fix: address Copilot review (PR #168 round 1)

9 review comments, all addressed:

entrypoint.sh:
  - /workspace/CLAUDE.md is now chmod 600 (was 644) — orchestrators may
    embed credentials or private guidance; matches the mode used for
    ~/.claude/settings.json and ~/.git-credentials earlier in the script.
  - Plugin copy is now idempotent across re-runs against a persistent
    /workspace volume. Without the rm-first the 'cp -a src dst' pattern
    against an existing dst/ creates a nested dst/<basename>/ tree.

tests/integration/test_entrypoint_workspace_injection.py:
  - Removed unused 'json' and 'tempfile' imports.

lib/python/agentic_isolation/agentic_isolation/workspace_files.py:
  - inject() now validates container_path is absolute and has a
    non-empty basename, raising ValueError otherwise. Was silently
    producing tar entries with empty/invalid filenames for paths like
    '/' or 'relative/path'.
  - Two new unit tests cover the rejection paths.

docs/workspace.md:
  - Fixed Python snippet — was mixing docker_client + client variable
    names; copy-paste-runnable now.

docs/superpowers/plans/2026-05-12-workspace-injection-contract.md:
  - Replaced the two 'docker build providers/workspaces/claude-cli'
    invocations with the canonical 'just build-workspace-claude-cli'
    (docs/issues/002 had already noted this).

CLAUDE.md:
  - Removed the absolute /Users/neural/... path; replaced with a link
    to the sibling repo's Gitea URL.

docs/handoff-workspace-files-primitive.md:
  - Deleted. The original handoff doc that kicked off this brainstorming
    described the OLD per-domain contract (/etc/agentic/domain,
    AGENTIC_DOMAIN_*, AGENTIC_ALLOWED_TOOLS, entrypoint preamble
    templating). The merged spec + ADR-035 + docs/workspace.md
    supersede it. Git history preserves it.

176 Python tests + 7 integration tests + 1 OpenAPI snapshot all green.

Author: NeuralEmpowerment

CLAUDE.md

@@ -15,8 +15,9 @@ Atomic building blocks for AI agent systems. Claude Code plugins + Python librar
 > at [`providers/workspaces/claude-cli/scripts/entrypoint.sh`](providers/workspaces/claude-cli/scripts/entrypoint.sh)
 > (section 5.5) is the source of truth for behavior;
 > [ADR-035](docs/adrs/035-workspace-injection-contract.md) is the decision
-> record. The sibling consumer (the agentic-domain-runner) is at
-> `/Users/neural/Code/HomeLab/agentic-domain-runner`.
+> record. The reference consumer is the
+> [agentic-domain-runner](https://gitea.neuralempowerment.xyz/HomeLab/agentic-domain-runner)
+> (a sibling repo).
 
 ## Repo Structure
 

docs/handoff-workspace-files-primitive.md

@@ -460,7 +460,10 @@ fi
 - [ ] **Step 3: Rebuild the workspace image**
 
 ```bash
-docker build -t agentic-workspace-claude-cli:latest providers/workspaces/claude-cli
+# Canonical build (uses scripts/build-provider.py under the hood — stages
+# the build context the Dockerfile expects). Raw `docker build` against
+# providers/workspaces/claude-cli/ does NOT work; see docs/issues/002.
+just build-workspace-claude-cli
 ```
 
 Expected: clean build, no shellcheck warnings on the new section.
@@ -1343,11 +1346,14 @@ Pick the next tag (e.g., if `latest` aliases `0.7.x`, tag `0.8.0`). Conventions
 
 ```bash
 cd /Users/neural/Code/AgentParadise/agentic-primitives
-docker build -t agentic-workspace-claude-cli:0.8.0 \
-             -t agentic-workspace-claude-cli:latest \
-             providers/workspaces/claude-cli
+just build-workspace-claude-cli   # tags `latest` + the bundled Claude CLI version
+# (or: uv run scripts/build-provider.py claude-cli)
 ```
 
+`docker build -t ... providers/workspaces/claude-cli` does NOT work
+— the Dockerfile expects a staged build context that the script
+above produces. See docs/issues/002.
+
 - [ ] **Step 3: (Optional) Push to the registry**
 
 If the project uses GHCR or a private registry, push both tags. Otherwise leave at local only.

docs/superpowers/plans/2026-05-12-workspace-injection-contract.md

@@ -107,7 +107,8 @@ mount + env:
 ```python
 from agentic_isolation import WorkspaceFiles
 
-wf = WorkspaceFiles(client=docker_client)
+client = docker_client
+wf = WorkspaceFiles(client=client)
 
 # Bind-mount mode (host-resident content)
 mount = wf.bind_mount(workspace_dir, "/etc/agentic/workspace", read_only=True)

docs/workspace.md

@@ -69,9 +69,21 @@ def inject(
 
         Must be called after ``containers.create()`` and before
         ``container.start()`` — the put_archive API requires the container
-        to exist but works regardless of running state.
+        to exist but works regardless of running state. The
+        ``container_path``'s parent directory must already exist inside
+        the container; ``put_archive`` does not create intermediate
+        directories.
+
+        Raises ``ValueError`` if ``container_path`` is not an absolute
+        path or has an empty basename (e.g. ``/`` or trailing slash).
         """
         target = Path(container_path)
+        if not target.is_absolute():
+            raise ValueError(f"container_path must be absolute, got {container_path!r}")
+        if not target.name:
+            raise ValueError(
+                f"container_path must have a non-empty basename, got {container_path!r}"
+            )
         parent = str(target.parent)
         basename = target.name
 

lib/python/agentic_isolation/agentic_isolation/workspace_files.py

@@ -70,3 +70,29 @@ def test_inject_archives_and_calls_put_archive():
     # Quick sanity: tar archives start with the filename bytes in the
     # header at offset 0 — the basename should appear in the first 100 bytes.
     assert b"CLAUDE.md" in archive_bytes[:200]
+
+
+def test_inject_rejects_relative_path():
+    """inject() raises ValueError on non-absolute container_path."""
+    from agentic_isolation.workspace_files import WorkspaceFiles
+
+    wf = WorkspaceFiles(client=MagicMock())
+    try:
+        wf.inject("ctr", "relative/path", b"x")
+    except ValueError as e:
+        assert "absolute" in str(e)
+    else:
+        raise AssertionError("expected ValueError")
+
+
+def test_inject_rejects_empty_basename():
+    """inject() raises ValueError on a path whose .name is empty (e.g. /)."""
+    from agentic_isolation.workspace_files import WorkspaceFiles
+
+    wf = WorkspaceFiles(client=MagicMock())
+    try:
+        wf.inject("ctr", "/", b"x")
+    except ValueError as e:
+        assert "basename" in str(e)
+    else:
+        raise AssertionError("expected ValueError")

lib/python/agentic_isolation/tests/test_workspace_files.py

@@ -234,7 +234,10 @@ if [ -d "${INJECT_MOUNT}" ]; then
     ctx_src="${INJECT_MOUNT}/${AGENTIC_WORKSPACE_CONTEXT:-${INJECT_DEFAULT_CONTEXT}}"
     if [ -f "${ctx_src}" ]; then
         cp "${ctx_src}" "${INJECT_TARGET_CONTEXT}"
-        chmod 644 "${INJECT_TARGET_CONTEXT}"
+        # 600 because orchestrators may embed credentials or
+        # private guidance in the workspace context. Matches the mode
+        # used for ~/.claude/settings.json and ~/.git-credentials above.
+        chmod 600 "${INJECT_TARGET_CONTEXT}"
     fi
 
     if [ -d "${INJECT_MOUNT_PLUGINS}" ]; then
@@ -243,6 +246,11 @@ if [ -d "${INJECT_MOUNT}" ]; then
             [ -n "${plugin}" ] || continue
             src="${INJECT_MOUNT_PLUGINS}/${plugin}"
             [ -f "${src}/${INJECT_PLUGIN_MANIFEST}" ] || continue
+            # rm first → idempotent across re-runs when /workspace is a
+            # persistent named volume. Without the rm, `cp -a src dst`
+            # against an existing dst/ creates a nested dst/<basename>/
+            # tree instead of overwriting.
+            rm -rf "${INJECT_TARGET_PLUGINS}/${plugin}"
             cp -a "${src}" "${INJECT_TARGET_PLUGINS}/${plugin}"
             AGENTIC_PLUGIN_FLAGS="${AGENTIC_PLUGIN_FLAGS} --plugin-dir ${INJECT_TARGET_PLUGINS}/${plugin}"
         done < <(__inject_names "${AGENTIC_WORKSPACE_PLUGINS:-}" "${INJECT_MOUNT_PLUGINS}")

providers/workspaces/claude-cli/scripts/entrypoint.sh

@@ -8,9 +8,7 @@
 See spec: docs/superpowers/specs/2026-05-12-workspace-injection-contract-design.md
 """
 
-import json
 import subprocess
-import tempfile
 from pathlib import Path
 
 import pytest