feat: Introduce Docker socket proxy and install Docker CLI in the app container for secure deployment operations.

docker-compose.prod.yml

@@ -29,6 +29,21 @@ services:
         limits:
           memory: 512M
 
+  socket-proxy:
+    image: tecnativa/docker-socket-proxy
+    container_name: socket_proxy
+    restart: unless-stopped
+    environment:
+      - CONTAINERS=1
+      - POST=1
+      - BUILD=1
+      - NETWORKS=1
+      - IMAGES=1 # Needed for pulling/pruning
+    volumes:
+      - /var/run/docker.sock:/var/run/docker.sock:ro
+    networks:
+      - internal
+
   app:
     container_name: aurora_app
     restart: unless-stopped
@@ -41,8 +56,6 @@ services:
       - "127.0.0.1:3000:3000"
     # Volumes for bot-triggered deployments
     volumes:
-      # Docker socket - allows bot to run docker compose commands
-      - /var/run/docker.sock:/var/run/docker.sock
       # Project directory - allows git pull and rebuild
       - .:/app/deploy
     working_dir: /app
@@ -60,9 +73,12 @@ services:
       - DATABASE_URL=postgresql://${DB_USER}:${DB_PASSWORD}@db:5432/${DB_NAME}
       # Deploy directory path for bot-triggered deployments
       - DEPLOY_DIR=/app/deploy
+      - DOCKER_HOST=tcp://socket-proxy:2375
     depends_on:
       db:
         condition: service_healthy
+      socket-proxy:
+        condition: service_started
     networks:
       - internal
       - web