ROX-33916: add devcontainer with Claude Code agent for autonomous collector development#3118
Open
robbycochran wants to merge 2 commits intomasterfrom
Open
ROX-33916: add devcontainer with Claude Code agent for autonomous collector development#3118robbycochran wants to merge 2 commits intomasterfrom
robbycochran wants to merge 2 commits intomasterfrom
Conversation
Codecov Report✅ All modified and coverable lines are covered by tests. Additional details and impacted files@@ Coverage Diff @@
## master #3118 +/- ##
=======================================
Coverage 27.38% 27.38%
=======================================
Files 95 95
Lines 5427 5427
Branches 2548 2548
=======================================
Hits 1486 1486
Misses 3214 3214
Partials 727 727
Flags with carried forward coverage won't be shown. Click here to find out more. ☔ View full report in Codecov by Sentry. |
robbycochran
changed the title
Stringy
reviewed
Mar 25, 2026
.devcontainer/entrypoint.sh
Outdated
| # Register GitHub MCP server if token is available | ||
| if [[ -n "${GITHUB_TOKEN:-}" ]]; then | ||
| if ! claude mcp add-json github \ | ||
| '{"type":"http","url":"https://api.githubcopilot.com/mcp","headers":{"Authorization":"Bearer '"$GITHUB_TOKEN"'","X-MCP-Toolsets":"context,repos,pull_requests,issues,actions,git"}}' \ |
Collaborator
There was a problem hiding this comment.
It might be a little cleaner/safer to interpolate the GITHUB_TOKEN into the json via jq
jq -n --arg token "$GITHUB_TOKEN" \
'{"type":"http","url":"https://api.githubcopilot.com/mcp","headers":{"Authorization":("Bearer " + $token),"X-MCP-Toolsets":"context,repos,pull_requests,issues,actions,git"}}'
.devcontainer/entrypoint.sh
Outdated
| mkdir -p /home/dev/.claude/debug /home/dev/.commandhistory | ||
|
|
||
| # Set defaults so Claude Code doesn't prompt on startup | ||
| claude config set --global theme dark 2> /dev/null || true |
Collaborator
There was a problem hiding this comment.
as a light-mode heathen, can we make this configurable with default to dark? 😅
.devcontainer/run.sh
Outdated
| echo "Task: $TASK" | ||
| echo "---" | ||
|
|
||
| trap on_exit EXIT |
Collaborator
There was a problem hiding this comment.
this trap should probably be after line 245 in case any of the subsequent commands fail and we bypass the cleanup
| - If build fails, fix and retry | ||
| 5. Test: `ctest --no-tests=error -V --test-dir cmake-build` | ||
| - If tests fail, fix and retry | ||
| 6. Format: `clang-format --style=file -i <changed .cpp/.h files>` |
Collaborator
There was a problem hiding this comment.
We might be able to make this more general purpose if we teach claude to use the pre-commit hooks, and should mean we're covered if it changes any non-C++ code
|
|
||
| 4. **Safety limits**: | ||
| - Maximum 6 CI cycles (about 3 hours of monitoring) | ||
| - If exceeded, update PR body and stop |
Collaborator
There was a problem hiding this comment.
once a cycle has been stopped, how would we restart it? It'd be ideal if we could add a comment with guidance on the specific problem and then prompt claude to fix and restart the cycle. Not sure if this is possible though
dfbf8345b feat: add devcontainer and Claude Code agent development environment 125265f23 docs: add Vertex AI setup and devcontainer build instructions to CLAUDE.md 446368067 feat: add launcher script with worktree isolation and GitHub PAT support 255973f63 feat: use official GitHub MCP server, fix run.sh, add bubblewrap 186b64f91 refactor: convert skills to collector-dev plugin with scoped tool permissions 654e94d16 feat: create branch and draft PR upfront, tighten iterate permissions 2c55d55db feat: add watch-ci skill for CI monitoring loop c5b99277f feat: add end-to-end task skill with CI monitoring loop 2e595c66c fix: load collector-dev plugin via --plugin-dir flag 495175e07 feat: stream agent activity to stdout in autonomous mode 37ae0c778 feat: add --local mode for debugging without worktree or PR 8d676b290 feat: add --headless mode (worktree + stream-json, no PR) 310f54b8a fix: initialize submodules in worktree after creation 3bc345bb6 fix: only init required submodules, drop --recursive 4026f1bbb fix: headless mode now invokes /collector-dev:task skill like default mode bbfc92dee feat: add preflight checks with clear error messages 02cd22383 refactor: remove gh CLI dependency, agent creates PR via GitHub MCP 63927219d refactor: move skills from plugin to standalone, simplify CLAUDE.md a56fcf0b9 refactor: switch worktree to clone, consolidate to 2 skills, fix audit issues c7d94e59a fix: move git push deny to container-only settings 97333c681 security: remove SSH mount, git push blocked by lack of credentials 27f9c5643 fix: set clone remote to GitHub URL instead of local path 9ca06ebb9 refactor: switch back to worktrees, mount .git at same absolute path dffd017f2 perf: shallow submodule checkout in worktrees (--depth 1) 0b48869be perf: mount submodules from main repo instead of cloning per worktree c7235b886 feat: make submodule mounting optional via --symlink-submodules 1ed07b9c7 feat: add --branch flag, use /tmp/collector-worktrees/ for worktrees 1ec7baa6a fix: reject --branch with --local mode 3a5bae34c fix: mount .git read-write so git commit works in container ae67afece security: mount .git read-only with worktree subdir read-write 4de75efbb fix: set theme and verbose defaults in entrypoint to skip startup prompts 75951d2c3 fix: chmod worktree git dir for container uid mismatch 4a890e4fd fix: use chmod a+rwX to fix directory permissions in worktree git dir d98fa6120 fix: mount .git read-write, partial ro/rw overlay doesn't work cb28d8977 security: remove SYS_PTRACE/NET_ADMIN/NET_RAW caps, drop --symlink-submodules d54640991 feat: specify GitHub MCP toolsets via X-MCP-Toolsets header cdc273455 feat: watch-ci updates PR body with agent status after each CI cycle 94df7c938 docs: add MCP Context Protector integration plan 1c4e4e6c9 fix: autonomous mode inlines task instructions instead of invoking /task skill deba75adc feat: add /dev-loop skill combining task + watch-ci + PR comment handling 2943f398b feat: allow specifying skill in autonomous mode, default to /dev-loop 36c9709c0 fix: remove local keyword from case branch (not a function) 0c1222999 docs: update MCP security plan — recommend mcp-watchdog over mcp-context-protector 7d156e3ee fix: push branch from host before launching autonomous agent 1bcb0215b fix: only push branch in autonomous /dev-loop mode, not for explicit skills 0903b5dff feat: TUI is now default for all modes, --no-tui for stream-json e058a9283 docs: clarify push_files usage in dev-loop and watch-ci skills 587f879da docs: add devcontainer README with GitHub PAT permissions and setup guide ba617318a fix: shfmt formatting and shellcheck SC2064 warning in run.sh d1620ff8c fix: shfmt formatting — use 4-space indent per .editorconfig 3ff6a8415 fix: address PR review feedback for devcontainer scripts
robbycochran
force-pushed
the
rc-claude-dev
branch
from
fc262d5 to
c62aa5b
Compare
|
/retest collector-on-push |
robbycochran
changed the title
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Adds a devcontainer-based development environment where a Claude Code agent can autonomously implement, build, test, and submit changes to collector. The agent works inside an isolated container based on the collector-builder image with all C++ dependencies pre-installed.
This gives you a secure workflow to run claude with a select set of tools, the benefit of CI feedback, and with permission checks disabled.
Workflow
Interactive
Autonomous (hands-off):
Agent implements, pushes via MCP, creates PR, monitors CI until green.
.devcontainer/run.sh "add unit tests for ExternalIPsConfig"What's included
Devcontainer (
.devcontainer/)collector-builder:masterwith Claude Code, Go, Node.js, gcloud CLI, clang-format, bubblewrap (sandboxing), ripgrep, fdrun.sh "task"— autonomous: implement, PR, CI looprun.sh --interactive— isolated clone + TUI for manual controlrun.sh --local— edit working tree directlyrun.sh --shell— shell into the container.claude/dirs, registers GitHub MCP server via PATSkills (
.claude/skills/)Security model
git pushfails at auth, only GitHub MCP can pushstackrox/collector(Contents, PRs, Actions)git clone --localin/tmp, not the user's checkoutAgent guide (
CLAUDE.md)/watch-ciPrerequisites
gcloud auth login && gcloud auth application-default loginCLAUDE_CODE_USE_VERTEX,GOOGLE_CLOUD_PROJECT,GOOGLE_CLOUD_LOCATION)GITHUB_TOKEN— fine-grained PAT forstackrox/collectorTest plan
/taskskill discovered and invocable/watch-cipushes via GitHub MCP and creates PR