Documentation
¶
Index ¶
- Constants
- func GetDockerDependency(depList []deps.Dependency) *deps.Dependency
- func GetDockerSocketGID() (uint32, error)
- func HasDockerDependency(depList []deps.Dependency) bool
- func ValidateDockerDependency(runtimeType container.RuntimeType, mode deps.DockerMode) error
- type BuildKitConfig
- type DockerDependencyConfig
- type ErrDockerDindRequiresDockerRuntime
- type ErrDockerHostRequiresDockerRuntime
- type ErrDockerRequiresDockerRuntime
- type Manager
- func (m *Manager) Close() error
- func (m *Manager) Create(ctx context.Context, opts Options) (*Run, error)
- func (m *Manager) Destroy(ctx context.Context, runID string) error
- func (m *Manager) FollowLogs(ctx context.Context, runID string, w io.Writer) error
- func (m *Manager) Get(runID string) (*Run, error)
- func (m *Manager) List() []*Run
- func (m *Manager) RecentLogs(runID string, lines int) (string, error)
- func (m *Manager) ResizeTTY(ctx context.Context, runID string, height, width uint) error
- func (m *Manager) Resolve(arg string) ([]*Run, error)
- func (m *Manager) RuntimeType() string
- func (m *Manager) Start(ctx context.Context, runID string, opts StartOptions) error
- func (m *Manager) StartAttached(ctx context.Context, runID string, stdin io.Reader, stdout, stderr io.Writer) error
- func (m *Manager) Stop(ctx context.Context, runID string) error
- func (m *Manager) Wait(ctx context.Context, runID string) error
- type ManagerOptions
- type Options
- type Run
- type StartOptions
- type State
Constants ¶
const DockerSocketPath = "/var/run/docker.sock"
DockerSocketPath is the standard path for the Docker socket on Linux.
Variables ¶
This section is empty.
Functions ¶
func GetDockerDependency ¶
func GetDockerDependency(depList []deps.Dependency) *deps.Dependency
GetDockerDependency returns the docker dependency from the list, or nil if not present. This allows callers to access the DockerMode field.
func GetDockerSocketGID ¶
GetDockerSocketGID returns the GID of the Docker socket. This is needed to add the container user to the docker group so they can access the socket.
Returns an error if the socket doesn't exist or cannot be stat'd.
func HasDockerDependency ¶
func HasDockerDependency(depList []deps.Dependency) bool
HasDockerDependency checks if the dependency list includes the docker dependency. Returns true if docker dependency is present, false otherwise.
func ValidateDockerDependency ¶
func ValidateDockerDependency(runtimeType container.RuntimeType, mode deps.DockerMode) error
ValidateDockerDependency checks if the docker dependency can be used with the given runtime and mode.
Both docker modes require Docker runtime: - Host mode needs socket access (Apple containers cannot mount host socket) - Dind mode needs privileged mode (Apple containers don't support this)
Types ¶
type BuildKitConfig ¶
type BuildKitConfig struct {
Enabled bool
NetworkName string
NetworkID string
SidecarName string
SidecarImage string
}
BuildKitConfig holds configuration for BuildKit sidecar.
type DockerDependencyConfig ¶
type DockerDependencyConfig struct {
// Mode is the docker access mode: "host" (socket mount) or "dind" (privileged).
Mode deps.DockerMode
// SocketMount is the mount configuration for the Docker socket.
// Only set for host mode.
SocketMount container.MountConfig
// GroupID is the GID of the docker socket, as a string for GroupAdd.
// Only set for host mode. Example: "999"
GroupID string
// Privileged indicates the container needs privileged mode.
// Only set for dind mode.
Privileged bool
}
DockerDependencyConfig holds the configuration needed to enable docker inside a container.
func ResolveDockerDependency ¶
func ResolveDockerDependency(depList []deps.Dependency, runtimeType container.RuntimeType) (*DockerDependencyConfig, error)
ResolveDockerDependency validates the docker dependency against the runtime and returns the configuration needed to enable docker in the container.
For host mode: 1. Validates that the runtime supports socket access (not Apple containers) 2. Gets the GID of the docker socket for group permissions 3. Returns the mount config and group ID
For dind mode: 1. Returns config indicating privileged mode is needed 2. No socket mount or GID needed (runs its own daemon)
Returns nil if docker dependency is not present in depList. Returns an error if validation fails or the socket cannot be accessed.
type ErrDockerDindRequiresDockerRuntime ¶
type ErrDockerDindRequiresDockerRuntime struct{}
ErrDockerDindRequiresDockerRuntime is returned when docker:dind mode is used with Apple containers runtime, which does not support privileged mode.
func (ErrDockerDindRequiresDockerRuntime) Error ¶
func (e ErrDockerDindRequiresDockerRuntime) Error() string
type ErrDockerHostRequiresDockerRuntime ¶
type ErrDockerHostRequiresDockerRuntime struct{}
ErrDockerHostRequiresDockerRuntime is returned when docker:host mode is used with Apple containers runtime, which cannot access the host Docker socket.
func (ErrDockerHostRequiresDockerRuntime) Error ¶
func (e ErrDockerHostRequiresDockerRuntime) Error() string
type ErrDockerRequiresDockerRuntime ¶
type ErrDockerRequiresDockerRuntime = ErrDockerHostRequiresDockerRuntime
ErrDockerRequiresDockerRuntime is an alias for backward compatibility. Deprecated: Use ErrDockerHostRequiresDockerRuntime instead.
type Manager ¶
type Manager struct {
// contains filtered or unexported fields
}
Manager handles run lifecycle operations.
func NewManager ¶
NewManager creates a new run manager with default options.
func NewManagerWithOptions ¶
func NewManagerWithOptions(opts ManagerOptions) (*Manager, error)
NewManagerWithOptions creates a new run manager with the given options.
func (*Manager) Close ¶
Close releases manager resources. It waits for active monitorContainerExit goroutines to finish so that logs are captured and state is updated before the runtime is closed.
func (*Manager) FollowLogs ¶
FollowLogs streams container logs to the provided writer. This is more reliable than Attach for output-only mode on already-running containers.
func (*Manager) RecentLogs ¶
RecentLogs returns the last n lines of container logs. Used to show recent output context for a running container.
func (*Manager) Resolve ¶ added in v0.3.0
Resolve takes a user-provided argument (a run ID, ID prefix, or run name) and returns the matching run(s).
Resolution priority:
- Exact ID match — if arg is a valid full run ID, look it up directly.
- ID prefix match — if arg starts with "run_", scan for runs whose ID starts with arg. Useful for typing abbreviated IDs.
- Exact name match — scan all runs for those whose Name field equals arg.
Returns an error if no runs match. The caller is responsible for handling the case where multiple runs match (e.g., prompting the user).
func (*Manager) RuntimeType ¶
RuntimeType returns the container runtime type (docker or apple).
func (*Manager) StartAttached ¶
func (m *Manager) StartAttached(ctx context.Context, runID string, stdin io.Reader, stdout, stderr io.Writer) error
StartAttached starts a run with stdin/stdout/stderr attached from the beginning. This is required for TUI applications (like Codex CLI) that need the terminal connected before the process starts to properly detect terminal capabilities. Unlike Start + Attach, this ensures the TTY is ready when the container command begins.
type ManagerOptions ¶
type ManagerOptions struct {
// NoSandbox disables gVisor sandbox for Docker containers.
// If nil, uses platform-aware defaults (gVisor on Linux, standard on macOS/Windows).
NoSandbox *bool
}
ManagerOptions configures the run manager.
type Options ¶
type Options struct {
Name string // Optional explicit name (--name flag or from config)
Workspace string
Grants []string
Cmd []string // Command to run (default: /bin/bash)
Config *config.Config // Optional moat.yaml config
Env []string // Additional environment variables (KEY=VALUE)
Rebuild bool // Force rebuild of container image (ignores cache)
KeepContainer bool // If true, don't auto-remove container after run
Interactive bool // Keep stdin open for interactive input
}
Options configures a new run.
type Run ¶
type Run struct {
ID string
Name string // Human-friendly name (e.g., "myapp" or "fluffy-chicken")
Workspace string
// Worktree tracking (set when created via moat wt or --wt flag)
WorktreeBranch string
WorktreePath string
WorktreeRepoID string
Grants []string
Agent string // Agent type from config (e.g., "claude-code", "codex")
Image string // Container image used for this run
ProviderMeta map[string]string // Provider-specific metadata (e.g., claude_session_id)
Ports map[string]int // endpoint name -> container port
HostPorts map[string]int // endpoint name -> host port (after binding)
State State
ContainerID string
SSHAgentServer *sshagent.Server // SSH agent proxy for SSH key access
Store *storage.RunStore // Run data storage
AuditStore *audit.Store // Tamper-proof audit log
SnapEngine *snapshot.Engine // Snapshot engine for workspace protection
KeepContainer bool // If true, don't auto-remove container after run
Interactive bool // If true, run was started in interactive mode
CreatedAt time.Time
StartedAt time.Time
StoppedAt time.Time
Error string
// Firewall settings (set when network.policy is strict)
FirewallEnabled bool
ProxyHost string // Host address for proxy (for firewall rules)
ProxyPort int // Port number for proxy (for firewall rules)
ProxyAuthToken string // Auth token for proxy daemon (set when run is registered with daemon)
// ProxyRegReq is the registration request saved for re-registration
// after a proxy daemon restart. The health monitor uses it to restore
// the run's credentials and configuration in the new daemon instance.
ProxyRegReq *daemon.RegisterRequest
// DaemonCommit is the git commit of the proxy daemon binary at the time
// the run was registered. Used to detect version skew with the CLI.
DaemonCommit string
// ProviderCleanupPaths tracks paths to clean up for each provider when the run ends.
// Keys are provider names, values are cleanup paths returned by ProviderSetup.ContainerMounts.
ProviderCleanupPaths map[string]string
// Snapshot settings
DisablePreRunSnapshot bool // If true, skip pre-run snapshot creation
// AWS credential provider (set when using aws grant)
AWSCredentialProvider *proxy.AWSCredentialProvider
// ClaudeConfigTempDir is the temporary directory containing Claude configuration files
// (settings.json, .mcp.json) that are mounted into the container. This should be
// cleaned up when the run is stopped or destroyed.
ClaudeConfigTempDir string
// CodexConfigTempDir is the temporary directory containing Codex configuration files
// (config.toml, auth.json) that are mounted into the container. This should be
// cleaned up when the run is stopped or destroyed.
CodexConfigTempDir string
// GeminiConfigTempDir is the temporary directory containing Gemini configuration files
// (settings.json, oauth_creds.json) that are mounted into the container. This should be
// cleaned up when the run is stopped or destroyed.
GeminiConfigTempDir string
// BuildKit sidecar fields (docker:dind only)
BuildkitContainerID string
NetworkID string
// ServiceContainers maps service name to container ID (e.g., "postgres" -> "abc123").
ServiceContainers map[string]string
// contains filtered or unexported fields
}
Run represents an agent execution environment.
func (*Run) SaveMetadata ¶
SaveMetadata persists the run's current state to disk. This should be called after any state change.
func (*Run) SetStateFailedAt ¶ added in v0.3.0
SetStateFailedAt atomically sets state to StateFailed with both error and timestamp in a single lock acquisition. This prevents a concurrent reader from observing StateFailed with no StoppedAt set.
func (*Run) SetStateWithError ¶
SetStateWithError safely updates the run state and error (thread-safe).
Source Files