@fitlab-ai/agent-infra 0.5.9 → 0.5.10

package/lib/sandbox/engines/index.js

@@ -0,0 +1,27 @@
+import { colimaAdapter } from './colima.js';
+import { dockerDesktopAdapter } from './docker-desktop.js';
+import { nativeAdapter } from './native.js';
+import { orbstackAdapter } from './orbstack.js';
+import { wsl2Adapter } from './wsl2.js';
+
+export const ADAPTERS = Object.freeze({
+  colima: colimaAdapter,
+  orbstack: orbstackAdapter,
+  'docker-desktop': dockerDesktopAdapter,
+  native: nativeAdapter,
+  wsl2: wsl2Adapter
+});
+
+export function getAdapter(engineId) {
+  const adapter = ADAPTERS[engineId];
+  if (!adapter) {
+    throw new Error(`No adapter registered for engine '${engineId}'`);
+  }
+  return adapter;
+}
+
+export function enginesForPlatform(platformName) {
+  return Object.values(ADAPTERS)
+    .filter((adapter) => adapter.supportedPlatforms.includes(platformName))
+    .map((adapter) => adapter.id);
+}

package/lib/sandbox/engines/native.js

@@ -0,0 +1,112 @@
+export function isRootlessDocker({ env = process.env, runSafe } = {}) {
+  const dockerHost = env.DOCKER_HOST ?? '';
+  if (dockerHost.startsWith('unix:///run/user/')) {
+    return true;
+  }
+
+  if (!runSafe) {
+    return false;
+  }
+
+  try {
+    const securityOptions = runSafe('docker', ['info', '--format', '{{.SecurityOptions}}']);
+    return securityOptions.includes('rootless');
+  } catch {
+    return false;
+  }
+}
+
+export function resolveBuildUid({ engine, runFn, runSafeFn, env = process.env }) {
+  const runSafe = runSafeFn
+    ? (cmd, args) => runSafeFn(engine, cmd, args)
+    : undefined;
+
+  if (engine === 'native' && isRootlessDocker({ env, runSafe })) {
+    return { uid: '0', gid: '0' };
+  }
+
+  return {
+    uid: runFn(engine, 'id', ['-u']),
+    gid: runFn(engine, 'id', ['-g'])
+  };
+}
+
+export const nativeAdapter = {
+  id: 'native',
+  displayName: 'native Docker',
+  supportedPlatforms: ['linux', 'win32'],
+  dockerContext: null,
+  managed: false,
+  canApplyResources: 'never',
+
+  defaultResources() {
+    return null;
+  },
+
+  async ensure(_config, _onMessage, { runOk, runSafe }) {
+    if (!runOk('which', ['docker'])) {
+      throw new Error([
+        'Docker is not installed.',
+        'Install Docker Engine for your distribution: https://docs.docker.com/engine/install/',
+        'Then start the daemon with: sudo systemctl enable --now docker',
+        'If you want to run Docker without sudo, add your user to the docker group: sudo usermod -aG docker $USER'
+      ].join('\n'));
+    }
+
+    if (runOk('docker', ['info'])) {
+      return false;
+    }
+
+    const serverVersion = runSafe('docker', ['version', '--format', '{{.Server.Version}}']);
+    const rootless = isRootlessDocker({ runSafe });
+    if (!serverVersion) {
+      if (rootless) {
+        throw new Error([
+          'Docker rootless daemon is not running or is unreachable.',
+          'Start it with: systemctl --user start docker',
+          'Enable it on login with: systemctl --user enable docker',
+          'Verify DOCKER_HOST points at $XDG_RUNTIME_DIR/docker.sock.',
+          'Then retry: ai sandbox create <branch>'
+        ].join('\n'));
+      }
+
+      throw new Error([
+        'Docker daemon is not running or is unreachable.',
+        'Start it with: sudo systemctl start docker',
+        'Enable it on boot with: sudo systemctl enable docker',
+        'If you use rootless or remote Docker, verify DOCKER_HOST points at a reachable socket.',
+        'For rootless Docker, export DOCKER_HOST=unix:///run/user/$(id -u)/docker.sock and run: systemctl --user start docker',
+        'Then retry: ai sandbox create <branch>'
+      ].join('\n'));
+    }
+
+    if (rootless) {
+      throw new Error([
+        'docker info failed even though the rootless daemon responded to version.',
+        'This usually means DOCKER_HOST or XDG_RUNTIME_DIR is misconfigured.',
+        'Verify DOCKER_HOST matches $XDG_RUNTIME_DIR/docker.sock.',
+        'Check the daemon with: systemctl --user status docker',
+        'Then retry: ai sandbox create <branch>'
+      ].join('\n'));
+    }
+
+    throw new Error([
+      'Docker is installed, but the current user may lack permission to use the daemon.',
+      'Add your user to the docker group: sudo usermod -aG docker $USER',
+      'Open a new login shell or run: newgrp docker'
+    ].join('\n'));
+  },
+
+  syncResources(config, onMessage) {
+    if (!config.hasUserVmConfig?.(config.userVm)) {
+      return;
+    }
+
+    onMessage?.(
+      'Warning: Linux native Docker has no managed VM; sandbox.vm.* is not applicable. '
+      + 'Use docker run --cpus / --memory per container or host cgroups.'
+    );
+  }
+};
+
+export default nativeAdapter;

package/lib/sandbox/engines/orbstack.js

@@ -0,0 +1,76 @@
+export const orbstackAdapter = {
+  id: 'orbstack',
+  displayName: 'OrbStack',
+  supportedPlatforms: ['darwin'],
+  dockerContext: 'orbstack',
+  managed: true,
+  canApplyResources: 'hot',
+
+  defaultResources() {
+    return null;
+  },
+
+  async ensure(_config, onMessage, { runOk, runVerbose }) {
+    let started = false;
+
+    if (!runOk('which', ['orb'])) {
+      onMessage?.('Installing OrbStack via Homebrew...');
+      runVerbose('brew', ['install', '--cask', 'orbstack']);
+    }
+
+    if (!runOk('docker', ['info'])) {
+      onMessage?.('Starting OrbStack...');
+      runVerbose('orb', ['start']);
+      started = true;
+    }
+
+    if (!runOk('docker', ['info'])) {
+      throw new Error('Docker daemon is not available after starting OrbStack');
+    }
+
+    return started;
+  },
+
+  startVm(_config, _onMessage, { runOk, runVerbose }) {
+    if (runOk('orb', ['status'])) {
+      return 'already-running';
+    }
+
+    runVerbose('orb', ['start']);
+    return 'started';
+  },
+
+  stopVm(_config, _onMessage, { run }) {
+    run('orb', ['stop']);
+    return 'stopped';
+  },
+
+  syncResources(config, onMessage, { runVerbose }) {
+    const vm = config?.vm ?? {};
+
+    if (vm.cpu != null) {
+      try {
+        runVerbose('orb', ['config', 'set', 'cpu', String(vm.cpu)]);
+      } catch {
+        onMessage?.(`Warning: failed to apply OrbStack cpu=${vm.cpu}; resource limit may not take effect.`);
+      }
+    }
+
+    if (vm.memory != null) {
+      try {
+        runVerbose('orb', ['config', 'set', 'memory_mib', String(vm.memory * 1024)]);
+      } catch {
+        onMessage?.(`Warning: failed to apply OrbStack memory=${vm.memory}GiB; resource limit may not take effect.`);
+      }
+    }
+
+    if (vm.disk != null) {
+      onMessage?.(
+        `Warning: OrbStack does not expose a fixed disk size; sandbox.vm.disk=${vm.disk} is ignored. `
+        + 'Manage storage via OrbStack settings GUI.'
+      );
+    }
+  }
+};
+
+export default orbstackAdapter;

package/lib/sandbox/engines/selinux.js

@@ -0,0 +1,60 @@
+import fs from 'node:fs';
+
+const SELINUX_ENFORCE_PATH = '/sys/fs/selinux/enforce';
+const detectionCache = new WeakMap();
+const VALID_DISABLE_VALUES = new Set([undefined, '', '0', '1']);
+
+function isDisabled(env) {
+  return env?.AGENT_INFRA_SELINUX_DISABLE === '1';
+}
+
+function readEnforceFlag(fsImpl) {
+  try {
+    return fsImpl.readFileSync(SELINUX_ENFORCE_PATH, 'utf8').trim();
+  } catch {
+    return null;
+  }
+}
+
+function isSelinuxEnforcing(fsImpl, platform) {
+  let cache = detectionCache.get(fsImpl);
+  if (!cache) {
+    cache = new Map();
+    detectionCache.set(fsImpl, cache);
+  }
+
+  if (cache.has(platform)) {
+    return cache.get(platform);
+  }
+
+  const enforcing = readEnforceFlag(fsImpl) === '1';
+  cache.set(platform, enforcing);
+  return enforcing;
+}
+
+export function selinuxLabelForMount(engine, options = {}) {
+  const {
+    fs: fsImpl = fs,
+    platform = process.platform,
+    env = process.env
+  } = options;
+
+  if (engine !== 'native' || platform !== 'linux') {
+    return null;
+  }
+  if (isDisabled(env)) {
+    return null;
+  }
+  if (!isSelinuxEnforcing(fsImpl, platform)) {
+    return null;
+  }
+
+  return 'z';
+}
+
+export function validateSelinuxDisableEnv(env = process.env) {
+  const value = env?.AGENT_INFRA_SELINUX_DISABLE;
+  if (!VALID_DISABLE_VALUES.has(value)) {
+    throw new Error('Invalid AGENT_INFRA_SELINUX_DISABLE value. Expected 1 to disable, or unset/0 for default.');
+  }
+}

package/lib/sandbox/engines/wsl2-paths.js

@@ -0,0 +1,59 @@
+import path from 'node:path';
+import { selinuxLabelForMount } from './selinux.js';
+
+const WINDOWS_DRIVE_PATH_PATTERN = /^([A-Za-z]):[\\/](.*)$/;
+const UNC_PATH_PATTERN = /^(?:\\\\|\/\/)[^\\/]+[\\/][^\\/]+/;
+
+export function hostJoin(basePath, ...segments) {
+  return basePath.startsWith('/') ? path.posix.join(basePath, ...segments) : path.join(basePath, ...segments);
+}
+
+export function isWindowsDrivePath(value) {
+  return typeof value === 'string' && WINDOWS_DRIVE_PATH_PATTERN.test(value);
+}
+
+export function isUncPath(value) {
+  return typeof value === 'string' && UNC_PATH_PATTERN.test(value);
+}
+
+export function windowsPathToWslPath(value) {
+  if (typeof value !== 'string' || value.length === 0) {
+    return value;
+  }
+
+  if (isUncPath(value)) {
+    throw new Error(`UNC paths are not supported for WSL2 sandbox mounts: ${value}`);
+  }
+
+  const match = value.match(WINDOWS_DRIVE_PATH_PATTERN);
+  if (!match) {
+    return value.replace(/\\/g, '/');
+  }
+
+  const [, drive, rest] = match;
+  const normalizedRest = rest.replace(/\\/g, '/').replace(/^\/+/, '');
+  return `/mnt/${drive.toLowerCase()}/${normalizedRest}`;
+}
+
+export function toEnginePath(engine, value) {
+  if (engine !== 'wsl2') {
+    return value;
+  }
+
+  return windowsPathToWslPath(value);
+}
+
+export function volumeArg(engine, hostPath, containerPath, suffix = '', options = {}) {
+  const { selinux = 'shared', ...selinuxOptions } = options;
+  const flags = suffix.replace(/^:/, '').split(',').filter(Boolean);
+
+  if (selinux !== 'none') {
+    const label = selinuxLabelForMount(engine, selinuxOptions);
+    if (label && !flags.includes(label)) {
+      flags.push(label);
+    }
+  }
+
+  const composedSuffix = flags.length > 0 ? `:${flags.join(',')}` : '';
+  return `${toEnginePath(engine, hostPath)}:${containerPath}${composedSuffix}`;
+}

package/lib/sandbox/engines/wsl2.js

@@ -0,0 +1,72 @@
+function ensureWslAvailable(runOk) {
+  if (runOk('wsl.exe', ['--status']) || runOk('wsl.exe', ['--', 'true'])) {
+    return;
+  }
+
+  throw new Error([
+    'WSL2 is required for Windows sandbox support.',
+    'Install WSL2, configure a default Linux distribution, and re-run "ai sandbox create".'
+  ].join('\n'));
+}
+
+function ensureDockerAvailable(runOk) {
+  if (runOk('wsl.exe', ['--', 'docker', 'info'])) {
+    return;
+  }
+
+  throw new Error([
+    'Docker is not available inside WSL2.',
+    'Start Docker Desktop and enable WSL integration for your default distribution.'
+  ].join('\n'));
+}
+
+function wsl2BackendCheck(runOk, onMessage) {
+  ensureWslAvailable(runOk);
+  onMessage?.('Checking Docker Desktop from WSL2...');
+  ensureDockerAvailable(runOk);
+}
+
+export const wsl2Adapter = {
+  id: 'wsl2',
+  displayName: 'WSL2',
+  supportedPlatforms: ['win32'],
+  dockerContext: null,
+  managed: true,
+  canApplyResources: 'never',
+
+  defaultResources() {
+    return null;
+  },
+
+  async ensure(config, onMessage, { runOk }) {
+    wsl2BackendCheck(runOk, onMessage);
+    void config;
+    return false;
+  },
+
+  startVm(config, onMessage, { runOk }) {
+    wsl2BackendCheck(runOk, onMessage);
+    void config;
+    return 'already-running';
+  },
+
+  stopVm() {
+    throw new Error(
+      'Windows uses Docker Desktop with WSL2. Stop it from Docker Desktop or run "wsl --shutdown" manually.'
+    );
+  },
+
+  syncResources(config, onMessage) {
+    if (!config.hasUserVmConfig?.(config.userVm)) {
+      return;
+    }
+
+    onMessage?.(
+      'Warning: Docker Desktop manages CPU/memory/disk via Settings -> Resources. '
+      + 'sandbox.vm.* values and --cpu/--memory flags are not applied for this engine. '
+      + 'Please configure resources in Docker Desktop GUI to match.'
+    );
+  }
+};
+
+export default wsl2Adapter;

package/lib/sandbox/index.js

@@ -3,9 +3,10 @@ const USAGE = `Usage: ai sandbox <command> [options]
 Commands:
   create <branch> [base]       Create a sandbox (VM + image + worktree + container)
   exec <branch> [cmd...]       Enter sandbox or run a command
+  refresh                      Sync host Claude Code credentials to all sandbox copies
   ls                           List sandboxes for the current project
   rm <branch> [--all]          Remove a sandbox or all sandboxes
-  vm status|start|stop         Manage the sandbox VM (macOS only)
+  vm status|start|stop         Manage the sandbox VM (macOS) or check the backend (Windows)
   rebuild [--quiet]            Rebuild the sandbox image
 
 Run 'ai sandbox <command> --help' for details.`;
@@ -38,6 +39,14 @@ export async function runSandbox(args) {
       }
       break;
     }
+    case 'refresh': {
+      const { refresh } = await import('./commands/refresh.js');
+      const exitCode = await refresh(rest);
+      if (typeof exitCode === 'number' && exitCode !== 0) {
+        process.exitCode = exitCode;
+      }
+      break;
+    }
     case 'ls': {
       const { ls } = await import('./commands/ls.js');
       ls(rest);

package/lib/sandbox/runtimes/ai-tools.dockerfile

@@ -7,7 +7,10 @@ RUN if [ -z "${AI_TOOL_PACKAGES}" ]; then \
       echo "AI_TOOL_PACKAGES build arg is required"; \
       exit 1; \
     fi && \
-    npm install -g ${AI_TOOL_PACKAGES}
+    set -e && \
+    for pkg in ${AI_TOOL_PACKAGES}; do \
+      npm install -g "$pkg"; \
+    done
 
 RUN npm install -g pyright
 
@@ -15,6 +18,16 @@ RUN mkdir -p /home/devuser/.local/share /home/devuser/.local/state
 
 RUN git config --global --add safe.directory /workspace
 
+# Host shell-config is bind-mounted as a directory at this path; the four files
+# inside (.gitconfig, .gitignore_global, .stCommitMsg, .bash_aliases) are exposed
+# via symlinks in $HOME. Directory binds avoid the //deleted invalidation that
+# single-file binds suffer when their source is rewritten on macOS/virtiofs.
+RUN mkdir -p /home/devuser/.host-shell-config && \
+    ln -sf .host-shell-config/.gitconfig        /home/devuser/.gitconfig && \
+    ln -sf .host-shell-config/.gitignore_global /home/devuser/.gitignore_global && \
+    ln -sf .host-shell-config/.stCommitMsg      /home/devuser/.stCommitMsg && \
+    ln -sf .host-shell-config/.bash_aliases     /home/devuser/.bash_aliases
+
 RUN echo 'export NPM_CONFIG_PREFIX=/home/devuser/.npm-global' >> /home/devuser/.bashrc && \
     echo 'export PATH="/home/devuser/.npm-global/bin:${PATH}"' >> /home/devuser/.bashrc && \
     echo 'export GIT_CONFIG_GLOBAL=/home/devuser/.gitconfig' >> /home/devuser/.bashrc && \

package/lib/sandbox/runtimes/base.dockerfile

@@ -18,7 +18,7 @@ RUN if [ "${HOST_UID}" = "0" ]; then \
     fi
 
 RUN apt-get update && apt-get install -y \
-    curl wget git vim file \
+    curl wget git vim file jq \
     build-essential ca-certificates gnupg lsb-release \
     libevent-core-2.1-7 libncursesw6 libtinfo6 \
     pkg-config bison libevent-dev libncurses-dev \
@@ -53,8 +53,123 @@ RUN printf '%s\n' \
       "set -as terminal-features 'xterm*:extkeys'" \
       "set -ga update-environment 'TERM_PROGRAM TERM_PROGRAM_VERSION LC_TERMINAL LC_TERMINAL_VERSION'" \
       'set -g mouse on' \
+      'set -g status-interval 1' \
+      'set -g status-right-length 80' \
+      "set -g status-right '#(/usr/local/bin/cc-token-status) | %H:%M'" \
     > /etc/tmux.conf
 
+RUN cat > /usr/local/bin/cc-token-status <<'SCRIPT' && chmod +x /usr/local/bin/cc-token-status
+#!/bin/sh
+set -eu
+
+CRED_FILE="/home/devuser/.claude/.credentials.json"
+[ -r "$CRED_FILE" ] || exit 0
+
+EXPIRES_MS=$(jq -r '(.claudeAiOauth.expiresAt // .expiresAt) // empty' "$CRED_FILE" 2>/dev/null || true)
+case "$EXPIRES_MS" in
+  ''|*[!0-9]*) exit 0 ;;
+esac
+
+NOW_MS=$(($(date +%s) * 1000))
+DIFF_MS=$((EXPIRES_MS - NOW_MS))
+DIFF_S=$((DIFF_MS / 1000))
+
+DIM='#[fg=colour245]'
+YELLOW='#[fg=yellow]'
+YELLOW_BOLD='#[fg=yellow,bold]'
+RED_BOLD='#[fg=red,bold]'
+RED_REV='#[fg=red,reverse]'
+RESET='#[default]'
+
+if [ "$DIFF_S" -le 0 ]; then
+  ELAPSED=$(( -DIFF_S ))
+  M=$((ELAPSED / 60))
+  printf '%sClaude Code auth EXPIRED %dm ago%s' "$RED_REV" "$M" "$RESET"
+elif [ "$DIFF_S" -lt 60 ]; then
+  printf '%sClaude Code auth expires in %ds%s' "$RED_BOLD" "$DIFF_S" "$RESET"
+elif [ "$DIFF_S" -lt 300 ]; then
+  M=$((DIFF_S / 60))
+  S=$((DIFF_S % 60))
+  printf '%sClaude Code auth expires in %dm %ds%s' "$RED_BOLD" "$M" "$S" "$RESET"
+elif [ "$DIFF_S" -lt 1800 ]; then
+  M=$((DIFF_S / 60))
+  printf '%sClaude Code auth expires in %dm%s' "$YELLOW_BOLD" "$M" "$RESET"
+elif [ "$DIFF_S" -lt 3600 ]; then
+  M=$((DIFF_S / 60))
+  printf '%sClaude Code auth expires in %dm%s' "$YELLOW" "$M" "$RESET"
+else
+  TOTAL_M=$((DIFF_S / 60))
+  H=$((TOTAL_M / 60))
+  M=$((TOTAL_M % 60))
+  printf '%sClaude Code auth expires in %dh %dm%s' "$DIM" "$H" "$M" "$RESET"
+fi
+SCRIPT
+
+RUN cat > /usr/local/bin/sandbox-dotfiles-link <<'SCRIPT' && chmod +x /usr/local/bin/sandbox-dotfiles-link
+#!/bin/sh
+# Mirror /dotfiles/ tree as symlinks under $HOME/, overwriting any image-baked
+# defaults. Future preferences only need to land in the host directory.
+set -eu
+
+DOTFILES_SRC=/dotfiles
+[ -d "$DOTFILES_SRC" ] || exit 0
+
+cd "$DOTFILES_SRC"
+find . -type f -print | while IFS= read -r rel; do
+  rel=${rel#./}
+  target="$HOME/$rel"
+  case "$rel" in
+    .ssh|.ssh/*|\
+    .gnupg|.gnupg/*|\
+    .claude|.claude/*|\
+    .codex|.codex/*|\
+    .gemini|.gemini/*|\
+    .config/opencode|.config/opencode/*|\
+    .local/share/opencode|.local/share/opencode/*|\
+    .host-shell-config|.host-shell-config/*|\
+    .gitconfig|.gitignore_global|.stCommitMsg|.bash_aliases)
+      continue ;;
+  esac
+
+  mkdir -p "$(dirname "$target")"
+  if [ -d "$target" ] && [ ! -L "$target" ]; then
+    printf 'sandbox-dotfiles-link: skipping %s (existing directory; use nested path like %s/<file> instead)\n' "$target" "$rel" >&2
+    continue
+  fi
+
+  ln -sfn "$DOTFILES_SRC/$rel" "$target" 2>/dev/null \
+    || printf 'sandbox-dotfiles-link: failed to link %s\n' "$target" >&2
+done
+SCRIPT
+
+RUN cat > /usr/local/bin/sandbox-tmux-entry <<'SCRIPT' && chmod +x /usr/local/bin/sandbox-tmux-entry
+#!/bin/sh
+set -eu
+
+sandbox-dotfiles-link >/dev/null || true
+
+SESSION=work
+
+if ! command -v tmux >/dev/null 2>&1; then
+  exec bash
+fi
+
+if ! tmux has-session -t "$SESSION" 2>/dev/null; then
+  exec tmux new-session -s "$SESSION"
+fi
+
+tmux list-sessions -F '#{session_name} #{session_attached}' 2>/dev/null | \
+  while read -r name attached; do
+    [ "$name" = "$SESSION" ] && continue
+    case "$name" in
+      ''|*[!0-9]*) continue ;;
+    esac
+    [ "$attached" = "0" ] && tmux kill-session -t "$name" 2>/dev/null || true
+  done
+
+exec tmux new-session -t "$SESSION"
+SCRIPT
+
 ENV LANG=en_US.UTF-8
 ENV LC_ALL=en_US.UTF-8
 ENV TERM=xterm-256color

package/lib/sandbox/shell.js

@@ -106,9 +106,9 @@ export function runVerbose(cmd, args, opts = {}) {
 
   if (result.status !== 0) {
     if (result.signal === 'SIGTERM') {
-      throw new Error(`Command timed out after ${opts.timeout ?? DEFAULT_TIMEOUT_MS}ms: ${cmd} ${args.join(' ')}`);
+      throw new Error(`Command timed out after ${opts.timeout ?? DEFAULT_TIMEOUT_MS}ms: ${cmd}`);
     }
-    throw new Error(`Command failed with exit code ${result.status}: ${cmd} ${args.join(' ')}`);
+    throw new Error(`Command failed with exit code ${result.status}: ${cmd}`);
   }
 }
 
@@ -118,5 +118,56 @@ export function runSafe(cmd, args, opts = {}) {
     ...normalizeOptions(opts, ['pipe', 'pipe', 'pipe']),
     encoding: 'utf8',
   }));
+  if (result.status !== 0 && result.stderr) {
+    process.stderr.write(result.stderr);
+  }
   return (result.stdout ?? '').trim();
 }
+
+export function commandForEngine(engine, cmd, args = []) {
+  if (engine === 'wsl2') {
+    const resolvedWrapper = resolveCommand('wsl.exe');
+    return { cmd: resolvedWrapper, args: ['--', cmd, ...args] };
+  }
+
+  return { cmd, args };
+}
+
+export function runEngine(engine, cmd, args, opts = {}) {
+  const command = commandForEngine(engine, cmd, args);
+  return run(command.cmd, command.args, opts);
+}
+
+export function execEngine(engine, cmd, args, opts = {}) {
+  const command = commandForEngine(engine, cmd, args);
+  return execFileSync(command.cmd, command.args, opts);
+}
+
+export function runOkEngine(engine, cmd, args, opts = {}) {
+  const command = commandForEngine(engine, cmd, args);
+  return runOk(command.cmd, command.args, opts);
+}
+
+export function runSafeEngine(engine, cmd, args, opts = {}) {
+  const command = commandForEngine(engine, cmd, args);
+  return runSafe(command.cmd, command.args, opts);
+}
+
+export function runVerboseEngine(engine, cmd, args, opts = {}) {
+  const command = commandForEngine(engine, cmd, args);
+  return runVerbose(command.cmd, command.args, opts);
+}
+
+export function runInteractiveEngine(engine, cmd, args, opts = {}) {
+  const command = commandForEngine(engine, cmd, args);
+  return runInteractive(command.cmd, command.args, opts);
+}
+
+export function runProbe(cmd, args, opts = {}) {
+  const { spawnFn = spawnSync, ...commandOpts } = opts;
+  const resolved = resolveCommand(cmd);
+  return spawnFn(resolved, args, commandOptions(resolved, normalizeOptions(
+    { encoding: 'utf8', ...commandOpts },
+    commandOpts.stdio ?? ['pipe', 'pipe', 'pipe']
+  )));
+}