Devin Foley
ad0bb57350
## Thinking Path > - Paperclip orchestrates AI agents for zero-human companies, including running adapter CLIs inside remote sandboxes > - The QA matrix in PAPA-316 spins up local-runtime adapters (claude/gemini/opencode) against both SSH and the new exe.dev sandbox provider, and "Test" exercises the same install + probe path the real runtime uses > - On exe.dev the QA matrix failed at three different points: SSH/sandbox secret refs would not resolve, gemini-local could not find npm, and opencode-local installed a binary that was not on the probe-shell PATH > - These are all environment-shape issues the runtime should handle, not regressions in any individual adapter, so they need to be fixed in the shared install/resolve layer before the matrix can pass > - This pull request wires the environment id through to secret-ref resolution, bootstraps npm from a portable Node tarball when the sandbox image lacks Node, and symlinks the opencode binary into a directory that non-login shells see > - The benefit is that the QA matrix passes end-to-end on exe.dev, and any future sandbox provider that ships without Node or relies on rc-file PATH wiring gets the same fixes for free ## What Changed - `server/src/services/environment-execution-target.ts`: pass the environment `id` into `resolveEnvironmentDriverConfigForRuntime` for both the sandbox and SSH branches, so `privateKeySecretRef` / sandbox-provider secret refs (e.g. exe.dev `apiKey`) can resolve against the secret store at runtime instead of throwing `Runtime secret resolution requires an environment id`. - `packages/adapter-utils/src/sandbox-install-command.ts`: extend `buildSandboxNpmInstallCommand` with an `ENSURE_NPM_PREAMBLE` that, when `npm` is missing, downloads a portable Node v22 tarball into `$HOME/.local` and sets `PAPERCLIP_NPM_BOOTSTRAPPED=1` so the install step skips sudo (sudo's `secure_path` would lose the freshly-installed `npm` in `$HOME/.local/bin`). Distro-packaged Node from apt-get is intentionally avoided because it tends to be too old to parse modern JS syntax used by `@google/gemini-cli`. - `packages/adapters/gemini-local/src/index.ts`: switch the hardcoded `npm install -g @google/gemini-cli` to `buildSandboxNpmInstallCommand`, so gemini-local picks up the same sudo-aware + npm-bootstrap behavior as the other local adapters. - `packages/adapters/opencode-local/src/index.ts`: append a step to the install command that symlinks `$HOME/.opencode/bin/opencode` into `$HOME/.local/bin`. The upstream installer only adds `~/.opencode/bin` to PATH via `~/.bashrc`, which non-login `sh -c` probe invocations do not source. - `packages/adapter-utils/src/sandbox-install-command.test.ts`: cover the new preamble plus the unchanged root/sudo/user-prefix branches. ## Verification - `cd packages/adapter-utils && npm test -- sandbox-install-command` (passes; new "bootstraps npm from a portable Node tarball when missing" case is included). - Manual: ran the in-app `Test` action against the QA matrix dev instance for `QA exe.dev Claude`, `QA exe.dev Gemini`, and `QA exe.dev OpenCode` — all three now report `status=pass` including the hello probe. `QA SSH Claude` also passes; without the environment-id fix, SSH resolution threw before the wrapper / install fixes could run. - Suggested reviewer check: re-run the matrix on a fresh exe.dev environment and confirm the install step no longer hits `npm: command not found` for gemini and the opencode probe no longer hits `opencode: command not found`. ## Risks - Low/medium. The npm bootstrap pins Node `v22.11.0` from `nodejs.org/dist`; if that URL becomes unreachable the install will fail with a clear `curl` error rather than corrupting state. The bootstrap path is only taken when `npm` is genuinely missing, so existing sandbox images that ship with Node are unaffected. - The opencode symlink uses `ln -sf` into `$HOME/.local/bin`, which is created with `mkdir -p`; idempotent on re-install. - The `id` change is a strict additive: callers previously got `undefined` and only the secret-ref code paths actually read it. No behavior change for environments without secret refs. ## Model Used - Claude (Anthropic), `claude-opus-4-7`, with extended thinking and tool use enabled. Iterated through the Paperclip QA matrix harness; no other model assisted. ## Checklist - [x] I have included a thinking path that traces from project context to this change - [x] I have specified the model used (with version and capability details) - [x] I have checked ROADMAP.md and confirmed this PR does not duplicate planned core work - [x] I have run tests locally and they pass - [x] I have added or updated tests where applicable - [ ] If this change affects the UI, I have included before/after screenshots (n/a — runtime/install path only) - [x] I have considered and documented any risks above - [x] I will address all Greptile and reviewer comments before requesting merge --------- Co-authored-by: Paperclip <noreply@paperclip.ing>
119 lines
6.0 KiB
TypeScript
119 lines
6.0 KiB
TypeScript
import type { AdapterModelProfileDefinition } from "@paperclipai/adapter-utils";
|
|
|
|
export const type = "opencode_local";
|
|
export const label = "OpenCode (local)";
|
|
|
|
// Use OpenCode's official installer instead of `npm install -g opencode-ai`.
|
|
// The npm package reifies four large Linux x64 prebuilt-binary subpackages
|
|
// (linux-x64, linux-x64-musl, linux-x64-baseline, linux-x64-baseline-musl) in
|
|
// parallel even though only one matches the sandbox; on bandwidth-constrained
|
|
// sandboxes (e.g. Cloudflare) that exceeded the 240s install budget. The
|
|
// official installer fetches a single arch-specific binary into
|
|
// `$HOME/.opencode/bin` and tries to add it to PATH via `~/.bashrc`. That
|
|
// rc-file path is only sourced by interactive/login shells, so non-login
|
|
// `sh -c` probe invocations (used by the runtime PATH check) cannot find the
|
|
// binary. We fix that by symlinking the installed binary into a directory on
|
|
// the non-login `sh -c` PATH: prefer `/usr/local/bin` (universally on the
|
|
// default PATH on Linux distros) when root or passwordless sudo is available,
|
|
// otherwise fall back to `$HOME/.local/bin` (which is on the default PATH on
|
|
// the exe.dev sandbox image and most modern home-managed Linux images).
|
|
//
|
|
// Security tradeoff: this is `curl | bash` without a SHA-256 verification of
|
|
// the install script. We accept this because:
|
|
// 1. The install runs inside an isolated, ephemeral sandbox — blast radius
|
|
// is bounded to that sandbox's secrets and disk.
|
|
// 2. The prior `npm install -g opencode-ai` is also unverified code
|
|
// execution from a third-party registry; this is not strictly worse.
|
|
// 3. OpenCode does not publish per-release SHA-256 checksums in a stable
|
|
// location, and pinning a version + hash here would require manual
|
|
// version bumps on every OpenCode release.
|
|
// The `set -e` (implied by Bash's default with `-fsSL` upstream of a piped
|
|
// shell) and `curl -fsSL` give us fail-fast behavior on HTTP errors. If
|
|
// OpenCode starts publishing a stable checksum/signature, switch to fetching
|
|
// a versioned tarball + verifying the digest before exec.
|
|
export const SANDBOX_INSTALL_COMMAND =
|
|
'curl -fsSL https://opencode.ai/install | bash && ' +
|
|
'if [ -x "$HOME/.opencode/bin/opencode" ]; then ' +
|
|
'if [ "$(id -u)" -eq 0 ]; then ' +
|
|
'ln -sf "$HOME/.opencode/bin/opencode" /usr/local/bin/opencode; ' +
|
|
'elif command -v sudo >/dev/null 2>&1 && sudo -n true >/dev/null 2>&1; then ' +
|
|
'sudo ln -sf "$HOME/.opencode/bin/opencode" /usr/local/bin/opencode; ' +
|
|
'else ' +
|
|
'mkdir -p "$HOME/.local/bin" && ' +
|
|
'ln -sf "$HOME/.opencode/bin/opencode" "$HOME/.local/bin/opencode"; ' +
|
|
'fi; ' +
|
|
'fi';
|
|
|
|
export const DEFAULT_OPENCODE_LOCAL_MODEL = "openai/gpt-5.2-codex";
|
|
|
|
export function isValidOpenCodeModelId(value: unknown): value is string {
|
|
if (typeof value !== "string") return false;
|
|
const trimmed = value.trim();
|
|
const slashIndex = trimmed.indexOf("/");
|
|
return Boolean(trimmed) && slashIndex > 0 && slashIndex !== trimmed.length - 1;
|
|
}
|
|
|
|
export const models: Array<{ id: string; label: string }> = [
|
|
{ id: DEFAULT_OPENCODE_LOCAL_MODEL, label: DEFAULT_OPENCODE_LOCAL_MODEL },
|
|
{ id: "openai/gpt-5.4", label: "openai/gpt-5.4" },
|
|
{ id: "openai/gpt-5.2", label: "openai/gpt-5.2" },
|
|
{ id: "openai/gpt-5.1-codex-max", label: "openai/gpt-5.1-codex-max" },
|
|
{ id: "openai/gpt-5.1-codex-mini", label: "openai/gpt-5.1-codex-mini" },
|
|
];
|
|
|
|
export const modelProfiles: AdapterModelProfileDefinition[] = [
|
|
{
|
|
key: "cheap",
|
|
label: "Cheap",
|
|
description: "Use OpenCode's known Codex mini model as the budget lane.",
|
|
adapterConfig: {
|
|
model: "openai/gpt-5.1-codex-mini",
|
|
variant: "low",
|
|
},
|
|
source: "adapter_default",
|
|
},
|
|
];
|
|
|
|
export const agentConfigurationDoc = `# opencode_local agent configuration
|
|
|
|
Adapter: opencode_local
|
|
|
|
Use when:
|
|
- You want Paperclip to run OpenCode locally as the agent runtime
|
|
- You want provider/model routing in OpenCode format (provider/model)
|
|
- You want OpenCode session resume across heartbeats via --session
|
|
|
|
Don't use when:
|
|
- You need webhook-style external invocation (use openclaw_gateway or http)
|
|
- You only need one-shot shell commands (use process)
|
|
- OpenCode CLI is not installed on the machine
|
|
|
|
Core fields:
|
|
- cwd (string, optional): default absolute working directory fallback for the agent process (created if missing when possible)
|
|
- instructionsFilePath (string, optional): absolute path to a markdown instructions file prepended to the run prompt
|
|
- model (string, required): OpenCode model id in provider/model format (for example anthropic/claude-sonnet-4-5)
|
|
- variant (string, optional): provider-specific reasoning/profile variant passed as --variant (for example minimal|low|medium|high|xhigh|max)
|
|
- dangerouslySkipPermissions (boolean, optional): inject a runtime OpenCode config that allows \`external_directory\` access without interactive prompts; defaults to true for unattended Paperclip runs
|
|
- promptTemplate (string, optional): run prompt template
|
|
- command (string, optional): defaults to "opencode"
|
|
- extraArgs (string[], optional): additional CLI args
|
|
- env (object, optional): KEY=VALUE environment variables
|
|
|
|
Operational fields:
|
|
- timeoutSec (number, optional): run timeout in seconds
|
|
- graceSec (number, optional): SIGTERM grace period in seconds
|
|
|
|
Notes:
|
|
- OpenCode supports multiple providers and models. Use \
|
|
\`opencode models\` to list available options in provider/model format.
|
|
- Paperclip requires an explicit \`model\` value for \`opencode_local\` agents.
|
|
- Runs are executed with: opencode run --format json ...
|
|
- Sessions are resumed with --session when stored session cwd matches current cwd.
|
|
- The adapter sets OPENCODE_DISABLE_PROJECT_CONFIG=true to prevent OpenCode from \
|
|
writing an opencode.json config file into the project working directory. Model \
|
|
selection is passed via the --model CLI flag instead.
|
|
- When \`dangerouslySkipPermissions\` is enabled, Paperclip injects a temporary \
|
|
runtime config with \`permission.external_directory=allow\` so headless runs do \
|
|
not stall on approval prompts.
|
|
`;
|