refactor: replace hardcoded pixel UID/GID literals with sandbox/user package constants

Author: deevus

internal/mcp/tools.go

@@ -18,6 +18,7 @@ import (
 
 	"github.com/deevus/pixels/internal/config"
 	"github.com/deevus/pixels/sandbox"
+	"github.com/deevus/pixels/sandbox/user"
 )
 
 // Tools is the dependency bundle every MCP handler closes over.
@@ -190,17 +191,6 @@ func (t *Tools) requireSandbox(name string) (Sandbox, error) {
 	return sb, nil
 }
 
-// pixelUID/pixelGID is the unprivileged sandbox user that MCP file operations
-// write as. Files written by the MCP write_file tool are chowned to this
-// owner so subsequent exec calls (which also run as this user) can read and
-// modify them. Hardcoded to match the convention established by the
-// provisioning scripts (rc.local creates `pixel` at uid 1000); MCP cannot
-// write root-owned files by design.
-const (
-	pixelUID = 1000
-	pixelGID = 1000
-)
-
 // editFileMaxBytes caps the in-memory read for EditFile. Editing past this
 // would silently truncate the rest of the file on write-back.
 const editFileMaxBytes = 10 * 1024 * 1024
@@ -628,7 +618,7 @@ func (t *Tools) WriteFile(ctx context.Context, in WriteFileIn) (WriteFileOut, er
 	}
 	defer t.Locks.Acquire(sb.Name)()
 
-	if err := t.Backend.WriteFile(ctx, sb.Name, in.Path, []byte(in.Content), mode, pixelUID, pixelGID); err != nil {
+	if err := t.Backend.WriteFile(ctx, sb.Name, in.Path, []byte(in.Content), mode, user.UID, user.GID); err != nil {
 		return WriteFileOut{}, err
 	}
 	t.touch(sb.Name)
@@ -710,7 +700,7 @@ func (t *Tools) EditFile(ctx context.Context, in EditFileIn) (EditFileOut, error
 		updated = strings.Replace(original, in.OldString, in.NewString, 1)
 	}
 
-	if err := t.Backend.WriteFile(ctx, sb.Name, in.Path, []byte(updated), 0o644, pixelUID, pixelGID); err != nil {
+	if err := t.Backend.WriteFile(ctx, sb.Name, in.Path, []byte(updated), 0o644, user.UID, user.GID); err != nil {
 		return EditFileOut{}, fmt.Errorf("write: %w", err)
 	}
 	t.touch(sb.Name)

internal/mcp/tools_test.go

@@ -14,6 +14,7 @@ import (
 
 	"github.com/deevus/pixels/internal/config"
 	"github.com/deevus/pixels/sandbox"
+	"github.com/deevus/pixels/sandbox/user"
 )
 
 type cloneRecord struct {
@@ -926,7 +927,7 @@ func TestWriteFileChownsToPixel(t *testing.T) {
 	if !ok {
 		t.Fatal("WriteFile must request explicit ownership for MCP tools")
 	}
-	if want := [2]int{pixelUID, pixelGID}; got != want {
+	if want := [2]int{user.UID, user.GID}; got != want {
 		t.Errorf("owner = %v, want %v (MCP must always write as the pixel user)", got, want)
 	}
 }
@@ -948,7 +949,7 @@ func TestEditFileChownsToPixel(t *testing.T) {
 	if !ok {
 		t.Fatal("EditFile must request explicit ownership when writing back")
 	}
-	if want := [2]int{pixelUID, pixelGID}; got != want {
+	if want := [2]int{user.UID, user.GID}; got != want {
 		t.Errorf("owner = %v, want %v", got, want)
 	}
 }

sandbox/incus/config.go

@@ -6,6 +6,8 @@ import (
 	"path/filepath"
 	"strconv"
 	"strings"
+
+	"github.com/deevus/pixels/sandbox/user"
 )
 
 // incusCfg holds parsed backend configuration.
@@ -51,8 +53,8 @@ func parseCfg(m map[string]string) (*incusCfg, error) {
 		pool:        "default",
 		sshUser:     "pixel",
 		sshKey:      "~/.ssh/id_ed25519",
-		uid:         1000,
-		gid:         1000,
+		uid:         user.UID,
+		gid:         user.GID,
 		provision:   true,
 		devtools:    true,
 		egress:      "unrestricted",

sandbox/truenas/client_test.go

@@ -237,7 +237,7 @@ func TestProvision(t *testing.T) {
 				DevTools:  true,
 			},
 			pool:      "tank",
-			wantCalls: 8, // dns + sshd config + profile.d + env + root key + pixel key + setup script + rc.local
+			wantCalls: 9, // dns + sshd config + profile.d + env + root key + pixel key + mise.toml + setup script + rc.local
 			check: func(t *testing.T, calls []fsWriteCall) {
 				paths := make(map[string]fsWriteCall)
 				for _, c := range calls {
@@ -256,12 +256,20 @@ func TestProvision(t *testing.T) {
 				if setup.mode != 0o755 {
 					t.Errorf("setup script mode = %o, want 755", setup.mode)
 				}
-				for _, want := range []string{"mise", "claude-code", "opencode", "codex", "su - pixel"} {
+				for _, want := range []string{"mise install", "su - pixel"} {
 					if !strings.Contains(setup.content, want) {
 						t.Errorf("setup script missing %q", want)
 					}
 				}
 
+				// mise.toml lists the tools mise install will pull in.
+				mise := paths[rootfs+"/home/pixel/.config/mise/config.toml"]
+				for _, want := range []string{"claude-code", "opencode", "codex"} {
+					if !strings.Contains(mise.content, want) {
+						t.Errorf("mise.toml missing %q", want)
+					}
+				}
+
 				// No systemd unit should be written.
 				if _, ok := paths[rootfs+"/etc/systemd/system/pixels-devtools.service"]; ok {
 					t.Error("systemd unit should not be written (zmx handles devtools)")