remove docker local mode

Author: root

Makefile

@@ -245,11 +245,6 @@ endif
 
 redo:
 	@echo "Full rebuild: building artifacts and image before replacing container + volumes..."
-	@if grep -q '^APPOS_SECRET_KEY=replace-with-a-random-base64-secret' build/.env 2>/dev/null; then \
-		NEW_KEY=$$(openssl rand -base64 32); \
-		sed -i "s|^APPOS_SECRET_KEY=replace-with-a-random-base64-secret|APPOS_SECRET_KEY=$$NEW_KEY|" build/.env; \
-		echo "✓ Generated APPOS_SECRET_KEY in build/.env"; \
-	fi
 	@$(MAKE) build
 	@$(MAKE) image build-local
 	@docker rm -f $$(docker ps -aq --filter name=$(CONTAINER)) 2>/dev/null || true
@@ -266,6 +261,7 @@ run:
 	@docker cp backend/appos $(CONTAINER):/usr/local/bin/appos
 	@docker cp web/dist/. $(CONTAINER):/usr/share/nginx/html/web/
 	@docker cp templates/apps/. $(CONTAINER):/appos/data/templates/apps/
+	@docker cp build/supervisord.conf $(CONTAINER):/etc/supervisor/supervisord.conf
 	@docker cp build/nginx.conf $(CONTAINER):/etc/nginx/nginx.conf
 	@docker exec $(CONTAINER) nginx -t
 	@docker exec $(CONTAINER) supervisorctl -c /etc/supervisor/supervisord.conf restart appos nginx
@@ -963,11 +959,6 @@ endif
 # Container Management
 # ============================================================
 start:
-	@if grep -q '^APPOS_SECRET_KEY=replace-with-a-random-base64-secret' build/.env 2>/dev/null; then \
-		NEW_KEY=$$(openssl rand -base64 32); \
-		sed -i "s|^APPOS_SECRET_KEY=replace-with-a-random-base64-secret|APPOS_SECRET_KEY=$$NEW_KEY|" build/.env; \
-		echo "✓ Generated APPOS_SECRET_KEY in build/.env"; \
-	fi
 	@if [ "$(ARG2)" = "dev" ] || [ "$(ARG2)" = "latest" ]; then \
 		IMAGE_TAG=$(ARG2); \
 		PORT=9091; \

README.md

@@ -7,3 +7,9 @@ OS for Your self-hosted Apps
 - Do not write full story content in `epics.md`.
 - Epic-level detail belongs in `specs/implementation-artifacts/epic*.md`.
 - Implementation-ready story detail belongs in `specs/implementation-artifacts/story*.md`.
+
+## Install
+
+```
+docker run -d --name appos-demo --restart unless-stopped -p 9092:80 -p 9223:2222 -v /var/run/docker.sock:/var/run/docker.sock -v appos_data:/appos/data websoft9dev/appos:dev
+```

backend/docs/openapi/api.yaml

@@ -1899,7 +1899,7 @@ paths:
                 - Apps
     /api/apps/{id}/config:
         get:
-            description: Returns docker-compose.yml content for one installed app. Supports local and remote servers. Superuser only.
+            description: Returns docker-compose.yml content for one installed app on a managed server. Superuser only.
             operationId: get_api_apps_id_config
             parameters:
                 - description: app instance ID
@@ -1950,7 +1950,7 @@ paths:
             tags:
                 - Apps
         put:
-            description: Overwrites docker-compose.yml for one installed app. Supports local and remote servers. Superuser only.
+            description: Overwrites docker-compose.yml for one installed app on a managed server. Superuser only.
             operationId: put_api_apps_id_config
             parameters:
                 - description: app instance ID
@@ -2009,7 +2009,7 @@ paths:
                 - Apps
     /api/apps/{id}/config/rollback:
         post:
-            description: Restores the latest saved docker-compose rollback point for one installed app. Supports local and remote servers. Superuser only.
+            description: Restores the latest saved docker-compose rollback point for one installed app on a managed server. Superuser only.
             operationId: post_api_apps_id_config_rollback
             parameters:
                 - description: app instance ID
@@ -2067,7 +2067,7 @@ paths:
                 - Apps
     /api/apps/{id}/config/validate:
         post:
-            description: Validates draft docker-compose.yml content for one installed app before saving. Supports local and remote servers. Superuser only.
+            description: Validates draft docker-compose.yml content for one installed app on a managed server before saving. Superuser only.
             operationId: post_api_apps_id_config_validate
             parameters:
                 - description: app instance ID
@@ -11935,27 +11935,6 @@ paths:
             summary: List Docker servers
             tags:
                 - Docker
-    /api/servers/local/docker-bridge:
-        get:
-            operationId: get_api_servers_local_docker-bridge
-            responses:
-                "200":
-                    content:
-                        application/json:
-                            schema:
-                                $ref: '#/components/schemas/SuccessEnvelope'
-                    description: OK
-                "401":
-                    content:
-                        application/json:
-                            schema:
-                                $ref: '#/components/schemas/ErrorEnvelope'
-                    description: Unauthorized
-            security:
-                - bearerAuth: []
-            summary: Get servers local docker bridge
-            tags:
-                - Servers
     /api/settings:
         get:
             operationId: pb_settings_get

backend/docs/openapi/ext-api.yaml

@@ -1718,7 +1718,7 @@ paths:
     get:
       tags: [Apps]
       summary: Get app compose config
-      description: "Returns docker-compose.yml content for one installed app. Supports local and remote servers. Superuser only."
+      description: "Returns docker-compose.yml content for one installed app on a managed server. Superuser only."
       operationId: get_api_apps_id_config
       parameters:
         - name: id
@@ -1768,7 +1768,7 @@ paths:
     put:
       tags: [Apps]
       summary: Write app compose config
-      description: "Overwrites docker-compose.yml for one installed app. Supports local and remote servers. Superuser only."
+      description: "Overwrites docker-compose.yml for one installed app on a managed server. Superuser only."
       operationId: put_api_apps_id_config
       parameters:
         - name: id
@@ -1826,7 +1826,7 @@ paths:
     post:
       tags: [Apps]
       summary: Roll back app compose config
-      description: "Restores the latest saved docker-compose rollback point for one installed app. Supports local and remote servers. Superuser only."
+      description: "Restores the latest saved docker-compose rollback point for one installed app on a managed server. Superuser only."
       operationId: post_api_apps_id_config_rollback
       parameters:
         - name: id
@@ -1883,7 +1883,7 @@ paths:
     post:
       tags: [Apps]
       summary: Validate app compose config
-      description: "Validates draft docker-compose.yml content for one installed app before saving. Supports local and remote servers. Superuser only."
+      description: "Validates draft docker-compose.yml content for one installed app on a managed server before saving. Superuser only."
       operationId: post_api_apps_id_config_validate
       parameters:
         - name: id
@@ -7196,26 +7196,6 @@ paths:
             application/json:
               schema:
                 $ref: '#/components/schemas/ErrorEnvelope'
-  /api/servers/local/docker-bridge:
-    get:
-      tags: [Servers]
-      summary: Get servers local docker bridge
-      operationId: get_api_servers_local_docker-bridge
-      security:
-        - bearerAuth: []  # superuser required
-      responses:
-        "200":
-          description: OK
-          content:
-            application/json:
-              schema:
-                $ref: '#/components/schemas/SuccessEnvelope'
-        "401":
-          description: Unauthorized
-          content:
-            application/json:
-              schema:
-                $ref: '#/components/schemas/ErrorEnvelope'
   /api/servers/{serverId}/docker/compose/config:
     get:
       tags: [Docker]

backend/docs/openapi/group-matrix.yaml

@@ -447,7 +447,6 @@ groups:
     extSurface:
       - GET /api/servers/docker-targets
       - GET /api/servers/connection
-      - GET /api/servers/local/docker-bridge
       - GET /api/servers/{serverId}/ops/connectivity
       - POST /api/servers/{serverId}/ops/power
       - GET /api/servers/{serverId}/ops/ports

backend/domain/lifecycle/runtime/deployment_targets.go

@@ -2,7 +2,7 @@ package runtime
 
 import (
 	"context"
-	"os"
+	"fmt"
 	"path/filepath"
 
 	"github.com/pocketbase/pocketbase/core"
@@ -33,29 +33,6 @@ type Executor interface {
 	Name() string
 }
 
-type localExecutor struct {
-	app core.App
-}
-
-func (e localExecutor) PrepareWorkspace(projectDir string, compose string) error {
-	if err := os.MkdirAll(projectDir, 0o755); err != nil {
-		return err
-	}
-	return os.WriteFile(filepath.Join(projectDir, "docker-compose.yml"), []byte(compose), 0o600)
-}
-
-func (e localExecutor) DockerClient() (*docker.Client, error) {
-	exec := docker.NewLocalExecutor("")
-	if os.Getuid() != 0 {
-		exec.SudoEnabled = true
-	}
-	return docker.New(exec), nil
-}
-
-func (e localExecutor) Name() string {
-	return "local"
-}
-
 type sshExecutor struct {
 	app           core.App
 	serverID      string
@@ -127,18 +104,25 @@ func (e sshExecutor) factory() sftpClientFactory {
 	return defaultSFTPClientFactory
 }
 
-func executorName(serverID string) string {
+func NewDeploymentExecutor(app core.App, serverID string) Executor {
 	if serverID == "" || serverID == "local" {
-		return "local"
+		return unsupportedExecutor{}
 	}
-	return "ssh"
+	return newSSHExecutor(app, serverID)
 }
 
-func NewDeploymentExecutor(app core.App, serverID string) Executor {
-	if executorName(serverID) == "local" {
-		return localExecutor{app: app}
-	}
-	return newSSHExecutor(app, serverID)
+type unsupportedExecutor struct{}
+
+func (unsupportedExecutor) PrepareWorkspace(string, string) error {
+	return fmt.Errorf("managed server is required for deployment execution")
+}
+
+func (unsupportedExecutor) DockerClient() (*docker.Client, error) {
+	return nil, fmt.Errorf("managed server is required for deployment execution")
+}
+
+func (unsupportedExecutor) Name() string {
+	return "unsupported"
 }
 
 func newSSHExecutor(app core.App, serverID string) sshExecutor {

backend/domain/lifecycle/runtime/deployment_targets_test.go

@@ -3,7 +3,6 @@ package runtime
 import (
 	"context"
 	"errors"
-	"os"
 	"path/filepath"
 	"testing"
 
@@ -43,8 +42,8 @@ func TestNewDeploymentExecutor(t *testing.T) {
 		serverID string
 		wantName string
 	}{
-		{name: "empty server id", serverID: "", wantName: "local"},
-		{name: "explicit local", serverID: "local", wantName: "local"},
+		{name: "empty server id", serverID: "", wantName: "unsupported"},
+		{name: "explicit local", serverID: "local", wantName: "unsupported"},
 		{name: "remote id", serverID: "srv-1", wantName: "ssh"},
 	}
 
@@ -58,22 +57,10 @@ func TestNewDeploymentExecutor(t *testing.T) {
 	}
 }
 
-func TestLocalExecutorPrepareWorkspace(t *testing.T) {
-	tmpDir := t.TempDir()
-	projectDir := filepath.Join(tmpDir, "project")
-	compose := "services:\n  web:\n    image: nginx:alpine\n"
-
-	exec := localExecutor{}
-	if err := exec.PrepareWorkspace(projectDir, compose); err != nil {
-		t.Fatalf("PrepareWorkspace returned error: %v", err)
-	}
-
-	data, err := os.ReadFile(filepath.Join(projectDir, "docker-compose.yml"))
-	if err != nil {
-		t.Fatalf("failed to read docker-compose.yml: %v", err)
-	}
-	if got := string(data); got != compose {
-		t.Fatalf("unexpected compose content: got %q want %q", got, compose)
+func TestUnsupportedExecutorRejectsWorkspacePreparation(t *testing.T) {
+	exec := NewDeploymentExecutor(nil, "")
+	if err := exec.PrepareWorkspace(filepath.Join(t.TempDir(), "project"), "services: {}\n"); err == nil {
+		t.Fatal("expected unsupported executor to reject workspace preparation")
 	}
 }
 

backend/domain/lifecycle/runtime/node_executor.go

@@ -36,10 +36,6 @@ func runtimeExecutorApp(executor Executor) core.App {
 		return typed.App()
 	}
 	switch typed := executor.(type) {
-	case localExecutor:
-		return typed.app
-	case *localExecutor:
-		return typed.app
 	case sshExecutor:
 		return typed.app
 	case *sshExecutor:

backend/domain/monitor/signals/platform/observer.go

@@ -2,6 +2,7 @@ package platform
 
 import (
 	"context"
+	"fmt"
 	"log/slog"
 	"os"
 	"runtime"
@@ -11,21 +12,22 @@ import (
 	"github.com/websoft9/appos/backend/domain/monitor"
 	monitormetrics "github.com/websoft9/appos/backend/domain/monitor/metrics"
 	monitorstatus "github.com/websoft9/appos/backend/domain/monitor/status"
-	"github.com/websoft9/appos/backend/infra/docker"
 	"github.com/websoft9/appos/backend/infra/supervisor"
 )
 
-func NewPlatformObserver(app core.App, snapshotFn func() RuntimeSnapshot) *PlatformObserver {
-	localDockerClient := docker.New(docker.NewLocalExecutor(""))
+func localContainerStatsDisabled(context.Context) (string, error) {
+	return "", fmt.Errorf("local docker daemon access disabled")
+}
 
+func NewPlatformObserver(app core.App, snapshotFn func() RuntimeSnapshot) *PlatformObserver {
 	return &PlatformObserver{
 		app:                app,
 		snapshotFn:         snapshotFn,
 		resourceFn:         supervisor.GetProcessResources,
 		appCoreTelemetryFn: collectLocalAppCoreMetricPoints,
 		appCoreMemoryFn:    readLocalAppCoreMemory,
 		hostTelemetryFn:    collectLocalHostMetricPoints,
-		containerStatsFn:   localDockerClient.ContainerStats,
+		containerStatsFn:   localContainerStatsDisabled,
 		containerSamples:   map[string]localContainerCounters{},
 		nowFn: func() time.Time {
 			return time.Now().UTC()

backend/domain/resource/servers/docker_runtime.go

@@ -9,10 +9,11 @@ import (
 )
 
 // NewDockerClient returns a Docker client bound to the requested server.
-// When serverID is empty or "local", the provided localClient is returned.
-func NewDockerClient(app core.App, serverID string, localClient *docker.Client) (*docker.Client, error) {
+// Local Docker daemon access is intentionally unsupported; callers must
+// provide a managed server target that resolves to SSH.
+func NewDockerClient(app core.App, serverID string) (*docker.Client, error) {
 	if serverID == "" || serverID == "local" {
-		return localClient, nil
+		return nil, fmt.Errorf("managed server is required for docker operations")
 	}
 
 	server, err := LoadManagedServer(app, serverID)