[Bug] .npmrc tmpfs mount creates empty directory instead of hiding file #763

@Mossaka

Summary

PR #738 replaced individual /dev/null file mounts with directory-level tmpfs overlays for credential hiding. However, ~/.npmrc is a file, not a directory. Mounting tmpfs over a file path creates an empty directory at that path, which can confuse tools that check for .npmrc existence.

Problem

In src/docker-manager.ts, the credential hiding logic creates tmpfs mounts for these paths:

~/.docker, ~/.ssh, ~/.aws, ~/.kube, ~/.azure, 
~/.config/gcloud, ~/.config/gh, ~/.cargo, ~/.composer, ~/.npmrc

All of these except ~/.npmrc are directories. For directories, tmpfs works correctly - it creates an empty in-memory filesystem that shadows the real directory contents.

For ~/.npmrc (a file), Docker creates an empty directory named .npmrc instead. This means:

  • test -f ~/.npmrc returns false (it's a directory now, not a file)
  • test -d ~/.npmrc returns true (unexpected)
  • npm config list may behave differently with a directory vs. no file
  • Tools that check if [ -e ~/.npmrc ] will see "something exists" but reading it will fail differently than expected

Expected Behavior

~/.npmrc should either:

  1. Not exist at all (as if the file was deleted), OR
  2. Exist as an empty file (as the old /dev/null mount provided)

Actual Behavior

~/.npmrc becomes an empty directory, which is neither of the expected states.

Proposed Fix

Options:

  1. Keep ~/.npmrc as a /dev/null bind mount (revert to the pre-#738 approach for this single file)
  2. Mount tmpfs on the parent directory if .npmrc is the only sensitive file there
  3. Use an empty file bind mount instead of tmpfs for file paths

Added By

PR #738 (fix: replace /dev/null mounts with tmpfs for credential hiding). The Copilot PR reviewer flagged this concern but it was suppressed due to low confidence.
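
A sketch of option 1, generalized to any credential path that is a file. This is an added example, not code from src/docker-manager.ts. The function name, the `probe` callback and the sample host state are hypothetical; `--tmpfs` and `-v` are standard `docker run` flags.

```typescript
// Added example: not code from src/docker-manager.ts. All names are hypothetical.
type PathKind = "file" | "dir" | "missing";

// Credential paths listed in the issue, relative to the home directory.
const CREDENTIAL_PATHS: string[] = [
  ".docker", ".ssh", ".aws", ".kube", ".azure",
  ".config/gcloud", ".config/gh", ".cargo", ".composer", ".npmrc",
];

// Build `docker run` arguments that hide each credential path.
// `probe` reports what exists on the host; a real caller would wrap a stat call.
function credentialHidingArgs(home: string, probe: (path: string) => PathKind): string[] {
  const args: string[] = [];
  for (const rel of CREDENTIAL_PATHS) {
    const target = `${home}/${rel}`;
    switch (probe(target)) {
      case "dir":
        // tmpfs shadows the directory with an empty in-memory filesystem.
        args.push("--tmpfs", target);
        break;
      case "file":
        // tmpfs here would leave an empty directory at the path, so bind
        // /dev/null over it: the path reads as empty and is not a directory.
        args.push("-v", `/dev/null:${target}:ro`);
        break;
      case "missing":
        // Assumption of this example: nothing on the host to hide, so no mount.
        break;
    }
  }
  return args;
}

// Constructed host state for the demonstration (not taken from a real system).
const SAMPLE_HOST = new Map<string, PathKind>([
  ["/home/runner/.ssh", "dir"],
  ["/home/runner/.aws", "dir"],
  ["/home/runner/.npmrc", "file"],
]);

function sampleArgs(): string[] {
  return credentialHidingArgs("/home/runner", (p) => SAMPLE_HOST.get(p) ?? "missing");
}

console.log(sampleArgs().join(" "));
```

A regression test for this bug can assert that no `--tmpfs` argument is ever followed by a path the probe reported as a file.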
