Skip to content

fix(runtime): enforce package manager capabilities#48

Open
AsperforMias wants to merge 3 commits into
langgenius:mainfrom
AsperforMias:fix/environment-package-manager-runtime
Open

fix(runtime): enforce package manager capabilities#48
AsperforMias wants to merge 3 commits into
langgenius:mainfrom
AsperforMias:fix/environment-package-manager-runtime

Conversation

@AsperforMias

@AsperforMias AsperforMias commented Jul 16, 2026

Copy link
Copy Markdown

Summary

  • Add a versioned Driver image capability manifest declaring npm and pip as the package managers guaranteed by the maintained runtime image.
  • Pin the Cloudflare Sandbox base image by digest and verify during image construction that Node.js, npm, Python, and pip are executable and report valid versions.
  • Verify that python/python3 and pip/python -m pip resolve coherently without duplicating base-image or Ubuntu package versions in Docker arguments.
  • Use one image-owned checker for build verification and CI smoke coverage. Malformed, duplicate, missing-binary, or unimplemented manager declarations fail closed.
  • Exercise npm and pip with the same isolated-prefix layout used by Mosoo's reusable package artifacts from #345.
  • Keep the change based on current Driver main, including feat(runtime): inject artifact paths into child process env #49 runtime path projection and fix(acp): fail empty completed turns #50 ACP behavior.

Why

  • bug(environment): advertised package managers are missing from the Driver runtime mosoo#337 requires the product's writable manager set to match capabilities guaranteed by the selected Driver image. Without an image-owned contract, a base-image change can turn a valid Environment into a user-Run failure.
  • Exact EXPECTED_* values would duplicate versions produced by the pinned base image and mutable Ubuntu repositories. The maintained boundary is executable availability, valid version reporting, coherent aliases, and a real pinned-package smoke test.
  • Mosoo #345 prepares npm/pip dependencies as reusable Sandbox Backups, and Driver feat(runtime): inject artifact paths into child process env #49 projects restored artifact paths into child processes. This PR supplies the missing image capability and fail-fast verification layer.
  • The dependent product-side PR is langgenius/mosoo#340. This PR does not close the Mosoo issue by itself. Merge this PR first; #340 must then point its Driver submodule at the resulting upstream commit.

Verification

  • Commands:
    • bun run lint, bun run tc, and bun run build: passed.
    • bun run test: 205 passed and 4 credential-backed live tests skipped.
    • Driver artifact contract suite: 6 passed.
    • Driver feat(runtime): inject artifact paths into child process env #49 child-process environment regression suites: 17 passed across the path projection and provider launch paths.
    • Parent Mosoo just check: passed formatting, docs links, lint, typecheck, all workspace tests, and GraphQL freshness; API reported 1022 tests across 172 files.
    • Mosoo #345 artifact/build/restore regression suites: 44 passed.
    • Current amd64 Docker image build: passed; build output verified Node/npm and Python/pip availability and coherent aliases.
    • bun run docker:smoke:environment: installed and executed prettier@3.3.3 and six==1.16.0 from temporary isolated prefixes.
    • Missing-npm injection failed closed with npm failed: spawnSync npm ENOENT.
    • Malformed npm version injection failed closed with npm returned an invalid version: not-a-version.
    • Unknown-manager manifest injection failed closed with Environment package manager has no verify check: cargo.
  • Manual steps:
    • Built the Driver Dockerfile through local Wrangler using the real @cloudflare/sandbox Durable Object path.
    • Built pinned npm/pip artifacts in one Sandbox, persisted them through a local R2-backed Sandbox Backup, destroyed it, restored into a second Sandbox, and applied Driver feat(runtime): inject artifact paths into child process env #49's child-process environment projection.
    • Executed the restored Prettier CLI, Node package lookup, and Python import; output was 3.3.3, 3.3.3, and 1.16.0.
  • Not run:
    • Remote Cloudflare production deployment or account-backed platform integration tests.

Source logic, the #337 reproduction path, and the local Worker/Sandbox/R2/Driver injection chain demonstrate that the runtime capability fix is effective. The unverified boundary is remote Cloudflare platform integration behavior, not the issue's package-manager consistency contract.

Impact

  • User/API/contract changes:
  • Generated files / GraphQL / DB / lockfile:
    • No generated files, GraphQL changes, DB migrations, lockfile changes, caches, or build outputs are committed.
  • Env or config changes:
    • Pins cloudflare/sandbox:0.12.3 to its current digest so base image content is reproducible.
    • Adds no EXPECTED_* version arguments and no global PIP_* runtime environment variables.
    • Does not rewrite apt sources or add local network retry workarounds. Python/pip are installed through the image's normal Ubuntu repositories and verified afterward.
  • Risk and rollback:
    • Missing binaries, malformed version output, mismatched aliases, or an unimplemented manifest entry fail image construction instead of a user Run.
    • Compatible Ubuntu security updates are not rejected solely because a duplicated version constant became stale.
    • A base-image upgrade remains explicit through the tag/digest update and is covered by build verification and pinned-package smoke tests.
    • Rollback is a revert of these commits; no persistent data migration is involved.

Review

  • Closest review areas:
    • Docker image ownership and base digest maintenance.
    • Capability manifest semantics and cross-repository consumption.
    • Build-time verifier and isolated-prefix smoke behavior.
  • Known trade-offs:
    • apt, cargo, gem, and go are deliberately absent; Mosoo #340 owns legacy read compatibility and migration errors.
    • The small JSON manifest is intentional: it is the machine-readable Driver-owned boundary consumed by the image checker and Mosoo's drift test.
    • Local Wrangler validates the production code paths and container image, but cannot certify remote Cloudflare account behavior.

@AsperforMias AsperforMias marked this pull request as draft July 16, 2026 01:20
@AsperforMias AsperforMias force-pushed the fix/environment-package-manager-runtime branch from b18e58a to a5a6068 Compare July 16, 2026 01:42
@AsperforMias AsperforMias marked this pull request as ready for review July 16, 2026 03:22
@AsperforMias

Copy link
Copy Markdown
Author

ask for review to confirm @Yevanchen
if done, then i will open mosoo's #340 as step2

@AsperforMias

Copy link
Copy Markdown
Author

稍等,有些和 #49 重复了

@AsperforMias AsperforMias force-pushed the fix/environment-package-manager-runtime branch from a5a6068 to 3c619c8 Compare July 16, 2026 17:37
@AsperforMias AsperforMias force-pushed the fix/environment-package-manager-runtime branch from 9382ae6 to 944c07d Compare July 16, 2026 18:25
@AsperforMias

AsperforMias commented Jul 16, 2026

Copy link
Copy Markdown
Author

@vanillaxy could u plz review this , especially the Driver image capability contract, build-time verification, and isolated-prefix smoke coverage?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant