Phase 0 codex-runner-substrate — docker chunk (Tasks 3-6) #27
Phase 0 — Codex-runner-substrate — docker chunk
Implements the docker part (Tasks 3-6) of the Phase 0 codex-runner-substrate plan. The MCP slice (Tasks 1-2-7) is open in scrum4me-mcp #41. The host canary (Task 8) and the ops flow (Task 9) follow after merge.
Plan + design (GO):
- `docs/superpowers/plans/2026-06-07-codex-runner-substrate-phase0-plan.md` (codex r2 GO, 0 P1/P2, P3 about `etc/codex` pre-handled by repo-root `codex/`)
- `docs/superpowers/specs/2026-06-07-codex-runner-substrate-phase0-design.md` (codex r2 GO + scrum4me-server operational GO)

Changes
Task 3 — `bin/run-one-job.ts` — threads `SCRUM4ME_WORKER_RUNTIME` (via `getWorkerRuntimeFromEnv`) through `registerWorker`, `startHeartbeat` and both `tryClaimJob` call sites (5th positional arg). Branches the binary (`claude` vs `codex`), the args (`buildCodexArgs` for codex; Claude flag set unchanged) and the exit classification (`classifyCodexOutput` for codex; existing regex scan for claude). Skips the Anthropic quota probe for CODEX (no Anthropic budget with ChatGPT-plan auth).

Task 4 — `bin/check-tokens.sh` — runtime-aware credential check. CLAUDE: existing `ANTHROPIC_API_KEY`/`CLAUDE_CODE_OAUTH_TOKEN` checks. CODEX: `/home/agent/.codex/auth.json` MUST be present + readable + writable (codex refreshes its own token); `codex login status` is opportunistic. The Scrum4Me token + `DATABASE_URL` TCP probe remain runtime-agnostic.

Task 5 — `Dockerfile` — multi-stage refactor into 3 stages:
- `base` — system deps + node + gh + scrum4me-mcp clone + agent user + runner files + ENV + ENTRYPOINT (without agent CLI).
- `codex` — `npm install -g @openai/codex@0.137.0-alpha.4` + `COPY codex/ /opt/agent/etc/codex/`.
- `claude` — native Claude Code installer, LAST stage, so that `docker build .` (no `--target`) yields byte-for-byte the same Claude image as today.

Task 6 — codex config + entrypoint + compose:
- `codex/config.toml` (repo root, not under `etc/`): approval=never, sandbox=workspace-write (network on), MCP via `npx tsx /opt/scrum4me-mcp/src/index.ts`, `required=true`. `env_vars` forwards token/DB/cache plus `SCRUM4ME_WORKER_RUNTIME` + `SCRUM4ME_INSTANCE_ID` + `SCRUM4ME_WORKER_INSTANCE_ID` + capability vars so that the MCP subprocess registers as CODEX. `[mcp_servers.scrum4me.env]` sets `TSX_TSCONFIG_PATH` explicitly.
- `bin/entrypoint.sh` — runtime-gated install of `/opt/agent/etc/codex/config.toml` → `/home/agent/.codex/config.toml` (via `gosu agent`, after the settings.json install, before the health server).
- `docker-compose.yml` — `agent-codex` service from `--target codex`. Mirrors `agent` hardening (read_only / cap_drop ALL / no-new-privileges). Separate `${NAS_BASE}/codex-home` bind for `/home/agent/.codex` (auth.json refresh survives `--force-recreate` — server-review P2). Separate log/state dirs and host port 18081.
Verification
- `bash -n bin/check-tokens.sh` — syntax OK
- `bash -n bin/entrypoint.sh` — syntax OK
- `docker compose config -q` — services: `agent`, `agent-codex` (clean parse)
- `claude` is the last FROM (default target preserved)
- `getWorkerRuntimeFromEnv` / `buildCodexArgs` / `classifyCodexOutput` exist on `feat/codex-runner-substrate` of scrum4me-mcp

Next steps (not in this PR)
- `codex login` → `${NAS_BASE}/codex-home/auth.json`; deployed-compose sync; fleet-regression gate (no-`--target` build must leave the Claude worker-idea fleet unchanged); container smoke (MCP + NODE_PATH + runtime-env forwarding); canary (SYSTEM PLAN_CHAT CODEX job DONE with 0 auth/MCP errors).
- `update_codex_worker` flow in Ops dashboard (fast-follow so that `agent-codex` redeploys along without touching the Claude fleet).

🤖 Generated with Claude Code
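The runtime-aware credential check and the runtime-gated config install that the description summarises, written out as an added example. This is not the repository's `bin/check-tokens.sh` or `bin/entrypoint.sh`; it assumes the runtime is selected by `SCRUM4ME_WORKER_RUNTIME` (`CLAUDE` or `CODEX`), takes the auth-file and config paths as parameters instead of the hard-coded `/home/agent/.codex/...`, and uses plain `install(1)` where the entrypoint uses `gosu agent`. The Scrum4Me token check stands in for the runtime-agnostic part; the `DATABASE_URL` TCP probe is omitted so the example runs offline.

```shell
#!/usr/bin/env bash
# Added example (not the project's own scripts). Assumptions: runtime comes
# from SCRUM4ME_WORKER_RUNTIME; file paths are passed in so the check is testable.
set -u

# CODEX: the auth file must exist, be readable AND be writable. codex rewrites
# the file when it refreshes its own token, so a read-only bind (or a root-owned
# file under a read_only rootfs) breaks the refresh at the first expiry.
check_codex_auth() {
  auth_file="$1"
  if [ ! -f "$auth_file" ]; then
    echo "codex auth missing: $auth_file" >&2
    return 1
  fi
  if [ ! -r "$auth_file" ]; then
    echo "codex auth not readable: $auth_file" >&2
    return 1
  fi
  if [ ! -w "$auth_file" ]; then
    echo "codex auth not writable (token refresh would fail): $auth_file" >&2
    return 1
  fi
  # Opportunistic: ask the CLI if it is on PATH, but never fail the check on it.
  if command -v codex >/dev/null 2>&1; then
    codex login status >/dev/null 2>&1 || echo "warn: codex login status non-zero" >&2
  fi
  return 0
}

# CLAUDE: an API key or an OAuth token must be set and non-empty.
check_claude_creds() {
  if [ -n "${ANTHROPIC_API_KEY:-}" ] || [ -n "${CLAUDE_CODE_OAUTH_TOKEN:-}" ]; then
    return 0
  fi
  echo "claude creds missing: set ANTHROPIC_API_KEY or CLAUDE_CODE_OAUTH_TOKEN" >&2
  return 1
}

# Runtime-agnostic part: the scheduler token is required for either runtime.
check_common() {
  [ -n "${SCRUM4ME_TOKEN:-}" ] || { echo "SCRUM4ME_TOKEN missing" >&2; return 1; }
}

# Dispatcher: $1 = runtime name, $2 = path of the codex auth file.
# Exit 0 = all checks passed, 1 = a check failed, 2 = unknown runtime.
check_tokens() {
  runtime="$1"
  auth_file="$2"
  check_common || return 1
  case "$runtime" in
    CODEX)  check_codex_auth "$auth_file" ;;
    CLAUDE) check_claude_creds ;;
    *) echo "unknown SCRUM4ME_WORKER_RUNTIME: $runtime" >&2; return 2 ;;
  esac
}

# Runtime-gated config install: a no-op for CLAUDE so the Claude image runs
# unchanged; for CODEX copy the config with 0600 into the target home dir.
# Dropping to the agent user (gosu in the real entrypoint) is the caller's job.
install_codex_config() {
  runtime="$1"
  src="$2"
  dst="$3"
  [ "$runtime" = "CODEX" ] || return 0
  [ -f "$src" ] || { echo "config source missing: $src" >&2; return 1; }
  mkdir -p "$(dirname "$dst")"
  install -m 0600 "$src" "$dst"
}
```

Two practical points: `[ -w ]` reports what the *effective* user may do, so the check only says something useful when it runs as the agent user, not as root (root passes the test on any file, and the later refresh then fails as the agent). And the writable requirement is exactly why the `.codex` directory needs its own writable bind under a `read_only` rootfs; without it the check fails at container start instead of at the first token refresh, which is the cheaper place to fail.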
Adds codex/config.toml at repo-root: approval=never, sandbox=workspace-write (network on), MCP via npx tsx /opt/scrum4me-mcp/src/index.ts, required=true, with env_vars forwarding SCRUM4ME_TOKEN/DATABASE_URL/DIRECT_URL/NODE_PATH/NPM_CONFIG_CACHE plus SCRUM4ME_WORKER_RUNTIME + SCRUM4ME_INSTANCE_ID + SCRUM4ME_WORKER_INSTANCE_ID + capability vars so the MCP subprocess registers as CODEX (codex plan-review P2). The [mcp_servers.scrum4me.env] block sets TSX_TSCONFIG_PATH explicitly (env_vars does not expand placeholders).

entrypoint.sh installs /opt/agent/etc/codex/config.toml to /home/agent/.codex/config.toml after the existing settings.json install block and before the health-server start. Runtime-gated on SCRUM4ME_WORKER_RUNTIME=CODEX so the Claude image runs unchanged. Install via gosu agent (no CAP_DAC_OVERRIDE under cap_drop:ALL).

docker-compose.yml adds an agent-codex service from the same Dockerfile with target=codex. Mirrors agent hardening (read_only, cap_drop ALL, no-new-privileges) and adds a dedicated ${NAS_BASE}/codex-home bind into /home/agent/.codex so the codex auth.json refresh survives --force-recreate (server-review P2). Separate logs-codex/state-codex dirs + a non-conflicting host port (18081).

Per docs/superpowers/plans/2026-06-07-codex-runner-substrate-phase0-plan.md Task 6. `docker compose config -q` validates clean (services: agent, agent-codex). bash -n on entrypoint.sh passes.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>