Merge pull request #22 from lemonade-sdk/snap_claude

kenvandine · web-flow · commit e6cd672d8353 · 2026-03-15T11:09:22.000-04:00
Add claude and codex AI assistant support
diff --git a/scripts/claude b/scripts/claude
@@ -0,0 +1,87 @@
+#!/bin/bash
+# Shim to launch the user-installed (or auto-downloaded) claude CLI.
+#
+# Problems this solves in strict confinement:
+#   1. lemonade-server sets HOME=$SNAP_COMMON, so claude would look for its
+#      config in the wrong place.  We derive the real home from SNAP_USER_COMMON
+#      and restore it before exec-ing claude.
+#   2. If claude isn't installed yet, we download @anthropic-ai/claude-code from
+#      the npm registry using curl, extract cli.js, and write a node wrapper that
+#      uses $SNAP/usr/bin/node (always executable inside the snap).
+
+CLAUDE_BIN="$SNAP_USER_COMMON/tools/bin/claude"
+MODULES_DIR="$SNAP_USER_COMMON/tools/lib/node_modules/@anthropic-ai/claude-code"
+
+_install_claude() {
+    echo "claude not found at $CLAUDE_BIN" >&2
+    echo "Downloading @anthropic-ai/claude-code from the npm registry..." >&2
+
+    mkdir -p "$SNAP_USER_COMMON/tools/bin" "$MODULES_DIR"
+
+    # Resolve the latest version tag and associated tarball URL and checksum
+    local metadata version tarball shasum
+    metadata=$(curl -sf "https://registry.npmjs.org/@anthropic-ai/claude-code/latest")
+    version=$(printf '%s\n' "$metadata" | sed -n 's/.*"version":"\([^"]*\)".*/\1/p' | head -1)
+    tarball=$(printf '%s\n' "$metadata" | sed -n 's/.*"tarball":"\([^"]*\)".*/\1/p' | head -1)
+    shasum=$(printf '%s\n' "$metadata" | sed -n 's/.*"shasum":"\([^"]*\)".*/\1/p' | head -1)
+
+    if [ -z "$version" ] || [ -z "$tarball" ] || [ -z "$shasum" ]; then
+        echo "ERROR: could not resolve @anthropic-ai/claude-code metadata from npm registry." >&2
+        echo "Check your network connection, or install manually:" >&2
+        echo "  npm install -g @anthropic-ai/claude-code --prefix '$SNAP_USER_COMMON/tools'" >&2
+        exit 1
+    fi
+
+    echo "Downloading claude v${version}..." >&2
+    local tmp_tgz
+    tmp_tgz=$(mktemp "${TMPDIR:-/tmp}/claude-code.XXXXXX.tgz")
+
+    if ! curl -fsSL "$tarball" -o "$tmp_tgz"; then
+        echo "ERROR: download of @anthropic-ai/claude-code v${version} failed." >&2
+        rm -f "$tmp_tgz"
+        exit 1
+    fi
+
+    # Verify the downloaded tarball against the npm-published shasum
+    local downloaded_shasum
+    downloaded_shasum=$(sha1sum "$tmp_tgz" | awk '{print $1}')
+    if [ "$downloaded_shasum" != "$shasum" ]; then
+        echo "ERROR: checksum verification failed for @anthropic-ai/claude-code v${version}." >&2
+        rm -f "$tmp_tgz"
+        exit 1
+    fi
+
+    if ! tar -xzf "$tmp_tgz" --strip-components=1 -C "$MODULES_DIR"; then
+        echo "ERROR: extraction of @anthropic-ai/claude-code v${version} failed." >&2
+        rm -f "$tmp_tgz"
+        exit 1
+    fi
+
+    rm -f "$tmp_tgz"
+
+    # Make the bundled ripgrep executable so claude's search features work
+    chmod +x "$MODULES_DIR/vendor/ripgrep/x64-linux/rg" 2>/dev/null || true
+
+    # Write a small wrapper that uses the node binary bundled with the snap.
+    # $SNAP is set by snapd at runtime, so this always resolves correctly even
+    # after snap refreshes.
+    cat > "$CLAUDE_BIN" << 'WRAPPER'
+#!/bin/sh
+SCRIPT_DIR="$(dirname "$(readlink -f "$0")")"
+exec "${SNAP}/usr/bin/node" \
+    "$SCRIPT_DIR/../lib/node_modules/@anthropic-ai/claude-code/cli.js" "$@"
+WRAPPER
+    chmod +x "$CLAUDE_BIN"
+    echo "claude v${version} installed to $CLAUDE_BIN" >&2
+}
+
+if [ ! -x "$CLAUDE_BIN" ]; then
+    _install_claude
+fi
+
+# Use SNAP_USER_COMMON as HOME so claude stores its config within the snap's
+# user data directory (~/.claude → $SNAP_USER_COMMON/.claude), which is
+# accessible under strict confinement without a personal-files plug.
+# Unset CLAUDECODE so claude doesn't refuse to start when the user is already
+# running a Claude Code session in the same shell environment.
+exec env -u CLAUDECODE HOME="$SNAP_USER_COMMON" "$CLAUDE_BIN" "$@"
diff --git a/scripts/codex b/scripts/codex
@@ -0,0 +1,144 @@
+#!/bin/bash
+# Shim to launch the user-installed (or auto-downloaded) codex CLI.
+#
+# Problems this solves in strict confinement:
+#   1. lemonade-server sets HOME=$SNAP_COMMON, so codex would look for its
+#      config in the wrong place.  We derive the real home from SNAP_USER_COMMON
+#      and restore it before exec-ing codex.
+#   2. If codex isn't installed yet, we download the platform-specific
+#      @openai/codex tarball from the npm registry using curl and extract the
+#      statically-linked native binary directly — no Node.js required.
+
+CODEX_BIN="$SNAP_USER_COMMON/tools/bin/codex"
+
+_install_codex() {
+    echo "codex not found at $CODEX_BIN" >&2
+    echo "Downloading @openai/codex from the npm registry..." >&2
+
+    mkdir -p "$SNAP_USER_COMMON/tools/bin"
+
+    # Resolve the latest version tag and integrity from npm metadata
+    local metadata version integrity
+    metadata=$(curl -sf "https://registry.npmjs.org/@openai/codex/latest")
+    version=$(printf '%s\n' "$metadata" | sed -n 's/.*"version":"\([^"]*\)".*/\1/p' | head -1)
+    # Extract the dist.integrity field (e.g., "sha512-<base64>") for the resolved version
+    integrity=$(printf '%s\n' "$metadata" | sed -n 's/.*"integrity":"\([^"]*\)".*/\1/p' | head -1)
+
+    if [ -z "$version" ] || [ -z "$integrity" ]; then
+        echo "ERROR: could not resolve @openai/codex version and integrity from npm registry." >&2
+        echo "Check your network connection, or install manually (after verifying checksum):" >&2
+        echo "  curl -fsSL https://registry.npmjs.org/@openai/codex/-/codex-VERSION-linux-x64.tgz \\" >&2
+        echo "    | tar -xzOf - package/vendor/x86_64-unknown-linux-musl/codex/codex \\" >&2
+        echo "    > '$CODEX_BIN' && chmod +x '$CODEX_BIN'" >&2
+        exit 1
+    fi
+
+    echo "Downloading codex v${version} (linux-x64 native binary)..." >&2
+    local tarball="https://registry.npmjs.org/@openai/codex/-/codex-${version}-linux-x64.tgz"
+
+    # Download tarball to a temporary file so we can verify its integrity.
+    local tmp_tgz
+    tmp_tgz=$(mktemp "${TMPDIR:-/tmp}/codex-tarball.XXXXXX") || {
+        echo "ERROR: failed to create temporary file for @openai/codex download." >&2
+        exit 1
+    }
+
+    if ! curl -fsSL "$tarball" -o "$tmp_tgz"; then
+        echo "ERROR: download of @openai/codex v${version}-linux-x64 failed." >&2
+        rm -f "$tmp_tgz"
+        rm -f "$CODEX_BIN"
+        exit 1
+    fi
+
+    # Verify tarball integrity against the npm dist.integrity field (sha512-<base64>).
+    local expected_prefix="sha512-"
+    local expected actual
+    expected="$integrity"
+    if [ "${expected#"$expected_prefix"}" = "$expected" ]; then
+        echo "ERROR: unsupported integrity format '$integrity' (expected sha512-*)." >&2
+        rm -f "$tmp_tgz"
+        rm -f "$CODEX_BIN"
+        exit 1
+    fi
+    expected="${expected#"$expected_prefix"}"
+
+    # Compute base64-encoded SHA-512 of the downloaded tarball.
+    if ! actual=$(openssl dgst -sha512 -binary "$tmp_tgz" 2>/dev/null | openssl base64 -A); then
+        echo "ERROR: failed to compute SHA-512 checksum for @openai/codex tarball." >&2
+        rm -f "$tmp_tgz"
+        rm -f "$CODEX_BIN"
+        exit 1
+    fi
+
+    if [ "$actual" != "$expected" ]; then
+        echo "ERROR: integrity check failed for @openai/codex v${version}-linux-x64 tarball." >&2
+        echo "Expected (from npm dist.integrity): $expected" >&2
+        echo "Actual (computed):                $actual" >&2
+        rm -f "$tmp_tgz"
+        rm -f "$CODEX_BIN"
+        exit 1
+    fi
+
+    # The linux-x64 tarball ships a statically-linked musl binary; extract it directly.
+    if ! tar -xzOf "$tmp_tgz" package/vendor/x86_64-unknown-linux-musl/codex/codex \
+            > "$CODEX_BIN"; then
+        echo "ERROR: failed to extract @openai/codex v${version}-linux-x64 binary." >&2
+        rm -f "$tmp_tgz"
+        rm -f "$CODEX_BIN"
+        exit 1
+    fi
+
+    rm -f "$tmp_tgz"
+    chmod +x "$CODEX_BIN"
+    echo "codex v${version} installed to $CODEX_BIN" >&2
+}
+
+if [ ! -x "$CODEX_BIN" ]; then
+    _install_codex
+fi
+
+# OPENAI_BASE_URL is set by lemonade-server to the server's /v1/ endpoint.
+# Forward it as CODEX_OSS_BASE_URL so codex points at lemonade instead of
+# the default Ollama port, and inject -c oss_provider=ollama so the
+# LM Studio/Ollama picker is skipped.
+CODEX_OSS_BASE_URL="${OPENAI_BASE_URL%/}"
+export CODEX_OSS_BASE_URL
+
+# Extract the model name passed via -m / --model so we can look up the actual
+# context window from the running lemonade server.
+MODEL_NAME=""
+for arg in "$@"; do
+    if [ -n "$_NEXT_IS_MODEL" ]; then
+        MODEL_NAME="$arg"
+        break
+    fi
+    case "$arg" in
+        -m|--model) _NEXT_IS_MODEL=1 ;;
+        -m=*|--model=*) MODEL_NAME="${arg#*=}"; break ;;
+    esac
+done
+
+# Query /api/v1/health for the loaded model's actual ctx_size and derive a
+# sensible tool_output_token_limit (1/8 of context window, min 8192).
+CONTEXT_ARGS=()
+if [ -n "$MODEL_NAME" ] && [ -n "$OPENAI_BASE_URL" ]; then
+    SERVER_BASE="${OPENAI_BASE_URL%%/v1*}"
+    ctx_size=$(curl -sf "$SERVER_BASE/api/v1/health" 2>/dev/null \
+        | jq -r --arg model "$MODEL_NAME" \
+            '.all_models_loaded[]? | select(.model_name == $model) | .recipe_options.ctx_size // empty' \
+            2>/dev/null | head -n1)
+    if [ -n "$ctx_size" ] && [ "$ctx_size" -gt 0 ] 2>/dev/null; then
+        tool_limit=$(( ctx_size / 8 ))
+        [ "$tool_limit" -lt 8192 ] && tool_limit=8192
+        CONTEXT_ARGS=(
+            -c "model_context_window=$ctx_size"
+            -c "model_auto_compact_token_limit=$tool_limit"
+        )
+    fi
+fi
+
+# Use SNAP_USER_COMMON as HOME so codex stores its config within the snap's
+# user data directory (~/.codex → $SNAP_USER_COMMON/.codex), which is
+# accessible under strict confinement without a personal-files plug.
+exec env HOME="$SNAP_USER_COMMON" "$CODEX_BIN" \
+    -c "oss_provider=\"ollama\"" "${CONTEXT_ARGS[@]}" "$@"
diff --git a/snap/snapcraft.yaml b/snap/snapcraft.yaml
@@ -49,6 +49,10 @@ platforms:
 layout:
   /usr/share/lemonade-server:
     symlink: $SNAP/usr/share/lemonade-server
+  # Node.js externalizes some builtins to /usr/share/nodejs at a hardcoded path.
+  # Bind the snap's copy so node can find them at runtime.
+  /usr/share/nodejs:
+    bind: $SNAP/usr/share/nodejs
   # Add layout entries so XRT's hardcoded absolute paths resolve to the snap's copies
   /usr/lib/x86_64-linux-gnu/libxrt_core.so.2:
     bind-file: $SNAP/usr/lib/x86_64-linux-gnu/libxrt_core.so.2.21.75
@@ -62,7 +66,6 @@ plugs:
     interface: content
     target: $SNAP/gpu-2404
     default-provider: mesa-2404
-
 slots:
   # Adds a pseudo content interface to allow clients to express their
   # runtime dependency on lemonade-server
@@ -101,8 +104,8 @@ apps:
       - hardware-observe
       - system-observe
     environment:
-      LD_LIBRARY_PATH: "$SNAP/usr/share/lemonade-server:$SNAP_COMMON/cache/lemonade/bin/llamacpp/vulka    n:$SNAP_COMMON/cache/lemonade/bin/whispercpp/vulkan:$SNAP/usr/lib/x86_64-linux-gnu:$SNAP/lib/x86_64-linux-gnu:/var/lib/snapd/lib/gl${LD_LIBRARY_PATH:+:$LD_LIBRARY_PATH}"
-      PATH: "$SNAP/usr/bin:$PATH"
+      LD_LIBRARY_PATH: "$SNAP/usr/share/lemonade-server:$SNAP_COMMON/cache/lemonade/bin/llamacpp/vulkan:$SNAP_COMMON/cache/lemonade/bin/whispercpp/vulkan:$SNAP/usr/lib/x86_64-linux-gnu:$SNAP/lib/x86_64-linux-gnu:/var/lib/snapd/lib/gl${LD_LIBRARY_PATH:+:$LD_LIBRARY_PATH}"
+      PATH: "$SNAP/usr/bin:$SNAP_USER_COMMON/tools/bin:$PATH"
       HOME: "$SNAP_COMMON"
       LEMONADE_CACHE_DIR: "$SNAP_COMMON/cache/lemonade"
       FLM_MODEL_PATH: $SNAP_COMMON/flm/models
@@ -169,6 +172,10 @@ parts:
       - libatomic1
       - libcurl4t64
       - curl # for metrics
+      - nodejs # for running @anthropic-ai/claude-code cli.js when auto-downloaded
+      - node-cjs-module-lexer # nodejs externalized builtin
+      - node-undici # nodejs externalized builtin
+      - node-acorn # nodejs externalized builtins (acorn + acorn-walk)
       - unzip # For extracting backends at runtime
       - libdrm-amdgpu1 # SD backends need this at runtime
       - libnuma1 # SD backends need this at runtime
@@ -447,7 +454,21 @@ parts:
     organize:
       lemonade-server-wrapper: bin/lemonade-server-wrapper
       metrics: bin/metrics
+      claude: usr/bin/claude
+      codex: usr/bin/codex
     override-prime: |
       craftctl default
       chmod +x $CRAFT_PRIME/bin/lemonade-server-wrapper
       chmod +x $CRAFT_PRIME/bin/metrics
+      chmod +x $CRAFT_PRIME/usr/bin/claude
+      chmod +x $CRAFT_PRIME/usr/bin/codex
+
+  tools:
+    plugin: nil
+    stage-packages:
+      - gh
+      - git
+      - jq
+      - make
+      - patch
+      - ripgrep
