fix(workflows): resolve bash via absolute path on Windows (#1326)

[atlas-architect]

Fixes #1326.

Summary

• Problem: On Windows, child_process.execFile('bash', ...) resolves to C:\Windows\System32\bash.exe (WSL launcher) instead of Git Bash, because Windows CreateProcess searches System32 BEFORE PATH.
• Why it matters: WSL bash drops ${VAR} expansion in -c mode and uses /mnt/c/ paths instead of Git Bash's /c/, breaking every workflow bash node whose token substitution depends on env vars or path strings. Archon CLI on Windows fails with confusing "empty variable" symptoms.
• What changed: New resolveBashPath() helper in @archon/git/exec returns ARCHON_BASH_PATH env override → C:\Program Files\Git\bin\bash.exe Windows default → bash (Linux/macOS PATH unchanged). Both execFileAsync('bash', ...) sites in dag-executor.ts (bash node + loop node until-bash check) call through the helper.
• What did NOT change (scope boundary): Linux / macOS behavior unchanged. WSL bash itself is not patched (only avoided). No changes to bash-script syntax, variable substitution rules, or path normalization in caller code. Bun runtime / TypeScript compilation paths untouched.

UX Journey

Before

Windows User             Archon CLI                bash node
─────────────            ──────────                ─────────
fires workflow ────▶  spawn 'bash'
                      CreateProcess
                      System32 search ───▶  C:\Windows\System32\bash.exe (WSL)
                                              ${VAR} → empty string
                                              /c/Dev → /mnt/c/Dev
                      ◀────────────────────  fails with "empty variable"
sees confusing      ◀── reports node failed
failure

After

Windows User             Archon CLI                  bash node
─────────────            ──────────                  ─────────
fires workflow ────▶  spawn [resolveBashPath()]
                      *Windows: C:\Program Files\Git\bin\bash.exe*
                      CreateProcess
                      absolute path ─────▶   Git Bash
                                                ${VAR} expansion ✓
                                                /c/Dev path ✓
                      ◀────────────────────  succeeds
workflow proceeds  ◀── reports success

Architecture Diagram

Before

┌─────────────────┐    ┌──────────────────┐    ┌──────────────┐
│ dag-executor.ts │───▶│ execFileAsync    │───▶│ 'bash' (bare │
│  bash node      │    │ (child_process)  │    │  string)     │
│  loop until-bash│    │                  │    │              │
└─────────────────┘    └──────────────────┘    └──────────────┘
                                                Windows: System32 search
                                                → resolves to WSL bash

After

┌─────────────────┐    ┌──────────────────────┐    ┌─────────────────────┐
│ dag-executor.ts │───▶│ [+] resolveBashPath()│───▶│ [+] absolute path   │
│  bash node    [~]│    │     (new helper)    │    │     to Git Bash     │
│  loop[~]        │    │                      │    │                     │
└─────────────────┘    └──────────────────────┘    └─────────────────────┘
                          │
                          ▼
                       ┌─────────────────────┐
                       │ ARCHON_BASH_PATH    │
                       │ (env escape hatch)  │
                       └─────────────────────┘

Connection inventory:

From	To	Status	Notes
dag-executor.ts (bash node)	execFileAsync	modified	Now passes resolved path string instead of bare 'bash'
dag-executor.ts (loop node until-bash)	execFileAsync	modified	Same change
@archon/git/exec	(new export resolveBashPath)	new	Helper function added
process.env.ARCHON_BASH_PATH	resolveBashPath	new	Optional escape hatch

Label Snapshot

• Risk: risk: low
• Size: size: S
• Scope: core
• Module: git:exec (helper) + workflows:executor (call sites)

Change Metadata

• Change type: bug
• Primary scope: core

Linked Issue

• Closes bug(workflows): bash nodes silently fail on Windows when bash resolves to WSL launcher (System32\bash.exe) — $VAR expansion broken in -c mode #1326
• Related: N/A
• Depends on: N/A
• Supersedes: N/A

Validation Evidence (required)

$ bun run type-check
# Output: 9 packages green (no TypeScript errors)

• Evidence provided: Type-check pass + before/after smoke test (Windows 11 + Git for Windows 2.47, see Human Verification below).
• Commands intentionally skipped: bun run lint, bun run format:check, bun run test not run by submitter — fix is surgical (1 helper function + 2 call-site updates). Happy to run on request, or rely on CI.

Security Impact (required)

• New permissions/capabilities? No
• New external network calls? No
• Secrets/tokens handling changed? No
• File system access scope changed? No (reads process.env.ARCHON_BASH_PATH if set; no file system writes — only spawns the existing bash binary at a more deterministic path)

Compatibility / Migration

• Backward compatible? Yes — Linux / macOS behavior unchanged (still resolves bash via PATH)
• Config/env changes? Optional — ARCHON_BASH_PATH is a NEW optional env var; defaults work for standard Git for Windows installs.
• Database migration needed? No

Human Verification (required)

What was personally validated beyond CI:

• Verified scenarios:

  • Windows 11 + Git for Windows 2.47 default install → ${VAR} expansion works, /c/ path convention preserved
  • Reproduction of the bug pre-patch (bare 'bash') → confirmed empty ${VAR} + /mnt/c/ paths

• Edge cases checked:

  • User-scope Git install (%LOCALAPPDATA%\Programs\Git\...) → flagged as ARCHON_BASH_PATH use case
  • Linux fall-through (helper returns bare 'bash') → unchanged PATH behavior

• What was NOT verified:

  • Windows Server with WSL-only installations
  • macOS (no Mac in test environment; assumed unchanged since helper returns 'bash' on non-Windows)

Smoke test output (after patch):

Resolved bash: C:\Program Files\Git\bin\bash.exe
TARGET_FROM_PARENT=test-value-123          ← ${VAR} expansion works
PATH_CONVENTION=/c/Dev/platform/Archon/…   ← /c/ convention preserved

Before the patch (bare 'bash'):

Resolved bash: bash
TARGET_FROM_PARENT=                         ← WSL bash dropped the variable
PATH_CONVENTION=/mnt/c/Dev/…                ← WSL mount convention

Side Effects / Blast Radius (required)

• Affected subsystems/workflows: Any Archon workflow with bash: nodes when CLI runs on Windows. Loop nodes with until-bash conditions.
• Potential unintended effects: Users with both Git Bash and a custom bash.exe (higher on PATH) will now resolve to Git Bash specifically. Was non-deterministic before. ARCHON_BASH_PATH is the override.
• Guardrails/monitoring for early detection: Bash node error logs now show the resolved absolute path (was opaque before). Failure mode changes from "silent variable drop" to "explicit binary path mismatch" — easier to diagnose.

Rollback Plan (required)

• Fast rollback command/path: git revert <commit-sha> — single commit, no migration. Reverting reinstates bare 'bash' resolution behavior.
• Feature flags or config toggles: ARCHON_BASH_PATH=bash env var would partially undo the fix at runtime without code change.
• Observable failure symptoms: Post-rollback, Windows users would see the System32-first pathology again (empty ${VAR}, /mnt/c/ paths). Linux/macOS unaffected.

Risks and Mitigations

• Risk: Hardcoded Windows path C:\Program Files\Git\bin\bash.exe may not exist on user-scope installer or Windows Server with no Git for Windows.
  • Mitigation: ARCHON_BASH_PATH env var provides clean override. Helper falls through to PATH search if hardcoded path doesn't exist (preserves current behavior in that edge case). Open to walking PATH manually for the first non-System32 bash.exe if reviewer prefers a fancier heuristic — env-var-plus-default kept the fix surgical.
• Risk: Future contributor adds a third execFileAsync('bash', ...) site without going through resolveBashPath().
  • Mitigation: Helper exported from @archon/git/exec for discoverability. Could add ESLint rule banning bare 'bash' literal in future hardening pass if recurrence is observed.

---

Notes for reviewers

The Windows default (C:\Program Files\Git\bin\bash.exe) is the standard install location for Git for Windows. If you run into edge cases on Windows Server or custom Git installs, ARCHON_BASH_PATH gives a clean override without requiring a new patch.

Happy to iterate on the detection heuristic if you'd prefer something fancier (e.g. walking PATH manually to find the first non-System32 bash.exe), but the env-var-plus-sensible-default approach keeps the fix surgical and overridable.

[coderabbitai]

Important

Review skipped

Auto reviews are disabled on base/target branches other than the default branch.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: f7f34454-2d02-42ea-9aea-32a6691726b1

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

• 🔍 Trigger review

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[Wirasm]

Hi @atlas-architect — thanks for opening this PR.

This repository uses a PR template at .github/pull_request_template.md with several required sections. A few of them appear to be empty or placeholder here:

• Summary
• UX Journey
• Architecture Diagram
• Label Snapshot
• Change Metadata
• Linked Issue
• Validation Evidence
• Security Impact
• Side Effects / Blast Radius
• Rollback Plan
• Risks and Mitigations

Could you fill those out (even briefly)? The template helps reviewers understand scope, risk, and rollback — it speeds up review significantly.

If a section genuinely doesn't apply, just write "N/A" in it rather than leaving it blank.

[atlas-architect]

Thanks @Wirasm — totally fair catch, my bad on submitting against the template without filling it in properly. Just pushed an update with all 11 required sections filled per .github/pull_request_template.md.

The fix itself is unchanged (resolveBashPath helper + 2 call-site updates in dag-executor.ts); the body now has Summary, UX Journey, Architecture Diagram + connection inventory, Label Snapshot, Change Metadata, Linked Issue, Validation Evidence, Security Impact, Compatibility, Human Verification, Side Effects / Blast Radius, Rollback Plan, and Risks and Mitigations.

A few sections marked N/A where they genuinely don't apply (no related/depends-on issues, no migration). Open to iterating if anything still needs more detail.

[Wirasm]

This is also targeting the wrong branch, it should target dev not main

[Wirasm]

please reopen targeting the right branch before i review

[atlas-architect]

Reopened as #1470 targeting dev per your guidance. Single fix commit cherry-picked onto fresh dev; one small import-block conflict resolved (kept dev's resolve as resolvePath alias + discoverScriptsForCwd rename). Type-check re-run green on the rebase. Thanks for the pointers on both the template and branch target — appreciate the patience.