Fix socket connection issues

[PabloZaiden]

This pull request introduces logic to ensure compatibility for SSH agent socket mounts in managed containers, particularly when the host's SSH agent socket path changes. The main addition is a utility that checks and, if necessary, creates or updates a symlink so the container's SSH mount always points to the current SSH agent socket. This helps prevent issues when the SSH agent socket moves between devcontainer sessions. Comprehensive tests have also been added to verify this behavior.

SSH Agent Socket Mount Compatibility:

• Added ensureManagedContainerSshMountCompatibility in src/runtime.ts to check if the SSH agent socket mount in a managed container is up-to-date, and to create or update a symlink if needed. This function handles cases where the mount source is missing, stale, or already correct, and returns a status string describing the action taken.
• Updated src/cli.ts to call this new function before starting the devcontainer, and to log messages when a symlink is created or updated. [1] [2]

Supporting Utilities:

• Added helpers in src/runtime.ts for resolving bind mount sources and handling missing paths, used by the compatibility logic.
• Extended imports in both src/runtime.ts and tests/runtime.test.ts to include necessary filesystem methods for symlink management and inspection. [1] [2]

Testing:

• Added a new test suite in tests/runtime.test.ts to verify all code paths of ensureManagedContainerSshMountCompatibility, including creation, update, no-op, and not-applicable scenarios. [1] [2]

Types:

• Introduced the ManagedContainerSshMountCompatibility type to clearly describe the possible outcomes of the compatibility check.

[Copilot]

Pull request overview

This PR addresses SSH agent socket mount breakages in managed devcontainers when the host SSH_AUTH_SOCK path changes between sessions by introducing host-side compatibility symlink management and wiring it into the up flow.

Changes:

• Added ensureManagedContainerSshMountCompatibility to detect stale/missing bind-mount sources and create/update a symlink to the current SSH_AUTH_SOCK.
• Invoked the compatibility check in the CLI up flow and logged when a symlink is created/updated.
• Added tests covering key outcomes (created-symlink, updated-symlink, unchanged, not-applicable).

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 3 comments.

File	Description
src/runtime.ts	Implements SSH mount compatibility logic (bind-mount source detection + symlink creation/update) and introduces outcome type.
src/cli.ts	Calls the compatibility function before devcontainer up and prints user-facing messages for symlink actions.
tests/runtime.test.ts	Adds a test suite validating the new compatibility behavior across multiple scenarios.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

Path comparisons here use path.resolve, which does not canonicalize symlinks. On macOS (e.g. /tmp vs /private/tmp) or when SSH_AUTH_SOCK itself is a symlink, this can cause an unnecessary updated-symlink outcome even though both paths refer to the same underlying socket. Consider comparing canonicalized paths (e.g. via the existing resolveComparablePath helper or realpath where available) before deciding to update the symlink.

[Copilot]

rm(resolvedMountedSource) can throw ENOENT if the symlink is removed between the earlier lstat/readlink and this call (or if the path is concurrently modified). Using rm(..., { force: true }) (consistent with other rm usages in the repo) or unlink with a missing-path guard would make this update step more robust.

Suggested change

	await rm(resolvedMountedSource);
	await rm(resolvedMountedSource, { force: true });

[Copilot]

The new suite doesn’t currently cover the branch where the existing mount source is a symlink that already points at the current SSH_AUTH_SOCK (the isSymbolicLink() + resolvedExistingTarget === resolvedCurrentSshAuthSock path). Adding a test for that scenario would help ensure the function doesn’t rewrite a correct symlink and keeps the outcome as unchanged.

Suggested change

	test("does nothing when the existing mount source is a symlink that already resolves to the current host ssh agent socket", async () => {
	const tempDir = await mkdtemp(path.join(os.tmpdir(), "devbox-test-"));
	tempPaths.push(tempDir);
	const currentSocketPath = path.join(tempDir, "current", "agent.sock");
	const compatibilitySocketPath = path.join(tempDir, "compat", "agent.sock");
	await mkdir(path.dirname(currentSocketPath), { recursive: true });
	await mkdir(path.dirname(compatibilitySocketPath), { recursive: true });
	await writeFile(currentSocketPath, "current");
	await symlink(currentSocketPath, compatibilitySocketPath);
	await expect(
	ensureManagedContainerSshMountCompatibility(
	{
	Id: "container-1",
	Mounts: [
	{
	Type: "bind",
	Source: compatibilitySocketPath,
	Destination: "/run/devbox-ssh-auth.sock",
	},
	],
	},
	currentSocketPath,
	),
	).resolves.toBe("unchanged");
	expect(await readlink(compatibilitySocketPath)).toBe(currentSocketPath);
	});