@mhingston5/conduit 1.0.0

package/tests/gateway.service.test.ts

@@ -0,0 +1,58 @@
+import { describe, it, expect, vi, beforeEach } from 'vitest';
+import { GatewayService } from '../src/gateway/gateway.service.js';
+import { ExecutionContext } from '../src/core/execution.context.js';
+import pino from 'pino';
+import axios from 'axios';
+
+vi.mock('axios');
+const logger = pino({ level: 'silent' });
+
+describe('GatewayService', () => {
+    let gateway: GatewayService;
+    let context: ExecutionContext;
+
+    beforeEach(() => {
+        const securityService = {
+            validateUrl: vi.fn().mockReturnValue({ valid: true }),
+        } as any;
+        gateway = new GatewayService(logger, securityService);
+        context = new ExecutionContext({ logger });
+        vi.clearAllMocks();
+    });
+
+    it('should discover tools from multiple upstreams', async () => {
+        gateway.registerUpstream({ id: 'u1', url: 'http://u1' });
+        gateway.registerUpstream({ id: 'u2', url: 'http://u2' });
+
+        (axios.post as any).mockImplementation((url: string) => {
+            if (url === 'http://u1') return { data: { result: { tools: [{ name: 't1', inputSchema: {} }] } } };
+            if (url === 'http://u2') return { data: { result: { tools: [{ name: 't2', inputSchema: {} }] } } };
+            return { data: { result: { tools: [] } } };
+        });
+
+        const tools = await gateway.discoverTools(context);
+        expect(tools).toHaveLength(2);
+        expect(tools.find(t => t.name === 'u1__t1')).toBeDefined();
+        expect(tools.find(t => t.name === 'u2__t2')).toBeDefined();
+    });
+
+    it('should route tool calls to correct upstream', async () => {
+        gateway.registerUpstream({ id: 'u1', url: 'http://u1' });
+
+        (axios.post as any).mockResolvedValue({
+            data: { result: { stdout: 'done' } }
+        });
+
+        const response = await gateway.callTool('u1__t1', { arg1: 'val' }, context);
+
+        expect(axios.post).toHaveBeenCalledWith(
+            'http://u1',
+            expect.objectContaining({
+                method: 'call_tool',
+                params: expect.objectContaining({ name: 't1' })
+            }),
+            expect.anything()
+        );
+        expect(response.result.stdout).toBe('done');
+    });
+});

package/tests/gateway.strict.unit.test.ts

@@ -0,0 +1,74 @@
+import { describe, it, expect, vi, beforeEach } from 'vitest';
+import { GatewayService } from '../src/gateway/gateway.service.js';
+import { ExecutionContext } from '../src/core/execution.context.js';
+import { createLogger } from '../src/core/logger.js';
+import { ConfigService } from '../src/core/config.service.js';
+import { PolicyService } from '../src/core/policy.service.js';
+import { ToolSchema } from '../src/gateway/schema.cache.js';
+
+describe('GatewayService (Strict Verification)', () => {
+    let gateway: GatewayService;
+    let logger: any;
+    let mockClient: any;
+
+    beforeEach(() => {
+        logger = createLogger(new ConfigService());
+        gateway = new GatewayService(logger, { validateUrl: vi.fn().mockResolvedValue({ valid: true }) } as any, new PolicyService());
+
+        mockClient = {
+            call: vi.fn(),
+            getManifest: vi.fn(),
+        };
+        (gateway as any).clients.set('mock-tool', mockClient);
+    });
+
+    const mockSchema: ToolSchema = {
+        name: 'test_tool',
+        description: 'A test tool',
+        inputSchema: {
+            type: 'object',
+            properties: {
+                foo: { type: 'string' }
+            }
+        }
+    };
+
+    const mockStub: ToolSchema = {
+        name: 'stub_tool',
+        description: 'A stub tool',
+        inputSchema: undefined,
+    };
+
+    it('should allow call with missing schema in non-strict mode', async () => {
+        const context = new ExecutionContext({ logger, strictValidation: false });
+        (gateway as any).schemaCache.set('mock-tool', [mockStub]);
+        mockClient.call.mockResolvedValue({ result: 'ok' });
+
+        const response = await gateway.callTool('mock-tool__stub_tool', {}, context);
+
+        expect(response.error).toBeUndefined();
+        expect(mockClient.call).toHaveBeenCalled();
+    });
+
+    it('should block call with missing schema in strict mode', async () => {
+        const context = new ExecutionContext({ logger, strictValidation: true });
+        (gateway as any).schemaCache.set('mock-tool', [mockStub]);
+
+        const response = await gateway.callTool('mock-tool__stub_tool', {}, context);
+
+        expect(response.error).toBeDefined();
+        expect(response.error?.code).toBe(-32602);
+        expect(response.error?.message).toContain('Strict mode');
+        expect(mockClient.call).not.toHaveBeenCalled();
+    });
+
+    it('should block unknown tool in strict mode', async () => {
+        const context = new ExecutionContext({ logger, strictValidation: true });
+        (gateway as any).schemaCache.set('mock-tool', [mockSchema]);
+
+        const response = await gateway.callTool('mock-tool__unknown', {}, context);
+
+        expect(response.error).toBeDefined();
+        expect(response.error?.code).toBe(-32601);
+    });
+});

package/tests/gateway.validation.unit.test.ts

@@ -0,0 +1,89 @@
+import { describe, it, expect, vi, beforeEach } from 'vitest';
+import { GatewayService } from '../src/gateway/gateway.service.js';
+import { ExecutionContext } from '../src/core/execution.context.js';
+import { createLogger } from '../src/core/logger.js';
+import { ConfigService } from '../src/core/config.service.js';
+import { PolicyService } from '../src/core/policy.service.js';
+import { ToolSchema } from '../src/gateway/schema.cache.js';
+
+describe('GatewayService (ValidateTool)', () => {
+    let gateway: GatewayService;
+    let logger: any;
+    let mockClient: any;
+
+    beforeEach(() => {
+        logger = createLogger(new ConfigService());
+        gateway = new GatewayService(logger, { validateUrl: vi.fn().mockResolvedValue({ valid: true }) } as any, new PolicyService());
+
+        mockClient = {
+            call: vi.fn(),
+            getManifest: vi.fn(),
+        };
+        (gateway as any).clients.set('mock-package', mockClient);
+    });
+
+    const mockSchema: ToolSchema = {
+        name: 'test_tool',
+        description: 'A test tool',
+        inputSchema: {
+            type: 'object',
+            properties: {
+                foo: { type: 'string' },
+                bar: { type: 'number' }
+            },
+            required: ['foo']
+        }
+    };
+
+    it('should return valid:true for valid parameters', async () => {
+        const context = new ExecutionContext({ logger });
+
+        // Mock listToolStubs behavior by pre-loading cache or mocking cache
+        // Let's use internal method to seed cache
+        (gateway as any).schemaCache.set('mock-package', [mockSchema]);
+
+        const result = await gateway.validateTool('mock-package__test_tool', { foo: 'hello', bar: 123 }, context);
+
+        expect(result.valid).toBe(true);
+        expect(result.errors).toBeUndefined();
+    });
+
+    it('should return valid:false for invalid parameters', async () => {
+        const context = new ExecutionContext({ logger });
+        (gateway as any).schemaCache.set('mock-package', [mockSchema]);
+
+        const result = await gateway.validateTool('mock-package__test_tool', { bar: 'wrong type' }, context);
+
+        expect(result.valid).toBe(false);
+        expect(result.errors).toBeDefined();
+        // Check for specific error message if possible, but generic check is fine for now
+        expect(JSON.stringify(result.errors)).toContain('must have required property');
+    });
+
+    it('should lazy load schema if missing', async () => {
+        const context = new ExecutionContext({ logger });
+
+        // Mock listToolStubs to populate cache
+        // We can spy on listToolStubs but it's easier to verify behavior by effect
+
+        // Actually, listToolStubs populates cache from RPC/Manifest
+        mockClient.call.mockResolvedValue({
+            result: { tools: [mockSchema] }
+        });
+
+        const result = await gateway.validateTool('mock-package__test_tool', { foo: 'lazy' }, context);
+
+        expect(mockClient.call).toHaveBeenCalled(); // Should fetch since cache was empty
+        expect(result.valid).toBe(true);
+    });
+
+    it('should return error if tool not found', async () => {
+        const context = new ExecutionContext({ logger });
+        mockClient.call.mockResolvedValue({ result: { tools: [] } });
+
+        const result = await gateway.validateTool('mock-package__non_existent', {}, context);
+
+        expect(result.valid).toBe(false);
+        expect(result.errors?.[0]).toContain('not found');
+    });
+});

package/tests/gateway_validation.test.ts

@@ -0,0 +1,86 @@
+import { describe, it, expect, vi, beforeEach, afterEach } from 'vitest';
+import { GatewayService } from '../src/gateway/gateway.service.js';
+import { ExecutionContext } from '../src/core/execution.context.js';
+import { UpstreamInfo } from '../src/gateway/upstream.client.js';
+import { createLogger } from '../src/core/logger.js';
+import { ConfigService } from '../src/core/config.service.js';
+import { IUrlValidator } from '../src/core/interfaces/url.validator.interface.js';
+import { PolicyService } from '../src/core/policy.service.js';
+
+class MockUrlValidator implements IUrlValidator {
+    async validateUrl(url: string) { return { valid: true }; }
+}
+
+describe('GatewayService validation', () => {
+    let gateway: GatewayService;
+    let logger: any;
+    let urlValidator: IUrlValidator;
+    let policyService: PolicyService;
+
+    const mockUpstream: UpstreamInfo = {
+        id: 'mock-upstream',
+        type: 'http',
+        url: 'http://localhost:3000/mcp'
+    };
+
+    beforeEach(() => {
+        logger = createLogger(new ConfigService());
+        urlValidator = new MockUrlValidator();
+        policyService = new PolicyService();
+        gateway = new GatewayService(logger, urlValidator, policyService);
+        gateway.registerUpstream(mockUpstream);
+    });
+
+    afterEach(() => {
+        vi.restoreAllMocks();
+    });
+
+    it('should validate params against schema', async () => {
+        const client = (gateway as any).clients.get('mock-upstream');
+        const callSpy = vi.spyOn(client, 'call').mockResolvedValue({
+            jsonrpc: '2.0',
+            id: 1,
+            result: {
+                tools: [{
+                    name: 'test',
+                    inputSchema: {
+                        type: 'object',
+                        properties: { count: { type: 'number' } },
+                        required: ['count']
+                    }
+                }]
+            }
+        });
+
+        const context = new ExecutionContext({ logger });
+
+        // Fail validation
+        const failParams = { count: 'not a number' };
+        const failRes = await gateway.callTool('mock-upstream__test', failParams, context);
+        expect(failRes.error).toBeDefined();
+        expect(failRes.error?.code).toBe(-32602);
+
+        // Pass validation
+        callSpy.mockResolvedValueOnce({ jsonrpc: '2.0', id: 2, result: { success: true } });
+        const passParams = { count: 123 };
+        const passRes = await gateway.callTool('mock-upstream__test', passParams, context);
+        expect(passRes.error).toBeUndefined();
+    });
+
+    it('should allow tool call if schema is missing (backward compatibility / permissive)', async () => {
+        const client = (gateway as any).clients.get('mock-upstream');
+        const callSpy = vi.spyOn(client, 'call').mockResolvedValue({
+            jsonrpc: '2.0',
+            id: 1,
+            result: { tools: [{ name: 'noschema' }] } // no inputSchema
+        });
+
+        const context = new ExecutionContext({ logger });
+        const params = { any: 'thing' };
+
+        callSpy.mockResolvedValueOnce({ jsonrpc: '2.0', id: 2, result: { success: true } });
+        const res = await gateway.callTool('mock-upstream__noschema', params, context);
+
+        expect(res.error).toBeUndefined();
+    });
+});

package/tests/hardening.test.ts

@@ -0,0 +1,139 @@
+
+import { describe, it, expect, vi, beforeEach, afterEach } from 'vitest';
+import { SocketTransport } from '../src/transport/socket.transport.js';
+import { RequestController } from '../src/core/request.controller.js';
+import { SecurityService } from '../src/core/security.service.js';
+import { ConcurrencyService } from '../src/core/concurrency.service.js';
+import { ExecutionService } from '../src/core/execution.service.js';
+import { ExecutorRegistry } from '../src/core/registries/executor.registry.js';
+import { buildDefaultMiddleware } from '../src/core/middleware/middleware.builder.js';
+import { pino } from 'pino';
+import net from 'net';
+import os from 'os';
+import path from 'path';
+
+const logger = pino({ level: 'silent' });
+
+describe('V1 Hardening Tests', () => {
+    let transport: SocketTransport;
+    let securityService: SecurityService;
+    let requestController: RequestController;
+    let socketPath: string;
+    let mockDenoExecutor: any;
+
+    beforeEach(async () => {
+        const ipcToken = 'master-token';
+        securityService = new SecurityService(logger, ipcToken);
+        const concurrencyService = new ConcurrencyService(logger, { maxConcurrent: 10 });
+
+        const gatewayService = {
+            callTool: vi.fn(),
+            discoverTools: vi.fn().mockResolvedValue([]), // Return empty array for SDK generation
+            listToolPackages: vi.fn().mockResolvedValue([]),
+            listToolStubs: vi.fn().mockResolvedValue([])
+        } as any;
+
+        const defaultLimits = { timeoutMs: 1000, memoryLimitMb: 128, maxOutputBytes: 1024, maxLogEntries: 5 }; // Low log limit
+
+        const executorRegistry = new ExecutorRegistry();
+
+        // Mock DenoExecutor
+        mockDenoExecutor = {
+            execute: vi.fn().mockResolvedValue({ stdout: '', stderr: '', exitCode: 0 })
+        };
+        executorRegistry.register('deno', mockDenoExecutor as any);
+
+        const executionService = new ExecutionService(
+            logger,
+            defaultLimits,
+            gatewayService,
+            securityService,
+            executorRegistry
+        );
+        executionService.ipcAddress = '127.0.0.1:0'; // Dummy address for tests
+        // Ensure executionService has required methods for RequestController healthCheck/warmup delegation
+        vi.spyOn(executionService, 'shutdown').mockResolvedValue();
+        vi.spyOn(executionService, 'warmup').mockResolvedValue();
+        vi.spyOn(executionService, 'healthCheck').mockResolvedValue({ status: 'ok' });
+
+        requestController = new RequestController(logger, executionService, gatewayService, buildDefaultMiddleware(securityService));
+
+        transport = new SocketTransport(logger, requestController, concurrencyService);
+
+        socketPath = path.join(os.tmpdir(), `conduit-test-${Math.random().toString(36).substring(7)}.sock`);
+        if (os.platform() === 'win32') {
+            socketPath = '\\\\.\\pipe\\conduit-test-' + Math.random().toString(36).substring(7);
+        }
+        await transport.listen({ path: socketPath });
+    });
+
+    afterEach(async () => {
+        await transport.close();
+    });
+
+    async function sendRequest(request: any): Promise<any> {
+        return new Promise((resolve, reject) => {
+            const client = net.createConnection({ path: socketPath }, () => {
+                client.write(JSON.stringify(request) + '\n');
+            });
+
+            client.once('data', (data) => {
+                resolve(JSON.parse(data.toString()));
+                client.end();
+            });
+
+            client.on('error', reject);
+        });
+    }
+
+    it('should deny executeTypeScript with session token', async () => {
+        const sessionToken = securityService.createSession();
+
+        const response = await sendRequest({
+            jsonrpc: '2.0',
+            id: 1,
+            method: 'mcp.executeTypeScript',
+            params: { code: 'console.log("hi")' },
+            auth: { bearerToken: sessionToken }
+        });
+
+        expect(response.error).toBeDefined();
+        expect(response.error.code).toBe(-32003); // Forbidden
+        expect(response.error.message).toContain('Session tokens are restricted');
+    });
+
+    it('should allow discoverTools with session token', async () => {
+        const sessionToken = securityService.createSession();
+
+        // Mock handleDiscoverTools response logic via requestController
+        // We mocked gatewayService but requestController calls it.
+        // We need to ensure requestController.handleDiscoverTools works.
+        // It calls gatewayService.discoverTools.
+        (requestController as any).gatewayService.discoverTools.mockResolvedValue([]);
+
+        const response = await sendRequest({
+            jsonrpc: '2.0',
+            id: 2,
+            method: 'mcp.discoverTools',
+            params: {},
+            auth: { bearerToken: sessionToken }
+        });
+
+        expect(response.error).toBeUndefined();
+        expect(response.result).toBeDefined();
+    });
+
+    it('should allow executeTypeScript with master token', async () => {
+        const response = await sendRequest({
+            jsonrpc: '2.0',
+            id: 3,
+            method: 'mcp.executeTypeScript',
+            params: { code: 'import * as os from "os"; console.log("hi")' },
+            auth: { bearerToken: 'master-token' }
+        });
+
+        // It should call the executor (which we mocked above to success)
+        expect(response.error).toBeUndefined();
+        expect(mockDenoExecutor.execute).toHaveBeenCalled();
+    });
+});

package/tests/hardening_v1.test.ts

@@ -0,0 +1,72 @@
+import { describe, it, expect, vi, beforeEach, afterEach } from 'vitest';
+import axios from 'axios';
+import dns from 'node:dns/promises';
+import { UpstreamClient } from '../src/gateway/upstream.client.js';
+import { SecurityService } from '../src/core/security.service.js';
+import { AuthService } from '../src/gateway/auth.service.js';
+import { ExecutionContext } from '../src/core/execution.context.js';
+import pino from 'pino';
+
+const logger = pino({ level: 'silent' });
+
+vi.mock('axios');
+vi.mock('node:dns/promises');
+
+describe('V1 Hardening', () => {
+    let securityService: SecurityService;
+    let upstreamClient: UpstreamClient;
+    let authService: AuthService;
+
+    beforeEach(() => {
+        securityService = new SecurityService(logger, 'ipctoken');
+        authService = new AuthService(logger);
+        upstreamClient = new UpstreamClient(
+            logger,
+            { id: 'test', url: 'http://example.com/mcp' },
+            authService,
+            securityService
+        );
+        vi.clearAllMocks();
+    });
+
+    describe('SSRF Protection', () => {
+        it('should disable redirects in axios config', async () => {
+            // Mock security check to pass
+            vi.spyOn(securityService, 'validateUrl').mockResolvedValue({ valid: true });
+            (axios.post as any).mockResolvedValue({ data: { jsonrpc: '2.0', id: 1, result: {} } });
+
+            await upstreamClient.call(
+                { jsonrpc: '2.0', id: 1, method: 'tools/list' },
+                new ExecutionContext({ logger })
+            );
+
+            expect(axios.post).toHaveBeenCalledWith(
+                'http://example.com/mcp',
+                expect.any(Object),
+                expect.objectContaining({ maxRedirects: 0 })
+            );
+        });
+
+        it('should check all resolved addresses for private IPs', async () => {
+            // Mock dns.lookup to return a private IP in the list
+            (dns.lookup as any).mockResolvedValue([
+                { address: '1.1.1.1', family: 4 },
+                { address: '127.0.0.1', family: 4 } // Private!
+            ]);
+
+            const result = await securityService.validateUrl('http://example.com');
+            expect(result.valid).toBe(false);
+            expect(result.message).toContain('resolves to private network');
+            expect(dns.lookup).toHaveBeenCalledWith('example.com', { all: true });
+        });
+
+        it('should allow benign public IPs', async () => {
+            (dns.lookup as any).mockResolvedValue([
+                { address: '93.184.216.34', family: 4 }
+            ]);
+
+            const result = await securityService.validateUrl('http://example.com');
+            expect(result.valid).toBe(true);
+        });
+    });
+});

package/tests/isolate.executor.test.ts

@@ -0,0 +1,100 @@
+import { describe, it, expect, vi, beforeEach } from 'vitest';
+import { IsolateExecutor } from '../src/executors/isolate.executor.js';
+import { ExecutionContext } from '../src/core/execution.context.js';
+import pino from 'pino';
+
+const logger = pino({ level: 'silent' });
+
+describe('IsolateExecutor', () => {
+    let executor: IsolateExecutor;
+    let gatewayService: any;
+
+    beforeEach(() => {
+        gatewayService = {
+            callTool: vi.fn().mockResolvedValue({ result: { content: 'test' } }),
+            discoverTools: vi.fn().mockResolvedValue([]),
+        };
+        executor = new IsolateExecutor(logger, gatewayService);
+    });
+
+    it('should execute simple JavaScript code', async () => {
+        const code = 'console.log("Hello from isolate")';
+        const context = new ExecutionContext({ logger });
+        const limits = { timeoutMs: 5000, memoryLimitMb: 128, maxOutputBytes: 1024, maxLogEntries: 100 };
+
+        const result = await executor.execute(code, limits, context);
+
+        expect(result.exitCode).toBe(0);
+        expect(result.stdout).toContain('Hello from isolate');
+    });
+
+    it('should capture console.error output', async () => {
+        const code = 'console.error("Error message")';
+        const context = new ExecutionContext({ logger });
+        const limits = { timeoutMs: 5000, memoryLimitMb: 128, maxOutputBytes: 1024, maxLogEntries: 100 };
+
+        const result = await executor.execute(code, limits, context);
+
+        expect(result.exitCode).toBe(0);
+        expect(result.stderr).toContain('Error message');
+    });
+
+    it('should timeout on long execution', async () => {
+        const code = 'while(true) {}';  // Infinite loop
+        const context = new ExecutionContext({ logger });
+        const limits = { timeoutMs: 100, memoryLimitMb: 128, maxOutputBytes: 1024, maxLogEntries: 100 };
+
+        const result = await executor.execute(code, limits, context);
+
+        expect(result.error).toBeDefined();
+        expect(result.error?.code).toBe(-32008);  // RequestTimeout
+    }, 10000);
+
+    it('should expose tools.$raw for calling tools', async () => {
+        gatewayService.callTool.mockResolvedValue({
+            result: { message: 'Tool called!' }
+        });
+
+        const code = `
+            const result = await tools.$raw('test__hello', { arg: 1 });
+            console.log(JSON.stringify(result));
+        `;
+        const context = new ExecutionContext({ logger });
+        const limits = { timeoutMs: 5000, memoryLimitMb: 128, maxOutputBytes: 1024, maxLogEntries: 100 };
+
+        const result = await executor.execute(code, limits, context);
+
+        expect(result.exitCode).toBe(0);
+        expect(gatewayService.callTool).toHaveBeenCalledWith('test__hello', { arg: 1 }, context);
+    });
+
+    it('should use injected SDK script for typed access', async () => {
+        gatewayService.callTool.mockResolvedValue({
+            result: { content: 'typed result' }
+        });
+
+        const sdkScript = `
+            const tools = {
+                mock: {
+                    async hello(args) {
+                        const res = await __callTool('mock__hello', JSON.stringify(args));
+                        return JSON.parse(res);
+                    }
+                }
+            };
+        `;
+
+        const code = `
+            await tools.mock.hello({ name: 'Typed' });
+            console.log('Typed call done');
+        `;
+        const context = new ExecutionContext({ logger });
+        const limits = { timeoutMs: 5000, memoryLimitMb: 128, maxOutputBytes: 1024, maxLogEntries: 100 };
+
+        const result = await executor.execute(code, limits, context, { sdkCode: sdkScript });
+
+        expect(result.exitCode).toBe(0);
+        expect(gatewayService.callTool).toHaveBeenCalledWith('mock__hello', { name: 'Typed' }, context);
+        expect(result.stdout).toContain('Typed call done');
+    });
+});

package/tests/log-limit.test.ts

@@ -0,0 +1,55 @@
+import { describe, it, expect, beforeEach, beforeAll, afterAll } from 'vitest';
+import { DenoExecutor } from '../src/executors/deno.executor.js';
+import { PyodideExecutor } from '../src/executors/pyodide.executor.js';
+import { ExecutionContext } from '../src/core/execution.context.js';
+import { ConduitError } from '../src/core/request.controller.js';
+import pino from 'pino';
+
+const logger = pino({ level: 'silent' });
+
+describe('LogLimitExceeded Verification', () => {
+    let context: ExecutionContext;
+
+    beforeEach(() => {
+        context = new ExecutionContext({ logger });
+    });
+
+    describe('DenoExecutor', () => {
+        it('should return LogLimitExceeded when log entry limit breached', async () => {
+            const executor = new DenoExecutor();
+            const result = await executor.execute('for(let i=0; i<100; i++) console.log(i)', {
+                timeoutMs: 5000,
+                memoryLimitMb: 128,
+                maxOutputBytes: 1024 * 1024,
+                maxLogEntries: 10,
+            }, context);
+
+            expect(result.error?.code).toBe(ConduitError.LogLimitExceeded);
+            expect(result.error?.message).toContain('Log entry limit exceeded');
+        });
+    });
+
+    describe('PyodideExecutor', () => {
+        let pyExecutor: PyodideExecutor;
+
+        beforeAll(() => {
+            pyExecutor = new PyodideExecutor();
+        });
+
+        afterAll(async () => {
+            await pyExecutor.shutdown();
+        });
+
+        it('should return LogLimitExceeded when log entry limit breached', async () => {
+            const result = await pyExecutor.execute('for i in range(100): print(i)', {
+                timeoutMs: 10000,
+                memoryLimitMb: 128,
+                maxOutputBytes: 1024 * 1024,
+                maxLogEntries: 10,
+            }, context);
+
+            expect(result.error?.code).toBe(ConduitError.LogLimitExceeded);
+            expect(result.error?.message).toContain('Log entry limit exceeded');
+        }, 20000);
+    });
+});