fix(api): mount host docker data for skiller (#366)

* fix(api): mount host docker data for skiller

* fix(api): make bundled skiller launch reproducible

* fix(api): address skiller review follow-ups

* fix(api): run scoped skiller as project user

* fix skiller launch review issues

* add skiller process timeout

Author: skulidropek

docker-compose.api.yml

@@ -35,7 +35,7 @@ services:
       - 1.1.1.1
     volumes:
       - docker_git_projects:${DOCKER_GIT_PROJECTS_ROOT:-/home/dev/.docker-git}
-      - docker_git_docker_data:/var/lib/docker
+      - /var/lib/docker:/var/lib/docker
       - /var/run/docker.sock:/var/run/docker.sock
     privileged: ${DOCKER_GIT_CONTROLLER_PRIVILEGED:-false}
     cgroup: host

docker-compose.yml

@@ -35,7 +35,7 @@ services:
       - 1.1.1.1
     volumes:
       - docker_git_projects:${DOCKER_GIT_PROJECTS_ROOT:-/home/dev/.docker-git}
-      - docker_git_docker_data:/var/lib/docker
+      - /var/lib/docker:/var/lib/docker
       - /var/run/docker.sock:/var/run/docker.sock
     privileged: ${DOCKER_GIT_CONTROLLER_PRIVILEGED:-false}
     cgroup: host

docs/pr-screenshots/issue-365/skiller-dashboard.png

@@ -0,0 +1,11 @@
+{
+  "click": {
+    "clicked": true,
+    "text": "Projects1",
+    "href": "#/projects"
+  },
+  "page": {
+    "href": "http://127.0.0.1:45112/api/skiller/app/#/projects",
+    "text": "Import from Git\nImport from Local\nWORKSPACE\nDashboard\nAll Skills\n0\nMarketplace\nProjects\n1\nSettings\nProjects\nAdd project\n\napp\n\n/home/dev/app\n\napp\n/home/dev/app\nImport from Git\nImport Local\nCopy from installed\nSKILLS IN THIS PROJECT\n\nNo project-scoped skills yet.\n\nNo skills here yet. Copy one you already have installed, import from Git, or browse the Marketplace — use the buttons above or below.\n\nCopy from installed\nImport from Git\nBrowse Marketplace\nSYSTEM PROMPTS\n\nEdit the prompt files that Codex, Claude Code, and Gemini read from this container.\n\nProject system prompts\n\nFiles in this repository workspace.\n\nCodex\n\nnot created\n\n/home/dev/app/AGENTS.md\n\nDelete\nSave\n\nClaude Code\n\nnot created\n\n/home/dev/app/CLAUDE.md\n\nDelete\nSave\n\nGemini\n\nnot created\n\n/home/dev/app/GEMINI.md\n\nDelete\nSave\nGlobal system prompts\n\nFiles in the selected container home.\n\nCodex\n\nnot created\n\n/tmp/docker-git-skiller/0e9c63fe5287/home/.codex/AGENTS.md\n\nDelete\nSave\n\nClaude Code\n\nnot created\n\n/tmp/docker-git-skiller/"
+  }
+}

docs/pr-screenshots/issue-365/skiller-projects-after-click.json

@@ -121,6 +121,16 @@ RUN if [ "$DOCKER_GIT_CONTROLLER_BUILD_SKILLER" = "1" ]; then \
           rm -rf /root/.bun/install/cache node_modules; \
           sleep $((attempt * 2)); \
         done \
+      && electron_zip="$(find "${electron_config_cache:-/root/.cache/electron}" -name 'electron-v*-linux-*.zip' -print -quit)" \
+      && if [ -z "$electron_zip" ]; then echo "Electron zip not found in cache: ${electron_config_cache:-/root/.cache/electron}" >&2; exit 1; fi \
+      && unzip -Z1 "$electron_zip" > /tmp/electron-zip-entries \
+      && if grep -Eq '(^/|(^|/)\.\.($|/))' /tmp/electron-zip-entries; then echo "Unsafe paths in Electron zip: $electron_zip" >&2; exit 1; fi \
+      && rm -f /tmp/electron-zip-entries \
+      && rm -rf node_modules/electron/dist node_modules/electron/path.txt \
+      && mkdir -p node_modules/electron/dist \
+      && unzip -q "$electron_zip" -d node_modules/electron/dist \
+      && printf '%s' electron > node_modules/electron/path.txt \
+      && test -x node_modules/electron/dist/electron \
       && bun run build \
       && touch out/.docker-git-browser-folder-picker.patch \
       && mkdir -p out/preload \

docs/pr-screenshots/issue-365/skiller-projects-after-click.png

@@ -12,14 +12,16 @@ This is now the intended controller plane:
 ## Runtime contract: host-Docker-backed
 
 `docker-git` is host-Docker-backed by default. The primary controller
-container created from this package binds the host socket
-(`/var/run/docker.sock:/var/run/docker.sock`, see `docker-compose.yml`) and
-uses it to spawn per-project containers. `DOCKER_GIT_DOCKER_RUNTIME=isolated`
-is an opt-in fallback for environments that explicitly require an embedded
-controller daemon. In isolated mode, start the controller through the host CLI
-or include `docker-compose.isolated.yml`; that overlay removes the host socket
-bind and defaults project containers to the embedded daemon endpoint
-`tcp://host.docker.internal:2375`.
+container created from this package binds the host socket and Docker data root
+(`/var/run/docker.sock:/var/run/docker.sock` and
+`/var/lib/docker:/var/lib/docker`, see `docker-compose.yml`) and uses them to
+spawn per-project containers and access the Docker volume paths reported by
+`docker inspect`. `DOCKER_GIT_DOCKER_RUNTIME=isolated` is an opt-in fallback for
+environments that explicitly require an embedded controller daemon. In isolated
+mode, start the controller through the host CLI or include
+`docker-compose.isolated.yml`; that overlay removes the host socket bind, keeps
+Docker data inside the controller volume, and defaults project containers to the
+embedded daemon endpoint `tcp://host.docker.internal:2375`.
 
 Security note: binding `/var/run/docker.sock` gives the controller container
 root-equivalent control over the host Docker daemon, including the ability to