docs: roadmap cleanup; add just and difftastic#69
lazydocker requires Docker socket access, which conflicts with squarebox's --cap-drop=ALL security posture. Mounting the host socket would effectively give the container root on the host, and running a daemon inside the container is too heavy. Drop it rather than ship a tool that can't work out of the box.
btop reads CPU/memory totals from /proc, which reflects the host's hardware rather than the container's cgroup limits, so its headline numbers are misleading inside squarebox. Drop it rather than ship a resource monitor that lies about resources.
Adds two container-friendly tools from the roadmap as Dockerfile-tier installs, pinned via ARG with SHA256 checksums in checksums.txt:

- just 1.49.0: modern task runner (casey/just)
- difftastic 0.68.0: syntax-aware structural diff, binary `difft` (Wilfred/difftastic)

Both are pure self-contained binaries with no daemon or host coupling, so they work cleanly inside squarebox's capability-dropped container. Also wires them into sqrbx-update, update-versions.sh, the e2e test suite, the build.yml tool smoke check, README, SECURITY, CONTRIBUTING, CLAUDE.md, and the roadmap.
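The two checks a pinned, checksum-verified Dockerfile-tier install step relies on (non-empty version ARG, artifact digest matched against a pinned list) as an added shell example; this is not squarebox's own Dockerfile or scripts, and it assumes checksums.txt uses sha256sum's `<hex>  <filename>` layout, which the PR does not state.

```shell
#!/usr/bin/env bash
# Added example, not squarebox's own Dockerfile or scripts: the two checks a
# pinned, checksum-verified "Dockerfile-tier" install step needs, written as
# shell functions so they can be exercised offline. Assumes checksums.txt uses
# sha256sum's "<hex>  <filename>" layout (an assumption, not stated in the PR).
set -u

# Reject an unset or empty version ARG before it reaches a download URL, so the
# build fails closed instead of fetching an unpinned or nonexistent artifact.
require_version() {
  local name="$1" value="${2:-}"
  if [ -z "$value" ]; then
    echo "build arg $name must be non-empty" >&2
    return 1
  fi
}

# Compare one downloaded artifact against the pinned list. Exit codes:
# 0 match, 1 digest mismatch, 2 artifact not listed (unlisted must also fail,
# otherwise a renamed file silently bypasses verification).
verify_artifact() {
  local checksums="$1" artifact="$2" expected actual
  expected=$(awk -v f="$(basename "$artifact")" '$2 == f {print $1}' "$checksums")
  if [ -z "$expected" ]; then
    echo "no pinned checksum for $(basename "$artifact")" >&2
    return 2
  fi
  actual=$(sha256sum "$artifact" | awk '{print $1}')
  if [ "$expected" != "$actual" ]; then
    echo "checksum mismatch for $artifact" >&2
    return 1
  fi
}

# Offline walkthrough on constructed files (stand-ins for release archives),
# printing four exit codes: good artifact, tampered copy, unlisted file,
# empty version ARG.
demo_verify() {
  local tmp r1 r2 r3 r4
  tmp=$(mktemp -d)
  printf 'stand-in for a release archive\n' > "$tmp/just-1.49.0-example.tar.gz"
  (cd "$tmp" && sha256sum just-1.49.0-example.tar.gz) > "$tmp/checksums.txt"
  mkdir "$tmp/t"
  printf 'tampered bytes\n' > "$tmp/t/just-1.49.0-example.tar.gz"
  printf 'never pinned\n' > "$tmp/difft-0.68.0-example.tar.gz"
  if verify_artifact "$tmp/checksums.txt" "$tmp/just-1.49.0-example.tar.gz" 2>/dev/null; then r1=0; else r1=$?; fi
  if verify_artifact "$tmp/checksums.txt" "$tmp/t/just-1.49.0-example.tar.gz" 2>/dev/null; then r2=0; else r2=$?; fi
  if verify_artifact "$tmp/checksums.txt" "$tmp/difft-0.68.0-example.tar.gz" 2>/dev/null; then r3=0; else r3=$?; fi
  if require_version JUST_VERSION "" 2>/dev/null; then r4=0; else r4=$?; fi
  rm -rf "$tmp"
  echo "$r1 $r2 $r3 $r4"
}
```

In a real Dockerfile these checks would run in the same `RUN` layer as the download, before extraction, so a failed digest stops the build rather than leaving an unverified binary on the image.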
Pull request overview
This PR updates squarebox documentation and tooling metadata around the container’s default toolset, including removing lazydocker from the roadmap rationale and reflecting newly pinned Dockerfile-tier tools.
Changes:
- Add `just` and `difftastic` (`difft`) as pinned, checksum-verified Dockerfile-tier tools.
- Update version/checksum automation (`update-versions.sh`), update tooling (`sqrbx-update`), and CI/e2e checks to include the new binaries.
- Refresh docs (README/SECURITY/CONTRIBUTING/CLAUDE/ROADMAP) to reflect the updated tool inventory and roadmap status.
Reviewed changes
Copilot reviewed 12 out of 12 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| SECURITY.md | Updates trust-model table to include just/difftastic in the pinned Dockerfile tier. |
| scripts/update-versions.sh | Extends Dockerfile ARG updating to include JUST_VERSION and DIFFTASTIC_VERSION. |
| scripts/squarebox-update.sh | Adds just/difftastic to the managed update tool registry and version detection. |
| scripts/lib/tools.yaml | Registers just and difftastic metadata for downloads/extraction. |
| scripts/e2e-test.sh | Adds tool-presence/version checks for just and difft. |
| ROADMAP.md | Removes planned entries (incl. lazydocker) and marks just/difftastic as done. |
| README.md | Adds just and difftastic to the “What’s included” CLI tool list. |
| Dockerfile | Pins and installs just/difftastic, adds non-empty ARG validation. |
| CONTRIBUTING.md | Updates local smoke-test command list and Dockerfile-tier tool list. |
| CLAUDE.md | Updates documentation of what scripts/update-versions.sh manages. |
| checksums.txt | Adds SHA256 entries for just and difftastic release artifacts (amd64/arm64). |
| .github/workflows/build.yml | Extends CI “All tools exist” check to include just and difft. |
| - **direnv** — add [direnv](https://github.com/direnv/direnv) (automatic per-directory environment loading) to the default image; auto-loads `.envrc` files on `cd`, integrates with zoxide for seamless per-project environment variables | ||
| - **Zsh option** — offer Zsh with Oh My Zsh, autosuggestions, and syntax highlighting as a selectable shell in `setup.sh` alongside the Bash default; closes the biggest UX gap vs. competing dev environments |
The PR title/description focus on removing lazydocker from the roadmap, but this change set also removes the btop roadmap item entirely and marks just/difftastic as completed (and the PR also includes non-doc changes adding those tools to the Dockerfile tier). Please confirm the intended scope: either update the PR title/description to reflect these additional changes, or restore/move the btop entry and keep roadmap changes limited to lazydocker.
| # 5.13 just version | ||
| run_test "5.13 just --version" just --version | ||
|
|
||
| # 5.14 difftastic version (binary is named `difft`) | ||
| run_test "5.14 difft --version" difft --version |
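Review bot: `run_test "5.13 just --version" just --version` and `run_test "5.14 difft --version" difft --version` only prove that each binary executes; neither compares the reported version with the pinned JUST_VERSION / DIFFTASTIC_VERSION ARGs (1.49.0 and 0.68.0), so a stale cached layer or a wrong-but-runnable artifact would still pass. Consider asserting that the output contains the pinned version string so the e2e suite also catches a pin/checksum update that did not actually take effect in the image.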
The suite header comment says it covers “5.1–5.12”, but this hunk adds 5.13/5.14. Please update the documented range (and consider renumbering the labels if you want them to remain sequential) so the test IDs stay consistent with the suite description.
Reflects the two new test IDs (5.13 just, 5.14 difft) added alongside the tool additions. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Summary

- `--cap-drop=ALL` security posture. Mounting the host socket would effectively give the container root on the host, and running a daemon inside the container is too heavy.
- `just` and `difftastic` from the roadmap to the default image (Dockerfile tier), with matching entries in `tools.yaml`, `checksums.txt`, and E2E coverage (tests 5.13, 5.14).

Test plan

- `build` workflow passes
- `just --version` and `difft --version`

🤖 Generated with Claude Code