fix(docker): allow swap and network configuration

- resolves memswap_limit from RAM as a finite RAM+swap ceiling

- passes configurable Docker network settings into build and auth run commands

- normalizes CRLF in skiller patch matching

Author: skulidropek

packages/app/src/docker-git/frontend-lib/core/resource-limits.ts

@@ -14,6 +14,7 @@ import {
 const mebibyte = 1024 ** 2
 const minimumResolvedCpuLimit = 0.25
 const minimumResolvedRamLimitMib = 512
+const minimumResolvedSwapLimitMib = 1
 const precisionScale = 100
 
 type HostResources = {
@@ -24,12 +25,26 @@ type HostResources = {
 export type ResolvedComposeResourceLimits = {
   readonly cpuLimit: number
   readonly ramLimit: string
+  readonly swapLimit: string
 }
 
 const cpuAbsolutePattern = /^\d+(?:\.\d+)?$/u
+const ramLimitPattern = /^(\d+(?:\.\d+)?)(b|k|kb|m|mb|g|gb|t|tb)$/iu
 const ramAbsolutePattern = /^\d+(?:\.\d+)?(?:b|k|kb|m|mb|g|gb|t|tb)$/iu
 const percentPattern = /^\d+(?:\.\d+)?%$/u
 
+const ramUnitMibFactors: Readonly<Record<string, number>> = {
+  b: 1 / mebibyte,
+  k: 1 / 1024,
+  kb: 1 / 1024,
+  m: 1,
+  mb: 1,
+  g: 1024,
+  gb: 1024,
+  t: 1024 * 1024,
+  tb: 1024 * 1024
+}
+
 const normalizePrecision = (value: number): number => Math.round(value * precisionScale) / precisionScale
 
 const missingLimit = (): string | undefined => undefined
@@ -134,6 +149,34 @@ const resolvePercentRamLimit = (percent: number, totalMemoryBytes: number): stri
   return `${targetMib}m`
 }
 
+const parseRamLimitMib = (value: string): number | null => {
+  const match = ramLimitPattern.exec(value)
+  if (match === null) {
+    return null
+  }
+
+  const amount = Number(match[1] ?? "0")
+  const unit = (match[2] ?? "m").toLowerCase()
+  const factor = ramUnitMibFactors[unit]
+  return !Number.isFinite(amount) || amount <= 0 || factor === undefined
+    ? null
+    : amount * factor
+}
+
+// CHANGE: allow project containers to use WSL swap without removing hard RAM limits
+// WHY: Docker Compose `memswap_limit` is RAM+swap total; setting it equal to RAM disables extra swap
+// SOURCE: n/a
+// FORMAT THEOREM: forall r: valid_ram(r) -> swap_limit(r) >= 2 * ram_limit(r)
+// PURITY: CORE
+// INVARIANT: generated containers keep a finite memory+swap ceiling
+// COMPLEXITY: O(1)/O(1)
+const resolveSwapLimit = (ramLimit: string): string => {
+  const ramMib = parseRamLimitMib(ramLimit)
+  return ramMib === null
+    ? ramLimit
+    : `${Math.max(minimumResolvedSwapLimitMib, Math.ceil(ramMib * 2))}m`
+}
+
 export const resolveComposeResourceLimits = (
   template: Pick<TemplateConfig, "cpuLimit" | "ramLimit">,
   hostResources: HostResources
@@ -143,13 +186,16 @@ export const resolveComposeResourceLimits = (
   const cpuPercent = parsePercent(cpuLimitIntent)
   const ramPercent = parsePercent(ramLimitIntent)
 
+  const ramLimit = ramPercent === null
+    ? ramLimitIntent
+    : resolvePercentRamLimit(ramPercent, hostResources.totalMemoryBytes)
+
   return {
     cpuLimit: cpuPercent === null
       ? Number(cpuLimitIntent)
       : resolvePercentCpuLimit(cpuPercent, hostResources.cpuCount),
-    ramLimit: ramPercent === null
-      ? ramLimitIntent
-      : resolvePercentRamLimit(ramPercent, hostResources.totalMemoryBytes)
+    ramLimit,
+    swapLimit: resolveSwapLimit(ramLimit)
   }
 }
 

packages/app/src/lib/core/resource-limits.ts

@@ -14,6 +14,7 @@ import {
 const mebibyte = 1024 ** 2
 const minimumResolvedCpuLimit = 0.25
 const minimumResolvedRamLimitMib = 512
+const minimumResolvedSwapLimitMib = 1
 const precisionScale = 100
 
 type HostResources = {
@@ -24,12 +25,26 @@ type HostResources = {
 export type ResolvedComposeResourceLimits = {
   readonly cpuLimit: number
   readonly ramLimit: string
+  readonly swapLimit: string
 }
 
 const cpuAbsolutePattern = /^\d+(?:\.\d+)?$/u
+const ramLimitPattern = /^(\d+(?:\.\d+)?)(b|k|kb|m|mb|g|gb|t|tb)$/iu
 const ramAbsolutePattern = /^\d+(?:\.\d+)?(?:b|k|kb|m|mb|g|gb|t|tb)$/iu
 const percentPattern = /^\d+(?:\.\d+)?%$/u
 
+const ramUnitMibFactors: Readonly<Record<string, number>> = {
+  b: 1 / mebibyte,
+  k: 1 / 1024,
+  kb: 1 / 1024,
+  m: 1,
+  mb: 1,
+  g: 1024,
+  gb: 1024,
+  t: 1024 * 1024,
+  tb: 1024 * 1024
+}
+
 const normalizePrecision = (value: number): number => Math.round(value * precisionScale) / precisionScale
 
 const missingLimit = (): string | undefined => undefined
@@ -134,6 +149,34 @@ const resolvePercentRamLimit = (percent: number, totalMemoryBytes: number): stri
   return `${targetMib}m`
 }
 
+const parseRamLimitMib = (value: string): number | null => {
+  const match = ramLimitPattern.exec(value)
+  if (match === null) {
+    return null
+  }
+
+  const amount = Number(match[1] ?? "0")
+  const unit = (match[2] ?? "m").toLowerCase()
+  const factor = ramUnitMibFactors[unit]
+  return !Number.isFinite(amount) || amount <= 0 || factor === undefined
+    ? null
+    : amount * factor
+}
+
+// CHANGE: allow project containers to use WSL swap without removing hard RAM limits
+// WHY: Docker Compose `memswap_limit` is RAM+swap total; setting it equal to RAM disables extra swap
+// SOURCE: n/a
+// FORMAT THEOREM: forall r: valid_ram(r) -> swap_limit(r) >= 2 * ram_limit(r)
+// PURITY: CORE
+// INVARIANT: generated containers keep a finite memory+swap ceiling
+// COMPLEXITY: O(1)/O(1)
+const resolveSwapLimit = (ramLimit: string): string => {
+  const ramMib = parseRamLimitMib(ramLimit)
+  return ramMib === null
+    ? ramLimit
+    : `${Math.max(minimumResolvedSwapLimitMib, Math.ceil(ramMib * 2))}m`
+}
+
 export const resolveComposeResourceLimits = (
   template: Pick<TemplateConfig, "cpuLimit" | "ramLimit">,
   hostResources: HostResources
@@ -143,13 +186,16 @@ export const resolveComposeResourceLimits = (
   const cpuPercent = parsePercent(cpuLimitIntent)
   const ramPercent = parsePercent(ramLimitIntent)
 
+  const ramLimit = ramPercent === null
+    ? ramLimitIntent
+    : resolvePercentRamLimit(ramPercent, hostResources.totalMemoryBytes)
+
   return {
     cpuLimit: cpuPercent === null
       ? Number(cpuLimitIntent)
       : resolvePercentCpuLimit(cpuPercent, hostResources.cpuCount),
-    ramLimit: ramPercent === null
-      ? ramLimitIntent
-      : resolvePercentRamLimit(ramPercent, hostResources.totalMemoryBytes)
+    ramLimit,
+    swapLimit: resolveSwapLimit(ramLimit)
   }
 }
 

packages/app/src/lib/core/templates/docker-compose.ts

@@ -73,7 +73,7 @@ const renderAgentAutoEnv = (agentAuto: boolean | undefined): string =>
 const renderResourceLimits = (resourceLimits: ResolvedComposeResourceLimits | undefined): string =>
   resourceLimits === undefined
     ? ""
-    : `    cpus: ${resourceLimits.cpuLimit}\n    mem_limit: "${resourceLimits.ramLimit}"\n    memswap_limit: "${resourceLimits.ramLimit}"\n`
+    : `    cpus: ${resourceLimits.cpuLimit}\n    mem_limit: "${resourceLimits.ramLimit}"\n    memswap_limit: "${resourceLimits.swapLimit}"\n`
 
 const renderGpu = (gpu: TemplateConfig["gpu"]): string =>
   gpu === "all"
@@ -121,7 +121,7 @@ const buildPlaywrightFragments = (
 
 const isResolvedComposeResourceLimits = (
   value: ResolvedComposeResourceLimits | ComposeResourceLimits
-): value is ResolvedComposeResourceLimits => "cpuLimit" in value && "ramLimit" in value
+): value is ResolvedComposeResourceLimits => "cpuLimit" in value && "ramLimit" in value && "swapLimit" in value
 
 const normalizeComposeResourceLimits = (
   resourceLimits: ResolvedComposeResourceLimits | ComposeResourceLimits | undefined

packages/app/src/lib/shell/docker-auth.ts

@@ -14,6 +14,7 @@ export type DockerAuthSpec = {
   readonly cwd: string
   readonly image: string
   readonly volume: DockerVolume
+  readonly network?: string
   readonly entrypoint?: string
   readonly user?: string
   readonly env?: string | ReadonlyArray<string>
@@ -197,6 +198,10 @@ const appendEnvArgs = (base: Array<string>, env: string | ReadonlyArray<string>)
 
 const buildDockerArgs = (spec: DockerAuthSpec): ReadonlyArray<string> => {
   const base: Array<string> = ["run", "--rm"]
+  const dockerNetwork = (spec.network ?? resolveDockerEnvValue("DOCKER_GIT_AUTH_DOCKER_NETWORK") ?? "host").trim()
+  if (dockerNetwork.length > 0) {
+    base.push("--network", dockerNetwork)
+  }
   const dockerUser = (spec.user ?? "").trim() || resolveDefaultDockerUser()
   if (dockerUser !== null) {
     base.push("--user", dockerUser)

packages/app/src/lib/usecases/docker-image.ts

@@ -15,6 +15,7 @@ export type DockerImageSpec = {
   readonly imageDir: string
   readonly dockerfile: string
   readonly buildLabel: string
+  readonly buildNetwork?: string
 }
 
 // CHANGE: ensure a docker image is available locally
@@ -66,9 +67,10 @@ export const ensureDockerImage = (
     yield* _(fs.makeDirectory(imagePath, { recursive: true }))
     yield* _(fs.writeFileString(dockerfilePath, spec.dockerfile))
     yield* _(Effect.log(`Building ${spec.buildLabel} image (${spec.imageName})...`))
+    const networkArgs = spec.buildNetwork === undefined ? [] : ["--network", spec.buildNetwork]
     yield* _(
       runCommandWithExitCodes(
-        { cwd, command: "docker", args: ["build", "-t", spec.imageName, imagePath] },
+        { cwd, command: "docker", args: ["build", ...networkArgs, "-t", spec.imageName, imagePath] },
         [0],
         (exitCode) => new CommandFailedError({ command: `docker build (${spec.buildLabel})`, exitCode })
       )

packages/app/src/lib/usecases/github-auth-image.ts

@@ -16,16 +16,16 @@ export const ghImageDir = ".docker-git/.orch/auth/gh/.image"
 export const renderGhDockerfile = (): string =>
   String.raw`FROM ubuntu:24.04
 ENV DEBIAN_FRONTEND=noninteractive
-RUN apt-get update \
-  && apt-get install -y --no-install-recommends ca-certificates curl gnupg bsdutils \
+RUN apt-get -o Acquire::Retries=3 update \
+  && apt-get -o Acquire::Retries=3 install -y --no-install-recommends ca-certificates curl gnupg bsdutils \
   && mkdir -p /etc/apt/keyrings \
-  && curl -fsSL https://cli.github.com/packages/githubcli-archive-keyring.gpg \
+  && curl -fsSL --retry 5 --retry-all-errors --retry-delay 2 https://cli.github.com/packages/githubcli-archive-keyring.gpg \
     | gpg --dearmor -o /etc/apt/keyrings/githubcli-archive-keyring.gpg \
   && chmod go+r /etc/apt/keyrings/githubcli-archive-keyring.gpg \
   && echo "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/githubcli-archive-keyring.gpg] https://cli.github.com/packages stable main" \
     > /etc/apt/sources.list.d/github-cli.list \
-  && apt-get update \
-  && apt-get install -y --no-install-recommends gh git \
+  && apt-get -o Acquire::Retries=3 update \
+  && apt-get -o Acquire::Retries=3 install -y --no-install-recommends gh git \
   && rm -rf /var/lib/apt/lists/*
 ENTRYPOINT ["gh"]
 `
@@ -50,6 +50,7 @@ export const ensureGhAuthImage = (
     imageName: ghImageName,
     imageDir: ghImageDir,
     dockerfile: renderGhDockerfile(),
-    buildLabel
+    buildLabel,
+    buildNetwork: "host"
   })
 /* jscpd:ignore-end */

packages/app/src/lib/usecases/gitlab-auth-image.ts

@@ -18,8 +18,8 @@ const glabPackageBaseUrl = `https://gitlab.com/api/v4/projects/gitlab-org%2Fcli/
 export const renderGlabDockerfile = (): string =>
   String.raw`FROM ubuntu:24.04
 ENV DEBIAN_FRONTEND=noninteractive
-RUN apt-get update \
-  && apt-get install -y --no-install-recommends ca-certificates curl git bsdutils \
+RUN apt-get -o Acquire::Retries=3 update \
+  && apt-get -o Acquire::Retries=3 install -y --no-install-recommends ca-certificates curl git bsdutils \
   && ARCH="$(dpkg --print-architecture)" \
   && case "$ARCH" in \
       amd64) GLAB_ARCH="amd64" ;; \
@@ -52,5 +52,6 @@ export const ensureGlabAuthImage = (
     imageName: gitlabImageName,
     imageDir: gitlabImageDir,
     dockerfile: renderGlabDockerfile(),
-    buildLabel
+    buildLabel,
+    buildNetwork: "host"
   })

packages/lib/src/core/resource-limits.ts

@@ -13,6 +13,7 @@ import {
 const mebibyte = 1024 ** 2
 const minimumResolvedCpuLimit = 0.25
 const minimumResolvedRamLimitMib = 512
+const minimumResolvedSwapLimitMib = 1
 const precisionScale = 100
 
 type HostResources = {
@@ -23,12 +24,26 @@ type HostResources = {
 export type ResolvedComposeResourceLimits = {
   readonly cpuLimit: number
   readonly ramLimit: string
+  readonly swapLimit: string
 }
 
 const cpuAbsolutePattern = /^\d+(?:\.\d+)?$/u
+const ramLimitPattern = /^(\d+(?:\.\d+)?)(b|k|kb|m|mb|g|gb|t|tb)$/iu
 const ramAbsolutePattern = /^\d+(?:\.\d+)?(?:b|k|kb|m|mb|g|gb|t|tb)$/iu
 const percentPattern = /^\d+(?:\.\d+)?%$/u
 
+const ramUnitMibFactors: Readonly<Record<string, number>> = {
+  b: 1 / mebibyte,
+  k: 1 / 1024,
+  kb: 1 / 1024,
+  m: 1,
+  mb: 1,
+  g: 1024,
+  gb: 1024,
+  t: 1024 * 1024,
+  tb: 1024 * 1024
+}
+
 const normalizePrecision = (value: number): number => Math.round(value * precisionScale) / precisionScale
 
 const missingLimit = (): string | undefined => undefined
@@ -133,6 +148,34 @@ const resolvePercentRamLimit = (percent: number, totalMemoryBytes: number): stri
   return `${targetMib}m`
 }
 
+const parseRamLimitMib = (value: string): number | null => {
+  const match = ramLimitPattern.exec(value)
+  if (match === null) {
+    return null
+  }
+
+  const amount = Number(match[1] ?? "0")
+  const unit = (match[2] ?? "m").toLowerCase()
+  const factor = ramUnitMibFactors[unit]
+  return !Number.isFinite(amount) || amount <= 0 || factor === undefined
+    ? null
+    : amount * factor
+}
+
+// CHANGE: allow project containers to use WSL swap without removing hard RAM limits
+// WHY: Docker Compose `memswap_limit` is RAM+swap total; setting it equal to RAM disables extra swap
+// SOURCE: n/a
+// FORMAT THEOREM: forall r: valid_ram(r) -> swap_limit(r) >= 2 * ram_limit(r)
+// PURITY: CORE
+// INVARIANT: generated containers keep a finite memory+swap ceiling
+// COMPLEXITY: O(1)/O(1)
+const resolveSwapLimit = (ramLimit: string): string => {
+  const ramMib = parseRamLimitMib(ramLimit)
+  return ramMib === null
+    ? ramLimit
+    : `${Math.max(minimumResolvedSwapLimitMib, Math.ceil(ramMib * 2))}m`
+}
+
 export const resolveComposeResourceLimits = (
   template: Pick<TemplateConfig, "cpuLimit" | "ramLimit">,
   hostResources: HostResources
@@ -142,13 +185,16 @@ export const resolveComposeResourceLimits = (
   const cpuPercent = parsePercent(cpuLimitIntent)
   const ramPercent = parsePercent(ramLimitIntent)
 
+  const ramLimit = ramPercent === null
+    ? ramLimitIntent
+    : resolvePercentRamLimit(ramPercent, hostResources.totalMemoryBytes)
+
   return {
     cpuLimit: cpuPercent === null
       ? Number(cpuLimitIntent)
       : resolvePercentCpuLimit(cpuPercent, hostResources.cpuCount),
-    ramLimit: ramPercent === null
-      ? ramLimitIntent
-      : resolvePercentRamLimit(ramPercent, hostResources.totalMemoryBytes)
+    ramLimit,
+    swapLimit: resolveSwapLimit(ramLimit)
   }
 }
 

packages/lib/src/core/templates/docker-compose.ts

@@ -72,7 +72,7 @@ const renderAgentAutoEnv = (agentAuto: boolean | undefined): string =>
 const renderResourceLimits = (resourceLimits: ResolvedComposeResourceLimits | undefined): string =>
   resourceLimits === undefined
     ? ""
-    : `    cpus: ${resourceLimits.cpuLimit}\n    mem_limit: "${resourceLimits.ramLimit}"\n    memswap_limit: "${resourceLimits.ramLimit}"\n`
+    : `    cpus: ${resourceLimits.cpuLimit}\n    mem_limit: "${resourceLimits.ramLimit}"\n    memswap_limit: "${resourceLimits.swapLimit}"\n`
 
 const renderGpu = (gpu: TemplateConfig["gpu"]): string =>
   gpu === "all"
@@ -120,7 +120,7 @@ const buildPlaywrightFragments = (
 
 const isResolvedComposeResourceLimits = (
   value: ResolvedComposeResourceLimits | ComposeResourceLimits
-): value is ResolvedComposeResourceLimits => "cpuLimit" in value && "ramLimit" in value
+): value is ResolvedComposeResourceLimits => "cpuLimit" in value && "ramLimit" in value && "swapLimit" in value
 
 const normalizeComposeResourceLimits = (
   resourceLimits: ResolvedComposeResourceLimits | ComposeResourceLimits | undefined