fix(compose): add local infra fallback for base-builder dependency

Resolve quick-start failures when GHCR base images are unavailable by making infra containers build system-monitor locally, while preserving CI namespace/tag hardening and documenting the resilient Option 1 flow.

Fixes #114

Made-with: Cursor

Author: 0sm0s1z

.github/workflows/build-base-images.yml

@@ -103,6 +103,15 @@ jobs:
             ${{ env.REGISTRY }}/${{ env.IMAGE_NAMESPACE }}/sirius-base-go-builder:latest-arm64
           echo "Published ghcr.io/${{ env.IMAGE_NAMESPACE }}/sirius-base-go-builder:latest (amd64 + arm64)"
 
+      - name: Verify go-builder tags resolve
+        run: |
+          set -e
+          BASE="${{ env.REGISTRY }}/${{ env.IMAGE_NAMESPACE }}/sirius-base-go-builder"
+          for TAG in latest latest-amd64 latest-arm64; do
+            echo "Verifying ${BASE}:${TAG}"
+            docker manifest inspect "${BASE}:${TAG}" > /dev/null
+          done
+
   # ─────────────────────────────────────────────────────────────────────────────
   # Build engine-tools base image (per architecture, native runners)
   #
@@ -179,3 +188,12 @@ jobs:
             ${{ env.REGISTRY }}/${{ env.IMAGE_NAMESPACE }}/sirius-base-engine-tools:latest-amd64 \
             ${{ env.REGISTRY }}/${{ env.IMAGE_NAMESPACE }}/sirius-base-engine-tools:latest-arm64
           echo "Published ghcr.io/${{ env.IMAGE_NAMESPACE }}/sirius-base-engine-tools:latest (amd64 + arm64)"
+
+      - name: Verify engine-tools tags resolve
+        run: |
+          set -e
+          BASE="${{ env.REGISTRY }}/${{ env.IMAGE_NAMESPACE }}/sirius-base-engine-tools"
+          for TAG in latest latest-amd64 latest-arm64; do
+            echo "Verifying ${BASE}:${TAG}"
+            docker manifest inspect "${BASE}:${TAG}" > /dev/null
+          done

.github/workflows/ci.yml

@@ -107,6 +107,27 @@ jobs:
             fi
           fi
 
+  # ─────────────────────────────────────────────────────────────────────────────
+  # Guard against accidental image namespace typos in CI/build paths.
+  # ─────────────────────────────────────────────────────────────────────────────
+  guard-registry-namespace:
+    name: "Guard Registry Namespace"
+    needs: detect-changes
+    runs-on: blacksmith-4vcpu-ubuntu-2404
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Fail on typoed GHCR namespace
+        run: |
+          set -e
+          TARGETS=".github/workflows docker-compose.yaml docker-stack.swarm.yaml scripts sirius-api sirius-engine sirius-postgres sirius-rabbitmq sirius-ui sirius-valkey"
+          if grep -R --line-number "ghcr.io/siriuscam/" $TARGETS; then
+            echo "::error::Found typoed GHCR namespace 'siriuscam'. Use '${{ env.IMAGE_NAMESPACE }}'."
+            exit 1
+          fi
+          echo "Registry namespace guard passed."
+
   # ─────────────────────────────────────────────────────────────────────────────
   # Verify base images exist in GHCR before any application build starts.
   # This catches the race condition where Build Base Images and CI both trigger
@@ -115,7 +136,7 @@ jobs:
   # ─────────────────────────────────────────────────────────────────────────────
   verify-base-images:
     name: "Verify Base Images"
-    needs: detect-changes
+    needs: [detect-changes, guard-registry-namespace]
     runs-on: blacksmith-4vcpu-ubuntu-2404
     steps:
       - name: Log in to Container Registry
@@ -128,14 +149,17 @@ jobs:
       - name: Verify base images exist
         run: |
           set -e
-          echo "Checking ghcr.io/siriusscan/sirius-base-go-builder:latest ..."
-          docker manifest inspect ghcr.io/siriusscan/sirius-base-go-builder:latest > /dev/null || {
+          BASE_GO_BUILDER="${{ env.REGISTRY }}/${{ env.IMAGE_NAMESPACE }}/sirius-base-go-builder:latest"
+          BASE_ENGINE_TOOLS="${{ env.REGISTRY }}/${{ env.IMAGE_NAMESPACE }}/sirius-base-engine-tools:latest"
+
+          echo "Checking ${BASE_GO_BUILDER} ..."
+          docker manifest inspect "${BASE_GO_BUILDER}" > /dev/null || {
             echo "::error::Base image sirius-base-go-builder:latest not found in GHCR."
             echo "::error::Run the 'Build Base Images' workflow first (Actions → Build Base Images → Run workflow)."
             exit 1
           }
-          echo "Checking ghcr.io/siriusscan/sirius-base-engine-tools:latest ..."
-          docker manifest inspect ghcr.io/siriusscan/sirius-base-engine-tools:latest > /dev/null || {
+          echo "Checking ${BASE_ENGINE_TOOLS} ..."
+          docker manifest inspect "${BASE_ENGINE_TOOLS}" > /dev/null || {
             echo "::error::Base image sirius-base-engine-tools:latest not found in GHCR."
             echo "::error::Run the 'Build Base Images' workflow first (Actions → Build Base Images → Run workflow)."
             exit 1

README.md

@@ -143,6 +143,10 @@ docker compose -f docker-compose.installer.yaml run --rm sirius-installer
 docker compose up -d
 ```
 
+Quick-start resilience: if the shared GHCR base-builder image is unavailable,
+infra services (`sirius-valkey`, `sirius-postgres`, `sirius-rabbitmq`) now
+build `system-monitor` locally during image build.
+
 #### Option 2: Local Development Overlay
 
 Use live-reload/development mounts for active code work:

docker-compose.yaml

@@ -1,5 +1,8 @@
 # SiriusScan Base Docker Compose Configuration
-# This is the base configuration that works for most environments
+# This is the base configuration that works for most environments.
+# Infra services (postgres/rabbitmq/valkey) build system-monitor locally
+# during image build so standard startup is resilient if GHCR base images
+# are unavailable.
 # Use with: docker compose up -d
 
 name: sirius

scripts/validate-ci-overhaul.sh

@@ -8,7 +8,7 @@
 #   3. Validate docker-compose configs
 #   4. Optionally run a minimal compose stack to verify startup
 #
-# Base images are tagged as ghcr.io/siriusscan/sirius-base-*:latest
+# Base images are tagged as ${REGISTRY}/${IMAGE_NAMESPACE}/sirius-base-*:latest
 # so the application Dockerfiles (which use COPY --from=...) find them
 # in the local Docker daemon without needing to pull from the registry.
 #
@@ -28,6 +28,14 @@ if [[ "${1:-}" == "--full-compose" ]]; then
   FULL_COMPOSE=true
 fi
 
+REGISTRY="${REGISTRY:-ghcr.io}"
+IMAGE_NAMESPACE="${IMAGE_NAMESPACE:-siriusscan}"
+BASE_IMAGE_TAG="${BASE_IMAGE_TAG:-latest}"
+BASE_GO_BUILDER_IMAGE="${REGISTRY}/${IMAGE_NAMESPACE}/sirius-base-go-builder:${BASE_IMAGE_TAG}"
+BASE_ENGINE_TOOLS_IMAGE="${REGISTRY}/${IMAGE_NAMESPACE}/sirius-base-engine-tools:${BASE_IMAGE_TAG}"
+BASE_GO_BUILDER_LATEST_IMAGE="${REGISTRY}/${IMAGE_NAMESPACE}/sirius-base-go-builder:latest"
+BASE_ENGINE_TOOLS_LATEST_IMAGE="${REGISTRY}/${IMAGE_NAMESPACE}/sirius-base-engine-tools:latest"
+
 SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
 PROJECT_ROOT="$(dirname "$SCRIPT_DIR")"
 LOG_DIR="$PROJECT_ROOT/testing/logs"
@@ -72,17 +80,17 @@ log "${YELLOW}Phase 1: Base Images${NC}"
 log ""
 
 run_step "Build sirius-base-go-builder" \
-  "docker build -t ghcr.io/siriusscan/sirius-base-go-builder:latest ./base-images/go-builder/" || exit 1
+  "docker build -t ${BASE_GO_BUILDER_IMAGE} -t ${BASE_GO_BUILDER_LATEST_IMAGE} ./base-images/go-builder/" || exit 1
 
 run_step "Build sirius-base-engine-tools (this compiles Nmap from source, may take a few minutes)" \
-  "docker build -t ghcr.io/siriusscan/sirius-base-engine-tools:latest ./base-images/engine-tools/" || exit 1
+  "docker build -t ${BASE_ENGINE_TOOLS_IMAGE} -t ${BASE_ENGINE_TOOLS_LATEST_IMAGE} ./base-images/engine-tools/" || exit 1
 
 # Verify base image contents
 run_step "Verify go-builder has system-monitor and administrator" \
-  "docker run --rm ghcr.io/siriusscan/sirius-base-go-builder:latest sh -c 'test -x /usr/local/bin/system-monitor && test -x /usr/local/bin/administrator'" || exit 1
+  "docker run --rm ${BASE_GO_BUILDER_LATEST_IMAGE} sh -c 'test -x /usr/local/bin/system-monitor && test -x /usr/local/bin/administrator'" || exit 1
 
 run_step "Verify engine-tools has nmap, rustscan, pwsh" \
-  "docker run --rm ghcr.io/siriusscan/sirius-base-engine-tools:latest sh -c 'nmap --version >/dev/null && rustscan --version >/dev/null && pwsh --version >/dev/null'" || exit 1
+  "docker run --rm ${BASE_ENGINE_TOOLS_LATEST_IMAGE} sh -c 'nmap --version >/dev/null && rustscan --version >/dev/null && pwsh --version >/dev/null'" || exit 1
 
 log ""
 log "${YELLOW}Phase 2: Infrastructure Containers (use base images)${NC}"

sirius-postgres/Dockerfile

@@ -1,9 +1,15 @@
 # Custom PostgreSQL image with system monitoring
 #
-# system-monitor is sourced from the shared sirius-base-go-builder image,
-# eliminating the need for a Go build stage in this container.
-
-FROM ghcr.io/siriusscan/sirius-base-go-builder:latest AS go-binaries
+# Local fallback stage for quick-start reliability:
+# build system-monitor directly so compose up works even if GHCR base images
+# are temporarily unavailable.
+FROM golang:1.24-alpine AS go-binaries
+RUN apk add --no-cache git ca-certificates tzdata && \
+    git clone https://github.com/SiriusScan/app-system-monitor.git /tmp/system-monitor && \
+    cd /tmp/system-monitor && \
+    go mod download && \
+    CGO_ENABLED=0 GOOS=linux go build -ldflags="-w -s" -o /usr/local/bin/system-monitor main.go && \
+    rm -rf /tmp/system-monitor
 
 FROM postgres:15-alpine
 

sirius-rabbitmq/Dockerfile

@@ -1,9 +1,15 @@
 # Custom RabbitMQ image with system monitoring
 #
-# system-monitor is sourced from the shared sirius-base-go-builder image,
-# eliminating the need for a Go build stage in this container.
-
-FROM ghcr.io/siriusscan/sirius-base-go-builder:latest AS go-binaries
+# Local fallback stage for quick-start reliability:
+# build system-monitor directly so compose up works even if GHCR base images
+# are temporarily unavailable.
+FROM golang:1.24-alpine AS go-binaries
+RUN apk add --no-cache git ca-certificates tzdata && \
+    git clone https://github.com/SiriusScan/app-system-monitor.git /tmp/system-monitor && \
+    cd /tmp/system-monitor && \
+    go mod download && \
+    CGO_ENABLED=0 GOOS=linux go build -ldflags="-w -s" -o /usr/local/bin/system-monitor main.go && \
+    rm -rf /tmp/system-monitor
 
 FROM rabbitmq:3.12-management
 

sirius-valkey/Dockerfile

@@ -1,9 +1,15 @@
 # Custom Valkey image with system monitoring
 #
-# system-monitor is sourced from the shared sirius-base-go-builder image,
-# eliminating the need for a Go build stage in this container.
-
-FROM ghcr.io/siriusscan/sirius-base-go-builder:latest AS go-binaries
+# Local fallback stage for quick-start reliability:
+# build system-monitor directly so compose up works even if GHCR base images
+# are temporarily unavailable.
+FROM golang:1.24-alpine AS go-binaries
+RUN apk add --no-cache git ca-certificates tzdata && \
+    git clone https://github.com/SiriusScan/app-system-monitor.git /tmp/system-monitor && \
+    cd /tmp/system-monitor && \
+    go mod download && \
+    CGO_ENABLED=0 GOOS=linux go build -ldflags="-w -s" -o /usr/local/bin/system-monitor main.go && \
+    rm -rf /tmp/system-monitor
 
 FROM valkey/valkey:7.2-alpine