@opencode-cloud/core 13.0.1 → 14.0.0

package/Cargo.toml

@@ -1,6 +1,6 @@
 [package]
 name = "opencode-cloud-core"
-version = "13.0.1"
+version = "14.0.0"
 edition = "2024"
 rust-version = "1.89"
 license = "MIT"

package/README.md

@@ -191,6 +191,16 @@ occ logs
 # Follow logs in real-time
 occ logs -f
 
+# View opencode-broker logs (systemd/journald required)
+occ logs --broker
+
+# Dump opencode-broker logs (no follow)
+occ logs --broker --no-follow
+
+# Note: Broker logs require systemd/journald. This is enabled by default on supported Linux
+# hosts. Docker Desktop/macOS/Windows use Tini, so broker logs aren't available there.
+# Existing containers may need to be recreated after upgrading.
+
 # Stop the service
 occ stop
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@opencode-cloud/core",
-  "version": "13.0.1",
+  "version": "14.0.0",
   "description": "Core NAPI bindings for opencode-cloud (internal package)",
   "main": "index.js",
   "types": "index.d.ts",

package/src/config/schema.rs

@@ -100,13 +100,10 @@ pub struct Config {
     /// Enable Cockpit web console (default: false)
     ///
     /// When enabled:
-    /// - Container uses systemd as init (required for Cockpit)
     /// - Requires Linux host with native Docker (does NOT work on macOS Docker Desktop)
     /// - Cockpit web UI accessible at cockpit_port
     ///
     /// When disabled (default):
-    /// - Container uses tini as init (lightweight, works everywhere)
-    /// - Works on macOS, Linux, and Windows
     /// - No Cockpit web UI
     #[serde(default = "default_cockpit_enabled")]
     pub cockpit_enabled: bool,

package/src/docker/Dockerfile

@@ -35,7 +35,7 @@
 FROM ubuntu:25.10 AS base
 
 # OCI Labels for image metadata
-LABEL org.opencontainers.image.title="opencode-cloud"
+LABEL org.opencontainers.image.title="opencode-cloud-sandbox"
 # NOTE: This exact label format is parsed by scripts/extract-oci-description.py
 # (called from .github/workflows/docker-publish.yml) to populate multi-arch
 # manifest annotations for GHCR. If you change this line (format, quoting, or
@@ -535,7 +535,7 @@ USER opencode
 # commit on the main branch of https://github.com/pRizz/opencode.
 # Update it by running: ./scripts/update-opencode-commit.sh
 # Build opencode from source (BuildKit cache mounts disabled for now)
-RUN OPENCODE_COMMIT="ce0a5f0f2a8abfb9a00e335a41e7cfd3487dbb18" \
+RUN OPENCODE_COMMIT="3010d7e55e1f26a18684234ea12428d3f91db392" \
     && rm -rf /tmp/opencode-repo \
     && git clone --depth 1 https://github.com/pRizz/opencode.git /tmp/opencode-repo \
     && cd /tmp/opencode-repo \

package/src/docker/client.rs

@@ -4,11 +4,15 @@
 //! errors gracefully and provides clear error messages.
 
 use bollard::Docker;
+use std::path::PathBuf;
 use std::time::Duration;
 
 use super::error::DockerError;
 use crate::host::{HostConfig, SshTunnel};
 
+/// Default Unix socket path used when `DOCKER_HOST` does not specify a socket.
+const DEFAULT_UNIX_SOCKET: &str = "/var/run/docker.sock";
+
 /// Docker client wrapper with connection handling
 pub struct DockerClient {
     inner: Docker,
@@ -16,6 +20,22 @@ pub struct DockerClient {
     _tunnel: Option<SshTunnel>,
     /// Host name for remote connections (None = local)
     host_name: Option<String>,
+    /// Connection info for raw HTTP calls that bypass Bollard models.
+    endpoint: DockerEndpoint,
+}
+
+/// Docker API endpoint details for raw HTTP calls.
+///
+/// We keep this alongside the Bollard client because some Docker API responses
+/// (notably `/system/df` in API v1.52+) do not deserialize cleanly into the
+/// Bollard-generated models. The CLI uses this endpoint to fetch and parse
+/// those responses directly.
+#[derive(Clone, Debug)]
+pub enum DockerEndpoint {
+    /// Unix domain socket path (local Docker).
+    Unix(PathBuf),
+    /// HTTP base URL (remote Docker via SSH tunnel).
+    Http(String),
 }
 
 impl DockerClient {
@@ -24,6 +44,7 @@ impl DockerClient {
     /// Uses platform-appropriate socket (Unix socket on Linux/macOS).
     /// Returns a clear error if Docker is not running or accessible.
     pub fn new() -> Result<Self, DockerError> {
+        let endpoint = Self::resolve_local_endpoint();
         let docker = Docker::connect_with_local_defaults()
             .map_err(|e| DockerError::Connection(e.to_string()))?;
 
@@ -31,6 +52,7 @@ impl DockerClient {
             inner: docker,
             _tunnel: None,
             host_name: None,
+            endpoint,
         })
     }
 
@@ -39,6 +61,7 @@ impl DockerClient {
     /// Use for long-running operations like image builds.
     /// Default timeout is 120 seconds; build timeout should be 600+ seconds.
     pub fn with_timeout(timeout_secs: u64) -> Result<Self, DockerError> {
+        let endpoint = Self::resolve_local_endpoint();
         let docker = Docker::connect_with_local_defaults()
             .map_err(|e| DockerError::Connection(e.to_string()))?
             .with_timeout(Duration::from_secs(timeout_secs));
@@ -47,6 +70,7 @@ impl DockerClient {
             inner: docker,
             _tunnel: None,
             host_name: None,
+            endpoint,
         })
     }
 
@@ -62,6 +86,7 @@ impl DockerClient {
         // Create SSH tunnel
         let tunnel = SshTunnel::new(host, host_name)
             .map_err(|e| DockerError::Connection(format!("SSH tunnel failed: {e}")))?;
+        let endpoint = Self::endpoint_from_tunnel(&tunnel);
 
         // Wait for tunnel to be ready with exponential backoff
         tunnel
@@ -94,6 +119,7 @@ impl DockerClient {
                                 inner: docker,
                                 _tunnel: Some(tunnel),
                                 host_name: Some(host_name.to_string()),
+                                endpoint,
                             });
                         }
                         Err(e) => {
@@ -124,6 +150,7 @@ impl DockerClient {
     ) -> Result<Self, DockerError> {
         let tunnel = SshTunnel::new(host, host_name)
             .map_err(|e| DockerError::Connection(format!("SSH tunnel failed: {e}")))?;
+        let endpoint = Self::endpoint_from_tunnel(&tunnel);
 
         tunnel
             .wait_ready()
@@ -143,6 +170,7 @@ impl DockerClient {
             inner: docker,
             _tunnel: Some(tunnel),
             host_name: Some(host_name.to_string()),
+            endpoint,
         })
     }
 
@@ -177,10 +205,40 @@ impl DockerClient {
         self._tunnel.is_some()
     }
 
+    /// Return the endpoint details used for raw Docker API calls.
+    ///
+    /// This exists to support endpoints whose response schemas are newer than
+    /// the Bollard-generated models (e.g., `/system/df` in newer Docker APIs).
+    pub fn endpoint(&self) -> &DockerEndpoint {
+        &self.endpoint
+    }
+
     /// Access inner Bollard client for advanced operations
     pub fn inner(&self) -> &Docker {
         &self.inner
     }
+
+    /// Resolve the local Unix socket path used by the Docker client.
+    ///
+    /// Bollard's `connect_with_local_defaults` only honors `DOCKER_HOST` when it
+    /// starts with `unix://`. We mirror that logic so our raw HTTP calls use the
+    /// same socket, which is necessary because Bollard's `/system/df` models
+    /// don't match newer Docker API responses.
+    fn resolve_local_endpoint() -> DockerEndpoint {
+        let socket = std::env::var("DOCKER_HOST")
+            .ok()
+            .and_then(|host| host.strip_prefix("unix://").map(|path| path.to_string()))
+            .unwrap_or_else(|| DEFAULT_UNIX_SOCKET.to_string());
+        DockerEndpoint::Unix(PathBuf::from(socket))
+    }
+
+    /// Build an HTTP base URL for a Docker daemon reachable via SSH tunnel.
+    ///
+    /// We store this so the CLI can query `/system/df` directly when Bollard's
+    /// data-usage models are out of date.
+    fn endpoint_from_tunnel(tunnel: &SshTunnel) -> DockerEndpoint {
+        DockerEndpoint::Http(format!("http://127.0.0.1:{}", tunnel.local_port()))
+    }
 }
 
 #[cfg(test)]

package/src/docker/container.rs

@@ -45,6 +45,7 @@ fn has_env_key(env: &[String], key: &str) -> bool {
 /// * `bind_address` - IP address to bind on host (defaults to "127.0.0.1")
 /// * `cockpit_port` - Port to bind on host for Cockpit (defaults to 9090)
 /// * `cockpit_enabled` - Whether to enable Cockpit port mapping (defaults to false)
+/// * `systemd_enabled` - Whether to use systemd as init (defaults to false)
 /// * `bind_mounts` - User-defined bind mounts from config and CLI flags (optional)
 #[allow(clippy::too_many_arguments)]
 pub async fn create_container(
@@ -56,6 +57,7 @@ pub async fn create_container(
     bind_address: Option<&str>,
     cockpit_port: Option<u16>,
     cockpit_enabled: Option<bool>,
+    systemd_enabled: Option<bool>,
     bind_mounts: Option<Vec<ParsedMount>>,
 ) -> Result<String, DockerError> {
     let container_name = name.unwrap_or(CONTAINER_NAME);
@@ -64,10 +66,16 @@ pub async fn create_container(
     let port = opencode_web_port.unwrap_or(OPENCODE_WEB_PORT);
     let cockpit_port_val = cockpit_port.unwrap_or(9090);
     let cockpit_enabled_val = cockpit_enabled.unwrap_or(false);
+    let systemd_enabled_val = systemd_enabled.unwrap_or(false);
 
     debug!(
-        "Creating container {} from image {} with port {} and cockpit_port {} (enabled: {})",
-        container_name, image_name, port, cockpit_port_val, cockpit_enabled_val
+        "Creating container {} from image {} with port {} and cockpit_port {} (enabled: {}, systemd: {})",
+        container_name,
+        image_name,
+        port,
+        cockpit_port_val,
+        cockpit_enabled_val,
+        systemd_enabled_val
     );
 
     // Check if container already exists
@@ -162,9 +170,9 @@ pub async fn create_container(
     }
 
     // Create host config
-    // When Cockpit is enabled, add systemd-specific settings (requires Linux host)
-    // When Cockpit is disabled, use simpler tini-based config (works everywhere)
-    let host_config = if cockpit_enabled_val {
+    // When systemd is enabled, add systemd-specific settings (requires Linux host)
+    // When systemd is disabled, use simpler tini-based config (works everywhere)
+    let host_config = if systemd_enabled_val {
         HostConfig {
             mounts: Some(mounts),
             port_bindings: Some(port_bindings),
@@ -217,8 +225,8 @@ pub async fn create_container(
     if !has_env_key(&env, "XDG_CACHE_HOME") {
         env.push("XDG_CACHE_HOME=/home/opencode/.cache".to_string());
     }
-    // Add USE_SYSTEMD=1 when Cockpit is enabled to tell entrypoint to use systemd
-    if cockpit_enabled_val && !has_env_key(&env, "USE_SYSTEMD") {
+    // Add USE_SYSTEMD=1 when systemd is enabled to tell entrypoint to use systemd
+    if systemd_enabled_val && !has_env_key(&env, "USE_SYSTEMD") {
         env.push("USE_SYSTEMD=1".to_string());
     }
     let final_env = if env.is_empty() { None } else { Some(env) };

package/src/docker/image.rs

@@ -70,9 +70,9 @@ pub async fn image_exists(
     }
 }
 
-/// Remove all images whose tags or digests contain the provided name fragment
+/// Remove all images whose tags, digests, or labels match the provided name fragment
 ///
-/// Returns the number of image references removed.
+/// Returns the number of images removed.
 pub async fn remove_images_by_name(
     client: &DockerClient,
     name_fragment: &str,
@@ -82,8 +82,8 @@ pub async fn remove_images_by_name(
 
     let images = list_docker_images(client).await?;
 
-    let references = collect_image_references(&images, name_fragment);
-    remove_image_references(client, references, force).await
+    let image_ids = collect_image_ids(&images, name_fragment);
+    remove_image_ids(client, image_ids, force).await
 }
 
 /// List all local Docker images (including intermediate layers).
@@ -98,47 +98,87 @@ async fn list_docker_images(
         .map_err(|e| DockerError::Image(format!("Failed to list images: {e}")))
 }
 
-/// Collect tags and digests that contain the provided name fragment.
-fn collect_image_references(
+const LABEL_TITLE: &str = "org.opencontainers.image.title";
+const LABEL_SOURCE: &str = "org.opencontainers.image.source";
+const LABEL_URL: &str = "org.opencontainers.image.url";
+
+const LABEL_TITLE_VALUE: &str = "opencode-cloud-sandbox";
+const LABEL_SOURCE_VALUE: &str = "https://github.com/pRizz/opencode-cloud";
+const LABEL_URL_VALUE: &str = "https://github.com/pRizz/opencode-cloud";
+
+/// Collect image IDs that contain the provided name fragment or match opencode labels.
+fn collect_image_ids(
     images: &[bollard::models::ImageSummary],
     name_fragment: &str,
 ) -> HashSet<String> {
-    let mut references = HashSet::new();
+    let mut image_ids = HashSet::new();
     for image in images {
-        for tag in &image.repo_tags {
-            if tag != "<none>:<none>" && tag.contains(name_fragment) {
-                references.insert(tag.to_string());
-            }
-        }
-
-        for digest in &image.repo_digests {
-            if digest.contains(name_fragment) {
-                references.insert(digest.to_string());
-            }
+        if image_matches_fragment_or_labels(image, name_fragment) {
+            image_ids.insert(image.id.clone());
         }
     }
-    references
+    image_ids
+}
+
+fn image_matches_fragment_or_labels(
+    image: &bollard::models::ImageSummary,
+    name_fragment: &str,
+) -> bool {
+    let tag_match = image
+        .repo_tags
+        .iter()
+        .any(|tag| tag != "<none>:<none>" && tag.contains(name_fragment));
+    let digest_match = image
+        .repo_digests
+        .iter()
+        .any(|digest| digest.contains(name_fragment));
+    let label_match = image_labels_match(&image.labels);
+
+    tag_match || digest_match || label_match
 }
 
-/// Remove image references (tags/digests), returning the number removed.
-async fn remove_image_references(
+fn image_labels_match(labels: &HashMap<String, String>) -> bool {
+    labels
+        .get(LABEL_SOURCE)
+        .is_some_and(|value| value == LABEL_SOURCE_VALUE)
+        || labels
+            .get(LABEL_URL)
+            .is_some_and(|value| value == LABEL_URL_VALUE)
+        || labels
+            .get(LABEL_TITLE)
+            .is_some_and(|value| value == LABEL_TITLE_VALUE)
+}
+
+/// Remove image IDs, returning the number removed.
+async fn remove_image_ids(
     client: &DockerClient,
-    references: HashSet<String>,
+    image_ids: HashSet<String>,
     force: bool,
 ) -> Result<usize, DockerError> {
-    if references.is_empty() {
+    if image_ids.is_empty() {
         return Ok(0);
     }
 
     let remove_options = RemoveImageOptionsBuilder::new().force(force).build();
     let mut removed = 0usize;
-    for reference in references {
-        client
+    for image_id in image_ids {
+        let result = client
             .inner()
-            .remove_image(&reference, Some(remove_options.clone()), None)
-            .await
-            .map_err(|e| DockerError::Image(format!("Failed to remove image {reference}: {e}")))?;
-        removed += 1;
+            .remove_image(&image_id, Some(remove_options.clone()), None)
+            .await;
+        match result {
+            Ok(_) => removed += 1,
+            Err(bollard::errors::Error::DockerResponseServerError {
+                status_code: 404, ..
+            }) => {
+                debug!("Docker image already removed: {}", image_id);
+            }
+            Err(err) => {
+                return Err(DockerError::Image(format!(
+                    "Failed to remove image {image_id}: {err}"
+                )));
+            }
+        }
     }
 
     Ok(removed)
@@ -867,6 +907,32 @@ fn create_build_context() -> Result<Vec<u8>, std::io::Error> {
 #[cfg(test)]
 mod tests {
     use super::*;
+    use bollard::models::ImageSummary;
+    use std::collections::HashMap;
+
+    fn make_image_summary(
+        id: &str,
+        tags: Vec<&str>,
+        digests: Vec<&str>,
+        labels: HashMap<String, String>,
+    ) -> ImageSummary {
+        ImageSummary {
+            id: id.to_string(),
+            parent_id: String::new(),
+            repo_tags: tags.into_iter().map(|tag| tag.to_string()).collect(),
+            repo_digests: digests
+                .into_iter()
+                .map(|digest| digest.to_string())
+                .collect(),
+            created: 0,
+            size: 0,
+            shared_size: -1,
+            labels,
+            containers: 0,
+            manifests: None,
+            descriptor: None,
+        }
+    }
 
     #[test]
     fn create_build_context_succeeds() {
@@ -980,4 +1046,24 @@ mod tests {
         assert!(!is_error_line("Compiling foo v1.0"));
         assert!(!is_error_line("Successfully installed"));
     }
+
+    #[test]
+    fn collect_image_ids_matches_labels() {
+        let mut labels = HashMap::new();
+        labels.insert(LABEL_SOURCE.to_string(), LABEL_SOURCE_VALUE.to_string());
+
+        let images = vec![
+            make_image_summary("sha256:opencode", vec![], vec![], labels),
+            make_image_summary(
+                "sha256:other",
+                vec!["busybox:latest"],
+                vec![],
+                HashMap::new(),
+            ),
+        ];
+
+        let ids = collect_image_ids(&images, "opencode-cloud-sandbox");
+        assert!(ids.contains("sha256:opencode"));
+        assert!(!ids.contains("sha256:other"));
+    }
 }

package/src/docker/mod.rs

@@ -29,7 +29,7 @@ mod version;
 pub mod volume;
 
 // Core types
-pub use client::DockerClient;
+pub use client::{DockerClient, DockerEndpoint};
 pub use error::DockerError;
 pub use progress::ProgressReporter;
 
@@ -71,6 +71,39 @@ pub use volume::{
     VOLUME_USERS, ensure_volumes_exist, remove_all_volumes, remove_volume, volume_exists,
 };
 
+/// Determine whether the Docker host supports systemd-in-container.
+///
+/// Returns true only for Linux hosts that are not Docker Desktop and not rootless.
+pub async fn docker_supports_systemd(client: &DockerClient) -> Result<bool, DockerError> {
+    let info = client.inner().info().await.map_err(DockerError::from)?;
+
+    let os_type = info.os_type.unwrap_or_default();
+    if os_type.to_lowercase() != "linux" {
+        return Ok(false);
+    }
+
+    let operating_system = match info.operating_system {
+        Some(value) => value,
+        None => return Ok(false),
+    };
+    if operating_system.to_lowercase().contains("docker desktop") {
+        return Ok(false);
+    }
+
+    let security_options = match info.security_options {
+        Some(options) => options,
+        None => return Ok(false),
+    };
+    let is_rootless = security_options
+        .iter()
+        .any(|opt| opt.to_lowercase().contains("name=rootless"));
+    if is_rootless {
+        return Ok(false);
+    }
+
+    Ok(true)
+}
+
 // Bind mount parsing and validation
 pub use mount::{MountError, ParsedMount, check_container_path_warning, validate_mount_path};
 
@@ -95,8 +128,10 @@ pub use state::{ImageState, clear_state, get_state_path, load_state, save_state}
 /// * `env_vars` - Additional environment variables (optional)
 /// * `bind_address` - IP address to bind on host (defaults to "127.0.0.1")
 /// * `cockpit_port` - Port to bind on host for Cockpit (defaults to 9090)
-/// * `cockpit_enabled` - Whether to enable Cockpit port mapping (defaults to true)
+/// * `cockpit_enabled` - Whether to enable Cockpit port mapping (defaults to false)
+/// * `systemd_enabled` - Whether to use systemd as init (defaults to false)
 /// * `bind_mounts` - User-defined bind mounts from config and CLI flags (optional)
+#[allow(clippy::too_many_arguments)]
 pub async fn setup_and_start(
     client: &DockerClient,
     opencode_web_port: Option<u16>,
@@ -104,6 +139,7 @@ pub async fn setup_and_start(
     bind_address: Option<&str>,
     cockpit_port: Option<u16>,
     cockpit_enabled: Option<bool>,
+    systemd_enabled: Option<bool>,
     bind_mounts: Option<Vec<mount::ParsedMount>>,
 ) -> Result<String, DockerError> {
     // Ensure volumes exist first
@@ -132,6 +168,7 @@ pub async fn setup_and_start(
             bind_address,
             cockpit_port,
             cockpit_enabled,
+            systemd_enabled,
             bind_mounts,
         )
         .await?