Add --pull flag to control image pull policy #86
Description
Problem
Today, bbox uses an implicit if-not-present pull policy via the ref index fast path in go-microvm. If the ref index has a hit (refs/ maps the image reference to a cached digest), no registry contact happens at all. This is great for performance but means:
- After pushing new images, you have to either
rm -rfthe cache or use--no-image-cache(which also loses all caching benefits for the run) - There's no way to say "use exactly what's cached, fail if missing" (useful for airgapped/offline environments)
Proposal
Add a --pull flag with three modes:
bbox claude-code --pull always # Always check registry for new digest
bbox claude-code --pull if-not-present # Use cache if available (default, current behavior)
bbox claude-code --pull never # Fail if image not in cachealways
Skip the ref index fast path. Still use the digest-based cache — if the registry returns the same digest, reuse the cached extraction. This means "check for updates" not "re-extract from scratch."
Implementation: pass a flag through to image.PullWithFetcher that skips the cache.LookupRef() call but still uses cache.Get(digest) after computing the digest from the fetched image.
if-not-present
Current behavior. No change needed.
never
Use cache.LookupRef() only. If it misses, return an error instead of fetching. Useful for:
- Offline/airgapped environments
- CI where images should be pre-warmed
- Testing that the cache is populated correctly
Config file support
# ~/.config/broodbox/config.yaml
image:
pull: alwaysCLI flag overrides config.
Notes
- This is a small change in go-microvm (
PullWithFetcherneeds a pull policy parameter or option) plus CLI wiring in brood-box --no-image-cacheremains orthogonal — it disables caching entirely (no read or write), while--pull alwaysstill reads/writes the cache- The
--pull always+ cache GC combination directly addresses the "I just rebuilt images" workflow: force a fresh registry check, and stale entries become unreachable for GC