fix: bb process/shell throws 'Operations not permitted(sysctl fail)' in agent sandbox

rcmerci
2026-01-17 23:25:11 +08:00
parent 86309b358b
commit da2bb67649
6 changed files with 34 additions and 33 deletions


@@ -7,9 +7,9 @@
(defn check-common-errors
[]
(let [prompt (String. (fs/read-all-bytes "prompts/review.md"))
diff (:out (shell {:out :string} "git diff --no-prefix -U100 -- '*.cljs'"))]
diff (:out (shell {:out :string :shutdown nil} "git diff --no-prefix -U100 -- '*.cljs'"))]
(when-not (string/blank? diff)
(let [command (format "gh models run openai/gpt-5 \"%s\""
(str prompt
(format "\n\n <diff>%s</diff>" diff)))]
(shell command)))))
(shell {:shutdown nil} command)))))
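Review bot: The diff text is spliced into a double-quoted segment of a single command string on the `gh models run` line, so a `"` inside the diff or the prompt ends that argument early and the remainder is tokenized as further `gh` arguments. babashka's `shell` tokenizes only its first string and passes later arguments through as given, so the content can travel as its own argument: `(shell {:shutdown nil} "gh models run openai/gpt-5" (str prompt (format "\n\n <diff>%s</diff>" diff)))`. The task also sends the local unstaged diff to an external model unfiltered. A short docstring on `check-common-errors` should say so, and should note that the diff content reaches the reviewer prompt as untrusted text.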


@@ -17,9 +17,9 @@
(defn test
"Run tests. Pass args through to cmd 'yarn cljs:run-test'"
[& args]
(shell "yarn cljs:test")
(shell {:shutdown nil} "yarn cljs:test")
(let [args* (or (seq args) ["-e" "long" "-e" "fix-me"])]
(apply shell "yarn cljs:run-test" args*)))
(apply shell {:shutdown nil} "yarn cljs:run-test" args*)))
(defn lint-and-test
"Run all lint tasks, then run tests(exclude testcases tagged by :long).
@@ -45,11 +45,12 @@
(let [config-edn ".clj-kondo/metosin/malli-types/config.edn"
compile-cmd "clojure -M:cljs compile gen-malli-kondo-config"]
(println compile-cmd)
(shell compile-cmd)
(shell {:shutdown nil} compile-cmd)
(println "generate kondo config: " config-edn)
(io/make-parents config-edn)
(let [config (with-out-str
(pp/pprint (edn/read-string (:out (shell {:out :string} "node ./static/gen-malli-kondo-config.js")))))]
(pp/pprint (edn/read-string (:out (shell {:out :string :shutdown nil}
"node ./static/gen-malli-kondo-config.js")))))]
(spit config-edn config))))
(defn diff-datoms
@@ -76,19 +77,19 @@
(fs/glob "." "{src/main,deps/graph-parser/src}/**")))))]
(do
(println "Building publishing js asset...")
(shell "clojure -M:cljs release publishing db-worker inference-worker"))
(shell {:shutdown nil} "clojure -M:cljs release publishing db-worker inference-worker"))
(println "Publishing js asset is up to date")))
(defn publishing-backend
"Builds publishing backend and copies over supporting frontend assets"
[& args]
(apply shell {:dir "deps/publishing" :extra-env {"ORIGINAL_PWD" (fs/cwd)}}
(apply shell {:dir "deps/publishing" :extra-env {"ORIGINAL_PWD" (fs/cwd)} :shutdown nil}
"yarn -s nbb-logseq -cp src:../graph-parser/src script/publishing.cljs"
(into ["static"] args)))
(defn watch-publishing-frontend
[& _args]
(shell "npx shadow-cljs watch publishing"))
(shell {:shutdown nil} "npx shadow-cljs watch publishing"))
(defn watch-publishing-backend
"Builds publishing backend once watch-publishing-frontend has built initial frontend"
@@ -110,4 +111,4 @@
(doseq [file-graph file-graphs]
(let [db-graph (fs/path parent-graph-dir (fs/file-name file-graph))]
(println "Importing" (str db-graph) "...")
(apply shell "bb" "dev:import" file-graph db-graph (concat import-options ["--validate"]))))))
(apply shell {:shutdown nil} "bb" "dev:db-import" file-graph db-graph (concat import-options ["--validate"]))))))
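Review bot: The last hunk of this file changes the invoked task from `dev:import` to `dev:db-import` as well as adding `:shutdown nil`, assuming the second of the two printed lines is the new side. The commit title does not mention this, and it is unrelated to the sandbox fix. It would be easier to audit as its own commit, or at least with a line in the message such as `also: dev:import task was renamed to dev:db-import`. It is also worth confirming that a `dev:db-import` task is defined, since a missing task would only show up when this loop runs. The enclosing function starts outside the hunk.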


@@ -7,15 +7,15 @@
(defn watch
"Watches environment to reload cljs, css and other assets"
[]
(shell "yarn electron-watch"))
(shell {:shutdown nil} "yarn electron-watch"))
(defn open-dev-electron-app
"Opens dev-electron-app when watch process has built main.js"
[]
(let [start-time (java.time.Instant/now)]
(dotimes [_n 1000]
(if (and (fs/exists? "static/js/main.js")
(task-util/file-modified-later-than? "static/js/main.js" start-time))
(shell "yarn dev-electron-app")
(println "Waiting for app to build..."))
(Thread/sleep 1000))))
(if (and (fs/exists? "static/js/main.js")
(task-util/file-modified-later-than? "static/js/main.js" start-time))
(shell {:shutdown nil} "yarn dev-electron-app")
(println "Waiting for app to build..."))
(Thread/sleep 1000))))
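Review bot: `watch` starts a long-running process (`yarn electron-watch`), and with `:shutdown nil` nothing is registered to stop it when bb exits, if `shell` otherwise installs its `destroy-tree` shutdown hook as I understand babashka.process to do. Outside the sandbox, an interrupted `bb` run may then leave the watcher and its children running and holding ports. The same applies to `npx shadow-cljs watch publishing` and `yarn app-watch` in the other files. A comment on these calls would record the trade-off, for example `;; :shutdown nil: the default destroy-tree hook fails with a sysctl error in the agent sandbox; the child is not cleaned up when bb exits`.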


@@ -19,14 +19,14 @@
"bb lang:validate-translations"
"bb lint:ns-docstrings"]]
(println cmd)
(shell cmd)))
(shell {:shutdown nil} cmd)))
(defn kondo-git-changes
"Run clj-kondo across dirs and only for files that git diff detects as unstaged changes"
[]
(let [kondo-dirs ["src" "deps/common" "deps/db" "deps/graph-parser" "deps/outliner" "deps/publishing" "deps/publish" "deps/cli"]
dir-regex (re-pattern (str "^(" (string/join "|" kondo-dirs) ")"))
dir-to-files (->> (shell {:out :string} "git diff --name-only")
dir-to-files (->> (shell {:out :string :shutdown nil} "git diff --name-only")
:out
string/split-lines
(filter #(re-find #"\.(cljs|clj|cljc)$" %))
@@ -39,13 +39,13 @@
files (mapv #(string/replace-first % (str dir "/") "") files*)
cmd (str "cd " dir " && clj-kondo --lint " (string/join " " files))
_ (println cmd)
res (apply shell {:dir dir :continue :true} "clj-kondo --lint" files)]
res (apply shell {:dir dir :continue :true :shutdown nil} "clj-kondo --lint" files)]
(when (pos? (:exit res)) (System/exit (:exit res)))))
(println "No clj* files have changed to lint."))))
(defn- validate-frontend-not-in-workers
[]
(let [res (shell {:out :string}
(let [res (shell {:out :string :shutdown nil}
"git grep -h" "\\[frontend.*:as"
"src/main/frontend/worker" "src/main/frontend/worker_common" "src/main/frontend/inference_worker")
req-lines (->> (:out res)
@@ -61,7 +61,7 @@
(defn- validate-workers-not-in-frontend
[]
(let [res (shell {:out :string :continue true}
(let [res (shell {:out :string :continue true :shutdown nil}
"grep -r --exclude-dir=worker --exclude-dir=inference_worker" "\\[frontend.worker.*:" "src/main/frontend")
;; allow reset-file b/c it's only affects tests
allowed-exceptions #{"src/main/frontend/handler/file_based/file.cljs: [frontend.worker.file.reset :as file-reset]"}
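Review bot: Every `shell` call in this file now carries its own `:shutdown nil`, as do the calls in the other five files, so the next `shell` call added without it brings the sandbox failure back. One wrapper in a shared namespace (such as the `task-util` one referenced elsewhere on this page) would keep the option in a single place. It would merge `{:shutdown nil}` into a leading options map, or supply the map when the first argument is a string, and then apply `shell`, with a docstring naming the sysctl error it works around. Separately, `:continue :true` on the `clj-kondo --lint` call passes a keyword where the other calls pass a boolean; it is truthy and works, but `:continue true` would be consistent.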


@@ -12,7 +12,7 @@
(loop [n 1000]
(if (and (fs/exists? "static/js/main.js")
(task-util/file-modified-later-than? "static/js/main.js" start-time))
(shell cmd)
(shell {:shutdown nil} cmd)
(println "Waiting for app to build..."))
(Thread/sleep 1000)
(when-not (or (and (fs/exists? "ios/App/App/public/js/main.js")
@@ -24,11 +24,11 @@
(defn- set-system-env
"Updates capacitor.config.ts serve url with IP from ifconfig"
[]
(let [ip (string/trim (:out (or (shell {:out :string :continue true} "ipconfig getifaddr en0")
(shell {:out :string} "ipconfig getifaddr en1"))))
(let [ip (string/trim (:out (or (shell {:out :string :continue true :shutdown nil} "ipconfig getifaddr en0")
(shell {:out :string :shutdown nil} "ipconfig getifaddr en1"))))
logseq-app-server-url (format "%s://%s:%s" "http" ip "3001")]
(println "Server URL:" logseq-app-server-url)
(shell "git checkout capacitor.config.ts")
(shell {:shutdown nil} "git checkout capacitor.config.ts")
(let [new-body (-> (slurp "capacitor.config.ts")
(string/replace "// , server:" " , server:")
(string/replace "// url:" " url:")
@@ -46,28 +46,28 @@
(doseq [cmd ["yarn clean"
"yarn app-watch"]]
(println cmd)
(shell cmd)))
(shell {:shutdown nil} cmd)))
(defn npx-cap-run-ios
"Copy assets files to iOS build directory, and run app in Xcode"
[]
(open-dev-app "npx cap sync ios")
(shell "npx cap open ios"))
(shell {:shutdown nil} "npx cap open ios"))
(defn npx-cap-run-android
"Copy assets files to Android build directory, and run app in Android Studio"
[]
(open-dev-app "npx cap sync android")
(shell "npx cap open android"))
(shell {:shutdown nil} "npx cap open android"))
(defn run-ios-release
"Build iOS app release"
[]
(shell "git checkout capacitor.config.ts")
(shell "yarn run-ios-release"))
(shell {:shutdown nil} "git checkout capacitor.config.ts")
(shell {:shutdown nil} "yarn run-ios-release"))
(defn run-android-release
"Build Android app release"
[]
(shell "git checkout capacitor.config.ts")
(shell "yarn run-android-release"))
(shell {:shutdown nil} "git checkout capacitor.config.ts")
(shell {:shutdown nil} "yarn run-android-release"))
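Review bot: In `set-system-env` the `or` can never reach the `en1` call: with `:continue true` the first `shell` returns its result map even when `ipconfig getifaddr en0` exits non-zero, and a map is always truthy. When en0 has no address, `ip` is blank and the printed server URL becomes `http://:3001`. Selecting on the exit code fixes it: `(let [en0 (shell {:out :string :continue true :shutdown nil} "ipconfig getifaddr en0")` followed by `ip (string/trim (:out (if (zero? (:exit en0)) en0 (shell {:out :string :shutdown nil} "ipconfig getifaddr en1"))))`. The function body continues past the end of the hunk.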


@@ -150,7 +150,7 @@
the ones defined for the default :en lang. This catches translations that have
been added in UI but don't have an entry or translations no longer used in the UI"
[{:keys [fix?]}]
(let [actual-dicts (->> (shell {:out :string}
(let [actual-dicts (->> (shell {:out :string :shutdown nil}
;; This currently assumes all ui translations
;; use (t and src/main. This can easily be
;; tweaked as needed