docs(wiki): add Profile JSON Schema section (moved from README)
0b7ec15
docs(wiki): extract audit log + coi audit into dedicated Audit-Log page
Security-Monitoring was the largest page (~500 lines). Move the on-disk audit
log format, field reference, and the full 'coi audit' command docs into a new
Audit-Log page (Security-Monitoring now links to it with a short stub). Retarget
inbound links (Session-Logs, Migration-Guide, Home, sidebar). Security-Monitoring
328 lines; all internal links verified.
42cc419
docs(wiki): add persistent sidebar + footer nav; link Self-Update from Home
Health pass (post-0.9): wiki is otherwise healthy — no broken internal links,
no stale version/config references, page sizes reasonable. Add Karafka-style
persistent navigation (_Sidebar.md grouped by category, _Footer.md quick links)
and fix the orphaned Self-Update page (was a real page not linked from Home).
cbd5280
docs: 0.9 updates — upgrade guide (0.8→0.9), sockets, env_commands, pi
- Migration-Guide: add 'Upgrading from 0.8 to 0.9' (trust gate, network
sanitize, read-only .coi, protected git paths, allowlist/IPv6 tightening;
new features: sockets, env_commands, coi trust/audit, pi)
- Configuration: document [[sockets]] and [defaults.env_commands]; fix default
protected_paths list; add pi to tool name
- Supported-Tools: add pi section
- Home: link the 0.8→0.9 upgrade guide
ff3f763
fix: correct --resume/--continue description for opencode (both are aliases)
e163971
fix: update session log docs to reflect SessionLogger migration
- Session-Logs.md: remove stale "Related Background Logs" table that
still referenced network-refresh-<container>.log (no longer created);
replace with a "What Goes Into Session Logs" table showing which
subsystem output lands in which file (.stdout.log vs .stderr.log)
- Security-Monitoring.md: fix the Limitations note about NFT OnError
callbacks — errors now go to <container>.stderr.log (viewable via
`coi logs`), not silently discarded or sent to audit logs
66397f7
docs: add coi audit and coi logs documentation
- Security-Monitoring.md: add full 'coi audit' section covering both
dump and follow modes, event format/types, all five event sources,
heartbeat liveness detection, jq filtering examples, agent tuning
env vars, and resource overhead
- Session-Logs.md: new page documenting 'coi logs', log file locations,
follow mode, output format, and the network-refresh background log
- Home.md: link to Session-Logs from the Security nav section; update
Security-Monitoring description to mention coi audit
Closes #390
d9845a8
docs: fix macOS apt assumption and add sandbox context cross-link
- macOS-Setup-Guide: add Warning callout before Setup Instructions
noting that apt commands assume the Ubuntu Colima template; recommend
Ubuntu for best compatibility with COI's base image
- Supported-Tools: link Sandbox Context File section to
Architecture-and-Security-Model; add Architecture to See Also
52b6157
docs: fix bugs and fill content gaps from re-analysis
Bug fixes:
- Linux-Setup-Guide: fix usermod command (incus,incus-admin not
'incus incus-admin $USER' which passed incus-admin as a username)
- Image-Management: clarify Best Practices item 4 — coi image publish
captures filesystem state, not process memory; stateful = snapshots only
Content improvements:
- Home.md: add one-sentence description of what COI is before the callout
- Tmux-Automation: replace non-deterministic sleep-based CI examples with
polling helpers; add Note callout explaining why fixed sleeps are unreliable
- FAQ.md: expand Troubleshooting Quick Links from 2 to 7 entries covering
container pause/kill, privileged=true error, Docker Compose, DNS build issues
- Resource-and-Time-Limits: add prose section explaining what each limit
actually does (CPU enforce/priority, memory hard vs soft, swap semantics,
disk I/O cgroup blkio, tmpfs, runtime auto-stop)
- File-Transfer: add UID shifting note explaining automatic ownership mapping
and when to chown after pushing to system paths
- Security-Monitoring: clarify [monitoring] vs [monitoring.nft] as two
independent subsystems with separate prerequisites
- Configuration: note that forward_env is top-level in profiles vs under
[defaults] in main config
- Migration-Guide: add 4 more entries from Troubleshooting content (bool
pointer fix, settings.json deep merge, Docker Compose three-step launch,
EXDEV session save fix, UID/GID remapping)
083a40b
docs: complete structural, content, and style improvements (S4-S6, C1-C5, F5)
Structural:
- S4: Add Slot System section to Container-Lifecycle-and-Sessions explaining
container naming, auto-allocation, per-slot isolation, and alias suffixes
- S5: Merge Self-Update into System-Health-Check (update commands, how-it-works,
post-update steps); Self-Update.md becomes a redirect
- S6: Add Migration-Guide.md covering .coi.toml → .coi/config.toml move and
[[mounts]] vs [[mounts.default]] syntax difference
Content:
- C1: Add Best-Practices.md covering session mode selection, network mode
guide, monitoring recommendations, long-running tasks, team workflows,
AI-generated code handling, and storage cleanup
- C2: Expand Snapshot-Management.md with context opener (stateless vs stateful
tradeoffs, restore requirement) and Best Practices section
- C3: Add Troubleshooting section to Image-Management.md (image not found,
build failures, wrong image applied, stale image after update) and
Best Practices section
- C4: Document coi run in Container-Operations.md with use cases, flags,
and differences from coi shell
- C5: Add JSONL field schema tables to Security-Monitoring.md (common fields,
type-specific fields, NFT-specific fields)
Formatting:
- F5: Add Best Practices sections to Network-Isolation, Profiles,
Image-Management, and Snapshot-Management
Navigation:
- Home.md updated with Best-Practices and Migration-Guide in nav
e212582
docs: add Architecture, Getting-Started, and split FAQ into categories
- Add Architecture-and-Security-Model.md — conceptual "why COI" page
covering the threat model, all defense layers, architecture diagram,
and what COI does/does not protect against
- Add Getting-Started.md — step-by-step first-session walkthrough
covering install, coi build, coi shell, resume, parallel sessions,
and persistent mode, with links to next steps
- Split FAQ.md into three category files:
  - FAQ-Platform-Comparisons.md (6 questions + comparison table)
  - FAQ-Security-and-Trust.md (5 questions)
  - FAQ-Setup-and-Operation.md (9 questions)
- Rewrite FAQ.md as a pure index with category table + troubleshooting
quick links
- Update Home.md: new Getting-Started and Architecture nav section,
point new-user callout to Getting-Started, list FAQ category pages
8aacd50
docs: quick-win formatting pass across all wiki pages
- Add H1 title to all 16 pages that were missing one
- Add FAQ question index with 22 anchor-linked entries grouped by category
- Add See Also section to all 19 pages with curated cross-links
- Upgrade three high-risk inline warnings to blockquote callouts:
allow_local_network_access, mount parent dir, disable_protection
a37731b
docs: replace em dashes with hyphens across all wiki pages
601826e
docs(faq): add Q&A on agentic development process
Explains that COI is partially built using AI coding agents and is
often developed inside COI itself (dogfooding).
3e49086
docs: update image-not-found behaviour to reflect interactive build prompt
24ebb93
Document v0.8.1 features and fix minor v0.8.0 gaps
v0.8.1 features now documented:
- Profile auto-resume: --resume restores original profile (Container-Lifecycle)
- `close` command as safe alias for poweroff inside containers (Container-Lifecycle)
- Git identity guard: user.useConfigOnly=true prevents "code" commits (Security-Best-Practices)
- Auto-trust mise config files via MISE_TRUSTED_CONFIG_PATHS (Image-Management)
- Secure env-var forwarding via tmux -e, not shell export (Container-Lifecycle)
v0.8.0 minor fixes:
- Container-Operations: fix bare `coi` image name → `coi-default` in launch example
- Profiles: show built-in `default` profile row in `coi profile list` example output
- Security-Best-Practices: renumber summary list after git identity guard insertion
2a9ec06
Fix outdated wiki: auto-build claim and missing re-login requirement
- Image-Management.md: Remove incorrect claim that `coi shell` and
`coi run` auto-build missing images. This was removed in v0.8.0 as
a breaking change — users must run `coi build` explicitly.
- Linux-Setup-Guide.md: Add prominent re-login/newgrp requirement after
`usermod -aG incus-admin` to all distro sections (Arch, Fedora,
openSUSE, Ubuntu). With the sg removal in v0.8.1, the incus-admin
group must be active in the user's session — previously sg handled
this transparently.
1835bf4
Add Linux Setup Guide for non-Ubuntu distros
New wiki page covering Arch/CachyOS, Fedora/RHEL, openSUSE, and Ubuntu
setup including Incus installation, idmap configuration, firewalld setup,
and common troubleshooting.
Addresses #317 (Arch Linux setup documentation).
147ed8d
Reduce documentation duplication and improve structure
- Deduplicate Sandbox Context: Configuration.md now links to Supported-Tools.md
instead of repeating the full auto-context section
- Move mount how-to from FAQ to Configuration.md "Mounting Additional Files" section;
FAQ entry replaced with short pointer
- Add "Getting Started" callout to Home.md for new users
- Trim Configuration.md Profiles section to a pointer (was duplicating Profiles.md)
0b692e6
Fix --debug flag description in Configuration wiki
12cd811
Fix final documentation issues for 0.8.0
- Image-Management: fix prose reference [build] → [container.build]
- Configuration: fix network.logging defaults (enabled=true, path=~/.coi/logs/network.log)
1f640ca
Fix remaining documentation inconsistencies for 0.8.0
- Image-Management: migrate profile example from deprecated [build] to [container.build]
- Configuration: remove "aider" from tool name comment (not yet registered),
move --tool from global flags to shell-only section
- Security-Monitoring: clarify write threshold mirrors read threshold (no separate config key)
- Profiles: add missing extended fields to Available Fields table
(model, paths, incus, git, ssh, security, monitoring, timezone, inherits)
fc9c364
Fix documentation inconsistencies for 0.8.0 release
- Profiles: migrate all examples from deprecated top-level image/persistent/[build]
to [container]/[container.build] nesting (0.8.0 rejects the old format)
- Resource-and-Time-Limits: replace obsolete [profiles.X] flat syntax with
directory-based profile config.toml examples
- Security-Monitoring: fix phantom config keys (rate_limit → rate_limit_per_second,
remove non-existent suspicious_unlimited, file_write_threshold_mb, file_write_rate_mb_per_sec)
- FAQ: move Aider from "currently supported" to "coming soon" (not yet registered)
- Troubleshooting: fix tmpfs_size default comment (empty string, not 4GiB),
remove phantom file_write_threshold_mb reference
- File-Transfer: fix /root/.claude paths to /home/code/.claude
- Container-Operations: document coi info, coi version, coi clean --pools/--orphans/--dry-run
- Profiles: add note explaining [[mounts]] (profiles) vs [[mounts.default]] (main config)
e888af3
Docs audit for 0.8.0: fix [defaults] → [container], coi resume → coi unfreeze, add security features
- Fix [defaults] → [container] for image/persistent in Configuration.md, Image-Management.md
- Replace all coi resume → coi unfreeze references (Security-Monitoring, Troubleshooting, Lifecycle)
- Add host-side immutable protection and guest API sections to Security-Best-Practices.md
- Add container aliases section to Container-Lifecycle-and-Sessions.md
- Update System-Health-Check.md for multi-pool support
- Add host_immutable, alias, storage_pool to config reference
8c0931f
Add Slack community links to FAQ and Troubleshooting pages
Closes #289 (wiki portion)
edcdea1
Update wiki for 0.8.0 release
- Rename default image coi → coi-default
- Move config path ~/.config/coi/config.toml → ~/.coi/config.toml
- Drop /etc/coi/ and ~/.config/coi/ from config hierarchy
- Replace coi build custom with profile-based build workflow
- Rename coi profile show → coi profile info
- Document profile inheritance (inherits field)
- Document coi profile create/edit/delete commands
- Remove non-existent coi config --init reference
7a6fa57
Update wiki for CLI flag removal and readonly mount support
Remove references to 21 CLI flags that are now config/profile-only.
Replace --network, --monitor, --ssh-agent, --forward-env, --timezone,
--mount, --env, --limit-*, --writable-git-hooks examples with config
TOML equivalents. Add readonly = true mount documentation and Claude
skills/commands/plugins mounting guide (ref #260).
Still-valid flags (--format, --capture, --tty, --env on container exec,
--timeout, --compression on build) are unchanged.
207d3f3
Add Profiles wiki page, update Configuration and Home
- New Profiles.md page covering directory structure, config reference,
context files, build scripts, commands, and examples
- Update Configuration.md: replace outdated inline profiles section
with link to new page, update config reference
- Update Home.md: add Profiles link to navigation
f47c13d
Document auto_context feature for sandbox context injection (#243)
- Configuration.md: Add auto_context option to [tool] config reference,
add Auto-Context Injection subsection explaining Claude/OpenCode behavior
- Supported-Tools.md: Add ToolWithAutoContextFile and ToolWithAutoContextPath
interfaces to Adding New Tools section, add Auto-Context Injection
subsection with per-tool details and opt-out instructions
8b865e8