ci(experiment): tighten readiness gate; fix gha cache; sync skill

Author: kantord

.claude/skills/devcontainer-dev/SKILL.md

@@ -72,6 +72,22 @@ The readiness banner is what you care about. It gates on **three** signals simul
 
 Only once all three are true does the banner fire and the host's browser auto-open.
 
+> **Process running ≠ UI rendered.** The three gates above tell you the
+> backing processes are alive, not that Electron has actually painted.
+> A devcontainer-in-CI proof captured a blank screen because all three
+> gates passed while the window was still mid-first-paint. For
+> agent-grade readiness (e.g. before driving the app via `xdotool` or
+> taking a screenshot to feed to a vision model), add this gate:
+>
+> ```bash
+> docker exec -u node "$CONTAINER" bash -c \
+>   'DISPLAY=:99 xdotool search --class ToolHive >/dev/null 2>&1'
+> ```
+>
+> `xdotool search --class` only succeeds once the main window is mapped
+> on Xvfb. A short settling sleep (~2s) after that first match is cheap
+> insurance against catching a partially rendered frame.
+
 ---
 
 ## Per-worktree isolation
@@ -146,13 +162,33 @@ All commands run via `docker exec` against the container with `DISPLAY=:99` set
 
 ### See the screen (screenshots)
 
+Use the project's helper script — it auto-finds the container, captures the
+root window, and streams the PNG out to the host. Prints the absolute host
+path on stdout so it composes:
+
 ```bash
-# Take a PNG of the whole virtual framebuffer
+SHOT=$(scripts/devcontainer-screenshot.sh)
+# or with an explicit path:
+scripts/devcontainer-screenshot.sh /tmp/shot.png
+```
+
+**Why a helper script and not just `docker cp`?** `/tmp` (and possibly
+other paths) inside the devcontainer is mounted as `tmpfs`. Docker's
+`docker cp` cannot read from tmpfs mounts — it only traverses the
+container's overlay layers — so the obvious one-liner
+
+```bash
+# DON'T — silently broken: import succeeds, ls confirms the file,
+# but docker cp says "Could not find the file in container".
 docker exec "$CONTAINER" bash -c 'DISPLAY=:99 import -window root /tmp/shot.png'
-# Copy it to the host for viewing / feeding to a vision model
 docker cp "$CONTAINER:/tmp/shot.png" /tmp/shot.png
 ```
 
+**fails everywhere** (CI and local). The helper bypasses `docker cp` by
+streaming the file via `docker exec cat` (see `scripts/devcontainer-steal.sh`
+for the generic version — use that one to extract any tmpfs file, e.g. logs
+or generated artifacts, not just screenshots).
+
 `import` is from ImageMagick. For a specific window only, use `xwininfo` to get the WID then `import -window <WID>`.
 
 ### See the window tree (what's there, where, which is focused)

.codex/skills/devcontainer-dev/SKILL.md

@@ -72,6 +72,22 @@ The readiness banner is what you care about. It gates on **three** signals simul
 
 Only once all three are true does the banner fire and the host's browser auto-open.
 
+> **Process running ≠ UI rendered.** The three gates above tell you the
+> backing processes are alive, not that Electron has actually painted.
+> A devcontainer-in-CI proof captured a blank screen because all three
+> gates passed while the window was still mid-first-paint. For
+> agent-grade readiness (e.g. before driving the app via `xdotool` or
+> taking a screenshot to feed to a vision model), add this gate:
+>
+> ```bash
+> docker exec -u node "$CONTAINER" bash -c \
+>   'DISPLAY=:99 xdotool search --class ToolHive >/dev/null 2>&1'
+> ```
+>
+> `xdotool search --class` only succeeds once the main window is mapped
+> on Xvfb. A short settling sleep (~2s) after that first match is cheap
+> insurance against catching a partially rendered frame.
+
 ---
 
 ## Per-worktree isolation
@@ -146,13 +162,33 @@ All commands run via `docker exec` against the container with `DISPLAY=:99` set
 
 ### See the screen (screenshots)
 
+Use the project's helper script — it auto-finds the container, captures the
+root window, and streams the PNG out to the host. Prints the absolute host
+path on stdout so it composes:
+
 ```bash
-# Take a PNG of the whole virtual framebuffer
+SHOT=$(scripts/devcontainer-screenshot.sh)
+# or with an explicit path:
+scripts/devcontainer-screenshot.sh /tmp/shot.png
+```
+
+**Why a helper script and not just `docker cp`?** `/tmp` (and possibly
+other paths) inside the devcontainer is mounted as `tmpfs`. Docker's
+`docker cp` cannot read from tmpfs mounts — it only traverses the
+container's overlay layers — so the obvious one-liner
+
+```bash
+# DON'T — silently broken: import succeeds, ls confirms the file,
+# but docker cp says "Could not find the file in container".
 docker exec "$CONTAINER" bash -c 'DISPLAY=:99 import -window root /tmp/shot.png'
-# Copy it to the host for viewing / feeding to a vision model
 docker cp "$CONTAINER:/tmp/shot.png" /tmp/shot.png
 ```
 
+**fails everywhere** (CI and local). The helper bypasses `docker cp` by
+streaming the file via `docker exec cat` (see `scripts/devcontainer-steal.sh`
+for the generic version — use that one to extract any tmpfs file, e.g. logs
+or generated artifacts, not just screenshots).
+
 `import` is from ImageMagick. For a specific window only, use `xwininfo` to get the WID then `import -window <WID>`.
 
 ### See the window tree (what's there, where, which is focused)

.cursor/skills/devcontainer-dev/SKILL.md

@@ -72,6 +72,22 @@ The readiness banner is what you care about. It gates on **three** signals simul
 
 Only once all three are true does the banner fire and the host's browser auto-open.
 
+> **Process running ≠ UI rendered.** The three gates above tell you the
+> backing processes are alive, not that Electron has actually painted.
+> A devcontainer-in-CI proof captured a blank screen because all three
+> gates passed while the window was still mid-first-paint. For
+> agent-grade readiness (e.g. before driving the app via `xdotool` or
+> taking a screenshot to feed to a vision model), add this gate:
+>
+> ```bash
+> docker exec -u node "$CONTAINER" bash -c \
+>   'DISPLAY=:99 xdotool search --class ToolHive >/dev/null 2>&1'
+> ```
+>
+> `xdotool search --class` only succeeds once the main window is mapped
+> on Xvfb. A short settling sleep (~2s) after that first match is cheap
+> insurance against catching a partially rendered frame.
+
 ---
 
 ## Per-worktree isolation
@@ -146,13 +162,33 @@ All commands run via `docker exec` against the container with `DISPLAY=:99` set
 
 ### See the screen (screenshots)
 
+Use the project's helper script — it auto-finds the container, captures the
+root window, and streams the PNG out to the host. Prints the absolute host
+path on stdout so it composes:
+
 ```bash
-# Take a PNG of the whole virtual framebuffer
+SHOT=$(scripts/devcontainer-screenshot.sh)
+# or with an explicit path:
+scripts/devcontainer-screenshot.sh /tmp/shot.png
+```
+
+**Why a helper script and not just `docker cp`?** `/tmp` (and possibly
+other paths) inside the devcontainer is mounted as `tmpfs`. Docker's
+`docker cp` cannot read from tmpfs mounts — it only traverses the
+container's overlay layers — so the obvious one-liner
+
+```bash
+# DON'T — silently broken: import succeeds, ls confirms the file,
+# but docker cp says "Could not find the file in container".
 docker exec "$CONTAINER" bash -c 'DISPLAY=:99 import -window root /tmp/shot.png'
-# Copy it to the host for viewing / feeding to a vision model
 docker cp "$CONTAINER:/tmp/shot.png" /tmp/shot.png
 ```
 
+**fails everywhere** (CI and local). The helper bypasses `docker cp` by
+streaming the file via `docker exec cat` (see `scripts/devcontainer-steal.sh`
+for the generic version — use that one to extract any tmpfs file, e.g. logs
+or generated artifacts, not just screenshots).
+
 `import` is from ImageMagick. For a specific window only, use `xwininfo` to get the WID then `import -window <WID>`.
 
 ### See the window tree (what's there, where, which is focused)

.github/workflows/experiment-devcontainer-proof.yml

@@ -46,6 +46,12 @@ jobs:
       - name: Checkout
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
 
+      - name: Set up Docker Buildx
+        # Required so BuildKit's `gha` cache backend is available below.
+        # Without this, `cacheFrom: type=gha` fails with
+        # "unknown cache importer: gha" and the build goes fully cold.
+        uses: docker/setup-buildx-action@v3
+
       - name: Build & start devcontainer (cached via gha)
         uses: devcontainers/ci@v0.3
         with:
@@ -95,12 +101,23 @@ jobs:
           C=${{ steps.container.outputs.id }}
           T_START=$(date +%s)
           for i in $(seq 1 120); do
-            # See devcontainer-dev skill — bracket trick avoids pgrep self-match.
-            if docker exec "$C" bash -c '
+            # Process gates AND a window-mapped check via xdotool. The previous
+            # version only checked process presence, which is not the same as
+            # "UI has rendered" — the first proof run captured a blank screen
+            # because Electron was alive but had not painted yet. The
+            # `xdotool search --class ToolHive` call only succeeds once the
+            # app's main window is mapped on Xvfb. Bracket trick on pgrep
+            # avoids self-match (see devcontainer-dev skill).
+            if docker exec -u node "$C" bash -c '
                 curl -fsS http://localhost:6080/ >/dev/null 2>&1 \
                 && pgrep -f "[e]lectron/dist/electron" >/dev/null \
-                && pgrep -f "[t]hv serve" >/dev/null
+                && pgrep -f "[t]hv serve" >/dev/null \
+                && DISPLAY=:99 xdotool search --class ToolHive >/dev/null 2>&1
               '; then
+              # Settling pause — the window may be mid-first-paint when
+              # xdotool first finds it. Cheap insurance against a partially
+              # rendered screenshot.
+              sleep 2
               NOW=$(date +%s)
               ELAPSED=$(( NOW - T_START ))
               SINCE_T1=$(( NOW - ${{ steps.t1.outputs.epoch }} ))