Improve CLI docs: detail registries, sources, and new devbox verify/apply commands. Add apply to configure registries/sources and reconcile packages from lockfile. Add verify to ensure box matches lockfile. Update lockfile to include registries/sources. Update Docker client for verification/application.

Author: itzCozi

docs/src/content/docs/docs/cli.md

@@ -286,7 +286,11 @@ devbox lock <project> [-o, --output <path>]
   - Installed package snapshots:
     - apt: manually installed packages pinned as `name=version`
     - pip: `pip freeze` output
-    - npm/yarn/pnpm: globally installed packages as `name@version`
+    - npm/yarn/pnpm: globally installed packages as `name@version` (Yarn global versions are detected from Yarn's global dir)
+  - Registries and sources for reproducibility:
+    - pip: `index-url` and `extra-index-url`
+    - npm/yarn/pnpm: global registry URLs
+    - apt: `sources.list` lines, snapshot base URL if present, and OS release codename
 - If `devbox.json` exists in the workspace, includes its `setup_commands` for context.
 
 This snapshot is meant for sharing and audit. It does not currently drive `devbox up` automatically; continue to use `devbox.json` plus the simple `devbox.lock` command list for replay. A future `devbox restore` may apply `devbox.lock.json` directly.
@@ -328,15 +332,82 @@ devbox lock myproject -o ./env/devbox.lock.json
     "apt": ["git=1:2.34.1-..."],
     "pip": ["requests==2.32.3"],
     "npm": ["typescript@5.6.2"],
-    "yarn": [],
+    "yarn": ["eslint@9.1.0"],
     "pnpm": []
   },
+  "registries": {
+    "pip_index_url": "https://pypi.org/simple",
+    "pip_extra_index_urls": ["https://mirror.example/simple"],
+    "npm_registry": "https://registry.npmjs.org/",
+    "yarn_registry": "https://registry.yarnpkg.com",
+    "pnpm_registry": "https://registry.npmjs.org/"
+  },
+  "apt_sources": {
+    "snapshot_url": "https://snapshot.debian.org/archive/debian/20240915T000000Z/",
+    "sources_lists": [
+      "deb https://snapshot.debian.org/archive/debian/20240915T000000Z/ bullseye main"
+    ],
+    "pinned_release": "jammy"
+  },
   "setup_commands": [
     "apt install -y python3 python3-pip"
   ]
 }
 ```
 
+---
+
+### `devbox verify`
+
+Validate that the running box matches the `devbox.lock.json` exactly. Fails fast on any drift.
+
+**Syntax:**
+```bash
+devbox verify <project>
+```
+
+**Checks:**
+- Package sets: apt, pip, npm, yarn, pnpm (exact set match)
+- Registries: pip index/extra-index, npm/yarn/pnpm registry URLs
+- Apt sources: sources.list lines, snapshot base URL (if present), OS release codename
+
+Returns non-zero on any mismatch and prints a concise drift report.
+
+**Example:**
+```bash
+devbox verify myproject
+```
+
+---
+
+### `devbox apply`
+
+Apply the `devbox.lock.json` to the running box: configure registries and apt sources, then reconcile package sets to match the lock.
+
+**Syntax:**
+```bash
+devbox apply <project>
+```
+
+**Behavior:**
+- Registries:
+  - Writes `/etc/pip.conf` with `index-url`/`extra-index-url` from lock
+  - Runs `npm/yarn/pnpm` config to set global registry URLs
+- Apt sources:
+  - Backs up and rewrites `/etc/apt/sources.list`, clears `/etc/apt/sources.list.d/*.list`
+  - Optionally sets a default release hint, then `apt update`
+- Reconciliation:
+  - APT: install exact versions from lock, remove extras, autoremove
+  - Pip: install missing exact versions, uninstall extras
+  - npm/yarn/pnpm (global): add missing exact versions, remove extras
+
+Exits non-zero if application fails at any step.
+
+**Example:**
+```bash
+devbox apply myproject
+```
+
 ## Configuration Commands
 
 ---

docs/src/content/docs/docs/configuration.md

@@ -120,12 +120,18 @@ This writes a JSON snapshot (by default to `<workspace>/devbox.lock.json`) that
 - Installed packages:
   - apt: manually installed packages pinned as `name=version`
   - pip: `pip freeze`
-  - npm/yarn/pnpm: globally installed packages `name@version`
+  - npm/yarn/pnpm: globally installed packages `name@version` (Yarn global versions are read from Yarn's global directory)
+- Registries and sources for reproducibility:
+  - pip: `index-url` and `extra-index-url`
+  - npm/yarn/pnpm: global registry URLs
+  - apt: full `sources.list` lines, snapshot base URL if present, and OS release codename
 - Any `setup_commands` from your `devbox.json` (for context)
 
 Usage notes:
 - Commit `devbox.lock.json` to your repository to share environment details with teammates.
-- This file is an authoritative snapshot for auditing/sharing. The current execution path for rebuilds remains `devbox.json` + the simple `devbox.lock` replay file. A future `devbox restore` may apply `devbox.lock.json` directly.
+- This file is an authoritative snapshot for auditing/sharing. The current execution path for rebuilds remains `devbox.json` + the simple `devbox.lock` replay file. You can now also use:
+  - `devbox verify <project>` to validate a box matches the lock (fails fast on drift)
+  - `devbox apply <project>` to configure registries/sources and reconcile package sets to the lock
 - Local app dependencies (e.g. non-global Node packages in your repo) are intentionally not included; rely on your project’s own lockfiles (package-lock.json, yarn.lock, pnpm-lock.yaml, requirements.txt/poetry.lock, etc.).
 
 ## Initialize with Configuration

internal/commands/apply.go

@@ -0,0 +1,254 @@
+package commands
+
+import (
+	"encoding/json"
+	"fmt"
+	"os"
+	"path/filepath"
+	"strings"
+
+	"github.com/spf13/cobra"
+)
+
+type applyLockFile struct {
+	Version    int            `json:"version"`
+	Project    string         `json:"project"`
+	BoxName    string         `json:"box_name"`
+	Packages   lockPackages   `json:"packages"`
+	Registries lockRegistries `json:"registries"`
+	AptSources lockAptSources `json:"apt_sources"`
+}
+
+var applyCmd = &cobra.Command{
+	Use:   "apply <project>",
+	Short: "Apply devbox.lock.json: set registries and apt sources, then reconcile packages",
+	Args:  cobra.ExactArgs(1),
+	RunE: func(cmd *cobra.Command, args []string) error {
+		projectName := args[0]
+
+		cfg, err := configManager.Load()
+		if err != nil {
+			return fmt.Errorf("failed to load config: %w", err)
+		}
+		proj, ok := cfg.GetProject(projectName)
+		if !ok {
+			return fmt.Errorf("project '%s' not found", projectName)
+		}
+
+		lockPath := filepath.Join(proj.WorkspacePath, "devbox.lock.json")
+		data, err := os.ReadFile(lockPath)
+		if err != nil {
+			return fmt.Errorf("failed to read %s: %w", lockPath, err)
+		}
+
+		var lf applyLockFile
+		if err := json.Unmarshal(data, &lf); err != nil {
+			return fmt.Errorf("invalid lockfile: %w", err)
+		}
+
+		exists, err := dockerClient.BoxExists(proj.BoxName)
+		if err != nil {
+			return err
+		}
+		if !exists {
+			return fmt.Errorf("box '%s' not found; run 'devbox up %s' first", proj.BoxName, projectName)
+		}
+		status, err := dockerClient.GetBoxStatus(proj.BoxName)
+		if err != nil {
+			return err
+		}
+		if status != "running" {
+			if err := dockerClient.StartBox(proj.BoxName); err != nil {
+				return fmt.Errorf("failed to start box: %w", err)
+			}
+		}
+
+		var applyCmds []string
+
+		if len(lf.AptSources.SourcesLists) > 0 {
+
+			heredoc := "cat > /etc/apt/sources.list <<'EOF'\n" + strings.Join(lf.AptSources.SourcesLists, "\n") + "\nEOF"
+			applyCmds = append(applyCmds,
+				"cp /etc/apt/sources.list /etc/apt/sources.list.bak 2>/dev/null || true",
+				"rm -f /etc/apt/sources.list.d/*.list 2>/dev/null || true",
+				heredoc,
+			)
+		}
+		if lf.AptSources.PinnedRelease != "" {
+			applyCmds = append(applyCmds, fmt.Sprintf("bash -lc 'echo APT::Default-Release \"%s\"; > /etc/apt/apt.conf.d/99defaultrelease'", escapeBash(lf.AptSources.PinnedRelease)))
+		}
+		if len(lf.AptSources.SourcesLists) > 0 {
+			applyCmds = append(applyCmds, "apt update -y")
+		}
+
+		if lf.Registries.PipIndexURL != "" || len(lf.Registries.PipExtraIndex) > 0 {
+			var b strings.Builder
+			b.WriteString("cat > /etc/pip.conf <<'EOF'\n[global]\n")
+			if lf.Registries.PipIndexURL != "" {
+				b.WriteString("index-url = ")
+				b.WriteString(lf.Registries.PipIndexURL)
+				b.WriteString("\n")
+			}
+			for _, u := range lf.Registries.PipExtraIndex {
+				if strings.TrimSpace(u) == "" {
+					continue
+				}
+				b.WriteString("extra-index-url = ")
+				b.WriteString(u)
+				b.WriteString("\n")
+			}
+			b.WriteString("EOF")
+			applyCmds = append(applyCmds, b.String())
+		}
+
+		if lf.Registries.NpmRegistry != "" {
+			applyCmds = append(applyCmds, fmt.Sprintf("npm config set registry %s -g", lf.Registries.NpmRegistry))
+		}
+		if lf.Registries.YarnRegistry != "" {
+			applyCmds = append(applyCmds, fmt.Sprintf("yarn config set npmRegistryServer %s -g", lf.Registries.YarnRegistry))
+		}
+		if lf.Registries.PnpmRegistry != "" {
+			applyCmds = append(applyCmds, fmt.Sprintf("pnpm config set registry %s -g", lf.Registries.PnpmRegistry))
+		}
+
+		if err := dockerClient.ExecuteSetupCommandsWithOutput(proj.BoxName, applyCmds, false); err != nil {
+			return fmt.Errorf("failed applying registries/sources: %w", err)
+		}
+
+		curApt, curPip, curNpm, curYarn, curPnpm := dockerClient.QueryPackagesParallel(proj.BoxName)
+
+		actions := buildReconcileActions(lf.Packages, curApt, curPip, curNpm, curYarn, curPnpm)
+		if len(actions) > 0 {
+			if err := dockerClient.ExecuteSetupCommandsWithOutput(proj.BoxName, actions, true); err != nil {
+				return fmt.Errorf("failed to reconcile packages: %w", err)
+			}
+		}
+
+		fmt.Println("✅ Applied lockfile: registries/sources configured and packages reconciled")
+		return nil
+	},
+}
+
+func escapeBash(s string) string {
+	return strings.ReplaceAll(s, "'", "'\\''")
+}
+
+func parseMap(list []string, sep string) map[string]string {
+	m := map[string]string{}
+	for _, line := range list {
+		s := strings.TrimSpace(line)
+		if s == "" {
+			continue
+		}
+		if sep == "==" {
+			if i := strings.Index(s, "=="); i != -1 {
+				name := strings.ToLower(strings.TrimSpace(s[:i]))
+				ver := strings.TrimSpace(s[i+2:])
+				m[name] = ver
+			}
+			continue
+		}
+		if sep == "@" {
+
+			idx := strings.LastIndex(s, "@")
+			if idx > 0 {
+				name := strings.ToLower(strings.TrimSpace(s[:idx]))
+				ver := strings.TrimSpace(s[idx+1:])
+				m[name] = ver
+			}
+			continue
+		}
+		if sep == "=" {
+			if i := strings.Index(s, "="); i != -1 {
+				name := strings.ToLower(strings.TrimSpace(s[:i]))
+				ver := strings.TrimSpace(s[i+1:])
+				m[name] = ver
+			}
+		}
+	}
+	return m
+}
+
+func keysNotIn(a, b map[string]string) []string {
+	var out []string
+	for k := range a {
+		if _, ok := b[k]; !ok {
+			out = append(out, k)
+		}
+	}
+	return out
+}
+
+func buildReconcileActions(lockPkgs lockPackages, curApt, curPip, curNpm, curYarn, curPnpm []string) []string {
+	var cmds []string
+
+	lockA := parseMap(lockPkgs.Apt, "=")
+	curA := parseMap(curApt, "=")
+	lockP := parseMap(lockPkgs.Pip, "==")
+	curP := parseMap(curPip, "==")
+	lockN := parseMap(lockPkgs.Npm, "@")
+	curN := parseMap(curNpm, "@")
+	lockY := parseMap(lockPkgs.Yarn, "@")
+	curY := parseMap(curYarn, "@")
+	lockQ := parseMap(lockPkgs.Pnpm, "@")
+	curQ := parseMap(curPnpm, "@")
+
+	var aptInstall []string
+	for name, ver := range lockA {
+		if curVer, ok := curA[name]; !ok || curVer != ver {
+			aptInstall = append(aptInstall, fmt.Sprintf("%s=%s", name, ver))
+		}
+	}
+	if len(aptInstall) > 0 {
+		cmds = append(cmds, "apt update -y", "DEBIAN_FRONTEND=noninteractive apt-get install -y "+strings.Join(aptInstall, " "))
+	}
+
+	for _, extra := range keysNotIn(curA, lockA) {
+		cmds = append(cmds, fmt.Sprintf("apt-get remove -y %s", extra))
+	}
+	if len(keysNotIn(curA, lockA)) > 0 {
+		cmds = append(cmds, "apt-get autoremove -y")
+	}
+
+	for name, ver := range lockP {
+		if curVer, ok := curP[name]; !ok || curVer != ver {
+			cmds = append(cmds, fmt.Sprintf("python3 -m pip install %s==%s", name, ver))
+		}
+	}
+	for _, extra := range keysNotIn(curP, lockP) {
+		cmds = append(cmds, fmt.Sprintf("python3 -m pip uninstall -y %s", extra))
+	}
+
+	for name, ver := range lockN {
+		if curVer, ok := curN[name]; !ok || curVer != ver {
+			cmds = append(cmds, fmt.Sprintf("npm i -g %s@%s", name, ver))
+		}
+	}
+	for _, extra := range keysNotIn(curN, lockN) {
+		cmds = append(cmds, fmt.Sprintf("npm rm -g %s", extra))
+	}
+
+	for name, ver := range lockY {
+		if curVer, ok := curY[name]; !ok || curVer != ver {
+			cmds = append(cmds, fmt.Sprintf("yarn global add %s@%s", name, ver))
+		}
+	}
+	for _, extra := range keysNotIn(curY, lockY) {
+		cmds = append(cmds, fmt.Sprintf("yarn global remove %s", extra))
+	}
+
+	for name, ver := range lockQ {
+		if curVer, ok := curQ[name]; !ok || curVer != ver {
+			cmds = append(cmds, fmt.Sprintf("pnpm add -g %s@%s", name, ver))
+		}
+	}
+	for _, extra := range keysNotIn(curQ, lockQ) {
+		cmds = append(cmds, fmt.Sprintf("pnpm remove -g %s", extra))
+	}
+
+	return cmds
+}
+
+func init() {
+	rootCmd.AddCommand(applyCmd)
+}