train-k8s-container-mitre 2.2.0 → 2.2.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 8ef90f67ca076b6179acb73cdf55cbccc46c574353fa6840a9383bf619a12b03
-  data.tar.gz: 45a05c0359f9b79f1c80dca78db72bb902b15ba4cf36fa50cdd644d2ac4ca394
+  metadata.gz: 7401f8f5a6cd3dbab1c4ccf3badcabde98032ddfe39f791eb62aa3fb6d14f17f
+  data.tar.gz: b477518b7f03d3f419c0437ce9750af9f4e2496cf2995b0baed4bb41923034db
 SHA512:
-  metadata.gz: 5ffda135781a1949734ff7e604b8561569687a5787d48508c429df4bb247b99f9de69336aa44b5da243fe63b0838f1cee0a3bebffdb2beb3aeee88f8a6bdbd74
-  data.tar.gz: 237d9179ecdd74b3826de69299b07dfdcf6d001c5684f229344613def553832b1453e51ce418f73997c724ac9bf01ec2b8183476a311049340139db62fe9fa5c
+  metadata.gz: 69b0c02f9d1d724d6760e341f9f42caec31ccf3a4f96477ae9f09b121067b3c02edbc50cd1b0524296524d770ec87c9022f806b880ca30735c2349e972f108b7
+  data.tar.gz: 236996377e83721b771cf5c6d5103509b261c4361231dd313131340a0f52090d8020abf5437373b75aad23852d79db97cdd80c3d74960dcc52b859442035cf6e

data/.beads/.gitignore

@@ -0,0 +1,32 @@
+# SQLite databases
+*.db
+*.db?*
+*.db-journal
+*.db-wal
+*.db-shm
+
+# Daemon runtime files
+daemon.lock
+daemon.log
+daemon.pid
+bd.sock
+
+# Local version tracking (prevents upgrade notification spam after git ops)
+.local_version
+
+# Legacy database files
+db.sqlite
+bd.db
+
+# Merge artifacts (temporary files from 3-way merge)
+beads.base.jsonl
+beads.base.meta.json
+beads.left.jsonl
+beads.left.meta.json
+beads.right.jsonl
+beads.right.meta.json
+
+# Keep JSONL exports and config (source of truth for git)
+!issues.jsonl
+!metadata.json
+!config.json

data/.beads/README.md

@@ -0,0 +1,81 @@
+# Beads - AI-Native Issue Tracking
+
+Welcome to Beads! This repository uses **Beads** for issue tracking - a modern, AI-native tool designed to live directly in your codebase alongside your code.
+
+## What is Beads?
+
+Beads is issue tracking that lives in your repo, making it perfect for AI coding agents and developers who want their issues close to their code. No web UI required - everything works through the CLI and integrates seamlessly with git.
+
+**Learn more:** [github.com/steveyegge/beads](https://github.com/steveyegge/beads)
+
+## Quick Start
+
+### Essential Commands
+
+```bash
+# Create new issues
+bd create "Add user authentication"
+
+# View all issues
+bd list
+
+# View issue details
+bd show <issue-id>
+
+# Update issue status
+bd update <issue-id> --status in_progress
+bd update <issue-id> --status done
+
+# Sync with git remote
+bd sync
+```
+
+### Working with Issues
+
+Issues in Beads are:
+- **Git-native**: Stored in `.beads/issues.jsonl` and synced like code
+- **AI-friendly**: CLI-first design works perfectly with AI coding agents
+- **Branch-aware**: Issues can follow your branch workflow
+- **Always in sync**: Auto-syncs with your commits
+
+## Why Beads?
+
+✨ **AI-Native Design**
+- Built specifically for AI-assisted development workflows
+- CLI-first interface works seamlessly with AI coding agents
+- No context switching to web UIs
+
+🚀 **Developer Focused**
+- Issues live in your repo, right next to your code
+- Works offline, syncs when you push
+- Fast, lightweight, and stays out of your way
+
+🔧 **Git Integration**
+- Automatic sync with git commits
+- Branch-aware issue tracking
+- Intelligent JSONL merge resolution
+
+## Get Started with Beads
+
+Try Beads in your own projects:
+
+```bash
+# Install Beads
+curl -sSL https://raw.githubusercontent.com/steveyegge/beads/main/scripts/install.sh | bash
+
+# Initialize in your repo
+bd init
+
+# Create your first issue
+bd create "Try out Beads"
+```
+
+## Learn More
+
+- **Documentation**: [github.com/steveyegge/beads/docs](https://github.com/steveyegge/beads/tree/main/docs)
+- **Quick Start Guide**: Run `bd quickstart`
+- **Examples**: [github.com/steveyegge/beads/examples](https://github.com/steveyegge/beads/tree/main/examples)
+
+---
+
+*Beads: Issue tracking that moves at the speed of thought* ⚡

data/.beads/config.yaml

@@ -0,0 +1,62 @@
+# Beads Configuration File
+# This file configures default behavior for all bd commands in this repository
+# All settings can also be set via environment variables (BD_* prefix)
+# or overridden with command-line flags
+
+# Issue prefix for this repository (used by bd init)
+# If not set, bd init will auto-detect from directory name
+# Example: issue-prefix: "myproject" creates issues like "myproject-1", "myproject-2", etc.
+# issue-prefix: ""
+
+# Use no-db mode: load from JSONL, no SQLite, write back after each command
+# When true, bd will use .beads/issues.jsonl as the source of truth
+# instead of SQLite database
+# no-db: false
+
+# Disable daemon for RPC communication (forces direct database access)
+# no-daemon: false
+
+# Disable auto-flush of database to JSONL after mutations
+# no-auto-flush: false
+
+# Disable auto-import from JSONL when it's newer than database
+# no-auto-import: false
+
+# Enable JSON output by default
+# json: false
+
+# Default actor for audit trails (overridden by BD_ACTOR or --actor)
+# actor: ""
+
+# Path to database (overridden by BEADS_DB or --db)
+# db: ""
+
+# Auto-start daemon if not running (can also use BEADS_AUTO_START_DAEMON)
+# auto-start-daemon: true
+
+# Debounce interval for auto-flush (can also use BEADS_FLUSH_DEBOUNCE)
+# flush-debounce: "5s"
+
+# Git branch for beads commits (bd sync will commit to this branch)
+# IMPORTANT: Set this for team projects so all clones use the same sync branch.
+# This setting persists across clones (unlike database config which is gitignored).
+# Can also use BEADS_SYNC_BRANCH env var for local override.
+# If not set, bd sync will require you to run 'bd config set sync.branch <branch>'.
+sync-branch: "beads-sync"
+
+# Multi-repo configuration (experimental - bd-307)
+# Allows hydrating from multiple repositories and routing writes to the correct JSONL
+# repos:
+#   primary: "."  # Primary repo (where this database lives)
+#   additional:   # Additional repos to hydrate from (read-only)
+#     - ~/beads-planning  # Personal planning repo
+#     - ~/work-planning   # Work planning repo
+
+# Integration settings (access with 'bd config get/set')
+# These are stored in the database, not in this file:
+# - jira.url
+# - jira.project
+# - linear.url
+# - linear.api-key
+# - github.org
+# - github.repo

data/.beads/issues.jsonl

@@ -0,0 +1,3 @@
+{"id":"train-k8s-container-681","title":"Submit PR: Auto-discover train-* gems in plugin list","status":"tombstone","priority":1,"issue_type":"task","created_at":"2025-12-21T14:29:28.015398-05:00","updated_at":"2025-12-21T14:32:43.790163-05:00","deleted_at":"2025-12-21T14:32:43.790163-05:00","deleted_by":"daemon","delete_reason":"delete","original_type":"task"}
+{"id":"train-k8s-container-7ew","title":"Submit PR: Dynamic os.kubernetes? methods","status":"tombstone","priority":1,"issue_type":"task","created_at":"2025-12-21T14:30:43.254682-05:00","updated_at":"2025-12-21T14:32:43.5904-05:00","deleted_at":"2025-12-21T14:32:43.5904-05:00","deleted_by":"daemon","delete_reason":"delete","original_type":"task"}
+{"id":"train-k8s-container-xlc","title":"Investigate connection pooling differences between v2.0 and v1.3.1","description":"## Root Cause Analysis Complete\n\n### The Bug\nPTY session's `parse_output` method used line-by-line matching to filter command echo-back, which failed for multi-line commands. The echoed command text was included in output, corrupting InSpec's file stat results.\n\n### Evidence\nNick's test data showed v2.2.0 returning command text in output:\n```\ngot: for f in $(find -L /etc/ssl/certs -type f); do\n    openssl x509 ...\n   2\u003e\u00261 ; echo __EXIT_CODE__=$?\nfind: '/etc/ssl/certs': No such file or directory\n```\n\n### Fix Implemented\n- Added `remove_command_echo` method in `lib/train-k8s-container/pty_session.rb`\n- Uses marker-based parsing: finds `2\u003e\u00261 ; echo __EXIT_CODE__=$?` and removes everything before it\n- Falls back to line-by-line for edge cases\n\n### Tests Added\n1. `spec/unit/pty_output_parsing_spec.rb` - 9 unit tests\n2. `spec/integration/execution_comparison_spec.rb` - 16 integration tests\n3. `test/scripts/test_pty_fix.rb` - manual validation script\n\n### Local Validation\nAll 6 manual tests pass against local kind cluster:\n- Simple commands ✅\n- Directory existence (matches ground truth) ✅\n- Multi-line command (no echo-back) ✅\n- No internal markers leaked ✅\n- Non-existent file detection ✅\n- Stat command parsing ✅\n\n## Remaining Work (from Peer Review)\n\n### Must Fix (bugs/gaps)\n1. **ANSI test assertion bug** - `spec/unit/pty_output_parsing_spec.rb:163` uses wrong quotes (`'\\e['` should be `\"\\e[\"`)\n2. **Add marker collision test** - What if output contains `__EXIT_CODE__`?\n3. **Add empty output test** - Edge case not covered\n4. **Add cleanup to manual script** - `test/scripts/test_pty_fix.rb` missing `SessionManager.instance.cleanup_all`\n\n### Nice to Have\n- PTY fallback test (when PTY mode fails)\n- Documentation improvements in code comments\n- Consider more unique marker (UUID-based) to prevent collision\n\n## Current State\n- Branch: `feature/fix-pty-output-parsing`\n- Files modified:\n  - `lib/train-k8s-container/pty_session.rb` (the fix)\n  - `spec/unit/pty_output_parsing_spec.rb` (new)\n  - `spec/integration/execution_comparison_spec.rb` (new)\n  - `test/scripts/test_pty_fix.rb` (new)\n- All 257 RSpec tests pass\n- Linting passes\n- Test pod `test-ubuntu` running in local cluster\n\n## Next Session Actions\n1. Fix ANSI test assertion\n2. Add marker collision test\n3. Add empty output test\n4. Add cleanup to manual script\n5. Run full test suite\n6. Commit with `fix: resolve PTY output parsing for multi-line commands`\n7. Push and create PR to main\n8. CI will validate, then merge triggers release","status":"open","priority":1,"issue_type":"task","created_at":"2025-12-21T14:34:45.055316-05:00","updated_at":"2026-01-16T11:59:38.678162-05:00","comments":[{"id":1,"issue_id":"train-k8s-container-xlc","author":"alippold","text":"## Test Data\nFiles in data/ directory:\n- train-k8s-container-scan-results v1.31.json\n- train-k8s-container-scan-results v2.json\n\n## Results Comparison\n| Version | Passed | Failed | Skipped | Duration |\n|---------|--------|--------|---------|----------|\n| v1.3.1  | 42     | 45     | 111     | 3.62s    |\n| v2.0    | 31     | 54     | 113     | 0.21s    |\n\n## Key Observations\n- v2.0 has 11 fewer passes and 9 more failures\n- v2.0 runs 17x faster (0.21s vs 3.62s)\n- Fast execution time suggests commands may not be executing properly\n\n## Investigation Areas\n1. Connection pooling behavior differences\n2. Session management / PTY handling\n3. Command execution timing\n4. Kubectl exec client changes between versions","created_at":"2025-12-21T19:51:04Z"},{"id":2,"issue_id":"train-k8s-container-xlc","author":"alippold","text":"## Test Strategy\n\nNeed to add regression tests for connection pooling to ensure commands execute properly:\n\n1. **Session reuse test**: Multiple commands on same connection should execute\n2. **Command output verification**: Verify actual command output, not just exit codes\n3. **Performance baseline**: Track that execution time is reasonable (not too fast = skipped)\n4. **Comparison test**: Run same commands with v1.3.1 and v2.0, compare results\n\nReference: Other projects with connection pooling (train-ssh, train-winrm) likely have these tests.\n\nTest files to check/update:\n- spec/integration/end_to_end_spec.rb\n- spec/integration/pty_session_integration_spec.rb\n- spec/integration/kubectl_exec_integration_spec.rb","created_at":"2025-12-24T16:01:06Z"},{"id":3,"issue_id":"train-k8s-container-xlc","author":"alippold","text":"## Research: Connection Pooling Test Patterns\n\nNeed to research how other Train transports test connection pooling:\n\n1. **Check train-ssh**: How does it test SSH connection reuse?\n2. **Check train-winrm**: How does it test WinRM session pooling?\n3. **Look for patterns**: Command execution verification, session state validation\n4. **Our implementation**: SessionManager + PTYSession classes\n\nFiles to review:\n- lib/train-k8s-container/session_manager.rb (our pooling logic)\n- lib/train-k8s-container/pty_session.rb (session handling)\n- Compare with train-ssh/train-winrm pooling tests\n- Add similar regression tests to our suite","created_at":"2025-12-24T16:02:25Z"},{"id":4,"issue_id":"train-k8s-container-xlc","author":"alippold","text":"## Alternative: Use connection_pool gem\n\nInstead of custom Singleton pooling, consider using the standard connection_pool gem:\n- https://github.com/mperham/connection_pool\n- v3.0.2 (actively maintained, Dec 2025)\n- Battle-tested in Sidekiq, Puma, production systems\n- Thread-safe, lazy creation, auto-reload on fork\n\nThis would replace our custom SessionManager with proven pooling logic and inherit its test coverage.","created_at":"2025-12-24T16:06:42Z"}]}

data/.beads/metadata.json

@@ -0,0 +1,4 @@
+{
+  "database": "beads.db",
+  "jsonl_export": "interactions.jsonl"
+}

data/.release-please-manifest.json

@@ -1,3 +1,3 @@
 {
-  ".": "2.2.0"
+  ".": "2.2.1"
 }

data/.rubocop.yml

@@ -29,10 +29,11 @@ Metrics/PerceivedComplexity:
 Metrics/MethodLength:
   Enabled: false
 
-# RSpec tests will have longer blocks - acceptable
+# RSpec tests and gemspecs will have longer blocks - acceptable
 Metrics/BlockLength:
   Exclude:
     - spec/**/*_spec.rb
+    - '*.gemspec'
 
 # Allow reasonable line length (Chef standard is 150)
 Layout/LineLength:

data/CHANGELOG.md

@@ -5,6 +5,13 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [2.2.1](https://github.com/mitre/train-k8s-container/compare/v2.2.0...v2.2.1) (2026-01-17)
+
+
+### Bug Fixes
+
+* resolve PTY output parsing for multi-line commands ([#12](https://github.com/mitre/train-k8s-container/issues/12)) ([2680c3f](https://github.com/mitre/train-k8s-container/commit/2680c3f497d90d7ddf70dfeb85160e148cf397c6))
+
 ## [2.2.0](https://github.com/mitre/train-k8s-container/compare/v2.1.1...v2.2.0) (2025-12-24)
 
 

data/lib/train-k8s-container/pty_session.rb

@@ -2,6 +2,7 @@
 
 require 'pty'
 require 'timeout'
+require 'securerandom'
 require_relative 'errors'
 require_relative 'ansi_sanitizer'
 
@@ -14,7 +15,7 @@ module TrainPlugins
       class SessionClosedError < PtyError; end
       class CommandTimeoutError < PtyError; end
 
-      attr_reader :session_key, :reader, :writer, :pid
+      attr_reader :session_key, :reader, :writer, :pid, :marker_id
 
       DEFAULT_COMMAND_TIMEOUT = 60
       DEFAULT_SESSION_TIMEOUT = 300
@@ -30,6 +31,9 @@ module TrainPlugins
         @reader = nil
         @writer = nil
         @pid = nil
+        # Unique marker per session prevents collision with user output
+        # Uses 8-char hex (32 bits of entropy) - sufficient for session uniqueness
+        @marker_id = SecureRandom.hex(4)
       end
 
       def connect
@@ -70,8 +74,10 @@ module TrainPlugins
 
         @logger&.debug("Executing in PTY session: #{command}")
 
-        # Send command with exit code marker
-        cmd_with_marker = "#{command} 2>&1 ; echo __EXIT_CODE__=$?"
+        # Send command with unique exit code marker (prevents collision with user output)
+        # Note: Don't use 2>&1 - PTY already merges streams, and explicit redirect
+        # causes stderr content (like SELinux errors) to corrupt structured output
+        cmd_with_marker = "#{command}; echo #{exit_marker}=$?"
         @writer.puts(cmd_with_marker)
         @writer.flush
 
@@ -106,13 +112,31 @@ module TrainPlugins
 
       private
 
+      # Unique exit code marker for this session
+      # Format: __EXIT_CODE_<8-char-hex>__ (e.g., __EXIT_CODE_a1b2c3d4__)
+      # This prevents any possible collision with user output
+      def exit_marker
+        "__EXIT_CODE_#{@marker_id}__"
+      end
+
+      # Regex pattern to match our unique marker
+      def exit_marker_pattern
+        /#{Regexp.escape(exit_marker)}=(\d+)/
+      end
+
+      # Wrapper suffix added to commands (for echo removal)
+      def wrapper_suffix
+        "; echo #{exit_marker}=$?"
+      end
+
       def read_until_marker
         buffer = +'' # Unfreeze string
+        marker_regex = exit_marker_pattern
 
         Timeout.timeout(@command_timeout) do
           while (line = @reader.gets)
             buffer << line
-            break if line =~ /__EXIT_CODE__=(\d+)/
+            break if line =~ marker_regex
           end
         end
 
@@ -123,29 +147,91 @@ module TrainPlugins
         # Strip ANSI sequences
         cleaned = strip_ansi_sequences(buffer)
 
-        # Extract exit code
+        # IMPORTANT: Order matters here!
+        # When shell expands $? in echo-back, the marker appears TWICE:
+        #   1. In echoed command: "cmd 2>&1 ; echo __EXIT_CODE_xxx__=0"
+        #   2. In actual output: "...\n__EXIT_CODE_xxx__=0"
+        # We must remove the command echo FIRST (step 1), leaving only the
+        # actual output with its marker (step 2), then extract exit code and
+        # remove the marker.
+
+        # Step 1: Remove command echo-back from PTY output
+        # The shell echoes the command before executing, ending with our wrapper marker.
+        # For multi-line commands, we can't use simple line matching - we need to find
+        # the wrapper marker and remove everything up to and including it.
+        output = remove_command_echo(cleaned, command)
+
+        # Step 2: Extract exit code using our unique session marker
+        # Now there's only one marker in the text (the actual output)
         exit_code = 1
-        if (match = cleaned.match(/__EXIT_CODE__=(\d+)/))
+        if (match = output.match(exit_marker_pattern))
           exit_code = match[1].to_i
         end
 
-        # Remove exit code line
-        cleaned = cleaned.gsub(/__EXIT_CODE__=\d+.*$/, '')
+        # Step 3: Remove the exit code marker from output
+        output = remove_marker_line(output)
 
-        # Split into lines and remove command echo
-        lines = cleaned.lines
-        # Remove command wrapper echo (exact match)
-        cmd_wrapper = "#{command} 2>&1 ; echo __EXIT_CODE__=$?"
-        lines.reject! { |l| l.strip == cmd_wrapper.strip || l.strip == command.strip }
-
-        output = lines.join
+        # PTY merges stdout/stderr - we cannot separate them
+        # Always return output as stdout, let caller use exit_code for success/failure
+        Train::Extras::CommandResult.new(output.strip, '', exit_code)
+      end
 
-        # Separate stdout/stderr based on exit code
-        if exit_code.zero?
-          Train::Extras::CommandResult.new(output.strip, '', exit_code)
+      # Remove echoed command from PTY output
+      # PTY shells echo the command before output. Our wrapper adds:
+      #   "#{command} 2>&1 ; echo #{exit_marker}=$?"
+      # The shell echoes this, then outputs the result. We need to find
+      # where the echo ends and the actual output begins.
+      #
+      # IMPORTANT: Some shells expand $? BEFORE echoing, so the echo-back may show:
+      #   "command; echo __EXIT_CODE_xxx__=0" (expanded)
+      # instead of:
+      #   "command; echo __EXIT_CODE_xxx__=$?" (literal)
+      # We use a prefix pattern that matches both cases.
+      def remove_command_echo(text, command)
+        # Match the wrapper prefix (without $? or the exit code value)
+        # This handles both unexpanded ($?) and expanded (0, 127, etc.) cases
+        wrapper_prefix = "; echo #{exit_marker}="
+
+        # Strategy 1: Find the wrapper marker (handles multi-line commands)
+        # Everything before and including this line is command echo
+        marker_index = text.index(wrapper_prefix)
+        if marker_index
+          newline_after_marker = text.index("\n", marker_index)
+          if newline_after_marker
+            # Everything after the marker line is actual output
+            output = text[(newline_after_marker + 1)..]
+          else
+            # Edge case: no newline after the wrapper line
+            # Skip to end of line (past the =N or =$? part)
+            line_end = marker_index + wrapper_prefix.length
+            # Skip any remaining characters until end of string (the exit code value)
+            line_end += 1 while line_end < text.length && text[line_end] =~ /[\d$?]/
+            output = text[line_end..] || ''
+          end
         else
-          Train::Extras::CommandResult.new('', output.strip, exit_code)
+          # Strategy 2: Fall back to line-by-line removal (handles simple cases)
+          # This is used when the marker isn't present (e.g., some test scenarios)
+          output = text
         end
+
+        # Also remove simple command echo if still present
+        # (some shells may echo the command on its own line)
+        lines = output.lines
+        lines.reject! { |l| l.strip == command.strip }
+        lines.join
+      end
+
+      # Remove our unique exit code marker from the output
+      # Note: With --printf format (no trailing newline), the marker may be
+      # appended to the last line of output rather than on its own line.
+      # We must preserve the content before the marker.
+      def remove_marker_line(text)
+        # Remove the marker pattern itself, preserving any content before it
+        # This handles both cases:
+        # 1. Marker on its own line: "content\n__EXIT_CODE_xxx__=0\n" -> "content\n"
+        # 2. Marker appended to content: "?\n__EXIT_CODE_xxx__=0\n" -> "?\n"
+        #    or without newline: "?__EXIT_CODE_xxx__=0" -> "?"
+        text.sub(/#{Regexp.escape(exit_marker)}=\d+\n?/, '')
       end
 
       def strip_ansi_sequences(text)

data/lib/train-k8s-container/version.rb

@@ -2,6 +2,6 @@
 
 module TrainPlugins
   module K8sContainer
-    VERSION = '2.2.0'
+    VERSION = '2.2.1'
   end
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: train-k8s-container-mitre
 version: !ruby/object:Gem::Version
-  version: 2.2.0
+  version: 2.2.1
 platform: ruby
 authors:
 - MITRE SAF Team
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2025-12-24 00:00:00.000000000 Z
+date: 2026-01-17 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: base64
@@ -40,6 +40,11 @@ executables: []
 extensions: []
 extra_rdoc_files: []
 files:
+- ".beads/.gitignore"
+- ".beads/README.md"
+- ".beads/config.yaml"
+- ".beads/issues.jsonl"
+- ".beads/metadata.json"
 - ".expeditor/buildkite/coverage.sh"
 - ".expeditor/buildkite/run_linux_tests.sh"
 - ".expeditor/config.yml"