dind passthrough: add per-repository allowlist (DIND_HOST_PASSTHROUGH_IMAGES)

[konard]

Summary

Adds DIND_HOST_PASSTHROUGH_IMAGES — a per-repository (image-name) allowlist for dind-box host-image passthrough (issue #97). It scopes passthrough to specific repositories / image names, one level finer than the registry allowlist (DIND_HOST_PASSTHROUGH_REGISTRIES), so a deployment can seed the inner daemon with only the images it owns rather than every public image on the host.

Fixes #97.

Behavior

• Empty / unset (default) → unchanged: mode (off/public/all) + registry filter only.
• Non-empty → a host image must match the mode filter and at least one space-separated pattern (shell glob). It only ever narrows the eligible set — public still requires a public RepoDigest, so the security guarantee is preserved even if a local/private image matches a pattern.
• Patterns match against several normalized forms of each reference, so konard/hive-mind matches konard/hive-mind:latest and the registry-qualified docker.io/konard/hive-mind:latest alike. Globs and explicit tags work too.

# seed only hive-mind's own images into the nested daemon
DIND_HOST_PASSTHROUGH=public
DIND_HOST_PASSTHROUGH_IMAGES="konard/hive-mind konard/hive-mind-dind"
# globs / tags / registry-qualified refs also work:
DIND_HOST_PASSTHROUGH_IMAGES="docker.io/konard/hive-mind* konard/hive-mind-dind:latest"

Changes

• ubuntu/24.04/dind/dind-entrypoint.sh — new DIND_HOST_PASSTHROUGH_IMAGES var + host_image_matches_images_filter(), composed into host_image_passes_filter(); the passthrough log line now reports the active allowlist.
• experiments/preload-unit-test.sh — 5 new cases (14–18): allowlist scoping, composition with the mode gate, globs / docker.io-qualified / tagged patterns, empty-list back-compat, and direct helper-normalization checks. 41/41 pass locally.
• tests/dind/example-preload-images.sh — new integration case: all mode + an allowlist scoped to one repo copies only that repo and skips the public host image, proving the allowlist (not the mode) is what narrows the set.
• docs/dind/USAGE.md, README.md — documented the new knob (env table row + "Scoping to specific images" section).
• .changeset/dind-host-passthrough-images.md — bump: minor.

How to verify

bash experiments/preload-unit-test.sh           # 41 passed, 0 failed
DIND_IMAGE=box-dind-js tests/dind/example-preload-images.sh   # full CI integration

---

Filed from link-assistant/hive-mind#1879.

[konard]

Working session summary

Still running. I'll await the completion notification from the background monitor rather than polling repeatedly.

While waiting, here's a summary of what I've implemented for issue #97:

Summary of work completed

I added DIND_HOST_PASSTHROUGH_IMAGES — a per-repository (image-name) allowlist for dind-box host-image passthrough — and pushed it to PR #99.

Implementation (ubuntu/24.04/dind/dind-entrypoint.sh):

• New env var DIND_HOST_PASSTHROUGH_IMAGES (default empty → unchanged behavior).
• New host_image_matches_images_filter() that glob-matches each host reference against the allowlist, testing several normalized forms (tagged ref, bare repo, and docker.io/-qualified variants) so konard/hive-mind matches konard/hive-mind:latest and docker.io/konard/hive-mind:latest.
• Composed into host_image_passes_filter() so it narrows — public mode still requires a public RepoDigest, preserving the security guarantee.
• Passthrough log line now reports the active allowlist.

Tests:

• experiments/preload-unit-test.sh — 5 new cases (14–18): scoping, mode composition, globs/qualified/tagged patterns, empty-list back-compat, direct helper checks. 41/41 pass locally.
• tests/dind/example-preload-images.sh — integration case proving all mode + a one-repo allowlist copies only that repo and skips the public host image.

Docs & release:

• docs/dind/USAGE.md (env table row + "Scoping to specific images" section), README.md bullet.
• .changeset/dind-host-passthrough-images.md with bump: minor.
• Removed the stray .gitkeep PR-creation artifact.

CI checkpoints already green: changeset check, version-change guard, pr-test/js, pr-test/essentials. The remaining dind matrix jobs are building images now.

---

This summary was automatically extracted from the AI working session output.

[konard]

🤖 Solution Draft Log

This log file contains the complete execution trace of the AI solution draft process.

💰 Cost: $3.000494

📊 Context and tokens usage:

• 89.7K / 1M (9%) input tokens, 26.0K / 128K (20%) output tokens

Total: (3.3K new + 119.7K cache writes + 3.2M cache reads) input tokens, 26.0K output tokens, $3.000495 cost

🤖 Models used:

• Tool: Anthropic Claude Code
• Requested: opus
• Model: Claude Opus 4.8 (claude-opus-4-8)

📎 Log file uploaded as Gist (1569KB)

• View complete solution draft log

---

Now working session is ended, feel free to review and add any feedback on the solution draft.

[konard]

✅ Ready to merge

This pull request is now ready to be merged:

• All CI checks have passed
• No merge conflicts
• No pending changes

---

Monitored by hive-mind with --auto-restart-until-mergeable flag

[konard]

https://github.com/link-foundation/box/actions/runs/27295905722 we also need to make sure we fully fix all false positives and errors found in logs of the CI/CD run.

[konard]

🤖 AI Work Session Started

Starting automated work session at 2026-06-10T22:16:58.260Z

The PR has been converted to draft mode while work is in progress.

This comment marks the beginning of an AI work session. Please wait for the session to finish, and provide your feedback.

[konard]

CI investigation — run 27295905722

I traced every failure in that run. None are caused by this PR — its own pull_request CI is fully green (run 27296460921, all pr-test/* pass, including the new DIND_HOST_PASSTHROUGH_IMAGES allowlist case in the preload integration test). That run is a push/release.yml run on the pre-PR merge commit b9e370a.

Root cause (one transient flake → a cascade of false-positive failures)

build-essentials-amd64 failed while booting BuildKit:

#1 pulling image moby/buildkit:buildx-stable-1
#1 ERROR: Get "https://registry-1.docker.io/v2/": net/http: request canceled (Client.Timeout exceeded while awaiting headers)

The docker-container buildx driver pulls moby/buildkit straight from Docker Hub on boot, and Docker Hub timed out. Because the amd64 essentials image was therefore never built/pushed, every dependent amd64 dind build then failed the cascade symptom:

ERROR: ... box-essentials:2.2.1-amd64: not found

and the existing 3× push-retry kept re-failing for the same reason (the base genuinely wasn't there). The remaining log noise (systemd-network user resolution, resolv.conf busy, update-alternatives skip warnings, policy-rc.d denied) is benign apt/dpkg output from the image build, present in passing runs too.

Fix

Added a local composite action .github/actions/setup-buildx-resilient that, before docker/setup-buildx-action, pre-pulls the pinned BuildKit image with retry + exponential backoff and pins the driver to it (driver-opts: image=moby/buildkit:buildx-stable-1), so the boot reuses the cached image instead of hitting the registry. The pre-pull is non-fatal — if it still can't pull, it falls through to setup-buildx's own boot pull, so worst-case behavior is unchanged. Wired into all 12 buildx setups in release.yml.

This absorbs exactly this class of transient Docker-Hub false positive in the release pipeline. Pushed in 90f35af.

[konard]

🤖 Solution Draft Log

This log file contains the complete execution trace of the AI solution draft process.

💰 Cost: $2.813344

📊 Context and tokens usage:

• 104.7K / 1M (10%) input tokens, 29.7K / 128K (23%) output tokens

Total: (3.1K new + 91.8K cache writes + 3.0M cache reads) input tokens, 29.7K output tokens, $2.813344 cost

🤖 Models used:

• Tool: Anthropic Claude Code
• Requested: opus
• Model: Claude Opus 4.8 (claude-opus-4-8)

📎 Log file uploaded as Gist (1478KB)

• View complete solution draft log

---

Now working session is ended, feel free to review and add any feedback on the solution draft.

[konard]

🔄 Auto-restart triggered (iteration 1)

Reason: CI failures detected

Starting new session to address the issues.

---

Auto-restart-until-mergeable mode is active. This run will stop after 5 restart iterations.

[konard]

Working session summary

I'll wait for the background monitors to notify me when the re-run finishes. The job typically takes ~30 minutes to build the full chain.

---

This summary was automatically extracted from the AI working session output.

[konard]

🔄 Auto-restart-until-mergeable Log (iteration 1)

This log file contains the complete execution trace of the AI solution draft process.

💰 Cost: $1.702415

📊 Context and tokens usage:

• 73.2K / 1M (7%) input tokens, 17.1K / 128K (13%) output tokens

Total: (3.0K new + 60.3K cache writes + 1.8M cache reads) input tokens, 17.1K output tokens, $1.702415 cost

🤖 Models used:

• Tool: Anthropic Claude Code
• Requested: opus
• Model: Claude Opus 4.8 (claude-opus-4-8)

📎 Log file uploaded as Gist (2900KB)

• View complete solution draft log

---

Now working session is ended, feel free to review and add any feedback on the solution draft.

[konard]

✅ Ready to merge

This pull request is now ready to be merged:

• All CI checks have passed
• No merge conflicts
• No pending changes

---

Monitored by hive-mind with --auto-restart-until-mergeable flag