thevibeworks
diff --git a/‎.deva.example‎
Lines changed: 28 additions & 0 deletions b/‎.deva.example‎
Lines changed: 28 additions & 0 deletions
diff --git a/‎.github/workflows/ci.yml‎
Lines changed: 59 additions & 20 deletions b/‎.github/workflows/ci.yml‎
Lines changed: 59 additions & 20 deletions
diff --git a/‎.github/workflows/nightly-images.yml‎
Lines changed: 46 additions & 2 deletions b/‎.github/workflows/nightly-images.yml‎
Lines changed: 46 additions & 2 deletions
diff --git a/‎.github/workflows/release.yml‎
Lines changed: 64 additions & 29 deletions b/‎.github/workflows/release.yml‎
Lines changed: 64 additions & 29 deletions
diff --git a/‎CHANGELOG.md‎
Lines changed: 12 additions & 0 deletions b/‎CHANGELOG.md‎
Lines changed: 12 additions & 0 deletions
@@ -49,6 +49,34 @@ EPHEMERAL=false
 #
 # 6. Disable ephemeral containers (persistent):
 #    EPHEMERAL=false
+#
+# 7. Enable Codex browser MCP for this project:
+#    DEFAULT_AGENT=codex
+#    CODEX_BROWSER_MCP=true
+#
+#    Optional session-only Codex config overrides:
+#    CODEX_CONFIG=features.apps=false
+#    CODEX_CONFIG=features.plugins=false
+
+# Hybrid Agent Setup:
+#
+# Hybrid is the DEFAULT. deva walks every populated subdir under
+# ~/.config/deva/ (claude, codex, gemini) and mounts each agent's
+# canonical entries into the container. Populated = you either
+# hand-created the subdir or autolink symlinked it from legacy
+# ~/.claude, ~/.codex, ~/.gemini on first run.
+#
+# No .deva entries required for the common case. To opt OUT of
+# hybrid for a single invocation, pass --config-home DIR to
+# isolate that run to a single home.
+#
+# Use VOLUME= only when you want to mount host paths OUTSIDE
+# ~/.config/deva/ (e.g. a shared secrets vault) at an agent target.
+# VOLUME= entries win over the default per-agent mount at the same
+# container target (first-writer-wins; CLI -v beats .deva).
+#
+# Auth credentials inside mounted agent dirs ride along — hybrid
+# only makes sense if you trust every agent equally.
 
 # Project-Specific Config (.deva in project root):
 #
 
@@ -44,32 +44,40 @@ jobs:
           chmod +x scripts/version-check.sh
           ./scripts/version-check.sh
 
+      - name: Unit tests (release-utils.sh)
+        run: bash tests/test_release_utils.sh
+
   smoke:
     name: Installer Smoke Test
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
         uses: actions/checkout@v4
 
-      - name: Setup Node
-        uses: actions/setup-node@v4
-        with:
-          node-version: "22"
-
-      - name: Resolve tool versions
-        id: versions
-        env:
-          GH_TOKEN: ${{ github.token }}
-        run: bash ./scripts/resolve-tool-versions.sh
+      - name: Load pinned versions
+        id: pins
+        shell: bash
+        run: |
+          set -euo pipefail
+          source ./scripts/version-pins.sh
+          load_version_pins
+          emit_github_outputs "$GITHUB_OUTPUT"
 
       - name: Build local smoke image
         run: |
           docker build -t deva-smoke:ci \
-            --build-arg CLAUDE_CODE_VERSION="${{ steps.versions.outputs.claude_code_version }}" \
-            --build-arg CODEX_VERSION="${{ steps.versions.outputs.codex_version }}" \
-            --build-arg GEMINI_CLI_VERSION="${{ steps.versions.outputs.gemini_cli_version }}" \
-            --build-arg ATLAS_CLI_VERSION="${{ steps.versions.outputs.atlas_cli_version }}" \
-            --build-arg COPILOT_API_VERSION="${{ steps.versions.outputs.copilot_api_version }}" \
+            --build-arg NODE_MAJOR="${{ steps.pins.outputs.node_major }}" \
+            --build-arg GO_VERSION="${{ steps.pins.outputs.go_version }}" \
+            --build-arg PYTHON_VERSION="${{ steps.pins.outputs.python_version }}" \
+            --build-arg DELTA_VERSION="${{ steps.pins.outputs.delta_version }}" \
+            --build-arg TMUX_VERSION="${{ steps.pins.outputs.tmux_version }}" \
+            --build-arg TMUX_SHA256="${{ steps.pins.outputs.tmux_sha256 }}" \
+            --build-arg CLAUDE_CODE_VERSION="${{ steps.pins.outputs.claude_code_version }}" \
+            --build-arg CLAUDE_TRACE_VERSION="${{ steps.pins.outputs.claude_trace_version }}" \
+            --build-arg CODEX_VERSION="${{ steps.pins.outputs.codex_version }}" \
+            --build-arg GEMINI_CLI_VERSION="${{ steps.pins.outputs.gemini_cli_version }}" \
+            --build-arg ATLAS_CLI_VERSION="${{ steps.pins.outputs.atlas_cli_version }}" \
+            --build-arg COPILOT_API_VERSION="${{ steps.pins.outputs.copilot_api_version }}" \
             .
 
       - name: Build core and rust images via Makefile
@@ -79,11 +87,22 @@ jobs:
             TAG=ci \
             CORE_TAG=ci-core \
             RUST_TAG=ci-rust \
-            CLAUDE_CODE_VERSION="${{ steps.versions.outputs.claude_code_version }}" \
-            CODEX_VERSION="${{ steps.versions.outputs.codex_version }}" \
-            GEMINI_CLI_VERSION="${{ steps.versions.outputs.gemini_cli_version }}" \
-            ATLAS_CLI_VERSION="${{ steps.versions.outputs.atlas_cli_version }}" \
-            COPILOT_API_VERSION="${{ steps.versions.outputs.copilot_api_version }}"
+            NODE_MAJOR="${{ steps.pins.outputs.node_major }}" \
+            GO_VERSION="${{ steps.pins.outputs.go_version }}" \
+            PYTHON_VERSION="${{ steps.pins.outputs.python_version }}" \
+            DELTA_VERSION="${{ steps.pins.outputs.delta_version }}" \
+            TMUX_VERSION="${{ steps.pins.outputs.tmux_version }}" \
+            TMUX_SHA256="${{ steps.pins.outputs.tmux_sha256 }}" \
+            CLAUDE_CODE_VERSION="${{ steps.pins.outputs.claude_code_version }}" \
+            CLAUDE_TRACE_VERSION="${{ steps.pins.outputs.claude_trace_version }}" \
+            CODEX_VERSION="${{ steps.pins.outputs.codex_version }}" \
+            GEMINI_CLI_VERSION="${{ steps.pins.outputs.gemini_cli_version }}" \
+            ATLAS_CLI_VERSION="${{ steps.pins.outputs.atlas_cli_version }}" \
+            COPILOT_API_VERSION="${{ steps.pins.outputs.copilot_api_version }}" \
+            PLAYWRIGHT_VERSION="${{ steps.pins.outputs.playwright_version }}" \
+            RUST_TOOLCHAINS="${{ steps.pins.outputs.rust_toolchains }}" \
+            RUST_DEFAULT_TOOLCHAIN="${{ steps.pins.outputs.rust_default_toolchain }}" \
+            RUST_TARGETS="${{ steps.pins.outputs.rust_targets }}"
 
       - name: Install and launch each agent without a TTY
         shell: bash
@@ -127,6 +146,26 @@ jobs:
           grep -F -- "$bridge_dir:/deva-host-chrome-bridge" <<<"$dry_run"
           grep -F -- "$profile_dir/Extensions:/home/deva/.config/google-chrome/Default/Extensions:ro" <<<"$dry_run"
 
+      - name: Smoke bind mount shape guard
+        shell: bash
+        run: |
+          set -euo pipefail
+          DEVA_DOCKER_IMAGE=deva-smoke \
+          DEVA_DOCKER_TAG=ci \
+          ./scripts/test-mount-shape.sh
+
+      - name: Smoke agent tooling installer
+        shell: bash
+        run: |
+          set -euo pipefail
+          ./scripts/test-install-agent-tooling.sh
+
+      - name: Smoke version targets
+        shell: bash
+        run: |
+          set -euo pipefail
+          ./scripts/test-version-targets.sh
+
       - name: Smoke Chrome bridge entrypoint symlink
         shell: bash
         run: |
 
@@ -18,6 +18,34 @@ concurrency:
   cancel-in-progress: true
 
 jobs:
+  load-version-pins:
+    name: Load Pinned Toolchain Versions
+    runs-on: ubuntu-latest
+    outputs:
+      node_major: ${{ steps.pins.outputs.node_major }}
+      go_version: ${{ steps.pins.outputs.go_version }}
+      python_version: ${{ steps.pins.outputs.python_version }}
+      delta_version: ${{ steps.pins.outputs.delta_version }}
+      tmux_version: ${{ steps.pins.outputs.tmux_version }}
+      tmux_sha256: ${{ steps.pins.outputs.tmux_sha256 }}
+      claude_trace_version: ${{ steps.pins.outputs.claude_trace_version }}
+      playwright_version: ${{ steps.pins.outputs.playwright_version }}
+      rust_toolchains: ${{ steps.pins.outputs.rust_toolchains }}
+      rust_default_toolchain: ${{ steps.pins.outputs.rust_default_toolchain }}
+      rust_targets: ${{ steps.pins.outputs.rust_targets }}
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Load pins
+        id: pins
+        shell: bash
+        run: |
+          set -euo pipefail
+          source ./scripts/version-pins.sh
+          load_version_pins
+          emit_github_outputs "$GITHUB_OUTPUT"
+
   resolve-versions:
     name: Resolve Latest Tool Versions
     runs-on: ubuntu-latest
@@ -59,7 +87,7 @@ jobs:
 
   build-base:
     name: Build Nightly Base Image
-    needs: resolve-versions
+    needs: [load-version-pins, resolve-versions]
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
@@ -102,15 +130,22 @@ jobs:
           cache-from: type=gha,scope=nightly-base
           cache-to: type=gha,mode=max,scope=nightly-base
           build-args: |
+            NODE_MAJOR=${{ needs.load-version-pins.outputs.node_major }}
+            GO_VERSION=${{ needs.load-version-pins.outputs.go_version }}
+            PYTHON_VERSION=${{ needs.load-version-pins.outputs.python_version }}
+            DELTA_VERSION=${{ needs.load-version-pins.outputs.delta_version }}
+            TMUX_VERSION=${{ needs.load-version-pins.outputs.tmux_version }}
+            TMUX_SHA256=${{ needs.load-version-pins.outputs.tmux_sha256 }}
             CLAUDE_CODE_VERSION=${{ needs.resolve-versions.outputs.claude_code_version }}
+            CLAUDE_TRACE_VERSION=${{ needs.load-version-pins.outputs.claude_trace_version }}
             CODEX_VERSION=${{ needs.resolve-versions.outputs.codex_version }}
             GEMINI_CLI_VERSION=${{ needs.resolve-versions.outputs.gemini_cli_version }}
             ATLAS_CLI_VERSION=${{ needs.resolve-versions.outputs.atlas_cli_version }}
             COPILOT_API_VERSION=${{ needs.resolve-versions.outputs.copilot_api_version }}
 
   build-rust:
     name: Build Nightly Rust Image
-    needs: [resolve-versions, build-base]
+    needs: [load-version-pins, resolve-versions, build-base]
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
@@ -154,6 +189,15 @@ jobs:
           cache-to: type=gha,mode=max,scope=nightly-rust
           build-args: |
             BASE_IMAGE=${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:nightly-${{ needs.resolve-versions.outputs.stamp }}
+            CLAUDE_CODE_VERSION=${{ needs.resolve-versions.outputs.claude_code_version }}
+            CLAUDE_TRACE_VERSION=${{ needs.load-version-pins.outputs.claude_trace_version }}
+            CODEX_VERSION=${{ needs.resolve-versions.outputs.codex_version }}
+            GEMINI_CLI_VERSION=${{ needs.resolve-versions.outputs.gemini_cli_version }}
+            ATLAS_CLI_VERSION=${{ needs.resolve-versions.outputs.atlas_cli_version }}
+            PLAYWRIGHT_VERSION=${{ needs.load-version-pins.outputs.playwright_version }}
+            RUST_TOOLCHAINS=${{ needs.load-version-pins.outputs.rust_toolchains }}
+            RUST_DEFAULT_TOOLCHAIN=${{ needs.load-version-pins.outputs.rust_default_toolchain }}
+            RUST_TARGETS=${{ needs.load-version-pins.outputs.rust_targets }}
 
   summary:
     name: Nightly Summary
 
@@ -35,45 +35,64 @@ jobs:
           [ -n "$release_tag" ] || { echo "error: empty release tag" >&2; exit 1; }
           echo "release_tag=$release_tag" >> "$GITHUB_OUTPUT"
 
-  resolve-versions:
-    name: Resolve Tool Versions
+  load-version-pins:
+    name: Load Pinned Tool Versions
     runs-on: ubuntu-latest
+    needs: prepare
     outputs:
-      claude_code_version: ${{ steps.versions.outputs.claude_code_version }}
-      codex_version: ${{ steps.versions.outputs.codex_version }}
-      gemini_cli_version: ${{ steps.versions.outputs.gemini_cli_version }}
-      atlas_cli_version: ${{ steps.versions.outputs.atlas_cli_version }}
-      copilot_api_version: ${{ steps.versions.outputs.copilot_api_version }}
+      node_major: ${{ steps.pins.outputs.node_major }}
+      go_version: ${{ steps.pins.outputs.go_version }}
+      python_version: ${{ steps.pins.outputs.python_version }}
+      delta_version: ${{ steps.pins.outputs.delta_version }}
+      tmux_version: ${{ steps.pins.outputs.tmux_version }}
+      tmux_sha256: ${{ steps.pins.outputs.tmux_sha256 }}
+      claude_code_version: ${{ steps.pins.outputs.claude_code_version }}
+      claude_trace_version: ${{ steps.pins.outputs.claude_trace_version }}
+      codex_version: ${{ steps.pins.outputs.codex_version }}
+      gemini_cli_version: ${{ steps.pins.outputs.gemini_cli_version }}
+      atlas_cli_version: ${{ steps.pins.outputs.atlas_cli_version }}
+      copilot_api_version: ${{ steps.pins.outputs.copilot_api_version }}
+      playwright_version: ${{ steps.pins.outputs.playwright_version }}
+      rust_toolchains: ${{ steps.pins.outputs.rust_toolchains }}
+      rust_default_toolchain: ${{ steps.pins.outputs.rust_default_toolchain }}
+      rust_targets: ${{ steps.pins.outputs.rust_targets }}
     steps:
       - name: Checkout
         uses: actions/checkout@v4
-
-      - name: Setup Node
-        uses: actions/setup-node@v4
         with:
-          node-version: "22"
+          ref: ${{ needs.prepare.outputs.release_tag }}
 
-      - name: Resolve versions
-        id: versions
-        env:
-          GH_TOKEN: ${{ github.token }}
-        run: bash ./scripts/resolve-tool-versions.sh
+      - name: Load pins
+        id: pins
+        shell: bash
+        run: |
+          set -euo pipefail
+          source ./scripts/version-pins.sh
+          load_version_pins
+          emit_github_outputs "$GITHUB_OUTPUT"
 
       - name: Summary
         run: |
           cat <<EOF >> "$GITHUB_STEP_SUMMARY"
-          ## Release Tool Versions
+          ## Release Tool Versions (Pinned)
 
-          - Claude Code: \`${{ steps.versions.outputs.claude_code_version }}\`
-          - Codex: \`${{ steps.versions.outputs.codex_version }}\`
-          - Gemini CLI: \`${{ steps.versions.outputs.gemini_cli_version }}\`
-          - Atlas CLI: \`${{ steps.versions.outputs.atlas_cli_version }}\`
-          - Copilot API: \`${{ steps.versions.outputs.copilot_api_version }}\`
+          - Node major: \`${{ steps.pins.outputs.node_major }}\`
+          - Go: \`${{ steps.pins.outputs.go_version }}\`
+          - Python: \`${{ steps.pins.outputs.python_version }}\`
+          - Delta: \`${{ steps.pins.outputs.delta_version }}\`
+          - Claude Code: \`${{ steps.pins.outputs.claude_code_version }}\`
+          - Claude Trace: \`${{ steps.pins.outputs.claude_trace_version }}\`
+          - Codex: \`${{ steps.pins.outputs.codex_version }}\`
+          - Gemini CLI: \`${{ steps.pins.outputs.gemini_cli_version }}\`
+          - Atlas CLI: \`${{ steps.pins.outputs.atlas_cli_version }}\`
+          - Copilot API: \`${{ steps.pins.outputs.copilot_api_version }}\`
+          - Playwright: \`${{ steps.pins.outputs.playwright_version }}\`
+          - Rust toolchains: \`${{ steps.pins.outputs.rust_toolchains }}\`
           EOF
 
   build-and-push:
     name: Build and Push Docker Image
-    needs: [prepare, resolve-versions]
+    needs: [prepare, load-version-pins]
     runs-on: ubuntu-latest
     permissions:
       contents: read
@@ -118,16 +137,23 @@ jobs:
           cache-from: type=gha
           cache-to: type=gha,mode=max
           build-args: |
-            CLAUDE_CODE_VERSION=${{ needs.resolve-versions.outputs.claude_code_version }}
-            CODEX_VERSION=${{ needs.resolve-versions.outputs.codex_version }}
-            GEMINI_CLI_VERSION=${{ needs.resolve-versions.outputs.gemini_cli_version }}
-            ATLAS_CLI_VERSION=${{ needs.resolve-versions.outputs.atlas_cli_version }}
-            COPILOT_API_VERSION=${{ needs.resolve-versions.outputs.copilot_api_version }}
+            NODE_MAJOR=${{ needs.load-version-pins.outputs.node_major }}
+            GO_VERSION=${{ needs.load-version-pins.outputs.go_version }}
+            PYTHON_VERSION=${{ needs.load-version-pins.outputs.python_version }}
+            DELTA_VERSION=${{ needs.load-version-pins.outputs.delta_version }}
+            TMUX_VERSION=${{ needs.load-version-pins.outputs.tmux_version }}
+            TMUX_SHA256=${{ needs.load-version-pins.outputs.tmux_sha256 }}
+            CLAUDE_CODE_VERSION=${{ needs.load-version-pins.outputs.claude_code_version }}
+            CLAUDE_TRACE_VERSION=${{ needs.load-version-pins.outputs.claude_trace_version }}
+            CODEX_VERSION=${{ needs.load-version-pins.outputs.codex_version }}
+            GEMINI_CLI_VERSION=${{ needs.load-version-pins.outputs.gemini_cli_version }}
+            ATLAS_CLI_VERSION=${{ needs.load-version-pins.outputs.atlas_cli_version }}
+            COPILOT_API_VERSION=${{ needs.load-version-pins.outputs.copilot_api_version }}
 
   build-and-push-rust:
     name: Build and Push Rust Profile Image
     runs-on: ubuntu-latest
-    needs: [prepare, build-and-push]
+    needs: [prepare, load-version-pins, build-and-push]
     permissions:
       contents: read
       packages: write
@@ -172,6 +198,15 @@ jobs:
           cache-to: type=gha,mode=max
           build-args: |
             BASE_IMAGE=${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ needs.prepare.outputs.release_tag }}
+            CLAUDE_CODE_VERSION=${{ needs.load-version-pins.outputs.claude_code_version }}
+            CLAUDE_TRACE_VERSION=${{ needs.load-version-pins.outputs.claude_trace_version }}
+            CODEX_VERSION=${{ needs.load-version-pins.outputs.codex_version }}
+            GEMINI_CLI_VERSION=${{ needs.load-version-pins.outputs.gemini_cli_version }}
+            ATLAS_CLI_VERSION=${{ needs.load-version-pins.outputs.atlas_cli_version }}
+            PLAYWRIGHT_VERSION=${{ needs.load-version-pins.outputs.playwright_version }}
+            RUST_TOOLCHAINS=${{ needs.load-version-pins.outputs.rust_toolchains }}
+            RUST_DEFAULT_TOOLCHAIN=${{ needs.load-version-pins.outputs.rust_default_toolchain }}
+            RUST_TARGETS=${{ needs.load-version-pins.outputs.rust_targets }}
 
   release:
     name: Create GitHub Release
 
@@ -14,6 +14,18 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 - `docs/tmux-bridge-agent-comms.md` explaining the two-layer bridge composition, read-before-act guard, and socket detection order
 - CI smoke test exercising the full `tmux-bridge` CLI surface (list/name/resolve/read/type/read-guard) against an ephemeral tmux server inside the built image
 
+### Fixed
+- deva no longer adds a redundant project-local `.claude` child bind mount on top of the workspace mount
+- startup now rejects recursive child bind mounts that simply rebind a subtree already covered by a parent bind mount
+- shared agent tooling installs now switch out of inaccessible working directories before pinned atlas go-install fallback
+- `claude-trace` installs are now pinned instead of silently following the latest npm publish
+- atlas-cli installs now honor `ATLAS_CLI_VERSION` exactly instead of drifting to upstream `latest`
+
+### Changed
+- default Makefile builds now use pinned tool versions; `versions-up` remains the explicit upgrade path
+- Rust image rebuild paths now forward the selected agent CLI versions instead of silently reinstalling Dockerfile defaults
+- `versions` and `versions-up` now treat Makefile defaults as defaults instead of forcing them as fake "latest" overrides
+
 ## [0.10.0] - 2026-03-24
 
 ### Added