[awf] Agent container: Copilot CLI fails with node: command not found on runner bootstrap #2159

@lpcox

Description

Problem

Two scheduled Copilot-engine workflows fail at runner initialization with:

/bin/bash: line 1: node: command not found

The Copilot CLI engine requires Node.js to execute. The runner environment does not have node on PATH, causing the startup script to fail immediately with exit code 1. Zero turns and zero tool calls are recorded — this is a pre-inference failure.

Context

Root Cause

The AWF agent container (containers/agent/) is based on ubuntu:22.04 and relies on selective bind mounts from the host to expose binaries (/usr, /bin, /sbin, /lib, /lib64, /opt mounted read-only under /host/). The entrypoint.sh chroots to /host before running the user command.

If node is not installed at a path that is bind-mounted into the container (e.g., it lives under a path not covered by the selective mounts, or the runner image regressed and no longer has Node.js), the Copilot CLI startup script fails because node is not on PATH inside the chroot.

Additionally, the lock files for these workflows (daily-news.lock.yml, daily-issues-report.lock.yml) may be missing a setup-node step (or equivalent) that was previously present, meaning Node.js setup is no longer part of runner bootstrap.

Possible causes:

  1. Lock files missing a setup-node step — recompiling them (see gh-aw#27724) may fix this
  2. Runner image regression removing Node.js from the default PATH before the AWF container starts
  3. Node.js installed under a path (e.g., /home/runner/.nvm/... or /usr/local/nvm/...) not covered by the agent container's bind mounts

Proposed Solution

  1. Verify lock files — inspect daily-news.lock.yml and daily-issues-report.lock.yml to confirm whether a setup-node step is present. If absent, recompile the lock files.

  2. Check bind mount coverage in containers/agent/entrypoint.sh and src/docker-manager.ts:

    • Confirm that the path where node lives on the host runner is included in the selective bind mounts (e.g., if node is under /usr/local/bin it is already covered, but if it is under /home/runner/.nvm it is NOT covered by current whitelisted home dirs).
    • The whitelisted $HOME subdirs currently include .cache, .config, .local, .anthropic, .claude, .cargo, .rustup, .npm, .copilot — notably .nvm is absent.

  3. If .nvm or other Node.js install paths need coverage, add them to the allowed home subdirectory list in src/docker-manager.ts (the homeDirs array or equivalent).

  4. Add a smoke test to the agent container that verifies node is accessible inside the chroot before the user command starts, emitting a clear diagnostic error if not found.
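A pre-flight check of the kind step 4 proposes, as an added example that is not part of gh-aw or the AWF entrypoint.sh. The function name, its root/PATH arguments, and the unmounted Node.js locations it reports (taken from the paths listed above) are assumptions; in the real entrypoint it would run against /host before the chroot.

```bash
#!/usr/bin/env bash
# check_node_in_root ROOT [SEARCH_PATH]
#   ROOT        directory the entrypoint will chroot into (/host in AWF)
#   SEARCH_PATH the PATH that will be in effect inside the chroot
# Returns 0 when an executable `node` is reachable from inside the chroot,
# otherwise prints a diagnostic on stderr and returns 1, so the caller can
# abort before the user command (and the Copilot CLI startup) ever runs.
check_node_in_root() {
  local root="$1"
  local search_path="${2:-/usr/local/bin:/usr/bin:/bin}"
  local dir
  local IFS=':'                      # split SEARCH_PATH on ':' only
  for dir in $search_path; do
    if [ -x "$root$dir/node" ]; then
      echo "node found at $dir/node inside $root" >&2
      return 0
    fi
  done
  echo "ERROR: node not found on PATH ($search_path) inside chroot $root" >&2
  # Failure mode from the issue: Node.js exists on the host under a path that
  # the selective bind mounts do not expose. Report such installs as hints.
  # (Assumed candidate locations, from the paths named in the issue.)
  local candidate
  for candidate in /home/runner/.nvm /usr/local/nvm; do
    if [ -d "$candidate" ] && [ ! -d "$root$candidate" ]; then
      echo "hint: host has $candidate but it is not mounted under $root" >&2
    fi
  done
  return 1
}

# Opt-in entrypoint usage: AWF_NODE_CHECK_ROOT=/host ./check.sh
if [ -n "${AWF_NODE_CHECK_ROOT:-}" ]; then
  check_node_in_root "$AWF_NODE_CHECK_ROOT" "$PATH" || exit 1
fi
```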

Generated by Firewall Issue Dispatcher
