tinker-agent 1.0.60 → 1.0.61

package/bin/install-agent.sh

@@ -85,9 +85,16 @@ chmod +x /etc/profile.d/claude.sh
 echo "Installing Github CLI"
 # Install GitHub CLI
 curl -fsSL https://cli.github.com/packages/githubcli-archive-keyring.gpg | dd of=/usr/share/keyrings/githubcli-archive-keyring.gpg
+chmod go+r /usr/share/keyrings/githubcli-archive-keyring.gpg
 echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/githubcli-archive-keyring.gpg] https://cli.github.com/packages stable main" | tee /etc/apt/sources.list.d/github-cli.list
 apt-get update && apt-get install gh -y
 
+# Download setup-agent.rb script
+TINKER_VERSION=${TINKER_VERSION:-main}
+echo "Downloading setup-agent.rb (version: ${TINKER_VERSION})..."
+curl -fsSL https://objectstore.fra1.civo.com/tinker/${TINKER_VERSION}/setup-agent.rb -o /usr/local/bin/setup-agent.rb
+chmod +x /usr/local/bin/setup-agent.rb
+
 # Create entrypoint
 cat << EOF > /entrypoint.sh
 #!/bin/bash

package/lib/tinker_agent/agent.rb

@@ -240,7 +240,6 @@ module TinkerAgent
       possible_paths = [
         File.join(Dir.pwd, "overrides", "agent-bridge-linux-#{linux_arch}"),              # TINKER_SANDBOX/overrides
         File.join(Dir.pwd, "tinker-public", "dist", "agent-bridge-linux-#{linux_arch}"),  # Running from metafolder
-        File.join(Dir.pwd, "..", "tinker-public", "dist", "agent-bridge-linux-#{linux_arch}"), # Running from TINKER_SANDBOX
         File.join(Dir.pwd, "dist", "agent-bridge-linux-#{linux_arch}"),                    # Running from tinker-public
       ]
 

package/package.json

@@ -1,12 +1,11 @@
 {
   "name": "tinker-agent",
-  "version": "1.0.60",
+  "version": "1.0.61",
   "description": "Tinker Agent Runner",
   "bin": "./bin/run-tinker-agent.rb",
   "files": [
     "bin/run-tinker-agent.rb",
     "agents.rb",
-    "setup-agent.rb",
     "lib/",
     "bin/agent-bridge-tmux",
     "bin/install-agent.sh"

package/setup-agent.rb

@@ -1,961 +0,0 @@
-#!/usr/bin/env ruby
-# frozen_string_literal: true
-
-# Tinker Agent - Run inside any Docker container with Ruby
-#
-# This script sets up and runs a Tinker agent. It:
-# 1. Generates MCP config from environment variables
-# 2. Verifies system prompt (agent banner) exists at /etc/tinker/system-prompt.txt
-# 3. Downloads and runs agent-bridge
-#
-# Requirements (install in your container):
-#   - Ruby 3.x
-#   - Node.js 20+
-#   - tmux
-#   - git, curl, gh (GitHub CLI)
-#   - claude CLI: npm install -g @anthropic-ai/claude-code
-#
-# Environment variables:
-#   AGENT_TYPE        - worker|planner|reviewer|researcher
-#   PROJECT_ID        - Your Tinker project ID
-#   RAILS_WS_URL      - WebSocket URL (wss://tinker.example.com/cable)
-#   RAILS_API_URL     - API URL (https://tinker.example.com/api/v1)
-#   RAILS_API_KEY     - MCP API key for this agent type
-#   GH_TOKEN          - GitHub token (or use GitHub App auth)
-#
-# Usage:
-#   curl -fsSL https://raw.githubusercontent.com/RoM4iK/tinker-public/main/tinker-agent.rb | ruby
-
-require "json"
-require "fileutils"
-require "open-uri"
-require "openssl"
-require "net/http"
-require "uri"
-require "base64"
-require "time"
-
-TINKER_VERSION = ENV["TINKER_VERSION"] || "main"
-TINKER_RAW_URL = "https://raw.githubusercontent.com/RoM4iK/tinker-public/#{TINKER_VERSION}"
-
-# Valid agent types
-VALID_AGENT_TYPES = %w[planner worker reviewer researcher]
-
-def check_env!
-  required = %w[RAILS_WS_URL]
-  missing = required.select { |var| ENV[var].to_s.empty? }
-
-  unless missing.empty?
-    puts "❌ Missing environment variables: #{missing.join(', ')}"
-    puts ""
-    puts "Required:"
-    puts "  RAILS_WS_URL   - WebSocket URL (wss://tinker.example.com/cable)"
-    puts ""
-    puts "Optional:"
-    puts "  RAILS_API_URL  - API URL for MCP tools"
-    puts "  RAILS_API_KEY  - MCP API key"
-    puts "  GH_TOKEN       - GitHub token"
-    exit 1
-  end
-
-  agent_type = ENV["AGENT_TYPE"]
-  if agent_type && !VALID_AGENT_TYPES.include?(agent_type)
-    puts "❌ Invalid AGENT_TYPE: #{agent_type}"
-    puts "   Valid types: #{VALID_AGENT_TYPES.join(', ')}"
-    exit 1
-  end
-end
-
-def fetch_agent_id!
-  rails_api_url = ENV["RAILS_API_URL"]
-  rails_api_key = ENV["RAILS_API_KEY"]
-  
-  unless rails_api_url && !rails_api_url.empty? && rails_api_key && !rails_api_key.empty?
-    puts "❌ RAILS_API_URL or RAILS_API_KEY not set"
-    puts "   Agent ID is required for the bridge to connect"
-    exit 1
-  end
-
-  # Fetch agent ID from Rails API using api_key
-  uri = URI("#{rails_api_url}/whoami")
-  http = Net::HTTP.new(uri.host, uri.port)
-  http.use_ssl = uri.scheme == "https"
-  
-  request = Net::HTTP::Get.new(uri)
-  request["X-API-Key"] = rails_api_key
-  request["Accept"] = "application/json"
-  
-  begin
-    puts "🔍 Fetching agent ID from #{rails_api_url}/whoami..."
-    response = http.request(request)
-    
-    if response.is_a?(Net::HTTPSuccess)
-      data = JSON.parse(response.body)
-      agent_id = data["agent_id"] || data["id"]
-      
-      if agent_id && !agent_id.to_s.empty?
-        ENV["AGENT_ID"] = agent_id.to_s
-        puts "✅ Agent ID fetched: #{agent_id}"
-      else
-        puts "❌ Could not find agent_id in API response"
-        puts "   Response: #{response.body}"
-        exit 1
-      end
-    else
-      puts "❌ Failed to fetch agent ID: #{response.code} #{response.message}"
-      puts "   Response: #{response.body}"
-      exit 1
-    end
-  rescue => e
-    puts "❌ Error fetching agent ID: #{e.message}"
-    puts "   #{e.class}: #{e.backtrace.first}"
-    exit 1
-  end
-end
-
-def setup_mcp_config!
-  # MCP config is project-specific and should be provided by the Dockerfile
-  # or mounted at runtime. This script only checks if it exists.
-  
-  agent_type = ENV["AGENT_TYPE"]
-  rails_api_url = ENV["RAILS_API_URL"]
-  rails_api_key = ENV["RAILS_API_KEY"]
-  
-  # Load existing config if present
-  existing_config = {}
-  if File.exist?(".mcp.json")
-    begin
-      existing_config = JSON.parse(File.read(".mcp.json"))
-      puts "✅ Found existing .mcp.json, merging configuration..."
-    rescue JSON::ParserError
-      puts "⚠️  Existing .mcp.json is invalid, starting fresh"
-    end
-  end
-  
-  # Ensure mcpServers key exists
-  existing_config["mcpServers"] ||= {}
-
-  if rails_api_url && !rails_api_url.empty? && rails_api_key && !rails_api_key.empty?
-    # Install tinker-mcp locally to ensure we can run it with node (bypassing shebang issues)
-    tools_dir = File.expand_path("~/tinker-tools")
-    FileUtils.mkdir_p(tools_dir)
-    
-    puts "📦 Installing tinker-mcp..."
-    # Redirect output to avoid cluttering logs, unless it fails
-    unless system("npm install --prefix #{tools_dir} tinker-mcp > /dev/null 2>&1")
-      puts "❌ Failed to install tinker-mcp"
-    end
-    
-    script_path = "#{tools_dir}/node_modules/tinker-mcp/dist/index.js"
-
-    tinker_server_config = {
-      "command" => "node",
-      "args" => [script_path],
-      "env" => {
-        "RAILS_API_URL" => rails_api_url,
-        "RAILS_API_KEY" => rails_api_key
-      }
-    }
-    
-    # Add/Update tinker server config
-    existing_config["mcpServers"]["tinker-#{agent_type}"] = tinker_server_config
-    
-    File.write(".mcp.json", JSON.pretty_generate(existing_config))
-    puts "📝 Updated .mcp.json with tinker-#{agent_type} server (using tinker-mcp)"
-  else
-    # Only write if we don't have existing config
-    if existing_config["mcpServers"].empty?
-      File.write(".mcp.json", JSON.generate({ "mcpServers" => {} }))
-      puts "ℹ️  No MCP API credentials - MCP tools disabled"
-    else
-      puts "ℹ️  No MCP API credentials - keeping existing config"
-    end
-  end
-end
-
-def setup_claude_config!
-  home_claude_json = File.expand_path("~/.claude.json")
-
-  # First, try to copy from mounted config (from host)
-  mounted_paths = ["/tmp/cfg/claude.json"]
-  mounted_paths.each do |path|
-    if File.exist?(path) && !File.exist?(home_claude_json)
-      FileUtils.cp(path, home_claude_json)
-      puts "📋 Copied claude.json from #{path}"
-      break
-    end
-  end
-
-  if File.exist?(home_claude_json)
-    puts "🔧 Configuring claude.json..."
-    begin
-      claude_config = JSON.parse(File.read(home_claude_json))
-
-      # Add bypass permission at top level
-      claude_config["bypassPermissionsModeAccepted"] = true
-
-      File.write(home_claude_json, JSON.pretty_generate(claude_config))
-      puts "✅ claude.json configured with bypass permissions"
-    rescue JSON::ParserError
-      puts "⚠️  claude.json is invalid, skipping configuration"
-    end
-  else
-    puts "⚠️  claude.json not found at #{home_claude_json}"
-  end
-end
-
-def setup_claude_settings!
-  settings_dir = File.expand_path("~/.claude")
-  FileUtils.mkdir_p(settings_dir)
-  home_settings_json = File.join(settings_dir, "settings.json")
-
-  puts "🔧 Configuring ~/.claude/settings.json..."
-
-  settings_config = {}
-
-  # First, try to load user's existing settings from mounted config
-  # We merge both files: settings.json AND claude.json (for theme/appearance settings)
-  mounted_settings_paths = [
-    "/tmp/cfg/settings.json",
-    "/tmp/cfg/claude.json"
-  ]
-
-  mounted_settings = {}
-  mounted_settings_paths.each do |path|
-    if File.exist?(path)
-      begin
-        file_settings = JSON.parse(File.read(path))
-        # Merge settings - later files override earlier ones for conflicting keys
-        mounted_settings = mounted_settings.merge(file_settings)
-        puts "   (loaded from #{path})"
-      rescue JSON::ParserError => e
-        puts "   ⚠️  Failed to parse #{path}: #{e.message}"
-      end
-    end
-  end
-
-  if mounted_settings.any?
-    settings_config = mounted_settings
-  elsif File.exist?(home_settings_json)
-    begin
-      settings_config = JSON.parse(File.read(home_settings_json))
-    rescue JSON::ParserError
-      puts "⚠️  ~/.claude/settings.json is invalid, starting fresh"
-    end
-  end
-  
-  # Configure hooks
-  settings_config["hooks"] ||= {}
-  
-  
-  # Configure SessionStart hook for skill knowledge injection
-  settings_config["hooks"]["SessionStart"] ||= []
-  # Remove old hook if present
-  settings_config["hooks"]["SessionStart"].reject! do |h| 
-    h["hooks"]&.first&.dig("command")&.include?("inject-skill-knowledge.rb")
-  end
-
-  # Install hook script to ~/.claude/hooks
-  hooks_dir = File.join(settings_dir, "hooks")
-  FileUtils.mkdir_p(hooks_dir)
-  
-  session_script_name = "inject-skill-knowledge.rb"
-  dest_path = File.join(hooks_dir, session_script_name)
-  
-  # Try local copy first (dev mode), otherwise download
-  local_hook_paths = [
-    File.join(Dir.pwd, "tinker-public", "hooks", session_script_name),
-    File.join(Dir.pwd, "hooks", session_script_name)
-  ]
-  
-  local_hook_content = nil
-  local_hook_paths.each do |path|
-    if File.exist?(path)
-      local_hook_content = File.read(path)
-      puts "   (using local hook: #{path})"
-      break
-    end
-  end
-  
-  if local_hook_content
-    File.write(dest_path, local_hook_content)
-    File.chmod(0755, dest_path)
-    puts "✅ Installed SessionStart hook (from local) to #{dest_path}"
-  else
-    puts "📥 Downloading SessionStart hook..."
-    hook_url = "#{TINKER_RAW_URL}/hooks/#{session_script_name}"
-    begin
-      hook_content = URI.open(hook_url).read
-      File.write(dest_path, hook_content)
-      File.chmod(0755, dest_path)
-      puts "✅ Installed SessionStart hook (from remote) to #{dest_path}"
-    rescue OpenURI::HTTPError => e
-      puts "⚠️  Failed to download hook: #{e.message}"
-    end
-  end
-  
-  session_hook_to_add = {
-    "hooks" => [{ "type" => "command", "command" => "ruby \"#{dest_path}\"" }]
-  }
-
-  settings_config["hooks"]["SessionStart"] << session_hook_to_add
-
-  # Install sessionstart-input.sh for repository context injection
-  # This provides repository information to Claude at session start
-  input_script_name = "sessionstart-input.sh"
-  input_dest_path = File.join(hooks_dir, input_script_name)
-
-  local_input_paths = [
-    File.join(Dir.pwd, "tinker-public", "hooks", input_script_name),
-    File.join(Dir.pwd, "hooks", input_script_name)
-  ]
-
-  local_input_content = nil
-  local_input_paths.each do |path|
-    if File.exist?(path)
-      local_input_content = File.read(path)
-      puts "   (using local input hook: #{path})"
-      break
-    end
-  end
-
-  if local_input_content
-    File.write(input_dest_path, local_input_content)
-    File.chmod(0755, input_dest_path)
-    puts "✅ Installed SessionStart input hook (from local) to #{input_dest_path}"
-  else
-    puts "📥 Downloading SessionStart input hook..."
-    input_hook_url = "#{TINKER_RAW_URL}/hooks/#{input_script_name}"
-    begin
-      input_hook_content = URI.open(input_hook_url).read
-      File.write(input_dest_path, input_hook_content)
-      File.chmod(0755, input_dest_path)
-      puts "✅ Installed SessionStart input hook (from remote) to #{input_dest_path}"
-    rescue OpenURI::HTTPError => e
-      puts "⚠️  Failed to download input hook: #{e.message}"
-    end
-  end
-
-  File.write(home_settings_json, JSON.pretty_generate(settings_config))
-  puts "✅ ~/.claude/settings.json configured with skill hooks"
-end
-
-def setup_system_prompt!
-  if File.exist?("/etc/tinker/system-prompt.txt")
-    puts "✅ System prompt available at /etc/tinker/system-prompt.txt"
-  else
-    puts "❌ /etc/tinker/system-prompt.txt not found!"
-    exit 1
-  end
-
-  # Add repository context to CLAUDE.md for easy reference
-  claude_md = File.expand_path("~/CLAUDE.md")
-  if ENV["REPOSITORIES_CONTEXT"]
-    repo_info = ENV["REPOSITORIES_CONTEXT"].split(',').map do |repo|
-      name, path = repo.split(':')
-      "  - **#{name}**: #{path}"
-    end.join("\n")
-
-    repo_context_md = <<~MARKDOWN
-      ## Repository Structure
-
-      This project has #{ENV["REPOSITORIES_CONTEXT"].split(',').count} repositories:
-
-      #{repo_info}
-
-      ### Repository Switching
-
-      Use `switch-to-repo.sh <name>` to change working directories:
-
-      ```bash
-      switch-to-repo.sh tinker
-      switch-to-repo.sh tinker-public
-      ```
-    MARKDOWN
-
-    # Append to existing CLAUDE.md or create new one
-    existing_content = File.exist?(claude_md) ? File.read(claude_md) : ""
-    File.write(claude_md, existing_content + "\n" + repo_context_md)
-    puts "📝 Repository context added to ~/CLAUDE.md"
-  end
-end
-
-
-def setup_skills!
-  skills = ENV["SKILLS"].to_s.split(",")
-  return if skills.empty?
-
-  skills_dir = File.expand_path("~/.claude/skills")
-  puts "🧠 Installing #{skills.size} skills to #{skills_dir}..."
-  FileUtils.mkdir_p(skills_dir)
-  
-  skills.each do |skill|
-    puts "   - #{skill}"
-    
-    # Try local copy first (dev mode, or if copied into image)
-    # Check both PWD/tinker-public/skills or PWD/skills (depending on how image was built)
-    local_paths = [
-      File.join(Dir.pwd, "tinker-public", "skills", skill, "SKILL.md")
-    ]
-    
-    skill_content = nil
-    
-    local_paths.each do |path|
-      if File.exist?(path)
-        skill_content = File.read(path)
-        puts "     (from local: #{path})"
-        break
-      end
-    end
-    
-    url = "#{TINKER_RAW_URL}/skills/#{skill}/SKILL.md"
-
-    begin
-      unless skill_content
-        skill_content = URI.open(url).read
-      end
-      
-      # Write to .claude/skills/[skill]/SKILL.md with proper structure
-      skill_dir = File.join(skills_dir, skill)
-      FileUtils.mkdir_p(skill_dir)
-      File.write(File.join(skill_dir, "SKILL.md"), skill_content)
-    rescue OpenURI::HTTPError, Errno::ENOENT => e
-      puts "⚠️  Failed to download skill #{skill}: #{e.message}"
-    end
-  end
-  
-  puts "✅ Skills installed"
-end
-
-def setup_github_auth!
-  app_id = ENV["GITHUB_APP_ID"] || ENV["GITHUB_APP_CLIENT_ID"]
-  
-  # Check for private key in typical locations
-  # 1. In the home directory (copied by entrypoint)
-  # 2. In /tmp (mounted by docker)
-  private_key_path = [
-    File.expand_path("~/.github-app-privkey.pem"),
-    "/tmp/github-app-privkey.pem"
-  ].find { |path| File.exist?(path) }
-
-  if app_id && ENV["GITHUB_APP_INSTALLATION_ID"] && private_key_path
-    puts "🔐 Configuring GitHub App authentication..."
-
-    # Create helper script
-    helper_content = <<~RUBY
-      #!/usr/bin/env ruby
-      require 'openssl'
-      require 'json'
-      require 'net/http'
-      require 'uri'
-      require 'base64'
-      require 'time'
-
-      PRIVATE_KEY_PATH = "#{private_key_path}"
-
-      def generate_jwt(app_id)
-        private_key = OpenSSL::PKey::RSA.new(File.read(PRIVATE_KEY_PATH))
-        payload = {
-          iat: Time.now.to_i - 60,
-          exp: Time.now.to_i + 480, # 8 minutes to handle clock skew
-          iss: app_id
-        }
-        header = { alg: 'RS256', typ: 'JWT' }
-        segments = [
-          Base64.urlsafe_encode64(header.to_json, padding: false),
-          Base64.urlsafe_encode64(payload.to_json, padding: false)
-        ]
-        signing_input = segments.join('.')
-        signature = private_key.sign(OpenSSL::Digest::SHA256.new, signing_input)
-        segments << Base64.urlsafe_encode64(signature, padding: false)
-        segments.join('.')
-      end
-
-      def get_installation_token(jwt, installation_id)
-        uri = URI("https://api.github.com/app/installations/\#{installation_id}/access_tokens")
-        http = Net::HTTP.new(uri.host, uri.port)
-        http.use_ssl = true
-        request = Net::HTTP::Post.new(uri)
-        request['Authorization'] = "Bearer \#{jwt}"
-        request['Accept'] = 'application/vnd.github+json'
-        
-        response = http.request(request)
-        data = JSON.parse(response.body)
-        
-        unless response.is_a?(Net::HTTPSuccess)
-          STDERR.puts "❌ Error getting installation token: \#{response.code} \#{response.message}"
-          STDERR.puts "   Response: \#{response.body}"
-          exit 1
-        end
-
-        { token: data['token'], expires_at: Time.parse(data['expires_at']) }
-      end
-
-      def find_or_create_cached_token(app_id, installation_id)
-        cache_file = '/tmp/github-app-token-cache'
-        cached_token = read_cached_token(cache_file)
-        return cached_token if cached_token
-
-        jwt = generate_jwt(app_id)
-        token_data = get_installation_token(jwt, installation_id)
-        File.write(cache_file, token_data.to_json)
-        token_data[:token]
-      end
-
-      def read_cached_token(cache_file)
-        return nil unless File.exist?(cache_file)
-        cache = JSON.parse(File.read(cache_file))
-        return if cache['token'].nil? || cache['expires_at'].nil?
-        return cache['token'] if Time.parse(cache['expires_at']) > Time.now + 300
-        nil
-      rescue
-      end
-
-      app_id = ENV['GITHUB_APP_CLIENT_ID'] || ENV['GITHUB_APP_ID']
-      installation_id = ENV['GITHUB_APP_INSTALLATION_ID']
-
-      puts find_or_create_cached_token(app_id, installation_id)
-    RUBY
-
-    # Install helper via sudo to /usr/local/bin
-    helper_path = "/usr/local/bin/git-auth-helper"
-    File.write("/tmp/git-auth-helper", helper_content)
-    system("sudo mv /tmp/git-auth-helper #{helper_path}")
-    system("sudo chmod +x #{helper_path}")
-
-    # Configure git
-    system("git config --global credential.helper '!f() { test \"$1\" = get && echo \"protocol=https\" && echo \"host=github.com\" && echo \"username=x-access-token\" && echo \"password=$(#{helper_path})\"; }; f'")
-
-    # Configure gh CLI wrapper for auto-refresh and permission controls
-    if install_gh_wrapper!(real_gh_path: "/usr/bin/gh", with_token_refresh: true, token_helper_path: helper_path)
-      puts "✅ GitHub App authentication configured (with auto-refresh + permission controls)"
-    end
-
-  elsif ENV["GH_TOKEN"] && !ENV["GH_TOKEN"].empty?
-    system("echo '#{ENV['GH_TOKEN']}' | gh auth login --with-token 2>/dev/null")
-
-    # Install wrapper for permission controls even with GH_TOKEN
-    if install_gh_wrapper!(real_gh_path: "/usr/bin/gh")
-      puts "🔐 GitHub authentication configured (with permission controls)"
-    else
-      puts "🔐 GitHub authentication configured"
-    end
-  else
-    puts "⚠️  No GH_TOKEN or GitHub App config - GitHub operations may fail"
-  end
-end
-
-def install_gh_wrapper!(real_gh_path:, with_token_refresh: false, token_helper_path: nil)
-  unless File.exist?(real_gh_path)
-    puts "⚠️  Could not find 'gh' at #{real_gh_path}, skipping wrapper"
-    return false
-  end
-
-  # Move real gh to gh.real if not already done
-  unless File.exist?("#{real_gh_path}.real")
-    system("sudo mv #{real_gh_path} #{real_gh_path}.real")
-  end
-
-  wrapper_path = "/usr/local/bin/gh"
-
-  # Build token export line if auto-refresh is enabled
-  token_export = with_token_refresh ? "export GH_TOKEN=$(#{token_helper_path})\n\n" : ""
-
-  wrapper_content = <<~BASH
-    #!/bin/bash
-    # GitHub CLI wrapper with permission controls for agents
-    #{token_export}# Check if caller is an agent (read AGENT_TYPE at runtime)
-    if [ -n "$AGENT_TYPE" ] && [[ "$AGENT_TYPE" =~ ^(worker|planner|reviewer|researcher)$ ]]; then
-      # Block comment-related commands for agents
-      if [[ "$1" == "comment" ]] || ([[ "$1" == "pr" ]] && [[ "$2" == "comment" ]]); then
-        echo "❌ You cannot use 'gh $*' commands as an agent." >&2
-        echo "" >&2
-        echo "Tinker has its own comment system via the add_comment MCP tool." >&2
-        echo "Please use the add_comment tool instead of gh commands." >&2
-        echo "" >&2
-        echo "Example:" >&2
-        echo "  add_comment(ticket_id: 123, content: \\"Your comment here\\", comment_type: \\"note\\")" >&2
-        exit 1
-      fi
-    fi
-
-    # Execute real gh binary with all arguments
-    exec #{real_gh_path}.real "$@"
-  BASH
-
-  File.write("/tmp/gh-wrapper", wrapper_content)
-  system("sudo mv /tmp/gh-wrapper #{wrapper_path}")
-  system("sudo chmod +x #{wrapper_path}")
-  true
-end
-
-def clone_repositories!
-  return unless ENV["REPOSITORIES_CONFIG"]
-
-  begin
-    repos = JSON.parse(ENV["REPOSITORIES_CONFIG"])
-    return unless repos.is_a?(Array) && repos.any?
-
-    puts "📚 Cloning #{repos.count} repositories..."
-
-    repos.each do |repo|
-      repo_name = repo["name"]
-      github_url = repo["github_url"]
-      sandbox_path = repo["path_in_sandbox"] || "/workspace/#{repo_name}"
-
-      # Create parent directory if needed
-      parent_dir = File.dirname(sandbox_path)
-      FileUtils.mkdir_p(parent_dir) unless File.exist?(parent_dir)
-
-      # Clone repository if it doesn't exist
-      unless File.exist?(sandbox_path)
-        puts "   📥 Cloning #{repo_name} to #{sandbox_path}..."
-        system("git", "clone", "--depth", "1", github_url, sandbox_path)
-      else
-        puts "   ✓ #{repo_name} already exists at #{sandbox_path}"
-      end
-    end
-
-    puts "✅ Repositories cloned"
-
-    # Write repository context to a file for hooks to read
-    # This is more reliable than environment variables in tmux sessions
-    if ENV["REPOSITORIES_CONTEXT"]
-      repo_context_file = File.expand_path("~/.claude/repos_context.txt")
-      File.write(repo_context_file, ENV["REPOSITORIES_CONTEXT"])
-      puts "📝 Repository context written to #{repo_context_file}"
-    end
-
-    # Export REPOSITORIES_CONTEXT to bash profile for shell sessions
-    if ENV["REPOSITORIES_CONTEXT"]
-      profile_file = File.expand_path("~/.bashrc")
-      existing_content = File.exist?(profile_file) ? File.read(profile_file) : ""
-
-      # Remove old export if present
-      existing_content.gsub!(/^export REPOSITORIES_CONTEXT=.*$/, "")
-
-      # Add new export at the end
-      File.write(profile_file, existing_content + "\nexport REPOSITORIES_CONTEXT=\"#{ENV['REPOSITORIES_CONTEXT']}\"\n")
-      puts "📝 REPOSITORIES_CONTEXT exported to ~/.bashrc"
-    end
-  rescue JSON::ParserError => e
-    puts "⚠️  Failed to parse REPOSITORIES_CONFIG: #{e.message}"
-  end
-end
-
-def setup_git_config!
-  # Configure identity if provided
-  if ENV["GIT_USER_NAME"] && !ENV["GIT_USER_NAME"].empty?
-    system("git config --global user.name \"#{ENV['GIT_USER_NAME']}\"")
-    puts "✅ Git user.name configured"
-  end
-
-  if ENV["GIT_USER_EMAIL"] && !ENV["GIT_USER_EMAIL"].empty?
-    system("git config --global user.email \"#{ENV['GIT_USER_EMAIL']}\"")
-    puts "✅ Git user.email configured"
-  end
-
-  # Force HTTPS instead of SSH to ensure our token auth works
-  # This fixes "Permission denied (publickey)" when the repo uses git@github.com remote
-  system("git config --global url.\"https://github.com/\".insteadOf \"git@github.com:\"")
-  puts "✅ Git configured to force HTTPS for GitHub"
-
-  # Avoid "dubious ownership" errors in containers
-  system("git config --global --add safe.directory \"#{Dir.pwd}\"")
-  puts "✅ Git configured to trust #{Dir.pwd}"
-end
-
-
-def setup_git_hooks!
-  # Install git hooks to encourage agents to use git-workflow skill
-  hooks_dest = File.join(Dir.pwd, ".git", "hooks")
-  return unless File.directory?(hooks_dest)
-
-  puts "🪝 Installing git hooks..."
-
-  # Try local copy first, then download from GitHub
-  local_paths = [
-    File.join(Dir.pwd, "tinker-public", "hooks", "pre-commit"),
-    File.join(Dir.pwd, "hooks", "pre-commit"),
-    "/tmp/hooks/pre-commit"
-  ]
-
-  hook_content = nil
-  local_paths.each do |path|
-    if File.exist?(path)
-      hook_content = File.read(path)
-      puts "   (from local: #{path})"
-      break
-    end
-  end
-
-  unless hook_content
-    url = "#{TINKER_RAW_URL}/hooks/pre-commit"
-    begin
-      hook_content = URI.open(url).read
-    rescue OpenURI::HTTPError => e
-      puts "⚠️  Failed to download pre-commit hook: #{e.message}"
-      return
-    end
-  end
-
-  hook_path = File.join(hooks_dest, "pre-commit")
-  File.write(hook_path, hook_content)
-  File.chmod(0755, hook_path)
-  puts "✅ Git hooks installed"
-end
-
-def setup_multi_repo_scripts!
-  # Install switch-to-repo.sh script and repo-specific setup scripts
-  # These are only needed when using multi-repo setup
-  repos_dir = File.expand_path("~/repos")
-  bin_dir = "/usr/local/bin"
-
-  puts "📚 Setting up multi-repo scripts..."
-
-  # Create repos directory for repo-specific setup scripts
-  FileUtils.mkdir_p(repos_dir)
-
-  # Install switch-to-repo.sh script
-  switch_script = File.join(bin_dir, "switch-to-repo.sh")
-
-  # Try local copy first, then download from GitHub
-  local_paths = [
-    File.join(Dir.pwd, "tinker-public", "hooks", "switch-to-repo.sh"),
-    File.join(Dir.pwd, "hooks", "switch-to-repo.sh"),
-    "/tmp/hooks/switch-to-repo.sh"
-  ]
-
-  script_content = nil
-  local_paths.each do |path|
-    if File.exist?(path)
-      script_content = File.read(path)
-      puts "   (from local: #{path})"
-      break
-    end
-  end
-
-  unless script_content
-    url = "#{TINKER_RAW_URL}/hooks/switch-to-repo.sh"
-    begin
-      script_content = URI.open(url).read
-    rescue OpenURI::HTTPError => e
-      puts "⚠️  Failed to download switch-to-repo.sh: #{e.message}"
-      return
-    end
-  end
-
-  # Write to temp file first, then sudo mv
-  temp_script = "/tmp/switch-to-repo.sh.temp"
-  File.write(temp_script, script_content)
-  system("sudo mv #{temp_script} #{switch_script}")
-  system("sudo chmod +x #{switch_script}")
-  puts "✅ Installed switch-to-repo.sh to #{bin_dir}"
-
-  # Install repo-specific setup scripts
-  # These are example scripts that can be customized per repository
-  local_repos_dir = File.join(Dir.pwd, "tinker-public", "repos")
-
-  if File.directory?(local_repos_dir)
-    Dir.glob(File.join(local_repos_dir, "*.sh")).each do |script_file|
-      script_name = File.basename(script_file)
-      dest_script = File.join(repos_dir, script_name)
-      FileUtils.cp(script_file, dest_script)
-      File.chmod(0755, dest_script)
-      puts "   - Installed #{script_name}"
-    end
-    puts "✅ Installed repo-specific setup scripts"
-  else
-    puts "ℹ️  No repo-specific setup scripts found (skipping)"
-  end
-end
-
-def download_agent_bridge!
-  # Detect architecture
-  arch = `uname -m`.strip
-  if arch == "x86_64"
-    arch = "amd64"
-  elsif arch == "aarch64" || arch == "arm64"
-    arch = "arm64"
-  else
-    puts "❌ Unsupported architecture: #{arch}"
-    exit 1
-  end
-
-  target_dir = "/usr/local/bin"
-
-  # 1. Check for local override in /tmp/overrides (development mode)
-  override_dir = "/tmp/overrides"
-  if Dir.exist?(override_dir)
-    local_override = File.join(override_dir, "agent-bridge-linux-#{arch}")
-    if File.exist?(local_override)
-      puts "🔧 Using local override: #{local_override}"
-      system("sudo cp #{local_override} #{target_dir}/agent-bridge")
-      system("sudo chmod +x #{target_dir}/agent-bridge")
-      puts "✅ agent-bridge installed from local override"
-      return download_agent_bridge_tmux!(target_dir)
-    end
-  end
-
-  # 2. Check if binaries are mounted at /tmp (dev mode)
-  if File.exist?("/tmp/agent-bridge")
-    puts "🔧 Installing mounted agent-bridge..."
-    system("sudo cp /tmp/agent-bridge #{target_dir}/agent-bridge")
-    system("sudo chmod +x #{target_dir}/agent-bridge")
-    puts "✅ agent-bridge installed from mount"
-    return download_agent_bridge_tmux!(target_dir)
-  end
-
-  # 3. Try Civo bucket download (production mode)
-  if ENV["CIVO_ACCESS_KEY_ID"] && ENV["CIVO_SECRET_KEY"]
-    puts "📥 Downloading agent-bridge from Civo bucket..."
-    if download_from_civo!(arch, target_dir)
-      return download_agent_bridge_tmux!(target_dir)
-    else
-      puts "⚠️  Civo download failed, falling back to GitHub..."
-    end
-  end
-
-  # 4. Fallback to GitHub raw URLs (legacy)
-  bridge_url = "#{TINKER_RAW_URL}/bin/agent-bridge-linux-#{arch}"
-  puts "📥 Downloading agent-bridge for linux-#{arch} from GitHub..."
-  system("sudo curl -fsSL #{bridge_url} -o #{target_dir}/agent-bridge")
-  system("sudo chmod +x #{target_dir}/agent-bridge")
-
-  puts "✅ agent-bridge installed to #{target_dir}"
-  download_agent_bridge_tmux!(target_dir)
-end
-
-def download_from_civo!(arch, target_dir)
-  require "aws-sdk-s3"
-
-  region = ENV["CIVO_REGION"] || "LON1"
-  endpoint = ENV["CIVO_ENDPOINT"] || "https://objectstore.fra1.civo.com"
-  bucket = ENV["TINKER_BINARIES_BUCKET"] || "tinker"
-  version = ENV["AGENT_BRIDGE_VERSION"] || "latest"
-
-  binary_name = "agent-bridge-linux-#{arch}"
-  key = "agent-bridge/#{version}/#{binary_name}"
-
-  puts "   Region: #{region}"
-  puts "   Bucket: #{bucket}"
-  puts "   Version: #{version}"
-  puts "   Binary: #{binary_name}"
-
-  begin
-    # Configure Civo S3-compatible client
-    Aws.config.update({
-      region: region,
-      endpoint: endpoint,
-      access_key_id: ENV["CIVO_ACCESS_KEY_ID"],
-      secret_access_key: ENV["CIVO_SECRET_KEY"]
-    })
-
-    s3 = Aws::S3::Resource.new
-    obj = s3.bucket(bucket).object(key)
-
-    # Generate presigned URL (valid for 1 hour)
-    url = obj.presigned_url(:get, expires_in: 3600)
-
-    puts "✅ Generated presigned URL"
-
-    # Download via curl
-    system("sudo curl -fsSL #{url} -o #{target_dir}/agent-bridge")
-
-    unless $?.success?
-      puts "❌ Failed to download agent-bridge from Civo"
-      return false
-    end
-
-    system("sudo chmod +x #{target_dir}/agent-bridge")
-    puts "✅ Downloaded agent-bridge from Civo"
-    return true
-
-  rescue LoadError
-    puts "⚠️  aws-sdk-s3 gem not installed"
-    return false
-  rescue Aws::S3::Errors::NoSuchKey
-    puts "❌ Version #{version} not found in bucket"
-    return false
-  rescue => e
-    puts "❌ Civo download failed: #{e.message}"
-    return false
-  end
-end
-
-def download_agent_bridge_tmux!(target_dir)
-  bridge_tmux_url = "#{TINKER_RAW_URL}/bin/agent-bridge-tmux"
-
-  if File.exist?("/tmp/agent-bridge-tmux")
-    puts "🔧 Installing mounted agent-bridge-tmux..."
-    system("sudo cp /tmp/agent-bridge-tmux #{target_dir}/agent-bridge-tmux")
-    system("sudo chmod +x #{target_dir}/agent-bridge-tmux")
-  else
-    system("sudo curl -fsSL #{bridge_tmux_url} -o #{target_dir}/agent-bridge-tmux")
-    system("sudo chmod +x #{target_dir}/agent-bridge-tmux")
-  end
-  
-  # Patch agent-bridge-tmux to force INSIDE_TMUX=1
-  # Note: This is now fixed in the repo, but we keep this for backward compatibility
-  # with older agent-bridge-tmux scripts if cached
-  puts "🔧 Patching agent-bridge-tmux to force INSIDE_TMUX=1..."
-  
-  # Read the file (we can read /usr/local/bin files usually)
-  content = File.read("#{target_dir}/agent-bridge-tmux")
-  
-  # Replace the command if not already present
-  unless content.include?("export INSIDE_TMUX=1")
-    new_content = content.gsub(
-      "&& agent-bridge\"", 
-      "&& export INSIDE_TMUX=1 && agent-bridge\""
-    )
-    
-    # Write to temp file
-    File.write("/tmp/agent-bridge-tmux-patched", new_content)
-    
-    # Move to destination with sudo
-    system("sudo mv /tmp/agent-bridge-tmux-patched #{target_dir}/agent-bridge-tmux")
-    system("sudo chmod +x #{target_dir}/agent-bridge-tmux")
-  end
-  
-  return target_dir
-end
-
-def run_agent!(bin_dir)
-  agent_type = ENV["AGENT_TYPE"] || "agent"
-  puts ""
-  puts "🚀 Starting #{agent_type}..."
-  puts "   Press Ctrl+B then D to detach from tmux"
-  puts ""
-
-  # Build environment variables to pass to agent-bridge-tmux
-  # We need to explicitly export AGENT_ID if it was fetched
-  env_vars = {}
-  env_vars["AGENT_ID"] = ENV["AGENT_ID"] if ENV["AGENT_ID"]
-  
-  # Run agent-bridge-tmux which handles tmux session and status bar
-  exec(env_vars, "#{bin_dir}/agent-bridge-tmux")
-end
-
-# Main
-puts "🤖 Tinker Agent Setup"
-puts "====================="
-puts ""
-
-check_env!
-fetch_agent_id!
-setup_mcp_config!
-setup_system_prompt!
-# Clone repositories BEFORE setting up hooks that depend on them
-setup_github_auth!
-setup_git_config!
-clone_repositories!
-setup_claude_config!
-setup_claude_settings!
-# setup_skill_hooks! # Deprecated in favor of global hooks
-setup_skills!
-setup_git_hooks!
-setup_multi_repo_scripts!
-# prepare_git_state! is now in entrypoint.sh
-bin_dir = download_agent_bridge!
-run_agent!(bin_dir)