
fix(api): isolate docker runtime from host socket#249

Merged
skulidropek merged 1 commit into main from fix/isolated-docker-runtime on May 7, 2026

Conversation

@skulidropek
Member

Summary

  • remove host /var/run/docker.sock bind from the docker-git API controller compose files
  • start a managed Docker daemon inside docker-git-api for isolated project runtime state
  • stop generated project containers from mounting the host Docker socket and pass only the configured isolated Docker endpoint into sessions/agents
  • stabilize state-repo tests against the local docker-git post-push hook side effect

Proof

  • bun run check
  • bun run test
  • docker compose -f docker-compose.yml config shows no /var/run/docker.sock:/var/run/docker.sock bind mount
  • isolated runtime smoke:
    • started docker-git-api-isolated-smoke on port 3344
    • curl /health inside controller returned {"ok":true,"revision":"unknown","cwd":"/workspace","projectsRoot":"/home/dev/.docker-git"}
    • docker info inside controller returned isolated=29.1.3 root=/var/lib/docker
    • docker inspect mounts were only /home/dev/.docker-git and /var/lib/docker
    • smoke container/volumes were removed after verification

Notes

This protects the host Docker daemon from docker-git project lifecycle operations by default. The controller still needs host Docker only to start the controller container itself; project containers and docker-git-api runtime Docker commands use the managed daemon inside the controller.
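
The bind-mount check that the Proof list above performs by hand (`docker compose -f docker-compose.yml config` showing no `/var/run/docker.sock` mount), as an added example that is not part of docker-git or this PR: a POSIX shell audit that reads a rendered compose config from stdin and fails on any volume entry whose source is the host Docker socket, in either the long form that `compose config` emits or the short `host:container` form. The two embedded compose documents are constructed for this example; only the `/home/dev/.docker-git` and `/var/lib/docker` mount paths are taken from the PR's smoke output, while the service name, image tag and volume name are assumptions.

```shell
#!/bin/sh
# Added example, not docker-git project code: audit a rendered
# `docker compose config` document for bind mounts of the host Docker socket.
# Reads the config from stdin so it also runs on the constructed samples below
# without a Docker daemon present.
set -eu

# Returns 0 when no volume entry binds the host Docker socket, 1 otherwise.
# Catches the long form that `compose config` emits
#   - type: bind
#     source: /var/run/docker.sock
# and the short form found in hand-written files
#   - /var/run/docker.sock:/var/run/docker.sock
# including the /run/docker.sock spelling. `target:` lines are deliberately
# ignored: a container exposing its own daemon's socket at that path is not a
# host leak, only a host-side source is.
audit_host_socket_mounts() {
    hits=$(grep -nE \
        '^[[:space:]]*(-[[:space:]]*|source:[[:space:]]*)"?/(var/)?run/docker\.sock"?(:|[[:space:]]*$)' \
        || true)
    if [ -n "$hits" ]; then
        printf 'FAIL: host Docker socket is bind-mounted (line:text):\n%s\n' "$hits" >&2
        return 1
    fi
    printf 'OK: no host Docker socket bind mount\n' >&2
    return 0
}

# Constructed sample of the pre-fix shape: the controller mounts the host socket.
sample_host_socket_compose() {
    cat <<'EOF'
name: docker-git
services:
  docker-git-api:
    image: docker-git-api:local
    volumes:
      - type: bind
        source: /var/run/docker.sock
        target: /var/run/docker.sock
EOF
}

# Constructed sample of the post-fix shape: only the project state directory and
# the managed daemon's data root are mounted (the two paths from the PR's smoke run;
# the volume name is assumed).
sample_isolated_compose() {
    cat <<'EOF'
name: docker-git
services:
  docker-git-api:
    image: docker-git-api:local
    volumes:
      - type: bind
        source: /home/dev/.docker-git
        target: /home/dev/.docker-git
      - type: volume
        source: docker-git-api-docker
        target: /var/lib/docker
EOF
}

# Stand-alone run: the first sample must fail the audit, the second must pass.
sample_host_socket_compose | audit_host_socket_mounts || true
sample_isolated_compose | audit_host_socket_mounts
```

Run it against a real stack with `docker compose -f docker-compose.yml config | audit_host_socket_mounts`. To confirm at runtime that the controller is talking to its own daemon rather than the host's, compare `docker info --format '{{.ID}}'` on the host with the same command executed inside the controller container; the two daemon IDs differ when the controller's `docker` client is bound to the managed daemon, and `docker inspect --format '{{json .Mounts}}'` on the controller should list only the project state directory and the daemon data root, as the smoke run above reports.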

skulidropek force-pushed the fix/isolated-docker-runtime branch from 6eb57a4 to b3d0a43 on May 6, 2026 20:53
@skulidropek
Member Author

skulidropek commented May 6, 2026

AI Session Backup

Commit: b3d0a43
Status: success
Files: 10 (15.20 MB)
Links: README | Manifest

git status

On branch fix/isolated-docker-runtime
Your branch is up to date with 'origin/fix/isolated-docker-runtime'.

nothing to commit, working tree clean

skulidropek force-pushed the fix/isolated-docker-runtime branch from b3d0a43 to 4b6dddc on May 6, 2026 21:43
@skulidropek
Member Author

skulidropek commented May 6, 2026

AI Session Backup

Commit: 4b6dddc
Status: success
Files: 11 (18.37 MB)
Links: README | Manifest

git status

On branch fix/isolated-docker-runtime
Your branch is up to date with 'origin/fix/isolated-docker-runtime'.

nothing to commit, working tree clean

@skulidropek
Member Author

Proof for isolated Docker runtime fix (SHA 4b6dddc911bafe2ffac42abeae8dee4c4a9f7a2b):

Previously failing e2e jobs now pass in CI:

  • E2E (OpenCode)
  • E2E (Clone cache)
  • E2E (Login context)
  • E2E (Runtime volumes + SSH)
  • E2E (Clone auto-open SSH)

Local validation before push:

  • bash -n scripts/e2e/_lib.sh scripts/e2e/login-context.sh scripts/e2e/opencode-autoconnect.sh scripts/e2e/clone-cache.sh scripts/e2e/runtime-volumes-ssh.sh scripts/e2e/clone-auto-open-ssh.sh
  • git diff --check
  • bun run --cwd packages/lib lint
  • bun run --cwd packages/app lint
  • bun run --cwd packages/api test
  • isolated runtime smoke: docker-git-api runs its own dockerd, no host /var/run/docker.sock mount, inner docker run busybox works.
  • local e2e smoke: scripts/e2e/login-context.sh and scripts/e2e/clone-auto-open-ssh.sh passed with unique isolated controllers.

skulidropek merged commit eed189c into main on May 7, 2026
15 checks passed