refactor: Enable workspace auto-entry with full sudo and skip permissions

- Restore workspace auto-entry on ai user login
- Use systemd-nspawn -q -D to enter workspace
- Start claude with --dangerously-skip-permissions (no approval needed)
- Grant wheel group full sudo access (NOPASSWD: ALL) for container operation
- ai user can perform all root operations via sudo in workspace

build.zsh

@@ -63,9 +63,9 @@ arch-chroot root.x86_64 /bin/sh -c 'npm i -g @anthropic-ai/claude-code'
 # Copy os-release
 cp -rf ./cfg/os-release root.x86_64/etc/os-release
 
-# Configure sudoers for wheel group
+# Configure sudoers for wheel group (full access for container operation)
 echo "Configuring sudoers..."
-arch-chroot root.x86_64 /bin/sh -c 'echo "%wheel ALL=(ALL:ALL) NOPASSWD: /usr/bin/pacman, /usr/bin/pacstrap, /usr/bin/arch-chroot, /usr/bin/rm, /usr/bin/mkdir, /usr/bin/mv, /usr/bin/cp, /usr/bin/poweroff, /usr/bin/reboot, /usr/bin/machinectl, /usr/bin/systemd-nspawn, /usr/bin/mount, /usr/bin/chroot, /bin/bash" >> /etc/sudoers'
+arch-chroot root.x86_64 /bin/sh -c 'echo "%wheel ALL=(ALL:ALL) NOPASSWD: ALL" >> /etc/sudoers'
 
 # Install aigpt (aios core package)
 echo "Installing aigpt..."

cfg/setup-user.sh

@@ -61,13 +61,20 @@ cp -rf ./cfg/zshrc $ROOTFS/root/.zshrc
 # Copy .zshrc for user 'ai'
 cp -rf ./cfg/zshrc $ROOTFS/home/ai/.zshrc
 
-# Add claude auto-start on login (once, not exec)
+# Add workspace auto-entry and claude auto-start
 cat >> $ROOTFS/home/ai/.zshrc <<'EOF'
 
-# Start claude on login (once)
+# aios: auto-enter workspace container
 if [[ -o login ]] && [[ -o interactive ]]; then
+    if [[ -z "$INSIDE_WORKSPACE" ]]; then
+        # Enter workspace container
+        export INSIDE_WORKSPACE=1
+        exec sudo systemd-nspawn -q -D /var/lib/machines/workspace /bin/zsh
+    else
+        # Inside workspace - start claude with skip permissions
         if command -v claude &>/dev/null; then
-        claude
+            claude --dangerously-skip-permissions
+        fi
     fi
 fi
 EOF