Add Dev Container Template structure for spec compliance

.devcontainer/allowed-domains.txt.example

@@ -1,6 +1,13 @@
 # Custom Allowed Domains and IP Ranges
 # Copy this file to 'allowed-domains.txt' in your project root to add custom allowed domains/IPs
 #
+# Note: The following domains are already allowed by default:
+# - GitHub (all necessary endpoints)
+# - npm registry
+# - Anthropic API
+# - 1Password services (all regions: .com, .eu, .ca)
+# - Docker Hub
+#
 # Format:
 # - One entry per line
 # - Domain names will be resolved to IPs (e.g., example.com)

.devcontainer/docker-compose.yml

@@ -7,12 +7,8 @@ services:
       # Timezone
       - TZ=${TZ:-UTC}
 
-      # 1Password Configuration
+      # 1Password Configuration - only pass if set
       - OP_SERVICE_ACCOUNT_TOKEN=${OP_SERVICE_ACCOUNT_TOKEN:-}
-      - OP_CREATE_SERVICE_ACCOUNT=${OP_CREATE_SERVICE_ACCOUNT:-false}
-      - OP_SA_EXPIRES_IN=${OP_SA_EXPIRES_IN:-30d}
-      - OP_SA_VAULTS=${OP_SA_VAULTS:-}
-      - OP_SA_NAME=${OP_SA_NAME:-}
       - OP_CONNECT_HOST=${OP_CONNECT_HOST:-}
       - OP_CONNECT_TOKEN=${OP_CONNECT_TOKEN:-}
 

.github/workflows/publish-templates.yml

@@ -0,0 +1,47 @@
+name: Publish Dev Container Templates
+
+on:
+  push:
+    branches:
+      - main
+    paths:
+      - 'src/**'
+  workflow_dispatch:
+
+jobs:
+  publish:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      packages: write
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Login to GitHub Container Registry
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Install Dev Container CLI
+        run: npm install -g @devcontainers/cli
+
+      - name: Publish Templates
+        run: |
+          # Publish the template to ghcr.io
+          devcontainer templates publish \
+            --registry ghcr.io \
+            --namespace ${{ github.repository_owner }}/templates \
+            ./src
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Verify Published Template
+        run: |
+          echo "Template published to: ghcr.io/${{ github.repository_owner }}/templates/liquescent-devcontainer"
+          echo ""
+          echo "Users can now apply it with:"
+          echo "  devcontainer templates apply --template-id ghcr.io/${{ github.repository_owner }}/templates/liquescent-devcontainer"

README.md

@@ -6,6 +6,22 @@
 
 A secure, polyglot development container with network isolation, comprehensive language support, and enterprise-grade secret management.
 
+## 📦 Distribution Methods
+
+This repository provides two ways to use our development container:
+
+### 1. **Pre-built Docker Image** (Recommended for speed)
+- Ready-to-use image from GitHub Container Registry
+- No build time required
+- Automatic updates when we publish new versions
+- Image: `ghcr.io/liquescent-development/devcontainer:latest`
+
+### 2. **Dev Container Template** (Recommended for customization)
+- Spec-compliant template you can add to any project
+- Customize the configuration for your specific needs
+- Located in `src/liquescent-devcontainer/`
+- Can be distributed via OCI registry as a template
+
 ## 🔒 Key Features
 
 ### Security & Network Isolation
@@ -36,9 +52,9 @@ A secure, polyglot development container with network isolation, comprehensive l
 - VS Code with Dev Containers extension
 - Git
 
-### Setup
+### Option 1: Using Pre-built Image (Fastest)
 
-1. **Clone this repository or copy `devcontainer.json`** to your project's `.devcontainer` folder
+1. **Copy the `.devcontainer` folder** from this repository to your project
 
 2. **Configure your environment**:
    ```bash
@@ -54,6 +70,33 @@ A secure, polyglot development container with network isolation, comprehensive l
 
 The container will automatically pull from `ghcr.io/liquescent-development/devcontainer:latest`.
 
+### Option 2: Using as a Template (Most Flexible)
+
+1. **Install the Dev Container CLI** (if not using VS Code):
+   ```bash
+   npm install -g @devcontainers/cli
+   ```
+
+2. **Apply the template to your project**:
+
+   From this repository:
+   ```bash
+   devcontainer templates apply \
+     --workspace-folder . \
+     --template-id ./src/liquescent-devcontainer
+   ```
+
+   Or from the published template (when available):
+   ```bash
+   devcontainer templates apply \
+     --workspace-folder . \
+     --template-id ghcr.io/liquescent-development/templates/liquescent-devcontainer
+   ```
+
+3. **Configure and customize** as needed
+
+4. **Open in your preferred tool** (VS Code, CLI, etc.)
+
 ## ⚙️ Configuration
 
 ### Environment Variables
@@ -88,6 +131,7 @@ By default, only these domains are accessible:
 - npm registry (registry.npmjs.org)
 - Anthropic API (api.anthropic.com)
 - Docker Hub (hub.docker.com)
+- 1Password (*.1password.com, *.1password.eu, *.1password.ca, *.1passwordservices.com)
 
 #### Adding Custom Domains
 

docker-image/scripts/init-firewall.sh

@@ -76,6 +76,47 @@ for domain in \
     done < <(echo "$ips")
 done
 
+# Resolve and add 1Password domains (required for 1Password CLI to function)
+# Based on: https://support.1password.com/ports-domains/
+echo "Configuring 1Password domains..."
+# Common 1Password subdomains across all regions (.com, .eu, .ca)
+onepassword_subdomains="1password my.1password app.1password api.1password events.1password b5n.1password"
+onepassword_tlds="com eu ca"
+
+for subdomain in $onepassword_subdomains; do
+    for tld in $onepassword_tlds; do
+        domain="${subdomain}.${tld}"
+        echo "Resolving $domain..."
+        # Use timeout and don't fail if a regional domain doesn't exist
+        ips=$(timeout 2 dig +noall +answer A "$domain" 2>/dev/null | awk '$4 == "A" {print $5}')
+        if [ -n "$ips" ]; then
+            while read -r ip; do
+                if [[ "$ip" =~ ^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$ ]]; then
+                    echo "  Adding $ip"
+                    ipset add allowed-domains "$ip" 2>/dev/null || true
+                fi
+            done < <(echo "$ips")
+        fi
+    done
+done
+
+# Additional 1Password service domains
+for domain in \
+    "cache.agilebits.com" \
+    "c.1passwordservices.com" \
+    "app.1passwordusercontent.com"; do
+    echo "Resolving $domain..."
+    ips=$(timeout 2 dig +noall +answer A "$domain" 2>/dev/null | awk '$4 == "A" {print $5}')
+    if [ -n "$ips" ]; then
+        while read -r ip; do
+            if [[ "$ip" =~ ^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$ ]]; then
+                echo "  Adding $ip"
+                ipset add allowed-domains "$ip" 2>/dev/null || true
+            fi
+        done < <(echo "$ips")
+    fi
+done
+
 # Process environment variable domains (from .env file via Docker Compose)
 if [ -n "${CUSTOM_ALLOWED_DOMAINS:-}" ]; then
     echo "Processing custom allowed domains from CUSTOM_ALLOWED_DOMAINS environment variable..."