
Composable stacks, cell chrome/cell login, AWS read-only scoping, ollama proxy, patchright bot-stealth with human mouse, and 5 new nix modules #31

Merged: DimmKirr merged 1 commit into main from feature/wip on Apr 6, 2026

Conversation

DimmKirr (Owner) commented Mar 31, 2026

Changes

  • feat(cfg): composable stack + modules config with [aws], [op] documents, [ports], [mise], [cell].locale sections — users configure container capabilities via .devcell.toml instead of editing Dockerfiles
  • feat(cmd): add cell chrome with project-scoped profiles, Playwright cookie sync, and UA fingerprint spoofing — users log into sites on the host and MCP replays cookies with matching fingerprint in the container
  • feat(cmd): add cell login <url> shortcut — opens a URL directly for quick auth and cookie sync
  • feat(cmd): add cell serve as local ollama API proxy with Anthropic-compatible endpoints — Claude Code and Codex work with local models
  • feat(cfg): [aws] read_only option with credential_process for IAM session policy scoping — containers can be locked to read-only AWS access (opt-in, default false)
  • feat(runner): inject LANG/LC_ALL into containers from config, host, or default en_US.UTF-8 — container locale matches the host instead of defaulting to POSIX
  • feat(scaffold): generate Dockerfile and flake.nix from stack+modules config at scaffold time — build context matches user config, no static templates
  • feat(nixhome/scraping): nix-packaged patchright MCP with stealth init-script, runtime TZ/locale injection, and human-like Bezier mouse trajectories — Playwright MCP passes bot detection including mouse-movement analysis
  • feat(nixhome/infra): AWS credential_process, read-only IAM policy, aws-api and cloudwatch MCP servers — AI agents get scoped AWS access
  • feat(nixhome/modules): add postgresql, project-management, qa-tools, security modules — new tool domains available as composable modules
  • feat(nixhome/entrypoint): secrets fragment writes op-resolved env vars to tmpfs for Playwright MCP — secrets never touch disk
  • feat(nixhome/flake): export composable lib.mkHome, stacks, and modules for user wrapper flakes — users can build custom stacks without forking
  • feat(nixhome/base): write /etc/devcell/metadata.json from Docker build ARGs — cell status can report build provenance
  • feat(nixhome/base): add glibcLocales and dnsutils to base packages — containers have proper locale data and DNS tools out of the box
  • feat(nixhome/financial): add stripe-cli, use managedMcp.nixBinPrefix for MCP server paths — absolute nix paths prevent PATH-order issues
  • feat(nixhome/flake): add drawio to allowUnfreePredicate — drawio package can now be installed without unfree error
  • refactor(ux): replace pterm with charmbracelet (lipgloss, huh, bubbletea) — brand color palette, multi-select prompts, adaptive light/dark theming
  • refactor(docker): rename base stage to core across Dockerfile, bake, CI, Taskfile, and tests — no user-facing impact
  • fix(cmd): auto-rebuild when build context is newer than existing image — cell no longer silently uses a stale container after a failed docker build
  • fix(cfg): stack picker shows compressed Docker download sizes — ultimate shows ~7.6 GB (was ~2.9 GB nix download, misleading)
  • fix(runner): increase container shared memory to 1GB — drawio-headless and Chromium no longer crash on large renders
  • fix(nixhome/security): redirect hexstrike server working directory to /tmp — hexstrike.log no longer pollutes the project directory
  • fix(ci): set NIX_CACHE_IMAGE to previous ultimate image in dev workflow — CI nix builds pre-seed /nix/store from cache instead of downloading ~7GB every run
  • docs(web): update configuration.md, stacks-and-modules.md, cell.md — new commands, config sections, and modules documented
  • chore(docker): restructure Dockerfile with nix cache pre-seeding and genesis bootstrap — faster rebuilds
  • chore(ci): add deploy-site.yml and genesis.yml workflows
  • chore(web): add 404 page, Umami analytics
  • chore(images): move codex, opentofu-mcp, playwright, patchright-mcp from npm to nix — image builds are more reproducible
  • chore(.gitleaks.toml): allowlist test fixture xrdp key.pem
  • docs(README): update config references from ~/.config/devcell/ to project-local .devcell.toml
  • test(cfg): 700+ lines covering composable stacks, modules, AWS, op documents, ports, MCP merge
  • test(runner): playwright secrets, stale image detection, shm-size
  • test(serve): full ollama proxy test suite (auth, handler, models, Anthropic/OpenAI compat)
  • test(scaffold): generate_testdata and expanded scaffold tests for stack+modules flake generation
  • test(image): use --debug for bash_echo/nix_version, relax spinner_visible for CI PTY compatibility
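The cell chrome and cell login items describe copying a host browser session into the container's Playwright MCP. The check a practitioner wants on such a sync is scoping: the container should receive the target site's cookies only, never the whole host jar, with expired entries dropped and sameSite normalised to the three values Playwright accepts. The Go program below is an added example and not the project's code. It assumes the host cookies arrive as a Chrome DevTools Protocol Network.getAllCookies style JSON array (the embedded sample is constructed) and writes a Playwright storageState for one site; matching the user agent is a separate browser-context setting and is not shown here.

```go
package main

import (
	"encoding/json"
	"fmt"
	"os"
	"strings"
	"time"
)

// cookie covers the fields shared by a Chrome DevTools Protocol Network.getAllCookies
// export and Playwright's storageState: expires is seconds since the epoch, -1 for a
// session cookie, and Playwright accepts sameSite only as Strict, Lax or None.
type cookie struct {
	Name     string  `json:"name"`
	Value    string  `json:"value"`
	Domain   string  `json:"domain"`
	Path     string  `json:"path"`
	Expires  float64 `json:"expires"`
	HTTPOnly bool    `json:"httpOnly"`
	Secure   bool    `json:"secure"`
	SameSite string  `json:"sameSite"`
}

type storageState struct {
	Cookies []cookie          `json:"cookies"`
	Origins []json.RawMessage `json:"origins"`
}

// inScope reports whether a cookie domain applies to site: an exact host match, a
// parent-domain cookie such as ".example.com" for app.example.com, or a subdomain cookie
// when site is the parent. The leading dot in the suffix checks stops "notexample.com"
// from matching "example.com". (No public-suffix list here; pass a registrable domain.)
func inScope(cookieDomain, site string) bool {
	d := strings.TrimPrefix(strings.ToLower(cookieDomain), ".")
	site = strings.ToLower(site)
	return d == site || strings.HasSuffix(site, "."+d) || strings.HasSuffix(d, "."+site)
}

// syncCookies narrows the host jar to the target site, drops cookies already expired at
// now, and normalises sameSite so Playwright does not reject the file. now is a parameter
// so the filter is deterministic under test.
func syncCookies(host []cookie, site string, now time.Time) storageState {
	state := storageState{Cookies: []cookie{}, Origins: []json.RawMessage{}}
	for _, c := range host {
		if !inScope(c.Domain, site) {
			continue // the container gets one site's session, never the whole host jar
		}
		if c.Expires > 0 && c.Expires < float64(now.Unix()) {
			continue
		}
		switch c.SameSite {
		case "Strict", "Lax", "None":
		default:
			c.SameSite = "Lax" // Chrome's treatment of an unspecified attribute
		}
		state.Cookies = append(state.Cookies, c)
	}
	return state
}

// sampleHostJar is a constructed CDP-style export for running this offline; it is not
// data from a real profile.
const sampleHostJar = `[
 {"name":"sid","value":"s3ss10n","domain":".example.com","path":"/","expires":-1,"httpOnly":true,"secure":true,"sameSite":"Lax"},
 {"name":"pref","value":"dark","domain":"app.example.com","path":"/","expires":4102444800,"httpOnly":false,"secure":true},
 {"name":"tracker","value":"x","domain":".ads.test","path":"/","expires":-1,"httpOnly":false,"secure":false,"sameSite":"None"}
]`

// Usage: cookie-sync [<cdp-cookies.json> <site>]; with no arguments the embedded sample is
// used. Redirect stdout to a 0600 file: the state file is a bearer credential for the session.
func main() {
	raw, site := []byte(sampleHostJar), "app.example.com"
	if len(os.Args) == 3 {
		var err error
		if raw, err = os.ReadFile(os.Args[1]); err != nil {
			fmt.Fprintln(os.Stderr, err)
			os.Exit(1)
		}
		site = os.Args[2]
	}
	var host []cookie
	if err := json.Unmarshal(raw, &host); err != nil {
		fmt.Fprintln(os.Stderr, "bad cookie export:", err)
		os.Exit(1)
	}
	out, _ := json.MarshalIndent(syncCookies(host, site, time.Now()), "", "  ")
	fmt.Println(string(out))
}
```

The output is loaded with Playwright's storageState option when the browser context is created. Because the file carries live session cookies, it belongs on tmpfs with 0600 permissions, the same treatment the secrets fragment above gives op-resolved variables.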

DimmKirr changed the title from "Composable stacks, 1Password documents, AWS read-only scoping, ollama proxy, Chromium command, and patchright bot-stealth MCP" to "Composable stacks, cell chrome/cell login, AWS read-only scoping, ollama proxy, patchright bot-stealth, and 5 new nix modules" on Mar 31, 2026
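cell serve, as described in the comment above, sits between Claude Code or Codex and a local ollama and exposes Anthropic-compatible endpoints; the test list names auth, handler and Anthropic/OpenAI compat as the pieces. The Go sketch below is an added example of that request path and not the project's implementation: it translates a /v1/messages body into an ollama /api/chat call and back, checks the API key in constant time, refuses to run with an empty key, caps the request body, and binds to loopback only. PROXY_API_KEY, port 8080 and the message id are assumptions. Streaming is not implemented; every request is answered with one JSON message, which the Anthropic SDKs accept only for non-streaming calls.

```go
package main

import (
	"bytes"
	"crypto/subtle"
	"encoding/json"
	"io"
	"net/http"
	"os"
	"strings"
)

type anthropicRequest struct {
	Model     string                                           `json:"model"`
	MaxTokens int                                              `json:"max_tokens"`
	System    json.RawMessage                                  `json:"system"`     // string or block array
	Messages  []struct{ Role string; Content json.RawMessage } `json:"messages"`   // content: string or block array
}

// flattenContent joins the text blocks of a string-or-array content field; non-text blocks
// (images, tool_use) are dropped rather than forwarded to the local model.
func flattenContent(raw json.RawMessage) string {
	var s string
	if json.Unmarshal(raw, &s) == nil {
		return s
	}
	var blocks []struct{ Type, Text string }
	_ = json.Unmarshal(raw, &blocks) // unparseable content contributes no text
	var parts []string
	for _, b := range blocks {
		if b.Type == "text" {
			parts = append(parts, b.Text)
		}
	}
	return strings.Join(parts, "\n")
}

// toOllama builds the /api/chat body: system prompt first, max_tokens as num_predict, stream forced off.
func toOllama(req anthropicRequest) map[string]any {
	var msgs []map[string]string
	if sys := flattenContent(req.System); sys != "" {
		msgs = append(msgs, map[string]string{"role": "system", "content": sys})
	}
	for _, m := range req.Messages {
		msgs = append(msgs, map[string]string{"role": m.Role, "content": flattenContent(m.Content)})
	}
	out := map[string]any{"model": req.Model, "messages": msgs, "stream": false}
	if req.MaxTokens > 0 {
		out["options"] = map[string]int{"num_predict": req.MaxTokens}
	}
	return out
}

// proxyMessages is the whole request path with the ollama transport injected so tests can run it
// against a fake. The x-api-key check is constant time and an empty configured key never matches;
// ollama's done_reason "length" (num_predict hit) becomes Anthropic's stop_reason "max_tokens".
func proxyMessages(hdr http.Header, body []byte, key string, chat func(map[string]any) (map[string]any, error)) (int, []byte) {
	got := []byte(hdr.Get("x-api-key"))
	if key == "" || subtle.ConstantTimeCompare(got, []byte(key)) != 1 {
		return http.StatusUnauthorized, []byte(`{"type":"error","error":{"type":"authentication_error"}}`)
	}
	var req anthropicRequest
	if err := json.Unmarshal(body, &req); err != nil || req.Model == "" || len(req.Messages) == 0 {
		return http.StatusBadRequest, []byte(`{"type":"error","error":{"type":"invalid_request_error"}}`)
	}
	resp, err := chat(toOllama(req))
	if err != nil {
		return http.StatusBadGateway, []byte(`{"type":"error","error":{"type":"api_error"}}`)
	}
	msg, _ := resp["message"].(map[string]any)
	text, _ := msg["content"].(string)
	stop := "end_turn"
	if resp["done_reason"] == "length" {
		stop = "max_tokens"
	}
	out, _ := json.Marshal(map[string]any{
		"id": "msg_local_0001", "type": "message", "role": "assistant", "model": req.Model, "stop_reason": stop,
		"content": []map[string]string{{"type": "text", "text": text}},
		"usage":   map[string]any{"input_tokens": resp["prompt_eval_count"], "output_tokens": resp["eval_count"]},
	})
	return http.StatusOK, out
}

func main() {
	ollama := func(body map[string]any) (resp map[string]any, err error) {
		b, _ := json.Marshal(body)
		r, err := http.Post("http://127.0.0.1:11434/api/chat", "application/json", bytes.NewReader(b))
		if err == nil {
			defer r.Body.Close()
			err = json.NewDecoder(r.Body).Decode(&resp)
		}
		return resp, err
	}
	http.HandleFunc("/v1/messages", func(w http.ResponseWriter, r *http.Request) {
		body, _ := io.ReadAll(io.LimitReader(r.Body, 4<<20)) // cap the request body
		status, out := proxyMessages(r.Header, body, os.Getenv("PROXY_API_KEY"), ollama)
		w.WriteHeader(status)
		_, _ = w.Write(out)
	})
	panic(http.ListenAndServe("127.0.0.1:8080", nil)) // loopback only; the key is not a LAN boundary
}
```

An Anthropic SDK client reaches it with ANTHROPIC_BASE_URL pointing at http://127.0.0.1:8080 and ANTHROPIC_API_KEY set to the same value as PROXY_API_KEY; the SDK sends that key as x-api-key. The loopback bind matters more than the key: anything that can reach the port can drive the local model with the caller's prompts, so the listener is never exposed beyond the host.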
DimmKirr changed the title from "Composable stacks, cell chrome/cell login, AWS read-only scoping, ollama proxy, patchright bot-stealth, and 5 new nix modules" to "Composable stacks, cell chrome/cell login, AWS read-only scoping, ollama proxy, patchright bot-stealth with human mouse, and 5 new nix modules" on Mar 31, 2026
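The [aws] read_only option and the infra module's credential_process in the comment above rest on one STS property: a session policy passed at assume-role time is intersected with the role's own permissions, so it can only narrow them. The Go program below is an added example of such a credential_process helper and is not the project's code. It prints the JSON contract the AWS CLI and SDKs expect, attaches the AWS-managed ReadOnlyAccess policy as a session policy and, as an illustrative extra, an inline deny for read calls that return secret material. The environment variable names, the session name and the profile snippet are assumptions.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"os"
	"os/exec"
	"time"
)

// credentialProcessOutput is the JSON contract a credential_process helper must print on
// stdout: Version is always 1 and Expiration, when present, lets the SDK refresh on time.
type credentialProcessOutput struct {
	Version         int    `json:"Version"`
	AccessKeyId     string `json:"AccessKeyId"`
	SecretAccessKey string `json:"SecretAccessKey"`
	SessionToken    string `json:"SessionToken"`
	Expiration      string `json:"Expiration,omitempty"`
}

// stsResponse is the part of `aws sts assume-role --output json` this helper consumes.
type stsResponse struct {
	Credentials struct {
		AccessKeyId     string    `json:"AccessKeyId"`
		SecretAccessKey string    `json:"SecretAccessKey"`
		SessionToken    string    `json:"SessionToken"`
		Expiration      time.Time `json:"Expiration"`
	} `json:"Credentials"`
}

// readOnlyInlinePolicy is an illustrative inline session policy layered on the AWS-managed
// ReadOnlyAccess policy, which still permits reads that return secret material. Assumed
// for this example; it is not the project's policy document.
const readOnlyInlinePolicy = `{"Version":"2012-10-17","Statement":[{"Effect":"Deny","Action":["s3:GetObject","secretsmanager:GetSecretValue","ssm:GetParameter","ssm:GetParameters","ssm:GetParametersByPath","kms:Decrypt"],"Resource":"*"}]}`

// assumeRoleArgs builds the STS call. A session policy can only narrow what the role's own
// policy already allows, so a container configured read-only cannot escalate via this path.
func assumeRoleArgs(roleArn, sessionName string, readOnly bool) []string {
	args := []string{"sts", "assume-role", "--role-arn", roleArn,
		"--role-session-name", sessionName, "--output", "json"}
	if readOnly {
		args = append(args,
			"--policy-arns", "arn=arn:aws:iam::aws:policy/ReadOnlyAccess",
			"--policy", readOnlyInlinePolicy)
	}
	return args
}

// toCredentialProcess converts STS output into the credential_process contract and refuses
// to emit a partial credential set.
func toCredentialProcess(stsJSON []byte) (credentialProcessOutput, error) {
	var resp stsResponse
	if err := json.Unmarshal(stsJSON, &resp); err != nil {
		return credentialProcessOutput{}, fmt.Errorf("parse sts output: %w", err)
	}
	c := resp.Credentials
	if c.AccessKeyId == "" || c.SecretAccessKey == "" || c.SessionToken == "" {
		return credentialProcessOutput{}, errors.New("sts output is missing credential fields")
	}
	return credentialProcessOutput{
		Version: 1, AccessKeyId: c.AccessKeyId, SecretAccessKey: c.SecretAccessKey,
		SessionToken: c.SessionToken, Expiration: c.Expiration.UTC().Format(time.RFC3339),
	}, nil
}

// Wiring, with assumed names: the container profile points at this binary,
//
//	[profile cell]
//	credential_process = /usr/local/bin/cell-aws-creds
//
// and the helper authenticates to STS with whatever base credentials its own environment
// (AWS_PROFILE, env vars, instance role) provides. The caller only ever sees the narrowed token.
func main() {
	roleArn := os.Getenv("CELL_AWS_ROLE_ARN")
	readOnly := os.Getenv("CELL_AWS_READ_ONLY") == "true"
	out, err := exec.Command("aws", assumeRoleArgs(roleArn, "devcell", readOnly)...).Output()
	if err != nil {
		fmt.Fprintln(os.Stderr, "assume-role failed:", err)
		os.Exit(1)
	}
	creds, err := toCredentialProcess(out)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	_ = json.NewEncoder(os.Stdout).Encode(creds)
}
```

Two checks are worth running against any helper of this shape: `aws sts get-caller-identity` from inside the container should report the assumed role, and a write such as `aws s3 mb` should fail with an explicit AccessDenied when read_only is on. Because the helper prints the credentials, keep it out of shell history and logs, and never let the process's stdout go anywhere but the SDK.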
DimmKirr changed the title to "Composable stacks, cell chrome/cell login, AWS read-only scoping, ollama proxy, patchright bot-stealth with human mouse, and 5 new nix modules" on Apr 6, 2026 (same text as the previous title)
@DimmKirr DimmKirr merged commit 7cda401 into main Apr 6, 2026
6 checks passed