feat: principle #33 — container-first development
This commit is contained in:
23
README.md
23
README.md
@@ -353,6 +353,29 @@ Regular API operations and admin/debug operations need different auth levels.
|
||||
|
||||
---
|
||||
|
||||
### 33. Container-First Development
|
||||
|
||||
Use containers wherever possible — for isolation, reproducibility, and security.
|
||||
|
||||
- Dev environments: devcontainer (one Dockerfile for all agents)
|
||||
- Agent execution: run Claude Code in sandboxed containers (claudine)
|
||||
- Worker jobs: execute in ephemeral containers, not on the host directly
|
||||
- Dispatch workers: should spin up containers per job (isolation, cleanup, no state leakage)
|
||||
- Testing: container-based test environments matching production
|
||||
- Production: containerized services (not bare-metal pip installs)
|
||||
|
||||
The goal is not containers for containers' sake — it's **isolation + reproducibility + disposability**. A crashed job shouldn't affect the host. A rogue agent shouldn't access other projects.
|
||||
|
||||
**Origin:** "Wir sollten noch darauf achten so viel wie geht Container sinnvoll zu nutzen"
|
||||
|
||||
**How to apply:**
|
||||
- Dispatch Sprint 4+: Workers should optionally run jobs inside containers
|
||||
- `claudine` already does this for Claude Code sessions
|
||||
- Dev environment already uses `.devcontainer/Dockerfile`
|
||||
- Next step: containerized worker execution (docker/podman per job)
|
||||
|
||||
---
|
||||
|
||||
## (inbox — unsorted ideas)
|
||||
|
||||
- **Least-privilege agent access**: Agents should SSH as a dedicated non-root user (e.g. `deploy@`) with scoped sudo for only what they need (systemctl, caddy reload). No root SSH long-term.
|
||||
|
||||
Reference in New Issue
Block a user