@cyanautomation/kaseki-agent 1.36.10 → 1.36.11

package/README.md

@@ -604,6 +604,14 @@ ssh pi@192.168.1.100 'tmp=$(mktemp) && curl -fsSL https://raw.githubusercontent.
 ssh pi@192.168.1.100 '/agents/kaseki-agent/scripts/kaseki-setup-host.sh --fix'
 ```
 
+If checkout freshness fails, remediation is now specific to the failure mode:
+
+- `.git` access failures (for example: `permission denied`, `not a git repository`,
+  or inaccessible `.git`) keep permission-focused remediation.
+- UID/GID impersonation failures (for example: unknown user/group or `sudo`/`runuser`
+  invocation errors) return remediation that asks you to configure a valid way to
+  execute as UID:GID `10000:10000` (or provide passwd/group mappings), then rerun setup.
+
 #### Local Activation (No SSH)
 
 ```bash

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@cyanautomation/kaseki-agent",
-  "version": "1.36.10",
+  "version": "1.36.11",
   "description": "Admin/helper/doctor toolbox and local API client for Kaseki diagnostics, setup, and API-backed coding-agent task workflows",
   "type": "module",
   "license": "MIT",

package/scripts/kaseki-setup-host.sh

@@ -100,6 +100,24 @@ check_writable() {
   fi
 }
 
+resolve_uid_to_name() {
+  local uid="$1"
+  if ! command -v getent >/dev/null 2>&1; then
+    printf ''
+    return 0
+  fi
+  getent passwd "$uid" 2>/dev/null | awk -F: 'NR==1 && NF>=6 {print $1}'
+}
+
+resolve_gid_to_name() {
+  local gid="$1"
+  if ! command -v getent >/dev/null 2>&1; then
+    printf ''
+    return 0
+  fi
+  getent group "$gid" 2>/dev/null | awk -F: 'NR==1 && NF>=4 {print $1}'
+}
+
 normalize_secrets_dir() {
   local secrets_dir="$1"
   if [ ! -d "$secrets_dir" ]; then
@@ -158,12 +176,25 @@ run_checkout_freshness_probe() {
   
   local probe_command=(git -C "$checkout_dir" rev-parse HEAD)
 
+  local resolved_user_name=""
+  local resolved_group_name=""
+  resolved_user_name="$(resolve_uid_to_name "$KASEKI_CONTAINER_UID")"
+  resolved_group_name="$(resolve_gid_to_name "$KASEKI_CONTAINER_GID")"
+
   if [ "$(id -u)" -eq "$KASEKI_CONTAINER_UID" ] && [ "$(id -g)" -eq "$KASEKI_CONTAINER_GID" ]; then
     "${probe_command[@]}" >/dev/null 2>"$stderr_file" || true
-  elif command -v sudo >/dev/null 2>&1; then
-    sudo -u "#${KASEKI_CONTAINER_UID}" -g "#${KASEKI_CONTAINER_GID}" -- "${probe_command[@]}" >/dev/null 2>"$stderr_file" || true
-  elif command -v runuser >/dev/null 2>&1 && [ "$(id -u)" -eq 0 ]; then
-    runuser -u "#${KASEKI_CONTAINER_UID}" -- "${probe_command[@]}" >/dev/null 2>"$stderr_file" || true
+  elif [ "$(id -u)" -eq 0 ] && command -v setpriv >/dev/null 2>&1; then
+    setpriv --reuid "$KASEKI_CONTAINER_UID" --regid "$KASEKI_CONTAINER_GID" --clear-groups -- "${probe_command[@]}" >/dev/null 2>"$stderr_file" || true
+  elif [ "$(id -u)" -eq 0 ] && command -v runuser >/dev/null 2>&1 && [ -n "$resolved_user_name" ] && [ -n "$resolved_group_name" ]; then
+    runuser -u "$resolved_user_name" -g "$resolved_group_name" -- "${probe_command[@]}" >/dev/null 2>"$stderr_file" || true
+  elif [ "$(id -u)" -eq 0 ] && command -v sudo >/dev/null 2>&1; then
+    if [ -n "$resolved_user_name" ] && [ -n "$resolved_group_name" ]; then
+      sudo -u "$resolved_user_name" -g "$resolved_group_name" -- "${probe_command[@]}" >/dev/null 2>"$stderr_file" || true
+    elif [ -n "$resolved_user_name" ]; then
+      sudo -u "$resolved_user_name" -- "${probe_command[@]}" >/dev/null 2>"$stderr_file" || true
+    else
+      sudo -u "#${KASEKI_CONTAINER_UID}" -g "#${KASEKI_CONTAINER_GID}" -- "${probe_command[@]}" >/dev/null 2>"$stderr_file" || true
+    fi
   else
     "${probe_command[@]}" >/dev/null 2>"$stderr_file" || true
   fi
@@ -172,8 +203,13 @@ run_checkout_freshness_probe() {
     probe_status="failed"
     local stderr_tail
     stderr_tail="$(tail -n 1 "$stderr_file" | tr -d '\r')"
-    probe_detail="Checkout freshness probe failed when running git metadata access as UID:GID ${KASEKI_CONTAINER_UID}:${KASEKI_CONTAINER_GID}: ${stderr_tail}"
-    probe_remediation="Fix ownership/permissions so ${checkout_dir} and ${checkout_dir}/.git are readable by UID:GID ${KASEKI_CONTAINER_UID}:${KASEKI_CONTAINER_GID}."
+    if printf '%s' "$stderr_tail" | grep -Eiq 'unknown user|unknown group|no passwd entry|user .* does not exist|group .* does not exist|sudo: .*unknown|sudo: .*invalid|runuser: .*does not exist|runuser: user .* does not exist|runuser: group .* does not exist|unable to initialize policy plugin|unable to set user context'; then
+      probe_detail="Checkout freshness probe failed: probe could not impersonate UID:GID ${KASEKI_CONTAINER_UID}:${KASEKI_CONTAINER_GID} due to host user/group mapping or privilege-tool configuration issue: ${stderr_tail}"
+      probe_remediation="Configure a valid host method to run commands as UID:GID ${KASEKI_CONTAINER_UID}:${KASEKI_CONTAINER_GID} (or ensure passwd/group mappings exist for that UID/GID), then rerun ./scripts/kaseki-setup-host.sh --fix."
+    else
+      probe_detail="Checkout freshness probe failed when running git metadata access as UID:GID ${KASEKI_CONTAINER_UID}:${KASEKI_CONTAINER_GID}: ${stderr_tail}"
+      probe_remediation="Fix ownership/permissions so ${checkout_dir} and ${checkout_dir}/.git are readable by UID:GID ${KASEKI_CONTAINER_UID}:${KASEKI_CONTAINER_GID}."
+    fi
   else
     probe_status="ok"
     probe_detail="Checkout freshness probe passed for ${checkout_dir} as UID:GID ${KASEKI_CONTAINER_UID}:${KASEKI_CONTAINER_GID}."