@opencode-cloud/core 1.0.8 → 3.0.15

package/src/docker/Dockerfile

@@ -16,6 +16,19 @@
 #
 # =============================================================================
 
+# -----------------------------------------------------------------------------
+# Version Pinning Policy
+# -----------------------------------------------------------------------------
+# - APT packages: Use major.minor.* wildcards for patch updates
+# - GitHub tools: Pin to release tags (vX.Y.Z)
+# - Cargo/Go: Pin to exact versions (@X.Y.Z)
+# - Security exceptions marked with: # UNPINNED: package - reason
+# - Self-managing installers (mise, rustup, etc.) trusted to handle versions
+#
+# To check for updates: just check-updates
+# Last version audit: 2026-01-22
+# -----------------------------------------------------------------------------
+
 # -----------------------------------------------------------------------------
 # Stage 1: Builder
 # -----------------------------------------------------------------------------
@@ -26,12 +39,13 @@ FROM ubuntu:24.04 AS builder
 ENV DEBIAN_FRONTEND=noninteractive
 ENV TZ=UTC
 
-# Install build essentials
+# Install build essentials (2026-01-22)
 RUN apt-get update && apt-get install -y --no-install-recommends \
-    build-essential \
+    build-essential=12.* \
+    # UNPINNED: ca-certificates - security-critical root certs, needs auto-updates
     ca-certificates \
-    curl \
-    git \
+    curl=8.5.* \
+    git=1:2.43.* \
     && rm -rf /var/lib/apt/lists/*
 
 # -----------------------------------------------------------------------------
@@ -59,70 +73,85 @@ ENV LC_ALL=C.UTF-8
 # -----------------------------------------------------------------------------
 # Install core system packages in logical groups for better caching
 
-# Group 1: Core utilities and build tools
+# Group 1: Core utilities and build tools (2026-01-22)
 RUN apt-get update && apt-get install -y --no-install-recommends \
-    # Signal handling
-    tini \
-    dumb-init \
+    # Init systems
+    tini=0.19.* \
+    dumb-init=1.2.* \
+    # systemd for Cockpit support
+    systemd=255.* \
+    systemd-sysv=255.* \
+    dbus=1.14.* \
     # Shell and terminal
-    zsh \
-    tmux \
+    zsh=5.9-* \
+    tmux=3.4-* \
     # Editors
-    vim \
-    neovim \
-    nano \
+    vim=2:9.1.* \
+    neovim=0.9.* \
+    nano=7.2-* \
     # Build essentials
-    build-essential \
-    pkg-config \
-    cmake \
+    build-essential=12.* \
+    pkg-config=1.8.* \
+    cmake=3.28.* \
     # Version control
-    git \
-    git-lfs \
+    git=1:2.43.* \
+    git-lfs=3.4.* \
     # Core utilities
-    curl \
-    wget \
+    curl=8.5.* \
+    wget=1.21.* \
+    # UNPINNED: ca-certificates - security-critical root certs, needs auto-updates
     ca-certificates \
+    # UNPINNED: gnupg - key management security, needs auto-updates
     gnupg \
-    lsb-release \
-    software-properties-common \
-    sudo \
+    lsb-release=12.* \
+    software-properties-common=0.99.* \
+    sudo=1.9.* \
+    # UNPINNED: openssh-client - security-critical, needs auto-updates
     openssh-client \
     # Process/system tools
-    htop \
-    procps \
-    less \
-    file \
-    tree \
+    htop=3.3.* \
+    procps=2:4.0.* \
+    less=590-* \
+    file=1:5.45-* \
+    tree=2.1.* \
     # JSON/YAML processing
-    jq \
+    jq=1.7.* \
     # Network tools
-    netcat-openbsd \
-    iputils-ping \
-    dnsutils \
+    netcat-openbsd=1.226-* \
+    iputils-ping=3:20240117-* \
+    dnsutils=1:9.18.* \
     # Compression
-    zip \
-    unzip \
-    xz-utils \
-    p7zip-full \
+    zip=3.0-* \
+    unzip=6.0-* \
+    xz-utils=5.6.* \
+    p7zip-full=16.02* \
     && rm -rf /var/lib/apt/lists/*
 
-# Group 2: Database clients
+# Mask unnecessary systemd services for container environment
+RUN systemctl mask \
+    dev-hugepages.mount \
+    sys-fs-fuse-connections.mount \
+    systemd-update-utmp.service \
+    systemd-tmpfiles-setup.service \
+    systemd-remount-fs.service
+
+# Group 2: Database clients (2026-01-22)
 RUN apt-get update && apt-get install -y --no-install-recommends \
-    sqlite3 \
-    postgresql-client \
-    default-mysql-client \
+    sqlite3=3.45.* \
+    postgresql-client=16+* \
+    default-mysql-client=1.1.* \
     && rm -rf /var/lib/apt/lists/*
 
-# Group 3: Development libraries (for compiling tools)
+# Group 3: Development libraries for compiling tools (2026-01-22)
 RUN apt-get update && apt-get install -y --no-install-recommends \
-    libssl-dev \
-    libffi-dev \
-    zlib1g-dev \
-    libbz2-dev \
-    libreadline-dev \
-    libsqlite3-dev \
-    libncurses-dev \
-    liblzma-dev \
+    libssl-dev=3.0.* \
+    libffi-dev=3.4.* \
+    zlib1g-dev=1:1.3.* \
+    libbz2-dev=1.0.* \
+    libreadline-dev=8.2-* \
+    libsqlite3-dev=3.45.* \
+    libncurses-dev=6.4+* \
+    liblzma-dev=5.6.* \
     && rm -rf /var/lib/apt/lists/*
 
 # -----------------------------------------------------------------------------
@@ -151,31 +180,36 @@ ENV PATH="/home/opencode/.local/bin:${PATH}"
 # -----------------------------------------------------------------------------
 # Shell Setup: Zsh + Oh My Zsh + Starship
 # -----------------------------------------------------------------------------
-# Install Oh My Zsh
-RUN sh -c "$(curl -fsSL https://raw.githubusercontent.com/ohmyzsh/ohmyzsh/master/tools/install.sh)" "" --unattended
+# Oh My Zsh - self-managing installer, trusted to handle versions
+# Disabled temporarily to reduce Docker build time.
+# RUN sh -c "$(curl -fsSL https://raw.githubusercontent.com/ohmyzsh/ohmyzsh/master/tools/install.sh)" "" --unattended
 
-# Install Starship prompt
-RUN curl -sS https://starship.rs/install.sh | sh -s -- --yes --bin-dir /home/opencode/.local/bin
+# Starship prompt - self-managing installer, trusted to handle versions
+# Disabled temporarily to reduce Docker build time.
+# RUN curl -sS https://starship.rs/install.sh | sh -s -- --yes --bin-dir /home/opencode/.local/bin
 
 # Configure zsh with starship
-RUN echo 'eval "$(starship init zsh)"' >> /home/opencode/.zshrc \
-    && echo 'export PATH="/home/opencode/.local/bin:$PATH"' >> /home/opencode/.zshrc
+# Disabled temporarily to reduce Docker build time.
+# RUN echo 'eval "$(starship init zsh)"' >> /home/opencode/.zshrc \
+#     && echo 'export PATH="/home/opencode/.local/bin:$PATH"' >> /home/opencode/.zshrc
 
 # -----------------------------------------------------------------------------
 # mise: Universal Version Manager
 # -----------------------------------------------------------------------------
-# Install mise for managing Node.js, Python, Rust, Go
+# mise - self-managing installer, trusted to handle versions
 RUN curl https://mise.run | sh \
     && echo 'eval "$(/home/opencode/.local/bin/mise activate zsh)"' >> /home/opencode/.zshrc
 
-# Install language runtimes via mise
-# Using specific LTS/stable versions for reproducibility
+# Install language runtimes via mise (2026-01-22)
+# - node@lts: mise handles LTS resolution (currently 22.x)
+# - python@3.12: pinned to minor version
+# - go@1.24: pinned to minor version (was @latest)
 RUN /home/opencode/.local/bin/mise install node@lts \
     && /home/opencode/.local/bin/mise install python@3.12 \
-    && /home/opencode/.local/bin/mise install go@latest \
+    && /home/opencode/.local/bin/mise install go@1.24 \
     && /home/opencode/.local/bin/mise use --global node@lts \
     && /home/opencode/.local/bin/mise use --global python@3.12 \
-    && /home/opencode/.local/bin/mise use --global go@latest
+    && /home/opencode/.local/bin/mise use --global go@1.24
 
 # Set up mise shims in PATH for non-interactive shells
 ENV PATH="/home/opencode/.local/share/mise/shims:${PATH}"
@@ -183,7 +217,8 @@ ENV PATH="/home/opencode/.local/share/mise/shims:${PATH}"
 # -----------------------------------------------------------------------------
 # Rust Installation
 # -----------------------------------------------------------------------------
-# Install Rust via rustup (mise rust support is experimental)
+# rustup - self-managing installer, trusted to handle versions
+# Uses stable toolchain (rustup manages toolchain versioning)
 RUN curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- -y --default-toolchain stable \
     && . /home/opencode/.cargo/env \
     && rustup component add rust-analyzer rustfmt clippy
@@ -196,17 +231,17 @@ ENV PATH="/home/opencode/.cargo/bin:${PATH}"
 # Switch to bash for mise activation (mise outputs bash-specific syntax)
 SHELL ["/bin/bash", "-c"]
 
-# Install pnpm (corepack is included with Node.js)
+# Install pnpm 10.x via corepack (2026-01-22)
 RUN eval "$(/home/opencode/.local/bin/mise activate bash)" \
     && corepack enable \
-    && corepack prepare pnpm@latest --activate
+    && corepack prepare pnpm@10.28.1 --activate
 
 # Set up pnpm global bin directory
 ENV PNPM_HOME="/home/opencode/.local/share/pnpm"
 ENV PATH="${PNPM_HOME}:${PATH}"
 RUN mkdir -p "${PNPM_HOME}"
 
-# Install uv (fast Python package manager)
+# uv - self-managing installer, trusted to handle versions (fast Python package manager)
 RUN curl -LsSf https://astral.sh/uv/install.sh | sh
 
 # Install pipx for isolated Python application installs
@@ -219,51 +254,58 @@ RUN eval "$(/home/opencode/.local/bin/mise activate bash)" \
     && pnpm add -g typescript
 
 # -----------------------------------------------------------------------------
-# Modern CLI Tools (Rust-based)
+# Modern CLI Tools (Rust-based) - pinned versions (2026-01-22)
 # -----------------------------------------------------------------------------
-# Install via cargo for latest versions
+# ripgrep 15.1.0 - fast regex search
+# eza 0.23.4 - modern ls replacement
 RUN . /home/opencode/.cargo/env \
-    && cargo install --locked \
-    ripgrep \
-    eza
+    && cargo install --locked ripgrep@15.1.0 eza@0.23.4
 
-# Install lazygit (Go-based)
-RUN eval "$(/home/opencode/.local/bin/mise activate bash)" \
-    && go install github.com/jesseduffield/lazygit@latest
+# lazygit v0.58.1 (2026-01-12) - terminal UI for git
+# Disabled temporarily to reduce Docker build time.
+# RUN eval "$(/home/opencode/.local/bin/mise activate bash)" \
+#     && go install github.com/jesseduffield/lazygit@v0.58.1
 
 # -----------------------------------------------------------------------------
 # Additional Development Tools
 # -----------------------------------------------------------------------------
-# Install fzf
-RUN git clone --depth 1 https://github.com/junegunn/fzf.git /home/opencode/.fzf \
-    && /home/opencode/.fzf/install --all --no-bash --no-fish
+# fzf v0.67.0 (2025-11-16) - fuzzy finder
+# Disabled temporarily to reduce Docker build time.
+# RUN git clone --branch v0.67.0 --depth 1 https://github.com/junegunn/fzf.git /home/opencode/.fzf \
+#     && /home/opencode/.fzf/install --all --no-bash --no-fish
 
-# Install yq (YAML processor)
-RUN curl -sL https://github.com/mikefarah/yq/releases/latest/download/yq_linux_$(dpkg --print-architecture) -o /home/opencode/.local/bin/yq \
-    && chmod +x /home/opencode/.local/bin/yq
+# yq v4.50.1 (2025-12-14) - YAML processor
+# Disabled temporarily to reduce Docker build time.
+# RUN curl -sL https://github.com/mikefarah/yq/releases/download/v4.50.1/yq_linux_$(dpkg --print-architecture) -o /home/opencode/.local/bin/yq \
+#     && chmod +x /home/opencode/.local/bin/yq
 
-# Install direnv
-USER root
-RUN apt-get update && apt-get install -y --no-install-recommends direnv \
-    && rm -rf /var/lib/apt/lists/*
-USER opencode
-RUN echo 'eval "$(direnv hook zsh)"' >> /home/opencode/.zshrc
+# Install direnv (2026-01-22)
+# Disabled temporarily to reduce Docker build time.
+# USER root
+# RUN apt-get update && apt-get install -y --no-install-recommends direnv=2.32.* \
+#     && rm -rf /var/lib/apt/lists/*
+# USER opencode
+# RUN echo 'eval "$(direnv hook zsh)"' >> /home/opencode/.zshrc
 
 # Install HTTPie
-RUN eval "$(/home/opencode/.local/bin/mise activate bash)" \
-    && pipx install httpie
-
-# Install shellcheck and shfmt
+# Disabled temporarily to reduce Docker build time.
+# RUN eval "$(/home/opencode/.local/bin/mise activate bash)" \
+#     && pipx install httpie
+
+# Install shellcheck (2026-01-22)
+# Disabled temporarily to reduce Docker build time.
+# USER root
+# RUN apt-get update && apt-get install -y --no-install-recommends shellcheck=0.9.* \
+#     && rm -rf /var/lib/apt/lists/*
+# USER opencode
+# shfmt v3.12.0 (2025-07-06) - shell formatter
+# Disabled temporarily to reduce Docker build time.
+# RUN eval "$(/home/opencode/.local/bin/mise activate bash)" \
+#     && go install mvdan.cc/sh/v3/cmd/shfmt@v3.12.0
+
+# Install btop system monitor (2026-01-22)
 USER root
-RUN apt-get update && apt-get install -y --no-install-recommends shellcheck \
-    && rm -rf /var/lib/apt/lists/*
-USER opencode
-RUN eval "$(/home/opencode/.local/bin/mise activate bash)" \
-    && go install mvdan.cc/sh/v3/cmd/shfmt@latest
-
-# Install btop (system monitor)
-USER root
-RUN apt-get update && apt-get install -y --no-install-recommends btop \
+RUN apt-get update && apt-get install -y --no-install-recommends btop=1.3.* \
     && rm -rf /var/lib/apt/lists/*
 USER opencode
 
@@ -279,67 +321,111 @@ RUN curl -fsSL https://cli.github.com/packages/githubcli-archive-keyring.gpg | d
 USER opencode
 
 # -----------------------------------------------------------------------------
-# CI/CD Tools
-# -----------------------------------------------------------------------------
-# Install act (run GitHub Actions locally)
-RUN curl -sL https://raw.githubusercontent.com/nektos/act/master/install.sh | sudo bash -s -- -b /home/opencode/.local/bin
-
-# -----------------------------------------------------------------------------
-# Rust Tooling
+# Cockpit Web Console (2026-01-22)
 # -----------------------------------------------------------------------------
-RUN . /home/opencode/.cargo/env \
-    && cargo install --locked \
-    cargo-nextest \
-    cargo-audit \
-    cargo-deny
-
-# Install mold (fast linker) via apt for easier setup
+# Cockpit provides web-based administration for the container
+# Ubuntu noble has cockpit 316 in main repos
 USER root
-RUN apt-get update && apt-get install -y --no-install-recommends mold \
+RUN apt-get update && \
+    apt-get install -y --no-install-recommends \
+    cockpit-ws \
+    cockpit-system \
+    cockpit-bridge \
     && rm -rf /var/lib/apt/lists/*
-USER opencode
 
-# -----------------------------------------------------------------------------
-# Code Quality Tools
-# -----------------------------------------------------------------------------
-# JavaScript/TypeScript tools
-RUN eval "$(/home/opencode/.local/bin/mise activate bash)" \
-    && pnpm add -g \
-    prettier \
-    eslint \
-    @biomejs/biome
-
-# Python tools
-RUN eval "$(/home/opencode/.local/bin/mise activate bash)" \
-    && pipx install black \
-    && pipx install ruff
+# Enable Cockpit socket activation (manual symlink since systemctl doesn't work during build)
+RUN mkdir -p /etc/systemd/system/sockets.target.wants \
+    && ln -sf /lib/systemd/system/cockpit.socket /etc/systemd/system/sockets.target.wants/cockpit.socket
+
+# Configure Cockpit for HTTP (TLS terminated externally) and proxy headers
+RUN mkdir -p /etc/cockpit && \
+    printf '%s\n' \
+    '[WebService]' \
+    '# Allow HTTP connections (TLS terminated externally like opencode)' \
+    'AllowUnencrypted = true' \
+    '' \
+    '# Trust proxy headers for X-Forwarded-For, X-Forwarded-Proto' \
+    'ProtocolHeader = X-Forwarded-Proto' \
+    'ForwardedForHeader = X-Forwarded-For' \
+    '' \
+    '# Limit concurrent login attempts' \
+    'MaxStartups = 10' \
+    > /etc/cockpit/cockpit.conf
 
-# Test runners (commonly needed)
-RUN eval "$(/home/opencode/.local/bin/mise activate bash)" \
-    && pnpm add -g jest vitest
-
-# Python pytest via pipx
-RUN eval "$(/home/opencode/.local/bin/mise activate bash)" \
-    && pipx install pytest
+USER opencode
 
 # -----------------------------------------------------------------------------
-# Protocol Buffers / gRPC
+# CI/CD + tooling (disabled)
 # -----------------------------------------------------------------------------
-USER root
-RUN apt-get update && apt-get install -y --no-install-recommends protobuf-compiler \
-    && rm -rf /var/lib/apt/lists/*
-USER opencode
-
-# Install grpcurl
-RUN eval "$(/home/opencode/.local/bin/mise activate bash)" \
-    && go install github.com/fullstorydev/grpcurl/cmd/grpcurl@latest
+# NOTE: Commented out because this section adds significant time in GitHub Actions
+# builds. We will reconsider re-adding these tools later, potentially in a more
+# templated/configured Docker image optimized for build tooling.
+# -----------------------------------------------------------------------------
+# # CI/CD Tools
+# # -----------------------------------------------------------------------------
+# # act v0.2.84 (2026-01-01) - run GitHub Actions locally
+# RUN curl -sL https://raw.githubusercontent.com/nektos/act/master/install.sh | sudo bash -s -- -b /home/opencode/.local/bin v0.2.84
+#
+# # -----------------------------------------------------------------------------
+# # Rust Tooling - pinned versions (2026-01-22)
+# # -----------------------------------------------------------------------------
+# # cargo-nextest 0.9.122 - fast test runner
+# # cargo-audit 0.22.0 - security audit
+# # cargo-deny 0.19.0 - dependency linter
+# RUN . /home/opencode/.cargo/env \
+#     && cargo install --locked cargo-nextest@0.9.122 cargo-audit@0.22.0 cargo-deny@0.19.0
+#
+# # Install mold fast linker (2026-01-22)
+# USER root
+# RUN apt-get update && apt-get install -y --no-install-recommends mold=2.30.* \
+#     && rm -rf /var/lib/apt/lists/*
+# USER opencode
+#
+# # -----------------------------------------------------------------------------
+# # Code Quality Tools
+# # -----------------------------------------------------------------------------
+# # JavaScript/TypeScript tools
+# RUN eval "$(/home/opencode/.local/bin/mise activate bash)" \
+#     && pnpm add -g \
+#     prettier \
+#     eslint \
+#     @biomejs/biome
+#
+# # Python tools
+# RUN eval "$(/home/opencode/.local/bin/mise activate bash)" \
+#     && pipx install black \
+#     && pipx install ruff
+#
+# # Test runners (commonly needed)
+# RUN eval "$(/home/opencode/.local/bin/mise activate bash)" \
+#     && pnpm add -g jest vitest
+#
+# # Python pytest via pipx
+# RUN eval "$(/home/opencode/.local/bin/mise activate bash)" \
+#     && pipx install pytest
+#
+# # -----------------------------------------------------------------------------
+# # Protocol Buffers / gRPC (2026-01-22)
+# # -----------------------------------------------------------------------------
+# USER root
+# RUN apt-get update && apt-get install -y --no-install-recommends protobuf-compiler=3.21.* \
+#     && rm -rf /var/lib/apt/lists/*
+# USER opencode
+#
+# # grpcurl v1.9.3 (2025-03-11) - gRPC debugging tool
+# RUN eval "$(/home/opencode/.local/bin/mise activate bash)" \
+#     && go install github.com/fullstorydev/grpcurl/cmd/grpcurl@v1.9.3
 
 # -----------------------------------------------------------------------------
 # opencode Installation
 # -----------------------------------------------------------------------------
-# Install opencode using official install script
+# opencode - self-managing installer, trusted to handle versions
 # The script installs to ~/.opencode/bin/
-RUN curl -fsSL https://opencode.ai/install | bash \
+# Retry logic added because opencode.ai API can be flaky during parallel builds
+RUN for i in 1 2 3 4 5; do \
+        curl -fsSL https://opencode.ai/install | bash && break || \
+        echo "Attempt $i failed, retrying in 10s..." && sleep 10; \
+    done \
     && ls -la /home/opencode/.opencode/bin/opencode \
     && /home/opencode/.opencode/bin/opencode --version
 
@@ -350,7 +436,38 @@ ENV PATH="/home/opencode/.opencode/bin:${PATH}"
 # GSD Plugin Installation
 # -----------------------------------------------------------------------------
 # Install the GSD (Get Shit Done) plugin for opencode
-RUN git clone https://github.com/rokicool/gsd-opencode.git /home/opencode/.config/opencode/plugins/gsd-opencode
+# Note: If this fails in container builds due to "~" path resolution, retry with
+# OPENCODE_CONFIG_DIR=/home/opencode/.config/opencode set explicitly.
+RUN npx --yes get-shit-done-cc --opencode --global
+
+# -----------------------------------------------------------------------------
+# opencode systemd Service (2026-01-22)
+# -----------------------------------------------------------------------------
+# Create opencode as a systemd service for Cockpit integration
+USER root
+RUN printf '%s\n' \
+    '[Unit]' \
+    'Description=opencode Web Interface' \
+    'After=network.target' \
+    '' \
+    '[Service]' \
+    'Type=simple' \
+    'User=opencode' \
+    'WorkingDirectory=/home/opencode/workspace' \
+    'ExecStart=/home/opencode/.opencode/bin/opencode web --port 3000 --hostname 0.0.0.0' \
+    'Restart=always' \
+    'RestartSec=5' \
+    'Environment=PATH=/home/opencode/.opencode/bin:/home/opencode/.local/bin:/home/opencode/.cargo/bin:/home/opencode/.local/share/mise/shims:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin' \
+    '' \
+    '[Install]' \
+    'WantedBy=multi-user.target' \
+    > /etc/systemd/system/opencode.service
+
+# Enable opencode service to start at boot (manual symlink since systemctl doesn't work during build)
+RUN mkdir -p /etc/systemd/system/multi-user.target.wants \
+    && ln -sf /etc/systemd/system/opencode.service /etc/systemd/system/multi-user.target.wants/opencode.service
+
+USER opencode
 
 # -----------------------------------------------------------------------------
 # Sensible Defaults Configuration
@@ -364,81 +481,110 @@ RUN git config --global init.defaultBranch main \
 
 # Starship configuration (minimal, fast prompt)
 RUN mkdir -p /home/opencode/.config \
-    && cat > /home/opencode/.config/starship.toml << 'STARSHIP'
-# Minimal starship config for fast prompt
-format = """
-$directory\
-$git_branch\
-$git_status\
-$character"""
-
-[directory]
-truncation_length = 3
-truncate_to_repo = true
-
-[git_branch]
-format = "[$branch]($style) "
-style = "bold purple"
-
-[git_status]
-format = '([$all_status$ahead_behind]($style) )'
-
-[character]
-success_symbol = "[>](bold green)"
-error_symbol = "[>](bold red)"
-STARSHIP
+    && printf '%s\n' \
+    '# Minimal starship config for fast prompt' \
+    'format = """' \
+    '$directory\' \
+    '$git_branch\' \
+    '$git_status\' \
+    '$character"""' \
+    '' \
+    '[directory]' \
+    'truncation_length = 3' \
+    'truncate_to_repo = true' \
+    '' \
+    '[git_branch]' \
+    'format = "[$branch]($style) "' \
+    'style = "bold purple"' \
+    '' \
+    '[git_status]' \
+    'format = '"'"'([$all_status$ahead_behind]($style) )'"'"'' \
+    '' \
+    '[character]' \
+    'success_symbol = "[>](bold green)"' \
+    'error_symbol = "[>](bold red)"' \
+    > /home/opencode/.config/starship.toml
 
 # Shell aliases
-RUN cat >> /home/opencode/.zshrc << 'ALIASES'
-
-# Modern CLI aliases
-alias ls="eza --icons"
-alias ll="eza -l --icons"
-alias la="eza -la --icons"
-alias lt="eza --tree --icons"
-alias grep="rg"
-alias top="btop"
-
-# Git aliases
-alias g="git"
-alias gs="git status"
-alias gd="git diff"
-alias gc="git commit"
-alias gp="git push"
-alias gl="git pull"
-alias gco="git checkout"
-alias gb="git branch"
-alias lg="lazygit"
-
-# Docker aliases (for Docker-in-Docker)
-alias d="docker"
-alias dc="docker compose"
-
-ALIASES
+RUN printf '%s\n' \
+    '' \
+    '# Modern CLI aliases' \
+    'alias ls="eza --icons"' \
+    'alias ll="eza -l --icons"' \
+    'alias la="eza -la --icons"' \
+    'alias lt="eza --tree --icons"' \
+    'alias grep="rg"' \
+    'alias top="btop"' \
+    '' \
+    '# Git aliases' \
+    'alias g="git"' \
+    'alias gs="git status"' \
+    'alias gd="git diff"' \
+    'alias gc="git commit"' \
+    'alias gp="git push"' \
+    'alias gl="git pull"' \
+    'alias gco="git checkout"' \
+    'alias gb="git branch"' \
+    'alias lg="lazygit"' \
+    '' \
+    '# Docker aliases (for Docker-in-Docker)' \
+    'alias d="docker"' \
+    'alias dc="docker compose"' \
+    '' \
+    >> /home/opencode/.zshrc
 
 # Set up pipx path
 RUN echo 'export PATH="/home/opencode/.local/bin:$PATH"' >> /home/opencode/.zshrc
 
+# -----------------------------------------------------------------------------
+# Entrypoint Script (Hybrid Init Support)
+# -----------------------------------------------------------------------------
+# Supports both tini (default, works everywhere) and systemd (for Cockpit on Linux)
+# Set USE_SYSTEMD=1 environment variable to use systemd init
+# Note: Entrypoint runs as root to support both modes; tini mode drops to opencode user
+USER root
+RUN printf '%s\n' \
+    '#!/bin/bash' \
+    'if [ "${USE_SYSTEMD}" = "1" ]; then' \
+    '    exec /sbin/init' \
+    'else' \
+    '    # Use runuser to switch to opencode user without password prompt' \
+    '    exec /usr/bin/tini -- runuser -u opencode -- /home/opencode/.opencode/bin/opencode web --port 3000 --hostname 0.0.0.0' \
+    'fi' \
+    > /usr/local/bin/entrypoint.sh && chmod +x /usr/local/bin/entrypoint.sh
+
+# Note: Don't set USER here - entrypoint needs root to use runuser
+# The tini mode drops privileges to opencode user via runuser
+
 # -----------------------------------------------------------------------------
 # Health Check
 # -----------------------------------------------------------------------------
-# Port 3000 must match OPENCODE_WEB_PORT in container.rs
-HEALTHCHECK --interval=30s --timeout=10s --start-period=5s --retries=3 \
+# Check that opencode health endpoint responds
+# Works for both tini and systemd modes
+HEALTHCHECK --interval=30s --timeout=10s --start-period=30s --retries=3 \
     CMD curl -f http://localhost:3000/health || exit 1
 
+# -----------------------------------------------------------------------------
+# Version File
+# -----------------------------------------------------------------------------
+# Store version in file for runtime access (debugging, scripts)
+# Keep this near the end: changing the version invalidates the cache
+# and significantly slows down docker builds if placed earlier.
+USER root
+ARG OPENCODE_CLOUD_VERSION=dev
+LABEL org.opencode-cloud.version="${OPENCODE_CLOUD_VERSION}"
+RUN echo "${OPENCODE_CLOUD_VERSION}" > /etc/opencode-cloud-version
+# Note: Stay as root - entrypoint.sh needs root to run either:
+# - /sbin/init (systemd mode)
+# - runuser (tini mode, which then drops privileges to opencode user)
+
 # -----------------------------------------------------------------------------
 # Final Configuration
 # -----------------------------------------------------------------------------
 WORKDIR /home/opencode/workspace
 
-# Expose opencode web port (matches OPENCODE_WEB_PORT in container.rs)
-EXPOSE 3000
-
-# Use tini as init system for proper signal handling
-ENTRYPOINT ["/usr/bin/tini", "--"]
+# Expose opencode web port (3000) and Cockpit port (9090)
+EXPOSE 3000 9090
 
-# Default command: start opencode web interface
-# - Port 3000 must match OPENCODE_WEB_PORT in container.rs
-# - Using full path to ensure binary is found (opencode installs to ~/.opencode/bin/)
-# - --hostname 0.0.0.0 is required for Docker port mapping (default 127.0.0.1 only listens on loopback)
-CMD ["/home/opencode/.opencode/bin/opencode", "web", "--port", "3000", "--hostname", "0.0.0.0"]
+# Hybrid init: entrypoint script chooses tini or systemd based on USE_SYSTEMD env
+ENTRYPOINT ["/usr/local/bin/entrypoint.sh"]