From f7118203792a6b04ef1ff4bcaa31605c7a9ddfa5 Mon Sep 17 00:00:00 2001
From: Casey Brooks <casey.brooks@agyn.io>
Date: Fri, 20 Feb 2026 11:26:07 +0000
Subject: [PATCH 1/2] feat(compose): add docker runner service

---
 agyn/docker-compose.yaml | 26 ++++++++++++++++++++++----
 1 file changed, 22 insertions(+), 4 deletions(-)

diff --git a/agyn/docker-compose.yaml b/agyn/docker-compose.yaml
index ff06cab..2c7bce7 100644
--- a/agyn/docker-compose.yaml
+++ b/agyn/docker-compose.yaml
@@ -60,10 +60,25 @@ services:
     networks:
       - agents_stack
 
+  docker-runner:
+    image: ghcr.io/agynio/docker-runner:0.12.0
+    restart: unless-stopped
+    environment:
+      DOCKER_RUNNER_SHARED_SECRET: ${DOCKER_RUNNER_SHARED_SECRET:-dev-shared-secret}
+      DOCKER_RUNNER_PORT: ${DOCKER_RUNNER_PORT:-7071}
+    volumes:
+      - type: bind
+        source: /var/run/docker.sock
+        target: /var/run/docker.sock
+    expose:
+      - "7071"
+    networks:
+      - agents_stack
+
   # Platform server (NestJS) — internal only, UI will proxy
   platform-server:
     user: root
-    image: ghcr.io/agynio/platform-server:0.11.0
+    image: ghcr.io/agynio/platform-server:0.12.0
     restart: unless-stopped
     environment:
       AGENTS_DATABASE_URL: postgresql://agents:agents@platform-db:5432/agents
@@ -80,7 +95,9 @@ services:
       GRAPH_BRANCH: v0.10.1
       GRAPH_AUTHOR_NAME: Agyn Platform
       GRAPH_AUTHOR_EMAIL: rowan.stein@agyn.io
-      DOCKER_SOCKET: /var/run/docker.sock
+      DOCKER_RUNNER_BASE_URL: http://docker-runner:7071
+      DOCKER_RUNNER_SHARED_SECRET: ${DOCKER_RUNNER_SHARED_SECRET:-dev-shared-secret}
+      DOCKER_RUNNER_TIMEOUT_MS: ${DOCKER_RUNNER_TIMEOUT_MS:-30000}
     depends_on:
       platform-db:
         condition: service_healthy
@@ -88,19 +105,20 @@ services:
         condition: service_started
       vault:
         condition: service_started
+      docker-runner:
+        condition: service_started
     expose:
       - "3010"
     # Run DB migrations then start the server. Requires prisma CLI in the image (now included).
     command: ["/bin/sh", "-lc", "set -e; prisma migrate deploy --schema /opt/app/packages/platform-server/prisma/schema.prisma; exec tsx src/index.ts"]
     volumes:
       - ..:/opt/app/data/bootstrap
-      - /var/run/docker.sock:/var/run/docker.sock
     networks:
       - agents_stack
 
   # Platform UI reverse proxy — the only exposed service
   platform-ui:
-    image: ghcr.io/agynio/platform-ui:0.11.0
+    image: ghcr.io/agynio/platform-ui:0.12.0
     restart: unless-stopped
     environment:
       API_UPSTREAM: http://platform-server:3010

From 26eef8cb148db3e2a0653f20a699bdb8fb4eec5d Mon Sep 17 00:00:00 2001
From: Casey Brooks <casey.brooks@agyn.io>
Date: Fri, 20 Feb 2026 12:19:27 +0000
Subject: [PATCH 2/2] fix(compose): keep docker runner internal

---
 agyn/docker-compose.yaml | 2 --
 1 file changed, 2 deletions(-)

diff --git a/agyn/docker-compose.yaml b/agyn/docker-compose.yaml
index 2c7bce7..26e9b41 100644
--- a/agyn/docker-compose.yaml
+++ b/agyn/docker-compose.yaml
@@ -70,8 +70,6 @@ services:
       - type: bind
         source: /var/run/docker.sock
         target: /var/run/docker.sock
-    expose:
-      - "7071"
     networks:
       - agents_stack