fix: reorder --install-missing-components to argv[1] in sudo wrapper

pkg bootstrap crashes when argv[1]='--connect' and --install-missing-components
is present — it tries require('/--connect'). Moving --install-missing-components
to argv[1] lets pkg handle it as its own bootstrap flag. Extracted wrapper to
sudo-wrapper.sh for readability.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

vpn-node/Dockerfile

@@ -36,12 +36,13 @@ RUN echo "=== binary type ===" \
     && head -3 /opt/purevpn-cli/bin/purevpn-cli 2>/dev/null || true
 
 # ── Fake sudo wrapper ────────────────────────────────────────────────────────
-# Strips --install-missing-components (crashes pkg bootstrap when combined with
-# --connect) then re-runs the binary with a CLEAN environment (env -i) so that
-# any env vars set by the parent purevpn-cli don't corrupt the child's pkg
-# bootstrap. Prints env key names and exec'd command for diagnosis.
-RUN printf '#!/bin/bash\necho "[sudo] env: $(env | cut -d= -f1 | tr "\\n" " ")"\nnew=()\nfor a in "$@"; do\n  [[ "$a" == "--install-missing-components" ]] && { echo "[sudo] stripped --install-missing-components"; continue; }\n  new+=("$a")\ndone\necho "[sudo] exec (clean env): ${new[*]}"\nexec env -i PATH="$PATH" HOME=/root USER=root "${new[@]}"\n' \
-    > /usr/local/bin/sudo && chmod +x /usr/local/bin/sudo
+# The purevpn-cli pkg bootstrap uses argv[1] as the main module path when
+# --install-missing-components is present (causing "Cannot find module '/--connect'").
+# Fix: move --install-missing-components to argv[1] so the bootstrap handles
+# it as its own flag rather than trying to load '--connect' as a script.
+# Clean env (env -i) prevents parent env vars from interfering with pkg startup.
+COPY sudo-wrapper.sh /usr/local/bin/sudo
+RUN chmod +x /usr/local/bin/sudo
 
 # ── PATH ──────────────────────────────────────────────────────────────────────
 ENV PATH=/opt/purevpn-cli/bin:/opt/purevpn-cli:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

vpn-node/sudo-wrapper.sh

@@ -0,0 +1,50 @@
+#!/bin/bash
+# sudo-wrapper.sh
+#
+# purevpn-cli (pkg/Node.js binary) calls:
+#   sudo purevpn-cli --connect <loc> --install-missing-components
+#
+# The pkg bootstrap uses argv[1] as the main module path when
+# --install-missing-components is present. With the original call order,
+# argv[1] = '--connect', so pkg tries require('/--connect') → crash.
+#
+# Fix: move --install-missing-components to argv[1] position so pkg sees it
+# as its own bootstrap flag instead of a module path.
+# Also strip -E / -n (sudo flags we don't need) and run with a clean env.
+
+binary=""
+has_install_flag=false
+other_args=()
+
+for a in "$@"; do
+    case "$a" in
+        -E|-n|--preserve-env|--non-interactive) continue ;;  # sudo flags, ignore
+        --install-missing-components) has_install_flag=true ;;
+        *)
+            if [[ -z "$binary" ]]; then
+                binary="$a"
+            else
+                other_args+=("$a")
+            fi
+            ;;
+    esac
+done
+
+if [[ -z "$binary" ]]; then
+    echo "[sudo-wrapper] no binary supplied" >&2
+    exit 1
+fi
+
+if [[ "$has_install_flag" == "true" ]]; then
+    echo "[sudo-wrapper] reorder: $binary --install-missing-components ${other_args[*]}" >&2
+    exec env -i \
+        PATH="/opt/purevpn-cli/bin:/opt/purevpn-cli:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin" \
+        HOME=/root USER=root LOGNAME=root \
+        "$binary" "--install-missing-components" "${other_args[@]}"
+else
+    echo "[sudo-wrapper] passthrough: $binary ${other_args[*]}" >&2
+    exec env -i \
+        PATH="/opt/purevpn-cli/bin:/opt/purevpn-cli:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin" \
+        HOME=/root USER=root LOGNAME=root \
+        "$binary" "${other_args[@]}"
+fi