docs: update AGENTS.md with & && fix, backgrounded dockerd, label binding

manascb1344 · manascb1344 · commit e97f39c80b48 · 2026-05-03T16:58:20.000+05:30
diff --git a/AGENTS.md b/AGENTS.md
@@ -1,7 +1,7 @@
 # PROJECT KNOWLEDGE BASE
 
-**Generated:** 2026-05-01T14:46:59Z
-**Commit:** 66ad287
+**Generated:** 2026-05-03T10:30:00Z
+**Commit:** 43825b0
 **Branch:** main
 
 ## OVERVIEW
@@ -79,9 +79,13 @@ Ephemeral self-hosted GitHub Actions runner on Modal. Each job gets a fresh Moda
 - **NEVER** skip HMAC signature verification — every webhook must be validated
 - **NEVER** read env vars outside `runner/config.py` — centralize all config there
 - `debug_endpoint` is protected by `requires_proxy_auth=True` — keep it that way
+- **NEVER** chain `& &&` in SANDBOX_CMD — `&` terminates the command, `&&` is then a syntax error (was a bug — fixed in 8b9857f)
+- **NEVER** use `sleep infinity` for sandbox keepalive — Modal treats it as an active command, preventing `idle_timeout` from triggering (resource leak)
+- **ALWAYS** add unique `job-${{ github.run_id }}` label to workflow `runs-on` for 1:1 runner binding (was a bug — fixed in 8b9857f)
 
 ## UNIQUE STYLES
 - **Docker-in-Sandbox**: `START_DOCKERD_SH` inline script sets up NAT/iptables-legacy for gVisor compat. Uses `experimental_options={"enable_docker": True}`.
+- **Backgrounded dockerd**: Dockerd wait + image load run in background (`&` in subshell). Runner starts immediately without waiting for Docker. Non-Docker jobs skip 60s startup. Docker jobs get dockerd when ready.
 - **Image layering**: 3-layer image build (system+Docker → Python deps → runner binary) for cache efficiency
 - **JIT config flow**: Webhook → HMAC verify → generate-jitconfig API → spawn sandbox with `GHA_JIT_CONFIG` env
 - **Webhook secret rotation**: Supports `WEBHOOK_SECRET_OLD` for zero-downtime rotation
@@ -102,7 +106,7 @@ make logs            # modal app logs modal-github-runner
 - `app.py` is a thin import shim for backwards compat — real app lives in `runner/main.py`
 - Modal secret name is "github-full-secret" (not "github-secret")
 - Sandbox timeout is 3 hours (10800s) for long-running jobs
-- `SANDBOX_CMD` starts dockerd, waits up to 60s for Docker ready, loads pre-pulled node:22-alpine image, then runs `./run.sh --jitconfig`
+- `SANDBOX_CMD` starts dockerd in background, immediately runs `./run.sh --jitconfig`. Dockerd wait + image load are backgrounded — non-Docker jobs skip the 60s wait entirely. Sandbox terminates cleanly after runner exits.
 - Pre-pulled `node:22-alpine` image via crane in image build for faster Docker loads
 - `MODAL_IMAGE_BUILDER_VERSION=2025.06` set as env default for Docker-in-Sandbox support
 - Tests use `_delivery_counter` global for unique delivery IDs across test runs
