test(dind): assert public-mode passthrough actually copies a public host image (issue #96)

[konard]

Summary

Closes the false-positive / coverage gap in the host-image passthrough test added in #95 (tests/dind/example-preload-images.sh).

For the default public mode the suite previously only asserted the negative path — that a locally-built fixture (no RepoDigest) is not copied. The positive path the feature exists for — a genuinely public image (carrying a RepoDigest from an allowlisted registry) is copied into the inner daemon — was structurally untested: the throwaway host daemon was seeded with only the offline docker import fixture, so public mode had no eligible image at all. A "public copies nothing" regression would have shipped green, defeating the whole feature (every inner docker run re-pulls again) — the exact symptom #94 set out to fix, and the behavior downstream link-assistant/hive-mind#1879 relies on.

Fixes #96.

What changed

tests/dind/example-preload-images.sh:

• Seed the throwaway host daemon with a real public image (alpine:3.20). Pulling it from a public registry is what records a RepoDigest — docker save/docker load does not preserve one — so this is the "freely re-pullable" case public mode must pass through. The pull fails the test loudly if the network is unavailable.
• Add the missing positive assertion to the public-mode block: the public image must land in the inner daemon (docker image inspect alpine:3.20) and be logged as loaded (passthrough loading host image: alpine:3.20). The pre-existing negative assertion (local fixture skipped) is kept.

Also drops a stray root .gitkeep PR-creation artifact, and adds a patch changeset.

How it was verified

• The container integration test runs in CI (pr-test-dind), which uses overlay2 + the disk-cleanup step. Running it locally here is impractical because the sandbox Docker uses the vfs storage driver (no layer sharing), which exhausts disk while expanding the large box-dind image.

• The filter logic the new assertion depends on is covered by experiments/preload-unit-test.sh (mocked host daemon, no container needed). Case 9 already exercises precisely this path and is green:

  == Case 9: public mode copies only public-registry images ==
  [dind-entrypoint] host-image passthrough (mode=public) ...
  [dind-entrypoint] passthrough loading host image: alpine:3.20
  [dind-entrypoint] passthrough skip (filtered by mode=public): myapp:latest
    PASS: public mode saved the hub image
    PASS: public mode loaded the hub image
    PASS: public mode did NOT save the local image
  ...
  RESULT: 26 passed, 0 failed
  

  This confirms a docker.io RepoDigest image (alpine:3.20) passes public mode and emits the exact log line the new integration assertion greps for.

Before / after (test coverage)

public-mode block	before	after
local fixture (no RepoDigest) skipped	✅ asserted	✅ asserted
public image (RepoDigest) copied into inner daemon	❌ untested	✅ asserted
public image logged as loaded	❌ untested	✅ asserted

[konard]

⏳ Usage Limit Reached

The automated solution draft was interrupted because the Anthropic Claude Code usage limit was reached.

📊 Limit Information

• Tool: Anthropic Claude Code
• Limit Type: Usage limit exceeded
• Reset Time: in 2h 2m (Jun 10, 4:50 PM UTC)
• Session ID: 514aa185-c964-4b24-bbce-4a0fe7b9acbc

🔄 How to Continue

Auto-resume is enabled. The session will automatically resume (with context preserved) when the limit resets.

🤖 Models used:

• Tool: Anthropic Claude Code
• Requested: opus
• Model: Claude Opus 4.8 (claude-opus-4-8)

📎 Execution log uploaded as Gist (787KB)

• View complete execution log

---

This session was interrupted due to usage limits. The session will automatically resume when the limit resets.

[konard]

⏰ Auto Resume (on limit reset)

Auto-resuming automated work session at 2026-06-10T17:05:30.674Z

This session automatically resumed after the usage limit reset, continuing with the previous context preserved.

The PR has been converted to draft mode while work is in progress.

This is an auto-resumed session. Please wait for the session to finish, and provide your feedback.

[konard]

Working session summary

The CI log confirms the new test path ran end-to-end and passed on my exact commit:

• pulling a real public image (alpine:3.20) into the throwaway host daemon
• public-mode passthrough copied the public image and skipped the local fixture (security filter held) ← the new positive assertion held
• preload example passed

Everything is done and verified. Summary:

What I did

The issue (#96): the host-image passthrough test (tests/dind/example-preload-images.sh) had a false-positive for the default public mode — it only asserted the negative path (a locally-built fixture with no RepoDigest is skipped) and never asserted the positive path the feature exists for (a genuinely public image is copied into the inner daemon). The throwaway host daemon was seeded with only the offline fixture, so public mode had no eligible image at all; a "public copies nothing" regression would have shipped green.

Fix (commit 98a4526 on issue-96-9e584ef3ffff):

1. Seed the throwaway host daemon with a real pulled alpine:3.20 — pulling from a public registry is what records a RepoDigest (docker save/load does not preserve one), so it's the "freely re-pullable" case public mode must pass through.
2. Add the missing positive assertion: the public image must land in the inner daemon and be logged as loaded. The pre-existing negative assertion is kept.
3. Added a patch changeset; removed a stray root .gitkeep PR-creation artifact.

Verification:

• The experiments/preload-unit-test.sh harness (26 cases, all pass) confirms alpine:3.20's docker.io RepoDigest passes public mode and emits the exact log line the test greps for.
• Full CI run 27284139691 completed successfully on my exact HEAD SHA, and the pr-test / dind-js job log shows the new positive assertion executing and holding.

PR: #98 — updated title/description, marked ready for review, branch is current with main, all checks green.

A note on the user's message: I couldn't run the container integration test in this sandbox because its Docker uses the vfs storage driver (no layer sharing), which exhausts disk while expanding the large box-dind image — but CI (overlay2 + disk cleanup) ran it and it passed, so it's verified there instead.

---

This summary was automatically extracted from the AI working session output.

[konard]

🔄 Solution Draft Log (auto resume on limit reset)

This log file contains the complete execution trace of the AI solution draft process.

💰 Cost estimation:

• Public pricing estimate: $1.705046
• Calculated by Anthropic: $0.741589
• Difference: $-0.963457 (-56.51%)

📊 Context and tokens usage:

• 57.2K / 1M (6%) input tokens, 14.3K / 128K (11%) output tokens

Total: (4.4K new + 78.1K cache writes + 1.7M cache reads) input tokens, 14.3K output tokens, $1.705046 cost

🤖 Models used:

• Tool: Anthropic Claude Code
• Requested: opus
• Model: Claude Opus 4.8 (claude-opus-4-8)

Note: This session was automatically resumed after a usage limit reset, with the previous context preserved.

📎 Log file uploaded as Gist (598KB)

• View complete solution draft log

---

Now working session is ended, feel free to review and add any feedback on the solution draft.

[konard]

✅ Ready to merge

This pull request is now ready to be merged:

• All CI checks have passed
• No merge conflicts
• No pending changes

---

Monitored by hive-mind with --auto-restart-until-mergeable flag