feat(satellite): Implement runtime state management for MCP server processes

Author: Lasim

services/satellite/Dockerfile

@@ -1,12 +1,21 @@
-# Production image
-FROM node:24-alpine
+# Production image - Debian base required for nsjail
+FROM node:24-bookworm-slim
+
+# Install nsjail for stdio MCP server process isolation
+RUN apt-get update && \
+    apt-get install -y --no-install-recommends \
+    nsjail \
+    && rm -rf /var/lib/apt/lists/*
+
+# Enable unprivileged user namespaces (required for nsjail)
+RUN echo "kernel.unprivileged_userns_clone=1" > /etc/sysctl.d/00-local-userns.conf
 
 WORKDIR /app
 
 # Copy package files
 COPY services/satellite/package.json ./
 
-# Install ONLY production dependencies (much faster than a full install)
+# Install ONLY production dependencies
 RUN npm install --omit=dev --no-package-lock
 
 # Copy pre-built files
@@ -18,4 +27,8 @@ RUN echo "NODE_ENV=production" > .env && \
     echo "LOG_LEVEL=info" >> .env
 
 EXPOSE 3001
+
+# Run as non-root user for security
+USER node
+
 CMD ["node", "--env-file=.env", "dist/index.js"]

services/satellite/README.md

@@ -138,6 +138,17 @@ The satellite will **fail to start** with clear error messages if required varia
 - `npm run lint` - Run ESLint with auto-fix
 - `npm start` - Start production server
 
+### System Prerequisites
+
+**Local Development:**
+- No special requirements - stdio MCP server process management works without isolation
+- Plain Node.js spawn() used for easy debugging
+- Works on macOS, Windows, and Linux
+
+**Production (Docker):**
+- nsjail automatically installed in Docker image for secure process isolation
+- See Dockerfile for configuration details
+
 ### Initial Setup Requirements
 
 1. **Backend Running**: Ensure DeployStack Backend is running at `DEPLOYSTACK_BACKEND_URL`