Update sandcat

Author: adamw

.devcontainer/Dockerfile.app

@@ -22,6 +22,25 @@ RUN mise use -g node@lts \
 RUN mise use -g java@21
 RUN mise use -g sbt@1.12
 
+# If Java was installed above, bake JAVA_HOME and trust-store paths into the
+# image.  VS Code may probe the environment before the entrypoint finishes
+# importing the mitmproxy CA; having these ready avoids a race where Metals
+# (or other JVM tooling) starts without JAVA_HOME or JAVA_TOOL_OPTIONS.
+# The entrypoint will import the mitmproxy CA into the cacerts copy at runtime.
+RUN if MISE_JAVA=$(mise where java 2>/dev/null); then \
+    dir="$HOME/.local/share/sandcat"; mkdir -p "$dir"; \
+    ln -sfn "$MISE_JAVA" "$dir/java-home"; \
+    cp "$MISE_JAVA/lib/security/cacerts" "$dir/cacerts" 2>/dev/null || true; \
+    { echo ''; \
+    echo '# sandcat-java-env'; \
+    echo '_sc_java="$HOME/.local/share/sandcat/java-home"'; \
+    echo '_sc_cacerts="$HOME/.local/share/sandcat/cacerts"'; \
+    echo '[ -L "$_sc_java" ] && export JAVA_HOME="$_sc_java"'; \
+    echo '[ -f "$_sc_cacerts" ] && export JAVA_TOOL_OPTIONS="-Djavax.net.ssl.trustStore=$_sc_cacerts -Djavax.net.ssl.trustStorePassword=changeit"'; \
+    echo 'unset _sc_java _sc_cacerts'; \
+    } >> "$HOME/.bashrc"; \
+    fi
+
 # Pre-create the Claude config directory and seed onboarding flag so Claude
 # Code can use an API key from the environment without interactive setup.
 RUN mkdir -p /home/vscode/.claude \

.devcontainer/sandcat/scripts/app-init.sh

@@ -58,21 +58,6 @@ fi
 # Run vscode-user tasks: git identity and Claude Code update.
 su - vscode -c /usr/local/bin/app-user-init.sh
 
-# If app-user-init.sh set up Java (symlink + trust store), export JAVA_HOME
-# and JAVA_TOOL_OPTIONS for shells and child processes of PID 1.
-SANDCAT_JAVA_HOME="/home/vscode/.local/share/sandcat/java-home"
-if [ -L "$SANDCAT_JAVA_HOME" ]; then
-    export JAVA_HOME="$SANDCAT_JAVA_HOME"
-    echo "export JAVA_HOME=\"$SANDCAT_JAVA_HOME\"" > /etc/profile.d/sandcat-java.sh
-fi
-if [ -f /tmp/sandcat-java-cacerts-path ]; then
-    SANDCAT_CACERTS=$(cat /tmp/sandcat-java-cacerts-path)
-    JAVA_TRUST_OPTS="-Djavax.net.ssl.trustStore=$SANDCAT_CACERTS -Djavax.net.ssl.trustStorePassword=changeit"
-    export JAVA_TOOL_OPTIONS="$JAVA_TRUST_OPTS"
-    echo "export JAVA_TOOL_OPTIONS=\"$JAVA_TRUST_OPTS\"" >> /etc/profile.d/sandcat-java.sh
-    rm -f /tmp/sandcat-java-cacerts-path
-fi
-
 # Source all sandcat profile.d scripts from /etc/bash.bashrc so env vars
 # are available in non-login shells (e.g. VS Code integrated terminals).
 # Guard with a marker to avoid duplicating on container restart.

.devcontainer/sandcat/scripts/app-user-init.sh

@@ -71,17 +71,10 @@ if [ -n "$MISE_JAVA_HOME" ] && [ -f "$CA_CERT" ]; then
 EOFJSON
     fi
 
-    # Signal to app-init.sh (which runs as root) where the cacerts copy is,
-    # so it can set JAVA_TOOL_OPTIONS. Written on every start since /tmp
-    # is cleared on container restart.
-    if [ -f "$SANDCAT_CACERTS" ]; then
-        echo "$SANDCAT_CACERTS" > /tmp/sandcat-java-cacerts-path
-    fi
-
     # Write Java env vars to ~/.bashrc (on the persistent app-home volume)
     # so VS Code's userEnvProbe picks them up even after container rebuild.
-    # /etc/profile.d/ is ephemeral and works for shells, but VS Code may
-    # probe the environment before the entrypoint recreates those files.
+    # The Dockerfile bakes these into the image for first-run, but rebuilds
+    # with a changed toolchain need the runtime fallback.
     BASHRC_JAVA_MARKER="# sandcat-java-env"
     if ! grep -q "$BASHRC_JAVA_MARKER" "$HOME/.bashrc" 2>/dev/null; then
         cat >> "$HOME/.bashrc" << 'BASHRC_JAVA'