yaver-cli 1.99.28 → 1.99.30

package/hermesc/README.md

@@ -0,0 +1,29 @@
+# hermesc binaries for yaver-cli
+
+Hermes bytecode compiler binaries matched to `react-native@0.81.5`
+(Hermes BC version 96, the version baked into the Yaver container app).
+
+## How this directory is populated
+
+- `darwin-arm64/` and `darwin-x64/` ship with the tarball as a macOS
+  universal binary. They're small (~6 MB) and cover the vast majority
+  of `yaver-push` users.
+- Other platforms (`linux-x64`, `win32-x64`) are installed at
+  `npm install -g yaver-cli` time by `src/postinstall.js` → it extracts
+  the right binary from the `react-native` npm tarball.
+- `linux-arm64` has no upstream prebuilt. On first push, `bundler.js`
+  falls back to `getHermescPathAsync({ allowBuildFromSource: true })`,
+  which builds hermesc from the project's own
+  `node_modules/react-native/sdks/hermes/` sources via CMake. Takes
+  ~3–5 min, cached afterwards.
+
+## How bundler.js resolves the right one
+
+1. Platform-matched cache (this dir, per `<platform>-<arch>` key)
+2. `~/.yaver/hermesc/<key>/hermesc` (per-user mirror)
+3. Legacy flat layout (top-level `hermesc` or `hermesc.exe`)
+4. Project-local `node_modules/react-native/sdks/hermesc/...`
+
+Never commit binaries into platform subdirs other than the two
+macOS ones — the installer writes them at install time and
+committing them would make every `git pull` churn large files.

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "yaver-cli",
-  "version": "1.99.28",
+  "version": "1.99.30",
   "mcpName": "io.github.kivanccakmak/yaver",
   "description": "Unified npm bootstrap for the Yaver agent, SDK injection, and local-first developer runtime",
   "bin": {

package/src/bundler.js

@@ -2,31 +2,57 @@ const { execSync, execFileSync } = require('child_process');
 const fs = require('fs');
 const path = require('path');
 const os = require('os');
+const { findExistingHermesc, ensureHermesc } = require('./hermesc-runtime');
 
 function getHermescPath() {
   const key = `${os.platform()}-${os.arch()}`;
   const dir = path.join(__dirname, '..', 'hermesc');
   const ext = os.platform() === 'win32' ? 'hermesc.exe' : 'hermesc';
 
+  // 1. Cache populated by postinstall (or previous on-demand install).
+  //    Covers the common case without any network access at push time.
+  const cached = findExistingHermesc();
+  if (cached) return cached;
+
+  // 2. Legacy/redundant lookup: packages built before the platform-aware
+  //    install may have raw hermesc subdirs left over, and third-party
+  //    forks sometimes drop their own binaries into hermesc/ directly.
   const candidates = [
     path.join(dir, key, ext),
     path.join(dir, 'darwin-arm64', ext),
     path.join(dir, 'linux-x64', ext),
+    path.join(dir, ext),
   ];
-
   const found = candidates.find(p => fs.existsSync(p));
-  if (!found) {
-    // Fall back to project's hermesc (react-native ships one)
+  if (found) {
+    try { fs.chmodSync(found, 0o755); } catch {}
+    return found;
+  }
+
+  // 3. Project's own react-native installation (ships hermesc at
+  //    RN 0.81+). Covers `--ignore-scripts` installs and linux-arm64
+  //    where we don't have a prebuilt binary.
+  const rnHermesc = findRNHermesc();
+  if (rnHermesc) return rnHermesc;
+
+  throw new Error(
+    `hermesc not found for ${key}. Run \`npm rebuild yaver-cli\` to re-trigger the platform-aware installer, or ensure react-native is installed locally.`,
+  );
+}
+
+// Async variant that will provision hermesc on demand if the sync path
+// can't find one. Callers that can `await` (push command, etc.) should
+// prefer this so the first push works even when postinstall was skipped.
+async function getHermescPathAsync({ quiet = true, allowBuildFromSource = false } = {}) {
+  try {
+    return getHermescPath();
+  } catch (_err) {
+    const provisioned = await ensureHermesc({ quiet, allowBuildFromSource });
+    if (provisioned) return provisioned;
     const rnHermesc = findRNHermesc();
     if (rnHermesc) return rnHermesc;
-
-    throw new Error(
-      `hermesc not found for ${key}. Install yaver-cli hermesc binaries or ensure react-native is installed.`
-    );
+    throw _err;
   }
-
-  try { fs.chmodSync(found, 0o755); } catch {}
-  return found;
 }
 
 /** Find hermesc from the project's react-native installation */
@@ -84,7 +110,10 @@ async function bundle({ platform, entryFile, outputDir, dev = false, minify = tr
 }
 
 async function compileHermes({ inputPath, outputPath }) {
-  const hermesc = getHermescPath();
+  // Prefer the async resolver: if the cache is empty (install did
+  // --ignore-scripts, or this is linux-arm64 and we need a build-
+  // from-source) it'll provision one on demand instead of throwing.
+  const hermesc = await getHermescPathAsync({ quiet: false, allowBuildFromSource: true });
   const tmp = inputPath + '.tmp';
   fs.renameSync(inputPath, tmp);
 
@@ -112,4 +141,10 @@ function readBytecodeVersion(hbcPath) {
   return buf.readUInt32LE(8);
 }
 
-module.exports = { bundle, compileHermes, readBytecodeVersion, getHermescPath };
+module.exports = {
+  bundle,
+  compileHermes,
+  readBytecodeVersion,
+  getHermescPath,
+  getHermescPathAsync,
+};

package/src/hermesc-runtime.js

@@ -0,0 +1,330 @@
+// Platform-aware hermesc provisioner for yaver-cli.
+//
+// Runs from `postinstall` on global installs and on-demand from the
+// bundler. Avoids shipping a ~6 MB binary inside the tarball that's
+// only correct for one platform — instead we detect the host and
+// install a matching hermesc at install time.
+//
+// Lookup order (redundant by design; any one succeeding is enough):
+//   1. Cached install under node_modules/yaver-cli/hermesc/<key>/hermesc
+//   2. Per-user cache under ~/.yaver/hermesc/<key>/hermesc
+//   3. Download from the react-native npm tarball and extract just
+//      sdks/hermesc/<rn-dir>/hermesc for this platform
+//   4. Build from the project's node_modules/react-native hermes
+//      sources (handles linux-arm64 where no prebuilt exists)
+//   5. Fall through — bundler.js then resolves from project-local RN
+//
+// Must never block `npm install`. Every failure is logged + swallowed;
+// the CLI still installs fine, the bundler just takes the runtime
+// fallback path the next time someone actually tries to push a bundle.
+
+const fs = require("fs");
+const os = require("os");
+const path = require("path");
+const https = require("https");
+const { spawnSync } = require("child_process");
+
+const HERMES_RN_VERSION = process.env.YAVER_HERMES_RN_VERSION || "0.81.5";
+
+// Maps node's platform-arch to the subdirectory react-native ships its
+// prebuilt hermesc under in the npm tarball (sdks/hermesc/<dir>/hermesc).
+// react-native 0.81.x does NOT ship a prebuilt for linux-arm64 —
+// those machines build from source instead (see buildFromProject()).
+const RN_PREBUILT_DIR = {
+  "darwin-arm64": "osx-bin",
+  "darwin-x64": "osx-bin",
+  "linux-x64": "linux64-bin",
+  "win32-x64": "win64-bin",
+};
+
+function platformKey() {
+  return `${process.platform}-${process.arch}`;
+}
+
+function hermescBasename() {
+  return process.platform === "win32" ? "hermesc.exe" : "hermesc";
+}
+
+function cliInstallDir() {
+  return path.join(__dirname, "..", "hermesc", platformKey());
+}
+
+function cliInstallPath() {
+  return path.join(cliInstallDir(), hermescBasename());
+}
+
+function userCacheDir() {
+  return path.join(os.homedir(), ".yaver", "hermesc", platformKey());
+}
+
+function userCachePath() {
+  return path.join(userCacheDir(), hermescBasename());
+}
+
+function hermescBinaryRunnable(binaryPath) {
+  try {
+    const res = spawnSync(binaryPath, ["--version"], {
+      stdio: ["ignore", "pipe", "pipe"],
+      timeout: 5000,
+    });
+    if (res.status !== 0) return false;
+    const out = (res.stdout?.toString() || "") + (res.stderr?.toString() || "");
+    return /hermes/i.test(out) || /bytecode/i.test(out);
+  } catch (_err) {
+    return false;
+  }
+}
+
+function chmodExec(binaryPath) {
+  if (process.platform === "win32") return;
+  try {
+    fs.chmodSync(binaryPath, 0o755);
+  } catch (_err) {
+    /* ignore */
+  }
+}
+
+function log(message, { quiet }) {
+  if (quiet) return;
+  console.error(`[yaver hermesc] ${message}`);
+}
+
+async function downloadToFile(url, outPath, { maxRedirects = 5 } = {}) {
+  return new Promise((resolve, reject) => {
+    const fetch = (u, redirectsLeft) => {
+      const req = https.get(u, (res) => {
+        if (res.statusCode >= 300 && res.statusCode < 400 && res.headers.location) {
+          if (redirectsLeft <= 0) {
+            reject(new Error(`too many redirects for ${url}`));
+            return;
+          }
+          res.resume();
+          const next = new URL(res.headers.location, u).toString();
+          fetch(next, redirectsLeft - 1);
+          return;
+        }
+        if (res.statusCode !== 200) {
+          reject(new Error(`HTTP ${res.statusCode} for ${u}`));
+          res.resume();
+          return;
+        }
+        const out = fs.createWriteStream(outPath);
+        res.pipe(out);
+        out.on("finish", () => out.close(() => resolve()));
+        out.on("error", (err) => {
+          try {
+            fs.rmSync(outPath, { force: true });
+          } catch (_err) {
+            /* ignore */
+          }
+          reject(err);
+        });
+      });
+      req.on("error", reject);
+      req.setTimeout(60000, () => {
+        req.destroy(new Error(`download timed out: ${u}`));
+      });
+    };
+    fetch(url, maxRedirects);
+  });
+}
+
+async function downloadFromRNTarball(destPath, { quiet }) {
+  const rnDir = RN_PREBUILT_DIR[platformKey()];
+  if (!rnDir) {
+    throw new Error(`no react-native prebuilt for ${platformKey()}`);
+  }
+
+  // Redundant registries — npm.js primary, unpkg as fallback CDN.
+  const candidates = [
+    `https://registry.npmjs.org/react-native/-/react-native-${HERMES_RN_VERSION}.tgz`,
+    `https://unpkg.com/react-native@${HERMES_RN_VERSION}/react-native-${HERMES_RN_VERSION}.tgz`,
+  ];
+
+  const tmpRoot = fs.mkdtempSync(path.join(os.tmpdir(), "yaver-hermesc-"));
+  const tarball = path.join(tmpRoot, "rn.tgz");
+
+  let lastErr = null;
+  for (const url of candidates) {
+    try {
+      log(`fetching ${url}`, { quiet });
+      await downloadToFile(url, tarball);
+      lastErr = null;
+      break;
+    } catch (err) {
+      lastErr = err;
+      log(`download failed: ${err.message}`, { quiet });
+      try {
+        fs.rmSync(tarball, { force: true });
+      } catch (_) {
+        /* ignore */
+      }
+    }
+  }
+  if (lastErr) {
+    try {
+      fs.rmSync(tmpRoot, { recursive: true, force: true });
+    } catch (_) {
+      /* ignore */
+    }
+    throw lastErr;
+  }
+
+  const rel = `package/sdks/hermesc/${rnDir}/${hermescBasename()}`;
+  const res = spawnSync("tar", ["-xzf", tarball, "-C", tmpRoot, rel], {
+    stdio: ["ignore", "pipe", "pipe"],
+  });
+  if (res.status !== 0) {
+    const stderr = res.stderr?.toString() || "unknown tar failure";
+    try {
+      fs.rmSync(tmpRoot, { recursive: true, force: true });
+    } catch (_) {
+      /* ignore */
+    }
+    throw new Error(`tar extract failed: ${stderr}`);
+  }
+
+  const extracted = path.join(tmpRoot, rel);
+  if (!fs.existsSync(extracted)) {
+    try {
+      fs.rmSync(tmpRoot, { recursive: true, force: true });
+    } catch (_) {
+      /* ignore */
+    }
+    throw new Error(`extracted hermesc missing: ${extracted}`);
+  }
+
+  fs.mkdirSync(path.dirname(destPath), { recursive: true });
+  fs.copyFileSync(extracted, destPath);
+  chmodExec(destPath);
+
+  try {
+    fs.rmSync(tmpRoot, { recursive: true, force: true });
+  } catch (_) {
+    /* ignore */
+  }
+}
+
+// Build hermesc from the project's own node_modules/react-native
+// sources. Covers linux-arm64 and any other platform where we don't
+// have a prebuilt. Mirrors desktop/agent/hermesc_resolver.go's
+// buildProjectHermesc path.
+function buildFromProject(destPath, { quiet }) {
+  const projectRoots = [
+    process.cwd(),
+    path.join(process.cwd(), ".."),
+  ];
+  for (const root of projectRoots) {
+    const hermesSrc = path.join(
+      root,
+      "node_modules",
+      "react-native",
+      "sdks",
+      "hermes",
+    );
+    if (!fs.existsSync(path.join(hermesSrc, "CMakeLists.txt"))) continue;
+    try {
+      log(`building hermesc from ${hermesSrc} (one-time, ~3–5 min)…`, { quiet });
+      const buildDir = fs.mkdtempSync(path.join(os.tmpdir(), "hermes-build-"));
+      const cmake = spawnSync(
+        "cmake",
+        ["-S", hermesSrc, "-B", buildDir, "-DCMAKE_BUILD_TYPE=Release"],
+        { stdio: quiet ? "ignore" : "inherit" },
+      );
+      if (cmake.status !== 0) throw new Error(`cmake configure failed`);
+      const build = spawnSync(
+        "cmake",
+        ["--build", buildDir, "--target", "hermesc", "--config", "Release", "-j"],
+        { stdio: quiet ? "ignore" : "inherit" },
+      );
+      if (build.status !== 0) throw new Error(`cmake build failed`);
+      const built = path.join(buildDir, "bin", hermescBasename());
+      if (!fs.existsSync(built)) throw new Error(`hermesc missing after build: ${built}`);
+      fs.mkdirSync(path.dirname(destPath), { recursive: true });
+      fs.copyFileSync(built, destPath);
+      chmodExec(destPath);
+      try {
+        fs.rmSync(buildDir, { recursive: true, force: true });
+      } catch (_) {
+        /* ignore */
+      }
+      return true;
+    } catch (err) {
+      log(`build-from-source failed at ${hermesSrc}: ${err.message}`, { quiet });
+    }
+  }
+  return false;
+}
+
+function findExistingHermesc() {
+  const candidates = [cliInstallPath(), userCachePath()];
+  for (const p of candidates) {
+    if (fs.existsSync(p)) {
+      chmodExec(p);
+      if (hermescBinaryRunnable(p)) return p;
+    }
+  }
+  return null;
+}
+
+async function ensureHermesc({ quiet = false, allowBuildFromSource = false } = {}) {
+  const existing = findExistingHermesc();
+  if (existing) return existing;
+
+  const key = platformKey();
+
+  if (RN_PREBUILT_DIR[key]) {
+    // Prefer cli-local install so `yaver-push` works offline after the
+    // first install (user cache also works; we write to both so either
+    // path resolves).
+    const dest = cliInstallPath();
+    try {
+      await downloadFromRNTarball(dest, { quiet });
+      if (hermescBinaryRunnable(dest)) {
+        // Also mirror into ~/.yaver so a later `npm uninstall` + reinstall
+        // doesn't re-download. Redundancy is the point.
+        try {
+          fs.mkdirSync(userCacheDir(), { recursive: true });
+          fs.copyFileSync(dest, userCachePath());
+          chmodExec(userCachePath());
+        } catch (_) {
+          /* ignore mirror errors */
+        }
+        log(`installed at ${dest}`, { quiet });
+        return dest;
+      }
+      log(`downloaded binary at ${dest} did not run — discarding`, { quiet });
+      try {
+        fs.rmSync(dest, { force: true });
+      } catch (_) {
+        /* ignore */
+      }
+    } catch (err) {
+      log(`prebuilt download failed: ${err.message}`, { quiet });
+    }
+  } else {
+    log(`no prebuilt available for ${key} — will try build-from-source on demand`, { quiet });
+  }
+
+  if (allowBuildFromSource) {
+    const dest = cliInstallPath();
+    if (buildFromProject(dest, { quiet }) && hermescBinaryRunnable(dest)) {
+      log(`built hermesc from source at ${dest}`, { quiet });
+      return dest;
+    }
+  }
+
+  // Fall through — caller should rely on bundler.js's project-local RN
+  // fallback (node_modules/react-native/sdks/hermesc/...). Return null
+  // rather than throwing so postinstall never fails npm install.
+  return null;
+}
+
+module.exports = {
+  ensureHermesc,
+  findExistingHermesc,
+  cliInstallPath,
+  userCachePath,
+  platformKey,
+  hermescBasename,
+};

package/src/postinstall.js

@@ -7,6 +7,7 @@
 // Must NEVER fail npm install. This is best-effort bootstrap only.
 
 const { ensureAgentBinary, runAgentCommand } = require("./agent-runtime");
+const { ensureHermesc } = require("./hermesc-runtime");
 const { execSync } = require("child_process");
 const fs = require("fs");
 const os = require("os");
@@ -69,6 +70,71 @@ function installMissingCodingRunners() {
   }
 }
 
+function ensureLinuxRunnerSandboxPackages() {
+  try {
+    if (process.platform !== "linux") return;
+    if (typeof process.geteuid !== "function" || process.geteuid() !== 0) return;
+    const missing = [];
+    if (!commandExists("bwrap")) missing.push("bubblewrap");
+    if (!commandExists("newuidmap")) missing.push("uidmap");
+    if (missing.length === 0) return;
+    if (!commandExists("apt-get")) {
+      log(`Runner sandbox packages missing (${missing.join(", ")}) and no apt-get is available for auto-install.`);
+      return;
+    }
+    execSync("apt-get update -y", { stdio: ["ignore", "ignore", "ignore"] });
+    execSync(`DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends ${missing.join(" ")}`, {
+      stdio: "inherit",
+    });
+    log(`Installed Linux runner sandbox packages: ${missing.join(", ")}.`);
+  } catch (error) {
+    log(`Skipping Linux runner sandbox package bootstrap: ${error.message}`);
+  }
+}
+
+function ensureLinuxRunnerSandboxSupport() {
+  try {
+    if (process.platform !== "linux") return;
+    if (typeof process.geteuid !== "function" || process.geteuid() !== 0) return;
+    const confPath = "/etc/sysctl.d/99-yaver-runner-sandbox.conf";
+    let body = "kernel.unprivileged_userns_clone=1\nuser.max_user_namespaces=1048576\n";
+    if (fs.existsSync("/proc/sys/kernel/apparmor_restrict_unprivileged_userns")) {
+      body += "kernel.apparmor_restrict_unprivileged_userns=0\n";
+    }
+    fs.writeFileSync(confPath, body);
+    execSync("sysctl --system", { stdio: ["ignore", "ignore", "ignore"] });
+    log("Enabled Linux user-namespace prerequisites for Codex/runner sandboxes.");
+  } catch (error) {
+    log(`Skipping Linux runner sandbox bootstrap: ${error.message}`);
+  }
+}
+
+function reportLinuxRunnerSandboxStatus() {
+  try {
+    if (process.platform !== "linux") return;
+    const issues = [];
+    if (!commandExists("bwrap")) issues.push("bubblewrap");
+    if (!commandExists("newuidmap")) issues.push("uidmap");
+    try {
+      const userns = fs.readFileSync("/proc/sys/kernel/unprivileged_userns_clone", "utf8").trim();
+      if (userns === "0") issues.push("kernel.unprivileged_userns_clone=0");
+    } catch (_) {}
+    try {
+      const maxUserns = fs.readFileSync("/proc/sys/user/max_user_namespaces", "utf8").trim();
+      if (!maxUserns || maxUserns === "0") issues.push("user.max_user_namespaces=0");
+    } catch (_) {}
+    try {
+      const apparmor = fs.readFileSync("/proc/sys/kernel/apparmor_restrict_unprivileged_userns", "utf8").trim();
+      if (apparmor === "1") issues.push("kernel.apparmor_restrict_unprivileged_userns=1");
+    } catch (_) {}
+    if (issues.length > 0) {
+      log(`Linux runner sandbox still has blockers: ${issues.join(", ")}. Yaver will mark Codex blocked until the host allows it.`);
+    }
+  } catch (_) {
+    // Best-effort only.
+  }
+}
+
 function installMissingMobileTools() {
   const missing = MOBILE_TOOL_BOOTSTRAP.filter((entry) => !commandExists(entry.command));
   if (missing.length === 0) {
@@ -157,7 +223,26 @@ async function main() {
     return;
   }
 
+  // Platform-aware hermesc provisioning. Downloads the binary matching
+  // this host from the react-native npm tarball, caches it under the
+  // CLI install dir + ~/.yaver so `yaver-push` works offline after.
+  // Never blocks install — the bundler falls back to project-local RN
+  // if this step skipped or failed.
+  try {
+    const hermescPath = await ensureHermesc({ quiet: true });
+    if (hermescPath) {
+      log(`Hermes compiler ready at ${hermescPath}.`);
+    } else {
+      log(`Hermes compiler not pre-provisioned for ${process.platform}-${process.arch}; bundler will resolve project-local hermesc at push time.`);
+    }
+  } catch (error) {
+    log(`Skipping hermesc install: ${error.message}`);
+  }
+
   ensurePathOnUnix();
+  ensureLinuxRunnerSandboxPackages();
+  ensureLinuxRunnerSandboxSupport();
+  reportLinuxRunnerSandboxStatus();
 
   if (process.platform !== "linux" && process.platform !== "darwin") {
     return;