AI DevOps Engine – bot posts PR fixes after testing in network-isolated Docker

3 points, posted 6 hours ago
by landry-77

3 Comments

mrhottakes

6 hours ago

A docker container that can be reached by the bot is not air-gapped. Words mean things.

landry-77

6 hours ago

Hi HN, I built an AI DevOps pipeline that hooks into GitHub webhooks, generates patches via OpenRouter (GPT-4o-mini), runs them in network-isolated Docker sandboxes, and posts the validated fix as a PR comment for review.

Key design decisions:

1. Zero data retention — code is scrubbed in-memory before inference, `data_collection: deny` on every LLM request
2. Air-gapped sandbox — patches execute in Docker with no network, 512MB RAM / 2 CPU hard limit
3. Secret redaction — AWS keys, GitHub tokens, DB creds are regex-stripped in memory before leaving the gateway
4. No auto-commit — bot only suggests fixes, you review and apply (enterprise requirement)
5. PostgreSQL RLS for tenant isolation — enforced at the database engine, not the ORM layer

Everything runs locally via Docker Compose (8 containers). You only pay for LLM tokens.

Stack: Node.js gateway → FastAPI brain → Celery workers → Redis → PostgreSQL → Django dashboard

Would love feedback on the sandbox isolation model and whether the suggestion-only workflow matches your team's compliance needs.
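Two of the design decisions above (the pre-inference secret redaction and the network-isolated, resource-capped sandbox) are concrete enough to show in code. The block below is an added illustration, not the project's own gateway or sandbox code. It assumes the redaction is a fixed list of regexes for well-known credential formats (the AWS `AKIA` key-ID prefix, GitHub `ghp_`-style tokens, a generic `user:password@host` database URL) and that the sandbox is launched with plain `docker run` flags; the OpenRouter request shape, with `data_collection: deny` under a `provider` object, is my assumption about where that field goes. The sample diff is constructed for the example.

```python
import re
from typing import Dict, List, Tuple

# Illustrative patterns for the credential formats the post names. These are
# assumptions for the example, not the project's own regex list. Regex
# redaction is best-effort: it catches known prefixes and shapes, not
# arbitrary high-entropy strings, so it should sit alongside other controls.
SECRET_PATTERNS: List[Tuple[str, "re.Pattern[str]", str]] = [
    ("aws_access_key_id",
     re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
     "[REDACTED_AWS_KEY_ID]"),
    ("aws_secret_access_key",
     re.compile(r"(?i)(aws_secret_access_key\s*[=:]\s*)['\"]?([A-Za-z0-9/+=]{40})['\"]?"),
     r"\1[REDACTED_AWS_SECRET]"),
    ("github_token",
     re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36}\b"),
     "[REDACTED_GITHUB_TOKEN]"),
    ("github_fine_grained_token",
     re.compile(r"\bgithub_pat_[A-Za-z0-9_]{20,}\b"),
     "[REDACTED_GITHUB_TOKEN]"),
    ("db_url_password",
     re.compile(r"(\b[a-z][a-z0-9+.-]*://[^:/\s@]+:)([^@\s]+)(@)"),
     r"\1[REDACTED_PASSWORD]\3"),
]


def redact_secrets(text: str) -> Tuple[str, Dict[str, int]]:
    """Replace recognised credential formats with placeholders, in memory.

    Returns the scrubbed text plus a per-pattern hit count, which is useful
    to log (counts only, never the matched values) so reviewers can see that
    a diff contained secrets before it was sent for inference.
    """
    counts: Dict[str, int] = {}
    for name, pattern, replacement in SECRET_PATTERNS:
        text, hits = pattern.subn(replacement, text)
        if hits:
            counts[name] = hits
    return text, counts


def build_inference_request(model: str, diff_text: str) -> dict:
    """Scrub the diff and attach the no-retention flag to the request body.

    Assumption for this example: OpenRouter's provider preferences carry
    `data_collection: "deny"`; the post only says the flag is set on every
    request, not where in the body it lives.
    """
    scrubbed, _ = redact_secrets(diff_text)
    return {
        "model": model,
        "provider": {"data_collection": "deny"},
        "messages": [{"role": "user", "content": scrubbed}],
    }


def sandbox_run_argv(image: str, workdir: str, command: List[str],
                     memory: str = "512m", cpus: str = "2") -> List[str]:
    """Build the `docker run` argv for executing a candidate patch.

    `--network none` gives the container no interfaces except loopback, and
    `--memory`/`--cpus` are the hard limits from the post. The remaining
    flags (no swap, pid cap, dropped capabilities, read-only root fs) are
    standard docker hardening added here beyond the post's list.
    """
    return [
        "docker", "run", "--rm",
        "--network", "none",
        "--memory", memory, "--memory-swap", memory,  # equal values: no swap
        "--cpus", cpus,
        "--pids-limit", "256",
        "--cap-drop", "ALL",
        "--security-opt", "no-new-privileges",
        "--read-only",
        "--tmpfs", "/tmp:rw,noexec,nosuid,size=64m",
        "-v", f"{workdir}:/work:rw",
        "-w", "/work",
        image, *command,
    ]


# Constructed sample diff for the example; the key values are the public
# placeholder examples from AWS documentation plus made-up tokens.
SAMPLE_DIFF = (
    "+AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n"
    "+aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n"
    "+DATABASE_URL=postgres://app:s3cr3tpw@db:5432/app\n"
    "+token = 'ghp_" + "a" * 36 + "'\n"
)

if __name__ == "__main__":
    scrubbed, hits = redact_secrets(SAMPLE_DIFF)
    print(scrubbed)
    print("redactions:", hits)
    print(" ".join(sandbox_run_argv("python:3.12-slim", "/srv/job42", ["pytest", "-q"])))
```

The hit counts are the thing worth persisting: they let an auditor confirm that redaction fired on a given job without the gateway ever writing the secret itself to a log line.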