fix(spawner): stage jail spawn files under daemon-owned home, not /var/run #136

Merged

clawdie merged 1 commit from stage-under-daemon-home into main

2026-06-21 17:38:05 +02:00

Author	SHA1	Message	Date
Sam & Claude	a7565c49ad	fix(spawner): stage jail spawn files under daemon-owned home, not /var/run Some checks failed CI / markdown (pull_request) Has been cancelled Details CI / port (pull_request) Has been cancelled Details CI / agent-jail-pkgs (pull_request) Has been cancelled Details CI / rust (pull_request) Has been cancelled Details Closes #135. The daemon stages per-spawn launch.sh/env.sh under the jail root; the previous location /var/run/colibri-stage is root-owned, so the daemon (running as clawdie) could not create per-spawn subdirs there — the second jail-spawn EACCES, worked around in #134 by pre-creating the dir in agent-jail-bootstrap.sh. Move the default staging root to the daemon user's home, /home/clawdie/.cache/colibri/stage, which clawdie owns by construction of the jail account. create_dir_all now succeeds with no privileged pre-creation step, and /home is persistent (unlike a tmpfs /var/run). The path is overridable via COLIBRI_JAIL_STAGE_DIR, matching the daemon's other env-configurable paths. - spawner.rs: const → staged_jail_run_dir() resolver; updated unit test. - agent-jail-bootstrap.sh: drop the now-unnecessary install -d staging block and DAEMON_USER var (the #134 workaround). - docs: update jailed-spawn design + truss analysis to the new location. clippy clean; spawner suite green (21 tests); sh -n clean; touched docs pass the markdown gate. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>	2026-06-21 17:37:32 +02:00

Author

SHA1

Message

Date

Sam & Claude

a7565c49ad

fix(spawner): stage jail spawn files under daemon-owned home, not /var/run

CI / markdown (pull_request) Has been cancelled

Details

CI / port (pull_request) Has been cancelled

Details

CI / agent-jail-pkgs (pull_request) Has been cancelled

Details

CI / rust (pull_request) Has been cancelled

Details

Closes #135. The daemon stages per-spawn launch.sh/env.sh under the jail root;
the previous location /var/run/colibri-stage is root-owned, so the daemon
(running as clawdie) could not create per-spawn subdirs there — the second
jail-spawn EACCES, worked around in #134 by pre-creating the dir in
agent-jail-bootstrap.sh.

Move the default staging root to the daemon user's home,
/home/clawdie/.cache/colibri/stage, which clawdie owns by construction of the
jail account. create_dir_all now succeeds with no privileged pre-creation step,
and /home is persistent (unlike a tmpfs /var/run). The path is overridable via
COLIBRI_JAIL_STAGE_DIR, matching the daemon's other env-configurable paths.

- spawner.rs: const → staged_jail_run_dir() resolver; updated unit test.
- agent-jail-bootstrap.sh: drop the now-unnecessary install -d staging block
  and DAEMON_USER var (the #134 workaround).
- docs: update jailed-spawn design + truss analysis to the new location.

clippy clean; spawner suite green (21 tests); sh -n clean; touched docs pass
the markdown gate.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

2026-06-21 17:37:32 +02:00