start-command 0.7.6 → 0.10.0

package/src/bin/cli.js

@@ -15,12 +15,19 @@ const {
 } = require('../lib/args-parser');
 const {
   runIsolated,
+  runAsIsolatedUser,
   getTimestamp,
   createLogHeader,
   createLogFooter,
   writeLogFile,
   createLogPath,
 } = require('../lib/isolation');
+const {
+  createIsolatedUser,
+  deleteUser,
+  hasSudoAccess,
+  getCurrentUserGroups,
+} = require('../lib/user-manager');
 
 // Configuration from environment variables
 const config = {
@@ -211,31 +218,33 @@ function getToolVersion(toolName, versionFlag, verbose = false) {
   return firstLine || null;
 }
 
-/**
- * Print usage information
- */
+/** Print usage information */
 function printUsage() {
-  console.log('Usage: $ [options] [--] <command> [args...]');
-  console.log('       $ <command> [args...]');
-  console.log('');
-  console.log('Options:');
-  console.log(
-    '  --isolated, -i <environment>      Run in isolated environment (screen, tmux, docker)'
-  );
-  console.log('  --attached, -a            Run in attached mode (foreground)');
-  console.log('  --detached, -d            Run in detached mode (background)');
-  console.log('  --session, -s <name>      Session name for isolation');
-  console.log(
-    '  --image <image>           Docker image (required for docker isolation)'
-  );
-  console.log('  --version, -v             Show version information');
-  console.log('');
-  console.log('Examples:');
-  console.log('  $ echo "Hello World"');
-  console.log('  $ bun test');
-  console.log('  $ --isolated tmux -- bun start');
-  console.log('  $ -i screen -d bun start');
-  console.log('  $ --isolated docker --image oven/bun:latest -- bun install');
+  console.log(`Usage: $ [options] [--] <command> [args...]
+       $ <command> [args...]
+
+Options:
+  --isolated, -i <env>  Run in isolated environment (screen, tmux, docker)
+  --attached, -a        Run in attached mode (foreground)
+  --detached, -d        Run in detached mode (background)
+  --session, -s <name>  Session name for isolation
+  --image <image>       Docker image (required for docker isolation)
+  --isolated-user, -u [name]  Create isolated user with same permissions
+  --keep-user           Keep isolated user after command completes
+  --keep-alive, -k      Keep isolation environment alive after command exits
+  --auto-remove-docker-container  Auto-remove docker container after exit
+  --version, -v         Show version information
+
+Examples:
+  $ echo "Hello World"
+  $ bun test
+  $ --isolated tmux -- bun start
+  $ -i screen -d bun start
+  $ --isolated docker --image oven/bun:latest -- bun install
+  $ --isolated-user -- npm test            # Create isolated user
+  $ -u myuser -- npm start                 # Custom username
+  $ -i screen --isolated-user -- npm test  # Combine with process isolation
+  $ --isolated-user --keep-user -- npm start`);
   console.log('');
   console.log('Piping with $:');
   console.log('  echo "hi" | $ agent       # Preferred - pipe TO $ command');
@@ -305,8 +314,8 @@ if (!config.disableSubstitutions) {
 
 // Main execution
 (async () => {
-  // Check if running in isolation mode
-  if (hasIsolation(wrapperOptions)) {
+  // Check if running in isolation mode or with user isolation
+  if (hasIsolation(wrapperOptions) || wrapperOptions.user) {
     await runWithIsolation(wrapperOptions, command);
   } else {
     await runDirect(command);
@@ -324,43 +333,112 @@ async function runWithIsolation(options, cmd) {
   const startTime = getTimestamp();
 
   // Create log file path
-  const logFilePath = createLogPath(environment);
+  const logFilePath = createLogPath(environment || 'direct');
 
   // Get session name (will be generated by runIsolated if not provided)
   const sessionName =
     options.session ||
-    `${environment}-${Date.now()}-${Math.random().toString(36).substring(2, 8)}`;
+    `${environment || 'start'}-${Date.now()}-${Math.random().toString(36).substring(2, 8)}`;
+
+  // Handle --isolated-user option: create a new user with same permissions
+  let createdUser = null;
+
+  if (options.user) {
+    // Check for sudo access
+    if (!hasSudoAccess()) {
+      console.error(
+        'Error: --isolated-user requires sudo access without password.'
+      );
+      console.error(
+        'Configure NOPASSWD in sudoers or run with appropriate permissions.'
+      );
+      process.exit(1);
+    }
+
+    // Get current user groups to show what will be inherited
+    const currentGroups = getCurrentUserGroups();
+    const importantGroups = ['sudo', 'docker', 'wheel', 'admin'].filter((g) =>
+      currentGroups.includes(g)
+    );
+
+    console.log(`[User Isolation] Creating new user with same permissions...`);
+    if (importantGroups.length > 0) {
+      console.log(
+        `[User Isolation] Inheriting groups: ${importantGroups.join(', ')}`
+      );
+    }
+
+    // Create the isolated user
+    const userResult = createIsolatedUser(options.userName);
+    if (!userResult.success) {
+      console.error(
+        `Error: Failed to create isolated user: ${userResult.message}`
+      );
+      process.exit(1);
+    }
+
+    createdUser = userResult.username;
+    console.log(`[User Isolation] Created user: ${createdUser}`);
+    if (userResult.groups && userResult.groups.length > 0) {
+      console.log(
+        `[User Isolation] User groups: ${userResult.groups.join(', ')}`
+      );
+    }
+    if (options.keepUser) {
+      console.log(`[User Isolation] User will be kept after command completes`);
+    }
+    console.log('');
+  }
 
   // Print start message (unified format)
   console.log(`[${startTime}] Starting: ${cmd}`);
   console.log('');
 
   // Log isolation info
-  console.log(`[Isolation] Environment: ${environment}, Mode: ${mode}`);
+  if (environment) {
+    console.log(`[Isolation] Environment: ${environment}, Mode: ${mode}`);
+  }
   if (options.session) {
     console.log(`[Isolation] Session: ${options.session}`);
   }
   if (options.image) {
     console.log(`[Isolation] Image: ${options.image}`);
   }
+  if (createdUser) {
+    console.log(`[Isolation] User: ${createdUser} (isolated)`);
+  }
   console.log('');
 
   // Create log content
   let logContent = createLogHeader({
     command: cmd,
-    environment,
+    environment: environment || 'direct',
     mode,
     sessionName,
     image: options.image,
+    user: createdUser,
     startTime,
   });
 
-  // Run in isolation
-  const result = await runIsolated(environment, cmd, {
-    session: options.session,
-    image: options.image,
-    detached: mode === 'detached',
-  });
+  let result;
+
+  if (environment) {
+    // Run in isolation backend (screen, tmux, docker)
+    result = await runIsolated(environment, cmd, {
+      session: options.session,
+      image: options.image,
+      detached: mode === 'detached',
+      user: createdUser,
+      keepAlive: options.keepAlive,
+      autoRemoveDockerContainer: options.autoRemoveDockerContainer,
+    });
+  } else if (createdUser) {
+    // Run directly as the created user (no isolation backend)
+    result = await runAsIsolatedUser(cmd, createdUser);
+  } else {
+    // This shouldn't happen in isolation mode, but handle gracefully
+    result = { success: false, message: 'No isolation configuration provided' };
+  }
 
   // Get exit code
   const exitCode =
@@ -382,6 +460,23 @@ async function runWithIsolation(options, cmd) {
   console.log(`Exit code: ${exitCode}`);
   console.log(`Log saved: ${logFilePath}`);
 
+  // Cleanup: delete the created user if we created one (unless --keep-user)
+  if (createdUser && !options.keepUser) {
+    console.log('');
+    console.log(`[User Isolation] Cleaning up user: ${createdUser}`);
+    const deleteResult = deleteUser(createdUser, { removeHome: true });
+    if (deleteResult.success) {
+      console.log(`[User Isolation] User deleted successfully`);
+    } else {
+      console.log(`[User Isolation] Warning: ${deleteResult.message}`);
+    }
+  } else if (createdUser && options.keepUser) {
+    console.log('');
+    console.log(
+      `[User Isolation] Keeping user: ${createdUser} (use 'sudo userdel -r ${createdUser}' to delete)`
+    );
+  }
+
   process.exit(exitCode);
 }
 

package/src/lib/args-parser.js

@@ -6,11 +6,15 @@
  * 2. $ [wrapper-options] command [command-options]
  *
  * Wrapper Options:
- * --isolated, -i <backend>  Run in isolated environment (screen, tmux, docker)
- * --attached, -a            Run in attached mode (foreground)
- * --detached, -d            Run in detached mode (background)
- * --session, -s <name>      Session name for isolation
- * --image <image>           Docker image (required for docker isolation)
+ * --isolated, -i <backend>         Run in isolated environment (screen, tmux, docker)
+ * --attached, -a                   Run in attached mode (foreground)
+ * --detached, -d                   Run in detached mode (background)
+ * --session, -s <name>             Session name for isolation
+ * --image <image>                  Docker image (required for docker isolation)
+ * --isolated-user, -u [username]   Create isolated user with same permissions (auto-generated name if not specified)
+ * --keep-user                      Keep isolated user after command completes (don't delete)
+ * --keep-alive, -k                 Keep isolation environment alive after command exits
+ * --auto-remove-docker-container   Automatically remove docker container after exit (disabled by default)
  */
 
 // Debug mode from environment
@@ -34,6 +38,11 @@ function parseArgs(args) {
     detached: false, // Run in detached mode
     session: null, // Session name
     image: null, // Docker image
+    user: false, // Create isolated user
+    userName: null, // Optional custom username for isolated user
+    keepUser: false, // Keep isolated user after command completes (don't delete)
+    keepAlive: false, // Keep environment alive after command exits
+    autoRemoveDockerContainer: false, // Auto-remove docker container after exit
   };
 
   let commandArgs = [];
@@ -171,6 +180,47 @@ function parseOption(args, index, options) {
     return 1;
   }
 
+  // --isolated-user or -u [optional-username] - creates isolated user with same permissions
+  if (arg === '--isolated-user' || arg === '-u') {
+    options.user = true;
+    // Check if next arg is an optional username (not starting with -)
+    if (index + 1 < args.length && !args[index + 1].startsWith('-')) {
+      // Check if next arg looks like a username (not a command)
+      const nextArg = args[index + 1];
+      // If next arg matches username format, consume it
+      if (/^[a-zA-Z0-9_-]+$/.test(nextArg) && nextArg.length <= 32) {
+        options.userName = nextArg;
+        return 2;
+      }
+    }
+    return 1;
+  }
+
+  // --isolated-user=<value>
+  if (arg.startsWith('--isolated-user=')) {
+    options.user = true;
+    options.userName = arg.split('=')[1];
+    return 1;
+  }
+
+  // --keep-user - keep isolated user after command completes
+  if (arg === '--keep-user') {
+    options.keepUser = true;
+    return 1;
+  }
+
+  // --keep-alive or -k
+  if (arg === '--keep-alive' || arg === '-k') {
+    options.keepAlive = true;
+    return 1;
+  }
+
+  // --auto-remove-docker-container
+  if (arg === '--auto-remove-docker-container') {
+    options.autoRemoveDockerContainer = true;
+    return 1;
+  }
+
   // Not a recognized wrapper option
   return 0;
 }
@@ -213,6 +263,46 @@ function validateOptions(options) {
   if (options.image && options.isolated !== 'docker') {
     throw new Error('--image option is only valid with --isolated docker');
   }
+
+  // Keep-alive is only valid with isolation
+  if (options.keepAlive && !options.isolated) {
+    throw new Error('--keep-alive option is only valid with --isolated');
+  }
+
+  // Auto-remove-docker-container is only valid with docker isolation
+  if (options.autoRemoveDockerContainer && options.isolated !== 'docker') {
+    throw new Error(
+      '--auto-remove-docker-container option is only valid with --isolated docker'
+    );
+  }
+
+  // User isolation validation
+  if (options.user) {
+    // User isolation is not supported with Docker (Docker has its own user mechanism)
+    if (options.isolated === 'docker') {
+      throw new Error(
+        '--isolated-user is not supported with Docker isolation. Docker uses its own user namespace for isolation.'
+      );
+    }
+    // Validate custom username if provided
+    if (options.userName) {
+      if (!/^[a-zA-Z0-9_-]+$/.test(options.userName)) {
+        throw new Error(
+          `Invalid username format for --isolated-user: "${options.userName}". Username should contain only letters, numbers, hyphens, and underscores.`
+        );
+      }
+      if (options.userName.length > 32) {
+        throw new Error(
+          `Username too long for --isolated-user: "${options.userName}". Maximum length is 32 characters.`
+        );
+      }
+    }
+  }
+
+  // Keep-user validation
+  if (options.keepUser && !options.user) {
+    throw new Error('--keep-user option is only valid with --isolated-user');
+  }
 }
 
 /**