Worker: persistent per-user home + dotfiles materialization

- Each job/terminal now mounts a persistent per-user home (${workdir}/homes/ {username}) at /home/{username}; the thread checkout lives at ~/Code/{spoon}/{branch} so every thread shows up as a folder in one home and dotfiles/tools/nvim plugins persist across sessions - docker.ts helpers + git.ts cloneRepository take container home/cwd + dir name (backward-compatible defaults); codex/opencode/terminal use the per-user paths - new user-environment.ts: fetchUserEnvironment (worker-token Convex action) + materializeUserHome — ensures ~/.bash_profile, applies the editable overlay files, and (hashed/idempotent) clones the public dotfiles repo + runs the setup command inside the job image - stopWorkspace no longer deletes the home; only the container stops - Verified: codex runs a real turn under the new /home/{user} + ~/Code layout; overlay .bashrc loads in the interactive shell
2026-06-24 09:51:39 -04:00
parent 683fc62129
commit 4c0de2cbf3
5 changed files with 224 additions and 33 deletions
@@ -36,12 +36,16 @@ export const cloneRepository = async (args: {
  workBranch: string;
  redact: (value: string) => string;
  timeoutMs: number;
  // Directory name to clone into under `workdir` (default "repo"). Used to lay
  // out checkouts as ~/Code/{spoon}/{branch}.
  dirName?: string;
 }) => {
  await mkdir(args.workdir, { recursive: true });
  const dirName = args.dirName ?? 'repo';
  const repoUrl = `https://x-access-token:${args.token}@github.com/${args.owner}/${args.repo}.git`;
  const clone = await run(
    'git',
-    ['clone', '--branch', args.baseBranch, '--single-branch', repoUrl, 'repo'],
+    ['clone', '--branch', args.baseBranch, '--single-branch', repoUrl, dirName],
    {
      cwd: args.workdir,
      redact: args.redact,
@@ -51,7 +55,7 @@ export const cloneRepository = async (args: {
  if (clone.exitCode !== 0) {
    throw new Error(`git clone failed:\n${clone.output}`);
  }
-  const repoDir = path.join(args.workdir, 'repo');
+  const repoDir = path.join(args.workdir, dirName);
  const checkout = await run('git', ['checkout', '-b', args.workBranch], {
    cwd: repoDir,
    redact: args.redact,
@@ -80,18 +80,23 @@ export const containerVolumeSuffix = () =>
 export { hostWorkspacePath };
-export const jobWorkspaceVolumeSpec = (workdir: string) => {
+export const jobWorkspaceVolumeSpec = (
  workdir: string,
  containerHome = '/workspace',
 ) => {
  const volumeOptions =
    env.containerVolumeOptions ??
    (containerRuntime().endsWith('podman') ? 'Z' : undefined);
  const source = hostWorkspacePath(workdir);
  return volumeOptions
-    ? `${source}:/workspace:${volumeOptions}`
+    ? `${source}:${containerHome}:${volumeOptions}`
-    : `${source}:/workspace`;
+    : `${source}:${containerHome}`;
 };
 export const runInJobContainer = async (args: {
  workdir: string;
  containerHome?: string;
  containerCwd?: string;
  command: string[];
  environment: Record<string, string>;
  redact: (value: string) => string;
@@ -110,9 +115,9 @@ export const runInJobContainer = async (args: {
      ...networkArgs(),
      ...environmentArgs(args.environment),
      '-v',
-      jobWorkspaceVolumeSpec(args.workdir),
+      jobWorkspaceVolumeSpec(args.workdir, args.containerHome),
      '-w',
-      '/workspace/repo',
+      args.containerCwd ?? '/workspace/repo',
      env.jobImage,
      ...args.command,
    ],
@@ -128,6 +133,8 @@ export const runInJobContainer = async (args: {
 export const startWorkspaceContainer = async (args: {
  workdir: string;
  containerHome?: string;
  containerCwd?: string;
  containerName: string;
  environment: Record<string, string>;
  command?: string[];
@@ -154,9 +161,9 @@ export const startWorkspaceContainer = async (args: {
        : []),
      ...environmentArgs(args.environment),
      '-v',
-      jobWorkspaceVolumeSpec(args.workdir),
+      jobWorkspaceVolumeSpec(args.workdir, args.containerHome),
      '-w',
-      '/workspace/repo',
+      args.containerCwd ?? '/workspace/repo',
      env.jobImage,
      ...(args.command ?? ['sleep', 'infinity']),
    ],
@@ -220,6 +227,8 @@ export const execInWorkspaceContainer = async (args: {
 export const streamInJobContainer = async (args: {
  workdir: string;
  containerHome?: string;
  containerCwd?: string;
  command: string[];
  environment: Record<string, string>;
  redact: (value: string) => string;
@@ -240,9 +249,9 @@ export const streamInJobContainer = async (args: {
      ...networkArgs(),
      ...environmentArgs(args.environment),
      '-v',
-      jobWorkspaceVolumeSpec(args.workdir),
+      jobWorkspaceVolumeSpec(args.workdir, args.containerHome),
      '-w',
-      '/workspace/repo',
+      args.containerCwd ?? '/workspace/repo',
      env.jobImage,
      ...args.command,
    ],
@@ -11,7 +11,6 @@ import { getTerminalWorkspace } from './worker';
 const TERMINAL_IMAGE = env.terminalImage;
 const IDLE_STOP_MS = env.terminalIdleMs;
 const CONTAINER_WORKDIR = '/workspace/repo';
 const docker = new Docker();
@@ -21,7 +20,11 @@ const containerName = (jobId: string) =>
 type Session = { connections: number; idleTimer?: NodeJS.Timeout };
 const sessions = new Map<string, Session>();
-const ensureTerminalContainer = async (jobId: string, workdir: string) => {
+const ensureTerminalContainer = async (
  jobId: string,
  workdir: string,
  containerHome: string,
 ) => {
  const name = containerName(jobId);
  const container = docker.getContainer(name);
  const info = await container.inspect().catch(() => null);
@@ -35,11 +38,11 @@ const ensureTerminalContainer = async (jobId: string, workdir: string) => {
    name,
    Image: TERMINAL_IMAGE,
    Cmd: ['sleep', 'infinity'],
-    WorkingDir: CONTAINER_WORKDIR,
+    WorkingDir: containerHome,
    Tty: false,
    Labels: { 'spoon.agent.terminal': jobId },
    HostConfig: {
-      Binds: [`${source}:/workspace${suffix ? `:${suffix}` : ''}`],
+      Binds: [`${source}:${containerHome}${suffix ? `:${suffix}` : ''}`],
      NetworkMode: env.network,
      Memory: 4 * 1024 * 1024 * 1024,
      AutoRemove: false,
@@ -81,7 +84,11 @@ const bridge = async (ws: WebSocket, jobId: string) => {
  let stream: Duplex | undefined;
  let exec: Docker.Exec | undefined;
  try {
-    const container = await ensureTerminalContainer(jobId, workspace.workdir);
+    const container = await ensureTerminalContainer(
      jobId,
      workspace.workdir,
      workspace.containerHome,
    );
    exec = await container.exec({
      // Reattach a persistent tmux session across reconnects when tmux is
      // available; otherwise fall back to a plain login shell.
@@ -94,9 +101,10 @@ const bridge = async (ws: WebSocket, jobId: string) => {
      AttachStdout: true,
      AttachStderr: true,
      Tty: true,
-      WorkingDir: CONTAINER_WORKDIR,
+      WorkingDir: workspace.containerRepo,
      Env: [
        'TERM=xterm-256color',
        `HOME=${workspace.containerHome}`,
        ...workspace.secrets.map((s) => `${s.name}=${s.value}`),
      ],
    });
@@ -0,0 +1,119 @@
 import { createHash } from 'node:crypto';
 import { chmod, mkdir, readFile, writeFile } from 'node:fs/promises';
 import path from 'node:path';
 import { ConvexHttpClient } from 'convex/browser';
 import type { Id } from '@spoon/backend/convex/_generated/dataModel.js';
 import { api } from '@spoon/backend/convex/_generated/api.js';
 import { env } from './env';
 import { runInJobContainer } from './runtime/docker';
 const client = new ConvexHttpClient(env.convexUrl);
 export type UserEnvironment = {
  username: string;
  enabled: boolean;
  dotfilesRepoUrl?: string;
  dotfilesRepoRef?: string;
  setupCommand?: string;
  files: { path: string; content: string; isExecutable: boolean }[];
 };
 /** The job owner's resolved environment (username + dotfiles, decrypted). */
 export const fetchUserEnvironment = async (
  jobId: Id<'agentJobs'>,
 ): Promise<UserEnvironment | null> =>
  await client.action(api.userDotfilesNode.getEnvironmentForJob, {
    workerToken: env.workerToken,
    jobId,
  });
 const shellQuote = (value: string) => `'${value.replaceAll("'", "'\\''")}'`;
 // Keep a written path inside the home directory.
 const safeHomeJoin = (homeDir: string, relPath: string) => {
  const target = path.resolve(homeDir, relPath);
  const root = path.resolve(homeDir);
  if (target !== root && !target.startsWith(`${root}${path.sep}`)) {
    throw new Error(`Refusing to write dotfile outside home: ${relPath}`);
  }
  return target;
 };
 /**
 * Materializes the persistent per-user home: a `.bash_profile` so login shells
 * load `~/.bashrc`; (when configured and changed) a clone of the public dotfiles
 * repo + the setup command, run inside the job image so the user's tools/paths
 * apply; then the editable overlay files (which win over the repo). Idempotent
 * via a hash marker so the repo/setup only re-runs when the config changes.
 */
 export const materializeUserHome = async (args: {
  homeDir: string;
  containerHome: string;
  userEnv: UserEnvironment;
  redact: (value: string) => string;
 }): Promise<void> => {
  const { homeDir, containerHome, userEnv, redact } = args;
  await mkdir(homeDir, { recursive: true });
  // A mounted home has no /etc/skel, so ensure login shells source ~/.bashrc.
  const bashProfile = path.join(homeDir, '.bash_profile');
  await readFile(bashProfile, 'utf8').catch(async () => {
    await writeFile(
      bashProfile,
      '# Spoon: load ~/.bashrc for login shells.\n[ -f ~/.bashrc ] && . ~/.bashrc\n',
    );
  });
  if (!userEnv.enabled) return;
  // Public dotfiles repo + setup command, only re-run when the config changes.
  if (userEnv.dotfilesRepoUrl) {
    const configHash = createHash('sha256')
      .update(
        JSON.stringify({
          repo: userEnv.dotfilesRepoUrl,
          ref: userEnv.dotfilesRepoRef ?? '',
          setup: userEnv.setupCommand ?? '',
        }),
      )
      .digest('hex');
    const markerPath = path.join(homeDir, '.spoon', 'env-hash');
    const previous = await readFile(markerPath, 'utf8').catch(() => '');
    if (previous.trim() !== configHash) {
      const branch = userEnv.dotfilesRepoRef
        ? `--branch ${shellQuote(userEnv.dotfilesRepoRef)} `
        : '';
      const script = [
        'set -e',
        'rm -rf ~/.dotfiles',
        `git clone --depth 1 ${branch}${shellQuote(userEnv.dotfilesRepoUrl)} ~/.dotfiles`,
        userEnv.setupCommand
          ? `cd ~/.dotfiles && bash ${shellQuote(userEnv.setupCommand)}`
          : '',
      ]
        .filter(Boolean)
        .join('\n');
      await runInJobContainer({
        workdir: homeDir,
        containerHome,
        containerCwd: containerHome,
        command: ['bash', '-lc', script],
        environment: { HOME: containerHome },
        redact,
        timeoutMs: env.jobTimeoutMs,
      });
      await mkdir(path.dirname(markerPath), { recursive: true });
      await writeFile(markerPath, configHash);
    }
  }
  // Editable overlay tree (wins over the repo/setup output).
  for (const file of userEnv.files) {
    const target = safeHomeJoin(homeDir, file.path);
    await mkdir(path.dirname(target), { recursive: true });
    await writeFile(target, file.content);
    if (file.isExecutable) await chmod(target, 0o755);
  }
 };
@@ -17,11 +17,7 @@ import { api } from '@spoon/backend/convex/_generated/api.js';
 import type { NormalizedAgentEvent } from './agent-events';
 import type { OpenCodeSession } from './opencode-session';
 import { normalizeCodexJsonLine } from './agent-events';
-import {
+import { prepareCodexWorkspaceFiles } from './codex-runtime';
  codexContainerRepo,
  codexContainerWorkspace,
  prepareCodexWorkspaceFiles,
 } from './codex-runtime';
 import { env } from './env';
 import {
  cloneRepository,
@@ -45,6 +41,7 @@ import {
  stopWorkspaceContainer,
  streamInJobContainer,
 } from './runtime/docker';
 import { fetchUserEnvironment, materializeUserHome } from './user-environment';
 type Claim = {
  job: {
@@ -98,7 +95,14 @@ type Claim = {
 type ActiveWorkspace = {
  claim: Claim;
  // Host path of the persistent per-user home (mounted at `containerHome`).
  // Equal to `homeDir`; kept as `workdir` for the container mount source.
  workdir: string;
  homeDir: string;
  username: string;
  // In-container paths: HOME and the thread's checkout (~/Code/{spoon}/{branch}).
  containerHome: string;
  containerRepo: string;
  repoDir: string;
  githubToken: string;
  redact: (value: string) => string;
@@ -620,6 +624,8 @@ const ensureOpenCodeSession = async (workspace: ActiveWorkspace) => {
  );
  const container = await startWorkspaceContainer({
    workdir: workspace.workdir,
    containerHome: workspace.containerHome,
    containerCwd: workspace.containerRepo,
    containerName,
    environment: {
      ...aiEnv,
@@ -649,7 +655,7 @@ const ensureOpenCodeSession = async (workspace: ActiveWorkspace) => {
      const session = await createOpenCodeSession({
        baseUrl,
        password,
-        directory: '/workspace/repo',
+        directory: workspace.containerRepo,
        title: workspace.claim.job.prompt.slice(0, 80) || 'Spoon workspace',
        onEvent: async (event) => {
          const messageId = workspaceCurrentMessage.get(
@@ -721,7 +727,7 @@ const runCodexTurn = async (args: {
    outputFileName,
  );
  const outputFileContainerPath = path.posix.join(
-    codexContainerWorkspace,
+    workspace.containerHome,
    '.codex',
    outputFileName,
  );
@@ -747,15 +753,17 @@ const runCodexTurn = async (args: {
        '--output-last-message',
        outputFileContainerPath,
        '--cd',
-        codexContainerRepo,
+        workspace.containerRepo,
        prompt,
      ];
-  const aiEnv = providerEnvironment(workspace.claim, codexContainerWorkspace);
+  const aiEnv = providerEnvironment(workspace.claim, workspace.containerHome);
  const secretEnv = Object.fromEntries(
    workspace.claim.secrets.map((secret) => [secret.name, secret.value]),
  );
  const result = await streamInJobContainer({
    workdir: workspace.workdir,
    containerHome: workspace.containerHome,
    containerCwd: workspace.containerRepo,
    command,
    environment: {
      ...aiEnv,
@@ -866,7 +874,7 @@ const runOpenCodeTurn = async (args: {
    session,
    prompt,
    model: opencodeModel(workspace.claim),
-    directory: '/workspace/repo',
+    directory: workspace.containerRepo,
  });
  await turnDone;
 };
@@ -1268,9 +1276,15 @@ const ensureNoEnvFilesStaged = async (workspace: ActiveWorkspace) => {
  }
 };
 const slugify = (value: string) =>
  value
    .toLowerCase()
    .replace(/[^a-z0-9._-]+/g, '-')
    .replace(/^-+|-+$/g, '')
    .replace(/-{2,}/g, '-') || 'x';
 const runClaim = async (claim: Claim) => {
  const jobId = claim.job._id;
  const workdir = path.resolve(env.workdir, jobId);
  const secretValues = [
    claim.openai.apiKey ?? '',
    claim.aiProviderProfile?.secret ?? '',
@@ -1288,8 +1302,27 @@ const runClaim = async (claim: Claim) => {
      throw new Error('GitHub installation ID is missing.');
    }
    const githubToken = await getInstallationToken(claim.github.installationId);
    // Resolve the persistent per-user home and lay the checkout out as
    // ~/Code/{spoon}/{branch} inside it, so dotfiles/tools persist and every
    // thread shows up as a folder in one home.
    const userEnv = await fetchUserEnvironment(jobId);
    const username = userEnv?.username ?? 'user';
    const homeDir = path.resolve(env.workdir, 'homes', username);
    const containerHome = path.posix.join('/home', username);
    const spoonSlug = slugify(claim.spoon.name);
    const branchSlug = slugify(claim.job.workBranch);
    const checkoutParent = path.join(homeDir, 'Code', spoonSlug);
    const containerRepo = path.posix.join(
      containerHome,
      'Code',
      spoonSlug,
      branchSlug,
    );
    const repoDir = await cloneRepository({
-      workdir,
+      workdir: checkoutParent,
      dirName: branchSlug,
      token: githubToken,
      owner: claim.job.forkOwner,
      repo: claim.job.forkRepo,
@@ -1300,11 +1333,24 @@ const runClaim = async (claim: Claim) => {
    });
    const workspace: ActiveWorkspace = {
      claim,
-      workdir,
+      workdir: homeDir,
      homeDir,
      username,
      containerHome,
      containerRepo,
      repoDir,
      githubToken,
      redact,
    };
    if (userEnv) {
      await appendEvent(
        jobId,
        'info',
        'clone',
        'Applying your dotfiles and environment.',
      );
      await materializeUserHome({ homeDir, containerHome, userEnv, redact });
    }
    if (isCodexLoginProfile(claim)) {
      await prepareCodexAuth(workspace);
    }
@@ -1471,6 +1517,9 @@ export const getTerminalWorkspace = (jobId: string) => {
  if (!workspace) return null;
  return {
    workdir: workspace.workdir,
    containerHome: workspace.containerHome,
    containerRepo: workspace.containerRepo,
    username: workspace.username,
    secrets: workspace.claim.secrets,
  };
 };
@@ -1532,7 +1581,7 @@ export const replyToInteraction = async (
    session: workspace.opencodeSession,
    permissionId: args.externalRequestId,
    response: mapped,
-    directory: '/workspace/repo',
+    directory: workspace.containerRepo,
  });
  await patchInteractionRequest({
    interactionId: args.interactionId,
@@ -1781,7 +1830,8 @@ export const openWorkspacePullRequest = async (jobId: string) => {
    await stopWorkspaceContainer(workspace.containerName);
  }
  activeWorkspaces.delete(jobId);
-  await rm(workspace.workdir, { recursive: true, force: true });
+  // The persistent per-user home + ~/Code checkouts survive across sessions;
  // only the container is stopped.
  return {
    pullRequestUrl: pullRequest.html_url,
    pullRequestNumber: pullRequest.number,
@@ -1796,7 +1846,8 @@ export const stopWorkspace = async (jobId: string) => {
    await stopWorkspaceContainer(workspace.containerName);
  }
  activeWorkspaces.delete(jobId);
-  await rm(workspace.workdir, { recursive: true, force: true });
+  // The persistent per-user home + ~/Code checkouts survive across sessions;
  // only the container is stopped.
  return { success: true };
 };