Fix: remove login shell from CMD to prevent spurious /home/www/.vscode-server creation

Dockerfile

@@ -65,14 +65,24 @@ ENV BASE_CMD="${BASE_CMD}"
 ENTRYPOINT ["/usr/local/bin/deployment-entrypoint"]
 
 # Set CMD from base image (passed as build arg)
-# Use bash -lc so BASE_CMD is expanded at runtime and forwarded as a proper
-# argv command for deployment-entrypoint's final `exec "$@"`.
+# Use bash -c so BASE_CMD (an ENV variable) is expanded at runtime and forwarded
+# as a proper argv command for deployment-entrypoint's final `exec "$@"`.
+# Do NOT use -l (login shell) here: a login shell sources /etc/profile and user
+# profile scripts, which in the DevPanel base image initialize VS Code Server.
+# The base image exclusively uses $APP_ROOT/.vscode as the VS Code user data
+# directory. APP_ROOT is injected at runtime by DevPanel, so it is not available
+# when a login shell runs before APP_ROOT has been set (for example, at initial
+# container startup). Without APP_ROOT, VS Code Server falls back to its default
+# home-directory path (/home/www/.vscode-server), creating that directory in the
+# container's writable layer. Removing -l prevents profile scripts from running,
+# which prevents VS Code Server from initializing prematurely and creating the
+# unwanted /home/www/.vscode-server directory.
 # This covers:
 # 1) normal startup using the base-image Apache command,
 # 2) command strings that depend on env expansion,
 # 3) predictable behavior with exec-form ENTRYPOINT while still allowing
 #    runtime CMD overrides (e.g. `docker run ... <command>`).
-CMD ["/bin/bash", "-lc", "$BASE_CMD"]
+CMD ["/bin/bash", "-c", "$BASE_CMD"]
 
 LABEL org.opencontainers.image.source="https://github.com/drupalforge/deployment" \
       org.opencontainers.image.description="Drupal Forge deployment image with S3 database import and conditional file proxy support"

tests/docker-build-test.sh

@@ -90,6 +90,23 @@ test_version() {
             failed=1
         fi
 
+        # Verify .vscode-server directory is not present in the final image.
+        # The CMD must not use a login shell (-l). Login shells source /etc/profile
+        # and user profile scripts which initialize VS Code Server in the DevPanel
+        # base image. The base image exclusively uses $APP_ROOT/.vscode as the VS
+        # Code user data directory. APP_ROOT is injected at runtime by DevPanel and
+        # is not available during a premature login-shell initialization, so VS Code
+        # Server falls back to its default home-directory path (/home/www/.vscode-server).
+        # This check catches cases where the directory is written into the final image
+        # (e.g. via ONBUILD or a login-shell RUN instruction).
+        echo -e "${YELLOW}  Verifying .vscode-server is absent from the final image...${NC}"
+        if docker run --rm --entrypoint sh "$tag" -c 'test ! -d /home/www/.vscode-server'; then
+            echo -e "${GREEN}  ✓ /home/www/.vscode-server is absent from image (correct)${NC}"
+        else
+            echo -e "${RED}  ✗ /home/www/.vscode-server found in the final image (login shell must not be used during build)${NC}"
+            failed=1
+        fi
+
         # Test CMD execution: container runs with default CMD
         echo -e "${YELLOW}  Testing CMD execution...${NC}"
         docker rm -f "$run_container_name" >/dev/null 2>&1 || true
@@ -112,6 +129,22 @@ test_version() {
 
                 if [ "$apache_running" -eq 1 ]; then
                     echo -e "${GREEN}  ✓ Apache is running${NC}"
+
+                    # Verify that the CMD did not use a login shell (-l) to start.
+                    # Login shells source /etc/profile and user profile scripts in
+                    # the DevPanel base image, which initialize VS Code Server.
+                    # The base image exclusively uses $APP_ROOT/.vscode as the VS
+                    # Code user data directory. APP_ROOT is injected at runtime by
+                    # DevPanel and is not available during a premature login-shell
+                    # initialization, so VS Code Server falls back to its default
+                    # home-directory path and creates /home/www/.vscode-server.
+                    echo -e "${YELLOW}  Verifying .vscode-server absent at runtime...${NC}"
+                    if docker exec "$run_container_name" sh -c 'test ! -d /home/www/.vscode-server'; then
+                        echo -e "${GREEN}  ✓ /home/www/.vscode-server absent at runtime (CMD does not use login shell)${NC}"
+                    else
+                        echo -e "${RED}  ✗ /home/www/.vscode-server created at runtime (CMD must not use -l login shell flag)${NC}"
+                        failed=1
+                    fi
                 else
                     logs=$(docker logs "$run_container_name" 2>&1)
                     echo -e "${RED}  ✗ Apache is not running${NC}"