skimpyclaw 0.3.14 → 0.4.0

package/dist/__tests__/sandbox-manager.test.js

@@ -1,144 +0,0 @@
-import { describe, it, expect, vi, beforeEach } from 'vitest';
-const { mockCreateContainer, mockRemoveContainer, mockIsContainerRunning, mockValidateMountPaths, } = vi.hoisted(() => ({
-    mockCreateContainer: vi.fn(),
-    mockRemoveContainer: vi.fn(),
-    mockIsContainerRunning: vi.fn(),
-    mockValidateMountPaths: vi.fn(),
-}));
-vi.mock('../sandbox/runtime.js', () => ({
-    createContainer: mockCreateContainer,
-    removeContainer: mockRemoveContainer,
-    isContainerRunning: mockIsContainerRunning,
-}));
-vi.mock('../sandbox/mount-security.js', () => ({
-    validateMountPaths: mockValidateMountPaths,
-}));
-import { ensureContainer, releaseContainer, pruneIdle, releaseAll, resetForTesting, SANDBOX_DEFAULTS, } from '../sandbox/manager.js';
-const testConfig = { ...SANDBOX_DEFAULTS, enabled: true };
-describe('sandbox/manager', () => {
-    beforeEach(() => {
-        resetForTesting();
-        vi.clearAllMocks();
-        mockValidateMountPaths.mockReturnValue([
-            { host: '/home/user/project', container: '/workspace/project', readOnly: false },
-        ]);
-        mockCreateContainer.mockResolvedValue(undefined);
-        mockRemoveContainer.mockResolvedValue(undefined);
-    });
-    describe('ensureContainer', () => {
-        it('creates container on first call', async () => {
-            const name = await ensureContainer('sess1', testConfig, ['/home/user/project']);
-            expect(name).toBe('skimpyclaw-sbx-sess1');
-            expect(mockCreateContainer).toHaveBeenCalledTimes(1);
-        });
-        it('reuses on second call if running', async () => {
-            mockIsContainerRunning
-                .mockResolvedValueOnce(false)
-                .mockResolvedValueOnce(true);
-            await ensureContainer('sess1', testConfig, ['/p']);
-            const name = await ensureContainer('sess1', testConfig, ['/p']);
-            expect(name).toBe('skimpyclaw-sbx-sess1');
-            expect(mockCreateContainer).toHaveBeenCalledTimes(1); // only first call
-        });
-        it('recreates if container died', async () => {
-            mockIsContainerRunning.mockResolvedValue(false);
-            await ensureContainer('sess1', testConfig, ['/p']);
-            // Second call — container exists in map but isContainerRunning returns false
-            await ensureContainer('sess1', testConfig, ['/p']);
-            expect(mockCreateContainer).toHaveBeenCalledTimes(2);
-        });
-        it('adopts existing running container after process restart', async () => {
-            mockIsContainerRunning.mockResolvedValue(true);
-            const name = await ensureContainer('default', testConfig, ['/p']);
-            expect(name).toBe('skimpyclaw-sbx-default');
-            expect(mockCreateContainer).not.toHaveBeenCalled();
-            expect(mockRemoveContainer).not.toHaveBeenCalled();
-        });
-        it('removes stale named container before creating', async () => {
-            mockIsContainerRunning.mockResolvedValue(false);
-            const name = await ensureContainer('default', testConfig, ['/p']);
-            expect(name).toBe('skimpyclaw-sbx-default');
-            expect(mockRemoveContainer).toHaveBeenCalledWith('skimpyclaw-sbx-default');
-            expect(mockCreateContainer).toHaveBeenCalledTimes(1);
-        });
-        it('expands ${VAR} references in env from process.env', async () => {
-            process.env.MY_SECRET = 'hunter2';
-            try {
-                const configWithEnv = {
-                    ...testConfig,
-                    env: { TOKEN: '${MY_SECRET}', PLAIN: 'literal' },
-                };
-                await ensureContainer('env-test', configWithEnv, ['/p']);
-                const opts = mockCreateContainer.mock.calls[0][1];
-                expect(opts.env).toEqual({ TOKEN: 'hunter2', PLAIN: 'literal' });
-            }
-            finally {
-                delete process.env.MY_SECRET;
-            }
-        });
-        it('expands unset ${VAR} to empty string', async () => {
-            delete process.env.NONEXISTENT_VAR_XYZ;
-            const configWithEnv = {
-                ...testConfig,
-                env: { VAL: '${NONEXISTENT_VAR_XYZ}' },
-            };
-            await ensureContainer('env-test2', configWithEnv, ['/p']);
-            const opts = mockCreateContainer.mock.calls[0][1];
-            expect(opts.env).toEqual({ VAL: '' });
-        });
-    });
-    describe('releaseContainer', () => {
-        it('removes container and clears from map', async () => {
-            await ensureContainer('sess1', testConfig, ['/p']);
-            await releaseContainer('sess1');
-            expect(mockRemoveContainer).toHaveBeenCalledWith('skimpyclaw-sbx-sess1');
-            // Next ensureContainer should create fresh
-            await ensureContainer('sess1', testConfig, ['/p']);
-            expect(mockCreateContainer).toHaveBeenCalledTimes(2);
-        });
-        it('no-ops for unknown session', async () => {
-            await expect(releaseContainer('unknown')).resolves.toBeUndefined();
-            expect(mockRemoveContainer).not.toHaveBeenCalled();
-        });
-    });
-    describe('pruneIdle', () => {
-        it('removes containers older than threshold', async () => {
-            vi.useFakeTimers();
-            try {
-                await ensureContainer('old', testConfig, ['/p']);
-                // Advance time by 10 seconds so the container is idle
-                vi.advanceTimersByTime(10_000);
-                const pruned = await pruneIdle(5_000);
-                expect(pruned).toBe(1);
-                expect(mockRemoveContainer).toHaveBeenCalledWith('skimpyclaw-sbx-old');
-            }
-            finally {
-                vi.useRealTimers();
-            }
-        });
-        it('keeps recent containers', async () => {
-            await ensureContainer('new', testConfig, ['/p']);
-            const pruned = await pruneIdle(60_000);
-            expect(pruned).toBe(0);
-        });
-    });
-    describe('releaseAll', () => {
-        it('removes all containers', async () => {
-            mockIsContainerRunning.mockResolvedValue(true);
-            await ensureContainer('a', testConfig, ['/p']);
-            await ensureContainer('b', testConfig, ['/p']);
-            await releaseAll();
-            expect(mockRemoveContainer).toHaveBeenCalledTimes(2);
-        });
-    });
-    describe('resetForTesting', () => {
-        it('clears state without removing containers', async () => {
-            mockIsContainerRunning.mockResolvedValue(false);
-            await ensureContainer('x', testConfig, ['/p']);
-            resetForTesting();
-            // Next call should create fresh (map is empty)
-            await ensureContainer('x', testConfig, ['/p']);
-            expect(mockCreateContainer).toHaveBeenCalledTimes(2);
-        });
-    });
-});

package/dist/__tests__/sandbox-mount-security.test.js

@@ -1,139 +0,0 @@
-import { describe, it, expect, vi, beforeEach } from 'vitest';
-vi.mock('fs', async () => {
-    const actual = await vi.importActual('fs');
-    return {
-        ...actual,
-        existsSync: vi.fn(),
-        realpathSync: vi.fn(),
-    };
-});
-import { existsSync, realpathSync } from 'fs';
-import { isBlockedPath, validateMountPaths, translatePath } from '../sandbox/mount-security.js';
-const mockExistsSync = existsSync;
-const mockRealpathSync = realpathSync;
-describe('sandbox/mount-security', () => {
-    beforeEach(() => {
-        vi.clearAllMocks();
-    });
-    describe('isBlockedPath', () => {
-        it('blocks .ssh', () => {
-            expect(isBlockedPath('/home/user/.ssh')).toBe(true);
-            expect(isBlockedPath('/home/user/.ssh/id_rsa')).toBe(true);
-        });
-        it('blocks .gnupg', () => {
-            expect(isBlockedPath('/home/user/.gnupg')).toBe(true);
-        });
-        it('blocks .aws', () => {
-            expect(isBlockedPath('/home/user/.aws')).toBe(true);
-        });
-        it('blocks credentials', () => {
-            expect(isBlockedPath('/some/path/credentials')).toBe(true);
-        });
-        it('blocks .env', () => {
-            expect(isBlockedPath('/project/.env')).toBe(true);
-        });
-        it('blocks .kube', () => {
-            expect(isBlockedPath('/home/user/.kube/config')).toBe(true);
-        });
-        it('blocks .docker/config.json compound pattern', () => {
-            expect(isBlockedPath('/home/user/.docker/config.json')).toBe(true);
-        });
-        it('allows normal paths', () => {
-            expect(isBlockedPath('/home/user/project')).toBe(false);
-            expect(isBlockedPath('/workspace/src/index.ts')).toBe(false);
-            expect(isBlockedPath('/tmp/test')).toBe(false);
-        });
-    });
-    describe('validateMountPaths', () => {
-        beforeEach(() => {
-            mockExistsSync.mockReturnValue(true);
-            mockRealpathSync.mockImplementation((p) => p);
-        });
-        it('maps to /workspace/<basename>', () => {
-            const mounts = validateMountPaths(['/home/user/myproject']);
-            const projectMount = mounts.find((m) => m.host === '/home/user/myproject');
-            expect(projectMount).toBeDefined();
-            expect(projectMount.container).toBe('/workspace/myproject');
-            expect(projectMount.readOnly).toBe(false);
-        });
-        it('deduplicates basenames with suffix', () => {
-            const mounts = validateMountPaths(['/a/project', '/b/project']);
-            const containers = mounts.filter((m) => m.host.endsWith('/project')).map((m) => m.container);
-            expect(containers).toContain('/workspace/project');
-            expect(containers).toContain('/workspace/project_1');
-        });
-        it('adds ~/.skimpyclaw at /workspace/config', () => {
-            const mounts = validateMountPaths(['/home/user/project']);
-            const configMount = mounts.find((m) => m.container === '/workspace/config');
-            expect(configMount).toBeDefined();
-        });
-        it('throws on blocked paths', () => {
-            expect(() => validateMountPaths(['/home/user/.ssh'])).toThrow('Blocked path');
-        });
-        it('skips missing paths', () => {
-            mockExistsSync.mockImplementation((p) => {
-                // Only ~/.skimpyclaw exists for the auto-add
-                return typeof p === 'string' && p.includes('.skimpyclaw');
-            });
-            const mounts = validateMountPaths(['/nonexistent/path']);
-            // Should only have the auto-added config mount
-            const nonConfig = mounts.filter((m) => m.container !== '/workspace/config');
-            expect(nonConfig).toHaveLength(0);
-        });
-        it('does not duplicate ~/.skimpyclaw if already in list', () => {
-            // Simulate ~/.skimpyclaw being passed explicitly
-            const home = process.env.HOME || '/Users/katre';
-            const skDir = `${home}/.skimpyclaw`;
-            mockRealpathSync.mockImplementation((p) => p);
-            // .skimpyclaw is NOT blocked, so it should be mounted
-            // But it should not appear twice
-            const mounts = validateMountPaths([skDir]);
-            const configMounts = mounts.filter((m) => m.host === skDir);
-            expect(configMounts).toHaveLength(1);
-        });
-    });
-    describe('translatePath', () => {
-        const mounts = [
-            { host: '/Users/katre/Sites/skimpyclaw', container: '/workspace/skimpyclaw', readOnly: false },
-            { host: '/Users/katre/.skimpyclaw', container: '/workspace/config', readOnly: false },
-        ];
-        it('translates host path to container path', () => {
-            expect(translatePath('/Users/katre/Sites/skimpyclaw/src/index.ts', mounts))
-                .toBe('/workspace/skimpyclaw/src/index.ts');
-        });
-        it('translates exact mount root', () => {
-            expect(translatePath('/Users/katre/Sites/skimpyclaw', mounts))
-                .toBe('/workspace/skimpyclaw');
-        });
-        it('translates config path', () => {
-            expect(translatePath('/Users/katre/.skimpyclaw/config.json', mounts))
-                .toBe('/workspace/config/config.json');
-        });
-        it('translates /Users path to /System/Volumes/Data mount on macOS', () => {
-            const macMounts = [
-                { host: '/System/Volumes/Data/Users/katre/.skimpyclaw', container: '/workspace/config', readOnly: false },
-            ];
-            expect(translatePath('/Users/katre/.skimpyclaw/state/japan-flight-watch.json', macMounts))
-                .toBe('/workspace/config/state/japan-flight-watch.json');
-        });
-        it('returns original path if no mount matches', () => {
-            expect(translatePath('/tmp/random/file', mounts)).toBe('/tmp/random/file');
-        });
-        it('expands ~ to home directory before matching', () => {
-            const home = process.env.HOME || '/Users/katre';
-            const homeMounts = [
-                { host: `${home}/.skimpyclaw`, container: '/workspace/config', readOnly: false },
-            ];
-            expect(translatePath('~/.skimpyclaw/agents/main/HEARTBEAT.md', homeMounts))
-                .toBe('/workspace/config/agents/main/HEARTBEAT.md');
-        });
-        it('matches most specific mount first', () => {
-            const nestedMounts = [
-                { host: '/Users/katre', container: '/workspace/home', readOnly: false },
-                { host: '/Users/katre/Sites/skimpyclaw', container: '/workspace/skimpyclaw', readOnly: false },
-            ];
-            expect(translatePath('/Users/katre/Sites/skimpyclaw/src/file.ts', nestedMounts))
-                .toBe('/workspace/skimpyclaw/src/file.ts');
-        });
-    });
-});

package/dist/__tests__/sandbox-runtime.test.js

@@ -1,176 +0,0 @@
-import { describe, it, expect, vi, beforeEach } from 'vitest';
-const { mockSpawn, mockSpawnSync } = vi.hoisted(() => ({
-    mockSpawn: vi.fn(),
-    mockSpawnSync: vi.fn().mockReturnValue({ status: 0, stdout: '', stderr: '' }),
-}));
-vi.mock('child_process', () => ({ spawn: mockSpawn, spawnSync: mockSpawnSync }));
-import { createContainer, execInContainer, removeContainer, isContainerRunning, cleanupOrphans, setRuntime, resetRuntime, probeRuntime, } from '../sandbox/runtime.js';
-function fakeChild(exitCode, stdout = '', stderr = '', opts) {
-    const stdoutCallbacks = [];
-    const stderrCallbacks = [];
-    const eventCallbacks = {};
-    const child = {
-        stdout: { on: (_e, cb) => stdoutCallbacks.push(cb) },
-        stderr: { on: (_e, cb) => stderrCallbacks.push(cb) },
-        stdin: opts?.stdinNeeded ? { write: vi.fn(), end: vi.fn() } : null,
-        on(event, cb) {
-            if (!eventCallbacks[event])
-                eventCallbacks[event] = [];
-            eventCallbacks[event].push(cb);
-            return child;
-        },
-    };
-    // Emit data and close on next tick (setTimeout ensures listeners are attached first)
-    setTimeout(() => {
-        if (stdout)
-            for (const cb of stdoutCallbacks)
-                cb(Buffer.from(stdout));
-        if (stderr)
-            for (const cb of stderrCallbacks)
-                cb(Buffer.from(stderr));
-        for (const cb of eventCallbacks['close'] ?? [])
-            cb(exitCode);
-    }, 0);
-    return child;
-}
-describe('sandbox/runtime', () => {
-    beforeEach(() => {
-        vi.clearAllMocks();
-        resetRuntime();
-        setRuntime('container'); // skip auto-detection in tests
-    });
-    describe('createContainer', () => {
-        it('builds correct docker args', async () => {
-            mockSpawn.mockReturnValue(fakeChild(0));
-            await createContainer('test-ctr', {
-                image: 'myimg',
-                cpus: 2,
-                memory: '1G',
-                network: 'none',
-                user: '501:20',
-                mounts: [{ host: '/a', container: '/b', readOnly: true }],
-            });
-            const args = mockSpawn.mock.calls[0][1];
-            expect(args).toContain('--name');
-            expect(args).toContain('test-ctr');
-            expect(args).toContain('--cpus');
-            expect(args).toContain('2');
-            expect(args).toContain('--memory');
-            expect(args).toContain('1G');
-            expect(args).toContain('--network');
-            expect(args).toContain('none');
-            expect(args).toContain('--user');
-            expect(args).toContain('501:20');
-            expect(args.some((a) => a.includes('type=bind,src=/a,dst=/b,ro'))).toBe(true);
-            expect(args).toContain('myimg');
-        });
-        it('throws on non-zero exit', async () => {
-            mockSpawn.mockReturnValue(fakeChild(1, '', 'boom'));
-            await expect(createContainer('c1', { image: 'img' })).rejects.toThrow('Failed to create container');
-        });
-    });
-    describe('execInContainer', () => {
-        it('builds sh -c command', async () => {
-            mockSpawn.mockReturnValue(fakeChild(0, 'hello'));
-            const result = await execInContainer('ctr', ['echo hello']);
-            expect(result.stdout).toBe('hello');
-            const args = mockSpawn.mock.calls[0][1];
-            expect(args).toContain('sh');
-            expect(args).toContain('-c');
-        });
-        it('handles stdin', async () => {
-            mockSpawn.mockReturnValue(fakeChild(0, '', '', { stdinNeeded: true }));
-            await execInContainer('ctr', ['cat'], { stdin: 'data' });
-            const args = mockSpawn.mock.calls[0][1];
-            expect(args).toContain('-i');
-        });
-        it('handles env vars', async () => {
-            mockSpawn.mockReturnValue(fakeChild(0));
-            await execInContainer('ctr', ['cmd'], { env: { FOO: 'bar' } });
-            const args = mockSpawn.mock.calls[0][1];
-            expect(args).toContain('-e');
-            expect(args).toContain('FOO=bar');
-        });
-    });
-    describe('removeContainer', () => {
-        it('calls stop then rm', async () => {
-            mockSpawn.mockImplementation((_cmd, args) => {
-                return fakeChild(0);
-            });
-            await removeContainer('ctr');
-            expect(mockSpawn).toHaveBeenCalledTimes(2);
-            expect(mockSpawn.mock.calls[0][1]).toContain('stop');
-            expect(mockSpawn.mock.calls[1][1]).toContain('rm');
-        }, 10_000);
-        it('does not throw on failure', async () => {
-            mockSpawn.mockImplementation(() => fakeChild(1, '', 'fail'));
-            await expect(removeContainer('ctr')).resolves.toBeUndefined();
-        }, 10_000);
-    });
-    describe('isContainerRunning', () => {
-        it('returns true when inspect shows running state', async () => {
-            mockSpawn.mockReturnValue(fakeChild(0, '{"State": {"Status": "running"}}'));
-            expect(await isContainerRunning('ctr')).toBe(true);
-        });
-        it('returns false otherwise', async () => {
-            mockSpawn.mockReturnValue(fakeChild(1));
-            expect(await isContainerRunning('ctr')).toBe(false);
-        });
-    });
-    describe('probeRuntime', () => {
-        it('returns preferred runtime when available', () => {
-            mockSpawnSync.mockReturnValue({ status: 0 });
-            expect(probeRuntime('docker')).toBe('docker');
-            expect(mockSpawnSync).toHaveBeenCalledWith('docker', ['--version'], { stdio: 'ignore' });
-        });
-        it('falls back to auto-detect when preferred is unavailable', () => {
-            mockSpawnSync.mockImplementation((cmd) => {
-                // preferred 'docker' fails, but 'container' succeeds
-                if (cmd === 'docker')
-                    return { status: 1 };
-                if (cmd === 'container')
-                    return { status: 0 };
-                return { status: 1 };
-            });
-            expect(probeRuntime('docker')).toBe('container');
-        });
-        it('returns null when no runtime is available', () => {
-            mockSpawnSync.mockReturnValue({ status: 1 });
-            expect(probeRuntime('docker')).toBeNull();
-        });
-        it('auto-detects without preferred runtime', () => {
-            mockSpawnSync.mockImplementation((cmd) => {
-                if (cmd === 'container')
-                    return { status: 0 };
-                return { status: 1 };
-            });
-            expect(probeRuntime()).toBe('container');
-        });
-        it('prefers container over docker in auto-detect', () => {
-            mockSpawnSync.mockReturnValue({ status: 0 });
-            expect(probeRuntime()).toBe('container');
-            // First call should be to 'container'
-            expect(mockSpawnSync.mock.calls[0][0]).toBe('container');
-        });
-    });
-    describe('cleanupOrphans', () => {
-        it('lists containers, filters by prefix, removes matches', async () => {
-            let callCount = 0;
-            mockSpawn.mockImplementation(() => {
-                callCount++;
-                if (callCount === 1) {
-                    // ps call
-                    return fakeChild(0, 'skimpyclaw-sbx-abc\nother-ctr\nskimpyclaw-sbx-def\n');
-                }
-                // stop/rm calls
-                return fakeChild(0);
-            });
-            const count = await cleanupOrphans();
-            expect(count).toBe(2);
-        });
-        it('returns 0 on ps failure', async () => {
-            mockSpawn.mockImplementation(() => fakeChild(1));
-            expect(await cleanupOrphans()).toBe(0);
-        });
-    });
-});