@kokorolx/ai-sandbox-wrapper 3.4.3 → 4.0.0

package/bin/ai-run

@@ -141,6 +141,290 @@ else
   TOOL=""
 fi
 
+# ────────────────────────────────────────────────────────────────
+# OPEN-DESIGN SERVICE-TYPE TOOL DISPATCHER
+# Unlike ephemeral CLI tools, open-design is a long-running daemon.
+# Routes init/start/stop/restart/status/logs subcommands and exits.
+# ────────────────────────────────────────────────────────────────
+if [[ "$TOOL" == "open-design" ]]; then
+  OD_CONTAINER_NAME="ai-open-design"
+  OD_IMAGE="ai-open-design:latest"
+  OD_NETWORK="ai-sandbox"
+  OD_VOLUME="ai-open-design-data"
+  OD_ENV_FILE="$HOME/.ai-sandbox/env"
+  OD_DEFAULT_URL="http://ai-open-design:7456"
+
+  od_print_help() {
+    cat <<HLP
+Usage: ai-run open-design <subcommand> [options]
+
+Subcommands:
+  init [--force]              One-time setup: generate API token, create network/volume
+  start [--expose] [--port N] Boot daemon (detached). --expose publishes port to host
+  stop                        Stop daemon (preserves container for restart)
+  restart [start-flags...]    Stop then start
+  status                      Show daemon state, network, port, token, health
+  logs [-f|--follow]          Show daemon logs (-f to follow)
+  --help, -h                  Show this help
+
+Examples:
+  ai-run open-design init
+  ai-run open-design start
+  ai-run open-design start --expose            # publishes 7456 to host
+  ai-run open-design start --expose --port 17456
+  ai-run open-design status
+HLP
+  }
+
+  od_env_has_token() {
+    [[ -f "$OD_ENV_FILE" ]] && grep -q "^OD_API_TOKEN=" "$OD_ENV_FILE"
+  }
+
+  od_read_token() {
+    [[ -f "$OD_ENV_FILE" ]] && grep "^OD_API_TOKEN=" "$OD_ENV_FILE" | head -1 | cut -d= -f2-
+  }
+
+  od_init() {
+    local force=false
+    if [[ "${1:-}" == "--force" ]]; then
+      force=true
+    fi
+
+    mkdir -p "$(dirname "$OD_ENV_FILE")"
+    touch "$OD_ENV_FILE"
+    chmod 600 "$OD_ENV_FILE"
+
+    if od_env_has_token && [[ "$force" != "true" ]]; then
+      echo "ℹ️  OD_API_TOKEN already set in $OD_ENV_FILE — nothing to do"
+      echo "    Use 'ai-run open-design init --force' to regenerate (will invalidate running sessions)"
+    else
+      if [[ "$force" == "true" ]] && od_env_has_token; then
+        printf "⚠️  This will replace the existing OD_API_TOKEN. Continue? [y/N] "
+        read -r confirm
+        if [[ "$confirm" != "y" && "$confirm" != "Y" ]]; then
+          echo "Aborted."
+          exit 0
+        fi
+        # Strip existing OD_API_TOKEN line
+        if [[ "$(uname)" == "Darwin" ]]; then
+          sed -i '' '/^OD_API_TOKEN=/d' "$OD_ENV_FILE"
+        else
+          sed -i '/^OD_API_TOKEN=/d' "$OD_ENV_FILE"
+        fi
+      fi
+      if ! command -v openssl >/dev/null 2>&1; then
+        echo "❌ ERROR: 'openssl' is required to generate a token" >&2
+        exit 1
+      fi
+      local token
+      token="$(openssl rand -hex 32)"
+      # Ensure trailing newline before append to avoid joining with previous line
+      if [[ -s "$OD_ENV_FILE" && -n "$(tail -c 1 "$OD_ENV_FILE" 2>/dev/null)" ]]; then
+        echo "" >> "$OD_ENV_FILE"
+      fi
+      echo "OD_API_TOKEN=$token" >> "$OD_ENV_FILE"
+      echo "✅ Generated OD_API_TOKEN (256-bit, written to $OD_ENV_FILE)"
+    fi
+
+    # Ensure OD_DAEMON_URL line
+    if ! grep -q "^OD_DAEMON_URL=" "$OD_ENV_FILE"; then
+      if [[ -s "$OD_ENV_FILE" && -n "$(tail -c 1 "$OD_ENV_FILE" 2>/dev/null)" ]]; then
+        echo "" >> "$OD_ENV_FILE"
+      fi
+      echo "OD_DAEMON_URL=$OD_DEFAULT_URL" >> "$OD_ENV_FILE"
+      echo "✅ Set OD_DAEMON_URL=$OD_DEFAULT_URL in $OD_ENV_FILE"
+    fi
+
+    chmod 600 "$OD_ENV_FILE"
+
+    # Ensure network
+    if ensure_network "$OD_NETWORK"; then
+      echo "✅ Docker network '$OD_NETWORK' ready"
+    fi
+
+    # Ensure volume
+    if ! docker volume inspect "$OD_VOLUME" >/dev/null 2>&1; then
+      docker volume create "$OD_VOLUME" >/dev/null
+      echo "✅ Docker volume '$OD_VOLUME' created"
+    else
+      echo "ℹ️  Docker volume '$OD_VOLUME' already exists"
+    fi
+
+    echo ""
+    echo "Next: ai-run open-design start"
+  }
+
+  od_start() {
+    local expose=false
+    local host_port=7456
+
+    while [[ $# -gt 0 ]]; do
+      case "$1" in
+        --expose) expose=true; shift ;;
+        --port)
+          shift
+          if [[ $# -gt 0 && "$1" =~ ^[0-9]+$ ]]; then
+            if (( $1 < 1 || $1 > 65535 )); then
+              echo "❌ ERROR: --port value '$1' out of range (1-65535)" >&2; exit 1
+            fi
+            host_port="$1"
+            shift
+          else
+            echo "❌ ERROR: --port requires a numeric value (e.g. 7456)" >&2; exit 1
+          fi
+          ;;
+        *) echo "❌ ERROR: unknown start flag: $1" >&2; exit 1 ;;
+      esac
+    done
+
+    if ! od_env_has_token; then
+      echo "❌ ERROR: OD_API_TOKEN not found in $OD_ENV_FILE"
+      echo "    Run: ai-run open-design init"
+      exit 1
+    fi
+
+    if ! docker image inspect "$OD_IMAGE" >/dev/null 2>&1; then
+      echo "❌ ERROR: image '$OD_IMAGE' not built"
+      echo "    Run: bash lib/install-open-design.sh"
+      exit 1
+    fi
+
+    ensure_network "$OD_NETWORK" || exit 1
+    docker volume inspect "$OD_VOLUME" >/dev/null 2>&1 || docker volume create "$OD_VOLUME" >/dev/null
+
+    # If a container with this name exists, handle it gracefully
+    if docker ps -a --format '{{.Names}}' | grep -q "^${OD_CONTAINER_NAME}$"; then
+      if docker ps --format '{{.Names}}' | grep -q "^${OD_CONTAINER_NAME}$"; then
+        echo "ℹ️  '$OD_CONTAINER_NAME' is already running"
+        echo "    Use 'ai-run open-design restart' to apply new flags"
+        return 0
+      else
+        echo "🔄 Removing stopped container '$OD_CONTAINER_NAME' to recreate with current flags..."
+        docker rm "$OD_CONTAINER_NAME" >/dev/null
+      fi
+    fi
+
+    local run_args=(
+      run -d
+      --name "$OD_CONTAINER_NAME"
+      --network "$OD_NETWORK"
+      --restart unless-stopped
+      -v "$OD_VOLUME:/app/.od"
+      --env-file "$OD_ENV_FILE"
+      -p "127.0.0.1:${host_port}:7456"
+    )
+
+    if [[ "$expose" == "true" ]]; then
+      echo "ℹ️  Port ${host_port} already published by default (127.0.0.1:${host_port}:7456)"
+    fi
+
+    run_args+=("$OD_IMAGE")
+
+    echo "🔄 Starting $OD_CONTAINER_NAME..."
+    docker "${run_args[@]}" >/dev/null
+    echo "✅ $OD_CONTAINER_NAME running on network '$OD_NETWORK'"
+    echo "   Published to host: http://localhost:${host_port}"
+  }
+
+  od_stop() {
+    if docker ps --format '{{.Names}}' | grep -q "^${OD_CONTAINER_NAME}$"; then
+      echo "🔄 Stopping $OD_CONTAINER_NAME..."
+      docker stop "$OD_CONTAINER_NAME" >/dev/null
+      echo "✅ $OD_CONTAINER_NAME stopped (data preserved in volume '$OD_VOLUME')"
+    else
+      echo "ℹ️  $OD_CONTAINER_NAME is not running"
+    fi
+  }
+
+  od_restart() {
+    od_stop
+    od_start "$@"
+  }
+
+  od_status() {
+    echo "Container : $OD_CONTAINER_NAME"
+    if docker ps --format '{{.Names}}' | grep -q "^${OD_CONTAINER_NAME}$"; then
+      echo "State     : running"
+      local uptime
+      uptime="$(docker inspect -f '{{.State.StartedAt}}' "$OD_CONTAINER_NAME" 2>/dev/null || echo unknown)"
+      echo "Started   : $uptime"
+      local ports
+      ports="$(docker inspect -f '{{json .NetworkSettings.Ports}}' "$OD_CONTAINER_NAME" 2>/dev/null || echo '{}')"
+      echo "Ports     : $ports"
+    elif docker ps -a --format '{{.Names}}' | grep -q "^${OD_CONTAINER_NAME}$"; then
+      echo "State     : stopped"
+      echo "   Hint   : ai-run open-design start"
+    else
+      echo "State     : not installed"
+      echo "   Hint   : ai-run open-design init && ai-run open-design start"
+    fi
+
+    echo "Network   : $OD_NETWORK"
+    echo "Volume    : $OD_VOLUME"
+    if od_env_has_token; then
+      local tok
+      tok="$(od_read_token)"
+      echo "API token : set (***${tok: -4})"
+    else
+      echo "API token : (unset — run 'ai-run open-design init')"
+    fi
+
+    # Try health check (only meaningful if container is running)
+    if docker ps --format '{{.Names}}' | grep -q "^${OD_CONTAINER_NAME}$"; then
+      # Try in-container curl first (fast path); fall back to one-off container on same network
+      # because upstream daemon image may not bundle curl
+      local health_ok=false
+      if docker exec "$OD_CONTAINER_NAME" sh -c 'command -v curl' >/dev/null 2>&1; then
+        if docker exec "$OD_CONTAINER_NAME" curl -sf --max-time 3 http://127.0.0.1:7456/api/health >/dev/null 2>&1; then
+          health_ok=true
+        fi
+      else
+        # Fallback: probe via a tiny one-off container in the same network
+        if docker run --rm --network "$OD_NETWORK" curlimages/curl:latest \
+            -sf --max-time 3 "http://${OD_CONTAINER_NAME}:7456/api/health" >/dev/null 2>&1; then
+          health_ok=true
+        fi
+      fi
+      if [[ "$health_ok" == "true" ]]; then
+        echo "Health    : OK"
+      else
+        echo "Health    : FAIL (daemon not responding on /api/health)"
+      fi
+    fi
+  }
+
+  od_logs() {
+    if ! docker ps -a --format '{{.Names}}' | grep -q "^${OD_CONTAINER_NAME}$"; then
+      echo "❌ ERROR: container '$OD_CONTAINER_NAME' does not exist" >&2
+      exit 1
+    fi
+    docker logs "$@" "$OD_CONTAINER_NAME"
+  }
+
+  # Dispatch subcommand
+  SUBCMD="${1:-}"
+  if [[ -n "$SUBCMD" ]]; then shift; fi
+  case "$SUBCMD" in
+    init)    od_init "$@" ;;
+    start)   od_start "$@" ;;
+    stop)    od_stop ;;
+    restart) od_restart "$@" ;;
+    status)  od_status ;;
+    logs)    od_logs "$@" ;;
+    --help|-h|"") od_print_help ;;
+    *)
+      echo "❌ ERROR: unknown subcommand '$SUBCMD'" >&2
+      echo ""
+      od_print_help
+      exit 1
+      ;;
+  esac
+  exit 0
+fi
+# ────────────────────────────────────────────────────────────────
+# END OPEN-DESIGN DISPATCHER
+# ────────────────────────────────────────────────────────────────
+
 # Handle no tool specified
 if [[ -z "$TOOL" ]]; then
   if [[ ! -t 0 ]] || [[ ! -t 1 ]]; then
@@ -810,6 +1094,20 @@ unset -f _pmcp_resolve_script_dir
 
 if [[ "$TOOL" == "opencode" ]] && command -v jq &>/dev/null && [[ -f "$AI_SANDBOX_CONFIG" ]] && declare -f pmcp::sanitize_name >/dev/null; then
   PLAYWRIGHT_HOST_CHROME=$(jq -r '.mcp.chromePath // empty' "$AI_SANDBOX_CONFIG" 2>/dev/null)
+  if [[ -n "$PLAYWRIGHT_HOST_CHROME" ]] && [[ -f "$PLAYWRIGHT_HOST_CHROME" ]]; then
+    # Ask user whether to open host Chrome browser
+    if [[ -t 0 ]]; then
+      echo ""
+      echo "🌐 Host Chrome browser is configured: $PLAYWRIGHT_HOST_CHROME"
+      printf "   Open browser for AI agent? [y/N] "
+      read -r -t 10 OPEN_CHROME_ANSWER || OPEN_CHROME_ANSWER=""
+      echo ""
+      if [[ ! "$OPEN_CHROME_ANSWER" =~ ^[Yy]$ ]]; then
+        echo "   ⏭️  Skipping host Chrome (using container Chromium if available)"
+        PLAYWRIGHT_HOST_CHROME=""
+      fi
+    fi
+  fi
   if [[ -n "$PLAYWRIGHT_HOST_CHROME" ]] && [[ -f "$PLAYWRIGHT_HOST_CHROME" ]]; then
     HOST_CHROME_CDP=true
     echo "🌐 Host Chrome CDP mode: $PLAYWRIGHT_HOST_CHROME"
@@ -1000,6 +1298,19 @@ get_network_containers() {
   docker network inspect "$network" --format '{{range .Containers}}{{.Name}} {{end}}' 2>/dev/null | xargs | tr ' ' ', '
 }
 
+# Ensure shared Docker network exists for cross-container service discovery
+# (e.g., agent containers reaching the open-design daemon by name)
+ensure_network() {
+  local net="${1:-ai-sandbox}"
+  if ! docker network inspect "$net" >/dev/null 2>&1; then
+    docker network create "$net" >/dev/null 2>&1 || {
+      echo "⚠️  WARNING: failed to create Docker network '$net'" >&2
+      return 1
+    }
+  fi
+  return 0
+}
+
 # Interactive network selection menu (multi-select)
 show_network_menu() {
   local compose_nets=()
@@ -2597,7 +2908,15 @@ fi
 
 # Nano-brain targeted preflight + auto-repair wrapper
 if [[ "$SHELL_MODE" == "true" ]] && [[ "$NANO_BRAIN_AUTO_REPAIR" == "true" ]] && [[ "${DOCKER_COMMAND[0]:-}" == "-c" ]]; then
-  DOCKER_COMMAND[1]="$NANO_BRAIN_SHELL_HOOK ${DOCKER_COMMAND[1]}"
+  # Separate hook from following command with newline so bash parses them
+  # as distinct statements. Without this, the hook's trailing `export -f`
+  # line gets joined with the next `echo` call, producing:
+  #   export -f nano_brain_shell_wrapper npx echo ''; echo '...'
+  # which makes bash try to `export -f echo` (a builtin, not a function)
+  # and `export -f ''` (empty name), emitting two harmless but ugly errors:
+  #   bash: line 68: export: echo: not a function
+  #   bash: line 68: export: : not a function
+  DOCKER_COMMAND[1]="$NANO_BRAIN_SHELL_HOOK"$'\n'"${DOCKER_COMMAND[1]}"
 fi
 
 if [[ "$SHELL_MODE" != "true" ]] && is_nano_brain_command; then
@@ -2739,12 +3058,23 @@ DOCKER_ARGS+=($TOOL_CONFIG_MOUNTS)
 DOCKER_ARGS+=($RG_COMPAT_MOUNT)
 DOCKER_ARGS+=($GIT_MOUNTS)
 DOCKER_ARGS+=($SSH_AGENT_ENV)
+# Default to ai-sandbox network for service discovery if user didn't specify.
+# Only add --network if creation succeeded; otherwise Docker uses its default bridge.
+if [[ -z "$NETWORK_OPTIONS" ]]; then
+  if ensure_network "ai-sandbox" >/dev/null 2>&1; then
+    DOCKER_ARGS+=(--network ai-sandbox)
+  fi
+fi
 DOCKER_ARGS+=($NETWORK_OPTIONS)
 DOCKER_ARGS+=($DISPLAY_FLAGS)
 DOCKER_ARGS+=($HOST_ACCESS_ARGS)
 DOCKER_ARGS+=($PORT_MAPPINGS)
 DOCKER_ARGS+=($OPENCODE_PASSWORD_ENV)
 DOCKER_ARGS+=(-v "$HOME_DIR":/home/agent)
+# Auto-mount open-design data volume read-only so agents can read generated artifacts
+if docker volume inspect ai-open-design-data >/dev/null 2>&1; then
+  DOCKER_ARGS+=(-v "ai-open-design-data:/workspace/.od:ro")
+fi
 DOCKER_ARGS+=($SHARED_CACHE_MOUNTS)
 DOCKER_ARGS+=($NANO_BRAIN_MOUNT)
 DOCKER_ARGS+=(-w "$CURRENT_DIR")
@@ -2763,5 +3093,41 @@ DOCKER_ARGS+=($TERMINAL_SIZE)
 DOCKER_ARGS+=("$IMAGE")
 DOCKER_ARGS+=("${DOCKER_COMMAND[@]}")
 
+# Auto-start open-design daemon if image exists but container not running
+if docker image inspect ai-open-design:latest >/dev/null 2>&1; then
+  if ! docker ps --format '{{.Names}}' | grep -q "^ai-open-design$"; then
+    if [[ -t 0 && -t 1 ]]; then
+      printf "🎨 Open Design daemon is not running. Start it? [Y/n] "
+      read -r OD_ANSWER
+      if [[ ! "$OD_ANSWER" =~ ^[Nn]$ ]]; then
+        OD_ENV_FILE="$HOME/.ai-sandbox/env"
+        OD_NETWORK="ai-sandbox"
+        OD_VOLUME="ai-open-design-data"
+        # Auto-init if token missing
+        if ! grep -q "^OD_API_TOKEN=" "$OD_ENV_FILE" 2>/dev/null; then
+          mkdir -p "$(dirname "$OD_ENV_FILE")"
+          touch "$OD_ENV_FILE"
+          chmod 600 "$OD_ENV_FILE"
+          OD_TOKEN="$(openssl rand -hex 32)"
+          echo "OD_API_TOKEN=$OD_TOKEN" >> "$OD_ENV_FILE"
+          echo "OD_DAEMON_URL=http://ai-open-design:7456" >> "$OD_ENV_FILE"
+          echo "✅ Generated OD_API_TOKEN"
+        fi
+        # Ensure network and volume
+        docker network inspect "$OD_NETWORK" >/dev/null 2>&1 || docker network create "$OD_NETWORK" >/dev/null
+        docker volume inspect "$OD_VOLUME" >/dev/null 2>&1 || docker volume create "$OD_VOLUME" >/dev/null
+        # Remove stopped container if exists
+        if docker ps -a --format '{{.Names}}' | grep -q "^ai-open-design$"; then
+          docker rm ai-open-design >/dev/null 2>&1 || true
+        fi
+        docker run -d --name ai-open-design --network "$OD_NETWORK" \
+          --restart unless-stopped -v "$OD_VOLUME:/app/.od" \
+          --env-file "$OD_ENV_FILE" ai-open-design:latest >/dev/null
+        echo "✅ Open Design daemon started (http://ai-open-design:7456)"
+      fi
+    fi
+  fi
+fi
+
 # Execute docker run with proper argument handling
 docker run "${DOCKER_ARGS[@]}"

package/bin/cli.js

@@ -140,6 +140,8 @@ function runRebuild() {
     INSTALL_CHROME_DEVTOOLS_MCP: hasMcp('chrome-devtools') ? '1' : '0',
     INSTALL_PLAYWRIGHT_HOST: useHostChrome ? '1' : '0',
     INSTALL_RTK: '0',
+    INSTALL_PUP: '0',
+    INSTALL_OD_HELPERS: '1',
     INSTALL_SPEC_KIT: '0',
     INSTALL_UX_UI_PROMAX: '0',
     INSTALL_OPENSPEC: '0',

package/dockerfiles/base/Dockerfile

@@ -1,3 +1,6 @@
+# Build RTK from source (multi-stage: only binary is kept, Rust toolchain discarded)
+FROM rust:bookworm AS rtk-builder
+RUN cargo install --git https://github.com/rtk-ai/rtk --locked
 
 FROM node:22-bookworm-slim
 
@@ -23,6 +26,30 @@ RUN npm install -g typescript typescript-language-server pyright vscode-langserv
 RUN node --version && npm --version && pnpm --version && tsc --version
 
 # Install additional tools (if selected)
+RUN PIPX_HOME=/opt/pipx PIPX_BIN_DIR=/usr/local/bin pipx install specify-cli --pip-args="git+https://github.com/github/spec-kit.git" && \
+    chmod +x /usr/local/bin/specify && \
+    ln -sf /usr/local/bin/specify /usr/local/bin/specify-cli
+RUN mkdir -p /usr/local/lib/uipro-cli && \
+    cd /usr/local/lib/uipro-cli && \
+    npm init -y && \
+    npm install uipro-cli && \
+    ln -sf /usr/local/lib/uipro-cli/node_modules/.bin/uipro /usr/local/bin/uipro && \
+    ln -sf /usr/local/bin/uipro /usr/local/bin/uipro-cli && \
+    chmod -R 755 /usr/local/lib/uipro-cli && \
+    chmod +x /usr/local/bin/uipro
+RUN mkdir -p /usr/local/lib/openspec && \
+    cd /usr/local/lib/openspec && \
+    npm init -y && \
+    npm install @fission-ai/openspec && \
+    ln -sf /usr/local/lib/openspec/node_modules/.bin/openspec /usr/local/bin/openspec && \
+    chmod -R 755 /usr/local/lib/openspec && \
+    chmod +x /usr/local/bin/openspec
+# Install RTK - token optimizer for AI coding agents (built from source)
+COPY --from=rtk-builder /usr/local/cargo/bin/rtk /usr/local/bin/rtk
+# Install RTK OpenCode skills (auto-discovered by OpenCode agents)
+RUN mkdir -p /home/agent/.config/opencode/skills/rtk /home/agent/.config/opencode/skills/rtk-setup
+COPY skills/rtk/SKILL.md /home/agent/.config/opencode/skills/rtk/SKILL.md
+COPY skills/rtk-setup/SKILL.md /home/agent/.config/opencode/skills/rtk-setup/SKILL.md
 RUN apt-get update && apt-get install -y --no-install-recommends \
     libglib2.0-0 \
     libnspr4 \
@@ -56,11 +83,13 @@ RUN apt-get update && apt-get install -y --no-install-recommends \
 ENV PLAYWRIGHT_BROWSERS_PATH=/opt/playwright-browsers
 RUN mkdir -p /opt/playwright-browsers && \
     npm install -g @playwright/mcp@latest && \
-    touch /opt/.mcp-playwright-installed
+    npx playwright-core install --no-shell chromium && \
+    npx playwright-core install-deps chromium && \
+    chmod -R 777 /opt/playwright-browsers && \
+    ln -sf $(ls -d /opt/playwright-browsers/chromium-*/chrome-linux/chrome | sort -V | tail -1) /opt/chromium
 ENV CHROME_DEVTOOLS_MCP_NO_USAGE_STATISTICS=1
 RUN npm install -g chrome-devtools-mcp@latest && \
     touch /opt/.mcp-chrome-devtools-installed
-RUN touch /opt/.mcp-playwright-installed
 
 # Create workspace
 WORKDIR /workspace

package/dockerfiles/sandbox/Dockerfile

@@ -1,3 +1,6 @@
+# Build RTK from source (multi-stage: only binary is kept, Rust toolchain discarded)
+FROM rust:bookworm AS rtk-builder
+RUN cargo install --git https://github.com/rtk-ai/rtk --locked
 
 FROM node:22-bookworm-slim
 
@@ -23,6 +26,30 @@ RUN npm install -g typescript typescript-language-server pyright vscode-langserv
 RUN node --version && npm --version && pnpm --version && tsc --version
 
 # Install additional tools (if selected)
+RUN PIPX_HOME=/opt/pipx PIPX_BIN_DIR=/usr/local/bin pipx install specify-cli --pip-args="git+https://github.com/github/spec-kit.git" && \
+    chmod +x /usr/local/bin/specify && \
+    ln -sf /usr/local/bin/specify /usr/local/bin/specify-cli
+RUN mkdir -p /usr/local/lib/uipro-cli && \
+    cd /usr/local/lib/uipro-cli && \
+    npm init -y && \
+    npm install uipro-cli && \
+    ln -sf /usr/local/lib/uipro-cli/node_modules/.bin/uipro /usr/local/bin/uipro && \
+    ln -sf /usr/local/bin/uipro /usr/local/bin/uipro-cli && \
+    chmod -R 755 /usr/local/lib/uipro-cli && \
+    chmod +x /usr/local/bin/uipro
+RUN mkdir -p /usr/local/lib/openspec && \
+    cd /usr/local/lib/openspec && \
+    npm init -y && \
+    npm install @fission-ai/openspec && \
+    ln -sf /usr/local/lib/openspec/node_modules/.bin/openspec /usr/local/bin/openspec && \
+    chmod -R 755 /usr/local/lib/openspec && \
+    chmod +x /usr/local/bin/openspec
+# Install RTK - token optimizer for AI coding agents (built from source)
+COPY --from=rtk-builder /usr/local/cargo/bin/rtk /usr/local/bin/rtk
+# Install RTK OpenCode skills (auto-discovered by OpenCode agents)
+RUN mkdir -p /home/agent/.config/opencode/skills/rtk /home/agent/.config/opencode/skills/rtk-setup
+COPY skills/rtk/SKILL.md /home/agent/.config/opencode/skills/rtk/SKILL.md
+COPY skills/rtk-setup/SKILL.md /home/agent/.config/opencode/skills/rtk-setup/SKILL.md
 RUN apt-get update && apt-get install -y --no-install-recommends \
     libglib2.0-0 \
     libnspr4 \
@@ -56,11 +83,13 @@ RUN apt-get update && apt-get install -y --no-install-recommends \
 ENV PLAYWRIGHT_BROWSERS_PATH=/opt/playwright-browsers
 RUN mkdir -p /opt/playwright-browsers && \
     npm install -g @playwright/mcp@latest && \
-    touch /opt/.mcp-playwright-installed
+    npx playwright-core install --no-shell chromium && \
+    npx playwright-core install-deps chromium && \
+    chmod -R 777 /opt/playwright-browsers && \
+    ln -sf $(ls -d /opt/playwright-browsers/chromium-*/chrome-linux/chrome | sort -V | tail -1) /opt/chromium
 ENV CHROME_DEVTOOLS_MCP_NO_USAGE_STATISTICS=1
 RUN npm install -g chrome-devtools-mcp@latest && \
     touch /opt/.mcp-chrome-devtools-installed
-RUN touch /opt/.mcp-playwright-installed
 
 # Create workspace
 WORKDIR /workspace
@@ -77,13 +106,12 @@ RUN curl -fsSL https://opencode.ai/install | bash && \
     mv /root/.opencode/bin/opencode /usr/local/bin/opencode && \
     rm -rf /root/.opencode
 
-# === codex ===
+# === claude ===
 USER root
-RUN mkdir -p /usr/local/lib/codex && \
-    cd /usr/local/lib/codex && \
-    bun init -y && \
-    bun add @openai/codex && \
-    ln -s /usr/local/lib/codex/node_modules/.bin/codex /usr/local/bin/codex
+RUN export HOME=/root && curl -fsSL https://claude.ai/install.sh | bash && \
+    mkdir -p /usr/local/share && \
+    mv /root/.local/share/claude /usr/local/share/claude && \
+    ln -sf /usr/local/share/claude/versions/$(ls /usr/local/share/claude/versions | head -1) /usr/local/bin/claude
 USER agent
 
 USER agent

package/lib/build-sandbox.sh

@@ -9,7 +9,7 @@ fi
 
 SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
 PROJECT_DIR="$(cd "$SCRIPT_DIR/.." && pwd)"
-cd "$PROJECT_DIR"
+cd "$PROJECT_DIR" || exit 1
 
 SANDBOX_DIR="dockerfiles/sandbox"
 mkdir -p "$SANDBOX_DIR"
@@ -18,6 +18,8 @@ echo "🔄 Generating unified sandbox Dockerfile..."
 echo "   Tools: $TOOLS"
 
 GENERATE_ONLY=1 INSTALL_RTK="${INSTALL_RTK:-0}" \
+  INSTALL_PUP="${INSTALL_PUP:-0}" \
+  INSTALL_OD_HELPERS="${INSTALL_OD_HELPERS:-1}" \
   INSTALL_PLAYWRIGHT_MCP="${INSTALL_PLAYWRIGHT_MCP:-0}" \
   INSTALL_CHROME_DEVTOOLS_MCP="${INSTALL_CHROME_DEVTOOLS_MCP:-0}" \
   INSTALL_PLAYWRIGHT="${INSTALL_PLAYWRIGHT:-0}" \
@@ -51,6 +53,7 @@ BASE_PREAMBLE=$(echo "$BASE_CONTENT" | sed '/^USER agent$/,$d')
     fi
     
     echo "# === $tool ===" 
+    # shellcheck source=/dev/null
     SNIPPET_MODE=1 source "$INSTALL_SCRIPT"
     dockerfile_snippet
     echo ""
@@ -65,6 +68,10 @@ if [[ -d "dockerfiles/base/skills" ]]; then
   cp -r "dockerfiles/base/skills" "$SANDBOX_DIR/"
 fi
 
+if [[ -d "dockerfiles/base/scripts" ]]; then
+  cp -r "dockerfiles/base/scripts" "$SANDBOX_DIR/"
+fi
+
 echo "✅ Dockerfile generated at $SANDBOX_DIR/Dockerfile"
 
 echo "🔨 Building ai-sandbox:latest..."

package/lib/install-aider.sh

@@ -3,8 +3,9 @@ set -e
 
 dockerfile_snippet() {
   cat <<'SNIPPET'
+USER root
+RUN UV_TOOL_BIN_DIR=/usr/local/bin uv tool install aider-chat
 USER agent
-RUN python3 -m pip install --break-system-packages aider-install && aider-install
 SNIPPET
 }
 
@@ -24,9 +25,9 @@ mkdir -p "$HOME/.ai-sandbox/tools/$TOOL/home"
 # Create Dockerfile (extends base image which has Python)
 cat <<'EOF' > "dockerfiles/$TOOL/Dockerfile"
 FROM ai-base:latest
+USER root
+RUN UV_TOOL_BIN_DIR=/usr/local/bin uv tool install aider-chat
 USER agent
-# Install aider via aider-install
-RUN python3 -m pip install --break-system-packages aider-install && aider-install
 ENTRYPOINT ["aider"]
 EOF
 

package/lib/install-base.sh

@@ -67,6 +67,51 @@ COPY skills/rtk-setup/SKILL.md /home/agent/.config/opencode/skills/rtk-setup/SKI
   fi
 fi
 
+if [[ "${INSTALL_PUP:-0}" -eq 1 ]]; then
+  echo "📦 Pup (Datadog CLI) will be installed in base image (multi-stage build)"
+  DOCKERFILE_BUILD_STAGES+='# Build Pup from source (multi-stage: only binary is kept, Rust toolchain discarded)
+FROM rust:bookworm AS pup-builder
+RUN cargo install --git https://github.com/DataDog/pup --locked
+'
+  ADDITIONAL_TOOLS_INSTALL+='# Install Pup - Datadog CLI for AI agents (built from source)
+COPY --from=pup-builder /usr/local/cargo/bin/pup /usr/local/bin/pup
+'
+  # Copy Pup OpenCode skill into build context so it can be COPY'd into the image
+  SCRIPT_BASE_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+  PUP_SKILLS_SRC="${SCRIPT_BASE_DIR}/../skills"
+  if [[ -d "$PUP_SKILLS_SRC/dd-pup" ]]; then
+    mkdir -p "dockerfiles/base/skills/dd-pup"
+    cp "$PUP_SKILLS_SRC/dd-pup/SKILL.md" "dockerfiles/base/skills/dd-pup/SKILL.md"
+    ADDITIONAL_TOOLS_INSTALL+='# Install Pup OpenCode skill (auto-discovered by OpenCode agents)
+RUN mkdir -p /home/agent/.config/opencode/skills/dd-pup
+COPY skills/dd-pup/SKILL.md /home/agent/.config/opencode/skills/dd-pup/SKILL.md
+'
+    echo "  ✅ Pup OpenCode skill will be copied into container"
+  else
+    echo "  ⚠️  Pup skill not found at $PUP_SKILLS_SRC/dd-pup — skipping skill installation"
+  fi
+fi
+
+if [[ "${INSTALL_OD_HELPERS:-1}" -eq 1 ]]; then
+  echo "📦 open-design helper scripts (od-status, od-health) will be installed in base image"
+  # Copy helper scripts into build context so they can be COPY'd into the image
+  SCRIPT_BASE_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+  OD_HELPERS_SRC="${SCRIPT_BASE_DIR}/../scripts"
+  if [[ -f "$OD_HELPERS_SRC/od-status" && -f "$OD_HELPERS_SRC/od-health" ]]; then
+    mkdir -p "dockerfiles/base/scripts"
+    cp "$OD_HELPERS_SRC/od-status" "dockerfiles/base/scripts/od-status"
+    cp "$OD_HELPERS_SRC/od-health" "dockerfiles/base/scripts/od-health"
+    ADDITIONAL_TOOLS_INSTALL+='# Install open-design helper scripts (od-status, od-health) for agent containers
+COPY scripts/od-status /usr/local/bin/od-status
+COPY scripts/od-health /usr/local/bin/od-health
+RUN chmod +x /usr/local/bin/od-status /usr/local/bin/od-health
+'
+    echo "  ✅ open-design helpers will be copied into container"
+  else
+    echo "  ⚠️  open-design helpers not found at $OD_HELPERS_SRC — skipping"
+  fi
+fi
+
 if [[ "${INSTALL_PLAYWRIGHT:-0}" -eq 1 ]]; then
   echo "📦 Playwright will be installed in base image"
   ADDITIONAL_TOOLS_INSTALL+='# Install Playwright system dependencies
@@ -134,10 +179,7 @@ fi
 
 # MCP Tools for AI agent browser automation
 # Both tools share Playwright's Chromium (native ARM64/x86_64, avoids Puppeteer arch issues)
-MCP_BROWSER_INSTALLED=false
-
 if [[ "${INSTALL_CHROME_DEVTOOLS_MCP:-0}" -eq 1 ]] || [[ "${INSTALL_PLAYWRIGHT_MCP:-0}" -eq 1 ]]; then
-  MCP_BROWSER_INSTALLED=true
   echo "📦 Installing shared Chromium browser for MCP tools"
   ADDITIONAL_TOOLS_INSTALL+='RUN apt-get update && apt-get install -y --no-install-recommends \
     libglib2.0-0 \