convert-to-apple-containerlisted

# Convert to Apple Container This skill switches Deus's container runtime from Docker to Apple Container (macOS-only). It uses the skills engine for deterministic code changes, then walks through verification. **What this changes:** - Container runtime binary: `docker` → `container` - Mount syntax: `-v path:path:ro` → `--mount type=bind,source=...,target=...,readonly` - Startup check: `docker info` → `container system status` (with auto-start) - Orphan detection: `docker ps --filter` → `container ls --format json` - Build script default: `docker` → `container` - Dockerfile entrypoint: `.env` shadowing via `mount --bind` inside the container (Apple Container only supports directory mounts, not file mounts like Docker's `/dev/null` overlay) - Container runner: main-group containers start as root for `mount --bind`, then drop privileges via `setpriv` **What stays the same:** - Mount security/allowlist validation - All exported interfaces and IPC protocol - Non-main container behavior (still uses `--user` flag) - All other functionality ## Prerequisites Verify Apple Container is installed: ```bash container --version && echo "Apple Container ready" || echo "Install Apple Container first" ``` If not installed: - Download from https://github.com/apple/container/releases - Install the `.pkg` file - Verify: `container --version` Apple Container requires macOS. It does not work on Linux. ## Phase 1: Pre-flight ### Check if already applied ```bash grep "CONTAINER_RUNTIME_BIN