@fusionkit/ensemble 0.1.0

package/dist/test/external-executor.test.d.ts

@@ -0,0 +1 @@
+export {};

package/dist/test/external-executor.test.js

@@ -0,0 +1,273 @@
+import assert from "node:assert/strict";
+import { mkdirSync, mkdtempSync, rmSync, writeFileSync } from "node:fs";
+import { tmpdir } from "node:os";
+import { join } from "node:path";
+import { test } from "node:test";
+import { assertToolExecutionRecordV1, MODEL_FUSION_SCHEMA_BUNDLE_HASH, toolArgumentsHash } from "@fusionkit/protocol";
+import { executeFusionKitToolBatch, FusionKitToolExecutorClient, FusionKitToolExecutorClientError, FusionKitToolExecutorError, startFusionKitToolExecutorServer } from "../external-executor.js";
+import { createToolExecutor, registerDemoTools } from "../tool-executor.js";
+function contract(overrides = {}) {
+    return {
+        executor_id: "exec_fusionkit",
+        mode: "demo_safe",
+        environment_id: "env_local",
+        tool_policy_id: "policy_readonly",
+        allowed_tools: ["read_file", "list_files", "echo", "write_file", "fetch"],
+        side_effects: ["none", "read"],
+        limits: { timeoutMs: 1000, maxOutputBytes: 4096 },
+        timeoutMs: 1000,
+        budget: { maxSpendUsd: 0 },
+        audit_sink: "memory",
+        ...overrides
+    };
+}
+function repoFixture() {
+    const root = mkdtempSync(join(tmpdir(), "fusionkit-tool-executor-"));
+    const repo = join(root, "repo");
+    mkdirSync(repo);
+    mkdirSync(join(repo, "packages"));
+    writeFileSync(join(repo, "README.md"), "hello fusionkit\n");
+    writeFileSync(join(repo, "packages", "demo.txt"), "demo\n");
+    return { repo, cleanup: () => rmSync(root, { recursive: true, force: true }) };
+}
+function executorFixture(repo, overrides = {}) {
+    const executor = createToolExecutor(contract(overrides));
+    registerDemoTools(executor, repo);
+    executor.register({
+        definition: {
+            tool_name: "list_files",
+            side_effects: "read",
+            description: "Return a deterministic file list."
+        },
+        execute() {
+            return { files: ["README.md", "packages/demo.txt"] };
+        }
+    });
+    return executor;
+}
+function plan(toolName, args, sideEffects = "read_only", planId = `plan_${toolName}`) {
+    return {
+        schema: "tool-call-plan.v1",
+        schema_version: "v1",
+        schema_bundle_hash: MODEL_FUSION_SCHEMA_BUNDLE_HASH,
+        producer: "test",
+        producer_version: "0.1.0",
+        producer_git_sha: "0".repeat(40),
+        created_at: "2026-06-16T00:00:00.000Z",
+        plan_id: planId,
+        tool_name: toolName,
+        arguments_hash: toolArgumentsHash(args),
+        side_effects: sideEffects,
+        status: "pending"
+    };
+}
+function request(overrides = {}) {
+    const args = overrides.arguments ?? { path: "README.md" };
+    return {
+        candidate_id: "candidate_a",
+        tool_call_id: "tool_call_a",
+        plan: plan("read_file", args),
+        arguments: args,
+        environment_id: "env_local",
+        tool_policy_id: "policy_readonly",
+        ...overrides
+    };
+}
+async function close(server) {
+    await new Promise((resolve) => {
+        server.close(() => resolve());
+    });
+}
+test("batch execution returns schema-valid records grouped by candidate and tool call", async () => {
+    const fixture = repoFixture();
+    try {
+        const executor = executorFixture(fixture.repo);
+        const response = await executeFusionKitToolBatch(executor, {
+            requests: [
+                request({
+                    candidate_id: "candidate_a",
+                    tool_call_id: "tool_call_read",
+                    plan: plan("read_file", { path: "README.md" }, "read_only", "plan_read"),
+                    arguments: { path: "README.md" }
+                }),
+                request({
+                    candidate_id: "candidate_b",
+                    tool_call_id: "tool_call_list",
+                    plan: plan("list_files", { path: "packages" }, "read_only", "plan_list"),
+                    arguments: { path: "packages" }
+                })
+            ]
+        });
+        assert.equal(response.results.length, 2);
+        assert.equal(response.results[0]?.candidate_id, "candidate_a");
+        assert.equal(response.results[0]?.tool_call_id, "tool_call_read");
+        assert.equal(response.results[0]?.record.plan_id, "plan_read");
+        assert.equal(response.results[1]?.candidate_id, "candidate_b");
+        assert.equal(response.results[1]?.tool_call_id, "tool_call_list");
+        for (const result of response.results) {
+            assertToolExecutionRecordV1(result.record);
+            assert.equal(result.record.status, "succeeded");
+        }
+    }
+    finally {
+        fixture.cleanup();
+    }
+});
+test("identical read-only requests dedupe under matching policy and environment", async () => {
+    const fixture = repoFixture();
+    try {
+        const executor = executorFixture(fixture.repo);
+        const response = await executeFusionKitToolBatch(executor, {
+            requests: [
+                request({
+                    candidate_id: "candidate_a",
+                    tool_call_id: "tool_call_a",
+                    plan: plan("read_file", { path: "README.md" }, "read_only", "plan_a"),
+                    arguments: { path: "README.md" }
+                }),
+                request({
+                    candidate_id: "candidate_b",
+                    tool_call_id: "tool_call_b",
+                    plan: plan("read_file", { path: "README.md" }, "read_only", "plan_b"),
+                    arguments: { path: "README.md" }
+                })
+            ]
+        });
+        assert.equal(response.results[0]?.deduped, false);
+        assert.equal(response.results[1]?.deduped, true);
+        assert.equal(response.results[1]?.record.execution_id, response.results[0]?.record.execution_id);
+        assert.equal(response.results[1]?.record.plan_id, "plan_b");
+        const otherEnvironment = executorFixture(fixture.repo, { environment_id: "env_other" });
+        const third = await executeFusionKitToolBatch(otherEnvironment, {
+            requests: [
+                request({
+                    environment_id: "env_other",
+                    plan: plan("read_file", { path: "README.md" }, "read_only", "plan_c"),
+                    arguments: { path: "README.md" }
+                })
+            ]
+        });
+        assert.notEqual(third.results[0]?.record.execution_id, response.results[0]?.record.execution_id);
+    }
+    finally {
+        fixture.cleanup();
+    }
+});
+test("write, external, and unknown tools return failure taxonomy records", async () => {
+    const fixture = repoFixture();
+    try {
+        const executor = executorFixture(fixture.repo, {
+            allowed_tools: ["read_file", "list_files", "echo", "write_file", "fetch", "missing_tool"],
+            side_effects: ["none", "read", "write", "external"]
+        });
+        const response = await executeFusionKitToolBatch(executor, {
+            requests: [
+                request({
+                    tool_call_id: "tool_call_write",
+                    plan: plan("write_file", { path: "README.md" }, "writes_workspace", "plan_write"),
+                    arguments: { path: "README.md" }
+                }),
+                request({
+                    tool_call_id: "tool_call_fetch",
+                    plan: plan("fetch", { url: "https://example.com" }, "network", "plan_fetch"),
+                    arguments: { url: "https://example.com" }
+                }),
+                request({
+                    tool_call_id: "tool_call_missing",
+                    plan: plan("missing_tool", {}, "read_only", "plan_missing"),
+                    arguments: {}
+                })
+            ]
+        });
+        assert.equal(response.results[0]?.record.status, "failed");
+        assert.equal(response.results[0]?.record.error?.kind, "tool_denied");
+        assert.equal(response.results[1]?.record.status, "failed");
+        assert.equal(response.results[1]?.record.error?.kind, "tool_denied");
+        assert.equal(response.results[2]?.record.status, "unsupported");
+        assert.equal(response.results[2]?.record.error?.kind, "capability_missing");
+    }
+    finally {
+        fixture.cleanup();
+    }
+});
+test("batch validation rejects policy and argument mismatches", async () => {
+    const fixture = repoFixture();
+    try {
+        const executor = executorFixture(fixture.repo);
+        await assert.rejects(() => executeFusionKitToolBatch(executor, {
+            requests: [request({ environment_id: "env_other" })]
+        }), (error) => error instanceof FusionKitToolExecutorError &&
+            error.status === 403 &&
+            error.code === "environment_mismatch");
+        const badPlan = plan("read_file", { path: "README.md" }, "read_only", "plan_bad");
+        await assert.rejects(() => executeFusionKitToolBatch(executor, {
+            requests: [
+                request({
+                    plan: badPlan,
+                    arguments: { path: "packages/demo.txt" }
+                })
+            ]
+        }), (error) => error instanceof FusionKitToolExecutorError &&
+            error.status === 400 &&
+            error.code === "arguments_hash_mismatch");
+        const invalidPlan = {
+            ...plan("read_file", { path: "README.md" }, "read_only", "plan_invalid"),
+            status: "not-a-status"
+        };
+        await assert.rejects(() => executeFusionKitToolBatch(executor, {
+            requests: [request({ plan: invalidPlan })]
+        }), (error) => error instanceof FusionKitToolExecutorError &&
+            error.status === 400 &&
+            error.code === "invalid_request" &&
+            error.message.includes("plan invalid"));
+    }
+    finally {
+        fixture.cleanup();
+    }
+});
+test("HTTP server and client enforce auth and validate bad requests", async () => {
+    const fixture = repoFixture();
+    const executor = executorFixture(fixture.repo);
+    const started = await startFusionKitToolExecutorServer({
+        executor,
+        port: 0,
+        authToken: "secret"
+    });
+    try {
+        const health = await fetch(`${started.url}/v1/health`);
+        assert.equal(health.status, 200);
+        assert.deepEqual(await health.json(), {
+            ok: true,
+            service: "warrant-tool-executor"
+        });
+        const unauthenticated = await fetch(`${started.url}/v1/fusionkit/tool-executions`, {
+            method: "POST",
+            headers: { "content-type": "application/json" },
+            body: JSON.stringify({ requests: [] })
+        });
+        assert.equal(unauthenticated.status, 401);
+        const client = new FusionKitToolExecutorClient(started.url, "secret");
+        const success = await client.execute({
+            requests: [request()]
+        });
+        assert.equal(success.results[0]?.record.status, "succeeded");
+        const malformed = await fetch(`${started.url}/v1/fusionkit/tool-executions`, {
+            method: "POST",
+            headers: {
+                authorization: "Bearer secret",
+                "content-type": "application/json"
+            },
+            body: "{"
+        });
+        assert.equal(malformed.status, 400);
+        const malformedBody = (await malformed.json());
+        assert.equal(malformedBody.code, "invalid_json");
+        await assert.rejects(() => client.execute({
+            requests: [request({ tool_policy_id: "policy_other" })]
+        }), (error) => error instanceof FusionKitToolExecutorClientError && error.status === 403);
+    }
+    finally {
+        await close(started.server);
+        fixture.cleanup();
+    }
+});

package/dist/test/isolation.test.d.ts

@@ -0,0 +1 @@
+export {};

package/dist/test/isolation.test.js

@@ -0,0 +1,359 @@
+import assert from "node:assert/strict";
+import { mkdtempSync, rmSync, writeFileSync } from "node:fs";
+import { tmpdir } from "node:os";
+import { join } from "node:path";
+import { test } from "node:test";
+import { runCandidateCommandWithIsolation, secretAbsenceMetadata, secretValueHash } from "../isolation.js";
+function workspaceFixture() {
+    const root = mkdtempSync(join(tmpdir(), "candidate-isolation-"));
+    writeFileSync(join(root, "README.md"), "# isolated\n");
+    return { root, cleanup: () => rmSync(root, { recursive: true, force: true }) };
+}
+test("process isolation preserves current command behavior and records hardening", async () => {
+    const workspace = workspaceFixture();
+    try {
+        const result = await runCandidateCommandWithIsolation({
+            command: "printf process-ok",
+            cwd: workspace.root,
+            timeoutMs: 1000
+        });
+        assert.equal(result.exitCode, 0);
+        assert.equal(result.stdout, "process-ok");
+        assert.equal(result.hardening.requested_isolation, "process");
+        assert.equal(result.hardening.actual_isolation, "process");
+        assert.equal(result.hardening.cleanup.status, "not_required");
+        assert.equal(result.hardening.network_policy.default_deny, true);
+        assert.equal(result.hardening.network_policy.enforced, false);
+    }
+    finally {
+        workspace.cleanup();
+    }
+});
+test("fake container isolation records runtime, mounts, network, and cleanup", async () => {
+    const workspace = workspaceFixture();
+    const driver = {
+        id: "fake-container",
+        supportsNetworkPolicy: true,
+        execute(input) {
+            assert.equal(input.image, "node:22-test");
+            assert.equal(input.workdir, "/workspace");
+            assert.deepEqual(input.mountPolicy.readOnlyCachePaths, ["/tmp/cache"]);
+            assert.deepEqual(input.networkPolicy.allowHosts, ["registry.example.com"]);
+            return {
+                stdout: "container-ok",
+                stderr: "",
+                exitCode: 0,
+                cleanup: { attempted: true, succeeded: true }
+            };
+        }
+    };
+    try {
+        const result = await runCandidateCommandWithIsolation({
+            command: "printf container-ok",
+            cwd: workspace.root,
+            isolation: {
+                kind: "container",
+                image: "node:22-test",
+                driver,
+                mountPolicy: { readOnlyCachePaths: ["/tmp/cache"] },
+                networkPolicy: {
+                    defaultDeny: true,
+                    allowHosts: ["registry.example.com"],
+                    enforce: true
+                }
+            }
+        });
+        assert.equal(result.exitCode, 0);
+        assert.equal(result.stdout, "container-ok");
+        assert.equal(result.hardening.requested_isolation, "container");
+        assert.equal(result.hardening.runtime.image, "node:22-test");
+        assert.equal(result.hardening.runtime.driver, "fake-container");
+        assert.equal(result.hardening.cleanup.status, "succeeded");
+    }
+    finally {
+        workspace.cleanup();
+    }
+});
+test("container isolation fails closed when network policy cannot be enforced", async () => {
+    const workspace = workspaceFixture();
+    const driver = {
+        id: "weak-container",
+        supportsNetworkPolicy: false,
+        execute() {
+            throw new Error("should not execute");
+        }
+    };
+    try {
+        const result = await runCandidateCommandWithIsolation({
+            command: "printf never",
+            cwd: workspace.root,
+            isolation: {
+                kind: "container",
+                driver,
+                networkPolicy: {
+                    defaultDeny: true,
+                    allowHosts: ["api.example.com"],
+                    enforce: true
+                }
+            }
+        });
+        assert.equal(result.exitCode, 1);
+        assert.match(result.stderr, /cannot enforce/);
+        assert.equal(result.hardening.cleanup.status, "failed");
+        assert.equal(result.hardening.network_policy.enforced, true);
+    }
+    finally {
+        workspace.cleanup();
+    }
+});
+test("container cleanup is recorded for failures and timeouts", async () => {
+    const workspace = workspaceFixture();
+    const driver = {
+        id: "timeout-container",
+        supportsNetworkPolicy: true,
+        execute() {
+            return {
+                stdout: "",
+                stderr: "timed out",
+                exitCode: 1,
+                timedOut: true,
+                cleanup: { attempted: true, succeeded: true }
+            };
+        }
+    };
+    try {
+        const result = await runCandidateCommandWithIsolation({
+            command: "sleep 10",
+            cwd: workspace.root,
+            isolation: { kind: "container", driver }
+        });
+        assert.equal(result.timedOut, true);
+        assert.equal(result.hardening.cleanup.status, "succeeded");
+    }
+    finally {
+        workspace.cleanup();
+    }
+});
+test("fake microVM isolation records vercel-sandbox runtime evidence", async () => {
+    const workspace = workspaceFixture();
+    const driver = {
+        id: "fake-vercel-sandbox",
+        provider: "vercel-sandbox",
+        supportsNetworkPolicy: true,
+        execute(input) {
+            assert.equal(input.provider, "vercel-sandbox");
+            assert.equal(input.runtime, "node24");
+            assert.equal(input.snapshotId, "snap_test");
+            assert.equal(input.workdir, "/workspace");
+            assert.deepEqual(input.networkPolicy.allowHosts, []);
+            return {
+                stdout: "microvm-ok",
+                stderr: "",
+                exitCode: 0,
+                actualIsolation: "vercel-sandbox",
+                runtime: {
+                    provider: "vercel-sandbox",
+                    runtime: "node24",
+                    snapshotId: "snap_test",
+                    sandboxId: "sbx_test",
+                    runtimeDigest: "sha256:" + "c".repeat(64)
+                },
+                cleanup: { attempted: true, succeeded: true }
+            };
+        }
+    };
+    try {
+        const result = await runCandidateCommandWithIsolation({
+            command: "printf microvm-ok",
+            cwd: workspace.root,
+            isolation: {
+                kind: "microvm",
+                driver,
+                snapshotId: "snap_test",
+                networkPolicy: { defaultDeny: true, allowHosts: [], enforce: true }
+            }
+        });
+        assert.equal(result.exitCode, 0);
+        assert.equal(result.stdout, "microvm-ok");
+        assert.equal(result.hardening.requested_isolation, "microvm");
+        assert.equal(result.hardening.actual_isolation, "vercel-sandbox");
+        assert.equal(result.hardening.runtime.provider, "vercel-sandbox");
+        assert.equal(result.hardening.runtime.runtime, "node24");
+        assert.equal(result.hardening.runtime.snapshot_id, "snap_test");
+        assert.equal(result.hardening.runtime.sandbox_id, "sbx_test");
+        assert.equal(result.hardening.runtime.driver, "fake-vercel-sandbox");
+        assert.equal(result.hardening.network_policy.enforced, true);
+        assert.equal(result.hardening.cleanup.status, "succeeded");
+    }
+    finally {
+        workspace.cleanup();
+    }
+});
+test("fake microVM isolation fails closed when network policy cannot be enforced", async () => {
+    const workspace = workspaceFixture();
+    const driver = {
+        id: "weak-microvm",
+        provider: "vercel-sandbox",
+        supportsNetworkPolicy: false,
+        execute() {
+            throw new Error("should not execute");
+        }
+    };
+    try {
+        const result = await runCandidateCommandWithIsolation({
+            command: "printf never",
+            cwd: workspace.root,
+            isolation: {
+                kind: "microvm",
+                driver,
+                networkPolicy: {
+                    defaultDeny: true,
+                    allowHosts: ["api.example.com"],
+                    enforce: true
+                }
+            }
+        });
+        assert.equal(result.exitCode, 1);
+        assert.match(result.stderr, /cannot enforce/);
+        assert.equal(result.hardening.requested_isolation, "microvm");
+        assert.equal(result.hardening.actual_isolation, "vercel-sandbox");
+        assert.equal(result.hardening.cleanup.status, "failed");
+        assert.equal(result.hardening.network_policy.enforced, true);
+    }
+    finally {
+        workspace.cleanup();
+    }
+});
+test("fake microVM cleanup failures and timeouts are recorded distinctly", async () => {
+    const workspace = workspaceFixture();
+    const cleanupFailureDriver = {
+        id: "cleanup-failure-microvm",
+        provider: "vercel-sandbox",
+        supportsNetworkPolicy: true,
+        execute() {
+            return {
+                stdout: "",
+                stderr: "cleanup failed",
+                exitCode: 1,
+                actualIsolation: "vercel-sandbox",
+                cleanup: { attempted: true, succeeded: false, error: "stop failed" }
+            };
+        }
+    };
+    const cleanupTimeoutDriver = {
+        id: "cleanup-timeout-microvm",
+        provider: "vercel-sandbox",
+        supportsNetworkPolicy: true,
+        execute() {
+            return {
+                stdout: "",
+                stderr: "cleanup timed out",
+                exitCode: 1,
+                actualIsolation: "vercel-sandbox",
+                cleanup: {
+                    attempted: true,
+                    succeeded: false,
+                    timedOut: true,
+                    error: "stop timed out"
+                }
+            };
+        }
+    };
+    try {
+        const failed = await runCandidateCommandWithIsolation({
+            command: "exit 1",
+            cwd: workspace.root,
+            isolation: { kind: "microvm", driver: cleanupFailureDriver }
+        });
+        assert.equal(failed.hardening.cleanup.status, "failed");
+        assert.equal(failed.hardening.cleanup.error, "stop failed");
+        const timedOut = await runCandidateCommandWithIsolation({
+            command: "exit 1",
+            cwd: workspace.root,
+            isolation: { kind: "microvm", driver: cleanupTimeoutDriver }
+        });
+        assert.equal(timedOut.hardening.cleanup.status, "timed_out");
+        assert.equal(timedOut.hardening.cleanup.timed_out, true);
+        assert.equal(timedOut.hardening.cleanup.error, "stop timed out");
+    }
+    finally {
+        workspace.cleanup();
+    }
+});
+test("fake microVM secret absence evidence omits raw secret values", async () => {
+    const workspace = workspaceFixture();
+    const secretValue = "microvm-secret-value";
+    const secretHash = secretValueHash(secretValue);
+    const driver = {
+        id: "secretless-microvm",
+        provider: "vercel-sandbox",
+        supportsNetworkPolicy: true,
+        execute(input) {
+            assert.equal(JSON.stringify(input).includes(secretValue), false);
+            assert.deepEqual(input.secretPolicy.secretNames, ["VERCEL_TOKEN"]);
+            assert.deepEqual(input.secretPolicy.secretValueHashes, [secretHash]);
+            assert.deepEqual(input.secretPolicy.injectedEnvNames, ["VERCEL_TOKEN"]);
+            return {
+                stdout: "secretless",
+                stderr: "",
+                exitCode: 0,
+                actualIsolation: "vercel-sandbox",
+                cleanup: { attempted: true, succeeded: true }
+            };
+        }
+    };
+    try {
+        const result = await runCandidateCommandWithIsolation({
+            command: "printf secretless",
+            cwd: workspace.root,
+            isolation: {
+                kind: "microvm",
+                driver,
+                secretPolicy: {
+                    secretNames: ["VERCEL_TOKEN"],
+                    secretValueHashes: [secretHash],
+                    injectedEnvNames: ["VERCEL_TOKEN"]
+                }
+            }
+        });
+        assert.equal(result.hardening.secret_absence.scanned, true);
+        assert.equal(result.hardening.secret_absence.leaks_found, false);
+        assert.equal(result.hardening.secret_absence.secret_names[0], "VERCEL_TOKEN");
+        assert.equal(result.hardening.secret_absence.secret_value_hashes[0], secretHash);
+        assert.equal(JSON.stringify(result.hardening).includes(secretValue), false);
+    }
+    finally {
+        workspace.cleanup();
+    }
+});
+test("secret absence scanning records names and hashes without raw values", () => {
+    const workspace = workspaceFixture();
+    const secretValue = "super-secret-value";
+    try {
+        const clean = secretAbsenceMetadata({
+            cwd: workspace.root,
+            transcript: "no secrets here",
+            secretPolicy: {
+                secretNames: ["API_TOKEN"],
+                secretValueHashes: [secretValueHash(secretValue)],
+                injectedEnvNames: ["API_TOKEN"]
+            }
+        });
+        assert.equal(clean.scanned, true);
+        assert.equal(clean.leaks_found, false);
+        assert.equal(JSON.stringify(clean).includes(secretValue), false);
+        writeFileSync(join(workspace.root, "leak.txt"), "API_TOKEN should not be here\n");
+        const leaked = secretAbsenceMetadata({
+            cwd: workspace.root,
+            transcript: secretValue,
+            secretPolicy: { secretNames: ["API_TOKEN"] },
+            knownSecretValues: [secretValue]
+        });
+        assert.equal(leaked.leaks_found, true);
+        assert.equal(leaked.leak_count > 0, true);
+        assert.equal(JSON.stringify(leaked).includes(secretValue), false);
+    }
+    finally {
+        workspace.cleanup();
+    }
+});

package/dist/test/tool-executor.test.d.ts

@@ -0,0 +1 @@
+export {};