@openparachute/agent 0.2.2 → 0.2.3-rc.10

package/src/sandbox/egress.test.ts

@@ -1,113 +0,0 @@
-import { describe, test, expect } from "bun:test";
-import {
-  ANTHROPIC_EGRESS_HOSTS,
-  baseEgressAllowlist,
-  composeEgressAllowlist,
-  hostFromOrigin,
-  type EgressBaseInput,
-} from "./egress.ts";
-
-const BASE: EgressBaseInput = { hubOrigin: "https://hub.example.com" };
-
-describe("hostFromOrigin", () => {
-  test("reduces an origin to its hostname (strips scheme + port + path)", () => {
-    expect(hostFromOrigin("https://hub.example.com:1939/admin")).toBe("hub.example.com");
-  });
-  test("passes a bare host through", () => {
-    expect(hostFromOrigin("registry.npmjs.org")).toBe("registry.npmjs.org");
-  });
-  test("strips a :port from a bare host:port", () => {
-    expect(hostFromOrigin("127.0.0.1:1939")).toBe("127.0.0.1");
-  });
-  test("preserves loopback (a co-located dev hub is loopback)", () => {
-    expect(hostFromOrigin("http://127.0.0.1:1939")).toBe("127.0.0.1");
-  });
-  test("returns null for empty / nullish input", () => {
-    expect(hostFromOrigin("")).toBeNull();
-    expect(hostFromOrigin(undefined)).toBeNull();
-    expect(hostFromOrigin("   ")).toBeNull();
-  });
-});
-
-describe("baseEgressAllowlist — the non-removable base", () => {
-  test("always includes the Anthropic hosts + the hub host", () => {
-    const base = baseEgressAllowlist(BASE);
-    for (const h of ANTHROPIC_EGRESS_HOSTS) expect(base).toContain(h);
-    expect(base).toContain("hub.example.com");
-  });
-
-  test("includes a distinct vault host when given", () => {
-    const base = baseEgressAllowlist({ ...BASE, vaultOrigin: "https://vault.example.com" });
-    expect(base).toContain("vault.example.com");
-  });
-
-  test("dedupes a vault origin equal to the hub origin", () => {
-    const base = baseEgressAllowlist({
-      hubOrigin: "https://h.example.com",
-      vaultOrigin: "https://h.example.com",
-    });
-    expect(base.filter((h) => h === "h.example.com")).toHaveLength(1);
-  });
-});
-
-describe("composeEgressAllowlist — base floor is non-removable, spec is additive", () => {
-  test("an empty spec egress still gets the full base (weaver-style arm)", () => {
-    const allow = composeEgressAllowlist(BASE, []);
-    for (const h of ANTHROPIC_EGRESS_HOSTS) expect(allow).toContain(h);
-    expect(allow).toContain("hub.example.com");
-  });
-
-  test("an undefined spec egress still gets the full base", () => {
-    const allow = composeEgressAllowlist(BASE, undefined);
-    expect(allow).toContain("api.anthropic.com");
-    expect(allow).toContain("hub.example.com");
-  });
-
-  test("spec hosts are ADDED on top of the base", () => {
-    const allow = composeEgressAllowlist(BASE, ["registry.npmjs.org", "pypi.org"]);
-    // base present...
-    expect(allow).toContain("api.anthropic.com");
-    expect(allow).toContain("hub.example.com");
-    // ...plus the additions
-    expect(allow).toContain("registry.npmjs.org");
-    expect(allow).toContain("pypi.org");
-  });
-
-  test("SECURITY: a spec that lists ONLY a foreign host CANNOT drop the base — the base is still present", () => {
-    // A spec authored to omit the base entirely (the malicious-omit case).
-    const allow = composeEgressAllowlist(BASE, ["evil.example.com"]);
-    // The base floor survives regardless of what the spec listed.
-    expect(allow).toContain("api.anthropic.com");
-    expect(allow).toContain("hub.example.com");
-    // The spec's own host is added (additive), not a replacement.
-    expect(allow).toContain("evil.example.com");
-  });
-
-  test("SECURITY: a spec cannot REPLACE the Anthropic host with a look-alike — both end up present, base is not dropped", () => {
-    // A spec that tries to "override" the Anthropic host by re-declaring a near-miss.
-    const allow = composeEgressAllowlist(BASE, ["api.anthropic.com.evil.example.com"]);
-    // The real Anthropic apex is still on the list (the base recomputed from code).
-    expect(allow).toContain("api.anthropic.com");
-    // The look-alike is just an additional (separate) host, not a substitution.
-    expect(allow).toContain("api.anthropic.com.evil.example.com");
-    // And the look-alike did not evict the real host.
-    expect(allow.indexOf("api.anthropic.com")).toBeGreaterThanOrEqual(0);
-  });
-
-  test("the base always sorts FIRST (recomputed from code, prepended)", () => {
-    const allow = composeEgressAllowlist(BASE, ["z-late.example.com"]);
-    expect(allow[0]).toBe("api.anthropic.com");
-    expect(allow[allow.length - 1]).toBe("z-late.example.com");
-  });
-
-  test("spec origins are normalized to hosts (full URL and bare host land the same)", () => {
-    const a = composeEgressAllowlist(BASE, ["https://registry.npmjs.org"]);
-    const b = composeEgressAllowlist(BASE, ["registry.npmjs.org"]);
-    expect(a).toEqual(b);
-  });
-
-  test("dedupes a spec host that duplicates a base host", () => {
-    const allow = composeEgressAllowlist(BASE, ["hub.example.com"]);
-    expect(allow.filter((h) => h === "hub.example.com")).toHaveLength(1);
-  });
-});

package/src/sandbox/live-seatbelt.test.ts

@@ -1,277 +0,0 @@
-/**
- * LIVE sandbox-runtime assertions on this host (Seatbelt on macOS).
- *
- * These run a REAL sandboxed process and assert it is genuinely confined:
- *   - egress to a non-allowlisted host is DENIED;
- *   - egress to an allowlisted host is permitted to ATTEMPT (proxy admits it);
- *   - a read OUTSIDE the declared binds is DENIED;
- *   - a read INSIDE a bind is permitted.
- *
- * The sandbox-runtime singleton starts host proxies on `initialize` and tears
- * them down on `reset`; it is process-global, so these cases serialize (one
- * describe block, sequential `initialize`→wrap→reset per case). Sandboxed in a
- * fresh temp workspace — NEVER the operator's live ~/.parachute.
- *
- * Skipped automatically when the platform can't sandbox (`isSupportedPlatform()`
- * false) or its deps aren't satisfied — so CI on an unsupported runner stays
- * green while a capable host (this Mac) exercises the real boundary. The
- * config-shape tests (egress/mounts/config.test.ts) ALWAYS run regardless.
- */
-import { describe, test, expect, afterEach } from "bun:test";
-import { mkdtempSync, writeFileSync, mkdirSync, rmSync } from "node:fs";
-import { join } from "node:path";
-import { tmpdir, homedir } from "node:os";
-import { SandboxManager } from "@anthropic-ai/sandbox-runtime";
-import { buildSandboxConfig } from "./config.ts";
-import type { AgentSpec, BaseBinds } from "./types.ts";
-
-const CAN_SANDBOX =
-  SandboxManager.isSupportedPlatform() && SandboxManager.checkDependencies().errors.length === 0;
-
-// A positive control: prove the harness can actually run a sandboxed process at
-// all before asserting on denials (negative-scans-need-positive-controls).
-const d = CAN_SANDBOX ? describe : describe.skip;
-
-async function runSandboxed(
-  cfg: ReturnType<typeof buildSandboxConfig>,
-  command: string,
-): Promise<{ code: number; stdout: string; stderr: string }> {
-  await SandboxManager.initialize(cfg);
-  try {
-    const { argv, env } = await SandboxManager.wrapWithSandboxArgv(command);
-    const proc = Bun.spawn(argv, {
-      env: env as Record<string, string>,
-      stdout: "pipe",
-      stderr: "pipe",
-    });
-    const [stdout, stderr, code] = await Promise.all([
-      new Response(proc.stdout as ReadableStream<Uint8Array>).text(),
-      new Response(proc.stderr as ReadableStream<Uint8Array>).text(),
-      proc.exited,
-    ]);
-    return { code, stdout, stderr };
-  } finally {
-    await SandboxManager.reset();
-  }
-}
-
-let workspace: string;
-
-afterEach(() => {
-  if (workspace) rmSync(workspace, { recursive: true, force: true });
-});
-
-d("LIVE Seatbelt — network egress", () => {
-  test("positive control: the harness can run a trivial sandboxed command", async () => {
-    workspace = mkdtempSync(join(tmpdir(), "sbx-live-pos-"));
-    const spec: AgentSpec = { name: "pos", channels: ["c"], network: "restricted", egress: [] };
-    const cfg = buildSandboxConfig({
-      spec,
-      baseBinds: { workspace, runtimeReadOnly: [] },
-      egressBase: { hubOrigin: "http://127.0.0.1:1939" },
-      platform: "darwin",
-    });
-    const r = await runSandboxed(cfg, "echo sandbox-alive");
-    expect(r.code).toBe(0);
-    expect(r.stdout).toContain("sandbox-alive");
-  }, 60_000);
-
-  test("DENIED: curl to a host NOT in the allowlist is blocked", async () => {
-    workspace = mkdtempSync(join(tmpdir(), "sbx-live-deny-"));
-    // Allowlist the base only (anthropic + the loopback hub). example.com is NOT on it.
-    const spec: AgentSpec = { name: "deny", channels: ["c"], network: "restricted", egress: [] };
-    const cfg = buildSandboxConfig({
-      spec,
-      baseBinds: { workspace, runtimeReadOnly: [] },
-      egressBase: { hubOrigin: "http://127.0.0.1:1939" },
-      platform: "darwin",
-    });
-    const r = await runSandboxed(
-      cfg,
-      "curl -sS -m 8 -o /dev/null -w '%{http_code}' https://example.com",
-    );
-    // The egress proxy refuses a non-allowlisted host: curl exits non-zero
-    // (commonly 56 "CONNECT tunnel failed, response 403"). The key assertion is
-    // that the request did NOT succeed with a 2xx.
-    expect(r.code).not.toBe(0);
-    expect(r.stdout).not.toMatch(/^2\d\d$/);
-  }, 60_000);
-
-  test("a spec that adds an egress host gets that host on the allowlist (additive)", async () => {
-    workspace = mkdtempSync(join(tmpdir(), "sbx-live-add-"));
-    const spec: AgentSpec = { name: "add", channels: ["c"], network: "restricted", egress: ["example.com"] };
-    const cfg = buildSandboxConfig({
-      spec,
-      baseBinds: { workspace, runtimeReadOnly: [] },
-      egressBase: { hubOrigin: "http://127.0.0.1:1939" },
-      platform: "darwin",
-    });
-    // We assert the CONFIG carries the host (a live fetch to example.com would be
-    // a network-flaky external dependency; the denial test above is the live
-    // boundary proof). The base floor is also present.
-    expect(cfg.network.allowedDomains).toContain("example.com");
-    expect(cfg.network.allowedDomains).toContain("api.anthropic.com");
-  }, 60_000);
-});
-
-d("LIVE Seatbelt — filesystem read confinement", () => {
-  test("DENIED: reading a file OUTSIDE the declared binds fails", async () => {
-    workspace = mkdtempSync(join(tmpdir(), "sbx-live-read-"));
-    // A secret OUTSIDE the workspace, under a sibling temp dir we do NOT bind.
-    const secretDir = mkdtempSync(join(tmpdir(), "sbx-live-secret-"));
-    const secretFile = join(secretDir, "secret.txt");
-    writeFileSync(secretFile, "TOPSECRET-do-not-read");
-    try {
-      const spec: AgentSpec = { name: "read", channels: ["c"], network: "restricted", egress: [] };
-      const cfg = buildSandboxConfig({
-        spec,
-        baseBinds: { workspace, runtimeReadOnly: [] },
-        egressBase: { hubOrigin: "http://127.0.0.1:1939" },
-        platform: "darwin",
-      });
-      // Deny the temp root so the unbound secret dir is unreadable; re-allow only
-      // the workspace. (buildSandboxConfig denies /Users; the macOS temp dir lives
-      // under /var/folders, so we additionally deny the secret's parent to make the
-      // confinement assertion robust regardless of where the OS placed the tmp dir.)
-      cfg.filesystem.denyRead = [...cfg.filesystem.denyRead, secretDir];
-      const r = await runSandboxed(cfg, `cat ${secretFile}`);
-      expect(r.code).not.toBe(0);
-      expect(r.stdout).not.toContain("TOPSECRET");
-    } finally {
-      rmSync(secretDir, { recursive: true, force: true });
-    }
-  }, 60_000);
-
-  test("PRODUCTION PATH: the spec-derived /Users deny blocks a read of a real home-dir file (no manual patch)", async () => {
-    // The §4.5 scoped-read property is "an arm cannot read the operator's home."
-    // Prove it through the PRODUCTION config — secret under the REAL home dir,
-    // workspace also under home (so the re-allow path is exercised against the
-    // real `/Users` deny), and NO manual `denyRead` patch. This is the test that
-    // proves the deployed `denyRead:["/Users"]` actually confines reads.
-    const home = homedir();
-    workspace = mkdtempSync(join(home, ".sbx-live-ws-"));
-    const secretDir = mkdtempSync(join(home, ".sbx-live-secret-"));
-    const secretFile = join(secretDir, "home-secret.txt");
-    writeFileSync(secretFile, "HOME-TOPSECRET-do-not-read");
-    try {
-      const spec: AgentSpec = { name: "homeread", channels: ["c"], network: "restricted", egress: [] };
-      // buildSandboxConfig with platform "darwin" → denyRead:["/Users"],
-      // allowRead:[workspace]. We pass the config THROUGH unmodified.
-      const cfg = buildSandboxConfig({
-        spec,
-        baseBinds: { workspace, runtimeReadOnly: [] },
-        egressBase: { hubOrigin: "http://127.0.0.1:1939" },
-        platform: "darwin",
-      });
-      expect(cfg.filesystem.denyRead).toEqual(["/Users"]);
-      expect(cfg.filesystem.allowRead).toContain(workspace);
-      // The secret sits under /Users/<me>/… and is NOT in any bind → blocked.
-      const r = await runSandboxed(cfg, `cat ${secretFile}`);
-      expect(r.code).not.toBe(0);
-      expect(r.stdout).not.toContain("HOME-TOPSECRET");
-
-      // Positive control on the SAME production config: a file inside the
-      // workspace (also under /Users, but re-allowed by allowRead) IS readable —
-      // proving the deny didn't just break all reads.
-      const insideFile = join(workspace, "inside.txt");
-      writeFileSync(insideFile, "HOME-WORKSPACE-readable");
-      const ok = await runSandboxed(cfg, `cat ${insideFile}`);
-      expect(ok.code).toBe(0);
-      expect(ok.stdout).toContain("HOME-WORKSPACE-readable");
-    } finally {
-      rmSync(secretDir, { recursive: true, force: true });
-    }
-  }, 60_000);
-
-  test("DEFAULT POSTURE: ~/.parachute (operator.token's dir) is UNREADABLE, the workspace IS readable, network is OPEN", async () => {
-    // The security guarantee Aaron asked for: the DEFAULT spawn (no filesystem/no
-    // network knob) must (a) be unable to read the operator's secrets — modelled by
-    // a decoy planted in the REAL ~/.parachute, exactly where operator.token lives —
-    // while (b) still having the workspace readable and (c) the network fully OPEN.
-    // Reads scoped by default; internet open by default.
-    const home = homedir();
-    workspace = mkdtempSync(join(home, ".sbx-live-default-ws-"));
-    const decoy = join(home, ".parachute", `.sbx-live-decoy-${process.pid}.txt`);
-    writeFileSync(decoy, "OPERATOR-TOKEN-DECOY-do-not-read");
-    try {
-      // DEFAULT spec: neither filesystem nor network set → workspace-scoped reads + open net.
-      const spec: AgentSpec = { name: "deflt", channels: ["c"] };
-      const cfg = buildSandboxConfig({
-        spec,
-        baseBinds: { workspace, runtimeReadOnly: [] },
-        egressBase: { hubOrigin: "http://127.0.0.1:1939" },
-        platform: "darwin",
-      });
-      // Defaults: scoped reads (/Users denied) + OPEN network (no allowedDomains).
-      expect(cfg.filesystem.denyRead).toEqual(["/Users"]);
-      expect((cfg.network as { allowedDomains?: string[] }).allowedDomains).toBeUndefined();
-
-      // (a) the decoy in ~/.parachute is DENIED — operator.token is equally unreadable.
-      const blocked = await runSandboxed(cfg, `cat ${decoy}`);
-      expect(blocked.code).not.toBe(0);
-      expect(blocked.stdout).not.toContain("OPERATOR-TOKEN-DECOY");
-
-      // (b) positive control: a workspace file IS readable under the SAME config.
-      const inside = join(workspace, "inside.txt");
-      writeFileSync(inside, "WORKSPACE-readable-by-default");
-      const ok = await runSandboxed(cfg, `cat ${inside}`);
-      expect(ok.code).toBe(0);
-      expect(ok.stdout).toContain("WORKSPACE-readable-by-default");
-    } finally {
-      rmSync(decoy, { force: true });
-    }
-  }, 60_000);
-
-  test("ALLOWED: reading a file INSIDE the workspace bind succeeds", async () => {
-    workspace = mkdtempSync(join(tmpdir(), "sbx-live-read-ok-"));
-    const f = join(workspace, "inside.txt");
-    writeFileSync(f, "READABLE-inside-workspace");
-    const spec: AgentSpec = { name: "readok", channels: ["c"], network: "restricted", egress: [] };
-    const cfg = buildSandboxConfig({
-      spec,
-      baseBinds: { workspace, runtimeReadOnly: [] },
-      egressBase: { hubOrigin: "http://127.0.0.1:1939" },
-      platform: "darwin",
-    });
-    const r = await runSandboxed(cfg, `cat ${f}`);
-    expect(r.code).toBe(0);
-    expect(r.stdout).toContain("READABLE-inside-workspace");
-  }, 60_000);
-
-  test("DENIED: writing OUTSIDE the workspace fails (write confinement)", async () => {
-    workspace = mkdtempSync(join(tmpdir(), "sbx-live-write-"));
-    const outsideDir = mkdtempSync(join(tmpdir(), "sbx-live-outside-"));
-    const target = join(outsideDir, "should-not-exist.txt");
-    try {
-      const spec: AgentSpec = { name: "write", channels: ["c"], network: "restricted", egress: [] };
-      const cfg = buildSandboxConfig({
-        spec,
-        baseBinds: { workspace, runtimeReadOnly: [] },
-        egressBase: { hubOrigin: "http://127.0.0.1:1939" },
-        platform: "darwin",
-      });
-      const r = await runSandboxed(cfg, `echo pwned > ${target}`);
-      expect(r.code).not.toBe(0);
-      // The file must not have been created (write was blocked at the OS level).
-      expect(await Bun.file(target).exists()).toBe(false);
-    } finally {
-      rmSync(outsideDir, { recursive: true, force: true });
-    }
-  }, 60_000);
-
-  test("ALLOWED: writing INSIDE the workspace succeeds", async () => {
-    workspace = mkdtempSync(join(tmpdir(), "sbx-live-write-ok-"));
-    const target = join(workspace, "out.txt");
-    const spec: AgentSpec = { name: "writeok", channels: ["c"], network: "restricted", egress: [] };
-    const cfg = buildSandboxConfig({
-      spec,
-      baseBinds: { workspace, runtimeReadOnly: [] },
-      egressBase: { hubOrigin: "http://127.0.0.1:1939" },
-      platform: "darwin",
-    });
-    const r = await runSandboxed(cfg, `echo written-inside > ${target}`);
-    expect(r.code).toBe(0);
-    const written = await Bun.file(target).text();
-    expect(written).toContain("written-inside");
-  }, 60_000);
-});

package/src/sandbox/mounts.test.ts

@@ -1,154 +0,0 @@
-import { describe, test, expect } from "bun:test";
-import {
-  composeFilesystemView,
-  homeTreeDenyRoot,
-  sharedMounts,
-} from "./mounts.ts";
-import type { AgentMount, BaseBinds } from "./types.ts";
-
-const BASE: BaseBinds = {
-  workspace: "/state/sessions/arm",
-  runtimeReadOnly: ["/home/op/.claude"],
-};
-
-describe("homeTreeDenyRoot — platform nuance", () => {
-  test("macOS denies /Users", () => {
-    expect(homeTreeDenyRoot("darwin")).toBe("/Users");
-  });
-  test("Linux denies /home", () => {
-    expect(homeTreeDenyRoot("linux")).toBe("/home");
-  });
-});
-
-describe("composeFilesystemView — scoped reads + write confinement", () => {
-  test("with no mounts: reads = workspace + runtime, writes = workspace only", () => {
-    const fs = composeFilesystemView(BASE, undefined, "darwin");
-    expect(fs.allowRead).toContain("/state/sessions/arm");
-    expect(fs.allowRead).toContain("/home/op/.claude");
-    expect(fs.allowWrite).toEqual(["/state/sessions/arm"]);
-  });
-
-  test("the home tree is denied for reads (scoped-read policy, §4.5)", () => {
-    const fs = composeFilesystemView(BASE, undefined, "darwin");
-    expect(fs.denyRead).toContain("/Users");
-  });
-
-  test("the home tree denied is platform-correct on Linux", () => {
-    const fs = composeFilesystemView(BASE, undefined, "linux");
-    expect(fs.denyRead).toContain("/home");
-  });
-
-  test("an ro mount is readable but NOT writable", () => {
-    const mounts: AgentMount[] = [{ hostPath: "/refs/tree", mountPath: "/ref", mode: "ro" }];
-    const fs = composeFilesystemView(BASE, mounts, "darwin");
-    expect(fs.allowRead).toContain("/refs/tree");
-    expect(fs.allowWrite).not.toContain("/refs/tree");
-  });
-
-  test("an rw mount is BOTH readable and writable", () => {
-    const mounts: AgentMount[] = [{ hostPath: "/proj/foo", mountPath: "/work/foo", mode: "rw" }];
-    const fs = composeFilesystemView(BASE, mounts, "darwin");
-    expect(fs.allowRead).toContain("/proj/foo");
-    expect(fs.allowWrite).toContain("/proj/foo");
-  });
-
-  test("SECURITY: a path OUTSIDE all binds is not in the read surface (scoped, not broad)", () => {
-    const mounts: AgentMount[] = [{ hostPath: "/proj/foo", mountPath: "/work/foo", mode: "rw" }];
-    const fs = composeFilesystemView(BASE, mounts, "darwin");
-    // The operator's SSH dir / other vaults are NOT re-allowed within the denied home tree.
-    expect(fs.allowRead).not.toContain("/Users/op/.ssh");
-    expect(fs.allowRead).not.toContain("/Users/op/other-vault");
-    // And nothing widened the deny away.
-    expect(fs.denyRead).toEqual(["/Users"]);
-  });
-
-  test("SECURITY: writes are confined — only workspace + rw mounts, never an ro mount or arbitrary path", () => {
-    const mounts: AgentMount[] = [
-      { hostPath: "/refs/tree", mountPath: "/ref", mode: "ro" },
-      { hostPath: "/proj/foo", mountPath: "/work/foo", mode: "rw" },
-    ];
-    const fs = composeFilesystemView(BASE, mounts, "darwin");
-    expect(new Set(fs.allowWrite)).toEqual(new Set(["/state/sessions/arm", "/proj/foo"]));
-  });
-
-  test("the base binds are always present even if the spec declares none", () => {
-    const fs = composeFilesystemView(BASE, [], "linux");
-    expect(fs.allowRead).toContain("/state/sessions/arm");
-    expect(fs.allowRead).toContain("/home/op/.claude");
-    expect(fs.allowWrite).toContain("/state/sessions/arm");
-  });
-
-  test("dedupes a mount equal to the workspace", () => {
-    const mounts: AgentMount[] = [
-      { hostPath: "/state/sessions/arm", mountPath: "/work", mode: "rw" },
-    ];
-    const fs = composeFilesystemView(BASE, mounts, "darwin");
-    expect(fs.allowWrite.filter((p) => p === "/state/sessions/arm")).toHaveLength(1);
-  });
-
-  // The working-directory axis (design 2026-06-16-agent-filesystem-and-sharing.md):
-  // the spec's `workspace` (a shared real dir) is bound rw — readable + writable —
-  // decoupled from the private home (which stays the per-agent session dir).
-  describe("the working dir (workspace) as an rw working-root", () => {
-    test("a working dir is BOTH readable and writable (an rw working-root)", () => {
-      const fs = composeFilesystemView(BASE, undefined, "darwin", true, "/Users/op/Code/repo");
-      expect(fs.allowRead).toContain("/Users/op/Code/repo");
-      expect(fs.allowWrite).toContain("/Users/op/Code/repo");
-    });
-
-    test("the PRIVATE home is ALSO writable alongside the working dir (decoupled, both rw)", () => {
-      const fs = composeFilesystemView(BASE, undefined, "darwin", true, "/Users/op/Code/repo");
-      // The private session dir stays in the write surface (it holds .mcp.json/home/tmp).
-      expect(fs.allowWrite).toContain("/state/sessions/arm");
-      expect(fs.allowWrite).toContain("/Users/op/Code/repo");
-    });
-
-    test("unset working dir → only the private home is writable (today's behavior)", () => {
-      const fs = composeFilesystemView(BASE, undefined, "darwin", true, undefined);
-      expect(fs.allowWrite).toEqual(["/state/sessions/arm"]);
-    });
-
-    test("a blank working dir is ignored (treated as unset)", () => {
-      const fs = composeFilesystemView(BASE, undefined, "darwin", true, "");
-      expect(fs.allowWrite).toEqual(["/state/sessions/arm"]);
-    });
-
-    test("under filesystem 'full' (broad reads) the working dir is still in the write surface", () => {
-      const fs = composeFilesystemView(BASE, undefined, "darwin", false, "/Users/op/Code/repo");
-      expect(fs.denyRead).toEqual([]); // broad reads — no home-tree deny
-      expect(fs.allowWrite).toContain("/Users/op/Code/repo");
-      expect(fs.allowWrite).toContain("/state/sessions/arm");
-    });
-
-    test("a working dir equal to a declared mount dedupes in the write surface", () => {
-      const mounts: AgentMount[] = [{ hostPath: "/Users/op/Code/repo", mountPath: "/repo", mode: "rw" }];
-      const fs = composeFilesystemView(BASE, mounts, "darwin", true, "/Users/op/Code/repo");
-      expect(fs.allowWrite.filter((p) => p === "/Users/op/Code/repo")).toHaveLength(1);
-    });
-  });
-});
-
-describe("sharedMounts — the named cross-session relaxation", () => {
-  test("surfaces only mounts carrying a non-empty `shared` tag", () => {
-    const mounts: AgentMount[] = [
-      { hostPath: "/a", mountPath: "/a", mode: "ro" },
-      { hostPath: "/cache", mountPath: "/cache", mode: "ro", shared: "build-cache" },
-      { hostPath: "/b", mountPath: "/b", mode: "rw", shared: "" },
-    ];
-    const shared = sharedMounts(mounts);
-    expect(shared).toHaveLength(1);
-    expect(shared[0]!.shared).toBe("build-cache");
-  });
-
-  test("a shared mount is still bound like any other (honored in the fs view)", () => {
-    const mounts: AgentMount[] = [
-      { hostPath: "/cache", mountPath: "/cache", mode: "ro", shared: "build-cache" },
-    ];
-    const fs = composeFilesystemView(BASE, mounts, "darwin");
-    expect(fs.allowRead).toContain("/cache");
-  });
-
-  test("empty input → no shared mounts", () => {
-    expect(sharedMounts(undefined)).toEqual([]);
-  });
-});