
Security News
pnpm 11.10 Hardens Registry Authentication to Block Token Redirection
pnpm 11.10 hardens registry auth to block token redirection, tightens pack-app and deploy, and makes the Rust port (v12) installable.
@m14i/sith
Advanced tools
Turn your context to the dark side. Standardize and share your OpenCode setup with a fully dockerized environment, designed for seamless collaboration and CI integration.
Turn your context to the dark side.
Standardize and share your OpenCode setup with a fully dockerized environment, designed for seamless collaboration and CI integration.
Install globally (recommended):
npm install -g @m14i/sith
Or use npx (slower, pulls image every time):
npx @m14i/sith@latest
# Interactive terminal UI (default)
sith
# Type your prompt to start OpenCode with that task
# Or use slash commands: /shell, /config, /help
# Direct commands
sith --it # Launch Docker shell immediately
sith --pull # Pull prebuilt image
sith --build # Build from scratch
sith --legacy # Use legacy menu interface
| Method | Command | Speed | Trust Model | Use Case |
|---|---|---|---|---|
| Prebuilt (Recommended) | sith --pull | ⚡ Fast | GitHub Actions + Cosign | Production, CI/CD |
| Local Build | sith --build | 🐌 Slow | Your machine | Air-gapped, custom builds |
| Command | Description |
|---|---|
sith | Interactive terminal UI (Claude Code style) |
sith --it | Launch Docker shell immediately |
sith --pull | Pull prebuilt image from GHCR |
sith --build | Build Docker image from scratch |
sith --legacy | Use legacy menu interface |
sith --help | Show all available commands |
When you run sith, you get an interactive terminal interface:
Prompt input:
Fix authentication bug → OpenCode launches with this taskSlash commands:
/shell → Start Docker shell only (no OpenCode)/config → Open configuration menu (pull/build options)/help → Show available commandsNavigation:
Ctrl+C or Esc → Exit terminal UIPull and verify:
# Pull (supports linux/amd64 and linux/arm64)
sith --pull
# Or use Docker directly
docker pull ghcr.io/merzoukemanouri/sith:latest
# Verify signature (optional)
cosign verify \
--certificate-identity-regexp="https://github.com/MerzoukeMansouri/sith" \
--certificate-oidc-issuer="https://token.actions.githubusercontent.com" \
ghcr.io/merzoukemanouri/sith:latest
Benefits:
Sith supports two AI providers: Claude Code (via Anthropic) and OpenCode (via GitHub Copilot).
Sith ships with the claude CLI. Authenticate it with your Anthropic account using a long-lived OAuth token — no API key required.
Step 1 — Generate the token (once, on your local machine):
claude setup-token
Follow the browser prompt, then copy the printed token. It is valid for one year and scoped to inference only.
Step 2 — Export it:
export CLAUDE_CODE_OAUTH_TOKEN=your_token_here
Make it persistent (add to ~/.zshrc or ~/.bashrc):
export CLAUDE_CODE_OAUTH_TOKEN=your_token_here
Verify:
claude auth status
# Should show: "loggedIn": true, "authMethod": "claude.ai"
Requirements: Claude Pro, Max, Team, or Enterprise subscription.
Sith uses Claude Sonnet 4.6 via GitHub Copilot by default for OpenCode. Requires a GitHub token with Copilot access.
Automatic (recommended):
If you have GitHub CLI (gh) installed and authenticated, Sith automatically fetches your token:
sith # Auto-detects token via gh auth token
Manual token:
If you don't have gh CLI or prefer manual setup:
copilot, repo, read:orgexport GITHUB_TOKEN=gho_your_token_here
sith
Make it persistent (add to ~/.zshrc or ~/.bashrc):
export GITHUB_TOKEN=$(gh auth token)
Inside container: Once OpenCode starts, authenticate with GitHub Copilot:
opencode providers login
# Follow prompts to authenticate with GitHub
Add both tokens as repository secrets, then pass them to the container:
- name: Run sith
env:
CLAUDE_CODE_OAUTH_TOKEN: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }}
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: |
docker run --rm \
-e CLAUDE_CODE_OAUTH_TOKEN=$CLAUDE_CODE_OAUTH_TOKEN \
-e GITHUB_TOKEN=$GITHUB_TOKEN \
ghcr.io/merzoukemanouri/sith:latest "claude auth status"
Generate CLAUDE_CODE_OAUTH_TOKEN once with claude setup-token and store it in Settings → Secrets → Actions as CLAUDE_CODE_OAUTH_TOKEN.
All Docker images published to ghcr.io/merzoukemanouri/sith are:
See SECURITY.md for detailed security practices and considerations.
Prebuilt Images:
Local Builds:
For more details, see the Docker Distribution Guide.
For contributors working on the CLI:
# Install dependencies
pnpm install
# Run in development mode (no build)
pnpm dev
# Build and test
pnpm dev:build # Build and run CLI
pnpm dev:shell # Build and launch shell
# Type checking
pnpm typecheck
# Clean build artifacts
pnpm clean
Automated releases using semantic-release and conventional commits.
Commit Format:
feat: - New feature (triggers minor version bump)fix: - Bug fix (triggers patch version bump)BREAKING CHANGE: - Breaking change (triggers major version bump)chore:, docs:, style: - No releaseRelease Process:
main branchExample:
git commit -m "feat: add new interactive menu option"
git push origin main
# Automatic release triggered!
Requirements:
NPM_TOKEN secret configured in GitHub repository settingsFAQs
Turn your context to the dark side. Standardize and share your OpenCode setup with a fully dockerized environment, designed for seamless collaboration and CI integration.
The npm package @m14i/sith receives a total of 47 weekly downloads. As such, @m14i/sith popularity was classified as not popular.
We found that @m14i/sith demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 1 open source maintainer collaborating on the project.
Did you know?

Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.

Security News
pnpm 11.10 hardens registry auth to block token redirection, tightens pack-app and deploy, and makes the Rust port (v12) installable.

Security News
/Research
Socket uncovered 17 malicious npm and PyPI packages typosquatting Paysafe, Skrill, and Neteller SDKs to steal developer secrets.

Security News
Node.js is debating whether AI-driven security report volume warrants moving more vulnerability reports into public workflows.