@opencode-cloud/core 12.0.2 → 13.0.1

package/Cargo.toml

@@ -1,6 +1,6 @@
 [package]
 name = "opencode-cloud-core"
-version = "12.0.2"
+version = "13.0.1"
 edition = "2024"
 rust-version = "1.89"
 license = "MIT"
@@ -23,11 +23,11 @@ napi = ["dep:napi", "dep:napi-derive"]
 
 [dependencies]
 clap = { version = "4.5", features = ["derive"] }
-tokio = { version = "1.43", features = ["rt-multi-thread", "macros"] }
+tokio = { version = "1.49", features = ["rt-multi-thread", "macros"] }
 serde = { version = "1.0", features = ["derive"] }
 serde_json = "1.0"
 jsonc-parser = { version = "0.29", features = ["serde"] }
-directories = "5"
+directories = "6"
 thiserror = "2"
 anyhow = "1"
 tracing = "0.1"
@@ -35,25 +35,25 @@ console = "0.16"
 chrono = { version = "0.4", default-features = false, features = ["std", "clock"] }
 
 # NAPI dependencies (optional - only for Node bindings)
-napi = { version = "2", features = ["tokio_rt", "napi9"], optional = true }
-napi-derive = { version = "2", optional = true }
+napi = { version = "3", features = ["tokio_rt", "napi9"], optional = true }
+napi-derive = { version = "3", optional = true }
 
 # Docker integration
-bollard = { version = "0.18", features = ["chrono", "buildkit"] }
+bollard = { version = "0.20.1", features = ["chrono", "buildkit"] }
 futures-util = "0.3"
 tar = "0.4"
-flate2 = "1.0"
+flate2 = "1.1"
 tokio-retry = "0.3"
-indicatif = { version = "0.17", features = ["tokio", "futures"] }
+indicatif = { version = "0.18", features = ["tokio", "futures"] }
 http-body-util = "0.1"
-bytes = "1.9"
-reqwest = { version = "0.12", default-features = false, features = ["rustls-tls", "json"] }
+bytes = "1.11"
+reqwest = { version = "0.13", default-features = false, features = ["rustls", "webpki-roots", "json"] }
 
 # Platform service management (macOS)
 plist = "1.8"
 
 # Host management
-whoami = "1.5"
+whoami = "2.1"
 ssh2-config-rs = "0.7.2"
 dirs = "6"
 

package/README.md

@@ -5,6 +5,7 @@
 [![crates.io](https://img.shields.io/crates/v/opencode-cloud.svg)](https://crates.io/crates/opencode-cloud)
 [![GHCR](https://img.shields.io/badge/ghcr.io-sandbox-blue?logo=github)](https://github.com/pRizz/opencode-cloud/pkgs/container/opencode-cloud-sandbox)
 [![Docker Hub](https://img.shields.io/docker/v/prizz/opencode-cloud-sandbox?label=docker&sort=semver)](https://hub.docker.com/r/prizz/opencode-cloud-sandbox)
+[![Docker Pulls](https://img.shields.io/docker/pulls/prizz/opencode-cloud-sandbox)](https://hub.docker.com/r/prizz/opencode-cloud-sandbox)
 [![docs.rs](https://docs.rs/opencode-cloud/badge.svg)](https://docs.rs/opencode-cloud)
 [![MSRV](https://img.shields.io/badge/MSRV-1.85-blue.svg)](https://blog.rust-lang.org/2025/02/20/Rust-1.85.0.html)
 [![License: MIT](https://img.shields.io/badge/License-MIT-yellow.svg)](https://opensource.org/licenses/MIT)

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@opencode-cloud/core",
-  "version": "12.0.2",
+  "version": "13.0.1",
   "description": "Core NAPI bindings for opencode-cloud (internal package)",
   "main": "index.js",
   "types": "index.d.ts",

package/src/docker/Dockerfile

@@ -71,7 +71,6 @@ RUN --mount=type=cache,target=/var/lib/apt/lists \
     systemd-sysv=257.* \
     dbus=1.16.* \
     # Shell and terminal
-    zsh=5.9-* \
     tmux=3.5a-* \
     # Editors
     vim=2:9.1.* \
@@ -155,7 +154,7 @@ RUN --mount=type=cache,target=/var/lib/apt/lists \
 # Create Non-Root User
 # -----------------------------------------------------------------------------
 # Create 'opencode' user with passwordless sudo
-RUN useradd -m -s /bin/zsh -G sudo opencode \
+RUN useradd -m -s /bin/bash -G sudo opencode \
     && echo "opencode ALL=(ALL) NOPASSWD:ALL" > /etc/sudoers.d/opencode \
     && chmod 0440 /etc/sudoers.d/opencode
 
@@ -176,27 +175,23 @@ RUN mkdir -p \
 ENV PATH="/home/opencode/.local/bin:${PATH}"
 
 # -----------------------------------------------------------------------------
-# Shell Setup: Zsh + Oh My Zsh + Starship
+# Shell Setup: Bash + Starship
 # -----------------------------------------------------------------------------
-# Oh My Zsh - self-managing installer, trusted to handle versions
-# Disabled temporarily to reduce Docker build time.
-# RUN sh -c "$(curl -fsSL https://raw.githubusercontent.com/ohmyzsh/ohmyzsh/master/tools/install.sh)" "" --unattended
-
 # Starship prompt - self-managing installer, trusted to handle versions
 # Disabled temporarily to reduce Docker build time.
 # RUN curl -sS https://starship.rs/install.sh | sh -s -- --yes --bin-dir /home/opencode/.local/bin
 
-# Configure zsh with starship
+# Configure bash with starship
 # Disabled temporarily to reduce Docker build time.
-# RUN echo 'eval "$(starship init zsh)"' >> /home/opencode/.zshrc \
-#     && echo 'export PATH="/home/opencode/.local/bin:$PATH"' >> /home/opencode/.zshrc
+# RUN echo 'eval "$(starship init bash)"' >> /home/opencode/.bashrc \
+#     && echo 'export PATH="/home/opencode/.local/bin:$PATH"' >> /home/opencode/.bashrc
 
 # -----------------------------------------------------------------------------
 # mise: Universal Version Manager
 # -----------------------------------------------------------------------------
 # mise - self-managing installer, trusted to handle versions
 RUN curl https://mise.run | sh \
-    && echo 'eval "$(/home/opencode/.local/bin/mise activate zsh)"' >> /home/opencode/.zshrc
+    && echo 'eval "$(/home/opencode/.local/bin/mise activate bash)"' >> /home/opencode/.bashrc
 
 # Install language runtimes via mise (2026-02-03)
 # - node@25: pinned to major version
@@ -306,7 +301,7 @@ RUN mkdir -p /home/opencode/.cargo/registry /home/opencode/.cargo/git \
 # RUN apt-get update && apt-get install -y --no-install-recommends direnv=2.32.* \
 #     && rm -rf /var/lib/apt/lists/*
 # USER opencode
-# RUN echo 'eval "$(direnv hook zsh)"' >> /home/opencode/.zshrc
+# RUN echo 'eval "$(direnv hook bash)"' >> /home/opencode/.bashrc
 
 # Install HTTPie
 # Disabled temporarily to reduce Docker build time.
@@ -508,10 +503,10 @@ RUN printf '%s\n' \
     'alias d="docker"' \
     'alias dc="docker compose"' \
     '' \
-    >> /home/opencode/.zshrc
+    >> /home/opencode/.bashrc
 
 # Set up pipx path
-RUN echo 'export PATH="/home/opencode/.local/bin:$PATH"' >> /home/opencode/.zshrc
+RUN echo 'export PATH="/home/opencode/.local/bin:$PATH"' >> /home/opencode/.bashrc
 
 # -----------------------------------------------------------------------------
 # Stage 2: opencode build
@@ -540,7 +535,7 @@ USER opencode
 # commit on the main branch of https://github.com/pRizz/opencode.
 # Update it by running: ./scripts/update-opencode-commit.sh
 # Build opencode from source (BuildKit cache mounts disabled for now)
-RUN OPENCODE_COMMIT="cfe79755427fd8d3b94be76e1c7912bdc943a8ab" \
+RUN OPENCODE_COMMIT="ce0a5f0f2a8abfb9a00e335a41e7cfd3487dbb18" \
     && rm -rf /tmp/opencode-repo \
     && git clone --depth 1 https://github.com/pRizz/opencode.git /tmp/opencode-repo \
     && cd /tmp/opencode-repo \

package/src/docker/container.rs

@@ -10,9 +10,9 @@ use super::volume::{
     VOLUME_CACHE, VOLUME_CONFIG, VOLUME_PROJECTS, VOLUME_SESSION, VOLUME_STATE, VOLUME_USERS,
 };
 use super::{DockerClient, DockerError};
-use bollard::container::{
-    Config, CreateContainerOptions, RemoveContainerOptions, StartContainerOptions,
-    StopContainerOptions,
+use bollard::models::ContainerCreateBody;
+use bollard::query_parameters::{
+    CreateContainerOptions, RemoveContainerOptions, StartContainerOptions, StopContainerOptions,
 };
 use bollard::service::{
     HostConfig, Mount, MountPointTypeEnum, MountTypeEnum, PortBinding, PortMap,
@@ -155,11 +155,10 @@ pub async fn create_container(
         );
     }
 
-    // Create exposed ports map
-    let mut exposed_ports = HashMap::new();
-    exposed_ports.insert("3000/tcp".to_string(), HashMap::new());
+    // Create exposed ports list (bollard v0.20+ uses Vec<String>)
+    let mut exposed_ports = vec!["3000/tcp".to_string()];
     if cockpit_enabled_val {
-        exposed_ports.insert("9090/tcp".to_string(), HashMap::new());
+        exposed_ports.push("9090/tcp".to_string());
     }
 
     // Create host config
@@ -197,6 +196,9 @@ pub async fn create_container(
             mounts: Some(mounts),
             port_bindings: Some(port_bindings),
             auto_remove: Some(false),
+            // CAP_SETUID and CAP_SETGID required for opencode-broker to spawn
+            // PTY processes as different users via setuid/setgid syscalls
+            cap_add: Some(vec!["SETUID".to_string(), "SETGID".to_string()]),
             ..Default::default()
         }
     };
@@ -221,8 +223,8 @@ pub async fn create_container(
     }
     let final_env = if env.is_empty() { None } else { Some(env) };
 
-    // Create container config
-    let config = Config {
+    // Create container config (bollard v0.20+ uses ContainerCreateBody)
+    let config = ContainerCreateBody {
         image: Some(image_name.to_string()),
         hostname: Some(CONTAINER_NAME.to_string()),
         working_dir: Some("/home/opencode/workspace".to_string()),
@@ -234,8 +236,8 @@ pub async fn create_container(
 
     // Create container
     let options = CreateContainerOptions {
-        name: container_name,
-        platform: None,
+        name: Some(container_name.to_string()),
+        platform: String::new(),
     };
 
     let response = client
@@ -263,7 +265,7 @@ pub async fn start_container(client: &DockerClient, name: &str) -> Result<(), Do
 
     client
         .inner()
-        .start_container(name, None::<StartContainerOptions<String>>)
+        .start_container(name, None::<StartContainerOptions>)
         .await
         .map_err(|e| DockerError::Container(format!("Failed to start container {name}: {e}")))?;
 
@@ -282,10 +284,13 @@ pub async fn stop_container(
     name: &str,
     timeout_secs: Option<i64>,
 ) -> Result<(), DockerError> {
-    let timeout = timeout_secs.unwrap_or(10);
+    let timeout = timeout_secs.unwrap_or(10) as i32;
     debug!("Stopping container {} with {}s timeout", name, timeout);
 
-    let options = StopContainerOptions { t: timeout };
+    let options = StopContainerOptions {
+        signal: None,
+        t: Some(timeout),
+    };
 
     client
         .inner()

package/src/docker/error.rs

@@ -34,6 +34,10 @@ pub enum DockerError {
     #[error("Docker pull failed: {0}")]
     Pull(String),
 
+    /// Image operation failed
+    #[error("Docker image operation failed: {0}")]
+    Image(String),
+
     /// Container operation failed
     #[error("Container operation failed: {0}")]
     Container(String),

package/src/docker/image.rs

@@ -7,14 +7,18 @@ use super::progress::ProgressReporter;
 use super::{
     DOCKERFILE, DockerClient, DockerError, IMAGE_NAME_DOCKERHUB, IMAGE_NAME_GHCR, IMAGE_TAG_DEFAULT,
 };
-use bollard::image::{BuildImageOptions, BuilderVersion, CreateImageOptions};
 use bollard::moby::buildkit::v1::StatusResponse as BuildkitStatusResponse;
 use bollard::models::BuildInfoAux;
+use bollard::query_parameters::{
+    BuildImageOptions, BuilderVersion, CreateImageOptions, ListImagesOptionsBuilder,
+    RemoveImageOptionsBuilder,
+};
 use bytes::Bytes;
 use flate2::Compression;
 use flate2::write::GzEncoder;
 use futures_util::StreamExt;
-use std::collections::{HashMap, VecDeque};
+use http_body_util::{Either, Full};
+use std::collections::{HashMap, HashSet, VecDeque};
 use std::env;
 use std::time::{SystemTime, UNIX_EPOCH};
 use tar::Builder as TarBuilder;
@@ -66,6 +70,80 @@ pub async fn image_exists(
     }
 }
 
+/// Remove all images whose tags or digests contain the provided name fragment
+///
+/// Returns the number of image references removed.
+pub async fn remove_images_by_name(
+    client: &DockerClient,
+    name_fragment: &str,
+    force: bool,
+) -> Result<usize, DockerError> {
+    debug!("Removing Docker images matching '{name_fragment}'");
+
+    let images = list_docker_images(client).await?;
+
+    let references = collect_image_references(&images, name_fragment);
+    remove_image_references(client, references, force).await
+}
+
+/// List all local Docker images (including intermediate layers).
+async fn list_docker_images(
+    client: &DockerClient,
+) -> Result<Vec<bollard::models::ImageSummary>, DockerError> {
+    let list_options = ListImagesOptionsBuilder::new().all(true).build();
+    client
+        .inner()
+        .list_images(Some(list_options))
+        .await
+        .map_err(|e| DockerError::Image(format!("Failed to list images: {e}")))
+}
+
+/// Collect tags and digests that contain the provided name fragment.
+fn collect_image_references(
+    images: &[bollard::models::ImageSummary],
+    name_fragment: &str,
+) -> HashSet<String> {
+    let mut references = HashSet::new();
+    for image in images {
+        for tag in &image.repo_tags {
+            if tag != "<none>:<none>" && tag.contains(name_fragment) {
+                references.insert(tag.to_string());
+            }
+        }
+
+        for digest in &image.repo_digests {
+            if digest.contains(name_fragment) {
+                references.insert(digest.to_string());
+            }
+        }
+    }
+    references
+}
+
+/// Remove image references (tags/digests), returning the number removed.
+async fn remove_image_references(
+    client: &DockerClient,
+    references: HashSet<String>,
+    force: bool,
+) -> Result<usize, DockerError> {
+    if references.is_empty() {
+        return Ok(0);
+    }
+
+    let remove_options = RemoveImageOptionsBuilder::new().force(force).build();
+    let mut removed = 0usize;
+    for reference in references {
+        client
+            .inner()
+            .remove_image(&reference, Some(remove_options.clone()), None)
+            .await
+            .map_err(|e| DockerError::Image(format!("Failed to remove image {reference}: {e}")))?;
+        removed += 1;
+    }
+
+    Ok(removed)
+}
+
 /// Build the opencode image from embedded Dockerfile
 ///
 /// Shows real-time build progress with streaming output.
@@ -103,18 +181,20 @@ pub async fn build_image(
     );
     let build_args = build_args.unwrap_or_default();
     let options = BuildImageOptions {
-        t: full_name.clone(),
+        t: Some(full_name.clone()),
         dockerfile: "Dockerfile".to_string(),
         version: BuilderVersion::BuilderBuildKit,
         session: Some(session_id),
         rm: true,
         nocache: no_cache,
-        buildargs: build_args,
+        buildargs: Some(build_args),
+        platform: String::new(),
+        target: String::new(),
         ..Default::default()
     };
 
     // Create build body from context
-    let body = Bytes::from(context);
+    let body: Either<Full<Bytes>, _> = Either::Left(Full::new(Bytes::from(context)));
 
     // Start build with streaming output
     let mut stream = client.inner().build_image(options, None, Some(body));
@@ -137,10 +217,12 @@ pub async fn build_image(
 
         handle_stream_message(&info, progress, &mut log_state);
 
-        if let Some(error_msg) = info.error {
-            progress.abandon_all(&error_msg);
+        if let Some(error_detail) = &info.error_detail
+            && let Some(error_msg) = &error_detail.message
+        {
+            progress.abandon_all(error_msg);
             let context = format_build_error_with_context(
-                &error_msg,
+                error_msg,
                 &log_state.recent_logs,
                 &log_state.error_logs,
                 &log_state.recent_buildkit_logs,
@@ -620,8 +702,9 @@ async fn do_pull(
     let full_name = format!("{image}:{tag}");
 
     let options = CreateImageOptions {
-        from_image: image,
-        tag,
+        from_image: Some(image.to_string()),
+        tag: Some(tag.to_string()),
+        platform: String::new(),
         ..Default::default()
     };
 
@@ -634,9 +717,11 @@ async fn do_pull(
         match result {
             Ok(info) => {
                 // Handle errors from the stream
-                if let Some(error_msg) = info.error {
-                    progress.abandon_all(&error_msg);
-                    return Err(DockerError::Pull(error_msg));
+                if let Some(error_detail) = &info.error_detail
+                    && let Some(error_msg) = &error_detail.message
+                {
+                    progress.abandon_all(error_msg);
+                    return Err(DockerError::Pull(error_msg.to_string()));
                 }
 
                 // Handle layer progress

package/src/docker/mod.rs

@@ -42,7 +42,7 @@ pub use health::{
 pub use dockerfile::{DOCKERFILE, IMAGE_NAME_DOCKERHUB, IMAGE_NAME_GHCR, IMAGE_TAG_DEFAULT};
 
 // Image operations
-pub use image::{build_image, image_exists, pull_image};
+pub use image::{build_image, image_exists, pull_image, remove_images_by_name};
 
 // Update operations
 pub use update::{UpdateResult, has_previous_image, rollback_image, update_image};

package/src/docker/update.rs

@@ -6,7 +6,7 @@
 use super::image::{image_exists, pull_image};
 use super::progress::ProgressReporter;
 use super::{DockerClient, DockerError, IMAGE_NAME_GHCR, IMAGE_TAG_DEFAULT};
-use bollard::image::TagImageOptions;
+use bollard::query_parameters::TagImageOptions;
 use tracing::debug;
 
 /// Tag for the previous image version (used for rollback)
@@ -45,8 +45,8 @@ pub async fn tag_current_as_previous(client: &DockerClient) -> Result<(), Docker
 
     // Tag current as previous
     let options = TagImageOptions {
-        repo: IMAGE_NAME_GHCR,
-        tag: PREVIOUS_TAG,
+        repo: Some(IMAGE_NAME_GHCR.to_string()),
+        tag: Some(PREVIOUS_TAG.to_string()),
     };
 
     client
@@ -124,8 +124,8 @@ pub async fn rollback_image(client: &DockerClient) -> Result<(), DockerError> {
 
     // Re-tag previous as latest
     let options = TagImageOptions {
-        repo: IMAGE_NAME_GHCR,
-        tag: IMAGE_TAG_DEFAULT,
+        repo: Some(IMAGE_NAME_GHCR.to_string()),
+        tag: Some(IMAGE_TAG_DEFAULT.to_string()),
     };
 
     client

package/src/docker/volume.rs

@@ -4,7 +4,8 @@
 //! for persistent storage across container restarts.
 
 use super::{DockerClient, DockerError};
-use bollard::volume::CreateVolumeOptions;
+use bollard::models::VolumeCreateRequest;
+use bollard::query_parameters::RemoveVolumeOptions;
 use std::collections::HashMap;
 use tracing::debug;
 
@@ -73,12 +74,16 @@ pub async fn ensure_volumes_exist(client: &DockerClient) -> Result<(), DockerErr
 async fn ensure_volume_exists(client: &DockerClient, name: &str) -> Result<(), DockerError> {
     debug!("Checking volume: {}", name);
 
-    // Create volume options with default local driver
-    let options = CreateVolumeOptions {
-        name,
-        driver: "local",
-        driver_opts: HashMap::new(),
-        labels: HashMap::from([("managed-by", "opencode-cloud")]),
+    // Create volume request with default local driver (bollard v0.20+ uses VolumeCreateRequest)
+    let options = VolumeCreateRequest {
+        name: Some(name.to_string()),
+        driver: Some("local".to_string()),
+        driver_opts: Some(HashMap::new()),
+        labels: Some(HashMap::from([(
+            "managed-by".to_string(),
+            "opencode-cloud".to_string(),
+        )])),
+        cluster_volume_spec: None,
     };
 
     // create_volume is idempotent - returns existing volume if it exists
@@ -116,7 +121,7 @@ pub async fn remove_volume(client: &DockerClient, name: &str) -> Result<(), Dock
 
     client
         .inner()
-        .remove_volume(name, None)
+        .remove_volume(name, None::<RemoveVolumeOptions>)
         .await
         .map_err(|e| DockerError::Volume(format!("Failed to remove volume {name}: {e}")))?;
 

package/src/host/schema.rs

@@ -38,7 +38,7 @@ pub struct HostConfig {
 }
 
 fn default_user() -> String {
-    whoami::username()
+    whoami::username().unwrap_or_else(|_| "user".to_string())
 }
 
 impl Default for HostConfig {

package/src/platform/mod.rs

@@ -85,9 +85,12 @@ pub trait ServiceManager: Send + Sync {
 
 /// Get the appropriate service manager for the current platform
 ///
+/// # Arguments
+/// * `boot_mode` - "user" for user-level service (default), "system" for system-level
+///
 /// Returns an error if the platform is not supported or if the
 /// service manager implementation is not yet available.
-pub fn get_service_manager() -> Result<Box<dyn ServiceManager>> {
+pub fn get_service_manager(boot_mode: &str) -> Result<Box<dyn ServiceManager>> {
     #[cfg(target_os = "linux")]
     {
         if !systemd::systemd_available() {
@@ -96,11 +99,11 @@ pub fn get_service_manager() -> Result<Box<dyn ServiceManager>> {
                  Service registration requires systemd as the init system."
             ));
         }
-        Ok(Box::new(systemd::SystemdManager::new("user")))
+        Ok(Box::new(systemd::SystemdManager::new(boot_mode)))
     }
     #[cfg(target_os = "macos")]
     {
-        Ok(Box::new(launchd::LaunchdManager::new("user")))
+        Ok(Box::new(launchd::LaunchdManager::new(boot_mode)))
     }
     #[cfg(not(any(target_os = "linux", target_os = "macos")))]
     {
@@ -164,7 +167,7 @@ mod tests {
 
     #[test]
     fn test_get_service_manager_behavior() {
-        let result = get_service_manager();
+        let result = get_service_manager("user");
 
         // On Linux with systemd: returns Ok(SystemdManager)
         // On Linux without systemd: returns Err (systemd not available)
@@ -188,4 +191,16 @@ mod tests {
             assert!(result.is_err());
         }
     }
+
+    #[test]
+    fn test_get_service_manager_respects_boot_mode() {
+        // Test that boot_mode parameter is passed through
+        let user_result = get_service_manager("user");
+        let system_result = get_service_manager("system");
+
+        // Both should either succeed or fail based on platform support,
+        // but they should not panic
+        let _ = user_result;
+        let _ = system_result;
+    }
 }

package/src/platform/systemd.rs

@@ -130,11 +130,37 @@ pub fn systemd_available() -> bool {
     Path::new("/run/systemd/system").exists()
 }
 
+/// Check if systemd user session is available for the current user
+///
+/// Returns true if XDG_RUNTIME_DIR is set and the user's systemd directory exists.
+/// This is needed for `systemctl --user` commands to work.
+pub fn systemd_user_session_available() -> bool {
+    if let Ok(runtime_dir) = std::env::var("XDG_RUNTIME_DIR") {
+        // Check if the user's systemd directory exists
+        Path::new(&runtime_dir).join("systemd").exists()
+    } else {
+        false
+    }
+}
+
 impl ServiceManager for SystemdManager {
     fn install(&self, config: &ServiceConfig) -> Result<InstallResult> {
-        // Check permissions for system-level installation
-        if !self.user_mode {
-            // Check if we can write to /etc/systemd/system/
+        // Check permissions and session availability based on mode
+        if self.user_mode {
+            // User-level installation requires an active systemd user session
+            if !systemd_user_session_available() {
+                return Err(anyhow!(
+                    "User-level systemd session not available.\n\
+                     This typically happens during cloud-init or when running as a \
+                     different user without an active login session.\n\n\
+                     Solutions:\n\
+                     1. Use system-level installation: occ config set boot_mode system\n\
+                     2. Run the command from an interactive login session\n\
+                     3. Ensure XDG_RUNTIME_DIR is set and the user has an active systemd session"
+                ));
+            }
+        } else {
+            // System-level installation requires root privileges
             let test_path = self.service_dir().join(".opencode-cloud-test");
             if fs::write(&test_path, "").is_err() {
                 return Err(anyhow!(