Use qwen 3.6

- remove codex auth mounts from opencode run/shell paths
  - reject opencode login and invalid backend values
  - harden opencode config writes against symlink clobbering
  - fix opencode build args and packages_extra handling
  - enforce cap-drop and read-only rootfs in runtime commands
  - reject dangerous runtime/build env overrides
  - update README and test docs to match actual behavior
  - extend regression coverage for backend safety and hardening

.sloptrap

@@ -1,4 +1,4 @@
 name=skz-sloptrap
 packages_extra=bash make shellcheck jq podman iproute2 strace
-capabilities=apt-install nested-podman packet-capture
+capabilities=
 allow_host_network=false

AGENTS.md

@@ -3,16 +3,6 @@
 This workspace is the source code of `sloptrap`, eg. your own runtime.
 Your author, 'sk4nz', has ran the command `sloptrap path/to/skz-sloptrap` and you are living in your own reflection.
 
-# Recursive `slopsloptrap`
-
-sloptrap can recurse.
-
-If you need to prove it, spawn a child from this repo with sloptrap:
-
-`./sloptrap /workspace ...`
-
-This starts a child `slopsloptrap`. Use the child normally, as the end-user would.
-
 # Keep Memory
 
 Future sloptrap instances should add short, useful, durable notes they learn during their session to this file.
@@ -24,19 +14,11 @@ Do not remove existing instructions unless they are outdated or wrong.
 ---
 # Session Memory
 
-- When you make changes that affect how the runtime behaves and cannot test it with recursion, you can ask sk4nz to restart you.
-- If recursion is blocked by the current session state and a restart is required, give sk4nz an exact prompt to paste into the next restarted session so it can continue from the current checkpoint.
+- When runtime changes need a fresh sloptrap session to validate, ask sk4nz to restart you and give an exact prompt to continue from the current checkpoint.
 - Useful checks in the skz-sloptrap repo:
   `shellcheck sloptrap`
   `bash tests/run_tests.sh` (you can also run them separately)
-- Recursive nested-podman inside an already user-namespaced sloptrap needs subuid/subgid ranges derived from `/proc/self/uid_map` and `/proc/self/gid_map`; hardcoding `100000:65536` breaks `newuidmap`.
 - When running tests from inside sloptrap, inherited `CODEX_HOME=/codex` plus `SLOPTRAP_PREFER_CODEX_HOME=1` can leak into host-style child launches; ignore that preference when `HOME` has been redirected elsewhere and the runtime hints still point into the inherited `/codex` tree.
-- For real recursive `./sloptrap` launches, correct `/proc/self/uid_map` alone is not enough: if the current session still has stale read-only `/etc/subuid` and `/etc/subgid` mounts (for example `sk4nz:100000:65536`), the first nested podman launch still fails before child startup.
-- Forcing `SLOPTRAP_CONTAINER_ENGINE=sloppodman` inside sloptrap also needs `TMPDIR` under `/workspace`; otherwise its build-context path guard rejects the staged Dockerfile under `/tmp` before you reach the real subuid/subgid problem.
-- If a restarted session still inherits stale read-only `/etc/subuid` and `/etc/subgid` tmpfs mounts, an unprivileged agent cannot repair them in-place (`umount` says `must be superuser to unmount`); both podman and sloppodman stay blocked until the session starts without those mounts.
-- Outer sloptrap launches no longer need `/etc/subuid` or `/etc/subgid` bind mounts: `nested-podman` now disables read-only rootfs and the container entrypoint synthesizes container-local subid files from `/proc/self/{uid,gid}_map` before dropping privileges.
-- Even without stale `/etc/subuid` mounts, recursion still fails if the container-local subid files name `sloptrap` instead of the real dropped user (`sk4nz` here): `podman info --debug` warns `no subuid ranges found for user "sk4nz"` and the first inner build dies in `newuidmap ... write to uid_map failed: Operation not permitted`.
-- In this Debian 13 / podman 5.4.2 environment, exporting `_CONTAINERS_USERNS_CONFIGURED=done` for nested podman moves the failure past `newuidmap`, but the next blockers are inside Buildah: with `BUILDAH_ISOLATION=chroot`, recursive builds fail `cannot set --network other than host with --isolation chroot`; without chroot, `podman build` can segfault in `network.defaultNetworkBackend`.
-- Recursive preload now has a host-side path: the outer launcher saves `$SLOPTRAP_IMAGE_NAME` into capability state and mounts it into the container as `SLOPTRAP_RECURSIVE_PARENT_IMAGE_ARCHIVE=/codex/capabilities/podman/preload/<image>.tar`, and child `build-if-missing` tries `sloppodman load -i` before any inner build. A pre-existing session must be restarted to test that path because it cannot add the new preload mount/env to itself after startup.
-- With stale subid mounts gone, recursive `./sloptrap /workspace` can still fail earlier during the inner image build: `crun` tries to open `/proc/sys/net/ipv4/ping_group_range` and gets `Read-only file system` while creating the build container.
-- In a fragile nested-podman session, `podman system migrate` can make things worse: a state that still answered `podman info` fell back to repeated `newuidmap ... write to uid_map failed: Operation not permitted` failures afterward.
+- Capability-enabled runs are Podman-only. `packet-capture` uses a dedicated helper container/pod, and host-network capture must prompt for an explicit acknowledgement on every runtime launch.
+- `agent=opencode` should download the latest Linux CLI release artifact from GitHub into the build context and verify its digest; it should not depend on a host-installed `opencode` binary.
+- For isolated networking, sloptrap exposes the host inside the container as `sloptrap.host`; opencode localhost URLs should be rewritten to that alias, and Podman `slirp4netns` runs need `allow_host_loopback=true` for host-local servers.

README.md

@@ -34,17 +34,17 @@ brew install coreutils gnu-tar jq
    ```
 3. Run `./sloptrap path/to/project`. On the first invocation sloptrap:
    - builds `path/to/project-sloptrap-image` if missing,
-   - verifies the Codex binary hash,
-   - creates `${HOME}/.codex`, prepares a per-project state directory, and runs `login` if `${HOME}/.codex/auth.json` is missing or empty.
+   - verifies the selected backend CLI hash,
+   - creates `${HOME}/.codex`, prepares a per-project state directory, and runs `login` if `${HOME}/.codex/auth.json` is missing or empty for the Codex backend.
 
 > Use `./sloptrap path/to/project shell` to enter a troubleshooting shell inside the container or `./sloptrap path/to/project clean` to remove cached images and state.
 
 ## How It Works
 
-- The project directory mounts at `/workspace`; project-scoped Codex state mounts at `/codex` from `${HOME}/.codex/sloptrap/state/<project-hash>`, and shared auth mounts from `${HOME}/.codex/auth.json` to `/codex/auth.json`.
+- The project directory mounts at `/workspace`; project-scoped state mounts at `/codex` from `${HOME}/.codex/sloptrap/state/<project-hash>`. Codex also mounts shared auth from `${HOME}/.codex/auth.json` to `/codex/auth.json`; opencode does not.
 - `.sloptrapignore` entries (if present in your project) are overlaid by tmpfs (for directories) or empty bind mounts (for files) so Codex cannot read the masked content.
 - sloptrap launches containers on an isolated network (`bridge` on Docker, `slirp4netns` on Podman) with `--cap-drop=ALL`, `--security-opt no-new-privileges`, a read-only root filesystem, and tmpfs-backed `/tmp`, `/run`, and `/run/lock`. Projects that explicitly set `allow_host_network=true` in their manifest opt into `--network host`.
-- The helper Dockerfile is embedded inside `sloptrap`; set `SLOPTRAP_DOCKERFILE_PATH=/path/to/custom/Dockerfile` if you need to supply your own recipe. The default image installs `curl`, `bash`, `ca-certificates`, `libstdc++6`, `git`, `ripgrep`, `xxd`, and `file`, so most debugging helpers are already available without adding `packages_extra`.
+- The helper Dockerfile is embedded inside `sloptrap`. The default image installs `curl`, `bash`, `ca-certificates`, `libstdc++6`, `git`, `ripgrep`, `xxd`, and `file`, so most debugging helpers are already available without adding `packages_extra`.
 - The container user matches the host UID/GID (`--userns=keep-id` on Podman or `--user UID:GID` on Docker).
 - The runtime environment is fixed to HOME/XDG variables pointing at `/codex`; manifest-controlled environment injection is disabled.
 
@@ -53,7 +53,7 @@ brew install coreutils gnu-tar jq
 The manifest is optional. When absent, sloptrap derives:
 - `name = basename(project directory)`
 - `packages_extra = ""` (none)
-- `capabilities = ""` (none)
+- `agent = "codex"` (default AI backend)
 If a build is requested and no `.sloptrap` exists, sloptrap prompts to create one interactively.
 
 Supported keys when the manifest is present:
@@ -62,13 +62,19 @@ Supported keys when the manifest is present:
 | --- | --- | --- |
 | `name` | project directory name | Must match `^[A-Za-z0-9_.-]+$`. Used for image/container naming. |
 | `packages_extra` | *empty* | Additional Debian packages installed during `docker/podman build`. Tokens must be alphanumeric plus `+.-`. |
-| `capabilities` | *empty* | Optional privileged features. Supported values are `apt-install`, `packet-capture`, and `nested-podman`. |
+| `agent` | `codex` | AI backend: `codex` (OpenAI Codex CLI) or `opencode` (Anomaly opencode CLI). |
+| `opencode_server` | `http://localhost:8080` | OpenAI-compatible server URL (opencode only). Supports llama.cpp, Ollama, vLLM, etc. |
+| `opencode_model` | `bartowski/Qwen_Qwen3.5-9B-GGUF:Q8_0` | Model name on the server (opencode only). |
+| `opencode_context` | `256K` | Context window for the opencode model. Accepts an integer optionally suffixed with `K`, `M`, or `G`. |
 | `allow_host_network` | `false` | `true` opts into `--network host`; keep `false` unless the project absolutely requires direct access to host-local services. |
 
 Values containing `$`, `` ` ``, or newlines are rejected to prevent command injection. Setting illegal keys or malformed values aborts the run before containers start.
-sloptrap always runs Codex with `--sandbox danger-full-access --ask-for-approval never`. `codex_args` is deprecated and rejected if present.
 
-Capability trust is local state, not part of the repository. Builds for manifests that request capabilities require either an interactive trust confirmation or `--trust-capabilities`. Once the current manifest is trusted, its requested capabilities are enabled automatically for that project configuration.
+### AI Backends
+
+**Codex** (default): Uses OpenAI Codex CLI with state stored in `~/.codex/`. Supports login mode for credential sharing.
+
+**opencode**: Uses Anomaly opencode CLI with project-scoped state and config stored under sloptrap's per-project state directory. sloptrap downloads the latest Linux CLI release artifact from Anomaly during image builds, verifies its digest from the GitHub release metadata, and copies it into the container image. Connects to any OpenAI-compatible inference server (llama.cpp, Ollama, vLLM, etc.). When `opencode_server` points at `localhost` under isolated networking, sloptrap rewrites it to `http://sloptrap.host:...` so host-local model servers remain reachable from inside the container. No Codex auth file is mounted for opencode sessions.
 
 ### `.sloptrapignore`
 
@@ -80,26 +86,35 @@ Capability trust is local state, not part of the repository. Builds for manifest
 ## CLI Reference
 
 ```
-./sloptrap [--dry-run] [--print-config] [--trust-capabilities] <code-directory> [target ...]
+./sloptrap [--dry-run] [--print-config] <code-directory> [target ...]
 ```
 
 Options:
 
 - `--dry-run` &mdash; print the container/engine commands that would run without executing them.
 - `--print-config` &mdash; output the resolved manifest values, defaults, and ignore list.
-- `--trust-capabilities` &mdash; trust the manifest's requested capabilities for the current build flow.
 - `-h, --help` &mdash; display usage.
 - `--` &mdash; stop option parsing; remaining arguments are treated as targets.
 
+Environment variables override manifest values:
+- `SLOPTRAP_AGENT` &mdash; override `agent` key (codex or opencode)
+- `SLOPTRAP_OPENCODE_SERVER` &mdash; override `opencode_server` key
+- `SLOPTRAP_OPENCODE_MODEL` &mdash; override `opencode_model` key
+- `SLOPTRAP_OPENCODE_CONTEXT` &mdash; override `opencode_context` key
+- `SLOPTRAP_CONTAINER_ENGINE` &mdash; override container engine auto-detection
+
+Security-sensitive runtime overrides such as `SLOPTRAP_SECURITY_OPTS_EXTRA`, `SLOPTRAP_ROOTFS_READONLY`, and `SLOPTRAP_NETWORK_NAME` are rejected.
+Build-path overrides such as `SLOPTRAP_DOCKERFILE_PATH`, `SLOPTRAP_CODEX_URL`, `SLOPTRAP_CODEX_ARCHIVE`, and `SLOPTRAP_CODEX_BIN` are also rejected.
+
 Behaviour:
 
 - Missing manifests are treated as default configuration; when a build is requested, sloptrap runs the interactive wizard if a TTY is available, otherwise it warns and continues with defaults.
 - `SLOPTRAP_CONTAINER_ENGINE` overrides engine auto-detection.
-- If `${HOME}/.codex/auth.json` is absent or empty, sloptrap prepends a login run before executing your targets.
+- If `${HOME}/.codex/auth.json` is absent or empty, sloptrap prepends a login run before executing your targets (Codex only).
 - Fresh interactive `run` sessions receive a launcher-generated startup prompt telling the agent it is inside sloptrap, summarising the resolved manifest/runtime state, and pointing it at `/workspace/.sloptrap` for exact project configuration. `resume` does not inject that prompt again.
 - Exit status mirrors the last target executed; errors in parsing or setup abort early with a message.
 
-`--print-config` fields include `manifest_present=true|false`, requested/enabled capability lists, trust status, resolved paths, and the sanitised ignore mount roots so you can confirm what will be hidden inside the container.
+`--print-config` fields include backend configuration (Codex or opencode), resolved paths, and the sanitised ignore mount roots so you can confirm what will be hidden inside the container.
 
 ### Regression Suite
 
@@ -112,12 +127,12 @@ Targets are supplied after the code directory. When omitted, sloptrap defaults t
 
 | Target | Description |
 | --- | --- |
-| `build` | Download Codex (if missing), verify SHA-256, and build the container image. |
+| `build` | Download the selected backend CLI (if missing), verify SHA-256, and build the container image. |
 | `build-if-missing` | No-op when the image already exists; otherwise delegates to `build`. |
 | `rebuild` | Rebuild the image from scratch (`--no-cache`). |
-| `run` | Default goal. Runs the container with Codex using sloptrap's built-in runtime flags. |
-| `resume <session-id>` | Continues a Codex session by running `codex resume <session-id>` inside the container (builds if needed). |
-| `login` | Starts Codex in login mode to bootstrap shared `${HOME}/.codex/auth.json` credentials. |
+| `run` | Default goal. Runs the container with the selected backend. Codex uses sloptrap's built-in runtime flags; opencode relies on its generated config. |
+| `resume <session-id>` | Continues a backend session inside the container (Codex uses `codex resume`; opencode uses its session flag). |
+| `login` | Starts Codex in login mode to bootstrap shared `${HOME}/.codex/auth.json` credentials. Not supported for opencode. |
 | `shell` | Launches `/bin/bash` inside the container for debugging. |
 | `wizard` | Creates or updates `.sloptrap` interactively (no build); rerun `build` or `rebuild` afterward. |
 | `stop` | Best-effort stop of the running container (if any). |
@@ -125,33 +140,28 @@ Targets are supplied after the code directory. When omitted, sloptrap defaults t
 
 The launcher executes targets sequentially, so `./sloptrap repo build run` performs an explicit rebuild before invoking Codex. Extra targets may be added in the future; unknown names fail fast.
 
-### Capability Helpers
-
-When the current manifest's capabilities are trusted and enabled, the container includes helper commands:
-
-- `slop-apt install <package...>` for session-scoped package installation.
-- `slopcap capture --interface <iface> [--filter <expr>] [--output <path>] [--stdout]` for packet capture.
-- `sloppodman <pull|build|tag|run|ps|logs|stop|rm|inspect> ...` for nested Podman workflows. `build` contexts and Dockerfiles must remain inside `/workspace`, and pushes are not supported.
-- When `nested-podman` is enabled, sloptrap makes the container root filesystem writable long enough to synthesize container-local `/etc/subuid` and `/etc/subgid` files from the live namespace maps, so rootless nested Podman does not depend on host subid files.
-
 ## Execution Environment
 
-- Container engine: Podman or Docker with identical command lines. Podman uses `--userns=keep-id`; Docker receives the equivalent `--user UID:GID` for standard runs.
-- Filesystem view: the project directory mounts at `/workspace`; `${HOME}/.codex/sloptrap/state/<project-hash>` mounts at `/codex`; `${HOME}/.codex/auth.json` mounts at `/codex/auth.json`.
-- Ignore filter: `.sloptrapignore` entries are overlaid with tmpfs directories or empty bind mounts so data remains unavailable to Codex.
-- Network: isolated networking is used by default; `allow_host_network=true` opts into `--network host`.
-- Process context: standard runs drop capabilities, set `no-new-privileges`, use a read-only root filesystem, and keep scratch paths (`/tmp`, `/run`, `/run/lock`) on tmpfs. Capability-enabled runs may selectively add the runtime options required for the requested capability.
-- Codex configuration: runtime flags are fixed to `--sandbox danger-full-access --ask-for-approval never`. Persistent Codex state is project-scoped under `${HOME}/.codex/sloptrap/state/`, while credentials are shared via `${HOME}/.codex/auth.json`.
+- Container engine: Podman or Docker for standard runs. Podman uses `--userns=keep-id`; Docker receives the equivalent `--user UID:GID` for standard runs.
+- Filesystem view:
+  - **Codex**: project directory at `/workspace`; `${HOME}/.codex/sloptrap/state/<project-hash>` at `/codex`; auth at `/codex/auth.json`.
+  - **opencode**: project directory at `/workspace`; `${HOME}/.codex/sloptrap/state/<project-hash>` at `/codex`; generated config at `/codex/config/opencode/opencode.json`; runtime state at `/codex/state/opencode`; no shared auth mount.
+- Ignore filter: `.sloptrapignore` entries are overlaid with tmpfs directories or empty bind mounts so data remains unavailable to the agent.
+- Network: isolated networking is used by default; `allow_host_network=true` opts into `--network host`. For isolated runs, sloptrap injects `sloptrap.host` as a container-side hostname for the host gateway. On Podman `slirp4netns`, opencode runs also enable host loopback access so host-local servers bound to `localhost` remain reachable.
+- Process context: standard runs drop capabilities, set `no-new-privileges`, use a read-only root filesystem, and keep scratch paths (`/tmp`, `/run`, `/run/lock`) on tmpfs.
+- Agent configuration:
+  - **Codex**: runtime flags fixed to `--sandbox danger-full-access --ask-for-approval never`. Supports login mode for credential sharing.
+  - **opencode**: connects to OpenAI-compatible server via `--server` and `--model` flags. No authentication required for self-hosted models.
 
 ## Threat Model and Limits
 
 - **Outbound disclosure**: prompts and referenced data travel from the container to the configured LLM endpoint. Any file content within `/workspace` or environment data exposed to the process can appear in that traffic.
-- **Shared storage**: `/workspace`, project-scoped `/codex`, and `/codex/auth.json` are host mounts. Files written to these locations become visible on the host and to the LLM provider through prompts.
+- **Shared storage**: `/workspace` and project-scoped `/codex` are host mounts. For Codex, `/codex/auth.json` is also mounted from the host; opencode sessions do not receive that shared credential file. Files written to mounted locations become visible on the host and may be surfaced to the configured provider through prompts.
 - **Environment surface**: the container receives a minimal fixed environment (HOME/XDG paths, `CODEX_HOME`). The manifest no longer allows injecting additional environment variables.
-- **Process isolation**: standard runs keep a read-only root filesystem and no extra Linux capabilities. Capability-enabled runs deliberately relax specific runtime controls for the enabled feature, so they should be treated as a stronger trust decision than a default session.
-- **Networking stance**: traffic is unrestricted once it leaves the container. sloptrap does not enforce an allowlist or DNS policy. Host networking is opt-in per manifest; if you require an offline or firewalled workflow, sloptrap is not an appropriate launcher.
+- **Process isolation**: standard runs keep a read-only root filesystem and no extra Linux capabilities.
+- **Networking stance**: traffic is unrestricted once it leaves the container. sloptrap does not enforce an allowlist or DNS policy. Host networking is opt-in per manifest. If you require an offline or firewalled workflow, sloptrap is not an appropriate launcher.
 - **Persistence**: Codex history and logs accumulate per project under `${HOME}/.codex/sloptrap/state/`. Sensitive prompts recorded on disk remain on the host after the session. Because `.git/` is ignored inside the container, any historical secrets in Git objects stay outside the LLM context unless explicitly surfaced in the working tree.
-- **Codex cache hygiene**: per-project state mounts remain writable by the container and hold prompts/history/state, while `${HOME}/.codex/auth.json` holds shared credentials. Rotate credentials regularly and protect both locations.
+- **Codex cache hygiene**: per-project state mounts remain writable by the container and hold prompts/history/state, while `${HOME}/.codex/auth.json` holds shared Codex credentials when that backend is used. Rotate credentials regularly and protect both locations.
 - **Secret scanning**: sloptrap does not perform secret discovery or redaction; any credentials present in the project remain available to Codex and the upstream provider.
 - **Local model exception**: pointing Codex at a local or self-hosted model keeps data within the host network boundary, but the filesystem and environment exposure described above is unchanged.
 

slopsloptrap/.sloptrap

@@ -1,3 +0,0 @@
-name=slopsloptrap
-capabilities=nested-podman
-allow_host_network=false

tests/README.md

@@ -12,5 +12,7 @@ Current scenarios:
 - `secret_mask/` — verifies masked files remain hidden even when sloptrap remaps the workspace mount.
 - `resume_target/` — verifies the resume target passes the requested session identifier to Codex.
 - `auth_file_mount` — verifies `~/.codex/auth.json` is mounted directly into `/codex/auth.json`.
+- `runtime_hardening_flags` — verifies standard runs add `--cap-drop=ALL` and keep the root filesystem read-only.
 - `project_state_isolation` — verifies different projects map `/codex` to different host state directories.
 - `auto_login_empty_auth` — verifies an empty `auth.json` still triggers automatic login before the main target.
+- `opencode_*` — exercises opencode build/download, localhost rewriting, config generation, and backend-specific safety checks.

tests/capability_repo/.sloptrap

@@ -1,3 +0,0 @@
-name=capability-repo
-capabilities=apt-install packet-capture nested-podman
-allow_host_network=true

tests/host_network_packet_capture/.sloptrap

@@ -0,0 +1,3 @@
+name=host-network-packet-capture
+capabilities=packet-capture
+allow_host_network=true

tests/host_network_repo/.sloptrap

@@ -0,0 +1,3 @@
+name=host-network-repo
+capabilities=apt-install
+allow_host_network=true

tests/invalid_manifest_capabilities/.sloptrap

@@ -1,4 +0,0 @@
-name=invalid-capabilities
-capabilities=packet-capture not-a-real-capability
-codex_args=--sandbox workspace-write --ask-for-approval never
-allow_host_network=false

tests/opencode_build/.sloptrap

@@ -0,0 +1,4 @@
+name=opencode-build
+packages_extra=htop
+agent=opencode
+allow_host_network=false

tests/opencode_localhost/.sloptrap

@@ -0,0 +1,4 @@
+name=opencode-localhost
+packages_extra=
+agent=opencode
+allow_host_network=false

tests/opencode_print_config/.sloptrap

@@ -0,0 +1,7 @@
+name=opencode-print-config
+packages_extra=
+agent=opencode
+opencode_server=http://manifest:8080
+opencode_model=manifest-model
+opencode_context=128K
+allow_host_network=false

tests/wizard_build/.sloptrap

@@ -1,4 +1,4 @@
 name=wizard_build
 packages_extra=
-capabilities=
+agent=codex
 allow_host_network=false

tests/wizard_empty/.sloptrap

@@ -1,4 +1,4 @@
 name=wizard_empty
 packages_extra=
-capabilities=
+agent=codex
 allow_host_network=false

tests/wizard_existing/.sloptrap

@@ -1,4 +1,4 @@
 name=custom-wizard
 packages_extra=make git
-capabilities=apt-install packet-capture
+agent=codex
 allow_host_network=true