fix(isolation): mount git identity into docker containers; cross-check premature docker status (#1939) #1940
Adding .gitkeep for PR creation (default mode). This file will be removed when the task is complete. Issue: #1939
It actually was able to create the comment - #1596 (comment), so maybe we did correctly mount it.
…k premature docker status (#1939)

A `--isolation docker` solve run failed at the system-check stage with "Git identity not configured" even though gh was authenticated (account konard). The native start-command (`$`) invocation mounted only ~/.config/gh, ~/.claude and ~/.claude.json — no git identity — so git user.name/user.email were unset inside the container and solve aborted before any work.

Fixes (all in this PR on branch issue-1939-f81a3d54f708):
- getDockerIsolationAuthMounts now mounts the host git identity (~/.gitconfig and XDG ~/.config/git, honoring GIT_CONFIG_GLOBAL/XDG_CONFIG_HOME) for every tool, alongside gh. Missing host paths are skipped. (problem 3, root cause)
- ensureHostGitIdentityForIsolation (new) self-heals the bot host: when no git identity is mountable it derives one from the authenticated gh account via gh-setup-git-identity, else emits one actionable warning. Wired into the telegram-bot docker-isolation preflight, best-effort, never throws.
- isUnknownDockerExitCode + a docker-only cross-check in isSessionRunning and getIsolationSessionState keep an ambiguous "executed"/-1 docker session running until docker inspect confirms the container exited, so a still-running container is no longer reported as a finished/failed execution. (problem 1)
- logDockerIsolationPostLaunchDiagnostics (verbose) records $ --status, live container state and local image presence after launch so the premature status (problem 1) and image re-pull (problem 2) are observable next iteration.

Adds tests/test-issue-1939-docker-isolation.mjs (25 assertions) and a full case study under docs/case-studies/issue-1939 with timeline, root-cause analysis and captured logs. The premature-terminal-status behaviour is also reported upstream to link-foundation/start.
--isolation docker is not working…ue-1939 follow-up
🤖 Solution Draft Log
This log file contains the complete execution trace of the AI solution draft process.
💰 Cost estimation:
📊 Context and tokens usage:
Claude Opus 4.8: (3 sub-sessions)
Total: (20.3K new + 283.4K cache writes + 10.7M cache reads) input tokens, 108.6K output tokens, $9.960528 cost
🤖 Models used:
📎 Log file uploaded as Gist (5669KB)
Now working session is ended, feel free to review and add any feedback on the solution draft.
🔄 Auto-restart 1/5
Detected uncommitted changes from previous run. Starting new session to review and commit or discard them.
Uncommitted files:
Auto-restart will stop after changes are committed or discarded, or after 4 more iterations. Please wait until working session will end and give your feedback.
Working session summary
All 25 tests pass, the branch is in sync with
Summary
The auto-restart was triggered by a single uncommitted file:
I removed it with
I also verified the underlying PR #1940 is healthy:
No commit/push was needed — removing an untracked artifact leaves no tracked changes, and the PR's actual fix was already committed and pushed in the prior commits (
PR: #1940
This summary was automatically extracted from the AI working session output.
🔄 Auto-restart 1/5 Log
This log file contains the complete execution trace of the AI solution draft process.
💰 Cost estimation:
📊 Context and tokens usage:
Total: (3.0K new + 23.8K cache writes + 159.5K cache reads) input tokens, 2.7K output tokens, $0.312151 cost
🤖 Models used:
📎 Log file uploaded as Gist (6072KB)
Now working session is ended, feel free to review and add any feedback on the solution draft.
✅ Ready to merge
This pull request is now ready to be merged:
Monitored by hive-mind with --auto-restart-until-mergeable flag
This reverts commit a4d65f5.
Double check everything, and also check that #1940 (comment) was addressed.
🤖 AI Work Session Started
Starting automated work session at 2026-06-17T07:52:55.251Z
The PR has been converted to draft mode while work is in progress.
This comment marks the beginning of an AI work session. Please wait for the session to finish, and provide your feedback.
…ted (#1939) Address PR review feedback: @konard observed the isolated solve was able to post its failure comment to issue #1596, suggesting gh credentials reached the container. Confirm and document this — the posted comment is positive proof the .config/gh mount worked, isolating the defect to the missing git identity, which is exactly what the fix adds.
…inal.log (#1939) The case study README and PR description both reference raw/failed-session-terminal.log as primary evidence, but the global '*.log' gitignore rule silently dropped it, so every 'log line N' citation pointed at a missing file. Negate the ignore for docs/case-studies/**/*.log and commit the 194-line operator terminal transcript extracted from the issue body.
Re: #1940 (comment) — addressed ✅
You're right, and that observation actually confirms the diagnosis rather than contradicting it:
That's why this PR adds a
Double-check results
🤖 Solution Draft Log
This log file contains the complete execution trace of the AI solution draft process.
💰 Cost estimation:
📊 Context and tokens usage:
Total: (6.2K new + 67.6K cache writes + 2.2M cache reads) input tokens, 15.1K output tokens, $1.939643 cost
🤖 Models used:
📎 Log file uploaded as Gist (1324KB)
Now working session is ended, feel free to review and add any feedback on the solution draft.
✅ Ready to merge
This pull request is now ready to be merged:
Monitored by hive-mind with --auto-restart-until-mergeable flag
Use latest version https://github.com/link-foundation/start, and double check our solution fully implements fix for #1939
🤖 AI Work Session Started
Starting automated work session at 2026-06-17T12:47:21.932Z
The PR has been converted to draft mode while work is in progress.
This comment marks the beginning of an AI work session. Please wait for the session to finish, and provide your feedback.
…docker status) (#1939) The detached-docker premature-status bug reported upstream as link-foundation/start#136 was fixed and released in start-command 0.29.1 (issue closed as completed 2026-06-17). Pin start-command@0.29.1 in both Dockerfile and Dockerfile.dind so the fixed $ binary ships in the images. The downstream isUnknownDockerExitCode cross-check is retained as defense-in-depth for hosts still running an older $. Refresh the case study and npm metadata to record the upstream resolution and the version pin.
Re: #1940 (comment) — use latest
| Req | Problem | Status |
|---|---|---|
| R1 | Premature executed/-1 status, unfollowable live log | ✅ Fixed upstream in 0.29.1 (now pinned) + downstream cross-check (isSessionRunning / getIsolationSessionState) as defense-in-depth |
| R3 | "Credentials not mounted" → actually ❌ Git identity not configured | ✅ ~/.gitconfig + XDG ~/.config/git mounted for every tool; ensureHostGitIdentityForIsolation self-heals from the authed gh account. (gh auth itself was already crossing the boundary — proven by the posted #1596 comment) |
| R2 | hive-mind image re-downloaded inside DinD | ◾ Environmental/deployment (host-passthrough, tracked in #1914); detected & reported loudly via preflight + new post-launch diagnostic |
| R4 | Fix everywhere | ✅ Shared getDockerIsolationAuthMounts → all isolation callers inherit it |
| R5 | Case study | ✅ docs/case-studies/issue-1939/ (timeline, root causes, raw logs) — updated to record the upstream resolution |
| R6 | Debug/verbose for next iteration | ✅ logDockerIsolationPostLaunchDiagnostics |
| R7 | Report upstream | ✅ #136 filed and now fixed in 0.29.1 |
| R8 | Single PR on this branch | ✅ |
Verification
- `tests/test-issue-1939-docker-isolation.mjs`: 25/25 pass. Related green too: `test-isolation-runner`, `test-issue-1860` (33), `test-session-monitor-isolation` (8).
- `npm run lint` clean; prettier-formatted.
- Branch `issue-1939-f81a3d54f708`: 0 commits behind `origin/main`, working tree clean.

Latest commit: a700dbd9.
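The R1 cross-check described in the comment above, sketched as an added example that is not code from this PR or from start-command. The function names, the `completed` state and the injected `inspect` callback are assumptions; only the `executed` status, the `-1` exit code and the use of `docker inspect` come from the page.

```javascript
// Added example. Names are hypothetical; only the "executed" status, the -1
// exit code and the use of docker inspect come from the PR text.

// -1 is the value from the PR; treating null/undefined the same is an assumption.
function isAmbiguousExit(exitCode) {
  return exitCode === -1 || exitCode === null || exitCode === undefined;
}

// inspect(name) is injected so the logic runs offline. In production it would wrap
//   docker inspect --format '{{.State.Running}} {{.State.ExitCode}}' <name>
// and return { running, exitCode }, or null when the container no longer exists.
function resolveSessionState(session, inspect) {
  const { backend, status, exitCode, container } = session;
  if (status !== 'executed') return { state: status, exitCode };
  // Real exit codes and non-docker backends are trusted as reported.
  if (backend !== 'docker' || !isAmbiguousExit(exitCode)) {
    return { state: 'completed', exitCode };
  }
  const live = inspect(container);
  // The runner claims "finished" but the container is alive: keep it running.
  if (live && live.running) return { state: 'running', exitCode: null };
  // Container exited or is gone: the terminal status is now believable.
  return { state: 'completed', exitCode: live ? live.exitCode : exitCode };
}

// Constructed sample: one container still running, one that exited with code 0.
const sampleContainers = {
  'solve-a': { running: true, exitCode: 0 },
  'solve-b': { running: false, exitCode: 0 },
};
const fakeInspect = (name) => sampleContainers[name] || null;
```
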
🤖 Solution Draft Log
This log file contains the complete execution trace of the AI solution draft process.
💰 Cost estimation:
📊 Context and tokens usage:
Total: (5.4K new + 101.9K cache writes + 6.7M cache reads) input tokens, 29.3K output tokens, $4.736062 cost
🤖 Models used:
📎 Log file uploaded as Gist (2591KB)
Now working session is ended, feel free to review and add any feedback on the solution draft.
✅ Ready to merge
This pull request is now ready to be merged:
Monitored by hive-mind with --auto-restart-until-mergeable flag
Summary

Fixes #1939 (continuation of #1860). A `solve` task launched with `--isolation docker` inside a Docker-in-Docker host (`konard/hive-mind-dind:2.0.2`) failed and surfaced three distinct problems. This PR fixes the ones that live in Hive Mind code, adds debug/verbose diagnostics so the rest is observable next iteration, reports the upstream start-command bug, and ships a full case study.

Root cause (Problem 3 — definite)

The native start-command (`$`) docker invocation mounted only `~/.config/gh`, `~/.claude`, and `~/.claude.json` — no git identity. Inside the container `gh` was fully authenticated (`✓ Logged in to github.com account konard`) yet `git config user.name` / `user.email` were unset, so `solve` aborted at the system-check stage with `❌ Git identity not configured`. "Credentials not mounted" in the title is exactly this: the git identity credential never reached the container.

What changed

- (`getDockerIsolationAuthMounts`, `src/isolation-runner.lib.mjs`): `~/.gitconfig` and the XDG `~/.config/git` are now mounted alongside `gh`, honoring `GIT_CONFIG_GLOBAL` / `XDG_CONFIG_HOME`. Missing host paths are skipped. Because this lives in the shared mount builder, every isolation caller inherits the fix.
- (`ensureHostGitIdentityForIsolation`, new): when the bot host has no mountable git identity it derives one from the authenticated `gh` account (`gh-setup-git-identity` / `repairGitIdentity`), else emits one actionable warning naming the exact downstream failure. Wired into the telegram-bot docker-isolation preflight; best-effort, never throws.
- `start-command@0.29.1` (`Dockerfile`, `Dockerfile.dind`): the upstream premature-status bug (Problem 1) reported as link-foundation/start#136 was fixed and released in start-command 0.29.1 (issue closed as completed 2026-06-17). Both Hive Mind images now pin that version so the fixed `$` binary ships, instead of installing `start-command` unpinned.
- `isUnknownDockerExitCode` plus a docker-only cross-check in `isSessionRunning` and `getIsolationSessionState` keep an ambiguous `executed` / `-1` docker session "running" until `docker inspect` confirms the container has actually exited. Retained alongside the upstream fix so an older `$` on an operator's PATH cannot resurrect the bug. Real exit codes and non-docker backends are unaffected.
- `logDockerIsolationPostLaunchDiagnostics` records `$ --status`, live container state, and local image presence after a docker launch, so the premature status and any image re-pull are observable from data next iteration.
- link-foundation/start#136 for the detached docker session that reports a terminal status (`executed`) with `exitCode -1` while its container is still running — with a reproducer, the consumer-side workaround, and a code-level fix suggestion. The maintainer fixed it in start-command 0.29.1 (issue closed as completed), which this PR now pins in both images.

How to reproduce

Run a `solve` task with `--isolation docker` on a host that has `gh` auth but no `~/.gitconfig` (`user.name` / `user.email` unset). The isolated `solve` aborts with `❌ Git identity not configured` even though `gh` is authenticated. The full captured terminal transcript is in `docs/case-studies/issue-1939/raw/failed-session-terminal.log`.

Tests

- `tests/test-issue-1939-docker-isolation.mjs` (25 assertions) — git identity mounted for claude+codex, env overrides, missing-identity skipped, `ensureHostGitIdentityForIsolation` (present / self-heal / unrepairable), `isUnknownDockerExitCode`, and the `getIsolationSessionState` cross-check (ambiguous-but-alive stays running, ambiguous-and-gone completes, real exit code trusted, screen backend unaffected).
- `tests/test-issue-1860-docker-isolation.mjs` (33 assertions) still passes.
- `npm run lint` clean; prettier-formatted.

Case study

`docs/case-studies/issue-1939/README.md` — reconstructed timeline, all requirements, root cause per problem pinned to log evidence, solution plans, alternatives considered, existing-library check, and the upstream follow-up.

Fixes #1939
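An added example, not code from this PR or from hive-mind, of the mount resolution the description outlines: pick the host git identity paths, honor `GIT_CONFIG_GLOBAL` / `XDG_CONFIG_HOME`, and skip anything that is missing. `gitIdentityMounts`, its parameters, the injected `exists` callback, the sample paths and the read-only (`:ro`) mode are assumptions of this sketch.

```javascript
// Added example. gitIdentityMounts and its parameters are hypothetical; this is
// not the project's getDockerIsolationAuthMounts.
function gitIdentityMounts({ env, hostHome, containerHome, exists }) {
  const xdgBase = env.XDG_CONFIG_HOME || `${hostHome}/.config`;
  const candidates = [
    // GIT_CONFIG_GLOBAL, when set, names the global config file git reads
    // in place of ~/.gitconfig.
    { host: env.GIT_CONFIG_GLOBAL || `${hostHome}/.gitconfig`,
      container: `${containerHome}/.gitconfig` },
    { host: `${xdgBase}/git`, container: `${containerHome}/.config/git` },
  ];
  const args = [];
  const skipped = [];
  for (const { host, container } of candidates) {
    // docker -v treats a non-absolute source as a named volume and creates a
    // missing source as an empty directory; a ':' in the path would corrupt the
    // host:container:mode syntax. None of these should reach the command line.
    if (!host.startsWith('/') || host.includes(':') || !exists(host)) {
      skipped.push(host);
      continue;
    }
    // Read-only is an assumption of this example: the container only needs to
    // read user.name / user.email, not rewrite the host's git config.
    args.push('-v', `${host}:${container}:ro`);
  }
  // An empty args list is the caller's cue to warn before launch, since the
  // isolated run would otherwise abort on the missing git identity.
  return { args, skipped };
}

// Constructed set of paths that "exist" on the sample host.
const presentPaths = new Set(['/home/bot/.gitconfig', '/etc/bot/gitconfig', '/data/xdg/git']);
const existsOnSampleHost = (p) => presentPaths.has(p);
```

In real use `exists` would be `fs.existsSync` and `env` would be `process.env`.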