Merge pull request #473 from DecapodLabs/agent/codex/code_01kk3za2ft9n96jq-master-cleanup-override

Avoid dirtying protected host checkouts with OVERRIDE writes

Author: alexhraber

.decapod/OVERRIDE.md

@@ -127,17 +127,10 @@
 
 ### plugins/HEARTBEAT.md
 
-### plugins/TEAMMATE.md
+### plugins/APTITUDE.md
 
 ### plugins/VERIFY.md
 
 ### plugins/DECIDE.md
 
 ### plugins/AUTOUPDATE.md
-
-### plugins/CONTAINER.md
-## Runtime Guard Override (auto-generated)
-DECAPOD_CONTAINER_RUNTIME_DISABLED=true
-reason: No docker/podman runtime found during validation self-heal.
-remediation: Install Docker or Podman, then remove this override if you want strict container gating restored.
-warning: disabling isolated containers increases risk of concurrent agents stepping on each other.

src/lib.rs

@@ -3054,42 +3054,23 @@ fn heal_override_checksum(
 fn heal_container_runtime_override(
     project_root: &Path,
 ) -> Result<Option<ValidationHealAction>, error::DecapodError> {
-    let override_path = project_root.join(".decapod").join("OVERRIDE.md");
-    let existing = if override_path.exists() {
-        fs::read_to_string(&override_path).map_err(error::DecapodError::IoError)?
-    } else {
-        String::new()
-    };
-    if existing.contains(container::CONTAINER_DISABLE_MARKER) {
-        return Ok(None);
-    }
-
-    let mut content = existing;
-    if !content.ends_with('\n') && !content.is_empty() {
-        content.push('\n');
+    match container::heal_container_runtime_override(
+        project_root,
+        "No docker/podman runtime found during validation self-heal.",
+        "Install Docker or Podman, then remove this override if you want strict container gating restored.",
+    )? {
+        container::ContainerRuntimeOverrideHeal::Added => Ok(Some(ValidationHealAction {
+            action: "heal_container_runtime_override".to_string(),
+            outcome: "updated".to_string(),
+            detail: "Disabled strict container-runtime enforcement because no local container runtime is available.".to_string(),
+        })),
+        container::ContainerRuntimeOverrideHeal::Cleared => Ok(Some(ValidationHealAction {
+            action: "heal_container_runtime_override".to_string(),
+            outcome: "cleared".to_string(),
+            detail: "Removed stale container-runtime override because Docker/Podman support is available.".to_string(),
+        })),
+        container::ContainerRuntimeOverrideHeal::Unchanged => Ok(None),
     }
-    content.push_str(
-        "\n### plugins/CONTAINER.md\n\
-## Runtime Guard Override (auto-generated)\n",
-    );
-    content.push_str(container::CONTAINER_DISABLE_MARKER);
-    content.push('\n');
-    content.push_str("reason: No docker/podman runtime found during validation self-heal.\n");
-    content.push_str("remediation: Install Docker or Podman, then remove this override if you want strict container gating restored.\n");
-    content.push_str("warning: disabling isolated containers increases risk of concurrent agents stepping on each other.\n");
-    let parent = override_path.parent().ok_or_else(|| {
-        error::DecapodError::ValidationError(
-            "OVERRIDE.md path missing parent directory".to_string(),
-        )
-    })?;
-    fs::create_dir_all(parent).map_err(error::DecapodError::IoError)?;
-    atomic_write_file(&override_path, &content)?;
-
-    Ok(Some(ValidationHealAction {
-        action: "heal_container_runtime_override".to_string(),
-        outcome: "updated".to_string(),
-        detail: "Disabled strict container-runtime enforcement because no local container runtime is available.".to_string(),
-    }))
 }
 
 fn attempt_validation_failure_heal(
@@ -3233,6 +3214,9 @@ fn run_validate_command(
     if let Some(action) = heal_agents_contract(project_root)? {
         heal_actions.push(action);
     }
+    if let Some(action) = heal_container_runtime_override(project_root)? {
+        heal_actions.push(action);
+    }
 
     let mut report = run_validation_bounded(&store, &decapod_root, validate_cli.verbose)?;
     for _ in 0..2 {

src/plugins/container.rs

@@ -92,6 +92,12 @@ pub struct RunSummary {
 
 pub(crate) const CONTAINER_DISABLE_MARKER: &str = "DECAPOD_CONTAINER_RUNTIME_DISABLED=true";
 
+pub(crate) enum ContainerRuntimeOverrideHeal {
+    Added,
+    Cleared,
+    Unchanged,
+}
+
 pub fn run_container_cli(store: &Store, cli: ContainerCli) -> Result<(), error::DecapodError> {
     let summary = match cli.command {
         ContainerCommand::Run {
@@ -218,15 +224,6 @@ fn run_container(
     local_only: bool,
 ) -> Result<RunSummary, error::DecapodError> {
     let repo = resolve_repo_path(repo_override)?;
-    if container_runtime_disabled(&repo)? {
-        return Err(error::DecapodError::ValidationError(
-            "Container subsystem is disabled by .decapod/OVERRIDE.md. \
-Remove the disable marker after installing Docker/Podman and configuring a dedicated local SSH key. \
-Warning: running without isolated containers means concurrent agents can step on each other."
-                .to_string(),
-        ));
-    }
-
     let docker = match find_container_runtime() {
         Ok(runtime) => runtime,
         Err(_) => {
@@ -235,15 +232,21 @@ Warning: running without isolated containers means concurrent agents can step on
                 "No docker/podman runtime found",
                 "Install Docker or Podman first, then re-run the task.",
             )?;
-            return Err(error::DecapodError::ValidationError(
-                "No container runtime found (docker/podman).\n\
+            let message = "No container runtime found (docker/podman).\n\
 Please install Docker or Podman.\n\
 I also wrote .decapod/OVERRIDE.md with container runtime disabled so agent runs stay safe by default.\n\
-Warning: without isolated containers, concurrent agents can step on each other."
-                    .to_string(),
-            ));
+Warning: without isolated containers, concurrent agents can step on each other.";
+            return Err(error::DecapodError::ValidationError(message.to_string()));
         }
     };
+    clear_container_runtime_override(&repo)?;
+    if container_runtime_disabled(&repo)? {
+        return Err(error::DecapodError::ValidationError(
+            "Container subsystem is disabled by .decapod/OVERRIDE.md even though a runtime is available. \
+Clear the disable marker or let Decapod self-heal the override file before retrying."
+                .to_string(),
+        ));
+    }
 
     ensure_container_runtime_access(&docker)?;
 
@@ -418,11 +421,94 @@ fn container_runtime_disabled(repo_root: &Path) -> Result<bool, error::DecapodEr
     Ok(content.contains(CONTAINER_DISABLE_MARKER))
 }
 
+fn clear_container_runtime_override(repo_root: &Path) -> Result<bool, error::DecapodError> {
+    let path = override_file_path(repo_root);
+    if !path.exists() {
+        return Ok(false);
+    }
+    let content = fs::read_to_string(&path).map_err(error::DecapodError::IoError)?;
+    if !content.contains(CONTAINER_DISABLE_MARKER) {
+        return Ok(false);
+    }
+
+    let lines: Vec<&str> = content.lines().collect();
+    let marker_index = lines
+        .iter()
+        .position(|line| line.trim() == CONTAINER_DISABLE_MARKER)
+        .ok_or_else(|| {
+            error::DecapodError::ValidationError(
+                "container override marker exists but could not be located".to_string(),
+            )
+        })?;
+
+    let mut start = marker_index;
+    while start > 0 {
+        let candidate = lines[start - 1].trim();
+        if candidate == "### plugins/CONTAINER.md" {
+            start -= 1;
+            break;
+        }
+        if candidate.is_empty() {
+            start -= 1;
+            continue;
+        }
+        break;
+    }
+
+    let mut end = marker_index + 1;
+    while end < lines.len() {
+        let candidate = lines[end].trim();
+        if candidate.starts_with("reason:")
+            || candidate.starts_with("remediation:")
+            || candidate.starts_with("warning:")
+            || candidate == "## Runtime Guard Override (auto-generated)"
+            || candidate.is_empty()
+        {
+            end += 1;
+            continue;
+        }
+        break;
+    }
+
+    let mut rebuilt: Vec<&str> = Vec::with_capacity(lines.len().saturating_sub(end - start));
+    rebuilt.extend_from_slice(&lines[..start]);
+    rebuilt.extend_from_slice(&lines[end..]);
+    let mut cleaned = rebuilt.join("\n");
+    if !cleaned.is_empty() {
+        cleaned.push('\n');
+    }
+    fs::write(path, cleaned).map_err(error::DecapodError::IoError)?;
+    Ok(true)
+}
+
+pub(crate) fn heal_container_runtime_override(
+    repo_root: &Path,
+    reason: &str,
+    remediation: &str,
+) -> Result<ContainerRuntimeOverrideHeal, error::DecapodError> {
+    match find_container_runtime() {
+        Ok(runtime) if ensure_container_runtime_access(&runtime).is_ok() => {
+            if clear_container_runtime_override(repo_root)? {
+                Ok(ContainerRuntimeOverrideHeal::Cleared)
+            } else {
+                Ok(ContainerRuntimeOverrideHeal::Unchanged)
+            }
+        }
+        _ => {
+            if disable_container_runtime_override(repo_root, reason, remediation)? {
+                Ok(ContainerRuntimeOverrideHeal::Added)
+            } else {
+                Ok(ContainerRuntimeOverrideHeal::Unchanged)
+            }
+        }
+    }
+}
+
 fn disable_container_runtime_override(
     repo_root: &Path,
     reason: &str,
     remediation: &str,
-) -> Result<(), error::DecapodError> {
+) -> Result<bool, error::DecapodError> {
     let path = override_file_path(repo_root);
     if let Some(parent) = path.parent() {
         fs::create_dir_all(parent).map_err(error::DecapodError::IoError)?;
@@ -433,7 +519,7 @@ fn disable_container_runtime_override(
         String::new()
     };
     if content.contains(CONTAINER_DISABLE_MARKER) {
-        return Ok(());
+        return Ok(false);
     }
     if !content.ends_with('\n') && !content.is_empty() {
         content.push('\n');
@@ -449,7 +535,7 @@ fn disable_container_runtime_override(
     content.push_str(&format!("remediation: {}\n", remediation));
     content.push_str("warning: disabling isolated containers increases risk of concurrent agents stepping on each other.\n");
     fs::write(path, content).map_err(error::DecapodError::IoError)?;
-    Ok(())
+    Ok(true)
 }
 
 fn repo_root_from_store(store: &Store) -> Result<PathBuf, error::DecapodError> {
@@ -1354,4 +1440,29 @@ mod tests {
         assert!(container_runtime_disabled(&root).expect("disabled check"));
         let _ = fs::remove_dir_all(root);
     }
+
+    #[test]
+    fn clear_override_strips_container_runtime_disabled_marker() {
+        let root = std::env::temp_dir().join(format!(
+            "decapod-container-clear-{}",
+            Ulid::new().to_string().to_lowercase()
+        ));
+        fs::create_dir_all(&root).expect("mkdir");
+        let wrote = disable_container_runtime_override(&root, "test-reason", "test-remediation")
+            .expect("disable override");
+        assert!(wrote, "override should be written");
+        let cleared = clear_container_runtime_override(&root).expect("clear override");
+        assert!(cleared, "disable marker should be removed");
+        assert!(
+            !container_runtime_disabled(&root).expect("disabled check"),
+            "container disable marker should be cleared"
+        );
+        let content = fs::read_to_string(root.join(".decapod").join("OVERRIDE.md")).expect("read");
+        assert!(
+            !content.contains(CONTAINER_DISABLE_MARKER),
+            "override should no longer contain the disable marker"
+        );
+
+        let _ = fs::remove_dir_all(root);
+    }
 }

tests/validate_termination.rs

@@ -237,6 +237,72 @@ fn validate_json_reports_self_heal_and_structured_summary() {
     assert!(payload["self_heal"].is_array());
 }
 
+#[test]
+fn validate_clears_stale_container_override_when_runtime_is_available() {
+    let (_tmp, dir, password) = setup_repo();
+    let override_path = dir.join(".decapod").join("OVERRIDE.md");
+    fs::write(
+        &override_path,
+        concat!(
+            "### plugins/CONTAINER.md\n",
+            "## Runtime Guard Override (auto-generated)\n",
+            "DECAPOD_CONTAINER_RUNTIME_DISABLED=true\n",
+            "reason: stale test marker\n",
+            "remediation: remove when runtime is healthy\n",
+            "warning: disabling isolated containers increases risk of concurrent agents stepping on each other.\n",
+        ),
+    )
+    .expect("write override");
+
+    let fake_bin = dir.join("fake-bin");
+    fs::create_dir_all(&fake_bin).expect("mkdir fake-bin");
+    let fake_docker = fake_bin.join("docker");
+    fs::write(
+        &fake_docker,
+        "#!/bin/sh\nif [ \"$1\" = \"info\" ]; then exit 0; fi\nexit 0\n",
+    )
+    .expect("write fake docker");
+    let chmod = Command::new("chmod")
+        .args(["+x", fake_docker.to_str().expect("fake docker path")])
+        .status()
+        .expect("chmod fake docker");
+    assert!(chmod.success(), "chmod should succeed");
+
+    let path = std::env::var("PATH").unwrap_or_default();
+    let runtime_path = format!("{}:{}", fake_bin.display(), path);
+    let validate = run_decapod(
+        &dir,
+        &["validate", "--format", "json"],
+        &[
+            ("DECAPOD_AGENT_ID", "unknown"),
+            ("DECAPOD_SESSION_PASSWORD", &password),
+            ("DECAPOD_VALIDATE_SKIP_GIT_GATES", "1"),
+            ("PATH", &runtime_path),
+        ],
+    );
+    assert!(
+        validate.status.success(),
+        "validate should clear stale runtime override; stderr:\n{}",
+        String::from_utf8_lossy(&validate.stderr)
+    );
+
+    let payload: Value =
+        serde_json::from_slice(&validate.stdout).expect("validate json payload should parse");
+    let heals = payload["self_heal"].as_array().expect("self_heal array");
+    assert!(
+        heals.iter().any(|action| {
+            action["action"] == "heal_container_runtime_override" && action["outcome"] == "cleared"
+        }),
+        "expected stale container override to be cleared; payload: {payload}"
+    );
+
+    let override_content = fs::read_to_string(&override_path).expect("read override");
+    assert!(
+        !override_content.contains("DECAPOD_CONTAINER_RUNTIME_DISABLED=true"),
+        "container disable marker should be removed"
+    );
+}
+
 #[test]
 fn validate_parallel_contention_emits_typed_reasoned_diagnostics() {
     let (_tmp, dir, password) = setup_repo();