feat: add cached Docker images, workspace isolation, and cleanup for project containers

Three related improvements to the per-project container lifecycle:

1. Cached Docker images (startup.sh baked in via docker build)
   Instead of running startup.sh on every container start, a derived image
   is built once and tagged as pb-cache:{content-hash}. Subsequent runs
   skip the expensive system-level setup (apt-get, mise install, etc.)
   entirely. The cache invalidates automatically when dockerimage or
   startup.sh content changes.

2. Workspace isolation for concurrent agents (PB_WORKSPACE_ID)
   workspace-init.sh and workspace-cleanup.sh now receive PB_WORKSPACE_ID
   as an environment variable. Projects use this to namespace their Docker
   Compose resources (container names, volumes, networks), preventing
   collisions when multiple agents work on the same project concurrently.

3. Workspace cleanup convention (workspace-cleanup.sh)
   A new optional script runs inside the project container before it is
   removed. This tears down any resources the init script created (e.g.,
   docker compose down -v), preventing orphaned containers and volumes.
   Cleanup failures are non-fatal (logged as warnings).

Files changed:
- ProjectContainerManager: cached image build, PB_WORKSPACE_ID env var,
  cleanup script support, updated stopProjectContainer() signature
- GitCloneService: passes workspacePath to stopProjectContainer()
- multilevel-docker-architecture.md: documents caching, isolation, cleanup
- ProjectContainerManagerTest: tests for cache tags and script detection

Author: manuelkiessling

src/WorkspaceManagement/Infrastructure/Service/GitCloneService.php

@@ -137,7 +137,7 @@ public function cloneRepositoryOnBranch(string $githubUrl, string $githubToken,
     public function removeWorkspace(string $workspacePath, ?string $containerName): void
     {
         if ($containerName !== null) {
-            $this->containerManager->stopProjectContainer($containerName);
+            $this->containerManager->stopProjectContainer($containerName, $workspacePath);
         }
 
         $workspaceBaseDir = $this->resolveWorkspaceBaseDir();

src/WorkspaceManagement/Infrastructure/Service/ProjectContainerManager.php

@@ -10,11 +10,17 @@
 
 class ProjectContainerManager
 {
-    private const string DOCKERIMAGE_FILE     = '.productbuilder/dockerimage';
-    private const string STARTUP_SCRIPT       = '.productbuilder/startup.sh';
-    private const string CONTAINER_PREFIX     = 'pb-workspace-';
-    private const int CONTAINER_START_TIMEOUT = 30;
-    private const int STARTUP_SCRIPT_TIMEOUT  = 600;
+    private const string DOCKERIMAGE_FILE         = '.productbuilder/dockerimage';
+    private const string STARTUP_SCRIPT           = '.productbuilder/startup.sh';
+    private const string WORKSPACE_INIT_SCRIPT    = '.productbuilder/workspace-init.sh';
+    private const string WORKSPACE_CLEANUP_SCRIPT = '.productbuilder/workspace-cleanup.sh';
+    private const string CONTAINER_PREFIX         = 'pb-workspace-';
+    private const string CACHE_IMAGE_PREFIX       = 'pb-cache:';
+    private const int CACHE_HASH_LENGTH           = 16;
+    private const int CONTAINER_START_TIMEOUT     = 30;
+    private const int IMAGE_BUILD_TIMEOUT         = 600;
+    private const int WORKSPACE_INIT_TIMEOUT      = 600;
+    private const int WORKSPACE_CLEANUP_TIMEOUT   = 120;
 
     public function __construct(
         private readonly LoggerInterface $logger,
@@ -27,23 +33,24 @@ public function hasProjectContainerConfig(string $workspacePath): bool
     }
 
     /**
-     * Starts a project container and runs the startup script.
-     * Returns the container name.
+     * Starts a project container using a cached image (building it if needed)
+     * and runs the workspace init script. Returns the container name.
      */
     public function startProjectContainer(string $workspacePath, string $workspaceId): string
     {
-        $dockerImage   = $this->readDockerImage($workspacePath);
-        $containerName = self::CONTAINER_PREFIX . $workspaceId;
+        $baseImage      = $this->readDockerImage($workspacePath);
+        $containerName  = self::CONTAINER_PREFIX . $workspaceId;
+        $effectiveImage = $this->resolveEffectiveImage($workspacePath, $baseImage);
 
         $this->logger->info('[ProjectContainer] Starting project container', [
-            'containerName' => $containerName,
-            'dockerImage'   => $dockerImage,
-            'workspacePath' => $workspacePath,
+            'containerName'  => $containerName,
+            'baseImage'      => $baseImage,
+            'effectiveImage' => $effectiveImage,
+            'workspacePath'  => $workspacePath,
         ]);
 
-        $this->pullImage($dockerImage);
-        $this->runContainer($containerName, $dockerImage, $workspacePath);
-        $this->runStartupScript($containerName, $workspacePath);
+        $this->runContainer($containerName, $effectiveImage, $workspacePath);
+        $this->runWorkspaceInitScript($containerName, $workspacePath, $workspaceId);
 
         $this->logger->info('[ProjectContainer] Project container ready', [
             'containerName' => $containerName,
@@ -52,8 +59,15 @@ public function startProjectContainer(string $workspacePath, string $workspaceId
         return $containerName;
     }
 
-    public function stopProjectContainer(string $containerName): void
+    /**
+     * Runs the workspace cleanup script (if present), then removes the project container.
+     */
+    public function stopProjectContainer(string $containerName, string $workspacePath): void
     {
+        $workspaceId = $this->extractWorkspaceId($containerName);
+
+        $this->runWorkspaceCleanupScript($containerName, $workspacePath, $workspaceId);
+
         $this->logger->info('[ProjectContainer] Stopping project container', [
             'containerName' => $containerName,
         ]);
@@ -76,6 +90,109 @@ public function stopProjectContainer(string $containerName): void
         ]);
     }
 
+    /**
+     * @internal exposed for testing only
+     */
+    public function computeCacheTag(string $workspacePath, string $baseImage): string
+    {
+        $startupPath    = $workspacePath . '/' . self::STARTUP_SCRIPT;
+        $startupContent = is_file($startupPath) ? (string) file_get_contents($startupPath) : '';
+        $cacheKey       = hash('sha256', $baseImage . "\n" . $startupContent);
+
+        return self::CACHE_IMAGE_PREFIX . substr($cacheKey, 0, self::CACHE_HASH_LENGTH);
+    }
+
+    private function extractWorkspaceId(string $containerName): string
+    {
+        return substr($containerName, strlen(self::CONTAINER_PREFIX));
+    }
+
+    /**
+     * Returns the cached image tag if it exists, or builds it from the base
+     * image + startup.sh. If there is no startup.sh, falls back to pulling
+     * the base image directly (nothing to cache).
+     */
+    private function resolveEffectiveImage(string $workspacePath, string $baseImage): string
+    {
+        $startupPath = $workspacePath . '/' . self::STARTUP_SCRIPT;
+
+        if (!is_file($startupPath)) {
+            $this->logger->info('[ProjectContainer] No startup.sh found, using base image directly', [
+                'baseImage' => $baseImage,
+            ]);
+            $this->pullImage($baseImage);
+
+            return $baseImage;
+        }
+
+        $cacheTag = $this->computeCacheTag($workspacePath, $baseImage);
+
+        if ($this->cachedImageExists($cacheTag)) {
+            $this->logger->info('[ProjectContainer] Cache hit — using existing image', [
+                'cacheTag' => $cacheTag,
+            ]);
+
+            return $cacheTag;
+        }
+
+        $this->logger->info('[ProjectContainer] Cache miss — building cached image', [
+            'cacheTag'  => $cacheTag,
+            'baseImage' => $baseImage,
+        ]);
+
+        $this->buildCachedImage($workspacePath, $baseImage, $cacheTag);
+
+        return $cacheTag;
+    }
+
+    private function cachedImageExists(string $cacheTag): bool
+    {
+        $process = new Process(['docker', 'image', 'inspect', $cacheTag]);
+        $process->setTimeout(10);
+        $process->run();
+
+        return $process->isSuccessful();
+    }
+
+    private function buildCachedImage(string $workspacePath, string $baseImage, string $cacheTag): void
+    {
+        $dockerfileContent = sprintf(
+            "FROM %s\nCOPY %s /tmp/pb-startup.sh\nRUN bash /tmp/pb-startup.sh && rm /tmp/pb-startup.sh\n",
+            $baseImage,
+            self::STARTUP_SCRIPT,
+        );
+
+        $dockerfilePath = $workspacePath . '/.productbuilder-Dockerfile';
+        file_put_contents($dockerfilePath, $dockerfileContent);
+
+        try {
+            $process = new Process([
+                'docker', 'build',
+                '-t', $cacheTag,
+                '-f', $dockerfilePath,
+                $workspacePath,
+            ]);
+            $process->setTimeout(self::IMAGE_BUILD_TIMEOUT);
+            $process->run();
+
+            if (!$process->isSuccessful()) {
+                throw new RuntimeException(sprintf(
+                    'Failed to build cached image "%s": %s',
+                    $cacheTag,
+                    $process->getErrorOutput(),
+                ));
+            }
+
+            $this->logger->info('[ProjectContainer] Cached image built', [
+                'cacheTag' => $cacheTag,
+            ]);
+        } finally {
+            if (is_file($dockerfilePath)) {
+                unlink($dockerfilePath);
+            }
+        }
+    }
+
     private function readDockerImage(string $workspacePath): string
     {
         $filePath = $workspacePath . '/' . self::DOCKERIMAGE_FILE;
@@ -139,42 +256,87 @@ private function runContainer(string $containerName, string $dockerImage, string
         }
     }
 
-    private function runStartupScript(string $containerName, string $workspacePath): void
+    private function runWorkspaceInitScript(string $containerName, string $workspacePath, string $workspaceId): void
     {
-        $startupScriptPath = $workspacePath . '/' . self::STARTUP_SCRIPT;
+        $initScriptPath = $workspacePath . '/' . self::WORKSPACE_INIT_SCRIPT;
 
-        if (!is_file($startupScriptPath)) {
-            $this->logger->info('[ProjectContainer] No startup script found, skipping', [
-                'expected' => $startupScriptPath,
+        if (!is_file($initScriptPath)) {
+            $this->logger->info('[ProjectContainer] No workspace-init.sh found, skipping', [
+                'expected' => $initScriptPath,
             ]);
 
             return;
         }
 
-        $this->logger->info('[ProjectContainer] Running startup script', [
+        $this->logger->info('[ProjectContainer] Running workspace init script', [
             'containerName' => $containerName,
-            'script'        => self::STARTUP_SCRIPT,
+            'script'        => self::WORKSPACE_INIT_SCRIPT,
+            'workspaceId'   => $workspaceId,
         ]);
 
         $process = new Process([
             'docker', 'exec',
+            '-e', 'PB_WORKSPACE_ID=' . $workspaceId,
             '-w', $workspacePath,
             $containerName,
-            'bash', $workspacePath . '/' . self::STARTUP_SCRIPT,
+            'bash', $workspacePath . '/' . self::WORKSPACE_INIT_SCRIPT,
         ]);
-        $process->setTimeout(self::STARTUP_SCRIPT_TIMEOUT);
+        $process->setTimeout(self::WORKSPACE_INIT_TIMEOUT);
         $process->run();
 
         if (!$process->isSuccessful()) {
             throw new RuntimeException(sprintf(
-                'Startup script failed in container "%s" (exit %d): %s',
+                'Workspace init script failed in container "%s" (exit %d): %s',
                 $containerName,
                 $process->getExitCode(),
                 $process->getErrorOutput(),
             ));
         }
 
-        $this->logger->info('[ProjectContainer] Startup script completed', [
+        $this->logger->info('[ProjectContainer] Workspace init script completed', [
+            'containerName' => $containerName,
+        ]);
+    }
+
+    private function runWorkspaceCleanupScript(string $containerName, string $workspacePath, string $workspaceId): void
+    {
+        $cleanupScriptPath = $workspacePath . '/' . self::WORKSPACE_CLEANUP_SCRIPT;
+
+        if (!is_file($cleanupScriptPath)) {
+            $this->logger->info('[ProjectContainer] No workspace-cleanup.sh found, skipping', [
+                'expected' => $cleanupScriptPath,
+            ]);
+
+            return;
+        }
+
+        $this->logger->info('[ProjectContainer] Running workspace cleanup script', [
+            'containerName' => $containerName,
+            'script'        => self::WORKSPACE_CLEANUP_SCRIPT,
+            'workspaceId'   => $workspaceId,
+        ]);
+
+        $process = new Process([
+            'docker', 'exec',
+            '-e', 'PB_WORKSPACE_ID=' . $workspaceId,
+            '-w', $workspacePath,
+            $containerName,
+            'bash', $workspacePath . '/' . self::WORKSPACE_CLEANUP_SCRIPT,
+        ]);
+        $process->setTimeout(self::WORKSPACE_CLEANUP_TIMEOUT);
+        $process->run();
+
+        if (!$process->isSuccessful()) {
+            $this->logger->warning('[ProjectContainer] Workspace cleanup script failed (proceeding with teardown)', [
+                'containerName' => $containerName,
+                'exitCode'      => $process->getExitCode(),
+                'stderr'        => $process->getErrorOutput(),
+            ]);
+
+            return;
+        }
+
+        $this->logger->info('[ProjectContainer] Workspace cleanup script completed', [
             'containerName' => $containerName,
         ]);
     }