Hundao
8cb0531959
* fix(lint): organize imports in queen_orchestrator.create_queen Ruff I001 blocks CI on every PR against main. The deferred imports inside create_queen were not in alphabetical order between the queen package and the framework package; ruff auto-fix moves framework.config below the framework.agents.queen.nodes block. No behavior change. * fix(ci): install Playwright Chromium before Test Tools job The new chart_tools smoke tests added infeabf327require a Chromium build for ECharts/Mermaid rendering, but the test-tools workflow only ran `uv sync` and went straight to pytest. Three tests (test_render_echarts_bar_chart, test_render_echarts_accepts_string_spec, test_render_mermaid_flowchart) crash on every PR with: BrowserType.launch: Executable doesn't exist at /home/runner/.cache/ms-playwright/chromium_headless_shell-1208/... Split the install/run into separate steps and add `playwright install chromium` before pytest. Use `--with-deps` on Linux to pull system libraries; Windows runners only need the browser binary. * fix(tests): adapt test_file_state_cache to new file_ops API The file_ops rewrite infeabf327dropped the standalone hashline_edit tool (the file_system_toolkits/hashline_edit/ directory was removed) and switched edit_file to a mode-first signature (mode, path, old_string, new_string, ...). The test fixture still tried to look up "hashline_edit" via the MCP tool manager and crashed with KeyError before any test could run, and the edit_file calls were positional in the old order so they hit "unknown mode 'e.py'" once the fixture was fixed. Drop the stale hashline_edit lookup and pass mode="replace" explicitly to every edit_file call. All 11 tests pass locally. * fix(tests): skip terminal_tools tests on Windows (POSIX-only) The new terminal_tools package added infeabf327imports the Unix-only `resource` module in tools/src/terminal_tools/common/limits.py to set RLIMIT_CPU / RLIMIT_AS / RLIMIT_FSIZE on subprocesses. Five of the six terminal_tools test files therefore crash on windows-latest with `ModuleNotFoundError: No module named 'resource'` once their fixtures trigger the import chain. test_terminal_tools_pty.py already has the right module-level skip (PTY is POSIX-only). Apply the same `pytestmark = skipif(win32)` to the other five so the whole suite skips cleanly on Windows. The terminal-tools package is bash-only by design (zsh refused at the shell-resolver level), so a Windows port is out of scope.
107 lines
3.3 KiB
Python
107 lines
3.3 KiB
Python
"""Security/policy tests: zsh refusal, env stripping, destructive catalog."""
|
|
|
|
from __future__ import annotations
|
|
|
|
import sys
|
|
|
|
import pytest
|
|
|
|
pytestmark = pytest.mark.skipif(sys.platform == "win32", reason="terminal_tools is POSIX-only (uses resource module)")
|
|
|
|
|
|
def test_resolve_shell_rejects_zsh():
|
|
from terminal_tools.common.limits import ZshRefused, _resolve_shell
|
|
|
|
for path in ("/bin/zsh", "/usr/bin/zsh", "/usr/local/bin/zsh", "ZSH"):
|
|
with pytest.raises(ZshRefused):
|
|
_resolve_shell(path)
|
|
|
|
|
|
def test_resolve_shell_accepts_bash():
|
|
from terminal_tools.common.limits import _resolve_shell
|
|
|
|
assert _resolve_shell(True) == "/bin/bash"
|
|
assert _resolve_shell("/bin/bash") == "/bin/bash"
|
|
assert _resolve_shell(False) is None
|
|
|
|
|
|
def test_sanitized_env_strips_zsh_vars(monkeypatch):
|
|
from terminal_tools.common.limits import sanitized_env
|
|
|
|
monkeypatch.setenv("ZDOTDIR", "/some/path")
|
|
monkeypatch.setenv("ZSH_VERSION", "5.9")
|
|
monkeypatch.setenv("ZSH_NAME", "zsh")
|
|
monkeypatch.setenv("PATH", "/usr/bin:/bin")
|
|
|
|
env = sanitized_env()
|
|
assert "ZDOTDIR" not in env
|
|
assert "ZSH_VERSION" not in env
|
|
assert "ZSH_NAME" not in env
|
|
# Non-zsh vars survive
|
|
assert env["PATH"] == "/usr/bin:/bin"
|
|
|
|
|
|
def test_destructive_warning_catalog():
|
|
from terminal_tools.common.destructive_warning import get_warning
|
|
|
|
cases = [
|
|
("rm -rf /tmp/foo", "force-remove"),
|
|
("rm -r /tmp/foo", "recursively remove"),
|
|
("git reset --hard HEAD~1", "discard"),
|
|
("git push --force origin main", "remote history"),
|
|
("git push -f origin main", "remote history"),
|
|
("git commit --amend -m 'x'", "rewrite"),
|
|
("DROP TABLE users;", "drop or truncate"),
|
|
("DELETE FROM users;", "delete rows"),
|
|
("kubectl delete pod foo", "Kubernetes"),
|
|
("terraform destroy", "Terraform"),
|
|
]
|
|
for cmd, expected in cases:
|
|
warning = get_warning(cmd)
|
|
assert warning is not None, f"expected warning for {cmd!r}"
|
|
assert expected in warning, f"warning {warning!r} should mention {expected!r}"
|
|
|
|
|
|
def test_destructive_warning_clean_commands():
|
|
from terminal_tools.common.destructive_warning import get_warning
|
|
|
|
for cmd in ["ls -la", "echo hi", "git status", "git commit -m 'x'"]:
|
|
assert get_warning(cmd) is None, f"unexpected warning for {cmd!r}"
|
|
|
|
|
|
def test_semantic_exit_grep():
|
|
from terminal_tools.common.semantic_exit import classify
|
|
|
|
status, msg = classify("grep foo /tmp/x", 0)
|
|
assert status == "ok"
|
|
status, msg = classify("grep foo /tmp/x", 1)
|
|
assert status == "ok"
|
|
assert "No matches" in msg
|
|
status, msg = classify("grep foo /tmp/x", 2)
|
|
assert status == "error"
|
|
|
|
|
|
def test_semantic_exit_default():
|
|
from terminal_tools.common.semantic_exit import classify
|
|
|
|
status, msg = classify("ls", 0)
|
|
assert status == "ok"
|
|
assert msg is None
|
|
status, msg = classify("ls", 1)
|
|
assert status == "error"
|
|
|
|
|
|
def test_semantic_exit_signaled():
|
|
from terminal_tools.common.semantic_exit import classify
|
|
|
|
status, msg = classify("sleep 999", -15, signaled=True)
|
|
assert status == "signal"
|
|
|
|
|
|
def test_semantic_exit_timed_out():
|
|
from terminal_tools.common.semantic_exit import classify
|
|
|
|
status, msg = classify("sleep 999", None, timed_out=True)
|
|
assert status == "error"
|
|
assert "timed out" in msg.lower()
|