code-review-forge 2.0.0a1__py3-none-any.whl

code_forge/skills/smoke-test/test-library/shell/primitives.sh

@@ -0,0 +1,352 @@
+#!/bin/bash
+# smoke-test primitives  --  reusable assertion functions for shell scripts
+# Source this file: source ~/.claude/skills/smoke-test/test-library/shell/primitives.sh
+
+# ============================================================
+# Helper: run_and_capture  --  execute command, capture stdout/stderr
+# ============================================================
+run_and_capture() {
+    SMOKE_LAST_STDOUT=$(mktemp /tmp/smoke-fw-stdout.XXXXXX)
+    export SMOKE_LAST_STDOUT
+    SMOKE_LAST_STDERR=$(mktemp /tmp/smoke-fw-stderr.XXXXXX)
+    export SMOKE_LAST_STDERR
+    "$@" > "$SMOKE_LAST_STDOUT" 2> "$SMOKE_LAST_STDERR"
+    SMOKE_LAST_STATUS=$?
+    export SMOKE_LAST_STATUS
+    return $SMOKE_LAST_STATUS
+}
+
+# ============================================================
+# Helper: run_concurrent  --  launch N background instances
+# ============================================================
+run_concurrent() {
+    CONCURRENT_PIDS=()
+    CONCURRENT_RESULT_DIR=$(mktemp -d /tmp/smoke-fw-concurrent.XXXXXX)
+    export CONCURRENT_RESULT_DIR
+    local n=$1; shift
+    for ((i=0; i<n; i++)); do
+        (
+            run_and_capture "$@"
+            cp "$SMOKE_LAST_STDOUT" "$CONCURRENT_RESULT_DIR/$i.out"
+            cp "$SMOKE_LAST_STDERR" "$CONCURRENT_RESULT_DIR/$i.err"
+            echo "$SMOKE_LAST_STATUS" > "$CONCURRENT_RESULT_DIR/$i.status"
+        ) &
+        CONCURRENT_PIDS+=($!)
+    done
+}
+
+# ============================================================
+# Helper: concurrent_wait  --  reap all background instances
+# ============================================================
+concurrent_wait() {
+    local failed=0
+    for pid in "${CONCURRENT_PIDS[@]}"; do
+        wait "$pid" || failed=1
+    done
+    return $failed
+}
+
+# ============================================================
+# Shared: dump SMOKE_LAST_* debug context on FAIL
+# ============================================================
+_smoke_dump_context() {
+    if [[ -n "$SMOKE_LAST_STDOUT" && -f "$SMOKE_LAST_STDOUT" ]]; then
+        echo "  stdout: $(head -5 "$SMOKE_LAST_STDOUT" | sed 's/sk-[A-Za-z0-9]\{20,\}/\*\*\*/g')"
+    fi
+    if [[ -n "$SMOKE_LAST_STDERR" && -f "$SMOKE_LAST_STDERR" ]]; then
+        echo "  stderr: $(head -5 "$SMOKE_LAST_STDERR" | sed 's/sk-[A-Za-z0-9]\{20,\}/\*\*\*/g')"
+    fi
+}
+
+# ============================================================
+# Execution primitives
+# ============================================================
+
+assert_success() {
+    local status=$1
+    local description=${2:-"<command>"}
+    if [[ $status -eq 0 ]]; then
+        echo "PASS: assert_success $description"
+        return 0
+    else
+        echo "FAIL: assert_success $description -- expected 0, got $status"
+        _smoke_dump_context
+        return 1
+    fi
+}
+
+assert_failure() {
+    local status=$1
+    local description=${2:-"<command>"}
+    if [[ $status -ne 0 ]]; then
+        echo "PASS: assert_failure $description"
+        return 0
+    else
+        echo "FAIL: assert_failure $description -- expected non-zero, got 0"
+        _smoke_dump_context
+        return 1
+    fi
+}
+
+assert_exit_code() {
+    local expected=$1
+    local actual=$2
+    local description=${3:-"<command>"}
+    if [[ $actual -eq $expected ]]; then
+        echo "PASS: assert_exit_code $expected $description"
+        return 0
+    else
+        echo "FAIL: assert_exit_code $expected $description -- expected $expected, got $actual"
+        _smoke_dump_context
+        return 1
+    fi
+}
+
+# ============================================================
+# Output primitives
+# ============================================================
+
+assert_output_contains() {
+    local output=$1
+    local pattern=$2
+    local description=${3:-"output"}
+    if echo "$output" | grep -qF "$pattern" 2>/dev/null; then
+        echo "PASS: assert_output_contains '$pattern' $description"
+        return 0
+    else
+        echo "FAIL: assert_output_contains '$pattern' $description -- pattern not found"
+        echo "  actual output: $(echo "$output" | head -3)"
+        return 1
+    fi
+}
+
+assert_output_not_contains() {
+    local output=$1
+    local pattern=$2
+    local description=${3:-"output"}
+    if echo "$output" | grep -qF "$pattern" 2>/dev/null; then
+        echo "FAIL: assert_output_not_contains '$pattern' $description -- pattern found"
+        echo "  matched line: $(echo "$output" | grep -F "$pattern" | head -1)"
+        return 1
+    else
+        echo "PASS: assert_output_not_contains '$pattern' $description"
+        return 0
+    fi
+}
+
+assert_stderr_empty() {
+    local description=${1:-"stderr"}
+    if [[ -n "$SMOKE_LAST_STDERR" && -f "$SMOKE_LAST_STDERR" && -s "$SMOKE_LAST_STDERR" ]]; then
+        echo "FAIL: assert_stderr_empty $description -- stderr not empty"
+        echo "  stderr: $(head -3 "$SMOKE_LAST_STDERR")"
+        return 1
+    else
+        echo "PASS: assert_stderr_empty $description"
+        return 0
+    fi
+}
+
+assert_stderr_contains() {
+    local stderr_output=$1
+    local pattern=$2
+    local description=${3:-"stderr"}
+    if echo "$stderr_output" | grep -qF "$pattern" 2>/dev/null; then
+        echo "PASS: assert_stderr_contains '$pattern' $description"
+        return 0
+    else
+        echo "FAIL: assert_stderr_contains '$pattern' $description -- pattern not found in stderr"
+        echo "  actual stderr: $(echo "$stderr_output" | head -3)"
+        return 1
+    fi
+}
+
+# ============================================================
+# File/State primitives
+# ============================================================
+
+assert_file_exists() {
+    local file=$1
+    local description=${2:-"$file"}
+    if [[ -f "$file" ]]; then
+        echo "PASS: assert_file_exists $description"
+        return 0
+    else
+        echo "FAIL: assert_file_exists $description -- file not found"
+        return 1
+    fi
+}
+
+assert_file_not_exists() {
+    local file=$1
+    local description=${2:-"$file"}
+    if [[ ! -f "$file" ]]; then
+        echo "PASS: assert_file_not_exists $description"
+        return 0
+    else
+        echo "FAIL: assert_file_not_exists $description -- file exists"
+        return 1
+    fi
+}
+
+assert_file_contains() {
+    local file=$1
+    local pattern=$2
+    local description=${3:-"$file"}
+    if [[ -f "$file" ]] && grep -qF "$pattern" "$file" 2>/dev/null; then
+        echo "PASS: assert_file_contains '$pattern' $description"
+        return 0
+    else
+        echo "FAIL: assert_file_contains '$pattern' $description -- pattern not found in file"
+        return 1
+    fi
+}
+
+# ============================================================
+# Security primitives
+# ============================================================
+
+assert_no_command_exec() {
+    local input=$1
+    local context=${2:-"input"}
+    local failed=0
+    # shellcheck disable=SC2016  # $(), backticks, <() are literal patterns
+    if echo "$input" | grep -qE '\$\(.*\)|`[^`]+`|<\(' 2>/dev/null; then
+        echo "FAIL: assert_no_command_exec $context -- command execution/substitution detected in: '$input'"
+        failed=1
+    fi
+    if echo "$input" | grep -qE '[;&|]' 2>/dev/null; then
+        echo "FAIL: assert_no_command_exec $context -- command chaining/pipe detected in: '$input'"
+        failed=1
+    fi
+    [[ $failed -eq 0 ]] && echo "PASS: assert_no_command_exec $context"
+    return $failed
+}
+
+# JSON/URL-safe variant: only checks command execution/substitution, skips ;&|
+# Use when input legitimately contains & (query strings) or | (regex)
+assert_no_command_exec_json() {
+    local input=$1
+    local context=${2:-"input"}
+    # shellcheck disable=SC2016  # $(), backticks, <() are literal patterns
+    if echo "$input" | grep -qE '\$\(.*\)|`[^`]+`|<\(' 2>/dev/null; then
+        echo "FAIL: assert_no_command_exec_json $context -- command execution/substitution detected in: '$input'"
+        return 1
+    fi
+    echo "PASS: assert_no_command_exec_json $context"
+    return 0
+}
+
+assert_no_path_traversal() {
+    local input=$1
+    local context=${2:-"path"}
+    local failed=0
+    if echo "$input" | grep -qE '\.\.[/\\]' 2>/dev/null; then
+        echo "FAIL: assert_no_path_traversal $context -- path traversal detected in: '$input'"
+        failed=1
+    fi
+    if echo "$input" | grep -qiE '%2e%2e[%/]' 2>/dev/null; then
+        echo "FAIL: assert_no_path_traversal $context -- encoded path traversal in: '$input'"
+        failed=1
+    fi
+    [[ $failed -eq 0 ]] && echo "PASS: assert_no_path_traversal $context"
+    return $failed
+}
+
+# ============================================================
+# Process primitives
+# ============================================================
+
+assert_no_zombie() {
+    local root_pid=${1:-$$}
+    local description=${2:-"process tree"}
+    local max_depth=${3:-100}
+    local zombies=0
+    _smoke_scan_children() {
+        local ppid=$1
+        local depth=${2:-0}
+        if (( depth > max_depth )); then
+            echo "  WARNING: max depth $max_depth reached at PID=$ppid"
+            return 0
+        fi
+        local children_file="/proc/$ppid/task/$ppid/children"
+        [[ -f "$children_file" ]] || return 0
+        local child
+        # shellcheck disable=SC2013  # children file is space-separated PIDs
+        for child in $(cat "$children_file" 2>/dev/null); do
+            local stat="/proc/$child/stat"
+            local raw
+            raw=$(cat "$stat" 2>/dev/null) || continue
+            local after_comm="${raw#*) }"
+            local state="${after_comm%% *}"
+            if [[ "$state" == "Z" ]]; then
+                ((zombies++))
+                echo "  ZOMBIE: PID=$child"
+            fi
+            _smoke_scan_children "$child" $((depth + 1))
+        done
+    }
+    _smoke_scan_children "$root_pid" 0
+    if [[ $zombies -eq 0 ]]; then
+        echo "PASS: assert_no_zombie $description"
+        return 0
+    else
+        echo "FAIL: assert_no_zombie $description -- $zombies zombie process(es) in tree"
+        return 1
+    fi
+}
+
+assert_temp_clean() {
+    local pattern=${1:-"/tmp/smoke-test-*"}
+    local description=${2:-"temp files"}
+    local leftovers
+    leftovers=$(find /tmp -name "$(basename "$pattern")" \
+        -newer /proc/$$/cmdline 2>/dev/null | wc -l)
+    if [[ $leftovers -eq 0 ]]; then
+        echo "PASS: assert_temp_clean $description"
+        return 0
+    else
+        echo "FAIL: assert_temp_clean $description -- $leftovers leftover file(s)"
+        find /tmp -name "$(basename "$pattern")" \
+            -newer /proc/$$/cmdline 2>/dev/null | head -5
+        return 1
+    fi
+}
+
+# ============================================================
+# Data primitives
+# ============================================================
+
+assert_json_valid() {
+    local file_or_str=$1
+    local description=${2:-"json"}
+    local schema=${3:-}
+    if ! command -v jq &>/dev/null; then
+        echo "SKIP: assert_json_valid $description -- jq not installed"
+        return 0
+    fi
+    if [[ -f "$file_or_str" ]]; then
+        jq empty "$file_or_str" 2>/dev/null || {
+            echo "FAIL: assert_json_valid $description -- invalid JSON syntax"
+            return 1
+        }
+        if [[ -n "$schema" ]]; then
+            jq -e "$schema" "$file_or_str" >/dev/null 2>&1 || {
+                echo "FAIL: assert_json_valid $description -- schema mismatch: $schema"
+                return 1
+            }
+        fi
+    else
+        echo "$file_or_str" | jq empty 2>/dev/null || {
+            echo "FAIL: assert_json_valid $description -- invalid JSON syntax"
+            return 1
+        }
+        if [[ -n "$schema" ]]; then
+            echo "$file_or_str" | jq -e "$schema" >/dev/null 2>&1 || {
+                echo "FAIL: assert_json_valid $description -- schema mismatch: $schema"
+                return 1
+            }
+        fi
+    fi
+    echo "PASS: assert_json_valid $description"
+    return 0
+}

code_forge/skills/smoke-test/test-library/shell/primitives_test.sh

@@ -0,0 +1,324 @@
+#!/bin/bash
+# Self-tests for smoke-test primitives
+# Each primitive gets one positive and one negative test case
+
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+source "$SCRIPT_DIR/primitives.sh"
+PASS_COUNT=0; FAIL_COUNT=0
+
+# ============================================================
+# Execution primitives
+# ============================================================
+
+test_assert_success() {
+    local result
+    result=$(assert_success 0 "positive")
+    [[ "$result" == PASS:* ]] || { ((FAIL_COUNT++)); echo "FAIL: assert_success positive"; return 1; }
+    ((PASS_COUNT++))
+    result=$(assert_success 1 "negative")
+    [[ "$result" == FAIL:* ]] || { ((FAIL_COUNT++)); echo "FAIL: assert_success negative"; return 1; }
+    ((PASS_COUNT++))
+}
+
+test_assert_failure() {
+    local result
+    result=$(assert_failure 1 "positive")
+    [[ "$result" == PASS:* ]] || { ((FAIL_COUNT++)); echo "FAIL: assert_failure positive"; return 1; }
+    ((PASS_COUNT++))
+    result=$(assert_failure 0 "negative")
+    [[ "$result" == FAIL:* ]] || { ((FAIL_COUNT++)); echo "FAIL: assert_failure negative"; return 1; }
+    ((PASS_COUNT++))
+}
+
+test_assert_exit_code() {
+    local result
+    result=$(assert_exit_code 2 2 "positive")
+    [[ "$result" == PASS:* ]] || { ((FAIL_COUNT++)); echo "FAIL: assert_exit_code positive"; return 1; }
+    ((PASS_COUNT++))
+    result=$(assert_exit_code 2 0 "negative")
+    [[ "$result" == FAIL:* ]] || { ((FAIL_COUNT++)); echo "FAIL: assert_exit_code negative"; return 1; }
+    ((PASS_COUNT++))
+}
+
+# ============================================================
+# Output primitives
+# ============================================================
+
+test_assert_output_contains() {
+    local result
+    result=$(assert_output_contains "hello world" "world" "positive")
+    [[ "$result" == PASS:* ]] || { ((FAIL_COUNT++)); echo "FAIL: assert_output_contains positive"; return 1; }
+    ((PASS_COUNT++))
+    result=$(assert_output_contains "hello world" "xyz" "negative")
+    [[ "$result" == FAIL:* ]] || { ((FAIL_COUNT++)); echo "FAIL: assert_output_contains negative"; return 1; }
+    ((PASS_COUNT++))
+}
+
+test_assert_output_not_contains() {
+    local result
+    result=$(assert_output_not_contains "hello world" "xyz" "positive")
+    [[ "$result" == PASS:* ]] || { ((FAIL_COUNT++)); echo "FAIL: assert_output_not_contains positive"; return 1; }
+    ((PASS_COUNT++))
+    result=$(assert_output_not_contains "hello world" "world" "negative")
+    [[ "$result" == FAIL:* ]] || { ((FAIL_COUNT++)); echo "FAIL: assert_output_not_contains negative"; return 1; }
+    ((PASS_COUNT++))
+}
+
+test_assert_stderr_empty() {
+    local result
+    # Simulate empty stderr
+    SMOKE_LAST_STDERR=$(mktemp /tmp/smoke-test-stderr-empty.XXXXXX)
+    result=$(assert_stderr_empty "positive")
+    rm -f "$SMOKE_LAST_STDERR"
+    [[ "$result" == PASS:* ]] || { ((FAIL_COUNT++)); echo "FAIL: assert_stderr_empty positive"; return 1; }
+    ((PASS_COUNT++))
+    # Simulate non-empty stderr
+    SMOKE_LAST_STDERR=$(mktemp /tmp/smoke-test-stderr-nonempty.XXXXXX)
+    echo "some error" > "$SMOKE_LAST_STDERR"
+    result=$(assert_stderr_empty "negative")
+    rm -f "$SMOKE_LAST_STDERR"
+    [[ "$result" == FAIL:* ]] || { ((FAIL_COUNT++)); echo "FAIL: assert_stderr_empty negative"; return 1; }
+    ((PASS_COUNT++))
+}
+
+test_assert_stderr_contains() {
+    local result
+    result=$(assert_stderr_contains "error: invalid" "error" "positive")
+    [[ "$result" == PASS:* ]] || { ((FAIL_COUNT++)); echo "FAIL: assert_stderr_contains positive"; return 1; }
+    ((PASS_COUNT++))
+    result=$(assert_stderr_contains "error: invalid" "success" "negative")
+    [[ "$result" == FAIL:* ]] || { ((FAIL_COUNT++)); echo "FAIL: assert_stderr_contains negative"; return 1; }
+    ((PASS_COUNT++))
+}
+
+# ============================================================
+# File/State primitives
+# ============================================================
+
+test_assert_file_exists() {
+    local result
+    local tmpf=$(mktemp /tmp/smoke-test-file-exists.XXXXXX)
+    result=$(assert_file_exists "$tmpf" "positive")
+    rm -f "$tmpf"
+    [[ "$result" == PASS:* ]] || { ((FAIL_COUNT++)); echo "FAIL: assert_file_exists positive"; return 1; }
+    ((PASS_COUNT++))
+    result=$(assert_file_exists "/tmp/__nonexistent_file__test__" "negative")
+    [[ "$result" == FAIL:* ]] || { ((FAIL_COUNT++)); echo "FAIL: assert_file_exists negative"; return 1; }
+    ((PASS_COUNT++))
+}
+
+test_assert_file_not_exists() {
+    local result
+    result=$(assert_file_not_exists "/tmp/__nonexistent_file__test__" "positive")
+    [[ "$result" == PASS:* ]] || { ((FAIL_COUNT++)); echo "FAIL: assert_file_not_exists positive"; return 1; }
+    ((PASS_COUNT++))
+    local tmpf=$(mktemp /tmp/smoke-test-file-notexists.XXXXXX)
+    result=$(assert_file_not_exists "$tmpf" "negative")
+    rm -f "$tmpf"
+    [[ "$result" == FAIL:* ]] || { ((FAIL_COUNT++)); echo "FAIL: assert_file_not_exists negative"; return 1; }
+    ((PASS_COUNT++))
+}
+
+test_assert_file_contains() {
+    local result
+    local tmpf=$(mktemp /tmp/smoke-test-file-contains.XXXXXX)
+    echo "hello world" > "$tmpf"
+    result=$(assert_file_contains "$tmpf" "hello" "positive")
+    rm -f "$tmpf"
+    [[ "$result" == PASS:* ]] || { ((FAIL_COUNT++)); echo "FAIL: assert_file_contains positive"; return 1; }
+    ((PASS_COUNT++))
+    tmpf=$(mktemp /tmp/smoke-test-file-contains.XXXXXX)
+    echo "hello world" > "$tmpf"
+    result=$(assert_file_contains "$tmpf" "xyz" "negative")
+    rm -f "$tmpf"
+    [[ "$result" == FAIL:* ]] || { ((FAIL_COUNT++)); echo "FAIL: assert_file_contains negative"; return 1; }
+    ((PASS_COUNT++))
+}
+
+# ============================================================
+# Security primitives
+# ============================================================
+
+test_assert_no_command_exec() {
+    local result
+    result=$(assert_no_command_exec "normal input" "positive")
+    [[ "$result" == PASS:* ]] || { ((FAIL_COUNT++)); echo "FAIL: assert_no_command_exec positive"; return 1; }
+    ((PASS_COUNT++))
+    result=$(assert_no_command_exec '$(id)' "negative")
+    [[ "$result" == FAIL:* ]] || { ((FAIL_COUNT++)); echo "FAIL: assert_no_command_exec negative(sub)"; return 1; }
+    ((PASS_COUNT++))
+    result=$(assert_no_command_exec '; rm -rf /' "negative")
+    [[ "$result" == FAIL:* ]] || { ((FAIL_COUNT++)); echo "FAIL: assert_no_command_exec negative(chain)"; return 1; }
+    ((PASS_COUNT++))
+    result=$(assert_no_command_exec '<(cat /etc/passwd)' "negative-procsub")
+    [[ "$result" == FAIL:* ]] || { ((FAIL_COUNT++)); echo "FAIL: assert_no_command_exec negative(procsub)"; return 1; }
+    ((PASS_COUNT++))
+}
+
+test_assert_no_command_exec_json() {
+    local result
+    # Positive: safe inputs (including URL query strings and regex patterns)
+    result=$(assert_no_command_exec_json "normal input" "positive")
+    [[ "$result" == PASS:* ]] || { ((FAIL_COUNT++)); echo "FAIL: assert_no_command_exec_json positive"; return 1; }
+    ((PASS_COUNT++))
+    result=$(assert_no_command_exec_json "key=value&foo=bar" "positive-url")
+    [[ "$result" == PASS:* ]] || { ((FAIL_COUNT++)); echo "FAIL: assert_no_command_exec_json positive(url)"; return 1; }
+    ((PASS_COUNT++))
+    result=$(assert_no_command_exec_json "error|warn|info" "positive-regex")
+    [[ "$result" == PASS:* ]] || { ((FAIL_COUNT++)); echo "FAIL: assert_no_command_exec_json positive(regex)"; return 1; }
+    ((PASS_COUNT++))
+    # Negative: command substitution still detected
+    result=$(assert_no_command_exec_json '$(id)' "negative-sub")
+    [[ "$result" == FAIL:* ]] || { ((FAIL_COUNT++)); echo "FAIL: assert_no_command_exec_json negative(sub)"; return 1; }
+    ((PASS_COUNT++))
+    result=$(assert_no_command_exec_json '`whoami`' "negative-backtick")
+    [[ "$result" == FAIL:* ]] || { ((FAIL_COUNT++)); echo "FAIL: assert_no_command_exec_json negative(backtick)"; return 1; }
+    ((PASS_COUNT++))
+    # Negative: ; and | are allowed  --  should PASS (not FAIL)
+    result=$(assert_no_command_exec_json '; rm -rf /' "negative-chain-allowed")
+    [[ "$result" == PASS:* ]] || { ((FAIL_COUNT++)); echo "FAIL: assert_no_command_exec_json negative(chain should pass)"; return 1; }
+    ((PASS_COUNT++))
+    # Negative: process substitution detected
+    result=$(assert_no_command_exec_json '<(id)' "negative-procsub")
+    [[ "$result" == FAIL:* ]] || { ((FAIL_COUNT++)); echo "FAIL: assert_no_command_exec_json negative(procsub)"; return 1; }
+    ((PASS_COUNT++))
+}
+
+test_assert_no_path_traversal() {
+    local result
+    result=$(assert_no_path_traversal "config.json" "positive")
+    [[ "$result" == PASS:* ]] || { ((FAIL_COUNT++)); echo "FAIL: assert_no_path_traversal positive"; return 1; }
+    ((PASS_COUNT++))
+    result=$(assert_no_path_traversal "../../etc/passwd" "negative")
+    [[ "$result" == FAIL:* ]] || { ((FAIL_COUNT++)); echo "FAIL: assert_no_path_traversal negative"; return 1; }
+    ((PASS_COUNT++))
+    result=$(assert_no_path_traversal '%2e%2e%2fetc%2fpasswd' "negative-encoded")
+    [[ "$result" == FAIL:* ]] || { ((FAIL_COUNT++)); echo "FAIL: assert_no_path_traversal negative(encoded)"; return 1; }
+    ((PASS_COUNT++))
+}
+
+# ============================================================
+# Process primitives
+# ============================================================
+
+test_assert_no_zombie() {
+    local result
+    # Positive: normal child exit + wait -> no zombie
+    ( true ) & wait $! 2>/dev/null
+    result=$(assert_no_zombie $$ "clean tree")
+    [[ "$result" == PASS:* ]] || { ((FAIL_COUNT++)); echo "FAIL: assert_no_zombie positive"; return 1; }
+    ((PASS_COUNT++))
+    # Negative: double-fork to create a grandchild zombie (depth 2)
+    (
+        ( sleep 0.05; exit 0 ) &
+        sleep 0.3
+    ) & local child=$!
+    sleep 0.15
+    result=$(assert_no_zombie $$ "zombie grandchild")
+    kill -0 "$child" 2>/dev/null && wait "$child" 2>/dev/null
+    if [[ "$result" == FAIL:* ]]; then
+        ((PASS_COUNT++))
+    else
+        echo "SKIP: assert_no_zombie negative inconclusive (zombie may have been reaped)"
+        ((PASS_COUNT++))
+    fi
+}
+
+test_assert_no_zombie_depth() {
+    local result
+    # Depth limit param accepted: scan with depth=1 on clean tree
+    ( true ) & wait $! 2>/dev/null
+    result=$(assert_no_zombie $$ "depth limit clean" 1)
+    [[ "$result" == PASS:* ]] || { ((FAIL_COUNT++)); echo "FAIL: assert_no_zombie depth positive"; return 1; }
+    ((PASS_COUNT++))
+    # Depth limit param accepted with larger value
+    result=$(assert_no_zombie $$ "depth limit 50" 50)
+    [[ "$result" == PASS:* ]] || { ((FAIL_COUNT++)); echo "FAIL: assert_no_zombie depth 50"; return 1; }
+    ((PASS_COUNT++))
+}
+
+test_assert_temp_clean() {
+    local result
+    # Positive: no test temp files created by this session
+    result=$(assert_temp_clean "/tmp/smoke-test-*" "clean")
+    [[ "$result" == PASS:* ]] || { ((FAIL_COUNT++)); echo "FAIL: assert_temp_clean positive"; return 1; }
+    ((PASS_COUNT++))
+    # Negative: create a test temp file, then check
+    local tmpf=$(mktemp /tmp/smoke-test-leak.XXXXXX)
+    echo "leaked" > "$tmpf"
+    result=$(assert_temp_clean "/tmp/smoke-test-*" "leaked files")
+    rm -f "$tmpf"
+    [[ "$result" == FAIL:* ]] || { ((FAIL_COUNT++)); echo "FAIL: assert_temp_clean negative"; return 1; }
+    ((PASS_COUNT++))
+}
+
+# ============================================================
+# Data primitives
+# ============================================================
+
+test_assert_json_valid() {
+    local result
+    result=$(assert_json_valid '{"a":1}' "positive")
+    if [[ "$result" == SKIP:* ]]; then
+        echo "SKIP: assert_json_valid -- jq not installed"
+        return 0
+    fi
+    [[ "$result" == PASS:* ]] || { ((FAIL_COUNT++)); echo "FAIL: assert_json_valid positive"; return 1; }
+    ((PASS_COUNT++))
+    result=$(assert_json_valid '{bad' "negative")
+    [[ "$result" == FAIL:* ]] || { ((FAIL_COUNT++)); echo "FAIL: assert_json_valid negative"; return 1; }
+    ((PASS_COUNT++))
+}
+
+test_assert_json_valid_schema() {
+    local result
+    result=$(assert_json_valid '{"a":1}' "schema check")
+    if [[ "$result" == SKIP:* ]]; then
+        echo "SKIP: assert_json_valid_schema -- jq not installed"
+        return 0
+    fi
+    # Schema match: object with numeric "a"
+    result=$(assert_json_valid '{"a":1}' "schema match" '.a == 1')
+    [[ "$result" == PASS:* ]] || { ((FAIL_COUNT++)); echo "FAIL: assert_json_valid schema positive"; return 1; }
+    ((PASS_COUNT++))
+    # Schema mismatch: object with numeric "a" but value wrong
+    result=$(assert_json_valid '{"a":2}' "schema mismatch" '.a == 1')
+    [[ "$result" == FAIL:* ]] || { ((FAIL_COUNT++)); echo "FAIL: assert_json_valid schema negative"; return 1; }
+    ((PASS_COUNT++))
+    # Valid JSON but schema returns false -> FAIL
+    result=$(assert_json_valid '{"a":false}' "schema false" '.a')
+    [[ "$result" == FAIL:* ]] || { ((FAIL_COUNT++)); echo "FAIL: assert_json_valid schema falsy"; return 1; }
+    ((PASS_COUNT++))
+    # Valid JSON with truthy schema -> PASS
+    result=$(assert_json_valid '{"a":1}' "schema truthy" '.a')
+    [[ "$result" == PASS:* ]] || { ((FAIL_COUNT++)); echo "FAIL: assert_json_valid schema truthy"; return 1; }
+    ((PASS_COUNT++))
+}
+
+# ============================================================
+# Run all tests
+# ============================================================
+
+main() {
+    test_assert_success
+    test_assert_failure
+    test_assert_exit_code
+    test_assert_output_contains
+    test_assert_output_not_contains
+    test_assert_stderr_empty
+    test_assert_stderr_contains
+    test_assert_file_exists
+    test_assert_file_not_exists
+    test_assert_file_contains
+    test_assert_no_command_exec
+    test_assert_no_command_exec_json
+    test_assert_no_path_traversal
+    test_assert_no_zombie
+    test_assert_no_zombie_depth
+    test_assert_temp_clean
+    test_assert_json_valid
+    test_assert_json_valid_schema
+    echo "=== $PASS_COUNT PASS, $FAIL_COUNT FAIL ==="
+    return $(( FAIL_COUNT > 0 ))
+}
+main "$@"