@proletariat/cli 0.3.45 → 0.3.47

package/dist/lib/execution/config.d.ts

@@ -23,12 +23,14 @@ declare const CONFIG_KEYS: {
     dockerNetwork: string;
     dockerMemory: string;
     dockerCpus: string;
+    firewallAllowlistDomains: string;
     vmDefaultHost: string;
     vmUser: string;
     vmKeyPath: string;
     vmSyncMethod: string;
     coderName: string;
     authMethod: string;
+    createPrDefault: string;
 };
 /**
  * Load execution config from database, merging with defaults
@@ -56,6 +58,10 @@ export declare function saveTmuxControlMode(db: Database.Database, enabled: bool
  * When enabled, new terminal tabs open without stealing focus from current window.
  */
 export declare function saveTerminalOpenInBackground(db: Database.Database, enabled: boolean): void;
+/**
+ * Save extra firewall allowlist domains.
+ */
+export declare function saveFirewallAllowlistDomains(db: Database.Database, domains: string[]): void;
 /**
  * Save auth method preference (oauth or apikey)
  */
@@ -69,6 +75,15 @@ export declare function getAuthMethod(db: Database.Database): AuthMethod | null;
  * Clear saved auth method preference (will prompt again next time)
  */
 export declare function clearAuthMethod(db: Database.Database): void;
+/**
+ * Get saved PR creation default preference.
+ * Returns null if no preference has been saved (user should be prompted).
+ */
+export declare function getCreatePrDefault(db: Database.Database): boolean | null;
+/**
+ * Save PR creation default preference.
+ */
+export declare function saveCreatePrDefault(db: Database.Database, createPr: boolean): void;
 /**
  * Check if terminal app preference has been set
  */

package/dist/lib/execution/config.js

@@ -27,12 +27,14 @@ const CONFIG_KEYS = {
     dockerNetwork: 'execution.docker.network',
     dockerMemory: 'execution.docker.memory',
     dockerCpus: 'execution.docker.cpus',
+    firewallAllowlistDomains: 'execution.firewall.allowlist_domains',
     vmDefaultHost: 'execution.vm.default_host',
     vmUser: 'execution.vm.user',
     vmKeyPath: 'execution.vm.key_path',
     vmSyncMethod: 'execution.vm.sync_method',
     coderName: 'coder.name',
     authMethod: 'execution.auth_method',
+    createPrDefault: 'execution.create_pr_default',
 };
 /**
  * Get a setting value from the database
@@ -103,6 +105,11 @@ export function loadExecutionConfig(db) {
     if (authMethod) {
         config.authMethod = authMethod;
     }
+    // Load create PR default preference
+    const createPrDefault = getSetting(db, CONFIG_KEYS.createPrDefault);
+    if (createPrDefault !== null) {
+        config.createPrDefault = createPrDefault === 'true';
+    }
     // Load tmux settings
     const tmuxSession = getSetting(db, CONFIG_KEYS.tmuxSession);
     if (tmuxSession) {
@@ -133,6 +140,28 @@ export function loadExecutionConfig(db) {
     if (dockerCpus) {
         config.docker = { ...config.docker, cpus: parseInt(dockerCpus, 10) };
     }
+    // Load firewall allowlist domains
+    const firewallAllowlistDomains = getSetting(db, CONFIG_KEYS.firewallAllowlistDomains);
+    if (firewallAllowlistDomains) {
+        let parsed = [];
+        try {
+            const jsonValue = JSON.parse(firewallAllowlistDomains);
+            if (Array.isArray(jsonValue)) {
+                parsed = jsonValue
+                    .filter((domain) => typeof domain === 'string')
+                    .map(domain => domain.trim())
+                    .filter(Boolean);
+            }
+        }
+        catch {
+            // Backward-compatible fallback: comma-separated string
+            parsed = firewallAllowlistDomains
+                .split(',')
+                .map(domain => domain.trim())
+                .filter(Boolean);
+        }
+        config.firewall = { ...config.firewall, allowlistDomains: parsed };
+    }
     // Load VM settings
     const vmDefaultHost = getSetting(db, CONFIG_KEYS.vmDefaultHost);
     if (vmDefaultHost) {
@@ -184,6 +213,13 @@ export function saveTmuxControlMode(db, enabled) {
 export function saveTerminalOpenInBackground(db, enabled) {
     setSetting(db, CONFIG_KEYS.terminalOpenInBackground, enabled.toString());
 }
+/**
+ * Save extra firewall allowlist domains.
+ */
+export function saveFirewallAllowlistDomains(db, domains) {
+    const cleaned = [...new Set(domains.map(domain => domain.trim()).filter(Boolean))];
+    setSetting(db, CONFIG_KEYS.firewallAllowlistDomains, JSON.stringify(cleaned));
+}
 /**
  * Save auth method preference (oauth or apikey)
  */
@@ -206,6 +242,24 @@ export function getAuthMethod(db) {
 export function clearAuthMethod(db) {
     db.prepare(`DELETE FROM ${SETTINGS_TABLE} WHERE key = ?`).run(CONFIG_KEYS.authMethod);
 }
+/**
+ * Get saved PR creation default preference.
+ * Returns null if no preference has been saved (user should be prompted).
+ */
+export function getCreatePrDefault(db) {
+    const value = getSetting(db, CONFIG_KEYS.createPrDefault);
+    if (value === 'true')
+        return true;
+    if (value === 'false')
+        return false;
+    return null;
+}
+/**
+ * Save PR creation default preference.
+ */
+export function saveCreatePrDefault(db, createPr) {
+    setSetting(db, CONFIG_KEYS.createPrDefault, createPr.toString());
+}
 /**
  * Check if terminal app preference has been set
  */

package/dist/lib/execution/devcontainer.d.ts

@@ -4,7 +4,7 @@
  * Generates .devcontainer/ configuration for agent sandboxed execution.
  * Uses a custom Dockerfile with network firewall for security sandboxing.
  */
-import { ExecutionConfig } from './types.js';
+import { ExecutionConfig, ExecutorType } from './types.js';
 export type MountMode = 'worktree' | 'clone';
 export interface DevcontainerOptions {
     agentName: string;
@@ -21,6 +21,8 @@ export interface DevcontainerOptions {
     gitUserName?: string;
     /** Git user.email for commit attribution (detected from gh/git config on host) */
     gitUserEmail?: string;
+    /** Executor type - determines which CLI tools to install and which API domains to whitelist */
+    executor?: ExecutorType;
 }
 export interface DevcontainerJson {
     name: string;
@@ -58,9 +60,10 @@ export declare function generateDevcontainerJson(options: DevcontainerOptions, c
 export declare function generateDockerfile(options: DevcontainerOptions): string;
 /**
  * Generate firewall initialization script.
- * Whitelists only necessary domains for Claude Code operation.
+ * Whitelists only necessary domains for the configured executor.
+ * Claude Code requires api.anthropic.com; Codex requires api.openai.com.
  */
-export declare function generateFirewallScript(): string;
+export declare function generateFirewallScript(executor?: ExecutorType, extraAllowedDomains?: string[]): string;
 /**
  * Generate prlt setup script.
  * Rebuilds better-sqlite3 if prlt is mounted from host (not installed via npm).

package/dist/lib/execution/devcontainer.js

@@ -35,13 +35,16 @@ export function generateDevcontainerJson(options, config) {
     if (channel.registry === 'gh') {
         buildArgs.GITHUB_TOKEN = '${localEnv:GITHUB_TOKEN}';
     }
+    // Determine if this is a Claude Code executor (for Claude-specific mounts/config)
+    const isClaude = !options.executor || options.executor === 'claude-code';
     // Build mounts array - parent repo mounts only needed for worktree mode
     // TKT-801: Use consistency=cached to reduce grpcfuse contention on Docker Desktop.
     // This helps prevent kernel panics when multiple containers mount the same paths concurrently.
     const mounts = [
         'source=${localWorkspaceFolder},target=/workspace,type=bind,consistency=cached',
         'source=claude-bash-history,target=/commandhistory,type=volume',
-        'source=claude-credentials,target=/home/node/.claude,type=volume',
+        // Claude credentials volume - only needed for Claude Code executor
+        ...(isClaude ? ['source=claude-credentials,target=/home/node/.claude,type=volume'] : []),
         // NOTE: ~/.claude.json is COPIED (not mounted) to /workspace/.claude.json
         // to avoid corruption from concurrent writes by multiple containers
         // NOTE: SSH agent socket mounting doesn't work reliably on Docker Desktop for Mac
@@ -170,9 +173,9 @@ RUN mkdir -p /home/node/.npm-global/bin /home/node/.npm-global/lib \\
 ENV NPM_CONFIG_PREFIX=/home/node/.npm-global
 ENV PATH=/home/node/.npm-global/bin:\$PATH
 
-# Install pnpm and Claude Code as node user so files are owned correctly
+# Install pnpm and executor CLI as node user so files are owned correctly
 USER node
-RUN npm install -g pnpm && npm install -g @anthropic-ai/claude-code
+RUN npm install -g pnpm && npm install -g @anthropic-ai/claude-code${options.executor === 'codex' ? ' && npm install -g @openai/codex' : ''}
 USER root
 
 # Install prlt CLI from public npm
@@ -207,9 +210,15 @@ WORKDIR /workspace
 }
 /**
  * Generate firewall initialization script.
- * Whitelists only necessary domains for Claude Code operation.
+ * Whitelists only necessary domains for the configured executor.
+ * Claude Code requires api.anthropic.com; Codex requires api.openai.com.
  */
-export function generateFirewallScript() {
+export function generateFirewallScript(executor, extraAllowedDomains = []) {
+    const extraDomainCommands = [...new Set(extraAllowedDomains
+            .map(domain => domain.trim().toLowerCase())
+            .filter(domain => /^[a-z0-9.-]+$/.test(domain)))]
+        .map(domain => `add_domain "${domain}"`)
+        .join('\n');
     return `#!/bin/bash
 set -e
 
@@ -291,9 +300,12 @@ add_domain "objects.githubusercontent.com"
 add_domain "raw.githubusercontent.com"
 add_domain "npm.pkg.github.com"
 
-# Add other allowed domains
+# Add executor-specific API domains
 add_domain "api.anthropic.com"
 add_domain "console.anthropic.com"
+${executor === 'codex' ? `# Codex API domains
+add_domain "api.openai.com"
+add_domain "openai.com"` : ''}
 add_domain "statsigapi.net"
 add_domain "sentry.io"
 add_domain "registry.npmjs.org"
@@ -301,6 +313,19 @@ add_domain "npmjs.com"
 add_domain "nodejs.org"
 add_domain "update.code.visualstudio.com"
 add_domain "vscode.download.prss.microsoft.com"
+${extraDomainCommands ? `# Additional user-configured allowlist domains
+${extraDomainCommands}` : ''}
+
+# Runtime allowlist domains (comma-separated), e.g. PRLT_EXTRA_ALLOWLIST_DOMAINS=api.staging.example.com
+if [ -n "\${PRLT_EXTRA_ALLOWLIST_DOMAINS:-}" ]; then
+    IFS=',' read -ra EXTRA_DOMAINS <<< "$PRLT_EXTRA_ALLOWLIST_DOMAINS"
+    for domain in "\${EXTRA_DOMAINS[@]}"; do
+        domain="\${domain//[[:space:]]/}"
+        if [ -n "$domain" ]; then
+            add_domain "$domain"
+        fi
+    done
+fi
 
 # Allow traffic to whitelisted IPs
 iptables -A OUTPUT -m set --match-set allowed-domains dst -j ACCEPT
@@ -522,6 +547,8 @@ configure_git_identity
 
 # Check if prlt is already installed globally (via npm)
 # TKT-954: Also check for updates - Docker layer caching may have installed an older version
+# TKT-1029: Don't exit early - continue to workspace dependency installation
+PRLT_CONFIGURED=false
 if command -v prlt &> /dev/null; then
     PRLT_PATH=$(which prlt)
     if [[ "$PRLT_PATH" == "/home/node/.npm-global/bin/prlt" ]]; then
@@ -544,12 +571,12 @@ if command -v prlt &> /dev/null; then
         else
             echo "prlt v\${CURRENT_VERSION} is up to date"
         fi
-        exit 0
+        PRLT_CONFIGURED=true
     fi
 fi
 
-# Check if mounted prlt exists at /opt/prlt
-if [ -d "/opt/prlt/apps/cli" ]; then
+# Check if mounted prlt exists at /opt/prlt (skip if already configured via npm)
+if [ "$PRLT_CONFIGURED" = "false" ] && [ -d "/opt/prlt/apps/cli" ]; then
     echo "Setting up mounted prlt..."
 
     PRLT_LOCAL="/home/node/.prlt-local"
@@ -597,7 +624,7 @@ WRAPPER_EOF
     # Create prltdev symlink for consistency with dev environment
     ln -sf "$WRAPPER" /home/node/.npm-global/bin/prltdev
     echo "prlt wrapper ready at $WRAPPER (also available as prltdev)"
-else
+elif [ "$PRLT_CONFIGURED" = "false" ]; then
     echo "No mounted prlt found, skipping setup"
 fi
 
@@ -647,8 +674,8 @@ export function createDevcontainerConfig(options, config) {
     const dockerfile = generateDockerfile(options);
     const dockerfilePath = path.join(devcontainerDir, 'Dockerfile');
     fs.writeFileSync(dockerfilePath, dockerfile);
-    // Generate and write firewall script
-    const firewallScript = generateFirewallScript();
+    // Generate and write firewall script (executor-aware for API domain whitelisting)
+    const firewallScript = generateFirewallScript(options.executor, config?.firewall.allowlistDomains ?? []);
     const firewallScriptPath = path.join(devcontainerDir, 'init-firewall.sh');
     fs.writeFileSync(firewallScriptPath, firewallScript, { mode: 0o755 });
     // Generate and write prlt setup script

package/dist/lib/execution/runners.d.ts

@@ -3,7 +3,7 @@
  *
  * Implementations for each execution environment (devcontainer, host, docker, vm).
  */
-import { ExecutionEnvironment, DisplayMode, SessionManager, ExecutorType, ExecutionContext, ExecutionConfig } from './types.js';
+import { ExecutionEnvironment, DisplayMode, OutputMode, SessionManager, ExecutorType, ExecutionContext, ExecutionConfig } from './types.js';
 /**
  * Build a unified name for tmux sessions, window names, and tab titles.
  * Format: "{ticketId}-{action}-{agentName}"
@@ -41,17 +41,6 @@ export declare function buildTmuxAttachCommand(useControlMode: boolean, includeU
  */
 export declare function configureITermTmuxPreferences(mode: 'tab' | 'window'): void;
 export declare function configureITermTmuxWindowMode(mode: 'tab' | 'window'): void;
-/**
- * Build the tmux script that runs inside the container.
- * In background mode: kills PID 1 (sleep infinity) after Claude exits to stop/remove container.
- * In terminal/foreground mode: drops into exec bash for user inspection.
- */
-export declare function buildTmuxScript(sessionName: string, claudeCmd: string, displayMode: DisplayMode): string;
-/**
- * Get the auto-remove flags for docker run based on display mode.
- * Background mode containers get --rm so Docker removes them when they stop.
- */
-export declare function getDockerAutoRemoveFlags(displayMode: DisplayMode): string[];
 /**
  * Check if the claude-credentials Docker volume exists.
  */
@@ -74,40 +63,41 @@ export declare function getDockerCredentialInfo(): {
     expiresAt: Date;
     subscriptionType?: string;
 } | null;
+export declare function getExecutorCommand(executor: ExecutorType, prompt: string, skipPermissions?: boolean): {
+    cmd: string;
+    args: string[];
+};
+/**
+ * Check if an executor is Claude Code.
+ * Used to gate Claude-specific flags and configuration.
+ */
+export declare function isClaudeExecutor(executor: ExecutorType): boolean;
 /**
- * Preflight result indicating whether the executor is ready to run.
+ * Get the display name for an executor type.
  */
+export declare function getExecutorDisplayName(executor: ExecutorType): string;
+/**
+ * Get the npm package name for an executor (for container installation).
+ */
+export declare function getExecutorPackage(executor: ExecutorType): string | null;
 export interface PreflightResult {
     ok: boolean;
     error?: string;
 }
 /**
- * Check if an executor binary is available on the host.
- * Returns a PreflightResult with ok=true if the binary is found,
- * or ok=false with a descriptive error and remediation hint.
+ * Check executor binary availability on host.
  */
 export declare function checkExecutorOnHost(executor: ExecutorType): PreflightResult;
 /**
- * Check if an executor binary is available inside a Docker container.
- * Returns a PreflightResult with ok=true if the binary is found,
- * or ok=false with a descriptive error and remediation hint.
+ * Check executor binary availability inside a container.
  */
 export declare function checkExecutorInContainer(executor: ExecutorType, containerId: string): PreflightResult;
 /**
- * Run preflight checks for a given execution environment and executor.
- * Validates that the executor binary is available before spawning.
- *
- * Checks performed per environment:
- * - host: Verify binary on PATH
- * - devcontainer: Verify binary inside container (if container running)
- * - docker: Verify binary on host (used in docker run command)
- * - vm: Verify binary on host (will be checked on remote separately)
+ * Run executor preflight checks for the target environment.
  */
-export declare function runExecutorPreflight(executor: ExecutorType, environment: ExecutionEnvironment, containerId?: string): PreflightResult;
-export declare function getExecutorCommand(executor: ExecutorType, prompt: string, skipPermissions?: boolean): {
-    cmd: string;
-    args: string[];
-};
+export declare function runExecutorPreflight(environment: ExecutionEnvironment, executor: ExecutorType, options?: {
+    containerId?: string;
+}): PreflightResult;
 export interface RunnerResult {
     success: boolean;
     pid?: string;
@@ -167,6 +157,12 @@ export declare function isContainerRunning(containerName: string): boolean;
  * Get the container ID for a running container.
  */
 export declare function getContainerId(containerName: string): string | null;
+/**
+ * Build the command to run Claude inside the container.
+ * Uses docker exec for direct container access.
+ * Uses a prompt file to avoid shell escaping issues.
+ */
+export declare function buildDevcontainerCommand(context: ExecutionContext, executor: ExecutorType, promptFile: string, containerId?: string, outputMode?: OutputMode, sandboxed?: boolean, displayMode?: DisplayMode): string;
 /**
  * Run command inside a Docker container.
  * Uses raw Docker commands for filesystem isolation - no devcontainer CLI required.