npm - @kokorolx/ai-sandbox-wrapper - Versions diffs - 3.0.1 → 3.0.3 - Mend

@kokorolx/ai-sandbox-wrapper 3.0.1 → 3.0.3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (5) hide show

package/README.md +4 -0
package/bin/ai-run +94 -4
package/dockerfiles/base/Dockerfile +1 -0
package/dockerfiles/sandbox/Dockerfile +1 -0
package/package.json +1 -1

package/README.md CHANGED Viewed

@@ -198,6 +198,10 @@ When running nano-brain inside the sandbox, `ai-run` performs a targeted preflig
 It also suppresses known **non-fatal** tree-sitter symbol-graph warnings when the command succeeds, so normal query output stays clean. To see suppressed diagnostics, run with debug mode (`AI_RUN_DEBUG=1`).
+This behavior applies to both:
+- direct mode (`ai-run npx nano-brain ...`)
+- interactive shell mode (`ai-run`, then run `npx nano-brain ...` inside the container shell)
 ```bash
 # Auto-repair enabled by default
 ai-run npx nano-brain status

package/bin/ai-run CHANGED Viewed

@@ -701,6 +701,7 @@ get_installed_tools() {
 # Tool config persistence via bind mounts
 # Bind-mount host paths directly to ensure changes persist to the host.
 TOOL_CONFIG_MOUNTS=""
+RG_COMPAT_MOUNT=""
 mount_tool_config() {
   local host_path="$1"
@@ -724,6 +725,32 @@ for tool in $(get_installed_tools); do
   done
 done
+setup_opencode_rg_compat() {
+  [[ "$TOOL" != "opencode" ]] && return 0
+  local bundled_rg="$HOME/.local/share/opencode/bin/rg"
+  local rg_shim_path="$SANDBOX_DIR/shared/rg-linux-shim"
+  [[ -f "$bundled_rg" ]] || return 0
+  command -v file &>/dev/null || return 0
+  local rg_file_info
+  rg_file_info=$(file -b "$bundled_rg" 2>/dev/null || true)
+  if echo "$rg_file_info" | grep -qi "Mach-O"; then
+    mkdir -p "$(dirname "$rg_shim_path")"
+    cat > "$rg_shim_path" << 'EOF'
+#!/usr/bin/env bash
+exec /usr/bin/rg "$@"
+EOF
+    chmod +x "$rg_shim_path"
+    RG_COMPAT_MOUNT="-v $rg_shim_path:/home/agent/.local/share/opencode/bin/rg:ro"
+    echo "⚠️  Detected incompatible OpenCode bundled rg (Mach-O). Using /usr/bin/rg in container."
+  fi
+}
+setup_opencode_rg_compat
 # Bundle OpenCode default skills (if opencode is installed)
 if get_installed_tools | grep -qw "opencode"; then
   AIRUN_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
@@ -756,11 +783,12 @@ if [[ -d "$HOST_SKILLS_DIR" ]]; then
   SHARED_CACHE_MOUNTS="$SHARED_CACHE_MOUNTS -v $HOST_SKILLS_DIR:/home/agent/.config/opencode/skills:ro"
 fi
-# Nano-brain mount disabled to prevent SQLite conflicts between host and container
-# All tools should use the MCP interface to interact with nano-brain on the host
+# Nano-brain read-only mount
+# Exposes logs/index/sqlite files to container while preventing writes
+NANO_BRAIN_MOUNT=""
 if [[ -d "$HOME/.nano-brain" ]]; then
-  echo "ℹ️  Skipping .nano-brain mount to prevent SQLite database corruption"
-  echo "   Use MCP interface for nano-brain access instead of direct CLI"
+  NANO_BRAIN_MOUNT="-v $HOME/.nano-brain:/home/agent/.nano-brain:ro"
+  echo "ℹ️  Mounted .nano-brain as read-only at /home/agent/.nano-brain"
 fi
@@ -2230,6 +2258,7 @@ if [[ "${AI_RUN_DEBUG:-}" == "1" ]]; then
   echo "🔧 Debug: PORT_MAPPINGS='$PORT_MAPPINGS'"
   echo "🔧 Debug: WEB_DETECTED='$WEB_DETECTED'"
   echo "🔧 Debug: EXPOSE_PORTS_LIST='$EXPOSE_PORTS_LIST'"
+  echo "🔧 Debug: RG_COMPAT_MOUNT='$RG_COMPAT_MOUNT'"
 fi
 is_nano_brain_command() {
@@ -2299,6 +2328,61 @@ run_with_capture() {
 run_with_capture
 '
+NANO_BRAIN_SHELL_HOOK=$(cat <<'EOF'
+nano_brain_shell_wrapper() {
+  local ORIG_CMD=("$@")
+  local REPAIR_PATTERN="(tree-sitter|native binding|Cannot find module.*tree-sitter|compiled against a different Node.js version|Exec format error|invalid ELF header|Native bindings not available)"
+  local WARN_PATTERN="(\\[treesitter\\] Native bindings not available|symbol graph disabled|tree-sitter-typescript\\.node|No such file or directory)"
+  local err_file
+  err_file=$(mktemp)
+  set +e
+  "${ORIG_CMD[@]}" 2>"$err_file"
+  local exit_code=$?
+  set -e
+  if [[ $exit_code -ne 0 ]] && grep -Eqi "$REPAIR_PATTERN" "$err_file"; then
+    cat "$err_file" >&2
+    echo "⚠️  Detected nano-brain native module issue."
+    echo "🔧 Running automatic repair (clearing npx/node-gyp caches)..."
+    rm -rf /home/agent/.npm/_npx /home/agent/.cache/node-gyp 2>/dev/null || true
+    npm cache clean --force >/dev/null 2>&1 || true
+    echo "🔁 Retrying nano-brain command once..."
+    "${ORIG_CMD[@]}"
+    local retry_code=$?
+    rm -f "$err_file"
+    return $retry_code
+  fi
+  if [[ $exit_code -eq 0 ]] && grep -Eqi "$WARN_PATTERN" "$err_file"; then
+    if [[ "${AI_RUN_DEBUG:-}" == "1" ]]; then
+      echo "ℹ️  nano-brain: non-fatal tree-sitter warning captured." >&2
+      cat "$err_file" >&2
+    else
+      grep -Eiv "$WARN_PATTERN" "$err_file" >&2 || true
+    fi
+    rm -f "$err_file"
+    return 0
+  fi
+  cat "$err_file" >&2
+  rm -f "$err_file"
+  return $exit_code
+}
+npx() {
+  if [[ "${1:-}" == "nano-brain" ]]; then
+    nano_brain_shell_wrapper command npx "$@"
+    return $?
+  fi
+  command npx "$@"
+}
+export -f nano_brain_shell_wrapper npx
+EOF
+)
 # Prepare command based on mode
 ENTRYPOINT_OVERRIDE=""
 if [[ -n "$TOOL" && "$SHELL_MODE" != "true" ]]; then
@@ -2332,6 +2416,10 @@ else
 fi
 # Nano-brain targeted preflight + auto-repair wrapper
+if [[ "$SHELL_MODE" == "true" ]] && [[ "$NANO_BRAIN_AUTO_REPAIR" == "true" ]] && [[ "${DOCKER_COMMAND[0]:-}" == "-c" ]]; then
+  DOCKER_COMMAND[1]="$NANO_BRAIN_SHELL_HOOK ${DOCKER_COMMAND[1]}"
+fi
 if [[ "$SHELL_MODE" != "true" ]] && is_nano_brain_command; then
   if [[ "$NANO_BRAIN_AUTO_REPAIR" == "true" ]]; then
     ENTRYPOINT_OVERRIDE="--entrypoint bash"
@@ -2457,6 +2545,7 @@ docker run $CONTAINER_NAME --rm $TTY_FLAGS \
   $VOLUME_MOUNTS \
   $CONFIG_MOUNT \
   $TOOL_CONFIG_MOUNTS \
+  $RG_COMPAT_MOUNT \
   $GIT_MOUNTS \
   $SSH_AGENT_ENV \
   $NETWORK_OPTIONS \
@@ -2466,6 +2555,7 @@ docker run $CONTAINER_NAME --rm $TTY_FLAGS \
   $OPENCODE_PASSWORD_ENV \
   -v "$HOME_DIR":/home/agent \
   $SHARED_CACHE_MOUNTS \
+  $NANO_BRAIN_MOUNT \
   -w "$CURRENT_DIR" \
   --env-file "$ENV_FILE" \
   -e TERM="$TERM" \

package/dockerfiles/base/Dockerfile CHANGED Viewed

@@ -90,6 +90,7 @@ RUN mkdir -p /opt/playwright-browsers && \
 ENV CHROME_DEVTOOLS_MCP_NO_USAGE_STATISTICS=1
 RUN npm install -g chrome-devtools-mcp@latest && \
     touch /opt/.mcp-chrome-devtools-installed
+RUN touch /opt/.mcp-playwright-installed
 # Create workspace
 WORKDIR /workspace

package/dockerfiles/sandbox/Dockerfile CHANGED Viewed

@@ -90,6 +90,7 @@ RUN mkdir -p /opt/playwright-browsers && \
 ENV CHROME_DEVTOOLS_MCP_NO_USAGE_STATISTICS=1
 RUN npm install -g chrome-devtools-mcp@latest && \
     touch /opt/.mcp-chrome-devtools-installed
+RUN touch /opt/.mcp-playwright-installed
 # Create workspace
 WORKDIR /workspace

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@kokorolx/ai-sandbox-wrapper",
-  "version": "3.0.1",
+  "version": "3.0.3",
   "description": "Docker-based security sandbox for AI coding agents. Isolate Claude, Gemini, Aider, and other AI tools from your host system.",
   "keywords": [
     "ai",