Files
openwork/packaging/docker
ben f3da381606 feat: minimal container sandbox + server tokens + toy UI (#494)
* feat(server): add scoped tokens, inbox/outbox, toy UI, and auth hardening

- TokenService with file-based persistence (tokens.json)
- /tokens CRUD (host auth), /whoami (client auth)
- Bearer token auth accepting OPENWORK_TOKEN or scoped tokens
- POST /workspace/:id/inbox (multipart upload)
- GET /workspace/:id/artifacts, /workspace/:id/artifacts/:id
- Toy UI at /ui with SSE, prompt send, inbox upload, outbox download
- Extended GET /capabilities with schemaVersion, serverVersion, approvals info
- Updated README with all new endpoints and auth model

* feat(headless): add sandbox runtime with Docker and Apple container backends

- --sandbox none|auto|docker|container CLI flag
- --sandbox-image, --sandbox-persist-dir, --sandbox-mount options
- Mount security: allowlist, blocked patterns, symlink resolution
- Docker backend: workspace/persist volumes, sidecar staging, entrypoint
- Apple container backend: --mount type=bind for ro mounts
- Sandbox mode proxies all OpenCode access through openwork-server
- Proxy health check (waitForHealthyViaProxy) avoids SDK auth issues
- Sandbox-specific check suite (runSandboxChecks) for --check mode
- Non-fatal verifyOpenworkServer in sandbox mode for version mismatches
- Updated README with sandbox docs and mount security

* feat(packaging): add Docker/docker-compose PaaS packaging

- Dockerfile (node:22-bookworm-slim, installs openwrk via npm)
- docker-compose.yml with workspace and data volumes
- README with usage instructions

* fix(headless): define sandbox owpenbot internal health port
2026-02-07 13:01:15 -08:00
..

OpenWork Host (Docker)

This is a minimal packaging template to run the OpenWork Host contract in a single container.

It runs:

  • opencode serve (engine) bound to 127.0.0.1:4096 inside the container
  • openwork-server bound to 0.0.0.0:8787 (the only published surface)

Local run (compose)

From this directory:

docker compose up --build

Then open:

  • http://127.0.0.1:8787/ui

Config

Recommended env vars:

  • OPENWORK_TOKEN (client token)
  • OPENWORK_HOST_TOKEN (host/owner token)

Optional:

  • OPENWORK_APPROVAL_MODE=auto|manual
  • OPENWORK_APPROVAL_TIMEOUT_MS=30000

Persistence:

  • Workspace is mounted at /workspace
  • Host data dir is mounted at /data (OpenCode caches + OpenWork server config/tokens)

Notes

  • OpenCode is not exposed directly; access it via the OpenWork proxy (/opencode/*).
  • For PaaS, replace ./workspace:/workspace with a volume or a checkout strategy (git clone on boot).