feat: Full stack Docker Compose deployment with multi-agent container support #145
Overview
This tracking issue covers the end-to-end work required to run copilot-bridge as a fully containerised stack using Docker Compose, with support for multiple isolated agent containers, secure secret injection via 1Password, and a hardened architecture that minimises host exposure.
Motivation
copilot-bridge is currently designed to run as a bare-metal service on a developer workstation or server. As adoption grows, teams need a production-grade deployment path that provides:
- Isolation: each agent runs in its own container with its own workspace, identity, and network scope
- Security: no plaintext secrets on disk or in images; secrets injected at runtime via 1Password
- Reproducibility: the full stack (Mattermost + bridge + agents) spun up with a single docker compose up
- Resilience: the bridge waits for Mattermost to be healthy before starting; agents are restarted automatically on crash
Target Architecture
Host (Linux or macOS)
|
+-- docker-socket-proxy (filtered Docker API - no raw socket exposure)
|
+-- mattermost (chat platform, healthchecked)
|
+-- copilot-bridge (admin) (waits on mattermost healthy; talks to socket proxy)
|
+-- agent: lal (spawned on demand; mattermost-net only)
+-- agent: data (spawned on demand; mattermost-net only)
Networks:
mattermost-net: Mattermost + admin bridge + all agent containers
socket-proxy-net (internal): admin bridge + socket proxy only
Secret flow:
1Password (source of truth)
-> op-sa-token sealed in TPM (Linux) or Keychain (macOS) on host
-> Docker secret at container start
-> op inject renders config.json.tpl -> /tmp/config.json (tmpfs)
-> copilot-bridge start
Sub-issues
- feat: Secure credential management via 1Password CLI and Docker secrets #142
- feat: Add official Dockerfile and container entrypoint #143
- feat: GitHub Copilot authentication in headless containerised deployments #144
- feat: Dynamic agent container spawning via Docker API #146
- feat: Agent container lifecycle management (idle pause, auto-restart) #147
- feat: docker-compose.yml full stack definition #148
Threat Model
| Threat | Mitigated? |
|---|---|
| Secrets in git | Yes - only op:// references committed |
| Secrets in container image | Yes - injected at runtime |
| Secrets in env vars or logs | Yes - rendered to tmpfs only |
| Agent accessing Docker API | Yes - socket proxy on isolated internal network |
| Agent accessing other agent workspaces | Yes - separate volume mounts per agent |
| Host root access | Out of scope - if root is compromised, all bets are off |
Reported By
Agent (automated) - drafted collaboratively with user raykao
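
A Compose sketch of the target architecture and threat-model rows above, added here as an illustration; it is not the project's docker-compose.yml (that is tracked in #148). It shows the two-network split, the health-gated bridge start, and the token arriving as a Docker secret. The image names, the `DOCKER_HOST` wiring, the `OP_SA_TOKEN` host variable and the proxy permissions are assumptions.

```yaml
# Added example. Mattermost's database and settings are omitted for brevity.
services:
  docker-socket-proxy:
    image: tecnativa/docker-socket-proxy   # assumption: one filtering proxy among several
    environment:
      CONTAINERS: 1    # expose container endpoints only
      POST: 1          # allow create/start/stop, needed to spawn agents
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
    networks: [socket-proxy-net]           # never attached to mattermost-net

  mattermost:
    image: mattermost/mattermost-team-edition
    healthcheck:
      test: ["CMD", "curl", "-fsS", "http://localhost:8065/api/v4/system/ping"]
      interval: 10s
      timeout: 5s
      retries: 12
    networks: [mattermost-net]

  copilot-bridge:
    image: copilot-bridge:local            # placeholder image name
    depends_on:
      mattermost:
        condition: service_healthy         # bridge waits for a healthy Mattermost
      docker-socket-proxy:
        condition: service_started
    environment:
      DOCKER_HOST: tcp://docker-socket-proxy:2375   # assumption: bridge honours DOCKER_HOST
    secrets: [op-sa-token]                 # mounted at /run/secrets/op-sa-token
    tmpfs:
      - /tmp                               # op inject renders /tmp/config.json here
    restart: unless-stopped
    networks: [mattermost-net, socket-proxy-net]

# Agent containers (lal, data) are spawned by the bridge through the proxy and
# joined to mattermost-net only, so they cannot reach the Docker API.
networks:
  mattermost-net: {}
  socket-proxy-net:
    internal: true                         # no route off this network

secrets:
  op-sa-token:
    environment: OP_SA_TOKEN   # assumption: host wrapper unseals from TPM/Keychain and exports this
```

`docker compose config` validates the file and prints the resolved network attachments, which is a quick check that only the admin bridge and the proxy share socket-proxy-net.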