Grok Build is xAI's official coding agent CLI. It speaks ACP natively via grok agent stdio — no wrapper required.
docker build -f Dockerfile.grok -t openab-grok:latest .The image pulls a pinned grok binary from xAI's public artifacts bucket and verifies its SHA256 checksum. Bump GROK_VERSION, GROK_SHA256_AMD64, and GROK_SHA256_ARM64 in Dockerfile.grok to upgrade.
helm install openab openab/openab \
--set agents.kiro.enabled=false \
--set agents.grok.discord.enabled=true \
--set agents.grok.discord.botToken="$DISCORD_BOT_TOKEN" \
--set-string 'agents.grok.discord.allowedChannels[0]=YOUR_CHANNEL_ID' \
--set agents.grok.image=ghcr.io/openabdev/openab-grok:latest \
--set agents.grok.command=grok \
--set-string 'agents.grok.args[0]=agent' \
--set-string 'agents.grok.args[1]=stdio' \
--set agents.grok.workingDir=/home/agentSet
agents.kiro.enabled=falseto disable the default Kiro agent.
[agent]
command = "grok"
args = ["agent", "stdio"]
working_dir = "/home/agent"Grok Build supports three credential sources. Pick whichever fits your deployment.
Set the environment variable in the pod / task definition:
export GROK_CODE_XAI_API_KEY="xai-..."Get a key from https://console.x.ai/. No interactive login needed.
⚠️ Security: env vars listed under[agent].envare visible to the agent and can be leaked via prompt injection. Prefer mounting them via the platform's secret manager.
If you want to use a SuperGrok subscription instead of pay-per-token API billing:
kubectl exec -it <pod> -- grok login --device-authThe CLI prints a short code and URL — open the URL on any device, enter the code, approve. The token is stored at ~/.grok/auth.json inside the container.
This works in any headless environment (K8s exec, ECS exec, plain SSH) without port-forwarding — unlike loopback OAuth flows.
export GROK_DEPLOYMENT_KEY="..."A deployment key takes precedence over auth.json. The CLI fetches managed config from cli-chat-proxy.grok.com/v1/deployment/config on startup. Available to xAI enterprise customers; contact xAI sales for details.
grok login stores OAuth credentials at ~/.grok/auth.json and runtime config at ~/.grok/config.toml. The OpenAB Helm chart's default persistence covers workingDir automatically (PVC mounted at /home/agent).
If deploying manually, mount persistent storage at /home/agent/.grok:
volumes:
- name: grok-credentials
persistentVolumeClaim:
claimName: grok-credentials-pvc
volumeMounts:
- name: grok-credentials
mountPath: /home/agent/.grokAPI-key-only deployments don't need persistence.
The default model is whichever Grok Build CLI selects (currently grok-code-fast-1 for the free tier; grok-4.3 family for SuperGrok). To override:
[agent]
command = "grok"
args = ["agent", "stdio", "--model", "grok-4.3"]
working_dir = "/home/agent"List available models inside the pod:
kubectl exec -it <pod> -- grok models# Inside the container (one-shot upgrade):
kubectl exec -it <pod> -- grok update
# Or rebuild the image with a new pinned version:
docker build -f Dockerfile.grok \
--build-arg GROK_VERSION=0.1.220 \
--build-arg GROK_SHA256_AMD64=... \
--build-arg GROK_SHA256_ARM64=... \
-t openab-grok:latest .| Property | Dockerfile.grok |
Dockerfile.hermes |
|---|---|---|
| Provider | xAI Grok only | xAI + 30 others via Nous gateway |
| ACP | Native (grok agent stdio) |
Via hermes-acp wrapper |
| Headless auth | API key env or device-code | Loopback OAuth (needs port-forward / ECS curl trick) |
| Supply chain | xAI only | xAI + Nous Research install script |
| Image size | Smaller (single static binary, no Python venv) | Larger (Python + uv + ffmpeg) |
Pick Dockerfile.grok if Grok is the only model you need. Pick Dockerfile.hermes if you want multi-provider switching or fallback chains.