# AUTONOMOUS EXECUTION PROMPT FOR QWEN3-CODER

## MISSION

Generate a production-grade Docker image for document generation that builds ON FIRST ATTEMPT with OPTIMAL CACHING and MULTI-ARCHITECTURE SUPPORT. NO ITERATION ALLOWED - OUTPUT MUST BE PERFECT.

## CRITICAL PERFORMANCE CONSTRAINTS

BUILD TIME OPTIMIZATION IS PARAMOUNT - You MUST implement advanced BuildKit caching strategies including:

- Multi-stage builds with proper layer isolation
- Dependency installation BEFORE application code to maximize cache hits
- Use `--mount=type=cache` directives for mise/npm/pip/cargo caches
- Separate apt-get operations into dedicated cacheable layers
- Implement cache mounts for `~/.cache/mise` and `~/.local/share/mise`

### BUILDKIT CONFIGURATION

Every Dockerfile instruction MUST leverage BuildKit features:

```dockerfile
# syntax=docker/dockerfile:1.4
# Enable ALL BuildKit optimizations
```

- Use `RUN --mount=type=cache` for ALL tool installations
- Implement `--cache-from` and `--cache-to` in build.sh
- Enable parallel downloading with `--parallel` flag where applicable

### MULTI-ARCHITECTURE BUILD

- Use `docker buildx` with `--platform linux/amd64,linux/arm64,linux/arm/v7`
- Implement proper QEMU emulation setup in build.sh
- Use manifest lists for final image deployment

## SECURITY & ARCHITECTURE REQUIREMENTS

- STAGE 1 (BUILDER): Root only for minimal apt operations and user creation
- STAGE 2 (RUNTIME): 100% tsysdevstack user, NO ROOT CAPABILITIES

### LAYER ORDERING PRINCIPLE

Place infrequently changing operations at top:

1. Base image + system packages (pinned versions)
2. mise installation + runtime versions (pinned)
3. Global tool installations (pinned versions)
4. Application code/configurations

### CACHE BUSTING PREVENTION

Version pin EVERYTHING - no "latest" tags.

## QA GATES - NON-NEGOTIABLE

### PRE-BUILD VALIDATION

Generate build.sh to run these checks BEFORE any docker build:

```bash
# Dockerfile validation (exits non-zero on any warning, as the zero-tolerance policy requires)
docker run --rm -v "$(pwd)":/data hadolint/hadolint \
    hadolint --failure-threshold warning /data/Dockerfile

# Shell script validation
shellcheck run.sh build.sh test.sh

# YAML validation (--strict turns warnings into a non-zero exit)
yamllint --strict docker-compose.yml devcontainer.json
```

### ZERO TOLERANCE POLICY

If ANY tool reports warnings/errors, the build MUST FAIL immediately. NO EXCEPTIONS.

## ARTIFACT SPECIFICATIONS

### 1. Dockerfile - OPTIMIZED STRUCTURE

```dockerfile
# syntax=docker/dockerfile:1.4

# STAGE 1: Builder - the only stage in which anything runs as root.
# No --platform=$BUILDPLATFORM here: the runtimes installed below must match the
# TARGET architecture, so each platform in the buildx matrix builds its own stage.
FROM debian:bookworm-slim AS builder

# hadolint DL4006: pipes (curl | sh) must fail when the producer fails
SHELL ["/bin/bash", "-o", "pipefail", "-c"]

# Cache busting protection - PIN EVERY VERSION
ARG DEBIAN_FRONTEND=noninteractive
ENV TZ=Etc/UTC

# System dependencies (pinned versions where possible)
RUN apt-get update && \
    apt-get install -y --no-install-recommends \
        curl=7.88.1-10+deb12u5 \
        ca-certificates=20230311 \
        gnupg=2.2.40-1.1 \
        build-essential=12.9 \
    && rm -rf /var/lib/apt/lists/*

# Create unprivileged user EARLY (no sudo group: nothing may escalate later)
RUN useradd -m -u 1000 tsysdevstack && \
    mkdir -p /home/tsysdevstack/.cache && \
    chown -R tsysdevstack:tsysdevstack /home/tsysdevstack

# Everything from here on runs as the unprivileged user
USER tsysdevstack
WORKDIR /home/tsysdevstack
ENV PATH=/home/tsysdevstack/.local/bin:/home/tsysdevstack/.local/share/mise/shims:$PATH

# Mise installation with cache optimization.
# Only the download cache is a cache mount (owned by uid 1000 so the
# unprivileged user can write to it). ~/.local/share/mise holds the installed
# runtimes and must be written to the layer: a cache mount is discarded after
# the RUN step and would leave the image without node/python/rust/ruby.
RUN --mount=type=cache,target=/home/tsysdevstack/.cache/mise,uid=1000,gid=1000 \
    curl -fsSL https://mise.run | sh && \
    mise install node@20.11.1 python@3.11.8 rust@1.76.0 ruby@3.3.0 && \
    mise use --global node@20.11.1 python@3.11.8 rust@1.76.0 ruby@3.3.0

# Tool installations with cache mounts and version pinning
# (mise reshim exposes the new global binaries through the shims directory)
RUN --mount=type=cache,target=/home/tsysdevstack/.npm,uid=1000,gid=1000 \
    npm install -g --no-fund --no-audit --no-progress \
        pandoc@3.1.11 \
        mdbook@0.4.37 \
        typst@0.11.1 \
        marp-cli@3.1.1 \
        markwhen@1.2.3 \
        kroki-cli@0.18.0 \
        quarto@1.4.539 \
        vale@3.4.1 && \
    mise reshim

# STAGE 2: Runtime environment - NO ROOT
FROM debian:bookworm-slim AS runtime

# Copy the user definition, trust store and provisioned home directory from
# the builder so that no RUN instruction in this stage ever needs root.
COPY --from=builder /etc/passwd /etc/group /etc/
COPY --from=builder /etc/ssl/certs /etc/ssl/certs
COPY --from=builder /usr/share/ca-certificates /usr/share/ca-certificates
COPY --from=builder --chown=1000:1000 /home/tsysdevstack /home/tsysdevstack
COPY --chown=1000:1000 run.sh /home/tsysdevstack/run.sh

# Final security hardening
USER tsysdevstack
WORKDIR /home/tsysdevstack
ENV PATH=/home/tsysdevstack/.local/bin:/home/tsysdevstack/.local/share/mise/shims:$PATH

# run.sh refuses to start as root, then execs the requested command
ENTRYPOINT ["/home/tsysdevstack/run.sh"]
CMD ["pandoc", "--version"]
```

### 2. build.sh - OPTIMIZED BUILD SCRIPT

```bash
#!/bin/bash
set -euxo pipefail

IMAGE="tsysdevstack/toolboxes-docs"
CACHE_DIR="/tmp/.buildx-cache"

# PRE-BUILD QA GATES - any finding aborts the script (set -e)
echo "🔍 Running pre-build validation..."
docker run --rm -v "$(pwd)":/data hadolint/hadolint \
    hadolint --failure-threshold warning /data/Dockerfile
shellcheck run.sh build.sh test.sh
yamllint --strict docker-compose.yml devcontainer.json

# Setup QEMU emulation and buildx builder with caching (idempotent on re-runs)
echo "🚀 Setting up buildx builder..."
docker run --privileged --rm tonistiigi/binfmt --install all
docker buildx inspect docs-builder >/dev/null 2>&1 || \
    docker buildx create --name docs-builder --driver docker-container
docker buildx use docs-builder
docker buildx inspect --bootstrap

# Multi-platform build with advanced caching
echo "🏗️ Building multi-platform image..."
mkdir -p "$CACHE_DIR"
docker buildx build \
    --platform linux/amd64,linux/arm64,linux/arm/v7 \
    --tag "$IMAGE:latest" \
    --tag "$IMAGE:$(date +%Y%m%d)" \
    --cache-from "type=local,src=$CACHE_DIR" \
    --cache-to "type=local,dest=$CACHE_DIR-new,mode=max" \
    --output type=image,push=false \
    .

# A multi-platform result cannot be loaded into the local daemon, so build the
# host's own platform once more with --load (every layer hits the fresh cache)
# so that test.sh can docker run the image.
docker buildx build \
    --platform "linux/$(docker version -f '{{.Server.Arch}}')" \
    --tag "$IMAGE:latest" \
    --cache-from "type=local,src=$CACHE_DIR-new" \
    --load \
    .

# Rotate cache
echo "🔄 Rotating build cache..."
rm -rf "$CACHE_DIR"
mv "$CACHE_DIR-new" "$CACHE_DIR"

echo "✅ Build completed successfully!"
```

### 3. run.sh - SECURE EXECUTION

```bash
#!/bin/bash
set -euxo pipefail

# Security validation before execution
if [ "$(id -u)" -eq 0 ]; then
    echo "❌ ERROR: Running as root is not allowed!" >&2
    exit 1
fi

# exec with no arguments would silently exit 0; demand a command
if [ "$#" -eq 0 ]; then
    echo "❌ ERROR: no command given (usage: run.sh <command> [args...])" >&2
    exit 1
fi

# Execute command with proper environment
exec "$@"
```

### 4. test.sh - COMPREHENSIVE VALIDATION

```bash
#!/bin/bash
set -euxo pipefail

IMAGE="tsysdevstack/toolboxes-docs:latest"

# Test image functionality
echo "🧪 Testing document generation capabilities..."

# Test pandoc
docker run --rm "$IMAGE" \
    sh -c "pandoc --version && echo '✅ Pandoc works'"

# Test mdbook
docker run --rm "$IMAGE" \
    sh -c "mdbook --version && echo '✅ mdbook works'"

# Test the no-root guarantee: the default user must be uid 1000, and run.sh
# must refuse to start when root is forced in from the outside
[ "$(docker run --rm "$IMAGE" id -u)" -eq 1000 ]
if docker run --rm --user 0 "$IMAGE" id -u; then
    echo "❌ run.sh accepted a root invocation" >&2
    exit 1
fi

echo "🎉 All tests passed!"
```

### 5. docker-compose.yml - DEVELOPMENT OPTIMIZATION

```yaml
---
# No top-level "version" key: Compose v2 ignores it and warns about it.
services:
  docs:
    build:
      context: .
      # Compose expresses BuildKit cache sources as strings, not mappings
      cache_from:
        - type=local,src=/tmp/.buildx-cache
    image: tsysdevstack/toolboxes-docs:dev
    user: "1000:1000"
    volumes:
      - ./output:/home/tsysdevstack/output
      - ./docs:/home/tsysdevstack/docs
    working_dir: /home/tsysdevstack
```

### 6. devcontainer.json - DEVELOPER EXPERIENCE

```json
{
  "name": "TSYS Docs & Diagrams",
  "image": "tsysdevstack/toolboxes-docs:latest",
  "runArgs": ["--user=1000"],
  "customizations": {
    "vscode": {
      "extensions": [
        "yzhang.markdown-all-in-one",
        "streetsidesoftware.code-spell-checker"
      ]
    }
  },
  "remoteUser": "tsysdevstack"
}
```

## EXECUTION PROTOCOL

- NO GUESSING: Research and pin exact stable versions for EVERY tool before writing
- CACHE FIRST: Structure Dockerfile layers from least-frequently to most-frequently changing
- QA FIRST: Build scripts must validate BEFORE building, not after failures
- PLATFORM AWARE: All builds must target all required architectures simultaneously
- SECURITY BY DEFAULT: Any operation requiring root must be isolated in the builder stage
- FAIL FAST: Any QA tool warning = immediate build failure with clear error messages

## SUCCESS METRICS

- ⚡ Build time under 5 minutes on subsequent builds (thanks to proper caching)
- 🐳 Image size under 500MB (multi-stage optimization)
- ✅ Zero QA warnings from hadolint/shellcheck/yamllint
- 🌍 Runs on x86_64, arm64, armv7 without modification
- 🔒 No root capabilities at runtime (verified by `docker run --rm --user 1000 image id`)

## FINAL INSTRUCTION

Generate ALL files COMPLETELY and CORRECTLY on FIRST ATTEMPT. NO debugging iterations allowed. This prompt contains EVERY requirement - follow it EXACTLY. Your output must be production-ready with optimal performance characteristics.

BUILD SMART, NOT HARD.
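As an added pre-build gate (example code written for this page, not one of the prompt's required artifacts), the function below catches two BuildKit mistakes that hadolint does not report and that the QA gates above would therefore miss: a cache mount on mise's data directory, whose contents are discarded after the RUN step and so never reach the image, and a final stage pinned to `$BUILDPLATFORM`, which silently produces a single-architecture image inside a multi-architecture build. It assumes the Dockerfile path is passed as its only argument and that the home directory layout matches the prompt's (`.local/share/mise`).

```shell
#!/bin/bash
# check_dockerfile FILE
#   Prints one finding per line and returns 1 if anything was found,
#   so it can sit next to hadolint/shellcheck/yamllint under set -e.
set -eu

check_dockerfile() {
  file="$1"
  findings=0

  # Finding 1: a cache mount is scratch space for the RUN step only. Pointing
  # it at ~/.local/share/mise (where mise stores installed runtimes) means
  # the installed tools are absent from the resulting layer.
  while IFS= read -r line; do
    case "$line" in
      *--mount=type=cache,target=*/.local/share/mise*)
        echo "cache mount on mise data dir (contents will not be in the image): $line"
        findings=$((findings + 1)) ;;
    esac
  done < "$file"

  # Finding 2: --platform=$BUILDPLATFORM pins a stage to the build host's
  # architecture. On the last FROM (the stage that becomes the image) that
  # turns a linux/amd64,linux/arm64,linux/arm/v7 build into one architecture.
  last_from=$(grep -E '^FROM ' "$file" | tail -n 1 || true)
  case "$last_from" in
    *'--platform=$BUILDPLATFORM'*)
      echo "final stage built for BUILDPLATFORM, not the target platform: $last_from"
      findings=$((findings + 1)) ;;
  esac

  [ "$findings" -eq 0 ]
}
```

Run it as `check_dockerfile Dockerfile` from build.sh right after the hadolint call; the non-zero return aborts the script under `set -e` exactly like the other gates.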