Fix/shadow env in container (qwibitai#646)

* fix: shadow .env file in container to prevent agents from reading secrets

The main agent's container mounts the project root read-only, which
inadvertently exposed the .env file containing API keys. Mount /dev/null
over /workspace/project/.env to shadow it — secrets are already passed
via stdin and never need to be read from disk inside the container.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* fix: adapt .env shadowing and runtime for Apple Container

Apple Container (VirtioFS) only supports directory mounts, not file
mounts. The previous /dev/null host-side mount over .env crashes with
VZErrorDomain "A directory sharing device configuration is invalid".

- Dockerfile: entrypoint now shadows .env via mount --bind inside the
  container, then drops privileges via setpriv to the host UID/GID
- container-runner: main containers skip --user and pass RUN_UID/RUN_GID
  env vars so entrypoint starts as root for mount --bind
- container-runtime: switch to Apple Container CLI (container), fix
  cleanupOrphans to use container list --format json
- Skill: add Dockerfile and container-runner.ts to
  convert-to-apple-container skill (v1.1.0)

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* fix: revert src to Docker runtime, keep Apple Container in skill only

The source files should remain Docker-compatible. The Apple Container
adaptations live in the convert-to-apple-container skill and are applied
on demand.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>

Author: gavrielc

.claude/skills/convert-to-apple-container/SKILL.md

@@ -13,11 +13,13 @@ This skill switches NanoClaw's container runtime from Docker to Apple Container
 - Startup check: `docker info` → `container system status` (with auto-start)
 - Orphan detection: `docker ps --filter` → `container ls --format json`
 - Build script default: `docker` → `container`
+- Dockerfile entrypoint: `.env` shadowing via `mount --bind` inside the container (Apple Container only supports directory mounts, not file mounts like Docker's `/dev/null` overlay)
+- Container runner: main-group containers start as root for `mount --bind`, then drop privileges via `setpriv`
 
 **What stays the same:**
-- Dockerfile (shared by both runtimes)
-- Container runner code (`src/container-runner.ts`)
 - Mount security/allowlist validation
+- All exported interfaces and IPC protocol
+- Non-main container behavior (still uses `--user` flag)
 - All other functionality
 
 ## Prerequisites
@@ -72,11 +74,15 @@ npx tsx scripts/apply-skill.ts .claude/skills/convert-to-apple-container
 This deterministically:
 - Replaces `src/container-runtime.ts` with the Apple Container implementation
 - Replaces `src/container-runtime.test.ts` with Apple Container-specific tests
+- Updates `src/container-runner.ts` with .env shadow mount fix and privilege dropping
+- Updates `container/Dockerfile` with entrypoint that shadows .env via `mount --bind`
 - Updates `container/build.sh` to default to `container` runtime
 - Records the application in `.nanoclaw/state.yaml`
 
 If the apply reports merge conflicts, read the intent files:
 - `modify/src/container-runtime.ts.intent.md` — what changed and invariants
+- `modify/src/container-runner.ts.intent.md` — .env shadow and privilege drop changes
+- `modify/container/Dockerfile.intent.md` — entrypoint changes for .env shadowing
 - `modify/container/build.sh.intent.md` — what changed for build script
 
 ### Validate code changes
@@ -172,4 +178,6 @@ Check directory permissions on the host. The container runs as uid 1000.
 |------|----------------|
 | `src/container-runtime.ts` | Full replacement — Docker → Apple Container API |
 | `src/container-runtime.test.ts` | Full replacement — tests for Apple Container behavior |
+| `src/container-runner.ts` | .env shadow mount removed, main containers start as root with privilege drop |
+| `container/Dockerfile` | Entrypoint: `mount --bind` for .env shadowing, `setpriv` privilege drop |
 | `container/build.sh` | Default runtime: `docker` → `container` |

.claude/skills/convert-to-apple-container/manifest.yaml

@@ -1,12 +1,14 @@
 skill: convert-to-apple-container
-version: 1.0.0
+version: 1.1.0
 description: "Switch container runtime from Docker to Apple Container (macOS)"
 core_version: 0.1.0
 adds: []
 modifies:
   - src/container-runtime.ts
   - src/container-runtime.test.ts
+  - src/container-runner.ts
   - container/build.sh
+  - container/Dockerfile
 structured: {}
 conflicts: []
 depends: []

.claude/skills/convert-to-apple-container/modify/container/Dockerfile

@@ -0,0 +1,68 @@
+# NanoClaw Agent Container
+# Runs Claude Agent SDK in isolated Linux VM with browser automation
+
+FROM node:22-slim
+
+# Install system dependencies for Chromium
+RUN apt-get update && apt-get install -y \
+    chromium \
+    fonts-liberation \
+    fonts-noto-color-emoji \
+    libgbm1 \
+    libnss3 \
+    libatk-bridge2.0-0 \
+    libgtk-3-0 \
+    libx11-xcb1 \
+    libxcomposite1 \
+    libxdamage1 \
+    libxrandr2 \
+    libasound2 \
+    libpangocairo-1.0-0 \
+    libcups2 \
+    libdrm2 \
+    libxshmfence1 \
+    curl \
+    git \
+    && rm -rf /var/lib/apt/lists/*
+
+# Set Chromium path for agent-browser
+ENV AGENT_BROWSER_EXECUTABLE_PATH=/usr/bin/chromium
+ENV PLAYWRIGHT_CHROMIUM_EXECUTABLE_PATH=/usr/bin/chromium
+
+# Install agent-browser and claude-code globally
+RUN npm install -g agent-browser @anthropic-ai/claude-code
+
+# Create app directory
+WORKDIR /app
+
+# Copy package files first for better caching
+COPY agent-runner/package*.json ./
+
+# Install dependencies
+RUN npm install
+
+# Copy source code
+COPY agent-runner/ ./
+
+# Build TypeScript
+RUN npm run build
+
+# Create workspace directories
+RUN mkdir -p /workspace/group /workspace/global /workspace/extra /workspace/ipc/messages /workspace/ipc/tasks /workspace/ipc/input
+
+# Create entrypoint script
+# Secrets are passed via stdin JSON — temp file is deleted immediately after Node reads it
+# Follow-up messages arrive via IPC files in /workspace/ipc/input/
+# Apple Container only supports directory mounts (VirtioFS), so .env cannot be
+# shadowed with a host-side /dev/null file mount. Instead the entrypoint starts
+# as root, uses mount --bind to shadow .env, then drops to the host user via setpriv.
+RUN printf '#!/bin/bash\nset -e\n\n# Shadow .env so the agent cannot read host secrets (requires root)\nif [ "$(id -u)" = "0" ] && [ -f /workspace/project/.env ]; then\n  mount --bind /dev/null /workspace/project/.env\nfi\n\n# Compile agent-runner\ncd /app && npx tsc --outDir /tmp/dist 2>&1 >&2\nln -s /app/node_modules /tmp/dist/node_modules\nchmod -R a-w /tmp/dist\n\n# Capture stdin (secrets JSON) to temp file\ncat > /tmp/input.json\n\n# Drop privileges if running as root (main-group containers)\nif [ "$(id -u)" = "0" ] && [ -n "$RUN_UID" ]; then\n  chown "$RUN_UID:$RUN_GID" /tmp/input.json /tmp/dist\n  exec setpriv --reuid="$RUN_UID" --regid="$RUN_GID" --clear-groups -- node /tmp/dist/index.js < /tmp/input.json\nfi\n\nexec node /tmp/dist/index.js < /tmp/input.json\n' > /app/entrypoint.sh && chmod +x /app/entrypoint.sh
+
+# Set ownership to node user (non-root) for writable directories
+RUN chown -R node:node /workspace && chmod 777 /home/node
+
+# Set working directory to group workspace
+WORKDIR /workspace/group
+
+# Entry point reads JSON from stdin, outputs JSON to stdout
+ENTRYPOINT ["/app/entrypoint.sh"]

.claude/skills/convert-to-apple-container/modify/container/Dockerfile.intent.md

@@ -0,0 +1,31 @@
+# Intent: container/Dockerfile modifications
+
+## What changed
+Updated the entrypoint script to shadow `.env` inside the container and drop privileges at runtime, replacing the Docker-style host-side file mount approach.
+
+## Why
+Apple Container (VirtioFS) only supports directory mounts, not file mounts. The Docker approach of mounting `/dev/null` over `.env` from the host causes `VZErrorDomain Code=2 "A directory sharing device configuration is invalid"`. The fix moves the shadowing into the entrypoint using `mount --bind` (which works inside the Linux VM).
+
+## Key sections
+
+### Entrypoint script
+- Added: `mount --bind /dev/null /workspace/project/.env` when running as root and `.env` exists
+- Added: Privilege drop via `setpriv --reuid=$RUN_UID --regid=$RUN_GID --clear-groups` for main-group containers
+- Added: `chown` of `/tmp/input.json` and `/tmp/dist` to target user before dropping privileges
+- Removed: `USER node` directive — main containers start as root to perform the bind mount, then drop privileges in the entrypoint. Non-main containers still get `--user` from the host.
+
+### Dual-path execution
+- Root path (main containers): shadow .env → compile → capture stdin → chown → setpriv drop → exec node
+- Non-root path (other containers): compile → capture stdin → exec node
+
+## Invariants
+- The entrypoint still reads JSON from stdin and runs the agent-runner
+- The compiled output goes to `/tmp/dist` (read-only after build)
+- `node_modules` is symlinked, not copied
+- Non-main containers are unaffected (they arrive as non-root via `--user`)
+
+## Must-keep
+- The `set -e` at the top
+- The stdin capture to `/tmp/input.json` (required because setpriv can't forward stdin piping)
+- The `chmod -R a-w /tmp/dist` (prevents agent from modifying its own runner)
+- The `chown -R node:node /workspace` in the build step