feat: US-068 - Fix Pi package asset discovery after SDK import bootstrap

Author: NathanFlurry

.agent/contracts/node-permissions.md

@@ -84,6 +84,11 @@ When a kernel is available, the kernel's `wrapFileSystem` deny-by-default permis
 ### Requirement: Projected Node-Modules Paths MUST Be Read-Only
 When driver-managed node_modules overlay/projection is active (including always-on `/app/node_modules` overlay), projected sandbox module paths (including `/app/node_modules` and descendants) MUST be treated as read-only runtime state.
 
+#### Scenario: Host-absolute package asset reads stay inside the projected closure
+- **WHEN** sandboxed package code derives a host-absolute path for its own projected module files from `import.meta.url`, `__filename`, or `realpath()` and then reads sibling assets such as `package.json`, `README.md`, or bundled theme/template files
+- **THEN** those read operations MUST succeed when the canonical path still resolves inside the configured projected `node_modules` closure
+- **AND** the same host-absolute projected paths MUST remain read-only for write, rename, mkdir, unlink, and rmdir operations
+
 #### Scenario: Sandboxed write targets projected module file
 - **WHEN** sandboxed code attempts `writeFile`, `unlink`, or `rename` for a path under projected `/app/node_modules`
 - **THEN** the operation MUST be denied with `EACCES` regardless of broader filesystem allow rules
@@ -102,4 +107,3 @@ Node-modules overlay access SHALL NOT grant implicit read access to non-overlay
 #### Scenario: Overlay availability does not auto-allow unrelated host reads
 - **WHEN** always-on `/app/node_modules` overlay is available and sandboxed code attempts to read `/etc/passwd` without explicit fs permission allowance
 - **THEN** runtime MUST deny the read with `EACCES`
-

CLAUDE.md

@@ -147,6 +147,7 @@
 - bridge exports that userland constructs with `new` must be assigned as constructable function properties, not object-literal method shorthands; shorthand methods like `createReadStream() {}` are not constructable and vendored fs coverage calls `new fs.createReadStream(...)`
 - `/proc/sys/kernel/hostname` conformance hits both kernel-backed and standalone NodeRuntime paths; a procfs fix that only lands in the kernel layer still leaves `createTestNodeRuntime()` fs/FileHandle coverage red
 - require-transformed ESM must not rely on the CommonJS wrapper's `__filename` / `__dirname` parameter names; keep wrapper internals on private names, synthesize local CJS bindings only for plain CommonJS sources, and compute transformed `import.meta.url` from `pathToFileURL(__secureExecFilename).href`
+- `ModuleAccessFileSystem` must treat host-absolute package asset paths derived from `import.meta.url`, `__filename`, or `realpath()` as part of the same read-only projected `node_modules` closure when they canonicalize inside the configured overlay; Pi and similar SDKs walk to sibling `package.json`/README/theme assets that way
 
 ## Virtual Kernel Architecture
 

packages/nodejs/src/module-access.ts

@@ -153,6 +153,7 @@ function collectOverlayAllowedRoots(hostNodeModulesRoot: string): string[] {
  */
 export class ModuleAccessFileSystem implements VirtualFileSystem {
 	private readonly baseFileSystem?: VirtualFileSystem;
+	private readonly configuredNodeModulesRoot: string;
 	private readonly hostNodeModulesRoot: string | null;
 	private readonly overlayAllowedRoots: string[];
 
@@ -169,6 +170,7 @@ export class ModuleAccessFileSystem implements VirtualFileSystem {
 
 		const cwd = path.resolve(cwdInput);
 		const nodeModulesPath = path.join(cwd, "node_modules");
+		this.configuredNodeModulesRoot = nodeModulesPath;
 		try {
 			this.hostNodeModulesRoot = fsSync.realpathSync(nodeModulesPath);
 			this.overlayAllowedRoots = collectOverlayAllowedRoots(this.hostNodeModulesRoot);
@@ -204,7 +206,10 @@ export class ModuleAccessFileSystem implements VirtualFileSystem {
 	}
 
 	private isReadOnlyProjectionPath(virtualPath: string): boolean {
-		return startsWithPath(virtualPath, SANDBOX_NODE_MODULES_ROOT);
+		return (
+			startsWithPath(virtualPath, SANDBOX_NODE_MODULES_ROOT) ||
+			this.isProjectedHostPath(virtualPath)
+		);
 	}
 
 	private shouldMergeBase(pathValue: string): boolean {
@@ -234,6 +239,35 @@ export class ModuleAccessFileSystem implements VirtualFileSystem {
 		return path.join(this.hostNodeModulesRoot, ...relative.split("/"));
 	}
 
+	private isProjectedHostPath(pathValue: string): boolean {
+		if (!path.isAbsolute(pathValue)) {
+			return false;
+		}
+
+		const resolved = path.resolve(pathValue);
+		if (isWithinPath(resolved, this.configuredNodeModulesRoot)) {
+			return true;
+		}
+		if (
+			this.hostNodeModulesRoot &&
+			isWithinPath(resolved, this.hostNodeModulesRoot)
+		) {
+			return true;
+		}
+		return this.overlayAllowedRoots.some((root) => isWithinPath(resolved, root));
+	}
+
+	private getOverlayHostPathCandidate(pathValue: string): string | null {
+		const overlayPath = this.overlayHostPathFor(pathValue);
+		if (overlayPath) {
+			return overlayPath;
+		}
+		if (!this.isProjectedHostPath(pathValue)) {
+			return null;
+		}
+		return path.resolve(pathValue);
+	}
+
 	prepareOpenSync(pathValue: string, flags: number): boolean {
 		const virtualPath = normalizeOverlayPath(pathValue);
 		if (this.isReadOnlyProjectionPath(virtualPath)) {
@@ -274,7 +308,7 @@ export class ModuleAccessFileSystem implements VirtualFileSystem {
 			);
 		}
 
-		const hostPath = this.overlayHostPathFor(virtualPath);
+		const hostPath = this.getOverlayHostPathCandidate(virtualPath);
 		if (!hostPath) {
 			return null;
 		}

packages/secure-exec/tests/cli-tools/pi-sdk-bootstrap.test.ts

@@ -0,0 +1,117 @@
+import { existsSync } from "node:fs";
+import path from "node:path";
+import { fileURLToPath } from "node:url";
+import { afterEach, describe, expect, it } from "vitest";
+import {
+	NodeRuntime,
+	allowAll,
+	createNodeDriver,
+	createNodeRuntimeDriverFactory,
+} from "../../src/index.js";
+
+const __dirname = path.dirname(fileURLToPath(import.meta.url));
+const SECURE_EXEC_ROOT = path.resolve(__dirname, "../..");
+const PI_CONFIG_ENTRY = path.resolve(
+	SECURE_EXEC_ROOT,
+	"node_modules/@mariozechner/pi-coding-agent/dist/config.js",
+);
+
+function skipUnlessPiInstalled(): string | false {
+	return existsSync(PI_CONFIG_ENTRY)
+		? false
+		: "@mariozechner/pi-coding-agent not installed";
+}
+
+function parseLastJsonLine(stdout: string): Record<string, unknown> {
+	const line = stdout
+		.trim()
+		.split("\n")
+		.map((entry) => entry.trim())
+		.filter(Boolean)
+		.at(-1);
+
+	if (!line) {
+		throw new Error(`sandbox produced no JSON output: ${JSON.stringify(stdout)}`);
+	}
+
+	return JSON.parse(line) as Record<string, unknown>;
+}
+
+describe.skipIf(skipUnlessPiInstalled())("Pi SDK bootstrap in NodeRuntime", () => {
+	let runtime: NodeRuntime | undefined;
+
+	afterEach(async () => {
+		await runtime?.terminate();
+		runtime = undefined;
+	});
+
+	it("resolves Pi package assets from the package root after config bootstrap", async () => {
+		const stdout: string[] = [];
+		const stderr: string[] = [];
+
+		runtime = new NodeRuntime({
+			onStdio: (event) => {
+				if (event.channel === "stdout") stdout.push(event.message);
+				if (event.channel === "stderr") stderr.push(event.message);
+			},
+			systemDriver: createNodeDriver({
+				moduleAccess: { cwd: SECURE_EXEC_ROOT },
+				permissions: allowAll,
+			}),
+			runtimeDriverFactory: createNodeRuntimeDriverFactory(),
+		});
+
+		const result = await runtime.exec(
+			`
+      const fs = require("node:fs");
+      (async () => {
+        try {
+          const config = await import(${JSON.stringify(PI_CONFIG_ENTRY)});
+          const packageJsonPath = config.getPackageJsonPath();
+          const readmePath = config.getReadmePath();
+          const themesDir = config.getThemesDir();
+          console.log(JSON.stringify({
+            ok: true,
+            appName: config.APP_NAME,
+            version: config.VERSION,
+            packageJsonPath,
+            packageJsonExists: fs.existsSync(packageJsonPath),
+            readmePath,
+            readmeExists: fs.existsSync(readmePath),
+            themesDir,
+            themesDirExists: fs.existsSync(themesDir),
+          }));
+        } catch (error) {
+          console.log(JSON.stringify({
+            ok: false,
+            error: String(error),
+            stack: error && typeof error === "object" && "stack" in error ? error.stack : undefined,
+          }));
+          process.exitCode = 1;
+        }
+      })();
+    `,
+			{ cwd: SECURE_EXEC_ROOT },
+		);
+
+		expect(result.code, stderr.join("")).toBe(0);
+
+		const payload = parseLastJsonLine(stdout.join(""));
+		expect(payload.ok).toBe(true);
+		expect(payload.appName).toBe("pi");
+		expect(payload.version).toBe("0.60.0");
+		expect(payload.packageJsonExists).toBe(true);
+		expect(String(payload.packageJsonPath)).toMatch(
+			/node_modules\/@mariozechner\/pi-coding-agent\/package\.json$/,
+		);
+		expect(String(payload.packageJsonPath)).not.toMatch(/\/dist\/package\.json$/);
+		expect(payload.readmeExists).toBe(true);
+		expect(String(payload.readmePath)).toMatch(
+			/node_modules\/@mariozechner\/pi-coding-agent\/README\.md$/,
+		);
+		expect(payload.themesDirExists).toBe(true);
+		expect(String(payload.themesDir)).toMatch(
+			/node_modules\/@mariozechner\/pi-coding-agent\/dist\/modes\/interactive\/theme$/,
+		);
+	});
+});

packages/secure-exec/tests/cli-tools/pi-sdk-real-provider.test.ts

@@ -196,8 +196,8 @@ describe.skipIf(skipReason)('Pi SDK real-provider E2E (sandbox VM)', () => {
       const error = String(payload.error ?? '');
       expect(payload.ok).toBe(false);
       expect(error).toContain('@mariozechner/pi-coding-agent');
-      expect(error).toContain('dist/config.js');
-      expect(error).toContain("Identifier '__filename' has already been declared");
+      expect(error).not.toContain("Identifier '__filename' has already been declared");
+      expect(error).not.toContain('/dist/package.json');
     },
     55_000,
   );

packages/secure-exec/tests/runtime-driver/node/module-access.test.ts

@@ -62,6 +62,7 @@ async function writePackage(
 	options: {
 		main?: string;
 		dependencies?: Record<string, string>;
+		packageJsonFields?: Record<string, unknown>;
 		files: PackageFiles;
 	},
 ): Promise<string> {
@@ -75,6 +76,7 @@ async function writePackage(
 		name: packageName,
 		main: options.main ?? "index.js",
 		dependencies: options.dependencies,
+		...options.packageJsonFields,
 	};
 	await writeFile(
 		path.join(packageDir, "package.json"),
@@ -216,6 +218,44 @@ describe("moduleAccess overlay", () => {
 		expect(capture.stdout()).toBe("42:host-file\n");
 	});
 
+	it("allows sync fs access to host absolute paths within the projected module tree", async () => {
+		const projectDir = await createTempProject();
+		tempDirs.push(projectDir);
+		const entryPath = path.join(
+			projectDir,
+			"node_modules",
+			"asset-probe",
+			"dist",
+			"config.js",
+		);
+		const packageJsonPath = path.join(
+			projectDir,
+			"node_modules",
+			"asset-probe",
+			"package.json",
+		);
+
+		await writePackage(projectDir, "asset-probe", {
+			files: {
+				"dist/config.js": "module.exports = { ok: true };",
+			},
+		});
+
+		const driver = createModuleAccessDriver({
+			moduleAccess: {
+				cwd: projectDir,
+			},
+		});
+		const filesystem = driver.filesystem!;
+
+		expect(await filesystem.exists(entryPath)).toBe(true);
+		expect(await filesystem.realpath(entryPath)).toBe(entryPath);
+		expect(await filesystem.exists(packageJsonPath)).toBe(true);
+		expect(await filesystem.readTextFile(packageJsonPath)).toContain(
+			'"name": "asset-probe"',
+		);
+	});
+
 	it("keeps projected node_modules read-only", async () => {
 		const projectDir = await createTempProject();
 		tempDirs.push(projectDir);

scripts/ralph/prd.json

@@ -1141,7 +1141,7 @@
         "Typecheck passes"
       ],
       "priority": 53.2,
-      "passes": false,
+      "passes": true,
       "notes": "Next blocker exposed by US-067. Exact repro as of 2026-03-26: after the `__filename` collision fix, importing `@mariozechner/pi-coding-agent@0.60.0` through NodeRuntime reaches `dist/config.js` and then fails with `ENOENT: no such file or directory, open '<repo>/node_modules/.pnpm/.../@mariozechner/pi-coding-agent/dist/package.json'`. Proposed unblock path: inspect how the sandboxed FS / path resolution is handling Pi's package-root detection and why `getPackageDir()` stops at `dist/` instead of the package root."
     },
     {

scripts/ralph/progress.txt

@@ -1,4 +1,5 @@
 ## Codebase Patterns
+- `ModuleAccessFileSystem` must allow read-only host-absolute package asset paths derived from `import.meta.url`, `__filename`, or `realpath()` when they canonicalize back into the configured `node_modules` overlay; real SDKs like Pi walk to sibling `package.json`, README, and theme/template assets that way.
 - Real-provider tool-integration coverage should stay opt-in via a dedicated env flag (for example `SECURE_EXEC_PI_REAL_PROVIDER_E2E=1`) and load secrets at runtime from `process.env` with `~/misc/env.txt` as a local fallback; never commit credentials or silently swap the live provider path back to a mock redirect.
 - Kernel-backed `/proc/self` tests must run through a process-scoped runtime such as `createNodeRuntime()` + `kernel.spawn('node', ...)` (or `createProcessScopedFileSystem`); raw kernel `vfs` calls have no caller PID context, and standalone NodeRuntime intentionally keeps `/proc/self/environ` denied.
 - `AF_UNIX` sockets are local IPC, not host networking: kernel `SocketTable` bind/listen/connect for path sockets must stay fully in-kernel, bypass `permissions.network`, and use only the listener registry plus VFS socket-file state.
@@ -733,3 +734,14 @@
   - `import.meta.url` compatibility cannot be implemented by rewriting to the wrapper `__filename`; it must stay a file URL string, which in this runtime means deriving it from `pathToFileURL(__secureExecFilename).href`.
   - Once the duplicate-binding bootstrap bug is removed, Pi v0.60.0 immediately hits package-root discovery (`dist/package.json` ENOENT), so the next investigation should focus on sandboxed filesystem/path resolution rather than provider traffic.
 ---
+## [2026-03-26 13:44 PDT] - US-068
+- Fixed `ModuleAccessFileSystem` so host-absolute package asset paths inside the projected `node_modules` closure stay readable and read-only after `import.meta.url` / `__filename` / `realpath()` resolution, instead of disappearing outside the overlay.
+- Added deterministic coverage for host-absolute projected-path reads in `packages/secure-exec/tests/runtime-driver/node/module-access.test.ts`, added a Pi-specific bootstrap smoke in `packages/secure-exec/tests/cli-tools/pi-sdk-bootstrap.test.ts`, and updated the opt-in real-provider harness so it no longer expects the resolved `dist/package.json` blocker.
+- Verified the original Pi blocker is gone: importing `packages/secure-exec/node_modules/@mariozechner/pi-coding-agent/dist/config.js` through `NodeRuntime` now resolves package metadata/assets from the package root, and a follow-up manual probe of `dist/index.js` now advances to the next concrete blocker, `Cannot find module '#ansi-styles'` from `chalk/source/index.js`.
+- Verified with `pnpm --filter @secure-exec/nodejs build`, `pnpm vitest run packages/secure-exec/tests/cli-tools/pi-sdk-bootstrap.test.ts`, `pnpm vitest run packages/secure-exec/tests/runtime-driver/node/module-access.test.ts -t 'allows sync fs access to host absolute paths within the projected module tree'`, `pnpm vitest run packages/secure-exec/tests/cli-tools/pi-sdk-real-provider.test.ts`, `pnpm --filter @secure-exec/nodejs check-types`, `pnpm --filter @secure-exec/core check-types`, and `pnpm --filter secure-exec check-types`.
+- Files changed: `CLAUDE.md`, `.agent/contracts/node-permissions.md`, `packages/nodejs/src/module-access.ts`, `packages/secure-exec/tests/runtime-driver/node/module-access.test.ts`, `packages/secure-exec/tests/cli-tools/pi-sdk-bootstrap.test.ts`, `packages/secure-exec/tests/cli-tools/pi-sdk-real-provider.test.ts`, `scripts/ralph/prd.json`, `scripts/ralph/progress.txt`
+- **Learnings for future iterations:**
+  - Pi-style package bootstraps can escape `/root/node_modules` string paths even when the module itself was projected correctly; the overlay has to recognize host-absolute paths that canonicalize back into the configured package roots.
+  - The quickest proof that a projected-package asset bug is fixed is a direct `dist/config.js` smoke through `NodeRuntime`; it isolates package-root detection before later SDK dependencies muddy the failure.
+  - After this fix, the next Pi SDK blocker is no longer filesystem discovery: importing `dist/index.js` now dies in Chalk import-map resolution (`#ansi-styles`), so follow-up work should stay in module resolution rather than package asset access.
+---