[codex] Enable sudo fallback for Docker panel (#1466)

* Enable sudo fallback for Docker panel

* Prefer sudo for Docker panel commands

* Use pending saved sudo password immediately

* Try plain Docker before sudo fallback

* Detect Docker before sudo fallback

* Add sudo fallback for Docker popup commands

* Harden Docker popup sudo fallback

Author: binaricat

components/terminal/runtime/createTerminalSessionStarters.test.ts

@@ -161,6 +161,47 @@ test("startSSH forwards custom ProxyCommand to the SSH bridge", async () => {
   });
 });
 
+test("startSSH forwards the saved sudo autofill password to the SSH bridge", async () => {
+  let capturedOptions: Record<string, unknown> | null = null;
+  const terminalBackend = {
+    backendAvailable: () => true,
+    telnetAvailable: () => true,
+    moshAvailable: () => true,
+    localAvailable: () => true,
+    serialAvailable: () => true,
+    execAvailable: () => true,
+    startSSHSession: async (options: Record<string, unknown>) => {
+      capturedOptions = options;
+      return "ssh-session";
+    },
+    startTelnetSession: async () => "telnet-session",
+    startMoshSession: async () => "mosh-session",
+    startLocalSession: async () => "local-session",
+    startSerialSession: async () => "serial-session",
+    execCommand: async () => ({}),
+    onSessionData: () => noop,
+    onSessionExit: () => noop,
+    onChainProgress: () => noop,
+    writeToSession: noop,
+    resizeSession: noop,
+  };
+  const ctx = createStarterContext({
+    host: {
+      id: "host-1",
+      label: "Target",
+      hostname: "target.example.test",
+      username: "alice",
+      password: "login-secret",
+    },
+    terminalBackend,
+    sudoAutofillPassword: "sudo-secret",
+  });
+
+  await createTerminalSessionStarters(ctx as never).startSSH(createTermStub() as never);
+
+  assert.equal(capturedOptions?.sudoAutofillPassword, "sudo-secret");
+});
+
 test("startSSH enables sudo autofill only with the host saved password", async () => {
   let onData: ((data: string) => void) | null = null;
   const sent: string[] = [];
@@ -255,7 +296,7 @@ test("startSSH does not use unsaved retry passwords for sudo autofill", async ()
   assert.deepEqual(sent, []);
 });
 
-test("startSSH prefers latest sudo autofill password state over pending saved auth", async () => {
+test("startSSH uses pending saved auth for sudo autofill on the first saved connection", async () => {
   let onData: ((data: string) => void) | null = null;
   const sent: string[] = [];
   const terminalBackend = {
@@ -296,14 +337,15 @@ test("startSSH prefers latest sudo autofill password state over pending saved au
       },
     },
     terminalBackend,
-    sudoAutofillPasswordRef: { current: undefined },
+    sudoAutofillPasswordRef: { current: "stale-secret" },
   });
 
   await createTerminalSessionStarters(ctx as never).startSSH(createTermStub() as never);
   ctx.sudoAutofillRef.current?.armForCommand("sudo whoami");
   onData?.("[sudo] password for alice: ");
+  ctx.sudoAutofillRef.current?.confirmFill();
 
-  assert.deepEqual(sent, []);
+  assert.deepEqual(sent, ["pending-secret\n"]);
 });
 
 test("startSSH does not use merged group default passwords for sudo autofill", async () => {

components/terminal/runtime/createTerminalSessionStarters.ts

@@ -53,13 +53,13 @@ export const createTerminalSessionStarters = (ctx: TerminalSessionStartersContex
   };
 
   const resolveSavedSudoAutofillPassword = (): string | undefined => {
-    if (ctx.sudoAutofillPasswordRef) {
-      return sanitizeCredentialValue(ctx.sudoAutofillPasswordRef.current);
-    }
     const pendingAuth = ctx.pendingAuthRef.current;
     if (pendingAuth?.savedToHost && pendingAuth.password) {
       return sanitizeCredentialValue(pendingAuth.password);
     }
+    if (ctx.sudoAutofillPasswordRef) {
+      return sanitizeCredentialValue(ctx.sudoAutofillPasswordRef.current);
+    }
     return sanitizeCredentialValue(ctx.sudoAutofillPassword);
   };
 
@@ -401,6 +401,7 @@ export const createTerminalSessionStarters = (ctx: TerminalSessionStartersContex
           sshDebugLogEnabled: ctx.sshDebugLogEnabled,
           identityFilePaths: attempt.password ? undefined : targetIdentityFilePaths,
           knownHosts: ctx.knownHosts,
+          sudoAutofillPassword: resolveSavedSudoAutofillPassword(),
           // Ask the bridge to reuse the source tab's authenticated connection
           // (issue #1204). Only honored on the very first connect attempt; the
           // bridge silently falls back to a fresh connection if the source is
@@ -764,6 +765,7 @@ export const createTerminalSessionStarters = (ctx: TerminalSessionStartersContex
         // Lets the stats companion verify the host key before sending a saved
         // password (#1198), so it never discloses it to an unvetted host.
         knownHosts: ctx.knownHosts,
+        sudoAutofillPassword: resolveSavedSudoAutofillPassword(),
         cols: term.cols,
         rows: term.rows,
         charset: ctx.host.charset,
@@ -1002,6 +1004,7 @@ export const createTerminalSessionStarters = (ctx: TerminalSessionStartersContex
         knownHosts: ctx.knownHosts,
         jumpHosts: jumpHosts.length > 0 ? jumpHosts : undefined,
         agentForwarding: ctx.host.agentForwarding,
+        sudoAutofillPassword: resolveSavedSudoAutofillPassword(),
         cols: term.cols,
         rows: term.rows,
         charset: ctx.host.charset,

domain/remoteHistory.ts

@@ -9,7 +9,7 @@ export function isNetcattyAiHistoryCommand(command: string): boolean {
 }
 
 const NETCATTY_MANAGED_STARTUP_COMMAND =
-  /^printf '\\033\[H\\033\[2J\\033\[3J';\s*exec\s+(?:docker\s+(?:exec|logs)\b|tmux\s+attach\b)/;
+  /^(?:sh\s+-c\s+.*printf .*\\033\[H\\033\[2J\\033\[3J.*_nc_docker_err=.*\bdocker\s+inspect\b|printf '\\033\[H\\033\[2J\\033\[3J';\s*(?:_nc_docker_err=.*\bdocker\s+inspect\b|exec\s+(?:docker\s+(?:exec|logs)\b|tmux\s+attach\b)))/;
 
 /** True when a shell history line came from a Netcatty-managed terminal launch. */
 export function isNetcattyManagedStartupHistoryCommand(command: string): boolean {

domain/systemManager/dockerShell.test.ts

@@ -0,0 +1,30 @@
+import test from 'node:test';
+import assert from 'node:assert/strict';
+
+import { buildDockerExecShellCommand, buildDockerLogsCommand } from './dockerShell.ts';
+
+test('buildDockerExecShellCommand probes plain Docker before sudo fallback', () => {
+  const command = buildDockerExecShellCommand('587abcdef123');
+
+  assert.match(command, /^sh -c /);
+  assert.match(command, /printf .*\\033\[H\\033\[2J\\033\[3J/);
+  assert.match(command, /docker inspect 587abcdef123/);
+  assert.match(command, /exec docker exec -it 587abcdef123/);
+  assert.match(command, /exec sudo docker exec -it 587abcdef123/);
+  assert.match(command, /permission\\ denied.*docker.sock.*docker.sock.*permission\\ denied/);
+  assert.doesNotMatch(command, /sudo -S/);
+  assert.equal(command.includes('\n'), false);
+});
+
+test('buildDockerLogsCommand probes plain Docker before sudo fallback', () => {
+  const command = buildDockerLogsCommand('587abcdef123');
+
+  assert.match(command, /^sh -c /);
+  assert.match(command, /printf .*\\033\[H\\033\[2J\\033\[3J/);
+  assert.match(command, /docker inspect 587abcdef123/);
+  assert.match(command, /exec docker logs -f --tail 200 587abcdef123/);
+  assert.match(command, /exec sudo docker logs -f --tail 200 587abcdef123/);
+  assert.match(command, /permission\\ denied.*docker.sock.*docker.sock.*permission\\ denied/);
+  assert.doesNotMatch(command, /sudo -S/);
+  assert.equal(command.includes('\n'), false);
+});

domain/systemManager/dockerShell.ts

@@ -5,15 +5,48 @@ export function sanitizeDockerContainerId(id: string): string {
 
 const CLEAR_STARTUP_OUTPUT = "printf '\\033[H\\033[2J\\033[3J';";
 
+function shQuote(value: string): string {
+  return `'${String(value).replace(/'/g, `'"'"'`)}'`;
+}
+
+function buildDockerCommandWithSudoFallback(containerId: string, dockerArgs: string): string {
+  const plainCommand = `docker ${dockerArgs}`;
+  const sudoCommand = `sudo ${plainCommand}`;
+  const script = [
+    CLEAR_STARTUP_OUTPUT,
+    `_nc_docker_err=$(docker inspect ${containerId} 2>&1 >/dev/null);`,
+    '_nc_docker_status=$?;',
+    `if [ "$_nc_docker_status" -eq 0 ]; then exec ${plainCommand}; fi;`,
+    '_nc_docker_lc=$(printf \'%s\' "$_nc_docker_err" | tr \'[:upper:]\' \'[:lower:]\');',
+    'case "$_nc_docker_lc" in',
+    [
+      '*permission\\ denied*docker\\ daemon*',
+      '*docker\\ daemon*permission\\ denied*',
+      '*permission\\ denied*docker.sock*',
+      '*docker.sock*permission\\ denied*',
+      '*permission\\ denied*/var/run/docker.sock*',
+      '*/var/run/docker.sock*permission\\ denied*',
+      '*permission\\ denied*connect\\ to\\ the\\ docker\\ daemon*',
+      '*connect\\ to\\ the\\ docker\\ daemon*permission\\ denied*',
+    ].join('|') + `) exec ${sudoCommand} ;;`,
+    '*) printf \'%s\\n\' "$_nc_docker_err" >&2; exit "$_nc_docker_status" ;;',
+    'esac',
+  ].join(' ');
+  return `sh -c ${shQuote(script)}`;
+}
+
 /** Interactive shell into a container — prefer bash, fall back to sh. */
 export function buildDockerExecShellCommand(containerId: string): string {
   const safeId = sanitizeDockerContainerId(containerId);
   if (!safeId) return 'echo "Invalid container id"';
-  return `${CLEAR_STARTUP_OUTPUT} exec docker exec -it ${safeId} sh -c 'command -v bash >/dev/null 2>&1 && exec bash || exec sh'`;
+  return buildDockerCommandWithSudoFallback(
+    safeId,
+    `exec -it ${safeId} sh -c 'command -v bash >/dev/null 2>&1 && exec bash || exec sh'`,
+  );
 }
 
 export function buildDockerLogsCommand(containerId: string): string {
   const safeId = sanitizeDockerContainerId(containerId);
   if (!safeId) return 'echo "Invalid container id"';
-  return `${CLEAR_STARTUP_OUTPUT} exec docker logs -f --tail 200 ${safeId}`;
+  return buildDockerCommandWithSudoFallback(safeId, `logs -f --tail 200 ${safeId}`);
 }

electron/bridges/sshBridge/startSession.cjs

@@ -38,6 +38,9 @@ function createStartSessionApi(ctx) {
         hostname: options.host || options.hostname || '',
         username: options.username || '',
         label: options.label || '',
+        systemManagerSudoPassword: typeof options.sudoAutofillPassword === 'string' && options.sudoAutofillPassword.length > 0
+          ? options.sudoAutofillPassword
+          : undefined,
         lastIdlePrompt: '',
         lastIdlePromptAt: 0,
         _promptTrackTail: '',

electron/bridges/systemManager/dockerOps.cjs

@@ -19,6 +19,37 @@ function sanitizeImageRef(ref) {
   return trimmed || null;
 }
 
+function isSuccessfulCommandResult(result) {
+  return result?.success && (result.code === 0 || result.code === null || result.code === undefined);
+}
+
+function dockerCommandError(result, fallback) {
+  return (result?.stderr || result?.error || "").trim() || fallback;
+}
+
+function isDockerSocketPermissionError(result) {
+  const text = `${result?.stderr || ""}\n${result?.stdout || ""}\n${result?.error || ""}`.toLowerCase();
+  if (!text.includes("permission denied")) return false;
+  return text.includes("docker daemon")
+    || text.includes("docker.sock")
+    || text.includes("/var/run/docker.sock")
+    || text.includes("connect to the docker daemon");
+}
+
+function getSessionSudoPassword(session) {
+  return typeof session?.systemManagerSudoPassword === "string" && session.systemManagerSudoPassword.length > 0
+    ? session.systemManagerSudoPassword
+    : null;
+}
+
+function buildDockerCommand(args) {
+  return `docker ${args}`.trim();
+}
+
+function buildSudoDockerCommand(args) {
+  return `sudo -S -p '' ${buildDockerCommand(args)}`;
+}
+
 function parseDockerContainers(stdout) {
   const containers = [];
   for (const line of (stdout || "").split("\n")) {
@@ -132,39 +163,49 @@ function summarizeContainerInspect(info) {
   };
 }
 
-function createDockerOpsApi({ execOnSession }) {
+function createDockerOpsApi({ execOnSession, getSession }) {
   async function runDocker(event, sessionId, args, timeoutMs = 15000) {
-    const cmd = `docker ${args}`;
+    const cmd = buildDockerCommand(args);
     const result = await execOnSession(event, sessionId, cmd, timeoutMs);
+    if (isSuccessfulCommandResult(result)) return result;
+
+    const sudoPassword = getSessionSudoPassword(getSession?.(sessionId));
+
+    if (sudoPassword && isDockerSocketPermissionError(result)) {
+      const sudoResult = await execOnSession(
+        event,
+        sessionId,
+        buildSudoDockerCommand(args),
+        timeoutMs,
+        { stdin: `${sudoPassword}\n` },
+      );
+      if (isSuccessfulCommandResult(sudoResult)) return sudoResult;
+      return {
+        success: false,
+        error: dockerCommandError(sudoResult, `sudo docker exited with code ${sudoResult?.code}`),
+        stderr: sudoResult?.stderr,
+      };
+    }
+
     if (!result.success) return result;
     if (result.code !== 0 && result.code !== null && result.code !== undefined) {
       return {
         success: false,
-        error: (result.stderr || "").trim() || `docker exited with code ${result.code}`,
+        error: dockerCommandError(result, `docker exited with code ${result.code}`),
         stderr: result.stderr,
       };
     }
     return result;
   }
 
   async function listContainers(event, sessionId) {
-    const result = await execOnSession(
-      event,
-      sessionId,
-      "docker ps -a --format '{{json .}}'",
-      12000,
-    );
+    const result = await runDocker(event, sessionId, "ps -a --format '{{json .}}'", 12000);
     if (!result.success) return { success: false, error: result.error };
     return { success: true, containers: parseDockerContainers(result.stdout) };
   }
 
   async function listImages(event, sessionId) {
-    const result = await execOnSession(
-      event,
-      sessionId,
-      "docker images --format '{{json .}}'",
-      12000,
-    );
+    const result = await runDocker(event, sessionId, "images --format '{{json .}}'", 12000);
     if (!result.success) return { success: false, error: result.error };
     return { success: true, images: parseDockerImages(result.stdout) };
   }
@@ -174,10 +215,10 @@ function createDockerOpsApi({ execOnSession }) {
     if (!sessionId) return { success: false, error: "Missing sessionId" };
     const ids = Array.isArray(payload?.ids) ? payload.ids.filter(Boolean) : [];
     const idArg = ids.map((id) => sanitizeDockerId(id)).filter(Boolean).join(" ");
-    const result = await execOnSession(
+    const result = await runDocker(
       event,
       sessionId,
-      `docker stats --no-stream --format '{{json .}}' ${idArg}`.trim(),
+      `stats --no-stream --format '{{json .}}' ${idArg}`.trim(),
       15000,
     );
     if (!result.success) return { success: false, error: result.error };
@@ -188,7 +229,7 @@ function createDockerOpsApi({ execOnSession }) {
     const { sessionId, containerId } = payload || {};
     if (!sessionId || !containerId) return { success: false, error: "Missing params" };
     const safeId = sanitizeDockerId(containerId);
-    const result = await execOnSession(event, sessionId, `docker inspect ${safeId}`, 10000);
+    const result = await runDocker(event, sessionId, `inspect ${safeId}`, 10000);
     if (!result.success) return { success: false, error: result.error };
     try {
       const parsed = JSON.parse(result.stdout || "[]");
@@ -203,7 +244,7 @@ function createDockerOpsApi({ execOnSession }) {
     const { sessionId, imageId } = payload || {};
     if (!sessionId || !imageId) return { success: false, error: "Missing params" };
     const safeId = sanitizeDockerId(imageId);
-    const result = await execOnSession(event, sessionId, `docker image inspect ${safeId}`, 10000);
+    const result = await runDocker(event, sessionId, `image inspect ${safeId}`, 10000);
     if (!result.success) return { success: false, error: result.error };
     try {
       const parsed = JSON.parse(result.stdout || "[]");