dave/storkit
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases 8 Wiki Activity

storkit: accept 360_story_run_storkit_container_under_gvisor_runsc_runtime

Browse Source
This commit is contained in:
dave
2026-03-23 11:48:32 +00:00
parent 86102f8ad6
commit 2bb36d0e68
1 changed files with 0 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

21
.storkit/work/5_done/360_story_run_storkit_container_under_gvisor_runsc_runtime.md
View File

@@ -1,21 +0,0 @@
---
name: "Run storkit container under gVisor (runsc) runtime"
---
# Story 360: Run storkit container under gVisor (runsc) runtime
## User Story
As a storkit operator, I want the container to run under gVisor so that even if a malicious codebase escapes the container's process namespace, it cannot make raw syscalls to the host kernel.
## Acceptance Criteria
- [ ] docker-compose.yml specifies runtime: runsc
- [ ] PTY-based agent spawning (Claude Code via PTY) works correctly under runsc
- [ ] rebuild_and_restart (exec() replacement) works correctly under runsc
- [ ] Rust compilation inside the container completes successfully under runsc
- [ ] Document host setup requirement: runsc must be installed and registered in /etc/docker/daemon.json
## Out of Scope
- TBD