Add Apple Container toolkit for macOS VM-isolated development #11
Conversation
deviantony
commented
Jan 15, 2026
- Create Dockerfile with zsh, starship, Claude Code plugins, and dev tools
- Add devbox-apple script for container lifecycle management (enter, stop, destroy, build)
- Include ccm script for Claude-powered commit message generation
- Add entrypoint script with tmp file cleanup for disk management
- Document setup, usage, port forwarding, and directory mounts in README
- Add Claude Code permission denials for .env and .ssh files in alapenna-ghostty
- Remove todo helper function from alapenna-ghostty toolkit
Pull request overview
This PR adds a new Apple Container toolkit (alapenna-container) for macOS VM-isolated development, alongside minor updates to the existing alapenna-ghostty toolkit. The new toolkit leverages Apple's native container CLI (macOS 26+) to provide enhanced isolation compared to Docker/OrbStack, with each container running in its own lightweight VM.
Changes:
- Add complete `alapenna-container` toolkit with Dockerfile, scripts, and documentation for Apple Silicon Mac development
- Add permission denials for `.env` and `.ssh` files in Claude Code settings for `alapenna-ghostty`
- Remove todo helper function from `alapenna-ghostty` toolkit
Reviewed changes
Copilot reviewed 6 out of 6 changed files in this pull request and generated 7 comments.
| File | Description |
|---|---|
| user-toolkits/alapenna-container/Dockerfile | New Dockerfile with zsh, starship, Claude Code plugins, and dev tools based on portainer/dev-toolkit:2025.12 |
| user-toolkits/alapenna-container/devbox-apple | Container lifecycle management script for Apple container CLI with VM resource configuration |
| user-toolkits/alapenna-container/scripts/ccm | Claude-powered commit message generation script with manual fallback for large diffs |
| user-toolkits/alapenna-container/scripts/entrypoint.sh | Container entrypoint with automatic tmp cleanup for disk management |
| user-toolkits/alapenna-container/README.md | Complete documentation covering setup, usage, and troubleshooting |
| user-toolkits/alapenna-ghostty/Dockerfile | Add Claude Code permission denials and remove todo function |
| | `~/.ssh` | `/root/.ssh` | read-only | | ||
| | `~/.gnupg` | `/root/.gnupg` | read-only | | ||
| | `~/tmp/dev-toolkit` | `/share-tmp` | read-write | | ||
|
|
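Review bot: the Mode column presents `~/.ssh` and `~/.gnupg` as read-only mounts, but the `devbox-apple` loops further down this review copy those files into the container with `tee`, so the key material sits on the VM's writable disk and nothing on the host enforces read-only access to it; a key rotated or revoked on the host after first creation is also never reflected inside. Suggest saying "copied on first creation" in the table and spelling out in the README that private keys live inside the container from then on, since a reader who trusts "read-only" will assume the host still controls what the container can read.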
Copilot
AI
Jan 16, 2026
The documentation states that SSH and GPG directories are mounted as 'read-only', but the actual implementation in devbox-apple script copies these files into the container rather than mounting them. The table should clarify that these are copied on first creation, not mounted. Update the 'Mode' column to 'copied' or add a note explaining this distinction.
| | `~/.ssh` | `/root/.ssh` | read-only | | |
| | `~/.gnupg` | `/root/.gnupg` | read-only | | |
| | `~/tmp/dev-toolkit` | `/share-tmp` | read-write | | |
| | `~/.ssh` | `/root/.ssh` | copied | | |
| | `~/.gnupg` | `/root/.gnupg` | copied | | |
| | `~/tmp/dev-toolkit` | `/share-tmp` | read-write | | |
| Note: SSH (`~/.ssh`) and GPG (`~/.gnupg`) directories are copied into the container on first creation, not live-mounted from the host. |
| | `~/.gnupg` | `/root/.gnupg` | read-only | | ||
| | `~/tmp/dev-toolkit` | `/share-tmp` | read-write | | ||
|
|
||
| Edit `devbox` script to customize mount paths. |
Copilot
AI
Jan 16, 2026
The script is named 'devbox-apple', not 'devbox'. Update the reference to match the actual script name.
| Edit `devbox` script to customize mount paths. | |
| Edit `devbox-apple` script to customize mount paths. |
|
|
||
| ```bash | ||
| # Build locally | ||
| devbox build |
Copilot
AI
Jan 16, 2026
The command should be 'devbox-apple build' to match the actual script name, not 'devbox build'.
| devbox build | |
| devbox-apple build |
| # Container entrypoint - runs on every container start | ||
|
|
||
| # Clean tmp files older than 8 hours to prevent disk bloat from builds | ||
| find /tmp -mindepth 1 -mmin +480 -exec rm -rf {} \; 2>/dev/null || true |
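Review bot: `-exec rm -rf {} \;` without `-prune` makes find descend into directories it has just removed, which is what the `2>/dev/null` is hiding; `-delete` is not a drop-in replacement either, because it implies `-depth` and removes a directory only once it is empty, so a stale build tree that still holds one newer file survives the cleanup. If the intent is to remove stale top-level entries together with their contents, `find /tmp -mindepth 1 -maxdepth 1 -mmin +480 -exec rm -rf {} +` does that without either problem and batches the removals.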
Copilot
AI
Jan 16, 2026
Using 'rm -rf {}' in find's -exec is unsafe when multiple files are found, as it can cause issues with concurrent deletions. The find command may fail with 'No such file or directory' errors if a parent directory is deleted before its children. Consider using '-delete' instead, or add '+' after {} to batch deletions, or use '-prune' to handle directories first.
| find /tmp -mindepth 1 -mmin +480 -exec rm -rf {} \; 2>/dev/null || true | |
| find /tmp -mindepth 1 -mmin +480 -delete 2>/dev/null || true |
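As an added example, not code from this PR, the same cleanup written so that both problems discussed above go away: only top-level entries of the directory can match, removals are batched into one `rm`, and `-delete` is not relied on. The fixture tree and the 480-minute threshold are constructed for the demonstration.

```shell
#!/usr/bin/env bash
# Added example (not code from this PR): stale /tmp cleanup that neither
# descends into trees it has already removed nor leaves stale directories
# behind because they still contain newer files.
set -euo pipefail

# clean_stale_tmp DIR MINUTES: remove every top-level entry of DIR whose
# mtime is older than MINUTES, contents included.
clean_stale_tmp() {
  local dir=$1 minutes=$2
  # -maxdepth 1 means only top-level entries can match, so rm -rf is never
  # handed a path inside a directory it removed a moment earlier (the
  # "No such file or directory" noise the original hides with 2>/dev/null).
  # "+" batches the matches into as few rm invocations as possible.
  # -delete would not do the same job: it implies -depth and removes a
  # directory only once it is empty, so an old build tree holding one
  # fresh file would survive the cleanup.
  find "$dir" -mindepth 1 -maxdepth 1 -mmin +"$minutes" -exec rm -rf {} +
}

# count_entries DIR: number of top-level entries left, to check the result.
count_entries() {
  find "$1" -mindepth 1 -maxdepth 1 | wc -l | tr -d ' '
}

# make_fixture: constructed sample layout, printed as its path.
#   old-build/obj/a.o  stale tree that still contains a fresh object file
#   old.log            stale file
#   fresh.log          fresh file
make_fixture() {
  local root
  root=$(mktemp -d)
  mkdir -p "$root/old-build/obj"
  : > "$root/old-build/obj/a.o"     # keeps "now" as its mtime
  : > "$root/old.log"
  : > "$root/fresh.log"
  # Backdate the stale entries to 1 Jan 2025 (touch -t is POSIX).
  touch -t 202501010000 "$root/old-build/obj" "$root/old-build" "$root/old.log"
  printf '%s\n' "$root"
}

# Stand-alone run: show before/after counts on the fixture.
demo_root=$(make_fixture)
echo "before: $(count_entries "$demo_root") entries"
clean_stale_tmp "$demo_root" 480
echo "after:  $(count_entries "$demo_root") entries"
rm -rf "$demo_root"
```

The whole `old-build` tree goes even though `obj/a.o` is fresh, which is what the original `rm -rf` form intended for build residue; that is the case a `-delete` rewrite would silently change.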
| # Copy SSH files (if they exist) | ||
| if [[ -d "$SSH_DIR" ]]; then | ||
| for f in "$SSH_DIR"/*; do | ||
| [[ -f "$f" ]] && cat "$f" | container exec -i "$NAME" tee "/root/.ssh/$(basename "$f")" > /dev/null |
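Review bot: `tee` creates each `/root/.ssh/<file>` with whatever umask is in effect in the container (0644 under the usual 022), so private keys arrive world-readable and OpenSSH will refuse to use them ("UNPROTECTED PRIVATE KEY FILE"); add `chmod 700 /root/.ssh` and `chmod 600 /root/.ssh/*` after the loop, or unpack a tar stream that preserves modes. Note also that `"$SSH_DIR"/*` copies every regular file in `~/.ssh`, private keys included, which is more than the README's "read-only" row suggests.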
Copilot
AI
Jan 16, 2026
Using 'cat' and piping to 'tee' is inefficient. Consider using 'container cp' if available, or redirect input directly: 'container exec -i "$NAME" tee "/root/.ssh/$(basename "$f")" < "$f" > /dev/null'.
| if [[ -d "$GNUPG_DIR" ]]; then | ||
| echo "Copying GPG keys..." | ||
| for f in "$GNUPG_DIR"/*; do | ||
| [[ -f "$f" ]] && cat "$f" | container exec -i "$NAME" tee "/root/.gnupg/$(basename "$f")" > /dev/null |
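Review bot: `[[ -f "$f" ]]` skips directories, and GnuPG 2.1 and later keeps private keys under `~/.gnupg/private-keys-v1.d/`, so this loop copies `pubring.kbx`, `trustdb.gpg` and the config files but no private keys; the "Copying GPG keys..." message is misleading and signing inside the container will fail. Copy that subdirectory as well (or stream the whole directory with tar), and `chmod 700 /root/.gnupg` afterwards, since gpg warns about an unsafe homedir otherwise.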
Copilot
AI
Jan 16, 2026
Using 'cat' and piping to 'tee' is inefficient. Consider using 'container cp' if available, or redirect input directly: 'container exec -i "$NAME" tee "/root/.gnupg/$(basename "$f")" < "$f" > /dev/null'.
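Both copy loops reviewed above (SSH and GPG) would be served by one tar stream into the container. The function below is an added example, not code from this PR or from the `container` CLI: it takes the receiving command as trailing arguments so that `container exec -i "$NAME"` (the form `devbox-apple` already uses) and a plain local `env` can both be passed in, and the `~/.gnupg`-style tree it copies is constructed for the demonstration.

```shell
#!/usr/bin/env bash
# Added example (not code from this PR): copy a secrets directory into a
# container as one tar stream instead of one tee per file. Subdirectories
# and file modes survive the trip, and permissions are tightened on arrival.
set -euo pipefail

# copy_secret_dir SRC DEST RECEIVER...
#   SRC       host directory, e.g. ~/.ssh or ~/.gnupg
#   DEST      path inside the container, e.g. /root/.ssh
#   RECEIVER  command prefix that runs a program with stdin attached,
#             e.g. "container exec -i $NAME" (as in devbox-apple) or
#             "env" to unpack locally, which is what the demo below does.
copy_secret_dir() {
  local src=$1 dest=$2
  shift 2
  if [[ ! -d "$src" ]]; then
    echo "skip: $src does not exist" >&2
    return 0
  fi
  # tar preserves the directory tree (private-keys-v1.d/ included) and the
  # original modes; the receiver then forces 700 on directories and 600 on
  # files so that ssh and gpg accept the result regardless of the umask.
  tar -C "$src" -cf - . | "$@" sh -c '
    set -e
    mkdir -p "$1"
    tar -C "$1" -xf -
    find "$1" -type d -exec chmod 700 {} +
    find "$1" -type f -exec chmod 600 {} +
  ' _ "$dest"
}

# mode_of PATH: octal permission bits, GNU or BSD stat.
mode_of() {
  stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1"
}

# make_fixture: constructed stand-in for ~/.gnupg, printed as its path.
make_fixture() {
  local root
  root=$(mktemp -d)
  mkdir -p "$root/private-keys-v1.d"
  printf 'constructed private key material\n' > "$root/private-keys-v1.d/ABCD.key"
  printf 'constructed keyring\n' > "$root/pubring.kbx"
  chmod 644 "$root/pubring.kbx"      # deliberately too open
  printf '%s\n' "$root"
}

# Stand-alone demo: local copy with "env" as the receiver.
src=$(make_fixture)
dst=$(mktemp -d)/gnupg
copy_secret_dir "$src" "$dst" env
echo "pubring.kbx mode: $(mode_of "$dst/pubring.kbx")"
echo "private key copied: $(test -f "$dst/private-keys-v1.d/ABCD.key" && echo yes || echo no)"
rm -rf "$src" "$(dirname "$dst")"
```

In `devbox-apple` the two loops would become `copy_secret_dir "$SSH_DIR" /root/.ssh container exec -i "$NAME"` and `copy_secret_dir "$GNUPG_DIR" /root/.gnupg container exec -i "$NAME"`; this assumes the image provides `sh`, `tar`, `find` and `chmod`, which is not verified here.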
| echo "" | ||
| read -p "Commit? [Y/n/e/u] " choice | ||
| else | ||
| msg=$(echo "$diff" | claude -p "$prompt") |
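Review bot: `echo "$diff" | claude -p "$prompt"` sends the entire staged diff to the model, and because it arrives on stdin the `.env`/`.ssh` read denials this PR adds to Claude Code settings (tool-level permissions) do not cover it; a staged `.env` leaves the machine inside the prompt. Suggest excluding such paths when building `$diff` (for example `git diff --cached -- . ':!*.env'`) or refusing to run when they are staged. The `Commit? [Y/n/e/u]` confirmation is the right control for the return path, since the generated message is untrusted output derived from diff content; keep it mandatory.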
Copilot
AI
Jan 16, 2026
The script invokes 'claude' command but doesn't check if it exists before use. Consider adding a check for the claude CLI availability at the start of the script, similar to how check_container_cli() validates the container command in devbox-apple.
- Update README to clarify SSH/GPG directories are copied, not live-mounted
- Fix script reference from "devbox" to "devbox-apple" in README
- Add claude CLI availability check with helpful error message in ccm script