start-command 0.9.0 → 0.10.0

package/src/lib/isolation.js

@@ -131,6 +131,22 @@ function hasTTY() {
   return Boolean(process.stdin.isTTY && process.stdout.isTTY);
 }
 
+/**
+ * Wrap command with sudo -u if user option is specified
+ * @param {string} command - Original command
+ * @param {string|null} user - Username to run as (or null)
+ * @returns {string} Wrapped command
+ */
+function wrapCommandWithUser(command, user) {
+  if (!user) {
+    return command;
+  }
+  // Use sudo -u to run command as specified user
+  // -E preserves environment variables
+  // -n ensures non-interactive (fails if password required)
+  return `sudo -n -u ${user} sh -c '${command.replace(/'/g, "'\\''")}'`;
+}
+
 /**
  * Run command in GNU Screen using detached mode with log capture
  * This is a workaround for environments without TTY
@@ -142,9 +158,10 @@ function hasTTY() {
  * @param {string} command - Command to execute
  * @param {string} sessionName - Session name
  * @param {object} shellInfo - Shell info from getShell()
+ * @param {string|null} user - Username to run command as (optional)
  * @returns {Promise<{success: boolean, sessionName: string, message: string, output: string}>}
  */
-function runScreenWithLogCapture(command, sessionName, shellInfo) {
+function runScreenWithLogCapture(command, sessionName, shellInfo, user = null) {
   const { shell, shellArg } = shellInfo;
   const logFile = path.join(os.tmpdir(), `screen-output-${sessionName}.log`);
 
@@ -154,7 +171,8 @@ function runScreenWithLogCapture(command, sessionName, shellInfo) {
   return new Promise((resolve) => {
     try {
       let screenArgs;
-      let effectiveCommand = command;
+      // Wrap command with user switch if specified
+      let effectiveCommand = wrapCommandWithUser(command, user);
 
       if (useNativeLogging) {
         // Modern screen (>= 4.5.1): Use -L -Logfile option for native log capture
@@ -167,7 +185,7 @@ function runScreenWithLogCapture(command, sessionName, shellInfo) {
           logFile,
           shell,
           shellArg,
-          command,
+          effectiveCommand,
         ];
 
         if (DEBUG) {
@@ -179,7 +197,7 @@ function runScreenWithLogCapture(command, sessionName, shellInfo) {
         // Older screen (< 4.5.1, e.g., macOS bundled 4.0.3): Use tee fallback
         // Wrap the command to capture output using tee
         // The parentheses ensure proper grouping of the command and its stderr
-        effectiveCommand = `(${command}) 2>&1 | tee "${logFile}"`;
+        effectiveCommand = `(${effectiveCommand}) 2>&1 | tee "${logFile}"`;
         screenArgs = ['-dmS', sessionName, shell, shellArg, effectiveCommand];
 
         if (DEBUG) {
@@ -299,7 +317,7 @@ function runScreenWithLogCapture(command, sessionName, shellInfo) {
 /**
  * Run command in GNU Screen
  * @param {string} command - Command to execute
- * @param {object} options - Options (session, detached, keepAlive)
+ * @param {object} options - Options (session, detached, user, keepAlive)
  * @returns {Promise<{success: boolean, sessionName: string, message: string}>}
  */
 function runInScreen(command, options = {}) {
@@ -317,16 +335,17 @@ function runInScreen(command, options = {}) {
   const { shell, shellArg } = shellInfo;
 
   try {
+    // Wrap command with user switch if specified
+    let effectiveCommand = wrapCommandWithUser(command, options.user);
+
     if (options.detached) {
       // Detached mode: screen -dmS <session> <shell> -c '<command>'
       // By default (keepAlive=false), the session will exit after command completes
       // With keepAlive=true, we start a shell that runs the command but stays alive
-      let effectiveCommand = command;
 
       if (options.keepAlive) {
         // With keep-alive: run command, then keep shell open
-        // Use exec to replace the shell, but first run command
-        effectiveCommand = `${command}; exec ${shell}`;
+        effectiveCommand = `${effectiveCommand}; exec ${shell}`;
       }
       // Without keep-alive: command runs and session exits naturally when done
 
@@ -383,7 +402,12 @@ function runInScreen(command, options = {}) {
         );
       }
 
-      return runScreenWithLogCapture(command, sessionName, shellInfo);
+      return runScreenWithLogCapture(
+        command,
+        sessionName,
+        shellInfo,
+        options.user
+      );
     }
   } catch (err) {
     return Promise.resolve({
@@ -397,7 +421,7 @@ function runInScreen(command, options = {}) {
 /**
  * Run command in tmux
  * @param {string} command - Command to execute
- * @param {object} options - Options (session, detached, keepAlive)
+ * @param {object} options - Options (session, detached, user, keepAlive)
  * @returns {Promise<{success: boolean, sessionName: string, message: string}>}
  */
 function runInTmux(command, options = {}) {
@@ -414,16 +438,18 @@ function runInTmux(command, options = {}) {
   const shellInfo = getShell();
   const { shell } = shellInfo;
 
+  // Wrap command with user switch if specified
+  let effectiveCommand = wrapCommandWithUser(command, options.user);
+
   try {
     if (options.detached) {
       // Detached mode: tmux new-session -d -s <session> '<command>'
       // By default (keepAlive=false), the session will exit after command completes
       // With keepAlive=true, we keep the shell alive after the command
-      let effectiveCommand = command;
 
       if (options.keepAlive) {
         // With keep-alive: run command, then keep shell open
-        effectiveCommand = `${command}; exec ${shell}`;
+        effectiveCommand = `${effectiveCommand}; exec ${shell}`;
       }
       // Without keep-alive: command runs and session exits naturally when done
 
@@ -458,14 +484,14 @@ function runInTmux(command, options = {}) {
       // Attached mode: tmux new-session -s <session> '<command>'
       if (DEBUG) {
         console.log(
-          `[DEBUG] Running: tmux new-session -s "${sessionName}" "${command}"`
+          `[DEBUG] Running: tmux new-session -s "${sessionName}" "${effectiveCommand}"`
         );
       }
 
       return new Promise((resolve) => {
         const child = spawn(
           'tmux',
-          ['new-session', '-s', sessionName, command],
+          ['new-session', '-s', sessionName, effectiveCommand],
           {
             stdio: 'inherit',
           }
@@ -501,7 +527,7 @@ function runInTmux(command, options = {}) {
 /**
  * Run command in Docker container
  * @param {string} command - Command to execute
- * @param {object} options - Options (image, session/name, detached, keepAlive, autoRemoveDockerContainer)
+ * @param {object} options - Options (image, session/name, detached, user, keepAlive, autoRemoveDockerContainer)
  * @returns {Promise<{success: boolean, containerName: string, message: string}>}
  */
 function runInDocker(command, options = {}) {
@@ -526,7 +552,7 @@ function runInDocker(command, options = {}) {
 
   try {
     if (options.detached) {
-      // Detached mode: docker run -d --name <name> <image> <shell> -c '<command>'
+      // Detached mode: docker run -d --name <name> [--user <user>] <image> <shell> -c '<command>'
       // By default (keepAlive=false), the container exits after command completes
       // With keepAlive=true, we keep the container running with a shell
       let effectiveCommand = command;
@@ -537,16 +563,7 @@ function runInDocker(command, options = {}) {
       }
       // Without keep-alive: container exits naturally when command completes
 
-      const dockerArgs = [
-        'run',
-        '-d',
-        '--name',
-        containerName,
-        options.image,
-        '/bin/sh',
-        '-c',
-        effectiveCommand,
-      ];
+      const dockerArgs = ['run', '-d', '--name', containerName];
 
       // Add --rm flag if autoRemoveDockerContainer is true
       // Note: --rm must come before the image name
@@ -554,6 +571,13 @@ function runInDocker(command, options = {}) {
         dockerArgs.splice(2, 0, '--rm');
       }
 
+      // Add --user flag if specified
+      if (options.user) {
+        dockerArgs.push('--user', options.user);
+      }
+
+      dockerArgs.push(options.image, '/bin/sh', '-c', effectiveCommand);
+
       if (DEBUG) {
         console.log(`[DEBUG] Running: docker ${dockerArgs.join(' ')}`);
         console.log(`[DEBUG] keepAlive: ${options.keepAlive || false}`);
@@ -588,18 +612,15 @@ function runInDocker(command, options = {}) {
         message,
       });
     } else {
-      // Attached mode: docker run -it --name <name> <image> <shell> -c '<command>'
-      const dockerArgs = [
-        'run',
-        '-it',
-        '--rm',
-        '--name',
-        containerName,
-        options.image,
-        '/bin/sh',
-        '-c',
-        command,
-      ];
+      // Attached mode: docker run -it --name <name> [--user <user>] <image> <shell> -c '<command>'
+      const dockerArgs = ['run', '-it', '--rm', '--name', containerName];
+
+      // Add --user flag if specified
+      if (options.user) {
+        dockerArgs.push('--user', options.user);
+      }
+
+      dockerArgs.push(options.image, '/bin/sh', '-c', command);
 
       if (DEBUG) {
         console.log(`[DEBUG] Running: docker ${dockerArgs.join(' ')}`);
@@ -687,6 +708,7 @@ function generateLogFilename(environment) {
  * @param {string} params.mode - attached or detached
  * @param {string} params.sessionName - Session/container name
  * @param {string} [params.image] - Docker image (for docker environment)
+ * @param {string} [params.user] - User to run command as (optional)
  * @param {string} params.startTime - Start timestamp
  * @returns {string} Log header content
  */
@@ -700,6 +722,9 @@ function createLogHeader(params) {
   if (params.image) {
     content += `Image: ${params.image}\n`;
   }
+  if (params.user) {
+    content += `User: ${params.user}\n`;
+  }
   content += `Platform: ${process.platform}\n`;
   content += `Node Version: ${process.version}\n`;
   content += `Working Directory: ${process.cwd()}\n`;
@@ -763,6 +788,37 @@ function resetScreenVersionCache() {
   screenVersionChecked = false;
 }
 
+/**
+ * Run command as an isolated user (without isolation backend)
+ * Uses sudo -u to switch users
+ * @param {string} cmd - Command to execute
+ * @param {string} username - User to run as
+ * @returns {Promise<{success: boolean, message: string, exitCode: number}>}
+ */
+function runAsIsolatedUser(cmd, username) {
+  return new Promise((resolve) => {
+    const child = spawn('sudo', ['-n', '-u', username, 'sh', '-c', cmd], {
+      stdio: 'inherit',
+    });
+
+    child.on('exit', (code) => {
+      resolve({
+        success: code === 0,
+        message: `Command completed as user "${username}" with exit code ${code}`,
+        exitCode: code || 0,
+      });
+    });
+
+    child.on('error', (err) => {
+      resolve({
+        success: false,
+        message: `Failed to run as user "${username}": ${err.message}`,
+        exitCode: 1,
+      });
+    });
+  });
+}
+
 module.exports = {
   isCommandAvailable,
   hasTTY,
@@ -770,7 +826,8 @@ module.exports = {
   runInTmux,
   runInDocker,
   runIsolated,
-  // Export logging utilities for unified experience
+  runAsIsolatedUser,
+  wrapCommandWithUser,
   getTimestamp,
   generateLogFilename,
   createLogHeader,
@@ -778,7 +835,6 @@ module.exports = {
   writeLogFile,
   getLogDir,
   createLogPath,
-  // Export screen version utilities for testing and debugging
   getScreenVersion,
   supportsLogfileOption,
   resetScreenVersionCache,