build(agent-job): pin Claude Code CLI; smoke one turn per runtime

Add @anthropic-ai/claude-code@2.1.207 to the job image global npm install,
extend the smoke script with claude --version plus a documented per-runtime
turn block, and reconcile OpenCode/Claude adapter flags against the real CLIs
(all assumed flags confirmed). Document the anthropic_oauth_json credential
snapshot pattern in the README.
This commit is contained in:
Gabriel Brown
2026-07-11 11:25:44 -04:00
parent 702e53a4ba
commit 424307c5af
5 changed files with 26 additions and 10 deletions
+8 -3
View File
@@ -206,8 +206,9 @@ SPOON_AGENT_JOB_IMAGE="git.gbrown.org/gib/spoon-agent-job:latest"
``` ```
The job image includes Node 22, Bun, pnpm and yarn through Corepack, npm, git, The job image includes Node 22, Bun, pnpm and yarn through Corepack, npm, git,
ripgrep, Python, build tools, OpenCode, and the Codex CLI. It is not the forked ripgrep, Python, build tools, OpenCode, the Codex CLI, and the Claude Code CLI.
project's production runtime; it is the agent execution environment. It is not the forked project's production runtime; it is the agent execution
environment.
Production worker runtime requirements: Production worker runtime requirements:
@@ -255,7 +256,11 @@ Deployment readiness checklist:
API-key based AI provider profiles run through OpenCode. Codex ChatGPT login API-key based AI provider profiles run through OpenCode. Codex ChatGPT login
profiles run through the Codex CLI: Spoon writes the encrypted `auth.json` into profiles run through the Codex CLI: Spoon writes the encrypted `auth.json` into
the isolated job workspace as `CODEX_HOME/.codex/auth.json` before execution. the isolated job workspace as `CODEX_HOME/.codex/auth.json` before execution.
Treat that saved auth file like a password and only use it on trusted workers. Anthropic profiles run through the Claude Code CLI: API-key profiles authenticate
via `ANTHROPIC_API_KEY`, while `anthropic_oauth_json` credential-snapshot profiles
have their encrypted OAuth blob written into the isolated job workspace as
`~/.claude/.credentials.json` before execution. Treat those saved auth files like
a password and only use them on trusted workers.
</details> </details>
@@ -42,9 +42,9 @@ export const createClaudeAdapter: AdapterFactory = (deps) => {
workspace.turnMarker = `spoon-turn-${randomUUID()}`; workspace.turnMarker = `spoon-turn-${randomUUID()}`;
const marker = workspace.turnMarker; const marker = workspace.turnMarker;
// NOTE: exact flags are UNVERIFIED against the pinned CLI and are confirmed // Flags verified against `claude --help` (@anthropic-ai/claude-code@2.1.207):
// in Task 11's smoke. `--verbose` is required for `stream-json`; // `-p`, `--output-format stream-json`, `--verbose`, `--dangerously-skip-permissions`,
// `--resume <sessionId>` carries continuity. // `--model`, and `--resume <sessionId>` (continuity) all exist.
const argv = [ const argv = [
'claude', 'claude',
'-p', '-p',
@@ -57,9 +57,8 @@ export const createOpenCodeAdapter: AdapterFactory = (deps) => {
workspace.turnMarker = `spoon-turn-${randomUUID()}`; workspace.turnMarker = `spoon-turn-${randomUUID()}`;
const marker = workspace.turnMarker; const marker = workspace.turnMarker;
// NOTE: `--session` continuity is UNVERIFIED against `opencode run --help` and // Flags verified against `opencode run --help` (opencode-ai@1.17.9):
// may be dropped in Task 11's smoke; if unsupported, OpenCode turns are stateless // `--format json`, `--model`, and `--session <id>` all exist.
// (acceptable — Codex/Claude carry continuity).
const argv = [ const argv = [
'opencode', 'opencode',
'run', 'run',
+1 -1
View File
@@ -47,7 +47,7 @@ RUN dnf install -y --setopt=install_weak_deps=False --nodocs \
# Package managers + pinned agent CLIs (kept identical to the prior image). # Package managers + pinned agent CLIs (kept identical to the prior image).
# Fedora's nodejs-npm doesn't ship corepack, so install pnpm/yarn via npm. # Fedora's nodejs-npm doesn't ship corepack, so install pnpm/yarn via npm.
RUN npm install -g pnpm yarn bun@1.3.10 opencode-ai@1.17.9 @openai/codex@0.142.0 \ RUN npm install -g pnpm yarn bun@1.3.10 opencode-ai@1.17.9 @openai/codex@0.142.0 @anthropic-ai/claude-code@2.1.207 \
&& npm cache clean --force && npm cache clean --force
# oh-my-posh prompt (binary only; we ship our own /etc/spoon/omp.json theme). # oh-my-posh prompt (binary only; we ship our own /etc/spoon/omp.json theme).
+12
View File
@@ -28,4 +28,16 @@ fi
python3 --version python3 --version
opencode --version opencode --version
codex --version codex --version
claude --version
' '
# Manual per-runtime smoke (requires creds in your shell env):
# docker build -f docker/agent-job.Dockerfile -t spoon-agent-job:latest .
# docker run -d --name spoon-box-smoke --init spoon-agent-job:latest sleep infinity
# docker exec -e OPENAI_API_KEY -w /workspace spoon-box-smoke \
# opencode run --format json --model openai/gpt-5.5 -- 'print hello'
# docker exec -e ANTHROPIC_API_KEY -w /workspace spoon-box-smoke \
# claude -p 'print hello' --output-format stream-json --verbose --dangerously-skip-permissions
# docker exec -e CODEX_HOME=/root/.codex -w /workspace spoon-box-smoke \
# codex exec --json --dangerously-bypass-approvals-and-sandbox 'print hello'
# docker rm -f spoon-box-smoke