Improve rust image upgrades and built-in browser tooling

.github/workflows/ci.yml

@@ -44,6 +44,10 @@ jobs:
           chmod +x scripts/version-check.sh
           ./scripts/version-check.sh
 
+      - name: Test versions-up build args
+        shell: bash
+        run: bash ./tests/version-upgrade.sh
+
   smoke:
     name: Installer Smoke Test
     runs-on: ubuntu-latest
@@ -54,7 +58,7 @@ jobs:
       - name: Setup Node
         uses: actions/setup-node@v4
         with:
-          node-version: "22"
+          node-version: "24"
 
       - name: Resolve tool versions
         id: versions
@@ -85,6 +89,23 @@ jobs:
             ATLAS_CLI_VERSION="${{ steps.versions.outputs.atlas_cli_version }}" \
             COPILOT_API_VERSION="${{ steps.versions.outputs.copilot_api_version }}"
 
+      - name: Smoke rust runtime and browser tooling
+        shell: bash
+        run: |
+          set -euo pipefail
+          docker run --rm deva-smoke:ci-rust bash -lc '
+            bwrap --version
+            go version | grep "go1.26.2"
+            playwright --version
+            playwright-mcp --help >/dev/null
+            playwright install --list
+            if command -v google-chrome >/dev/null 2>&1; then
+              google-chrome --version
+            else
+              echo "google-chrome not installed on $(dpkg --print-architecture)"
+            fi
+          '
+
       - name: Install and launch each agent without a TTY
         shell: bash
         run: |

.github/workflows/nightly-images.yml

@@ -8,6 +8,9 @@ on:
 env:
   REGISTRY: ghcr.io
   IMAGE_NAME: thevibeworks/deva
+  GO_VERSION: 1.26.2
+  PLAYWRIGHT_VERSION: 1.59.1
+  PLAYWRIGHT_MCP_VERSION: 0.0.70
 
 permissions:
   contents: read
@@ -35,7 +38,7 @@ jobs:
       - name: Setup Node
         uses: actions/setup-node@v4
         with:
-          node-version: "22"
+          node-version: "24"
 
       - name: Resolve versions
         id: versions
@@ -59,7 +62,7 @@ jobs:
 
   build-base:
     name: Build Nightly Base Image
-    needs: resolve-versions
+    needs: [resolve-versions, build-core]
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
@@ -107,10 +110,60 @@ jobs:
             GEMINI_CLI_VERSION=${{ needs.resolve-versions.outputs.gemini_cli_version }}
             ATLAS_CLI_VERSION=${{ needs.resolve-versions.outputs.atlas_cli_version }}
             COPILOT_API_VERSION=${{ needs.resolve-versions.outputs.copilot_api_version }}
+            GO_VERSION=${{ env.GO_VERSION }}
+
+  build-core:
+    name: Build Nightly Core Image
+    needs: resolve-versions
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v3
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Log in to Container Registry
+        uses: docker/login-action@v3
+        with:
+          registry: ${{ env.REGISTRY }}
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Extract metadata
+        id: meta-core
+        uses: docker/metadata-action@v5
+        with:
+          images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
+          tags: |
+            type=raw,value=nightly-core
+            type=raw,value=nightly-${{ needs.resolve-versions.outputs.stamp }}-core
+          labels: |
+            org.opencontainers.image.title=deva-nightly-core
+            org.opencontainers.image.description=Nightly deva core image for downstream profile builds
+
+      - name: Build and push core image
+        uses: docker/build-push-action@v5
+        with:
+          context: .
+          file: ./Dockerfile
+          target: agent-base
+          platforms: linux/amd64,linux/arm64
+          push: true
+          tags: ${{ steps.meta-core.outputs.tags }}
+          labels: ${{ steps.meta-core.outputs.labels }}
+          cache-from: type=gha,scope=nightly-core
+          cache-to: type=gha,mode=max,scope=nightly-core
+          build-args: |
+            COPILOT_API_VERSION=${{ needs.resolve-versions.outputs.copilot_api_version }}
+            GO_VERSION=${{ env.GO_VERSION }}
 
   build-rust:
     name: Build Nightly Rust Image
-    needs: [resolve-versions, build-base]
+    needs: [resolve-versions, build-core]
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
@@ -153,18 +206,26 @@ jobs:
           cache-from: type=gha,scope=nightly-rust
           cache-to: type=gha,mode=max,scope=nightly-rust
           build-args: |
-            BASE_IMAGE=${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:nightly-${{ needs.resolve-versions.outputs.stamp }}
+            BASE_IMAGE=${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:nightly-${{ needs.resolve-versions.outputs.stamp }}-core
+            CLAUDE_CODE_VERSION=${{ needs.resolve-versions.outputs.claude_code_version }}
+            CODEX_VERSION=${{ needs.resolve-versions.outputs.codex_version }}
+            GEMINI_CLI_VERSION=${{ needs.resolve-versions.outputs.gemini_cli_version }}
+            ATLAS_CLI_VERSION=${{ needs.resolve-versions.outputs.atlas_cli_version }}
+            PLAYWRIGHT_VERSION=${{ env.PLAYWRIGHT_VERSION }}
+            PLAYWRIGHT_MCP_VERSION=${{ env.PLAYWRIGHT_MCP_VERSION }}
 
   summary:
     name: Nightly Summary
-    needs: [resolve-versions, build-base, build-rust]
+    needs: [resolve-versions, build-core, build-base, build-rust]
     runs-on: ubuntu-latest
     steps:
       - name: Publish summary
         run: |
           cat <<EOF >> "$GITHUB_STEP_SUMMARY"
           ## Published Nightly Images
 
+          - \`ghcr.io/thevibeworks/deva:nightly-core\`
+          - \`ghcr.io/thevibeworks/deva:nightly-${{ needs.resolve-versions.outputs.stamp }}-core\`
           - \`ghcr.io/thevibeworks/deva:nightly\`
           - \`ghcr.io/thevibeworks/deva:nightly-${{ needs.resolve-versions.outputs.stamp }}\`
           - \`ghcr.io/thevibeworks/deva:nightly-rust\`

.github/workflows/release.yml

@@ -14,6 +14,9 @@ on:
 env:
   REGISTRY: ghcr.io
   IMAGE_NAME: thevibeworks/deva
+  GO_VERSION: 1.26.2
+  PLAYWRIGHT_VERSION: 1.59.1
+  PLAYWRIGHT_MCP_VERSION: 0.0.70
 
 jobs:
   prepare:
@@ -51,7 +54,7 @@ jobs:
       - name: Setup Node
         uses: actions/setup-node@v4
         with:
-          node-version: "22"
+          node-version: "24"
 
       - name: Resolve versions
         id: versions
@@ -73,7 +76,7 @@ jobs:
 
   build-and-push:
     name: Build and Push Docker Image
-    needs: [prepare, resolve-versions]
+    needs: [prepare, resolve-versions, build-and-push-core]
     runs-on: ubuntu-latest
     permissions:
       contents: read
@@ -123,11 +126,66 @@ jobs:
             GEMINI_CLI_VERSION=${{ needs.resolve-versions.outputs.gemini_cli_version }}
             ATLAS_CLI_VERSION=${{ needs.resolve-versions.outputs.atlas_cli_version }}
             COPILOT_API_VERSION=${{ needs.resolve-versions.outputs.copilot_api_version }}
+            GO_VERSION=${{ env.GO_VERSION }}
+
+  build-and-push-core:
+    name: Build and Push Core Image
+    needs: [prepare, resolve-versions]
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      packages: write
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          ref: ${{ needs.prepare.outputs.release_tag }}
+
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v3
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Log in to Container Registry
+        uses: docker/login-action@v3
+        with:
+          registry: ${{ env.REGISTRY }}
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Extract metadata for core image
+        id: meta-core
+        uses: docker/metadata-action@v5
+        with:
+          images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
+          tags: |
+            type=raw,value=${{ needs.prepare.outputs.release_tag }}-core
+            type=raw,value=core
+          labels: |
+            org.opencontainers.image.title=deva-core
+            org.opencontainers.image.description=Stable deva core image for downstream profile builds
+
+      - name: Build and push core image
+        uses: docker/build-push-action@v5
+        with:
+          context: .
+          file: ./Dockerfile
+          target: agent-base
+          platforms: linux/amd64,linux/arm64
+          push: true
+          tags: ${{ steps.meta-core.outputs.tags }}
+          labels: ${{ steps.meta-core.outputs.labels }}
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
+          build-args: |
+            COPILOT_API_VERSION=${{ needs.resolve-versions.outputs.copilot_api_version }}
+            GO_VERSION=${{ env.GO_VERSION }}
 
   build-and-push-rust:
     name: Build and Push Rust Profile Image
     runs-on: ubuntu-latest
-    needs: [prepare, build-and-push]
+    needs: [prepare, resolve-versions, build-and-push-core]
     permissions:
       contents: read
       packages: write
@@ -171,12 +229,18 @@ jobs:
           cache-from: type=gha
           cache-to: type=gha,mode=max
           build-args: |
-            BASE_IMAGE=${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ needs.prepare.outputs.release_tag }}
+            BASE_IMAGE=${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ needs.prepare.outputs.release_tag }}-core
+            CLAUDE_CODE_VERSION=${{ needs.resolve-versions.outputs.claude_code_version }}
+            CODEX_VERSION=${{ needs.resolve-versions.outputs.codex_version }}
+            GEMINI_CLI_VERSION=${{ needs.resolve-versions.outputs.gemini_cli_version }}
+            ATLAS_CLI_VERSION=${{ needs.resolve-versions.outputs.atlas_cli_version }}
+            PLAYWRIGHT_VERSION=${{ env.PLAYWRIGHT_VERSION }}
+            PLAYWRIGHT_MCP_VERSION=${{ env.PLAYWRIGHT_MCP_VERSION }}
 
   release:
     name: Create GitHub Release
     runs-on: ubuntu-latest
-    needs: [prepare, build-and-push, build-and-push-rust]
+    needs: [prepare, build-and-push-core, build-and-push, build-and-push-rust]
     permissions:
       contents: write
     steps:

Dockerfile

@@ -30,7 +30,7 @@ RUN --mount=type=cache,target=/var/cache/apt,sharing=locked \
         openssh-client rsync \
         shellcheck bat fd-find silversearcher-ag \
         vim \
-        procps psmisc zsh socat \
+        procps psmisc zsh socat bubblewrap \
         libevent-dev libncurses-dev bison
 
 # Prevent noisy setlocale warnings at shell startup
@@ -43,7 +43,7 @@ RUN git lfs install --system
 # Install language runtimes in parallel-friendly layers
 FROM base AS runtimes
 
-ARG NODE_MAJOR=22
+ARG NODE_MAJOR=24
 RUN --mount=type=cache,target=/var/cache/apt,sharing=locked \
     --mount=type=cache,target=/var/lib/apt,sharing=locked \
     curl -fsSL https://deb.nodesource.com/setup_${NODE_MAJOR}.x | bash - && \
@@ -60,12 +60,13 @@ RUN curl -LsSf https://astral.sh/uv/install.sh | sh
 # Pre-install Python 3.14t (free-threaded) for uv
 RUN /root/.local/bin/uv python install 3.14t
 
+ARG GO_VERSION=1.26.2
 RUN --mount=type=cache,target=/tmp/go-cache,sharing=locked \
     ARCH=$(dpkg --print-architecture) && \
     GO_ARCH=$([ "$ARCH" = "amd64" ] && echo "amd64" || echo "arm64") && \
     cd /tmp/go-cache && \
-    wget -q https://go.dev/dl/go1.22.0.linux-${GO_ARCH}.tar.gz && \
-    tar -C /usr/local -xzf go1.22.0.linux-${GO_ARCH}.tar.gz
+    wget -q "https://go.dev/dl/go${GO_VERSION}.linux-${GO_ARCH}.tar.gz" && \
+    tar -C /usr/local -xzf "go${GO_VERSION}.linux-${GO_ARCH}.tar.gz"
 
 # Install Copilot API (ericc-ch fork with latest features)
 # Placed at end of runtimes stage to avoid invalidating cache for stable runtimes

Dockerfile.rust

@@ -12,19 +12,24 @@ ARG CLAUDE_CODE_VERSION=2.1.81
 ARG CODEX_VERSION=0.116.0
 ARG GEMINI_CLI_VERSION=0.35.0
 ARG ATLAS_CLI_VERSION=v0.1.4
+ARG PLAYWRIGHT_VERSION=1.59.1
+ARG PLAYWRIGHT_MCP_VERSION=0.0.70
 ARG RUST_TOOLCHAINS="stable"
 ARG RUST_TARGETS="wasm32-unknown-unknown"
 
 LABEL org.opencontainers.image.claude_code_version=${CLAUDE_CODE_VERSION}
 LABEL org.opencontainers.image.codex_version=${CODEX_VERSION}
 LABEL org.opencontainers.image.gemini_cli_version=${GEMINI_CLI_VERSION}
 LABEL org.opencontainers.image.atlas_cli_version=${ATLAS_CLI_VERSION}
+LABEL org.opencontainers.image.playwright_version=${PLAYWRIGHT_VERSION}
+LABEL org.opencontainers.image.playwright_mcp_version=${PLAYWRIGHT_MCP_VERSION}
 
 SHELL ["/bin/bash", "-o", "pipefail", "-c"]
 
 ENV RUSTUP_HOME=/opt/rustup \
     CARGO_HOME=/opt/cargo \
-    PATH=/opt/cargo/bin:$PATH
+    PATH=/opt/cargo/bin:$PATH \
+    PLAYWRIGHT_BROWSERS_PATH=/home/deva/.cache/ms-playwright
 
 USER root
 
@@ -47,6 +52,20 @@ RUN --mount=type=cache,target=/var/cache/apt,sharing=locked \
     apt-get update && \
     apt-get install -y --no-install-recommends clickhouse-client
 
+RUN --mount=type=cache,target=/var/cache/apt,sharing=locked \
+    --mount=type=cache,target=/var/lib/apt,sharing=locked \
+    set -euxo pipefail && \
+    ARCH=$(dpkg --print-architecture) && \
+    if [ "$ARCH" = "amd64" ]; then \
+        mkdir -p /etc/apt/keyrings && \
+        curl -fsSL https://dl.google.com/linux/linux_signing_key.pub | gpg --dearmor -o /etc/apt/keyrings/google-chrome.gpg && \
+        echo "deb [arch=amd64 signed-by=/etc/apt/keyrings/google-chrome.gpg] https://dl.google.com/linux/chrome/deb/ stable main" > /etc/apt/sources.list.d/google-chrome.list && \
+        apt-get update && \
+        apt-get install -y --no-install-recommends google-chrome-stable; \
+    else \
+        echo "Skipping google-chrome-stable on unsupported architecture: $ARCH"; \
+    fi
+
 RUN --mount=type=cache,target=/tmp/rust-cache,sharing=locked \
     set -euxo pipefail && \
     mkdir -p "$RUSTUP_HOME" "$CARGO_HOME" && \
@@ -80,9 +99,17 @@ RUN echo 'export PATH="/opt/cargo/bin:$PATH"' >> "$DEVA_HOME/.zshrc" && \
     echo 'alias cl="cargo clippy"' >> "$DEVA_HOME/.zshrc"
 
 USER $DEVA_USER
+WORKDIR $DEVA_HOME
 
+COPY --chown=deva:deva scripts/install-browser-tooling.sh /tmp/install-browser-tooling.sh
 COPY --chown=deva:deva scripts/install-agent-tooling.sh /tmp/install-agent-tooling.sh
 
+RUN --mount=type=cache,target=/home/deva/.npm,uid=${DEVA_UID},gid=${DEVA_GID},sharing=locked \
+    --mount=type=cache,target=/var/cache/apt,sharing=locked \
+    --mount=type=cache,target=/var/lib/apt,sharing=locked \
+    bash /tmp/install-browser-tooling.sh && \
+    rm -f /tmp/install-browser-tooling.sh
+
 RUN --mount=type=cache,target=/home/deva/.npm,uid=${DEVA_UID},gid=${DEVA_GID},sharing=locked \
     bash /tmp/install-agent-tooling.sh && \
     rm -f /tmp/install-agent-tooling.sh