totopo 3.1.0 → 3.2.0-rc-2

package/README.md

@@ -12,9 +12,10 @@ Local sandbox for AI agents.
 
 ## Motivation
 
-Two fundamental issues with AI agents:
-- They are non-deterministic and will occasionally make mistakes.
-- Susceptibility to prompt injection — they can get compromised and act against your interests without you knowing.
+**Can you trust an AI agent?** Two issues make that hard:
+
+- **Inherently unpredictable**: they will make mistakes, often without you knowing, and not always possible to undo.
+- **Vulnerable to prompt injection**: a subtle attack that can silently turn your agent against you.
 
 totopo addresses both with a dev container - when you run totopo in a given directory, the directory is mounted as a workspace where agents get a full, capable environment to work in — they just can't touch anything outside the workspace, and they can't reach remote git repositories.
 
@@ -48,7 +49,7 @@ Once set up, the flow is simple:
 
 A few things happen automatically:
 
-- **Agents stay up to date** — when you open a session, totopo ensures all AI CLIs are on their latest version.
+- **Agents stay up to date** — totopo keeps all AI CLIs on their latest versions, checking for updates automatically.
 - **Sessions are persistent** — agent memory and settings survive container restarts and rebuilds.
 - **Your machine stays safe** — the container can't push to remote, can't read outside the workspace, and sensitive paths like `.env` can be hidden from agents entirely (see [Shadow Paths](#shadow-paths)).
 
@@ -168,7 +169,7 @@ codex       # Codex (OpenAI)
 
 Agents are self-aware — sandbox constraints, git remote block, and any active shadow path overlays are injected into agent context at every session start.
 
-totopo updates all three CLIs to their latest published versions at most once per 24 hours per workspace.
+totopo keeps all three CLIs on their latest published versions, checking for updates automatically.
 
 ### Persistent Agent Memory
 

package/bin/totopo.js

@@ -5,8 +5,8 @@
 // =========================================================================================================================================
 
 import { execSync, spawnSync } from "node:child_process";
-import { existsSync } from "node:fs";
-import { dirname } from "node:path";
+import { existsSync, readFileSync } from "node:fs";
+import { dirname, join } from "node:path";
 import { fileURLToPath } from "node:url";
 import { cancel, confirm, isCancel, log, select } from "@clack/prompts";
 import { run as dev } from "../dist/commands/dev.js";
@@ -37,6 +37,9 @@ try {
 const packageDir = dirname(dirname(fileURLToPath(import.meta.url)));
 const cwd = process.cwd();
 
+// --- Version -----------------------------------------------------------------------------------------------------------------------------
+const { version } = JSON.parse(readFileSync(join(packageDir, "package.json"), "utf8"));
+
 // --- Guard: dist/ must exist -------------------------------------------------------------------------------------------------------------
 if (!existsSync(new URL("../dist/commands/dev.js", import.meta.url))) {
     console.error("");
@@ -149,7 +152,7 @@ while (showMenu) {
     const activeCount = activeNames.length;
     const workspaceRunning = activeNames.some((n) => n === containerName);
 
-    const action = await menu({ ctx: workspace, activeCount, workspaceRunning });
+    const action = await menu({ ctx: workspace, activeCount, workspaceRunning, version });
 
     switch (action) {
         case "dev":

package/dist/commands/dev.js

@@ -5,14 +5,14 @@
 import { spawnSync } from "node:child_process";
 import { existsSync } from "node:fs";
 import { join, relative } from "node:path";
-import { cancel, isCancel, log, outro, select } from "@clack/prompts";
+import { cancel, confirm, isCancel, log, outro, select } from "@clack/prompts";
 import { buildAgentContextDocs, buildAgentMountArgs, injectAgentContext } from "../lib/agent-context.js";
-import { CONTAINER_POST_START, CONTAINER_WORKSPACE, LABEL_MANAGED, LABEL_PROFILE, LABEL_SHADOWS, PROFILE } from "../lib/constants.js";
+import { CONTAINER_STARTUP, CONTAINER_WORKSPACE, LABEL_MANAGED, LABEL_PROFILE, LABEL_SHADOWS, PROFILE } from "../lib/constants.js";
 import { buildDockerfile, buildImageWithTempfile } from "../lib/dockerfile-builder.js";
+import { isImageStale } from "../lib/migrate-to-latest.js";
 import { buildShadowMountArgs, ensureShadowsInSync, expandShadowPatterns } from "../lib/shadows.js";
 import { readTotopoYaml } from "../lib/totopo-yaml.js";
-import { readActiveProfile, readLastCliUpdate, writeActiveProfile, writeLastCliUpdate } from "../lib/workspace-identity.js";
-const CLI_UPDATE_THROTTLE_MS = 24 * 60 * 60 * 1000;
+import { readActiveProfile, writeActiveProfile } from "../lib/workspace-identity.js";
 // --- Prompt: working directory selection -------------------------------------------------------------------------------------------------
 async function promptWorkdir(workspaceDir, cwd) {
     if (cwd === workspaceDir)
@@ -82,32 +82,12 @@ function stopAndRemoveContainer(containerName) {
     spawnSync("docker", ["stop", containerName], { stdio: "pipe" });
     spawnSync("docker", ["rm", containerName], { stdio: "pipe" });
 }
-// --- Update AI CLIs to latest (runs as root so npm global is writable) -------------------------------------------------------------------
-function updateAiClis(containerName) {
-    log.step("Updating AI CLIs to latest...");
-    spawnSync("docker", [
-        "exec",
-        "-u",
-        "root",
-        containerName,
-        "npm",
-        "install",
-        "-g",
-        "opencode-ai@latest",
-        "@anthropic-ai/claude-code@latest",
-        "@openai/codex@latest",
-    ], { stdio: "inherit" });
-}
-// --- Run post-start ----------------------------------------------------------------------------------------------------------------------
-function runPostStart(containerName) {
-    log.step("Running post-start checks...");
-    const postStart = spawnSync("docker", ["exec", containerName, "node", CONTAINER_POST_START], {
-        stdio: "inherit",
+// --- Run startup checks (AI CLI update + readiness validation) ---------------------------------------------------------------------------
+function runStartup(containerName, quiet) {
+    const result = spawnSync("docker", ["exec", "-u", "root", containerName, "node", CONTAINER_STARTUP], {
+        stdio: quiet ? "pipe" : "inherit",
     });
-    if (postStart.status !== 0) {
-        outro("Post-start checks failed.");
-        process.exit(postStart.status ?? 1);
-    }
+    return result.status === 0;
 }
 export function startContainer(opts) {
     const { containerName, workspaceRoot, cacheDir, templatesDir, activeProfile, profileHook, expandedShadows, envFilePath, hasGit, shadowPatterns, workspaceName, noCache, quiet = false, } = opts;
@@ -260,7 +240,7 @@ export async function run(packageDir, ctx, options) {
     }
     const hasGit = existsSync(join(workspaceDir, ".git"));
     // --- Start container -----------------------------------------------------------------------------------------------------------------
-    const sessionResult = startContainer({
+    const containerOpts = {
         containerName,
         workspaceRoot: workspaceDir,
         cacheDir,
@@ -273,18 +253,42 @@ export async function run(packageDir, ctx, options) {
         shadowPatterns,
         workspaceName: ctx.displayName,
         ...(options?.noCache !== undefined && { noCache: options.noCache }),
-    });
-    // --- Post-start setup (only on fresh start or resume) --------------------------------------------------------------------------------
-    if (sessionResult === "created" || sessionResult === "resumed") {
-        const lastUpdate = readLastCliUpdate(ctx.workspaceId);
-        if (!lastUpdate || Date.now() - new Date(lastUpdate).getTime() >= CLI_UPDATE_THROTTLE_MS) {
-            updateAiClis(containerName);
-            writeLastCliUpdate(ctx.workspaceId, new Date().toISOString());
+    };
+    startContainer(containerOpts);
+    // --- Stale image check - prompt user to rebuild if image is outdated ------------------------------------------------------------------
+    let stale = isImageStale(containerName);
+    if (stale) {
+        const rebuild = await confirm({
+            message: "totopo's latest release includes an updated container image. Rebuild now? (Recommended) The process is quick and will not affect agent memory, settings, or your data.",
+            initialValue: true,
+        });
+        if (isCancel(rebuild)) {
+            cancel("Session cancelled.");
+            process.exit(0);
+        }
+        if (rebuild) {
+            stopAndRemoveContainer(containerName);
+            spawnSync("docker", ["rmi", containerName], { stdio: "pipe" });
+            startContainer(containerOpts);
+            stale = false;
+        }
+    }
+    // --- Startup checks (AI CLI update + readiness validation) ----------------------------------------------------------------------------
+    if (!runStartup(containerName, stale)) {
+        if (stale) {
+            const connect = await confirm({
+                message: "Startup checks failed (likely due to outdated image). Connect anyway?",
+                initialValue: true,
+            });
+            if (!connect || isCancel(connect)) {
+                cancel("Session cancelled.");
+                process.exit(0);
+            }
         }
         else {
-            log.info("AI CLIs are up to date.");
+            outro("Startup checks failed.");
+            process.exit(1);
         }
-        runPostStart(containerName);
     }
     // --- Connect -------------------------------------------------------------------------------------------------------------------------
     const exec = spawnSync("docker", ["exec", "-it", "-w", workdir, containerName, "bash", "--login"], {

package/dist/commands/menu.js

@@ -9,14 +9,14 @@ import { box, cancel, isCancel, select } from "@clack/prompts";
 import { PROFILE } from "../lib/constants.js";
 import { readActiveProfile } from "../lib/workspace-identity.js";
 export async function run(args) {
-    const { ctx, workspaceRunning } = args;
+    const { ctx, workspaceRunning, version } = args;
     // --- Read workspace config -----------------------------------------------------------------------------------------------------------
     const activeProfile = readActiveProfile(ctx.workspaceId) ?? PROFILE.default;
     const hasGit = existsSync(join(ctx.workspaceRoot, ".git"));
     // --- Status box ----------------------------------------------------------------------------------------------------------------------
     const containerStatus = workspaceRunning ? "running" : "stopped";
     const gitNotice = hasGit ? "" : `\n${styleText("yellow", "●")} no git — agent changes are not tracked`;
-    box(`workspace:   ${ctx.displayName}\nprofile:     ${activeProfile}\ncontainer:   ${containerStatus}${gitNotice}`, " totopo ", {
+    box(`workspace:   ${ctx.displayName}\nprofile:     ${activeProfile}\ncontainer:   ${containerStatus}${gitNotice}`, ` totopo v${version} `, {
         contentAlign: "left",
         titleAlign: "center",
         width: "auto",

package/dist/lib/constants.js

@@ -21,7 +21,7 @@ export const DEFAULT_SHADOW_PATHS = ["node_modules", ".env*"];
 export const CONTAINER_USER = "devuser";
 export const CONTAINER_HOME = `/home/${CONTAINER_USER}`;
 export const CONTAINER_WORKSPACE = "/workspace";
-export const CONTAINER_POST_START = `${CONTAINER_HOME}/post-start.mjs`;
+export const CONTAINER_STARTUP = `${CONTAINER_HOME}/startup.mjs`;
 // Docker container/image naming
 export const CONTAINER_NAME_PREFIX = "totopo-";
 // Docker label keys

package/dist/lib/dockerfile-builder.js

@@ -7,7 +7,7 @@ import { randomBytes } from "node:crypto";
 import { readFileSync, unlinkSync, writeFileSync } from "node:fs";
 import { tmpdir } from "node:os";
 import { join } from "node:path";
-import { CONTAINER_HOME, CONTAINER_NAME_PREFIX, CONTAINER_POST_START, CONTAINER_USER, LABEL_MANAGED } from "./constants.js";
+import { CONTAINER_HOME, CONTAINER_NAME_PREFIX, CONTAINER_STARTUP, CONTAINER_USER, LABEL_MANAGED } from "./constants.js";
 // --- User shell config appended after USER instruction -----------------------------------------------------------------------------------
 const USER_SHELL_CONFIG = `
 # ---------------------------------------------------------------------------
@@ -19,7 +19,7 @@ RUN echo 'export PS1="\\[\\033[01;32m\\][devcontainer]\\[\\033[00m\\] \\[\\033[0
     echo 'echo ""' >> ${CONTAINER_HOME}/.bashrc && \\
     echo "echo \\"  Run 'opencode', 'claude', or 'codex' to start an agent.\\"" >> ${CONTAINER_HOME}/.bashrc && \\
     echo 'echo ""' >> ${CONTAINER_HOME}/.bashrc && \\
-    echo 'alias status="node ${CONTAINER_POST_START}"' >> ${CONTAINER_HOME}/.bashrc
+    echo 'alias status="node ${CONTAINER_STARTUP}"' >> ${CONTAINER_HOME}/.bashrc
 
 CMD ["/bin/bash"]
 `;

package/dist/lib/migrate-to-latest.js

@@ -24,7 +24,7 @@ import { homedir } from "node:os";
 import { join } from "node:path";
 import { log } from "@clack/prompts";
 import { load as loadYaml } from "js-yaml";
-import { AGENTS_DIR, LOCK_FILE, PROFILE, SHADOWS_DIR, TOTOPO_DIR, TOTOPO_YAML, WORKSPACES_DIR } from "./constants.js";
+import { AGENTS_DIR, CONTAINER_STARTUP, LOCK_FILE, PROFILE, SHADOWS_DIR, TOTOPO_DIR, TOTOPO_YAML, WORKSPACES_DIR } from "./constants.js";
 import { safeRmSync } from "./safe-rm.js";
 import { buildDefaultTotopoYaml, readTotopoYaml, slugifyForWorkspaceId, validateWorkspaceId, writeTotopoYaml, } from "./totopo-yaml.js";
 import { findTotopoYamlDir, getWorkspacesBaseDir, initWorkspaceDir, LOCK_KEYS } from "./workspace-identity.js";
@@ -296,7 +296,7 @@ function migrateLockFileFormat() {
             if (!firstLine || firstLine.includes("="))
                 continue; // empty or already new format
             const activeProfile = secondLine ?? PROFILE.default;
-            writeFileSync(lockPath, `${LOCK_KEYS.workspaceRoot}=${firstLine}\n${LOCK_KEYS.activeProfile}=${activeProfile}\n${LOCK_KEYS.lastCliUpdate}=\n`);
+            writeFileSync(lockPath, `${LOCK_KEYS.workspaceRoot}=${firstLine}\n${LOCK_KEYS.activeProfile}=${activeProfile}\n`);
         }
         catch {
             // unreadable -- skip, will surface as a broken workspace elsewhere
@@ -325,6 +325,32 @@ function migrateLockKeyYamlToRoot() {
         }
     }
 }
+/**
+ * v3.1.0 and earlier: Remove the "last-cli-update" key from .lock files.
+ * CLI update timestamps are now managed inside the container via /home/devuser/.ai-cli-updated.
+ * Detects old format by presence of "last-cli-update=" in the file content. Idempotent.
+ */
+function migrateRemoveLastCliUpdate() {
+    const baseDir = getWorkspacesBaseDir();
+    if (!existsSync(baseDir))
+        return;
+    for (const entry of readdirSync(baseDir)) {
+        const lockPath = join(baseDir, entry, LOCK_FILE);
+        try {
+            const content = readFileSync(lockPath, "utf8");
+            if (!content.includes("last-cli-update="))
+                continue;
+            const filtered = content
+                .split("\n")
+                .filter((line) => !line.startsWith("last-cli-update="))
+                .join("\n");
+            writeFileSync(lockPath, filtered);
+        }
+        catch {
+            // unreadable -- skip, will surface as a broken workspace elsewhere
+        }
+    }
+}
 // Order matters: migrateProjectsDir must run before migrateV2Workspaces because
 // step 2 scans ~/.totopo/workspaces/ which only exists after step 1 renames projects/.
 // Steps 3 and 4 are independent of each other and of steps 1-2.
@@ -338,6 +364,7 @@ const MIGRATIONS = [
     { from: "v2.x", description: "Remove legacy ~/.totopo/.env global key file", run: migrateGlobalEnv },
     { from: "v3-rc-6", description: "Upgrade .lock files from positional to key=value format", run: migrateLockFileFormat },
     { from: "v3-rc-8", description: "Rename 'yaml' key to 'root' in .lock files", run: migrateLockKeyYamlToRoot },
+    { from: "v3.1.0", description: "Remove last-cli-update key from .lock files", run: migrateRemoveLastCliUpdate },
 ];
 /** Run all migrations in order. Called early in bin/totopo.js startup. */
 export function runMigration(cwd) {
@@ -345,3 +372,16 @@ export function runMigration(cwd) {
         migration.run(cwd);
     }
 }
+// =========================================================================================================================================
+// Image staleness detection
+// Called at session start to detect outdated container images that need rebuilding.
+// Add new conditions here when the base image changes in future releases.
+// =========================================================================================================================================
+/** Check if a running container's image is stale (missing expected files/features). */
+export function isImageStale(containerName) {
+    // v3.2.0: startup.mjs replaced post-start.mjs + update-ai-clis.mjs
+    const check = spawnSync("docker", ["exec", containerName, "test", "-f", CONTAINER_STARTUP], { stdio: "pipe" });
+    if (check.status !== 0)
+        return true;
+    return false;
+}

package/dist/lib/workspace-identity.js

@@ -11,7 +11,6 @@ import { readTotopoYaml } from "./totopo-yaml.js";
 export const LOCK_KEYS = {
     workspaceRoot: "root",
     activeProfile: "profile",
-    lastCliUpdate: "last-cli-update",
 };
 /** Reverse lookup: file key → LockFile field name, used during parsing. */
 const FILE_KEY_TO_FIELD = Object.fromEntries(Object.entries(LOCK_KEYS).map(([field, key]) => [key, field]));
@@ -54,7 +53,6 @@ function parseLockFile(workspaceId) {
         return {
             workspaceRoot: partial.workspaceRoot,
             activeProfile: partial.activeProfile ?? PROFILE.default,
-            lastCliUpdate: partial.lastCliUpdate ?? "",
         };
     }
     catch {
@@ -72,44 +70,32 @@ function writeLockFileInternal(workspaceId, data) {
 export function readLockFile(workspaceId) {
     return parseLockFile(workspaceId)?.workspaceRoot ?? null;
 }
-/** Write a workspace's lock file with the owning workspace root path. Preserves active profile and lastCliUpdate. */
+/** Write a workspace's lock file with the owning workspace root path. Preserves active profile. */
 export function writeLockFile(workspaceId, workspaceRoot) {
     const existing = parseLockFile(workspaceId);
     writeLockFileInternal(workspaceId, {
         workspaceRoot,
         activeProfile: existing?.activeProfile ?? PROFILE.default,
-        lastCliUpdate: existing?.lastCliUpdate ?? "",
     });
 }
 /** Read the active profile name. Returns null if lock file is missing. */
 export function readActiveProfile(workspaceId) {
     return parseLockFile(workspaceId)?.activeProfile ?? null;
 }
-/** Write the active profile name. Preserves workspace root path and lastCliUpdate. */
+/** Write the active profile name. Preserves workspace root path. */
 export function writeActiveProfile(workspaceId, profile) {
     const existing = parseLockFile(workspaceId);
     if (!existing)
         return;
     writeLockFileInternal(workspaceId, { ...existing, activeProfile: profile });
 }
-/** Read the last CLI update timestamp. Returns empty string if lock file is missing or field was never set. */
-export function readLastCliUpdate(workspaceId) {
-    return parseLockFile(workspaceId)?.lastCliUpdate ?? "";
-}
-/** Write the last CLI update timestamp. Preserves all other fields. No-op if lock file is missing. */
-export function writeLastCliUpdate(workspaceId, timestamp) {
-    const existing = parseLockFile(workspaceId);
-    if (!existing)
-        return;
-    writeLockFileInternal(workspaceId, { ...existing, lastCliUpdate: timestamp });
-}
 // --- Workspace directory initialization --------------------------------------------------------------------------------------------------
 /** Initialize ~/.totopo/workspaces/<workspace_id>/ with lock file and subdirs. */
 export function initWorkspaceDir(workspaceId, workspaceRoot, activeProfile = PROFILE.default) {
     const dir = getWorkspaceDir(workspaceId);
     mkdirSync(join(dir, AGENTS_DIR), { recursive: true });
     mkdirSync(join(dir, SHADOWS_DIR), { recursive: true });
-    writeLockFileInternal(workspaceId, { workspaceRoot, activeProfile, lastCliUpdate: "" });
+    writeLockFileInternal(workspaceId, { workspaceRoot, activeProfile });
 }
 // --- Listing -----------------------------------------------------------------------------------------------------------------------------
 /** List all registered workspace IDs (directories with a .lock file) */

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "totopo",
-  "version": "3.1.0",
+  "version": "3.2.0-rc-2",
   "description": "Run AI coding agents safely in your local codebase",
   "type": "module",
   "bin": {

package/templates/Dockerfile

@@ -86,13 +86,14 @@ RUN npm install -g \
 RUN groupadd --gid 1001 devuser && \
     useradd --uid 1001 --gid devuser --shell /bin/bash --create-home devuser && \
     mkdir -p /home/devuser/.local/state /home/devuser/.local/share /home/devuser/.local/bin && \
+    date -u +"%Y-%m-%dT%H:%M:%S.000Z" > /home/devuser/.ai-cli-updated && \
     chown -R devuser:devuser /home/devuser
 
 # ---------------------------------------------------------------------------
-# Layer 9 — Bake post-start script into image
+# Layer 9 — Bake startup script into image
 # ---------------------------------------------------------------------------
-COPY post-start.mjs /home/devuser/post-start.mjs
-RUN chown devuser:devuser /home/devuser/post-start.mjs
+COPY startup.mjs /home/devuser/startup.mjs
+RUN chown devuser:devuser /home/devuser/startup.mjs
 
 WORKDIR /workspace
 

package/templates/{post-start.mjs → startup.mjs}

@@ -1,11 +1,13 @@
 #!/usr/bin/env node
 // =============================================================================
-// post-start.mjs — Security validation & readiness check
-// Baked into the container image at /home/devuser/post-start.mjs
-// Must use only Node.js built-ins — no external packages available in container.
+// startup.mjs -- Container startup: AI CLI updates + readiness checks
+// Baked into the container image at /home/devuser/startup.mjs
+// Must run as root (npm global install requires root).
+// Must use only Node.js built-ins -- no external packages available in container.
 // =============================================================================
 
 import { execSync } from "node:child_process";
+import { readFileSync, writeFileSync } from "node:fs";
 
 const run = (cmd) => {
     try {
@@ -18,18 +20,17 @@ const run = (cmd) => {
     }
 };
 
-// ─── ANSI helpers ─────────────────────────────────────────────────────────────
+// -- ANSI helpers -------------------------------------------------------------
 const green = (s) => `\x1b[32m${s}\x1b[0m`;
 const _yellow = (s) => `\x1b[33m${s}\x1b[0m`;
 const red = (s) => `\x1b[31m${s}\x1b[0m`;
 const blue = (s) => `\x1b[34m${s}\x1b[0m`;
 const dim = (s) => `\x1b[2m${s}\x1b[0m`;
 const bold = (s) => `\x1b[1m${s}\x1b[0m`;
+const grey = (s) => `\x1b[90m${s}\x1b[0m`;
 
 let errors = 0;
 
-const grey = (s) => `\x1b[90m${s}\x1b[0m`;
-
 const ok = (label, detail) => console.log(`${green("✓")} ${label.padEnd(24)}${detail ? dim(detail) : ""}`);
 const skip = (label, detail) => console.log(`${grey("–")} ${grey(label.padEnd(24))}${detail ? grey(detail) : ""}`);
 const fail = (label, detail) => {
@@ -38,53 +39,80 @@ const fail = (label, detail) => {
 };
 const section = (title) => console.log(`\n${bold(title)}`);
 
-// ─── Header ──────────────────────────────────────────────────────────────────
-console.log(`\n${bold("totopo — Secure AI Box")}\n`);
+// -- Header -------------------------------------------------------------------
+console.log(`\n${bold("totopo - Sandbox for AI Agents")}\n`);
+
+// -- AI CLI update (requires root - skipped when run via 'status' alias as devuser) -
+section("AI CLI update");
+
+const isRoot = process.getuid?.() === 0;
+const TIMESTAMP_FILE = "/home/devuser/.ai-cli-updated";
+const THROTTLE_MS = 24 * 60 * 60 * 1000;
+
+let lastUpdate = 0;
+try {
+    const raw = readFileSync(TIMESTAMP_FILE, "utf8").trim();
+    lastUpdate = new Date(raw).getTime();
+} catch {
+    // File missing or unreadable -- treat as never updated
+}
+
+if (Number.isFinite(lastUpdate) && Date.now() - lastUpdate < THROTTLE_MS) {
+    ok("AI CLIs", "up to date");
+} else if (!isRoot) {
+    skip("AI CLIs", "update skipped (requires root)");
+} else {
+    console.log(`${blue("●")} ${dim("Updating AI CLIs to latest...")}`);
+    try {
+        execSync("npm install -g opencode-ai@latest @anthropic-ai/claude-code@latest @openai/codex@latest", {
+            stdio: "inherit",
+        });
+        writeFileSync(TIMESTAMP_FILE, `${new Date().toISOString()}\n`);
+        ok("AI CLIs", "updated");
+    } catch {
+        fail("AI CLIs", "update failed -- continuing with existing versions");
+    }
+}
 
-// ─── Security ────────────────────────────────────────────────────────────────
+// -- Security -----------------------------------------------------------------
 section("Security");
 
-const whoami = run("whoami");
-if (whoami !== "root") {
-    ok("non-root user", whoami ?? "unknown");
+const idOutput = run("id devuser");
+if (idOutput?.includes("uid=1001")) {
+    ok("non-root user", "devuser (uid=1001)");
 } else {
-    fail("non-root user", "running as root — container is misconfigured");
+    fail("non-root user", "devuser not found or wrong uid -- container is misconfigured");
 }
 
 const gitProtocol = run("git config --system protocol.allow");
 if (gitProtocol === "never") {
     ok("git remote block", "protocol.allow = never");
 } else {
-    fail("git remote block", "not set — rebuild the container");
+    fail("git remote block", "not set -- rebuild the container");
 }
 
 try {
     execSync("/usr/bin/git -C /workspace push", { stdio: "pipe" });
-    fail("push blocked", "git push succeeded — remote access is NOT blocked");
+    fail("push blocked", "git push succeeded -- remote access is NOT blocked");
 } catch {
     ok("push blocked", "remote push not possible");
 }
 
-// ─── AI tools ────────────────────────────────────────────────────────────────
+// -- AI tools -----------------------------------------------------------------
 section("AI tools");
 
-const aiToolResults = [];
-
 const checkTool = (cmd) => {
     const out = run(`${cmd} --version`);
     if (out !== null && out.trim() !== "") {
         const version = out.split("\n")[0];
         ok(cmd, version);
-        aiToolResults.push({ cmd, version, found: true });
         return;
     }
     const which = run(`which ${cmd}`);
     if (which !== null) {
         ok(cmd, "installed");
-        aiToolResults.push({ cmd, version: "installed", found: true });
     } else {
-        fail(cmd, "not found — rebuild container");
-        aiToolResults.push({ cmd, version: null, found: false });
+        fail(cmd, "not found -- rebuild container");
     }
 };
 
@@ -92,7 +120,7 @@ checkTool("opencode");
 checkTool("claude");
 checkTool("codex");
 
-// ─── Runtimes ────────────────────────────────────────────────────────────────
+// -- Runtimes -----------------------------------------------------------------
 section("Runtimes");
 
 const checkRuntime = (label, version) => {
@@ -115,7 +143,7 @@ checkRuntime("go", run("go version"));
 checkRuntime("cargo", run("cargo --version"));
 checkRuntime("java", run("java --version")?.split("\n")[0] ?? null);
 
-// ─── Dev tools ───────────────────────────────────────────────────────────────
+// -- Dev tools ----------------------------------------------------------------
 section("Dev tools");
 
 ok("gh", run("gh --version")?.split("\n")[0] ?? "not found");
@@ -125,7 +153,7 @@ ok("fzf", run("fzf --version") ?? "not found");
 ok("jq", run("jq --version") ?? "not found");
 ok("yq", run("yq --version") ?? "not found");
 
-// ─── Database tools ──────────────────────────────────────────────────────────
+// -- Database tools -----------------------------------------------------------
 section("Database tools");
 
 ok("sqlite3", run("sqlite3 --version")?.split(" ").slice(0, 2).join(" ") ?? "not found");
@@ -133,21 +161,21 @@ ok("psql", run("psql --version") ?? "not found");
 ok("mysql", run("mysql --version") ?? "not found");
 ok("redis-cli", run("redis-cli --version") ?? "not found");
 
-// ─── API keys ────────────────────────────────────────────────────────────────
+// -- API keys -----------------------------------------------------------------
 section("API keys");
 
 console.log(`${blue("●")} ${dim("API keys are injected via env_file in totopo.yaml. Set env_file to point to your .env file.")}`);
 
-// ─── Summary ─────────────────────────────────────────────────────────────────
+// -- Summary ------------------------------------------------------------------
 if (errors === 0) {
-    const workspaceSuffix = process.env.TOTOPO_WORKSPACE ? ` — workspace: ${bold(process.env.TOTOPO_WORKSPACE)}` : "";
+    const workspaceSuffix = process.env.TOTOPO_WORKSPACE ? ` - workspace: ${bold(process.env.TOTOPO_WORKSPACE)}` : "";
     console.log(`\n${blue("●")}  ${bold("totopo dev container ready")}${workspaceSuffix}`);
     console.log(
-        `${grey("   To adjust settings, ask any agent about")} ${bold("totopo.yaml")} ${grey("— it lives in the workspace root.")}\n`,
+        `${grey("   To adjust settings, ask any agent about")} ${bold("totopo.yaml")} ${grey("- it lives in the workspace root.")}\n`,
     );
     console.log(`${green("●")} ${bold("Ready.")}`);
     console.log(`${grey("Type 'status' to re-run the readiness check.")}\n`);
 } else {
-    console.log(`\n${red("●")} ${bold(`${errors} error(s) — see above. Rebuild the container to fix.`)}\n`);
+    console.log(`\n${red("●")} ${bold(`${errors} error(s) - see above. Rebuild the container to fix.`)}\n`);
     process.exit(1);
 }