@kokorolx/ai-sandbox-wrapper 3.4.3 → 4.0.0

package/lib/install-open-design.sh

@@ -0,0 +1,60 @@
+#!/usr/bin/env bash
+set -e
+
+dockerfile_snippet() {
+  cat <<'SNIPPET'
+# open-design is a service-type tool (long-running daemon)
+# It uses its own upstream image, not ai-base
+# This snippet is included for convention only; the base image builder
+# does NOT inline open-design (it runs as a separate container)
+SNIPPET
+}
+
+if [[ "${SNIPPET_MODE:-}" == "1" ]]; then
+  return 0 2>/dev/null || exit 0
+fi
+
+TOOL="open-design"
+# NOTE: upstream vanjayak/open-design currently publishes only the 'latest' tag (as of 2026-05).
+# When upstream starts publishing version tags (e.g., 0.8.0-preview), pin via OPEN_DESIGN_IMAGE_TAG
+# or OPEN_DESIGN_IMAGE to avoid breaking changes.
+OPEN_DESIGN_IMAGE_TAG="${OPEN_DESIGN_IMAGE_TAG:-latest}"
+OPEN_DESIGN_IMAGE="${OPEN_DESIGN_IMAGE:-docker.io/vanjayak/open-design:${OPEN_DESIGN_IMAGE_TAG}}"
+OPEN_DESIGN_VERSION="${OPEN_DESIGN_VERSION:-${OPEN_DESIGN_IMAGE_TAG}}"
+
+echo "Installing $TOOL (Open Design daemon — long-running HTTP service)..."
+echo "  Upstream image: $OPEN_DESIGN_IMAGE"
+
+mkdir -p "dockerfiles/$TOOL"
+mkdir -p "$HOME/.ai-sandbox/tools/$TOOL/home"
+
+# Generate Dockerfile (idempotent — overwrites existing)
+cat > "dockerfiles/$TOOL/Dockerfile" <<EOF
+FROM $OPEN_DESIGN_IMAGE
+
+# Force daemon to bind on all interfaces inside the container.
+# Bearer token auth (OD_API_TOKEN env) protects the daemon.
+ENV OD_BIND_HOST=0.0.0.0
+
+# Document the port (publishing is controlled by ai-run --expose)
+EXPOSE 7456
+
+# Daemon entrypoint is provided by upstream image (do not override)
+EOF
+
+# Build image
+echo "Building Docker image for $TOOL..."
+docker build ${DOCKER_NO_CACHE:+--no-cache} -t "ai-$TOOL:latest" "dockerfiles/$TOOL"
+
+echo "✅ $TOOL installed (Open Design daemon)"
+echo ""
+echo "Features:"
+echo "  ✓ Long-running HTTP daemon (port 7456 inside container)"
+echo "  ✓ Bearer token auth (OD_API_TOKEN)"
+echo "  ✓ Persistent state via named volume (ai-open-design-data)"
+echo "  ✓ Internal-only by default (use --expose to publish to host)"
+echo ""
+echo "Usage:"
+echo "  ai-run open-design init     # one-time: generate token, network, volume"
+echo "  ai-run open-design start    # boot daemon"
+echo "  ai-run open-design status   # check health"

package/lib/install-openclaw.sh

@@ -26,11 +26,11 @@ if [[ ! -d "$OPENCLAW_REPO_DIR/.git" ]]; then
   git clone https://github.com/openclaw/openclaw.git "$OPENCLAW_REPO_DIR"
 else
   echo "📦 OpenClaw repository already exists, pulling latest..."
-  cd "$OPENCLAW_REPO_DIR"
+  cd "$OPENCLAW_REPO_DIR" || exit 1
   git pull origin main || git pull origin master || true
 fi
 
-cd "$OPENCLAW_REPO_DIR"
+cd "$OPENCLAW_REPO_DIR" || exit 1
 
 # Build OpenClaw Docker image using their docker-compose
 echo "🔨 Building OpenClaw Docker image..."

package/lib/install-opencode.sh

@@ -4,9 +4,12 @@ set -e
 dockerfile_snippet() {
   cat <<'SNIPPET'
 USER root
-RUN curl -fsSL https://opencode.ai/install | bash && \
+ENV HOME=/root
+RUN curl -fsSL --retry 3 --retry-delay 5 https://opencode.ai/install | bash && \
     mv /root/.opencode/bin/opencode /usr/local/bin/opencode && \
     rm -rf /root/.opencode
+USER agent
+ENV HOME=/home/agent
 SNIPPET
 }
 
@@ -32,11 +35,13 @@ if [[ -n "$OPENCODE_VERSION" ]]; then
 FROM ai-base:latest
 
 USER root
-RUN curl -fsSL https://opencode.ai/install | bash -s -- --version $OPENCODE_VERSION && \\
+ENV HOME=/root
+RUN curl -fsSL --retry 3 --retry-delay 5 https://opencode.ai/install | bash -s -- --version $OPENCODE_VERSION && \\
     mv /root/.opencode/bin/opencode /usr/local/bin/opencode && \\
     rm -rf /root/.opencode
 
 USER agent
+ENV HOME=/home/agent
 ENTRYPOINT ["opencode"]
 EOF
 else
@@ -44,11 +49,13 @@ else
 FROM ai-base:latest
 
 USER root
-RUN curl -fsSL https://opencode.ai/install | bash && \
+ENV HOME=/root
+RUN curl -fsSL --retry 3 --retry-delay 5 https://opencode.ai/install | bash && \
     mv /root/.opencode/bin/opencode /usr/local/bin/opencode && \
     rm -rf /root/.opencode
 
 USER agent
+ENV HOME=/home/agent
 ENTRYPOINT ["opencode"]
 EOF
 fi

package/lib/playwright-mcp-config.sh

@@ -189,6 +189,7 @@ pmcp::with_lock() {
     sleep 0.1
     waited=$((waited + 1))
   done
+  # shellcheck disable=SC2064  # intentional: capture $mutex value at trap definition time
   trap "rmdir '$mutex' 2>/dev/null || true" EXIT
   "$@"
   local rc=$?

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@kokorolx/ai-sandbox-wrapper",
-  "version": "3.4.3",
+  "version": "4.0.0",
   "description": "Docker-based security sandbox for AI coding agents. Isolate Claude, Gemini, Aider, and other AI tools from your host system.",
   "keywords": [
     "ai",

package/setup.sh

@@ -281,8 +281,8 @@ echo "📁 Legacy workspaces file: $WORKSPACES_FILE"
 WORKSPACE="${WORKSPACES[0]}"
 
 # Tool definitions
-TOOL_OPTIONS="amp,opencode,openclaw,droid,claude,gemini,kilo,qwen,codex,qoder,auggie,codebuddy,jules,shai"
-TOOL_DESCS="AI coding assistant from @sourcegraph/amp,Open-source coding tool from opencode-ai,OpenClaw AI gateway (Docker Compose),Factory CLI from factory.ai,Claude Code CLI from Anthropic,Google Gemini CLI (free tier),AI pair programmer (Git-native),Kilo Code (500+ models),Alibaba Qwen CLI (1M context),OpenAI Codex terminal agent,Qoder AI CLI assistant,Augment Auggie CLI,Tencent CodeBuddy CLI,Google Jules CLI,OVHcloud SHAI agent"
+TOOL_OPTIONS="amp,opencode,openclaw,open-design,droid,claude,gemini,kilo,qwen,codex,qoder,auggie,codebuddy,jules,shai"
+TOOL_DESCS="AI coding assistant from @sourcegraph/amp,Open-source coding tool from opencode-ai,OpenClaw AI gateway (Docker Compose),Open Design daemon (HTTP service — agent-driven design generation),Factory CLI from factory.ai,Claude Code CLI from Anthropic,Google Gemini CLI (free tier),AI pair programmer (Git-native),Kilo Code (500+ models),Alibaba Qwen CLI (1M context),OpenAI Codex terminal agent,Qoder AI CLI assistant,Augment Auggie CLI,Tencent CodeBuddy CLI,Google Jules CLI,OVHcloud SHAI agent"
 
 # Pre-select previously installed tools
 PRESELECTED_TOOLS=""
@@ -303,7 +303,7 @@ echo "Installing tools: ${TOOLS[*]}"
 
 CONTAINERIZED_TOOLS=()
 for tool in "${TOOLS[@]}"; do
-  if [[ "$tool" =~ ^(amp|opencode|openclaw|claude|aider|droid|gemini|kilo|qwen|codex|qoder|auggie|codebuddy|jules|shai)$ ]]; then
+  if [[ "$tool" =~ ^(amp|opencode|openclaw|open-design|claude|aider|droid|gemini|kilo|qwen|codex|qoder|auggie|codebuddy|jules|shai)$ ]]; then
     CONTAINERIZED_TOOLS+=("$tool")
   fi
 done
@@ -311,8 +311,8 @@ done
 echo ""
 if [[ ${#CONTAINERIZED_TOOLS[@]} -gt 0 ]]; then
   # Category 1: AI Enhancement Tools (spec-driven development, UI/UX, browser automation)
-  AI_TOOL_OPTIONS="spec-kit,ux-ui-promax,openspec,playwright,rtk"
-  AI_TOOL_DESCS="Spec-driven development toolkit,UI/UX design intelligence tool,OpenSpec - spec-driven development,Browser automation + Chromium/Firefox/WebKit (~500MB),RTK token optimizer - reduces LLM token usage by 60-90% (~5MB)"
+  AI_TOOL_OPTIONS="spec-kit,ux-ui-promax,openspec,playwright,rtk,pup,open-design"
+  AI_TOOL_DESCS="Spec-driven development toolkit,UI/UX design intelligence tool,OpenSpec - spec-driven development,Browser automation + Chromium/Firefox/WebKit (~500MB),RTK token optimizer - reduces LLM token usage by 60-90% (~5MB),Datadog Pup CLI - AI-agent-ready observability CLI (~10MB),Open Design daemon - AI design generation service (port 7456)"
 
   multi_select "Select AI Enhancement Tools (installed in containers)" "$AI_TOOL_OPTIONS" "$AI_TOOL_DESCS"
   AI_ENHANCEMENT_TOOLS=("${SELECTED_ITEMS[@]}")
@@ -390,6 +390,8 @@ if [[ $NEEDS_BASE_IMAGE -eq 1 ]]; then
   INSTALL_CHROME_DEVTOOLS_MCP="${INSTALL_CHROME_DEVTOOLS_MCP:-0}"
   INSTALL_PLAYWRIGHT_MCP="${INSTALL_PLAYWRIGHT_MCP:-0}"
   INSTALL_RTK="${INSTALL_RTK:-0}"
+  INSTALL_PUP="${INSTALL_PUP:-0}"
+  INSTALL_OPEN_DESIGN="${INSTALL_OPEN_DESIGN:-0}"
 
   for addon in "${ADDITIONAL_TOOLS[@]}"; do
     case "$addon" in
@@ -417,10 +419,16 @@ if [[ $NEEDS_BASE_IMAGE -eq 1 ]]; then
       rtk)
         INSTALL_RTK=1
         ;;
+      pup)
+        INSTALL_PUP=1
+        ;;
+      open-design)
+        INSTALL_OPEN_DESIGN=1
+        ;;
     esac
   done
 
-  export INSTALL_SPEC_KIT INSTALL_UX_UI_PROMAX INSTALL_OPENSPEC INSTALL_PLAYWRIGHT INSTALL_RUBY INSTALL_CHROME_DEVTOOLS_MCP INSTALL_PLAYWRIGHT_MCP INSTALL_RTK
+  export INSTALL_SPEC_KIT INSTALL_UX_UI_PROMAX INSTALL_OPENSPEC INSTALL_PLAYWRIGHT INSTALL_RUBY INSTALL_CHROME_DEVTOOLS_MCP INSTALL_PLAYWRIGHT_MCP INSTALL_RTK INSTALL_PUP INSTALL_OPEN_DESIGN
   
   # Save MCP selections to ~/.ai-sandbox/config.json for ai-run auto-configuration
   SANDBOX_CONFIG="$HOME/.ai-sandbox/config.json"
@@ -435,6 +443,54 @@ if [[ $NEEDS_BASE_IMAGE -eq 1 ]]; then
     jq --argjson mcp "$MCP_INSTALLED" '.mcp.installed = $mcp' "$SANDBOX_CONFIG" > "$SANDBOX_CONFIG.tmp" && mv "$SANDBOX_CONFIG.tmp" "$SANDBOX_CONFIG"
     chmod 600 "$SANDBOX_CONFIG"
     echo "✅ MCP tool selections saved to config"
+
+    # Auto-detect host browser for ai-run's "Host Chrome CDP mode". That mode
+    # is gated on .mcp.chromePath being set in config.json, but setup never
+    # wrote it -- users had to manually edit the file. Detect a sensible
+    # default the first time an MCP browser tool is selected; preserve any
+    # existing value the user set themselves.
+    if [[ "$INSTALL_CHROME_DEVTOOLS_MCP" -eq 1 || "$INSTALL_PLAYWRIGHT_MCP" -eq 1 ]]; then
+      EXISTING_CHROME_PATH=$(jq -r '.mcp.chromePath // empty' "$SANDBOX_CONFIG" 2>/dev/null)
+      if [[ -z "$EXISTING_CHROME_PATH" ]]; then
+        DETECTED_CHROME_PATH=""
+        case "$(uname -s)" in
+          Darwin)
+            # Stable Chrome first, then Chromium, then popular forks.
+            for candidate in \
+              "/Applications/Google Chrome.app/Contents/MacOS/Google Chrome" \
+              "/Applications/Chromium.app/Contents/MacOS/Chromium" \
+              "/Applications/Brave Browser.app/Contents/MacOS/Brave Browser" \
+              "/Applications/Microsoft Edge.app/Contents/MacOS/Microsoft Edge" \
+              "/Applications/Arc.app/Contents/MacOS/Arc"; do
+              if [[ -f "$candidate" ]]; then
+                DETECTED_CHROME_PATH="$candidate"
+                break
+              fi
+            done
+            ;;
+          Linux)
+            for cmd in google-chrome-stable google-chrome chromium chromium-browser brave-browser microsoft-edge; do
+              if command -v "$cmd" &>/dev/null; then
+                DETECTED_CHROME_PATH=$(command -v "$cmd")
+                break
+              fi
+            done
+            ;;
+        esac
+
+        if [[ -n "$DETECTED_CHROME_PATH" ]]; then
+          jq --arg path "$DETECTED_CHROME_PATH" '.mcp.chromePath = $path' "$SANDBOX_CONFIG" > "$SANDBOX_CONFIG.tmp" \
+            && mv "$SANDBOX_CONFIG.tmp" "$SANDBOX_CONFIG"
+          chmod 600 "$SANDBOX_CONFIG"
+          echo "🌐 Host browser detected for CDP: $DETECTED_CHROME_PATH"
+          echo "   (ai-run will launch this with --remote-debugging-port for MCP browser tools.)"
+          echo "   To change or disable, edit .mcp.chromePath in $SANDBOX_CONFIG"
+        else
+          echo "ℹ️  No host browser auto-detected for CDP mode."
+          echo "   To enable, set .mcp.chromePath in $SANDBOX_CONFIG to a Chrome/Chromium binary."
+        fi
+      fi
+    fi
   fi
 fi
 
@@ -448,8 +504,14 @@ TOOLS="$TOOLS_CSV" \
   INSTALL_CHROME_DEVTOOLS_MCP="$INSTALL_CHROME_DEVTOOLS_MCP" \
   INSTALL_PLAYWRIGHT_MCP="$INSTALL_PLAYWRIGHT_MCP" \
   INSTALL_RTK="$INSTALL_RTK" \
+  INSTALL_PUP="$INSTALL_PUP" \
   bash "$SCRIPT_DIR/lib/build-sandbox.sh"
 
+# Install open-design as a separate daemon container (not part of sandbox image)
+if [[ "${INSTALL_OPEN_DESIGN:-0}" -eq 1 ]]; then
+  bash "$SCRIPT_DIR/lib/install-open-design.sh"
+fi
+
 OLD_IMAGES=()
 for tool in "${TOOLS[@]}"; do
   if docker image inspect "ai-${tool}:latest" &>/dev/null; then
@@ -538,6 +600,9 @@ if [[ ${#ADDITIONAL_TOOLS[@]} -gt 0 ]]; then
       rtk)
         echo "  rtk - Token optimizer for AI coding agents (60-90% savings)"
         ;;
+      open-design)
+        echo "  open-design - AI design generation daemon (port 7456)"
+        ;;
     esac
   done
 fi

package/skills/dd-pup/SKILL.md

@@ -0,0 +1,186 @@
+---
+name: dd-pup
+description: "Datadog CLI (pup) for AI agents. OAuth2 auth with token refresh. Query logs, metrics, monitors, traces, and more."
+compatibility: "OpenCode with pup binary installed"
+metadata:
+  author: datadog-labs
+  version: "1.0.0"
+  repository: https://github.com/DataDog/pup
+---
+
+# pup (Datadog CLI)
+
+Pup CLI for Datadog API operations. Supports OAuth2 and API key auth.
+
+## Quick Reference
+
+| Task | Command |
+|------|---------|
+| Search error logs | `pup logs search --query "status:error" --from 1h` |
+| List monitors | `pup monitors list` |
+| Create downtime | `pup downtime create --file downtime.json` |
+| Find slow traces | `pup traces search --query="@duration:>500000000" --from="1h"` |
+| List incidents | `pup incidents list` |
+| Query metrics | `pup metrics query --query "avg:system.cpu.user{*}"` |
+| List hosts | `pup infrastructure hosts list` |
+| Check SLOs | `pup slos list` |
+| On-call teams | `pup on-call teams list` |
+| Security signals | `pup security signals list --query "*" --from 24h` |
+| Check auth | `pup auth status` |
+| Refresh token | `pup auth refresh` |
+
+## Prerequisites
+
+```bash
+# Install pup via Homebrew (recommended)
+brew tap datadog-labs/pack
+brew install pup
+
+# Or build from source
+cargo install --git https://github.com/DataDog/pup
+```
+
+## Auth
+
+```bash
+pup auth login    # OAuth2 browser flow (recommended)
+pup auth status   # Check token validity
+pup auth refresh  # Refresh expired token (no browser)
+pup auth logout   # Clear credentials
+```
+
+**⚠️ Tokens expire (~1 hour)**. If a command fails with 401/403:
+```bash
+pup auth refresh  # Try refresh first
+pup auth login    # If refresh fails, full re-auth
+```
+
+### Headless/CI (no browser)
+
+```bash
+export DD_API_KEY=your-api-key
+export DD_APP_KEY=your-app-key
+export DD_SITE=datadoghq.com  # or datadoghq.eu, etc.
+```
+
+## Command Reference
+
+### Monitors
+
+```bash
+pup monitors list --limit 10
+pup monitors list --tags "env:prod"
+pup monitors get 12345
+pup monitors search --query "High CPU"
+pup monitors create --file monitor.json
+pup monitors delete 12345
+```
+
+### Logs
+
+```bash
+pup logs search --query "status:error" --from 1h
+pup logs search --query "service:payment-api" --from 1h --limit 100
+pup logs aggregate --query "service:api" --compute count --from 1h
+```
+
+### Metrics
+
+```bash
+pup metrics query --query "avg:system.cpu.user{*}" --from 1h
+pup metrics list --filter "system.*"
+```
+
+### APM / Services
+
+```bash
+pup apm services list --env production
+pup apm services stats --env production
+pup apm dependencies list --env production
+```
+
+### Traces
+
+```bash
+pup traces search --query="service:api-gateway" --from="1h"
+pup traces search --query="service:api @duration:>1000000000" --from="1h"
+pup traces aggregate --query="service:api" --compute="avg(@duration)" --group-by="resource_name" --from="1h"
+```
+
+### Infrastructure / Hosts
+
+```bash
+pup infrastructure hosts list
+pup infrastructure hosts list --filter "env:prod"
+```
+
+### Dashboards
+
+```bash
+pup dashboards list
+pup dashboards get abc-123
+pup dashboards create --file dashboard.json
+```
+
+### SLOs
+
+```bash
+pup slos list
+pup slos get slo-123
+pup slos status slo-123 --from 30d --to now
+```
+
+### Security
+
+```bash
+pup security signals list --query "*" --from 24h
+pup security rules list
+```
+
+### Live Debugger
+
+```bash
+pup debugger context my-svc --env prod
+pup symdb search --service my-svc --query MyController --view probe-locations
+pup debugger probes create --service my-svc --env prod \
+  --probe-location "com.example.MyController:handleRequest" \
+  --capture "request.id" --ttl 1h
+pup debugger probes watch --fields "message,captures,timestamp" --timeout 60
+```
+
+## Subcommand Discovery
+
+```bash
+pup --help            # List all commands
+pup <cmd> --help      # Command-specific help
+pup agent schema      # Machine-readable output
+```
+
+## Error Handling
+
+| Error | Cause | Fix |
+|-------|-------|-----|
+| 401 Unauthorized | Token expired | `pup auth refresh` |
+| 403 Forbidden | Missing scope | Check app key permissions |
+| 404 Not Found | Wrong ID/resource | Verify resource exists |
+| Rate limited | Too many requests | Add delays between calls |
+
+## Sites
+
+| Site | `DD_SITE` value |
+|------|-----------------|
+| US1 (default) | `datadoghq.com` |
+| US3 | `us3.datadoghq.com` |
+| US5 | `us5.datadoghq.com` |
+| EU1 | `datadoghq.eu` |
+| AP1 | `ap1.datadoghq.com` |
+| US1-FED | `ddog-gov.com` |
+
+## Detection
+
+Before using pup commands, verify it's installed:
+```bash
+pup --version
+```
+
+If `pup` is not found, skip this skill.

package/dockerfiles/base/skills/rtk/SKILL.md

@@ -1,103 +0,0 @@
----
-name: rtk
-description: "Token optimizer for AI coding agents. Wraps common CLI commands with rtk to reduce LLM token consumption by 60-90%."
-compatibility: "OpenCode with RTK binary installed"
-metadata:
-  author: Sisyphus
-  version: "1.0.0"
----
-
-# RTK — Rust Token Killer
-
-**Purpose**: Reduce token consumption by 60-90% on shell commands. RTK filters and compresses command output before it reaches your context.
-
-## When This Skill Activates
-
-This skill is loaded automatically. Once active, **always** prefix supported commands with `rtk`.
-
-## Command Mappings (MANDATORY)
-
-When running shell commands via Bash tool, use `rtk` prefix for these commands:
-
-| Instead of | Use | Savings |
-|-----------|-----|---------|
-| `git status` | `rtk git status` | ~80% |
-| `git diff` | `rtk git diff` | ~75% |
-| `git log` | `rtk git log` | ~80% |
-| `git add/commit/push/pull` | `rtk git add/commit/push/pull` | ~90% |
-| `ls` / `ls -la` | `rtk ls` | ~80% |
-| `cat file` | `rtk read file` | ~70% |
-| `grep pattern .` | `rtk grep pattern .` | ~80% |
-| `rg pattern` | `rtk grep pattern .` | ~80% |
-| `npm test` / `cargo test` / `pytest` | `rtk test <cmd>` | ~90% |
-| `npm run build` / `cargo build` | `rtk err <cmd>` | ~80% |
-| `gh pr list/view` | `rtk gh pr list/view` | ~70% |
-| `docker ps` | `rtk docker ps` | ~80% |
-| `eslint` / `tsc` | `rtk lint` / `rtk tsc` | ~80% |
-
-## Searching Inside `node_modules` / Ignored Directories
-
-By default, `rtk grep` respects `.gitignore` rules — meaning `node_modules`, `.nuxt`, `dist`, etc. are **excluded**. This is the right behavior 99% of the time.
-
-When you **need** to search inside ignored directories (debugging a library, checking an API signature, tracing a dependency bug):
-
-```bash
-# Search all files including node_modules (--no-ignore bypasses .gitignore)
-rtk grep "defineStore" . --no-ignore
-
-# Search a specific package only (combine --no-ignore with --glob)
-rtk grep "defineStore" . --no-ignore --glob 'node_modules/pinia/**'
-```
-
-**What does NOT work:**
-- `rtk grep "pattern" node_modules/pinia/` — still excluded even with direct path
-- `rtk grep "pattern" . --glob 'node_modules/**'` — glob alone doesn't override .gitignore
-
-**Key flag: `--no-ignore`** — this is the ONLY way to search ignored directories with rtk grep.
-
-### Other useful `rtk grep` flags
-
-```bash
-rtk grep "pattern" . -t ts          # Filter by file type (ts, py, rust, etc.)
-rtk grep "pattern" . -m 100         # Increase max results (default: 50)
-rtk grep "pattern" . -u             # Ultra-compact mode (even fewer tokens)
-rtk grep "pattern" . -l 120         # Max line length before truncation (default: 80)
-```
-
-## Commands to NOT Wrap
-
-Do NOT prefix these with `rtk` (unsupported or counterproductive):
-
-- `npx`, `npm install`, `pip install` (package managers)
-- `node`, `python3`, `ruby` (interpreters)
-- `nano-brain`, `openspec`, `opencode` (custom tools)
-- Heredocs (`<<EOF`)
-- Piped commands (`cmd1 | cmd2`) — wrap only the first command if applicable
-- Commands already prefixed with `rtk`
-
-## How RTK Works
-
-```
-Without RTK:  git status → 50 lines raw output → 2,000 tokens
-With RTK:     rtk git status → "3 modified, 1 untracked ✓" → 200 tokens
-```
-
-RTK runs the real command, then filters/compresses the output. The agent sees a compact summary instead of verbose raw output.
-
-## Detection
-
-Before using RTK commands, verify it's installed:
-```bash
-rtk --version
-```
-
-If `rtk` is not found, skip this skill — run commands normally without the `rtk` prefix.
-
-## Token Savings Reference
-
-Typical 30-min coding session:
-- Without RTK: ~150,000 tokens
-- With RTK: ~45,000 tokens
-- **Savings: ~70%**
-
-Biggest wins: test output (`rtk test` — 90%), git operations (`rtk git` — 80%), file reading (`rtk read` — 70%).

package/dockerfiles/base/skills/rtk-setup/SKILL.md

@@ -1,118 +0,0 @@
----
-name: rtk-setup
-description: "One-time setup + ongoing enforcement of RTK (Rust Token Killer) across sessions and subagents. Persists RTK instructions to AGENTS.md and propagates to delegated tasks."
-compatibility: "OpenCode with RTK binary installed"
-metadata:
-  author: Sisyphus
-  version: "1.0.0"
----
-
-# RTK Setup — Persistent RTK Enforcement
-
-This skill performs **setup** (persist RTK instructions) and **ongoing enforcement** (use rtk, propagate to subagents).
-
-## Phase 1: Detection (ALWAYS run first)
-
-Run these checks before anything else:
-
-```bash
-rtk --version
-```
-
-- If `rtk` is NOT found → **STOP**. Tell the user: "RTK is not installed. Install it first: `cargo install --git https://github.com/rtk-ai/rtk --locked`". Do NOT proceed with setup.
-- If `rtk` IS found → continue.
-
-### Check oh-my-opencode
-
-```bash
-ls ~/.config/opencode/oh-my-opencode.json 2>/dev/null
-```
-
-- If found → omo is installed. Note this for Phase 2.
-- If not found → skip omo-specific steps.
-
-## Phase 2: Setup (persist to AGENTS.md)
-
-Check BOTH of these files for the RTK managed block:
-
-1. **User-level**: `~/.config/opencode/AGENTS.md`
-2. **Project-level**: `./AGENTS.md` (current workspace)
-
-For EACH file, check if `<!-- RTK:START -->` exists. If it does NOT exist, **append** the following managed block to the file (create the file if it doesn't exist). NEVER replace existing content — only append.
-
-```markdown
-<!-- RTK:START -->
-<!-- Managed block - do not edit manually. Updated by: rtk-setup skill -->
-
-## RTK Token Optimizer
-
-This project uses **RTK** (Rust Token Killer) to reduce LLM token consumption by 60-90%.
-
-### Rules for ALL agents (including subagents)
-
-**ALWAYS** prefix these commands with `rtk`:
-
-| Command | Use instead |
-|---------|-------------|
-| `git status/diff/log/add/commit/push/pull` | `rtk git ...` |
-| `ls`, `ls -la` | `rtk ls` |
-| `cat file` | `rtk read file` |
-| `grep pattern .` / `rg pattern` | `rtk grep pattern .` |
-| `npm test` / `cargo test` / `pytest` | `rtk test <cmd>` |
-| `npm run build` / `cargo build` | `rtk err <cmd>` |
-| `gh pr list/view` | `rtk gh pr list/view` |
-| `docker ps` | `rtk docker ps` |
-| `eslint` / `tsc` | `rtk lint` / `rtk tsc` |
-
-**Do NOT** prefix: `npx`, `npm install`, `pip install`, `node`, `python3`, heredocs, piped commands.
-
-<!-- RTK:END -->
-```
-
-### If oh-my-opencode is installed
-
-After updating AGENTS.md files, check if the omo config at `~/.config/opencode/oh-my-opencode.json` has `prompt_append` fields on agents. If it does, inform the user:
-
-> "omo is installed. For maximum coverage, you can add RTK instructions to agent `prompt_append` fields in `oh-my-opencode.json`. This ensures subagents always use rtk even when AGENTS.md is not loaded. Want me to do this?"
-
-**Only modify `oh-my-opencode.json` if the user explicitly confirms.** If they confirm, append this line to the `prompt_append` of `sisyphus-junior` agent (the primary coder):
-
-```
-\n\nRTK: ALWAYS prefix shell commands with `rtk` when available (git, ls, grep, test, build). Example: `rtk git status` not `git status`.
-```
-
-Do NOT modify other agents' prompt_append unless asked.
-
-## Phase 3: Ongoing Enforcement (EVERY time this skill is loaded)
-
-### For the current agent
-
-From this point forward in this session, **you MUST**:
-
-1. **Use `rtk` prefix** for all supported shell commands (see table above)
-2. **Verify rtk is available** before first use: `rtk --version`
-3. If rtk is not available in the current environment, fall back to normal commands silently
-
-### For subagent delegation
-
-When delegating ANY task that involves shell commands (via `task()`, `delegate_task()`, or any delegation mechanism), **ALWAYS** add this to the `MUST DO` section of the delegation prompt:
-
-```
-- Use `rtk` prefix for shell commands when available (git, ls, grep, test, build). Run `rtk --version` first to check. If not installed, use normal commands. Examples: `rtk git status`, `rtk ls`, `rtk grep pattern .`, `rtk test npm test`.
-```
-
-This is NON-NEGOTIABLE. Subagents do not read AGENTS.md, so RTK instructions MUST be passed explicitly in every delegation prompt.
-
-### Quick reference for subagent prompts
-
-Copy-paste this one-liner into MUST DO sections:
-
-> Use `rtk` prefix for all shell commands (git, ls, grep, test, build, docker). Example: `rtk git status` not `git status`. If `rtk` is not found, use normal commands.
-
-## Summary
-
-| Phase | When | What |
-|-------|------|------|
-| Detection | Always first | Check rtk installed, check omo |
-| Setup | Once (idempotent) | Append RTK block to AGENTS.md (user + project) |
-| Enforcement | Every session | Use rtk yourself, propagate to all subagents |