
+    chmod 0755 "${HOOK}"
+    echo "[atlassian/rovodev] post-create login hook installed"
+  else
+    rm -f "${HOOK}"
+    echo "[atlassian/rovodev] no email/apiToken set — login is manual (\`acli rovodev auth login\` once in the container)"
+  fi
+fi
+
+# ─── Teamwork Graph (twg) ─────────────────────────────────────────
+if [ "${TWG}" = "true" ]; then
+  echo "[atlassian/twg] installing via official install script"
+  TMP="$(mktemp)"
+  curl -fsSL -o "${TMP}" https://teamwork-graph.atlassian.com/cli/install
+  # The official install script:
+  #   - Downloads the binary; we pin install dir to /usr/local/bin so
+  #     both root (build time) and node (runtime) have it on PATH.
+  #   - Runs a `twg consent --source direct-public-installer` step
+  #     that prompts on stdin. We feed it `yes` via a heredoc; the
+  #     extra blank lines are harmless padding in case a future
+  #     version adds more prompts. (The recorded consent lands in
+  #     /root/.config/twg/ which is not visible to the node user at
+  #     runtime — we re-record it as node in the post-create hook
+  #     below.)
+  #   - With --skip-login / --skip-skills we keep the install
+  #     non-interactive. Login + skills happen later as the node user
+  #     so they persist into the bind-mounted home.
+  #
+  # Heredoc (not `yes ... |`) deliberately: a long-lived `yes` left
+  # writing into a closed pipe after the install script exits gets
+  # SIGPIPE'd, and our own `set -o pipefail` would then propagate
+  # that 141 as a feature-install failure even though the install
+  # actually succeeded.
+  bash "${TMP}" \
+    --install-dir /usr/local/bin \
+    --skip-login \
+    --skip-skills \
+    <<'TWG_INSTALL_INPUT'
+yes
+yes
+yes
+TWG_INSTALL_INPUT
+  rm -f "${TMP}"
+
+  # The install script's mktemp + chmod +x leaves twg-bin at 0700
+  # (only root can execute it). Re-chmod so the node user can run it.
+  if [ -f /usr/local/bin/twg-bin ]; then
+    chmod 0755 /usr/local/bin/twg-bin
+  fi
+  if [ -f /usr/local/bin/twg ]; then
+    chmod 0755 /usr/local/bin/twg
+  fi
+
+  twg --version >/dev/null 2>&1 || {
+    echo "[atlassian/twg] ERROR: install completed but \`twg\` is not on PATH" >&2
+    exit 1
+  }
+
+  HOOK="${POST_CREATE_DIR}/atlassian-twg.sh"
+  if [ -n "${INSTANCE}" ] && [ -n "${EMAIL}" ] && [ -n "${APITOKEN}" ]; then
+    cat >"${HOOK}" <<EOF
+#!/usr/bin/env bash
+# Auto-generated by the Monoceros atlassian feature (twg).
+# Runs every container start. Always re-runs auth login so that
+# rotating the apiToken / bitbucketToken in the container yml
+# propagates through on the next \`monoceros apply\` without
+# needing to delete the previous credentials file by hand. twg's
+# login is a single API call; the cost is negligible compared to
+# the container build.
+set -euo pipefail
+mkdir -p "\${HOME}/.config/twg"
+echo "[atlassian/twg] configuring twg non-interactively for ${EMAIL} @ ${INSTANCE}"
+# Notes on the non-interactive login dance:
+#   - We don't try to re-record consent here as the node user. twg's
+#     \`consent\` subcommand demands a TTY; the install-time consent
+#     (recorded as root during the feature build) appears to be
+#     enough for \`twg login\` itself.
+#   - \`twg login --force\` reads Atlassian creds from TWG_USER /
+#     TWG_SITE / TWG_TOKEN. If TWG_BBC_TOKEN is set, twg uses that
+#     directly and skips the Bitbucket prompt. If empty, twg prompts
+#     interactively — we feed two blank lines via heredoc so the
+#     "Enter = skip" branch fires and we don't hang. Future twg
+#     versions adding another optional prompt are also covered by
+#     the second blank line.
+TWG_USER='${EMAIL}' \\
+TWG_SITE='${INSTANCE}' \\
+TWG_TOKEN='${APITOKEN}' \\
+TWG_BBC_TOKEN='${BITBUCKETTOKEN}' \\
+  twg login --force <<'TWG_LOGIN_INPUT'
+
+
+TWG_LOGIN_INPUT
+
+# (Re-)install twg's agent skills. Canonical install lands in
+# /home/node/.agents/skills/twg (persisted via the feature's
+# persistentHomePaths); per-agent wrapper scripts go into agent-
+# specific home dirs (.claude/skills/twg, .codex/skills/twg, …)
+# and are regenerated on each apply when those tools are present.
+echo "[atlassian/twg] (re-)installing twg skills"
+twg skills install --global --yes
+EOF
+    chmod 0755 "${HOOK}"
+    echo "[atlassian/twg] post-create login hook installed"
+  else
+    rm -f "${HOOK}"
+    echo "[atlassian/twg] missing instance/email/apiToken — login is manual (\`twg login\` once in the container)"
+  fi
+fi
+
+echo "[atlassian] done"

package/bundled-components/features/claude-code/component.yml

@@ -0,0 +1,32 @@
+id: claude-code
+name: claude
+category: feature
+displayName: Claude Code
+description: "Anthropic's CLI coding assistant. OAuth/subscription login persists across container rebuilds."
+documentationURL: https://docs.anthropic.com/en/docs/claude-code
+options:
+  version:
+    type: string
+    default: latest
+    description: 'npm-style version spec (`latest`, `^0.4`, `0.4.2`).'
+    surface: silent
+  apiKey:
+    type: string
+    default: ''
+    description: '`sk-ant-…` for API auth; empty for OAuth login on first run.'
+    surface: env
+  permissionMode:
+    type: string
+    default: auto
+    proposals: [auto, ask, edits, bypass]
+    description: 'Default Claude permission mode in this container. `auto` = Auto Mode: no per-action prompts and no recurring warning (a background classifier vets actions) — the comfortable default for an isolated container. `ask` prompts as usual; `edits` auto-accepts file edits but prompts for other commands; `bypass` skips all prompts (its one-time warning is pre-accepted). Monoceros writes this to ~/.claude/settings.json on apply; override per-project or with a CLI flag.'
+    surface: yml
+feature:
+  version: 1.2.0
+  persistentHomePaths: [.claude]
+  persistentHomeFiles:
+    - path: .claude.json
+      initialContent: "{}\n"
+  vscodeExtensions: [anthropic.claude-code]
+briefing:
+  - text: 'Anthropic Claude Code CLI (`claude`) — interactive coding assistant. Authenticated via OAuth/subscription unless `apiKey` was set, in which case it runs in API-key mode.'

package/bundled-components/features/claude-code/install.sh

@@ -0,0 +1,56 @@
+#!/usr/bin/env bash
+# Monoceros devcontainer feature: claude-code.
+#
+# Installs the Anthropic Claude Code CLI globally via the npm registry.
+# Login state lives at /home/node/.claude, which Monoceros bind-mounts
+# from <container-dir>/home/.claude on the host so it survives apply
+# rebuilds.
+#
+# If the optional `apiKey` option was passed in the container yml (or
+# inherited from monoceros-config.yml defaults.features), this script
+# writes a profile.d snippet that exports ANTHROPIC_API_KEY for every
+# shell — Claude Code picks that up and skips the OAuth flow.
+
+set -euo pipefail
+
+VERSION="${VERSION:-latest}"
+APIKEY="${APIKEY:-}"
+
+echo "[claude-code] installing @anthropic-ai/claude-code@${VERSION} (as node)"
+
+# Install as the non-root `node` user, NOT root (the feature install
+# script itself runs as root). The base image's npm global prefix
+# (/usr/local/share/npm-global) is owned by `node`, so installing as
+# node leaves the Claude package files node-owned too. That is exactly
+# what lets Claude's runtime self-updater write to them and keep itself
+# current between Monoceros `upgrade`s. Installing as root drops
+# root-owned files into that prefix that the non-root runtime user can
+# never overwrite — the perpetual "Auto-update failed: no write
+# permission to npm prefix" nag, frozen at the build-time version. See
+# ADR 0018.
+runuser -u node -- bash -lc \
+  "npm install -g --no-audit --no-fund '@anthropic-ai/claude-code@${VERSION}'"
+
+runuser -u node -- bash -lc 'claude --version' >/dev/null 2>&1 || {
+  echo "[claude-code] ERROR: install completed but \`claude\` is not on PATH" >&2
+  exit 1
+}
+
+# When an API key is configured, drop a profile.d snippet so every
+# login shell exports it. We deliberately don't use containerEnv: the
+# value would land in /proc/<pid>/environ of every process; the
+# profile.d route at least keeps it out of non-shell process env when
+# the container starts services directly.
+if [ -n "${APIKEY}" ]; then
+  cat >/etc/profile.d/claude-code-apikey.sh <<EOF
+# Auto-generated by the Monoceros claude-code feature. Sets
+# ANTHROPIC_API_KEY so Claude Code uses API auth instead of OAuth.
+export ANTHROPIC_API_KEY='${APIKEY}'
+EOF
+  chmod 0644 /etc/profile.d/claude-code-apikey.sh
+  echo "[claude-code] API key mode: ANTHROPIC_API_KEY wired via /etc/profile.d/"
+else
+  echo "[claude-code] subscription/OAuth mode: run \`claude\` once interactively to log in"
+fi
+
+echo "[claude-code] done"

package/bundled-components/features/github-cli/component.yml

@@ -0,0 +1,18 @@
+id: github-cli
+name: github
+category: feature
+displayName: GitHub CLI
+description: 'The official `gh` CLI. Login persists across container rebuilds.'
+documentationURL: https://cli.github.com/
+options:
+  apiToken:
+    type: string
+    default: ''
+    description: 'GitHub PAT (scopes: repo, read:org, gist); empty for `gh auth login` on first run.'
+    surface: env
+feature:
+  version: 1.0.0
+  persistentHomePaths: [.config/gh]
+  vscodeExtensions: [github.vscode-pull-request-github]
+briefing:
+  - text: 'GitHub CLI (`gh`) — repo, PR, issue, gist operations against github.com. Pre-authenticated; `gh auth status` reflects the active account.'

package/bundled-components/features/github-cli/install.sh

@@ -0,0 +1,53 @@
+#!/usr/bin/env bash
+# Monoceros devcontainer feature: github-cli.
+#
+# Installs the official GitHub CLI (`gh`) from cli.github.com's apt
+# repository. When the `token` option is set, the value is exposed
+# as GH_TOKEN via /etc/profile.d so every login shell sees an
+# authenticated `gh`. Without a token, `gh` is installed but
+# unauthenticated; the builder can run `gh auth login` once
+# interactively and the resulting `~/.config/gh/` state is
+# persisted via Monoceros' bind-mount.
+
+set -euo pipefail
+
+APITOKEN="${APITOKEN:-}"
+
+echo "[github-cli] installing gh from cli.github.com apt repo"
+
+# Per https://cli.github.com/manual/installation (Debian/Ubuntu path).
+type -p curl >/dev/null || {
+  apt-get update
+  apt-get install -y curl
+}
+
+curl -fsSL https://cli.github.com/packages/githubcli-archive-keyring.gpg \
+  | dd of=/usr/share/keyrings/githubcli-archive-keyring.gpg
+chmod go+r /usr/share/keyrings/githubcli-archive-keyring.gpg
+
+mkdir -p -m 755 /etc/apt/sources.list.d
+ARCH="$(dpkg --print-architecture)"
+echo "deb [arch=${ARCH} signed-by=/usr/share/keyrings/githubcli-archive-keyring.gpg] https://cli.github.com/packages stable main" \
+  > /etc/apt/sources.list.d/github-cli.list
+
+apt-get update
+apt-get install -y --no-install-recommends gh
+
+gh --version >/dev/null 2>&1 || {
+  echo "[github-cli] ERROR: install completed but \`gh\` is not on PATH" >&2
+  exit 1
+}
+
+if [ -n "${APITOKEN}" ]; then
+  cat >/etc/profile.d/github-cli.sh <<EOF
+# Auto-generated by the Monoceros github-cli feature. Exports
+# GH_TOKEN so the GitHub CLI authenticates non-interactively.
+export GH_TOKEN='${APITOKEN}'
+EOF
+  chmod 0644 /etc/profile.d/github-cli.sh
+  echo "[github-cli] apiToken wired via /etc/profile.d/ → \`gh\` authenticated in login shells"
+else
+  echo "[github-cli] no apiToken set — run \`gh auth login\` once in the container; auth state persists under ~/.config/gh"
+fi
+
+echo "[github-cli] done"

package/bundled-components/languages/dotnet/component.yml

@@ -0,0 +1,8 @@
+id: dotnet
+category: language
+displayName: .NET
+description: 'The .NET SDK via the upstream devcontainer feature. Pin a version with `dotnet:<version>`.'
+language:
+  feature: ghcr.io/devcontainers/features/dotnet:2
+  defaultVersion: latest
+  versions: [latest, lts, 10.0, 9.0, 8.0, 7.0, 6.0]

package/bundled-components/languages/go/component.yml

@@ -0,0 +1,8 @@
+id: go
+category: language
+displayName: Go
+description: 'The Go toolchain plus golangci-lint via the upstream devcontainer feature. Pin a version with `go:<version>`.'
+language:
+  feature: ghcr.io/devcontainers/features/go:1
+  defaultVersion: latest
+  versions: [latest, 1.24, 1.23]

package/bundled-components/languages/java/component.yml

@@ -0,0 +1,17 @@
+id: java
+category: language
+displayName: Java
+description: 'A JDK plus Maven and Gradle by default (the upstream feature ships only the JDK), so a plain `languages: [java]` is build-ready. Pin a JDK major with `java:<version>`.'
+language:
+  feature: ghcr.io/devcontainers/features/java:1
+  defaultVersion: latest
+  versions: [latest, 21, 17, 11, 8]
+options:
+  installMaven:
+    type: boolean
+    default: true
+    surface: yml
+  installGradle:
+    type: boolean
+    default: true
+    surface: yml

package/bundled-components/languages/node/component.yml

@@ -0,0 +1,9 @@
+id: node
+category: language
+displayName: Node.js
+description: 'Node.js, built into the runtime image. A bare `node` installs nothing extra; pin a different major with `node:<version>`.'
+language:
+  feature: ghcr.io/devcontainers/features/node:1
+  builtin: true
+  defaultVersion: 22
+  versions: [lts, latest, 22, 20]

package/bundled-components/languages/python/component.yml

@@ -0,0 +1,8 @@
+id: python
+category: language
+displayName: Python
+description: 'CPython plus pip and common dev tooling via the upstream devcontainer feature. Pin a version with `python:<version>`.'
+language:
+  feature: ghcr.io/devcontainers/features/python:1
+  defaultVersion: latest
+  versions: [latest, 3.12, 3.11, 3.10, 3.9, 3.8]

package/bundled-components/languages/rust/component.yml

@@ -0,0 +1,8 @@
+id: rust
+category: language
+displayName: Rust
+description: 'rustup plus the stable toolchain (rust-analyzer, rust-src, rustfmt, clippy) via the upstream feature. Pin a version with `rust:<version>`.'
+language:
+  feature: ghcr.io/devcontainers/features/rust:1
+  defaultVersion: latest
+  versions: [latest, 1.87]

package/bundled-components/services/mysql/component.yml

@@ -0,0 +1,40 @@
+id: mysql
+category: service
+displayName: MySQL
+description: 'MySQL with seeded dev credentials and a readiness healthcheck. Reachable in-container as host `mysql`.'
+service:
+  image: mysql:8
+  defaultPort: 3306
+  dataMount: /var/lib/mysql
+  healthcheck:
+    test:
+      [
+        CMD,
+        mysqladmin,
+        ping,
+        -h,
+        127.0.0.1,
+        -u,
+        root,
+        '-p${MYSQL_ROOT_PASSWORD}',
+      ]
+    interval: 10s
+    timeout: 5s
+    retries: 5
+  vscodeExtensions: [cweijan.vscode-database-client2]
+  connectionEnv:
+    MYSQL_HOST: ${host}
+    MYSQL_PORT: ${port}
+    MYSQL_USER: root
+    MYSQL_PASSWORD: ${MYSQL_ROOT_PASSWORD}
+    MYSQL_DATABASE: ${MYSQL_DATABASE}
+    DATABASE_URL: mysql://root:${MYSQL_ROOT_PASSWORD}@${host}:${port}/${MYSQL_DATABASE}
+options:
+  MYSQL_ROOT_PASSWORD:
+    type: string
+    default: monoceros
+    surface: env
+  MYSQL_DATABASE:
+    type: string
+    default: monoceros
+    surface: env

package/bundled-components/services/postgres/component.yml

@@ -0,0 +1,34 @@
+id: postgres
+category: service
+displayName: PostgreSQL
+description: 'PostgreSQL with seeded dev credentials and a readiness healthcheck. Reachable in-container as host `postgres`.'
+service:
+  image: postgres:18
+  defaultPort: 5432
+  dataMount: /var/lib/postgresql
+  healthcheck:
+    test: [CMD, pg_isready, -U, '${POSTGRES_USER}', -d, '${POSTGRES_DB}']
+    interval: 10s
+    timeout: 5s
+    retries: 5
+  vscodeExtensions: [cweijan.vscode-database-client2]
+  connectionEnv:
+    PGHOST: ${host}
+    PGPORT: ${port}
+    PGUSER: ${POSTGRES_USER}
+    PGPASSWORD: ${POSTGRES_PASSWORD}
+    PGDATABASE: ${POSTGRES_DB}
+    DATABASE_URL: postgresql://${POSTGRES_USER}:${POSTGRES_PASSWORD}@${host}:${port}/${POSTGRES_DB}
+options:
+  POSTGRES_USER:
+    type: string
+    default: monoceros
+    surface: env
+  POSTGRES_PASSWORD:
+    type: string
+    default: monoceros
+    surface: env
+  POSTGRES_DB:
+    type: string
+    default: monoceros
+    surface: env

package/bundled-components/services/redis/component.yml

@@ -0,0 +1,16 @@
+id: redis
+category: service
+displayName: Redis
+description: 'Redis on the default port with a readiness healthcheck. Reachable in-container as host `redis`.'
+service:
+  image: redis:8
+  defaultPort: 6379
+  dataMount: /data
+  healthcheck:
+    test: [CMD, redis-cli, ping]
+    interval: 10s
+    timeout: 5s
+    retries: 5
+  vscodeExtensions: [cweijan.vscode-database-client2]
+  connectionEnv:
+    REDIS_URL: redis://${host}:${port}