
[AAASM-3527] 🐛 (aa-runtime): Fix Docker image entrypoint (/aa-runtime was a directory)#1198

Merged: Chisanan232 merged 2 commits into master from v0.0.1/AAASM-3527/fix/runtime_image_entrypoint on Jun 22, 2026

@Chisanan232

Contributor

Description

aa-runtime/Dockerfile produced an image whose ENTRYPOINT ["/aa-runtime"] resolved to a directory instead of the binary, so the published sidecar could not start:

exec /aa-runtime: is a directory

Root cause. The image builds with context: . (repo root). COPY . . brings the repo's aa-runtime/ source directory into the builder as /app/aa-runtime. The builder step then ran cp target/$TARGET/release/aa-runtime /app/aa-runtime — but /app/aa-runtime already existed as a directory, so the binary was placed inside it as /app/aa-runtime/aa-runtime. The final stage's COPY --from=builder /app/aa-runtime /aa-runtime therefore copied that directory into the runtime image, and the entrypoint pointed at a directory.

Fix. Copy the built binary to /aa-runtime-bin (outside /app), a path that no source directory in the build context can shadow, and COPY that single file into the final image. Also added a root .dockerignore (excludes target/, .git/, .github/, node_modules/) as defense-in-depth so the context stays lean and a host-built artifact can never be pulled in.

Before / after evidence

Built docker build -f aa-runtime/Dockerfile -t aa-runtime-test . from the repo root, then inspected the final image filesystem (distroless, no shell) via docker export:

$ docker export $(docker create aa-runtime-test) | tar -tvf - | grep aa-runtime
-rwxr-xr-x  0 0 0  9339280 21 Jun 22:31 aa-runtime

The /aa-runtime entry is now a regular executable file (-rwxr-xr-x, 9.3 MB) — before the fix it was a directory (d...).

Running the container executes the binary (no is a directory):

$ docker run --rm aa-runtime-test            # entrypoint runs the binary
thread 'main' panicked at aa-runtime/src/main.rs:15: "AA_AGENT_ID is required but not set"

$ docker run --rm -e AA_AGENT_ID=test-agent -e AA_POLICY_PATH="" aa-runtime-test
# boots and keeps running (timeout-killed) — no exec error

The runtime reaches its own main.rs config-loading logic, proving the entrypoint is the executable.

Type of Change

  • 🐛 Bug fix
  • 🔧 Configuration / CI change

Breaking Changes

  • No

Related Issues

  • Related Jira ticket: AAASM-3527

Closes AAASM-3527

Testing

  • Manual testing performed (real docker build + filesystem inspection + container start, see evidence above)
  • No unit tests required (Dockerfile/build-packaging change; correctness proven by building and running the image)

Checklist

  • Code follows project style guidelines
  • Self-review of the diff completed
  • Commits are small and follow the Gitmoji convention
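
A CI-style check for the failure described in this PR, added here as an example and not part of the PR or the project's own code: it reproduces the `cp`-into-an-existing-directory collision in a temp directory and inspects a rootfs tar the same way the `docker export | tar -tvf -` evidence does. The temp layout and the function names `entry_mode`, `check_entrypoint` and `build_samples` are assumptions made for illustration.

```shell
# Added example: paths under the temp dir are constructed stand-ins for
# the builder's /app and for the exported image rootfs.

# Print the mode string (e.g. -rwxr-xr-x) of entry $2 in tar archive $1.
# Exported rootfs entries carry no leading slash; directories end in "/".
entry_mode() {
    tar -tvf "$1" | awk -v p="$2" '
        { n = $NF; sub(/^\.\//, "", n) }
        !seen && (n == p || n == p "/") { print $1; seen = 1 }'
}

# Succeed only if the entry is a regular file with the owner exec bit set.
check_entrypoint() {
    case "$(entry_mode "$1" "$2")" in
        -??x*) return 0 ;;
        *)     return 1 ;;
    esac
}

# Build two sample rootfs archives and print the temp dir holding them.
build_samples() {
    w=$(mktemp -d)
    mkdir -p "$w/target" "$w/app/aa-runtime/src" "$w/bad" "$w/good"
    printf '#!/bin/sh\n' > "$w/target/aa-runtime"
    chmod 755 "$w/target/aa-runtime"

    # Bug: the destination already exists as a source directory, so cp
    # nests the binary inside it and the directory is what gets shipped.
    cp "$w/target/aa-runtime" "$w/app/aa-runtime"
    cp -R "$w/app/aa-runtime" "$w/bad/aa-runtime"

    # Fix: stage at a name no source directory uses, ship that one file.
    cp "$w/target/aa-runtime" "$w/aa-runtime-bin"
    cp "$w/aa-runtime-bin" "$w/good/aa-runtime"

    tar -cf "$w/bad.tar" -C "$w/bad" aa-runtime
    tar -cf "$w/good.tar" -C "$w/good" aa-runtime
    echo "$w"
}

dir=$(build_samples)
for t in bad good; do
    if check_entrypoint "$dir/$t.tar" aa-runtime; then
        echo "$t: regular executable file"
    else
        echo "$t: rejected, mode $(entry_mode "$dir/$t.tar" aa-runtime)"
    fi
done
rm -rf "$dir"
```

Against a real image, `check_entrypoint` would be pointed at a tar produced by `docker export` instead of the constructed archives.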

Chisanan232 and others added 2 commits June 21, 2026 22:32
The build context (context: .) `COPY . .` brings the repo's aa-runtime/
source dir into /app as /app/aa-runtime. The builder then `cp`d the built
binary to /app/aa-runtime, which landed *inside* that pre-existing directory
as /app/aa-runtime/aa-runtime. The final stage COPYd that directory to
/aa-runtime, so ENTRYPOINT ["/aa-runtime"] resolved to a directory and the
sidecar failed at startup with `exec /aa-runtime: is a directory`.

Copy the binary to /aa-runtime-bin (outside /app), a path no source dir can
shadow, and COPY that single file into the final image. The entrypoint is now
the executable binary.

Closes AAASM-3527

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

The aa-runtime image builds with context: . (repo root). Exclude target/,
VCS, and node_modules from the context so a host-built (wrong-arch, non-musl)
artifact can never be pulled in and the context stays small. Defense in depth
against the source-dir/binary name collision fixed in the prior commit.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@Chisanan232

Contributor Author

🤖 Claude Code — PR review (record)

CI: ✅ all green (Analyze rust/python/js-ts, Build language images, CodeQL).

Scope vs AAASM-3527: ✅ fully covers it. Root cause correctly identified — COPY . . with no .dockerignore pulled the repo's aa-runtime/ source dir into the builder as /app/aa-runtime, so the built binary cp'd to that path landed inside the directory and the final COPY shipped the directory → exec /aa-runtime: is a directory. Fix: stage the binary at a collision-free path (/aa-runtime-bin) then COPY it to /aa-runtime, plus a root .dockerignore. Verified by build: docker build succeeds and /aa-runtime is now a 9.3 MB executable file (not a directory); the container boots the runtime (panics only on missing AA_AGENT_ID, i.e. real app logic — no "is a directory").

Verdict: Ready to approve & merge. Closes AAASM-3527. This also unblocks the Docker smoke's Tier-B (sidecar-up) path.

@Chisanan232 Chisanan232 merged commit 77165e0 into master Jun 22, 2026
43 checks passed
@Chisanan232 Chisanan232 deleted the v0.0.1/AAASM-3527/fix/runtime_image_entrypoint branch June 22, 2026 00:36