codeforge-dev 1.14.2 → 2.0.0

package/.devcontainer/plugins/devs-marketplace/plugins/workspace-scope-guard/README.md

@@ -27,7 +27,7 @@ These paths are always permitted regardless of working directory:
 
 | Path | Reason |
 |------|--------|
-| `/workspaces/.claude/` | Claude config, plans, rules |
+| `~/.claude/` | Claude config, plans, rules |
 | `/tmp/` | System temp directory |
 
 ### CWD Context Injection

package/.devcontainer/plugins/devs-marketplace/plugins/workspace-scope-guard/scripts/guard-workspace-scope.py

@@ -28,8 +28,9 @@ BLACKLISTED_PREFIXES = [
 ]
 
 # Paths always allowed regardless of working directory
+_home = os.environ.get("HOME", "/home/vscode")
 ALLOWED_PREFIXES = [
-    "/workspaces/.claude/",  # Claude config, plans, rules
+    f"{_home}/.claude/",     # Claude config, plans, rules
     "/tmp/",                 # System scratch
 ]
 
@@ -156,7 +157,7 @@ def extract_primary_command(command: str) -> str:
     while i < len(tokens):
         tok = tokens[i]
         # Skip inline variable assignments: VAR=value
-        if "=" in tok and not tok.startswith("-") and tok.split("=")[0].isidentifier():
+        if "=" in tok and not tok.startswith("-") and tok.split("=", 1)[0].isidentifier():
             i += 1
             continue
         # Skip sudo and its flags

package/.devcontainer/scripts/check-setup.sh

@@ -1,4 +1,6 @@
 #!/bin/bash
+# SPDX-License-Identifier: GPL-3.0-only
+# Copyright (c) 2026 Marcus Krueger
 # Verify CodeForge setup is working correctly
 # Run anytime with: check-setup
 
@@ -34,10 +36,10 @@ warn_check() {
 echo ""
 echo "Core:"
 check "Claude Code installed" "command -v claude"
-warn_check "Claude native binary" "[ -x ~/.local/bin/claude ] || [ -x /usr/local/bin/claude ]"
+warn_check "Claude native binary" "[ -x ~/.local/bin/claude ]"
 check "cc alias configured" "grep -q 'alias cc=' ~/.bashrc 2>/dev/null || grep -q 'alias cc=' ~/.zshrc 2>/dev/null"
-check "Config directory exists" "[ -d '${CLAUDE_CONFIG_DIR:-/workspaces/.claude}' ]"
-check "Settings file exists" "[ -f '${CLAUDE_CONFIG_DIR:-/workspaces/.claude}/settings.json' ]"
+check "Config directory exists" "[ -d '${CLAUDE_CONFIG_DIR:-$HOME/.claude}' ]"
+check "Settings file exists" "[ -f '${CLAUDE_CONFIG_DIR:-$HOME/.claude}/settings.json' ]"
 
 echo ""
 echo "Authentication:"

package/.devcontainer/scripts/preflight.sh

@@ -0,0 +1,113 @@
+#!/usr/bin/env bash
+# SPDX-License-Identifier: GPL-3.0-only
+# Copyright (c) 2026 Marcus Krueger
+# Pre-flight check: validates a container runtime is available on the host.
+# Runs via initializeCommand BEFORE any container build/pull/start.
+
+set -euo pipefail
+
+# --- OS detection ---
+
+detect_os() {
+    if [[ -f /proc/version ]] && grep -qi 'microsoft\|wsl' /proc/version 2>/dev/null; then
+        echo "wsl"
+    elif [[ "$(uname -s)" == "Darwin" ]]; then
+        echo "macos"
+    else
+        echo "linux"
+    fi
+}
+
+# --- Timeout wrapper (macOS lacks coreutils timeout) ---
+
+run_with_timeout() {
+    local seconds="$1"
+    shift
+    if command -v timeout &>/dev/null; then
+        timeout "$seconds" "$@" &>/dev/null 2>&1
+    else
+        # Fallback for macOS: background + kill
+        "$@" &>/dev/null 2>&1 &
+        local pid=$!
+        (sleep "$seconds" && kill "$pid" 2>/dev/null) &
+        local watchdog=$!
+        if wait "$pid" 2>/dev/null; then
+            kill "$watchdog" 2>/dev/null
+            wait "$watchdog" 2>/dev/null
+            return 0
+        else
+            kill "$watchdog" 2>/dev/null
+            wait "$watchdog" 2>/dev/null
+            return 1
+        fi
+    fi
+}
+
+# --- Runtime detection ---
+
+check_runtime() {
+    local runtime="$1"
+    if ! command -v "$runtime" &>/dev/null; then
+        return 1
+    fi
+    if run_with_timeout 5 "$runtime" info; then
+        return 0
+    fi
+    return 1
+}
+
+# --- Main ---
+
+for runtime in docker podman; do
+    if check_runtime "$runtime"; then
+        exit 0
+    fi
+done
+
+# No working runtime found — determine why and advise
+
+found_binary=""
+for runtime in docker podman; do
+    if command -v "$runtime" &>/dev/null; then
+        found_binary="$runtime"
+        break
+    fi
+done
+
+HOST_OS="$(detect_os)"
+
+echo ""
+echo "╔══════════════════════════════════════════════════════════════╗"
+echo "║  CodeForge: Container runtime not available                 ║"
+echo "╚══════════════════════════════════════════════════════════════╝"
+echo ""
+
+if [[ -n "$found_binary" ]]; then
+    echo "  Found '$found_binary' but the daemon is not responding."
+    echo ""
+    case "$HOST_OS" in
+        wsl)
+            echo "  Fix: Start Docker Desktop and enable WSL 2 integration:"
+            echo "        Settings → Resources → WSL Integration"
+            ;;
+        macos)
+            echo "  Fix: Start Docker Desktop:"
+            echo "        open -a Docker"
+            ;;
+        linux)
+            echo "  Fix: Start the Docker daemon:"
+            echo "        sudo systemctl start docker"
+            ;;
+    esac
+else
+    echo "  No container runtime (docker or podman) found in PATH."
+    echo ""
+    echo "  Install Docker Desktop:"
+    echo "    https://www.docker.com/products/docker-desktop/"
+    echo ""
+    echo "  Or install Podman:"
+    echo "    https://podman.io/getting-started/installation"
+fi
+
+echo ""
+exit 1

package/.devcontainer/scripts/setup-aliases.sh

@@ -1,4 +1,6 @@
 #!/bin/bash
+# SPDX-License-Identifier: GPL-3.0-only
+# Copyright (c) 2026 Marcus Krueger
 # Setup cc/claude/ccraw aliases for claude with local system prompt support
 #
 # Idempotent: removes the entire managed block then re-writes it fresh.
@@ -74,14 +76,14 @@ export GH_CONFIG_DIR="${GH_CONFIG_DIR:-/workspaces/.gh}"
 export LANG=en_US.UTF-8
 export LC_ALL=en_US.UTF-8
 
-# Prefer native binary over npm-installed version
-if [ -x "\$HOME/.local/bin/claude" ]; then
-    _CLAUDE_BIN="\$HOME/.local/bin/claude"
-elif [ -x /usr/local/bin/claude ]; then
-    _CLAUDE_BIN=/usr/local/bin/claude
-else
-    _CLAUDE_BIN=claude
+# Terminal color defaults — Docker sets TERM=xterm (8 colors); upgrade to 256-color
+if [ "\$TERM" = "xterm" ] || [ -z "\$TERM" ]; then
+    export TERM=xterm-256color
 fi
+export COLORTERM="\${COLORTERM:-truecolor}"
+
+# Native binary (installed by claude-code-native feature)
+_CLAUDE_BIN="\$HOME/.local/bin/claude"
 
 # ChromaTerm wrapper (if ct is installed, wrap claude through it)
 if command -v ct >/dev/null 2>&1; then
@@ -94,13 +96,14 @@ alias cc='CLAUDE_CODE_ADDITIONAL_DIRECTORIES_CLAUDE_MD=1 "\$_CLAUDE_WRAP" "\$_CL
 alias claude='CLAUDE_CODE_ADDITIONAL_DIRECTORIES_CLAUDE_MD=1 "\$_CLAUDE_WRAP" "\$_CLAUDE_BIN" --system-prompt-file "\$CLAUDE_CONFIG_DIR/main-system-prompt.md" --permission-mode plan --allow-dangerously-skip-permissions'
 alias ccraw='command "\$_CLAUDE_BIN"'
 alias ccw='CLAUDE_CODE_ADDITIONAL_DIRECTORIES_CLAUDE_MD=1 "\$_CLAUDE_WRAP" "\$_CLAUDE_BIN" --system-prompt-file "\$CLAUDE_CONFIG_DIR/writing-system-prompt.md" --permission-mode plan --allow-dangerously-skip-permissions'
+alias cc-orc='CLAUDE_CODE_ADDITIONAL_DIRECTORIES_CLAUDE_MD=1 "\$_CLAUDE_WRAP" "\$_CLAUDE_BIN" --system-prompt-file "\$CLAUDE_CONFIG_DIR/orchestrator-system-prompt.md" --permission-mode plan --allow-dangerously-skip-permissions'
 
 cc-tools() {
   echo "CodeForge Available Tools"
   echo "━━━━━━━━━━━━━━━━━━━━━━━━"
   printf "  %-20s %s\n" "COMMAND" "STATUS"
   echo "  ────────────────────────────────────"
-  for cmd in claude cc ccw ccraw ccusage ccburn claude-monitor \\
+  for cmd in claude cc ccw ccraw cc-orc ccusage ccburn claude-monitor \\
              ccms ct cargo ruff biome dprint shfmt shellcheck hadolint \\
              ast-grep tree-sitter pyright typescript-language-server \\
              agent-browser gh docker git jq tmux bun go infocmp; do
@@ -114,6 +117,7 @@ cc-tools() {
 }
 
 alias check-setup='bash ${DEVCONTAINER_SCRIPTS}/check-setup.sh'
+alias codeforge='node \${WORKSPACE_ROOT}/setup.js'
 ${BLOCK_END}
 BLOCK_EOF
 
@@ -126,5 +130,6 @@ echo "  cc          -> claude with \$CLAUDE_CONFIG_DIR/main-system-prompt.md"
 echo "  claude      -> claude with \$CLAUDE_CONFIG_DIR/main-system-prompt.md"
 echo "  ccraw       -> vanilla claude without any config"
 echo "  ccw         -> claude with \$CLAUDE_CONFIG_DIR/writing-system-prompt.md"
+echo "  cc-orc      -> claude with \$CLAUDE_CONFIG_DIR/orchestrator-system-prompt.md (delegation mode)"
 echo "  cc-tools    -> list all available CodeForge tools"
 echo "  check-setup -> verify CodeForge setup health"

package/.devcontainer/scripts/setup-auth.sh

@@ -1,4 +1,6 @@
 #!/bin/bash
+# SPDX-License-Identifier: GPL-3.0-only
+# Copyright (c) 2026 Marcus Krueger
 # Configure Git (GitHub CLI) and NPM authentication from .secrets file or environment variables.
 # Environment variables override .secrets values, supporting Codespaces secrets and localEnv.
 # Auth failure should not block other setup steps, so set -e is intentionally omitted.
@@ -65,6 +67,50 @@ else
     echo "[setup-auth] NPM_TOKEN not set, skipping NPM auth"
 fi
 
+# --- Claude auth token (from 'claude setup-token') ---
+# Long-lived tokens only — generated via: claude setup-token
+# Note: After unset, the token remains visible in /proc/<pid>/environ for the
+# lifetime of this process. This is a platform limitation of environment variables.
+_USERNAME="${SUDO_USER:-${USER:-vscode}}"
+_USER_HOME=$(getent passwd "$_USERNAME" 2>/dev/null | cut -d: -f6)
+_USER_HOME="${_USER_HOME:-/home/$_USERNAME}"
+CLAUDE_CRED_DIR="${CLAUDE_CONFIG_DIR:-${_USER_HOME}/.claude}"
+CLAUDE_CRED_FILE="$CLAUDE_CRED_DIR/.credentials.json"
+if [ -n "$CLAUDE_AUTH_TOKEN" ]; then
+    # Validate token format (claude setup-token produces sk-ant-* tokens)
+    if [[ ! "$CLAUDE_AUTH_TOKEN" =~ ^sk-ant- ]]; then
+        echo "[setup-auth] WARNING: CLAUDE_AUTH_TOKEN doesn't match expected format (sk-ant-*), skipping"
+    elif [ -f "$CLAUDE_CRED_FILE" ]; then
+        echo "[setup-auth] .credentials.json already exists, skipping token injection"
+        # Verify permissions haven't been tampered with
+        perms=$(stat -c %a "$CLAUDE_CRED_FILE" 2>/dev/null)
+        if [ -n "$perms" ] && [ "$perms" != "600" ]; then
+            echo "[setup-auth] WARNING: .credentials.json has permissions $perms (expected 600), fixing"
+            chmod 600 "$CLAUDE_CRED_FILE"
+        fi
+        AUTH_CONFIGURED=true
+    else
+        echo "[setup-auth] Creating .credentials.json from CLAUDE_AUTH_TOKEN..."
+        # Create directory with restrictive permissions (matches credential file at 600)
+        ( umask 077; mkdir -p "$CLAUDE_CRED_DIR" )
+        # Escape JSON-special characters in token value (defense against malformed JSON
+        # if a token ever contains " or \ — unlikely with sk-ant-* but closes the gap)
+        ESCAPED_TOKEN=$(printf '%s' "$CLAUDE_AUTH_TOKEN" | sed 's/\\/\\\\/g; s/"/\\"/g')
+        # Write credentials with restrictive permissions from the start (no race window).
+        # Uses printf '%s' to avoid shell expansion of token value (defense against
+        # metacharacters in the token string — backticks, $(), quotes).
+        if ( umask 077; printf '{\n  "claudeAiOauth": {\n    "accessToken": "%s",\n    "refreshToken": "%s",\n    "expiresAt": 9999999999999,\n    "scopes": ["user:inference", "user:profile"]\n  }\n}\n' "$ESCAPED_TOKEN" "$ESCAPED_TOKEN" > "$CLAUDE_CRED_FILE" ); then
+            echo "[setup-auth] Claude auth token configured"
+            AUTH_CONFIGURED=true
+        else
+            echo "[setup-auth] WARNING: Failed to write .credentials.json — check permissions on $CLAUDE_CRED_DIR"
+        fi
+    fi
+    unset CLAUDE_AUTH_TOKEN
+else
+    echo "[setup-auth] CLAUDE_AUTH_TOKEN not set, skipping Claude auth"
+fi
+
 # --- Summary ---
 if [ "$AUTH_CONFIGURED" = true ]; then
     echo "[setup-auth] Auth configuration complete"

package/.devcontainer/scripts/setup-config.sh

@@ -1,13 +1,23 @@
 #!/bin/bash
+# SPDX-License-Identifier: GPL-3.0-only
+# Copyright (c) 2026 Marcus Krueger
 # Copy configuration files to workspace based on file-manifest.json
 
-CONFIG_DIR="${CONFIG_SOURCE_DIR:?CONFIG_SOURCE_DIR not set}"
-MANIFEST="$CONFIG_DIR/file-manifest.json"
-
 log() { echo "[setup-config] $*"; }
 warn() { echo "[setup-config] WARNING: $*"; }
 err() { echo "[setup-config] ERROR: $*" >&2; }
 
+CODEFORGE_DIR="${CODEFORGE_DIR:-${WORKSPACE_ROOT:?}/.codeforge}"
+CONFIG_DIR="$CODEFORGE_DIR"
+MANIFEST="$CODEFORGE_DIR/file-manifest.json"
+
+# Legacy fallback: if .codeforge/ doesn't exist but old config dir does, warn and use old path
+if [ ! -d "$CODEFORGE_DIR" ] && [ -d "${WORKSPACE_ROOT}/.devcontainer/config/defaults" ]; then
+	warn ".codeforge/ not found — falling back to .devcontainer/config/defaults (deprecated)"
+	CONFIG_DIR="${WORKSPACE_ROOT}/.devcontainer/config"
+	MANIFEST="$CONFIG_DIR/file-manifest.json"
+fi
+
 # Deprecation notice if legacy OVERWRITE_CONFIG is still set
 if [ -n "${OVERWRITE_CONFIG+x}" ]; then
 	warn "OVERWRITE_CONFIG is deprecated. Use per-file 'overwrite' in config/file-manifest.json instead."
@@ -18,7 +28,7 @@ legacy_copy() {
 	local target_dir="${CLAUDE_CONFIG_DIR:?CLAUDE_CONFIG_DIR not set}"
 	warn "file-manifest.json not found, falling back to legacy copy"
 	mkdir -p "$target_dir"
-	for file in defaults/settings.json defaults/keybindings.json defaults/main-system-prompt.md; do
+	for file in config/settings.json config/keybindings.json config/main-system-prompt.md; do
 		if [ -f "$CONFIG_DIR/$file" ]; then
 			local basename="${file##*/}"
 			cp "$CONFIG_DIR/$file" "$target_dir/$basename"
@@ -96,21 +106,30 @@ jq -r '.[] | [.src, .dest, (.destFilename // "__NONE__"), (.enabled // true | to
 		# Apply overwrite strategy
 		case "$overwrite" in
 		always)
-			cp "$src_path" "$dest_path"
-			log "Copied $src → $dest_path (always)"
+			if cp "$src_path" "$dest_path" 2>/dev/null; then
+				log "Copied $src → $dest_path (always)"
+			else
+				warn "Failed to copy $src → $dest_path (permission denied?)"
+			fi
 			;;
 		never)
 			if [ ! -f "$dest_path" ]; then
-				cp "$src_path" "$dest_path"
-				log "Copied $src → $dest_path (new)"
+				if cp "$src_path" "$dest_path" 2>/dev/null; then
+					log "Copied $src → $dest_path (new)"
+				else
+					warn "Failed to copy $src → $dest_path (permission denied?)"
+				fi
 			else
 				log "Skipping $src (exists, overwrite=never)"
 			fi
 			;;
 		if-changed | *)
 			if should_copy "$src_path" "$dest_path"; then
-				cp "$src_path" "$dest_path"
-				log "Copied $src → $dest_path (changed)"
+				if cp "$src_path" "$dest_path" 2>/dev/null; then
+					log "Copied $src → $dest_path (changed)"
+				else
+					warn "Failed to copy $src → $dest_path (permission denied?)"
+				fi
 			else
 				log "Skipping $src (unchanged)"
 			fi

package/.devcontainer/scripts/setup-migrate-claude.sh

@@ -0,0 +1,80 @@
+#!/bin/bash
+# SPDX-License-Identifier: GPL-3.0-only
+# Copyright (c) 2026 Marcus Krueger
+# One-time migration: /workspaces/.claude → $HOME/.claude
+# Migrates config, credentials, and rules from the old bind-mount location
+# to the new home directory (Docker named volume).
+#
+# Uses cp -a (archive) for a faithful copy that preserves permissions,
+# timestamps, symlinks, and directory structure. Migration is one-time
+# (marker-gated), so overwrite is safe — the old directory is authoritative.
+
+OLD_DIR="/workspaces/.claude"
+_USERNAME="${SUDO_USER:-${USER:-vscode}}"
+_USER_HOME=$(getent passwd "$_USERNAME" 2>/dev/null | cut -d: -f6)
+_USER_HOME="${_USER_HOME:-/home/$_USERNAME}"
+NEW_DIR="${CLAUDE_CONFIG_DIR:-${_USER_HOME}/.claude}"
+MARKER="$NEW_DIR/.migrated-from-workspaces"
+CODEFORGE_MARKER="${CODEFORGE_DIR:-${WORKSPACE_ROOT:-/workspaces}/.codeforge}/.markers/v2-migrated"
+
+# Nothing to migrate if old directory doesn't exist
+if [ ! -d "$OLD_DIR" ]; then
+    exit 0
+fi
+
+# Skip if old directory is empty (nothing worth migrating)
+if [ -z "$(ls -A "$OLD_DIR" 2>/dev/null)" ]; then
+    exit 0
+fi
+
+# Idempotency: skip if migration already completed (check both old and new markers)
+if [ -f "$MARKER" ] || [ -f "$CODEFORGE_MARKER" ]; then
+    exit 0
+fi
+
+# Symlink protection: verify OLD_DIR itself is a real directory, not a symlink
+if [ -L "$OLD_DIR" ]; then
+    echo "[setup-migrate] WARNING: /workspaces/.claude is a symlink, skipping migration for safety"
+    exit 0
+fi
+
+echo "[setup-migrate] Migrating /workspaces/.claude → $NEW_DIR ..."
+mkdir -p "$NEW_DIR"
+
+# -a: archive mode (-dR --preserve=all) — preserves permissions, timestamps,
+#     symlinks, ownership, and directory structure faithfully.
+# Errors logged explicitly (no 2>/dev/null) so failures are visible.
+if cp -a "$OLD_DIR/." "$NEW_DIR/"; then
+    # Fix ownership — source files may be owned by a different uid from a
+    # previous container lifecycle. chown everything to the current user.
+    chown -R "$(id -un):$(id -gn)" "$NEW_DIR/" 2>/dev/null || true
+
+    # Verify critical files arrived
+    MISSING=""
+    [ ! -f "$NEW_DIR/.claude.json" ] && [ -f "$OLD_DIR/.claude.json" ] && MISSING="$MISSING .claude.json"
+    [ ! -d "$NEW_DIR/plugins" ] && [ -d "$OLD_DIR/plugins" ] && MISSING="$MISSING plugins/"
+    [ ! -f "$NEW_DIR/.credentials.json" ] && [ -f "$OLD_DIR/.credentials.json" ] && MISSING="$MISSING .credentials.json"
+    if [ -n "$MISSING" ]; then
+        echo "[setup-migrate] WARNING: Migration incomplete — missing:$MISSING"
+        echo "[setup-migrate] Old directory preserved at $OLD_DIR for manual recovery"
+        exit 1
+    fi
+
+    # Mark migration complete (write to both old and new marker locations)
+    date -Iseconds > "$MARKER"
+    _codeforge_markers_dir="$(dirname "$CODEFORGE_MARKER")"
+    if [ -d "$_codeforge_markers_dir" ] || mkdir -p "$_codeforge_markers_dir" 2>/dev/null; then
+        date -Iseconds > "$CODEFORGE_MARKER"
+    fi
+
+    # Rename old directory to .bak
+    if mv "$OLD_DIR" "${OLD_DIR}.bak" 2>/dev/null; then
+        echo "[setup-migrate] Migration complete. Old directory moved to ${OLD_DIR}.bak"
+    else
+        echo "[setup-migrate] Migration complete. Could not rename old directory — remove /workspaces/.claude/ manually"
+    fi
+else
+    echo "[setup-migrate] ERROR: cp failed — check output above for details"
+    echo "[setup-migrate] Old directory preserved at $OLD_DIR"
+    exit 1
+fi

package/.devcontainer/scripts/setup-migrate-codeforge.sh

@@ -0,0 +1,60 @@
+#!/bin/bash
+# SPDX-License-Identifier: GPL-3.0-only
+# Copyright (c) 2026 Marcus Krueger
+# One-time migration: .devcontainer/config/ → .codeforge/
+# Migrates config files, manifest, and terminal scripts from the legacy
+# .devcontainer/config/ layout to the new .codeforge/ directory structure.
+
+WORKSPACE_ROOT="${WORKSPACE_ROOT:?WORKSPACE_ROOT not set}"
+CODEFORGE_DIR="${CODEFORGE_DIR:-${WORKSPACE_ROOT}/.codeforge}"
+OLD_CONFIG_DIR="${WORKSPACE_ROOT}/.devcontainer/config"
+OLD_DEFAULTS_DIR="${OLD_CONFIG_DIR}/defaults"
+MARKER="$CODEFORGE_DIR/.markers/v2-migrated"
+
+log() { echo "[setup-migrate-codeforge] $*"; }
+warn() { echo "[setup-migrate-codeforge] WARNING: $*"; }
+
+# Already migrated — skip
+if [ -d "$CODEFORGE_DIR" ]; then
+	log ".codeforge/ already exists — skipping migration"
+	exit 0
+fi
+
+# Nothing to migrate if old defaults dir doesn't exist
+if [ ! -d "$OLD_DEFAULTS_DIR" ]; then
+	log "No legacy .devcontainer/config/defaults/ found — skipping migration"
+	exit 0
+fi
+
+log "Migrating .devcontainer/config/ → .codeforge/ ..."
+
+# Create directory structure
+mkdir -p "$CODEFORGE_DIR/config/rules" \
+	"$CODEFORGE_DIR/scripts" \
+	"$CODEFORGE_DIR/.markers" \
+	"$CODEFORGE_DIR/.checksums"
+
+# Copy config files from .devcontainer/config/defaults/ → .codeforge/config/
+if [ -d "$OLD_DEFAULTS_DIR" ]; then
+	cp -a "$OLD_DEFAULTS_DIR/." "$CODEFORGE_DIR/config/"
+	log "Copied config files from defaults/ → .codeforge/config/"
+fi
+
+# Copy file-manifest.json, rewriting src paths from defaults/ to config/
+if [ -f "$OLD_CONFIG_DIR/file-manifest.json" ]; then
+	sed 's|"defaults/|"config/|g' "$OLD_CONFIG_DIR/file-manifest.json" > "$CODEFORGE_DIR/file-manifest.json"
+	log "Copied file-manifest.json (rewrote defaults/ → config/)"
+fi
+
+# Copy terminal scripts from .devcontainer/ → .codeforge/scripts/
+for script in connect-external-terminal.sh connect-external-terminal.ps1; do
+	if [ -f "${WORKSPACE_ROOT}/.devcontainer/${script}" ]; then
+		cp "${WORKSPACE_ROOT}/.devcontainer/${script}" "$CODEFORGE_DIR/scripts/${script}"
+		log "Copied ${script} → .codeforge/scripts/"
+	fi
+done
+
+# Write migration marker
+date -Iseconds > "$MARKER"
+
+log "Migration complete — .codeforge/ is ready"

package/.devcontainer/scripts/setup-plugins.sh

@@ -1,4 +1,6 @@
 #!/bin/bash
+# SPDX-License-Identifier: GPL-3.0-only
+# Copyright (c) 2026 Marcus Krueger
 # Install plugins: official Anthropic + local devs-marketplace registration
 #
 # Individual marketplace plugins are enabled via enabledPlugins in settings.json.
@@ -57,7 +59,7 @@ if [ -d "$MARKETPLACE_PATH/plugins" ]; then
         plugin_name=$(basename "$plugin_dir")
 
         # Skip blacklisted plugins
-        if echo ",$PLUGIN_BLACKLIST," | grep -q ",$plugin_name,"; then
+        if echo ",${PLUGIN_BLACKLIST}," | grep -q ",$plugin_name,"; then
             echo "[setup-plugins] Skipping $plugin_name (blacklisted)"
             continue
         fi

package/.devcontainer/scripts/setup-projects.sh

@@ -1,4 +1,6 @@
 #!/bin/bash
+# SPDX-License-Identifier: GPL-3.0-only
+# Copyright (c) 2026 Marcus Krueger
 # Auto-detect projects under /workspaces/ and register them in Project Manager's projects.json.
 # Runs an initial scan synchronously, then starts an inotifywait background watcher
 # that updates the project list instantly when directories are created or removed.
@@ -176,7 +178,7 @@ start_watcher() {
 	fi
 
 	# Check if inotifywait is available (installed by tmux feature at build time)
-	if ! command -v inotifywait &>/dev/null; then
+	if ! command -v inotifywait >/dev/null 2>&1; then
 		echo "$LOG_PREFIX WARNING: inotify-tools not installed, watcher disabled"
 		return 1
 	fi

package/.devcontainer/scripts/setup-terminal.sh

@@ -1,4 +1,6 @@
 #!/bin/bash
+# SPDX-License-Identifier: GPL-3.0-only
+# Copyright (c) 2026 Marcus Krueger
 # Configure VS Code Shift+Enter → newline for Claude Code terminal input
 # Writes to ~/.config/Code/User/keybindings.json (same path /terminal-setup uses)
 
@@ -19,7 +21,7 @@ fi
 # === Merge or create keybindings ===
 BINDING='{"key":"shift+enter","command":"workbench.action.terminal.sendSequence","args":{"text":"\\u001b\\r"},"when":"terminalFocus"}'
 
-if [ -f "$KEYBINDINGS_FILE" ] && command -v jq &>/dev/null; then
+if [ -f "$KEYBINDINGS_FILE" ] && command -v jq >/dev/null 2>&1; then
 	# Merge into existing keybindings
 	if jq empty "$KEYBINDINGS_FILE" 2>/dev/null; then
 		jq ". + [$BINDING]" "$KEYBINDINGS_FILE" >"$KEYBINDINGS_FILE.tmp" &&

package/.devcontainer/scripts/setup-update-claude.sh

@@ -1,4 +1,6 @@
 #!/bin/bash
+# SPDX-License-Identifier: GPL-3.0-only
+# Copyright (c) 2026 Marcus Krueger
 # Update Claude Code CLI to the latest version (native binary only)
 # Runs non-blocking in background by default via setup.sh
 # All failures are warnings — this script never blocks container startup
@@ -25,46 +27,39 @@ fi
 
 # === CLEANUP TRAP ===
 cleanup() {
-	rm -f "${_TMPDIR}/claude-update" 2>/dev/null || true
-	rm -f "${_TMPDIR}/claude-update-manifest.json" 2>/dev/null || true
 	rm -rf "$LOCK_FILE" 2>/dev/null || true
 }
 trap cleanup EXIT
 
-# === VERIFY CLAUDE IS INSTALLED ===
-if ! command -v claude &>/dev/null; then
-	log "Claude Code not found, skipping update"
-	exit 0
-fi
+# === NATIVE BINARY ===
+NATIVE_BIN="$HOME/.local/bin/claude"
 
-# === ENSURE NATIVE BINARY EXISTS ===
-# 'claude install' puts the binary at ~/.local/bin/claude (symlink to ~/.local/share/claude/versions/*)
-# Legacy manual installs used /usr/local/bin/claude — check both, prefer ~/.local
-if [ -x "$HOME/.local/bin/claude" ]; then
-	NATIVE_BIN="$HOME/.local/bin/claude"
-elif [ -x "/usr/local/bin/claude" ]; then
-	NATIVE_BIN="/usr/local/bin/claude"
-else
-	NATIVE_BIN=""
+if [ ! -x "$NATIVE_BIN" ]; then
+	log "ERROR: Native binary not found at ${NATIVE_BIN}"
+	log "  The claude-code-native feature should install this during container build."
+	log "  Try rebuilding the container or running: curl -fsSL https://claude.ai/install.sh | sh"
+	exit 1
 fi
-if [ -z "$NATIVE_BIN" ]; then
-	log "Native binary not found, installing..."
-	if claude install 2>&1 | tee -a "$LOG_FILE"; then
-		log "Native binary installed successfully"
+
+# === TRANSITIONAL: Remove leftover npm installation ===
+NPM_CLAUDE="$(npm config get prefix 2>/dev/null)/lib/node_modules/@anthropic-ai/claude-code"
+if [ -d "$NPM_CLAUDE" ]; then
+	log "Removing leftover npm installation at ${NPM_CLAUDE}..."
+	if sudo npm uninstall -g @anthropic-ai/claude-code 2>/dev/null; then
+		log "Removed leftover npm installation"
 	else
-		log "WARNING: 'claude install' failed, skipping"
-		exit 0
+		log "WARNING: Could not remove npm installation (non-blocking)"
 	fi
-	# Skip update check on first install — next start will handle it
-	exit 0
 fi
 
 # === CHECK FOR UPDATES ===
 CURRENT_VERSION=$("$NATIVE_BIN" --version 2>/dev/null | grep -oE '[0-9]+\.[0-9]+\.[0-9]+' | head -1 || echo "unknown")
 log "Current version: ${CURRENT_VERSION}"
 
-# Use the official update command (handles download, verification, and versioned install)
-if "$NATIVE_BIN" update 2>&1 | tee -a "$LOG_FILE"; then
+# Use the official update command with timeout (handles download, verification, and versioned install)
+timeout 60 "$NATIVE_BIN" update 2>&1 | tee -a "$LOG_FILE"
+UPDATE_STATUS=${PIPESTATUS[0]}
+if [ "$UPDATE_STATUS" -eq 0 ]; then
 	UPDATED_VERSION=$("$NATIVE_BIN" --version 2>/dev/null | grep -oE '[0-9]+\.[0-9]+\.[0-9]+' | head -1 || echo "unknown")
 	if [ "$CURRENT_VERSION" != "$UPDATED_VERSION" ]; then
 		log "Updated Claude Code: ${CURRENT_VERSION} → ${UPDATED_VERSION}"
@@ -72,5 +67,5 @@ if "$NATIVE_BIN" update 2>&1 | tee -a "$LOG_FILE"; then
 		log "Already up to date (${CURRENT_VERSION})"
 	fi
 else
-	log "WARNING: 'claude update' failed, skipping"
+	log "WARNING: 'claude update' failed or timed out (exit ${UPDATE_STATUS})"
 fi