dockerize

demo/README.md

@@ -11,12 +11,37 @@ This demo shows how SecureClaw protects against prompt injection attacks that at
 
 ---
 
-## Demo Option 1: Simulation Script (No Sidecar Required)
+## Quick Start with Docker
 
-The quickest way to see the demo - runs a simulated walkthrough with no dependencies.
+The easiest way to run the demo - no local setup required.
+
+### Option A: Simulation Script (Fastest)
+
+```bash
+# Run the interactive simulation
+docker-compose -f docker-compose.demo.yml run demo-script
+```
+
+This walks through the attack scenario with colored output - no API keys or sidecar needed.
+
+### Option B: Live Demo with Sidecar
+
+```bash
+# Terminal 1: Start the sidecar (builds from source, may take a few minutes first time)
+docker-compose -f docker-compose.demo.yml up sidecar
+
+# Terminal 2: Run SecureClaw locally against the Docker sidecar
+cd /path/to/openclaw
+PREDICATE_SIDECAR_URL=http://localhost:8787 SECURECLAW_VERBOSE=true pnpm openclaw
+```
+
+---
+
+## Demo Option 1: Simulation Script (No Dependencies)
+
+The quickest way to see the demo - runs a simulated walkthrough.
 
 ```bash
-cd /Users/guoliangwang/Downloads/openclaw
 ./demo/hack-vs-fix.sh
 ```
 
@@ -31,31 +56,31 @@ This script:
 
 ---
 
-## Demo Option 2: Live Demo with Sidecar
+## Demo Option 2: Live Demo with Local Sidecar
 
 For a real end-to-end demo with the actual rust-predicate-authorityd sidecar.
 
 ### Prerequisites
 
 1. Build the rust-predicate-authorityd sidecar:
    ```bash
-   cd /Users/guoliangwang/Code/Sentience/rust-predicate-authorityd
+   cd /path/to/rust-predicate-authorityd
    cargo build --release
    ```
 
 2. Install SecureClaw dependencies:
    ```bash
-   cd /Users/guoliangwang/Downloads/openclaw
+   cd /path/to/openclaw
    pnpm install
    ```
 
 ### Running the Live Demo
 
 **Terminal 1 - Start the Sidecar:**
 ```bash
-cd /Users/guoliangwang/Code/Sentience/rust-predicate-authorityd
+cd /path/to/rust-predicate-authorityd
 cargo run --release -- \
-  --policy /Users/guoliangwang/Downloads/openclaw/policies/default.json \
+  --policy /path/to/openclaw/policies/default.json \
   --port 8787
 ```
 
@@ -67,7 +92,7 @@ You should see:
 
 **Terminal 2 - Run SecureClaw:**
 ```bash
-cd /Users/guoliangwang/Downloads/openclaw
+cd /path/to/openclaw
 SECURECLAW_VERBOSE=true pnpm openclaw
 ```
 
@@ -84,13 +109,11 @@ SECURECLAW_VERBOSE=true pnpm openclaw
 
 ---
 
-## Demo Option 3: Live Demo WITHOUT Sidecar (Fail-Open Mode)
+## Demo Option 3: Test Fail-Open vs Fail-Closed
 
-To test SecureClaw behavior when the sidecar is unavailable:
+Test SecureClaw behavior when the sidecar is unavailable:
 
 ```bash
-cd /Users/guoliangwang/Downloads/openclaw
-
 # Fail-open mode (allows actions when sidecar is down)
 SECURECLAW_FAIL_OPEN=true SECURECLAW_VERBOSE=true pnpm openclaw
 
@@ -111,6 +134,26 @@ In **fail-open mode**, actions will be allowed with a warning:
 
 ---
 
+## Docker Files
+
+| File | Description |
+|------|-------------|
+| `docker-compose.demo.yml` | Demo orchestration |
+| `docker/sidecar.Dockerfile` | Builds rust-predicate-authorityd from source |
+| `docker/secureclaw.Dockerfile` | Builds SecureClaw image |
+
+### Building Images Manually
+
+```bash
+# Build sidecar image
+docker build -f docker/sidecar.Dockerfile -t predicate-authorityd:demo ./docker
+
+# Build SecureClaw image
+docker build -f docker/secureclaw.Dockerfile -t secureclaw:demo .
+```
+
+---
+
 ## Key Files
 
 | File | Description |
@@ -123,7 +166,7 @@ In **fail-open mode**, actions will be allowed with a warning:
 
 ---
 
-## How It Works
+## Architecture
 
 ```
 ┌─────────────────┐     ┌──────────────────┐     ┌─────────────────────────┐

docker-compose.demo.yml

@@ -0,0 +1,63 @@
+# SecureClaw Demo Docker Compose
+#
+# This sets up the complete SecureClaw demo environment:
+# - rust-predicate-authorityd sidecar (policy engine)
+# - SecureClaw (OpenClaw with security plugin)
+#
+# Quick Start:
+#   # Run the simulation demo (no API keys needed)
+#   docker-compose -f docker-compose.demo.yml run demo-script
+#
+#   # Run full demo with sidecar
+#   docker-compose -f docker-compose.demo.yml up sidecar
+#   # Then in another terminal, run SecureClaw locally
+
+version: '3.8'
+
+services:
+  # ============================================================================
+  # Predicate Authority Sidecar
+  # Handles policy evaluation for all authorization requests
+  # ============================================================================
+  sidecar:
+    build:
+      context: ./docker
+      dockerfile: sidecar.Dockerfile
+    image: predicate-authorityd:demo
+    container_name: secureclaw-sidecar
+    ports:
+      - "8787:8787"
+    volumes:
+      # Mount policies for hot-reload during development
+      - ./policies:/app/policies:ro
+    environment:
+      - RUST_LOG=info,predicate_authorityd=debug
+    healthcheck:
+      test: ["CMD", "curl", "-f", "http://localhost:8787/health"]
+      interval: 10s
+      timeout: 3s
+      retries: 3
+      start_period: 30s  # Rust build takes time on first run
+    restart: unless-stopped
+
+  # ============================================================================
+  # Demo Script Runner
+  # Runs the hack-vs-fix simulation - NO dependencies needed
+  # ============================================================================
+  demo-script:
+    image: bash:5
+    container_name: secureclaw-demo-script
+    volumes:
+      - ./demo:/demo:ro
+    working_dir: /demo
+    command: ["bash", "/demo/hack-vs-fix.sh"]
+    stdin_open: true
+    tty: true
+
+# ============================================================================
+# Networks
+# ============================================================================
+networks:
+  default:
+    name: secureclaw-demo
+    driver: bridge

docker/secureclaw.Dockerfile

@@ -0,0 +1,63 @@
+# Dockerfile for SecureClaw (OpenClaw with security plugin)
+# Based on Node.js with pnpm
+
+# ============================================================================
+# Stage 1: Build SecureClaw
+# ============================================================================
+FROM node:22-bookworm-slim AS builder
+
+WORKDIR /app
+
+# Install pnpm
+RUN corepack enable && corepack prepare pnpm@10.23.0 --activate
+
+# Copy package files
+COPY package.json pnpm-lock.yaml* ./
+
+# Install dependencies
+RUN pnpm install --frozen-lockfile || pnpm install
+
+# Copy source code
+COPY . .
+
+# Build
+RUN pnpm build || true
+
+# ============================================================================
+# Stage 2: Runtime image
+# ============================================================================
+FROM node:22-bookworm-slim
+
+WORKDIR /app
+
+# Install pnpm
+RUN corepack enable && corepack prepare pnpm@10.23.0 --activate
+
+# Install curl for healthcheck
+RUN apt-get update && apt-get install -y curl && rm -rf /var/lib/apt/lists/*
+
+# Copy built application
+COPY --from=builder /app/dist ./dist
+COPY --from=builder /app/node_modules ./node_modules
+COPY --from=builder /app/package.json ./
+COPY --from=builder /app/policies ./policies
+COPY --from=builder /app/demo ./demo
+
+# Environment variables for SecureClaw
+ENV SECURECLAW_PRINCIPAL=agent:secureclaw
+ENV SECURECLAW_POLICY=./policies/default.json
+ENV PREDICATE_SIDECAR_URL=http://sidecar:8787
+ENV SECURECLAW_FAIL_OPEN=false
+ENV SECURECLAW_VERBOSE=true
+ENV NODE_ENV=production
+
+# Create non-root user
+RUN useradd -m -s /bin/bash openclaw
+USER openclaw
+
+# Default port for OpenClaw gateway (if used)
+EXPOSE 18789
+
+# Default command - run the TUI
+ENTRYPOINT ["node", "dist/index.js"]
+CMD ["tui"]

docker/sidecar.Dockerfile

@@ -0,0 +1,63 @@
+# Dockerfile for rust-predicate-authorityd sidecar
+# Multi-stage build for smaller final image
+#
+# Build options:
+#   1. With local source: docker build --build-arg SIDECAR_SRC=../rust-predicate-authorityd
+#   2. From git: docker build (uses git clone)
+
+# ============================================================================
+# Stage 1: Build the Rust sidecar
+# ============================================================================
+FROM rust:1.75-slim-bookworm AS builder
+
+WORKDIR /build
+
+# Install build dependencies
+RUN apt-get update && apt-get install -y \
+    pkg-config \
+    libssl-dev \
+    git \
+    curl \
+    && rm -rf /var/lib/apt/lists/*
+
+# Clone the sidecar source from git
+# In production, pin to a specific tag/commit
+RUN git clone --depth 1 https://github.com/rcholic/rust-predicate-authorityd.git . || \
+    git clone --depth 1 https://github.com/predicatesystems/rust-predicate-authorityd.git .
+
+# Build release binary
+RUN cargo build --release
+
+# ============================================================================
+# Stage 2: Runtime image
+# ============================================================================
+FROM debian:bookworm-slim
+
+WORKDIR /app
+
+# Install runtime dependencies
+RUN apt-get update && apt-get install -y \
+    ca-certificates \
+    curl \
+    && rm -rf /var/lib/apt/lists/*
+
+# Copy the built binary
+COPY --from=builder /build/target/release/predicate-authorityd /usr/local/bin/
+
+# Create policies directory
+RUN mkdir -p /app/policies
+
+# Create non-root user
+RUN useradd -m -s /bin/bash predicate
+USER predicate
+
+# Default port
+EXPOSE 8787
+
+# Health check
+HEALTHCHECK --interval=10s --timeout=3s --start-period=5s --retries=3 \
+    CMD curl -f http://localhost:8787/health || exit 1
+
+# Default command - policy file should be mounted or provided
+ENTRYPOINT ["predicate-authorityd"]
+CMD ["--policy", "/app/policies/default.json", "--port", "8787", "--bind", "0.0.0.0"]