docs(harness): wire altimate-code symlink + binary shim into sandbox contract #1934
saravmajestic wants to merge 3 commits into master
…contract
The dev-workflow skill already had a Harness Sandbox Contract section
from a prior pass, but it was missing two things the matching pod
template (in AltimateAI/harness) now does:
1. Clone altimate-code alongside at /workspace/altimate-code, install
its bun deps, and symlink the @altimateai/{altimate-code,dbt-tools,drivers}
workspace packages into this extension's node_modules. Mirrors the
pattern that wires altimate-mcp-engine into vscode-altimate-mcp-server.
2. Drop a small `altimate` shim in ~/.local/bin that runs the local
opencode source via bun, so any future runtime-spawn use resolves
to the local clone.
Also fixed in the contract:
- base_image: switched to vscode-altimate-mcp-server-base:latest (which
exists in ACR and has all needed tools — code-server, yarn, node, bun).
The previous value pointed at vscode-dbt-power-user-base:latest which
was never built.
- install-webview-deps: switched from `yarn install` to `npm install`.
webview_panels is npm-managed per package.json's `install:panels`
script; using yarn was creating a competing yarn.lock.
- compile step: replaced `yarn compile` (tsc only) with `yarn webpack`
(the actual extension build).
- code-server settings: removed `altimate.onboardedMcpServer` (mcp-server's
setting) — set `dbt.altimateAiKey` placeholder instead.
Companion change in AltimateAI/harness adds the matching pod template
(pod-vscode-dbt-power-user.yaml) that runs all of the above.
Walkthrough
Replaces the sandbox harness contract with a two‑phase lifecycle and updates the setup flow: new base image, granular multi-step install/build commands, on‑demand bun/webpack installs, workspace package symlinking and an
Changes
Sandbox Harness lifecycle & setup
Actionable comments posted: 2
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In @.claude/skills/dev-workflow/SKILL.md:
- Around line 369-380: The exported PATH in the expose-altimate-binary cmd block
is only appended to ~/.bashrc and won't affect the code-server daemon
environment; update the code-server start_command to prepend $HOME/.local/bin to
PATH so the shim is visible to spawned processes (ensure the start_command
includes something like PATH="$HOME/.local/bin:$PATH" before launching
code-server), keep the existing shim creation in the expose-altimate-binary
block (the printf/chmod/grep steps and the altimate shim) and reference the same
$HOME/.local/bin location in the start_command so spawn("altimate", ...)
resolves at runtime.
- Around line 337-384: The pipeline commands in tasks like
install-extension-deps, install-webview-deps, install-altimate-code-deps, and
initial-extension-build can hide failures because piping to tail masks the
original command's exit code; update each task to run the install/build under a
shell with pipefail enabled (e.g. run via bash -c 'set -o pipefail; <command> |
tail -n X' or otherwise capture the primary command's exit status and propagate
it) so that yarn/npm/bun failures cause the step to fail rather than being
swallowed by tail.
📒 Files selected for processing (1)
.claude/skills/dev-workflow/SKILL.md
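The two findings in the review above, reproduced as an added example (not code from the PR or from CodeRabbit). `false` stands in for a failing yarn/npm/bun step, and the throwaway HOME with its stub `altimate` script is constructed for the demo.

```shell
#!/usr/bin/env bash
# Added example: constructed stand-ins, not the PR's setup_commands.
BASH_BIN=$(command -v bash)

# Finding 1: exit status of `<cmd> | tail`. `false` stands in for a failing
# install step. $1 is an optional prefix such as 'set -o pipefail;'.
pipeline_status() {
  status=0
  "$BASH_BIN" -c "$1 false 2>&1 | tail -5" || status=$?
  echo "$status"
}

# What the `a | tail || b` fallback prints: empty when the fallback never runs.
fallback_output() {
  "$BASH_BIN" -c "$1 false 2>&1 | tail -5 || echo fallback-ran"
}

# Finding 2: build a throwaway HOME holding a stub `altimate` shim and a
# .bashrc that exports PATH, mirroring what expose-altimate-binary leaves behind.
make_sandbox_home() {
  home=$(mktemp -d)
  mkdir -p "$home/.local/bin"
  printf '%s\n' '#!/bin/sh' 'echo shim-ok' > "$home/.local/bin/altimate"
  chmod +x "$home/.local/bin/altimate"
  echo 'export PATH="$HOME/.local/bin:$PATH"' >> "$home/.bashrc"
  echo "$home"
}

# Daemon-style launch: clean environment, no terminal, non-interactive shell,
# so ~/.bashrc is never read. $1 = HOME, $2 = PATH handed to the process.
resolve_altimate() {
  env -i HOME="$1" PATH="$2" "$BASH_BIN" -c \
    'command -v altimate || echo not-found' </dev/null
}

demo_home=$(make_sandbox_home)
echo "exit status without pipefail: $(pipeline_status '')"
echo "exit status with pipefail:    $(pipeline_status 'set -o pipefail;')"
echo "fallback without pipefail:    '$(fallback_output '')'"
echo "fallback with pipefail:       '$(fallback_output 'set -o pipefail;')'"
echo "PATH only in .bashrc:         $(resolve_altimate "$demo_home" /usr/bin:/bin)"
echo "PATH set on the launch:       $(resolve_altimate "$demo_home" "$demo_home/.local/bin:/usr/bin:/bin")"
rm -rf "$demo_home"
```

The fallback lines show a side effect of the fix: once pipefail is on, the right-hand side of `||` starts running on real failures.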
| - name: install-extension-deps | ||
| cmd: yarn install --frozen-lockfile 2>&1 | tail -5 || yarn install 2>&1 | tail -5 | ||
| # webview_panels is npm-managed (per package.json scripts: install:panels | ||
| # uses `npm install --prefix ./webview_panels`), so use npm here too — | ||
| # using yarn would create a competing yarn.lock and drift the install. | ||
| - name: install-webview-deps | ||
| cmd: cd webview_panels && (yarn install --immutable 2>&1 | tail -5 || yarn install 2>&1 | tail -5) | ||
| - name: compile-extension | ||
| cmd: yarn compile | ||
| cmd: cd webview_panels && (npm ci 2>&1 | tail -5 || npm install 2>&1 | tail -5) | ||
| # altimate-code is cloned alongside at /workspace/altimate-code by the | ||
| # init-clone container. We install its bun deps and symlink the three | ||
| # @altimateai/* workspace pkgs into this extension's node_modules so any | ||
| # build-time consumer (rspack/webpack alias, direct import) resolves to | ||
| # the local source. The `altimate` shim on PATH covers the runtime case. | ||
| - name: install-altimate-code-deps | ||
| cmd: | | ||
| if [ -d /workspace/altimate-code ]; then | ||
| cd /workspace/altimate-code && \ | ||
| (~/.bun/bin/bun install 2>&1 | tail -5 || bun install 2>&1 | tail -5) | ||
| fi | ||
| - name: link-altimate-code-pkgs | ||
| cmd: | | ||
| if [ -d /workspace/altimate-code ]; then | ||
| mkdir -p /workspace/vscode-dbt-power-user/node_modules/@altimateai | ||
| for pkg in altimate-code dbt-tools drivers; do | ||
| src="" | ||
| case "$pkg" in | ||
| altimate-code) src=/workspace/altimate-code/packages/opencode ;; | ||
| dbt-tools) src=/workspace/altimate-code/packages/dbt-tools ;; | ||
| drivers) src=/workspace/altimate-code/packages/drivers ;; | ||
| esac | ||
| [ -d "$src" ] && ln -sfn "$src" /workspace/vscode-dbt-power-user/node_modules/@altimateai/$pkg | ||
| done | ||
| fi | ||
| - name: expose-altimate-binary | ||
| cmd: | | ||
| if [ -d /workspace/altimate-code ]; then | ||
| mkdir -p $HOME/.local/bin | ||
| printf '%s\n' \ | ||
| '#!/bin/bash' \ | ||
| '# Sandbox shim — runs altimate-code from local clone, not npm.' \ | ||
| 'exec bun run --cwd /workspace/altimate-code/packages/opencode --conditions=browser src/index.ts "$@"' \ | ||
| > $HOME/.local/bin/altimate | ||
| chmod +x $HOME/.local/bin/altimate | ||
| grep -q '\.local/bin' "$HOME/.bashrc" 2>/dev/null || echo 'export PATH="$HOME/.local/bin:$PATH"' >> "$HOME/.bashrc" | ||
| fi | ||
| # `yarn webpack` runs panel:webviews + webpack --mode development. This is | ||
| # the actual extension build (yarn compile only does tsc, not bundling). | ||
| - name: initial-extension-build | ||
| cmd: yarn webpack 2>&1 | tail -10 |
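Review bot: In link-altimate-code-pkgs, `[ -d "$src" ] && ln -sfn "$src" ...` is the last command in the loop body, so a missing package directory is handled inconsistently: a missing opencode or dbt-tools directory is skipped with no message, while a missing drivers directory makes the final iteration, and with it the whole cmd block, return non-zero. Replace it with an explicit if/else that reports the missing path on stderr and treats all three packages the same way, and quote the link target that ends in `@altimateai/$pkg`.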
🧩 Analysis chain
🏁 Script executed:
#!/bin/bash
# Verify all pipeline-to-tail commands and whether pipefail is present nearby.
rg -n -C2 '\|\s*tail\s*-[0-9]+' .claude/skills/dev-workflow/SKILL.md
rg -n 'set -o pipefail' .claude/skills/dev-workflow/SKILL.md
Repository: AltimateAI/vscode-dbt-power-user
Install/build failures can be silently ignored due to | tail pipelines.
Several setup commands pipe to tail without enabling pipefail, so a failing yarn/npm/bun step will still return success via the tail exit code. This can leave the sandbox marked "code-ready" with broken dependencies.
Suggested fix
- name: install-extension-deps
- cmd: yarn install --frozen-lockfile 2>&1 | tail -5 || yarn install 2>&1 | tail -5
+ cmd: bash -c 'set -o pipefail; yarn install --frozen-lockfile 2>&1 | tail -5 || yarn install 2>&1 | tail -5'
- name: install-webview-deps
- cmd: cd webview_panels && (npm ci 2>&1 | tail -5 || npm install 2>&1 | tail -5)
+ cmd: bash -c 'set -o pipefail; cd webview_panels && (npm ci 2>&1 | tail -5 || npm install 2>&1 | tail -5)'
- name: install-altimate-code-deps
- cmd: |
- if [ -d /workspace/altimate-code ]; then
- cd /workspace/altimate-code && \
- (~/.bun/bin/bun install 2>&1 | tail -5 || bun install 2>&1 | tail -5)
- fi
+ cmd: |
+ bash -c 'set -o pipefail
+ if [ -d /workspace/altimate-code ]; then
+ cd /workspace/altimate-code && \
+ (~/.bun/bin/bun install 2>&1 | tail -5 || bun install 2>&1 | tail -5)
+ fi'
- name: initial-extension-build
- cmd: yarn webpack 2>&1 | tail -10
+ cmd: bash -c 'set -o pipefail; yarn webpack 2>&1 | tail -10'
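Review bot: With pipefail added, the `||` fallbacks in install-extension-deps and install-webview-deps become live. Today `tail` returns 0, so the right-hand side never runs; after this change a failed `yarn install --frozen-lockfile` or `npm ci` falls through to plain `yarn install` / `npm install`, which installs without enforcing the lockfile. If the lockfile is meant to pin what lands in the sandbox, drop the fallback and let the step fail; if the fallback is intentional, log that the unpinned path was taken.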
| - name: expose-altimate-binary | ||
| cmd: | | ||
| if [ -d /workspace/altimate-code ]; then | ||
| mkdir -p $HOME/.local/bin | ||
| printf '%s\n' \ | ||
| '#!/bin/bash' \ | ||
| '# Sandbox shim — runs altimate-code from local clone, not npm.' \ | ||
| 'exec bun run --cwd /workspace/altimate-code/packages/opencode --conditions=browser src/index.ts "$@"' \ | ||
| > $HOME/.local/bin/altimate | ||
| chmod +x $HOME/.local/bin/altimate | ||
| grep -q '\.local/bin' "$HOME/.bashrc" 2>/dev/null || echo 'export PATH="$HOME/.local/bin:$PATH"' >> "$HOME/.bashrc" | ||
| fi |
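Review bot: The `if [ -d /workspace/altimate-code ]` guard in expose-altimate-binary has no else branch, so when the clone is missing the step succeeds without writing the shim, and a later `altimate` lookup resolves to whatever else is on PATH or to nothing. Add an else that prints the missing path to stderr and exits non-zero. `$HOME/.local/bin` is also unquoted in the mkdir, redirect and chmod lines while the grep line quotes it; quote it throughout.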
🧩 Analysis chain
🏁 Script executed:
#!/bin/bash
# Verify PATH handling is only in .bashrc and not guaranteed in start_command.
rg -n -C2 '\.local/bin|PATH=' .claude/skills/dev-workflow/SKILL.md
rg -n -C6 '^start_command:' .claude/skills/dev-workflow/SKILL.md
Repository: AltimateAI/vscode-dbt-power-user
~/.local/bin not guaranteed in code-server process environment.
The export PATH=... appended to ~/.bashrc (line 379) won't be inherited by code-server's daemon process or its children. Interactive shell initialization is not invoked for daemon processes, so spawn("altimate", ...) will fail to resolve the shim even though it exists on disk.
Add the PATH override directly to start_command:
Suggested fix
-start_command: >
+start_command: >
+ env PATH=$HOME/.local/bin:$PATH
code-server
--bind-addr 0.0.0.0:3001
--auth none
--disable-telemetry
--disable-workspace-trust
--log debug
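Review bot: The added `env PATH=$HOME/.local/bin:$PATH` line only works if the harness passes start_command through a shell; if the folded string is split and exec'd directly, env receives the literal text `$HOME/.local/bin:$PATH` and code-server itself is no longer found. Confirm how start_command is executed, or wrap the command in `sh -c '...'`. Separately, the context lines `--bind-addr 0.0.0.0:3001` and `--auth none` leave the editor unauthenticated on every interface of the pod, so reachability of port 3001 should be limited to the harness forward path.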
Bundle Size Report
darwin-arm64: 74.2 MB
linux-x64: 75.9 MB
win32-x64: 76.8 MB
- The power-user repo uses rsbuild, not webpack: switch initial-extension-build setup_command from `yarn webpack` (which does not exist) to `yarn build-dev`. Same fix applied to the watcher restart hint and the troubleshooting note.
- NODE_OPTIONS=--max-old-space-size=8192 added to build + watch — the default 4GB Node heap OOMs during rsbuild + vite execution.
- Inline unzip + bun install in install-altimate-code-deps for base images that don't ship them. Removes the silent skip path that previously left altimate-code workspace deps uninstalled.
Verified by spawning sandbox-bdf616 against this skill ref and confirming end-to-end: bun deps install, symlinks reflect source-of-truth edits, `altimate` CLI shim resolves to the local clone.

Two follow-ups after live Playwright verification:
- Add `install-webpack-peer` setup_command. ts-loader (used in rsbuild config) declares webpack as a peerDependency, but package.json doesn't list it, so the install never lands and build fails with "Cannot find module 'webpack'".
- Versioned extension symlink: derive `publisher.name-version` from package.json. code-server's obsolete-extension scanner re-marks bare symlinks as removed on every boot, so the directory name must encode the version (this gotcha is already in the docker workflow notes).
Verified via Playwright in sandbox-bdf616 — extension activates and the DBT POWER USER sidebar renders.
✅ Tests — All Passed
Not needed anymore
Summary
Updates the existing Harness Sandbox Contract section in .claude/skills/dev-workflow/SKILL.md to teach the harness CLI how to spawn this repo as a sandbox pod with altimate-code symlinked alongside — same pattern that wires altimate-mcp-engine into vscode-altimate-mcp-server today.
What changes inside the sandbox
- /workspace/altimate-code by the init-clone container.
- node_modules:
  - altimate-code/packages/opencode → node_modules/@altimateai/altimate-code
  - altimate-code/packages/dbt-tools → node_modules/@altimateai/dbt-tools
  - altimate-code/packages/drivers → node_modules/@altimateai/drivers
- altimate shim on PATH at ~/.local/bin/altimate runs the local opencode source via bun. Any future spawn("altimate", …) resolves to the local clone, not npm-installed.
- yarn watch — no per-package publish/install loop.
Other contract fixes
The previous contract had a few rough edges that would have prevented a clean spawn:
- base_image: vscode-dbt-power-user-base:latest → vscode-altimate-mcp-server-base:latest
- install-webview-deps: yarn install → npm install. webview_panels is npm-managed per install:panels script in package.json. Using yarn was drifting the lockfile.
- compile-extension: yarn compile → yarn webpack. yarn compile only runs tsc. The actual extension bundle comes from yarn webpack.
- {"altimate.onboardedMcpServer": true} → {"dbt.altimateAiKey": ""}
Companion PR in AltimateAI/harness
This skill is the human-readable + machine-readable spec; the matching pod template lives in AltimateAI/harness and runs all of these setup_commands in sequence. Both PRs are needed for harness spawn vscode-dbt-power-user to work end-to-end.
Test plan
- harness spawn vscode-dbt-power-user --ref master reaches code-ready in <30s
- harness exec vscode-dbt-power-user "ls -la node_modules/@altimateai/" shows three symlinks pointing at /workspace/altimate-code/packages/{opencode,dbt-tools,drivers}
- harness exec vscode-dbt-power-user "altimate --help" runs from the local clone
- harness forward vscode-dbt-power-user on port 3001 with the extension loaded
- .ts file in /workspace/altimate-code/packages/opencode/src/ → reload code-server → change is picked up