@cyanautomation/kaseki-agent 1.36.10 → 1.37.0

package/README.md

@@ -604,6 +604,14 @@ ssh pi@192.168.1.100 'tmp=$(mktemp) && curl -fsSL https://raw.githubusercontent.
 ssh pi@192.168.1.100 '/agents/kaseki-agent/scripts/kaseki-setup-host.sh --fix'
 ```
 
+If checkout freshness fails, remediation is now specific to the failure mode:
+
+- `.git` access failures (for example: `permission denied`, `not a git repository`,
+  or inaccessible `.git`) keep permission-focused remediation.
+- UID/GID impersonation failures (for example: unknown user/group or `sudo`/`runuser`
+  invocation errors) return remediation that asks you to configure a valid way to
+  execute as UID:GID `10000:10000` (or provide passwd/group mappings), then rerun setup.
+
 #### Local Activation (No SSH)
 
 ```bash

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@cyanautomation/kaseki-agent",
-  "version": "1.36.10",
+  "version": "1.37.0",
   "description": "Admin/helper/doctor toolbox and local API client for Kaseki diagnostics, setup, and API-backed coding-agent task workflows",
   "type": "module",
   "license": "MIT",

package/scripts/kaseki-setup-host.sh

@@ -100,6 +100,37 @@ check_writable() {
   fi
 }
 
+fix_checkout_permissions_if_exists() {
+  # If checkout directory exists with potentially problematic ownership,
+  # try to fix it to match container UID:GID (only when --fix is set)
+  if [ "$KASEKI_FIX" != "1" ]; then
+    return 0
+  fi
+  if [ ! -d "$KASEKI_CHECKOUT_DIR" ]; then
+    return 0
+  fi
+  # Attempt to fix ownership to container UID:GID for consistency
+  run_privileged chown -R "$KASEKI_CONTAINER_UID:$KASEKI_CONTAINER_GID" "$KASEKI_CHECKOUT_DIR" 2>/dev/null || true
+}
+
+resolve_uid_to_name() {
+  local uid="$1"
+  if ! command -v getent >/dev/null 2>&1; then
+    printf ''
+    return 0
+  fi
+  getent passwd "$uid" 2>/dev/null | awk -F: 'NR==1 && NF>=6 {print $1}'
+}
+
+resolve_gid_to_name() {
+  local gid="$1"
+  if ! command -v getent >/dev/null 2>&1; then
+    printf ''
+    return 0
+  fi
+  getent group "$gid" 2>/dev/null | awk -F: 'NR==1 && NF>=4 {print $1}'
+}
+
 normalize_secrets_dir() {
   local secrets_dir="$1"
   if [ ! -d "$secrets_dir" ]; then
@@ -133,12 +164,20 @@ run_checkout_freshness_probe() {
   local probe_status="skipped"
   local probe_detail="Checkout freshness probe skipped because setup did not run bootstrap."
   local probe_remediation=""
+  local stderr_file=""
+
+  cleanup_probe_stderr_file() {
+    if [ -n "$stderr_file" ]; then
+      rm -f "$stderr_file"
+    fi
+  }
 
   if [ ! -d "$checkout_dir" ]; then
     probe_status="failed"
     probe_detail="Checkout freshness probe failed: expected checkout path ${checkout_dir} does not exist."
     probe_remediation="Fix ownership/permissions so ${checkout_dir} and ${checkout_dir}/.git are readable by UID:GID ${KASEKI_CONTAINER_UID}:${KASEKI_CONTAINER_GID}."
     printf '%s|%s|%s\n' "$probe_status" "$probe_detail" "$probe_remediation"
+    cleanup_probe_stderr_file
     return 0
   fi
 
@@ -147,23 +186,33 @@ run_checkout_freshness_probe() {
     probe_detail="Checkout freshness probe failed: ${checkout_dir}/.git is missing or inaccessible."
     probe_remediation="Fix ownership/permissions so ${checkout_dir} and ${checkout_dir}/.git are readable by UID:GID ${KASEKI_CONTAINER_UID}:${KASEKI_CONTAINER_GID}."
     printf '%s|%s|%s\n' "$probe_status" "$probe_detail" "$probe_remediation"
+    cleanup_probe_stderr_file
     return 0
   fi
 
-  local stderr_file
   stderr_file="$(mktemp)"
-  
-  # Ensure cleanup on exit
-  trap 'rm -f "$stderr_file"' EXIT INT TERM
-  
+
   local probe_command=(git -C "$checkout_dir" rev-parse HEAD)
 
+  local resolved_user_name=""
+  local resolved_group_name=""
+  resolved_user_name="$(resolve_uid_to_name "$KASEKI_CONTAINER_UID")"
+  resolved_group_name="$(resolve_gid_to_name "$KASEKI_CONTAINER_GID")"
+
   if [ "$(id -u)" -eq "$KASEKI_CONTAINER_UID" ] && [ "$(id -g)" -eq "$KASEKI_CONTAINER_GID" ]; then
     "${probe_command[@]}" >/dev/null 2>"$stderr_file" || true
-  elif command -v sudo >/dev/null 2>&1; then
-    sudo -u "#${KASEKI_CONTAINER_UID}" -g "#${KASEKI_CONTAINER_GID}" -- "${probe_command[@]}" >/dev/null 2>"$stderr_file" || true
-  elif command -v runuser >/dev/null 2>&1 && [ "$(id -u)" -eq 0 ]; then
-    runuser -u "#${KASEKI_CONTAINER_UID}" -- "${probe_command[@]}" >/dev/null 2>"$stderr_file" || true
+  elif [ "$(id -u)" -eq 0 ] && command -v setpriv >/dev/null 2>&1; then
+    setpriv --reuid "$KASEKI_CONTAINER_UID" --regid "$KASEKI_CONTAINER_GID" --clear-groups -- "${probe_command[@]}" >/dev/null 2>"$stderr_file" || true
+  elif [ "$(id -u)" -eq 0 ] && command -v runuser >/dev/null 2>&1 && [ -n "$resolved_user_name" ] && [ -n "$resolved_group_name" ]; then
+    runuser -u "$resolved_user_name" -g "$resolved_group_name" -- "${probe_command[@]}" >/dev/null 2>"$stderr_file" || true
+  elif [ "$(id -u)" -eq 0 ] && command -v sudo >/dev/null 2>&1; then
+    if [ -n "$resolved_user_name" ] && [ -n "$resolved_group_name" ]; then
+      sudo -u "$resolved_user_name" -g "$resolved_group_name" -- "${probe_command[@]}" >/dev/null 2>"$stderr_file" || true
+    elif [ -n "$resolved_user_name" ]; then
+      sudo -u "$resolved_user_name" -- "${probe_command[@]}" >/dev/null 2>"$stderr_file" || true
+    else
+      sudo -u "#${KASEKI_CONTAINER_UID}" -g "#${KASEKI_CONTAINER_GID}" -- "${probe_command[@]}" >/dev/null 2>"$stderr_file" || true
+    fi
   else
     "${probe_command[@]}" >/dev/null 2>"$stderr_file" || true
   fi
@@ -172,13 +221,18 @@ run_checkout_freshness_probe() {
     probe_status="failed"
     local stderr_tail
     stderr_tail="$(tail -n 1 "$stderr_file" | tr -d '\r')"
-    probe_detail="Checkout freshness probe failed when running git metadata access as UID:GID ${KASEKI_CONTAINER_UID}:${KASEKI_CONTAINER_GID}: ${stderr_tail}"
-    probe_remediation="Fix ownership/permissions so ${checkout_dir} and ${checkout_dir}/.git are readable by UID:GID ${KASEKI_CONTAINER_UID}:${KASEKI_CONTAINER_GID}."
+    if printf '%s' "$stderr_tail" | grep -Eiq 'unknown user|unknown group|no passwd entry|user .* does not exist|group .* does not exist|sudo: .*unknown|sudo: .*invalid|runuser: .*does not exist|runuser: user .* does not exist|runuser: group .* does not exist|unable to initialize policy plugin|unable to set user context'; then
+      probe_detail="Checkout freshness probe failed: probe could not impersonate UID:GID ${KASEKI_CONTAINER_UID}:${KASEKI_CONTAINER_GID} due to host user/group mapping or privilege-tool configuration issue: ${stderr_tail}"
+      probe_remediation="Configure a valid host method to run commands as UID:GID ${KASEKI_CONTAINER_UID}:${KASEKI_CONTAINER_GID} (or ensure passwd/group mappings exist for that UID/GID), then rerun ./scripts/kaseki-setup-host.sh --fix."
+    else
+      probe_detail="Checkout freshness probe failed when running git metadata access as UID:GID ${KASEKI_CONTAINER_UID}:${KASEKI_CONTAINER_GID}: ${stderr_tail}"
+      probe_remediation="Fix ownership/permissions so ${checkout_dir} and ${checkout_dir}/.git are readable by UID:GID ${KASEKI_CONTAINER_UID}:${KASEKI_CONTAINER_GID}."
+    fi
   else
     probe_status="ok"
     probe_detail="Checkout freshness probe passed for ${checkout_dir} as UID:GID ${KASEKI_CONTAINER_UID}:${KASEKI_CONTAINER_GID}."
   fi
-  rm -f "$stderr_file"
+  cleanup_probe_stderr_file
 
   printf '%s|%s|%s\n' "$probe_status" "$probe_detail" "$probe_remediation"
 }
@@ -288,6 +342,94 @@ bootstrap_checkout_if_possible() {
   return 1
 }
 
+ensure_git_safe_directory() {
+  if ! command -v git >/dev/null 2>&1; then
+    printf 'warning: git is unavailable; skipping safe.directory preflight for %s\n' "$KASEKI_CHECKOUT_DIR"
+    return 0
+  fi
+
+  if [ ! -d "$KASEKI_CHECKOUT_DIR/.git" ]; then
+    printf 'warning: %s/.git is missing; skipping safe.directory preflight\n' "$KASEKI_CHECKOUT_DIR"
+    return 0
+  fi
+
+  local status_code=0
+
+  # Configure safe.directory for current context (usually root when run via sudo)
+  local existing_safe_dirs
+  existing_safe_dirs="$(git config --global --get-all safe.directory 2>/dev/null || true)"
+  if printf '%s\n' "$existing_safe_dirs" | grep -Fxq "$KASEKI_CHECKOUT_DIR"; then
+    printf 'ok: git safe.directory already present for current user context\n'
+  else
+    if git config --global --add safe.directory "$KASEKI_CHECKOUT_DIR" >/dev/null 2>&1; then
+      printf 'ok: configured git safe.directory for current user context\n'
+    else
+      printf 'warning: failed to configure git safe.directory for current user context\n'
+      status_code=1
+    fi
+  fi
+
+  # If running via sudo, also configure safe.directory for the invoking user
+  if [ -n "${SUDO_USER:-}" ] && [ "$SUDO_USER" != "root" ]; then
+    local invoking_user_config
+    invoking_user_config="$(sudo -u "$SUDO_USER" git config --global --get-all safe.directory 2>/dev/null || true)"
+    if printf '%s\n' "$invoking_user_config" | grep -Fxq "$KASEKI_CHECKOUT_DIR"; then
+      printf 'ok: git safe.directory already present for invoking user (%s)\n' "$SUDO_USER"
+    else
+      if sudo -u "$SUDO_USER" git config --global --add safe.directory "$KASEKI_CHECKOUT_DIR" >/dev/null 2>&1; then
+        printf 'ok: configured git safe.directory for invoking user (%s)\n' "$SUDO_USER"
+      else
+        printf 'warning: failed to configure git safe.directory for invoking user (%s)\n' "$SUDO_USER"
+        status_code=1
+      fi
+    fi
+  fi
+
+  if [ "$status_code" -ne 0 ]; then
+    printf 'remediation: if you see dubious ownership errors, try manually running as the invoking user:\n'
+    if [ -n "${SUDO_USER:-}" ] && [ "$SUDO_USER" != "root" ]; then
+      printf '  sudo -u %s git config --global --add safe.directory "%s"\n' "$SUDO_USER" "$KASEKI_CHECKOUT_DIR"
+    fi
+    printf '  And as root: git config --global --add safe.directory "%s"\n' "$KASEKI_CHECKOUT_DIR"
+  fi
+
+  return 0
+}
+
+verify_git_safe_directory() {
+  # Verify that safe.directory is actually configured before bootstrap
+  if ! command -v git >/dev/null 2>&1; then
+    return 0
+  fi
+
+  if [ ! -d "$KASEKI_CHECKOUT_DIR/.git" ]; then
+    return 0
+  fi
+
+  local existing_safe_dirs
+  existing_safe_dirs="$(git config --global --get-all safe.directory 2>/dev/null || true)"
+  if printf '%s\n' "$existing_safe_dirs" | grep -Fxq "$KASEKI_CHECKOUT_DIR"; then
+    return 0
+  fi
+
+  # Not configured in current context; check if sudo user context has it
+  if [ -n "${SUDO_USER:-}" ] && [ "$SUDO_USER" != "root" ]; then
+    local invoking_user_config
+    invoking_user_config="$(sudo -u "$SUDO_USER" git config --global --get-all safe.directory 2>/dev/null || true)"
+    if printf '%s\n' "$invoking_user_config" | grep -Fxq "$KASEKI_CHECKOUT_DIR"; then
+      return 0
+    fi
+  fi
+
+  # Safe.directory not configured anywhere; warn but don't fail (bootstrap might still work)
+  printf 'warning: git safe.directory not found for checkout. If bootstrap fails with "dubious ownership", run:\n'
+  if [ -n "${SUDO_USER:-}" ] && [ "$SUDO_USER" != "root" ]; then
+    printf '  sudo -u %s git config --global --add safe.directory "%s"\n' "$SUDO_USER" "$KASEKI_CHECKOUT_DIR"
+  fi
+  printf '  git config --global --add safe.directory "%s"\n' "$KASEKI_CHECKOUT_DIR"
+  return 0
+}
+
 recreate_api_if_requested() {
   if [ "$KASEKI_RECREATE_API" != "1" ]; then
     return 0
@@ -322,6 +464,9 @@ check_writable "$KASEKI_ROOT/kaseki-results" || status=1
 printf 'using host secrets directory: %s\n' "$KASEKI_HOST_SECRETS_DIR"
 normalize_secrets_dir "$KASEKI_HOST_SECRETS_DIR"
 
+fix_checkout_permissions_if_exists
+ensure_git_safe_directory
+verify_git_safe_directory
 bootstrap_checkout_if_possible || status=$?
 
 probe_payload="$(run_checkout_freshness_probe "$KASEKI_CHECKOUT_DIR")"
@@ -347,7 +492,19 @@ fi
 recreate_api_if_requested || status=$?
 
 if [ "$status" -ne 0 ]; then
-  printf 'kaseki host setup incomplete. Re-run with --fix to create directories and bootstrap when possible.\n' >&2
+  printf 'kaseki host setup incomplete. Details above. Common remediation steps:\n' >&2
+  printf '\n' >&2
+  printf '1. Ensure git safe.directory is configured:\n' >&2
+  if [ -n "${SUDO_USER:-}" ] && [ "$SUDO_USER" != "root" ]; then
+    printf '   sudo -u %s git config --global --add safe.directory "%s"\n' "$SUDO_USER" "$KASEKI_CHECKOUT_DIR" >&2
+  fi
+  printf '   git config --global --add safe.directory "%s"\n' "$KASEKI_CHECKOUT_DIR" >&2
+  printf '\n' >&2
+  printf '2. Fix directory permissions/ownership:\n' >&2
+  printf '   sudo chown -R %d:%d "%s"\n' "$KASEKI_CONTAINER_UID" "$KASEKI_CONTAINER_GID" "$KASEKI_ROOT" >&2
+  printf '\n' >&2
+  printf '3. Retry setup:\n' >&2
+  printf '   sudo kaseki-agent host setup --fix\n' >&2
 fi
 
 exit "$status"