Add Nimbalyst stack, chatmock-shim docs, and OpenHands BYOK config

[devin-ai-integration]

Summary

Captures three session artifacts as first-class entries in this infra repo so they survive outside chat/VPS-local files:

• stacks/nimbalyst/ — Dockerfile + docker-compose for the web-desktop Cursor-Cloud-Agents replacement at https://nimbalyst.garzaos.cloud. linuxserver/webtop base + Codex CLI + Claude Code CLI baked in, with OPENAI_BASE_URL hoisted to /etc/profile.d and Codex config.toml seeded via /custom-cont-init.d. All 5 end-to-end assertions passed (see TEST-REPORT.md).
• services/chatmock-shim/ — documentation of the two custom patches applied on top of upstream chatmock:
  1. model_registry.py — aliases chatgpt-4o / gpt-4o / chatgpt onto the upstream gpt-5.4, so LiteLLM-based callers can pick a slug that routes to /v1/chat/completions (not the reasoning-only /v1/responses).
  2. responses_api.py — strips temperature/top_p/etc. before forwarding to upstream ChatGPT, which rejects those params on gpt-5* models.
• services/openhands-byok/ — BYOK + MCP config for OpenHands Cloud pointed at the chatmock shim. Documents the openai/chatgpt-4o slug choice (not openai/gpt-5.4 — that loops on empty output) and the three MCP tools added: E2B (STDIO), Firecrawl (SHTTP), Tavily (SHTTP). All 4 LLM-path assertions passed.

All secrets were scrubbed — API keys and basic-auth passwords were replaced with ${VAR} placeholders in every file before commit (grep -rE clean for sk-garza-* / fc-* / tvly-* / e2b_* / raw passwords).

Review & Testing Checklist for Human

• Spot-check stacks/nimbalyst/Dockerfile and docker-compose.yml — confirm ${CUSTOM_LLM_API_KEY} / ${NIMBALYST_BASIC_AUTH_PASSWORD} are the only remaining placeholders. Do NOT rebuild the image from this committed Dockerfile as-is — inject real values via environment at build/run time on the VPS.
• Confirm services/chatmock-shim/README.md matches the actual patches currently running on VPS 1589219 at /opt/chatgpt-proxies/chatmock/ (lines 44-47 of model_registry.py, lines 91-95 of responses_api.py).
• Sanity check the MCP config table in services/openhands-byok/README.md vs. what's live at https://app.all-hands.dev/settings/mcp.

Notes

• The three MCP tool configurations have been applied to OpenHands Cloud but the end-to-end "agent actually calls the tool" verification is not yet in TEST-REPORT.md — only the LLM path (PONG round-trip) is documented there. A follow-up conversation exercising each of E2B / Firecrawl / Tavily is still pending.
• services/chatmock-shim/INSTALL-PLAN.md is the original provisioning walkthrough; it's descriptive (no secrets) but does reference the separate shim VPS IP via ${SHIM_VPS_IP}.
• No pre-commit config in this repo, so no hooks were run.

Link to Devin session: https://app.devin.ai/sessions/68ec8727b8b84f5296095f7bf0155627
Requested by: @itsablabla

---

[devin-ai-integration]

🤖 Devin AI Engineer

I'll be helping with this pull request! Here's what you should know:

✅ I will automatically:

• Address comments on this PR. Add '(aside)' to your comment to have me ignore it.
• Look at CI failures and help fix them

Note: I can only respond to comments from users who have write access to this repository.

⚙️ Control Options:

• Disable automatic comment and CI monitoring

[kilo-code-bot]

CRITICAL: Shell expansion happens at build time, not runtime — ${CUSTOM_LLM_API_KEY} will expand to an empty string (no ARG or ENV declares it at this stage), so /etc/profile.d/garza-llm.sh will contain export OPENAI_API_KEY= literally.

When a login shell sources this file it overwrites whatever the container runtime injected via the environment: block in docker-compose.yml, effectively clearing the API key for every terminal session.

Fix: use single quotes or a heredoc with a quoted delimiter so the variable reference is preserved verbatim:

RUN printf '%s\n' \
      'export OPENAI_BASE_URL=https://llm.garzaos.cloud/v1' \
      'export OPENAI_API_BASE=https://llm.garzaos.cloud/v1' \
      'export OPENAI_API_KEY=$CUSTOM_LLM_API_KEY' \
      > /etc/profile.d/garza-llm.sh && chmod 0644 /etc/profile.d/garza-llm.sh

(Single-quoted strings passed to printf '%s\n' are already literal — the ${...} form inside a double-quoted outer shell context is what causes the premature expansion here. The entire printf command is double-quoted by the surrounding RUN shell, so ${CUSTOM_LLM_API_KEY} is subject to build-time expansion. Stripping the braces to $CUSTOM_LLM_API_KEY within single quotes prevents that.)

[kilo-code-bot]

CRITICAL: Same build-time shell expansion issue as line 51. ${OPENAI_API_KEY:0:15} is expanded by the RUN shell at image-build time (where OPENAI_API_KEY is unset), so gtest will always print OPENAI_API_KEY=... (empty prefix) regardless of what key is injected at runtime.

Fix — preserve the variable reference as a literal string by escaping the $:

      'echo OPENAI_API_KEY=${OPENAI_API_KEY:0:15}...' \

should be:

      'echo OPENAI_API_KEY=\${OPENAI_API_KEY:0:15}...' \

or use a COPY-based script file instead of inline printf to avoid the quoting complexity entirely.

[kilo-code-bot]

WARNING: sandbox_mode = "danger-full-access" is baked into the default config.toml that gets seeded for every new user. Combined with approval_policy = "never" on the same file (line 63), Codex will silently execute any shell command with no sandboxing and no human confirmation prompt.

Anyone who can reach the web-desktop at https://nimbalyst.garzaos.cloud (basic-auth is the only gate) can issue a single Codex task that exfiltrates /config — including auth.json — or destroys the volume. Consider using approval_policy = "unless-allow-listed" and sandbox_mode = "workspace-write" as safer defaults, or at minimum document the risk prominently.

[kilo-code-bot]

WARNING: seccomp:unconfined disables all syscall filtering for this container, significantly expanding the kernel attack surface. The AppImage extraction is done at build time (--appimage-extract in the RUN step), so FUSE is not needed at runtime. Consider removing seccomp:unconfined or replacing it with a targeted seccomp profile that only allows the specific syscalls the Electron/KasmVNC stack actually requires.

[kilo-code-bot]

WARNING: The Nimbalyst AppImage is fetched from a latest download URL with no version pin and no checksum verification. A breaking upstream release or a supply-chain compromise would be silently picked up on every image rebuild.

Consider pinning to a specific release tag (e.g. .../releases/download/v1.2.3/Nimbalyst-Linux.AppImage) and adding a SHA-256 verification step:

    && echo "<expected-sha256>  Nimbalyst.AppImage" | sha256sum -c -

[kilo-code-bot]

Code Review Summary

Status: 5 Issues Found | Recommendation: Address before merge

Overview

Severity	Count
CRITICAL	2
WARNING	3
SUGGESTION	0

Issue Details (click to expand)

CRITICAL

File	Line	Issue
stacks/nimbalyst/Dockerfile	51	${CUSTOM_LLM_API_KEY} expands to empty at build time — profile.d script writes export OPENAI_API_KEY= (blank), breaking API key for all login shells
stacks/nimbalyst/Dockerfile	84	${OPENAI_API_KEY:0:15} in gtest expands to empty at build time — diagnostic output always shows blank key regardless of runtime injection

WARNING

File	Line	Issue
stacks/nimbalyst/Dockerfile	64	sandbox_mode = "danger-full-access" + approval_policy = "never" baked into default config — anyone reaching the web-desktop can run arbitrary unrestricted commands via Codex
stacks/nimbalyst/docker-compose.yml	11	seccomp:unconfined disables all syscall filtering; AppImage extraction is done at build time so FUSE is not needed at runtime — this can likely be removed
stacks/nimbalyst/Dockerfile	18	AppImage fetched from latest URL with no version pin or SHA-256 verification — supply-chain changes picked up silently on rebuild

Other Observations (not in diff)

File	Note
services/openhands-byok/TEST-REPORT.md	Screenshot referenced as /home/ubuntu/openhands-pong-success.png — absolute local path; image will not render on GitHub
stacks/nimbalyst/TEST-REPORT.md	Same issue: screenshot path /home/ubuntu/nimbalyst-pong-proof.png is a local filesystem path, not a URL or repo-relative path
services/chatmock-shim/INSTALL-PLAN.md	§0 explicitly warns that running these tokens on a public VPS is against openai-oauth's policy. The committed README for chatmock-shim confirms the service is publicly exposed behind Traefik. This is a deliberate owner decision but worth a conscious sign-off.

Files Reviewed (8 files)

• stacks/nimbalyst/Dockerfile — 2 critical, 2 warnings
• stacks/nimbalyst/docker-compose.yml — 1 warning
• stacks/nimbalyst/README.md — no issues
• stacks/nimbalyst/TEST-PLAN.md — no issues
• stacks/nimbalyst/TEST-REPORT.md — 1 observation (broken screenshot path)
• services/chatmock-shim/README.md — no issues
• services/chatmock-shim/INSTALL-PLAN.md — 1 observation (policy note)
• services/openhands-byok/README.md — no issues
• services/openhands-byok/TEST-PLAN.md — no issues
• services/openhands-byok/TEST-REPORT.md — 1 observation (broken screenshot path)

Fix these issues in Kilo Cloud

---

_{Reviewed by claude-4.6-sonnet-20260217 · 377,211 tokens}

[devin-ai-integration]

Devin Review found 1 potential issue.

View 5 additional findings in Devin Review.

[devin-ai-integration]

🔴 Profile script overwrites OPENAI_API_KEY with empty string because CUSTOM_LLM_API_KEY is not a container env var

The baked-in profile script /etc/profile.d/garza-llm.sh (line 50) contains export OPENAI_API_KEY=${CUSTOM_LLM_API_KEY}. Because the printf argument is single-quoted, the literal ${CUSTOM_LLM_API_KEY} is written into the file. At runtime, docker-compose.yml:19 correctly sets OPENAI_API_KEY from the host's CUSTOM_LLM_API_KEY, but only OPENAI_API_KEY exists as a container environment variable — CUSTOM_LLM_API_KEY itself is never injected into the container. When any login shell (or non-login shell via stacks/nimbalyst/Dockerfile:54-55 bashrc hook) sources this profile script, ${CUSTOM_LLM_API_KEY} expands to empty, overwriting the correct OPENAI_API_KEY with an empty string. This breaks Codex CLI and every tool that reads OPENAI_API_KEY in interactive shells. The gtest helper (stacks/nimbalyst/Dockerfile:78) also explicitly sources this file, so it would clobber the key too.

Prompt for agents

The profile script at /etc/profile.d/garza-llm.sh references CUSTOM_LLM_API_KEY, but docker-compose.yml only injects OPENAI_API_KEY into the container (mapping the host CUSTOM_LLM_API_KEY to it). When the profile script is sourced in a shell session, CUSTOM_LLM_API_KEY is undefined, so OPENAI_API_KEY gets set to empty.

Two possible fixes:

1. In stacks/nimbalyst/docker-compose.yml, also pass CUSTOM_LLM_API_KEY through as a container env var so the profile script can resolve it:
   environment:
     CUSTOM_LLM_API_KEY: "${CUSTOM_LLM_API_KEY}"

2. In stacks/nimbalyst/Dockerfile line 50, change the profile script to reference the variable that Docker actually sets:
   'export OPENAI_API_KEY="${OPENAI_API_KEY}"'
   This preserves the Docker-injected value when re-exporting in login shells. It is a no-op if the variable is already set, but at least it will not clobber it with empty.

Option 1 is probably safer because it ensures the original secret name is available inside the container for any script that references it.

---

Was this helpful? React with 👍 or 👎 to provide feedback.

[capy-ai]

Added 1 comment

[capy-ai]

[🟠 High] [🔵 Bug]

/etc/profile.d/garza-llm.sh is written with a literal CUSTOM_LLM_API_KEY placeholder, but the container is only given OPENAI_API_KEY at runtime. When a login shell or gtest sources that script, shell expansion resolves the missing CUSTOM_LLM_API_KEY to empty and clobbers the working key, so the stack's primary codex exec path loses authentication. Use the already-injected OPENAI_API_KEY when generating the profile script, or create the script during container init from the runtime env instead of reassigning from an undefined variable.

# stacks/nimbalyst/Dockerfile
'export OPENAI_API_KEY=${CUSTOM_LLM_API_KEY}' \
# stacks/nimbalyst/docker-compose.yml
OPENAI_API_KEY: "${CUSTOM_LLM_API_KEY}"