@cyanautomation/kaseki-agent 1.36.11 → 1.37.0

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@cyanautomation/kaseki-agent",
-  "version": "1.36.11",
+  "version": "1.37.0",
   "description": "Admin/helper/doctor toolbox and local API client for Kaseki diagnostics, setup, and API-backed coding-agent task workflows",
   "type": "module",
   "license": "MIT",

package/scripts/kaseki-setup-host.sh

@@ -100,6 +100,19 @@ check_writable() {
   fi
 }
 
+fix_checkout_permissions_if_exists() {
+  # If checkout directory exists with potentially problematic ownership,
+  # try to fix it to match container UID:GID (only when --fix is set)
+  if [ "$KASEKI_FIX" != "1" ]; then
+    return 0
+  fi
+  if [ ! -d "$KASEKI_CHECKOUT_DIR" ]; then
+    return 0
+  fi
+  # Attempt to fix ownership to container UID:GID for consistency
+  run_privileged chown -R "$KASEKI_CONTAINER_UID:$KASEKI_CONTAINER_GID" "$KASEKI_CHECKOUT_DIR" 2>/dev/null || true
+}
+
 resolve_uid_to_name() {
   local uid="$1"
   if ! command -v getent >/dev/null 2>&1; then
@@ -151,12 +164,20 @@ run_checkout_freshness_probe() {
   local probe_status="skipped"
   local probe_detail="Checkout freshness probe skipped because setup did not run bootstrap."
   local probe_remediation=""
+  local stderr_file=""
+
+  cleanup_probe_stderr_file() {
+    if [ -n "$stderr_file" ]; then
+      rm -f "$stderr_file"
+    fi
+  }
 
   if [ ! -d "$checkout_dir" ]; then
     probe_status="failed"
     probe_detail="Checkout freshness probe failed: expected checkout path ${checkout_dir} does not exist."
     probe_remediation="Fix ownership/permissions so ${checkout_dir} and ${checkout_dir}/.git are readable by UID:GID ${KASEKI_CONTAINER_UID}:${KASEKI_CONTAINER_GID}."
     printf '%s|%s|%s\n' "$probe_status" "$probe_detail" "$probe_remediation"
+    cleanup_probe_stderr_file
     return 0
   fi
 
@@ -165,15 +186,12 @@ run_checkout_freshness_probe() {
     probe_detail="Checkout freshness probe failed: ${checkout_dir}/.git is missing or inaccessible."
     probe_remediation="Fix ownership/permissions so ${checkout_dir} and ${checkout_dir}/.git are readable by UID:GID ${KASEKI_CONTAINER_UID}:${KASEKI_CONTAINER_GID}."
     printf '%s|%s|%s\n' "$probe_status" "$probe_detail" "$probe_remediation"
+    cleanup_probe_stderr_file
     return 0
   fi
 
-  local stderr_file
   stderr_file="$(mktemp)"
-  
-  # Ensure cleanup on exit
-  trap 'rm -f "$stderr_file"' EXIT INT TERM
-  
+
   local probe_command=(git -C "$checkout_dir" rev-parse HEAD)
 
   local resolved_user_name=""
@@ -214,7 +232,7 @@ run_checkout_freshness_probe() {
     probe_status="ok"
     probe_detail="Checkout freshness probe passed for ${checkout_dir} as UID:GID ${KASEKI_CONTAINER_UID}:${KASEKI_CONTAINER_GID}."
   fi
-  rm -f "$stderr_file"
+  cleanup_probe_stderr_file
 
   printf '%s|%s|%s\n' "$probe_status" "$probe_detail" "$probe_remediation"
 }
@@ -324,6 +342,94 @@ bootstrap_checkout_if_possible() {
   return 1
 }
 
+ensure_git_safe_directory() {
+  if ! command -v git >/dev/null 2>&1; then
+    printf 'warning: git is unavailable; skipping safe.directory preflight for %s\n' "$KASEKI_CHECKOUT_DIR"
+    return 0
+  fi
+
+  if [ ! -d "$KASEKI_CHECKOUT_DIR/.git" ]; then
+    printf 'warning: %s/.git is missing; skipping safe.directory preflight\n' "$KASEKI_CHECKOUT_DIR"
+    return 0
+  fi
+
+  local status_code=0
+
+  # Configure safe.directory for current context (usually root when run via sudo)
+  local existing_safe_dirs
+  existing_safe_dirs="$(git config --global --get-all safe.directory 2>/dev/null || true)"
+  if printf '%s\n' "$existing_safe_dirs" | grep -Fxq "$KASEKI_CHECKOUT_DIR"; then
+    printf 'ok: git safe.directory already present for current user context\n'
+  else
+    if git config --global --add safe.directory "$KASEKI_CHECKOUT_DIR" >/dev/null 2>&1; then
+      printf 'ok: configured git safe.directory for current user context\n'
+    else
+      printf 'warning: failed to configure git safe.directory for current user context\n'
+      status_code=1
+    fi
+  fi
+
+  # If running via sudo, also configure safe.directory for the invoking user
+  if [ -n "${SUDO_USER:-}" ] && [ "$SUDO_USER" != "root" ]; then
+    local invoking_user_config
+    invoking_user_config="$(sudo -u "$SUDO_USER" git config --global --get-all safe.directory 2>/dev/null || true)"
+    if printf '%s\n' "$invoking_user_config" | grep -Fxq "$KASEKI_CHECKOUT_DIR"; then
+      printf 'ok: git safe.directory already present for invoking user (%s)\n' "$SUDO_USER"
+    else
+      if sudo -u "$SUDO_USER" git config --global --add safe.directory "$KASEKI_CHECKOUT_DIR" >/dev/null 2>&1; then
+        printf 'ok: configured git safe.directory for invoking user (%s)\n' "$SUDO_USER"
+      else
+        printf 'warning: failed to configure git safe.directory for invoking user (%s)\n' "$SUDO_USER"
+        status_code=1
+      fi
+    fi
+  fi
+
+  if [ "$status_code" -ne 0 ]; then
+    printf 'remediation: if you see dubious ownership errors, try manually running as the invoking user:\n'
+    if [ -n "${SUDO_USER:-}" ] && [ "$SUDO_USER" != "root" ]; then
+      printf '  sudo -u %s git config --global --add safe.directory "%s"\n' "$SUDO_USER" "$KASEKI_CHECKOUT_DIR"
+    fi
+    printf '  And as root: git config --global --add safe.directory "%s"\n' "$KASEKI_CHECKOUT_DIR"
+  fi
+
+  return 0
+}
+
+verify_git_safe_directory() {
+  # Verify that safe.directory is actually configured before bootstrap
+  if ! command -v git >/dev/null 2>&1; then
+    return 0
+  fi
+
+  if [ ! -d "$KASEKI_CHECKOUT_DIR/.git" ]; then
+    return 0
+  fi
+
+  local existing_safe_dirs
+  existing_safe_dirs="$(git config --global --get-all safe.directory 2>/dev/null || true)"
+  if printf '%s\n' "$existing_safe_dirs" | grep -Fxq "$KASEKI_CHECKOUT_DIR"; then
+    return 0
+  fi
+
+  # Not configured in current context; check if sudo user context has it
+  if [ -n "${SUDO_USER:-}" ] && [ "$SUDO_USER" != "root" ]; then
+    local invoking_user_config
+    invoking_user_config="$(sudo -u "$SUDO_USER" git config --global --get-all safe.directory 2>/dev/null || true)"
+    if printf '%s\n' "$invoking_user_config" | grep -Fxq "$KASEKI_CHECKOUT_DIR"; then
+      return 0
+    fi
+  fi
+
+  # Safe.directory not configured anywhere; warn but don't fail (bootstrap might still work)
+  printf 'warning: git safe.directory not found for checkout. If bootstrap fails with "dubious ownership", run:\n'
+  if [ -n "${SUDO_USER:-}" ] && [ "$SUDO_USER" != "root" ]; then
+    printf '  sudo -u %s git config --global --add safe.directory "%s"\n' "$SUDO_USER" "$KASEKI_CHECKOUT_DIR"
+  fi
+  printf '  git config --global --add safe.directory "%s"\n' "$KASEKI_CHECKOUT_DIR"
+  return 0
+}
+
 recreate_api_if_requested() {
   if [ "$KASEKI_RECREATE_API" != "1" ]; then
     return 0
@@ -358,6 +464,9 @@ check_writable "$KASEKI_ROOT/kaseki-results" || status=1
 printf 'using host secrets directory: %s\n' "$KASEKI_HOST_SECRETS_DIR"
 normalize_secrets_dir "$KASEKI_HOST_SECRETS_DIR"
 
+fix_checkout_permissions_if_exists
+ensure_git_safe_directory
+verify_git_safe_directory
 bootstrap_checkout_if_possible || status=$?
 
 probe_payload="$(run_checkout_freshness_probe "$KASEKI_CHECKOUT_DIR")"
@@ -383,7 +492,19 @@ fi
 recreate_api_if_requested || status=$?
 
 if [ "$status" -ne 0 ]; then
-  printf 'kaseki host setup incomplete. Re-run with --fix to create directories and bootstrap when possible.\n' >&2
+  printf 'kaseki host setup incomplete. Details above. Common remediation steps:\n' >&2
+  printf '\n' >&2
+  printf '1. Ensure git safe.directory is configured:\n' >&2
+  if [ -n "${SUDO_USER:-}" ] && [ "$SUDO_USER" != "root" ]; then
+    printf '   sudo -u %s git config --global --add safe.directory "%s"\n' "$SUDO_USER" "$KASEKI_CHECKOUT_DIR" >&2
+  fi
+  printf '   git config --global --add safe.directory "%s"\n' "$KASEKI_CHECKOUT_DIR" >&2
+  printf '\n' >&2
+  printf '2. Fix directory permissions/ownership:\n' >&2
+  printf '   sudo chown -R %d:%d "%s"\n' "$KASEKI_CONTAINER_UID" "$KASEKI_CONTAINER_GID" "$KASEKI_ROOT" >&2
+  printf '\n' >&2
+  printf '3. Retry setup:\n' >&2
+  printf '   sudo kaseki-agent host setup --fix\n' >&2
 fi
 
 exit "$status"