Codex/shared python sdk runtime

Cargo.toml

@@ -21,6 +21,7 @@ members = [
   "crates/acp-registry-client",
   "crates/peekoo-mcp-server",
   "crates/peekoo-analytics",
+  "crates/peekoo-python-sdk",
   "apps/desktop-tauri/src-tauri",
 ]
 resolver = "2"
@@ -42,4 +43,3 @@ strip = true
 
 
 
-

apps/desktop-tauri/src-tauri/gen/schemas/macOS-schema.json

@@ -2636,6 +2636,60 @@
           "const": "notification:deny-show",
           "markdownDescription": "Denies the show command without any pre-configured scope."
         },
+        {
+          "description": "Default permissions for the plugin\n#### This default permission set includes:\n\n- `allow-capture`\n- `allow-identify`\n- `allow-alias`\n- `allow-reset`\n- `allow-get-distinct-id`\n- `allow-get-config`",
+          "type": "string",
+          "const": "posthog:default",
+          "markdownDescription": "Default permissions for the plugin\n#### This default permission set includes:\n\n- `allow-capture`\n- `allow-identify`\n- `allow-alias`\n- `allow-reset`\n- `allow-get-distinct-id`\n- `allow-get-config`"
+        },
+        {
+          "description": "Allows creating user aliases in PostHog",
+          "type": "string",
+          "const": "posthog:allow-alias",
+          "markdownDescription": "Allows creating user aliases in PostHog"
+        },
+        {
+          "description": "Allows capturing PostHog events",
+          "type": "string",
+          "const": "posthog:allow-capture",
+          "markdownDescription": "Allows capturing PostHog events"
+        },
+        {
+          "description": "Allows getting PostHog configuration for frontend initialization",
+          "type": "string",
+          "const": "posthog:allow-get-config",
+          "markdownDescription": "Allows getting PostHog configuration for frontend initialization"
+        },
+        {
+          "description": "Allows getting the current distinct ID",
+          "type": "string",
+          "const": "posthog:allow-get-distinct-id",
+          "markdownDescription": "Allows getting the current distinct ID"
+        },
+        {
+          "description": "Allows identifying users in PostHog",
+          "type": "string",
+          "const": "posthog:allow-identify",
+          "markdownDescription": "Allows identifying users in PostHog"
+        },
+        {
+          "description": "Enables the ping command without any pre-configured scope.",
+          "type": "string",
+          "const": "posthog:allow-ping",
+          "markdownDescription": "Enables the ping command without any pre-configured scope."
+        },
+        {
+          "description": "Allows resetting user data in PostHog",
+          "type": "string",
+          "const": "posthog:allow-reset",
+          "markdownDescription": "Allows resetting user data in PostHog"
+        },
+        {
+          "description": "Denies the ping command without any pre-configured scope.",
+          "type": "string",
+          "const": "posthog:deny-ping",
+          "markdownDescription": "Denies the ping command without any pre-configured scope."
+        },
         {
           "description": "This permission set configures which\nprocess features are by default exposed.\n\n#### Granted Permissions\n\nThis enables to quit via `allow-exit` and restart via `allow-restart`\nthe application.\n\n#### This default permission set includes:\n\n- `allow-exit`\n- `allow-restart`",
           "type": "string",
@@ -2666,6 +2720,48 @@
           "const": "process:deny-restart",
           "markdownDescription": "Denies the restart command without any pre-configured scope."
         },
+        {
+          "description": "Allows all required permissions (envelope, breadcrumb)\n#### This default permission set includes:\n\n- `allow-envelope`\n- `allow-breadcrumb`",
+          "type": "string",
+          "const": "sentry:default",
+          "markdownDescription": "Allows all required permissions (envelope, breadcrumb)\n#### This default permission set includes:\n\n- `allow-envelope`\n- `allow-breadcrumb`"
+        },
+        {
+          "description": "Enables the breadcrumb command.",
+          "type": "string",
+          "const": "sentry:allow-breadcrumb",
+          "markdownDescription": "Enables the breadcrumb command."
+        },
+        {
+          "description": "Enables the envelope command.",
+          "type": "string",
+          "const": "sentry:allow-envelope",
+          "markdownDescription": "Enables the envelope command."
+        },
+        {
+          "description": "Enables the event command without any pre-configured scope.",
+          "type": "string",
+          "const": "sentry:allow-event",
+          "markdownDescription": "Enables the event command without any pre-configured scope."
+        },
+        {
+          "description": "Denies the breadcrumb command.",
+          "type": "string",
+          "const": "sentry:deny-breadcrumb",
+          "markdownDescription": "Denies the breadcrumb command."
+        },
+        {
+          "description": "Denies the envelope command.",
+          "type": "string",
+          "const": "sentry:deny-envelope",
+          "markdownDescription": "Denies the envelope command."
+        },
+        {
+          "description": "Denies the event command without any pre-configured scope.",
+          "type": "string",
+          "const": "sentry:deny-event",
+          "markdownDescription": "Denies the event command without any pre-configured scope."
+        },
         {
           "description": "This permission set configures which\nshell functionality is exposed by default.\n\n#### Granted Permissions\n\nIt allows to use the `open` functionality with a reasonable\nscope pre-configured. It will allow opening `http(s)://`,\n`tel:` and `mailto:` links.\n\n#### This default permission set includes:\n\n- `allow-open`",
           "type": "string",

crates/peekoo-plugin-host/src/host_functions.rs

@@ -884,13 +884,32 @@ fn host_process_exec(
 ) -> Result<(), Error> {
     let ctx = user_data.get().map_err(|e| Error::msg(format!("{e}")))?;
     let ctx = ctx.lock().map_err(|e| Error::msg(format!("{e}")))?;
-    require_declared_capability(&ctx, "process:exec")?;
+    if let Err(err) = require_declared_capability(&ctx, "process:exec") {
+        let response = serde_json::json!({
+            "ok": false,
+            "statusCode": -1,
+            "stdout": "",
+            "stderr": err.to_string(),
+        })
+        .to_string();
+        write_output(plugin, outputs, &response)?;
+        return Ok(());
+    }
+
     let input_str = read_input(plugin, inputs)?;
     let req: serde_json::Value = serde_json::from_str(&input_str).unwrap_or_default();
 
     let program = req["program"].as_str().unwrap_or_default().trim();
     if program.is_empty() {
-        return Err(Error::msg("process program is required"));
+        let response = serde_json::json!({
+            "ok": false,
+            "statusCode": -1,
+            "stdout": "",
+            "stderr": "process program is required",
+        })
+        .to_string();
+        write_output(plugin, outputs, &response)?;
+        return Ok(());
     }
 
     let args = req["args"]
@@ -903,13 +922,44 @@ fn host_process_exec(
         .unwrap_or_default();
 
     let cwd = req["cwd"].as_str().unwrap_or(".");
-    let resolved_cwd = resolve_process_cwd(&ctx, cwd)?;
+    let resolved_cwd = match resolve_process_cwd(&ctx, cwd) {
+        Ok(path) => path,
+        Err(err) => {
+            let response = serde_json::json!({
+                "ok": false,
+                "statusCode": -1,
+                "stdout": "",
+                "stderr": err.to_string(),
+            })
+            .to_string();
+            write_output(plugin, outputs, &response)?;
+            return Ok(());
+        }
+    };
 
-    let output = Command::new(program)
+    let resolved_program = resolve_process_program(program, &resolved_cwd);
+    let output = match Command::new(&resolved_program)
         .args(&args)
         .current_dir(&resolved_cwd)
         .output()
-        .map_err(|e| Error::msg(format!("Process spawn failed: {e}")))?;
+    {
+        Ok(output) => output,
+        Err(e) => {
+            let response = serde_json::json!({
+                "ok": false,
+                "statusCode": -1,
+                "stdout": "",
+                "stderr": format!(
+                    "Process spawn failed: program='{}' cwd='{}' ({e})",
+                    resolved_program.display(),
+                    resolved_cwd.display()
+                ),
+            })
+            .to_string();
+            write_output(plugin, outputs, &response)?;
+            return Ok(());
+        }
+    };
 
     let stdout = String::from_utf8_lossy(&output.stdout).to_string();
     let stderr = String::from_utf8_lossy(&output.stderr).to_string();
@@ -930,6 +980,22 @@ fn host_process_exec(
     Ok(())
 }
 
+fn resolve_process_program(program: &str, cwd: &Path) -> PathBuf {
+    let expanded = expand_tilde_path(program);
+    let candidate = PathBuf::from(expanded);
+    if candidate.is_absolute() {
+        return candidate;
+    }
+
+    // Keep PATH lookup behavior for plain command names (e.g. "python3").
+    let has_path_separator = program.contains('/') || program.contains('\\');
+    if !has_path_separator {
+        return candidate;
+    }
+
+    cwd.join(candidate)
+}
+
 fn host_set_mood(
     plugin: &mut CurrentPlugin,
     inputs: &[Val],

crates/peekoo-plugin-sdk/src/lib.rs

@@ -96,6 +96,7 @@ pub mod log;
 pub mod mood;
 pub mod notify;
 pub mod oauth;
+pub mod process;
 pub mod schedule;
 pub mod secrets;
 pub mod state;
@@ -125,6 +126,7 @@ pub mod peekoo {
     pub use crate::mood;
     pub use crate::notify;
     pub use crate::oauth;
+    pub use crate::process;
     pub use crate::schedule;
     pub use crate::secrets;
     pub use crate::state;

crates/peekoo-python-sdk/Cargo.toml

@@ -0,0 +1,8 @@
+[package]
+name = "peekoo-python-sdk"
+version = "0.1.0"
+edition = "2024"
+license = "MIT"
+
+[lib]
+path = "src/lib.rs"

crates/peekoo-python-sdk/scripts/build_runtime_package.sh

@@ -0,0 +1,56 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+REQ_FILE="${1:-}"
+OUT_FILE="${2:-}"
+
+if [[ -z "$REQ_FILE" || -z "$OUT_FILE" ]]; then
+  echo "usage: $0 <requirements.txt> <output.tar.gz>" >&2
+  exit 1
+fi
+
+if [[ ! -f "$REQ_FILE" ]]; then
+  echo "requirements file not found: $REQ_FILE" >&2
+  exit 1
+fi
+
+platform="$(uname -s | tr '[:upper:]' '[:lower:]')"
+arch="$(uname -m)"
+case "$platform:$arch" in
+  darwin:arm64) target_triple="aarch64-apple-darwin" ;;
+  darwin:x86_64) target_triple="x86_64-apple-darwin" ;;
+  linux:x86_64) target_triple="x86_64-unknown-linux-gnu" ;;
+  linux:aarch64) target_triple="aarch64-unknown-linux-gnu" ;;
+  *)
+    echo "unsupported platform: $platform/$arch" >&2
+    exit 1
+    ;;
+esac
+
+release_tag="${PEEKOO_PYTHON_STANDALONE_TAG:-20250317}"
+archive_url="${PEEKOO_PYTHON_STANDALONE_URL:-https://github.com/indygreg/python-build-standalone/releases/download/${release_tag}/cpython-3.12.9+${release_tag}-${target_triple}-install_only.tar.gz}"
+
+workdir="$(mktemp -d)"
+trap 'rm -rf "$workdir"' EXIT
+
+archive_path="$workdir/python-runtime.tar.gz"
+curl -fL "$archive_url" -o "$archive_path"
+tar -xzf "$archive_path" -C "$workdir"
+
+if [[ -x "$workdir/python/bin/python3" ]]; then
+  py_bin="$workdir/python/bin/python3"
+elif [[ -x "$workdir/python/bin/python" ]]; then
+  py_bin="$workdir/python/bin/python"
+else
+  echo "python binary not found in extracted runtime" >&2
+  exit 1
+fi
+
+"$py_bin" -m ensurepip --upgrade || true
+"$py_bin" -m pip install --upgrade pip setuptools wheel
+"$py_bin" -m pip install --no-cache-dir -r "$REQ_FILE"
+
+mkdir -p "$(dirname "$OUT_FILE")"
+tar -czf "$OUT_FILE" -C "$workdir" python
+
+echo "Python runtime package created: $OUT_FILE"

crates/peekoo-python-sdk/scripts/install_runtime_package.sh

@@ -0,0 +1,21 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+PACKAGE_FILE="${1:-}"
+TARGET_DIR="${2:-$HOME/.peekoo/python-sdk}"
+
+if [[ -z "$PACKAGE_FILE" ]]; then
+  echo "usage: $0 <runtime-package.tar.gz> [target-dir]" >&2
+  exit 1
+fi
+
+if [[ ! -f "$PACKAGE_FILE" ]]; then
+  echo "package file not found: $PACKAGE_FILE" >&2
+  exit 1
+fi
+
+mkdir -p "$TARGET_DIR"
+rm -rf "$TARGET_DIR/python"
+tar -xzf "$PACKAGE_FILE" -C "$TARGET_DIR"
+
+echo "Python runtime installed to: $TARGET_DIR/python"

crates/peekoo-python-sdk/src/lib.rs

@@ -0,0 +1,39 @@
+pub const SHARED_PYTHON_SDK_ROOT: &str = "~/.peekoo/python-sdk";
+
+pub fn shared_python_candidates() -> Vec<String> {
+    vec![
+        format!("{SHARED_PYTHON_SDK_ROOT}/python/bin/python3"),
+        format!("{SHARED_PYTHON_SDK_ROOT}/python/bin/python"),
+        format!("{SHARED_PYTHON_SDK_ROOT}/python/python.exe"),
+        format!("{SHARED_PYTHON_SDK_ROOT}/python/bin/python.exe"),
+    ]
+}
+
+pub fn plugin_local_python_candidates() -> Vec<String> {
+    vec![
+        "runtime/python/bin/python3".to_string(),
+        "runtime/python/bin/python".to_string(),
+        "runtime/python/python.exe".to_string(),
+        "runtime/python/bin/python.exe".to_string(),
+    ]
+}
+
+pub fn system_python_candidates() -> Vec<String> {
+    vec![
+        "python3".to_string(),
+        "python".to_string(),
+        "py".to_string(),
+    ]
+}
+
+pub fn all_python_candidates() -> Vec<String> {
+    let mut out = Vec::new();
+    out.extend(shared_python_candidates());
+    out.extend(plugin_local_python_candidates());
+    out.extend(system_python_candidates());
+    out
+}
+
+pub fn is_spawn_error_message(message: &str) -> bool {
+    message.contains("Process spawn failed")
+}