From f161e3cb629adb604917473fc24a7aae110fbc32 Mon Sep 17 00:00:00 2001
From: Jarvis <jarvis@mosaicstack.dev>
Date: Mon, 30 Mar 2026 19:54:28 -0500
Subject: [PATCH] feat(ci): add Docker build+push pipeline for gateway and web
 images

---
 .woodpecker/ci.yml                            | 38 +++++++++++++++++++
 .../scratchpads/ci-docker-publish-20260330.md | 30 +++++++++++++++
 plugins/macp/src/index.ts                     | 10 +++--
 plugins/macp/src/macp-runtime.ts              | 10 ++++-
 4 files changed, 84 insertions(+), 4 deletions(-)
 create mode 100644 docs/scratchpads/ci-docker-publish-20260330.md

diff --git a/.woodpecker/ci.yml b/.woodpecker/ci.yml
index 2dfe430..2fe0df1 100644
--- a/.woodpecker/ci.yml
+++ b/.woodpecker/ci.yml
@@ -59,3 +59,41 @@ steps:
       - lint
       - format
       - test
+
+  publish-gateway:
+    image: woodpeckerci/plugin-docker-buildx
+    settings:
+      registry: git.mosaicstack.dev
+      repo: git.mosaicstack.dev/mosaic/mosaic-stack-gateway
+      dockerfile: docker/gateway.Dockerfile
+      tags:
+        - latest
+        - ${CI_COMMIT_SHA}
+      username:
+        from_secret: REGISTRY_USERNAME
+      password:
+        from_secret: REGISTRY_PASSWORD
+    when:
+      - event: push
+        branch: main
+    depends_on:
+      - build
+
+  publish-web:
+    image: woodpeckerci/plugin-docker-buildx
+    settings:
+      registry: git.mosaicstack.dev
+      repo: git.mosaicstack.dev/mosaic/mosaic-stack-web
+      dockerfile: docker/web.Dockerfile
+      tags:
+        - latest
+        - ${CI_COMMIT_SHA}
+      username:
+        from_secret: REGISTRY_USERNAME
+      password:
+        from_secret: REGISTRY_PASSWORD
+    when:
+      - event: push
+        branch: main
+    depends_on:
+      - build
diff --git a/docs/scratchpads/ci-docker-publish-20260330.md b/docs/scratchpads/ci-docker-publish-20260330.md
new file mode 100644
index 0000000..b8ee848
--- /dev/null
+++ b/docs/scratchpads/ci-docker-publish-20260330.md
@@ -0,0 +1,30 @@
+# Scratchpad: CI Docker Publish (2026-03-30)
+
+- Objective: Add Woodpecker Docker build+push steps for gateway and web images on `main` pushes.
+- Scope: `.woodpecker/ci.yml`.
+- Constraints:
+  - Use existing Dockerfiles at `docker/gateway.Dockerfile` and `docker/web.Dockerfile`.
+  - Publish to `git.mosaicstack.dev` with `from_secret` credentials.
+  - Tag both `latest` and `${CI_COMMIT_SHA}`.
+  - Do not run publish steps on pull requests.
+- ASSUMPTION: Publishing `latest` is required by the task for registry convenience, even though immutable tags remain the safer deployment reference.
+- Findings:
+  - Existing pipeline already has `build` after `lint`, `format`, and `test`.
+  - `apps/gateway/package.json` uses `tsc` for `build`; no Prisma dependency or `prisma generate` hook is present.
+- Plan:
+  1. Patch `.woodpecker/ci.yml` to keep `build` as the quality gate successor and add `publish-gateway` plus `publish-web`.
+  2. Validate YAML and run repo quality gates relevant to the change.
+  3. Review the diff, then commit/push/PR if validation passes.
+- Verification:
+  - `python3 -c "import yaml; yaml.safe_load(open('.woodpecker/ci.yml'))" && echo "YAML valid"`
+  - `pnpm lint`
+  - `pnpm typecheck`
+  - `pnpm format:check`
+  - `docker compose up -d`
+  - `pnpm --filter @mosaic/db db:push`
+  - `pnpm test`
+  - `pnpm build`
+  - Manual review of `.woodpecker/ci.yml` diff: publish steps are main-only, depend on `build`, and use secret-backed registry auth plus dual tags.
+- Risks:
+  - Pipeline behavior beyond YAML validation cannot be fully proven locally; remote Woodpecker execution will be the final situational check after push.
+  - Repo baseline required two existing `plugins/macp` files to be reformatted before `pnpm format:check` would pass.
diff --git a/plugins/macp/src/index.ts b/plugins/macp/src/index.ts
index 674c542..622e548 100644
--- a/plugins/macp/src/index.ts
+++ b/plugins/macp/src/index.ts
@@ -9,10 +9,14 @@ const ocRequire = createRequire(import.meta.url);
 const sdkRoot = path.dirname(ocRequire.resolve('openclaw/dist/plugin-sdk/index.js'));
 
 // Dynamic imports for runtime SDK functions
-const { registerAcpRuntimeBackend, unregisterAcpRuntimeBackend } = await import(
+const { registerAcpRuntimeBackend, unregisterAcpRuntimeBackend } = (await import(
   `${sdkRoot}/acp-runtime.js`
-) as {
-  registerAcpRuntimeBackend: (backend: { id: string; runtime: any; healthy: () => boolean }) => void;
+)) as {
+  registerAcpRuntimeBackend: (backend: {
+    id: string;
+    runtime: any;
+    healthy: () => boolean;
+  }) => void;
   unregisterAcpRuntimeBackend: (id: string) => void;
 };
 
diff --git a/plugins/macp/src/macp-runtime.ts b/plugins/macp/src/macp-runtime.ts
index 2d8f95c..7287630 100644
--- a/plugins/macp/src/macp-runtime.ts
+++ b/plugins/macp/src/macp-runtime.ts
@@ -82,7 +82,15 @@ const MACP_CAPABILITIES: AcpRuntimeCapabilities = {
 
 const DEFAULT_REPO_ROOT = '~/src/mosaic-stack';
 const ORCHESTRATOR_RUN_PATH = '~/.config/mosaic/bin/mosaic-orchestrator-run';
-const PI_RUNNER_PATH = path.join(os.homedir(), 'src', 'mosaic-stack', 'tools', 'macp', 'dispatcher', 'pi_runner.ts');
+const PI_RUNNER_PATH = path.join(
+  os.homedir(),
+  'src',
+  'mosaic-stack',
+  'tools',
+  'macp',
+  'dispatcher',
+  'pi_runner.ts',
+);
 
 function expandHome(rawPath: string): string {
   if (rawPath === '~') {