@plosson/agentio 0.7.2 → 0.7.3

package/src/server/daemon.ts

@@ -0,0 +1,177 @@
+import { randomBytes } from 'crypto';
+
+import { loadConfig, saveConfig } from '../config/config-manager';
+import type { Config } from '../types/config';
+import type { ServerConfig } from '../types/server';
+import { handleRequest, type ServerContext } from './http';
+import {
+  createOAuthStore,
+  type PersistableOAuthState,
+} from './oauth-store';
+
+const DEFAULT_PORT = 9999;
+const DEFAULT_HOST = '0.0.0.0';
+
+/**
+ * Validate a port value from any source (CLI, env, config). Bun.serve
+ * silently falls back to a default when given NaN / negative / oversized
+ * values; we want to bail loudly instead so the operator sees the
+ * misconfiguration.
+ */
+function validatePort(value: number, source: string): number {
+  if (!Number.isInteger(value) || value < 1 || value > 65535) {
+    throw new Error(
+      `Invalid port from ${source}: must be an integer in [1, 65535], got ${value}`
+    );
+  }
+  return value;
+}
+
+export interface StartServerOptions {
+  /** Override the bound port (CLI flag > env > config > default). */
+  port?: number;
+  /** Override the bound host (CLI flag > env > config > default). */
+  host?: string;
+  /** Override the API key in-memory (does not get persisted). */
+  apiKey?: string;
+}
+
+let shutdownRequested = false;
+let runningServer: ReturnType<typeof Bun.serve> | null = null;
+
+/**
+ * Resolve effective server config from CLI options → env vars → stored
+ * config → defaults. The stored config is the source of truth for the API
+ * key (it persists across restarts), but CLI/env can override it for the
+ * current process only.
+ */
+async function resolveServerConfig(opts: StartServerOptions): Promise<{
+  port: number;
+  host: string;
+  apiKey: string;
+  generated: boolean;
+}> {
+  const config = (await loadConfig()) as Config;
+  let stored: ServerConfig = config.server ?? {};
+  let generated = false;
+
+  // Generate and persist an API key on first run.
+  if (!stored.apiKey) {
+    const generatedKey = `srv_${randomBytes(24).toString('base64url')}`;
+    stored = { ...stored, apiKey: generatedKey };
+    config.server = stored;
+    await saveConfig(config);
+    generated = true;
+  }
+
+  let port: number;
+  if (opts.port !== undefined) {
+    port = validatePort(opts.port, '--port');
+  } else if (process.env.AGENTIO_SERVER_PORT) {
+    port = validatePort(
+      Number(process.env.AGENTIO_SERVER_PORT),
+      'AGENTIO_SERVER_PORT'
+    );
+  } else if (stored.port !== undefined) {
+    port = validatePort(stored.port, 'config.server.port');
+  } else {
+    port = DEFAULT_PORT;
+  }
+
+  const host =
+    opts.host ??
+    process.env.AGENTIO_SERVER_HOST ??
+    stored.host ??
+    DEFAULT_HOST;
+
+  const apiKey =
+    opts.apiKey ?? process.env.AGENTIO_SERVER_API_KEY ?? stored.apiKey!;
+
+  return { port, host, apiKey, generated };
+}
+
+/**
+ * Start the agentio HTTP server in the foreground. Mirrors the gateway
+ * daemon's lifecycle: load/persist config, install signal handlers, run a
+ * Bun HTTP server, and `await` forever until SIGINT/SIGTERM.
+ */
+export async function startServer(opts: StartServerOptions = {}): Promise<void> {
+  console.log(`agentio-server starting (PID ${process.pid})`);
+
+  const { port, host, apiKey, generated } = await resolveServerConfig(opts);
+
+  if (generated) {
+    console.log('Generated new API key (persisted to config.server.apiKey)');
+  }
+
+  // Always print the API key so headless deploys (Docker, journalctl) can
+  // read it from the logs.
+  console.log(`API Key: ${apiKey}`);
+  console.log(`Listening on http://${host}:${port}`);
+
+  // Build the OAuth store. State is loaded from config.server.{clients,
+  // tokens} and persisted on every mutation through a callback that
+  // round-trips through loadConfig/saveConfig — that way we never clobber
+  // unrelated config.server.* fields (apiKey, port, host) that another
+  // part of the daemon may have updated.
+  const initialConfig = (await loadConfig()) as Config;
+  const oauthStore = createOAuthStore({
+    initial: {
+      clients: initialConfig.server?.clients,
+      tokens: initialConfig.server?.tokens,
+    },
+    save: async (state: PersistableOAuthState) => {
+      const cfg = (await loadConfig()) as Config;
+      cfg.server = {
+        ...cfg.server,
+        clients: state.clients,
+        tokens: state.tokens,
+      };
+      await saveConfig(cfg);
+    },
+  });
+
+  const ctx: ServerContext = { apiKey, oauthStore };
+
+  const shutdown = async (signal: string) => {
+    if (shutdownRequested) return;
+    shutdownRequested = true;
+    console.log(`\nReceived ${signal}, shutting down...`);
+    if (runningServer) {
+      runningServer.stop();
+      runningServer = null;
+    }
+    console.log('Server stopped');
+    process.exit(0);
+  };
+
+  process.on('SIGINT', () => shutdown('SIGINT'));
+  process.on('SIGTERM', () => shutdown('SIGTERM'));
+
+  try {
+    runningServer = Bun.serve({
+      port,
+      hostname: host,
+      // MCP's Streamable HTTP transport keeps GET /mcp SSE streams open
+      // for server-initiated messages (notifications, progress updates),
+      // and some tool calls legitimately take more than the default 10s
+      // (Gmail search, large RSS feeds, JIRA JQL queries). Set the idle
+      // timeout to Bun's maximum so the transport can hold connections
+      // as long as it needs. 255 is Bun's hard cap — passing higher
+      // values throws.
+      idleTimeout: 255,
+      fetch: (req) => handleRequest(req, ctx),
+    });
+
+    console.log('Server ready');
+
+    // Wait forever; signal handlers will exit().
+    await new Promise(() => {});
+  } catch (error) {
+    console.error(
+      'Server error:',
+      error instanceof Error ? error.message : error
+    );
+    process.exit(1);
+  }
+}

package/src/server/dockerfile-gen.test.ts

@@ -0,0 +1,192 @@
+import { describe, expect, test } from 'bun:test';
+
+import { generateTeleportDockerfile } from './dockerfile-gen';
+
+/**
+ * Pure unit tests for the teleport Dockerfile generator. These don't
+ * actually build a container; they just assert on the string that
+ * gets fed to siteio. The goal is to catch refactors that silently
+ * change container semantics — e.g. flipping the user to root, or
+ * dropping tini, or breaking the healthcheck.
+ */
+
+describe('generateTeleportDockerfile — structural invariants', () => {
+  test('is a non-empty string', () => {
+    const df = generateTeleportDockerfile();
+    expect(df).toBeTruthy();
+    expect(df.length).toBeGreaterThan(200);
+  });
+
+  test('starts with a comment declaring it auto-generated', () => {
+    const df = generateTeleportDockerfile();
+    expect(df.split('\n')[0]).toMatch(/^#.*auto-generated.*agentio mcp teleport/i);
+  });
+
+  test('uses ubuntu:24.04 as the base image', () => {
+    const df = generateTeleportDockerfile();
+    expect(df).toContain('FROM ubuntu:24.04');
+  });
+
+  test('installs ca-certificates, curl, tini', () => {
+    const df = generateTeleportDockerfile();
+    expect(df).toContain('ca-certificates');
+    expect(df).toContain('curl');
+    expect(df).toContain('tini');
+  });
+
+  test('cleans up apt lists (image size hygiene)', () => {
+    const df = generateTeleportDockerfile();
+    expect(df).toContain('rm -rf /var/lib/apt/lists/*');
+  });
+
+  test('creates the non-root agentio user with uid 1001', () => {
+    const df = generateTeleportDockerfile();
+    expect(df).toContain('groupadd -g 1001 agentio');
+    expect(df).toContain('useradd -u 1001 -g agentio');
+    expect(df).toContain('USER agentio');
+  });
+
+  test('sets HOME, XDG_CONFIG_HOME, PATH for the non-root user', () => {
+    const df = generateTeleportDockerfile();
+    expect(df).toContain('ENV HOME=/data');
+    expect(df).toContain('ENV XDG_CONFIG_HOME=/data');
+    expect(df).toContain('ENV PATH="/home/agentio/bin:${PATH}"');
+  });
+
+  test('ensures /data and /home/agentio/bin are owned by agentio', () => {
+    const df = generateTeleportDockerfile();
+    expect(df).toContain('chown -R agentio:agentio /data /home/agentio/bin');
+  });
+
+  test('never uses COPY or ADD (siteio inline Dockerfile constraint)', () => {
+    const df = generateTeleportDockerfile();
+    const lines = df.split('\n').filter((l) => !l.trim().startsWith('#'));
+    for (const line of lines) {
+      expect(line).not.toMatch(/^\s*COPY\b/);
+      expect(line).not.toMatch(/^\s*ADD\b/);
+    }
+  });
+});
+
+describe('generateTeleportDockerfile — binary fetch', () => {
+  test('fetches the binary at BUILD time via RUN curl (not at CMD)', () => {
+    const df = generateTeleportDockerfile();
+    // The curl call for the binary should be in a RUN, not in the CMD.
+    const cmdLine = df.match(/CMD \[.*\]/)?.[0] ?? '';
+    expect(cmdLine).not.toContain('curl -fL');
+    expect(df).toContain('curl -fL');
+  });
+
+  test('resolves arch for both x86_64 and arm64 linux', () => {
+    const df = generateTeleportDockerfile();
+    expect(df).toContain('aarch64|arm64');
+    expect(df).toContain('x86_64|amd64');
+    expect(df).toContain('linux-arm64');
+    expect(df).toContain('linux-x64');
+  });
+
+  test('unsupported arch exits 1 with a clear message', () => {
+    const df = generateTeleportDockerfile();
+    expect(df).toContain('unsupported arch');
+    expect(df).toContain('exit 1');
+  });
+
+  test('no version pinned → queries GitHub releases/latest for the tag', () => {
+    const df = generateTeleportDockerfile();
+    expect(df).toContain(
+      'https://api.github.com/repos/plosson/agentio/releases/latest'
+    );
+    expect(df).toContain('tag_name');
+  });
+
+  test('--version pinned → emits a literal VERSION="X" assignment', () => {
+    const df = generateTeleportDockerfile({ version: '1.2.3' });
+    expect(df).toContain('VERSION="1.2.3"');
+    expect(df).not.toContain('releases/latest');
+  });
+
+  test('download URL references both VERSION and PLATFORM variables', () => {
+    const df = generateTeleportDockerfile();
+    expect(df).toContain(
+      'https://github.com/plosson/agentio/releases/download/v${VERSION}/agentio-${PLATFORM}'
+    );
+  });
+
+  test('chmod +x on the installed binary', () => {
+    const df = generateTeleportDockerfile();
+    expect(df).toContain('chmod +x /home/agentio/bin/agentio');
+  });
+});
+
+describe('generateTeleportDockerfile — port + healthcheck + entrypoint', () => {
+  test('default port is 9999', () => {
+    const df = generateTeleportDockerfile();
+    expect(df).toContain('EXPOSE 9999');
+    expect(df).toContain('http://localhost:9999/health');
+    expect(df).toContain('--port 9999');
+  });
+
+  test('custom port threads through EXPOSE + HEALTHCHECK + CMD', () => {
+    const df = generateTeleportDockerfile({ port: 8080 });
+    expect(df).toContain('EXPOSE 8080');
+    expect(df).toContain('http://localhost:8080/health');
+    expect(df).toContain('--port 8080');
+    expect(df).not.toContain('EXPOSE 9999');
+  });
+
+  test('HEALTHCHECK has 30s start-period (enough for config import)', () => {
+    const df = generateTeleportDockerfile();
+    expect(df).toContain('--start-period=30s');
+    expect(df).toContain('HEALTHCHECK');
+  });
+
+  test('HEALTHCHECK uses curl -sf to exit non-zero on failure', () => {
+    const df = generateTeleportDockerfile();
+    expect(df).toContain('curl -sf http://localhost');
+    expect(df).toContain('exit 1');
+  });
+
+  test('tini is PID 1 via ENTRYPOINT', () => {
+    const df = generateTeleportDockerfile();
+    expect(df).toContain('ENTRYPOINT ["/usr/bin/tini", "--"]');
+  });
+
+  test('CMD runs config import THEN the server, via sh -c', () => {
+    const df = generateTeleportDockerfile();
+    expect(df).toContain(
+      'CMD ["sh", "-c", "agentio config import && exec agentio server start --foreground --host 0.0.0.0 --port 9999"]'
+    );
+  });
+
+  test('CMD uses `exec` before starting the server (so tini sees the right PID)', () => {
+    const df = generateTeleportDockerfile();
+    const cmdLine = df.match(/CMD \[.*\]/)?.[0] ?? '';
+    expect(cmdLine).toContain('exec agentio server start');
+  });
+
+  test('CMD binds to 0.0.0.0 (required for Docker networking)', () => {
+    const df = generateTeleportDockerfile();
+    expect(df).toContain('--host 0.0.0.0');
+  });
+});
+
+describe('generateTeleportDockerfile — security posture', () => {
+  test('switches to non-root user BEFORE the CMD runs', () => {
+    const df = generateTeleportDockerfile();
+    const userIdx = df.indexOf('USER agentio');
+    const cmdIdx = df.search(/^CMD /m);
+    expect(userIdx).toBeGreaterThan(-1);
+    expect(cmdIdx).toBeGreaterThan(-1);
+    expect(userIdx).toBeLessThan(cmdIdx);
+  });
+
+  test('does not install sudo', () => {
+    const df = generateTeleportDockerfile();
+    expect(df).not.toContain('sudo');
+  });
+
+  test('does not expose an SSH port', () => {
+    const df = generateTeleportDockerfile();
+    expect(df).not.toContain('EXPOSE 22');
+  });
+});

package/src/server/dockerfile-gen.ts

@@ -0,0 +1,101 @@
+/**
+ * Generate a self-contained inline Dockerfile for `agentio mcp teleport`.
+ *
+ * siteio's "inline Dockerfile" mode builds containers in an empty build
+ * context — the Dockerfile cannot `COPY` or `ADD` anything from the
+ * local filesystem. Everything the container needs has to be fetched at
+ * build time via `RUN curl`.
+ *
+ * This generator produces a Dockerfile that:
+ *   1. Installs ca-certificates, curl, and tini (for signal handling).
+ *   2. Creates a non-root `agentio` user with /data as HOME.
+ *   3. Fetches the release binary for the target platform at BUILD time,
+ *      so siteio/Docker can cache the layer and re-deploys are fast.
+ *   4. Runs `agentio config import` at container START, reading the
+ *      encrypted blob from the `AGENTIO_KEY` + `AGENTIO_CONFIG` env
+ *      vars (set by siteio via `apps set -e`).
+ *   5. Starts the HTTP server on port 9999, bound to 0.0.0.0.
+ *
+ * The generator is a pure function — no I/O, no side effects — so it's
+ * trivially unit-testable. Tests in dockerfile-gen.test.ts pin down the
+ * exact structure (HEALTHCHECK, EXPOSE, user, entrypoint, etc) so a
+ * well-meaning refactor can't silently break the container image.
+ */
+
+export interface TeleportDockerfileOptions {
+  /** GitHub release version tag to pin, without the leading "v". Omit to always fetch "latest". */
+  version?: string;
+  /** Port the server should bind inside the container. Defaults to 9999. */
+  port?: number;
+}
+
+const DEFAULT_PORT = 9999;
+
+export function generateTeleportDockerfile(
+  opts: TeleportDockerfileOptions = {}
+): string {
+  const port = opts.port ?? DEFAULT_PORT;
+  // Inject a fixed version into the RUN block if the caller pinned one;
+  // otherwise fall through to the GitHub "latest" redirect.
+  const versionResolver = opts.version
+    ? `VERSION="${opts.version}"`
+    : `VERSION=$(curl -sL https://api.github.com/repos/plosson/agentio/releases/latest | grep '"tag_name"' | sed -E 's/.*"v([^"]+)".*/\\1/')`;
+
+  return `# Auto-generated by \`agentio mcp teleport\`. Do not hand-edit.
+# This is a self-contained "inline Dockerfile" for siteio — it must not
+# reference any files from a local build context. Everything is fetched
+# at build time via curl.
+
+FROM ubuntu:24.04
+
+# Runtime dependencies:
+#   ca-certificates : HTTPS calls from the container
+#   curl            : release binary download + healthcheck
+#   tini            : proper PID 1 / signal handling
+RUN apt-get update && apt-get install -y --no-install-recommends \\
+    ca-certificates curl tini \\
+    && rm -rf /var/lib/apt/lists/*
+
+# Non-root user, home at /data so config.json + tokens.enc live in
+# a siteio-managed persistent volume path.
+RUN groupadd -g 1001 agentio \\
+    && useradd -u 1001 -g agentio -d /home/agentio -m agentio \\
+    && mkdir -p /data /home/agentio/bin \\
+    && chown -R agentio:agentio /data /home/agentio/bin
+
+# Fetch the agentio linux binary at BUILD time (not boot) so siteio
+# caches the layer and subsequent deploys reuse it unless --no-cache
+# is passed. Architecture is detected at build time.
+RUN set -eux; \\
+    ARCH=$(uname -m); \\
+    case "$ARCH" in \\
+        aarch64|arm64) PLATFORM="linux-arm64" ;; \\
+        x86_64|amd64)  PLATFORM="linux-x64" ;; \\
+        *) echo "unsupported arch: $ARCH" >&2; exit 1 ;; \\
+    esac; \\
+    ${versionResolver}; \\
+    echo "Installing agentio v\${VERSION} (\${PLATFORM})..."; \\
+    curl -fL "https://github.com/plosson/agentio/releases/download/v\${VERSION}/agentio-\${PLATFORM}" \\
+        -o /home/agentio/bin/agentio; \\
+    chmod +x /home/agentio/bin/agentio; \\
+    chown agentio:agentio /home/agentio/bin/agentio
+
+USER agentio
+ENV HOME=/data
+ENV XDG_CONFIG_HOME=/data
+ENV PATH="/home/agentio/bin:\${PATH}"
+
+EXPOSE ${port}
+
+# Healthcheck hits the agentio /health endpoint. start-period is 30s
+# because importing the config on first boot involves decrypting the
+# AGENTIO_CONFIG blob which can take a couple seconds on slow hardware.
+HEALTHCHECK --interval=30s --timeout=5s --start-period=30s --retries=3 \\
+    CMD curl -sf http://localhost:${port}/health || exit 1
+
+# tini becomes PID 1 for signal handling. sh -c runs the import-then-
+# server pipeline so SIGTERM propagates correctly to the running server.
+ENTRYPOINT ["/usr/bin/tini", "--"]
+CMD ["sh", "-c", "agentio config import && exec agentio server start --foreground --host 0.0.0.0 --port ${port}"]
+`;
+}

package/src/server/dockerfile-teleport.test.ts

@@ -0,0 +1,180 @@
+import { describe, expect, test } from 'bun:test';
+import { readFileSync } from 'fs';
+import { join } from 'path';
+
+/**
+ * Structural invariants for the committed docker/Dockerfile.teleport —
+ * the buildable-from-source Dockerfile used by `agentio teleport --git-branch`.
+ *
+ * Unlike the inline Dockerfile (which siteio builds in an empty context
+ * and therefore cannot COPY), this one IS given the repo as a build
+ * context by siteio's git-mode, so COPY is legitimate. The tests
+ * below pin down the multi-stage structure, the non-root runtime,
+ * the config-import + server-start CMD shape, and a handful of security
+ * posture invariants.
+ */
+
+const DOCKERFILE_PATH = join(
+  import.meta.dir,
+  '..',
+  '..',
+  'docker',
+  'Dockerfile.teleport'
+);
+
+function loadDockerfile(): string {
+  return readFileSync(DOCKERFILE_PATH, 'utf8');
+}
+
+describe('docker/Dockerfile.teleport — structural invariants', () => {
+  test('exists and is non-empty', () => {
+    const df = loadDockerfile();
+    expect(df.length).toBeGreaterThan(200);
+  });
+
+  test('first content line documents it as the teleport Dockerfile', () => {
+    const df = loadDockerfile();
+    const firstComment = df
+      .split('\n')
+      .find((l) => l.trim().startsWith('#') && l.length > 1);
+    expect(firstComment).toMatch(/teleport/i);
+  });
+
+  test('uses a multi-stage build (builder + runtime)', () => {
+    const df = loadDockerfile();
+    const fromLines = df
+      .split('\n')
+      .filter((l) => /^\s*FROM\s/.test(l));
+    expect(fromLines.length).toBe(2);
+  });
+
+  test('stage 1 builds with oven/bun', () => {
+    const df = loadDockerfile();
+    expect(df).toMatch(/FROM\s+oven\/bun/);
+    expect(df).toMatch(/AS\s+builder/);
+  });
+
+  test('stage 1 runs bun install with --frozen-lockfile', () => {
+    const df = loadDockerfile();
+    expect(df).toContain('bun install --frozen-lockfile');
+  });
+
+  test('stage 1 copies package.json + bun.lock separately from the rest', () => {
+    const df = loadDockerfile();
+    // This layer-caching discipline matters — we want bun install to
+    // only re-run when deps change, not on every source edit.
+    expect(df).toMatch(/COPY\s+package\.json\s+bun\.lock\*?\s+\.\//);
+  });
+
+  test('stage 1 compiles the native binary via build:native', () => {
+    const df = loadDockerfile();
+    expect(df).toContain('bun run build:native');
+  });
+
+  test('stage 2 is ubuntu:24.04', () => {
+    const df = loadDockerfile();
+    expect(df).toMatch(/FROM\s+ubuntu:24\.04\s*(?:\n|$)/);
+  });
+
+  test('stage 2 installs ca-certificates, curl, tini', () => {
+    const df = loadDockerfile();
+    expect(df).toContain('ca-certificates');
+    expect(df).toContain('curl');
+    expect(df).toContain('tini');
+  });
+
+  test('stage 2 cleans up apt lists', () => {
+    const df = loadDockerfile();
+    expect(df).toContain('rm -rf /var/lib/apt/lists/*');
+  });
+
+  test('stage 2 creates non-root agentio user with uid 1001', () => {
+    const df = loadDockerfile();
+    expect(df).toContain('groupadd -g 1001 agentio');
+    expect(df).toContain('useradd -u 1001 -g agentio');
+    expect(df).toContain('USER agentio');
+  });
+
+  test('copies binary from stage 1 with --chown=agentio:agentio', () => {
+    const df = loadDockerfile();
+    expect(df).toMatch(
+      /COPY\s+--from=builder\s+--chown=agentio:agentio\s+\/build\/dist\/agentio\s+\/home\/agentio\/bin\/agentio/
+    );
+  });
+
+  test('sets HOME, XDG_CONFIG_HOME, PATH', () => {
+    const df = loadDockerfile();
+    expect(df).toContain('ENV HOME=/data');
+    expect(df).toContain('ENV XDG_CONFIG_HOME=/data');
+    expect(df).toMatch(/ENV PATH="\/home\/agentio\/bin:\$\{PATH\}"/);
+  });
+
+  test('exposes port 9999', () => {
+    const df = loadDockerfile();
+    expect(df).toContain('EXPOSE 9999');
+  });
+
+  test('HEALTHCHECK probes /health on 9999 with curl -sf', () => {
+    const df = loadDockerfile();
+    expect(df).toContain('HEALTHCHECK');
+    expect(df).toContain('curl -sf http://localhost:9999/health');
+  });
+
+  test('HEALTHCHECK has start-period ≥ 30s', () => {
+    const df = loadDockerfile();
+    expect(df).toMatch(/--start-period=(\d+)s/);
+    const match = df.match(/--start-period=(\d+)s/);
+    const seconds = Number(match![1]);
+    expect(seconds).toBeGreaterThanOrEqual(30);
+  });
+
+  test('tini is PID 1 via ENTRYPOINT', () => {
+    const df = loadDockerfile();
+    expect(df).toContain('ENTRYPOINT ["/usr/bin/tini", "--"]');
+  });
+
+  test('CMD runs config import THEN the server, via sh -c with exec', () => {
+    const df = loadDockerfile();
+    expect(df).toContain(
+      'CMD ["sh", "-c", "agentio config import && exec agentio server start --foreground --host 0.0.0.0 --port 9999"]'
+    );
+  });
+
+  test('CMD binds to 0.0.0.0 (required for Docker networking)', () => {
+    const df = loadDockerfile();
+    const cmdLine = df.match(/CMD \[.*\]/m)?.[0] ?? '';
+    expect(cmdLine).toContain('--host 0.0.0.0');
+  });
+});
+
+describe('docker/Dockerfile.teleport — security posture', () => {
+  test('runtime stage switches to USER agentio before the CMD runs', () => {
+    const df = loadDockerfile();
+    // Find the position of USER agentio and the FINAL CMD/ENTRYPOINT.
+    const userIdx = df.lastIndexOf('USER agentio');
+    const cmdIdx = df.search(/^CMD /m);
+    expect(userIdx).toBeGreaterThan(-1);
+    expect(cmdIdx).toBeGreaterThan(-1);
+    expect(userIdx).toBeLessThan(cmdIdx);
+  });
+
+  test('does not install sudo', () => {
+    const df = loadDockerfile();
+    expect(df).not.toContain('sudo');
+  });
+
+  test('does not EXPOSE SSH', () => {
+    const df = loadDockerfile();
+    expect(df).not.toContain('EXPOSE 22');
+  });
+
+  test('HEALTHCHECK runs under the agentio user (no root escalation)', () => {
+    // Since USER agentio is set before HEALTHCHECK and CMD, they both
+    // run as agentio. Verify by ordering: USER must come before the
+    // HEALTHCHECK directive.
+    const df = loadDockerfile();
+    const userIdx = df.lastIndexOf('USER agentio');
+    const hcIdx = df.indexOf('HEALTHCHECK');
+    expect(userIdx).toBeLessThan(hcIdx);
+  });
+});