@cyanautomation/kaseki-agent 1.64.2 → 1.65.2

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@cyanautomation/kaseki-agent",
-  "version": "1.64.2",
+  "version": "1.65.2",
   "description": "Admin/helper/doctor toolbox and local API client for Kaseki diagnostics, setup, and API-backed coding-agent task workflows",
   "type": "module",
   "license": "MIT",
@@ -57,7 +57,7 @@
     "test:cli:install-local": "npm link && kaseki-agent --version && npm unlink -g @cyanautomation/kaseki-agent",
     "test:cli:install-npx": "npx . --version 2>&1 | grep -q 'version' && echo 'npx test passed'",
     "test:cli:verify": "npm run build && kaseki-agent --help && kaseki-agent doctor --help && kaseki-agent run --help && kaseki-agent list --help && kaseki-agent report --help && kaseki-agent status --help && kaseki-agent cancel --help",
-    "test:ci": "npm run build && npm run type-check && jest --passWithNoTests && bash run-kaseki-json.test.sh && bash tests/allowlist-glob.test.sh && bash tests/restore-disallowed-changes.test.sh && bash tests/auto-lint-cleanup-allowlist.test.sh && bash tests/auto-lint-cleanup-classification.test.sh && bash tests/validation-allowlist-state.test.sh && bash tests/trailing-whitespace-cleanup.test.sh && bash tests/dependency-cache-key.test.sh && bash tests/dependency-restore-mode.test.sh && bash tests/doctor-template-parity.test.sh && bash tests/npm-install-flags.test.sh && bash tests/repo-memory.test.sh && bash tests/pre-agent-validation-order.test.sh && bash tests/scouting-order.test.sh && bash tests/goal-check-malformed-artifact.test.sh && bash scripts/test-github-app.sh && bash tests/github-app-token-install-layout.test.sh && bash tests/github-preflight-helper-load.test.sh",
+    "test:ci": "npm run build && npm run type-check && jest --passWithNoTests && bash run-kaseki-json.test.sh && bash tests/allowlist-glob.test.sh && bash tests/restore-disallowed-changes.test.sh && bash tests/auto-lint-cleanup-allowlist.test.sh && bash tests/auto-lint-cleanup-classification.test.sh && bash tests/validation-allowlist-state.test.sh && bash tests/trailing-whitespace-cleanup.test.sh && bash tests/dependency-cache-key.test.sh && bash tests/dependency-restore-mode.test.sh && bash tests/startup-check-status-aggregation.test.sh && bash tests/doctor-template-parity.test.sh && bash tests/npm-install-flags.test.sh && bash tests/repo-memory.test.sh && bash tests/unset-path-defaults.test.sh && bash tests/pre-agent-validation-order.test.sh && bash tests/scouting-order.test.sh && bash tests/goal-check-malformed-artifact.test.sh && bash scripts/test-github-app.sh && bash tests/github-app-token-install-layout.test.sh && bash tests/github-preflight-helper-load.test.sh",
     "test:watch": "jest --watch",
     "test:coverage": "jest --coverage",
     "lint": "npm run lint:js && npm run lint:sh || true",

package/scripts/docker-entrypoint.sh

@@ -24,6 +24,15 @@ set -euo pipefail
 #   - Express server starts listening on configured port
 #   - Ready to accept requests
 
+# Export shared container path defaults before command dispatch so every mode
+# (including the default agent branch) inherits the same core paths.
+export KASEKI_RESULTS_DIR="${KASEKI_RESULTS_DIR:-/results}"
+export KASEKI_WORKSPACE_DIR="${KASEKI_WORKSPACE_DIR:-/workspace}"
+export KASEKI_WORKSPACE_BASELINE_DIR="${KASEKI_WORKSPACE_BASELINE_DIR:-${KASEKI_WORKSPACE_DIR}/baseline}"
+export KASEKI_APP_LIB_DIR="${KASEKI_APP_LIB_DIR:-/app/lib}"
+export KASEKI_CACHE_DIR="${KASEKI_CACHE_DIR:-/cache}"
+export KASEKI_AGENT_BIN="${KASEKI_AGENT_BIN:-/usr/local/bin/kaseki-agent}"
+
 # Phase 2: Run early startup checks to catch permission and config issues
 # This runs before any kaseki operation to prevent silent failures
 # Auto-remediation enabled by default (KASEKI_STARTUP_CHECK_AUTO_REMEDIATE=1)
@@ -40,6 +49,48 @@ if [ "${KASEKI_SKIP_STARTUP_CHECKS:-0}" != "1" ]; then
   }
 fi
 
+# Phase 2b: Validate directory permissions for container user (UID 10000)
+# This is a critical check before the API starts—if directories aren't writable,
+# the API will fail to store results. Container runs as UID 10000:10000 per docker-compose.yml
+validate_directory_permissions() {
+  local uid="${KASEKI_CONTAINER_UID:-10000}"
+  local gid="${KASEKI_CONTAINER_GID:-10000}"
+  
+  # Directories that must be writable by the container user
+  local required_dirs=(
+    "${KASEKI_ROOT:-/agents}"
+    "${KASEKI_ROOT:-/agents}/kaseki-results"
+    "${KASEKI_ROOT:-/agents}/kaseki-runs"
+    "${KASEKI_ROOT:-/agents}/kaseki-cache"
+  )
+  
+  for dir in "${required_dirs[@]}"; do
+    if [ ! -d "$dir" ]; then
+      echo "warning: required directory does not exist: $dir" >&2
+      echo "  remediation: run 'sudo kaseki-agent host setup --fix' on the host" >&2
+      continue
+    fi
+    
+    # Test write access by the current process (running as UID 10000)
+    if ! [ -w "$dir" ]; then
+      echo "error: directory is not writable by container user ($uid:$gid): $dir" >&2
+      echo "  current ownership: $(stat -c '%U:%G' "$dir")" >&2
+      echo "  remediation: run 'sudo kaseki-agent host setup --fix' on the host" >&2
+      return 1
+    fi
+  done
+  
+  return 0
+}
+
+# Only validate permissions for API mode (not for agent or one-off runs)
+if [ "${1:-agent}" = "api" ] || [ "${1:-agent}" = "kaseki-api" ]; then
+  validate_directory_permissions || {
+    echo "error: directory permissions validation failed; cannot start API" >&2
+    exit 1
+  }
+fi
+
 # Phase 1: Dispatch to appropriate command handler
 case "${1:-agent}" in
   setup)
@@ -53,7 +104,7 @@ case "${1:-agent}" in
     # Health check and diagnostics
     # Usage: docker run kaseki-agent doctor
     shift || true
-    exec /usr/local/bin/kaseki-agent --doctor
+    exec "$KASEKI_AGENT_BIN" --doctor
     ;;
   
   run-mode)
@@ -78,9 +129,7 @@ case "${1:-agent}" in
     # Set required variables and execute agent
     export OPENROUTER_API_KEY_FILE=/secrets/openrouter_api_key
     export KASEKI_INSTANCE="${KASEKI_INSTANCE:-kaseki-run}"
-    export KASEKI_RESULTS_DIR="${KASEKI_RESULTS_DIR:-/results}"
-    
-    exec /usr/local/bin/kaseki-agent "$@"
+    exec "$KASEKI_AGENT_BIN" "$@"
     ;;
   
   setup-remote)
@@ -94,7 +143,7 @@ case "${1:-agent}" in
     # Standard agent execution (existing mode)
     # Usage: docker run kaseki-agent agent <repo> <ref>
     shift || true
-    exec /usr/local/bin/kaseki-agent "$@"
+    exec "$KASEKI_AGENT_BIN" "$@"
     ;;
   
   api|kaseki-api)

package/scripts/kaseki-setup-host.sh

@@ -372,7 +372,13 @@ run_privilege_tools_parallel() {
   : >"$stderr_file"
 
   local temp_dir
-  temp_dir=$(mktemp -d)
+  # Create temp directory with TMPDIR support (for containerized environments)
+  # Fail fast with clear error if temp directory cannot be created
+  if ! temp_dir=$(TMPDIR="${TMPDIR:-/tmp}" mktemp -d 2>/dev/null); then
+    printf 'error: failed to create temporary directory for privilege probe in %s\n' "${TMPDIR:-/tmp}" >"$stderr_file"
+    return 1
+  fi
+
   local success_marker="$temp_dir/success"
   local pids=()
   local failure_stderr_files=()
@@ -656,21 +662,42 @@ ensure_git_safe_directory() {
 
   local status_code=0
 
-  # Configure safe.directory for current context (usually root when run via sudo)
-  local existing_safe_dirs
-  existing_safe_dirs="$(git config --global --get-all safe.directory 2>/dev/null || true)"
-  if printf '%s\n' "$existing_safe_dirs" | grep -Fxq "$KASEKI_CHECKOUT_DIR"; then
-    printf 'ok: git safe.directory already present for current user context\n'
+  # Phase 1: Configure system-wide safe.directory (preferred approach for container isolation)
+  # System config (/etc/gitconfig) is visible to all users including container UID 10000
+  local existing_system_dirs
+  existing_system_dirs="$(git config --system --get-all safe.directory 2>/dev/null || true)"
+  if printf '%s\n' "$existing_system_dirs" | grep -Fxq "$KASEKI_CHECKOUT_DIR"; then
+    printf 'ok: git safe.directory already present in system config\n'
   else
-    if git config --global --add safe.directory "$KASEKI_CHECKOUT_DIR" >/dev/null 2>&1; then
-      printf 'ok: configured git safe.directory for current user context\n'
+    if git config --system --add safe.directory "$KASEKI_CHECKOUT_DIR" >/dev/null 2>&1; then
+      printf 'ok: configured git safe.directory in system config (/etc/gitconfig)\n'
     else
-      printf 'warning: failed to configure git safe.directory for current user context\n'
+      printf 'warning: failed to configure git safe.directory in system config (requires root); falling back to user configs\n'
       status_code=1
     fi
   fi
 
-  # If running via sudo, also configure safe.directory for the invoking user
+  # Phase 2: Fallback to user-level config for current context (usually root when run via sudo)
+  # Only perform this if system config failed
+  if [ "$status_code" -ne 0 ]; then
+    local existing_safe_dirs
+    existing_safe_dirs="$(git config --global --get-all safe.directory 2>/dev/null || true)"
+    if printf '%s\n' "$existing_safe_dirs" | grep -Fxq "$KASEKI_CHECKOUT_DIR"; then
+      printf 'ok: git safe.directory already present for current user context\n'
+      status_code=0
+    else
+      if git config --global --add safe.directory "$KASEKI_CHECKOUT_DIR" >/dev/null 2>&1; then
+        printf 'ok: configured git safe.directory for current user context\n'
+        status_code=0
+      else
+        printf 'warning: failed to configure git safe.directory for current user context\n'
+        status_code=1
+      fi
+    fi
+  fi
+
+  # Phase 3: If running via sudo, also configure safe.directory for the invoking user
+  # This ensures the user who invoked sudo can work with the checkout directly
   if [ -n "${SUDO_USER:-}" ] && [ "$SUDO_USER" != "root" ]; then
     local invoking_user_config
     invoking_user_config="$(sudo -u "$SUDO_USER" git config --global --get-all safe.directory 2>/dev/null || true)"
@@ -681,17 +708,17 @@ ensure_git_safe_directory() {
         printf 'ok: configured git safe.directory for invoking user (%s)\n' "$SUDO_USER"
       else
         printf 'warning: failed to configure git safe.directory for invoking user (%s)\n' "$SUDO_USER"
-        status_code=1
       fi
     fi
   fi
 
   if [ "$status_code" -ne 0 ]; then
-    printf 'remediation: if you see dubious ownership errors, try manually running as the invoking user:\n'
+    printf 'remediation: git safe.directory configuration failed\n'
+    printf '  If you see dubious ownership errors, verify system config or try manually:\n'
+    printf '    sudo git config --system --add safe.directory "%s"\n' "$KASEKI_CHECKOUT_DIR"
     if [ -n "${SUDO_USER:-}" ] && [ "$SUDO_USER" != "root" ]; then
-      printf '  sudo -u %s git config --global --add safe.directory "%s"\n' "$SUDO_USER" "$KASEKI_CHECKOUT_DIR"
+      printf '  Or for invoking user: sudo -u %s git config --global --add safe.directory "%s"\n' "$SUDO_USER" "$KASEKI_CHECKOUT_DIR"
     fi
-    printf '  And as root: git config --global --add safe.directory "%s"\n' "$KASEKI_CHECKOUT_DIR"
   fi
 
   return 0
@@ -707,6 +734,14 @@ verify_git_safe_directory() {
     return 0
   fi
 
+  # Check system-wide config first (preferred, visible to all users including containers)
+  local existing_system_dirs
+  existing_system_dirs="$(git config --system --get-all safe.directory 2>/dev/null || true)"
+  if printf '%s\n' "$existing_system_dirs" | grep -Fxq "$KASEKI_CHECKOUT_DIR"; then
+    return 0
+  fi
+
+  # Check current user context config (usually root)
   local existing_safe_dirs
   existing_safe_dirs="$(git config --global --get-all safe.directory 2>/dev/null || true)"
   if printf '%s\n' "$existing_safe_dirs" | grep -Fxq "$KASEKI_CHECKOUT_DIR"; then
@@ -724,10 +759,10 @@ verify_git_safe_directory() {
 
   # Safe.directory not configured anywhere; warn but don't fail (bootstrap might still work)
   printf 'warning: git safe.directory not found for checkout. If bootstrap fails with "dubious ownership", run:\n'
+  printf '  sudo git config --system --add safe.directory "%s"\n' "$KASEKI_CHECKOUT_DIR"
   if [ -n "${SUDO_USER:-}" ] && [ "$SUDO_USER" != "root" ]; then
-    printf '  sudo -u %s git config --global --add safe.directory "%s"\n' "$SUDO_USER" "$KASEKI_CHECKOUT_DIR"
+    printf '  Or: sudo -u %s git config --global --add safe.directory "%s"\n' "$SUDO_USER" "$KASEKI_CHECKOUT_DIR"
   fi
-  printf '  git config --global --add safe.directory "%s"\n' "$KASEKI_CHECKOUT_DIR"
   return 0
 }
 

package/scripts/startup-checks.sh

@@ -58,6 +58,21 @@ log_warn()  { echo -e "${YELLOW}⚠${NC} $*" >&2; }
 log_error() { echo -e "${RED}✗${NC} $*" >&2; }
 log_info()  { echo -e "${BLUE}ℹ${NC} $*" >&2; }
 
+merge_startup_status() {
+  local current="$1"
+  local next="$2"
+
+  if [ "$current" -eq 2 ] || [ "$next" -eq 2 ]; then
+    printf '2'
+  elif [ "$current" -eq 3 ] || [ "$next" -eq 3 ]; then
+    printf '3'
+  elif [ "$next" -ne 0 ]; then
+    printf '%s' "$next"
+  else
+    printf '%s' "$current"
+  fi
+}
+
 check_path_components_traversable() {
   local target_path="$1"
   local current=""
@@ -302,15 +317,15 @@ check_github_app_secrets() {
 
   check_secret_file_sources \
     "GitHub App ID" \
-    "$github_app_id_file" || exit_code=$((exit_code > $? ? exit_code : $?))
+    "$github_app_id_file" || exit_code=$(merge_startup_status "$exit_code" "$?")
 
   check_secret_file_sources \
     "GitHub App Client ID" \
-    "$github_app_client_id_file" || exit_code=$((exit_code > $? ? exit_code : $?))
+    "$github_app_client_id_file" || exit_code=$(merge_startup_status "$exit_code" "$?")
 
   check_secret_file_sources \
     "GitHub App private key" \
-    "$github_app_private_key_file" || exit_code=$((exit_code > $? ? exit_code : $?))
+    "$github_app_private_key_file" || exit_code=$(merge_startup_status "$exit_code" "$?")
 
   if [ "$exit_code" -eq 0 ]; then
     return 0
@@ -526,38 +541,38 @@ main() {
 
   case "$MODE" in
     all)
-      check_kaseki_root || overall_exit=$?
-      check_subdirectories || overall_exit=$((overall_exit > $? ? overall_exit : $?))
-      check_bootstrap_status || overall_exit=$((overall_exit > $? ? overall_exit : $?))
-      check_secret_paths || overall_exit=$((overall_exit > $? ? overall_exit : $?))
-      check_api_key || overall_exit=$((overall_exit > $? ? overall_exit : $?))
-      check_github_app_secrets || overall_exit=$((overall_exit > $? ? overall_exit : $?))
-      check_github_app_secret_paths || overall_exit=$((overall_exit > $? ? overall_exit : $?))
-      check_git_safe_directory || overall_exit=$((overall_exit > $? ? overall_exit : $?))
+      check_kaseki_root || overall_exit=$(merge_startup_status "$overall_exit" "$?")
+      check_subdirectories || overall_exit=$(merge_startup_status "$overall_exit" "$?")
+      check_bootstrap_status || overall_exit=$(merge_startup_status "$overall_exit" "$?")
+      check_secret_paths || overall_exit=$(merge_startup_status "$overall_exit" "$?")
+      check_api_key || overall_exit=$(merge_startup_status "$overall_exit" "$?")
+      check_github_app_secrets || overall_exit=$(merge_startup_status "$overall_exit" "$?")
+      check_github_app_secret_paths || overall_exit=$(merge_startup_status "$overall_exit" "$?")
+      check_git_safe_directory || overall_exit=$(merge_startup_status "$overall_exit" "$?")
       ;;
     permissions)
-      check_kaseki_root || overall_exit=$?
-      check_subdirectories || overall_exit=$?
+      check_kaseki_root || overall_exit=$(merge_startup_status "$overall_exit" "$?")
+      check_subdirectories || overall_exit=$(merge_startup_status "$overall_exit" "$?")
       ;;
     bootstrap)
-      check_bootstrap_status || overall_exit=$?
+      check_bootstrap_status || overall_exit=$(merge_startup_status "$overall_exit" "$?")
       ;;
     quick|boot)
-      check_kaseki_root || overall_exit=$?
+      check_kaseki_root || overall_exit=$(merge_startup_status "$overall_exit" "$?")
       ;;
     worker)
-      check_worker_mounts || overall_exit=$?
-      check_results_writable || overall_exit=$((overall_exit > $? ? overall_exit : $?))
-      check_secret_paths || overall_exit=$((overall_exit > $? ? overall_exit : $?))
-      check_api_key || overall_exit=$((overall_exit > $? ? overall_exit : $?))
-      check_github_app_secrets || overall_exit=$((overall_exit > $? ? overall_exit : $?))
-      check_github_app_secret_paths || overall_exit=$((overall_exit > $? ? overall_exit : $?))
+      check_worker_mounts || overall_exit=$(merge_startup_status "$overall_exit" "$?")
+      check_results_writable || overall_exit=$(merge_startup_status "$overall_exit" "$?")
+      check_secret_paths || overall_exit=$(merge_startup_status "$overall_exit" "$?")
+      check_api_key || overall_exit=$(merge_startup_status "$overall_exit" "$?")
+      check_github_app_secrets || overall_exit=$(merge_startup_status "$overall_exit" "$?")
+      check_github_app_secret_paths || overall_exit=$(merge_startup_status "$overall_exit" "$?")
       ;;
     baseline-validation)
-      check_kaseki_root || overall_exit=$?
-      check_subdirectories || overall_exit=$((overall_exit > $? ? overall_exit : $?))
-      check_bootstrap_status || overall_exit=$((overall_exit > $? ? overall_exit : $?))
-      check_secret_paths || overall_exit=$((overall_exit > $? ? overall_exit : $?))
+      check_kaseki_root || overall_exit=$(merge_startup_status "$overall_exit" "$?")
+      check_subdirectories || overall_exit=$(merge_startup_status "$overall_exit" "$?")
+      check_bootstrap_status || overall_exit=$(merge_startup_status "$overall_exit" "$?")
+      check_secret_paths || overall_exit=$(merge_startup_status "$overall_exit" "$?")
       ;;
     *)
       log_error "Unknown mode: $MODE"