Migrate Docker CLI to Bollard API Client
Status: Deferred — incremental migration is the pragmatic path
Problem
Section titled “Problem”All Docker operations use ShellRunner which shells out to the docker CLI. Error handling relies on string-matching stderr text (e.g., "No such container", "No such network" in is_missing_cleanup_error()), which is brittle across Docker versions and locales.
Why It Matters
Section titled “Why It Matters”- String-matched error detection can break silently on Docker updates or non-English locales
- No structured error codes from CLI — only exit code 1 for most failures
- The
bollardcrate provides a typed Rust Docker API client over Unix socket/TCP with proper HTTP status codes (e.g., 404 for “not found” vs 500 for real errors)
Open Security Finding
Section titled “Open Security Finding”The Open review findings
catalog still tracks is_missing_cleanup_error() string-matching
Docker error messages. This migration would resolve that finding.
Options
Section titled “Options”-
Full migration to
bollard: Replace allShellRunnerDocker calls withbollardAPI calls. Significant refactor. -
Incremental migration: Start with cleanup/lifecycle operations (where string matching is most problematic), keep CLI for
docker buildanddocker run -it(where interactive TTY is needed).
Related Files
Section titled “Related Files”src/docker.rs—ShellRunner, command executionsrc/runtime/cleanup.rs—is_missing_cleanup_error(), orphan GC Docker callssrc/runtime/launch.rs—launch_agent_runtime()Docker run invocationsrc/runtime/attach.rs—attach_running(),inspect_container_state()src/runtime/image.rs—build_agent_image()Docker build invocation