Install custom tooling in the production stage via direct binaries and apt
so it doesn't break the base stage build.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
The fork added build-time tooling (kubectl, kubeseal, uv, nano, vim) that
is not needed inside the container build and was causing repeated build
failures due to URL/checksum drift. These tools belong in the runtime
environment, not the image build.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
- kubectl: pin to v1.32.0 instead of dynamic stable.txt (which was
returning a version with no matching binary, causing 404)
- kubeseal: fix URL to use versioned tarball (v0.36.6) instead of
/latest which had no unversioned asset, causing 404
- also removed wget (no longer needed after removing keyring/apt)
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
The GitHub CLI keyring approach requires a hardcoded SHA256 checksum
that drifts as the keyring file is updated upstream, causing build
failures. Replace with direct binary tarball download which is simpler
and has no checksum drift issue.
Also removed wget (only needed for keyring download).
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
The hardcoded checksum was out of date, causing sha256sum verification
to fail and abort the build.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
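The messages above replace "drifting" checksums with pinned versions and unverified tarball downloads. The cleaner fix is to pin both the version and the digest: fetch the artifact together with the publisher's sha256sum-format checksums file (or a per-binary `.sha256` as kubectl publishes), and refuse to install on mismatch. The following is an added example, not the project's Dockerfile or any script from its repository; the function names `lookup_sum`, `verify_sha256` and `install_pinned`, the `PUID`-style environment names, and the amd64 host are assumptions. The kubectl version v1.32.0 is the one pinned in the commit message.

```shell
#!/bin/sh
# Added example (not the project's code): pin a release version, fetch the
# artifact plus the publisher's checksums, and fail closed on a mismatch.
# Assumed names: lookup_sum, verify_sha256, install_pinned, KUBECTL_VERSION.
set -eu

# lookup_sum SUMS_FILE NAME -> prints the hex digest recorded for NAME, or fails.
# Accepts both "digest  name" and "digest *name" (sha256sum binary mode) lines.
lookup_sum() {
    sums=$1; name=$2
    awk -v n="$name" '
        { f = $2; sub(/^\*/, "", f); if (f == n) { print $1; found = 1 } }
        END { exit found ? 0 : 1 }' "$sums"
}

# verify_sha256 FILE EXPECTED_HEX -> succeeds only if FILE hashes to EXPECTED_HEX.
verify_sha256() {
    file=$1; expected=$2
    actual=$(sha256sum "$file" | awk '{ print $1 }')
    [ "$actual" = "$expected" ]
}

# install_pinned URL EXPECTED_HEX DEST
# Download to a scratch file, verify, then install mode 0755. A mismatch leaves
# nothing in DEST and aborts the build instead of silently using the file.
install_pinned() {
    url=$1; expected=$2; dest=$3
    tmp=$(mktemp)
    if ! curl -fsSL --proto '=https' --tlsv1.2 -o "$tmp" "$url"; then
        rm -f "$tmp"; echo "download failed: $url" >&2; return 1
    fi
    if ! verify_sha256 "$tmp" "$expected"; then
        rm -f "$tmp"; echo "checksum mismatch: $url" >&2; return 1
    fi
    install -m 0755 "$tmp" "$dest"
    rm -f "$tmp"
}

# Usage, only when run as `sh this.sh install`: kubectl publishes a per-version
# kubectl.sha256 next to the binary, so pin the version (v1.32.0 from the commit)
# and check the binary against it. Pinning the digest itself in the Dockerfile is
# stronger still, because the .sha256 file is served by the same origin.
if [ "${1:-}" = "install" ]; then
    KUBECTL_VERSION="${KUBECTL_VERSION:-v1.32.0}"   # assumption: linux/amd64 host
    base="https://dl.k8s.io/release/${KUBECTL_VERSION}/bin/linux/amd64"
    expected=$(curl -fsSL --proto '=https' --tlsv1.2 "${base}/kubectl.sha256")
    install_pinned "${base}/kubectl" "$expected" /usr/local/bin/kubectl
fi
```

Pinning the version alone (as the commits do) only prevents 404s from `stable.txt` or `/latest`; it does not detect a swapped or corrupted artifact. A digest copied into the Dockerfile will only "drift" when you deliberately bump the version, which is exactly the review point you want.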
wget is called immediately after apt-get install but was not included
in the package list, causing the build to fail.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Required by the custom minimax provider in opencode.json which uses
@ai-sdk/anthropic to hit minimax's Anthropic-compatible API endpoint.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- Add wget, ripgrep, python3, and GitHub CLI (gh) to base image
- Add OPENCODE_ALLOW_ALL_MODELS=true to production ENV
- Move compose files, onboard-smoke Dockerfile to docker/
- Move entrypoint script to scripts/docker-entrypoint.sh
- Add Podman Quadlet unit files (pod, app, db containers)
- Add docker/README.md with build, compose, and quadlet docs
- Add scripts/docker-build-test.sh for local build validation
- Update all doc references for new file locations
- Keep main Dockerfile at project root (no .dockerignore changes needed)
Co-Authored-By: Paperclip <noreply@paperclip.ing>
- Add USER_UID/USER_GID build args to Dockerfile
- Install gosu and remap node user/group at build time
- Set node home directory to /paperclip so agent credentials resolve correctly
- Add docker-entrypoint.sh for runtime UID/GID remapping via gosu
Co-Authored-By: Paperclip <noreply@paperclip.ing>
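The message above describes runtime UID/GID remapping through gosu so that a bind-mounted data directory is writable by the host user. The following is an added example of that pattern, not the project's `scripts/docker-entrypoint.sh`: it assumes a `node` user already exists in the image (as in the later commits), that `gosu`, `usermod` and `groupmod` are installed, a data directory at `/paperclip`, and operator-supplied `PUID`/`PGID` variables (assumed names). The remap policy is a pure function so it can be exercised without root; it refuses UID 0, matching the commit that notes the Claude CLI rejects running as root.

```shell
#!/bin/sh
# Added example of a gosu-based entrypoint (not the project's script).
# Assumes: user APP_USER exists in the image, gosu/usermod/groupmod installed,
# data dir DATA_DIR. PUID/PGID are assumed operator-facing variable names.
set -eu

APP_USER="${APP_USER:-node}"
DATA_DIR="${DATA_DIR:-/paperclip}"

# decide_action CURRENT_UID REQUESTED_UID IMAGE_UID
# Pure policy, testable without root. Prints one of:
#   exec-as-is      not root (e.g. `docker run --user`): cannot remap, just run
#   drop-only       root, no remap requested or already the image's UID: gosu down
#   remap-and-drop  root and a different non-root UID requested
#   reject          requested UID is not an integer, or is 0 (never run app as root)
decide_action() {
    cur_uid=$1; want_uid=$2; image_uid=$3
    if [ "$cur_uid" != "0" ]; then echo exec-as-is; return 0; fi
    if [ -z "$want_uid" ]; then echo drop-only; return 0; fi
    case "$want_uid" in *[!0-9]*) echo reject; return 0 ;; esac
    if [ "$want_uid" -eq 0 ]; then echo reject; return 0; fi
    if [ "$want_uid" -eq "$image_uid" ]; then echo drop-only; else echo remap-and-drop; fi
}

# apply_remap UID GID: change the image user's ids and fix ownership of the
# data dir only (the /app tree was already COPY --chown'ed at build time).
apply_remap() {
    uid=$1; gid=$2
    groupmod -o -g "$gid" "$APP_USER"
    usermod  -o -u "$uid" -g "$gid" "$APP_USER"
    chown -R "$uid:$gid" "$DATA_DIR"
}

main() {
    action=$(decide_action "$(id -u)" "${PUID:-}" "$(id -u "$APP_USER")")
    case "$action" in
        reject)         echo "refusing PUID='${PUID:-}': must be a non-zero integer" >&2; exit 1 ;;
        exec-as-is)     exec "$@" ;;
        drop-only)      exec gosu "$APP_USER" "$@" ;;
        remap-and-drop) apply_remap "$PUID" "${PGID:-$PUID}"; exec gosu "$APP_USER" "$@" ;;
    esac
}

# Only act when given a command, e.g. `docker-entrypoint.sh node dist/index.js`.
if [ $# -gt 0 ]; then main "$@"; fi
```

`gosu` is used rather than `su` because it `exec`s the target directly, so the application becomes PID 1's child with no shell in between and signals reach it. The `exec-as-is` branch matters in practice: if the operator already starts the container with `--user`, the script is not root and any `usermod` call would simply fail.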
pnpm install needs the patches/ directory to resolve patched
dependencies (embedded-postgres). Without it, --frozen-lockfile
fails with ENOENT on the patch file.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
The plugin framework landed without updating the Dockerfile. The
server now imports @paperclipai/plugin-sdk, so the deps stage needs
its package.json for install and the build stage needs to compile
it before building the server.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Switch the production stage to the built-in node user from
node:lts-trixie-slim, fixing two runtime failures:
1. Claude CLI rejects --dangerously-skip-permissions when the
process UID is 0, making the claude-local adapter unusable.
2. The server crashed at startup (EACCES) because /paperclip was
root-owned and the process could not write logs or instance data.
Changes vs the naive fix:
- Use COPY --chown=node:node instead of a separate RUN chown -R,
avoiding a duplicate image layer that would double the size of
the /app tree in the final image.
- Consolidate mkdir /paperclip + chown into the same RUN layer as
the npm global install (already runs as root) to keep layer count
minimal.
- Add USER node before CMD so the process runs unprivileged.
The VOLUME declaration comes after chown so freshly-mounted
anonymous volumes inherit the correct node:node ownership.
Fixes #344
Rewrites Dockerfile to use bookworm-slim base, installs Claude and Codex
CLIs, adds docker-compose.quickstart.yml for one-command setup, and adds
DOCKER.md with usage instructions.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
pnpm monorepo with shared packages, server, and UI workspaces.
Includes Docker multi-stage build, Postgres compose, and root TypeScript/Vitest config.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>