skimpyclaw 0.1.9 → 0.2.0

package/dist/__tests__/bash-path-validation.test.d.ts

@@ -0,0 +1 @@
+export {};

package/dist/__tests__/bash-path-validation.test.js

@@ -0,0 +1,164 @@
+import { describe, it, expect } from 'vitest';
+import { isPathLikeToken, extractScriptTarget, extractPathsFromCommand, validateBashPaths, } from '../tools/bash-path-validation.js';
+describe('isPathLikeToken', () => {
+    it('detects absolute paths', () => {
+        expect(isPathLikeToken('/etc/passwd')).toBe(true);
+        expect(isPathLikeToken('/home/user/file.txt')).toBe(true);
+    });
+    it('detects relative paths', () => {
+        expect(isPathLikeToken('./foo')).toBe(true);
+        expect(isPathLikeToken('../bar')).toBe(true);
+        expect(isPathLikeToken('.')).toBe(true);
+        expect(isPathLikeToken('..')).toBe(true);
+    });
+    it('detects home-relative paths', () => {
+        expect(isPathLikeToken('~/Documents')).toBe(true);
+        expect(isPathLikeToken('~')).toBe(true);
+    });
+    it('rejects flags', () => {
+        expect(isPathLikeToken('-f')).toBe(false);
+        expect(isPathLikeToken('--file')).toBe(false);
+        expect(isPathLikeToken('-')).toBe(false);
+        expect(isPathLikeToken('--')).toBe(false);
+    });
+    it('rejects bare words', () => {
+        expect(isPathLikeToken('foo')).toBe(false);
+        expect(isPathLikeToken('bar.txt')).toBe(false);
+        expect(isPathLikeToken('some-command')).toBe(false);
+    });
+    it('rejects empty/whitespace', () => {
+        expect(isPathLikeToken('')).toBe(false);
+        expect(isPathLikeToken('  ')).toBe(false);
+    });
+});
+describe('extractScriptTarget', () => {
+    it('extracts script path from python command', () => {
+        expect(extractScriptTarget(['python3', 'script.py'])).toBe('script.py');
+        expect(extractScriptTarget(['python3', '-u', 'script.py'])).toBe('script.py');
+        expect(extractScriptTarget(['python', '/home/user/run.py'])).toBe('/home/user/run.py');
+    });
+    it('extracts script path from node command', () => {
+        expect(extractScriptTarget(['node', 'app.js'])).toBe('app.js');
+        expect(extractScriptTarget(['node', '--experimental-modules', 'app.js'])).toBe('app.js');
+    });
+    it('extracts script path from ruby/perl', () => {
+        expect(extractScriptTarget(['ruby', 'script.rb'])).toBe('script.rb');
+        expect(extractScriptTarget(['perl', 'script.pl'])).toBe('script.pl');
+    });
+    it('extracts script path from shell interpreters', () => {
+        expect(extractScriptTarget(['bash', 'script.sh'])).toBe('script.sh');
+        expect(extractScriptTarget(['sh', './run.sh'])).toBe('./run.sh');
+    });
+    it('returns null for inline execution (-c, -e)', () => {
+        expect(extractScriptTarget(['python3', '-c', 'print("hi")'])).toBeNull();
+        expect(extractScriptTarget(['node', '-e', 'console.log(1)'])).toBeNull();
+        expect(extractScriptTarget(['perl', '-e', 'print 1'])).toBeNull();
+        expect(extractScriptTarget(['bash', '-c', 'echo hello'])).toBeNull();
+    });
+    it('returns null for module execution (-m)', () => {
+        expect(extractScriptTarget(['python3', '-m', 'http.server'])).toBeNull();
+    });
+    it('returns null for non-interpreter commands', () => {
+        expect(extractScriptTarget(['ls', '-la'])).toBeNull();
+        expect(extractScriptTarget(['grep', 'pattern', 'file.txt'])).toBeNull();
+    });
+    it('handles env var prefix in segment', () => {
+        expect(extractScriptTarget(['NODE_ENV=prod', 'node', 'app.js'])).toBe('app.js');
+    });
+    it('skips flags with values', () => {
+        expect(extractScriptTarget(['python3', '-W', 'ignore', 'script.py'])).toBe('script.py');
+    });
+    it('returns null for no arguments', () => {
+        expect(extractScriptTarget(['python3'])).toBeNull();
+        expect(extractScriptTarget([])).toBeNull();
+    });
+});
+describe('extractPathsFromCommand', () => {
+    const cwd = '/home/user/project';
+    it('extracts absolute paths from simple commands', () => {
+        const paths = extractPathsFromCommand('cat /etc/passwd', cwd);
+        expect(paths).toContain('/etc/passwd');
+    });
+    it('extracts relative paths and resolves them', () => {
+        const paths = extractPathsFromCommand('cat ./data/file.txt', cwd);
+        expect(paths).toContain('/home/user/project/data/file.txt');
+    });
+    it('extracts home-relative paths', () => {
+        const paths = extractPathsFromCommand('cat ~/secret.txt', cwd);
+        expect(paths.length).toBe(1);
+        expect(paths[0]).toMatch(/secret\.txt$/);
+    });
+    it('extracts paths from piped commands', () => {
+        const paths = extractPathsFromCommand('cat /etc/hosts | grep /var/log/syslog', cwd);
+        expect(paths).toContain('/etc/hosts');
+        expect(paths).toContain('/var/log/syslog');
+    });
+    it('extracts paths from chained commands', () => {
+        const paths = extractPathsFromCommand('ls /tmp && cat /etc/passwd', cwd);
+        expect(paths).toContain('/tmp');
+        expect(paths).toContain('/etc/passwd');
+    });
+    it('extracts interpreter script targets', () => {
+        const paths = extractPathsFromCommand('python3 /opt/scripts/exploit.py', cwd);
+        expect(paths).toContain('/opt/scripts/exploit.py');
+    });
+    it('extracts both script target and path args', () => {
+        const paths = extractPathsFromCommand('python3 ./script.py /data/input.csv', cwd);
+        expect(paths).toContain('/home/user/project/script.py');
+        expect(paths).toContain('/data/input.csv');
+    });
+    it('deduplicates paths', () => {
+        const paths = extractPathsFromCommand('cat /etc/passwd /etc/passwd', cwd);
+        expect(paths.length).toBe(1);
+    });
+    it('returns empty for commands with no path args', () => {
+        const paths = extractPathsFromCommand('echo hello world', cwd);
+        expect(paths).toEqual([]);
+    });
+    it('returns empty for inline interpreter execution', () => {
+        const paths = extractPathsFromCommand('python3 -c "print(1)"', cwd);
+        expect(paths).toEqual([]);
+    });
+    it('handles bare words that are not paths', () => {
+        const paths = extractPathsFromCommand('git status', cwd);
+        expect(paths).toEqual([]);
+    });
+});
+describe('validateBashPaths', () => {
+    // Use /home/user paths to avoid macOS /tmp → /private/tmp symlink issues
+    const allowedPaths = ['/home/user/project', '/home/user/data'];
+    it('returns null when all paths are allowed', () => {
+        expect(validateBashPaths('cat /home/user/project/file.txt', undefined, allowedPaths)).toBeNull();
+        expect(validateBashPaths('ls /home/user/data/stuff', undefined, allowedPaths)).toBeNull();
+    });
+    it('returns error when path is outside allowed dirs', () => {
+        const result = validateBashPaths('cat /etc/passwd', undefined, allowedPaths);
+        expect(result).toContain('Error');
+        expect(result).toContain('/etc/passwd');
+    });
+    it('blocks interpreter commands targeting outside paths', () => {
+        const result = validateBashPaths('python3 /opt/evil.py', undefined, allowedPaths);
+        expect(result).toContain('Error');
+        expect(result).toContain('/opt/evil.py');
+    });
+    it('allows interpreter commands targeting allowed paths', () => {
+        expect(validateBashPaths('python3 /home/user/project/run.py', undefined, allowedPaths)).toBeNull();
+    });
+    it('returns null when no allowedPaths configured (permissive)', () => {
+        expect(validateBashPaths('cat /etc/passwd', undefined, [])).toBeNull();
+    });
+    it('blocks paths in chained commands', () => {
+        const result = validateBashPaths('ls /home/user/data && cat /etc/shadow', undefined, allowedPaths);
+        expect(result).toContain('Error');
+        expect(result).toContain('/etc/shadow');
+    });
+    it('lists all blocked paths in error', () => {
+        const result = validateBashPaths('cat /etc/passwd /var/secret', undefined, allowedPaths);
+        expect(result).toContain('/etc/passwd');
+        expect(result).toContain('/var/secret');
+    });
+    it('returns null for commands with no path arguments', () => {
+        expect(validateBashPaths('echo hello', undefined, allowedPaths)).toBeNull();
+        expect(validateBashPaths('git status', undefined, allowedPaths)).toBeNull();
+    });
+});

package/dist/__tests__/doctor.runner.test.js

@@ -1,5 +1,5 @@
 import { beforeEach, describe, expect, it, vi } from 'vitest';
-const { mockLoadConfig, mockCheckNodeVersion, mockCheckPackageManagerAvailable, mockCheckTypeScriptCompile, mockCheckConfigExistsAndValidJson, mockCheckRequiredEnvVars, mockCheckEnvVarPatterns, mockCheckAllowedPathsWritable, mockCheckProviderAuth, mockCheckTelegramToken, mockCheckDiscordToken, mockCheckBrowserBinaryIfEnabled, mockCheckVoiceDependencies, mockCheckMcpConfig, mockCheckGatewayHostBindable, mockCheckSkimpyclawDirWritable, mockCheckPortAvailability, } = vi.hoisted(() => ({
+const { mockLoadConfig, mockCheckNodeVersion, mockCheckPackageManagerAvailable, mockCheckTypeScriptCompile, mockCheckConfigExistsAndValidJson, mockCheckRequiredEnvVars, mockCheckEnvVarPatterns, mockCheckAllowedPathsWritable, mockCheckProviderAuth, mockCheckTelegramToken, mockCheckDiscordToken, mockCheckBrowserBinaryIfEnabled, mockCheckVoiceDependencies, mockCheckMcpConfig, mockCheckGatewayHostBindable, mockCheckSkimpyclawDirWritable, mockCheckPortAvailability, mockCheckSandboxAvailable, } = vi.hoisted(() => ({
     mockLoadConfig: vi.fn(),
     mockCheckNodeVersion: vi.fn(),
     mockCheckPackageManagerAvailable: vi.fn(),
@@ -17,6 +17,7 @@ const { mockLoadConfig, mockCheckNodeVersion, mockCheckPackageManagerAvailable,
     mockCheckGatewayHostBindable: vi.fn(),
     mockCheckSkimpyclawDirWritable: vi.fn(),
     mockCheckPortAvailability: vi.fn(),
+    mockCheckSandboxAvailable: vi.fn(),
 }));
 vi.mock('../config.js', () => ({
     loadConfig: mockLoadConfig,
@@ -38,6 +39,7 @@ vi.mock('../doctor/checks.js', () => ({
     checkGatewayHostBindable: mockCheckGatewayHostBindable,
     checkSkimpyclawDirWritable: mockCheckSkimpyclawDirWritable,
     checkPortAvailability: mockCheckPortAvailability,
+    checkSandboxAvailable: mockCheckSandboxAvailable,
 }));
 import { computeExitCode, runDoctor } from '../doctor/runner.js';
 function okCheck(name, category, detail = 'ok') {
@@ -78,6 +80,7 @@ describe('doctor runner', () => {
         mockCheckGatewayHostBindable.mockReset();
         mockCheckSkimpyclawDirWritable.mockReset();
         mockCheckPortAvailability.mockReset();
+        mockCheckSandboxAvailable.mockReset();
         mockCheckNodeVersion.mockResolvedValue(okCheck('node_version', 'environment', 'v20.11.0'));
         mockCheckPackageManagerAvailable.mockResolvedValue(okCheck('package_manager_available', 'environment', 'pnpm'));
         mockCheckTypeScriptCompile.mockResolvedValue(okCheck('typescript_compile', 'environment'));
@@ -94,6 +97,7 @@ describe('doctor runner', () => {
         mockCheckGatewayHostBindable.mockResolvedValue(okCheck('gateway_host_bindable', 'runtime', '127.0.0.1 (always available)'));
         mockCheckSkimpyclawDirWritable.mockResolvedValue(okCheck('skimpyclaw_dirs_writable', 'runtime'));
         mockCheckPortAvailability.mockResolvedValue(okCheck('gateway_port_available', 'runtime'));
+        mockCheckSandboxAvailable.mockResolvedValue(okCheck('sandbox_available', 'runtime', 'Sandbox disabled'));
     });
     it('computes exit code 0 when all checks pass', () => {
         const code = computeExitCode({ checks: [okCheck('node_version', 'environment')] });

package/dist/__tests__/heartbeat.test.js

@@ -21,11 +21,11 @@ describe('heartbeat prompt path normalization', () => {
             agents: { default: 'main' },
             heartbeat: {
                 intervalMs: 60000,
-                prompt: 'Read /Users/katre/HEARTBEAT.md only. Reply HEARTBEAT_OK.',
+                prompt: 'Read /Users/example/HEARTBEAT.md only. Reply HEARTBEAT_OK.',
                 model: 'claude-fast',
                 tools: {
                     enabled: true,
-                    allowedPaths: ['/Users/katre/.skimpyclaw'],
+                    allowedPaths: ['/Users/example/.skimpyclaw'],
                     maxIterations: 10,
                     bashTimeout: 15000,
                 },
@@ -33,7 +33,7 @@ describe('heartbeat prompt path normalization', () => {
             channels: {
                 active: 'telegram',
                 telegram: {
-                    defaultAllowedPaths: ['/Users/katre/.skimpyclaw'],
+                    defaultAllowedPaths: ['/Users/example/.skimpyclaw'],
                 },
             },
         };
@@ -50,7 +50,7 @@ describe('heartbeat prompt path normalization', () => {
                 model: 'claude-fast',
                 tools: {
                     enabled: true,
-                    allowedPaths: ['/Users/katre/.skimpyclaw'],
+                    allowedPaths: ['/Users/example/.skimpyclaw'],
                     maxIterations: 10,
                     bashTimeout: 15000,
                 },
@@ -58,7 +58,7 @@ describe('heartbeat prompt path normalization', () => {
             channels: {
                 active: 'telegram',
                 telegram: {
-                    defaultAllowedPaths: ['/Users/katre/.skimpyclaw'],
+                    defaultAllowedPaths: ['/Users/example/.skimpyclaw'],
                 },
             },
         };

package/dist/__tests__/sandbox-bridge.test.d.ts

@@ -0,0 +1 @@
+export {};

package/dist/__tests__/sandbox-bridge.test.js

@@ -0,0 +1,116 @@
+import { describe, it, expect, vi, beforeEach } from 'vitest';
+const { mockExecInContainer } = vi.hoisted(() => ({
+    mockExecInContainer: vi.fn(),
+}));
+vi.mock('../sandbox/runtime.js', () => ({
+    execInContainer: mockExecInContainer,
+}));
+import { sandboxBash, sandboxReadFile, sandboxWriteFile, sandboxListDir, sandboxGlob, } from '../sandbox/bridge.js';
+describe('sandbox/bridge', () => {
+    beforeEach(() => {
+        vi.clearAllMocks();
+    });
+    describe('sandboxBash', () => {
+        it('passes command through', async () => {
+            mockExecInContainer.mockResolvedValue({ stdout: 'ok', stderr: '', exitCode: 0 });
+            const result = await sandboxBash('ctr', 'echo hi');
+            expect(result).toBe('ok');
+            expect(mockExecInContainer).toHaveBeenCalledWith('ctr', ['echo hi'], expect.any(Object));
+        });
+        it('handles cwd', async () => {
+            mockExecInContainer.mockResolvedValue({ stdout: '', stderr: '', exitCode: 0 });
+            await sandboxBash('ctr', 'ls', '/workspace');
+            const args = mockExecInContainer.mock.calls[0][1][0];
+            expect(args).toContain('cd');
+            expect(args).toContain('/workspace');
+        });
+        it('handles timeout', async () => {
+            mockExecInContainer.mockResolvedValue({ stdout: '', stderr: '', exitCode: 0 });
+            await sandboxBash('ctr', 'sleep 1', undefined, 5000);
+            const opts = mockExecInContainer.mock.calls[0][2];
+            expect(opts.timeout).toBe(5000);
+        });
+        it('truncates long output', async () => {
+            const longOutput = 'x'.repeat(60 * 1024);
+            mockExecInContainer.mockResolvedValue({ stdout: longOutput, stderr: '', exitCode: 0 });
+            const result = await sandboxBash('ctr', 'cmd');
+            expect(result.length).toBeLessThan(longOutput.length);
+            expect(result).toContain('truncated');
+        });
+        it('includes exit code on failure', async () => {
+            mockExecInContainer.mockResolvedValue({ stdout: 'out', stderr: 'err', exitCode: 42 });
+            const result = await sandboxBash('ctr', 'bad');
+            expect(result).toContain('[exit code: 42]');
+        });
+        it('returns (no output) when empty', async () => {
+            mockExecInContainer.mockResolvedValue({ stdout: '', stderr: '', exitCode: 0 });
+            const result = await sandboxBash('ctr', 'true');
+            expect(result).toBe('(no output)');
+        });
+    });
+    describe('sandboxReadFile', () => {
+        it('calls cat with path', async () => {
+            mockExecInContainer.mockResolvedValue({ stdout: 'content', stderr: '', exitCode: 0 });
+            const result = await sandboxReadFile('ctr', '/workspace/file.txt');
+            expect(result).toBe('content');
+            expect(mockExecInContainer.mock.calls[0][1][0]).toContain('cat');
+        });
+        it('truncates large files', async () => {
+            const big = 'y'.repeat(120 * 1024);
+            mockExecInContainer.mockResolvedValue({ stdout: big, stderr: '', exitCode: 0 });
+            const result = await sandboxReadFile('ctr', '/f');
+            expect(result.length).toBeLessThan(big.length);
+            expect(result).toContain('truncated');
+        });
+        it('throws on failure', async () => {
+            mockExecInContainer.mockResolvedValue({ stdout: '', stderr: 'not found', exitCode: 1 });
+            await expect(sandboxReadFile('ctr', '/missing')).rejects.toThrow('Failed to read');
+        });
+    });
+    describe('sandboxWriteFile', () => {
+        it('sends content via stdin', async () => {
+            mockExecInContainer.mockResolvedValue({ stdout: '', stderr: '', exitCode: 0 });
+            const result = await sandboxWriteFile('ctr', '/workspace/f.txt', 'hello');
+            expect(result).toContain('Written');
+            expect(result).toContain('5 bytes');
+            const opts = mockExecInContainer.mock.calls[0][2];
+            expect(opts.stdin).toBe('hello');
+        });
+        it('creates parent dirs', async () => {
+            mockExecInContainer.mockResolvedValue({ stdout: '', stderr: '', exitCode: 0 });
+            await sandboxWriteFile('ctr', '/workspace/a/b/c.txt', 'data');
+            expect(mockExecInContainer.mock.calls[0][1][0]).toContain('mkdir -p');
+        });
+        it('throws on failure', async () => {
+            mockExecInContainer.mockResolvedValue({ stdout: '', stderr: 'perm denied', exitCode: 1 });
+            await expect(sandboxWriteFile('ctr', '/f', 'x')).rejects.toThrow('Failed to write');
+        });
+    });
+    describe('sandboxListDir', () => {
+        it('calls ls -la', async () => {
+            mockExecInContainer.mockResolvedValue({ stdout: 'drwxr-xr-x ...', stderr: '', exitCode: 0 });
+            const result = await sandboxListDir('ctr', '/workspace');
+            expect(result).toBe('drwxr-xr-x ...');
+            expect(mockExecInContainer.mock.calls[0][1][0]).toContain('ls -la');
+        });
+        it('throws on failure', async () => {
+            mockExecInContainer.mockResolvedValue({ stdout: '', stderr: 'no such dir', exitCode: 1 });
+            await expect(sandboxListDir('ctr', '/bad')).rejects.toThrow('Failed to list');
+        });
+    });
+    describe('sandboxGlob', () => {
+        it('calls find with correct args', async () => {
+            mockExecInContainer.mockResolvedValue({ stdout: '/workspace/a.ts\n', stderr: '', exitCode: 0 });
+            const result = await sandboxGlob('ctr', '/workspace', '*.ts');
+            expect(result).toContain('/workspace/a.ts');
+            const cmd = mockExecInContainer.mock.calls[0][1][0];
+            expect(cmd).toContain('find');
+            expect(cmd).toContain('-name');
+            expect(cmd).toContain('-maxdepth');
+        });
+        it('throws on failure', async () => {
+            mockExecInContainer.mockResolvedValue({ stdout: '', stderr: 'err', exitCode: 1 });
+            await expect(sandboxGlob('ctr', '/x', '*.js')).rejects.toThrow('Failed to glob');
+        });
+    });
+});

package/dist/__tests__/sandbox-manager.test.d.ts

@@ -0,0 +1 @@
+export {};

package/dist/__tests__/sandbox-manager.test.js

@@ -0,0 +1,119 @@
+import { describe, it, expect, vi, beforeEach } from 'vitest';
+const { mockCreateContainer, mockRemoveContainer, mockIsContainerRunning, mockValidateMountPaths, } = vi.hoisted(() => ({
+    mockCreateContainer: vi.fn(),
+    mockRemoveContainer: vi.fn(),
+    mockIsContainerRunning: vi.fn(),
+    mockValidateMountPaths: vi.fn(),
+}));
+vi.mock('../sandbox/runtime.js', () => ({
+    createContainer: mockCreateContainer,
+    removeContainer: mockRemoveContainer,
+    isContainerRunning: mockIsContainerRunning,
+}));
+vi.mock('../sandbox/mount-security.js', () => ({
+    validateMountPaths: mockValidateMountPaths,
+}));
+import { ensureContainer, releaseContainer, pruneIdle, releaseAll, resetForTesting, SANDBOX_DEFAULTS, } from '../sandbox/manager.js';
+const testConfig = { ...SANDBOX_DEFAULTS, enabled: true };
+describe('sandbox/manager', () => {
+    beforeEach(() => {
+        resetForTesting();
+        vi.clearAllMocks();
+        mockValidateMountPaths.mockReturnValue([
+            { host: '/home/user/project', container: '/workspace/project', readOnly: false },
+        ]);
+        mockCreateContainer.mockResolvedValue(undefined);
+        mockRemoveContainer.mockResolvedValue(undefined);
+    });
+    describe('ensureContainer', () => {
+        it('creates container on first call', async () => {
+            const name = await ensureContainer('sess1', testConfig, ['/home/user/project']);
+            expect(name).toBe('skimpyclaw-sbx-sess1');
+            expect(mockCreateContainer).toHaveBeenCalledTimes(1);
+        });
+        it('reuses on second call if running', async () => {
+            mockIsContainerRunning
+                .mockResolvedValueOnce(false)
+                .mockResolvedValueOnce(true);
+            await ensureContainer('sess1', testConfig, ['/p']);
+            const name = await ensureContainer('sess1', testConfig, ['/p']);
+            expect(name).toBe('skimpyclaw-sbx-sess1');
+            expect(mockCreateContainer).toHaveBeenCalledTimes(1); // only first call
+        });
+        it('recreates if container died', async () => {
+            mockIsContainerRunning.mockResolvedValue(false);
+            await ensureContainer('sess1', testConfig, ['/p']);
+            // Second call — container exists in map but isContainerRunning returns false
+            await ensureContainer('sess1', testConfig, ['/p']);
+            expect(mockCreateContainer).toHaveBeenCalledTimes(2);
+        });
+        it('adopts existing running container after process restart', async () => {
+            mockIsContainerRunning.mockResolvedValue(true);
+            const name = await ensureContainer('default', testConfig, ['/p']);
+            expect(name).toBe('skimpyclaw-sbx-default');
+            expect(mockCreateContainer).not.toHaveBeenCalled();
+            expect(mockRemoveContainer).not.toHaveBeenCalled();
+        });
+        it('removes stale named container before creating', async () => {
+            mockIsContainerRunning.mockResolvedValue(false);
+            const name = await ensureContainer('default', testConfig, ['/p']);
+            expect(name).toBe('skimpyclaw-sbx-default');
+            expect(mockRemoveContainer).toHaveBeenCalledWith('skimpyclaw-sbx-default');
+            expect(mockCreateContainer).toHaveBeenCalledTimes(1);
+        });
+    });
+    describe('releaseContainer', () => {
+        it('removes container and clears from map', async () => {
+            await ensureContainer('sess1', testConfig, ['/p']);
+            await releaseContainer('sess1');
+            expect(mockRemoveContainer).toHaveBeenCalledWith('skimpyclaw-sbx-sess1');
+            // Next ensureContainer should create fresh
+            await ensureContainer('sess1', testConfig, ['/p']);
+            expect(mockCreateContainer).toHaveBeenCalledTimes(2);
+        });
+        it('no-ops for unknown session', async () => {
+            await expect(releaseContainer('unknown')).resolves.toBeUndefined();
+            expect(mockRemoveContainer).not.toHaveBeenCalled();
+        });
+    });
+    describe('pruneIdle', () => {
+        it('removes containers older than threshold', async () => {
+            vi.useFakeTimers();
+            try {
+                await ensureContainer('old', testConfig, ['/p']);
+                // Advance time by 10 seconds so the container is idle
+                vi.advanceTimersByTime(10_000);
+                const pruned = await pruneIdle(5_000);
+                expect(pruned).toBe(1);
+                expect(mockRemoveContainer).toHaveBeenCalledWith('skimpyclaw-sbx-old');
+            }
+            finally {
+                vi.useRealTimers();
+            }
+        });
+        it('keeps recent containers', async () => {
+            await ensureContainer('new', testConfig, ['/p']);
+            const pruned = await pruneIdle(60_000);
+            expect(pruned).toBe(0);
+        });
+    });
+    describe('releaseAll', () => {
+        it('removes all containers', async () => {
+            mockIsContainerRunning.mockResolvedValue(true);
+            await ensureContainer('a', testConfig, ['/p']);
+            await ensureContainer('b', testConfig, ['/p']);
+            await releaseAll();
+            expect(mockRemoveContainer).toHaveBeenCalledTimes(2);
+        });
+    });
+    describe('resetForTesting', () => {
+        it('clears state without removing containers', async () => {
+            mockIsContainerRunning.mockResolvedValue(false);
+            await ensureContainer('x', testConfig, ['/p']);
+            resetForTesting();
+            // Next call should create fresh (map is empty)
+            await ensureContainer('x', testConfig, ['/p']);
+            expect(mockCreateContainer).toHaveBeenCalledTimes(2);
+        });
+    });
+});

package/dist/__tests__/sandbox-mount-security.test.d.ts

@@ -0,0 +1 @@
+export {};

package/dist/__tests__/sandbox-mount-security.test.js

@@ -0,0 +1,131 @@
+import { describe, it, expect, vi, beforeEach } from 'vitest';
+vi.mock('fs', async () => {
+    const actual = await vi.importActual('fs');
+    return {
+        ...actual,
+        existsSync: vi.fn(),
+        realpathSync: vi.fn(),
+    };
+});
+import { existsSync, realpathSync } from 'fs';
+import { isBlockedPath, validateMountPaths, translatePath } from '../sandbox/mount-security.js';
+const mockExistsSync = existsSync;
+const mockRealpathSync = realpathSync;
+describe('sandbox/mount-security', () => {
+    beforeEach(() => {
+        vi.clearAllMocks();
+    });
+    describe('isBlockedPath', () => {
+        it('blocks .ssh', () => {
+            expect(isBlockedPath('/home/user/.ssh')).toBe(true);
+            expect(isBlockedPath('/home/user/.ssh/id_rsa')).toBe(true);
+        });
+        it('blocks .gnupg', () => {
+            expect(isBlockedPath('/home/user/.gnupg')).toBe(true);
+        });
+        it('blocks .aws', () => {
+            expect(isBlockedPath('/home/user/.aws')).toBe(true);
+        });
+        it('blocks credentials', () => {
+            expect(isBlockedPath('/some/path/credentials')).toBe(true);
+        });
+        it('blocks .env', () => {
+            expect(isBlockedPath('/project/.env')).toBe(true);
+        });
+        it('blocks .kube', () => {
+            expect(isBlockedPath('/home/user/.kube/config')).toBe(true);
+        });
+        it('blocks .docker/config.json compound pattern', () => {
+            expect(isBlockedPath('/home/user/.docker/config.json')).toBe(true);
+        });
+        it('allows normal paths', () => {
+            expect(isBlockedPath('/home/user/project')).toBe(false);
+            expect(isBlockedPath('/workspace/src/index.ts')).toBe(false);
+            expect(isBlockedPath('/tmp/test')).toBe(false);
+        });
+    });
+    describe('validateMountPaths', () => {
+        beforeEach(() => {
+            mockExistsSync.mockReturnValue(true);
+            mockRealpathSync.mockImplementation((p) => p);
+        });
+        it('maps to /workspace/<basename>', () => {
+            const mounts = validateMountPaths(['/home/user/myproject']);
+            const projectMount = mounts.find((m) => m.host === '/home/user/myproject');
+            expect(projectMount).toBeDefined();
+            expect(projectMount.container).toBe('/workspace/myproject');
+            expect(projectMount.readOnly).toBe(false);
+        });
+        it('deduplicates basenames with suffix', () => {
+            const mounts = validateMountPaths(['/a/project', '/b/project']);
+            const containers = mounts.filter((m) => m.host.endsWith('/project')).map((m) => m.container);
+            expect(containers).toContain('/workspace/project');
+            expect(containers).toContain('/workspace/project_1');
+        });
+        it('adds ~/.skimpyclaw at /workspace/config', () => {
+            const mounts = validateMountPaths(['/home/user/project']);
+            const configMount = mounts.find((m) => m.container === '/workspace/config');
+            expect(configMount).toBeDefined();
+        });
+        it('throws on blocked paths', () => {
+            expect(() => validateMountPaths(['/home/user/.ssh'])).toThrow('Blocked path');
+        });
+        it('skips missing paths', () => {
+            mockExistsSync.mockImplementation((p) => {
+                // Only ~/.skimpyclaw exists for the auto-add
+                return typeof p === 'string' && p.includes('.skimpyclaw');
+            });
+            const mounts = validateMountPaths(['/nonexistent/path']);
+            // Should only have the auto-added config mount
+            const nonConfig = mounts.filter((m) => m.container !== '/workspace/config');
+            expect(nonConfig).toHaveLength(0);
+        });
+        it('does not duplicate ~/.skimpyclaw if already in list', () => {
+            // Simulate ~/.skimpyclaw being passed explicitly
+            const home = process.env.HOME || '/Users/katre';
+            const skDir = `${home}/.skimpyclaw`;
+            mockRealpathSync.mockImplementation((p) => p);
+            // .skimpyclaw is NOT blocked, so it should be mounted
+            // But it should not appear twice
+            const mounts = validateMountPaths([skDir]);
+            const configMounts = mounts.filter((m) => m.host === skDir);
+            expect(configMounts).toHaveLength(1);
+        });
+    });
+    describe('translatePath', () => {
+        const mounts = [
+            { host: '/Users/katre/Sites/skimpyclaw', container: '/workspace/skimpyclaw', readOnly: false },
+            { host: '/Users/katre/.skimpyclaw', container: '/workspace/config', readOnly: false },
+        ];
+        it('translates host path to container path', () => {
+            expect(translatePath('/Users/katre/Sites/skimpyclaw/src/index.ts', mounts))
+                .toBe('/workspace/skimpyclaw/src/index.ts');
+        });
+        it('translates exact mount root', () => {
+            expect(translatePath('/Users/katre/Sites/skimpyclaw', mounts))
+                .toBe('/workspace/skimpyclaw');
+        });
+        it('translates config path', () => {
+            expect(translatePath('/Users/katre/.skimpyclaw/config.json', mounts))
+                .toBe('/workspace/config/config.json');
+        });
+        it('translates /Users path to /System/Volumes/Data mount on macOS', () => {
+            const macMounts = [
+                { host: '/System/Volumes/Data/Users/katre/.skimpyclaw', container: '/workspace/config', readOnly: false },
+            ];
+            expect(translatePath('/Users/katre/.skimpyclaw/state/japan-flight-watch.json', macMounts))
+                .toBe('/workspace/config/state/japan-flight-watch.json');
+        });
+        it('returns original path if no mount matches', () => {
+            expect(translatePath('/tmp/random/file', mounts)).toBe('/tmp/random/file');
+        });
+        it('matches most specific mount first', () => {
+            const nestedMounts = [
+                { host: '/Users/katre', container: '/workspace/home', readOnly: false },
+                { host: '/Users/katre/Sites/skimpyclaw', container: '/workspace/skimpyclaw', readOnly: false },
+            ];
+            expect(translatePath('/Users/katre/Sites/skimpyclaw/src/file.ts', nestedMounts))
+                .toBe('/workspace/skimpyclaw/src/file.ts');
+        });
+    });
+});

package/dist/__tests__/sandbox-runtime.test.d.ts

@@ -0,0 +1 @@
+export {};