feat(runner): experimental workspace container implementation

Prototype implementation of ADR-0006 workspace architecture:
- MCP server for workspace command execution via kubectl exec
- Tool replacement: disallow Bash, provide mcp__workspace__exec
- Operator updates for workspace container pod spec
- Integration and unit tests

This is experimental and not yet ready for production use.

Co-Authored-By: Claude <noreply@anthropic.com>
Assisted-by: Claude Code (Opus 4.5)

Author: cgwalters

Makefile

@@ -62,12 +62,12 @@ build-runner: ## Build the Claude Code runner container image
 	cd components/runners && $(CONTAINER_ENGINE) build $(PLATFORM_FLAG) $(BUILD_FLAGS) -t $(RUNNER_IMAGE) -f claude-code-runner/Dockerfile .
 
 # Kubernetes deployment
-deploy: ## Deploy all components (auto-detects OpenShift or Kubernetes)
-	@echo "Deploying to cluster..."
+deploy: ## Deploy all components to OpenShift (production overlay)
+	@echo "Deploying to OpenShift..."
 	cd components/manifests && ./deploy.sh
 
 # Cleanup
-clean: ## Clean up all Kubernetes resources
+clean: ## Clean up all Kubernetes resources (production overlay)
 	@echo "Cleaning up Kubernetes resources..."
 	cd components/manifests && ./deploy.sh clean
 

components/manifests/base/crds/agenticsessions-crd.yaml

@@ -53,6 +53,9 @@ spec:
                 type: integer
                 description: "Index of the repo in repos array treated as the main repo (Claude working dir). Defaults to 0 (first repo)."
                 default: 0
+              workspaceImage:
+                type: string
+                description: "Container image for the workspace environment. Agent will execute commands in this container via kubectl exec. Examples: python:3.11, node:20, rust:1.75. If not specified, the agent runs commands directly (legacy mode)."
               interactive:
                 type: boolean
                 description: "When true, run session in interactive chat mode using inbox/outbox files"

components/manifests/deploy.sh

@@ -1,7 +1,6 @@
 #!/bin/bash
 
-# Deployment Script for vTeam Ambient Agentic Runner
-# Supports both OpenShift and standard Kubernetes (kind, etc.)
+# OpenShift Deployment Script for vTeam Ambient Agentic Runner
 # Usage: ./deploy.sh
 # Or with environment variables: NAMESPACE=my-namespace ./deploy.sh
 # Note: This script deploys pre-built images. Build and push images first.
@@ -31,27 +30,6 @@ command_exists() {
     command -v "$1" >/dev/null 2>&1
 }
 
-# Detect platform (OpenShift vs standard Kubernetes)
-detect_platform() {
-    if command_exists oc && oc api-resources | grep -q "route.openshift.io"; then
-        echo "openshift"
-    elif command_exists kubectl; then
-        echo "kubernetes"
-    else
-        echo "unknown"
-    fi
-}
-
-# Get the appropriate CLI command
-get_cli_cmd() {
-    local platform=$1
-    if [ "$platform" = "openshift" ]; then
-        echo "oc"
-    else
-        echo "kubectl"
-    fi
-}
-
 # Helper: Run the OAuth setup (Route host, OAuthClient, Secret)
 oauth_setup() {
     echo -e "${YELLOW}Configuring OpenShift OAuth for the frontend...${NC}"
@@ -146,18 +124,6 @@ EOF
     oc -n ${NAMESPACE} rollout restart deployment/frontend
 }
 
-# Detect platform
-PLATFORM=$(detect_platform)
-if [ "$PLATFORM" = "unknown" ]; then
-    echo -e "${RED}❌ Neither oc nor kubectl found. Please install one.${NC}"
-    exit 1
-fi
-CLI_CMD=$(get_cli_cmd "$PLATFORM")
-
-echo -e "${BLUE}Detected platform: ${GREEN}${PLATFORM}${NC}"
-echo -e "${BLUE}Using CLI: ${GREEN}${CLI_CMD}${NC}"
-echo ""
-
 # Configuration
 NAMESPACE="${NAMESPACE:-ambient-code}"
 # Allow overriding images via CONTAINER_REGISTRY/IMAGE_TAG or explicit DEFAULT_*_IMAGE
@@ -170,13 +136,6 @@ DEFAULT_RUNNER_IMAGE="${DEFAULT_RUNNER_IMAGE:-${CONTAINER_REGISTRY}/vteam_claude
 # Content service image (defaults to same as backend, but can be overridden)
 CONTENT_SERVICE_IMAGE="${CONTENT_SERVICE_IMAGE:-${DEFAULT_BACKEND_IMAGE}}"
 
-# Select overlay based on platform
-if [ "$PLATFORM" = "openshift" ]; then
-    OVERLAY="production"
-else
-    OVERLAY="kubernetes"
-fi
-
 # Handle uninstall/clean command early
 if [ "${1:-}" = "uninstall" ] || [ "${1:-}" = "clean" ]; then
     echo -e "${YELLOW}Uninstalling vTeam from namespace ${NAMESPACE}...${NC}"
@@ -267,10 +226,8 @@ EOF
     exit 0
 fi
 
-echo -e "${BLUE}🚀 vTeam Ambient Agentic Runner Deployment${NC}"
-echo -e "${BLUE}===========================================${NC}"
-echo -e "Platform: ${GREEN}${PLATFORM}${NC}"
-echo -e "Overlay: ${GREEN}${OVERLAY}${NC}"
+echo -e "${BLUE}🚀 vTeam Ambient Agentic Runner - OpenShift Deployment${NC}"
+echo -e "${BLUE}====================================================${NC}"
 echo -e "Namespace: ${GREEN}${NAMESPACE}${NC}"
 echo -e "Backend Image: ${GREEN}${DEFAULT_BACKEND_IMAGE}${NC}"
 echo -e "Frontend Image: ${GREEN}${DEFAULT_FRONTEND_IMAGE}${NC}"
@@ -281,6 +238,11 @@ echo ""
 
 # Check prerequisites
 echo -e "${YELLOW}Checking prerequisites...${NC}"
+if ! command_exists oc; then
+    echo -e "${RED}❌ OpenShift CLI (oc) not found. Please install it first.${NC}"
+    exit 1
+fi
+
 if ! command_exists kustomize; then
     echo -e "${RED}❌ Kustomize not found. Please install it first.${NC}"
     exit 1
@@ -289,50 +251,47 @@ fi
 echo -e "${GREEN}✅ Prerequisites check passed${NC}"
 echo ""
 
-# Check if logged in
-echo -e "${YELLOW}Checking cluster authentication...${NC}"
-if ! $CLI_CMD cluster-info >/dev/null 2>&1; then
-    echo -e "${RED}❌ Not connected to cluster. Please configure kubectl/oc first.${NC}"
+# Check if logged in to OpenShift
+echo -e "${YELLOW}Checking OpenShift authentication...${NC}"
+if ! oc whoami >/dev/null 2>&1; then
+    echo -e "${RED}❌ Not logged in to OpenShift. Please run 'oc login' first.${NC}"
     exit 1
 fi
 
-CURRENT_USER=$($CLI_CMD auth whoami 2>/dev/null || echo "unknown")
-echo -e "${GREEN}✅ Authenticated as: ${CURRENT_USER}${NC}"
+echo -e "${GREEN}✅ Authenticated as: $(oc whoami)${NC}"
 echo ""
 
-# Prepare oauth secret env file for kustomize secretGenerator (OpenShift only)
-if [ "$PLATFORM" = "openshift" ]; then
-    echo -e "${YELLOW}Preparing oauth secret env for kustomize...${NC}"
-    OAUTH_ENV_FILE="oauth-secret.env"
-    CLIENT_SECRET_VALUE="${OCP_OAUTH_CLIENT_SECRET:-}"
-    COOKIE_SECRET_VALUE="${OCP_OAUTH_COOKIE_SECRET:-}"
-    if [[ -z "$CLIENT_SECRET_VALUE" ]]; then
-        CLIENT_SECRET_VALUE=$(LC_ALL=C tr -dc 'A-Za-z0-9' </dev/urandom | head -c 32)
-    fi
-    # cookie_secret must be exactly 16, 24, or 32 bytes. Use 32 ASCII bytes by default.
-    if [[ -z "$COOKIE_SECRET_VALUE" ]]; then
-        COOKIE_SECRET_VALUE=$(LC_ALL=C tr -dc 'A-Za-z0-9' </dev/urandom | head -c 32)
-    fi
-    # If provided via .env, ensure it meets required length
-    COOKIE_LEN=${#COOKIE_SECRET_VALUE}
-    if [[ $COOKIE_LEN -ne 16 && $COOKIE_LEN -ne 24 && $COOKIE_LEN -ne 32 ]]; then
-        echo -e "${YELLOW}Provided OCP_OAUTH_COOKIE_SECRET length ($COOKIE_LEN) is invalid; regenerating 32-byte value...${NC}"
-        COOKIE_SECRET_VALUE=$(LC_ALL=C tr -dc 'A-Za-z0-9' </dev/urandom | head -c 32)
-    fi
-    cat > "$OAUTH_ENV_FILE" << EOF
+# Prepare oauth secret env file for kustomize secretGenerator
+echo -e "${YELLOW}Preparing oauth secret env for kustomize...${NC}"
+OAUTH_ENV_FILE="oauth-secret.env"
+CLIENT_SECRET_VALUE="${OCP_OAUTH_CLIENT_SECRET:-}"
+COOKIE_SECRET_VALUE="${OCP_OAUTH_COOKIE_SECRET:-}"
+if [[ -z "$CLIENT_SECRET_VALUE" ]]; then
+    CLIENT_SECRET_VALUE=$(LC_ALL=C tr -dc 'A-Za-z0-9' </dev/urandom | head -c 32)
+fi
+# cookie_secret must be exactly 16, 24, or 32 bytes. Use 32 ASCII bytes by default.
+if [[ -z "$COOKIE_SECRET_VALUE" ]]; then
+    COOKIE_SECRET_VALUE=$(LC_ALL=C tr -dc 'A-Za-z0-9' </dev/urandom | head -c 32)
+fi
+# If provided via .env, ensure it meets required length
+COOKIE_LEN=${#COOKIE_SECRET_VALUE}
+if [[ $COOKIE_LEN -ne 16 && $COOKIE_LEN -ne 24 && $COOKIE_LEN -ne 32 ]]; then
+    echo -e "${YELLOW}Provided OCP_OAUTH_COOKIE_SECRET length ($COOKIE_LEN) is invalid; regenerating 32-byte value...${NC}"
+    COOKIE_SECRET_VALUE=$(LC_ALL=C tr -dc 'A-Za-z0-9' </dev/urandom | head -c 32)
+fi
+cat > "$OAUTH_ENV_FILE" << EOF
 client-secret=${CLIENT_SECRET_VALUE}
 cookie_secret=${COOKIE_SECRET_VALUE}
 EOF
-    echo -e "${GREEN}✅ Generated ${OAUTH_ENV_FILE}${NC}"
-    echo ""
-fi
+echo -e "${GREEN}✅ Generated ${OAUTH_ENV_FILE}${NC}"
+echo ""
 
 
 # Deploy using kustomize
-echo -e "${YELLOW}Deploying using Kustomize...${NC}"
+echo -e "${YELLOW}Deploying to OpenShift using Kustomize...${NC}"
 
-# Use appropriate overlay
-cd overlays/${OVERLAY}
+# Use production overlay
+cd overlays/production
 
 # Set namespace if different from default
 if [ "$NAMESPACE" != "ambient-code" ]; then
@@ -349,39 +308,35 @@ kustomize edit set image quay.io/ambient_code/vteam_claude_runner:latest=${DEFAU
 
 # Build and apply manifests
 echo -e "${BLUE}Building and applying manifests...${NC}"
-kustomize build . | $CLI_CMD apply -f -
+kustomize build . | oc apply -f -
 
 # Return to manifests root
 cd ../..
 
 # Check if namespace exists and is active
 echo -e "${YELLOW}Checking namespace status...${NC}"
-if ! $CLI_CMD get namespace ${NAMESPACE} >/dev/null 2>&1; then
+if ! oc get namespace ${NAMESPACE} >/dev/null 2>&1; then
     echo -e "${RED}❌ Namespace ${NAMESPACE} does not exist${NC}"
     exit 1
 fi
 
 # Check if namespace is active
-NAMESPACE_PHASE=$($CLI_CMD get namespace ${NAMESPACE} -o jsonpath='{.status.phase}')
+NAMESPACE_PHASE=$(oc get namespace ${NAMESPACE} -o jsonpath='{.status.phase}')
 if [ "$NAMESPACE_PHASE" != "Active" ]; then
     echo -e "${RED}❌ Namespace ${NAMESPACE} is not active (phase: ${NAMESPACE_PHASE})${NC}"
     exit 1
 fi
 echo -e "${GREEN}✅ Namespace ${NAMESPACE} is active${NC}"
 
-# Switch to the target namespace (OpenShift only)
-if [ "$PLATFORM" = "openshift" ]; then
-    echo -e "${BLUE}Switching to namespace ${NAMESPACE}...${NC}"
-    oc project ${NAMESPACE}
-fi
+# Switch to the target namespace
+echo -e "${BLUE}Switching to namespace ${NAMESPACE}...${NC}"
+oc project ${NAMESPACE}
 
 ###############################################
-# OAuth setup: Route host, OAuthClient, Secret (OpenShift only)
+# OAuth setup: Route host, OAuthClient, Secret
 ###############################################
-if [ "$PLATFORM" = "openshift" ]; then
-    if ! oauth_setup; then
-        echo -e "${YELLOW}OAuth setup completed with warnings/errors. You may need a cluster-admin to apply the OAuthClient.${NC}"
-    fi
+if ! oauth_setup; then
+    echo -e "${YELLOW}OAuth setup completed with warnings/errors. You may need a cluster-admin to apply the OAuthClient.${NC}"
 fi
 
 # Apply git configuration if we created a patch
@@ -393,24 +348,24 @@ fi
 
 # Update operator deployment with custom runner image
 echo -e "${BLUE}Updating operator with custom runner image...${NC}"
-$CLI_CMD patch deployment agentic-operator -n ${NAMESPACE} -p "{\"spec\":{\"template\":{\"spec\":{\"containers\":[{\"name\":\"agentic-operator\",\"env\":[{\"name\":\"AMBIENT_CODE_RUNNER_IMAGE\",\"value\":\"${DEFAULT_RUNNER_IMAGE}\"}]}]}}}}" --type=strategic
+oc patch deployment agentic-operator -n ${NAMESPACE} -p "{\"spec\":{\"template\":{\"spec\":{\"containers\":[{\"name\":\"agentic-operator\",\"env\":[{\"name\":\"AMBIENT_CODE_RUNNER_IMAGE\",\"value\":\"${DEFAULT_RUNNER_IMAGE}\"}]}]}}}}" --type=strategic
 
 # Update backend deployment with content service image
 echo -e "${BLUE}Updating backend with content service image...${NC}"
-$CLI_CMD patch deployment backend-api -n ${NAMESPACE} -p "{\"spec\":{\"template\":{\"spec\":{\"containers\":[{\"name\":\"backend-api\",\"env\":[{\"name\":\"CONTENT_SERVICE_IMAGE\",\"value\":\"${CONTENT_SERVICE_IMAGE}\"},{\"name\":\"IMAGE_PULL_POLICY\",\"value\":\"Always\"}]}]}}}}" --type=strategic
+oc patch deployment backend-api -n ${NAMESPACE} -p "{\"spec\":{\"template\":{\"spec\":{\"containers\":[{\"name\":\"backend-api\",\"env\":[{\"name\":\"CONTENT_SERVICE_IMAGE\",\"value\":\"${CONTENT_SERVICE_IMAGE}\"},{\"name\":\"IMAGE_PULL_POLICY\",\"value\":\"Always\"}]}]}}}}" --type=strategic
 
 echo ""
 echo -e "${GREEN}✅ Deployment completed!${NC}"
 echo ""
 
 # Wait for deployments to be ready
 echo -e "${YELLOW}Waiting for deployments to be ready...${NC}"
-$CLI_CMD rollout status deployment/backend-api --namespace=${NAMESPACE} --timeout=300s
-$CLI_CMD rollout status deployment/agentic-operator --namespace=${NAMESPACE} --timeout=300s
-$CLI_CMD rollout status deployment/frontend --namespace=${NAMESPACE} --timeout=300s
+oc rollout status deployment/backend-api --namespace=${NAMESPACE} --timeout=300s
+oc rollout status deployment/agentic-operator --namespace=${NAMESPACE} --timeout=300s
+oc rollout status deployment/frontend --namespace=${NAMESPACE} --timeout=300s
 
-# Get service and ingress/route information
-echo -e "${BLUE}Getting service information...${NC}"
+# Get service and route information
+echo -e "${BLUE}Getting service and route information...${NC}"
 echo ""
 echo -e "${GREEN}🎉 Deployment successful!${NC}"
 echo -e "${GREEN}========================${NC}"
@@ -419,71 +374,52 @@ echo ""
 
 # Show pod status
 echo -e "${BLUE}Pod Status:${NC}"
-$CLI_CMD get pods -n ${NAMESPACE}
+oc get pods -n ${NAMESPACE}
 echo ""
 
-# Show services
+# Show services and route
 echo -e "${BLUE}Services:${NC}"
-$CLI_CMD get services -n ${NAMESPACE}
+oc get services -n ${NAMESPACE}
 echo ""
-
-# Show routes (OpenShift) or ingress (Kubernetes)
-if [ "$PLATFORM" = "openshift" ]; then
-    echo -e "${BLUE}Routes:${NC}"
-    oc get route -n ${NAMESPACE} || true
-    if [[ -z "${ROUTE_NAME:-}" ]]; then
-        if oc get route frontend-route -n ${NAMESPACE} >/dev/null 2>&1; then
-            ROUTE_NAME="frontend-route"
-        elif oc get route frontend -n ${NAMESPACE} >/dev/null 2>&1; then
-            ROUTE_NAME="frontend"
-        fi
+echo -e "${BLUE}Routes:${NC}"
+oc get route -n ${NAMESPACE} || true
+if [[ -z "${ROUTE_NAME:-}" ]]; then
+    if oc get route frontend-route -n ${NAMESPACE} >/dev/null 2>&1; then
+        ROUTE_NAME="frontend-route"
+    elif oc get route frontend -n ${NAMESPACE} >/dev/null 2>&1; then
+        ROUTE_NAME="frontend"
     fi
-    ROUTE_HOST=$(oc get route ${ROUTE_NAME:-frontend-route} -n ${NAMESPACE} -o jsonpath='{.spec.host}' 2>/dev/null || true)
-else
-    echo -e "${BLUE}Ingress:${NC}"
-    $CLI_CMD get ingress -n ${NAMESPACE} || true
-    INGRESS_HOST=$($CLI_CMD get ingress frontend-ingress -n ${NAMESPACE} -o jsonpath='{.spec.rules[0].host}' 2>/dev/null || echo "vteam.local")
 fi
+ROUTE_HOST=$(oc get route ${ROUTE_NAME:-frontend-route} -n ${NAMESPACE} -o jsonpath='{.spec.host}' 2>/dev/null || true)
 echo ""
 
-# Cleanup generated files (OpenShift only)
-if [ "$PLATFORM" = "openshift" ]; then
-    echo -e "${BLUE}Cleaning up generated files...${NC}"
-    rm -f "$OAUTH_ENV_FILE"
-fi
+# Cleanup generated files
+echo -e "${BLUE}Cleaning up generated files...${NC}"
+rm -f "$OAUTH_ENV_FILE"
 
 echo -e "${YELLOW}Next steps:${NC}"
-if [ "$PLATFORM" = "openshift" ]; then
-    if [[ -n "${ROUTE_HOST}" ]]; then
-        echo -e "1. Access the frontend via Route:"
-        echo -e "   ${BLUE}https://${ROUTE_HOST}${NC}"
-    else
-        echo -e "1. Access the frontend (fallback via port-forward):"
-        echo -e "   ${BLUE}oc port-forward svc/frontend-service 3000:3000 -n ${NAMESPACE}${NC}"
-        echo -e "   Then open: http://localhost:3000"
-    fi
+if [[ -n "${ROUTE_HOST}" ]]; then
+    echo -e "1. Access the frontend via Route:"
+    echo -e "   ${BLUE}https://${ROUTE_HOST}${NC}"
 else
-    echo -e "1. Access the frontend via Ingress:"
-    echo -e "   ${BLUE}http://${INGRESS_HOST}${NC}"
-    echo -e "   (Add '127.0.0.1 ${INGRESS_HOST}' to /etc/hosts for local access)"
-    echo -e "   Or via port-forward:"
-    echo -e "   ${BLUE}kubectl port-forward svc/frontend-service 3000:3000 -n ${NAMESPACE}${NC}"
+    echo -e "1. Access the frontend (fallback via port-forward):"
+    echo -e "   ${BLUE}oc port-forward svc/frontend-service 3000:3000 -n ${NAMESPACE}${NC}"
     echo -e "   Then open: http://localhost:3000"
 fi
 echo -e "2. Configure secrets in the UI (Runner/API keys, project settings)."
 echo -e "   Open the app and follow Settings → Runner Secrets."
 echo -e "3. Monitor the deployment:"
-echo -e "   ${BLUE}${CLI_CMD} get pods -n ${NAMESPACE} -w${NC}"
+echo -e "   ${BLUE}oc get pods -n ${NAMESPACE} -w${NC}"
 echo -e "4. View logs:"
-echo -e "   ${BLUE}${CLI_CMD} logs -f deployment/backend-api -n ${NAMESPACE}${NC}"
-echo -e "   ${BLUE}${CLI_CMD} logs -f deployment/agentic-operator -n ${NAMESPACE}${NC}"
-echo -e "5. Monitor sessions:"
-echo -e "   ${BLUE}${CLI_CMD} get agenticsessions -n ${NAMESPACE}${NC}"
+echo -e "   ${BLUE}oc logs -f deployment/backend-api -n ${NAMESPACE}${NC}"
+echo -e "   ${BLUE}oc logs -f deployment/agentic-operator -n ${NAMESPACE}${NC}"
+echo -e "4. Monitor RFE workflows:"
+echo -e "   ${BLUE}oc get agenticsessions -n ${NAMESPACE}${NC}"
 echo ""
 
 # Restore kustomization if we modified it
 echo -e "${BLUE}Restoring kustomization defaults...${NC}"
-cd overlays/${OVERLAY}
+cd overlays/production
 if [ "$NAMESPACE" != "ambient-code" ]; then
     kustomize edit set namespace ambient-code
 fi