fix(install): revert prebuilt image, use canonical A0 plugin pattern (v1.4.3)

[notabotchef]

Summary

The v1.4.0 prebuilt-image install path is broken in production. Three docker-publish runs in a row failed for different reasons:

v1.4.0/v1.4.1: /bin/sh: 1: pip: not found
v1.4.2:        /usr/bin/python3: No module named pip
v1.4.2 retry:  Cannot uninstall cryptography 46.0.7 (apt-managed)

Root cause is upstream: the Dockerfile was FROM frdel/agent-zero-run:latest, which is an outdated base. The current Agent Zero base is agent0ai/agent-zero-base:latest. The frdel image ships python3 without the pip module, has python3-cryptography 46.0.7 installed via apt with no pip record file, and the pessimistic version pin (<45.0) made pip try to downgrade the apt-managed package.

The ghcr.io/notabotchef/phantom-bridge package was never published successfully — anyone following the v1.4.0/v1.4.1/v1.4.2 install instructions hits pull access denied and a broken stack.

Fix

Revert to the install pattern A0 documents for every plugin (per agent0ai/agent-zero docs/developer/plugins.md): clone into usr/plugins/, expose port 6080 via a compose override, click Execute in A0's Plugin List UI to run execute.py. This is the flow phantom-bridge has worked with for the entire 1.x line; v1.4.0 tried to "improve" it with a prebuilt image and that turned out to be the wrong tradeoff.

New Quick Start (3 commands)

git clone https://github.com/notabotchef/phantom-bridge.git \
    ./a0-data/usr/plugins/phantom_bridge
curl -O https://raw.githubusercontent.com/notabotchef/phantom-bridge/main/docker-compose.override.yml
docker compose up -d

Then open A0 → Plugins → click Execute on Phantom Bridge.

Changes

• docker-compose.override.yml — removed the broken image: reference and the smart-entrypoint indirection. Now only adds the noVNC port mapping (${PHANTOM_NOVNC_PORT:-6080}:6080) and the plugin volume mount. Your existing A0 image stays in use.

• execute.py — hardened to bootstrap python3-pip via apt if the base image doesn't ship it (some don't), uses --break-system-packages for PEP 668, and --ignore-installed so pip doesn't fight with apt-managed packages like python3-cryptography. Now also checks cryptography import in addition to websockets, and only installs what's actually missing.

• README.md — Quick Start rewritten to the canonical 3-command flow. What's New entry is honest about v1.4.0–v1.4.2 being broken and tells users to pull the latest override.

• .github/workflows/docker-publish.yml — gated to manual workflow_dispatch only. Stops failing on every push. Dockerfile and entrypoint stay in the repo for anyone who wants to fork and rebuild against agent0ai/agent-zero-base.

• plugin.yaml — 1.4.3

Test plan

• python3 -m py_compile execute.py — clean
• python3 -c "import yaml; yaml.safe_load(...)" on all 3 yaml files — clean
• Quick Start steps re-read end to end on a fresh shell
• Real install on a fresh A0 instance — this is the actual verification. Steps: clone into ./a0-data/usr/plugins/phantom_bridge, drop the override, docker compose up -d, click Execute in the UI, verify Phantom Bridge sidebar opens.

Files

• docker-compose.override.yml — drop broken image ref
• execute.py — pip bootstrap + cryptography check
• README.md — Quick Start rewrite + What's New entry
• .github/workflows/docker-publish.yml — manual dispatch only
• plugin.yaml — 1.4.3

Action items after merge

• Edit v1.4.0, v1.4.1, v1.4.2 release notes to add a warning pointing to v1.4.3
• Close fix(docker): apt install python3-pip first — v1.4.3 round 2 #6 (the round-2 Dockerfile pip fix) — moot now
• Tag v1.4.3

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 681a15bde8

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

Return non-zero when Python dependency install fails

When pip install fails, the script only logs a warning and continues to print Setup complete!, then exits successfully; in the new v1.4.3 install flow this makes A0 report plugin setup as successful even though required deps are still missing. This occurs in common failure cases like network-restricted containers or pip permission/PEP668 issues, and leads to runtime failures later when CDP/WebSocket code imports these packages.

Useful? React with 👍 / 👎.

[notabotchef]

Lesson learned: don't fight the base image. The canonical A0 plugin flow (clone + execute.py) has worked since v1.0 for a reason — it uses sys.executable so it always targets the right Python. The prebuilt image was solving a problem we didn't have.