test 2

binarypie · binarypie · commit 629a01910ec4 · 2026-06-28T18:54:04.000Z
diff --git a/dot_files/devcube/Containerfile b/dot_files/devcube/Containerfile
@@ -258,27 +258,33 @@ RUN mkdir -p /etc/profile.d /etc/fish/conf.d \
 # =============================================================================
 # LAYER 14: Bake the Neovim configuration + pre-install plugins
 # =============================================================================
-# The full LazyVim config is baked into $HOME/.config/nvim. Personal overrides
-# are bind-mounted at runtime from the host (~/.config/hypercube/nvim) and
-# layered on top via the runtimepath (see lua/config/lazy.lua).
+# The full LazyVim config is baked into a PRISTINE, non-volume path under
+# /usr/share/hypercube/config. The entrypoint syncs it into $HOME/.config/nvim
+# on every start, so config updates ship with the image instead of going stale
+# on the persisted (copy-up-seeded) home volume. Personal overrides are
+# bind-mounted at runtime from the host (~/.config/hypercube/nvim) and layered
+# on top via the runtimepath (see lua/config/lazy.lua).
 # NOTE: the build context is dot_files/, so the nvim config lives under nvim/.
-COPY nvim/config/ /root/.config/nvim/
+COPY nvim/config/ /usr/share/hypercube/config/nvim/
 
 # Pre-install all plugins + build treesitter parsers so first launch is fast and
-# offline. HOME=/root and PATH already include the brew nvim binary.
-RUN nvim --headless "+Lazy! sync" +qa
+# offline. Point nvim at the pristine config via XDG_CONFIG_HOME; plugins still
+# land in stdpath('data') = /root/.local/share/nvim, which IS on the home volume
+# (seeded via copy-up on first run, matching the baked lazy-lock.json).
+RUN XDG_CONFIG_HOME=/usr/share/hypercube/config nvim --headless "+Lazy! sync" +qa
 
 # =============================================================================
 # LAYER 14b: Bake the shell / multiplexer / orchestrator configs
 # =============================================================================
 # fish + starship give a good in-container shell/prompt; zellij + workmux drive
-# the parallel-agent workflow. These seed into the persisted home volume on
-# first run (podman copy-up), like the nvim config above. starship.toml lands at
-# the exact path dot_files/fish/config.fish hardcodes for STARSHIP_CONFIG, so
-# fish needs no edits (and it lives outside /root, so it's always present).
-COPY fish/     /root/.config/fish/
-COPY zellij/   /root/.config/zellij/
-COPY workmux/  /root/.config/workmux/
+# the parallel-agent workflow. Like the nvim config above, these are baked into
+# the pristine /usr/share/hypercube/config path and synced into $HOME/.config by
+# the entrypoint on every start (so config updates ship with the image rather
+# than going stale on the home volume). starship.toml already lives here at the
+# exact path dot_files/fish/config.fish hardcodes for STARSHIP_CONFIG.
+COPY fish/     /usr/share/hypercube/config/fish/
+COPY zellij/   /usr/share/hypercube/config/zellij/
+COPY workmux/  /usr/share/hypercube/config/workmux/
 COPY starship/ /usr/share/hypercube/config/starship/
 
 # Make fish root's login shell so every interactive shell in the container
diff --git a/dot_files/devcube/Justfile b/dot_files/devcube/Justfile
@@ -6,6 +6,8 @@
 local_image := "localhost/devcube"
 remote_image := "ghcr.io/binarypie-dev/devcube:latest"
 # Throwaway volumes so local testing never touches the real per-project state.
+# Passing DEVCUBE_VOLUME explicitly forces this single fixed home volume instead
+# of the wrapper's per-project derivation, keeping local testing predictable.
 test_volume := "hypercube-devcube-test"
 test_wt_prefix := "devcube-wt-test"
 
@@ -80,6 +82,11 @@ test-build: build
     # The entrypoint must pin $SHELL to fish so workmux drops new worktrees into
     # fish (its default-shell fallback is /bin/sh otherwise).
     podman run --rm {{local_image}} sh -c '[ "$SHELL" = "$(command -v fish)" ]'
+    # Baked config lives at the pristine path, NOT under /root (the home volume),
+    # so config updates ship with the image instead of going stale on the volume.
+    podman run --rm --entrypoint sh {{local_image}} -c 'for c in nvim fish zellij workmux; do test -d /usr/share/hypercube/config/$c || exit 1; done && ! test -e /root/.config/nvim'
+    # ...and the entrypoint syncs it into /root/.config on every start.
+    podman run --rm {{local_image}} sh -c 'test -d /root/.config/nvim && test -f /root/.config/fish/config.fish && test -d /root/.config/zellij && test -d /root/.config/workmux'
     @echo ""
     @echo "All tests passed!"
 
diff --git a/dot_files/devcube/README.md b/dot_files/devcube/README.md
@@ -42,8 +42,10 @@ Linux desktop, a remote box, and macOS — no distrobox required.
 | `devc codex`      | OpenAI Codex CLI, run directly |
 | `devc agy`        | Antigravity CLI, run directly |
 
-All entry points share one home volume, so an AI login from any of them works in
-all of them.
+Within a project, all entry points share that project's home volume, so an AI
+login from any of them works in all of them. The home volume is **per-project**
+(derived from the launch path), so logins and state never leak between
+workspaces — you log in once per project.
 
 ### Parallel agents
 
@@ -88,17 +90,20 @@ only what's needed. The mounts:
 
 | Mounted in | Purpose |
 |---|---|
-| named volume `hypercube-devcube-home` → `/root` | plugin/mason updates, sessions, shada, **and AI-CLI auth** — seeded from the image on first run, persisted after |
+| per-project volume `hypercube-devcube-home-<proj>-<hash>` → `/root` | plugin/mason updates, sessions, shada, **and AI-CLI auth** — seeded from the image on first run, persisted after; one per project so creds never leak between workspaces |
 | current directory | the project you're editing |
 | per-project volume `devcube-wt-<proj>-<hash>` → `/worktrees` | worktrees + workmux state (orchestrators only) |
 | `~/.config/hypercube/nvim` | **your** plugin overrides, layered on top of the baked config |
 | `~/.gitconfig` (ro) | commit identity |
 | `$SSH_AUTH_SOCK` (Linux) | SSH agent for git/gh |
 
-Everything else (the LazyVim config, plugins, AI CLIs, zellij/workmux/fish/
-starship config) lives in the image. The container runs as `--user 0:0` so files
-you edit are owned by your host user under rootless podman. Multiple sessions run
-concurrently.
+The AI CLIs and nvim plugins live in the image and seed onto the home volume on
+first run. The **baked config** (LazyVim, zellij, workmux, fish, starship) is
+image-owned: it's stored at a pristine path and synced into `/root/.config` by
+the entrypoint on **every** start, so config updates ship with `podman pull` —
+no volume reset needed (plugin *version* bumps still want `:Lazy update`). The
+container runs as `--user 0:0` so files you edit are owned by your host user
+under rootless podman. Multiple sessions run concurrently.
 
 Clipboard uses **OSC 52** through the terminal, so yank/paste works locally
 (Ghostty) and over SSH without forwarding a Wayland/pbcopy socket.
@@ -114,8 +119,8 @@ devc nvim file.rs      # ...or just the editor
 | Command | Description |
 |---------|-------------|
 | `ujust devcube-setup`   | pull image + install the `devc` wrapper |
-| `ujust devcube-upgrade` | pull the latest image + refresh the wrapper |
-| `ujust devcube-reset`   | drop the home volume to re-seed (clears plugin state + AI logins); optionally prune per-project worktree volumes |
+| `ujust devcube-upgrade` | pull the latest image + refresh the wrapper (baked config refreshes itself on next launch) |
+| `ujust devcube-reset`   | drop all per-project home volumes to re-seed (clears plugin state + AI logins); optionally prune per-project worktree volumes |
 | `ujust devcube-shell`   | debug shell inside a throwaway container |
 
 ## Setup (macOS / any podman host)
diff --git a/dot_files/devcube/entrypoint.sh b/dot_files/devcube/entrypoint.sh
@@ -26,6 +26,35 @@ if [ -z "${TERM:-}" ] || ! infocmp "$TERM" >/dev/null 2>&1; then
     export TERM=xterm-256color
 fi
 
+# Refresh image-baked editor/shell/multiplexer config into the home volume on
+# every start, so config updates ship with `podman pull` instead of forcing a
+# volume wipe. Only these fully image-owned dirs are replaced; auth + state
+# (~/.local, ~/.claude, ~/.cache, plugin downloads + lazy-lock, shell history,
+# zellij session serialization) live elsewhere on the volume and are untouched.
+# rm -rf + cp -a (not rsync, which isn't installed) so files removed from the
+# image also drop from the dir. The personal nvim override (~/.config/hypercube/
+# nvim) is a different dir and is never touched.
+config_src="/usr/share/hypercube/config"
+for c in nvim fish zellij workmux; do
+    src="$config_src/$c"
+    dest="$HOME/.config/$c"
+    [ -d "$src" ] || continue
+    mkdir -p "$HOME/.config"
+    # fish writes its universal variables (set -U, e.g. fish_user_paths/colors)
+    # to $dest/fish_variables -- that's runtime STATE, not baked config, so carry
+    # it across the refresh rather than wiping it with the config dir.
+    saved=""
+    if [ "$c" = fish ] && [ -f "$dest/fish_variables" ]; then
+        saved="$(mktemp)" && cp -a "$dest/fish_variables" "$saved"
+    fi
+    rm -rf "$dest"
+    cp -a "$src" "$dest"
+    if [ -n "$saved" ]; then
+        cp -a "$saved" "$dest/fish_variables"
+        rm -f "$saved"
+    fi
+done
+
 if [ $# -eq 0 ]; then
     exec nvim
 else
diff --git a/dot_files/devcube/scripts/devcube.sh b/dot_files/devcube/scripts/devcube.sh
@@ -14,8 +14,10 @@
 #   devc agy        -> Antigravity CLI, run directly
 #
 # Extra args after the tool are passed through (e.g. `devc nvim file.rs`,
-# `devc claude --resume`). All entry points share the same home volume, so
-# AI-CLI logins persist across them -- log in once and every tool is authed.
+# `devc claude --resume`). Within one project all entry points share that
+# project's home volume, so an AI-CLI login from any of them works in all of
+# them -- but the home volume is PER-PROJECT (derived from the launch path like
+# the worktree volume below), so creds/state never leak between workspaces.
 #
 # zellij/workmux run the parallel-agent flow: each `workmux add <branch>`
 # creates a git worktree on a PER-PROJECT named volume mounted at /worktrees,
@@ -29,9 +31,12 @@
 # SSH agent, terminal). Portable across Linux and macOS.
 #
 # Env overrides:
-#   DEVCUBE_IMAGE      container image (default ghcr.io/binarypie-dev/devcube:latest)
-#   DEVCUBE_VOLUME     named volume holding state + AI auth (default hypercube-devcube-home)
-#   DEVCUBE_WT_PREFIX  prefix for the per-project worktree volume (default devcube-wt)
+#   DEVCUBE_IMAGE        container image (default ghcr.io/binarypie-dev/devcube:latest)
+#   DEVCUBE_VOLUME       exact home-volume name (default: a per-project name derived
+#                        from DEVCUBE_HOME_PREFIX + the launch path). Set this to
+#                        force a single fixed volume (the test harness does this).
+#   DEVCUBE_HOME_PREFIX  prefix for the per-project home volume (default hypercube-devcube-home)
+#   DEVCUBE_WT_PREFIX    prefix for the per-project worktree volume (default devcube-wt)
 set -euo pipefail
 
 # The tool to run is the first argument; default to the workmux workspace.
@@ -48,7 +53,6 @@ nvim | claude | codex | agy | zellij | workmux)
 esac
 
 IMAGE="${DEVCUBE_IMAGE:-ghcr.io/binarypie-dev/devcube:latest}"
-VOLUME="${DEVCUBE_VOLUME:-hypercube-devcube-home}"
 OVERRIDE_DIR="$HOME/.config/hypercube/nvim"
 
 # Personal overrides are layered on top of the baked config. Ensure the dir
@@ -70,6 +74,21 @@ if [ "$TOOL" = workmux ] && [ -z "$git_root" ]; then
 	exit 1
 fi
 
+# Stable, repo-root-derived names so a project's state persists across restarts,
+# is shared no matter which subdir you launch from, and never collides with
+# another project's. cksum is available on both Linux and macOS (the wrapper
+# stays portable). Used for the per-project home volume here and the per-project
+# worktree volume + zellij session name in the orchestrator case below.
+slug="$(basename "$project_dir" | tr -c 'a-zA-Z0-9_.-' '-')"
+phash="$(printf '%s' "$project_dir" | cksum | cut -d' ' -f1)"
+
+# Home volume: PER-PROJECT by default so AI auth + state stay isolated between
+# workspaces. DEVCUBE_VOLUME forces an exact name (the test harness relies on
+# this); otherwise the name is derived from DEVCUBE_HOME_PREFIX + project, just
+# like the worktree volume.
+HOME_PREFIX="${DEVCUBE_HOME_PREFIX:-hypercube-devcube-home}"
+VOLUME="${DEVCUBE_VOLUME:-${HOME_PREFIX}-${slug}-${phash}}"
+
 # Where the project shows up inside the container. By default it's mounted at
 # its own host path (identity) so file paths line up on both sides. The
 # orchestrators override this below.
@@ -82,18 +101,14 @@ container_cmd=("$TOOL")
 extra=()
 case "$TOOL" in
 zellij | workmux)
-	# Stable, repo-root-derived names so a project's worktrees + workmux state
-	# persist across restarts, are shared no matter which subdir you launch from,
-	# and never collide with another project's. cksum is available on both Linux
-	# and macOS (the wrapper stays portable).
-	slug="$(basename "$project_dir" | tr -c 'a-zA-Z0-9_.-' '-')"
-	phash="$(printf '%s' "$project_dir" | cksum | cut -d' ' -f1)"
+	# Per-project worktree volume + zellij session name, from the same slug/phash
+	# computed above so a project's worktrees + workmux state persist across
+	# restarts and never collide with another project's.
 	wt_volume="${DEVCUBE_WT_PREFIX:-devcube-wt}-${slug}-${phash}"
 	# Stable, per-project zellij session name so closing the devcube (Ctrl+Space
-	# q -> Save) and reopening it resumes the SAME session. The home volume
-	# (/root) is shared across every project, so the name must be unique per
-	# project -> include phash. zellij session names can't contain '.', so the
-	# slug's dots are squashed to '-' (the volume name keeps them; it's separate).
+	# q -> Save) and reopening it resumes the SAME session. zellij session names
+	# can't contain '.', so the slug's dots are squashed to '-' (the volume names
+	# keep them; they're separate).
 	session="devcube-$(printf '%s' "$slug" | tr '.' '-')-${phash}"
 	# Mount the project at a fixed /workspace -- a stable, branch-independent path
 	# regardless of which branch the host checkout is on -- kept separate from the
@@ -131,9 +146,11 @@ args=(
 	-e TERM
 	-e COLORTERM
 	"${extra[@]}"
-	# State + plugin updates + AI auth. Empty volume is seeded from the image's
-	# /root on first run (podman copy-up); never use a fixed container --name so
-	# multiple sessions can run concurrently.
+	# Per-project home volume: AI auth + plugin/state updates + shell history.
+	# Empty volume is seeded from the image's /root on first run (podman copy-up);
+	# baked config (nvim/fish/zellij/workmux) is NOT here -- the entrypoint syncs
+	# it from the image on every start so config updates ship without a wipe.
+	# Never use a fixed container --name so multiple sessions run concurrently.
 	-v "${VOLUME}:/root"
 	# The project -- the git repo root, or the launch dir when not in a repo.
 	# Mounted at its host path for the direct tools, or at /workspace for the
diff --git a/dot_files/devcube/zj-quit.sh b/dot_files/devcube/zj-quit.sh
@@ -4,9 +4,10 @@
 # Launched in a floating zellij pane (see dot_files/zellij/config.kdl). It asks
 # whether to keep the session before dropping back to your host shell:
 #
-#   Save     -> Quit the session. With session_serialization on, zellij keeps it
-#               as a resurrectable session; the next `devc` reattaches to it
-#               (same tabs / worktrees / panes). See devcube-session.sh.
+#   Save     -> End the session via `kill-session`. With session_serialization
+#               on, zellij keeps it as a resurrectable session; the next `devc`
+#               reattaches to it (same tabs / worktrees / panes). See
+#               devcube-session.sh.
 #   Discard  -> Delete this session (and its serialized state) outright, so the
 #               next `devc` starts fresh from the workmux layout.
 #   Cancel   -> Close this prompt and stay where you are.
@@ -32,17 +33,27 @@ choice="$(
 
 case "$choice" in
 Save*)
-	# Quit -> resurrectable (serialization is enabled in config.kdl).
-	exec zellij action quit
+	# End this session but KEEP it resurrectable. There is no `zellij action
+	# quit` CLI subcommand (Quit is only a keybinding action), so use
+	# kill-session: it terminates the session -- dropping you back to the host
+	# shell -- while leaving the serialized snapshot on disk (serialization is
+	# enabled in config.kdl), so the next `devc` resurrects it. delete-session
+	# (below) is the one that removes that snapshot.
+	if [ -n "$session" ]; then
+		exec zellij kill-session "$session"
+	else
+		# ZELLIJ_SESSION_NAME is always set inside a pane; this is just a guard.
+		exec zellij kill-session
+	fi
 	;;
 Discard*)
 	# Kill the running session AND remove its serialized copy in one shot, so
-	# nothing is left to resurrect. Fall back to a plain quit if, for whatever
+	# nothing is left to resurrect. Fall back to a plain kill if, for whatever
 	# reason, we don't know our own session name.
 	if [ -n "$session" ]; then
 		exec zellij delete-session "$session" --force
 	else
-		exec zellij action quit
+		exec zellij kill-session
 	fi
 	;;
 *)
diff --git a/system_files/shared/usr/share/ublue-os/just/61-devcube.just b/system_files/shared/usr/share/ublue-os/just/61-devcube.just
@@ -5,13 +5,15 @@
 # toolchain, and zellij + workmux ship as a single portable podman image. A thin
 # wrapper at ~/.local/bin/devc runs it: `devc` opens the workmux parallel-agent
 # workspace, and `devc nvim` / `devc claude` / `devc codex` / `devc agy` /
-# `devc zellij` launch a single tool. One home volume is shared across them, so
-# AI logins persist. Personal plugin overrides live in
+# `devc zellij` launch a single tool. Each project gets its OWN home volume
+# (derived from the launch path), so AI logins persist per workspace and never
+# leak between projects. Personal plugin overrides live in
 # ~/.config/hypercube/nvim/lua/plugins/.
 
 image := "ghcr.io/binarypie-dev/devcube:latest"
 wrapper := "/usr/share/hypercube/config/devcube/scripts/devcube.sh"
-volume := "hypercube-devcube-home"
+# Per-project home volumes share this prefix (see devcube.sh DEVCUBE_HOME_PREFIX).
+volume_prefix := "hypercube-devcube-home"
 
 # Pull the image and install the devc wrapper to ~/.local/bin
 devcube-setup:
@@ -41,21 +43,21 @@ devcube-upgrade:
     install -m 0755 {{wrapper}} "$HOME/.local/bin/devc"
 
     echo "Done!"
-    echo "Tip: run ':Lazy update' inside nvim to update plugins. Baked config"
-    echo "updates (zellij/workmux/fish) only apply to a fresh home volume — run"
-    echo "'ujust devcube-reset' to re-seed (this clears AI logins)."
+    echo "Baked config (nvim/fish/zellij/workmux) refreshes automatically on the"
+    echo "next launch — no reset needed. For nvim plugin updates run ':Lazy update'"
+    echo "(or ':Lazy restore' to match the image's pinned versions) inside nvim."
 
-# Reset persisted state so the next launch re-seeds from the image.
-# WARNING: removes plugin state, sessions, AND AI CLI logins stored in the volume.
+# WARNING: removes plugin state, sessions, AND AI CLI logins stored in the volumes.
+# Reset persisted state in all per-project home volumes so the next launch re-seeds.
 devcube-reset:
     #!/usr/bin/bash
     set -euo pipefail
 
-    read -p "Remove the {{volume}} volume (plugin state + AI logins)? [y/N] " -n 1 -r
+    read -p "Remove ALL per-project home volumes ({{volume_prefix}}-*) (plugin state + AI logins)? [y/N] " -n 1 -r
     echo
     if [[ $REPLY =~ ^[Yy]$ ]]; then
-        podman volume rm -f {{volume}} 2>/dev/null || true
-        echo "Volume removed. The next 'devc' launch will re-seed from the image."
+        podman volume ls -q | grep '^{{volume_prefix}}' | xargs -r podman volume rm -f
+        echo "Home volumes removed. The next 'devc' launch will re-seed from the image."
     fi
 
     read -p "Also remove ALL per-project worktree volumes (devcube-wt-*)? [y/N] " -n 1 -r
@@ -67,13 +69,14 @@ devcube-reset:
         echo "Kept per-project worktree volumes."
     fi
 
-# Open a debug shell inside a throwaway devcube container
+# No home volume is mounted (state is per-project, and this is a scratch shell),
+# so /root is ephemeral, though the entrypoint still lays down the baked config.
+# Open a debug shell inside a throwaway devcube container.
 devcube-shell:
     #!/usr/bin/bash
     set -euo pipefail
     exec podman run --rm -it --init \
         --user 0:0 --security-opt label=disable \
         -e DEVCUBE=1 -e TERM \
-        -v {{volume}}:/root \
         -v "$(pwd):$(pwd):rw" -w "$(pwd)" \
         {{image}} bash
