Overview
Dockhand is built with a modern, security-focused architecture that emphasizes performance, maintainability, and minimal dependencies. The application follows a server-side rendering (SSR) approach with progressive enhancement for optimal user experience.Dockhand runs on a custom Wolfi-based OS built from scratch using apko, with every package explicitly declared for maximum security.
Architecture Diagram
Frontend Architecture
The frontend is built with modern web technologies for maximum performance and developer experience.SvelteKit 2 & Svelte 5
Core framework features:- Server-Side Rendering (SSR): Initial page loads are rendered on the server for fast first paint
- Progressive Enhancement: Works without JavaScript, enhanced when available
- File-based Routing: Routes defined by file structure in
src/routes/ - API Routes: Backend endpoints colocated with frontend pages
- Type Safety: Full TypeScript support with generated types
Svelte 5 Runes
Dockhand uses Svelte 5’s new reactivity system:UI Components
Built with shadcn-svelte and TailwindCSS:shadcn-svelte
Accessible component library with bits-ui primitives for modals, dropdowns, tooltips, etc.
TailwindCSS v4
Utility-first CSS with Vite plugin for optimal performance
Lucide Icons
Consistent iconography with lucide-svelte
Mode Watcher
Dark/light theme with system preference detection
Specialized Components
Terminal Emulator (xterm.js):
CodeMirror 6):
Cytoscape.js):
Backend Architecture
The backend is built with SvelteKit API routes and modular server-side code.Bun Runtime
Dockhand uses Bun as the JavaScript runtime:- Fast execution: Optimized JavaScript and TypeScript engine
- Native TypeScript: No transpilation required
- Built-in fetch: Node.js fetch API for HTTP requests
- WebSocket support: Native WebSocket implementation
- Compatibility: Node.js API compatibility layer
The production Dockerfile uses Node.js 24 instead of Bun to avoid BoringSSL memory leaks on mTLS connections. Development can use either.
Server Module Structure
Docker API Integration
Direct API calls without dockerode:1
Unix Socket
Local Docker socket at
/var/run/docker.sock using custom agent2
TCP/TLS
Remote Docker daemon via HTTPS with optional mTLS client certificates
3
Hawser
WebSocket-based protocol for edge deployments and NAT traversal
Compose Stack Management
All stack operations usedocker compose commands:
- Internal:
~/.dockhand/stacks/{stackName}/compose.yaml - Git:
~/.dockhand/git/{repoId}/{stackName}/compose.yaml - External: Detected via Docker labels, not stored
Authentication System
Multi-provider authentication with security best practices:Authorization (RBAC)
Role-Based Access Control for Enterprise edition:Database Layer
Type-safe database operations with Drizzle ORM.Drizzle ORM
Modern TypeScript ORM with zero-runtime overhead:Schema Design
Database tables are defined using Drizzle’s schema builder:Migration System
Database migrations managed by Drizzle Kit:drizzle/for SQLitedrizzle-pg/for PostgreSQL
Migrations run automatically on application startup via
hooks.server.ts.Database Support
SQLite (Default)
SQLite (Default)
Using
better-sqlite3 for synchronous API and performance. Stored at $DATA_DIR/dockhand.db.PostgreSQL
PostgreSQL
Using
postgres package for production deployments. Configured via DATABASE_URL environment variable.Base Operating System
Custom Wolfi-based OS built with apko for security and minimalism.Wolfi OS
Wolfi is a Linux distribution designed for containers:- Minimal attack surface: Only necessary packages included
- CVE-free: Packages rebuilt to eliminate known vulnerabilities
- No shell required: Distroless by default
- APK packages: Fast package management
- Regular updates: Chainguard maintains the repository
apko Build Process
The Dockerfile uses apko to generate a custom OS:wolfi-base: Core system filesca-certificates: TLS certificate trust storebusybox: Essential Unix utilitiesdocker-cli,docker-compose: Docker managementgit,openssh-client: Git operationspostgresql-client,sqlite: Database clientstini: Init system for proper signal handlingsu-exec: User switching for PUID/PGID support
Multi-Stage Build
Real-Time Communication
Dockhand uses multiple protocols for real-time updates.Server-Sent Events (SSE)
One-way server-to-client streaming:- Dashboard real-time stats
- Log streaming
- Deployment progress
- Event notifications
WebSocket
Bi-directional communication for interactive features:- Interactive terminals
- Container exec sessions
- Real-time collaborative editing (future)
Monitoring & Metrics
Optional metrics collection using a separate Go process.Collection Worker
Written in Go for performance:- CPU percentage (calculated from CPU delta)
- Memory usage (with cache separation)
- Network RX/TX bytes
- Block I/O read/write bytes
Metrics Storage
In-memory storage with configurable retention:Security Architecture
Security is built into every layer of Dockhand.Threat Model
1
Authentication
Prevent unauthorized access with Argon2id hashing, secure session tokens, and MFA support
2
Authorization
Enforce least privilege with RBAC, environment-level permissions, and resource-level checks
3
Data Protection
Encrypt sensitive data (credentials, certificates) with AES-256-GCM
4
Network Security
Use TLS for all remote connections, validate certificates, support mTLS
5
Container Isolation
Run as non-root user, drop capabilities, use read-only filesystem where possible
Encryption
Credentials and secrets are encrypted at rest:- Docker registry passwords
- Git SSH keys and tokens
- LDAP bind passwords
- OIDC client secrets
- TLS private keys
- Environment variables marked as secrets
Session Security
Audit Logging
All privileged actions are logged:Performance Optimizations
Response Compression
Automatic gzip compression for responses:Database Indexing
Optimized indexes for common queries:Caching Strategy
- In-memory caching: Environment list, user permissions
- Conditional requests: ETags for static resources
- Stale-while-revalidate: Background data refresh
Deployment Architecture
Single Container Deployment
Simplest deployment with SQLite:PostgreSQL Deployment
For production with external database:High Availability
For enterprise deployments:- Load balancer: Nginx/Traefik in front of multiple Dockhand instances
- Shared PostgreSQL: Managed database (RDS, CloudSQL, etc.)
- Session affinity: Sticky sessions for WebSocket connections
- Health checks:
/api/healthendpoint for load balancer
Dockhand is designed to be stateless except for the database, making horizontal scaling straightforward.
Extension Points
Dockhand provides several extension points for customization.Webhooks
Outgoing webhooks for notifications:MQTT Integration
Publish events to MQTT broker:Custom Themes
Extend Tailwind configuration:Future Architecture Plans
Plugin System
Extensibility framework for custom integrations and UI components
GraphQL API
Alternative API layer for complex queries and subscriptions
Message Queue
Redis/NATS for distributed job processing
Kubernetes Support
Manage Kubernetes clusters alongside Docker
