@jgamaraalv/ts-dev-kit 3.1.2 → 3.2.0

package/.claude-plugin/marketplace.json

@@ -12,7 +12,7 @@
       "name": "ts-dev-kit",
       "source": "./",
       "description": "15 specialized agents and 22 skills for TypeScript fullstack development",
-      "version": "3.1.2",
+      "version": "3.2.0",
       "author": {
         "name": "jgamaraalv"
       },

package/.claude-plugin/plugin.json

@@ -1,6 +1,6 @@
 {
   "name": "ts-dev-kit",
-  "version": "3.1.2",
+  "version": "3.2.0",
   "description": "15 specialized agents and 22 skills for TypeScript fullstack development with Fastify, Next.js, PostgreSQL, Redis, and more.",
   "author": {
     "name": "jgamaraalv",

package/CHANGELOG.md

@@ -5,6 +5,26 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [3.2.0] - 2026-02-27
+
+### Added
+
+- Cross-scope agent name resolution: `/execute-task` and `/debug` dispatch protocols now detect whether agents are registered with a plugin prefix (`ts-dev-kit:agent-name`) and use the correct `subagent_type` automatically
+- `/yolo` Phase 1.5 — Ensure plugin availability: when ts-dev-kit is installed as a plugin, copies agents, skills, and agent-memory into the project before mounting the devcontainer so they're accessible inside the container
+- `/codebase-adapter` scope-aware discovery: phase 2 now searches agents and skills across project scope (`.claude/`), plugin scope (`node_modules/`), and personal scope (`~/.claude/`)
+
+### Fixed
+
+- Agent memory paths in all 13 agents now use dynamic resolution (`agent-memory/<name>/` at project root first, fallback to `.claude/agent-memory/<name>/`) instead of a hardcoded `.claude/` prefix
+- `/core-web-vitals` visualize script path no longer hardcoded to `~/.claude/skills/` — now discovers the correct path across all installation scopes
+
+## [3.1.3] - 2026-02-27
+
+### Fixed
+
+- `/yolo` firewall script: revert to strict upstream reference (`set -euo pipefail`, no fallbacks) — remove `exec > >(tee ...)` that caused VS Code to hang with "Unable to resolve resource", remove `|| true` fallbacks that masked failures, remove `| tee` from `postStartCommand`; keep only the `sort -u` dedup fix for duplicate DNS IPs
+- `/yolo` SKILL.md: document critical anti-patterns (process substitution logging, loose error handling, piped postStartCommand)
+
 ## [3.1.2] - 2026-02-27
 
 ### Fixed

package/agents/accessibility-pro.md

@@ -88,7 +88,7 @@ Report when done:
 </output>
 
 <agent-memory>
-You have a persistent memory directory at `.claude/agent-memory/accessibility-pro/`. Its contents persist across conversations.
+You have a persistent memory directory. Its contents persist across conversations. To find it, look for `agent-memory/accessibility-pro/` at the project root first, then fall back to `.claude/agent-memory/accessibility-pro/`. Use whichever path exists.
 
 As you work, consult your memory files to build on previous experience. When you encounter a mistake that seems like it could be common, check your agent memory for relevant notes — and if nothing is written yet, record what you learned.
 

package/agents/api-builder.md

@@ -58,7 +58,7 @@ Report when done:
 </output>
 
 <agent-memory>
-You have a persistent memory directory at `.claude/agent-memory/api-builder/`. Its contents persist across conversations.
+You have a persistent memory directory. Its contents persist across conversations. To find it, look for `agent-memory/api-builder/` at the project root first, then fall back to `.claude/agent-memory/api-builder/`. Use whichever path exists.
 
 As you work, consult your memory files to build on previous experience. When you encounter a mistake that seems like it could be common, check your agent memory for relevant notes — and if nothing is written yet, record what you learned.
 

package/agents/code-reviewer.md

@@ -70,7 +70,7 @@ APPROVE / REQUEST CHANGES / NEEDS DISCUSSION
 </output_format>
 
 <agent-memory>
-You have a persistent memory directory at `.claude/agent-memory/code-reviewer/`. Its contents persist across conversations.
+You have a persistent memory directory. Its contents persist across conversations. To find it, look for `agent-memory/code-reviewer/` at the project root first, then fall back to `.claude/agent-memory/code-reviewer/`. Use whichever path exists.
 
 As you work, consult your memory files to build on previous experience. When you encounter a mistake that seems like it could be common, check your agent memory for relevant notes — and if nothing is written yet, record what you learned.
 

package/agents/database-expert.md

@@ -69,7 +69,7 @@ Report when done:
 </output>
 
 <agent-memory>
-You have a persistent memory directory at `.claude/agent-memory/database-expert/`. Its contents persist across conversations.
+You have a persistent memory directory. Its contents persist across conversations. To find it, look for `agent-memory/database-expert/` at the project root first, then fall back to `.claude/agent-memory/database-expert/`. Use whichever path exists.
 
 As you work, consult your memory files to build on previous experience. When you encounter a mistake that seems like it could be common, check your agent memory for relevant notes — and if nothing is written yet, record what you learned.
 

package/agents/debugger.md

@@ -119,7 +119,7 @@ Report when done:
 </output>
 
 <agent-memory>
-You have a persistent memory directory at `.claude/agent-memory/debugger/`. Its contents persist across conversations.
+You have a persistent memory directory. Its contents persist across conversations. To find it, look for `agent-memory/debugger/` at the project root first, then fall back to `.claude/agent-memory/debugger/`. Use whichever path exists.
 
 As you work, consult your memory files to build on previous experience. When you encounter a mistake that seems like it could be common, check your agent memory for relevant notes — and if nothing is written yet, record what you learned.
 

package/agents/docker-expert.md

@@ -43,7 +43,7 @@ Report when done:
 </output>
 
 <agent-memory>
-You have a persistent memory directory at `.claude/agent-memory/docker-expert/`. Its contents persist across conversations.
+You have a persistent memory directory. Its contents persist across conversations. To find it, look for `agent-memory/docker-expert/` at the project root first, then fall back to `.claude/agent-memory/docker-expert/`. Use whichever path exists.
 
 As you work, consult your memory files to build on previous experience. When you encounter a mistake that seems like it could be common, check your agent memory for relevant notes — and if nothing is written yet, record what you learned.
 

package/agents/performance-engineer.md

@@ -101,7 +101,7 @@ Report when done:
 </output>
 
 <agent-memory>
-You have a persistent memory directory at `.claude/agent-memory/performance-engineer/`. Its contents persist across conversations.
+You have a persistent memory directory. Its contents persist across conversations. To find it, look for `agent-memory/performance-engineer/` at the project root first, then fall back to `.claude/agent-memory/performance-engineer/`. Use whichever path exists.
 
 As you work, consult your memory files to build on previous experience. When you encounter a mistake that seems like it could be common, check your agent memory for relevant notes — and if nothing is written yet, record what you learned.
 

package/agents/playwright-expert.md

@@ -90,7 +90,7 @@ Report when done:
 </output>
 
 <agent-memory>
-You have a persistent memory directory at `.claude/agent-memory/playwright-expert/`. Its contents persist across conversations.
+You have a persistent memory directory. Its contents persist across conversations. To find it, look for `agent-memory/playwright-expert/` at the project root first, then fall back to `.claude/agent-memory/playwright-expert/`. Use whichever path exists.
 
 As you work, consult your memory files to build on previous experience. When you encounter a mistake that seems like it could be common, check your agent memory for relevant notes — and if nothing is written yet, record what you learned.
 

package/agents/react-specialist.md

@@ -69,7 +69,7 @@ Report when done:
 </output>
 
 <agent-memory>
-You have a persistent memory directory at `.claude/agent-memory/react-specialist/`. Its contents persist across conversations.
+You have a persistent memory directory. Its contents persist across conversations. To find it, look for `agent-memory/react-specialist/` at the project root first, then fall back to `.claude/agent-memory/react-specialist/`. Use whichever path exists.
 
 As you work, consult your memory files to build on previous experience. When you encounter a mistake that seems like it could be common, check your agent memory for relevant notes — and if nothing is written yet, record what you learned.
 

package/agents/security-scanner.md

@@ -71,7 +71,7 @@ If implementing fixes, run the project's standard quality checks for every packa
   </quality_gates>
 
 <agent-memory>
-You have a persistent memory directory at `.claude/agent-memory/security-scanner/`. Its contents persist across conversations.
+You have a persistent memory directory. Its contents persist across conversations. To find it, look for `agent-memory/security-scanner/` at the project root first, then fall back to `.claude/agent-memory/security-scanner/`. Use whichever path exists.
 
 As you work, consult your memory files to build on previous experience. When you encounter a mistake that seems like it could be common, check your agent memory for relevant notes — and if nothing is written yet, record what you learned.
 

package/agents/test-generator.md

@@ -115,7 +115,7 @@ Report when done:
 </output>
 
 <agent-memory>
-You have a persistent memory directory at `.claude/agent-memory/test-generator/`. Its contents persist across conversations.
+You have a persistent memory directory. Its contents persist across conversations. To find it, look for `agent-memory/test-generator/` at the project root first, then fall back to `.claude/agent-memory/test-generator/`. Use whichever path exists.
 
 As you work, consult your memory files to build on previous experience. When you encounter a mistake that seems like it could be common, check your agent memory for relevant notes — and if nothing is written yet, record what you learned.
 

package/agents/typescript-pro.md

@@ -110,7 +110,7 @@ Report when done:
 </output>
 
 <agent-memory>
-You have a persistent memory directory at `.claude/agent-memory/typescript-pro/`. Its contents persist across conversations.
+You have a persistent memory directory. Its contents persist across conversations. To find it, look for `agent-memory/typescript-pro/` at the project root first, then fall back to `.claude/agent-memory/typescript-pro/`. Use whichever path exists.
 
 As you work, consult your memory files to build on previous experience. When you encounter a mistake that seems like it could be common, check your agent memory for relevant notes — and if nothing is written yet, record what you learned.
 

package/agents/ux-optimizer.md

@@ -66,7 +66,7 @@ Report when done:
 </output>
 
 <agent-memory>
-You have a persistent memory directory at `.claude/agent-memory/ux-optimizer/`. Its contents persist across conversations.
+You have a persistent memory directory. Its contents persist across conversations. To find it, look for `agent-memory/ux-optimizer/` at the project root first, then fall back to `.claude/agent-memory/ux-optimizer/`. Use whichever path exists.
 
 As you work, consult your memory files to build on previous experience. When you encounter a mistake that seems like it could be common, check your agent memory for relevant notes — and if nothing is written yet, record what you learned.
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@jgamaraalv/ts-dev-kit",
-  "version": "3.1.2",
+  "version": "3.2.0",
   "description": "Claude Code plugin: 15 agents + 22 skills for TypeScript fullstack development",
   "author": "jgamaraalv",
   "license": "MIT",

package/skills/codebase-adapter/SKILL.md

@@ -19,7 +19,7 @@ Working directory: !`pwd`
 
 Lockfile detected: !`ls bun.lock pnpm-lock.yaml yarn.lock package-lock.json 2>/dev/null | head -1 || echo "none"`
 
-Agents installed: !`ls .claude/agents/ 2>/dev/null | tr '\n' ' ' || echo "(not found)"`
+Agents installed: !`ls .claude/agents/ 2>/dev/null | tr '\n' ' ' || ls agents/ 2>/dev/null | tr '\n' ' ' || echo "(not found)"`
 
 MCP servers configured: !`python3 -c "import json; s=json.load(open('.claude/settings.json')); print(', '.join(s.get('mcpServers',{}).keys()) or '(none)')" 2>/dev/null || echo "(not found)"`
 
@@ -91,9 +91,17 @@ Discover with Read, Glob, Grep — verify everything, assume nothing.
 - typecheck, lint, test, build command names
 - Compose the full run command per workspace (e.g., `pnpm --filter @acme/api typecheck`)
 
-**Available skills** — list directories in `[plugin-root]/skills/`
-
-**Available agents** — list files in `[plugin-root]/.claude/agents/`
+**Available skills** — search across all scopes in order:
+1. `[plugin-root]/skills/` (plugin or project-local)
+2. `.claude/skills/` in the project root (project scope)
+3. `~/.claude/skills/` (personal scope)
+Merge and deduplicate — plugin-root takes priority.
+
+**Available agents** — search across all scopes in order:
+1. `[plugin-root]/agents/` and `[plugin-root]/.claude/agents/` (plugin or project-local)
+2. `.claude/agents/` in the project root (project scope)
+3. `~/.claude/agents/` (personal scope)
+Merge and deduplicate — plugin-root takes priority.
 
 **Available MCPs** — read `.claude/settings.json` in project root (and `~/.claude/settings.json` as fallback). Extract `mcpServers` keys.
 </phase_2_project_discovery>

package/skills/core-web-vitals/SKILL.md

@@ -75,18 +75,25 @@ correlates with INP but does not replace field measurement.
 
 When the user provides metric values or a Lighthouse JSON file, generate an interactive HTML report and open it in the browser:
 
+To locate the script, find `scripts/visualize.py` relative to this skill's directory. The path depends on how ts-dev-kit is installed:
+- **Project scope**: `skills/core-web-vitals/scripts/visualize.py` or `.claude/skills/core-web-vitals/scripts/visualize.py`
+- **Personal scope**: `~/.claude/skills/core-web-vitals/scripts/visualize.py`
+- **Plugin scope**: resolve via `node_modules/@jgamaraalv/ts-dev-kit/skills/core-web-vitals/scripts/visualize.py`
+
+Use `find` or `ls` to discover the actual path, then run:
+
 ```bash
-# From manual values
-python3 ~/.claude/skills/core-web-vitals/scripts/visualize.py \
+# From manual values (replace SCRIPT_PATH with the discovered path)
+python3 SCRIPT_PATH/visualize.py \
   --lcp 2.1 --inp 180 --cls 0.05 \
   --url https://example.com
 
 # From a Lighthouse JSON output
-python3 ~/.claude/skills/core-web-vitals/scripts/visualize.py \
+python3 SCRIPT_PATH/visualize.py \
   --lighthouse lighthouse-report.json
 
 # Custom output path, no auto-open
-python3 ~/.claude/skills/core-web-vitals/scripts/visualize.py \
+python3 SCRIPT_PATH/visualize.py \
   --lcp 3.8 --inp 420 --cls 0.12 \
   --output cwv-report.html --no-open
 ```

package/skills/debug/references/debug-dispatch.md

@@ -72,7 +72,7 @@ After investigation, dispatch the appropriate **specialist agent** (not necessar
 [Specific changes needed — be precise about expected behavior]
 ```
 
-Use the agent type that matches the fix domain:
+Use the agent type that matches the fix domain. If ts-dev-kit is installed as a plugin, use the prefixed name (e.g., `ts-dev-kit:api-builder`). Check which agents are available in your context and use the exact registered name:
 - API route fix -> `api-builder` (preloads fastify-best-practices)
 - Database/query fix -> `database-expert` (preloads drizzle-pg, postgresql)
 - Component fix -> `react-specialist` (preloads react-best-practices, composition-patterns)
@@ -84,6 +84,8 @@ Use the agent type that matches the fix domain:
 
 ## Role-specific prompts
 
+> **Note:** All agent types below may be prefixed with `ts-dev-kit:` when the plugin is installed in plugin scope (e.g., `ts-dev-kit:debugger`). Check the available agents in your context and use the exact registered name.
+
 ### Backend debugger
 
 **Agent type**: `debugger`
@@ -166,9 +168,10 @@ Verification focus:
 # Dispatch: MULTI-LAYER
 
 # Wave 1: Parallel investigation
+# Use "debugger" or "ts-dev-kit:debugger" depending on scope
 Task(
   description: "Debug resource creation API endpoint",
-  subagent_type: "debugger",
+  subagent_type: "debugger",  // or "ts-dev-kit:debugger" if plugin-scoped
   model: "sonnet",
   prompt: """
 ## Bug description
@@ -195,7 +198,7 @@ Returns 200, but GET /api/<resource> returns empty array.
 
 Task(
   description: "Debug resource list page",
-  subagent_type: "debugger",
+  subagent_type: "debugger",  // or "ts-dev-kit:debugger" if plugin-scoped
   model: "sonnet",
   prompt: """
 ## Bug description
@@ -219,12 +222,12 @@ stale data.
 )
 
 # Wave 2: Dispatch fixes using specialist agents matching the fix domain
-# e.g., api-builder for API fix, react-specialist for frontend fix
+# e.g., api-builder (or ts-dev-kit:api-builder) for API fix
 
 # Wave 3: E2E verification
 Task(
   description: "Verify resource creation flow",
-  subagent_type: "playwright-expert",
+  subagent_type: "playwright-expert",  // or "ts-dev-kit:playwright-expert"
   model: "haiku",
   prompt: """
 ## Your task

package/skills/execute-task/SKILL.md

@@ -176,11 +176,11 @@ Do not decompose if:
 Each role gets its own persona, skill set, context files, and success criteria.
 
 <example>
-Role A: Database specialist (sub-area: Database). Agent: database-expert. Task: design schema + migration for the new feature. Skills: drizzle-pg, postgresql.
-Role B: API endpoint developer (sub-area: Endpoints). Agent: api-builder. Task: build REST routes consuming the new schema. Skills: fastify-best-practices.
-Role C: Component architect (sub-area: Components). Agent: react-specialist. Task: build the result card and list components. Skills: react-best-practices, composition-patterns.
+Role A: Database specialist (sub-area: Database). Agent: database-expert (or ts-dev-kit:database-expert if plugin-scoped). Task: design schema + migration for the new feature. Skills: drizzle-pg, postgresql.
+Role B: API endpoint developer (sub-area: Endpoints). Agent: api-builder (or ts-dev-kit:api-builder). Task: build REST routes consuming the new schema. Skills: fastify-best-practices.
+Role C: Component architect (sub-area: Components). Agent: react-specialist (or ts-dev-kit:react-specialist). Task: build the result card and list components. Skills: react-best-practices, composition-patterns.
 Role D: Page builder (sub-area: Pages/routing). Agent: general-purpose (ad-hoc). Task: wire components into the search results page with data fetching. Skills: nextjs-best-practices.
-Role E: TypeScript library developer. Agent: typescript-pro. Task: add shared schemas and types. Skills: none extra.
+Role E: TypeScript library developer. Agent: typescript-pro (or ts-dev-kit:typescript-pro). Task: add shared schemas and types. Skills: none extra.
 </example>
 </rule_1_define_roles_independently>
 
@@ -188,8 +188,11 @@ Role E: TypeScript library developer. Agent: typescript-pro. Task: add shared sc
 For each role, spawn a specialized subagent via the Task tool.
 
 **Selecting the agent type:**
-1. Check if a project agent exists in `.claude/agents/` that matches the sub-area (see domain_areas table above for the mapping).
-2. If a matching agent exists, use its name as `subagent_type` (e.g., `database-expert`, `api-builder`, `react-specialist`).
+1. **Resolve the agent name for the current scope.** Agents may be registered under different names depending on how ts-dev-kit is installed:
+   - **Project scope** (`.claude/agents/`): short name — e.g., `database-expert`
+   - **Plugin scope**: prefixed with the plugin namespace — e.g., `ts-dev-kit:database-expert`
+   Before dispatching, check which agents are available in your context. If you see agents with a `ts-dev-kit:` prefix, use the prefixed name as `subagent_type`. If agents are available by short name, use the short name.
+2. If a matching agent exists (in any scope), use its resolved name as `subagent_type`.
 3. If no matching agent exists, use `general-purpose` as `subagent_type` and embed the full role definition directly in the prompt — this creates an ad-hoc specialist without needing a .md file.
 
 **Ad-hoc agent creation** — when `subagent_type: "general-purpose"` is used as a specialist surrogate, the prompt must include:

package/skills/execute-task/references/agent-dispatch.md

@@ -44,6 +44,8 @@ Agents with preloaded skills (via `skills` frontmatter) do NOT need Skill() call
 | typescript-pro | (none) | — |
 | playwright-expert | (none) | — |
 
+> **Note:** When ts-dev-kit is installed as a plugin, agent names are prefixed with the plugin namespace (e.g., `ts-dev-kit:api-builder` instead of `api-builder`). Always check the available agents in your context and use the full registered name as `subagent_type`.
+
 ### Agent tool restrictions
 
 | Agent | Restriction |
@@ -68,9 +70,11 @@ All agents default to `sonnet`. Override with the Task tool's `model` parameter
 ## Dispatch example
 
 ```
+// Use the agent name as registered in your context.
+// Project-scoped: "api-builder". Plugin-scoped: "ts-dev-kit:api-builder".
 Task(
   description: "Build resource API routes",
-  subagent_type: "api-builder",
+  subagent_type: "api-builder",  // or "ts-dev-kit:api-builder" if plugin-scoped
   model: "sonnet",
   prompt: """
 ## Your task
@@ -97,7 +101,10 @@ Discover from the codebase:
 
 Before dispatching, resolve the agent type for each role:
 
-1. **Check `.claude/agents/`** — if a project agent matches the sub-area from the domain mapping (e.g., `database-expert` for DB work, `api-builder` for endpoints, `react-specialist` for components), use it as `subagent_type`.
+1. **Resolve the agent name for the current scope.** Agents may be registered with a plugin prefix depending on how ts-dev-kit is installed:
+   - **Project scope** (`.claude/agents/`): short name — e.g., `api-builder`
+   - **Plugin scope**: prefixed — e.g., `ts-dev-kit:api-builder`
+   Check which agents are available in your context and use the exact registered name as `subagent_type`.
 2. **Use a built-in agent type** — if the Task tool has a matching built-in type (e.g., `typescript-pro`, `performance-engineer`, `security-scanner`), use it directly.
 3. **Create an ad-hoc specialist** — if no existing agent matches, use `subagent_type: "general-purpose"` and embed the full specialist definition in the prompt.
 

package/skills/yolo/SKILL.md

@@ -48,8 +48,11 @@ Follow this decision tree strictly. Each phase gates the next.
 START
   │
   ├─ Phase 1: Detect devcontainer
-  │    ├─ EXISTS → Phase 2
-  │    └─ MISSING → Phase 5 (install) → Phase 2
+  │    ├─ EXISTS → Phase 1.5
+  │    └─ MISSING → Phase 5 (install) → Phase 1.5
+  │
+  ├─ Phase 1.5: Ensure plugin availability
+  │    └─ Copy agents/skills/agent-memory into project if missing → Phase 2
   │
   ├─ Phase 2: Check Docker
   │    ├─ RUNNING → Phase 3
@@ -62,7 +65,7 @@ START
   │    └─ Start Docker Desktop/daemon → Phase 3
   │
   └─ Phase 5: Install devcontainer
-       └─ Scaffold .devcontainer/ → Phase 2
+       └─ Scaffold .devcontainer/ → Phase 1.5
 ```
 
 <phase_1_detect>
@@ -72,9 +75,9 @@ START
 Check whether `.devcontainer/devcontainer.json` exists in the project root.
 
 1. Read the `<live_context>` above for the pre-injected detection result.
-2. If **YES** — announce to the user and proceed to Phase 2:
+2. If **YES** — announce to the user and proceed to Phase 1.5:
 
-> **DEVCONTAINER DETECTED** — `.devcontainer/` found. Checking Docker status...
+> **DEVCONTAINER DETECTED** — `.devcontainer/` found. Checking plugin availability...
 
 3. If **NO** — announce and proceed to Phase 5:
 
@@ -82,6 +85,89 @@ Check whether `.devcontainer/devcontainer.json` exists in the project root.
 
 </phase_1_detect>
 
+<phase_1_5_ensure_plugin>
+
+## Phase 1.5 — Ensure plugin availability
+
+The devcontainer mounts only the project directory at `/workspace`. If ts-dev-kit is installed as a plugin (outside the project), its agents, skills, and agent-memory won't be available inside the container. This phase copies them into the project so they're accessible.
+
+### Step 1 — Check if agents and skills already exist in the project
+
+```bash
+ls .claude/agents/*.md 2>/dev/null && echo "AGENTS_PRESENT" || echo "AGENTS_MISSING"
+ls .claude/skills/*/SKILL.md 2>/dev/null && echo "SKILLS_PRESENT" || echo "SKILLS_MISSING"
+```
+
+If both are present, skip to Phase 2:
+
+> **PLUGIN FILES PRESENT** — agents and skills found in project. Checking Docker status...
+
+### Step 2 — Locate the plugin source
+
+If agents or skills are missing, search for the plugin in these locations (in order):
+
+1. `node_modules/@jgamaraalv/ts-dev-kit/` (npm-installed plugin)
+2. The directory containing this skill file (if invoked from a known path)
+
+```bash
+# Try npm location
+PLUGIN_SRC="node_modules/@jgamaraalv/ts-dev-kit"
+if [ ! -d "$PLUGIN_SRC/agents" ]; then
+  echo "Plugin not found in node_modules"
+  PLUGIN_SRC=""
+fi
+```
+
+If the plugin source cannot be found, inform the user and proceed to Phase 2 (the devcontainer will work but without ts-dev-kit agents):
+
+> **PLUGIN NOT FOUND** — Could not locate ts-dev-kit plugin files. The devcontainer will work but agents and skills won't be available. Install the plugin with `npm install -D @jgamaraalv/ts-dev-kit` to fix this.
+
+### Step 3 — Copy plugin files into the project
+
+```bash
+# Copy agents
+mkdir -p .claude/agents
+cp "$PLUGIN_SRC"/agents/*.md .claude/agents/
+
+# Copy skills (symlink directories to save space)
+mkdir -p .claude/skills
+for skill_dir in "$PLUGIN_SRC"/skills/*/; do
+  skill_name=$(basename "$skill_dir")
+  if [ ! -e ".claude/skills/$skill_name" ]; then
+    cp -r "$skill_dir" ".claude/skills/$skill_name"
+  fi
+done
+
+# Copy agent-memory scaffolds (don't overwrite existing memories)
+if [ -d "$PLUGIN_SRC/agent-memory" ]; then
+  for mem_dir in "$PLUGIN_SRC"/agent-memory/*/; do
+    mem_name=$(basename "$mem_dir")
+    if [ ! -d "agent-memory/$mem_name" ]; then
+      mkdir -p "agent-memory/$mem_name"
+      cp -n "$mem_dir"* "agent-memory/$mem_name/" 2>/dev/null || true
+    fi
+  done
+fi
+```
+
+### Step 4 — Suggest .gitignore update
+
+Check if these copied directories are already in `.gitignore`. If not, inform the user:
+
+> **PLUGIN FILES COPIED** — Agents, skills, and agent-memory copied into the project for devcontainer access.
+>
+> Consider adding these to `.gitignore` if you don't want to commit them:
+> ```
+> # ts-dev-kit plugin files (copied for devcontainer)
+> .claude/agents/
+> .claude/skills/
+> agent-memory/
+> ```
+
+Proceed to Phase 2.
+
+</phase_1_5_ensure_plugin>
+
 <phase_2_check_docker>
 
 ## Phase 2 — Check Docker
@@ -252,14 +338,23 @@ Write the file using the reference firewall script. See [references/init-firewal
 
 Key security features:
 
+- `set -euo pipefail` — exits immediately on any error (strict mode)
 - Default-deny policy (DROP all INPUT, OUTPUT, FORWARD)
-- Whitelisted outbound only: npm registry, GitHub (dynamic IP fetch), Claude API, Sentry, StatsIG, VS Code marketplace
+- Whitelisted outbound only: npm registry, GitHub (dynamic IP fetch via `api.github.com/meta`), Claude API, Sentry, StatsIG, VS Code marketplace
 - DNS and SSH allowed
 - Localhost and host network allowed
+- Docker DNS rules preserved before flushing
+- Uses `ipset hash:net` for efficient CIDR matching (required — do NOT add fallback logic)
 - Startup verification: confirms `example.com` is blocked and `api.github.com` is reachable
-- Docker DNS rules preserved
-- Falls back to iptables-only rules if `ipset` kernel module is unavailable (common on Docker Desktop for Mac)
-- Full diagnostic log at `/tmp/firewall-init.log` for troubleshooting
+- Exits with error if any domain fails to resolve or any IP range is invalid
+
+**Critical anti-patterns to avoid in this script:**
+- Do NOT use `exec > >(tee ...)` for logging — process substitutions run via `sudo` never receive EOF, causing the script to hang indefinitely and VS Code to fail with "Unable to resolve resource"
+- Do NOT remove the `-e` flag from `set -euo pipefail` — silent error handling masks failures
+- Do NOT add `|| true` fallbacks for core iptables/ipset commands
+
+**Critical anti-pattern to avoid in `devcontainer.json`:**
+- Do NOT pipe `postStartCommand` through `tee` (e.g., `... | tee /tmp/firewall-init.log`) — this hides the script's real exit code and creates redundant I/O. The correct value is simply: `"postStartCommand": "sudo /usr/local/bin/init-firewall.sh"`
 
 ### Step 5 — Add `.devcontainer` to `.gitignore` (optional)
 
@@ -279,9 +374,9 @@ cat .devcontainer/devcontainer.json | head -5
 
 Announce completion:
 
-> **DEVCONTAINER INSTALLED** — `.devcontainer/` is ready with Dockerfile, firewall script, and configuration. Proceeding to check Docker...
+> **DEVCONTAINER INSTALLED** — `.devcontainer/` is ready with Dockerfile, firewall script, and configuration. Checking plugin availability...
 
-Return to Phase 2.
+Return to Phase 1.5.
 
 </phase_5_install_devcontainer>
 

package/skills/yolo/references/devcontainer-json.md

@@ -57,7 +57,7 @@ Write this file to `.devcontainer/devcontainer.json`:
   },
   "workspaceMount": "source=${localWorkspaceFolder},target=/workspace,type=bind,consistency=delegated",
   "workspaceFolder": "/workspace",
-  "postStartCommand": "sudo /usr/local/bin/init-firewall.sh 2>&1 | tee /tmp/firewall-init.log",
+  "postStartCommand": "sudo /usr/local/bin/init-firewall.sh",
   "waitFor": "postStartCommand"
 }
 ```

package/skills/yolo/references/init-firewall.sh.md

@@ -4,279 +4,162 @@ Write this file to `.devcontainer/init-firewall.sh`:
 
 ```bash
 #!/bin/bash
-set -uo pipefail  # Strict vars and pipelines, but handle errors manually
-IFS=$'\n\t'
-
-LOG="/tmp/firewall-init.log"
-exec > >(tee -a "$LOG") 2>&1
-echo "=== Firewall init started at $(date -u) ==="
-
-# --- Diagnostics -----------------------------------------------------------
-echo "--- Pre-flight checks ---"
-HAVE_IPTABLES=false
-HAVE_IPSET=false
-
-if iptables -L -n >/dev/null 2>&1; then
-    HAVE_IPTABLES=true
-    echo "[OK] iptables is functional"
-else
-    echo "[FAIL] iptables is NOT functional — firewall cannot be configured"
-    echo "Hint: ensure --cap-add=NET_ADMIN is set in devcontainer.json runArgs"
-    exit 1
-fi
-
-if ipset list >/dev/null 2>&1 || ipset create _test hash:net 2>/dev/null; then
-    ipset destroy _test 2>/dev/null || true
-    HAVE_IPSET=true
-    echo "[OK] ipset is functional"
-else
-    echo "[WARN] ipset is NOT functional — falling back to iptables-only rules"
-fi
-
-if command -v dig >/dev/null 2>&1; then
-    echo "[OK] dig is available"
-else
-    echo "[WARN] dig not found — DNS resolution will use getent"
-fi
-
-if command -v aggregate >/dev/null 2>&1; then
-    echo "[OK] aggregate is available"
-else
-    echo "[WARN] aggregate not found — GitHub CIDRs will be added individually"
-fi
-
-# --- Helper: resolve domain to IPs ----------------------------------------
-resolve_domain() {
-    local domain="$1"
-    local ips=""
-    if command -v dig >/dev/null 2>&1; then
-        ips=$(dig +noall +answer +short A "$domain" 2>/dev/null | grep -E '^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$' | sort -u)
-    fi
-    if [ -z "$ips" ] && command -v getent >/dev/null 2>&1; then
-        ips=$(getent ahostsv4 "$domain" 2>/dev/null | awk '{print $1}' | sort -u | grep -E '^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$')
-    fi
-    echo "$ips"
-}
-
-# --- 1. Preserve Docker DNS -----------------------------------------------
-echo "--- Preserving Docker DNS rules ---"
-DOCKER_DNS_RULES=$(iptables-save -t nat 2>/dev/null | grep "127\.0\.0\.11" || true)
-
-# --- 2. Flush existing rules -----------------------------------------------
-echo "--- Flushing existing rules ---"
-iptables -F  || true
-iptables -X  || true
-iptables -t nat -F    || true
-iptables -t nat -X    || true
-iptables -t mangle -F || true
-iptables -t mangle -X || true
-if [ "$HAVE_IPSET" = true ]; then
-    ipset destroy allowed-domains 2>/dev/null || true
-fi
-
-# --- 3. Restore Docker DNS -------------------------------------------------
+set -euo pipefail  # Exit on error, undefined vars, and pipeline failures
+IFS=$'\n\t'       # Stricter word splitting
+
+# 1. Extract Docker DNS info BEFORE any flushing
+DOCKER_DNS_RULES=$(iptables-save -t nat | grep "127\.0\.0\.11" || true)
+
+# Flush existing rules and delete existing ipsets
+iptables -F
+iptables -X
+iptables -t nat -F
+iptables -t nat -X
+iptables -t mangle -F
+iptables -t mangle -X
+ipset destroy allowed-domains 2>/dev/null || true
+
+# 2. Selectively restore ONLY internal Docker DNS resolution
 if [ -n "$DOCKER_DNS_RULES" ]; then
     echo "Restoring Docker DNS rules..."
     iptables -t nat -N DOCKER_OUTPUT 2>/dev/null || true
     iptables -t nat -N DOCKER_POSTROUTING 2>/dev/null || true
-    echo "$DOCKER_DNS_RULES" | while read -r rule; do
-        iptables -t nat $rule 2>/dev/null || true
-    done
+    echo "$DOCKER_DNS_RULES" | xargs -L 1 iptables -t nat
 else
     echo "No Docker DNS rules to restore"
 fi
 
-# --- 4. Base rules (DNS, SSH, localhost) ------------------------------------
-echo "--- Setting base rules ---"
-# Outbound DNS
+# First allow DNS and localhost before any restrictions
+# Allow outbound DNS
 iptables -A OUTPUT -p udp --dport 53 -j ACCEPT
-iptables -A OUTPUT -p tcp --dport 53 -j ACCEPT
-# Inbound DNS responses
+# Allow inbound DNS responses
 iptables -A INPUT -p udp --sport 53 -j ACCEPT
-iptables -A INPUT -p tcp --sport 53 -j ACCEPT
-# Outbound SSH
+# Allow outbound SSH
 iptables -A OUTPUT -p tcp --dport 22 -j ACCEPT
+# Allow inbound SSH responses
 iptables -A INPUT -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT
-# Localhost
+# Allow localhost
 iptables -A INPUT -i lo -j ACCEPT
 iptables -A OUTPUT -o lo -j ACCEPT
 
-# --- 5. Host network -------------------------------------------------------
-HOST_IP=$(ip route 2>/dev/null | grep default | head -1 | awk '{print $3}')
-if [ -n "$HOST_IP" ]; then
-    HOST_NETWORK=$(echo "$HOST_IP" | sed "s/\.[0-9]*$/.0\/16/")
-    echo "Host network: $HOST_NETWORK (via $HOST_IP)"
-    iptables -A INPUT -s "$HOST_NETWORK" -j ACCEPT
-    iptables -A OUTPUT -d "$HOST_NETWORK" -j ACCEPT
-else
-    echo "[WARN] Could not detect host IP — allowing RFC1918 ranges for Docker connectivity"
-    iptables -A INPUT -s 172.16.0.0/12 -j ACCEPT
-    iptables -A OUTPUT -d 172.16.0.0/12 -j ACCEPT
-    iptables -A INPUT -s 192.168.0.0/16 -j ACCEPT
-    iptables -A OUTPUT -d 192.168.0.0/16 -j ACCEPT
-    iptables -A INPUT -s 10.0.0.0/8 -j ACCEPT
-    iptables -A OUTPUT -d 10.0.0.0/8 -j ACCEPT
-fi
+# Create ipset with CIDR support
+ipset create allowed-domains hash:net
 
-# --- 6. Allowed domains ----------------------------------------------------
-ALLOWED_DOMAINS=(
-    "registry.npmjs.org"
-    "api.anthropic.com"
-    "sentry.io"
-    "statsig.anthropic.com"
-    "statsig.com"
-    "marketplace.visualstudio.com"
-    "vscode.blob.core.windows.net"
-    "update.code.visualstudio.com"
-)
+# Fetch GitHub meta information and aggregate + add their IP ranges
+echo "Fetching GitHub IP ranges..."
+gh_ranges=$(curl -s https://api.github.com/meta)
+if [ -z "$gh_ranges" ]; then
+    echo "ERROR: Failed to fetch GitHub IP ranges"
+    exit 1
+fi
 
-if [ "$HAVE_IPSET" = true ]; then
-    # ---- ipset mode (preferred) ----
-    echo "--- Building ipset allowlist ---"
-    ipset create allowed-domains hash:net
+if ! echo "$gh_ranges" | jq -e '.web and .api and .git' >/dev/null; then
+    echo "ERROR: GitHub API response missing required fields"
+    exit 1
+fi
 
-    # GitHub dynamic IPs
-    echo "Fetching GitHub IP ranges..."
-    gh_ranges=$(curl -sf --connect-timeout 10 https://api.github.com/meta 2>/dev/null || true)
-    if [ -n "$gh_ranges" ] && echo "$gh_ranges" | jq -e '.web and .api and .git' >/dev/null 2>&1; then
-        if command -v aggregate >/dev/null 2>&1; then
-            while read -r cidr; do
-                [[ "$cidr" =~ ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+/[0-9]+$ ]] && ipset add allowed-domains "$cidr" 2>/dev/null || true
-            done < <(echo "$gh_ranges" | jq -r '(.web + .api + .git)[]' | aggregate -q 2>/dev/null)
-        else
-            while read -r cidr; do
-                [[ "$cidr" =~ ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+/[0-9]+$ ]] && ipset add allowed-domains "$cidr" 2>/dev/null || true
-            done < <(echo "$gh_ranges" | jq -r '(.web + .api + .git)[]')
-        fi
-        echo "[OK] GitHub IP ranges added"
-    else
-        echo "[WARN] Could not fetch GitHub IPs — resolving github.com directly"
-        for gh_domain in "github.com" "api.github.com" "raw.githubusercontent.com" "objects.githubusercontent.com"; do
-            ips=$(resolve_domain "$gh_domain")
-            while read -r ip; do
-                [ -n "$ip" ] && ipset add allowed-domains "$ip" 2>/dev/null || true
-            done <<< "$ips"
-        done
+echo "Processing GitHub IPs..."
+while read -r cidr; do
+    if [[ ! "$cidr" =~ ^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}/[0-9]{1,2}$ ]]; then
+        echo "ERROR: Invalid CIDR range from GitHub meta: $cidr"
+        exit 1
     fi
-
-    # Other allowed domains
-    for domain in "${ALLOWED_DOMAINS[@]}"; do
-        echo "Resolving $domain..."
-        ips=$(resolve_domain "$domain")
-        if [ -z "$ips" ]; then
-            echo "[WARN] Failed to resolve $domain — skipping"
-            continue
-        fi
-        while read -r ip; do
-            [ -n "$ip" ] && ipset add allowed-domains "$ip" 2>/dev/null || true
-        done <<< "$ips"
-    done
-
-    # Apply ipset match rule
-    iptables -A OUTPUT -m set --match-set allowed-domains dst -j ACCEPT
-
-else
-    # ---- iptables-only mode (fallback) ----
-    echo "--- Building iptables allowlist (no ipset) ---"
-
-    # GitHub IPs
-    echo "Fetching GitHub IP ranges..."
-    gh_ranges=$(curl -sf --connect-timeout 10 https://api.github.com/meta 2>/dev/null || true)
-    if [ -n "$gh_ranges" ] && echo "$gh_ranges" | jq -e '.web and .api and .git' >/dev/null 2>&1; then
-        while read -r cidr; do
-            [[ "$cidr" =~ ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+/[0-9]+$ ]] && \
-                iptables -A OUTPUT -d "$cidr" -j ACCEPT 2>/dev/null || true
-        done < <(echo "$gh_ranges" | jq -r '(.web + .api + .git)[]')
-        echo "[OK] GitHub IP ranges added via iptables"
-    else
-        echo "[WARN] Could not fetch GitHub IPs — resolving github.com directly"
-        for gh_domain in "github.com" "api.github.com" "raw.githubusercontent.com" "objects.githubusercontent.com"; do
-            ips=$(resolve_domain "$gh_domain")
-            while read -r ip; do
-                [ -n "$ip" ] && iptables -A OUTPUT -d "$ip" -j ACCEPT 2>/dev/null || true
-            done <<< "$ips"
-        done
+    echo "Adding GitHub range $cidr"
+    ipset add allowed-domains "$cidr"
+done < <(echo "$gh_ranges" | jq -r '(.web + .api + .git)[]' | sort -u | aggregate -q)
+
+# Resolve and add other allowed domains
+for domain in \
+    "registry.npmjs.org" \
+    "api.anthropic.com" \
+    "sentry.io" \
+    "statsig.anthropic.com" \
+    "statsig.com" \
+    "marketplace.visualstudio.com" \
+    "vscode.blob.core.windows.net" \
+    "update.code.visualstudio.com"; do
+    echo "Resolving $domain..."
+    ips=$(dig +noall +answer A "$domain" | awk '$4 == "A" {print $5}' | sort -u)
+    if [ -z "$ips" ]; then
+        echo "ERROR: Failed to resolve $domain"
+        exit 1
     fi
 
-    # Other allowed domains
-    for domain in "${ALLOWED_DOMAINS[@]}"; do
-        echo "Resolving $domain..."
-        ips=$(resolve_domain "$domain")
-        if [ -z "$ips" ]; then
-            echo "[WARN] Failed to resolve $domain — skipping"
-            continue
+    while read -r ip; do
+        if [[ ! "$ip" =~ ^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$ ]]; then
+            echo "ERROR: Invalid IP from DNS for $domain: $ip"
+            exit 1
         fi
-        while read -r ip; do
-            [ -n "$ip" ] && iptables -A OUTPUT -d "$ip" -j ACCEPT 2>/dev/null || true
-        done <<< "$ips"
-    done
+        echo "Adding $ip for $domain"
+        ipset add allowed-domains "$ip"
+    done < <(echo "$ips")
+done
+
+# Get host IP from default route
+HOST_IP=$(ip route | grep default | cut -d" " -f3)
+if [ -z "$HOST_IP" ]; then
+    echo "ERROR: Failed to detect host IP"
+    exit 1
 fi
 
-# --- 7. Default-deny policies ----------------------------------------------
-echo "--- Applying default-deny policies ---"
+HOST_NETWORK=$(echo "$HOST_IP" | sed "s/\.[0-9]*$/.0\/24/")
+echo "Host network detected as: $HOST_NETWORK"
+
+# Set up remaining iptables rules
+iptables -A INPUT -s "$HOST_NETWORK" -j ACCEPT
+iptables -A OUTPUT -d "$HOST_NETWORK" -j ACCEPT
+
+# Set default policies to DROP first
 iptables -P INPUT DROP
 iptables -P FORWARD DROP
 iptables -P OUTPUT DROP
 
-# Allow established connections
+# First allow established connections for already approved traffic
 iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
 iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
 
-# Reject everything else with immediate feedback
-iptables -A OUTPUT -j REJECT --reject-with icmp-admin-prohibited
+# Then allow only specific outbound traffic to allowed domains
+iptables -A OUTPUT -m set --match-set allowed-domains dst -j ACCEPT
 
-# --- 8. Verification -------------------------------------------------------
-echo "--- Verifying firewall ---"
-VERIFIED=true
+# Explicitly REJECT all other outbound traffic for immediate feedback
+iptables -A OUTPUT -j REJECT --reject-with icmp-admin-prohibited
 
+echo "Firewall configuration complete"
+echo "Verifying firewall rules..."
 if curl --connect-timeout 5 https://example.com >/dev/null 2>&1; then
-    echo "[FAIL] Firewall verification failed — reached https://example.com (should be blocked)"
-    VERIFIED=false
+    echo "ERROR: Firewall verification failed - was able to reach https://example.com"
+    exit 1
 else
-    echo "[OK] https://example.com is blocked as expected"
+    echo "Firewall verification passed - unable to reach https://example.com as expected"
 fi
 
-if curl --connect-timeout 5 https://api.github.com/zen >/dev/null 2>&1; then
-    echo "[OK] https://api.github.com is reachable as expected"
+# Verify GitHub API access
+if ! curl --connect-timeout 5 https://api.github.com/zen >/dev/null 2>&1; then
+    echo "ERROR: Firewall verification failed - unable to reach https://api.github.com"
+    exit 1
 else
-    echo "[WARN] https://api.github.com is not reachable — GitHub IPs may have changed"
-    echo "       Claude Code will still work, but git operations may fail"
+    echo "Firewall verification passed - able to reach https://api.github.com as expected"
 fi
+```
 
-if [ "$VERIFIED" = false ]; then
-    echo "=== FIREWALL VERIFICATION FAILED ==="
-    exit 1
-fi
+## Differences from the upstream Claude Code reference
 
-echo "=== Firewall configured successfully ==="
-echo "Mode: $([ "$HAVE_IPSET" = true ] && echo 'ipset' || echo 'iptables-only')"
-echo "Log: $LOG"
-```
+The only change from the [upstream reference](https://github.com/anthropics/claude-code/blob/main/.devcontainer/init-firewall.sh) is `| sort -u` added to two pipelines to deduplicate IPs before `ipset add`:
 
-## Key improvements over the original
+1. **GitHub CIDRs** (line with `aggregate -q`): `jq -r '...'[]' | sort -u | aggregate -q` — deduplicates before aggregation
+2. **Domain resolution** (line with `dig`): `awk ... | sort -u` — deduplicates IPs from DNS (e.g., `marketplace.visualstudio.com` returns the same IP twice)
 
-| Issue | Original behavior | Improved behavior |
-|-------|-------------------|-------------------|
-| Duplicate IPs from DNS | `ipset add` fatal error (exit 1) | Deduplicates via `sort -u` + `ipset add ... \|\| true` |
-| `ipset` not available | Fatal crash | Falls back to iptables-only rules |
-| `aggregate` not available | Fatal crash | Adds CIDRs individually without aggregation |
-| `dig` not available | Fatal crash | Falls back to `getent ahostsv4` |
-| GitHub API unreachable | Fatal crash | Resolves github.com/api.github.com directly |
-| Domain resolution fails | Fatal crash | Skips domain with warning, continues |
-| Host IP detection fails | Fatal crash | Allows all RFC1918 ranges as fallback |
-| Docker DNS restore fails | Silent + potential crash | Handles per-rule with `|| true` |
-| No diagnostic output | Blind exit code 1 | Full log at `/tmp/firewall-init.log` |
-| GitHub unreachable after setup | Fatal crash | Warning only (Claude API is the critical path) |
+Without deduplication, `ipset add` fails with `"Element cannot be added to the set: it's already added"` and `set -euo pipefail` terminates the script.
 
 ## Firewall rules summary
 
 | Rule | Direction | Purpose |
 |------|-----------|---------|
-| DNS (UDP/TCP 53) | Outbound | Domain name resolution |
+| DNS (UDP 53) | Outbound | Domain name resolution |
 | SSH (TCP 22) | Outbound | Git over SSH |
 | Localhost | Both | Container-internal communication |
 | Host network | Both | Docker host ↔ container communication |
-| GitHub IPs | Outbound | Git operations, GitHub API (dynamically fetched or resolved) |
+| GitHub IPs | Outbound | Git operations, GitHub API (dynamically fetched from api.github.com/meta) |
 | npm registry | Outbound | Package installation |
 | api.anthropic.com | Outbound | Claude API calls |
 | sentry.io | Outbound | Error reporting |
@@ -287,7 +170,7 @@ echo "Log: $LOG"
 ## Verification on startup
 
 The script verifies the firewall by:
-1. Confirming `https://example.com` is **blocked** (must fail — otherwise exit 1)
-2. Confirming `https://api.github.com` is **reachable** (warning only if it fails)
+1. Confirming `https://example.com` is **blocked** (should fail)
+2. Confirming `https://api.github.com` is **reachable** (should succeed)
 
-All output is logged to `/tmp/firewall-init.log` for debugging.
+If either check fails, the script exits with an error and the container will not start.