paperclip/Dockerfile

FROM node:lts-trixie-slim AS base
ARG USER_UID=1000
ARG USER_GID=1000
RUN apt-get update \
  && apt-get install -y --no-install-recommends ca-certificates gosu curl gh git wget ripgrep python3 \
  && rm -rf /var/lib/apt/lists/* \
  && corepack enable

# Modify the existing node user/group to have the specified UID/GID to match host user
RUN usermod -u $USER_UID --non-unique node \
  && groupmod -g $USER_GID --non-unique node \
  && usermod -g $USER_GID -d /paperclip node

FROM base AS deps
WORKDIR /app
COPY package.json pnpm-workspace.yaml pnpm-lock.yaml .npmrc ./
COPY cli/package.json cli/
COPY server/package.json server/
COPY ui/package.json ui/
COPY packages/shared/package.json packages/shared/
COPY packages/db/package.json packages/db/
COPY packages/adapter-utils/package.json packages/adapter-utils/
COPY packages/mcp-server/package.json packages/mcp-server/
COPY packages/adapters/claude-local/package.json packages/adapters/claude-local/
COPY packages/adapters/codex-local/package.json packages/adapters/codex-local/
COPY packages/adapters/cursor-local/package.json packages/adapters/cursor-local/
COPY packages/adapters/gemini-local/package.json packages/adapters/gemini-local/
COPY packages/adapters/openclaw-gateway/package.json packages/adapters/openclaw-gateway/
COPY packages/adapters/opencode-local/package.json packages/adapters/opencode-local/
COPY packages/adapters/pi-local/package.json packages/adapters/pi-local/
COPY packages/plugins/sdk/package.json packages/plugins/sdk/
COPY patches/ patches/

RUN pnpm install --frozen-lockfile

FROM base AS build
WORKDIR /app
COPY --from=deps /app /app
COPY . .
RUN pnpm --filter @paperclipai/ui build
RUN pnpm --filter @paperclipai/plugin-sdk build
RUN pnpm --filter @paperclipai/server build
RUN test -f server/dist/index.js || (echo "ERROR: server build output missing" && exit 1)

FROM base AS production
ARG USER_UID=1000
ARG USER_GID=1000
WORKDIR /app
COPY --chown=node:node --from=build /app /app
RUN npm install --global --omit=dev @anthropic-ai/claude-code@latest @openai/codex@latest opencode-ai \
  && mkdir -p /paperclip \
  && chown node:node /paperclip

COPY scripts/docker-entrypoint.sh /usr/local/bin/
RUN chmod +x /usr/local/bin/docker-entrypoint.sh

ENV NODE_ENV=production \
  HOME=/paperclip \
  HOST=0.0.0.0 \
  PORT=3100 \
  SERVE_UI=true \
  PAPERCLIP_HOME=/paperclip \
  PAPERCLIP_INSTANCE_ID=default \
  USER_UID=${USER_UID} \
  USER_GID=${USER_GID} \
  PAPERCLIP_CONFIG=/paperclip/instances/default/config.json \
  PAPERCLIP_DEPLOYMENT_MODE=authenticated \
  PAPERCLIP_DEPLOYMENT_EXPOSURE=private \
  OPENCODE_ALLOW_ALL_MODELS=true

VOLUME ["/paperclip"]
EXPOSE 3100

ENTRYPOINT ["docker-entrypoint.sh"]
CMD ["node", "--import", "./server/node_modules/tsx/dist/loader.mjs", "server/dist/index.js"]
update docker base image 2026-03-05 15:08:36 +01:00			`FROM node:lts-trixie-slim AS base`
fix: support host UID/GID mapping for volume mounts - Add USER_UID/USER_GID build args to Dockerfile - Install gosu and remap node user/group at build time - Set node home directory to /paperclip so agent credentials resolve correctly - Add docker-entrypoint.sh for runtime UID/GID remapping via gosu Co-Authored-By: Paperclip <noreply@paperclip.ing> 2026-03-27 13:13:23 +00:00			`ARG USER_UID=1000`
			`ARG USER_GID=1000`
feat: Docker quickstart with Compose, docs, and improved Dockerfile Rewrites Dockerfile to use bookworm-slim base, installs Claude and Codex CLIs, adds docker-compose.quickstart.yml for one-command setup, and adds DOCKER.md with usage instructions. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> 2026-02-26 10:32:33 -06:00			`RUN apt-get update \`
[codex] Fix Docker gh installation (#3844) ## Thinking Path > - Paperclip is the control plane for autonomous AI companies, and the Docker image is the no-local-Node path for running that control plane. > - The deploy workflow builds and pushes that image from the repository `Dockerfile`. > - The current image setup adds GitHub CLI through GitHub's external apt repository and verifies a mutable keyring URL with a pinned SHA256. > - GitHub rotated the CLI Linux package signing key, so that pinned keyring checksum now fails before Buildx can publish the image. > - Paperclip already has a repo-local precedent in `docker/untrusted-review/Dockerfile`: install Debian trixie's packaged `gh` directly from the base distribution. > - This pull request removes the external GitHub CLI apt keyring/repository path from the production image and installs `gh` with the rest of the Debian packages. > - The benefit is a simpler Docker build that no longer fails when GitHub rotates the apt keyring file. ## What Changed - Updated the main `Dockerfile` base stage to install `gh` from Debian trixie's package repositories. - Removed the mutable GitHub CLI apt keyring download, pinned checksum verification, extra apt source, second `apt-get update`, and separate `gh` install step. ## Verification - `git diff --check` - `./scripts/docker-build-test.sh` skipped because Docker is installed but the daemon is not running on this machine. - Confirmed `https://packages.debian.org/trixie/gh` returns HTTP 200, matching the base image distribution package source. ## Risks - Debian's `gh` package can lag the latest upstream GitHub CLI release. This is acceptable for the current image contract, which requires `gh` availability but does not document a latest-upstream version guarantee. - A full image build still needs to run in CI because the local Docker daemon is unavailable in this environment. ## Model Used - OpenAI Codex, GPT-5-based coding agent. Exact backend model ID was not exposed in this runtime; tool use and shell execution were enabled. ## Checklist - [x] I have included a thinking path that traces from project context to this change - [x] I have specified the model used (with version and capability details) - [x] I have run tests locally and they pass - [x] I have added or updated tests where applicable - [x] If this change affects the UI, I have included before/after screenshots - [x] I have updated relevant documentation to reflect my changes - [x] I have considered and documented any risks above - [x] I will address all Greptile and reviewer comments before requesting merge Co-authored-by: Paperclip <noreply@paperclip.ing> 2026-04-16 17:10:42 -05:00			`&& apt-get install -y --no-install-recommends ca-certificates gosu curl gh git wget ripgrep python3 \`
chore(docker): improve base image and organize docker files - Add wget, ripgrep, python3, and GitHub CLI (gh) to base image - Add OPENCODE_ALLOW_ALL_MODELS=true to production ENV - Move compose files, onboard-smoke Dockerfile to docker/ - Move entrypoint script to scripts/docker-entrypoint.sh - Add Podman Quadlet unit files (pod, app, db containers) - Add docker/README.md with build, compose, and quadlet docs - Add scripts/docker-build-test.sh for local build validation - Update all doc references for new file locations - Keep main Dockerfile at project root (no .dockerignore changes needed) Co-Authored-By: Paperclip <noreply@paperclip.ing> 2026-04-01 11:06:37 +00:00			`&& rm -rf /var/lib/apt/lists/* \`
			`&& corepack enable`
Add project scaffolding and infrastructure config pnpm monorepo with shared packages, server, and UI workspaces. Includes Docker multi-stage build, Postgres compose, and root TypeScript/Vitest config. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> 2026-02-16 13:31:35 -06:00
fix: support host UID/GID mapping for volume mounts - Add USER_UID/USER_GID build args to Dockerfile - Install gosu and remap node user/group at build time - Set node home directory to /paperclip so agent credentials resolve correctly - Add docker-entrypoint.sh for runtime UID/GID remapping via gosu Co-Authored-By: Paperclip <noreply@paperclip.ing> 2026-03-27 13:13:23 +00:00			`# Modify the existing node user/group to have the specified UID/GID to match host user`
			`RUN usermod -u $USER_UID --non-unique node \`
			`&& groupmod -g $USER_GID --non-unique node \`
			`&& usermod -g $USER_GID -d /paperclip node`

Add project scaffolding and infrastructure config pnpm monorepo with shared packages, server, and UI workspaces. Includes Docker multi-stage build, Postgres compose, and root TypeScript/Vitest config. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> 2026-02-16 13:31:35 -06:00			`FROM base AS deps`
			`WORKDIR /app`
			`COPY package.json pnpm-workspace.yaml pnpm-lock.yaml .npmrc ./`
feat: Docker quickstart with Compose, docs, and improved Dockerfile Rewrites Dockerfile to use bookworm-slim base, installs Claude and Codex CLIs, adds docker-compose.quickstart.yml for one-command setup, and adds DOCKER.md with usage instructions. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> 2026-02-26 10:32:33 -06:00			`COPY cli/package.json cli/`
Add project scaffolding and infrastructure config pnpm monorepo with shared packages, server, and UI workspaces. Includes Docker multi-stage build, Postgres compose, and root TypeScript/Vitest config. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> 2026-02-16 13:31:35 -06:00			`COPY server/package.json server/`
			`COPY ui/package.json ui/`
feat: Docker quickstart with Compose, docs, and improved Dockerfile Rewrites Dockerfile to use bookworm-slim base, installs Claude and Codex CLIs, adds docker-compose.quickstart.yml for one-command setup, and adds DOCKER.md with usage instructions. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> 2026-02-26 10:32:33 -06:00			`COPY packages/shared/package.json packages/shared/`
			`COPY packages/db/package.json packages/db/`
			`COPY packages/adapter-utils/package.json packages/adapter-utils/`
fix(docker): include mcp server manifest in deps stage Co-Authored-By: Paperclip <noreply@paperclip.ing> 2026-04-06 21:43:19 -05:00			`COPY packages/mcp-server/package.json packages/mcp-server/`
feat: Docker quickstart with Compose, docs, and improved Dockerfile Rewrites Dockerfile to use bookworm-slim base, installs Claude and Codex CLIs, adds docker-compose.quickstart.yml for one-command setup, and adds DOCKER.md with usage instructions. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> 2026-02-26 10:32:33 -06:00			`COPY packages/adapters/claude-local/package.json packages/adapters/claude-local/`
			`COPY packages/adapters/codex-local/package.json packages/adapters/codex-local/`
add support to `cursor` and `opencode` in containerized instances 2026-03-05 14:53:42 -03:00			`COPY packages/adapters/cursor-local/package.json packages/adapters/cursor-local/`
fix(docker): include gemini adapter manifest in deps stage 2026-03-12 12:28:45 -03:00			`COPY packages/adapters/gemini-local/package.json packages/adapters/gemini-local/`
Remove legacy OpenClaw adapter and keep gateway-only flow 2026-03-07 18:50:25 -06:00			`COPY packages/adapters/openclaw-gateway/package.json packages/adapters/openclaw-gateway/`
add support to `cursor` and `opencode` in containerized instances 2026-03-05 14:53:42 -03:00			`COPY packages/adapters/opencode-local/package.json packages/adapters/opencode-local/`
Add pi-local package.json to Dockerfile 2026-03-07 21:15:12 -05:00			`COPY packages/adapters/pi-local/package.json packages/adapters/pi-local/`
fix(docker): add plugin-sdk to Dockerfile build The plugin framework landed without updating the Dockerfile. The server now imports @paperclipai/plugin-sdk, so the deps stage needs its package.json for install and the build stage needs to compile it before building the server. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> 2026-03-23 19:58:59 -07:00			`COPY packages/plugins/sdk/package.json packages/plugins/sdk/`
fix(docker): copy patches directory into deps stage pnpm install needs the patches/ directory to resolve patched dependencies (embedded-postgres). Without it, --frozen-lockfile fails with ENOENT on the patch file. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> 2026-03-24 15:59:36 -07:00			`COPY patches/ patches/`
Add pi-local package.json to Dockerfile 2026-03-07 21:15:12 -05:00
Add project scaffolding and infrastructure config pnpm monorepo with shared packages, server, and UI workspaces. Includes Docker multi-stage build, Postgres compose, and root TypeScript/Vitest config. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> 2026-02-16 13:31:35 -06:00			`RUN pnpm install --frozen-lockfile`

			`FROM base AS build`
			`WORKDIR /app`
feat: Docker quickstart with Compose, docs, and improved Dockerfile Rewrites Dockerfile to use bookworm-slim base, installs Claude and Codex CLIs, adds docker-compose.quickstart.yml for one-command setup, and adds DOCKER.md with usage instructions. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> 2026-02-26 10:32:33 -06:00			`COPY --from=deps /app /app`
Add project scaffolding and infrastructure config pnpm monorepo with shared packages, server, and UI workspaces. Includes Docker multi-stage build, Postgres compose, and root TypeScript/Vitest config. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> 2026-02-16 13:31:35 -06:00			`COPY . .`
fix incorrect pkg scope 2026-03-05 11:38:38 -03:00			`RUN pnpm --filter @paperclipai/ui build`
fix(docker): add plugin-sdk to Dockerfile build The plugin framework landed without updating the Dockerfile. The server now imports @paperclipai/plugin-sdk, so the deps stage needs its package.json for install and the build stage needs to compile it before building the server. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> 2026-03-23 19:58:59 -07:00			`RUN pnpm --filter @paperclipai/plugin-sdk build`
fix incorrect pkg scope 2026-03-05 11:38:38 -03:00			`RUN pnpm --filter @paperclipai/server build`
Add artifact-check to fail fast on broken builds 2026-03-05 14:22:45 -03:00			`RUN test -f server/dist/index.js \|\| (echo "ERROR: server build output missing" && exit 1)`
Add project scaffolding and infrastructure config pnpm monorepo with shared packages, server, and UI workspaces. Includes Docker multi-stage build, Postgres compose, and root TypeScript/Vitest config. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> 2026-02-16 13:31:35 -06:00
			`FROM base AS production`
fix: support host UID/GID mapping for volume mounts - Add USER_UID/USER_GID build args to Dockerfile - Install gosu and remap node user/group at build time - Set node home directory to /paperclip so agent credentials resolve correctly - Add docker-entrypoint.sh for runtime UID/GID remapping via gosu Co-Authored-By: Paperclip <noreply@paperclip.ing> 2026-03-27 13:13:23 +00:00			`ARG USER_UID=1000`
			`ARG USER_GID=1000`
Add project scaffolding and infrastructure config pnpm monorepo with shared packages, server, and UI workspaces. Includes Docker multi-stage build, Postgres compose, and root TypeScript/Vitest config. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> 2026-02-16 13:31:35 -06:00			`WORKDIR /app`
fix(docker): run production server as non-root node user Switch the production stage to the built-in node user from node:lts-trixie-slim, fixing two runtime failures: 1. Claude CLI rejects --dangerously-skip-permissions when the process UID is 0, making the claude-local adapter unusable. 2. The server crashed at startup (EACCES) because /paperclip was root-owned and the process could not write logs or instance data. Changes vs the naive fix: - Use COPY --chown=node:node instead of a separate RUN chown -R, avoiding a duplicate image layer that would double the size of the /app tree in the final image. - Consolidate mkdir /paperclip + chown into the same RUN layer as the npm global install (already runs as root) to keep layer count minimal. - Add USER node before CMD so the process runs unprivileged. The VOLUME declaration comes after chown so freshly-mounted anonymous volumes inherit the correct node:node ownership. Fixes #344 2026-03-08 13:47:59 -07:00			`COPY --chown=node:node --from=build /app /app`
			`RUN npm install --global --omit=dev @anthropic-ai/claude-code@latest @openai/codex@latest opencode-ai \`
			`&& mkdir -p /paperclip \`
			`&& chown node:node /paperclip`
feat: Docker quickstart with Compose, docs, and improved Dockerfile Rewrites Dockerfile to use bookworm-slim base, installs Claude and Codex CLIs, adds docker-compose.quickstart.yml for one-command setup, and adds DOCKER.md with usage instructions. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> 2026-02-26 10:32:33 -06:00
chore(docker): improve base image and organize docker files - Add wget, ripgrep, python3, and GitHub CLI (gh) to base image - Add OPENCODE_ALLOW_ALL_MODELS=true to production ENV - Move compose files, onboard-smoke Dockerfile to docker/ - Move entrypoint script to scripts/docker-entrypoint.sh - Add Podman Quadlet unit files (pod, app, db containers) - Add docker/README.md with build, compose, and quadlet docs - Add scripts/docker-build-test.sh for local build validation - Update all doc references for new file locations - Keep main Dockerfile at project root (no .dockerignore changes needed) Co-Authored-By: Paperclip <noreply@paperclip.ing> 2026-04-01 11:06:37 +00:00			`COPY scripts/docker-entrypoint.sh /usr/local/bin/`
fix: support host UID/GID mapping for volume mounts - Add USER_UID/USER_GID build args to Dockerfile - Install gosu and remap node user/group at build time - Set node home directory to /paperclip so agent credentials resolve correctly - Add docker-entrypoint.sh for runtime UID/GID remapping via gosu Co-Authored-By: Paperclip <noreply@paperclip.ing> 2026-03-27 13:13:23 +00:00			`RUN chmod +x /usr/local/bin/docker-entrypoint.sh`

feat: Docker quickstart with Compose, docs, and improved Dockerfile Rewrites Dockerfile to use bookworm-slim base, installs Claude and Codex CLIs, adds docker-compose.quickstart.yml for one-command setup, and adds DOCKER.md with usage instructions. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> 2026-02-26 10:32:33 -06:00			`ENV NODE_ENV=production \`
			`HOME=/paperclip \`
			`HOST=0.0.0.0 \`
			`PORT=3100 \`
			`SERVE_UI=true \`
			`PAPERCLIP_HOME=/paperclip \`
			`PAPERCLIP_INSTANCE_ID=default \`
fix: support host UID/GID mapping for volume mounts - Add USER_UID/USER_GID build args to Dockerfile - Install gosu and remap node user/group at build time - Set node home directory to /paperclip so agent credentials resolve correctly - Add docker-entrypoint.sh for runtime UID/GID remapping via gosu Co-Authored-By: Paperclip <noreply@paperclip.ing> 2026-03-27 13:13:23 +00:00			`USER_UID=${USER_UID} \`
			`USER_GID=${USER_GID} \`
feat: Docker quickstart with Compose, docs, and improved Dockerfile Rewrites Dockerfile to use bookworm-slim base, installs Claude and Codex CLIs, adds docker-compose.quickstart.yml for one-command setup, and adds DOCKER.md with usage instructions. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> 2026-02-26 10:32:33 -06:00			`PAPERCLIP_CONFIG=/paperclip/instances/default/config.json \`
move docker into `authenticated` deployment mode 2026-03-05 15:07:54 +01:00			`PAPERCLIP_DEPLOYMENT_MODE=authenticated \`
chore(docker): improve base image and organize docker files - Add wget, ripgrep, python3, and GitHub CLI (gh) to base image - Add OPENCODE_ALLOW_ALL_MODELS=true to production ENV - Move compose files, onboard-smoke Dockerfile to docker/ - Move entrypoint script to scripts/docker-entrypoint.sh - Add Podman Quadlet unit files (pod, app, db containers) - Add docker/README.md with build, compose, and quadlet docs - Add scripts/docker-build-test.sh for local build validation - Update all doc references for new file locations - Keep main Dockerfile at project root (no .dockerignore changes needed) Co-Authored-By: Paperclip <noreply@paperclip.ing> 2026-04-01 11:06:37 +00:00			`PAPERCLIP_DEPLOYMENT_EXPOSURE=private \`
			`OPENCODE_ALLOW_ALL_MODELS=true`
Add project scaffolding and infrastructure config pnpm monorepo with shared packages, server, and UI workspaces. Includes Docker multi-stage build, Postgres compose, and root TypeScript/Vitest config. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> 2026-02-16 13:31:35 -06:00
feat: Docker quickstart with Compose, docs, and improved Dockerfile Rewrites Dockerfile to use bookworm-slim base, installs Claude and Codex CLIs, adds docker-compose.quickstart.yml for one-command setup, and adds DOCKER.md with usage instructions. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> 2026-02-26 10:32:33 -06:00			`VOLUME ["/paperclip"]`
Add project scaffolding and infrastructure config pnpm monorepo with shared packages, server, and UI workspaces. Includes Docker multi-stage build, Postgres compose, and root TypeScript/Vitest config. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> 2026-02-16 13:31:35 -06:00			`EXPOSE 3100`
feat: Docker quickstart with Compose, docs, and improved Dockerfile Rewrites Dockerfile to use bookworm-slim base, installs Claude and Codex CLIs, adds docker-compose.quickstart.yml for one-command setup, and adds DOCKER.md with usage instructions. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> 2026-02-26 10:32:33 -06:00
fix: support host UID/GID mapping for volume mounts - Add USER_UID/USER_GID build args to Dockerfile - Install gosu and remap node user/group at build time - Set node home directory to /paperclip so agent credentials resolve correctly - Add docker-entrypoint.sh for runtime UID/GID remapping via gosu Co-Authored-By: Paperclip <noreply@paperclip.ing> 2026-03-27 13:13:23 +00:00			`ENTRYPOINT ["docker-entrypoint.sh"]`
feat: Docker quickstart with Compose, docs, and improved Dockerfile Rewrites Dockerfile to use bookworm-slim base, installs Claude and Codex CLIs, adds docker-compose.quickstart.yml for one-command setup, and adds DOCKER.md with usage instructions. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> 2026-02-26 10:32:33 -06:00			`CMD ["node", "--import", "./server/node_modules/tsx/dist/loader.mjs", "server/dist/index.js"]`