From 94000f6b6d07b31151deccc4e3e1fdccf5b5c487 Mon Sep 17 00:00:00 2001
From: Leonard Kugis <leonard@kug.is>
Date: Sat, 31 Jan 2026 14:08:20 +0100
Subject: Added docker scripts

---
 tools/docker_start.sh | 70 +++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 70 insertions(+)
 create mode 100644 tools/docker_start.sh

(limited to 'tools/docker_start.sh')

diff --git a/tools/docker_start.sh b/tools/docker_start.sh
new file mode 100644
index 0000000..cec5808
--- /dev/null
+++ b/tools/docker_start.sh
@@ -0,0 +1,70 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+# @describe Start (or reuse) a sandbox Docker container with a bind-mounted workspace.
+# @option --workspace! Host path to mount into the container at /work (must be under $AICHAT_SANDBOX_BASE).
+# @option --image Docker image to use. Default: aichat-docker:latest
+# @option --name Optional explicit container name. Default: auto-generated.
+# @option --network Enable network access (true/false). Default: true
+# @option --ttl_minutes Optional TTL label for cleanup tooling. Default: 0 (no TTL)
+
+main() {
+  local base="${AICHAT_SANDBOX_BASE:-$HOME/aichat-workspaces}"
+  local image="${argc_image:-aichat-docker:latest}"
+  local net="${argc_network:-true}"
+  local ttl="${argc_ttl_minutes:-0}"
+
+  mkdir -p "$base"
+
+  local ws
+  ws="$(realpath -m "${argc_workspace}")"
+
+  local base_real
+  base_real="$(realpath -m "$base")"
+  case "$ws" in
+    "$base_real"/*) ;;
+    *)
+      echo "ERROR: workspace must be under $base_real (got $ws)" >> "$LLM_OUTPUT"
+      exit 2
+      ;;
+  esac
+
+  mkdir -p "$ws"
+
+  local name="${argc_name:-aichat-sbx-$(date +%s)-$RANDOM}"
+
+  if docker ps -a --format '{{.Names}}' | grep -qx "$name"; then
+    printf '{"container":"%s","workspace":"%s","status":"already-exists"}\n' "$name" "$ws" >> "$LLM_OUTPUT"
+    return 0
+  fi
+
+  local net_arg=()
+  if [[ "$net" == "false" ]]; then
+    net_arg+=(--network none)
+  fi
+
+  local uid gid
+  uid="$(id -u)"
+  gid="$(id -g)"
+
+  docker run -d --rm \
+    --name "$name" \
+    -u "${uid}:${gid}" \
+    -w /work \
+    -v "${ws}:/work:rw" \
+    --cap-drop=ALL \
+    --security-opt=no-new-privileges \
+    --pids-limit 256 \
+    --memory 2g \
+    --cpus 2 \
+    "${net_arg[@]}" \
+    --label "aichat.sandbox=true" \
+    --label "aichat.ttl_minutes=${ttl}" \
+    "$image" \
+    sh -lc 'sleep infinity' >/dev/null
+
+  printf '{"container":"%s","workspace":"%s","status":"started"}\n' "$name" "$ws" >> "$LLM_OUTPUT"
+}
+
+eval "$(argc --argc-eval "$0" "$@")"
+
-- 
cgit v1.2.3