@mseep/open-computer-use 1.0.0

package/helm/computer-use-server/values.schema.json

@@ -0,0 +1,183 @@
+{
+  "$schema": "https://json-schema.org/draft/2020-12/schema",
+  "$comment": "SPDX-License-Identifier: FSL-1.1-Apache-2.0 — Copyright (c) 2025 Open Computer Use Contributors",
+  "title": "computer-use-server Helm values",
+  "type": "object",
+  "additionalProperties": true,
+  "required": ["image", "orchestrator", "dind", "secrets", "persistence", "service"],
+  "properties": {
+    "image": {
+      "type": "object",
+      "required": ["repository"],
+      "properties": {
+        "repository": { "type": "string", "minLength": 1 },
+        "tag": { "type": "string" },
+        "pullPolicy": { "type": "string", "enum": ["Always", "IfNotPresent", "Never"] }
+      }
+    },
+    "workspaceImage": {
+      "type": "object",
+      "properties": {
+        "repository": { "type": "string" },
+        "tag": { "type": "string" }
+      }
+    },
+    "orchestrator": {
+      "type": "object",
+      "required": ["replicas", "env"],
+      "properties": {
+        "runtimeClassName": { "type": "string" },
+        "replicas": { "type": "integer", "const": 1, "$comment": "Multi-replica is unsupported — orchestrator owns the inner dockerd and RWO PVCs." },
+        "env": {
+          "type": "object",
+          "required": ["PUBLIC_BASE_URL"],
+          "properties": {
+            "PUBLIC_BASE_URL": { "type": "string", "minLength": 1, "$comment": "Browser-reachable URL of the orchestrator. Empty value breaks file preview links." }
+          }
+        }
+      }
+    },
+    "dind": {
+      "type": "object",
+      "required": ["image"],
+      "properties": {
+        "image": {
+          "type": "object",
+          "required": ["repository", "tag"],
+          "properties": {
+            "repository": { "type": "string" },
+            "tag": { "type": "string" }
+          }
+        },
+        "storageDriver": { "type": "string" },
+        "privileged": {
+          "type": ["boolean", "null"],
+          "$comment": "null => privileged auto-derived from runtimeClassName (legacy). Set true for Kata, false to force unprivileged."
+        },
+        "kataInit": {
+          "type": "object",
+          "properties": {
+            "enabled": { "type": "boolean", "$comment": "Enables the chart-managed Kata-guest entrypoint wrapper. Pair with a Kata runtimeClassName and dind.privileged=true." },
+            "extraPackages": { "type": "array", "items": { "type": "string" } }
+          }
+        }
+      }
+    },
+    "cleanup": {
+      "type": "object",
+      "properties": {
+        "enabled": { "type": "boolean" },
+        "containerMaxAgeHours": { "type": "integer", "minimum": 1 },
+        "dataMaxAgeDays": { "type": "integer", "minimum": 1 }
+      }
+    },
+    "secrets": {
+      "type": "object",
+      "$comment": "Either secrets.create=true with mcpApiKey, or secrets.existingSecret must be set.",
+      "oneOf": [
+        {
+          "properties": {
+            "create": { "const": true },
+            "mcpApiKey": { "type": "string", "minLength": 1 }
+          },
+          "required": ["create", "mcpApiKey"]
+        },
+        {
+          "properties": {
+            "existingSecret": { "type": "string", "minLength": 1 }
+          },
+          "required": ["existingSecret"]
+        }
+      ]
+    },
+    "persistence": {
+      "type": "object",
+      "required": ["userData", "data", "skillsCache", "varLibDocker"],
+      "properties": {
+        "userData": { "$ref": "#/$defs/pvcSpec" },
+        "data": { "$ref": "#/$defs/pvcSpec" },
+        "skillsCache": { "$ref": "#/$defs/pvcSpec" },
+        "varLibDocker": {
+          "type": "object",
+          "required": ["sizeLimit"],
+          "properties": {
+            "sizeLimit": { "type": "string" },
+            "persistentVolume": {
+              "type": "object",
+              "$comment": "Block-mode PVC for /var/lib/docker (the Kata default). Disable only for the runc fallback.",
+              "properties": {
+                "enabled": { "type": "boolean" },
+                "size": { "type": "string" },
+                "storageClass": { "type": "string" },
+                "existingClaim": { "type": "string" }
+              }
+            }
+          }
+        }
+      }
+    },
+    "service": {
+      "type": "object",
+      "required": ["type", "port"],
+      "properties": {
+        "type": { "type": "string", "enum": ["ClusterIP", "NodePort", "LoadBalancer"] },
+        "port": { "type": "integer", "minimum": 1, "maximum": 65535 }
+      }
+    },
+    "ingress": {
+      "type": "object",
+      "properties": {
+        "enabled": { "type": "boolean" }
+      }
+    },
+    "postgresql": false
+  },
+  "allOf": [
+    {
+      "$comment": "When a Kata RuntimeClass is used, the dind container must run privileged and the kata init wrapper must stay enabled.",
+      "if": {
+        "properties": {
+          "orchestrator": {
+            "properties": {
+              "runtimeClassName": { "type": "string", "pattern": "^kata" }
+            },
+            "required": ["runtimeClassName"]
+          }
+        },
+        "required": ["orchestrator"]
+      },
+      "then": {
+        "properties": {
+          "dind": {
+            "properties": {
+              "privileged": {
+                "not": { "const": false },
+                "$comment": "Kata needs a privileged dind container (caps confined to the microVM)."
+              },
+              "kataInit": {
+                "properties": {
+                  "enabled": {
+                    "not": { "const": false },
+                    "$comment": "The Kata guest init wrapper is required under a Kata runtime."
+                  }
+                }
+              }
+            }
+          }
+        }
+      }
+    }
+  ],
+  "$defs": {
+    "pvcSpec": {
+      "type": "object",
+      "properties": {
+        "enabled": { "type": "boolean" },
+        "size": { "type": "string" },
+        "storageClass": { "type": "string" },
+        "accessMode": { "type": "string", "enum": ["ReadWriteOnce", "ReadWriteOncePod"], "$comment": "Chart is single-replica by design (replicas: 1, owns inner dockerd). RWX/ROX would imply multi-replica which is unsupported." },
+        "existingClaim": { "type": "string" }
+      }
+    }
+  }
+}

package/helm/computer-use-server/values.yaml

@@ -0,0 +1,297 @@
+# SPDX-License-Identifier: FSL-1.1-Apache-2.0
+# Copyright (c) 2025 Open Computer Use Contributors
+#
+# Default values for computer-use-server.
+# See README.md for prerequisites and the full knob reference.
+# The inner Docker daemon runs under Kata Containers (microVM isolation) — the
+# supported DinD runtime. Setup guide: docs/kata-runtime.md.
+
+# -- Override the chart name. Useful when running multiple releases in one namespace.
+nameOverride: ""
+# -- Override the fully-qualified app name (release-name + chart name by default).
+fullnameOverride: ""
+
+image:
+  # -- Orchestrator image (the FastAPI server in computer-use-server/).
+  repository: ghcr.io/wide-moat/open-computer-use-server
+  # -- Defaults to .Chart.AppVersion when empty.
+  tag: ""
+  pullPolicy: IfNotPresent
+
+# Workspace image — the AI sandbox that the orchestrator spawns via the inner Docker.
+# This image is not pulled by Kubernetes directly; it is pulled by the inner dockerd
+# at first chat creation. The repo:tag is passed to the orchestrator as DOCKER_IMAGE.
+workspaceImage:
+  repository: ghcr.io/wide-moat/open-computer-use
+  tag: ""
+
+# -- imagePullSecrets are applied to the Pod for both orchestrator and dind images.
+imagePullSecrets: []
+
+orchestrator:
+  # runtimeClassName MUST match a RuntimeClass that already exists in the cluster.
+  # Values:
+  #   kata-qemu    Default, and the recommended runtime. Kata Containers —
+  #                install kata-deploy first (docs/kata-runtime.md). Works on
+  #                containerd 2.x and gives hypervisor (microVM) isolation. The
+  #                other dind.* / persistence defaults below assume this runtime.
+  #   "" (empty)   Stock runc + privileged dind. Functional, but INSECURE — the
+  #                inner daemon shares the host kernel and a container escape is
+  #                trivial. Local-testing escape hatch only; do not run it in
+  #                production. Also set dind.kataInit.enabled=false and
+  #                persistence.varLibDocker.persistentVolume.enabled=false.
+  runtimeClassName: kata-qemu
+
+  # Single replica is the only supported topology — the pod owns the inner dockerd
+  # and three RWO PVCs. Scaling out requires the K8sBackend rework (out of scope).
+  replicas: 1
+
+  resources:
+    requests:
+      cpu: 500m
+      memory: 1Gi
+    limits:
+      cpu: "4"
+      memory: 8Gi
+
+  # Non-secret env vars passed to the orchestrator. Secret vars live under .secrets.
+  env:
+    # REQUIRED. Browser-reachable URL of this service (no trailing slash).
+    # Baked into the system prompt so the model writes correct preview links and
+    # returned in the X-Public-Base-URL header so the Open WebUI filter agrees.
+    PUBLIC_BASE_URL: ""
+
+    COMMAND_TIMEOUT: "120"
+    SUB_AGENT_TIMEOUT: "3600"
+    CONTAINER_MEM_LIMIT: "2g"
+    CONTAINER_CPU_LIMIT: "1.0"
+    CONTAINER_IDLE_TIMEOUT: "600"
+    SINGLE_USER_MODE: "false"
+
+    # Path the inner dockerd creates owui-chat-* workspaces from. Must match the
+    # USER_DATA_BASE_PATH and BASE_DATA_DIR values from docker-compose.yml.
+    USER_DATA_BASE_PATH: /tmp/computer-use-data
+    BASE_DATA_DIR: /tmp/computer-use-data
+
+    # Talks to the inner dockerd over a unix socket shared via emptyDir.
+    DOCKER_SOCKET: unix:///var/run/docker.sock
+
+    # Workspace image is set automatically from .workspaceImage. Override here if needed.
+    # DOCKER_IMAGE: ""
+
+  # Operator escape hatch — appended to the container as-is.
+  # Example:
+  #   extraEnv:
+  #     - name: ANTHROPIC_BASE_URL
+  #       value: https://api.anthropic.com
+  extraEnv: []
+
+  # Add envFrom entries (existing ConfigMaps / Secrets) to the orchestrator container.
+  # Example:
+  #   envFrom:
+  #     - secretRef:
+  #         name: my-llm-creds
+  envFrom: []
+
+  # Liveness/readiness — orchestrator exposes /health on 8081.
+  probes:
+    liveness:
+      enabled: true
+      initialDelaySeconds: 30
+      periodSeconds: 30
+      timeoutSeconds: 10
+      failureThreshold: 3
+    readiness:
+      enabled: true
+      initialDelaySeconds: 10
+      periodSeconds: 10
+      timeoutSeconds: 5
+      failureThreshold: 3
+
+  securityContext:
+    runAsNonRoot: false  # the orchestrator image runs as root inside the pod
+    allowPrivilegeEscalation: true
+    # The orchestrator does NOT need privileged. Only the dind container does.
+
+  nodeSelector: {}
+  tolerations: []
+  affinity: {}
+
+dind:
+  # Image for the inner Docker daemon. Must accept the standard dockerd flags.
+  image:
+    repository: docker
+    tag: "27-dind"
+    pullPolicy: IfNotPresent
+  resources:
+    requests:
+      cpu: 500m
+      memory: 1Gi
+    limits:
+      cpu: "4"
+      memory: 8Gi
+  # storage driver passed to dockerd. The Kata default is fuse-overlayfs —
+  # overlay2 FAILS on the Kata virtio-fs guest root
+  # (kata-containers/kata-containers#1888); dind.kataInit installs fuse-overlayfs.
+  # If you run the insecure runc fallback, set this to overlay2.
+  storageDriver: fuse-overlayfs
+
+  # -- Explicit override of whether the dind container runs privileged.
+  # true (default) => REQUIRED for Kata: dockerd needs CAP_NET_ADMIN/CAP_NET_RAW
+  #   to build the iptables NAT chain, otherwise it fails with
+  #   "iptables: Could not fetch rule set generation id: Permission denied".
+  #   privileged=true is SAFE under Kata — the caps are confined to the microVM.
+  # false => force the dind container unprivileged.
+  # null  => auto-derive from orchestrator.runtimeClassName (empty => true,
+  #   set => false). Only useful for the runc fallback.
+  privileged: true
+
+  # -- Kata-guest init wrapper. Runs a chart-managed entrypoint that, before
+  # exec'ing dockerd:
+  #   (1) installs fuse-overlayfs (overlay2 fails on the Kata virtio-fs root)
+  #   (2) mknod /dev/fuse  (the Kata guest kernel has fuse but no device node)
+  #   (3) if persistence.varLibDocker.persistentVolume is enabled — mkfs.ext4 +
+  #       mounts the Block-mode PVC at /var/lib/docker
+  #   (4) runs the cgroup-v2 PID-1 evacuation shim (docker-library/docker#308) so
+  #       nested runc can enter cgroups inside the Kata guest
+  # Every step is idempotent and self-detecting. Set enabled=false only for the
+  # runc fallback. See docs/kata-runtime.md.
+  kataInit:
+    enabled: true
+    # extra apk packages installed at container start (idempotent, needs egress)
+    extraPackages: []
+
+cleanup:
+  enabled: true
+  image:
+    # Built from ./cron in the repo. Publish to your registry and point here.
+    repository: ghcr.io/wide-moat/open-computer-use-cleanup
+    tag: ""
+    pullPolicy: IfNotPresent
+  containerMaxAgeHours: 24
+  dataMaxAgeDays: 7
+  resources:
+    requests:
+      cpu: 50m
+      memory: 64Mi
+    limits:
+      cpu: 500m
+      memory: 256Mi
+
+secrets:
+  # When true, the chart renders a Secret from the values below. Convenient but
+  # bad for GitOps (values get committed). Prefer existingSecret in production.
+  create: true
+
+  # When set, ignored if .create is true. The chart adds this secret to envFrom on
+  # the orchestrator container. The secret must contain at least MCP_API_KEY.
+  existingSecret: ""
+
+  # REQUIRED unless using existingSecret. Bearer token for /mcp endpoint.
+  mcpApiKey: ""
+
+  visionApiKey: ""
+  anthropicAuthToken: ""
+  openaiApiKey: ""
+
+persistence:
+  # /tmp/computer-use-data — per-chat workspace data (uploads, outputs).
+  userData:
+    enabled: true
+    size: 20Gi
+    storageClass: ""
+    # Only ReadWriteOnce / ReadWriteOncePod are supported — chart is single-replica.
+    accessMode: ReadWriteOnce
+    existingClaim: ""
+
+  # /data — orchestrator long-lived state (mounted from compose volume `computer-use-data`).
+  data:
+    enabled: true
+    size: 5Gi
+    storageClass: ""
+    accessMode: ReadWriteOnce
+    existingClaim: ""
+
+  # /data/skills-cache — public skills cache used by skill_manager.
+  skillsCache:
+    enabled: true
+    size: 2Gi
+    storageClass: ""
+    accessMode: ReadWriteOnce
+    existingClaim: ""
+
+  # /var/lib/docker inside the dind container.
+  varLibDocker:
+    # sizeLimit applies to the emptyDir fallback (used when
+    # persistentVolume.enabled=false — i.e. only under the runc fallback).
+    sizeLimit: 50Gi
+    # -- Back /var/lib/docker with a Block-mode PVC (the Kata default).
+    # REQUIRED under Kata: the workspace image relies on security.capability
+    # xattrs, and the Kata virtio-fs root drops them (CVE-2021-20263), which
+    # breaks e.g. GStreamer binaries. A Block PVC arrives in the guest as a
+    # virtio-blk device; dind.kataInit formats it ext4, so xattrs are preserved.
+    # Set enabled=false only for the runc fallback. See docs/kata-runtime.md.
+    persistentVolume:
+      enabled: true
+      size: 50Gi
+      # Must reference a StorageClass that provisions Block volumes. Empty =>
+      # the cluster default StorageClass (which must be Block-capable).
+      storageClass: ""
+      # When set, the chart uses this claim instead of creating one.
+      existingClaim: ""
+
+service:
+  type: ClusterIP
+  port: 8081
+  annotations: {}
+
+ingress:
+  enabled: false
+  className: ""
+  annotations: {}
+  hosts:
+    - host: orchestrator.example.com
+      paths:
+        - path: /
+          pathType: Prefix
+  tls: []
+  # Example:
+  #   tls:
+  #     - hosts:
+  #         - orchestrator.example.com
+  #       secretName: orchestrator-tls
+
+networkPolicy:
+  enabled: false
+  # Allow incoming traffic from these pod selectors (in addition to same-namespace).
+  ingressFrom: []
+  # Example:
+  #   ingressFrom:
+  #     - namespaceSelector:
+  #         matchLabels:
+  #           name: open-webui
+
+  # Extra egress rules appended to the chart's defaults (DNS + in-cluster + 0.0.0.0/0).
+  # Use this to add explicit allow rules — e.g. limit egress to a specific
+  # external host, or whitelist your cloud metadata service.
+  extraEgress: []
+  # Example:
+  #   extraEgress:
+  #     - to:
+  #         - ipBlock:
+  #             cidr: 169.254.169.254/32  # cloud metadata
+  #       ports:
+  #         - protocol: TCP
+  #           port: 80
+
+podDisruptionBudget:
+  enabled: false
+  minAvailable: 1
+
+serviceAccount:
+  create: true
+  name: ""
+  annotations: {}
+
+podAnnotations: {}
+podLabels: {}

package/lychee.toml

@@ -0,0 +1,36 @@
+# SPDX-License-Identifier: FSL-1.1-Apache-2.0
+# Copyright (c) 2025 Open Computer Use Contributors
+#
+# lychee — broken link checker.
+# Reference: https://lychee.cli.rs/usage/config/
+#
+# Inputs (which files/dirs to scan) are passed as positional CLI args by the
+# workflow, not as a config-file key. This file only carries flags and
+# exclusions.
+
+# Skip these paths when expanding globs — legacy buffer (will be migrated)
+# and common noisy directories.
+exclude_path = [
+  "docs/future-architecture",
+  "node_modules",
+  ".venv",
+  ".planning",
+]
+
+# Match the forward-reference rule: a relative path that doesn't resolve on
+# disk is a broken link, period.
+include_fragments = true
+
+# Patterns to allow without HTTP checking (anchor-only refs, mailto, etc.).
+exclude = [
+  '^mailto:',
+  '^tel:',
+]
+
+# External URLs are not what we're guarding against (forward-reference rule).
+# Skip them to avoid CI failing on rate-limited or transiently-down upstreams.
+exclude_all_private = false
+offline = false
+
+no_progress = true
+verbose = "info"

package/openwebui/Dockerfile

@@ -0,0 +1,52 @@
+# SPDX-License-Identifier: FSL-1.1-Apache-2.0
+# Copyright (c) 2025 Open Computer Use Contributors
+ARG OPENWEBUI_VERSION=0.9.5
+FROM ghcr.io/open-webui/open-webui:${OPENWEBUI_VERSION}
+
+# Copy all patches into the image
+COPY patches/ /tmp/patches/
+
+# Required: Auto-show artifacts panel when HTML code blocks are detected
+RUN python3 /tmp/patches/fix_artifacts_auto_show.py
+
+# Required: Error handling for tool loop — prevents UI hang on MCP/transport errors
+RUN python3 /tmp/patches/fix_tool_loop_errors.py
+
+# Required: Auto-detect file preview URLs in messages and show in artifacts panel
+RUN python3 /tmp/patches/fix_preview_url_detection.py
+
+# Optional: Truncate large MCP tool results to prevent context window exhaustion.
+# Requires fix_tool_loop_errors.py to be applied first.
+# Config: TOOL_RESULT_MAX_CHARS (default 50000), TOOL_RESULT_PREVIEW_CHARS (default 2000)
+RUN python3 /tmp/patches/fix_large_tool_results.py
+
+# Enabled backend patches:
+#
+# fix_large_tool_args: Truncates oversized tool call arguments in HTML attributes
+# to prevent browser UI freeze on large tool outputs (>10KB).
+RUN python3 /tmp/patches/fix_large_tool_args.py
+#
+# fix_attached_files_position: Moves file context to end of messages instead of
+# prepend, improving prompt cache hit rates with large file attachments.
+RUN python3 /tmp/patches/fix_attached_files_position.py
+#
+# fix_skip_embedding_chat_files: Skips expensive text extraction and embedding
+# for large chat file uploads (>1MB), using knowledge base fallback instead.
+RUN python3 /tmp/patches/fix_skip_embedding_chat_files.py
+#
+# fix_skip_rag_files_native_fc: Skips RAG pipeline for chat files when
+# computer_use tool is enabled, avoiding unnecessary processing.
+RUN python3 /tmp/patches/fix_skip_rag_files_native_fc.py
+
+RUN rm -rf /tmp/patches/
+
+# Copy Computer Use tool, function, and init script into the image
+COPY tools/ /app/init/tools/
+COPY functions/ /app/init/functions/
+COPY init.sh /app/init/init.sh
+RUN chmod +x /app/init/init.sh
+
+# Wrap the original entrypoint to run init in the background after startup
+RUN mv /app/backend/start.sh /app/backend/start-original.sh && \
+    printf '#!/bin/bash\n# Run init script in background (waits for Open WebUI to be ready)\n/app/init/init.sh &\n# Start original Open WebUI\nexec /app/backend/start-original.sh\n' > /app/backend/start.sh && \
+    chmod +x /app/backend/start.sh

package/openwebui/README.md

@@ -0,0 +1,38 @@
+# Open WebUI Integration
+
+Everything needed to connect [Open WebUI](https://github.com/open-webui/open-webui) to [Open Computer Use](https://github.com/Wide-Moat/open-computer-use). Works with stock Open WebUI — no fork required.
+
+> Just want to try it? [chat.yambr.com](https://chat.yambr.com) is a ready-to-use Open WebUI with Computer Use already wired in (GitHub/Google sign-in, models included). This directory is for embedding Computer Use into **your own** Open WebUI stack.
+
+## Components
+
+| # | Component | Type | Required | What it does |
+|---|-----------|------|----------|-------------|
+| 1 | [**tools/computer_use_tools.py**](tools/) | Tool | Yes | MCP client proxy — forwards `bash`, `create_file`, `str_replace`, `view`, `sub_agent` calls to the Computer Use Server |
+| 2 | [**functions/computer_link_filter.py**](functions/) | Filter | Yes | Fetches the server-generated system prompt (skills list + file base URL embedded server-side) and the `X-Public-Base-URL` response header; decorates responses with preview/archive links |
+| 3 | [**patches/**](patches/) | Build-time | Recommended | Quality-of-life fixes: auto-open file preview, truncate large tool args, skip unnecessary RAG processing |
+
+**Tool + Filter = minimum working setup.** Patches improve UX but everything works without them.
+
+## Quick Start
+
+**Automatic** (recommended): `docker-compose.webui.yml` builds a patched Open WebUI image and runs `init.sh` on first startup to install the tool + filter, configure valves, mark the **tool public-read** (`group:*` + `user:*` grants) and the **filter both active AND global** (two separate Open WebUI toggles), plus set `DEFAULT_MODEL_PARAMS = {function_calling: "native", stream_response: true}`.
+
+**Manual**: Install tool and filter through Workspace UI, set Tool ID to `ai_computer_use`, toggle **Active** and **Global** on the filter (both switches), set tool access to **Public** (Share → Public). See [setup guide](../README.md#required-setup-when-embedding-open-webui-into-your-own-stack) for the full checklist and common silent-fail traps.
+
+## Patches
+
+Applied at Docker build time. All are idempotent and non-breaking. The 4 patches marked **Active** below are critical for user-visible UX — embedding Open WebUI with an upstream `ghcr.io/open-webui/open-webui` image (no build from this Dockerfile) silently disables them. See [../README.md#required-setup-when-embedding-open-webui-into-your-own-stack](../README.md#required-setup-when-embedding-open-webui-into-your-own-stack) for the full embedding checklist.
+
+| Patch | Default | What it does | Without it |
+|-------|---------|--------------|------------|
+| `fix_artifacts_auto_show` | Active | Auto-opens preview panel for generated files | HTML/iframe renders as raw text in the chat body instead of the artifacts panel |
+| `fix_preview_url_detection` | Active | Detects file URLs in messages and opens iframe preview | Preview iframe is never auto-inserted after file links |
+| `fix_tool_loop_errors` | Active | Better error messages for tool call budget/transport errors | Raw exceptions instead of banners; `MCP call failed: Session terminated` appears unwrapped |
+| `fix_large_tool_results` | Active | Truncates large MCP tool results (>50K chars) and optionally uploads them to the Computer Use server via `ORCHESTRATOR_URL` | `TOOL_RESULT_MAX_CHARS` stops truncating and the large-result upload path is a no-op (large outputs wreck the model context). `ORCHESTRATOR_URL` itself is unaffected — the tool and filter keep using it for MCP/system-prompt traffic. |
+| `fix_large_tool_args` | Optional | Truncates huge tool call args (>10KB) to prevent browser freeze | Browser UI can freeze on "Executing [tool]..." with large str_replace payloads |
+| `fix_attached_files_position` | Optional | Moves file context to end of message (better prompt caching) | Attaching a file invalidates the cached prefix of the message |
+| `fix_skip_embedding_chat_files` | Optional | Skips embedding for large uploads (>1MB) | Large uploads block the chat for minutes on extraction/embedding |
+| `fix_skip_rag_files_native_fc` | Optional | Skips RAG when `ai_computer_use` handles files directly | Extra RAG pipeline runs on every message even when unnecessary |
+
+Built strictly for Open WebUI 0.9.5 (this image's first 3 version segments match its target Open WebUI base).

package/openwebui/functions/README.md

@@ -0,0 +1,48 @@
+# Computer Link Filter
+
+**File**: `computer_link_filter.py` — required companion to `computer_use_tools.py`.
+
+## What It Does
+
+| Phase | Action |
+|-------|--------|
+| **Inlet** (before LLM) | Injects system prompt: file server URL, `<available_skills>` XML (13 skills), output path mapping |
+| **Outlet** (after LLM) | Adds "View file" link + "Download all as archive" button when response contains file URLs |
+
+Without this filter, the model won't know about skills or how to generate file download links.
+
+## Valves
+
+| Valve | Default | Description |
+|-------|---------|-------------|
+| `ORCHESTRATOR_URL` | `http://computer-use-server:8081` | Internal URL of Computer Use server (server→server fetch of `/system-prompt`). Not browser-facing — the public URL is owned by the server. |
+| `PREVIEW_MODE` | `"button"` | Where the preview link appears: `button` (markdown link — the frontend patch promotes it to an inline artifact) \| `off` |
+| `ARCHIVE_BUTTON` | `"on"` | Add "Download archive" button to responses: `on` \| `off` |
+| `INJECT_SYSTEM_PROMPT` | `true` | Inject skills and file URL into system prompt |
+
+See [`docs/openwebui-filter.md`](../../docs/openwebui-filter.md#valves-reference) for the full Valves reference.
+
+## Installation
+
+1. **Workspace > Functions** → Create → paste `computer_link_filter.py`
+2. Enable globally (toggle in Functions list)
+3. Tool `ai_computer_use` must be installed (filter reads its valves for internal URL)
+
+Auto-configured by `docker-compose.webui.yml` via `init.sh`.
+
+## How File Links Work
+
+```
+inlet() → Injects the server-baked /system-prompt text (the server substitutes its
+          own PUBLIC_BASE_URL into the {file_base_url} placeholder before returning it).
+       → AI generates: [file.docx]({PUBLIC_BASE_URL}/files/{chat_id}/file.docx)
+outlet() → Appends preview-button + archive-download markdown links.
+```
+
+The model receives the mapping `/mnt/user-data/outputs/` → `{PUBLIC_BASE_URL}/files/{chat_id}/` and generates correct HTTP links directly. The filter never sees the public URL as a Valve — the server is the single source of truth and delivers it to `outlet()` via the `X-Public-Base-URL` response header on `/system-prompt` (cached alongside the prompt).
+
+## Related
+
+- [tools/README.md](../tools/README.md) — MCP client tool
+- [SKILLS.md](../../docs/SKILLS.md) — all available skills
+- [Main README](../../README.md#open-webui-integration) — full setup guide