Add complete Docker setup and comprehensive documentation

[imonroe]

Summary

This PR adds the complete Docker-based development environment implementation for anydev, including the Dockerfile, docker-compose configuration, entrypoint script, and comprehensive setup documentation.

Key Changes

• Dockerfile: Multi-layer image based on codercom/code-server with PHP 8.3, Node.js 22 LTS, Python 3, Composer, Drush Launcher, and declarative VS Code extension management
• docker-compose.yml: Service configuration with volume mounts for code, extensions, settings, and SSH agent socket forwarding
• docker-compose.override.yml.example: Optional template for Docker socket access (for Lando/Docker commands from container)
• entrypoint.sh: Container startup script that configures git identity and validates SSH agent socket availability
• .env.example: Environment variable template for Code Server port, password, host paths, user identity, git config, and SSH socket
• config/settings.json: Default VS Code settings (bind-mounted for persistence)
• extensions.txt: Declarative list of pre-installed VS Code extensions (PHP IntelliSense, Xdebug, Prettier, ESLint, Python, YAML, GitLens, EditorConfig, spell-checker)
• .dockerignore: Build context filtering to exclude secrets, git history, and documentation
• README.md: Expanded with detailed setup instructions, prerequisites, daily usage, Lando workflow, troubleshooting, and project structure
• CLAUDE.md: New project guide documenting architecture decisions, gotchas, and development conventions
• .gitignore: Updated to exclude .env, docker-compose.override.yml, and OS-specific files

Notable Implementation Details

• UID/GID matching: Dockerfile adjusts the coder user to match host UID/GID via build args, preventing file permission issues
• SSH agent forwarding: Socket mounted directly (no private key exposure); validation in entrypoint warns if socket is unavailable
• Extension persistence: Build-time installation from extensions.txt + named volume for session-persistent additions
• Settings sync: config/settings.json bind-mounted so VS Code changes persist to the repository
• Non-root user: All operations run as coder user except system package installation
• Lando interop: Documented as separate workflow; optional Docker socket access via override file
• Build flexibility: PHP and Node versions configurable via build args

https://claude.ai/code/session_01RKiQewfP7TdA9SFkuwEVMY

[Copilot]

Pull request overview

Adds a Docker-based dev environment for anydev centered on code-server, including container build/run configuration plus onboarding and workflow documentation.

Changes:

• Introduces a codercom/code-server-based Docker image with PHP/Node/Python tooling, Drush, and build-time VS Code extension installation.
• Adds Compose configuration, environment templates, and an entrypoint that configures git identity and checks SSH agent forwarding.
• Expands project documentation (setup, daily usage, troubleshooting) and adds a project guide.

Reviewed changes

Copilot reviewed 10 out of 11 changed files in this pull request and generated 10 comments.

Show a summary per file

File	Description
Dockerfile	Builds the dev image (PHP/Node/Python/Composer/Drush) and installs extensions; sets entrypoint
docker-compose.yml	Defines the code-server service (build args, ports, env vars, volumes)
docker-compose.override.yml.example	Optional override template for mounting Docker socket (with warnings)
entrypoint.sh	Configures git identity from env and validates SSH agent socket, then execs CMD
.env.example	Template for required env vars (port/password/paths/UID/GID/git/SSH)
extensions.txt	Declarative list of VS Code extensions to preinstall in the image
config/settings.json	Default VS Code settings bind-mounted into the container
.dockerignore	Excludes secrets and non-build artifacts from Docker build context
README.md	Adds detailed prerequisites, setup, workflows, rebuild steps, and troubleshooting
CLAUDE.md	New project guide (architecture decisions, gotchas, conventions)
.gitignore	Ignores .env, local override compose file, and OS-specific files

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

You can also share your feedback on Copilot code review. Take the survey.

[Copilot]

Fetching and executing the NodeSource setup script via curl ... | bash - increases supply-chain risk. Prefer adding the repository via signed APT keyring + sources.list entry (similar to the Sury PHP repo) so the install path is auditable and avoids piping remote scripts into a shell.

Suggested change

	RUN curl -fsSL https://deb.nodesource.com/setup_${NODE_MAJOR}.x | bash -
	RUN curl -fsSL https://deb.nodesource.com/gpgkey/nodesource-repo.gpg.key | gpg --dearmor -o /usr/share/keyrings/nodesource.gpg \
	&& echo "deb [signed-by=/usr/share/keyrings/nodesource.gpg] https://deb.nodesource.com/node_${NODE_MAJOR}.x nodistro main" \
	> /etc/apt/sources.list.d/nodesource.list

[Copilot]

The SSH agent socket bind mount will make docker compose up fail if SSH_AUTH_SOCK is empty (the default in .env.example) because the resulting volume spec becomes :/. Consider moving this mount to an optional override/profile (similar to the Docker socket override) or otherwise making the socket mount conditional so the base setup works without SSH forwarding.

Suggested change

	- SSH_AUTH_SOCK=${SSH_AUTH_SOCK}
	volumes:
	- ${HOST_CODE_DIR}:/home/coder/code
	- code-server-extensions:/home/coder/.local/share/code-server/extensions
	- ./config/settings.json:/home/coder/.local/share/code-server/User/settings.json
	- ${SSH_AUTH_SOCK}:${SSH_AUTH_SOCK}
	- SSH_AUTH_SOCK=${SSH_AUTH_SOCK:-/tmp/ssh_auth_sock}
	volumes:
	- ${HOST_CODE_DIR}:/home/coder/code
	- code-server-extensions:/home/coder/.local/share/code-server/extensions
	- ./config/settings.json:/home/coder/.local/share/code-server/User/settings.json
	- ${SSH_AUTH_SOCK:-/dev/null}:/tmp/ssh_auth_sock

[Copilot]

Using codercom/code-server:latest makes builds non-reproducible and can introduce breaking changes unexpectedly. Pin the base image to a specific version/tag (or digest) and update intentionally.

Suggested change

	FROM codercom/code-server:latest
	FROM codercom/code-server:4.91.1

[Copilot]

This Dockerfile sets a new ENTRYPOINT but does not set an explicit CMD, so runtime behavior depends entirely on whatever CMD the upstream codercom/code-server image happens to define. To make the image self-contained (and resilient to upstream changes), set an explicit CMD for starting code-server (or have the entrypoint invoke code-server directly and treat inherited CMD as args).

Suggested change

	ENTRYPOINT ["/usr/local/bin/entrypoint.sh"]
	ENTRYPOINT ["/usr/local/bin/entrypoint.sh"]
	CMD ["code-server"]

[Copilot]

This RUN command downloads and executes the Composer installer directly from https://getcomposer.org/installer without any checksum or signature verification, which means a compromise of the Composer download endpoint or a TLS MITM could execute arbitrary code as root during image build. An attacker controlling this script can modify your image, inject backdoors, or exfiltrate secrets available in the build environment. To mitigate, pin a specific installer version and verify its published checksum or signature before execution, or install Composer from a distribution package manager that provides integrity verification.

[Copilot]

This RUN step downloads drush.phar from https://github.com/drush-ops/drush-launcher/releases/latest/download/drush.phar and makes it executable without pinning a specific release or verifying its integrity, so a compromised GitHub account, release artifact, or TLS MITM could replace it with arbitrary code. Because drush runs inside the container with your user privileges (and access to your code and forwarded SSH agent), a malicious binary here would enable full compromise of the development environment. To reduce this risk, pin to a specific release URL and verify a known checksum or signature before installing the PHAR, or use a package source that provides built-in integrity verification.