Publish pre-built mitmproxy image with op CLI to GHCR

[adamw]

Summary

Stacked on #39.

• Moves Dockerfile.mitmproxy from cli/templates/devcontainer/sandcat/ to images/mitmproxy/Dockerfile — it's a published image source, not a project template
• Adds build-mitmproxy-image.yml GitHub Actions workflow to build and push ghcr.io/virtuslab/sandcat-mitmproxy (multi-arch: amd64 + arm64) on pushes to master
• Updates enable_1password() to reference the pre-built GHCR image instead of a local build: — users don't need to build it themselves

Test plan

• All BATS CLI tests pass
• Verify the workflow runs successfully on push (builds for both architectures)
• Verify sandcat init --1password produces a compose file with image: ghcr.io/virtuslab/sandcat-mitmproxy:latest

🤖 Generated with Claude Code

[Copilot]

Pull request overview

This PR introduces a published sandcat-mitmproxy image (mitmproxy + op CLI) and updates the CLI to reference that pre-built image, along with a GitHub Actions workflow to build/push the image to GHCR.

Changes:

• Add a dedicated Dockerfile under images/mitmproxy/ to build a mitmproxy image with 1Password op CLI installed.
• Add a GitHub Actions workflow to build and publish the image to GHCR as a multi-arch image (amd64/arm64).
• Update enable_1password() to use the published GHCR image rather than a local build: stanza.

Reviewed changes

Copilot reviewed 2 out of 3 changed files in this pull request and generated 3 comments.

File	Description
images/mitmproxy/Dockerfile	Defines the published mitmproxy image build, installing the op CLI.
cli/lib/composefile.bash	Switches 1Password mode to reference the published GHCR image.
.github/workflows/build-mitmproxy-image.yml	CI workflow to build and push the multi-arch mitmproxy image to GHCR.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

enable_1password sets .services.mitmproxy.image but does not remove an existing .services.mitmproxy.build stanza. If the compose file already contains build (e.g., from a prior init or user edits), Compose will still try to build locally, which defeats the purpose of switching to a pre-built image and may fail if the Dockerfile is missing. Consider deleting .services.mitmproxy.build in the same yq edit before setting image.

Suggested change

	yq -i '
	yq -i '
	del(.services.mitmproxy.build) |

[Copilot]

There are BATS tests for cli/lib/composefile.bash, but none cover enable_1password(). Adding a test that runs enable_1password on a minimal compose YAML and asserts the resulting mitmproxy.image and mitmproxy.environment (and that mitmproxy.build is absent) would prevent regressions in the --1password path.

Suggested change

	.services.mitmproxy.environment = ["OP_SERVICE_ACCOUNT_TOKEN"]
	.services.mitmproxy.environment = ["OP_SERVICE_ACCOUNT_TOKEN"] |
	del(.services.mitmproxy.build)

[Copilot]

docker/metadata-action image names must be lowercase; ghcr.io/VirtusLab/sandcat-mitmproxy is an invalid Docker image reference and can cause the workflow to fail with "invalid reference format". Use a fully-lowercased GHCR path (and keep it consistent with the composefile reference).

Suggested change

	images: ghcr.io/VirtusLab/sandcat-mitmproxy
	images: ghcr.io/virtuslab/sandcat-mitmproxy

[adamw]

Restructuring: image publishing will be PR 1, 1password feature will be PR 2.