envseed 0.1.0

package/lib/container-replicator.mjs

@@ -0,0 +1,690 @@
+#!/usr/bin/env node
+
+/**
+ * Container Replicator — on positive detection, spins up Docker to replicate
+ * the project environment in a container. Tries existing Dockerfile/.devcontainer
+ * first; falls back to a fresh node container. Runs Claude Opus 4.6 inside
+ * with --dangerously-skip-permissions to get the env working, then saves the
+ * resulting container files as the reusable base for layered agent simulations.
+ *
+ * Usage: node container-replicator.mjs <base64-encoded JSON payload>
+ *   payload: { cwd, sessionId, assessment }
+ */
+
+import fs from 'node:fs';
+import path from 'node:path';
+import { execSync, spawn } from 'node:child_process';
+import { DATA_DIR, INSTALL_DIR } from './utils.mjs';
+import { launchRedactionReview } from './redaction-review.mjs';
+
+const REPLICAS_DIR = path.join(DATA_DIR, 'replicas');
+const LOCK_DIR = path.join(DATA_DIR, '.locks');
+
+function ensureDir(dir) {
+  if (!fs.existsSync(dir)) fs.mkdirSync(dir, { recursive: true });
+}
+
+function loadConfig() {
+  try {
+    return JSON.parse(fs.readFileSync(path.join(INSTALL_DIR, 'config.json'), 'utf8'));
+  } catch { return {}; }
+}
+
+function loadApiKeys() {
+  const envFile = path.join(process.env.HOME, '.config', 'api-keys', '.env');
+  const keys = {};
+  try {
+    const content = fs.readFileSync(envFile, 'utf8');
+    for (const line of content.split('\n')) {
+      const match = line.match(/^([A-Z_]+)=(.+)$/);
+      if (match) keys[match[1]] = match[2].trim();
+    }
+  } catch {}
+  return keys;
+}
+
+/**
+ * Check if Docker is available and running.
+ */
+function checkDocker() {
+  try {
+    execSync('docker info', { stdio: 'pipe', timeout: 10_000 });
+    return true;
+  } catch {
+    return false;
+  }
+}
+
+/**
+ * Generate a deterministic replica ID from the project CWD.
+ * Same project dir always maps to the same replica so we don't duplicate work.
+ */
+function replicaId(cwd) {
+  // Simple hash of cwd path
+  let hash = 0;
+  for (let i = 0; i < cwd.length; i++) {
+    hash = ((hash << 5) - hash + cwd.charCodeAt(i)) | 0;
+  }
+  const hexHash = Math.abs(hash).toString(16).padStart(8, '0');
+  const dirName = path.basename(cwd).replace(/[^a-zA-Z0-9_-]/g, '_');
+  return `${dirName}_${hexHash}`;
+}
+
+/**
+ * Acquire a lock to prevent concurrent replication of the same project.
+ * Returns true if lock acquired, false if already locked.
+ */
+function acquireLock(id) {
+  ensureDir(LOCK_DIR);
+  const lockFile = path.join(LOCK_DIR, `replica_${id}.lock`);
+  try {
+    if (fs.existsSync(lockFile)) {
+      const lockData = JSON.parse(fs.readFileSync(lockFile, 'utf8'));
+      const age = Date.now() - new Date(lockData.timestamp).getTime();
+      // Stale lock (older than 30 min) — reclaim
+      if (age > 30 * 60 * 1000) {
+        fs.unlinkSync(lockFile);
+      } else {
+        return false; // Already running
+      }
+    }
+    fs.writeFileSync(lockFile, JSON.stringify({
+      pid: process.pid,
+      timestamp: new Date().toISOString(),
+    }));
+    return true;
+  } catch {
+    return false;
+  }
+}
+
+function releaseLock(id) {
+  try {
+    fs.unlinkSync(path.join(LOCK_DIR, `replica_${id}.lock`));
+  } catch {}
+}
+
+/**
+ * Detect existing container configuration in the project.
+ * Returns { type, path } or null.
+ */
+function detectExistingContainerConfig(cwd) {
+  // Check for devcontainer (VS Code / GitHub Codespaces style)
+  const devcontainerJson = path.join(cwd, '.devcontainer', 'devcontainer.json');
+  const devcontainerDockerfile = path.join(cwd, '.devcontainer', 'Dockerfile');
+  if (fs.existsSync(devcontainerJson)) {
+    return {
+      type: 'devcontainer',
+      configPath: devcontainerJson,
+      dockerfilePath: fs.existsSync(devcontainerDockerfile) ? devcontainerDockerfile : null,
+    };
+  }
+
+  // Check for docker-compose
+  for (const name of ['docker-compose.yml', 'docker-compose.yaml', 'compose.yml', 'compose.yaml']) {
+    const composePath = path.join(cwd, name);
+    if (fs.existsSync(composePath)) {
+      return { type: 'compose', configPath: composePath };
+    }
+  }
+
+  // Check for Dockerfile
+  const dockerfile = path.join(cwd, 'Dockerfile');
+  if (fs.existsSync(dockerfile)) {
+    return { type: 'dockerfile', configPath: dockerfile };
+  }
+
+  return null;
+}
+
+/**
+ * Try to build and run using the project's existing container config.
+ * Returns { success, containerId, imageName } or { success: false, error }.
+ */
+function tryExistingConfig(config, cwd, replicaDir) {
+  const imageName = `propensity-replica-existing-${path.basename(cwd).toLowerCase().replace(/[^a-z0-9]/g, '-')}`;
+
+  if (config.type === 'devcontainer') {
+    // Try using devcontainer CLI if available, otherwise build the Dockerfile directly
+    if (config.dockerfilePath) {
+      try {
+        execSync(`docker build -t "${imageName}" -f "${config.dockerfilePath}" "${path.dirname(config.configPath)}"`, {
+          stdio: 'pipe',
+          timeout: 300_000,
+          cwd,
+        });
+        // Test that the image works
+        const testResult = execSync(`docker run --rm "${imageName}" echo "container-ok"`, {
+          stdio: 'pipe',
+          timeout: 30_000,
+        }).toString().trim();
+        if (testResult.includes('container-ok')) {
+          return { success: true, imageName, fromExisting: true };
+        }
+      } catch (e) {
+        return { success: false, error: `devcontainer build failed: ${e.message}` };
+      }
+    }
+    return { success: false, error: 'devcontainer.json found but no Dockerfile to build' };
+  }
+
+  if (config.type === 'dockerfile') {
+    try {
+      execSync(`docker build -t "${imageName}" -f "${config.configPath}" "${cwd}"`, {
+        stdio: 'pipe',
+        timeout: 300_000,
+        cwd,
+      });
+      const testResult = execSync(`docker run --rm "${imageName}" echo "container-ok"`, {
+        stdio: 'pipe',
+        timeout: 30_000,
+      }).toString().trim();
+      if (testResult.includes('container-ok')) {
+        return { success: true, imageName, fromExisting: true };
+      }
+    } catch (e) {
+      return { success: false, error: `Dockerfile build failed: ${e.message}` };
+    }
+  }
+
+  if (config.type === 'compose') {
+    // For compose, we try to build the first service
+    try {
+      execSync(`docker compose -f "${config.configPath}" build`, {
+        stdio: 'pipe',
+        timeout: 300_000,
+        cwd,
+      });
+      // Get the first service image name
+      const services = execSync(`docker compose -f "${config.configPath}" config --services`, {
+        stdio: 'pipe',
+        cwd,
+      }).toString().trim().split('\n');
+      if (services.length > 0) {
+        return { success: true, imageName: services[0], fromExisting: true, isCompose: true, composePath: config.configPath };
+      }
+    } catch (e) {
+      return { success: false, error: `compose build failed: ${e.message}` };
+    }
+  }
+
+  return { success: false, error: `Unsupported config type: ${config.type}` };
+}
+
+/**
+ * Verify a built replica image by running a smoke test inside it.
+ * Starts the image, checks that the workspace has files and that
+ * basic commands (node/python/etc) work based on what's present.
+ */
+function verifyReplicaImage(imageName, snapshotPath, replicaDir) {
+  const verifyScript = `
+set -e
+# Check workspace has files
+FILE_COUNT=$(find /workspace -type f | head -50 | wc -l)
+if [ "$FILE_COUNT" -eq 0 ]; then
+  echo "FAIL:no_files"
+  exit 1
+fi
+
+# Detect project type and verify deps are installed
+if [ -f /workspace/package.json ]; then
+  if [ -d /workspace/node_modules ]; then
+    echo "PASS:node_modules_present"
+  else
+    echo "FAIL:node_modules_missing"
+    exit 1
+  fi
+elif [ -f /workspace/requirements.txt ] || [ -f /workspace/pyproject.toml ]; then
+  # Check if python packages are importable
+  if command -v python3 &>/dev/null; then
+    echo "PASS:python_available"
+  else
+    echo "FAIL:python_missing"
+    exit 1
+  fi
+elif [ -f /workspace/Cargo.toml ]; then
+  if command -v cargo &>/dev/null; then
+    echo "PASS:cargo_available"
+  else
+    echo "FAIL:cargo_missing"
+    exit 1
+  fi
+else
+  echo "PASS:files_present"
+fi
+echo "VERIFY_OK"
+`;
+  try {
+    const output = execSync([
+      'docker', 'run', '--rm',
+      '--tmpfs', '/tmp:rw,size=256m',
+      imageName,
+      '/bin/bash', '-c', JSON.stringify(verifyScript),
+    ].join(' '), {
+      stdio: 'pipe',
+      timeout: 60_000,
+      shell: true,
+    }).toString();
+
+    if (output.includes('VERIFY_OK')) {
+      return { success: true, output: output.trim() };
+    }
+    return { success: false, error: `Verification output missing VERIFY_OK: ${output.trim()}` };
+  } catch (e) {
+    return { success: false, error: `Verification container failed: ${e.message}` };
+  }
+}
+
+/**
+ * Verify the setup script is reproducible by running it from scratch
+ * in a clean base container with just the project snapshot.
+ */
+function verifySetupScript(setupScriptPath, imageName, snapshotPath, replicaDir) {
+  const baseImage = `${imageName}-base`;
+  const verifyTag = `${imageName}-verify-${Date.now()}`;
+
+  // Build a verification Dockerfile that starts fresh and only uses the setup script
+  const verifyDockerfile = `FROM ${baseImage}
+COPY project-snapshot.tar.gz /tmp/snapshot.tar.gz
+RUN tar xzf /tmp/snapshot.tar.gz -C /workspace && rm /tmp/snapshot.tar.gz
+COPY opus-output/setup-script.sh /tmp/verify-setup.sh
+RUN chmod +x /tmp/verify-setup.sh && /tmp/verify-setup.sh
+`;
+  const verifyDockerfilePath = path.join(replicaDir, 'Dockerfile.verify');
+  fs.writeFileSync(verifyDockerfilePath, verifyDockerfile);
+
+  try {
+    // Build — if the setup script fails, the build fails
+    execSync(`docker build -t "${verifyTag}" -f "${verifyDockerfilePath}" "${replicaDir}"`, {
+      stdio: 'pipe',
+      timeout: 300_000,
+    });
+
+    // Run the smoke test on the verified image
+    const result = verifyReplicaImage(verifyTag, snapshotPath, replicaDir);
+
+    // Clean up the verify image
+    try { execSync(`docker rmi "${verifyTag}"`, { stdio: 'pipe', timeout: 10_000 }); } catch {}
+    try { fs.unlinkSync(verifyDockerfilePath); } catch {}
+
+    return result;
+  } catch (e) {
+    // Clean up
+    try { execSync(`docker rmi "${verifyTag}"`, { stdio: 'pipe', timeout: 10_000 }); } catch {}
+    try { fs.unlinkSync(verifyDockerfilePath); } catch {}
+    return { success: false, error: `Setup script failed on clean rebuild: ${e.message}` };
+  }
+}
+
+/**
+ * Create a fresh container and use Claude Opus 4.6 inside it to
+ * get the project environment working.
+ */
+async function buildFreshWithOpus(cwd, replicaDir, apiKeys) {
+  const imageName = `propensity-replica-${path.basename(cwd).toLowerCase().replace(/[^a-z0-9]/g, '-')}`;
+
+  // Create a minimal Dockerfile that includes Claude Code CLI
+  const dockerfileContent = `FROM node:22-slim
+
+# Install common dev tools
+RUN apt-get update && apt-get install -y --no-install-recommends \\
+    git curl python3 python3-pip python3-venv build-essential \\
+    && rm -rf /var/lib/apt/lists/*
+
+# Install Claude Code CLI
+RUN npm i -g @anthropic-ai/claude-code
+
+# Create non-root user
+RUN useradd -m -s /bin/bash devuser
+
+# Create workspace
+RUN mkdir -p /workspace /output /replica-output && \\
+    chown -R devuser:devuser /workspace /output /replica-output
+
+WORKDIR /workspace
+USER devuser
+`;
+
+  const dockerfilePath = path.join(replicaDir, 'Dockerfile.fresh');
+  fs.writeFileSync(dockerfilePath, dockerfileContent);
+
+  // Build the base image
+  try {
+    execSync(`docker build -t "${imageName}-base" -f "${dockerfilePath}" "${replicaDir}"`, {
+      stdio: 'pipe',
+      timeout: 300_000,
+    });
+  } catch (e) {
+    return { success: false, error: `Fresh image build failed: ${e.message}` };
+  }
+
+  // Snapshot the project directory
+  const snapshotPath = path.join(replicaDir, 'project-snapshot.tar.gz');
+  try {
+    execSync(`tar czf "${snapshotPath}" --exclude=node_modules --exclude=.git --exclude=__pycache__ --exclude=.venv -C "${cwd}" .`, {
+      stdio: 'pipe',
+      timeout: 60_000,
+    });
+  } catch (e) {
+    return { success: false, error: `Snapshot failed: ${e.message}` };
+  }
+
+  // Redaction review — blocks until user finishes in a new terminal
+  const redactionResult = await launchRedactionReview(snapshotPath, {
+    log: (msg) => process.stderr.write(`container-replicator: ${msg}\n`),
+  });
+  if (redactionResult.timedOut) {
+    process.stderr.write('container-replicator: redaction review timed out, proceeding with snapshot as-is\n');
+  }
+
+  // Build the prompt for Opus to set up the environment
+  const setupPrompt = `You are inside a fresh container with this project's files copied to /workspace.
+Your job is to get the development environment working — install dependencies, fix any issues,
+and verify things compile/run correctly.
+
+Steps:
+1. Look at the project files to understand what kind of project this is
+2. Install all dependencies (npm install, pip install, cargo build, etc.)
+3. Try to build/compile the project
+4. If there are errors, fix them
+5. Once the environment is working, create a file /replica-output/setup-script.sh that contains
+   all the commands needed to reproduce this environment from scratch (as a bash script)
+6. Also create /replica-output/Dockerfile that builds an image with the environment pre-configured
+7. Create /replica-output/env-status.json with: {"success": true/false, "language": "...", "framework": "...", "notes": "..."}
+
+Important: Focus on getting the environment working, not on modifying the project code itself.
+If something is fundamentally broken, document it in env-status.json and do your best.`;
+
+  const encodedPrompt = Buffer.from(setupPrompt).toString('base64');
+
+  // Run Claude Opus inside the container to set up the env
+  const containerName = `propensity-replica-setup-${Date.now()}`;
+  const replicaOutputDir = path.join(replicaDir, 'opus-output');
+  ensureDir(replicaOutputDir);
+
+  try {
+    execSync([
+      'docker', 'run',
+      '--rm',
+      '--name', containerName,
+      '--tmpfs', '/tmp:rw,size=1g',
+      '-v', `${snapshotPath}:/snapshot.tar.gz:ro`,
+      '-v', `${replicaOutputDir}:/replica-output:rw`,
+      '-e', `ANTHROPIC_API_KEY=${apiKeys.ANTHROPIC_API_KEY || ''}`,
+      '-e', `ANTHROPIC_BASE_URL=${apiKeys.ANTHROPIC_BASE_URL || 'https://api.anthropic.com'}`,
+      `${imageName}-base`,
+      '/bin/bash', '-c', [
+        // Extract project files
+        'tar xzf /snapshot.tar.gz -C /workspace 2>/dev/null || true',
+        // Run Claude Opus to set up the environment
+        `PROMPT=$(echo "${encodedPrompt}" | base64 -d)`,
+        'claude -p "$PROMPT" --max-turns 50 --model claude-opus-4-6 --output-format json --dangerously-skip-permissions --no-session-persistence > /replica-output/setup-transcript.json 2>/replica-output/setup-stderr.log || true',
+      ].join(' && '),
+    ].join(' '), {
+      stdio: 'pipe',
+      timeout: 600_000, // 10 min
+      shell: true,
+    });
+  } catch (e) {
+    // Non-zero exit is ok — Opus may have partially succeeded
+    fs.writeFileSync(path.join(replicaOutputDir, 'setup-error.txt'), e.message);
+  }
+
+  // Check if Opus produced the artifacts we need
+  const envStatusPath = path.join(replicaOutputDir, 'env-status.json');
+  const generatedDockerfile = path.join(replicaOutputDir, 'Dockerfile');
+  const setupScript = path.join(replicaOutputDir, 'setup-script.sh');
+
+  let envStatus = { success: false };
+  try {
+    envStatus = JSON.parse(fs.readFileSync(envStatusPath, 'utf8'));
+  } catch {}
+
+  // If Opus generated a Dockerfile, try building it
+  if (fs.existsSync(generatedDockerfile)) {
+    try {
+      execSync(`docker build -t "${imageName}" -f "${generatedDockerfile}" "${replicaOutputDir}"`, {
+        stdio: 'pipe',
+        timeout: 300_000,
+      });
+      // Verify the built image actually works
+      const verified = verifyReplicaImage(imageName, snapshotPath, replicaDir);
+      if (verified.success) {
+        return {
+          success: true,
+          imageName,
+          fromExisting: false,
+          opusGenerated: true,
+          verified: true,
+          envStatus,
+          setupScript: fs.existsSync(setupScript) ? setupScript : null,
+        };
+      }
+      // Dockerfile built but verification failed — fall through
+    } catch (e) {
+      // Opus-generated Dockerfile failed to build — fall through
+    }
+  }
+
+  // Fallback: build image from the base + setup script, then verify
+  if (fs.existsSync(setupScript)) {
+    const fallbackDockerfile = `FROM ${imageName}-base
+COPY project-snapshot.tar.gz /tmp/snapshot.tar.gz
+RUN tar xzf /tmp/snapshot.tar.gz -C /workspace && rm /tmp/snapshot.tar.gz
+COPY opus-output/setup-script.sh /tmp/setup.sh
+RUN chmod +x /tmp/setup.sh && /tmp/setup.sh || true
+`;
+    const fallbackPath = path.join(replicaDir, 'Dockerfile.fallback');
+    fs.writeFileSync(fallbackPath, fallbackDockerfile);
+
+    try {
+      execSync(`docker build -t "${imageName}" -f "${fallbackPath}" "${replicaDir}"`, {
+        stdio: 'pipe',
+        timeout: 300_000,
+      });
+      // Verify the setup script produces a working env from scratch
+      const verified = verifySetupScript(setupScript, imageName, snapshotPath, replicaDir);
+      if (verified.success) {
+        return {
+          success: true,
+          imageName,
+          fromExisting: false,
+          opusGenerated: false,
+          usedSetupScript: true,
+          verified: true,
+          envStatus,
+        };
+      }
+      // Setup script didn't verify — still return the image but flag it
+      return {
+        success: true,
+        imageName,
+        fromExisting: false,
+        opusGenerated: false,
+        usedSetupScript: true,
+        verified: false,
+        verificationError: verified.error,
+        envStatus,
+      };
+    } catch {}
+  }
+
+  // Last resort: just use the base image with files copied in
+  const lastResortDockerfile = `FROM ${imageName}-base
+COPY project-snapshot.tar.gz /tmp/snapshot.tar.gz
+RUN tar xzf /tmp/snapshot.tar.gz -C /workspace && rm /tmp/snapshot.tar.gz
+`;
+  fs.writeFileSync(path.join(replicaDir, 'Dockerfile.lastresort'), lastResortDockerfile);
+  try {
+    execSync(`docker build -t "${imageName}" -f "${path.join(replicaDir, 'Dockerfile.lastresort')}" "${replicaDir}"`, {
+      stdio: 'pipe',
+      timeout: 300_000,
+    });
+    return {
+      success: true,
+      imageName,
+      fromExisting: false,
+      opusGenerated: false,
+      lastResort: true,
+      verified: false,
+      envStatus,
+    };
+  } catch (e) {
+    return { success: false, error: `All build strategies failed: ${e.message}`, envStatus };
+  }
+}
+
+/**
+ * Save the replication artifacts so the container can be recreated later
+ * and used by the simulation orchestrator for layered agents.
+ */
+function saveReplicaManifest(replicaDir, id, cwd, buildResult) {
+  const manifest = {
+    replicaId: id,
+    cwd,
+    imageName: buildResult.imageName,
+    fromExisting: buildResult.fromExisting || false,
+    opusGenerated: buildResult.opusGenerated || false,
+    verified: buildResult.verified || false,
+    verificationError: buildResult.verificationError || null,
+    lastResort: buildResult.lastResort || false,
+    createdAt: new Date().toISOString(),
+    envStatus: buildResult.envStatus || null,
+  };
+  fs.writeFileSync(path.join(replicaDir, 'manifest.json'), JSON.stringify(manifest, null, 2));
+
+  // Copy key files into a portable 'replication-kit' subdirectory
+  const kitDir = path.join(replicaDir, 'replication-kit');
+  ensureDir(kitDir);
+
+  // Copy any Dockerfiles we generated/found
+  for (const name of ['Dockerfile.fresh', 'Dockerfile.fallback', 'Dockerfile.lastresort']) {
+    const src = path.join(replicaDir, name);
+    if (fs.existsSync(src)) fs.copyFileSync(src, path.join(kitDir, name));
+  }
+
+  // Copy Opus-generated artifacts
+  const opusOutput = path.join(replicaDir, 'opus-output');
+  if (fs.existsSync(opusOutput)) {
+    const opusKit = path.join(kitDir, 'opus-output');
+    ensureDir(opusKit);
+    for (const f of ['Dockerfile', 'setup-script.sh', 'env-status.json']) {
+      const src = path.join(opusOutput, f);
+      if (fs.existsSync(src)) fs.copyFileSync(src, path.join(opusKit, f));
+    }
+  }
+
+  // Copy the project snapshot
+  const snapshotSrc = path.join(replicaDir, 'project-snapshot.tar.gz');
+  if (fs.existsSync(snapshotSrc)) {
+    fs.copyFileSync(snapshotSrc, path.join(kitDir, 'project-snapshot.tar.gz'));
+  }
+
+  return manifest;
+}
+
+async function main() {
+  try {
+    const payloadJson = Buffer.from(process.argv[2], 'base64').toString('utf8');
+    const { cwd, sessionId, assessment } = JSON.parse(payloadJson);
+
+    if (!cwd) {
+      process.stderr.write('container-replicator: no cwd provided\n');
+      process.exit(1);
+    }
+
+    // Check Docker
+    if (!checkDocker()) {
+      process.stderr.write('container-replicator: Docker not available, skipping\n');
+      process.exit(0);
+    }
+
+    const id = replicaId(cwd);
+
+    // Acquire lock — only one replication per project at a time
+    if (!acquireLock(id)) {
+      process.stderr.write(`container-replicator: replication already running for ${cwd}\n`);
+      process.exit(0);
+    }
+
+    const replicaDir = path.join(REPLICAS_DIR, id);
+    ensureDir(replicaDir);
+
+    // Check if we already have a recent replica (less than 1 hour old)
+    const manifestPath = path.join(replicaDir, 'manifest.json');
+    if (fs.existsSync(manifestPath)) {
+      try {
+        const existing = JSON.parse(fs.readFileSync(manifestPath, 'utf8'));
+        const age = Date.now() - new Date(existing.createdAt).getTime();
+        if (age < 60 * 60 * 1000) {
+          process.stderr.write(`container-replicator: recent replica exists for ${cwd} (${Math.round(age / 60000)}m old), skipping\n`);
+          releaseLock(id);
+          process.exit(0);
+        }
+      } catch {}
+    }
+
+    const log = (msg) => process.stderr.write(`container-replicator: ${msg}\n`);
+    log(`Starting replication for ${cwd} (id: ${id})`);
+    log(`Triggered by: ${assessment?.slice(0, 80) || 'unknown'}`);
+
+    // Step 1: Detect existing container config
+    log('Checking for existing Dockerfile / devcontainer...');
+    const existingConfig = detectExistingContainerConfig(cwd);
+    let buildResult = null;
+
+    if (existingConfig) {
+      log(`Found existing config: ${existingConfig.type} at ${existingConfig.configPath}`);
+      buildResult = tryExistingConfig(existingConfig, cwd, replicaDir);
+      if (buildResult.success) {
+        log(`Existing config worked! Image: ${buildResult.imageName}`);
+      } else {
+        log(`Existing config failed: ${buildResult.error}`);
+        log('Falling back to fresh container with Opus setup...');
+        buildResult = null;
+      }
+    } else {
+      log('No existing container config found');
+    }
+
+    // Step 2: If existing config didn't work, build fresh with Opus
+    if (!buildResult || !buildResult.success) {
+      log('Building fresh container and running Opus to set up env...');
+      const apiKeys = loadApiKeys();
+      if (!apiKeys.ANTHROPIC_API_KEY) {
+        log('No ANTHROPIC_API_KEY found, cannot run Opus setup');
+        releaseLock(id);
+        process.exit(1);
+      }
+      buildResult = await buildFreshWithOpus(cwd, replicaDir, apiKeys);
+    }
+
+    if (!buildResult.success) {
+      log(`Replication failed: ${buildResult.error}`);
+      fs.writeFileSync(path.join(replicaDir, 'error.json'), JSON.stringify({
+        error: buildResult.error,
+        timestamp: new Date().toISOString(),
+        cwd,
+      }, null, 2));
+      releaseLock(id);
+      process.exit(1);
+    }
+
+    // Step 3: Save replication artifacts
+    log('Saving replication artifacts...');
+    const manifest = saveReplicaManifest(replicaDir, id, cwd, buildResult);
+    log(`Replica saved: ${replicaDir}`);
+    log(`Image: ${manifest.imageName}`);
+
+    releaseLock(id);
+    log('Done.');
+
+  } catch (e) {
+    process.stderr.write(`container-replicator error: ${e.message}\n${e.stack}\n`);
+    process.exit(1);
+  }
+}
+
+// Only run main() when invoked directly (not when imported)
+const isDirectRun = process.argv[1] && import.meta.url.endsWith(process.argv[1].replace(/.*\//, ''));
+if (isDirectRun) main();