Merged
1 change: 1 addition & 0 deletions CHANGELOG.md
Expand Up @@ -11,6 +11,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
- **Built-in color themes, unified across terminal and web.** A new single source of truth (`internal/theme`) defines 7 themes — 4 dark (jcode Dark, Midnight, Dracula, Nord) and 3 light (jcode Light, GitHub Light, Solarized Light) — as a typed semantic palette. `go generate` emits the web CSS (`[data-theme]` blocks) and the picker registry from that one Go file, so the two renderers can never drift.
- **`/theme` command** in the TUI opens a live-preview selector: arrow keys repaint the whole UI, Enter applies and persists to `config.theme`, Esc reverts. When no theme is persisted, the startup default is auto-selected from the terminal background. New `theme` config field.
- **Appearance settings tab** in the web UI: a System (follow-OS) option plus dark/light swatch grids that render a true mini-preview of each theme. Themes apply via `html[data-theme]`; the legacy light/dark/system localStorage values migrate automatically.
- **Docker container workspaces (web).** The remote-connect wizard can now bind a task to a Docker container, alongside SSH. A new `DockerExecutor` (Docker Go SDK, `client.FromEnv` → honors `DOCKER_HOST`) runs all agent file/command operations inside the container via `docker exec`, mirroring the SSH executor. A stopped container is started on connect and stopped again (ref-counted) once no task is using it; a one-shot container that exits immediately is reported with its logs rather than failing silently. The embedded terminal opens a real TTY *inside* the bound container (`docker exec`, bash→sh). Container-bound tasks are keyed `docker://<container>/<path>`, and the `switch_env` tool plus saved Docker aliases (`docker_aliases` in config) cover reconnects. Daemon-gated integration tests cover the lifecycle.

### Changed
- Renamed the session modes to **Ask for approval / Plan / Full access** across the web UI, terminal UI, and ACP. Their canonical IDs are now `approval` / `plan` / `full_access`; the old `ask`, `agent`, and `autopilot` IDs are no longer accepted.
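Review bot: The Docker container workspaces entry documents the feature but not the access it grants. It states that `DockerExecutor` uses `client.FromEnv` (honoring `DOCKER_HOST`), starts stopped containers on connect, and opens a TTY inside the bound container, all driven from the web UI. Add a sentence saying which daemon the server process talks to and what a user who can reach the remote-connect wizard is thereby allowed to start and exec into, and say how the `approval` / `plan` / `full_access` modes listed under Changed apply to commands run via `docker exec`.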
34 changes: 30 additions & 4 deletions go.mod
Expand Up @@ -13,18 +13,20 @@ require (
github.com/cloudwego/eino-ext/libs/acl/langfuse v0.1.1
github.com/coder/acp-go-sdk v0.13.5
github.com/creack/pty v1.1.24
github.com/docker/docker v28.5.2+incompatible

🔒 Security & Privacy | 🟠 Major

🧩 Analysis chain

🌐 Web query:

For github.com/docker/docker, do GO-2026-4883, GO-2026-4887, GHSA-rg2x-37c3-w2rh, GHSA-vp62-88p7-qqf5, and GHSA-x86f-5xw2-fm2r impact the client package (github.com/docker/docker/client) or only daemon/server components? Also list the first patched module version for each advisory.

💡 Result:

The Go module github.com/docker/docker was deprecated as of Docker Engine v29 (November 2025) and will not receive further updates or patches [1][2][3]. Vulnerabilities affecting this module, including those listed, generally impact the daemon/server-side logic rather than the client package [4][5][6][7][8]. Users are advised to migrate to the maintained github.com/moby/moby/client and github.com/moby/moby/api modules [1][9][2]. Below is the impact analysis and status for each advisory:

1. GO-2026-4883 (CVE-2026-33997): Impacts daemon components (plugin privilege validation) [4][10]. No patched version exists for the deprecated github.com/docker/docker module [10].
2. GO-2026-4887 (CVE-2026-34040): Impacts daemon components (AuthZ plugin bypass) [5]. No patched version exists for the deprecated github.com/docker/docker module [5].
3. GHSA-rg2x-37c3-w2rh (CVE-2026-42306): Impacts daemon components (bind mount redirection during docker cp) [6][3][11]. No patched version exists for the deprecated github.com/docker/docker module.
4. GHSA-vp62-88p7-qqf5 (CVE-2026-41568): Impacts daemon components (symlink race during docker cp) [7]. No patched version exists for the deprecated github.com/docker/docker module.
5. GHSA-x86f-5xw2-fm2r (CVE-2026-41567): Impacts daemon components (arbitrary code execution via compressed archives) [8]. No patched version exists for the deprecated github.com/docker/docker module.

Since github.com/docker/docker is deprecated and frozen, there are no first patched module versions for these advisories within that specific module path [1][9]. Mitigation requires migrating to the supported moby/moby modules [1][12].


github.com/docker/docker is deprecated with no available patches; migrate to github.com/moby/moby modules.

The listed advisories (GO-2026-4883, GO-2026-4887, GHSA-rg2x-37c3-w2rh, GHSA-vp62-88p7-qqf5, GHSA-x86f-5xw2-fm2r) impact only daemon/server-side components, not the client package. However, github.com/docker/docker was deprecated as of Docker Engine v29 (November 2025) and is frozen—no patched versions will be released. Replace with the maintained github.com/moby/moby/client and github.com/moby/moby/api modules.

🧰 Tools
🪛 OSV Scanner (2.4.0)

[HIGH] 16-16: github.com/docker/docker 28.5.2+incompatible: Moby has an Off-by-one error in its plugin privilege validation in github.com/docker/docker (GO-2026-4883)

[HIGH] 16-16: github.com/docker/docker 28.5.2+incompatible: Moby has AuthZ plugin bypass when provided oversized request bodies in github.com/docker/docker (GO-2026-4887)

[HIGH] 16-16: github.com/docker/docker 28.5.2+incompatible: Moby has an Off-by-one error in its plugin privilege validation (GHSA-pxq6-2prw-chj9)

[HIGH] 16-16: github.com/docker/docker 28.5.2+incompatible: Docker: Race condition in docker cp allows bind mount redirection to host path (GHSA-rg2x-37c3-w2rh)

[HIGH] 16-16: github.com/docker/docker 28.5.2+incompatible: Docker: Race condition in docker cp allows creation of arbitrary empty files on the host via symlink swap (GHSA-vp62-88p7-qqf5)

[HIGH] 16-16: github.com/docker/docker 28.5.2+incompatible: Moby has AuthZ plugin bypass when provided oversized request bodies (GHSA-x744-4wpc-v9h2)

[HIGH] 16-16: github.com/docker/docker 28.5.2+incompatible: Docker: PUT /containers/{id}/archive executes container binary on the host (GHSA-x86f-5xw2-fm2r)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@go.mod` at line 16, the github.com/docker/docker dependency is deprecated and
will not receive security patches. Remove or replace the
github.com/docker/docker v28.5.2+incompatible line in go.mod and add the
maintained replacements github.com/moby/moby/client and github.com/moby/moby/api
modules with appropriate versions. Additionally, update all import statements
throughout the codebase that currently reference github.com/docker/docker
packages to use the corresponding github.com/moby/moby/client and
github.com/moby/moby/api packages instead.

Source: Linters/SAST tools

github.com/google/uuid v1.6.0
github.com/gorilla/websocket v1.5.3
github.com/mark3labs/mcp-go v0.54.1
github.com/mdp/qrterminal/v3 v3.2.1
github.com/rivo/uniseg v0.4.7
github.com/sashabaranov/go-openai v1.41.2
github.com/spf13/cobra v1.10.2
golang.org/x/crypto v0.50.0
golang.org/x/crypto v0.51.0
tinygo.org/x/bluetooth v0.15.0
)

require (
github.com/Microsoft/go-winio v0.6.2 // indirect
github.com/alecthomas/chroma/v2 v2.14.0 // indirect
github.com/atotto/clipboard v0.1.4 // indirect
github.com/aymerick/douceur v0.2.0 // indirect
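Review bot: `github.com/docker/docker v28.5.2+incompatible` is added as a direct requirement with nothing in the hunk or changelog recording why the seven OSV Scanner findings reported against that line are acceptable. The scanner matches on the module, while the analysis in the comment above attributes the advisories to daemon-side code; if only the `client` package is imported, record that in the PR with a reachability check (for example `govulncheck ./...`), or move to the `github.com/moby/moby/client` and `github.com/moby/moby/api` modules that the comment names. The two `golang.org/x/crypto` lines (v0.50.0 and v0.51.0) also point to a version bump that is not explained; note whether the new dependency forces it.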
Expand All @@ -35,6 +37,7 @@ require (
github.com/bytedance/sonic v1.15.0 // indirect
github.com/bytedance/sonic/loader v0.5.0 // indirect
github.com/cenkalti/backoff/v4 v4.3.0 // indirect
github.com/cespare/xxhash/v2 v2.3.0 // indirect
github.com/charmbracelet/colorprofile v0.4.3 // indirect
github.com/charmbracelet/ultraviolet v0.0.0-20260525132238-948f4557a654 // indirect
github.com/charmbracelet/x/exp/slice v0.0.0-20250327172914-2fdc97757edf // indirect
Expand All @@ -44,10 +47,19 @@ require (
github.com/clipperhouse/displaywidth v0.11.0 // indirect
github.com/clipperhouse/uax29/v2 v2.7.0 // indirect
github.com/cloudwego/base64x v0.1.6 // indirect
github.com/containerd/errdefs v1.0.0 // indirect
github.com/containerd/errdefs/pkg v0.3.0 // indirect
github.com/containerd/log v0.1.0 // indirect
github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
github.com/distribution/reference v0.6.0 // indirect
github.com/dlclark/regexp2 v1.11.0 // indirect
github.com/docker/go-connections v0.7.0 // indirect
github.com/docker/go-units v0.5.0 // indirect
github.com/dustin/go-humanize v1.0.1 // indirect
github.com/eino-contrib/jsonschema v1.0.3 // indirect
github.com/felixge/httpsnoop v1.0.4 // indirect
github.com/go-logr/logr v1.4.3 // indirect
github.com/go-logr/stdr v1.2.2 // indirect
github.com/go-ole/go-ole v1.2.6 // indirect
github.com/godbus/dbus/v5 v5.1.0 // indirect
github.com/google/jsonschema-go v0.4.2 // indirect
Expand All @@ -60,10 +72,16 @@ require (
github.com/mailru/easyjson v0.9.0 // indirect
github.com/mattn/go-runewidth v0.0.23 // indirect
github.com/microcosm-cc/bluemonday v1.0.27 // indirect
github.com/moby/docker-image-spec v1.3.1 // indirect
github.com/moby/sys/atomicwriter v0.1.0 // indirect
github.com/moby/term v0.5.2 // indirect
github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
github.com/modern-go/reflect2 v1.0.2 // indirect
github.com/morikuni/aec v1.1.0 // indirect
github.com/muesli/cancelreader v0.2.2 // indirect
github.com/nikolalohinski/gonja v1.5.3 // indirect
github.com/opencontainers/go-digest v1.0.0 // indirect
github.com/opencontainers/image-spec v1.1.1 // indirect
github.com/pelletier/go-toml/v2 v2.2.4 // indirect
github.com/pkg/errors v0.9.2-0.20201214064552-5dd12d0cfe7f // indirect
github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect
Expand All @@ -86,13 +104,21 @@ require (
github.com/yosida95/uritemplate/v3 v3.0.2 // indirect
github.com/yuin/goldmark v1.7.8 // indirect
github.com/yuin/goldmark-emoji v1.0.5 // indirect
go.opentelemetry.io/auto/sdk v1.2.1 // indirect
go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.69.0 // indirect
go.opentelemetry.io/otel v1.44.0 // indirect
go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.44.0 // indirect
go.opentelemetry.io/otel/metric v1.44.0 // indirect
go.opentelemetry.io/otel/trace v1.44.0 // indirect
golang.org/x/arch v0.19.0 // indirect
golang.org/x/exp v0.0.0-20250718183923-645b1fa84792 // indirect
golang.org/x/net v0.52.0 // indirect
golang.org/x/net v0.55.0 // indirect
golang.org/x/sync v0.20.0 // indirect
golang.org/x/sys v0.45.0 // indirect
golang.org/x/term v0.42.0 // indirect
golang.org/x/text v0.36.0 // indirect
golang.org/x/term v0.43.0 // indirect
golang.org/x/text v0.37.0 // indirect
golang.org/x/time v0.15.0 // indirect
gopkg.in/yaml.v3 v3.0.1 // indirect
gotest.tools/v3 v3.5.2 // indirect
rsc.io/qr v0.2.0 // indirect
)
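Review bot: The six `go.opentelemetry.io` requirements in this hunk, including the `otlptracehttp` exporter and the `otelhttp` instrumentation, arrive as indirect dependencies that the changelog entry does not account for. Record which direct requirement pulls them in (`go mod why -m <module>`), and if they come in through the Docker SDK, confirm that no trace exporter is active unless the operator configures one, since agent commands and file operations now travel over that client. The `golang.org/x/net`, `golang.org/x/term` and `golang.org/x/text` lines each appear at two versions; state in the PR that these bumps are forced by the same dependency change.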