Resolves F17 in docker-build-optimization-roadmap.
Root cause:
Gitea's app.ini ROOT_URL was http://localhost:3300/. Gitea bakes
ROOT_URL into the dist.tarball field of every published package's
metadata. Inside a Docker container, 'localhost' is the container
itself, not the host \u2014 so any 'pnpm install' that needed to fetch
a tarball would ECONNREFUSED, even though the registry metadata
itself was reachable via host.docker.internal.
Server-side fix (not in git, requires manual replication on each dev
machine; documented in roadmap \u00a73 A-pre-6):
- Edit /opt/homebrew/var/gitea/custom/conf/app.ini:
ROOT_URL = http://host.docker.internal:3300/
- brew services restart gitea
- sudo sh -c 'echo "127.0.0.1 host.docker.internal" >> /etc/hosts'
Repo-side fix (this commit):
- switch-network.sh: add host.docker.internal to NO_PROXY +
NPM_CONFIG_NOPROXY when NETWORK=corp. Required so host-side curl/
pnpm/npm bypass the corporate proxy (cso.proxy.att.com) when
resolving host.docker.internal. Without this, host installs fail
with the corp proxy's 'Unknown Host' 504 page.
Republished all 64 @bytelyst/* packages so tarball URLs reflect the
new ROOT_URL:
- .publish-manifest.json: 64 entries with new content hashes
- packages/*/package.json: 64 patch-version bumps
(auto-bumped by publish-outdated-packages.sh because previous
versions already existed in registry)
Verification:
curl http://localhost:3300/.../@bytelyst%2Ferrors | jq .dist.tarball
→ http://host.docker.internal:3300/.../errors-0.1.11.tgz (was localhost:3300)
workspace:* refs across all 64 packages: 0
Unblocks: A0-V on every pilot. Verified PASSING on learning_ai_clock:
backend cold build: 59.2 s
web cold build: 3:13 (193 s)
Both via Gitea registry, no docker-prep.sh tarballs needed.
Eliminates the three operational pain points hit in the last
owner-rename incident:
1. Owner-rename drift across 14 repos
- npmrc.template now uses ${GITEA_NPM_OWNER:-learning_ai_user}
- switch-network.sh exports GITEA_NPM_OWNER on shell start
- Future renames are a one-line env change, not 14 git commits
2. Stale shell-env tokens (file rotated, env didn't)
- scripts/gitea/token.sh: status|print|validate|rotate subcommands
- 'eval "$(bash scripts/gitea/token.sh print --export)"' refreshes
any shell without re-sourcing ~/.zshrc
- rotate uses Gitea API + macOS Keychain for admin creds
3. No pre-deploy validation
- scripts/gitea/doctor.sh: NETWORK + DNS + token consistency +
registry HTTP 200 + optional package@version probe
- Run before any deploy that needs @bytelyst/* from Gitea
- NETWORK=corp → GITEA_NPM_HOST=localhost (local Gitea Docker)
- NETWORK=home → GITEA_NPM_HOST from ~/.gitea_vm_host (Azure VM)
- Fallback: localhost if ~/.gitea_vm_host doesn't exist
This enables all repo .npmrc files to use ${GITEA_NPM_HOST}:3300
instead of hardcoded localhost:3300, matching the existing
.npmrc.docker pattern used during Docker builds.
- Add NO_PROXY/no_proxy/NPM_CONFIG_NOPROXY=localhost,127.0.0.1 when
NETWORK=corp so local services (Gitea npm registry, Cosmos emulator,
Azurite) bypass the corporate proxy. Previously NO_PROXY was only set
in .zshrc line 5, making the script not self-contained.
- Add GITEA_NPM_TOKEN auto-load from ~/.gitea_npm_token file
(regardless of NETWORK). Reads are public, but publish needs the
token. This ensures local pnpm install resolves @bytelyst/* auth.
- Unset NO_PROXY/no_proxy/NPM_CONFIG_NOPROXY when NETWORK=home.
Single env var NETWORK=corp|home controls all proxy config.
Source from ~/.zshrc — sets http_proxy, NPM_CONFIG_REGISTRY,
PIP_TRUSTED_HOST, NODE_TLS_REJECT_UNAUTHORIZED automatically.
No more ~/.npmrc rewriting.
- Replace hardcoded /Users/sd9235/ paths with $HOME in all SKILLS docs
- Use WORKSPACE_DIR variable in backup-main.sh (auto-resolves from script location)
- Genericize 'Forcepoint CertChecker' / 'corporate proxy' to 'SSL-intercepting proxy'
- Add scripts/switch-network.sh for toggling npm between corporate proxy and home
- No functional code changes — only comments, docs, and paths
