@vellumai/assistant 0.3.19 → 0.3.21

package/src/__tests__/skill-projection-feature-flag.test.ts

@@ -0,0 +1,363 @@
+/**
+ * Tests that projectSkillTools drops flag-OFF active skills from projected
+ * tools, even when conversation history contains old markers for those skills.
+ */
+import * as realFs from 'node:fs';
+
+import { beforeEach, describe, expect, mock, test } from 'bun:test';
+
+import type { SkillSummary, SkillToolManifest } from '../config/skills.js';
+import { RiskLevel } from '../permissions/types.js';
+import type { Message } from '../providers/types.js';
+import type { Tool } from '../tools/types.js';
+
+// ---------------------------------------------------------------------------
+// Mock state
+// ---------------------------------------------------------------------------
+
+let mockCatalog: SkillSummary[] = [];
+let mockManifests: Record<string, SkillToolManifest | null> = {};
+let mockRegisteredTools: Map<string, Tool[]> = new Map();
+let mockUnregisteredSkillIds: string[] = [];
+let mockSkillRefCount: Map<string, number> = new Map();
+
+let currentConfig: Record<string, unknown> = { featureFlags: {} };
+const DECLARED_SKILL_ID = 'hatch-new-assistant';
+const DECLARED_LEGACY_KEY = 'skills.hatch-new-assistant.enabled';
+
+// ---------------------------------------------------------------------------
+// Mocks
+// ---------------------------------------------------------------------------
+
+mock.module('../config/skills.js', () => ({
+  loadSkillCatalog: () => mockCatalog,
+}));
+
+mock.module('../config/loader.js', () => ({
+  getConfig: () => currentConfig,
+}));
+
+mock.module('../skills/active-skill-tools.js', () => {
+  const parseMarkers = (messages: Message[]) => {
+    const skillLoadUseIds = new Set<string>();
+    for (const msg of messages) {
+      for (const block of msg.content) {
+        if (block.type === 'tool_use' && block.name === 'skill_load') {
+          skillLoadUseIds.add(block.id);
+        }
+      }
+    }
+    const re = /<loaded_skill\s+id="([^"]+)"(?:\s+version="([^"]+)")?\s*\/>/g;
+    const seen = new Set<string>();
+    const entries: Array<{ id: string; version?: string }> = [];
+    for (const msg of messages) {
+      for (const block of msg.content) {
+        if (block.type !== 'tool_result') continue;
+        if (!skillLoadUseIds.has(block.tool_use_id)) continue;
+        const text = block.content;
+        if (!text) continue;
+        for (const m of text.matchAll(re)) {
+          if (!seen.has(m[1])) {
+            seen.add(m[1]);
+            const entry: { id: string; version?: string } = { id: m[1] };
+            if (m[2]) entry.version = m[2];
+            entries.push(entry);
+          }
+        }
+      }
+    }
+    return entries;
+  };
+
+  return {
+    deriveActiveSkills: (messages: Message[]) => parseMarkers(messages),
+    deriveActiveSkillIds: (messages: Message[]) => parseMarkers(messages).map((e) => e.id),
+  };
+});
+
+mock.module('../skills/tool-manifest.js', () => ({
+  parseToolManifestFile: (filePath: string) => {
+    const parts = filePath.split('/');
+    const skillId = parts[parts.length - 2];
+    const manifest = mockManifests[skillId];
+    if (!manifest) throw new Error(`Mock: no manifest for skill "${skillId}"`);
+    return manifest;
+  },
+}));
+
+mock.module('../tools/skills/skill-tool-factory.js', () => ({
+  createSkillToolsFromManifest: (
+    entries: SkillToolManifest['tools'],
+    skillId: string,
+    _skillDir: string,
+    versionHash: string,
+    bundled?: boolean,
+  ): Tool[] => {
+    return entries.map((entry) => ({
+      name: entry.name,
+      description: entry.description,
+      category: entry.category,
+      defaultRiskLevel: RiskLevel.Medium,
+      origin: 'skill' as const,
+      ownerSkillId: skillId,
+      ownerSkillVersionHash: versionHash,
+      ownerSkillBundled: bundled ?? undefined,
+      getDefinition: () => ({
+        name: entry.name,
+        description: entry.description,
+        input_schema: entry.input_schema as object,
+      }),
+      execute: async () => ({ content: '', isError: false }),
+    }));
+  },
+}));
+
+mock.module('../tools/registry.js', () => ({
+  registerSkillTools: (tools: Tool[]) => {
+    const skillIds = new Set<string>();
+    for (const tool of tools) {
+      const skillId = tool.ownerSkillId!;
+      skillIds.add(skillId);
+      const existing = mockRegisteredTools.get(skillId) ?? [];
+      existing.push(tool);
+      mockRegisteredTools.set(skillId, existing);
+    }
+    for (const id of skillIds) {
+      mockSkillRefCount.set(id, (mockSkillRefCount.get(id) ?? 0) + 1);
+    }
+    return tools;
+  },
+  unregisterSkillTools: (skillId: string) => {
+    mockUnregisteredSkillIds.push(skillId);
+    const current = mockSkillRefCount.get(skillId) ?? 0;
+    if (current > 1) {
+      mockSkillRefCount.set(skillId, current - 1);
+      return;
+    }
+    mockSkillRefCount.delete(skillId);
+    mockRegisteredTools.delete(skillId);
+  },
+  getTool: (name: string): Tool | undefined => {
+    let found: Tool | undefined;
+    for (const tools of mockRegisteredTools.values()) {
+      for (const tool of tools) {
+        if (tool.name === name) found = tool;
+      }
+    }
+    return found;
+  },
+  getSkillToolNames: () => {
+    const names: string[] = [];
+    for (const tools of mockRegisteredTools.values()) {
+      for (const tool of tools) {
+        names.push(tool.name);
+      }
+    }
+    return names;
+  },
+}));
+
+mock.module('node:fs', () => ({
+  ...realFs,
+  existsSync: (p: string) => {
+    if (typeof p === 'string' && p.endsWith('TOOLS.json')) {
+      const parts = p.split('/');
+      const skillId = parts[parts.length - 2];
+      return skillId in mockManifests;
+    }
+    return realFs.existsSync(p);
+  },
+}));
+
+mock.module('../skills/version-hash.js', () => ({
+  computeSkillVersionHash: (skillDir: string) => {
+    const parts = skillDir.split('/');
+    const skillId = parts[parts.length - 1];
+    return `v1:default-hash-${skillId}`;
+  },
+}));
+
+mock.module('../util/logger.js', () => ({
+  getLogger: () => ({
+    info: () => {},
+    warn: () => {},
+    debug: () => {},
+    error: () => {},
+  }),
+}));
+
+// ---------------------------------------------------------------------------
+// Import module under test (after mocks)
+// ---------------------------------------------------------------------------
+
+const { projectSkillTools, resetSkillToolProjection } = await import(
+  '../daemon/session-skill-tools.js'
+);
+
+// ---------------------------------------------------------------------------
+// Helpers
+// ---------------------------------------------------------------------------
+
+function makeSkill(id: string): SkillSummary {
+  return {
+    id,
+    name: id,
+    description: `Skill ${id}`,
+    directoryPath: `/skills/${id}`,
+    skillFilePath: `/skills/${id}/SKILL.md`,
+    userInvocable: true,
+    disableModelInvocation: false,
+    source: 'managed',
+  };
+}
+
+function makeManifest(toolNames: string[]): SkillToolManifest {
+  return {
+    version: 1,
+    tools: toolNames.map((name) => ({
+      name,
+      description: `Tool ${name}`,
+      category: 'test',
+      risk: 'medium' as const,
+      input_schema: { type: 'object', properties: {} },
+      executor: 'run.ts',
+      execution_target: 'host' as const,
+    })),
+  };
+}
+
+/** Build conversation history with a loaded_skill marker. */
+function buildHistoryWithMarker(skillId: string): Message[] {
+  return [
+    {
+      role: 'assistant',
+      content: [{ type: 'tool_use', id: 'tu-1', name: 'skill_load', input: { skill: skillId } }],
+    },
+    {
+      role: 'user',
+      content: [{
+        type: 'tool_result',
+        tool_use_id: 'tu-1',
+        content: `Loaded.\n\n<loaded_skill id="${skillId}" version="v1:default-hash-${skillId}" />`,
+      }],
+    },
+  ];
+}
+
+// ---------------------------------------------------------------------------
+// Tests
+// ---------------------------------------------------------------------------
+
+describe('projectSkillTools feature flag enforcement', () => {
+  beforeEach(() => {
+    mockCatalog = [];
+    mockManifests = {};
+    mockRegisteredTools = new Map();
+    mockUnregisteredSkillIds = [];
+    mockSkillRefCount = new Map();
+    currentConfig = { featureFlags: {} };
+    resetSkillToolProjection();
+  });
+
+  test('no skill tools projected for flag OFF skill even with old markers', () => {
+    mockCatalog = [makeSkill(DECLARED_SKILL_ID)];
+    mockManifests = { [DECLARED_SKILL_ID]: makeManifest(['browser_navigate', 'browser_click']) };
+
+    // History contains a marker from before the flag was turned off
+    const history = buildHistoryWithMarker(DECLARED_SKILL_ID);
+    const prevActive = new Map<string, string>();
+
+    // Feature flag is OFF
+    currentConfig = { featureFlags: { [DECLARED_LEGACY_KEY]: false } };
+
+    const result = projectSkillTools(history, { previouslyActiveSkillIds: prevActive });
+
+    // No tools should be projected
+    expect(result.toolDefinitions).toHaveLength(0);
+    expect(result.allowedToolNames.size).toBe(0);
+  });
+
+  test('skill tools projected normally when flag is ON', () => {
+    mockCatalog = [makeSkill(DECLARED_SKILL_ID)];
+    mockManifests = { [DECLARED_SKILL_ID]: makeManifest(['browser_navigate', 'browser_click']) };
+
+    const history = buildHistoryWithMarker(DECLARED_SKILL_ID);
+    const prevActive = new Map<string, string>();
+
+    // Feature flag is ON
+    currentConfig = { featureFlags: { [DECLARED_LEGACY_KEY]: true } };
+
+    const result = projectSkillTools(history, { previouslyActiveSkillIds: prevActive });
+
+    expect(result.toolDefinitions).toHaveLength(2);
+    expect(result.allowedToolNames.has('browser_navigate')).toBe(true);
+    expect(result.allowedToolNames.has('browser_click')).toBe(true);
+  });
+
+  test('skill tools projected normally when flag key is absent (defaults to enabled)', () => {
+    mockCatalog = [makeSkill(DECLARED_SKILL_ID)];
+    mockManifests = { [DECLARED_SKILL_ID]: makeManifest(['browser_navigate']) };
+
+    const history = buildHistoryWithMarker(DECLARED_SKILL_ID);
+    const prevActive = new Map<string, string>();
+
+    // featureFlags is empty — should default to enabled
+    currentConfig = { featureFlags: {} };
+
+    const result = projectSkillTools(history, { previouslyActiveSkillIds: prevActive });
+
+    expect(result.toolDefinitions).toHaveLength(1);
+    expect(result.allowedToolNames.has('browser_navigate')).toBe(true);
+  });
+
+  test('mixed flag-on and flag-off skills — only flag-on tools projected', () => {
+    mockCatalog = [makeSkill(DECLARED_SKILL_ID), makeSkill('twitter')];
+    mockManifests = {
+      [DECLARED_SKILL_ID]: makeManifest(['browser_navigate']),
+      twitter: makeManifest(['twitter_post']),
+    };
+
+    const history: Message[] = [
+      {
+        role: 'assistant',
+        content: [
+          { type: 'tool_use', id: 'tu-1', name: 'skill_load', input: { skill: DECLARED_SKILL_ID } },
+        ],
+      },
+      {
+        role: 'user',
+        content: [{
+          type: 'tool_result',
+          tool_use_id: 'tu-1',
+          content: `<loaded_skill id="${DECLARED_SKILL_ID}" version="v1:default-hash-${DECLARED_SKILL_ID}" />`,
+        }],
+      },
+      {
+        role: 'assistant',
+        content: [
+          { type: 'tool_use', id: 'tu-2', name: 'skill_load', input: { skill: 'twitter' } },
+        ],
+      },
+      {
+        role: 'user',
+        content: [{
+          type: 'tool_result',
+          tool_use_id: 'tu-2',
+          content: '<loaded_skill id="twitter" version="v1:default-hash-twitter" />',
+        }],
+      },
+    ];
+    const prevActive = new Map<string, string>();
+
+    // Declared skill is OFF, twitter is undeclared with no persisted override so remains ON.
+    currentConfig = {
+      featureFlags: { [DECLARED_LEGACY_KEY]: false },
+    };
+
+    const result = projectSkillTools(history, { previouslyActiveSkillIds: prevActive });
+
+    const toolNames = result.toolDefinitions.map((t) => t.name);
+    expect(toolNames).toContain('twitter_post');
+    expect(toolNames).not.toContain('browser_navigate');
+  });
+});

package/src/__tests__/system-prompt.test.ts

@@ -49,7 +49,7 @@ mock.module('../util/logger.js', () => ({
 
 mock.module('../config/loader.js', () => ({
   getConfig: () => ({
-    sandbox: { enabled: true, backend: 'docker' },
+    sandbox: { enabled: true },
   }),
 }));
 

package/src/__tests__/terminal-sandbox.test.ts

@@ -45,14 +45,12 @@ mock.module('node:fs', () => ({
 const { wrapCommand } = await import('../tools/terminal/sandbox.js');
 const { ToolError } = await import('../util/errors.js');
 
-const defaultDocker = { image: 'vellum-sandbox:latest', shell: 'bash', cpus: 1, memoryMb: 512, pidsLimit: 256, network: 'none' as const };
-
 function disabledConfig(): SandboxConfig {
-  return { enabled: false, backend: 'native', docker: defaultDocker };
+  return { enabled: false };
 }
 
 function nativeConfig(): SandboxConfig {
-  return { enabled: true, backend: 'native', docker: defaultDocker };
+  return { enabled: true };
 }
 
 describe('terminal sandbox — disabled behavior', () => {
@@ -101,14 +99,20 @@ describe('terminal sandbox — enabled fail-closed behavior', () => {
   });
 
   test('returns bwrap wrapper when bwrap is available on linux', () => {
+    // GIVEN bwrap is available on a linux platform
     execSyncMock.mockImplementation(() => undefined);
+
+    // WHEN wrapping a command with the native sandbox config
     const result = wrapCommand('echo hello', '/home/user/project', nativeConfig());
+
+    // THEN the result uses bwrap with network isolation
     expect(result.command).toBe('bwrap');
     expect(result.sandboxed).toBe(true);
     expect(result.args).toContain('--ro-bind');
     expect(result.args).toContain('--unshare-net');
     expect(result.args).toContain('--unshare-pid');
-    // The user command runs via bash inside the sandbox
+
+    // AND the user command runs via bash inside the sandbox
     const bashIdx = result.args.indexOf('bash');
     expect(bashIdx).toBeGreaterThan(0);
     expect(result.args.slice(bashIdx)).toEqual(['bash', '-c', '--', 'echo hello']);
@@ -155,13 +159,21 @@ describe('terminal sandbox — macOS sandbox-exec behavior', () => {
   });
 
   test('returns sandbox-exec wrapper on macOS when enabled', () => {
+    // GIVEN the platform is macOS
+    // (set in beforeEach)
+
+    // WHEN wrapping a command with the native sandbox config
     const result = wrapCommand('echo hello', '/tmp/project', nativeConfig());
+
+    // THEN the result uses sandbox-exec
     expect(result.command).toBe('sandbox-exec');
     expect(result.sandboxed).toBe(true);
     expect(result.args[0]).toBe('-f');
-    // Profile path is the second arg
+
+    // AND the profile path is the second arg
     expect(result.args[1]).toContain('sandbox-profile-');
-    // bash -c -- command follows the profile
+
+    // AND bash -c -- command follows the profile
     expect(result.args.slice(2)).toEqual(['bash', '-c', '--', 'echo hello']);
   });
 
@@ -195,10 +207,131 @@ describe('terminal sandbox — backend selection', () => {
     expect(result.sandboxed).toBe(true);
   });
 
-  test('disabled config ignores backend setting', () => {
-    const config: SandboxConfig = { enabled: false, backend: 'docker', docker: defaultDocker };
+  test('disabled config returns unsandboxed wrapper', () => {
+    const config: SandboxConfig = { enabled: false };
     const result = wrapCommand('echo hello', '/tmp/project', config);
     expect(result.command).toBe('bash');
     expect(result.sandboxed).toBe(false);
   });
 });
+
+describe('terminal sandbox — proxied network mode on Linux', () => {
+  beforeEach(() => {
+    platform = 'linux';
+    execSyncMock.mockImplementation(() => undefined);
+  });
+
+  test('omits --unshare-net when networkMode is proxied', () => {
+    /**
+     * Tests that bwrap args omit --unshare-net in proxied mode so the process
+     * can reach the local credential proxy on 127.0.0.1.
+     */
+
+    // GIVEN bwrap is available on linux
+    // (set in beforeEach)
+
+    // WHEN wrapping a command with proxied network mode
+    const result = wrapCommand('curl https://example.com', '/home/user/project', nativeConfig(), { networkMode: 'proxied' });
+
+    // THEN the result uses bwrap
+    expect(result.command).toBe('bwrap');
+    expect(result.sandboxed).toBe(true);
+
+    // AND --unshare-net is NOT present (network is allowed)
+    expect(result.args).not.toContain('--unshare-net');
+
+    // AND --unshare-pid is still present (PID isolation remains)
+    expect(result.args).toContain('--unshare-pid');
+  });
+
+  test('includes --unshare-net when networkMode is off', () => {
+    /**
+     * Tests that bwrap args include --unshare-net when network is off (default).
+     */
+
+    // GIVEN bwrap is available on linux
+    // (set in beforeEach)
+
+    // WHEN wrapping a command with network mode off
+    const result = wrapCommand('echo hello', '/home/user/project', nativeConfig(), { networkMode: 'off' });
+
+    // THEN --unshare-net is present (network is blocked)
+    expect(result.args).toContain('--unshare-net');
+  });
+
+  test('includes --unshare-net when no options are provided', () => {
+    /**
+     * Tests that the default behavior (no options) blocks network access.
+     */
+
+    // GIVEN bwrap is available on linux
+    // (set in beforeEach)
+
+    // WHEN wrapping a command without any options
+    const result = wrapCommand('echo hello', '/home/user/project', nativeConfig());
+
+    // THEN --unshare-net is present (network is blocked by default)
+    expect(result.args).toContain('--unshare-net');
+  });
+});
+
+describe('terminal sandbox — proxied network mode on macOS', () => {
+  beforeEach(() => {
+    platform = 'darwin';
+    writeFileSyncMock.mockClear();
+    existsSyncMock.mockImplementation(() => true);
+  });
+
+  test('writes SBPL profile with allow network when networkMode is proxied', () => {
+    /**
+     * Tests that the macOS sandbox profile allows network access in proxied mode
+     * so the process can reach the local credential proxy.
+     */
+
+    // GIVEN the platform is macOS
+    // (set in beforeEach)
+
+    // WHEN wrapping a command with proxied network mode
+    wrapCommand('curl https://example.com', '/tmp/project', nativeConfig(), { networkMode: 'proxied' });
+
+    // THEN the written profile contains (allow network*) instead of (deny network*)
+    const profileContent = writeFileSyncMock.mock.calls[0]?.[1] as string;
+    expect(profileContent).toContain('(allow network*)');
+    expect(profileContent).not.toContain('(deny network*)');
+  });
+
+  test('writes SBPL profile with deny network when networkMode is off', () => {
+    /**
+     * Tests that the macOS sandbox profile blocks network access when network
+     * mode is off (the default behavior).
+     */
+
+    // GIVEN the platform is macOS
+    // (set in beforeEach)
+
+    // WHEN wrapping a command with network mode off
+    wrapCommand('echo hello', '/tmp/project', nativeConfig(), { networkMode: 'off' });
+
+    // THEN the written profile contains (deny network*)
+    const profileContent = writeFileSyncMock.mock.calls[0]?.[1] as string;
+    expect(profileContent).toContain('(deny network*)');
+    expect(profileContent).not.toContain('(allow network*)');
+  });
+
+  test('writes SBPL profile with deny network when no options are provided', () => {
+    /**
+     * Tests that the default behavior (no options) blocks network access on macOS.
+     */
+
+    // GIVEN the platform is macOS
+    // (set in beforeEach)
+
+    // WHEN wrapping a command without any options
+    wrapCommand('echo hello', '/tmp/project', nativeConfig());
+
+    // THEN the written profile contains (deny network*)
+    const profileContent = writeFileSyncMock.mock.calls[0]?.[1] as string;
+    expect(profileContent).toContain('(deny network*)');
+    expect(profileContent).not.toContain('(allow network*)');
+  });
+});

package/src/__tests__/terminal-tools.test.ts

@@ -1,4 +1,4 @@
-import { mkdirSync, mkdtempSync, rmSync, symlinkSync } from 'node:fs';
+import { mkdtempSync } from 'node:fs';
 import { tmpdir } from 'node:os';
 import { join } from 'node:path';
 
@@ -467,15 +467,6 @@ describe('buildSanitizedEnv', () => {
 describe('wrapCommand', () => {
   const disabledConfig: SandboxConfig = {
     enabled: false,
-    backend: 'native',
-    docker: {
-      image: 'vellum-sandbox:latest',
-      shell: 'bash',
-      cpus: 1,
-      memoryMb: 512,
-      pidsLimit: 256,
-      network: 'none',
-    },
   };
 
   test('disabled sandbox returns plain bash invocation', () => {
@@ -546,89 +537,7 @@ describe('Native sandbox backend', () => {
 });
 
 // ═══════════════════════════════════════════════════════════════════════════
-//  5. Docker sandbox backend
-// ═══════════════════════════════════════════════════════════════════════════
-
-describe('Docker sandbox backend', () => {
-  let DockerBackend: new (sandboxRoot: string, config?: Record<string, unknown>, uid?: number, gid?: number) => SandboxBackend;
-  let _resetDockerChecks: () => void;
-
-  const sandboxDir = join(testTmpDir, 'docker-sandbox');
-
-  beforeEach(async () => {
-    mkdirSync(sandboxDir, { recursive: true });
-    const mod = await import('../tools/terminal/backends/docker.js');
-    DockerBackend = mod.DockerBackend;
-    _resetDockerChecks = mod._resetDockerChecks;
-    _resetDockerChecks();
-  });
-
-  afterEach(() => {
-    try { rmSync(sandboxDir, { recursive: true, force: true }); } catch {}
-  });
-
-  test('constructor resolves symlinks in sandbox root', () => {
-    const realDir = join(testTmpDir, 'docker-real');
-    const linkDir = join(testTmpDir, 'docker-link');
-    mkdirSync(realDir, { recursive: true });
-    try {
-      symlinkSync(realDir, linkDir);
-      // Construct backend with the symlink — it should resolve to the real path.
-      const backend = new DockerBackend(linkDir, undefined, 1000, 1000);
-      // We can't inspect private fields directly, but wrapping will fail at
-      // preflight checks (Docker not available) — this tests that constructor
-      // does not throw on a valid symlinked path.
-      expect(backend).toBeDefined();
-    } finally {
-      try { rmSync(linkDir); } catch {}
-      try { rmSync(realDir, { recursive: true, force: true }); } catch {}
-    }
-  });
-
-  test('constructor rejects sandbox root with null bytes', () => {
-    // realpathSync throws TypeError before validatePathSafety can run
-    expect(() => new DockerBackend('/tmp/foo\0bar', undefined, 1000, 1000)).toThrow();
-  });
-
-  test('constructor rejects sandbox root with newlines', () => {
-    // Create a real directory with a newline in its name so realpathSync
-    // succeeds and the rejection comes from validatePathSafety, not ENOENT.
-    const nlDir = join(testTmpDir, 'has\nnewline');
-    mkdirSync(nlDir, { recursive: true });
-    try {
-      expect(() => new DockerBackend(nlDir, undefined, 1000, 1000)).toThrow(ToolError);
-    } finally {
-      try { rmSync(nlDir, { recursive: true, force: true }); } catch {}
-    }
-  });
-
-  test('constructor rejects sandbox root with carriage returns', () => {
-    // Create a real directory with a carriage return in its name so
-    // realpathSync succeeds and validatePathSafety is what rejects it.
-    const crDir = join(testTmpDir, 'has\rreturn');
-    mkdirSync(crDir, { recursive: true });
-    try {
-      expect(() => new DockerBackend(crDir, undefined, 1000, 1000)).toThrow(ToolError);
-    } finally {
-      try { rmSync(crDir, { recursive: true, force: true }); } catch {}
-    }
-  });
-
-  test('validates path safety after resolving symlinks', () => {
-    // Create a directory with a comma in the name to test validatePathSafety.
-    // On most filesystems this is allowed, so validatePathSafety should catch it.
-    const commaDir = join(testTmpDir, 'has,comma');
-    mkdirSync(commaDir, { recursive: true });
-    try {
-      expect(() => new DockerBackend(commaDir, undefined, 1000, 1000)).toThrow(ToolError);
-    } finally {
-      try { rmSync(commaDir, { recursive: true, force: true }); } catch {}
-    }
-  });
-});
-
-// ═══════════════════════════════════════════════════════════════════════════
-//  6. Shell tool — input validation
+//  5. Shell tool — input validation
 // ═══════════════════════════════════════════════════════════════════════════
 
 describe('Shell tool input validation', () => {