# Sandbox worker for megasthenes — isolated git + tool execution.
# Requires gVisor runtime (runsc). See: https://gvisor.dev/docs/user_guide/install/

services:
  sandbox:
    image: ghcr.io/nilenso/megasthenes-sandbox:latest
    runtime: runsc
    cap_drop:
      - ALL
    cap_add:
      - SYS_ADMIN
    security_opt:
      - no-new-privileges
    tmpfs:
      - /tmp:rw,size=64m
    dns:
      - 8.8.8.8
      - 8.8.4.4
    ports:
      - "8080:8080"
    environment:
      - PORT=8080
      # Optional: set a shared secret for API authentication
      # - SANDBOX_SECRET=your-secret-here
    healthcheck:
      test: ["CMD", "bun", "-e", "fetch('http://localhost:8080/health').then(r=>r.ok?process.exit(0):process.exit(1)).catch(()=>process.exit(1))"]
      interval: 5s
      timeout: 3s
      retries: 5
    network_mode: bridge
    restart: unless-stopped