fix: feat: merge chat container into edge — run chat server inside edge container with full permissions (reverts sandbox from #706) (#1083)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

docker/chat/Dockerfile

@@ -1,37 +0,0 @@
-# disinto-chat — minimal HTTP backend for Claude chat UI
-#
-# Small Debian slim base with Python runtime and Node.js.
-# Chosen for simplicity and small image size (~100MB).
-#
-# Image size: ~100MB (well under the 200MB ceiling)
-#
-# Claude CLI is baked into the image — same pattern as the agents container.
-
-FROM debian:bookworm-slim
-
-# Install Node.js (required for Claude CLI) and Python
-RUN apt-get update && apt-get install -y --no-install-recommends \
-    nodejs npm python3 \
-    && rm -rf /var/lib/apt/lists/*
-
-# Install Claude Code CLI — chat backend runtime
-RUN npm install -g @anthropic-ai/claude-code@2.1.84
-
-# Non-root user — fixed UID 10001 for sandbox hardening (#706)
-RUN useradd -m -u 10001 -s /bin/bash chat
-
-# Copy application files
-COPY server.py /usr/local/bin/server.py
-COPY entrypoint-chat.sh /entrypoint-chat.sh
-COPY ui/ /var/chat/ui/
-
-RUN chmod +x /entrypoint-chat.sh /usr/local/bin/server.py
-
-USER chat
-WORKDIR /var/chat
-
-EXPOSE 8080
-HEALTHCHECK --interval=30s --timeout=5s --start-period=10s --retries=3 \
-  CMD python3 -c "import urllib.request; urllib.request.urlopen('http://localhost:8080/health')" || exit 1
-
-ENTRYPOINT ["/entrypoint-chat.sh"]

docker/chat/entrypoint-chat.sh

@@ -1,37 +0,0 @@
-#!/usr/bin/env bash
-set -euo pipefail
-
-# entrypoint-chat.sh — Start the disinto-chat backend server
-#
-# Exec-replace pattern: this script is the container entrypoint and runs
-# the server directly (no wrapper needed). Logs to stdout for docker logs.
-
-LOGFILE="/tmp/chat.log"
-
-log() {
-    printf '[%s] %s\n' "$(date -u '+%Y-%m-%d %H:%M:%S UTC')" "$*" | tee -a "$LOGFILE"
-}
-
-# Sandbox sanity checks (#706) — fail fast if isolation is broken
-if [ -e /var/run/docker.sock ]; then
-    log "FATAL: /var/run/docker.sock is accessible — sandbox violation"
-    exit 1
-fi
-if [ "$(id -u)" = "0" ]; then
-    log "FATAL: running as root (uid 0) — sandbox violation"
-    exit 1
-fi
-
-# Verify Claude CLI is available (expected via volume mount from host).
-if ! command -v claude &>/dev/null; then
-    log "FATAL: claude CLI not found in PATH"
-    log "Mount the host binary into the container, e.g.:"
-    log "  volumes:"
-    log "    - /usr/local/bin/claude:/usr/local/bin/claude:ro"
-    exit 1
-fi
-log "Claude CLI: $(claude --version 2>&1 || true)"
-
-# Start the Python server (exec-replace so signals propagate correctly)
-log "Starting disinto-chat server on port 8080..."
-exec python3 /usr/local/bin/server.py

docker/chat/server.py

@@ -41,7 +41,7 @@ import base64
 import hashlib
 
 # Configuration
-HOST = os.environ.get("CHAT_HOST", "0.0.0.0")
+HOST = os.environ.get("CHAT_HOST", "127.0.0.1")
 PORT = int(os.environ.get("CHAT_PORT", 8080))
 UI_DIR = "/var/chat/ui"
 STATIC_DIR = os.path.join(UI_DIR, "static")

docker/edge/Dockerfile

@@ -1,6 +1,12 @@
 FROM caddy:latest
-RUN apk add --no-cache bash jq curl git docker-cli python3 openssh-client autossh
-COPY entrypoint-edge.sh /usr/local/bin/entrypoint-edge.sh
+RUN apk add --no-cache bash jq curl git docker-cli python3 openssh-client autossh \
+    nodejs npm
+# Claude Code CLI — chat backend runtime (merged from docker/chat, #1083)
+RUN npm install -g @anthropic-ai/claude-code@2.1.84
+COPY docker/edge/entrypoint-edge.sh /usr/local/bin/entrypoint-edge.sh
+# Chat server and UI (merged from docker/chat into edge, #1083)
+COPY docker/chat/server.py /usr/local/bin/chat-server.py
+COPY docker/chat/ui/ /var/chat/ui/
 
 VOLUME /data
 

docker/edge/entrypoint-edge.sh

@@ -244,6 +244,9 @@ else
   echo "edge: collect-engagement cron skipped (EDGE_ENGAGEMENT_READY=0)" >&2
 fi
 
+# Start chat server in background (#1083 — merged from docker/chat into edge)
+(python3 /usr/local/bin/chat-server.py 2>&1 | tee -a /opt/disinto-logs/chat.log) &
+
 # Nomad template renders Caddyfile to /local/Caddyfile via service discovery;
 # copy it into the expected location if present (compose uses the mounted path).
 if [ -f /local/Caddyfile ]; then