fix: replace fake sudo with real sudo package

Real sudo uses env_reset by default, which naturally clears PKG_EXECPATH.
This lets the child binary's pkg bootstrap start fresh and load the embedded
main module correctly — no more 'Cannot find module' crash.

Removes the sudo-wrapper.sh hack entirely; the real sudo package handles
all edge cases (environment cleanup, privilege semantics) correctly.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

vpn-node/Dockerfile

@@ -2,9 +2,10 @@ FROM debian:bookworm-slim
 
 LABEL description="dante SOCKS5 + purevpn-cli exit node"
 
-# ── System dependencies (all in one layer so apt cache is fresh for installer) ─
+# ── System dependencies ───────────────────────────────────────────────────────
 RUN apt-get update && apt-get install -y --no-install-recommends \
         dante-server \
+        sudo \
         curl wget ca-certificates \
         iproute2 iptables iputils-ping \
         netcat-openbsd procps dnsutils \
@@ -13,9 +14,11 @@ RUN apt-get update && apt-get install -y --no-install-recommends \
         net-tools openresolv \
     && rm -rf /var/lib/apt/lists/*
 
+# ── Allow passwordless sudo for all (container is already isolated) ───────────
+RUN echo "ALL ALL=(ALL:ALL) NOPASSWD: ALL" >> /etc/sudoers
+
 # ── Stub openvpn-systemd-resolved ────────────────────────────────────────────
-# This package is not in Debian repos. Its absence is what triggers purevpn-cli
+# Not in Debian repos; purevpn-cli checks for it before calling sudo.
-# to call `sudo --install-missing-components`. A no-op stub satisfies the check.
 RUN mkdir -p /usr/lib/openvpn \
     && printf '#!/bin/sh\nexit 0\n' \
         | tee /usr/local/bin/openvpn-systemd-resolved \
@@ -29,21 +32,9 @@ RUN curl -fsSL https://apps.purevpn-tools.com/cross-platform/linux-cli/productio
     && bash /tmp/cli-install.sh \
     && rm -f /tmp/cli-install.sh
 
-# ── Fake sudo wrapper ────────────────────────────────────────────────────────
-# Unsets PKG_EXECPATH so the child's pkg bootstrap starts fresh instead of
-# treating argv[1] as a Node.js module path. Depth guard stops recursion.
-COPY sudo-wrapper.sh /usr/local/bin/sudo
-RUN chmod +x /usr/local/bin/sudo
-
 # ── PATH ──────────────────────────────────────────────────────────────────────
 ENV PATH=/opt/purevpn-cli/bin:/opt/purevpn-cli:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
 
-# ── Pre-install VPN components so runtime never needs sudo ───────────────────
-# Runs the binary as root during build; it calls our sudo wrapper (depth 1),
-# which correctly invokes the child. Connection attempt will fail (no auth),
-# but component files get written to stable paths and persist in the image.
-RUN purevpn-cli --connect US --install-missing-components 2>&1 || true
-
 # ── Location list ─────────────────────────────────────────────────────────────
 COPY servers.txt /etc/vpndock/servers.txt
 

vpn-node/sudo-wrapper.sh

@@ -1,20 +0,0 @@
-#!/bin/bash
-# Strip PKG_EXECPATH so the child's pkg bootstrap starts fresh.
-# When PKG_EXECPATH is inherited, bootstrap treats argv[1] as a module path
-# causing "Cannot find module '/--connect'" or '/--install-missing-components'.
-# env -u unsets only PKG_EXECPATH; all auth/config/session vars are kept.
-# Depth guard prevents infinite recursion.
-
-DEPTH="${PUREVPN_SUDO_DEPTH:-0}"
-if [[ "$DEPTH" -ge 2 ]]; then
-    echo "[sudo-wrapper] depth $DEPTH — exiting 0" >&2
-    exit 0
-fi
-
-args=()
-for a in "$@"; do
-    case "$a" in -E|-n|-H) ;; *) args+=("$a") ;; esac
-done
-
-echo "[sudo-wrapper] depth=$(( DEPTH+1 )): ${args[*]}" >&2
-exec env -u PKG_EXECPATH PUREVPN_SUDO_DEPTH=$(( DEPTH+1 )) "${args[@]}"