diff --git a/homes/aarch64-darwin/evanreichard@mac-va-mbp-work/default.nix b/homes/aarch64-darwin/evanreichard@mac-va-mbp-work/default.nix
index b14fadb..17c832c 100755
--- a/homes/aarch64-darwin/evanreichard@mac-va-mbp-work/default.nix
+++ b/homes/aarch64-darwin/evanreichard@mac-va-mbp-work/default.nix
@@ -41,6 +41,7 @@ in
 
     services = {
       sketchybar = enabled;
+      open-proxy.server = enabled;
     };
 
     security = {
diff --git a/homes/aarch64-darwin/evanreichard@mac-va-mbp-work/vm-init.sh b/homes/aarch64-darwin/evanreichard@mac-va-mbp-work/vm-init.sh
index f0d4665..09a89dd 100755
--- a/homes/aarch64-darwin/evanreichard@mac-va-mbp-work/vm-init.sh
+++ b/homes/aarch64-darwin/evanreichard@mac-va-mbp-work/vm-init.sh
@@ -33,6 +33,16 @@ else
     echo "  [✓] VM SOCKS Proxy Already Running"
 fi
 
+# Reverse tunnel so the VM's `open`/`xdg-open` reach open-proxy serve on this host.
+if ! pgrep -f "ssh -N -R 7777:127.0.0.1:7777 adios-cs" > /dev/null; then
+    echo "  [*] VM Open Proxy Starting..."
+    ssh -N -R 7777:127.0.0.1:7777 adios-cs &> /dev/null &
+    disown
+    echo "  [✓] VM Open Proxy Started"
+else
+    echo "  [✓] VM Open Proxy Already Running"
+fi
+
 echo -e "  [*] Connecting..."
 
 # Connect to VM
diff --git a/homes/aarch64-linux/evanreichard@lin-va-mbp-work-vm/default.nix b/homes/aarch64-linux/evanreichard@lin-va-mbp-work-vm/default.nix
index 6bc607a..5611029 100755
--- a/homes/aarch64-linux/evanreichard@lin-va-mbp-work-vm/default.nix
+++ b/homes/aarch64-linux/evanreichard@lin-va-mbp-work-vm/default.nix
@@ -17,6 +17,7 @@ in
 
     services = {
       ssh-agent = enabled;
+      open-proxy.client = enabled;
     };
 
     security = {
diff --git a/modules/home/programs/terminal/nvim/config/lua/lsp-config.lua b/modules/home/programs/terminal/nvim/config/lua/lsp-config.lua
index 08e888f..6d51763 100755
--- a/modules/home/programs/terminal/nvim/config/lua/lsp-config.lua
+++ b/modules/home/programs/terminal/nvim/config/lua/lsp-config.lua
@@ -241,7 +241,12 @@ setup_lsp("gopls", {
 		})
 	end,
 	filetypes = { "go" },
-	cmd = { "gopls", "-remote=auto" },
+	cmd = function(dispatchers, config)
+		return vim.lsp.rpc.start({ "gopls", "-remote=auto" }, dispatchers, {
+			cwd = config.root_dir,
+			env = { GOMEMLIMIT = "6GiB" },
+		})
+	end,
 	settings = {
 		gopls = {
 			buildFlags = { "-tags=e2e" },
diff --git a/modules/home/programs/terminal/pi/config/AGENTS.md b/modules/home/programs/terminal/pi/config/AGENTS.md
index 17e7580..21f8da6 100644
--- a/modules/home/programs/terminal/pi/config/AGENTS.md
+++ b/modules/home/programs/terminal/pi/config/AGENTS.md
@@ -46,7 +46,9 @@ Full-file reads are fine when genuinely needed, but avoid them as the default re
 
 4. **Rephrase over append**: When extending existing content (docs, comments, prose, code), prefer rephrasing to capture the new intent over tacking on more verbosity.
 
-5. **Knowledge Capture Check**: Before the final response, ask whether the task revealed a non-obvious convention, pitfall, repeatable workflow, or missing helper. If yes, briefly recommend exactly where to capture it: package/project AGENTS.md, global AGENTS.md, a skill, or a helper script. Skip this note when there is nothing meaningful.
+5. **Positive framing over prohibition**: State what _to_ do, not what _not_ to do. Default to omitting an instruction entirely rather than adding a "don't do X" rule — omission costs less context and avoids the failure mode where deleting a prohibition gets inverted into a mandate. Reserve explicit prohibitions for cases where the wrong behavior is a likely default that positive guidance alone can't redirect.
+
+6. **Knowledge Capture Check**: Before the final response, ask whether the task revealed a non-obvious convention, pitfall, repeatable workflow, or missing helper. If yes, briefly recommend exactly where to capture it: package/project AGENTS.md, global AGENTS.md, a skill, or a helper script. Skip this note when there is nothing meaningful.
 
 ## Style
 
diff --git a/modules/home/programs/terminal/pi/config/skills/create-skill/SKILL.md b/modules/home/programs/terminal/pi/config/skills/create-skill/SKILL.md
index 7c7770a..8b61318 100644
--- a/modules/home/programs/terminal/pi/config/skills/create-skill/SKILL.md
+++ b/modules/home/programs/terminal/pi/config/skills/create-skill/SKILL.md
@@ -48,6 +48,7 @@ description: "<One-liner: what it does and when to trigger. Keep under ~200 char
 - **Needs configurable values (paths, identifiers, etc.; not secrets — values are stored as plaintext files)?** Copy `assets/variable.sh` into the new skill's `scripts/` dir as-is. Callers use `variable.sh --get NAME [--require-exec RELPATH]`; the helper prints self-explaining `--set` instructions on "unset" or "set-but-invalid" and exits non-zero, so callers just propagate. The helper self-ignores its `.vars/` store on first `--set`, so no `.gitignore` setup is needed.
 - **Frontmatter is required.** `name` and `description` fields. The description is what the agent uses to decide whether to load the skill, so make it specific about trigger conditions.
 - **Don't over-specify.** Trust the agent to fill gaps. Document the _what_ and _when_, not every micro-step.
+- **Frame positively; omit rather than prohibit.** Write what the agent _should_ do. Prefer leaving a rule out over adding "don't do X" (see AGENTS.md principle: _Positive framing over prohibition_).
 - **Split workflow from reference when the reference surface grows.** If a skill accumulates lookup tables, mapping rules, or capability references that the workflow consults, move them into a sibling `<skill>/<category>/` directory (e.g. `mappings/`, `references/`) with one sub-doc per category and an index `README.md`. Keep `SKILL.md` focused on the hot path — workflow, hard rules, and a short table pointing at the sub-docs. Include a brief style guide in the index README covering (a) defer to authoritative sources (stubs, schemas, generated docs) whenever possible, (b) row/entry formatting conventions, (c) when to create a new sub-doc vs. extend an existing one.
 
 ### 3. Present for Review
diff --git a/modules/home/services/open-proxy/default.nix b/modules/home/services/open-proxy/default.nix
new file mode 100644
index 0000000..e80caa8
--- /dev/null
+++ b/modules/home/services/open-proxy/default.nix
@@ -0,0 +1,61 @@
+{ config
+, lib
+, pkgs
+, namespace
+, ...
+}:
+let
+  inherit (lib) mkIf mkEnableOption;
+  cfg = config.${namespace}.services.open-proxy;
+  package = pkgs.reichard.open-proxy;
+in
+{
+  options.${namespace}.services.open-proxy = {
+    server.enable = mkEnableOption "open-proxy host server (opens forwarded URLs/files on this machine)";
+    client.enable = mkEnableOption "open-proxy client (shadows open/xdg-open to forward to the host)";
+  };
+
+  config = lib.mkMerge [
+    (mkIf cfg.server.enable {
+      assertions = [
+        {
+          assertion = pkgs.stdenv.isDarwin;
+          message = "reichard.services.open-proxy.server is only supported on macOS (Darwin).";
+        }
+      ];
+
+      launchd.agents.open-proxy = {
+        enable = true;
+        config = {
+          Label = "io.reichard.open-proxy";
+          ProgramArguments = [ "${package}/bin/open-proxy" "serve" ];
+          RunAtLoad = true;
+          KeepAlive = true;
+          # open(1) lives in /usr/bin; launchd agents don't inherit a login PATH.
+          EnvironmentVariables.PATH = "/usr/bin:/bin:/usr/sbin:/sbin";
+          StandardOutPath = "${config.home.homeDirectory}/Library/Logs/open-proxy/open-proxy.out.log";
+          StandardErrorPath = "${config.home.homeDirectory}/Library/Logs/open-proxy/open-proxy.err.log";
+        };
+      };
+    })
+
+    (mkIf cfg.client.enable {
+      assertions = [
+        {
+          assertion = pkgs.stdenv.isLinux;
+          message = "reichard.services.open-proxy.client is only supported on Linux.";
+        }
+      ];
+
+      # Shadow the openers via ~/.local/bin (prepended to PATH below). open-proxy
+      # keys off argv[0], so these symlinks run in client mode and fall back to
+      # any real opener further down PATH when the host is unreachable.
+      home.file = {
+        ".local/bin/open".source = "${package}/bin/open-proxy";
+        ".local/bin/xdg-open".source = "${package}/bin/open-proxy";
+      };
+
+      home.sessionPath = [ "$HOME/.local/bin" ];
+    })
+  ];
+}
diff --git a/packages/open-proxy/default.nix b/packages/open-proxy/default.nix
new file mode 100644
index 0000000..91bf7d8
--- /dev/null
+++ b/packages/open-proxy/default.nix
@@ -0,0 +1,25 @@
+{ lib
+, buildGoModule
+, fetchgit
+}:
+
+buildGoModule rec {
+  pname = "open-proxy";
+  version = "unstable-2026-06-09";
+
+  src = fetchgit {
+    url = "https://gitea.va.reichard.io/evan/open-proxy.git";
+    rev = "2cedcf448c984192d043b82ec9d614a349b0450b";
+    hash = "sha256-R7JbWPkU8A6uABroNYBu+8K75xDK+VTuuBUPOaOEb+k=";
+  };
+
+  vendorHash = null;
+
+  meta = {
+    description = "Forward `open`/`xdg-open` from a remote VM to the host machine";
+    homepage = "https://gitea.va.reichard.io/evan/open-proxy";
+    license = lib.licenses.mit;
+    maintainers = with lib.maintainers; [ evanreichard ];
+    mainProgram = "open-proxy";
+  };
+}