fix(inspect): harden Docker discovery with batched inspect, fix find, add tests

.githooks/pre-commit

@@ -0,0 +1,14 @@
+#!/usr/bin/env bash
+# Pre-commit hook: fast gate (build + unit tests + race detection).
+# Full CI (integration, e2e, coverage thresholds) runs in CI pipeline.
+# Per DORA research: pre-commit should be <10s for fast feedback loops.
+
+set -euo pipefail
+
+echo "==> Pre-commit: build check"
+go build -o /dev/null ./cmd/
+
+echo "==> Pre-commit: unit tests with race detection"
+go test -race ./pkg/chatarchive/... ./internal/chatarchivecmd/...
+
+echo "Pre-commit checks passed."

.github/workflows/chatarchive-quality.yml

@@ -0,0 +1,78 @@
+name: Chat Archive Quality
+
+on:
+  pull_request:
+    paths:
+      - 'pkg/chatarchive/**'
+      - 'internal/chatarchivecmd/**'
+      - 'cmd/create/chat_archive.go'
+      - 'cmd/backup/chats.go'
+      - 'test/e2e/**'
+      - 'scripts/chatarchive-ci.sh'
+      - 'package.json'
+      - '.github/hooks/pre-commit'
+      - '.github/hooks/setup-hooks.sh'
+      - 'scripts/install-git-hooks.sh'
+      - '.github/workflows/chatarchive-quality.yml'
+  push:
+    branches:
+      - main
+      - develop
+    paths:
+      - 'pkg/chatarchive/**'
+      - 'internal/chatarchivecmd/**'
+      - 'cmd/create/chat_archive.go'
+      - 'cmd/backup/chats.go'
+      - 'test/e2e/**'
+      - 'scripts/chatarchive-ci.sh'
+      - 'package.json'
+      - '.github/hooks/pre-commit'
+      - '.github/hooks/setup-hooks.sh'
+      - 'scripts/install-git-hooks.sh'
+      - '.github/workflows/chatarchive-quality.yml'
+
+jobs:
+  chatarchive-ci:
+    name: Chat Archive CI (${{ matrix.os }})
+    runs-on: ${{ matrix.os }}
+    strategy:
+      fail-fast: false
+      matrix:
+        os: [ubuntu-latest, macos-latest, windows-latest]
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Set up Go
+        uses: actions/setup-go@v5
+        with:
+          go-version-file: 'go.mod'
+
+      - name: Set up Node
+        uses: actions/setup-node@v4
+        with:
+          node-version: '20'
+
+      - name: Download Go modules
+        run: go mod download
+        shell: bash
+
+      - name: Run chat archive CI
+        run: npm run ci
+        shell: bash
+
+      - name: Upload verification summary
+        if: always()
+        uses: actions/upload-artifact@v4
+        with:
+          name: chatarchive-summary-${{ matrix.os }}
+          path: outputs/chatarchive-ci/
+
+      - name: Publish job summary
+        if: always()
+        shell: bash
+        run: |
+          if [[ -f outputs/chatarchive-ci/summary.txt ]]; then
+            cat outputs/chatarchive-ci/summary.txt >> "$GITHUB_STEP_SUMMARY"
+          fi

.github/workflows/ci.yml

@@ -161,7 +161,7 @@ PY
         run: scripts/ci/preflight.sh
 
       - name: Install golangci-lint
-        run: go install github.com/golangci/golangci-lint/v2/cmd/golangci-lint@v2.0.0
+        run: bash scripts/ci/install-golangci-lint.sh
 
       - name: Run lint lane
         env:
@@ -245,6 +245,10 @@ PY
         run: |
           test -f outputs/ci/unit/report.json && cat outputs/ci/unit/report.json || true
 
+      - name: Alert on unit lane report
+        if: always()
+        run: python3 scripts/ci/report-alert.py ci-unit outputs/ci/unit/report.json
+
   ci-deps-unit:
     name: ci-deps-unit
     runs-on: ubuntu-latest
@@ -295,6 +299,10 @@ PY
         run: |
           test -f outputs/ci/deps-unit/report.json && cat outputs/ci/deps-unit/report.json || true
 
+      - name: Alert on dependency-focused unit lane report
+        if: always()
+        run: python3 scripts/ci/report-alert.py ci-deps-unit outputs/ci/deps-unit/report.json
+
   ci-integration:
     name: ci-integration
     runs-on: ubuntu-latest
@@ -344,6 +352,10 @@ PY
         run: |
           test -f outputs/ci/integration/report.json && cat outputs/ci/integration/report.json || true
 
+      - name: Alert on integration lane report
+        if: always()
+        run: python3 scripts/ci/report-alert.py ci-integration outputs/ci/integration/report.json
+
   ci-e2e-smoke:
     name: ci-e2e-smoke
     runs-on: ubuntu-latest
@@ -391,6 +403,10 @@ PY
         run: |
           test -f outputs/ci/e2e-smoke/report.json && cat outputs/ci/e2e-smoke/report.json || true
 
+      - name: Alert on e2e smoke lane report
+        if: always()
+        run: python3 scripts/ci/report-alert.py ci-e2e-smoke outputs/ci/e2e-smoke/report.json
+
   ci-fuzz:
     name: ci-fuzz
     runs-on: ubuntu-latest
@@ -438,6 +454,10 @@ PY
         run: |
           test -f outputs/ci/fuzz/report.json && cat outputs/ci/fuzz/report.json || true
 
+      - name: Alert on fuzz lane report
+        if: always()
+        run: python3 scripts/ci/report-alert.py ci-fuzz outputs/ci/fuzz/report.json
+
   ci-e2e-full:
     name: ci-e2e-full
     if: github.event_name == 'schedule' || github.event_name == 'workflow_dispatch'
@@ -485,3 +505,7 @@ PY
         if: always()
         run: |
           test -f outputs/ci/e2e-full/report.json && cat outputs/ci/e2e-full/report.json || true
+
+      - name: Alert on e2e full lane report
+        if: always()
+        run: python3 scripts/ci/report-alert.py ci-e2e-full outputs/ci/e2e-full/report.json

.pre-commit-config.yaml

@@ -47,10 +47,10 @@ repos:
   # Local hooks for custom checks
   - repo: local
     hooks:
-      # Enforce local/CI parity lane via mage-compatible entrypoint
+      # Enforce local/CI parity lane via npm wrapper
       - id: ci-debug-parity
-        name: CI debug parity gate (magew ci:debug)
-        entry: ./magew ci:debug
+        name: CI debug parity gate (npm run ci:debug)
+        entry: npm run ci:debug --silent
         language: system
         pass_filenames: false
         require_serial: true
@@ -80,13 +80,13 @@ repos:
         pass_filenames: false
         description: Ensures code compiles successfully
 
-      # Verify E2E tests have build tags
-      - id: verify-e2e-build-tags
-        name: Verify E2E build tags
-        entry: bash -c 'for f in test/e2e/*_test.go; do head -1 "$f" | grep -q "//go:build e2e" || { echo "ERROR: $f missing //go:build e2e tag"; exit 1; }; done'
+      # Verify environment-dependent tests are build-tagged
+      - id: verify-test-build-tags
+        name: Verify test build tags
+        entry: bash scripts/ci/check-test-tags.sh
         language: system
         pass_filenames: false
-        description: Ensures all E2E tests have proper build tags
+        description: Ensures environment-dependent tests keep their explicit build tags
 
       # Check for deprecated benchmark pattern
       - id: check-benchmark-pattern

cmd/create/chat_archive.go

@@ -0,0 +1,37 @@
+// cmd/create/chat_archive.go
+//
+// Thin orchestration layer for chat-archive. Business logic lives in
+// pkg/chatarchive/ per the cmd/ vs pkg/ enforcement rule.
+
+package create
+
+import (
+	"github.com/CodeMonkeyCybersecurity/eos/internal/chatarchivecmd"
+	eos "github.com/CodeMonkeyCybersecurity/eos/pkg/eos_cli"
+	"github.com/CodeMonkeyCybersecurity/eos/pkg/eos_io"
+	"github.com/spf13/cobra"
+)
+
+// CreateChatArchiveCmd copies and deduplicates chat transcripts.
+var CreateChatArchiveCmd = &cobra.Command{
+	Use:   "chat-archive",
+	Short: "Copy and deduplicate chat transcripts into a local archive",
+	Long: `Find transcript-like files (jsonl/json/html), copy unique files into one archive,
+and write an index manifest with duplicate mappings.
+
+Examples:
+  eos create chat-archive
+  eos create chat-archive --source ~/.claude --source ~/dev
+  eos create chat-archive --exclude conversation-api --exclude .cache
+  eos create chat-archive --dry-run`,
+	RunE: eos.Wrap(runCreateChatArchive),
+}
+
+func init() {
+	CreateCmd.AddCommand(CreateChatArchiveCmd)
+	chatarchivecmd.BindFlags(CreateChatArchiveCmd)
+}
+
+func runCreateChatArchive(rc *eos_io.RuntimeContext, cmd *cobra.Command, _ []string) error {
+	return chatarchivecmd.Run(rc, cmd)
+}

docs/inspect-follow-up-issues-2026-03-21.md

@@ -0,0 +1,50 @@
+*Last Updated: 2026-03-21*
+
+# pkg/inspect Follow-Up Issues
+
+Issues discovered during adversarial review of `pkg/inspect/docker.go`.
+
+## Issue 1: output.go / terraform_modular.go — 37 staticcheck warnings (P2)
+
+**Problem**: `WriteString(fmt.Sprintf(...))` should be `fmt.Fprintf(...)` throughout output.go and terraform_modular.go.
+**Impact**: Performance (unnecessary string allocation) and lint noise.
+**Fix**: Replace all `tf.WriteString(fmt.Sprintf(...))` with `fmt.Fprintf(tf, ...)`.
+**Files**: `pkg/inspect/output.go`, `pkg/inspect/terraform_modular.go`
+**Effort**: ~30 min mechanical refactor
+
+## Issue 2: services.go — unchecked filepath.Glob error (P2)
+
+**Problem**: `pkg/inspect/services.go:381` ignores `filepath.Glob` error.
+**Impact**: Silent failure when glob patterns are invalid.
+**Fix**: Check and log the error.
+**Effort**: 5 min
+
+## Issue 3: kvm.go — goconst violations (P3)
+
+**Problem**: String constants `"active"`, `"UUID"` repeated without named constants.
+**Impact**: Violates P0 Rule #12 (no hardcoded values).
+**Fix**: Extract to constants in `kvm.go` or a `constants.go` file.
+**Effort**: 15 min
+
+## Issue 4: Pre-existing lint issues across 30+ files on this branch (P1)
+
+**Problem**: `npm run ci` fails due to 165 lint issues across the branch.
+**Impact**: Cannot merge until resolved.
+**Root cause**: Accumulated tech debt from many feature PRs merged without lint cleanup.
+**Fix**: Dedicated lint cleanup pass before PR merge.
+**Effort**: 2-4 hours
+
+## Issue 5: Inspector lacks Docker SDK integration (P3)
+
+**Problem**: All Docker operations use shell commands instead of the Docker SDK.
+**Impact**: Fragile parsing, no type safety, extra process spawns.
+**Fix**: Migrate to `github.com/docker/docker/client` SDK for container/image/network/volume operations.
+**Rationale**: CLAUDE.md P1 states "ALWAYS use Docker SDK" for container operations.
+**Effort**: 1-2 days
+
+## Issue 6: Compose file search does not guard against TOCTOU (P3)
+
+**Problem**: Between `os.Stat` size check and `os.ReadFile`, the file could be replaced.
+**Impact**: Theoretical DoS via race condition on symlink swap.
+**Fix**: Read file first, then check size of bytes read (simpler and race-free).
+**Effort**: 15 min

internal/chatarchivecmd/run.go

@@ -0,0 +1,105 @@
+package chatarchivecmd
+
+import (
+	"fmt"
+	"io"
+	"strings"
+	"time"
+
+	"github.com/CodeMonkeyCybersecurity/eos/pkg/chatarchive"
+	"github.com/CodeMonkeyCybersecurity/eos/pkg/eos_io"
+	"github.com/spf13/cobra"
+	"github.com/uptrace/opentelemetry-go-extra/otelzap"
+	"go.uber.org/zap"
+)
+
+func BindFlags(cmd *cobra.Command) {
+	cmd.Flags().StringSlice("source", chatarchive.DefaultSources(), "Source directories to scan")
+	cmd.Flags().String("dest", chatarchive.DefaultDest(), "Destination archive directory")
+	cmd.Flags().StringSlice("exclude", nil, "Path substrings to exclude from discovery (e.g. --exclude conversation-api)")
+	cmd.Flags().Bool("dry-run", false, "Show what would be archived without copying files")
+}
+
+func Run(rc *eos_io.RuntimeContext, cmd *cobra.Command) error {
+	sources, _ := cmd.Flags().GetStringSlice("source")
+	dest, _ := cmd.Flags().GetString("dest")
+	excludes, _ := cmd.Flags().GetStringSlice("exclude")
+	dryRun, _ := cmd.Flags().GetBool("dry-run")
+
+	result, err := chatarchive.Archive(rc, chatarchive.Options{
+		Sources:  sources,
+		Dest:     dest,
+		Excludes: excludes,
+		DryRun:   dryRun,
+	})
+	if err != nil {
+		return err
+	}
+
+	logger := otelzap.Ctx(rc.Ctx)
+	writeSummary(cmd.OutOrStdout(), result, dryRun, logger)
+	logger.Info("Chat archive summary",
+		zap.Int("sources_requested", result.SourcesRequested),
+		zap.Int("sources_scanned", result.SourcesScanned),
+		zap.Int("sources_missing", len(result.MissingSources)),
+		zap.Int("skipped_symlinks", result.SkippedSymlinks),
+		zap.Int("unreadable_entries", result.UnreadableEntries),
+		zap.Int("unique_files", result.UniqueFiles),
+		zap.Int("duplicates", result.Duplicates),
+		zap.Int("already_archived", result.Skipped),
+		zap.Int("empty_files", result.EmptyFiles),
+		zap.Int("failures", result.FailureCount),
+		zap.Duration("duration", result.Duration),
+		zap.Bool("dry_run", dryRun))
+	for _, failure := range result.Failures {
+		logger.Warn("Chat archive file failure",
+			zap.String("path", failure.Path),
+			zap.String("stage", failure.Stage),
+			zap.String("reason", failure.Reason))
+	}
+
+	return nil
+}
+
+func formatSummary(result *chatarchive.Result, dryRun bool) string {
+	lines := []string{
+		statusLine(dryRun),
+		fmt.Sprintf("Sources scanned: %d/%d", result.SourcesScanned, result.SourcesRequested),
+		fmt.Sprintf("Unique files: %d", result.UniqueFiles),
+		fmt.Sprintf("Duplicates in this run: %d", result.Duplicates),
+		fmt.Sprintf("Already archived: %d", result.Skipped),
+		fmt.Sprintf("Empty files ignored: %d", result.EmptyFiles),
+		fmt.Sprintf("File failures: %d", result.FailureCount),
+		fmt.Sprintf("Unreadable entries skipped: %d", result.UnreadableEntries),
+		fmt.Sprintf("Symlinks skipped: %d", result.SkippedSymlinks),
+		fmt.Sprintf("Duration: %s", result.Duration.Round(10*time.Millisecond)),
+	}
+
+	if result.ManifestPath != "" {
+		lines = append(lines, fmt.Sprintf("Manifest: %s", result.ManifestPath))
+	}
+	if result.RecoveredManifestPath != "" {
+		lines = append(lines, fmt.Sprintf("Recovered corrupt manifest: %s", result.RecoveredManifestPath))
+	}
+	if len(result.MissingSources) > 0 {
+		lines = append(lines, fmt.Sprintf("Unavailable sources: %s", strings.Join(result.MissingSources, ", ")))
+	}
+	if result.FailureCount > len(result.Failures) {
+		lines = append(lines, fmt.Sprintf("Additional failures not shown: %d", result.FailureCount-len(result.Failures)))
+	}
+
+	return strings.Join(lines, "\n")
+}
+
+func statusLine(dryRun bool) string {
+	if dryRun {
+		return "Dry run complete."
+	}
+	return "Archive complete."
+}
+
+func writeSummary(w io.Writer, result *chatarchive.Result, dryRun bool, logger otelzap.LoggerWithCtx) {
+	if _, err := fmt.Fprintln(w, formatSummary(result, dryRun)); err != nil {
+		logger.Warn("Failed to write chat archive summary", zap.Error(err))
+	}
+}