feat(docker): add official Docker sandbox template for isolated GSD auto mode (#2360)
Ship a Dockerfile.sandbox, docker-compose.yml, .env.example, and docs so
users can run GSD auto mode inside an isolated Docker sandbox (MicroVM)
without risk to the host filesystem, SSH keys, or other projects.
- Dockerfile.sandbox: Node 22 base, gsd-pi pre-installed, non-root user, port 3000
- docker-compose.yml: workspace volume mount, persistent .gsd state, env_file support
- .env.example: template for LLM provider keys and optional tool credentials
- docker/README.md: setup guide covering sandbox CLI, Compose, two-terminal workflow,
credential injection, and network allowlisting
- .dockerignore: project-root ignore file for efficient Docker builds
- src/tests/docker-template.test.ts: 13 structural tests verifying all template files
Fixes #1544
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-24 15:57:59 -04:00
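A host-side launcher for the sandbox this commit describes, added here as an example; it is not part of the project's tooling. It assumes the Dockerfile and entrypoint.sh live in ./docker (used as the build context), that the entrypoint reads HOST_UID/HOST_GID to remap the gsd user, and that the capability set below is what usermod, chown and gosu need in the root phase; the script name run-sandbox.sh, the image tag and the gsd-state volume name are made up for the example. It enforces three things the container cannot check for itself: the workspace must not be the host's root or home directory (or hold .ssh / credential files), the .env with the provider keys must not be readable by other users, and the image must be built from a pinned GSD_VERSION rather than floating on latest.

```shell
#!/bin/sh
# run-sandbox.sh (hypothetical name): build the sandbox image with a pinned
# GSD version, then start it with host-side guards. Added example, not the
# project's own script; paths, image tag and volume name are assumptions.
set -eu

IMAGE="${IMAGE:-gsd-sandbox:local}"
ENV_FILE="${ENV_FILE:-.env}"

# Refuse a workspace that would hand the agent host secrets: the root
# filesystem, $HOME or any ancestor of it, or a directory that holds an
# .ssh directory or a credential store.
workspace_is_safe() {
  ws=$(cd "$1" 2>/dev/null && pwd -P) || return 1
  home=${HOME:-/nonexistent}
  [ "$ws" != / ] || return 1
  case "$home" in
    "$ws"|"$ws"/*) return 1 ;;
  esac
  [ ! -e "$ws/.ssh" ] && [ ! -e "$ws/.git-credentials" ] && [ ! -e "$ws/.aws" ]
}

# The env file carries API keys: refuse it unless only the owner can read it.
envfile_is_private() {
  [ -f "$1" ] || return 1
  [ -z "$(find "$1" -perm -g+r -o -perm -o+r)" ]
}

main() {
  [ $# -ge 1 ] || { echo "usage: run-sandbox.sh <workspace-dir> [gsd args...]" >&2; exit 64; }
  workspace=$1; shift
  workspace_is_safe "$workspace" || { echo "refusing to mount $workspace: root, home, or holds credentials" >&2; exit 64; }
  envfile_is_private "$ENV_FILE" || { echo "$ENV_FILE is missing or readable by others; chmod 600 it" >&2; exit 64; }
  : "${GSD_VERSION:?set GSD_VERSION to an exact release; the image must not float on latest}"

  docker build -f docker/Dockerfile.sandbox --build-arg "GSD_VERSION=$GSD_VERSION" -t "$IMAGE" docker

  # Root inside the container exists only for the entrypoint's uid/gid remap,
  # so keep just the capabilities that step uses (assumed set) and forbid
  # regaining privilege afterwards. The web UI is published on loopback only.
  exec docker run --rm -it --name gsd-sandbox \
    --cap-drop ALL \
    --cap-add CHOWN --cap-add DAC_OVERRIDE --cap-add FOWNER \
    --cap-add SETUID --cap-add SETGID \
    --security-opt no-new-privileges \
    --pids-limit 512 --memory 4g \
    --env-file "$ENV_FILE" \
    -e "HOST_UID=$(id -u)" -e "HOST_GID=$(id -g)" \
    -v "$(cd "$workspace" && pwd -P):/workspace" \
    -v gsd-state:/home/gsd/.gsd \
    -p 127.0.0.1:3000:3000 \
    "$IMAGE" gsd "$@"
}

case "${0##*/}" in run-sandbox.sh) main "$@" ;; esac
```

Invoke it as `GSD_VERSION=<release> ./run-sandbox.sh ~/src/myproject <gsd arguments>`; the checks run before docker is touched, so a bad workspace or a loose .env fails fast with a non-zero exit.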

# ──────────────────────────────────────────────
# GSD Docker Sandbox Template
# Base: docker/sandbox-templates:shell
# Purpose: Isolated environment for GSD auto mode
# Usage: docker sandbox create --template ./docker
# ──────────────────────────────────────────────
2026-03-26 18:10:49 -04:00

FROM node:24-bookworm-slim

# System dependencies required by GSD
RUN apt-get update && apt-get install -y --no-install-recommends \
    git \
    curl \
    ca-certificates \
    openssh-client \
    gosu \
    && rm -rf /var/lib/apt/lists/*

# Install GSD globally — version controlled via build arg
# (pass --build-arg GSD_VERSION=<exact release> for a reproducible image;
# "latest" resolves to whatever the npm registry serves at build time)
ARG GSD_VERSION=latest
RUN npm install -g gsd-pi@${GSD_VERSION}

# Create non-root user for sandbox isolation
# The node base image already owns uid/gid 1000 as its "node" account, so
# groupadd/useradd with those ids would fail; remove that account first.
RUN (userdel -r node || true) && (groupdel node || true) \
    && groupadd --gid 1000 gsd \
    && useradd --uid 1000 --gid gsd --shell /bin/bash --create-home gsd

# Persistent GSD state directory
RUN mkdir -p /home/gsd/.gsd && chown -R gsd:gsd /home/gsd/.gsd

# Workspace directory — synced from host via Docker sandbox
WORKDIR /workspace
RUN chown gsd:gsd /workspace

# Entrypoint handles UID/GID remapping, bootstrap, and drops to gsd user
# (no USER directive: the entrypoint needs root for usermod/chown and then
# execs the command through gosu as gsd)
COPY entrypoint.sh /usr/local/bin/entrypoint.sh
COPY bootstrap.sh /usr/local/bin/bootstrap.sh
RUN chmod +x /usr/local/bin/entrypoint.sh /usr/local/bin/bootstrap.sh

# Expose default GSD web UI port
EXPOSE 3000

ENTRYPOINT ["/usr/local/bin/entrypoint.sh"]
CMD ["gsd", "--help"]
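The entrypoint.sh the Dockerfile copies in is not on this page. The script below is an illustrative version written for this example, not the project's own entrypoint, showing how "UID/GID remapping, bootstrap, and drop to gsd user" can be done safely. It assumes HOST_UID/HOST_GID carry the host user's ids (defaulting to 1000), that the account to remap is the gsd user created above, and that gosu and bootstrap.sh are where the Dockerfile installs them. The decision logic is a pure function so it can be checked without root; the privileged steps run only when the script is invoked as entrypoint.sh, and a request to run as uid 0 is refused rather than honoured.

```shell
#!/bin/sh
# Illustrative entrypoint.sh for the image above (added example, not the
# project's own script). Assumed: HOST_UID/HOST_GID carry the host user's
# ids (1000 when unset), the account is the gsd user the Dockerfile creates,
# and gosu and bootstrap.sh are where the Dockerfile puts them.
set -eu

APP_USER=gsd
STATE_DIR=/home/gsd/.gsd

# An id taken from the environment must be a plain decimal in the normal
# range; reject anything else before it can reach usermod.
valid_id() {
  case "$1" in
    ''|*[!0-9]*) return 1 ;;
  esac
  [ "$1" -le 65534 ]
}

# Pure decision step, testable without root: prints "keep" when the account
# already has the requested ids and "remap" otherwise. Returns 2 for a
# request the sandbox must refuse (root, or a malformed id), so the caller
# aborts instead of ever running the agent as uid 0.
remap_plan() {
  req_uid=$1 req_gid=$2 cur_uid=$3 cur_gid=$4
  valid_id "$req_uid" && valid_id "$req_gid" || return 2
  [ "$req_uid" -ne 0 ] && [ "$req_gid" -ne 0 ] || return 2
  if [ "$req_uid" -eq "$cur_uid" ] && [ "$req_gid" -eq "$cur_gid" ]; then
    echo keep
  else
    echo remap
  fi
}

main() {
  # Started with --user (not root): nothing to remap, no privilege to drop.
  if [ "$(id -u)" -ne 0 ]; then
    exec "$@"
  fi

  req_uid=${HOST_UID:-1000}
  req_gid=${HOST_GID:-1000}
  plan=$(remap_plan "$req_uid" "$req_gid" "$(id -u "$APP_USER")" "$(id -g "$APP_USER")") || {
    echo "entrypoint: refusing HOST_UID=$req_uid HOST_GID=$req_gid (root or not numeric)" >&2
    exit 64
  }

  if [ "$plan" = remap ]; then
    # -o allows an id already held by another account in the image. usermod
    # re-owns /home/gsd itself; the explicit chown covers the state volume,
    # which may have been populated under the old ids.
    groupmod -o -g "$req_gid" "$APP_USER"
    usermod -o -u "$req_uid" -g "$req_gid" "$APP_USER"
    chown -R "$req_uid:$req_gid" "$STATE_DIR"
  fi
  # /workspace belongs to the host user; after the remap gsd has that uid,
  # so it is deliberately not chown'ed (that would rewrite host ownership).

  # Project bootstrap runs as gsd, never as root.
  if [ -x /usr/local/bin/bootstrap.sh ]; then
    gosu "$APP_USER" /usr/local/bin/bootstrap.sh
  fi
  # gosu execs the command in place, so the agent process starts as gsd with
  # root's capabilities gone and no privileged parent left behind.
  exec gosu "$APP_USER" "$@"
}

case "${0##*/}" in entrypoint.sh) main "$@" ;; esac
```

The remap is skipped entirely when the host ids already match the image's 1000:1000, which is the common case on a single-user Linux host; macOS users (uid 501) and Linux users with other ids get the remap, and files they write to /workspace come out owned by them on the host.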