feat: add custom runner image support to ProjectSettings #1584

Draft
quay-devel wants to merge 2 commits into ambient-code:main from quay-devel:feat/custom-runner-image

@quay-devel
Contributor

Summary

  • Add runner_image and runner_image_pull_secret fields to ProjectSettings across the full stack: proto/gRPC, API server (model, migration, handler with input validation, presenters), CRD schema, operator, control-plane reconciler, Go/Python/TypeScript SDKs, and frontend settings UI
  • Image selection follows strict precedence: ProjectSettings > agent registry > operator default
  • Security controls: registry allowlist via RUNNER_IMAGE_ALLOWED_REGISTRIES, pull secret type validation (kubernetes.io/dockerconfigjson), feature flag gating (feature.custom-runner-image.enabled)
  • Frontend uses port/adapter pattern with ProjectSettingsPort / ProjectSettingsAdapter, gated by workspace-scoped Unleash flag
  • New imageref package with 22 table-driven unit tests (both operator and control-plane modules)
  • Runner conformance test suite (run-conformance.sh) validating non-root execution, filesystem paths, health endpoints, env var isolation, OCI labels, and SUID checks
  • CI pipeline updated with runner contract version label

Test plan

  • All 3 Go modules pass go vet ./... (operator, control-plane, ambient-api-server)
  • Frontend passes tsc --noEmit with zero errors
  • 22 imageref unit tests pass in both Go modules
  • 5 ProjectSettings adapter unit tests pass
  • 3 amber review cycles completed — zero blockers, zero criticals remaining
  • E2E: verify custom runner image settings persist and display in UI
  • E2E: verify image override takes effect when creating a session
  • E2E: verify registry allowlist rejects disallowed registries

🤖 Generated with Claude Code
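
An added example, not code from this PR or its imageref package, of the precedence and registry allowlist check described in the summary above. It assumes RUNNER_IMAGE_ALLOWED_REGISTRIES is a comma-separated list of registry hosts and that only the ProjectSettings override is checked; the function names and the image references are hypothetical, constructed for illustration.

```go
package main

import (
	"fmt"
	"strings"
)

// registryOf extracts the registry host from an image reference, or "" when
// the reference is malformed. Following the Docker convention, a first
// component without '.' or ':' (and not "localhost") is a Docker Hub namespace.
func registryOf(ref string) string {
	if ref == "" || strings.Contains(ref, "://") || strings.ContainsAny(ref, " \t\r\n") {
		return ""
	}
	first, _, hasPath := strings.Cut(ref, "/")
	if !hasPath || (!strings.ContainsAny(first, ".:") && first != "localhost") {
		return "docker.io"
	}
	return strings.ToLower(first)
}

// registryAllowed compares hosts exactly: a prefix or substring match would
// accept a lookalike host such as quay.io.example.test for the entry quay.io.
func registryAllowed(ref, allowlist string) bool {
	host := registryOf(ref)
	for _, entry := range strings.Split(allowlist, ",") {
		if e := strings.ToLower(strings.TrimSpace(entry)); host != "" && e == host {
			return true
		}
	}
	return false // assumption: an empty allowlist permits no custom image
}

// resolveImage applies ProjectSettings > agent registry > operator default.
// Assumption: only the project override is user-controlled and checked, and a
// rejected override is an error rather than a silent fallback.
func resolveImage(project, agent, operatorDefault, allowlist string) (string, error) {
	if project != "" {
		if !registryAllowed(project, allowlist) {
			return "", fmt.Errorf("registry of %q is not allowed", project)
		}
		return project, nil
	}
	if agent != "" {
		return agent, nil
	}
	return operatorDefault, nil
}

func main() { fmt.Println(resolveImage("quay.io/acme/runner:v1", "", "default:1", "quay.io")) }
```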

@netlify

netlify Bot commented May 14, 2026

Deploy Preview for cheerful-kitten-f556a0 canceled.

Name Link
🔨 Latest commit b2d13b8
🔍 Latest deploy log https://app.netlify.com/projects/cheerful-kitten-f556a0/deploys/6a05ea2e7b94160008501b92

@quay-devel quay-devel marked this pull request as draft May 14, 2026 09:34
Allow workspace admins to configure a custom runner container image
per project, with registry allowlist validation, pull secret support,
and feature flag gating across all layers.

Image selection precedence: ProjectSettings > agent registry > operator
default. Includes API input validation, gRPC presenter fields, frontend
settings UI with port/adapter pattern, conformance test suite, and
comprehensive imageref unit tests.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@quay-devel quay-devel force-pushed the feat/custom-runner-image branch from 66eb3c3 to cb76a49 Compare May 14, 2026 09:35
@coderabbitai
Contributor

coderabbitai Bot commented May 14, 2026

Important

Review skipped

Draft detected.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 5195c9a5-c37f-4635-bbac-3ab7c4ac2bc1

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

@coderabbitai
Contributor

coderabbitai Bot commented May 14, 2026

CodeRabbit chat interactions are restricted to organization members for this repository. Ask an organization member to interact with CodeRabbit, or set chat.allow_non_org_members: true in your configuration.

- Detect docker/podman at script start via $RUNTIME variable
- Change RUNNER_TYPE from claude-code to claude-agent-sdk
- Check AG-UI / endpoint by HTTP status code (405 is valid)
- Make SUID/SGID check advisory (SecurityContext prevents escalation)
- Fix find pipeline under pipefail with -xdev, timeout, tr
- Add /workspace and /home/user directories to runner Dockerfile
- Fix TSL search query syntax for project_settings lookup

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>