commit: Sync main with develop - Infrastructure & DevOps Modernization

.codex/README.md

@@ -0,0 +1,33 @@
+# Codex Policy Notes (Strict Workspace Safety)
+
+This repository uses a strict Codex approval policy for cross-platform use on:
+
+- Windows 11 (`powershell` / `pwsh`)
+- Devcontainer environments
+
+## Intent
+
+- Keep `approval_policy = "untrusted"` and `sandbox_mode = "workspace-write"`.
+- Keep network access disabled in workspace sandbox (`network_access = false`).
+- Use a narrow allowlist in `.codex/rules/default.rules` for expected low-risk workflows.
+
+## Important Limitation
+
+`allow` rules are convenience controls for command prefixes. They are **not** a workspace-path guard and do not prove a command is read-only.
+
+Because of that, this repo does **not** allow broad command prefixes such as:
+
+- generic shell wrappers (for example `pwsh -Command ...`, `bash -lc ...`)
+- broad read command families (`ls`, `cat`, `find`, etc.)
+
+Extra read commands may still require approval by design.
+
+## Expected No-Prompt Commands
+
+- Selected git read operations (`status`, `diff`, `log`, `show`, `rev-parse`, `branch --show-current`, `ls-files`)
+- Repo check script (`Invoke-RepoChecks.ps1`) in `pwsh` and `powershell`
+- Direct analyzer/test commandlets:
+  - `Invoke-ScriptAnalyzer`
+  - `Invoke-Pester`
+
+All other commands are intentionally reviewed case-by-case.

.codex/config.toml

@@ -0,0 +1,45 @@
+model = "gpt-5.3-codex"
+model_reasoning_effort = "high"
+model_verbosity = "high"
+
+approval_policy = "untrusted"
+sandbox_mode = "workspace-write"
+allow_login_shell = false
+
+cli_auth_credentials_store = "auto"
+web_search = "live"
+
+[features]
+multi_agent = true
+
+[agents]
+max_threads = 4
+max_depth = 1
+
+[shell_environment_policy]
+inherit = "core"
+ignore_default_excludes = false
+
+[sandbox_workspace_write]
+network_access = false
+
+[history]
+persistence = "save-all"
+max_bytes = 5242880
+
+# Profiles are currently experimental in Codex docs.
+[profiles.ci_safe]
+model = "gpt-5.3-codex"
+model_reasoning_effort = "high"
+model_verbosity = "medium"
+approval_policy = "never"
+sandbox_mode = "read-only"
+allow_login_shell = false
+web_search = "disabled"
+
+[profiles.ci_safe.shell_environment_policy]
+inherit = "core"
+ignore_default_excludes = false
+
+[profiles.ci_safe.history]
+persistence = "none"

.codex/rules/default.rules

@@ -0,0 +1,26 @@
+# Conservative allowlist for low-risk, high-frequency commands.
+prefix_rule(pattern=["git", "status"], decision="allow")
+prefix_rule(pattern=["git", "diff"], decision="allow")
+prefix_rule(pattern=["git", "log"], decision="allow")
+prefix_rule(pattern=["git", "show"], decision="allow")
+prefix_rule(pattern=["git", "rev-parse"], decision="allow")
+prefix_rule(pattern=["git", "branch", "--show-current"], decision="allow")
+prefix_rule(pattern=["git", "ls-files"], decision="allow")
+
+# Shared repo validation workflow.
+prefix_rule(pattern=["pwsh", "-NoProfile", "-File", ".\\Invoke-RepoChecks.ps1"], decision="allow")
+prefix_rule(pattern=["pwsh", "-NoProfile", "-File", "./Invoke-RepoChecks.ps1"], decision="allow")
+prefix_rule(pattern=["pwsh", "-NoProfile", "-ExecutionPolicy", "Bypass", "-File", ".\\Invoke-RepoChecks.ps1"], decision="allow")
+prefix_rule(pattern=["powershell", "-NoProfile", "-File", ".\\Invoke-RepoChecks.ps1"], decision="allow")
+prefix_rule(pattern=["powershell", "-NoProfile", "-ExecutionPolicy", "Bypass", "-File", ".\\Invoke-RepoChecks.ps1"], decision="allow")
+
+# Direct analyzer/test commandlets in both PowerShell 7 and Windows PowerShell.
+prefix_rule(pattern=["pwsh", "-NoProfile", "-Command", "Invoke-ScriptAnalyzer"], decision="allow")
+prefix_rule(pattern=["powershell", "-NoProfile", "-Command", "Invoke-ScriptAnalyzer"], decision="allow")
+prefix_rule(pattern=["pwsh", "-NoProfile", "-Command", "Invoke-Pester"], decision="allow")
+prefix_rule(pattern=["powershell", "-NoProfile", "-Command", "Invoke-Pester"], decision="allow")
+
+# Hard blocks for destructive patterns that should never auto-run.
+prefix_rule(pattern=["git", "reset", "--hard"], decision="forbidden")
+prefix_rule(pattern=["git", "clean", "-fdx"], decision="forbidden")
+prefix_rule(pattern=["rm", "-rf"], decision="forbidden")

.devcontainer/.dockerignore

@@ -0,0 +1,3 @@
+*
+!Dockerfile
+!.dockerignore

.devcontainer/Dockerfile

@@ -0,0 +1,149 @@
+# syntax=docker/dockerfile:1
+FROM cgr.dev/chainguard/wolfi-base:latest
+
+ARG PS_VERSION=7.5.4
+ARG PESTER_VERSION=5.7.1
+ARG PSSA_VERSION=1.24.0
+ARG TARGETARCH
+ARG ENABLE_AI_TOOLS=true
+ARG BUILDKIT_INLINE_CACHE=1
+ARG IMAGE_TITLE="PowerShell Dev Container"
+ARG IMAGE_DESCRIPTION="Wolfi-based PowerShell development container"
+ARG IMAGE_SOURCE="https://github.com/thetechgy/ArchiTechLabs-Script-Hub"
+ARG IMAGE_LICENSES="MIT"
+ARG VCS_REF="unknown"
+ARG BUILD_DATE="unknown"
+
+LABEL org.opencontainers.image.title="${IMAGE_TITLE}" \
+      org.opencontainers.image.description="${IMAGE_DESCRIPTION}" \
+      org.opencontainers.image.source="${IMAGE_SOURCE}" \
+      org.opencontainers.image.licenses="${IMAGE_LICENSES}" \
+      org.opencontainers.image.revision="${VCS_REF}" \
+      org.opencontainers.image.created="${BUILD_DATE}"
+
+# -----------------------------
+# Base OS packages (always needed)
+# -----------------------------
+RUN apk add --no-cache \
+    bash \
+    ca-certificates \
+    curl \
+    git \
+    gnupg-gpgconf \
+    openssh-client \
+    icu-libs \
+    libstdc++ \
+    libgcc
+
+# -----------------------------
+# Install PowerShell
+# -----------------------------
+RUN : "${TARGETARCH:?TARGETARCH must be set by BuildKit}" \
+    && case "${TARGETARCH}" in \
+    amd64) PS_ARCH="x64" ;; \
+    arm64) PS_ARCH="arm64" ;; \
+    *) echo "Unsupported TARGETARCH=${TARGETARCH}" && exit 1 ;; \
+    esac \
+    && PS_TARBALL="powershell-${PS_VERSION}-linux-${PS_ARCH}.tar.gz" \
+    && mkdir -p "/opt/microsoft/powershell/${PS_VERSION}" \
+    && curl -fsSL -o "/tmp/${PS_TARBALL}" \
+    "https://github.com/PowerShell/PowerShell/releases/download/v${PS_VERSION}/${PS_TARBALL}" \
+    && curl -fsSL -o /tmp/hashes.sha256 \
+    "https://github.com/PowerShell/PowerShell/releases/download/v${PS_VERSION}/hashes.sha256" \
+    && PS_EXPECTED_SHA256="" \
+    && while IFS= read -r checksum_line; do \
+        case "${checksum_line}" in \
+            *"${PS_TARBALL}"*) PS_EXPECTED_SHA256="${checksum_line%% *}"; break ;; \
+        esac; \
+    done < /tmp/hashes.sha256 \
+    && [ -n "${PS_EXPECTED_SHA256}" ] \
+    && PS_EXPECTED_SHA256="$(printf '%s' "${PS_EXPECTED_SHA256}" | tr '[:upper:]' '[:lower:]')" \
+    && set -- $(sha256sum "/tmp/${PS_TARBALL}") \
+    && PS_ACTUAL_SHA256="$1" \
+    && if [ "${PS_ACTUAL_SHA256}" != "${PS_EXPECTED_SHA256}" ]; then \
+        echo "Checksum mismatch for ${PS_TARBALL}" >&2; \
+        echo "Expected: ${PS_EXPECTED_SHA256}" >&2; \
+        echo "Actual:   ${PS_ACTUAL_SHA256}" >&2; \
+        exit 1; \
+    fi \
+    && tar -xzf "/tmp/${PS_TARBALL}" -C "/opt/microsoft/powershell/${PS_VERSION}" \
+    && rm -f "/tmp/${PS_TARBALL}" /tmp/hashes.sha256 \
+    && chmod 755 "/opt/microsoft/powershell/${PS_VERSION}/pwsh" \
+    && chmod -R a+rX "/opt/microsoft/powershell/${PS_VERSION}" \
+    && mkdir -p /usr/local/bin \
+    && ln -sf "/opt/microsoft/powershell/${PS_VERSION}/pwsh" /usr/local/bin/pwsh \
+    && ln -sf "/opt/microsoft/powershell/${PS_VERSION}/pwsh" /usr/bin/pwsh \
+    && pwsh -NoLogo -NoProfile -Command '$PSVersionTable.PSVersion.ToString()'
+
+# -----------------------------
+# PowerShell tooling (always needed)
+# -----------------------------
+RUN pwsh -NoLogo -NoProfile -Command "\
+    Set-PSRepository -Name PSGallery -InstallationPolicy Trusted; \
+    Install-Module Pester -RequiredVersion ${PESTER_VERSION} -Scope AllUsers -Force -AllowClobber; \
+    Install-Module PSScriptAnalyzer -RequiredVersion ${PSSA_VERSION} -Scope AllUsers -Force -AllowClobber; \
+    Import-Module Pester -RequiredVersion ${PESTER_VERSION} -Force; \
+    Import-Module PSScriptAnalyzer -RequiredVersion ${PSSA_VERSION} -Force; \
+    "
+
+# -----------------------------
+# Non-root user for devcontainers
+# -----------------------------
+RUN adduser -D -u 1000 vscode \
+    && mkdir -p /home/vscode \
+    && chown -R vscode:vscode /home/vscode
+
+# Avoid git dubious-ownership warnings for the fixed devcontainer workspace path.
+RUN git config --system --add safe.directory /workspace
+
+# -----------------------------
+# AI tooling + CLIs (optional)
+# -----------------------------
+RUN if [ "${ENABLE_AI_TOOLS}" = "true" ]; then \
+    echo 'Installing AI assist tooling + Node + Codex + Claude...' && \
+    apk add --no-cache \
+    nodejs-22 \
+    npm \
+    bubblewrap \
+    socat \
+    procps \
+    gh \
+    delta \
+    fzf \
+    ripgrep \
+    fd \
+    jq \
+    yq \
+    patch \
+    diffutils \
+    sed \
+    gawk \
+    coreutils \
+    findutils \
+    tree \
+    gzip \
+    unzip \
+    xz \
+    && mkdir -p /etc/profile.d \
+    && printf '%s\n' \
+    'export PATH="$HOME/.local/bin:$PATH"' \
+    > /etc/profile.d/00-devcontainer-paths.sh \
+    && su -s /bin/bash vscode -c ' \
+    set -euo pipefail; \
+    export PATH="$HOME/.local/bin:$PATH"; \
+    mkdir -p "$HOME/.local" "$HOME/.npm"; \
+    npm config set prefix "$HOME/.local"; \
+    npm config set cache "$HOME/.npm"; \
+    node --version; npm --version; \
+    npm i -g @openai/codex@latest; \
+    codex --version || true; \
+    mkdir -p "$HOME/.local/bin"; \
+    curl -fsSL https://claude.ai/install.sh | bash; \
+    command -v claude >/dev/null 2>&1 && claude --version || true; \
+    ' \
+    ; else \
+    echo 'AI tooling disabled (ENABLE_AI_TOOLS=false)'; \
+    fi
+
+USER vscode
+WORKDIR /workspaces