plonecli 7.0.0b2__tar.gz → 7.0.0b4__tar.gz

plonecli-7.0.0b4/.agents/skills/plonecli/SKILL.md

@@ -0,0 +1,74 @@
+---
+name: plonecli
+description: Scaffold and develop Plone packages with plonecli (copier-template based). Use for any plonecli command (create, add, setup, serve, test, debug, update, config) and whenever working on Plone add-on features: creating a backend add-on or Zope project; adding or creating a content type, behavior, view, viewlet, portlet, vocabulary, indexer, subscriber, control panel, form, theme, REST API service, or any other subtemplate; scaffolding an upgrade step / GenericSetup migration after changing profile XML (catalog.xml, types, workflows, registry, rolemap) so it reaches already-installed sites; running/testing/reconfiguring a generated project. Triggers on "plonecli ...", "create a Plone addon", "add/create a content type / behavior / view / viewlet / portlet / vocabulary / indexer / subscriber / control panel / REST API service", "add upgrade_step / upgrade step for the last change", "bump profile version / metadata.xml", "migrate already-installed Plone sites", "plone scaffold", "zope-setup".
+---
+
+# plonecli
+
+`plonecli` scaffolds and develops Plone packages using [copier](https://copier.readthedocs.io/) templates. It creates backend add-ons and Zope project setups, adds features (content types, behaviors, REST API services) via subtemplates, and wraps the project's `invoke` tasks for serving and testing.
+
+## How to invoke it
+
+- **End users:** `uvx plonecli <command>` (no install needed).
+- **Inside this repo (plonecli's own source):** it is not on `PATH` — use `uv run plonecli <command>`.
+
+On first run, plonecli clones the copier-templates to `~/.copier-templates/plone-copier-templates`. If a command complains about missing templates, run `plonecli update` first.
+
+## Command map
+
+| Command | Scope | What it does |
+|---|---|---|
+| `create <template> <name>` | anywhere | Scaffold a new project (`backend_addon`, `addon` = backend_addon+zope-setup, or `zope-setup`). See [reference/create.md](reference/create.md). |
+| `add <subtemplate>` | inside a project | Add a feature. Gated by project type. See [reference/add.md](reference/add.md). |
+| `setup` | inside a `backend_addon` | Apply `zope-setup` in place (run a Plone instance around the addon). |
+| `serve` | inside a project | `uv run invoke start` → http://localhost:8080. **See server rule below.** |
+| `test [-v]` | inside a project | `uv run invoke test`. |
+| `debug` | inside a project | `uv run invoke debug`. |
+| `update` | anywhere | Pull latest copier-templates + check PyPI for plonecli updates. |
+| `config` | anywhere | Interactive global settings → `~/.plonecli/config.toml`. |
+
+`add`, `setup`, `serve`, `test`, `debug` require being inside a plonecli-generated project (detected from `pyproject.toml`); otherwise they fail with `NotInPackageError`. Subtemplates are filtered by the project's type, so `plonecli -l` shows different options depending on where you are.
+
+`serve`, `test`, `debug` additionally need the `invoke` harness (`tasks.py`), which only the **`zope-setup`** layer provides. A project made with `create backend_addon` alone has no `tasks.py` — run `plonecli setup` first (or scaffold with the `addon` composite / `zope-setup`) before these commands work.
+
+## Decision flow
+
+1. **New project?** → `create`. Pure backend add-on: `plonecli create backend_addon my.addon`. Add-on **with** a runnable instance in one step: `plonecli create addon my.addon` (composite = `backend_addon` + `zope-setup`). Zope project: `plonecli create zope-setup my-project`. `addon` is **not** an alias of `backend_addon` — they are different templates. Details and template list: [reference/create.md](reference/create.md).
+2. **Add a feature to an existing addon?** → `cd` into the project, then `plonecli add content_type` / `behavior` / `restapi_service`. Field/wiring specifics: [reference/add.md](reference/add.md).
+3. **Changed GenericSetup profile XML (`profiles/default/*`) that must reach already-installed sites?** → `plonecli add upgrade_step` to scaffold the migration. See the upgrade-step rule below and [reference/add.md](reference/add.md).
+4. **Need a runnable Plone instance around an addon?** → `plonecli setup` (inside the addon).
+5. **Run / test it?** → `plonecli test` to test. For serving, follow the server rule below.
+6. **Change settings of an already-generated project?** → don't recreate it; use reconfigure. See [reference/maintain.md](reference/maintain.md).
+7. **Templates outdated, or want a different template repo/branch?** → `plonecli update`, or env overrides in [reference/maintain.md](reference/maintain.md).
+
+## Critical rules
+
+- **Never start the dev server yourself.** Do not run `plonecli serve` / `plonecli debug` / `invoke start`. Assume the instance is already running; if it is not, ask the user to start it. (`plonecli test` is fine to run.)
+- **Use native `uv`.** Run things as `uv run <command>`; never `uv pip` or `pip` unless explicitly told.
+- **Tests must pass — never skip them.** After scaffolding or adding a feature, run `plonecli test` and report real results.
+- **Profile XML changes need an upgrade step — scaffold it automatically.** Whenever you edit GenericSetup profile XML under `profiles/default/` (e.g. `catalog.xml`, `types/*.xml`, `types.xml`, `workflows.xml`, `registry.xml`, `rolemap.xml`) in a way that must propagate to already-installed sites, run `plonecli add upgrade_step` as part of the same change — don't leave it to the user to remember. It bumps `profiles/default/metadata.xml` and registers a GS upgrade handler; then fill that handler so existing sites actually get the change (reapply the relevant import step or migrate data). Never hand-edit `metadata.xml`'s version to "do an upgrade" — that bumps the number without a registered step. Details and what does/doesn't need a step: [reference/add.md](reference/add.md).
+- **Don't recreate to change settings.** Re-running `create` over an existing project is wrong; use the reconfigure flow ([reference/maintain.md](reference/maintain.md)).
+- After `create`/`add`/reconfigure, generated files change — review `git status`/diff and preserve intentional local edits.
+
+## Quick start
+
+```shell
+# new backend add-on (package only — no runnable instance yet)
+plonecli create backend_addon collective.todo
+cd collective.todo
+
+# add features
+plonecli add content_type
+plonecli add behavior
+plonecli add restapi_service
+
+# wrap it in a runnable Plone instance (adds the zope-setup / invoke harness)
+plonecli setup
+
+# verify (needs the zope-setup layer added above)
+plonecli test
+```
+
+Shortcut: `plonecli create addon collective.todo` scaffolds `backend_addon` **and** `zope-setup` in one step — use it instead of `create backend_addon` + `setup`. Do not run both; that applies zope-setup twice.
+
+For anything beyond this happy path, read the matching file in `reference/`.

plonecli-7.0.0b4/.agents/skills/plonecli/reference/add.md

@@ -0,0 +1,83 @@
+# Adding features — `plonecli add <subtemplate>`
+
+Run from **inside** a plonecli-generated project. If you are not in one, the command fails with `NotInPackageError` — `cd` into the project root first.
+
+```shell
+cd collective.todo
+plonecli add content_type
+plonecli add behavior
+plonecli add restapi_service
+```
+
+## Subtemplates are gated by project type
+
+plonecli detects the project type from `pyproject.toml` (e.g. `backend_addon`, `project`). Only subtemplates whose `parent` matches that type are offered. So:
+
+- Inside a **`backend_addon`**: `content_type`, `behavior`, `restapi_service`, `upgrade_step`, and more (`indexer`, `subscriber`, `vocabulary`, `view`, `viewlet`, `portlet`, `controlpanel`, `form`, `theme*`, `site_initialization`, …).
+- Inside a **`zope-setup`** project: `zope_instance`.
+
+Always confirm what is actually available here with `plonecli -l` (run inside the project) — it lists only the applicable subtemplates and reflects the configured template repo/branch.
+
+## The three common backend_addon subtemplates
+
+| Subtemplate | Adds | Typical follow-up |
+|---|---|---|
+| `content_type` | A Dexterity content type (schema, FTI, registration). | Restart/reinstall the addon so the new type is registered; add tests for the type. |
+| `behavior` | A behavior (reusable schema/marker applied to content types). | Wire the behavior onto a content type; add tests. |
+| `restapi_service` | A `plone.restapi` service (endpoint, adapter, registration). | Add tests exercising the endpoint. |
+
+copier will prompt interactively for the specifics (names, fields, options) — answer per the user's requirements. Do not invent answers; if the user hasn't specified e.g. field names, ask.
+
+## After adding
+
+1. Review `git status`/diff — `add` writes new files and may touch existing ones (e.g. `configure.zcml`, `profiles`). Preserve intentional local edits.
+2. Run `plonecli test` and report real results. Never skip tests.
+3. If a running instance is needed to see the change, ask the user to (re)start it — do not start the server yourself.
+
+## upgrade_step — required after profile XML changes
+
+When you change GenericSetup profile XML under `profiles/default/` in a way that must reach **already-installed** sites, add an upgrade step in the same change. Reinstalling the profile is not an option on real sites, so the migration has to be an upgrade step.
+
+```shell
+cd collective.todo
+plonecli add upgrade_step
+```
+
+It prompts for (defaults injected from the addon):
+
+| Question | Default | Meaning |
+|---|---|---|
+| `upgrade_step_title` | (required) | Human-readable title, e.g. "Add catalog index". |
+| `upgrade_step_description` | "A custom upgrade step" | What the step does. |
+| `source_version` | current `metadata.xml` version | Version being upgraded **from**. |
+| `destination_version` | `source + 1` | Version being upgraded **to**. |
+
+What it does (so you don't do it by hand):
+
+- Bumps `profiles/default/metadata.xml` to `destination_version`.
+- Creates `src/<package>/upgrades/` with a handler stub + ZCML registration, and includes `.upgrades` from `configure.zcml`.
+- Registers the step in `pyproject.toml` addon settings.
+
+After scaffolding, **fill the generated handler** so existing sites actually get the change — bumping the version alone does nothing. Typically the handler reapplies the relevant GenericSetup import step (e.g. reimport `catalog`, `typeinfo`, `workflow`, `plone.app.registry`) and/or migrates existing data, then add a test under `tests/test_upgrade_<destination_version>.py`.
+
+### Which profile changes need an upgrade step
+
+Need one (change must propagate to live sites):
+
+- `catalog.xml` — new/changed indexes or metadata columns (add index + reindex).
+- `types/*.xml`, `types.xml` — FTI changes, new content types, behaviors added to a type.
+- `workflows.xml`, `workflows/*.xml` — workflow definition or state changes.
+- `registry.xml` — new/changed `plone.registry` records.
+- `rolemap.xml` — new roles or permission mappings.
+
+Usually don't:
+
+- Brand-new addon whose profile has never been installed anywhere (initial install covers it).
+- Changes that only affect fresh installs and have no existing-site impact.
+- `metadata.xml` itself — that's the version marker the upgrade step bumps, not a thing you migrate.
+
+If unsure whether a given profile edit needs migrating to existing sites, add the upgrade step — it's cheap and safe; a missing one silently leaves installed sites stale.
+
+## zope_instance
+
+Inside a `zope-setup` project, `plonecli add zope_instance` adds an additional named Zope instance. Each instance has its own `.copier-answers.zope-instance-<name>.yml` and can later be reconfigured by name ([maintain.md](maintain.md)).

plonecli-7.0.0b4/.agents/skills/plonecli/reference/create.md

@@ -0,0 +1,46 @@
+# Creating projects — `plonecli create <template> <name>`
+
+```shell
+plonecli create backend_addon collective.todo   # backend add-on package only
+plonecli create addon collective.todo            # backend add-on + zope-setup (composite)
+plonecli create zope-setup my-project            # Zope project setup
+```
+
+## Project templates
+
+Discover them live with `plonecli -l` (this is authoritative — the registry scans `copier.yml` files in the templates clone, so available templates depend on the configured template repo/branch).
+
+| Template | Alias | Purpose |
+|---|---|---|
+| `backend_addon` | — | A Plone backend add-on package (the thing you develop). No alias. |
+| `addon` | `add-on` | **Composite** — applies `backend_addon` then `zope-setup` in one go. |
+| `zope-setup` | `project` | A Zope/Plone project setup that can run an instance. |
+
+`create` accepts either a template name or an alias (e.g. `add-on` → `addon`, `project` → `zope-setup`). Note `addon` and `backend_addon` are **different** templates: `addon` is the composite that also lays down the runnable zope-setup layer, while `backend_addon` is just the add-on package.
+
+## Composite templates
+
+A template may define **composite steps** — `create` then applies several sub-templates in sequence, echoing each step. `addon` is exactly this: it walks `backend_addon` then `zope-setup`. You do not need to do anything special; just run `create` once and let it walk the steps. Because `addon` already includes `zope-setup`, do **not** also run `plonecli setup` afterward — that would apply zope-setup twice.
+
+## Naming
+
+- Backend add-on names use dotted package notation: `collective.todo`, `my.addon`. This becomes the Python package and the project directory.
+- Zope-setup names are plain project directory names: `my-project`.
+
+## What gets generated
+
+A scaffolded project includes `pyproject.toml` (plonecli detects the project type from this) and a `.copier-answers*.yml` recording the answers — used later by reconfigure. Do not hand-edit the answers files; change settings via reconfigure ([maintain.md](maintain.md)).
+
+The `tasks.py` for `invoke` (which drives `serve`/`test`/`debug`/`reconfigure`) is provided by the **`zope-setup`** layer — not by a bare `backend_addon`. So a project made with `create backend_addon` alone has no `tasks.py`, and `plonecli test`/`serve`/`debug` won't work in it until you add zope-setup via `plonecli setup`. Projects made with `create addon` (composite) or `create zope-setup` already include `tasks.py`.
+
+## After creating
+
+1. `cd` into the new project directory.
+2. Add features with `plonecli add ...` ([add.md](add.md)).
+3. Run `plonecli test` and report results — do not skip tests.
+4. Review `git status` to see everything that was generated.
+5. Do **not** auto-start the server; if a running instance is needed, ask the user.
+
+## Adding a Zope instance to an existing addon
+
+If you already have a `backend_addon` and need a runnable Plone instance around it, do **not** create a separate project — run `plonecli setup` inside the addon. It applies `zope-setup` in place. `setup` only works inside a `backend_addon`; elsewhere it errors.

plonecli-7.0.0b4/.agents/skills/plonecli/reference/maintain.md

@@ -0,0 +1,67 @@
+# Running, testing, reconfiguring, updating
+
+## Running & testing
+
+These wrap the project's `invoke` tasks and must run inside the project:
+
+| Command | Delegates to | Notes |
+|---|---|---|
+| `plonecli serve` | `uv run invoke start` | Serves at http://localhost:8080. **Do not run this yourself** — assume the instance is already running; if not, ask the user to start it. |
+| `plonecli debug` | `uv run invoke debug` | Debug instance. **Do not run this yourself** either. |
+| `plonecli test` | `uv run invoke test` | Safe to run. `-v`/`--verbose` for verbose output. Run after scaffolding/adding features; report real results; never skip. |
+
+You may also call the underlying tasks directly with `uv run invoke <task>` if `plonecli` itself is unavailable.
+
+## Reconfiguring an existing project
+
+To change settings of an already-generated project, **do not re-run `create`** — re-run the template's questions via the `reconfigure` invoke task (wraps `copier recopy --trust --overwrite` against the right answers file):
+
+```shell
+uv run invoke reconfigure --target=addon                     # backend addon package metadata
+uv run invoke reconfigure --target=zope-setup                # project-level Plone/Zope settings
+uv run invoke reconfigure --target=instance                  # a Zope instance (port, DB, creds)
+uv run invoke reconfigure --target=instance --name=instance2 # a specific named instance
+```
+
+| Target | Reconfigures | Answers file |
+|---|---|---|
+| `addon` | Backend addon package settings | `.copier-answers.yml` |
+| `zope-setup` | Project-level Plone/Zope settings | `.copier-answers.zope-setup.yml` |
+| `instance` | Zope instance (port, DB, credentials) | `.copier-answers.zope-instance-<name>.yml` |
+
+Reconfigure **overwrites** generated config files with the new answers. Afterwards, review `git status`/diff and preserve any local edits worth keeping.
+
+## Updating templates & plonecli
+
+```shell
+plonecli update
+```
+
+Pulls the latest copier-templates clone and checks PyPI for a newer plonecli. Run this if `create`/`add` reports missing or stale templates. The clone lives at `~/.copier-templates/plone-copier-templates`.
+
+## Pointing at a different template repo/branch
+
+Environment variables override `~/.plonecli/config.toml` and take precedence:
+
+- `PLONECLI_TEMPLATES_REPO_URL` — template repository URL.
+- `PLONECLI_TEMPLATES_BRANCH` — branch to track (default `main`).
+- `PLONECLI_TEMPLATES_DIR` — local directory for the clone.
+
+```shell
+export PLONECLI_TEMPLATES_REPO_URL=https://github.com/myorg/my-templates
+export PLONECLI_TEMPLATES_BRANCH=develop
+plonecli create addon my.addon
+```
+
+Useful for testing custom template forks, CI with pre-cloned templates, or org-maintained template sets.
+
+## Global config
+
+`plonecli config` interactively sets author name/email, GitHub user, default Plone version, and templates repo/branch, saved to `~/.plonecli/config.toml`. On first run it offers to import legacy `~/.mrbob` settings.
+
+## Troubleshooting
+
+- **`NotInPackageError`** — you ran an in-project command (`add`/`setup`/`serve`/`test`/`debug`) outside a project. `cd` into the project root.
+- **Template not found / empty `plonecli -l`** — templates clone missing or stale: run `plonecli update`. If `update` itself fails (e.g. `~/.plonecli` is read-only, or `[templates] local_path` in `config.toml` points at a non-existent path such as another user's home) but a templates clone already exists elsewhere, bypass the config by pointing `PLONECLI_TEMPLATES_DIR` at the existing clone, e.g. `export PLONECLI_TEMPLATES_DIR=~/.copier-templates/plone-copier-templates`.
+- **Subtemplate not listed** — it does not match the current project type; run `plonecli -l` inside the correct project type.
+- **`setup` rejected** — `setup` only runs inside a `backend_addon`.

plonecli-7.0.0b4/.copier-answers.yml

@@ -0,0 +1,12 @@
+# Changes here will be overwritten by Copier; NEVER EDIT MANUALLY
+_commit: 978185b
+_src_path: /home/maik/develop/src/copier-claude-code-devcontainer/
+enable_docker_in_docker: true
+enable_plone: true
+enable_pnpm: false
+enable_python_uv: true
+enable_terminal_recording: true
+extra_mounts:
+- source=${localEnv:HOME}/develop/plone/src/copier-templates,target=/home/node/develop/plone/src/copier-templates,type=bind,consistency=delegated
+node_version: '20'
+

{plonecli-7.0.0b2 → plonecli-7.0.0b4}/.devcontainer/Dockerfile

@@ -26,6 +26,8 @@ RUN apt-get update && apt-get install -y --no-install-recommends \
   chromium \
   python3 \
   python3-venv \
+  asciinema \
+  ffmpeg \
   && apt-get clean && rm -rf /var/lib/apt/lists/*
 
 # Ensure default node user has access to /usr/local/share
@@ -55,6 +57,26 @@ RUN ARCH=$(dpkg --print-architecture) && \
   sudo dpkg -i "git-delta_${GIT_DELTA_VERSION}_${ARCH}.deb" && \
   rm "git-delta_${GIT_DELTA_VERSION}_${ARCH}.deb"
 
+# Terminal recording tools: vhs (scripted demos), agg (cast -> GIF), ttyd (vhs dep)
+ARG VHS_VERSION=0.8.0
+ARG AGG_VERSION=1.5.0
+ARG TTYD_VERSION=1.7.7
+RUN ARCH=$(dpkg --print-architecture) && \
+  case "$ARCH" in \
+    amd64) RUST_ARCH=x86_64-unknown-linux-gnu; TTYD_ARCH=x86_64 ;; \
+    arm64) RUST_ARCH=aarch64-unknown-linux-gnu; TTYD_ARCH=aarch64 ;; \
+    *) echo "Unsupported arch: $ARCH" && exit 1 ;; \
+  esac && \
+  wget "https://github.com/charmbracelet/vhs/releases/download/v${VHS_VERSION}/vhs_${VHS_VERSION}_${ARCH}.deb" && \
+  sudo dpkg -i "vhs_${VHS_VERSION}_${ARCH}.deb" && \
+  rm "vhs_${VHS_VERSION}_${ARCH}.deb" && \
+  wget -O /tmp/agg "https://github.com/asciinema/agg/releases/download/v${AGG_VERSION}/agg-${RUST_ARCH}" && \
+  sudo install -m 0755 /tmp/agg /usr/local/bin/agg && \
+  rm /tmp/agg && \
+  wget -O /tmp/ttyd "https://github.com/tsl0922/ttyd/releases/download/${TTYD_VERSION}/ttyd.${TTYD_ARCH}" && \
+  sudo install -m 0755 /tmp/ttyd /usr/local/bin/ttyd && \
+  rm /tmp/ttyd
+
 # Set up non-root user
 USER node
 
@@ -74,6 +96,8 @@ ARG ZSH_IN_DOCKER_VERSION=1.2.0
 RUN sh -c "$(wget -O- https://github.com/deluan/zsh-in-docker/releases/download/v${ZSH_IN_DOCKER_VERSION}/zsh-in-docker.sh)" -- \
   -p git \
   -p fzf \
+  -p docker \
+  -p docker-compose \
   -a "source /usr/share/doc/fzf/examples/key-bindings.zsh" \
   -a "source /usr/share/doc/fzf/examples/completion.zsh" \
   -a "export PROMPT_COMMAND='history -a' && export HISTFILE=/commandhistory/.bash_history" \
@@ -95,8 +119,3 @@ USER node
 
 # Install UV package manager
 RUN curl -LsSf https://astral.sh/uv/install.sh | sh
-
-# Install Claude Code (native) and OpenCode into ~/.local/bin (persisted in image)
-RUN mkdir -p "$HOME/.local/bin" && \
-  curl -fsSL https://claude.ai/install.sh | bash && \
-  curl -fsSL https://opencode.ai/install | bash

{plonecli-7.0.0b2 → plonecli-7.0.0b4}/.devcontainer/devcontainer.json

@@ -9,6 +9,11 @@
 		}
 	},
 
+	"features": {
+		"ghcr.io/devcontainers/features/docker-in-docker:2": {}
+	},
+
+	"initializeCommand": "mkdir -p \"$HOME/.claude\" \"$HOME/.copier-templates\" \"$HOME/.plonecli\"",
 	"runArgs": ["--cap-add=NET_ADMIN", "--cap-add=NET_RAW"],
 	"customizations": {
 		"vscode": {
@@ -42,8 +47,10 @@
 	"mounts": [
 		"source=claude-code-bashhistory-${devcontainerId},target=/commandhistory,type=volume",
 		"source=claude-code-config-${devcontainerId},target=/home/node/.claude,type=volume",
-		"source=${localEnv:HOME}/develop/plone/src/copier-templates,target=/home/node/develop/plone/src/copier-templates,type=bind,consistency=delegated",
-		"source=${localEnv:HOME}/.copier-templates/plone-copier-templates,target=/home/node/.copier-templates/plone-copier-templates,type=bind,readonly"
+		"source=${localEnv:HOME}/.claude,target=/host-claude-config,type=bind,readonly",
+		"source=${localEnv:HOME}/.copier-templates,target=/home/node/.copier-templates,type=bind,readonly",
+		"source=${localEnv:HOME}/.plonecli,target=/home/node/.plonecli,type=bind,readonly",
+		"source=${localEnv:HOME}/develop/plone/src/copier-templates,target=/home/node/develop/plone/src/copier-templates,type=bind,consistency=delegated"
 	],
 	"containerEnv": {
 		"CLAUDE_CONFIG_DIR": "/home/node/.claude",

{plonecli-7.0.0b2 → plonecli-7.0.0b4}/.devcontainer/init-firewall.sh

@@ -1,8 +1,22 @@
 #!/bin/bash
 set -euo pipefail  # Exit on error, undefined vars, and pipeline failures
 IFS=$'\n\t'       # Stricter word splitting
-# Extract Docker DNS info BEFORE any flushing
-DOCKER_DNS_RULES=$(iptables-save -t nat | grep "127\.0\.0\.11" || true)
+
+# Wait for Docker daemon to be ready (docker-in-docker feature starts it async)
+echo "Waiting for Docker daemon to be ready..."
+for i in $(seq 1 30); do
+    if docker info &>/dev/null; then
+        echo "Docker daemon is ready"
+        break
+    fi
+    if [ "$i" -eq 30 ]; then
+        echo "WARNING: Docker daemon not ready after 30s, proceeding anyway"
+    fi
+    sleep 1
+done
+
+# Save entire nat table BEFORE flushing (Docker needs it for DinD networking)
+SAVED_NAT=$(iptables-save -t nat)
 
 # Flush existing rules and delete existing ipsets
 iptables -F
@@ -13,21 +27,21 @@ iptables -t mangle -F
 iptables -t mangle -X
 ipset destroy allowed-domains 2>/dev/null || true
 
-# Selectively restore ONLY internal Docker DNS resolution
-if [ -n "$DOCKER_DNS_RULES" ]; then
-    echo "Restoring Docker DNS rules..."
-    iptables -t nat -N DOCKER_OUTPUT 2>/dev/null || true
-    iptables -t nat -N DOCKER_POSTROUTING 2>/dev/null || true
-    echo "$DOCKER_DNS_RULES" | xargs -L 1 iptables -t nat
+# Restore full nat table (DNS + MASQUERADE + DOCKER chains for DinD)
+if [ -n "$SAVED_NAT" ]; then
+    echo "Restoring Docker nat rules (DNS, MASQUERADE, DOCKER chains)..."
+    echo "$SAVED_NAT" | iptables-restore --noflush
 else
-    echo "No Docker DNS rules to restore"
+    echo "No Docker nat rules to restore"
 fi
 
 # First allow DNS and localhost before any restrictions
 # Allow outbound DNS
 iptables -A OUTPUT -p udp --dport 53 -j ACCEPT
+iptables -A OUTPUT -p tcp --dport 53 -j ACCEPT
 # Allow inbound DNS responses
 iptables -A INPUT -p udp --sport 53 -j ACCEPT
+iptables -A INPUT -p tcp --sport 53 -j ACCEPT
 # Allow outbound SSH
 iptables -A OUTPUT -p tcp --dport 22 -j ACCEPT
 # Allow inbound SSH responses
@@ -36,6 +50,10 @@ iptables -A INPUT -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT
 iptables -A INPUT -i lo -j ACCEPT
 iptables -A OUTPUT -o lo -j ACCEPT
 
+# Allow Docker bridge networks (DinD container communication)
+iptables -A INPUT -s 172.16.0.0/12 -j ACCEPT
+iptables -A OUTPUT -d 172.16.0.0/12 -j ACCEPT
+
 # Create ipset with CIDR support
 ipset create allowed-domains hash:net
 
@@ -68,12 +86,10 @@ for domain in \
     "api.anthropic.com" \
     "claude.ai" \
     "sentry.io" \
-    "statsig.anthropic.com" \
     "statsig.com" \
     "marketplace.visualstudio.com" \
     "vscode.blob.core.windows.net" \
-    "update.code.visualstudio.com" \
-    "opencode.ai"; do
+    "update.code.visualstudio.com"; do
     echo "Resolving $domain..."
     ips=$(dig +noall +answer A "$domain" | awk '$4 == "A" {print $5}')
     if [ -z "$ips" ]; then
@@ -94,7 +110,26 @@ done
 # PyPI (for UV package installation)
 for domain in \
     "pypi.org" \
-    "files.pythonhosted.org" \
+    "files.pythonhosted.org"; do
+    echo "Resolving $domain..."
+    ips=$(dig +noall +answer A "$domain" | awk '$4 == "A" {print $5}')
+    if [ -z "$ips" ]; then
+        echo "ERROR: Failed to resolve $domain"
+        exit 1
+    fi
+
+    while read -r ip; do
+        if [[ ! "$ip" =~ ^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$ ]]; then
+            echo "ERROR: Invalid IP from DNS for $domain: $ip"
+            exit 1
+        fi
+        echo "Adding $ip for $domain"
+        ipset add allowed-domains "$ip" 2>/dev/null || true
+    done < <(echo "$ips")
+done
+
+# Plone (for version constraints)
+for domain in \
     "dist.plone.org"; do
     echo "Resolving $domain..."
     ips=$(dig +noall +answer A "$domain" | awk '$4 == "A" {print $5}')
@@ -113,6 +148,49 @@ for domain in \
     done < <(echo "$ips")
 done
 
+# Docker Hub (for DinD image pulls - CDN with rotating IPs, need /16)
+for domain in \
+    "registry-1.docker.io" \
+    "auth.docker.io" \
+    "production.cloudflare.docker.com"; do
+    echo "Resolving $domain..."
+    ips=$(dig +noall +answer A "$domain" | awk '$4 == "A" {print $5}')
+    if [ -z "$ips" ]; then
+        echo "WARNING: Failed to resolve $domain, skipping"
+        continue
+    fi
+    while read -r ip; do
+        if [[ ! "$ip" =~ ^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$ ]]; then
+            echo "WARNING: Invalid IP from DNS for $domain: $ip, skipping"
+            continue
+        fi
+        cidr=$(echo "$ip" | sed 's/\.[0-9]*\.[0-9]*$/.0.0\/16/')
+        echo "Adding $cidr for $domain (CDN /16)"
+        ipset add allowed-domains "$cidr" 2>/dev/null || true
+    done < <(echo "$ips")
+done
+
+# GHCR (for container images)
+for domain in \
+    "ghcr.io" \
+    "pkg-containers.githubusercontent.com"; do
+    echo "Resolving $domain..."
+    ips=$(dig +noall +answer A "$domain" | awk '$4 == "A" {print $5}')
+    if [ -z "$ips" ]; then
+        echo "WARNING: Failed to resolve $domain, skipping"
+        continue
+    fi
+    while read -r ip; do
+        if [[ ! "$ip" =~ ^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$ ]]; then
+            echo "WARNING: Invalid IP from DNS for $domain: $ip, skipping"
+            continue
+        fi
+        cidr=$(echo "$ip" | sed 's/\.[0-9]*\.[0-9]*$/.0.0\/16/')
+        echo "Adding $cidr for $domain (CDN /16)"
+        ipset add allowed-domains "$cidr" 2>/dev/null || true
+    done < <(echo "$ips")
+done
+
 # Get host IP from default route
 HOST_IP=$(ip route | grep default | cut -d" " -f3)
 if [ -z "$HOST_IP" ]; then
@@ -129,7 +207,7 @@ iptables -A OUTPUT -d "$HOST_NETWORK" -j ACCEPT
 
 # Set default policies to DROP first
 iptables -P INPUT DROP
-iptables -P FORWARD DROP
+iptables -P FORWARD ACCEPT
 iptables -P OUTPUT DROP
 
 # First allow established connections for already approved traffic