TSYSDevStack/Toolbox/docs/documentation/sdlc/PROMPT-v2.md
2025-11-11 21:00:37 -06:00


AUTONOMOUS EXECUTION PROMPT FOR QWEN3-CODER

MISSION: Generate a production-grade Docker image for document generation that builds ON FIRST ATTEMPT with OPTIMAL CACHING and MULTI-ARCHITECTURE SUPPORT. NO ITERATION ALLOWED - OUTPUT MUST BE PERFECT.

CRITICAL PERFORMANCE CONSTRAINTS:

BUILD TIME OPTIMIZATION IS PARAMOUNT - You MUST implement advanced BuildKit caching strategies including:

- Multi-stage builds with proper layer isolation
- Dependency installation BEFORE application code to maximize cache hits
- Use --mount=type=cache directives for mise/npm/pip/cargo caches
- Separate apt-get operations into dedicated cacheable layers
- Implement a cache mount for ~/.cache/mise (downloads only). ~/.local/share/mise holds the installed runtimes and MUST stay a normal layer: a cache mount is scratch space that is never written into the image, so anything installed into it would be missing at runtime.

BUILDKIT CONFIGURATION: Every Dockerfile instruction MUST leverage BuildKit features:

```dockerfile
# syntax=docker/dockerfile:1.4
# Enable ALL BuildKit optimizations
```

- Use RUN --mount=type=cache for ALL tool installations
- Implement --cache-from and --cache-to in build.sh
- Enable parallel downloading with --parallel flag where applicable

MULTI-ARCHITECTURE BUILD:

- Use docker buildx with --platform linux/amd64,linux/arm64,linux/arm/v7
- Implement proper QEMU emulation setup in build.sh
- Use manifest lists for final image deployment

SECURITY & ARCHITECTURE REQUIREMENTS:

STAGE 1 (BUILDER): Root only for minimal apt operations and user creation
STAGE 2 (RUNTIME): 100% tsysdevstack user, NO ROOT CAPABILITIES

LAYER ORDERING PRINCIPLE: Place infrequently changing operations at top:

1. Base image + system packages (pinned versions)
2. mise installation + runtime versions (pinned)
3. Global tool installations (pinned versions)
4. Application code/configurations

CACHE BUSTING PREVENTION: Version pin EVERYTHING - no "latest" tags

QA GATES - NON-NEGOTIABLE:

PRE-BUILD VALIDATION: Generate build.sh to run these checks BEFORE any docker build:

```bash
# Dockerfile validation. hadolint's exit status is the gate, so --no-fail must
# NOT be used (it forces exit 0); --failure-threshold warning makes warnings fail too.
docker run --rm -v "$PWD":/data hadolint/hadolint hadolint --failure-threshold warning /data/Dockerfile

# Shell script validation
shellcheck run.sh build.sh test.sh

# YAML validation. devcontainer.json is JSON, which yamllint would flag for
# flow style, so it is checked with a JSON parser instead.
yamllint docker-compose.yml
jq empty devcontainer.json
```

ZERO TOLERANCE POLICY: If ANY tool reports warnings/errors, the build MUST FAIL immediately. NO EXCEPTIONS.

ARTIFACT SPECIFICATIONS:
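hadolint checks syntax and a fixed rule set, but it does not know the policies stated above: no cache mount over an install directory, no unpinned installer piped to a shell, no $BUILDPLATFORM on the runtime stage. The following is an added example, not code from the TSYSDevStack toolbox: a small policy linter that can run next to hadolint in build.sh. Its rule names, messages and the two sample Dockerfiles it checks are this example's own.

```python
"""Policy checks hadolint does not perform: the pinning and cache-mount rules above.

Added example, not code from the TSYSDevStack repo. Rule names, messages and the
two sample Dockerfiles are this example's own.
"""
import re
from typing import List, Set, Tuple

# Cache mounts are scratch space that never reaches the image; a tool that installs
# into one of these directories silently vanishes from the final layer.
INSTALL_DIRS = ("/.local/share/mise",)
# Package manager -> separator that marks a pinned version in its install syntax
PIN_SEPARATOR = {"apt-get": "=", "apt": "=", "npm": "@", "pip": "==", "pip3": "=="}
SHELL_OPERATORS = ("&&", "||", ";", "|")


def _logical_lines(text: str) -> List[str]:
    """Join backslash-continued lines so each entry is one Dockerfile instruction."""
    lines, buf = [], ""
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        buf += line
        if buf.strip():
            lines.append(buf.strip())
        buf = ""
    if buf.strip():
        lines.append(buf.strip())
    return lines


def _packages(tokens: List[str], start: int) -> List[str]:
    """Positional arguments after tokens[start], up to the next shell operator."""
    pkgs = []
    for tok in tokens[start + 1:]:
        if tok in SHELL_OPERATORS:
            break
        if not tok.startswith("-"):
            pkgs.append(tok)
    return pkgs


def check_dockerfile(text: str) -> List[str]:
    """Return one 'rule (where): detail' string per violation; empty means clean."""
    findings: List[str] = []
    stages: Set[str] = {"scratch"}          # FROM targets that are not registry images
    last_from: Tuple[int, str] = (0, "")
    user = "root"
    for n, ins in enumerate(_logical_lines(text), 1):
        if ins.startswith("#"):
            continue
        word, _, rest = ins.partition(" ")
        word, tokens = word.upper(), rest.split()
        if word == "FROM":
            image = next((t for t in tokens if not t.startswith("--")), "")
            last_from = (n, rest)
            pinned = "@sha256:" in image or (":" in image and not image.endswith(":latest"))
            if image not in stages and not pinned:
                findings.append(f"unpinned-image (line {n}): {image!r} needs a non-latest tag or a digest")
            if len(tokens) >= 2 and tokens[-2].upper() == "AS":
                stages.add(tokens[-1])
        elif word == "USER":
            user = tokens[0] if tokens else "root"
        elif word == "RUN":
            for mount in re.findall(r"--mount=(\S+)", rest):
                opts = dict(kv.split("=", 1) for kv in mount.split(",") if "=" in kv)
                target = opts.get("target", "")
                if opts.get("type") == "cache" and any(d in target for d in INSTALL_DIRS):
                    findings.append(f"cache-over-install-dir (line {n}): {target} is a cache mount, "
                                    "so whatever is installed there is not in the image")
            if re.search(r"\|\s*(sh|bash)\b", rest):
                findings.append(f"piped-installer (line {n}): installer piped to a shell; "
                                "pin its version and verify a checksum")
            for i, tok in enumerate(tokens):
                if tok != "install" or i == 0 or tokens[i - 1] not in PIN_SEPARATOR:
                    continue
                sep = PIN_SEPARATOR[tokens[i - 1]]
                for pkg in _packages(tokens, i):  # note: pip -r files are not expanded
                    if sep not in pkg[1:]:  # [1:] so a leading @scope does not count as a pin
                        findings.append(f"unpinned-package (line {n}): {pkg} has no {sep}<version>")
    if "--platform=$BUILDPLATFORM" in last_from[1]:
        findings.append(f"buildplatform-final-stage (line {last_from[0]}): the runtime stage is forced "
                        "to the build host's architecture, so the other platforms are not native")
    if user in ("root", "0"):
        findings.append("root-at-runtime (end): no non-root USER is in effect at the end of the Dockerfile")
    return findings


# Constructed sample: every rule violated at least once
BAD = """\
# syntax=docker/dockerfile:1.4
FROM --platform=$BUILDPLATFORM debian:latest AS builder
RUN apt-get update && \\
    apt-get install -y --no-install-recommends curl ca-certificates=20230311 && \\
    rm -rf /var/lib/apt/lists/*
RUN --mount=type=cache,target=/home/tsysdevstack/.local/share/mise \\
    curl https://mise.run | sh
RUN npm install -g mdbook @marp-team/marp-cli@3.1.1
FROM --platform=$BUILDPLATFORM debian:bookworm-slim
COPY --from=builder /home/tsysdevstack /home/tsysdevstack
CMD ["bash"]
"""

# Constructed sample: the same structure written to policy
GOOD = """\
FROM debian:bookworm-slim AS builder
RUN apt-get update && \\
    apt-get install -y --no-install-recommends curl=7.88.1-10+deb12u5 && \\
    rm -rf /var/lib/apt/lists/*
USER tsysdevstack
RUN --mount=type=cache,target=/home/tsysdevstack/.cache/mise \\
    mise use --global node@20.11.1
FROM debian:bookworm-slim AS runtime
COPY --from=builder /home/tsysdevstack /home/tsysdevstack
USER tsysdevstack
CMD ["bash"]
"""

if __name__ == "__main__":
    for finding in check_dockerfile(BAD):
        print(finding)
```

In build.sh this sits next to the hadolint call (`python3 check_dockerfile_policy.py Dockerfile` with a `sys.exit(1)` when the list is non-empty, if the script is given a file argument); the two sample Dockerfiles above are only there so the checker can be exercised without a real build.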

1. Dockerfile - OPTIMIZED STRUCTURE:

```dockerfile
# syntax=docker/dockerfile:1.4

# STAGE 1: Minimal builder with root access.
# No --platform=$BUILDPLATFORM here: this stage's output is copied into the runtime
# image, so it must be built for the target architecture, not the build host's.
FROM debian:bookworm-slim AS builder

# Cache busting protection - PIN EVERY VERSION
ARG DEBIAN_FRONTEND=noninteractive
ENV TZ=Etc/UTC

# System dependencies (pinned versions where possible)
RUN apt-get update && \
    apt-get install -y --no-install-recommends \
        curl=7.88.1-10+deb12u5 \
        ca-certificates=20230311 \
        gnupg=2.2.40-1.1 \
        build-essential=12.9 \
    && rm -rf /var/lib/apt/lists/*

# Create unprivileged user EARLY (no sudo group: the runtime must have no route to root)
RUN useradd -m -u 1000 tsysdevstack && \
    mkdir -p /home/tsysdevstack/.cache && \
    chown -R tsysdevstack:tsysdevstack /home/tsysdevstack

# Everything from here on runs as the unprivileged user
USER tsysdevstack
WORKDIR /home/tsysdevstack
ENV PATH=/home/tsysdevstack/.local/bin:/home/tsysdevstack/.local/share/mise/shims:$PATH
SHELL ["/bin/bash", "-o", "pipefail", "-c"]

# Mise installation with cache optimization.
# Only ~/.cache/mise (downloads) is a cache mount. ~/.local/share/mise holds the
# installed runtimes and stays a normal layer; as a cache mount it would not be in
# the image. MISE_VERSION pins the installer (supplied by build.sh, no default so
# an unpinned build fails instead of silently fetching whatever is current).
ARG MISE_VERSION
RUN --mount=type=cache,target=/home/tsysdevstack/.cache/mise,uid=1000,gid=1000 \
    curl -fsSL https://mise.run | MISE_VERSION="${MISE_VERSION:?pin a mise release}" sh && \
    mise use --global node@20.11.1 python@3.11.8 rust@1.76.0 ruby@3.3.0

# Tool installations with cache mounts and version pinning.
# NOTE: pandoc, mdbook, typst, quarto and vale are shipped as native binaries, not as
# npm packages; confirm each name and version actually exists on npm before pinning it
# (the Marp CLI is published as @marp-team/marp-cli), or install those via mise.
RUN --mount=type=cache,target=/home/tsysdevstack/.npm,uid=1000,gid=1000 \
    npm install -g --no-fund --no-audit --no-progress \
        pandoc@3.1.11 \
        mdbook@0.4.37 \
        typst@0.11.1 \
        @marp-team/marp-cli@3.1.1 \
        markwhen@1.2.3 \
        kroki-cli@0.18.0 \
        quarto@1.4.539 \
        vale@3.4.1

# STAGE 2: Runtime environment - NO ROOT. Built for $TARGETPLATFORM (the default),
# so every platform in the manifest list gets its own native image.
FROM debian:bookworm-slim AS runtime

# Bring over only what the unprivileged user needs: its account entries, the CA
# bundle, and its home (mise, runtimes, tools). No apt and no root work here.
COPY --from=builder /etc/passwd /etc/group /etc/
COPY --from=builder /etc/ssl/certs /etc/ssl/certs
COPY --from=builder /usr/share/ca-certificates /usr/share/ca-certificates
COPY --from=builder --chown=1000:1000 /home/tsysdevstack /home/tsysdevstack

# Security hardening
USER tsysdevstack
WORKDIR /home/tsysdevstack
ENV PATH=/home/tsysdevstack/.local/bin:/home/tsysdevstack/.local/share/mise/shims:$PATH

# Application code last: it changes most often
COPY --chown=1000:1000 run.sh /home/tsysdevstack/run.sh

# run.sh refuses to run as root and execs the command; CMD is only the default command
ENTRYPOINT ["/home/tsysdevstack/run.sh"]
CMD ["bash"]
```

2. build.sh - OPTIMIZED BUILD SCRIPT:

```bash
#!/bin/bash
set -euxo pipefail

IMAGE=tsysdevstack/toolboxes-docs
CACHE_DIR=/tmp/.buildx-cache
# Pinned mise release tag, chosen by the operator after checking the current stable release
: "${MISE_VERSION:?set MISE_VERSION to a pinned mise release tag}"

# PRE-BUILD QA GATES (set -e aborts on the first non-zero exit status)
echo "🔍 Running pre-build validation..."
docker run --rm -v "$PWD":/data hadolint/hadolint hadolint --failure-threshold warning /data/Dockerfile
shellcheck run.sh build.sh test.sh
yamllint docker-compose.yml
jq empty devcontainer.json

# QEMU user-mode emulation so the arm64 and arm/v7 stages can run on an amd64 host
echo "🧩 Registering binfmt handlers..."
docker run --privileged --rm tonistiigi/binfmt --install all

# Setup buildx builder with caching (reuse it when a previous run already created it)
echo "🚀 Setting up buildx builder..."
docker buildx create --use --name docs-builder --driver docker-container \
  || docker buildx use docs-builder
docker buildx inspect --bootstrap

# Multi-platform build with advanced caching.
# A multi-platform result cannot be loaded into the local daemon; it stays in the
# builder until pushed (push=true) or exported, which is why test.sh builds a
# single-platform variant it can docker run.
echo "🏗️ Building multi-platform image..."
docker buildx build \
  --platform linux/amd64,linux/arm64,linux/arm/v7 \
  --build-arg MISE_VERSION="$MISE_VERSION" \
  --tag "$IMAGE:latest" \
  --tag "$IMAGE:$(date +%Y%m%d)" \
  --cache-from "type=local,src=$CACHE_DIR" \
  --cache-to "type=local,dest=$CACHE_DIR-new,mode=max" \
  --output type=image,push=false \
  .

# Rotate cache so the local cache directory does not grow without bound
echo "🔄 Rotating build cache..."
rm -rf "$CACHE_DIR"
mv "$CACHE_DIR-new" "$CACHE_DIR"

echo "Build completed successfully!"
```

3. run.sh - SECURE EXECUTION:

```bash
#!/bin/bash
# -x is deliberately not set: an entrypoint trace would leak into every tool's stderr
set -euo pipefail

# Security validation before execution: refuse to run as root even when the
# image's USER is overridden with --user 0
if [ "$(id -u)" -eq 0 ]; then
  echo "ERROR: Running as root is not allowed!" >&2
  exit 1
fi

# Default command when none is given (exec with no arguments would just exit 0)
if [ "$#" -eq 0 ]; then
  set -- bash
fi

# Execute command with proper environment; exec replaces the shell so signals reach the tool
exec "$@"
```

4. test.sh - COMPREHENSIVE VALIDATION:

```bash
#!/bin/bash
set -euxo pipefail

IMAGE=tsysdevstack/toolboxes-docs:test

# The multi-platform image from build.sh is not in the local daemon, so build a
# native single-platform variant from the same cache and load it for testing.
docker buildx build --load --tag "$IMAGE" \
  --build-arg MISE_VERSION="${MISE_VERSION:?set MISE_VERSION to the release pinned in build.sh}" \
  --cache-from type=local,src=/tmp/.buildx-cache .

# Test image functionality
echo "🧪 Testing document generation capabilities..."

# Non-root is verified from inside the container rather than assumed from the
# Dockerfile: the uid must be 1000 and the effective capability set must be empty.
docker run --rm --user 1000 "$IMAGE" id -u | grep -qx 1000
docker run --rm "$IMAGE" sh -c 'grep -q "^CapEff:[[:space:]]*0*$" /proc/self/status'

# Test pandoc
docker run --rm "$IMAGE" sh -c "pandoc --version && echo 'Pandoc works'"

# Test mdbook
docker run --rm "$IMAGE" sh -c "mdbook --version && echo 'mdbook works'"

echo "🎉 All tests passed!"
```

5. docker-compose.yml - DEVELOPMENT OPTIMIZATION:

```yaml
---
# No top-level `version` key: Compose v2 ignores it and warns that it is obsolete
services:
  docs:
    build:
      context: .
      # cache_from entries are strings in buildx syntax, not mappings
      cache_from:
        - type=local,src=/tmp/.buildx-cache
    image: tsysdevstack/toolboxes-docs:dev
    user: "1000:1000"
    # NO ROOT CAPABILITIES at runtime, as required above
    cap_drop:
      - ALL
    security_opt:
      - no-new-privileges:true
    volumes:
      - ./output:/home/tsysdevstack/output
      - ./docs:/home/tsysdevstack/docs
    working_dir: /home/tsysdevstack
```

6. devcontainer.json - DEVELOPER EXPERIENCE:

```json
{
  "name": "TSYS Docs & Diagrams",
  "image": "tsysdevstack/toolboxes-docs:latest",
  "runArgs": ["--user=1000"],
  "customizations": {
    "vscode": {
      "extensions": [
        "yzhang.markdown-all-in-one",
        "streetsidesoftware.code-spell-checker"
      ]
    }
  },
  "remoteUser": "tsysdevstack"
}
```

EXECUTION PROTOCOL:

- NO GUESSING: Research and pin exact stable versions for EVERY tool before writing
- CACHE FIRST: Structure Dockerfile layers from least-frequently to most-frequently changing
- QA FIRST: Build scripts must validate BEFORE building, not after failures
- PLATFORM AWARE: All builds must target all required architectures simultaneously
- SECURITY BY DEFAULT: Any operation requiring root must be isolated in the builder stage
- FAIL FAST: Any QA tool warning = immediate build failure with clear error messages

SUCCESS METRICS:

- Build time under 5 minutes on subsequent builds (thanks to proper caching)
- 🐳 Image size under 500MB (multi-stage optimization)
- Zero QA warnings from hadolint/shellcheck/yamllint
- 🌐 Runs on x86_64, arm64, armv7 without modification
- 🔒 No root capabilities at runtime (verified by docker run --rm --user 1000 image id)

FINAL INSTRUCTION: Generate ALL files COMPLETELY and CORRECTLY on FIRST ATTEMPT. NO debugging iterations allowed. This prompt contains EVERY requirement - follow it EXACTLY. Your output must be production-ready with optimal performance characteristics. BUILD SMART, NOT HARD.
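The "runs on x86_64, arm64, armv7" metric is only met if the pushed manifest list really carries a manifest per platform; a stage pinned to $BUILDPLATFORM produces an index in which every entry is the host's architecture. The following is an added example, not part of the TSYSDevStack toolbox: it parses the OCI image index that `docker buildx imagetools inspect --raw <image>` prints and reports which required platforms are missing. The two indexes it checks are constructed sample data with placeholder digests, and it skips the unknown/unknown attestation manifests that BuildKit attaches when provenance is enabled, since those are not runnable images.

```python
"""Check that a manifest list covers every required platform.

Added example (not from the TSYSDevStack repo). Parses the OCI image index that
`docker buildx imagetools inspect --raw <image>` prints; the indexes below are
constructed sample data with placeholder digests.
"""
import json
from typing import Dict, List, Set

REQUIRED_PLATFORMS = ("linux/amd64", "linux/arm64", "linux/arm/v7")


def _platform_key(platform: Dict[str, str]) -> str:
    """Normalise os/architecture/variant into the string buildx --platform uses."""
    os_name = platform.get("os", "")
    arch = platform.get("architecture", "")
    variant = platform.get("variant", "")
    # arm64 images are frequently indexed as arm64/v8; buildx treats both as linux/arm64
    if arch == "arm64" and variant == "v8":
        variant = ""
    return "/".join(part for part in (os_name, arch, variant) if part)


def image_platforms(index_json: str) -> Set[str]:
    """Platforms that actually have an image manifest in the index.

    BuildKit also attaches provenance/SBOM attestation manifests with platform
    unknown/unknown; those are not runnable images and are skipped.
    """
    index = json.loads(index_json)
    found: Set[str] = set()
    for manifest in index.get("manifests", []):
        annotations = manifest.get("annotations", {})
        if annotations.get("vnd.docker.reference.type") == "attestation-manifest":
            continue
        platform = manifest.get("platform")
        if not platform or platform.get("os") == "unknown":
            continue
        found.add(_platform_key(platform))
    return found


def missing_platforms(index_json: str, required=REQUIRED_PLATFORMS) -> List[str]:
    """Required platforms with no manifest; an empty list means the build is complete."""
    present = image_platforms(index_json)
    return [p for p in required if p not in present]


def _manifest(digest_char: str, os_name: str, arch: str, variant: str = "",
              attestation: bool = False) -> dict:
    """One index entry (constructed sample data; the digest is a placeholder)."""
    entry = {
        "mediaType": "application/vnd.oci.image.manifest.v1+json",
        "digest": "sha256:" + digest_char * 64,
        "size": 1234,
        "platform": {"os": os_name, "architecture": arch},
    }
    if variant:
        entry["platform"]["variant"] = variant
    if attestation:
        entry["annotations"] = {
            "vnd.docker.reference.type": "attestation-manifest",
            "vnd.docker.reference.digest": "sha256:" + "a" * 64,
        }
    return entry


# Constructed sample: a complete three-platform push with provenance attached
COMPLETE_INDEX = json.dumps({
    "schemaVersion": 2,
    "mediaType": "application/vnd.oci.image.index.v1+json",
    "manifests": [
        _manifest("a", "linux", "amd64"),
        _manifest("b", "linux", "arm64", "v8"),
        _manifest("c", "linux", "arm", "v7"),
        _manifest("d", "unknown", "unknown", attestation=True),
    ],
})

# Constructed sample: what a build pinned to the host's platform produces
HOST_ONLY_INDEX = json.dumps({
    "schemaVersion": 2,
    "mediaType": "application/vnd.oci.image.index.v1+json",
    "manifests": [_manifest("e", "linux", "amd64")],
})

if __name__ == "__main__":
    for name, index in (("complete", COMPLETE_INDEX), ("host-only", HOST_ONLY_INDEX)):
        print(name, "missing:", missing_platforms(index) or "none")
```

After a real push, pipe the inspect output into `missing_platforms` and fail the pipeline on a non-empty result; before a push the same check can be run against the `--output type=oci` tarball's index.json.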