@kokorolx/ai-sandbox-wrapper 3.4.3-beta.2 → 3.4.3

package/dockerfiles/base/skills/rtk-setup/SKILL.md

@@ -0,0 +1,118 @@
+---
+name: rtk-setup
+description: "One-time setup + ongoing enforcement of RTK (Rust Token Killer) across sessions and subagents. Persists RTK instructions to AGENTS.md and propagates to delegated tasks."
+compatibility: "OpenCode with RTK binary installed"
+metadata:
+  author: Sisyphus
+  version: "1.0.0"
+---
+
+# RTK Setup — Persistent RTK Enforcement
+
+This skill performs **setup** (persist RTK instructions) and **ongoing enforcement** (use rtk, propagate to subagents).
+
+## Phase 1: Detection (ALWAYS run first)
+
+Run these checks before anything else:
+
+```bash
+rtk --version
+```
+
+- If `rtk` is NOT found → **STOP**. Tell the user: "RTK is not installed. Install it first: `cargo install --git https://github.com/rtk-ai/rtk --locked`". Do NOT proceed with setup.
+- If `rtk` IS found → continue.
+
+### Check oh-my-opencode
+
+```bash
+ls ~/.config/opencode/oh-my-opencode.json 2>/dev/null
+```
+
+- If found → omo is installed. Note this for Phase 2.
+- If not found → skip omo-specific steps.
+
+## Phase 2: Setup (persist to AGENTS.md)
+
+Check BOTH of these files for the RTK managed block:
+
+1. **User-level**: `~/.config/opencode/AGENTS.md`
+2. **Project-level**: `./AGENTS.md` (current workspace)
+
+For EACH file, check if `<!-- RTK:START -->` exists. If it does NOT exist, **append** the following managed block to the file (create the file if it doesn't exist). NEVER replace existing content — only append.
+
+```markdown
+<!-- RTK:START -->
+<!-- Managed block - do not edit manually. Updated by: rtk-setup skill -->
+
+## RTK Token Optimizer
+
+This project uses **RTK** (Rust Token Killer) to reduce LLM token consumption by 60-90%.
+
+### Rules for ALL agents (including subagents)
+
+**ALWAYS** prefix these commands with `rtk`:
+
+| Command | Use instead |
+|---------|-------------|
+| `git status/diff/log/add/commit/push/pull` | `rtk git ...` |
+| `ls`, `ls -la` | `rtk ls` |
+| `cat file` | `rtk read file` |
+| `grep pattern .` / `rg pattern` | `rtk grep pattern .` |
+| `npm test` / `cargo test` / `pytest` | `rtk test <cmd>` |
+| `npm run build` / `cargo build` | `rtk err <cmd>` |
+| `gh pr list/view` | `rtk gh pr list/view` |
+| `docker ps` | `rtk docker ps` |
+| `eslint` / `tsc` | `rtk lint` / `rtk tsc` |
+
+**Do NOT** prefix: `npx`, `npm install`, `pip install`, `node`, `python3`, heredocs, piped commands.
+
+<!-- RTK:END -->
+```
+
+### If oh-my-opencode is installed
+
+After updating AGENTS.md files, check if the omo config at `~/.config/opencode/oh-my-opencode.json` has `prompt_append` fields on agents. If it does, inform the user:
+
+> "omo is installed. For maximum coverage, you can add RTK instructions to agent `prompt_append` fields in `oh-my-opencode.json`. This ensures subagents always use rtk even when AGENTS.md is not loaded. Want me to do this?"
+
+**Only modify `oh-my-opencode.json` if the user explicitly confirms.** If they confirm, append this line to the `prompt_append` of `sisyphus-junior` agent (the primary coder):
+
+```
+\n\nRTK: ALWAYS prefix shell commands with `rtk` when available (git, ls, grep, test, build). Example: `rtk git status` not `git status`.
+```
+
+Do NOT modify other agents' prompt_append unless asked.
+
+## Phase 3: Ongoing Enforcement (EVERY time this skill is loaded)
+
+### For the current agent
+
+From this point forward in this session, **you MUST**:
+
+1. **Use `rtk` prefix** for all supported shell commands (see table above)
+2. **Verify rtk is available** before first use: `rtk --version`
+3. If rtk is not available in the current environment, fall back to normal commands silently
+
+### For subagent delegation
+
+When delegating ANY task that involves shell commands (via `task()`, `delegate_task()`, or any delegation mechanism), **ALWAYS** add this to the `MUST DO` section of the delegation prompt:
+
+```
+- Use `rtk` prefix for shell commands when available (git, ls, grep, test, build). Run `rtk --version` first to check. If not installed, use normal commands. Examples: `rtk git status`, `rtk ls`, `rtk grep pattern .`, `rtk test npm test`.
+```
+
+This is NON-NEGOTIABLE. Subagents do not read AGENTS.md, so RTK instructions MUST be passed explicitly in every delegation prompt.
+
+### Quick reference for subagent prompts
+
+Copy-paste this one-liner into MUST DO sections:
+
+> Use `rtk` prefix for all shell commands (git, ls, grep, test, build, docker). Example: `rtk git status` not `git status`. If `rtk` is not found, use normal commands.
+
+## Summary
+
+| Phase | When | What |
+|-------|------|------|
+| Detection | Always first | Check rtk installed, check omo |
+| Setup | Once (idempotent) | Append RTK block to AGENTS.md (user + project) |
+| Enforcement | Every session | Use rtk yourself, propagate to all subagents |

package/dockerfiles/opencode/Dockerfile

@@ -0,0 +1,9 @@
+FROM ai-base:latest
+
+USER root
+RUN curl -fsSL https://opencode.ai/install | bash && \
+    mv /home/agent/.opencode/bin/opencode /usr/local/bin/opencode && \
+    rm -rf /home/agent/.opencode
+
+USER agent
+ENTRYPOINT ["opencode"]

package/dockerfiles/sandbox/Dockerfile

@@ -0,0 +1,91 @@
+
+FROM node:22-bookworm-slim
+
+ARG AGENT_UID=1001
+
+RUN apt-get update && apt-get install -y --no-install-recommends     git     curl     ssh     ca-certificates     jq     python3     python3-pip     python3-venv     python3-dev     python3-setuptools     build-essential     libopenblas-dev     pipx     unzip     xclip     wl-clipboard     ripgrep     tmux     vim-nox     fd-find     sqlite3     poppler-utils     qpdf     tesseract-ocr     && curl -LsSf https://astral.sh/uv/install.sh | UV_INSTALL_DIR=/usr/local/bin sh     && rm -rf /var/lib/apt/lists/*     && pipx ensurepath
+
+# Install Python PDF processing tools for PDF skill
+RUN pip3 install --no-cache-dir --break-system-packages pypdf pdfplumber reportlab pytesseract pdf2image
+
+RUN curl -fsSL https://cli.github.com/packages/githubcli-archive-keyring.gpg | dd of=/usr/share/keyrings/githubcli-archive-keyring.gpg     && chmod go+r /usr/share/keyrings/githubcli-archive-keyring.gpg     && echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/githubcli-archive-keyring.gpg] https://cli.github.com/packages stable main" | tee /etc/apt/sources.list.d/github-cli.list > /dev/null     && apt-get update     && apt-get install -y gh     && rm -rf /var/lib/apt/lists/*
+
+# Install bun (used by most AI tool install scripts)
+RUN npm install -g bun
+
+# Install pnpm globally using npm (not bun, for stability)
+RUN npm install -g pnpm
+
+# Install TypeScript and LSP tools using npm
+RUN npm install -g typescript typescript-language-server pyright vscode-langservers-extracted
+
+# Verify installations
+RUN node --version && npm --version && pnpm --version && tsc --version
+
+# Install additional tools (if selected)
+RUN apt-get update && apt-get install -y --no-install-recommends \
+    libglib2.0-0 \
+    libnspr4 \
+    libnss3 \
+    libdbus-1-3 \
+    libatk1.0-0 \
+    libatk-bridge2.0-0 \
+    libcups2 \
+    libxcb1 \
+    libxkbcommon0 \
+    libatspi2.0-0 \
+    libx11-6 \
+    libxcomposite1 \
+    libxdamage1 \
+    libxext6 \
+    libxfixes3 \
+    libxrandr2 \
+    libgbm1 \
+    libdrm2 \
+    libcairo2 \
+    libpango-1.0-0 \
+    libasound2 \
+    fonts-liberation \
+    libappindicator3-1 \
+    libu2f-udev \
+    libvulkan1 \
+    libxshmfence1 \
+    xdg-utils \
+    wget \
+    && rm -rf /var/lib/apt/lists/*
+ENV PLAYWRIGHT_BROWSERS_PATH=/opt/playwright-browsers
+RUN mkdir -p /opt/playwright-browsers && \
+    npm install -g @playwright/mcp@latest && \
+    touch /opt/.mcp-playwright-installed
+ENV CHROME_DEVTOOLS_MCP_NO_USAGE_STATISTICS=1
+RUN npm install -g chrome-devtools-mcp@latest && \
+    touch /opt/.mcp-chrome-devtools-installed
+RUN touch /opt/.mcp-playwright-installed
+
+# Create workspace
+WORKDIR /workspace
+
+# Non-root user for security (match host UID)
+RUN useradd -m -u ${AGENT_UID} -d /home/agent agent && \
+    mkdir -p /home/agent/.cache /home/agent/.npm /home/agent/.opencode /home/agent/.config && \
+    chown -R agent:agent /home/agent/.cache /home/agent/.npm /home/agent/.opencode /home/agent/.config /workspace && \
+    ([ -d /opt/playwright-browsers ] && chown -R agent:agent /opt/playwright-browsers || true)
+
+# === opencode ===
+USER root
+RUN curl -fsSL https://opencode.ai/install | bash && \
+    mv /root/.opencode/bin/opencode /usr/local/bin/opencode && \
+    rm -rf /root/.opencode
+
+# === codex ===
+USER root
+RUN mkdir -p /usr/local/lib/codex && \
+    cd /usr/local/lib/codex && \
+    bun init -y && \
+    bun add @openai/codex && \
+    ln -s /usr/local/lib/codex/node_modules/.bin/codex /usr/local/bin/codex
+USER agent
+
+USER agent
+ENV HOME=/home/agent
+CMD ["bash"]

package/dockerfiles/sandbox/skills/rtk/SKILL.md

@@ -0,0 +1,103 @@
+---
+name: rtk
+description: "Token optimizer for AI coding agents. Wraps common CLI commands with rtk to reduce LLM token consumption by 60-90%."
+compatibility: "OpenCode with RTK binary installed"
+metadata:
+  author: Sisyphus
+  version: "1.0.0"
+---
+
+# RTK — Rust Token Killer
+
+**Purpose**: Reduce token consumption by 60-90% on shell commands. RTK filters and compresses command output before it reaches your context.
+
+## When This Skill Activates
+
+This skill is loaded automatically. Once active, **always** prefix supported commands with `rtk`.
+
+## Command Mappings (MANDATORY)
+
+When running shell commands via Bash tool, use `rtk` prefix for these commands:
+
+| Instead of | Use | Savings |
+|-----------|-----|---------|
+| `git status` | `rtk git status` | ~80% |
+| `git diff` | `rtk git diff` | ~75% |
+| `git log` | `rtk git log` | ~80% |
+| `git add/commit/push/pull` | `rtk git add/commit/push/pull` | ~90% |
+| `ls` / `ls -la` | `rtk ls` | ~80% |
+| `cat file` | `rtk read file` | ~70% |
+| `grep pattern .` | `rtk grep pattern .` | ~80% |
+| `rg pattern` | `rtk grep pattern .` | ~80% |
+| `npm test` / `cargo test` / `pytest` | `rtk test <cmd>` | ~90% |
+| `npm run build` / `cargo build` | `rtk err <cmd>` | ~80% |
+| `gh pr list/view` | `rtk gh pr list/view` | ~70% |
+| `docker ps` | `rtk docker ps` | ~80% |
+| `eslint` / `tsc` | `rtk lint` / `rtk tsc` | ~80% |
+
+## Searching Inside `node_modules` / Ignored Directories
+
+By default, `rtk grep` respects `.gitignore` rules — meaning `node_modules`, `.nuxt`, `dist`, etc. are **excluded**. This is the right behavior 99% of the time.
+
+When you **need** to search inside ignored directories (debugging a library, checking an API signature, tracing a dependency bug):
+
+```bash
+# Search all files including node_modules (--no-ignore bypasses .gitignore)
+rtk grep "defineStore" . --no-ignore
+
+# Search a specific package only (combine --no-ignore with --glob)
+rtk grep "defineStore" . --no-ignore --glob 'node_modules/pinia/**'
+```
+
+**What does NOT work:**
+- `rtk grep "pattern" node_modules/pinia/` — still excluded even with direct path
+- `rtk grep "pattern" . --glob 'node_modules/**'` — glob alone doesn't override .gitignore
+
+**Key flag: `--no-ignore`** — this is the ONLY way to search ignored directories with rtk grep.
+
+### Other useful `rtk grep` flags
+
+```bash
+rtk grep "pattern" . -t ts          # Filter by file type (ts, py, rust, etc.)
+rtk grep "pattern" . -m 100         # Increase max results (default: 50)
+rtk grep "pattern" . -u             # Ultra-compact mode (even fewer tokens)
+rtk grep "pattern" . -l 120         # Max line length before truncation (default: 80)
+```
+
+## Commands to NOT Wrap
+
+Do NOT prefix these with `rtk` (unsupported or counterproductive):
+
+- `npx`, `npm install`, `pip install` (package managers)
+- `node`, `python3`, `ruby` (interpreters)
+- `nano-brain`, `openspec`, `opencode` (custom tools)
+- Heredocs (`<<EOF`)
+- Piped commands (`cmd1 | cmd2`) — wrap only the first command if applicable
+- Commands already prefixed with `rtk`
+
+## How RTK Works
+
+```
+Without RTK:  git status → 50 lines raw output → 2,000 tokens
+With RTK:     rtk git status → "3 modified, 1 untracked ✓" → 200 tokens
+```
+
+RTK runs the real command, then filters/compresses the output. The agent sees a compact summary instead of verbose raw output.
+
+## Detection
+
+Before using RTK commands, verify it's installed:
+```bash
+rtk --version
+```
+
+If `rtk` is not found, skip this skill — run commands normally without the `rtk` prefix.
+
+## Token Savings Reference
+
+Typical 30-min coding session:
+- Without RTK: ~150,000 tokens
+- With RTK: ~45,000 tokens
+- **Savings: ~70%**
+
+Biggest wins: test output (`rtk test` — 90%), git operations (`rtk git` — 80%), file reading (`rtk read` — 70%).

package/dockerfiles/sandbox/skills/rtk-setup/SKILL.md

@@ -0,0 +1,118 @@
+---
+name: rtk-setup
+description: "One-time setup + ongoing enforcement of RTK (Rust Token Killer) across sessions and subagents. Persists RTK instructions to AGENTS.md and propagates to delegated tasks."
+compatibility: "OpenCode with RTK binary installed"
+metadata:
+  author: Sisyphus
+  version: "1.0.0"
+---
+
+# RTK Setup — Persistent RTK Enforcement
+
+This skill performs **setup** (persist RTK instructions) and **ongoing enforcement** (use rtk, propagate to subagents).
+
+## Phase 1: Detection (ALWAYS run first)
+
+Run these checks before anything else:
+
+```bash
+rtk --version
+```
+
+- If `rtk` is NOT found → **STOP**. Tell the user: "RTK is not installed. Install it first: `cargo install --git https://github.com/rtk-ai/rtk --locked`". Do NOT proceed with setup.
+- If `rtk` IS found → continue.
+
+### Check oh-my-opencode
+
+```bash
+ls ~/.config/opencode/oh-my-opencode.json 2>/dev/null
+```
+
+- If found → omo is installed. Note this for Phase 2.
+- If not found → skip omo-specific steps.
+
+## Phase 2: Setup (persist to AGENTS.md)
+
+Check BOTH of these files for the RTK managed block:
+
+1. **User-level**: `~/.config/opencode/AGENTS.md`
+2. **Project-level**: `./AGENTS.md` (current workspace)
+
+For EACH file, check if `<!-- RTK:START -->` exists. If it does NOT exist, **append** the following managed block to the file (create the file if it doesn't exist). NEVER replace existing content — only append.
+
+```markdown
+<!-- RTK:START -->
+<!-- Managed block - do not edit manually. Updated by: rtk-setup skill -->
+
+## RTK Token Optimizer
+
+This project uses **RTK** (Rust Token Killer) to reduce LLM token consumption by 60-90%.
+
+### Rules for ALL agents (including subagents)
+
+**ALWAYS** prefix these commands with `rtk`:
+
+| Command | Use instead |
+|---------|-------------|
+| `git status/diff/log/add/commit/push/pull` | `rtk git ...` |
+| `ls`, `ls -la` | `rtk ls` |
+| `cat file` | `rtk read file` |
+| `grep pattern .` / `rg pattern` | `rtk grep pattern .` |
+| `npm test` / `cargo test` / `pytest` | `rtk test <cmd>` |
+| `npm run build` / `cargo build` | `rtk err <cmd>` |
+| `gh pr list/view` | `rtk gh pr list/view` |
+| `docker ps` | `rtk docker ps` |
+| `eslint` / `tsc` | `rtk lint` / `rtk tsc` |
+
+**Do NOT** prefix: `npx`, `npm install`, `pip install`, `node`, `python3`, heredocs, piped commands.
+
+<!-- RTK:END -->
+```
+
+### If oh-my-opencode is installed
+
+After updating AGENTS.md files, check if the omo config at `~/.config/opencode/oh-my-opencode.json` has `prompt_append` fields on agents. If it does, inform the user:
+
+> "omo is installed. For maximum coverage, you can add RTK instructions to agent `prompt_append` fields in `oh-my-opencode.json`. This ensures subagents always use rtk even when AGENTS.md is not loaded. Want me to do this?"
+
+**Only modify `oh-my-opencode.json` if the user explicitly confirms.** If they confirm, append this line to the `prompt_append` of `sisyphus-junior` agent (the primary coder):
+
+```
+\n\nRTK: ALWAYS prefix shell commands with `rtk` when available (git, ls, grep, test, build). Example: `rtk git status` not `git status`.
+```
+
+Do NOT modify other agents' prompt_append unless asked.
+
+## Phase 3: Ongoing Enforcement (EVERY time this skill is loaded)
+
+### For the current agent
+
+From this point forward in this session, **you MUST**:
+
+1. **Use `rtk` prefix** for all supported shell commands (see table above)
+2. **Verify rtk is available** before first use: `rtk --version`
+3. If rtk is not available in the current environment, fall back to normal commands silently
+
+### For subagent delegation
+
+When delegating ANY task that involves shell commands (via `task()`, `delegate_task()`, or any delegation mechanism), **ALWAYS** add this to the `MUST DO` section of the delegation prompt:
+
+```
+- Use `rtk` prefix for shell commands when available (git, ls, grep, test, build). Run `rtk --version` first to check. If not installed, use normal commands. Examples: `rtk git status`, `rtk ls`, `rtk grep pattern .`, `rtk test npm test`.
+```
+
+This is NON-NEGOTIABLE. Subagents do not read AGENTS.md, so RTK instructions MUST be passed explicitly in every delegation prompt.
+
+### Quick reference for subagent prompts
+
+Copy-paste this one-liner into MUST DO sections:
+
+> Use `rtk` prefix for all shell commands (git, ls, grep, test, build, docker). Example: `rtk git status` not `git status`. If `rtk` is not found, use normal commands.
+
+## Summary
+
+| Phase | When | What |
+|-------|------|------|
+| Detection | Always first | Check rtk installed, check omo |
+| Setup | Once (idempotent) | Append RTK block to AGENTS.md (user + project) |
+| Enforcement | Every session | Use rtk yourself, propagate to all subagents |

package/lib/build-sandbox.sh

@@ -18,8 +18,6 @@ echo "🔄 Generating unified sandbox Dockerfile..."
 echo "   Tools: $TOOLS"
 
 GENERATE_ONLY=1 INSTALL_RTK="${INSTALL_RTK:-0}" \
-  INSTALL_PUP="${INSTALL_PUP:-0}" \
-  INSTALL_OD_HELPERS="${INSTALL_OD_HELPERS:-1}" \
   INSTALL_PLAYWRIGHT_MCP="${INSTALL_PLAYWRIGHT_MCP:-0}" \
   INSTALL_CHROME_DEVTOOLS_MCP="${INSTALL_CHROME_DEVTOOLS_MCP:-0}" \
   INSTALL_PLAYWRIGHT="${INSTALL_PLAYWRIGHT:-0}" \
@@ -67,10 +65,6 @@ if [[ -d "dockerfiles/base/skills" ]]; then
   cp -r "dockerfiles/base/skills" "$SANDBOX_DIR/"
 fi
 
-if [[ -d "dockerfiles/base/scripts" ]]; then
-  cp -r "dockerfiles/base/scripts" "$SANDBOX_DIR/"
-fi
-
 echo "✅ Dockerfile generated at $SANDBOX_DIR/Dockerfile"
 
 echo "🔨 Building ai-sandbox:latest..."

package/lib/install-base.sh

@@ -67,51 +67,6 @@ COPY skills/rtk-setup/SKILL.md /home/agent/.config/opencode/skills/rtk-setup/SKI
   fi
 fi
 
-if [[ "${INSTALL_PUP:-0}" -eq 1 ]]; then
-  echo "📦 Pup (Datadog CLI) will be installed in base image (multi-stage build)"
-  DOCKERFILE_BUILD_STAGES+='# Build Pup from source (multi-stage: only binary is kept, Rust toolchain discarded)
-FROM rust:bookworm AS pup-builder
-RUN cargo install --git https://github.com/DataDog/pup --locked
-'
-  ADDITIONAL_TOOLS_INSTALL+='# Install Pup - Datadog CLI for AI agents (built from source)
-COPY --from=pup-builder /usr/local/cargo/bin/pup /usr/local/bin/pup
-'
-  # Copy Pup OpenCode skill into build context so it can be COPY'd into the image
-  SCRIPT_BASE_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
-  PUP_SKILLS_SRC="${SCRIPT_BASE_DIR}/../skills"
-  if [[ -d "$PUP_SKILLS_SRC/dd-pup" ]]; then
-    mkdir -p "dockerfiles/base/skills/dd-pup"
-    cp "$PUP_SKILLS_SRC/dd-pup/SKILL.md" "dockerfiles/base/skills/dd-pup/SKILL.md"
-    ADDITIONAL_TOOLS_INSTALL+='# Install Pup OpenCode skill (auto-discovered by OpenCode agents)
-RUN mkdir -p /home/agent/.config/opencode/skills/dd-pup
-COPY skills/dd-pup/SKILL.md /home/agent/.config/opencode/skills/dd-pup/SKILL.md
-'
-    echo "  ✅ Pup OpenCode skill will be copied into container"
-  else
-    echo "  ⚠️  Pup skill not found at $PUP_SKILLS_SRC/dd-pup — skipping skill installation"
-  fi
-fi
-
-if [[ "${INSTALL_OD_HELPERS:-1}" -eq 1 ]]; then
-  echo "📦 open-design helper scripts (od-status, od-health) will be installed in base image"
-  # Copy helper scripts into build context so they can be COPY'd into the image
-  SCRIPT_BASE_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
-  OD_HELPERS_SRC="${SCRIPT_BASE_DIR}/../scripts"
-  if [[ -f "$OD_HELPERS_SRC/od-status" && -f "$OD_HELPERS_SRC/od-health" ]]; then
-    mkdir -p "dockerfiles/base/scripts"
-    cp "$OD_HELPERS_SRC/od-status" "dockerfiles/base/scripts/od-status"
-    cp "$OD_HELPERS_SRC/od-health" "dockerfiles/base/scripts/od-health"
-    ADDITIONAL_TOOLS_INSTALL+='# Install open-design helper scripts (od-status, od-health) for agent containers
-COPY scripts/od-status /usr/local/bin/od-status
-COPY scripts/od-health /usr/local/bin/od-health
-RUN chmod +x /usr/local/bin/od-status /usr/local/bin/od-health
-'
-    echo "  ✅ open-design helpers will be copied into container"
-  else
-    echo "  ⚠️  open-design helpers not found at $OD_HELPERS_SRC — skipping"
-  fi
-fi
-
 if [[ "${INSTALL_PLAYWRIGHT:-0}" -eq 1 ]]; then
   echo "📦 Playwright will be installed in base image"
   ADDITIONAL_TOOLS_INSTALL+='# Install Playwright system dependencies

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@kokorolx/ai-sandbox-wrapper",
-  "version": "3.4.3-beta.2",
+  "version": "3.4.3",
   "description": "Docker-based security sandbox for AI coding agents. Isolate Claude, Gemini, Aider, and other AI tools from your host system.",
   "keywords": [
     "ai",

package/setup.sh

@@ -281,8 +281,8 @@ echo "📁 Legacy workspaces file: $WORKSPACES_FILE"
 WORKSPACE="${WORKSPACES[0]}"
 
 # Tool definitions
-TOOL_OPTIONS="amp,opencode,openclaw,open-design,droid,claude,gemini,kilo,qwen,codex,qoder,auggie,codebuddy,jules,shai"
-TOOL_DESCS="AI coding assistant from @sourcegraph/amp,Open-source coding tool from opencode-ai,OpenClaw AI gateway (Docker Compose),Open Design daemon (HTTP service — agent-driven design generation),Factory CLI from factory.ai,Claude Code CLI from Anthropic,Google Gemini CLI (free tier),AI pair programmer (Git-native),Kilo Code (500+ models),Alibaba Qwen CLI (1M context),OpenAI Codex terminal agent,Qoder AI CLI assistant,Augment Auggie CLI,Tencent CodeBuddy CLI,Google Jules CLI,OVHcloud SHAI agent"
+TOOL_OPTIONS="amp,opencode,openclaw,droid,claude,gemini,kilo,qwen,codex,qoder,auggie,codebuddy,jules,shai"
+TOOL_DESCS="AI coding assistant from @sourcegraph/amp,Open-source coding tool from opencode-ai,OpenClaw AI gateway (Docker Compose),Factory CLI from factory.ai,Claude Code CLI from Anthropic,Google Gemini CLI (free tier),AI pair programmer (Git-native),Kilo Code (500+ models),Alibaba Qwen CLI (1M context),OpenAI Codex terminal agent,Qoder AI CLI assistant,Augment Auggie CLI,Tencent CodeBuddy CLI,Google Jules CLI,OVHcloud SHAI agent"
 
 # Pre-select previously installed tools
 PRESELECTED_TOOLS=""
@@ -303,7 +303,7 @@ echo "Installing tools: ${TOOLS[*]}"
 
 CONTAINERIZED_TOOLS=()
 for tool in "${TOOLS[@]}"; do
-  if [[ "$tool" =~ ^(amp|opencode|openclaw|open-design|claude|aider|droid|gemini|kilo|qwen|codex|qoder|auggie|codebuddy|jules|shai)$ ]]; then
+  if [[ "$tool" =~ ^(amp|opencode|openclaw|claude|aider|droid|gemini|kilo|qwen|codex|qoder|auggie|codebuddy|jules|shai)$ ]]; then
     CONTAINERIZED_TOOLS+=("$tool")
   fi
 done
@@ -311,8 +311,8 @@ done
 echo ""
 if [[ ${#CONTAINERIZED_TOOLS[@]} -gt 0 ]]; then
   # Category 1: AI Enhancement Tools (spec-driven development, UI/UX, browser automation)
-  AI_TOOL_OPTIONS="spec-kit,ux-ui-promax,openspec,playwright,rtk,pup,open-design"
-  AI_TOOL_DESCS="Spec-driven development toolkit,UI/UX design intelligence tool,OpenSpec - spec-driven development,Browser automation + Chromium/Firefox/WebKit (~500MB),RTK token optimizer - reduces LLM token usage by 60-90% (~5MB),Datadog Pup CLI - AI-agent-ready observability CLI (~10MB),Open Design daemon - AI design generation service (port 7456)"
+  AI_TOOL_OPTIONS="spec-kit,ux-ui-promax,openspec,playwright,rtk"
+  AI_TOOL_DESCS="Spec-driven development toolkit,UI/UX design intelligence tool,OpenSpec - spec-driven development,Browser automation + Chromium/Firefox/WebKit (~500MB),RTK token optimizer - reduces LLM token usage by 60-90% (~5MB)"
 
   multi_select "Select AI Enhancement Tools (installed in containers)" "$AI_TOOL_OPTIONS" "$AI_TOOL_DESCS"
   AI_ENHANCEMENT_TOOLS=("${SELECTED_ITEMS[@]}")
@@ -390,8 +390,6 @@ if [[ $NEEDS_BASE_IMAGE -eq 1 ]]; then
   INSTALL_CHROME_DEVTOOLS_MCP="${INSTALL_CHROME_DEVTOOLS_MCP:-0}"
   INSTALL_PLAYWRIGHT_MCP="${INSTALL_PLAYWRIGHT_MCP:-0}"
   INSTALL_RTK="${INSTALL_RTK:-0}"
-  INSTALL_PUP="${INSTALL_PUP:-0}"
-  INSTALL_OPEN_DESIGN="${INSTALL_OPEN_DESIGN:-0}"
 
   for addon in "${ADDITIONAL_TOOLS[@]}"; do
     case "$addon" in
@@ -419,16 +417,10 @@ if [[ $NEEDS_BASE_IMAGE -eq 1 ]]; then
       rtk)
         INSTALL_RTK=1
         ;;
-      pup)
-        INSTALL_PUP=1
-        ;;
-      open-design)
-        INSTALL_OPEN_DESIGN=1
-        ;;
     esac
   done
 
-  export INSTALL_SPEC_KIT INSTALL_UX_UI_PROMAX INSTALL_OPENSPEC INSTALL_PLAYWRIGHT INSTALL_RUBY INSTALL_CHROME_DEVTOOLS_MCP INSTALL_PLAYWRIGHT_MCP INSTALL_RTK INSTALL_PUP INSTALL_OPEN_DESIGN
+  export INSTALL_SPEC_KIT INSTALL_UX_UI_PROMAX INSTALL_OPENSPEC INSTALL_PLAYWRIGHT INSTALL_RUBY INSTALL_CHROME_DEVTOOLS_MCP INSTALL_PLAYWRIGHT_MCP INSTALL_RTK
   
   # Save MCP selections to ~/.ai-sandbox/config.json for ai-run auto-configuration
   SANDBOX_CONFIG="$HOME/.ai-sandbox/config.json"
@@ -443,54 +435,6 @@ if [[ $NEEDS_BASE_IMAGE -eq 1 ]]; then
     jq --argjson mcp "$MCP_INSTALLED" '.mcp.installed = $mcp' "$SANDBOX_CONFIG" > "$SANDBOX_CONFIG.tmp" && mv "$SANDBOX_CONFIG.tmp" "$SANDBOX_CONFIG"
     chmod 600 "$SANDBOX_CONFIG"
     echo "✅ MCP tool selections saved to config"
-
-    # Auto-detect host browser for ai-run's "Host Chrome CDP mode". That mode
-    # is gated on .mcp.chromePath being set in config.json, but setup never
-    # wrote it -- users had to manually edit the file. Detect a sensible
-    # default the first time an MCP browser tool is selected; preserve any
-    # existing value the user set themselves.
-    if [[ "$INSTALL_CHROME_DEVTOOLS_MCP" -eq 1 || "$INSTALL_PLAYWRIGHT_MCP" -eq 1 ]]; then
-      EXISTING_CHROME_PATH=$(jq -r '.mcp.chromePath // empty' "$SANDBOX_CONFIG" 2>/dev/null)
-      if [[ -z "$EXISTING_CHROME_PATH" ]]; then
-        DETECTED_CHROME_PATH=""
-        case "$(uname -s)" in
-          Darwin)
-            # Stable Chrome first, then Chromium, then popular forks.
-            for candidate in \
-              "/Applications/Google Chrome.app/Contents/MacOS/Google Chrome" \
-              "/Applications/Chromium.app/Contents/MacOS/Chromium" \
-              "/Applications/Brave Browser.app/Contents/MacOS/Brave Browser" \
-              "/Applications/Microsoft Edge.app/Contents/MacOS/Microsoft Edge" \
-              "/Applications/Arc.app/Contents/MacOS/Arc"; do
-              if [[ -f "$candidate" ]]; then
-                DETECTED_CHROME_PATH="$candidate"
-                break
-              fi
-            done
-            ;;
-          Linux)
-            for cmd in google-chrome-stable google-chrome chromium chromium-browser brave-browser microsoft-edge; do
-              if command -v "$cmd" &>/dev/null; then
-                DETECTED_CHROME_PATH=$(command -v "$cmd")
-                break
-              fi
-            done
-            ;;
-        esac
-
-        if [[ -n "$DETECTED_CHROME_PATH" ]]; then
-          jq --arg path "$DETECTED_CHROME_PATH" '.mcp.chromePath = $path' "$SANDBOX_CONFIG" > "$SANDBOX_CONFIG.tmp" \
-            && mv "$SANDBOX_CONFIG.tmp" "$SANDBOX_CONFIG"
-          chmod 600 "$SANDBOX_CONFIG"
-          echo "🌐 Host browser detected for CDP: $DETECTED_CHROME_PATH"
-          echo "   (ai-run will launch this with --remote-debugging-port for MCP browser tools.)"
-          echo "   To change or disable, edit .mcp.chromePath in $SANDBOX_CONFIG"
-        else
-          echo "ℹ️  No host browser auto-detected for CDP mode."
-          echo "   To enable, set .mcp.chromePath in $SANDBOX_CONFIG to a Chrome/Chromium binary."
-        fi
-      fi
-    fi
   fi
 fi
 
@@ -504,14 +448,8 @@ TOOLS="$TOOLS_CSV" \
   INSTALL_CHROME_DEVTOOLS_MCP="$INSTALL_CHROME_DEVTOOLS_MCP" \
   INSTALL_PLAYWRIGHT_MCP="$INSTALL_PLAYWRIGHT_MCP" \
   INSTALL_RTK="$INSTALL_RTK" \
-  INSTALL_PUP="$INSTALL_PUP" \
   bash "$SCRIPT_DIR/lib/build-sandbox.sh"
 
-# Install open-design as a separate daemon container (not part of sandbox image)
-if [[ "${INSTALL_OPEN_DESIGN:-0}" -eq 1 ]]; then
-  bash "$SCRIPT_DIR/lib/install-open-design.sh"
-fi
-
 OLD_IMAGES=()
 for tool in "${TOOLS[@]}"; do
   if docker image inspect "ai-${tool}:latest" &>/dev/null; then
@@ -600,9 +538,6 @@ if [[ ${#ADDITIONAL_TOOLS[@]} -gt 0 ]]; then
       rtk)
         echo "  rtk - Token optimizer for AI coding agents (60-90% savings)"
         ;;
-      open-design)
-        echo "  open-design - AI design generation daemon (port 7456)"
-        ;;
     esac
   done
 fi