From 5190cfbfdc2d3227ab9f80d3a18973bbf718b962 Mon Sep 17 00:00:00 2001 From: Can Date: Sat, 16 May 2026 16:15:02 +0000 Subject: [PATCH 1/6] feat: add Grok Build (xAI) as agent provider MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Add xAI's official Grok Build CLI as a supported agent provider via its native ACP entry (`grok agent stdio`) — no wrapper required. Files added: - Dockerfile.grok: runtime image with pinned grok 0.1.211 binary (SHA256-verified, sourced from xAI's public artifacts bucket) - docs/grok.md: setup guide covering Docker build, Helm install, three auth options (API key / device-code / deployment key), credential persistence, and a comparison with Dockerfile.hermes - config.toml.example: agent example placed next to the hermes one - .github/workflows/build.yml: grok variant added to build-image, merge-manifests, and promote-stable matrices so the ghcr.io/openabdev/openab-grok image is published alongside other agent variants Co-Authored-By: Claude Opus 4.7 (1M context) --- .github/workflows/build.yml | 3 + Dockerfile.grok | 59 ++++++++++++++++ config.toml.example | 10 +++ docs/grok.md | 134 ++++++++++++++++++++++++++++++++++++ 4 files changed, 206 insertions(+) create mode 100644 Dockerfile.grok create mode 100644 docs/grok.md diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 17b4505a..8eeb1173 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -73,6 +73,7 @@ jobs: - { suffix: "-opencode", dockerfile: "Dockerfile.opencode", artifact: "opencode" } - { suffix: "-cursor", dockerfile: "Dockerfile.cursor", artifact: "cursor" } - { suffix: "-hermes", dockerfile: "Dockerfile.hermes", artifact: "hermes" } + - { suffix: "-grok", dockerfile: "Dockerfile.grok", artifact: "grok" } platform: - { os: linux/amd64, runner: ubuntu-latest } - { os: linux/arm64, runner: ubuntu-24.04-arm } @@ -137,6 +138,7 @@ jobs: - { suffix: "-opencode", artifact: "opencode" } - { suffix: "-cursor", artifact: "cursor" } - { suffix: "-hermes", artifact: "hermes" } + - { suffix: "-grok", artifact: "grok" } runs-on: ubuntu-latest permissions: contents: read @@ -188,6 +190,7 @@ jobs: - { suffix: "-opencode" } - { suffix: "-cursor" } - { suffix: "-hermes" } + - { suffix: "-grok" } runs-on: ubuntu-latest permissions: contents: read diff --git a/Dockerfile.grok b/Dockerfile.grok new file mode 100644 index 00000000..4190b491 --- /dev/null +++ b/Dockerfile.grok @@ -0,0 +1,59 @@ +# --- Build stage --- +FROM rust:1-bookworm AS builder +WORKDIR /build +COPY Cargo.toml Cargo.lock ./ +RUN mkdir src && echo 'fn main() {}' > src/main.rs && cargo build --release && rm -rf src +COPY src/ src/ +RUN touch src/main.rs && cargo build --release + +# --- Runtime stage --- +FROM debian:bookworm-slim + +# Create agent user first so WORKDIR gets correct ownership +RUN useradd -m -u 1000 agent + +RUN apt-get update && apt-get install -y --no-install-recommends \ + ca-certificates curl procps ripgrep tini git && \ + rm -rf /var/lib/apt/lists/* + +# Install Grok Build CLI — pinned version with SHA256 checksum verification. +# Binary sourced from xAI's public artifacts bucket (same source the official +# `https://x.ai/cli/install.sh` resolves to) so the build is reproducible. +ARG GROK_VERSION=0.1.211 +ARG GROK_SHA256_AMD64=9245f9c921b1f91bfb34ee2ee27715000b65e947723541ff1a612eaece468bd0 +ARG GROK_SHA256_ARM64=b283cb72fdc3143365e044fd7f8630e14845640d4d81404bb36905cc7209abc6 +ARG TARGETPLATFORM +RUN set -eux; \ + case "${TARGETPLATFORM:-linux/amd64}" in \ + "linux/amd64") arch=x86_64; sha="${GROK_SHA256_AMD64}" ;; \ + "linux/arm64") arch=aarch64; sha="${GROK_SHA256_ARM64}" ;; \ + *) echo "Unsupported platform: ${TARGETPLATFORM}" >&2; exit 1 ;; \ + esac; \ + curl -fsSL "https://storage.googleapis.com/grok-build-public-artifacts/cli/grok-${GROK_VERSION}-linux-${arch}" \ + -o /tmp/grok && \ + echo "${sha} /tmp/grok" | sha256sum -c - && \ + install -m 0755 /tmp/grok /usr/local/bin/grok && \ + ln -sf /usr/local/bin/grok /usr/local/bin/agent && \ + rm /tmp/grok + +# Install gh CLI +RUN curl -fsSL https://cli.github.com/packages/githubcli-archive-keyring.gpg \ + -o /usr/share/keyrings/githubcli-archive-keyring.gpg && \ + echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/githubcli-archive-keyring.gpg] https://cli.github.com/packages stable main" \ + > /etc/apt/sources.list.d/github-cli.list && \ + apt-get update && apt-get install -y --no-install-recommends gh && \ + rm -rf /var/lib/apt/lists/* + +ENV HOME=/home/agent +WORKDIR /home/agent + +COPY --from=builder --chown=1000:1000 /build/target/release/openab /usr/local/bin/openab + +# Pre-create credential dir so a PVC mounted at ~/.grok inherits correct ownership +RUN mkdir -p /home/agent/.grok && chown -R agent:agent /home/agent + +USER agent +HEALTHCHECK --interval=30s --timeout=5s --retries=3 \ + CMD pgrep -x openab || exit 1 +ENTRYPOINT ["tini", "--"] +CMD ["openab", "run", "-c", "/etc/openab/config.toml"] diff --git a/config.toml.example b/config.toml.example index 20ccff34..3e3c39d4 100644 --- a/config.toml.example +++ b/config.toml.example @@ -110,6 +110,16 @@ working_dir = "/home/agent" # # Supports 30+ providers (xAI Grok OAuth, Anthropic, OpenAI Codex, Gemini, etc.) # # Provider switching: kubectl exec -it -- hermes model +# [agent] +# command = "grok" +# args = ["agent", "stdio"] +# working_dir = "/home/agent" +# # Auth options: +# # 1. API key: env = { GROK_CODE_XAI_API_KEY = "${XAI_API_KEY}" } +# # 2. Device-code: kubectl exec -it -- grok login --device-auth +# # 3. Deployment key: env = { GROK_DEPLOYMENT_KEY = "${GROK_DEPLOYMENT_KEY}" } +# # See docs/grok.md for details. + [pool] max_sessions = 10 session_ttl_hours = 24 diff --git a/docs/grok.md b/docs/grok.md new file mode 100644 index 00000000..b6d4d09c --- /dev/null +++ b/docs/grok.md @@ -0,0 +1,134 @@ +# Grok Build (xAI) + +[Grok Build](https://x.ai/news/grok-build-cli) is xAI's official coding agent CLI. It speaks ACP natively via `grok agent stdio` — no wrapper required. + +## Docker Image + +```bash +docker build -f Dockerfile.grok -t openab-grok:latest . +``` + +The image pulls a pinned `grok` binary from xAI's public artifacts bucket and verifies its SHA256 checksum. Bump `GROK_VERSION`, `GROK_SHA256_AMD64`, and `GROK_SHA256_ARM64` in `Dockerfile.grok` to upgrade. + +## Helm Install + +```bash +helm install openab openab/openab \ + --set agents.kiro.enabled=false \ + --set agents.grok.discord.enabled=true \ + --set agents.grok.discord.botToken="$DISCORD_BOT_TOKEN" \ + --set-string 'agents.grok.discord.allowedChannels[0]=YOUR_CHANNEL_ID' \ + --set agents.grok.image=ghcr.io/openabdev/openab-grok:latest \ + --set agents.grok.command=grok \ + --set-string 'agents.grok.args[0]=agent' \ + --set-string 'agents.grok.args[1]=stdio' \ + --set agents.grok.workingDir=/home/agent +``` + +> Set `agents.kiro.enabled=false` to disable the default Kiro agent. + +## Manual config.toml + +```toml +[agent] +command = "grok" +args = ["agent", "stdio"] +working_dir = "/home/agent" +``` + +## Authentication + +Grok Build supports three credential sources. Pick whichever fits your deployment. + +### Option A: API key (simplest, recommended for CI / bot deployments) + +Set the environment variable in the pod / task definition: + +```bash +export GROK_CODE_XAI_API_KEY="xai-..." +``` + +Get a key from . No interactive login needed. + +> ⚠️ **Security**: env vars listed under `[agent].env` are visible to the agent and can be leaked via prompt injection. Prefer mounting them via the platform's secret manager. + +### Option B: Device-code OAuth (for SuperGrok subscriptions) + +If you want to use a SuperGrok subscription instead of pay-per-token API billing: + +```bash +kubectl exec -it -- grok login --device-auth +``` + +The CLI prints a short code and URL — open the URL on any device, enter the code, approve. The token is stored at `~/.grok/auth.json` inside the container. + +This works in any headless environment (K8s exec, ECS exec, plain SSH) **without port-forwarding** — unlike loopback OAuth flows. + +### Option C: Enterprise deployment key + +```bash +export GROK_DEPLOYMENT_KEY="..." +``` + +A deployment key takes precedence over `auth.json`. The CLI fetches managed config from `cli-chat-proxy.grok.com/v1/deployment/config` on startup. Available to xAI enterprise customers; contact xAI sales for details. + +## Credential Persistence + +`grok login` stores OAuth credentials at `~/.grok/auth.json` and runtime config at `~/.grok/config.toml`. The OpenAB Helm chart's default persistence covers `workingDir` automatically (PVC mounted at `/home/agent`). + +If deploying manually, mount persistent storage at `/home/agent/.grok`: + +```yaml +volumes: + - name: grok-credentials + persistentVolumeClaim: + claimName: grok-credentials-pvc +volumeMounts: + - name: grok-credentials + mountPath: /home/agent/.grok +``` + +API-key-only deployments don't need persistence. + +## Model Selection + +The default model is whichever Grok Build CLI selects (currently `grok-code-fast-1` for the free tier; `grok-4.3` family for SuperGrok). To override: + +```toml +[agent] +command = "grok" +args = ["agent", "stdio", "--model", "grok-4.3"] +working_dir = "/home/agent" +``` + +List available models inside the pod: + +```bash +kubectl exec -it -- grok models +``` + +## Updating + +```bash +# Inside the container (one-shot upgrade): +kubectl exec -it -- grok update + +# Or rebuild the image with a new pinned version: +docker build -f Dockerfile.grok \ + --build-arg GROK_VERSION=0.1.220 \ + --build-arg GROK_SHA256_AMD64=... \ + --build-arg GROK_SHA256_ARM64=... \ + -t openab-grok:latest . +``` + +## Comparison with Hermes + +| Property | `Dockerfile.grok` | `Dockerfile.hermes` | +|----------|-------------------|---------------------| +| Provider | xAI Grok only | xAI + 30 others via Nous gateway | +| ACP | Native (`grok agent stdio`) | Via `hermes-acp` wrapper | +| Headless auth | API key env or device-code | Loopback OAuth (needs port-forward / ECS curl trick) | +| Supply chain | xAI only | xAI + Nous Research install script | +| Image size | Smaller (single static binary, no Python venv) | Larger (Python + uv + ffmpeg) | + +Pick `Dockerfile.grok` if Grok is the only model you need. Pick `Dockerfile.hermes` if you want multi-provider switching or fallback chains. From 72b21d438336eb37e841ee95c4b38405d6d8ea5f Mon Sep 17 00:00:00 2001 From: Can Date: Sat, 16 May 2026 16:20:15 +0000 Subject: [PATCH 2/6] ci: add grok variant to docker-smoke-test matrix Mirrors the other agent variants so CI builds the Dockerfile.grok image and verifies that `grok agent stdio` answers the ACP initialize handshake (falling back to `grok --help` when auth is missing, same as other agents). Co-Authored-By: Claude Opus 4.7 (1M context) --- .github/workflows/docker-smoke-test.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/docker-smoke-test.yml b/.github/workflows/docker-smoke-test.yml index 0fd0c238..2b8f7131 100644 --- a/.github/workflows/docker-smoke-test.yml +++ b/.github/workflows/docker-smoke-test.yml @@ -21,6 +21,7 @@ jobs: - { dockerfile: Dockerfile.opencode, suffix: "-opencode", agent: "opencode", agent_args: "acp" } - { dockerfile: Dockerfile.cursor, suffix: "-cursor", agent: "cursor-agent", agent_args: "acp" } - { dockerfile: Dockerfile.hermes, suffix: "-hermes", agent: "hermes-acp", agent_args: "" } + - { dockerfile: Dockerfile.grok, suffix: "-grok", agent: "grok", agent_args: "agent stdio" } runs-on: ubuntu-latest steps: - uses: actions/checkout@v6 From 09f251baf4cfb051abd3942ea2c8aa8570d6f6c9 Mon Sep 17 00:00:00 2001 From: Can Yu Date: Sun, 17 May 2026 01:14:12 +0800 Subject: [PATCH 3/6] feat(helm): add grok agent example to values.yaml and NOTES.txt --- charts/openab/templates/NOTES.txt | 3 +++ charts/openab/values.yaml | 28 ++++++++++++++++++++++++++++ 2 files changed, 31 insertions(+) diff --git a/charts/openab/templates/NOTES.txt b/charts/openab/templates/NOTES.txt index 2030ed6f..ee389e79 100644 --- a/charts/openab/templates/NOTES.txt +++ b/charts/openab/templates/NOTES.txt @@ -42,6 +42,9 @@ Agents deployed: {{- else if eq (toString $cfg.command) "cursor-agent" }} Authenticate: kubectl exec -it deployment/{{ include "openab.agentFullname" (dict "ctx" $ "agent" $name) }} -- cursor-agent login +{{- else if eq (toString $cfg.command) "grok" }} + Authenticate: + kubectl exec -it deployment/{{ include "openab.agentFullname" (dict "ctx" $ "agent" $name) }} -- grok login --device-auth {{- end }} Restart after auth: diff --git a/charts/openab/values.yaml b/charts/openab/values.yaml index 0e4b5952..8e4f2fa9 100644 --- a/charts/openab/values.yaml +++ b/charts/openab/values.yaml @@ -161,6 +161,34 @@ agents: # storageClass: "" # size: 1Gi # image: "ghcr.io/openabdev/openab-hermes" + # grok: + # command: grok + # args: + # - agent + # - stdio + # # See docs/grok.md for the three authentication methods: + # # 1. API key (recommended for bots): set GROK_CODE_XAI_API_KEY via env or secretEnv + # # 2. Device-code OAuth: kubectl exec + `grok login --device-auth` (requires persistence) + # # 3. Enterprise deployment key: GROK_DEPLOYMENT_KEY + # discord: + # enabled: true + # allowedChannels: + # - "YOUR_CHANNEL_ID" + # allowedUsers: [] + # allowBotMessages: "off" + # trustedBotIds: [] + # workingDir: /home/agent + # env: {} + # envFrom: [] + # secretEnv: [] + # pool: + # maxSessions: 10 + # sessionTtlHours: 24 + # persistence: + # enabled: true + # storageClass: "" + # size: 1Gi + # image: "ghcr.io/openabdev/openab-grok" image: "" command: kiro-cli args: From 2e5b79a3b4dedbcce460f48f7f4b7ceb1920406e Mon Sep 17 00:00:00 2001 From: Can Yu Date: Sun, 17 May 2026 09:33:52 +0800 Subject: [PATCH 4/6] docs(helm): recommend API key for grok bot deployments in NOTES.txt Add guidance for bot/CI users to prefer GROK_CODE_XAI_API_KEY via secretEnv instead of interactive device-auth login. --- charts/openab/templates/NOTES.txt | 1 + 1 file changed, 1 insertion(+) diff --git a/charts/openab/templates/NOTES.txt b/charts/openab/templates/NOTES.txt index ee389e79..89b01ef6 100644 --- a/charts/openab/templates/NOTES.txt +++ b/charts/openab/templates/NOTES.txt @@ -45,6 +45,7 @@ Agents deployed: {{- else if eq (toString $cfg.command) "grok" }} Authenticate: kubectl exec -it deployment/{{ include "openab.agentFullname" (dict "ctx" $ "agent" $name) }} -- grok login --device-auth + For bot/CI deployments, prefer setting `GROK_CODE_XAI_API_KEY` via `secretEnv` instead of interactive device-auth login. See docs/grok.md for all authentication options. {{- end }} Restart after auth: From c3de45cdf302a7b05a51621afd374e09766bbf92 Mon Sep 17 00:00:00 2001 From: Can Yu Date: Sun, 17 May 2026 09:33:54 +0800 Subject: [PATCH 5/6] fix(docker): remove unused /usr/local/bin/agent symlink in Dockerfile.grok The symlink is not referenced by OpenAB, Helm, or CI and may cause confusion in multi-agent environments. --- Dockerfile.grok | 1 - 1 file changed, 1 deletion(-) diff --git a/Dockerfile.grok b/Dockerfile.grok index 4190b491..27b997ff 100644 --- a/Dockerfile.grok +++ b/Dockerfile.grok @@ -33,7 +33,6 @@ RUN set -eux; \ -o /tmp/grok && \ echo "${sha} /tmp/grok" | sha256sum -c - && \ install -m 0755 /tmp/grok /usr/local/bin/grok && \ - ln -sf /usr/local/bin/grok /usr/local/bin/agent && \ rm /tmp/grok # Install gh CLI From 6076fc482d9b3c16311f5b7a53f758ea1c1cd336 Mon Sep 17 00:00:00 2001 From: chaodu-agent Date: Sun, 17 May 2026 03:08:53 +0000 Subject: [PATCH 6/6] docs(readme): add Grok Build to supported agents list --- README.md | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/README.md b/README.md index ae2079b3..c5f81ddc 100644 --- a/README.md +++ b/README.md @@ -4,7 +4,7 @@ ![OpenAB banner](images/banner.jpg) -A lightweight, secure, cloud-native ACP harness that bridges **Discord, Slack**, and any [Agent Client Protocol](https://github.com/anthropics/agent-protocol)-compatible coding CLI (Kiro CLI, Claude Code, Codex, Gemini, OpenCode, Copilot CLI, Hermes, etc.) over stdio JSON-RPC — delivering the next-generation development experience. **Telegram, LINE, Feishu/Lark, Google Chat**, and other webhook-based platforms are supported via the standalone [Custom Gateway](gateway/). +A lightweight, secure, cloud-native ACP harness that bridges **Discord, Slack**, and any [Agent Client Protocol](https://github.com/anthropics/agent-protocol)-compatible coding CLI (Kiro CLI, Claude Code, Codex, Gemini, OpenCode, Copilot CLI, Hermes, Grok Build, etc.) over stdio JSON-RPC — delivering the next-generation development experience. **Telegram, LINE, Feishu/Lark, Google Chat**, and other webhook-based platforms are supported via the standalone [Custom Gateway](gateway/). 🪼 **Join our community!** Come say hi on Discord — we'd love to have you: **[🪼 OpenAB — Official](https://discord.gg/DmbhfDZjQS)** 🎉 @@ -20,8 +20,8 @@ A lightweight, secure, cloud-native ACP harness that bridges **Discord, Slack**, │ User │ │ │ │ copilot --acp │ ├──────────────┤ ▼ ▼ │ hermes-acp │ │ LINE │◄──webhook──┌──────────────────┐ │ opencode acp │ -│ User │ │ Custom Gateway │ └──────────────────┘ -├──────────────┤ │ (standalone) │ +│ User │ │ Custom Gateway │ │ grok agent stdio │ +├──────────────┤ │ (standalone) │ └──────────────────┘ │ Feishu/Lark │◄───WS──────│ │ │ User │ │ │ ├──────────────┤ │ │ @@ -38,7 +38,7 @@ A lightweight, secure, cloud-native ACP harness that bridges **Discord, Slack**, - **Multi-platform** — supports Discord and Slack, run one or both simultaneously - **Custom Gateway** — extend to Telegram, LINE, Feishu/Lark, Google Chat, MS Teams via standalone [gateway](gateway/) -- **Pluggable agent backend** — swap between Kiro CLI, Claude Code, Codex, Gemini, OpenCode, Copilot CLI, Hermes via config +- **Pluggable agent backend** — swap between Kiro CLI, Claude Code, Codex, Gemini, OpenCode, Copilot CLI, Hermes, Grok Build via config - **@mention trigger** — mention the bot in an allowed channel to start a conversation - **Thread-based multi-turn** — auto-creates threads; no @mention needed for follow-ups - **Multi-agent collaboration** — bot-to-bot messaging for coordinated workflows ([docs/multi-agent.md](docs/multi-agent.md)) @@ -169,6 +169,7 @@ The bot creates a thread. After that, just type in the thread — no @mention ne | Copilot CLI ⚠️ | `copilot --acp --stdio` | Native | [docs/copilot.md](docs/copilot.md) | | Cursor | `cursor-agent acp` | Native | [docs/cursor.md](docs/cursor.md) | | Hermes Agent | `hermes-acp` | Native | [docs/hermes.md](docs/hermes.md) | +| Grok Build | `grok agent stdio` | Native | [docs/grok.md](docs/grok.md) | > 🔧 Running multiple agents? See [docs/multi-agent.md](docs/multi-agent.md)