@pushpalsdev/cli 1.0.18 → 1.0.19

package/dist/pushpals-cli.js

@@ -1472,6 +1472,130 @@ function buildRuntimeAssetSource(root, protocolSchemasDir) {
     protocolSchemasDir
   };
 }
+function buildWorkerpalSandboxPaths(runtimeRoot) {
+  const root = join2(runtimeRoot, "sandbox");
+  return {
+    root,
+    dockerfilePath: join2(root, "apps", "workerpals", "Dockerfile.sandbox"),
+    packageJsonPath: join2(root, "package.json"),
+    workerpalsDir: join2(root, "apps", "workerpals"),
+    sharedDir: join2(root, "packages", "shared"),
+    protocolDir: join2(root, "packages", "protocol"),
+    configsDir: join2(root, "configs"),
+    workerpalsPromptsDir: join2(root, "prompts", "workerpals"),
+    protocolSchemasDir: join2(root, "protocol", "schemas")
+  };
+}
+function normalizeGitTrackedPath(pathValue) {
+  return String(pathValue ?? "").trim().replace(/\\/g, "/").replace(/^\.\/+/, "").replace(/\/+$/, "");
+}
+function listTrackedRepoFilesForPath(repoRoot, sourcePath) {
+  const normalizedSource = normalizeGitTrackedPath(sourcePath);
+  if (!normalizedSource)
+    return [];
+  const proc = Bun.spawnSync(["git", "ls-files", "-z", "--", normalizedSource], {
+    cwd: repoRoot,
+    stdout: "pipe",
+    stderr: "pipe",
+    env: {
+      ...process.env,
+      GIT_TERMINAL_PROMPT: "0",
+      GCM_INTERACTIVE: "Never"
+    }
+  });
+  if (proc.exitCode !== 0) {
+    const stderr = Buffer.from(proc.stderr ?? []).toString("utf8").trim();
+    throw new Error(`git ls-files failed for ${normalizedSource}${stderr ? `: ${stderr}` : ""}`);
+  }
+  return Buffer.from(proc.stdout ?? []).toString("utf8").split("\x00").map(normalizeGitTrackedPath).filter(Boolean);
+}
+function copyTrackedRepoPath(repoRoot, sourcePath, destinationPath, force = true) {
+  const normalizedSource = normalizeGitTrackedPath(sourcePath);
+  if (!normalizedSource) {
+    throw new Error("sourcePath is required");
+  }
+  const absoluteSource = resolve4(repoRoot, normalizedSource);
+  if (!existsSync4(absoluteSource)) {
+    throw new Error(`tracked repo source is missing: ${absoluteSource}`);
+  }
+  const trackedFiles = listTrackedRepoFilesForPath(repoRoot, normalizedSource);
+  const sourceStat = lstatSync(absoluteSource);
+  if (!sourceStat.isDirectory()) {
+    if (!trackedFiles.includes(normalizedSource)) {
+      throw new Error(`tracked repo file is not tracked by git: ${normalizedSource}`);
+    }
+    mkdirSync(dirname(destinationPath), { recursive: true });
+    cpSync(absoluteSource, destinationPath, {
+      recursive: false,
+      force,
+      errorOnExist: false
+    });
+    return;
+  }
+  if (trackedFiles.length === 0) {
+    throw new Error(`tracked repo directory has no tracked files: ${normalizedSource}`);
+  }
+  for (const trackedFile of trackedFiles) {
+    const relativePath = trackedFile === normalizedSource ? basename(trackedFile) : trackedFile.slice(normalizedSource.length + 1);
+    const sourceFile = resolve4(repoRoot, trackedFile);
+    const targetFile = join2(destinationPath, relativePath);
+    mkdirSync(dirname(targetFile), { recursive: true });
+    cpSync(sourceFile, targetFile, {
+      recursive: false,
+      force,
+      errorOnExist: false
+    });
+  }
+}
+function isCompleteWorkerpalSandboxRoot(root) {
+  return existsSync4(join2(root, "package.json")) && existsSync4(join2(root, "apps", "workerpals", "Dockerfile.sandbox")) && existsSync4(join2(root, "packages", "shared", "package.json")) && existsSync4(join2(root, "packages", "protocol", "package.json")) && existsSync4(join2(root, "configs", "default.toml")) && existsSync4(join2(root, "prompts", "workerpals")) && existsSync4(join2(root, "protocol", "schemas", "envelope.schema.json")) && existsSync4(join2(root, "protocol", "schemas", "events.schema.json"));
+}
+function populateWorkerpalSandboxRuntimeAssets(runtimeRoot, force) {
+  const sandbox = buildWorkerpalSandboxPaths(runtimeRoot);
+  cpSync(join2(runtimeRoot, "configs"), sandbox.configsDir, {
+    recursive: true,
+    force,
+    errorOnExist: false
+  });
+  cpSync(join2(runtimeRoot, "prompts", "workerpals"), sandbox.workerpalsPromptsDir, {
+    recursive: true,
+    force,
+    errorOnExist: false
+  });
+  cpSync(join2(runtimeRoot, "protocol", "schemas"), sandbox.protocolSchemasDir, {
+    recursive: true,
+    force,
+    errorOnExist: false
+  });
+}
+function copySourceCheckoutWorkerpalSandboxBuildContext(sourceRoot, runtimeRoot, force) {
+  const sandbox = buildWorkerpalSandboxPaths(runtimeRoot);
+  const copyPairs = [
+    ["package.json", sandbox.packageJsonPath],
+    ["apps/workerpals", sandbox.workerpalsDir],
+    ["packages/shared", sandbox.sharedDir],
+    ["packages/protocol", sandbox.protocolDir]
+  ];
+  for (const [fromPath, toPath] of copyPairs) {
+    copyTrackedRepoPath(sourceRoot, fromPath, toPath, force);
+  }
+  if (existsSync4(join2(sourceRoot, "bun.lock"))) {
+    copyTrackedRepoPath(sourceRoot, "bun.lock", join2(sandbox.root, "bun.lock"), force);
+  }
+  populateWorkerpalSandboxRuntimeAssets(runtimeRoot, force);
+}
+function copyWorkerpalSandboxBuildContext(source, runtimeRoot, force) {
+  const packagedSandboxRoot = join2(source.root, "sandbox");
+  if (isCompleteWorkerpalSandboxRoot(packagedSandboxRoot)) {
+    cpSync(packagedSandboxRoot, join2(runtimeRoot, "sandbox"), {
+      recursive: true,
+      force,
+      errorOnExist: false
+    });
+    return;
+  }
+  copySourceCheckoutWorkerpalSandboxBuildContext(source.root, runtimeRoot, force);
+}
 function isCompleteRuntimeAssetSource(source) {
   return existsSync4(source.envExamplePath) && existsSync4(source.visionExamplePath) && existsSync4(join2(source.configsDir, "default.toml")) && existsSync4(source.promptsDir) && existsSync4(join2(source.protocolSchemasDir, "envelope.schema.json")) && existsSync4(join2(source.protocolSchemasDir, "events.schema.json"));
 }
@@ -1658,6 +1782,7 @@ function copyRuntimeAssetBundle(source, runtimeRoot, force) {
     force,
     errorOnExist: false
   });
+  copyWorkerpalSandboxBuildContext(source, runtimeRoot, force);
 }
 function copyBundledRuntimeAssets(runtimeRoot, force = true) {
   const bundledSource = resolveBundledRuntimeAssetSource();
@@ -1693,7 +1818,7 @@ async function downloadRuntimeAssetsFromSourceTag(runtimeRoot, tag) {
     throw new Error(`Failed to fetch runtime source tree for ${tag} (HTTP ${treeResponse.status})`);
   }
   const treePayload = await treeResponse.json();
-  const paths = (treePayload.tree ?? []).filter((entry) => entry.type === "blob" && typeof entry.path === "string").map((entry) => String(entry.path)).filter((pathValue) => pathValue === ".env.example" || pathValue === "vision.example.md" || pathValue.startsWith("configs/") || pathValue.startsWith("prompts/") || pathValue.startsWith("packages/protocol/src/schemas/"));
+  const paths = (treePayload.tree ?? []).filter((entry) => entry.type === "blob" && typeof entry.path === "string").map((entry) => String(entry.path)).filter((pathValue) => pathValue === ".env.example" || pathValue === "vision.example.md" || pathValue === "package.json" || pathValue === "bun.lock" || pathValue.startsWith("configs/") || pathValue.startsWith("prompts/workerpals/") || pathValue.startsWith("prompts/") || pathValue.startsWith("apps/workerpals/") || pathValue.startsWith("packages/shared/") || pathValue.startsWith("packages/protocol/") || pathValue.startsWith("packages/protocol/src/schemas/"));
   if (paths.length === 0) {
     throw new Error(`Runtime source tree for ${tag} did not include prompts/config assets`);
   }
@@ -1701,10 +1826,16 @@ async function downloadRuntimeAssetsFromSourceTag(runtimeRoot, tag) {
   for (const pathValue of sorted) {
     const rawUrl = `https://raw.githubusercontent.com/${GITHUB_OWNER}/${GITHUB_REPO}/${encodeURIComponent(tag)}/${pathValue}`;
     const body = await fetchTextFromUrl(rawUrl, 20000);
-    const outPath = pathValue.startsWith("packages/protocol/src/schemas/") ? join2(runtimeRoot, "protocol", "schemas", pathValue.slice("packages/protocol/src/schemas/".length)) : join2(runtimeRoot, pathValue);
+    const outPath = pathValue === "package.json" || pathValue === "bun.lock" ? join2(runtimeRoot, "sandbox", pathValue) : pathValue.startsWith("apps/workerpals/") || pathValue.startsWith("packages/shared/") || pathValue.startsWith("packages/protocol/") ? join2(runtimeRoot, "sandbox", pathValue) : join2(runtimeRoot, pathValue);
     mkdirSync(dirname(outPath), { recursive: true });
     writeFileSync(outPath, body, "utf8");
+    if (pathValue.startsWith("packages/protocol/src/schemas/")) {
+      const runtimeSchemaPath = join2(runtimeRoot, "protocol", "schemas", pathValue.slice("packages/protocol/src/schemas/".length));
+      mkdirSync(dirname(runtimeSchemaPath), { recursive: true });
+      writeFileSync(runtimeSchemaPath, body, "utf8");
+    }
   }
+  populateWorkerpalSandboxRuntimeAssets(runtimeRoot, true);
 }
 async function ensureRuntimeAssets(runtimeRoot, runtimeTag) {
   console.log(`[pushpals] Preparing embedded runtime assets for ${runtimeTag}...`);
@@ -1712,12 +1843,12 @@ async function ensureRuntimeAssets(runtimeRoot, runtimeTag) {
   const currentTag = existsSync4(markerPath) ? readFileSync4(markerPath, "utf8").trim() : "";
   const protocolSchemasDir = join2(runtimeRoot, "protocol", "schemas");
   const hasProtocolSchemas = existsSync4(join2(protocolSchemasDir, "envelope.schema.json")) && existsSync4(join2(protocolSchemasDir, "events.schema.json"));
-  const hasAssets = existsSync4(join2(runtimeRoot, ".env.example")) && existsSync4(join2(runtimeRoot, "vision.example.md")) && existsSync4(join2(runtimeRoot, "configs", "default.toml")) && existsSync4(join2(runtimeRoot, "prompts")) && hasProtocolSchemas;
+  const hasAssets = existsSync4(join2(runtimeRoot, ".env.example")) && existsSync4(join2(runtimeRoot, "vision.example.md")) && existsSync4(join2(runtimeRoot, "configs", "default.toml")) && existsSync4(join2(runtimeRoot, "prompts")) && hasProtocolSchemas && isCompleteWorkerpalSandboxRoot(join2(runtimeRoot, "sandbox"));
   if (!hasAssets || currentTag !== runtimeTag) {
     console.log(`[pushpals] Embedded runtime assets ${hasAssets ? "are stale" : "are missing"}; refreshing bundle...`);
     copyBundledRuntimeAssets(runtimeRoot);
     const hasProtocolSchemasAfterCopy = existsSync4(join2(protocolSchemasDir, "envelope.schema.json")) && existsSync4(join2(protocolSchemasDir, "events.schema.json"));
-    const hasAssetsAfterCopy = existsSync4(join2(runtimeRoot, ".env.example")) && existsSync4(join2(runtimeRoot, "vision.example.md")) && existsSync4(join2(runtimeRoot, "configs", "default.toml")) && existsSync4(join2(runtimeRoot, "prompts")) && hasProtocolSchemasAfterCopy;
+    const hasAssetsAfterCopy = existsSync4(join2(runtimeRoot, ".env.example")) && existsSync4(join2(runtimeRoot, "vision.example.md")) && existsSync4(join2(runtimeRoot, "configs", "default.toml")) && existsSync4(join2(runtimeRoot, "prompts")) && hasProtocolSchemasAfterCopy && isCompleteWorkerpalSandboxRoot(join2(runtimeRoot, "sandbox"));
     if (!hasAssetsAfterCopy) {
       console.log("[pushpals] Bundled runtime assets are incomplete; falling back to release source downloads...");
       await downloadRuntimeAssetsFromSourceTag(runtimeRoot, runtimeTag);
@@ -1787,7 +1918,9 @@ function buildEmbeddedRuntimeEnv(baseEnv, opts) {
     PUSHPALS_PROJECT_ROOT_OVERRIDE: opts.repoRoot,
     ...useRuntimeConfig ? {
       PUSHPALS_CONFIG_DIR_OVERRIDE: join2(opts.runtimeRoot, "configs"),
-      PUSHPALS_PROMPTS_ROOT_OVERRIDE: opts.runtimeRoot
+      PUSHPALS_PROMPTS_ROOT_OVERRIDE: opts.runtimeRoot,
+      PUSHPALS_WORKERPALS_SANDBOX_ROOT: join2(opts.runtimeRoot, "sandbox"),
+      ...typeof opts.runtimeTag === "string" && opts.runtimeTag.trim() ? { PUSHPALS_RUNTIME_TAG: opts.runtimeTag.trim() } : {}
     } : {
       PUSHPALS_PROMPTS_ROOT_OVERRIDE: opts.repoRoot
     },
@@ -2263,6 +2396,116 @@ async function resolveWorkerpalDockerProbe(cwd, env, platform = process.platform
     detail: failures.join(" | ") || "docker"
   };
 }
+var WORKERPAL_SANDBOX_RUNTIME_TAG_LABEL = "pushpals.runtime_tag";
+var WORKERPAL_SANDBOX_COMPONENT_LABEL = "pushpals.component=workerpals-sandbox";
+function resolveConfiguredDockerExecutable(env, platform = process.platform) {
+  const configured = String(env.PUSHPALS_DOCKER_BIN_ABSOLUTE ?? env.PUSHPALS_DOCKER_BIN ?? (platform === "win32" ? "docker.exe" : "docker")).trim();
+  return configured || (platform === "win32" ? "docker.exe" : "docker");
+}
+async function inspectDockerImageRuntimeTag(dockerExecutable, imageName, cwd, env) {
+  const inspect = await runCommandWithEnv([
+    dockerExecutable,
+    "image",
+    "inspect",
+    "--format",
+    `{{ index .Config.Labels "${WORKERPAL_SANDBOX_RUNTIME_TAG_LABEL}" }}`,
+    imageName
+  ], cwd, env);
+  if (!inspect.ok)
+    return "";
+  const value = inspect.stdout.trim();
+  return value === "<no value>" ? "" : value;
+}
+async function ensureWorkerpalDockerImageReady(opts) {
+  const runtimeTag = String(opts.runtimeTag ?? "").trim();
+  if (!runtimeTag) {
+    return {
+      ok: false,
+      detail: "embedded runtime tag is required to prepare the WorkerPal sandbox image"
+    };
+  }
+  await (opts.ensureRuntimeAssetsFn ?? ensureRuntimeAssets)(opts.runtimeRoot, runtimeTag);
+  const sandbox = buildWorkerpalSandboxPaths(opts.runtimeRoot);
+  if (!isCompleteWorkerpalSandboxRoot(sandbox.root)) {
+    return {
+      ok: false,
+      detail: `embedded WorkerPal sandbox assets are incomplete at ${sandbox.root}`
+    };
+  }
+  const dockerExecutable = resolveConfiguredDockerExecutable(opts.env, opts.platform ?? process.platform);
+  const inspectImageRuntimeTagFn = opts.inspectImageRuntimeTagFn ?? inspectDockerImageRuntimeTag;
+  const runCommandWithEnvFn = opts.runCommandWithEnvFn ?? runCommandWithEnv;
+  const existingRuntimeTag = await inspectImageRuntimeTagFn(dockerExecutable, opts.dockerImage, sandbox.root, opts.env);
+  if (existingRuntimeTag === runtimeTag) {
+    return {
+      ok: true,
+      detail: `WorkerPal sandbox image is ready locally (${opts.dockerImage}, runtimeTag=${runtimeTag})`
+    };
+  }
+  console.log(existingRuntimeTag ? `[pushpals] WorkerPal sandbox image ${opts.dockerImage} is stale (runtimeTag=${existingRuntimeTag}); rebuilding locally...` : `[pushpals] WorkerPal sandbox image ${opts.dockerImage} is missing; building locally...`);
+  const build = await runCommandWithEnvFn([
+    dockerExecutable,
+    "build",
+    "-f",
+    "apps/workerpals/Dockerfile.sandbox",
+    "--label",
+    `${WORKERPAL_SANDBOX_RUNTIME_TAG_LABEL}=${runtimeTag}`,
+    "--label",
+    WORKERPAL_SANDBOX_COMPONENT_LABEL,
+    "-t",
+    opts.dockerImage,
+    "."
+  ], sandbox.root, opts.env);
+  if (!build.ok) {
+    const detail = build.stderr || build.stdout || `docker build exited ${build.exitCode}`;
+    return {
+      ok: false,
+      detail: `failed to build local WorkerPal sandbox image ${opts.dockerImage}: ${detail}`
+    };
+  }
+  return {
+    ok: true,
+    detail: `built local WorkerPal sandbox image ${opts.dockerImage} for runtimeTag=${runtimeTag}`
+  };
+}
+async function prepareEmbeddedWorkerpalDockerImageIfNeeded(opts) {
+  if (!opts.preparedRuntime.preflightUsesEmbeddedRuntime) {
+    return {
+      status: "skipped",
+      detail: "repo is using source-checkout runtime assets",
+      runtimeTag: ""
+    };
+  }
+  if (!opts.config.remotebuddy.autoSpawnWorkerpals || !opts.config.remotebuddy.workerpalDocker || !opts.config.remotebuddy.workerpalRequireDocker) {
+    return {
+      status: "skipped",
+      detail: "embedded docker-backed WorkerPal auto-spawn is not required",
+      runtimeTag: ""
+    };
+  }
+  if (opts.dockerPrecheck.status === "failed") {
+    return {
+      status: "failed",
+      detail: opts.dockerPrecheck.detail,
+      runtimeTag: ""
+    };
+  }
+  const runtimeTag = opts.preparedRuntime.runtimeTag || String(opts.runtimeTagHint ?? "").trim() || await (opts.resolveRuntimeReleaseTagFn ?? resolveRuntimeReleaseTag)(opts.runtimeTagHint);
+  if (!runtimeTag) {
+    return {
+      status: "failed",
+      detail: "embedded runtime tag is required to prepare the WorkerPal sandbox image",
+      runtimeTag: ""
+    };
+  }
+  const ensureResult = await (opts.ensureWorkerpalDockerImageReadyFn ?? ensureWorkerpalDockerImageReady)({
+    runtimeRoot: opts.preparedRuntime.runtimeRoot,
+    runtimeTag,
+    dockerImage: opts.config.remotebuddy.workerpalImage ?? opts.config.workerpals.dockerImage,
+    env: opts.dockerPrecheck.env
+  });
+  return ensureResult.ok ? { status: "ok", detail: ensureResult.detail, runtimeTag } : { status: "failed", detail: ensureResult.detail, runtimeTag };
+}
 async function precheckSourceControlManagerGitAvailability(opts) {
   const platform = opts.platform ?? process.platform;
   const env = buildEmbeddedRuntimeEnv(opts.baseEnv ?? process.env, {
@@ -2824,7 +3067,8 @@ async function autoStartRuntimeServices(opts) {
     repoRoot: opts.repoRoot,
     runtimeRoot,
     useRuntimeConfig: opts.preparedRuntime.preflightUsesEmbeddedRuntime,
-    sessionId: opts.sessionId
+    sessionId: opts.sessionId,
+    runtimeTag
   });
   runtimeEnv.PUSHPALS_WORKERPALS_BIN = runtimeBinaries.workerpals;
   const preconfiguredRuntimeGitBinary = runtimeEnv.PUSHPALS_GIT_BIN_ABSOLUTE ?? runtimeEnv.PUSHPALS_GIT_BIN;
@@ -3642,6 +3886,7 @@ async function main() {
   };
   let autoStartedServices = [];
   let pushpalsLogPath;
+  let resolvedRuntimeTagForAutoStart = preparedRuntime.runtimeTag || parsed.runtimeTag || "";
   const stopAutoStartedServices = () => {
     if (autoStartedServices.length === 0)
       return;
@@ -3650,17 +3895,32 @@ async function main() {
   };
   let serverHealthy = await probeServer(serverUrl);
   const serverWasAlreadyHealthy = serverHealthy;
+  if (!serverHealthy && workerpalDockerPrecheck.status === "failed") {
+    console.error(`[pushpals] Precheck failed: Docker-backed WorkerPal auto-spawn is required but Docker is unavailable (${workerpalDockerPrecheck.detail}).`);
+    console.error("[pushpals] Precheck failed: start Docker Desktop or the Docker daemon, then retry pushpals.");
+    process.exit(1);
+  }
+  if (workerpalDockerPrecheck.status !== "failed") {
+    const workerpalImagePrecheck = await prepareEmbeddedWorkerpalDockerImageIfNeeded({
+      preparedRuntime,
+      config,
+      dockerPrecheck: workerpalDockerPrecheck,
+      runtimeTagHint: resolvedRuntimeTagForAutoStart || parsed.runtimeTag
+    });
+    if (workerpalImagePrecheck.status === "failed") {
+      console.error(`[pushpals] Precheck failed: ${workerpalImagePrecheck.detail}.`);
+      process.exit(1);
+    }
+    if (workerpalImagePrecheck.runtimeTag) {
+      resolvedRuntimeTagForAutoStart = workerpalImagePrecheck.runtimeTag;
+    }
+  }
   let remoteBuddyConsumerHealth = {
     ok: false,
     detail: `No connected RemoteBuddy session consumer found for session ${sessionId}`
   };
   if (!serverHealthy) {
     if (!parsed.noAutoStart) {
-      if (workerpalDockerPrecheck.status === "failed") {
-        console.error(`[pushpals] Precheck failed: Docker-backed WorkerPal auto-spawn is required but Docker is unavailable (${workerpalDockerPrecheck.detail}).`);
-        console.error("[pushpals] Precheck failed: start Docker Desktop or the Docker daemon, then retry pushpals.");
-        process.exit(1);
-      }
       try {
         const startedRuntime = await autoStartRuntimeServices({
           repoRoot,
@@ -3670,7 +3930,7 @@ async function main() {
           sourceControlManagerPort: config.sourceControlManager.port,
           sourceControlManagerRemote: config.sourceControlManager.remote,
           preparedRuntime,
-          requestedRuntimeTag: parsed.runtimeTag,
+          requestedRuntimeTag: resolvedRuntimeTagForAutoStart || parsed.runtimeTag,
           startLocalBuddy: resolveCliLocalBuddyAutostart(parsed.runtimeOnly, Boolean(config.localbuddy.enabled)),
           baseEnv: workerpalDockerPrecheck.env
         });
@@ -3929,6 +4189,7 @@ export {
   resolveCliLocalBuddyAutostart,
   resolveBundledRuntimeAssetSource,
   resolveBundledMonitoringHubRoot,
+  prepareEmbeddedWorkerpalDockerImageIfNeeded,
   prepareCliRuntime,
   precheckWorkerpalDockerAvailability,
   precheckSourceControlManagerGitAvailability,
@@ -3941,7 +4202,11 @@ export {
   formatSessionEventLine,
   extractRemoteBuddySessionConsumerHealth,
   extractRemoteBuddyAutonomousEngineState,
+  ensureWorkerpalDockerImageReady,
+  downloadRuntimeAssetsFromSourceTag,
+  copyTrackedRepoPath,
   bundledMonitoringHubNeedsRefresh,
+  buildWorkerpalSandboxPaths,
   buildServiceStopCommand,
   buildRuntimeServiceLogPaths,
   buildOpenMonitoringHubCommand,

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@pushpalsdev/cli",
-  "version": "1.0.18",
+  "version": "1.0.19",
   "description": "PushPals terminal CLI for LocalBuddy -> RemoteBuddy orchestration",
   "license": "MIT",
   "repository": {

package/runtime/sandbox/apps/workerpals/.python-version

@@ -0,0 +1 @@
+3.12

package/runtime/sandbox/apps/workerpals/Dockerfile.sandbox

@@ -0,0 +1,71 @@
+# PushPals Worker Sandbox Dockerfile
+# This image provides an isolated environment for job execution
+# The entire monorepo is available in the container for job execution
+
+FROM oven/bun:1-debian AS base
+
+# Install git and other essential tools
+RUN apt-get update && apt-get install -y --no-install-recommends \
+    git \
+    curl \
+    ca-certificates \
+    openssh-client \
+    grep \
+    jq \
+    ripgrep \
+    fd-find \
+    less \
+    unzip \
+    zip \
+    procps \
+    dnsutils \
+    iputils-ping \
+    python3 \
+    python3-venv \
+    python3-pip \
+    && rm -rf /var/lib/apt/lists/*
+
+# Worker runtime in one shared venv (uv default layout).
+# Keep the venv at /workspace/.venv so all backends use the same Python runtime.
+RUN mkdir -p /workspace \
+    && python3 -m venv /workspace/.venv \
+    && /workspace/.venv/bin/pip install --no-cache-dir --upgrade pip \
+    && /workspace/.venv/bin/pip install --no-cache-dir \
+        openhands-sdk \
+        openhands-agent-server \
+        openhands-workspace \
+        openhands-tools \
+        mini-swe-agent \
+        playwright \
+    && bun add -g @openai/codex \
+    && /workspace/.venv/bin/playwright install --with-deps chromium
+
+ENV PATH="/workspace/.venv/bin:/root/.bun/bin:${PATH}"
+ENV WORKERPALS_OPENHANDS_PYTHON="/workspace/.venv/bin/python"
+ENV WORKERPALS_OPENHANDS_WORKSPACE_PYTHON="/workspace/.venv/bin/python"
+ENV WORKERPALS_MINISWE_PYTHON="/workspace/.venv/bin/python"
+ENV PUSHPALS_OPENAI_CODEX_PYTHON="/workspace/.venv/bin/python"
+
+# Configure git for the worker
+RUN git config --global user.name "PushPals Worker" \
+    && git config --global user.email "worker@pushpals.local" \
+    && git config --global safe.directory '*' \
+    && git config --global core.autocrlf input
+
+# Set up the full monorepo structure
+WORKDIR /workspace
+
+# Copy entire repository (build context should be repo root)
+COPY . .
+
+# Install workspace dependencies (including devDeps needed for protocol build)
+RUN bun install
+
+# Build protocol package (needed by worker)
+RUN cd packages/protocol && bun run build
+
+# Set working directory for job execution
+WORKDIR /workspace
+
+# Default entrypoint runs the job runner with base64-encoded job spec
+ENTRYPOINT ["bun", "run", "/workspace/apps/workerpals/src/job_runner.ts"]

package/runtime/sandbox/apps/workerpals/package.json

@@ -0,0 +1,25 @@
+{
+  "name": "workerpals",
+  "version": "1.0.0",
+  "type": "module",
+  "scripts": {
+    "dev": "bun --watch --no-clear-screen src/workerpals_main.ts",
+    "start": "bun run src/workerpals_main.ts",
+    "build:sandbox": "docker build -f Dockerfile.sandbox -t pushpals-worker-sandbox:latest ../..",
+    "docker:build": "docker build -f Dockerfile.sandbox -t pushpals-worker-sandbox:latest ../..",
+    "docker:build:local": "docker build -f Dockerfile.sandbox -t pushpals-worker-sandbox:local ../..",
+    "docker:run": "docker run --rm -it pushpals-worker-sandbox:latest",
+    "dev:docker": "bun run src/workerpals_main.ts --docker",
+    "workerpals:docker": "bun run src/workerpals_main.ts --docker",
+    "workerpals:docker:local": "bun run src/workerpals_main.ts --docker --docker-image pushpals-worker-sandbox:local"
+  },
+  "dependencies": {
+    "protocol": "workspace:*",
+    "shared": "workspace:*"
+  },
+  "devDependencies": {
+    "typescript": "~5.9.2",
+    "@types/bun": "latest"
+  },
+  "private": true
+}

package/runtime/sandbox/apps/workerpals/pyproject.toml

@@ -0,0 +1,8 @@
+[project]
+name = "workerpals"
+version = "0.1.0"
+description = "Add your description here"
+requires-python = ">=3.12"
+dependencies = [
+    "mini-swe-agent>=2.1.0",
+]

package/runtime/sandbox/apps/workerpals/src/backends/backend_config.ts

@@ -0,0 +1,111 @@
+import { readFileSync } from "fs";
+import { resolve } from "path";
+import { loadPushPalsConfig } from "shared";
+import type { ExecutorBackend } from "../common/types.js";
+import { MINISWE_BACKEND } from "./miniswe_backend.js";
+import { OPENAI_CODEX_BACKEND } from "./openai_codex_backend.js";
+import { OPENHANDS_BACKEND } from "./openhands_backend.js";
+import type { BackendTaskExecutor, DockerBackendSpec } from "./types.js";
+import { registerBackendTaskExecutor } from "./task_execute_registry.js";
+
+const FALLBACK_DEFAULT_EXECUTOR: ExecutorBackend = "miniswe";
+
+interface BackendTomlShape {
+  default_backend?: string;
+  env?: { shared_passthrough?: unknown };
+  backends?: Record<
+    string,
+    {
+      script_segments?: unknown;
+      passthrough_env?: unknown;
+      python_config_key?: string;
+      timeout_config_key?: string;
+    }
+  >;
+}
+
+function toStrings(value: unknown): string[] {
+  if (!Array.isArray(value)) return [];
+  return value
+    .filter((item): item is string => typeof item === "string")
+    .map((item) => item.trim())
+    .filter(Boolean);
+}
+
+function loadBackendToml(): BackendTomlShape {
+  const projectRoot = loadPushPalsConfig().projectRoot;
+  const path = resolve(projectRoot, "configs", "backend.toml");
+  try {
+    const parsed = Bun.TOML.parse(readFileSync(path, "utf-8")) as unknown;
+    if (!parsed || typeof parsed !== "object" || Array.isArray(parsed)) return {};
+    return parsed as BackendTomlShape;
+  } catch {
+    return {};
+  }
+}
+
+const config = loadBackendToml();
+const backendEntries = Object.entries(config.backends ?? {});
+
+export const BACKEND_EXECUTOR_SCRIPT_SEGMENTS: Record<string, readonly string[]> =
+  Object.fromEntries(
+    backendEntries.map(([name, spec]) => [name, toStrings(spec?.script_segments)]),
+  );
+
+export const EXECUTOR_BACKENDS = Object.keys(BACKEND_EXECUTOR_SCRIPT_SEGMENTS) as ExecutorBackend[];
+
+export const DEFAULT_EXECUTOR = (
+  typeof config.default_backend === "string" &&
+  EXECUTOR_BACKENDS.includes(config.default_backend as ExecutorBackend)
+    ? config.default_backend
+    : (EXECUTOR_BACKENDS[0] ?? FALLBACK_DEFAULT_EXECUTOR)
+) as ExecutorBackend;
+
+export const SHARED_DOCKER_PASSTHROUGH_ENV = toStrings(config.env?.shared_passthrough);
+
+export const BACKEND_DOCKER_PASSTHROUGH_ENV: Record<string, readonly string[]> = Object.fromEntries(
+  backendEntries.map(([name, spec]) => [name, toStrings(spec?.passthrough_env)]),
+);
+
+export const BACKEND_RUNTIME_CONFIG_KEYS: Record<
+  string,
+  { pythonKey: string; timeoutKey: string }
+> = Object.fromEntries(
+  backendEntries.map(([name, spec]) => [
+    name,
+    {
+      pythonKey: spec?.python_config_key?.trim() || `${name}Python`,
+      timeoutKey: spec?.timeout_config_key?.trim() || `${name}TimeoutMs`,
+    },
+  ]),
+);
+
+export const DOCKER_BACKENDS: readonly DockerBackendSpec[] = [
+  OPENHANDS_BACKEND,
+  MINISWE_BACKEND,
+  OPENAI_CODEX_BACKEND,
+];
+
+export function getDockerBackendSpec(name: ExecutorBackend): DockerBackendSpec {
+  const spec = DOCKER_BACKENDS.find((entry) => entry.name === name);
+  if (!spec) {
+    throw new Error(`Unknown docker backend: ${name}`);
+  }
+  return spec;
+}
+
+// ---- Auto-register task executors from backend modules ----------------------
+// Each DockerBackendSpec provides a taskExecute hook. Register them so that
+// execute_job.ts can discover executors via the registry without hardcoding
+// backend names.
+
+for (const backend of DOCKER_BACKENDS) {
+  registerBackendTaskExecutor(backend.name, backend.taskExecute);
+}
+
+export function getBackendTaskExecutorFromSpec(
+  name: ExecutorBackend,
+): BackendTaskExecutor | undefined {
+  const spec = DOCKER_BACKENDS.find((entry) => entry.name === name);
+  return spec?.taskExecute ?? undefined;
+}