CogniPilot · jgoppert · Mar 12, 2026 · Mar 11, 2026
diff --git a/.devcontainer/devcontainer.json b/.devcontainer/devcontainer.json
@@ -0,0 +1,31 @@
+{
+  "name": "rumoca-dev",
+  "build": {
+    "context": "..",
+    "dockerfile": "../packaging/docker/Dockerfile",
+    "target": "dev"
+  },
+  "workspaceMount": "source=${localWorkspaceFolder},target=/workspace,type=bind",
+  "workspaceFolder": "/workspace",
+  "overrideCommand": false,
+  "forwardPorts": [
+    8888
+  ],
+  "remoteUser": "root",
+  "customizations": {
+    "vscode": {
+      "extensions": [
+        "rust-lang.rust-analyzer",
+        "tamasfe.even-better-toml",
+        "ms-python.python",
+        "ms-toolsai.jupyter",
+        "julialang.language-julia"
+      ],
+      "settings": {
+        "python.defaultInterpreterPath": "/opt/rumoca/python/bin/python",
+        "julia.executablePath": "/opt/julia/bin/julia",
+        "terminal.integrated.defaultProfile.linux": "bash"
+      }
+    }
+  }
+}
diff --git a/.dockerignore b/.dockerignore
@@ -0,0 +1,14 @@
+.git
+.github
+target
+dev
+pkg
+.vscode
+.claude
+build
+dist
+__pycache__
+*.egg-info
+*.html
+*.swp
+*.swo
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -130,6 +130,34 @@ jobs:
       - name: Build all binaries
         run: cargo build --verbose --bin rumoca --bin rumoca-lsp
 
+  docker-ci-smoke:
+    name: Docker CI Image Smoke
+    runs-on: ubuntu-latest
+    timeout-minutes: 30
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Build packaged CI image
+        uses: docker/build-push-action@v6
+        with:
+          context: .
+          file: packaging/docker/Dockerfile
+          target: ci
+          tags: rumoca-ci:test
+          load: true
+          cache-from: type=gha,scope=rumoca-docker-ci
+          cache-to: type=gha,mode=min,scope=rumoca-docker-ci
+
+      - name: Run packaged CI smoke
+        shell: bash
+        run: |
+          RUMOCA_DOCKER_SKIP_BUILD=1 \
+          RUMOCA_CI_IMAGE=rumoca-ci:test \
+          bash packaging/docker/smoke/ci.sh
+
   coverage-gate:
     name: Coverage Gate
     runs-on: ubuntu-24.04

diff --git a/.github/workflows/docker-publish.yml b/.github/workflows/docker-publish.yml
@@ -0,0 +1,171 @@
+name: Docker Publish
+
+on:
+  schedule:
+    - cron: '23 4 * * *'
+  workflow_dispatch:
+  push:
+    tags:
+      - 'v*'
+
+env:
+  CARGO_TERM_COLOR: always
+  RUST_BACKTRACE: 1
+
+permissions:
+  contents: read
+  packages: write
+
+jobs:
+  publish-docker-branch-images:
+    name: Publish Docker Branch Image (${{ matrix.target }})
+    if: github.event_name != 'push'
+    runs-on: ubuntu-24.04
+    strategy:
+      fail-fast: false
+      matrix:
+        target: [core, ci, dev]
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          ref: main
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Resolve GHCR image names
+        id: image
+        shell: bash
+        run: |
+          owner_lc="$(printf '%s' "${GITHUB_REPOSITORY_OWNER}" | tr '[:upper:]' '[:lower:]')"
+          image_name="ghcr.io/${owner_lc}/rumoca-${{ matrix.target }}"
+          echo "image_name=${image_name}" >> "$GITHUB_OUTPUT"
+          echo "sha_tag=sha-${GITHUB_SHA}" >> "$GITHUB_OUTPUT"
+
+      - name: Log in to GHCR
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Build and push packaged Docker image
+        uses: docker/build-push-action@v6
+        with:
+          context: .
+          file: packaging/docker/Dockerfile
+          target: ${{ matrix.target }}
+          push: true
+          provenance: false
+          sbom: false
+          tags: |
+            ${{ steps.image.outputs.image_name }}:main
+            ${{ steps.image.outputs.image_name }}:${{ steps.image.outputs.sha_tag }}
+          cache-from: type=gha,scope=rumoca-docker-${{ matrix.target }}
+          cache-to: type=gha,mode=min,scope=rumoca-docker-${{ matrix.target }}
+
+  publish-docker-release-images:
+    name: Publish Docker Release Image (${{ matrix.target }})
+    if: github.event_name == 'push' && startsWith(github.ref, 'refs/tags/v')
+    runs-on: ubuntu-24.04
+    strategy:
+      fail-fast: false
+      matrix:
+        target: [core, ci, dev]
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Verify tag commit is on main
+        shell: bash
+        run: |
+          git fetch origin main --depth=1
+          if ! git merge-base --is-ancestor "${GITHUB_SHA}" origin/main; then
+            echo "::error::Release tag ${GITHUB_REF_NAME} does not point to a commit on origin/main"
+            exit 1
+          fi
+          echo "Verified ${GITHUB_REF_NAME} on origin/main"
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Resolve GHCR image names
+        id: image
+        shell: bash
+        run: |
+          owner_lc="$(printf '%s' "${GITHUB_REPOSITORY_OWNER}" | tr '[:upper:]' '[:lower:]')"
+          image_name="ghcr.io/${owner_lc}/rumoca-${{ matrix.target }}"
+          echo "image_name=${image_name}" >> "$GITHUB_OUTPUT"
+          echo "release_tag=${GITHUB_REF_NAME}" >> "$GITHUB_OUTPUT"
+          echo "sha_tag=sha-${GITHUB_SHA}" >> "$GITHUB_OUTPUT"
+
+      - name: Log in to GHCR
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Build and push packaged Docker release image
+        uses: docker/build-push-action@v6
+        with:
+          context: .
+          file: packaging/docker/Dockerfile
+          target: ${{ matrix.target }}
+          push: true
+          provenance: false
+          sbom: false
+          tags: |
+            ${{ steps.image.outputs.image_name }}:${{ steps.image.outputs.release_tag }}
+            ${{ steps.image.outputs.image_name }}:${{ steps.image.outputs.sha_tag }}
+            ${{ steps.image.outputs.image_name }}:main
+            ${{ steps.image.outputs.image_name }}:latest
+          cache-from: type=gha,scope=rumoca-docker-${{ matrix.target }}
+          cache-to: type=gha,mode=min,scope=rumoca-docker-${{ matrix.target }}
+
+  upload-docker-release-tarball:
+    name: Upload Docker Release Tarball
+    if: github.event_name == 'push' && startsWith(github.ref, 'refs/tags/v')
+    needs: [publish-docker-release-images]
+    runs-on: ubuntu-24.04
+    permissions:
+      contents: write
+      packages: read
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Export canonical dev tarball
+        shell: bash
+        run: |
+          mkdir -p target/docker/release
+          archive="target/docker/release/rumoca-dev-${GITHUB_REF_NAME}.tar.gz"
+          packaging/docker/export-image.sh dev "${archive}"
+          sha256sum "${archive}" > "${archive}.sha256"
+
+      - name: Wait for GitHub release
+        shell: bash
+        run: |
+          set -euo pipefail
+          for attempt in $(seq 1 60); do
+            if gh release view "${GITHUB_REF_NAME}" >/dev/null 2>&1; then
+              echo "Release ${GITHUB_REF_NAME} is available"
+              exit 0
+            fi
+            echo "Waiting for release ${GITHUB_REF_NAME} to exist (attempt ${attempt}/60)"
+            sleep 10
+          done
+          echo "::error::Release ${GITHUB_REF_NAME} was not created in time"
+          exit 1
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Upload Docker tarball assets
+        shell: bash
+        run: |
+          gh release upload "${GITHUB_REF_NAME}" \
+            target/docker/release/rumoca-dev-${GITHUB_REF_NAME}.tar.gz \
+            target/docker/release/rumoca-dev-${GITHUB_REF_NAME}.tar.gz.sha256 \
+            --clobber
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}