Bump 0.8.1 #86

Merged: robotpilot merged 25 commits into jazzy from main, Feb 10, 2026

@GyuH13 GyuH13 commented Feb 10, 2026

No description provided.

GyuH13 and others added 25 commits January 8, 2026 16:29
Signed-off-by: Hyungyu Kim <kimhg@robotis.com>
Signed-off-by: Hyungyu Kim <kimhg@robotis.com>
…agent path to talos package. Adjust permissions and clean up Dockerfile for better organization of services.
…hysical AI server, simplifying the setup by removing the build context and Dockerfile specification.
Add s6-overlay and Talos system manager support for physical_ai_server
Copilot AI review requested due to automatic review settings February 10, 2026 09:48
@gemini-code-assist

Summary of Changes

Hello @GyuH13, I'm Gemini Code Assist! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request primarily focuses on bumping the project version to 0.8.1 and significantly enhancing the Docker container's process management capabilities. By integrating s6-overlay and the talos system manager, the services within the containers, particularly the FastAPI agent and the ROS2 server, will benefit from improved supervision, startup, and shutdown procedures. This change lays the groundwork for a more stable and maintainable service architecture.

Highlights

  • Version Bump: The project version has been updated from 0.8.0 to 0.8.1 across all relevant packages, including physical_ai_bt, physical_ai_interfaces, physical_ai_manager, physical_ai_server, physical_ai_tools, and rosbag_recorder.
  • S6-Overlay Integration: S6-overlay has been integrated into the Docker images (Dockerfile.amd64, Dockerfile.arm64) to provide robust process supervision and management for services within the containers.
  • Talos System Manager Support: New s6-overlay services (s6-agent and physical_ai_server) have been added to support the talos system manager, enabling better control and logging of the FastAPI agent and ROS2 server.
  • Docker Compose and Image Updates: The docker-compose.yml file was modified to include a volume mount for the agent's Unix Domain Socket, and the Dockerfiles were updated to install necessary utilities (xz-utils, python3-pip), clone the talos repository, and configure the s6-overlay services.
  • Reusable ROS2 Service Scripts: Common scripts for running and finishing ROS2 services have been introduced, providing a standardized way to manage ROS2 processes with graceful shutdown capabilities.

Changelog
  • docker/docker-compose.yml
    • Added a volume mount for the physical AI server agent socket.
    • Removed the default command: bash from the service definition.
  • docker/s6-agent/dependencies
    • Added an empty dependencies file for the s6-agent service.
  • docker/s6-agent/finish
    • Added a shell script to remove the s6-agent Unix Domain Socket file upon service termination.
  • docker/s6-agent/run
    • Added a shell script to start the talos.agent.s6_agent FastAPI application using uvicorn with a Unix Domain Socket.
  • docker/s6-agent/type
    • Added a file to define the s6-agent service as a longrun type.
  • docker/s6-services/common/ros2_service_finish.sh
    • Added a reusable shell script template for gracefully stopping ROS2 services, including SIGTERM and SIGKILL handling for process groups.
  • docker/s6-services/common/ros2_service_run.sh
    • Added a reusable shell script template for launching ROS2 services, handling environment setup, and recording process group IDs.
  • docker/s6-services/physical_ai_server-log/consumer-for
    • Added a file to specify physical_ai_server as the consumer for its logs.
  • docker/s6-services/physical_ai_server-log/pipeline-name
    • Added a file to define the log pipeline name as physical_ai_server-pipeline.
  • docker/s6-services/physical_ai_server-log/run
    • Added a shell script to run the logging service for physical_ai_server using logutil-service.
  • docker/s6-services/physical_ai_server-log/type
    • Added a file to define the physical_ai_server-log service as a longrun type.
  • docker/s6-services/physical_ai_server/dependencies
    • Added an empty dependencies file for the physical_ai_server service.
  • docker/s6-services/physical_ai_server/finish
    • Added a shell script to finish the physical_ai_server service by calling the common ROS2 service finish script.
  • docker/s6-services/physical_ai_server/producer-for
    • Added a file to specify physical_ai_server-log as the producer for its logs.
  • docker/s6-services/physical_ai_server/run
    • Added a shell script to run the physical_ai_server service by calling the common ROS2 service run script with a specific launch command.
  • docker/s6-services/physical_ai_server/type
    • Added a file to define the physical_ai_server service as a longrun type.
  • physical_ai_bt/CHANGELOG.rst
    • Updated the changelog to include version 0.8.1.
  • physical_ai_bt/package.xml
    • Updated the package version from 0.8.0 to 0.8.1.
  • physical_ai_bt/setup.py
    • Updated the package version from 0.8.0 to 0.8.1.
  • physical_ai_interfaces/CHANGELOG.rst
    • Updated the changelog to include version 0.8.1.
  • physical_ai_interfaces/package.xml
    • Updated the package version from 0.8.0 to 0.8.1.
  • physical_ai_manager/CHANGELOG.rst
    • Updated the changelog to include version 0.8.1.
  • physical_ai_manager/package-lock.json
    • Updated the package version from 0.8.0 to 0.8.1.
  • physical_ai_manager/package.json
    • Updated the package version from 0.8.0 to 0.8.1.
  • physical_ai_server/CHANGELOG.rst
    • Updated the changelog to include version 0.8.1.
    • Added an entry for the integration of s6-agent and s6-services for talos system manager support.
  • physical_ai_server/Dockerfile.amd64
    • Added s6-overlay installation for process management.
    • Installed xz-utils and python3-pip.
    • Modified pip install commands to use --no-cache-dir.
    • Exported PYTHONPATH for lerobot to .bashrc.
    • Created and set permissions for the agent Unix Domain Socket directory.
    • Cloned and installed the talos system manager.
    • Copied and configured s6-agent and s6-services for s6-overlay.
    • Copied reusable ROS2 service scripts to a common library location.
    • Created and set permissions for the physical_ai_server log directory.
    • Configured s6-overlay to enable s6-agent and physical_ai_server-pipeline services.
    • Set /init as the Docker entrypoint to use s6-overlay.
  • physical_ai_server/Dockerfile.arm64
    • Added s6-overlay installation for ARM64 architecture.
    • Installed xz-utils and python3-pip.
    • Modified pip install commands to use --no-cache-dir.
    • Exported PYTHONPATH for lerobot to .bashrc.
    • Created and set permissions for the agent Unix Domain Socket directory.
    • Cloned and installed the talos system manager.
    • Copied and configured s6-agent and s6-services for s6-overlay.
    • Copied reusable ROS2 service scripts to a common library location.
    • Created and set permissions for the physical_ai_server log directory.
    • Configured s6-overlay to enable s6-agent and physical_ai_server-pipeline services.
    • Set /init as the Docker entrypoint to use s6-overlay.
  • physical_ai_server/package.xml
    • Updated the package version from 0.8.0 to 0.8.1.
  • physical_ai_server/setup.py
    • Updated the package version from 0.8.0 to 0.8.1.
  • physical_ai_tools/CHANGELOG.rst
    • Updated the changelog to include version 0.8.1.
    • Added an entry for the integration of s6-agent and s6-services for talos system manager support.
  • physical_ai_tools/package.xml
    • Updated the package version from 0.8.0 to 0.8.1.
  • rosbag_recorder/CHANGELOG.rst
    • Updated the changelog to include version 0.8.1.
  • rosbag_recorder/package.xml
    • Updated the package version from 0.8.0 to 0.8.1.

@GyuH13 GyuH13 added the bump Increase the version number to release label Feb 10, 2026
@GyuH13 GyuH13 added this to Platform Feb 10, 2026
@GyuH13 GyuH13 moved this to 📝 Pull Request in Platform Feb 10, 2026
@gemini-code-assist gemini-code-assist bot left a comment

Code Review

This pull request introduces "s6-overlay" for service management in Docker containers and updates package versions to "0.8.1", which is a positive step for robust service handling. However, a security audit revealed critical vulnerabilities, including world-writable directory permissions for a host-mapped socket directory and potential command injection in shell scripts due to insufficient input sanitization. These issues could lead to unauthorized access or arbitrary command execution. Additionally, the review suggests improving reproducibility by pinning "git clone" to a specific commit, adjusting overly permissive file modes, and cleaning up redundant script code.


# Ensure socket directory exists
mkdir -p /var/run/agent
chmod 777 /var/run/agent

security-high high

The script sets permissions of /var/run/agent to 777 (world-writable), which is a critical security vulnerability. This directory is mounted from the host, making the host directory /var/run/robotis/agent_sockets/physical_ai_server world-writable. This allows any user on the host to modify, delete, or replace the Unix Domain Socket, potentially leading to Denial of Service or unauthorized access. It is recommended to use more restrictive permissions like 755.

mkdir -p /var/run/agent
chmod 755 /var/run/agent

Comment on lines +12 to +16
SERVICE_NAME="${SERVICE_NAME}"
if [ -z "${SERVICE_NAME}" ]; then
echo "Error: SERVICE_NAME environment variable must be set" >&2
exit 1
fi

security-high high

The script is vulnerable to command injection via the SERVICE_NAME environment variable. The variable is used to construct a file path for redirection on line 39 and is part of a command string executed via bash -c on line 59. If SERVICE_NAME contains shell metacharacters (e.g., ;, $(...)), they will be executed by the shell. As a 'reusable template', this script should strictly validate or sanitize its inputs.

Suggested change
SERVICE_NAME="${SERVICE_NAME}"
if [ -z "${SERVICE_NAME}" ]; then
echo "Error: SERVICE_NAME environment variable must be set" >&2
exit 1
fi
# Sanitize SERVICE_NAME to allow only alphanumeric characters, underscores, and hyphens
SERVICE_NAME=$(echo "${SERVICE_NAME}" | tr -cd '[:alnum:]_-')
if [ -z "${SERVICE_NAME}" ]; then
echo "Error: SERVICE_NAME environment variable is invalid or empty" >&2
exit 1
fi

RUN mkdir -p /var/run/agent && \
chmod 777 /var/run/agent

RUN git clone -b main https://github.com/ROBOTIS-GIT/talos.git /opt/talos

high

Cloning the main branch of the talos repository makes the Docker build non-reproducible. Changes to the main branch can introduce unexpected issues or break the build in the future. It is strongly recommended to pin this dependency to a specific git commit hash or tag to ensure deterministic and stable builds.

RUN mkdir -p /var/run/agent && \
chmod 777 /var/run/agent

RUN git clone -b main https://github.com/ROBOTIS-GIT/talos.git /opt/talos

high

Cloning the main branch of the talos repository makes the Docker build non-reproducible. Changes to the main branch can introduce unexpected issues or break the build in the future. It is strongly recommended to pin this dependency to a specific git commit hash or tag to ensure deterministic and stable builds.


# Create directory for agent Unix Domain Socket
RUN mkdir -p /var/run/agent && \
chmod 777 /var/run/agent

security-medium medium

The Dockerfile sets permissions of /var/run/agent to 777 (world-writable), which is insecure. This allows any user within the container to modify its contents, and when combined with the volume mount, also affects the host system's directory permissions. This directory creation and permission setting is also redundant, as it's handled in the docker/s6-agent/run script at service startup, and /var/run often doesn't persist from image build. It's better to manage this exclusively in the runtime script with more restrictive permissions.

RUN mkdir -p /var/run/agent && \
    chmod 755 /var/run/agent


# Create directory for agent Unix Domain Socket
RUN mkdir -p /var/run/agent && \
chmod 777 /var/run/agent

security-medium medium

The Dockerfile sets permissions of /var/run/agent to 777 (world-writable), which is insecure. This allows any user within the container to modify its contents, and when combined with the volume mount, also affects the host system's directory permissions. This directory creation and permission setting is also redundant, as it's handled in the docker/s6-agent/run script at service startup, and /var/run often doesn't persist from image build. It's better to manage this exclusively in the runtime script with more restrictive permissions.

RUN mkdir -p /var/run/agent && \
    chmod 755 /var/run/agent

# Reusable ROS2 service finish script template
# This script runs when the service is stopped.
# Usage: SERVICE_NAME=<name> /path/to/ros2_service_finish.sh [exit_code]

medium

For improved robustness and to prevent unexpected behavior in case of errors, it's recommended to add set -e at the beginning of this script. This ensures that the script will exit immediately if any command fails. Most other new scripts in this pull request already follow this practice.

Suggested change
set -e

Comment on lines +12 to +13
export SERVICE_NAME="${SERVICE_NAME}"
export ROS2_COMMAND="${ROS2_COMMAND}"

medium

These export commands are redundant because the variables are passed to the exec command on line 16 using env. Removing them will make the script cleaner and less prone to confusion.
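
An added example (not part of the pull request or of either review) for the SERVICE_NAME command-injection finding above: it validates the name by rejecting anything outside an allowlist instead of stripping characters, and passes it to a child shell as a positional parameter. The helper names, the 64-character limit and the shape of the child command are assumptions, since the full ros2_service_run.sh is not shown on this page.

```shell
#!/bin/sh
# Added example: allowlist validation for SERVICE_NAME.
# validate_service_name, strip_service_name and run_with_name are hypothetical helpers.

# Byte-wise matching so that A-Z / a-z / 0-9 mean exactly ASCII.
LC_ALL=C
export LC_ALL

# Accept only [A-Za-z0-9_-], starting with an alphanumeric, at most 64 chars (assumed limit).
validate_service_name() {
    name=$1
    [ -n "$name" ] || return 1
    [ "${#name}" -le 64 ] || return 1
    case $name in
        [!A-Za-z0-9]*) return 1 ;;     # no leading '-', '_' or '.' (option-like or path-like)
        *[!A-Za-z0-9_-]*) return 1 ;;  # any character outside the allowlist, newlines included
    esac
    return 0
}

# The stripping approach from the suggested change, kept for comparison:
# it turns a malformed value into a different, valid-looking name instead of failing.
strip_service_name() {
    printf '%s' "$1" | tr -cd '[:alnum:]_-'
}

# Hand the validated name to a child shell as "$1"; it is never spliced
# into the command string given to -c.
run_with_name() {
    validate_service_name "$1" || { echo "Error: invalid SERVICE_NAME" >&2; return 1; }
    sh -c 'printf "%s\n" "service=$1"' sh "$1"
}

# Constructed sample values.
for candidate in physical_ai_server 'bad;name'; do
    if validate_service_name "$candidate"; then
        echo "accept: $candidate"
    else
        echo "reject: $candidate (stripping would yield: $(strip_service_name "$candidate"))"
    fi
done
```

With rejection, a misconfigured name stops the service at startup; with stripping, the service would start under a name the operator never chose and write its log to a path derived from that name.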

Copilot AI left a comment

Pull request overview

Updates the repository release to 0.8.1 across ROS 2 packages and the web UI, and extends the physical_ai_server container runtime to use s6-overlay with bundled services (including an agent via Talos).

Changes:

  • Bump versions to 0.8.1 across multiple packages (ROS package.xml, Python setup.py, Node package.json/lockfile).
  • Add 0.8.1 entries to package changelogs.
  • Introduce s6-overlay + s6-rc service definitions and switch the physical_ai_server container entrypoint to /init, with docker-compose updates for the agent socket mount.

Reviewed changes

Copilot reviewed 32 out of 33 changed files in this pull request and generated 7 comments.

| File | Description |
| --- | --- |
| rosbag_recorder/package.xml | Version bump to 0.8.1 |
| rosbag_recorder/CHANGELOG.rst | Add 0.8.1 changelog entry |
| physical_ai_tools/package.xml | Version bump to 0.8.1 |
| physical_ai_tools/CHANGELOG.rst | Add 0.8.1 changelog entry noting s6-related additions |
| physical_ai_server/setup.py | Python package version bump to 0.8.1 |
| physical_ai_server/package.xml | ROS package version bump to 0.8.1 |
| physical_ai_server/Dockerfile.arm64 | Install/configure s6-overlay, Talos agent, and s6 services; set /init entrypoint |
| physical_ai_server/Dockerfile.amd64 | Install/configure s6-overlay, Talos agent, and s6 services; set /init entrypoint |
| physical_ai_server/CHANGELOG.rst | Add 0.8.1 changelog entry noting s6-related additions |
| physical_ai_manager/package.json | Version bump to 0.8.1 |
| physical_ai_manager/package-lock.json | Lockfile version bump to 0.8.1 |
| physical_ai_manager/CHANGELOG.rst | Add 0.8.1 changelog entry |
| physical_ai_interfaces/package.xml | Version bump to 0.8.1 |
| physical_ai_interfaces/CHANGELOG.rst | Add 0.8.1 changelog entry |
| physical_ai_bt/setup.py | Python package version bump to 0.8.1 |
| physical_ai_bt/package.xml | Version bump to 0.8.1 |
| physical_ai_bt/CHANGELOG.rst | Add 0.8.1 changelog entry |
| docker/s6-services/physical_ai_server/type | Define physical_ai_server s6-rc service type |
| docker/s6-services/physical_ai_server/run | Run script delegating to common ROS2 service runner |
| docker/s6-services/physical_ai_server/producer-for | Wire service output to log consumer |
| docker/s6-services/physical_ai_server/finish | Finish script delegating to common ROS2 service finisher |
| docker/s6-services/physical_ai_server/dependencies | Service dependency file (currently empty) |
| docker/s6-services/physical_ai_server-log/type | Define log service type |
| docker/s6-services/physical_ai_server-log/run | Log service run script using logutil-service |
| docker/s6-services/physical_ai_server-log/pipeline-name | Define pipeline name for log/service pairing |
| docker/s6-services/physical_ai_server-log/consumer-for | Wire log service as consumer of main service |
| docker/s6-services/common/ros2_service_run.sh | Common ROS2 launch wrapper for s6 services |
| docker/s6-services/common/ros2_service_finish.sh | Common service shutdown helper (PGID-based) |
| docker/s6-agent/type | Define s6-agent s6-rc service type |
| docker/s6-agent/run | Run uvicorn agent over UDS socket |
| docker/s6-agent/finish | Cleanup agent socket on stop |
| docker/s6-agent/dependencies | Service dependency file (currently empty) |
| docker/docker-compose.yml | Mount host agent socket directory into container; remove interactive shell command |
Files not reviewed (1)
  • physical_ai_manager/package-lock.json: Language not supported

Comment on lines +3 to +9
ARG S6_OVERLAY_VERSION=3.2.1.0

# Install s6-overlay
ADD https://github.com/just-containers/s6-overlay/releases/download/v${S6_OVERLAY_VERSION}/s6-overlay-noarch.tar.xz /tmp
RUN tar -C / -Jxpf /tmp/s6-overlay-noarch.tar.xz
ADD https://github.com/just-containers/s6-overlay/releases/download/v${S6_OVERLAY_VERSION}/s6-overlay-aarch64.tar.xz /tmp
RUN tar -C / -Jxpf /tmp/s6-overlay-aarch64.tar.xz

Copilot AI Feb 10, 2026

s6-overlay tarballs are extracted with tar -J before xz-utils is installed. This makes the Docker build rely on xz support being present in the base image; move the apt-get install xz-utils step (or otherwise ensure xz is available) before these tar -Jxpf commands to avoid non-reproducible build failures.

Copilot uses AI. Check for mistakes.

# Create directory for agent Unix Domain Socket
RUN mkdir -p /var/run/agent && \
chmod 777 /var/run/agent

Copilot AI Feb 10, 2026

chmod 777 /var/run/agent makes the socket directory world-writable. Prefer a tighter permission model (e.g., 0755 or 0770 with a dedicated group/user) to reduce the risk of unintended write access when the directory is bind-mounted from the host.

Suggested change
chmod 777 /var/run/agent
chmod 755 /var/run/agent

Comment on lines +72 to +73
RUN git clone -b main https://github.com/ROBOTIS-GIT/talos.git /opt/talos

Copilot AI Feb 10, 2026

git clone -b main ... /opt/talos makes the image build non-deterministic because the contents can change over time. Pin to a tag or a specific commit SHA (and consider shallow clone) to improve reproducibility and make rollbacks/auditing possible.

Comment on lines +3 to +9
ARG S6_OVERLAY_VERSION=3.2.1.0

# Install s6-overlay
ADD https://github.com/just-containers/s6-overlay/releases/download/v${S6_OVERLAY_VERSION}/s6-overlay-noarch.tar.xz /tmp
RUN tar -C / -Jxpf /tmp/s6-overlay-noarch.tar.xz
ADD https://github.com/just-containers/s6-overlay/releases/download/v${S6_OVERLAY_VERSION}/s6-overlay-x86_64.tar.xz /tmp
RUN tar -C / -Jxpf /tmp/s6-overlay-x86_64.tar.xz

Copilot AI Feb 10, 2026

s6-overlay tarballs are extracted with tar -J before xz-utils is installed. This makes the Docker build rely on xz support being present in the base image; move the apt-get install xz-utils step (or otherwise ensure xz is available) before these tar -Jxpf commands to avoid non-reproducible build failures.

# Create directory for agent Unix Domain Socket
RUN mkdir -p /var/run/agent && \
chmod 777 /var/run/agent

Copilot AI Feb 10, 2026

chmod 777 /var/run/agent makes the socket directory world-writable. Prefer a tighter permission model (e.g., 0755 or 0770 with a dedicated group/user) to reduce the risk of unintended write access when the directory is bind-mounted from the host.

Suggested change
chmod 777 /var/run/agent
chmod 0755 /var/run/agent

Comment on lines +65 to +66
RUN git clone -b main https://github.com/ROBOTIS-GIT/talos.git /opt/talos

Copilot AI Feb 10, 2026

git clone -b main ... /opt/talos makes the image build non-deterministic because the contents can change over time. Pin to a tag or a specific commit SHA (and consider shallow clone) to improve reproducibility and make rollbacks/auditing possible.

Comment on lines 1 to +6
FROM robotis/ros:jazzy-ros-base-torch2.7.0-cuda12.8.0 AS physical-ai-tools

ARG S6_OVERLAY_VERSION=3.2.1.0

# Install s6-overlay
ADD https://github.com/just-containers/s6-overlay/releases/download/v${S6_OVERLAY_VERSION}/s6-overlay-noarch.tar.xz /tmp

Copilot AI Feb 10, 2026

PR title suggests a pure version bump, but this change set also introduces a new init system (s6-overlay), adds new longrun services, and changes container entrypoint behavior. Please update the PR title/description to reflect the operational change so reviewers/release notes capture the real scope.

@robotpilot robotpilot merged commit 001bc24 into jazzy Feb 10, 2026
18 checks passed
@github-project-automation github-project-automation bot moved this from 📝 Pull Request to 🚩Done in Platform Feb 10, 2026
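
An added example (not code from the pull request) of the tighter permission model both reviews recommend for the bind-mounted socket directory: set an explicit mode at service start and refuse to continue if the directory is world-writable. The helper names are assumptions, and the demo runs on a constructed temporary directory standing in for /var/run/agent; a dedicated group would additionally be applied with chgrp, but no such group is named on this page.

```shell
#!/bin/sh
# Added example. is_world_writable and prepare_socket_dir are hypothetical helpers.

# Returns 0 if the directory has the "other write" permission bit set.
# -prune stops find from descending, so only the directory itself is tested.
is_world_writable() {
    [ -n "$(find "$1" -prune -type d -perm -0002 2>/dev/null)" ]
}

# Create the socket directory, force an explicit mode, then verify the result.
# The chmod is explicit because mkdir -p leaves the mode of an existing directory
# untouched, and a bind-mounted directory may arrive with whatever mode the host
# (or an earlier image) gave it.
prepare_socket_dir() {
    dir=$1
    mode=${2:-0770}          # owner and group only, by default
    mkdir -p "$dir" || return 1
    chmod "$mode" "$dir" || return 1
    if is_world_writable "$dir"; then
        echo "Error: $dir is world-writable" >&2
        return 1
    fi
}

# Demo on a constructed temporary directory (stands in for /var/run/agent).
demo() {
    tmp=$(mktemp -d) || return 1
    mkdir "$tmp/agent" && chmod 777 "$tmp/agent"
    is_world_writable "$tmp/agent" && echo "before: world-writable"
    prepare_socket_dir "$tmp/agent" 0770 && echo "after: mode tightened"
    rm -rf "$tmp"
}
demo
```

Because the directory is a bind mount, the mode set inside the container is the mode of the host directory, so the same check can be run on the host path as part of deployment verification.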