# Phase 3: Docker Client

**Status:** ⬜ Not Started
**Parent plan:** [PLAN.md](./PLAN.md)
**Domain:** backend

## Objective
Implement the Docker Engine API wrapper for container lifecycle management — pull images, inspect, create/start/stop/remove containers, and manage networks.

## Tasks

- [ ] Task 1: Create Docker client wrapper with socket connection (`/var/run/docker.sock`)
- [ ] Task 2: Implement `PullImage(ctx, image, tag, authConfig)` — pull with optional registry auth
- [ ] Task 3: Implement `InspectImage(ctx, image)` — extract EXPOSE ports, HEALTHCHECK, labels
- [ ] Task 4: Implement `CreateContainer(ctx, config)` — create with name, image, env, ports, network, labels
- [ ] Task 5: Implement `StartContainer(ctx, containerID)`, `StopContainer(ctx, containerID, timeout)`, `RemoveContainer(ctx, containerID, force)`
- [ ] Task 6: Implement `RestartContainer(ctx, containerID, timeout)`
- [ ] Task 7: Implement `ListContainers(ctx, filters)` — filter by labels to find managed containers
- [ ] Task 8: Implement `EnsureNetwork(ctx, networkName)` — create network if not exists
- [ ] Task 9: Implement `ConnectNetwork(ctx, networkID, containerID)` — attach container to network
- [ ] Task 10: Add docker-watcher labels to all managed containers (`docker-watcher.project`, `docker-watcher.stage`, `docker-watcher.instance-id`)

## Files to Modify/Create
- `internal/docker/client.go` — Docker client wrapper, connection setup
- `internal/docker/container.go` — container lifecycle operations
- `internal/docker/image.go` — pull and inspect operations
- `internal/docker/network.go` — network management

## Acceptance Criteria
- Client connects to Docker socket
- Pull handles both public and authenticated registries
- Image inspection extracts port, healthcheck, and label metadata
- Container creation applies all config (env, ports, network, labels)
- All operations return meaningful errors
- Managed containers are identifiable via labels

## Notes
- Use `github.com/docker/docker/client` SDK
- Container names should be deterministic: `dw-{project}-{stage}-{tag-sanitized}`
- All containers should be on the shared network (e.g., `staging-net`)
- Port mapping: container's EXPOSE port → random host port (Docker auto-assigns)
- Auth config for private registries will come from the store (encrypted tokens)

## Review Checklist
- [ ] All tasks completed
- [ ] Proper context propagation for cancellation
- [ ] Resource cleanup (close client, remove failed containers)
- [ ] No hardcoded values
- [ ] Error messages include container/image identifiers

## Handoff to Next Phase
<!-- Filled in by the implementation agent after completing this phase. -->