feat: implement remote evaluation infrastructure with Docker Compose

Add comprehensive containerized infrastructure for running Codebuff evaluations
in CI/CD environments with full isolation and reliability.

Author: brandonkachen

.github/workflows/remote-evals.yml

@@ -0,0 +1,135 @@
+name: Remote Evaluations
+
+on:
+  push:
+    branches: ['**']
+  workflow_dispatch:
+    inputs:
+      eval_file:
+        description: 'Eval file to run (e.g., eval-codebuff.json)'
+        required: false
+        default: 'eval-codebuff.json'
+        type: string
+      commit_index:
+        description: 'Commit index to evaluate (0-based)'
+        required: false
+        default: '0'
+        type: string
+      mode:
+        description: 'Auth mode (seed or bypass)'
+        required: false
+        default: 'bypass'
+        type: choice
+        options:
+          - 'bypass'
+          - 'seed'
+
+jobs:
+  remote-evals:
+    runs-on: ubuntu-latest
+    timeout-minutes: 60
+    
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Check commit message
+        id: check_commit
+        env:
+          COMMIT_MESSAGE: ${{ github.event.head_commit.message }}
+        run: |
+          shopt -s nocasematch
+          if [[ "$COMMIT_MESSAGE" == *"[remote-eval]"* ]] || [[ "${{ github.event_name }}" == "workflow_dispatch" ]]; then
+            echo "should_run_evals=true" >> $GITHUB_OUTPUT
+            echo "Will run remote evaluations"
+          else
+            echo "should_run_evals=false" >> $GITHUB_OUTPUT
+            echo "Skipping remote evaluations (add [remote-eval] to commit message to trigger)"
+          fi
+
+      - name: Set up Bun
+        if: steps.check_commit.outputs.should_run_evals == 'true'
+        uses: oven-sh/setup-bun@v2
+        with:
+          bun-version: '1.2.12'
+
+      - name: Install dependencies
+        if: steps.check_commit.outputs.should_run_evals == 'true'
+        run: bun install --frozen-lockfile
+
+      - name: Run remote evaluation
+        if: steps.check_commit.outputs.should_run_evals == 'true'
+        env:
+          EVAL_FILE: ${{ inputs.eval_file || 'eval-codebuff.json' }}
+          COMMIT_INDEX: ${{ inputs.commit_index || '0' }}
+          MODE: ${{ inputs.mode || 'bypass' }}
+        run: |
+          echo "🚀 Starting remote evaluation..."
+          bash evals/scripts/run-remote-parameterized.sh "$MODE" "$EVAL_FILE" "$COMMIT_INDEX"
+
+      - name: Upload evaluation logs
+        if: always() && steps.check_commit.outputs.should_run_evals == 'true'
+        uses: actions/upload-artifact@v4
+        with:
+          name: remote-eval-logs-${{ github.sha }}
+          path: |
+            evals/test-repos/
+            debug/
+          retention-days: 7
+
+      - name: Cleanup containers
+        if: always() && steps.check_commit.outputs.should_run_evals == 'true'
+        run: |
+          echo "🧹 Cleaning up Docker containers..."
+          docker compose -f evals/docker-compose.evals.yml down -v || true
+          docker system prune -f || true
+
+  # Optional: Matrix job to run multiple evaluations in parallel
+  remote-evals-matrix:
+    runs-on: ubuntu-latest
+    timeout-minutes: 90
+    if: contains(github.event.head_commit.message, '[remote-eval-all]') || (github.event_name == 'workflow_dispatch' && inputs.mode == 'matrix')
+    
+    strategy:
+      fail-fast: false
+      matrix:
+        eval:
+          - { file: 'eval-codebuff.json', index: '0' }
+          - { file: 'eval-codebuff.json', index: '1' }
+          - { file: 'eval-manifold.json', index: '0' }
+        
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Set up Bun
+        uses: oven-sh/setup-bun@v2
+        with:
+          bun-version: '1.2.12'
+
+      - name: Install dependencies
+        run: bun install --frozen-lockfile
+
+      - name: Run evaluation matrix
+        env:
+          EVAL_FILE: ${{ matrix.eval.file }}
+          COMMIT_INDEX: ${{ matrix.eval.index }}
+        run: |
+          echo "🚀 Running matrix evaluation..."
+          bash evals/scripts/run-remote-parameterized.sh "bypass" "$EVAL_FILE" "$COMMIT_INDEX"
+
+      - name: Upload matrix evaluation results
+        if: always()
+        uses: actions/upload-artifact@v4
+        with:
+          name: remote-eval-matrix-${{ matrix.eval.file }}-${{ matrix.eval.index }}-${{ github.sha }}
+          path: |
+            evals/test-repos/
+            debug/
+          retention-days: 7
+
+      - name: Cleanup containers
+        if: always()
+        run: |
+          docker compose -f evals/docker-compose.evals.yml down -v || true
+          docker system prune -f || true

backend/src/index.ts

@@ -19,6 +19,7 @@ import {
   sendRequestReconnect,
   waitForAllClientsDisconnected,
   listen as webSocketListen,
+  isWebSocketReady,
 } from './websockets/server'
 
 const app = express()
@@ -31,7 +32,11 @@ app.get('/', (req, res) => {
 })
 
 app.get('/healthz', (req, res) => {
-  res.send('ok')
+  if (isWebSocketReady()) {
+    res.send('ok')
+  } else {
+    res.status(503).send('starting')
+  }
 })
 
 app.post('/api/usage', usageHandler)

backend/src/websockets/auth.ts

@@ -11,6 +11,12 @@ export interface UserInfo {
 export async function getUserIdFromAuthToken(
   authToken: string,
 ): Promise<string | undefined> {
+  // Test-only auth bypass
+  const bypass = process.env.CODEBUFF_TEST_AUTH_TOKEN
+  if (process.env.NODE_ENV === 'test' && bypass && authToken === bypass) {
+    return 'test-user'
+  }
+
   const user = await db
     .select({ id: schema.user.id })
     .from(schema.user)
@@ -25,6 +31,12 @@ export async function getUserIdFromAuthToken(
 export async function getUserInfoFromAuthToken(
   authToken: string,
 ): Promise<UserInfo | undefined> {
+  // Test-only auth bypass
+  const bypass = process.env.CODEBUFF_TEST_AUTH_TOKEN
+  if (process.env.NODE_ENV === 'test' && bypass && authToken === bypass) {
+    return { id: 'test-user', email: 'evals@test.local', discord_id: null }
+  }
+
   const user = await db
     .select({
       id: schema.user.id,

backend/src/websockets/server.ts

@@ -18,6 +18,8 @@ export const SWITCHBOARD = new Switchboard()
 // if a connection doesn't ping for this long, we assume the other side is toast
 const CONNECTION_TIMEOUT_MS = 60 * 1000
 
+let wsReady = false
+
 export class MessageParseError extends Error {
   details?: unknown
   constructor(message: string, details?: unknown) {
@@ -87,6 +89,7 @@ export function listen(server: HttpServer, path: string) {
   let deadConnectionCleaner: NodeJS.Timeout | undefined
   wss.on('listening', () => {
     logger.info(`Web socket server listening on ${path}.`)
+    wsReady = true
     deadConnectionCleaner = setInterval(function ping() {
       const now = Date.now()
       try {
@@ -175,3 +178,7 @@ export function sendRequestReconnect() {
 export function waitForAllClientsDisconnected() {
   return SWITCHBOARD.waitForAllClientsDisconnected()
 }
+
+export function isWebSocketReady() {
+  return wsReady
+}

evals/README.md

@@ -0,0 +1,136 @@
+# Remote Evaluation Infrastructure
+
+This directory contains the infrastructure for running Codebuff evaluations in containerized environments (Docker Compose) for CI/CD and local testing.
+
+## Quick Start
+
+### Option 1: Using Drizzle Seed (Recommended)
+```bash
+bash evals/scripts/run-remote.sh seed
+```
+
+### Option 2: Using Test Auth Bypass (Faster)
+```bash
+bash evals/scripts/run-remote.sh bypass
+```
+
+## Prerequisites
+
+- Docker and Docker Compose
+- Bun runtime
+- Optional: `npm install -g codebuff` (or set `CODEBUFF_SKIP_BINARY_CHECK=1`)
+
+## Architecture
+
+- **evals/docker-compose.evals.yml**: Orchestrates PostgreSQL database and backend services
+- **evals/backend.Dockerfile**: Backend container definition
+- **evals/seeds/seed-evals.ts**: Drizzle-based database seeding for test users/sessions
+- **evals/scripts/run-remote.sh**: Main runner script with teardown
+- **evals/scripts/wait-for-healthz.sh**: Health check waiting utility
+
+## Key Features
+
+### SDK Enhancements
+- **Binary Check Skip**: Set `CODEBUFF_SKIP_BINARY_CHECK=1` to skip codebuff CLI requirement
+- **WebSocket URL Override**: Set `CODEBUFF_WEBSOCKET_URL=ws://127.0.0.1:4242/ws` to target ephemeral backend
+
+### Backend Enhancements
+- **Test Auth Bypass**: Set `CODEBUFF_TEST_AUTH_TOKEN` + `NODE_ENV=test` for quick auth
+- **WebSocket-Ready Health Check**: `/healthz` returns 503 until WebSocket server is accepting connections
+
+### Container Strategy
+- **Loopback Binding**: Backend bound to `127.0.0.1:4242` only (no public exposure)
+- **Optimized PostgreSQL**: Fast settings for CI (fsync=off, etc.)
+- **Build Context**: Uses repo root with Dockerfile in evals/ for clean separation
+
+## Environment Variables
+
+- `CODEBUFF_WEBSOCKET_URL`: Override WebSocket URL (e.g., `ws://127.0.0.1:4242/ws`)
+- `CODEBUFF_SKIP_BINARY_CHECK=1`: Skip SDK binary presence check
+- `CODEBUFF_TEST_AUTH_TOKEN`: Enable test-only auth bypass (when NODE_ENV=test)
+- `CODEBUFF_API_KEY`: API key for SDK authentication (set by scripts)
+
+## GitHub Actions Integration
+
+### Automatic Trigger
+Add `[remote-eval]` to your commit message to trigger remote evaluations:
+```bash
+git commit -m "fix: terminal CWD handling [remote-eval]"
+```
+
+### Manual Trigger
+Go to Actions → Remote Evaluations → Run workflow:
+- **Eval file**: `eval-codebuff.json` (default)
+- **Commit index**: `0` (default) 
+- **Mode**: `bypass` or `seed`
+
+### Matrix Evaluations
+Add `[remote-eval-all]` to run multiple evaluations in parallel:
+```bash
+git commit -m "major: refactor terminal logic [remote-eval-all]"
+```
+
+### Workflow Files
+- `.github/workflows/remote-evals.yml` - Main remote evaluation workflow
+- Uses our containerized infrastructure with Docker Compose
+- Uploads artifacts and logs automatically
+- Handles cleanup and error reporting
+
+### Usage in CI
+
+```yaml
+# Single evaluation
+- name: Run remote eval (bypass mode)
+  run: bash evals/scripts/run-remote-parameterized.sh bypass eval-codebuff.json 0
+
+# With database seeding  
+- name: Run remote eval (seed mode)
+  run: bash evals/scripts/run-remote-parameterized.sh seed eval-manifold.json 1
+```
+
+## Manual Usage
+
+1. Start services:
+   ```bash
+   docker compose -f evals/docker-compose.evals.yml up -d --build db backend
+   ```
+
+2. Wait for readiness:
+   ```bash
+   evals/scripts/wait-for-healthz.sh http://127.0.0.1:4242/healthz 90
+   ```
+
+3. Seed database and capture API key:
+   ```bash
+   KEY_LINE=$(docker compose -f evals/docker-compose.evals.yml run --rm seeder | tail -n1)
+   export CODEBUFF_API_KEY="${KEY_LINE#CODEBUFF_API_KEY=}"
+   ```
+
+4. Run evaluation:
+   ```bash
+   export CODEBUFF_WEBSOCKET_URL=ws://127.0.0.1:4242/ws
+   export CODEBUFF_SKIP_BINARY_CHECK=1
+   bun scripts/git-evals/run-single-eval.ts --prompt "Your test prompt"
+   ```
+
+5. Cleanup:
+   ```bash
+   docker compose -f evals/docker-compose.evals.yml down -v
+   ```
+
+## Troubleshooting
+
+- **Connection Issues**: Check that `CODEBUFF_WEBSOCKET_URL=ws://127.0.0.1:4242/ws` is set
+- **Auth Failures**: Verify `CODEBUFF_API_KEY` is properly captured from seeder output
+- **Backend Not Ready**: Ensure `/healthz` returns 200 before proceeding
+- **Port Conflicts**: Backend binds to `127.0.0.1:4242` - ensure port is available
+
+## Implementation Details
+
+Based on the remote-eval-infra-plan.md specification:
+- Monorepo + Bun compatible
+- Docker-agnostic backend (Dockerfile lives in evals/)
+- Idempotent Drizzle seeding with deterministic IDs
+- WS readiness validation in health checks
+- Test-only auth bypass for fast smoke tests
+- Comprehensive error logging and cleanup

evals/backend.Dockerfile

@@ -0,0 +1,6 @@
+FROM oven/bun:1.1.34 as base
+WORKDIR /app
+COPY . .
+RUN bun install --frozen-lockfile
+EXPOSE 4242
+CMD ["bun", "--cwd", "backend", "dev"]