Fix: add compatibility for sandbox environments by replacing Unix sockets with tcp localhost #18
Open
dudgeon wants to merge 2 commits into
In sandboxed environments (Claude Code on macOS Seatbelt, Linux seccomp), net.createServer().listen() on a Unix domain socket path fails with EPERM: operation not permitted. Since the daemon is spawned with stdio: 'ignore', this error is silently swallowed, breaking all page-level commands (snap, eval, click, type, etc.).

Replace Unix domain sockets with TCP localhost on ephemeral ports:

- server.listen(0, '127.0.0.1') lets the OS assign a random port
- Port, PID, and auth token written atomically to a .port discovery file
- Parent reads the port file to connect and authenticates with the token
- Auth token (randomBytes + timingSafeEqual) compensates for TCP's weaker access control vs Unix socket file permissions

This pattern mirrors Chrome DevTools (--remote-debugging-port=0 + DevToolsActivePort file), Jupyter kernels, nREPL (.nrepl-port), and VS Code Remote (connectionToken).

https://claude.ai/code/session_01SzqvCN7CacGJXyEfKDwXXK
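
The discovery-file handshake outlined in the description above, as an added example that is not code from this pull request. The `daemon.port` file name, the JSON record layout, the token-plus-newline framing and all function names are assumptions made for illustration.

```javascript
// Added example; names, file layout and framing are assumptions, not the PR's code.
const crypto = require('node:crypto');
const fs = require('node:fs');
const net = require('node:net');
const path = require('node:path');

const DISCOVERY_NAME = 'daemon.port'; // hypothetical file name

// Write to a private temp file, then rename into place, so a reader never
// sees a half-written record. Mode 0600 stands in for the access control the
// Unix socket's file permissions used to provide.
function writeDiscoveryFile(dir, record) {
  const finalPath = path.join(dir, DISCOVERY_NAME);
  const tmpPath = `${finalPath}.${process.pid}.tmp`;
  fs.writeFileSync(tmpPath, JSON.stringify(record), { mode: 0o600, flag: 'wx' });
  fs.renameSync(tmpPath, finalPath);
  return finalPath;
}

// Parent side: validate the record before trusting it.
function readDiscoveryFile(dir) {
  const rec = JSON.parse(fs.readFileSync(path.join(dir, DISCOVERY_NAME), 'utf8'));
  if (!Number.isInteger(rec.port) || rec.port < 1 || rec.port > 65535) throw new Error('bad port');
  if (typeof rec.token !== 'string' || !/^[0-9a-f]{64}$/.test(rec.token)) throw new Error('bad token');
  return rec;
}

// timingSafeEqual throws when lengths differ, so compare fixed-size digests.
function tokenMatches(presented, expected) {
  const digest = (s) => crypto.createHash('sha256').update(String(s)).digest();
  return crypto.timingSafeEqual(digest(presented), digest(expected));
}

// Daemon side: loopback only, OS-assigned port, token required before any command.
function startDaemon(dir, onReady) {
  const token = crypto.randomBytes(32).toString('hex');
  const server = net.createServer((sock) => {
    // Simplified framing: the token and a newline arrive in the first chunk.
    sock.once('data', (buf) => {
      const line = buf.toString('utf8').split('\n')[0];
      if (!tokenMatches(line, token)) return sock.destroy();
      sock.write('ok\n');
    });
  });
  server.on('error', (err) => onReady(err)); // surface EPERM-style failures to the caller
  server.listen(0, '127.0.0.1', () => {
    writeDiscoveryFile(dir, { port: server.address().port, pid: process.pid, token });
    onReady(null, server);
  });
  return server;
}
```
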