fix: mount ~/.cargo read-only in chroot, hide only credentials file

The previous approach hid the entire ~/.cargo directory via tmpfs AND
skipped mounting it unless --allow-full-filesystem-access was set.
This broke Rust toolchain access in chroot mode (rustc not found).

Now ~/.cargo is always mounted read-only in chroot mode for toolchain
access, and only ~/.cargo/credentials is hidden via tmpfs to protect
crates.io tokens.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: Mossaka

src/docker-manager.test.ts

@@ -655,7 +655,7 @@ describe('docker-manager', () => {
       expect(volumes).not.toContain(`${homeDir}:/host${homeDir}:rw`);
     });
 
-    it('should not mount .cargo when enableChroot is true and allowFullFilesystemAccess is false', () => {
+    it('should mount .cargo read-only and hide only credentials when enableChroot is true and allowFullFilesystemAccess is false', () => {
       const configWithChroot = {
         ...mockConfig,
         enableChroot: true,
@@ -666,14 +666,14 @@ describe('docker-manager', () => {
       const volumes = agent.volumes as string[];
       const tmpfs = agent.tmpfs as string[];
 
-      // Should NOT mount .cargo as volume (it's hidden via tmpfs)
+      // Should mount .cargo as volume (read-only) so toolchain binaries are accessible
       const homeDir = process.env.HOME || '/root';
       const escapeRegExp = (s: string): string => s.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
-      const cargoVolumePattern = new RegExp(`${escapeRegExp(homeDir)}.*\\.cargo.*:/host.*\\.cargo`);
-      expect(volumes.some((v: string) => cargoVolumePattern.test(v))).toBe(false);
+      const cargoVolumePattern = new RegExp(`${escapeRegExp(homeDir)}/\\.cargo:/host.*\\.cargo:ro`);
+      expect(volumes.some((v: string) => cargoVolumePattern.test(v))).toBe(true);
 
-      // Should have .cargo hidden via tmpfs
-      expect(tmpfs.some((t: string) => t.includes('.cargo'))).toBe(true);
+      // Should hide only .cargo/credentials via tmpfs (not the entire directory)
+      expect(tmpfs.some((t: string) => t.includes('.cargo/credentials'))).toBe(true);
     });
 
     it('should mount .cargo when enableChroot is true and allowFullFilesystemAccess is true', () => {

src/docker-manager.ts

@@ -503,9 +503,9 @@ export function generateDockerCompose(
     }
 
     // Mount ~/.cargo for Rust binaries (read-only) if it exists
-    // SKIP if allowFullFilesystemAccess is false (credentials will be hidden via tmpfs)
+    // Credentials in ~/.cargo/credentials are hidden separately via tmpfs
     const hostCargoDir = path.join(userHome, '.cargo');
-    if (fs.existsSync(hostCargoDir) && config.allowFullFilesystemAccess) {
+    if (fs.existsSync(hostCargoDir)) {
       agentVolumes.push(`${hostCargoDir}:/host${hostCargoDir}:ro`);
     }
 
@@ -705,7 +705,7 @@ export function generateDockerCompose(
       `${effectiveHome}/.azure`,        // Azure credentials
       `${effectiveHome}/.config/gcloud`, // Google Cloud credentials
       `${effectiveHome}/.config/gh`,    // GitHub CLI OAuth tokens
-      `${effectiveHome}/.cargo`,        // Rust crates.io tokens (credentials file)
+      `${effectiveHome}/.cargo/credentials`, // Rust crates.io tokens
       `${effectiveHome}/.composer`,     // PHP Composer tokens (auth.json)
     ];
 
@@ -739,7 +739,7 @@ export function generateDockerCompose(
       `${userHome}/.azure`,        // Azure credentials
       `${userHome}/.config/gcloud`, // Google Cloud credentials
       `${userHome}/.config/gh`,    // GitHub CLI OAuth tokens
-      `${userHome}/.cargo`,        // Rust crates.io tokens (credentials file)
+      `${userHome}/.cargo/credentials`, // Rust crates.io tokens
       `${userHome}/.composer`,     // PHP Composer tokens (auth.json)
     ];