Problem
pr-gate.sh dispatches reviewer agents (Codex) in a sandbox (workspace-write) that cannot access /var/run/docker.sock. For repos whose integration tests require Docker-backed services (Postgres, Redis, etc.), the gate runner cannot execute make test-integration or equivalent commands — tests either skip silently or fail with a socket permission error.
Example failure from gate run:
FAIL — Docker Compose could not connect to the Docker API at /var/run/docker.sock
The reviewer then cannot produce a valid test-run result, causing a block verdict on every gate run regardless of code quality.
Context
- The main Claude Code session (which calls pr-gate.sh) does have Docker access: it runs as a user who is in the docker group.
- The Codex sandbox launched by pr-gate.sh does not inherit Docker socket access.
- Docker services that are already listening on localhost ports are reachable from the Codex sandbox over TCP (e.g. 127.0.0.1:5433). The socket restriction only prevents starting new containers.
Proposed Solution
Add an optional --compose-file <path> (and optionally --compose-project <name>) flag to pr-gate.sh that:
- Before dispatching Codex reviewers: starts the specified compose stack from the main-thread process (which has Docker access) and waits for the declared services to be ready.
- Passes COMPOSE_ALREADY_STARTED=true (or equivalent) so the reviewer brief knows services are live on localhost.
- After all reviewer sessions complete: tears down the compose stack, but only if pr-gate.sh started it (idempotent if the services were already running).
This keeps Docker lifecycle management on the main thread where permissions exist, while Codex reviewers see pre-started services via localhost and can run real integration tests.
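As an added illustration (not pm-dispatch's own code), the start / brief / conditional-teardown lifecycle above as a shell sketch that pr-gate.sh could call around its reviewer dispatch. It assumes Docker Compose v2 and a compose file whose services declare healthchecks, so that `up --wait` returns only once they are ready; the function names, the COMPOSE_BIN override, and the reuse of the proposed COMPOSE_ALREADY_STARTED variable are this example's own assumptions.

```bash
#!/usr/bin/env bash
# Added example (not pm-dispatch code): compose lifecycle around reviewer dispatch.
# Assumes Docker Compose v2 and healthchecks on the services that must be ready.
# COMPOSE_BIN, WE_STARTED_STACK and the function names are this example's choices;
# COMPOSE_ALREADY_STARTED is the variable name proposed in the issue.
set -eu

COMPOSE_BIN="${COMPOSE_BIN:-docker compose}"   # unquoted on use so "docker compose" splits into two words
WE_STARTED_STACK=0                              # becomes 1 only if this script brought the stack up

# Line count without the leading spaces some wc implementations print.
count_lines() { wc -l | tr -d ' '; }

# True when every service declared in the compose file is already running
# under the given project name.
stack_already_running() {
    local file="$1" project="$2" declared running
    declared=$($COMPOSE_BIN -f "$file" -p "$project" config --services | count_lines)
    running=$($COMPOSE_BIN -f "$file" -p "$project" ps --services --filter status=running 2>/dev/null | count_lines)
    [ "$declared" -gt 0 ] && [ "$running" -eq "$declared" ]
}

# Start the stack unless it is already up, and remember whether we did.
start_stack_if_needed() {
    local file="$1" project="$2"
    if stack_already_running "$file" "$project"; then
        echo "compose project '$project' already running; leaving it alone" >&2
        return 0
    fi
    $COMPOSE_BIN -f "$file" -p "$project" up -d --wait   # --wait blocks until healthchecks pass
    WE_STARTED_STACK=1
}

# Tear down only what this script started; pre-existing services stay up.
stop_stack_if_we_started() {
    local file="$1" project="$2"
    [ "$WE_STARTED_STACK" -eq 1 ] || return 0
    $COMPOSE_BIN -f "$file" -p "$project" down -v
    WE_STARTED_STACK=0
}

# Run the reviewer dispatch (given as a command) between start and teardown.
# Teardown runs even when the gate command fails, and the gate's exit status
# is returned unchanged so the caller still sees the real verdict.
run_gate_with_compose() {
    local file="$1" project="$2" status
    shift 2
    start_stack_if_needed "$file" "$project"
    if COMPOSE_ALREADY_STARTED=true "$@"; then
        status=0
    else
        status=$?
    fi
    stop_stack_if_we_started "$file" "$project"
    return "$status"
}

# Usage, as pr-gate.sh might wire it to --compose-file / --compose-project
# (the dispatch command is a placeholder for the existing reviewer dispatch):
#   run_gate_with_compose infrastructure/docker-compose.test.yml japanjob_test \
#       <reviewer-dispatch-command>
```

Two design choices worth noting. The "already running" check here looks at the compose project's own state rather than probing the target ports; a port probe, as the acceptance criteria phrase it, would additionally catch services started under a different project name or outside compose, at the cost of not knowing whether the thing on the port is the expected service. And because the gate can be interrupted, a real implementation should also install an EXIT trap that calls stop_stack_if_we_started so a Ctrl-C does not leave a stack the script started behind.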
Alternatives Considered
- Project-level wrapper script (scripts/qa-gate.sh in JapanJob): bypasses the tool boundary and creates an informal fork of gate logic outside pm-dispatch. Rejected because it obscures the root cause and diverges from the intended tool contract.
- Manual pre-start by developer: viable short-term workaround, but not automated or reliable.
- Changing Codex sandbox mode: risky and likely overridden by Codex CLI sandbox policy.
Acceptance Criteria
- bash scripts/pr-gate.sh --compose-file infrastructure/docker-compose.test.yml --compose-project japanjob_test starts services, runs the gate, and stops the services automatically.
- If services are already running on the target ports, the flag is a no-op for startup (does not restart or stop existing services after gate).
- Gate result reflects actual integration test outcomes, not socket-permission failures.
- Existing gate runs without --compose-file are unaffected.
Current Workaround
Manually start test services before running /pr-gate, then stop after:
docker compose -f infrastructure/docker-compose.test.yml -p test up -d
# run /pr-gate
docker compose -f infrastructure/docker-compose.test.yml -p test down