@ai-support-agent/cli 0.0.39 → 0.0.40-beta.0

package/dist/docker/docker-runner.js

@@ -1,4 +1,10 @@
 "use strict";
+/**
+ * Docker runner — main entry point for Docker-based execution
+ *
+ * Orchestrates Docker availability check, image build, and container supervision.
+ * Supports both legacy single-container mode and per-project supervisor mode.
+ */
 var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
     if (k2 === undefined) k2 = k;
     var desc = Object.getOwnPropertyDescriptor(m, k);
@@ -33,375 +39,24 @@ var __importStar = (this && this.__importStar) || (function () {
     };
 })();
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.checkDockerAvailable = checkDockerAvailable;
-exports.imageExists = imageExists;
-exports.buildImage = buildImage;
-exports.validatePackageNames = validatePackageNames;
-exports.generateProjectDockerfile = generateProjectDockerfile;
-exports.buildProjectImage = buildProjectImage;
-exports.buildContainerName = buildContainerName;
-exports.removeStaleContainer = removeStaleContainer;
-exports.buildVolumeMounts = buildVolumeMounts;
-exports.buildEnvArgs = buildEnvArgs;
+exports.DockerSupervisor = exports.migrateProjectConfigDir = exports.ensureImage = exports.resetInstalledVersionCache = exports.getInstalledVersion = exports.buildProjectVolumeMounts = exports.buildEnvArgs = exports.buildVolumeMounts = exports.buildProjectImage = exports.syncDockerfileToConfigDir = exports.generateProjectDockerfile = exports.validatePackageNames = exports.dockerLogin = exports.removeStaleContainer = exports.buildContainerName = exports.buildImage = exports.imageExists = exports.checkDockerAvailable = void 0;
 exports.buildContainerArgs = buildContainerArgs;
-exports.getInstalledVersion = getInstalledVersion;
-exports.resetInstalledVersionCache = resetInstalledVersionCache;
-exports.ensureImage = ensureImage;
-exports.dockerLogin = dockerLogin;
-exports.syncDockerfileToConfigDir = syncDockerfileToConfigDir;
-exports.migrateProjectConfigDir = migrateProjectConfigDir;
 exports.resetIsDockerRunning = resetIsDockerRunning;
 exports.runInDocker = runInDocker;
 const child_process_1 = require("child_process");
-const fs = __importStar(require("fs"));
 const os = __importStar(require("os"));
-const path = __importStar(require("path"));
-const dockerfile_path_1 = require("./dockerfile-path");
 const constants_1 = require("../constants");
 const config_manager_1 = require("../config-manager");
 const pid_manager_1 = require("../pid-manager");
 const i18n_1 = require("../i18n");
 const logger_1 = require("../logger");
-const security_1 = require("../security");
 const claude_config_validator_1 = require("../utils/claude-config-validator");
-const version_1 = require("../utils/version");
-const update_checker_1 = require("../update-checker");
-const api_client_1 = require("../api-client");
-function makeSessionId() {
-    const d = new Date();
-    const pad = (n, len = 2) => String(n).padStart(len, '0');
-    return (String(d.getFullYear()) +
-        pad(d.getMonth() + 1) +
-        pad(d.getDate()) +
-        pad(d.getHours()) +
-        pad(d.getMinutes()) +
-        pad(d.getSeconds()));
-}
-/** Convert a path.relative() result to POSIX format for container use */
-function toPosixRelative(relativePath) {
-    return relativePath.split(path.sep).join('/');
-}
-/**
- * Returns true when running via ts-node (i.e. `npm run dev`).
- * In this case, local dist/ should be mounted into containers instead of
- * relying on the npm-installed package inside the image.
- */
-function isRunningViaTsNode() {
-    const sym = Symbol.for('ts-node.register.instance');
-    return !!process[sym];
-}
-/**
- * Returns extra volume mount args to overlay the local dist/ into the container
- * when running in dev mode (ts-node), so the container uses local source code.
- * Returns an empty array when not in dev mode.
- */
-function buildDevMounts() {
-    if (!isRunningViaTsNode())
-        return [];
-    // __dirname is agent/src/docker — walk up two levels to get agent/
-    const agentRoot = path.resolve(__dirname, '..', '..');
-    const distDir = path.join(agentRoot, 'dist');
-    const localesDir = path.join(agentRoot, 'src', 'locales');
-    const containerBase = '/usr/local/lib/node_modules/@ai-support-agent/cli';
-    return [
-        '-v', `${distDir}:${containerBase}/dist:ro`,
-        '-v', `${localesDir}:${containerBase}/dist/locales:ro`,
-    ];
-}
-const IMAGE_NAME = 'ai-support-agent';
-const PASSTHROUGH_ENV_VARS = [
-    'AI_SUPPORT_AGENT_TOKEN',
-    'AI_SUPPORT_AGENT_API_URL',
-    'AI_SUPPORT_AGENT_CONFIG_DIR',
-    'ANTHROPIC_API_KEY',
-    'CLAUDE_CODE_OAUTH_TOKEN',
-];
-function checkDockerAvailable() {
-    try {
-        (0, child_process_1.execFileSync)('docker', ['info'], { stdio: 'ignore' });
-        return true;
-    }
-    catch {
-        return false;
-    }
-}
-function imageExists(version) {
-    try {
-        (0, child_process_1.execFileSync)('docker', ['image', 'inspect', `${IMAGE_NAME}:${version}`], { stdio: 'ignore' });
-        return true;
-    }
-    catch {
-        return false;
-    }
-}
-function buildImage(version, customDockerfile) {
-    const { dockerfilePath, contextDir } = (0, dockerfile_path_1.resolveDockerfile)(customDockerfile);
-    logger_1.logger.info((0, i18n_1.t)('docker.building'));
-    if (customDockerfile) {
-        logger_1.logger.info((0, i18n_1.t)('docker.usingCustomDockerfile', { path: dockerfilePath }));
-    }
-    (0, child_process_1.execFileSync)('docker', ['build', '-t', `${IMAGE_NAME}:${version}`, '--pull=false', '--build-arg', `AGENT_VERSION=${version}`, '-f', dockerfilePath, contextDir], { stdio: 'inherit' });
-    logger_1.logger.success((0, i18n_1.t)('docker.buildComplete'));
-}
-/** Allowlist for apt package names: letters, digits, hyphens, dots, plus signs, colons */
-const APT_PACKAGE_RE = /^[a-zA-Z0-9][a-zA-Z0-9+\-.:]*$/;
-/** Allowlist for npm package names: scoped (@scope/name) or plain, with version (@x.y.z) */
-const NPM_PACKAGE_RE = /^(@[a-zA-Z0-9_\-.]+\/)?[a-zA-Z0-9_\-.]+(@[a-zA-Z0-9._\-^~*]+)?$/;
-/**
- * Validate a list of package names against an allowlist regex.
- * Throws if any name is invalid to prevent Dockerfile injection.
- */
-function validatePackageNames(packages, type) {
-    const re = type === 'apt' ? APT_PACKAGE_RE : NPM_PACKAGE_RE;
-    for (const pkg of packages) {
-        if (!re.test(pkg)) {
-            throw new Error(`Invalid ${type} package name: "${pkg}"`);
-        }
-    }
-}
-/**
- * Generate a per-project Dockerfile that extends the base agent image.
- */
-function generateProjectDockerfile(baseVersion, aptPackages, npmPackages, commands = [], timezone) {
-    validatePackageNames(aptPackages, 'apt');
-    validatePackageNames(npmPackages, 'npm');
-    const lines = [`FROM ${IMAGE_NAME}:${baseVersion}`];
-    if (timezone) {
-        // Override the TZ env var set by docker run, allowing per-project custom timezone
-        lines.push(`ENV TZ=${timezone}`);
-    }
-    if (aptPackages.length > 0) {
-        lines.push(`RUN apt-get update && apt-get install -y --no-install-recommends \\`, `    ${aptPackages.join(' \\\n    ')} \\`, `    && rm -rf /var/lib/apt/lists/*`);
-    }
-    if (npmPackages.length > 0) {
-        lines.push(`RUN npm install -g ${npmPackages.join(' ')} && npm cache clean --force`);
-    }
-    for (const cmd of commands) {
-        if (/[\n\r|`;$()]/.test(cmd)) {
-            throw new Error(`Invalid command (contains forbidden character): "${cmd.substring(0, 50)}"`);
-        }
-        lines.push(`RUN ${cmd}`);
-    }
-    return lines.join('\n') + '\n';
-}
-/**
- * Build a per-project Docker image using the given Dockerfile.
- * Streams stdout/stderr to both the host terminal and the API (for real-time log viewing).
- */
-/** Maximum total log size kept in memory per session (2 MB). Older content is discarded. */
-const MAX_SESSION_LOG_BYTES = 2 * 1024 * 1024;
-/**
- * docker build プロセスに渡す環境変数を必要最小限に絞る。
- * process.env をそのまま渡すと API キー等の機密情報が漏洩するため、
- * ビルドに必要な変数のみを明示的に選択する。
- */
-function buildDockerEnv() {
-    const ALLOWED_KEYS = ['PATH', 'HOME', 'USER', 'TMPDIR', 'TMP', 'TEMP', 'LANG', 'LC_ALL'];
-    const env = {};
-    for (const key of ALLOWED_KEYS) {
-        if (process.env[key] !== undefined) {
-            env[key] = process.env[key];
-        }
-    }
-    env['BUILDKIT_PROGRESS'] = 'plain';
-    return env;
-}
-async function buildProjectImage(tenantCode, projectCode, baseVersion, dockerfilePath, apiClient, agentId) {
-    const imageTag = (0, dockerfile_path_1.getProjectImageTag)(tenantCode, projectCode, baseVersion);
-    const contextDir = (0, dockerfile_path_1.getDockerContextDir)();
-    const projectKey = `${tenantCode}#${projectCode}`;
-    const color = (0, logger_1.getProjectColor)(projectKey);
-    const reset = '\x1b[0m';
-    const prefix = `${color}[${projectKey}]${reset} `;
-    logger_1.logger.info(`[docker] Building project image: ${imageTag}`);
-    const sessionId = makeSessionId();
-    let seq = 0;
-    let fullLog = '';
-    let logTruncated = false;
-    let buf = '';
-    const flush = async () => {
-        if (!buf)
-            return;
-        const text = buf;
-        buf = '';
-        if (!logTruncated) {
-            if (fullLog.length + text.length <= MAX_SESSION_LOG_BYTES) {
-                fullLog += text;
-            }
-            else {
-                const remaining = MAX_SESSION_LOG_BYTES - fullLog.length;
-                fullLog += remaining > 0 ? text.slice(0, remaining) : '';
-                logTruncated = true;
-                logger_1.logger.warn('[docker] Build log exceeded 2 MB limit; remaining output will not be saved to S3');
-            }
-        }
-        if (apiClient) {
-            await apiClient.submitLogChunk({ agentId: agentId ?? '', projectCode, logType: 'docker-build', sessionId, seq: ++seq, text })
-                .catch((e) => logger_1.logger.warn(`[docker] Failed to send log chunk: ${e}`));
-        }
-    };
-    let buildError;
-    await new Promise((resolve, reject) => {
-        const proc = (0, child_process_1.spawn)('docker', [
-            'build', '-t', imageTag, '--pull=false', '--progress=plain',
-            '--build-arg', `AGENT_VERSION=${baseVersion}`,
-            '-f', dockerfilePath, contextDir,
-        ], { stdio: ['ignore', 'pipe', 'pipe'], env: buildDockerEnv() });
-        const writePrefixed = (0, logger_1.makeLinePrefixer)(prefix, (s) => process.stdout.write(s));
-        const onData = (d) => {
-            const text = d.toString();
-            writePrefixed(text);
-            buf += text;
-            if (buf.length > 4096) {
-                void flush();
-            }
-        };
-        proc.stdout?.on('data', onData);
-        proc.stderr?.on('data', onData);
-        proc.on('error', (err) => reject(err));
-        proc.on('close', (code) => {
-            if (code === 0)
-                resolve();
-            else
-                reject(new Error(`docker build exited with code ${code}`));
-        });
-    }).catch((e) => { buildError = e instanceof Error ? e : new Error(String(e)); });
-    await flush();
-    if (apiClient && fullLog) {
-        await apiClient.saveSessionLog({ agentId: agentId ?? '', projectCode, logType: 'docker-build', sessionId, content: fullLog })
-            .catch((e) => logger_1.logger.warn(`[docker] Failed to upload build log to S3: ${e}`));
-    }
-    if (buildError)
-        throw buildError;
-    logger_1.logger.success(`[docker] Project image built: ${imageTag}`);
-}
-/** Container-internal base path for project directories */
-const CONTAINER_PROJECTS_BASE = '/workspace/projects';
-/** Container-internal home directory */
-const CONTAINER_HOME = '/home/node';
-/**
- * Build a deterministic container name for a project.
- * Format: asa-{tenantCode}-{projectCode}-{agentId}
- * All components are lowercased and non-alphanumeric chars (except hyphens) are replaced with hyphens.
- */
-function buildContainerName(tenantCode, projectCode, agentId) {
-    const sanitize = (s) => s.toLowerCase().replace(/[^a-z0-9-]/g, '-');
-    const parts = ['ai', sanitize(tenantCode), sanitize(projectCode)];
-    if (agentId)
-        parts.push(sanitize(agentId));
-    return parts.join('-');
-}
-/**
- * Remove a stale container with the given name if it exists.
- * This handles the case where a previous run crashed and left a container behind,
- * which would prevent `docker run --name` from succeeding.
- */
-function removeStaleContainer(containerName) {
-    try {
-        (0, child_process_1.execFileSync)('docker', ['rm', '-f', containerName], { stdio: 'ignore' });
-    }
-    catch {
-        // Container does not exist or docker rm failed — ignore
-    }
-}
-function buildVolumeMounts() {
-    const home = os.homedir();
-    const mounts = [];
-    const projectMappings = [];
-    // Claude Code OAuth tokens and config — mount to container home
-    const claudeDir = path.join(home, '.claude');
-    if (fs.existsSync(claudeDir)) {
-        mounts.push('-v', `${claudeDir}:${path.posix.join(CONTAINER_HOME, '.claude')}:rw`);
-    }
-    const claudeJson = path.join(home, '.claude.json');
-    if (fs.existsSync(claudeJson)) {
-        mounts.push('-v', `${claudeJson}:${path.posix.join(CONTAINER_HOME, '.claude.json')}:rw`);
-    }
-    // Agent config — mount to container home
-    const agentConfigDir = (0, config_manager_1.getConfigDir)();
-    if (fs.existsSync(agentConfigDir)) {
-        const relativeToHome = path.relative(home, agentConfigDir);
-        const isUnderHome = !relativeToHome.startsWith('..');
-        const containerConfigDir = isUnderHome
-            ? path.posix.join(CONTAINER_HOME, toPosixRelative(relativeToHome))
-            : `/workspace/.config/ai-support-agent`;
-        mounts.push('-v', `${agentConfigDir}:${containerConfigDir}:rw`);
-    }
-    // AWS credentials — mount to container home
-    const awsDir = path.join(home, '.aws');
-    if (fs.existsSync(awsDir)) {
-        mounts.push('-v', `${awsDir}:${path.posix.join(CONTAINER_HOME, '.aws')}:ro`);
-    }
-    // Custom project directories — mount to /workspace/projects/{projectCode}
-    const config = (0, config_manager_1.loadConfig)();
-    if (config?.projects) {
-        const mounted = new Set();
-        const blockedPrefixes = [...security_1.BLOCKED_PATH_PREFIXES, ...(0, security_1.getSensitiveHomePaths)()];
-        for (const project of config.projects) {
-            if (project.projectDir && !mounted.has(project.projectDir) && fs.existsSync(project.projectDir)) {
-                let resolved;
-                try {
-                    resolved = fs.realpathSync(project.projectDir);
-                }
-                catch {
-                    logger_1.logger.warn(`[docker] Cannot resolve path, skipping: ${project.projectDir}`);
-                    continue;
-                }
-                const isBlocked = blockedPrefixes.some((prefix) => {
-                    const prefixWithoutSlash = prefix.replace(/\/$/, '');
-                    return resolved === prefixWithoutSlash || resolved.startsWith(prefix);
-                });
-                if (isBlocked) {
-                    logger_1.logger.warn(`[docker] Skipping blocked path for volume mount: ${project.projectDir}`);
-                    continue;
-                }
-                const containerDir = `${CONTAINER_PROJECTS_BASE}/${project.projectCode}`;
-                mounts.push('-v', `${project.projectDir}:${containerDir}:rw`);
-                projectMappings.push({
-                    hostDir: project.projectDir,
-                    containerDir,
-                    projectCode: project.projectCode,
-                });
-                mounted.add(project.projectDir);
-            }
-        }
-    }
-    return { mounts, projectMappings };
-}
-function buildEnvArgs(projectMappings) {
-    const args = [];
-    // Mark process as running inside a Docker container
-    args.push('-e', 'AI_SUPPORT_AGENT_IN_DOCKER=1');
-    // Set HOME to container-internal path (not host path)
-    args.push('-e', `HOME=${CONTAINER_HOME}`);
-    // Map config dir to container-internal path
-    const hostConfigDir = (0, config_manager_1.getConfigDir)();
-    const home = os.homedir();
-    const relativeToHome = path.relative(home, hostConfigDir);
-    const isUnderHome = !relativeToHome.startsWith('..');
-    const containerConfigDir = isUnderHome
-        ? path.posix.join(CONTAINER_HOME, toPosixRelative(relativeToHome))
-        : `/workspace/.config/ai-support-agent`;
-    for (const key of PASSTHROUGH_ENV_VARS) {
-        if (process.env[key]) {
-            if (key === 'AI_SUPPORT_AGENT_CONFIG_DIR') {
-                args.push('-e', `${key}=${containerConfigDir}`);
-            }
-            else {
-                args.push('-e', `${key}=${process.env[key]}`);
-            }
-        }
-    }
-    // Pass project directory mappings so agent uses container-internal paths
-    if (projectMappings.length > 0) {
-        // Format: projectCode=containerDir;projectCode2=containerDir2
-        const mapping = projectMappings
-            .map((m) => `${m.projectCode}=${m.containerDir}`)
-            .join(';');
-        args.push('-e', `AI_SUPPORT_AGENT_PROJECT_DIR_MAP=${mapping}`);
-    }
-    return args;
-}
+const docker_utils_1 = require("./docker-utils");
+const version_manager_1 = require("./version-manager");
+const dockerfile_sync_1 = require("./dockerfile-sync");
+const volume_mount_builder_1 = require("./volume-mount-builder");
+const docker_supervisor_1 = require("./docker-supervisor");
+const update_handler_1 = require("./update-handler");
 function buildContainerArgs(opts) {
     const args = ['ai-support-agent', 'start', '--no-docker'];
     if (opts.token) {
@@ -430,626 +85,13 @@ function buildContainerArgs(opts) {
     }
     return args;
 }
-let cachedInstalledVersion = null;
-/**
- * Get the currently installed version of @ai-support-agent/cli from npm global.
- * Falls back to AGENT_VERSION if npm query fails.
- * Result is cached after the first call.
- *
- * NOTE: Must only be called from host-side code (i.e. runInDocker).
- * Inside a Docker container the process runs with --no-docker, so
- * ensureImage() / getInstalledVersion() are never reached.
- */
-function getInstalledVersion() {
-    if (cachedInstalledVersion !== null)
-        return cachedInstalledVersion;
-    try {
-        const npmCmd = process.platform === 'win32' ? 'npm.cmd' : 'npm';
-        const output = (0, child_process_1.execFileSync)(npmCmd, ['list', '-g', '--json', '--depth=0'], {
-            encoding: 'utf-8',
-            timeout: 10_000,
-        });
-        const parsed = JSON.parse(output);
-        const version = parsed.dependencies?.['@ai-support-agent/cli']?.version;
-        if (version && (0, version_1.isValidVersion)(version)) {
-            cachedInstalledVersion = version;
-            return version;
-        }
-    }
-    catch {
-        // npm list failed — fall back to compile-time version
-    }
-    cachedInstalledVersion = constants_1.AGENT_VERSION;
-    return constants_1.AGENT_VERSION;
-}
-/**
- * Reset the cached installed version (for testing).
- */
-function resetInstalledVersionCache() {
-    cachedInstalledVersion = null;
-}
-function ensureImage(customDockerfile) {
-    const installedVersion = getInstalledVersion();
-    // Use the installed version if it is newer than the compile-time version
-    const version = (0, version_1.isNewerVersion)(constants_1.AGENT_VERSION, installedVersion) ? installedVersion : constants_1.AGENT_VERSION;
-    if (!imageExists(version)) {
-        buildImage(version, customDockerfile);
-    }
-    else {
-        logger_1.logger.info((0, i18n_1.t)('docker.imageFound', { version }));
-    }
-    return version;
-}
-function dockerLogin() {
-    logger_1.logger.info((0, i18n_1.t)('docker.loginStep1'));
-    console.log('');
-    console.log('  claude setup-token');
-    console.log('');
-    logger_1.logger.info((0, i18n_1.t)('docker.loginStep2'));
-    console.log('');
-    console.log('  export CLAUDE_CODE_OAUTH_TOKEN=<token>');
-    console.log('  ai-support-agent start');
-    console.log('');
-    logger_1.logger.info((0, i18n_1.t)('docker.loginStep3'));
-}
-/**
- * Called on the host after a container exits with DOCKER_UPDATE_EXIT_CODE.
- * Reads the new version from a project-specific config dir (written by the container),
- * installs it on the host with npm, then re-execs the process so ensureImage()
- * picks up the newly installed version and rebuilds the Docker image.
- */
-async function installUpdateAndRestart(projectConfigDir) {
-    let newVersion;
-    // First try project-specific config dir, fall back to global config dir
-    const searchDirs = projectConfigDir
-        ? [projectConfigDir, (0, config_manager_1.getConfigDir)()]
-        : [(0, config_manager_1.getConfigDir)()];
-    for (const dir of searchDirs) {
-        try {
-            const versionFile = path.join(dir, 'update-version.json');
-            const raw = fs.readFileSync(versionFile, 'utf-8');
-            const parsed = JSON.parse(raw);
-            if (parsed.version && (0, version_1.isValidVersion)(parsed.version)) {
-                newVersion = parsed.version;
-            }
-            fs.unlinkSync(versionFile);
-            break;
-        }
-        catch {
-            // File does not exist in this dir — try next
-        }
-    }
-    if (newVersion) {
-        logger_1.logger.info(`[docker] Installing @ai-support-agent/cli@${newVersion} on host...`);
-        // Always use 'global' install method on the host side regardless of how the
-        // host process was originally launched (it may be detected as 'local' in
-        // service/systemd environments where the script path is under node_modules).
-        const result = await (0, update_checker_1.performUpdate)(newVersion, 'global');
-        if (!result.success) {
-            logger_1.logger.warn(`[docker] Host npm install failed: ${result.error ?? 'unknown'}. Proceeding with existing version.`);
-        }
-        else {
-            // Invalidate the cached installed version so ensureImage() re-reads it
-            resetInstalledVersionCache(); // defined in this file
-        }
-    }
-    (0, update_checker_1.reExecProcess)();
-}
-/**
- * Copy the bundled Dockerfile (and entrypoint.sh) to the config directory
- * on first run so users can customise it.
- * Does NOT overwrite an existing file — user edits are preserved.
- * Exported for testing.
- */
-function syncDockerfileToConfigDir() {
-    const configDir = (0, config_manager_1.getConfigDir)();
-    const destDockerfile = path.join(configDir, 'Dockerfile');
-    if (fs.existsSync(destDockerfile))
-        return; // preserve existing file
-    try {
-        const srcDockerfile = (0, dockerfile_path_1.getDockerfilePath)();
-        fs.mkdirSync(configDir, { recursive: true, mode: 0o700 });
-        fs.copyFileSync(srcDockerfile, destDockerfile);
-        // Also copy entrypoint.sh which the bundled Dockerfile references via COPY
-        const srcEntrypoint = path.join((0, dockerfile_path_1.getDockerContextDir)(), 'docker', 'entrypoint.sh');
-        const destEntrypoint = path.join(configDir, 'docker', 'entrypoint.sh');
-        if (fs.existsSync(srcEntrypoint)) {
-            fs.mkdirSync(path.dirname(destEntrypoint), { recursive: true });
-            fs.copyFileSync(srcEntrypoint, destEntrypoint);
-        }
-        logger_1.logger.info((0, i18n_1.t)('docker.dockerfileSynced', { path: destDockerfile }));
-    }
-    catch (err) {
-        logger_1.logger.warn((0, i18n_1.t)('docker.dockerfileSyncFailed', { message: err instanceof Error ? err.message : String(err) }));
-    }
-}
-// ---------------------------------------------------------------------------
-// Per-project volume mount helpers
-// ---------------------------------------------------------------------------
-/**
- * Build volume mounts and env args for a single project container.
- * Each project gets its own isolated config dir under ~/.ai-support-agent/projects/{tenantCode}/{projectCode}/.ai-support-agent/
- */
-function buildProjectVolumeMounts(project, projectConfigHostDir) {
-    const home = os.homedir();
-    const mounts = [];
-    const envArgs = [];
-    // Claude Code OAuth tokens and config — mount to container home
-    const claudeDir = path.join(home, '.claude');
-    if (fs.existsSync(claudeDir)) {
-        mounts.push('-v', `${claudeDir}:${path.posix.join(CONTAINER_HOME, '.claude')}:rw`);
-    }
-    const claudeJson = path.join(home, '.claude.json');
-    if (fs.existsSync(claudeJson)) {
-        mounts.push('-v', `${claudeJson}:${path.posix.join(CONTAINER_HOME, '.claude.json')}:rw`);
-    }
-    // Per-project isolated config dir — mounts to /home/node/.ai-support-agent inside container
-    const containerConfigDir = path.posix.join(CONTAINER_HOME, '.ai-support-agent');
-    fs.mkdirSync(projectConfigHostDir, { recursive: true, mode: 0o700 });
-    mounts.push('-v', `${projectConfigHostDir}:${containerConfigDir}:rw`);
-    // Standard env vars for per-project container
-    envArgs.push('-e', 'AI_SUPPORT_AGENT_IN_DOCKER=1');
-    envArgs.push('-e', `HOME=${CONTAINER_HOME}`);
-    envArgs.push('-e', `AI_SUPPORT_AGENT_CONFIG_DIR=${containerConfigDir}`);
-    // Pass token and apiUrl per-project
-    if (project.token) {
-        envArgs.push('-e', `AI_SUPPORT_AGENT_TOKEN=${project.token}`);
-    }
-    if (project.apiUrl) {
-        // Replace localhost/127.0.0.1 with host.docker.internal so the container can reach the host
-        const containerApiUrl = project.apiUrl.replace(/^(https?:\/\/)(localhost|127\.0\.0\.1)(:\d+)?/, (_, scheme, _host, port) => `${scheme}host.docker.internal${port ?? ''}`);
-        envArgs.push('-e', `AI_SUPPORT_AGENT_API_URL=${containerApiUrl}`);
-    }
-    // Pass ANTHROPIC_API_KEY and CLAUDE_CODE_OAUTH_TOKEN if set
-    for (const key of ['ANTHROPIC_API_KEY', 'CLAUDE_CODE_OAUTH_TOKEN']) {
-        if (process.env[key]) {
-            envArgs.push('-e', `${key}=${process.env[key]}`);
-        }
-    }
-    // Pass host timezone so container clocks match the host by default.
-    // The per-project Dockerfile can override this with ENV TZ= if a custom timezone is configured.
-    const hostTz = Intl.DateTimeFormat().resolvedOptions().timeZone;
-    envArgs.push('-e', `TZ=${hostTz}`);
-    // Project dir mapping: single project only
-    const containerProjectDir = `${CONTAINER_PROJECTS_BASE}/${project.projectCode}`;
-    const blockedPrefixes = [...security_1.BLOCKED_PATH_PREFIXES, ...(0, security_1.getSensitiveHomePaths)()];
-    if (project.projectDir && fs.existsSync(project.projectDir)) {
-        let resolved;
-        try {
-            resolved = fs.realpathSync(project.projectDir);
-            const isBlocked = blockedPrefixes.some((prefix) => {
-                const prefixWithoutSlash = prefix.replace(/\/$/, '');
-                return resolved === prefixWithoutSlash || resolved.startsWith(prefix);
-            });
-            if (!isBlocked) {
-                mounts.push('-v', `${project.projectDir}:${containerProjectDir}:rw`);
-                envArgs.push('-e', `AI_SUPPORT_AGENT_PROJECT_DIR_MAP=${project.projectCode}=${containerProjectDir}`);
-            }
-            else {
-                logger_1.logger.warn(`[docker] Skipping blocked path for volume mount: ${project.projectDir}`);
-            }
-        }
-        catch {
-            logger_1.logger.warn(`[docker] Cannot resolve path, skipping: ${project.projectDir}`);
-        }
-    }
-    return { mounts, envArgs };
-}
-/**
- * Migrate per-project config directory from the legacy layout to the current layout.
- *
- * Legacy: ~/.ai-support-agent/projects/{projectCode}/
- * Current: ~/.ai-support-agent/projects/{tenantCode}/{projectCode}/
- *
- * Older agent versions stored project data without a tenantCode path segment.
- * This function moves the directory once so the current code finds it in the right place.
- */
-function migrateProjectConfigDir(project) {
-    const configBase = path.join((0, config_manager_1.getConfigDir)(), 'projects');
-    const legacyDir = path.join(configBase, project.projectCode);
-    const newDir = path.join(configBase, project.tenantCode, project.projectCode);
-    if (!fs.existsSync(legacyDir))
-        return; // nothing to migrate
-    if (fs.existsSync(newDir))
-        return; // already migrated
-    try {
-        fs.mkdirSync(path.join(configBase, project.tenantCode), { recursive: true, mode: 0o700 });
-        fs.renameSync(legacyDir, newDir);
-        logger_1.logger.info(`[docker] Migrated project config dir: ${legacyDir} → ${newDir}`);
-    }
-    catch (err) {
-        logger_1.logger.warn(`[docker] Failed to migrate project config dir for ${project.projectCode}: ${err instanceof Error ? err.message : String(err)}`);
-    }
-}
-/**
- * Get the host-side per-project config directory.
- * Located at: ~/.ai-support-agent/projects/{tenantCode}/{projectCode}/.ai-support-agent/
- */
-function getProjectConfigHostDir(project) {
-    return path.join((0, config_manager_1.getConfigDir)(), 'projects', project.tenantCode, project.projectCode, '.ai-support-agent');
-}
-/**
- * Manages one Docker container per project.
- * Spawned from runInDocker() when multiple projects are configured.
- */
-class DockerSupervisor {
-    handles = new Map();
-    updating = false;
-    opts;
-    version;
-    onAllStopped;
-    defaultAgentId;
-    /** Per-project agentId updated when the container registers with the API. */
-    projectAgentIds = new Map();
-    sigintHandler;
-    sigtermHandler;
-    constructor(version, opts) {
-        this.version = version;
-        this.opts = opts;
-        this.defaultAgentId = opts.agentId;
-    }
-    projectKey(project) {
-        return `${project.tenantCode}/${project.projectCode}`;
-    }
-    getProjectAgentId(project) {
-        return this.projectAgentIds.get(this.projectKey(project)) ?? this.defaultAgentId;
-    }
-    setProjectAgentId(project, agentId) {
-        this.projectAgentIds.set(this.projectKey(project), agentId);
-    }
-    createProjectApiClient(project) {
-        return new api_client_1.ApiClient(project.apiUrl, project.token);
-    }
-    start(projects, onStop) {
-        this.onAllStopped = onStop;
-        for (const project of projects) {
-            migrateProjectConfigDir(project);
-            this.spawnProject(project);
-        }
-        // Setup shutdown handlers
-        let shuttingDown = false;
-        const shutdown = () => {
-            if (shuttingDown)
-                return;
-            shuttingDown = true;
-            // Set updating flag so the close handler does not call process.exit again
-            this.updating = true;
-            if (this.sigintHandler)
-                process.removeListener('SIGINT', this.sigintHandler);
-            if (this.sigtermHandler)
-                process.removeListener('SIGTERM', this.sigtermHandler);
-            (0, pid_manager_1.removePidFile)();
-            logger_1.logger.info((0, i18n_1.t)('runner.shuttingDown'));
-            const closedPromises = [...this.handles.values()].map((h) => h.closedPromise);
-            this.stopAll();
-            onStop?.();
-            const shutdownTimer = setTimeout(() => {
-                logger_1.logger.warn('[docker] Shutdown timed out waiting for log flush; forcing exit');
-                process.exit(0);
-            }, this.opts.shutdownTimeoutMs ?? 10_000);
-            void Promise.all(closedPromises).then(() => {
-                clearTimeout(shutdownTimer);
-                process.exit(0);
-            });
-        };
-        this.sigintHandler = () => { logger_1.logger.info('[docker] SIGINT received, shutting down...'); shutdown(); };
-        this.sigtermHandler = () => { logger_1.logger.info('[docker] SIGTERM received, shutting down...'); shutdown(); };
-        process.on('SIGINT', this.sigintHandler);
-        process.on('SIGTERM', this.sigtermHandler);
-        // On macOS/Linux, Ctrl+C may not deliver SIGINT to Node.js when the terminal
-        // is in cooked mode and child processes share the process group. As a fallback,
-        // read \x03 (ETX) directly from stdin when it is a TTY in raw mode.
-        /* istanbul ignore next -- TTY-only path, not testable in CI */
-        if (process.stdin.isTTY) {
-            process.stdin.setRawMode(true);
-            process.stdin.resume();
-            process.stdin.on('data', (chunk) => {
-                if (chunk[0] === 0x03) { // Ctrl+C
-                    shutdown();
-                }
-            });
-        }
-    }
-    getImageTag(project) {
-        const projectTag = (0, dockerfile_path_1.getProjectImageTag)(project.tenantCode, project.projectCode, this.version);
-        try {
-            (0, child_process_1.execFileSync)('docker', ['image', 'inspect', projectTag], { stdio: 'ignore' });
-            return projectTag;
-        }
-        catch /* istanbul ignore next */ {
-            return `${IMAGE_NAME}:${this.version}`;
-        }
-    }
-    async rebuildAndRestart(project, projectConfigHostDir, forceIfDockerfileExists = false) {
-        const rebuildMarker = path.join(projectConfigHostDir, 'docker-rebuild-needed');
-        const projectDockerfile = path.join(projectConfigHostDir, 'Dockerfile');
-        const hasMarker = fs.existsSync(rebuildMarker);
-        const shouldBuild = hasMarker || (forceIfDockerfileExists && fs.existsSync(projectDockerfile));
-        if (shouldBuild) {
-            if (hasMarker)
-                fs.unlinkSync(rebuildMarker);
-            // Load the registered agentId before building so build logs are stored under
-            // the correct agentId (the one shown in the Web UI), not the host agentId.
-            const registeredAgentIdPath = path.join(projectConfigHostDir, 'docker-registered-agent-id');
-            if (fs.existsSync(registeredAgentIdPath)) {
-                const registeredId = fs.readFileSync(registeredAgentIdPath, 'utf-8').trim();
-                if (registeredId && registeredId !== this.getProjectAgentId(project)) {
-                    this.setProjectAgentId(project, registeredId);
-                }
-            }
-            // The container writes Dockerfile into its configDir root, which maps to projectConfigHostDir on host.
-            if (fs.existsSync(projectDockerfile)) {
-                try {
-                    await buildProjectImage(project.tenantCode, project.projectCode, this.version, projectDockerfile, this.createProjectApiClient(project), this.getProjectAgentId(project));
-                    // Copy the docker-customization-hash file written by the container so the
-                    // next container startup knows the current customization was already built.
-                    const srcHash = path.join(projectConfigHostDir, 'docker-customization-hash');
-                    const dstHash = path.join(projectConfigHostDir, 'docker-built-hash');
-                    if (fs.existsSync(srcHash)) {
-                        fs.copyFileSync(srcHash, dstHash);
-                    }
-                    // Clear any previous build error so the container can report success
-                    const buildErrorPath = path.join(projectConfigHostDir, 'docker-build-error');
-                    /* istanbul ignore next */
-                    if (fs.existsSync(buildErrorPath)) {
-                        fs.unlinkSync(buildErrorPath);
-                    }
-                }
-                catch (err) {
-                    const errorMsg = err instanceof Error ? err.message : String(err);
-                    logger_1.logger.error(`[docker] Image build failed: ${errorMsg}`);
-                    logger_1.logger.warn(`[docker] Container ${this.projectKey(project)} will start with previous image due to build failure.`);
-                    // Write the error message so the container can report it via heartbeat
-                    // Truncate to 3000 chars to avoid DynamoDB item size limits
-                    const buildErrorPath = path.join(projectConfigHostDir, 'docker-build-error');
-                    const truncatedError = errorMsg.length > 3000 ? errorMsg.substring(0, 3000) + '...(truncated)' : errorMsg;
-                    /* istanbul ignore next */
-                    try {
-                        fs.writeFileSync(buildErrorPath, truncatedError, 'utf-8');
-                    }
-                    catch (writeErr) {
-                        logger_1.logger.warn(`[docker] Failed to write build error file: ${writeErr instanceof Error ? writeErr.message : String(writeErr)}`);
-                    }
-                    // Write docker-built-hash even on failure so the next startup does not
-                    // attempt the same failed build again. The container starts with the
-                    // previous (base) image until the configuration is fixed and changed.
-                    const srcHash = path.join(projectConfigHostDir, 'docker-customization-hash');
-                    const dstHash = path.join(projectConfigHostDir, 'docker-built-hash');
-                    if (fs.existsSync(srcHash)) {
-                        fs.copyFileSync(srcHash, dstHash);
-                    }
-                }
-            }
-        }
-        this.spawnProject(project);
-    }
-    spawnProject(project) {
-        const key = this.projectKey(project);
-        const projectConfigHostDir = getProjectConfigHostDir(project);
-        // Pre-startup hash check: if docker-customization-hash !== docker-built-hash,
-        // rebuild before starting the container (handles the case where config changed while agent was stopped)
-        const customizationHashPath = path.join(projectConfigHostDir, 'docker-customization-hash');
-        const builtHashPath = path.join(projectConfigHostDir, 'docker-built-hash');
-        if (fs.existsSync(customizationHashPath) && fs.existsSync(builtHashPath)) {
-            const customizationHash = fs.readFileSync(customizationHashPath, 'utf-8').trim();
-            const builtHash = fs.readFileSync(builtHashPath, 'utf-8').trim();
-            if (customizationHash !== builtHash) {
-                logger_1.logger.info(`[docker] Pre-startup hash mismatch for ${key}, rebuilding before start...`);
-                void this.rebuildAndRestart(project, projectConfigHostDir, true);
-                return;
-            }
-        }
-        // Load the server-assigned agentId written by the container after registration.
-        // This ensures logs are stored under the same agentId shown in the Web UI.
-        const registeredAgentIdPath = path.join(projectConfigHostDir, 'docker-registered-agent-id');
-        if (fs.existsSync(registeredAgentIdPath)) {
-            const registeredId = fs.readFileSync(registeredAgentIdPath, 'utf-8').trim();
-            if (registeredId && registeredId !== this.getProjectAgentId(project)) {
-                logger_1.logger.info(`[docker] Using registered agentId for ${key}: ${registeredId}`);
-                this.setProjectAgentId(project, registeredId);
-            }
-        }
-        const { mounts, envArgs } = buildProjectVolumeMounts(project, projectConfigHostDir);
-        const containerArgs = [
-            'ai-support-agent', 'start', '--no-docker',
-            '--project', key,
-        ];
-        if (this.opts.pollInterval !== undefined) {
-            containerArgs.push('--poll-interval', String(this.opts.pollInterval));
-        }
-        if (this.opts.heartbeatInterval !== undefined) {
-            containerArgs.push('--heartbeat-interval', String(this.opts.heartbeatInterval));
-        }
-        if (this.opts.verbose) {
-            containerArgs.push('--verbose');
-        }
-        if (this.opts.autoUpdate === false) {
-            containerArgs.push('--no-auto-update');
-        }
-        if (this.opts.updateChannel) {
-            containerArgs.push('--update-channel', this.opts.updateChannel);
-        }
-        // No -i/-t flags: the container does not need stdin. stdout/stderr are
-        // captured via pipe. Shutdown is handled exclusively via docker stop.
-        const imageTag = this.getImageTag(project);
-        const containerName = buildContainerName(project.tenantCode, project.projectCode, this.opts.agentId);
-        removeStaleContainer(containerName);
-        const cidFile = path.join(os.tmpdir(), `ai-support-agent-${project.tenantCode}-${project.projectCode}-${Date.now()}.cid`);
-        const dockerArgs = [
-            'run', '--rm', '--name', containerName, '--cidfile', cidFile,
-            ...(process.getuid ? ['--user', `${process.getuid()}:${process.getgid()}`] : []),
-            ...mounts,
-            ...buildDevMounts(),
-            ...envArgs,
-            imageTag,
-            ...containerArgs,
-        ];
-        const projectColor = (0, logger_1.getProjectColor)(key);
-        const colorReset = '\x1b[0m';
-        const logPrefix = `${projectColor}[${key}]${colorReset} `;
-        logger_1.logger.info(`[docker] Starting container for project: ${key}`);
-        const child = (0, child_process_1.spawn)('docker', dockerArgs, { stdio: ['ignore', 'pipe', 'pipe'] });
-        let resolveClosed;
-        const closedPromise = new Promise((resolve) => { resolveClosed = resolve; });
-        const handle = {
-            project,
-            child,
-            version: this.version,
-            closeHandled: false,
-            closedPromise,
-            resolveClosed,
-            cidFile,
-        };
-        this.handles.set(key, handle);
-        // Stream container stdout/stderr to host terminal and API for real-time log viewing
-        // Use project-specific ApiClient so the token matches the projectCode in the request
-        const projectApiClient = this.createProjectApiClient(project);
-        if (projectApiClient) {
-            const sessionId = makeSessionId();
-            let seq = 0;
-            let fullLog = '';
-            let logTruncated = false;
-            let buf = '';
-            const apiClient = projectApiClient;
-            // Use a getter so that if the container writes docker-registered-agent-id after startup,
-            // subsequent log chunks are stored under the correct server-assigned agentId.
-            const supervisor = this;
-            const getAgentId = () => supervisor.getProjectAgentId(project) ?? '';
-            // Watch for the registered agentId file written by the container after registration
-            const noopWatcher = { close: () => undefined };
-            let registeredIdWatcher = noopWatcher;
-            try {
-                registeredIdWatcher = fs.watch(projectConfigHostDir, (eventType, filename) => {
-                    if (filename === 'docker-registered-agent-id' && (eventType === 'rename' || eventType === 'change')) {
-                        try {
-                            const newId = fs.readFileSync(registeredAgentIdPath, 'utf-8').trim();
-                            const currentId = supervisor.getProjectAgentId(project);
-                            if (newId && newId !== currentId) {
-                                logger_1.logger.info(`[docker] Container registered with agentId: ${newId} (was: ${currentId})`);
-                                supervisor.setProjectAgentId(project, newId);
-                            }
-                        }
-                        catch {
-                            // File may not exist yet if rename event fires before write completes
-                        }
-                    }
-                });
-            }
-            catch {
-                // Directory watch may fail if projectConfigHostDir doesn't exist yet — ignore
-            }
-            const flush = async () => {
-                if (!buf)
-                    return;
-                const text = buf;
-                buf = '';
-                if (!logTruncated) {
-                    if (fullLog.length + text.length <= MAX_SESSION_LOG_BYTES) {
-                        fullLog += text;
-                    }
-                    else {
-                        const remaining = MAX_SESSION_LOG_BYTES - fullLog.length;
-                        fullLog += remaining > 0 ? text.slice(0, remaining) : '';
-                        logTruncated = true;
-                        logger_1.logger.warn(`[docker] Container log for ${key} exceeded 2 MB limit; remaining output will not be saved to S3`);
-                    }
-                }
-                await apiClient.submitLogChunk({ agentId: getAgentId(), projectCode: project.projectCode, logType: 'container', sessionId, seq: ++seq, text })
-                    .catch((e) => logger_1.logger.warn(`[docker] log chunk failed: ${e}`));
-            };
-            const flushTimer = setInterval(() => { void flush(); }, 1_000).unref();
-            const writeStdout = (0, logger_1.makeLinePrefixer)(logPrefix, (s) => process.stdout.write(s));
-            const writeStderr = (0, logger_1.makeLinePrefixer)(logPrefix, (s) => process.stderr.write(s));
-            child.stdout?.on('data', (d) => { const t = d.toString(); writeStdout(t); buf += t; });
-            child.stderr?.on('data', (d) => { const t = d.toString(); writeStderr(t); buf += t; });
-            child.on('close', () => {
-                registeredIdWatcher.close();
-                clearInterval(flushTimer);
-                void flush().then(() => {
-                    if (fullLog) {
-                        void apiClient.saveSessionLog({ agentId: getAgentId(), projectCode: project.projectCode, logType: 'container', sessionId, content: fullLog })
-                            .catch((e) => logger_1.logger.warn(`[docker] S3 upload failed: ${e}`))
-                            .finally(() => { handle.resolveClosed(); });
-                    }
-                    else {
-                        handle.resolveClosed();
-                    }
-                }).catch(/* istanbul ignore next */ () => { handle.resolveClosed(); }).catch(/* istanbul ignore next */ () => { handle.resolveClosed(); });
-            });
-        }
-        child.on('error', (err) => {
-            logger_1.logger.error(`[docker] Container error for ${key}: ${err.message}`);
-        });
-        child.on('close', (code) => {
-            if (handle.closeHandled)
-                return;
-            handle.closeHandled = true;
-            this.handles.delete(key);
-            // Clean up cidfile
-            try {
-                fs.unlinkSync(handle.cidFile);
-            }
-            catch { /* ignore */ }
-            if (code === constants_1.DOCKER_UPDATE_EXIT_CODE && !this.updating) {
-                this.updating = true;
-                logger_1.logger.info(`[docker] Container ${key} exited for update. Stopping all containers and rebuilding...`);
-                this.stopAll();
-                void installUpdateAndRestart(projectConfigHostDir).catch((err) => {
-                    logger_1.logger.error(`[docker] Update failed: ${err instanceof Error ? err.message : String(err)}`);
-                    process.exit(1);
-                });
-                return;
-            }
-            if (code === constants_1.DOCKER_RESTART_EXIT_CODE && !this.updating) {
-                logger_1.logger.info(`[docker] Container ${key} requested restart. Rebuilding image if needed...`);
-                void this.rebuildAndRestart(project, projectConfigHostDir, true).catch((err) => {
-                    logger_1.logger.error(`[docker] Restart failed: ${err instanceof Error ? err.message : String(err)}`);
-                });
-                return;
-            }
-            if (this.handles.size === 0 && !this.updating) {
-                // All containers have exited cleanly
-                this.onAllStopped?.();
-                process.exit(code ?? 0);
-            }
-        });
-    }
-    stopAll() {
-        for (const [key, handle] of this.handles) {
-            if (!handle.closeHandled) {
-                logger_1.logger.info(`[docker] Stopping container for project: ${key}`);
-                // Try docker stop via cidfile (more reliable than SIGTERM to docker run process).
-                // Use spawn (non-blocking) so we don't stall the Node.js event loop during shutdown.
-                let stopped = false;
-                try {
-                    /* istanbul ignore next */
-                    if (fs.existsSync(handle.cidFile)) {
-                        const containerId = fs.readFileSync(handle.cidFile, 'utf-8').trim();
-                        /* istanbul ignore next */
-                        if (containerId) {
-                            (0, child_process_1.spawn)('docker', ['stop', '--time', '5', containerId], { stdio: 'ignore' });
-                            stopped = true;
-                        }
-                    }
-                }
-                catch /* istanbul ignore next */ {
-                    // Ignore errors — fall through to child.kill
-                }
-                if (!stopped) {
-                    handle.child.kill('SIGTERM');
-                }
-            }
-        }
-    }
-}
 let isDockerRunning = false;
 /** Reset the running flag (for testing). */
 function resetIsDockerRunning() {
     isDockerRunning = false;
 }
 function runInDocker(opts) {
-    // Guard against multiple concurrent invocations (e.g. auto-updater and
-    // server-triggered update firing at the same time).
+    // Guard against multiple concurrent invocations
     if (isDockerRunning) {
         logger_1.logger.warn('[docker] runInDocker called while already running — ignoring duplicate call');
         return;
@@ -1061,7 +103,7 @@ function runInDocker(opts) {
         process.exit(1);
         return;
     }
-    if (!checkDockerAvailable()) {
+    if (!(0, docker_utils_1.checkDockerAvailable)()) {
         logger_1.logger.error((0, i18n_1.t)('docker.notAvailable'));
         process.exit(1);
         return;
@@ -1070,16 +112,15 @@ function runInDocker(opts) {
     // Sync bundled Dockerfile to config dir on first run (unless disabled)
     const shouldSync = opts.dockerfileSync !== false && config?.dockerfileSync !== false;
     if (shouldSync) {
-        syncDockerfileToConfigDir();
+        (0, dockerfile_sync_1.syncDockerfileToConfigDir)();
     }
     // Resolve Dockerfile: CLI flag > config.dockerfilePath > configDir/Dockerfile > bundled default
     const customDockerfile = opts.dockerfile ?? config?.dockerfilePath;
-    const version = ensureImage(customDockerfile);
+    const version = (0, version_manager_1.ensureImage)(customDockerfile);
     // Determine projects to run (skip entries without tenantCode)
     const allProjects = config ? (0, config_manager_1.getProjectList)(config) : [];
     let projects;
     if (opts.project) {
-        // Single-project mode (e.g. for testing or external invocation)
         const slashIdx = opts.project.indexOf('/');
         if (slashIdx < 0) {
             logger_1.logger.error(`[docker] --project must be in "tenantCode/projectCode" format: ${opts.project}`);
@@ -1091,7 +132,6 @@ function runInDocker(opts) {
         projects = allProjects.filter((p) => p.tenantCode === tenantCode && p.projectCode === projectCode);
         if (projects.length === 0) {
             if (opts.token || process.env.AI_SUPPORT_AGENT_TOKEN) {
-                // Fallback: create a temporary project from env/CLI args
                 projects = [{
                         tenantCode,
                         projectCode,
@@ -1107,16 +147,13 @@ function runInDocker(opts) {
         }
     }
     else if (allProjects.length > 0) {
-        // Multi-project supervisor mode: one container per project
         projects = allProjects;
     }
     else {
-        // No config: run single container with legacy volume mount approach
         projects = [];
     }
     (0, claude_config_validator_1.ensureClaudeJsonIntegrity)();
     if (projects.length > 0) {
-        // Per-project container mode (new architecture)
         logger_1.logger.info(`[docker] Starting ${projects.length} project container(s)...`);
         const agentId = config?.agentId ?? os.hostname();
         const enrichedOpts = {
@@ -1124,15 +161,14 @@ function runInDocker(opts) {
             agentId: opts.agentId ?? agentId,
         };
         (0, pid_manager_1.writePidFile)();
-        const supervisor = new DockerSupervisor(version, enrichedOpts);
+        const supervisor = new docker_supervisor_1.DockerSupervisor(version, enrichedOpts);
         supervisor.start(projects, () => { isDockerRunning = false; });
         return;
     }
     // Legacy fallback: single container handling all projects via shared volume mount
-    // (used when no projects are registered in config — e.g. token/apiUrl passed via CLI)
     logger_1.logger.info((0, i18n_1.t)('docker.starting'));
-    const { mounts, projectMappings } = buildVolumeMounts();
-    const envArgs = buildEnvArgs(projectMappings);
+    const { mounts, projectMappings } = (0, volume_mount_builder_1.buildVolumeMounts)();
+    const envArgs = (0, volume_mount_builder_1.buildEnvArgs)(projectMappings);
     const containerArgs = buildContainerArgs(opts);
     const interactive = process.stdin.isTTY ? ['-it'] : ['-i'];
     const dockerArgs = [
@@ -1140,7 +176,7 @@ function runInDocker(opts) {
         ...(process.getuid ? ['--user', `${process.getuid()}:${process.getgid()}`] : []),
         ...mounts,
         ...envArgs,
-        `${IMAGE_NAME}:${version}`,
+        `${docker_utils_1.IMAGE_NAME}:${version}`,
         ...containerArgs,
     ];
     const child = (0, child_process_1.spawn)('docker', dockerArgs, {
@@ -1158,19 +194,44 @@ function runInDocker(opts) {
     });
     let closeHandled = false;
     child.on('close', (code) => {
-        // Guard against duplicate close events
         if (closeHandled)
             return;
         closeHandled = true;
         isDockerRunning = false;
-        // DOCKER_UPDATE_EXIT_CODE signals "update installed, rebuild image and restart".
-        // Any other exit (including 0 from SIGINT) exits the host process as-is.
         if (code === constants_1.DOCKER_UPDATE_EXIT_CODE) {
             logger_1.logger.info('[docker] Container exited for update. Rebuilding image and restarting...');
-            void installUpdateAndRestart();
+            void (0, update_handler_1.installUpdateAndRestart)();
             return;
         }
         process.exit(code ?? 0);
     });
 }
+// Re-exports for backward compatibility
+var docker_utils_2 = require("./docker-utils");
+Object.defineProperty(exports, "checkDockerAvailable", { enumerable: true, get: function () { return docker_utils_2.checkDockerAvailable; } });
+Object.defineProperty(exports, "imageExists", { enumerable: true, get: function () { return docker_utils_2.imageExists; } });
+Object.defineProperty(exports, "buildImage", { enumerable: true, get: function () { return docker_utils_2.buildImage; } });
+Object.defineProperty(exports, "buildContainerName", { enumerable: true, get: function () { return docker_utils_2.buildContainerName; } });
+Object.defineProperty(exports, "removeStaleContainer", { enumerable: true, get: function () { return docker_utils_2.removeStaleContainer; } });
+Object.defineProperty(exports, "dockerLogin", { enumerable: true, get: function () { return docker_utils_2.dockerLogin; } });
+var docker_security_1 = require("./docker-security");
+Object.defineProperty(exports, "validatePackageNames", { enumerable: true, get: function () { return docker_security_1.validatePackageNames; } });
+var dockerfile_generator_1 = require("./dockerfile-generator");
+Object.defineProperty(exports, "generateProjectDockerfile", { enumerable: true, get: function () { return dockerfile_generator_1.generateProjectDockerfile; } });
+var dockerfile_sync_2 = require("./dockerfile-sync");
+Object.defineProperty(exports, "syncDockerfileToConfigDir", { enumerable: true, get: function () { return dockerfile_sync_2.syncDockerfileToConfigDir; } });
+var project_image_builder_1 = require("./project-image-builder");
+Object.defineProperty(exports, "buildProjectImage", { enumerable: true, get: function () { return project_image_builder_1.buildProjectImage; } });
+var volume_mount_builder_2 = require("./volume-mount-builder");
+Object.defineProperty(exports, "buildVolumeMounts", { enumerable: true, get: function () { return volume_mount_builder_2.buildVolumeMounts; } });
+Object.defineProperty(exports, "buildEnvArgs", { enumerable: true, get: function () { return volume_mount_builder_2.buildEnvArgs; } });
+Object.defineProperty(exports, "buildProjectVolumeMounts", { enumerable: true, get: function () { return volume_mount_builder_2.buildProjectVolumeMounts; } });
+var version_manager_2 = require("./version-manager");
+Object.defineProperty(exports, "getInstalledVersion", { enumerable: true, get: function () { return version_manager_2.getInstalledVersion; } });
+Object.defineProperty(exports, "resetInstalledVersionCache", { enumerable: true, get: function () { return version_manager_2.resetInstalledVersionCache; } });
+Object.defineProperty(exports, "ensureImage", { enumerable: true, get: function () { return version_manager_2.ensureImage; } });
+var project_config_1 = require("./project-config");
+Object.defineProperty(exports, "migrateProjectConfigDir", { enumerable: true, get: function () { return project_config_1.migrateProjectConfigDir; } });
+var docker_supervisor_2 = require("./docker-supervisor");
+Object.defineProperty(exports, "DockerSupervisor", { enumerable: true, get: function () { return docker_supervisor_2.DockerSupervisor; } });
 //# sourceMappingURL=docker-runner.js.map