Managed compute

Run the BuildAutomaton CLI bridge on each compute host you want in your managed AI fleet: laptops, workstations, servers, VPC instances, or private cloud machines. ACP stays on localhost while the bridge connects the host to your workspace.

Why use managed compute?

Many teams want coding agents, and optionally the LLMs those agents call, to run on compute hosts they already own, operate, or govern. A bridge brings each host into a managed AI fleet without moving ACP off localhost, keeping prompts, code, and tool traffic on machines and networks under your policy.

Managed compute helps you govern intellectual property, usage, and cost: you decide which models and endpoints are allowed, which hosts join the fleet, how data leaves your network, and how spend is attributed.

Headless auth

Use --headless when the bridge must not open a browser (servers and containers). Until your CLI lists that flag in --help, you can still pass --token and --workspace-id, or BUILDAUTOMATON_AUTH_TOKEN and BUILDAUTOMATON_WORKSPACE_ID, for non-interactive auth. Your host still needs outbound HTTPS and WebSocket access to the API (for example through a VPC NAT gateway). For a first-time browser sign-in, follow Getting started.

Dashboard token

In the app, open your workspace, go to Bridges, and create a bridge access token. You will use that token together with the workspace ID every time you start the CLI without a browser.

Environment variables and secrets

The CLI accepts the same values through flags or environment variables: BUILDAUTOMATON_AUTH_TOKEN and BUILDAUTOMATON_WORKSPACE_ID mirror --token and --workspace-id. Point at a non-default API with BUILDAUTOMATON_API_URL if your organization requires it.

Treat the token like any other long-lived secret. Load it from a secrets manager, Kubernetes Secret, or CI masked variable, or mount a Docker --env-file that is never committed to git, and avoid printing the environment in startup logs.

export BUILDAUTOMATON_AUTH_TOKEN="…"
export BUILDAUTOMATON_WORKSPACE_ID="…"
npx @buildautomaton/cli --headless

You can combine these options with others such as end-to-end certificate setup; see End-to-end encryption when you need --e2ee-certificates-dir as well.

Empty working directory

If the bridge starts in an empty working directory (for example a fresh /workspace in a container), it still connects the host to your managed AI fleet. The dev environment UI then walks you through initializing and cloning a Git repository so the agent has a real tree to work in. Mount a persistent volume if you want that checkout to survive restarts.

OpenCode (Docker)

The openeuler/opencode image on Docker Hub is a practical base for OpenCode. Extend it by copying a Node.js installation into the image so npx @buildautomaton/cli is available next to OpenCode, then start both processes in the same container (or network namespace) so the bridge can add the container host to your managed AI fleet while reaching OpenCode on localhost.

FROM openeuler/opencode:1.1.48
USER root
COPY --from=docker.io/node:22-bookworm /usr/local /usr/local
ENV PATH="/usr/local/bin:${PATH}"
WORKDIR /workspace

Build a small image from that Dockerfile, then run it with secrets injected as environment variables and with the Hub quick start's config volume for OpenCode. The shell snippet below is only an outline; replace YOUR_OPENCODE_START with the start command documented for your tag on Docker Hub.

docker build -t ba-opencode .
docker run --rm -it \
  -e BUILDAUTOMATON_AUTH_TOKEN -e BUILDAUTOMATON_WORKSPACE_ID \
  -v ~/.config/opencode:/root/.config/opencode \
  -v "$(pwd)":/workspace ba-opencode \
  sh -c 'YOUR_OPENCODE_START & npx @buildautomaton/cli --headless'

On a laptop you can skip --headless for the first connection and let the browser complete sign-in. The usual command is:

npx @buildautomaton/cli@latest

Claude Code on managed compute

A typical VPC setup uses a private EC2 instance with outbound access through NAT, Claude Code running in Docker, and the BuildAutomaton bridge in the same container or on the same Docker network. The bridge enrolls that compute host in your managed AI fleet and opens ACP to localhost.

FROM node:22-bookworm
WORKDIR /workspace
# Install Claude Code CLI per your org; mount the repo at docker run time.
CMD ["sh", "-c", "npx @buildautomaton/cli --headless & exec claude"]

Replace claude with the command your image actually uses, pass token variables from a secret store, set BUILDAUTOMATON_API_URL if you are not on the default API host, and allow outbound WebSocket traffic in the instance security group.

See also