Adoption

Agent Skills are supported by leading AI development tools.

VS Code Gemini CLI GitHub Goose Amp Cursor Claude Code Letta OpenCode Claude OpenAI Codex Factory VS Code Gemini CLI GitHub Goose Amp Cursor Claude Code Letta OpenCode Claude OpenAI Codex Factory

overthinkos/debian-coder

Name: debian-coder
Author: overthinkos

ov-images/skills/debian-coder/SKILL.md

npx skillsauth add overthinkos/overthink-plugins debian-coder

Clean

TrivyContainer and dependency vulnerability scanner

Clean

SemgrepStatic code analysis for vulnerabilities

Clean

mcp-scan (Snyk)Model Context Protocol security validation

Skipped

Snyk (dep)Open source security scanning

Skipped

Socket.devSupply chain security analysis

Skipped

VirusTotalMulti-engine malware detection

Skipped

CrowdStrikeAdvanced threat intelligence

Skipped

OSV-ScannerOpen Source Vulnerability database check

Skipped

OWASP Dep-Check

debian-coder

Debian 13 trixie counterpart of /ov-images:fedora-coder. Same 80-line tests: block, same ~30 layers, same rootless posture (uid 1000 + passwordless sudo). Key wrinkles are all Debian-specific packaging quirks handled inside individual layers: bat → batcat symlink, Microsoft's dotnet-install.sh cross-distro installer, and package-existence tests (vs binary-path tests) for virtualization because Debian bundles libvirt drivers differently.

Definition

debian-coder:
  base: debian
  ports:
    - "2222:2222"                 # sshd-wrapper
    - "18765:18765"               # ov-mcp (Streamable HTTP)
  layers:
    # Baseline
    - agent-forwarding
    - sshd
    - ov-full
    - ov-mcp
    - container-nesting
    - dbus
    - tmux

    # Language runtimes
    - language-runtimes           # Go + PHP + .NET 9 (via Microsoft dotnet-install.sh)
    - golang
    - nodejs                      # plain nodejs — Debian ships no nodejs24
    - rust
    - pixi
    - uv

    # Build + developer tooling
    - build-toolchain
    - dev-tools                   # ripgrep, bat→batcat symlink, fd-find, neovim, …
    - pre-commit
    - direnv
    - gh
    - typst
    - asciinema

    # AI coding CLIs
    - claude-code
    - codex
    - gemini
    - forgecode
    - oracle

    # DevOps / cloud / infra
    - devops-tools
    - kubernetes
    - docker-ce
    - github-actions
    - google-cloud
    - google-cloud-npm
    - grafana-tools

User model — create mode

The debian:13 upstream base image ships no pre-existing uid-1000 account. build.yml distro.debian declares no base_user:, so user_policy: auto (the default) falls through to create mode. The bootstrap section of .build/debian/Containerfile emits:

RUN if ! getent passwd 1000 >/dev/null 2>&1; then
      (getent group 1000 >/dev/null 2>&1 || groupadd -g 1000 user) &&
      useradd -m -u 1000 -g 1000 -s /bin/bash user;
    fi

Resolved identity: User=user, UID=1000, GID=1000, Home=/home/user. Identical to fedora-coder / arch-coder. Contrast with /ov-images:ubuntu-coder which runs adopt mode on ubuntu:ubuntu.

See /ov:image "user_policy" and /ov:build "base_user" for the full decision table.

Security posture

| Field | Value | Source | |---|---|---| | cap_add | (empty) | — | | security_opt | [unmask=/proc/*] | /ov-layers:container-nesting | | devices | [/dev/fuse, /dev/net/tun] | /ov-layers:container-nesting | | privileged | false | — | | Network | bridge | defaults | | UID / user | 1000 / user | create mode | | sudo | passwordless via /etc/sudoers.d/ov-user (discovered via getent passwd 1000) | /ov-layers:sshd |

Debian-specific layer quirks

bat → batcat symlink (/ov-layers:dev-tools). Debian and Ubuntu rename bat → batcat to avoid a namespace collision with a legacy bacula utility. The dev-tools layer ships a distro-tolerant cmd task that creates /usr/bin/bat -> /usr/bin/batcat when only batcat is present; no-op on Fedora/Arch.
dotnet-sdk-9.0 via Microsoft's dotnet-install.sh (/ov-layers:language-runtimes). Debian 13 main ships no .NET; Microsoft's trixie apt repo has dotnet-sdk-9.0, but using the official cross-distro dotnet-install.sh channel-pin to 9.0 gives version parity with Ubuntu (whose Microsoft noble repo only ships 10.0). Installs to /usr/share/dotnet + symlinks /usr/bin/dotnet.
libvirt tests use package: not file: (/ov-layers:virtualization). Debian bundles libvirt drivers differently from Fedora's split packaging, so file: /usr/sbin/virtqemud would false-fail. The layer now probes via package: libvirt-daemon-driver-qemu + package_map: per-distro package name.
sudoers via getent (/ov-layers:sshd). Instead of hardcoding user ALL=…, the layer runs getent passwd 1000 | cut -d: -f1 at build time to discover the actual uid-1000 account. On debian-coder that returns user; on ubuntu-coder it returns ubuntu. One cross-distro implementation, no special cases.

Empirical test results (2026-04-20)

ov image test ghcr.io/overthinkos/debian-coder:latest — 143 passed · 0 failed · 0 skipped.

ov image test ghcr.io/overthinkos/debian-coder:latest --include-deploy — live-service extension tests (sshd on 2222, supervisord, dbus, ov-mcp, virtqemud session) — not run in Phase F (disk-constrained CI environment), but expected to mirror fedora-coder's +18 additions.

Verification recipe

# 1. Validate
ov image validate

# 2. Build dependencies auto-resolve (debian → debian-builder → debian-coder)
ov image build debian-coder

# 3. Disposable-container tests
ov image test ghcr.io/overthinkos/debian-coder:latest

# 4. Deploy + live tests
ov config debian-coder
ov start debian-coder
ov image test ghcr.io/overthinkos/debian-coder:latest --include-deploy

# 5. Clean up
ov stop debian-coder

Ports

| Port | Service | Bound by | |---|---|---| | 2222 | sshd-wrapper (SSH access as user with sudo) | /ov-layers:sshd | | 18765 | ov-mcp (entire ov CLI as MCP tools, Streamable HTTP) | /ov-layers:ov-mcp |

Conflicts with the other three coder-family images on the same ports — use -i <instance> or -p <remap> to run alongside.

Image size

~10.4 GB uncompressed. Comparable to fedora-coder (~14 GB); smaller due to tighter Debian package naming (no split -devel packages, sparser optional dependencies pulled by default).

Cross-distro siblings

All four coder-family images share the identical 80-line tests: block + ~30 identical layers; they diverge only in per-layer package-format sections.

/ov-images:fedora-coder — RPM (Fedora 43 via fedora-nonfree).
/ov-images:arch-coder — pacman + optional AUR.
/ov-images:ubuntu-coder — deb on Ubuntu 24.04; adopt mode (user:ubuntu).
/ov-images:debian-coder — this image; create mode (user:user).

Related images

/ov-images:debian — parent base.
/ov-images:debian-builder — multi-stage builder for pixi/npm/cargo.

Related layers (Debian-specific content)

/ov-layers:sshd — cross-distro sudoers via getent passwd 1000.
/ov-layers:dev-tools — bat → batcat symlink task.
/ov-layers:language-runtimes — Microsoft dotnet-install.sh cross-distro pattern.
/ov-layers:virtualization — package: + package_map: pattern for libvirt.
/ov-layers:build-toolchain — Debian -dev package equivalents of Fedora's -devel.
/ov-layers:gh, /ov-layers:docker-ce, /ov-layers:kubernetes, /ov-layers:container-nesting — each adds an upstream apt repo (with GPG key) for packages not in Debian main.

Related commands

/ov:shell, /ov:config, /ov:start, /ov:stop, /ov:test
/ov:image — user_policy: field reference
/ov:build — base_user: declaration (absent for Debian)
/ov:layer — authoring reference (covers exclude_distros:, tag-section repos:, Microsoft dotnet-install pattern)

When to use this skill

MUST be invoked when the task involves:

Building, deploying, or troubleshooting debian-coder.
Comparing cross-distro parity, especially between debian-coder and ubuntu-coder (the base images differ in their pre-existing user account).
Understanding why Debian needs the dotnet-install.sh shell task (vs Fedora's native dotnet-sdk rpm).
Adding new deb: sections to layers that are currently Fedora/Arch-only.

overthinkos/debian-coder

ov-images/skills/debian-coder/SKILL.md

Kitchen-sink development image on Debian 13 trixie: coding + AI-coding CLIs + DevOps tooling in one container. Debian base, 30+ direct layers mirroring fedora-coder's stack but with deb: sections. Runs as uid 1000 (`user`) with passwordless sudo. 143/0 tests pass as of 2026-04-20. Use when working with the debian-coder image — or when comparing cross-distro parity across the four coder-family images.

tools

Updated Apr 24, 2026

$ install --global

skillsauth

npx skillsauth add overthinkos/overthink-plugins debian-coder

Install this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.

Security Scan Results

3 of 9 scanners reported clean

Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.

Scanners Passed

Scanners in report

Clean

TrivyContainer and dependency vulnerability scanner

95%

Clean

SemgrepStatic code analysis for vulnerabilities

95%

Clean

mcp-scan (Snyk)Model Context Protocol security validation

95%

Skipped

Snyk (dep)Open source security scanning

50%

Skipped

Socket.devSupply chain security analysis

50%

Skipped

VirusTotalMulti-engine malware detection

50%

Skipped

CrowdStrikeAdvanced threat intelligence

50%

Skipped

OSV-ScannerOpen Source Vulnerability database check

50%

Skipped

OWASP Dep-Check

50%

Last scanned: Apr 24, 2026, 8:34 PM0.5s1 file scanned

SKILL.md

name:: debian-coder
description:: |
Kitchen-sink development image on Debian 13 trixie:: coding + AI-coding
mirroring fedora-coder's stack but with deb:: sections. Runs as uid 1000

debian-coder

Definition

debian-coder:
  base: debian
  ports:
    - "2222:2222"                 # sshd-wrapper
    - "18765:18765"               # ov-mcp (Streamable HTTP)
  layers:
    # Baseline
    - agent-forwarding
    - sshd
    - ov-full
    - ov-mcp
    - container-nesting
    - dbus
    - tmux

    # Language runtimes
    - language-runtimes           # Go + PHP + .NET 9 (via Microsoft dotnet-install.sh)
    - golang
    - nodejs                      # plain nodejs — Debian ships no nodejs24
    - rust
    - pixi
    - uv

    # Build + developer tooling
    - build-toolchain
    - dev-tools                   # ripgrep, bat→batcat symlink, fd-find, neovim, …
    - pre-commit
    - direnv
    - gh
    - typst
    - asciinema

    # AI coding CLIs
    - claude-code
    - codex
    - gemini
    - forgecode
    - oracle

    # DevOps / cloud / infra
    - devops-tools
    - kubernetes
    - docker-ce
    - github-actions
    - google-cloud
    - google-cloud-npm
    - grafana-tools

User model — create mode

RUN if ! getent passwd 1000 >/dev/null 2>&1; then
      (getent group 1000 >/dev/null 2>&1 || groupadd -g 1000 user) &&
      useradd -m -u 1000 -g 1000 -s /bin/bash user;
    fi

Resolved identity: User=user, UID=1000, GID=1000, Home=/home/user. Identical to fedora-coder / arch-coder. Contrast with /ov-images:ubuntu-coder which runs adopt mode on ubuntu:ubuntu.

See /ov:image "user_policy" and /ov:build "base_user" for the full decision table.

Security posture

Debian-specific layer quirks

bat → batcat symlink (/ov-layers:dev-tools). Debian and Ubuntu rename bat → batcat to avoid a namespace collision with a legacy bacula utility. The dev-tools layer ships a distro-tolerant cmd task that creates /usr/bin/bat -> /usr/bin/batcat when only batcat is present; no-op on Fedora/Arch.
dotnet-sdk-9.0 via Microsoft's dotnet-install.sh (/ov-layers:language-runtimes). Debian 13 main ships no .NET; Microsoft's trixie apt repo has dotnet-sdk-9.0, but using the official cross-distro dotnet-install.sh channel-pin to 9.0 gives version parity with Ubuntu (whose Microsoft noble repo only ships 10.0). Installs to /usr/share/dotnet + symlinks /usr/bin/dotnet.
libvirt tests use package: not file: (/ov-layers:virtualization). Debian bundles libvirt drivers differently from Fedora's split packaging, so file: /usr/sbin/virtqemud would false-fail. The layer now probes via package: libvirt-daemon-driver-qemu + package_map: per-distro package name.
sudoers via getent (/ov-layers:sshd). Instead of hardcoding user ALL=…, the layer runs getent passwd 1000 | cut -d: -f1 at build time to discover the actual uid-1000 account. On debian-coder that returns user; on ubuntu-coder it returns ubuntu. One cross-distro implementation, no special cases.

Empirical test results (2026-04-20)

ov image test ghcr.io/overthinkos/debian-coder:latest — 143 passed · 0 failed · 0 skipped.

Verification recipe

# 1. Validate
ov image validate

# 2. Build dependencies auto-resolve (debian → debian-builder → debian-coder)
ov image build debian-coder

# 3. Disposable-container tests
ov image test ghcr.io/overthinkos/debian-coder:latest

# 4. Deploy + live tests
ov config debian-coder
ov start debian-coder
ov image test ghcr.io/overthinkos/debian-coder:latest --include-deploy

# 5. Clean up
ov stop debian-coder

Ports

Conflicts with the other three coder-family images on the same ports — use -i <instance> or -p <remap> to run alongside.

Image size

~10.4 GB uncompressed. Comparable to fedora-coder (~14 GB); smaller due to tighter Debian package naming (no split -devel packages, sparser optional dependencies pulled by default).

Cross-distro siblings

All four coder-family images share the identical 80-line tests: block + ~30 identical layers; they diverge only in per-layer package-format sections.

/ov-images:fedora-coder — RPM (Fedora 43 via fedora-nonfree).
/ov-images:arch-coder — pacman + optional AUR.
/ov-images:ubuntu-coder — deb on Ubuntu 24.04; adopt mode (user:ubuntu).
/ov-images:debian-coder — this image; create mode (user:user).

Related images

/ov-images:debian — parent base.
/ov-images:debian-builder — multi-stage builder for pixi/npm/cargo.

Related layers (Debian-specific content)

/ov-layers:sshd — cross-distro sudoers via getent passwd 1000.
/ov-layers:dev-tools — bat → batcat symlink task.
/ov-layers:language-runtimes — Microsoft dotnet-install.sh cross-distro pattern.
/ov-layers:virtualization — package: + package_map: pattern for libvirt.
/ov-layers:build-toolchain — Debian -dev package equivalents of Fedora's -devel.
/ov-layers:gh, /ov-layers:docker-ce, /ov-layers:kubernetes, /ov-layers:container-nesting — each adds an upstream apt repo (with GPG key) for packages not in Debian main.

Related commands

/ov:shell, /ov:config, /ov:start, /ov:stop, /ov:test
/ov:image — user_policy: field reference
/ov:build — base_user: declaration (absent for Debian)
/ov:layer — authoring reference (covers exclude_distros:, tag-section repos:, Microsoft dotnet-install pattern)

When to use this skill

MUST be invoked when the task involves:

Building, deploying, or troubleshooting debian-coder.
Comparing cross-distro parity, especially between debian-coder and ubuntu-coder (the base images differ in their pre-existing user account).
Understanding why Debian needs the dotnet-install.sh shell task (vs Fedora's native dotnet-sdk rpm).
Adding new deb: sections to layers that are currently Fedora/Arch-only.

Related Skills

overthinkos/agents

development

VerifiedTrustedCommunity

Claude Code multi-agent support in Overthink — sub-agents, dynamic workflows, and agent teams, and how each drives the existing `ov eval` disposable beds to test and verify. MUST be invoked before authoring or invoking an ov sub-agent / dynamic workflow / agent team, wiring agent-lifecycle hooks, or asking "which primitive should drive the R10 beds?".

SKILL.mdUpdated May 31, 2026

overthinkos/workspace-mount

tools

VerifiedTrustedCommunity

Mounts a virtiofs share tagged `workspace` at /workspace inside a VM guest via a systemd .mount unit. Use when a kind:vm entity shares a host directory into the guest and you need it auto-mounted (and re-mounted at every boot).

SKILL.mdUpdated May 30, 2026

overthinkos/workspace-mount

overthinkos/android

development

VerifiedTrustedCommunity

MUST be invoked before any work involving: the `kind: android` schema kind, a `target: android` deploy, the `apk:` layer package format (installing Android apps declaratively), AndroidDeployTarget, an in-pod emulator OR a remote/physical adb-endpoint device, or nested `pod → android` deployment. The first-class Android device + app surface that sits above `ov eval adb`/`appium`.

SKILL.mdUpdated May 26, 2026

overthinkos/git-workflow

tools

VerifiedTrustedCommunity

Use when committing, branching, pushing, merging, tagging, creating PRs, or approving/merging PRs with gh — the feat/-branch, R10-gated, never-force-push landing workflow across the main repo + the plugins submodule + image/<distro> submodules. Covers sync-to-upstream, branch/worktree pruning, the fork+PR path for contributors without write access, and cross-repo @github landing order.

SKILL.mdUpdated May 25, 2026

overthinkos/git-workflow

Download

For Claude Desktop. Download once, then upload the file in the app — no terminal needed.

Need help? View full Cowork setup guide →

Install manually

Choose your platform

# Clone the repo
git clone https://github.com/overthinkos/overthink-plugins.git

# Copy into Claude Code skills folder (global)
cp -r overthink-plugins/ov-images/skills/debian-coder ~/.claude/skills/

Claude Code Skills — official skills path docs.

Repository

overthinkos/overthink-plugins

Compatible with

Claude Code

OpenAI Codex CLI

ChatGPT