From 2ff854f79ae867d03c9e2404e0d356eacbc42d25 Mon Sep 17 00:00:00 2001
From: RockChinQ
Date: Sun, 21 Jun 2026 08:15:02 -0400
Subject: [PATCH] build(Dockerfile): install Node.js LTS so sandbox can run npx-based stdio MCP servers The final runtime image (used by langbot/plugin_runtime/box) shipped uv and docker-cli but no node, so any npx-launched stdio MCP server inside the box sandbox exited with return_code=127 (command not found). Install Node.js 22 LTS via NodeSource; node/npx land in /usr/bin, which is on the nsjail read-only mount whitelist (_READONLY_SYSTEM_MOUNTS) and is bound into the sandbox chroot automatically.
---
 Dockerfile | 9 +++++++++
 1 file changed, 9 insertions(+)
diff --git a/Dockerfile b/Dockerfile
index 59c9331a6..99fce8f2b 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -52,6 +52,15 @@ RUN apt-get update \
 && echo "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.asc] https://download.docker.com/linux/debian $(. /etc/os-release && echo \"$VERSION_CODENAME\") stable" > /etc/apt/sources.list.d/docker.list \
 && apt-get update \
 && apt-get install -y --no-install-recommends docker-ce-cli \
+ # Install Node.js LTS so the sandbox (nsjail/Docker box) can run npx-based
+ # stdio MCP servers. node/npx land in /usr/bin, which is on the nsjail
+ # read-only mount whitelist (_READONLY_SYSTEM_MOUNTS), so they are bound
+ # into the sandbox chroot automatically. Without node, any npx-launched
+ # MCP server exits with return_code=127 (command not found).
+ && curl -fsSL https://deb.nodesource.com/setup_22.x -o /tmp/nodesource_setup.sh \
+ && bash /tmp/nodesource_setup.sh \
+ && apt-get install -y --no-install-recommends nodejs \
+ && rm -f /tmp/nodesource_setup.sh \
 && python -m pip install --no-cache-dir uv \
 && uv sync \
 && apt-get purge -y --auto-remove curl gnupg \
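Review bot: The added `curl … setup_22.x -o /tmp/nodesource_setup.sh` followed by `bash /tmp/nodesource_setup.sh` executes a remotely fetched script as root during the build with no integrity check, whereas the Docker CLI just above it in the same RUN is installed from a repository bound to a key through `signed-by=`. Registering the NodeSource repository the same way limits the trust decision to one key file and a fixed repo line, instead of running whatever the setup URL serves on the day of the build. The key URL and `nodistro` suite in the sketch below should be confirmed against NodeSource's current instructions, and the sketch assumes `/etc/apt/keyrings` already exists from the Docker step, which lies outside the hunk. The added comment could also state that `npx` resolves packages from the npm registry at launch time, so MCP server specs run inside the box should be version-pinned. The RUN instruction starts before and continues past this hunk.

```dockerfile
    && apt-get install -y --no-install-recommends docker-ce-cli \
    # … unchanged: comment explaining why Node.js is installed …
    && curl -fsSL https://deb.nodesource.com/gpgkey/nodesource-repo.gpg.key -o /etc/apt/keyrings/nodesource.asc \
    && chmod a+r /etc/apt/keyrings/nodesource.asc \
    && echo "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/nodesource.asc] https://deb.nodesource.com/node_22.x nodistro main" > /etc/apt/sources.list.d/nodesource.list \
    && apt-get update \
    && apt-get install -y --no-install-recommends nodejs \
    # … unchanged: pip install uv, uv sync, purge of curl/gnupg …
```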