letsbe-sysadmin/docker-compose.yml

version: "3.8"

services:
  agent:
    build:
      context: .
      dockerfile: Dockerfile
    container_name: letsbe-agent

    environment:
      # Required: Orchestrator connection
      - ORCHESTRATOR_URL=${ORCHESTRATOR_URL:-http://host.docker.internal:8000}
      - AGENT_TOKEN=${AGENT_TOKEN:-dev-token}

      # Tenant assignment
      # Required in production. Set to the tenant UUID this agent belongs to.
      # Example: TENANT_ID=550e8400-e29b-41d4-a716-446655440000
      - TENANT_ID=${TENANT_ID:-}

      # Timing (seconds)
      - HEARTBEAT_INTERVAL=${HEARTBEAT_INTERVAL:-30}
      - POLL_INTERVAL=${POLL_INTERVAL:-5}

      # Logging
      - LOG_LEVEL=${LOG_LEVEL:-DEBUG}
      - LOG_JSON=${LOG_JSON:-false}

      # Resilience
      - MAX_CONCURRENT_TASKS=${MAX_CONCURRENT_TASKS:-3}
      - BACKOFF_BASE=${BACKOFF_BASE:-1.0}
      - BACKOFF_MAX=${BACKOFF_MAX:-60.0}
      - CIRCUIT_BREAKER_THRESHOLD=${CIRCUIT_BREAKER_THRESHOLD:-5}
      - CIRCUIT_BREAKER_COOLDOWN=${CIRCUIT_BREAKER_COOLDOWN:-300}

      # Security
      - ALLOWED_FILE_ROOT=${ALLOWED_FILE_ROOT:-/opt/letsbe}
      - MAX_FILE_SIZE=${MAX_FILE_SIZE:-10485760}
      - SHELL_TIMEOUT=${SHELL_TIMEOUT:-60}

      # Playwright browser automation
      - PLAYWRIGHT_ARTIFACTS_DIR=${PLAYWRIGHT_ARTIFACTS_DIR:-/opt/letsbe/playwright-artifacts}
      - PLAYWRIGHT_DEFAULT_TIMEOUT_MS=${PLAYWRIGHT_DEFAULT_TIMEOUT_MS:-60000}
      - PLAYWRIGHT_NAVIGATION_TIMEOUT_MS=${PLAYWRIGHT_NAVIGATION_TIMEOUT_MS:-120000}

    volumes:
      # Docker socket for docker executor
      - /var/run/docker.sock:/var/run/docker.sock

      # Hot reload in development
      - ./app:/app/app:ro
      - ./tests:/app/tests:ro
      - ./pytest.ini:/app/pytest.ini:ro

      # Host directory mounts for real infrastructure access
      - /opt/letsbe/env:/opt/letsbe/env
      - /opt/letsbe/stacks:/opt/letsbe/stacks
      - /opt/letsbe/nginx:/opt/letsbe/nginx

      # Pending results persistence
      - agent_home:/home/agent/.letsbe-agent

      # Playwright artifacts storage
      - playwright_artifacts:/opt/letsbe/playwright-artifacts

    # Security options for Chromium sandboxing
    security_opt:
      - seccomp=unconfined

    # Run as root for Docker socket access in dev
    # In production, use Docker group membership instead
    user: root

    restart: unless-stopped

    # Resource limits (increased for Playwright browser automation)
    deploy:
      resources:
        limits:
          cpus: '1.5'
          memory: 1G
        reservations:
          cpus: '0.25'
          memory: 256M

volumes:
  agent_home:
    name: letsbe-agent-home
  playwright_artifacts:
    name: letsbe-playwright-artifacts
Initial commit: SysAdmin Agent with executors - Core agent architecture with task manager and orchestrator client - Executors: ECHO, SHELL, FILE_WRITE, ENV_UPDATE, DOCKER_RELOAD, COMPOSITE, PLAYWRIGHT - EnvUpdateExecutor: Secure .env file management with key validation - DockerExecutor: Docker Compose operations with path security - CompositeExecutor: Sequential task execution with fail-fast behavior - Comprehensive unit tests (84 tests) - Docker deployment configuration 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com> 2025-12-03 11:05:54 +01:00			`version: "3.8"`

			`services:`
			`agent:`
			`build:`
			`context: .`
			`dockerfile: Dockerfile`
			`container_name: letsbe-agent`

			`environment:`
			`# Required: Orchestrator connection`
			`- ORCHESTRATOR_URL=${ORCHESTRATOR_URL:-http://host.docker.internal:8000}`
			`- AGENT_TOKEN=${AGENT_TOKEN:-dev-token}`

feat: add tenant_id support to agent registration - Add tenant_id field to Settings (via TENANT_ID env var) - Include tenant_id in registration payload when configured - Add TENANT_ID to docker-compose.yml with documentation - Add ROADMAP.md tracking project progress Agents can now be associated with a specific tenant at startup. Required in production, optional in development. 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com> 2025-12-05 20:10:43 +01:00			`# Tenant assignment`
			`# Required in production. Set to the tenant UUID this agent belongs to.`
			`# Example: TENANT_ID=550e8400-e29b-41d4-a716-446655440000`
			`- TENANT_ID=${TENANT_ID:-}`

Initial commit: SysAdmin Agent with executors - Core agent architecture with task manager and orchestrator client - Executors: ECHO, SHELL, FILE_WRITE, ENV_UPDATE, DOCKER_RELOAD, COMPOSITE, PLAYWRIGHT - EnvUpdateExecutor: Secure .env file management with key validation - DockerExecutor: Docker Compose operations with path security - CompositeExecutor: Sequential task execution with fail-fast behavior - Comprehensive unit tests (84 tests) - Docker deployment configuration 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com> 2025-12-03 11:05:54 +01:00			`# Timing (seconds)`
			`- HEARTBEAT_INTERVAL=${HEARTBEAT_INTERVAL:-30}`
			`- POLL_INTERVAL=${POLL_INTERVAL:-5}`

			`# Logging`
			`- LOG_LEVEL=${LOG_LEVEL:-DEBUG}`
			`- LOG_JSON=${LOG_JSON:-false}`

			`# Resilience`
			`- MAX_CONCURRENT_TASKS=${MAX_CONCURRENT_TASKS:-3}`
			`- BACKOFF_BASE=${BACKOFF_BASE:-1.0}`
			`- BACKOFF_MAX=${BACKOFF_MAX:-60.0}`
			`- CIRCUIT_BREAKER_THRESHOLD=${CIRCUIT_BREAKER_THRESHOLD:-5}`
			`- CIRCUIT_BREAKER_COOLDOWN=${CIRCUIT_BREAKER_COOLDOWN:-300}`

			`# Security`
Fix docker volume mounts for host directory access - Replace named volume (agent_data) with bind mounts for /opt/letsbe/{env,stacks,nginx} - Update ALLOWED_FILE_ROOT default from /opt/agent_data to /opt/letsbe - Add startup validation that warns (but doesn't block) if host dirs missing This fixes ENV_UPDATE writes going to container filesystem instead of host, and DOCKER_RELOAD failing with "File does not exist" errors. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com> 2025-12-03 15:20:07 +01:00			`- ALLOWED_FILE_ROOT=${ALLOWED_FILE_ROOT:-/opt/letsbe}`
Initial commit: SysAdmin Agent with executors - Core agent architecture with task manager and orchestrator client - Executors: ECHO, SHELL, FILE_WRITE, ENV_UPDATE, DOCKER_RELOAD, COMPOSITE, PLAYWRIGHT - EnvUpdateExecutor: Secure .env file management with key validation - DockerExecutor: Docker Compose operations with path security - CompositeExecutor: Sequential task execution with fail-fast behavior - Comprehensive unit tests (84 tests) - Docker deployment configuration 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com> 2025-12-03 11:05:54 +01:00			`- MAX_FILE_SIZE=${MAX_FILE_SIZE:-10485760}`
			`- SHELL_TIMEOUT=${SHELL_TIMEOUT:-60}`

feat: add Playwright browser automation executor Stage 1 - Core Framework: - Add PlaywrightExecutor with scenario-based dispatch - Implement mandatory domain allowlists for security - Add route interception to block unauthorized domains - Create BaseScenario ABC, ScenarioOptions, ScenarioResult - Add scenario registry with @register_scenario decorator - Add validation helpers (is_domain_allowed, validate_allowed_domains) - Add Playwright config settings (artifacts dir, timeouts) Stage 2 - Scenarios: - Add 'echo' test scenario for connectivity verification - Add 'nextcloud_initial_setup' for first-time admin setup wizard - Install Playwright + Chromium in Dockerfile - Configure docker-compose with artifacts volume and security opts Includes 32 unit tests for validation logic and executor behavior. 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com> 2025-12-08 15:55:16 +01:00			`# Playwright browser automation`
			`- PLAYWRIGHT_ARTIFACTS_DIR=${PLAYWRIGHT_ARTIFACTS_DIR:-/opt/letsbe/playwright-artifacts}`
			`- PLAYWRIGHT_DEFAULT_TIMEOUT_MS=${PLAYWRIGHT_DEFAULT_TIMEOUT_MS:-60000}`
			`- PLAYWRIGHT_NAVIGATION_TIMEOUT_MS=${PLAYWRIGHT_NAVIGATION_TIMEOUT_MS:-120000}`

Initial commit: SysAdmin Agent with executors - Core agent architecture with task manager and orchestrator client - Executors: ECHO, SHELL, FILE_WRITE, ENV_UPDATE, DOCKER_RELOAD, COMPOSITE, PLAYWRIGHT - EnvUpdateExecutor: Secure .env file management with key validation - DockerExecutor: Docker Compose operations with path security - CompositeExecutor: Sequential task execution with fail-fast behavior - Comprehensive unit tests (84 tests) - Docker deployment configuration 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com> 2025-12-03 11:05:54 +01:00			`volumes:`
			`# Docker socket for docker executor`
			`- /var/run/docker.sock:/var/run/docker.sock`

			`# Hot reload in development`
			`- ./app:/app/app:ro`
feat: add Playwright browser automation executor Stage 1 - Core Framework: - Add PlaywrightExecutor with scenario-based dispatch - Implement mandatory domain allowlists for security - Add route interception to block unauthorized domains - Create BaseScenario ABC, ScenarioOptions, ScenarioResult - Add scenario registry with @register_scenario decorator - Add validation helpers (is_domain_allowed, validate_allowed_domains) - Add Playwright config settings (artifacts dir, timeouts) Stage 2 - Scenarios: - Add 'echo' test scenario for connectivity verification - Add 'nextcloud_initial_setup' for first-time admin setup wizard - Install Playwright + Chromium in Dockerfile - Configure docker-compose with artifacts volume and security opts Includes 32 unit tests for validation logic and executor behavior. 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com> 2025-12-08 15:55:16 +01:00			`- ./tests:/app/tests:ro`
			`- ./pytest.ini:/app/pytest.ini:ro`
Initial commit: SysAdmin Agent with executors - Core agent architecture with task manager and orchestrator client - Executors: ECHO, SHELL, FILE_WRITE, ENV_UPDATE, DOCKER_RELOAD, COMPOSITE, PLAYWRIGHT - EnvUpdateExecutor: Secure .env file management with key validation - DockerExecutor: Docker Compose operations with path security - CompositeExecutor: Sequential task execution with fail-fast behavior - Comprehensive unit tests (84 tests) - Docker deployment configuration 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com> 2025-12-03 11:05:54 +01:00
Fix docker volume mounts for host directory access - Replace named volume (agent_data) with bind mounts for /opt/letsbe/{env,stacks,nginx} - Update ALLOWED_FILE_ROOT default from /opt/agent_data to /opt/letsbe - Add startup validation that warns (but doesn't block) if host dirs missing This fixes ENV_UPDATE writes going to container filesystem instead of host, and DOCKER_RELOAD failing with "File does not exist" errors. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com> 2025-12-03 15:20:07 +01:00			`# Host directory mounts for real infrastructure access`
			`- /opt/letsbe/env:/opt/letsbe/env`
			`- /opt/letsbe/stacks:/opt/letsbe/stacks`
			`- /opt/letsbe/nginx:/opt/letsbe/nginx`
Initial commit: SysAdmin Agent with executors - Core agent architecture with task manager and orchestrator client - Executors: ECHO, SHELL, FILE_WRITE, ENV_UPDATE, DOCKER_RELOAD, COMPOSITE, PLAYWRIGHT - EnvUpdateExecutor: Secure .env file management with key validation - DockerExecutor: Docker Compose operations with path security - CompositeExecutor: Sequential task execution with fail-fast behavior - Comprehensive unit tests (84 tests) - Docker deployment configuration 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com> 2025-12-03 11:05:54 +01:00
			`# Pending results persistence`
			`- agent_home:/home/agent/.letsbe-agent`

feat: add Playwright browser automation executor Stage 1 - Core Framework: - Add PlaywrightExecutor with scenario-based dispatch - Implement mandatory domain allowlists for security - Add route interception to block unauthorized domains - Create BaseScenario ABC, ScenarioOptions, ScenarioResult - Add scenario registry with @register_scenario decorator - Add validation helpers (is_domain_allowed, validate_allowed_domains) - Add Playwright config settings (artifacts dir, timeouts) Stage 2 - Scenarios: - Add 'echo' test scenario for connectivity verification - Add 'nextcloud_initial_setup' for first-time admin setup wizard - Install Playwright + Chromium in Dockerfile - Configure docker-compose with artifacts volume and security opts Includes 32 unit tests for validation logic and executor behavior. 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com> 2025-12-08 15:55:16 +01:00			`# Playwright artifacts storage`
			`- playwright_artifacts:/opt/letsbe/playwright-artifacts`

			`# Security options for Chromium sandboxing`
			`security_opt:`
			`- seccomp=unconfined`

Initial commit: SysAdmin Agent with executors - Core agent architecture with task manager and orchestrator client - Executors: ECHO, SHELL, FILE_WRITE, ENV_UPDATE, DOCKER_RELOAD, COMPOSITE, PLAYWRIGHT - EnvUpdateExecutor: Secure .env file management with key validation - DockerExecutor: Docker Compose operations with path security - CompositeExecutor: Sequential task execution with fail-fast behavior - Comprehensive unit tests (84 tests) - Docker deployment configuration 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com> 2025-12-03 11:05:54 +01:00			`# Run as root for Docker socket access in dev`
			`# In production, use Docker group membership instead`
			`user: root`

			`restart: unless-stopped`

feat: add Playwright browser automation executor Stage 1 - Core Framework: - Add PlaywrightExecutor with scenario-based dispatch - Implement mandatory domain allowlists for security - Add route interception to block unauthorized domains - Create BaseScenario ABC, ScenarioOptions, ScenarioResult - Add scenario registry with @register_scenario decorator - Add validation helpers (is_domain_allowed, validate_allowed_domains) - Add Playwright config settings (artifacts dir, timeouts) Stage 2 - Scenarios: - Add 'echo' test scenario for connectivity verification - Add 'nextcloud_initial_setup' for first-time admin setup wizard - Install Playwright + Chromium in Dockerfile - Configure docker-compose with artifacts volume and security opts Includes 32 unit tests for validation logic and executor behavior. 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com> 2025-12-08 15:55:16 +01:00			`# Resource limits (increased for Playwright browser automation)`
Initial commit: SysAdmin Agent with executors - Core agent architecture with task manager and orchestrator client - Executors: ECHO, SHELL, FILE_WRITE, ENV_UPDATE, DOCKER_RELOAD, COMPOSITE, PLAYWRIGHT - EnvUpdateExecutor: Secure .env file management with key validation - DockerExecutor: Docker Compose operations with path security - CompositeExecutor: Sequential task execution with fail-fast behavior - Comprehensive unit tests (84 tests) - Docker deployment configuration 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com> 2025-12-03 11:05:54 +01:00			`deploy:`
			`resources:`
			`limits:`
feat: add Playwright browser automation executor Stage 1 - Core Framework: - Add PlaywrightExecutor with scenario-based dispatch - Implement mandatory domain allowlists for security - Add route interception to block unauthorized domains - Create BaseScenario ABC, ScenarioOptions, ScenarioResult - Add scenario registry with @register_scenario decorator - Add validation helpers (is_domain_allowed, validate_allowed_domains) - Add Playwright config settings (artifacts dir, timeouts) Stage 2 - Scenarios: - Add 'echo' test scenario for connectivity verification - Add 'nextcloud_initial_setup' for first-time admin setup wizard - Install Playwright + Chromium in Dockerfile - Configure docker-compose with artifacts volume and security opts Includes 32 unit tests for validation logic and executor behavior. 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com> 2025-12-08 15:55:16 +01:00			`cpus: '1.5'`
			`memory: 1G`
Initial commit: SysAdmin Agent with executors - Core agent architecture with task manager and orchestrator client - Executors: ECHO, SHELL, FILE_WRITE, ENV_UPDATE, DOCKER_RELOAD, COMPOSITE, PLAYWRIGHT - EnvUpdateExecutor: Secure .env file management with key validation - DockerExecutor: Docker Compose operations with path security - CompositeExecutor: Sequential task execution with fail-fast behavior - Comprehensive unit tests (84 tests) - Docker deployment configuration 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com> 2025-12-03 11:05:54 +01:00			`reservations:`
feat: add Playwright browser automation executor Stage 1 - Core Framework: - Add PlaywrightExecutor with scenario-based dispatch - Implement mandatory domain allowlists for security - Add route interception to block unauthorized domains - Create BaseScenario ABC, ScenarioOptions, ScenarioResult - Add scenario registry with @register_scenario decorator - Add validation helpers (is_domain_allowed, validate_allowed_domains) - Add Playwright config settings (artifacts dir, timeouts) Stage 2 - Scenarios: - Add 'echo' test scenario for connectivity verification - Add 'nextcloud_initial_setup' for first-time admin setup wizard - Install Playwright + Chromium in Dockerfile - Configure docker-compose with artifacts volume and security opts Includes 32 unit tests for validation logic and executor behavior. 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com> 2025-12-08 15:55:16 +01:00			`cpus: '0.25'`
			`memory: 256M`
Initial commit: SysAdmin Agent with executors - Core agent architecture with task manager and orchestrator client - Executors: ECHO, SHELL, FILE_WRITE, ENV_UPDATE, DOCKER_RELOAD, COMPOSITE, PLAYWRIGHT - EnvUpdateExecutor: Secure .env file management with key validation - DockerExecutor: Docker Compose operations with path security - CompositeExecutor: Sequential task execution with fail-fast behavior - Comprehensive unit tests (84 tests) - Docker deployment configuration 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com> 2025-12-03 11:05:54 +01:00
			`volumes:`
			`agent_home:`
			`name: letsbe-agent-home`
feat: add Playwright browser automation executor Stage 1 - Core Framework: - Add PlaywrightExecutor with scenario-based dispatch - Implement mandatory domain allowlists for security - Add route interception to block unauthorized domains - Create BaseScenario ABC, ScenarioOptions, ScenarioResult - Add scenario registry with @register_scenario decorator - Add validation helpers (is_domain_allowed, validate_allowed_domains) - Add Playwright config settings (artifacts dir, timeouts) Stage 2 - Scenarios: - Add 'echo' test scenario for connectivity verification - Add 'nextcloud_initial_setup' for first-time admin setup wizard - Install Playwright + Chromium in Dockerfile - Configure docker-compose with artifacts volume and security opts Includes 32 unit tests for validation logic and executor behavior. 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com> 2025-12-08 15:55:16 +01:00			`playwright_artifacts:`
			`name: letsbe-playwright-artifacts`