tlc-claude-code 2.0.1 → 2.1.0

package/server/lib/deploy/runners/secrets-runner.test.js

@@ -0,0 +1,127 @@
+/**
+ * Secrets Runner Tests
+ */
+import { describe, it, expect, vi, beforeEach } from 'vitest';
+import { createSecretsRunner } from './secrets-runner.js';
+
+describe('secrets-runner', () => {
+  let globMock;
+  let readFileMock;
+  let runner;
+
+  beforeEach(() => {
+    globMock = vi.fn().mockResolvedValue([]);
+    readFileMock = vi.fn().mockResolvedValue('');
+    runner = createSecretsRunner({ glob: globMock, readFile: readFileMock });
+  });
+
+  it('passes when no secrets found in clean project', async () => {
+    globMock.mockResolvedValue(['src/index.js']);
+    readFileMock.mockResolvedValue('const x = 1;\nconsole.log(x);');
+
+    const result = await runner('/test/project', {});
+    expect(result.passed).toBe(true);
+    expect(result.findings).toEqual([]);
+  });
+
+  it('detects hardcoded password assignment', async () => {
+    globMock.mockResolvedValue(['src/config.js']);
+    readFileMock.mockResolvedValue(
+      'const config = {\n  password: "supersecret123"\n};'
+    );
+
+    const result = await runner('/test/project', {});
+    expect(result.passed).toBe(false);
+    expect(result.findings.length).toBeGreaterThan(0);
+    expect(result.findings[0].file).toBe('src/config.js');
+    expect(result.findings[0].pattern).toBeDefined();
+  });
+
+  it('detects AWS access key pattern', async () => {
+    globMock.mockResolvedValue(['src/aws.js']);
+    readFileMock.mockResolvedValue(
+      'const key = "AKIAIOSFODNN7EXAMPLE";\n'
+    );
+
+    const result = await runner('/test/project', {});
+    expect(result.passed).toBe(false);
+    expect(result.findings.length).toBeGreaterThan(0);
+  });
+
+  it('detects private key header', async () => {
+    globMock.mockResolvedValue(['certs/key.pem']);
+    readFileMock.mockResolvedValue(
+      '-----BEGIN RSA PRIVATE KEY-----\nMIIEpA...\n-----END RSA PRIVATE KEY-----'
+    );
+
+    const result = await runner('/test/project', {});
+    expect(result.passed).toBe(false);
+    expect(result.findings.length).toBeGreaterThan(0);
+  });
+
+  it('detects generic API key pattern', async () => {
+    globMock.mockResolvedValue(['src/api.js']);
+    readFileMock.mockResolvedValue(
+      'const token = "ghp_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx";\n'
+    );
+
+    const result = await runner('/test/project', {});
+    expect(result.passed).toBe(false);
+    expect(result.findings.length).toBeGreaterThan(0);
+  });
+
+  it('excludes test files by default', async () => {
+    globMock.mockResolvedValue([]);
+
+    const result = await runner('/test/project', {});
+    expect(result.passed).toBe(true);
+
+    // Verify glob was called with exclusion patterns
+    const callArgs = globMock.mock.calls[0];
+    expect(callArgs[0]).toBeDefined(); // pattern
+    expect(callArgs[1]).toBeDefined(); // options with ignore
+  });
+
+  it('excludes node_modules by default', async () => {
+    globMock.mockResolvedValue([]);
+
+    await runner('/test/project', {});
+    const callArgs = globMock.mock.calls[0];
+    const options = callArgs[1];
+    expect(options.ignore).toContain('**/node_modules/**');
+  });
+
+  it('supports configurable exclusion patterns', async () => {
+    const customRunner = createSecretsRunner({
+      glob: globMock,
+      readFile: readFileMock,
+      extraIgnore: ['**/fixtures/**'],
+    });
+
+    globMock.mockResolvedValue([]);
+
+    await customRunner('/test/project', {});
+    const callArgs = globMock.mock.calls[0];
+    const options = callArgs[1];
+    expect(options.ignore).toContain('**/fixtures/**');
+  });
+
+  it('handles empty project directory', async () => {
+    globMock.mockResolvedValue([]);
+
+    const result = await runner('/test/project', {});
+    expect(result.passed).toBe(true);
+    expect(result.findings).toEqual([]);
+  });
+
+  it('includes line number in findings', async () => {
+    globMock.mockResolvedValue(['src/config.js']);
+    readFileMock.mockResolvedValue(
+      'const a = 1;\nconst password = "secret";\nconst b = 2;'
+    );
+
+    const result = await runner('/test/project', {});
+    expect(result.passed).toBe(false);
+    expect(result.findings[0].line).toBe(2);
+  });
+});

package/server/lib/deploy/security-gates.js

@@ -5,6 +5,9 @@
  * running security gates during deployment validation.
  */
 
+import { createDependencyRunner } from './runners/dependency-runner.js';
+import { createSecretsRunner } from './runners/secrets-runner.js';
+
 /**
  * Gate type constants
  */
@@ -36,29 +39,13 @@ const DEFAULT_TIER_GATES = {
 };
 
 /**
- * Default security gate runners (placeholder implementations)
+ * Built-in runners for dependencies and secrets gates.
+ * SAST, DAST, and container gates require custom runner injection.
+ * Gates without runners will SKIP (not fake-pass).
  */
-const defaultRunners = {
-  sast: async (projectPath, options) => {
-    // Placeholder SAST implementation
-    return { passed: true, findings: [] };
-  },
-  dast: async (projectPath, options) => {
-    // Placeholder DAST implementation
-    return { passed: true, findings: [] };
-  },
-  dependencies: async (projectPath, options) => {
-    // Placeholder dependency scanning implementation
-    return { passed: true, findings: [] };
-  },
-  container: async (projectPath, options) => {
-    // Placeholder container scanning implementation
-    return { passed: true, findings: [] };
-  },
-  secrets: async (projectPath, options) => {
-    // Placeholder secrets scanning implementation
-    return { passed: true, findings: [] };
-  },
+const builtInRunners = {
+  dependencies: createDependencyRunner(),
+  secrets: createSecretsRunner(),
 };
 
 /**
@@ -197,8 +184,8 @@ export async function runAllGates(tier, options = {}) {
 export function createSecurityGates(config = {}) {
   const { runners = {}, gateConfig = null } = config;
 
-  // Merge custom runners with defaults
-  const allRunners = { ...defaultRunners, ...runners };
+  // Merge built-in runners with custom runners (custom overrides built-in)
+  const allRunners = { ...builtInRunners, ...runners };
 
   return {
     /**

package/server/lib/deploy/security-gates.test.js

@@ -213,10 +213,17 @@ describe('security-gates', () => {
       expect(gates.hasRunner('custom')).toBe(true);
     });
 
-    it('provides default runners', () => {
+    it('has built-in runners for dependencies and secrets', () => {
       const gates = createSecurityGates();
-      expect(gates.hasRunner('sast')).toBe(true);
       expect(gates.hasRunner('dependencies')).toBe(true);
+      expect(gates.hasRunner('secrets')).toBe(true);
+    });
+
+    it('skips SAST/DAST/container without custom runners', () => {
+      const gates = createSecurityGates();
+      expect(gates.hasRunner('sast')).toBe(false);
+      expect(gates.hasRunner('dast')).toBe(false);
+      expect(gates.hasRunner('container')).toBe(false);
     });
   });
 });

package/server/lib/deploy-engine.js

@@ -0,0 +1,182 @@
+/**
+ * Deploy Engine — deploy projects to VPS via SSH
+ * Phase 80 Task 6
+ */
+
+const { generateSiteConfig } = require('./nginx-config.js');
+const { isValidBranch, isValidRepoUrl, isValidDomain, isValidProjectName } = require('./input-sanitizer.js');
+
+/**
+ * Sanitize branch name for DNS/container use
+ */
+function sanitizeBranch(branch) {
+  if (!branch) return 'unknown';
+  return branch.toLowerCase().replace(/[^a-z0-9-]/g, '-').replace(/-+/g, '-').replace(/^-|-$/g, '').slice(0, 63);
+}
+
+/**
+ * Create deploy engine
+ * @param {Object} options
+ * @param {Object} options.sshClient - SSH client instance
+ * @returns {Object} Deploy engine API
+ */
+function createDeployEngine({ sshClient }) {
+  const BASE_PORT = 4000;
+
+  /**
+   * Deploy a project to VPS
+   */
+  async function deploy(sshConfig, project, options = {}, onProgress) {
+    const { domain, branch = 'main' } = options;
+    if (!isValidProjectName(project.name)) throw new Error(`Invalid project name: ${project.name}`);
+    if (!isValidBranch(branch)) throw new Error(`Invalid branch name: ${branch}`);
+    if (project.repoUrl && !isValidRepoUrl(project.repoUrl)) throw new Error(`Invalid repo URL: ${project.repoUrl}`);
+    if (domain && !isValidDomain(domain)) throw new Error(`Invalid domain: ${domain}`);
+    const deployDir = `/opt/deploys/${project.name}`;
+    const report = (step, msg) => onProgress && onProgress({ step, message: msg });
+
+    // Step 1: Ensure deploy directory
+    report('prepare', 'Creating deploy directory...');
+    await sshClient.exec(sshConfig, `mkdir -p ${deployDir}`);
+
+    // Step 2: Clone or pull
+    report('git', 'Fetching latest code...');
+    const checkGit = await sshClient.exec(sshConfig, `test -d ${deployDir}/.git && echo "exists" || echo "new"`);
+    if (checkGit.stdout.trim() === 'exists') {
+      await sshClient.exec(sshConfig, `cd ${deployDir} && git fetch origin && git checkout ${branch} && git pull origin ${branch}`);
+    } else {
+      await sshClient.exec(sshConfig, `git clone ${project.repoUrl} ${deployDir} && cd ${deployDir} && git checkout ${branch}`);
+    }
+
+    // Step 3: Docker compose up
+    report('docker', 'Starting containers...');
+    await sshClient.exec(sshConfig, `cd ${deployDir} && docker compose up -d --build`);
+
+    // Step 4: Nginx config
+    if (domain) {
+      report('nginx', 'Configuring Nginx...');
+      const nginxConf = generateSiteConfig({ domain, port: 3000, proxyPass: 'http://127.0.0.1:3000' });
+      await sshClient.exec(sshConfig, `cat > /etc/nginx/sites-available/${project.name} << 'NGINX_EOF'\n${nginxConf}\nNGINX_EOF`);
+      await sshClient.exec(sshConfig, `ln -sf /etc/nginx/sites-available/${project.name} /etc/nginx/sites-enabled/`);
+      await sshClient.exec(sshConfig, `nginx -t && nginx -s reload`);
+    }
+
+    // Step 5: SSL
+    if (domain) {
+      report('ssl', 'Setting up SSL...');
+      await sshClient.exec(sshConfig, `certbot --nginx -d ${domain} --non-interactive --agree-tos --email admin@${domain} 2>/dev/null || true`);
+    }
+
+    report('done', 'Deployment complete');
+  }
+
+  /**
+   * Deploy a branch preview
+   */
+  async function deployBranch(sshConfig, project, branch, baseDomain, onProgress) {
+    if (!isValidProjectName(project.name)) throw new Error(`Invalid project name: ${project.name}`);
+    if (!isValidBranch(branch)) throw new Error(`Invalid branch name: ${branch}`);
+    if (project.repoUrl && !isValidRepoUrl(project.repoUrl)) throw new Error(`Invalid repo URL: ${project.repoUrl}`);
+    if (baseDomain && !isValidDomain(baseDomain)) throw new Error(`Invalid base domain: ${baseDomain}`);
+    const sanitized = sanitizeBranch(branch);
+    const deployDir = `/opt/deploys/${project.name}/branches/${sanitized}`;
+    const containerName = `tlc-${sanitizeBranch(project.name)}-${sanitized}`;
+    const report = (step, msg) => onProgress && onProgress({ step, message: msg });
+
+    // Allocate port
+    report('prepare', 'Allocating port...');
+    let portData = {};
+    try {
+      const portsResult = await sshClient.exec(sshConfig, `cat /opt/deploys/${project.name}/ports.json 2>/dev/null || echo "{}"`);
+      portData = JSON.parse(portsResult.stdout.trim());
+    } catch {}
+    const usedPorts = Object.values(portData);
+    let port = BASE_PORT;
+    while (usedPorts.includes(port)) port++;
+    portData[sanitized] = port;
+    const portJson = Buffer.from(JSON.stringify(portData)).toString('base64');
+    await sshClient.exec(sshConfig, `mkdir -p /opt/deploys/${project.name} && echo '${portJson}' | base64 -d > /opt/deploys/${project.name}/ports.json`);
+
+    // Clone branch
+    report('git', `Cloning branch ${branch}...`);
+    await sshClient.exec(sshConfig, `mkdir -p ${deployDir}`);
+    const checkGit = await sshClient.exec(sshConfig, `test -d ${deployDir}/.git && echo "exists" || echo "new"`);
+    if (checkGit.stdout.trim() === 'exists') {
+      await sshClient.exec(sshConfig, `cd ${deployDir} && git fetch origin && git reset --hard origin/${branch} 2>/dev/null || git checkout -b ${branch} origin/${branch}`);
+    } else {
+      await sshClient.exec(sshConfig, `git clone -b ${branch} ${project.repoUrl} ${deployDir}`);
+    }
+
+    // Docker compose with custom port
+    report('docker', 'Starting container...');
+    await sshClient.exec(sshConfig, `cd ${deployDir} && APP_PORT=${port} COMPOSE_PROJECT_NAME=${containerName} docker compose up -d --build`);
+
+    // Nginx for subdomain
+    report('nginx', `Configuring ${sanitized}.${baseDomain}...`);
+    const nginxConf = generateSiteConfig({
+      domain: `${sanitized}.${baseDomain}`,
+      port,
+      proxyPass: `http://127.0.0.1:${port}`,
+    });
+    await sshClient.exec(sshConfig, `cat > /etc/nginx/sites-available/${containerName} << 'NGINX_EOF'\n${nginxConf}\nNGINX_EOF`);
+    await sshClient.exec(sshConfig, `ln -sf /etc/nginx/sites-available/${containerName} /etc/nginx/sites-enabled/`);
+    await sshClient.exec(sshConfig, `nginx -t && nginx -s reload`);
+
+    report('done', `Preview at ${sanitized}.${baseDomain}`);
+    return { subdomain: `${sanitized}.${baseDomain}`, port, containerName };
+  }
+
+  /**
+   * Rollback to previous commit
+   */
+  async function rollback(sshConfig, project, onProgress) {
+    const deployDir = `/opt/deploys/${project.name}`;
+    const report = (step, msg) => onProgress && onProgress({ step, message: msg });
+
+    report('rollback', 'Rolling back...');
+    await sshClient.exec(sshConfig, `cd ${deployDir} && git checkout HEAD~1`);
+    await sshClient.exec(sshConfig, `cd ${deployDir} && docker compose up -d --build`);
+    report('done', 'Rollback complete');
+  }
+
+  /**
+   * Clean up a branch preview
+   */
+  async function cleanupBranch(sshConfig, project, branch) {
+    const sanitized = sanitizeBranch(branch);
+    const containerName = `tlc-${sanitizeBranch(project.name)}-${sanitized}`;
+    const deployDir = `/opt/deploys/${project.name}/branches/${sanitized}`;
+
+    // Stop and remove containers
+    await sshClient.exec(sshConfig, `cd ${deployDir} && docker compose down 2>/dev/null; docker stop ${containerName} 2>/dev/null; docker rm ${containerName} 2>/dev/null || true`);
+
+    // Remove nginx config
+    await sshClient.exec(sshConfig, `rm -f /etc/nginx/sites-enabled/${containerName} /etc/nginx/sites-available/${containerName}`);
+    await sshClient.exec(sshConfig, `nginx -t && nginx -s reload 2>/dev/null || true`);
+
+    // Remove deploy directory
+    await sshClient.exec(sshConfig, `rm -rf ${deployDir}`);
+
+    // Remove from port allocation
+    try {
+      const portsResult = await sshClient.exec(sshConfig, `cat /opt/deploys/${project.name}/ports.json 2>/dev/null || echo "{}"`);
+      const portData = JSON.parse(portsResult.stdout.trim());
+      delete portData[sanitized];
+      const portJson = Buffer.from(JSON.stringify(portData)).toString('base64');
+      await sshClient.exec(sshConfig, `echo '${portJson}' | base64 -d > /opt/deploys/${project.name}/ports.json`);
+    } catch {}
+  }
+
+  /**
+   * List active deployments
+   */
+  async function listDeployments(sshConfig, project) {
+    const result = await sshClient.exec(sshConfig, `ls /opt/deploys/${project.name}/branches/ 2>/dev/null || echo ""`);
+    const branches = result.stdout.trim().split('\n').filter(Boolean);
+    return branches.map(name => ({ branch: name, directory: `/opt/deploys/${project.name}/branches/${name}` }));
+  }
+
+  return { deploy, deployBranch, rollback, cleanupBranch, listDeployments, sanitizeBranch };
+}
+
+module.exports = { createDeployEngine };

package/server/lib/deploy-engine.test.js

@@ -0,0 +1,147 @@
+import { describe, it, expect, beforeEach, vi } from 'vitest';
+
+const { createDeployEngine } = await import('./deploy-engine.js');
+
+function createMockSsh() {
+  return {
+    exec: vi.fn().mockResolvedValue({ stdout: '', stderr: '', exitCode: 0 }),
+    execStream: vi.fn().mockResolvedValue(0),
+    upload: vi.fn().mockResolvedValue(),
+  };
+}
+
+describe('DeployEngine', () => {
+  let engine;
+  let mockSsh;
+
+  beforeEach(() => {
+    mockSsh = createMockSsh();
+    engine = createDeployEngine({ sshClient: mockSsh });
+  });
+
+  describe('deploy', () => {
+    it('executes git clone + docker compose + nginx steps', async () => {
+      const sshConfig = { host: '1.2.3.4', username: 'deploy', privateKeyPath: '/key' };
+      const project = { name: 'myapp', repoUrl: 'git@github.com:user/myapp.git' };
+      const progress = [];
+
+      await engine.deploy(sshConfig, project, { domain: 'myapp.dev', branch: 'main' }, (step) => progress.push(step));
+
+      // Should have called ssh exec multiple times
+      expect(mockSsh.exec.mock.calls.length).toBeGreaterThan(0);
+      // Should have progress steps
+      expect(progress.length).toBeGreaterThan(0);
+      // Verify key steps happened
+      const commands = mockSsh.exec.mock.calls.map(c => c[1]);
+      expect(commands.some(c => c.includes('git'))).toBe(true);
+      expect(commands.some(c => c.includes('docker'))).toBe(true);
+    });
+
+    it('generates correct Nginx config for project domain', async () => {
+      const sshConfig = { host: '1.2.3.4', username: 'deploy', privateKeyPath: '/key' };
+      const project = { name: 'myapp', repoUrl: 'git@github.com:user/myapp.git' };
+
+      await engine.deploy(sshConfig, project, { domain: 'myapp.dev', branch: 'main' });
+
+      // Should write nginx config
+      const commands = mockSsh.exec.mock.calls.map(c => c[1]);
+      const nginxWrite = commands.find(c => c.includes('sites-available') || c.includes('nginx'));
+      expect(nginxWrite).toBeTruthy();
+    });
+  });
+
+  describe('deployBranch', () => {
+    it('creates subdomain config for branch', async () => {
+      const sshConfig = { host: '1.2.3.4', username: 'deploy', privateKeyPath: '/key' };
+      const project = { name: 'myapp', repoUrl: 'git@github.com:user/myapp.git' };
+
+      await engine.deployBranch(sshConfig, project, 'feat-login', 'myapp.dev');
+
+      const commands = mockSsh.exec.mock.calls.map(c => c[1]);
+      expect(commands.some(c => c.includes('feat-login'))).toBe(true);
+    });
+
+    it('sanitizes branch name for DNS', async () => {
+      const sshConfig = { host: '1.2.3.4', username: 'deploy', privateKeyPath: '/key' };
+      const project = { name: 'myapp', repoUrl: 'git@github.com:user/myapp.git' };
+
+      await engine.deployBranch(sshConfig, project, 'feature/login-page', 'myapp.dev');
+
+      const commands = mockSsh.exec.mock.calls.map(c => c[1]);
+      // Should contain sanitized name (slashes → dashes)
+      expect(commands.some(c => c.includes('feature-login-page'))).toBe(true);
+    });
+
+    // Phase 81 Task 5: git commands must use original branch name
+    it('git clone uses original branch name not sanitized', async () => {
+      const sshConfig = { host: '1.2.3.4', username: 'deploy', privateKeyPath: '/key' };
+      const project = { name: 'myapp', repoUrl: 'git@github.com:user/myapp.git' };
+
+      await engine.deployBranch(sshConfig, project, 'feature/login-page', 'myapp.dev');
+
+      const commands = mockSsh.exec.mock.calls.map(c => c[1]);
+      // git clone -b must use the ORIGINAL branch name (feature/login-page)
+      const cloneCmd = commands.find(c => c.includes('git clone'));
+      if (cloneCmd) {
+        expect(cloneCmd).toContain('-b feature/login-page');
+      }
+      // git reset/checkout must use the ORIGINAL branch name
+      const resetCmd = commands.find(c => c.includes('git reset') || c.includes('git checkout'));
+      if (resetCmd) {
+        expect(resetCmd).toContain('origin/feature/login-page');
+      }
+    });
+
+    it('allocates unique port', async () => {
+      mockSsh.exec.mockImplementation(async (config, cmd) => {
+        if (cmd.includes('cat') && cmd.includes('ports.json')) {
+          return { stdout: '{}', stderr: '', exitCode: 0 };
+        }
+        return { stdout: '', stderr: '', exitCode: 0 };
+      });
+
+      const sshConfig = { host: '1.2.3.4', username: 'deploy', privateKeyPath: '/key' };
+      const project = { name: 'myapp', repoUrl: 'git@github.com:user/myapp.git' };
+
+      const result = await engine.deployBranch(sshConfig, project, 'main', 'myapp.dev');
+      expect(result.port).toBeGreaterThan(0);
+    });
+  });
+
+  describe('rollback', () => {
+    it('checks out previous commit', async () => {
+      const sshConfig = { host: '1.2.3.4', username: 'deploy', privateKeyPath: '/key' };
+
+      await engine.rollback(sshConfig, { name: 'myapp' });
+
+      const commands = mockSsh.exec.mock.calls.map(c => c[1]);
+      expect(commands.some(c => c.includes('git') && c.includes('HEAD~1'))).toBe(true);
+    });
+  });
+
+  describe('cleanupBranch', () => {
+    it('removes container and nginx config', async () => {
+      const sshConfig = { host: '1.2.3.4', username: 'deploy', privateKeyPath: '/key' };
+
+      await engine.cleanupBranch(sshConfig, { name: 'myapp' }, 'feat-login');
+
+      const commands = mockSsh.exec.mock.calls.map(c => c[1]);
+      expect(commands.some(c => c.includes('docker') && (c.includes('stop') || c.includes('rm')))).toBe(true);
+      expect(commands.some(c => c.includes('rm') && c.includes('sites-enabled'))).toBe(true);
+    });
+  });
+
+  describe('listDeployments', () => {
+    it('returns active deploys', async () => {
+      mockSsh.exec.mockResolvedValue({
+        stdout: 'main\nfeat-login\n',
+        stderr: '',
+        exitCode: 0,
+      });
+
+      const sshConfig = { host: '1.2.3.4', username: 'deploy', privateKeyPath: '/key' };
+      const deploys = await engine.listDeployments(sshConfig, { name: 'myapp' });
+      expect(Array.isArray(deploys)).toBe(true);
+    });
+  });
+});

package/server/lib/docker-api.js

@@ -0,0 +1,137 @@
+/**
+ * Docker API Router — Express routes for Docker management
+ * Phase 80 Task 1
+ */
+
+const express = require('express');
+
+/**
+ * Create Docker API router
+ * @param {Object} options
+ * @param {Object} options.dockerClient - Docker client instance
+ * @returns {express.Router}
+ */
+function createDockerRouter({ dockerClient }) {
+  const router = express.Router();
+
+  // GET /docker/status
+  router.get('/status', async (req, res) => {
+    try {
+      const status = await dockerClient.isAvailable();
+      if (!status.available) {
+        return res.status(503).json(status);
+      }
+      res.json(status);
+    } catch (err) {
+      res.status(503).json({ available: false, error: err.message });
+    }
+  });
+
+  // GET /docker/containers
+  router.get('/containers', async (req, res) => {
+    try {
+      const all = req.query.all === 'true';
+      const containers = await dockerClient.listContainers(all);
+      res.json(containers);
+    } catch (err) {
+      res.status(500).json({ error: err.message });
+    }
+  });
+
+  // GET /docker/containers/:id
+  router.get('/containers/:id', async (req, res) => {
+    try {
+      const detail = await dockerClient.getContainer(req.params.id);
+      res.json(detail);
+    } catch (err) {
+      const status = err.statusCode === 404 ? 404 : 500;
+      res.status(status).json({ error: err.message });
+    }
+  });
+
+  // POST /docker/containers/:id/start
+  router.post('/containers/:id/start', async (req, res) => {
+    try {
+      await dockerClient.startContainer(req.params.id);
+      res.json({ ok: true });
+    } catch (err) {
+      res.status(500).json({ error: err.message });
+    }
+  });
+
+  // POST /docker/containers/:id/stop
+  router.post('/containers/:id/stop', async (req, res) => {
+    try {
+      await dockerClient.stopContainer(req.params.id);
+      res.json({ ok: true });
+    } catch (err) {
+      res.status(500).json({ error: err.message });
+    }
+  });
+
+  // POST /docker/containers/:id/restart
+  router.post('/containers/:id/restart', async (req, res) => {
+    try {
+      await dockerClient.restartContainer(req.params.id);
+      res.json({ ok: true });
+    } catch (err) {
+      res.status(500).json({ error: err.message });
+    }
+  });
+
+  // DELETE /docker/containers/:id
+  router.delete('/containers/:id', async (req, res) => {
+    try {
+      const force = req.query.force === 'true';
+      await dockerClient.removeContainer(req.params.id, force);
+      res.json({ ok: true });
+    } catch (err) {
+      res.status(500).json({ error: err.message });
+    }
+  });
+
+  // GET /docker/containers/:id/logs
+  router.get('/containers/:id/logs', async (req, res) => {
+    try {
+      const tail = parseInt(req.query.tail, 10) || 100;
+      const logs = await dockerClient.getContainerLogs(req.params.id, { tail });
+      res.json({ logs });
+    } catch (err) {
+      res.status(500).json({ error: err.message });
+    }
+  });
+
+  // GET /docker/containers/:id/stats
+  router.get('/containers/:id/stats', async (req, res) => {
+    try {
+      const stats = await dockerClient.getContainerStats(req.params.id);
+      res.json(stats);
+    } catch (err) {
+      res.status(500).json({ error: err.message });
+    }
+  });
+
+  // GET /docker/images
+  router.get('/images', async (req, res) => {
+    try {
+      const images = await dockerClient.listImages();
+      res.json(images);
+    } catch (err) {
+      res.status(500).json({ error: err.message });
+    }
+  });
+
+  // GET /docker/volumes
+  router.get('/volumes', async (req, res) => {
+    try {
+      const volumes = await dockerClient.listVolumes();
+      res.json(volumes);
+    } catch (err) {
+      res.status(500).json({ error: err.message });
+    }
+  });
+
+  return router;
+}
+
+module.exports = { createDockerRouter };