
Agent 4: Container image updates (Dockerfile, entrypoint.sh, tools/) #4

@TomProkop

Objective

Update the AgentBox container image (root Dockerfile + entrypoint.sh) to support SSH access, token injection for all 6 services, and the SharePoint CLI tool.

Scope

Files to modify/create (root directory ONLY — do NOT touch src/, infra/, or .github/):

Dockerfile Changes (modify existing)

Add after existing layers:

# ── OpenSSH server (certificate auth, port 2222) ──
RUN apt-get update && apt-get install -y --no-install-recommends openssh-server && \
    rm -rf /var/lib/apt/lists/* && \
    mkdir -p /run/sshd

# sshd config: cert-only auth, no passwords, port 2222
# Note: heredoc syntax inside RUN needs BuildKit (Dockerfile frontend 1.4+).
# sshd uses the FIRST value it finds for a keyword, so an earlier
# PasswordAuthentication/PermitRootLogin line in the base config would win
# over this appended block; verify the effective settings with `sshd -T`.
RUN cat >> /etc/ssh/sshd_config <<'SSHD'
Port 2222
TrustedUserCAKeys /etc/ssh/trusted_ca_keys.pub
PasswordAuthentication no
PubkeyAuthentication yes
AuthorizedKeysFile none
PermitRootLogin no
AllowUsers agentbox
SSHD

# ── sp-read CLI (SharePoint document retrieval) ──
COPY tools/sp-read /usr/local/bin/sp-read
RUN chmod +x /usr/local/bin/sp-read

EXPOSE 80 2222 7681 8080

entrypoint.sh Changes (modify existing)

Add after nginx start block:

# ── Start sshd (if CA key provisioned) ──
if [[ -f /etc/ssh/trusted_ca_keys.pub ]]; then
    /usr/sbin/sshd -D -p 2222 &
    echo "🔐 SSH available on port 2222 (certificate auth only)"
fi

# ── GitHub token injection ──
if [[ -n "${GH_TOKEN:-}" ]]; then
    echo "export GH_TOKEN='$GH_TOKEN'" >> /home/agentbox/.zshrc
    echo "export GITHUB_TOKEN='$GH_TOKEN'" >> /home/agentbox/.zshrc
fi
if [[ -n "${COPILOT_GITHUB_TOKEN:-}" ]]; then
    echo "export COPILOT_GITHUB_TOKEN='$COPILOT_GITHUB_TOKEN'" >> /home/agentbox/.zshrc
fi

# ── ADO token ──
if [[ -n "${ADO_TOKEN:-}" ]]; then
    echo "export AZURE_DEVOPS_EXT_PAT='$ADO_TOKEN'" >> /home/agentbox/.zshrc
fi

# ── JSM token ──
if [[ -n "${JIRA_TOKEN:-}" ]]; then
    echo "export JIRA_TOKEN='$JIRA_TOKEN'" >> /home/agentbox/.zshrc
    if [[ -n "${JIRA_CLOUD_ID:-}" ]]; then
        echo "export JIRA_CLOUD_ID='$JIRA_CLOUD_ID'" >> /home/agentbox/.zshrc
    fi
fi

# ── SharePoint Reader credentials ──
if [[ -n "${SP_CLIENT_ID:-}" ]]; then
    echo "export SP_CLIENT_ID='$SP_CLIENT_ID'" >> /home/agentbox/.zshrc
    echo "export SP_TENANT_ID='$SP_TENANT_ID'" >> /home/agentbox/.zshrc
fi

New file: tools/sp-read

Create a placeholder bash script that will be the SharePoint document retrieval CLI:

#!/bin/bash
# sp-read — SharePoint Online document reader for AgentBox
# Uses SP_CLIENT_ID + SP_TENANT_ID + certificate to access Sites.Selected
# Usage: sp-read list <site-url>
#        sp-read get <site-url> <file-path>
#        sp-read search <site-url> <query>
echo "sp-read: SharePoint document reader (placeholder — implementation pending)"
echo "Environment: SP_CLIENT_ID=${SP_CLIENT_ID:-not set}, SP_TENANT_ID=${SP_TENANT_ID:-not set}"
exit 0

Key Design Decisions

  • Port 2222 for SSH (ACI reserves port 22)
  • Certificate-only auth — no passwords, TrustedUserCAKeys
  • COPILOT_GITHUB_TOKEN is separate from GH_TOKEN — allows split identity (shared Copilot + user git)
  • Token injection goes to .zshrc so all shells get credentials
  • sshd only starts if CA key file exists (graceful degradation)
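The two entrypoint concerns above (appended sshd directives, token lines written to .zshrc) can be self-checked. This is an added example, not code from the issue or the AgentBox repo; it assumes bash 4+, awk and mktemp, and every file it writes is constructed for the demo. It ignores Match blocks and Include files, so it covers the single appended fragment only.

```shell
#!/usr/bin/env bash
set -euo pipefail

# sshd resolves each keyword by FIRST match (sshd_config(5)), so a directive
# appended with `cat >>` is shadowed by any earlier setting of the same key.
# effective_value <config> <Keyword> prints the value sshd would actually use.
effective_value() {
    awk -v k="$2" 'tolower($1) == tolower(k) { print $2; exit }' "$1"
}

# Check that the EFFECTIVE config is certificate-only, as the issue requires.
# Returns 0 when every expectation holds, 1 otherwise (failures go to stderr).
check_sshd_hardening() {
    local cfg="$1" rc=0 pair key want got
    for pair in Port=2222 PasswordAuthentication=no PubkeyAuthentication=yes \
                PermitRootLogin=no AuthorizedKeysFile=none \
                TrustedUserCAKeys=/etc/ssh/trusted_ca_keys.pub; do
        key="${pair%%=*}"; want="${pair#*=}"
        got="$(effective_value "$cfg" "$key")"
        if [ "$got" != "$want" ]; then
            echo "FAIL: $key resolves to '${got:-<unset>}', want '$want'" >&2
            rc=1
        fi
    done
    return $rc
}

# Token injection that survives quotes and spaces in the value: %q emits a
# shell-escaped word, whereas the literal '...' wrapping in the entrypoint
# breaks the rc file if a value ever contains a single quote.
inject_token() {   # inject_token VAR VALUE RCFILE
    printf 'export %s=%q\n' "$1" "$2" >> "$3"
}

# Constructed demo: a base config that already says "yes" before the fragment.
demo() {
    local cfg; cfg="$(mktemp)"
    printf 'PasswordAuthentication yes\nPort 2222\nPubkeyAuthentication yes\n' > "$cfg"
    printf 'AuthorizedKeysFile none\nPermitRootLogin no\n' >> "$cfg"
    printf 'TrustedUserCAKeys /etc/ssh/trusted_ca_keys.pub\nPasswordAuthentication no\n' >> "$cfg"
    if check_sshd_hardening "$cfg"; then echo "hardened"; else echo "shadowed: fix base config"; fi
    rm -f "$cfg"
}
```

Run `demo` to see the shadowing case; `check_sshd_hardening /etc/ssh/sshd_config` inside the built image gives the real answer.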

Conflict Prevention

This agent modifies ONLY: Dockerfile, entrypoint.sh, and creates tools/sp-read.
No other agent touches these files.

Acceptance Criteria

  • Dockerfile builds successfully (syntax valid)
  • docker run starts nginx + sshd on correct ports
  • Token env vars are injected into user's shell
  • tools/sp-read is executable and shows usage
  • EXPOSE includes ports 80, 2222, 7681, 8080
