From 776d175306293f0673361562f1face4e8c82f072 Mon Sep 17 00:00:00 2001
From: Adam Miller <admiller@redhat.com>
Date: Tue, 16 Jun 2026 16:40:11 -0500
Subject: [PATCH] feat(base): install Goose CLI

---
 sandboxes/base/Dockerfile | 18 ++++++++++++++++++
 sandboxes/base/README.md  | 11 ++++++++++-
 2 files changed, 28 insertions(+), 1 deletion(-)

diff --git a/sandboxes/base/Dockerfile b/sandboxes/base/Dockerfile
index 45698a8..a493849 100644
--- a/sandboxes/base/Dockerfile
+++ b/sandboxes/base/Dockerfile
@@ -26,6 +26,7 @@ WORKDIR /sandbox
 # dnsutils: dig, nslookup
 # Python is managed entirely by uv (see devtools stage).
 RUN apt-get update && apt-get install -y --no-install-recommends \
+        bash \
         ca-certificates \
         curl \
         dnsutils \
@@ -92,6 +93,23 @@ RUN curl -fsSL https://claude.ai/install.sh | bash \
     && cp /root/.local/bin/claude /usr/local/bin/claude \
     && chmod 755 /usr/local/bin/claude
 
+# Install Goose CLI/agent for all OpenShell sandboxes.
+# Goose provider credentials are intentionally configured at runtime, not baked into the image.
+ARG GOOSE_VERSION=stable
+RUN curl -fsSL "https://github.com/aaif-goose/goose/releases/download/${GOOSE_VERSION}/download_cli.sh" \
+        -o /tmp/download_cli.sh \
+    && if [ "${GOOSE_VERSION}" = "stable" ]; then \
+         CONFIGURE=false env -u GOOSE_VERSION bash /tmp/download_cli.sh; \
+       else \
+         CONFIGURE=false bash /tmp/download_cli.sh; \
+       fi \
+    && rm -f /tmp/download_cli.sh \
+    && if [ -f "$HOME/.local/bin/goose" ]; then \
+         mv "$HOME/.local/bin/goose" /usr/local/bin/goose; \
+       fi \
+    && chmod +x /usr/local/bin/goose \
+    && goose --version
+
 # uv (Python package/project manager) — pinned for reproducibility.
 # uv manages the Python toolchain; no system Python packages are needed.
 COPY --from=ghcr.io/astral-sh/uv:0.10.8 /uv /usr/local/bin/uv
diff --git a/sandboxes/base/README.md b/sandboxes/base/README.md
index 7b9e098..fc644e4 100644
--- a/sandboxes/base/README.md
+++ b/sandboxes/base/README.md
@@ -9,7 +9,7 @@ The foundational sandbox image that all other OpenShell Community sandbox images
 | OS | Ubuntu 24.04 |
 | Languages | `python3` (3.14.3), `node` (22.22.1) |
 | Package managers | `npm` (11.11.0), `uv` (0.10.8), `pip` |
-| Coding agents | `claude`, `opencode`, `codex`, `copilot` |
+| Coding agents | `claude`, `goose`, `opencode`, `codex`, `copilot` |
 | Developer | `gh`, `git`, `vim`, `nano` |
 | Networking | `ping`, `dig`, `nslookup`, `nc`, `traceroute`, `netstat`, `curl` |
 
@@ -57,6 +57,15 @@ FROM ${BASE_IMAGE}
 
 See the other directories under `sandboxes/` for examples.
 
+## Goose
+
+The base image installs Goose from the official AAIF Goose repository:
+
+- https://github.com/aaif-goose/goose
+- https://goose-docs.ai/
+
+Goose provider credentials are configured at runtime and are not baked into the sandbox image.
+
 ## Codex authentication
 
 For remote or headless OpenShell environments, if browser login hangs, try authenticating Codex with: