feat(studio-bridge): transparent Docker delegation for process run

When `process run` detects Linux without Wine but with Docker available,
it transparently delegates to the pre-built container image. Cookie
validation runs before delegation to fail fast on bad credentials.

Also adds environment guards to linux auth/setup/status commands with
clear error messages, bakes aftman/rojo into the Docker image, and
moves validateCookieAsync to nevermore-cli-helpers for shared use.

Author: Quenty

.github/workflows/studio-linux-e2e.yml

@@ -43,11 +43,6 @@ jobs:
       - name: Install dependencies
         run: pnpm install --frozen-lockfile
 
-      - name: Setup Aftman
-        uses: ok-nick/setup-aftman@v0.4.2
-        with:
-          token: ${{ secrets.GITHUB_TOKEN }}
-
       - name: Build all tools
         run: pnpm -r --filter './tools/**' run build
 
@@ -58,20 +53,6 @@ jobs:
       - name: Verify environment health (pre-auth)
         run: studio-bridge linux status
 
-      - name: Validate cookie
-        if: ${{ env.ROBLOSECURITY != '' }}
-        run: |
-          STATUS=$(curl -s -o /dev/null -w "%{http_code}" \
-            -H "Cookie: .ROBLOSECURITY=$ROBLOSECURITY" \
-            https://users.roblox.com/v1/users/authenticated)
-          if [ "$STATUS" != "200" ]; then
-            echo "::error::ROBLOSECURITY cookie is invalid (HTTP $STATUS). Update the repository secret."
-            exit 1
-          fi
-          echo "Cookie validated (HTTP $STATUS)"
-        env:
-          ROBLOSECURITY: ${{ secrets.ROBLOSECURITY }}
-
       - name: Inject authentication
         if: ${{ env.ROBLOSECURITY != '' }}
         run: studio-bridge linux auth --verbose

tools/nevermore-cli-helpers/src/auth/roblox-auth/index.ts

@@ -153,6 +153,34 @@ export async function createPlaceInUniverseAsync(
   return placeId;
 }
 
+/**
+ * Validates the ROBLOSECURITY cookie against the Roblox API.
+ * Exits with an error if the cookie is invalid. Continues with a
+ * warning if the network request itself fails (offline scenario).
+ */
+export async function validateCookieAsync(cookie: string): Promise<void> {
+  try {
+    const response = await fetch('https://users.roblox.com/v1/users/authenticated', {
+      headers: {
+        Cookie: `.ROBLOSECURITY=${cookie}`,
+      },
+    });
+
+    if (response.status !== 200) {
+      OutputHelper.error(
+        `ROBLOSECURITY cookie is invalid or expired (HTTP ${response.status}). Update the cookie and try again.`,
+      );
+      process.exit(1);
+    }
+
+    OutputHelper.verbose('ROBLOSECURITY cookie validated successfully.');
+  } catch {
+    OutputHelper.warn(
+      'Could not validate ROBLOSECURITY cookie (network error). Continuing anyway.',
+    );
+  }
+}
+
 export interface RenamePlaceResult {
   success: boolean;
   reason?: 'no_cookie' | 'api_error';

tools/nevermore-cli-helpers/src/auth/roblox-auth/validate-cookie.test.ts

@@ -0,0 +1,63 @@
+import { describe, it, expect, vi, beforeEach, afterEach } from 'vitest';
+
+vi.mock('@quenty/cli-output-helpers', () => ({
+  OutputHelper: {
+    error: vi.fn(),
+    warn: vi.fn(),
+    info: vi.fn(),
+    verbose: vi.fn(),
+  },
+}));
+
+import { validateCookieAsync } from './index.js';
+import { OutputHelper } from '@quenty/cli-output-helpers';
+
+const mockedOutputHelper = vi.mocked(OutputHelper);
+
+describe('validateCookieAsync', () => {
+  const originalFetch = globalThis.fetch;
+
+  beforeEach(() => {
+    vi.restoreAllMocks();
+  });
+
+  afterEach(() => {
+    globalThis.fetch = originalFetch;
+  });
+
+  it('continues without error when cookie is valid (HTTP 200)', async () => {
+    const exitSpy = vi.spyOn(process, 'exit').mockImplementation(() => undefined as never);
+    globalThis.fetch = vi.fn().mockResolvedValue({ status: 200 });
+
+    await validateCookieAsync('valid-cookie');
+
+    expect(exitSpy).not.toHaveBeenCalled();
+    expect(mockedOutputHelper.error).not.toHaveBeenCalled();
+    expect(mockedOutputHelper.warn).not.toHaveBeenCalled();
+  });
+
+  it('exits with error when cookie is invalid (HTTP 401)', async () => {
+    const exitSpy = vi.spyOn(process, 'exit').mockImplementation(() => undefined as never);
+    globalThis.fetch = vi.fn().mockResolvedValue({ status: 401 });
+
+    await validateCookieAsync('expired-cookie');
+
+    expect(mockedOutputHelper.error).toHaveBeenCalledWith(
+      'ROBLOSECURITY cookie is invalid or expired (HTTP 401). Update the cookie and try again.',
+    );
+    expect(exitSpy).toHaveBeenCalledWith(1);
+  });
+
+  it('continues with warning when fetch throws (network error)', async () => {
+    const exitSpy = vi.spyOn(process, 'exit').mockImplementation(() => undefined as never);
+    globalThis.fetch = vi.fn().mockRejectedValue(new Error('network error'));
+
+    await validateCookieAsync('some-cookie');
+
+    expect(mockedOutputHelper.warn).toHaveBeenCalledWith(
+      'Could not validate ROBLOSECURITY cookie (network error). Continuing anyway.',
+    );
+    expect(exitSpy).not.toHaveBeenCalled();
+    expect(mockedOutputHelper.error).not.toHaveBeenCalled();
+  });
+});

tools/nevermore-cli-helpers/src/utils.ts

@@ -4,6 +4,7 @@ export {
   getRobloxCookieAsync,
   createPlaceInUniverseAsync,
   tryRenamePlaceAsync,
+  validateCookieAsync,
 } from './auth/roblox-auth/index.js';
 export type { RenamePlaceResult } from './auth/roblox-auth/index.js';
 export { COOKIE_NAME, parseStudioCookieValue } from './auth/roblox-auth/cookie-parser.js';

tools/studio-bridge/docker/Dockerfile

@@ -32,11 +32,24 @@ RUN curl -fsSL https://deb.nodesource.com/setup_22.x | bash - \
     && corepack enable pnpm \
     && apt-get clean && rm -rf /var/lib/apt/lists/*
 
+# --- Aftman binary ---
+RUN curl -fsSL https://github.com/LPGhatguy/aftman/releases/download/v0.3.0/aftman-0.3.0-linux-x86_64.zip \
+        -o /tmp/aftman.zip \
+    && unzip -o /tmp/aftman.zip -d /tmp/aftman \
+    && install -m 755 /tmp/aftman/aftman /usr/local/bin/aftman \
+    && rm -rf /tmp/aftman.zip /tmp/aftman
+
 # --- Non-root user ---
 RUN useradd -m -s /bin/bash studio
 USER studio
 WORKDIR /home/studio
 
+# --- Install Aftman tools (rojo, lune, etc.) ---
+# aftman.toml lives in $HOME so shims can find it from any CWD
+COPY --from=workspace --chown=studio:studio aftman.toml /home/studio/aftman.toml
+RUN mkdir -p /home/studio/.aftman/bin \
+    && aftman install --no-trust-check
+
 # --- Build studio-bridge from source (via named build context "workspace") ---
 COPY --from=workspace --chown=studio:studio package.json pnpm-workspace.yaml pnpm-lock.yaml tsconfig.json /home/studio/build/
 COPY --from=workspace --chown=studio:studio tools/ /home/studio/build/tools/
@@ -81,7 +94,7 @@ ENV STUDIO_DIR=/home/studio/roblox-studio \
     MESA_GL_VERSION_OVERRIDE=4.5 \
     MESA_GLSL_VERSION_OVERRIDE=450 \
     NPM_CONFIG_PREFIX=/home/studio/.npm-global \
-    PATH=/home/studio/.npm-global/bin:$PATH
+    PATH=/home/studio/.aftman/bin:/home/studio/.npm-global/bin:$PATH
 
 COPY --chown=studio:studio entrypoint.sh /home/studio/entrypoint.sh
 RUN chmod +x /home/studio/entrypoint.sh

tools/studio-bridge/src/cli/script-executor.ts

@@ -24,6 +24,7 @@ export interface ExecuteScriptOptions {
   timeoutMs: number;
   verbose: boolean;
   showLogs: boolean;
+  filePath?: string;
 }
 
 /**
@@ -52,6 +53,15 @@ export async function resolvePlacePathAsync(
 export async function executeScriptAsync(
   options: ExecuteScriptOptions
 ): Promise<void> {
+  const { shouldDelegateToDockerAsync, delegateToDockerAsync } =
+    await import('../docker/docker-delegator.js');
+
+  if (await shouldDelegateToDockerAsync()) {
+    OutputHelper.verbose('[StudioBridge] No Wine detected, delegating to Docker');
+    await delegateToDockerAsync(options);
+    return; // unreachable — delegateToDockerAsync calls process.exit
+  }
+
   const { scriptContent, packageName, placePath, timeoutMs, verbose, showLogs } =
     options;
 

tools/studio-bridge/src/commands/linux/auth/auth.ts

@@ -7,6 +7,7 @@ import { defineCommand } from '../../framework/define-command.js';
 import { arg } from '../../framework/arg-builder.js';
 import { OutputHelper } from '@quenty/cli-output-helpers';
 import { getRobloxCookieAsync } from '@quenty/nevermore-cli-helpers';
+import { checkLinuxEnvironmentAsync } from '../../../linux/linux-env-guard.js';
 
 // ---------------------------------------------------------------------------
 // Types
@@ -43,6 +44,12 @@ function readStdinAsync(): Promise<string> {
 
 export async function authHandlerAsync(args: AuthArgs): Promise<AuthResult> {
   try {
+    const envError = await checkLinuxEnvironmentAsync();
+    if (envError) {
+      OutputHelper.error(envError);
+      process.exit(1);
+    }
+
     const linux = await import('../../../linux/index.js');
     const config = linux.resolveLinuxConfig();
 
@@ -61,6 +68,10 @@ export async function authHandlerAsync(args: AuthArgs): Promise<AuthResult> {
       cookie = await getRobloxCookieAsync();
     }
 
+    // Validate cookie before attempting Wine injection
+    const { validateCookieAsync } = await import('@quenty/nevermore-cli-helpers');
+    await validateCookieAsync(cookie);
+
     // Ensure display is running (Wine needs it for credential write)
     await linux.ensureDisplayAsync(config);
 
@@ -87,7 +98,7 @@ export async function authHandlerAsync(args: AuthArgs): Promise<AuthResult> {
 export const linuxAuthCommand = defineCommand<AuthArgs, AuthResult>({
   group: 'linux',
   name: 'auth',
-  description: 'Inject .ROBLOSECURITY cookie into Wine Credential Manager',
+  description: 'Inject .ROBLOSECURITY cookie into Wine Credential Manager (within Docker image or Linux with Wine)',
   category: 'infrastructure',
   safety: 'none',
   scope: 'standalone',

tools/studio-bridge/src/commands/linux/setup/setup.ts

@@ -6,6 +6,7 @@
 import { defineCommand } from '../../framework/define-command.js';
 import { arg } from '../../framework/arg-builder.js';
 import { OutputHelper } from '@quenty/cli-output-helpers';
+import { checkLinuxEnvironmentAsync } from '../../../linux/linux-env-guard.js';
 
 // ---------------------------------------------------------------------------
 // Types
@@ -30,6 +31,12 @@ interface SetupResult {
 
 export async function setupHandlerAsync(args: SetupArgs): Promise<SetupResult> {
   try {
+    const envError = await checkLinuxEnvironmentAsync();
+    if (envError) {
+      OutputHelper.error(envError);
+      process.exit(1);
+    }
+
     const linux = await import('../../../linux/index.js');
     const config = linux.resolveLinuxConfig();
 
@@ -119,7 +126,7 @@ export async function setupHandlerAsync(args: SetupArgs): Promise<SetupResult> {
 export const linuxSetupCommand = defineCommand<SetupArgs, SetupResult>({
   group: 'linux',
   name: 'setup',
-  description: 'Install Wine dependencies and Roblox Studio for headless Linux operation',
+  description: 'Install Wine + Roblox Studio for headless Linux operation (within Docker image or Linux with Wine)',
   category: 'infrastructure',
   safety: 'none',
   scope: 'standalone',

tools/studio-bridge/src/commands/linux/status/status.ts

@@ -6,6 +6,7 @@
 import * as fs from 'fs/promises';
 import { defineCommand } from '../../framework/define-command.js';
 import { OutputHelper } from '@quenty/cli-output-helpers';
+import { checkLinuxEnvironmentAsync } from '../../../linux/linux-env-guard.js';
 
 // ---------------------------------------------------------------------------
 // Types
@@ -48,6 +49,12 @@ async function fileExistsAsync(filePath: string): Promise<boolean> {
 
 export async function statusHandlerAsync(_args: StatusArgs): Promise<StatusResult> {
   try {
+    const envError = await checkLinuxEnvironmentAsync();
+    if (envError) {
+      OutputHelper.error(envError);
+      process.exit(1);
+    }
+
     const linux = await import('../../../linux/index.js');
     const config = linux.resolveLinuxConfig();
     let allOk = true;
@@ -176,7 +183,7 @@ export async function statusHandlerAsync(_args: StatusArgs): Promise<StatusResul
 export const linuxStatusCommand = defineCommand<StatusArgs, StatusResult>({
   group: 'linux',
   name: 'status',
-  description: 'Check Linux/Wine environment health for Studio',
+  description: 'Check Linux/Wine environment health for Studio (within Docker image or Linux with Wine)',
   category: 'infrastructure',
   safety: 'none',
   scope: 'standalone',

tools/studio-bridge/src/commands/process/run/run.ts

@@ -21,6 +21,7 @@ export interface ProcessRunOptions {
   timeoutMs: number;
   verbose: boolean;
   showLogs: boolean;
+  filePath?: string;
 }
 
 export interface ProcessRunResult {
@@ -107,6 +108,7 @@ export const processRunCommand = defineCommand<ProcessRunArgs, ProcessRunResult>
       timeoutMs: args.timeout ?? 120_000,
       verbose: false,
       showLogs: true,
+      filePath: args.file,
     });
   },
   // No MCP config -- process run is CLI-only