From 691c0067b67f147b913f3b2830662d566ac8e192 Mon Sep 17 00:00:00 2001 From: Christian Nennemann Date: Tue, 31 Mar 2026 21:38:39 +0000 Subject: [PATCH] =?UTF-8?q?feat:=20principle=20#33=20=E2=80=94=20container?= =?UTF-8?q?-first=20development?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- README.md | 23 +++++++++++++++++++++++ 1 file changed, 23 insertions(+) diff --git a/README.md b/README.md index fe313b8..5738305 100644 --- a/README.md +++ b/README.md @@ -353,6 +353,29 @@ Regular API operations and admin/debug operations need different auth levels. --- +### 33. Container-First Development + +Use containers wherever possible — for isolation, reproducibility, and security. + +- Dev environments: devcontainer (one Dockerfile for all agents) +- Agent execution: run Claude Code in sandboxed containers (claudine) +- Worker jobs: execute in ephemeral containers, not on the host directly +- Dispatch workers: should spin up containers per job (isolation, cleanup, no state leakage) +- Testing: container-based test environments matching production +- Production: containerized services (not bare-metal pip installs) + +The goal is not containers for containers' sake — it's **isolation + reproducibility + disposability**. A crashed job shouldn't affect the host. A rogue agent shouldn't access other projects. + +**Origin:** "Wir sollten noch darauf achten so viel wie geht Container sinnvoll zu nutzen" + +**How to apply:** +- Dispatch Sprint 4+: Workers should optionally run jobs inside containers +- `claudine` already does this for Claude Code sessions +- Dev environment already uses `.devcontainer/Dockerfile` +- Next step: containerized worker execution (docker/podman per job) + +--- + ## (inbox — unsorted ideas) - **Least-privilege agent access**: Agents should SSH as a dedicated non-root user (e.g. `deploy@`) with scoped sudo for only what they need (systemctl, caddy reload). No root SSH long-term.