@covibes/zeroshot 1.0.1

package/cluster-templates/conductor-bootstrap.json

@@ -0,0 +1,122 @@
+{
+  "name": "Two-Tier Conductor (Complexity × TaskType)",
+  "description": "Cost-optimized conductor: Haiku junior for 2D classification (complexity + taskType), Sonnet senior for UNCERTAIN tasks. Routes to appropriate cluster config via helpers.getConfig().",
+  "agents": [
+    {
+      "id": "junior-conductor",
+      "role": "conductor",
+      "model": "haiku",
+      "outputFormat": "json",
+      "jsonSchema": {
+        "type": "object",
+        "properties": {
+          "complexity": {
+            "type": "string",
+            "enum": ["TRIVIAL", "SIMPLE", "STANDARD", "CRITICAL", "UNCERTAIN"],
+            "description": "Task complexity level"
+          },
+          "taskType": {
+            "type": "string",
+            "enum": ["INQUIRY", "TASK", "DEBUG"],
+            "description": "Type of work: INQUIRY (questions/exploration), TASK (implement new), DEBUG (fix broken)"
+          },
+          "reasoning": {
+            "type": "string",
+            "description": "Why this classification (1-2 sentences)"
+          }
+        },
+        "required": ["complexity", "taskType", "reasoning"]
+      },
+      "prompt": {
+        "system": "You are the JUNIOR CONDUCTOR (Haiku) - fast, cost-efficient task classification.\n\n## Your Job\nClassify tasks on TWO dimensions: COMPLEXITY and TASK TYPE.\n\n## COMPLEXITY (how hard/risky)\n\n**TRIVIAL** - One command, one file, mechanical\n**SIMPLE** - One concern, straightforward\n**STANDARD** - Multi-file, needs planning\n**CRITICAL** - High risk (auth, payments, security, production)\n**UNCERTAIN** - Escalate to senior conductor\n\n## TASK TYPE (what kind of action)\n\n**INQUIRY** - Questions, exploration, understanding\n- \"How does X work?\", \"What files handle Y?\", \"Explain Z\"\n- NO changes made, just gathering information\n\n**TASK** - Implement something new\n- \"Add feature X\", \"Create Y\", \"Implement Z\"\n- Building new functionality\n\n**DEBUG** - Fix something broken\n- \"Why is X failing?\", \"Fix bug in Y\", \"Debug Z\"\n- Investigating and fixing existing issues\n\n## Output Format\n\n```json\n{\n  \"complexity\": \"TRIVIAL|SIMPLE|STANDARD|CRITICAL|UNCERTAIN\",\n  \"taskType\": \"INQUIRY|TASK|DEBUG\",\n  \"reasoning\": \"Brief explanation\"\n}\n```\n\n## Examples\n\n\"How does auth work?\" → SIMPLE, INQUIRY\n\"Add rate limiting\" → STANDARD, TASK\n\"Fix null pointer bug\" → SIMPLE, DEBUG\n\"Why is the API slow?\" → STANDARD, DEBUG\n\"Deploy to AWS\" → CRITICAL, TASK\n\"terraform plan\" → SIMPLE, TASK\n\"What files handle routing?\" → TRIVIAL, INQUIRY\n\n## Critical Rules\n\n1. ALWAYS output both dimensions\n2. INQUIRY = read-only, TASK = create new, DEBUG = fix broken\n3. complexity=UNCERTAIN only when truly ambiguous\n\nTask: {{ISSUE_OPENED.content.text}}"
+      },
+      "contextStrategy": {
+        "sources": [{ "topic": "ISSUE_OPENED", "limit": 1 }],
+        "format": "chronological",
+        "maxTokens": 100000
+      },
+      "triggers": [
+        {
+          "topic": "ISSUE_OPENED",
+          "logic": {
+            "engine": "javascript",
+            "script": "return message.sender === 'system';"
+          },
+          "action": "execute_task"
+        }
+      ],
+      "hooks": {
+        "onComplete": {
+          "action": "publish_message",
+          "transform": {
+            "engine": "javascript",
+            "script": "const { complexity, taskType, reasoning } = result;\nconst taskText = triggeringMessage.content?.text || '';\n\nif (complexity === 'UNCERTAIN') {\n  return {\n    topic: 'CONDUCTOR_ESCALATE',\n    content: {\n      text: reasoning,\n      data: { complexity, taskType, reasoning, taskText }\n    }\n  };\n}\n\nconst config = helpers.getConfig(complexity, taskType);\n\nreturn {\n  topic: 'CLUSTER_OPERATIONS',\n  content: {\n    text: `[${complexity}:${taskType}] ${reasoning}`,\n    data: {\n      complexity,\n      taskType,\n      operations: [\n        { action: 'load_config', config },\n        { action: 'publish', topic: 'ISSUE_OPENED', content: { text: taskText } }\n      ]\n    }\n  }\n};"
+          }
+        }
+      }
+    },
+    {
+      "id": "senior-conductor",
+      "role": "conductor",
+      "model": "sonnet",
+      "outputFormat": "json",
+      "jsonSchema": {
+        "type": "object",
+        "properties": {
+          "complexity": {
+            "type": "string",
+            "enum": ["TRIVIAL", "SIMPLE", "STANDARD", "CRITICAL"],
+            "description": "Task complexity (no UNCERTAIN - must decide)"
+          },
+          "taskType": {
+            "type": "string",
+            "enum": ["INQUIRY", "TASK", "DEBUG"],
+            "description": "Type of work after analysis"
+          },
+          "reasoning": {
+            "type": "string",
+            "description": "Detailed explanation"
+          }
+        },
+        "required": ["complexity", "taskType", "reasoning"]
+      },
+      "prompt": {
+        "system": "You are the SENIOR CONDUCTOR - expert task analyzer for ambiguous tasks.\n\nThe junior conductor was uncertain. Analyze deeply and make a definitive classification.\n\n## COMPLEXITY\n\n**TRIVIAL** - One command/file, mechanical, no risk\n**SIMPLE** - One concern, straightforward\n**STANDARD** - Multi-file, needs planning\n**CRITICAL** - High risk (auth/payments/security/production)\n\n## TASK TYPE\n\n**INQUIRY** - Questions, exploration (read-only)\n**TASK** - Implement something new (create)\n**DEBUG** - Fix something broken (investigate + fix)\n\n## Decision Rules\n\n1. YOU MUST DECIDE - no UNCERTAIN output\n2. When in doubt about complexity, go ONE LEVEL HIGHER\n3. INQUIRY vs TASK vs DEBUG based on intent, not keywords\n4. Consider: Is user asking a question? Building new? Fixing broken?\n\nJunior classified as UNCERTAIN. Original task and reasoning follow."
+      },
+      "contextStrategy": {
+        "sources": [
+          { "topic": "ISSUE_OPENED", "limit": 1 },
+          {
+            "topic": "CONDUCTOR_ESCALATE",
+            "since": "last_agent_start",
+            "limit": 1
+          },
+          {
+            "topic": "CLUSTER_OPERATIONS_VALIDATION_FAILED",
+            "since": "cluster_start",
+            "limit": 3
+          }
+        ],
+        "format": "chronological",
+        "maxTokens": 100000
+      },
+      "maxRetries": 3,
+      "triggers": [
+        { "topic": "CONDUCTOR_ESCALATE", "action": "execute_task" },
+        {
+          "topic": "CLUSTER_OPERATIONS_VALIDATION_FAILED",
+          "action": "execute_task"
+        }
+      ],
+      "hooks": {
+        "onComplete": {
+          "action": "publish_message",
+          "transform": {
+            "engine": "javascript",
+            "script": "const { complexity, taskType, reasoning } = result;\n\nlet taskText = triggeringMessage.content?.data?.taskText || '';\nif (!taskText) {\n  taskText = triggeringMessage.content?.text || '';\n}\n\nconst config = helpers.getConfig(complexity, taskType);\n\nreturn {\n  topic: 'CLUSTER_OPERATIONS',\n  content: {\n    text: `Senior: [${complexity}:${taskType}] ${reasoning}`,\n    data: {\n      complexity,\n      taskType,\n      operations: [\n        { action: 'load_config', config },\n        { action: 'publish', topic: 'ISSUE_OPENED', content: { text: taskText } }\n      ]\n    }\n  }\n};"
+          }
+        }
+      }
+    }
+  ]
+}

package/cluster-templates/conductor-junior-bootstrap.json

@@ -0,0 +1,69 @@
+{
+  "name": "Junior Conductor Bootstrap",
+  "description": "Cost-optimized haiku conductor for fast task classification - spawns agents directly for TRIVIAL/SIMPLE/STANDARD/CRITICAL, escalates only for UNCERTAIN tasks",
+  "agents": [
+    {
+      "id": "junior-conductor",
+      "role": "conductor",
+      "model": "haiku",
+      "outputFormat": "json",
+      "jsonSchema": {
+        "type": "object",
+        "properties": {
+          "classification": {
+            "type": "string",
+            "enum": ["TRIVIAL", "SIMPLE", "STANDARD", "CRITICAL", "UNCERTAIN"],
+            "description": "Task complexity category"
+          },
+          "reasoning": {
+            "type": "string",
+            "description": "Why this classification (1-2 sentences)"
+          },
+          "operations": {
+            "type": "array",
+            "description": "CLUSTER_OPERATIONS to spawn agents (empty if UNCERTAIN)"
+          }
+        },
+        "required": ["classification", "reasoning", "operations"]
+      },
+      "prompt": {
+        "system": "You are the JUNIOR CONDUCTOR (Haiku) - fast, cost-efficient task classification.\n\n## Your Job\nClassify tasks into complexity categories and spawn appropriate agent clusters.\nYou handle 95% of tasks. Only escalate when the DECISION ITSELF is hard.\n\n## Categories\n\n**TRIVIAL** (haiku worker only):\n- Typos, docs, simple renames, config changes\n- Simple scripts (hello world, count to 100)\n- No planning needed, mechanical implementation\n- Examples: \"fix typo in README\", \"create Python script that counts to 100\"\n\n**SIMPLE** (sonnet worker + haiku validator):\n- Single-file bug fixes\n- Small feature additions\n- Basic refactoring (one function)\n- Examples: \"fix null pointer in user service\", \"add validation to form\"\n\n**STANDARD** (planner + worker + 2 validators):\n- Multi-file features\n- Cross-component changes\n- Non-trivial refactoring\n- Examples: \"add rate limiting to API\", \"implement search filtering\"\n\n**CRITICAL** (planner(opus) + worker + security + reviewer + tester):\n- Auth, payments, security\n- Data migrations\n- Production-critical changes\n- Examples: \"implement OAuth2 login\", \"add payment processing\"\n\n**UNCERTAIN** (escalate to senior conductor):\n- Ambiguous requirements (can't determine scope)\n- Unknown unknowns (\"refactor auth\" - how big?)\n- Edge cases not covered by examples\n- Contradictory requirements\n\n## Output Format\n\n```json\n{\n  \"classification\": \"TRIVIAL|SIMPLE|STANDARD|CRITICAL|UNCERTAIN\",\n  \"reasoning\": \"Brief explanation (1-2 sentences)\",\n  \"operations\": [/* CLUSTER_OPERATIONS array or empty if UNCERTAIN */]\n}\n```\n\n## Agent Primitives - Copy these exactly\n\n### WORKER\n{\"id\":\"worker\",\"role\":\"implementation\",\"model\":\"haiku or sonnet\",\"verify\":true,\"maxIterations\":30,\"prompt\":{\"system\":\"Implement the task. On iteration 1: follow the plan or issue. On iteration 2+: fix ALL issues from validators.\"},\"contextStrategy\":{\"sources\":[{\"topic\":\"ISSUE_OPENED\",\"limit\":1},{\"topic\":\"PLAN_READY\",\"limit\":1},{\"topic\":\"VALIDATION_RESULT\",\"since\":\"last_task_end\",\"limit\":10}],\"format\":\"chronological\",\"maxTokens\":100000},\"triggers\":[{\"topic\":\"PLAN_READY\",\"action\":\"execute_task\"},{\"topic\":\"ISSUE_OPENED\",\"action\":\"execute_task\"},{\"topic\":\"VALIDATION_RESULT\",\"logic\":{\"engine\":\"javascript\",\"script\":\"const validators = cluster.getAgentsByRole('validator');\\nconst lastPush = ledger.findLast({ topic: 'IMPLEMENTATION_READY' });\\nif (!lastPush) return false;\\nconst responses = ledger.query({ topic: 'VALIDATION_RESULT', since: lastPush.timestamp });\\nif (responses.length < validators.length) return false;\\nreturn responses.some(r => r.content?.data?.approved === false || r.content?.data?.approved === 'false');\"},\"action\":\"execute_task\"},{\"topic\":\"CLUSTER_RESUMED\",\"action\":\"execute_task\"}],\"hooks\":{\"onComplete\":{\"action\":\"publish_message\",\"config\":{\"topic\":\"IMPLEMENTATION_READY\",\"content\":{\"text\":\"Implementation complete.\"}}}}}\n\n### PLANNER\n{\"id\":\"planner\",\"role\":\"planning\",\"model\":\"sonnet\",\"outputFormat\":\"json\",\"jsonSchema\":{\"type\":\"object\",\"properties\":{\"plan\":{\"type\":\"string\"},\"summary\":{\"type\":\"string\"},\"filesAffected\":{\"type\":\"array\",\"items\":{\"type\":\"string\"}}},\"required\":[\"plan\",\"summary\",\"filesAffected\"]},\"prompt\":{\"system\":\"Create a clear implementation plan. List files to modify and concrete steps.\"},\"contextStrategy\":{\"sources\":[{\"topic\":\"ISSUE_OPENED\",\"limit\":1}],\"format\":\"chronological\",\"maxTokens\":100000},\"triggers\":[{\"topic\":\"ISSUE_OPENED\",\"action\":\"execute_task\"}],\"hooks\":{\"onComplete\":{\"action\":\"publish_message\",\"config\":{\"topic\":\"PLAN_READY\",\"content\":{\"text\":\"{{result.plan}}\",\"data\":{\"summary\":\"{{result.summary}}\",\"filesAffected\":\"{{result.filesAffected}}\"}}}}}} \n\n### VALIDATOR\n{\"id\":\"validator\",\"role\":\"validator\",\"model\":\"haiku or sonnet\",\"outputFormat\":\"json\",\"jsonSchema\":{\"type\":\"object\",\"properties\":{\"approved\":{\"type\":\"boolean\"},\"summary\":{\"type\":\"string\"},\"errors\":{\"type\":\"array\",\"items\":{\"type\":\"string\"}}},\"required\":[\"approved\",\"summary\",\"errors\"]},\"prompt\":{\"system\":\"Verify implementation meets requirements. APPROVE if core functionality works. REJECT only for missing/broken functionality.\"},\"contextStrategy\":{\"sources\":[{\"topic\":\"ISSUE_OPENED\",\"limit\":1},{\"topic\":\"PLAN_READY\",\"limit\":1},{\"topic\":\"IMPLEMENTATION_READY\",\"limit\":1}],\"format\":\"chronological\",\"maxTokens\":50000},\"triggers\":[{\"topic\":\"IMPLEMENTATION_READY\",\"action\":\"execute_task\"}],\"hooks\":{\"onComplete\":{\"action\":\"publish_message\",\"config\":{\"topic\":\"VALIDATION_RESULT\",\"content\":{\"text\":\"{{result.summary}}\",\"data\":{\"approved\":\"{{result.approved}}\",\"errors\":\"{{result.errors}}\"}}}}}}\n\n### CODE REVIEWER\n{\"id\":\"reviewer\",\"role\":\"validator\",\"model\":\"sonnet\",\"outputFormat\":\"json\",\"jsonSchema\":{\"type\":\"object\",\"properties\":{\"approved\":{\"type\":\"boolean\"},\"summary\":{\"type\":\"string\"},\"issues\":{\"type\":\"array\",\"items\":{\"type\":\"string\"}}},\"required\":[\"approved\",\"summary\",\"issues\"]},\"prompt\":{\"system\":\"Code review for security and quality. REJECT for: SQL injection, XSS, auth bypass, exposed secrets, silent error swallowing. APPROVE if code is functional and safe.\"},\"contextStrategy\":{\"sources\":[{\"topic\":\"ISSUE_OPENED\",\"limit\":1},{\"topic\":\"PLAN_READY\",\"limit\":1},{\"topic\":\"IMPLEMENTATION_READY\",\"limit\":1}],\"format\":\"chronological\",\"maxTokens\":50000},\"triggers\":[{\"topic\":\"IMPLEMENTATION_READY\",\"action\":\"execute_task\"}],\"hooks\":{\"onComplete\":{\"action\":\"publish_message\",\"config\":{\"topic\":\"VALIDATION_RESULT\",\"content\":{\"text\":\"{{result.summary}}\",\"data\":{\"approved\":\"{{result.approved}}\",\"issues\":\"{{result.issues}}\"}}}}}}\n\n### SECURITY VALIDATOR\n{\"id\":\"security-validator\",\"role\":\"validator\",\"model\":\"sonnet\",\"outputFormat\":\"json\",\"jsonSchema\":{\"type\":\"object\",\"properties\":{\"approved\":{\"type\":\"boolean\"},\"summary\":{\"type\":\"string\"},\"vulnerabilities\":{\"type\":\"array\",\"items\":{\"type\":\"string\"}}},\"required\":[\"approved\",\"summary\",\"vulnerabilities\"]},\"prompt\":{\"system\":\"Deep security review. Check for: SQL injection, XSS, CSRF, auth bypass, insecure crypto, path traversal, exposed secrets. REJECT if any vulnerability found.\"},\"contextStrategy\":{\"sources\":[{\"topic\":\"ISSUE_OPENED\",\"limit\":1},{\"topic\":\"PLAN_READY\",\"limit\":1},{\"topic\":\"IMPLEMENTATION_READY\",\"limit\":1}],\"format\":\"chronological\",\"maxTokens\":50000},\"triggers\":[{\"topic\":\"IMPLEMENTATION_READY\",\"action\":\"execute_task\"}],\"hooks\":{\"onComplete\":{\"action\":\"publish_message\",\"config\":{\"topic\":\"VALIDATION_RESULT\",\"content\":{\"text\":\"{{result.summary}}\",\"data\":{\"approved\":\"{{result.approved}}\",\"vulnerabilities\":\"{{result.vulnerabilities}}\"}}}}}}\n\n### TESTER\n{\"id\":\"tester\",\"role\":\"validator\",\"model\":\"sonnet\",\"outputFormat\":\"json\",\"jsonSchema\":{\"type\":\"object\",\"properties\":{\"approved\":{\"type\":\"boolean\"},\"summary\":{\"type\":\"string\"},\"bugs\":{\"type\":\"array\",\"items\":{\"type\":\"string\"}}},\"required\":[\"approved\",\"summary\",\"bugs\"]},\"prompt\":{\"system\":\"QA testing. Test basic usage and common edge cases. REJECT if core functionality broken or crashes. APPROVE if it basically works.\"},\"contextStrategy\":{\"sources\":[{\"topic\":\"ISSUE_OPENED\",\"limit\":1},{\"topic\":\"PLAN_READY\",\"limit\":1},{\"topic\":\"IMPLEMENTATION_READY\",\"limit\":1}],\"format\":\"chronological\",\"maxTokens\":50000},\"triggers\":[{\"topic\":\"IMPLEMENTATION_READY\",\"action\":\"execute_task\"}],\"hooks\":{\"onComplete\":{\"action\":\"publish_message\",\"config\":{\"topic\":\"VALIDATION_RESULT\",\"content\":{\"text\":\"{{result.summary}}\",\"data\":{\"approved\":\"{{result.approved}}\",\"bugs\":\"{{result.bugs}}\"}}}}}}\n\n### COMPLETION DETECTOR (with validators)\n{\"id\":\"completion-detector\",\"role\":\"orchestrator\",\"triggers\":[{\"topic\":\"VALIDATION_RESULT\",\"logic\":{\"engine\":\"javascript\",\"script\":\"const validators = cluster.getAgentsByRole('validator');\\nconst lastPush = ledger.findLast({ topic: 'IMPLEMENTATION_READY' });\\nif (!lastPush) return false;\\nconst responses = ledger.query({ topic: 'VALIDATION_RESULT', since: lastPush.timestamp });\\nif (responses.length < validators.length) return false;\\nreturn responses.every(r => r.content?.data?.approved === true || r.content?.data?.approved === 'true');\"},\"action\":\"stop_cluster\"}]}\n\n### SIMPLE COMPLETION DETECTOR (no validators)\n{\"id\":\"completion-detector\",\"role\":\"orchestrator\",\"triggers\":[{\"topic\":\"IMPLEMENTATION_READY\",\"action\":\"stop_cluster\"}]}\n\n## Critical Rules\n\n1. Use categorical classification - NO confidence scores\n2. Only output UNCERTAIN when decision itself is hard\n3. Include full operations array for TRIVIAL/SIMPLE/STANDARD/CRITICAL\n4. Fail fast - if task is malformed/unclear, classify as UNCERTAIN\n5. Follow exact patterns above for operations\n6. For TRIVIAL: use haiku worker + simple completion detector\n7. For SIMPLE: use sonnet worker + haiku validator + full completion detector\n8. For STANDARD: use sonnet planner + sonnet worker + sonnet validator + sonnet reviewer + full completion detector\n9. For CRITICAL: use opus planner + sonnet worker + sonnet security-validator + sonnet reviewer + sonnet tester + full completion detector\n10. ALWAYS republish ISSUE_OPENED as last operation with full task text\n\nTask: {{ISSUE_OPENED.content.text}}"
+      },
+      "contextStrategy": {
+        "sources": [
+          {
+            "topic": "ISSUE_OPENED",
+            "limit": 1
+          }
+        ],
+        "format": "chronological",
+        "maxTokens": 100000
+      },
+      "triggers": [
+        {
+          "topic": "ISSUE_OPENED",
+          "logic": {
+            "engine": "javascript",
+            "script": "return message.sender === 'system';"
+          },
+          "action": "execute_task"
+        }
+      ],
+      "hooks": {
+        "onComplete": {
+          "action": "publish_message",
+          "config": {
+            "topic": "JUNIOR_CLASSIFICATION",
+            "content": {
+              "text": "{{result.reasoning}}",
+              "data": {
+                "classification": "{{result.classification}}",
+                "operations": "{{result.operations}}"
+              }
+            }
+          }
+        }
+      }
+    }
+  ]
+}

package/docker/zeroshot-cluster/Dockerfile

@@ -0,0 +1,132 @@
+# Base image for vibe cluster isolation mode
+# Provides: Node.js, Python, Git, Chromium, Claude CLI, Playwright deps, Infrastructure tools
+#
+# Build: docker build -t vibe-cluster-base vibe/cluster/docker/vibe-cluster/
+# Usage: vibe run <task> --isolation
+
+FROM node:20-slim
+
+# Version pinning for infrastructure tools
+ARG AWS_CLI_VERSION=2.15.10
+ARG TERRAFORM_VERSION=1.6.6
+ARG KUBECTL_VERSION=1.29.0
+ARG HELM_VERSION=3.13.3
+ARG INFRACOST_VERSION=0.10.32
+ARG TFLINT_VERSION=0.50.0
+ARG TFSEC_VERSION=1.28.4
+
+# Install system dependencies for e2e testing and development
+RUN apt-get update && apt-get install -y --no-install-recommends \
+    git \
+    curl \
+    ca-certificates \
+    gnupg \
+    unzip \
+    # Docker for starting services
+    docker.io \
+    docker-compose \
+    # Python for general development
+    python3 \
+    python3-pip \
+    python3-venv \
+    # Chromium dependencies
+    chromium \
+    fonts-liberation \
+    libasound2 \
+    libatk-bridge2.0-0 \
+    libatk1.0-0 \
+    libcups2 \
+    libdbus-1-3 \
+    libdrm2 \
+    libgbm1 \
+    libgtk-3-0 \
+    libnspr4 \
+    libnss3 \
+    libx11-xcb1 \
+    libxcomposite1 \
+    libxdamage1 \
+    libxfixes3 \
+    libxrandr2 \
+    xdg-utils \
+    && rm -rf /var/lib/apt/lists/* \
+    # Create python symlink for compatibility
+    && ln -sf /usr/bin/python3 /usr/bin/python
+
+# Install GitHub CLI for git authentication
+RUN curl -fsSL https://cli.github.com/packages/githubcli-archive-keyring.gpg | dd of=/usr/share/keyrings/githubcli-archive-keyring.gpg \
+    && chmod go+r /usr/share/keyrings/githubcli-archive-keyring.gpg \
+    && echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/githubcli-archive-keyring.gpg] https://cli.github.com/packages stable main" | tee /etc/apt/sources.list.d/github-cli.list > /dev/null \
+    && apt-get update && apt-get install -y gh \
+    && rm -rf /var/lib/apt/lists/*
+
+# Install infrastructure tools
+# AWS CLI v2
+RUN curl -fsSL "https://awscli.amazonaws.com/awscli-exe-linux-x86_64-${AWS_CLI_VERSION}.zip" -o /tmp/awscliv2.zip \
+    && unzip -q /tmp/awscliv2.zip -d /tmp \
+    && /tmp/aws/install \
+    && rm -rf /tmp/awscliv2.zip /tmp/aws
+
+# Terraform
+RUN curl -fsSL "https://releases.hashicorp.com/terraform/${TERRAFORM_VERSION}/terraform_${TERRAFORM_VERSION}_linux_amd64.zip" -o /tmp/terraform.zip \
+    && unzip -q /tmp/terraform.zip -d /usr/local/bin \
+    && chmod +x /usr/local/bin/terraform \
+    && rm /tmp/terraform.zip
+
+# kubectl
+RUN curl -fsSL "https://dl.k8s.io/release/v${KUBECTL_VERSION}/bin/linux/amd64/kubectl" -o /usr/local/bin/kubectl \
+    && chmod +x /usr/local/bin/kubectl
+
+# Helm
+RUN curl -fsSL "https://get.helm.sh/helm-v${HELM_VERSION}-linux-amd64.tar.gz" -o /tmp/helm.tar.gz \
+    && tar -xzf /tmp/helm.tar.gz -C /tmp \
+    && mv /tmp/linux-amd64/helm /usr/local/bin/helm \
+    && chmod +x /usr/local/bin/helm \
+    && rm -rf /tmp/helm.tar.gz /tmp/linux-amd64
+
+# infracost (cost estimation)
+RUN curl -fsSL "https://github.com/infracost/infracost/releases/download/v${INFRACOST_VERSION}/infracost-linux-amd64.tar.gz" -o /tmp/infracost.tar.gz \
+    && tar -xzf /tmp/infracost.tar.gz -C /tmp \
+    && mv /tmp/infracost-linux-amd64 /usr/local/bin/infracost \
+    && chmod +x /usr/local/bin/infracost \
+    && rm /tmp/infracost.tar.gz
+
+# tflint (terraform linter)
+RUN curl -fsSL "https://github.com/terraform-linters/tflint/releases/download/v${TFLINT_VERSION}/tflint_linux_amd64.zip" -o /tmp/tflint.zip \
+    && unzip -q /tmp/tflint.zip -d /usr/local/bin \
+    && chmod +x /usr/local/bin/tflint \
+    && rm /tmp/tflint.zip
+
+# tfsec (security scanner)
+RUN curl -fsSL "https://github.com/aquasecurity/tfsec/releases/download/v${TFSEC_VERSION}/tfsec-linux-amd64" -o /usr/local/bin/tfsec \
+    && chmod +x /usr/local/bin/tfsec
+
+# Set AWS_PAGER to empty to disable paging in AWS CLI
+ENV AWS_PAGER=""
+
+# Set Chromium path for Playwright
+ENV CHROME_BIN=/usr/bin/chromium
+ENV PLAYWRIGHT_CHROMIUM_EXECUTABLE_PATH=/usr/bin/chromium
+
+# Install Claude CLI globally
+RUN npm install -g @anthropic-ai/claude-code
+
+# Install Playwright (uses system Chromium)
+RUN npx playwright install-deps chromium 2>/dev/null || true
+
+# Add node user to docker group for Docker socket access
+RUN groupadd -f docker && usermod -aG docker node
+
+# Use existing 'node' user from base image (uid 1000)
+# Create directories with proper ownership for Claude CLI
+RUN mkdir -p /home/node/.claude /home/node/.config/gh \
+    && chown -R node:node /home/node
+
+# Create workspace directory with node ownership
+RUN mkdir -p /workspace && chown node:node /workspace
+WORKDIR /workspace
+
+# Switch to non-root user (required for --dangerously-skip-permissions)
+USER node
+
+# Default command (overridden by vibe)
+CMD ["bash"]

package/lib/completion.js

@@ -0,0 +1,174 @@
+const omelette = require('omelette');
+const fs = require('fs');
+const path = require('path');
+
+function setupCompletion() {
+  const complete = omelette('zeroshot');
+
+  complete.on('start', ({ reply }) => {
+    reply(['--issue', '--text', '--config']);
+  });
+
+  complete.on('list', ({ reply }) => {
+    reply([]);
+  });
+
+  complete.on('status', ({ reply }) => {
+    // Complete with cluster IDs
+    try {
+      const clustersDir = path.join(process.env.HOME, '.zeroshot', 'clusters');
+      if (fs.existsSync(clustersDir)) {
+        const clusterIds = fs
+          .readdirSync(clustersDir)
+          .filter((f) => f.endsWith('.json'))
+          .map((f) => f.replace('.json', ''));
+        reply(clusterIds);
+      } else {
+        reply([]);
+      }
+    } catch {
+      reply([]);
+    }
+  });
+
+  complete.on('logs', ({ reply }) => {
+    // Complete with cluster IDs or flags
+    try {
+      const clustersDir = path.join(process.env.HOME, '.zeroshot', 'clusters');
+      const completions = ['--follow', '-f', '--limit', '-n'];
+
+      if (fs.existsSync(clustersDir)) {
+        const clusterIds = fs
+          .readdirSync(clustersDir)
+          .filter((f) => f.endsWith('.json'))
+          .map((f) => f.replace('.json', ''));
+        reply([...clusterIds, ...completions]);
+      } else {
+        reply(completions);
+      }
+    } catch {
+      reply(['--follow', '-f', '--limit', '-n']);
+    }
+  });
+
+  complete.on('stop', ({ reply }) => {
+    // Complete with active cluster IDs
+    try {
+      const clustersDir = path.join(process.env.HOME, '.zeroshot', 'clusters');
+      if (fs.existsSync(clustersDir)) {
+        const clusterIds = fs
+          .readdirSync(clustersDir)
+          .filter((f) => f.endsWith('.json'))
+          .map((f) => f.replace('.json', ''));
+        reply(clusterIds);
+      } else {
+        reply([]);
+      }
+    } catch {
+      reply([]);
+    }
+  });
+
+  complete.on('kill', ({ reply }) => {
+    // Complete with active cluster IDs
+    try {
+      const clustersDir = path.join(process.env.HOME, '.zeroshot', 'clusters');
+      if (fs.existsSync(clustersDir)) {
+        const clusterIds = fs
+          .readdirSync(clustersDir)
+          .filter((f) => f.endsWith('.json'))
+          .map((f) => f.replace('.json', ''));
+        reply(clusterIds);
+      } else {
+        reply([]);
+      }
+    } catch {
+      reply([]);
+    }
+  });
+
+  complete.on('export', ({ reply }) => {
+    // Complete with cluster IDs
+    try {
+      const clustersDir = path.join(process.env.HOME, '.zeroshot', 'clusters');
+      if (fs.existsSync(clustersDir)) {
+        const clusterIds = fs
+          .readdirSync(clustersDir)
+          .filter((f) => f.endsWith('.json'))
+          .map((f) => f.replace('.json', ''));
+        reply(clusterIds);
+      } else {
+        reply([]);
+      }
+    } catch {
+      reply([]);
+    }
+  });
+
+  complete.on('finish', ({ reply }) => {
+    // Complete with cluster IDs and flags
+    try {
+      const clustersDir = path.join(process.env.HOME, '.zeroshot', 'clusters');
+      const completions = ['--merge', '--pr', '--push'];
+
+      if (fs.existsSync(clustersDir)) {
+        const clusterIds = fs
+          .readdirSync(clustersDir)
+          .filter((f) => f.endsWith('.json'))
+          .map((f) => f.replace('.json', ''));
+        reply([...clusterIds, ...completions]);
+      } else {
+        reply(completions);
+      }
+    } catch {
+      reply(['--merge', '--pr', '--push']);
+    }
+  });
+
+  complete.on('resume', ({ reply }) => {
+    // Complete with cluster IDs
+    try {
+      const clustersDir = path.join(process.env.HOME, '.zeroshot', 'clusters');
+      if (fs.existsSync(clustersDir)) {
+        const clusterIds = fs
+          .readdirSync(clustersDir)
+          .filter((f) => f.endsWith('.json'))
+          .map((f) => f.replace('.json', ''));
+        reply(clusterIds);
+      } else {
+        reply([]);
+      }
+    } catch {
+      reply([]);
+    }
+  });
+
+  complete.on('ui', ({ reply }) => {
+    reply(['--port']);
+  });
+
+  complete.on('watch', ({ reply }) => {
+    reply(['--filter', '--refresh-rate', 'running', 'stopped', 'all']);
+  });
+
+  // Default completion - show commands
+  complete.on('', ({ reply }) => {
+    reply([
+      'start',
+      'list',
+      'status',
+      'logs',
+      'stop',
+      'kill',
+      'finish',
+      'resume',
+      'export',
+      'ui',
+      'watch',
+    ]);
+  });
+
+  complete.init();
+}
+
+module.exports = { setupCompletion };

package/lib/id-detector.js

@@ -0,0 +1,53 @@
+/**
+ * ID Detector - Determines if an ID is a task or cluster
+ *
+ * Strategy:
+ * 1. Check if ID exists in cluster storage
+ * 2. If not, check if ID exists in task storage
+ * 3. Return type: 'cluster', 'task', or null
+ */
+
+const path = require('path');
+const fs = require('fs');
+const os = require('os');
+
+// Storage paths
+const CLUSTER_DIR = path.join(os.homedir(), '.zeroshot');
+const TASK_DIR = path.join(os.homedir(), '.claude-zeroshot');
+
+/**
+ * Detect if ID is a cluster or task
+ * @param {string} id - The ID to check
+ * @returns {'cluster'|'task'|null} - Type of ID or null if not found
+ */
+function detectIdType(id) {
+  // Check clusters
+  const clusterFile = path.join(CLUSTER_DIR, 'clusters.json');
+  if (fs.existsSync(clusterFile)) {
+    try {
+      const clusters = JSON.parse(fs.readFileSync(clusterFile, 'utf8'));
+      if (clusters[id]) {
+        return 'cluster';
+      }
+    } catch {
+      // Ignore parse errors
+    }
+  }
+
+  // Check tasks
+  const taskFile = path.join(TASK_DIR, 'tasks.json');
+  if (fs.existsSync(taskFile)) {
+    try {
+      const tasks = JSON.parse(fs.readFileSync(taskFile, 'utf8'));
+      if (tasks[id]) {
+        return 'task';
+      }
+    } catch {
+      // Ignore parse errors
+    }
+  }
+
+  return null;
+}
+
+module.exports = { detectIdType };

package/lib/settings.js

@@ -0,0 +1,97 @@
+/**
+ * Settings management for zeroshot
+ * Persistent user preferences stored in ~/.zeroshot/settings.json
+ */
+
+const fs = require('fs');
+const path = require('path');
+const os = require('os');
+
+// Settings file path
+const SETTINGS_FILE = path.join(os.homedir(), '.zeroshot', 'settings.json');
+
+// Default settings
+const DEFAULT_SETTINGS = {
+  defaultModel: 'sonnet',
+  defaultConfig: 'conductor-bootstrap',
+  defaultIsolation: false,
+  strictSchema: false, // false = live streaming (default), true = guaranteed schema compliance (no streaming)
+  logLevel: 'normal',
+};
+
+/**
+ * Load settings from disk, merging with defaults
+ */
+function loadSettings() {
+  if (!fs.existsSync(SETTINGS_FILE)) {
+    return { ...DEFAULT_SETTINGS };
+  }
+  try {
+    const data = fs.readFileSync(SETTINGS_FILE, 'utf8');
+    return { ...DEFAULT_SETTINGS, ...JSON.parse(data) };
+  } catch {
+    console.error('Warning: Could not load settings, using defaults');
+    return { ...DEFAULT_SETTINGS };
+  }
+}
+
+/**
+ * Save settings to disk
+ */
+function saveSettings(settings) {
+  const dir = path.dirname(SETTINGS_FILE);
+  if (!fs.existsSync(dir)) {
+    fs.mkdirSync(dir, { recursive: true });
+  }
+  fs.writeFileSync(SETTINGS_FILE, JSON.stringify(settings, null, 2), 'utf8');
+}
+
+/**
+ * Validate a setting value
+ * @returns {string|null} Error message if invalid, null if valid
+ */
+function validateSetting(key, value) {
+  if (!(key in DEFAULT_SETTINGS)) {
+    return `Unknown setting: ${key}`;
+  }
+
+  if (key === 'defaultModel' && !['opus', 'sonnet', 'haiku'].includes(value)) {
+    return `Invalid model: ${value}. Valid models: opus, sonnet, haiku`;
+  }
+
+  if (key === 'logLevel' && !['quiet', 'normal', 'verbose'].includes(value)) {
+    return `Invalid log level: ${value}. Valid levels: quiet, normal, verbose`;
+  }
+
+  return null;
+}
+
+/**
+ * Coerce value to correct type based on default value type
+ */
+function coerceValue(key, value) {
+  const defaultValue = DEFAULT_SETTINGS[key];
+
+  if (typeof defaultValue === 'boolean') {
+    return value === 'true' || value === '1' || value === 'yes' || value === true;
+  }
+
+  if (typeof defaultValue === 'number') {
+    const parsed = parseInt(value);
+    if (isNaN(parsed)) {
+      throw new Error(`Invalid number: ${value}`);
+    }
+    return parsed;
+  }
+
+  return value;
+}
+
+module.exports = {
+  loadSettings,
+  saveSettings,
+  validateSetting,
+  coerceValue,
+  DEFAULT_SETTINGS,
+  SETTINGS_FILE,
+};