npm - @pushpalsdev/cli - Versions diffs - 1.0.46 → 1.0.48 - Mend

@pushpalsdev/cli 1.0.46 → 1.0.48

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (4) hide show

package/dist/pushpals-cli.js CHANGED Viewed

@@ -1523,6 +1523,9 @@ var MONITOR_POLL_MS = 2000;
 var HTTP_TIMEOUT_MS = 2500;
 var LOCALBUDDY_TIMEOUT_MS = 4000;
 var SSE_RECONNECT_MS = 1500;
+var DOCKER_VERSION_PROBE_TIMEOUT_MS = 1e4;
+var WORKERPAL_IMAGE_INSPECT_TIMEOUT_MS = 15000;
+var WORKERPAL_IMAGE_BUILD_TIMEOUT_MS = 10 * 60000;
 var DEFAULT_RUNTIME_BOOT_TIMEOUT_MS = 90000;
 var DEFAULT_RUNTIME_BOOT_POLL_MS = 1000;
 var DEFAULT_SERVER_BOOT_TIMEOUT_MS = 20000;
@@ -2948,7 +2951,7 @@ async function resolveWorkerpalDockerProbe(cwd, env, platform = process.platform
   const candidates = resolveRuntimeDockerExecutableCandidates(env, platform);
   const failures = [];
   for (const candidate of candidates) {
-    const result = await runCommandWithEnv([candidate, "version", "--format", "{{.Server.Version}}"], cwd, env);
+    const result = await runCommandWithEnv([candidate, "version", "--format", "{{.Server.Version}}"], cwd, env, DOCKER_VERSION_PROBE_TIMEOUT_MS);
     if (result.ok) {
       const version = result.stdout.trim();
       return {
@@ -3127,7 +3130,10 @@ async function cleanupLingeringPushPalsGitWorktrees(opts) {
     removed
   };
 }
-async function inspectDockerImageRuntimeTag(dockerExecutable, imageName, cwd, env) {
+function isMissingDockerImageDetail(detail) {
+  return /\b(no such object|no such image|not found)\b/i.test(String(detail ?? ""));
+}
+async function inspectDockerImageRuntimeTag(dockerExecutable, imageName, cwd, env, timeoutMs = WORKERPAL_IMAGE_INSPECT_TIMEOUT_MS) {
   const inspect = await runCommandWithEnv([
     dockerExecutable,
     "image",
@@ -3135,11 +3141,23 @@ async function inspectDockerImageRuntimeTag(dockerExecutable, imageName, cwd, en
     "--format",
     `{{ index .Config.Labels "${WORKERPAL_SANDBOX_RUNTIME_TAG_LABEL}" }}`,
     imageName
-  ], cwd, env);
-  if (!inspect.ok)
-    return "";
+  ], cwd, env, timeoutMs);
+  if (!inspect.ok) {
+    const detail = inspect.stderr || inspect.stdout || `exit ${inspect.exitCode}`;
+    if (isMissingDockerImageDetail(detail)) {
+      return { status: "missing", runtimeTag: "" };
+    }
+    return {
+      status: "failed",
+      runtimeTag: "",
+      detail: `failed to inspect local WorkerPal sandbox image ${imageName}: ${detail}`
+    };
+  }
   const value = inspect.stdout.trim();
-  return value === "<no value>" ? "" : value;
+  return {
+    status: "ok",
+    runtimeTag: value === "<no value>" ? "" : value
+  };
 }
 async function ensureWorkerpalDockerImageReady(opts) {
   const runtimeTag = String(opts.runtimeTag ?? "").trim();
@@ -3160,7 +3178,15 @@ async function ensureWorkerpalDockerImageReady(opts) {
   const dockerExecutable = resolveConfiguredDockerExecutable(opts.env, opts.platform ?? process.platform);
   const inspectImageRuntimeTagFn = opts.inspectImageRuntimeTagFn ?? inspectDockerImageRuntimeTag;
   const runCommandWithEnvFn = opts.runCommandWithEnvFn ?? runCommandWithEnv;
-  const existingRuntimeTag = await inspectImageRuntimeTagFn(dockerExecutable, opts.dockerImage, sandbox.root, opts.env);
+  console.log(`[pushpals] Checking WorkerPal sandbox image ${opts.dockerImage} for runtimeTag=${runtimeTag}...`);
+  const inspection = await inspectImageRuntimeTagFn(dockerExecutable, opts.dockerImage, sandbox.root, opts.env);
+  if (inspection.status === "failed") {
+    return {
+      ok: false,
+      detail: inspection.detail
+    };
+  }
+  const existingRuntimeTag = inspection.runtimeTag;
   if (existingRuntimeTag === runtimeTag) {
     return {
       ok: true,
@@ -3180,7 +3206,7 @@ async function ensureWorkerpalDockerImageReady(opts) {
     "-t",
     opts.dockerImage,
     "."
-  ], sandbox.root, opts.env);
+  ], sandbox.root, opts.env, WORKERPAL_IMAGE_BUILD_TIMEOUT_MS);
   if (!build.ok) {
     const detail = build.stderr || build.stdout || `docker build exited ${build.exitCode}`;
     return {

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@pushpalsdev/cli",
-  "version": "1.0.46",
+  "version": "1.0.48",
   "description": "PushPals terminal CLI for LocalBuddy -> RemoteBuddy orchestration",
   "license": "MIT",
   "repository": {

package/runtime/sandbox/apps/workerpals/src/backends/openai_codex/openai_codex_executor.py CHANGED Viewed

@@ -62,7 +62,6 @@ _CODEX_WORKAROUND_PATTERNS = (
     ),
     re.compile(r"\bwithout requiring\b.{0,120}\bcodex\b", re.IGNORECASE),
     re.compile(r"\bavoid(?:ing)?\b.{0,120}\bcodex\b.{0,120}\bcall", re.IGNORECASE),
-    re.compile(r"\b(fell back|fallback|worked around|workaround|bypass(?:ed)?|switched to)\b.{0,120}\bcodex\b", re.IGNORECASE),
 )
 _CODEX_WORKAROUND_NEGATION_HINTS = (
     "do not",
@@ -75,6 +74,15 @@ _CODEX_WORKAROUND_NEGATION_HINTS = (
     "explicit failure",
     "codex cli is required infrastructure",
 )
+_REJECTED_EXEC_COMMAND_PATTERN = re.compile(r"exec_command failed for `([^`]+)`", re.IGNORECASE)
+_DISALLOWED_SHELL_WRAPPER_PREFIXES = (
+    "/bin/bash -lc ",
+    "bash -lc ",
+    "sh -lc ",
+    "cmd /c ",
+    "powershell -command ",
+    "pwsh -command ",
+)
 _VALID_APPROVAL_POLICIES = {"untrusted", "on-failure", "on-request", "never"}
 _VALID_SANDBOX_POLICIES = {"read-only", "workspace-write", "danger-full-access"}
@@ -942,6 +950,37 @@ def _detect_codex_workaround_signal(*texts: str) -> Optional[str]:
     return None
+def _normalize_command_text(command: str) -> str:
+    return re.sub(r"\s+", " ", str(command or "")).strip()
+def _is_disallowed_shell_wrapper_command(command: str) -> bool:
+    normalized = _normalize_command_text(command).lower()
+    return any(normalized.startswith(prefix) for prefix in _DISALLOWED_SHELL_WRAPPER_PREFIXES)
+def _extract_rejected_exec_command(text: str) -> str:
+    match = _REJECTED_EXEC_COMMAND_PATTERN.search(str(text or ""))
+    if not match:
+        return ""
+    return _normalize_command_text(match.group(1))
+def _collect_disallowed_shell_wrapper_rejections(*texts: str) -> List[str]:
+    rejected: List[str] = []
+    seen: set[str] = set()
+    for text in texts:
+        command = _extract_rejected_exec_command(str(text or ""))
+        if not command or not _is_disallowed_shell_wrapper_command(command):
+            continue
+        lowered = command.lower()
+        if lowered in seen:
+            continue
+        seen.add(lowered)
+        rejected.append(command)
+    return rejected
 def _read_text_if_exists(path: Path) -> str:
     try:
         if not path.exists():
@@ -1166,6 +1205,7 @@ def _run_codex_task(
         stdout_trace_state = _empty_codex_trace()
         trace_lock = threading.Lock()
         last_activity_at = {"ts": started_at}
+        wrapper_rejection_state: Dict[str, Any] = {"count": 0, "commands": []}
         def _drain_stdout() -> None:
             stream = proc.stdout
@@ -1199,6 +1239,21 @@ def _run_codex_task(
                     if chunk == "":
                         break
                     stderr_chunks.append(chunk)
+                    rejected_commands = _collect_disallowed_shell_wrapper_rejections(chunk)
+                    if rejected_commands:
+                        with trace_lock:
+                            wrapper_rejection_state["count"] = to_int(
+                                wrapper_rejection_state.get("count"), 0
+                            ) + len(rejected_commands)
+                            tracked = wrapper_rejection_state.get("commands")
+                            if not isinstance(tracked, list):
+                                tracked = []
+                            for command in rejected_commands:
+                                lowered = command.lower()
+                                if any(str(item).lower() == lowered for item in tracked):
+                                    continue
+                                tracked.append(command)
+                            wrapper_rejection_state["commands"] = tracked[:6]
             except Exception:
                 pass
             finally:
@@ -1226,6 +1281,7 @@ def _run_codex_task(
         )
         next_progress_at = started_at + float(progress_interval_s)
         timed_out = False
+        command_policy_rejection_loop = False
         while proc.poll() is None:
             now = time.monotonic()
@@ -1234,6 +1290,13 @@ def _run_codex_task(
                 _terminate_active_child()
                 break
+            with trace_lock:
+                wrapper_rejections = to_int(wrapper_rejection_state.get("count"), 0)
+            if wrapper_rejections >= 3:
+                command_policy_rejection_loop = True
+                _terminate_active_child()
+                break
             if now >= next_progress_at:
                 elapsed = int(max(0.0, now - started_at))
                 with trace_lock:
@@ -1279,6 +1342,18 @@ def _run_codex_task(
             part for part in (stdout, stderr, trace_excerpt) if str(part or "").strip()
         )
         usage = _usage_from_trace_or_estimate(stdout_trace, prompt, usage_output_text, model=model)
+        rejected_shell_wrappers = _collect_disallowed_shell_wrapper_rejections(stdout, stderr)
+        with trace_lock:
+            tracked = wrapper_rejection_state.get("commands")
+            if isinstance(tracked, list):
+                for command in tracked:
+                    text = _normalize_command_text(str(command))
+                    if not text:
+                        continue
+                    lowered = text.lower()
+                    if any(entry.lower() == lowered for entry in rejected_shell_wrappers):
+                        continue
+                    rejected_shell_wrappers.append(text)
         if timed_out:
             detail = (
@@ -1300,6 +1375,30 @@ def _run_codex_task(
         last_message = _read_text_if_exists(last_message_path)
         log_git_status(repo, log)
+        if command_policy_rejection_loop:
+            command_lines = (
+                "\n".join(f"- {command}" for command in rejected_shell_wrappers[:6])
+                if rejected_shell_wrappers
+                else "- (no command details captured)"
+            )
+            detail = (
+                "Codex repeatedly attempted disallowed shell-wrapper commands that the command "
+                "router rejected. Switch to direct commands only and avoid wrapper retries.\n"
+                f"Rejected commands:\n{command_lines}"
+            )
+            if last_message:
+                detail = f"{detail}\nLast assistant message:\n{last_message}"
+            if trace_excerpt:
+                detail = f"{detail}\n{trace_excerpt}"
+            return {
+                "ok": False,
+                "summary": "openai_codex command policy rejection loop",
+                "stdout": _truncate(stdout),
+                "stderr": _truncate(detail),
+                "exitCode": 6,
+                "usage": usage,
+            }
         if _INTERRUPTED_SIGNAL is not None:
             return {
                 "ok": False,

package/runtime/sandbox/apps/workerpals/src/backends/openai_codex/test_openai_codex_runtime_config.py CHANGED Viewed

@@ -15,6 +15,7 @@ from openai_codex_executor import (
     OpenAICodexRuntimeConfig,
     _resolve_reasoning_effort,
     _build_instruction,
+    _collect_disallowed_shell_wrapper_rejections,
     _detect_codex_workaround_signal,
     _extract_usage_counts,
     _load_prompt_template,
@@ -163,6 +164,12 @@ class OpenAICodexRuntimeConfigTests(unittest.TestCase):
         )
         self.assertIsNone(signal)
+    def test_ignores_generic_workaround_language_without_unavailable_codex_context(self) -> None:
+        signal = _detect_codex_workaround_signal(
+            "This is a workaround case, so I am stopping here until the command router issue is fixed.",
+        )
+        self.assertIsNone(signal)
     def test_discovers_repo_root_for_prompt_loading(self) -> None:
         repo_root = _repo_root_for_prompt_loading()
         self.assertTrue((repo_root / "prompts").is_dir())
@@ -190,6 +197,14 @@ class OpenAICodexRuntimeConfigTests(unittest.TestCase):
             {"prompt_tokens": 120, "completion_tokens": 30, "total_tokens": 150},
         )
+    def test_collects_disallowed_shell_wrapper_rejections(self) -> None:
+        commands = _collect_disallowed_shell_wrapper_rejections(
+            "error=exec_command failed for `/bin/bash -lc pwd`: CreateProcess { message: \"Rejected\" }",
+            "error=exec_command failed for `sh -lc \"git diff\"`: Rejected",
+            "error=exec_command failed for `pwd`: Rejected",
+        )
+        self.assertEqual(commands, ["/bin/bash -lc pwd", 'sh -lc "git diff"'])
     def test_usage_falls_back_to_estimate_when_trace_has_no_usage(self) -> None:
         usage = _usage_from_trace_or_estimate({}, "abc" * 30, "done", model="gpt-5.4")
         self.assertTrue(usage["estimated"])