Enable FUSE in workerd's local-dev Docker container client

src/workerd/server/container-client.c++

@@ -1698,6 +1698,24 @@ kj::Promise<void> ContainerClient::createContainer(kj::StringPtr effectiveImage,
     }
   }
 
+  // Docker doesn't grant FUSE access by default — enable the minimum permissions for it.
+  {
+    auto capAdd = hostConfig.initCapAdd(1);
+    capAdd.set(0, "SYS_ADMIN");
+  }
+  {
+    auto devices = hostConfig.initDevices(1);
+    auto fuseDev = devices[0];
+    fuseDev.setPathOnHost("/dev/fuse");
+    fuseDev.setPathInContainer("/dev/fuse");
+    fuseDev.setCgroupPermissions("rwm");
+  }
+  {
+    // Linux-only: no-op on hosts without AppArmor (e.g. macOS).
+    auto securityOpt = hostConfig.initSecurityOpt(1);
+    securityOpt.set(0, "apparmor:unconfined");
+  }
+
   auto response = co_await dockerApiRequest(network, kj::str(dockerPath), kj::HttpMethod::POST,
       kj::str("/containers/create?name=", containerName), codec.encode(jsonRoot));
 

src/workerd/server/docker-api.capnp

@@ -32,9 +32,9 @@ struct Docker {
   }
 
   struct DeviceMapping {
-    pathOnHost @0 :Text;
-    pathInContainer @1 :Text;
-    cgroupPermissions @2 :Text;
+    pathOnHost @0 :Text $Json.name("PathOnHost");
+    pathInContainer @1 :Text $Json.name("PathInContainer");
+    cgroupPermissions @2 :Text $Json.name("CgroupPermissions");
   }
 
   struct DeviceRequest {