@essential-apps/shopify-test-runner 1.0.0

package/src/scripts/runVmAuth.ts

@@ -0,0 +1,541 @@
+#!/usr/bin/env node
+/**
+ * One-time interactive Shopify auth capture inside a VM.
+ *
+ * Why this exists: online tests run inside an HVF arm64
+ * microVM (via supermachine HVF) with chromium under a virtual Xvfb display. There's no way
+ * to interactively log in to Shopify from outside the VM, but the
+ * captured storage state (cookies — Partners session AND, crucially,
+ * Cloudflare's `cf_clearance` Turnstile-bypass cookie) needs to be
+ * captured INSIDE that same VM so the browser fingerprint matches at
+ * test time. Captures from the macOS host (different UA, different
+ * canvas/WebGL hashes) trigger CF re-challenge.
+ *
+ * Flow:
+ *   1. Bake / acquire the same VM the online suite uses (same image,
+ *      same warmupTag → reuses the snapshot — warm acquires are
+ *      ~3 s instead of ~4 min cold bake).
+ *   2. Mount the workspace so storageState.json writes land on the
+ *      host filesystem.
+ *   3. Start x11vnc inside the guest, bound to 0.0.0.0:5900.
+ *   4. Forward host 127.0.0.1:5900 → guest:5900 via vm.exposeTcp.
+ *   5. Open macOS Screen Sharing pointed at vnc://localhost:5900.
+ *   6. Spawn captureAuth.js inside the guest. It opens chrome on
+ *      DISPLAY=:99, navigates to accounts.shopify.com/lookup, and
+ *      waits for a host-side Enter keystroke.
+ *   7. User logs in via VNC, ALSO visits the test store admin to
+ *      pass any Turnstile (so cf_clearance gets captured), then
+ *      hits Enter in the host terminal.
+ *   8. captureAuth writes storageState.json (via the mounted
+ *      workspace → host disk), then exits. We release the VM.
+ *
+ * Usage (one-time per developer machine, or when cf_clearance / the
+ * Partner session expires):
+ *
+ *   npm run test:online:auth
+ *
+ * macOS Screen Sharing opens automatically. If it doesn't, run
+ * `open vnc://localhost:5900` manually. VNC password is "test" by
+ * default; override with TEST_ONLINE_VNC_PASSWORD.
+ *
+ * Supersedes runDockerAuth.ts (libkrun-based; we no longer use
+ * libkrun for any test path).
+ */
+import { existsSync, mkdirSync, readFileSync } from 'node:fs';
+import { homedir, platform as osPlatform } from 'node:os';
+import { resolve } from 'node:path';
+import { spawn as nodeSpawn } from 'node:child_process';
+import { setTimeout as sleep } from 'node:timers/promises';
+import { prepareOciArchive, envFileArgs } from '@essential-apps/shopify-test-core';
+
+const repoRoot = process.cwd();
+const VNC_PORT = 5900;
+
+/**
+ * Resolve the VM image source the same way runVm.ts
+ * does. Without this, the VM runtime treats TEST_ONLINE_VM_IMAGE as
+ * a Docker Hub registry ref and tries to pull it — which 401s for
+ * locally-built `container build` images that never went to a
+ * registry. oci-archive mode is the only one that works for the
+ * Apple-`container`-built images we actually use.
+ */
+async function imageSourceOptions(): Promise<Record<string, unknown>> {
+  const mode = process.env['TEST_ONLINE_VM_IMAGE_SOURCE'] ?? 'oci-archive';
+  if (mode === 'registry') return {};
+  const ref =
+    process.env['TEST_ONLINE_VM_IMAGE'] ??
+    'essential-apps/shopify-test-vm:latest';
+  if (mode === 'oci-archive') {
+    const prep = await prepareOciArchive(ref);
+    if (prep.freshlySaved) {
+      console.error(
+        `[runVmAuth] saved ${ref} → ${prep.archivePath} (${(prep.sizeBytes / 1024 / 1024).toFixed(1)} MB)`,
+      );
+    }
+    return { source: 'oci-archive', sourcePath: prep.archivePath };
+  }
+  if (mode === 'oci-layout') {
+    const sourcePath = process.env['TEST_ONLINE_VM_IMAGE_LAYOUT_PATH'];
+    if (!sourcePath) {
+      throw new Error(
+        `TEST_ONLINE_VM_IMAGE_SOURCE=oci-layout requires TEST_ONLINE_VM_IMAGE_LAYOUT_PATH`,
+      );
+    }
+    return { source: 'oci-layout', sourcePath };
+  }
+  throw new Error(
+    `TEST_ONLINE_VM_IMAGE_SOURCE=${mode} not recognised. Valid: oci-archive | oci-layout | registry`,
+  );
+}
+
+interface PackageJson {
+  name?: string;
+}
+
+function readAppName(): string {
+  const pkgPath = resolve(repoRoot, 'package.json');
+  if (!existsSync(pkgPath)) {
+    throw new Error(
+      `No package.json at ${pkgPath}. Run this from the consuming app's repo root.`,
+    );
+  }
+  const pkg = JSON.parse(readFileSync(pkgPath, 'utf8')) as PackageJson;
+  if (!pkg.name) throw new Error(`package.json at ${pkgPath} has no \`name\` field.`);
+  return pkg.name.replace(/^@[^/]+\//, '');
+}
+
+async function main(): Promise<void> {
+  const appName = readAppName();
+  // Same node_modules volume + tarball-manifest extraFile as
+  // runVm.ts. Sharing both means auth-capture and online
+  // tests use the SAME snapshot (same warmupTag), so a single bake
+  // serves both flows.
+  const linuxModulesVolume =
+    process.env['TEST_LINUX_NODE_MODULES_VOLUME'] ??
+    resolve(homedir(), `.cache/${appName}-test/node_modules.img`);
+  mkdirSync(resolve(linuxModulesVolume, '..'), { recursive: true });
+  const tarballManifest = resolve(
+    repoRoot,
+    'vendor/essential-apps-shopify-test/.tarball-manifest',
+  );
+  const tarballManifestExists = existsSync(tarballManifest);
+
+  const vncPassword = process.env['TEST_ONLINE_VNC_PASSWORD'] ?? 'test';
+  const ref =
+    process.env['TEST_ONLINE_VM_IMAGE'] ?? 'essential-apps/shopify-test-vm:latest';
+  // amd64+Rosetta is the only path that has real Google Chrome
+  // installed (the Dockerfile installs google-chrome-stable amd64);
+  // we want real Chrome here so the captured fingerprint matches
+  // what online tests use (channel: 'chrome' via TEST_FORCE_REAL_CHROME,
+  // OR patchright bundled chromium — both run on this image).
+  const platform = process.env['TEST_ONLINE_VM_PLATFORM'] ?? 'linux/arm64';
+
+  console.error(`[runVmAuth] baking image…`);
+  const tBake = performance.now();
+  const { Image } = await import('@supermachine/core');
+  const imageOpts = await imageSourceOptions();
+  // Same warmup pattern as runVm.ts so this bake hits the
+  // existing snapshot (warmupTag must match). If runVm has
+  // never run cold yet, this will trigger that warmup — ~4 min once.
+  const image = await Image.build({
+    ref,
+    memoryMib: Number(process.env['TEST_ONLINE_VM_MEMORY_MIB'] ?? 8192),
+    vcpus: Number(process.env['TEST_ONLINE_VM_VCPUS'] ?? 4),
+    cmd: ['sleep', 'infinity'],
+    env: { SKIP_OFFLINE_HOST_HIJACK: '1' },
+    platform,
+    mounts: [
+      // VM runtime 0.7.28+ requires explicit guestPath and
+      // auto-mounts at boot before warmup fires.
+      { hostPath: repoRoot, guestTag: 'workspace', guestPath: '/workspace' },
+    ],
+    volumes: [
+      {
+        hostPath: linuxModulesVolume,
+        guestPath: '/workspace/node_modules',
+        sizeMib: 4096,
+      },
+    ],
+    extraFiles: tarballManifestExists
+      ? [
+          { hostPath: tarballManifest, guestPath: '/etc/.shopify-test-tarball-manifest' },
+        ]
+      : [],
+    // Independent auth-capture snapshot. (Despite the historical name
+    // this no longer shares runVm.ts's tag — that moved to
+    // `online-v15-<runtime>-<manifest>`.) This rarely-run flow keys on a
+    // static tag rather than auto-folding the @supermachine/core runtime
+    // version like the main runners, so bump it on warmup-script OR VM
+    // runtime changes. Bumped v3→v4 for the 0.7.62 runtime adoption.
+    warmupTag: 'online-v4',
+    // @ts-expect-error — @supermachine/core's BuildOptions type
+    // doesn't declare `warmup`, but the runtime accepts it. Tracked
+    // upstream; fix-or-augment when the types catch up.
+    warmup: async (vm: {
+      exec: (opts: { argv: string[]; timeoutMs?: number }) => Promise<{
+        exitCode: number;
+        stdout: Buffer;
+        stderr: Buffer;
+      }>;
+    }) => {
+      const r = await vm.exec({
+        argv: [
+          'sh',
+          '-c',
+          `
+          echo "[warmup] >>> ENTERED warmup callback at \$(date +%H:%M:%S.%N)"
+          set -e
+          # VM runtime 0.7.28+ auto-mounts /workspace +
+          # /workspace/node_modules BEFORE warmup fires. Keep the
+          # defence-in-depth virtiofs check so a future auto-mount
+          # regression can't let rm-rf nuke the host bind.
+          NM_FS=\$(stat -f -c %T /workspace/node_modules 2>/dev/null || stat --file-system --format=%T /workspace/node_modules)
+          echo "[warmup] /workspace/node_modules FS type: \$NM_FS"
+          if [ "\$NM_FS" = "virtiofs" ] || [ "\$NM_FS" = "fuse.virtiofs" ]; then
+            echo "FATAL: /workspace/node_modules is \$NM_FS — auto-mount broken"
+            grep ' /workspace' /proc/mounts
+            exit 1
+          fi
+          chown -R postgres:postgres /var/lib/postgresql/data
+          chmod 700 /var/lib/postgresql/data
+          mkdir -p /var/run/postgresql
+          chown postgres:postgres /var/run/postgresql
+          chmod 775 /var/run/postgresql
+          cd /workspace
+          # Fresh install every rebake (tarball-manifest hash
+          # invalidates the snapshot when tarballs change). Wiping
+          # before install ensures stale tarballs can't linger.
+          rm -rf node_modules/* node_modules/.[!.]* 2>/dev/null || true
+          # Don't pipe npm to "tail" — the pipeline status is tail's,
+          # masking npm failures under "set -e", so a transient install
+          # error would bake a half-installed node_modules cache that
+          # warm restores then reuse. Check npm's own status so a failed
+          # install aborts the bake (no cache poisoned, next run rebakes).
+          if ! npm install --legacy-peer-deps --engine-strict=false > /tmp/npm-install.log 2>&1; then
+            echo "--- npm install FAILED - last 40 lines ---"
+            tail -40 /tmp/npm-install.log
+            exit 1
+          fi
+          tail -30 /tmp/npm-install.log
+          if ! grep -q "^127.0.0.1.*localhost" /etc/hosts; then
+            echo "127.0.0.1 localhost" >> /etc/hosts
+            echo "::1 localhost" >> /etc/hosts
+          fi
+        `,
+        ],
+        timeoutMs: 15 * 60 * 1000,
+      });
+      if (r.exitCode !== 0) {
+        console.error('[runVmAuth.warmup] failed:', r.stdout.toString(), r.stderr.toString());
+        throw new Error(`warmup failed (exit ${r.exitCode})`);
+      }
+    },
+    ...imageOpts,
+  });
+  console.error(
+    `[runVmAuth] bake: ${((performance.now() - tBake) / 1000).toFixed(1)} s`,
+  );
+
+  const pool = await image.pool({ min: 1, max: 1, restoreOnRelease: false });
+  const vm = await pool.acquire();
+
+  // Loose typing so we can call signal/writeStdin/readStdout/etc.
+  // without re-importing the full @supermachine/core types tree (vendor name).
+  let forwarder: { stop: () => Promise<void> } | null = null;
+  let captureChild:
+    | {
+        signal: (n: number) => Promise<void>;
+        writeStdin: (b: Buffer) => Promise<void>;
+        readStdout?: () => Promise<Buffer>;
+        readStderr?: () => Promise<Buffer>;
+        wait?: () => Promise<{ exitCode: number }>;
+      }
+    | null = null;
+
+  // Idempotent cleanup. Two design constraints:
+  //   1. SIGINT may fire multiple times (user hammers Ctrl-C), and
+  //      cleanup() is async — a second invocation would otherwise
+  //      race the first, calling signal/wait on already-disposed
+  //      handles ("agent closed connection before sending EXIT").
+  //   2. Each step may throw on second call (already-closed sockets,
+  //      already-released vm, etc.) — wrap individually so a later
+  //      step still runs even if an earlier one's idempotency check
+  //      threw something the catch missed.
+  // Implementation: a singleton promise — first caller does the
+  // work, every subsequent caller awaits the same promise.
+  let cleanupPromise: Promise<void> | null = null;
+  const cleanup = (): Promise<void> => {
+    if (cleanupPromise) return cleanupPromise;
+    cleanupPromise = (async () => {
+      // Null each handle out after using it so a stray reference
+      // elsewhere can't be re-used.
+      const child = captureChild;
+      captureChild = null;
+      if (child) await child.signal(15).catch(() => undefined);
+
+      const fwd = forwarder;
+      forwarder = null;
+      if (fwd) await fwd.stop().catch(() => undefined);
+
+      await vm.release().catch(() => undefined);
+      await pool.shutdown().catch(() => undefined);
+    })();
+    return cleanupPromise;
+  };
+
+  // SIGINT / SIGTERM teardown — without these, Ctrl-C leaves the VM
+  // pinned and the next bake hits "snapshot in use" errors.
+  // First signal triggers cleanup + clean exit; second signal escalates
+  // to immediate process.exit so the user can always bail out.
+  let signalCount = 0;
+  const onSignal = (sig: NodeJS.Signals): void => {
+    signalCount += 1;
+    if (signalCount >= 2) {
+      console.error(`\n[runVmAuth] received ${sig} again — forcing exit`);
+      process.exit(130);
+    }
+    console.error(`\n[runVmAuth] received ${sig}, cleaning up…`);
+    cleanup()
+      .catch(() => undefined)
+      .finally(() => process.exit(130));
+  };
+  process.on('SIGINT', onSignal);
+  process.on('SIGTERM', onSignal);
+
+  try {
+    // 0) Post-restore sanity. VM runtime 0.7.28+ captures the
+    //    auto-mount tree in the snapshot, so /workspace and
+    //    /workspace/node_modules are already mounted on restore.
+    //    Assert + bail if anything's off.
+    const mountR = await vm.exec({
+      argv: ['sh', '-c', `
+        mountpoint -q /workspace || { echo "FATAL: /workspace not mounted"; exit 1; }
+        mountpoint -q /workspace/node_modules || { echo "FATAL: /workspace/node_modules not mounted"; exit 1; }
+        NM_FS=\$(stat -f -c %T /workspace/node_modules 2>/dev/null)
+        if [ "\$NM_FS" = "virtiofs" ] || [ "\$NM_FS" = "fuse.virtiofs" ]; then
+          echo "FATAL: /workspace/node_modules is \$NM_FS — auto-mount layering broken"
+          exit 1
+        fi
+        ls /workspace/node_modules/@essential-apps/shopify-test-runner/dist/scripts/captureAuth.js >/dev/null \
+          || { echo "FATAL: captureAuth.js missing in volume — snapshot/volume out of sync"; exit 1; }
+      `],
+      timeoutMs: 10_000,
+    });
+    if (mountR.exitCode !== 0) {
+      console.error(`[runVmAuth] mount failed:\n${mountR.stdout.toString()}${mountR.stderr.toString()}`);
+      throw new Error('mount setup failed');
+    }
+
+    // 1) Start x11vnc inside the guest. The image's entrypoint.sh
+    //    has the same logic gated on TEST_ONLINE_VNC=1, but that env is
+    //    bake-time only (already snapshotted). Running x11vnc here
+    //    sidesteps the need for a separate baked snapshot.
+    console.error(`[runVmAuth] starting x11vnc on guest :5900…`);
+    const vncStart = await vm.exec({
+      argv: [
+        'bash',
+        '-c',
+        `
+        # No set -e — too many of these commands have valid nonzero
+        # exits (pkill matching 0 procs, rm-of-missing-file, etc.) and
+        # masking them all with || true was both noisy and unreliable.
+        # We explicitly check exit conditions on the things that
+        # matter (Xvfb socket present, x11vnc listening).
+        # Restart Xvfb on :99 with -ac (disable X access control)
+        # so x11vnc — which runs in a fresh shell here, separate from
+        # the entrypoint shell that started the original Xvfb — can
+        # attach without an Xauthority cookie. The entrypoint's Xvfb
+        # is fine for Playwright (which sets DISPLAY=:99 and inherits
+        # the auth context from the same shell), but x11vnc launched
+        # via a separate vm.exec doesn't have that.
+        echo "[xvfb] stopping any existing Xvfb on :99…"
+        # IMPORTANT: do NOT use 'pkill -f' here — the -f flag matches
+        # the full command line, and our own bash script's argv
+        # contains the literal string we'd search for (it's an
+        # embedded heredoc), so pkill would kill its own parent
+        # shell. Match by process name only.
+        pkill -x Xvfb 2>/dev/null || true
+        rm -f /tmp/.X11-unix/X99 /tmp/.X99-lock
+        sleep 0.3
+        # -ac: disable access control (no auth required). Safe inside
+        # the VM — only x11vnc here is going to connect, and x11vnc's
+        # own VNC auth (-rfbauth) gates external access.
+        # -nolisten tcp: still no TCP listener on Xvfb itself.
+        echo "[xvfb] starting Xvfb :99 -ac …"
+        nohup Xvfb :99 -screen 0 1600x1000x24 -nolisten tcp -ac \
+          >/var/log/xvfb.log 2>&1 &
+        for _ in $(seq 1 50); do
+          [ -e /tmp/.X11-unix/X99 ] && break
+          sleep 0.1
+        done
+        if [ ! -e /tmp/.X11-unix/X99 ]; then
+          echo "[xvfb] FAILED to bind /tmp/.X11-unix/X99 within 5s"
+          cat /var/log/xvfb.log
+          exit 1
+        fi
+        echo "[xvfb] up."
+
+        mkdir -p /root/.vnc
+        x11vnc -storepasswd "${vncPassword}" /root/.vnc/passwd >/dev/null 2>&1
+        # Background via shell (&) not x11vnc's -bg (which has been
+        # observed to fork before the accept loop binds). nohup so
+        # the listener survives this exec call returning.
+        echo "[x11vnc] starting on :${VNC_PORT}…"
+        nohup x11vnc -display :99 -forever -shared \
+          -rfbauth /root/.vnc/passwd -rfbport ${VNC_PORT} -quiet \
+          >/var/log/x11vnc.log 2>&1 &
+        VNC_PID=$!
+        echo "[x11vnc] pid $VNC_PID"
+        # Verify the listener actually bound. Use netstat (from
+        # net-tools — installed in both the vm and libkrun
+        # images per the Dockerfiles). bash /dev/tcp was tried first
+        # but ubuntu/jammy bash sometimes ships without the
+        # /dev/tcp/* virtual device enabled, leading to silent probe
+        # failures even when x11vnc IS listening.
+        for _ in $(seq 1 30); do
+          if netstat -ltn 2>/dev/null | grep -q ":${VNC_PORT} "; then
+            exit 0
+          fi
+          sleep 0.1
+        done
+        echo "x11vnc didn't bind :${VNC_PORT} within 3s"
+        echo "--- netstat output ---"
+        netstat -ltn 2>&1 || echo "(netstat unavailable)"
+        echo "--- x11vnc log ---"
+        cat /var/log/x11vnc.log
+        exit 1
+      `,
+      ],
+      timeoutMs: 15_000,
+    });
+    if (vncStart.exitCode !== 0) {
+      console.error(
+        '[runVmAuth] x11vnc failed:',
+        vncStart.stdout.toString(),
+        vncStart.stderr.toString(),
+      );
+      throw new Error('x11vnc startup failed');
+    }
+
+    // 2) Forward host 127.0.0.1:5900 → guest :5900 so the macOS
+    //    Screen Sharing client can reach the VNC server.
+    forwarder = await vm.exposeTcp(VNC_PORT, VNC_PORT);
+    console.error(
+      `[runVmAuth] forwarding host 127.0.0.1:${VNC_PORT} → guest :${VNC_PORT}`,
+    );
+
+    // 3) Open macOS Screen Sharing pointed at the forwarder. Detach
+    //    so the parent process can carry on.
+    if (osPlatform() === 'darwin') {
+      console.error(
+        `[runVmAuth] VNC password (paste into Screen Sharing): ${vncPassword}`,
+      );
+      // Tiny delay so x11vnc accept-loop is warm before the client
+      // dials; otherwise Screen Sharing sometimes shows "connection
+      // refused" and the user has to retry.
+      await sleep(500);
+      // Embed the password in the URL (vnc://:<pw>@host) so macOS Screen
+      // Sharing connects WITHOUT prompting — prefilled, not typed. URL-encode
+      // in case TEST_ONLINE_VNC_PASSWORD has reserved chars.
+      const vncUrl = `vnc://:${encodeURIComponent(vncPassword)}@localhost:${VNC_PORT}`;
+      console.error(
+        `[runVmAuth] Opening macOS Screen Sharing → vnc://localhost:${VNC_PORT} (password prefilled)`,
+      );
+      console.error(`[runVmAuth] (If nothing opens: open '${vncUrl}')`);
+      nodeSpawn('open', [vncUrl], {
+        stdio: 'ignore',
+        detached: true,
+      }).unref();
+    } else {
+      console.error(
+        `[runVmAuth] Connect any VNC viewer to localhost:${VNC_PORT} (password: ${vncPassword}).`,
+      );
+    }
+
+    // 4) Spawn captureAuth.js inside the guest. It opens Chrome on
+    //    DISPLAY=:99, prompts for Enter on stdin, then writes
+    //    storageState.json (which lands on host disk via the
+    //    workspace mount). We bridge host stdin to the guest child
+    //    so the user's Enter keystroke reaches captureAuth's
+    //    readline prompt.
+    console.error('');
+    console.error('━'.repeat(72));
+    console.error('Inside Screen Sharing:');
+    console.error('  1. Log in to Shopify Partners (accounts.shopify.com/lookup).');
+    console.error('  2. Then visit your test store admin');
+    console.error('     (e.g. https://admin.shopify.com/store/<your-store>).');
+    console.error('     If a Cloudflare "Verify you are human" page appears,');
+    console.error('     click through it. Without this step, cf_clearance');
+    console.error('     never lands in storageState and tests will still hit');
+    console.error('     Turnstile.');
+    console.error('  3. Return here and press Enter to save & exit.');
+    console.error('━'.repeat(72));
+    console.error('');
+
+    captureChild = await vm.spawn({
+      argv: [
+        'sh',
+        '-c',
+        // tty=false here (no PTY) because we want the readline prompt
+        // to read from a plain stdin pipe — Chrome doesn't care, it
+        // reads DISPLAY from env.
+        `cd /workspace && DISPLAY=:99 TEST_IN_CONTAINER=true node ${envFileArgs(repoRoot)} node_modules/@essential-apps/shopify-test-runner/dist/scripts/captureAuth.js`,
+      ],
+      env: { DISPLAY: ':99', TEST_IN_CONTAINER: 'true' },
+    });
+
+    // Bridge host stdin → guest captureAuth stdin (for the Enter
+    // prompt). Forwarder runs until the guest child exits.
+    process.stdin.setEncoding('utf8');
+    process.stdin.on('data', (chunk: string | Buffer) => {
+      const buf = typeof chunk === 'string' ? Buffer.from(chunk, 'utf8') : chunk;
+      captureChild!.writeStdin(buf).catch(() => undefined);
+    });
+    process.stdin.resume();
+
+    // Stream guest stdout/stderr to host for visibility.
+    const streamGuest = async (
+      reader: (() => Promise<Buffer>) | undefined,
+      out: NodeJS.WriteStream,
+    ): Promise<void> => {
+      if (!reader) return;
+      // eslint-disable-next-line no-constant-condition
+      while (true) {
+        const chunk = await reader().catch(() => null);
+        if (!chunk || chunk.length === 0) return;
+        out.write(chunk);
+      }
+    };
+    // captureChild has readStdout / readStderr — both Promise<Buffer>
+    // chunks until EOF (zero-length).
+    const childAny = captureChild as unknown as {
+      readStdout?: () => Promise<Buffer>;
+      readStderr?: () => Promise<Buffer>;
+      wait?: () => Promise<{ exitCode: number }>;
+    };
+    void streamGuest(childAny.readStdout, process.stdout);
+    void streamGuest(childAny.readStderr, process.stderr);
+
+    const result = await (childAny.wait?.() ?? Promise.resolve({ exitCode: 0 }));
+    if (result.exitCode === 0) {
+      console.error('');
+      console.error('[runVmAuth] ✓ captureAuth completed successfully.');
+      console.error('[runVmAuth] storageState.json written via workspace mount.');
+    } else {
+      console.error(
+        `[runVmAuth] captureAuth exited with code ${result.exitCode}`,
+      );
+    }
+    await cleanup();
+    process.exit(result.exitCode);
+  } catch (err) {
+    console.error('[runVmAuth] fatal:', (err as Error).message);
+    await cleanup();
+    process.exit(1);
+  }
+}
+
+main().catch(async (err) => {
+  console.error(err);
+  process.exit(1);
+});