Allow use on x86_64 systems (#46)

This PR uses the system architecture to decide which QEMU binary to run. Allows for use on x86_64 machines.

Author: ian-ross

.changeset/red-vms-sneeze.md

@@ -0,0 +1,5 @@
+---
+"pi-enclave": patch
+---
+
+Pass the architecture-specific QEMU binary through to Gondolin when starting the VM.

packages/enclave/README.md

@@ -8,11 +8,11 @@ VM-isolated enclave for [pi](https://pi.dev). Runs all tools inside a [Gondolin]
 pi install npm:pi-enclave
 ```
 
-Requires QEMU: `brew install qemu` (macOS) or `sudo apt install qemu-system-aarch64` (Linux).
+Requires QEMU: `brew install qemu` (macOS) or `sudo apt install qemu-system-x86` / `sudo apt install qemu-system-aarch64` (Linux, matching your host architecture).
 
 ## How it works
 
-pi-enclave starts an Alpine Linux micro-VM (QEMU/aarch64) and redirects all tool execution into it. Your workspace is mounted read-write at the same path inside the VM, so tools see identical paths on host and guest. File changes are bidirectional.
+pi-enclave starts an Alpine Linux micro-VM (QEMU, matching your host architecture) and redirects all tool execution into it. Your workspace is mounted read-write at the same path inside the VM, so tools see identical paths on host and guest. File changes are bidirectional.
 
 The core security property: **secrets never enter the VM**. Secrets configured in your TOML config (like `gh auth token`) are resolved on the host, and their values are replaced with random placeholders inside the VM. Gondolin's HTTP proxy substitutes real values on the wire, only for requests to configured hosts.
 

packages/enclave/src/vm.ts

@@ -232,9 +232,18 @@ export class EnclaveVM {
 			}
 		}
 
-		// Create and start VM
+		// Create and start VM. Pass qemuPath explicitly so the preflight
+		// check and Gondolin launch use the same architecture-specific binary.
+		const qemuPath = qemuBinaryForHost();
+		if (!qemuPath) {
+			throw new Error(`pi-enclave does not support host architecture: ${process.arch}`);
+		}
+
 		this.vm = await VM.create({
-			sandbox: this.options.image ? { imagePath: this.options.image } : undefined,
+			sandbox: {
+				...(this.options.image ? { imagePath: this.options.image } : {}),
+				qemuPath,
+			},
 			httpHooks,
 			env: {
 				...env,
@@ -319,28 +328,42 @@ function shellEscape(s: string): string {
 	return `'${s.replace(/'/g, "'\\''")}'`;
 }
 
+function qemuBinaryForHost(): string | undefined {
+	if (process.arch === "arm64") return "qemu-system-aarch64";
+	if (process.arch === "x64") return "qemu-system-x86_64";
+	return undefined;
+}
+
 /**
  * Check if QEMU is available on the host.
  */
 export function checkQemuAvailable(): { available: boolean; message?: string } {
+	const qemuBinary = qemuBinaryForHost();
+	if (!qemuBinary) {
+		return {
+			available: false,
+			message: `pi-enclave does not support host architecture: ${process.arch}`,
+		};
+	}
+
 	try {
-		execSync("which qemu-system-aarch64", { stdio: "ignore" });
+		execSync(`which ${qemuBinary}`, { stdio: "ignore" });
 		return { available: true };
 	} catch {
 		const platform = process.platform;
 		let installHint: string;
 		if (platform === "darwin") {
 			installHint = "Install with: brew install qemu";
 		} else if (platform === "linux") {
-			installHint =
-				"Install with: sudo apt install qemu-system-aarch64 (Debian/Ubuntu) or sudo pacman -S qemu-full (Arch)";
+			const debianPackage = process.arch === "arm64" ? "qemu-system-aarch64" : "qemu-system-x86";
+			installHint = `Install with: sudo apt install ${debianPackage} (Debian/Ubuntu) or sudo pacman -S qemu-full (Arch)`;
 		} else {
 			installHint = "QEMU is required but your platform may not be supported.";
 		}
 
 		return {
 			available: false,
-			message: `pi-enclave requires QEMU but qemu-system-aarch64 was not found.\n${installHint}`,
+			message: `pi-enclave requires QEMU but ${qemuBinary} was not found.\n${installHint}`,
 		};
 	}
 }