npm - keystone-cli - Versions diffs - 0.8.0 → 1.0.0 - Mend

keystone-cli 0.8.0 → 1.0.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (103) hide show

package/README.md +486 -54
package/package.json +8 -2
package/src/__fixtures__/index.ts +100 -0
package/src/cli.ts +809 -90
package/src/db/memory-db.ts +35 -1
package/src/db/workflow-db.test.ts +24 -0
package/src/db/workflow-db.ts +469 -14
package/src/expression/evaluator.ts +68 -4
package/src/parser/agent-parser.ts +6 -3
package/src/parser/config-schema.ts +38 -2
package/src/parser/schema.ts +192 -7
package/src/parser/test-schema.ts +29 -0
package/src/parser/workflow-parser.test.ts +54 -0
package/src/parser/workflow-parser.ts +153 -7
package/src/runner/aggregate-error.test.ts +57 -0
package/src/runner/aggregate-error.ts +46 -0
package/src/runner/audit-verification.test.ts +2 -2
package/src/runner/auto-heal.test.ts +1 -1
package/src/runner/blueprint-executor.test.ts +63 -0
package/src/runner/blueprint-executor.ts +157 -0
package/src/runner/concurrency-limit.test.ts +82 -0
package/src/runner/debug-repl.ts +18 -3
package/src/runner/durable-timers.test.ts +200 -0
package/src/runner/engine-executor.test.ts +464 -0
package/src/runner/engine-executor.ts +491 -0
package/src/runner/foreach-executor.ts +30 -12
package/src/runner/llm-adapter.test.ts +282 -5
package/src/runner/llm-adapter.ts +581 -8
package/src/runner/llm-clarification.test.ts +79 -21
package/src/runner/llm-errors.ts +83 -0
package/src/runner/llm-executor.test.ts +258 -219
package/src/runner/llm-executor.ts +226 -29
package/src/runner/mcp-client.ts +70 -3
package/src/runner/mcp-manager.test.ts +52 -52
package/src/runner/mcp-manager.ts +12 -5
package/src/runner/mcp-server.test.ts +117 -78
package/src/runner/mcp-server.ts +13 -4
package/src/runner/optimization-runner.ts +48 -31
package/src/runner/reflexion.test.ts +1 -1
package/src/runner/resource-pool.test.ts +113 -0
package/src/runner/resource-pool.ts +164 -0
package/src/runner/shell-executor.ts +130 -32
package/src/runner/standard-tools-integration.test.ts +36 -36
package/src/runner/standard-tools.test.ts +18 -0
package/src/runner/standard-tools.ts +110 -37
package/src/runner/step-executor.test.ts +176 -16
package/src/runner/step-executor.ts +530 -86
package/src/runner/stream-utils.test.ts +14 -0
package/src/runner/subflow-outputs.test.ts +103 -0
package/src/runner/test-harness.ts +161 -0
package/src/runner/tool-integration.test.ts +73 -79
package/src/runner/workflow-runner.test.ts +492 -15
package/src/runner/workflow-runner.ts +1438 -79
package/src/runner/workflow-subflows.test.ts +255 -0
package/src/templates/agents/keystone-architect.md +17 -12
package/src/templates/agents/tester.md +21 -0
package/src/templates/child-rollback.yaml +11 -0
package/src/templates/decompose-implement.yaml +53 -0
package/src/templates/decompose-problem.yaml +159 -0
package/src/templates/decompose-research.yaml +52 -0
package/src/templates/decompose-review.yaml +51 -0
package/src/templates/dev.yaml +134 -0
package/src/templates/engine-example.yaml +33 -0
package/src/templates/fan-out-fan-in.yaml +61 -0
package/src/templates/memory-service.yaml +1 -1
package/src/templates/parent-rollback.yaml +16 -0
package/src/templates/robust-automation.yaml +1 -1
package/src/templates/scaffold-feature.yaml +29 -27
package/src/templates/scaffold-generate.yaml +41 -0
package/src/templates/scaffold-plan.yaml +53 -0
package/src/types/status.ts +3 -0
package/src/ui/dashboard.tsx +4 -3
package/src/utils/assets.macro.ts +36 -0
package/src/utils/auth-manager.ts +585 -8
package/src/utils/blueprint-utils.test.ts +49 -0
package/src/utils/blueprint-utils.ts +80 -0
package/src/utils/circuit-breaker.test.ts +177 -0
package/src/utils/circuit-breaker.ts +160 -0
package/src/utils/config-loader.test.ts +100 -13
package/src/utils/config-loader.ts +44 -17
package/src/utils/constants.ts +62 -0
package/src/utils/error-renderer.test.ts +267 -0
package/src/utils/error-renderer.ts +320 -0
package/src/utils/json-parser.test.ts +4 -0
package/src/utils/json-parser.ts +18 -1
package/src/utils/mermaid.ts +4 -0
package/src/utils/paths.test.ts +46 -0
package/src/utils/paths.ts +70 -0
package/src/utils/process-sandbox.test.ts +128 -0
package/src/utils/process-sandbox.ts +293 -0
package/src/utils/rate-limiter.test.ts +143 -0
package/src/utils/rate-limiter.ts +221 -0
package/src/utils/redactor.test.ts +23 -15
package/src/utils/redactor.ts +65 -25
package/src/utils/resource-loader.test.ts +54 -0
package/src/utils/resource-loader.ts +158 -0
package/src/utils/sandbox.test.ts +69 -4
package/src/utils/sandbox.ts +69 -6
package/src/utils/schema-validator.ts +65 -0
package/src/utils/workflow-registry.test.ts +57 -0
package/src/utils/workflow-registry.ts +45 -25
/package/src/expression/{evaluator.audit.test.ts → evaluator-audit.test.ts} +0 -0
/package/src/runner/{mcp-client.audit.test.ts → mcp-client-audit.test.ts} +0 -0

package/src/runner/debug-repl.ts CHANGED Viewed

@@ -47,6 +47,21 @@ export class DebugRepl {
     rl.prompt();
     return new Promise((resolve) => {
+      let resolved = false;
+      const resolveOnce = (action: DebugAction) => {
+        if (resolved) return;
+        resolved = true;
+        resolve(action);
+      };
+      rl.on('close', () => {
+        resolveOnce({ type: 'continue_failure' });
+      });
+      rl.on('SIGINT', () => {
+        rl.close();
+      });
       rl.on('line', (line) => {
         const trimmed = line.trim();
         const [cmd, ...args] = trimmed.split(' ');
@@ -59,19 +74,19 @@ export class DebugRepl {
             break;
           case 'retry':
+            resolveOnce({ type: 'retry', modifiedStep: this.step });
             rl.close();
-            resolve({ type: 'retry', modifiedStep: this.step });
             break;
           case 'skip':
+            resolveOnce({ type: 'skip' });
             rl.close();
-            resolve({ type: 'skip' });
             break;
           case 'exit':
           case 'quit':
+            resolveOnce({ type: 'continue_failure' });
             rl.close();
-            resolve({ type: 'continue_failure' });
             break;
           case 'edit': {

package/src/runner/durable-timers.test.ts ADDED Viewed

@@ -0,0 +1,200 @@
+import { afterAll, beforeAll, describe, expect, it, mock } from 'bun:test';
+import { randomUUID } from 'node:crypto';
+import { WorkflowDb } from '../db/workflow-db';
+import type { Workflow } from '../parser/schema';
+import { StepStatus, WorkflowStatus } from '../types/status';
+import { WorkflowSuspendedError, WorkflowWaitingError } from './step-executor';
+import { WorkflowRunner } from './workflow-runner';
+describe('Durable Timers Integration', () => {
+  const dbPath = 'test-timers.db';
+  let db: WorkflowDb;
+  beforeAll(() => {
+    db = new WorkflowDb(dbPath);
+  });
+  afterAll(() => {
+    db.close();
+    try {
+      const { rmSync } = require('node:fs');
+      rmSync(dbPath);
+    } catch {}
+  });
+  const sleepWorkflow: Workflow = {
+    name: 'sleep-test',
+    steps: [
+      {
+        id: 'wait',
+        type: 'sleep',
+        duration: 120000, // 2 minutes
+        durable: true,
+        needs: [],
+      },
+    ],
+  };
+  const humanWorkflow: Workflow = {
+    name: 'human-test',
+    steps: [
+      {
+        id: 'approve',
+        type: 'human',
+        message: 'Approve?',
+        needs: [],
+      },
+    ],
+  };
+  it('should suspend a durable sleep step and create a timer', async () => {
+    const runner = new WorkflowRunner(sleepWorkflow, { dbPath });
+    const runId = runner.runId;
+    try {
+      await runner.run();
+    } catch (error) {
+      if (!(error instanceof WorkflowWaitingError)) {
+        throw error;
+      }
+      expect(error.stepId).toBe('wait');
+    }
+    const run = await db.getRun(runId);
+    expect(run?.status).toBe(WorkflowStatus.PAUSED);
+    const steps = await db.getStepsByRun(runId);
+    expect(steps[0].status).toBe(StepStatus.WAITING);
+    const timer = await db.getTimerByStep(runId, 'wait');
+    expect(timer).toBeDefined();
+    expect(timer?.timer_type).toBe('sleep');
+    expect(timer?.wake_at).not.toBeNull();
+    if (!timer?.wake_at) {
+      throw new Error('Expected timer wake_at to be set');
+    }
+    const wakeAt = new Date(timer.wake_at);
+    expect(wakeAt.getTime()).toBeGreaterThan(Date.now());
+  });
+  it('should persist human waits without scheduling', async () => {
+    const originalIsTTY = process.stdin.isTTY;
+    process.stdin.isTTY = false; // Ensure human step suspends instead of waiting for input
+    const runner = new WorkflowRunner(humanWorkflow, { dbPath });
+    const runId = runner.runId;
+    try {
+      await runner.run();
+    } catch (error) {
+      if (!(error instanceof WorkflowSuspendedError)) {
+        throw error;
+      }
+      expect(error.stepId).toBe('approve');
+    } finally {
+      process.stdin.isTTY = originalIsTTY;
+    }
+    const run = await db.getRun(runId);
+    expect(run?.status).toBe(WorkflowStatus.PAUSED);
+    const steps = await db.getStepsByRun(runId);
+    expect(steps[0].status).toBe(StepStatus.SUSPENDED);
+    const timer = await db.getTimerByStep(runId, 'approve');
+    expect(timer).toBeDefined();
+    expect(timer?.timer_type).toBe('human');
+    expect(timer?.wake_at).toBeNull();
+    const pending = await db.getPendingTimers();
+    expect(pending.find((t) => t.step_id === 'approve')).toBeUndefined();
+  });
+  it('should resume a waiting run if the timer has NOT elapsed', async () => {
+    const runner = new WorkflowRunner(sleepWorkflow, { dbPath });
+    const runId = runner.runId;
+    // Start it once to get it waiting
+    try {
+      await runner.run();
+    } catch {}
+    // Now try to resume with a new runner instance
+    const resumeRunner = new WorkflowRunner(sleepWorkflow, {
+      dbPath,
+      resumeRunId: runId,
+    });
+    try {
+      await resumeRunner.run();
+    } catch (error) {
+      if (!(error instanceof WorkflowWaitingError)) {
+        throw error;
+      }
+      expect(error.stepId).toBe('wait');
+    }
+    const steps = await db.getStepsByRun(runId);
+    expect(steps[0].status).toBe(StepStatus.WAITING);
+  });
+  it('should NOT create duplicate timers on resume', async () => {
+    const runner = new WorkflowRunner(sleepWorkflow, { dbPath });
+    const runId = runner.runId;
+    try {
+      await runner.run();
+    } catch {}
+    const timersBefore = await db.listTimers(runId);
+    expect(timersBefore).toHaveLength(1);
+    const resumeRunner = new WorkflowRunner(sleepWorkflow, { dbPath, resumeRunId: runId });
+    try {
+      await resumeRunner.run();
+    } catch {}
+    const timersAfter = await db.listTimers(runId);
+    // After fix, it should NOT create a new timer if one is already pending
+    expect(timersAfter).toHaveLength(1);
+  });
+  it('should resume and COMPLETE a waiting run if the timer has elapsed', async () => {
+    const runner = new WorkflowRunner(sleepWorkflow, { dbPath });
+    const runId = runner.runId;
+    try {
+      await runner.run();
+    } catch {}
+    const timer = await db.getTimerByStep(runId, 'wait');
+    expect(timer).toBeDefined();
+    if (!timer) {
+      throw new Error('Expected timer to be created');
+    }
+    // Manually backdate the timer in the DB to simulate elapsed time
+    const pastDate = new Date(Date.now() - 1000).toISOString();
+    const { Database } = require('bun:sqlite');
+    const sqlite = new Database(dbPath);
+    sqlite.prepare('UPDATE durable_timers SET wake_at = ? WHERE id = ?').run(pastDate, timer.id);
+    sqlite.close();
+    const resumeRunner = new WorkflowRunner(sleepWorkflow, {
+      dbPath,
+      resumeRunId: runId,
+    });
+    const outputs = await resumeRunner.run();
+    expect(outputs).toBeDefined();
+    const run = await db.getRun(runId);
+    expect(run?.status).toBe(WorkflowStatus.SUCCESS);
+    const steps = await db.getStepsByRun(runId);
+    expect(steps[0].status).toBe(StepStatus.SUCCESS);
+    const finalTimer = await db.getTimer(timer.id);
+    expect(finalTimer?.completed_at).not.toBeNull();
+  });
+});

package/src/runner/engine-executor.test.ts ADDED Viewed

@@ -0,0 +1,464 @@
+import { afterEach, describe, expect, it, mock, spyOn } from 'bun:test';
+import { mkdirSync, rmSync } from 'node:fs';
+import { tmpdir } from 'node:os';
+import { join } from 'node:path';
+import type { EngineStep } from '../parser/schema';
+import { executeEngineStep } from './engine-executor';
+// Helper to create a minimal valid EngineStep for testing
+const createStep = (overrides: Partial<EngineStep>): EngineStep =>
+  ({
+    id: 'test',
+    type: 'engine',
+    command: 'echo',
+    args: [],
+    cwd: '/tmp',
+    env: { PATH: '/usr/bin' },
+    needs: [],
+    ...overrides,
+  }) as EngineStep;
+describe('engine-executor', () => {
+  const tempDir = join(tmpdir(), `engine-test-${Date.now()}`);
+  afterEach(() => {
+    try {
+      rmSync(tempDir, { recursive: true, force: true });
+    } catch {
+      // Ignore cleanup errors
+    }
+  });
+  describe('executeEngineStep', () => {
+    it('should reject if aborted before execution', async () => {
+      const controller = new AbortController();
+      controller.abort();
+      const step = createStep({
+        cwd: '.',
+        env: { PATH: '/usr/bin' },
+      });
+      await expect(
+        executeEngineStep(
+          step,
+          { inputs: {}, secrets: {}, env: {}, steps: {} },
+          {
+            abortSignal: controller.signal,
+          }
+        )
+      ).rejects.toThrow('Step canceled');
+    });
+    it('should reject if cwd is not provided', async () => {
+      const step = createStep({
+        cwd: '',
+        env: { PATH: '/usr/bin' },
+      });
+      await expect(
+        executeEngineStep(step, { inputs: {}, secrets: {}, env: {}, steps: {} })
+      ).rejects.toThrow('requires an explicit cwd');
+    });
+    it('should reject if env is not provided', async () => {
+      const step = createStep({
+        cwd: '/tmp',
+        env: undefined as unknown as Record<string, string>,
+      });
+      await expect(
+        executeEngineStep(step, { inputs: {}, secrets: {}, env: {}, steps: {} })
+      ).rejects.toThrow('requires an explicit env');
+    });
+    it('should reject if PATH is not in env for non-absolute command', async () => {
+      const step = createStep({
+        cwd: '/tmp',
+        env: { HOME: '/home' },
+      });
+      await expect(
+        executeEngineStep(step, { inputs: {}, secrets: {}, env: {}, steps: {} })
+      ).rejects.toThrow('requires env.PATH');
+    });
+    it('should reject if command is denied', async () => {
+      const ConfigLoader = await import('../utils/config-loader');
+      const loadSpy = spyOn(ConfigLoader.ConfigLoader, 'load').mockReturnValue({
+        engines: {
+          denylist: ['rm', 'dd'],
+          allowlist: {},
+        },
+      } as ReturnType<typeof ConfigLoader.ConfigLoader.load>);
+      try {
+        const step = createStep({
+          command: 'rm',
+          args: ['-rf', '/'],
+          cwd: '/tmp',
+          env: { PATH: '/usr/bin' },
+        });
+        await expect(
+          executeEngineStep(step, { inputs: {}, secrets: {}, env: {}, steps: {} })
+        ).rejects.toThrow('denied by engines.denylist');
+      } finally {
+        loadSpy.mockRestore();
+      }
+    });
+    it('should reject if command is not in allowlist', async () => {
+      const ConfigLoader = await import('../utils/config-loader');
+      const loadSpy = spyOn(ConfigLoader.ConfigLoader, 'load').mockReturnValue({
+        engines: {
+          denylist: [],
+          allowlist: {
+            python: { command: 'python3', version: '3.11', versionArgs: [], args: [] },
+          },
+        },
+      } as ReturnType<typeof ConfigLoader.ConfigLoader.load>);
+      try {
+        const step = createStep({
+          command: 'node',
+          cwd: '/tmp',
+          env: { PATH: '/usr/bin' },
+        });
+        await expect(
+          executeEngineStep(step, { inputs: {}, secrets: {}, env: {}, steps: {} })
+        ).rejects.toThrow('not in the allowlist');
+      } finally {
+        loadSpy.mockRestore();
+      }
+    });
+    it('should match allowlist by basename', async () => {
+      const ConfigLoader = await import('../utils/config-loader');
+      const loadSpy = spyOn(ConfigLoader.ConfigLoader, 'load').mockReturnValue({
+        engines: {
+          denylist: [],
+          allowlist: {
+            echo: { command: 'echo', version: '', versionArgs: [], args: [] },
+          },
+        },
+      } as ReturnType<typeof ConfigLoader.ConfigLoader.load>);
+      try {
+        mkdirSync(tempDir, { recursive: true });
+        const step = createStep({
+          command: '/bin/echo',
+          args: ['hello'],
+          cwd: tempDir,
+          env: { PATH: '/bin:/usr/bin' },
+        });
+        const result = await executeEngineStep(
+          step,
+          { inputs: {}, secrets: {}, env: {}, steps: {} },
+          { artifactRoot: tempDir }
+        );
+        expect(result.exitCode).toBe(0);
+        expect(result.stdout).toContain('hello');
+      } finally {
+        loadSpy.mockRestore();
+      }
+    });
+    it('should reject on version mismatch', async () => {
+      const ConfigLoader = await import('../utils/config-loader');
+      const loadSpy = spyOn(ConfigLoader.ConfigLoader, 'load').mockReturnValue({
+        engines: {
+          denylist: [],
+          allowlist: {
+            echo: { command: 'echo', version: '999.0.0', versionArgs: [], args: [] },
+          },
+        },
+      } as ReturnType<typeof ConfigLoader.ConfigLoader.load>);
+      try {
+        mkdirSync(tempDir, { recursive: true });
+        const step = createStep({
+          command: '/bin/echo',
+          args: ['hello'],
+          cwd: tempDir,
+          env: { PATH: '/bin:/usr/bin' },
+        });
+        await expect(
+          executeEngineStep(
+            step,
+            { inputs: {}, secrets: {}, env: {}, steps: {} },
+            { artifactRoot: tempDir }
+          )
+        ).rejects.toThrow('version mismatch');
+      } finally {
+        loadSpy.mockRestore();
+      }
+    });
+    it('should parse JSON summary from stdout', async () => {
+      const ConfigLoader = await import('../utils/config-loader');
+      const loadSpy = spyOn(ConfigLoader.ConfigLoader, 'load').mockReturnValue({
+        engines: {
+          denylist: [],
+          allowlist: {
+            echo: { command: 'echo', version: '', versionArgs: [], args: [] },
+          },
+        },
+      } as ReturnType<typeof ConfigLoader.ConfigLoader.load>);
+      try {
+        mkdirSync(tempDir, { recursive: true });
+        const step = createStep({
+          command: '/bin/echo',
+          args: ['{"result": "success"}'],
+          cwd: tempDir,
+          env: { PATH: '/bin:/usr/bin' },
+        });
+        const result = await executeEngineStep(
+          step,
+          { inputs: {}, secrets: {}, env: {}, steps: {} },
+          { artifactRoot: tempDir }
+        );
+        expect(result.summary).toEqual({ result: 'success' });
+        expect(result.summarySource).toBe('stdout');
+        expect(result.summaryFormat).toBe('json');
+      } finally {
+        loadSpy.mockRestore();
+      }
+    });
+    it('should parse YAML summary from stdout', async () => {
+      const ConfigLoader = await import('../utils/config-loader');
+      const loadSpy = spyOn(ConfigLoader.ConfigLoader, 'load').mockReturnValue({
+        engines: {
+          denylist: [],
+          allowlist: {
+            sh: { command: 'sh', version: '', versionArgs: [], args: [] },
+          },
+        },
+      } as ReturnType<typeof ConfigLoader.ConfigLoader.load>);
+      try {
+        mkdirSync(tempDir, { recursive: true });
+        const step = createStep({
+          command: '/bin/sh',
+          args: ['-c', 'echo "result: success"; echo "count: 42"'],
+          cwd: tempDir,
+          env: { PATH: '/bin:/usr/bin' },
+        });
+        const result = await executeEngineStep(
+          step,
+          { inputs: {}, secrets: {}, env: {}, steps: {} },
+          { artifactRoot: tempDir }
+        );
+        expect(result.summary).toEqual({ result: 'success', count: 42 });
+        expect(result.summaryFormat).toBe('yaml');
+      } finally {
+        loadSpy.mockRestore();
+      }
+    });
+    it('should handle summary file over stdout', async () => {
+      const ConfigLoader = await import('../utils/config-loader');
+      const loadSpy = spyOn(ConfigLoader.ConfigLoader, 'load').mockReturnValue({
+        engines: {
+          denylist: [],
+          allowlist: {
+            sh: { command: 'sh', version: '', versionArgs: [], args: [] },
+          },
+        },
+      } as ReturnType<typeof ConfigLoader.ConfigLoader.load>);
+      try {
+        mkdirSync(tempDir, { recursive: true });
+        const step = createStep({
+          command: '/bin/sh',
+          args: [
+            '-c',
+            'echo \'{"from": "file"}\' > $KEYSTONE_ENGINE_SUMMARY_PATH && echo \'{"from": "stdout"}\'',
+          ],
+          cwd: tempDir,
+          env: { PATH: '/bin:/usr/bin' },
+        });
+        const result = await executeEngineStep(
+          step,
+          { inputs: {}, secrets: {}, env: {}, steps: {} },
+          { artifactRoot: tempDir }
+        );
+        expect(result.summary).toEqual({ from: 'file' });
+        expect(result.summarySource).toBe('file');
+      } finally {
+        loadSpy.mockRestore();
+      }
+    });
+    it('should handle invalid summary gracefully', async () => {
+      const ConfigLoader = await import('../utils/config-loader');
+      const loadSpy = spyOn(ConfigLoader.ConfigLoader, 'load').mockReturnValue({
+        engines: {
+          denylist: [],
+          allowlist: {
+            echo: { command: 'echo', version: '', versionArgs: [], args: [] },
+          },
+        },
+      } as ReturnType<typeof ConfigLoader.ConfigLoader.load>);
+      try {
+        mkdirSync(tempDir, { recursive: true });
+        const step = createStep({
+          command: '/bin/echo',
+          args: ['not valid json or yaml :: %%'],
+          cwd: tempDir,
+          env: { PATH: '/bin:/usr/bin' },
+        });
+        const result = await executeEngineStep(
+          step,
+          { inputs: {}, secrets: {}, env: {}, steps: {} },
+          { artifactRoot: tempDir }
+        );
+        expect(result.summary).toBeNull();
+        expect(result.summaryError).toBeDefined();
+      } finally {
+        loadSpy.mockRestore();
+      }
+    });
+    it('should apply redactForStorage to summary', async () => {
+      const ConfigLoader = await import('../utils/config-loader');
+      const loadSpy = spyOn(ConfigLoader.ConfigLoader, 'load').mockReturnValue({
+        engines: {
+          denylist: [],
+          allowlist: {
+            echo: { command: 'echo', version: '', versionArgs: [], args: [] },
+          },
+        },
+      } as ReturnType<typeof ConfigLoader.ConfigLoader.load>);
+      try {
+        mkdirSync(tempDir, { recursive: true });
+        const step = createStep({
+          command: '/bin/echo',
+          args: ['{"secret": "password123"}'],
+          cwd: tempDir,
+          env: { PATH: '/bin:/usr/bin' },
+        });
+        const redactForStorage = mock((value: unknown) => {
+          if (typeof value === 'object' && value !== null) {
+            return { ...(value as object), secret: '[REDACTED]' };
+          }
+          return value;
+        });
+        await executeEngineStep(
+          step,
+          { inputs: {}, secrets: {}, env: {}, steps: {} },
+          { artifactRoot: tempDir, redactForStorage }
+        );
+        expect(redactForStorage).toHaveBeenCalled();
+      } finally {
+        loadSpy.mockRestore();
+      }
+    });
+    it('should evaluate expressions in command args', async () => {
+      const ConfigLoader = await import('../utils/config-loader');
+      const loadSpy = spyOn(ConfigLoader.ConfigLoader, 'load').mockReturnValue({
+        engines: {
+          denylist: [],
+          allowlist: {
+            echo: { command: 'echo', version: '', versionArgs: [], args: [] },
+          },
+        },
+      } as ReturnType<typeof ConfigLoader.ConfigLoader.load>);
+      try {
+        mkdirSync(tempDir, { recursive: true });
+        const step = createStep({
+          command: '/bin/echo',
+          args: ['${{ inputs.message }}'],
+          cwd: tempDir,
+          env: { PATH: '/bin:/usr/bin' },
+        });
+        const result = await executeEngineStep(
+          step,
+          { inputs: { message: 'Hello, World!' }, secrets: {}, env: {}, steps: {} },
+          { artifactRoot: tempDir }
+        );
+        expect(result.stdout).toContain('Hello, World!');
+      } finally {
+        loadSpy.mockRestore();
+      }
+    });
+    it('should use custom versionArgs from allowlist', async () => {
+      const ConfigLoader = await import('../utils/config-loader');
+      const loadSpy = spyOn(ConfigLoader.ConfigLoader, 'load').mockReturnValue({
+        engines: {
+          denylist: [],
+          allowlist: {
+            echo: { command: 'echo', version: 'test', versionArgs: ['test'], args: [] },
+          },
+        },
+      } as ReturnType<typeof ConfigLoader.ConfigLoader.load>);
+      try {
+        mkdirSync(tempDir, { recursive: true });
+        const step = createStep({
+          command: '/bin/echo',
+          args: ['hello'],
+          cwd: tempDir,
+          env: { PATH: '/bin:/usr/bin' },
+        });
+        const result = await executeEngineStep(
+          step,
+          { inputs: {}, secrets: {}, env: {}, steps: {} },
+          { artifactRoot: tempDir }
+        );
+        expect(result.exitCode).toBe(0);
+      } finally {
+        loadSpy.mockRestore();
+      }
+    });
+    it('should handle wildcard patterns in denylist', async () => {
+      const ConfigLoader = await import('../utils/config-loader');
+      const loadSpy = spyOn(ConfigLoader.ConfigLoader, 'load').mockReturnValue({
+        engines: {
+          denylist: ['rm*', '*/rm'],
+          allowlist: {},
+        },
+      } as ReturnType<typeof ConfigLoader.ConfigLoader.load>);
+      try {
+        const step = createStep({
+          command: 'rmdir',
+          cwd: '/tmp',
+          env: { PATH: '/usr/bin' },
+        });
+        await expect(
+          executeEngineStep(step, { inputs: {}, secrets: {}, env: {}, steps: {} })
+        ).rejects.toThrow('denied by engines.denylist');
+      } finally {
+        loadSpy.mockRestore();
+      }
+    });
+  });
+});