@opencode-cloud/core 4.0.0 → 4.0.2

package/Cargo.toml

@@ -1,6 +1,6 @@
 [package]
 name = "opencode-cloud-core"
-version = "4.0.0"
+version = "4.0.2"
 edition = "2024"
 rust-version = "1.88"
 license = "MIT"

package/README.md

@@ -8,8 +8,13 @@
 [![MSRV](https://img.shields.io/badge/MSRV-1.85-blue.svg)](https://blog.rust-lang.org/2025/02/20/Rust-1.85.0.html)
 [![License: MIT](https://img.shields.io/badge/License-MIT-yellow.svg)](https://opensource.org/licenses/MIT)
 
+> [!WARNING]
+> This project is a work in progress and evolving rapidly. Use with caution.
+
 A production-ready toolkit for deploying and managing [opencode](https://github.com/anomalyco/opencode) as a persistent cloud service, **sandboxed inside a Docker container** for isolation and security.
 
+This project uses the opencode fork at https://github.com/pRizz/opencode, which adds additional authentication and security features.
+
 ## Quick install (cargo)
 
 ```bash
@@ -19,12 +24,14 @@ opencode-cloud --version
 
 ## Deploy to AWS
 
-[![Deploy to AWS](https://s3.amazonaws.com/cloudformation-examples/cloudformation-launch-stack.png)](https://console.aws.amazon.com/cloudformation/home#/stacks/create/review?templateURL=https://raw.githubusercontent.com/pRizz/opencode-cloud/main/infra/aws/cloudformation/opencode-cloud-quick.yaml)
+[![Deploy to AWS](https://s3.amazonaws.com/cloudformation-examples/cloudformation-launch-stack.png)](https://console.aws.amazon.com/cloudformation/home#/stacks/create/review?templateURL=https://opencode-cloud-templates.s3.us-east-2.amazonaws.com/cloudformation/opencode-cloud-quick.yaml)
 
 Quick deploy provisions a private EC2 instance behind a public ALB with HTTPS.
 **A domain name is required** for ACM certificate validation.
+**A Route53 hosted zone ID is required** for automated DNS validation.
 
-Docs: `docs/deploy/aws.md` (includes teardown steps)
+Docs: `docs/deploy/aws.md` (includes teardown steps and S3 hosting setup for forks)
+Credentials: `docs/deploy/aws.md#retrieving-credentials`
 
 ## Features
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@opencode-cloud/core",
-  "version": "4.0.0",
+  "version": "4.0.2",
   "description": "Core NAPI bindings for opencode-cloud (internal package)",
   "main": "index.js",
   "types": "index.d.ts",

package/src/config/schema.rs

@@ -700,7 +700,7 @@ mod tests {
     fn test_serialize_deserialize_with_mounts() {
         let config = Config {
             mounts: vec![
-                "/home/user/data:/workspace/data".to_string(),
+                "/home/user/data:/home/opencode/workspace/data".to_string(),
                 "/home/user/config:/etc/app:ro".to_string(),
             ],
             ..Config::default()
@@ -708,7 +708,10 @@ mod tests {
         let json = serde_json::to_string(&config).unwrap();
         let parsed: Config = serde_json::from_str(&json).unwrap();
         assert_eq!(parsed.mounts.len(), 2);
-        assert_eq!(parsed.mounts[0], "/home/user/data:/workspace/data");
+        assert_eq!(
+            parsed.mounts[0],
+            "/home/user/data:/home/opencode/workspace/data"
+        );
         assert_eq!(parsed.mounts[1], "/home/user/config:/etc/app:ro");
     }
 

package/src/docker/Dockerfile

@@ -104,8 +104,6 @@ RUN --mount=type=cache,target=/var/lib/apt/lists \
     netcat-openbsd=1.226-* \
     iputils-ping=3:20240117-* \
     dnsutils=1:9.18.* \
-    # Reverse proxy for opencode UI + API
-    nginx=1.24.* \
     # Compression
     zip=3.0-* \
     unzip=6.0-* \
@@ -505,7 +503,7 @@ RUN echo 'export PATH="/home/opencode/.local/bin:$PATH"' >> /home/opencode/.zshr
 # This block includes:
 # - opencode build (backend binary) + app build (frontend dist)
 # - opencode-broker build
-# - nginx config for single-endpoint UI + API proxy
+# - opencode web build + runtime
 # - PAM configuration + systemd services
 # - opencode config file
 #
@@ -517,7 +515,7 @@ RUN echo 'export PATH="/home/opencode/.local/bin:$PATH"' >> /home/opencode/.zshr
 # Clone the fork and build opencode from source (as non-root user)
 # Pin to specific commit for reproducibility
 # Build opencode from source (BuildKit cache mounts disabled for now)
-RUN OPENCODE_COMMIT="3a4eccc7e883575e0d5a508f46036a9f243c06e8" \
+RUN OPENCODE_COMMIT="9b91eb17f5ca1b0ee99cfaa0b4c87da6dbe9e784" \
     && rm -rf /tmp/opencode-repo \
     && git clone --depth 1 https://github.com/pRizz/opencode.git /tmp/opencode-repo \
     && cd /tmp/opencode-repo \
@@ -526,13 +524,15 @@ RUN OPENCODE_COMMIT="3a4eccc7e883575e0d5a508f46036a9f243c06e8" \
     && curl -fsSL https://bun.sh/install | bash -s "bun-v1.3.5" \
     && export PATH="/home/opencode/.bun/bin:${PATH}" \
     && bun install --frozen-lockfile \
-    && bun run packages/opencode/script/build.ts --single \
-    && cd packages/app \
-    && bun run build \
+    && cd packages/opencode \
+    && export VITE_OPENCODE_SERVER_URL="http://localhost:3000" \
+    && bun run build-single-ui \
     && rm -rf /home/opencode/.bun/install/cache /home/opencode/.bun/cache /home/opencode/.cache/bun \
     && cd /tmp/opencode-repo \
     && mkdir -p /home/opencode/.local/share/opencode/bin \
+    && mkdir -p /home/opencode/.local/share/opencode/ui \
     && cp /tmp/opencode-repo/packages/opencode/dist/opencode-*/bin/opencode /home/opencode/.local/share/opencode/bin/opencode \
+    && cp -R /tmp/opencode-repo/packages/opencode/dist/opencode-*/ui/. /home/opencode/.local/share/opencode/ui/ \
     && chown -R opencode:opencode /home/opencode/.local/share/opencode \
     && chmod +x /home/opencode/.local/share/opencode/bin/opencode \
     && /home/opencode/.local/share/opencode/bin/opencode --version
@@ -540,14 +540,6 @@ RUN OPENCODE_COMMIT="3a4eccc7e883575e0d5a508f46036a9f243c06e8" \
 # Add opencode to PATH
 ENV PATH="/home/opencode/.local/share/opencode/bin:${PATH}"
 
-# Copy UI assets to standard web root (requires root)
-USER root
-RUN mkdir -p /var/www/opencode \
-    && cp -R /tmp/opencode-repo/packages/app/dist/. /var/www/opencode/ \
-    && chown -R root:root /var/www/opencode \
-    && chmod 755 /var/www /var/www/opencode \
-    && chmod -R a+rX /var/www/opencode
-
 # -----------------------------------------------------------------------------
 # opencode-broker Installation
 # -----------------------------------------------------------------------------
@@ -568,49 +560,6 @@ RUN ls -la /usr/local/bin/opencode-broker \
     && test -x /usr/local/bin/opencode-broker \
     && echo "Broker installed"
 
-# -----------------------------------------------------------------------------
-# Nginx Reverse Proxy for UI + API
-# -----------------------------------------------------------------------------
-# Serve the built UI from /var/www/opencode and proxy all 3000 traffic to backend.
-RUN rm -f /etc/nginx/sites-enabled/default /etc/nginx/conf.d/default.conf 2>/dev/null || true \
-    && printf '%s\n' \
-    'server {' \
-    '  listen 3000;' \
-    '  server_name _;' \
-    '' \
-    '  location / {' \
-    '    proxy_pass http://127.0.0.1:3001;' \
-    '    proxy_http_version 1.1;' \
-    '    proxy_set_header Upgrade $http_upgrade;' \
-    '    proxy_set_header Connection "upgrade";' \
-    '    proxy_set_header Host $host;' \
-    '    proxy_set_header X-Real-IP $remote_addr;' \
-    '    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;' \
-    '    proxy_set_header X-Forwarded-Proto $scheme;' \
-    '  }' \
-    '}' \
-    '' \
-    'server {' \
-    '  listen 3002;' \
-    '  server_name _;' \
-    '' \
-    '  root /var/www/opencode;' \
-    '  index index.html;' \
-    '' \
-    '  location /assets/ {' \
-    '    try_files $uri =404;' \
-    '  }' \
-    '' \
-    '  location ~* \.(?:js|css|png|jpg|jpeg|gif|svg|ico|webp|woff2?|ttf|map)$ {' \
-    '    try_files $uri =404;' \
-    '  }' \
-    '' \
-    '  location / {' \
-    '    try_files $uri $uri/ /index.html;' \
-    '  }' \
-    '}' \
-    > /etc/nginx/conf.d/opencode.conf
-
 # -----------------------------------------------------------------------------
 # PAM Configuration
 # -----------------------------------------------------------------------------
@@ -690,7 +639,7 @@ RUN mkdir -p /home/opencode/.npm \
 # -----------------------------------------------------------------------------
 # opencode systemd Service (2026-01-22)
 # -----------------------------------------------------------------------------
-# Create opencode as a systemd service for Cockpit integration (backend only)
+# Create opencode as a systemd service for Cockpit integration
 # NOTE: Requires root privileges to write to /etc/systemd/system/
 USER root
 RUN printf '%s\n' \
@@ -702,7 +651,7 @@ RUN printf '%s\n' \
     'Type=simple' \
     'User=opencode' \
     'WorkingDirectory=/home/opencode/workspace' \
-    'ExecStart=/home/opencode/.local/share/opencode/bin/opencode --port 3001 --hostname 0.0.0.0' \
+    'ExecStart=/home/opencode/.local/share/opencode/bin/opencode web --port 3000 --hostname 0.0.0.0' \
     'Restart=always' \
     'RestartSec=5' \
     'Environment=PATH=/home/opencode/.local/share/opencode/bin:/home/opencode/.local/bin:/home/opencode/.cargo/bin:/home/opencode/.local/share/mise/shims:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin' \
@@ -715,44 +664,15 @@ RUN printf '%s\n' \
 RUN mkdir -p /etc/systemd/system/multi-user.target.wants \
     && ln -sf /etc/systemd/system/opencode.service /etc/systemd/system/multi-user.target.wants/opencode.service
 
-# Nginx service for serving UI + proxying API
-RUN printf '%s\n' \
-    '[Unit]' \
-    'Description=Nginx reverse proxy for opencode UI' \
-    'After=network.target opencode.service' \
-    '' \
-    '[Service]' \
-    'Type=simple' \
-    'ExecStart=/usr/sbin/nginx -g "daemon off;"' \
-    'ExecReload=/usr/sbin/nginx -s reload' \
-    'Restart=always' \
-    'RestartSec=5' \
-    '' \
-    '[Install]' \
-    'WantedBy=multi-user.target' \
-    > /etc/systemd/system/opencode-nginx.service
-
-# Enable nginx service
-RUN mkdir -p /etc/systemd/system/multi-user.target.wants \
-    && ln -sf /etc/systemd/system/opencode-nginx.service /etc/systemd/system/multi-user.target.wants/opencode-nginx.service
-
-# Prevent the distro nginx service from also starting (port 3000 conflict)
-RUN rm -f /etc/systemd/system/multi-user.target.wants/nginx.service \
-    && ln -sf /dev/null /etc/systemd/system/nginx.service
-
 # -----------------------------------------------------------------------------
 # opencode Configuration
 # -----------------------------------------------------------------------------
-# Create opencode.jsonc config file with PAM authentication enabled and UI URL
+# Create opencode.jsonc config file with PAM authentication enabled
 RUN mkdir -p /home/opencode/.config/opencode \
     && printf '%s\n' \
     '{' \
-    '  // Container UI served via nginx on 3002' \
     '  "auth": {' \
     '    "enabled": true' \
-    '  },' \
-    '  "server": {' \
-    '    "uiUrl": "http://localhost:3002"' \
     '  }' \
     '}' \
     > /home/opencode/.config/opencode/opencode.jsonc \
@@ -776,9 +696,11 @@ RUN printf '%s\n' \
     'if [ "${USE_SYSTEMD}" = "1" ]; then' \
     '    exec /sbin/init' \
     'else' \
+    '    # Ensure broker socket directory exists' \
+    '    install -d -m 0755 /run/opencode' \
+    '    /usr/local/bin/opencode-broker &' \
     '    # Use runuser to switch to opencode user without password prompt' \
-    '    runuser -u opencode -- /home/opencode/.local/share/opencode/bin/opencode --port 3001 --hostname 0.0.0.0 &' \
-    '    exec /usr/sbin/nginx -g "daemon off;"' \
+    '    exec runuser -u opencode -- sh -lc "cd /home/opencode/workspace && /home/opencode/.local/share/opencode/bin/opencode web --port 3000 --hostname 0.0.0.0"' \
     'fi' \
     > /usr/local/bin/entrypoint.sh && chmod +x /usr/local/bin/entrypoint.sh
 
@@ -788,10 +710,10 @@ RUN printf '%s\n' \
 # -----------------------------------------------------------------------------
 # Health Check
 # -----------------------------------------------------------------------------
-# Check that opencode health endpoint responds
+# Check that opencode main page responds
 # Works for both tini and systemd modes
 HEALTHCHECK --interval=30s --timeout=10s --start-period=30s --retries=3 \
-    CMD curl -f http://localhost:3000/health || exit 1
+    CMD curl -f http://localhost:3000/ || exit 1
 
 # -----------------------------------------------------------------------------
 # Version File
@@ -812,8 +734,8 @@ RUN echo "${OPENCODE_CLOUD_VERSION}" > /etc/opencode-cloud-version
 # -----------------------------------------------------------------------------
 WORKDIR /home/opencode/workspace
 
-# Expose opencode ports (3000/3001/3002) and Cockpit (9090)
-EXPOSE 3000 3001 3002 9090
+# Expose opencode web (3000) and Cockpit (9090)
+EXPOSE 3000 9090
 
 # Hybrid init: entrypoint script chooses tini or systemd based on USE_SYSTEMD env
 ENTRYPOINT ["/usr/local/bin/entrypoint.sh"]

package/src/docker/README.dockerhub.md

@@ -28,10 +28,18 @@ docker pull ghcr.io/prizz/opencode-cloud-sandbox:latest
 Run the container:
 
 ```
-docker run --rm -it -p 3000:3000 -p 3001:3001 -p 3002:3002 -p 9090:9090 ghcr.io/prizz/opencode-cloud-sandbox:latest
+docker run --rm -it -p 3000:3000 -p 9090:9090 ghcr.io/prizz/opencode-cloud-sandbox:latest
 ```
 
-The opencode web UI is available at `http://localhost:3000`. The backend is reachable at `http://localhost:3001`, and the static UI is served at `http://localhost:3002`. Cockpit runs on `http://localhost:9090`.
+The opencode web UI is available at `http://localhost:3000`. Cockpit runs on `http://localhost:9090`.
+
+## opencode build and serve flow
+
+The Docker image builds opencode directly from the fork and runs the web server without nginx:
+
+1. `cd packages/opencode`
+2. `bun run build` to generate `packages/opencode/dist`
+3. Run the server with `./bin/opencode web`
 
 ## Source
 

package/src/docker/container.rs

@@ -20,7 +20,7 @@ use std::collections::HashMap;
 use tracing::debug;
 
 /// Default container name
-pub const CONTAINER_NAME: &str = "opencode-cloud";
+pub const CONTAINER_NAME: &str = "opencode-cloud-sandbox";
 
 /// Default port for opencode web UI
 pub const OPENCODE_WEB_PORT: u16 = 3000;
@@ -38,7 +38,7 @@ pub const OPENCODE_WEB_PORT: u16 = 3000;
 /// * `env_vars` - Additional environment variables (optional)
 /// * `bind_address` - IP address to bind on host (defaults to "127.0.0.1")
 /// * `cockpit_port` - Port to bind on host for Cockpit (defaults to 9090)
-/// * `cockpit_enabled` - Whether to enable Cockpit port mapping (defaults to true)
+/// * `cockpit_enabled` - Whether to enable Cockpit port mapping (defaults to false)
 /// * `bind_mounts` - User-defined bind mounts from config and CLI flags (optional)
 #[allow(clippy::too_many_arguments)]
 pub async fn create_container(
@@ -57,7 +57,7 @@ pub async fn create_container(
     let image_name = image.unwrap_or(&default_image);
     let port = opencode_web_port.unwrap_or(OPENCODE_WEB_PORT);
     let cockpit_port_val = cockpit_port.unwrap_or(9090);
-    let cockpit_enabled_val = cockpit_enabled.unwrap_or(true);
+    let cockpit_enabled_val = cockpit_enabled.unwrap_or(false);
 
     debug!(
         "Creating container {} from image {} with port {} and cockpit_port {} (enabled: {})",
@@ -202,7 +202,7 @@ pub async fn create_container(
     let config = Config {
         image: Some(image_name.to_string()),
         hostname: Some(CONTAINER_NAME.to_string()),
-        working_dir: Some("/workspace".to_string()),
+        working_dir: Some("/home/opencode/workspace".to_string()),
         exposed_ports: Some(exposed_ports),
         env: final_env,
         host_config: Some(host_config),
@@ -473,7 +473,7 @@ mod tests {
 
     #[test]
     fn container_constants_are_correct() {
-        assert_eq!(CONTAINER_NAME, "opencode-cloud");
+        assert_eq!(CONTAINER_NAME, "opencode-cloud-sandbox");
         assert_eq!(OPENCODE_WEB_PORT, 3000);
     }
 

package/src/docker/exec.rs

@@ -22,7 +22,7 @@ use super::{DockerClient, DockerError};
 ///
 /// # Example
 /// ```ignore
-/// let output = exec_command(&client, "opencode-cloud", vec!["whoami"]).await?;
+/// let output = exec_command(&client, "opencode-cloud-sandbox", vec!["whoami"]).await?;
 /// ```
 pub async fn exec_command(
     client: &DockerClient,
@@ -104,7 +104,7 @@ pub async fn exec_command(
 /// // Set password via chpasswd (secure, non-interactive)
 /// exec_command_with_stdin(
 ///     &client,
-///     "opencode-cloud",
+///     "opencode-cloud-sandbox",
 ///     vec!["chpasswd"],
 ///     "username:password\n"
 /// ).await?;

package/src/docker/health.rs

@@ -53,12 +53,21 @@ pub enum HealthError {
     Timeout,
 }
 
+fn format_host(bind_addr: &str) -> String {
+    if bind_addr.contains(':') && !bind_addr.starts_with('[') {
+        format!("[{bind_addr}]")
+    } else {
+        bind_addr.to_string()
+    }
+}
+
 /// Check health by querying OpenCode's /global/health endpoint
 ///
 /// Returns the health response on success (HTTP 200).
 /// Returns an error for connection issues, timeouts, or non-200 responses.
-pub async fn check_health(port: u16) -> Result<HealthResponse, HealthError> {
-    let url = format!("http://127.0.0.1:{port}/global/health");
+pub async fn check_health(bind_addr: &str, port: u16) -> Result<HealthResponse, HealthError> {
+    let host = format_host(bind_addr);
+    let url = format!("http://{host}:{port}/global/health");
 
     let client = reqwest::Client::builder()
         .timeout(Duration::from_secs(5))
@@ -95,10 +104,11 @@ pub async fn check_health(port: u16) -> Result<HealthResponse, HealthError> {
 /// If container stats fail, still returns response with container_state = "unknown".
 pub async fn check_health_extended(
     client: &DockerClient,
+    bind_addr: &str,
     port: u16,
 ) -> Result<ExtendedHealthResponse, HealthError> {
     // Get basic health info
-    let health = check_health(port).await?;
+    let health = check_health(bind_addr, port).await?;
 
     // Get container stats
     let container_name = super::CONTAINER_NAME;
@@ -155,11 +165,21 @@ mod tests {
     #[tokio::test]
     async fn test_health_check_connection_refused() {
         // Port 1 should always refuse connection
-        let result = check_health(1).await;
+        let result = check_health("127.0.0.1", 1).await;
         assert!(result.is_err());
         match result.unwrap_err() {
             HealthError::ConnectionRefused => {}
             other => panic!("Expected ConnectionRefused, got: {other:?}"),
         }
     }
+
+    #[test]
+    fn format_host_wraps_ipv6() {
+        assert_eq!(format_host("::1"), "[::1]");
+    }
+
+    #[test]
+    fn format_host_preserves_ipv4() {
+        assert_eq!(format_host("127.0.0.1"), "127.0.0.1");
+    }
 }

package/src/docker/image.rs

@@ -177,6 +177,8 @@ struct BuildLogState {
     error_log_buffer_size: usize,
     last_buildkit_vertex: Option<String>,
     last_buildkit_vertex_id: Option<String>,
+    export_vertex_id: Option<String>,
+    export_vertex_name: Option<String>,
     buildkit_logs_by_vertex_id: HashMap<String, String>,
     vertex_name_by_vertex_id: HashMap<String, String>,
 }
@@ -199,6 +201,8 @@ impl BuildLogState {
             error_log_buffer_size,
             last_buildkit_vertex: None,
             last_buildkit_vertex_id: None,
+            export_vertex_id: None,
+            export_vertex_name: None,
             buildkit_logs_by_vertex_id: HashMap::new(),
             vertex_name_by_vertex_id: HashMap::new(),
         }
@@ -255,31 +259,45 @@ fn handle_buildkit_status(
 ) {
     let latest_logs = append_buildkit_logs(&mut state.buildkit_logs_by_vertex_id, status);
     update_buildkit_vertex_names(&mut state.vertex_name_by_vertex_id, status);
-    let (vertex_id, vertex_name) =
-        match select_latest_buildkit_vertex(status, &state.vertex_name_by_vertex_id) {
-            Some((vertex_id, vertex_name)) => (vertex_id, vertex_name),
-            None => {
-                let Some(log_entry) = latest_logs.last() else {
-                    return;
-                };
-                let name = state
-                    .vertex_name_by_vertex_id
-                    .get(&log_entry.vertex_id)
-                    .cloned()
-                    .or_else(|| state.last_buildkit_vertex.clone())
-                    .unwrap_or_else(|| format_vertex_fallback_label(&log_entry.vertex_id));
-                (log_entry.vertex_id.clone(), name)
-            }
-        };
+    update_export_vertex_from_logs(
+        &latest_logs,
+        &state.vertex_name_by_vertex_id,
+        &mut state.export_vertex_id,
+        &mut state.export_vertex_name,
+    );
+    let (vertex_id, vertex_name) = match select_latest_buildkit_vertex(
+        status,
+        &state.vertex_name_by_vertex_id,
+        state.export_vertex_id.as_deref(),
+        state.export_vertex_name.as_deref(),
+    ) {
+        Some((vertex_id, vertex_name)) => (vertex_id, vertex_name),
+        None => {
+            let Some(log_entry) = latest_logs.last() else {
+                return;
+            };
+            let name = state
+                .vertex_name_by_vertex_id
+                .get(&log_entry.vertex_id)
+                .cloned()
+                .or_else(|| state.last_buildkit_vertex.clone())
+                .unwrap_or_else(|| format_vertex_fallback_label(&log_entry.vertex_id));
+            (log_entry.vertex_id.clone(), name)
+        }
+    };
     record_buildkit_logs(state, &latest_logs, &vertex_id, &vertex_name);
-    state.last_buildkit_vertex_id = Some(vertex_id);
+    state.last_buildkit_vertex_id = Some(vertex_id.clone());
     if state.last_buildkit_vertex.as_deref() != Some(&vertex_name) {
         state.last_buildkit_vertex = Some(vertex_name.clone());
     }
 
     let message = if progress.is_plain_output() {
         vertex_name
-    } else if let Some(log_entry) = latest_logs.last() {
+    } else if let Some(log_entry) = latest_logs
+        .iter()
+        .rev()
+        .find(|entry| entry.vertex_id == vertex_id)
+    {
         format!("{vertex_name} · {}", log_entry.message)
     } else {
         vertex_name
@@ -360,7 +378,17 @@ fn update_buildkit_vertex_names(
 fn select_latest_buildkit_vertex(
     status: &BuildkitStatusResponse,
     vertex_name_by_vertex_id: &HashMap<String, String>,
+    export_vertex_id: Option<&str>,
+    export_vertex_name: Option<&str>,
 ) -> Option<(String, String)> {
+    if let Some(export_vertex_id) = export_vertex_id {
+        let name = export_vertex_name
+            .map(str::to_string)
+            .or_else(|| vertex_name_by_vertex_id.get(export_vertex_id).cloned())
+            .unwrap_or_else(|| format_vertex_fallback_label(export_vertex_id));
+        return Some((export_vertex_id.to_string(), name));
+    }
+
     let mut best_runtime: Option<(u32, String, String)> = None;
     let mut fallback: Option<(String, String)> = None;
 
@@ -423,6 +451,24 @@ fn format_vertex_fallback_label(vertex_id: &str) -> String {
     format!("vertex {short}")
 }
 
+fn update_export_vertex_from_logs(
+    latest_logs: &[BuildkitLogEntry],
+    vertex_name_by_vertex_id: &HashMap<String, String>,
+    export_vertex_id: &mut Option<String>,
+    export_vertex_name: &mut Option<String>,
+) {
+    if let Some(entry) = latest_logs
+        .iter()
+        .rev()
+        .find(|log| log.message.trim_start().starts_with("exporting to image"))
+    {
+        *export_vertex_id = Some(entry.vertex_id.clone());
+        if let Some(name) = vertex_name_by_vertex_id.get(&entry.vertex_id) {
+            *export_vertex_name = Some(name.clone());
+        }
+    }
+}
+
 fn record_buildkit_logs(
     state: &mut BuildLogState,
     latest_logs: &[BuildkitLogEntry],

package/src/docker/mount.rs

@@ -64,9 +64,9 @@ impl ParsedMount {
     /// use opencode_cloud_core::docker::ParsedMount;
     ///
     /// // Read-write mount (default)
-    /// let mount = ParsedMount::parse("/home/user/data:/workspace/data").unwrap();
+    /// let mount = ParsedMount::parse("/home/user/data:/home/opencode/workspace/data").unwrap();
     /// assert_eq!(mount.host_path.to_str().unwrap(), "/home/user/data");
-    /// assert_eq!(mount.container_path, "/workspace/data");
+    /// assert_eq!(mount.container_path, "/home/opencode/workspace/data");
     /// assert!(!mount.read_only);
     ///
     /// // Read-only mount
@@ -285,7 +285,7 @@ mod tests {
 
     #[test]
     fn non_system_path_no_warning() {
-        let warning = check_container_path_warning("/workspace/data");
+        let warning = check_container_path_warning("/home/opencode/workspace/data");
         assert!(warning.is_none());
     }
 

package/src/docker/users.rs

@@ -37,7 +37,7 @@ pub struct UserInfo {
 ///
 /// # Example
 /// ```ignore
-/// create_user(&client, "opencode-cloud", "admin").await?;
+/// create_user(&client, "opencode-cloud-sandbox", "admin").await?;
 /// ```
 pub async fn create_user(
     client: &DockerClient,
@@ -80,7 +80,7 @@ pub async fn create_user(
 ///
 /// # Example
 /// ```ignore
-/// set_user_password(&client, "opencode-cloud", "admin", "secret123").await?;
+/// set_user_password(&client, "opencode-cloud-sandbox", "admin", "secret123").await?;
 /// ```
 pub async fn set_user_password(
     client: &DockerClient,

package/src/docker/volume.rs

@@ -8,23 +8,23 @@ use bollard::volume::CreateVolumeOptions;
 use std::collections::HashMap;
 use tracing::debug;
 
-/// Volume name for opencode session history
-pub const VOLUME_SESSION: &str = "opencode-cloud-session";
+/// Volume name for opencode data
+pub const VOLUME_SESSION: &str = "opencode-data";
 
 /// Volume name for project files
-pub const VOLUME_PROJECTS: &str = "opencode-cloud-projects";
+pub const VOLUME_PROJECTS: &str = "opencode-workspace";
 
 /// Volume name for opencode configuration
-pub const VOLUME_CONFIG: &str = "opencode-cloud-config";
+pub const VOLUME_CONFIG: &str = "opencode-config";
 
 /// All volume names as array for iteration
 pub const VOLUME_NAMES: [&str; 3] = [VOLUME_SESSION, VOLUME_PROJECTS, VOLUME_CONFIG];
 
-/// Mount point for session history inside container
-pub const MOUNT_SESSION: &str = "/home/opencode/.opencode";
+/// Mount point for opencode data inside container
+pub const MOUNT_SESSION: &str = "/home/opencode/.local/share";
 
 /// Mount point for project files inside container
-pub const MOUNT_PROJECTS: &str = "/workspace";
+pub const MOUNT_PROJECTS: &str = "/home/opencode/workspace";
 
 /// Mount point for configuration inside container
 pub const MOUNT_CONFIG: &str = "/home/opencode/.config";
@@ -122,9 +122,9 @@ mod tests {
 
     #[test]
     fn volume_constants_are_correct() {
-        assert_eq!(VOLUME_SESSION, "opencode-cloud-session");
-        assert_eq!(VOLUME_PROJECTS, "opencode-cloud-projects");
-        assert_eq!(VOLUME_CONFIG, "opencode-cloud-config");
+        assert_eq!(VOLUME_SESSION, "opencode-data");
+        assert_eq!(VOLUME_PROJECTS, "opencode-workspace");
+        assert_eq!(VOLUME_CONFIG, "opencode-config");
     }
 
     #[test]
@@ -137,8 +137,8 @@ mod tests {
 
     #[test]
     fn mount_points_are_correct() {
-        assert_eq!(MOUNT_SESSION, "/home/opencode/.opencode");
-        assert_eq!(MOUNT_PROJECTS, "/workspace");
+        assert_eq!(MOUNT_SESSION, "/home/opencode/.local/share");
+        assert_eq!(MOUNT_PROJECTS, "/home/opencode/workspace");
         assert_eq!(MOUNT_CONFIG, "/home/opencode/.config");
     }
 }