@agentmeshhq/agent 0.1.12 → 0.1.14

package/src/__tests__/sandbox.test.ts

@@ -0,0 +1,435 @@
+import os from "node:os";
+import path from "node:path";
+import { beforeEach, describe, expect, it, vi } from "vitest";
+import { DockerSandbox, type SandboxConfig, type SandboxMountPolicy } from "../core/sandbox.js";
+
+// Mock child_process
+vi.mock("node:child_process", () => ({
+  execSync: vi.fn(),
+  spawn: vi.fn(() => ({
+    on: vi.fn(),
+    unref: vi.fn(),
+    pid: 12345,
+  })),
+  spawnSync: vi.fn(() => ({
+    status: 0,
+    stdout: "mock-container-id\n",
+    stderr: "",
+  })),
+}));
+
+// Mock fs
+vi.mock("node:fs", () => ({
+  default: {
+    existsSync: vi.fn(() => true),
+  },
+}));
+
+describe("DockerSandbox", () => {
+  const defaultConfig: SandboxConfig = {
+    agentName: "test-agent",
+    image: "agentmesh/agent-sandbox:latest",
+    workspacePath: "/tmp/workspace",
+  };
+
+  beforeEach(() => {
+    vi.clearAllMocks();
+  });
+
+  describe("constructor", () => {
+    it("should create sandbox with default values", () => {
+      const sandbox = new DockerSandbox(defaultConfig);
+
+      expect(sandbox.getContainerName()).toMatch(/^agentmesh-sandbox-test-agent-[a-f0-9]{8}$/);
+    });
+
+    it("should merge config with defaults", () => {
+      const config: SandboxConfig = {
+        ...defaultConfig,
+        cpuLimit: "0.5",
+        memoryLimit: "1g",
+      };
+
+      const sandbox = new DockerSandbox(config);
+      expect(sandbox).toBeDefined();
+    });
+  });
+
+  describe("validateMountPolicy", () => {
+    it("should deny sensitive paths by default", () => {
+      const sandbox = new DockerSandbox({
+        ...defaultConfig,
+        workspacePath: path.join(os.homedir(), ".ssh"),
+      });
+
+      expect(() => sandbox.validateMountPolicy()).toThrow(/Mount denied.*\.ssh/);
+    });
+
+    it("should deny ~/.gnupg", () => {
+      const sandbox = new DockerSandbox({
+        ...defaultConfig,
+        workspacePath: path.join(os.homedir(), ".gnupg"),
+      });
+
+      expect(() => sandbox.validateMountPolicy()).toThrow(/Mount denied.*\.gnupg/);
+    });
+
+    it("should deny ~/.aws", () => {
+      const sandbox = new DockerSandbox({
+        ...defaultConfig,
+        workspacePath: path.join(os.homedir(), ".aws"),
+      });
+
+      expect(() => sandbox.validateMountPolicy()).toThrow(/Mount denied.*\.aws/);
+    });
+
+    it("should deny ~/.config/gcloud", () => {
+      const sandbox = new DockerSandbox({
+        ...defaultConfig,
+        workspacePath: path.join(os.homedir(), ".config/gcloud"),
+      });
+
+      expect(() => sandbox.validateMountPolicy()).toThrow(/Mount denied.*gcloud/);
+    });
+
+    it("should deny ~/.kube", () => {
+      const sandbox = new DockerSandbox({
+        ...defaultConfig,
+        workspacePath: path.join(os.homedir(), ".kube"),
+      });
+
+      expect(() => sandbox.validateMountPolicy()).toThrow(/Mount denied.*\.kube/);
+    });
+
+    it("should deny ~/.docker", () => {
+      const sandbox = new DockerSandbox({
+        ...defaultConfig,
+        workspacePath: path.join(os.homedir(), ".docker"),
+      });
+
+      expect(() => sandbox.validateMountPolicy()).toThrow(/Mount denied.*\.docker/);
+    });
+
+    it("should deny /var/run/docker.sock", () => {
+      const sandbox = new DockerSandbox({
+        ...defaultConfig,
+        workspacePath: "/var/run/docker.sock",
+      });
+
+      expect(() => sandbox.validateMountPolicy()).toThrow(/Mount denied.*docker\.sock/);
+    });
+
+    it("should allow regular workspace paths", () => {
+      const sandbox = new DockerSandbox({
+        ...defaultConfig,
+        workspacePath: "/tmp/workspace",
+      });
+
+      expect(() => sandbox.validateMountPolicy()).not.toThrow();
+    });
+
+    it("should enforce custom allowed paths when specified", () => {
+      const sandbox = new DockerSandbox({
+        ...defaultConfig,
+        workspacePath: "/home/user/random",
+      });
+
+      const policy: SandboxMountPolicy = {
+        allowedPaths: ["/home/user/allowed-only"],
+        deniedPaths: [],
+      };
+
+      expect(() => sandbox.validateMountPolicy(policy)).toThrow(/not in allowed paths/);
+    });
+
+    it("should allow path within custom allowed paths", () => {
+      const sandbox = new DockerSandbox({
+        ...defaultConfig,
+        workspacePath: "/home/user/projects/myrepo",
+      });
+
+      const policy: SandboxMountPolicy = {
+        allowedPaths: ["/home/user/projects"],
+        deniedPaths: [],
+      };
+
+      expect(() => sandbox.validateMountPolicy(policy)).not.toThrow();
+    });
+  });
+
+  describe("checkDockerAvailable", () => {
+    it("should return true when docker is available", async () => {
+      const { spawnSync } = await import("node:child_process");
+      vi.mocked(spawnSync).mockReturnValueOnce({
+        status: 0,
+        stdout: "Docker version 24.0.0",
+        stderr: "",
+        pid: 1,
+        output: [],
+        signal: null,
+      });
+
+      expect(DockerSandbox.checkDockerAvailable()).toBe(true);
+    });
+
+    it("should return false when docker is not available", async () => {
+      const { spawnSync } = await import("node:child_process");
+      vi.mocked(spawnSync).mockReturnValueOnce({
+        status: 1,
+        stdout: "",
+        stderr: "docker: command not found",
+        pid: 1,
+        output: [],
+        signal: null,
+      });
+
+      expect(DockerSandbox.checkDockerAvailable()).toBe(false);
+    });
+  });
+
+  describe("listAll", () => {
+    it("should parse docker ps output correctly", async () => {
+      const { spawnSync } = await import("node:child_process");
+      vi.mocked(spawnSync).mockReturnValueOnce({
+        status: 0,
+        stdout:
+          "abc123|agentmesh-sandbox-agent1-12345678|Up 5 minutes|agentmesh/agent-sandbox:latest\ndef456|agentmesh-sandbox-agent2-87654321|Exited (0)|agentmesh/agent-sandbox:latest",
+        stderr: "",
+        pid: 1,
+        output: [],
+        signal: null,
+      });
+
+      const containers = DockerSandbox.listAll();
+
+      expect(containers).toHaveLength(2);
+      expect(containers[0]).toEqual({
+        id: "abc123",
+        name: "agentmesh-sandbox-agent1-12345678",
+        status: "Up 5 minutes",
+        image: "agentmesh/agent-sandbox:latest",
+      });
+    });
+
+    it("should return empty array when no containers found", async () => {
+      const { spawnSync } = await import("node:child_process");
+      vi.mocked(spawnSync).mockReturnValueOnce({
+        status: 0,
+        stdout: "",
+        stderr: "",
+        pid: 1,
+        output: [],
+        signal: null,
+      });
+
+      const containers = DockerSandbox.listAll();
+      expect(containers).toEqual([]);
+    });
+  });
+
+  describe("findExisting", () => {
+    it("should find existing container for agent", async () => {
+      const { spawnSync } = await import("node:child_process");
+      vi.mocked(spawnSync).mockReturnValueOnce({
+        status: 0,
+        stdout: "abc123def456\n",
+        stderr: "",
+        pid: 1,
+        output: [],
+        signal: null,
+      });
+
+      const containerId = DockerSandbox.findExisting("test-agent");
+      expect(containerId).toBe("abc123def456");
+    });
+
+    it("should return null when no container exists", async () => {
+      const { spawnSync } = await import("node:child_process");
+      vi.mocked(spawnSync).mockReturnValueOnce({
+        status: 0,
+        stdout: "\n",
+        stderr: "",
+        pid: 1,
+        output: [],
+        signal: null,
+      });
+
+      const containerId = DockerSandbox.findExisting("nonexistent");
+      expect(containerId).toBeNull();
+    });
+  });
+
+  describe("container lifecycle", () => {
+    it("should build correct docker run arguments", async () => {
+      const { spawnSync } = await import("node:child_process");
+      const mockSpawnSync = vi.mocked(spawnSync);
+
+      // Mock image inspect (image exists)
+      mockSpawnSync.mockReturnValueOnce({
+        status: 0,
+        stdout: "{}",
+        stderr: "",
+        pid: 1,
+        output: [],
+        signal: null,
+      });
+
+      // Mock docker run
+      mockSpawnSync.mockReturnValueOnce({
+        status: 0,
+        stdout: "container-id-12345\n",
+        stderr: "",
+        pid: 1,
+        output: [],
+        signal: null,
+      });
+
+      const sandbox = new DockerSandbox({
+        agentName: "test",
+        image: "agentmesh/agent-sandbox:latest",
+        workspacePath: "/tmp/workspace",
+        cpuLimit: "2",
+        memoryLimit: "4g",
+        env: {
+          AGENT_TOKEN: "test-token",
+        },
+      });
+
+      await sandbox.pullImage();
+      await sandbox.start();
+
+      // Find the docker run call
+      const runCall = mockSpawnSync.mock.calls.find(
+        (call) => call[0] === "docker" && call[1]?.[0] === "run",
+      );
+
+      expect(runCall).toBeDefined();
+      const args = runCall![1] as string[];
+
+      // Check key arguments
+      expect(args).toContain("-d");
+      expect(args).toContain("--cpus");
+      expect(args).toContain("2");
+      expect(args).toContain("--memory");
+      expect(args).toContain("4g");
+      expect(args).toContain("--user");
+      expect(args).toContain("1000:1000");
+      expect(args).toContain("-e");
+      expect(args).toContain("AGENT_TOKEN=test-token");
+    });
+
+    it("should get container status", async () => {
+      const { spawnSync } = await import("node:child_process");
+      vi.mocked(spawnSync).mockReturnValueOnce({
+        status: 0,
+        stdout: "true|running|healthy",
+        stderr: "",
+        pid: 1,
+        output: [],
+        signal: null,
+      });
+
+      const sandbox = new DockerSandbox(defaultConfig);
+      // @ts-expect-error - accessing private property for testing
+      sandbox.containerId = "test-container";
+
+      const status = sandbox.getStatus();
+
+      expect(status).toEqual({
+        running: true,
+        status: "running",
+        health: "healthy",
+      });
+    });
+
+    it("should return not found status when container not started", async () => {
+      const { spawnSync } = await import("node:child_process");
+      vi.mocked(spawnSync).mockReturnValueOnce({
+        status: 1, // docker inspect fails for non-existent container
+        stdout: "",
+        stderr: "Error: No such container",
+        pid: 1,
+        output: [],
+        signal: null,
+      });
+
+      const sandbox = new DockerSandbox(defaultConfig);
+      const status = sandbox.getStatus();
+
+      expect(status).toEqual({
+        running: false,
+        status: "not found",
+      });
+    });
+  });
+
+  describe("resource limits", () => {
+    it("should apply default CPU limit of 1", () => {
+      const sandbox = new DockerSandbox(defaultConfig);
+      // The default is applied in constructor
+      expect(sandbox).toBeDefined();
+    });
+
+    it("should apply default memory limit of 2g", () => {
+      const sandbox = new DockerSandbox(defaultConfig);
+      expect(sandbox).toBeDefined();
+    });
+
+    it("should allow custom resource limits", () => {
+      const sandbox = new DockerSandbox({
+        ...defaultConfig,
+        cpuLimit: "0.5",
+        memoryLimit: "512m",
+      });
+      expect(sandbox).toBeDefined();
+    });
+  });
+
+  describe("serve mode", () => {
+    it("should configure serve mode with port", async () => {
+      const { spawnSync } = await import("node:child_process");
+      const mockSpawnSync = vi.mocked(spawnSync);
+
+      // Mock image inspect
+      mockSpawnSync.mockReturnValueOnce({
+        status: 0,
+        stdout: "{}",
+        stderr: "",
+        pid: 1,
+        output: [],
+        signal: null,
+      });
+
+      // Mock docker run
+      mockSpawnSync.mockReturnValueOnce({
+        status: 0,
+        stdout: "container-id\n",
+        stderr: "",
+        pid: 1,
+        output: [],
+        signal: null,
+      });
+
+      const sandbox = new DockerSandbox({
+        ...defaultConfig,
+        serveMode: true,
+        servePort: 3001,
+      });
+
+      await sandbox.pullImage();
+      await sandbox.start();
+
+      const runCall = mockSpawnSync.mock.calls.find(
+        (call) => call[0] === "docker" && call[1]?.[0] === "run",
+      );
+
+      expect(runCall).toBeDefined();
+      const args = runCall![1] as string[];
+
+      expect(args).toContain("-p");
+      expect(args).toContain("3001:3001");
+      expect(args).toContain("opencode");
+      expect(args).toContain("serve");
+    });
+  });
+});