Skip to main content

Overview

Dockhand is built with a modern, security-focused architecture that emphasizes performance, maintainability, and minimal dependencies. The application follows a server-side rendering (SSR) approach with progressive enhancement for optimal user experience.
Dockhand runs on a custom Wolfi-based OS built from scratch using apko, with every package explicitly declared for maximum security.

Architecture Diagram

Frontend Architecture

The frontend is built with modern web technologies for maximum performance and developer experience.

SvelteKit 2 & Svelte 5

Core framework features:
  • Server-Side Rendering (SSR): Initial page loads are rendered on the server for fast first paint
  • Progressive Enhancement: Works without JavaScript, enhanced when available
  • File-based Routing: Routes defined by file structure in src/routes/
  • API Routes: Backend endpoints colocated with frontend pages
  • Type Safety: Full TypeScript support with generated types

Svelte 5 Runes

Dockhand uses Svelte 5’s new reactivity system:

UI Components

Built with shadcn-svelte and TailwindCSS:

shadcn-svelte

Accessible component library with bits-ui primitives for modals, dropdowns, tooltips, etc.

TailwindCSS v4

Utility-first CSS with Vite plugin for optimal performance

Lucide Icons

Consistent iconography with lucide-svelte

Mode Watcher

Dark/light theme with system preference detection

Specialized Components

Terminal Emulator (xterm.js):
Code Editor (CodeMirror 6):
Dependency Graph (Cytoscape.js):

Backend Architecture

The backend is built with SvelteKit API routes and modular server-side code.

Bun Runtime

Dockhand uses Bun as the JavaScript runtime:
  • Fast execution: Optimized JavaScript and TypeScript engine
  • Native TypeScript: No transpilation required
  • Built-in fetch: Node.js fetch API for HTTP requests
  • WebSocket support: Native WebSocket implementation
  • Compatibility: Node.js API compatibility layer
The production Dockerfile uses Node.js 24 instead of Bun to avoid BoringSSL memory leaks on mTLS connections. Development can use either.

Server Module Structure

Docker API Integration

Direct API calls without dockerode:
Connection Types:
1

Unix Socket

Local Docker socket at /var/run/docker.sock using custom agent
2

TCP/TLS

Remote Docker daemon via HTTPS with optional mTLS client certificates
3

Hawser

WebSocket-based protocol for edge deployments and NAT traversal

Compose Stack Management

All stack operations use docker compose commands:
Stack Storage:
  • Internal: ~/.dockhand/stacks/{stackName}/compose.yaml
  • Git: ~/.dockhand/git/{repoId}/{stackName}/compose.yaml
  • External: Detected via Docker labels, not stored

Authentication System

Multi-provider authentication with security best practices:
Cookie Configuration:

Authorization (RBAC)

Role-Based Access Control for Enterprise edition:

Database Layer

Type-safe database operations with Drizzle ORM.

Drizzle ORM

Modern TypeScript ORM with zero-runtime overhead:

Schema Design

Database tables are defined using Drizzle’s schema builder:

Migration System

Database migrations managed by Drizzle Kit:
Migrations are stored in:
  • drizzle/ for SQLite
  • drizzle-pg/ for PostgreSQL
Migrations run automatically on application startup via hooks.server.ts.

Database Support

Using better-sqlite3 for synchronous API and performance. Stored at $DATA_DIR/dockhand.db.
Using postgres package for production deployments. Configured via DATABASE_URL environment variable.

Base Operating System

Custom Wolfi-based OS built with apko for security and minimalism.

Wolfi OS

Wolfi is a Linux distribution designed for containers:
  • Minimal attack surface: Only necessary packages included
  • CVE-free: Packages rebuilt to eliminate known vulnerabilities
  • No shell required: Distroless by default
  • APK packages: Fast package management
  • Regular updates: Chainguard maintains the repository

apko Build Process

The Dockerfile uses apko to generate a custom OS:
Packages Included:
  • wolfi-base: Core system files
  • ca-certificates: TLS certificate trust store
  • busybox: Essential Unix utilities
  • docker-cli, docker-compose: Docker management
  • git, openssh-client: Git operations
  • postgresql-client, sqlite: Database clients
  • tini: Init system for proper signal handling
  • su-exec: User switching for PUID/PGID support

Multi-Stage Build

The final image is built from scratch with only the custom OS and application files. No base image vulnerabilities.

Real-Time Communication

Dockhand uses multiple protocols for real-time updates.

Server-Sent Events (SSE)

One-way server-to-client streaming:
Use Cases:
  • Dashboard real-time stats
  • Log streaming
  • Deployment progress
  • Event notifications

WebSocket

Bi-directional communication for interactive features:
Use Cases:
  • Interactive terminals
  • Container exec sessions
  • Real-time collaborative editing (future)

Monitoring & Metrics

Optional metrics collection using a separate Go process.

Collection Worker

Written in Go for performance:
Collected Metrics:
  • CPU percentage (calculated from CPU delta)
  • Memory usage (with cache separation)
  • Network RX/TX bytes
  • Block I/O read/write bytes

Metrics Storage

In-memory storage with configurable retention:

Security Architecture

Security is built into every layer of Dockhand.

Threat Model

1

Authentication

Prevent unauthorized access with Argon2id hashing, secure session tokens, and MFA support
2

Authorization

Enforce least privilege with RBAC, environment-level permissions, and resource-level checks
3

Data Protection

Encrypt sensitive data (credentials, certificates) with AES-256-GCM
4

Network Security

Use TLS for all remote connections, validate certificates, support mTLS
5

Container Isolation

Run as non-root user, drop capabilities, use read-only filesystem where possible

Encryption

Credentials and secrets are encrypted at rest:
Encrypted Fields:
  • Docker registry passwords
  • Git SSH keys and tokens
  • LDAP bind passwords
  • OIDC client secrets
  • TLS private keys
  • Environment variables marked as secrets

Session Security

Audit Logging

All privileged actions are logged:

Performance Optimizations

Response Compression

Automatic gzip compression for responses:

Database Indexing

Optimized indexes for common queries:

Caching Strategy

  • In-memory caching: Environment list, user permissions
  • Conditional requests: ETags for static resources
  • Stale-while-revalidate: Background data refresh

Deployment Architecture

Single Container Deployment

Simplest deployment with SQLite:

PostgreSQL Deployment

For production with external database:

High Availability

For enterprise deployments:
  • Load balancer: Nginx/Traefik in front of multiple Dockhand instances
  • Shared PostgreSQL: Managed database (RDS, CloudSQL, etc.)
  • Session affinity: Sticky sessions for WebSocket connections
  • Health checks: /api/health endpoint for load balancer
Dockhand is designed to be stateless except for the database, making horizontal scaling straightforward.

Extension Points

Dockhand provides several extension points for customization.

Webhooks

Outgoing webhooks for notifications:

MQTT Integration

Publish events to MQTT broker:

Custom Themes

Extend Tailwind configuration:

Future Architecture Plans

Plugin System

Extensibility framework for custom integrations and UI components

GraphQL API

Alternative API layer for complex queries and subscriptions

Message Queue

Redis/NATS for distributed job processing

Kubernetes Support

Manage Kubernetes clusters alongside Docker