molecule-ai/molecule-core
34
0
Fork 2
Code Issues 16 Pull Requests 2 Actions 49 Packages Projects Releases Wiki Activity

feat(local-dev): containerize platform + canvas stack via docker-compose (closes #126)
Some checks failed
CodeQL / Analyze (${{ matrix.language }}) (go) (pull_request) Successful in 1s
Details
CodeQL / Analyze (${{ matrix.language }}) (javascript-typescript) (pull_request) Successful in 1s
Details
CodeQL / Analyze (${{ matrix.language }}) (python) (pull_request) Successful in 0s
Details
Block internal-flavored paths / Block forbidden paths (pull_request) Successful in 4s
Details
CI / Detect changes (pull_request) Successful in 7s
Details
E2E API Smoke Test / detect-changes (pull_request) Successful in 7s
Details
Secret scan / Scan diff for credential-shaped strings (pull_request) Successful in 6s
Details
Handlers Postgres Integration / detect-changes (pull_request) Successful in 8s
Details
Harness Replays / detect-changes (pull_request) Successful in 8s
Details
Runtime PR-Built Compatibility / detect-changes (pull_request) Successful in 8s
Details
E2E Staging Canvas (Playwright) / detect-changes (pull_request) Successful in 8s
Details
CI / Shellcheck (E2E scripts) (pull_request) Successful in 2s
Details
Handlers Postgres Integration / Handlers Postgres Integration (pull_request) Successful in 3s
Details
CI / Python Lint & Test (pull_request) Successful in 3s
Details
Runtime PR-Built Compatibility / PR-built wheel + import smoke (pull_request) Successful in 4s
Details
Harness Replays / Harness Replays (pull_request) Failing after 5s
Details
E2E API Smoke Test / E2E API Smoke Test (pull_request) Successful in 51s
Details
CI / Canvas (Next.js) (pull_request) Successful in 2m5s
Details
CI / Canvas Deploy Reminder (pull_request) Has been skipped
Details
CI / Platform (Go) (pull_request) Successful in 2m31s
Details
E2E Staging Canvas (Playwright) / Canvas tabs E2E (pull_request) Successful in 4m22s
Details

Browse Source 
Replaces the legacy nohup `go run ./cmd/server` setup with a fully
containerized local stack: postgres + redis + platform + canvas, all
with `restart: unless-stopped` so they survive Mac sleep/wake and
Docker Desktop daemon restarts.

## Changes

- **docker-compose.yml**
  - `restart: unless-stopped` on platform/postgres/redis
  - `BIND_ADDR=0.0.0.0` for platform — the dev-mode-fail-open default
    of 127.0.0.1 (PR #7) made the host unable to reach the container
    even with port mapping. Container netns is already isolated, so
    binding all interfaces inside is safe.
  - Healthchecks switched from `wget --spider` (HEAD → 404 forever
    because /health is GET-only) to `wget -qO /dev/null` (GET).
    Same regression existed on canvas; fixed both.

- **workspace-server/Dockerfile.dev**
  - `CGO_ENABLED=1` → `0` to match prod Dockerfile + Dockerfile.tenant.
    Without this, the alpine dev image fails with "gcc: not found"
    because workspace-server has no actual cgo deps but the env was
    forcing the cgo build path. Closes a divergence introduced in
    9d50a6da (today's air hot-reload PR).

- **canvas/Dockerfile**
  - `npm install` → `npm ci --include=optional` for lockfile-exact
    installs that include platform-specific @tailwindcss/oxide native
    binaries. Without these, `next build` fails with "Cannot read
    properties of undefined (reading 'All')" on the
    `@import "tailwindcss"` directive.

- **canvas/.dockerignore** (new)
  - Excludes `node_modules` and `.next` so the Dockerfile's
    `COPY . .` step doesn't clobber the freshly-installed container
    node_modules with the host's (potentially stale or wrong-arch)
    copy. This was the actual root cause of the canvas build break.

- **workspace-server/.gitignore**
  - Adds `/tmp/` for air's live-reload build cache.

## Stage A verified

```
container          status                    restart
postgres-1         Up (healthy)              unless-stopped
redis-1            Up (healthy)              unless-stopped
platform-1         Up (healthy, air-mode)    unless-stopped
canvas-1           Up (healthy)              unless-stopped

GET :8080/health  → 200
GET :3000/        → 200
DB preserved:     407 workspace rows + 5 named personas
Persona mount:    28 dirs at /etc/molecule-bootstrap/personas
```

## Stage B — N/A

This is local-dev infrastructure only. None of these files ship to
SaaS tenants — production EC2s use `Dockerfile.tenant` + `ec2.go`
user-data, not docker-compose.

## Out of scope

- The decorative-but-broken `wget --spider` healthcheck has presumably
  also been silently 404'ing on prod tenants. Ship a follow-up to
  audit + fix the prod path; not done here to keep the PR scoped.
- Docker Desktop "Start at login" is a per-machine GUI setting that
  must be toggled manually (Settings → General).
- The legacy heartbeat-all.sh that pinged 5 persona workspaces from
  the host has been deleted (~/.molecule-ai/heartbeat-all.sh).
  Per Hongming: each workspace is responsible for its own heartbeat.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This commit is contained in:
claude-ceo-assistant 2026-05-08 10:53:39 -07:00
parent 44bb35f2a8
commit 7eda8f510f
5 changed files with 30 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
canvas/.dockerignore Normal file
View File

@ -0,0 +1,10 @@
# Excluded from `docker build` context. Without this, the COPY . . step in
# canvas/Dockerfile clobbers the freshly-installed node_modules with the
# host's (potentially broken / wrong-arch) copy — the @tailwindcss/oxide
# native binary disagreed and broke `next build`.
node_modules
.next
.git
*.log
.env*
!.env.example

6
canvas/Dockerfile
View File

@ -1,7 +1,11 @@
FROM node:22-alpine AS builder FROM node:22-alpine AS builder
WORKDIR /app WORKDIR /app
COPY package.json package-lock.json* ./ COPY package.json package-lock.json* ./
RUN npm install # `npm ci` (not `install`) for lockfile-exact reproducibility.
# `--include=optional` ensures the platform-specific @tailwindcss/oxide
# native binary lands — without it, postcss fails with "Cannot read
# properties of undefined (reading 'All')" at build time.
RUN npm ci --include=optional
COPY . . COPY . .
ARG NEXT_PUBLIC_PLATFORM_URL=http://localhost:8080 ARG NEXT_PUBLIC_PLATFORM_URL=http://localhost:8080
ARG NEXT_PUBLIC_WS_URL=ws://localhost:8080/ws ARG NEXT_PUBLIC_WS_URL=ws://localhost:8080/ws

13
docker-compose.yml
View File

@ -13,6 +13,7 @@ services:
- pgdata:/var/lib/postgresql/data - pgdata:/var/lib/postgresql/data
networks: networks:
- molecule-monorepo-net - molecule-monorepo-net
restart: unless-stopped
healthcheck: healthcheck:
test: ["CMD-SHELL", "pg_isready -U ${POSTGRES_USER:-dev}"] test: ["CMD-SHELL", "pg_isready -U ${POSTGRES_USER:-dev}"]
interval: 2s interval: 2s
@ -50,6 +51,7 @@ services:
- redisdata:/data - redisdata:/data
networks: networks:
- molecule-monorepo-net - molecule-monorepo-net
restart: unless-stopped
healthcheck: healthcheck:
test: ["CMD", "redis-cli", "ping"] test: ["CMD", "redis-cli", "ping"]
interval: 2s interval: 2s
@ -126,6 +128,10 @@ services:
REDIS_URL: redis://redis:6379 REDIS_URL: redis://redis:6379
PORT: "${PLATFORM_PORT:-8080}" PORT: "${PLATFORM_PORT:-8080}"
PLATFORM_URL: "http://platform:${PLATFORM_PORT:-8080}" PLATFORM_URL: "http://platform:${PLATFORM_PORT:-8080}"
# Container network namespace is already isolated; "all interfaces"
# inside the container = the bridge interface only. The fail-open
# default (127.0.0.1) would block host-to-container access.
BIND_ADDR: "${BIND_ADDR:-0.0.0.0}"
# Default MOLECULE_ENV=development so the WorkspaceAuth / AdminAuth # Default MOLECULE_ENV=development so the WorkspaceAuth / AdminAuth
# middleware fail-open path activates when ADMIN_TOKEN is unset — # middleware fail-open path activates when ADMIN_TOKEN is unset —
# otherwise the canvas (which runs without a bearer in pure local # otherwise the canvas (which runs without a bearer in pure local
@ -212,8 +218,11 @@ services:
- "${PLATFORM_PUBLISH_PORT:-8080}:${PLATFORM_PORT:-8080}" - "${PLATFORM_PUBLISH_PORT:-8080}:${PLATFORM_PORT:-8080}"
networks: networks:
- molecule-monorepo-net - molecule-monorepo-net
restart: unless-stopped
healthcheck: healthcheck:
test: ["CMD-SHELL", "wget --no-verbose --tries=1 --spider http://localhost:${PLATFORM_PORT:-8080}/health || exit 1"] # Plain GET — `--spider` would issue HEAD, which returns 404 because
# /health is registered as GET only.
test: ["CMD-SHELL", "wget -qO /dev/null --tries=1 http://localhost:${PLATFORM_PORT:-8080}/health || exit 1"]
interval: 5s interval: 5s
timeout: 5s timeout: 5s
retries: 10 retries: 10
@ -251,7 +260,7 @@ services:
networks: networks:
- molecule-monorepo-net - molecule-monorepo-net
healthcheck: healthcheck:
test: ["CMD-SHELL", "wget --no-verbose --tries=1 --spider http://127.0.0.1:${CANVAS_PORT:-3000} || exit 1"] test: ["CMD-SHELL", "wget -qO /dev/null --tries=1 http://127.0.0.1:${CANVAS_PORT:-3000} || exit 1"]
interval: 10s interval: 10s
timeout: 5s timeout: 5s
retries: 10 retries: 10

3
workspace-server/.gitignore vendored
View File

@ -1,2 +1,5 @@
# The compiled binary, not the cmd/server package. # The compiled binary, not the cmd/server package.
/server /server
# air live-reload build cache (Dockerfile.dev + docker-compose.dev.yml).
/tmp/

2
workspace-server/Dockerfile.dev
View File

@ -31,7 +31,7 @@ RUN go mod download
# block) so the Dockerfile doesn't need to COPY it. air watches the # block) so the Dockerfile doesn't need to COPY it. air watches the
# bind-mounted dir for changes. # bind-mounted dir for changes.
ENV CGO_ENABLED=1 ENV CGO_ENABLED=0
ENV GOFLAGS="-buildvcs=false" ENV GOFLAGS="-buildvcs=false"
# Run air with the .air.toml in the bind-mounted source dir. # Run air with the .air.toml in the bind-mounted source dir.