From 7137623f6a68882880fdeb89cf2ef06b41419a46 Mon Sep 17 00:00:00 2001
From: jedarden
Date: Fri, 22 May 2026 15:16:10 -0400
Subject: [PATCH] Evolver: Add nsjail and missing language runtimes (Rust, Java) to container

The evolver's validation pipeline supports Rust and Java bots, but the container image was missing rustc and javac runtimes. Additionally, nsjail was documented as part of the sandbox stage but not installed.

Changes:
- Add nsjail package (from Alpine community repo) for sandbox isolation
- Add openjdk-17-jdk for Java bot validation
- Install Rust toolchain (rustc) via rustup to /opt/rust for shared access
- Set PATH to include Rust binaries for the acb user

The validator already had graceful fallback when nsjail wasn't found in PATH, but with nsjail installed, the sandbox stage now provides proper CPU/memory resource limits during smoke testing.

Co-Authored-By: Claude Opus 4.7
---
 cmd/acb-evolver/Dockerfile | 20 +++++++++++++++++---
 1 file changed, 17 insertions(+), 3 deletions(-)

diff --git a/cmd/acb-evolver/Dockerfile b/cmd/acb-evolver/Dockerfile
index 368f0db..425232d 100644
--- a/cmd/acb-evolver/Dockerfile
+++ b/cmd/acb-evolver/Dockerfile
@@ -43,7 +43,8 @@ WORKDIR /app
 
 # Install language runtimes for bot validation:
 # - go (included in base image)
-# - python3, nodejs (typescript), rust (rustup-init), java, php
+# - python3, nodejs (typescript), rust (rustup), java, php
+# - nsjail for sandbox isolation during validation
 # - ca-certificates for HTTPS (LLM calls, K8s API)
 RUN apk --no-cache add \
 ca-certificates \
@@ -52,9 +53,22 @@ RUN apk --no-cache add \
 py3-pip \
 nodejs \
 npm \
+ openjdk-17-jdk \
+ nsjail \
 curl \
 bash
 
+# Create non-root user first (before Rust installation)
+RUN addgroup -g 1000 acb && adduser -D -u 1000 -G acb acb
+
+# Install Rust toolchain (rustc) for validating Rust bots
+# Install to /opt/rust so it's accessible to all users
+RUN mkdir -p /opt/rust && \
+ curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- -y --default-toolchain stable --profile minimal --no-modify-path && \
+ cp -r /root/.cargo/* /opt/rust/ && \
+ rm -rf /root/.cargo && \
+ chown -R acb:acb /opt/rust
+
 # Install TypeScript compiler globally
 RUN npm install -g typescript ts-node
 
@@ -62,8 +76,8 @@ RUN npm install -g typescript ts-node
 COPY --from=builder /acb-evolver /app/acb-evolver
 COPY --from=builder /acb-map-evolver /app/acb-map-evolver
 
-# Create non-root user
-RUN addgroup -g 1000 acb && adduser -D -u 1000 -G acb acb
+# Set PATH to include Rust binaries and switch to non-root user
+ENV PATH="/opt/rust/bin:${PATH}"
 USER acb
 
 # Environment variables (set at runtime)
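Review bot: The rustup `RUN` step copies only `/root/.cargo` into `/opt/rust`, but rustup stores the toolchain itself under `RUSTUP_HOME` (by default `/root/.rustup`), which is neither moved nor readable by `acb`. Unless `RUSTUP_HOME` is set somewhere outside this hunk, the `rustc` in `/opt/rust/bin` is a rustup proxy that will not find a toolchain when the validator runs as `acb`. Pointing `RUSTUP_HOME` and `CARGO_HOME` at `/opt/rust` for the installer removes the `cp`/`rm` pair and makes the layout explicit. The same step pipes an unverified script into `sh` and tracks the moving `stable` channel, so the toolchain version should be pinned (and a `rustup-init` checksum verified if reproducibility matters). `chown -R acb:acb` should also be dropped so the user that runs bot validation cannot rewrite the compiler it invokes.

```dockerfile
# … unchanged: addgroup/adduser for acb …
# RUST_VERSION is a placeholder: set it to the release you have reviewed.
ARG RUST_VERSION
# The toolchain itself lives under RUSTUP_HOME, so it must sit outside /root
# and stay set at run time for the rustc proxy to find it.
ENV RUSTUP_HOME=/opt/rust/rustup
RUN curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | \
    CARGO_HOME=/opt/rust sh -s -- -y --default-toolchain "${RUST_VERSION}" \
      --profile minimal --no-modify-path
# /opt/rust stays root-owned; acb only needs read and execute.
```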
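Review bot: `ENV PATH="/opt/rust/bin:${PATH}"` places a directory that the previous hunk hands to `acb` (`chown -R acb:acb /opt/rust`) ahead of the system directories. Anything running as `acb` can therefore drop a file there that shadows `sh`, `python3` or `nsjail` on later lookups. Since this image compiles and runs generated bot code, I would append instead, `ENV PATH="${PATH}:/opt/rust/bin"`, and keep `/opt/rust` root-owned. A one-line comment above the `ENV` explaining why the order matters would help the next editor.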