From b0a0ff489166ce5b8e5af8f27ac349ba0bf3d0f8 Mon Sep 17 00:00:00 2001
From: Sam & Claude
Date: Sun, 21 Jun 2026 08:59:33 +0200
Subject: [PATCH] fix(bootstrap): set jail npm PATH via /etc/profile.d, drop per-user .profile hack
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Root cause of the recurring "pi/bw not found in jail" bug: the npm-global-on-PATH fix was solved canonically in the clawdie-iso image (/etc/profile.d/clawdie.sh, all login shells), but the agent jail is a separate environment that never reused it — a fresh Bastille jail doesn't inherit the image's profile.d, and the bootstrap set no PATH. PR #120 band-aided it with a hardcoded append to one user's ~/.profile (sh-only, drifts from NPM_PREFIX).

Replace that band-aid with the same mechanism the image uses, scoped to the jail:

- write one managed /etc/profile.d/clawdie-npm.sh derived from NPM_PREFIX
- source it from /etc/profile (covers all sh/bash login shells, system-wide), idempotently
- delete the per-user ~/.profile append from #120

Now the PATH content lives in a single file tied to NPM_PREFIX, so it can't miss shells or drift from the prefix.

Follow-up (not here): hoist the snippet into one shared file installed by both clawdie-iso and the jail bootstrap, so a future new environment can't re-grow this.

Verified: sh -n clean; smoke test — snippet expands NPM_PREFIX (keeps $PATH literal), /etc/profile sources it, append is idempotent, sourced shell resolves the npm-global bin onto PATH.

Co-Authored-By: Claude Opus 4.8
---
 packaging/freebsd/agent-jail-bootstrap.sh | 19 +++++++++++++++----
 1 file changed, 15 insertions(+), 4 deletions(-)

diff --git a/packaging/freebsd/agent-jail-bootstrap.sh b/packaging/freebsd/agent-jail-bootstrap.sh
index fc66f17..863ca8b 100755
--- a/packaging/freebsd/agent-jail-bootstrap.sh
+++ b/packaging/freebsd/agent-jail-bootstrap.sh
@@ -83,10 +83,21 @@ if [ ! -e "${NPM_PREFIX}/bin/pi" ]; then fi cp -a "${NPM_PREFIX}/bin/pi" "${JAIL_ROOT}${NPM_PREFIX}/bin/pi" -# Add npm-global bin to clawdie's PATH so pi/bw are found on login -if ! grep -q 'npm-global/bin' "${JAIL_ROOT}/home/clawdie/.profile" 2>/dev/null; then - echo 'PATH="/home/clawdie/.npm-global/bin:$PATH"' >> "${JAIL_ROOT}/home/clawdie/.profile" - echo 'export PATH' >> "${JAIL_ROOT}/home/clawdie/.profile" +# Put the npm-global bin on PATH for every login shell. Canonical mechanism +# (same shape as the clawdie-iso image): the PATH content lives in one managed +# /etc/profile.d snippet derived from NPM_PREFIX, and /etc/profile sources it — +# not a per-user, single-shell ~/.profile line that drifts from the prefix. +install -d -m 0755 "${JAIL_ROOT}/etc/profile.d" +cat > "${JAIL_ROOT}/etc/profile.d/clawdie-npm.sh" </dev/null; then + printf '\n[ -r /etc/profile.d/clawdie-npm.sh ] && . /etc/profile.d/clawdie-npm.sh\n' \ + >> "${JAIL_ROOT}/etc/profile" fi echo "Done — ${JAIL_NAME} ready for vault provision." -- 2.45.3
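Review bot: the snippet written to `${JAIL_ROOT}/etc/profile.d/clawdie-npm.sh` and sourced from `/etc/profile` puts `${NPM_PREFIX}/bin` on PATH for every sh login shell in the jail, root included, while the removed line shows that directory living in clawdie's home (`/home/clawdie/.npm-global/bin`) and being prepended (`PATH="/home/clawdie/.npm-global/bin:$PATH"`). The heredoc body is not visible in this copy of the hunk; if it keeps that prepend order, a root login shell would resolve commands from a directory clawdie can write to before the system directories. Consider appending the entry after `$PATH`, or only setting it when the login user is clawdie, and state the choice in the comment above `install -d`. Two smaller points on the same lines: the snippet is created with `cat >`, so its mode follows the bootstrap's umask while the directory gets an explicit `-m 0755`, and an explicit 0644 on the file would make that deterministic; and jails that were bootstrapped with the #120 code keep the hardcoded `~/.profile` lines, since nothing visible here removes them, so the drift from NPM_PREFIX the commit message describes can persist there until they are cleaned up.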