@semalt-ai/code 1.8.5 → 1.20.0

package/test/sandbox-agent.test.js

@@ -0,0 +1,147 @@
+'use strict';
+
+// Integration tests for the OS-sandbox FALLBACK rules wired into agentExecShell
+// (Task 4.4). These exercise the config×detection decision at the executor
+// chokepoint without needing a real bwrap/sandbox-exec: the detection cache is
+// primed to "unavailable" (or the runner genuinely lacks the tool), and we
+// assert the fail-safe behavior — never a silent unsandboxed run.
+
+const { test } = require('node:test');
+const assert = require('node:assert');
+
+const fs = require('fs');
+const os = require('os');
+const path = require('path');
+
+const ui = require('../lib/ui');
+const { createPermissionManager } = require('../lib/permissions');
+const { createToolExecutor } = require('../lib/tools');
+const { detectSandbox, _resetSandboxDetection } = require('../lib/sandbox');
+
+// Force the shared detection cache to "unavailable" so the unavailable-path
+// tests are deterministic on ANY runner (including macOS / a bwrap-equipped
+// Linux box where the sandbox would otherwise be available).
+function primeUnavailable() {
+  _resetSandboxDetection();
+  detectSandbox({
+    platform: 'linux',
+    which: () => null, // no bwrap
+    readFile: () => 'Linux version 6.0',
+    force: true,
+  });
+}
+
+function buildExec({ config, onUnsandboxed } = {}) {
+  const pm = createPermissionManager(ui, { skipPermissions: false, allowedTiers: ['exec'] });
+  pm.setUICallbacks({ onAddMessage: () => {}, onShowModal: () => {}, onCloseModal: () => {}, onCaptureNavigation: () => () => {} });
+  const getConfig = () => config;
+  return createToolExecutor(pm, ui, getConfig, { onUnsandboxed });
+}
+
+test('sandbox unavailable + auto + NO approver → REFUSED (never a silent unsandboxed run)', async () => {
+  primeUnavailable();
+  const { agentExecShell } = buildExec({ config: { sandbox: { mode: 'auto' } } });
+  const r = await agentExecShell('echo SHOULD_NOT_RUN');
+  assert.strictEqual(r.blocked, true);
+  assert.strictEqual(r.sandbox, 'unavailable');
+  assert.match(r.stderr, /refused to run unsandboxed/i);
+  assert.doesNotMatch(r.stdout || '', /SHOULD_NOT_RUN/);
+  _resetSandboxDetection();
+});
+
+test('sandbox unavailable + failIfUnavailable → HARD ERROR (strict gate)', async () => {
+  primeUnavailable();
+  const { agentExecShell } = buildExec({ config: { sandbox: { mode: 'auto', failIfUnavailable: true } } });
+  const r = await agentExecShell('echo SHOULD_NOT_RUN');
+  assert.strictEqual(r.blocked, true);
+  assert.strictEqual(r.sandbox, 'unavailable');
+  assert.match(r.stderr, /failIfUnavailable/);
+  _resetSandboxDetection();
+});
+
+test('sandbox unavailable + auto + approver says NO → refused', async () => {
+  primeUnavailable();
+  const { agentExecShell } = buildExec({ config: { sandbox: { mode: 'auto' } }, onUnsandboxed: async () => false });
+  const r = await agentExecShell('echo SHOULD_NOT_RUN');
+  assert.strictEqual(r.blocked, true);
+  _resetSandboxDetection();
+});
+
+test('sandbox unavailable + auto + human approver says YES → runs unsandboxed (status reflects it)', async () => {
+  primeUnavailable();
+  let asked = null;
+  const { agentExecShell } = buildExec({
+    config: { sandbox: { mode: 'auto' }, command_timeout_ms: 5000 },
+    onUnsandboxed: async (info) => { asked = info; return true; },
+  });
+  const r = await agentExecShell('echo RAN_UNSANDBOXED');
+  assert.ok(asked && typeof asked.reason === 'string' && asked.reason.length > 0, 'approver receives the reason');
+  assert.match(asked.reason, /bwrap|bubblewrap|not found/i);
+  assert.strictEqual(r.exit_code, 0);
+  assert.match(r.stdout, /RAN_UNSANDBOXED/);
+  assert.strictEqual(r.sandbox, 'unavailable'); // ran, but without kernel confinement
+  _resetSandboxDetection();
+});
+
+test('mode off → runs unsandboxed deterministically (human opt-out), status off', async () => {
+  // mode:off short-circuits before detection, so this is deterministic on every
+  // runner regardless of the cache.
+  primeUnavailable();
+  const { agentExecShell } = buildExec({ config: { sandbox: { mode: 'off' }, command_timeout_ms: 5000 } });
+  const r = await agentExecShell('echo MODE_OFF_RAN');
+  assert.strictEqual(r.exit_code, 0);
+  assert.match(r.stdout, /MODE_OFF_RAN/);
+  assert.strictEqual(r.sandbox, 'off');
+  // With no jail the command keeps the host network — surfaced honestly (Task 4.4b).
+  assert.strictEqual(r.network, 'on');
+  _resetSandboxDetection();
+});
+
+test('no MODEL-reachable path disables the sandbox: call-level options cannot flip the decision', async () => {
+  primeUnavailable();
+  const { agentExecShell } = buildExec({ config: { sandbox: { mode: 'auto' } } });
+  // A model only ever controls the command string + framework {signal}. Even if
+  // call options carried sandbox-ish keys (they never do in the real schema),
+  // they must NOT disable the gate — the decision reads only human config.
+  const r = await agentExecShell('echo SHOULD_NOT_RUN', { sandbox: 'off', mode: 'off', skipSandbox: true, failIfUnavailable: false });
+  assert.strictEqual(r.blocked, true, 'call-level options cannot disable the sandbox');
+  assert.strictEqual(r.sandbox, 'unavailable');
+  _resetSandboxDetection();
+});
+
+// Binary network isolation surfaced through the executor (Task 4.4b). Uses the
+// REAL sandbox so the result's `network` field reflects an actual kernel jail;
+// skips gracefully when the primitive is absent (mirrors the integration suite).
+const _realDet = (() => { _resetSandboxDetection(); const d = detectSandbox({ force: true }); _resetSandboxDetection(); return d; })();
+const NET_SKIP = _realDet.available && _realDet.tool === 'bwrap'
+  ? false
+  : `OS sandbox (bwrap) unavailable on this runner (${_realDet.reason || _realDet.platform})`;
+
+test('sandbox.network off → the shell result reports net OFF and the command has no network (real jail)', { skip: NET_SKIP }, async () => {
+  _resetSandboxDetection();
+  detectSandbox({ force: true }); // real detection, available
+  const probe = path.join(os.tmpdir(), `semalt-agent-netprobe-${process.pid}.js`);
+  fs.writeFileSync(probe, "const i=require('os').networkInterfaces();const nonLo=Object.keys(i).filter(n=>n!=='lo'&&n!=='lo0');process.exit(nonLo.length>0?0:7);");
+  try {
+    const { agentExecShell } = buildExec({ config: { sandbox: { mode: 'auto', network: 'off' }, command_timeout_ms: 10000 } });
+    // Pass model-reachable-looking call options — they must NOT re-enable the network.
+    const r = await agentExecShell(`${JSON.stringify(process.execPath)} ${JSON.stringify(probe)}`, { network: 'on', noNetwork: false });
+    assert.strictEqual(r.sandbox, 'on', 'ran inside a real jail');
+    assert.strictEqual(r.network, 'off', 'the result reports kernel-level no-network');
+    assert.strictEqual(r.exit_code, 7, 'the jailed command genuinely had no network (only loopback)');
+  } finally {
+    try { fs.unlinkSync(probe); } catch {}
+    _resetSandboxDetection();
+  }
+});
+
+test('the deny-list still fires UNDER the sandbox layer (defense in depth, agent-initiated)', async () => {
+  primeUnavailable();
+  const { agentExecShell } = buildExec({ config: { sandbox: { mode: 'off' } } });
+  // Even with the sandbox off, the deny-list chokepoint must still hard-block a
+  // destructive agent command before it ever reaches the spawn/sandbox path.
+  const r = await agentExecShell('rm -rf /');
+  assert.strictEqual(r.blocked, true);
+  assert.match(r.stderr, /deny-list/i);
+  _resetSandboxDetection();
+});

package/test/sandbox-integration.test.js

@@ -0,0 +1,216 @@
+'use strict';
+
+// Kernel-level enforcement tests for the OS sandbox (Task 4.4). These run REAL
+// bwrap (Linux/WSL2) or sandbox-exec (macOS) jails and assert the OS — not our
+// pattern-matching — blocks the writes. They SKIP gracefully when the primitive
+// is absent on the runner (mirroring the ripgrep-parity pattern), so the suite
+// stays green on a Windows/WSL1 box or a Linux box without bubblewrap.
+
+const { test } = require('node:test');
+const assert = require('node:assert');
+const fs = require('fs');
+const os = require('os');
+const path = require('path');
+const { spawnSync } = require('child_process');
+
+const { detectSandbox, buildBwrapArgs, buildSeatbeltPolicy } = require('../lib/sandbox');
+
+const det = detectSandbox({ force: true });
+const SKIP = det.available ? false : `OS sandbox tool unavailable on this runner (${det.reason || det.platform})`;
+
+function mkdir(prefix) {
+  return fs.realpathSync(fs.mkdtempSync(path.join(os.tmpdir(), prefix)));
+}
+
+// Run `cmd` inside a real jail whose ONLY writable root is `writableRoots`, with
+// `protectedPaths` forced read-only. Returns the spawn result ({ status, ... }).
+function runJailed(cmd, { writableRoots, protectedPaths, chdir }) {
+  if (det.tool === 'bwrap') {
+    const args = buildBwrapArgs({
+      writableRoots,
+      protectedPaths,
+      rootWritable: false,
+      chdir,
+      fsExists: (p) => { try { return fs.existsSync(p); } catch { return false; } },
+    });
+    return spawnSync(det.binPath || 'bwrap', [...args, '/bin/sh', '-c', cmd], { encoding: 'utf8', timeout: 10000 });
+  }
+  // sandbox-exec (macOS Seatbelt)
+  const policy = buildSeatbeltPolicy({ writableRoots, protectedPaths, rootWritable: false });
+  return spawnSync(det.binPath || 'sandbox-exec', ['-p', policy, '/bin/sh', '-c', cmd], { encoding: 'utf8', timeout: 10000 });
+}
+
+test('a write INSIDE the working dir succeeds under the jail', { skip: SKIP }, () => {
+  const work = mkdir('semalt-sbx-work-');
+  const r = runJailed(`echo ok > ${work}/inside.txt`, { writableRoots: [work], protectedPaths: [], chdir: work });
+  assert.strictEqual(r.status, 0, `expected success, stderr: ${r.stderr}`);
+  assert.ok(fs.existsSync(path.join(work, 'inside.txt')), 'file inside the working dir should be written');
+});
+
+test('a write OUTSIDE the working dir is blocked by the kernel layer', { skip: SKIP }, () => {
+  const work = mkdir('semalt-sbx-work-');
+  const outside = mkdir('semalt-sbx-out-');
+  const target = path.join(outside, 'escaped.txt');
+  const r = runJailed(`echo pwned > ${target}`, { writableRoots: [work], protectedPaths: [], chdir: work });
+  assert.notStrictEqual(r.status, 0, 'write outside the working dir must fail');
+  assert.ok(!fs.existsSync(target), 'the out-of-jail file must NOT exist');
+});
+
+test('writes to a protected dir are denied — including a NOT-YET-EXISTING config (CVE-2026-25725)', { skip: SKIP }, () => {
+  const work = mkdir('semalt-sbx-work-');
+  // Simulate ~/.semalt-ai: the dir exists but config.json does NOT. The whole
+  // dir is bound read-only, so the jailed process cannot CREATE the missing file
+  // to inject host-privileged hooks.
+  const protectedDir = mkdir('semalt-sbx-prot-');
+  const missingConfig = path.join(protectedDir, 'config.json');
+  assert.ok(!fs.existsSync(missingConfig), 'precondition: config.json does not exist yet');
+  const r = runJailed(`echo '{"hooks":1}' > ${missingConfig}`, { writableRoots: [work], protectedPaths: [protectedDir], chdir: work });
+  assert.notStrictEqual(r.status, 0, 'creating a missing config in a protected dir must fail');
+  assert.ok(!fs.existsSync(missingConfig), 'the not-yet-existing config must NOT have been created');
+});
+
+test('a protected dir nested inside a writable root still wins (read-only)', { skip: SKIP }, () => {
+  // cwd == $HOME edge case: the writable root CONTAINS the protected dir, and the
+  // protected re-bind must still win.
+  const work = mkdir('semalt-sbx-home-');
+  const protectedDir = path.join(work, '.semalt-ai');
+  fs.mkdirSync(protectedDir);
+  const target = path.join(protectedDir, 'config.json');
+  const r = runJailed(`echo x > ${target}`, { writableRoots: [work], protectedPaths: [protectedDir], chdir: work });
+  assert.notStrictEqual(r.status, 0, 'protected dir nested in a writable root must stay read-only');
+  assert.ok(!fs.existsSync(target), 'config.json under the nested protected dir must NOT be created');
+});
+
+test('a project .semalt/config.json write is blocked by the kernel layer, incl. not-yet-existing (Pre-Task 5.0b)', { skip: SKIP }, () => {
+  // The project .semalt dir lives INSIDE the writable working dir, yet binding it
+  // read-only must still win — so a sandboxed shell cannot create or modify
+  // .semalt/config.json (or agents/hooks) to drive host-privileged execution.
+  // Mirrors the CVE-2026-25725 not-yet-existing-file pattern: the dir exists, the
+  // config file does not.
+  const work = mkdir('semalt-sbx-proj-');
+  const dotSemalt = path.join(work, '.semalt');
+  fs.mkdirSync(dotSemalt);
+  const missingConfig = path.join(dotSemalt, 'config.json');
+  assert.ok(!fs.existsSync(missingConfig), 'precondition: .semalt/config.json does not exist yet');
+  const r = runJailed(`echo '{"hooks":1}' > ${missingConfig}`, { writableRoots: [work], protectedPaths: [dotSemalt], chdir: work });
+  assert.notStrictEqual(r.status, 0, 'creating .semalt/config.json inside the jail must fail');
+  assert.ok(!fs.existsSync(missingConfig), 'the not-yet-existing .semalt/config.json must NOT have been created');
+});
+
+test('a /proc/self/root rewrite is confined on the RESOLVED path (the Ona bypass)', { skip: SKIP }, () => {
+  // bwrap mounts a fresh /proc, so /proc/self/root resolves to the jail root and
+  // the kernel enforces the bind on the resolved path. (Seatbelt enforces on the
+  // resolved vnode the same way.) Either way the write must be blocked.
+  const work = mkdir('semalt-sbx-work-');
+  const outside = mkdir('semalt-sbx-out-');
+  const viaProc = `/proc/self/root${path.join(outside, 'rewrite.txt')}`;
+  const r = runJailed(`echo pwned > ${viaProc}`, { writableRoots: [work], protectedPaths: [], chdir: work });
+  assert.notStrictEqual(r.status, 0, 'a /proc/self/root rewrite must be confined on the resolved path');
+  assert.ok(!fs.existsSync(path.join(outside, 'rewrite.txt')), 'the rewritten target must NOT be written');
+});
+
+test('child processes inherit the jail (a spawned subprocess is confined)', { skip: SKIP }, () => {
+  const work = mkdir('semalt-sbx-work-');
+  const outside = mkdir('semalt-sbx-out-');
+  const target = path.join(outside, 'child.txt');
+  // The outer sh spawns an inner sh that attempts the escape — the boundary must
+  // cover the whole subprocess tree, not just the first process.
+  const r = runJailed(`sh -c "echo pwned > ${target}"`, { writableRoots: [work], protectedPaths: [], chdir: work });
+  assert.notStrictEqual(r.status, 0, 'a child process must not be able to escape the jail');
+  assert.ok(!fs.existsSync(target), 'the child-written out-of-jail file must NOT exist');
+});
+
+test('reads are allowed broadly even when writes are confined', { skip: SKIP }, () => {
+  const work = mkdir('semalt-sbx-work-');
+  // /etc/hostname exists on Linux; on macOS read /etc/hosts. Pick one that exists.
+  const readable = fs.existsSync('/etc/hostname') ? '/etc/hostname' : '/etc/hosts';
+  const r = runJailed(`cat ${readable} > ${work}/copy.txt`, { writableRoots: [work], protectedPaths: ['/etc'], chdir: work });
+  assert.strictEqual(r.status, 0, `reading ${readable} should succeed, stderr: ${r.stderr}`);
+});
+
+// ---------------------------------------------------------------------------
+// Binary network isolation (Task 4.4b) — REAL kernel enforcement.
+// ---------------------------------------------------------------------------
+//
+// Discriminator (no external connectivity required, so it is reliable in CI):
+//   * bwrap (Linux/WSL2): --unshare-net gives the jail a fresh network namespace
+//     with NO real interfaces — only loopback. We count non-loopback interfaces.
+//   * sandbox-exec (macOS): (deny network*) blocks socket operations — we test
+//     whether a TCP bind is permitted. (Skips on this Linux runner.)
+// Exit 0 ⇒ the probe HAS network; exit 7 ⇒ it does NOT.
+
+const NODE = process.execPath;
+
+function writeNetProbe(dir) {
+  const body = det.tool === 'bwrap'
+    ? "const i=require('os').networkInterfaces();const nonLo=Object.keys(i).filter(n=>n!=='lo'&&n!=='lo0');process.exit(nonLo.length>0?0:7);"
+    : "const s=require('net').createServer();s.on('error',()=>process.exit(7));s.listen(0,'0.0.0.0',()=>{s.close();process.exit(0);});";
+  const p = path.join(dir, 'netprobe.js');
+  fs.writeFileSync(p, body);
+  return p;
+}
+
+// Run a command inside a jail with the given network mode. `cmd` defaults to the
+// network probe; callers may override to test composition with the fs layer.
+function runJailedNet({ network, writableRoots, protectedPaths = [], chdir, cmd }) {
+  if (det.tool === 'bwrap') {
+    const args = buildBwrapArgs({
+      writableRoots, protectedPaths, rootWritable: false, chdir, network,
+      fsExists: (p) => { try { return fs.existsSync(p); } catch { return false; } },
+    });
+    return spawnSync(det.binPath || 'bwrap', [...args, '/bin/sh', '-c', cmd], { encoding: 'utf8', timeout: 10000 });
+  }
+  const policy = buildSeatbeltPolicy({ writableRoots, protectedPaths, rootWritable: false, network });
+  return spawnSync(det.binPath || 'sandbox-exec', ['-p', policy, '/bin/sh', '-c', cmd], { encoding: 'utf8', timeout: 10000 });
+}
+
+// Does the HOST itself have network the probe can see? (A degenerate CI box with
+// only loopback would make the "network on" positive vacuous — guard for it.)
+function hostHasNetwork() {
+  const dir = mkdir('semalt-sbx-host-');
+  const probe = writeNetProbe(dir);
+  const r = spawnSync(NODE, [probe], { encoding: 'utf8', timeout: 10000 });
+  return r.status === 0;
+}
+
+test('network OFF: a sandboxed command CANNOT reach the network (kernel-enforced)', { skip: SKIP }, () => {
+  const work = mkdir('semalt-sbx-net-off-');
+  const probe = writeNetProbe(work);
+  const r = runJailedNet({ network: 'off', writableRoots: [work], chdir: work, cmd: `${NODE} ${probe}` });
+  assert.strictEqual(r.status, 7, `no-network jail must have no network, got status ${r.status} stderr: ${r.stderr}`);
+});
+
+test('PAIRED positive — network ON: the same sandboxed command CAN reach the network', { skip: SKIP }, () => {
+  if (!hostHasNetwork()) { return; } // degenerate runner with only loopback — nothing to pair against
+  const work = mkdir('semalt-sbx-net-on-');
+  const probe = writeNetProbe(work);
+  const on = runJailedNet({ network: 'on', writableRoots: [work], chdir: work, cmd: `${NODE} ${probe}` });
+  assert.strictEqual(on.status, 0, `network-on jail must keep the host network, stderr: ${on.stderr}`);
+  // And the negative side of the pair, for an unambiguous on≠off difference.
+  const off = runJailedNet({ network: 'off', writableRoots: [work], chdir: work, cmd: `${NODE} ${probe}` });
+  assert.strictEqual(off.status, 7, 'network-off must differ from network-on');
+});
+
+test('network isolation COMPOSES with filesystem confinement (both apply)', { skip: SKIP }, () => {
+  // One no-network jail: prove the fs boundary AND the net boundary hold together.
+  const work = mkdir('semalt-sbx-compose-');
+  const outside = mkdir('semalt-sbx-compose-out-');
+  const probe = writeNetProbe(work);
+  // (a) filesystem: an out-of-CWD write is still blocked under the no-network jail.
+  const target = path.join(outside, 'escaped.txt');
+  const wr = runJailedNet({ network: 'off', writableRoots: [work], chdir: work, cmd: `echo pwned > ${target}` });
+  assert.notStrictEqual(wr.status, 0, 'fs confinement still applies under network-off');
+  assert.ok(!fs.existsSync(target), 'the out-of-jail write must not land');
+  // (b) network: the same jail config has no network.
+  const nr = runJailedNet({ network: 'off', writableRoots: [work], chdir: work, cmd: `${NODE} ${probe}` });
+  assert.strictEqual(nr.status, 7, 'network confinement applies in the same jail');
+});
+
+test('child processes inherit the no-network jail', { skip: SKIP }, () => {
+  const work = mkdir('semalt-sbx-net-child-');
+  const probe = writeNetProbe(work);
+  // The outer sh spawns an INNER sh that runs the probe — the no-network boundary
+  // must cover the whole subprocess tree, not just the first process.
+  const r = runJailedNet({ network: 'off', writableRoots: [work], chdir: work, cmd: `sh -c "${NODE} ${probe}"` });
+  assert.strictEqual(r.status, 7, 'a child process must also have no network');
+});