refactor(builder-sidecar): ephemeral builder containers launched from host

.github/workflows/ci.yml

@@ -8,10 +8,9 @@ on:
       - "oss_crs/**"
       - "oss-crs-infra/**"
       - "libCRS/**"
-
-env:
-  RUFF_PATHS: oss_crs oss-crs-infra libCRS
-  PYRIGHT_PATHS: oss_crs/src libCRS/libCRS oss-crs-infra
+      - "uv.lock"
+      - "pyproject.toml"
+      - "!**/*.md"
 
 jobs:
   verify:
@@ -23,14 +22,8 @@ jobs:
         with:
           enable-cache: true
       - run: uv sync --frozen --dev
-      - name: Ruff check
-        run: uv run ruff check $RUFF_PATHS
-      - name: Ruff format
-        run: uv run ruff format --check $RUFF_PATHS
-      - name: Pyright
-        run: uv run pyright $PYRIGHT_PATHS
-      - name: Unit Tests
-        run: uv run pytest -m "not integration" -v oss_crs
+      - name: Verify
+        run: uv run verify
 
   integration-test:
     name: Integration tests
@@ -253,7 +246,8 @@ jobs:
             echo "Found patches:"
             ls -la "$patch_dir"
           else
-            echo "WARNING: No patches found (may be expected if LLM could not fix)"
+            echo "ERROR: No patches found"
+            exit 1
           fi
 
       - name: Create smoke-c-patch workdir tarball

.gitignore

@@ -14,3 +14,5 @@ tags
 .oss-crs-workdir/
 third_party/
 .planning/
+docs/meeting/*/main.md
+docs/meeting/*/*.svg

CHANGELOG.md

@@ -7,6 +7,9 @@ stricter subset of Keep a Changelog).
 ## [Unreleased]
 
 ### Added
+- `--incremental-build` flag for `oss-crs build-target` and `oss-crs run` — creates Docker snapshots of compiled builder images for faster rebuilds across runs
+- Framework-injected builder and runner sidecars during run phase — CRS developers no longer declare them in `crs.yaml`
+- `libCRS apply-patch-test` command — applies a patch and runs the project's `test.sh` in a fresh ephemeral container
 - `--early-exit` flag to `oss-crs run` to stop on the first discovered artifact (POV or patch)
 - GitHub Actions CI pipeline with lint (ruff check), format check (ruff format), type check (pyright), unit tests, and parallel C/Java smoke tests
 - atlantis-java-main to registry/ and example/
@@ -18,6 +21,10 @@ stricter subset of Keep a Changelog).
 - `libCRS download-source target-source <dest>`: copies clean target source
 
 ### Changed
+- Builder sidecar redesigned: framework-injected ephemeral containers replace CRS-declared long-running builders. Rebuilds launch a fresh container per patch from the preserved builder image.
+- `libCRS apply-patch-build`: `--builder` no longer required (framework injects `BUILDER_MODULE`), `--builder-name` auto-detected. Response fields renamed: `retcode`, `rebuild_id`, `stdout.log`/`stderr.log`.
+- `libCRS run-pov`: `--build-id` renamed to `--rebuild-id`, `--builder` no longer required.
+- `libCRS apply-patch-test` replaces `run-test`: takes a patch file, applies it, and runs `test.sh` in a fresh container.
 - Clarified that target env `repo_path` is the effective in-container source
   path (Dockerfile final `WORKDIR`) used for `OSS_CRS_REPO_PATH`, not a host
   path override.
@@ -44,6 +51,9 @@ stricter subset of Keep a Changelog).
   future minor release.
 
 ### Removed
+- `crs.yaml`: `snapshot` field from `target_build_phase`, `run_snapshot` field from `crs_run_phase` — snapshot behavior is now operator-controlled via `--incremental-build`
+- `libCRS run-test` — replaced by `libCRS apply-patch-test`
+- `OSS_CRS_SNAPSHOT_IMAGE` environment variable
 - Removed legacy CLI alias `--target-repo-path`; use `--target-source-path`.
 - Removed `libCRS download-source target` and `download-source repo` commands.
 - Removed `SourceType.TARGET` and `SourceType.REPO` enum values from libCRS.

PLAN.md

@@ -80,11 +80,11 @@ Features that will significantly improve the platform's utility for real-world c
 
 ### Infrastructure Services
 
-| Service | Status | Design Doc | Purpose |
-|---|---|---|---|
-| **Seed Deduplication** | 📝 Planned | [seed-dedup.md](docs/design/oss-crs-infra/seed-dedup.md) | Cross-CRS seed deduplication to reduce redundant fuzzing effort |
-| **PoV Verification / Deduplication** | 📝 Planned | [pov-dedup.md](docs/design/oss-crs-infra/pov-dedup.md) | Verify crash inputs and deduplicate bugs found by multiple CRSs |
-| **WebUI Dashboard** | 📝 Planned | [webui.md](docs/design/oss-crs-infra/webui.md) | Real-time monitoring: coverage metrics, bug candidates, PoV status, LLM usage |
+| Service | Status | Purpose |
+|---|---|---|
+| **Seed Deduplication** | 📝 Planned | Cross-CRS seed deduplication to reduce redundant fuzzing effort |
+| **PoV Verification / Deduplication** | 📝 Planned | Verify crash inputs and deduplicate bugs found by multiple CRSs |
+| **WebUI Dashboard** | 📝 Planned | Real-time monitoring: coverage metrics, bug candidates, PoV status, LLM usage |
 
 ### Bug-Fixing Pipeline
 

docs/README.md

@@ -31,10 +31,7 @@ For a quick introduction and setup instructions, see the [project README](../REA
 | [Architecture Overview](design/architecture.md) | System design, component diagram, and lifecycle walkthrough |
 | [Parallel Builds and Runs](design/parallel.md) | Build/run isolation with `--build-id` and `--run-id` |
 | [libCRS](design/libCRS.md) | CRS communication library — submit/fetch seeds, PoVs, and patches |
-| [LiteLLM Integration](design/oss-crs-infra/litellm.md) | LLM proxy, per-CRS API keys, and budget enforcement |
-| [Seed Deduplication](design/oss-crs-infra/seed-dedup.md) | Cross-CRS seed deduplication service (planned) |
-| [PoV Deduplication](design/oss-crs-infra/pov-dedup.md) | Crash verification and deduplication service (planned) |
-| [WebUI](design/oss-crs-infra/webui.md) | Monitoring dashboard for campaigns (planned) |
+| [LLM Providers](llm-providers.md) | LiteLLM proxy setup for local and remote models |
 
 ## Key Concepts
 
@@ -43,8 +40,8 @@ For a quick introduction and setup instructions, see the [project README](../REA
 Every CRS campaign follows three phases managed by `oss-crs`:
 
 1. **Prepare** — Pull CRS source repositories and build Docker images (`oss-crs prepare`)
-2. **Build Target** — Compile the target project and run each CRS's target build pipeline (`oss-crs build-target`)
-3. **Run** — Launch all CRSs and shared infrastructure via Docker Compose (`oss-crs run`)
+2. **Build Target** — Compile the target project and run each CRS's target build pipeline (`oss-crs build-target`). Pass `--incremental-build` to create Docker snapshots for faster rebuilds.
+3. **Run** — Launch all CRSs and shared infrastructure via Docker Compose (`oss-crs run`). Pass `--incremental-build` to use snapshot images for ephemeral rebuild containers.
 
 ### CRS Isolation
 

docs/config/crs.md

@@ -106,8 +106,7 @@ The target build phase is a list of `BuildConfig` objects, each defining a named
 |-------|------|----------|---------|-------------|
 | `name` | `string` | Yes | - | The name of the build step |
 | `dockerfile` | `string` | Yes | - | Path to the Dockerfile (must contain "Dockerfile" or end with `.Dockerfile`). Use an `oss-crs-infra:` prefix for framework-provided builds (e.g., `oss-crs-infra:default-builder`). |
-| `outputs` | `list[string]` | No | `[]` | List of output paths. Can be empty for snapshot builds where no explicit outputs are needed. |
-| `snapshot` | `bool` | No | `false` | When `true`, creates a snapshot Docker image during the build phase. The snapshot captures the fully compiled target and is used as the base image for incremental builds. |
+| `outputs` | `list[string]` | No | `[]` | List of output paths to persist from the build. |
 | `additional_env` | `dict[string, string]` | No | `{}` | Additional environment variables to pass during the build. Keys must match `[A-Za-z_][A-Za-z0-9_]*`. |
 
 ### Example
@@ -126,24 +125,6 @@ target_build_phase:
       - cov-builder.tar.gz
 ```
 
-### Example with Snapshot Builds
-
-When using incremental builds, declare snapshot build steps that create reusable Docker images:
-
-```yaml
-target_build_phase:
-  - name: asan-snapshot
-    dockerfile: oss-crs-infra:default-builder
-    snapshot: true
-    additional_env:
-      SANITIZER: address
-  - name: coverage-snapshot
-    dockerfile: oss-crs-infra:default-builder
-    snapshot: true
-    additional_env:
-      SANITIZER: coverage
-```
-
 ### Directed Build Inputs
 
 For directed fuzzing workflows, `oss-crs build-target` can stage input artifacts into build containers:
@@ -185,8 +166,7 @@ The CRS run phase is a dictionary where each key is a module name and each value
 
 | Field | Type | Required | Default | Description |
 |-------|------|----------|---------|-------------|
-| `dockerfile` | `string` | Conditional | - | Path to the Dockerfile (must contain "Dockerfile" or end with `.Dockerfile`). Can use `oss-crs-infra:` prefix for framework-provided services. **Required** when `run_snapshot` is `false`; **optional** when `run_snapshot` is `true`. |
-| `run_snapshot` | `bool` | No | `false` | When `true`, uses the snapshot image from the build phase as this module's base image. Enables the module to use builder sidecar commands (`apply-patch-build`, `run-pov`, `run-test`). |
+| `dockerfile` | `string` | Yes | - | Path to the Dockerfile (must contain "Dockerfile" or end with `.Dockerfile`). Can use `oss-crs-infra:` prefix for framework-provided services. |
 | `additional_env` | `dict[string, string]` | No | `{}` | Additional environment variables to pass to the module. Keys must match `[A-Za-z_][A-Za-z0-9_]*`. |
 
 ### Example
@@ -203,23 +183,7 @@ crs_run_phase:
       RUNNING_TIME_ENV: "XXX2"
 ```
 
-### Example with Incremental Build Modules
-
-Builder sidecar modules use `run_snapshot: true` to start from the snapshot image. The patcher module is a regular module that communicates with builder sidecars using the `--builder` flag on libCRS commands:
-
-```yaml
-crs_run_phase:
-  patcher:
-    dockerfile: oss-crs/docker-compose/patcher.Dockerfile
-    additional_env:
-      MAX_PATCHES: "100"
-  builder-asan:
-    dockerfile: oss-crs-infra:default-builder
-    run_snapshot: true
-  builder-coverage:
-    dockerfile: oss-crs-infra:default-builder
-    run_snapshot: true
-```
+**Note:** Builder and runner sidecars are injected automatically by the framework during the run phase. CRS developers do not need to declare them in `crs_run_phase`. The `BUILDER_MODULE` environment variable is set automatically.
 
 ### `additional_env` Key Rules