@locusai/cli 0.22.6 → 0.22.8

package/bin/locus.js

@@ -892,6 +892,7 @@ var init_progress = __esm(() => {
 var exports_sandbox = {};
 __export(exports_sandbox, {
   resolveSandboxMode: () => resolveSandboxMode,
+  probeSymlinkSupport: () => probeSymlinkSupport,
   getProviderSandboxName: () => getProviderSandboxName,
   getModelSandboxName: () => getModelSandboxName,
   displaySandboxWarning: () => displaySandboxWarning,
@@ -1054,7 +1055,7 @@ function detectContainerWorkdir(sandboxName, hostProjectRoot) {
       }).filter((mp) => !!mp && mp !== "/" && !systemPrefixes.some((p) => mp === p || mp.startsWith(`${p}/`)));
       for (const candidate of candidates) {
         try {
-          execSync2(`docker sandbox exec ${sandboxName} sh -c "test -d ${JSON.stringify(candidate + "/.git")} || test -f ${JSON.stringify(candidate + "/package.json")}"`, { stdio: ["pipe", "pipe", "pipe"], timeout: 3000 });
+          execSync2(`docker sandbox exec ${sandboxName} sh -c "test -d ${JSON.stringify(`${candidate}/`)} || test -f ${JSON.stringify(`${candidate}/package.json`)}"`, { stdio: ["pipe", "pipe", "pipe"], timeout: 3000 });
           log.debug("Detected container workdir from mount table", {
             hostProjectRoot,
             containerWorkdir: candidate
@@ -1086,6 +1087,21 @@ function detectContainerWorkdir(sandboxName, hostProjectRoot) {
   log.debug("Could not detect container workdir, falling back to host path");
   return null;
 }
+function probeSymlinkSupport(sandboxName, workdir) {
+  const log = getLogger();
+  const probe = ".locus-symlink-probe";
+  try {
+    execSync2(`docker sandbox exec --privileged ${sandboxName} sh -c ${JSON.stringify(`cd ${JSON.stringify(workdir)} && ln -s /tmp ${probe} && rm -f ${probe}`)}`, { stdio: ["pipe", "pipe", "pipe"], timeout: 5000 });
+    log.debug("Symlink probe succeeded — bind mount supports symlinks");
+    return true;
+  } catch {
+    try {
+      execSync2(`docker sandbox exec ${sandboxName} rm -f ${JSON.stringify(`${workdir}/${probe}`)}`, { stdio: ["pipe", "pipe", "pipe"], timeout: 3000 });
+    } catch {}
+    log.debug("Symlink probe failed — bind mount does not support symlinks (ENOSYS)");
+    return false;
+  }
+}
 function waitForEnter() {
   return new Promise((resolve) => {
     const rl = createInterface({
@@ -5208,7 +5224,7 @@ async function enforceSandboxIgnore(sandboxName, projectRoot, containerWorkdir)
     ruleCount: rules.length
   });
   try {
-    await execAsync(`docker sandbox exec ${sandboxName} sh -c ${JSON.stringify(script)}`, { timeout: 15000 });
+    await execAsync(`docker sandbox exec --privileged ${sandboxName} sh -c ${JSON.stringify(script)}`, { timeout: 15000 });
     log.debug("sandbox-ignore enforcement complete", { sandboxName });
   } catch (err) {
     log.debug("sandbox-ignore enforcement failed (non-fatal)", {
@@ -5278,6 +5294,7 @@ class SandboxedClaudeRunner {
     const dockerArgs = [
       "sandbox",
       "exec",
+      "--privileged",
       "-w",
       workdir,
       this.sandboxName,
@@ -5665,6 +5682,7 @@ class SandboxedCodexRunner {
     const dockerArgs = [
       "sandbox",
       "exec",
+      "--privileged",
       "-i",
       "-w",
       workdir,
@@ -5818,11 +5836,11 @@ class SandboxedCodexRunner {
     const { exec: exec2 } = await import("node:child_process");
     const execAsync2 = promisify2(exec2);
     try {
-      await execAsync2(`docker sandbox exec ${name} which codex`, {
+      await execAsync2(`docker sandbox exec --privileged ${name} which codex`, {
         timeout: 5000
       });
     } catch {
-      await execAsync2(`docker sandbox exec ${name} npm install -g @openai/codex`, {
+      await execAsync2(`docker sandbox exec --privileged ${name} npm install -g @openai/codex`, {
         timeout: 120000
       });
     }
@@ -13150,6 +13168,14 @@ async function handleCreate(projectRoot) {
     }
   }
   const workdir = config.sandbox.containerWorkdir ?? projectRoot;
+  if (config.sandbox.noSymlinks === undefined) {
+    const symlinkOk = probeSymlinkSupport(name, workdir);
+    config.sandbox.noSymlinks = !symlinkOk;
+    if (!symlinkOk) {
+      process.stderr.write(`  ${yellow2("⚠")} Bind mount does not support symlinks — using copy-based install.
+`);
+    }
+  }
   const backup = backupIgnoredFiles(projectRoot);
   try {
     await enforceSandboxIgnore(name, projectRoot, config.sandbox.containerWorkdir);
@@ -13160,7 +13186,7 @@ async function handleCreate(projectRoot) {
   config.sandbox.enabled = true;
   config.sandbox.providers = readySandboxes;
   saveConfig(projectRoot, config);
-  await runSandboxSetup(name, projectRoot, workdir);
+  await runSandboxSetup(name, projectRoot, config.sandbox.containerWorkdir, config.sandbox.noSymlinks);
   process.stderr.write(`
 ${green("✓")} Sandbox mode enabled for ${bold2(provider)}.
 `);
@@ -13369,6 +13395,7 @@ async function handleInstall(projectRoot, args) {
     const ok = await runInteractiveCommand("docker", [
       "sandbox",
       "exec",
+      "--privileged",
       sandboxName,
       "npm",
       "install",
@@ -13511,10 +13538,10 @@ function detectPackageManager2(projectRoot) {
   }
   return "npm";
 }
-function getInstallCommand(pm, noSymlinks) {
+function getInstallCommand(pm) {
   switch (pm) {
     case "bun":
-      return noSymlinks ? ["bun", "install", "--backend=copyfile"] : ["bun", "install"];
+      return ["bun", "install"];
     case "yarn":
       return ["yarn", "install"];
     case "pnpm":
@@ -13523,7 +13550,79 @@ function getInstallCommand(pm, noSymlinks) {
       return ["npm", "install"];
   }
 }
-async function runSandboxSetup(sandboxName, projectRoot, containerWorkdir) {
+function verifyBinEntries(sandboxName, workdir) {
+  try {
+    const binDir = `${workdir}/node_modules/.bin/`;
+    const result = execSync20(`docker sandbox exec --privileged ${sandboxName} sh -c ${JSON.stringify(`ls ${JSON.stringify(binDir)} 2>/dev/null | head -20`)}`, { encoding: "utf-8", stdio: ["pipe", "pipe", "pipe"], timeout: 5000 }).trim();
+    if (!result) {
+      process.stderr.write(`${yellow2("⚠")} node_modules/.bin is empty — binaries like biome may not be available.
+`);
+      process.stderr.write(`  ${dim2("This can happen if symlink dereferencing failed during install.")}
+`);
+      return;
+    }
+    const bins = result.split(`
+`).map((b) => b.trim());
+    const knownBins = ["biome", "tsc", "jest"];
+    const missing = knownBins.filter((b) => !bins.some((entry) => entry === b));
+    if (missing.length > 0) {
+      process.stderr.write(`  ${dim2(`Note: ${missing.join(", ")} not found in .bin (may not be a project dependency).`)}
+`);
+    }
+  } catch {}
+}
+function buildNoSymlinksInstallScript(workdir, pm) {
+  const installCmd = getInstallCommand(pm).join(" ");
+  return [
+    "set -e",
+    'TMPDIR="/tmp/locus-deps-install"',
+    `WORKDIR="${workdir}"`,
+    "",
+    "# Clean previous attempt",
+    'rm -rf "$TMPDIR"',
+    'mkdir -p "$TMPDIR"',
+    'cd "$WORKDIR"',
+    "",
+    "# Copy all package.json files (preserving workspace directory structure)",
+    'find . -name package.json -not -path "*/node_modules/*" -not -path "./.git/*" | while read f; do',
+    '  mkdir -p "$TMPDIR/$(dirname "$f")"',
+    '  cp "$f" "$TMPDIR/$f"',
+    "done",
+    "",
+    "# Copy lockfiles and config files that affect installation",
+    "for lf in bun.lock bun.lockb yarn.lock pnpm-lock.yaml package-lock.json; do",
+    '  [ -f "$WORKDIR/$lf" ] && cp "$WORKDIR/$lf" "$TMPDIR/$lf" || true',
+    "done",
+    "for cf in bunfig.toml .npmrc .yarnrc .yarnrc.yml .pnpmfile.cjs pnpm-workspace.yaml; do",
+    '  [ -f "$WORKDIR/$cf" ] && cp "$WORKDIR/$cf" "$TMPDIR/$cf" || true',
+    "done",
+    "",
+    "# Install on native filesystem (symlinks work here)",
+    'cd "$TMPDIR"',
+    `${installCmd}`,
+    "",
+    "# Copy node_modules back to bind mount, dereferencing all symlinks.",
+    "# -L follows symlinks so they become regular files/dirs on the bind mount.",
+    "# maxdepth 5 covers root + nested workspace packages",
+    'find "$TMPDIR" -maxdepth 5 -name node_modules -type d | while read nm; do',
+    '  rel="${nm#$TMPDIR/}"',
+    '  dest="$WORKDIR/$rel"',
+    '  rm -rf "$dest"',
+    "  # cp -rL dereferences symlinks; fall back to cp -rH if -L is unsupported",
+    '  cp -rL "$nm" "$dest" 2>/dev/null || cp -rH "$nm" "$dest" 2>/dev/null || cp -r "$nm" "$dest"',
+    "done",
+    "",
+    "# Ensure .bin entries are executable (some cp implementations drop +x)",
+    'if [ -d "$WORKDIR/node_modules/.bin" ]; then',
+    '  chmod +x "$WORKDIR/node_modules/.bin/"* 2>/dev/null || true',
+    "fi",
+    "",
+    "# Cleanup",
+    'rm -rf "$TMPDIR"'
+  ].join(`
+`);
+}
+async function runSandboxSetup(sandboxName, projectRoot, containerWorkdir, noSymlinks) {
   const workdir = containerWorkdir ?? projectRoot;
   const ecosystem = detectProjectEcosystem(projectRoot);
   const isJS = isJavaScriptEcosystem(ecosystem);
@@ -13532,18 +13631,37 @@ async function runSandboxSetup(sandboxName, projectRoot, containerWorkdir) {
     if (pm !== "npm") {
       await ensurePackageManagerInSandbox(sandboxName, pm);
     }
-    const installCmd = getInstallCommand(pm, !!containerWorkdir);
-    process.stderr.write(`
+    let installOk;
+    if (noSymlinks) {
+      const installCmd = getInstallCommand(pm);
+      process.stderr.write(`
+Installing dependencies (${bold2(installCmd.join(" "))}, symlink-free) in sandbox ${dim2(sandboxName)}...
+`);
+      const script = buildNoSymlinksInstallScript(workdir, pm);
+      installOk = await runInteractiveCommand("docker", [
+        "sandbox",
+        "exec",
+        "--privileged",
+        sandboxName,
+        "sh",
+        "-c",
+        script
+      ]);
+    } else {
+      const installCmd = getInstallCommand(pm);
+      process.stderr.write(`
 Installing dependencies (${bold2(installCmd.join(" "))}) in sandbox ${dim2(sandboxName)}...
 `);
-    const installOk = await runInteractiveCommand("docker", [
-      "sandbox",
-      "exec",
-      "-w",
-      workdir,
-      sandboxName,
-      ...installCmd
-    ]);
+      installOk = await runInteractiveCommand("docker", [
+        "sandbox",
+        "exec",
+        "--privileged",
+        "-w",
+        workdir,
+        sandboxName,
+        ...installCmd
+      ]);
+    }
     if (!installOk) {
       process.stderr.write(`${red2("✗")} Dependency install failed in sandbox ${dim2(sandboxName)}.
 `);
@@ -13551,6 +13669,7 @@ Installing dependencies (${bold2(installCmd.join(" "))}) in sandbox ${dim2(sandb
     }
     process.stderr.write(`${green("✓")} Dependencies installed in sandbox ${dim2(sandboxName)}.
 `);
+    verifyBinEntries(sandboxName, workdir);
   } else {
     process.stderr.write(`
 ${dim2(`Detected ${ecosystem} project — skipping JS package install.`)}
@@ -13564,6 +13683,7 @@ ${dim2(`Detected ${ecosystem} project — skipping JS package install.`)}
     const hookOk = await runInteractiveCommand("docker", [
       "sandbox",
       "exec",
+      "--privileged",
       "-w",
       workdir,
       sandboxName,
@@ -13599,7 +13719,7 @@ async function handleSetup(projectRoot) {
 `);
       continue;
     }
-    await runSandboxSetup(sandboxName, projectRoot, config.sandbox.containerWorkdir);
+    await runSandboxSetup(sandboxName, projectRoot, config.sandbox.containerWorkdir, config.sandbox.noSymlinks);
   }
 }
 function buildProviderSandboxNames(projectRoot) {
@@ -13661,7 +13781,7 @@ async function createProviderSandbox(provider, sandboxName, projectRoot) {
 }
 async function ensurePackageManagerInSandbox(sandboxName, pm) {
   try {
-    execSync20(`docker sandbox exec ${sandboxName} which ${pm}`, {
+    execSync20(`docker sandbox exec --privileged ${sandboxName} which ${pm}`, {
       stdio: ["pipe", "pipe", "pipe"],
       timeout: 5000
     });
@@ -13670,7 +13790,7 @@ async function ensurePackageManagerInSandbox(sandboxName, pm) {
     process.stderr.write(`Installing ${bold2(pm)} in sandbox...
 `);
     try {
-      execSync20(`docker sandbox exec ${sandboxName} npm install -g ${npmPkg}`, {
+      execSync20(`docker sandbox exec --privileged ${sandboxName} npm install -g ${npmPkg}`, {
         stdio: "inherit",
         timeout: 120000
       });
@@ -13682,7 +13802,7 @@ async function ensurePackageManagerInSandbox(sandboxName, pm) {
 }
 async function ensureCodexInSandbox(sandboxName) {
   try {
-    execSync20(`docker sandbox exec ${sandboxName} which codex`, {
+    execSync20(`docker sandbox exec --privileged ${sandboxName} which codex`, {
       stdio: ["pipe", "pipe", "pipe"],
       timeout: 5000
     });
@@ -13690,7 +13810,7 @@ async function ensureCodexInSandbox(sandboxName) {
     process.stderr.write(`Installing codex in sandbox...
 `);
     try {
-      execSync20(`docker sandbox exec ${sandboxName} npm install -g @openai/codex`, { stdio: "inherit", timeout: 120000 });
+      execSync20(`docker sandbox exec --privileged ${sandboxName} npm install -g @openai/codex`, { stdio: "inherit", timeout: 120000 });
     } catch {
       process.stderr.write(`${red2("✗")} Failed to install codex in sandbox.
 `);

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@locusai/cli",
-  "version": "0.22.6",
+  "version": "0.22.8",
   "description": "GitHub-native AI engineering assistant",
   "type": "module",
   "bin": {
@@ -36,7 +36,7 @@
   "license": "MIT",
   "dependencies": {},
   "devDependencies": {
-    "@locusai/sdk": "^0.22.6",
+    "@locusai/sdk": "^0.22.8",
     "@types/bun": "latest",
     "typescript": "^5.8.3"
   },