Docker

Emit a Dockerfile and (optionally) build/push the image.

The Docker target emits a Dockerfile plus the Node bundle. With --docker-build and --docker-push, the CLI invokes Docker for you.

Build the scaffold

fh build --target docker

Output:

.fabricharness/build/docker/
  Dockerfile
  dist/server.mjs
  manifest.json
  README.docker.md

Build the image in one step

fh build --target docker --docker-build --docker-tag myorg/agents:0.1.0

Add --docker-push to push immediately:

fh build --target docker --docker-build --docker-push --docker-tag myorg/agents:0.1.0

SBOM and provenance

The CLI integrates with Syft and cosign:

fh build --target docker \
  --docker-build --docker-tag myorg/agents:0.1.0 \
  --image-sbom --image-sbom-required \
  --provenance --sign-provenance --signing-key env://COSIGN_PRIVATE_KEY

Verify later with:

fh verify-attestation .fabricharness/build/docker
fh verify-provenance  .fabricharness/build/docker
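
The commands above can be chained so that an image is pushed only after both verification steps succeed. The script below is an added example, not part of the FabricHarness documentation; the function name `release_image` is hypothetical, and it assumes that `fh verify-attestation` and `fh verify-provenance` exit non-zero when verification fails.

```shell
#!/bin/sh
# Added example: build, verify, then push. Not FabricHarness's own code.
# Assumption: the two fh verify-* commands exit non-zero on failure.

BUILD_DIR=".fabricharness/build/docker"   # output directory shown on this page

release_image() {
  tag="${1:-}"
  if [ -z "$tag" ]; then
    echo "usage: release_image <repo:tag>" >&2
    return 2
  fi
  # The signing key is read from env://COSIGN_PRIVATE_KEY; fail early if unset
  # so an unsigned build never reaches the verification or push steps.
  if [ -z "${COSIGN_PRIVATE_KEY:-}" ]; then
    echo "COSIGN_PRIVATE_KEY is not set; refusing to build" >&2
    return 3
  fi

  # Build locally with SBOM and signed provenance. --docker-push is left out
  # on purpose: the push happens only after verification below.
  fh build --target docker \
    --docker-build --docker-tag "$tag" \
    --image-sbom --image-sbom-required \
    --provenance --sign-provenance --signing-key env://COSIGN_PRIVATE_KEY \
    || { echo "build failed" >&2; return 4; }

  # Gate: both checks must pass before the image leaves this machine.
  fh verify-attestation "$BUILD_DIR" \
    || { echo "attestation check failed; not pushing $tag" >&2; return 5; }
  fh verify-provenance "$BUILD_DIR" \
    || { echo "provenance check failed; not pushing $tag" >&2; return 6; }

  docker push "$tag"
}

# Run only when invoked with a tag, e.g.: ./release.sh myorg/agents:0.1.0
if [ "$#" -gt 0 ]; then
  release_image "$@"
fi
```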

Running the image

docker run --rm -p 8080:8080 \
  -e PORT=8080 \
  -e OPENAI_API_KEY="$OPENAI_API_KEY" \
  myorg/agents:0.1.0

Sandbox notes

The Docker target (the host container) and the Docker sandbox (per-session isolation inside that host) are different things:

  • Target Docker = where the Fabric server runs.
  • Sandbox Docker = a separate Docker container started per session for tool execution. Requires Docker socket access from the host.

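For most production deployments, use a non-Docker sandbox (e.g. Cloudflare Sandbox at the edge, or Foundry Hosted Agents on Azure) and reserve Docker for the host. A non-Docker sandbox also removes the need to expose the Docker socket, and access to that socket is effectively control of the host's Docker daemon.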