Container Runtime Contract
This document is the project source of truth for Docker image, Compose, and deploy runtime behavior.
Scope
- `whatsapp-adapter-waha`
- `whatsapp-adapter-api`
- `whatsapp-adapter-app`
- `whatsapp-adapter-docs`
Required Runtime Rules
- Every long-running service runs in Docker as a non-root numeric user.
- Default runtime user and group on `mathbox` are `1001:1001` unless a module env explicitly overrides them.
- Every module owns `data/`, `logs/`, `conf/`, and its compose file.
- `conf/` mounts stay read-only.
- Every service uses `restart: unless-stopped`.
- `whatsapp-adapter-api` and `whatsapp-adapter-app` expose `GET /healthz`.
- `whatsapp-adapter-waha` exposes the vendor `GET /ping` health endpoint.
- `whatsapp-adapter-docs` exposes `GET /healthz`.
- Cross-module calls use the shared Docker network `${PROJECT_INTERNAL_NETWORK}`.
Default Ports
- `whatsapp-adapter-api`: host `127.0.0.1:8100` -> container `5000`
- `whatsapp-adapter-app`: host `127.0.0.1:8101` -> container `5000`
- `whatsapp-adapter-waha`: host `127.0.0.1:8102` -> container `3000`
- `whatsapp-adapter-docs`: host `127.0.0.1:8103` -> container `8080`
Expected Mounts
- `whatsapp-adapter-waha`
  - `/app/data`
  - `/app/logs`
  - `/app/conf`
  - `/app/.sessions`
  - `/app/.media`
- `whatsapp-adapter-api`
  - `/app/data`
  - `/app/logs`
  - `/app/conf`
  - `/app/provider-sessions` read-only bind of `whatsapp-adapter-waha/sessions` for provider history supplement
- `whatsapp-adapter-app`
  - `/app/data`
  - `/app/logs`
  - `/app/conf`
- `whatsapp-adapter-docs`
  - `/app/data`
  - `/app/logs`
  - `/app/conf`
Environment Materialization
- SOPS-encrypted `secrets/local/<module>.env` is the source of truth for local runtime config.
- SOPS-encrypted `secrets/prod/<module>.env` is the source of truth for deploy runtime config.
- Local start materializes `<module>/.env.local` from `secrets/local/<module>.env`.
- Deploy materializes `<module>/.env.server` from `secrets/prod/<module>.env`.
- `./script/materialize-secret.sh` renders plaintext env files into the module runtime location.
Validation Checklist
- non-root runtime
- expected mounts
- expected env file exists
- log file under `/app/logs`
- health endpoint responds
- internal network exists before compose starts
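
The static items of this checklist (non-root numeric user, expected mounts, read-only `conf/`, restart policy, loopback-only published ports) can be checked before anything starts. The following is an added example, not part of the project's scripts. It assumes compose service names equal the module names and that its input is the JSON printed by `docker compose config --format json`; the sample document is constructed and trimmed to the fields the checks read.

```python
import json

# Container mount targets per service, from "Expected Mounts".
EXPECTED_MOUNTS = {
    "whatsapp-adapter-waha": {"/app/data", "/app/logs", "/app/conf", "/app/.sessions", "/app/.media"},
    "whatsapp-adapter-api": {"/app/data", "/app/logs", "/app/conf", "/app/provider-sessions"},
    "whatsapp-adapter-app": {"/app/data", "/app/logs", "/app/conf"},
    "whatsapp-adapter-docs": {"/app/data", "/app/logs", "/app/conf"},
}
READ_ONLY = {"/app/conf", "/app/provider-sessions"}  # mounts the contract marks read-only

# Constructed sample, not real project output: one compliant service, one that drifts.
SAMPLE = json.dumps({"services": {
    "whatsapp-adapter-docs": {
        "user": "1001:1001", "restart": "unless-stopped",
        "ports": [{"host_ip": "127.0.0.1", "published": "8103", "target": 8080}],
        "volumes": [{"target": "/app/data"}, {"target": "/app/logs"},
                    {"target": "/app/conf", "read_only": True}]},
    "whatsapp-adapter-app": {
        "user": "node", "restart": "always",
        "ports": [{"published": "8101", "target": 5000}],
        "volumes": [{"target": "/app/data"}, {"target": "/app/conf"}]},
}})


def check_service(name, svc):
    """Return the contract violations for one resolved compose service."""
    problems = []
    uid, _, gid = str(svc.get("user", "")).partition(":")
    if not uid.isdigit() or (gid and not gid.isdigit()):
        problems.append("user is not numeric")
    elif int(uid) == 0:
        problems.append("user is root")
    if svc.get("restart") != "unless-stopped":
        problems.append("restart is not unless-stopped")
    mounts = {v["target"]: v for v in svc.get("volumes", [])}
    for target in sorted(EXPECTED_MOUNTS.get(name, set()) - set(mounts)):
        problems.append(f"missing mount {target}")
    for target in sorted(READ_ONLY & set(mounts)):
        if not mounts[target].get("read_only", False):
            problems.append(f"{target} is not read-only")
    for port in svc.get("ports", []):  # Default Ports publish on loopback only
        if port.get("host_ip") != "127.0.0.1":
            problems.append(f"port {port.get('published')} is not bound to 127.0.0.1")
    return problems


def check_config(config_json):
    """Map each service name to its list of violations (empty list means compliant)."""
    services = json.loads(config_json).get("services", {})
    return {name: check_service(name, svc) for name, svc in services.items()}
```

The remaining checklist items (env file present, log file written, health endpoint, internal network) depend on the running host and are outside what this static check covers.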