From 39a5122f68416e79d5145f7a9ffbb7da0b1f1be8 Mon Sep 17 00:00:00 2001 From: claude Date: Sat, 6 Jun 2026 16:38:44 +0000 Subject: [PATCH] build: drop unused agent-image apt deps Removes socat, openssh-client, and dnsutils from Dockerfile.claude and Dockerfile.codex. - socat was the privileged forwarder for the in-container ssh-agent that PRD 0009 removed; nothing in bot_bottle references it. - openssh-client was needed back when the agent talked ssh:// to upstreams; git-gate's insteadOf rewrites now route every upstream through HTTP/git-protocol, and ssh-keygen runs host-side from the deploy-key provisioner. - dnsutils was only used by tests/integration/test_sandbox_escape.py (attack 4b runs dig from inside the agent container). Splits python3/python3-pip/python3-venv onto a separate layer with a comment noting they're app-specific and a candidate to move to a downstream image. --- Dockerfile.claude | 20 +++++++++++++------- Dockerfile.codex | 10 +++++++++- 2 files changed, 22 insertions(+), 8 deletions(-) diff --git a/Dockerfile.claude b/Dockerfile.claude index c7346d1..a003a5f 100644 --- a/Dockerfile.claude +++ b/Dockerfile.claude @@ -16,14 +16,20 @@ FROM node:22-slim # features (status checks, commits, PR creation) — without git in the # image, those features fail in surprising ways once the user does any # real work. ca-certificates is already in the slim base; listed for -# clarity in case the base ever drops it. socat is the privileged -# forwarder for the in-container ssh-agent (see bot_bottle/ssh.py): the agent -# runs as root and rejects non-root connections, so socat sits between -# node and the agent socket. curl is here so any HTTPS_PROXY-aware -# tool (curl itself, plus anything that shells out to it) works -# against egress's bumped TLS without the agent needing local DNS. +# clarity in case the base ever drops it. curl is here so any +# HTTPS_PROXY-aware tool (curl itself, plus anything that shells out +# to it) works against egress's bumped TLS without the agent needing +# local DNS. RUN apt-get update \ - && apt-get install -y --no-install-recommends git ca-certificates openssh-client socat curl dnsutils python3 python3-pip python3-venv \ + && apt-get install -y --no-install-recommends git ca-certificates curl \ + && rm -rf /var/lib/apt/lists/* + +# App-specific deps. Python isn't required by claude-code itself +# (claude-code is a Node CLI), but is convenient for the agent to +# shell out to for ad-hoc scripts. Kept on its own layer so it can +# be moved to a downstream image if the base ever needs to shrink. +RUN apt-get update \ + && apt-get install -y --no-install-recommends python3 python3-pip python3-venv \ && rm -rf /var/lib/apt/lists/* # Install claude-code globally. Pinned to the version verified in the v1 diff --git a/Dockerfile.codex b/Dockerfile.codex index 1d3715b..a2a246f 100644 --- a/Dockerfile.codex +++ b/Dockerfile.codex @@ -6,7 +6,15 @@ FROM node:22-slim RUN apt-get update \ - && apt-get install -y --no-install-recommends git ca-certificates openssh-client socat curl dnsutils python3 python3-pip python3-venv \ + && apt-get install -y --no-install-recommends git ca-certificates curl \ + && rm -rf /var/lib/apt/lists/* + +# App-specific deps. Python isn't required by codex itself +# (codex is a Node CLI), but is convenient for the agent to shell +# out to for ad-hoc scripts. Kept on its own layer so it can be +# moved to a downstream image if the base ever needs to shrink. +RUN apt-get update \ + && apt-get install -y --no-install-recommends python3 python3-pip python3-venv \ && rm -rf /var/lib/apt/lists/* RUN npm install -g --no-fund --no-audit @openai/codex@0.136.0 \