feat: add Docker Hub support and blog post

Test · Test · commit f5fc969f3ef5 · 2025-12-14T20:01:37.000-03:00
- Add Dockerfile for multi-platform CLI image
- Add .github/workflows/docker.yml for Docker Hub publish
- Add docs/DOCKER.md with CI/CD examples
- Add blog post: Why Your AI Agent Needs E2E Encryption
diff --git a/.github/workflows/docker.yml b/.github/workflows/docker.yml
@@ -0,0 +1,67 @@
+name: Docker Hub Publish
+
+on:
+  push:
+    tags:
+      - 'v*'
+  workflow_dispatch:
+    inputs:
+      tag:
+        description: 'Docker tag (e.g., latest, v1.0.0)'
+        required: true
+        default: 'latest'
+
+env:
+  REGISTRY: docker.io
+  IMAGE_NAME: gptcode/cli
+
+jobs:
+  build-and-push:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      packages: write
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Log in to Docker Hub
+        uses: docker/login-action@v3
+        with:
+          username: ${{ secrets.DOCKERHUB_USERNAME }}
+          password: ${{ secrets.DOCKERHUB_TOKEN }}
+
+      - name: Extract metadata
+        id: meta
+        uses: docker/metadata-action@v5
+        with:
+          images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
+          tags: |
+            type=semver,pattern={{version}}
+            type=semver,pattern={{major}}.{{minor}}
+            type=semver,pattern={{major}}
+            type=raw,value=latest,enable={{is_default_branch}}
+
+      - name: Build and push Docker image
+        uses: docker/build-push-action@v5
+        with:
+          context: .
+          push: true
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}
+          platforms: linux/amd64,linux/arm64
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
+
+      - name: Update Docker Hub description
+        uses: peter-evans/dockerhub-description@v3
+        with:
+          username: ${{ secrets.DOCKERHUB_USERNAME }}
+          password: ${{ secrets.DOCKERHUB_TOKEN }}
+          repository: ${{ env.IMAGE_NAME }}
+          short-description: "GPTCode CLI - AI Coding Assistant"
+          readme-filepath: ./docs/DOCKER.md
diff --git a/Dockerfile b/Dockerfile
@@ -0,0 +1,42 @@
+# GPTCode CLI Docker Image
+# Multi-stage build for minimal image size
+#
+# Usage:
+#   docker build -t gptcode/cli:latest .
+#   docker run -e GPTCODE_TOKEN=$TOKEN gptcode/cli:latest gptcode run --headless
+#
+
+# Stage 1: Build
+FROM golang:1.24-alpine AS builder
+
+RUN apk add --no-cache git ca-certificates
+
+WORKDIR /build
+
+# Copy go mod files first for cache
+COPY go.mod go.sum ./
+RUN go mod download
+
+# Copy source
+COPY . .
+
+# Build static binary
+RUN CGO_ENABLED=0 GOOS=linux GOARCH=amd64 go build -ldflags="-s -w" -o gptcode ./cmd/gptcode
+
+# Stage 2: Minimal runtime
+FROM alpine:3.19
+
+RUN apk add --no-cache ca-certificates tzdata git
+
+# Create non-root user
+RUN adduser -D -u 1000 gptcode
+USER gptcode
+
+WORKDIR /home/gptcode
+
+# Copy binary
+COPY --from=builder /build/gptcode /usr/local/bin/gptcode
+
+# Default command
+ENTRYPOINT ["gptcode"]
+CMD ["--help"]
diff --git a/docs/DOCKER.md b/docs/DOCKER.md
@@ -0,0 +1,101 @@
+# GPTCode CLI Docker Image
+
+Official Docker image for GPTCode CLI - your AI coding assistant.
+
+## Quick Start
+
+```bash
+# Pull the image
+docker pull gptcode/cli:latest
+
+# Run with your token
+docker run -e GPTCODE_TOKEN=$GPTCODE_TOKEN gptcode/cli:latest gptcode chat "explain Docker"
+```
+
+## Usage in CI/CD
+
+### GitHub Actions
+
+```yaml
+jobs:
+  ai-review:
+    runs-on: ubuntu-latest
+    container:
+      image: gptcode/cli:latest
+    steps:
+      - uses: actions/checkout@v4
+      
+      - name: AI Code Review
+        env:
+          GPTCODE_TOKEN: ${{ secrets.GPTCODE_TOKEN }}
+        run: gptcode review --ci
+```
+
+### GitLab CI
+
+```yaml
+code-review:
+  image: gptcode/cli:latest
+  script:
+    - gptcode review --ci
+  variables:
+    GPTCODE_TOKEN: $GPTCODE_TOKEN
+```
+
+### Jenkins Pipeline
+
+```groovy
+pipeline {
+    agent {
+        docker { image 'gptcode/cli:latest' }
+    }
+    environment {
+        GPTCODE_TOKEN = credentials('gptcode-token')
+    }
+    stages {
+        stage('AI Review') {
+            steps {
+                sh 'gptcode review --ci'
+            }
+        }
+    }
+}
+```
+
+## Environment Variables
+
+| Variable | Description | Required |
+|----------|-------------|----------|
+| `GPTCODE_TOKEN` | Authentication token from gptcode.app | Yes |
+| `GPTCODE_BACKEND` | LLM backend (openai, anthropic, etc.) | No |
+| `GPTCODE_MODEL` | Model to use | No |
+
+## Volume Mounts
+
+For persistent configuration:
+
+```bash
+docker run -v ~/.gptcode:/home/gptcode/.gptcode \
+           -v $(pwd):/workspace \
+           -w /workspace \
+           gptcode/cli:latest gptcode do "fix the tests"
+```
+
+## Available Tags
+
+- `latest` - Latest stable release
+- `v1.x.x` - Specific version
+- `main` - Latest from main branch (unstable)
+
+## Image Details
+
+- **Base**: Alpine Linux 3.19
+- **Size**: ~50MB
+- **Platforms**: linux/amd64, linux/arm64
+- **User**: Non-root (uid 1000)
+
+## Links
+
+- [GitHub Repository](https://github.com/gptcode-cloud/cli)
+- [Documentation](https://gptcode.app/docs)
+- [Get Your Token](https://gptcode.app/login)
diff --git a/docs/_posts/2025-12-14-why-your-ai-agent-needs-e2e-encryption.md b/docs/_posts/2025-12-14-why-your-ai-agent-needs-e2e-encryption.md
@@ -0,0 +1,135 @@
+---
+layout: post
+title: "Why Your AI Coding Agent Needs End-to-End Encryption"
+date: 2025-12-14
+author: GPTCode Team
+tags: [security, privacy, encryption, remote-access]
+---
+
+# Why Your AI Coding Agent Needs End-to-End Encryption 🔐
+
+You're working on a proprietary codebase. Maybe it's your startup's core product, your company's internal tools, or a client project under NDA. You want to use an AI coding assistant to help you work faster—but there's a catch.
+
+**Where is that context going?**
+
+## The Problem with Remote AI Dashboards
+
+Modern AI coding tools often include remote dashboards for:
+- Viewing sessions from your phone
+- Team collaboration and pair programming
+- Session history and analytics
+
+This is *incredibly useful*. But it also means your code, your prompts, and your AI's responses are passing through a server that you don't control.
+
+Most tools ask you to simply *trust* that:
+1. The server isn't logging your sessions
+2. No one at the company is viewing your code
+3. The infrastructure is secure against breaches
+
+But what if you didn't have to trust anyone?
+
+## Enter: End-to-End Encryption
+
+With GPTCode's new **Private Mode**, the server becomes a *blind relay*. Here's what that means:
+
+```
+┌─────────┐                ┌─────────┐                ┌─────────┐
+│   CLI   │◄──encrypted───►│  Live   │◄──encrypted───►│ Browser │
+│  Agent  │                │ Server  │                │   UI    │
+└─────────┘                └─────────┘                └─────────┘
+                                │
+                         Cannot decrypt!
+```
+
+### How It Works
+
+1. **Key Exchange**: When your CLI connects to the dashboard, it generates a unique key pair using **X25519** (the same algorithm used by Signal and WhatsApp).
+
+2. **Shared Secret**: Your browser also generates a key pair. The keys are exchanged through the server, but the server only sees *public keys*—it can never derive the shared secret.
+
+3. **Encrypted Payloads**: All session data—commands, outputs, AI responses—is encrypted with **ChaCha20-Poly1305** before leaving your machine. The server relays encrypted blobs it cannot read.
+
+4. **Zero Knowledge**: Even if the server is compromised, attackers get *nothing* of value—just encrypted gibberish.
+
+## What This Protects
+
+| Threat | Protected? |
+|--------|-----------|
+| Server logs your code | ✅ Encrypted |
+| Malicious insider at GPTCode | ✅ Can't read payloads |
+| Man-in-the-middle attack | ✅ Encryption + auth |
+| Server injects commands | ✅ Only your browser has the key |
+| Data breach on server | ✅ Only encrypted blobs stored |
+
+## The Trade-offs
+
+Let's be honest—E2E encryption isn't free:
+
+- **No server-side history**: We can't store your session transcripts for later (because we can't read them!)
+- **Per-session keys**: A new key pair for each session means no persistent encrypted storage
+- **Browser compatibility**: Requires modern browsers with Web Crypto support
+
+But for teams handling sensitive code, these trade-offs are worth it.
+
+## How to Enable Private Mode
+
+```bash
+# When connecting to Live Dashboard
+gptcode context live --private
+
+# Or in your config
+echo "live:
+  encryption: true" >> ~/.gptcode/config.yml
+```
+
+Once enabled, you'll see a 🔒 icon in your session, and the CLI will show:
+
+```
+✅ E2E encryption enabled
+   Agent fingerprint: A1B2C3D4E5F6G7H8
+   Browser fingerprint: Z9Y8X7W6V5U4T3S2
+```
+
+**Verify the fingerprints match** on first connection (Trust On First Use).
+
+## The Technical Stack
+
+For the curious, here's what we're using:
+
+| Component | Algorithm |
+|-----------|-----------|
+| Key Exchange | X25519 (ECDH) |
+| Symmetric Encryption | XChaCha20-Poly1305 |
+| Browser Fallback | libsodium.js |
+| Nonce Generation | Random 24 bytes |
+
+We chose these because:
+- **X25519**: Fast, secure, well-audited. Used by WireGuard, Signal, SSH.
+- **XChaCha20-Poly1305**: Extended nonce prevents birthday attacks. No IV reuse worries.
+- **libsodium**: When native Web Crypto isn't available, we fall back to the gold-standard crypto library.
+
+## Open Source Transparency
+
+Our encryption implementation is **fully open source**:
+
+- CLI: [`internal/crypto/e2e.go`](https://github.com/gptcode-cloud/cli)
+- Browser: [`priv/static/js/crypto.js`](https://github.com/gptcode-cloud/live)
+
+We encourage security audits and contributions. If you find a vulnerability, please [report it responsibly](mailto:security@gptcode.app).
+
+## The Bottom Line
+
+AI coding assistants are becoming essential tools. But convenience shouldn't come at the cost of security.
+
+With Private Mode, GPTCode proves you can have **both**:
+- Remote access from any device ✅
+- Team collaboration features ✅
+- **Zero-knowledge privacy** ✅
+
+Your code stays yours. Even we can't read it.
+
+---
+
+*Try Private Mode today: `gptcode context live --private`*
+
+*Questions? [Join our Discord](https://discord.gg/gptcode) or [open an issue](https://github.com/gptcode-cloud/cli/issues).*
