[codex] Unify SST service Docker path roots

[law-chain-hot]

Summary

• Run SST-built Go service Docker builds from the real apps workspace root (/boxlite/apps) while keeping Docker build context repo-root-relative.
• Delete duplicate OtelCollector builder-config.dev.yaml; dev and production now share builder-config.yaml.
• Add explicit Nx docker target context: ".." and file: "apps/<service>/Dockerfile" for OtelCollector, Proxy, and SshGateway.

Why

Latest origin/main failed during sst deploy --stage dev while building OtelCollectorImageOtelCollector because the Docker build ran from /boxlite but the Otel builder config expected an apps-workspace root. A single YAML path tweak would leave the same root split in place.

The scoped rule for SST service containers is now:

• Docker COPY sources are repo-root-relative because SST uses repo root as build context.
• Build commands run from /boxlite/apps, the actual Nx workspace root.
• Go workspace paths resolve from /boxlite/apps/go.work.
• No separate dev/prod Otel builder config solely to compensate for different cwd roots.

Runner is intentionally out of scope for this PR: production Runner is an EC2 instance that downloads a GitHub Release binary via SST user-data, not an SST-built service container.

Verification

Passed on remote dev machine at commit 58e6c03e:

• git diff --check
• Runner files have no diff from origin/main.
• cd apps && yarn nx build otel-collector --nxBail=true
• docker build -f apps/otel-collector/Dockerfile --target otel-collector .
• docker build -f apps/proxy/Dockerfile --target proxy .
• docker build -f apps/ssh-gateway/Dockerfile --target ssh-gateway .

These are the affected Docker images directly built by apps/infra/sst.config.ts for SST services.

[coderabbitai]

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

• @coderabbitai resume to resume automatic reviews.
• @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

• ▶️ Resume reviews
• 🔍 Trigger review

📝 Walkthrough

Walkthrough

Shifts the Docker build WORKDIR from /boxlite to /boxlite/apps in four app Dockerfiles (otel-collector, proxy, runner, ssh-gateway), updating all Go workspace caching, module download, source copy, and runtime artifact copy paths accordingly. All four apps' project.json files gain explicit Docker build context and file options, and the otel-collector build target switches from builder-config.dev.yaml to builder-config.yaml. Runner's Dockerfile additionally changes the runtime base image from alpine to debian:bookworm-slim and adds in-image SDK provisioning and computer-use binary compilation.

Changes

Docker build path normalization

Layer / File(s)	Summary
Dockerfile WORKDIR and path updates apps/otel-collector/Dockerfile, apps/proxy/Dockerfile, apps/runner/Dockerfile, apps/ssh-gateway/Dockerfile	WORKDIR changed to /boxlite/apps in all four build stages. Go workspace file copies, module manifest staging, go.work reconstruction, go -C module download commands, and source COPY steps all updated to align with the new directory layout. Runtime-stage artifact COPY paths adjusted to /boxlite/apps/dist/.... Runner additionally switches runtime base image to debian:bookworm-slim, adds SDK header/library provisioning, replaces prebuilt artifact copying with in-image computer-use amd64 binary build, and installs required glibc dependencies.
project.json Docker target and build configuration apps/otel-collector/project.json, apps/proxy/project.json, apps/runner/project.json, apps/ssh-gateway/project.json	All four apps' docker target options gain explicit context: .. and file: apps/*/Dockerfile fields. Otel-collector build target command is updated to reference builder-config.yaml instead of builder-config.dev.yaml.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes

Poem

🐰 Hop hop, the paths align,
/boxlite/apps — a cleaner shrine!
Go modules dance in tidy rows,
Debian bookworm where runner goes.
No dev.yaml to cloud the way,
The Docker warren's built to stay! 🎉

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Title check	✅ Passed	The title '[codex] Unify SST service Docker path roots' is partially related to the changeset. It refers to unifying Docker paths, which is a real aspect of the changes (updating WORKDIR locations and path references across multiple Dockerfiles), but does not clearly convey the main objective of fixing the broken OtelCollector build after the monorepo layout normalization, which is the primary driver of this PR.
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch codex/fix-otel-collector-builder-paths

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 29709874f2

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[coderabbitai]

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

apps/runner/Dockerfile (1)

71-89: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Drop root privileges in the runtime stage.

From Line 71 onward, the final image never sets USER, so boxlite-runner runs as root (matching the Trivy DS-0002 finding). Please run the binary as a dedicated non-root user.

Suggested patch

 FROM debian:bookworm-slim AS runner
 
 RUN apt-get update && apt-get install -y --no-install-recommends \
   ca-certificates \
   curl \
   libx11-6 \
   libxtst6 \
   libxinerama1 \
+  passwd \
   && rm -rf /var/lib/apt/lists/*
 
+RUN groupadd --system boxlite && useradd --system --gid boxlite --home /nonexistent --shell /usr/sbin/nologin boxlite
+
 WORKDIR /usr/local/bin
 
 COPY --from=build /boxlite/apps/dist/apps/runner boxlite-runner
 
-RUN chmod +x boxlite-runner
+RUN chmod +x boxlite-runner && chown boxlite:boxlite boxlite-runner
+
+USER boxlite
 
 HEALTHCHECK CMD [ "curl", "-f", "http://localhost:3003/" ]
 
 ENTRYPOINT ["boxlite-runner"]

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@apps/runner/Dockerfile` around lines 71 - 89, The runner stage executes the
boxlite-runner binary as root, which is a security vulnerability. Create a
dedicated non-root user in the runner stage (for example, using a RUN command to
add a system user or leverage an existing unprivileged user) and add a USER
directive to switch to that user before the ENTRYPOINT instruction. This ensures
the container runs with reduced privileges rather than as root.

Source: Linters/SAST tools

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Outside diff comments:
In `@apps/runner/Dockerfile`:
- Around line 71-89: The runner stage executes the boxlite-runner binary as
root, which is a security vulnerability. Create a dedicated non-root user in the
runner stage (for example, using a RUN command to add a system user or leverage
an existing unprivileged user) and add a USER directive to switch to that user
before the ENTRYPOINT instruction. This ensures the container runs with reduced
privileges rather than as root.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro Plus

Run ID: 650f5b94-8812-4549-b4e6-201915dff886

📥 Commits

Reviewing files that changed from the base of the PR and between 8da2f75 and 432c754.

📒 Files selected for processing (9)

• apps/otel-collector/Dockerfile
• apps/otel-collector/builder-config.dev.yaml
• apps/otel-collector/project.json
• apps/proxy/Dockerfile
• apps/proxy/project.json
• apps/runner/Dockerfile
• apps/runner/project.json
• apps/ssh-gateway/Dockerfile
• apps/ssh-gateway/project.json

💤 Files with no reviewable changes (1)

• apps/otel-collector/builder-config.dev.yaml

✅ Files skipped from review due to trivial changes (1)

• apps/ssh-gateway/project.json

🚧 Files skipped from review as they are similar to previous changes (4)

• apps/proxy/project.json
• apps/runner/project.json
• apps/otel-collector/Dockerfile
• apps/ssh-gateway/Dockerfile

[DorianZheng]

LGTM