> ## Documentation Index
> Fetch the complete documentation index at: https://capy.sc/docs/llms.txt
> Use this file to discover all available pages before exploring further.

# Docker Container Secrets: capy run as Entrypoint

> Use Capy as your Docker ENTRYPOINT to inject decrypted secrets at container start. Works with docker-compose, Kubernetes Secrets, and multi-stage builds.

Docker is the simplest case: `capy run` is your entrypoint, and the runtime platform (whatever orchestrates the container) sets `SECRETS_BLOB` and `PROJECT_KEY` in the container's env.

## Dockerfile

```dockerfile theme={null}
FROM node:22-slim

WORKDIR /app
COPY package.json bun.lock ./
RUN npm install -g @capysc/cli && bun install --production

COPY . .

# capy run reads SECRETS_BLOB + PROJECT_KEY from the container env,
# decrypts, and spawns your app with plaintext process.env.
ENTRYPOINT ["capy", "run", "--"]
CMD ["node", "server.js"]
```

Any language works - swap the base image and the `CMD`. Python: `CMD ["python", "app.py"]`. Go: `CMD ["./my-binary"]`. Ruby: `CMD ["bundle", "exec", "rails", "server"]`.

## Running

```bash theme={null}
docker build -t my-app .

docker run \
  -e SECRETS_BLOB="$SECRETS_BLOB" \
  -e PROJECT_KEY="$PROJECT_KEY" \
  -p 3000:3000 \
  my-app
```

`capy deploy` → pick **Docker** prints a `docker run` snippet with your exact values filled in.

## docker-compose

```yaml theme={null}
services:
  app:
    build: .
    environment:
      SECRETS_BLOB: ${SECRETS_BLOB}
      PROJECT_KEY: ${PROJECT_KEY}
    ports:
      - "3000:3000"
```

Set `SECRETS_BLOB` and `PROJECT_KEY` in the compose host's env (your shell, a `.env` file next to `compose.yaml` - **not** the Capy-managed `.env` inside the project).

## Kubernetes

```yaml theme={null}
apiVersion: v1
kind: Secret
metadata:
  name: capy-deploy
type: Opaque
stringData:
  SECRETS_BLOB: "eyJkZXBsb3lJZCI6..."
  PROJECT_KEY: "a1b2c3..."
---
apiVersion: apps/v1
kind: Deployment
spec:
  template:
    spec:
      containers:
        - name: app
          image: registry.example.com/my-app:latest
          envFrom:
            - secretRef:
                name: capy-deploy
          ports:
            - containerPort: 3000
```

The container image's `ENTRYPOINT ["capy", "run", "--"]` wraps your app; Kubernetes injects the two env vars from the `Secret`.

## Image size

`@capysc/cli` is a single Node binary (\~15 MB). If you want a smaller runtime image, multi-stage build with `capy run` only in the final image - it doesn't need build tooling.

## Revocation

Revoking the deploy token stops new container boots. Running containers keep their in-memory keys until they restart. To force immediate revocation everywhere, rotate the project key.
