@kokorolx/ai-sandbox-wrapper 2.6.0 → 2.7.0

package/README.md

@@ -4,7 +4,7 @@
 
 Protect your SSH keys, API tokens, and system files while using AI tools that need filesystem access.
 
-*Last updated: February 9, 2026*
+*Last updated: February 25, 2026*
 
 ---
 
@@ -33,21 +33,24 @@ Protect your SSH keys, API tokens, and system files while using AI tools that ne
 
 ## ✨ What's New
 
-### v2.3.0-beta: Web Mode & Port Exposure
+### v2.7.0: Git Fetch-Only Mode & Bundled Skills
 
-- **Web Auto-Detection**: `opencode web` automatically exposes port 4096 and injects `--hostname 0.0.0.0`
-- **`--expose` Flag**: New way to expose ports (replaces deprecated `PORT` env var)
-- **Port Conflict Detection**: Fails fast if port is already in use
+- **Git Fetch-Only**: Allow git fetch/pull but block push — perfect for AI agents that should read but not write
+- **Bundled Skills**: RTK token optimizer skills auto-installed for OpenCode users
+- **SSH Config Fix**: Resolved crash during git credential setup
 
 ```bash
-# Web mode - automatic port exposure
-opencode web
+# Fetch-only mode (no push allowed)
+opencode --git-fetch
 
-# Custom port
-opencode web --port 8080
+# Or select from interactive menu:
+#   4) Fetch only - allow once (no push, this session)
+#   5) Fetch only - always for this workspace (no push)
 
-# Expose additional ports
-opencode --expose 3000,5555 web
+# Manage via CLI
+npx @kokorolx/ai-sandbox-wrapper git fetch-only ~/projects/myrepo
+npx @kokorolx/ai-sandbox-wrapper git full ~/projects/myrepo
+npx @kokorolx/ai-sandbox-wrapper git status
 ```
 
 ---
@@ -172,8 +175,21 @@ Git credentials are **not** shared by default. When you run a tool, you'll be pr
 ```
 🔐 Git Access Control
   1) Yes, allow once
-  2) Yes, always allow for this workspace  
+  2) Yes, always allow for this workspace
   3) No, keep Git disabled (secure default)
+  4) Fetch only - allow once (no push, this session)
+  5) Fetch only - always for this workspace (no push)
+```
+
+**Fetch-only mode** allows `git fetch`, `git pull`, `git clone` but blocks `git push`. Uses git's `pushInsteadOf` config — no network restrictions needed.
+
+```bash
+# Force fetch-only via flag
+opencode --git-fetch
+
+# Manage via CLI
+npx @kokorolx/ai-sandbox-wrapper git fetch-only ~/projects/myrepo
+npx @kokorolx/ai-sandbox-wrapper git full ~/projects/myrepo
 ```
 
 ### Clipboard
@@ -233,6 +249,17 @@ After installation, configure your MCP client (e.g., OpenCode) to use them:
 
 > **Note:** The `--no-sandbox` flags are required when running in Docker containers. This is safe because the container itself provides isolation.
 
+### Bundled Skills (OpenCode)
+
+OpenCode containers auto-install these skills on first run (existing skills are never overwritten):
+
+| Skill | Description |
+|-------|-------------|
+| `rtk` | Command reference for RTK token optimizer (60-90% token savings) |
+| `rtk-setup` | Persistent RTK enforcement — updates AGENTS.md and propagates to subagents |
+
+Skills are copied to `~/.config/opencode/skills/` and available immediately.
+
 ---
 
 ## 📁 Directory Structure
@@ -290,6 +317,9 @@ opencode -e 3000,4000         # Multiple ports
 # Network
 opencode -n mynetwork         # Join Docker network
 
+# Git fetch-only
+opencode --git-fetch            # Fetch only (no push)
+
 # Management
 npx @kokorolx/ai-sandbox-wrapper workspace list
 npx @kokorolx/ai-sandbox-wrapper clean

package/bin/ai-run

@@ -15,6 +15,7 @@ Options:
   -p, --password <value>   Set OpenCode server password (for web/serve mode)
       --password-env <VAR> Read OpenCode server password from environment variable
       --allow-unsecured    Allow OpenCode server to run without password (suppresses warning)
+      --git-fetch          Enable git fetch-only mode (blocks push)
   -h, --help               Show this help message
       --help-env           Show environment variables reference
 
@@ -39,6 +40,7 @@ Examples:
   ai-run opencode web -p secret           # Run with password
   ai-run opencode --shell                 # Start shell, run tool manually
   ai-run aider -n mynetwork               # Connect to Docker network
+  ai-run opencode --git-fetch              # Git fetch only (no push)
 
 Documentation: https://github.com/kokorolx/ai-sandbox-wrapper
 EOF
@@ -135,6 +137,7 @@ EXPOSE_ARG=""
 SERVER_PASSWORD=""
 PASSWORD_ENV_VAR=""
 ALLOW_UNSECURED=false
+GIT_FETCH_ONLY_FLAG=false
 TOOL_ARGS=()
 
 while [[ $# -gt 0 ]]; do
@@ -177,6 +180,10 @@ while [[ $# -gt 0 ]]; do
       ALLOW_UNSECURED=true
       shift
       ;;
+    --git-fetch)
+      GIT_FETCH_ONLY_FLAG=true
+      shift
+      ;;
     *)
       TOOL_ARGS+=("$1")
       shift
@@ -411,7 +418,7 @@ upgrade_config_to_v2() {
   fi
 
   # Add missing v2 fields while preserving existing networks
-  jq '.version = 2 | .workspaces = (.workspaces // []) | .git = (.git // {"allowedWorkspaces":[],"keySelections":{}})' \
+  jq '.version = 2 | .workspaces = (.workspaces // []) | .git = (.git // {"allowedWorkspaces":[],"keySelections":{}}) | .git.fetchOnlyWorkspaces = (.git.fetchOnlyWorkspaces // [])' \
     "$AI_SANDBOX_CONFIG" > "$AI_SANDBOX_CONFIG.tmp" \
     && mv "$AI_SANDBOX_CONFIG.tmp" "$AI_SANDBOX_CONFIG"
   chmod 600 "$AI_SANDBOX_CONFIG"
@@ -426,7 +433,7 @@ init_config() {
 
   if [[ ! -f "$AI_SANDBOX_CONFIG" ]]; then
     # Create new v2 config
-    local initial_config='{"version":2,"workspaces":[],"git":{"allowedWorkspaces":[],"keySelections":{}},"networks":{"global":[],"workspaces":{}}}'
+    local initial_config='{"version":2,"workspaces":[],"git":{"allowedWorkspaces":[],"fetchOnlyWorkspaces":[],"keySelections":{}},"networks":{"global":[],"workspaces":{}}}'
     echo "$initial_config" > "$AI_SANDBOX_CONFIG"
     chmod 600 "$AI_SANDBOX_CONFIG"
 
@@ -583,9 +590,27 @@ case "$TOOL" in
   opencode)
     mount_tool_config "$HOME/.config/opencode" ".config/opencode"
     mount_tool_config "$HOME/.local/share/opencode" ".local/share/opencode"
+    # Bundle default skills (copy if not already present)
+    AIRUN_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+    BUNDLED_SKILLS_DIR="$AIRUN_DIR/../skills"
+    if [[ -d "$BUNDLED_SKILLS_DIR" ]]; then
+      for skill_dir in "$BUNDLED_SKILLS_DIR"/*/; do
+        [[ ! -d "$skill_dir" ]] && continue
+        skill_name=$(basename "$skill_dir")
+        target_dir="$HOME/.config/opencode/skills/$skill_name"
+        if [[ ! -d "$target_dir" ]]; then
+          mkdir -p "$target_dir"
+          cp -r "$skill_dir"* "$target_dir/" 2>/dev/null || true
+        fi
+      done
+    fi
+    ;;
+  openclaw)
+    mount_tool_config "$HOME/.openclaw" ".openclaw"
     ;;
   claude)
     mount_tool_config "$HOME/.claude" ".claude"
+    mount_tool_config "$HOME/.ccs" ".ccs"
     ;;
   droid)
     mount_tool_config "$HOME/.config/droid" ".config/droid"
@@ -1047,8 +1072,48 @@ is_git_allowed() {
   return 1
 }
 
+# Check if workspace is in fetch-only mode (config.json)
+is_git_fetch_only() {
+  local ws="$1"
+  if has_jq && [[ -f "$AI_SANDBOX_CONFIG" ]]; then
+    local fetch_only=$(jq -r --arg ws "$ws" '.git.fetchOnlyWorkspaces // [] | index($ws) // -1' "$AI_SANDBOX_CONFIG" 2>/dev/null)
+    [[ "$fetch_only" -ge 0 ]] && return 0
+  fi
+  return 1
+}
+
+# Apply fetch-only restrictions by adding pushInsteadOf to gitconfig
+apply_git_fetch_only() {
+  local gitconfig_path="$HOME_DIR/.gitconfig"
+  # Ensure .gitconfig exists
+  touch "$gitconfig_path"
+  # Append push-blocking config (redirects all push URLs to non-existent protocol)
+  cat >> "$gitconfig_path" << 'FETCHONLY'
+
+# AI Sandbox: Git fetch-only mode (push disabled)
+[url "no-push://blocked"]
+	pushInsteadOf = git@
+	pushInsteadOf = ssh://
+	pushInsteadOf = https://
+	pushInsteadOf = http://
+FETCHONLY
+  echo "🔒 Git fetch-only mode: push operations are blocked"
+}
+
+GIT_FETCH_ONLY_MODE=false
+
+# Check --git-fetch flag
+if [[ "$GIT_FETCH_ONLY_FLAG" == "true" ]]; then
+  GIT_FETCH_ONLY_MODE=true
+fi
+
+# Check if workspace is in fetch-only list
+if is_git_fetch_only "$CURRENT_DIR"; then
+  GIT_FETCH_ONLY_MODE=true
+fi
+
 # Check if Git access is allowed for this workspace
-if is_git_allowed "$CURRENT_DIR"; then
+if is_git_allowed "$CURRENT_DIR" || is_git_fetch_only "$CURRENT_DIR" || [[ "$GIT_FETCH_ONLY_FLAG" == "true" ]]; then
   # Previously allowed for this workspace
   # Check if saved keys exist for this workspace
   WORKSPACE_MD5=$(echo "$CURRENT_DIR" | md5sum | cut -c1-8)
@@ -1090,7 +1155,7 @@ if is_git_allowed "$CURRENT_DIR"; then
       if [ -x "$SETUP_SSH" ]; then
         # Join SAVED_KEYS into a comma-separated string for --keys
         KEYS_ARG=$(IFS=,; echo "${SAVED_KEYS[*]}")
-        output=$("$SETUP_SSH" --keys "$KEYS_ARG" 2>&1)
+        output=$( "$SETUP_SSH" --keys "$KEYS_ARG" 2>&1 ) || true
         TEMP_CONFIG=$(echo "$output" | grep "Config:" | tail -1 | awk '{print $NF}')
         if [ -f "$TEMP_CONFIG" ]; then
           cp "$TEMP_CONFIG" "$GIT_CACHE_DIR/ssh/config" 2>/dev/null || true
@@ -1123,6 +1188,11 @@ if is_git_allowed "$CURRENT_DIR"; then
     # Copy gitconfig to HOME_DIR (can't mount file inside mounted directory)
     cp "$HOME/.gitconfig" "$HOME_DIR/.gitconfig" 2>/dev/null || true
   fi
+
+  # Apply fetch-only restrictions if mode is active
+  if [[ "$GIT_FETCH_ONLY_MODE" == "true" ]]; then
+    apply_git_fetch_only
+  fi
 else
   # Ask user if they want Git access for this workspace (only in interactive mode)
   if [[ -t 0 ]] && ([ -d "$HOME/.ssh" ] || [ -f "$HOME/.gitconfig" ]); then
@@ -1135,11 +1205,13 @@ else
     echo "  1) Yes, allow once (this session only)"
     echo "  2) Yes, always allow for this workspace"
     echo "  3) No, keep Git disabled (secure default)"
+    echo "  4) Fetch only - allow once (no push, this session)"
+    echo "  5) Fetch only - always for this workspace (no push)"
     echo ""
-    read -p "Choice [1-3]: " git_choice
+    read -p "Choice [1-5]: " git_choice
 
     case "$git_choice" in
-      1|2)
+      1|2|4|5)
         # Interactive SSH key selection
         echo ""
         echo "🔑 SSH Key Selection"
@@ -1195,7 +1267,7 @@ else
                 # Join SELECTED_SSH_KEYS into a comma-separated string for --keys
                 KEYS_ARG=$(IFS=,; echo "${SELECTED_SSH_KEYS[*]}")
                 # Run it and capture the filtered config path
-                output=$("$SETUP_SSH" --keys "$KEYS_ARG" 2>&1)
+                output=$( "$SETUP_SSH" --keys "$KEYS_ARG" 2>&1 ) || true
                 TEMP_CONFIG=$(echo "$output" | grep "Config:" | tail -1 | awk '{print $NF}')
                 if [ -f "$TEMP_CONFIG" ]; then
                   cp "$TEMP_CONFIG" "$GIT_CACHE_DIR/ssh/config" 2>/dev/null || true
@@ -1231,6 +1303,9 @@ else
               cp "$HOME/.gitconfig" "$HOME_DIR/.gitconfig" 2>/dev/null || true
             fi
 
+            if [[ "$git_choice" == "4" || "$git_choice" == "5" ]]; then
+              GIT_FETCH_ONLY_MODE=true
+            fi
             if [ "$git_choice" = "2" ]; then
               # Save workspace and selected keys for future sessions
               echo "$CURRENT_DIR" >> "$GIT_ALLOWED_FILE"
@@ -1245,6 +1320,20 @@ else
               mkdir -p "$GIT_SHARED_DIR/keys"
               printf "%s\n" "${SELECTED_SSH_KEYS[@]}" > "$GIT_SHARED_DIR/keys/$WORKSPACE_MD5"
               echo "✅ Git access enabled and saved for: $CURRENT_DIR"
+            elif [ "$git_choice" = "5" ]; then
+              # Save workspace to fetchOnlyWorkspaces
+              if has_jq && [[ -f "$AI_SANDBOX_CONFIG" ]]; then
+                jq --arg ws "$CURRENT_DIR" '.git.fetchOnlyWorkspaces = ((.git.fetchOnlyWorkspaces // []) + [$ws] | unique)' "$AI_SANDBOX_CONFIG" > "$AI_SANDBOX_CONFIG.tmp" \
+                  && mv "$AI_SANDBOX_CONFIG.tmp" "$AI_SANDBOX_CONFIG"
+                chmod 600 "$AI_SANDBOX_CONFIG"
+              fi
+              # Save selected keys (one per line for easier parsing)
+              WORKSPACE_MD5=$(echo "$CURRENT_DIR" | md5sum | cut -c1-8)
+              mkdir -p "$GIT_SHARED_DIR/keys"
+              printf "%s\n" "${SELECTED_SSH_KEYS[@]}" > "$GIT_SHARED_DIR/keys/$WORKSPACE_MD5"
+              echo "✅ Git fetch-only access enabled and saved for: $CURRENT_DIR"
+            elif [ "$git_choice" = "4" ]; then
+              echo "✅ Git fetch-only access enabled for this session"
             else
               echo "✅ Git access enabled for this session"
             fi
@@ -1260,6 +1349,11 @@ else
         echo "🔒 Git access disabled (secure mode)"
         ;;
     esac
+
+    # Apply fetch-only restrictions if mode is active
+    if [[ "$GIT_FETCH_ONLY_MODE" == "true" ]]; then
+      apply_git_fetch_only
+    fi
     echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
     echo ""
   fi
@@ -1979,6 +2073,69 @@ fi
 # Detect display configuration (clipboard integration)
 DISPLAY_FLAGS=$(detect_display_config)
 
+# ============================================================================
+# OPENCLAW DOCKER-COMPOSE MODE
+# ============================================================================
+if [[ "$TOOL" == "openclaw" ]]; then
+  OPENCLAW_REPO_DIR="$HOME/.ai-sandbox/tools/openclaw/repo"
+  
+  if [[ ! -d "$OPENCLAW_REPO_DIR" ]]; then
+    echo "❌ ERROR: OpenClaw repository not found at $OPENCLAW_REPO_DIR"
+    echo "   Run: npx @kokorolx/ai-sandbox-wrapper setup"
+    exit 1
+  fi
+  
+  cd "$OPENCLAW_REPO_DIR"
+  
+  OPENCLAW_COMPOSE_FILE="$OPENCLAW_REPO_DIR/docker-compose.yml"
+  OPENCLAW_OVERRIDE_FILE="$OPENCLAW_REPO_DIR/docker-compose.override.yml"
+  
+  echo "🔄 Generating OpenClaw docker-compose override..."
+  
+  cat > "$OPENCLAW_OVERRIDE_FILE" <<EOF
+services:
+  openclaw-gateway:
+    environment:
+      HOME: /home/node
+      OPENCLAW_GATEWAY_TOKEN: \${OPENCLAW_GATEWAY_TOKEN:-}
+    volumes:
+      - $HOME/.openclaw:/home/node/.openclaw
+EOF
+  
+  for workspace in "${WORKSPACES[@]}"; do
+    echo "      - $workspace:$workspace" >> "$OPENCLAW_OVERRIDE_FILE"
+  done
+  
+  cat >> "$OPENCLAW_OVERRIDE_FILE" <<EOF
+    ports:
+      - "18789:18789"
+      - "18790:18790"
+    working_dir: $CURRENT_DIR
+EOF
+  
+  if [[ -n "$NETWORK_OPTIONS" ]]; then
+    echo "    networks:" >> "$OPENCLAW_OVERRIDE_FILE"
+    for net in ${DOCKER_NETWORKS//,/ }; do
+      echo "      - $net" >> "$OPENCLAW_OVERRIDE_FILE"
+    done
+    echo "" >> "$OPENCLAW_OVERRIDE_FILE"
+    echo "networks:" >> "$OPENCLAW_OVERRIDE_FILE"
+    for net in ${DOCKER_NETWORKS//,/ }; do
+      echo "  $net:" >> "$OPENCLAW_OVERRIDE_FILE"
+      echo "    external: true" >> "$OPENCLAW_OVERRIDE_FILE"
+    done
+  fi
+  
+  echo "🚀 Starting OpenClaw with docker-compose..."
+  echo "🌐 Gateway: http://localhost:18789"
+  echo "🌐 Bridge: http://localhost:18790"
+  echo ""
+  
+  exec docker compose -f "$OPENCLAW_COMPOSE_FILE" -f "$OPENCLAW_OVERRIDE_FILE" \
+    --env-file "$ENV_FILE" \
+    up --remove-orphans
+fi
+
 docker run $CONTAINER_NAME --rm $TTY_FLAGS \
   --init \
   --platform "$PLATFORM" \

package/bin/cli.js

@@ -33,6 +33,8 @@ Commands:
   git status            Show git-enabled workspaces
   git enable <path>     Enable git access for a workspace
   git disable <path>    Disable git access for a workspace
+  git fetch-only <path>  Enable fetch-only git access (no push) for a workspace
+  git full <path>        Enable full git access for a workspace (moves from fetch-only if needed)
 
   network list          List configured networks
   network add <name> [--global|--workspace <path>]  Add a network
@@ -462,17 +464,25 @@ function runWorkspaceRemove(inputPath) {
 // GIT COMMANDS
 // ============================================================================
 function runGitStatus() {
-  const config = readConfig();
-  const allowed = config.git?.allowedWorkspaces || [];
-
-  console.log('\n🔐 Git-Enabled Workspaces:\n');
-  if (allowed.length === 0) {
-    console.log('  (no workspaces with git access)');
-    console.log('\n  Enable git: npx @kokorolx/ai-sandbox-wrapper git enable <workspace-path>');
+  const config = readConfig()
+  const allowed = config.git?.allowedWorkspaces || []
+  const fetchOnly = config.git?.fetchOnlyWorkspaces || []
+
+  console.log('\n🔐 Git-Enabled Workspaces:\n')
+  if (allowed.length === 0 && fetchOnly.length === 0) {
+    console.log('  (no workspaces with git access)')
+    console.log('\n  Enable git: npx @kokorolx/ai-sandbox-wrapper git enable <workspace-path>')
   } else {
-    allowed.forEach((ws, i) => console.log(`  ${i + 1}. ${ws}`));
+    if (allowed.length > 0) {
+      console.log('  Full access:')
+      allowed.forEach((ws, i) => console.log(`    ${i + 1}. ${ws}`))
+    }
+    if (fetchOnly.length > 0) {
+      console.log('  Fetch only (no push):')
+      fetchOnly.forEach((ws, i) => console.log(`    ${i + 1}. ${ws}`))
+    }
   }
-  console.log('');
+  console.log('')
 }
 
 function runGitEnable(inputPath) {
@@ -541,6 +551,66 @@ function runGitDisable(inputPath) {
   console.log(`✅ Disabled git access for: ${expandedPath}`);
 }
 
+function runGitFetchOnly(inputPath) {
+  if (!inputPath) {
+    console.error('❌ Please provide a workspace path')
+    console.error('Usage: npx @kokorolx/ai-sandbox-wrapper git fetch-only <path>')
+    process.exit(1)
+  }
+
+  const expandedPath = expandHome(inputPath)
+  const config = readConfig()
+
+  if (!config.git) config.git = { allowedWorkspaces: [], fetchOnlyWorkspaces: [], keySelections: {} }
+  if (!config.git.fetchOnlyWorkspaces) config.git.fetchOnlyWorkspaces = []
+
+  // Remove from full access if present
+  if (config.git.allowedWorkspaces) {
+    const fullIdx = config.git.allowedWorkspaces.indexOf(expandedPath)
+    if (fullIdx !== -1) config.git.allowedWorkspaces.splice(fullIdx, 1)
+  }
+
+  if (config.git.fetchOnlyWorkspaces.includes(expandedPath)) {
+    console.log(`ℹ️  Git fetch-only already enabled for: ${expandedPath}`)
+    return
+  }
+
+  config.git.fetchOnlyWorkspaces.push(expandedPath)
+  writeConfig(config)
+
+  console.log(`✅ Enabled git fetch-only for: ${expandedPath}`)
+}
+
+function runGitFull(inputPath) {
+  if (!inputPath) {
+    console.error('❌ Please provide a workspace path')
+    console.error('Usage: npx @kokorolx/ai-sandbox-wrapper git full <path>')
+    process.exit(1)
+  }
+
+  const expandedPath = expandHome(inputPath)
+  const config = readConfig()
+
+  if (!config.git) config.git = { allowedWorkspaces: [], fetchOnlyWorkspaces: [], keySelections: {} }
+  if (!config.git.allowedWorkspaces) config.git.allowedWorkspaces = []
+
+  // Remove from fetch-only if present
+  if (config.git.fetchOnlyWorkspaces) {
+    const foIdx = config.git.fetchOnlyWorkspaces.indexOf(expandedPath)
+    if (foIdx !== -1) config.git.fetchOnlyWorkspaces.splice(foIdx, 1)
+  }
+
+  if (config.git.allowedWorkspaces.includes(expandedPath)) {
+    console.log(`ℹ️  Git full access already enabled for: ${expandedPath}`)
+    return
+  }
+
+  config.git.allowedWorkspaces.push(expandedPath)
+  writeConfig(config)
+
+  console.log(`✅ Enabled git full access for: ${expandedPath}`)
+}
+
 // ============================================================================
 // NETWORK COMMANDS
 // ============================================================================
@@ -1259,11 +1329,17 @@ switch (command) {
         runGitEnable(subArg);
         break;
       case 'disable':
-        runGitDisable(subArg);
-        break;
+        runGitDisable(subArg)
+        break
+      case 'fetch-only':
+        runGitFetchOnly(subArg)
+        break
+      case 'full':
+        runGitFull(subArg)
+        break
       default:
-        console.error('Usage: npx @kokorolx/ai-sandbox-wrapper git <status|enable|disable> [path]');
-        process.exit(1);
+        console.error('Usage: npx @kokorolx/ai-sandbox-wrapper git <status|enable|disable|fetch-only|full> [path]')
+        process.exit(1)
     }
     break;
   case 'network':

package/dockerfiles/base/Dockerfile

@@ -1,3 +1,7 @@
+# Build RTK from source (multi-stage: only binary is kept, Rust toolchain discarded)
+FROM rust:bookworm AS rtk-builder
+RUN cargo install --git https://github.com/rtk-ai/rtk --locked
+
 FROM node:22-bookworm-slim
 
 ARG AGENT_UID=1001
@@ -34,31 +38,8 @@ RUN mkdir -p /usr/local/lib/openspec && \
     ln -sf /usr/local/lib/openspec/node_modules/.bin/openspec /usr/local/bin/openspec && \
     chmod -R 755 /usr/local/lib/openspec && \
     chmod +x /usr/local/bin/openspec
-# Install Playwright system dependencies
-RUN apt-get update && apt-get install -y --no-install-recommends \
-    libglib2.0-0 \
-    libnspr4 \
-    libnss3 \
-    libdbus-1-3 \
-    libatk1.0-0 \
-    libatk-bridge2.0-0 \
-    libcups2 \
-    libxcb1 \
-    libxkbcommon0 \
-    libatspi2.0-0 \
-    libx11-6 \
-    libxcomposite1 \
-    libxdamage1 \
-    libxext6 \
-    libxfixes3 \
-    libxrandr2 \
-    libgbm1 \
-    libcairo2 \
-    libpango-1.0-0 \
-    libasound2 \
-    && rm -rf /var/lib/apt/lists/*
-# Install Playwright and browsers via npm
-RUN npm install -g playwright && npx playwright install
+# Install RTK - token optimizer for AI coding agents (built from source)
+COPY --from=rtk-builder /usr/local/cargo/bin/rtk /usr/local/bin/rtk
 RUN apt-get update && apt-get install -y --no-install-recommends \
     libglib2.0-0 \
     libnspr4 \
@@ -96,9 +77,6 @@ RUN mkdir -p /opt/playwright-browsers && \
     npx playwright-core install-deps chromium && \
     chmod -R 777 /opt/playwright-browsers && \
     ln -sf $(ls -d /opt/playwright-browsers/chromium-*/chrome-linux/chrome | head -1) /opt/chromium
-ENV CHROME_DEVTOOLS_MCP_NO_USAGE_STATISTICS=1
-RUN npm install -g chrome-devtools-mcp@latest && \
-    touch /opt/.mcp-chrome-devtools-installed
 RUN touch /opt/.mcp-playwright-installed
 
 # Create workspace

package/lib/install-base.sh

@@ -5,6 +5,7 @@ set -e
 mkdir -p "dockerfiles/base"
 
 ADDITIONAL_TOOLS_INSTALL=""
+DOCKERFILE_BUILD_STAGES=""
 
 if [[ "${INSTALL_SPEC_KIT:-0}" -eq 1 ]]; then
   echo "📦 spec-kit will be installed in base image"
@@ -39,6 +40,17 @@ if [[ "${INSTALL_OPENSPEC:-0}" -eq 1 ]]; then
 '
 fi
 
+if [[ "${INSTALL_RTK:-0}" -eq 1 ]]; then
+  echo "📦 RTK (Rust Token Killer) will be installed in base image (multi-stage build)"
+  DOCKERFILE_BUILD_STAGES+='# Build RTK from source (multi-stage: only binary is kept, Rust toolchain discarded)
+FROM rust:bookworm AS rtk-builder
+RUN cargo install --git https://github.com/rtk-ai/rtk --locked
+'
+  ADDITIONAL_TOOLS_INSTALL+='# Install RTK - token optimizer for AI coding agents (built from source)
+COPY --from=rtk-builder /usr/local/cargo/bin/rtk /usr/local/bin/rtk
+'
+fi
+
 if [[ "${INSTALL_PLAYWRIGHT:-0}" -eq 1 ]]; then
   echo "📦 Playwright will be installed in base image"
   ADDITIONAL_TOOLS_INSTALL+='# Install Playwright system dependencies
@@ -166,6 +178,7 @@ if [[ "${INSTALL_PLAYWRIGHT_MCP:-0}" -eq 1 ]]; then
 fi
 
 cat > "dockerfiles/base/Dockerfile" <<EOF
+${DOCKERFILE_BUILD_STAGES}
 FROM node:22-bookworm-slim
 
 ARG AGENT_UID=1001
@@ -228,4 +241,3 @@ docker build ${DOCKER_NO_CACHE:+--no-cache} \
   --build-arg AGENT_UID="${HOST_UID}" \
   -t "ai-base:latest" "dockerfiles/base"
 echo "✅ Base image built (ai-base:latest)"
-

package/lib/install-claude.sh

@@ -16,6 +16,16 @@ cat <<'EOF' > "dockerfiles/$TOOL/Dockerfile"
 FROM ai-base:latest
 
 USER root
+# Install tmux for Agent Teams split-pane mode
+RUN apt-get update && apt-get install -y --no-install-recommends tmux && rm -rf /var/lib/apt/lists/*
+
+# Install CCS (Claude Code Switch) for multi-provider model switching
+# Use --ignore-scripts to avoid postinstall failures when HOME=/home/agent but running as root
+RUN npm install -g @kaitranntt/ccs --ignore-scripts && \
+    mkdir -p /home/agent/.ccs && \
+    chown -R agent:agent /home/agent/.ccs && \
+    which ccs && ccs --version
+
 # Install Claude Code using official native installer
 RUN curl -fsSL https://claude.ai/install.sh | bash && \
     mkdir -p /usr/local/share && \
@@ -33,10 +43,15 @@ docker build ${DOCKER_NO_CACHE:+--no-cache} -t "ai-$TOOL:latest" "dockerfiles/$T
 echo "✅ $TOOL installed (Native Binary)"
 echo ""
 echo "Features:"
-echo "  ✓ Official native binary (no Node.js)"
+echo "  ✓ Official native binary"
 echo "  ✓ Claude 3.5 Sonnet/Opus models"
 echo "  ✓ Agentic coding with file editing"
 echo "  ✓ Web search and fetch built-in"
+echo "  ✓ Agent Teams (multi-agent tmux split-pane workflows)"
+echo "  ✓ CCS (Claude Code Switch) for multi-provider model switching"
 echo ""
 echo "Usage: ai-run claude"
-echo "Auth: Set ANTHROPIC_API_KEY environment variable"
+echo "Auth: Set ANTHROPIC_API_KEY in ~/.ai-sandbox/env"
+echo ""
+echo "Agent Teams: Add CLAUDE_CODE_EXPERIMENTAL_AGENT_TEAMS=1 to ~/.ai-sandbox/env"
+echo "CCS: Run 'ai-run claude --shell' then 'ccs help' to configure providers"

package/lib/install-openclaw.sh

@@ -0,0 +1,39 @@
+#!/usr/bin/env bash
+set -e
+
+# OpenClaw installer: Uses official Docker Compose setup
+TOOL="openclaw"
+
+echo "🔄 Installing $TOOL (OpenClaw - Official Docker Compose)..."
+
+# Create directories
+OPENCLAW_REPO_DIR="$HOME/.ai-sandbox/tools/$TOOL/repo"
+mkdir -p "$OPENCLAW_REPO_DIR"
+mkdir -p "$HOME/.openclaw"
+
+# Clone OpenClaw repository if not exists
+if [[ ! -d "$OPENCLAW_REPO_DIR/.git" ]]; then
+  echo "📦 Cloning OpenClaw repository..."
+  git clone https://github.com/openclaw/openclaw.git "$OPENCLAW_REPO_DIR"
+else
+  echo "📦 OpenClaw repository already exists, pulling latest..."
+  cd "$OPENCLAW_REPO_DIR"
+  git pull origin main || git pull origin master || true
+fi
+
+cd "$OPENCLAW_REPO_DIR"
+
+# Build OpenClaw Docker image using their docker-compose
+echo "🔨 Building OpenClaw Docker image..."
+docker compose build
+
+echo "✅ $TOOL installed (Docker Compose)"
+echo ""
+echo "Features:"
+echo "  ✓ Official OpenClaw Docker setup"
+echo "  ✓ Gateway mode (port 18789)"
+echo "  ✓ Bridge mode (port 18790)"
+echo "  ✓ Workspace whitelist integration"
+echo ""
+echo "Usage: ai-run openclaw"
+echo "Config: ~/.openclaw/"

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@kokorolx/ai-sandbox-wrapper",
-  "version": "2.6.0",
+  "version": "2.7.0",
   "description": "Docker-based security sandbox for AI coding agents. Isolate Claude, Gemini, Aider, and other AI tools from your host system.",
   "keywords": [
     "ai",
@@ -27,6 +27,7 @@
   "files": [
     "bin/",
     "lib/",
+    "skills/",
     "dockerfiles/",
     "setup.sh",
     "README.md",

package/setup.sh

@@ -274,8 +274,8 @@ echo "📁 Legacy workspaces file: $WORKSPACES_FILE"
 WORKSPACE="${WORKSPACES[0]}"
 
 # Tool definitions
-TOOL_OPTIONS="amp,opencode,droid,claude,gemini,kilo,qwen,codex,qoder,auggie,codebuddy,jules,shai"
-TOOL_DESCS="AI coding assistant from @sourcegraph/amp,Open-source coding tool from opencode-ai,Factory CLI from factory.ai,Claude Code CLI from Anthropic,Google Gemini CLI (free tier),AI pair programmer (Git-native),Kilo Code (500+ models),Alibaba Qwen CLI (1M context),OpenAI Codex terminal agent,Qoder AI CLI assistant,Augment Auggie CLI,Tencent CodeBuddy CLI,Google Jules CLI,OVHcloud SHAI agent"
+TOOL_OPTIONS="amp,opencode,openclaw,droid,claude,gemini,kilo,qwen,codex,qoder,auggie,codebuddy,jules,shai"
+TOOL_DESCS="AI coding assistant from @sourcegraph/amp,Open-source coding tool from opencode-ai,OpenClaw AI gateway (Docker Compose),Factory CLI from factory.ai,Claude Code CLI from Anthropic,Google Gemini CLI (free tier),AI pair programmer (Git-native),Kilo Code (500+ models),Alibaba Qwen CLI (1M context),OpenAI Codex terminal agent,Qoder AI CLI assistant,Augment Auggie CLI,Tencent CodeBuddy CLI,Google Jules CLI,OVHcloud SHAI agent"
 
 # Interactive multi-select
 multi_select "Select AI Tools to Install" "$TOOL_OPTIONS" "$TOOL_DESCS"
@@ -290,7 +290,7 @@ echo "Installing tools: ${TOOLS[*]}"
 
 CONTAINERIZED_TOOLS=()
 for tool in "${TOOLS[@]}"; do
-  if [[ "$tool" =~ ^(amp|opencode|claude|aider|droid|gemini|kilo|qwen|codex|qoder|auggie|codebuddy|jules|shai)$ ]]; then
+  if [[ "$tool" =~ ^(amp|opencode|openclaw|claude|aider|droid|gemini|kilo|qwen|codex|qoder|auggie|codebuddy|jules|shai)$ ]]; then
     CONTAINERIZED_TOOLS+=("$tool")
   fi
 done
@@ -298,8 +298,8 @@ done
 echo ""
 if [[ ${#CONTAINERIZED_TOOLS[@]} -gt 0 ]]; then
   # Category 1: AI Enhancement Tools (spec-driven development, UI/UX, browser automation)
-  AI_TOOL_OPTIONS="spec-kit,ux-ui-promax,openspec,playwright"
-  AI_TOOL_DESCS="Spec-driven development toolkit,UI/UX design intelligence tool,OpenSpec - spec-driven development,Browser automation + Chromium/Firefox/WebKit (~500MB)"
+  AI_TOOL_OPTIONS="spec-kit,ux-ui-promax,openspec,playwright,rtk"
+  AI_TOOL_DESCS="Spec-driven development toolkit,UI/UX design intelligence tool,OpenSpec - spec-driven development,Browser automation + Chromium/Firefox/WebKit (~500MB),RTK token optimizer - reduces LLM token usage by 60-90% (~5MB)"
 
   multi_select "Select AI Enhancement Tools (installed in containers)" "$AI_TOOL_OPTIONS" "$AI_TOOL_DESCS"
   AI_ENHANCEMENT_TOOLS=("${SELECTED_ITEMS[@]}")
@@ -376,6 +376,7 @@ if [[ $NEEDS_BASE_IMAGE -eq 1 ]]; then
   INSTALL_RUBY=0
   INSTALL_CHROME_DEVTOOLS_MCP=0
   INSTALL_PLAYWRIGHT_MCP=0
+  INSTALL_RTK=0
 
   for addon in "${ADDITIONAL_TOOLS[@]}"; do
     case "$addon" in
@@ -400,10 +401,13 @@ if [[ $NEEDS_BASE_IMAGE -eq 1 ]]; then
       playwright-mcp)
         INSTALL_PLAYWRIGHT_MCP=1
         ;;
+      rtk)
+        INSTALL_RTK=1
+        ;;
     esac
   done
 
-  export INSTALL_SPEC_KIT INSTALL_UX_UI_PROMAX INSTALL_OPENSPEC INSTALL_PLAYWRIGHT INSTALL_RUBY INSTALL_CHROME_DEVTOOLS_MCP INSTALL_PLAYWRIGHT_MCP
+  export INSTALL_SPEC_KIT INSTALL_UX_UI_PROMAX INSTALL_OPENSPEC INSTALL_PLAYWRIGHT INSTALL_RUBY INSTALL_CHROME_DEVTOOLS_MCP INSTALL_PLAYWRIGHT_MCP INSTALL_RTK
   bash "$SCRIPT_DIR/lib/install-base.sh"
   
   # Save MCP selections to ~/.ai-sandbox/config.json for ai-run auto-configuration
@@ -431,6 +435,9 @@ for tool in "${TOOLS[@]}"; do
     opencode)
       bash "$SCRIPT_DIR/lib/install-opencode.sh"
       ;;
+    openclaw)
+      bash "$SCRIPT_DIR/lib/install-openclaw.sh"
+      ;;
     droid)
       bash "$SCRIPT_DIR/lib/install-droid.sh"
       ;;
@@ -525,6 +532,9 @@ if [[ ${#ADDITIONAL_TOOLS[@]} -gt 0 ]]; then
       playwright-mcp)
         echo "  @playwright/mcp - Microsoft Playwright MCP server"
         ;;
+      rtk)
+        echo "  rtk - Token optimizer for AI coding agents (60-90% savings)"
+        ;;
     esac
   done
 fi

package/skills/rtk/SKILL.md

@@ -0,0 +1,103 @@
+---
+name: rtk
+description: "Token optimizer for AI coding agents. Wraps common CLI commands with rtk to reduce LLM token consumption by 60-90%."
+compatibility: "OpenCode with RTK binary installed"
+metadata:
+  author: Sisyphus
+  version: "1.0.0"
+---
+
+# RTK — Rust Token Killer
+
+**Purpose**: Reduce token consumption by 60-90% on shell commands. RTK filters and compresses command output before it reaches your context.
+
+## When This Skill Activates
+
+This skill is loaded automatically. Once active, **always** prefix supported commands with `rtk`.
+
+## Command Mappings (MANDATORY)
+
+When running shell commands via Bash tool, use `rtk` prefix for these commands:
+
+| Instead of | Use | Savings |
+|-----------|-----|---------|
+| `git status` | `rtk git status` | ~80% |
+| `git diff` | `rtk git diff` | ~75% |
+| `git log` | `rtk git log` | ~80% |
+| `git add/commit/push/pull` | `rtk git add/commit/push/pull` | ~90% |
+| `ls` / `ls -la` | `rtk ls` | ~80% |
+| `cat file` | `rtk read file` | ~70% |
+| `grep pattern .` | `rtk grep pattern .` | ~80% |
+| `rg pattern` | `rtk grep pattern .` | ~80% |
+| `npm test` / `cargo test` / `pytest` | `rtk test <cmd>` | ~90% |
+| `npm run build` / `cargo build` | `rtk err <cmd>` | ~80% |
+| `gh pr list/view` | `rtk gh pr list/view` | ~70% |
+| `docker ps` | `rtk docker ps` | ~80% |
+| `eslint` / `tsc` | `rtk lint` / `rtk tsc` | ~80% |
+
+## Searching Inside `node_modules` / Ignored Directories
+
+By default, `rtk grep` respects `.gitignore` rules — meaning `node_modules`, `.nuxt`, `dist`, etc. are **excluded**. This is the right behavior 99% of the time.
+
+When you **need** to search inside ignored directories (debugging a library, checking an API signature, tracing a dependency bug):
+
+```bash
+# Search all files including node_modules (--no-ignore bypasses .gitignore)
+rtk grep "defineStore" . --no-ignore
+
+# Search a specific package only (combine --no-ignore with --glob)
+rtk grep "defineStore" . --no-ignore --glob 'node_modules/pinia/**'
+```
+
+**What does NOT work:**
+- `rtk grep "pattern" node_modules/pinia/` — still excluded even with direct path
+- `rtk grep "pattern" . --glob 'node_modules/**'` — glob alone doesn't override .gitignore
+
+**Key flag: `--no-ignore`** — this is the ONLY way to search ignored directories with rtk grep.
+
+### Other useful `rtk grep` flags
+
+```bash
+rtk grep "pattern" . -t ts          # Filter by file type (ts, py, rust, etc.)
+rtk grep "pattern" . -m 100         # Increase max results (default: 50)
+rtk grep "pattern" . -u             # Ultra-compact mode (even fewer tokens)
+rtk grep "pattern" . -l 120         # Max line length before truncation (default: 80)
+```
+
+## Commands to NOT Wrap
+
+Do NOT prefix these with `rtk` (unsupported or counterproductive):
+
+- `npx`, `npm install`, `pip install` (package managers)
+- `node`, `python3`, `ruby` (interpreters)
+- `nano-brain`, `openspec`, `opencode` (custom tools)
+- Heredocs (`<<EOF`)
+- Piped commands (`cmd1 | cmd2`) — wrap only the first command if applicable
+- Commands already prefixed with `rtk`
+
+## How RTK Works
+
+```
+Without RTK:  git status → 50 lines raw output → 2,000 tokens
+With RTK:     rtk git status → "3 modified, 1 untracked ✓" → 200 tokens
+```
+
+RTK runs the real command, then filters/compresses the output. The agent sees a compact summary instead of verbose raw output.
+
+## Detection
+
+Before using RTK commands, verify it's installed:
+```bash
+rtk --version
+```
+
+If `rtk` is not found, skip this skill — run commands normally without the `rtk` prefix.
+
+## Token Savings Reference
+
+Typical 30-min coding session:
+- Without RTK: ~150,000 tokens
+- With RTK: ~45,000 tokens
+- **Savings: ~70%**
+
+Biggest wins: test output (`rtk test` — 90%), git operations (`rtk git` — 80%), file reading (`rtk read` — 70%).

package/skills/rtk-setup/SKILL.md

@@ -0,0 +1,118 @@
+---
+name: rtk-setup
+description: "One-time setup + ongoing enforcement of RTK (Rust Token Killer) across sessions and subagents. Persists RTK instructions to AGENTS.md and propagates to delegated tasks."
+compatibility: "OpenCode with RTK binary installed"
+metadata:
+  author: Sisyphus
+  version: "1.0.0"
+---
+
+# RTK Setup — Persistent RTK Enforcement
+
+This skill performs **setup** (persist RTK instructions) and **ongoing enforcement** (use rtk, propagate to subagents).
+
+## Phase 1: Detection (ALWAYS run first)
+
+Run these checks before anything else:
+
+```bash
+rtk --version
+```
+
+- If `rtk` is NOT found → **STOP**. Tell the user: "RTK is not installed. Install it first: `cargo install --git https://github.com/rtk-ai/rtk --locked`". Do NOT proceed with setup.
+- If `rtk` IS found → continue.
+
+### Check oh-my-opencode
+
+```bash
+ls ~/.config/opencode/oh-my-opencode.json 2>/dev/null
+```
+
+- If found → omo is installed. Note this for Phase 2.
+- If not found → skip omo-specific steps.
+
+## Phase 2: Setup (persist to AGENTS.md)
+
+Check BOTH of these files for the RTK managed block:
+
+1. **User-level**: `~/.config/opencode/AGENTS.md`
+2. **Project-level**: `./AGENTS.md` (current workspace)
+
+For EACH file, check if `<!-- RTK:START -->` exists. If it does NOT exist, **append** the following managed block to the file (create the file if it doesn't exist). NEVER replace existing content — only append.
+
+```markdown
+<!-- RTK:START -->
+<!-- Managed block - do not edit manually. Updated by: rtk-setup skill -->
+
+## RTK Token Optimizer
+
+This project uses **RTK** (Rust Token Killer) to reduce LLM token consumption by 60-90%.
+
+### Rules for ALL agents (including subagents)
+
+**ALWAYS** prefix these commands with `rtk`:
+
+| Command | Use instead |
+|---------|-------------|
+| `git status/diff/log/add/commit/push/pull` | `rtk git ...` |
+| `ls`, `ls -la` | `rtk ls` |
+| `cat file` | `rtk read file` |
+| `grep pattern .` / `rg pattern` | `rtk grep pattern .` |
+| `npm test` / `cargo test` / `pytest` | `rtk test <cmd>` |
+| `npm run build` / `cargo build` | `rtk err <cmd>` |
+| `gh pr list/view` | `rtk gh pr list/view` |
+| `docker ps` | `rtk docker ps` |
+| `eslint` / `tsc` | `rtk lint` / `rtk tsc` |
+
+**Do NOT** prefix: `npx`, `npm install`, `pip install`, `node`, `python3`, heredocs, piped commands.
+
+<!-- RTK:END -->
+```
+
+### If oh-my-opencode is installed
+
+After updating AGENTS.md files, check if the omo config at `~/.config/opencode/oh-my-opencode.json` has `prompt_append` fields on agents. If it does, inform the user:
+
+> "omo is installed. For maximum coverage, you can add RTK instructions to agent `prompt_append` fields in `oh-my-opencode.json`. This ensures subagents always use rtk even when AGENTS.md is not loaded. Want me to do this?"
+
+**Only modify `oh-my-opencode.json` if the user explicitly confirms.** If they confirm, append this line to the `prompt_append` of `sisyphus-junior` agent (the primary coder):
+
+```
+\n\nRTK: ALWAYS prefix shell commands with `rtk` when available (git, ls, grep, test, build). Example: `rtk git status` not `git status`.
+```
+
+Do NOT modify other agents' prompt_append unless asked.
+
+## Phase 3: Ongoing Enforcement (EVERY time this skill is loaded)
+
+### For the current agent
+
+From this point forward in this session, **you MUST**:
+
+1. **Use `rtk` prefix** for all supported shell commands (see table above)
+2. **Verify rtk is available** before first use: `rtk --version`
+3. If rtk is not available in the current environment, fall back to normal commands silently
+
+### For subagent delegation
+
+When delegating ANY task that involves shell commands (via `task()`, `delegate_task()`, or any delegation mechanism), **ALWAYS** add this to the `MUST DO` section of the delegation prompt:
+
+```
+- Use `rtk` prefix for shell commands when available (git, ls, grep, test, build). Run `rtk --version` first to check. If not installed, use normal commands. Examples: `rtk git status`, `rtk ls`, `rtk grep pattern .`, `rtk test npm test`.
+```
+
+This is NON-NEGOTIABLE. Subagents do not read AGENTS.md, so RTK instructions MUST be passed explicitly in every delegation prompt.
+
+### Quick reference for subagent prompts
+
+Copy-paste this one-liner into MUST DO sections:
+
+> Use `rtk` prefix for all shell commands (git, ls, grep, test, build, docker). Example: `rtk git status` not `git status`. If `rtk` is not found, use normal commands.
+
+## Summary
+
+| Phase | When | What |
+|-------|------|------|
+| Detection | Always first | Check rtk installed, check omo |
+| Setup | Once (idempotent) | Append RTK block to AGENTS.md (user + project) |
+| Enforcement | Every session | Use rtk yourself, propagate to all subagents |

package/dockerfiles/amp/Dockerfile

@@ -1,17 +0,0 @@
-FROM ai-base:latest
-
-# Switch to root only for installing bun globally (needed for the system)
-USER root
-RUN npm install -g bun
-USER agent
-
-# Install Amp into user directory
-RUN mkdir -p /home/agent/lib/amp && \
-    cd /home/agent/lib/amp && \
-    bun init -y && \
-    bun add @sourcegraph/amp
-
-# Add the node_modules .bin to PATH
-ENV PATH="/home/agent/lib/amp/node_modules/.bin:${PATH}"
-
-ENTRYPOINT ["amp"]