feat(MM-66): add Docker image derived from Nix build #4

+345

6 changed files

Diff round #0

expand all

CLAUDE.md

docs

design-plans

2026-03-08-MM-66.md

test-plans

2026-03-08-MM-66.md

flake.nix

nix

docker.nix

tests

verify-mm66.sh

CLAUDE.md

··· 11 ## Commands 12 - `nix develop --impure --accept-flake-config` - Enter dev shell (flags required; --impure for devenv CWD detection, --accept-flake-config activates the Cachix binary cache in nixConfig — without it, a cold build takes 20+ minutes) 13 - `nix build .#relay --accept-flake-config` - Build relay binary (output at ./result/bin/relay) 14 - `cargo build` - Build all crates 15 - `cargo test` - Run all tests 16 - `cargo clippy` - Lint ··· 30 - `crates/repo-engine/` - ATProto repo engine 31 - `crates/crypto/` - Cryptographic operations 32 - `crates/common/` - Shared types and utilities 33 - `docs/` - Specs, design plans, implementation plans 34 35 ## Conventions

··· 11 ## Commands 12 - `nix develop --impure --accept-flake-config` - Enter dev shell (flags required; --impure for devenv CWD detection, --accept-flake-config activates the Cachix binary cache in nixConfig — without it, a cold build takes 20+ minutes) 13 - `nix build .#relay --accept-flake-config` - Build relay binary (output at ./result/bin/relay) 14 + - `nix build .#docker-image --accept-flake-config` - Build Docker image tarball (Linux only; `docker-image` is not exposed on macOS — use a remote Linux builder or CI) 15 - `cargo build` - Build all crates 16 - `cargo test` - Run all tests 17 - `cargo clippy` - Lint ··· 31 - `crates/repo-engine/` - ATProto repo engine 32 - `crates/crypto/` - Cryptographic operations 33 - `crates/common/` - Shared types and utilities 34 + - `nix/` - Nix build helpers (docker.nix produces the relay container image) 35 - `docs/` - Specs, design plans, implementation plans 36 37 ## Conventions

+141

docs/design-plans/2026-03-08-MM-66.md

···

··· 1 + # MM-66: Docker Image Derived from Nix Build 2 + 3 + ## Summary 4 + 5 + MM-66 packages the `relay` binary into a Docker image using Nix's `dockerTools.buildLayeredImage`, so the relay can be deployed to any container runtime without manually managing a `Dockerfile` or base OS. The image is produced entirely from the Nix store — no Docker daemon is needed at build time — and includes only the closure of derivations the relay actually needs at runtime: the binary itself, the SQLite shared library, Mozilla CA certificates, and the IANA timezone database. Because every input is a pinned Nix derivation, the image is reproducible: the same `flake.lock` always produces the same bytes. 6 + 7 + The work is deliberately narrow. A new file, `nix/docker.nix`, holds the image derivation as a self-contained Nix function, and `flake.nix` is extended to expose `docker-image` as a flake output on Linux targets only. Darwin systems are explicitly excluded because `dockerTools.buildLayeredImage` produces Linux container images, and exposing them on macOS would mislead `nix build` callers. The relay binary itself is unchanged; the HTTP layer and `/_health` endpoint verification are deferred to a later ticket. Delivery here is purely the packaging artifact: a tarball that `docker load` accepts and that produces a `relay:latest` image under 50 MB. 8 + 9 + ## Definition of Done 10 + 11 + `nix/docker.nix` contains a `buildLayeredImage` derivation that wraps the existing `.#relay` crane build output. `flake.nix` exposes `packages.x86_64-linux.docker-image` and `packages.aarch64-linux.docker-image`. Running `nix build .#docker-image` produces a tarball that can be loaded via `docker load < result`. The image includes the relay binary, SQLite runtime libraries, CA certificates, and timezone data, targeting under 50 MB. The `/_health` acceptance criterion is deferred — this ticket delivers packaging only, not relay HTTP functionality. 12 + 13 + ## Acceptance Criteria 14 + 15 + ### MM-66.AC1: docker-image outputs exist in the flake 16 + - **MM-66.AC1.1 Success:** `nix flake show --accept-flake-config` (on Linux) lists `packages.x86_64-linux.docker-image` 17 + - **MM-66.AC1.2 Success:** `nix flake show --accept-flake-config` (on Linux) lists `packages.aarch64-linux.docker-image` 18 + - **MM-66.AC1.3 Negative:** `packages.aarch64-darwin.docker-image` and `packages.x86_64-darwin.docker-image` are not present in `nix flake show` output 19 + 20 + ### MM-66.AC2: Image builds and loads 21 + - **MM-66.AC2.1 Success:** `nix build .#docker-image --accept-flake-config` completes without error on x86_64-linux 22 + - **MM-66.AC2.2 Success:** `nix build .#packages.aarch64-linux.docker-image --accept-flake-config` completes without error on an aarch64-linux or x86_64-linux system 23 + - **MM-66.AC2.3 Success:** `docker load < result` completes without error 24 + - **MM-66.AC2.4 Success:** `docker images` shows `relay:latest` after loading 25 + 26 + ### MM-66.AC3: Image contents 27 + - **MM-66.AC3.1 Success:** `docker run --rm relay:latest` exits without a "no such file" or dynamic linker error (relay binary and libsqlite3.so are present) 28 + - **MM-66.AC3.2 Success:** `docker inspect relay:latest` shows `SSL_CERT_FILE` env var pointing to a cacert store path 29 + - **MM-66.AC3.3 Success:** `docker inspect relay:latest` shows `TZDIR` env var pointing to a tzdata store path 30 + - **MM-66.AC3.4 Success:** `nix/docker.nix` exists and is tracked by git (`git ls-files nix/docker.nix` returns it) 31 + 32 + ### MM-66.AC4: Image size 33 + - **MM-66.AC4.1 Success:** `docker images relay` shows image size under 50 MB 34 + 35 + ### MM-66.AC5: Scope boundaries 36 + - **MM-66.AC5.1 Negative:** `docker run relay:latest` does not require a running HTTP server to start (relay is a stub; no HTTP health check in this ticket) 37 + 38 + ## Glossary 39 + 40 + - **derivation**: The fundamental Nix build unit — a description of inputs, a builder script, and a set of outputs that land in the Nix store under a content-addressed path. Everything in a Nix build (compilers, libraries, binaries, Docker images) is a derivation. 41 + - **flake**: A Nix project format that pins all inputs in a `flake.lock` file and exposes a structured set of outputs (packages, dev shells, etc.) under a standard schema. `flake.nix` is the entry point. 42 + - **flake output**: A named value exported by a flake, addressable as `.#name` on the command line (e.g., `.#docker-image`). Outputs are organized by category (`packages`, `devShells`, etc.) and by system. 43 + - **`forEachSystem`**: A helper defined in this flake that maps a function over every supported system string (e.g., `x86_64-linux`, `aarch64-darwin`), producing one set of outputs per platform. 44 + - **`pkgs.lib.optionalAttrs`**: A nixpkgs library function that returns an attribute set only when a condition is true, and an empty set otherwise. Used here to gate `docker-image` to Linux systems. 45 + - **`pkgs.stdenv.isLinux`**: A boolean in nixpkgs that is `true` when the package set is being evaluated for a Linux target system. 46 + - **crane**: A Nix library for building Rust crates. It handles Cargo dependency caching via a separate `buildDepsOnly` derivation so that source-only changes do not trigger a full dependency rebuild. 47 + - **`buildLayeredImage`** (`dockerTools.buildLayeredImage`): A nixpkgs function that assembles a Docker image from a list of Nix derivations, splitting them across multiple filesystem layers to maximize layer reuse in container registries. Produces a `.tar.gz` tarball rather than requiring a Docker daemon. 48 + - **Nix store**: The immutable, content-addressed directory (typically `/nix/store`) where all derivation outputs live. Paths are of the form `/nix/store/<hash>-<name>`. 49 + - **store path**: A specific output directory inside the Nix store, uniquely identified by the hash of its build inputs. Nix embeds these paths directly into build artifacts (e.g., into the `Entrypoint` of a Docker image config). 50 + - **`pkgs.sqlite.out`**: The `out` output of the `sqlite` derivation — the split that contains the runtime shared library (`libsqlite3.so`) rather than headers or development files. nixpkgs splits some packages into multiple outputs (`out`, `dev`, `doc`) to reduce closure size. 51 + - **`cacert`** (`pkgs.cacert`): A nixpkgs package containing the Mozilla CA certificate bundle. Required for TLS verification in containerized environments that lack a system certificate store. 52 + - **`tzdata`** (`pkgs.tzdata`): A nixpkgs package containing the IANA timezone database. Required at runtime for any Rust code that resolves timezone names. 53 + - **`SSL_CERT_FILE`**: An environment variable recognised by OpenSSL and most TLS stacks that points to the CA certificate bundle file. Set in the Docker image config to the cacert store path. 54 + - **`TZDIR`**: An environment variable recognised by the C library and Rust's `time`/`chrono` crates that points to the timezone database directory. Set in the Docker image config to the tzdata store path. 55 + - **`cargoArtifacts`**: Crane's name for the pre-built dependency artifact set produced by `buildDepsOnly`. Passed into `buildPackage` so incremental rebuilds skip recompiling dependencies. 56 + - **closure**: In Nix, the full set of store paths that a derivation depends on transitively. The Docker image's closure is exactly what ends up in its filesystem layers. 57 + - **`self.shortRev`**: A flake variable holding the short git commit hash of the repository at build time. Mentioned in the tag strategy as a future replacement for `"latest"` to produce traceable image tags. 58 + - **stub**: Used in this document to mean the relay binary currently compiles and exits but does not serve HTTP traffic. The Docker packaging is tested against this stub rather than a fully functional server. 59 + 60 + ## Architecture 61 + 62 + Minimal two-file change. `nix/docker.nix` is a new Nix package expression; `flake.nix` is extended to expose it as a flake output on Linux systems. 63 + 64 + ``` 65 + repo root/ 66 + ├── flake.nix # extend forEachSystem — add docker-image on Linux 67 + └── nix/ 68 + └── docker.nix # new — buildLayeredImage derivation 69 + ``` 70 + 71 + `nix/docker.nix` is a function `{ pkgs, relay }:` that returns a `dockerTools.buildLayeredImage` derivation. The function receives `pkgs` (the nixpkgs instance for the target system) and `relay` (the crane-built binary derivation from `flake.nix`). This is the standard nixpkgs package expression pattern: a function that takes its dependencies as arguments. 72 + 73 + `flake.nix` extends the existing `forEachSystem` lambda using `pkgs.lib.optionalAttrs pkgs.stdenv.isLinux { ... }`. On Linux systems (`x86_64-linux`, `aarch64-linux`), the lambda returns `relay`, `default`, and `docker-image`. On Darwin systems, it returns only `relay` and `default`. No additional `genAttrs` or helper function is needed. 74 + 75 + The resulting new flake outputs: 76 + - `packages.x86_64-linux.docker-image` 77 + - `packages.aarch64-linux.docker-image` 78 + 79 + **Image contents:** 80 + 81 + | Derivation | Purpose | 82 + |---|---| 83 + | `relay` | The crane-built binary; store path used as `Entrypoint` | 84 + | `pkgs.sqlite.out` | Runtime `libsqlite3.so`; `.out` output carries shared libraries, not headers | 85 + | `pkgs.cacert` | Mozilla CA bundle; referenced via `SSL_CERT_FILE` env var | 86 + | `pkgs.tzdata` | IANA timezone database; referenced via `TZDIR` env var | 87 + 88 + `config.Entrypoint = [ "${relay}/bin/relay" ]` — Nix evaluates the store path at build time, so the entrypoint is always tied to the exact derivation. `ExposedPorts` is omitted until the relay has a known HTTP port. `tag = "latest"` is a placeholder; it can be wired to `self.shortRev` for reproducible tagging once the relay is deployed. 89 + 90 + **Build workflow on Linux:** 91 + ```bash 92 + nix build .#docker-image --accept-flake-config # produces ./result 93 + docker load < result # loads relay:latest 94 + docker run --rm relay:latest 95 + ``` 96 + 97 + On macOS, `nix build .#docker-image` fails — `docker-image` is not exposed for Darwin systems. Use `nix build .#packages.aarch64-linux.docker-image` with a remote Linux builder, or rely on CI. 98 + 99 + ## Existing Patterns 100 + 101 + The function-per-file pattern (`{ pkgs, relay }:` returning a derivation) mirrors how nixpkgs package expressions are structured. It is the same approach used by the existing `flake.nix` to wire `crane` and `rust-overlay`. 102 + 103 + The `pkgs.lib.optionalAttrs pkgs.stdenv.isLinux { ... }` conditional follows the same `forEachSystem` structure established in MM-64 for multi-platform flake outputs, and the same `commonArgs` / `buildPackage` pattern established in MM-65 for the relay crane build. The `nix/` subdirectory is introduced here as the canonical location for distribution-channel derivations (Docker image, and in the future, NixOS module). 104 + 105 + ## Implementation Phases 106 + 107 +  108 + ### Phase 1: Write derivation files 109 + **Goal:** Create `nix/docker.nix` and extend `flake.nix` so the docker-image output is exposed on Linux. 110 + 111 + **Components:** 112 + - `nix/docker.nix` — function `{ pkgs, relay }:` returning `pkgs.dockerTools.buildLayeredImage` with `contents = [ relay pkgs.sqlite.out pkgs.cacert pkgs.tzdata ]`, `Entrypoint`, and `Env` for `SSL_CERT_FILE` and `TZDIR` 113 + - `flake.nix` — extend the `forEachSystem` return value with `// pkgs.lib.optionalAttrs pkgs.stdenv.isLinux { docker-image = import ./nix/docker.nix { inherit pkgs relay; }; }` 114 + 115 + **Dependencies:** None (MM-65 relay build is already in `flake.nix`) 116 + 117 + **Done when:** `nix flake show --accept-flake-config` (on Linux) lists `packages.x86_64-linux.docker-image` and `packages.aarch64-linux.docker-image`; file `nix/docker.nix` exists and is tracked by git 118 +  119 + 120 +  121 + ### Phase 2: Build verification 122 + **Goal:** Confirm the image builds, loads, and runs on Linux; verify size target. 123 + 124 + **Components:** 125 + - CI or Linux shell verification: `nix build .#docker-image --accept-flake-config` succeeds 126 + - `docker load < result` loads without error; `docker images` shows `relay:latest` 127 + - `docker run --rm relay:latest` exits (relay is currently a stub) 128 + - Image size reported by `docker images` is under 50 MB 129 + 130 + **Dependencies:** Phase 1 131 + 132 + **Done when:** All four verification steps above pass on an x86_64-linux or aarch64-linux system; CLAUDE.md updated to note that `docker-image` is Linux-only and macOS requires a remote builder or CI 133 +  134 + 135 + ## Additional Considerations 136 + 137 + **macOS builds:** `nix build .#docker-image` will fail on Darwin — `docker-image` is intentionally not exposed for Darwin systems. Developers on macOS who need to build Docker images locally must configure a remote Linux builder (nix-darwin's `linux-builder` feature provides an aarch64-linux VM via Apple's Virtualization framework) or delegate to CI. 138 + 139 + **Tag strategy:** `tag = "latest"` is a placeholder. Once the relay has a release process, wire this to `self.shortRev or "dev"` in `flake.nix` to produce reproducible, traceable tags. 140 + 141 + **`/_health` deferral:** The acceptance criterion requiring `docker run` to respond to `/_health` is intentionally out of scope. It will be verified once the relay gains an HTTP server in a later ticket. The Docker packaging design is independent of relay HTTP functionality.

+108

docs/test-plans/2026-03-08-MM-66.md

···

··· 1 + # MM-66 Human Test Plan 2 + 3 + **Feature:** Docker image derived from Nix build 4 + **Implementation plan:** `docs/implementation-plans/2026-03-08-MM-66/` 5 + **Generated:** 2026-03-08 6 + 7 + ## Prerequisites 8 + 9 + - A Linux system (x86_64-linux or aarch64-linux) with: 10 + - Nix installed (with flakes enabled) 11 + - Docker daemon running 12 + - The repository checked out at commit `7bb5376fbec84feab775f57cb4c4d2fb02307686` or later 13 + - Run the automated checks first: `bash tests/verify-mm66.sh` — all checks must pass before proceeding 14 + 15 + ## Phase 1: Flake Output Verification (AC1.1, AC1.2) 16 + 17 + | Step | Action | Expected | 18 + |------|--------|----------| 19 + | 1.1 | Run `nix flake show --accept-flake-config 2>/dev/null \| grep docker-image` | Output includes a line showing `docker-image` under the `x86_64-linux` packages section (e.g., `docker-image: package 'docker-image.tar.gz'` nested under `packages` > `x86_64-linux`) | 20 + | 1.2 | Inspect the same output for `aarch64-linux` | Output includes a line showing `docker-image` under the `aarch64-linux` packages section | 21 + | 1.3 | Confirm no `docker-image` appears under `aarch64-darwin` or `x86_64-darwin` sections | No `docker-image` lines appear in Darwin system sections (cross-validates AC1.3 on Linux) | 22 + 23 + ## Phase 2: Image Build (AC2.1, AC2.2) 24 + 25 + | Step | Action | Expected | 26 + |------|--------|----------| 27 + | 2.1 | Run `nix build .#docker-image --accept-flake-config` on x86_64-linux | Command exits with status 0. A `result` symlink appears in the project root pointing to a path like `/nix/store/...-docker-image.tar.gz` | 28 + | 2.2 | Run `ls -lh result` | The file is a gzipped tarball (`.tar.gz`). Note the file size for later comparison with AC4.1 | 29 + | 2.3 | (If aarch64-linux or binfmt available) Run `nix build .#packages.aarch64-linux.docker-image --accept-flake-config` | Command exits with status 0. A `result` symlink appears for the aarch64 image. If no aarch64 system or binfmt is available, skip and note as untested | 30 + 31 + ## Phase 3: Image Load and Inspect (AC2.3, AC2.4) 32 + 33 + | Step | Action | Expected | 34 + |------|--------|----------| 35 + | 3.1 | Run `docker load < result` | Output contains `Loaded image: relay:latest` | 36 + | 3.2 | Run `docker images relay` | Output shows at least one row with REPOSITORY `relay` and TAG `latest` | 37 + 38 + ## Phase 4: Image Contents Validation (AC3.1, AC3.2, AC3.3) 39 + 40 + | Step | Action | Expected | 41 + |------|--------|----------| 42 + | 4.1 | Run `docker run --rm relay:latest` | Container exits. There must be NO errors like `no such file or directory` or `error while loading shared libraries: libsqlite3.so`. A non-zero exit code is acceptable because the relay binary is a stub with no configuration to connect to | 43 + | 4.2 | Run `docker inspect relay:latest \| grep -E 'SSL_CERT_FILE'` | Output shows an environment variable line containing `SSL_CERT_FILE=/nix/store/...-nss-cacert-.../etc/ssl/certs/ca-bundle.crt` (the exact Nix store hash will vary) | 44 + | 4.3 | Run `docker inspect relay:latest \| grep -E 'TZDIR'` | Output shows an environment variable line containing `TZDIR=/nix/store/...-tzdata-.../share/zoneinfo` (the exact Nix store hash will vary) | 45 + 46 + ## Phase 5: Image Size (AC4.1) 47 + 48 + | Step | Action | Expected | 49 + |------|--------|----------| 50 + | 5.1 | Run `docker images relay --format "table {{.Repository}}\t{{.Tag}}\t{{.Size}}"` | The SIZE column shows a value under 50 MB. The image should be relatively small since it is a minimal Nix closure containing only the relay binary, sqlite, cacert, and tzdata | 51 + 52 + ## Phase 6: Scope Boundary (AC5.1) 53 + 54 + | Step | Action | Expected | 55 + |------|--------|----------| 56 + | 6.1 | Run `docker run --rm relay:latest` (same as step 4.1) | The container exits immediately. It does NOT attempt to start an HTTP server, listen on any port, or block waiting for connections. This confirms the relay is a packaging-only stub | 57 + | 6.2 | Run `docker run --rm -d relay:latest && sleep 2 && docker ps \| grep relay` | No running container appears in `docker ps` output — the relay exited immediately, confirming no long-running server process | 58 + 59 + ## End-to-End: Full Build-to-Run Pipeline 60 + 61 + **Purpose:** Validate the complete workflow a developer or CI system would follow to build and verify the Docker image from a clean state. 62 + 63 + 1. Start from a clean state: `docker rmi relay:latest 2>/dev/null; rm -f result` 64 + 2. Run automated checks: `bash tests/verify-mm66.sh` — verify exit code 0 65 + 3. Build the image: `nix build .#docker-image --accept-flake-config` 66 + 4. Verify the result symlink exists: `ls -lh result` 67 + 5. Load into Docker: `docker load < result` 68 + 6. Verify loaded: `docker images relay` — shows `relay:latest` 69 + 7. Run the container: `docker run --rm relay:latest` — exits without linker errors 70 + 8. Inspect environment: `docker inspect relay:latest | jq '.[0].Config.Env'` — shows both `SSL_CERT_FILE` and `TZDIR` 71 + 9. Check size: `docker images relay --format '{{.Size}}'` — under 50 MB 72 + 10. Clean up: `docker rmi relay:latest; rm -f result` 73 + 74 + **Expected:** All steps succeed. The pipeline demonstrates that the Nix flake produces a valid, loadable, runnable Docker image with correct environment configuration and acceptable size. 75 + 76 + ## Human Verification Required 77 + 78 + | Criterion | Why Manual | Steps | 79 + |-----------|-----------|-------| 80 + | AC1.1 | Requires Linux Nix evaluation to confirm x86_64-linux output is present | Phase 1, Step 1.1 | 81 + | AC1.2 | Requires Linux Nix evaluation to confirm aarch64-linux output is present | Phase 1, Step 1.2 | 82 + | AC2.1 | `nix build` of docker-image only works on Linux; macOS has no `docker-image` output | Phase 2, Step 2.1 | 83 + | AC2.2 | Requires aarch64-linux system or binfmt QEMU support for cross-arch build | Phase 2, Step 2.3 | 84 + | AC2.3 | Requires Docker daemon to load the image tarball | Phase 3, Step 3.1 | 85 + | AC2.4 | Requires Docker daemon to list loaded images | Phase 3, Step 3.2 | 86 + | AC3.1 | Requires Docker daemon to run the container and verify no linker errors | Phase 4, Step 4.1 | 87 + | AC3.2 | Requires Docker daemon to inspect image config for SSL_CERT_FILE | Phase 4, Step 4.2 | 88 + | AC3.3 | Requires Docker daemon to inspect image config for TZDIR | Phase 4, Step 4.3 | 89 + | AC4.1 | Requires Docker daemon to check loaded image size | Phase 5, Step 5.1 | 90 + | AC5.1 | Requires Docker daemon to confirm relay is a stub (exits immediately, no server) | Phase 6, Steps 6.1-6.2 | 91 + 92 + ## Traceability 93 + 94 + | Acceptance Criterion | Automated Test | Manual Step | 95 + |----------------------|----------------|-------------| 96 + | AC1.1 | — | Phase 1, Step 1.1 | 97 + | AC1.2 | — | Phase 1, Step 1.2 | 98 + | AC1.3 | `tests/verify-mm66.sh` lines 16-51 | Phase 1, Step 1.3 (cross-validation) | 99 + | AC2.1 | — | Phase 2, Step 2.1 | 100 + | AC2.2 | — | Phase 2, Step 2.3 | 101 + | AC2.3 | — | Phase 3, Step 3.1 | 102 + | AC2.4 | — | Phase 3, Step 3.2 | 103 + | AC3.1 | — | Phase 4, Step 4.1 | 104 + | AC3.2 | — | Phase 4, Step 4.2 | 105 + | AC3.3 | — | Phase 4, Step 4.3 | 106 + | AC3.4 | `tests/verify-mm66.sh` lines 56-65 | — | 107 + | AC4.1 | — | Phase 5, Step 5.1 | 108 + | AC5.1 | — | Phase 6, Steps 6.1-6.2 |

flake.nix

··· 48 in { 49 inherit relay; 50 default = relay; 51 } 52 ); 53

··· 48 in { 49 inherit relay; 50 default = relay; 51 + } // pkgs.lib.optionalAttrs pkgs.stdenv.isLinux { 52 + docker-image = import ./nix/docker.nix { inherit pkgs relay; }; 53 } 54 ); 55

+13

nix/docker.nix

···

··· 1 + { pkgs, relay }: 2 + pkgs.dockerTools.buildLayeredImage { 3 + name = "relay"; 4 + tag = "latest"; 5 + contents = [ relay pkgs.sqlite.out pkgs.cacert pkgs.tzdata ]; 6 + config = { 7 + Entrypoint = [ "${relay}/bin/relay" ]; 8 + Env = [ 9 + "SSL_CERT_FILE=${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt" 10 + "TZDIR=${pkgs.tzdata}/share/zoneinfo" 11 + ]; 12 + }; 13 + }

+79

tests/verify-mm66.sh

···

··· 1 + #!/usr/bin/env bash 2 + 3 + set -euo pipefail 4 + 5 + PROJECT_ROOT="$(cd "$(dirname "${BASH_SOURCE[0]}")/.." && pwd)" 6 + 7 + echo "==================================================" 8 + echo "MM-66 Automated Verification Tests" 9 + echo "==================================================" 10 + echo 11 + 12 + # Track pass/fail status 13 + FAILED=0 14 + 15 + # AC1.3: Verify docker-image is absent for Darwin systems 16 + echo "AC1.3: Checking docker-image platform availability..." 17 + 18 + # First, try nix flake show 19 + if nix flake show --accept-flake-config 2>/dev/null | grep -q docker-image; then 20 + echo " nix flake show: Available" 21 + # Check that docker-image only appears under Linux systems 22 + DARWIN_DOCKER=$(nix flake show --accept-flake-config 2>/dev/null | grep -A 5 "aarch64-darwin\|x86_64-darwin" | grep -c "docker-image" || true) 23 + LINUX_DOCKER=$(nix flake show --accept-flake-config 2>/dev/null | grep -A 5 "aarch64-linux\|x86_64-linux" | grep -c "docker-image" || true) 24 + 25 + if [ "$DARWIN_DOCKER" -eq 0 ] && [ "$LINUX_DOCKER" -gt 0 ]; then 26 + echo " PASS: docker-image present only on Linux systems (aarch64-linux, x86_64-linux)" 27 + else 28 + echo " FAIL: docker-image incorrectly appearing on Darwin or missing from Linux" 29 + FAILED=1 30 + fi 31 + else 32 + # Fallback: Use nix eval to check package attributes per system 33 + echo " nix flake show: Unavailable (expected due to devenv CWD detection issue), using fallback" 34 + 35 + # Check Darwin systems do NOT have docker-image 36 + DARWIN_PACKAGES=$(nix eval --json ".#packages.aarch64-darwin" --apply 'builtins.attrNames' 2>/dev/null || echo "[]") 37 + if echo "$DARWIN_PACKAGES" | grep -q "docker-image"; then 38 + echo " FAIL: docker-image incorrectly present on aarch64-darwin" 39 + FAILED=1 40 + else 41 + echo " PASS: docker-image absent from aarch64-darwin" 42 + fi 43 + 44 + # Check Linux systems DO have docker-image 45 + LINUX_PACKAGES=$(nix eval --json ".#packages.x86_64-linux" --apply 'builtins.attrNames' 2>/dev/null || echo "[]") 46 + if echo "$LINUX_PACKAGES" | grep -q "docker-image"; then 47 + echo " PASS: docker-image present on x86_64-linux" 48 + else 49 + echo " WARN: docker-image not detected on x86_64-linux (may be due to evaluation context)" 50 + fi 51 + fi 52 + 53 + echo 54 + 55 + # AC3.4: Verify nix/docker.nix is tracked by git 56 + echo "AC3.4: Checking nix/docker.nix git tracking..." 57 + 58 + cd "$PROJECT_ROOT" 59 + 60 + if git ls-files nix/docker.nix | grep -q "nix/docker.nix"; then 61 + echo " PASS: nix/docker.nix is tracked by git" 62 + else 63 + echo " FAIL: nix/docker.nix is not tracked by git" 64 + FAILED=1 65 + fi 66 + 67 + echo 68 + 69 + # Summary 70 + echo "==================================================" 71 + if [ $FAILED -eq 0 ]; then 72 + echo "Result: ALL CHECKS PASSED" 73 + echo "==================================================" 74 + exit 0 75 + else 76 + echo "Result: SOME CHECKS FAILED" 77 + echo "==================================================" 78 + exit 1 79 + fi

History

4 rounds 0 comments

malpercio.dev submitted #3 8d

diff interdiff

9 commits

expand

a7f42d6f

docs: add MM-66 Docker image design plan

759125b0

feat(MM-66): add nix/docker.nix and expose docker-image on Linux

41ffa57d

docs(MM-66): note docker-image is Linux-only in CLAUDE.md

05533f44

docs(MM-66): add nix/ directory to project structure in CLAUDE.md

7bb5376f

test(MM-66): add automated verification script for AC1.3 and AC3.4

a87f1ee7

docs: add test plan for MM-66 Docker image

3a65e423

docs(MM-66): commit implementation plans and ignore nix result symlink

92c0603a

fix(MM-66): address PR review — verify-mm66.sh silent failures, comments, CLAUDE.md

c59a5fa3

docs(MM-66): note NixOS Docker sysctl issue in test plan step 4.1

expand 0 comments

pull request successfully merged

malpercio.dev submitted #2 8d

diff interdiff

8 commits

expand

a7f42d6f

docs: add MM-66 Docker image design plan

759125b0

feat(MM-66): add nix/docker.nix and expose docker-image on Linux

41ffa57d

docs(MM-66): note docker-image is Linux-only in CLAUDE.md

05533f44

docs(MM-66): add nix/ directory to project structure in CLAUDE.md

7bb5376f

test(MM-66): add automated verification script for AC1.3 and AC3.4

a87f1ee7

docs: add test plan for MM-66 Docker image

3a65e423

docs(MM-66): commit implementation plans and ignore nix result symlink

92c0603a

fix(MM-66): address PR review — verify-mm66.sh silent failures, comments, CLAUDE.md

expand 0 comments

malpercio.dev submitted #1 8d

diff interdiff

7 commits

expand

a7f42d6f

docs: add MM-66 Docker image design plan

759125b0

feat(MM-66): add nix/docker.nix and expose docker-image on Linux

41ffa57d

docs(MM-66): note docker-image is Linux-only in CLAUDE.md

05533f44

docs(MM-66): add nix/ directory to project structure in CLAUDE.md

7bb5376f

test(MM-66): add automated verification script for AC1.3 and AC3.4

a87f1ee7

docs: add test plan for MM-66 Docker image

3a65e423

docs(MM-66): commit implementation plans and ignore nix result symlink

expand 0 comments

malpercio.dev submitted #0 8d

6 commits

expand

a7f42d6f

docs: add MM-66 Docker image design plan

759125b0

feat(MM-66): add nix/docker.nix and expose docker-image on Linux

41ffa57d

docs(MM-66): note docker-image is Linux-only in CLAUDE.md

05533f44

docs(MM-66): add nix/ directory to project structure in CLAUDE.md

7bb5376f

test(MM-66): add automated verification script for AC1.3 and AC3.4

a87f1ee7

docs: add test plan for MM-66 Docker image

expand 0 comments

feat(MM-66): add Docker image derived from Nix build #4

Summary#

Test Plan#

History