|
| 1 | +"""Server-side invariant tests for run_cmd: recipe-read prohibition and write-target boundary.""" |
| 2 | + |
| 3 | +from __future__ import annotations |
| 4 | + |
| 5 | +import json |
| 6 | + |
| 7 | +import pytest |
| 8 | + |
| 9 | +from autoskillit.server._guards import RECIPE_READ_DENY_TRIGGER |
| 10 | +from autoskillit.server.tools.tools_execution import run_cmd |
| 11 | +from tests.conftest import _make_result |
| 12 | + |
| 13 | +pytestmark = [pytest.mark.layer("server"), pytest.mark.small] |
| 14 | + |
| 15 | + |
| 16 | +class TestRecipeReadProhibitionCmd: |
| 17 | + """run_cmd denies recipe/skill/agent file access in headless sessions.""" |
| 18 | + |
| 19 | + @pytest.fixture(autouse=True) |
| 20 | + def _headless(self, monkeypatch): |
| 21 | + monkeypatch.setenv("AUTOSKILLIT_HEADLESS", "1") |
| 22 | + monkeypatch.setenv("AUTOSKILLIT_SESSION_TYPE", "orchestrator") |
| 23 | + |
| 24 | + @pytest.mark.anyio |
| 25 | + async def test_denies_recipe_yaml_path(self, tool_ctx_kitchen_open): |
| 26 | + result = json.loads(await run_cmd(cmd="cat .autoskillit/recipes/deploy.yaml", cwd="/tmp")) |
| 27 | + assert result["success"] is False |
| 28 | + assert result["subtype"] == "gate_error" |
| 29 | + assert RECIPE_READ_DENY_TRIGGER in result["result"] |
| 30 | + |
| 31 | + @pytest.mark.anyio |
| 32 | + async def test_denies_src_recipe_yaml(self, tool_ctx_kitchen_open): |
| 33 | + result = json.loads(await run_cmd(cmd="head src/autoskillit/recipes/base.yml", cwd="/tmp")) |
| 34 | + assert result["subtype"] == "gate_error" |
| 35 | + |
| 36 | + @pytest.mark.anyio |
| 37 | + async def test_denies_skill_md_path(self, tool_ctx_kitchen_open): |
| 38 | + result = json.loads( |
| 39 | + await run_cmd(cmd="cat src/autoskillit/skills/open-kitchen/SKILL.md", cwd="/tmp") |
| 40 | + ) |
| 41 | + assert result["subtype"] == "gate_error" |
| 42 | + |
| 43 | + @pytest.mark.anyio |
| 44 | + async def test_denies_skills_extended_skill_md(self, tool_ctx_kitchen_open): |
| 45 | + result = json.loads( |
| 46 | + await run_cmd( |
| 47 | + cmd="cat src/autoskillit/skills_extended/audit-arch/SKILL.md", |
| 48 | + cwd="/tmp", |
| 49 | + ) |
| 50 | + ) |
| 51 | + assert result["subtype"] == "gate_error" |
| 52 | + |
| 53 | + @pytest.mark.anyio |
| 54 | + async def test_denies_agent_md_path(self, tool_ctx_kitchen_open): |
| 55 | + result = json.loads( |
| 56 | + await run_cmd(cmd="cat src/autoskillit/agents/explorer.md", cwd="/tmp") |
| 57 | + ) |
| 58 | + assert result["subtype"] == "gate_error" |
| 59 | + |
| 60 | + @pytest.mark.anyio |
| 61 | + async def test_allows_benign_cmd(self, tool_ctx_kitchen_open): |
| 62 | + tool_ctx_kitchen_open.runner.push(_make_result(0, "hello\n", "")) |
| 63 | + result = json.loads(await run_cmd(cmd="echo hello", cwd="/tmp")) |
| 64 | + assert result["success"] is True |
| 65 | + |
| 66 | + @pytest.mark.anyio |
| 67 | + async def test_allows_non_recipe_python_file(self, tool_ctx_kitchen_open): |
| 68 | + tool_ctx_kitchen_open.runner.push(_make_result(0, "", "")) |
| 69 | + result = json.loads(await run_cmd(cmd="cat src/autoskillit/core/__init__.py", cwd="/tmp")) |
| 70 | + assert result["success"] is True |
| 71 | + |
| 72 | + @pytest.mark.anyio |
| 73 | + async def test_allows_in_non_headless(self, tool_ctx_kitchen_open, monkeypatch): |
| 74 | + monkeypatch.delenv("AUTOSKILLIT_HEADLESS", raising=False) |
| 75 | + tool_ctx_kitchen_open.runner.push(_make_result(0, "", "")) |
| 76 | + result = json.loads(await run_cmd(cmd="cat .autoskillit/recipes/deploy.yaml", cwd="/tmp")) |
| 77 | + assert result["success"] is True |
| 78 | + |
| 79 | + |
| 80 | +class TestWriteTargetBoundaryCmd: |
| 81 | + """run_cmd denies writes outside allowed prefixes; fails open when unset.""" |
| 82 | + |
| 83 | + @pytest.fixture(autouse=True) |
| 84 | + def _headless(self, monkeypatch): |
| 85 | + monkeypatch.setenv("AUTOSKILLIT_HEADLESS", "1") |
| 86 | + monkeypatch.setenv("AUTOSKILLIT_SESSION_TYPE", "orchestrator") |
| 87 | + |
| 88 | + @pytest.mark.anyio |
| 89 | + async def test_denies_write_outside_allowed_prefix(self, tool_ctx_kitchen_open, monkeypatch): |
| 90 | + monkeypatch.setenv("AUTOSKILLIT_ALLOWED_WRITE_PREFIXES", "/safe/dir") |
| 91 | + result = json.loads(await run_cmd(cmd="echo x > /forbidden/file.txt", cwd="/tmp")) |
| 92 | + assert result["success"] is False |
| 93 | + assert result["subtype"] == "gate_error" |
| 94 | + assert "outside allowed write prefixes" in result["result"] |
| 95 | + |
| 96 | + @pytest.mark.anyio |
| 97 | + async def test_allows_write_inside_prefix(self, tool_ctx_kitchen_open, monkeypatch): |
| 98 | + monkeypatch.setenv("AUTOSKILLIT_ALLOWED_WRITE_PREFIXES", "/safe/dir") |
| 99 | + tool_ctx_kitchen_open.runner.push(_make_result(0, "", "")) |
| 100 | + result = json.loads(await run_cmd(cmd="echo x > /safe/dir/file.txt", cwd="/tmp")) |
| 101 | + assert result["success"] is True |
| 102 | + |
| 103 | + @pytest.mark.anyio |
| 104 | + async def test_allows_any_write_when_no_prefix(self, tool_ctx_kitchen_open): |
| 105 | + tool_ctx_kitchen_open.runner.push(_make_result(0, "", "")) |
| 106 | + result = json.loads(await run_cmd(cmd="echo x > /anywhere/file.txt", cwd="/tmp")) |
| 107 | + assert result["success"] is True |
| 108 | + |
| 109 | + @pytest.mark.anyio |
| 110 | + async def test_allows_read_only_cmd_with_prefix(self, tool_ctx_kitchen_open, monkeypatch): |
| 111 | + monkeypatch.setenv("AUTOSKILLIT_ALLOWED_WRITE_PREFIXES", "/safe/dir") |
| 112 | + tool_ctx_kitchen_open.runner.push(_make_result(0, "", "")) |
| 113 | + result = json.loads(await run_cmd(cmd="ls /forbidden/", cwd="/tmp")) |
| 114 | + assert result["success"] is True |
0 commit comments