Docker Rebuild Windows - Operational Discipline

Principle

Never rebuild mid-week during founder deep-work blocks. Batch image mutations into scheduled windows.

Scheduled Window

Sunday 9:45 PM PT (after Review agent runs)

Exception: Critical security patch or total system failure only.

---

Change Classification Framework

🧊 IMAGE MUTATION (Docker Rebuild Required)

Time cost: ~5 minutes + restart
Batch these: Accumulate in pending-rebuilds.md, execute during window

Triggers:

• Python/Node SDK installs (Zoho, Xero, Discord, pandas, numpy)
• System libraries (libmagic, PDF parsing, OpenSSL, TLS)
• gcloud CLI
• ChromaDB, FAISS, SQLite, PostgreSQL drivers
• Embedding libraries (SentenceTransformers, tokenizers)
• Security libs (HTML sanitizers, BeautifulSoup, malware scanner)
• Headless Chromium
• OAuth browserless flow tools

Examples from Master Plan:

Phase	Capability	Why Rebuild
3	Zoho Creator connector	Node SDK
5	ChromaDB	Native libs
5	Embeddings	Tokenizer deps
6	SQLite/Postgres layer	DB driver
6	Reconciliation assist	pandas
6	Anomaly detection	Stats libs
Security	HTML parsing	bs4/lxml

Expected total over 12 months: ~5 rebuilds (if disciplined)

---

🟡 RUNTIME MUTATION (Container Restart Only)

Time cost: 3-10 seconds
Safe to do immediately

Examples:

• All .md files (soul.md, identity.md, user.md, reference/, working/)
• Cron schedules
• Agent prompts
• OAuth tokens (Zoho, Gmail, Calendar)
• Cost caps
• API keys
• Agent schedules
• Comms drafts
• Zoho CRM access scopes
• Discord bot config
• Pub/Sub config
• Cloudflare tunnel
• Asana project mappings

---

🟣 INFRA MUTATION (Cloud-Side, No Rebuild)

Time cost: Instant to 5 minutes (propagation)
Safe to do immediately

Examples:

• Enable Google APIs (Sheets, Drive, etc.)
• DNS changes
• OAuth scopes
• IAM role changes
• Zoho app permissions
• Brave Search API key
• Discord bot token regen
• SMTP relay change
• Gmail label filter rules

---

Current Status

Pending Rebuilds

(Track in pending-rebuilds.md - moved to rebuild queue during window)

Queue cleared: Feb 14, 2026 rebuild completed all pending items.

Last Rebuild

Date: Feb 14, 2026
Reason: Agent analysis infrastructure + foundational capabilities (data science, CLI tools, terminal multiplexers, archive utilities)
Packages added:

• Data science: python3-pandas python3-numpy python3-bs4 python3-lxml
• YouTube/Media: youtube-transcript-api yt-dlp (pip)
• CLI tools: jq ripgrep tree htop rsync
• Terminal: tmux screen expect
• Archive: zip unzip

Verified versions:

• pandas 1.5.3, numpy 1.24.2, bs4 4.11.2, lxml
• yt-dlp 2026.02.04
• jq 1.6, ripgrep 13.0.0, tree 2.1.0, htop 3.2.2, rsync 3.2.7
• tmux 3.3a, screen 4.09.00, expect 5.45.4
• zip 3.0, unzip 6.00

Note: Mid-week rebuild (Friday) at Quan's explicit request. Batched 6 queued capabilities from pending-rebuilds.md (queued Feb 13-14). All services auto-recovered.

Next Scheduled Window

Sunday, Feb 16, 2026 @ 9:45 PM PT

---

Decision Tree

Before requesting Minnie capability:

1. Will this survive container restart?

   • YES → Image mutation → Queue for rebuild window
   • NO → Runtime mutation → Do now (restart safe)
   • EXTERNAL → Infra mutation → Do now (cloud-side)

2. Is it urgent (blocks critical path)?

   • YES + Image → Emergency rebuild (document reason)
   • NO + Image → Queue for Sunday

3. Can it be externalized?

   • Cloud config?
   • Mounted volume?
   • API-only?

---

Rebuild Protocol

When queued rebuild is ready (Sunday 9:45 PM):

1. Review pending-rebuilds.md
2. Update OPENCLAW_DOCKER_APT_PACKAGES in one batch
3. Run REBUILD-IMAGE.sh
4. Test all new capabilities
5. Clear pending-rebuilds.md
6. Update "Last Rebuild" section above

Emergency rebuild:

• Document why it couldn't wait
• Note founder attention cost
• Review if pattern suggests better architecture

---

Post-Rebuild Hygiene

After any rebuild, immediately run:

1. Container Startup Checklist

# Inside container (critical - do this first)
/home/node/.openclaw/workspace/tools/setup-ssh-symlinks.sh

Why: SSH keys stored in persistent volume need symlinks to ~/.ssh/ for git to work. Container rebuilds wipe ephemeral directories.

See CONTAINER-STARTUP.md for full checklist.

2. Docker Build Cache Cleanup

# On host
docker builder prune -af

Why: Rebuilds leave stale build cache (intermediate layers, failed attempts, superseded installs). Over time this accumulates "invisible disk drift" (5-10GB per quarter).

What it removes: Build cache only (safe to prune)
What it preserves: Running containers, volumes, active images

Example: Feb 13 cleanup reclaimed 8.9GB of PyTorch layers, Chromium deps, and apt caches from prior iterations.

Critical distinction:

• Build cache = safe to prune (temporary build artifacts)
• Persistent volumes = data (meeting embeddings, email archives) — never prune

Run this after Sunday rebuild windows to prevent mid-phase capacity surprises.

---

Founder Energy Constraint

From Loss Function:
Execution may never degrade coherence beyond threshold. Mid-week rebuilds fragment deep-work blocks.

This system enforces: Batch infrastructure entropy into Sunday night maintenance window, preserving Monday-Friday founder attention for strategic work.

---

Created: Feb 13, 2026
Next review: After first 3 scheduled windows (refine cadence if needed)