feat: add Docker prebuild, config validation, and mandatory pre-flight gate

sjarmak · claude · sjarmak · commit 891644f269a5 · 2026-02-22T13:41:52.000Z
- Add validate_config_name() to _common.sh (strict whitelist, exit 1 on unknown)
- Add confirm_launch() shared pre-flight gate (Docker, disk, tokens, interactive)
- Remove --yes flag from run_selected_tasks.sh (agents must not bypass gate)
- Add --skip-prebuild flag and wire ensure_base_images/prebuild_images into runner
- Add check_dockerfile_variants() to block runs with missing Dockerfile.sg_only/artifact_only
- Replace minimal confirmation with rich pre-flight summary (config pair, Dockerfile
  readiness, Docker status, account tokens, disk space, prebuild status)
- Add Run Launch Policy to CLAUDE.md and AGENTS.md

Co-Authored-By: Claude Opus 4.6 &lt;noreply@anthropic.com&gt;
diff --git a/AGENTS.md b/AGENTS.md
@@ -35,6 +35,15 @@ per-task details. See `docs/MCP_UNIQUE_TASKS.md` for the MCP-unique extension.
 - Never run `git checkout -b` or `git switch -c`.
 - Commit directly to `main`. This avoids cross-session branch confusion when multiple agents work on the repo.
 
+## Run Launch Policy
+- **Every `harbor run` invocation MUST be gated by interactive confirmation.**
+  The user must see a pre-flight summary and press Enter before any benchmark
+  task launches. There is no `--yes` or unattended mode.
+- Use `confirm_launch "description" "config" N` from `_common.sh` in one-off
+  scripts. `run_selected_tasks.sh` has its own built-in pre-flight gate.
+- **Never write a script that calls `harbor run` without a confirmation gate.**
+- **Never pass `--yes` to `run_selected_tasks.sh`** — the flag has been removed.
+
 ## Typical Skill Routing
 Use these defaults unless there is a task-specific reason not to.
 
@@ -109,7 +118,7 @@ python3 scripts/repo_health.py                      # repo health gate (before p
 ```
 
 ## Script Entrypoints
-- `configs/_common.sh` - shared run infra (parallelism, token refresh, validation hooks)
+- `configs/_common.sh` - shared run infra (parallelism, token refresh, validation hooks, `confirm_launch()`, `validate_config_name()`)
 - `configs/sdlc_suite_2config.sh` - generic SDLC runner (used by phase wrappers)
 - `configs/{build,debug,design,document,fix,secure,test}_2config.sh` - thin SDLC phase wrappers
 - `configs/run_selected_tasks.sh` - unified runner from `selected_benchmark_tasks.json`
diff --git a/CLAUDE.md b/CLAUDE.md
@@ -35,6 +35,15 @@ per-task details. See `docs/MCP_UNIQUE_TASKS.md` for the MCP-unique extension.
 - Never run `git checkout -b` or `git switch -c`.
 - Commit directly to `main`. This avoids cross-session branch confusion when multiple agents work on the repo.
 
+## Run Launch Policy
+- **Every `harbor run` invocation MUST be gated by interactive confirmation.**
+  The user must see a pre-flight summary and press Enter before any benchmark
+  task launches. There is no `--yes` or unattended mode.
+- Use `confirm_launch "description" "config" N` from `_common.sh` in one-off
+  scripts. `run_selected_tasks.sh` has its own built-in pre-flight gate.
+- **Never write a script that calls `harbor run` without a confirmation gate.**
+- **Never pass `--yes` to `run_selected_tasks.sh`** — the flag has been removed.
+
 ## Typical Skill Routing
 Use these defaults unless there is a task-specific reason not to.
 
@@ -109,7 +118,7 @@ python3 scripts/repo_health.py                      # repo health gate (before p
 ```
 
 ## Script Entrypoints
-- `configs/_common.sh` - shared run infra (parallelism, token refresh, validation hooks)
+- `configs/_common.sh` - shared run infra (parallelism, token refresh, validation hooks, `confirm_launch()`, `validate_config_name()`)
 - `configs/sdlc_suite_2config.sh` - generic SDLC runner (used by phase wrappers)
 - `configs/{build,debug,design,document,fix,secure,test}_2config.sh` - thin SDLC phase wrappers
 - `configs/run_selected_tasks.sh` - unified runner from `selected_benchmark_tasks.json`
diff --git a/configs/_common.sh b/configs/_common.sh
@@ -88,6 +88,95 @@ baseline_config_for() {
     esac
 }
 
+# Validate a config name against the known whitelist.
+# Exits 1 with error message if unknown. Call before config_to_mcp_type().
+validate_config_name() {
+    local config_name="$1"
+    case "$config_name" in
+        baseline-local-direct|mcp-remote-direct|\
+        baseline-local-artifact|mcp-remote-artifact|\
+        baseline|sourcegraph_full|artifact_full|none)
+            return 0 ;;
+        *)
+            echo "ERROR: Unknown config name: '$config_name'" >&2
+            echo "  Valid: baseline-local-direct, mcp-remote-direct, baseline-local-artifact, mcp-remote-artifact" >&2
+            echo "  Legacy: baseline, sourcegraph_full, artifact_full, none" >&2
+            exit 1 ;;
+    esac
+}
+
+# ============================================
+# PRE-FLIGHT CONFIRMATION GATE
+# ============================================
+# Shared pre-flight check for any script that launches harbor runs.
+# Shows config, Docker status, disk, and tokens, then requires interactive
+# confirmation. MUST be called before any harbor run invocation.
+#
+# Usage: confirm_launch "description" "config_name" [n_tasks]
+#   $1 = short description (e.g., "MCP rerun: 3 SWE-Perf tasks")
+#   $2 = config name (e.g., "mcp-remote-artifact")
+#   $3 = number of tasks (default: 1)
+#
+# Exits 1 on Docker failure or low disk. Always requires Enter to proceed.
+confirm_launch() {
+    local description="${1:-Harbor run}"
+    local config_name="${2:-unknown}"
+    local n_tasks="${3:-1}"
+
+    echo "----------------------------------------------"
+    echo "PRE-FLIGHT: $description"
+    echo "----------------------------------------------"
+    echo "Config:       $config_name"
+    echo "Tasks:        $n_tasks"
+
+    # Docker daemon
+    if timeout 10 docker info >/dev/null 2>&1; then
+        echo "Docker:       OK"
+    else
+        echo "Docker:       FAIL — daemon not responding"
+        exit 1
+    fi
+
+    # Disk space
+    local _repo_root
+    _repo_root="$(cd "$(dirname "${BASH_SOURCE[0]}")/.." && pwd)"
+    local _disk_free
+    _disk_free=$(df -BG --output=avail "$_repo_root" 2>/dev/null | tail -1 | tr -d ' G')
+    if [ -n "$_disk_free" ] && [ "$_disk_free" -lt 5 ]; then
+        echo "Disk space:   FAIL — only ${_disk_free}GB free"
+        exit 1
+    elif [ -n "$_disk_free" ] && [ "$_disk_free" -lt 20 ]; then
+        echo "Disk space:   WARN — ${_disk_free}GB free"
+    else
+        echo "Disk space:   OK (${_disk_free:-?}GB free)"
+    fi
+
+    # Token freshness (if multi-account is set up)
+    if [ "${#CLAUDE_HOMES[@]}" -gt 0 ] 2>/dev/null; then
+        echo "Accounts:     ${#CLAUDE_HOMES[@]} active"
+        for _home_dir in "${CLAUDE_HOMES[@]}"; do
+            local _creds="${_home_dir}/.claude/.credentials.json"
+            if [ -f "$_creds" ]; then
+                local _remaining
+                _remaining=$(python3 -c "
+import json, time, sys
+try:
+    d = json.load(open(sys.argv[1]))
+    exp = d.get('claudeAiOauth',{}).get('expiresAt',0)
+    rem = int((exp - time.time()*1000) / 60000)
+    print(f'{rem} min remaining')
+except: print('unknown')
+" "$_creds" 2>/dev/null)
+                echo "  $(basename "$_home_dir"): $_remaining"
+            fi
+        done
+    fi
+
+    echo "----------------------------------------------"
+    read -r -p "Press Enter to proceed, Ctrl+C to abort... " _
+    echo ""
+}
+
 # ============================================
 # VERIFIER DEBUG MODE
 # ============================================
diff --git a/configs/run_selected_tasks.sh b/configs/run_selected_tasks.sh
@@ -25,7 +25,7 @@
 #   --category CATEGORY             Run category (default: staging)
 #   --skip-completed                Skip tasks that already have result.json + task_metrics.json
 #   --dry-run                       Print tasks without running
-#   --yes                           Skip confirmation prompt (non-interactive mode)
+#   --skip-prebuild                 Skip Docker image pre-build (use when images already cached)
 #
 # Prerequisites:
 #   - configs/selected_benchmark_tasks.json in repo (or --selection-file path)
@@ -61,7 +61,7 @@ CATEGORY="${CATEGORY:-staging}"
 FULL_CONFIG="${FULL_CONFIG:-mcp-remote-direct}"
 DRY_RUN=false
 SKIP_COMPLETED=false
-YES=false
+SKIP_PREBUILD=false
 AGENT_PATH="agents.claude_baseline_agent:BaselineClaudeCodeAgent"
 
 while [[ $# -gt 0 ]]; do
@@ -114,8 +114,8 @@ while [[ $# -gt 0 ]]; do
             DRY_RUN=true
             shift
             ;;
-        --yes)
-            YES=true
+        --skip-prebuild)
+            SKIP_PREBUILD=true
             shift
             ;;
         *)
@@ -151,6 +151,10 @@ BASELINE_CONFIG=$(baseline_config_for "$FULL_CONFIG")
 BL_MCP_TYPE=$(config_to_mcp_type "$BASELINE_CONFIG")
 FULL_MCP_TYPE=$(config_to_mcp_type "$FULL_CONFIG")
 
+# Strict validation — exit immediately on unknown config names
+validate_config_name "$BASELINE_CONFIG"
+validate_config_name "$FULL_CONFIG"
+
 # ============================================
 # EXTRACT TASKS FROM SELECTION FILE
 # ============================================
@@ -250,17 +254,164 @@ if [ "$DRY_RUN" = true ]; then
             echo "  ... and $(( count - 5 )) more"
         fi
     done
+    if [ "$SKIP_PREBUILD" = false ]; then
+        echo ""
+        echo "[DRY RUN] Would pre-build Docker images for: ${!BENCHMARK_COUNTS[*]}"
+    fi
     exit 0
 fi
 
 # ============================================
-# CONFIRMATION GATE
+# DOCKERFILE VARIANT CHECK
+# ============================================
+# Verify all tasks have the required Dockerfile variant for the chosen config
+# BEFORE asking the user to confirm.
+check_dockerfile_variants() {
+    DOCKERFILE_MISSING_COUNT=0
+    DOCKERFILE_READY_COUNT=0
+    DOCKERFILE_WARNINGS=""
+
+    local _is_artifact=false
+    [[ "$FULL_CONFIG" == *artifact* ]] && _is_artifact=true
+
+    for bm in $(echo "${!BENCHMARK_TASK_DIRS[@]}" | tr ' ' '\n' | sort); do
+        while IFS= read -r task_path; do
+            [ -z "$task_path" ] && continue
+            local abs_path="$REPO_ROOT/$task_path"
+            local task_id
+            task_id=$(basename "$task_path")
+
+            # Baseline: needs environment/Dockerfile
+            if [ "$RUN_BASELINE" = true ] && [ ! -f "${abs_path}/environment/Dockerfile" ]; then
+                DOCKERFILE_WARNINGS+="  MISSING: ${task_id} — Dockerfile (baseline)"$'\n'
+                DOCKERFILE_MISSING_COUNT=$(( DOCKERFILE_MISSING_COUNT + 1 ))
+            fi
+
+            # Full/MCP: needs the variant Dockerfile
+            if [ "$RUN_FULL" = true ]; then
+                if [ "$_is_artifact" = true ]; then
+                    if [ ! -f "${abs_path}/environment/Dockerfile.artifact_only" ]; then
+                        DOCKERFILE_WARNINGS+="  MISSING: ${task_id} — Dockerfile.artifact_only"$'\n'
+                        DOCKERFILE_MISSING_COUNT=$(( DOCKERFILE_MISSING_COUNT + 1 ))
+                    else
+                        DOCKERFILE_READY_COUNT=$(( DOCKERFILE_READY_COUNT + 1 ))
+                    fi
+                else
+                    if [ ! -f "${abs_path}/environment/Dockerfile.sg_only" ]; then
+                        DOCKERFILE_WARNINGS+="  MISSING: ${task_id} — Dockerfile.sg_only"$'\n'
+                        DOCKERFILE_MISSING_COUNT=$(( DOCKERFILE_MISSING_COUNT + 1 ))
+                    else
+                        DOCKERFILE_READY_COUNT=$(( DOCKERFILE_READY_COUNT + 1 ))
+                    fi
+                fi
+            fi
+        done <<< "$(echo "${BENCHMARK_TASK_DIRS[$bm]}" | grep -v '^$')"
+    done
+}
+
+# ============================================
+# PRE-FLIGHT VERIFICATION
 # ============================================
-if [ "$YES" != true ]; then
-    echo "----------------------------------------------"
-    echo "Ready to launch $TOTAL_AGENT_RUNS agent runs ($PARALLEL_TASKS parallel)."
+echo "----------------------------------------------"
+echo "PRE-FLIGHT VERIFICATION"
+echo "----------------------------------------------"
+echo ""
+
+# 1. Config pair
+echo "Config pair:"
+if [ "$RUN_BASELINE" = true ]; then
+    echo "  Baseline: $BASELINE_CONFIG (mcp_type=$BL_MCP_TYPE)"
+fi
+if [ "$RUN_FULL" = true ]; then
+    echo "  Full:     $FULL_CONFIG (mcp_type=$FULL_MCP_TYPE)"
+fi
+echo ""
+
+# 2. Dockerfile variant readiness
+check_dockerfile_variants
+if [ "$RUN_FULL" = true ]; then
+    _variant_name="Dockerfile.sg_only"
+    [[ "$FULL_CONFIG" == *artifact* ]] && _variant_name="Dockerfile.artifact_only"
+    echo "Dockerfile variants ($_variant_name):"
+    echo "  Ready:   $DOCKERFILE_READY_COUNT / $TOTAL_TASKS"
+    if [ "$DOCKERFILE_MISSING_COUNT" -gt 0 ]; then
+        echo "  MISSING: $DOCKERFILE_MISSING_COUNT"
+        echo -e "$DOCKERFILE_WARNINGS"
+    fi
     echo ""
-    read -r -p "Press Enter to proceed, Ctrl+C to abort... " _
+fi
+
+# 3. Docker daemon
+if timeout 10 docker info >/dev/null 2>&1; then
+    echo "Docker:       OK"
+else
+    echo "Docker:       FAIL — daemon not responding"
+    exit 1
+fi
+
+# 4. Account token freshness
+if [ "${#CLAUDE_HOMES[@]}" -gt 0 ]; then
+    echo "Accounts:     ${#CLAUDE_HOMES[@]} active"
+    for _home_dir in "${CLAUDE_HOMES[@]}"; do
+        _creds="${_home_dir}/.claude/.credentials.json"
+        if [ -f "$_creds" ]; then
+            _remaining=$(python3 -c "
+import json, time, sys
+try:
+    d = json.load(open(sys.argv[1]))
+    exp = d.get('claudeAiOauth',{}).get('expiresAt',0)
+    rem = int((exp - time.time()*1000) / 60000)
+    print(f'{rem} min remaining')
+except: print('unknown')
+" "$_creds" 2>/dev/null)
+            echo "  $(basename "$_home_dir"): $_remaining"
+        fi
+    done
+else
+    echo "Accounts:     default (single account)"
+fi
+
+# 5. Disk space
+_disk_free=$(df -BG --output=avail "$REPO_ROOT" 2>/dev/null | tail -1 | tr -d ' G')
+if [ -n "$_disk_free" ] && [ "$_disk_free" -lt 5 ]; then
+    echo "Disk space:   FAIL — only ${_disk_free}GB free"
+    exit 1
+elif [ -n "$_disk_free" ] && [ "$_disk_free" -lt 20 ]; then
+    echo "Disk space:   WARN — ${_disk_free}GB free (may run low)"
+else
+    echo "Disk space:   OK (${_disk_free:-?}GB free)"
+fi
+
+# 6. Prebuild status
+if [ "$SKIP_PREBUILD" = false ]; then
+    echo "Prebuild:     enabled (${!BENCHMARK_COUNTS[*]})"
+else
+    echo "Prebuild:     SKIPPED (--skip-prebuild)"
+fi
+echo ""
+
+# 7. Critical blockers — exit before confirmation
+if [ "$DOCKERFILE_MISSING_COUNT" -gt 0 ]; then
+    echo "BLOCKED: $DOCKERFILE_MISSING_COUNT task(s) missing required Dockerfile variant."
+    echo "Fix: Run python3 scripts/generate_sgonly_dockerfiles.py for affected tasks."
+    exit 1
+fi
+
+echo "----------------------------------------------"
+echo "Ready to launch $TOTAL_AGENT_RUNS agent runs ($PARALLEL_TASKS parallel)."
+echo ""
+read -r -p "Press Enter to proceed, Ctrl+C to abort... " _
+echo ""
+
+# ============================================
+# DOCKER IMAGE PRE-BUILD
+# ============================================
+if [ "$SKIP_PREBUILD" = false ]; then
+    echo "=== Pre-building Docker images ==="
+    ensure_base_images
+    for bm in $(echo "${!BENCHMARK_COUNTS[@]}" | tr ' ' '\n' | sort); do
+        prebuild_images "$bm"
+    done
     echo ""
 fi
 
