@opencode-cloud/core 15.2.0 → 17.0.0

package/Cargo.toml

@@ -1,6 +1,6 @@
 [package]
 name = "opencode-cloud-core"
-version = "15.2.0"
+version = "17.0.0"
 edition = "2024"
 rust-version = "1.89"
 license = "MIT"

package/README.md

@@ -3,9 +3,9 @@
 [![CI](https://github.com/pRizz/opencode-cloud/actions/workflows/ci.yml/badge.svg)](https://github.com/pRizz/opencode-cloud/actions/workflows/ci.yml)
 [![Mirror](https://img.shields.io/badge/mirror-gitea-blue?logo=gitea)](https://gitea.com/pRizz/opencode-cloud)
 [![crates.io](https://img.shields.io/crates/v/opencode-cloud.svg)](https://crates.io/crates/opencode-cloud)
-[![GHCR](https://img.shields.io/badge/ghcr.io-sandbox-blue?logo=github)](https://github.com/pRizz/opencode-cloud/pkgs/container/opencode-cloud-sandbox)
 [![Docker Hub](https://img.shields.io/docker/v/prizz/opencode-cloud-sandbox?label=docker&sort=semver)](https://hub.docker.com/r/prizz/opencode-cloud-sandbox)
 [![Docker Pulls](https://img.shields.io/docker/pulls/prizz/opencode-cloud-sandbox)](https://hub.docker.com/r/prizz/opencode-cloud-sandbox)
+[![GHCR](https://img.shields.io/badge/ghcr.io-sandbox-blue?logo=github)](https://github.com/pRizz/opencode-cloud/pkgs/container/opencode-cloud-sandbox)
 [![docs.rs](https://docs.rs/opencode-cloud/badge.svg)](https://docs.rs/opencode-cloud)
 [![MSRV](https://img.shields.io/badge/MSRV-1.85-blue.svg)](https://blog.rust-lang.org/2025/02/20/Rust-1.85.0.html)
 [![License: MIT](https://img.shields.io/badge/License-MIT-yellow.svg)](https://opensource.org/licenses/MIT)
@@ -51,6 +51,16 @@ Quick deploy provisions a private EC2 instance behind a public ALB with HTTPS.
 Docs: `docs/deploy/aws.md` (includes teardown steps and S3 hosting setup for forks)
 Credentials: `docs/deploy/aws.md#retrieving-credentials`
 
+## Deploy to DigitalOcean
+
+[![Deploy on DigitalOcean](https://img.shields.io/badge/Deploy-DigitalOcean-0080FF?logo=digitalocean&logoColor=white)](https://marketplace.digitalocean.com/apps/opencode-cloud)
+
+Marketplace one-click deploy provisions a Droplet that bootstraps opencode-cloud
+on first boot (listing pending).
+
+Manual Droplet setup: `docs/deploy/digitalocean-droplet.md`
+Marketplace docs: `docs/deploy/digitalocean-marketplace.md`
+
 ## Features
 
 - **Sandboxed execution** - opencode runs inside a Docker container, isolated from your host system
@@ -77,12 +87,12 @@ The sandbox container image is named **`opencode-cloud-sandbox`** (not `opencode
 
 **Why use the CLI?** It configures volumes, ports, and upgrades safely, so you don’t have to manage `docker run` flags or image updates yourself.
 
-The image is published to both registries:
+The image is published to both registries (Docker Hub is the primary distribution):
 
 | Registry | Image |
 |----------|-------|
-| GitHub Container Registry | [`ghcr.io/prizz/opencode-cloud-sandbox`](https://github.com/pRizz/opencode-cloud/pkgs/container/opencode-cloud-sandbox) |
 | Docker Hub | [`prizz/opencode-cloud-sandbox`](https://hub.docker.com/r/prizz/opencode-cloud-sandbox) |
+| GitHub Container Registry | [`ghcr.io/prizz/opencode-cloud-sandbox`](https://github.com/pRizz/opencode-cloud/pkgs/container/opencode-cloud-sandbox) |
 
 Pull commands:
 
@@ -182,7 +192,7 @@ occ start --port 8080
 # Start and open browser
 occ start --open
 
-# Check service status
+# Check service status (includes broker health: Healthy/Degraded/Unhealthy)
 occ status
 
 # View logs
@@ -194,7 +204,7 @@ occ logs -f
 # View opencode-broker logs (systemd/journald required)
 occ logs --broker
 
-# Dump opencode-broker logs (no follow)
+# Troubleshoot broker health issues reported by `occ status`
 occ logs --broker --no-follow
 
 # Note: Broker logs require systemd/journald. This is enabled by default on supported Linux
@@ -238,6 +248,26 @@ occ mount clean --purge --force
 # Factory reset host (container, volumes, mounts, config/data)
 occ reset host --force
 
+### Container Mode
+
+When `occ` runs inside the opencode container, it will auto-detect this and switch to **container runtime**.
+Override if needed:
+
+```bash
+occ --runtime host <command>
+OPENCODE_RUNTIME=host occ <command>
+```
+
+Supported commands in container runtime:
+- `occ status`
+- `occ logs`
+- `occ user`
+- `occ update opencode`
+
+Notes:
+- Host/Docker lifecycle commands are disabled in container runtime.
+- `occ logs` and `occ update opencode` require systemd inside the container. If systemd is not available, run those commands from the host instead.
+
 ### Webapp-triggered update (command file)
 
 When running in foreground mode (for example via `occ install`, which uses `occ start --no-daemon`),

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@opencode-cloud/core",
-  "version": "15.2.0",
+  "version": "17.0.0",
   "description": "Core NAPI bindings for opencode-cloud (internal package)",
   "main": "index.js",
   "types": "index.d.ts",

package/src/docker/Dockerfile

@@ -1,6 +1,12 @@
 # =============================================================================
 # opencode-cloud Container Image
 # =============================================================================
+# IMPORTANT:
+# Keep scripts/service/config assets in `packages/core/src/docker/files/`
+# and COPY them into the image instead of embedding large inline shell blocks.
+# When adding files, also update `packages/core/src/docker/image.rs`
+# (`create_build_context`) so CLI-driven Docker builds include them.
+#
 # A comprehensive development environment for AI-assisted coding with opencode.
 #
 # Features:
@@ -452,61 +458,12 @@ RUN git config --global init.defaultBranch main \
     && git config --global diff.colorMoved default
 
 # Starship configuration (minimal, fast prompt)
-RUN mkdir -p /home/opencode/.config \
-    && printf '%s\n' \
-    '# Minimal starship config for fast prompt' \
-    'format = """' \
-    '$directory\' \
-    '$git_branch\' \
-    '$git_status\' \
-    '$character"""' \
-    '' \
-    '[directory]' \
-    'truncation_length = 3' \
-    'truncate_to_repo = true' \
-    '' \
-    '[git_branch]' \
-    'format = "[$branch]($style) "' \
-    'style = "bold purple"' \
-    '' \
-    '[git_status]' \
-    'format = '"'"'([$all_status$ahead_behind]($style) )'"'"'' \
-    '' \
-    '[character]' \
-    'success_symbol = "[>](bold green)"' \
-    'error_symbol = "[>](bold red)"' \
-    > /home/opencode/.config/starship.toml
+COPY --chown=opencode:opencode packages/core/src/docker/files/starship.toml /home/opencode/.config/starship.toml
 
 # Shell aliases
-RUN printf '%s\n' \
-    '' \
-    '# Modern CLI aliases' \
-    'alias ls="eza --icons"' \
-    'alias ll="eza -l --icons"' \
-    'alias la="eza -la --icons"' \
-    'alias lt="eza --tree --icons"' \
-    'alias grep="rg"' \
-    'alias top="btop"' \
-    '' \
-    '# Git aliases' \
-    'alias g="git"' \
-    'alias gs="git status"' \
-    'alias gd="git diff"' \
-    'alias gc="git commit"' \
-    'alias gp="git push"' \
-    'alias gl="git pull"' \
-    'alias gco="git checkout"' \
-    'alias gb="git branch"' \
-    'alias lg="lazygit"' \
-    '' \
-    '# Docker aliases (for Docker-in-Docker)' \
-    'alias d="docker"' \
-    'alias dc="docker compose"' \
-    '' \
-    >> /home/opencode/.bashrc
-
-# Set up pipx path
-RUN echo 'export PATH="/home/opencode/.local/bin:$PATH"' >> /home/opencode/.bashrc
+COPY --chown=opencode:opencode packages/core/src/docker/files/bashrc.extra /home/opencode/.bashrc.extra
+RUN cat /home/opencode/.bashrc.extra >> /home/opencode/.bashrc \
+    && rm /home/opencode/.bashrc.extra
 
 # -----------------------------------------------------------------------------
 # Stage 2: opencode build
@@ -535,7 +492,7 @@ USER opencode
 # commit on the main branch of https://github.com/pRizz/opencode.
 # Update it by running: ./scripts/update-opencode-commit.sh
 # Build opencode from source (BuildKit cache mounts disabled for now)
-RUN OPENCODE_COMMIT="d61147bea10a1bc7ba93c6bfa0b7d8fe55a561b5" \
+RUN OPENCODE_COMMIT="41731edead75a52aceac0b48c22474bdeafc746c" \
     && rm -rf /tmp/opencode-repo \
     && git clone --depth 1 https://github.com/pRizz/opencode.git /tmp/opencode-repo \
     && cd /tmp/opencode-repo \
@@ -575,18 +532,8 @@ ENV PATH="/opt/opencode/bin:${PATH}"
 # This allows opencode to authenticate users via PAM (same users as Cockpit)
 # NOTE: Requires root privileges to write to /etc/pam.d/
 USER root
-RUN printf '%s\n' \
-    '# PAM configuration for OpenCode authentication' \
-    '# Install to /etc/pam.d/opencode' \
-    '' \
-    '# Standard UNIX authentication' \
-    'auth required pam_unix.so' \
-    'account required pam_unix.so' \
-    '' \
-    '# Optional: Enable TOTP 2FA (uncomment when pam_google_authenticator is installed)' \
-    '# auth required pam_google_authenticator.so' \
-    > /etc/pam.d/opencode \
-    && chmod 644 /etc/pam.d/opencode
+COPY packages/core/src/docker/files/pam/opencode /etc/pam.d/opencode
+RUN chmod 644 /etc/pam.d/opencode
 
 # Verify PAM config file exists
 RUN ls -la /etc/pam.d/opencode && cat /etc/pam.d/opencode
@@ -596,38 +543,7 @@ RUN ls -la /etc/pam.d/opencode && cat /etc/pam.d/opencode
 # -----------------------------------------------------------------------------
 # Create opencode-broker service for PAM authentication
 # NOTE: Requires root privileges to write to /etc/systemd/system/
-RUN printf '%s\n' \
-    '[Unit]' \
-    'Description=OpenCode Authentication Broker' \
-    'Documentation=https://github.com/pRizz/opencode' \
-    'After=network.target' \
-    '' \
-    '[Service]' \
-    'Type=notify' \
-    'ExecStart=/usr/local/bin/opencode-broker' \
-    'ExecReload=/bin/kill -HUP $MAINPID' \
-    'Restart=always' \
-    'RestartSec=5' \
-    '' \
-    '# Security hardening' \
-    'NoNewPrivileges=false' \
-    'ProtectSystem=strict' \
-    'ProtectHome=read-only' \
-    'PrivateTmp=true' \
-    'ReadWritePaths=/run/opencode' \
-    '' \
-    '# Socket directory' \
-    'RuntimeDirectory=opencode' \
-    'RuntimeDirectoryMode=0755' \
-    '' \
-    '# Logging' \
-    'StandardOutput=journal' \
-    'StandardError=journal' \
-    'SyslogIdentifier=opencode-broker' \
-    '' \
-    '[Install]' \
-    'WantedBy=multi-user.target' \
-    > /etc/systemd/system/opencode-broker.service
+COPY packages/core/src/docker/files/opencode-broker.service /etc/systemd/system/opencode-broker.service
 
 # Enable opencode-broker service
 RUN mkdir -p /etc/systemd/system/multi-user.target.wants \
@@ -638,23 +554,7 @@ RUN mkdir -p /etc/systemd/system/multi-user.target.wants \
 # -----------------------------------------------------------------------------
 # Create opencode as a systemd service for Cockpit integration
 # NOTE: Requires root privileges to write to /etc/systemd/system/
-RUN printf '%s\n' \
-    '[Unit]' \
-    'Description=opencode Web Interface' \
-    'After=network.target opencode-broker.service' \
-    '' \
-    '[Service]' \
-    'Type=simple' \
-    'User=opencode' \
-    'WorkingDirectory=/home/opencode/workspace' \
-    'ExecStart=/opt/opencode/bin/opencode web --port 3000 --hostname 0.0.0.0' \
-    'Restart=always' \
-    'RestartSec=5' \
-    'Environment=PATH=/opt/opencode/bin:/home/opencode/.local/bin:/home/opencode/.cargo/bin:/home/opencode/.local/share/mise/shims:/home/opencode/.bun/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin' \
-    '' \
-    '[Install]' \
-    'WantedBy=multi-user.target' \
-    > /etc/systemd/system/opencode.service
+COPY packages/core/src/docker/files/opencode.service /etc/systemd/system/opencode.service
 
 # Enable opencode service to start at boot (manual symlink since systemctl doesn't work during build)
 RUN mkdir -p /etc/systemd/system/multi-user.target.wants \
@@ -664,15 +564,9 @@ RUN mkdir -p /etc/systemd/system/multi-user.target.wants \
 # opencode Configuration
 # -----------------------------------------------------------------------------
 # Create opencode.jsonc config file with PAM authentication enabled
-RUN mkdir -p /home/opencode/.config/opencode \
-    && printf '%s\n' \
-    '{' \
-    '  "auth": {' \
-    '    "enabled": true' \
-    '  }' \
-    '}' \
-    > /home/opencode/.config/opencode/opencode.jsonc \
-    && chown -R opencode:opencode /home/opencode/.config/opencode \
+RUN mkdir -p /home/opencode/.config/opencode
+COPY --chown=opencode:opencode packages/core/src/docker/files/opencode.jsonc /home/opencode/.config/opencode/opencode.jsonc
+RUN chown -R opencode:opencode /home/opencode/.config/opencode \
     && chmod 644 /home/opencode/.config/opencode/opencode.jsonc
 
 # Verify config file exists
@@ -684,29 +578,23 @@ RUN ls -la /home/opencode/.config/opencode/opencode.jsonc && cat /home/opencode/
 # Supports both tini (default, works everywhere) and systemd (for Cockpit on Linux)
 # Set USE_SYSTEMD=1 environment variable to use systemd init
 # Note: Entrypoint runs as root to support both modes; tini mode drops to opencode user
-RUN printf '%s\n' \
-    '#!/bin/bash' \
-    'if [ "${USE_SYSTEMD}" = "1" ]; then' \
-    '    exec /sbin/init' \
-    'else' \
-    '    # Ensure broker socket directory exists' \
-    '    install -d -m 0755 /run/opencode' \
-    '    /usr/local/bin/opencode-broker &' \
-    '    # Use runuser to switch to opencode user without password prompt' \
-    '    exec runuser -u opencode -- sh -lc "cd /home/opencode/workspace && /opt/opencode/bin/opencode web --port 3000 --hostname 0.0.0.0"' \
-    'fi' \
-    > /usr/local/bin/entrypoint.sh && chmod +x /usr/local/bin/entrypoint.sh
+COPY packages/core/src/docker/files/entrypoint.sh /usr/local/bin/entrypoint.sh
+RUN chmod +x /usr/local/bin/entrypoint.sh
 
 # Note: Don't set USER here - entrypoint needs root to use runuser
 # The tini mode drops privileges to opencode user via runuser
 
+# Healthcheck script asset
+COPY packages/core/src/docker/files/healthcheck.sh /usr/local/bin/healthcheck.sh
+RUN chmod +x /usr/local/bin/healthcheck.sh
+
 # -----------------------------------------------------------------------------
 # Health Check
 # -----------------------------------------------------------------------------
-# Check that opencode main page responds
+# Check broker readiness (process + socket) and opencode web response
 # Works for both tini and systemd modes
 HEALTHCHECK --interval=30s --timeout=10s --start-period=30s --retries=3 \
-    CMD curl -f -H "Accept: text/html" http://localhost:3000/ || exit 1
+    CMD ["/usr/local/bin/healthcheck.sh"]
 
 # -----------------------------------------------------------------------------
 # opencode Artifacts

package/src/docker/README.dockerhub.md

@@ -24,17 +24,25 @@ https://github.com/pRizz/opencode-cloud (mirror: https://gitea.com/pRizz/opencod
 Pull the image:
 
 ```
-docker pull ghcr.io/prizz/opencode-cloud-sandbox:latest
+docker pull prizz/opencode-cloud-sandbox:latest
 ```
 
 Run the container:
 
 ```
-docker run --rm -it -p 3000:3000 ghcr.io/prizz/opencode-cloud-sandbox:latest
+docker run --rm -it -p 3000:3000 prizz/opencode-cloud-sandbox:latest
 ```
 
 The opencode web UI is available at `http://localhost:3000`.
 
+## App Platform
+
+- Set `http_port` to `3000` or provide `PORT`/`OPENCODE_PORT` so the health check hits the right port.
+- App Platform storage is ephemeral. Workspace, config, and PAM users reset on redeploy unless you add external storage.
+- Logs are visible in the App Platform UI without extra setup.
+- Provide `OPENCODE_BOOTSTRAP_USER` with either `OPENCODE_BOOTSTRAP_PASSWORD` or `OPENCODE_BOOTSTRAP_PASSWORD_HASH` for first-boot access.
+- App Platform supports Linux/AMD64 images and favors smaller image sizes.
+
 ## Install the opencode-cloud CLI
 
 Cargo:

package/src/docker/files/README.md

@@ -0,0 +1,4 @@
+This directory contains files copied into the Docker image via `Dockerfile` `COPY` lines.
+When adding new files here, update the minimal build context in
+`packages/core/src/docker/image.rs` (see `create_build_context` and its helper)
+so `occ`/CLI builds include the new assets.

package/src/docker/files/bashrc.extra

@@ -0,0 +1,25 @@
+
+# Modern CLI aliases
+alias ls="eza --icons"
+alias ll="eza -l --icons"
+alias la="eza -la --icons"
+alias lt="eza --tree --icons"
+alias grep="rg"
+alias top="btop"
+
+# Git aliases
+alias g="git"
+alias gs="git status"
+alias gd="git diff"
+alias gc="git commit"
+alias gp="git push"
+alias gl="git pull"
+alias gco="git checkout"
+alias gb="git branch"
+alias lg="lazygit"
+
+# Docker aliases (for Docker-in-Docker)
+alias d="docker"
+alias dc="docker compose"
+
+export PATH="/home/opencode/.local/bin:$PATH"

package/src/docker/files/entrypoint.sh

@@ -0,0 +1,199 @@
+#!/bin/bash
+set -euo pipefail
+
+log() {
+    echo "[opencode-cloud] $*"
+}
+
+read_opencode_cloud_version() {
+    local version_file="/etc/opencode-cloud-version"
+    local version
+
+    if [ -r "${version_file}" ]; then
+        version="$(head -n 1 "${version_file}" 2>/dev/null | tr -d "\r\n")"
+    else
+        version=""
+    fi
+
+    if [ -z "${version}" ]; then
+        printf "dev"
+    else
+        printf "%s" "${version}"
+    fi
+}
+
+print_welcome_banner() {
+    local version
+    version="$(read_opencode_cloud_version)"
+
+    log "----------------------------------------------------------------------"
+    log "Welcome to opencode-cloud-sandbox"
+    log "You are running opencode-cloud v${version}"
+    log "For questions, problems, and feature requests, file an issue:"
+    log "  https://github.com/pRizz/opencode-cloud/issues"
+    log "opencode-cloud runs opencode in a Docker sandbox; use occ/opencode-cloud CLI to manage users, mounts, and updates."
+    log "Quick start: occ user add <username> | occ status | occ logs -f"
+    log "Docs: https://github.com/pRizz/opencode-cloud#readme"
+    log "----------------------------------------------------------------------"
+}
+
+OPENCODE_PORT="${OPENCODE_PORT:-${PORT:-3000}}"
+OPENCODE_HOST="${OPENCODE_HOST:-0.0.0.0}"
+export OPENCODE_PORT OPENCODE_HOST
+
+print_welcome_banner
+
+detect_droplet() {
+    local hint="${OPENCODE_CLOUD_ENV:-}"
+    if [ -n "${hint}" ]; then
+        hint="$(printf "%s" "${hint}" | tr "[:upper:]" "[:lower:]")"
+        if [[ "${hint}" == *digitalocean* || "${hint}" == *droplet* ]]; then
+            return 0
+        fi
+    fi
+    curl -fsS --connect-timeout 1 --max-time 1 http://169.254.169.254/metadata/v1/id >/dev/null 2>&1
+}
+
+collect_non_persistent_paths() {
+    local -a paths=(
+        "/home/opencode/workspace"
+        "/home/opencode/.local/share/opencode"
+        "/home/opencode/.local/state/opencode"
+        "/home/opencode/.config/opencode"
+        "/var/lib/opencode-users"
+    )
+    local -a non_persistent=()
+    local fs_type
+    for path in "${paths[@]}"; do
+        fs_type="$(stat -f -c %T "${path}" 2>/dev/null || true)"
+        case "${fs_type}" in
+            ""|overlay|overlayfs|tmpfs|ramfs|squashfs)
+                non_persistent+=("${path}")
+                ;;
+        esac
+    done
+    if [ ${#non_persistent[@]} -eq 0 ]; then
+        return 1
+    fi
+    printf "%s\n" "${non_persistent[@]}"
+    return 0
+}
+
+non_persistent_paths="$(collect_non_persistent_paths || true)"
+if [ -n "${non_persistent_paths}" ]; then
+    log "================================================================="
+    log "WARNING: Persistence is not configured for one or more paths."
+    log "Data loss is likely if the container is recreated or updated."
+    log "Non-persistent paths:"
+    while IFS= read -r path; do
+        log "  - ${path}"
+    done <<< "${non_persistent_paths}"
+    if detect_droplet; then
+        log "Detected DigitalOcean Docker Droplet environment."
+        log "By default, Docker Droplets do not configure volumes or persistence."
+        log "You will almost certainly lose data if you are not careful."
+    fi
+    log "Configure persistence: https://github.com/pRizz/opencode-cloud#readme"
+    log "================================================================="
+fi
+
+if [ "${USE_SYSTEMD:-}" = "1" ]; then
+    exec /sbin/init
+else
+    # Ensure broker socket directory exists
+    install -d -m 0755 /run/opencode
+
+    # Ensure user records directory exists (ephemeral unless mounted)
+    install -d -m 0700 /var/lib/opencode-users
+
+    restore_users() {
+        shopt -s nullglob
+        local records=(/var/lib/opencode-users/*.json)
+        if [ ${#records[@]} -eq 0 ]; then
+            return 1
+        fi
+        for record in "${records[@]}"; do
+            local username password_hash locked
+            username="$(jq -r ".username // empty" "${record}")"
+            password_hash="$(jq -r ".password_hash // empty" "${record}")"
+            locked="$(jq -r ".locked // false" "${record}")"
+            if [ -z "${username}" ]; then
+                log "Skipping invalid user record: ${record}"
+                continue
+            fi
+            if ! id -u "${username}" >/dev/null 2>&1; then
+                log "Creating user: ${username}"
+                useradd -m -s /bin/bash "${username}"
+            fi
+            if [ -n "${password_hash}" ]; then
+                usermod -p "${password_hash}" "${username}"
+            fi
+            if [ "${locked}" = "true" ]; then
+                passwd -l "${username}" >/dev/null
+            else
+                passwd -u "${username}" >/dev/null || true
+            fi
+            log "Restored user: ${username}"
+        done
+        return 0
+    }
+
+    persist_user_record() {
+        local username="$1"
+        local shadow_hash
+        shadow_hash="$(getent shadow "${username}" | cut -d: -f2)"
+        if [ -z "${shadow_hash}" ]; then
+            log "Failed to read shadow hash for ${username}"
+            return 1
+        fi
+        local status locked
+        status="$(passwd -S "${username}" | tr -s " " | cut -d" " -f2)"
+        locked="false"
+        if [ "${status}" = "L" ]; then
+            locked="true"
+        fi
+        local record_path="/var/lib/opencode-users/${username}.json"
+        umask 077
+        jq -n --arg username "${username}" --arg hash "${shadow_hash}" --argjson locked "${locked}" '{username:$username,password_hash:$hash,locked:$locked}' > "${record_path}"
+        chmod 600 "${record_path}"
+        log "Persisted user record: ${username}"
+    }
+
+    bootstrap_user() {
+        local username="${OPENCODE_BOOTSTRAP_USER:-}"
+        local password="${OPENCODE_BOOTSTRAP_PASSWORD:-}"
+        local password_hash="${OPENCODE_BOOTSTRAP_PASSWORD_HASH:-}"
+        if [ -z "${username}" ]; then
+            return 1
+        fi
+        if [ -z "${password_hash}" ] && [ -z "${password}" ]; then
+            log "OPENCODE_BOOTSTRAP_USER is set but no password or hash provided"
+            exit 1
+        fi
+        if ! id -u "${username}" >/dev/null 2>&1; then
+            log "Creating bootstrap user: ${username}"
+            useradd -m -s /bin/bash "${username}"
+        fi
+        if [ -n "${password_hash}" ]; then
+            usermod -p "${password_hash}" "${username}"
+        else
+            echo "${username}:${password}" | chpasswd
+        fi
+        persist_user_record "${username}"
+        log "Bootstrap user ready: ${username}"
+        return 0
+    }
+
+    if restore_users; then
+        log "User records restored"
+    else
+        if ! bootstrap_user; then
+            log "No persisted users and no bootstrap user configured"
+        fi
+    fi
+
+    log "Starting opencode on ${OPENCODE_HOST}:${OPENCODE_PORT}"
+    /usr/local/bin/opencode-broker &
+    # Use runuser to switch to opencode user without password prompt
+    exec runuser -u opencode -- sh -lc "cd /home/opencode/workspace && /opt/opencode/bin/opencode web --port ${OPENCODE_PORT} --hostname ${OPENCODE_HOST}"
+fi

package/src/docker/files/healthcheck.sh

@@ -0,0 +1,13 @@
+#!/bin/sh
+set -eu
+
+opencode_port="${OPENCODE_PORT:-${PORT:-3000}}"
+
+if [ -d /run/systemd/system ]; then
+    systemctl is-active --quiet opencode-broker.service
+else
+    pgrep -x opencode-broker >/dev/null
+fi
+
+test -S /run/opencode/auth.sock
+curl -fsS -H "Accept: text/html" "http://localhost:${opencode_port}/" >/dev/null

package/src/docker/files/opencode-broker.service

@@ -0,0 +1,30 @@
+[Unit]
+Description=OpenCode Authentication Broker
+Documentation=https://github.com/pRizz/opencode
+After=network.target
+
+[Service]
+Type=notify
+ExecStart=/usr/local/bin/opencode-broker
+ExecReload=/bin/kill -HUP $MAINPID
+Restart=always
+RestartSec=5
+
+# Security hardening
+NoNewPrivileges=false
+ProtectSystem=strict
+ProtectHome=read-only
+PrivateTmp=true
+ReadWritePaths=/run/opencode
+
+# Socket directory
+RuntimeDirectory=opencode
+RuntimeDirectoryMode=0755
+
+# Logging
+StandardOutput=journal
+StandardError=journal
+SyslogIdentifier=opencode-broker
+
+[Install]
+WantedBy=multi-user.target

package/src/docker/files/opencode.jsonc

@@ -0,0 +1,5 @@
+{
+  "auth": {
+    "enabled": true
+  }
+}

package/src/docker/files/opencode.service

@@ -0,0 +1,15 @@
+[Unit]
+Description=opencode Web Interface
+After=network.target opencode-broker.service
+
+[Service]
+Type=simple
+User=opencode
+WorkingDirectory=/home/opencode/workspace
+ExecStart=/bin/bash -lc "OPENCODE_PORT=${OPENCODE_PORT:-${PORT:-3000}}; OPENCODE_HOST=${OPENCODE_HOST:-0.0.0.0}; exec /opt/opencode/bin/opencode web --port ${OPENCODE_PORT} --hostname ${OPENCODE_HOST}"
+Restart=always
+RestartSec=5
+Environment=PATH=/opt/opencode/bin:/home/opencode/.local/bin:/home/opencode/.cargo/bin:/home/opencode/.local/share/mise/shims:/home/opencode/.bun/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
+
+[Install]
+WantedBy=multi-user.target

package/src/docker/files/pam/opencode

@@ -0,0 +1,9 @@
+# PAM configuration for OpenCode authentication
+# Install to /etc/pam.d/opencode
+
+# Standard UNIX authentication
+auth required pam_unix.so
+account required pam_unix.so
+
+# Optional: Enable TOTP 2FA (uncomment when pam_google_authenticator is installed)
+# auth required pam_google_authenticator.so

package/src/docker/files/starship.toml

@@ -0,0 +1,21 @@
+# Minimal starship config for fast prompt
+format = """
+$directory\
+$git_branch\
+$git_status\
+$character"""
+
+[directory]
+truncation_length = 3
+truncate_to_repo = true
+
+[git_branch]
+format = "[$branch]($style) "
+style = "bold purple"
+
+[git_status]
+format = '([$all_status$ahead_behind]($style) )'
+
+[character]
+success_symbol = "[>](bold green)"
+error_symbol = "[>](bold red)"

package/src/docker/image.rs

@@ -20,6 +20,7 @@ use futures_util::StreamExt;
 use http_body_util::{Either, Full};
 use std::collections::{HashMap, HashSet, VecDeque};
 use std::env;
+use std::io::Write;
 use std::time::{SystemTime, UNIX_EPOCH};
 use tar::Builder as TarBuilder;
 use tracing::{debug, warn};
@@ -887,13 +888,55 @@ fn create_build_context() -> Result<Vec<u8>, std::io::Error> {
 
         // Add Dockerfile to archive
         let dockerfile_bytes = DOCKERFILE.as_bytes();
-        let mut header = tar::Header::new_gnu();
-        header.set_path("Dockerfile")?;
-        header.set_size(dockerfile_bytes.len() as u64);
-        header.set_mode(0o644);
-        header.set_cksum();
-
-        tar.append(&header, dockerfile_bytes)?;
+        append_bytes(&mut tar, "Dockerfile", dockerfile_bytes, 0o644)?;
+        append_bytes(
+            &mut tar,
+            "packages/core/src/docker/files/entrypoint.sh",
+            include_bytes!("files/entrypoint.sh"),
+            0o644,
+        )?;
+        append_bytes(
+            &mut tar,
+            "packages/core/src/docker/files/healthcheck.sh",
+            include_bytes!("files/healthcheck.sh"),
+            0o644,
+        )?;
+        append_bytes(
+            &mut tar,
+            "packages/core/src/docker/files/opencode-broker.service",
+            include_bytes!("files/opencode-broker.service"),
+            0o644,
+        )?;
+        append_bytes(
+            &mut tar,
+            "packages/core/src/docker/files/opencode.service",
+            include_bytes!("files/opencode.service"),
+            0o644,
+        )?;
+        append_bytes(
+            &mut tar,
+            "packages/core/src/docker/files/pam/opencode",
+            include_bytes!("files/pam/opencode"),
+            0o644,
+        )?;
+        append_bytes(
+            &mut tar,
+            "packages/core/src/docker/files/opencode.jsonc",
+            include_bytes!("files/opencode.jsonc"),
+            0o644,
+        )?;
+        append_bytes(
+            &mut tar,
+            "packages/core/src/docker/files/starship.toml",
+            include_bytes!("files/starship.toml"),
+            0o644,
+        )?;
+        append_bytes(
+            &mut tar,
+            "packages/core/src/docker/files/bashrc.extra",
+            include_bytes!("files/bashrc.extra"),
+            0o644,
+        )?;
         tar.finish()?;
 
         // Finish gzip encoding
@@ -904,11 +947,30 @@ fn create_build_context() -> Result<Vec<u8>, std::io::Error> {
     Ok(archive_buffer)
 }
 
+fn append_bytes<W: Write>(
+    tar: &mut TarBuilder<W>,
+    path: &str,
+    contents: &[u8],
+    mode: u32,
+) -> Result<(), std::io::Error> {
+    let mut header = tar::Header::new_gnu();
+    header.set_path(path)?;
+    header.set_size(contents.len() as u64);
+    header.set_mode(mode);
+    header.set_cksum();
+
+    tar.append(&header, contents)?;
+    Ok(())
+}
+
 #[cfg(test)]
 mod tests {
     use super::*;
     use bollard::models::ImageSummary;
+    use flate2::read::GzDecoder;
     use std::collections::HashMap;
+    use std::io::Cursor;
+    use tar::Archive;
 
     fn make_image_summary(
         id: &str,
@@ -944,6 +1006,39 @@ mod tests {
         assert_eq!(context[1], 0x8b, "should be gzip compressed");
     }
 
+    #[test]
+    fn build_context_includes_docker_assets() {
+        let context = create_build_context().expect("should create context");
+        let cursor = Cursor::new(context);
+        let decoder = GzDecoder::new(cursor);
+        let mut archive = Archive::new(decoder);
+        let mut found_entrypoint = false;
+        let mut found_healthcheck = false;
+
+        for entry in archive.entries().expect("should read archive entries") {
+            let entry = entry.expect("should read entry");
+            let path = entry.path().expect("should read entry path");
+            if path == std::path::Path::new("packages/core/src/docker/files/entrypoint.sh") {
+                found_entrypoint = true;
+            }
+            if path == std::path::Path::new("packages/core/src/docker/files/healthcheck.sh") {
+                found_healthcheck = true;
+            }
+            if found_entrypoint && found_healthcheck {
+                break;
+            }
+        }
+
+        assert!(
+            found_entrypoint,
+            "entrypoint asset should be in the build context"
+        );
+        assert!(
+            found_healthcheck,
+            "healthcheck asset should be in the build context"
+        );
+    }
+
     #[test]
     fn default_tag_is_latest() {
         assert_eq!(IMAGE_TAG_DEFAULT, "latest");