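---
# DeerFlow — Docker-out-of-Docker (DooD) overlay (OPT-IN, NOT loaded by default)
#
# Mounts the host Docker socket into the gateway container so that
# AioSandboxProvider running in pure-Docker mode — config.yaml:
#   sandbox.use: deerflow.community.aio_sandbox:AioSandboxProvider
# with NO provisioner_url — can start per-thread sandbox containers via the
# host Docker daemon.
#
# SECURITY: the host Docker socket grants the gateway container
# root-equivalent control of the host. Only load this overlay when you have
# explicitly chosen aio (DooD) sandbox mode and accept that trade-off. The
# default LocalSandboxProvider and the provisioner/Kubernetes mode do NOT need
# it and never load this file. See SECURITY.md for the full threat model.
#
# scripts/deploy.sh and scripts/docker.sh append this overlay automatically
# only when detect_sandbox_mode() returns "aio". Manual use:
#   docker compose -f docker-compose.yaml -f docker-compose.dood.yaml up -d
#
# Compatible with both docker-compose.yaml (prod) and docker-compose-dev.yaml
# (dev): both define a `gateway` service, and Compose merges this volume entry
# onto it. DEER_FLOW_DOCKER_SOCKET defaults to /var/run/docker.sock.

services:
  gateway:
    volumes:
      # Host side: DEER_FLOW_DOCKER_SOCKET via Compose interpolation, falling
      # back to /var/run/docker.sock. Container side: the default Docker
      # socket location. The entry is quoted so the YAML parser never
      # reinterprets the colons or the ${...} expansion before Compose sees it.
      # A ":ro" suffix would NOT reduce the exposure described above: a
      # read-only bind mount does not stop connect() on a Unix socket, and the
      # control comes from the daemon API, not from writing the socket file.
      - "${DEER_FLOW_DOCKER_SOCKET:-/var/run/docker.sock}:/var/run/docker.sock"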