github/openclaw
1
1
Fork 0
mirror of https://github.com/openclaw/openclaw.git synced 2026-04-03 03:03:24 -04:00
Code Issues Packages Projects Releases Wiki Activity

test(agents): share pi-tools sandbox fixture context

Browse Source
This commit is contained in:
Peter Steinberger
2026-02-19 09:21:33 +00:00
parent bf3f8ec428
commit b96419fab9
5 changed files with 97 additions and 72 deletions
Download Patch File Download Diff File Expand all files Collapse all files

41
src/agents/pi-tools.create-openclaw-coding-tools.adds-claude-style-aliases-schemas-without-dropping-d.e2e.test.ts
View File

@@ -6,6 +6,7 @@ import { describe, expect, it } from "vitest";
import "./test-helpers/fast-coding-tools.js"; import "./test-helpers/fast-coding-tools.js";
import { createOpenClawCodingTools } from "./pi-tools.js"; import { createOpenClawCodingTools } from "./pi-tools.js";
import { createHostSandboxFsBridge } from "./test-helpers/host-sandbox-fs-bridge.js"; import { createHostSandboxFsBridge } from "./test-helpers/host-sandbox-fs-bridge.js";
import { createPiToolsSandboxContext } from "./test-helpers/pi-tools-sandbox-context.js";
const defaultTools = createOpenClawCodingTools(); const defaultTools = createOpenClawCodingTools();
@@ -74,32 +75,16 @@ describe("createOpenClawCodingTools", () => {
}); });
it("filters tools by sandbox policy", () => { it("filters tools by sandbox policy", () => {
const sandboxDir = path.join(os.tmpdir(), "moltbot-sandbox"); const sandboxDir = path.join(os.tmpdir(), "moltbot-sandbox");
const sandbox = { const sandbox = createPiToolsSandboxContext({
enabled: true,
sessionKey: "sandbox:test",
workspaceDir: sandboxDir, workspaceDir: sandboxDir,
agentWorkspaceDir: path.join(os.tmpdir(), "moltbot-workspace"), agentWorkspaceDir: path.join(os.tmpdir(), "moltbot-workspace"),
workspaceAccess: "none" as const, workspaceAccess: "none" as const,
containerName: "openclaw-sbx-test",
containerWorkdir: "/workspace",
fsBridge: createHostSandboxFsBridge(sandboxDir), fsBridge: createHostSandboxFsBridge(sandboxDir),
docker: {
image: "openclaw-sandbox:bookworm-slim",
containerPrefix: "openclaw-sbx-",
workdir: "/workspace",
readOnlyRoot: true,
tmpfs: [],
network: "none",
user: "1000:1000",
capDrop: ["ALL"],
env: { LANG: "C.UTF-8" },
},
tools: { tools: {
allow: ["bash"], allow: ["bash"],
deny: ["browser"], deny: ["browser"],
}, },
browserAllowHostControl: false, });
};
const tools = createOpenClawCodingTools({ sandbox }); const tools = createOpenClawCodingTools({ sandbox });
expect(tools.some((tool) => tool.name === "exec")).toBe(true); expect(tools.some((tool) => tool.name === "exec")).toBe(true);
expect(tools.some((tool) => tool.name === "read")).toBe(false); expect(tools.some((tool) => tool.name === "read")).toBe(false);
@@ -107,32 +92,16 @@ describe("createOpenClawCodingTools", () => {
}); });
it("hard-disables write/edit when sandbox workspaceAccess is ro", () => { it("hard-disables write/edit when sandbox workspaceAccess is ro", () => {
const sandboxDir = path.join(os.tmpdir(), "moltbot-sandbox"); const sandboxDir = path.join(os.tmpdir(), "moltbot-sandbox");
const sandbox = { const sandbox = createPiToolsSandboxContext({
enabled: true,
sessionKey: "sandbox:test",
workspaceDir: sandboxDir, workspaceDir: sandboxDir,
agentWorkspaceDir: path.join(os.tmpdir(), "moltbot-workspace"), agentWorkspaceDir: path.join(os.tmpdir(), "moltbot-workspace"),
workspaceAccess: "ro" as const, workspaceAccess: "ro" as const,
containerName: "openclaw-sbx-test",
containerWorkdir: "/workspace",
fsBridge: createHostSandboxFsBridge(sandboxDir), fsBridge: createHostSandboxFsBridge(sandboxDir),
docker: {
image: "openclaw-sandbox:bookworm-slim",
containerPrefix: "openclaw-sbx-",
workdir: "/workspace",
readOnlyRoot: true,
tmpfs: [],
network: "none",
user: "1000:1000",
capDrop: ["ALL"],
env: { LANG: "C.UTF-8" },
},
tools: { tools: {
allow: ["read", "write", "edit"], allow: ["read", "write", "edit"],
deny: [], deny: [],
}, },
browserAllowHostControl: false, });
};
const tools = createOpenClawCodingTools({ sandbox }); const tools = createOpenClawCodingTools({ sandbox });
expect(tools.some((tool) => tool.name === "read")).toBe(true); expect(tools.some((tool) => tool.name === "read")).toBe(true);
expect(tools.some((tool) => tool.name === "write")).toBe(false); expect(tools.some((tool) => tool.name === "write")).toBe(false);

21
src/agents/pi-tools.sandbox-mounted-paths.workspace-only.test.ts
View File

@@ -7,6 +7,7 @@ import { createOpenClawCodingTools } from "./pi-tools.js";
import type { SandboxContext } from "./sandbox.js"; import type { SandboxContext } from "./sandbox.js";
import type { SandboxFsBridge, SandboxResolvedPath } from "./sandbox/fs-bridge.js"; import type { SandboxFsBridge, SandboxResolvedPath } from "./sandbox/fs-bridge.js";
import { createSandboxFsBridgeFromResolver } from "./test-helpers/host-sandbox-fs-bridge.js"; import { createSandboxFsBridgeFromResolver } from "./test-helpers/host-sandbox-fs-bridge.js";
import { createPiToolsSandboxContext } from "./test-helpers/pi-tools-sandbox-context.js";
vi.mock("../infra/shell-env.js", async (importOriginal) => { vi.mock("../infra/shell-env.js", async (importOriginal) => {
const mod = await importOriginal<typeof import("../infra/shell-env.js")>(); const mod = await importOriginal<typeof import("../infra/shell-env.js")>();
@@ -63,29 +64,13 @@ function createSandbox(params: {
agentRoot: string; agentRoot: string;
fsBridge: SandboxFsBridge; fsBridge: SandboxFsBridge;
}): SandboxContext { }): SandboxContext {
return { return createPiToolsSandboxContext({
enabled: true,
sessionKey: "sandbox:test",
workspaceDir: params.sandboxRoot, workspaceDir: params.sandboxRoot,
agentWorkspaceDir: params.agentRoot, agentWorkspaceDir: params.agentRoot,
workspaceAccess: "rw", workspaceAccess: "rw",
containerName: "openclaw-sbx-test",
containerWorkdir: "/workspace",
fsBridge: params.fsBridge, fsBridge: params.fsBridge,
docker: {
image: "openclaw-sandbox:bookworm-slim",
containerPrefix: "openclaw-sbx-",
workdir: "/workspace",
readOnlyRoot: true,
tmpfs: [],
network: "none",
user: "1000:1000",
capDrop: ["ALL"],
env: { LANG: "C.UTF-8" },
},
tools: { allow: [], deny: [] }, tools: { allow: [], deny: [] },
browserAllowHostControl: false, });
};
} }
async function withUnsafeMountedSandboxHarness( async function withUnsafeMountedSandboxHarness(

21
src/agents/pi-tools.workspace-paths.e2e.test.ts
View File

@@ -4,6 +4,7 @@ import path from "node:path";
import { describe, expect, it, vi } from "vitest"; import { describe, expect, it, vi } from "vitest";
import { createOpenClawCodingTools } from "./pi-tools.js"; import { createOpenClawCodingTools } from "./pi-tools.js";
import { createHostSandboxFsBridge } from "./test-helpers/host-sandbox-fs-bridge.js"; import { createHostSandboxFsBridge } from "./test-helpers/host-sandbox-fs-bridge.js";
import { createPiToolsSandboxContext } from "./test-helpers/pi-tools-sandbox-context.js";
vi.mock("../infra/shell-env.js", async (importOriginal) => { vi.mock("../infra/shell-env.js", async (importOriginal) => {
const mod = await importOriginal<typeof import("../infra/shell-env.js")>(); const mod = await importOriginal<typeof import("../infra/shell-env.js")>();
@@ -157,29 +158,13 @@ describe("sandboxed workspace paths", () => {
it("uses sandbox workspace for relative read/write/edit", async () => { it("uses sandbox workspace for relative read/write/edit", async () => {
await withTempDir("openclaw-sandbox-", async (sandboxDir) => { await withTempDir("openclaw-sandbox-", async (sandboxDir) => {
await withTempDir("openclaw-workspace-", async (workspaceDir) => { await withTempDir("openclaw-workspace-", async (workspaceDir) => {
const sandbox = { const sandbox = createPiToolsSandboxContext({
enabled: true,
sessionKey: "sandbox:test",
workspaceDir: sandboxDir, workspaceDir: sandboxDir,
agentWorkspaceDir: workspaceDir, agentWorkspaceDir: workspaceDir,
workspaceAccess: "rw" as const, workspaceAccess: "rw" as const,
containerName: "openclaw-sbx-test",
containerWorkdir: "/workspace",
fsBridge: createHostSandboxFsBridge(sandboxDir), fsBridge: createHostSandboxFsBridge(sandboxDir),
docker: {
image: "openclaw-sandbox:bookworm-slim",
containerPrefix: "openclaw-sbx-",
workdir: "/workspace",
readOnlyRoot: true,
tmpfs: [],
network: "none",
user: "1000:1000",
capDrop: ["ALL"],
env: { LANG: "C.UTF-8" },
},
tools: { allow: [], deny: [] }, tools: { allow: [], deny: [] },
browserAllowHostControl: false, });
};
const testFile = "sandbox.txt"; const testFile = "sandbox.txt";
await fs.writeFile(path.join(sandboxDir, testFile), "sandbox read", "utf8"); await fs.writeFile(path.join(sandboxDir, testFile), "sandbox read", "utf8");

43
src/agents/test-helpers/pi-tools-sandbox-context.test.ts Normal file
View File

@@ -0,0 +1,43 @@
import { describe, expect, it } from "vitest";
import { createPiToolsSandboxContext } from "./pi-tools-sandbox-context.js";
describe("createPiToolsSandboxContext", () => {
it("provides stable defaults for pi-tools sandbox tests", () => {
const sandbox = createPiToolsSandboxContext({
workspaceDir: "/tmp/sandbox",
});
expect(sandbox.enabled).toBe(true);
expect(sandbox.sessionKey).toBe("sandbox:test");
expect(sandbox.workspaceDir).toBe("/tmp/sandbox");
expect(sandbox.agentWorkspaceDir).toBe("/tmp/sandbox");
expect(sandbox.workspaceAccess).toBe("rw");
expect(sandbox.containerName).toBe("openclaw-sbx-test");
expect(sandbox.containerWorkdir).toBe("/workspace");
expect(sandbox.docker.image).toBe("openclaw-sandbox:bookworm-slim");
expect(sandbox.docker.containerPrefix).toBe("openclaw-sbx-");
expect(sandbox.tools).toEqual({ allow: [], deny: [] });
expect(sandbox.browserAllowHostControl).toBe(false);
});
it("applies provided overrides", () => {
const sandbox = createPiToolsSandboxContext({
workspaceDir: "/tmp/sandbox",
agentWorkspaceDir: "/tmp/workspace",
workspaceAccess: "ro",
tools: { allow: ["read"], deny: ["exec"] },
browserAllowHostControl: true,
dockerOverrides: {
readOnlyRoot: false,
tmpfs: ["/tmp"],
},
});
expect(sandbox.agentWorkspaceDir).toBe("/tmp/workspace");
expect(sandbox.workspaceAccess).toBe("ro");
expect(sandbox.tools).toEqual({ allow: ["read"], deny: ["exec"] });
expect(sandbox.browserAllowHostControl).toBe(true);
expect(sandbox.docker.readOnlyRoot).toBe(false);
expect(sandbox.docker.tmpfs).toEqual(["/tmp"]);
});
});

43
src/agents/test-helpers/pi-tools-sandbox-context.ts Normal file
View File

@@ -0,0 +1,43 @@
import type { SandboxContext, SandboxToolPolicy, SandboxWorkspaceAccess } from "../sandbox.js";
import type { SandboxFsBridge } from "../sandbox/fs-bridge.js";
type PiToolsSandboxContextParams = {
workspaceDir: string;
agentWorkspaceDir?: string;
workspaceAccess?: SandboxWorkspaceAccess;
fsBridge?: SandboxFsBridge;
tools?: SandboxToolPolicy;
browserAllowHostControl?: boolean;
sessionKey?: string;
containerName?: string;
containerWorkdir?: string;
dockerOverrides?: Partial<SandboxContext["docker"]>;
};
export function createPiToolsSandboxContext(params: PiToolsSandboxContextParams): SandboxContext {
const workspaceDir = params.workspaceDir;
return {
enabled: true,
sessionKey: params.sessionKey ?? "sandbox:test",
workspaceDir,
agentWorkspaceDir: params.agentWorkspaceDir ?? workspaceDir,
workspaceAccess: params.workspaceAccess ?? "rw",
containerName: params.containerName ?? "openclaw-sbx-test",
containerWorkdir: params.containerWorkdir ?? "/workspace",
fsBridge: params.fsBridge,
docker: {
image: "openclaw-sandbox:bookworm-slim",
containerPrefix: "openclaw-sbx-",
workdir: "/workspace",
readOnlyRoot: true,
tmpfs: [],
network: "none",
user: "1000:1000",
capDrop: ["ALL"],
env: { LANG: "C.UTF-8" },
...params.dockerOverrides,
},
tools: params.tools ?? { allow: [], deny: [] },
browserAllowHostControl: params.browserAllowHostControl ?? false,
};
}