From 34fcd3a4021f87ad7c0c27ffed17e03799dd2e74 Mon Sep 17 00:00:00 2001
From: GeekTrainer <GeekTrainer@users.noreply.github.com>
Date: Thu, 12 Mar 2026 17:13:30 +0000
Subject: [PATCH] feat: add sandbox-npm-install skill to community collection

Add a reusable Agent Skill that installs npm packages in Docker sandbox
environments where virtiofs-mounted workspaces cause native binary crashes
(esbuild, lightningcss, rollup). The script installs on local ext4 and
symlinks node_modules back into the workspace.

- SKILL.md with spec-compliant frontmatter and documentation
- scripts/install.sh with security hardening (no eval, readonly paths)
- Updated docs/README.skills.md with new skill entry

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
---
 docs/README.skills.md                         |   1 +
 skills/sandbox-npm-install/SKILL.md           |  80 ++++++++
 skills/sandbox-npm-install/scripts/install.sh | 187 ++++++++++++++++++
 3 files changed, 268 insertions(+)
 create mode 100644 skills/sandbox-npm-install/SKILL.md
 create mode 100755 skills/sandbox-npm-install/scripts/install.sh

diff --git a/docs/README.skills.md b/docs/README.skills.md
index dd426af4c..c6088b7f8 100644
--- a/docs/README.skills.md
+++ b/docs/README.skills.md
@@ -209,6 +209,7 @@ See [CONTRIBUTING.md](../CONTRIBUTING.md#adding-skills) for guidelines on how to
 | [reviewing-oracle-to-postgres-migration](../skills/reviewing-oracle-to-postgres-migration/SKILL.md) | Identifies Oracle-to-PostgreSQL migration risks by cross-referencing code against known behavioral differences (empty strings, refcursors, type coercion, sorting, timestamps, concurrent transactions, etc.). Use when planning a database migration, reviewing migration artifacts, or validating that integration tests cover Oracle/PostgreSQL differences. | `references/REFERENCE.md`<br />`references/empty-strings-handling.md`<br />`references/no-data-found-exceptions.md`<br />`references/oracle-parentheses-from-clause.md`<br />`references/oracle-to-postgres-sorting.md`<br />`references/oracle-to-postgres-timestamp-timezone.md`<br />`references/oracle-to-postgres-to-char-numeric.md`<br />`references/oracle-to-postgres-type-coercion.md`<br />`references/postgres-concurrent-transactions.md`<br />`references/postgres-refcursor-handling.md` |
 | [ruby-mcp-server-generator](../skills/ruby-mcp-server-generator/SKILL.md) | Generate a complete Model Context Protocol server project in Ruby using the official MCP Ruby SDK gem. | None |
 | [rust-mcp-server-generator](../skills/rust-mcp-server-generator/SKILL.md) | Generate a complete Rust Model Context Protocol server project with tools, prompts, resources, and tests using the official rmcp SDK | None |
+| [sandbox-npm-install](../skills/sandbox-npm-install/SKILL.md) | Install npm packages in a Docker sandbox environment. Use this skill whenever you need to install, reinstall, or update node_modules inside a container where the workspace is mounted via virtiofs. Native binaries (esbuild, lightningcss, rollup) crash on virtiofs, so packages must be installed on the local ext4 filesystem and symlinked back. | `scripts/install.sh` |
 | [scaffolding-oracle-to-postgres-migration-test-project](../skills/scaffolding-oracle-to-postgres-migration-test-project/SKILL.md) | Scaffolds an xUnit integration test project for validating Oracle-to-PostgreSQL database migration behavior in .NET solutions. Creates the test project, transaction-rollback base class, and seed data manager. Use when setting up test infrastructure before writing migration integration tests, or when a test project is needed for Oracle-to-PostgreSQL validation. | None |
 | [scoutqa-test](../skills/scoutqa-test/SKILL.md) | This skill should be used when the user asks to "test this website", "run exploratory testing", "check for accessibility issues", "verify the login flow works", "find bugs on this page", or requests automated QA testing. Triggers on web application testing scenarios including smoke tests, accessibility audits, e-commerce flows, and user flow validation using ScoutQA CLI. IMPORTANT: Use this skill proactively after implementing web application features to verify they work correctly - don't wait for the user to ask for testing. | None |
 | [shuffle-json-data](../skills/shuffle-json-data/SKILL.md) | Shuffle repetitive JSON objects safely by validating schema consistency before randomising entries. | None |
diff --git a/skills/sandbox-npm-install/SKILL.md b/skills/sandbox-npm-install/SKILL.md
new file mode 100644
index 000000000..d45b50241
--- /dev/null
+++ b/skills/sandbox-npm-install/SKILL.md
@@ -0,0 +1,80 @@
+---
+name: sandbox-npm-install
+description: 'Install npm packages in a Docker sandbox environment. Use this skill whenever you need to install, reinstall, or update node_modules inside a container where the workspace is mounted via virtiofs. Native binaries (esbuild, lightningcss, rollup) crash on virtiofs, so packages must be installed on the local ext4 filesystem and symlinked back.'
+---
+
+# Sandbox npm Install
+
+## When to Use This Skill
+
+Use this skill whenever:
+- You need to install npm packages for the first time in a new sandbox session
+- `package.json` or `package-lock.json` has changed and you need to reinstall
+- You encounter native binary crashes with errors like `SIGILL`, `SIGSEGV`, `mmap`, or `unaligned sysNoHugePageOS`
+- The `node_modules` directory is missing or corrupted
+
+## Prerequisites
+
+- A Docker sandbox environment with a virtiofs-mounted workspace
+- Node.js and npm available in the container
+- A `package.json` file in the target workspace
+
+## Background
+
+Docker sandbox workspaces are typically mounted via **virtiofs** (file sync between the host and Linux VM). Native Go and Rust binaries (esbuild, lightningcss, rollup, etc.) crash with mmap alignment failures when executed from virtiofs on aarch64. The fix is to install on the container's local ext4 filesystem and symlink back into the workspace.
+
+## Step-by-Step Installation
+
+Run the bundled install script from the workspace root:
+
+```bash
+bash scripts/install.sh
+```
+
+### Common Options
+
+| Option | Description |
+|---|---|
+| `--workspace <path>` | Path to directory containing `package.json` (auto-detected if omitted) |
+| `--playwright` | Also install Playwright Chromium browser for E2E testing |
+
+### What the Script Does
+
+1. Copies `package.json`, `package-lock.json`, and `.npmrc` (if present) to a local ext4 directory
+2. Runs `npm ci` (or `npm install` if no lockfile) on the local filesystem
+3. Symlinks `node_modules` back into the workspace
+4. Verifies known native binaries (esbuild, rollup, lightningcss, vite) if present
+5. Optionally installs Playwright browsers
+
+If verification fails, run the script again — crashes can be intermittent during initial setup.
+
+## Post-Install Verification
+
+After the script completes, verify your toolchain works. For example:
+
+```bash
+npm test             # Run project tests
+npm run build        # Build the project
+npm run dev          # Start dev server
+```
+
+## Important Notes
+
+- The local install directory (e.g., `/home/agent/project-deps`) is **container-local** and is NOT synced back to the host
+- The `node_modules` symlink appears as a broken link on the host — this is harmless since `node_modules` is typically gitignored
+- Running `npm ci` or `npm install` on the host naturally replaces the symlink with a real directory
+- After any `package.json` or `package-lock.json` change, re-run the install script
+- Do NOT run `npm ci` or `npm install` directly in the mounted workspace — native binaries will crash
+
+## Troubleshooting
+
+| Problem | Solution |
+|---|---|
+| `SIGILL` or `SIGSEGV` when running dev server | Re-run the install script; ensure you're not running `npm install` directly in the workspace |
+| `node_modules` not found after install | Check that the symlink exists: `ls -la node_modules` |
+| Permission errors during install | Ensure the local deps directory is writable by the current user |
+| Verification fails intermittently | Run the script again — native binary crashes can be non-deterministic on first load |
+
+## Vite Compatibility
+
+If your project uses Vite, you may need to allow the symlinked path in `server.fs.allow`. Add the symlink target's parent directory (e.g., `/home/agent/project-deps/`) to your Vite config so that Vite can serve files through the symlink.
diff --git a/skills/sandbox-npm-install/scripts/install.sh b/skills/sandbox-npm-install/scripts/install.sh
new file mode 100755
index 000000000..fba694519
--- /dev/null
+++ b/skills/sandbox-npm-install/scripts/install.sh
@@ -0,0 +1,187 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+# Sandbox npm Install Script
+# Installs node_modules on local ext4 filesystem and symlinks into the workspace.
+# This avoids native binary crashes (esbuild, lightningcss, rollup) on virtiofs.
+
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+REPO_ROOT="$(cd "$SCRIPT_DIR/../../.." && pwd)"
+
+# Local ext4 base directory where node_modules is installed to avoid virtiofs crashes.
+# Change this path if your sandbox uses a different local filesystem location.
+readonly DEPS_BASE="/home/agent/project-deps"
+WORKSPACE_CLIENT=""
+INSTALL_PLAYWRIGHT="false"
+
+usage() {
+  cat <<EOF
+Usage: $(basename "$0") [options]
+
+Options:
+  --workspace <path>   Client workspace containing package.json
+  --playwright         Install Playwright Chromium browser
+  --help               Show this help message
+
+Examples:
+  bash scripts/install.sh
+  bash scripts/install.sh --workspace app/client --playwright
+EOF
+}
+
+while [[ $# -gt 0 ]]; do
+  case "$1" in
+    --workspace)
+      if [[ -z "${2:-}" ]]; then
+        echo "Error: --workspace requires a path argument"
+        usage
+        exit 1
+      fi
+      WORKSPACE_CLIENT="$2"
+      shift 2
+      ;;
+    --playwright)
+      INSTALL_PLAYWRIGHT="true"
+      shift
+      ;;
+    --help|-h)
+      usage
+      exit 0
+      ;;
+    *)
+      echo "Unknown option: $1"
+      usage
+      exit 1
+      ;;
+  esac
+done
+
+if [[ -z "$WORKSPACE_CLIENT" ]]; then
+  if [[ -f "$PWD/package.json" ]]; then
+    WORKSPACE_CLIENT="$PWD"
+  elif [[ -f "$REPO_ROOT/package.json" ]]; then
+    WORKSPACE_CLIENT="$REPO_ROOT"
+  fi
+fi
+
+if [[ -n "$WORKSPACE_CLIENT" ]]; then
+  WORKSPACE_CLIENT="$(cd "$WORKSPACE_CLIENT" 2>/dev/null && pwd || true)"
+fi
+
+if [[ -z "$WORKSPACE_CLIENT" || ! -f "$WORKSPACE_CLIENT/package.json" ]]; then
+  echo "Could not find a valid workspace client path containing package.json."
+  echo "Use --workspace <path> to specify it explicitly."
+  exit 1
+fi
+
+echo "=== Sandbox npm Install ==="
+echo "Workspace: $WORKSPACE_CLIENT"
+
+# Derive a unique subdirectory from the workspace path relative to the repo root.
+# e.g. /repo/apps/web -> apps-web, /repo -> <repo-basename>
+REL_PATH="${WORKSPACE_CLIENT#"$REPO_ROOT"}"
+REL_PATH="${REL_PATH#/}"
+if [[ -z "$REL_PATH" ]]; then
+  REL_PATH="$(basename "$REPO_ROOT")"
+fi
+# Sanitize: replace path separators with hyphens
+DEPS_SUBDIR="${REL_PATH//\//-}"
+DEPS_DIR="${DEPS_BASE}/${DEPS_SUBDIR}"
+
+echo "Deps dir:  $DEPS_DIR"
+
+# Step 1: Prepare local deps directory
+echo "→ Preparing $DEPS_DIR..."
+if [[ -z "$DEPS_DIR" || "$DEPS_DIR" != "${DEPS_BASE}/"* ]]; then
+  echo "ERROR: DEPS_DIR ('$DEPS_DIR') is not under DEPS_BASE ('$DEPS_BASE'). Aborting."
+  exit 1
+fi
+rm -rf "$DEPS_DIR"
+mkdir -p "$DEPS_DIR"
+chmod 700 "$DEPS_DIR"
+cp "$WORKSPACE_CLIENT/package.json" "$DEPS_DIR/"
+
+# Copy .npmrc if present (needed for private registries / scoped packages)
+# Permissions restricted to owner-only since .npmrc may contain auth tokens
+if [[ -f "$WORKSPACE_CLIENT/.npmrc" ]]; then
+  cp "$WORKSPACE_CLIENT/.npmrc" "$DEPS_DIR/"
+  chmod 600 "$DEPS_DIR/.npmrc"
+fi
+
+if [[ -f "$WORKSPACE_CLIENT/package-lock.json" ]]; then
+  cp "$WORKSPACE_CLIENT/package-lock.json" "$DEPS_DIR/"
+  INSTALL_CMD=(npm ci)
+else
+  echo "! package-lock.json not found; falling back to npm install"
+  INSTALL_CMD=(npm install)
+fi
+
+# Step 2: Install on local ext4
+echo "→ Running ${INSTALL_CMD[*]} on local ext4..."
+cd "$DEPS_DIR" && "${INSTALL_CMD[@]}"
+
+# Step 3: Symlink into workspace
+echo "→ Symlinking node_modules into workspace..."
+cd "$WORKSPACE_CLIENT"
+rm -rf node_modules
+ln -s "$DEPS_DIR/node_modules" node_modules
+
+has_dep() {
+  local dep="$1"
+  node -e "
+    const pkg=require(process.argv[1]);
+    const deps={...(pkg.dependencies||{}),...(pkg.devDependencies||{})};
+    process.exit(deps[process.argv[2]] ? 0 : 1);
+  " "$WORKSPACE_CLIENT/package.json" "$dep"
+}
+
+verify_one() {
+  local label="$1"
+  shift
+  if "$@" >/dev/null 2>&1; then
+    echo "  ✓ $label OK"
+    return 0
+  fi
+
+  echo "  ✗ $label FAIL"
+  return 1
+}
+
+# Step 4: Verify native binaries when present in this project
+echo "→ Verifying native binaries..."
+FAIL=0
+
+if has_dep esbuild; then
+  verify_one "esbuild" node -e "require('esbuild').transform('const x: number = 1',{loader:'ts'}).catch(()=>process.exit(1))" || FAIL=1
+fi
+
+if has_dep rollup; then
+  verify_one "rollup" node -e "import('rollup').catch(()=>process.exit(1))" || FAIL=1
+fi
+
+if has_dep lightningcss; then
+  verify_one "lightningcss" node -e "try{require('lightningcss')}catch(_){process.exit(1)}" || FAIL=1
+fi
+
+if has_dep vite; then
+  verify_one "vite" node -e "import('vite').catch(()=>process.exit(1))" || FAIL=1
+fi
+
+if [ "$FAIL" -ne 0 ]; then
+  echo "✗ Binary verification failed. Try running the script again (crashes can be intermittent)."
+  exit 1
+fi
+
+# Step 5: Optionally install Playwright
+if [[ "$INSTALL_PLAYWRIGHT" == "true" ]]; then
+  echo "→ Installing Playwright browsers..."
+  if [[ "${EUID:-$(id -u)}" -eq 0 ]]; then
+    npx playwright install --with-deps chromium
+  else
+    npx playwright install chromium
+  fi
+fi
+
+echo ""
+echo "=== ✓ Sandbox npm install complete ==="
+echo "Run 'npm run dev' to start the dev server."