feat: Full stack Docker Compose deployment with multi-agent container support

[raykao]

feat: Full stack Docker Compose deployment with multi-agent container support

Overview

This tracking issue covers the end-to-end work required to run copilot-bridge as a fully containerised stack using Docker Compose, with support for multiple isolated agent containers, secure secret injection via 1Password, and a hardened architecture that minimises host exposure.

Motivation

copilot-bridge is currently designed to run as a bare-metal service on a developer workstation or server. As adoption grows, teams need a production-grade deployment path that provides:

• Isolation: each agent runs in its own container with its own workspace, identity, and network scope
• Security: no plaintext secrets on disk or in images; secrets injected at runtime via 1Password
• Reproducibility: the full stack (Mattermost + bridge + agents) spun up with a single docker compose up
• Resilience: the bridge waits for Mattermost to be healthy before starting; agents are restarted automatically on crash

Target Architecture

Host (Linux or macOS)
  |
  +-- docker-socket-proxy      (filtered Docker API - no raw socket exposure)
  |
  +-- mattermost               (chat platform, healthchecked)
  |
  +-- copilot-bridge (admin)   (waits on mattermost healthy; talks to socket proxy)
        |
        +-- agent: lal         (spawned on demand; mattermost-net only)
        +-- agent: data        (spawned on demand; mattermost-net only)

Networks:

• mattermost-net: Mattermost + admin bridge + all agent containers
• socket-proxy-net (internal): admin bridge + socket proxy only

Secret flow:

1Password (source of truth)
  -> op-sa-token sealed in TPM (Linux) or Keychain (macOS) on host
  -> Docker secret at container start
  -> op inject renders config.json.tpl -> /tmp/config.json (tmpfs)
  -> copilot-bridge start

Sub-issues

• feat: Secure credential management via 1Password CLI and Docker secrets #142 - Secure credential management via 1Password CLI and Docker secrets
• feat: Add official Dockerfile and container entrypoint #143 - Add official Dockerfile and container entrypoint
• feat: GitHub Copilot authentication in headless containerised deployments #144 - GitHub Copilot authentication in headless containerised deployments
• feat: Dynamic agent container spawning via Docker API #146 - Dynamic agent container spawning via Docker API
• feat: Agent container lifecycle management (idle pause, auto-restart) #147 - Agent container lifecycle management (idle pause, auto-restart)
• feat: docker-compose.yml full stack definition #148 - docker-compose.yml full stack definition

Threat Model

Threat	Mitigated?
Secrets in git	Yes - only op:// references committed
Secrets in container image	Yes - injected at runtime
Secrets in env vars or logs	Yes - rendered to tmpfs only
Agent accessing Docker API	Yes - socket proxy on isolated internal network
Agent accessing other agent workspaces	Yes - separate volume mounts per agent
Host root access	Out of scope - if root is compromised, all bets are off

Reported By

Agent (automated) - drafted collaboratively with user raykao