feat: add sandbox-npm-install skill to community collection

Genericize and harden the sandbox-npm-install skill for use in any
Docker sandbox environment with virtiofs-mounted workspaces.

Changes:
- Remove project-specific path detection (app/client, adoption-site/client)
- Fix eval injection in verify_one() — use direct argument execution
- Add rm-rf path safety guard to prevent accidental damage
- Fix --playwright|true case-match bug
- Rewrite SKILL.md with keyword-rich description, prerequisites,
  troubleshooting table, and Vite compatibility section
- Move skill from .github/skills/ to skills/ collection

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

Author: GeekTrainer

docs/README.skills.md

@@ -209,6 +209,7 @@ See [CONTRIBUTING.md](../CONTRIBUTING.md#adding-skills) for guidelines on how to
 | [reviewing-oracle-to-postgres-migration](../skills/reviewing-oracle-to-postgres-migration/SKILL.md) | Identifies Oracle-to-PostgreSQL migration risks by cross-referencing code against known behavioral differences (empty strings, refcursors, type coercion, sorting, timestamps, concurrent transactions, etc.). Use when planning a database migration, reviewing migration artifacts, or validating that integration tests cover Oracle/PostgreSQL differences. | `references/REFERENCE.md`<br />`references/empty-strings-handling.md`<br />`references/no-data-found-exceptions.md`<br />`references/oracle-parentheses-from-clause.md`<br />`references/oracle-to-postgres-sorting.md`<br />`references/oracle-to-postgres-timestamp-timezone.md`<br />`references/oracle-to-postgres-to-char-numeric.md`<br />`references/oracle-to-postgres-type-coercion.md`<br />`references/postgres-concurrent-transactions.md`<br />`references/postgres-refcursor-handling.md` |
 | [ruby-mcp-server-generator](../skills/ruby-mcp-server-generator/SKILL.md) | Generate a complete Model Context Protocol server project in Ruby using the official MCP Ruby SDK gem. | None |
 | [rust-mcp-server-generator](../skills/rust-mcp-server-generator/SKILL.md) | Generate a complete Rust Model Context Protocol server project with tools, prompts, resources, and tests using the official rmcp SDK | None |
+| [sandbox-npm-install](../skills/sandbox-npm-install/SKILL.md) | Install npm packages in a Docker sandbox environment. Use this skill whenever you need to install, reinstall, or update node_modules inside a container where the workspace is mounted via virtiofs. Native binaries (esbuild, lightningcss, rollup) crash on virtiofs, so packages must be installed on the local ext4 filesystem and symlinked back. | `install.sh` |
 | [scaffolding-oracle-to-postgres-migration-test-project](../skills/scaffolding-oracle-to-postgres-migration-test-project/SKILL.md) | Scaffolds an xUnit integration test project for validating Oracle-to-PostgreSQL database migration behavior in .NET solutions. Creates the test project, transaction-rollback base class, and seed data manager. Use when setting up test infrastructure before writing migration integration tests, or when a test project is needed for Oracle-to-PostgreSQL validation. | None |
 | [scoutqa-test](../skills/scoutqa-test/SKILL.md) | This skill should be used when the user asks to "test this website", "run exploratory testing", "check for accessibility issues", "verify the login flow works", "find bugs on this page", or requests automated QA testing. Triggers on web application testing scenarios including smoke tests, accessibility audits, e-commerce flows, and user flow validation using ScoutQA CLI. IMPORTANT: Use this skill proactively after implementing web application features to verify they work correctly - don't wait for the user to ask for testing. | None |
 | [shuffle-json-data](../skills/shuffle-json-data/SKILL.md) | Shuffle repetitive JSON objects safely by validating schema consistency before randomising entries. | None |

skills/sandbox-npm-install/SKILL.md

@@ -0,0 +1,82 @@
+---
+name: sandbox-npm-install
+description: 'Install npm packages in a Docker sandbox environment. Use this skill whenever you need to install, reinstall, or update node_modules inside a container where the workspace is mounted via virtiofs. Native binaries (esbuild, lightningcss, rollup) crash on virtiofs, so packages must be installed on the local ext4 filesystem and symlinked back.'
+---
+
+# Sandbox npm Install
+
+## When to Use This Skill
+
+Use this skill whenever:
+- You need to install npm packages for the first time in a new sandbox session
+- `package.json` or `package-lock.json` has changed and you need to reinstall
+- You encounter native binary crashes with errors like `SIGILL`, `SIGSEGV`, `mmap`, or `unaligned sysNoHugePageOS`
+- The `node_modules` directory is missing or corrupted
+
+## Prerequisites
+
+- A Docker sandbox environment with a virtiofs-mounted workspace
+- Node.js and npm available in the container
+- A `package.json` file in the target workspace
+
+## Background
+
+Docker sandbox workspaces are typically mounted via **virtiofs** (file sync between the host and Linux VM). Native Go and Rust binaries (esbuild, lightningcss, rollup, etc.) crash with mmap alignment failures when executed from virtiofs on aarch64. The fix is to install on the container's local ext4 filesystem and symlink back into the workspace.
+
+## Step-by-Step Installation
+
+Run the bundled install script from the workspace root:
+
+```bash
+bash scripts/install.sh
+```
+
+### Common Options
+
+| Option | Description |
+|---|---|
+| `--workspace <path>` | Path to directory containing `package.json` (auto-detected if omitted) |
+| `--deps-dir <path>` | Local ext4 directory for installation (default: `/home/agent/project-deps`) |
+| `--playwright` | Also install Playwright Chromium browser for E2E testing |
+| `--no-verify` | Skip native binary verification after install |
+
+### What the Script Does
+
+1. Copies `package.json` and `package-lock.json` to a local ext4 directory
+2. Runs `npm ci` (or `npm install` if no lockfile) on the local filesystem
+3. Symlinks `node_modules` back into the workspace
+4. Verifies known native binaries (esbuild, rollup, lightningcss, vite) if present
+5. Optionally installs Playwright browsers
+
+If verification fails, run the script again — crashes can be intermittent during initial setup.
+
+## Post-Install Verification
+
+After the script completes, verify your toolchain works. For example:
+
+```bash
+npm test             # Run project tests
+npm run build        # Build the project
+npm run dev          # Start dev server
+```
+
+## Important Notes
+
+- The local install directory (e.g., `/home/agent/project-deps`) is **container-local** and is NOT synced back to the host
+- The `node_modules` symlink appears as a broken link on the host — this is harmless since `node_modules` is typically gitignored
+- Running `npm ci` or `npm install` on the host naturally replaces the symlink with a real directory
+- After any `package.json` or `package-lock.json` change, re-run the install script
+- Do NOT run `npm ci` or `npm install` directly in the mounted workspace — native binaries will crash
+
+## Troubleshooting
+
+| Problem | Solution |
+|---|---|
+| `SIGILL` or `SIGSEGV` when running dev server | Re-run the install script; ensure you're not running `npm install` directly in the workspace |
+| `node_modules` not found after install | Check that the symlink exists: `ls -la node_modules` |
+| Permission errors during install | Ensure the local deps directory is writable by the current user |
+| Verification fails intermittently | Run the script again — native binary crashes can be non-deterministic on first load |
+
+## Vite Compatibility
+
+If your project uses Vite, you may need to allow the symlinked path in `server.fs.allow`. Add the symlink target's parent directory (e.g., `/home/agent/project-deps/`) to your Vite config so that Vite can serve files through the symlink.

skills/sandbox-npm-install/scripts/install.sh

@@ -0,0 +1,176 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+# Sandbox npm Install Script
+# Installs node_modules on local ext4 filesystem and symlinks into the workspace.
+# This avoids native binary crashes (esbuild, lightningcss, rollup) on virtiofs.
+
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+REPO_ROOT="$(cd "$SCRIPT_DIR/../../.." && pwd)"
+
+DEPS_DIR="/home/agent/project-deps"
+WORKSPACE_CLIENT=""
+INSTALL_PLAYWRIGHT="false"
+VERIFY_BINARIES="true"
+
+usage() {
+  cat <<EOF
+Usage: $(basename "$0") [options]
+
+Options:
+  --workspace <path>   Client workspace containing package.json
+  --deps-dir <path>    Local ext4 install directory (default: /home/agent/project-deps)
+  --playwright         Install Playwright Chromium browser
+  --no-verify          Skip native binary verification
+  --help               Show this help message
+
+Examples:
+  bash scripts/install.sh
+  bash scripts/install.sh --workspace app/client --playwright
+EOF
+}
+
+while [[ $# -gt 0 ]]; do
+  case "$1" in
+    --workspace)
+      WORKSPACE_CLIENT="${2:-}"
+      shift 2
+      ;;
+    --deps-dir)
+      DEPS_DIR="${2:-}"
+      shift 2
+      ;;
+    --playwright)
+      INSTALL_PLAYWRIGHT="true"
+      shift
+      ;;
+    --no-verify)
+      VERIFY_BINARIES="false"
+      shift
+      ;;
+    --help|-h)
+      usage
+      exit 0
+      ;;
+    *)
+      echo "Unknown option: $1"
+      usage
+      exit 1
+      ;;
+  esac
+done
+
+if [[ -z "$WORKSPACE_CLIENT" ]]; then
+  if [[ -f "$REPO_ROOT/package.json" ]]; then
+    WORKSPACE_CLIENT="$REPO_ROOT"
+  elif [[ -f "$PWD/package.json" ]]; then
+    WORKSPACE_CLIENT="$PWD"
+  fi
+fi
+
+WORKSPACE_CLIENT="$(cd "$WORKSPACE_CLIENT" 2>/dev/null && pwd || true)"
+
+if [[ -z "$WORKSPACE_CLIENT" || ! -f "$WORKSPACE_CLIENT/package.json" ]]; then
+  echo "Could not find a valid workspace client path containing package.json."
+  echo "Use --workspace <path> to specify it explicitly."
+  exit 1
+fi
+
+# Validate deps directory path to prevent accidental damage
+DEPS_DIR="$(realpath -m "$DEPS_DIR" 2>/dev/null || echo "$DEPS_DIR")"
+case "$DEPS_DIR" in
+  /|/bin|/boot|/dev|/etc|/lib*|/opt|/proc|/root|/run|/sbin|/srv|/sys|/usr|/usr/*|/var)
+    echo "Error: deps directory '$DEPS_DIR' is a system path. Provide a safe subdirectory."
+    exit 1
+    ;;
+esac
+if [[ -z "$DEPS_DIR" || "$DEPS_DIR" == "/home" || "$DEPS_DIR" == "/home/agent" || "$DEPS_DIR" == "/tmp" ]]; then
+  echo "Error: deps directory '$DEPS_DIR' is too broad. Provide a dedicated subdirectory."
+  exit 1
+fi
+
+echo "=== Sandbox npm Install ==="
+echo "Workspace: $WORKSPACE_CLIENT"
+echo "Deps dir:  $DEPS_DIR"
+
+# Step 1: Prepare local deps directory
+echo "→ Preparing $DEPS_DIR..."
+rm -rf "$DEPS_DIR"
+mkdir -p "$DEPS_DIR"
+cp "$WORKSPACE_CLIENT/package.json" "$DEPS_DIR/"
+
+if [[ -f "$WORKSPACE_CLIENT/package-lock.json" ]]; then
+  cp "$WORKSPACE_CLIENT/package-lock.json" "$DEPS_DIR/"
+  INSTALL_CMD=(npm ci)
+else
+  echo "! package-lock.json not found; falling back to npm install"
+  INSTALL_CMD=(npm install)
+fi
+
+# Step 2: Install on local ext4
+echo "→ Running ${INSTALL_CMD[*]} on local ext4..."
+cd "$DEPS_DIR" && "${INSTALL_CMD[@]}"
+
+# Step 3: Symlink into workspace
+echo "→ Symlinking node_modules into workspace..."
+cd "$WORKSPACE_CLIENT"
+rm -rf node_modules
+ln -s "$DEPS_DIR/node_modules" node_modules
+
+has_dep() {
+  local dep="$1"
+  node -e "
+    const pkg=require(process.argv[1]);
+    const deps={...(pkg.dependencies||{}),...(pkg.devDependencies||{})};
+    process.exit(deps[process.argv[2]] ? 0 : 1);
+  " "$WORKSPACE_CLIENT/package.json" "$dep"
+}
+
+verify_one() {
+  local label="$1"
+  shift
+  if "$@" >/dev/null 2>&1; then
+    echo "  ✓ $label OK"
+    return 0
+  fi
+
+  echo "  ✗ $label FAIL"
+  return 1
+}
+
+if [[ "$VERIFY_BINARIES" == "true" ]]; then
+  # Step 4: Verify native binaries when present in this project
+  echo "→ Verifying native binaries..."
+  FAIL=0
+
+  if has_dep esbuild; then
+    verify_one "esbuild" node -e "require('esbuild').transform('const x: number = 1',{loader:'ts'}).catch(()=>process.exit(1))" || FAIL=1
+  fi
+
+  if has_dep rollup; then
+    verify_one "rollup" node -e "import('rollup').catch(()=>process.exit(1))" || FAIL=1
+  fi
+
+  if has_dep lightningcss; then
+    verify_one "lightningcss" node -e "try{require('lightningcss')}catch(_){process.exit(1)}" || FAIL=1
+  fi
+
+  if has_dep vite; then
+    verify_one "vite" node -e "import('vite').catch(()=>process.exit(1))" || FAIL=1
+  fi
+
+  if [ "$FAIL" -ne 0 ]; then
+    echo "✗ Binary verification failed. Try running the script again (crashes can be intermittent)."
+    exit 1
+  fi
+fi
+
+# Step 5: Optionally install Playwright
+if [[ "$INSTALL_PLAYWRIGHT" == "true" ]]; then
+  echo "→ Installing Playwright browsers..."
+  npx playwright install --with-deps chromium
+fi
+
+echo ""
+echo "=== ✓ Sandbox npm install complete ==="
+echo "Run 'npm run dev' to start the dev server."