@companyhelm/runner 0.1.1 → 0.1.3

package/RUNTIME_IMAGE_VERSION

@@ -1 +1 @@
-0.0.9
+0.0.11

package/dist/commands/doctor.js

@@ -0,0 +1,44 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.runRunnerDoctorCommand = runRunnerDoctorCommand;
+exports.registerDoctorCommand = registerDoctorCommand;
+const config_js_1 = require("../config.js");
+const entrypoints_js_1 = require("../preflight/entrypoints.js");
+class RunnerDoctorCommand {
+    constructor(dependencies = {}) {
+        this.stdout = dependencies.stdout ?? process.stdout;
+        this.runPreflightFn = dependencies.runPreflightFn ?? entrypoints_js_1.runRunnerPreflight;
+    }
+    async run(options) {
+        const cfg = config_js_1.config.parse({});
+        const summary = await this.runPreflightFn({
+            cfg,
+            applyFixes: options.fix === true,
+        });
+        this.stdout.write(`${(0, entrypoints_js_1.formatRunnerPreflightSummary)(summary)}\n`);
+        return summary;
+    }
+}
+async function runRunnerDoctorCommand(options, dependencies) {
+    return await new RunnerDoctorCommand(dependencies).run(options);
+}
+function registerDoctorCommand(program) {
+    const doctorCommand = program
+        .command("doctor")
+        .description("Run runner host preflight checks.");
+    doctorCommand.action(async () => {
+        const summary = await runRunnerDoctorCommand({ fix: false });
+        if (!summary.passed) {
+            process.exitCode = 1;
+        }
+    });
+    doctorCommand
+        .command("fix")
+        .description("Attempt to fix supported runner host preflight failures.")
+        .action(async () => {
+        const summary = await runRunnerDoctorCommand({ fix: true });
+        if (!summary.passed) {
+            process.exitCode = 1;
+        }
+    });
+}

package/dist/commands/register-commands.js

@@ -1,6 +1,7 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.registerCommands = registerCommands;
+const doctor_js_1 = require("./doctor.js");
 const logs_js_1 = require("./logs.js");
 const start_js_1 = require("./runner/start.js");
 const stop_js_1 = require("./runner/stop.js");
@@ -11,6 +12,7 @@ const register_thread_commands_js_1 = require("./thread/register-thread-commands
 function registerCommands(program) {
     (0, start_js_1.registerRunnerStartCommand)(program);
     (0, stop_js_1.registerRunnerStopCommand)(program);
+    (0, doctor_js_1.registerDoctorCommand)(program);
     (0, status_js_1.registerStatusCommand)(program);
     (0, logs_js_1.registerLogsCommand)(program);
     (0, register_thread_commands_js_1.registerThreadCommands)(program);

package/dist/commands/root.js

@@ -74,7 +74,11 @@ const daemon_js_1 = require("../utils/daemon.js");
 const logger_js_1 = require("../utils/logger.js");
 const path_js_1 = require("../utils/path.js");
 const terminal_js_1 = require("../utils/terminal.js");
-const workspace_agents_js_1 = require("../service/workspace_agents.js");
+const daemon_startup_watchdog_js_1 = require("../utils/daemon_startup_watchdog.js");
+const thread_metadata_store_js_1 = require("../provisioning/host_provisioning/thread_metadata_store.js");
+const thread_workspace_provisioner_js_1 = require("../provisioning/host_provisioning/thread_workspace_provisioner.js");
+const system_prompt_js_1 = require("../provisioning/runtime_provisioning/system_prompt.js");
+const entrypoints_js_1 = require("../preflight/entrypoints.js");
 const auth_js_1 = require("./sdk/codex/auth.js");
 const COMMAND_CHANNEL_CONNECT_RETRY_DELAY_MS = 1000;
 const COMMAND_CHANNEL_OPEN_TIMEOUT_MS = 5000;
@@ -95,7 +99,7 @@ const YOLO_SANDBOX_MODE = "danger-full-access";
 const YOLO_SANDBOX_POLICY = { type: "dangerFullAccess" };
 const DOCKER_INTERNAL_HOSTNAME = "host.docker.internal";
 const LOCALHOST_HOSTNAMES = new Set(["localhost", "127.0.0.1", "0.0.0.0", "::1"]);
-const DAEMON_STARTUP_TIMEOUT_MS = 15000;
+const DAEMON_STARTUP_TIMEOUT_MS = 60000;
 class RootCommandInterruptedError extends Error {
     constructor(message = "Root command interrupted.") {
         super(message);
@@ -1056,7 +1060,7 @@ function readWorkspaceThreadGitSkillsConfig(workspaceDirectory, logger) {
     }
 }
 async function ensureThreadGitSkillsInRuntime(cfg, threadState, containerService, logger) {
-    const packages = readWorkspaceThreadGitSkillsConfig(threadState.workspace, logger);
+    const packages = new thread_metadata_store_js_1.ThreadMetadataStore(cfg.config_directory, logger).readThreadGitSkillsConfig(threadState.id);
     if (packages.length === 0) {
         return;
     }
@@ -1104,8 +1108,11 @@ async function reconcileThreadRunningStateBeforeUserMessage(cfg, threadState, lo
             isCurrentTurnRunning: false,
         };
     }
-    const threadMcpSetup = buildThreadCodexMcpSetup(readWorkspaceThreadMcpConfig(threadState.workspace, logger));
-    const threadAgentCliConfig = readWorkspaceThreadAgentCliConfig(threadState.workspace, logger);
+    const metadataStore = new thread_metadata_store_js_1.ThreadMetadataStore(cfg.config_directory, logger);
+    const persistedThreadMcpServers = metadataStore.readThreadMcpConfig(threadState.id);
+    const persistedThreadGitSkillPackages = metadataStore.readThreadGitSkillsConfig(threadState.id);
+    const threadMcpSetup = buildThreadCodexMcpSetup(persistedThreadMcpServers);
+    const threadAgentCliConfig = buildThreadAgentCliConfig(threadState.cliSecret, cfg.agent_api_url);
     const appServerSession = await getOrCreateThreadAppServerSession(threadState.id, threadState.runtimeContainer, threadMcpSetup.appServerEnv, cfg.codex.app_server_client_name, logger);
     const runtimeUser = buildThreadRuntimeUser(cfg, threadState);
     await (0, thread_runtime_js_1.ensureThreadRuntimeReady)({
@@ -1117,6 +1124,11 @@ async function reconcileThreadRunningStateBeforeUserMessage(cfg, threadState, lo
         user: runtimeUser,
     });
     await ensureThreadGitSkillsInRuntime(cfg, threadState, containerService, logger);
+    await containerService.ensureRuntimeContainerThreadMetadata(threadState.runtimeContainer, runtimeUser, {
+        mcpServers: persistedThreadMcpServers,
+        gitSkillPackages: persistedThreadGitSkillPackages,
+        threadAgentCliConfig,
+    });
     if (threadAgentCliConfig) {
         await containerService.ensureRuntimeContainerAgentCliConfig(threadState.runtimeContainer, runtimeUser, threadAgentCliConfig);
     }
@@ -1151,14 +1163,22 @@ async function reconcileThreadRunningStateBeforeUserMessage(cfg, threadState, lo
         isCurrentTurnRunning: false,
     };
 }
-async function listTrackedThreadWorkspaces(cfg, logger) {
+async function listTrackedThreadRuntimeTargets(cfg, logger) {
     const { db, client } = await (0, db_js_1.initDb)(cfg.state_db_path);
     try {
-        const rows = await db.select({ workspace: schema_js_1.threads.workspace }).from(schema_js_1.threads);
-        return [...new Set(rows.map((row) => row.workspace.trim()).filter((workspace) => workspace.length > 0))];
+        return await db
+            .select({
+            threadId: schema_js_1.threads.id,
+            runtimeContainer: schema_js_1.threads.runtimeContainer,
+            homeDirectory: schema_js_1.threads.homeDirectory,
+            uid: schema_js_1.threads.uid,
+            gid: schema_js_1.threads.gid,
+        })
+            .from(schema_js_1.threads)
+            .all();
     }
     catch (error) {
-        logger.warn(`Failed to list tracked thread workspaces for GitHub installation sync: ${toErrorMessage(error)}`);
+        logger.warn(`Failed to list tracked thread runtimes for GitHub installation sync: ${toErrorMessage(error)}`);
         return [];
     }
     finally {
@@ -1179,19 +1199,35 @@ function resolveGithubInstallationsSyncDelayMs(installations) {
     }
     return Math.max(GITHUB_INSTALLATIONS_MIN_SYNC_INTERVAL_MS, Math.min(GITHUB_INSTALLATIONS_SYNC_INTERVAL_MS, syncDelayMs));
 }
-async function syncGithubInstallationsForWorkspaces(apiClient, options, workspaceDirectories, logger) {
-    const uniqueWorkspaces = [
-        ...new Set(workspaceDirectories.map((workspace) => workspace.trim()).filter((workspace) => workspace.length > 0)),
+async function syncGithubInstallationsForRuntimeTargets(cfg, apiClient, options, runtimeTargets, logger) {
+    const uniqueTargets = [
+        ...new Map(runtimeTargets
+            .filter((target) => target.runtimeContainer.trim().length > 0)
+            .map((target) => [target.runtimeContainer, target])).values(),
     ];
-    if (uniqueWorkspaces.length === 0) {
+    if (uniqueTargets.length === 0) {
         return [];
     }
     const installations = await loadRuntimeGithubInstallations(apiClient, options, logger);
     const payload = buildWorkspaceGithubInstallationsPayload(installations);
-    for (const workspaceDirectory of uniqueWorkspaces) {
-        writeWorkspaceGithubInstallationsPayload(workspaceDirectory, payload, logger);
+    const containerService = new thread_lifecycle_js_1.ThreadContainerService();
+    for (const target of uniqueTargets) {
+        try {
+            if (!await containerService.isContainerRunning(target.runtimeContainer)) {
+                continue;
+            }
+            await containerService.ensureRuntimeContainerGithubInstallations(target.runtimeContainer, {
+                uid: target.uid,
+                gid: target.gid,
+                agentUser: cfg.agent_user,
+                agentHomeDirectory: target.homeDirectory,
+            }, payload);
+        }
+        catch (error) {
+            logger.warn(`Failed syncing GitHub installations into runtime container '${target.runtimeContainer}': ${toErrorMessage(error)}`);
+        }
     }
-    logger.debug(`Synced ${installations.length} GitHub installation token(s) to ${uniqueWorkspaces.length} workspace(s).`);
+    logger.debug(`Synced ${installations.length} GitHub installation token(s) to ${uniqueTargets.length} runtime container(s).`);
     return installations;
 }
 async function waitForAbort(signal, delayMs) {
@@ -1215,8 +1251,8 @@ async function runGithubInstallationsSyncLoop(cfg, apiClient, options, logger, s
     while (!signal.aborted) {
         let nextDelayMs = GITHUB_INSTALLATIONS_SYNC_INTERVAL_MS;
         try {
-            const workspaces = await listTrackedThreadWorkspaces(cfg, logger);
-            const installations = await syncGithubInstallationsForWorkspaces(apiClient, options, workspaces, logger);
+            const runtimeTargets = await listTrackedThreadRuntimeTargets(cfg, logger);
+            const installations = await syncGithubInstallationsForRuntimeTargets(cfg, apiClient, options, runtimeTargets, logger);
             nextDelayMs = resolveGithubInstallationsSyncDelayMs(installations);
         }
         catch (error) {
@@ -1243,8 +1279,23 @@ function normalizeAdditionalModelInstructions(value) {
     const trimmed = value.trim();
     return trimmed.length > 0 ? trimmed : null;
 }
-function buildThreadDeveloperInstructions(additionalModelInstructions) {
-    return normalizeAdditionalModelInstructions(additionalModelInstructions);
+function buildThreadAgentCliConfig(cliSecret, agentApiUrl) {
+    const normalizedSecret = normalizeNonEmptyString(cliSecret);
+    if (!normalizedSecret) {
+        return null;
+    }
+    return {
+        agent_api_url: normalizeThreadAgentApiUrlForRuntime(agentApiUrl),
+        token: normalizedSecret,
+    };
+}
+function buildThreadDeveloperInstructions(cfg, additionalModelInstructions, cliSecret) {
+    return (0, system_prompt_js_1.buildCodexDeveloperInstructions)(additionalModelInstructions, {
+        homeDirectory: cfg.agent_home_directory,
+        agentApiUrl: normalizeThreadAgentApiUrlForRuntime(cfg.agent_api_url),
+        agentToken: normalizeNonEmptyString(cliSecret) ?? "<thread-secret>",
+        workspaceMode: cfg.use_dedicated_workspaces ? "dedicated" : "shared",
+    });
 }
 function buildUserTextInput(text) {
     return [
@@ -1598,16 +1649,22 @@ async function loadCodexSdkState(cfg) {
         client.close();
     }
 }
-async function refreshCodexModelsForRegistration(cfg, logger) {
+async function refreshCodexModelsForRegistration(cfg, logger, reportProgress) {
     const codexSdk = await loadCodexSdkState(cfg);
     if (!codexSdk || codexSdk.status !== "configured" || codexSdk.authentication === "unauthenticated") {
         logger.info("Codex is not configured; registering runner with unconfigured Codex SDK state.");
         return null;
     }
     try {
-        const results = await (0, refresh_models_js_1.refreshSdkModels)({ sdk: "codex", logger });
+        reportProgress?.("Refreshing Codex models from the local app-server.");
+        const results = await (0, refresh_models_js_1.refreshSdkModels)({
+            sdk: "codex",
+            logger,
+            imageStatusReporter: reportProgress,
+        });
         const modelCount = results[0]?.modelCount ?? 0;
         logger.info(`Refreshed Codex models from container app-server (${modelCount} models).`);
+        reportProgress?.(`Refreshed Codex models from container app-server (${modelCount} models).`);
         return null;
     }
     catch (error) {
@@ -1679,7 +1736,9 @@ async function handleCreateThreadRequest(cfg, commandChannel, request, requestId
         return;
     }
     const { db, client } = await (0, db_js_1.initDb)(cfg.state_db_path);
-    const threadDirectory = (0, thread_lifecycle_js_1.resolveThreadDirectory)(cfg.config_directory, cfg.workspaces_directory, threadId);
+    const workspaceProvisioner = new thread_workspace_provisioner_js_1.ThreadWorkspaceProvisioner(cfg.config_directory, cfg.workspaces_directory, cfg.workspace_path, cfg.use_dedicated_workspaces);
+    const metadataStore = new thread_metadata_store_js_1.ThreadMetadataStore(cfg.config_directory, logger);
+    const threadDirectory = workspaceProvisioner.resolveWorkspaceDirectory(threadId);
     const containerNames = (0, thread_lifecycle_js_1.buildThreadContainerNames)(threadId);
     const hostInfo = (0, host_js_1.getHostInfo)(cfg.codex.codex_auth_path);
     const normalizedAdditionalModelInstructions = normalizeAdditionalModelInstructions(request.additionalModelInstructions);
@@ -1741,12 +1800,9 @@ async function handleCreateThreadRequest(cfg, commandChannel, request, requestId
     finally {
         client.close();
     }
-    (0, node_fs_1.mkdirSync)(threadDirectory, { recursive: true });
-    (0, workspace_agents_js_1.ensureWorkspaceAgentsMd)(threadDirectory, cfg.agent_home_directory);
-    writeWorkspaceThreadGitSkillsConfig(threadDirectory, threadGitSkillPackages, logger);
-    writeWorkspaceThreadMcpConfig(threadDirectory, threadMcpServers, logger);
-    writeWorkspaceThreadAgentCliConfig(threadDirectory, cliSecret, cfg.agent_api_url, logger);
-    await syncGithubInstallationsForWorkspaces(apiClient, apiCallOptions, [threadDirectory], logger);
+    workspaceProvisioner.ensureWorkspaceDirectory(threadId);
+    metadataStore.writeThreadGitSkillsConfig(threadId, threadGitSkillPackages);
+    metadataStore.writeThreadMcpConfig(threadId, threadMcpServers);
     logger.debug(`Thread '${threadId}' workspace initialized at '${threadDirectory}'.`);
     const containerService = new thread_lifecycle_js_1.ThreadContainerService();
     const mounts = (0, thread_lifecycle_js_1.buildSharedThreadMounts)({
@@ -1796,8 +1852,10 @@ async function handleCreateThreadRequest(cfg, commandChannel, request, requestId
         if (!threadState) {
             throw new Error(`Thread '${threadId}' disappeared before SDK bootstrap.`);
         }
-        const threadMcpSetup = buildThreadCodexMcpSetup(readWorkspaceThreadMcpConfig(threadState.workspace, logger));
-        const threadAgentCliConfig = readWorkspaceThreadAgentCliConfig(threadState.workspace, logger);
+        const persistedThreadMcpServers = metadataStore.readThreadMcpConfig(threadState.id);
+        const persistedThreadGitSkillPackages = metadataStore.readThreadGitSkillsConfig(threadState.id);
+        const threadMcpSetup = buildThreadCodexMcpSetup(persistedThreadMcpServers);
+        const threadAgentCliConfig = buildThreadAgentCliConfig(threadState.cliSecret, cfg.agent_api_url);
         const appServerSession = await getOrCreateThreadAppServerSession(threadId, threadState.runtimeContainer, threadMcpSetup.appServerEnv, cfg.codex.app_server_client_name, logger);
         const runtimeUser = {
             uid: threadState.uid,
@@ -1814,14 +1872,28 @@ async function handleCreateThreadRequest(cfg, commandChannel, request, requestId
             user: runtimeUser,
         });
         await ensureThreadGitSkillsInRuntime(cfg, threadState, containerService, logger);
+        await containerService.ensureRuntimeContainerThreadMetadata(threadState.runtimeContainer, runtimeUser, {
+            mcpServers: persistedThreadMcpServers,
+            gitSkillPackages: persistedThreadGitSkillPackages,
+            threadAgentCliConfig,
+        });
         if (threadAgentCliConfig) {
             await containerService.ensureRuntimeContainerAgentCliConfig(threadState.runtimeContainer, runtimeUser, threadAgentCliConfig);
         }
+        await syncGithubInstallationsForRuntimeTargets(cfg, apiClient, apiCallOptions, [
+            {
+                threadId: threadState.id,
+                runtimeContainer: threadState.runtimeContainer,
+                homeDirectory: threadState.homeDirectory,
+                uid: threadState.uid,
+                gid: threadState.gid,
+            },
+        ], logger);
         if (!appServerSession.started) {
             await containerService.ensureRuntimeContainerCodexConfig(threadState.runtimeContainer, runtimeUser, threadMcpSetup.configToml);
         }
         await ensureThreadAppServerSessionStarted(appServerSession);
-        const developerInstructions = buildThreadDeveloperInstructions(threadState.additionalModelInstructions);
+        const developerInstructions = buildThreadDeveloperInstructions(cfg, threadState.additionalModelInstructions, threadState.cliSecret);
         logger.debug(`Starting app-server thread '${threadId}' with developer instructions: ${JSON.stringify(developerInstructions)}.`);
         const threadStartResponse = await appServerSession.appServer.startThreadWithResponse({
             model: threadState.model,
@@ -1904,6 +1976,7 @@ async function deleteThreadWithCleanup(cfg, request) {
     const containerService = new thread_lifecycle_js_1.ThreadContainerService();
     try {
         const containerNames = (0, thread_lifecycle_js_1.buildThreadContainerNames)(existingThread.id);
+        const workspaceProvisioner = new thread_workspace_provisioner_js_1.ThreadWorkspaceProvisioner(cfg.config_directory, cfg.workspaces_directory, cfg.workspace_path, cfg.use_dedicated_workspaces);
         await stopThreadAppServerSession(request.threadId);
         threadRolloutPaths.delete(request.threadId);
         await containerService.forceRemoveContainer(existingThread.runtimeContainer);
@@ -1912,7 +1985,8 @@ async function deleteThreadWithCleanup(cfg, request) {
         }
         await containerService.forceRemoveVolume(containerNames.home);
         await containerService.forceRemoveVolume(containerNames.tmp);
-        removeWorkspaceDirectory(existingThread.workspace);
+        workspaceProvisioner.removeWorkspaceDirectory(existingThread.id, existingThread.workspace);
+        new thread_metadata_store_js_1.ThreadMetadataStore(cfg.config_directory, (0, logger_js_1.createLogger)("ERROR")).removeThreadMetadata(existingThread.id);
     }
     catch (error) {
         return {
@@ -2071,8 +2145,11 @@ async function waitForThreadTurnCompletion(stateDbPath, appServer, commandChanne
 }
 async function executeCreateUserMessageRequest(cfg, commandChannel, request, requestId, threadState, startedFromIdle, trackTurnCompletion, logger) {
     const containerService = new thread_lifecycle_js_1.ThreadContainerService();
-    const threadMcpSetup = buildThreadCodexMcpSetup(readWorkspaceThreadMcpConfig(threadState.workspace, logger));
-    const threadAgentCliConfig = readWorkspaceThreadAgentCliConfig(threadState.workspace, logger);
+    const metadataStore = new thread_metadata_store_js_1.ThreadMetadataStore(cfg.config_directory, logger);
+    const persistedThreadMcpServers = metadataStore.readThreadMcpConfig(threadState.id);
+    const persistedThreadGitSkillPackages = metadataStore.readThreadGitSkillsConfig(threadState.id);
+    const threadMcpSetup = buildThreadCodexMcpSetup(persistedThreadMcpServers);
+    const threadAgentCliConfig = buildThreadAgentCliConfig(threadState.cliSecret, cfg.agent_api_url);
     const appServerSession = await getOrCreateThreadAppServerSession(request.threadId, threadState.runtimeContainer, threadMcpSetup.appServerEnv, cfg.codex.app_server_client_name, logger);
     const appServer = appServerSession.appServer;
     const runtimeUser = buildThreadRuntimeUser(cfg, threadState);
@@ -2093,6 +2170,11 @@ async function executeCreateUserMessageRequest(cfg, commandChannel, request, req
             user: runtimeUser,
         });
         await ensureThreadGitSkillsInRuntime(cfg, threadState, containerService, logger);
+        await containerService.ensureRuntimeContainerThreadMetadata(threadState.runtimeContainer, runtimeUser, {
+            mcpServers: persistedThreadMcpServers,
+            gitSkillPackages: persistedThreadGitSkillPackages,
+            threadAgentCliConfig,
+        });
         if (threadAgentCliConfig) {
             await containerService.ensureRuntimeContainerAgentCliConfig(threadState.runtimeContainer, runtimeUser, threadAgentCliConfig);
         }
@@ -2119,7 +2201,7 @@ async function executeCreateUserMessageRequest(cfg, commandChannel, request, req
             await updateThreadTurnState(cfg, request.threadId, { sdkThreadId });
         }
         else {
-            const developerInstructions = buildThreadDeveloperInstructions(threadState.additionalModelInstructions);
+            const developerInstructions = buildThreadDeveloperInstructions(cfg, threadState.additionalModelInstructions, threadState.cliSecret);
             const threadStartParams = {
                 model: request.model ?? threadState.model,
                 modelProvider: null,
@@ -2498,20 +2580,20 @@ async function runDetachedDaemonProcess(options) {
                 windowsHide: true,
             });
             let settled = false;
-            const timeout = setTimeout(() => {
+            const startupWatchdog = new daemon_startup_watchdog_js_1.DaemonStartupWatchdog(DAEMON_STARTUP_TIMEOUT_MS, () => {
                 if (settled) {
                     return;
                 }
                 settled = true;
                 child.kill();
                 reject(new Error(`Timed out waiting for daemon startup confirmation. See ${logPath}.`));
-            }, DAEMON_STARTUP_TIMEOUT_MS);
+            });
             const finish = (callback) => {
                 if (settled) {
                     return;
                 }
                 settled = true;
-                clearTimeout(timeout);
+                startupWatchdog.finish();
                 callback();
             };
             child.once("error", (error) => {
@@ -2527,6 +2609,10 @@ async function runDetachedDaemonProcess(options) {
                     return;
                 }
                 const type = message.type;
+                if (type === "daemon-progress") {
+                    startupWatchdog.bump();
+                    return;
+                }
                 if (type === "daemon-ready") {
                     finish(() => {
                         if (child.connected) {
@@ -2558,11 +2644,12 @@ function sendDaemonParentMessage(message) {
 async function runRootCommand(options, runtimeOptions) {
     const logger = (0, logger_js_1.createLogger)(options.logLevel ?? "INFO", { daemonMode: options.daemon ?? false });
     const cfg = buildRootConfig(options);
+    await (0, entrypoints_js_1.ensureRunnerStartupPreflight)(cfg);
     await (0, auth_js_1.ensureCodexRunnerStartState)(cfg, {
         useDedicatedAuth: options.useDedicatedAuth,
         logInfo: (message) => logger.info(message),
     });
-    const codexRefreshErrorMessage = await refreshCodexModelsForRegistration(cfg, logger);
+    const codexRefreshErrorMessage = await refreshCodexModelsForRegistration(cfg, logger, runtimeOptions?.onDaemonProgress);
     const registerRequest = await buildRegisterRunnerRequest(cfg, logger, codexRefreshErrorMessage);
     const apiCallOptions = buildGrpcAuthCallOptions(options.secret);
     if (options.daemon) {
@@ -2666,8 +2753,13 @@ async function runRootCommand(options, runtimeOptions) {
     }
 }
 function buildRootConfig(options) {
+    if (options.useDedicatedWorkspaces && typeof options.workspacePath === "string" && options.workspacePath.trim().length > 0) {
+        throw new Error("--workspace-path and --use-dedicated-workspaces cannot be used together.");
+    }
     return config_js_1.config.parse({
         config_directory: options.configPath,
+        workspace_path: options.workspacePath,
+        use_dedicated_workspaces: options.useDedicatedWorkspaces,
         state_db_path: options.stateDbPath,
         companyhelm_api_url: options.serverUrl,
         agent_api_url: options.agentApiUrl,

package/dist/commands/runner/common.js

@@ -6,12 +6,14 @@ function addRunnerStartOptions(command) {
     return command
         .option("--config-path <path>", global_options_js_1.CONFIG_PATH_OPTION_DESCRIPTION)
         .option("--server-url <url>", "CompanyHelm gRPC API URL override.")
-        .option("--agent-api-url <url>", "Agent gRPC API URL for companyhelm-agent in runtime containers (localhost is rewritten to http://host.docker.internal).")
+        .option("--agent-api-url <url>", "Agent REST API base URL for runtime containers (localhost is rewritten to http://host.docker.internal).")
+        .option("--workspace-path <path>", "Shared host workspace mounted at /workspace (defaults to the current working directory).")
         .option("--secret <secret>", "Bearer secret used as gRPC Authorization header.")
         .option("--state-db-path <path>", "State database path override (defaults to state.db under the active config directory).")
         .option("--log-path <path>", "Daemon log file override.")
         .option("--use-host-docker-runtime", "Mount host Docker socket into runtime containers instead of creating DinD sidecars.")
         .option("--use-dedicated-auth", "Preserve existing dedicated Codex auth if already configured; otherwise keep Codex unconfigured on startup.")
+        .option("--use-dedicated-workspaces", "Create per-thread dedicated workspaces under the configured workspaces directory.")
         .option("--host-docker-path <path>", "Host Docker endpoint when --use-host-docker-runtime is enabled (unix:///<socket-path> or tcp://localhost:<port>).")
         .option("--thread-git-skills-directory <path>", "Container path where thread git skill repositories are cloned before linking into ~/.codex/skills.")
         .option("-d, --daemon", "Run in daemon mode and fail fast when no SDK is configured.")

package/dist/commands/runner/start.js

@@ -15,6 +15,9 @@ async function runRunnerStartCommand(options) {
                 onDaemonReady: () => {
                     (0, root_js_1.sendDaemonParentMessage)({ type: "daemon-ready" });
                 },
+                onDaemonProgress: (message) => {
+                    (0, root_js_1.sendDaemonParentMessage)({ type: "daemon-progress", message });
+                },
             }
             : undefined);
     }

package/dist/config.js

@@ -53,6 +53,12 @@ exports.config = zod_1.z.object({
     config_directory: zod_1.z.string()
         .describe("The directory where the config files are stored.")
         .default(resolveConfigDirectoryDefault),
+    workspace_path: zod_1.z.string()
+        .describe("Shared workspace directory mounted at /workspace when dedicated workspaces are disabled.")
+        .default(() => process.cwd()),
+    use_dedicated_workspaces: zod_1.z.boolean()
+        .describe("When true, create per-thread dedicated workspaces under workspaces_directory.")
+        .default(false),
     workspaces_directory: zod_1.z.string()
         .describe("The directory where thread workspaces are stored, relative to config_directory when not absolute.")
         .default("workspaces"),
@@ -63,8 +69,8 @@ exports.config = zod_1.z.object({
         .describe("CompanyHelm control plane gRPC endpoint URL.")
         .default("https://api.companyhelm.com:50051"),
     agent_api_url: zod_1.z.string()
-        .describe("CompanyHelm AgentTaskService gRPC endpoint URL used by companyhelm-agent inside runtime threads.")
-        .default("https://api.companyhelm.com:50052"),
+        .describe("CompanyHelm agent REST API base URL used inside runtime threads.")
+        .default("https://api.companyhelm.com/agent/v1"),
     // Max outbound gRPC client messages to hold while the command channel is disconnected.
     client_message_buffer_limit: zod_1.z.number()
         .int()

package/dist/preflight/check.js

@@ -0,0 +1,2 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });

package/dist/preflight/checks/linux/apparmor_restrict_unprivileged_userns_check.js

@@ -0,0 +1,96 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.LinuxApparmorRestrictUnprivilegedUsernsCheck = void 0;
+const promises_1 = require("node:fs/promises");
+const node_child_process_1 = require("node:child_process");
+const APPARMOR_SYSCTL_KEY = "kernel.apparmor_restrict_unprivileged_userns";
+const UNPRIVILEGED_USERNS_SYSCTL_KEY = "kernel.unprivileged_userns_clone";
+const USER_NAMESPACE_LIMIT_SYSCTL_KEY = "user.max_user_namespaces";
+function isRootlessDindImage(image) {
+    return image.toLowerCase().includes("rootless");
+}
+async function defaultReadSysctlValue(key) {
+    const path = `/proc/sys/${key.replace(/\./g, "/")}`;
+    try {
+        return (await (0, promises_1.readFile)(path, "utf8")).trim();
+    }
+    catch (error) {
+        if (error && typeof error === "object" && "code" in error && error.code === "ENOENT") {
+            return null;
+        }
+        throw error;
+    }
+}
+async function defaultRunShellCommand(command) {
+    await new Promise((resolve, reject) => {
+        const child = (0, node_child_process_1.spawn)("bash", ["-lc", command], { stdio: "inherit" });
+        child.on("error", reject);
+        child.on("exit", (code, signal) => {
+            if (code === 0) {
+                resolve();
+                return;
+            }
+            reject(new Error(`Command failed (${signal ?? code ?? "unknown"}): ${command}`));
+        });
+    });
+}
+class LinuxApparmorRestrictUnprivilegedUsernsCheck {
+    constructor(cfg, dependencies = {}) {
+        this.cfg = cfg;
+        this.id = "linux.apparmor_restrict_unprivileged_userns";
+        this.description = "Verify Linux AppArmor permits unprivileged user namespaces for rootless DinD.";
+        this.platform = dependencies.platform ?? process.platform;
+        this.readSysctlValue = dependencies.readSysctlValue ?? defaultReadSysctlValue;
+        this.runShellCommand = dependencies.runShellCommand ?? defaultRunShellCommand;
+    }
+    async run() {
+        if (!this.isApplicable()) {
+            return {
+                status: "skipped",
+                summary: "Check only applies to Linux rootless DinD setups.",
+                fixAvailable: false,
+            };
+        }
+        const apparmorRestriction = await this.readSysctlValue(APPARMOR_SYSCTL_KEY);
+        if (apparmorRestriction === "1") {
+            const [userNamespaceClone, userNamespaceLimit] = await Promise.all([
+                this.readSysctlValue(UNPRIVILEGED_USERNS_SYSCTL_KEY),
+                this.readSysctlValue(USER_NAMESPACE_LIMIT_SYSCTL_KEY),
+            ]);
+            return {
+                status: "failed",
+                summary: `${APPARMOR_SYSCTL_KEY}=1 blocks rootless DinD on this Linux host ` +
+                    `(kernel.unprivileged_userns_clone=${userNamespaceClone ?? "unknown"}, ` +
+                    `user.max_user_namespaces=${userNamespaceLimit ?? "unknown"}).`,
+                fixAvailable: true,
+            };
+        }
+        return {
+            status: "passed",
+            summary: "Linux host is compatible with rootless DinD.",
+            fixAvailable: false,
+        };
+    }
+    async fix() {
+        if (!this.isApplicable()) {
+            return {
+                status: "skipped",
+                summary: "Check only applies to Linux rootless DinD setups.",
+            };
+        }
+        await this.runShellCommand("sudo tee /etc/sysctl.d/99-companyhelm-rootless.conf >/dev/null <<'EOF'\n" +
+            "kernel.unprivileged_userns_clone = 1\n" +
+            "user.max_user_namespaces = 28633\n" +
+            "kernel.apparmor_restrict_unprivileged_userns = 0\n" +
+            "EOF");
+        await this.runShellCommand("sudo sysctl --system");
+        return {
+            status: "fixed",
+            summary: "Updated Linux sysctl configuration for rootless DinD.",
+        };
+    }
+    isApplicable() {
+        return this.platform === "linux" && !this.cfg.use_host_docker_runtime && isRootlessDindImage(this.cfg.dind_image);
+    }
+}
+exports.LinuxApparmorRestrictUnprivilegedUsernsCheck = LinuxApparmorRestrictUnprivilegedUsernsCheck;

package/dist/preflight/entrypoints.js

@@ -0,0 +1,53 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.RUNNER_STARTUP_PREFLIGHT_SKIP_ENV = void 0;
+exports.createRunnerPreflight = createRunnerPreflight;
+exports.runRunnerPreflight = runRunnerPreflight;
+exports.formatRunnerPreflightSummary = formatRunnerPreflightSummary;
+exports.ensureRunnerStartupPreflight = ensureRunnerStartupPreflight;
+const apparmor_restrict_unprivileged_userns_check_js_1 = require("./checks/linux/apparmor_restrict_unprivileged_userns_check.js");
+const runner_preflight_js_1 = require("./runner_preflight.js");
+exports.RUNNER_STARTUP_PREFLIGHT_SKIP_ENV = "COMPANYHELM_SKIP_RUNNER_STARTUP_PREFLIGHT";
+function renderPreflightStatusLabel(status) {
+    if (status === "passed") {
+        return "PASS";
+    }
+    if (status === "failed") {
+        return "FAIL";
+    }
+    return "SKIP";
+}
+function createRunnerPreflight(cfg, overrides = {}) {
+    return new runner_preflight_js_1.RunnerPreflight([
+        new apparmor_restrict_unprivileged_userns_check_js_1.LinuxApparmorRestrictUnprivilegedUsernsCheck(cfg, overrides),
+    ]);
+}
+async function runRunnerPreflight(options, overrides = {}) {
+    return await createRunnerPreflight(options.cfg, overrides).run({ applyFixes: options.applyFixes });
+}
+function formatRunnerPreflightSummary(summary) {
+    const lines = [`Preflight status: ${summary.passed ? "passed" : "failed"}`];
+    if (summary.results.length === 0) {
+        lines.push("No applicable preflight checks.");
+        return lines.join("\n");
+    }
+    for (const result of summary.results) {
+        lines.push(`[${renderPreflightStatusLabel(result.status)}] ${result.id}: ${result.summary}`);
+    }
+    return lines.join("\n");
+}
+function shouldSkipRunnerStartupPreflight() {
+    const value = process.env[exports.RUNNER_STARTUP_PREFLIGHT_SKIP_ENV]?.trim().toLowerCase();
+    return value === "1" || value === "true";
+}
+async function ensureRunnerStartupPreflight(cfg, overrides = {}) {
+    if (shouldSkipRunnerStartupPreflight()) {
+        return;
+    }
+    const summary = await runRunnerPreflight({ cfg }, overrides);
+    if (summary.passed) {
+        return;
+    }
+    throw new Error(`${formatRunnerPreflightSummary(summary)}\n` +
+        "Run `companyhelm-runner doctor` for details or `companyhelm-runner doctor fix` to try automatic fixes.");
+}