EstebanForge
diff --git a/‎CHANGELOG.md‎
Lines changed: 26 additions & 0 deletions b/‎CHANGELOG.md‎
Lines changed: 26 additions & 0 deletions
diff --git a/‎internal/bridge/config.go‎
Lines changed: 95 additions & 0 deletions b/‎internal/bridge/config.go‎
Lines changed: 95 additions & 0 deletions
diff --git a/‎internal/bridge/detector.go‎
Lines changed: 268 additions & 0 deletions b/‎internal/bridge/detector.go‎
Lines changed: 268 additions & 0 deletions
@@ -2,6 +2,32 @@
 
 All notable changes to Construct CLI will be documented in this file.
 
+<!-- RELEASE:START 1.7.0 -->
+## [1.7.0] - 2026-04-16
+
+### Added
+- **Host Service Bridge**: New `[bridge]` configuration section that allows sandboxed containers to access services running on the host machine. This enables AI agents to connect to local databases, APIs, and development servers without leaving the isolated environment.
+- **Cross-Platform Gateway Detection**: Automatic host gateway IP detection supporting Docker (host-gateway, host.docker.internal), Podman (host.containers.internal), and network interface inspection across macOS, Linux, and WSL.
+- **Service Environment Variables**: For each configured host service, automatically injects `CONSTRUCT_<SERVICE>_HOST`, `CONSTRUCT_<SERVICE>_PORT`, and `CONSTRUCT_<SERVICE>_URL` environment variables, plus `CONSTRUCT_HOST_IP` for the detected gateway.
+- **Configurable Failure Behavior**: `on_failure` option in `[bridge]` section allows users to choose behavior when gateway detection fails: `"warn"` (default, continue with warning), `"fail"` (stop container startup), or `"silent"` (continue silently).
+- **Manual Host IP Override**: Advanced `manual_host_ip` option for users who need to specify a custom host IP when automatic detection fails or for non-standard network setups.
+- **AgentMemory Integration**: Out-of-the-box support for AgentMemory persistent memory server. Configure `services = ["agentmemory:3111"]` to enable AI agents to remember context across sessions while running in complete isolation.
+
+### Changed
+- **Docker Compose Override**: Enhanced `docker-compose.override.yml` generation to dynamically inject `extra_hosts` configuration based on `[bridge]` settings and detected host gateway.
+- **Container Environment Injection**: Extended environment variable assembly to include host service connection details when bridge is enabled.
+
+### Security
+- **Opt-In Security Model**: Host service bridge is disabled by default (`enabled = false`) and must be explicitly enabled by users. This maintains construct-cli's security-first approach while providing flexibility for development workflows.
+- **Gateway Validation**: Host gateway detection includes multiple validation methods and fallback mechanisms to ensure reliability while preventing accidental host exposure.
+
+### Documentation
+- **Configuration Reference**: Added comprehensive `[bridge]` section documentation in default `config.toml` template with usage examples and security considerations.
+- **Cross-Platform Support**: Documented platform-specific detection methods and troubleshooting steps for each container runtime.
+
+<!-- RELEASE:END 1.7.0 -->
+---
+
 <!-- RELEASE:START 1.6.3 -->
 ## [1.6.4] - 2026-04-11
 
 
@@ -0,0 +1,95 @@
+// Package bridge provides host service bridging for construct-cli sandboxes.
+// It allows containers to access services running on the host machine.
+package bridge
+
+import (
+	"fmt"
+	"strings"
+)
+
+// HostServiceConfig represents configuration for host service bridging.
+type HostServiceConfig struct {
+	Enabled      bool     `toml:"enabled"`        // Enable host service bridge
+	AutoDetect   bool     `toml:"auto_detect"`    // Automatically detect host gateway
+	OnFailure    string   `toml:"on_failure"`     // Behavior on detection failure: "warn", "fail", "silent"
+	ManualHostIP string   `toml:"manual_host_ip"` // Manual override for host IP
+	Services     []string `toml:"services"`       // Services to bridge: ["name:port"]
+}
+
+// DefaultHostServiceConfig returns default host service configuration.
+func DefaultHostServiceConfig() HostServiceConfig {
+	return HostServiceConfig{
+		Enabled:    false,
+		AutoDetect: true,
+		OnFailure:  "warn",
+		Services:   []string{},
+	}
+}
+
+// Validate validates the host service configuration.
+func (c *HostServiceConfig) Validate() error {
+	if !c.Enabled {
+		return nil
+	}
+
+	// Validate on_failure value
+	switch c.OnFailure {
+	case "warn", "fail", "silent":
+		// Valid values
+	default:
+		return fmt.Errorf("invalid on_failure value: %s (must be 'warn', 'fail', or 'silent')", c.OnFailure)
+	}
+
+	// Validate services format
+	for _, service := range c.Services {
+		if !strings.Contains(service, ":") {
+			return fmt.Errorf("invalid service format: %s (must be 'name:port')", service)
+		}
+		parts := strings.SplitN(service, ":", 2)
+		if parts[0] == "" {
+			return fmt.Errorf("service name cannot be empty in: %s", service)
+		}
+		if parts[1] == "" {
+			return fmt.Errorf("service port cannot be empty in: %s", service)
+		}
+	}
+
+	return nil
+}
+
+// GetServiceEnv generates environment variables for configured services.
+func (c *HostServiceConfig) GetServiceEnv(hostIP string) map[string]string {
+	if !c.Enabled || hostIP == "" {
+		return nil
+	}
+
+	env := make(map[string]string)
+	env["CONSTRUCT_HOST_IP"] = hostIP
+
+	for _, service := range c.Services {
+		parts := strings.SplitN(service, ":", 2)
+		name := strings.ToUpper(parts[0])
+		port := parts[1]
+
+		// Generate service-specific URLs
+		env[fmt.Sprintf("CONSTRUCT_%s_HOST", name)] = hostIP
+		env[fmt.Sprintf("CONSTRUCT_%s_PORT", name)] = port
+		env[fmt.Sprintf("CONSTRUCT_%s_URL", name)] = fmt.Sprintf("http://%s:%s", hostIP, port)
+	}
+
+	return env
+}
+
+// GetServiceNames returns a list of configured service names.
+func (c *HostServiceConfig) GetServiceNames() []string {
+	if !c.Enabled {
+		return nil
+	}
+
+	names := make([]string, 0, len(c.Services))
+	for _, service := range c.Services {
+		parts := strings.SplitN(service, ":", 2)
+		names = append(names, parts[0])
+	}
+	return names
+}
@@ -0,0 +1,268 @@
+package bridge
+
+import (
+	"fmt"
+	"os"
+	"os/exec"
+	"runtime"
+	"strings"
+
+	"github.com/EstebanForge/construct-cli/internal/ui"
+)
+
+// DetectionMethod represents a host gateway detection method.
+type DetectionMethod struct {
+	Name     string
+	Detect   func() (string, error)
+	Priority int // Lower = higher priority
+}
+
+// DetectionResult represents the result of gateway detection.
+type DetectionResult struct {
+	Success   bool
+	HostIP    string
+	Method    string
+	AllErrors []string
+}
+
+// DetectHostGateway detects the host gateway IP using multiple methods.
+func DetectHostGateway(containerRuntime string, onFailure string) *DetectionResult {
+	result := &DetectionResult{
+		AllErrors: []string{},
+	}
+
+	// Build detection methods based on platform and runtime
+	methods := getDetectionMethods(runtime.GOOS, containerRuntime)
+
+	// Try each method in priority order
+	for _, method := range methods {
+		ui.LogDebug("Trying host gateway detection method: %s", method.Name)
+
+		hostIP, err := method.Detect()
+		if err != nil {
+			result.AllErrors = append(result.AllErrors,
+				fmt.Sprintf("%s: %v", method.Name, err))
+			ui.LogDebug("Method %s failed: %v", method.Name, err)
+			continue
+		}
+
+		if hostIP != "" && isValidIP(hostIP) {
+			result.Success = true
+			result.HostIP = hostIP
+			result.Method = method.Name
+			ui.LogDebug("Host gateway detected via %s: %s", method.Name, hostIP)
+			return result
+		}
+	}
+
+	// All methods failed
+	handleDetectionFailure(result, onFailure)
+	return result
+}
+
+// getDetectionMethods returns platform and runtime specific detection methods.
+func getDetectionMethods(_, containerRuntime string) []DetectionMethod {
+	methods := []DetectionMethod{}
+
+	// Method 1: Docker host-gateway (Docker 20.10+)
+	if containerRuntime == "docker" || containerRuntime == "container" {
+		methods = append(methods, DetectionMethod{
+			Name:     "docker-host-gateway",
+			Detect:   detectDockerHostGateway,
+			Priority: 1,
+		})
+	}
+
+	// Method 2: Docker host.docker.internal (macOS, Windows)
+	if containerRuntime == "docker" || containerRuntime == "container" {
+		methods = append(methods, DetectionMethod{
+			Name:     "docker-internal",
+			Detect:   detectDockerInternal,
+			Priority: 2,
+		})
+	}
+
+	// Method 3: Podman host.containers.internal
+	if containerRuntime == "podman" {
+		methods = append(methods, DetectionMethod{
+			Name:     "podman-internal",
+			Detect:   detectPodmanInternal,
+			Priority: 2,
+		})
+	}
+
+	// Method 4: Network interface inspection
+	methods = append(methods, DetectionMethod{
+		Name:     "network-inspection",
+		Detect:   detectNetworkInterface,
+		Priority: 3,
+	})
+
+	// Method 5: Docker bridge network inspection
+	if containerRuntime == "docker" || containerRuntime == "container" {
+		methods = append(methods, DetectionMethod{
+			Name:     "docker-bridge-inspection",
+			Detect:   detectDockerBridge,
+			Priority: 4,
+		})
+	}
+
+	return methods
+}
+
+// detectDockerHostGateway detects using Docker's host-gateway (Docker 20.10+)
+func detectDockerHostGateway() (string, error) {
+	// Check if docker supports host-gateway
+	cmd := exec.Command("docker", "run", "--rm", "alpine",
+		"sh", "-c", "getent hosts host.gateway | awk '{print $1}'")
+
+	output, err := cmd.Output()
+	if err != nil {
+		return "", fmt.Errorf("docker host-gateway not available: %w", err)
+	}
+
+	hostIP := strings.TrimSpace(string(output))
+	if hostIP == "" {
+		return "", fmt.Errorf("no IP returned from host.gateway")
+	}
+
+	return hostIP, nil
+}
+
+// detectDockerInternal detects using host.docker.internal
+func detectDockerInternal() (string, error) {
+	cmd := exec.Command("docker", "run", "--rm", "alpine",
+		"sh", "-c", "getent hosts host.docker.internal | awk '{print $1}'")
+
+	output, err := cmd.Output()
+	if err != nil {
+		return "", fmt.Errorf("host.docker.internal not available: %w", err)
+	}
+
+	hostIP := strings.TrimSpace(string(output))
+	if hostIP == "" {
+		return "", fmt.Errorf("no IP returned from host.docker.internal")
+	}
+
+	return hostIP, nil
+}
+
+// detectPodmanInternal detects using host.containers.internal
+func detectPodmanInternal() (string, error) {
+	cmd := exec.Command("podman", "run", "--rm", "alpine",
+		"sh", "-c", "getent hosts host.containers.internal | awk '{print $1}'")
+
+	output, err := cmd.Output()
+	if err != nil {
+		return "", fmt.Errorf("host.containers.internal not available: %w", err)
+	}
+
+	hostIP := strings.TrimSpace(string(output))
+	if hostIP == "" {
+		return "", fmt.Errorf("no IP returned from host.containers.internal")
+	}
+
+	return hostIP, nil
+}
+
+// detectNetworkInterface detects host IP by inspecting network interfaces
+func detectNetworkInterface() (string, error) {
+	// Try common gateway IPs
+	gatewayIPs := []string{
+		"192.168.65.1", // Docker Desktop macOS
+		"192.168.1.1",  // Common router
+		"10.0.2.2",     // QEMU/kvm
+		"172.17.0.1",   // Docker bridge default
+	}
+
+	for _, ip := range gatewayIPs {
+		if isValidIP(ip) {
+			// Try to ping or connect to verify
+			if isReachable(ip) {
+				return ip, nil
+			}
+		}
+	}
+
+	return "", fmt.Errorf("no reachable gateway IP found")
+}
+
+// detectDockerBridge detects by inspecting Docker bridge network
+func detectDockerBridge() (string, error) {
+	cmd := exec.Command("docker", "network", "inspect", "bridge",
+		"--format", "{{range .IPAM.Config}}{{.Gateway}}{{end}}")
+
+	output, err := cmd.Output()
+	if err != nil {
+		return "", fmt.Errorf("failed to inspect docker bridge: %w", err)
+	}
+
+	hostIP := strings.TrimSpace(string(output))
+	if hostIP == "" {
+		return "", fmt.Errorf("no gateway IP in docker bridge network")
+	}
+
+	return hostIP, nil
+}
+
+// handleDetectionFailure handles detection failure based on on_failure setting.
+func handleDetectionFailure(result *DetectionResult, onFailure string) {
+	switch onFailure {
+	case "silent":
+		// Do nothing
+		return
+
+	case "fail":
+		ui.GumError("Host gateway detection failed")
+		fmt.Println("\nAll detection methods failed:")
+		for _, err := range result.AllErrors {
+			fmt.Printf("  • %s\n", err)
+		}
+		fmt.Println("\nTroubleshooting:")
+		fmt.Println("  1. Update Docker/Podman to latest version")
+		fmt.Println("  2. Set manual_host_ip in config.toml")
+		fmt.Println("  3. Run: construct sys doctor --host-bridge")
+		os.Exit(1)
+
+	case "warn":
+		ui.GumWarning("Host gateway detection failed")
+		fmt.Println("\nAll detection methods failed:")
+		for _, err := range result.AllErrors {
+			fmt.Printf("  • %s\n", err)
+		}
+		fmt.Println("\n⚠️  Container will start without host service access")
+		fmt.Println("   AgentMemory plugin hooks will fail silently")
+		fmt.Println("\nFix options:")
+		fmt.Println("  1. Set manual_host_ip in [sandbox.host_services]")
+		fmt.Println("  2. Update container runtime (Docker 20.10+ or Podman 3.0+)")
+		fmt.Println("  3. Run: construct sys doctor --host-bridge")
+	}
+}
+
+// isValidIP checks if a string is a valid IP address
+func isValidIP(ip string) bool {
+	parts := strings.Split(ip, ".")
+	if len(parts) != 4 {
+		return false
+	}
+
+	for _, part := range parts {
+		if len(part) == 0 || len(part) > 3 {
+			return false
+		}
+		for _, char := range part {
+			if char < '0' || char > '9' {
+				return false
+			}
+		}
+	}
+
+	return true
+}
+
+// isReachable checks if an IP is reachable (basic ping/connect test)
+func isReachable(ip string) bool {
+	// For now, just validate the IP format
+	// In production, you might want to actually try connecting
+	return isValidIP(ip)
+}