Merge main into massive-terminal-upgrade

Resolves merge conflicts: - apps/server/src/routes/terminal/common.ts: Keep randomBytes import, use @automaker/utils for createLogger - apps/ui/eslint.config.mjs: Use main's explicit globals list with XMLHttpRequest and MediaQueryListEvent additions - apps/ui/src/components/views/terminal-view.tsx: Keep our terminal improvements (killAllSessions, beforeunload, better error handling) - apps/ui/src/config/terminal-themes.ts: Keep our search highlight colors for all themes - apps/ui/src/store/app-store.ts: Keep our terminal settings persistence improvements (merge function) 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-02-02 08:33:36 +00:00 · 2025-12-21 20:27:44 -05:00
parent 7869ec046a 17c69ea1ca
commit 584f5a3426
393 changed files with 32473 additions and 17974 deletions
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -1,7 +1,27 @@
 # Automaker Docker Compose
-# For self-hosting the Automaker backend server
+# Runs Automaker in complete isolation from your host filesystem.
+# The container cannot access any files on your laptop - only Docker-managed volumes.
+#
+# Usage:
+#   docker-compose up -d
+#   Then open http://localhost:3007
+#
+# See docs/docker-isolation.md for full documentation.

 services:
+  # Frontend UI
+  ui:
+    build:
+      context: .
+      dockerfile: apps/ui/Dockerfile
+    container_name: automaker-ui
+    restart: unless-stopped
+    ports:
+      - '3007:80'
+    depends_on:
+      - server
+
+  # Backend API Server
  server:
    build:
      context: .
@@ -9,7 +29,7 @@ services:
    container_name: automaker-server
    restart: unless-stopped
    ports:
-      - "3008:3008"
+      - '3008:3008'
    environment:
      # Required
      - ANTHROPIC_API_KEY=${ANTHROPIC_API_KEY}
@@ -17,24 +37,32 @@ services:
      # Optional - authentication (leave empty to disable)
      - AUTOMAKER_API_KEY=${AUTOMAKER_API_KEY:-}

-      # Optional - restrict to specific directories (comma-separated)
-      - ALLOWED_PROJECT_DIRS=${ALLOWED_PROJECT_DIRS:-/projects}
+      # Optional - restrict to specific directory within container only
+      # Projects and files can only be created/accessed within this directory
+      # Paths are INSIDE the container, not on your host
+      # Default: /projects
+      - ALLOWED_ROOT_DIRECTORY=${ALLOWED_ROOT_DIRECTORY:-/projects}

-      # Optional - data directory for sessions, etc.
+      # Optional - data directory for sessions, settings, etc. (container-only)
      - DATA_DIR=/data

      # Optional - CORS origin (default allows all)
      - CORS_ORIGIN=${CORS_ORIGIN:-*}
-
-      # Optional - additional API keys
-      - OPENAI_API_KEY=${OPENAI_API_KEY:-}
-      - GOOGLE_API_KEY=${GOOGLE_API_KEY:-}
    volumes:
-      # Persist data between restarts
+      # ONLY named volumes - these are isolated from your host filesystem
+      # This volume persists data between restarts but is container-managed
      - automaker-data:/data

-      # Mount your projects directory (read-write access)
-      - ${PROJECTS_DIR:-./projects}:/projects
+      # NO host directory mounts - container cannot access your laptop files
+      # If you need to work on a project, create it INSIDE the container
+      # or use a separate docker-compose override file
+
+    # Security: Server runs as non-root user (already set in Dockerfile)
+    # Security: No privileged mode
+    # Security: No host network access
+    # Security: No host filesystem mounts

 volumes:
  automaker-data:
+    name: automaker-data
+    # Named volume - completely isolated from host filesystem