@wlfi-agent/cli 1.4.16 → 1.4.18

package/packages/rpc/src/index.js

@@ -0,0 +1 @@
+export * from './index.ts';

package/packages/ui/.turbo/turbo-build.log

@@ -1,43 +1,44 @@
-
-> @wlfi-agent/ui@0.0.0 build /Users/hanzhi/Documents/WLFI/wlfi-agent-sdk/packages/ui
-> tsup
-
-CLI Building entry: src/tailwind.ts, src/components/badge.tsx, src/components/button.tsx, src/components/card.tsx, src/components/input.tsx, src/components/label.tsx, src/components/separator.tsx, src/components/textarea.tsx, src/utils/cn.ts
-CLI Using tsconfig: tsconfig.json
-CLI tsup v8.5.1
-CLI Using tsup config: /Users/hanzhi/Documents/WLFI/wlfi-agent-sdk/packages/ui/tsup.config.ts
-CLI Target: es2022
-CLI Cleaning output folder
-ESM Build start
-ESM dist/tailwind.js                 1.59 KB
-ESM dist/utils/cn.js                 92.00 B
-ESM dist/components/label.js         327.00 B
-ESM dist/components/card.js          1.22 KB
-ESM dist/components/button.js        1.43 KB
-ESM dist/components/input.js         840.00 B
-ESM dist/components/badge.js         971.00 B
-ESM dist/components/textarea.js      785.00 B
-ESM dist/components/separator.js     349.00 B
-ESM dist/chunk-MOAFBKSA.js           209.00 B
-ESM dist/utils/cn.js.map             71.00 B
-ESM dist/tailwind.js.map             2.39 KB
-ESM dist/components/label.js.map     502.00 B
-ESM dist/components/card.js.map      2.10 KB
-ESM dist/components/input.js.map     1.12 KB
-ESM dist/components/button.js.map    2.14 KB
-ESM dist/components/textarea.js.map  1.05 KB
-ESM dist/components/badge.js.map     1.50 KB
-ESM dist/chunk-MOAFBKSA.js.map       368.00 B
-ESM dist/components/separator.js.map 519.00 B
-ESM ⚡️ Build success in 31ms
-DTS Build start
-DTS ⚡️ Build success in 688ms
-DTS dist/tailwind.d.ts             1.49 KB
-DTS dist/components/badge.d.ts     612.00 B
-DTS dist/components/button.d.ts    715.00 B
-DTS dist/components/card.d.ts      791.00 B
-DTS dist/components/input.d.ts     191.00 B
-DTS dist/components/label.d.ts     165.00 B
-DTS dist/components/separator.d.ts 166.00 B
-DTS dist/components/textarea.d.ts  206.00 B
-DTS dist/utils/cn.d.ts             106.00 B
+
+
+> @wlfi-agent/ui@0.0.0 build /Users/hanzhi/Documents/WLFI/wlfi-agent-sdk/packages/ui
+> tsup
+
+CLI Building entry: src/tailwind.ts, src/components/badge.tsx, src/components/button.tsx, src/components/card.tsx, src/components/input.tsx, src/components/label.tsx, src/components/separator.tsx, src/components/textarea.tsx, src/utils/cn.ts
+CLI Using tsconfig: tsconfig.json
+CLI tsup v8.5.1
+CLI Using tsup config: /Users/hanzhi/Documents/WLFI/wlfi-agent-sdk/packages/ui/tsup.config.ts
+CLI Target: es2022
+CLI Cleaning output folder
+ESM Build start
+ESM dist/utils/cn.js                 92.00 B
+ESM dist/components/badge.js         971.00 B
+ESM dist/tailwind.js                 1.59 KB
+ESM dist/components/button.js        1.43 KB
+ESM dist/components/input.js         840.00 B
+ESM dist/components/label.js         327.00 B
+ESM dist/components/textarea.js      785.00 B
+ESM dist/components/card.js          1.22 KB
+ESM dist/components/separator.js     349.00 B
+ESM dist/chunk-MOAFBKSA.js           209.00 B
+ESM dist/tailwind.js.map             2.39 KB
+ESM dist/utils/cn.js.map             71.00 B
+ESM dist/components/badge.js.map     1.50 KB
+ESM dist/components/input.js.map     1.12 KB
+ESM dist/components/button.js.map    2.14 KB
+ESM dist/components/separator.js.map 519.00 B
+ESM dist/components/label.js.map     502.00 B
+ESM dist/components/textarea.js.map  1.05 KB
+ESM dist/components/card.js.map      2.10 KB
+ESM dist/chunk-MOAFBKSA.js.map       368.00 B
+ESM ⚡️ Build success in 13ms
+DTS Build start
+DTS ⚡️ Build success in 792ms
+DTS dist/tailwind.d.ts             1.49 KB
+DTS dist/components/badge.d.ts     612.00 B
+DTS dist/components/button.d.ts    715.00 B
+DTS dist/components/card.d.ts      791.00 B
+DTS dist/components/input.d.ts     191.00 B
+DTS dist/components/label.d.ts     165.00 B
+DTS dist/components/separator.d.ts 166.00 B
+DTS dist/components/textarea.d.ts  206.00 B
+DTS dist/utils/cn.d.ts             106.00 B

package/packages/ui/dist/components/badge.d.ts

@@ -3,7 +3,7 @@ import { VariantProps } from 'class-variance-authority';
 import * as React from 'react';
 
 declare const badgeVariants: (props?: ({
-    variant?: "default" | "secondary" | "success" | "warning" | "destructive" | null | undefined;
+    variant?: "default" | "secondary" | "destructive" | "success" | "warning" | null | undefined;
 } & class_variance_authority_types.ClassProp) | undefined) => string;
 interface BadgeProps extends React.HTMLAttributes<HTMLDivElement>, VariantProps<typeof badgeVariants> {
 }

package/packages/ui/dist/components/button.d.ts

@@ -3,7 +3,7 @@ import { VariantProps } from 'class-variance-authority';
 import * as React from 'react';
 
 declare const buttonVariants: (props?: ({
-    variant?: "default" | "secondary" | "destructive" | "outline" | "ghost" | null | undefined;
+    variant?: "default" | "secondary" | "outline" | "ghost" | "destructive" | null | undefined;
     size?: "default" | "sm" | "lg" | null | undefined;
 } & class_variance_authority_types.ClassProp) | undefined) => string;
 interface ButtonProps extends React.ButtonHTMLAttributes<HTMLButtonElement>, VariantProps<typeof buttonVariants> {

package/packages/ui/node_modules/.bin/tsc

@@ -11,7 +11,7 @@ else
   export NODE_PATH="/Users/hanzhi/Documents/WLFI/wlfi-agent-sdk/node_modules/.pnpm/typescript@5.9.3/node_modules/typescript/bin/node_modules:/Users/hanzhi/Documents/WLFI/wlfi-agent-sdk/node_modules/.pnpm/typescript@5.9.3/node_modules/typescript/node_modules:/Users/hanzhi/Documents/WLFI/wlfi-agent-sdk/node_modules/.pnpm/typescript@5.9.3/node_modules:/Users/hanzhi/Documents/WLFI/wlfi-agent-sdk/node_modules/.pnpm/node_modules:$NODE_PATH"
 fi
 if [ -x "$basedir/node" ]; then
-  exec "$basedir/node"  "$basedir/../../../../node_modules/.pnpm/typescript@5.9.3/node_modules/typescript/bin/tsc" "$@"
+  exec "$basedir/node"  "$basedir/../typescript/bin/tsc" "$@"
 else
-  exec node  "$basedir/../../../../node_modules/.pnpm/typescript@5.9.3/node_modules/typescript/bin/tsc" "$@"
+  exec node  "$basedir/../typescript/bin/tsc" "$@"
 fi

package/packages/ui/node_modules/.bin/tsserver

@@ -11,7 +11,7 @@ else
   export NODE_PATH="/Users/hanzhi/Documents/WLFI/wlfi-agent-sdk/node_modules/.pnpm/typescript@5.9.3/node_modules/typescript/bin/node_modules:/Users/hanzhi/Documents/WLFI/wlfi-agent-sdk/node_modules/.pnpm/typescript@5.9.3/node_modules/typescript/node_modules:/Users/hanzhi/Documents/WLFI/wlfi-agent-sdk/node_modules/.pnpm/typescript@5.9.3/node_modules:/Users/hanzhi/Documents/WLFI/wlfi-agent-sdk/node_modules/.pnpm/node_modules:$NODE_PATH"
 fi
 if [ -x "$basedir/node" ]; then
-  exec "$basedir/node"  "$basedir/../../../../node_modules/.pnpm/typescript@5.9.3/node_modules/typescript/bin/tsserver" "$@"
+  exec "$basedir/node"  "$basedir/../typescript/bin/tsserver" "$@"
 else
-  exec node  "$basedir/../../../../node_modules/.pnpm/typescript@5.9.3/node_modules/typescript/bin/tsserver" "$@"
+  exec node  "$basedir/../typescript/bin/tsserver" "$@"
 fi

package/packages/ui/node_modules/.bin/tsup

@@ -11,7 +11,7 @@ else
   export NODE_PATH="/Users/hanzhi/Documents/WLFI/wlfi-agent-sdk/node_modules/.pnpm/tsup@8.5.1_jiti@1.21.7_postcss@8.5.8_tsx@4.21.0_typescript@5.9.3/node_modules/tsup/dist/node_modules:/Users/hanzhi/Documents/WLFI/wlfi-agent-sdk/node_modules/.pnpm/tsup@8.5.1_jiti@1.21.7_postcss@8.5.8_tsx@4.21.0_typescript@5.9.3/node_modules/tsup/node_modules:/Users/hanzhi/Documents/WLFI/wlfi-agent-sdk/node_modules/.pnpm/tsup@8.5.1_jiti@1.21.7_postcss@8.5.8_tsx@4.21.0_typescript@5.9.3/node_modules:/Users/hanzhi/Documents/WLFI/wlfi-agent-sdk/node_modules/.pnpm/node_modules:$NODE_PATH"
 fi
 if [ -x "$basedir/node" ]; then
-  exec "$basedir/node"  "$basedir/../../../../node_modules/.pnpm/tsup@8.5.1_jiti@1.21.7_postcss@8.5.8_tsx@4.21.0_typescript@5.9.3/node_modules/tsup/dist/cli-default.js" "$@"
+  exec "$basedir/node"  "$basedir/../tsup/dist/cli-default.js" "$@"
 else
-  exec node  "$basedir/../../../../node_modules/.pnpm/tsup@8.5.1_jiti@1.21.7_postcss@8.5.8_tsx@4.21.0_typescript@5.9.3/node_modules/tsup/dist/cli-default.js" "$@"
+  exec node  "$basedir/../tsup/dist/cli-default.js" "$@"
 fi

package/packages/ui/node_modules/.bin/tsup-node

@@ -11,7 +11,7 @@ else
   export NODE_PATH="/Users/hanzhi/Documents/WLFI/wlfi-agent-sdk/node_modules/.pnpm/tsup@8.5.1_jiti@1.21.7_postcss@8.5.8_tsx@4.21.0_typescript@5.9.3/node_modules/tsup/dist/node_modules:/Users/hanzhi/Documents/WLFI/wlfi-agent-sdk/node_modules/.pnpm/tsup@8.5.1_jiti@1.21.7_postcss@8.5.8_tsx@4.21.0_typescript@5.9.3/node_modules/tsup/node_modules:/Users/hanzhi/Documents/WLFI/wlfi-agent-sdk/node_modules/.pnpm/tsup@8.5.1_jiti@1.21.7_postcss@8.5.8_tsx@4.21.0_typescript@5.9.3/node_modules:/Users/hanzhi/Documents/WLFI/wlfi-agent-sdk/node_modules/.pnpm/node_modules:$NODE_PATH"
 fi
 if [ -x "$basedir/node" ]; then
-  exec "$basedir/node"  "$basedir/../../../../node_modules/.pnpm/tsup@8.5.1_jiti@1.21.7_postcss@8.5.8_tsx@4.21.0_typescript@5.9.3/node_modules/tsup/dist/cli-node.js" "$@"
+  exec "$basedir/node"  "$basedir/../tsup/dist/cli-node.js" "$@"
 else
-  exec node  "$basedir/../../../../node_modules/.pnpm/tsup@8.5.1_jiti@1.21.7_postcss@8.5.8_tsx@4.21.0_typescript@5.9.3/node_modules/tsup/dist/cli-node.js" "$@"
+  exec node  "$basedir/../tsup/dist/cli-node.js" "$@"
 fi

package/scripts/install-cli-launcher.mjs

@@ -0,0 +1,37 @@
+import os from 'node:os';
+import path from 'node:path';
+import { pathToFileURL } from 'node:url';
+import { installCliLauncher } from './install-rust-binaries.mjs';
+
+function resolveWlfiHome(env) {
+  return env.WLFI_HOME?.trim() || path.join(os.homedir(), '.wlfi_agent');
+}
+
+function installLocalCliLauncher({
+  env = process.env,
+  platform = process.platform,
+  cliEntrypoint,
+} = {}) {
+  const wlfiHome = resolveWlfiHome(env);
+  const binDir = path.join(wlfiHome, 'bin');
+  return installCliLauncher({ binDir, platform, cliEntrypoint });
+}
+
+function isDirectExecution() {
+  return (
+    Boolean(process.argv[1]) &&
+    import.meta.url === pathToFileURL(path.resolve(process.argv[1])).href
+  );
+}
+
+if (isDirectExecution()) {
+  try {
+    installLocalCliLauncher();
+  } catch (error) {
+    const message = error instanceof Error ? error.message : String(error);
+    process.stderr.write(`${message}\n`);
+    process.exitCode = 1;
+  }
+}
+
+export { installLocalCliLauncher };

package/scripts/install-rust-binaries.mjs

@@ -6,6 +6,11 @@ import { pathToFileURL } from 'node:url';
 
 const repoRoot = new URL('..', import.meta.url).pathname;
 const extension = process.platform === 'win32' ? '.exe' : '';
+const MIN_RUST_VERSION = {
+  major: 1,
+  minor: 87,
+  patch: 0,
+};
 const rustBins = [
   'wlfi-agent-daemon',
   'wlfi-agent-admin',
@@ -22,6 +27,32 @@ function decodeOutput(value) {
   return value.toString().trim();
 }
 
+function formatMinimumRustVersion() {
+  return `${MIN_RUST_VERSION.major}.${MIN_RUST_VERSION.minor}.${MIN_RUST_VERSION.patch}`;
+}
+
+function parseRustVersion(output) {
+  const match = output.match(/\b(\d+)\.(\d+)\.(\d+)(?:[-+][^\s]+)?\b/);
+  if (!match) {
+    return null;
+  }
+  return {
+    major: Number(match[1]),
+    minor: Number(match[2]),
+    patch: Number(match[3]),
+  };
+}
+
+function compareVersions(left, right) {
+  if (left.major !== right.major) {
+    return left.major - right.major;
+  }
+  if (left.minor !== right.minor) {
+    return left.minor - right.minor;
+  }
+  return left.patch - right.patch;
+}
+
 function runCheck(spawnSyncImpl, command, args, options = {}) {
   return spawnSyncImpl(command, args, {
     cwd: repoRoot,
@@ -55,6 +86,53 @@ function resolveHelperScripts(binDir) {
   ];
 }
 
+function resolveCliEntrypoint() {
+  return path.join(repoRoot, 'dist', 'cli.cjs');
+}
+
+function escapePosixShellArgument(value) {
+  return `'${value.replace(/'/g, `'\\''`)}'`;
+}
+
+export function installCliLauncher({
+  binDir,
+  cliEntrypoint = resolveCliEntrypoint(),
+  platform = process.platform,
+  allowMissingEntrypoint = false,
+} = {}) {
+  if (!binDir) {
+    throw new Error('[wlfi-agent] binDir is required to install the CLI launcher.');
+  }
+
+  fs.mkdirSync(binDir, { recursive: true, mode: 0o700 });
+
+  if (!fs.existsSync(cliEntrypoint)) {
+    if (allowMissingEntrypoint) {
+      return false;
+    }
+    throw new Error(
+      `[wlfi-agent] CLI entrypoint was not found at ${cliEntrypoint}. Run \`npm run build\` first.`,
+    );
+  }
+
+  if (platform === 'win32') {
+    const destination = path.join(binDir, 'wlfi-agent.cmd');
+    const escaped = cliEntrypoint.replace(/"/g, '""');
+    fs.writeFileSync(destination, `@echo off\r\nnode "${escaped}" %*\r\n`, {
+      mode: 0o755,
+    });
+    return true;
+  }
+
+  const destination = path.join(binDir, 'wlfi-agent');
+  const script =
+    '#!/bin/sh\n' +
+    `exec node ${escapePosixShellArgument(cliEntrypoint)} "$@"\n`;
+  fs.writeFileSync(destination, script, { mode: 0o755 });
+  fs.chmodSync(destination, 0o755);
+  return true;
+}
+
 function checkCargoAvailable(spawnSyncImpl) {
   const result = runCheck(spawnSyncImpl, 'cargo', ['--version']);
   if (result.status === 0) {
@@ -73,6 +151,38 @@ function checkCargoAvailable(spawnSyncImpl) {
   throw new Error(lines.join('\n'));
 }
 
+function checkRustcVersion(spawnSyncImpl) {
+  const result = runCheck(spawnSyncImpl, 'rustc', ['--version']);
+  if (result.status !== 0) {
+    const detail = decodeOutput(result.stderr) || decodeOutput(result.stdout);
+    const lines = [
+      '[wlfi-agent] Rust compiler was not found on PATH.',
+      `[wlfi-agent] Install Rust ${formatMinimumRustVersion()} or newer from https://rustup.rs.`,
+    ];
+    if (detail) {
+      lines.push(`[wlfi-agent] rustc check output: ${detail}`);
+    }
+    lines.push(`[wlfi-agent] ${RERUN_INSTRUCTIONS}`);
+    throw new Error(lines.join('\n'));
+  }
+
+  const versionOutput = decodeOutput(result.stdout) || decodeOutput(result.stderr);
+  const parsedVersion = parseRustVersion(versionOutput);
+  if (!parsedVersion) {
+    throw new Error(
+      `[wlfi-agent] Unable to determine the installed Rust compiler version from: ${versionOutput || '<empty output>'}`,
+    );
+  }
+
+  if (compareVersions(parsedVersion, MIN_RUST_VERSION) < 0) {
+    throw new Error(
+      `[wlfi-agent] Rust ${formatMinimumRustVersion()} or newer is required; found ${versionOutput}.\n` +
+        `[wlfi-agent] Update Rust with \`rustup update\`.\n` +
+        `[wlfi-agent] ${RERUN_INSTRUCTIONS}`,
+    );
+  }
+}
+
 function checkMacOsToolchainAvailable(spawnSyncImpl, platform) {
   if (platform !== 'darwin') {
     return;
@@ -100,6 +210,7 @@ export function verifyRustInstallPrerequisites({
   platform = process.platform,
 } = {}) {
   checkCargoAvailable(spawnSyncImpl);
+  checkRustcVersion(spawnSyncImpl);
   checkMacOsToolchainAvailable(spawnSyncImpl, platform);
 }
 
@@ -122,6 +233,7 @@ export function installRustBinaries({
     'cargo',
     [
       'build',
+      '--locked',
       '--release',
       '-p',
       'wlfi-agent-daemon',

package/scripts/run-tests-isolated.mjs

@@ -0,0 +1,210 @@
+#!/usr/bin/env node
+
+import { spawn } from 'node:child_process';
+import fs from 'node:fs';
+import os from 'node:os';
+import path from 'node:path';
+
+function fail(message) {
+  console.error(message);
+  process.exit(1);
+}
+
+const forwardedArgs = process.argv.slice(2);
+const commandArgs =
+  forwardedArgs[0] === '--' ? forwardedArgs.slice(1) : forwardedArgs;
+
+if (commandArgs.length === 0) {
+  fail(
+    'usage: node ./scripts/run-tests-isolated.mjs -- <command> [args...]',
+  );
+}
+
+const hostHome = process.env.HOME;
+const sandboxBaseDir = hostHome ? path.join(hostHome, '.wt') : os.tmpdir();
+fs.mkdirSync(sandboxBaseDir, { recursive: true, mode: 0o700 });
+const sandboxRoot = fs.mkdtempSync(path.join(sandboxBaseDir, 't-'));
+const homeDir = path.join(sandboxRoot, 'h');
+const wlfiHome = path.join(sandboxRoot, 'w');
+const tmpDir = path.join(sandboxRoot, 't');
+const binDir = path.join(sandboxRoot, 'b');
+const fakeKeychainRoot = path.join(sandboxRoot, 'k');
+const keepSandbox = process.env.WLFI_TEST_KEEP_SANDBOX === '1';
+const cargoHome =
+  process.env.CARGO_HOME ?? (hostHome ? path.join(hostHome, '.cargo') : undefined);
+const rustupHome =
+  process.env.RUSTUP_HOME ?? (hostHome ? path.join(hostHome, '.rustup') : undefined);
+const xdgCacheHome = path.join(sandboxRoot, 'c');
+const xdgConfigHome = path.join(sandboxRoot, 'g');
+
+for (const dir of [
+  homeDir,
+  wlfiHome,
+  tmpDir,
+  binDir,
+  fakeKeychainRoot,
+  xdgCacheHome,
+  xdgConfigHome,
+]) {
+  fs.mkdirSync(dir, { recursive: true, mode: 0o700 });
+}
+
+function writeExecutable(targetPath, contents) {
+  fs.writeFileSync(targetPath, contents, { mode: 0o755 });
+}
+
+writeExecutable(
+  path.join(binDir, 'security'),
+  `#!/usr/bin/env node
+import fs from 'node:fs';
+import path from 'node:path';
+
+const root = process.env.WLFI_TEST_FAKE_KEYCHAIN_ROOT;
+if (!root) {
+  console.error('WLFI_TEST_FAKE_KEYCHAIN_ROOT is required');
+  process.exit(70);
+}
+
+const dbPath = path.join(root, 'keychain.json');
+const [command, ...args] = process.argv.slice(2);
+
+function loadDb() {
+  try {
+    return JSON.parse(fs.readFileSync(dbPath, 'utf8'));
+  } catch (error) {
+    if (error && typeof error === 'object' && error.code === 'ENOENT') {
+      return {};
+    }
+    throw error;
+  }
+}
+
+function saveDb(db) {
+  fs.writeFileSync(dbPath, JSON.stringify(db, null, 2) + '\\n', { mode: 0o600 });
+}
+
+function readFlag(flag) {
+  const index = args.indexOf(flag);
+  if (index === -1 || index === args.length - 1) {
+    console.error('isolated security shim requires ' + flag);
+    process.exit(64);
+  }
+  return args[index + 1];
+}
+
+const service = readFlag('-s');
+const account = readFlag('-a');
+const key = service + '\\u0000' + account;
+const db = loadDb();
+
+switch (command) {
+  case 'add-generic-password': {
+    const secretHex = readFlag('-X');
+    db[key] = Buffer.from(secretHex, 'hex').toString('utf8');
+    saveDb(db);
+    process.exit(0);
+  }
+  case 'find-generic-password': {
+    if (!(key in db)) {
+      console.error('The specified item could not be found in the keychain.');
+      process.exit(44);
+    }
+    process.stdout.write(String(db[key]));
+    process.exit(0);
+  }
+  case 'delete-generic-password': {
+    if (!(key in db)) {
+      console.error('The specified item could not be found in the keychain.');
+      process.exit(44);
+    }
+    delete db[key];
+    saveDb(db);
+    process.exit(0);
+  }
+  default:
+    console.error('isolated security shim does not implement: ' + command);
+    process.exit(64);
+}
+`,
+);
+
+for (const commandName of ['sudo', 'launchctl']) {
+  writeExecutable(
+    path.join(binDir, commandName),
+    `#!/bin/sh
+echo "isolated test harness blocked real ${commandName}; inject a test double if this path is expected" >&2
+exit 99
+`,
+  );
+}
+
+const child = spawn(commandArgs[0], commandArgs.slice(1), {
+  stdio: 'inherit',
+  env: {
+    ...process.env,
+    HOME: homeDir,
+    WLFI_HOME: wlfiHome,
+    TMPDIR: tmpDir,
+    XDG_CACHE_HOME: xdgCacheHome,
+    XDG_CONFIG_HOME: xdgConfigHome,
+    PATH: `${binDir}${path.delimiter}${process.env.PATH ?? ''}`,
+    WLFI_TEST_FAKE_KEYCHAIN_ROOT: fakeKeychainRoot,
+    WLFI_TEST_SANDBOX_ROOT: sandboxRoot,
+    WLFI_TEST_ISOLATED: '1',
+    ...(cargoHome ? { CARGO_HOME: cargoHome } : {}),
+    ...(rustupHome ? { RUSTUP_HOME: rustupHome } : {}),
+  },
+});
+
+let cleanedUp = false;
+
+function cleanup() {
+  if (cleanedUp) {
+    return;
+  }
+  cleanedUp = true;
+
+  if (keepSandbox) {
+    console.error(`kept test sandbox: ${sandboxRoot}`);
+    return;
+  }
+
+  fs.rmSync(sandboxRoot, { recursive: true, force: true });
+  try {
+    fs.rmdirSync(sandboxBaseDir);
+  } catch (error) {
+    if (!error || typeof error !== 'object') {
+      throw error;
+    }
+    if (!('code' in error) || (error.code !== 'ENOENT' && error.code !== 'ENOTEMPTY')) {
+      throw error;
+    }
+  }
+}
+
+const signalExitCodes = {
+  SIGHUP: 129,
+  SIGINT: 130,
+  SIGTERM: 143,
+};
+
+for (const signal of Object.keys(signalExitCodes)) {
+  process.on(signal, () => {
+    if (!child.killed) {
+      child.kill(signal);
+    }
+  });
+}
+
+child.on('error', (error) => {
+  cleanup();
+  fail(`failed to start isolated test command: ${error.message}`);
+});
+
+child.on('exit', (code, signal) => {
+  cleanup();
+  if (signal) {
+    process.exit(signalExitCodes[signal] ?? 1);
+  }
+  process.exit(code ?? 1);
+});