fix: keep replay unix sockets visible in sandboxes #201

Merged
jy-tan merged 3 commits into main from socket-location
Mar 20, 2026

Conversation


@jy-tan jy-tan commented Mar 19, 2026

Summary

Keep replay Unix sockets visible to sandboxed services by moving them off /tmp, which may be remounted inside strict Linux sandboxes. Prefer a short hidden path under .tusk for the normal case, and fall back to a short hidden workspace path when the .tusk mount cannot host Unix sockets.

This also bumps fence to v0.1.36 so replay picks up the Linux minimal /dev fix that these gRPC replay failures depended on.

Context

Previously, #194 changed to use a broad / for allowWrite, and under the old Fence mount ordering that late root bind overrode the special mounts. At this point, /tmp is still accessible (this points to the host /tmp). Use-Tusk/fence#83 now restores their intended special-mount behavior: /tmp becomes private again, /proc is sandbox-local, and /dev keeps the minimal/special handling.

A quick fix would be to reintroduce /tmp into getAllowedWriteDirs(), but the more correct fix is to keep the socket in a location that is meant to be shared with the sandboxed service. This preserves the intended sandbox invariant that /tmp is private, avoids re-sharing the outer temp namespace just to expose one socket, and is less likely to collide with unrelated temp files.

The one drawback I would mention is that now the socket file is slightly more visible to the user, thus it's a bit more prone to accidental deletions, untracked file noise, etc. Adding a .tusk/.gitignore (which also ignores logs, traces, etc. and can be deterministically generated by the setup agent or at tusk drift run time) could help mitigate this, plus it is already relatively obscured in .tusk/.s.

One additional portability issue is Unix domain socket path length: even a short filename can fail if the workspace path is very deep. To avoid that, this change now falls back to a short hashed socket name in an ancestor directory when the cwd-local candidates would be too long.

Changes

  • Create Unix replay sockets from workspace-local paths instead of /tmp/tusk-connect.sock
  • Prefer .tusk/.s so the socket stays hidden under the existing replay artifact directory
  • Fall back to .t.sock when the preferred .tusk location cannot create a Unix socket in some Docker-backed environments
  • Fall back again to a short hashed ancestor socket path when deep workspaces would exceed Unix domain socket path limits
  • Bump fence to v0.1.36 so tusk-drift-cli picks up the strict Linux sandbox /dev fix
  • Surface combined socket-listener errors and update Unix socket tests to assert the new hidden path behavior

Future todo

  • Deterministically create a .tusk/.gitignore that can be invoked by the setup agent or upon tusk drift run.
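The candidate order described above (prefer .tusk/.s, fall back to .t.sock, then to a short hashed name in an ancestor directory once the cwd-local paths exceed the Unix socket path limit), as an added illustration that is not the PR's own code. The function names, the injected canHost probe and the 107-byte limit (Linux sun_path minus the trailing NUL) are assumptions for this example.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"path/filepath"
)

// Assumed limit: usable sun_path bytes on Linux (108) minus the trailing NUL.
const linuxSockPathMax = 107

// hashedSockName derives a short hidden name from the workspace path so that
// sockets from different deep workspaces sharing an ancestor do not collide.
func hashedSockName(workspace string) string {
	sum := sha256.Sum256([]byte(workspace))
	return "." + hex.EncodeToString(sum[:])[:8] + ".sock"
}

// chooseSocketPath picks the first candidate whose byte length fits limit and
// whose directory canHost reports as able to hold a Unix socket (injected so the
// ".tusk cannot host sockets" case seen on some Docker mounts is testable).
func chooseSocketPath(workspace string, limit int, canHost func(dir string) bool) (string, error) {
	workspace = filepath.Clean(workspace)
	candidates := []string{
		filepath.Join(workspace, ".tusk", ".s"), // preferred: hidden under the replay artifact dir
		filepath.Join(workspace, ".t.sock"),     // fallback: short hidden workspace path
	}
	for _, c := range candidates {
		if len(c) <= limit && canHost(filepath.Dir(c)) {
			return c, nil
		}
	}
	// Both cwd-local candidates are unusable: climb the ancestors with a short
	// hashed name until one fits, giving up at the filesystem root.
	name := hashedSockName(workspace)
	for dir := filepath.Dir(workspace); ; dir = filepath.Dir(dir) {
		if c := filepath.Join(dir, name); len(c) <= limit && canHost(dir) {
			return c, nil
		}
		if filepath.Dir(dir) == dir {
			return "", errors.New("no Unix socket path fits within the platform limit")
		}
	}
}
```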

@cubic-dev-ai cubic-dev-ai bot left a comment


1 issue found across 2 files

Prompt for AI agents (unresolved issues)

Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.

<file name="internal/runner/server.go">

<violation number="1" location="internal/runner/server.go:208">
P2: Both new socket candidates are cwd-absolute paths, which can exceed Unix domain socket path limits in deep workspaces and cause startup failure.</violation>
</file>

Reply with feedback, questions, or to request a fix. Tag @cubic-dev-ai to re-run a review.

@jy-tan jy-tan merged commit 7eb6c08 into main Mar 20, 2026
13 checks passed
@jy-tan jy-tan deleted the socket-location branch March 20, 2026 16:35
3 participants