Galley beta

Features

What's in the binary.

What ships today. Roadmap means it doesn't.

01 Lifecycle

From webhook to teardown.

PR opens → build queues → services come up → URL goes live. New commit supersedes the in-flight build. PR closes → environment is removed.

States flow pending → building → running → hibernating → terminated. Dashboard controls: rebuild, extend TTL, pin (keep past TTL). One sticky PR comment tracks current state + URL + TTL.

02 Git providers

GitHub, today.

GitHub App for orgs, PAT for solo accounts. Deliveries are HMAC-verified, logged, replayable from the dashboard. GitLab, Gitea, and Forgejo are roadmap.
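What the HMAC check on a delivery looks like, as an added example (not Galley's own code): GitHub sends an X-Hub-Signature-256 header holding "sha256=" plus the hex HMAC-SHA256 of the raw body under the webhook secret, and the receiver recomputes it over the exact bytes it got, before JSON decoding. The secret and payload below are constructed; whether Galley stores raw bodies for replay in this exact way is an assumption, but replaying anything other than the raw bytes would break re-verification.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strings"
)

// VerifyGitHubSignature checks the X-Hub-Signature-256 header GitHub attaches
// to each delivery: "sha256=" plus the hex HMAC-SHA256 of the raw body under
// the webhook secret. It must run on the exact bytes received, before any
// JSON decoding, and a copy kept for replay must be those same bytes.
func VerifyGitHubSignature(secret, body []byte, header string) bool {
	const prefix = "sha256="
	if !strings.HasPrefix(header, prefix) {
		return false
	}
	got, err := hex.DecodeString(strings.TrimPrefix(header, prefix))
	if err != nil {
		return false
	}
	mac := hmac.New(sha256.New, secret)
	mac.Write(body)
	// hmac.Equal is constant-time, so a forged header cannot be refined byte by byte.
	return hmac.Equal(got, mac.Sum(nil))
}

// SignBody builds the header value a sender would attach. It exists so the
// demo and tests can construct a delivery; a receiver never needs it.
func SignBody(secret, body []byte) string {
	mac := hmac.New(sha256.New, secret)
	mac.Write(body)
	return "sha256=" + hex.EncodeToString(mac.Sum(nil))
}

func main() {
	secret := []byte("constructed-webhook-secret")    // constructed for the demo
	body := []byte(`{"action":"opened","number":12}`) // constructed pull_request payload
	header := SignBody(secret, body)
	fmt.Println("genuine delivery accepted:", VerifyGitHubSignature(secret, body, header))
	tampered := []byte(`{"action":"opened","number":13}`)
	fmt.Println("tampered body rejected:", !VerifyGitHubSignature(secret, tampered, header))
}
```

A delivery that fails this check should be logged with the delivery id and dropped before it can queue a build; the log entry is what you would look at when a rebuild appears that no PR explains.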

03 Config

galley.yml, or your compose file.

galley.yml is a small superset of compose, with kind, expose, health, ephemeral. Existing docker-compose.yml works too — Galley parses it and warns about ignored fields.

Values under env: interpolate at deploy time: ${GALLEY_PREVIEW_HOST_api} for the api service's hostname, ${PROJECT_SECRET} for stored secrets. Siblings reach each other on the env network as http://api:3001.
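How a resolver for those two placeholder forms can behave, as an added example that is not Galley's implementation. The hostname layout (the web service on the bare pr-<n>-<repo>.preview.yourco.dev name, other public services on a subdomain of it) and the rule that only publicly routed services get a host placeholder are assumptions; the preview, secret and env values are constructed. The one design point worth copying is that an unknown reference fails the deploy instead of expanding to an empty string.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Placeholder forms from galley.yml: ${GALLEY_PREVIEW_HOST_<service>} and ${<SECRET_NAME>}.
const hostPrefix = "GALLEY_PREVIEW_HOST_"

var placeholder = regexp.MustCompile(`\$\{([A-Za-z_][A-Za-z0-9_]*)\}`)

// Preview identifies one PR environment under the wildcard zone.
type Preview struct {
	Number   int
	Repo     string
	BaseZone string // e.g. preview.yourco.dev
}

// Hostname returns the public name for a service. Assumed layout: web owns the
// bare preview domain, every other public service gets its own subdomain.
func (p Preview) Hostname(service string) string {
	base := fmt.Sprintf("pr-%d-%s.%s", p.Number, p.Repo, p.BaseZone)
	if service == "web" {
		return base
	}
	return service + "." + base
}

// Interpolate expands every placeholder in one env value. public lists the
// services that have a public route; secrets stands in for the stored-secret
// lookup. An unknown reference is an error rather than "", so a typo in
// galley.yml fails the deploy instead of shipping a blank credential.
func Interpolate(value string, p Preview, public map[string]bool, secrets map[string]string) (string, error) {
	var firstErr error
	out := placeholder.ReplaceAllStringFunc(value, func(m string) string {
		name := m[2 : len(m)-1] // strip "${" and "}"
		if strings.HasPrefix(name, hostPrefix) {
			svc := strings.TrimPrefix(name, hostPrefix)
			if public[svc] {
				return p.Hostname(svc)
			}
			if firstErr == nil {
				firstErr = fmt.Errorf("%s: service %q has no public route", m, svc)
			}
			return m
		}
		if v, ok := secrets[name]; ok {
			return v
		}
		if firstErr == nil {
			firstErr = fmt.Errorf("%s: no stored secret named %q", m, name)
		}
		return m
	})
	return out, firstErr
}

func main() {
	p := Preview{Number: 12, Repo: "shop", BaseZone: "preview.yourco.dev"} // constructed
	public := map[string]bool{"web": true, "api": true}
	secrets := map[string]string{"PROJECT_SECRET": "constructed-value"} // constructed
	env := map[string]string{
		"API_URL":      "https://${GALLEY_PREVIEW_HOST_api}/v1",
		"SESSION_KEY":  "${PROJECT_SECRET}",
		"INTERNAL_API": "http://api:3001", // sibling address on the env network, nothing to expand
		"BROKEN":       "${NOT_A_SECRET}",
	}
	for k, v := range env {
		out, err := Interpolate(v, p, public, secrets)
		fmt.Printf("%s=%s err=%v\n", k, out, err)
	}
}
```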

04 Service kinds

Tell Galley what each service is.

  • web — public route on the bare domain, screenshots.
  • api — public route on a subdomain, no screenshots.
  • worker — runs, no inbound network.
  • database, cache, queue — internal-only.
  • other — no defaults applied.

Without an explicit kind, Galley infers from the image name and warns.

05 Networking

Service-to-service by name.

Each preview has a private network. Containers join it with an alias matching their galley.yml name — web reaches api at http://api:3001 directly. External traffic lands on a wildcard subdomain (pr-<n>-<repo>.preview.yourco.dev), with wildcard TLS via ACME DNS-01 or BYO cert.

06 Build

Two paths, both rootless.

Dockerfile present → built in a disposable unprivileged sandbox. No Dockerfile → language autodetect picks a base image and builds the source directly. Covers Node, Go, Python, Ruby, Rust, JVM, .NET, PHP, and most others.

Services build in parallel up to a per-host cap. A new commit cancels the in-flight build before queueing the next. Logs stream live.

07 Data

Whatever you put in the compose file.

Postgres, MySQL, Mongo, Redis — declare the image, env, and seed scripts you already use in dev; Galley boots a clean instance per preview and tears it down on PR close. Isolated state per PR.

What it doesn't do: production-shape snapshots, lazy cloning, migration auto-detection. Roadmap; today you handle those yourself.

08 Observability

Logs and events, live.

Build output and container stdout/stderr stream over a single connection per deployment, tagged by service and stream. Lifecycle events (build started, service healthy, URL assigned) feed the deployment timeline.

Container metrics and long-term log retention are roadmap. The agent emits structured JSON — pipe it wherever your existing observability stack lives.

09 Collaboration

Things non-engineers can use.

Screenshots. Each service with kind: web is captured per viewport once it's healthy. Linked in the PR comment, grouped per service in the dashboard.

Notifications. Slack, Discord, or generic-webhook hooks per project. Test-fire button on every channel.

10 Access

Project-scoped roles + preview gating.

Four roles per project: owner (delete + members), admin (settings + deploys), developer (rebuild + terminate + read), viewer (read-only). One-time invite links scoped to project + role.

Previews can be public, basic-auth gated, or IP-allowlisted. A per-project bypass token lets CI / scripts skip the gate with a header — humans see auth, code uses the token. SSO (OIDC/SAML) is roadmap.
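The three gate modes and the bypass token as one decision function, added here as an example and not Galley's ingress code. The header name X-Galley-Bypass, the choice to reject a wrong token outright rather than fall through to basic auth, and the "bypass is checked first" ordering are assumptions; the office prefix and token are constructed. Two things a practitioner should keep: secrets are compared in constant time, and the client address comes from what the proxy saw, not from a header the client can set.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"fmt"
	"net/http"
	"net/netip"
)

type GateMode int

const (
	Public GateMode = iota
	BasicAuth
	IPAllowlist
)

// Gate is one preview's access policy plus the project's bypass token.
type Gate struct {
	Mode        GateMode
	User, Pass  string         // BasicAuth mode
	Prefixes    []netip.Prefix // IPAllowlist mode
	BypassToken string         // project-scoped; CI and scripts send it in a header
}

// Assumed header name; the page only says the bypass travels "with a header".
const bypassHeader = "X-Galley-Bypass"

// equalSecret hashes both sides first so the comparison is constant-time
// regardless of input length.
func equalSecret(a, b string) bool {
	ha, hb := sha256.Sum256([]byte(a)), sha256.Sum256([]byte(b))
	return subtle.ConstantTimeCompare(ha[:], hb[:]) == 1
}

// Allow decides whether a request may reach the preview and returns the reason
// for the access log. remoteIP must be the address the ingress proxy observed.
func (g Gate) Allow(r *http.Request, remoteIP netip.Addr) (bool, string) {
	if tok := r.Header.Get(bypassHeader); tok != "" {
		if g.BypassToken != "" && equalSecret(tok, g.BypassToken) {
			return true, "bypass token"
		}
		return false, "bad bypass token" // a stale or leaked token fails loudly instead of degrading to auth
	}
	switch g.Mode {
	case Public:
		return true, "public"
	case BasicAuth:
		u, p, ok := r.BasicAuth()
		if ok && equalSecret(u, g.User) && equalSecret(p, g.Pass) {
			return true, "basic auth"
		}
		return false, "basic auth required"
	case IPAllowlist:
		for _, pfx := range g.Prefixes {
			if pfx.Contains(remoteIP) {
				return true, "ip allowlisted"
			}
		}
		return false, "ip not allowlisted"
	}
	return false, "unknown mode"
}

func main() {
	g := Gate{
		Mode:        IPAllowlist,
		Prefixes:    []netip.Prefix{netip.MustParsePrefix("10.0.0.0/8")}, // constructed office range
		BypassToken: "constructed-bypass-token",
	}
	r, _ := http.NewRequest("GET", "https://pr-12-shop.preview.yourco.dev/", nil)
	fmt.Println(g.Allow(r, netip.MustParseAddr("10.4.0.9")))    // true ip allowlisted
	fmt.Println(g.Allow(r, netip.MustParseAddr("203.0.113.5"))) // false ip not allowlisted
	r.Header.Set(bypassHeader, "constructed-bypass-token")
	fmt.Println(g.Allow(r, netip.MustParseAddr("203.0.113.5"))) // true bypass token
}
```

The reason string is meant for the proxy's access log: a run of "bad bypass token" from one address is the signal that a token has leaked or was rotated without updating the pipeline that uses it.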

11 API

Everything in the dashboard, also over HTTP.

JSON API behind every dashboard action. Bearer-token auth, scoped tokens (projects:read|write, deployments:read|write, admin), audit-logged. A published OpenAPI spec and a wait-for-preview GitHub Action are roadmap.
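One way to model the scoped tokens and the audit record, added as an example and not Galley's API layer. The page gives the scope names (projects:read|write, deployments:read|write, admin); the rules that write implies read on the same resource and that admin implies everything, the route table, and the token values are all assumptions or constructed. Denials are written to the audit log as well as grants, since a denied call is the more interesting event.

```go
package main

import (
	"fmt"
	"strings"
	"time"
)

// Token is a bearer token with the set of scopes it was issued with.
type Token struct {
	ID     string
	Scopes map[string]bool
}

// ParseScopes reads a space-separated scope list, expanding the page's
// shorthand "projects:read|write" into projects:read and projects:write.
func ParseScopes(id, list string) Token {
	t := Token{ID: id, Scopes: map[string]bool{}}
	for _, s := range strings.Fields(list) {
		res, acts, ok := strings.Cut(s, ":")
		if !ok {
			t.Scopes[s] = true // bare scope such as admin
			continue
		}
		for _, a := range strings.Split(acts, "|") {
			t.Scopes[res+":"+a] = true
		}
	}
	return t
}

// Has reports whether the token satisfies a required scope. Assumed rules:
// admin grants everything, and <res>:write also covers <res>:read.
func (t Token) Has(required string) bool {
	if t.Scopes["admin"] || t.Scopes[required] {
		return true
	}
	res, act, ok := strings.Cut(required, ":")
	return ok && act == "read" && t.Scopes[res+":write"]
}

// AuditEntry carries the fields the page lists: actor, target, IP, timestamp.
type AuditEntry struct {
	Actor, Target, IP, Decision string
	At                          time.Time
}

// Hypothetical route table; Galley's real endpoints are not on the page.
var routeScopes = map[string]string{
	"GET /deployments":          "deployments:read",
	"POST /deployments/rebuild": "deployments:write",
	"PATCH /projects":           "projects:write",
	"DELETE /projects":          "admin",
}

// Authorize resolves the scope a route needs, checks the token, and returns an
// audit entry for allow and deny alike. Routes not in the table are denied.
func Authorize(t Token, method, route, target, ip string) (bool, AuditEntry) {
	e := AuditEntry{Actor: "token:" + t.ID, Target: target, IP: ip, At: time.Now()}
	required, known := routeScopes[method+" "+route]
	if !known || !t.Has(required) {
		e.Decision = "deny " + method + " " + route
		return false, e
	}
	e.Decision = "allow " + method + " " + route
	return true, e
}

func main() {
	ci := ParseScopes("ci-1", "deployments:read|write projects:read") // constructed token
	ok, e := Authorize(ci, "POST", "/deployments/rebuild", "pr-12-shop", "198.51.100.7")
	fmt.Println(ok, e.Decision, e.Actor, e.Target)
	ok, e = Authorize(ci, "DELETE", "/projects", "shop", "198.51.100.7")
	fmt.Println(ok, e.Decision, e.Actor, e.Target)
}
```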

12 Security

Encrypted secrets, audit log.

Secrets are AES-256-GCM enveloped with a master key you provide. The key never enters the database; lose it and the ciphertext is rubble. Every admin action lands in an audit log with actor, target, IP, timestamp.
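What "enveloped with a master key" means in code, as an added example that is not Galley's implementation. A fresh 256-bit data key is generated per secret, the value is sealed under that data key, and the data key is sealed under the master key; only the two ciphertexts reach the database. Binding the secret's name in as associated data, and the exact record layout, are assumptions; the key and value below are constructed. The demo also shows the property the page states: with the wrong master key, nothing decrypts.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// StoredSecret is the only thing persisted: the data key wrapped under the
// master key, and the value under the data key. The master key is never stored.
type StoredSecret struct {
	Name       string
	WrappedDEK []byte // nonce || AES-256-GCM(master, dek, aad=name)
	Ciphertext []byte // nonce || AES-256-GCM(dek, value, aad=name)
}

func gcm(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be 32 bytes for AES-256")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal returns nonce || ciphertext||tag with a random nonce per call.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	g, err := gcm(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return append(nonce, g.Seal(nil, nonce, plaintext, aad)...), nil
}

// open reverses seal; any bit flip in nonce, ciphertext, tag or aad fails.
func open(key, blob, aad []byte) ([]byte, error) {
	g, err := gcm(key)
	if err != nil {
		return nil, err
	}
	n := g.NonceSize()
	if len(blob) < n {
		return nil, errors.New("blob too short")
	}
	return g.Open(nil, blob[:n], blob[n:], aad)
}

// Encrypt builds the envelope. The secret's name is the associated data, so a
// ciphertext cannot be copied from one secret's row to another's (assumption).
func Encrypt(master []byte, name string, value []byte) (StoredSecret, error) {
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		return StoredSecret{}, err
	}
	ct, err := seal(dek, value, []byte(name))
	if err != nil {
		return StoredSecret{}, err
	}
	wrapped, err := seal(master, dek, []byte(name))
	if err != nil {
		return StoredSecret{}, err
	}
	return StoredSecret{Name: name, WrappedDEK: wrapped, Ciphertext: ct}, nil
}

// Decrypt unwraps the data key with the master key, then opens the value.
func Decrypt(master []byte, s StoredSecret) ([]byte, error) {
	dek, err := open(master, s.WrappedDEK, []byte(s.Name))
	if err != nil {
		return nil, fmt.Errorf("unwrap data key: %w", err)
	}
	return open(dek, s.Ciphertext, []byte(s.Name))
}

func main() {
	master := make([]byte, 32)
	rand.Read(master) // operator-supplied in Galley; generated here for the demo and never written anywhere
	s, err := Encrypt(master, "DATABASE_URL", []byte("postgres://constructed-dsn"))
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored: name=%s wrappedDEK=%dB ciphertext=%dB\n", s.Name, len(s.WrappedDEK), len(s.Ciphertext))
	v, err := Decrypt(master, s)
	fmt.Printf("with master key: %s err=%v\n", v, err)
	_, err = Decrypt(make([]byte, 32), s)
	fmt.Printf("with wrong master key: err=%v\n", err)
}
```

Rotating the master key under this layout means re-wrapping each row's data key, not re-encrypting every value; that is the operational reason for the extra layer.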

Threat model and what's out of scope live on /security.

13 Ops

One compose file.

Ships as Docker images. One compose project on one host brings up the server, agent, Postgres, message bus, ingress proxy. Migrations run on boot. v1 is single-host; multi-host is roadmap.

Topology, DNS, TLS, master key, backups — the docs.