@m14i/sith 1.6.0 → 1.7.0

package/README.md

@@ -10,44 +10,59 @@ Standardize and share your OpenCode setup with a fully dockerized environment, d
 
 ## Usage
 
-No installation required! Run with npx:
+### Quick Start
 
 ```bash
+# Interactive menu (recommended)
 npx @m14i/sith
-```
 
-### Interactive Menu (Default)
+# Pull prebuilt image directly
+npx @m14i/sith --pull
 
-```bash
-npx @m14i/sith
+# Run shell
+npx @m14i/sith shell
 ```
 
-This will present you with options to:
-- 🔨 Build Docker image
+### Distribution Options
 
-### Quick Build
+| Method | Command | Speed | Trust Model | Use Case |
+|--------|---------|-------|-------------|----------|
+| **Prebuilt (Recommended)** | `npx @m14i/sith --pull` | ⚡ Fast | GitHub Actions + Cosign | Production, CI/CD |
+| **Local Build** | `npx @m14i/sith --build` | 🐌 Slow | Your machine | Air-gapped, custom builds |
 
-Build the Docker image directly:
+### Commands
 
-```bash
-npx @m14i/sith docker --build
-# or
-npx @m14i/sith --build
-```
+| Command | Description |
+|---------|-------------|
+| `npx @m14i/sith` | Interactive menu with options |
+| `npx @m14i/sith --pull` | Pull prebuilt image from GHCR |
+| `npx @m14i/sith --build` | Build Docker image from scratch |
+| `npx @m14i/sith shell` | Launch interactive shell in container |
+| `npx @m14i/sith --help` | Show all available commands |
 
-### Interactive Shell
-
-Run an interactive shell in the Docker container:
+### Prebuilt Image Details
 
+**Pull and verify:**
 ```bash
-npx @m14i/sith shell
+# Pull (supports linux/amd64 and linux/arm64)
+npx @m14i/sith --pull
+
+# Or use Docker directly
+docker pull ghcr.io/merzoukemanouri/sith:latest
+
+# Verify signature (optional)
+cosign verify \
+  --certificate-identity-regexp="https://github.com/MerzoukeMansouri/sith" \
+  --certificate-oidc-issuer="https://token.actions.githubusercontent.com" \
+  ghcr.io/merzoukemanouri/sith:latest
 ```
 
-This will:
-- Mount current directory to `/workspace`
-- Load full Nix environment with all tools
-- Make OpenCode CLI available
-- Pass your `GITHUB_TOKEN` environment variable
+**Benefits:**
+- ✅ Fast - no build time
+- ✅ Multi-platform - amd64 and arm64
+- ✅ Signed - cosign verification
+- ✅ SBOM - supply chain transparency
+- ✅ Auto-updated - tracks releases
 
 ## Authentication
 
@@ -78,24 +93,44 @@ npx @m14i/sith shell
 export GITHUB_TOKEN=$(gh auth token)
 ```
 
-## Commands
-
-### `npx @m14i/sith` (default)
-Launches the interactive menu.
-
-### `npx @m14i/sith docker --build`
-Build the Docker image.
-
-### `npx @m14i/sith shell`
-Run interactive shell in the Docker container.
-
 ## Features
 
+- **Prebuilt Images**: Pull verified images from GitHub Container Registry
+- **Image Signing**: All images signed with cosign for supply chain security
+- **SBOM Attestation**: Software Bill of Materials included with every image
 - **Interactive Menu**: Navigate with arrow keys, select with Enter
 - **Direct Commands**: Build or shell access without menu
 - **Dockerized Environment**: Consistent setup across machines
 - **Nix Integration**: Full development environment with all tools
 - **CI-Ready**: Standardize builds across local and CI pipelines
+- **Non-root User**: Images run as non-root user (UID 1000) for better security
+
+## Security
+
+### Image Verification
+
+All Docker images published to `ghcr.io/merzoukemanouri/sith` are:
+- **Signed with cosign** using keyless signing (OIDC)
+- **Include SBOM** (Software Bill of Materials) for transparency
+- **Built automatically** via GitHub Actions with provenance
+
+See [SECURITY.md](./SECURITY.md) for detailed security practices and considerations.
+
+### Trust Model
+
+**Prebuilt Images:**
+- Built by GitHub Actions on public infrastructure
+- Signed with Sigstore keyless signing
+- Verifiable provenance chain from source to image
+- Trade-off: Trust GitHub's build infrastructure
+
+**Local Builds:**
+- Full control over build environment
+- Can inspect Dockerfile before building
+- No dependency on external registries
+- Trade-off: Slower, manual security updates
+
+For more details, see the [Docker Distribution Guide](./doc/QUICKSTART.md#docker-distribution).
 
 ## Development
 

package/dist/commands/docker.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"docker.d.ts","sourceRoot":"","sources":["file:///home/runner/work/sith/sith/src/commands/docker.tsx"],"names":[],"mappings":"AAMA,OAAO,KAAK,EAAkC,oBAAoB,EAAE,MAAM,aAAa,CAAC;AAoNxF,wBAAsB,aAAa,CAAC,OAAO,EAAE,oBAAoB,GAAG,OAAO,CAAC,IAAI,CAAC,CAehF;AAED,wBAAsB,cAAc,IAAI,OAAO,CAAC,IAAI,CAAC,CAEpD"}
+{"version":3,"file":"docker.d.ts","sourceRoot":"","sources":["file:///home/runner/work/sith/sith/src/commands/docker.tsx"],"names":[],"mappings":"AAMA,OAAO,KAAK,EAAkC,oBAAoB,EAAE,MAAM,aAAa,CAAC;AA6PxF,wBAAsB,aAAa,CAAC,OAAO,EAAE,oBAAoB,GAAG,OAAO,CAAC,IAAI,CAAC,CAoBhF;AAED,wBAAsB,cAAc,IAAI,OAAO,CAAC,IAAI,CAAC,CAEpD"}

package/dist/config.d.ts

@@ -1,5 +1,6 @@
 export declare const DOCKER_CONFIG: {
     readonly imageName: "opencode-ci:latest";
+    readonly prebuiltImage: "ghcr.io/merzoukemanouri/sith:latest";
     readonly folderName: "docker";
     readonly dockerfileName: "Dockerfile";
     readonly workspaceMount: "/workspace";

package/dist/config.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"","sourceRoot":"","sources":["file:///home/runner/work/sith/sith/src/config.ts"],"names":[],"mappings":"AACA,eAAO,MAAM,aAAa;;;;;;CAMhB,CAAC;AAGX,eAAO,MAAM,cAAc;;;CAGjB,CAAC;AAGX,eAAO,MAAM,UAAU,mOAOb,CAAC"}
+{"version":3,"file":"","sourceRoot":"","sources":["file:///home/runner/work/sith/sith/src/config.ts"],"names":[],"mappings":"AACA,eAAO,MAAM,aAAa;;;;;;;CAOhB,CAAC;AAGX,eAAO,MAAM,cAAc;;;CAGjB,CAAC;AAGX,eAAO,MAAM,UAAU,mOAOb,CAAC"}

package/dist/index.js

@@ -35471,7 +35471,8 @@ function findProjectRoot(startDir) {
 }
 const rootDir = findProjectRoot(__dirname);
 const menuItems = [
-    { label: "Build Docker image", value: "build", icon: "🔨" },
+    { label: "Pull prebuilt image (recommended)", value: "pull", icon: "📦" },
+    { label: "Build Docker image from scratch", value: "build", icon: "🔨" },
     { label: "Exit", value: "exit", icon: "❌" },
 ];
 function Logo() {
@@ -35497,16 +35498,16 @@ function BuildingSpinner({ step }) {
 function Menu() {
     const { exit } = (0,ink__WEBPACK_IMPORTED_MODULE_1__/* .useApp */ .nm)();
     const [selectedIndex, setSelectedIndex] = (0,react__WEBPACK_IMPORTED_MODULE_0__.useState)(0);
-    const [isBuilding, setIsBuilding] = (0,react__WEBPACK_IMPORTED_MODULE_0__.useState)(false);
-    const [buildStep, setBuildStep] = (0,react__WEBPACK_IMPORTED_MODULE_0__.useState)("");
-    const [buildComplete, setBuildComplete] = (0,react__WEBPACK_IMPORTED_MODULE_0__.useState)(false);
-    const [buildError, setBuildError] = (0,react__WEBPACK_IMPORTED_MODULE_0__.useState)(null);
+    const [isProcessing, setIsProcessing] = (0,react__WEBPACK_IMPORTED_MODULE_0__.useState)(false);
+    const [processStep, setProcessStep] = (0,react__WEBPACK_IMPORTED_MODULE_0__.useState)("");
+    const [processComplete, setProcessComplete] = (0,react__WEBPACK_IMPORTED_MODULE_0__.useState)(false);
+    const [processError, setProcessError] = (0,react__WEBPACK_IMPORTED_MODULE_0__.useState)(null);
     (0,ink__WEBPACK_IMPORTED_MODULE_1__/* .useInput */ .Ge)((_input, key) => {
-        if (isBuilding) {
+        if (isProcessing) {
             return;
         }
-        // Exit on any key press when build is complete or errored
-        if (buildComplete || buildError) {
+        // Exit on any key press when process is complete or errored
+        if (processComplete || processError) {
             exit();
             return;
         }
@@ -35525,6 +35526,9 @@ function Menu() {
             case "exit":
                 exit();
                 return;
+            case "pull":
+                await handlePullCommand();
+                break;
             case "build":
                 await handleBuildCommand();
                 break;
@@ -35532,9 +35536,29 @@ function Menu() {
                 break;
         }
     }
+    async function handlePullCommand() {
+        setIsProcessing(true);
+        setProcessStep("Pulling prebuilt Docker image...");
+        try {
+            await (0,execa__WEBPACK_IMPORTED_MODULE_6__/* .execa */ .Ho)("docker", ["pull", _config_js__WEBPACK_IMPORTED_MODULE_5__/* .DOCKER_CONFIG */ .e6.prebuiltImage], {
+                stdio: "inherit",
+            });
+            // Tag the pulled image with local name for compatibility
+            await (0,execa__WEBPACK_IMPORTED_MODULE_6__/* .execa */ .Ho)("docker", ["tag", _config_js__WEBPACK_IMPORTED_MODULE_5__/* .DOCKER_CONFIG */ .e6.prebuiltImage, _config_js__WEBPACK_IMPORTED_MODULE_5__/* .DOCKER_CONFIG */ .e6.imageName], {
+                stdio: "inherit",
+            });
+            setIsProcessing(false);
+            setProcessComplete(true);
+            setProcessStep("");
+        }
+        catch (error) {
+            setIsProcessing(false);
+            setProcessError(error instanceof Error ? error.message : "Pull failed");
+        }
+    }
     async function handleBuildCommand() {
-        setIsBuilding(true);
-        setBuildStep("Building Docker image...");
+        setIsProcessing(true);
+        setProcessStep("Building Docker image from scratch...");
         try {
             const dockerfilePath = path__WEBPACK_IMPORTED_MODULE_3___default().join(rootDir, _config_js__WEBPACK_IMPORTED_MODULE_5__/* .DOCKER_CONFIG */ .e6.folderName, _config_js__WEBPACK_IMPORTED_MODULE_5__/* .DOCKER_CONFIG */ .e6.dockerfileName);
             if (!fs__WEBPACK_IMPORTED_MODULE_2___default().existsSync(dockerfilePath)) {
@@ -35543,44 +35567,46 @@ function Menu() {
             await (0,execa__WEBPACK_IMPORTED_MODULE_6__/* .execa */ .Ho)("docker", ["build", "-f", dockerfilePath, "-t", _config_js__WEBPACK_IMPORTED_MODULE_5__/* .DOCKER_CONFIG */ .e6.imageName, rootDir], {
                 stdio: "inherit",
             });
-            setIsBuilding(false);
-            setBuildComplete(true);
-            setBuildStep("");
+            setIsProcessing(false);
+            setProcessComplete(true);
+            setProcessStep("");
         }
         catch (error) {
-            setIsBuilding(false);
-            setBuildError(error instanceof Error ? error.message : "Build failed");
+            setIsProcessing(false);
+            setProcessError(error instanceof Error ? error.message : "Operation failed");
         }
     }
     // Render error state
-    if (buildError) {
+    if (processError) {
         return (react__WEBPACK_IMPORTED_MODULE_0___default().createElement(ink__WEBPACK_IMPORTED_MODULE_1__/* .Box */ .az, { flexDirection: "column" },
             react__WEBPACK_IMPORTED_MODULE_0___default().createElement(Logo, null),
             react__WEBPACK_IMPORTED_MODULE_0___default().createElement(ink__WEBPACK_IMPORTED_MODULE_1__/* .Box */ .az, { marginTop: 1 },
                 react__WEBPACK_IMPORTED_MODULE_0___default().createElement(ink__WEBPACK_IMPORTED_MODULE_1__/* .Text */ .EY, { color: "red" },
-                    "\u274C Build failed: ",
-                    buildError)),
+                    "\u274C Operation failed: ",
+                    processError)),
             react__WEBPACK_IMPORTED_MODULE_0___default().createElement(ink__WEBPACK_IMPORTED_MODULE_1__/* .Box */ .az, { marginTop: 1 },
                 react__WEBPACK_IMPORTED_MODULE_0___default().createElement(ink__WEBPACK_IMPORTED_MODULE_1__/* .Text */ .EY, { dimColor: true }, "Press any key to exit..."))));
     }
     // Render success state
-    if (buildComplete) {
+    if (processComplete) {
         return (react__WEBPACK_IMPORTED_MODULE_0___default().createElement(ink__WEBPACK_IMPORTED_MODULE_1__/* .Box */ .az, { flexDirection: "column" },
             react__WEBPACK_IMPORTED_MODULE_0___default().createElement(Logo, null),
             react__WEBPACK_IMPORTED_MODULE_0___default().createElement(ink__WEBPACK_IMPORTED_MODULE_1__/* .Box */ .az, { marginTop: 1 },
-                react__WEBPACK_IMPORTED_MODULE_0___default().createElement(ink__WEBPACK_IMPORTED_MODULE_1__/* .Text */ .EY, { color: "green" }, "\u2705 Docker image built successfully!")),
+                react__WEBPACK_IMPORTED_MODULE_0___default().createElement(ink__WEBPACK_IMPORTED_MODULE_1__/* .Text */ .EY, { color: "green" }, "\u2705 Docker image ready!")),
             react__WEBPACK_IMPORTED_MODULE_0___default().createElement(ink__WEBPACK_IMPORTED_MODULE_1__/* .Box */ .az, { marginTop: 1 },
                 react__WEBPACK_IMPORTED_MODULE_0___default().createElement(ink__WEBPACK_IMPORTED_MODULE_1__/* .Text */ .EY, { dimColor: true },
                     "Image: ",
                     _config_js__WEBPACK_IMPORTED_MODULE_5__/* .DOCKER_CONFIG */ .e6.imageName)),
+            react__WEBPACK_IMPORTED_MODULE_0___default().createElement(ink__WEBPACK_IMPORTED_MODULE_1__/* .Box */ .az, { marginTop: 1 },
+                react__WEBPACK_IMPORTED_MODULE_0___default().createElement(ink__WEBPACK_IMPORTED_MODULE_1__/* .Text */ .EY, { dimColor: true }, "Run: npx @m14i/sith shell")),
             react__WEBPACK_IMPORTED_MODULE_0___default().createElement(ink__WEBPACK_IMPORTED_MODULE_1__/* .Box */ .az, { marginTop: 1 },
                 react__WEBPACK_IMPORTED_MODULE_0___default().createElement(ink__WEBPACK_IMPORTED_MODULE_1__/* .Text */ .EY, { dimColor: true }, "Press any key to exit..."))));
     }
-    // Render building state
-    if (isBuilding) {
+    // Render processing state
+    if (isProcessing) {
         return (react__WEBPACK_IMPORTED_MODULE_0___default().createElement(ink__WEBPACK_IMPORTED_MODULE_1__/* .Box */ .az, { flexDirection: "column" },
             react__WEBPACK_IMPORTED_MODULE_0___default().createElement(Logo, null),
-            react__WEBPACK_IMPORTED_MODULE_0___default().createElement(BuildingSpinner, { step: buildStep }),
+            react__WEBPACK_IMPORTED_MODULE_0___default().createElement(BuildingSpinner, { step: processStep }),
             react__WEBPACK_IMPORTED_MODULE_0___default().createElement(ink__WEBPACK_IMPORTED_MODULE_1__/* .Box */ .az, { marginTop: 1 },
                 react__WEBPACK_IMPORTED_MODULE_0___default().createElement(ink__WEBPACK_IMPORTED_MODULE_1__/* .Text */ .EY, { dimColor: true },
                     "Root: ",
@@ -35608,10 +35634,14 @@ async function dockerCommand(options) {
         await buildDocker();
         return;
     }
+    if (options.pull) {
+        await pullDocker();
+        return;
+    }
     // Check if stdin supports raw mode (interactive terminal)
     if (!process.stdin.isTTY) {
         console.error("Error: Interactive mode requires a TTY terminal");
-        console.error("Use --build flag for non-interactive mode");
+        console.error("Use --build or --pull flag for non-interactive mode");
         process.exit(1);
     }
     // Render the interactive menu
@@ -35620,8 +35650,37 @@ async function dockerCommand(options) {
 async function runShellDirect() {
     await runShell();
 }
+async function pullDocker() {
+    console.log("📦 Pulling prebuilt Docker image...");
+    console.log();
+    try {
+        console.log(`Source: ${_config_js__WEBPACK_IMPORTED_MODULE_5__/* .DOCKER_CONFIG */ .e6.prebuiltImage}`);
+        console.log(`Target: ${_config_js__WEBPACK_IMPORTED_MODULE_5__/* .DOCKER_CONFIG */ .e6.imageName}`);
+        console.log();
+        await (0,execa__WEBPACK_IMPORTED_MODULE_6__/* .execa */ .Ho)("docker", ["pull", _config_js__WEBPACK_IMPORTED_MODULE_5__/* .DOCKER_CONFIG */ .e6.prebuiltImage], {
+            stdio: "inherit",
+        });
+        console.log();
+        console.log("🏷️  Tagging image for local use...");
+        await (0,execa__WEBPACK_IMPORTED_MODULE_6__/* .execa */ .Ho)("docker", ["tag", _config_js__WEBPACK_IMPORTED_MODULE_5__/* .DOCKER_CONFIG */ .e6.prebuiltImage, _config_js__WEBPACK_IMPORTED_MODULE_5__/* .DOCKER_CONFIG */ .e6.imageName], {
+            stdio: "inherit",
+        });
+        console.log();
+        console.log("✅ Docker image ready!");
+        console.log(`Image: ${_config_js__WEBPACK_IMPORTED_MODULE_5__/* .DOCKER_CONFIG */ .e6.imageName}`);
+        console.log();
+        console.log("Run: npx @m14i/sith shell");
+    }
+    catch (error) {
+        console.error("❌ Pull failed");
+        if (error instanceof Error) {
+            console.error(error.message);
+        }
+        process.exit(1);
+    }
+}
 async function buildDocker() {
-    console.log("🔨 Building Docker image...");
+    console.log("🔨 Building Docker image from scratch...");
     console.log();
     try {
         const dockerfilePath = path__WEBPACK_IMPORTED_MODULE_3___default().join(rootDir, _config_js__WEBPACK_IMPORTED_MODULE_5__/* .DOCKER_CONFIG */ .e6.folderName, _config_js__WEBPACK_IMPORTED_MODULE_5__/* .DOCKER_CONFIG */ .e6.dockerfileName);
@@ -35637,6 +35696,8 @@ async function buildDocker() {
         console.log();
         console.log("✅ Docker image built successfully!");
         console.log(`Image: ${_config_js__WEBPACK_IMPORTED_MODULE_5__/* .DOCKER_CONFIG */ .e6.imageName}`);
+        console.log();
+        console.log("Run: npx @m14i/sith shell");
     }
     catch (error) {
         console.error("❌ Build failed");
@@ -35694,6 +35755,7 @@ __webpack_async_result__();
 // Docker configuration
 const DOCKER_CONFIG = {
     imageName: "opencode-ci:latest",
+    prebuiltImage: "ghcr.io/merzoukemanouri/sith:latest",
     folderName: "docker",
     dockerfileName: "Dockerfile",
     workspaceMount: "/workspace",
@@ -35736,7 +35798,8 @@ function createProgram() {
         .name(PROGRAM_NAME)
         .description(PROGRAM_DESCRIPTION)
         .version(PROGRAM_VERSION)
-        .option('--build', 'Build the Docker image');
+        .option('--pull', 'Pull prebuilt Docker image (recommended)')
+        .option('--build', 'Build the Docker image from scratch');
     // Default action - show interactive menu
     program
         .action(async (options) => {
@@ -35746,7 +35809,8 @@ function createProgram() {
     program
         .command('docker')
         .description('Manage Docker environment')
-        .option('--build', 'Build the Docker image')
+        .option('--pull', 'Pull prebuilt Docker image (recommended)')
+        .option('--build', 'Build the Docker image from scratch')
         .action(async (options) => {
         await (0,_commands_docker_js__WEBPACK_IMPORTED_MODULE_1__/* .dockerCommand */ .Q)(options);
     });

package/dist/types.d.ts

@@ -8,4 +8,5 @@ export interface BuildingSpinnerProps {
 }
 export interface DockerCommandOptions {
     build?: boolean;
+    pull?: boolean;
 }

package/dist/types.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"","sourceRoot":"","sources":["file:///home/runner/work/sith/sith/src/types.ts"],"names":[],"mappings":"AAAA,MAAM,WAAW,QAAQ;IACvB,KAAK,EAAE,MAAM,CAAC;IACd,KAAK,EAAE,MAAM,CAAC;IACd,IAAI,EAAE,MAAM,CAAC;CACd;AAED,MAAM,WAAW,oBAAoB;IACnC,IAAI,EAAE,MAAM,CAAC;CACd;AAED,MAAM,WAAW,oBAAoB;IACnC,KAAK,CAAC,EAAE,OAAO,CAAC;CACjB"}
+{"version":3,"file":"","sourceRoot":"","sources":["file:///home/runner/work/sith/sith/src/types.ts"],"names":[],"mappings":"AAAA,MAAM,WAAW,QAAQ;IACvB,KAAK,EAAE,MAAM,CAAC;IACd,KAAK,EAAE,MAAM,CAAC;IACd,IAAI,EAAE,MAAM,CAAC;CACd;AAED,MAAM,WAAW,oBAAoB;IACnC,IAAI,EAAE,MAAM,CAAC;CACd;AAED,MAAM,WAAW,oBAAoB;IACnC,KAAK,CAAC,EAAE,OAAO,CAAC;IAChB,IAAI,CAAC,EAAE,OAAO,CAAC;CAChB"}

package/docker/Dockerfile

@@ -1,19 +1,16 @@
 # OpenCode Docker - Nix-based Image with Token Optimization Skills
-# Version 2.2.0 - Ajout RTK + Caveman ultra pour réduction massive de tokens
-# 
+# Version 2.3.0 - Multi-stage build with non-root user and improved security
+#
 # Build: docker build -t opencode-ci:latest .
 # Run:   docker run -v $(pwd):/workspace -e GITHUB_TOKEN=$GITHUB_TOKEN opencode-ci:latest analyze
 
-# Utilise l'image officielle Nix avec version pinnée pour reproductibilité
-FROM nixos/nix:2.19.2
-
-# Metadata
-LABEL maintainer="OpenCode Automation"
-LABEL description="OpenCode CI/CD avec Nix, GitHub Copilot et skills d'optimisation de tokens (RTK + Caveman ultra)"
-LABEL version="2.2.0"
-LABEL org.opencontainers.image.source="https://github.com/your-repo/opencode-docker"
+# ============================================================================
+# Stage 1: Builder - Setup environment and install dependencies
+# ============================================================================
+FROM nixos/nix:2.19.2 AS builder
 
 # Configuration Nix pour permettre les builds
+# Note: sandbox=false required for Docker-in-Docker compatibility
 RUN echo "sandbox = false" >> /etc/nix/nix.conf && \
     echo "filter-syscalls = false" >> /etc/nix/nix.conf
 
@@ -38,12 +35,47 @@ RUN nix-shell /opt/sith/nix/shell.nix --run " \
     /root/.opencode/bin/opencode --version \
     "
 
+# ============================================================================
+# Stage 2: Runtime - Minimal runtime image with non-root user
+# ============================================================================
+FROM nixos/nix:2.19.2
+
+# Metadata
+LABEL maintainer="OpenCode Automation"
+LABEL description="OpenCode CI/CD avec Nix, GitHub Copilot et skills d'optimisation de tokens (RTK + Caveman ultra)"
+LABEL version="2.3.0"
+LABEL org.opencontainers.image.source="https://github.com/MerzoukeMansouri/sith"
+
+# Configuration Nix pour permettre les builds
+# Note: sandbox=false required for Docker-in-Docker compatibility
+RUN echo "sandbox = false" >> /etc/nix/nix.conf && \
+    echo "filter-syscalls = false" >> /etc/nix/nix.conf
+
+# Copier les fichiers de configuration des skills depuis builder
+COPY --from=builder /opt/sith/ /opt/sith/
+
+# Copier les binaires et configuration Nix depuis builder
+COPY --from=builder /nix/store /nix/store
+COPY --from=builder /root/.opencode /root/.opencode
+COPY --from=builder /root/.npmrc /root/.npmrc
+
+# Créer un utilisateur non-root pour l'exécution
+RUN adduser -D -u 1000 -s /bin/sh sith && \
+    mkdir -p /home/sith/.opencode /home/sith/.npm-global /workspace && \
+    cp -r /root/.opencode/* /home/sith/.opencode/ 2>/dev/null || true && \
+    chown -R sith:sith /home/sith /workspace /opt/sith
+
+# Copier la configuration npm pour l'utilisateur sith
+RUN echo "registry=https://registry.npmjs.org/" > /home/sith/.npmrc && \
+    chown sith:sith /home/sith/.npmrc
+
 # Configuration de l'environnement
 ENV OPENCODE_MODEL=github-copilot/claude-sonnet-4.5
 ENV OPENCODE_LOG_LEVEL=INFO
 ENV NODE_ENV=production
-ENV PATH="/root/.local/bin:/root/.npm-global/bin:${PATH}"
-ENV NPM_CONFIG_PREFIX=/root/.npm-global
+ENV PATH="/home/sith/.opencode/bin:/home/sith/.local/bin:/home/sith/.npm-global/bin:${PATH}"
+ENV NPM_CONFIG_PREFIX=/home/sith/.npm-global
+ENV HOME=/home/sith
 
 # === Token Optimization Skills Configuration ===
 # RTK (Rust Token Killer) - Désactivé par défaut (binaire non disponible publiquement)
@@ -56,9 +88,13 @@ ENV CAVEMAN_AUTO=true
 
 # Réduction totale estimée: 85-95% de tokens par session CI/CD
 
-# Healthcheck pour vérifier que l'environnement et skills sont prêts
+# Basculer vers l'utilisateur non-root
+USER sith
+
+# Healthcheck pour vérifier que l'environnement est prêt
+# Note: RTK check is conditional on RTK_ENABLED to avoid false failures
 HEALTHCHECK --interval=30s --timeout=10s --start-period=5s --retries=3 \
-    CMD nix-shell /opt/sith/nix/shell.nix --run "opencode --version && command -v rtk" || exit 1
+    CMD nix-shell /opt/sith/nix/shell.nix --run "opencode --version && ([ \"\$RTK_ENABLED\" = \"false\" ] || command -v rtk)" || exit 1
 
 # Répertoire de travail pour les projets
 WORKDIR /workspace

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@m14i/sith",
-  "version": "1.6.0",
+  "version": "1.7.0",
   "description": "Turn your context to the dark side. Standardize and share your OpenCode setup with a fully dockerized environment, designed for seamless collaboration and CI integration.",
   "type": "module",
   "repository": {