Update sandcat

adamw · adamw · commit a2a1ad60323c · 2026-02-23T08:40:15.000Z
diff --git a/.devcontainer/Dockerfile.app b/.devcontainer/Dockerfile.app
@@ -23,6 +23,25 @@ RUN mise use -g node@lts \
 RUN mise use -g java@21
 RUN mise use -g sbt
 
+# If Java was installed above, bake JAVA_HOME and JAVA_TOOL_OPTIONS into
+# .bashrc so VS Code's env probe picks them up before the entrypoint runs.
+# Without JAVA_HOME, JVM tooling like Metals fails to find the JDK.
+# JAVA_TOOL_OPTIONS points to a trust store copy that the entrypoint will
+# populate with the mitmproxy CA at runtime; until then it holds the default
+# Java CAs (harmless — equivalent to not setting it at all).
+# A version-independent symlink is used so .bashrc doesn't need updating
+# when the Java version changes — only the symlink target is updated.
+RUN if MISE_JAVA=$(mise where java 2>/dev/null); then \
+    dir="$HOME/.local/share/sandcat"; mkdir -p "$dir"; \
+    ln -sfn "$MISE_JAVA" "$dir/java-home"; \
+    cp "$MISE_JAVA/lib/security/cacerts" "$dir/cacerts" 2>/dev/null || true; \
+    { echo ''; \
+    echo '# sandcat-java-env'; \
+    echo '[ -L "$HOME/.local/share/sandcat/java-home" ] && export JAVA_HOME="$HOME/.local/share/sandcat/java-home"'; \
+    echo '[ -f "$HOME/.local/share/sandcat/cacerts" ] && export JAVA_TOOL_OPTIONS="-Djavax.net.ssl.trustStore=$HOME/.local/share/sandcat/cacerts -Djavax.net.ssl.trustStorePassword=changeit"'; \
+    } >> "$HOME/.bashrc"; \
+    fi
+
 # Pre-create the Claude config directory and seed onboarding flag so Claude
 # Code can use an API key from the environment without interactive setup.
 RUN mkdir -p /home/vscode/.claude \
diff --git a/.devcontainer/sandcat/scripts/app-init.sh b/.devcontainer/sandcat/scripts/app-init.sh
@@ -1,24 +1,22 @@
 #!/bin/bash
 #
 # Entrypoint for containers that share the wg-client's network namespace.
-# Installs the mitmproxy CA cert, loads env vars and secret placeholders
-# from sandcat.env, then hands off to the container's main command.
+# Installs the mitmproxy CA cert, disables commit signing, loads env vars
+# and secret placeholders from sandcat.env, runs vscode-user setup (git
+# identity, Java trust store, Claude Code update), then drops to vscode
+# and exec's the container's main command.
 #
 set -e
 
 CA_CERT="/mitmproxy-config/mitmproxy-ca-cert.pem"
 
-# The CA cert should already exist (wg-client depends_on mitmproxy healthy),
-# but wait briefly in case of a slight race on the shared volume.
-elapsed=0
-while [ ! -f "$CA_CERT" ]; do
-    if [ "$elapsed" -ge 30 ]; then
-        echo "Timed out waiting for mitmproxy CA cert" >&2
-        exit 1
-    fi
-    sleep 1
-    elapsed=$((elapsed + 1))
-done
+# The CA cert is guaranteed to exist: app depends_on wg-client (healthy),
+# which depends_on mitmproxy (healthy), whose healthcheck requires the
+# WireGuard config — generated after the CA.
+if [ ! -f "$CA_CERT" ]; then
+    echo "mitmproxy CA cert not found at $CA_CERT" >&2
+    exit 1
+fi
 
 cp "$CA_CERT" /usr/local/share/ca-certificates/mitmproxy.crt
 update-ca-certificates
@@ -55,24 +53,9 @@ else
     echo "No $SANDCAT_ENV found — env vars and secret substitution disabled"
 fi
 
-# Run vscode-user tasks: git identity and Claude Code update.
+# Run vscode-user tasks: git identity, Java trust store, Claude Code update.
 su - vscode -c /usr/local/bin/app-user-init.sh
 
-# If app-user-init.sh set up Java (symlink + trust store), export JAVA_HOME
-# and JAVA_TOOL_OPTIONS for shells and child processes of PID 1.
-SANDCAT_JAVA_HOME="/home/vscode/.local/share/sandcat/java-home"
-if [ -L "$SANDCAT_JAVA_HOME" ]; then
-    export JAVA_HOME="$SANDCAT_JAVA_HOME"
-    echo "export JAVA_HOME=\"$SANDCAT_JAVA_HOME\"" > /etc/profile.d/sandcat-java.sh
-fi
-if [ -f /tmp/sandcat-java-cacerts-path ]; then
-    SANDCAT_CACERTS=$(cat /tmp/sandcat-java-cacerts-path)
-    JAVA_TRUST_OPTS="-Djavax.net.ssl.trustStore=$SANDCAT_CACERTS -Djavax.net.ssl.trustStorePassword=changeit"
-    export JAVA_TOOL_OPTIONS="$JAVA_TRUST_OPTS"
-    echo "export JAVA_TOOL_OPTIONS=\"$JAVA_TRUST_OPTS\"" >> /etc/profile.d/sandcat-java.sh
-    rm -f /tmp/sandcat-java-cacerts-path
-fi
-
 # Source all sandcat profile.d scripts from /etc/bash.bashrc so env vars
 # are available in non-login shells (e.g. VS Code integrated terminals).
 # Guard with a marker to avoid duplicating on container restart.
diff --git a/.devcontainer/sandcat/scripts/app-user-init.sh b/.devcontainer/sandcat/scripts/app-user-init.sh
@@ -23,7 +23,7 @@ git config --global commit.gpgsign false
 # store. Java uses its own cacerts and ignores the system CA store.
 CA_CERT="/mitmproxy-config/mitmproxy-ca-cert.pem"
 
-# Ensure mise is on PATH.  `su - vscode` resets the environment and sources
+# Ensure mise is on PATH. `su - vscode` resets the environment and sources
 # only the first of ~/.bash_profile, ~/.bash_login, ~/.profile.  If
 # ~/.bash_profile exists (e.g. created by VS Code on a persistent volume),
 # ~/.profile — where the Dockerfile adds mise — is never read.
@@ -33,8 +33,8 @@ fi
 
 MISE_JAVA_HOME="$(mise where java 2>/dev/null || true)"
 if [ -n "$MISE_JAVA_HOME" ] && [ -f "$CA_CERT" ]; then
-    # Create a version-independent symlink so JAVA_HOME (exported via
-    # /etc/profile.d/) doesn't depend on the mise Java version.
+    # Create a version-independent symlink so JAVA_HOME doesn't depend
+    # on the mise Java version.
     SANDCAT_DIR="$HOME/.local/share/sandcat"
     mkdir -p "$SANDCAT_DIR"
     ln -sfn "$MISE_JAVA_HOME" "$SANDCAT_DIR/java-home"
@@ -69,30 +69,7 @@ if [ -n "$MISE_JAVA_HOME" ] && [ -f "$CA_CERT" ]; then
   }
 }
 EOFJSON
-    fi
-
-    # Signal to app-init.sh (which runs as root) where the cacerts copy is,
-    # so it can set JAVA_TOOL_OPTIONS. Written on every start since /tmp
-    # is cleared on container restart.
-    if [ -f "$SANDCAT_CACERTS" ]; then
-        echo "$SANDCAT_CACERTS" > /tmp/sandcat-java-cacerts-path
-    fi
-
-    # Write Java env vars to ~/.bashrc (on the persistent app-home volume)
-    # so VS Code's userEnvProbe picks them up even after container rebuild.
-    # /etc/profile.d/ is ephemeral and works for shells, but VS Code may
-    # probe the environment before the entrypoint recreates those files.
-    BASHRC_JAVA_MARKER="# sandcat-java-env"
-    if ! grep -q "$BASHRC_JAVA_MARKER" "$HOME/.bashrc" 2>/dev/null; then
-        cat >> "$HOME/.bashrc" << 'BASHRC_JAVA'
 
-# sandcat-java-env
-_sc_java="$HOME/.local/share/sandcat/java-home"
-_sc_cacerts="$HOME/.local/share/sandcat/cacerts"
-[ -L "$_sc_java" ] && export JAVA_HOME="$_sc_java"
-[ -f "$_sc_cacerts" ] && export JAVA_TOOL_OPTIONS="-Djavax.net.ssl.trustStore=$_sc_cacerts -Djavax.net.ssl.trustStorePassword=changeit"
-unset _sc_java _sc_cacerts
-BASHRC_JAVA
     fi
 fi
 
