v1.4.0-rc.11

.github/workflows/ci.yml

@@ -78,9 +78,9 @@ jobs:
       - name: Qlty check (all plugins)
         uses: nick-fields/retry@ce71cc2ab81d554ebbe88c79ab5975992d79ba08  # v3.0.2
         with:
-          timeout_minutes: 5
+          timeout_minutes: 8
           max_attempts: 3
-          retry_on: error
+          retry_on: any
           command: qlty check --all --no-progress
 
   test:

.gitignore

@@ -148,6 +148,7 @@ apps/web/content/docs/
 # Storybook build output
 storybook-static/
 
-# Claude Code project instructions
+# Claude Code project instructions and local config
 CLAUDE.md
+.claude/
 artifacts/

CHANGELOG.md

@@ -91,6 +91,10 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ### Changed
 
+- **Compose trigger uses Docker Engine API** — Compose-managed container updates now use the Docker Engine API directly (pull, stop, recreate) instead of shelling out to `docker compose` / `docker-compose` CLI. Eliminates `spawn docker ENOENT` errors in environments without Docker CLI binaries installed.
+- **Compose self-update delegates to parent orchestrator** — Self-update for compose-managed Drydock containers now uses the parent Docker trigger's helper-container transition with health gates and rollback, instead of direct stop/recreate.
+- **Compose runtime refresh extracted** — Shared `refreshComposeServiceWithDockerApi()` helper eliminates the recursive `recreateContainer` → `updateContainerWithCompose` call chain. Both code paths now converge on the same explicit, non-recursive method.
+- **Compose-file-once batch mode re-enabled** — `COMPOSEFILEONCE=true` now works with the Docker Engine API runtime. First container per service gets a full runtime refresh; subsequent containers sharing the same service skip the refresh.
 - **Self-update controller testable entrypoint** — Extracted process-level entry logic to a separate entrypoint module, making the controller independently testable without triggering process-exit side effects.
 - **Dockercompose YAML patching simplified** — Removed redundant type guards and dead-code branches from compose file patching helpers, reducing code paths and improving maintainability.
 - **Dashboard fetches recent-status from backend** — Dashboard now fetches pre-computed container statuses from `/api/containers/recent-status` instead of scanning the raw audit log client-side.
@@ -118,6 +122,13 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ### Fixed
 
+- **Action buttons disable and show spinner during in-progress actions** — Container action buttons (Stop, Start, Restart, Update, Delete) now show a disabled state with a spinner while the action runs in the background, providing clear visual feedback. The confirm dialog closes immediately on accept instead of blocking the UI.
+- **Command palette clears stale filter on navigation** — Navigating to a container via Ctrl+K search now clears the active `filterKind`, preventing stale filter state from hiding the navigated container.
+- **Manual update button works with compose triggers** — The update container endpoint now searches for both `docker` and `dockercompose` trigger types, matching the existing preview endpoint behavior. Previously, users with only a compose trigger saw "No docker trigger found for this container".
+- **CI: qlty retry on timeout** — Changed `retry_on` from `error` to `any` so qlty timeouts trigger retries. Increased timeout from 5 to 8 minutes.
+- **OIDC docs clarified `DD_PUBLIC_URL` requirement** — OIDC documentation now explicitly marks `DD_PUBLIC_URL` as required and includes it in all provider example configurations (Authelia, Auth0, Authentik, Dex). Without this variable, the OIDC provider fails to register at startup.
+- **Compose trigger docs updated for Engine API** — Removed stale references to `docker compose config --quiet` CLI validation and `docker compose pull`/`up` commands. Docs now reflect in-process YAML validation and Docker Engine API runtime. Added callout that Docker Compose CLI is not required.
+- **Container actions docs updated for compose triggers** — Update action documentation now mentions both Docker and Docker Compose trigger support.
 - **Compose trigger rejects compose files mounted outside app directory** — Removed overly strict working-directory boundary enforcement from `runComposeCommand` that rejected compose files bind-mounted outside `/home/node/app`, breaking documented mount patterns like `/drydock/docker-compose.yml`. Compose file paths are operator-configured and already validated during resolution.
 - **Compose trigger uses host paths instead of container paths** — Docker label auto-detection (`com.docker.compose.project.config_files`) now remaps host-side paths to container-internal paths using Drydock's own bind mount information. Previously, host paths like `/mnt/volume1/docker/stacks/monitoring/compose.yaml` were used directly inside the container where they don't exist, causing "does not exist" errors even when the file was properly mounted.
 - **Compose trigger logs spurious warnings for unrelated containers** — When multiple compose triggers are configured, each trigger now silently skips containers whose resolved compose files don't match the trigger's configured `FILE` path, eliminating noisy cross-stack "does not exist" warnings.

README.md

@@ -204,7 +204,7 @@ Docker Hub, GHCR, ECR, GCR, GAR, GitLab, Quay, Harbor, Artifactory, Nexus, and m
 <tr>
 <td align="center">
 <h3>Docker Compose Updates</h3>
-Auto-pull and recreate services via docker-compose with service-scoped compose image patching
+Auto-pull and recreate services via Docker Engine API with YAML-preserving service-scoped image patching
 </td>
 <td align="center">
 <h3>Distributed Agents</h3>

app/api/backup.test.ts

@@ -306,6 +306,55 @@ describe('Backup Router', () => {
       );
     });
 
+    test('should rollback successfully with a dockercompose trigger', async () => {
+      const handler = getHandler('post', '/:id/rollback');
+      const container = {
+        id: 'c1',
+        name: 'nginx',
+        image: { registry: { name: 'hub' } },
+      };
+      const latestBackup = {
+        id: 'b1',
+        containerId: 'c1',
+        imageName: 'library/nginx',
+        imageTag: '1.24',
+      };
+
+      mockGetContainer.mockReturnValue(container);
+      mockGetBackupsByName.mockReturnValue([latestBackup]);
+
+      const mockCurrentContainer = {};
+      const mockContainerSpec = { State: { Running: true } };
+      const composeTrigger = {
+        type: 'dockercompose',
+        getWatcher: vi.fn(() => ({ dockerApi: {} })),
+        pullImage: vi.fn().mockResolvedValue(undefined),
+        getCurrentContainer: vi.fn().mockResolvedValue(mockCurrentContainer),
+        inspectContainer: vi.fn().mockResolvedValue(mockContainerSpec),
+        stopAndRemoveContainer: vi.fn().mockResolvedValue(undefined),
+        recreateContainer: vi.fn().mockResolvedValue(undefined),
+      };
+      mockGetState.mockReturnValue({
+        trigger: { 'dockercompose.default': composeTrigger },
+        registry: { hub: { getAuthPull: vi.fn().mockResolvedValue({}) } },
+      });
+
+      const req = createMockRequest({ params: { id: 'c1' } });
+      const res = createMockResponse();
+      await handler(req, res);
+
+      expect(composeTrigger.pullImage).toHaveBeenCalled();
+      expect(composeTrigger.stopAndRemoveContainer).toHaveBeenCalled();
+      expect(composeTrigger.recreateContainer).toHaveBeenCalled();
+      expect(res.status).toHaveBeenCalledWith(200);
+      expect(res.json).toHaveBeenCalledWith(
+        expect.objectContaining({
+          message: 'Container rolled back successfully',
+          backup: latestBackup,
+        }),
+      );
+    });
+
     test('should rollback successfully when a valid backupId is provided', async () => {
       const handler = getHandler('post', '/:id/rollback');
       const container = {

app/api/container-actions.test.ts

@@ -460,6 +460,34 @@ describe('Container Actions Router', () => {
       );
     });
 
+    test('should update container successfully with a dockercompose trigger', async () => {
+      const container = {
+        id: 'c1',
+        name: 'nginx',
+        image: { name: 'nginx' },
+        updateAvailable: true,
+      };
+      const updatedContainer = { ...container, image: { name: 'nginx:latest' } };
+      mockGetContainer.mockReturnValueOnce(container).mockReturnValueOnce(updatedContainer);
+      const mockTriggerFn = vi.fn().mockResolvedValue(undefined);
+      const trigger = { type: 'dockercompose', trigger: mockTriggerFn };
+      mockGetState.mockReturnValue({ trigger: { 'dockercompose.default': trigger } });
+
+      const handler = getHandler('post', '/:id/update');
+      const req = createMockRequest({ params: { id: 'c1' } });
+      const res = createMockResponse();
+      await handler(req, res);
+
+      expect(mockTriggerFn).toHaveBeenCalledWith(container);
+      expect(res.status).toHaveBeenCalledWith(200);
+      expect(res.json).toHaveBeenCalledWith(
+        expect.objectContaining({
+          message: 'Container updated successfully',
+          result: updatedContainer,
+        }),
+      );
+    });
+
     test('should return 404 when container not found', async () => {
       mockGetContainer.mockReturnValue(undefined);
 

app/api/container-actions.ts

@@ -163,7 +163,9 @@ async function updateContainer(req: Request, res: Response) {
     return;
   }
 
-  const trigger = findDockerTriggerForContainer(registry.getState().trigger, container);
+  const trigger = findDockerTriggerForContainer(registry.getState().trigger, container, {
+    triggerTypes: ['docker', 'dockercompose'],
+  });
   if (!trigger) {
     sendErrorResponse(res, 404, NO_DOCKER_TRIGGER_FOUND_ERROR);
     return;

app/api/docker-trigger.test.ts

@@ -26,7 +26,7 @@ describe('docker-trigger helper', () => {
     expect(result).toBeUndefined();
   });
 
-  test('ignores compose triggers by default', () => {
+  test('includes compose triggers by default', () => {
     const composeTrigger = { type: 'dockercompose' };
 
     const result = findDockerTriggerForContainer(
@@ -36,21 +36,21 @@ describe('docker-trigger helper', () => {
       { id: 'c1' },
     );
 
-    expect(result).toBeUndefined();
+    expect(result).toBe(composeTrigger);
   });
 
-  test('can include compose triggers when requested', () => {
+  test('can limit trigger types when requested', () => {
     const composeTrigger = { type: 'dockercompose' };
 
     const result = findDockerTriggerForContainer(
       {
         'dockercompose.default': composeTrigger,
       },
       { id: 'c1' },
-      { triggerTypes: ['docker', 'dockercompose'] },
+      { triggerTypes: ['docker'] },
     );
 
-    expect(result).toBe(composeTrigger);
+    expect(result).toBeUndefined();
   });
 
   test('skips docker triggers with a different agent than the container', () => {

app/api/docker-trigger.ts

@@ -3,7 +3,7 @@ import type Docker from '../triggers/providers/docker/Docker.js';
 import type Trigger from '../triggers/providers/Trigger.js';
 
 export const NO_DOCKER_TRIGGER_FOUND_ERROR = 'No docker trigger found for this container';
-const DEFAULT_TRIGGER_TYPES = ['docker'];
+const DEFAULT_TRIGGER_TYPES = ['docker', 'dockercompose'];
 
 interface FindDockerTriggerForContainerOptions {
   triggerTypes?: string[];

app/api/webhook.test.ts

@@ -1051,6 +1051,28 @@ describe('Webhook Router', () => {
       });
     });
 
+    test('should trigger update and return 200 with a dockercompose trigger', async () => {
+      const container = { name: 'my-nginx', image: { name: 'nginx' } };
+      mockGetContainers.mockReturnValue([container]);
+      const mockTrigger = vi.fn().mockResolvedValue(undefined);
+      mockGetState.mockReturnValue({
+        watcher: {},
+        trigger: { 'dockercompose.default': { type: 'dockercompose', trigger: mockTrigger } },
+      });
+
+      const handler = getHandler('post', '/update/:containerName');
+      const req = createMockRequest({ params: { containerName: 'my-nginx' } });
+      const res = createMockResponse();
+      await handler(req, res);
+
+      expect(mockTrigger).toHaveBeenCalledWith(container);
+      expect(res.status).toHaveBeenCalledWith(200);
+      expect(res.json).toHaveBeenCalledWith({
+        message: 'Update triggered for container my-nginx',
+        result: { container: 'my-nginx' },
+      });
+    });
+
     test('should sanitize reflected containerName in successful update response', async () => {
       const containerName = '\u001b[31mmy-nginx\u001b[0m\nnext';
       const container = { name: containerName, image: { name: 'nginx' } };