feat: add Docker deployment for chats server #143
Add Docker deployment configuration specifically for running the --chats conversation browser feature persistently.

Note: This setup uses network isolation which prevents other CLI features (--agent, --command) that require downloading templates from the internet. The chats server only needs local file access.

Security features:
- Network isolation via sidecar proxy pattern (app has NO internet access)
- Read-only filesystem prevents persistence of malicious changes
- All Linux capabilities dropped (CAP_DROP ALL)
- No privilege escalation (no-new-privileges:true)
- Non-root user execution (configurable UID)
- Health checks with autoheal for automatic recovery
- Memory limits to prevent resource exhaustion
- Localhost-only port binding (127.0.0.1:9876)

Architecture:
- claude-chats: Main app container (isolated network, no internet)
- proxy: socat container bridging localhost to isolated network
- autoheal: Monitors and restarts unhealthy containers

Files added:
- cli-tool/docker-chats-server/Dockerfile
- cli-tool/docker-chats-server/docker-compose.yml
- cli-tool/docker-chats-server/README.md
Addresses PR review feedback to ensure reproducible builds:
- willfarrell/autoheal:latest → willfarrell/autoheal:1.2.0
- alpine/socat:latest → alpine/socat:1.8.0.3
- claude-code-templates@latest → claude-code-templates@1.28.3
@drewburchfield is attempting to deploy a commit to the Daniel Avila's projects Team on Vercel. A member of the Team first needs to authorize it.
1 issue found across 3 files
| The health check tests `http://localhost:9876/api/conversations`. If failing: | ||
| ```bash | ||
| # Check if the app is responding | ||
| docker exec claude-chats-monitor curl -s http://localhost:9876/api/conversations | head |
P2: The `curl` command is not available in the `claude-chats-monitor` container since it was intentionally excluded for security (see Dockerfile). Consider using the existing healthcheck approach with node's fetch, e.g.:
```bash
docker exec claude-chats-monitor node -e "fetch('http://localhost:9876/api/conversations').then(r => console.log('Status:', r.status))"
```
Prompt for AI agents
Check if this issue is valid — if so, understand the root cause and fix it. At cli-tool/docker-chats-server/README.md, line 96:
<comment>The `curl` command is not available in the `claude-chats-monitor` container since it was intentionally excluded for security (see Dockerfile). Consider using the existing healthcheck approach with node's fetch, e.g.:
```bash
docker exec claude-chats-monitor node -e "fetch('http://localhost:9876/api/conversations').then(r => console.log('Status:', r.status))"
```</comment>
<file context>
@@ -0,0 +1,160 @@
+The health check tests `http://localhost:9876/api/conversations`. If failing:
+```bash
+# Check if the app is responding
+docker exec claude-chats-monitor curl -s http://localhost:9876/api/conversations | head
+```
+
</file context>
| docker exec claude-chats-monitor curl -s http://localhost:9876/api/conversations | head | |
| docker exec claude-chats-monitor node -e "fetch('http://localhost:9876/api/conversations').then(r => r.json()).then(d => console.log(JSON.stringify(d).slice(0,500)))" |
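Review bot: the replacement `node -e` line calls `r.json()` without looking at `r.status` and has no `.catch`, so when the app answers with a non-JSON error body or is not listening at all, this troubleshooting step ends in a JSON parse error or an unhandled rejection rather than saying what failed. Printing `r.status` before parsing (as the earlier suggestion in this thread does) and adding `.catch(e => console.error(e.message))` would make the step useful in exactly the case the README section is written for, a failing health check.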
Summary
Adds a security-hardened Docker deployment for running the `--chats` conversation browser as a persistent service.
Security features:
Test plan
- `docker-compose up -d --build`
- http://localhost:9876
- `docker exec claude-chats-monitor ping google.com` should fail

Summary by cubic
Adds a Docker-based deployment to run the --chats server as a persistent local service with strict network isolation. The server runs on localhost:9876 behind a proxy and is hardened for production use.
New Features
Dependencies
Written for commit 6b5f9f2. Summary will update automatically on new commits.
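
The hardening list in the first commit message can be checked mechanically before deploying. The following is an added example, not code from the PR or the project: a Python audit over a dict shaped like the output of `docker compose config --format json`. The sample config, its values and the `isolated` network name are constructed; only the service names come from the PR text.

```python
import json

# Constructed sample shaped like `docker compose config --format json` output.
# Service names follow the PR text; every value here is an assumption.
SAMPLE = json.loads("""
{"services": {
  "claude-chats": {"user": "1000:1000", "read_only": true, "cap_drop": ["ALL"],
    "security_opt": ["no-new-privileges:true"], "mem_limit": "512m",
    "networks": {"isolated": null}},
  "proxy": {"image": "alpine/socat:1.8.0.3", "user": "0", "read_only": true,
    "cap_drop": ["ALL"], "security_opt": ["no-new-privileges:true"],
    "mem_limit": "64m", "networks": {"isolated": null, "default": null},
    "ports": [{"host_ip": "0.0.0.0", "published": "9876", "target": 9876}]}},
 "networks": {"isolated": {"internal": true}, "default": {}}}
""")

NNP = ("no-new-privileges", "no-new-privileges:true")

def audit(cfg, app="claude-chats"):
    """Return (service, finding) pairs where a service misses the PR's hardening list."""
    findings, nets = [], cfg.get("networks", {})
    for name, svc in cfg.get("services", {}).items():
        add = lambda msg: findings.append((name, msg))
        if "ALL" not in [c.upper() for c in svc.get("cap_drop", [])]:
            add("cap_drop does not include ALL")
        if not any(o.replace("=", ":") in NNP for o in svc.get("security_opt", [])):
            add("no-new-privileges not set")
        if not svc.get("read_only"):
            add("root filesystem is writable")
        # An unset user counts as root: the image's USER is not visible here.
        if str(svc.get("user", "0")).split(":")[0] in ("", "0", "root"):
            add("runs as root")
        limits = svc.get("deploy", {}).get("resources", {}).get("limits", {})
        if not (svc.get("mem_limit") or limits.get("memory")):
            add("no memory limit")
        for p in svc.get("ports", []):
            if p.get("host_ip") not in ("127.0.0.1", "::1"):
                add(f"port {p.get('published')} published on non-loopback address")
        if name == app:  # the isolated app: no published ports, internal networks only
            if svc.get("ports"):
                add("isolated app publishes ports directly")
            for n in svc.get("networks") or {}:
                if not (nets.get(n) or {}).get("internal"):
                    add(f"network '{n}' is not internal")
    return findings

if __name__ == "__main__":
    for service, finding in audit(SAMPLE):
        print(f"{service}: {finding}")
```

The network check is applied only to the app container because the proxy, by design, sits on both the isolated network and one the host can reach.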