@opencode-cloud/core 1.0.8 → 3.0.15

package/src/docker/README.dockerhub.md

@@ -0,0 +1,39 @@
+# opencode-cloud-sandbox
+
+Opinionated container image for AI-assisted coding with opencode.
+
+## What is included
+
+- Ubuntu 24.04 (noble)
+- Non-root user with passwordless sudo
+- mise-managed runtimes (Node.js LTS, Python 3.12, Go 1.24)
+- Rust toolchain via rustup
+- Core CLI utilities (ripgrep, eza, jq, git, etc.)
+- Cockpit web console for administration
+- opencode preinstalled with the GSD plugin
+
+## Tags
+
+- `latest`: Most recent published release
+- `X.Y.Z`: Versioned releases (recommended for pinning)
+
+## Usage
+
+Pull the image:
+
+```
+docker pull ghcr.io/prizz/opencode-cloud-sandbox:latest
+```
+
+Run the container:
+
+```
+docker run --rm -it -p 3000:3000 -p 9090:9090 ghcr.io/prizz/opencode-cloud-sandbox:latest
+```
+
+The opencode web UI is available at `http://localhost:3000`. Cockpit runs on `http://localhost:9090`.
+
+## Source
+
+- Repository: https://github.com/pRizz/opencode-cloud
+- Dockerfile: packages/core/src/docker/Dockerfile

package/src/docker/client.rs

@@ -4,12 +4,18 @@
 //! errors gracefully and provides clear error messages.
 
 use bollard::Docker;
+use std::time::Duration;
 
 use super::error::DockerError;
+use crate::host::{HostConfig, SshTunnel};
 
 /// Docker client wrapper with connection handling
 pub struct DockerClient {
     inner: Docker,
+    /// SSH tunnel for remote connections (kept alive for client lifetime)
+    _tunnel: Option<SshTunnel>,
+    /// Host name for remote connections (None = local)
+    host_name: Option<String>,
 }
 
 impl DockerClient {
@@ -21,7 +27,11 @@ impl DockerClient {
         let docker = Docker::connect_with_local_defaults()
             .map_err(|e| DockerError::Connection(e.to_string()))?;
 
-        Ok(Self { inner: docker })
+        Ok(Self {
+            inner: docker,
+            _tunnel: None,
+            host_name: None,
+        })
     }
 
     /// Create client with custom timeout (in seconds)
@@ -31,9 +41,109 @@ impl DockerClient {
     pub fn with_timeout(timeout_secs: u64) -> Result<Self, DockerError> {
         let docker = Docker::connect_with_local_defaults()
             .map_err(|e| DockerError::Connection(e.to_string()))?
-            .with_timeout(std::time::Duration::from_secs(timeout_secs));
+            .with_timeout(Duration::from_secs(timeout_secs));
 
-        Ok(Self { inner: docker })
+        Ok(Self {
+            inner: docker,
+            _tunnel: None,
+            host_name: None,
+        })
+    }
+
+    /// Create client connecting to remote Docker daemon via SSH tunnel
+    ///
+    /// Establishes an SSH tunnel to the remote host and connects Bollard
+    /// to the forwarded local port.
+    ///
+    /// # Arguments
+    /// * `host` - Remote host configuration
+    /// * `host_name` - Name of the host (for display purposes)
+    pub async fn connect_remote(host: &HostConfig, host_name: &str) -> Result<Self, DockerError> {
+        // Create SSH tunnel
+        let tunnel = SshTunnel::new(host, host_name)
+            .map_err(|e| DockerError::Connection(format!("SSH tunnel failed: {e}")))?;
+
+        // Wait for tunnel to be ready with exponential backoff
+        tunnel
+            .wait_ready()
+            .await
+            .map_err(|e| DockerError::Connection(format!("SSH tunnel not ready: {e}")))?;
+
+        // Connect Bollard to the tunnel's local port
+        let docker_url = tunnel.docker_url();
+        tracing::debug!("Connecting to remote Docker via {}", docker_url);
+
+        // Retry connection with backoff (tunnel may need a moment)
+        let max_attempts = 3;
+        let mut last_err = None;
+
+        for attempt in 0..max_attempts {
+            if attempt > 0 {
+                let delay = Duration::from_millis(100 * 2u64.pow(attempt));
+                tracing::debug!("Retry attempt {} after {:?}", attempt + 1, delay);
+                tokio::time::sleep(delay).await;
+            }
+
+            match Docker::connect_with_http(&docker_url, 120, bollard::API_DEFAULT_VERSION) {
+                Ok(docker) => {
+                    // Verify connection works
+                    match docker.ping().await {
+                        Ok(_) => {
+                            tracing::info!("Connected to Docker on {} via SSH tunnel", host_name);
+                            return Ok(Self {
+                                inner: docker,
+                                _tunnel: Some(tunnel),
+                                host_name: Some(host_name.to_string()),
+                            });
+                        }
+                        Err(e) => {
+                            tracing::debug!("Ping failed: {}", e);
+                            last_err = Some(e.to_string());
+                        }
+                    }
+                }
+                Err(e) => {
+                    tracing::debug!("Connection failed: {}", e);
+                    last_err = Some(e.to_string());
+                }
+            }
+        }
+
+        Err(DockerError::Connection(format!(
+            "Failed to connect to Docker on {}: {}",
+            host_name,
+            last_err.unwrap_or_else(|| "unknown error".to_string())
+        )))
+    }
+
+    /// Create remote client with custom timeout
+    pub async fn connect_remote_with_timeout(
+        host: &HostConfig,
+        host_name: &str,
+        timeout_secs: u64,
+    ) -> Result<Self, DockerError> {
+        let tunnel = SshTunnel::new(host, host_name)
+            .map_err(|e| DockerError::Connection(format!("SSH tunnel failed: {e}")))?;
+
+        tunnel
+            .wait_ready()
+            .await
+            .map_err(|e| DockerError::Connection(format!("SSH tunnel not ready: {e}")))?;
+
+        let docker_url = tunnel.docker_url();
+
+        let docker =
+            Docker::connect_with_http(&docker_url, timeout_secs, bollard::API_DEFAULT_VERSION)
+                .map_err(|e| DockerError::Connection(e.to_string()))?;
+
+        // Verify connection
+        docker.ping().await.map_err(DockerError::from)?;
+
+        Ok(Self {
+            inner: docker,
+            _tunnel: Some(tunnel),
+            host_name: Some(host_name.to_string()),
+        })
     }
 
     /// Verify connection to Docker daemon
@@ -57,6 +167,16 @@ impl DockerClient {
         Ok(version_str)
     }
 
+    /// Get the host name if this is a remote connection
+    pub fn host_name(&self) -> Option<&str> {
+        self.host_name.as_deref()
+    }
+
+    /// Check if this is a remote connection
+    pub fn is_remote(&self) -> bool {
+        self._tunnel.is_some()
+    }
+
     /// Access inner Bollard client for advanced operations
     pub fn inner(&self) -> &Docker {
         &self.inner
@@ -81,4 +201,13 @@ mod tests {
         let result = DockerClient::with_timeout(600);
         drop(result);
     }
+
+    #[test]
+    fn test_host_name_methods() {
+        // Local client has no host name
+        if let Ok(client) = DockerClient::new() {
+            assert!(client.host_name().is_none());
+            assert!(!client.is_remote());
+        }
+    }
 }

package/src/docker/container.rs

@@ -4,6 +4,7 @@
 //! Docker containers for the opencode-cloud service.
 
 use super::dockerfile::{IMAGE_NAME_GHCR, IMAGE_TAG_DEFAULT};
+use super::mount::ParsedMount;
 use super::volume::{
     MOUNT_CONFIG, MOUNT_PROJECTS, MOUNT_SESSION, VOLUME_CONFIG, VOLUME_PROJECTS, VOLUME_SESSION,
 };
@@ -12,7 +13,9 @@ use bollard::container::{
     Config, CreateContainerOptions, RemoveContainerOptions, StartContainerOptions,
     StopContainerOptions,
 };
-use bollard::service::{HostConfig, Mount, MountTypeEnum, PortBinding, PortMap};
+use bollard::service::{
+    HostConfig, Mount, MountPointTypeEnum, MountTypeEnum, PortBinding, PortMap,
+};
 use std::collections::HashMap;
 use tracing::debug;
 
@@ -33,28 +36,38 @@ pub const OPENCODE_WEB_PORT: u16 = 3000;
 /// * `image` - Image to use (defaults to IMAGE_NAME_GHCR:IMAGE_TAG_DEFAULT)
 /// * `opencode_web_port` - Port to bind on host for opencode web UI (defaults to OPENCODE_WEB_PORT)
 /// * `env_vars` - Additional environment variables (optional)
+/// * `bind_address` - IP address to bind on host (defaults to "127.0.0.1")
+/// * `cockpit_port` - Port to bind on host for Cockpit (defaults to 9090)
+/// * `cockpit_enabled` - Whether to enable Cockpit port mapping (defaults to true)
+/// * `bind_mounts` - User-defined bind mounts from config and CLI flags (optional)
+#[allow(clippy::too_many_arguments)]
 pub async fn create_container(
     client: &DockerClient,
     name: Option<&str>,
     image: Option<&str>,
     opencode_web_port: Option<u16>,
     env_vars: Option<Vec<String>>,
+    bind_address: Option<&str>,
+    cockpit_port: Option<u16>,
+    cockpit_enabled: Option<bool>,
+    bind_mounts: Option<Vec<ParsedMount>>,
 ) -> Result<String, DockerError> {
     let container_name = name.unwrap_or(CONTAINER_NAME);
     let default_image = format!("{IMAGE_NAME_GHCR}:{IMAGE_TAG_DEFAULT}");
     let image_name = image.unwrap_or(&default_image);
     let port = opencode_web_port.unwrap_or(OPENCODE_WEB_PORT);
+    let cockpit_port_val = cockpit_port.unwrap_or(9090);
+    let cockpit_enabled_val = cockpit_enabled.unwrap_or(true);
 
     debug!(
-        "Creating container {} from image {} with port {}",
-        container_name, image_name, port
+        "Creating container {} from image {} with port {} and cockpit_port {} (enabled: {})",
+        container_name, image_name, port, cockpit_port_val, cockpit_enabled_val
     );
 
     // Check if container already exists
     if container_exists(client, container_name).await? {
         return Err(DockerError::Container(format!(
-            "Container '{}' already exists. Remove it first with 'occ stop --remove' or use a different name.",
-            container_name
+            "Container '{container_name}' already exists. Remove it first with 'occ stop --remove' or use a different name."
         )));
     }
 
@@ -68,13 +81,12 @@ pub async fn create_container(
 
     if !super::image::image_exists(client, image_repo, image_tag).await? {
         return Err(DockerError::Container(format!(
-            "Image '{}' not found. Run 'occ pull' first to download the image.",
-            image_name
+            "Image '{image_name}' not found. Run 'occ pull' first to download the image."
         )));
     }
 
     // Create volume mounts
-    let mounts = vec![
+    let mut mounts = vec![
         Mount {
             target: Some(MOUNT_SESSION.to_string()),
             source: Some(VOLUME_SESSION.to_string()),
@@ -98,26 +110,92 @@ pub async fn create_container(
         },
     ];
 
-    // Create port bindings (localhost only for security)
+    // Add user-defined bind mounts from config/CLI
+    if let Some(ref user_mounts) = bind_mounts {
+        for parsed in user_mounts {
+            mounts.push(parsed.to_bollard_mount());
+        }
+    }
+
+    // Create port bindings (default to localhost for security)
+    let bind_addr = bind_address.unwrap_or("127.0.0.1");
     let mut port_bindings: PortMap = HashMap::new();
+
+    // opencode web port
     port_bindings.insert(
         "3000/tcp".to_string(),
         Some(vec![PortBinding {
-            host_ip: Some("127.0.0.1".to_string()),
+            host_ip: Some(bind_addr.to_string()),
             host_port: Some(port.to_string()),
         }]),
     );
 
+    // Cockpit port (if enabled)
+    // Container always listens on 9090, map to host's configured port
+    if cockpit_enabled_val {
+        port_bindings.insert(
+            "9090/tcp".to_string(),
+            Some(vec![PortBinding {
+                host_ip: Some(bind_addr.to_string()),
+                host_port: Some(cockpit_port_val.to_string()),
+            }]),
+        );
+    }
+
     // Create exposed ports map
     let mut exposed_ports = HashMap::new();
     exposed_ports.insert("3000/tcp".to_string(), HashMap::new());
+    if cockpit_enabled_val {
+        exposed_ports.insert("9090/tcp".to_string(), HashMap::new());
+    }
 
     // Create host config
-    let host_config = HostConfig {
-        mounts: Some(mounts),
-        port_bindings: Some(port_bindings),
-        auto_remove: Some(false),
-        ..Default::default()
+    // When Cockpit is enabled, add systemd-specific settings (requires Linux host)
+    // When Cockpit is disabled, use simpler tini-based config (works everywhere)
+    let host_config = if cockpit_enabled_val {
+        HostConfig {
+            mounts: Some(mounts),
+            port_bindings: Some(port_bindings),
+            auto_remove: Some(false),
+            // CAP_SYS_ADMIN required for systemd cgroup access
+            cap_add: Some(vec!["SYS_ADMIN".to_string()]),
+            // tmpfs for /run, /run/lock, and /tmp (required for systemd)
+            tmpfs: Some(HashMap::from([
+                ("/run".to_string(), "exec".to_string()),
+                ("/run/lock".to_string(), String::new()),
+                ("/tmp".to_string(), String::new()),
+            ])),
+            // cgroup mount (read-write for systemd)
+            binds: Some(vec!["/sys/fs/cgroup:/sys/fs/cgroup:rw".to_string()]),
+            // Use HOST cgroup namespace for systemd compatibility across Linux distros:
+            // - cgroups v2 (Amazon Linux 2023, Fedora 31+, Ubuntu 21.10+, Debian 11+): required
+            // - cgroups v1 (CentOS 7, Ubuntu 18.04, Debian 10): works fine
+            // - Docker Desktop (macOS/Windows VM): works fine
+            // Note: PRIVATE mode is more isolated but causes systemd to exit(255) on cgroups v2.
+            // Since we already use privileged mode, HOST namespace is acceptable.
+            cgroupns_mode: Some(bollard::models::HostConfigCgroupnsModeEnum::HOST),
+            // Privileged mode required for systemd to manage cgroups and system services
+            privileged: Some(true),
+            ..Default::default()
+        }
+    } else {
+        // Simple config for tini mode (works on macOS and Linux)
+        HostConfig {
+            mounts: Some(mounts),
+            port_bindings: Some(port_bindings),
+            auto_remove: Some(false),
+            ..Default::default()
+        }
+    };
+
+    // Build environment variables
+    // Add USE_SYSTEMD=1 when Cockpit is enabled to tell entrypoint to use systemd
+    let final_env = if cockpit_enabled_val {
+        let mut env = env_vars.unwrap_or_default();
+        env.push("USE_SYSTEMD=1".to_string());
+        Some(env)
+    } else {
+        env_vars
     };
 
     // Create container config
@@ -126,7 +204,7 @@ pub async fn create_container(
         hostname: Some(CONTAINER_NAME.to_string()),
         working_dir: Some("/workspace".to_string()),
         exposed_ports: Some(exposed_ports),
-        env: env_vars,
+        env: final_env,
         host_config: Some(host_config),
         ..Default::default()
     };
@@ -145,11 +223,10 @@ pub async fn create_container(
             let msg = e.to_string();
             if msg.contains("port is already allocated") || msg.contains("address already in use") {
                 DockerError::Container(format!(
-                    "Port {} is already in use. Stop the service using that port or use a different port with --port.",
-                    port
+                    "Port {port} is already in use. Stop the service using that port or use a different port with --port."
                 ))
             } else {
-                DockerError::Container(format!("Failed to create container: {}", e))
+                DockerError::Container(format!("Failed to create container: {e}"))
             }
         })?;
 
@@ -165,9 +242,7 @@ pub async fn start_container(client: &DockerClient, name: &str) -> Result<(), Do
         .inner()
         .start_container(name, None::<StartContainerOptions<String>>)
         .await
-        .map_err(|e| {
-            DockerError::Container(format!("Failed to start container {}: {}", name, e))
-        })?;
+        .map_err(|e| DockerError::Container(format!("Failed to start container {name}: {e}")))?;
 
     debug!("Container {} started", name);
     Ok(())
@@ -198,9 +273,9 @@ pub async fn stop_container(
             // "container already stopped" is not an error
             if msg.contains("is not running") || msg.contains("304") {
                 debug!("Container {} was already stopped", name);
-                return DockerError::Container(format!("Container '{}' is not running", name));
+                return DockerError::Container(format!("Container '{name}' is not running"));
             }
-            DockerError::Container(format!("Failed to stop container {}: {}", name, e))
+            DockerError::Container(format!("Failed to stop container {name}: {e}"))
         })?;
 
     debug!("Container {} stopped", name);
@@ -230,9 +305,7 @@ pub async fn remove_container(
         .inner()
         .remove_container(name, Some(options))
         .await
-        .map_err(|e| {
-            DockerError::Container(format!("Failed to remove container {}: {}", name, e))
-        })?;
+        .map_err(|e| DockerError::Container(format!("Failed to remove container {name}: {e}")))?;
 
     debug!("Container {} removed", name);
     Ok(())
@@ -248,8 +321,7 @@ pub async fn container_exists(client: &DockerClient, name: &str) -> Result<bool,
             status_code: 404, ..
         }) => Ok(false),
         Err(e) => Err(DockerError::Container(format!(
-            "Failed to inspect container {}: {}",
-            name, e
+            "Failed to inspect container {name}: {e}"
         ))),
     }
 }
@@ -267,8 +339,7 @@ pub async fn container_is_running(client: &DockerClient, name: &str) -> Result<b
             status_code: 404, ..
         }) => Ok(false),
         Err(e) => Err(DockerError::Container(format!(
-            "Failed to inspect container {}: {}",
-            name, e
+            "Failed to inspect container {name}: {e}"
         ))),
     }
 }
@@ -289,16 +360,113 @@ pub async fn container_state(client: &DockerClient, name: &str) -> Result<String
         Err(bollard::errors::Error::DockerResponseServerError {
             status_code: 404, ..
         }) => Err(DockerError::Container(format!(
-            "Container '{}' not found",
-            name
+            "Container '{name}' not found"
         ))),
         Err(e) => Err(DockerError::Container(format!(
-            "Failed to inspect container {}: {}",
-            name, e
+            "Failed to inspect container {name}: {e}"
         ))),
     }
 }
 
+/// Container port configuration
+#[derive(Debug, Clone)]
+pub struct ContainerPorts {
+    /// Host port for opencode web UI (mapped from container port 3000)
+    pub opencode_port: Option<u16>,
+    /// Host port for Cockpit (mapped from container port 9090)
+    pub cockpit_port: Option<u16>,
+}
+
+/// A bind mount from an existing container
+#[derive(Debug, Clone)]
+pub struct ContainerBindMount {
+    /// Source path on host
+    pub source: String,
+    /// Target path in container
+    pub target: String,
+    /// Read-only flag
+    pub read_only: bool,
+}
+
+/// Get the port bindings from an existing container
+///
+/// Returns the host ports that the container's internal ports are mapped to.
+/// Returns None for ports that aren't mapped.
+pub async fn get_container_ports(
+    client: &DockerClient,
+    name: &str,
+) -> Result<ContainerPorts, DockerError> {
+    debug!("Getting container ports: {}", name);
+
+    let info = client
+        .inner()
+        .inspect_container(name, None)
+        .await
+        .map_err(|e| DockerError::Container(format!("Failed to inspect container {name}: {e}")))?;
+
+    let port_bindings = info
+        .host_config
+        .and_then(|hc| hc.port_bindings)
+        .unwrap_or_default();
+
+    // Extract opencode port (3000/tcp -> host port)
+    let opencode_port = port_bindings
+        .get("3000/tcp")
+        .and_then(|bindings| bindings.as_ref())
+        .and_then(|bindings| bindings.first())
+        .and_then(|binding| binding.host_port.as_ref())
+        .and_then(|port_str| port_str.parse::<u16>().ok());
+
+    // Extract cockpit port (9090/tcp -> host port)
+    let cockpit_port = port_bindings
+        .get("9090/tcp")
+        .and_then(|bindings| bindings.as_ref())
+        .and_then(|bindings| bindings.first())
+        .and_then(|binding| binding.host_port.as_ref())
+        .and_then(|port_str| port_str.parse::<u16>().ok());
+
+    Ok(ContainerPorts {
+        opencode_port,
+        cockpit_port,
+    })
+}
+
+/// Get bind mounts from an existing container
+///
+/// Returns only user-defined bind mounts (excludes system mounts like cgroup).
+pub async fn get_container_bind_mounts(
+    client: &DockerClient,
+    name: &str,
+) -> Result<Vec<ContainerBindMount>, DockerError> {
+    debug!("Getting container bind mounts: {}", name);
+
+    let info = client
+        .inner()
+        .inspect_container(name, None)
+        .await
+        .map_err(|e| DockerError::Container(format!("Failed to inspect container {name}: {e}")))?;
+
+    let mounts = info.mounts.unwrap_or_default();
+
+    // Filter to only bind mounts, excluding system paths
+    let bind_mounts: Vec<ContainerBindMount> = mounts
+        .iter()
+        .filter(|m| m.typ == Some(MountPointTypeEnum::BIND))
+        .filter(|m| {
+            // Exclude system mounts (cgroup, etc.)
+            let target = m.destination.as_deref().unwrap_or("");
+            !target.starts_with("/sys/")
+        })
+        .map(|m| ContainerBindMount {
+            source: m.source.clone().unwrap_or_default(),
+            target: m.destination.clone().unwrap_or_default(),
+            read_only: m.rw.map(|rw| !rw).unwrap_or(false),
+        })
+        .collect();
+
+    Ok(bind_mounts)
+}
+
 #[cfg(test)]
 mod tests {
     use super::*;
@@ -312,6 +480,6 @@ mod tests {
     #[test]
     fn default_image_format() {
         let expected = format!("{IMAGE_NAME_GHCR}:{IMAGE_TAG_DEFAULT}");
-        assert_eq!(expected, "ghcr.io/prizz/opencode-cloud:latest");
+        assert_eq!(expected, "ghcr.io/prizz/opencode-cloud-sandbox:latest");
     }
 }

package/src/docker/dockerfile.rs

@@ -1,9 +1,13 @@
 //! Embedded Dockerfile content
 //!
-//! This module contains the Dockerfile for building the opencode-cloud container image,
-//! embedded at compile time for distribution with the CLI.
+//! This module contains the Dockerfile for building the opencode-cloud-sandbox
+//! container image, embedded at compile time for distribution with the CLI.
+//!
+//! Note: The image is named "opencode-cloud-sandbox" (not "opencode-cloud") to
+//! clearly indicate this is the sandboxed container environment that the
+//! opencode-cloud CLI deploys, not the CLI tool itself.
 
-/// The Dockerfile for building the opencode-cloud container image
+/// The Dockerfile for building the opencode-cloud-sandbox container image
 pub const DOCKERFILE: &str = include_str!("Dockerfile");
 
 // =============================================================================
@@ -15,27 +19,26 @@ pub const DOCKERFILE: &str = include_str!("Dockerfile");
 // - Registry: The server hosting the image (e.g., ghcr.io, gcr.io, docker.io)
 //   When omitted, Docker Hub (docker.io) is assumed.
 // - Namespace: Usually the username or organization (e.g., prizz)
-// - Image: The image name (e.g., opencode-cloud)
+// - Image: The image name (e.g., opencode-cloud-sandbox)
 // - Tag: Version identifier (e.g., latest, v1.0.0). Defaults to "latest" if omitted.
 //
 // Examples:
-//   ghcr.io/prizz/opencode-cloud:latest  - GitHub Container Registry
-//   prizz/opencode-cloud:latest          - Docker Hub (registry omitted)
-//   gcr.io/my-project/myapp:v1.0         - Google Container Registry
+//   ghcr.io/prizz/opencode-cloud-sandbox:latest  - GitHub Container Registry
+//   prizz/opencode-cloud-sandbox:latest          - Docker Hub (registry omitted)
+//   gcr.io/my-project/myapp:v1.0                 - Google Container Registry
 //
-// We use GHCR as the primary registry since it integrates well with GitHub
-// Actions for CI/CD publishing.
+// We publish to both GHCR (primary) and Docker Hub for maximum accessibility.
 // =============================================================================
 
 /// Docker image name for GitHub Container Registry (primary registry)
 ///
 /// Format: `ghcr.io/{github-username}/{image-name}`
-pub const IMAGE_NAME_GHCR: &str = "ghcr.io/prizz/opencode-cloud";
+pub const IMAGE_NAME_GHCR: &str = "ghcr.io/prizz/opencode-cloud-sandbox";
 
-/// Docker image name for Docker Hub (fallback registry)
+/// Docker image name for Docker Hub (secondary registry)
 ///
 /// Format: `{dockerhub-username}/{image-name}` (registry prefix omitted for Docker Hub)
-pub const IMAGE_NAME_DOCKERHUB: &str = "prizz/opencode-cloud";
+pub const IMAGE_NAME_DOCKERHUB: &str = "prizz/opencode-cloud-sandbox";
 
 /// Default image tag
 pub const IMAGE_TAG_DEFAULT: &str = "latest";