Merged
16 changes: 16 additions & 0 deletions .dockerignore
@@ -0,0 +1,16 @@
.git
.github
.venv
venv
__pycache__
.pytest_cache
.coverage
.coverage.*
htmlcov
build
neuraldbg.egg-info
artifacts
data
models
outputs
*.log
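Review bot: The ignore list stops at `*.log` and leaves out `SESSION_SUMMARY.md`, which .gitignore files under "Private logs and tracking"; because the Dockerfile ends with `COPY . .`, a build from a working tree that contains that file bakes it into an image layer. Add `SESSION_SUMMARY.md` here, and add `.mypy_cache` as well, since `make clean` treats it as a local QA artifact alongside `.pytest_cache` and `htmlcov`.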
Comment on lines +1 to +16

⚠️ Potential issue | 🟡 Minor

Add .env and secrets patterns to prevent accidental inclusion in Docker images.

The .dockerignore file should exclude .env, .env.*, and secrets/ to prevent sensitive data from being copied into Docker images via the COPY . . instruction in the Dockerfile.

Proposed fix
 data
 models
 outputs
 *.log
+.env
+.env.*
+secrets/

Based on learnings: "Certain files MUST be in .gitignore and NEVER committed publicly: ... .env, and API keys/tokens"

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
.git
.github
.venv
venv
__pycache__
.pytest_cache
.coverage
.coverage.*
htmlcov
build
neuraldbg.egg-info
artifacts
data
models
outputs
*.log
.git
.github
.venv
venv
__pycache__
.pytest_cache
.coverage
.coverage.*
htmlcov
build
neuraldbg.egg-info
artifacts
data
models
outputs
*.log
.env
.env.*
secrets/
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.dockerignore around lines 1 - 16, Update the .dockerignore contents to
prevent sensitive files from being included in images by adding patterns for
environment and secret files; specifically add entries for ".env", ".env.*", and
"secrets/" (and optionally "secrets/**") so that COPY . . in the Dockerfile
cannot accidentally package these files.

6 changes: 6 additions & 0 deletions .gitignore
Expand Up @@ -27,6 +27,12 @@ venv/
# Generated artifacts
artifacts/*
!artifacts/.gitkeep
data/*
!data/.gitkeep
models/*
!models/.gitkeep
outputs/*
!outputs/.gitkeep

# Private logs and tracking
SESSION_SUMMARY.md
22 changes: 22 additions & 0 deletions Dockerfile
@@ -0,0 +1,22 @@
FROM python:3.12-slim
Contributor

@cubic-dev-ai cubic-dev-ai bot Mar 17, 2026

P2: This workspace is not actually hermetic because the base image and critical Python tooling are left unpinned. A rebuild later can resolve different images or wheels and break reproducibility without any repo change.

Prompt for AI agents
Check if this issue is valid — if so, understand the root cause and fix it. At Dockerfile, line 1:

<comment>This workspace is not actually hermetic because the base image and critical Python tooling are left unpinned. A rebuild later can resolve different images or wheels and break reproducibility without any repo change.</comment>

<file context>
@@ -0,0 +1,22 @@
+FROM python:3.12-slim
+
+ENV PIP_NO_CACHE_DIR=1 \
</file context>

ENV PIP_NO_CACHE_DIR=1 \
PYTHONDONTWRITEBYTECODE=1 \
PYTHONUNBUFFERED=1

WORKDIR /workspace

COPY requirements.txt requirements-dev.txt ./

RUN apt-get update && \

Check warning on line 11 in Dockerfile

SonarQubeCloud / SonarCloud Code Analysis

Merge this RUN instruction with the consecutive ones.

See more on https://sonarcloud.io/project/issues?id=LambdaSection_NeuralDBG&issues=AZz7G6ZU4qxQot7sA-ya&open=AZz7G6ZU4qxQot7sA-ya&pullRequest=635
apt-get install -y --no-install-recommends build-essential git && \
rm -rf /var/lib/apt/lists/*

RUN python -m pip install --upgrade pip && \
python -m pip install --index-url https://download.pytorch.org/whl/cpu --extra-index-url https://pypi.org/simple torch && \
python -m pip install -r requirements.txt && \
python -m pip install -r requirements-dev.txt

COPY . .

CMD ["bash"]
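Review bot: The `torch` install line in the second `RUN` passes both `--index-url https://download.pytorch.org/whl/cpu` and `--extra-index-url https://pypi.org/simple` with no version on `torch`; pip gives neither index priority and takes the best-matching candidate from either, so which index supplies `torch` and its dependencies is not fixed by this command. Pin `torch` to an exact version and install it from a hash-checked requirements file, so that both the source and the artifact are fixed across rebuilds.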
71 changes: 71 additions & 0 deletions Makefile
@@ -0,0 +1,71 @@
SHELL := /bin/bash

PYTHON := $(shell if [ -x .venv/bin/python ]; then echo .venv/bin/python; elif command -v python3 >/dev/null 2>&1; then echo python3; else echo python; fi)
COMPOSE := docker-compose
Contributor

@cubic-dev-ai cubic-dev-ai bot Mar 17, 2026

P2: Hardcoding docker-compose breaks the Make targets on hosts that only have the standard Compose v2 plugin.

Prompt for AI agents
Check if this issue is valid — if so, understand the root cause and fix it. At Makefile, line 4:

<comment>Hardcoding `docker-compose` breaks the Make targets on hosts that only have the standard Compose v2 plugin.</comment>

<file context>
@@ -0,0 +1,71 @@
+SHELL := /bin/bash
+
+PYTHON := $(shell if [ -x .venv/bin/python ]; then echo .venv/bin/python; elif command -v python3 >/dev/null 2>&1; then echo python3; else echo python; fi)
+COMPOSE := docker-compose
+
+.PHONY: help install install-dev up down build rebuild shell test test-docker coverage bandit safety security precommit clean
</file context>

.PHONY: help install install-dev up down build rebuild shell test test-docker coverage bandit safety security precommit clean

help:
@echo "NeuralDBG Make targets:"
@echo " make install - install runtime dependencies"
@echo " make install-dev - install runtime + dev dependencies"
@echo " make build - build Docker dev image"
@echo " make up - start Docker dev service"
@echo " make down - stop Docker dev service"
@echo " make shell - open shell in running dev container"
@echo " make test - run pytest locally"
@echo " make test-docker - run pytest in Docker container"
@echo " make coverage - run coverage with gate >= 60%"
@echo " make bandit - run Bandit security scan"
@echo " make safety - run Safety dependency scan"
@echo " make security - run Bandit + Safety"
@echo " make precommit - run pre-commit hooks on all files"
@echo " make clean - remove local QA artifacts"

install:
$(PYTHON) -m pip install --upgrade pip
$(PYTHON) -m pip install --index-url https://download.pytorch.org/whl/cpu --extra-index-url https://pypi.org/simple torch
$(PYTHON) -m pip install -r requirements.txt

install-dev: install
$(PYTHON) -m pip install -r requirements-dev.txt

build:
$(COMPOSE) build neuraldbg-dev

rebuild:
$(COMPOSE) build --no-cache neuraldbg-dev

up:
$(COMPOSE) up -d

down:
$(COMPOSE) down

shell:
$(COMPOSE) exec neuraldbg-dev bash

test:
$(PYTHON) -m pytest

test-docker:
$(COMPOSE) run --rm neuraldbg-dev bash -lc "pytest"

coverage:
$(PYTHON) -m coverage run --source=neuraldbg -m pytest
$(PYTHON) -m coverage report --show-missing --fail-under=60

bandit:
$(PYTHON) -m bandit -r . -ll -x tests,*/tests/*,.venv,venv,__pycache__

safety:
$(PYTHON) -m safety check --full-report

security: bandit safety

precommit:
$(PYTHON) -m pre_commit run --all-files

clean:
rm -rf .pytest_cache htmlcov .mypy_cache
rm -f .coverage .coverage.*
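Review bot: In the `security: bandit safety` rule, make stops at the first failing prerequisite, so a Bandit finding means the Safety dependency scan never runs and its results are missing from that run. Give `security` a recipe that runs both scans and fails afterwards if either returned non-zero, or document `make -k security`. The `bandit` recipe also passes `-ll`, which reports only medium severity and above, while the help text says just "run Bandit security scan"; state the threshold in the help line.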
46 changes: 46 additions & 0 deletions README.md
Expand Up @@ -37,6 +37,52 @@ Unlike traditional monitoring tools (TensorBoard, Weights & Biases), NeuralDBG f
pip install neuraldbg
```

### Docker Development (Hermetic Workspace)

Use Docker to keep a reproducible local environment across machines and contributors.

```bash
# Build image
docker-compose build

# Start the dev container (one-command startup)
docker-compose up -d

# Open a shell in the running workspace
docker-compose exec neuraldbg-dev bash
```

Equivalent shortcuts via `Makefile`:

```bash
make build
make up
make shell
```

Run tests inside Docker:

```bash
docker-compose run --rm neuraldbg-dev bash -lc "pytest"
```

Or:

```bash
make test-docker
```

Persistent volumes are mounted to:
- `/data` (host: `./data`)
- `/models` (host: `./models`)
- `/outputs` (host: `./outputs`)

Stop containers:

```bash
docker-compose down
```

### Basic Usage

```python
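Review bot: The "Persistent volumes are mounted to" list names only `/data`, `/models` and `/outputs`, but docker-compose.yml in this change also bind-mounts `./` at `/workspace`. List that mount too, so readers know the container can read and write the whole checkout and not just the three data directories.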
1 change: 1 addition & 0 deletions data/.gitkeep
@@ -0,0 +1 @@

16 changes: 16 additions & 0 deletions docker-compose.yml
@@ -0,0 +1,16 @@
version: "3.9"

services:
neuraldbg-dev:
build:
context: .
dockerfile: Dockerfile
working_dir: /workspace
command: bash -lc "sleep infinity"
tty: true
stdin_open: true
volumes:
Contributor

@cubic-dev-ai cubic-dev-ai bot Mar 17, 2026

P2: Add a host-user mapping for the bind-mounted workspace; otherwise container writes will leave root-owned files in the repo.

Prompt for AI agents
Check if this issue is valid — if so, understand the root cause and fix it. At docker-compose.yml, line 12:

<comment>Add a host-user mapping for the bind-mounted workspace; otherwise container writes will leave root-owned files in the repo.</comment>

<file context>
@@ -0,0 +1,16 @@
+    command: bash -lc "sleep infinity"
+    tty: true
+    stdin_open: true
+    volumes:
+      - ./:/workspace
+      - ./data:/data
</file context>

- ./:/workspace
- ./data:/data
- ./models:/models
- ./outputs:/outputs
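Review bot: The first `volumes:` entry, `./:/workspace`, mounts the host checkout over the directory the Dockerfile filled with `COPY . .`, so at runtime the `.dockerignore` exclusions have no effect on what the container sees, and `./data`, `./models` and `./outputs` are reachable twice (under `/workspace` and at `/data`, `/models`, `/outputs`). If live editing is the goal, add a comment saying the image copy is only a fallback, and consider a read-only mount such as `./data:/data:ro` for any directory the container only needs to read.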
Comment on lines +8 to +16

Action required

1. Root-owned bind mount 🐞 Bug ⛯ Reliability

The dev container runs as root while bind-mounting ./ into /workspace, so running
pytest/coverage inside Docker will create root-owned files on the host (e.g., .pytest_cache,
htmlcov, .coverage) and can break local cleanup/editing without sudo. This is triggered directly
by make test-docker / docker-compose run workflows.
Agent Prompt
### Issue description
The docker-compose dev workflow bind-mounts the repo into the container, but the container runs as root, causing root-owned artifacts to be created on the host when running tests/tools in Docker.

### Issue Context
This is especially problematic because the Makefile’s `test-docker` path runs `pytest` inside the container, which writes `.pytest_cache` and potentially other files to the bind-mounted workspace.

### Fix Focus Areas
- docker-compose.yml[8-16]
- Dockerfile[1-22]
- Makefile[51-52]

### Implementation notes
- Add a non-root user in the Dockerfile and set `USER` to it.
- Optionally accept build args for UID/GID and create the user with those IDs.
- Alternatively/additionally set `user:` in `docker-compose.yml` to `${UID}:${GID}` (with defaults) so the container runs with host-like permissions.
- Ensure `/data`, `/models`, `/outputs` remain writable for that user.


1 change: 1 addition & 0 deletions models/.gitkeep
@@ -0,0 +1 @@

1 change: 1 addition & 0 deletions outputs/.gitkeep
@@ -0,0 +1 @@

5 changes: 5 additions & 0 deletions requirements-dev.txt
@@ -0,0 +1,5 @@
pytest>=8.0.0,<9.0.0
coverage>=7.0.0,<8.0.0
bandit>=1.7.0,<2.0.0
safety>=3.0.0,<4.0.0
pre-commit>=3.0.0,<4.0.0
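Review bot: `safety>=3.0.0,<4.0.0` on line 4 selects Safety 3.x, where the `check` subcommand that the Makefile's `safety` target calls (`safety check --full-report`) is deprecated in favour of `safety scan`. Either constrain Safety to the release line the Makefile command was written for, or update the target together with this pin, so the dependency scan does not stop working on a later 3.x release.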
Comment on lines +1 to +5

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Verify whether dependency resolution is deterministic or range-based.

echo "== Dependency manifests =="
fd 'requirements.*\.txt|constraints.*\.txt|poetry\.lock|Pipfile\.lock|uv\.lock'

echo
echo "== Version specifiers inside requirements files =="
rg -n '^[a-zA-Z0-9_.-]+(>=|<=|~=|>|<)' --glob 'requirements*.txt' --glob 'constraints*.txt'

echo
echo "== Install commands (Dockerfile / Makefile / scripts) =="
rg -n 'pip install .*requirements(-dev)?\.txt|--require-hashes|-c constraints' Dockerfile Makefile

Repository: LambdaSection/NeuralDBG

Length of output: 749


Dependency resolution is not deterministic; add a lock file to guarantee reproducible builds.

The project lacks a lock mechanism (no poetry.lock, requirements.lock, or constraints file). While requirements-dev.txt uses bounded ranges (e.g., >=8.0.0,<9.0.0), requirements.txt uses unbounded ranges (numpy>=1.26.0 with no upper bound). For a truly hermetic workspace, install commands in the Dockerfile and Makefile should pin exact versions or resolve dependencies through a generated lock file with --require-hashes to ensure every rebuild is identical.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@requirements-dev.txt` around lines 1 - 5, Project lacks a deterministic
lockfile causing non-reproducible installs; generate and commit a lock file and
update install targets to use it. Create a lock (e.g., requirements.lock or
constraints.txt or use poetry.lock if using Poetry) by resolving exact versions
(pip-compile or poetry lock) and include hashes (pip --require-hashes or
pip-compile --generate-hashes); then update the install commands in Dockerfile
and Makefile to install from the lock (pip install -r requirements.lock or pip
install --constraint constraints.txt) instead of unbounded
requirements.txt/requirements-dev.txt so rebuilds are reproducible. Ensure
unique symbols to change: requirements-dev.txt, requirements.txt, generated lock
file name, Dockerfile install commands, and Makefile install target.

1 change: 1 addition & 0 deletions requirements.txt
@@ -0,0 +1 @@
numpy>=1.26.0
Contributor

@cubic-dev-ai cubic-dev-ai bot Mar 17, 2026

P1: numpy>=1.26.0 drops Python 3.8 support, so installs will fail on a version this project still advertises as supported.

Prompt for AI agents
Check if this issue is valid — if so, understand the root cause and fix it. At requirements.txt, line 1:

<comment>`numpy>=1.26.0` drops Python 3.8 support, so installs will fail on a version this project still advertises as supported.</comment>

<file context>
@@ -0,0 +1 @@
+numpy>=1.26.0
</file context>
Suggested change
numpy>=1.26.0
numpy>=1.24.0,<1.26.0; python_version < "3.9"
numpy>=1.26.0; python_version >= "3.9"