docs: remove Docker/K3s/Kubernetes references from all documentation

Update README to reflect completed Apple Container migration: move
feat/apple-container and fix/ci-swift-bridge-dependency from In Progress
to merged status table, rewrite How It Works to describe native gateway
and container bridge architecture, remove GPU passthrough section, add
container-bridge to architecture table.

Remove K3s/Kubernetes/Docker references from: architecture docs
(sandbox-connect, sandbox-providers), agent configs (arch-doc-writer),
skill docs (update-docs), project docs (AGENTS.md, CONTRIBUTING.md),
and agent memory (arch-doc-writer MEMORY.md).

Author: persimmon16

.agents/skills/update-docs/SKILL.md

@@ -56,7 +56,7 @@ For each relevant commit, determine which doc page(s) it affects. Use this mappi
 | `crates/openshell-inference/` | `docs/inference/configure.md` |
 | `python/` (SDK changes) | `docs/reference/` or `docs/get-started/quickstart.md` |
 | `proto/` (API changes) | `docs/reference/` |
-| `deploy/` (Dockerfile, Helm) | `docs/sandboxes/manage-gateways.md`, `docs/about/architecture.md` |
+| `deploy/` (Containerfile, config) | `docs/sandboxes/manage-gateways.md`, `docs/about/architecture.md` |
 | Community sandbox definitions | `docs/sandboxes/community-sandboxes.md` |
 
 If a commit does not map to any existing page but introduces a user-visible concept, flag it as needing a new page.

.claude/agent-memory/arch-doc-writer/MEMORY.md

@@ -33,14 +33,11 @@
 - CLI cluster resolution: --cluster flag > OPENSHELL_CLUSTER env > active cluster file
 
 ## Bootstrap Crate Details
-- `docker.rs`: `ensure_container()` sets ~12 env vars (REGISTRY_*, IMAGE_*, PUSH_IMAGE_REFS, etc.)
-- `runtime.rs`: Polling params: health 180x2s, mTLS 90x2s
+- `container_runtime.rs`: RuntimeType enum, Apple Container runtime detection
+- `runtime_apple.rs`: Native macOS gateway process management, PID locking via flock
 - `metadata.rs`: Metadata at `gateways/{name}/metadata.json` (nested), mTLS at `gateways/{name}/mtls/` (nested)
-- `push.rs`: Uses `ctr` (not `k3s ctr`) with k3s containerd socket, `k8s.io` namespace
-- IMPORTANT: `ClusterHandle::destroy()` does NOT remove metadata; only CLI `cluster_admin_destroy()` in run.rs does
-- `ensure_image()`: Local-only refs (no `/`) get error with build instructions, not a Docker Hub pull attempt
-- Dockerfile.cluster: k3s v1.29.8-k3s1 base, manifests in `/opt/openshell/manifests/` (volume mount overwrites `/var/lib/`)
-- Healthcheck: checks k8s readyz, StatefulSet ready, Gateway Programmed, conditionally mTLS secret
+- IMPORTANT: No Docker, no K3s, no Kubernetes. Gateway runs as a native macOS process.
+- Container bridge: Swift daemon in `container-bridge/` translates gRPC to Apple Container API
 
 ## Server Crate Details
 - Two gRPC services: OpenShell (grpc.rs) and Inference (inference.rs), multiplexed via GrpcRouter by URI path
@@ -55,24 +52,15 @@
 - SSH handshake: "NSSH1" preface + HMAC-SHA256, used in both exec proxy (grpc.rs) and tunnel gateway (ssh_tunnel.rs)
 - Phase derivation: transient reasons (ReconcilerError, DependenciesNotReady) -> Provisioning; all others -> Error
 - Broadcast bus buffer sizes: SandboxWatchBus=128, TracingLogBus=1024, PlatformEventBus=1024
-- Sandbox CRD: `agents.x-k8s.io/v1alpha1/Sandbox`, labels: `openshell.ai/sandbox-id`, `openshell.ai/managed-by`
+- Sandbox backend: Apple Container VMs via container bridge gRPC
 - Proto files also include: `proto/inference.proto` (openshell.inference.v1)
 
 ## Container/Build Details
-- Four runtime images: sandbox (5 stages), gateway (2 stages), cluster (k3s base), pki-job (Alpine)
-- Two build-only images: python-wheels (Linux multi-arch), python-wheels-macos (osxcross cross-compile)
-- CI image: Dockerfile.ci (Ubuntu 24.04, pre-installs docker/buildx/aws/kubectl/helm/mise/uv/sccache/socat)
-- Cross-compilation: `deploy/docker/cross-build.sh` shared by sandbox + gateway Dockerfiles
-- Sandbox image has coding-agents stage: Claude CLI (native installer), OpenCode, Codex (npm)
-- Helm chart deploys a StatefulSet (NOT Deployment), PVC 1Gi at /var/openshell
-- Cluster image does NOT bundle image tarballs -- components pulled at runtime from distribution registry
-- PKI job generates CA + server cert + client cert for mTLS (RSA 2048, 10yr, Helm pre-install hook)
-- Build tasks in `tasks/*.toml`; scripts in `tasks/scripts/`
-- `cluster-deploy-fast.sh` supports both auto mode (git diff) and explicit targets (gateway/sandbox/chart/all)
-- `cluster-bootstrap.sh` ensures local Docker registry on port 5000, pushes all components, then deploys
-- Default values.yaml: repository is CloudFront-backed CDN, tag: "latest", pullPolicy: Always
-- Envoy Gateway version: v1.5.8 (set in mise.toml)
-- DNS solution in cluster-entrypoint.sh: iptables DNAT proxy (NOT host-gateway resolv.conf)
+- Gateway Containerfile: `deploy/container/Containerfile.gateway`
+- Container bridge: Swift package in `container-bridge/`, builds via `swift build -c release`
+- PKI: mTLS cert generation in bootstrap crate (RSA 2048)
+- Build tasks in `tasks/*.toml` (apple.toml for Apple Container tasks)
+- No Docker, no Helm, no K3s, no Kubernetes manifests
 
 ## Sandbox Connect Details
 - CLI SSH module: `crates/openshell-cli/src/ssh.rs` (sandbox_connect, sandbox_exec, sandbox_rsync, sandbox_ssh_proxy)

.claude/agents/arch-doc-writer.md

@@ -19,7 +19,7 @@ This is the OpenShell project — a sandbox/isolation system built in Rust.
 The docs in `architecture/` are structured as subsystem[-component].md. Key sub-systems are:
 
 - build (build system)
-- cluster (the entire deployment that can run on a single node or multi-node kubernetes cluster)
+- cluster (the gateway process and container bridge that manage sandboxes on the local machine)
 - gateway (the control plane / server system that manages a cluster and sandboxes)
 - inference (access to models for agents and what they produce, includes privacy aware model routing)
 - sandbox (long-running agentic environments that are strictly controlled by security policies)

.opencode/agents/arch-doc-writer.md

@@ -24,7 +24,7 @@ This is the OpenShell project — a sandbox/isolation system built in Rust.
 The docs in `architecture/` are structured as subsystem[-component].md. Key sub-systems are:
 
 - build (build system)
-- cluster (the entire deployment that can run on a single node or multi-node kubernetes cluster)
+- cluster (the gateway process and container bridge that manage sandboxes on the local machine)
 - gateway (the control plane / server system that manages a cluster and sandboxes)
 - inference (access to models for agents and what they produce, includes privacy aware model routing)
 - sandbox (long-running agentic environments that are strictly controlled by security policies)

AGENTS.md

@@ -40,7 +40,7 @@ These pipelines connect skills into end-to-end workflows. Individual skill files
 | `crates/openshell-tui/` | Terminal UI | Ratatui-based dashboard for monitoring |
 | `python/openshell/` | Python SDK | Python bindings and CLI packaging |
 | `proto/` | Protobuf definitions | gRPC service contracts |
-| `deploy/` | Containers, deployment config | Dockerfiles, deployment configuration |
+| `deploy/` | Deployment config | Containerfiles and deployment configuration |
 | `.agents/skills/` | Agent skills | Workflow automation for development |
 | `.agents/agents/` | Agent personas | Sub-agent definitions (e.g., reviewer, doc writer) |
 | `architecture/` | Architecture docs | Design decisions and component documentation |

CONTRIBUTING.md

@@ -196,7 +196,7 @@ These are the primary `mise` tasks for day-to-day development:
 | `python/`       | Python SDK and bindings                       |
 | `proto/`        | Protocol buffer definitions                   |
 | `tasks/`        | `mise` task definitions and build scripts     |
-| `deploy/`       | Dockerfiles, deployment configuration |
+| `deploy/`       | Containerfiles, deployment configuration |
 | `architecture/` | Architecture docs and plans                   |
 | `rfc/`          | Request for Comments proposals                |
 | `docs/`         | User-facing documentation (Sphinx/MyST)       |

README.md

@@ -13,30 +13,23 @@ This is an active fork of [NVIDIA/OpenShell](https://github.com/NVIDIA/OpenShell
 
 OpenShell is the safe, private runtime for autonomous AI agents. It provides sandboxed execution environments that protect your data, credentials, and infrastructure — governed by declarative YAML policies that prevent unauthorized file access, data exfiltration, and uncontrolled network activity.
 
-> **Fork status: active development.** The Apple Container migration is in progress. Security hardening has landed across 8 merged PRs. This fork tracks upstream and periodically syncs.
+> **Fork status: Apple Container migration complete.** Docker and K3s/Kubernetes have been fully removed. The gateway runs as a native macOS process and sandboxes are Apple Container VMs. Security hardening has landed across 8 merged PRs. This fork tracks upstream and periodically syncs.
 
 ## Fork Development Status
 
-### Merged
-
 | Area | Branch | Summary |
 |------|--------|---------|
+| Runtime | `feat/apple-container` | Core Apple Container integration: native gateway, container bridge, SSH bootstrap |
 | Security | `security/secure-defaults` | Localhost bind, enforce mode, Apple Container backend |
 | Security | `security/ci-hardening` | Fix shell injection in GitHub Actions workflows |
 | Security | `security/pki-hardening` | Constrain CA, fail-hard secrets, 365-day cert TTL |
 | Security | `security/ssh-host-key` | SSH host key verification when gateway provides fingerprint |
 | Security | `security/gateway-auth` | Insecure-mode guard, cross-sandbox credential theft fix |
 | Security | `security/misc-hardening` | PID locking, forward-spec warning, non-root container |
-| Security | `security/dead-code-removal` | Remove Kubernetes/Docker dead code from config and server |
+| Security | `security/dead-code-removal` | Remove Docker/K3s dead code from config and server |
 | Security | `security/fix-ssh-host-key-verification` | Hostname format, tempfile dep, TempDir leak fixes |
 | CI | `ci/trigger-macos-e2e` | macOS e2e validation with Apple Container install |
 | CI | `fix/release-auto-tag-signing` | Sign auto-tags via GitHub API, handle missing seed tag |
-
-### In Progress
-
-| Area | Branch | Summary |
-|------|--------|---------|
-| Runtime | `feat/apple-container` | Core Apple Container integration (21 commits ahead) |
 | CI | `fix/ci-swift-bridge-dependency` | Clone Apple Container for Swift bridge build |
 
 ## Quickstart
@@ -67,7 +60,7 @@ Both methods install the latest stable release from upstream by default. To inst
 openshell sandbox create -- claude  # or opencode, codex, copilot
 ```
 
-A gateway is created automatically on first use. To deploy on a remote host instead, pass `--remote user@host` to the create command.
+A gateway is created automatically on first use.
 
 The sandbox container includes the following tools by default:
 
@@ -126,7 +119,7 @@ OpenShell isolates each sandbox in its own container with policy-enforced egress
 | **Policy Engine**  | Enforces filesystem, network, and process constraints from application layer down to kernel. |
 | **Privacy Router** | Privacy-aware LLM routing that keeps sensitive context on sandbox compute.                   |
 
-Under the hood, all these components run as a [K3s](https://k3s.io/) Kubernetes cluster inside a container — no separate K8s install required. On this fork, the container runtime is [Apple Container](https://github.com/apple/container) on macOS (replacing the upstream Docker dependency). The `openshell gateway` commands take care of provisioning the container and cluster.
+On this fork, the gateway runs as a native macOS process and each sandbox is an [Apple Container](https://github.com/apple/container) VM. A Swift-based container bridge translates gRPC sandbox lifecycle calls into Apple Container API operations. The `openshell gateway` commands manage the gateway process and container bridge daemon.
 
 ## Protection Layers
 
@@ -145,20 +138,6 @@ Policies are declarative YAML files. Static sections (filesystem, process) are l
 
 Agents need credentials — API keys, tokens, service accounts. OpenShell manages these as **providers**: named credential bundles that are injected into sandboxes at creation. The CLI auto-discovers credentials for recognized agents (Claude, Codex, OpenCode, Copilot) from your shell environment, or you can create providers explicitly with `openshell provider create`. Credentials never leak into the sandbox filesystem; they are injected as environment variables at runtime.
 
-## GPU Support (Experimental)
-
-> **Experimental** — GPU passthrough works on supported hosts but is under active development. Expect rough edges and breaking changes.
-
-OpenShell can pass host GPUs into sandboxes for local inference, fine-tuning, or any GPU workload. Add `--gpu` when creating a sandbox:
-
-```bash
-openshell sandbox create --gpu --from [gpu-enabled-sandbox] -- claude
-```
-
-The CLI auto-bootstraps a GPU-enabled gateway on first use, auto-selecting CDI when available. GPU intent is also inferred automatically for community images with `gpu` in the name.
-
-**Requirements:** NVIDIA drivers and the [NVIDIA Container Toolkit](https://docs.nvidia.com/datacenter/cloud-native/container-toolkit/latest/install-guide.html) must be installed on the host. The sandbox image must include the appropriate GPU drivers and libraries for your workload — the default `base` image does not. See the [BYOC example](https://github.com/NVIDIA/OpenShell/tree/main/examples/bring-your-own-container) for building a custom sandbox image with GPU support.
-
 ## Supported Agents
 
 | Agent                                                         | Source                                                                           | Notes                                                                         |
@@ -188,7 +167,7 @@ See the full [CLI reference](https://github.com/NVIDIA/OpenShell/blob/main/docs/
 
 ## Terminal UI
 
-OpenShell includes a real-time terminal dashboard for monitoring gateways, sandboxes, and providers — inspired by [k9s](https://k9scli.io/).
+OpenShell includes a real-time terminal dashboard for monitoring gateways, sandboxes, and providers.
 
 ```bash
 openshell term
@@ -198,7 +177,7 @@ openshell term
   <img src="docs/assets/openshell-terminal.png" alt="OpenShell Terminal UI">
 </p>
 
-The TUI gives you a live, keyboard-driven view of your cluster. Navigate with `Tab` to switch panels, `j`/`k` to move through lists, `Enter` to select, and `:` for command mode. Cluster health and sandbox status auto-refresh every two seconds.
+The TUI gives you a live, keyboard-driven view of your gateways and sandboxes. Navigate with `Tab` to switch panels, `j`/`k` to move through lists, `Enter` to select, and `:` for command mode. Gateway health and sandbox status auto-refresh every two seconds.
 
 ## Community Sandboxes and BYOC
 
@@ -244,7 +223,8 @@ All implementation work is human-gated — agents propose plans, humans approve,
 | Sandbox | `crates/openshell-sandbox/` | Container supervision, policy-enforced egress routing |
 | Policy Engine | `crates/openshell-policy/` | Filesystem, network, process, and inference constraints |
 | Privacy Router | `crates/openshell-router/` | Privacy-aware LLM routing |
-| Bootstrap | `crates/openshell-bootstrap/` | Cluster setup, image loading, mTLS PKI |
+| Container Bridge | `container-bridge/` | Swift daemon bridging gRPC to Apple Container API |
+| Bootstrap | `crates/openshell-bootstrap/` | Gateway setup, Apple Container runtime, mTLS PKI |
 | Core | `crates/openshell-core/` | Shared types, configuration, error handling |
 | Providers | `crates/openshell-providers/` | Credential provider backends |
 | TUI | `crates/openshell-tui/` | Ratatui-based terminal dashboard |

architecture/sandbox-connect.md

@@ -96,19 +96,19 @@ sequenceDiagram
     participant gRPC as Gateway (gRPC)
     participant Proxy as CLI (ssh-proxy)
     participant GW as Gateway (/connect/ssh)
-    participant K8s as Pod Resolver
+    participant VM as Apple Container VM
     participant SSHD as Sandbox SSH Daemon
 
     CLI->>gRPC: GetSandbox(name) -> sandbox.id
     CLI->>gRPC: CreateSshSession(sandbox_id)
     gRPC-->>CLI: token, gateway_host, gateway_port, scheme, connect_path
 
-    Note over CLI: Builds ProxyCommand string<br/>exec()s into ssh process
+    Note over CLI: Builds ProxyCommand string<br/>starts ssh process
 
     User->>Proxy: ssh spawns ProxyCommand subprocess
     Proxy->>GW: CONNECT /connect/ssh HTTP/1.1<br/>X-Sandbox-Id, X-Sandbox-Token
     GW->>GW: Validate token + sandbox phase
-    GW->>K8s: Resolve pod IP (or service DNS)
+    GW->>VM: Resolve container IP
     GW->>SSHD: TCP connect to port 2222
     GW->>SSHD: NSSH1 preface (token, ts, nonce, hmac)
     SSHD-->>GW: OK

architecture/sandbox-providers.md

@@ -345,10 +345,10 @@ CLI: openshell sandbox create -- claude
         Gateway: create_sandbox()
           +-- Validates provider "claude" exists in store (fail fast)
           +-- Persists Sandbox with spec.providers = ["claude"]
-          +-- Creates K8s Sandbox CRD (no credentials in pod spec)
+          +-- Creates Apple Container VM (no credentials in container spec)
                 |
-                K8s: pod starts openshell-sandbox binary
-                  +-- OPENSHELL_SANDBOX_ID and OPENSHELL_ENDPOINT set in pod env
+                Apple Container: VM starts openshell-sandbox binary
+                  +-- OPENSHELL_SANDBOX_ID and OPENSHELL_ENDPOINT set in container env
                   |
                     Sandbox supervisor: run_sandbox()
                       +-- Fetches policy via gRPC