mirror of
https://github.com/alkimake/paperclip.git
synced 2026-06-14 10:00:38 +09:00
ad0bb57350
## Thinking Path > - Paperclip orchestrates AI agents for zero-human companies, including running adapter CLIs inside remote sandboxes > - The QA matrix in PAPA-316 spins up local-runtime adapters (claude/gemini/opencode) against both SSH and the new exe.dev sandbox provider, and "Test" exercises the same install + probe path the real runtime uses > - On exe.dev the QA matrix failed at three different points: SSH/sandbox secret refs would not resolve, gemini-local could not find npm, and opencode-local installed a binary that was not on the probe-shell PATH > - These are all environment-shape issues the runtime should handle, not regressions in any individual adapter, so they need to be fixed in the shared install/resolve layer before the matrix can pass > - This pull request wires the environment id through to secret-ref resolution, bootstraps npm from a portable Node tarball when the sandbox image lacks Node, and symlinks the opencode binary into a directory that non-login shells see > - The benefit is that the QA matrix passes end-to-end on exe.dev, and any future sandbox provider that ships without Node or relies on rc-file PATH wiring gets the same fixes for free ## What Changed - `server/src/services/environment-execution-target.ts`: pass the environment `id` into `resolveEnvironmentDriverConfigForRuntime` for both the sandbox and SSH branches, so `privateKeySecretRef` / sandbox-provider secret refs (e.g. exe.dev `apiKey`) can resolve against the secret store at runtime instead of throwing `Runtime secret resolution requires an environment id`. - `packages/adapter-utils/src/sandbox-install-command.ts`: extend `buildSandboxNpmInstallCommand` with an `ENSURE_NPM_PREAMBLE` that, when `npm` is missing, downloads a portable Node v22 tarball into `$HOME/.local` and sets `PAPERCLIP_NPM_BOOTSTRAPPED=1` so the install step skips sudo (sudo's `secure_path` would lose the freshly-installed `npm` in `$HOME/.local/bin`). Distro-packaged Node from apt-get is intentionally avoided because it tends to be too old to parse modern JS syntax used by `@google/gemini-cli`. - `packages/adapters/gemini-local/src/index.ts`: switch the hardcoded `npm install -g @google/gemini-cli` to `buildSandboxNpmInstallCommand`, so gemini-local picks up the same sudo-aware + npm-bootstrap behavior as the other local adapters. - `packages/adapters/opencode-local/src/index.ts`: append a step to the install command that symlinks `$HOME/.opencode/bin/opencode` into `$HOME/.local/bin`. The upstream installer only adds `~/.opencode/bin` to PATH via `~/.bashrc`, which non-login `sh -c` probe invocations do not source. - `packages/adapter-utils/src/sandbox-install-command.test.ts`: cover the new preamble plus the unchanged root/sudo/user-prefix branches. ## Verification - `cd packages/adapter-utils && npm test -- sandbox-install-command` (passes; new "bootstraps npm from a portable Node tarball when missing" case is included). - Manual: ran the in-app `Test` action against the QA matrix dev instance for `QA exe.dev Claude`, `QA exe.dev Gemini`, and `QA exe.dev OpenCode` — all three now report `status=pass` including the hello probe. `QA SSH Claude` also passes; without the environment-id fix, SSH resolution threw before the wrapper / install fixes could run. - Suggested reviewer check: re-run the matrix on a fresh exe.dev environment and confirm the install step no longer hits `npm: command not found` for gemini and the opencode probe no longer hits `opencode: command not found`. ## Risks - Low/medium. The npm bootstrap pins Node `v22.11.0` from `nodejs.org/dist`; if that URL becomes unreachable the install will fail with a clear `curl` error rather than corrupting state. The bootstrap path is only taken when `npm` is genuinely missing, so existing sandbox images that ship with Node are unaffected. - The opencode symlink uses `ln -sf` into `$HOME/.local/bin`, which is created with `mkdir -p`; idempotent on re-install. - The `id` change is a strict additive: callers previously got `undefined` and only the secret-ref code paths actually read it. No behavior change for environments without secret refs. ## Model Used - Claude (Anthropic), `claude-opus-4-7`, with extended thinking and tool use enabled. Iterated through the Paperclip QA matrix harness; no other model assisted. ## Checklist - [x] I have included a thinking path that traces from project context to this change - [x] I have specified the model used (with version and capability details) - [x] I have checked ROADMAP.md and confirmed this PR does not duplicate planned core work - [x] I have run tests locally and they pass - [x] I have added or updated tests where applicable - [ ] If this change affects the UI, I have included before/after screenshots (n/a — runtime/install path only) - [x] I have considered and documented any risks above - [x] I will address all Greptile and reviewer comments before requesting merge --------- Co-authored-by: Paperclip <noreply@paperclip.ing> |
||
|---|---|---|
| .. | ||
| recovery | ||
| access.ts | ||
| activity-log.ts | ||
| activity.ts | ||
| adapter-plugin-store.ts | ||
| agent-instructions.ts | ||
| agent-permissions.ts | ||
| agent-start-lock.ts | ||
| agents.ts | ||
| approvals.ts | ||
| assets.ts | ||
| board-auth.ts | ||
| budgets.ts | ||
| companies.ts | ||
| company-export-readme.ts | ||
| company-member-roles.ts | ||
| company-portability.ts | ||
| company-search-rate-limit.ts | ||
| company-search.ts | ||
| company-skills.ts | ||
| costs.ts | ||
| cron.ts | ||
| dashboard.ts | ||
| default-agent-instructions.ts | ||
| documents.ts | ||
| environment-config.ts | ||
| environment-execution-target.ts | ||
| environment-probe.ts | ||
| environment-run-orchestrator.ts | ||
| environment-runtime.ts | ||
| environments.ts | ||
| execution-workspace-policy.ts | ||
| execution-workspaces.ts | ||
| feedback-redaction.ts | ||
| feedback-share-client.ts | ||
| feedback.ts | ||
| finance.ts | ||
| github-fetch.ts | ||
| goals.ts | ||
| heartbeat-run-summary.ts | ||
| heartbeat-stop-metadata.test.ts | ||
| heartbeat-stop-metadata.ts | ||
| heartbeat.ts | ||
| hire-hook.ts | ||
| inbox-dismissals.ts | ||
| index.ts | ||
| instance-settings.ts | ||
| invite-grants.ts | ||
| issue-approvals.ts | ||
| issue-assignment-wakeup.ts | ||
| issue-continuation-summary.ts | ||
| issue-execution-policy.ts | ||
| issue-goal-fallback.ts | ||
| issue-liveness.ts | ||
| issue-references.ts | ||
| issue-thread-interactions.test.ts | ||
| issue-thread-interactions.ts | ||
| issue-tree-control.ts | ||
| issues.ts | ||
| json-schema-secret-refs.ts | ||
| live-events.ts | ||
| local-service-supervisor.ts | ||
| plugin-capability-validator.ts | ||
| plugin-config-validator.ts | ||
| plugin-database.ts | ||
| plugin-dev-watcher.ts | ||
| plugin-environment-driver.ts | ||
| plugin-event-bus.ts | ||
| plugin-host-service-cleanup.ts | ||
| plugin-host-services.ts | ||
| plugin-job-coordinator.ts | ||
| plugin-job-scheduler.ts | ||
| plugin-job-store.ts | ||
| plugin-lifecycle.ts | ||
| plugin-loader.ts | ||
| plugin-local-folders.ts | ||
| plugin-log-retention.ts | ||
| plugin-managed-agents.ts | ||
| plugin-managed-routines.ts | ||
| plugin-managed-skills.ts | ||
| plugin-manifest-validator.ts | ||
| plugin-registry.ts | ||
| plugin-runtime-sandbox.ts | ||
| plugin-secrets-handler.ts | ||
| plugin-state-store.ts | ||
| plugin-stream-bus.ts | ||
| plugin-tool-dispatcher.ts | ||
| plugin-tool-registry.ts | ||
| plugin-worker-manager.ts | ||
| productivity-review.ts | ||
| project-workspace-runtime-config.ts | ||
| projects.ts | ||
| quota-windows.ts | ||
| routines.ts | ||
| run-continuations.ts | ||
| run-liveness.ts | ||
| run-log-store.ts | ||
| sandbox-provider-runtime.ts | ||
| secrets.ts | ||
| sidebar-badges.ts | ||
| sidebar-preferences.ts | ||
| work-products.ts | ||
| workspace-operation-log-store.ts | ||
| workspace-operations.ts | ||
| workspace-realization.ts | ||
| workspace-runtime-read-model.ts | ||
| workspace-runtime.ts | ||