create-interview-cockpit 0.17.3 → 0.19.0

package/template/server/src/infra-runner.ts

@@ -4,7 +4,7 @@ import { randomUUID } from "crypto";
 import { spawn } from "child_process";
 import * as storage from "./storage.js";
 
-type InfraExecutionMode = "plan-only" | "localstack";
+type InfraExecutionMode = "plan-only" | "localstack" | "docker";
 export type InfraRunAction = "validate" | "plan" | "command";
 type InfraRunStatus = "completed" | "failed";
 type OutputKind = "stdout" | "stderr" | "info";
@@ -12,7 +12,7 @@ type OutputKind = "stdout" | "stderr" | "info";
 interface InfraLabWorkspace {
   version: 1;
   label: string;
-  provider: "aws";
+  provider: "aws" | "docker";
   executionMode: InfraExecutionMode;
   activeFile: string;
   files: Record<string, string>;
@@ -54,7 +54,7 @@ export interface InfraRunListItem {
   startedAt: string;
   completedAt: string;
   durationMs: number;
-  provider: "aws";
+  provider: "aws" | "docker";
   executionMode: InfraExecutionMode;
   diagnostics: InfraDiagnostic[];
   planSummary?: InfraPlanSummary;
@@ -82,17 +82,21 @@ interface RunCommandResult {
 }
 
 interface ParsedCommand {
+  executable: string;
   args: string[];
   subcommand: string;
   action: InfraRunAction;
+  command: string;
   displayCommand: string;
   planOutputFile?: string;
+  tool: "terraform" | "docker" | "local";
 }
 
 const MAX_FILE_COUNT = 24;
 const MAX_TOTAL_SOURCE_BYTES = 500_000;
 const MAX_LOG_CHARS = 200_000;
 const SOURCE_MANIFEST = ".infra-source-files.json";
+const SHELL_OPERATORS = new Set(["|", "||", "&&", ";", ">", ">>", "<", "<<"]);
 const ALLOWED_SUBCOMMANDS = new Set([
   "fmt",
   "init",
@@ -106,6 +110,56 @@ const ALLOWED_SUBCOMMANDS = new Set([
   "version",
   "providers",
 ]);
+const ALLOWED_DOCKER_SUBCOMMANDS = new Set([
+  "version",
+  "info",
+  "context",
+  "ps",
+  "run",
+  "exec",
+  "create",
+  "container",
+  "image",
+  "images",
+  "history",
+  "network",
+  "volume",
+  "logs",
+  "inspect",
+  "port",
+  "top",
+  "stats",
+  "rm",
+  "rmi",
+  "stop",
+  "start",
+  "restart",
+  "build",
+  "pull",
+  "tag",
+  "compose",
+  "system",
+]);
+const ALLOWED_LOCAL_COMMANDS = new Set(["pwd", "ls", "cat", "curl"]);
+const DISALLOWED_DOCKER_FLAGS = new Set([
+  "--privileged",
+  "--pid=host",
+  "--ipc=host",
+  "--uts=host",
+  "--userns=host",
+  "--network=host",
+  "--net=host",
+]);
+const DISALLOWED_CURL_FLAGS = new Set([
+  "-o",
+  "--output",
+  "-O",
+  "--remote-name",
+  "--config",
+  "-K",
+  "-T",
+  "--upload-file",
+]);
 
 function getInfraRunsDir(): string {
   return path.resolve(storage.getContextFilesDir(), "..", "infra-runs");
@@ -182,9 +236,13 @@ function parseWorkspace(input: unknown): InfraLabWorkspace {
       typeof candidate.label === "string" && candidate.label.trim()
         ? candidate.label.trim()
         : "Infrastructure Lab",
-    provider: "aws",
+    provider: candidate.provider === "docker" ? "docker" : "aws",
     executionMode:
-      candidate.executionMode === "plan-only" ? "plan-only" : "localstack",
+      candidate.executionMode === "docker"
+        ? "docker"
+        : candidate.executionMode === "plan-only"
+          ? "plan-only"
+          : "localstack",
     activeFile:
       typeof candidate.activeFile === "string" && files[candidate.activeFile]
         ? candidate.activeFile
@@ -275,12 +333,91 @@ function extractPlanOutputFile(args: string[]): string | undefined {
   return undefined;
 }
 
-function parseCommand(command: string): ParsedCommand {
-  const tokens = splitCommand(command);
-  if (tokens.length === 0) {
-    throw new Error("Type a Terraform command to run");
+function assertNoShellOperators(tokens: string[]): void {
+  const operator = tokens.find((token) => SHELL_OPERATORS.has(token));
+  if (operator) {
+    throw new Error(
+      `Shell operator '${operator}' is not supported. Run one command at a time.`,
+    );
+  }
+}
+
+function hasForceFlag(args: string[]): boolean {
+  return args.some(
+    (arg) =>
+      arg === "-f" ||
+      arg === "--force" ||
+      arg.startsWith("--force=") ||
+      (/^-[A-Za-z]+$/.test(arg) && arg.includes("f")),
+  );
+}
+
+function assertSafeLocalPathArgs(args: string[], label: string): void {
+  for (const arg of args) {
+    if (!arg || arg.startsWith("-") || arg === ".") continue;
+    assertSafeRelativePath(arg, label);
+  }
+}
+
+function assertSafeDockerArgs(args: string[]): void {
+  const disallowed = args.find((arg) => DISALLOWED_DOCKER_FLAGS.has(arg));
+  if (disallowed) {
+    throw new Error(`${disallowed} is disabled in the lab console`);
+  }
+
+  const subcommand = args[0];
+  const composeSubcommand = subcommand === "compose" ? args[1] : undefined;
+
+  if (subcommand === "compose" && composeSubcommand === "up") {
+    const detached = args.includes("-d") || args.includes("--detach");
+    if (!detached) {
+      throw new Error(
+        "Use docker compose up -d in this console so the command does not stay attached forever",
+      );
+    }
+  }
+
+  const followsLogs = args.some(
+    (arg) =>
+      arg === "-f" || arg === "--follow" || /^-[A-Za-z]*f[A-Za-z]*$/.test(arg),
+  );
+  if ((subcommand === "logs" || composeSubcommand === "logs") && followsLogs) {
+    throw new Error(
+      "Follow-mode logs are disabled; run docker logs without -f",
+    );
   }
 
+  if (subcommand === "stats" && !args.includes("--no-stream")) {
+    throw new Error("Use docker stats --no-stream in this console");
+  }
+}
+
+function assertSafeCurlArgs(args: string[]): void {
+  const disallowed = args.find((arg) => DISALLOWED_CURL_FLAGS.has(arg));
+  if (disallowed) {
+    throw new Error(`${disallowed} is disabled in the lab console`);
+  }
+
+  const urls = args.filter((arg) => /^https?:\/\//i.test(arg));
+  if (urls.length === 0) {
+    throw new Error("curl requires a localhost http:// or https:// URL");
+  }
+
+  for (const url of urls) {
+    if (
+      !/^https?:\/\/(localhost|127\.0\.0\.1|0\.0\.0\.0|\[::1\])(?::\d+)?(?:\/|$)/i.test(
+        url,
+      )
+    ) {
+      throw new Error("curl is limited to localhost URLs in the lab console");
+    }
+  }
+}
+
+function parseTerraformCommand(
+  command: string,
+  tokens: string[],
+): ParsedCommand {
   const args = tokens[0] === "terraform" ? tokens.slice(1) : [...tokens];
   if (args.length === 0) {
     throw new Error("Type a Terraform subcommand after 'terraform'");
@@ -289,7 +426,7 @@ function parseCommand(command: string): ParsedCommand {
   const subcommand = args[0];
   if (!ALLOWED_SUBCOMMANDS.has(subcommand)) {
     throw new Error(
-      "Only Terraform commands are allowed here: fmt, init, validate, plan, show, apply, destroy, output, state, version, providers",
+      "Supported Terraform commands: fmt, init, validate, plan, show, apply, destroy, output, state, version, providers",
     );
   }
 
@@ -312,7 +449,9 @@ function parseCommand(command: string): ParsedCommand {
     assertSafeRelativePath(planOutputFile, "Plan output file");
   }
 
+  const normalizedCommand = `terraform ${args.join(" ")}`;
   return {
+    executable: "terraform",
     args,
     subcommand,
     action:
@@ -321,30 +460,149 @@ function parseCommand(command: string): ParsedCommand {
         : subcommand === "plan"
           ? "plan"
           : "command",
-    displayCommand: `$ terraform ${args.join(" ")}\n`,
+    command: normalizedCommand,
+    displayCommand: `$ ${normalizedCommand}\n`,
     planOutputFile,
+    tool: "terraform",
   };
 }
 
-async function runTerraformCommand(
+function parseDockerCommand(command: string, tokens: string[]): ParsedCommand {
+  const args = tokens.slice(1);
+  if (args.length === 0) {
+    throw new Error("Type a Docker subcommand after 'docker'");
+  }
+
+  if (
+    args.some(
+      (arg) =>
+        arg === "-H" ||
+        arg.startsWith("-H=") ||
+        arg === "--host" ||
+        arg.startsWith("--host="),
+    )
+  ) {
+    throw new Error("Changing the Docker host is disabled in this console");
+  }
+
+  const subcommand = args[0];
+  if (!ALLOWED_DOCKER_SUBCOMMANDS.has(subcommand)) {
+    throw new Error(
+      "Supported Docker commands include: version, info, context, ps, run, exec, images, network, volume, container, logs, inspect, port, stats, rm, stop, start, build, pull, tag, compose, system",
+    );
+  }
+
+  assertSafeDockerArgs(args);
+
+  if (args.includes("prune") && !hasForceFlag(args)) {
+    throw new Error("Docker prune commands require --force or -f");
+  }
+
+  return {
+    executable: "docker",
+    args,
+    subcommand:
+      subcommand === "compose" && args[1] ? `compose ${args[1]}` : subcommand,
+    action: "command",
+    command: command.trim(),
+    displayCommand: `$ ${command.trim()}\n`,
+    tool: "docker",
+  };
+}
+
+function parseLocalCommand(command: string, tokens: string[]): ParsedCommand {
+  const executable = tokens[0];
+  const args = tokens.slice(1);
+
+  if (!ALLOWED_LOCAL_COMMANDS.has(executable)) {
+    throw new Error("Supported local commands: pwd, ls, cat, curl");
+  }
+
+  if (executable === "curl") {
+    assertSafeCurlArgs(args);
+    return {
+      executable,
+      args,
+      subcommand: executable,
+      action: "command",
+      command: command.trim(),
+      displayCommand: `$ ${command.trim()}\n`,
+      tool: "local",
+    };
+  }
+
+  if (executable === "pwd" && args.length > 0) {
+    throw new Error("pwd does not accept arguments in this console");
+  }
+
+  if (executable === "ls") {
+    assertSafeLocalPathArgs(args, "ls path");
+  }
+
+  if (executable === "cat") {
+    const fileArgs = args.filter((arg) => !arg.startsWith("-"));
+    if (fileArgs.length === 0) {
+      throw new Error("cat requires a workspace-relative file path");
+    }
+    assertSafeLocalPathArgs(fileArgs, "cat path");
+  }
+
+  return {
+    executable,
+    args,
+    subcommand: executable,
+    action: "command",
+    command: command.trim(),
+    displayCommand: `$ ${command.trim()}\n`,
+    tool: "local",
+  };
+}
+
+function parseCommand(command: string): ParsedCommand {
+  const tokens = splitCommand(command);
+  if (tokens.length === 0) {
+    throw new Error("Type a command to run");
+  }
+  assertNoShellOperators(tokens);
+
+  if (tokens[0] === "terraform" || ALLOWED_SUBCOMMANDS.has(tokens[0])) {
+    return parseTerraformCommand(command, tokens);
+  }
+
+  if (tokens[0] === "docker") {
+    return parseDockerCommand(command, tokens);
+  }
+
+  if (ALLOWED_LOCAL_COMMANDS.has(tokens[0])) {
+    return parseLocalCommand(command, tokens);
+  }
+
+  throw new Error(
+    "Supported commands: terraform, docker, pwd, ls, cat, curl. Shell operators are disabled.",
+  );
+}
+
+async function runWorkspaceCommand(
   cwd: string,
+  executable: string,
   args: string[],
   executionMode: InfraExecutionMode,
+  displayCommand: string,
   onChunk?: (chunk: { kind: OutputKind; text: string }) => void,
+  extraEnv: NodeJS.ProcessEnv = {},
 ): Promise<RunCommandResult> {
   return await new Promise<RunCommandResult>((resolve) => {
     const stdout: string[] = [];
     const stderr: string[] = [];
-    const commandLine = `$ terraform ${args.join(" ")}\n`;
     let settled = false;
 
-    onChunk?.({ kind: "info", text: commandLine });
+    onChunk?.({ kind: "info", text: displayCommand });
 
-    const child = spawn("terraform", args, {
+    const child = spawn(executable, args, {
       cwd,
       env: {
         ...getDefaultEnv(executionMode),
-        TF_DATA_DIR: path.join(cwd, ".tfdata"),
+        ...extraEnv,
       },
     });
 
@@ -365,13 +623,13 @@ async function runTerraformCommand(
       onChunk?.({ kind: "stderr", text });
     });
     child.on("error", (error) => {
-      const message = `terraform launch failed: ${error.message}\n`;
+      const message = `${executable} launch failed: ${error.message}\n`;
       onChunk?.({ kind: "stderr", text: message });
       finish({
         exitCode: 1,
         stdout: "",
         stderr: message,
-        combined: `${commandLine}${message}`,
+        combined: `${displayCommand}${message}`,
       });
     });
     child.on("close", (code) => {
@@ -381,12 +639,48 @@ async function runTerraformCommand(
         exitCode: typeof code === "number" ? code : 1,
         stdout: out,
         stderr: err,
-        combined: `${commandLine}${out}${err}`,
+        combined: `${displayCommand}${out}${err}`,
       });
     });
   });
 }
 
+async function runTerraformCommand(
+  cwd: string,
+  args: string[],
+  executionMode: InfraExecutionMode,
+  onChunk?: (chunk: { kind: OutputKind; text: string }) => void,
+): Promise<RunCommandResult> {
+  return runWorkspaceCommand(
+    cwd,
+    "terraform",
+    args,
+    executionMode,
+    `$ terraform ${args.join(" ")}\n`,
+    onChunk,
+    { TF_DATA_DIR: path.join(cwd, ".tfdata") },
+  );
+}
+
+async function runParsedCommand(
+  cwd: string,
+  parsed: ParsedCommand,
+  executionMode: InfraExecutionMode,
+  onChunk?: (chunk: { kind: OutputKind; text: string }) => void,
+): Promise<RunCommandResult> {
+  return runWorkspaceCommand(
+    cwd,
+    parsed.executable,
+    parsed.args,
+    executionMode,
+    parsed.displayCommand,
+    onChunk,
+    parsed.tool === "terraform"
+      ? { TF_DATA_DIR: path.join(cwd, ".tfdata") }
+      : {},
+  );
+}
+
 function toDiagnostics(value: unknown): InfraDiagnostic[] {
   if (!value || typeof value !== "object") return [];
   const diagnostics = (value as { diagnostics?: unknown }).diagnostics;
@@ -879,7 +1173,7 @@ export async function runInfraAction(input: {
     startedAt,
     completedAt,
     durationMs: new Date(completedAt).getTime() - new Date(startedAt).getTime(),
-    provider: "aws",
+    provider: workspace.provider,
     executionMode: workspace.executionMode,
     diagnostics,
     ...(planSummary ? { planSummary } : {}),
@@ -941,9 +1235,9 @@ export async function streamInfraCommand(input: {
     input.onMessage?.(message);
   };
 
-  const commandResult = await runTerraformCommand(
+  const commandResult = await runParsedCommand(
     workspaceDir,
-    parsed.args,
+    parsed,
     workspace.executionMode,
     (chunk) => {
       logs = appendLog(logs, chunk.text);
@@ -953,13 +1247,10 @@ export async function streamInfraCommand(input: {
 
   if (commandResult.exitCode !== 0) {
     status = "failed";
-    error = describeRunError(
-      commandResult,
-      `terraform ${parsed.subcommand} failed`,
-    );
+    error = describeRunError(commandResult, `${parsed.command} failed`);
   }
 
-  if (parsed.subcommand === "validate") {
+  if (parsed.tool === "terraform" && parsed.subcommand === "validate") {
     const validation = await collectValidationArtifacts(
       workspaceDir,
       workspace.executionMode,
@@ -970,7 +1261,7 @@ export async function streamInfraCommand(input: {
     artifacts.push(...validation.artifacts);
   }
 
-  if (parsed.subcommand === "plan") {
+  if (parsed.tool === "terraform" && parsed.subcommand === "plan") {
     artifacts.push(
       await writeArtifact(
         artifactsDir,
@@ -1012,12 +1303,12 @@ export async function streamInfraCommand(input: {
     ...(input.questionId ? { questionId: input.questionId } : {}),
     label: input.label?.trim() || workspace.label,
     action: parsed.action,
-    command: `terraform ${parsed.args.join(" ")}`,
+    command: parsed.command,
     status,
     startedAt,
     completedAt,
     durationMs: new Date(completedAt).getTime() - new Date(startedAt).getTime(),
-    provider: "aws",
+    provider: workspace.provider,
     executionMode: workspace.executionMode,
     diagnostics,
     ...(planSummary ? { planSummary } : {}),

package/template/server/src/storage.ts

@@ -73,7 +73,9 @@ export interface ContextFile {
     | "infra"
     | "react"
     | "nextjs"
-    | "module-federation";
+    | "module-federation"
+    | "canvas"
+    | "github-actions";
   /** Language hint for code snippets (e.g. 'typescript', 'javascript'). */
   language?: string;
   /** Short display label for code snippets. */