From 5e1df6593511eca5ce7b6d307f025f2a265765fc Mon Sep 17 00:00:00 2001
From: "Will@Cambridge"
Date: Sun, 21 Dec 2025 10:22:22 -0500
Subject: [PATCH] fix: make PLATFORM lazy to prevent errors during module load on unsupported platforms
---
 packages/opencode/src/util/security/commands/setup.ts | 2 +-
 packages/opencode/src/util/security/constants.ts | 2 +-
 packages/opencode/src/util/security/executor.ts | 6 +++---
 packages/opencode/src/util/security/util.ts | 4 ++--
 4 files changed, 7 insertions(+), 7 deletions(-)
diff --git a/packages/opencode/src/util/security/commands/setup.ts b/packages/opencode/src/util/security/commands/setup.ts
index 5db330641..6f665ab22 100644
--- a/packages/opencode/src/util/security/commands/setup.ts
+++ b/packages/opencode/src/util/security/commands/setup.ts
@@ -7,7 +7,7 @@ import os from "os"
 * Configure sudoers file for passwordless execution
 */
 async function configureSudoers(currentUser: string, restrictedUser: string): Promise {
- const sudoRule = `${currentUser} ALL=(${restrictedUser}) NOPASSWD: ${PLATFORM.SHELL}`
+ const sudoRule = `${currentUser} ALL=(${restrictedUser}) NOPASSWD: ${PLATFORM().SHELL}`
 // Check if rule already exists
 const existing = await Bun.file(SUDOERS_FILE_PATH)
diff --git a/packages/opencode/src/util/security/constants.ts b/packages/opencode/src/util/security/constants.ts
index 8a6cee799..078ba0047 100644
--- a/packages/opencode/src/util/security/constants.ts
+++ b/packages/opencode/src/util/security/constants.ts
@@ -50,5 +50,5 @@ function getPlatformConstants() {
 }
 }
-export const PLATFORM = getPlatformConstants()
+export const PLATFORM = getPlatformConstants
 export const MACOS = MACOS_CONSTANTS // For darwin.ts
diff --git a/packages/opencode/src/util/security/executor.ts b/packages/opencode/src/util/security/executor.ts
index 571b8642a..9faa7d8e5 100644
--- a/packages/opencode/src/util/security/executor.ts
+++ b/packages/opencode/src/util/security/executor.ts
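Review bot: In `configureSudoers` (setup.ts), the `sudoRule` template interpolates `currentUser` and `restrictedUser` straight into a sudoers line, and nothing visible in the hunk checks them; a name containing whitespace, a comma or a newline would change what the rule grants. Consider rejecting anything outside a conservative pattern before the rule is built, for example `if (![currentUser, restrictedUser].every((u) => /^[a-z_][a-z0-9_-]*$/i.test(u))) throw new Error("invalid user name for sudoers rule")`, and checking that `PLATFORM().SHELL` is an absolute path. The same unvalidated interpolation appears in `rebuildSudoersFile` in util.ts with `config.mainUser` and `config.restrictedUser`. The function body continues outside the hunk, so validation may already happen elsewhere.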
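Review bot: In constants.ts, `PLATFORM` keeps its constant-style name but is now a function, with no comment saying so and no caching, so every call site re-runs `getPlatformConstants()` (executor.ts calls it twice in a row while building the environment). A call site missed by this commit would read `PLATFORM.SHELL` as `undefined`, and the sudoers templates would then interpolate the literal text `undefined`; the type checker should reject that if the module is strictly typed, but that is not visible here. I would add a doc comment such as `/** Lazy accessor: call PLATFORM() at use time; may throw on unsupported platforms. */` and consider memoising the result so the sudoers rule and the spawned command always see the same shell path. The body of `getPlatformConstants` lies outside the hunk, so the throwing behaviour is inferred from the commit subject.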
@@ -97,9 +97,9 @@ export class ProtectedExecutor {
 }
 // Set base environment (these override any parent values for security)
- env.HOME = PLATFORM.USER_HOME // Match NFSHomeDirectory from user creation
+ env.HOME = PLATFORM().USER_HOME // Match NFSHomeDirectory from user creation
 env.USER = this.restrictedUser
- env.SHELL = PLATFORM.SHELL
+ env.SHELL = PLATFORM().SHELL
 return env
 }
@@ -126,7 +126,7 @@ export class ProtectedExecutor {
 "-n", // Non-interactive (requires NOPASSWD)
 "-u",
 this.restrictedUser,
- PLATFORM.SHELL,
+ PLATFORM().SHELL,
 "--noprofile",
 "--norc",
 "-c",
diff --git a/packages/opencode/src/util/security/util.ts b/packages/opencode/src/util/security/util.ts
index ddccf39b2..df6cad3fd 100644
--- a/packages/opencode/src/util/security/util.ts
+++ b/packages/opencode/src/util/security/util.ts
@@ -7,7 +7,7 @@ import type { PlatformSecurity } from "./platform/interface"
 * Run sudo command (non-interactive, assumes auth cached)
 */
 export async function runSudoCommand(cmd: string): Promise<{ exitCode: number; stdout: string; stderr: string }> {
- const proc = Bun.spawn(["sudo", "-n", PLATFORM.SHELL, "-c", cmd], {
+ const proc = Bun.spawn(["sudo", "-n", PLATFORM().SHELL, "-c", cmd], {
 stdin: "ignore",
 stdout: "pipe",
 stderr: "pipe",
@@ -125,7 +125,7 @@ export async function rebuildSudoersFile(config: SecurityConfig): Promise
 const rules: string[] = []
 // Base rule: Allow main user to execute commands as restricted user
- rules.push(`${config.mainUser} ALL=(${config.restrictedUser}) NOPASSWD: ${PLATFORM.SHELL}`)
+ rules.push(`${config.mainUser} ALL=(${config.restrictedUser}) NOPASSWD: ${PLATFORM().SHELL}`)
 // Whitelisted command rules: Allow restricted user to run whitelisted commands as main user
 for (const command of config.whitelistedCommands) {
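Review bot: `runSudoCommand` in util.ts hands `cmd` as one string to `sudo -n <shell> -c` with no `-u`, so the text is interpreted by a shell running as sudo's default target user, and the doc comment in the hunk does not say so. Any caller that assembles `cmd` by interpolation has to quote or validate each value itself, which is easy to miss without a stated contract. I would extend the doc comment with a line such as `* cmd is run verbatim by a privileged shell; callers must quote or validate every interpolated value.`, and longer term consider accepting an argument array instead of a shell string. The function body continues past the hunk, so how the result is handled is not visible here.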