Fail fast in chroot mode on Alpine/musl daemon hosts and document glibc requirements #3397

Merged
lpcox merged 3 commits into main from copilot/fix-chroot-mode-alpine
May 20, 2026

Copilot AI commented May 19, 2026

AWF chroot startup implicitly depended on a glibc/Ubuntu-like daemon host (capsh, /bin/bash, host node path), causing late, cascading runtime failures on Alpine/musl runners. This PR makes that contract explicit and surfaces incompatibility at startup with actionable errors.

  • Chroot preflight hardening (entrypoint)

    • Added an early host-userspace check in chroot path to detect Alpine/musl (/host/etc/alpine-release or musl loader presence).
    • Added explicit fast-fail error messages when musl/Alpine is detected.
    • Tightened prerequisite checks to verify host capsh and /bin/bash before proceeding.
  • Documentation: explicit supported host contract

    • Updated chroot requirements to call out glibc-based daemon host requirement.
    • Documented /bin/bash as required in addition to capsh.
    • Added dedicated troubleshooting section for Alpine/musl detection error.
  • Top-level discoverability

    • Updated README chroot docs entry to note glibc-based daemon host requirement.
# New early preflight behavior in chroot mode
if [ -f /host/etc/alpine-release ] || ls /host/lib/ld-musl-*.so.1 /host/usr/lib/ld-musl-*.so.1 >/dev/null 2>&1; then
  echo "[entrypoint][ERROR] AWF chroot mode requires a glibc-based daemon host (Ubuntu/Debian/RHEL-family)."
  echo "[entrypoint][ERROR] Detected Alpine/musl host filesystem under /host."
  exit 1
fi

Copilot AI changed the title from "[WIP] Fix chroot mode compatibility for Alpine runners" to "Fail fast in chroot mode on Alpine/musl daemon hosts and document glibc requirements" May 19, 2026
Copilot AI requested a review from lpcox May 19, 2026 05:15
Copilot finished work on behalf of lpcox May 19, 2026 05:15
@lpcox lpcox marked this pull request as ready for review May 19, 2026 14:21
Copilot AI review requested due to automatic review settings May 19, 2026 14:21

github-actions Bot commented May 19, 2026

Documentation Preview

Documentation build failed for this PR. View logs.

Built from commit c0daf87

github-actions Bot commented May 19, 2026

✅ Coverage Check Passed

Overall Coverage

Metric Base PR Delta
Lines 95.40% 95.47% 📈 +0.07%
Statements 95.22% 95.29% 📈 +0.07%
Functions 96.55% 96.55% ➡️ +0.00%
Branches 87.87% 87.91% 📈 +0.04%
📁 Per-file Coverage Changes (1 files)
File Lines (Before → After) Statements (Before → After)
src/config-writer.ts 83.0% → 85.6% (+2.54%) 83.0% → 85.6% (+2.54%)

Coverage comparison generated by scripts/ci/compare-coverage.ts

Copilot AI left a comment

Pull request overview

This PR makes AWF chroot mode’s host prerequisites explicit and enforces them early, so incompatible daemon hosts (notably Alpine/musl) fail fast with clear, actionable errors instead of causing cascading runtime failures.

Changes:

  • Added early Alpine/musl detection in the chroot startup path and tightened host prerequisite checks (capsh + /bin/bash) in the agent entrypoint.
  • Updated chroot documentation to explicitly require a glibc-based daemon host and added troubleshooting guidance for the new fail-fast error.
  • Improved top-level discoverability by noting the glibc-host requirement in the README’s docs index.
Show a summary per file
File Description
README.md Notes the glibc-based daemon host requirement in the Chroot mode docs link for discoverability.
docs/chroot-mode.md Documents the glibc + bash requirements and adds troubleshooting for Alpine/musl detection.
containers/agent/entrypoint.sh Implements early musl/Alpine detection and adds explicit host checks for capsh and /bin/bash.

Copilot's findings

  • Files reviewed: 3/3 changed files
  • Comments generated: 2

Comment on lines +591 to +597
# Chroot mode currently requires a glibc-based host userspace.
# Alpine/musl hosts do not provide a compatible capsh/bash toolchain.
if [ -f /host/etc/alpine-release ] || ls /host/lib/ld-musl-*.so.1 /host/usr/lib/ld-musl-*.so.1 >/dev/null 2>&1; then
echo "[entrypoint][ERROR] AWF chroot mode requires a glibc-based daemon host (Ubuntu/Debian/RHEL-family)."
echo "[entrypoint][ERROR] Detected Alpine/musl host filesystem under /host."
echo "[entrypoint][ERROR] Alpine/musl daemon hosts are not currently supported in chroot mode."
exit 1
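
Review bot: The `ls` call in the `if` condition takes both loader globs at once, so it exits non-zero whenever either pattern has no match, and a musl host that has `ld-musl-*.so.1` under only one of `/host/lib` or `/host/usr/lib` and no `/host/etc/alpine-release` gets past this check. Test each glob on its own and OR the results. The three `echo` lines also write to stdout; redirecting them with `>&2` would keep the errors visible when stdout is captured.
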
Comment thread containers/agent/entrypoint.sh Outdated
if ! chroot /host which capsh >/dev/null 2>&1; then
if ! chroot /host /bin/sh -c 'command -v capsh >/dev/null 2>&1'; then
echo "[entrypoint][ERROR] capsh not found on host system"
echo "[entrypoint][ERROR] Install libcap2-bin package: apt-get install libcap2-bin"
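
Review bot: The install hint on the last `echo` line names only `apt-get install libcap2-bin`, while the preflight error above lists RHEL-family hosts as supported, so an operator on such a host is pointed at a package manager they do not have. Name the package per distro family instead of a single apt command. Separately, the new probe runs through `chroot /host /bin/sh -c '...'`, so a host without `/bin/sh` would be reported as "capsh not found"; consider checking the shell first or wording the error to cover both cases.
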

lpcox commented May 19, 2026

@copilot address review feedback

Copilot AI commented May 19, 2026

@copilot address review feedback

Addressed in commit 0434a38.

  • Hardened musl detection by replacing the combined ls glob check with separate compgen -G checks so one unmatched glob can’t suppress Alpine/musl fail-fast detection.
  • Updated the capsh prerequisite error text to be distro-agnostic: Debian/Ubuntu: libcap2-bin; RHEL/Fedora: libcap.

Copilot finished work on behalf of lpcox May 19, 2026 15:00
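
The glob-masking problem addressed in commit 0434a38, reproduced as an added example that is not code from the PR: the first function mirrors the original `ls` check with `/host` replaced by an argument, the second tests each location on its own. The fixture directories, the `has_musl_loader` and `verdict` helpers, and the loader file name are assumptions, and a portable `for` loop stands in for the PR's `compgen -G` so the script also runs under plain `sh`.

```shell
#!/bin/sh
# Added example: why one `ls` over two globs can miss a musl host.
# All host roots are constructed fixtures in a temp dir, standing in for /host.

# Check as first proposed in the PR, with /host replaced by "$1".
detect_combined_ls() {
  [ -f "$1/etc/alpine-release" ] ||
    ls "$1"/lib/ld-musl-*.so.1 "$1"/usr/lib/ld-musl-*.so.1 >/dev/null 2>&1
}

# Hypothetical helper: true if directory "$1" holds a musl loader.
# A for-loop stands in for the PR's `compgen -G`, which needs bash.
has_musl_loader() {
  for f in "$1"/ld-musl-*.so.1; do
    [ -e "$f" ] && return 0   # an unmatched glob stays literal and fails -e
  done
  return 1
}

# Each location is tested separately, so one miss cannot mask a hit.
detect_per_glob() {
  [ -f "$1/etc/alpine-release" ] ||
    has_musl_loader "$1/lib" ||
    has_musl_loader "$1/usr/lib"
}

# Print "detected" or "missed" for check "$1" run against host root "$2".
verdict() {
  if "$1" "$2"; then echo detected; else echo missed; fi
}

FIX=$(mktemp -d)
trap 'rm -rf "$FIX"' EXIT
for host in glibc lib-only both alpine; do
  mkdir -p "$FIX/$host/etc" "$FIX/$host/lib" "$FIX/$host/usr/lib"
done
: > "$FIX/lib-only/lib/ld-musl-x86_64.so.1"   # loader in /lib only
: > "$FIX/both/lib/ld-musl-x86_64.so.1"
: > "$FIX/both/usr/lib/ld-musl-x86_64.so.1"
: > "$FIX/alpine/etc/alpine-release"

for host in glibc lib-only both alpine; do
  printf '%-9s combined-ls=%-9s per-glob=%s\n' "$host" \
    "$(verdict detect_combined_ls "$FIX/$host")" \
    "$(verdict detect_per_glob "$FIX/$host")"
done
```

The `lib-only` row is the case that matters: the combined `ls` check lets that host through, while the per-location check stops it.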
@github-actions
Contributor

Smoke Test Results

GitHub API: 2 PR entries found in recent-prs.json
Playwright: GitHub page navigation successful (title contains "GitHub")
File verify: smoke-test-claude-26104281693.txt exists and valid

Overall: PASS — All smoke tests completed successfully.

💥 [THE END] — Illustrated by Smoke Claude

@github-actions
Contributor

Smoke Test: Copilot BYOK (Offline) Mode

Test Result
GitHub MCP connectivity ✅ (PR #3428 fetched)
GitHub.com connectivity ⚠️ pre-step vars not expanded
File write/read ⚠️ pre-step vars not expanded
BYOK inference (agent → api-proxy → api.githubcopilot.com)

Running in BYOK offline mode (COPILOT_OFFLINE=true) via api-proxy → api.githubcopilot.com.
Author: @Copilot · Assignees: @lpcox @Copilot

Overall: PASS (core BYOK path verified; pre-step template vars unexpanded for tests 2–3)

🔑 BYOK report filed by Smoke Copilot BYOK

@github-actions
Contributor

🤖 Smoke Test Results

Test Result
GitHub MCP ✅ PR data fetched successfully
GitHub.com HTTP ✅ HTTP 200
File write/read ✅ File verified

Overall: PASS

PR: Fail fast in chroot mode on Alpine/musl daemon hosts and document glibc requirements
Author: @Copilot · Assignees: @lpcox, @Copilot

📰 BREAKING: Report filed by Smoke Copilot

@github-actions
Contributor

Smoke test Codex: FAIL
✅ Merged PRs: Refactor option parser facade to direct re-exports and unify flag validation type; tests: replace host-env barrel imports with canonical host-env split modules
❌ safeinputs-gh PR query unavailable
✅ Playwright GitHub title; ❌ Tavily unavailable
✅ File/bash checks; ✅ discussion number/comment; ✅ npm build

Warning

Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

  • registry.npmjs.org

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "registry.npmjs.org"

See Network Configuration for more information.

🔮 The oracle has spoken through Smoke Codex

@github-actions
Contributor

Chroot Smoke Test Results

Runtime Host Version Chroot Version Match?
Python Python 3.12.13 Python 3.12.3
Node.js v24.15.0 v20.20.2
Go go1.22.12 go1.22.12

Result: FAILED — Python and Node.js versions differ between host and chroot. Go matches.

Tested by Smoke Chroot

@github-actions
Contributor

Smoke Test Results: FAIL. See log for details.

Warning

Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

  • localhost

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "localhost"

See Network Configuration for more information.

💎 Faceted by Smoke Gemini

@github-actions
Contributor

Smoke Test Results — FAIL

Check Result
Redis PING ❌ Timeout/no response
PostgreSQL pg_isready ❌ No response
PostgreSQL SELECT 1 ❌ Not attempted (pg_isready failed)

Overall: FAIL. host.docker.internal services are not reachable from this runner environment.

🔌 Service connectivity validated by Smoke Services

@github-actions
Contributor

🏗️ Build Test Suite Results

Ecosystem Project Build/Install Tests Status
Bun elysia 1/1 passed ✅ PASS
Bun hono 1/1 passed ✅ PASS
C++ fmt N/A ✅ PASS
C++ json N/A ✅ PASS
Deno oak N/A 1/1 passed ✅ PASS
Deno std N/A 1/1 passed ✅ PASS
.NET hello-world N/A ✅ PASS
.NET json-parse N/A ✅ PASS
Go color 1/1 passed ✅ PASS
Go env 1/1 passed ✅ PASS
Go uuid 1/1 passed ✅ PASS
Java gson 1/1 passed ✅ PASS
Java caffeine 1/1 passed ✅ PASS
Node.js clsx passed ✅ PASS
Node.js execa passed ✅ PASS
Node.js p-limit passed ✅ PASS
Rust fd 1/1 passed ✅ PASS
Rust zoxide 1/1 passed ✅ PASS

Overall: 8/8 ecosystems passed — ✅ PASS

Generated by Build Test Suite for issue #3397 · ● 4.5M ·

@lpcox lpcox merged commit 864f5af into main May 20, 2026
67 of 70 checks passed
@lpcox lpcox deleted the copilot/fix-chroot-mode-alpine branch May 20, 2026 00:32

Development

Successfully merging this pull request may close these issues.

Chroot mode in awf-agent assumes glibc/Ubuntu daemon host — fails on Alpine/musl runners