Git config

[koudis]

Summary by CodeRabbit

• New Features

  • Build Resources agent enabled by default to install common build toolchains and perform readiness checks.
  • Two-layer Docker image model: shared base image + per-project instance images for faster, leaner builds.
  • Host ~/.gitconfig forwarding into builds and optional injection of a local Claude memory file into images.
  • New --docker-restart-policy flag to control container restart behavior; applied to created containers.

• Documentation

  • Specs expanded to cover two-layer architecture, agents, git-config injection, and restart-policy rules.

• Tests

  • Expanded unit/integration tests covering build/purge/stop flows, two-layer builds, and agent health checks.

[coderabbitai]

📝 Walkthrough

Walkthrough

This PR implements a two-layer Docker image architecture for the bootstrap-ai-coding system, replacing a monolithic approach with a shared base image (bac-base:latest) containing agent installations and optional git config, and per-project instance images containing SSH keys and sshd configuration. It introduces a new build-resources pseudo-agent for toolchain installation, manifest-based rebuild detection to avoid unnecessary rebuilds when agent configuration hasn't changed, and adds testable stop and purge operations.

Changes

Two-Layer Docker Architecture & Build Resources

Layer / File(s)	Summary
Constants & Image Naming internal/constants/constants.go	Adds BaseImageName ("bac-base"), BaseImageTag ("bac-base:latest"), BuildResourcesAgentName ("build-resources"), and GitConfigPerm (0o444). Updates DefaultAgents to include build-resources alongside Claude Code and Augment Code.
Design & Specification Documents .kiro/specs/bootstrap-ai-coding/...	Comprehensive specification of two-layer architecture, git config forwarding, build-resources agent requirements, manifest-based build detection, and implementation task roadmap.
Build Resources Agent Implementation internal/agents/buildresources/*	New pseudo-agent installing Python 3, uv, CMake, build-essential, OpenJDK, and Go system-wide during base image build. No credential store; HealthCheck verifies installed tool versions. Unit and integration tests added.
Docker Builder Two-Layer Split internal/docker/builder.go, builder_test.go	Replaces single NewDockerfileBuilder with NewBaseImageBuilder (installs agents, D-Bus/gnome-keyring, optional base64-encoded git config injection) and NewInstanceImageBuilder (SSH keys, sshd hardening, CMD). Adds RunAsUser helper for per-user command execution. Tests updated for two-layer invariants and gitconfig injection.
Build Decision Logic internal/cmd/builds.go, builds_test.go	Implements DetermineBuildsWithAPI, DetermineBuildsAPI interface, and ErrManifestMismatch to decide whether to rebuild base and/or instance based on bac.manifest and enabledIDs. Tests cover mismatch and presence/absence scenarios.
Start Flow Integration internal/cmd/root.go	Refactors runStart to use determineBuilds for layer selection, conditionally build base image with host git config and manifest label, build instance image from base, handle agents with empty credential stores (skip credential setup), and update volume mounts to exclude agents without credentials.
Restart Policy & Runner internal/cmd/root.go, internal/docker/runner.go, tests	Adds --docker-restart-policy CLI flag with ValidRestartPolicies/ValidateRestartPolicy, threads value into ContainerSpec.RestartPolicy, adds ResolveRestartPolicy and applies to created containers; includes validation/unit tests.
Stop and Purge Operations internal/cmd/stop.go, stop_test.go, internal/cmd/purge.go, purge_test.go	Implements testable RunStopWith to stop container and remove SSH known_hosts/config entries while preserving images. Implements RunPurgeWith to remove all bac-managed containers and images using label filtering. Both provide Docker API interfaces for unit testing.
Tests & Integration internal/agents/claude/*, augment/*, internal/docker/integration_test.go	Update Claude and Augment agent test helpers to build base and instance images separately using new builders. Removes hard-coded SSH key test constants. Adds comprehensive integration test for two-layer build/rebuild cycle with container lifecycle verification.
Configuration .gitignore, main.go	Removes bootstrap-ai-coding entry from .gitignore. Adds blank import for internal/agents/buildresources to enable agent registration.

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~60 minutes

Poem

🐰 A base and instance, two layers so fine,
Where build-resources installs toolchains divine!
Git configs whisper through base64 streams,
While manifests guard the rebuild schemes. ✨
From monolith split to cached perfection,
The docker dance reaches new direction! 🐳

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch git_config

[coderabbitai]

Actionable comments posted: 5

🧹 Nitpick comments (2)

internal/cmd/purge_test.go (1)

111-137: 💤 Low value

Test name implies more validation than is actually performed.

The test TestPurgeAlsoStopsAndRemovesContainers claims to verify that "purge stops and removes containers before removing images," but the mock's ContainerStop and ContainerRemove methods don't record their calls. The test only verifies that the image is still removed when containers exist—not that the container operations were actually invoked.

Consider tracking stoppedContainerIDs and removedContainerIDs in the mock to assert the complete flow.

♻️ Proposed enhancement to track container operations

 type mockPurgeDockerAPI struct {
 	containers []container.Summary
 	images     []image.Summary

 	removedImageIDs []string
+	stoppedContainerIDs []string
+	removedContainerIDs []string
 }

-func (m *mockPurgeDockerAPI) ContainerStop(_ context.Context, _ string, _ container.StopOptions) error {
+func (m *mockPurgeDockerAPI) ContainerStop(_ context.Context, containerID string, _ container.StopOptions) error {
+	m.stoppedContainerIDs = append(m.stoppedContainerIDs, containerID)
 	return nil
 }

-func (m *mockPurgeDockerAPI) ContainerRemove(_ context.Context, _ string, _ container.RemoveOptions) error {
+func (m *mockPurgeDockerAPI) ContainerRemove(_ context.Context, containerID string, _ container.RemoveOptions) error {
+	m.removedContainerIDs = append(m.removedContainerIDs, containerID)
 	return nil
 }

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@internal/cmd/purge_test.go` around lines 111 - 137, The test
TestPurgeAlsoStopsAndRemovesContainers claims to verify container stop/remove
calls but the mockPurgeDockerAPI doesn't record ContainerStop/ContainerRemove
invocations; update mockPurgeDockerAPI to add fields stoppedContainerIDs and
removedContainerIDs, append the container ID in the mock implementations of
ContainerStop and ContainerRemove respectively, then extend the test to assert
that stoppedContainerIDs and removedContainerIDs contain "container-1" (in
addition to the existing assertions on removedImageIDs) to ensure the full purge
flow was exercised.

internal/cmd/stop.go (1)

9-10: 💤 Low value

Unused import github.com/docker/docker/api/types/image.

The image package is imported but not used in RunStopWith. It's only part of the interface definition for ImageRemove, which is not called in this file.

♻️ Remove unused import

 import (
 	"context"
 	"fmt"
 	"os"
 	"strings"

 	"github.com/docker/docker/api/types/container"
-	"github.com/docker/docker/api/types/image"

 	"github.com/koudis/bootstrap-ai-coding/internal/datadir"
 	"github.com/koudis/bootstrap-ai-coding/internal/naming"
 	sshpkg "github.com/koudis/bootstrap-ai-coding/internal/ssh"
 )

Note: If the interface definition in this file requires the import, this can be skipped.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@internal/cmd/stop.go` around lines 9 - 10, Remove the unused import
"github.com/docker/docker/api/types/image" from the imports in stop.go; the
image package is not referenced in RunStopWith (or elsewhere in this file) so
simply delete that import to fix the unused-import compilation error—leave the
import of "github.com/docker/docker/api/types/container" and keep any interface
definitions intact if they rely on types elsewhere.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.kiro/specs/bootstrap-ai-coding/requirements-core.md:
- Line 415: The spec change moved responsibility for reading the host
~/.gitconfig out of DockerfileBuilder into the startup/CLI; update the wording
and implementation notes so DockerfileBuilder (and its API symbol
DockerfileBuilder) no longer performs filesystem I/O (do not use
hostinfo.Info.HomeDir inside DockerfileBuilder) and instead accept the pre-read
gitConfig string parameter already present on the base builder API; ensure the
requirement text references injecting the provided gitConfig into the
Container_Image at <Container_User_Home>/.gitconfig and clarify that reading
~/.gitconfig is performed by the CLI/startup layer that supplies gitConfig to
DockerfileBuilder rather than by DockerfileBuilder itself.

In @.kiro/specs/bootstrap-ai-coding/requirements-two-layer-image.md:
- Around line 15-16: The shared base image (bac-base:latest / Base_Image)
currently embeds user-specific state like Container_User and Host_Git_Config
which can leak between different host users when the same Docker daemon is
reused; either scope the Base_Image cache/key by host user inputs (e.g., include
UID/GID and relevant host git config or user identifier in the image tag/cache
key used when creating Base_Image) or remove all host-specific artifacts
(Container_User, Host_Git_Config, home dir files, .gitconfig, SSH keys) from
Base_Image and instead inject them only into the per-project Instance_Image
built FROM Base_Image; update the image build/reuse logic to use the chosen
approach so TL-3 reuse requires matching user-scoped inputs, and ensure any
references to Container_User and Host_Git_Config are handled at Instance_Image
creation time.

In `@internal/agents/augment/integration_test.go`:
- Around line 123-151: The tests are using a global constants.BaseImageTag
(bac-base:latest) causing races; change the build to use a suite-unique base tag
and pass that tag into the instance image builder instead of sharedImageTag.
Concretely, generate a uniqueBaseTag (e.g., constants.BaseImageTag +
suite-specific suffix or UUID), set baseSpec.ImageTag = uniqueBaseTag before
calling docker.BuildImage, and update the instanceBuilder creation/path so the
instance image uses that same uniqueBaseTag (plumb the tag into
docker.NewInstanceImageBuilder or into instanceBuilder.Finalize/Build as
appropriate) ensuring docker.BuildImage and the ContainerSpec for the instance
reference the suite-specific tag rather than
constants.BaseImageTag/sharedImageTag.

In `@internal/cmd/root.go`:
- Around line 500-506: The code compares buildErr to ErrManifestMismatch using
== which fails for wrapped errors; change the check to use errors.Is(buildErr,
ErrManifestMismatch) in the block handling determineBuilds (reference:
determineBuilds return, buildErr variable and ErrManifestMismatch sentinel) and
keep the same logging/return behavior when the sentinel matches, importing the
errors package if not already present.

In `@internal/docker/builder.go`:
- Around line 161-166: The current b.Run(fmt.Sprintf(...)) call in builder.go
uses fmt.Sprintf("%q", hostKeyPriv/hostKeyPub) which double-quotes and escapes
newlines, producing malformed SSH key files; fix it by writing the raw key bytes
into the container without Go-quoting: encode hostKeyPriv and hostKeyPub with
base64 in Go (e.g., base64.StdEncoding.EncodeToString) and update the b.Run
command to echo the base64 and pipe through base64 -d to write to privPath and
pubPath (or alternatively use a shell heredoc like cat <<'EOF' to write the raw
string), and keep the chmod operations as-is so SSH keys are created with
correct content and permissions; modify the code around the b.Run(...)
invocation that references hostKeyPriv, hostKeyPub, privPath, pubPath and remove
the "%q" formatting.

---

Nitpick comments:
In `@internal/cmd/purge_test.go`:
- Around line 111-137: The test TestPurgeAlsoStopsAndRemovesContainers claims to
verify container stop/remove calls but the mockPurgeDockerAPI doesn't record
ContainerStop/ContainerRemove invocations; update mockPurgeDockerAPI to add
fields stoppedContainerIDs and removedContainerIDs, append the container ID in
the mock implementations of ContainerStop and ContainerRemove respectively, then
extend the test to assert that stoppedContainerIDs and removedContainerIDs
contain "container-1" (in addition to the existing assertions on
removedImageIDs) to ensure the full purge flow was exercised.

In `@internal/cmd/stop.go`:
- Around line 9-10: Remove the unused import
"github.com/docker/docker/api/types/image" from the imports in stop.go; the
image package is not referenced in RunStopWith (or elsewhere in this file) so
simply delete that import to fix the unused-import compilation error—leave the
import of "github.com/docker/docker/api/types/container" and keep any interface
definitions intact if they rely on types elsewhere.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro Plus

Run ID: 534d6977-c516-4454-845b-ca82aa65c55d

📥 Commits

Reviewing files that changed from the base of the PR and between 79c2925 and 556a7ca.

📒 Files selected for processing (25)

• .gitignore
• .kiro/specs/bootstrap-ai-coding/design-architecture.md
• .kiro/specs/bootstrap-ai-coding/requirements-agents.md
• .kiro/specs/bootstrap-ai-coding/requirements-core.md
• .kiro/specs/bootstrap-ai-coding/requirements-two-layer-image.md
• .kiro/specs/bootstrap-ai-coding/tasks.md
• internal/agents/augment/augment_test.go
• internal/agents/augment/integration_test.go
• internal/agents/buildresources/buildresources.go
• internal/agents/buildresources/buildresources_test.go
• internal/agents/buildresources/integration_test.go
• internal/agents/claude/claude_test.go
• internal/agents/claude/integration_test.go
• internal/cmd/builds.go
• internal/cmd/builds_test.go
• internal/cmd/purge.go
• internal/cmd/purge_test.go
• internal/cmd/root.go
• internal/cmd/stop.go
• internal/cmd/stop_test.go
• internal/constants/constants.go
• internal/docker/builder.go
• internal/docker/builder_test.go
• internal/docker/integration_test.go
• main.go

💤 Files with no reviewable changes (1)

• .gitignore

[coderabbitai]

Actionable comments posted: 2

🧹 Nitpick comments (1)

internal/agents/claude/claude_test.go (1)

316-320: ⚡ Quick win

Make this assertion deterministic by controlling HOME in-test.

Allowing both 3 and 4 weakens regression signal and makes behavior environment-dependent. Set HOME to a temp dir (no .claude/CLAUDE.md) and assert exactly 3 here; add a separate test that creates ~/.claude/CLAUDE.md and asserts 4.

🧪 Suggested test hardening

 func TestClaudeInstallNodeAlreadyInstalled(t *testing.T) {
+	home := t.TempDir()
+	t.Setenv("HOME", home)
+
 	a, err := agent.Lookup(constants.ClaudeCodeAgentName)
 	require.NoError(t, err)
@@
 	linesAfter := len(b.Lines())
 	added := linesAfter - linesBefore
-	require.True(t, added == 3 || added == 4,
-		"must add 3 RUN steps (prereqs + npm + symlink) plus optionally 1 memory injection step, got %d", added)
+	require.Equal(t, 3, added,
+		"must add exactly 3 RUN steps (prereqs + npm + symlink) when no host CLAUDE.md is present")
 }

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@internal/agents/claude/claude_test.go` around lines 316 - 320, The assertion
on added (computed from linesAfter := len(b.Lines()) and linesBefore) is
nondeterministic because it depends on the real HOME; instead set the HOME env
inside the test to a temp dir without ~/.claude/CLAUDE.md and assert added == 3,
and add a separate test that creates a ~/.claude/CLAUDE.md in a temp HOME and
then asserts added == 4; update the test harness to use os.Setenv("HOME",
tmpDir) (and restore afterwards) around the code that computes linesAfter so the
require.True/require.Equal check becomes deterministic.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@internal/agents/claude/claude.go`:
- Around line 47-52: The code currently always calls a.injectMemory(b) which
bakes the host CLAUDE.md into the shared image; change this to be opt-in or
moved to the per-instance layer: add a boolean config flag (e.g., BakeHostMemory
or EnableHostMemory) on the agent/agent options struct and check it before
calling a.injectMemory(b) so the call only occurs when explicitly enabled, or
instead remove the injectMemory call here and invoke injectMemory when creating
per-instance overlays (so the file is added at runtime per container rather than
baked into the base image); update references to a.injectMemory(b), the agent
options struct, and the image build path accordingly.
- Around line 78-85: The generated shell command built in the
b.Run(fmt.Sprintf(...)) call is unsafe because unquoted values
(containerClaudeDir, encoded, containerMemoryFile, b.Username()) can contain
spaces or metacharacters; change the construction to properly shell-quote or
escape each interpolated value before passing to fmt.Sprintf (e.g., use
fmt.Sprintf("%q", val) or strconv.Quote for containerClaudeDir, encoded,
containerMemoryFile and b.Username()), or build the command to use a safe
here-doc/printf approach instead so the final b.Run invocation receives a
single, shell-safe command string that does not allow word-splitting or token
injection.

---

Nitpick comments:
In `@internal/agents/claude/claude_test.go`:
- Around line 316-320: The assertion on added (computed from linesAfter :=
len(b.Lines()) and linesBefore) is nondeterministic because it depends on the
real HOME; instead set the HOME env inside the test to a temp dir without
~/.claude/CLAUDE.md and assert added == 3, and add a separate test that creates
a ~/.claude/CLAUDE.md in a temp HOME and then asserts added == 4; update the
test harness to use os.Setenv("HOME", tmpDir) (and restore afterwards) around
the code that computes linesAfter so the require.True/require.Equal check
becomes deterministic.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro Plus

Run ID: f68213fb-e15f-44ca-9726-3277fd904e6c

📥 Commits

Reviewing files that changed from the base of the PR and between 556a7ca and ca8d268.

📒 Files selected for processing (3)

• internal/agents/buildresources/buildresources.go
• internal/agents/claude/claude.go
• internal/agents/claude/claude_test.go

🚧 Files skipped from review as they are similar to previous changes (1)

• internal/agents/buildresources/buildresources.go

[coderabbitai]

Actionable comments posted: 1

🧹 Nitpick comments (5)

.kiro/specs/bootstrap-ai-coding/design-build-resources.md (2)

176-202: 💤 Low value

Add language specifiers to Dockerfile code blocks.

The fenced code blocks at lines 176 and 195 represent Dockerfile content but lack language identifiers. Adding dockerfile improves syntax highlighting and resolves lint warnings.

📝 Suggested fix

 **Base_Image (`bac-base:latest`):**
-```
+```dockerfile
 FROM ubuntu:26.04
 ...

 **Instance_Image (`bac-<name>:latest`):**
-```
+```dockerfile
 FROM bac-base:latest
 ...

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.kiro/specs/bootstrap-ai-coding/design-build-resources.md around lines 176 -
202, The two fenced code blocks that show Dockerfile content (the blocks
beginning with "FROM ubuntu:26.04" and "FROM bac-base:latest") are missing
language specifiers; update each fence to include the dockerfile language
identifier (i.e., change ``` to ```dockerfile) so the blocks for the Dockerfiles
(base image and Instance_Image/bac-<name>) get proper syntax highlighting and
satisfy the linter.

---

147-149: 💤 Low value

Fix duplicate list numbering.

Items 7 appears twice in the design decisions list (lines 147 and 149). The second "7." should be "8.".

📝 Suggested fix

 7. **`goVersion` private constant:** The Go version is declared as a private `const goVersion` in the agent package, making it easy to bump without searching through string literals.

-7. **Default inclusion:** Added to `constants.DefaultAgents` so it's always present unless the user explicitly overrides `--agents`. This means `go run . /path` installs Claude Code + Augment Code + Build Resources by default.
+8. **Default inclusion:** Added to `constants.DefaultAgents` so it's always present unless the user explicitly overrides `--agents`. This means `go run . /path` installs Claude Code + Augment Code + Build Resources by default.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.kiro/specs/bootstrap-ai-coding/design-build-resources.md around lines 147 -
149, The numbered list in the design decisions duplicates "7." — update the
second occurrence to "8." so the sequence reads correctly; specifically edit the
two consecutive list entries that reference the `goVersion` private constant and
the `constants.DefaultAgents` default inclusion so the first remains "7." and
the next becomes "8." to fix the numbering.

.kiro/specs/bootstrap-ai-coding/tasks.md (1)

5-7: 💤 Low value

Add language specifier to fenced code block.

The fenced code block lacks a language identifier, which triggers markdown lint warnings. Since this is a simple text diagram, you can use text or plaintext.

📝 Suggested fix

-```
+```text
 Task 1 (constants) → Task 2 (ContainerSpec) → Task 3 (runner) → Task 4 (cmd flags) → Task 5 (tests)

</details>

<details>
<summary>🤖 Prompt for AI Agents</summary>

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.kiro/specs/bootstrap-ai-coding/tasks.md around lines 5 - 7, The fenced code
block in the tasks.md diagram is missing a language identifier and triggers
markdown-lint warnings; open .kiro/specs/bootstrap-ai-coding/tasks.md, locate
the fenced code block containing "Task 1 (constants) → Task 2 (ContainerSpec) →
Task 3 (runner) → Task 4 (cmd flags) → Task 5 (tests)" and add a language tag
such as text (i.e., change the opening totext) so the block is
recognized and the lint warning is resolved.

</details>

</blockquote></details>
<details>
<summary>.kiro/specs/bootstrap-ai-coding/design-components.md (1)</summary><blockquote>

`201-204`: _💤 Low value_

**Add language specifier to Dockerfile example block.**

The code block showing the generated Dockerfile user creation lacks a language identifier.




<details>
<summary>📝 Suggested fix</summary>

```diff
 **Generated Dockerfile user creation example** (values from `*hostinfo.Info`):
-```
+```dockerfile
 RUN useradd --create-home --home-dir /home/alice --uid 1000 --gid 1000 --shell /bin/bash alice
 ```
```
</details>

<details>
<summary>🤖 Prompt for AI Agents</summary>

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.kiro/specs/bootstrap-ai-coding/design-components.md around lines 201 - 204,
The fenced code block containing the Dockerfile example (the block that wraps
the line starting with "RUN useradd --create-home --home-dir /home/alice --uid
1000 --gid 1000 --shell /bin/bash alice") should include a language specifier;
update the opening fence to ```dockerfile so the snippet is highlighted as a
Dockerfile example.

</details>

</blockquote></details>
<details>
<summary>internal/cmd/root_test.go (1)</summary><blockquote>

`374-386`: _⚡ Quick win_

**Improve valid-branch coverage in the restart-policy property test.**

This property mostly samples invalid strings, so the accepted-path is rarely exercised. Add a small deterministic test to assert all declared valid policies are accepted.
 

<details>
<summary>Suggested test addition</summary>

```diff
+func TestRestartPolicyAllValidValuesAccepted(t *testing.T) {
+	for policy, isValid := range cmd.ValidRestartPolicies {
+		if !isValid {
+			continue
+		}
+		require.NoError(t, cmd.ValidateRestartPolicy(policy),
+			"valid policy %q must be accepted", policy)
+	}
+}
```
</details>

<details>
<summary>🤖 Prompt for AI Agents</summary>

```
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@internal/cmd/root_test.go` around lines 374 - 386, The property test
TestPropertyRestartPolicyValidationAcceptsIffValid rarely exercises the valid
branch because rapid mostly generates invalid strings; add a deterministic unit
check that iterates over cmd.ValidRestartPolicies and calls
cmd.ValidateRestartPolicy for each entry, asserting no error for each valid
policy. Place this small loop-based test either in the same test function after
the rapid.Check or as a new Test that references cmd.ValidRestartPolicies and
cmd.ValidateRestartPolicy so every declared valid policy is explicitly verified.
```

</details>

</blockquote></details>

</blockquote></details>

<details>
<summary>🤖 Prompt for all review comments with AI agents</summary>

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.kiro/specs/bootstrap-ai-coding/design-data-models.md:

• Around line 141-149: The fenced warning code block currently has no language
  tag which triggers markdownlint MD040; update the fenced block around the
  integration test warning to include the plain text language identifier by
  changing the opening fence from totext so the block reads as a
  plain-text fenced code block (the warning block that starts with "WARNING:
  Integration tests interact with the local Docker daemon.").

---

Nitpick comments:
In @.kiro/specs/bootstrap-ai-coding/design-build-resources.md:

• Around line 176-202: The two fenced code blocks that show Dockerfile content
  (the blocks beginning with "FROM ubuntu:26.04" and "FROM bac-base:latest") are
  missing language specifiers; update each fence to include the dockerfile
  language identifier (i.e., change todockerfile) so the blocks for the
  Dockerfiles (base image and Instance_Image/bac-) get proper syntax
  highlighting and satisfy the linter.
• Around line 147-149: The numbered list in the design decisions duplicates "7."
  — update the second occurrence to "8." so the sequence reads correctly;
  specifically edit the two consecutive list entries that reference the
  goVersion private constant and the constants.DefaultAgents default inclusion
  so the first remains "7." and the next becomes "8." to fix the numbering.

In @.kiro/specs/bootstrap-ai-coding/design-components.md:

• Around line 201-204: The fenced code block containing the Dockerfile example
  (the block that wraps the line starting with "RUN useradd --create-home
  --home-dir /home/alice --uid 1000 --gid 1000 --shell /bin/bash alice") should
  include a language specifier; update the opening fence to ```dockerfile so the
  snippet is highlighted as a Dockerfile example.

In @.kiro/specs/bootstrap-ai-coding/tasks.md:

• Around line 5-7: The fenced code block in the tasks.md diagram is missing a
  language identifier and triggers markdown-lint warnings; open
  .kiro/specs/bootstrap-ai-coding/tasks.md, locate the fenced code block
  containing "Task 1 (constants) → Task 2 (ContainerSpec) → Task 3 (runner) → Task
  4 (cmd flags) → Task 5 (tests)" and add a language tag such as text (i.e.,
  change the opening totext) so the block is recognized and the lint
  warning is resolved.

In @internal/cmd/root_test.go:

• Around line 374-386: The property test
  TestPropertyRestartPolicyValidationAcceptsIffValid rarely exercises the valid
  branch because rapid mostly generates invalid strings; add a deterministic unit
  check that iterates over cmd.ValidRestartPolicies and calls
  cmd.ValidateRestartPolicy for each entry, asserting no error for each valid
  policy. Place this small loop-based test either in the same test function after
  the rapid.Check or as a new Test that references cmd.ValidRestartPolicies and
  cmd.ValidateRestartPolicy so every declared valid policy is explicitly verified.

</details>

<details>
<summary>🪄 Autofix (Beta)</summary>

Fix all unresolved CodeRabbit comments on this PR:

- [ ] <!-- {"checkboxId": "4b0d0e0a-96d7-4f10-b296-3a18ea78f0b9"} --> Push a commit to this branch (recommended)
- [ ] <!-- {"checkboxId": "ff5b1114-7d8c-49e6-8ac1-43f82af23a33"} --> Create a new PR with the fixes

</details>

---

<details>
<summary>ℹ️ Review info</summary>

<details>
<summary>⚙️ Run configuration</summary>

**Configuration used**: defaults

**Review profile**: CHILL

**Plan**: Pro Plus

**Run ID**: `55b6a152-2df1-4f51-b776-237a160b8352`

</details>

<details>
<summary>📥 Commits</summary>

Reviewing files that changed from the base of the PR and between ca8d268a2d48072ffce382de9a4989e60e7cc604 and c20fad94e406cd65e392df0b5a1b7a7101a7eee7.

</details>

<details>
<summary>📒 Files selected for processing (16)</summary>

* `.kiro/specs/bootstrap-ai-coding/design-architecture.md`
* `.kiro/specs/bootstrap-ai-coding/design-build-resources.md`
* `.kiro/specs/bootstrap-ai-coding/design-components.md`
* `.kiro/specs/bootstrap-ai-coding/design-data-models.md`
* `.kiro/specs/bootstrap-ai-coding/design-docker.md`
* `.kiro/specs/bootstrap-ai-coding/design-properties.md`
* `.kiro/specs/bootstrap-ai-coding/design.md`
* `.kiro/specs/bootstrap-ai-coding/requirements-cli-combinations.md`
* `.kiro/specs/bootstrap-ai-coding/requirements-core.md`
* `.kiro/specs/bootstrap-ai-coding/tasks.md`
* `internal/cmd/root.go`
* `internal/cmd/root_test.go`
* `internal/constants/constants.go`
* `internal/docker/builder.go`
* `internal/docker/runner.go`
* `internal/docker/runner_restart_test.go`

</details>

<details>
<summary>✅ Files skipped from review due to trivial changes (2)</summary>

* .kiro/specs/bootstrap-ai-coding/design.md
* .kiro/specs/bootstrap-ai-coding/design-properties.md

</details>

<details>
<summary>🚧 Files skipped from review as they are similar to previous changes (3)</summary>

* internal/constants/constants.go
* internal/docker/builder.go
* .kiro/specs/bootstrap-ai-coding/design-architecture.md

</details>

</details>

<!-- This is an auto-generated comment by CodeRabbit for review status -->