clawmini 0.0.7 → 0.0.9

package/e2e/policies/policies-context-cwd.test.ts

@@ -0,0 +1,160 @@
+import { describe, it, expect, beforeAll, afterAll, afterEach } from 'vitest';
+import path from 'node:path';
+import fsPromises from 'node:fs/promises';
+import { createTRPCClient, httpLink, TRPCClientError } from '@trpc/client';
+import { TestEnvironment, type ChatSubscription, policyWith } from '../_helpers/test-environment.js';
+import type { AgentRouter } from '../../src/daemon/api/agent-router.js';
+
+describe('Context-Aware Execution E2E', () => {
+  let env: TestEnvironment;
+  let chat: ChatSubscription | undefined;
+
+  beforeAll(async () => {
+    env = new TestEnvironment('e2e-context-cwd');
+    await env.setup();
+    await env.setupSubagentEnv({
+      policies: {
+        'print-cwd': {
+          description: 'Print the current working directory',
+          command: 'pwd',
+          args: [],
+          autoApprove: true,
+        },
+      },
+    });
+
+    // Create a 'foo' subdirectory inside the debug-agent's working directory.
+    await fsPromises.mkdir(path.join(env.e2eDir, 'debug-agent', 'foo'), { recursive: true });
+  }, 30000);
+
+  afterAll(() => env.teardown(), 30000);
+  afterEach(() => env.disconnectAll());
+
+  it('should execute policy in the requested subdirectory', async () => {
+    await env.addChat('chat-cwd');
+    chat = await env.connect('chat-cwd');
+
+    // Simulate the agent navigating to 'foo' and calling the policy.
+    await env.sendMessage('cd foo && clawmini-lite.js request print-cwd', {
+      chat: 'chat-cwd',
+      agent: 'debug-agent',
+    });
+
+    const policy = await chat.waitForMessage(policyWith('approved'));
+    expect(policy.content).toContain(path.join('debug-agent', 'foo'));
+  }, 30000);
+
+  // The tests below send a *crafted* sandbox-relative cwd directly to the
+  // tRPC endpoint, because lite always sends process.cwd() (an absolute host
+  // path). We extract the debug-agent's API credentials by asking it to echo
+  // them to stdout.
+  describe('direct tRPC cwd handling', () => {
+    let agentClient: ReturnType<typeof createTRPCClient<AgentRouter>>;
+
+    beforeAll(async () => {
+      const { url, token } = await env.getAgentCredentials();
+      agentClient = createTRPCClient<AgentRouter>({
+        links: [httpLink({ url, headers: () => ({ Authorization: `Bearer ${token}` }) })],
+      });
+    }, 30000);
+
+    it('should strip environment baseDir from a sandbox-relative cwd', async () => {
+      // Configure an environment with a baseDir. The environment matches the
+      // debug-agent directory, so when the agent reports cwd `/sandbox/foo`,
+      // the server strips `/sandbox` and executes inside `<agentDir>/foo`.
+      const envConfigDir = path.resolve(env.e2eDir, '.clawmini/environments/sandboxed');
+      await fsPromises.mkdir(envConfigDir, { recursive: true });
+      await fsPromises.writeFile(
+        path.join(envConfigDir, 'env.json'),
+        JSON.stringify({ baseDir: '/sandbox' })
+      );
+
+      env.updateSettings({ environments: { './debug-agent': 'sandboxed' } });
+
+      const result = await agentClient.createPolicyRequest.mutate({
+        commandName: 'print-cwd',
+        args: [],
+        fileMappings: {},
+        cwd: '/sandbox/foo',
+      });
+
+      expect(result.executionResult).toBeDefined();
+      expect(result.executionResult!.exitCode).toBe(0);
+      expect(result.executionResult!.stdout).toContain(path.join('debug-agent', 'foo'));
+    }, 15000);
+
+    it('should translate sandbox cwd when the env targets a parent of the agent dir', async () => {
+      // Simulates a cladding-like setup: the environment is enabled at the
+      // workspace root, and the agent lives in a subdirectory inside it. The
+      // agent (running in the VM) reports its cwd relative to the sandbox
+      // baseDir (`/vm-workspace/debug-agent/nested`), so the server must
+      // strip baseDir and resolve the remainder against the env target path
+      // (the workspace root) — not the agent dir, which would double-nest.
+      const envConfigDir = path.resolve(env.e2eDir, '.clawmini/environments/cladding-like');
+      await fsPromises.mkdir(envConfigDir, { recursive: true });
+      await fsPromises.writeFile(
+        path.join(envConfigDir, 'env.json'),
+        JSON.stringify({ baseDir: '/vm-workspace' })
+      );
+
+      const settings = env.getSettings();
+      settings.environments = { './': 'cladding-like' };
+      env.writeSettings(settings);
+
+      await fsPromises.mkdir(path.join(env.e2eDir, 'debug-agent', 'nested'), { recursive: true });
+
+      const result = await agentClient.createPolicyRequest.mutate({
+        commandName: 'print-cwd',
+        args: [],
+        fileMappings: {},
+        cwd: '/vm-workspace/debug-agent/nested',
+      });
+
+      expect(result.executionResult).toBeDefined();
+      expect(result.executionResult!.exitCode).toBe(0);
+      expect(result.executionResult!.stdout.trim()).toBe(
+        path.join(env.e2eDir, 'debug-agent', 'nested')
+      );
+    }, 15000);
+
+    it('should reject a cwd that escapes the env target dir', async () => {
+      // With the cladding-like env from the previous test still active, a
+      // sandbox cwd that resolves above the env target must be rejected.
+      await expect(
+        agentClient.createPolicyRequest.mutate({
+          commandName: 'print-cwd',
+          args: [],
+          fileMappings: {},
+          cwd: '/vm-workspace/../etc/passwd',
+        })
+      ).rejects.toSatisfy((err: unknown) => {
+        return (
+          err instanceof TRPCClientError &&
+          /Security Error: Path resolves outside/.test(err.message)
+        );
+      });
+    }, 15000);
+
+    it('should reject a cwd that escapes the agent directory', async () => {
+      // Remove the environment setup from the previous test so the baseDir
+      // branch does not apply here.
+      const settings = env.getSettings();
+      delete settings.environments;
+      env.writeSettings(settings);
+
+      await expect(
+        agentClient.createPolicyRequest.mutate({
+          commandName: 'print-cwd',
+          args: [],
+          fileMappings: {},
+          cwd: '../../escape',
+        })
+      ).rejects.toSatisfy((err: unknown) => {
+        return (
+          err instanceof TRPCClientError &&
+          /Security Error: Path resolves outside/.test(err.message)
+        );
+      });
+    }, 15000);
+  });
+});

package/e2e/policies/relative-script-path.test.ts

@@ -0,0 +1,60 @@
+import { describe, it, expect, beforeAll, afterAll } from 'vitest';
+import path from 'node:path';
+import fs from 'node:fs';
+import { TestEnvironment } from '../_helpers/test-environment.js';
+
+// Regression test: policies whose `command` is a relative path (e.g. the
+// built-in run-host uses `./.clawmini/policy-scripts/run-host.js`) must run
+// successfully even when the triggering agent's cwd is somewhere other than
+// the workspace root. resolvePolicies now resolves relative paths against the
+// workspace root so spawn no longer depends on the caller's cwd.
+describe('Policy with relative script path', () => {
+  let env: TestEnvironment;
+
+  beforeAll(async () => {
+    env = new TestEnvironment('e2e-policy-relative-path');
+    await env.setup();
+    await env.setupSubagentEnv();
+
+    const scriptRelDir = 'tools';
+    const scriptRelPath = `./${scriptRelDir}/relative-policy.sh`;
+    const scriptAbsDir = path.resolve(env.e2eDir, scriptRelDir);
+    const scriptAbsPath = path.resolve(env.e2eDir, scriptRelPath);
+
+    fs.mkdirSync(scriptAbsDir, { recursive: true });
+    fs.writeFileSync(
+      scriptAbsPath,
+      '#!/bin/sh\necho "arg: $1"\n',
+      { mode: 0o755 }
+    );
+
+    // autoApprove:true executes the policy directly from
+    // agent-policy-endpoints.createPolicyRequest, where hostCwd is resolved
+    // from the requesting agent's directory — making this path diverge from
+    // the workspace root even for the default configuration.
+    env.writePolicies({
+      'relative-policy': {
+        description: 'Policy whose command is a relative path from the workspace root',
+        command: scriptRelPath,
+        autoApprove: true,
+      },
+    });
+  }, 30000);
+
+  afterAll(() => env.teardown(), 30000);
+
+  it('runs the script regardless of the requesting agent cwd', async () => {
+    // The debug-agent runs commands in its own work dir (<workspaceRoot>/debug-agent),
+    // so a relative `command` of `./tools/relative-policy.sh` would resolve
+    // against that subdirectory without the fix — which does not contain the
+    // script. runLite proxies through the debug-agent's CLAW_API_URL/TOKEN so
+    // the request is created with that agent's identity.
+    const { stdout, code } = await env.runLite(
+      ['request', 'relative-policy', '--', 'hello'],
+      { cwd: path.resolve(env.e2eDir, 'debug-agent') }
+    );
+
+    expect(code).toBe(0);
+    expect(stdout).toContain('arg: hello');
+  }, 30000);
+});

package/e2e/policies/requests-show.test.ts

@@ -0,0 +1,135 @@
+import { describe, it, expect, beforeAll, afterAll } from 'vitest';
+import path from 'node:path';
+import fs from 'node:fs';
+import { TestEnvironment } from '../_helpers/test-environment.js';
+
+describe('E2E `requests show` script size handling', () => {
+  let env: TestEnvironment;
+  let agentDir = '';
+
+  beforeAll(async () => {
+    env = new TestEnvironment('e2e-tmp-requests-show');
+    await env.setup();
+    await env.setupSubagentEnv({
+      policies: {
+        'small-script': {
+          description: 'A small inline-able script',
+          command: './.clawmini/policy-scripts/small-script.sh',
+        },
+        'large-script': {
+          description: 'A large script that should spill to tmp',
+          command: './.clawmini/policy-scripts/large-script.sh',
+        },
+        'system-cmd': {
+          description: 'A system command (no script body)',
+          command: 'echo',
+          args: ['hi'],
+        },
+        'symlink-escape': {
+          description: 'A symlink in policy-scripts/ pointing outside it',
+          command: './.clawmini/policy-scripts/symlink-escape.sh',
+        },
+      },
+    });
+
+    const scriptsDir = env.getClawminiPath('policy-scripts');
+    fs.mkdirSync(scriptsDir, { recursive: true });
+    fs.writeFileSync(
+      path.join(scriptsDir, 'small-script.sh'),
+      '#!/bin/sh\necho hello-from-small\n',
+      { mode: 0o755 }
+    );
+    // 5000 chars > MAX_INLINE_SCRIPT_LENGTH (4000), forcing the spill path.
+    fs.writeFileSync(
+      path.join(scriptsDir, 'large-script.sh'),
+      '#!/bin/sh\n' + 'x'.repeat(5000) + '\n',
+      { mode: 0o755 }
+    );
+
+    // Plant a sensitive file outside policy-scripts/, then a symlink inside
+    // policy-scripts/ pointing at it. The endpoint must refuse to read the
+    // symlink target — string-prefix containment alone would allow this.
+    const sensitive = path.resolve(env.e2eDir, 'outside-sensitive.txt');
+    fs.writeFileSync(sensitive, 'top secret\n');
+    fs.symlinkSync(sensitive, path.join(scriptsDir, 'symlink-escape.sh'));
+
+    agentDir = path.resolve(env.e2eDir, 'debug-agent');
+    await env.getAgentCredentials();
+  }, 30000);
+
+  afterAll(() => env.teardown(), 30000);
+
+  const runLite = (args: string[]) => env.runLite(args, { cwd: agentDir });
+
+  it('shows a small script body inline', async () => {
+    const { stdout, stderr, code } = await runLite(['requests', 'show', 'small-script']);
+
+    expect(stderr).toBe('');
+    expect(code).toBe(0);
+    expect(stdout).toContain('"description": "A small inline-able script"');
+    expect(stdout).toContain('--- Script:');
+    expect(stdout).toContain('hello-from-small');
+    expect(stdout).not.toContain('copied to ./tmp/');
+  });
+
+  it('spills a large script to the agent tmp dir instead of inlining', async () => {
+    const { stdout, stderr, code } = await runLite(['requests', 'show', 'large-script']);
+
+    expect(stderr).toBe('');
+    expect(code).toBe(0);
+    expect(stdout).toContain('--- Script:');
+    expect(stdout).toContain('copied to ./tmp/policy-script-large-script.sh');
+    // The huge body must not be inlined.
+    expect(stdout).not.toContain('x'.repeat(100));
+
+    const spillPath = path.join(agentDir, 'tmp', 'policy-script-large-script.sh');
+    expect(fs.existsSync(spillPath)).toBe(true);
+    const spilled = fs.readFileSync(spillPath, 'utf8');
+    expect(spilled).toContain('x'.repeat(5000));
+    expect(spilled.startsWith('#!/bin/sh')).toBe(true);
+  });
+
+  it('overwrites the same spill file when shown again', async () => {
+    const spillPath = path.join(agentDir, 'tmp', 'policy-script-large-script.sh');
+    const before = fs.statSync(spillPath).size;
+
+    // Update the source script to a different (still-large) body.
+    const scriptPath = env.getClawminiPath('policy-scripts', 'large-script.sh');
+    fs.writeFileSync(scriptPath, '#!/bin/sh\n' + 'y'.repeat(6000) + '\n', { mode: 0o755 });
+
+    const { code } = await runLite(['requests', 'show', 'large-script']);
+    expect(code).toBe(0);
+
+    const after = fs.readFileSync(spillPath, 'utf8');
+    expect(after).toContain('y'.repeat(6000));
+    expect(after).not.toContain('x'.repeat(100));
+    expect(fs.statSync(spillPath).size).not.toBe(before);
+  });
+
+  it('prints JSON only with no script body for system-command policies', async () => {
+    const { stdout, stderr, code } = await runLite(['requests', 'show', 'system-cmd']);
+
+    expect(stderr).toBe('');
+    expect(code).toBe(0);
+    expect(stdout).toContain('"command": "echo"');
+    expect(stdout).toContain('(no script body:');
+    expect(stdout).not.toContain('--- Script:');
+  });
+
+  it('refuses to read a symlink in policy-scripts/ that points outside', async () => {
+    const { stdout, stderr, code } = await runLite([
+      'requests',
+      'show',
+      'symlink-escape',
+    ]);
+
+    expect(stderr).toBe('');
+    expect(code).toBe(0);
+    // The body itself must never appear, regardless of what error path the
+    // endpoint takes.
+    expect(stdout).not.toContain('top secret');
+    // The CLI surfaces BAD_REQUEST as a "(no script body: ...)" hint.
+    expect(stdout).toContain('(no script body:');
+    expect(stdout).toContain('does not point at a script in policy-scripts/');
+  });
+});

package/e2e/policies/requests.test.ts

@@ -0,0 +1,208 @@
+import { describe, it, expect, beforeAll, afterAll } from 'vitest';
+import path from 'node:path';
+import fs from 'node:fs';
+import fsPromises from 'node:fs/promises';
+import { TestEnvironment } from '../_helpers/test-environment.js';
+
+describe('E2E Requests Tests (Lite)', () => {
+  let env: TestEnvironment;
+  let agentDir = '';
+
+  beforeAll(async () => {
+    env = new TestEnvironment('e2e-tmp-requests');
+    await env.setup();
+    await env.setupSubagentEnv({
+      policies: {
+        'test-cmd': {
+          description: 'A test policy',
+          command: 'echo',
+          args: ['hello'],
+          allowHelp: true,
+        },
+        'no-help-cmd': {
+          description: 'A no help policy',
+          command: 'echo',
+          args: ['nohelp'],
+        },
+        'auto-cmd': {
+          description: 'An auto approve policy',
+          command: 'echo',
+          args: ['autoresult'],
+          autoApprove: true,
+        },
+        'interp-cmd': {
+          description: 'Auto-approve cat with {{myfile}} interpolation',
+          command: 'cat',
+          args: ['{{myfile}}'],
+          autoApprove: true,
+        },
+      },
+    });
+
+    agentDir = path.resolve(env.e2eDir, 'debug-agent');
+    await env.getAgentCredentials();
+  }, 30000);
+
+  afterAll(() => env.teardown(), 30000);
+
+  // All requests tests spawn lite from the debug-agent's working dir so
+  // --file relative paths resolve correctly.
+  const runLite = (args: string[]) => env.runLite(args, { cwd: agentDir });
+
+  it('should list policies', async () => {
+    const { stdout, code } = await runLite(['requests', 'list']);
+    expect(code).toBe(0);
+    expect(stdout).toContain('Available Policies:');
+    expect(stdout).toContain('- test-cmd');
+    expect(stdout).toContain('Description: A test policy');
+  });
+
+  it('should run --help on underlying command', async () => {
+    const { stdout, code } = await runLite(['request', 'test-cmd', '--help']);
+    expect(code).toBe(0);
+    expect(stdout).toBeTruthy();
+  });
+
+  it('should block --help if allowHelp is not true', async () => {
+    const { stderr, code } = await runLite(['request', 'no-help-cmd', '--help']);
+    expect(code).toBe(1);
+    expect(stderr).toContain('This command does not support --help');
+  });
+
+  it('should create a request and return an ID', async () => {
+    const dummyFilePath = path.join(agentDir, 'dummy.txt');
+    await fsPromises.writeFile(dummyFilePath, 'dummy content');
+
+    const { stdout, stderr, code } = await runLite([
+      'request',
+      'test-cmd',
+      '--file',
+      `target=${dummyFilePath}`,
+      '--',
+      'extra1',
+      'extra2',
+    ]);
+
+    expect(stderr).toBe('');
+    expect(code).toBe(0);
+    expect(stdout).toContain('Request created successfully.');
+    expect(stdout).toContain('Request ID:');
+    // Guidance for the agent: explain the request is queued, how the result
+    // arrives, that polling is forbidden, and what to do next. Normalize
+    // whitespace so assertions don't depend on where console.log wraps.
+    const flat = stdout.replace(/\s+/g, ' ');
+    expect(flat).toContain('has not run yet');
+    expect(flat).toContain('queued for user approval');
+    expect(flat).toContain('new user message in this chat');
+    expect(flat).toContain('do not poll');
+    expect(flat).toContain('end your turn');
+
+    const requestsDir = path.join(env.e2eDir, '.clawmini', 'tmp', 'requests');
+    const files = (await fsPromises.readdir(requestsDir)).filter((f) => f.endsWith('.json'));
+    expect(files.length).toBe(1);
+
+    const req = JSON.parse(await fsPromises.readFile(path.join(requestsDir, files[0]!), 'utf8'));
+    expect(req.commandName).toBe('test-cmd');
+    expect(req.args).toEqual(['extra1', 'extra2']);
+    expect(req.fileMappings).toHaveProperty('target');
+
+    const snapshotContent = await fsPromises.readFile(req.fileMappings.target, 'utf8');
+    expect(snapshotContent).toBe('dummy content');
+  });
+
+  it('should synchronously output execution result for auto-approved policy', async () => {
+    const { stdout, stderr, code } = await runLite(['request', 'auto-cmd', '--', 'extra-auto']);
+
+    expect(stderr).toBe('');
+    expect(code).toBe(0);
+    expect(stdout.trim()).toBe('autoresult extra-auto');
+    // Guidance text is only for queued requests — auto-approved policies
+    // run synchronously and must not include it.
+    expect(stdout).not.toContain('has not run yet');
+    expect(stdout).not.toContain('do not poll');
+  });
+
+  it('should interpolate {{placeholder}} in policy args with snapshot path', async () => {
+    const sourcePath = path.join(agentDir, 'interp-source.txt');
+    await fsPromises.writeFile(sourcePath, 'interpolated file content');
+
+    const { stdout, stderr, code } = await runLite([
+      'request',
+      'interp-cmd',
+      '--file',
+      `myfile=interp-source.txt`,
+    ]);
+
+    expect(stderr).toBe('');
+    expect(code).toBe(0);
+    expect(stdout).toContain('interpolated file content');
+  });
+
+  describe('--file snapshot security', () => {
+    it('should reject a --file path that resolves outside the agent directory', async () => {
+      const { stderr, code } = await runLite([
+        'request',
+        'test-cmd',
+        '--file',
+        `target=../../../etc/hosts`,
+      ]);
+
+      expect(code).toBe(1);
+      expect(stderr).toMatch(/Security Error: Path resolves outside/);
+    });
+
+    it('should reject a --file pointing at an absolute path outside the agent directory', async () => {
+      const { stderr, code } = await runLite([
+        'request',
+        'test-cmd',
+        '--file',
+        `target=/etc/hosts`,
+      ]);
+
+      expect(code).toBe(1);
+      expect(stderr).toMatch(/Security Error: Path resolves outside/);
+    });
+
+    it('should reject a --file that is a symlink', async () => {
+      fs.symlinkSync('/etc/hosts', path.join(agentDir, 'link-to-host.txt'));
+
+      const { stderr, code } = await runLite([
+        'request',
+        'test-cmd',
+        '--file',
+        `target=link-to-host.txt`,
+      ]);
+
+      expect(code).toBe(1);
+      expect(stderr).toMatch(/Security Error: Symlinks are not allowed/);
+    });
+
+    it('should reject a --file larger than the 5MB snapshot cap', async () => {
+      await fsPromises.writeFile(path.join(agentDir, 'big.bin'), Buffer.alloc(6 * 1024 * 1024));
+
+      const { stderr, code } = await runLite([
+        'request',
+        'test-cmd',
+        '--file',
+        `target=big.bin`,
+      ]);
+
+      expect(code).toBe(1);
+      expect(stderr).toMatch(/exceeds maximum snapshot size of 5MB/);
+    });
+
+    it('should reject a --file pointing at a directory', async () => {
+      fs.mkdirSync(path.join(agentDir, 'a-directory'));
+
+      const { stderr, code } = await runLite([
+        'request',
+        'test-cmd',
+        '--file',
+        `target=a-directory`,
+      ]);
+
+      expect(code).toBe(1);
+      expect(stderr).toMatch(/Requested path is not a file/);
+    });
+  });
+});