npm - container-superposition - Versions diffs - 0.1.6 → 0.1.8 - Mend

container-superposition 0.1.6 → 0.1.8

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (238) hide show

package/README.md +24 -15
package/dist/scripts/init.js +1 -1534
package/dist/scripts/init.js.map +1 -1
package/dist/tool/cli/args.d.ts +20 -0
package/dist/tool/cli/args.d.ts.map +1 -0
package/dist/tool/cli/args.js +325 -0
package/dist/tool/cli/args.js.map +1 -0
package/dist/tool/cli/run.d.ts +2 -0
package/dist/tool/cli/run.d.ts.map +1 -0
package/dist/tool/cli/run.js +318 -0
package/dist/tool/cli/run.js.map +1 -0
package/dist/tool/commands/adopt.d.ts.map +1 -1
package/dist/tool/commands/adopt.js +1 -27
package/dist/tool/commands/adopt.js.map +1 -1
package/dist/tool/commands/doctor.d.ts +3 -0
package/dist/tool/commands/doctor.d.ts.map +1 -1
package/dist/tool/commands/doctor.js +1068 -70
package/dist/tool/commands/doctor.js.map +1 -1
package/dist/tool/commands/explain.d.ts.map +1 -1
package/dist/tool/commands/explain.js +18 -0
package/dist/tool/commands/explain.js.map +1 -1
package/dist/tool/commands/migrate.d.ts +7 -0
package/dist/tool/commands/migrate.d.ts.map +1 -0
package/dist/tool/commands/migrate.js +52 -0
package/dist/tool/commands/migrate.js.map +1 -0
package/dist/tool/questionnaire/answers.d.ts +16 -0
package/dist/tool/questionnaire/answers.d.ts.map +1 -0
package/dist/tool/questionnaire/answers.js +102 -0
package/dist/tool/questionnaire/answers.js.map +1 -0
package/dist/tool/questionnaire/composer.d.ts +3 -3
package/dist/tool/questionnaire/composer.d.ts.map +1 -1
package/dist/tool/questionnaire/composer.js +902 -37
package/dist/tool/questionnaire/composer.js.map +1 -1
package/dist/tool/questionnaire/presets.d.ts +60 -0
package/dist/tool/questionnaire/presets.d.ts.map +1 -0
package/dist/tool/questionnaire/presets.js +164 -0
package/dist/tool/questionnaire/presets.js.map +1 -0
package/dist/tool/questionnaire/questionnaire.d.ts +10 -0
package/dist/tool/questionnaire/questionnaire.d.ts.map +1 -0
package/dist/tool/questionnaire/questionnaire.js +580 -0
package/dist/tool/questionnaire/questionnaire.js.map +1 -0
package/dist/tool/schema/manifest-migrations.d.ts +5 -0
package/dist/tool/schema/manifest-migrations.d.ts.map +1 -1
package/dist/tool/schema/manifest-migrations.js +45 -0
package/dist/tool/schema/manifest-migrations.js.map +1 -1
package/dist/tool/schema/overlay-loader.d.ts.map +1 -1
package/dist/tool/schema/overlay-loader.js +25 -0
package/dist/tool/schema/overlay-loader.js.map +1 -1
package/dist/tool/schema/project-config.d.ts +14 -2
package/dist/tool/schema/project-config.d.ts.map +1 -1
package/dist/tool/schema/project-config.js +277 -34
package/dist/tool/schema/project-config.js.map +1 -1
package/dist/tool/schema/target-rules.d.ts +78 -0
package/dist/tool/schema/target-rules.d.ts.map +1 -0
package/dist/tool/schema/target-rules.js +367 -0
package/dist/tool/schema/target-rules.js.map +1 -0
package/dist/tool/schema/types.d.ts +123 -12
package/dist/tool/schema/types.d.ts.map +1 -1
package/dist/tool/utils/merge.d.ts.map +1 -1
package/dist/tool/utils/merge.js +9 -0
package/dist/tool/utils/merge.js.map +1 -1
package/dist/tool/utils/parameters.d.ts +76 -0
package/dist/tool/utils/parameters.d.ts.map +1 -0
package/dist/tool/utils/parameters.js +125 -0
package/dist/tool/utils/parameters.js.map +1 -0
package/dist/tool/utils/paths.d.ts +2 -0
package/dist/tool/utils/paths.d.ts.map +1 -0
package/dist/tool/utils/paths.js +31 -0
package/dist/tool/utils/paths.js.map +1 -0
package/docs/creating-overlays.md +151 -2
package/docs/deployment-targets.md +88 -56
package/docs/examples.md +20 -17
package/docs/filesystem-contract.md +5 -0
package/docs/minimal-and-editor.md +65 -5
package/docs/overlay-imports.md +202 -101
package/docs/overlays.md +162 -34
package/docs/quick-reference.md +99 -0
package/docs/specs/003-mkdocs2-overlay/spec.md +114 -0
package/docs/specs/004-doctor-fix/spec.md +70 -0
package/docs/specs/005-cuda-overlay/spec.md +101 -0
package/docs/specs/006-rocm-overlay/spec.md +109 -0
package/docs/specs/007-init-project-file/spec.md +66 -0
package/docs/specs/007-target-aware-generation/spec.md +126 -0
package/docs/specs/008-project-file-canonical/spec.md +83 -0
package/docs/specs/009-project-env/spec.md +147 -0
package/docs/specs/010-compose-env-materialization/spec.md +130 -0
package/docs/specs/011-overlay-parameters/spec.md +235 -0
package/overlays/.shared/README.md +105 -21
package/overlays/.shared/compose/common-healthchecks.md +60 -0
package/overlays/.shared/compose/nvidia-gpu-devcontainer.yml +22 -0
package/overlays/.shared/vscode/recommended-extensions.json +15 -11
package/overlays/alertmanager/setup.sh +4 -19
package/overlays/alertmanager/verify.sh +8 -9
package/overlays/all/README.md +43 -0
package/overlays/all/devcontainer.patch.json +6 -0
package/overlays/all/overlay.yml +14 -0
package/overlays/amp/setup.sh +5 -0
package/overlays/bun/setup.sh +10 -1
package/overlays/bun/verify.sh +6 -1
package/overlays/claude-code/setup.sh +5 -0
package/overlays/cloudflared/setup.sh +9 -12
package/overlays/codex/README.md +9 -6
package/overlays/codex/devcontainer.patch.json +7 -1
package/overlays/codex/setup.sh +5 -0
package/overlays/codex/verify.sh +8 -0
package/overlays/comfyui/.env.example +34 -0
package/overlays/comfyui/README.md +342 -0
package/overlays/comfyui/devcontainer.patch.json +15 -0
package/overlays/comfyui/docker-compose.yml +39 -0
package/overlays/comfyui/overlay.yml +20 -0
package/overlays/comfyui/setup.sh +36 -0
package/overlays/comfyui/verify.sh +103 -0
package/overlays/commitlint/setup.sh +5 -0
package/overlays/cuda/README.md +179 -0
package/overlays/cuda/devcontainer.patch.json +7 -0
package/overlays/cuda/overlay.yml +17 -0
package/overlays/cuda/setup.sh +32 -0
package/overlays/cuda/verify.sh +38 -0
package/overlays/devcontainer-cli/README.md +50 -0
package/overlays/devcontainer-cli/devcontainer.patch.json +13 -0
package/overlays/devcontainer-cli/overlay.yml +16 -0
package/overlays/devcontainer-cli/setup.sh +14 -0
package/overlays/direnv/devcontainer.patch.json +6 -0
package/overlays/direnv/setup.sh +7 -6
package/overlays/dotnet/setup.sh +14 -7
package/overlays/duckdb/devcontainer.patch.json +1 -2
package/overlays/gcloud/devcontainer.patch.json +0 -6
package/overlays/gcloud/setup.sh +51 -0
package/overlays/gemini-cli/setup.sh +5 -0
package/overlays/git-helpers/devcontainer.patch.json +2 -1
package/overlays/go/setup.sh +15 -14
package/overlays/jaeger/overlay.yml +2 -0
package/overlays/just/setup.sh +5 -17
package/overlays/k3d/README.md +201 -0
package/overlays/k3d/devcontainer.patch.json +9 -0
package/overlays/k3d/overlay.yml +19 -0
package/overlays/k3d/setup.sh +34 -0
package/overlays/k3d/verify.sh +38 -0
package/overlays/keycloak/docker-compose.yml +6 -4
package/overlays/keycloak/verify.sh +4 -3
package/overlays/kind/devcontainer.patch.json +1 -2
package/overlays/kind/setup.sh +8 -17
package/overlays/minio/setup.sh +10 -18
package/overlays/mkdocs/overlay.yml +2 -1
package/overlays/mkdocs2/README.md +135 -0
package/overlays/mkdocs2/devcontainer.patch.json +19 -0
package/overlays/mkdocs2/overlay.yml +17 -0
package/overlays/mkdocs2/setup.sh +67 -0
package/overlays/mkdocs2/verify.sh +35 -0
package/overlays/modern-cli-tools/devcontainer.patch.json +7 -1
package/overlays/modern-cli-tools/setup.sh +21 -71
package/overlays/mongodb/devcontainer.patch.json +0 -6
package/overlays/mongodb/setup.sh +59 -0
package/overlays/mysql/verify.sh +4 -3
package/overlays/nats/.env.example +1 -1
package/overlays/nats/README.md +1 -1
package/overlays/nats/docker-compose.yml +1 -1
package/overlays/ngrok/setup.sh +9 -6
package/overlays/nodejs/setup.sh +5 -0
package/overlays/ollama/.env.example +14 -0
package/overlays/ollama/README.md +325 -0
package/overlays/ollama/devcontainer.patch.json +14 -0
package/overlays/ollama/docker-compose.yml +24 -0
package/overlays/ollama/overlay.yml +22 -0
package/overlays/ollama/setup.sh +106 -0
package/overlays/ollama/verify.sh +99 -0
package/overlays/open-webui/.env.example +5 -0
package/overlays/open-webui/README.md +162 -0
package/overlays/open-webui/devcontainer.patch.json +14 -0
package/overlays/open-webui/docker-compose.yml +23 -0
package/overlays/open-webui/overlay.yml +38 -0
package/overlays/openapi-tools/devcontainer.patch.json +1 -2
package/overlays/openapi-tools/setup.sh +9 -8
package/overlays/opencode/setup.sh +5 -0
package/overlays/otel-collector/overlay.yml +2 -0
package/overlays/otel-collector/setup.sh +3 -16
package/overlays/otel-demo-nodejs/verify.sh +8 -9
package/overlays/otel-demo-python/verify.sh +16 -10
package/overlays/pandoc/README.md +22 -15
package/overlays/pandoc/devcontainer.patch.json +6 -2
package/overlays/pandoc/setup.sh +217 -18
package/overlays/pandoc/verify.sh +16 -4
package/overlays/pgvector/.env.example +6 -0
package/overlays/pgvector/README.md +215 -0
package/overlays/pgvector/devcontainer.patch.json +23 -0
package/overlays/pgvector/docker-compose.yml +32 -0
package/overlays/pgvector/overlay.yml +44 -0
package/overlays/playwright/devcontainer.patch.json +3 -1
package/overlays/playwright/setup.sh +37 -0
package/overlays/postgres/.env.example +5 -5
package/overlays/postgres/devcontainer.patch.json +4 -4
package/overlays/postgres/docker-compose.yml +15 -5
package/overlays/postgres/overlay.yml +19 -1
package/overlays/powershell/setup.sh +49 -13
package/overlays/pre-commit/setup.sh +12 -3
package/overlays/prometheus/overlay.yml +2 -0
package/overlays/promtail/verify.sh +16 -10
package/overlays/pulumi/devcontainer.patch.json +1 -1
package/overlays/python/setup.sh +28 -9
package/overlays/python/verify.sh +4 -2
package/overlays/qdrant/.env.example +4 -0
package/overlays/qdrant/README.md +216 -0
package/overlays/qdrant/devcontainer.patch.json +20 -0
package/overlays/qdrant/docker-compose.yml +25 -0
package/overlays/qdrant/overlay.yml +40 -0
package/overlays/redpanda/docker-compose.yml +3 -5
package/overlays/rocm/README.md +227 -0
package/overlays/rocm/devcontainer.patch.json +4 -0
package/overlays/rocm/overlay.yml +17 -0
package/overlays/rocm/setup.sh +45 -0
package/overlays/rocm/verify.sh +47 -0
package/overlays/rust/setup.sh +11 -18
package/overlays/skaffold/README.md +256 -0
package/overlays/skaffold/devcontainer.patch.json +9 -0
package/overlays/skaffold/overlay.yml +20 -0
package/overlays/skaffold/setup.sh +33 -0
package/overlays/skaffold/verify.sh +24 -0
package/overlays/spec-kit/setup.sh +7 -3
package/overlays/sqlite/setup.sh +14 -14
package/overlays/sqlserver/docker-compose.yml +3 -3
package/overlays/sqlserver/verify.sh +22 -5
package/overlays/tempo/verify.sh +16 -10
package/overlays/tilt/devcontainer.patch.json +1 -2
package/overlays/tilt/setup.sh +14 -4
package/overlays/windsurf-cli/setup.sh +27 -4
package/overlays/windsurf-cli/verify.sh +13 -3
package/package.json +4 -2
package/templates/scripts/setup-utils.sh +228 -0
package/tool/schema/config.schema.json +141 -9
package/tool/schema/overlay-manifest.schema.json +38 -0
package/overlays/.shared/compose/common-healthchecks.yml +0 -38
/package/overlays/otel-demo-nodejs/{Dockerfile-otel-demo-nodejs → Dockerfile} +0 -0
/package/overlays/otel-demo-nodejs/{package-otel-demo-nodejs.json → package.json} +0 -0
/package/overlays/otel-demo-nodejs/{server-otel-demo-nodejs.js → server.js} +0 -0
/package/overlays/otel-demo-nodejs/{tracing-otel-demo-nodejs.js → tracing.js} +0 -0
/package/overlays/otel-demo-python/{Dockerfile-otel-demo-python → Dockerfile} +0 -0
/package/overlays/otel-demo-python/{app-otel-demo-python.py → app.py} +0 -0
/package/overlays/otel-demo-python/{requirements-otel-demo-python.txt → requirements.txt} +0 -0

package/docs/overlay-imports.md CHANGED Viewed

@@ -4,29 +4,39 @@ Overlays can import shared configuration fragments from `overlays/.shared/` to r
 ## Overview
-Import functionality allows overlays to reference common configuration files instead of duplicating them in every overlay. This promotes DRY (Don't Repeat Yourself) principles and makes it easier to maintain consistent patterns.
+The import mechanism allows overlays to reference common configuration files instead of duplicating them. This promotes DRY principles and makes it easier to maintain consistent patterns.
+Two import fields are supported in `overlay.yml`:
+- **`imports:`** — shared devcontainer patch fragments (`.json`, `.yaml`, `.env`) applied before the overlay's own `devcontainer.patch.json`
+- **`compose_imports:`** — shared docker-compose YAML fragments (`.yml`, `.yaml`) deep-merged into `docker-compose.yml` before the overlay's own `docker-compose.yml`
 ## Shared Directory Structure
 ```
 overlays/
 ├── .shared/
-│   ├── otel/                           # OpenTelemetry configurations
-│   │   ├── otel-base-config.yaml      # Base OTEL collector config
-│   │   └── instrumentation.env        # Common env vars for instrumentation
-│   ├── compose/                        # Docker Compose patterns
-│   │   └── common-healthchecks.yml    # Standard healthcheck configurations
-│   └── vscode/                         # VS Code extension sets
-│       └── recommended-extensions.json # Commonly recommended extensions
+│   ├── README.md
+│   ├── otel/
+│   │   ├── instrumentation.env              # OTEL SDK env vars — imported by otel-collector, prometheus, jaeger
+│   │   └── otel-base-config.yaml            # Base OTEL collector pipeline config
+│   ├── compose/
+│   │   ├── nvidia-gpu-devcontainer.yml      # NVIDIA GPU passthrough for the devcontainer service
+│   │   └── common-healthchecks.md           # Standard Docker Compose healthcheck patterns (reference only)
+│   └── vscode/
+│       └── recommended-extensions.json      # Commonly recommended VS Code extensions (devcontainer patch format)
 ├── prometheus/
-│   ├── overlay.yml                     # Can import from .shared/
+│   ├── overlay.yml                          # imports: [.shared/otel/instrumentation.env]
+│   └── devcontainer.patch.json
+├── jaeger/
+│   ├── overlay.yml                          # imports: [.shared/otel/instrumentation.env]
 │   └── devcontainer.patch.json
-└── jaeger/
-    ├── overlay.yml                     # Can import from .shared/
-    └── devcontainer.patch.json
+└── ollama/
+    ├── overlay.yml                          # compose_imports: [.shared/compose/nvidia-gpu-devcontainer.yml]
+    └── docker-compose.yml
 ```
-## Using Imports
+## Using `imports` (devcontainer patch fragments)
 Add the `imports` field to your `overlay.yml` manifest:
@@ -48,101 +58,186 @@ ports:
     - 9090
 imports:
     - .shared/otel/instrumentation.env
-    - .shared/compose/common-healthchecks.yml
 ```
+**Rules:**
+- All paths **must** begin with `.shared/` — references outside `.shared/` are rejected (path traversal prevention)
+- Paths are relative to `overlays/`
+- Order is significant — fragments are applied in declaration order, then the overlay's own `devcontainer.patch.json`
+- Missing files, unsupported types, or path traversal attempts cause generation to fail with a message identifying the overlay and the broken reference
+## Using `compose_imports` (docker-compose fragments)
+Add the `compose_imports` field to your `overlay.yml` manifest to merge shared docker-compose YAML fragments into the generated `docker-compose.yml`:
+```yaml
+id: ollama
+name: Ollama
+# ... other fields ...
+compose_imports:
+    - .shared/compose/nvidia-gpu-devcontainer.yml
+```
+**Rules:**
+- All paths **must** begin with `.shared/` (same path traversal rules as `imports`)
+- Files must be `.yml` or `.yaml`
+- Fragments are deep-merged in declaration order, then the overlay's own `docker-compose.yml` is merged last (overlay wins on conflict)
+- Missing files, wrong types, or traversal attempts cause generation to fail
 ## Supported File Types
-### JSON Files (`.json`)
+### `imports:` — devcontainer patch fragments
+| Extension        | How it is merged                                                               |
+| ---------------- | ------------------------------------------------------------------------------ |
+| `.json`          | Deep-merged into `devcontainer.json` patch (same as `devcontainer.patch.json`) |
+| `.yaml` / `.yml` | Loaded and deep-merged into `devcontainer.json` patch                          |
+| `.env`           | Concatenated into `.env.example` with a `# from .shared/…` comment header      |
+| Anything else    | Rejected with a clear unsupported-type error                                   |
+### `compose_imports:` — docker-compose fragments
-Merged as devcontainer patches, just like `devcontainer.patch.json`.
+| Extension        | How it is merged                                                            |
+| ---------------- | --------------------------------------------------------------------------- |
+| `.yaml` / `.yml` | Deep-merged into `docker-compose.yml` before the overlay's own compose file |
+| Anything else    | Rejected with a clear unsupported-type error                                |
-**Example: `.shared/vscode/recommended-extensions.json`**
+### JSON import example
-```json
+```jsonc
+// overlays/.shared/vscode/recommended-extensions.json
 {
+    "$schema": "https://raw.githubusercontent.com/devcontainers/spec/main/schemas/devContainer.base.schema.json",
     "customizations": {
         "vscode": {
             "extensions": [
                 "streetsidesoftware.code-spell-checker",
                 "usernamehw.errorlens",
-                "editorconfig.editorconfig"
-            ]
-        }
-    }
+                "eamodio.gitlens",
+            ],
+        },
+    },
 }
 ```
-### YAML Files (`.yaml`, `.yml`)
-Loaded and merged as devcontainer patches. Useful for complex configurations.
-**Example: `.shared/otel/otel-base-config.yaml`**
+### YAML devcontainer import example
 ```yaml
-receivers:
-    otlp:
-        protocols:
-            grpc:
-                endpoint: 0.0.0.0:4317
-            http:
-                endpoint: 0.0.0.0:4318
+# overlays/.shared/otel/otel-base-config.yaml
+remoteEnv:
+    OTEL_SERVICE_NAME: my-service
+    OTEL_EXPORTER_OTLP_ENDPOINT: http://otel-collector:4317
 ```
-### Environment Files (`.env`)
+### ENV import example
-Merged into `.env.example` with a comment indicating the import source.
+```bash
+# overlays/.shared/otel/instrumentation.env
+# OpenTelemetry SDK Configuration
+OTEL_SERVICE_NAME=my-service
+OTEL_EXPORTER_OTLP_ENDPOINT=http://otel-collector:4317
+OTEL_EXPORTER_OTLP_PROTOCOL=grpc
+OTEL_TRACES_SAMPLER=always_on
+OTEL_TRACES_EXPORTER=otlp
+OTEL_METRICS_EXPORTER=otlp
+OTEL_LOGS_EXPORTER=otlp
+```
-**Example: `.shared/otel/instrumentation.env`**
+When this `.env` fragment is imported, the generated `.env.example` will contain:
 ```bash
-# OpenTelemetry Configuration
+# from .shared/otel/instrumentation.env
 OTEL_SERVICE_NAME=my-service
 OTEL_EXPORTER_OTLP_ENDPOINT=http://otel-collector:4317
-OTEL_TRACES_SAMPLER=always_on
+...
 ```
-## How Imports Work
+### YAML compose_import example
-1. **Resolution**: Imports are resolved relative to the `overlays/` directory
-2. **Order**: Imports are applied in the order listed, then the overlay's own files
-3. **Merging**:
-    - JSON/YAML: Deep merged into devcontainer configuration
-    - ENV: Concatenated into `.env.example` with source comments
-4. **Validation**: Doctor command validates that all imports exist and are valid
+```yaml
+# overlays/.shared/compose/nvidia-gpu-devcontainer.yml
+services:
+    devcontainer:
+        deploy:
+            resources:
+                reservations:
+                    devices:
+                        - driver: nvidia
+                          count: all
+                          capabilities: [gpu]
+```
-## Benefits
+When this fragment is imported via `compose_imports`, the generated `docker-compose.yml` will include the `deploy` block on the `devcontainer` service merged with contributions from all other overlays.
-### Reduced Duplication
+## Import Ordering and Conflict Resolution
-Before imports:
+### `imports` ordering
+Imports are applied in declaration order, then the overlay's own `devcontainer.patch.json` is applied last:
 ```
-prometheus/devcontainer.patch.json  (200 lines with OTEL config)
-jaeger/devcontainer.patch.json      (200 lines with OTEL config)
-grafana/devcontainer.patch.json     (200 lines with OTEL config)
+[import 1] → [import 2] → … → [import N] → [overlay own patch]
 ```
-After imports:
+- The **second** import wins over the first on key conflict
+- The **overlay's own patch always wins** over any shared fragment
+This means overlays can intentionally override shared defaults by setting the same key in their `devcontainer.patch.json`.
+### `compose_imports` ordering
+For each overlay, compose fragments are merged before the overlay's own `docker-compose.yml`, in this order:
 ```
-.shared/otel/otel-base-config.yaml  (50 lines, shared)
-prometheus/overlay.yml              (imports: [.shared/otel/otel-base-config.yaml])
-jaeger/overlay.yml                  (imports: [.shared/otel/otel-base-config.yaml])
-grafana/overlay.yml                 (imports: [.shared/otel/otel-base-config.yaml])
+[base template compose] → [overlay 1 compose_imports] → [overlay 1 docker-compose.yml] → [overlay 2 compose_imports] → [overlay 2 docker-compose.yml] → …
 ```
-### Consistency
+- Each overlay's `docker-compose.yml` wins over its own `compose_imports`
+- Later overlays win over earlier overlays on key conflict
+## Worked Example: OTEL Instrumentation
-All overlays using the same shared config stay in sync automatically.
+Many observability overlays need OTEL environment variables. With imports, these are defined once:
-### Maintainability
+**`overlays/.shared/otel/instrumentation.env`** — shared once
-Update shared configuration once, all importing overlays benefit.
+**`overlays/otel-collector/overlay.yml`:**
-## Validation
+```yaml
+imports:
+    - .shared/otel/instrumentation.env
+```
-The `doctor` command validates imports:
+**`overlays/prometheus/overlay.yml`:**
+```yaml
+imports:
+    - .shared/otel/instrumentation.env
+```
+**`overlays/jaeger/overlay.yml`:**
+```yaml
+imports:
+    - .shared/otel/instrumentation.env
+```
+When any of these overlays is used, the generated `.env.example` will contain the OTEL environment variables with a comment indicating they came from the shared fragment.
+## Security: Path Traversal Prevention
+Import paths are validated before any file is read:
+1. The path **must** begin with `.shared/`
+2. The resolved absolute path **must** remain inside `overlays/.shared/`
+Any import that fails either check causes generation to abort with an error identifying the overlay and the rejected path. References like `../secret.json`, `/etc/passwd`, or `other-overlay/file.json` are all rejected.
+## Validation via Doctor
+The `doctor` command validates all imports for every overlay:
 ```bash
 container-superposition doctor
@@ -150,60 +245,66 @@ container-superposition doctor
 Checks performed:
-- Import files exist
-- File types are supported (`.json`, `.yaml`, `.yml`, `.env`)
-- No broken import references
+- Import path starts with `.shared/` (path traversal check)
+- Import path resolves within `overlays/.shared/` (traversal check)
+- Import file exists on disk
+- File type is one of `.json`, `.yaml`, `.yml`, `.env` (for `imports:`)
+- File type is one of `.yaml`, `.yml` (for `compose_imports:`)
-## Creating Shared Configurations
+Broken references are reported with the overlay ID and the bad path so maintainers can fix them quickly.
-1. **Identify common patterns** across overlays
-2. **Extract to `.shared/` subdirectory** with descriptive path
-3. **Update overlays** to import the shared file
-4. **Test** that composition works correctly
-5. **Document** the shared file's purpose in `.shared/README.md`
+## Viewing Imports in `explain`
-## Example: OTEL Instrumentation
+When an overlay has imports, they are shown in the `explain` output:
-Many observability overlays need OTEL instrumentation. Instead of duplicating these environment variables:
+```bash
+container-superposition explain prometheus
+```
+```
+Shared Imports:
+  (Fragments from overlays/.shared/ applied before this overlay)
+  📎 .shared/otel/instrumentation.env
+```
-**Create:** `overlays/.shared/otel/instrumentation.env`
+When an overlay has compose_imports, they are also shown:
 ```bash
-# OpenTelemetry SDK Configuration
-OTEL_SERVICE_NAME=my-service
-OTEL_EXPORTER_OTLP_ENDPOINT=http://otel-collector:4317
-OTEL_EXPORTER_OTLP_PROTOCOL=grpc
-OTEL_RESOURCE_ATTRIBUTES=deployment.environment=development
-OTEL_TRACES_SAMPLER=always_on
-OTEL_TRACES_EXPORTER=otlp
-OTEL_METRICS_EXPORTER=otlp
-OTEL_LOGS_EXPORTER=otlp
+container-superposition explain ollama
+```
+```
+Shared Compose Imports:
+  (docker-compose fragments from overlays/.shared/ merged before this overlay)
+  🐳 .shared/compose/nvidia-gpu-devcontainer.yml
 ```
-**Import in overlays:**
+## Creating Shared Configurations
-```yaml
-# overlays/prometheus/overlay.yml
-imports:
-    - .shared/otel/instrumentation.env
+1. **Identify common patterns** across multiple overlays
+2. **Create `overlays/.shared/<category>/<name>.<ext>`** — use descriptive paths, one concern per file
+3. **Update overlays** to reference the fragment via `imports:` or `compose_imports:` in their `overlay.yml`
+4. **Update `.shared/README.md`** to document the fragment's purpose and which overlays use it
+5. **Test** with `npm test` and `container-superposition doctor` to verify
-# overlays/jaeger/overlay.yml
-imports:
-    - .shared/otel/instrumentation.env
-```
+## Downstream Impact Awareness
+A single change to a shared fragment affects every overlay that imports it. Before editing a shared fragment:
-Now all OTEL-compatible overlays share the same instrumentation configuration!
+- Check `.shared/README.md` to see which overlays import it
+- Use `grep -r "fragment-name" overlays/*/overlay.yml` to find all importers
+- Run the full test suite after any shared fragment change
 ## Best Practices
-1. **Keep shared files focused** - One concern per file
-2. **Use descriptive paths** - `.shared/otel/instrumentation.env` not `.shared/env1.env`
-3. **Document shared files** - Add comments explaining purpose and usage
-4. **Version carefully** - Changes to shared files affect all importing overlays
-5. **Test imports** - Verify overlay composition works after adding imports
+1. **One concern per file** — `instrumentation.env` not `all-the-things.env`
+2. **Descriptive category paths** — `.shared/otel/` not `.shared/misc/`
+3. **Comment your fragments** — explain purpose and usage at the top of each file
+4. **Keep fragments small** — big shared files create tight coupling
+5. **Overlay-specific overrides are fine** — an overlay's own patch always wins; diverging from a shared baseline is expected and supported
 ## See Also
 - [Creating Overlays](creating-overlays.md)
-- [Overlay Metadata](overlay-metadata-archive.md)
-- [Doctor Command](../README.md#doctor-command)
+- `overlays/.shared/README.md` — shared fragment catalogue with usage details
+- CONTRIBUTING.md — overlay authoring guide