coleam00 · leex279 · May 1, 2026 · May 1, 2026 · May 1, 2026 · May 1, 2026
diff --git a/Dockerfile b/Dockerfile
@@ -108,13 +108,8 @@ RUN apt-get update && apt-get install -y --no-install-recommends nodejs npm \
 # Point agent-browser to system Chromium (avoids ~400MB Chrome for Testing download)
 ENV AGENT_BROWSER_EXECUTABLE_PATH=/usr/bin/chromium
 
-# Pre-configure the Claude Code SDK cli.js path for any consumer that runs
-# a compiled Archon binary inside (or extending) this image. In source mode
-# (the default `bun run start` ENTRYPOINT), BUNDLED_IS_BINARY is false and
-# this variable is ignored — the SDK resolves cli.js via node_modules. Kept
-# here so extenders don't need to rediscover the path.
-# Path matches the hoisted layout produced by `bun install --linker=hoisted`.
-ENV CLAUDE_BIN_PATH=/app/node_modules/@anthropic-ai/claude-agent-sdk/cli.js
+# CLAUDE_BIN_PATH is set at container startup (docker-entrypoint.sh).
+# The entrypoint pins the glibc variant to bypass the SDK's musl-first resolver.
 
 # Create non-root user for running Claude Code
 # Claude Code refuses to run with --dangerously-skip-permissions as root for security

diff --git a/docker-entrypoint.sh b/docker-entrypoint.sh
@@ -37,6 +37,29 @@ if [ -n "$GH_TOKEN" ]; then
     '!f() { echo "username=x-access-token"; echo "password=${GH_TOKEN}"; }; f'
 fi
 
+# Pin the glibc Claude Code binary to bypass the SDK's musl-first resolver.
+# Bun's hoisted linker installs both glibc and musl optional-dep variants for
+# the current CPU arch; the SDK picks musl first, which fails to execute on
+# this Debian (glibc) image. Only sets CLAUDE_BIN_PATH if the user has not
+# already provided one via docker run -e or docker-compose env_file.
+if [ -z "${CLAUDE_BIN_PATH:-}" ]; then
+  case "$(uname -m)" in
+    x86_64)  _CLAUDE_BIN_CANDIDATE="/app/node_modules/@anthropic-ai/claude-agent-sdk-linux-x64/claude" ;;
+    aarch64) _CLAUDE_BIN_CANDIDATE="/app/node_modules/@anthropic-ai/claude-agent-sdk-linux-arm64/claude" ;;
+    *)
+      echo "ERROR: Unsupported CPU architecture $(uname -m). Set CLAUDE_BIN_PATH manually to a glibc Claude binary." >&2
+      exit 1
+      ;;
+  esac
+  if [ -x "$_CLAUDE_BIN_CANDIDATE" ]; then
+    export CLAUDE_BIN_PATH="$_CLAUDE_BIN_CANDIDATE"
+  else
+    echo "ERROR: Pinned Claude binary missing or non-executable at ${_CLAUDE_BIN_CANDIDATE}. The SDK package layout may have changed; set CLAUDE_BIN_PATH manually." >&2
+    exit 1
+  fi
+  unset _CLAUDE_BIN_CANDIDATE
+fi
+
 # Run setup-auth (exits after configuring Codex credentials), then exec the server
 # exec ensures bun is PID 1 and receives SIGTERM for graceful shutdown
 $RUNNER bun run setup-auth