typeclaw 0.36.0 → 0.36.1

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "typeclaw",
-  "version": "0.36.0",
+  "version": "0.36.1",
   "homepage": "https://github.com/typeclaw/typeclaw#readme",
   "bugs": {
     "url": "https://github.com/typeclaw/typeclaw/issues"

package/src/agent/plugin-tools.ts

@@ -38,6 +38,7 @@ import type {
 import {
   buildSandboxedCommand,
   canMountRealProc,
+  commandNeedsRealProc,
   DEFAULT_SANDBOX_ENV,
   ensureBwrapAvailable,
   ensureSessionTmpDir,
@@ -51,6 +52,7 @@ import {
   resolveProtectedZones,
   resolveSandboxSymlinks,
   resolveWritableZones,
+  SandboxDegradedProcError,
   type SandboxProcStrategy,
   subtractMasked,
 } from '@/sandbox'
@@ -643,6 +645,15 @@ async function applyBashSandbox(
   // it would never reach the sandboxed process (the non-sandboxed spawnHook
   // path does not run when the command is rewritten to a bwrap invocation).
   const proc = await resolveProcStrategy()
+  // Fail fast with an actionable error when /proc degraded to tmpfs AND the
+  // command needs a real /proc: under tmpfs Bun would otherwise abort deep in its
+  // pipeline with the opaque "NotDir", which the model retries forever. The
+  // SandboxDegradedProcError message tells it this is an environment limit, not
+  // the command's fault. Guarded on the command so non-bun bash still runs in the
+  // degraded mode (it does not touch /proc/self/{fd,maps}).
+  if (proc === 'tmpfs' && commandNeedsRealProc(command)) {
+    throw new SandboxDegradedProcError()
+  }
   const { commandString } = buildSandboxedCommand(command, {
     mounts: [
       { type: 'ro-bind', source: agentDir, dest: agentDir },

package/src/sandbox/availability.ts

@@ -209,12 +209,16 @@ export function canBindProcSafely(options?: { bwrapPath?: string }): Promise<boo
 }
 
 // Default backoff between proc-bind safety re-probes, in ms. Array length = retry
-// count (2 retries after the initial attempt = 3 probes total). The probe is
+// count (4 retries after the initial attempt = 5 probes total). The probe is
 // normally sub-ms; it only returns 'inconclusive' under transient CPU/IO
 // contention (e.g. a boot-time storm of concurrent LLM calls saturating the box
-// and tripping the probe's own timeout), so a short staggered wait lets the spike
-// pass before re-proving.
-export const PROC_BIND_RETRY_BACKOFF_MS = [250, 1_000] as const
+// and tripping the probe's own timeout), so a staggered wait lets the spike pass
+// before re-proving. Widened from [250,1000] after a deployed container degraded
+// to tmpfs (breaking `bun install`) when a boot-time load spike outlasted the old
+// two-retry budget; the longer tail rides out a sustained spike before failing
+// closed. 'unsafe' still short-circuits with no retry, so this never weakens the
+// leak-block guarantee — it only buys more chances to PROVE it.
+export const PROC_BIND_RETRY_BACKOFF_MS = [250, 1_000, 2_000, 4_000] as const
 
 // proc-bind selection must distinguish "definitely unavailable" from "couldn't
 // verify right now". A DEFINITIVE verdict is final: 'safe'→true; a real userns
@@ -375,9 +379,13 @@ async function probeProcBind(bwrap: string): Promise<ProcBindProbe> {
 }
 
 // Cap on the in-sandbox bwrap probe so a wedged runtime cannot stall the first
-// low-trust bash call. The probe normally completes in a few ms; this is a
-// generous ceiling, not a tuning knob.
-const PROC_BIND_PROBE_TIMEOUT_MS = 5_000
+// low-trust bash call. The probe normally completes in a few ms. Raised from 5s
+// because a deployed container fell to the tmpfs degraded mode (which breaks
+// `bun install` with Bun's opaque NotDir) when this timeout fired under a
+// boot-time storm of concurrent LLM/tool calls — a transient 'inconclusive' that
+// proves nothing about the host. A wider ceiling lets the real probe finish on a
+// briefly-saturated box; a genuinely wedged runtime still trips it and degrades.
+const PROC_BIND_PROBE_TIMEOUT_MS = 12_000
 
 // Designated probe-script exit codes. ONLY these two are a cacheable verdict;
 // every other code (a setup failure, bwrap startup failure, a signal, 127, …) is

package/src/sandbox/errors.ts

@@ -18,3 +18,26 @@ export class SandboxPolicyError extends Error {
     super(`sandbox policy rejected command: ${reason}`)
   }
 }
+
+// Raised when the /proc strategy degraded to the empty `tmpfs` fallback AND the
+// command needs a real /proc (a bun install / bunx / bun run that reads the
+// kernel-backed /proc/self/{fd,maps}). Without this pre-check Bun aborts deep in
+// its install pipeline with the opaque "NotDir" (ENOTDIR) error, which the model
+// misreads as a bad package or a transient hiccup and retries forever. Surfacing
+// it here, before the command runs, turns the failure into one the operator (or
+// the model) can act on: it is an environment/runtime limitation, not the
+// command's fault, so retrying the same command on the same container is futile.
+export class SandboxDegradedProcError extends Error {
+  override readonly name = 'SandboxDegradedProcError'
+  constructor() {
+    super(
+      'sandbox /proc is in degraded tmpfs mode, so bun package commands ' +
+        '(bun install / bun add / bunx / bun run) cannot run: Bun needs a real ' +
+        '/proc/self/fd, which this strategy cannot provide, and would otherwise ' +
+        'fail with an opaque "NotDir" error. This is a container/runtime limitation ' +
+        '(no usable user namespaces for the cap-free proc-bind strategy), not a ' +
+        'problem with the command or the package. Retrying the same command will ' +
+        'not help; report it as a sandbox/environment issue.',
+    )
+  }
+}

package/src/sandbox/index.ts

@@ -24,10 +24,10 @@ export {
   type WritableZones,
 } from './writable-zones'
 export { resolveSandboxSymlinks, type SandboxSymlinkSpec } from './symlinks'
-export { isPackageInstallCommand } from './package-install'
+export { commandNeedsRealProc, isPackageInstallCommand } from './package-install'
 export { ensureSessionTmpDir, isUnderTmp, mapVirtualTmpPath, SESSION_TMP_ROOT, sessionTmpDir } from './session-tmp'
 export { formatCommand, shellQuote } from './quote'
-export { SandboxPolicyError, SandboxUnavailableError } from './errors'
+export { SandboxDegradedProcError, SandboxPolicyError, SandboxUnavailableError } from './errors'
 export {
   DEFAULT_SANDBOX_ENV,
   type SandboxCommandFilter,

package/src/sandbox/package-install.ts

@@ -21,3 +21,38 @@ export function isPackageInstallCommand(command: string): boolean {
 
   return !words.some((word) => GLOBAL_FLAG.test(word))
 }
+
+// The bun subcommands whose work (or whose spawned child) reads the kernel-backed
+// /proc/self/{fd,maps} magic symlinks: package installs (add/install/i), the
+// package runners (x/create), and `run` (which can exec a package bin). Under the
+// degraded `tmpfs` /proc strategy those reads return ENOTDIR and Bun aborts with
+// its opaque "NotDir". `bunx` is the bare-binary alias for `bun x`.
+const REAL_PROC_BUN_SUBCOMMANDS = new Set(['add', 'install', 'i', 'x', 'create', 'run'])
+
+// Splits a command line at the shell operators that begin a NEW simple command —
+// `&&`, `||`, `;`, `|`, `|&`, `&`, newline — and the subshell opener `(`. A bun
+// invocation after a prelude (`cd app && bun install`, `mkdir a; cd a; bunx foo`)
+// starts a fresh segment, so checking each segment's head catches it where a
+// whole-string `words[0]` check would not. Coarse on purpose: it over-splits
+// inside quotes/`$()`, but this only feeds the DIAGNOSTIC below, never a privilege
+// decision, so a spurious extra segment can only make the error message MORE
+// likely, never widen the sandbox.
+const SHELL_COMMAND_SEPARATOR = /(?:&&|\|\||[;|&\n()])+/
+
+// Whether a command will exercise the real /proc, so a caller can turn the
+// degraded-mode `tmpfs` fallback into an actionable diagnostic instead of letting
+// Bun surface its opaque "NotDir". UNLIKE isPackageInstallCommand this is a
+// DIAGNOSTIC heuristic, not a privilege gate — it deliberately fires through shell
+// metacharacters and chained preludes (a `cd app && bunx foo` still runs bunx) and
+// never widens the sandbox surface, so erring toward catching more only improves
+// the error message.
+export function commandNeedsRealProc(command: string): boolean {
+  return command.split(SHELL_COMMAND_SEPARATOR).some((segment) => segmentInvokesRealProcBun(segment.trim()))
+}
+
+function segmentInvokesRealProcBun(segment: string): boolean {
+  if (segment === 'bunx' || segment.startsWith('bunx ')) return true
+  const words = segment.split(/\s+/)
+  if (words[0] !== 'bun') return false
+  return words[1] !== undefined && REAL_PROC_BUN_SUBCOMMANDS.has(words[1])
+}