feat: route macOS node exec via app IPC

2026-01-18 16:36:13 +00:00
parent 5fe3c36471
commit 081123c0e4
4 changed files with 561 additions and 19 deletions
--- a/src/infra/exec-host.ts
+++ b/src/infra/exec-host.ts
@@ -0,0 +1,109 @@
+import crypto from "node:crypto";
+import net from "node:net";
+
+export type ExecHostRequest = {
+  command: string[];
+  rawCommand?: string | null;
+  cwd?: string | null;
+  env?: Record<string, string> | null;
+  timeoutMs?: number | null;
+  needsScreenRecording?: boolean | null;
+  agentId?: string | null;
+  sessionKey?: string | null;
+};
+
+export type ExecHostRunResult = {
+  exitCode?: number;
+  timedOut: boolean;
+  success: boolean;
+  stdout: string;
+  stderr: string;
+  error?: string | null;
+};
+
+export type ExecHostError = {
+  code: string;
+  message: string;
+  reason?: string;
+};
+
+export type ExecHostResponse =
+  | { ok: true; payload: ExecHostRunResult }
+  | { ok: false; error: ExecHostError };
+
+export async function requestExecHostViaSocket(params: {
+  socketPath: string;
+  token: string;
+  request: ExecHostRequest;
+  timeoutMs?: number;
+}): Promise<ExecHostResponse | null> {
+  const { socketPath, token, request } = params;
+  if (!socketPath || !token) return null;
+  const timeoutMs = params.timeoutMs ?? 20_000;
+  return await new Promise((resolve) => {
+    const client = new net.Socket();
+    let settled = false;
+    let buffer = "";
+    const finish = (value: ExecHostResponse | null) => {
+      if (settled) return;
+      settled = true;
+      try {
+        client.destroy();
+      } catch {
+        // ignore
+      }
+      resolve(value);
+    };
+
+    const requestJson = JSON.stringify(request);
+    const nonce = crypto.randomBytes(16).toString("hex");
+    const ts = Date.now();
+    const hmac = crypto
+      .createHmac("sha256", token)
+      .update(`${nonce}:${ts}:${requestJson}`)
+      .digest("hex");
+    const payload = JSON.stringify({
+      type: "exec",
+      id: crypto.randomUUID(),
+      nonce,
+      ts,
+      hmac,
+      requestJson,
+    });
+
+    const timer = setTimeout(() => finish(null), timeoutMs);
+
+    client.on("error", () => finish(null));
+    client.connect(socketPath, () => {
+      client.write(`${payload}\n`);
+    });
+    client.on("data", (data) => {
+      buffer += data.toString("utf8");
+      let idx = buffer.indexOf("\n");
+      while (idx !== -1) {
+        const line = buffer.slice(0, idx).trim();
+        buffer = buffer.slice(idx + 1);
+        idx = buffer.indexOf("\n");
+        if (!line) continue;
+        try {
+          const msg = JSON.parse(line) as { type?: string; ok?: boolean; payload?: unknown; error?: unknown };
+          if (msg?.type === "exec-res") {
+            clearTimeout(timer);
+            if (msg.ok === true && msg.payload) {
+              finish({ ok: true, payload: msg.payload as ExecHostRunResult });
+              return;
+            }
+            if (msg.ok === false && msg.error) {
+              finish({ ok: false, error: msg.error as ExecHostError });
+              return;
+            }
+            finish(null);
+            return;
+          }
+        } catch {
+          // ignore
+        }
+      }
+    });
+  });
+}
--- a/src/node-host/runner.ts
+++ b/src/node-host/runner.ts
@@ -19,6 +19,12 @@ import {
  saveExecApprovals,
  type ExecApprovalsFile,
 } from "../infra/exec-approvals.js";
+import {
+  requestExecHostViaSocket,
+  type ExecHostRequest,
+  type ExecHostResponse,
+  type ExecHostRunResult,
+} from "../infra/exec-host.js";
 import { getMachineDisplayName } from "../infra/machine-name.js";
 import { VERSION } from "../version.js";

@@ -86,6 +92,9 @@ type ExecEventPayload = {
 const OUTPUT_CAP = 200_000;
 const OUTPUT_EVENT_TAIL = 20_000;

+const execHostEnforced = process.env.CLAWDBOT_NODE_EXEC_HOST?.trim().toLowerCase() === "app";
+const execHostFallbackAllowed = process.env.CLAWDBOT_NODE_EXEC_FALLBACK?.trim() === "1";
+
 const blockedEnvKeys = new Set([
  "PATH",
  "NODE_OPTIONS",
@@ -305,6 +314,18 @@ function buildExecEventPayload(payload: ExecEventPayload): ExecEventPayload {
  return { ...payload, output: text };
 }

+async function runViaMacAppExecHost(params: {
+  approvals: ReturnType<typeof resolveExecApprovals>;
+  request: ExecHostRequest;
+}): Promise<ExecHostResponse | null> {
+  const { approvals, request } = params;
+  return await requestExecHostViaSocket({
+    socketPath: approvals.socketPath,
+    token: approvals.token,
+    request,
+  });
+}
+
 export async function runNodeHost(opts: NodeHostRunOptions): Promise<void> {
  const config = await ensureNodeHostConfig();
  const nodeId = opts.nodeId?.trim() || config.nodeId;
@@ -555,6 +576,87 @@ async function handleInvoke(
  const skillAllow =
    autoAllowSkills && resolution?.executableName ? bins.has(resolution.executableName) : false;

+  const useMacAppExec = process.platform === "darwin" && (execHostEnforced || !execHostFallbackAllowed);
+  if (useMacAppExec) {
+    const execRequest: ExecHostRequest = {
+      command: argv,
+      rawCommand: rawCommand || null,
+      cwd: params.cwd ?? null,
+      env: params.env ?? null,
+      timeoutMs: params.timeoutMs ?? null,
+      needsScreenRecording: params.needsScreenRecording ?? null,
+      agentId: agentId ?? null,
+      sessionKey: sessionKey ?? null,
+    };
+    const response = await runViaMacAppExecHost({ approvals, request: execRequest });
+    if (!response) {
+      client.sendEvent(
+        "exec.denied",
+        buildExecEventPayload({
+          sessionKey,
+          runId,
+          host: "node",
+          command: cmdText,
+          reason: "companion-unavailable",
+        }),
+      );
+      client.sendInvokeResponse({
+        type: "invoke-res",
+        id: frame.id,
+        ok: false,
+        error: {
+          code: "UNAVAILABLE",
+          message: "COMPANION_APP_UNAVAILABLE: macOS app exec host unreachable",
+        },
+      });
+      return;
+    }
+
+    if (!response.ok) {
+      const reason = response.error.reason ?? "approval-required";
+      client.sendEvent(
+        "exec.denied",
+        buildExecEventPayload({
+          sessionKey,
+          runId,
+          host: "node",
+          command: cmdText,
+          reason,
+        }),
+      );
+      client.sendInvokeResponse({
+        type: "invoke-res",
+        id: frame.id,
+        ok: false,
+        error: { code: "UNAVAILABLE", message: response.error.message },
+      });
+      return;
+    }
+
+    const result: ExecHostRunResult = response.payload;
+    const combined = [result.stdout, result.stderr, result.error].filter(Boolean).join("\n");
+    client.sendEvent(
+      "exec.finished",
+      buildExecEventPayload({
+        sessionKey,
+        runId,
+        host: "node",
+        command: cmdText,
+        exitCode: result.exitCode,
+        timedOut: result.timedOut,
+        success: result.success,
+        output: combined,
+      }),
+    );
+    client.sendInvokeResponse({
+      type: "invoke-res",
+      id: frame.id,
+      ok: true,
+      payloadJSON: JSON.stringify(result),
+    });
+    return;
+  }
+
  if (security === "deny") {
    client.sendEvent(
      "exec.denied",