
Fix sandbox exec applying wrong entrypoint to service containers #518

Merged: evanphx merged 1 commit into main from evan/mir-602-using-sandbox-exec-in-a-service-sandbox-uses-the-wrong on Jan 6, 2026

@evanphx evanphx commented Jan 6, 2026

Summary

  • Fix miren sandbox exec incorrectly applying the app's entrypoint to service containers with custom images (like postgres)
  • Add imageMatchesAppVersion() helper to compare container images and only apply entrypoint when they match
  • Add comprehensive tests for the exec server's spec(), command(), and image matching logic

Test plan

  • Added unit tests for command() function
  • Added unit tests for spec() function covering all entrypoint scenarios
  • Added unit tests for imageMatchesAppVersion() with various image name formats
  • All tests pass (go test ./servers/exec/...)
  • Linter passes (golangci-lint run ./servers/exec/...)

Summary by CodeRabbit

  • Bug Fixes

    • Enhanced error handling for container image retrieval with graceful fallback behavior.
    • Improved execution flow with robust fallback mechanisms when commands or entrypoints are unavailable.
    • Strengthened safety checks for entrypoint processing.
  • Tests

    • Added comprehensive test suite covering command resolution, spec generation, terminal handling, and image matching scenarios.


When exec'ing into service containers with custom images (like postgres),
the app's entrypoint was incorrectly being applied. This happened because
all containers in a sandbox share the same version-entity label, even when
they use different images.

Now we compare the container's image to the AppVersion's image and only
apply the entrypoint when they match. Service containers with custom
images get a plain shell without the app entrypoint wrapper.
@evanphx evanphx requested a review from a team as a code owner January 6, 2026 22:11

coderabbitai bot commented Jan 6, 2026

📝 Walkthrough

The changes implement image-based gating for app entrypoint application in the exec server. A new helper function validates whether a container's image matches the app version's configured image. Enhanced fallback logic now prioritizes console commands from the app version, then the entrypoint, then defaults to /bin/sh. Comprehensive tests validate command resolution, OCI spec generation, terminal handling, and image matching scenarios.

Changes

| Cohort / File(s) | Summary |
| --- | --- |
| Entrypoint Gating Logic: servers/exec/exec.go | Introduces runtime image matching to conditionally apply app version entrypoint. Adds imageMatchesAppVersion() helper to compare container image against app version image URL (exact match or registry-prefixed suffix). Strengthens fallback chain: console command → entrypoint → /bin/sh. Includes error-tolerant container image retrieval and nil-safety checks for entrypoint access. |
| Test Suite: servers/exec/exec_test.go | Comprehensive test coverage for exec server behavior: command resolution, OCI spec generation, terminal/PTY handling, entrypoint application policy for custom vs. app images, and image matching logic with registry prefix scenarios and edge cases. |

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes



@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 0

🧹 Nitpick comments (1)
servers/exec/exec.go (1)

259-274: Consider adding empty string guard.

The image matching logic correctly handles exact matches and registry prefixes. However, if both containerImage and appVersionImage are empty strings, the exact match would return true, potentially applying an empty entrypoint.

While this edge case is unlikely in practice (containers should always have images, and AppVersions typically have ImageUrls), an explicit guard would make the intent clearer.

🔎 Optional improvement
 func imageMatchesAppVersion(containerImage, appVersionImage string) bool {
+	// Empty app version image means no entrypoint should be applied
+	if appVersionImage == "" {
+		return false
+	}
+
 	// Exact match
 	if containerImage == appVersionImage {
 		return true
 	}
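
Review bot: The guard added at the top of imageMatchesAppVersion tests only appVersionImage, so an empty containerImage still reaches the comparisons below it, and the rest of the function is not shown here to confirm that an empty string is rejected there. Consider `if containerImage == "" || appVersionImage == ""` so that neither empty argument can produce a match, reword the comment to cover both cases, and add a test case for each empty-argument combination.
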
📜 Review details


📥 Commits

Reviewing files that changed from the base of the PR and between e0a469b and 6fa06d8.

📒 Files selected for processing (2)
  • servers/exec/exec.go
  • servers/exec/exec_test.go
🧰 Additional context used
📓 Path-based instructions (1)
**/*.go

📄 CodeRabbit inference engine (CLAUDE.md)

**/*.go: Follow standard Go formatting conventions
Only add comments when they provide valuable context or explain 'why' something is done - avoid redundant comments that restate what the code does
Good comments should explain complex logic, document assumptions, or clarify non-obvious behavior rather than restating the code
Function/method comments should explain the purpose and any important side effects, not just restate the function name

Files:

  • servers/exec/exec_test.go
  • servers/exec/exec.go
🧬 Code graph analysis (1)
servers/exec/exec_test.go (3)
servers/exec/exec.go (1)
  • Server (20-27)
api/core/core_v1alpha/schema.gen.go (3)
  • AppVersion (82-91)
  • Commands (308-311)
  • Env (571-576)
api/exec/exec_v1alpha/rpc.gen.go (2)
  • ShellOptions (76-78)
  • WindowSize (18-20)
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (5)
  • GitHub Check: build-binaries (darwin, arm64, macos-latest)
  • GitHub Check: build-binaries (darwin, amd64, macos-latest)
  • GitHub Check: lint
  • GitHub Check: test
  • GitHub Check: test-e2e
🔇 Additional comments (3)
servers/exec/exec.go (2)

110-126: LGTM! Effective fix for the service container entrypoint issue.

The image-matching logic correctly gates the application of the app's entrypoint configuration. The error-tolerant approach (logging and continuing when image retrieval fails) is appropriate, ensuring that exec operations can proceed even if image metadata is temporarily unavailable. Debug logging provides good visibility for troubleshooting mismatches.


221-240: LGTM! Solid nil-safety and fallback logic.

The nil check prevents panics when dealing with service containers, and the fallback chain (console command → entrypoint + shell → plain shell) is well-structured and intuitive.

servers/exec/exec_test.go (1)

1-387: Excellent test coverage! Well-structured and comprehensive.

The test suite thoroughly validates the fix across multiple dimensions:

  • Command resolution with/without entrypoints
  • OCI spec generation for app vs. service containers
  • Terminal handling with console sizing
  • Image matching logic with registry prefixes and edge cases

The tests also serve as excellent documentation, particularly TestEntrypointNotAppliedToCustomImageContainers, which explicitly captures the bug fix behavior.

@evanphx evanphx merged commit 46f75d6 into main Jan 6, 2026
9 checks passed
@evanphx evanphx deleted the evan/mir-602-using-sandbox-exec-in-a-service-sandbox-uses-the-wrong branch January 6, 2026 23:12
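
A sketch of the image gating and fallback chain discussed in this PR, added here as an example and not the project's code: `imageMatches` and `execCommand` are hypothetical names, the image strings are constructed, and it assumes the registry prefix sits on the container image and that a mismatch yields a plain shell. The `/` boundary in the suffix check keeps an image such as `notapp:v1` from matching `app:v1`.

```go
package main

import (
	"fmt"
	"strings"
)

// imageMatches is a hypothetical stand-in for the PR's imageMatchesAppVersion().
// Assumption: the container image may carry a registry prefix in front of the
// app version image, e.g. "registry.example:5000/app:v1" vs "app:v1".
func imageMatches(containerImage, appVersionImage string) bool {
	// Two empty strings compare equal; never treat that as a match.
	if containerImage == "" || appVersionImage == "" {
		return false
	}
	if containerImage == appVersionImage {
		return true
	}
	// Require a "/" boundary so "registry/notapp:v1" does not match "app:v1".
	return strings.HasSuffix(containerImage, "/"+appVersionImage)
}

// execCommand sketches the fallback chain named in the review: console
// command, then entrypoint wrapping a shell, then a plain shell.
// Assumption: app settings are honoured only when the images match.
func execCommand(containerImage, appImage, console, entrypoint string) []string {
	if !imageMatches(containerImage, appImage) {
		return []string{"/bin/sh"} // service container: no app wrapper
	}
	if console != "" {
		return strings.Fields(console)
	}
	if entrypoint != "" {
		return append(strings.Fields(entrypoint), "/bin/sh")
	}
	return []string{"/bin/sh"}
}

func main() {
	// Constructed sample values, not taken from the PR.
	app := "app:v1"
	images := []string{"app:v1", "registry.example:5000/app:v1",
		"postgres:16", "registry.example:5000/notapp:v1", ""}
	for _, img := range images {
		fmt.Printf("%-34q -> %v\n", img, execCommand(img, app, "", "/entry.sh"))
	}
}
```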