@semalt-ai/code 1.8.5 → 1.19.0

package/test/result-cap.test.js

@@ -0,0 +1,233 @@
+'use strict';
+
+// Task W.8 — Cap MCP & subagent output entering context.
+//
+// THE CHANGE these tests pin: MCP tool results (lib/mcp/client.js) and subagent
+// final text (lib/subagents.js) were the last two UNBOUNDED paths into context —
+// both fenced as untrusted, but neither token-capped. A server (MCP) or a verbose
+// child (subagent) could blow context wholesale. Both serializers now apply the
+// standard capToTokens (consistent with W.5–W.7) BEFORE wrapping the text in the
+// untrusted fence, with DIFFERENT budgets:
+//   * MCP — STRICTER (third-party, untrusted, server-controlled): the riskiest.
+//   * Subagent — GENEROUS (our own child's synthesized result): a safety net.
+// Tests assert the MODEL-FACING (and parent-facing) result: the bound, the
+// truncation notice, the fence-still-present, and that the two budgets differ.
+
+const { test, before, after, afterEach } = require('node:test');
+const assert = require('node:assert');
+
+const ui = require('../lib/ui');
+const { createApiClient } = require('../lib/api');
+const { createToolExecutor, extractToolCalls } = require('../lib/tools');
+const { createPermissionManager } = require('../lib/permissions');
+const {
+  createAgentRunner, formatMcpResult, formatSubagentResult,
+} = require('../lib/agent');
+const toolRegistry = require('../lib/tool_registry');
+const { createSubagentManager, buildSpawnAgentEntry } = require('../lib/subagents');
+const {
+  DEFAULT_MCP_MAX_RESULT_TOKENS, DEFAULT_SUBAGENT_MAX_RESULT_TOKENS,
+} = require('../lib/constants');
+const { startMockLLM } = require('./harness/mock-llm');
+
+const FENCE_OPEN = /<<<UNTRUSTED_EXTERNAL_CONTENT/;
+const FENCE_CLOSE = /<<<END_UNTRUSTED_EXTERNAL_CONTENT>>>/;
+
+// ---------------------------------------------------------------------------
+// Part A — pure model-facing serializers (formatMcpResult / formatSubagentResult)
+// ---------------------------------------------------------------------------
+
+test('MCP: small result passes through fully, no notice, still fenced', () => {
+  const content = 'just a small payload from the server';
+  const out = formatMcpResult({ action: 'mcp__srv__tool', content, maxTokens: 10000 });
+  assert.match(out, /MCP tool mcp__srv__tool result:/);
+  assert.match(out, FENCE_OPEN);
+  assert.match(out, FENCE_CLOSE);
+  assert.ok(out.includes(content), 'full payload present');
+  assert.doesNotMatch(out, /capped at/);
+});
+
+test('MCP: large result is capped with a notice, INSIDE the untrusted fence', () => {
+  const content = 'x'.repeat(4000); // ~1000 tokens
+  const out = formatMcpResult({ action: 'mcp__srv__tool', content, maxTokens: 50 });
+  assert.match(out, /capped at ~50 tokens \(was ~\d+\)/, 'truncation notice present');
+  // The capped content (and its notice) must remain BETWEEN the fence delimiters.
+  const open = out.indexOf('<<<UNTRUSTED_EXTERNAL_CONTENT');
+  const close = out.indexOf('<<<END_UNTRUSTED_EXTERNAL_CONTENT>>>');
+  const noticeAt = out.indexOf('capped at');
+  assert.ok(open >= 0 && close > open, 'fence present and well-ordered');
+  assert.ok(noticeAt > open && noticeAt < close, 'notice sits inside the fence');
+  // The full payload did NOT enter context.
+  assert.ok(out.length < content.length, 'result is shorter than the raw payload');
+});
+
+test('MCP: isError surfaces the error note, still fenced', () => {
+  const out = formatMcpResult({ action: 'mcp__srv__t', content: 'boom', isError: true, maxTokens: 10000 });
+  assert.match(out, /\(the tool reported an error\)/);
+  assert.match(out, FENCE_OPEN);
+});
+
+test('subagent: short result passes through fully, no notice, fenced', () => {
+  const content = 'CHILD FINDINGS: the project is a CLI';
+  const out = formatSubagentResult({ count: 1, content, maxTokens: 20000 });
+  assert.match(out, /Result from 1 subagent/);
+  assert.match(out, FENCE_OPEN);
+  assert.match(out, FENCE_CLOSE);
+  assert.ok(out.includes(content));
+  assert.doesNotMatch(out, /capped at/);
+});
+
+test('subagent: long result is capped with a notice', () => {
+  const content = 'y'.repeat(4000);
+  const out = formatSubagentResult({ count: 1, content, maxTokens: 50 });
+  assert.match(out, /capped at ~50 tokens \(was ~\d+\)/);
+  assert.match(out, FENCE_OPEN);
+  assert.match(out, FENCE_CLOSE);
+  assert.ok(out.length < content.length);
+});
+
+test('subagent: plural label for multiple subagents', () => {
+  const out = formatSubagentResult({ count: 3, content: 'a', maxTokens: 20000 });
+  assert.match(out, /Result from 3 subagents/);
+});
+
+// ---------------------------------------------------------------------------
+// Part B — the two budgets are DISTINCT and MCP is STRICTER
+// ---------------------------------------------------------------------------
+
+test('default budgets: MCP is strictly stricter than subagent', () => {
+  assert.ok(DEFAULT_MCP_MAX_RESULT_TOKENS < DEFAULT_SUBAGENT_MAX_RESULT_TOKENS,
+    'MCP budget must be stricter than the subagent budget');
+});
+
+test('budgets differ: content between the two budgets is capped under MCP but passes under subagent', () => {
+  // Size the content so its estimate is ABOVE the MCP default and BELOW the
+  // subagent default (estimate ≈ chars/4). Midpoint of the two budgets.
+  const midTokens = Math.floor((DEFAULT_MCP_MAX_RESULT_TOKENS + DEFAULT_SUBAGENT_MAX_RESULT_TOKENS) / 2);
+  const content = 'z'.repeat(midTokens * 4);
+
+  // No explicit maxTokens → each serializer uses ITS OWN default budget.
+  const mcp = formatMcpResult({ action: 'mcp__s__t', content });
+  const sub = formatSubagentResult({ count: 1, content });
+
+  assert.match(mcp, /capped at/, 'MCP caps a payload above its stricter budget');
+  assert.doesNotMatch(sub, /capped at/, 'subagent passes the same payload under its generous budget');
+});
+
+// ---------------------------------------------------------------------------
+// Part C — through the REAL agent loop (the wiring reads config; fence intact)
+// ---------------------------------------------------------------------------
+
+let prevKey;
+before(() => { prevKey = process.env.SEMALT_API_KEY; process.env.SEMALT_API_KEY = 'test-key'; });
+after(() => {
+  if (prevKey === undefined) delete process.env.SEMALT_API_KEY;
+  else process.env.SEMALT_API_KEY = prevKey;
+});
+afterEach(() => { toolRegistry.clearDynamicTools(); });
+
+// Build a full parent stack (api + permissions + executors + agent runner). With
+// `withSubagent` it also wires a subagent manager from the SAME building blocks
+// and registers the spawn_agent tool — mirroring test/subagents-agent.test.js.
+function buildStack(base, config, { withSubagent = false } = {}) {
+  const cfg = {
+    api_base: base, api_key: 'test-key', default_model: 'test-model',
+    temperature: 0.5, request_timeout_ms: 5000, stream: true, models: [],
+    ...config,
+  };
+  const getConfig = () => cfg;
+  const api = createApiClient({ getConfig, saveConfig: (c) => Object.assign(cfg, c), ui });
+  const pm = createPermissionManager(ui, { skipPermissions: true });
+  pm.setUICallbacks({ onAddMessage: () => {}, onShowModal: () => {}, onCloseModal: () => {}, onCaptureNavigation: () => () => {} });
+  const { agentExecShell, agentExecFile, describePermission } = createToolExecutor(pm, ui, getConfig);
+  const runner = createAgentRunner({
+    chatStream: api.chatStream, extractToolCalls, agentExecShell, agentExecFile,
+    describePermission, permissionManager: pm, ui, getConfig,
+  });
+  if (withSubagent) {
+    const manager = createSubagentManager({
+      chatStream: api.chatStream, extractToolCalls, agentExecShell, agentExecFile,
+      describePermission, permissionManager: pm, ui, getConfig,
+    });
+    toolRegistry.registerDynamicTool(buildSpawnAgentEntry(manager));
+  }
+  return { runner, getConfig, cfg };
+}
+
+// Register a fake MCP-style dynamic tool returning a fixed payload, so we exercise
+// the formatFileResult MCP branch WITHOUT the real SDK / a live server.
+function registerFakeMcpTool(content) {
+  toolRegistry.registerDynamicTool({
+    tool: 'mcp__test__big',
+    mcp: true,
+    server: 'test',
+    spec: { description: 'fake', parameters: { type: 'object', properties: {} } },
+    fromParams: (p) => ['mcp__test__big', p || {}],
+    parseXml: () => [],
+    permission: () => null,
+    execute: async () => ({ mcp: true, content, isError: false }),
+  });
+}
+
+test('real loop: a large MCP result is capped + still fenced in the tool message', async () => {
+  const mock = await startMockLLM();
+  registerFakeMcpTool('Q'.repeat(4000)); // ~1000 tokens
+  mock.replyWithToolCall('mcp__test__big', {});
+  mock.replyWith('done');
+  try {
+    const { runner } = buildStack(mock.base, { mcp: { servers: {}, max_result_tokens: 20 } });
+    const messages = [{ role: 'user', content: 'call the mcp tool' }];
+    await runner.runAgentLoop(messages, 'test-model', 5, null, { callbacks: { onError: () => {} } });
+    const toolMsg = messages.find((m) => m.role === 'tool' && /mcp__test__big/.test(m.content || ''));
+    assert.ok(toolMsg, 'MCP result fed back');
+    assert.match(toolMsg.content, FENCE_OPEN, 'still fenced after capping');
+    assert.match(toolMsg.content, FENCE_CLOSE);
+    assert.match(toolMsg.content, /capped at ~20 tokens/, 'capped at the configured MCP budget');
+    assert.ok(toolMsg.content.length < 4000, 'the full payload did not enter context');
+  } finally {
+    await mock.close();
+  }
+});
+
+test('real loop: a small MCP result passes through fully (paired positive), still fenced', async () => {
+  const mock = await startMockLLM();
+  registerFakeMcpTool('tiny payload');
+  mock.replyWithToolCall('mcp__test__big', {});
+  mock.replyWith('done');
+  try {
+    const { runner } = buildStack(mock.base, { mcp: { servers: {}, max_result_tokens: 10000 } });
+    const messages = [{ role: 'user', content: 'call the mcp tool' }];
+    await runner.runAgentLoop(messages, 'test-model', 5, null, { callbacks: { onError: () => {} } });
+    const toolMsg = messages.find((m) => m.role === 'tool' && /mcp__test__big/.test(m.content || ''));
+    assert.ok(toolMsg);
+    assert.match(toolMsg.content, FENCE_OPEN);
+    assert.ok(toolMsg.content.includes('tiny payload'));
+    assert.doesNotMatch(toolMsg.content, /capped at/);
+  } finally {
+    await mock.close();
+  }
+});
+
+test('real loop: a verbose subagent final text is capped + still fenced, isolation intact', async () => {
+  const mock = await startMockLLM();
+  const longChild = 'L'.repeat(4000); // ~1000 tokens
+  mock.replyWithToolCall('spawn_agent', { prompt: 'go research' }); // parent
+  mock.replyWith(longChild);                                        // child final
+  mock.replyWith('noted');                                         // parent final
+  try {
+    const { runner } = buildStack(mock.base,
+      { subagents: { max_concurrency: 3, max_result_tokens: 30 } }, { withSubagent: true });
+    const messages = [{ role: 'user', content: 'investigate' }];
+    await runner.runAgentLoop(messages, 'test-model', 5, null, { callbacks: { onError: () => {} } });
+    const toolMsg = messages.find((m) => m.role === 'tool' && /UNTRUSTED_EXTERNAL_CONTENT/.test(m.content || ''));
+    assert.ok(toolMsg, 'subagent result fed back fenced');
+    assert.match(toolMsg.content, FENCE_OPEN);
+    assert.match(toolMsg.content, FENCE_CLOSE);
+    assert.match(toolMsg.content, /capped at ~30 tokens/, 'capped at the configured subagent budget');
+    // Isolation unchanged: the parent did not absorb the child's long assistant turn.
+    const absorbed = messages.some((m) => m.role === 'assistant' && m.content === longChild);
+    assert.ok(!absorbed, 'the child assistant turn never lands in the parent history');
+  } finally {
+    await mock.close();
+  }
+});

package/test/sandbox-agent.test.js

@@ -0,0 +1,147 @@
+'use strict';
+
+// Integration tests for the OS-sandbox FALLBACK rules wired into agentExecShell
+// (Task 4.4). These exercise the config×detection decision at the executor
+// chokepoint without needing a real bwrap/sandbox-exec: the detection cache is
+// primed to "unavailable" (or the runner genuinely lacks the tool), and we
+// assert the fail-safe behavior — never a silent unsandboxed run.
+
+const { test } = require('node:test');
+const assert = require('node:assert');
+
+const fs = require('fs');
+const os = require('os');
+const path = require('path');
+
+const ui = require('../lib/ui');
+const { createPermissionManager } = require('../lib/permissions');
+const { createToolExecutor } = require('../lib/tools');
+const { detectSandbox, _resetSandboxDetection } = require('../lib/sandbox');
+
+// Force the shared detection cache to "unavailable" so the unavailable-path
+// tests are deterministic on ANY runner (including macOS / a bwrap-equipped
+// Linux box where the sandbox would otherwise be available).
+function primeUnavailable() {
+  _resetSandboxDetection();
+  detectSandbox({
+    platform: 'linux',
+    which: () => null, // no bwrap
+    readFile: () => 'Linux version 6.0',
+    force: true,
+  });
+}
+
+function buildExec({ config, onUnsandboxed } = {}) {
+  const pm = createPermissionManager(ui, { skipPermissions: false, allowedTiers: ['exec'] });
+  pm.setUICallbacks({ onAddMessage: () => {}, onShowModal: () => {}, onCloseModal: () => {}, onCaptureNavigation: () => () => {} });
+  const getConfig = () => config;
+  return createToolExecutor(pm, ui, getConfig, { onUnsandboxed });
+}
+
+test('sandbox unavailable + auto + NO approver → REFUSED (never a silent unsandboxed run)', async () => {
+  primeUnavailable();
+  const { agentExecShell } = buildExec({ config: { sandbox: { mode: 'auto' } } });
+  const r = await agentExecShell('echo SHOULD_NOT_RUN');
+  assert.strictEqual(r.blocked, true);
+  assert.strictEqual(r.sandbox, 'unavailable');
+  assert.match(r.stderr, /refused to run unsandboxed/i);
+  assert.doesNotMatch(r.stdout || '', /SHOULD_NOT_RUN/);
+  _resetSandboxDetection();
+});
+
+test('sandbox unavailable + failIfUnavailable → HARD ERROR (strict gate)', async () => {
+  primeUnavailable();
+  const { agentExecShell } = buildExec({ config: { sandbox: { mode: 'auto', failIfUnavailable: true } } });
+  const r = await agentExecShell('echo SHOULD_NOT_RUN');
+  assert.strictEqual(r.blocked, true);
+  assert.strictEqual(r.sandbox, 'unavailable');
+  assert.match(r.stderr, /failIfUnavailable/);
+  _resetSandboxDetection();
+});
+
+test('sandbox unavailable + auto + approver says NO → refused', async () => {
+  primeUnavailable();
+  const { agentExecShell } = buildExec({ config: { sandbox: { mode: 'auto' } }, onUnsandboxed: async () => false });
+  const r = await agentExecShell('echo SHOULD_NOT_RUN');
+  assert.strictEqual(r.blocked, true);
+  _resetSandboxDetection();
+});
+
+test('sandbox unavailable + auto + human approver says YES → runs unsandboxed (status reflects it)', async () => {
+  primeUnavailable();
+  let asked = null;
+  const { agentExecShell } = buildExec({
+    config: { sandbox: { mode: 'auto' }, command_timeout_ms: 5000 },
+    onUnsandboxed: async (info) => { asked = info; return true; },
+  });
+  const r = await agentExecShell('echo RAN_UNSANDBOXED');
+  assert.ok(asked && typeof asked.reason === 'string' && asked.reason.length > 0, 'approver receives the reason');
+  assert.match(asked.reason, /bwrap|bubblewrap|not found/i);
+  assert.strictEqual(r.exit_code, 0);
+  assert.match(r.stdout, /RAN_UNSANDBOXED/);
+  assert.strictEqual(r.sandbox, 'unavailable'); // ran, but without kernel confinement
+  _resetSandboxDetection();
+});
+
+test('mode off → runs unsandboxed deterministically (human opt-out), status off', async () => {
+  // mode:off short-circuits before detection, so this is deterministic on every
+  // runner regardless of the cache.
+  primeUnavailable();
+  const { agentExecShell } = buildExec({ config: { sandbox: { mode: 'off' }, command_timeout_ms: 5000 } });
+  const r = await agentExecShell('echo MODE_OFF_RAN');
+  assert.strictEqual(r.exit_code, 0);
+  assert.match(r.stdout, /MODE_OFF_RAN/);
+  assert.strictEqual(r.sandbox, 'off');
+  // With no jail the command keeps the host network — surfaced honestly (Task 4.4b).
+  assert.strictEqual(r.network, 'on');
+  _resetSandboxDetection();
+});
+
+test('no MODEL-reachable path disables the sandbox: call-level options cannot flip the decision', async () => {
+  primeUnavailable();
+  const { agentExecShell } = buildExec({ config: { sandbox: { mode: 'auto' } } });
+  // A model only ever controls the command string + framework {signal}. Even if
+  // call options carried sandbox-ish keys (they never do in the real schema),
+  // they must NOT disable the gate — the decision reads only human config.
+  const r = await agentExecShell('echo SHOULD_NOT_RUN', { sandbox: 'off', mode: 'off', skipSandbox: true, failIfUnavailable: false });
+  assert.strictEqual(r.blocked, true, 'call-level options cannot disable the sandbox');
+  assert.strictEqual(r.sandbox, 'unavailable');
+  _resetSandboxDetection();
+});
+
+// Binary network isolation surfaced through the executor (Task 4.4b). Uses the
+// REAL sandbox so the result's `network` field reflects an actual kernel jail;
+// skips gracefully when the primitive is absent (mirrors the integration suite).
+const _realDet = (() => { _resetSandboxDetection(); const d = detectSandbox({ force: true }); _resetSandboxDetection(); return d; })();
+const NET_SKIP = _realDet.available && _realDet.tool === 'bwrap'
+  ? false
+  : `OS sandbox (bwrap) unavailable on this runner (${_realDet.reason || _realDet.platform})`;
+
+test('sandbox.network off → the shell result reports net OFF and the command has no network (real jail)', { skip: NET_SKIP }, async () => {
+  _resetSandboxDetection();
+  detectSandbox({ force: true }); // real detection, available
+  const probe = path.join(os.tmpdir(), `semalt-agent-netprobe-${process.pid}.js`);
+  fs.writeFileSync(probe, "const i=require('os').networkInterfaces();const nonLo=Object.keys(i).filter(n=>n!=='lo'&&n!=='lo0');process.exit(nonLo.length>0?0:7);");
+  try {
+    const { agentExecShell } = buildExec({ config: { sandbox: { mode: 'auto', network: 'off' }, command_timeout_ms: 10000 } });
+    // Pass model-reachable-looking call options — they must NOT re-enable the network.
+    const r = await agentExecShell(`${JSON.stringify(process.execPath)} ${JSON.stringify(probe)}`, { network: 'on', noNetwork: false });
+    assert.strictEqual(r.sandbox, 'on', 'ran inside a real jail');
+    assert.strictEqual(r.network, 'off', 'the result reports kernel-level no-network');
+    assert.strictEqual(r.exit_code, 7, 'the jailed command genuinely had no network (only loopback)');
+  } finally {
+    try { fs.unlinkSync(probe); } catch {}
+    _resetSandboxDetection();
+  }
+});
+
+test('the deny-list still fires UNDER the sandbox layer (defense in depth, agent-initiated)', async () => {
+  primeUnavailable();
+  const { agentExecShell } = buildExec({ config: { sandbox: { mode: 'off' } } });
+  // Even with the sandbox off, the deny-list chokepoint must still hard-block a
+  // destructive agent command before it ever reaches the spawn/sandbox path.
+  const r = await agentExecShell('rm -rf /');
+  assert.strictEqual(r.blocked, true);
+  assert.match(r.stderr, /deny-list/i);
+  _resetSandboxDetection();
+});

package/test/sandbox-integration.test.js

@@ -0,0 +1,216 @@
+'use strict';
+
+// Kernel-level enforcement tests for the OS sandbox (Task 4.4). These run REAL
+// bwrap (Linux/WSL2) or sandbox-exec (macOS) jails and assert the OS — not our
+// pattern-matching — blocks the writes. They SKIP gracefully when the primitive
+// is absent on the runner (mirroring the ripgrep-parity pattern), so the suite
+// stays green on a Windows/WSL1 box or a Linux box without bubblewrap.
+
+const { test } = require('node:test');
+const assert = require('node:assert');
+const fs = require('fs');
+const os = require('os');
+const path = require('path');
+const { spawnSync } = require('child_process');
+
+const { detectSandbox, buildBwrapArgs, buildSeatbeltPolicy } = require('../lib/sandbox');
+
+const det = detectSandbox({ force: true });
+const SKIP = det.available ? false : `OS sandbox tool unavailable on this runner (${det.reason || det.platform})`;
+
+function mkdir(prefix) {
+  return fs.realpathSync(fs.mkdtempSync(path.join(os.tmpdir(), prefix)));
+}
+
+// Run `cmd` inside a real jail whose ONLY writable root is `writableRoots`, with
+// `protectedPaths` forced read-only. Returns the spawn result ({ status, ... }).
+function runJailed(cmd, { writableRoots, protectedPaths, chdir }) {
+  if (det.tool === 'bwrap') {
+    const args = buildBwrapArgs({
+      writableRoots,
+      protectedPaths,
+      rootWritable: false,
+      chdir,
+      fsExists: (p) => { try { return fs.existsSync(p); } catch { return false; } },
+    });
+    return spawnSync(det.binPath || 'bwrap', [...args, '/bin/sh', '-c', cmd], { encoding: 'utf8', timeout: 10000 });
+  }
+  // sandbox-exec (macOS Seatbelt)
+  const policy = buildSeatbeltPolicy({ writableRoots, protectedPaths, rootWritable: false });
+  return spawnSync(det.binPath || 'sandbox-exec', ['-p', policy, '/bin/sh', '-c', cmd], { encoding: 'utf8', timeout: 10000 });
+}
+
+test('a write INSIDE the working dir succeeds under the jail', { skip: SKIP }, () => {
+  const work = mkdir('semalt-sbx-work-');
+  const r = runJailed(`echo ok > ${work}/inside.txt`, { writableRoots: [work], protectedPaths: [], chdir: work });
+  assert.strictEqual(r.status, 0, `expected success, stderr: ${r.stderr}`);
+  assert.ok(fs.existsSync(path.join(work, 'inside.txt')), 'file inside the working dir should be written');
+});
+
+test('a write OUTSIDE the working dir is blocked by the kernel layer', { skip: SKIP }, () => {
+  const work = mkdir('semalt-sbx-work-');
+  const outside = mkdir('semalt-sbx-out-');
+  const target = path.join(outside, 'escaped.txt');
+  const r = runJailed(`echo pwned > ${target}`, { writableRoots: [work], protectedPaths: [], chdir: work });
+  assert.notStrictEqual(r.status, 0, 'write outside the working dir must fail');
+  assert.ok(!fs.existsSync(target), 'the out-of-jail file must NOT exist');
+});
+
+test('writes to a protected dir are denied — including a NOT-YET-EXISTING config (CVE-2026-25725)', { skip: SKIP }, () => {
+  const work = mkdir('semalt-sbx-work-');
+  // Simulate ~/.semalt-ai: the dir exists but config.json does NOT. The whole
+  // dir is bound read-only, so the jailed process cannot CREATE the missing file
+  // to inject host-privileged hooks.
+  const protectedDir = mkdir('semalt-sbx-prot-');
+  const missingConfig = path.join(protectedDir, 'config.json');
+  assert.ok(!fs.existsSync(missingConfig), 'precondition: config.json does not exist yet');
+  const r = runJailed(`echo '{"hooks":1}' > ${missingConfig}`, { writableRoots: [work], protectedPaths: [protectedDir], chdir: work });
+  assert.notStrictEqual(r.status, 0, 'creating a missing config in a protected dir must fail');
+  assert.ok(!fs.existsSync(missingConfig), 'the not-yet-existing config must NOT have been created');
+});
+
+test('a protected dir nested inside a writable root still wins (read-only)', { skip: SKIP }, () => {
+  // cwd == $HOME edge case: the writable root CONTAINS the protected dir, and the
+  // protected re-bind must still win.
+  const work = mkdir('semalt-sbx-home-');
+  const protectedDir = path.join(work, '.semalt-ai');
+  fs.mkdirSync(protectedDir);
+  const target = path.join(protectedDir, 'config.json');
+  const r = runJailed(`echo x > ${target}`, { writableRoots: [work], protectedPaths: [protectedDir], chdir: work });
+  assert.notStrictEqual(r.status, 0, 'protected dir nested in a writable root must stay read-only');
+  assert.ok(!fs.existsSync(target), 'config.json under the nested protected dir must NOT be created');
+});
+
+test('a project .semalt/config.json write is blocked by the kernel layer, incl. not-yet-existing (Pre-Task 5.0b)', { skip: SKIP }, () => {
+  // The project .semalt dir lives INSIDE the writable working dir, yet binding it
+  // read-only must still win — so a sandboxed shell cannot create or modify
+  // .semalt/config.json (or agents/hooks) to drive host-privileged execution.
+  // Mirrors the CVE-2026-25725 not-yet-existing-file pattern: the dir exists, the
+  // config file does not.
+  const work = mkdir('semalt-sbx-proj-');
+  const dotSemalt = path.join(work, '.semalt');
+  fs.mkdirSync(dotSemalt);
+  const missingConfig = path.join(dotSemalt, 'config.json');
+  assert.ok(!fs.existsSync(missingConfig), 'precondition: .semalt/config.json does not exist yet');
+  const r = runJailed(`echo '{"hooks":1}' > ${missingConfig}`, { writableRoots: [work], protectedPaths: [dotSemalt], chdir: work });
+  assert.notStrictEqual(r.status, 0, 'creating .semalt/config.json inside the jail must fail');
+  assert.ok(!fs.existsSync(missingConfig), 'the not-yet-existing .semalt/config.json must NOT have been created');
+});
+
+test('a /proc/self/root rewrite is confined on the RESOLVED path (the Ona bypass)', { skip: SKIP }, () => {
+  // bwrap mounts a fresh /proc, so /proc/self/root resolves to the jail root and
+  // the kernel enforces the bind on the resolved path. (Seatbelt enforces on the
+  // resolved vnode the same way.) Either way the write must be blocked.
+  const work = mkdir('semalt-sbx-work-');
+  const outside = mkdir('semalt-sbx-out-');
+  const viaProc = `/proc/self/root${path.join(outside, 'rewrite.txt')}`;
+  const r = runJailed(`echo pwned > ${viaProc}`, { writableRoots: [work], protectedPaths: [], chdir: work });
+  assert.notStrictEqual(r.status, 0, 'a /proc/self/root rewrite must be confined on the resolved path');
+  assert.ok(!fs.existsSync(path.join(outside, 'rewrite.txt')), 'the rewritten target must NOT be written');
+});
+
+test('child processes inherit the jail (a spawned subprocess is confined)', { skip: SKIP }, () => {
+  const work = mkdir('semalt-sbx-work-');
+  const outside = mkdir('semalt-sbx-out-');
+  const target = path.join(outside, 'child.txt');
+  // The outer sh spawns an inner sh that attempts the escape — the boundary must
+  // cover the whole subprocess tree, not just the first process.
+  const r = runJailed(`sh -c "echo pwned > ${target}"`, { writableRoots: [work], protectedPaths: [], chdir: work });
+  assert.notStrictEqual(r.status, 0, 'a child process must not be able to escape the jail');
+  assert.ok(!fs.existsSync(target), 'the child-written out-of-jail file must NOT exist');
+});
+
+test('reads are allowed broadly even when writes are confined', { skip: SKIP }, () => {
+  const work = mkdir('semalt-sbx-work-');
+  // /etc/hostname exists on Linux; on macOS read /etc/hosts. Pick one that exists.
+  const readable = fs.existsSync('/etc/hostname') ? '/etc/hostname' : '/etc/hosts';
+  const r = runJailed(`cat ${readable} > ${work}/copy.txt`, { writableRoots: [work], protectedPaths: ['/etc'], chdir: work });
+  assert.strictEqual(r.status, 0, `reading ${readable} should succeed, stderr: ${r.stderr}`);
+});
+
+// ---------------------------------------------------------------------------
+// Binary network isolation (Task 4.4b) — REAL kernel enforcement.
+// ---------------------------------------------------------------------------
+//
+// Discriminator (no external connectivity required, so it is reliable in CI):
+//   * bwrap (Linux/WSL2): --unshare-net gives the jail a fresh network namespace
+//     with NO real interfaces — only loopback. We count non-loopback interfaces.
+//   * sandbox-exec (macOS): (deny network*) blocks socket operations — we test
+//     whether a TCP bind is permitted. (Skips on this Linux runner.)
+// Exit 0 ⇒ the probe HAS network; exit 7 ⇒ it does NOT.
+
+const NODE = process.execPath;
+
+function writeNetProbe(dir) {
+  const body = det.tool === 'bwrap'
+    ? "const i=require('os').networkInterfaces();const nonLo=Object.keys(i).filter(n=>n!=='lo'&&n!=='lo0');process.exit(nonLo.length>0?0:7);"
+    : "const s=require('net').createServer();s.on('error',()=>process.exit(7));s.listen(0,'0.0.0.0',()=>{s.close();process.exit(0);});";
+  const p = path.join(dir, 'netprobe.js');
+  fs.writeFileSync(p, body);
+  return p;
+}
+
+// Run a command inside a jail with the given network mode. `cmd` defaults to the
+// network probe; callers may override to test composition with the fs layer.
+function runJailedNet({ network, writableRoots, protectedPaths = [], chdir, cmd }) {
+  if (det.tool === 'bwrap') {
+    const args = buildBwrapArgs({
+      writableRoots, protectedPaths, rootWritable: false, chdir, network,
+      fsExists: (p) => { try { return fs.existsSync(p); } catch { return false; } },
+    });
+    return spawnSync(det.binPath || 'bwrap', [...args, '/bin/sh', '-c', cmd], { encoding: 'utf8', timeout: 10000 });
+  }
+  const policy = buildSeatbeltPolicy({ writableRoots, protectedPaths, rootWritable: false, network });
+  return spawnSync(det.binPath || 'sandbox-exec', ['-p', policy, '/bin/sh', '-c', cmd], { encoding: 'utf8', timeout: 10000 });
+}
+
+// Does the HOST itself have network the probe can see? (A degenerate CI box with
+// only loopback would make the "network on" positive vacuous — guard for it.)
+function hostHasNetwork() {
+  const dir = mkdir('semalt-sbx-host-');
+  const probe = writeNetProbe(dir);
+  const r = spawnSync(NODE, [probe], { encoding: 'utf8', timeout: 10000 });
+  return r.status === 0;
+}
+
+test('network OFF: a sandboxed command CANNOT reach the network (kernel-enforced)', { skip: SKIP }, () => {
+  const work = mkdir('semalt-sbx-net-off-');
+  const probe = writeNetProbe(work);
+  const r = runJailedNet({ network: 'off', writableRoots: [work], chdir: work, cmd: `${NODE} ${probe}` });
+  assert.strictEqual(r.status, 7, `no-network jail must have no network, got status ${r.status} stderr: ${r.stderr}`);
+});
+
+test('PAIRED positive — network ON: the same sandboxed command CAN reach the network', { skip: SKIP }, () => {
+  if (!hostHasNetwork()) { return; } // degenerate runner with only loopback — nothing to pair against
+  const work = mkdir('semalt-sbx-net-on-');
+  const probe = writeNetProbe(work);
+  const on = runJailedNet({ network: 'on', writableRoots: [work], chdir: work, cmd: `${NODE} ${probe}` });
+  assert.strictEqual(on.status, 0, `network-on jail must keep the host network, stderr: ${on.stderr}`);
+  // And the negative side of the pair, for an unambiguous on≠off difference.
+  const off = runJailedNet({ network: 'off', writableRoots: [work], chdir: work, cmd: `${NODE} ${probe}` });
+  assert.strictEqual(off.status, 7, 'network-off must differ from network-on');
+});
+
+test('network isolation COMPOSES with filesystem confinement (both apply)', { skip: SKIP }, () => {
+  // One no-network jail: prove the fs boundary AND the net boundary hold together.
+  const work = mkdir('semalt-sbx-compose-');
+  const outside = mkdir('semalt-sbx-compose-out-');
+  const probe = writeNetProbe(work);
+  // (a) filesystem: an out-of-CWD write is still blocked under the no-network jail.
+  const target = path.join(outside, 'escaped.txt');
+  const wr = runJailedNet({ network: 'off', writableRoots: [work], chdir: work, cmd: `echo pwned > ${target}` });
+  assert.notStrictEqual(wr.status, 0, 'fs confinement still applies under network-off');
+  assert.ok(!fs.existsSync(target), 'the out-of-jail write must not land');
+  // (b) network: the same jail config has no network.
+  const nr = runJailedNet({ network: 'off', writableRoots: [work], chdir: work, cmd: `${NODE} ${probe}` });
+  assert.strictEqual(nr.status, 7, 'network confinement applies in the same jail');
+});
+
+test('child processes inherit the no-network jail', { skip: SKIP }, () => {
+  const work = mkdir('semalt-sbx-net-child-');
+  const probe = writeNetProbe(work);
+  // The outer sh spawns an INNER sh that runs the probe — the no-network boundary
+  // must cover the whole subprocess tree, not just the first process.
+  const r = runJailedNet({ network: 'off', writableRoots: [work], chdir: work, cmd: `sh -c "${NODE} ${probe}"` });
+  assert.strictEqual(r.status, 7, 'a child process must also have no network');
+});