From d3d655b9c913f03a66c9d213d46a67ed2dceec31 Mon Sep 17 00:00:00 2001
From: jedarden
Date: Fri, 22 May 2026 15:18:21 -0400
Subject: [PATCH] Evolver: Fix nsjail integration for complete sandbox coverage

- Add /opt to nsjail bindmounts so Rust toolchain (/opt/rust) is accessible during sandboxed validation of Rust bots
- Explicitly enable Alpine community repository in Dockerfile to ensure nsjail package can be installed (nsjail lives in community, not main)
- nsjail integration was already optional (falls back to plain exec if unavailable), but these changes ensure it actually works when enabled

This addresses bead bf-3f29: nsjail was listed in apk add but /opt wasn't bindmounted, causing Rust validation to fail when UseNsjail=true.

Co-Authored-By: Claude Opus 4.7
---
 .needle-predispatch-sha | 2 +-
 cmd/acb-evolver/Dockerfile | 6 +++++-
 cmd/acb-evolver/internal/validator/sandbox.go | 2 +-
 3 files changed, 7 insertions(+), 3 deletions(-)

diff --git a/.needle-predispatch-sha b/.needle-predispatch-sha
index 68b9fdd..945a355 100644
--- a/.needle-predispatch-sha
+++ b/.needle-predispatch-sha
@@ -1 +1 @@
-00d6754524b429bd61d3e6c581826aaaa5e614a2
+7137623f6a68882880fdeb89cf2ef06b41419a46
diff --git a/cmd/acb-evolver/Dockerfile b/cmd/acb-evolver/Dockerfile
index 425232d..52dcc03 100644
--- a/cmd/acb-evolver/Dockerfile
+++ b/cmd/acb-evolver/Dockerfile
@@ -46,7 +46,11 @@ WORKDIR /app
 # - python3, nodejs (typescript), rust (rustup), java, php
 # - nsjail for sandbox isolation during validation
 # - ca-certificates for HTTPS (LLM calls, K8s API)
-RUN apk --no-cache add \
+#
+# Note: nsjail is in the community repository, ensure it's enabled
+RUN grep -q '^https.*\/community$' /etc/apk/repositories || \
+ echo "https://dl-cdn.alpinelinux.org/alpine/v$(. /etc/os-release && echo $VERSION_ID | cut -d. -f1,2)/community" >> /etc/apk/repositories && \
+ apk --no-cache add \
 ca-certificates \
 tzdata \
 python3 \
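Review bot: The new RUN line chains `grep -q … || echo … >> /etc/apk/repositories && apk --no-cache add`, which only does the right thing because `||` and `&&` share precedence and associate left-to-right; grouping the repository fix-up makes the intent explicit and survives later edits: `RUN { grep -q '^https.*/community$' /etc/apk/repositories || echo "…" >> /etc/apk/repositories; } && \`. The `\/` inside the basic regular expression is unspecified by POSIX and a bare `/` is sufficient. Because the pattern is anchored on `^https`, a base image whose community line uses `http://` would not match and would get a second, https entry appended, which is harmless but deserves a one-line comment so nobody "fixes" it later. The `apk add` continuation runs past the end of the hunk.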
diff --git a/cmd/acb-evolver/internal/validator/sandbox.go b/cmd/acb-evolver/internal/validator/sandbox.go
index ef56c38..ed09d79 100644
--- a/cmd/acb-evolver/internal/validator/sandbox.go
+++ b/cmd/acb-evolver/internal/validator/sandbox.go
@@ -127,7 +127,7 @@ func buildNsjailCmd(ctx context.Context, nsjailBin, execPath string, execArgs []
 }
 
 // Read-only bind-mounts for language runtimes and system libraries.
-for _, p := range []string{"/bin", "/usr", "/lib", "/lib64", "/etc/alternatives", "/proc", "/dev"} {
+for _, p := range []string{"/bin", "/usr", "/lib", "/lib64", "/etc/alternatives", "/opt", "/proc", "/dev"} {
 if _, err := os.Stat(p); err == nil {
 args = append(args, "--bindmount_ro", p)
 }
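Review bot: Bind-mounting all of `/opt` read-only exposes every subtree that ever lands there to the sandboxed bot, not just the Rust toolchain the commit message places at `/opt/rust`, so the sandbox's least-privilege boundary silently widens as the image grows. If the toolchain is fully contained under `/opt/rust`, the added entry can be `"/opt/rust"` instead of `"/opt"`, and the comment above the loop could read `// Read-only bind-mounts for language runtimes (incl. the Rust toolchain under /opt/rust) and system libraries.` Note that the loop drops any path whose `os.Stat` fails without logging it, so a missing toolchain directory would surface only as an obscure failure inside the jail rather than at setup time; a debug log in the `err != nil` case would make that easier to diagnose. buildNsjailCmd begins before and continues after this hunk.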