refactor: update Dockerfiles for server and UI to streamline dependen…

[Shironex]

Fix Docker compose build process

• Modified Dockerfiles to copy package files for all workspaces, enhancing modularity.
• Changed dependency installation to skip scripts, preventing unnecessary execution during builds.
• Updated build commands to first build packages in dependency order before building the server and UI, ensuring proper build sequence.

Resolve

• Closes Docker Compose Build Error #301

Summary by CodeRabbit

• Chores

  • Consolidated container builds into a single root multi-stage Docker build; compose updated to target specific stages and per-component build files removed.
  • Narrowed .gitignore to only the compose override file.

• Bug Fixes

  • Improved external authentication detection for status display, making sign-in state more reliable.

• Documentation

  • Added comprehensive Docker deployment and authentication guidance to the README.

_{✏️ Tip: You can customize this high-level summary in your review settings.}

[coderabbitai]

Note

Other AI code review bot(s) detected

CodeRabbit has detected other AI code review bot(s) in this pull request and will avoid duplicating their findings in the review comments. This may lead to a less comprehensive review.

📝 Walkthrough

Walkthrough

Removed per-app Dockerfiles, narrowed .claude ignore, added a consolidated root multi-stage Dockerfile and updated docker-compose to target UI/server stages; changed server GH auth check to call gh api user first with a gh auth status fallback.

Changes

Cohort / File(s)	Summary
Removed per-app Dockerfiles apps/server/Dockerfile, apps/ui/Dockerfile	Deleted individual two-stage Dockerfiles for server and UI.
New consolidated Dockerfile Dockerfile	Added a root multi-stage Dockerfile (BASE, server build/prod, UI build/prod) that builds both server and UI, copies workspace artifacts, creates non-root users in prod stages, configures env/ports/healthchecks, and serves UI with nginx.
Compose build targets updated docker-compose.yml	Services now build from the root Dockerfile and specify target: ui / target: server instead of per-app Dockerfiles.
Git ignore narrowed .gitignore	Replaced blanket .claude/ ignore with a rule ignoring only .claude/docker-compose.override.yml.
Server GH auth route change apps/server/src/routes/setup/routes/gh-status.ts	Reworked GitHub auth check to call gh api user --jq ".login" first; if that fails, falls back to parsing gh auth status output to determine authentication and username.
Docs updated README.md	Added Docker Compose deployment and authentication instructions, examples for mounting host dirs and configuring Claude/GitHub CLI auth.

Sequence Diagram(s)

sequenceDiagram
  autonumber
  participant Client
  participant Server
  participant GH_CLI as "gh CLI"
  participant GH_API as "GitHub API"

  Client->>Server: GET /setup/gh-status
  Server->>GH_CLI: exec `gh api user --jq ".login"`
  alt gh api returns login
    GH_CLI->>Server: username
    Server->>Client: 200 { authenticated: true, user: username }
  else gh api fails
    Server->>GH_CLI: exec `gh auth status`
    GH_CLI->>Server: status output
    alt status output contains username
      Server->>Client: 200 { authenticated: true, user: username }
    else
      Server->>Client: 200 { authenticated: false }
    end
  end

Loading

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

Possibly related PRs

• feat: Add Docker containerization for secure, isolated execution #179 — Also modifies Docker build/compose setup and per-app Dockerfile usage.
• docs: Update README for clarity and feature enhancements #263 — Related README / Docker deployment documentation changes.

Suggested labels

Enhancement, Testers-Requested

Poem

🐇 I merged the builds, one Dockerfile to rule the day,
Swapped tiny files for one big, tidy play.
I asked GH politely for a name with cheer,
Fell back to status when the API wasn't near.
🥕 Happy builds and healthy checks all the way!

Pre-merge checks and finishing touches

❌ Failed checks (2 warnings, 1 inconclusive)

Check name	Status	Explanation	Resolution
Out of Scope Changes check	⚠️ Warning	Changes include documentation additions (README.md), .gitignore modification, and gh-status.ts route changes that extend beyond the core Docker build fix scope.	Isolate Docker build fixes (#301) into a separate PR; move documentation, .gitignore, and route changes to separate focused PRs for clearer review scope.
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	You can run @coderabbitai generate docstrings to improve docstring coverage.
Title check	❓ Inconclusive	Title partially describes the main change (Dockerfile refactoring) but is cut off and incomplete, making it vague about what 'streamline dependen…' actually means.	Complete the title to clearly state the main objective, e.g., 'refactor: consolidate Dockerfiles into unified multi-stage build' or similar.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Linked Issues check	✅ Passed	The PR successfully addresses issue #301 by consolidating Dockerfiles, using multi-stage builds with npm ci --ignore-scripts to prevent husky hooks from failing during container builds.

✨ Finishing touches

• 📝 Generate docstrings

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch fix/docker-build

---

📜 Recent review details

Configuration used: defaults

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between a526869 and 0a21c11.

📒 Files selected for processing (3)

• Dockerfile
• README.md
• apps/server/src/routes/setup/routes/gh-status.ts

🚧 Files skipped from review as they are similar to previous changes (1)

• apps/server/src/routes/setup/routes/gh-status.ts

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)

• GitHub Check: e2e

🔇 Additional comments (7)

README.md (3)

226-240: LGTM! Clear Docker deployment instructions.

The Docker deployment section provides accurate commands and correctly emphasizes security through container isolation.

---

242-252: LGTM! Appropriate authentication guidance.

The documentation correctly prioritizes Claude CLI authentication over API keys and provides clear configuration examples.

---

265-330: Mount Claude CLI and GitHub CLI config directories as read-only for improved security.

The documentation states that Claude CLI config "must be writable" because "the CLI writes debug files," but the server application only reads from these directories (~/.claude and ~/.config/gh) and never writes to them. Authentication setup happens on the host before mounting into the container.

Update the volume mounts to use the :ro flag consistently with how .gitconfig is already mounted:

volumes:
  - ~/.claude:/home/automaker/.claude:ro
  - ~/.config/gh:/home/automaker/.config/gh:ro
  - ~/.gitconfig:/home/automaker/.gitconfig:ro

Also remove the note on line 279 that claims the Claude CLI config "must be writable" since the application only reads from it.

Dockerfile (4)

11-31: LGTM! Well-structured base stage with good layer caching.

The base stage correctly separates package file copying from source code, enabling efficient Docker layer caching. The explicit listing of libs (lines 22-28) is maintainable with the helpful comment.

---

36-49: LGTM! Correctly addresses the Docker build failure.

Line 42 successfully fixes the main issue by using --ignore-scripts to skip husky during container builds, then explicitly rebuilding only the required native module (node-pty). The build sequence (line 49) correctly builds packages before the server.

---

54-117: LGTM! Production stage follows security best practices.

The server production stage implements proper security measures: non-root user (lines 75-77), correct directory ownership (line 93), and system-level git configuration (lines 95-99). The health check uses curl which was installed earlier (line 57).

---

122-140: LGTM! UI build stage mirrors server approach correctly.

The UI build consistently uses --ignore-scripts (line 128) and provides a configurable VITE_SERVER_URL build argument (line 137) with a sensible default for local development.

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[gemini-code-assist]

Summary of Changes

Hello @Shironex, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request refactors the Dockerfiles for both the server and UI applications to significantly improve the efficiency and reliability of their build processes. By standardizing how package files are copied, skipping non-essential scripts during dependency installation, and enforcing a proper build order for internal libraries, these changes aim to create a more robust and maintainable Docker build environment, ultimately streamlining the development and deployment workflow.

Highlights

• Dependency Management: Dockerfiles now copy package.json files from all internal library workspaces, centralizing dependency resolution and enhancing modularity.
• Efficient Installation: Dependency installation (npm ci) now explicitly skips post-install scripts, preventing unnecessary execution and potential build issues during Docker builds.
• Streamlined Build Process: The build command has been updated to first build all internal library packages in dependency order before building the main application (server or UI), ensuring correct build sequencing.

🧠 New Feature in Public Preview: You can now enable Memory to help Gemini Code Assist learn from your team's feedback. This makes future code reviews more consistent and personalized to your project's style. Click here to enable Memory in your admin console.

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

Footnotes

1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[gemini-code-assist]

Code Review

This pull request refactors the Dockerfiles for the server and ui applications to correctly handle the npm monorepo structure. The changes streamline dependency installation and the build process by first installing all workspace dependencies and then building the shared libraries before building the applications themselves. This is a solid improvement. My review includes a suggestion to improve the maintainability of the Dockerfiles by reducing code duplication, which will be beneficial as the project grows.

[coderabbitai]

Actionable comments posted: 0

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

apps/server/Dockerfile (1)

37-43: Architecture mismatch: hardcoded amd64 will fail on ARM64 platforms.

The GitHub CLI download is hardcoded to linux_amd64, but node:20-alpine supports multiple architectures. Building or running on ARM64 (e.g., Apple Silicon, AWS Graviton) will fail.

🔎 Proposed fix using Docker's TARGETARCH

+# Declare TARGETARCH for multi-arch support
+ARG TARGETARCH
+
 # Install git, curl, and GitHub CLI (pinned version for reproducible builds)
 RUN apk add --no-cache git curl && \
     GH_VERSION="2.63.2" && \
-    curl -L "https://github.com/cli/cli/releases/download/v${GH_VERSION}/gh_${GH_VERSION}_linux_amd64.tar.gz" -o gh.tar.gz && \
+    ARCH="${TARGETARCH:-amd64}" && \
+    if [ "$ARCH" = "arm64" ]; then ARCH="arm64"; fi && \
+    curl -L "https://github.com/cli/cli/releases/download/v${GH_VERSION}/gh_${GH_VERSION}_linux_${ARCH}.tar.gz" -o gh.tar.gz && \
     tar -xzf gh.tar.gz && \
-    mv "gh_${GH_VERSION}_linux_amd64/bin/gh" /usr/local/bin/gh && \
-    rm -rf gh.tar.gz "gh_${GH_VERSION}_linux_amd64"
+    mv gh_${GH_VERSION}_linux_${ARCH}/bin/gh /usr/local/bin/gh && \
+    rm -rf gh.tar.gz gh_${GH_VERSION}_linux_${ARCH}

Note: TARGETARCH is automatically set by Docker BuildKit when using docker buildx build or when DOCKER_BUILDKIT=1 is set.

🧹 Nitpick comments (1)

apps/ui/Dockerfile (1)

12-21: LGTM - Package manifests properly copied for workspace dependency resolution.

The explicit copying of package.json files for all library workspaces is necessary for the global npm ci to resolve dependencies correctly. This approach also optimizes Docker layer caching.

Optional enhancement for future maintainability:

If workspaces are added frequently, consider using a script to copy package.json files dynamically, though the current explicit approach provides better visibility and control.

📜 Review details

Configuration used: defaults

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 61881d9 and 8f458e5.

📒 Files selected for processing (2)

• apps/server/Dockerfile
• apps/ui/Dockerfile

🔇 Additional comments (7)

apps/server/Dockerfile (4)

12-22: LGTM!

Copying all workspace package.json files is the correct approach for npm workspaces. This ensures dependency resolution works properly during npm ci.

---

24-25: Effective fix for the husky issue.

Using --ignore-scripts correctly skips the prepare lifecycle script that was causing the build failure. The comment explains the rationale well.

Note: --ignore-scripts also skips postinstall scripts for all packages. If any dependency relies on postinstall for native compilation beyond node-gyp's automatic binding, verify that the build completes successfully.

---

27-29: LGTM!

Copying the entire libs directory is necessary to support the build:packages step that follows.

---

31-32: LGTM!

The build sequence correctly builds library packages first, then the server. This ensures dependencies are available in the correct order and compensates for skipping build:packages in the prepare script.

apps/ui/Dockerfile (3)

27-29: LGTM - Source files properly copied for multi-package build.

Copying the entire libs directory is necessary for the build:packages command to build all workspace dependencies. Since this occurs only in the builder stage and the production stage copies only the final dist artifacts, there's no bloat concern.

---

31-38: LGTM - Two-phase build ensures correct dependency order.

The sequential build approach (build:packages followed by workspace-specific build) correctly handles the monorepo dependency graph. The environment variables and build arguments are properly configured for the Vite build process.

---

24-25: Fix correctly prevents husky error in web UI Docker build.

The --ignore-scripts flag appropriately skips the prepare script (which runs husky and build:packages) since the husky pre-commit hook is not needed during container builds. The explicit npm run build:packages call on line 38 ensures workspace packages are still built. This approach is correct for this web-only Docker build, as confirmed by VITE_SKIP_ELECTRON=true on line 36, which indicates the electron-builder postinstall script is also not required.

[coderabbitai]

Actionable comments posted: 2

🧹 Nitpick comments (1)

Dockerfile (1)

21-28: Consider documenting lib path maintenance.

Hardcoding lib paths requires manual updates when new workspace packages are added. The comment "centralized - add new libs here" helps, but consider adding a note in the PR description or a README about this requirement.

📜 Review details

Configuration used: defaults

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 8f458e5 and 6012e83.

📒 Files selected for processing (5)

• .gitignore
• Dockerfile
• apps/server/Dockerfile
• apps/ui/Dockerfile
• docker-compose.yml

💤 Files with no reviewable changes (2)

• apps/server/Dockerfile
• apps/ui/Dockerfile

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)

• GitHub Check: e2e

🔇 Additional comments (7)

.gitignore (1)

82-83: LGTM!

Ignoring the override file within .claude/ is appropriate for local docker-compose customizations.

Dockerfile (4)

41-42: Good fix for the husky issue.

Using --ignore-scripts to skip husky/prepare scripts, then explicitly rebuilding node-pty is the correct approach to fix issue #301 while ensuring native modules work.

---

123-128: Default VITE_SERVER_URL may not work in Docker Compose.

The default http://localhost:3008 works for local development but in Docker Compose, the UI runs in a browser context where localhost refers to the user's machine, not the server container. This is actually correct for the current setup where both ports are exposed to the host.

---

138-139: nginx.conf file is present and correctly referenced.

The apps/ui/nginx.conf file exists in the repository, so the COPY command on line 139 will work as expected.

---

64-65: Confirmed: @anthropic-ai/claude-code is the correct package name and is required for server functionality.

The package exists on npm (version 2.0.76) and is essential to the application—the codebase has extensive Claude CLI integration for usage tracking, authentication, and long-running task handling across multiple services and setup flows.

docker-compose.yml (2)

14-17: LGTM!

Using the root Dockerfile with target: ui correctly references the multi-stage build.

---

27-30: LGTM!

Using the root Dockerfile with target: server correctly references the multi-stage build.

[coderabbitai]

Actionable comments posted: 1

📜 Review details

Configuration used: defaults

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 6012e83 and bad4393.

📒 Files selected for processing (1)

• apps/server/src/routes/setup/routes/gh-status.ts

🧰 Additional context used

📓 Path-based instructions (3)

**/*.{ts,tsx,js,jsx}

📄 CodeRabbit inference engine (CLAUDE.md)

Always import from shared packages (@automaker/*), never from old relative paths

Files:

• apps/server/src/routes/setup/routes/gh-status.ts

apps/server/src/**/*.{ts,tsx}

📄 CodeRabbit inference engine (CLAUDE.md)

Use createEventEmitter() from lib/events.ts for all server operations to emit events that stream to frontend via WebSocket

Files:

• apps/server/src/routes/setup/routes/gh-status.ts

**/*.{ts,tsx}

📄 CodeRabbit inference engine (CLAUDE.md)

Use resolveModelString() from @automaker/model-resolver to convert model aliases (haiku, sonnet, opus) to full model names

Files:

• apps/server/src/routes/setup/routes/gh-status.ts

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)

• GitHub Check: e2e

🔇 Additional comments (1)

apps/server/src/routes/setup/routes/gh-status.ts (1)

100-100: The code already handles version compatibility with a fallback mechanism.

The --jq flag on gh api is supported and documented in gh CLI, with a proper try-catch fallback to gh auth status if the API call fails. The version is captured (line 77-82) but not validated against a minimum, which is acceptable since the fallback approach ensures the code works across versions. No documentation updates are needed.

[coderabbitai]

Actionable comments posted: 0

♻️ Duplicate comments (1)

Dockerfile (1)

110-112: Install wget explicitly for the HEALTHCHECK command.

The node:20-alpine image only includes BusyBox's minimal wget implementation, which may behave differently than the full package. For reliable health checks, install wget explicitly.

🔎 Proposed fix

Add wget to the apk install on line 57:

-RUN apk add --no-cache git curl bash && \
+RUN apk add --no-cache git curl bash wget && \

Alternatively, use curl which is already installed:

 HEALTHCHECK --interval=30s --timeout=3s --start-period=5s --retries=3 \
-    CMD wget --no-verbose --tries=1 --spider http://localhost:3008/api/health || exit 1
+    CMD curl -f http://localhost:3008/api/health || exit 1

🧹 Nitpick comments (2)

Dockerfile (2)

70-71: Consider pinning the Claude CLI version for reproducible builds.

The GitHub CLI is pinned to version 2.63.2, but the Claude CLI is unpinned. For consistent, reproducible builds, consider specifying a version.

-RUN npm install -g @anthropic-ai/claude-code
+RUN npm install -g @anthropic-ai/claude-code@<version>

---

143-153: Consider adding a health check for the UI container for consistency.

The server stage includes a HEALTHCHECK, but the UI stage does not. For consistency and orchestration reliability (e.g., Kubernetes readiness probes, docker-compose health checks), consider adding one:

 EXPOSE 80

+HEALTHCHECK --interval=30s --timeout=3s --start-period=5s --retries=3 \
+    CMD wget --no-verbose --tries=1 --spider http://localhost:80/ || exit 1
+
 CMD ["nginx", "-g", "daemon off;"]

The apps/ui/nginx.conf is properly configured for SPA routing with try_files $uri $uri/ /index.html;, ensuring client-side routing works correctly.

📜 Review details

Configuration used: defaults

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 35b3d39 and 789b807.

📒 Files selected for processing (1)

• Dockerfile

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)

• GitHub Check: e2e

🔇 Additional comments (4)

Dockerfile (4)

8-31: Well-structured base stage with good layer caching.

The approach of copying only package*.json files before installing dependencies optimizes Docker layer caching. The build dependencies (python3, make, g++) are correctly included for native module compilation (node-pty).

---

36-49: Correct fix for the Docker build failure (Issue #301).

Using npm ci --ignore-scripts to skip lifecycle scripts (husky/prepare) followed by explicit npm rebuild node-pty is the right approach. This prevents the sh: husky: not found error while ensuring native modules are still properly compiled.

---

95-97: Acceptable security trade-off for container volume mounts.

Setting safe.directory '*' at system level is permissive but appropriate for containers where host volumes may have different ownership. The commit message confirms this addresses "dubious ownership" errors with mounted projects.

Ensure this configuration aligns with your security posture—it allows git operations on any directory within the container.

---

120-138: Good use of build-time configuration for the API endpoint.

The ARG VITE_SERVER_URL with a sensible default allows overriding the API server URL at build time without modifying the Dockerfile. The --ignore-scripts flag maintains consistency with the server build approach.

[coderabbitai]

Actionable comments posted: 1

♻️ Duplicate comments (1)

Dockerfile (1)

112-114: Health check will fail: wget is not installed.

The HEALTHCHECK command uses wget but it was never installed in this stage. Line 57 only installs git, curl, and bash. Since curl is already available, use it instead for the health check.

🔎 Proposed fix using curl

-# Health check
-HEALTHCHECK --interval=30s --timeout=3s --start-period=5s --retries=3 \
-    CMD wget --no-verbose --tries=1 --spider http://localhost:3008/api/health || exit 1
+# Health check
+HEALTHCHECK --interval=30s --timeout=3s --start-period=5s --retries=3 \
+    CMD curl -f http://localhost:3008/api/health || exit 1

📜 Review details

Configuration used: defaults

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 789b807 and a526869.

📒 Files selected for processing (1)

• Dockerfile

🔇 Additional comments (4)

Dockerfile (4)

11-31: BASE stage is well-structured and follows Docker best practices.

The common setup correctly installs build dependencies for native modules and copies package.json files before source code, enabling effective layer caching. The centralized workspace setup promotes maintainability.

---

36-49: Correctly addresses the Docker build failure from issue #301.

The --ignore-scripts flag prevents husky from being invoked during container builds, resolving the "sh: husky: not found" error. The subsequent npm rebuild node-pty ensures native modules are properly compiled. Build order is correct.

---

122-140: UI build stage correctly implements the same fix as the server.

The --ignore-scripts flag prevents husky issues during UI builds. Build args are properly configured to allow runtime customization of the API server URL. Build order is correct.

---

145-155: UI production stage follows nginx best practices.

The nginx-based serving is appropriate for a production SPA. The referenced apps/ui/nginx.conf exists and correctly implements SPA routing with the try_files directive to fallback to index.html for client-side routing.