npxc 0.2.0

Sandboxed npm execution for MCP servers via Apple container
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277

//! `npxc doctor` — prerequisite check and system-setup helpers.
//!
//! All functions print their results directly to stdout and absorb errors
//! internally; the goal is to emit as much diagnostic information as possible
//! even when individual checks fail.  The public entry-point is [`run`].

use std::path::Path;

use tokio::process::Command;

// ── JSON shapes ───────────────────────────────────────────────────────────────

/// Parsed output of `container system status --format json`.
///
/// The command emits a single JSON object.
#[derive(Debug, serde::Deserialize)]
struct SystemStatus {
    /// Service state: `"running"`, `"not running"`, or `"unregistered"`.
    status: String,
    /// Platform app-root directory (where kernels live).
    ///
    /// Present as an empty string when the service is not running.
    #[serde(rename = "appRoot")]
    app_root: Option<String>,
}

/// One entry from the `container system version --format json` array.
///
/// The array always contains a CLI entry (`appName == "container"`) and
/// optionally a server entry (`appName == "apiserver"`) when the daemon
/// responds in time.
#[derive(Debug, serde::Deserialize)]
struct VersionInfo {
    version: String,
    #[serde(rename = "buildType")]
    build_type: Option<String>,
    commit: Option<String>,
    #[serde(rename = "appName")]
    app_name: Option<String>,
}

// ── Public entry-point ────────────────────────────────────────────────────────

/// Run all doctor checks against `container_cli`, printing results to stdout.
pub async fn run(container_cli: &str) {
    if !check_cli(container_cli).await {
        return;
    }

    println!();
    println!("container system:");

    let Some(status) = fetch_system_status(container_cli).await else {
        return;
    };

    if ensure_system_running(container_cli, &status).await {
        ensure_kernel(container_cli, &status).await;
    }

    ensure_rosetta_disabled(container_cli).await;
}

// ── CLI check ─────────────────────────────────────────────────────────────────

/// Verify the container CLI is on `PATH` and print its version via
/// `container system version --format json`.
///
/// Returns `false` when the CLI is not found.
async fn check_cli(container_cli: &str) -> bool {
    let Ok(bin_path) = which::which(container_cli) else {
        println!("container CLI:  {container_cli} (NOT FOUND)");
        println!("  Install from: https://github.com/apple/container/releases");
        return false;
    };
    println!("container CLI:  {} (found)", bin_path.display());

    match Command::new(container_cli)
        .args(["system", "version", "--format", "json"])
        .output()
        .await
    {
        Ok(output) => match serde_json::from_slice::<Vec<VersionInfo>>(&output.stdout) {
            Ok(versions) => {
                // Prefer the CLI entry; fall back to first element if the
                // appName field is absent (future-proofing).
                let info = versions
                    .iter()
                    .find(|v| v.app_name.as_deref() == Some("container"))
                    .or_else(|| versions.first());
                match info {
                    Some(v) => {
                        let build = v.build_type.as_deref().unwrap_or("release");
                        let commit = v.commit.as_deref().unwrap_or("");
                        println!("  version:      {} ({build}, {commit})", v.version);
                    }
                    None => println!("  version:      (empty version response)"),
                }
            }
            Err(e) => {
                let raw = String::from_utf8_lossy(&output.stdout);
                println!(
                    "  version:      (JSON parse error: {e}; output: {})",
                    raw.trim()
                );
            }
        },
        Err(e) => println!("  version:      (error running version command: {e})"),
    }

    true
}

// ── System status ─────────────────────────────────────────────────────────────

/// Run `container system status --format json` and return the parsed result.
///
/// The output is captured regardless of exit code — the service being stopped
/// or unregistered is a valid (non-error) state that still produces JSON.
/// Returns `None` and prints an error only when the command cannot be spawned
/// or its stdout is not valid JSON.
async fn fetch_system_status(container_cli: &str) -> Option<SystemStatus> {
    let output = match Command::new(container_cli)
        .args(["system", "status", "--format", "json"])
        .output()
        .await
    {
        Ok(o) => o,
        Err(e) => {
            println!("  status:  (error running status command: {e})");
            return None;
        }
    };

    match serde_json::from_slice::<SystemStatus>(&output.stdout) {
        Ok(s) => Some(s),
        Err(e) => {
            let stderr = String::from_utf8_lossy(&output.stderr);
            println!(
                "  status:  (JSON parse error: {e}; stderr: {})",
                stderr.trim()
            );
            None
        }
    }
}

/// Ensure the container system service is running, starting it if necessary.
///
/// Returns `true` if the service is running after this call.
async fn ensure_system_running(container_cli: &str, status: &SystemStatus) -> bool {
    if status.status == "running" {
        println!("  status:  running \u{2713}");
        return true;
    }

    println!(
        "  status:  {} \u{2014} starting (with kernel install)...",
        status.status
    );
    match Command::new(container_cli)
        .args(["system", "start", "--enable-kernel-install"])
        .status()
        .await
    {
        Ok(s) if s.success() => {
            println!("  status:  started \u{2713}");
            true
        }
        Ok(s) => {
            println!(
                "  status:  `{container_cli} system start` failed (exit code: {:?})",
                s.code()
            );
            false
        }
        Err(e) => {
            println!("  status:  failed to start: {e}");
            false
        }
    }
}

// ── Kernel check ──────────────────────────────────────────────────────────────

/// Ensure a default kernel is installed under `<appRoot>/kernels/`.
///
/// `container system kernel set` stores kernels in the app-root filesystem
/// tree, which is not reflected in `container system property list`, so the
/// directory is checked directly using the `appRoot` field from the status JSON.
async fn ensure_kernel(container_cli: &str, status: &SystemStatus) {
    let kernel_present = status
        .app_root
        .as_deref()
        .filter(|r| !r.is_empty())
        .is_some_and(|root| {
            let kernels_dir = Path::new(root).join("kernels");
            std::fs::read_dir(kernels_dir).is_ok_and(|mut d| d.next().is_some())
        });

    if kernel_present {
        println!("  kernel:  configured \u{2713}");
        return;
    }

    println!("  kernel:  not configured \u{2014} installing recommended kernel...");
    match Command::new(container_cli)
        .args(["system", "kernel", "set", "--recommended"])
        .status()
        .await
    {
        Ok(s) if s.success() => println!("  kernel:  installed \u{2713}"),
        Ok(s) => {
            println!(
                "  kernel:  `{container_cli} system kernel set --recommended` failed \
                 (exit code: {:?})",
                s.code()
            );
            println!("           Run it manually for details.");
        }
        Err(e) => println!("  kernel:  failed to run: {e}"),
    }
}

// ── Rosetta check ─────────────────────────────────────────────────────────────

/// If Rosetta is not installed, disable `build.rosetta` and reset the
/// `BuildKit` builder so cross-arch builds don't fail at bootstrap.
async fn ensure_rosetta_disabled(container_cli: &str) {
    let rosetta_installed = Command::new("/usr/bin/arch")
        .args(["-x86_64", "/usr/bin/true"])
        .stdout(std::process::Stdio::null())
        .stderr(std::process::Stdio::null())
        .status()
        .await
        .is_ok_and(|s| s.success());

    if rosetta_installed {
        return;
    }

    let prop_ok = Command::new(container_cli)
        .args(["system", "property", "set", "build.rosetta", "false"])
        .stdout(std::process::Stdio::null())
        .stderr(std::process::Stdio::null())
        .status()
        .await
        .is_ok_and(|s| s.success());

    if prop_ok {
        println!("  build:   Rosetta not installed \u{2014} set build.rosetta=false \u{2713}");
    } else {
        println!("  build:   Rosetta not installed but could not set property");
        println!("           Run: {container_cli} system property set build.rosetta false");
    }

    // The BuildKit builder caches its launch config; reset it so the next
    // build starts fresh with the updated property.
    let stopped = Command::new(container_cli)
        .args(["builder", "stop"])
        .stdout(std::process::Stdio::null())
        .stderr(std::process::Stdio::null())
        .status()
        .await
        .is_ok_and(|s| s.success());
    let deleted = Command::new(container_cli)
        .args(["builder", "delete", "--force"])
        .stdout(std::process::Stdio::null())
        .stderr(std::process::Stdio::null())
        .status()
        .await
        .is_ok_and(|s| s.success());

    if stopped || deleted {
        println!("  build:   builder reset \u{2713}");
    }
}