fix(preview): let the atrium-preview tool actually install in sandboxes#548
Merged
Conversation
#547 shipped the tool, but no sandbox could see it: values.local.yaml sets TOOL_ALLOWLIST: "none" to hide the ~78 upstream plugins, and install_tool_shims skips every tool not on the list. Verified in a live prod sandbox mid-turn: command -v atrium-preview -> MISSING centaur-tools list | preview -> NOT-IN-CATALOG echo $TOOL_ALLOWLIST -> none That file's own comment called this shot: "When a tool is actually wired up (creds granted + deps installable), list its package name here." It now is — the token is in centaur-infra-env and iron-proxy injects it — so list it. The matched name is the tool's DIRECTORY name, not pyproject's [project] name (install_tool_shims.py: tool_name = package_dir.name). Both are atrium-preview here, but the comment now says which one it is so the next tool doesn't guess. Only reachable by running a real turn on prod: CI never installs tool shims, and the tool builds, lints, and passes its own tests regardless of this env var.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Follow-up to #547. The tool shipped correctly but no sandbox can install it, so an agent asked for a preview would find nothing.
infra/values.local.yamlsetsTOOL_ALLOWLIST: "none"to hide the ~78 upstream plugins that have no creds in Atrium.install_tool_shims.pyskips anything not on that list — including ours.Caught by running a real agent turn on prod and exec'ing into the live sandbox:
The file's own comment predicted exactly this: "When a tool is actually wired up (creds granted + deps installable), list its package name here, comma-separated." It now is —
ATRIUM_PREVIEW_LAUNCHER_TOKENis incentaur-infra-envand iron-proxy injects it host-scoped — so this lists it.Also documents which name is matched: the directory name under
centaur/tools, not pyproject's[project] name(install_tool_shims.py:tool_name = package_dir.name). They're identical here, but the next tool shouldn't have to re-derive that.Why CI couldn't catch this: CI never installs tool shims, and the tool builds, lints, and passes its tests regardless of this env var. It needs a redeploy to take effect —
SESSION_SANDBOX_EXTRA_ENVis read by api-rs and baked into each sandbox at creation.