@companyhelm/runner 0.1.1 → 0.1.3

package/dist/service/thread_lifecycle.js

@@ -15,6 +15,7 @@ const dockerode_1 = __importDefault(require("dockerode"));
 const node_child_process_1 = require("node:child_process");
 const node_fs_1 = require("node:fs");
 const node_path_1 = require("node:path");
+const script_renderer_js_1 = require("../provisioning/runtime_provisioning/script_renderer.js");
 const path_js_1 = require("../utils/path.js");
 const runtime_bashrc_js_1 = require("./runtime_bashrc.js");
 const runtime_shell_js_1 = require("./runtime_shell.js");
@@ -193,12 +194,6 @@ function buildRuntimeToolingValidationScript(user) {
     return [
         bootstrap,
         "",
-        'if ! command -v companyhelm-agent >/dev/null 2>&1; then',
-        '  echo "companyhelm-agent CLI is not available after sourcing nvm." >&2',
-        '  echo "Fix: install @companyhelm/agent-cli in the runtime image." >&2',
-        "  exit 1",
-        "fi",
-        "",
         'if ! command -v aws >/dev/null 2>&1; then',
         '  echo "aws CLI is not available in runtime PATH." >&2',
         '  echo "Fix: install awscli in the runtime image." >&2',
@@ -442,6 +437,7 @@ class ThreadContainerService {
     constructor(docker, runCommand = node_child_process_1.spawnSync) {
         this.docker = docker ?? new dockerode_1.default();
         this.runCommand = runCommand;
+        this.scriptRenderer = new script_renderer_js_1.RuntimeProvisioningScriptRenderer();
     }
     runDockerExecScript(args, contextMessage) {
         const result = this.runCommand("docker", args, {
@@ -616,46 +612,72 @@ class ThreadContainerService {
         }
     }
     async ensureRuntimeContainerIdentity(name, user) {
-        const script = buildRuntimeIdentityProvisionScript(user);
+        const script = this.scriptRenderer.renderIdentityScript(user);
         this.runDockerExecScript(["exec", "-u", "0", name, "bash", "-lc", script], `Failed to provision runtime user '${user.agentUser}' in container '${name}'`);
     }
     async ensureRuntimeContainerTooling(name, user) {
-        const script = buildRuntimeToolingValidationScript(user);
-        this.runDockerExecScript(["exec", "-u", user.agentUser, name, "bash", "-lc", script], `Failed to validate runtime tooling (nvm/codex/companyhelm-agent/aws/playwright) in container '${name}'`);
+        const script = this.scriptRenderer.renderToolingValidationScript(user);
+        this.runDockerExecScript(["exec", "-u", user.agentUser, name, "bash", "-lc", script], `Failed to validate runtime tooling (nvm/codex/aws/playwright) in container '${name}'`);
     }
     async ensureRuntimeContainerBashrc(name, user) {
-        const script = buildRuntimeBashrcProvisionScript(user);
+        const script = this.scriptRenderer.renderBashrcScript(user);
         this.runDockerExecScript(["exec", "-u", user.agentUser, name, "bash", "-lc", script], `Failed to provision runtime .bashrc in container '${name}'`);
     }
     async ensureRuntimeContainerCodexConfig(name, user, configToml) {
-        const script = [
-            "set -euo pipefail",
-            `AGENT_HOME=${shellQuote(user.agentHomeDirectory)}`,
-            `CONFIG_CONTENT=${shellQuote(configToml)}`,
-            "",
-            'install -d -m 0755 "$AGENT_HOME/.codex"',
-            'printf \'%s\' "$CONFIG_CONTENT" > "$AGENT_HOME/.codex/config.toml"',
-            'chmod 0644 "$AGENT_HOME/.codex/config.toml"',
-        ].join("\n");
+        const script = this.scriptRenderer.renderCodexConfigScript(user, configToml);
         this.runDockerExecScript(["exec", "-u", user.agentUser, name, "bash", "-lc", script], `Failed to write runtime Codex config.toml in container '${name}'`);
     }
     async ensureRuntimeContainerAgentCliConfig(name, user, config) {
-        const script = buildRuntimeAgentCliConfigScript(user, config);
-        this.runDockerExecScript(["exec", "-u", user.agentUser, name, "bash", "-lc", script], `Failed to write runtime companyhelm-agent CLI config in container '${name}'`);
+        const script = this.scriptRenderer.renderAgentCliConfigScript(user, config);
+        this.runDockerExecScript(["exec", "-u", user.agentUser, name, "bash", "-lc", script], `Failed to write runtime agent config in container '${name}'`);
     }
     async ensureRuntimeContainerGitConfig(name, user, gitUserName, gitUserEmail) {
-        const script = buildRuntimeGitConfigScript(gitUserName, gitUserEmail);
+        const script = this.scriptRenderer.renderGitConfigScript(gitUserName, gitUserEmail);
         this.runDockerExecScript(["exec", "-u", user.agentUser, name, "bash", "-lc", script], `Failed to configure git author defaults in runtime container '${name}'`);
     }
     async ensureRuntimeContainerThreadGitSkills(name, user, options) {
         if (options.packages.length === 0) {
             return;
         }
-        const cloneScript = buildRuntimeThreadGitSkillsCloneScript(options);
+        const cloneScript = this.scriptRenderer.renderThreadGitSkillsCloneScript(options);
         this.runDockerExecScript(["exec", "-u", "0", name, "bash", "-lc", cloneScript], `Failed to provision thread git skills in runtime container '${name}'`);
-        const linkScript = buildRuntimeThreadGitSkillsLinkScript(user, options);
+        const linkScript = this.scriptRenderer.renderThreadGitSkillsLinkScript(user, options);
         this.runDockerExecScript(["exec", "-u", user.agentUser, name, "bash", "-lc", linkScript], `Failed to provision thread git skills in runtime container '${name}'`);
     }
+    async ensureRuntimeContainerAgentMetadataFiles(name, user, files, contextMessage) {
+        if (files.length === 0) {
+            return;
+        }
+        const script = this.scriptRenderer.renderAgentMetadataScript(user, files);
+        this.runDockerExecScript(["exec", "-u", user.agentUser, name, "bash", "-lc", script], contextMessage);
+    }
+    async ensureRuntimeContainerGithubInstallations(name, user, payload) {
+        await this.ensureRuntimeContainerAgentMetadataFiles(name, user, [
+            {
+                filename: "installations.json",
+                content: `${JSON.stringify(payload, null, 2)}\n`,
+            },
+        ], `Failed to write runtime GitHub installations metadata in container '${name}'`);
+    }
+    async ensureRuntimeContainerThreadMetadata(name, user, payload) {
+        const files = [
+            {
+                filename: "thread-mcp.json",
+                content: `${JSON.stringify({ servers: payload.mcpServers }, null, 2)}\n`,
+            },
+            {
+                filename: "thread-git-skills.json",
+                content: `${JSON.stringify({ packages: payload.gitSkillPackages }, null, 2)}\n`,
+            },
+        ];
+        if (payload.threadAgentCliConfig) {
+            files.push({
+                filename: "thread-agent-cli.json",
+                content: `${JSON.stringify(payload.threadAgentCliConfig, null, 2)}\n`,
+            });
+        }
+        await this.ensureRuntimeContainerAgentMetadataFiles(name, user, files, `Failed to write runtime thread metadata in container '${name}'`);
+    }
     async stopContainer(name) {
         try {
             await this.docker.getContainer(name).stop({ t: 10 });

package/dist/service/thread_turn_state.js

@@ -12,6 +12,7 @@ async function loadThreadMessageExecutionState(stateDbPath, threadId) {
             .select({
             id: schema_js_1.threads.id,
             workspace: schema_js_1.threads.workspace,
+            cliSecret: schema_js_1.threads.cliSecret,
             sdkThreadId: schema_js_1.threads.sdkThreadId,
             model: schema_js_1.threads.model,
             reasoningLevel: schema_js_1.threads.reasoningLevel,

package/dist/templates/provisioning/runtime_agent_cli_config.sh.j2

@@ -0,0 +1,8 @@
+set -euo pipefail
+CONFIG_DIR={{config_dir}}
+CONFIG_PATH={{config_path}}
+CONFIG_CONTENT={{config_content}}
+
+install -d -m 0755 "$CONFIG_DIR"
+printf '%s' "$CONFIG_CONTENT" > "$CONFIG_PATH"
+chmod 0600 "$CONFIG_PATH"

package/dist/templates/provisioning/runtime_agent_metadata.sh.j2

@@ -0,0 +1,8 @@
+set -euo pipefail
+AGENT_HOME={{agent_home}}
+METADATA_ROOT={{metadata_root}}
+
+install -d -m 0755 "$AGENT_HOME/.companyhelm"
+install -d -m 0755 "$METADATA_ROOT"
+
+{{file_blocks}}

package/dist/templates/provisioning/runtime_bashrc.sh.j2

@@ -0,0 +1,7 @@
+set -euo pipefail
+AGENT_HOME={{agent_home}}
+BASHRC_CONTENT={{bashrc_content}}
+
+install -d -m 0755 "$AGENT_HOME"
+printf '%s' "$BASHRC_CONTENT" > "$AGENT_HOME/.bashrc"
+chmod 0644 "$AGENT_HOME/.bashrc"

package/dist/templates/provisioning/runtime_codex_config.sh.j2

@@ -0,0 +1,7 @@
+set -euo pipefail
+AGENT_HOME={{agent_home}}
+CONFIG_CONTENT={{config_content}}
+
+install -d -m 0755 "$AGENT_HOME/.codex"
+printf '%s' "$CONFIG_CONTENT" > "$AGENT_HOME/.codex/config.toml"
+chmod 0644 "$AGENT_HOME/.codex/config.toml"

package/dist/templates/provisioning/runtime_git_config.sh.j2

@@ -0,0 +1,28 @@
+set -euo pipefail
+DEFAULT_GIT_USER_NAME={{default_git_user_name}}
+DEFAULT_GIT_USER_EMAIL={{default_git_user_email}}
+
+if ! command -v git >/dev/null 2>&1; then
+  exit 0
+fi
+
+if ! git config --global --get user.name >/dev/null 2>&1; then
+  git config --global user.name "$DEFAULT_GIT_USER_NAME"
+fi
+if ! git config --global --get user.email >/dev/null 2>&1; then
+  git config --global user.email "$DEFAULT_GIT_USER_EMAIL"
+fi
+
+if [ ! -d /workspace ]; then
+  exit 0
+fi
+
+while IFS= read -r -d '' git_dir; do
+  repo_root="$(dirname "$git_dir")"
+  if ! git -C "$repo_root" config --local --get user.name >/dev/null 2>&1; then
+    git -C "$repo_root" config --local user.name "$DEFAULT_GIT_USER_NAME"
+  fi
+  if ! git -C "$repo_root" config --local --get user.email >/dev/null 2>&1; then
+    git -C "$repo_root" config --local user.email "$DEFAULT_GIT_USER_EMAIL"
+  fi
+done < <(find /workspace -type d -name .git -print0 2>/dev/null || true)

package/dist/templates/provisioning/runtime_identity.sh.j2

@@ -0,0 +1,65 @@
+set -euo pipefail
+AGENT_USER={{agent_user}}
+AGENT_HOME={{agent_home}}
+AGENT_UID={{agent_uid}}
+AGENT_GID={{agent_gid}}
+
+AGENT_GROUP="$AGENT_USER"
+EXISTING_GID_GROUP="$(getent group "$AGENT_GID" | cut -d: -f1 || true)"
+if [ -n "$EXISTING_GID_GROUP" ] && [ "$EXISTING_GID_GROUP" != "$AGENT_USER" ] && ! getent group "$AGENT_USER" >/dev/null 2>&1; then
+  groupmod -n "$AGENT_USER" "$EXISTING_GID_GROUP"
+fi
+if getent group "$AGENT_USER" >/dev/null 2>&1; then
+  if [ "$(getent group "$AGENT_USER" | cut -d: -f3)" != "$AGENT_GID" ]; then
+    groupmod -g "$AGENT_GID" "$AGENT_USER"
+  fi
+else
+  groupadd -g "$AGENT_GID" "$AGENT_USER"
+fi
+
+EXISTING_UID_USER="$(getent passwd "$AGENT_UID" | cut -d: -f1 || true)"
+if [ -n "$EXISTING_UID_USER" ] && [ "$EXISTING_UID_USER" != "$AGENT_USER" ] && ! id -u "$AGENT_USER" >/dev/null 2>&1; then
+  usermod -l "$AGENT_USER" -d "$AGENT_HOME" -g "$AGENT_GROUP" -s /bin/bash "$EXISTING_UID_USER"
+elif id -u "$AGENT_USER" >/dev/null 2>&1; then
+  usermod -u "$AGENT_UID" -g "$AGENT_GROUP" -d "$AGENT_HOME" -s /bin/bash "$AGENT_USER"
+else
+  useradd -m -d "$AGENT_HOME" -u "$AGENT_UID" -g "$AGENT_GROUP" -s /bin/bash "$AGENT_USER"
+fi
+
+install -d -m 0755 -o "$AGENT_UID" -g "$AGENT_GID" "$AGENT_HOME"
+
+SUDOERS_FILE="/etc/sudoers.d/90-companyhelm-agent"
+if command -v sudo >/dev/null 2>&1; then
+  install -d -m 0750 /etc/sudoers.d
+  printf '%s\n' "$AGENT_USER ALL=(ALL) NOPASSWD:ALL" > "$SUDOERS_FILE"
+  chmod 0440 "$SUDOERS_FILE"
+  if command -v visudo >/dev/null 2>&1; then
+    visudo -cf "$SUDOERS_FILE" >/dev/null
+  fi
+fi
+
+install -d -m 0755 -o "$AGENT_UID" -g "$AGENT_GID" "$AGENT_HOME/.codex"
+install -d -m 0755 -o "$AGENT_UID" -g "$AGENT_GID" "$AGENT_HOME/.cache"
+if [ -e "$AGENT_HOME/.codex/auth.json" ]; then
+  chown "$AGENT_UID:$AGENT_GID" "$AGENT_HOME/.codex/auth.json" || true
+fi
+
+PLAYWRIGHT_SHARED_CACHE="/ms-playwright"
+PLAYWRIGHT_DEFAULT_CACHE="$AGENT_HOME/.cache/ms-playwright"
+install -d -m 0755 "$PLAYWRIGHT_SHARED_CACHE"
+if [ "$(stat -c '%u:%g' "$PLAYWRIGHT_SHARED_CACHE" 2>/dev/null || true)" != "$AGENT_UID:$AGENT_GID" ]; then
+  chown -R "$AGENT_UID:$AGENT_GID" "$PLAYWRIGHT_SHARED_CACHE" || true
+fi
+if [ -L "$PLAYWRIGHT_DEFAULT_CACHE" ]; then
+  if [ "$(readlink "$PLAYWRIGHT_DEFAULT_CACHE" 2>/dev/null || true)" != "$PLAYWRIGHT_SHARED_CACHE" ]; then
+    rm -f "$PLAYWRIGHT_DEFAULT_CACHE"
+    ln -s "$PLAYWRIGHT_SHARED_CACHE" "$PLAYWRIGHT_DEFAULT_CACHE"
+  fi
+elif [ ! -e "$PLAYWRIGHT_DEFAULT_CACHE" ]; then
+  ln -s "$PLAYWRIGHT_SHARED_CACHE" "$PLAYWRIGHT_DEFAULT_CACHE"
+else
+  chown -R "$AGENT_UID:$AGENT_GID" "$PLAYWRIGHT_DEFAULT_CACHE" || true
+fi
+install -d -m 0755 -o "$AGENT_UID" -g "$AGENT_GID" "$AGENT_HOME/.companyhelm"
+install -d -m 0755 -o "$AGENT_UID" -g "$AGENT_GID" "$AGENT_HOME/.companyhelm/agent"
+chown -R "$AGENT_UID:$AGENT_GID" "$AGENT_HOME" || true

package/dist/templates/provisioning/runtime_thread_git_skills_clone.sh.j2

@@ -0,0 +1,11 @@
+set -euo pipefail
+SKILLS_ROOT={{skills_root}}
+
+install -d -m 0755 "$SKILLS_ROOT"
+
+if ! command -v git >/dev/null 2>&1; then
+  echo "git is not available in the runtime container." >&2
+  exit 1
+fi
+
+{{package_blocks}}

package/dist/templates/provisioning/runtime_thread_git_skills_link.sh.j2

@@ -0,0 +1,7 @@
+set -euo pipefail
+SKILLS_ROOT={{skills_root}}
+CODEX_SKILLS_ROOT={{codex_skills_root}}
+
+install -d -m 0755 "$CODEX_SKILLS_ROOT"
+
+{{skill_blocks}}

package/dist/templates/provisioning/runtime_tooling_validation.sh.j2

@@ -0,0 +1,32 @@
+{{bootstrap}}
+
+if ! command -v aws >/dev/null 2>&1; then
+  echo "aws CLI is not available in runtime PATH." >&2
+  echo "Fix: install awscli in the runtime image." >&2
+  exit 1
+fi
+
+if ! command -v playwright >/dev/null 2>&1; then
+  echo "playwright CLI is not available after sourcing nvm." >&2
+  echo "Fix: install playwright in the runtime image (for example: npm install --global playwright)." >&2
+  exit 1
+fi
+
+PLAYWRIGHT_CACHE_DIR="${PLAYWRIGHT_BROWSERS_PATH:-$HOME/.cache/ms-playwright}"
+if [ ! -d "$PLAYWRIGHT_CACHE_DIR" ]; then
+  echo "Playwright browser cache directory is missing: $PLAYWRIGHT_CACHE_DIR" >&2
+  echo "Fix: set PLAYWRIGHT_BROWSERS_PATH and run npx playwright install chromium during runtime image build." >&2
+  exit 1
+fi
+
+CHROMIUM_BIN="$(find "$PLAYWRIGHT_CACHE_DIR" -type f -path "*/chrome-linux/chrome" -print -quit 2>/dev/null || true)"
+if [ -z "$CHROMIUM_BIN" ]; then
+  echo "Playwright chromium binary is missing under $PLAYWRIGHT_CACHE_DIR." >&2
+  echo "Fix: run npx playwright install chromium while building the runtime image." >&2
+  exit 1
+fi
+
+if [ ! -x "$CHROMIUM_BIN" ]; then
+  echo "Playwright chromium binary exists but is not executable: $CHROMIUM_BIN" >&2
+  exit 1
+fi

package/dist/templates/system_prompts/common.md.j2

@@ -0,0 +1,46 @@
+# Agent Instructions
+
+## Workspace Structure
+
+- You are running in a thread-specific container and workspace.
+- This workspace may be shared or dedicated depending on runner startup configuration.
+- Repositories should live in subdirectories of `/workspace`.
+
+## Docker
+
+Docker is available, the docker host runs in a separate container. The network is shared with the container.
+- Only `/workspace` is shared with the docker host.
+- `{{home_directory}}/.codex/auth.json` is also shared with the docker host.
+- Nested DinD is not supported in this environment because the outer runtime already uses rootless DinD.
+- If you need Docker in Docker, mount the configured host runtime instead of trying nested DinD.
+
+## GitHub Installations
+
+- Synced GitHub installation credentials are stored at `{{home_directory}}/.companyhelm/agent/installations.json`.
+- Use `list-installations` to inspect installation IDs, repository scopes, tokens, and expiration timestamps.
+- Use `gh-use-installation <installation-id>` to configure `gh` authentication for a specific installation.
+
+```bash
+list-installations
+gh-use-installation {installation_id}
+gh auth status --hostname github.com
+```
+
+## Available CLI Tools
+
+- `list-installations`: list synced GitHub installations with repositories, access tokens, and expirations.
+- `gh-use-installation <installation-id>`: configure `gh` authentication for a selected GitHub installation token.
+- `aws`: AWS CLI is pre-installed and available in `PATH`.
+- For scripted PR creation and updates, use `gh pr create --body-file <path>` and `gh pr edit --body-file <path>`.
+- Playwright CLI is already installed and available with Chromium pre-installed.
+
+## Agent API
+
+- Use the CompanyHelm agent REST API directly with `Authorization: Bearer {{agent_token}}`.
+- Agent API base URL: `{{agent_api_url}}`
+- The bearer token above is the existing thread secret.
+
+```bash
+curl -H "Authorization: Bearer {{agent_token}}" \
+  {{agent_api_url}}/
+```

package/dist/templates/system_prompts/dedicated_workspace.md.j2

@@ -0,0 +1,5 @@
+## Dedicated Workspace
+
+- This runtime is using a dedicated per-thread host workspace mounted at `/workspace`.
+- Files in `/workspace` are isolated to this thread workspace lifecycle.
+- The runner may remove the host workspace when the thread is deleted.

package/dist/templates/system_prompts/shared_workspace.md.j2

@@ -0,0 +1,5 @@
+## Shared Workspace
+
+- This runtime is using a shared host workspace mounted directly at `/workspace`.
+- Changes made in `/workspace` may be visible to multiple threads that use the same runner workspace path.
+- Do not assume `/workspace` is isolated per thread.

package/dist/utils/daemon_startup_watchdog.js

@@ -0,0 +1,27 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.DaemonStartupWatchdog = void 0;
+class DaemonStartupWatchdog {
+    constructor(timeoutMs, onTimeout) {
+        this.timeoutMs = timeoutMs;
+        this.onTimeout = onTimeout;
+        this.bump();
+    }
+    bump() {
+        if (this.timer) {
+            clearTimeout(this.timer);
+        }
+        this.timer = setTimeout(() => {
+            this.timer = undefined;
+            this.onTimeout();
+        }, this.timeoutMs);
+    }
+    finish() {
+        if (!this.timer) {
+            return;
+        }
+        clearTimeout(this.timer);
+        this.timer = undefined;
+    }
+}
+exports.DaemonStartupWatchdog = DaemonStartupWatchdog;

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@companyhelm/runner",
-  "version": "0.1.1",
+  "version": "0.1.3",
   "description": "Run the CompanyHelm runner in fully isolated Docker sandboxes.",
   "license": "MIT",
   "repository": {

package/dist/service/workspace_agents.js

@@ -1,82 +0,0 @@
-"use strict";
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.renderRuntimeAgentsMd = renderRuntimeAgentsMd;
-exports.ensureWorkspaceAgentsMd = ensureWorkspaceAgentsMd;
-const node_fs_1 = require("node:fs");
-const node_path_1 = require("node:path");
-const RUNTIME_AGENTS_TEMPLATE_PATH = "templates/runtime_agents.md.j2";
-const DEFAULT_HOME_DIRECTORY = "/home/agent";
-function renderJinjaTemplate(template, context) {
-    return template.replace(/{{\s*([a-zA-Z0-9_]+)\s*}}/g, (_match, key) => {
-        const value = context[key];
-        if (value === undefined) {
-            throw new Error(`Missing template value for key '${key}'`);
-        }
-        return value;
-    });
-}
-function resolveTemplatePath() {
-    const distRelativePath = (0, node_path_1.join)(__dirname, "..", RUNTIME_AGENTS_TEMPLATE_PATH);
-    if ((0, node_fs_1.existsSync)(distRelativePath)) {
-        return distRelativePath;
-    }
-    const sourceRelativePath = (0, node_path_1.join)(__dirname, "..", "..", "src", RUNTIME_AGENTS_TEMPLATE_PATH);
-    if ((0, node_fs_1.existsSync)(sourceRelativePath)) {
-        return sourceRelativePath;
-    }
-    throw new Error(`Runtime AGENTS template was not found at ${distRelativePath} or ${sourceRelativePath}`);
-}
-function extractTopLevelSections(markdown) {
-    const sections = [];
-    const headingRegex = /^## .+$/gm;
-    const matches = [...markdown.matchAll(headingRegex)];
-    for (let index = 0; index < matches.length; index += 1) {
-        const match = matches[index];
-        const marker = match[0].trim();
-        const start = match.index ?? 0;
-        const end = index + 1 < matches.length ? (matches[index + 1].index ?? markdown.length) : markdown.length;
-        const content = markdown.slice(start, end).trimEnd();
-        sections.push({ marker, content });
-    }
-    return sections;
-}
-function renderRuntimeAgentsMd(homeDirectory = DEFAULT_HOME_DIRECTORY) {
-    const template = (0, node_fs_1.readFileSync)(resolveTemplatePath(), "utf8");
-    return renderJinjaTemplate(template, {
-        home_directory: homeDirectory,
-    }).trim() + "\n";
-}
-function ensureWorkspaceAgentsMd(workspaceDirectory, homeDirectory = DEFAULT_HOME_DIRECTORY) {
-    (0, node_fs_1.mkdirSync)(workspaceDirectory, { recursive: true });
-    const agentsPath = (0, node_path_1.join)(workspaceDirectory, "AGENTS.md");
-    let existing = "";
-    try {
-        existing = (0, node_fs_1.readFileSync)(agentsPath, "utf8");
-    }
-    catch {
-        existing = "";
-    }
-    let rendered = "";
-    try {
-        rendered = renderRuntimeAgentsMd(homeDirectory);
-    }
-    catch {
-        return;
-    }
-    const templateSections = extractTopLevelSections(rendered);
-    const pendingSections = templateSections
-        .filter((section) => !existing.includes(section.marker))
-        .map((section) => section.content);
-    if (pendingSections.length === 0) {
-        return;
-    }
-    const updated = existing.trim()
-        ? `${existing.trimEnd()}\n\n${pendingSections.join("\n\n")}\n`
-        : rendered;
-    try {
-        (0, node_fs_1.writeFileSync)(agentsPath, updated, "utf8");
-    }
-    catch {
-        // Best-effort workspace instruction file.
-    }
-}

package/dist/templates/runtime_agents.md.j2

@@ -1,50 +0,0 @@
-# Agent Instructions
-
-## Workspace Structure
-
-- You are running in a thread-specific container and workspace
-- This workspace is not initialized as a Git repository by default. Repositories should live in a subdirectory of the workspace.
-
-## Docker
-
-Docker is available, the docker host runs in a separate container. The network is shared with container.
-- only the `/workspace` is shared with the docker host
-- `{{home_directory}}/.codex/auth.json` is also shared with the docker host
-- Nested DinD is not supported in this environment because the outer runtime already uses rootless DinD.
-- If you need to use Docker in Docker you can mount the docker socket in the container and use this environment DinD to run containers within containers.
-
-## GitHub Installations
-
-- Synced GitHub installation credentials are written to `/workspace/.companyhelm/installations.json`.
-- Use `list-installations` to inspect installation IDs, repository scopes, tokens, and expiration timestamps.
-- Use `gh-use-installation <installation-id>` to configure `gh` authentication for a specific installation.
-
-```bash
-# Inspect synced installation credentials
-list-installations
-
-# Configure gh to use installation 112331765
-gh-use-installation 112331765
-
-# Verify gh is authenticated for github.com
-gh auth status --hostname github.com
-```
-
-## Available CLI Tools
-
-- `list-installations`: list synced GitHub installations with repositories, access tokens, and expirations.
-- `gh-use-installation <installation-id>`: configure `gh` authentication for a selected GitHub installation token.
-- `aws`: AWS CLI is pre-installed and available in `PATH`.
-- For scripted PR creation/updates, always use `gh pr create --body-file <path>` and `gh pr edit --body-file <path>` instead of inline `--body` to avoid shell interpolation of markdown backticks.
-- DO NOT INSTALL PLAYWRIGHT IN THE RUNTIME IMAGE. Playwright CLI is already installed and available for browser automation tasks with Chromium pre-installed: `playwright open --browser=chromium ...`
-
-## CompanyHelm Agent CLI
-
-- `companyhelm-agent` is pre-installed in the runtime image.
-- Thread bootstrap writes `{{home_directory}}/.config/companyhelm-agent-cli/config.json` with:
-  - `agent_api_url`: localhost targets are rewritten to `host.docker.internal` (for example `http://host.docker.internal:<port>`) for Docker-to-host access.
-  - `token`: sourced from the thread secret.
-- Example commands:
-  - `companyhelm-agent task get --task-id <id>`
-  - `companyhelm-agent task dependencies --task-id <id>`
-  - `companyhelm-agent task update-status --task-id <id> --status <draft|pending|in_progress|completed>`