avoidwork · avoidwork · Jun 26, 2026 · Jun 26, 2026 · Jun 26, 2026 · Jun 26, 2026
diff --git a/Dockerfile b/Dockerfile
@@ -19,7 +19,7 @@ RUN npm prune --omit=dev && \
 FROM node:24-alpine
 
 RUN apk update && \
-    apk add --no-cache python3 ruby curl bash jq unzip wget ca-certificates git file zip xz lz4 diffutils tree rsync openssh-server openssh-client cronie ripgrep && \
+    apk add --no-cache python3 ruby curl bash jq unzip wget ca-certificates git github-cli file zip xz lz4 diffutils tree rsync openssh-server openssh-client cronie ripgrep && \
     ssh-keygen -A && \
     adduser -S -G node -h /home/madz -s /bin/sh madz && \
     mkdir -p /run/sshd /root/.cache /home/madz/.cache/madz/logs && \

diff --git a/openspec/changes/archive/2026-06-26-add-gh-cli-dockerfile-dependency/.openspec.yaml b/openspec/changes/archive/2026-06-26-add-gh-cli-dockerfile-dependency/.openspec.yaml
@@ -0,0 +1,2 @@
+schema: spec-driven
+created: 2026-06-26
diff --git a/openspec/changes/archive/2026-06-26-add-gh-cli-dockerfile-dependency/design.md b/openspec/changes/archive/2026-06-26-add-gh-cli-dockerfile-dependency/design.md
@@ -0,0 +1,48 @@
+## Context
+
+The project's Docker image is built from a multi-stage Dockerfile. The runtime stage (second FROM) installs system dependencies via `apk add --no-cache` on line 22. The `gh` CLI is not currently listed, meaning its presence in the container is implicit — it may be installed manually during development or not at all.
+
+The skill ecosystem relies on `gh` for:
+- Issue CRUD operations
+- PR creation, editing, and merging
+- Label management
+- Raw `gh api` calls
+
+All of these execute `gh` as a shell command via the `terminal` tool.
+
+## Goals / Non-Goals
+
+**Goals:**
+- Add `gh` to the `apk add` line in the Dockerfile's runtime stage
+- Ensure `gh` is present in every built container image
+- Maintain alphabetical ordering convention
+
+**Non-Goals:**
+- No code changes to `src/`, `index.js`, or skill scripts
+- No version pinning (following existing convention)
+- No documentation updates
+- No changes to the builder stage
+
+## Decisions
+
+1. **Add `gh` to existing `apk add` line** — Rather than creating a separate `RUN apk add gh` layer, append `gh` to the existing line. This keeps the Dockerfile clean and minimizes image layers.
+
+2. **Alphabetical placement** — Insert `gh` in alphabetical order among existing packages. It goes between `git` and `file` (alphabetically: `gh` < `git` < `file`... actually `gh` comes before `git` since `h` < `i`). So the order is: `...ca-certificates gh git file...`.
+
+3. **No version pinning** — Follow the existing pattern in the Dockerfile where packages are not version-pinned. This is consistent with the project's approach.
+
+4. **No additional repos** — `gh` is available in the main Alpine repository, so no additional repos or GPG keys are required.
+
+## Risks / Trade-offs
+
+- **Image size:** Adding `gh` increases the image by approximately 10-15 MB (compressed). This is negligible for the project's use case.
+- **Build time:** No meaningful impact on build time.
+- **Alpine availability:** `gh` is in the main Alpine repo, so no risk of missing packages.
+
+## Migration Plan
+
+This is a non-breaking change. No migration steps are required. The Docker image will simply include `gh` in future builds.
+
+## Open Questions
+
+None.
diff --git a/openspec/changes/archive/2026-06-26-add-gh-cli-dockerfile-dependency/proposal.md b/openspec/changes/archive/2026-06-26-add-gh-cli-dockerfile-dependency/proposal.md
@@ -0,0 +1,24 @@
+## Why
+
+The project's skill ecosystem relies heavily on the `gh` CLI for GitHub operations — issue CRUD, PR creation/editing/merging, label management, and raw API calls via the `terminal` tool. Currently, `gh` is not listed in the Dockerfile's `apk add` command, meaning its presence in the container is implicit (installed manually or not at all). Making it an explicit dependency ensures reproducibility and guarantees the binary is present in every build.
+
+## What Changes
+
+- Add `gh` to the `apk add --no-cache` line in the Dockerfile's runtime stage
+- No code changes to `src/`, `index.js`, or any skill scripts
+- No breaking changes
+
+## Capabilities
+
+### New Capabilities
+<!-- No new capabilities — this is a dependency declaration, not a feature -->
+
+### Modified Capabilities
+<!-- No spec-level behavior changes — this is purely a build dependency -->
+
+## Impact
+
+- **Dockerfile** — the single file to modify (runtime stage, line 22)
+- **Container image** — `gh` binary will be present in every built image
+- **Skills** — all skills that invoke `gh` via the `terminal` tool will have a guaranteed dependency
+- **No code changes** required in `src/` or `index.js`
diff --git a/...26-06-26-add-gh-cli-dockerfile-dependency/specs/dockerfile-dependencies/spec.md b/...26-06-26-add-gh-cli-dockerfile-dependency/specs/dockerfile-dependencies/spec.md
@@ -0,0 +1,12 @@
+## ADDED Requirements
+
+### Requirement: gh CLI must be installed in the container image
+The Dockerfile SHALL include `gh` in the `apk add --no-cache` command in the runtime stage, ensuring the GitHub CLI binary is present in every built container image.
+
+#### Scenario: gh is in the Dockerfile package list
+- **WHEN** the Dockerfile runtime stage is parsed
+- **THEN** `gh` appears in the `apk add --no-cache` command
+
+#### Scenario: gh is available in the container
+- **WHEN** the container is built and started
+- **THEN** `gh --version` executes successfully without "command not found"
diff --git a/openspec/changes/archive/2026-06-26-add-gh-cli-dockerfile-dependency/tasks.md b/openspec/changes/archive/2026-06-26-add-gh-cli-dockerfile-dependency/tasks.md
@@ -0,0 +1,5 @@
+## 1. Add gh CLI to Dockerfile
+
+- [x] 1.1 Add `gh` to the `apk add --no-cache` line in the Dockerfile runtime stage (line 22), in alphabetical order between `git` and `file`
+- [x] 1.2 Verify the Dockerfile syntax is valid after the change
+- [x] 1.3 Build the Docker image and verify `gh --version` works inside the container