feat: add containers tab to compose services

[Siumauricio]

What is this PR about?

Adds a Containers tab to the compose service page, allowing users to inspect each container in a compose deployment and run basic lifecycle actions (View Logs, Restart, Start, Stop, Kill) directly from the UI.

Changes

• packages/server/src/services/docker.ts — Added containerStart, containerStop, containerKill functions with remote server support. Updated containerRestart to also support serverId.
• apps/dokploy/server/api/routers/docker.ts — Added startContainer, stopContainer, killContainer tRPC procedures with server ownership checks and audit logging. Updated restartContainer to accept serverId.
• apps/dokploy/components/dashboard/compose/containers/show-compose-containers.tsx — New component with a table showing container name, state (badge), status, and container ID. Each row has a dropdown menu with lifecycle actions and a View Logs dialog.
• apps/dokploy/pages/.../compose/[composeId].tsx — Added the Containers tab between Deployments and Backups, gated by docker.read permission.

Checklist

• You created a dedicated branch based on the canary branch.
• You have read the suggestions in the CONTRIBUTING.md file https://github.com/Dokploy/dokploy/blob/canary/CONTRIBUTING.md#pull-request
• You have tested this PR in your local instance. If you have not tested it yet, please do so before submitting. This helps avoid wasting maintainers' time reviewing code that has not been verified by you.

Issues related (if applicable)

N/A

Screenshots (if applicable)

N/A

Greptile Summary

This PR adds a Containers tab to compose service pages, letting users inspect running containers and trigger lifecycle actions (start, stop, restart, kill) directly from the UI. The server-side service functions are well-structured, correctly supporting both local and remote server execution, and the old silent-error-swallowing in containerRestart is properly fixed.

• killContainer audit log records action: \"stop\" instead of \"kill\", making kill events indistinguishable from stop events in the audit trail.
• startContainer, stopContainer, and killContainer are gated by docker.read permission — consistent with the pre-existing pattern for restartContainer/removeContainer, but worth revisiting so read-only roles cannot mutate container state via the API.

Confidence Score: 4/5

Safe to merge with minor cleanup; no functional regressions introduced.

All findings are P2: the wrong audit action label for kill, the empty-string serverId, and the read-permission-for-write-mutations concern (which follows the existing codebase pattern). None block the primary user path. Score is 4 rather than 5 to flag the permission model concern as worth addressing before the pattern spreads further.

apps/dokploy/server/api/routers/docker.ts — audit action label for killContainer and permission level for mutation procedures.

_{Reviews (1): Last reviewed commit: "[autofix.ci] apply automated fixes" | Re-trigger Greptile}

Greptile also left 3 inline comments on this PR.

[greptile-apps]

Wrong audit action for killContainer

The killContainer procedure logs action: "stop", but the actual operation is a kill. This audit log will be misleading when trying to trace who forcefully killed a container vs. who gracefully stopped one.

Suggested change

	if (input.serverId) {
	const server = await findServerById(input.serverId);
	if (server.organizationId !== ctx.session?.activeOrganizationId) {
	await audit(ctx, {
	action: "kill",
	resourceType: "docker",

[greptile-apps]

Pass undefined instead of empty string for missing serverId

data?.serverId || "" passes an empty string when no server is associated. While if (serverId) checks in the service layer correctly treat "" as falsy (so execution falls through to local), passing "" to optional z.string().optional() fields is semantically incorrect and may cause confusion in future callsite reads.

Suggested change

	<div className="flex flex-col gap-4 pt-2.5">
	<ShowComposeContainers
	serverId={data?.serverId || ""}
	appName={data?.appName || ""}
	appType={data?.composeType || "docker-compose"}
	<ShowComposeContainers
	serverId={data?.serverId || undefined}
	appName={data?.appName || ""}
	appType={data?.composeType || "docker-compose"}
	/>

[greptile-apps]

Destructive mutations gated by docker.read permission

startContainer, stopContainer, and killContainer all use withPermission("docker", "read"), the same level used for read-only queries like getContainers. A user with only read access to docker can start, stop, or kill any container by calling the API directly, bypassing the intent of a read-only role. Consider requiring a write/update permission for these state-changing operations. (Note: the pre-existing restartContainer and removeContainer procedures share this pattern.)