chore(agent): docker cleanups for the sandbox-agent sidecar#4745

Draft

mmabrouk wants to merge 1 commit into feat/agent-harness-port from chore/agent-docker-cleanups

Conversation

@mmabrouk (Member)

Stacked on #(feat/agent-harness-port). Docker/licensing cleanups for the agent sidecar. No app logic changes.

What changed

  • Production sidecar Dockerfile (services/agent/docker/Dockerfile, new). The sidecar only had a Dockerfile.dev (tsx watch, bind-mounted source). This adds a credential-free production image: source baked in, NODE_ENV=production, runs src/server.ts without a watcher.
  • services/agent/docker/README.md (new) documents the image licensing posture and the two auth paths.
  • Daytona snapshot builder docstring + docker-compose comment updated to record the recipe-not-image posture (we ship the build script, not a Claude-containing image).

Licensing posture this encodes

  • Pi (@earendil-works/pi-coding-agent, MIT) is baked.
  • Claude Code is proprietary (Anthropic Commercial Terms grant a usage license only, no redistribution). It is never baked into an image we build and ship. The sandbox-agent daemon installs it from Anthropic at runtime, keeping Anthropic as the distributor.
  • No credential is baked. Auth is injected at runtime: ANTHROPIC_API_KEY (default, and the only option for cloud/multi-tenant), or a mounted OAuth login for individual self-host use.

Verified

  • Image builds clean (696MB) and bundles the Pi extension.
  • Built image contains pi/pi-acp (MIT) and the Apache-2.0 claude-agent-acp adapter, but no claude binary, no @anthropic-ai/claude-code, no baked credentials.
  • Container boots and serves GET /health, returning {"status":"ok"}.

Deferred (follow-ups)

  • Wiring the production Dockerfile into a production compose target.
  • Cleaner-provenance Daytona snapshot (daemon-only base + Anthropic-direct Claude install); needs one live Daytona build to confirm the non-full image ships the ACP adapters.
  • The rivet → sandbox-agent rename is a separate change, intentionally not included here.

- Add a production, credential-free sidecar Dockerfile (services/agent/docker/Dockerfile):
  bakes Pi (MIT), never bakes Claude Code or any credential, runs src/server.ts without a
  watcher. Verified to build and serve /health.
- Add services/agent/docker/README.md documenting the image licensing posture (bake Pi,
  never bake or distribute Claude Code, install Claude from Anthropic at runtime) and the
  API-key vs self-host OAuth auth paths.
- Record the recipe-not-image posture on the Daytona snapshot builder docstring and the
  docker-compose comment (we ship the build recipe, not a Claude-containing image).
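The "Verified" checklist in the description (no claude binary, no @anthropic-ai/claude-code, no baked credentials, Pi present, no key in the image env) as a repeatable audit over an exported image filesystem. This is an added example, not part of the PR or the project's tooling. Assumptions: the image tag used in the usage comment, the candidate install paths for a claude binary, the credential file locations Claude Code writes after an OAuth login, the `sk-ant-` prefix Anthropic API keys carry, and that Pi is a direct dependency of the sidecar so it appears under /app/node_modules (WORKDIR /app in the Dockerfile).

```shell
#!/bin/sh
# Added example (not the project's script): audit an exported sidecar rootfs and the
# image config for the licensing/credential posture the PR describes.
#
# Produce the inputs with Docker (image tag is an assumption):
#   docker build -t agent-sidecar:prod -f services/agent/docker/Dockerfile services/agent
#   cid=$(docker create agent-sidecar:prod)
#   mkdir rootfs && docker export "$cid" | tar -C rootfs -xf -
#   docker inspect --format '{{range .Config.Env}}{{println .}}{{end}}' agent-sidecar:prod > env.txt
#   check_rootfs rootfs && check_image_env "$(cat env.txt)" && echo "posture OK"

# Assumed locations an npm-global or installer-placed claude CLI would land in.
CLAUDE_BIN_PATHS="usr/local/bin/claude usr/bin/claude root/.local/bin/claude"
# Assumed files Claude Code writes after an OAuth login; these may only arrive by mount.
CRED_PATHS="root/.claude/.credentials.json root/.claude.json home/node/.claude/.credentials.json"
# Where the sidecar's node_modules live inside the rootfs (WORKDIR /app -> app/).
APP_DIR="${APP_DIR:-app}"

# check_rootfs ROOTDIR: prints every violation, returns 0 only if the tree matches the posture.
check_rootfs() {
  root="$1"; rc=0

  # 1. Claude Code is never baked: no binary, no npm package anywhere under node_modules.
  for p in $CLAUDE_BIN_PATHS; do
    if [ -e "$root/$p" ]; then echo "FORBIDDEN binary: $p"; rc=1; fi
  done
  n=$(find "$root" -type d -path '*/node_modules/@anthropic-ai/claude-code' 2>/dev/null | wc -l | tr -d ' ')
  if [ "$n" -gt 0 ]; then echo "FORBIDDEN package: @anthropic-ai/claude-code ($n copies)"; rc=1; fi

  # 2. No credential is baked: no login files, no Anthropic key literal in any text file.
  for p in $CRED_PATHS; do
    if [ -e "$root/$p" ]; then echo "FORBIDDEN credential file: $p"; rc=1; fi
  done
  leaks=$(grep -rIl 'sk-ant-' "$root" 2>/dev/null | wc -l | tr -d ' ')
  if [ "$leaks" -gt 0 ]; then echo "FORBIDDEN: $leaks text file(s) contain an sk-ant- key"; rc=1; fi

  # 3. The MIT-licensed Pi agent must be present (assumes it is a direct dependency).
  if [ ! -d "$root/$APP_DIR/node_modules/@earendil-works/pi-coding-agent" ]; then
    echo "MISSING: @earendil-works/pi-coding-agent is not baked"; rc=1
  fi
  return $rc
}

# check_image_env ENV_TEXT: one KEY=VALUE per line (docker inspect output); fails on a baked key.
check_image_env() {
  if printf '%s\n' "$1" | grep -Eq '^ANTHROPIC_API_KEY=|=sk-ant-'; then
    echo "FORBIDDEN: Anthropic API key baked into image config"; return 1
  fi
  return 0
}
```

Running this in CI after the image build turns the licensing statement into a gate: a stray `pnpm add @anthropic-ai/claude-code`, a developer's `~/.claude` copied in by a careless `COPY . .`, or an `ENV ANTHROPIC_API_KEY=...` added for convenience all fail the job instead of shipping.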
@vercel (Bot) commented Jun 18, 2026

The latest updates on your projects.

Project: agenta-documentation | Deployment: Ready | Actions: Preview, Comment | Updated (UTC): Jun 18, 2026 8:29pm


@coderabbitai (Bot) commented Jun 18, 2026

Important

Review skipped

Draft detected.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

Run configuration: Organization UI. Review profile: CHILL. Plan: Pro Plus. Run ID: ab1cca7a-5fb0-43ea-be80-1a6df94034f6


@coderabbitai (Bot) left a review comment

Actionable comments posted: 1


Review info: configuration used Organization UI, review profile CHILL, plan Pro Plus, run ID 7d897969-f27b-477c-96b8-a0410d50701c

📥 Commits

Reviewing files that changed from the base of the PR and between 8b00633 and c34a392.

📒 Files selected for processing (4)
  • docs/design/agent-workflows/scratch/wp-8-rivet-acp-runtime/poc/build_rivet_snapshot.py
  • hosting/docker-compose/ee/docker-compose.dev.yml
  • services/agent/docker/Dockerfile
  • services/agent/docker/README.md

Comment on lines +16 to +55
FROM node:24-slim

WORKDIR /app

# CA certificates: the sandbox-agent daemon (Rust) downloads harness CLIs (e.g. Claude
# Code) over HTTPS using the system trust store, which node:*-slim omits — without this
# the daemon's `install-agent claude` fails TLS verification. git lets npm/installers
# fetch git deps.
RUN apt-get update \
&& apt-get install -y --no-install-recommends ca-certificates git \
&& rm -rf /var/lib/apt/lists/*

RUN corepack enable

# Install deps as a cached layer (manifest + lockfile only). The full dependency set is
# installed (not --prod): the runtime uses `tsx` and the extension build uses `esbuild`,
# both devDependencies.
COPY package.json pnpm-lock.yaml ./
RUN pnpm install --frozen-lockfile

# Bake the source (no bind mount in production).
COPY tsconfig.json ./
COPY scripts ./scripts
COPY src ./src
COPY config ./config
COPY skills ./skills

# Bundle the Agenta Pi extension (tracing + tools) into dist/. runSandboxAgent installs
# this baked copy into Pi's agent dir on every run. Rebuild the image after editing
# src/extensions/agenta.ts or the tracer.
RUN pnpm run build:extension

ENV NODE_ENV=production \
PORT=8765

EXPOSE 8765

# Call the local tsx binary directly to avoid pnpm/corepack HOME writes when the
# container runs as a non-root host uid.
CMD ["node_modules/.bin/tsx", "src/server.ts"]
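Review bot: the comment above `CMD` relies on a non-root uid being supplied by the host ("when the container runs as a non-root host uid"), but nothing in the file establishes one, so `src/server.ts` runs as root unless every deployment remembers `--user` or a compose `user:` entry. Make the safe default part of the image: add `USER node` (the uid the node:24-slim base already ships) before `CMD`, and switch the `COPY` lines to `COPY --chown=node:node ...` if anything under /app is written at runtime; everything installed by `pnpm install` and `build:extension` is root-owned and read-only for `node`, which is the right state for baked source but will surface as EACCES if dist/ or node_modules are touched later. A second point on the install layer: the comment explains that devDependencies (tsx, esbuild) are shipped because the runtime needs them, which means the full toolchain and its transitive tree sit in the production image; a builder stage that runs `build:extension` and hands the final stage only the built artefacts, `--prod` deps and `tsx` would keep the surface to what the server actually executes.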


⚠️ Potential issue | 🔴 Critical | ⚡ Quick win

Critical: Add a non-root USER directive to fix Trivy DS-0002 security issue.

The Dockerfile runs as root by default (no USER directive), which is a significant container security risk. Additionally, the comment on lines 53–54 assumes non-root execution to avoid pnpm/corepack HOME writes, but no non-root user is created, so this assumption is violated.

Add a USER directive before the final CMD to run the container as a non-root user (e.g., node, or a custom user if needed for permission isolation). Ensure the application directory and any runtime-modified paths are readable/writable by that user.

🔒 Proposed fix: Add USER directive
 # Call the local tsx binary directly to avoid pnpm/corepack HOME writes when the
 # container runs as a non-root host uid.
+USER node
 CMD ["node_modules/.bin/tsx", "src/server.ts"]
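Review bot: `USER node` also moves HOME from /root to /home/node, and the suggested one-line change does not account for that. The runtime pieces the Dockerfile's own comments describe, the daemon's `install-agent claude` download and the Pi agent dir that receives the baked extension on every run, now land under /home/node, and the self-host OAuth login the PR description says is mounted at runtime has to be mounted into the node user's home rather than /root or the daemon will not find it. Check that /home/node is writable in the final image (it is owned by node in the official base, but a read-only root filesystem or a tmpfs HOME needs an explicit volume), and consider documenting both paths in services/agent/docker/README.md next to the two auth paths.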

Note: Verify that the node user (provided by the node:24-slim base image) has read access to /app and write access to any runtime-created directories (e.g., agent state, logs, or cache). If permission issues arise, ensure the build step either changes ownership or sets permissive directory modes.


Source: Linters/SAST tools
