v0.1.0 (#17)

internal/recipe/context.go

@@ -7,10 +7,11 @@ import (
 )
 
 // ExecContext holds mutable state that persists across recipe steps.
-// It is initialized empty and updated by ENV and WORKDIR steps.
+// It is initialized empty and updated by ENV, WORKDIR, and USER steps.
 type ExecContext struct {
 	WorkDir string
 	EnvVars map[string]string
+	User    string // Current unix user for command execution.
 }
 
 // This regex matches:
@@ -25,7 +26,20 @@ var envRegex = regexp.MustCompile(`\$\$|\$\{([a-zA-Z0-9_]*)\}|\$([a-zA-Z0-9_]+)`
 // If WORKDIR and/or ENV are set, they are prepended as a shell preamble:
 //
 //	cd '/the/dir' && KEY='val' /bin/sh -c 'original command'
+//
+// If USER is set to a non-root user, the entire command is wrapped with su:
+//
+//	su <user> -s /bin/sh -c '<preamble + command>'
 func (c *ExecContext) WrappedCommand(cmd string) string {
+	inner := c.innerCommand(cmd)
+	if c.User != "" && c.User != "root" {
+		return "su " + shellescape(c.User) + " -s /bin/sh -c " + shellescape(inner)
+	}
+	return inner
+}
+
+// innerCommand builds the command with workdir/env preamble but without user wrapping.
+func (c *ExecContext) innerCommand(cmd string) string {
 	prefix := c.shellPrefix()
 	if prefix == "" {
 		return cmd
@@ -42,7 +56,11 @@ func (c *ExecContext) WrappedCommand(cmd string) string {
 // simultaneously before a healthcheck is evaluated.
 func (c *ExecContext) StartCommand(cmd string) string {
 	prefix := c.shellPrefix()
-	return prefix + "nohup /bin/sh -c " + shellescape(cmd) + " >/dev/null 2>&1 &"
+	inner := prefix + "nohup /bin/sh -c " + shellescape(cmd) + " >/dev/null 2>&1 &"
+	if c.User != "" && c.User != "root" {
+		return "su " + shellescape(c.User) + " -s /bin/sh -c " + shellescape(inner)
+	}
+	return inner
 }
 
 // shellPrefix builds the "cd ... && KEY=val " preamble for a shell command.
@@ -97,8 +115,11 @@ func expandEnv(s string, vars map[string]string) string {
 	})
 }
 
-// shellescape wraps s in single quotes, escaping any embedded single quotes.
+// Shellescape wraps s in single quotes, escaping any embedded single quotes.
 // This is POSIX-safe for paths, env values, and shell commands.
-func shellescape(s string) string {
+func Shellescape(s string) string {
 	return "'" + strings.ReplaceAll(s, "'", `'\''`) + "'"
 }
+
+// shellescape is the package-internal alias for Shellescape.
+func shellescape(s string) string { return Shellescape(s) }

internal/recipe/executor.go

@@ -4,6 +4,7 @@ import (
 	"context"
 	"fmt"
 	"log/slog"
+	"path"
 	"strings"
 	"time"
 
@@ -16,6 +17,10 @@ import (
 // explicit --timeout flag.
 const DefaultStepTimeout = 30 * time.Second
 
+// BuildFilesDir is the directory inside the sandbox where uploaded build
+// archives are extracted. COPY instructions reference paths relative to this.
+const BuildFilesDir = "/tmp/build-files"
+
 // BuildLogEntry is the per-step record stored in template_builds.logs (JSONB).
 type BuildLogEntry struct {
 	Step    int    `json:"step"`
@@ -32,13 +37,18 @@ type BuildLogEntry struct {
 // the method on the hostagent Connect RPC client.
 type ExecFunc func(ctx context.Context, req *connect.Request[pb.ExecRequest]) (*connect.Response[pb.ExecResponse], error)
 
+// ProgressFunc is called after each step with the current step counter and
+// accumulated log entries. Used for per-step DB progress updates.
+type ProgressFunc func(step int, entries []BuildLogEntry)
+
 // Execute runs steps sequentially against sandboxID using execFn.
 //
 //   - phase labels the log entries (e.g., "pre-build", "recipe", "post-build").
 //   - startStep is the 1-based offset so entries are globally numbered across phases.
 //   - defaultTimeout applies to RUN steps with no per-step --timeout; 0 → 10 minutes.
-//   - bctx is mutated in place as ENV/WORKDIR steps execute, and carries forward
+//   - bctx is mutated in place as ENV/WORKDIR/USER steps execute, and carries forward
 //     into subsequent phases when the caller passes the same pointer.
+//   - onProgress is called after each step for live progress updates (may be nil).
 //
 // Returns all log entries appended during this call, the next step counter
 // value, and whether all steps succeeded. On false the last entry contains
@@ -53,6 +63,7 @@ func Execute(
 	defaultTimeout time.Duration,
 	bctx *ExecContext,
 	execFn ExecFunc,
+	onProgress ProgressFunc,
 ) (entries []BuildLogEntry, nextStep int, ok bool) {
 	if defaultTimeout <= 0 {
 		defaultTimeout = 10 * time.Minute
@@ -72,19 +83,30 @@ func Execute(
 			entries = append(entries, BuildLogEntry{Step: step, Phase: phase, Cmd: st.Raw, Ok: true})
 
 		case KindWORKDIR:
+			// Create the directory if it doesn't exist.
+			mkdirEntry := execRawShell(ctx, st.Raw, sandboxID, phase, step, 10*time.Second, execFn,
+				"mkdir -p "+shellescape(st.Path))
+			if !mkdirEntry.Ok {
+				entries = append(entries, mkdirEntry)
+				return entries, step, false
+			}
 			bctx.WorkDir = st.Path
-			entries = append(entries, BuildLogEntry{Step: step, Phase: phase, Cmd: st.Raw, Ok: true})
+			mkdirEntry.Ok = true
+			entries = append(entries, mkdirEntry)
 
-		case KindUSER, KindCOPY:
-			verb := strings.ToUpper(strings.Fields(st.Raw)[0])
-			entries = append(entries, BuildLogEntry{
-				Step:   step,
-				Phase:  phase,
-				Cmd:    st.Raw,
-				Stderr: verb + " is not yet supported",
-				Ok:     false,
-			})
-			return entries, step, false
+		case KindUSER:
+			entry, succeeded := execUser(ctx, st, sandboxID, phase, step, bctx, execFn)
+			entries = append(entries, entry)
+			if !succeeded {
+				return entries, step, false
+			}
+
+		case KindCOPY:
+			entry, succeeded := execCopy(ctx, st, sandboxID, phase, step, bctx, execFn)
+			entries = append(entries, entry)
+			if !succeeded {
+				return entries, step, false
+			}
 
 		case KindSTART:
 			entry, succeeded := execStart(ctx, st, sandboxID, phase, step, bctx, execFn)
@@ -104,6 +126,10 @@ func Execute(
 				return entries, step, false
 			}
 		}
+
+		if onProgress != nil {
+			onProgress(step, entries)
+		}
 	}
 	return entries, step, true
 }
@@ -145,6 +171,123 @@ func execRun(
 	return entry, entry.Ok
 }
 
+// execUser creates a unix user (if not exists), grants passwordless sudo,
+// and updates bctx.User for subsequent steps.
+func execUser(
+	ctx context.Context,
+	st Step,
+	sandboxID, phase string,
+	step int,
+	bctx *ExecContext,
+	execFn ExecFunc,
+) (BuildLogEntry, bool) {
+	username := st.Key
+	// Create user if not exists, with home directory and bash shell.
+	// Grant passwordless sudo access (E2B convention).
+	// Uses printf %s to avoid shell injection in the sudoers line.
+	script := fmt.Sprintf(
+		"id %s >/dev/null 2>&1 || (adduser --disabled-password --gecos '' --shell /bin/bash %s && printf '%%s ALL=(ALL) NOPASSWD:ALL\\n' %s >> /etc/sudoers)",
+		shellescape(username), shellescape(username), shellescape(username),
+	)
+
+	entry := execRawShell(ctx, st.Raw, sandboxID, phase, step, 30*time.Second, execFn, script)
+	if entry.Ok {
+		bctx.User = username
+		// Update HOME so ~ expands correctly in subsequent RUN/WORKDIR steps.
+		if bctx.EnvVars == nil {
+			bctx.EnvVars = make(map[string]string)
+		}
+		if username == "root" {
+			bctx.EnvVars["HOME"] = "/root"
+		} else {
+			bctx.EnvVars["HOME"] = "/home/" + username
+		}
+	}
+	return entry, entry.Ok
+}
+
+// execCopy copies a file or directory from the build archive (extracted at
+// BuildFilesDir) to the destination path inside the sandbox. Ownership is
+// set to the current user from bctx.
+func execCopy(
+	ctx context.Context,
+	st Step,
+	sandboxID, phase string,
+	step int,
+	bctx *ExecContext,
+	execFn ExecFunc,
+) (BuildLogEntry, bool) {
+	// Validate all source paths: must be relative and not escape the archive directory.
+	var srcPaths []string
+	for _, s := range st.Srcs {
+		cleaned := path.Clean(s)
+		if strings.HasPrefix(cleaned, "..") || strings.HasPrefix(cleaned, "/") {
+			return BuildLogEntry{
+				Step:   step,
+				Phase:  phase,
+				Cmd:    st.Raw,
+				Stderr: fmt.Sprintf("COPY source must be a relative path within the archive: %q", s),
+			}, false
+		}
+		srcPaths = append(srcPaths, shellescape(BuildFilesDir+"/"+cleaned))
+	}
+
+	dst := st.Dst
+	// Resolve relative destination against the current WORKDIR.
+	if dst != "" && dst[0] != '/' && bctx.WorkDir != "" {
+		dst = bctx.WorkDir + "/" + dst
+	}
+	owner := "root"
+	if bctx.User != "" {
+		owner = bctx.User
+	}
+	script := fmt.Sprintf(
+		"cp -r %s %s && chown -R %s:%s %s",
+		strings.Join(srcPaths, " "), shellescape(dst), shellescape(owner), shellescape(owner), shellescape(dst),
+	)
+
+	entry := execRawShell(ctx, st.Raw, sandboxID, phase, step, 60*time.Second, execFn, script)
+	return entry, entry.Ok
+}
+
+// execRawShell runs a shell command directly (as root) without ExecContext
+// wrapping. Used for internal operations like user creation and file copy.
+func execRawShell(
+	ctx context.Context,
+	raw, sandboxID, phase string,
+	step int,
+	timeout time.Duration,
+	execFn ExecFunc,
+	shellCmd string,
+) BuildLogEntry {
+	execCtx, cancel := context.WithTimeout(ctx, timeout)
+	defer cancel()
+
+	start := time.Now()
+	resp, err := execFn(execCtx, connect.NewRequest(&pb.ExecRequest{
+		SandboxId:  sandboxID,
+		Cmd:        "/bin/sh",
+		Args:       []string{"-c", shellCmd},
+		TimeoutSec: int32(timeout.Seconds()),
+	}))
+
+	entry := BuildLogEntry{
+		Step:    step,
+		Phase:   phase,
+		Cmd:     raw,
+		Elapsed: time.Since(start).Milliseconds(),
+	}
+	if err != nil {
+		entry.Stderr = fmt.Sprintf("exec error: %v", err)
+		return entry
+	}
+	entry.Stdout = string(resp.Msg.Stdout)
+	entry.Stderr = string(resp.Msg.Stderr)
+	entry.Exit = resp.Msg.ExitCode
+	entry.Ok = resp.Msg.ExitCode == 0
+	return entry
+}
+
 func execStart(
 	ctx context.Context,
 	st Step,

internal/recipe/step.go

@@ -24,9 +24,11 @@ type Step struct {
 	Raw     string        // original string, preserved for logging
 	Shell   string        // KindRUN, KindSTART: the shell command text
 	Timeout time.Duration // KindRUN: 0 means use caller's default
-	Key     string        // KindENV: variable name
+	Key     string        // KindENV: variable name; KindUSER: username
 	Value   string        // KindENV: variable value
 	Path    string        // KindWORKDIR: directory path
+	Srcs    []string      // KindCOPY: source paths (relative to build archive)
+	Dst     string        // KindCOPY: destination path inside sandbox
 }
 
 // ParseStep parses a single recipe instruction string into a Step.
@@ -61,9 +63,9 @@ func ParseStep(s string) (Step, error) {
 	case "WORKDIR":
 		return parseWORKDIR(s, rest)
 	case "USER":
-		return Step{Kind: KindUSER, Raw: s}, nil
+		return parseUSER(s, rest)
 	case "COPY":
-		return Step{Kind: KindCOPY, Raw: s}, nil
+		return parseCOPY(s, rest)
 	default:
 		return Step{}, fmt.Errorf("unknown instruction %q (expected RUN, START, ENV, WORKDIR, USER, or COPY)", keyword)
 	}
@@ -127,3 +129,33 @@ func parseWORKDIR(raw, path string) (Step, error) {
 	}
 	return Step{Kind: KindWORKDIR, Raw: raw, Path: path}, nil
 }
+
+func parseUSER(raw, username string) (Step, error) {
+	if username == "" {
+		return Step{}, fmt.Errorf("USER requires a username: %q", raw)
+	}
+	// Validate: alphanumeric, hyphens, underscores only; must start with a letter or underscore.
+	for i, c := range username {
+		if i == 0 && !((c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') || c == '_') {
+			return Step{}, fmt.Errorf("USER username must start with a letter or underscore: %q", raw)
+		}
+		if !((c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') || (c >= '0' && c <= '9') || c == '_' || c == '-') {
+			return Step{}, fmt.Errorf("USER username contains invalid character %q: %q", string(c), raw)
+		}
+	}
+	return Step{Kind: KindUSER, Raw: raw, Key: username}, nil
+}
+
+func parseCOPY(raw, rest string) (Step, error) {
+	if rest == "" {
+		return Step{}, fmt.Errorf("COPY requires <src>... <dst>: %q", raw)
+	}
+	parts := strings.Fields(rest)
+	if len(parts) < 2 {
+		return Step{}, fmt.Errorf("COPY requires <src>... <dst>: %q", raw)
+	}
+	// Last argument is the destination, everything before is sources.
+	dst := parts[len(parts)-1]
+	srcs := parts[:len(parts)-1]
+	return Step{Kind: KindCOPY, Raw: raw, Srcs: srcs, Dst: dst}, nil
+}

internal/recipe/step_test.go

@@ -1,6 +1,7 @@
 package recipe
 
 import (
+	"reflect"
 	"testing"
 	"time"
 )
@@ -111,16 +112,42 @@ func TestParseStep(t *testing.T) {
 			input:   "WORKDIR",
 			wantErr: true,
 		},
-		// USER and COPY stubs
+		// USER
 		{
-			name:  "USER stub",
+			name:  "USER basic",
 			input: "USER www-data",
-			want:  Step{Kind: KindUSER, Raw: "USER www-data"},
+			want:  Step{Kind: KindUSER, Raw: "USER www-data", Key: "www-data"},
 		},
 		{
-			name:  "COPY stub",
+			name:    "USER empty",
+			input:   "USER",
+			wantErr: true,
+		},
+		{
+			name:    "USER invalid chars",
+			input:   "USER bad user",
+			wantErr: true,
+		},
+		// COPY
+		{
+			name:  "COPY basic",
 			input: "COPY config.yaml /etc/app/config.yaml",
-			want:  Step{Kind: KindCOPY, Raw: "COPY config.yaml /etc/app/config.yaml"},
+			want:  Step{Kind: KindCOPY, Raw: "COPY config.yaml /etc/app/config.yaml", Srcs: []string{"config.yaml"}, Dst: "/etc/app/config.yaml"},
+		},
+		{
+			name:  "COPY multiple sources",
+			input: "COPY a.txt b.txt /dest/",
+			want:  Step{Kind: KindCOPY, Raw: "COPY a.txt b.txt /dest/", Srcs: []string{"a.txt", "b.txt"}, Dst: "/dest/"},
+		},
+		{
+			name:    "COPY missing dst",
+			input:   "COPY config.yaml",
+			wantErr: true,
+		},
+		{
+			name:    "COPY empty",
+			input:   "COPY",
+			wantErr: true,
 		},
 		// Unknown keyword
 		{
@@ -148,7 +175,7 @@ func TestParseStep(t *testing.T) {
 			if err != nil {
 				t.Fatalf("ParseStep(%q) unexpected error: %v", tc.input, err)
 			}
-			if got != tc.want {
+			if !reflect.DeepEqual(got, tc.want) {
 				t.Errorf("ParseStep(%q)\n  got  %+v\n  want %+v", tc.input, got, tc.want)
 			}
 		})