docs: add SELinux/RHEL notice to container quick start

[aviavraham]

Summary

• Added callout notes to Quick Start sections in both README.md and CONTAINER.md warning RHEL/Fedora/SELinux users that the default commands will fail
• Points users to the existing "Podman Rootless Mode" section which documents the required flags (:z labels, --userns=keep-id, GIT_CONFIG_* env vars)

Context

Following the Quick Start container examples on a Fedora system with SELinux enforcing results in Permission denied and dubious ownership errors. The fix already exists in the Podman Rootless Mode section, but there's no indication in the Quick Start to look there — users hit a wall with no guidance.

Test plan

• Verify the Quick Start commands still render correctly in GitHub markdown
• Confirm the anchor link #podman-rootless-mode resolves correctly in CONTAINER.md
• Confirm the cross-file link CONTAINER.md#podman-rootless-mode resolves from README.md

🤖 Generated with Claude Code

Summary by CodeRabbit

• Documentation
  • Quick Start, container setup, and troubleshooting examples updated to add SELinux relabeling labels (use :Z / :z on bind mounts) so Podman bind mounts work on SELinux-enabled systems.
  • Guidance retained for RHEL/Fedora/SELinux users about permission/ownership errors and Podman Rootless Mode configuration/workarounds.

[coderabbitai]

📝 Walkthrough

Walkthrough

Quick Start and examples in CONTAINER.md and README.md now append SELinux relabeling (:Z / :z) to Podman -v bind mounts (e.g., -v ...:/repo:ro,Z and -v ...:/reports:Z) so the commands are SELinux-compatible.

Changes

Podman SELinux volume mounts

Layer / File(s)	Summary
Add :Z/:z to podman -v mounts CONTAINER.md, README.md	Updated Podman podman run examples: repository mount changed to -v ...:/repo:ro,Z (or :ro,z) and reports mount to -v ...:/reports:Z (or :z) across Quick Start, examples, save-output, and troubleshooting sections to ensure SELinux-compatible bind mounts.

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Title check	⚠️ Warning	The title follows Conventional Commits format (docs: ...) and describes the main change, but the actual changes are adding SELinux labels to Podman commands, not adding notices.	Update title to accurately reflect the actual changes: 'docs: add SELinux labels to podman examples' or similar, since the PR primarily updates volume mount options with :z flags.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

✨ Simplify code

• Create PR with simplified code

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[aegeiger]

Instead of this comment I'd suggest editing the command itself. -v /path/to/repo:/repo:ro,Z -v ~/agentready-reports:/reports:Z

[aviavraham]

@aegeiger Good point, just worth noting that the :z / :Z flags only apply when SELinux is enabled and enforcing, and are simply ignored on systems without it. That's actually the reason I suggested linking to the relevant documentation section, it gives users the context to decide whether these options apply to their environment and Linux OS setup.
Do you think it is a better solution than my suggestion?

[aegeiger]

@aviavraham on systems without SELinux this flag is silently ignored without harm, so IMHO we should advise everyone to run it. Tested on macOS.

[aviavraham]

Agree, I will update the MR

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@CONTAINER.md`:
- Around line 16-17: Several remaining Podman bind-mount examples in
CONTAINER.md still omit SELinux mount labels and can fail for SELinux-enforcing
users; update every occurrence of the Podman bind-mount examples (the lines
using "podman run -v ..." and the earlier sample mounts like "-v
/path/to/repo:/repo" or "-v ~/agentready-reports:/reports") to append the
appropriate SELinux label (:z or :Z) consistent with the Quick Start fix, or add
a short note next to each Podman example explaining to use :z/:Z for SELinux,
ensuring all Podman run -v examples are updated consistently.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Enterprise

Run ID: e305352d-41f0-4915-94ee-5fa73921c2ad

📥 Commits

Reviewing files that changed from the base of the PR and between e238d36 and ff6ac87.

📒 Files selected for processing (2)

• CONTAINER.md
• README.md

[github-actions]

📉 Test Coverage Report

Branch	Coverage
This PR	72.8%
Main	73.1%
Diff	⚠️ -0.3%

---

Coverage calculated from unit tests only

[jwm4]

Review by Bill Murdock (with assistance from Claude Code)

Verdict: Request changes

Good idea to make the Quick Start work out of the box on SELinux systems.

Inconsistent :z vs :Z casing

The PR adds uppercase :Z to the Quick Start examples, but the existing "Podman Rootless Mode" and "Troubleshooting: Permission denied" sections in CONTAINER.md use lowercase :z. The file also has a "Note on SELinux Labels" section explaining the difference between the two. Could you make sure the choice is intentional and consistent, or explain why the Quick Start should use a different variant than the rest of the file?

Other examples

Several other podman run -v examples in CONTAINER.md don't have either flag. Is there a reason the fix should be limited to Quick Start, or should it apply more broadly?

[aviavraham]

@jwm4, you're right, let me review the container document and update the needed commands

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@CONTAINER.md`:
- Around line 230-231: Update the example host mount paths in the
troubleshooting Docker volume flags so they are copy/paste-safe: replace the
literal "/repo" in the "-v /repo:/repo:ro,z" entry with a real-host-path
placeholder like "$(pwd)" or "/path/to/repo", and replace the
"~/agentready-reports" in "-v ~/agentready-reports:/reports:z" with an absolute
path (e.g., "$HOME/agentready-reports" or "/path/to/reports") so users won't get
errors when running the shown docker command.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Enterprise

Run ID: 677b39ea-4515-46dd-aa0b-9c5104750773

📥 Commits

Reviewing files that changed from the base of the PR and between ff6ac87 and aad3469.

📒 Files selected for processing (2)

• CONTAINER.md
• README.md

[coderabbitai]

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Fix host mount path in troubleshooting example

Line 230 uses /repo as the host source (-v /repo:/repo:ro,z), which will fail for most users unless they happen to have that exact host directory. Use a real host path pattern here (e.g., $(pwd) or /path/to/repo) to keep this command copy/paste-safe.

Suggested doc fix

 podman run --rm \
-  -v /repo:/repo:ro,z \
+  -v $(pwd):/repo:ro,z \
   -v ~/agentready-reports:/reports:z \
   ghcr.io/ambient-code/agentready:latest \
   assess /repo --output-dir /reports

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	-v /repo:/repo:ro,z \
	-v ~/agentready-reports:/reports:z \
	podman run --rm \
	-v $(pwd):/repo:ro,z \
	-v ~/agentready-reports:/reports:z \
	ghcr.io/ambient-code/agentready:latest \
	assess /repo --output-dir /reports

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@CONTAINER.md` around lines 230 - 231, Update the example host mount paths in
the troubleshooting Docker volume flags so they are copy/paste-safe: replace the
literal "/repo" in the "-v /repo:/repo:ro,z" entry with a real-host-path
placeholder like "$(pwd)" or "/path/to/repo", and replace the
"~/agentready-reports" in "-v ~/agentready-reports:/reports:z" with an absolute
path (e.g., "$HOME/agentready-reports" or "/path/to/reports") so users won't get
errors when running the shown docker command.

[jwm4]

Review by Bill Murdock (with assistance from Claude Code)

Thanks for the update, @aviavraham. The latest commit addresses both concerns: consistent lowercase :z across all examples, and coverage extended beyond just Quick Start. LGTM.

[github-actions]

🎉 This PR is included in version 2.45.0 🎉

The release is available on GitHub release

Your semantic-release bot 📦🚀