From 1aab33cb04f132541b73a3326d6b0d6079a294ed Mon Sep 17 00:00:00 2001
From: Claude <noreply@anthropic.com>
Date: Fri, 7 Nov 2025 14:54:51 +0000
Subject: [PATCH] feat: Add automatic workspace container initialization on
 first login

- Created init-containers.sh to create workspace and restore-img
- Runs automatically on ai user's first login
- Uses ~/.aios-initialized flag to run once
- Updated sudoers to allow pacstrap, arch-chroot commands
---
 build.zsh              |  2 +-
 cfg/init-containers.sh | 46 ++++++++++++++++++++++++++++++++++++++++++
 cfg/setup-user.sh      | 14 ++++++++++++-
 3 files changed, 60 insertions(+), 2 deletions(-)
 create mode 100644 cfg/init-containers.sh

diff --git a/build.zsh b/build.zsh
index afd64d4..fde620b 100755
--- a/build.zsh
+++ b/build.zsh
@@ -65,7 +65,7 @@ cp -rf ./cfg/os-release root.x86_64/var/lib/machines/arch/etc/os-release
 
 # Configure sudoers for wheel group
 echo "Configuring sudoers..."
-arch-chroot root.x86_64/var/lib/machines/arch /bin/sh -c 'echo "%wheel ALL=(ALL:ALL) NOPASSWD: /usr/bin/pacman -Syu --noconfirm, /usr/bin/rm -rf /var/lib/pacman/db.lck, /usr/bin/poweroff, /usr/bin/reboot, /usr/bin/machinectl" >> /etc/sudoers'
+arch-chroot root.x86_64/var/lib/machines/arch /bin/sh -c 'echo "%wheel ALL=(ALL:ALL) NOPASSWD: /usr/bin/pacman, /usr/bin/pacstrap, /usr/bin/arch-chroot, /usr/bin/rm, /usr/bin/mkdir, /usr/bin/mv, /usr/bin/cp, /usr/bin/poweroff, /usr/bin/reboot, /usr/bin/machinectl, /bin/bash" >> /etc/sudoers'
 
 # Install aigpt (aios core package)
 echo "Installing aigpt..."
diff --git a/cfg/init-containers.sh b/cfg/init-containers.sh
new file mode 100644
index 0000000..8a8dac8
--- /dev/null
+++ b/cfg/init-containers.sh
@@ -0,0 +1,46 @@
+#!/bin/bash
+# Initialize child containers for ai user
+# This script runs once on first login
+
+echo "=== Initializing workspace containers ==="
+echo "This may take a few minutes..."
+
+# Create workspace directory
+mkdir -p /tmp/workspace-init
+
+# Create base workspace
+echo "Creating workspace container..."
+sudo pacstrap -c /tmp/workspace-init base
+
+# Configure workspace
+sudo arch-chroot /tmp/workspace-init /bin/sh -c 'pacman -Syu --noconfirm vim git zsh openssh nodejs npm sqlite'
+
+# Add securetty for pts login
+sudo bash -c 'cat >> /tmp/workspace-init/etc/securetty <<EOF
+pts/0
+pts/1
+pts/2
+pts/3
+pts/4
+pts/5
+EOF'
+
+# Move to /var/lib/machines
+sudo mkdir -p /var/lib/machines
+sudo mv /tmp/workspace-init /var/lib/machines/workspace
+
+# Create restore-img as clean backup
+echo "Creating restore-img (backup)..."
+sudo cp -a /var/lib/machines/workspace /var/lib/machines/restore-img
+
+echo ""
+echo "✓ Initialization complete!"
+echo ""
+echo "Available containers:"
+echo "  workspace    - Working environment"
+echo "  restore-img  - Clean backup"
+echo ""
+echo "Usage:"
+echo "  sudo machinectl start workspace"
+echo "  sudo machinectl shell workspace"
+echo ""
diff --git a/cfg/setup-user.sh b/cfg/setup-user.sh
index bf22c8e..4a307b3 100755
--- a/cfg/setup-user.sh
+++ b/cfg/setup-user.sh
@@ -46,9 +46,21 @@ cp -rf ./cfg/zshrc $ROOTFS/root/.zshrc
 # Copy .zshrc for user 'ai'
 cp -rf ./cfg/zshrc $ROOTFS/home/ai/.zshrc
 
-# Add MCP auto-setup and claude auto-start for ai user (login shell only)
+# Copy container initialization script
+cp -rf ./cfg/init-containers.sh $ROOTFS/usr/local/bin/init-containers.sh
+arch-chroot $ROOTFS /bin/sh -c 'chmod +x /usr/local/bin/init-containers.sh'
+
+# Add initialization, MCP auto-setup and claude auto-start for ai user (login shell only)
 cat >> $ROOTFS/home/ai/.zshrc <<'EOF'
 
+# Initialize workspace containers on first login
+if [ ! -f ~/.aios-initialized ]; then
+    echo "First login detected. Initializing workspace containers..."
+    if command -v sudo &>/dev/null && [ -x /usr/local/bin/init-containers.sh ]; then
+        /usr/local/bin/init-containers.sh && touch ~/.aios-initialized
+    fi
+fi
+
 # MCP auto-setup (run once after .claude.json is created)
 if [[ -f ~/.claude.json ]] && ! grep -q '"aigpt"' ~/.claude.json 2>/dev/null; then
     if command -v claude &>/dev/null && command -v aigpt &>/dev/null; then