@opencode-cloud/core 1.0.7 → 1.0.10

package/src/docker/Dockerfile

@@ -16,6 +16,19 @@
 #
 # =============================================================================
 
+# -----------------------------------------------------------------------------
+# Version Pinning Policy
+# -----------------------------------------------------------------------------
+# - APT packages: Use major.minor.* wildcards for patch updates
+# - GitHub tools: Pin to release tags (vX.Y.Z)
+# - Cargo/Go: Pin to exact versions (@X.Y.Z)
+# - Security exceptions marked with: # UNPINNED: package - reason
+# - Self-managing installers (mise, rustup, etc.) trusted to handle versions
+#
+# To check for updates: just check-updates
+# Last version audit: 2026-01-22
+# -----------------------------------------------------------------------------
+
 # -----------------------------------------------------------------------------
 # Stage 1: Builder
 # -----------------------------------------------------------------------------
@@ -26,12 +39,13 @@ FROM ubuntu:24.04 AS builder
 ENV DEBIAN_FRONTEND=noninteractive
 ENV TZ=UTC
 
-# Install build essentials
+# Install build essentials (2026-01-22)
 RUN apt-get update && apt-get install -y --no-install-recommends \
-    build-essential \
+    build-essential=12.* \
+    # UNPINNED: ca-certificates - security-critical root certs, needs auto-updates
     ca-certificates \
-    curl \
-    git \
+    curl=8.5.* \
+    git=1:2.43.* \
     && rm -rf /var/lib/apt/lists/*
 
 # -----------------------------------------------------------------------------
@@ -39,6 +53,10 @@ RUN apt-get update && apt-get install -y --no-install-recommends \
 # -----------------------------------------------------------------------------
 FROM ubuntu:24.04 AS runtime
 
+# Version passed at build time (must be after FROM to be available in this stage)
+# Default "dev" for local builds; CI sets actual version via --build-arg
+ARG OPENCODE_CLOUD_VERSION=dev
+
 # OCI Labels for image metadata
 LABEL org.opencontainers.image.title="opencode-cloud"
 LABEL org.opencontainers.image.description="AI-assisted development environment with opencode"
@@ -47,6 +65,8 @@ LABEL org.opencontainers.image.source="https://github.com/pRizz/opencode-cloud"
 LABEL org.opencontainers.image.vendor="pRizz"
 LABEL org.opencontainers.image.licenses="MIT"
 LABEL org.opencontainers.image.base.name="ubuntu:24.04"
+# Version label for CLI compatibility checks (set via --build-arg OPENCODE_CLOUD_VERSION)
+LABEL org.opencode-cloud.version="${OPENCODE_CLOUD_VERSION}"
 
 # Environment configuration
 ENV DEBIAN_FRONTEND=noninteractive
@@ -59,70 +79,85 @@ ENV LC_ALL=C.UTF-8
 # -----------------------------------------------------------------------------
 # Install core system packages in logical groups for better caching
 
-# Group 1: Core utilities and build tools
+# Group 1: Core utilities and build tools (2026-01-22)
 RUN apt-get update && apt-get install -y --no-install-recommends \
-    # Signal handling
-    tini \
-    dumb-init \
+    # Init systems
+    tini=0.19.* \
+    dumb-init=1.2.* \
+    # systemd for Cockpit support
+    systemd=255.* \
+    systemd-sysv=255.* \
+    dbus=1.14.* \
     # Shell and terminal
-    zsh \
-    tmux \
+    zsh=5.9-* \
+    tmux=3.4-* \
     # Editors
-    vim \
-    neovim \
-    nano \
+    vim=2:9.1.* \
+    neovim=0.9.* \
+    nano=7.2-* \
     # Build essentials
-    build-essential \
-    pkg-config \
-    cmake \
+    build-essential=12.* \
+    pkg-config=1.8.* \
+    cmake=3.28.* \
     # Version control
-    git \
-    git-lfs \
+    git=1:2.43.* \
+    git-lfs=3.4.* \
     # Core utilities
-    curl \
-    wget \
+    curl=8.5.* \
+    wget=1.21.* \
+    # UNPINNED: ca-certificates - security-critical root certs, needs auto-updates
     ca-certificates \
+    # UNPINNED: gnupg - key management security, needs auto-updates
     gnupg \
-    lsb-release \
-    software-properties-common \
-    sudo \
+    lsb-release=12.* \
+    software-properties-common=0.99.* \
+    sudo=1.9.* \
+    # UNPINNED: openssh-client - security-critical, needs auto-updates
     openssh-client \
     # Process/system tools
-    htop \
-    procps \
-    less \
-    file \
-    tree \
+    htop=3.3.* \
+    procps=2:4.0.* \
+    less=590-* \
+    file=1:5.45-* \
+    tree=2.1.* \
     # JSON/YAML processing
-    jq \
+    jq=1.7.* \
     # Network tools
-    netcat-openbsd \
-    iputils-ping \
-    dnsutils \
+    netcat-openbsd=1.226-* \
+    iputils-ping=3:20240117-* \
+    dnsutils=1:9.18.* \
     # Compression
-    zip \
-    unzip \
-    xz-utils \
-    p7zip-full \
+    zip=3.0-* \
+    unzip=6.0-* \
+    xz-utils=5.6.* \
+    p7zip-full=16.02* \
     && rm -rf /var/lib/apt/lists/*
 
-# Group 2: Database clients
+# Mask unnecessary systemd services for container environment
+RUN systemctl mask \
+    dev-hugepages.mount \
+    sys-fs-fuse-connections.mount \
+    systemd-update-utmp.service \
+    systemd-tmpfiles-setup.service \
+    systemd-remount-fs.service
+
+# Group 2: Database clients (2026-01-22)
 RUN apt-get update && apt-get install -y --no-install-recommends \
-    sqlite3 \
-    postgresql-client \
-    default-mysql-client \
+    sqlite3=3.45.* \
+    postgresql-client=16+* \
+    default-mysql-client=1.1.* \
     && rm -rf /var/lib/apt/lists/*
 
-# Group 3: Development libraries (for compiling tools)
+# Group 3: Development libraries for compiling tools (2026-01-22)
 RUN apt-get update && apt-get install -y --no-install-recommends \
-    libssl-dev \
-    libffi-dev \
-    zlib1g-dev \
-    libbz2-dev \
-    libreadline-dev \
-    libsqlite3-dev \
-    libncurses-dev \
-    liblzma-dev \
+    libssl-dev=3.0.* \
+    libffi-dev=3.4.* \
+    zlib1g-dev=1:1.3.* \
+    libbz2-dev=1.0.* \
+    libreadline-dev=8.2-* \
+    libsqlite3-dev=3.45.* \
+    libncurses-dev=6.4+* \
+    liblzma-dev=5.6.* \
     && rm -rf /var/lib/apt/lists/*
 
 # -----------------------------------------------------------------------------
@@ -151,10 +186,10 @@ ENV PATH="/home/opencode/.local/bin:${PATH}"
 # -----------------------------------------------------------------------------
 # Shell Setup: Zsh + Oh My Zsh + Starship
 # -----------------------------------------------------------------------------
-# Install Oh My Zsh
+# Oh My Zsh - self-managing installer, trusted to handle versions
 RUN sh -c "$(curl -fsSL https://raw.githubusercontent.com/ohmyzsh/ohmyzsh/master/tools/install.sh)" "" --unattended
 
-# Install Starship prompt
+# Starship prompt - self-managing installer, trusted to handle versions
 RUN curl -sS https://starship.rs/install.sh | sh -s -- --yes --bin-dir /home/opencode/.local/bin
 
 # Configure zsh with starship
@@ -164,18 +199,20 @@ RUN echo 'eval "$(starship init zsh)"' >> /home/opencode/.zshrc \
 # -----------------------------------------------------------------------------
 # mise: Universal Version Manager
 # -----------------------------------------------------------------------------
-# Install mise for managing Node.js, Python, Rust, Go
+# mise - self-managing installer, trusted to handle versions
 RUN curl https://mise.run | sh \
     && echo 'eval "$(/home/opencode/.local/bin/mise activate zsh)"' >> /home/opencode/.zshrc
 
-# Install language runtimes via mise
-# Using specific LTS/stable versions for reproducibility
+# Install language runtimes via mise (2026-01-22)
+# - node@lts: mise handles LTS resolution (currently 22.x)
+# - python@3.12: pinned to minor version
+# - go@1.24: pinned to minor version (was @latest)
 RUN /home/opencode/.local/bin/mise install node@lts \
     && /home/opencode/.local/bin/mise install python@3.12 \
-    && /home/opencode/.local/bin/mise install go@latest \
+    && /home/opencode/.local/bin/mise install go@1.24 \
     && /home/opencode/.local/bin/mise use --global node@lts \
     && /home/opencode/.local/bin/mise use --global python@3.12 \
-    && /home/opencode/.local/bin/mise use --global go@latest
+    && /home/opencode/.local/bin/mise use --global go@1.24
 
 # Set up mise shims in PATH for non-interactive shells
 ENV PATH="/home/opencode/.local/share/mise/shims:${PATH}"
@@ -183,7 +220,8 @@ ENV PATH="/home/opencode/.local/share/mise/shims:${PATH}"
 # -----------------------------------------------------------------------------
 # Rust Installation
 # -----------------------------------------------------------------------------
-# Install Rust via rustup (mise rust support is experimental)
+# rustup - self-managing installer, trusted to handle versions
+# Uses stable toolchain (rustup manages toolchain versioning)
 RUN curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- -y --default-toolchain stable \
     && . /home/opencode/.cargo/env \
     && rustup component add rust-analyzer rustfmt clippy
@@ -196,17 +234,17 @@ ENV PATH="/home/opencode/.cargo/bin:${PATH}"
 # Switch to bash for mise activation (mise outputs bash-specific syntax)
 SHELL ["/bin/bash", "-c"]
 
-# Install pnpm (corepack is included with Node.js)
+# Install pnpm 10.x via corepack (2026-01-22)
 RUN eval "$(/home/opencode/.local/bin/mise activate bash)" \
     && corepack enable \
-    && corepack prepare pnpm@latest --activate
+    && corepack prepare pnpm@10.28.1 --activate
 
 # Set up pnpm global bin directory
 ENV PNPM_HOME="/home/opencode/.local/share/pnpm"
 ENV PATH="${PNPM_HOME}:${PATH}"
 RUN mkdir -p "${PNPM_HOME}"
 
-# Install uv (fast Python package manager)
+# uv - self-managing installer, trusted to handle versions (fast Python package manager)
 RUN curl -LsSf https://astral.sh/uv/install.sh | sh
 
 # Install pipx for isolated Python application installs
@@ -219,32 +257,31 @@ RUN eval "$(/home/opencode/.local/bin/mise activate bash)" \
     && pnpm add -g typescript
 
 # -----------------------------------------------------------------------------
-# Modern CLI Tools (Rust-based)
+# Modern CLI Tools (Rust-based) - pinned versions (2026-01-22)
 # -----------------------------------------------------------------------------
-# Install via cargo for latest versions
+# ripgrep 15.1.0 - fast regex search
+# eza 0.23.4 - modern ls replacement
 RUN . /home/opencode/.cargo/env \
-    && cargo install --locked \
-    ripgrep \
-    eza
+    && cargo install --locked ripgrep@15.1.0 eza@0.23.4
 
-# Install lazygit (Go-based)
+# lazygit v0.58.1 (2026-01-12) - terminal UI for git
 RUN eval "$(/home/opencode/.local/bin/mise activate bash)" \
-    && go install github.com/jesseduffield/lazygit@latest
+    && go install github.com/jesseduffield/lazygit@v0.58.1
 
 # -----------------------------------------------------------------------------
 # Additional Development Tools
 # -----------------------------------------------------------------------------
-# Install fzf
-RUN git clone --depth 1 https://github.com/junegunn/fzf.git /home/opencode/.fzf \
+# fzf v0.67.0 (2025-11-16) - fuzzy finder
+RUN git clone --branch v0.67.0 --depth 1 https://github.com/junegunn/fzf.git /home/opencode/.fzf \
     && /home/opencode/.fzf/install --all --no-bash --no-fish
 
-# Install yq (YAML processor)
-RUN curl -sL https://github.com/mikefarah/yq/releases/latest/download/yq_linux_$(dpkg --print-architecture) -o /home/opencode/.local/bin/yq \
+# yq v4.50.1 (2025-12-14) - YAML processor
+RUN curl -sL https://github.com/mikefarah/yq/releases/download/v4.50.1/yq_linux_$(dpkg --print-architecture) -o /home/opencode/.local/bin/yq \
     && chmod +x /home/opencode/.local/bin/yq
 
-# Install direnv
+# Install direnv (2026-01-22)
 USER root
-RUN apt-get update && apt-get install -y --no-install-recommends direnv \
+RUN apt-get update && apt-get install -y --no-install-recommends direnv=2.32.* \
     && rm -rf /var/lib/apt/lists/*
 USER opencode
 RUN echo 'eval "$(direnv hook zsh)"' >> /home/opencode/.zshrc
@@ -253,17 +290,18 @@ RUN echo 'eval "$(direnv hook zsh)"' >> /home/opencode/.zshrc
 RUN eval "$(/home/opencode/.local/bin/mise activate bash)" \
     && pipx install httpie
 
-# Install shellcheck and shfmt
+# Install shellcheck (2026-01-22)
 USER root
-RUN apt-get update && apt-get install -y --no-install-recommends shellcheck \
+RUN apt-get update && apt-get install -y --no-install-recommends shellcheck=0.9.* \
     && rm -rf /var/lib/apt/lists/*
 USER opencode
+# shfmt v3.12.0 (2025-07-06) - shell formatter
 RUN eval "$(/home/opencode/.local/bin/mise activate bash)" \
-    && go install mvdan.cc/sh/v3/cmd/shfmt@latest
+    && go install mvdan.cc/sh/v3/cmd/shfmt@v3.12.0
 
-# Install btop (system monitor)
+# Install btop system monitor (2026-01-22)
 USER root
-RUN apt-get update && apt-get install -y --no-install-recommends btop \
+RUN apt-get update && apt-get install -y --no-install-recommends btop=1.3.* \
     && rm -rf /var/lib/apt/lists/*
 USER opencode
 
@@ -278,24 +316,58 @@ RUN curl -fsSL https://cli.github.com/packages/githubcli-archive-keyring.gpg | d
     && rm -rf /var/lib/apt/lists/*
 USER opencode
 
+# -----------------------------------------------------------------------------
+# Cockpit Web Console (2026-01-22)
+# -----------------------------------------------------------------------------
+# Cockpit provides web-based administration for the container
+# Ubuntu noble has cockpit 316 in main repos
+USER root
+RUN apt-get update && \
+    apt-get install -y --no-install-recommends \
+    cockpit-ws \
+    cockpit-system \
+    cockpit-bridge \
+    && rm -rf /var/lib/apt/lists/*
+
+# Enable Cockpit socket activation (manual symlink since systemctl doesn't work during build)
+RUN mkdir -p /etc/systemd/system/sockets.target.wants \
+    && ln -sf /lib/systemd/system/cockpit.socket /etc/systemd/system/sockets.target.wants/cockpit.socket
+
+# Configure Cockpit for HTTP (TLS terminated externally) and proxy headers
+RUN mkdir -p /etc/cockpit && \
+    printf '%s\n' \
+    '[WebService]' \
+    '# Allow HTTP connections (TLS terminated externally like opencode)' \
+    'AllowUnencrypted = true' \
+    '' \
+    '# Trust proxy headers for X-Forwarded-For, X-Forwarded-Proto' \
+    'ProtocolHeader = X-Forwarded-Proto' \
+    'ForwardedForHeader = X-Forwarded-For' \
+    '' \
+    '# Limit concurrent login attempts' \
+    'MaxStartups = 10' \
+    > /etc/cockpit/cockpit.conf
+
+USER opencode
+
 # -----------------------------------------------------------------------------
 # CI/CD Tools
 # -----------------------------------------------------------------------------
-# Install act (run GitHub Actions locally)
-RUN curl -sL https://raw.githubusercontent.com/nektos/act/master/install.sh | sudo bash -s -- -b /home/opencode/.local/bin
+# act v0.2.84 (2026-01-01) - run GitHub Actions locally
+RUN curl -sL https://raw.githubusercontent.com/nektos/act/master/install.sh | sudo bash -s -- -b /home/opencode/.local/bin v0.2.84
 
 # -----------------------------------------------------------------------------
-# Rust Tooling
+# Rust Tooling - pinned versions (2026-01-22)
 # -----------------------------------------------------------------------------
+# cargo-nextest 0.9.122 - fast test runner
+# cargo-audit 0.22.0 - security audit
+# cargo-deny 0.19.0 - dependency linter
 RUN . /home/opencode/.cargo/env \
-    && cargo install --locked \
-    cargo-nextest \
-    cargo-audit \
-    cargo-deny
+    && cargo install --locked cargo-nextest@0.9.122 cargo-audit@0.22.0 cargo-deny@0.19.0
 
-# Install mold (fast linker) via apt for easier setup
+# Install mold fast linker (2026-01-22)
 USER root
-RUN apt-get update && apt-get install -y --no-install-recommends mold \
+RUN apt-get update && apt-get install -y --no-install-recommends mold=2.30.* \
     && rm -rf /var/lib/apt/lists/*
 USER opencode
 
@@ -323,21 +395,21 @@ RUN eval "$(/home/opencode/.local/bin/mise activate bash)" \
     && pipx install pytest
 
 # -----------------------------------------------------------------------------
-# Protocol Buffers / gRPC
+# Protocol Buffers / gRPC (2026-01-22)
 # -----------------------------------------------------------------------------
 USER root
-RUN apt-get update && apt-get install -y --no-install-recommends protobuf-compiler \
+RUN apt-get update && apt-get install -y --no-install-recommends protobuf-compiler=3.21.* \
     && rm -rf /var/lib/apt/lists/*
 USER opencode
 
-# Install grpcurl
+# grpcurl v1.9.3 (2025-03-11) - gRPC debugging tool
 RUN eval "$(/home/opencode/.local/bin/mise activate bash)" \
-    && go install github.com/fullstorydev/grpcurl/cmd/grpcurl@latest
+    && go install github.com/fullstorydev/grpcurl/cmd/grpcurl@v1.9.3
 
 # -----------------------------------------------------------------------------
 # opencode Installation
 # -----------------------------------------------------------------------------
-# Install opencode using official install script
+# opencode - self-managing installer, trusted to handle versions
 # The script installs to ~/.opencode/bin/
 RUN curl -fsSL https://opencode.ai/install | bash \
     && ls -la /home/opencode/.opencode/bin/opencode \
@@ -352,6 +424,35 @@ ENV PATH="/home/opencode/.opencode/bin:${PATH}"
 # Install the GSD (Get Shit Done) plugin for opencode
 RUN git clone https://github.com/rokicool/gsd-opencode.git /home/opencode/.config/opencode/plugins/gsd-opencode
 
+# -----------------------------------------------------------------------------
+# opencode systemd Service (2026-01-22)
+# -----------------------------------------------------------------------------
+# Create opencode as a systemd service for Cockpit integration
+USER root
+RUN printf '%s\n' \
+    '[Unit]' \
+    'Description=opencode Web Interface' \
+    'After=network.target' \
+    '' \
+    '[Service]' \
+    'Type=simple' \
+    'User=opencode' \
+    'WorkingDirectory=/home/opencode/workspace' \
+    'ExecStart=/home/opencode/.opencode/bin/opencode web --port 3000 --hostname 0.0.0.0' \
+    'Restart=always' \
+    'RestartSec=5' \
+    'Environment=PATH=/home/opencode/.opencode/bin:/home/opencode/.local/bin:/home/opencode/.cargo/bin:/home/opencode/.local/share/mise/shims:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin' \
+    '' \
+    '[Install]' \
+    'WantedBy=multi-user.target' \
+    > /etc/systemd/system/opencode.service
+
+# Enable opencode service to start at boot (manual symlink since systemctl doesn't work during build)
+RUN mkdir -p /etc/systemd/system/multi-user.target.wants \
+    && ln -sf /etc/systemd/system/opencode.service /etc/systemd/system/multi-user.target.wants/opencode.service
+
+USER opencode
+
 # -----------------------------------------------------------------------------
 # Sensible Defaults Configuration
 # -----------------------------------------------------------------------------
@@ -364,81 +465,105 @@ RUN git config --global init.defaultBranch main \
 
 # Starship configuration (minimal, fast prompt)
 RUN mkdir -p /home/opencode/.config \
-    && cat > /home/opencode/.config/starship.toml << 'STARSHIP'
-# Minimal starship config for fast prompt
-format = """
-$directory\
-$git_branch\
-$git_status\
-$character"""
-
-[directory]
-truncation_length = 3
-truncate_to_repo = true
-
-[git_branch]
-format = "[$branch]($style) "
-style = "bold purple"
-
-[git_status]
-format = '([$all_status$ahead_behind]($style) )'
-
-[character]
-success_symbol = "[>](bold green)"
-error_symbol = "[>](bold red)"
-STARSHIP
+    && printf '%s\n' \
+    '# Minimal starship config for fast prompt' \
+    'format = """' \
+    '$directory\' \
+    '$git_branch\' \
+    '$git_status\' \
+    '$character"""' \
+    '' \
+    '[directory]' \
+    'truncation_length = 3' \
+    'truncate_to_repo = true' \
+    '' \
+    '[git_branch]' \
+    'format = "[$branch]($style) "' \
+    'style = "bold purple"' \
+    '' \
+    '[git_status]' \
+    'format = '"'"'([$all_status$ahead_behind]($style) )'"'"'' \
+    '' \
+    '[character]' \
+    'success_symbol = "[>](bold green)"' \
+    'error_symbol = "[>](bold red)"' \
+    > /home/opencode/.config/starship.toml
 
 # Shell aliases
-RUN cat >> /home/opencode/.zshrc << 'ALIASES'
-
-# Modern CLI aliases
-alias ls="eza --icons"
-alias ll="eza -l --icons"
-alias la="eza -la --icons"
-alias lt="eza --tree --icons"
-alias grep="rg"
-alias top="btop"
-
-# Git aliases
-alias g="git"
-alias gs="git status"
-alias gd="git diff"
-alias gc="git commit"
-alias gp="git push"
-alias gl="git pull"
-alias gco="git checkout"
-alias gb="git branch"
-alias lg="lazygit"
-
-# Docker aliases (for Docker-in-Docker)
-alias d="docker"
-alias dc="docker compose"
-
-ALIASES
+RUN printf '%s\n' \
+    '' \
+    '# Modern CLI aliases' \
+    'alias ls="eza --icons"' \
+    'alias ll="eza -l --icons"' \
+    'alias la="eza -la --icons"' \
+    'alias lt="eza --tree --icons"' \
+    'alias grep="rg"' \
+    'alias top="btop"' \
+    '' \
+    '# Git aliases' \
+    'alias g="git"' \
+    'alias gs="git status"' \
+    'alias gd="git diff"' \
+    'alias gc="git commit"' \
+    'alias gp="git push"' \
+    'alias gl="git pull"' \
+    'alias gco="git checkout"' \
+    'alias gb="git branch"' \
+    'alias lg="lazygit"' \
+    '' \
+    '# Docker aliases (for Docker-in-Docker)' \
+    'alias d="docker"' \
+    'alias dc="docker compose"' \
+    '' \
+    >> /home/opencode/.zshrc
 
 # Set up pipx path
 RUN echo 'export PATH="/home/opencode/.local/bin:$PATH"' >> /home/opencode/.zshrc
 
+# -----------------------------------------------------------------------------
+# Entrypoint Script (Hybrid Init Support)
+# -----------------------------------------------------------------------------
+# Supports both tini (default, works everywhere) and systemd (for Cockpit on Linux)
+# Set USE_SYSTEMD=1 environment variable to use systemd init
+# Note: Entrypoint runs as root to support both modes; tini mode drops to opencode user
+USER root
+RUN printf '%s\n' \
+    '#!/bin/bash' \
+    'if [ "${USE_SYSTEMD}" = "1" ]; then' \
+    '    exec /sbin/init' \
+    'else' \
+    '    # Use runuser to switch to opencode user without password prompt' \
+    '    exec /usr/bin/tini -- runuser -u opencode -- /home/opencode/.opencode/bin/opencode web --port 3000 --hostname 0.0.0.0' \
+    'fi' \
+    > /usr/local/bin/entrypoint.sh && chmod +x /usr/local/bin/entrypoint.sh
+
+# Note: Don't set USER here - entrypoint needs root to use runuser
+# The tini mode drops privileges to opencode user via runuser
+
 # -----------------------------------------------------------------------------
 # Health Check
 # -----------------------------------------------------------------------------
-# Port 3000 must match OPENCODE_WEB_PORT in container.rs
-HEALTHCHECK --interval=30s --timeout=10s --start-period=5s --retries=3 \
+# Check that opencode health endpoint responds
+# Works for both tini and systemd modes
+HEALTHCHECK --interval=30s --timeout=10s --start-period=30s --retries=3 \
     CMD curl -f http://localhost:3000/health || exit 1
 
+# -----------------------------------------------------------------------------
+# Version File
+# -----------------------------------------------------------------------------
+# Store version in file for runtime access (debugging, scripts)
+USER root
+ARG OPENCODE_CLOUD_VERSION=dev
+RUN echo "${OPENCODE_CLOUD_VERSION}" > /etc/opencode-cloud-version
+USER opencode
+
 # -----------------------------------------------------------------------------
 # Final Configuration
 # -----------------------------------------------------------------------------
 WORKDIR /home/opencode/workspace
 
-# Expose opencode web port (matches OPENCODE_WEB_PORT in container.rs)
-EXPOSE 3000
-
-# Use tini as init system for proper signal handling
-ENTRYPOINT ["/usr/bin/tini", "--"]
+# Expose opencode web port (3000) and Cockpit port (9090)
+EXPOSE 3000 9090
 
-# Default command: start opencode web interface
-# - Port 3000 must match OPENCODE_WEB_PORT in container.rs
-# - Using full path to ensure binary is found (opencode installs to ~/.opencode/bin/)
-# - --hostname 0.0.0.0 is required for Docker port mapping (default 127.0.0.1 only listens on loopback)
-CMD ["/home/opencode/.opencode/bin/opencode", "web", "--port", "3000", "--hostname", "0.0.0.0"]
+# Hybrid init: entrypoint script chooses tini or systemd based on USE_SYSTEMD env
+ENTRYPOINT ["/usr/local/bin/entrypoint.sh"]