Improve macOS Apple Silicon install flow (Colima/Docker Desktop)

[piartz]

Summary

This PR improves first-time installation on macOS (Apple Silicon in particular) while preserving the existing launcher workflow.

Key goals:

• Keep the current author flow and UX.
• Reduce manual prerequisites and runtime friction for macOS users.
• Support both Docker Desktop and Colima (Docker Desktop-free path).
• Make setup closer to fire-and-forget for first-time users.

What changed

Installer bootstrap (install.sh)

• Reworked install bootstrap to be user-target aware (SUDO_USER) instead of forcing root-only behavior.
• Added macOS-aware dependency bootstrap path.
• Added Homebrew detection/bootstrapping support for macOS dependency install flow.
• Hardened macOS detection and sudo/root guard behavior.

Launcher runtime compatibility (launcher.sh)

• Added runtime preparation helpers for macOS:
  • Docker path normalization
  • Compose detection
  • Docker daemon wait logic
  • Homebrew/package ensure helpers
  • Runtime selection/bring-up helpers for Docker Desktop and Colima
• Simplified runtime prompt flow to go directly to runtime selection when Docker daemon is down.
• Added Colima architecture guard for Apple Silicon:
  • Detects x86_64 Colima profile on arm64 host
  • Offers guided recreation to arm64 (aarch64) to prevent image format failures
• Fixed stdin restoration logic for non-interactive commands (help/status/...) so /dev/tty errors do not occur in command mode.
• Fixed password generation portability on macOS by forcing LC_ALL=C for /dev/urandom filtering.

Setup robustness improvements

• Added provider-specific API key minimum-length validation in wizard step:
  • OpenRouter >= 32 chars
  • Z.ai >= 20 chars
• Prevents late container crash loops due to short placeholder keys by failing fast in the wizard.

reconFTW and Kali deployment hardening

reconFTW MCP fixes applied

1. Force linux/amd64 for reconFTW service on ARM hosts.
2. Patch reconFTW Dockerfile base image line to FROM --platform=linux/amd64 ... on ARM.
3. Patch reconFTW Dockerfile venv creation to fallback to virtualenv if ensurepip fails.
4. Force SSE defaults for MCP services so health checks and transport mode match (/sse).
5. Extend recon health timings for ARM/emulation startup.
6. Patch recon entrypoint startup path to avoid heavy auto-bootstrap during service start:
   • auto-discover existing reconftw.sh
   • skip reconftw/install.sh by default unless RECONFTW_AUTO_INSTALL=true
7. Explicitly inject RECONFTW_AUTO_INSTALL=false in WEB compose recon service environment.

Kali MCP fixes applied

1. Patch Kali command block to a robust single-line bash -lc startup command (avoids multiline parsing issues).
2. Keep package install deterministic and verify core binaries (nmap, hydra, python3) after install.

Docs (README.md)

• Updated quick-start to reflect installer bootstrap usage.
• Clarified macOS runtime options (Docker Desktop or Colima).
• Added troubleshooting and runtime-choice guidance for macOS users.
• Added explicit macOS MCP compatibility notes for reconFTW/Kali and targeted rebuild instructions.
• Added non-macOS regression-risk notes.

Validation done locally (macOS Apple Silicon)

Executed clean install tests in isolated target directory:

• BUGTRACEAI_DIR=/Users/mperezrodriguez/bugtraceai/_fresh_install ./launcher.sh
• Selected full mode and exercised runtime/dependency recovery paths.
• Confirmed API key validation catches too-short keys during wizard.
• Confirmed WEB + CLI core services healthy.
• Reproduced and fixed reconFTW deployment issues iteratively from real user logs:
  • amd64 manifest mismatch
  • Python venv ensurepip failure
  • startup timeout/unhealthy behavior
• Reproduced and fixed Kali startup command parsing issue from real user logs.

Syntax checks:

• bash -n install.sh
• bash -n launcher.sh

Regression risk assessment

• Low expected risk for non-macOS/Linux users:
  • most behavior is macOS/ARM-gated
  • recon/Kali changes apply only when optional MCP profiles are enabled
• Maintenance risk exists if upstream compose/Dockerfile/entrypoint structure changes significantly; launcher patch anchors may need adjustment.

Notes

• This PR intentionally keeps existing structure and command UX, while improving compatibility and first-run resilience for macOS users.