Move in-container runtime health checks from aibox doctor into pk-doctor/MCP #54

@projectious

aibox doctor is intended to be a host-side command. During a host-only doctor review in projectious-work/aibox, we found several aibox doctor checks that either explicitly branch on being inside the aibox container or tell users to run doctor inside the container. Those checks belong in processkit's pk-doctor/MCP runtime surface if they are still needed, because pk-doctor is the in-container processkit health check.

Checks to move or cover in pk-doctor/MCP if not already covered:

- lnav availability for the Prefix L structured log viewer. Current aibox code checks PATH inside the container and skips outside.
- processkit semantic search / sqlite-vec availability in the runtime uv cache. Current aibox code probes uv + sqlite-vec only inside the container.
- Codex sandbox runtime probe: bwrap/bubblewrap availability, user namespace smoke probe, and PID 1 sleep-infinity hygiene. Host aibox can keep static compose posture checks, but runtime binary/probe checks are container-local.
- runtime resource pressure from cgroup/procfs: memory.current, memory.events OOM kills, process counts, processkit MCP Python process counts.
- container-local PowerKit image/plugin tree and status plugin script presence under /usr/local/share/aibox/tmux/plugins/tmux-powerkit. Host aibox can inspect generated config and container/image metadata, but should not warn based on paths it cannot directly access.
- runtime-home write probes that write inside mounted home paths. Host aibox can inspect mount definitions through Docker/Podman, but actual write probes are container-local.

Desired split:

- aibox doctor remains host-only and validates host projections, generated files, config/schema, runtime inspect metadata, image version labels, mount declarations, and generated compose posture.
- pk-doctor/MCP owns in-container runtime health probes and reports actionable container-local findings.
- Host-side aibox doctor should not instruct users to run aibox doctor inside the container; it should either verify via Docker/Podman inspect/exec when appropriate or report INFO/SKIP without increasing warning counts.

Context: this surfaced because host aibox doctor warned about a missing host PowerKit mirror even though the generated tmux config intentionally loads PowerKit from the image path. That warning directed the user toward a problem that host doctor could not actually verify.
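
Two of the container-local probes listed in the issue above (runtime binaries on PATH, and cgroup `memory.current` / `memory.events` OOM kills), as an added example that is not code from aibox or processkit. The function names, the `Finding` type, the OK/WARN/SKIP levels and the cgroup v2 mount point `/sys/fs/cgroup` are assumptions; a probe that cannot read its inputs reports SKIP and does not raise the warning count.

```python
import shutil
from dataclasses import dataclass
from pathlib import Path

CGROUP_ROOT = Path("/sys/fs/cgroup")  # assumption: cgroup v2 unified hierarchy

@dataclass
class Finding:
    check: str
    level: str  # "OK", "WARN" or "SKIP" (hypothetical levels for this example)
    detail: str

def probe_binary(name, path=None):
    """Report whether a runtime binary (e.g. lnav, bwrap) is on PATH."""
    found = shutil.which(name, path=path)
    if found:
        return Finding(name, "OK", found)
    return Finding(name, "WARN", f"{name} not found on PATH")

def parse_memory_events(text):
    """Parse the flat 'key value' lines of a cgroup v2 memory.events file."""
    events = {}
    for line in text.splitlines():
        key, _, value = line.partition(" ")
        if value.strip().isdigit():  # ignore malformed or empty lines
            events[key] = int(value)
    return events

def probe_memory(root=CGROUP_ROOT):
    """Read memory.current and memory.events; SKIP when they are unreadable."""
    try:
        current = int((root / "memory.current").read_text().strip())
        events = parse_memory_events((root / "memory.events").read_text())
    except (OSError, ValueError) as exc:
        # Not verifiable from here (e.g. no cgroup v2 files): do not warn.
        return Finding("memory", "SKIP", f"cgroup files unavailable: {exc}")
    kills = events.get("oom_kill", 0)
    level = "WARN" if kills else "OK"
    return Finding("memory", level, f"current={current} bytes, oom_kill={kills}")

def warning_count(findings):
    """Only WARN findings count; SKIP is informational."""
    return sum(1 for f in findings if f.level == "WARN")

if __name__ == "__main__":
    for f in [probe_binary("lnav"), probe_binary("bwrap"), probe_memory()]:
        print(f"[{f.level}] {f.check}: {f.detail}")
```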
