fraqtal/agentic-dev-template
1
0
Fork 0
Code Issues Pull Requests Actions 1 Packages Projects Releases Wiki Activity
Files
main
agentic-dev-template/README.md
Danijel Martinek 7737358509 fix(sandcastle): make Dockerfile match sandcastle's expected shape + document macOS keychain quirk 
Two separate sandbox blockers surfaced when the user tried
`pnpm work decompose --execute`:

1. **Container died on exec** — our Dockerfile had:
     - WORKDIR /workspace + CMD ["bash"]
     - No `agent` user (sandcastle exec's as UID:GID it built with)
     - node:22-bookworm-slim (missing some build deps the install
       script wants)
   Sandcastle expects:
     - A non-root `agent` user with home at /home/agent (sandcastle
       does `git config --global --add safe.directory /home/agent/workspace`,
       which fails if the user doesn't exist or the container exited)
     - ENTRYPOINT ["sleep", "infinity"] so the container survives
       the gap between sandcastle creating it and exec'ing in
   Replaced .sandcastle/Dockerfile with the shape `sandcastle init`
   would generate (verified against
   node_modules/@ai-hero/sandcastle/dist/InitService.js):
     - node:22-bookworm (full, not slim) for build tooling
     - apt-get installs git + curl + jq
     - corepack-pinned pnpm@9
     - ARG AGENT_UID=1000 + AGENT_GID=1000; sandcastle's
       build-image passes the host's UID/GID by default
     - `groupmod -o -g $AGENT_GID node` + `usermod -o ... node` —
       the `-o` (non-unique) flag is required because macOS hosts
       have UID:501 GID:20, and GID 20 collides with Debian's
       `dialout` group in the base image (without -o, groupmod
       fails with "GID '20' already exists")
     - USER ${AGENT_UID}:${AGENT_GID}, then install Claude Code CLI
       via the official installer
     - ENV PATH includes /home/agent/.local/bin
     - WORKDIR /home/agent (sandcastle overrides per-run anyway)
     - ENTRYPOINT ["sleep", "infinity"] keeps the container alive

2. **"Not logged in · Please run /login"** inside the container —
   Claude Code on macOS stores credentials in the Keychain, NOT in
   ~/.claude/.credentials.json. Sandcastle's bind-mount of ~/.claude
   finds nothing usable. Documented the workaround:
     - README.md "Sandcastle setup (one-time)" — macOS-specific
       block with the `security find-generic-password ... > ~/.claude/.credentials.json`
       one-liner + chmod 600 + the security trade-off (plaintext
       file vs keychain isolation)
     - docs/guides/runbook.md "Using Sandcastle → Prerequisites" —
       step 3 (Authentication) gets a "macOS quirk" subsection with
       the same extraction one-liner + the API-key fallback as the
       alternative path
     - scripts/work/{dispatch,decompose}.mjs — when the sandcastle
       error matches /Not logged in|Please run \/login/ AND we're on
       darwin, the dispatcher prints the keychain-extraction
       commands + the API-key fallback inline above the generic
       "See runbook" line, so future agents discover the fix at the
       failure site

The image rebuilds clean (`pnpm exec sandcastle docker
build-image`) at ~1.95GB and the container survives sandcastle's
exec — confirmed by reaching the "Not logged in" stage (which is
the next-layer issue, not the Dockerfile issue).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-13 18:02:34 +02:00

115 lines
5.5 KiB
Markdown
Raw Permalink Blame History

# Clean Architecture Monorepo Template
Turborepo + pnpm monorepo organised by vertical features, with an **agent-first workflow** and **five conformance gates**.
This template is built for **agent-driven development**. [Sandcastle](https://github.com/mattpocock/sandcastle) is the orchestration substrate; `pnpm work dispatch` is the entry point. See [ADR-019](./docs/decisions/adr-019-sandcastle-for-agent-orchestration.md) for the decision rationale and [`docs/guides/runbook.md`](./docs/guides/runbook.md) for end-to-end usage.
## Start here
Read [`docs/guides/runbook.md`](./docs/guides/runbook.md) — day-1 onboarding (prerequisites, env vars, daily commands, troubleshooting, **Using Sandcastle for agent dispatch**).
## Quick reference
```bash
pnpm install # Install + auto-wire husky pre-commit hooks
pnpm dev # All dev servers (web-next:3000, cms:3001, web-tanstack:3002, storybook:6006)
pnpm test # All tests
pnpm typecheck # TypeScript across all packages
pnpm lint # ESLint (incl. 8 conformance/* rules)
pnpm conformance # Cross-feature event closure
pnpm fallow # Whole-codebase: dead exports, dupes, complexity
pnpm turbo boundaries # Workspace dependency graph
pnpm work status # docs/work/ epic + story state
docker compose up -d # Start PostgreSQL
```
## Sandcastle setup (one-time)
Required only if you'll use `pnpm work dispatch --execute` or `pnpm work decompose <id> --execute` (agent dispatch). The dispatch loop runs the implementer / reviewer / decomposer agents inside an isolated Docker sandbox; the image is built once locally.
```bash
# 1. Ensure Docker is running
docker info >/dev/null
# 2. Build the sandcastle image (reads .sandcastle/Dockerfile)
pnpm exec sandcastle docker build-image
# Tags as: sandcastle:template-vertical (derived from the root package.json name)
# 3. Pick ONE auth path:
# (a) Recommended — Claude Pro/Max subscription:
claude login # one-time; ~/.claude/ becomes the auth source
# (b) Fallback — API key:
export ANTHROPIC_API_KEY=sk-ant-...
```
**macOS users**: subscription auth needs an extra step. Claude Code stores credentials in the macOS Keychain by default, so the host's `~/.claude/` directory has no `.credentials.json` for the sandbox to read. Two workarounds:
```bash
# (preferred for macOS subscription users) extract keychain -> file once:
security find-generic-password -s "Claude Code-credentials" -a "$USER" -w \
> ~/.claude/.credentials.json
chmod 600 ~/.claude/.credentials.json
# Trade-off: credentials now live as a plaintext file at the path; refresh
# when the token expires (re-run the same one-liner). The file is in your
# home directory — chmod 600 + your home permissions are the protection.
# OR fall back to API key — no host changes needed:
export ANTHROPIC_API_KEY=sk-ant-...
```
Linux + WSL users with `claude login` write `~/.claude/.credentials.json` directly; nothing extra needed.
After the image exists, dispatch flows work without further setup:
```bash
pnpm work dispatch # print plan (safe anywhere)
pnpm work dispatch --execute # actually dispatch via sandcastle
pnpm work decompose <prd-id> # print decompose plan
pnpm work decompose <prd-id> --execute # decompose an approved PRD
```
To rebuild the image after changing `.sandcastle/Dockerfile`:
```bash
pnpm exec sandcastle docker remove-image
pnpm exec sandcastle docker build-image
```
See [`docs/guides/runbook.md` → Using Sandcastle](./docs/guides/runbook.md#using-sandcastle-for-agent-dispatch) for the full dispatch lifecycle, auth modes, and troubleshooting.
## Documentation map
- **[`docs/guides/runbook.md`](./docs/guides/runbook.md)** — start here
- **[`CLAUDE.md`](./CLAUDE.md)** — full conventions reference
- **[`AGENTS.md`](./AGENTS.md)** — package map + boundary rules
- **[`docs/guides/conformance-quickref.md`](./docs/guides/conformance-quickref.md)** — manifest + 5-gate daily reference
- **[`docs/architecture/agent-first-workflow-and-conformance.md`](./docs/architecture/agent-first-workflow-and-conformance.md)** — full design
- **[`docs/architecture/feature-conformance-explainer.html`](./docs/architecture/feature-conformance-explainer.html)** — interactive explainer
## Scaffolding
```bash
pnpm turbo gen feature <name> # Scaffold a feature (manifest + contracts + tests)
pnpm turbo gen event # Event contract or handler (requires gen core-package events)
pnpm turbo gen job # Background job
pnpm turbo gen realtime # Realtime channel (requires gen core-package realtime)
pnpm turbo gen core-package <name> # Optional core: events / realtime / trpc / ui / audit
pnpm turbo gen core-ui-component <name> # Atomic-design component
```
**Generator-first is non-negotiable** — hand-rolled feature/event/job/realtime/component code is rejected by reviewer agents and may fail the CI scaffold-drift check.
## Optional packages
Five core packages scaffold on demand:
```bash
pnpm turbo gen core-package realtime # Socket.IO realtime layer (ADR-016)
pnpm turbo gen core-package events # Cross-feature events + Payload jobs (ADR-015)
pnpm turbo gen core-package trpc # tRPC server setup
pnpm turbo gen core-package ui # Design system
pnpm turbo gen core-package audit # DPA-compliant audit logging (ADR-018)
```
See [`docs/architecture/template-tiers.md`](./docs/architecture/template-tiers.md) for the full tier list.
Reference in New Issue View Git Blame Copy Permalink