storkit: merge 360_story_run_storkit_container_under_gvisor_runsc_runtime

docker/docker-compose.yml

@@ -8,12 +8,39 @@
 # OrbStack users: just install OrbStack and use `docker compose` normally.
 # OrbStack's VirtioFS bind mount driver is significantly faster than
 # Docker Desktop's default (see spike findings).
+#
+# ── gVisor (runsc) host setup ────────────────────────────────────────────
+# This compose file uses `runtime: runsc` (gVisor) for syscall-level
+# sandboxing. gVisor intercepts all container syscalls in userspace so
+# that even if a malicious workload escapes the container's process
+# namespace it cannot make raw syscalls to the host kernel.
+#
+# Prerequisites on the Docker host:
+#   1. Install gVisor:
+#        curl -fsSL https://gvisor.dev/archive.key | sudo gpg --dearmor -o /usr/share/keyrings/gvisor-archive-keyring.gpg
+#        echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/gvisor-archive-keyring.gpg] https://storage.googleapis.com/gvisor/releases release main" | sudo tee /etc/apt/sources.list.d/gvisor.list
+#        sudo apt-get update && sudo apt-get install -y runsc
+#   2. Register runsc with Docker (/etc/docker/daemon.json):
+#        {
+#          "runtimes": {
+#            "runsc": { "path": "/usr/bin/runsc" }
+#          }
+#        }
+#   3. Restart Docker:  sudo systemctl restart docker
+#   4. Verify:          docker run --runtime=runsc hello-world
+#
+# Note: On macOS (OrbStack / Docker Desktop) gVisor is Linux-only and
+# not supported. Remove `runtime: runsc` for local development on macOS.
 
 services:
   storkit:
     build:
       context: ..
       dockerfile: docker/Dockerfile
+    # Run under gVisor for syscall-level sandboxing.
+    # Requires runsc installed and registered in /etc/docker/daemon.json.
+    # See host setup instructions in the header comment above.
+    runtime: runsc
     container_name: storkit
     ports:
       # Bind to localhost only — not exposed on all interfaces.