@kokorolx/ai-sandbox-wrapper 2.4.0 → 2.7.0

package/bin/ai-run

@@ -15,7 +15,9 @@ Options:
   -p, --password <value>   Set OpenCode server password (for web/serve mode)
       --password-env <VAR> Read OpenCode server password from environment variable
       --allow-unsecured    Allow OpenCode server to run without password (suppresses warning)
+      --git-fetch          Enable git fetch-only mode (blocks push)
   -h, --help               Show this help message
+      --help-env           Show environment variables reference
 
 OpenCode Server Authentication (web/serve mode only):
   When running 'opencode web' or 'opencode serve', you can control authentication:
@@ -38,17 +40,92 @@ Examples:
   ai-run opencode web -p secret           # Run with password
   ai-run opencode --shell                 # Start shell, run tool manually
   ai-run aider -n mynetwork               # Connect to Docker network
+  ai-run opencode --git-fetch              # Git fetch only (no push)
 
 Documentation: https://github.com/kokorolx/ai-sandbox-wrapper
 EOF
   exit 0
 }
 
+show_help_env() {
+  cat << 'EOF'
+Environment Variables Reference
+===============================
+
+Runtime Environment Variables (inline with ai-run):
+---------------------------------------------------
+  AI_IMAGE_SOURCE=registry    Use pre-built images from GitLab registry instead of local
+                              Example: AI_IMAGE_SOURCE=registry ai-run opencode
+
+  AI_RUN_DEBUG=1              Enable debug output (shows Docker command details)
+                              Example: AI_RUN_DEBUG=1 ai-run opencode
+
+  AI_RUN_PLATFORM=linux/amd64 Force specific platform (useful for cross-arch)
+                              Example: AI_RUN_PLATFORM=linux/amd64 ai-run opencode
+
+  PORT_BIND=all               Bind exposed ports to all interfaces (0.0.0.0) instead of localhost
+                              ⚠️  Security risk - use only when needed
+                              Example: PORT_BIND=all ai-run opencode web -e 4096
+
+  PORT=3000,4000              (Deprecated) Expose ports - use --expose flag instead
+                              Example: PORT=3000 ai-run opencode
+
+Build Environment Variables (inline with setup.sh or install scripts):
+----------------------------------------------------------------------
+  DOCKER_NO_CACHE=1           Force rebuild without Docker cache
+                              Example: DOCKER_NO_CACHE=1 bash setup.sh
+
+  OPENCODE_VERSION=1.1.52     Install specific OpenCode version instead of latest
+                              Example: OPENCODE_VERSION=1.1.52 bash lib/install-opencode.sh
+
+  INSTALL_CHROME_DEVTOOLS_MCP=1  Install Chrome DevTools MCP in base image
+  INSTALL_PLAYWRIGHT_MCP=1       Install Playwright MCP in base image
+  INSTALL_PLAYWRIGHT=1           Install Playwright browser automation
+  INSTALL_RUBY=1                 Install Ruby 3.3.0 + Rails 8.0.2
+  INSTALL_SPEC_KIT=1             Install spec-kit (specify CLI)
+  INSTALL_UX_UI_PROMAX=1         Install uipro CLI
+  INSTALL_OPENSPEC=1             Install OpenSpec CLI
+
+Container Environment Variables (passed to container via ~/.ai-sandbox/env):
+-----------------------------------------------------------------------------
+  ANTHROPIC_API_KEY           Anthropic API key for Claude
+  OPENAI_API_KEY              OpenAI API key
+  OPENCODE_SERVER_PASSWORD    Password for OpenCode web server
+  OPENCODE_SERVER_USERNAME    Username for OpenCode web server (default: opencode)
+  GITHUB_TOKEN                GitHub token for gh CLI authentication
+  GH_TOKEN                    Alternative GitHub token variable
+
+Configuration Files:
+--------------------
+  ~/.ai-sandbox/config.json   Main configuration (workspaces, git, networks, MCP)
+  ~/.ai-sandbox/env           API keys and secrets (KEY=value format)
+  ~/.ai-sandbox/workspaces    Legacy workspace list (one path per line)
+
+Examples:
+  # Debug mode with registry images
+  AI_RUN_DEBUG=1 AI_IMAGE_SOURCE=registry ai-run opencode
+
+  # Rebuild everything from scratch
+  DOCKER_NO_CACHE=1 bash setup.sh --no-cache
+
+  # Install specific OpenCode version
+  OPENCODE_VERSION=1.1.52 bash lib/install-opencode.sh
+
+  # Expose port to network (not just localhost)
+  PORT_BIND=all ai-run opencode web -e 4096
+EOF
+  exit 0
+}
+
 # Check for help flag before anything else
 if [[ "${1:-}" == "-h" || "${1:-}" == "--help" ]]; then
   show_help
 fi
 
+if [[ "${1:-}" == "--help-env" ]]; then
+  show_help_env
+fi
+
 TOOL="$1"
 shift 2>/dev/null || { echo "❌ ERROR: No tool specified. Use 'ai-run --help' for usage."; exit 1; }
 
@@ -60,6 +137,7 @@ EXPOSE_ARG=""
 SERVER_PASSWORD=""
 PASSWORD_ENV_VAR=""
 ALLOW_UNSECURED=false
+GIT_FETCH_ONLY_FLAG=false
 TOOL_ARGS=()
 
 while [[ $# -gt 0 ]]; do
@@ -102,6 +180,10 @@ while [[ $# -gt 0 ]]; do
       ALLOW_UNSECURED=true
       shift
       ;;
+    --git-fetch)
+      GIT_FETCH_ONLY_FLAG=true
+      shift
+      ;;
     *)
       TOOL_ARGS+=("$1")
       shift
@@ -336,7 +418,7 @@ upgrade_config_to_v2() {
   fi
 
   # Add missing v2 fields while preserving existing networks
-  jq '.version = 2 | .workspaces = (.workspaces // []) | .git = (.git // {"allowedWorkspaces":[],"keySelections":{}})' \
+  jq '.version = 2 | .workspaces = (.workspaces // []) | .git = (.git // {"allowedWorkspaces":[],"keySelections":{}}) | .git.fetchOnlyWorkspaces = (.git.fetchOnlyWorkspaces // [])' \
     "$AI_SANDBOX_CONFIG" > "$AI_SANDBOX_CONFIG.tmp" \
     && mv "$AI_SANDBOX_CONFIG.tmp" "$AI_SANDBOX_CONFIG"
   chmod 600 "$AI_SANDBOX_CONFIG"
@@ -351,7 +433,7 @@ init_config() {
 
   if [[ ! -f "$AI_SANDBOX_CONFIG" ]]; then
     # Create new v2 config
-    local initial_config='{"version":2,"workspaces":[],"git":{"allowedWorkspaces":[],"keySelections":{}},"networks":{"global":[],"workspaces":{}}}'
+    local initial_config='{"version":2,"workspaces":[],"git":{"allowedWorkspaces":[],"fetchOnlyWorkspaces":[],"keySelections":{}},"networks":{"global":[],"workspaces":{}}}'
     echo "$initial_config" > "$AI_SANDBOX_CONFIG"
     chmod 600 "$AI_SANDBOX_CONFIG"
 
@@ -508,9 +590,27 @@ case "$TOOL" in
   opencode)
     mount_tool_config "$HOME/.config/opencode" ".config/opencode"
     mount_tool_config "$HOME/.local/share/opencode" ".local/share/opencode"
+    # Bundle default skills (copy if not already present)
+    AIRUN_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+    BUNDLED_SKILLS_DIR="$AIRUN_DIR/../skills"
+    if [[ -d "$BUNDLED_SKILLS_DIR" ]]; then
+      for skill_dir in "$BUNDLED_SKILLS_DIR"/*/; do
+        [[ ! -d "$skill_dir" ]] && continue
+        skill_name=$(basename "$skill_dir")
+        target_dir="$HOME/.config/opencode/skills/$skill_name"
+        if [[ ! -d "$target_dir" ]]; then
+          mkdir -p "$target_dir"
+          cp -r "$skill_dir"* "$target_dir/" 2>/dev/null || true
+        fi
+      done
+    fi
+    ;;
+  openclaw)
+    mount_tool_config "$HOME/.openclaw" ".openclaw"
     ;;
   claude)
     mount_tool_config "$HOME/.claude" ".claude"
+    mount_tool_config "$HOME/.ccs" ".ccs"
     ;;
   droid)
     mount_tool_config "$HOME/.config/droid" ".config/droid"
@@ -972,8 +1072,48 @@ is_git_allowed() {
   return 1
 }
 
+# Check if workspace is in fetch-only mode (config.json)
+is_git_fetch_only() {
+  local ws="$1"
+  if has_jq && [[ -f "$AI_SANDBOX_CONFIG" ]]; then
+    local fetch_only=$(jq -r --arg ws "$ws" '.git.fetchOnlyWorkspaces // [] | index($ws) // -1' "$AI_SANDBOX_CONFIG" 2>/dev/null)
+    [[ "$fetch_only" -ge 0 ]] && return 0
+  fi
+  return 1
+}
+
+# Apply fetch-only restrictions by adding pushInsteadOf to gitconfig
+apply_git_fetch_only() {
+  local gitconfig_path="$HOME_DIR/.gitconfig"
+  # Ensure .gitconfig exists
+  touch "$gitconfig_path"
+  # Append push-blocking config (redirects all push URLs to non-existent protocol)
+  cat >> "$gitconfig_path" << 'FETCHONLY'
+
+# AI Sandbox: Git fetch-only mode (push disabled)
+[url "no-push://blocked"]
+	pushInsteadOf = git@
+	pushInsteadOf = ssh://
+	pushInsteadOf = https://
+	pushInsteadOf = http://
+FETCHONLY
+  echo "🔒 Git fetch-only mode: push operations are blocked"
+}
+
+GIT_FETCH_ONLY_MODE=false
+
+# Check --git-fetch flag
+if [[ "$GIT_FETCH_ONLY_FLAG" == "true" ]]; then
+  GIT_FETCH_ONLY_MODE=true
+fi
+
+# Check if workspace is in fetch-only list
+if is_git_fetch_only "$CURRENT_DIR"; then
+  GIT_FETCH_ONLY_MODE=true
+fi
+
 # Check if Git access is allowed for this workspace
-if is_git_allowed "$CURRENT_DIR"; then
+if is_git_allowed "$CURRENT_DIR" || is_git_fetch_only "$CURRENT_DIR" || [[ "$GIT_FETCH_ONLY_FLAG" == "true" ]]; then
   # Previously allowed for this workspace
   # Check if saved keys exist for this workspace
   WORKSPACE_MD5=$(echo "$CURRENT_DIR" | md5sum | cut -c1-8)
@@ -1015,7 +1155,7 @@ if is_git_allowed "$CURRENT_DIR"; then
       if [ -x "$SETUP_SSH" ]; then
         # Join SAVED_KEYS into a comma-separated string for --keys
         KEYS_ARG=$(IFS=,; echo "${SAVED_KEYS[*]}")
-        output=$("$SETUP_SSH" --keys "$KEYS_ARG" 2>&1)
+        output=$( "$SETUP_SSH" --keys "$KEYS_ARG" 2>&1 ) || true
         TEMP_CONFIG=$(echo "$output" | grep "Config:" | tail -1 | awk '{print $NF}')
         if [ -f "$TEMP_CONFIG" ]; then
           cp "$TEMP_CONFIG" "$GIT_CACHE_DIR/ssh/config" 2>/dev/null || true
@@ -1048,6 +1188,11 @@ if is_git_allowed "$CURRENT_DIR"; then
     # Copy gitconfig to HOME_DIR (can't mount file inside mounted directory)
     cp "$HOME/.gitconfig" "$HOME_DIR/.gitconfig" 2>/dev/null || true
   fi
+
+  # Apply fetch-only restrictions if mode is active
+  if [[ "$GIT_FETCH_ONLY_MODE" == "true" ]]; then
+    apply_git_fetch_only
+  fi
 else
   # Ask user if they want Git access for this workspace (only in interactive mode)
   if [[ -t 0 ]] && ([ -d "$HOME/.ssh" ] || [ -f "$HOME/.gitconfig" ]); then
@@ -1060,11 +1205,13 @@ else
     echo "  1) Yes, allow once (this session only)"
     echo "  2) Yes, always allow for this workspace"
     echo "  3) No, keep Git disabled (secure default)"
+    echo "  4) Fetch only - allow once (no push, this session)"
+    echo "  5) Fetch only - always for this workspace (no push)"
     echo ""
-    read -p "Choice [1-3]: " git_choice
+    read -p "Choice [1-5]: " git_choice
 
     case "$git_choice" in
-      1|2)
+      1|2|4|5)
         # Interactive SSH key selection
         echo ""
         echo "🔑 SSH Key Selection"
@@ -1120,7 +1267,7 @@ else
                 # Join SELECTED_SSH_KEYS into a comma-separated string for --keys
                 KEYS_ARG=$(IFS=,; echo "${SELECTED_SSH_KEYS[*]}")
                 # Run it and capture the filtered config path
-                output=$("$SETUP_SSH" --keys "$KEYS_ARG" 2>&1)
+                output=$( "$SETUP_SSH" --keys "$KEYS_ARG" 2>&1 ) || true
                 TEMP_CONFIG=$(echo "$output" | grep "Config:" | tail -1 | awk '{print $NF}')
                 if [ -f "$TEMP_CONFIG" ]; then
                   cp "$TEMP_CONFIG" "$GIT_CACHE_DIR/ssh/config" 2>/dev/null || true
@@ -1156,6 +1303,9 @@ else
               cp "$HOME/.gitconfig" "$HOME_DIR/.gitconfig" 2>/dev/null || true
             fi
 
+            if [[ "$git_choice" == "4" || "$git_choice" == "5" ]]; then
+              GIT_FETCH_ONLY_MODE=true
+            fi
             if [ "$git_choice" = "2" ]; then
               # Save workspace and selected keys for future sessions
               echo "$CURRENT_DIR" >> "$GIT_ALLOWED_FILE"
@@ -1170,6 +1320,20 @@ else
               mkdir -p "$GIT_SHARED_DIR/keys"
               printf "%s\n" "${SELECTED_SSH_KEYS[@]}" > "$GIT_SHARED_DIR/keys/$WORKSPACE_MD5"
               echo "✅ Git access enabled and saved for: $CURRENT_DIR"
+            elif [ "$git_choice" = "5" ]; then
+              # Save workspace to fetchOnlyWorkspaces
+              if has_jq && [[ -f "$AI_SANDBOX_CONFIG" ]]; then
+                jq --arg ws "$CURRENT_DIR" '.git.fetchOnlyWorkspaces = ((.git.fetchOnlyWorkspaces // []) + [$ws] | unique)' "$AI_SANDBOX_CONFIG" > "$AI_SANDBOX_CONFIG.tmp" \
+                  && mv "$AI_SANDBOX_CONFIG.tmp" "$AI_SANDBOX_CONFIG"
+                chmod 600 "$AI_SANDBOX_CONFIG"
+              fi
+              # Save selected keys (one per line for easier parsing)
+              WORKSPACE_MD5=$(echo "$CURRENT_DIR" | md5sum | cut -c1-8)
+              mkdir -p "$GIT_SHARED_DIR/keys"
+              printf "%s\n" "${SELECTED_SSH_KEYS[@]}" > "$GIT_SHARED_DIR/keys/$WORKSPACE_MD5"
+              echo "✅ Git fetch-only access enabled and saved for: $CURRENT_DIR"
+            elif [ "$git_choice" = "4" ]; then
+              echo "✅ Git fetch-only access enabled for this session"
             else
               echo "✅ Git access enabled for this session"
             fi
@@ -1185,6 +1349,11 @@ else
         echo "🔒 Git access disabled (secure mode)"
         ;;
     esac
+
+    # Apply fetch-only restrictions if mode is active
+    if [[ "$GIT_FETCH_ONLY_MODE" == "true" ]]; then
+      apply_git_fetch_only
+    fi
     echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
     echo ""
   fi
@@ -1398,6 +1567,273 @@ if is_opencode_web_mode; then
   resolve_opencode_password
 fi
 
+# ============================================================================
+# MCP AUTO-CONFIGURATION FOR OPENCODE
+# ============================================================================
+
+# Check if MCP tool is installed (from config.json, set during setup.sh)
+is_mcp_installed() {
+  local mcp_tool="$1"
+  if has_jq && [[ -f "$AI_SANDBOX_CONFIG" ]]; then
+    jq -e --arg tool "$mcp_tool" '.mcp.installed | index($tool) != null' "$AI_SANDBOX_CONFIG" &>/dev/null
+  else
+    return 1
+  fi
+}
+
+# Check if MCP is already configured in OpenCode config
+is_mcp_configured() {
+  local mcp_name="$1"
+  local config_file="$HOME/.config/opencode/opencode.json"
+  
+  if [[ ! -f "$config_file" ]]; then
+    return 1
+  fi
+  
+  if has_jq; then
+    jq -e --arg name "$mcp_name" '.mcp[$name] // empty' "$config_file" &>/dev/null
+  else
+    grep -q "\"$mcp_name\"" "$config_file" 2>/dev/null
+  fi
+}
+
+# Add MCP configuration to OpenCode config
+add_mcp_config() {
+  local mcp_name="$1"
+  local mcp_command="$2"
+  local force="${3:-false}"
+  local config_file="$HOME/.config/opencode/opencode.json"
+  
+  # Check if already configured and warn user
+  if [[ "$force" != "true" ]] && is_mcp_configured "$mcp_name"; then
+    echo ""
+    echo "  ⚠️  WARNING: '$mcp_name' is already configured!"
+    echo "     Reconfiguring will overwrite your existing settings."
+    echo "     Any custom credentials or options will be lost."
+    read -p "     Are you sure you want to overwrite? [y/N]: " overwrite_choice
+    if [[ ! "$overwrite_choice" =~ ^[Yy]$ ]]; then
+      echo "     ⏭️  Kept existing configuration"
+      return 1
+    fi
+  fi
+  
+  mkdir -p "$(dirname "$config_file")"
+  
+  if [[ ! -f "$config_file" ]]; then
+    # Create new config with MCP
+    echo "{\"mcp\": {\"$mcp_name\": {\"type\": \"local\", \"command\": $mcp_command}}}" > "$config_file"
+  elif has_jq; then
+    # Add MCP to existing config
+    jq --arg name "$mcp_name" --argjson cmd "$mcp_command" \
+      '.mcp = (.mcp // {}) | .mcp[$name] = {"type": "local", "command": $cmd}' \
+      "$config_file" > "$config_file.tmp" && mv "$config_file.tmp" "$config_file"
+  else
+    echo "⚠️  jq not found. Please manually add MCP configuration to $config_file"
+    return 1
+  fi
+  chmod 600 "$config_file"
+}
+
+# Mark MCP as skipped for this workspace (don't ask again)
+mark_mcp_skipped() {
+  local skip_file="$SANDBOX_DIR/.mcp-skip-$WORKSPACE_MD5"
+  date -Iseconds > "$skip_file" 2>/dev/null || date > "$skip_file"
+}
+
+# Check if MCP prompt was skipped for this workspace
+is_mcp_skipped() {
+  local skip_file="$SANDBOX_DIR/.mcp-skip-$WORKSPACE_MD5"
+  [[ -f "$skip_file" ]]
+}
+
+# Configure MCP tools for OpenCode
+configure_opencode_mcp() {
+  # Only run for opencode tool in interactive mode
+  [[ "$TOOL" != "opencode" ]] && return 0
+  [[ ! -t 0 ]] && return 0
+  
+  local config_file="$HOME/.config/opencode/opencode.json"
+  
+  # Generate workspace hash for skip tracking
+  WORKSPACE_MD5=$(echo "$CURRENT_DIR" | md5sum | cut -c1-8)
+  
+  # Check if already skipped for this workspace
+  if is_mcp_skipped; then
+    return 0
+  fi
+  
+  # Detect installed MCP tools (from config.json, set during setup.sh)
+  local chrome_installed=false
+  local playwright_installed=false
+  local chrome_configured=false
+  local playwright_configured=false
+  
+  if is_mcp_installed "chrome-devtools"; then
+    chrome_installed=true
+    is_mcp_configured "chrome-devtools" && chrome_configured=true
+  fi
+  
+  if is_mcp_installed "playwright"; then
+    playwright_installed=true
+    is_mcp_configured "playwright" && playwright_configured=true
+  fi
+  
+  # If no MCP tools installed in image, return
+  if [[ "$chrome_installed" == "false" && "$playwright_installed" == "false" ]]; then
+    return 0
+  fi
+  
+  # If all installed tools are already configured, return silently
+  local all_configured=true
+  [[ "$chrome_installed" == "true" && "$chrome_configured" == "false" ]] && all_configured=false
+  [[ "$playwright_installed" == "true" && "$playwright_configured" == "false" ]] && all_configured=false
+  
+  if [[ "$all_configured" == "true" ]]; then
+    return 0
+  fi
+  
+  # Build lists of configured and unconfigured tools
+  local unconfigured=()
+  local configured=()
+  [[ "$chrome_installed" == "true" && "$chrome_configured" == "false" ]] && unconfigured+=("chrome-devtools")
+  [[ "$chrome_installed" == "true" && "$chrome_configured" == "true" ]] && configured+=("chrome-devtools")
+  [[ "$playwright_installed" == "true" && "$playwright_configured" == "false" ]] && unconfigured+=("playwright")
+  [[ "$playwright_installed" == "true" && "$playwright_configured" == "true" ]] && configured+=("playwright")
+  
+  # Show prompt
+  echo ""
+  echo "🔌 MCP Tools Detected"
+  echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
+  
+  # Show already configured tools
+  if [[ ${#configured[@]} -gt 0 ]]; then
+    echo "Already configured:"
+    for tool in "${configured[@]}"; do
+      case "$tool" in
+        chrome-devtools)
+          echo "  ✓ Chrome DevTools MCP"
+          ;;
+        playwright)
+          echo "  ✓ Playwright MCP"
+          ;;
+      esac
+    done
+    echo ""
+  fi
+  
+  # Show unconfigured tools
+  if [[ ${#unconfigured[@]} -gt 0 ]]; then
+    echo "Not yet configured:"
+    for tool in "${unconfigured[@]}"; do
+      case "$tool" in
+        chrome-devtools)
+          echo "  • Chrome DevTools MCP - browser automation + performance profiling"
+          ;;
+        playwright)
+          echo "  • Playwright MCP - multi-browser automation"
+          ;;
+      esac
+    done
+    echo ""
+  fi
+  
+  echo "Configure MCP tools in OpenCode?"
+  echo "  1) Yes, configure all detected tools"
+  echo "  2) Yes, let me choose which ones"
+  echo "  3) No, skip (I'll configure manually)"
+  echo "  4) No, don't ask again for this workspace"
+  echo ""
+  read -p "Choice [1-4]: " mcp_choice
+  
+  local configured_any=false
+  
+  case "$mcp_choice" in
+    1)
+      # Configure all (both unconfigured and offer to reconfigure configured ones)
+      local all_tools=()
+      [[ "$chrome_installed" == "true" ]] && all_tools+=("chrome-devtools")
+      [[ "$playwright_installed" == "true" ]] && all_tools+=("playwright")
+      
+      for tool in "${all_tools[@]}"; do
+        case "$tool" in
+          chrome-devtools)
+            if add_mcp_config "chrome-devtools" '["chrome-devtools-mcp", "--headless", "--isolated", "--executablePath", "/opt/chromium"]'; then
+              echo "  ✓ Configured Chrome DevTools MCP"
+              configured_any=true
+            fi
+            ;;
+          playwright)
+            if add_mcp_config "playwright" '["npx", "@playwright/mcp@latest", "--headless", "--browser", "chromium"]'; then
+              echo "  ✓ Configured Playwright MCP"
+              configured_any=true
+            fi
+            ;;
+        esac
+      done
+      ;;
+    2)
+      # Let user choose from all installed tools
+      local all_tools=()
+      [[ "$chrome_installed" == "true" ]] && all_tools+=("chrome-devtools")
+      [[ "$playwright_installed" == "true" ]] && all_tools+=("playwright")
+      
+      for tool in "${all_tools[@]}"; do
+        local tool_desc=""
+        local status_hint=""
+        case "$tool" in
+          chrome-devtools)
+            tool_desc="Chrome DevTools MCP (browser automation + DevTools)"
+            is_mcp_configured "chrome-devtools" && status_hint=" [already configured]"
+            ;;
+          playwright)
+            tool_desc="Playwright MCP (multi-browser automation)"
+            is_mcp_configured "playwright" && status_hint=" [already configured]"
+            ;;
+        esac
+        read -p "  Configure $tool_desc$status_hint? [y/N]: " tool_choice
+        if [[ "$tool_choice" =~ ^[Yy]$ ]]; then
+          case "$tool" in
+            chrome-devtools)
+              if add_mcp_config "chrome-devtools" '["chrome-devtools-mcp", "--headless", "--isolated", "--executablePath", "/opt/chromium"]'; then
+                echo "    ✓ Configured"
+                configured_any=true
+              fi
+              ;;
+            playwright)
+              if add_mcp_config "playwright" '["npx", "@playwright/mcp@latest", "--headless", "--browser", "chromium"]'; then
+                echo "    ✓ Configured"
+                configured_any=true
+              fi
+              ;;
+          esac
+        else
+          echo "    ⏭️  Skipped"
+        fi
+      done
+      ;;
+    4)
+      mark_mcp_skipped
+      echo "ℹ️  Won't ask again for this workspace"
+      ;;
+    *)
+      echo "ℹ️  Skipped."
+      ;;
+  esac
+  
+  # Show config file path for easy editing
+  echo ""
+  if [[ "$configured_any" == "true" ]]; then
+    echo "✅ MCP configuration saved!"
+  fi
+  echo "📄 Config file: $config_file"
+  echo "   Edit this file to customize MCP settings or add credentials."
+  echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
+  echo ""
+}
+
+# Run MCP configuration check for opencode
+configure_opencode_mcp
+
 # ============================================================================
 # WEB COMMAND DETECTION AND PORT EXPOSURE
 # ============================================================================
@@ -1637,6 +2073,69 @@ fi
 # Detect display configuration (clipboard integration)
 DISPLAY_FLAGS=$(detect_display_config)
 
+# ============================================================================
+# OPENCLAW DOCKER-COMPOSE MODE
+# ============================================================================
+if [[ "$TOOL" == "openclaw" ]]; then
+  OPENCLAW_REPO_DIR="$HOME/.ai-sandbox/tools/openclaw/repo"
+  
+  if [[ ! -d "$OPENCLAW_REPO_DIR" ]]; then
+    echo "❌ ERROR: OpenClaw repository not found at $OPENCLAW_REPO_DIR"
+    echo "   Run: npx @kokorolx/ai-sandbox-wrapper setup"
+    exit 1
+  fi
+  
+  cd "$OPENCLAW_REPO_DIR"
+  
+  OPENCLAW_COMPOSE_FILE="$OPENCLAW_REPO_DIR/docker-compose.yml"
+  OPENCLAW_OVERRIDE_FILE="$OPENCLAW_REPO_DIR/docker-compose.override.yml"
+  
+  echo "🔄 Generating OpenClaw docker-compose override..."
+  
+  cat > "$OPENCLAW_OVERRIDE_FILE" <<EOF
+services:
+  openclaw-gateway:
+    environment:
+      HOME: /home/node
+      OPENCLAW_GATEWAY_TOKEN: \${OPENCLAW_GATEWAY_TOKEN:-}
+    volumes:
+      - $HOME/.openclaw:/home/node/.openclaw
+EOF
+  
+  for workspace in "${WORKSPACES[@]}"; do
+    echo "      - $workspace:$workspace" >> "$OPENCLAW_OVERRIDE_FILE"
+  done
+  
+  cat >> "$OPENCLAW_OVERRIDE_FILE" <<EOF
+    ports:
+      - "18789:18789"
+      - "18790:18790"
+    working_dir: $CURRENT_DIR
+EOF
+  
+  if [[ -n "$NETWORK_OPTIONS" ]]; then
+    echo "    networks:" >> "$OPENCLAW_OVERRIDE_FILE"
+    for net in ${DOCKER_NETWORKS//,/ }; do
+      echo "      - $net" >> "$OPENCLAW_OVERRIDE_FILE"
+    done
+    echo "" >> "$OPENCLAW_OVERRIDE_FILE"
+    echo "networks:" >> "$OPENCLAW_OVERRIDE_FILE"
+    for net in ${DOCKER_NETWORKS//,/ }; do
+      echo "  $net:" >> "$OPENCLAW_OVERRIDE_FILE"
+      echo "    external: true" >> "$OPENCLAW_OVERRIDE_FILE"
+    done
+  fi
+  
+  echo "🚀 Starting OpenClaw with docker-compose..."
+  echo "🌐 Gateway: http://localhost:18789"
+  echo "🌐 Bridge: http://localhost:18790"
+  echo ""
+  
+  exec docker compose -f "$OPENCLAW_COMPOSE_FILE" -f "$OPENCLAW_OVERRIDE_FILE" \
+    --env-file "$ENV_FILE" \
+    up --remove-orphans
+fi
+
 docker run $CONTAINER_NAME --rm $TTY_FLAGS \
   --init \
   --platform "$PLATFORM" \