container-superposition 0.1.6 → 0.1.7

package/overlays/pandoc/setup.sh

@@ -4,18 +4,23 @@
 set -e
 
 echo "📦 Refreshing font cache..."
-sudo fc-cache -fv
+sudo fc-cache -f
 
 echo "📦 Installing Pandoc (latest release)..."
 PANDOC_VERSION="3.6.4"
 
+# Source shared setup utilities
+# shellcheck source=setup-utils.sh
+source "$(dirname "${BASH_SOURCE[0]}")/setup-utils.sh"
+load_nvm
+
 if command -v apt-get > /dev/null 2>&1; then
     # Debian/Ubuntu — install official .deb from GitHub releases
     ARCH=$(dpkg --print-architecture)
     PANDOC_DEB="pandoc-${PANDOC_VERSION}-1-${ARCH}.deb"
     curl -fsSL "https://github.com/jgm/pandoc/releases/download/${PANDOC_VERSION}/${PANDOC_DEB}" \
         -o "/tmp/${PANDOC_DEB}"
-    sudo dpkg -i "/tmp/${PANDOC_DEB}"
+    with_apt_lock sudo dpkg -i "/tmp/${PANDOC_DEB}"
     rm "/tmp/${PANDOC_DEB}"
 elif command -v apk > /dev/null 2>&1; then
     # Alpine Linux — install via apk (version may differ from pinned release)
@@ -26,7 +31,50 @@ else
     exit 1
 fi
 
-echo "✓ pandoc $(pandoc --version | head -1)"
+if [ -x /usr/bin/pandoc ]; then
+    PANDOC_REAL_BIN="/usr/bin/pandoc"
+elif [ -x /usr/local/bin/pandoc ] && [ ! -L /usr/local/bin/pandoc ]; then
+    PANDOC_REAL_BIN="/usr/local/bin/pandoc"
+else
+    PANDOC_REAL_BIN="$(type -P pandoc || true)"
+fi
+
+if [ -z "$PANDOC_REAL_BIN" ] || [ ! -x "$PANDOC_REAL_BIN" ]; then
+    echo "❌ Could not resolve the real pandoc binary."
+    exit 1
+fi
+
+if [ "$PANDOC_REAL_BIN" = "/usr/local/bin/pandoc" ] && [ -f /usr/local/bin/pandoc ]; then
+    if grep -q 'DEFAULTS_FILE="\${HOME}/.pandoc/pandoc.yaml"' /usr/local/bin/pandoc 2>/dev/null; then
+        echo "❌ Refusing to wrap /usr/local/bin/pandoc because it is already the pandoc wrapper."
+        exit 1
+    fi
+fi
+
+echo "✓ pandoc $("$PANDOC_REAL_BIN" --version | head -1)"
+
+echo "📦 Installing pandoc wrapper with default PDF settings..."
+sudo tee /usr/local/bin/pandoc > /dev/null <<EOF
+#!/bin/sh
+REAL_PANDOC="${PANDOC_REAL_BIN}"
+DEFAULTS_FILE="\${HOME}/.pandoc/pandoc.yaml"
+
+for arg in "\$@"; do
+    case "\$arg" in
+        -d|--defaults|--defaults=*)
+            exec "\${REAL_PANDOC}" "\$@"
+            ;;
+    esac
+done
+
+if [ -f "\${DEFAULTS_FILE}" ]; then
+    exec "\${REAL_PANDOC}" --defaults "\${DEFAULTS_FILE}" "\$@"
+fi
+
+exec "\${REAL_PANDOC}" "\$@"
+EOF
+sudo chmod +x /usr/local/bin/pandoc
+echo "✓ pandoc wrapper installed: /usr/local/bin/pandoc -> ${PANDOC_REAL_BIN}"
 
 echo "📦 Installing diagram.lua Lua filter..."
 mkdir -p "$HOME/.pandoc/filters"
@@ -34,17 +82,167 @@ curl -fsSL \
     "https://raw.githubusercontent.com/pandoc-ext/diagram/main/_extensions/diagram/diagram.lua" \
     -o "$HOME/.pandoc/filters/diagram.lua"
 
+echo "📦 Writing emoji fallback Lua filter..."
+cat > "$HOME/.pandoc/filters/emoji-fallback.lua" <<'EOF'
+-- Replace emoji and flag glyphs that XeLaTeX commonly cannot render.
+--
+-- * BMP symbols (Miscellaneous Symbols U+2600-U+26FF, Dingbats U+2700-U+27BF)
+--   are routed to the fallback font via \textfallback{} so they render as
+--   real glyphs using Noto Sans Symbols 2 (declared by pandoc's fallbackfont
+--   variable in pandoc.yaml).
+--
+-- * High-plane emoji (U+1F000-U+1FAFF: 🎉 🚀 etc.) are replaced with the
+--   plain-text marker [emoji] because no common PDF font covers them fully.
+--
+-- * Flag sequences (pairs of regional-indicator letters: 🇺🇸 etc.) are
+--   replaced with the two-letter country code in brackets, e.g. [US].
+--
+-- The filter is a no-op for all non-LaTeX output formats.
+
+local REGIONAL_INDICATOR_A = 0x1F1E6
+local REGIONAL_INDICATOR_Z = 0x1F1FF
+
+local function is_regional_indicator(cp)
+    return cp >= REGIONAL_INDICATOR_A and cp <= REGIONAL_INDICATOR_Z
+end
+
+-- High-plane emoji that no standard PDF font renders reliably.
+local function is_high_plane_emoji(cp)
+    return cp >= 0x1F000 and cp <= 0x1FAFF
+end
+
+-- BMP symbol blocks absent from Carlito (and most body fonts).
+-- Characters in these ranges are routed to the \textfallback font instead.
+local function is_bmp_symbol(cp)
+    return (cp >= 0x2600 and cp <= 0x26FF)  -- Miscellaneous Symbols (⚠ ☀ ⛔ …)
+        or (cp >= 0x2700 and cp <= 0x27BF)  -- Dingbats             (✅ ❌ ✓ …)
+end
+
+-- Parse text into a list of pandoc inline elements, applying substitutions.
+-- Returns nil when no substitutions are needed.
+local function text_to_inlines(text)
+    if FORMAT ~= 'latex' then return nil end
+
+    -- Quick scan: skip AST work when there is nothing to process.
+    local needs_processing = false
+    for _, cp in utf8.codes(text) do
+        if is_regional_indicator(cp) or is_high_plane_emoji(cp) or is_bmp_symbol(cp)
+                or cp == 0x200D or cp == 0x20E3 or cp == 0xFE0F then
+            needs_processing = true
+            break
+        end
+    end
+    if not needs_processing then return nil end
+
+    local codepoints = {}
+    for _, cp in utf8.codes(text) do table.insert(codepoints, cp) end
+
+    local inlines = {}
+    local buf = {}
+
+    local function flush_buf()
+        if #buf > 0 then
+            table.insert(inlines, pandoc.Str(table.concat(buf)))
+            buf = {}
+        end
+    end
+
+    local i = 1
+    while i <= #codepoints do
+        local cp = codepoints[i]
+
+        -- Variation selectors / zero-width joiners / combining enclosing keycap
+        if cp == 0x200D or cp == 0x20E3 or cp == 0xFE0F then
+            i = i + 1
+
+        -- Flag sequences: two consecutive regional-indicator letters → [XX]
+        elseif is_regional_indicator(cp)
+                and i < #codepoints
+                and is_regional_indicator(codepoints[i + 1]) then
+            flush_buf()
+            local a = string.char((cp - REGIONAL_INDICATOR_A) + string.byte('A'))
+            local b = string.char((codepoints[i + 1] - REGIONAL_INDICATOR_A) + string.byte('A'))
+            table.insert(inlines, pandoc.Str('[' .. a .. b .. ']'))
+            i = i + 2
+
+        -- High-plane emoji → [emoji] text marker
+        elseif is_high_plane_emoji(cp) then
+            flush_buf()
+            table.insert(inlines, pandoc.Str('[emoji]'))
+            i = i + 1
+            -- Collapse consecutive emoji into one marker
+            while i <= #codepoints
+                    and (is_high_plane_emoji(codepoints[i])
+                         or codepoints[i] == 0xFE0F
+                         or codepoints[i] == 0x200D) do
+                i = i + 1
+            end
+
+        -- BMP symbols → \textfallback{char} (renders with Noto Sans Symbols 2)
+        elseif is_bmp_symbol(cp) then
+            flush_buf()
+            table.insert(inlines, pandoc.RawInline('latex',
+                '\\textfallback{' .. utf8.char(cp) .. '}'))
+            i = i + 1
+            -- Skip trailing variation selector-16 (e.g. U+FE0F after ⚠)
+            if i <= #codepoints and codepoints[i] == 0xFE0F then i = i + 1 end
+
+        else
+            table.insert(buf, utf8.char(cp))
+            i = i + 1
+        end
+    end
+    flush_buf()
+
+    -- If result is a single identical Str, nothing actually changed.
+    if #inlines == 1 and inlines[1].t == 'Str' and inlines[1].text == text then
+        return nil
+    end
+
+    return inlines
+end
+
+function Str(el)
+    local inlines = text_to_inlines(el.text)
+    if inlines == nil then return nil end
+    return inlines
+end
+
+-- In code spans / code blocks we cannot use \textfallback (verbatim context),
+-- so we simply drop the offending characters to prevent XeLaTeX warnings.
+local function strip_unsupported(el)
+    if FORMAT ~= 'latex' then return nil end
+    local changed = false
+    local out = {}
+    for _, cp in utf8.codes(el.text) do
+        if is_high_plane_emoji(cp) or is_bmp_symbol(cp)
+                or cp == 0x200D or cp == 0x20E3 or cp == 0xFE0F then
+            changed = true
+        else
+            table.insert(out, utf8.char(cp))
+        end
+    end
+    if not changed then return nil end
+    el.text = table.concat(out)
+    return el
+end
+
+function Code(el)     return strip_unsupported(el) end
+function CodeBlock(el) return strip_unsupported(el) end
+EOF
+
 echo "📦 Installing Mermaid CLI (requires Node.js)..."
 if command -v npm &>/dev/null; then
-    npm install -g @mermaid-js/mermaid-cli
-    # Point mmdc at the system Chromium (avoids Puppeteer downloading its own)
-    mkdir -p "$HOME/.config/mermaid"
-    cat > "$HOME/.config/mermaid/puppeteer-config.json" <<'EOF'
-{
-  "executablePath": "/usr/bin/chromium",
-  "args": ["--no-sandbox", "--disable-setuid-sandbox"]
-}
-EOF
+    run_spinner "Mermaid CLI" npm install -g @mermaid-js/mermaid-cli
+    # Create a chromium wrapper that always passes --no-sandbox (required in containers).
+    # This is more robust than configuring mmdc/puppeteer individually — any tool
+    # that launches chromium via PUPPETEER_EXECUTABLE_PATH gets the sandbox flags.
+    sudo tee /usr/local/bin/chromium-no-sandbox > /dev/null <<'WRAPPER'
+#!/bin/sh
+exec /usr/bin/chromium --no-sandbox --disable-setuid-sandbox "$@"
+WRAPPER
+    sudo chmod +x /usr/local/bin/chromium-no-sandbox
+    echo "✓ chromium-no-sandbox wrapper installed"
     if command -v mmdc >/dev/null 2>&1; then
         echo "✓ Mermaid CLI installed: $(command -v mmdc)"
     else
@@ -56,8 +254,12 @@ fi
 
 echo "📦 Writing default pandoc.yaml..."
 mkdir -p "$HOME/.pandoc"
+PANDOC_FILTERS_DIR="$HOME/.pandoc/filters"
 cat > "$HOME/.pandoc/pandoc.yaml" <<'EOF'
 pdf-engine: xelatex
+filters:
+  - __PANDOC_FILTERS_DIR__/emoji-fallback.lua
+  - __PANDOC_FILTERS_DIR__/diagram.lua
 
 variables:
   mainfont: "Carlito"
@@ -82,13 +284,10 @@ variables:
 # toc: true
 # toc-depth: 3
 # number-sections: true
-
-# Uncomment to enable Mermaid/diagram rendering (requires nodejs overlay):
-# lua-filter:
-#   - ~/.pandoc/filters/diagram.lua
 EOF
+sed -i "s|__PANDOC_FILTERS_DIR__|${PANDOC_FILTERS_DIR}|g" "$HOME/.pandoc/pandoc.yaml"
 
 echo ""
 echo "✓ pandoc overlay setup complete"
-echo "ℹ️  Build a PDF:  pandoc -d ~/.pandoc/pandoc.yaml doc.md -o doc.pdf"
-echo "ℹ️  With Mermaid: pandoc -d ~/.pandoc/pandoc.yaml --lua-filter ~/.pandoc/filters/diagram.lua doc.md -o doc.pdf"
+echo "ℹ️  Build a PDF:           pandoc doc.md -o doc.pdf"
+echo "ℹ️  With Mermaid diagrams: pandoc doc.md -o doc.pdf  (diagram.lua enabled by default)"

package/overlays/pandoc/verify.sh

@@ -3,11 +3,23 @@ set -e
 command -v pandoc  || { echo "✗ pandoc not found"; exit 1; }
 command -v xelatex || { echo "✗ xelatex not found"; exit 1; }
 [ -f "$HOME/.pandoc/filters/diagram.lua" ] || { echo "✗ diagram.lua not found"; exit 1; }
-[ -f "$HOME/.pandoc/pandoc.yaml" ]         || { echo "✗ pandoc.yaml not found"; exit 1; }
+[ -f "$HOME/.pandoc/filters/emoji-fallback.lua" ] || { echo "✗ emoji-fallback.lua not found"; exit 1; }
+[ -f "$HOME/.pandoc/pandoc.yaml" ] || { echo "✗ pandoc.yaml not found"; exit 1; }
 
-# Smoke test: render a trivial PDF
-echo "# Test" | pandoc --pdf-engine=xelatex -o /tmp/pandoc-verify-test.pdf && \
-    echo "✓ pandoc PDF smoke test passed" || { echo "✗ pandoc PDF render failed"; exit 1; }
+# Smoke test: render a PDF that includes generic emoji and flag sequences
+# which XeLaTeX can reject without the fallback filter.
+printf '%s\n' \
+    '# Unicode Smoke Test' \
+    '' \
+    'Status icons: ✅ ⚠️ ❌' \
+    'Activity emoji: 🎉 🚀 🧪' \
+    'Flag emoji: 🇺🇸 🇯🇵 🇧🇷' \
+    'Mixed sample: Unicode check 😀' |
+    pandoc -o /tmp/pandoc-verify-test.pdf &&
+    echo "✓ pandoc Unicode PDF smoke test passed" || {
+    echo "✗ pandoc Unicode PDF render failed"
+    exit 1
+}
 
 rm -f /tmp/pandoc-verify-test.pdf
 echo "✓ pandoc overlay: OK"

package/overlays/playwright/devcontainer.patch.json

@@ -5,5 +5,7 @@
             "version": "lts"
         }
     },
-    "postCreateCommand": "npx -y playwright install --with-deps chromium"
+    "postCreateCommand": {
+        "setup-playwright": "bash .devcontainer/scripts/setup-playwright.sh"
+    }
 }

package/overlays/playwright/setup.sh

@@ -0,0 +1,37 @@
+#!/bin/bash
+# Playwright setup script — Install Chromium browser + system dependencies
+
+set -e
+
+# Source shared setup utilities (provides load_nvm, acquire_apt_lock)
+# shellcheck source=setup-utils.sh
+source "$(dirname "${BASH_SOURCE[0]}")/setup-utils.sh"
+load_nvm
+
+echo "🎭 Setting up Playwright..."
+
+# Suppress Playwright's "WARNING: no project dependencies" banner, apt output,
+# and download progress bars.
+export DEBIAN_FRONTEND=noninteractive
+export CI=1  # suppresses interactive warnings inside playwright install
+
+# Install Chromium and its system dependencies.
+# playwright install --with-deps calls apt-get internally; we must hold the
+# shared apt lock so it does not race with other parallel setup scripts.
+acquire_apt_lock
+npx -y playwright install --with-deps chromium 2>&1 \
+    | grep -vEe '^[╔║╚]' \
+               -e '^\|[[:space:]■]*\|' \
+               -e '^(Get:|Fetched|Reading|Building dependency|Processing triggers|Setting up|Preparing to|Selecting previously|Unpacking|Need to get|After this operation|The following )' \
+               -e '(is already the newest version|set to manually installed|npm notice|debconf:|update-alternatives:)' \
+               -e '^\(Reading database'
+rc=${PIPESTATUS[0]}
+release_apt_lock
+
+if [ "$rc" -ne 0 ]; then
+    echo "❌ Playwright browser installation failed (exit $rc)"
+    exit "$rc"
+fi
+
+echo "✓ Playwright setup complete"
+echo "ℹ️  Run 'npx playwright test' to execute tests"

package/overlays/postgres/docker-compose.yml

@@ -14,6 +14,12 @@ services:
             - '${POSTGRES_PORT:-5432}:5432'
         networks:
             - devnet
+        healthcheck:
+            test: ['CMD-SHELL', 'pg_isready -U ${POSTGRES_USER:-postgres} -d ${POSTGRES_DB:-devdb}']
+            interval: 10s
+            timeout: 5s
+            retries: 5
+            start_period: 10s
 
 volumes:
     postgres-data:

package/overlays/powershell/setup.sh

@@ -5,25 +5,61 @@ set -e
 
 echo "🔧 Setting up PowerShell development environment..."
 
-# Verify PowerShell is installed
-if command -v pwsh &> /dev/null; then
-    PWSH_VERSION=$(pwsh -NoProfile -Command '$PSVersionTable.PSVersion.ToString()')
-    echo "✓ PowerShell found: v$PWSH_VERSION"
-else
+# Verify PowerShell is installed and responds within 10 s.
+# If pwsh doesn't respond quickly (e.g. shared library issue, slow startup),
+# there is no point proceeding — all subsequent pwsh calls would also hang.
+if ! command -v pwsh &>/dev/null; then
     echo "⚠️ PowerShell not found"
     exit 1
 fi
 
-# Install common PowerShell modules
-echo "📦 Installing PowerShell modules..."
+# --kill-after ensures pwsh child processes are SIGKILL-ed after grace period.
+PWSH_VERSION=$(timeout --kill-after=5s 10s \
+    pwsh -NoProfile -NonInteractive -Command '$PSVersionTable.PSVersion.ToString()' \
+    2>/dev/null) || true
+
+if [ -z "$PWSH_VERSION" ]; then
+    echo "⚠️ pwsh did not respond within 10 s — skipping module installation"
+    echo "✓ PowerShell setup complete (modules skipped)"
+    exit 0
+fi
 
-# PSScriptAnalyzer (Linting and best practices)
-pwsh -NoProfile -Command 'Install-Module -Name PSScriptAnalyzer -Force -Scope CurrentUser -AllowClobber' || echo "⚠️ PSScriptAnalyzer installation failed"
+echo "✓ PowerShell found: v$PWSH_VERSION"
+
+# Trust PSGallery non-interactively.
+# PowerShell 7+ bundles the NuGet provider — Install-PackageProvider is not
+# needed and will fail with "No match found" on PS7.  Call it only on PS5.
+echo "🔧 Configuring PSGallery..."
+timeout --kill-after=5s 60s \
+    pwsh -NoProfile -NonInteractive -Command '
+        $major = $PSVersionTable.PSVersion.Major
+        if ($major -lt 7) {
+            Install-PackageProvider -Name NuGet -MinimumVersion 2.8.5.201 -Force -Scope CurrentUser | Out-Null
+        }
+        Set-PSRepository -Name PSGallery -InstallationPolicy Trusted
+    ' || echo "⚠️ Failed to configure PSGallery (network may be unavailable) — skipping modules"
+
+# Install common PowerShell modules.
+# Each module runs in its own pwsh call with a per-module timeout so a slow
+# PSGallery download doesn't block the remaining modules.
+echo "📦 Installing PowerShell modules..."
 
-# Pester (Testing framework)
-pwsh -NoProfile -Command 'Install-Module -Name Pester -Force -Scope CurrentUser -AllowClobber -SkipPublisherCheck' || echo "⚠️ Pester installation failed"
+_install_psmodule() {
+    local name="$1"; shift   # remaining args passed as extra Install-Module params
+    local extra="$*"
+    timeout --kill-after=5s 90s \
+        pwsh -NoProfile -NonInteractive -Command "
+            try {
+                Install-Module -Name '$name' -Force -Scope CurrentUser -AllowClobber -Repository PSGallery $extra -ErrorAction Stop
+                Write-Host '  ✓  $name'
+            } catch {
+                Write-Host '  ⚠️  $name failed: ' + \$_
+            }
+        " 2>/dev/null || echo "  ⚠️  $name timed out"
+}
 
-# PowerShellGet (Module management)
-pwsh -NoProfile -Command 'Install-Module -Name PowerShellGet -Force -Scope CurrentUser -AllowClobber' || echo "⚠️ PowerShellGet installation failed"
+_install_psmodule PSScriptAnalyzer
+_install_psmodule Pester           -SkipPublisherCheck
+_install_psmodule PowerShellGet
 
 echo "✓ PowerShell setup complete"

package/overlays/pre-commit/setup.sh

@@ -5,10 +5,19 @@ set -e
 
 echo "🔍 Setting up pre-commit framework..."
 
-# Install pre-commit using pip
-pip install --user pre-commit
+# Install pre-commit — prefer pipx (avoids --user conflicts inside virtualenvs)
+if command -v pipx &> /dev/null; then
+    pipx install pre-commit
+elif command -v pip3 &> /dev/null; then
+    pip3 install pre-commit 2>/dev/null || pip3 install --break-system-packages pre-commit
+elif command -v pip &> /dev/null; then
+    pip install pre-commit 2>/dev/null || pip install --break-system-packages pre-commit
+else
+    echo "✗ No pip/pipx found — cannot install pre-commit"
+    exit 1
+fi
 
-# Add to PATH if not already there
+# pipx installs to ~/.local/bin
 export PATH="$HOME/.local/bin:$PATH"
 
 # Verify installation

package/overlays/prometheus/overlay.yml

@@ -20,3 +20,5 @@ ports:
       path: /
       onAutoForward: openBrowser
 order: 1
+imports:
+    - .shared/otel/instrumentation.env

package/overlays/promtail/verify.sh

@@ -6,19 +6,25 @@ echo "🔍 Verifying Promtail installation..."
 # Track overall success
 ALL_CHECKS_PASSED=true
 
-# Check if Promtail service is running
-if docker ps --format '{{.Names}}' | grep -q promtail; then
-    echo "✓ Promtail service is running"
-else
-    echo "✗ Promtail service is not running"
+# Wait for Promtail /ready endpoint (primary health signal).
+# docker ps is informational only — not reliably accessible in all devcontainers.
+PROMTAIL_READY=false
+for i in {1..40}; do
+    if curl -s -o /dev/null -w "%{http_code}" http://promtail:3101/ready 2>/dev/null | grep -q "200"; then
+        echo "✓ Promtail is ready (HTTP /ready)"
+        PROMTAIL_READY=true
+        break
+    fi
+    sleep 3
+done
+if [ "$PROMTAIL_READY" = false ]; then
+    echo "✗ Promtail /ready endpoint not responding after 120 s (http://promtail:3101/ready)"
     ALL_CHECKS_PASSED=false
 fi
 
-# Check if Promtail can access Docker socket
-if docker exec promtail test -S /var/run/docker.sock 2>/dev/null; then
-    echo "✓ Promtail has access to Docker socket"
-else
-    echo "⚠️ Promtail cannot access Docker socket"
+# Informational: check via docker ps if available.
+if docker ps --format '{{.Names}}' 2>/dev/null | grep -q promtail; then
+    echo "✓ Promtail container visible in docker ps"
 fi
 
 # Final result

package/overlays/pulumi/devcontainer.patch.json

@@ -1,7 +1,7 @@
 {
     "$schema": "https://raw.githubusercontent.com/devcontainers/spec/main/schemas/devContainer.base.schema.json",
     "features": {
-        "ghcr.io/devcontainers/features/pulumi:1": {
+        "ghcr.io/devcontainers-extra/features/pulumi:1": {
             "version": "latest"
         }
     },

package/overlays/python/setup.sh

@@ -13,6 +13,23 @@ WORKSPACE_ROOT="${PWD}"
 VENV_DIR="${WORKSPACE_ROOT}/.venv"
 
 # Create virtual environment if it doesn't exist
+# Helper: validate that the venv's Python interpreter is actually executable.
+# A stale .venv (e.g., leftover from a previous container build) can have a
+# bin/python that is a dangling symlink, causing "cannot execute: required
+# file not found" when pip or other venv scripts are invoked.
+venv_is_valid() {
+    "${VENV_DIR}/bin/python" -c "import sys" &>/dev/null
+}
+
+if [ -d "${VENV_DIR}" ]; then
+    if venv_is_valid; then
+        echo "✓ Virtual environment already exists at .venv"
+    else
+        echo "⚠️  Existing .venv is invalid (stale interpreter), recreating..."
+        rm -rf "${VENV_DIR}"
+    fi
+fi
+
 if [ ! -d "${VENV_DIR}" ]; then
     echo "📦 Creating virtual environment at .venv..."
     if ! command -v python3 >/dev/null 2>&1; then
@@ -21,49 +38,51 @@ if [ ! -d "${VENV_DIR}" ]; then
     fi
     python3 -m venv "${VENV_DIR}"
     echo "✓ Virtual environment created"
-else
-    echo "✓ Virtual environment already exists at .venv"
 fi
 
-# Activate virtual environment
+# Use the venv's Python directly to invoke pip — this is more robust than
+# calling the pip wrapper script, whose shebang can point to a stale path.
+PYTHON="${VENV_DIR}/bin/python"
+
+# Activate virtual environment for PATH and VIRTUAL_ENV
 # shellcheck source=/dev/null
 source "${VENV_DIR}/bin/activate"
 
 # Upgrade pip, setuptools, and wheel inside the venv
 echo "⬆️  Upgrading pip, setuptools, and wheel..."
-pip install --upgrade pip setuptools wheel
+"${PYTHON}" -m pip install --upgrade pip setuptools wheel
 echo "✓ pip, setuptools, and wheel upgraded"
 
 # Install overlay-specific packages (if requirements-overlay.txt exists)
 if [ -f ".devcontainer/requirements-overlay-${OVERLAY_NAME}.txt" ]; then
     echo "📦 Installing overlay packages from requirements-overlay-${OVERLAY_NAME}.txt..."
-    pip install -r ".devcontainer/requirements-overlay-${OVERLAY_NAME}.txt"
+    "${PYTHON}" -m pip install -r ".devcontainer/requirements-overlay-${OVERLAY_NAME}.txt"
     echo "✓ Overlay packages installed"
 fi
 
 # Install from root requirements.txt (project production dependencies)
 if [ -f "requirements.txt" ]; then
     echo "📦 Installing dependencies from requirements.txt..."
-    pip install -r requirements.txt
+    "${PYTHON}" -m pip install -r requirements.txt
     echo "✓ Dependencies installed from requirements.txt"
 fi
 
 # Install from requirements-dev.txt (project development dependencies)
 if [ -f "requirements-dev.txt" ]; then
     echo "📦 Installing dev dependencies from requirements-dev.txt..."
-    pip install -r requirements-dev.txt
+    "${PYTHON}" -m pip install -r requirements-dev.txt
     echo "✓ Dev dependencies installed from requirements-dev.txt"
 fi
 
 # Install project in editable mode if pyproject.toml exists (modern Python projects)
 if [ -f "pyproject.toml" ]; then
     echo "📦 Found pyproject.toml, installing project in editable mode..."
-    pip install -e .
+    "${PYTHON}" -m pip install -e .
     echo "✓ Project installed in editable mode"
 elif [ -f "setup.py" ]; then
     # Fallback for legacy Python projects
     echo "📦 Found setup.py, installing project in editable mode..."
-    pip install -e .
+    "${PYTHON}" -m pip install -e .
     echo "✓ Project installed in editable mode"
 fi
 

package/overlays/python/verify.sh

@@ -18,10 +18,12 @@ else
 fi
 
 # Check pip is installed
+# Use `python3 -m pip` instead of calling pip3 directly — the wrapper script
+# inside a .venv has a shebang that can point to a stale interpreter path.
 echo ""
 echo "2️⃣ Checking pip..."
-if command -v pip3 &> /dev/null; then
-    pip3 --version
+if python3 -m pip --version &> /dev/null; then
+    python3 -m pip --version
     echo "   ✅ pip found"
 else
     echo "   ❌ pip not found"

package/overlays/redpanda/docker-compose.yml

@@ -43,15 +43,13 @@ services:
             CONSOLE_CONFIG_FILE: |
                 kafka:
                   brokers: ["redpanda:9092"]
-                  schemaRegistry:
-                    enabled: true
-                    urls: ["http://redpanda:8081"]
+                schemaRegistry:
+                  enabled: true
+                  urls: ["http://redpanda:8081"]
                 redpanda:
                   adminApi:
                     enabled: true
                     urls: ["http://redpanda:9644"]
-                connect:
-                  enabled: false
         ports:
             - '${REDPANDA_CONSOLE_PORT:-8080}:8080'
         networks: