feat(build): implement multi-stage maintainer parent image and dual-tag cloud build

.gcp/release-docker.yml

@@ -35,7 +35,7 @@ steps:
         echo "Determined image tag: $$FINAL_TAG"
         echo "$$FINAL_TAG" > /workspace/image_tag.txt
 
-  # Step 5: Build sandbox container image
+  # Step 5: Build sandbox container image (Final stage)
   - name: 'us-west1-docker.pkg.dev/gemini-code-dev/gemini-code-containers/gemini-code-builder'
     id: 'Build sandbox Docker image'
     entrypoint: 'bash'
@@ -43,11 +43,24 @@ steps:
       - '-c'
       - |-
         export GEMINI_SANDBOX_IMAGE_TAG=$$(cat /workspace/image_tag.txt)
-        echo "Using Docker image tag for build: $$GEMINI_SANDBOX_IMAGE_TAG"
         npm run build:sandbox -- --output-file /workspace/final_image_uri.txt
     env:
       - 'GEMINI_SANDBOX=$_CONTAINER_TOOL'
 
+  # Step 6: Build maintainer container image (Maintainer stage)
+  - name: 'us-west1-docker.pkg.dev/gemini-code-dev/gemini-code-containers/gemini-code-builder'
+    id: 'Build maintainer Docker image'
+    entrypoint: 'bash'
+    args:
+      - '-c'
+      - |-
+        export TAG=$$(cat /workspace/image_tag.txt)
+        IMAGE_BASE="us-docker.pkg.dev/gemini-code-dev/gemini-cli/maintainer"
+        docker build --target maintainer -t "$${IMAGE_BASE}:$${TAG}" .
+        docker push "$${IMAGE_BASE}:$${TAG}"
+    env:
+      - 'GEMINI_SANDBOX=$_CONTAINER_TOOL'
+
   # Step 8: Publish sandbox container image
   - name: 'us-west1-docker.pkg.dev/gemini-code-dev/gemini-code-containers/gemini-code-builder'
     id: 'Publish sandbox Docker image'
@@ -57,8 +70,6 @@ steps:
       - |-
         set -e
         FINAL_IMAGE_URI=$$(cat /workspace/final_image_uri.txt)
-
-        echo "Pushing sandbox image: $${FINAL_IMAGE_URI}"
         $_CONTAINER_TOOL push "$${FINAL_IMAGE_URI}"
     env:
       - 'GEMINI_SANDBOX=$_CONTAINER_TOOL'

.gemini/skills/offload/NEXT_MISSION.md

@@ -0,0 +1,24 @@
+# Mission: GCE Container-First Refactor 🚀
+
+## Current State
+- **Architecture**: Persistent GCE VM (`gcli-offload-mattkorwel`) with Fast-Path SSH (`gcli-worker`).
+- **Logic**: Decoupled scripts in `~/.offload/scripts`, using Git Worktrees for concurrency.
+- **Auth**: Scoped GitHub PATs mirrored via setup.
+
+## The Goal (Container-OS Transition)
+Shift from a "Manual VM" to an "Invisible VM" (Container-Optimized OS) that runs our Sandbox Docker image directly.
+
+## Planned Changes
+1. **Multi-Stage Dockerfile**: 
+   - Optimize `Dockerfile.gemini-maintainer` to include `tsx`, `vitest`, `gh`, and a pre-warmed repository.
+   - Base it on the existing `google-gemini-cli-sandbox`.
+2. **Setup Script (`setup.ts`)**:
+   - Refactor `provision` to use `gcloud compute instances create-with-container`.
+   - Configure the VM to launch the container as the primary entrypoint.
+3. **Orchestrator (`orchestrator.ts`)**:
+   - Update SSH logic to include the `--container` flag.
+   - Ensure `rsync` still maps to the persistent home directory that is mounted into the container.
+
+## How to Resume
+1. Load the checkpoint: `/checkpoint load offload-container-refactor` (if available).
+2. Tell Gemini: *"Read .gemini/skills/offload/NEXT_MISSION.md and start Phase 1: The Multi-Stage Dockerfile."*

Dockerfile

@@ -1,21 +1,26 @@
-FROM docker.io/library/node:20-slim
+# --- STAGE 1: Base Runtime ---
+FROM docker.io/library/node:20-slim AS base
 
-ARG SANDBOX_NAME="gemini-cli-sandbox"
 ARG CLI_VERSION_ARG
-ENV SANDBOX="$SANDBOX_NAME"
 ENV CLI_VERSION=$CLI_VERSION_ARG
 
-# install minimal set of packages, then clean up
 RUN apt-get update && apt-get install -y --no-install-recommends \
   python3 \
-  make \
-  g++ \
-  man-db \
   curl \
   dnsutils \
   less \
   jq \
-  bc \
+  ca-certificates \
+  && apt-get clean \
+  && rm -rf /var/lib/apt/lists/*
+
+# --- STAGE 2: Maintainer (Parent of Sandbox) ---
+FROM base AS maintainer
+
+# Install "Maintainer Bloat" - tools needed for development and offloading
+RUN apt-get update && apt-get install -y --no-install-recommends \
+  make \
+  g++ \
   gh \
   git \
   unzip \
@@ -25,21 +30,31 @@ RUN apt-get update && apt-get install -y --no-install-recommends \
   psmisc \
   lsof \
   socat \
-  ca-certificates \
+  build-essential \
+  libsecret-1-dev \
+  libkrb5-dev \
   && apt-get clean \
   && rm -rf /var/lib/apt/lists/*
 
-# set up npm global package folder under /usr/local/share
+# Install global dev tools
-# give it to non-root user node, already set up in base image
+RUN npm install -g tsx vitest
+
+# Set up npm global package folder
 RUN mkdir -p /usr/local/share/npm-global \
   && chown -R node:node /usr/local/share/npm-global
 ENV NPM_CONFIG_PREFIX=/usr/local/share/npm-global
 ENV PATH=$PATH:/usr/local/share/npm-global/bin
 
-# switch to non-root user node
+# --- STAGE 3: Sandbox (Final CLI Image) ---
+FROM maintainer AS sandbox
+
+ARG SANDBOX_NAME="gemini-cli-sandbox"
+ENV SANDBOX="$SANDBOX_NAME"
+
+# Switch to non-root user node
 USER node
 
-# install gemini-cli and clean up
+# Install gemini-cli and clean up
 COPY packages/cli/dist/google-gemini-cli-*.tgz /tmp/gemini-cli.tgz
 COPY packages/core/dist/google-gemini-cli-core-*.tgz /tmp/gemini-core.tgz
 RUN npm install -g /tmp/gemini-core.tgz \
@@ -49,5 +64,5 @@ RUN npm install -g /tmp/gemini-core.tgz \
   && npm cache clean --force \
   && rm -f /tmp/gemini-{cli,core}.tgz
 
-# default entrypoint when none specified
+# Default entrypoint
 CMD ["gemini"]