cloudllm 0.15.9

A batteries-included Rust toolkit for building intelligent agents with LLM integration, multi-protocol tool support, multi-agent orchestration, and MentisDB-backed durable memory.
Documentation
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
//! Comprehensive tests for `BashTool` and `BashProtocol`.
//!
//! Organised into eight sections:
//!
//! 1. **Output & exit codes** — basic correctness of stdout/stderr capture and exit-code handling
//! 2. **Timeout enforcement** — actual deadline is applied, not just stored
//! 3. **Allowlist security** — only listed commands can run
//! 4. **Denylist security** — listed commands are blocked; denylist wins over allowlist
//! 5. **Environment variables** — custom env vars are visible inside the shell
//! 6. **Platform** — shell path and default-platform invariants
//! 7. **Thread safety** — shared `Arc<BashTool>` survives concurrent use
//! 8. **BashProtocol (ToolProtocol integration)** — wrapper behaviour, error mapping, metadata

use cloudllm::tool_protocol::ToolProtocol;
use cloudllm::tool_protocols::BashProtocol;
use cloudllm::tools::{BashError, BashTool, Platform};
use std::path::PathBuf;
use std::sync::Arc;
use std::time::Instant;

// ─── helpers ──────────────────────────────────────────────────────────────────

/// Detect the host OS so tests that exercise OS-specific behaviour can skip.
fn is_macos() -> bool {
    cfg!(target_os = "macos")
}

// ─── 1. Output & exit codes ───────────────────────────────────────────────────

#[tokio::test]
async fn test_stdout_is_captured() {
    let bash = BashTool::new(Platform::Linux);
    let r = bash.execute("echo hello").await.unwrap();
    assert!(r.success);
    assert_eq!(r.stdout.trim(), "hello");
    assert_eq!(r.exit_code, 0);
}

#[tokio::test]
async fn test_stderr_is_captured_separately() {
    let bash = BashTool::new(Platform::Linux);
    let r = bash.execute("echo error_text >&2").await.unwrap();
    assert!(r.success, "command should succeed");
    assert!(r.stdout.trim().is_empty(), "nothing on stdout");
    assert!(
        r.stderr.contains("error_text"),
        "stderr should have the text"
    );
}

#[tokio::test]
async fn test_stdout_and_stderr_simultaneously() {
    let bash = BashTool::new(Platform::Linux);
    let r = bash
        .execute("echo out_text; echo err_text >&2")
        .await
        .unwrap();
    assert!(r.success);
    assert!(r.stdout.contains("out_text"));
    assert!(r.stderr.contains("err_text"));
}

#[tokio::test]
async fn test_empty_output_command() {
    let bash = BashTool::new(Platform::Linux);
    let r = bash.execute("true").await.unwrap();
    assert!(r.success);
    assert!(r.stdout.is_empty());
    assert!(r.stderr.is_empty());
}

#[tokio::test]
async fn test_exit_code_zero_means_success() {
    let bash = BashTool::new(Platform::Linux);
    let r = bash.execute("exit 0").await.unwrap();
    assert!(r.success);
    assert_eq!(r.exit_code, 0);
}

#[tokio::test]
async fn test_exit_code_1() {
    let bash = BashTool::new(Platform::Linux);
    let r = bash.execute("exit 1").await.unwrap();
    assert!(!r.success);
    assert_eq!(r.exit_code, 1);
}

#[tokio::test]
async fn test_exit_code_42() {
    let bash = BashTool::new(Platform::Linux);
    let r = bash.execute("exit 42").await.unwrap();
    assert!(!r.success);
    assert_eq!(r.exit_code, 42);
}

#[tokio::test]
async fn test_exit_code_127_command_not_found() {
    let bash = BashTool::new(Platform::Linux);
    let r = bash
        .execute("this_command_does_not_exist_xyz_abc_123")
        .await
        .unwrap();
    assert!(!r.success);
    assert_eq!(r.exit_code, 127, "shell exit code for 'command not found'");
    // Every POSIX shell emits something about "not found"
    assert!(
        r.stderr.to_lowercase().contains("not found")
            || r.stderr.to_lowercase().contains("no such"),
        "stderr should mention 'not found'; got: {:?}",
        r.stderr
    );
}

#[tokio::test]
async fn test_multiline_output_order_is_preserved() {
    let bash = BashTool::new(Platform::Linux);
    let r = bash
        .execute("printf 'line1\nline2\nline3\n'")
        .await
        .unwrap();
    assert!(r.success);
    let lines: Vec<&str> = r.stdout.trim().lines().collect();
    assert_eq!(lines, vec!["line1", "line2", "line3"]);
}

#[tokio::test]
async fn test_unicode_output() {
    let bash = BashTool::new(Platform::Linux);
    // Three-byte UTF-8 characters (box-drawing) must not panic or corrupt output.
    let r = bash
        .execute("printf '┌──┐\\n│  │\\n└──┘\\n'")
        .await
        .unwrap();
    assert!(r.success);
    assert!(r.stdout.contains(''));
    assert!(r.stdout.contains(''));
}

#[tokio::test]
async fn test_duration_is_positive() {
    let bash = BashTool::new(Platform::Linux);
    let r = bash.execute("echo x").await.unwrap();
    assert!(r.duration_ms > 0, "duration_ms must be at least 1 ms");
}

#[tokio::test]
async fn test_slower_command_has_larger_duration() {
    let bash = BashTool::new(Platform::Linux);
    let fast = Instant::now();
    bash.execute("echo x").await.unwrap();
    let fast_ms = fast.elapsed().as_millis() as u64;

    let slow_r = bash.execute("sleep 0.05").await.unwrap();
    // The slow command's reported duration should exceed the fast command's wall time.
    assert!(
        slow_r.duration_ms >= fast_ms || slow_r.duration_ms >= 40,
        "slow command duration ({} ms) should be meaningfully longer",
        slow_r.duration_ms
    );
}

#[tokio::test]
async fn test_pipeline_command() {
    let bash = BashTool::new(Platform::Linux);
    let r = bash
        .execute("printf '3\\n1\\n2\\n' | sort -n")
        .await
        .unwrap();
    assert!(r.success);
    let lines: Vec<&str> = r.stdout.trim().lines().collect();
    assert_eq!(lines, ["1", "2", "3"]);
}

#[tokio::test]
async fn test_semicolon_chained_commands() {
    let bash = BashTool::new(Platform::Linux);
    let r = bash.execute("echo a; echo b; echo c").await.unwrap();
    assert!(r.success);
    assert!(r.stdout.contains('a'));
    assert!(r.stdout.contains('b'));
    assert!(r.stdout.contains('c'));
}

#[tokio::test]
async fn test_command_substitution() {
    let bash = BashTool::new(Platform::Linux);
    let r = bash.execute("echo $(echo inner)").await.unwrap();
    assert!(r.success);
    assert_eq!(r.stdout.trim(), "inner");
}

#[tokio::test]
async fn test_arithmetic_expansion() {
    let bash = BashTool::new(Platform::Linux);
    let r = bash.execute("echo $((6 * 7))").await.unwrap();
    assert!(r.success);
    assert_eq!(r.stdout.trim(), "42");
}

#[tokio::test]
async fn test_false_command_produces_failure() {
    let bash = BashTool::new(Platform::Linux);
    let r = bash.execute("false").await.unwrap();
    assert!(!r.success);
    assert_ne!(r.exit_code, 0);
}

// ─── 2. Timeout enforcement ───────────────────────────────────────────────────

#[tokio::test]
async fn test_timeout_default_is_30_seconds() {
    let bash = BashTool::new(Platform::Linux);
    assert_eq!(bash.timeout_secs(), 30);
}

#[tokio::test]
async fn test_timeout_builder_sets_value() {
    let bash = BashTool::new(Platform::Linux).with_timeout(5);
    assert_eq!(bash.timeout_secs(), 5);
}

#[tokio::test]
async fn test_timeout_is_actually_enforced() {
    // A 1-second timeout must abort a 10-second sleep.
    let bash = BashTool::new(Platform::Linux).with_timeout(1);
    let result = bash.execute("sleep 10").await;
    assert!(
        result.is_err(),
        "command that exceeds timeout must return Err"
    );
    match result.unwrap_err() {
        BashError::Timeout(_) => {}
        other => panic!("expected BashError::Timeout, got: {}", other),
    }
}

#[tokio::test]
async fn test_fast_command_finishes_before_tight_timeout() {
    // A quick echo must complete even with a very short (but non-zero) timeout.
    let bash = BashTool::new(Platform::Linux).with_timeout(5);
    let r = bash.execute("echo fast").await.unwrap();
    assert!(r.success);
    assert_eq!(r.stdout.trim(), "fast");
}

// ─── 3. Allowlist security ────────────────────────────────────────────────────

#[tokio::test]
async fn test_allowlist_permits_exact_command() {
    let bash = BashTool::new(Platform::Linux).with_allowed_commands(vec!["echo".to_string()]);
    let r = bash.execute("echo ok").await;
    assert!(r.is_ok(), "allowlisted command should be permitted");
    assert!(r.unwrap().success);
}

#[tokio::test]
async fn test_allowlist_permits_prefix_with_args() {
    // "ls" is in the allowlist; "ls -la /tmp" starts with "ls " so must be allowed.
    let bash = BashTool::new(Platform::Linux)
        .with_allowed_commands(vec!["ls".to_string(), "echo".to_string()]);
    let r = bash.execute("ls -la /tmp");
    // Just checking no CommandDenied is returned — the command may or may not succeed
    // depending on the environment, but it must not be blocked.
    assert!(r.await.is_ok(), "ls with args should pass allowlist check");
}

#[tokio::test]
async fn test_allowlist_blocks_unlisted_command() {
    let bash = BashTool::new(Platform::Linux).with_allowed_commands(vec!["echo".to_string()]);
    let result = bash.execute("cat /etc/hostname").await;
    assert!(result.is_err(), "non-allowlisted command must be rejected");
    match result.unwrap_err() {
        BashError::CommandDenied(_) => {}
        other => panic!("expected CommandDenied, got: {}", other),
    }
}

#[tokio::test]
async fn test_allowlist_is_case_insensitive() {
    // The check lowercases both sides, so "ECHO" should match "echo".
    let bash = BashTool::new(Platform::Linux).with_allowed_commands(vec!["echo".to_string()]);
    let r = bash.execute("ECHO hello").await;
    // Whether ECHO exists on the system is irrelevant; the allowlist must NOT block it.
    // If the system doesn't have ECHO uppercase it will give a 127, not a CommandDenied.
    match r {
        Ok(_) => {} // ran, fine
        Err(BashError::CommandDenied(_)) => {
            panic!("case-insensitive allowlist should not block ECHO when echo is listed")
        }
        Err(_) => {} // other errors (e.g. Timeout, IO) are acceptable
    }
}

#[tokio::test]
async fn test_allowlist_multiple_entries_all_work() {
    let bash = BashTool::new(Platform::Linux).with_allowed_commands(vec![
        "echo".to_string(),
        "printf".to_string(),
        "true".to_string(),
    ]);
    assert!(bash.execute("echo hi").await.is_ok());
    assert!(bash.execute("printf hi").await.is_ok());
    assert!(bash.execute("true").await.is_ok());
}

#[tokio::test]
async fn test_empty_allowlist_blocks_everything() {
    // An empty Vec means "allow nothing".
    let bash = BashTool::new(Platform::Linux).with_allowed_commands(vec![]);
    let r = bash.execute("echo hello").await;
    assert!(r.is_err(), "empty allowlist should block all commands");
    match r.unwrap_err() {
        BashError::CommandDenied(_) => {}
        other => panic!("expected CommandDenied, got: {}", other),
    }
}

// ─── 3b. Absolute-path bypass (was a real vulnerability) ─────────────────────

#[tokio::test]
async fn test_denylist_blocks_absolute_path_variant() {
    // "/bin/rm -rf /" must be caught by a denylist entry of "rm".
    let bash = BashTool::new(Platform::Linux).with_denied_commands(vec!["rm".to_string()]);
    let r = bash.execute("/bin/rm -rf /").await;
    assert!(
        r.is_err(),
        "/bin/rm must be blocked by a denylist entry of 'rm'"
    );
    match r.unwrap_err() {
        BashError::CommandDenied(_) => {}
        other => panic!("expected CommandDenied, got: {}", other),
    }
}

#[tokio::test]
async fn test_denylist_blocks_relative_path_variant() {
    // "../bin/rm" must also match the "rm" denylist entry.
    let bash = BashTool::new(Platform::Linux).with_denied_commands(vec!["rm".to_string()]);
    let r = bash.execute("../bin/rm -rf /").await;
    assert!(
        r.is_err(),
        "../bin/rm must be blocked by a denylist entry of 'rm'"
    );
}

#[tokio::test]
async fn test_allowlist_permits_absolute_path_variant() {
    // "/bin/echo hello" must be allowed when "echo" is in the allowlist.
    let bash = BashTool::new(Platform::Linux).with_allowed_commands(vec!["echo".to_string()]);
    // We only check the allowlist decision, not that /bin/echo exists.
    if let Err(BashError::CommandDenied(_)) = bash.execute("/bin/echo hello").await {
        panic!("/bin/echo should be allowed when 'echo' is in the allowlist");
    }
}

// ─── 4. Denylist security ────────────────────────────────────────────────────

#[tokio::test]
async fn test_denylist_blocks_exact_command() {
    let bash = BashTool::new(Platform::Linux).with_denied_commands(vec!["rm".to_string()]);
    let r = bash.execute("rm -rf /").await;
    assert!(r.is_err());
    match r.unwrap_err() {
        BashError::CommandDenied(_) => {}
        other => panic!("expected CommandDenied, got: {}", other),
    }
}

#[tokio::test]
async fn test_denylist_prefix_match_with_args() {
    // "rm" denied means "rm -rf /tmp/x" must also be blocked.
    let bash = BashTool::new(Platform::Linux).with_denied_commands(vec!["rm".to_string()]);
    assert!(bash.execute("rm -rf /tmp/x").await.is_err());
    assert!(bash.execute("rm somefile").await.is_err());
}

#[tokio::test]
async fn test_denylist_permits_unlisted_command() {
    let bash = BashTool::new(Platform::Linux).with_denied_commands(vec!["rm".to_string()]);
    let r = bash.execute("echo safe").await;
    assert!(r.is_ok());
    assert!(r.unwrap().success);
}

#[tokio::test]
async fn test_denylist_is_case_insensitive() {
    let bash = BashTool::new(Platform::Linux).with_denied_commands(vec!["rm".to_string()]);
    // "RM -rf /" should also be blocked.
    let r = bash.execute("RM -rf /").await;
    match r {
        Err(BashError::CommandDenied(_)) => {} // correct
        Ok(_) => panic!("RM should be blocked by case-insensitive denylist"),
        Err(other) => panic!("unexpected error: {}", other),
    }
}

#[tokio::test]
async fn test_denylist_multiple_entries() {
    let bash = BashTool::new(Platform::Linux).with_denied_commands(vec![
        "rm".to_string(),
        "sudo".to_string(),
        "mkfs".to_string(),
    ]);
    assert!(bash.execute("rm file").await.is_err());
    assert!(bash.execute("sudo su").await.is_err());
    assert!(bash.execute("mkfs.ext4 /dev/sda").await.is_err());
    // safe command still works
    assert!(bash.execute("echo hello").await.is_ok());
}

#[tokio::test]
async fn test_denylist_wins_over_allowlist() {
    // "rm" is in BOTH lists — denylist must take priority.
    let bash = BashTool::new(Platform::Linux)
        .with_allowed_commands(vec!["echo".to_string(), "rm".to_string()])
        .with_denied_commands(vec!["rm".to_string()]);
    assert!(
        bash.execute("rm file").await.is_err(),
        "denylist must override allowlist for the same prefix"
    );
    // But echo (only in allowlist, not denied) should still work.
    assert!(bash.execute("echo ok").await.is_ok());
}

#[tokio::test]
async fn test_leading_whitespace_does_not_bypass_denylist() {
    // is_command_allowed trims the input, so "  rm -rf /" must still be blocked.
    let bash = BashTool::new(Platform::Linux).with_denied_commands(vec!["rm".to_string()]);
    let r = bash.execute("   rm -rf /").await;
    assert!(
        r.is_err(),
        "leading whitespace must not bypass the denylist"
    );
}

/// Security note — documented known limitation:
///
/// `is_command_allowed` checks only the *prefix* of the command string.
/// A command like `"echo hello && rm -rf /"` starts with `"echo"` and
/// therefore passes an allowlist that only contains `"echo"`.  Callers
/// should treat the allowlist as a first-line guard, not a complete
/// sandbox.  Full sandboxing requires OS-level mechanisms (seccomp,
/// pledge, containers, etc.).
#[tokio::test]
async fn test_allowlist_prefix_only_does_not_stop_chained_commands() {
    let bash = BashTool::new(Platform::Linux).with_allowed_commands(vec!["echo".to_string()]);
    // "echo hello && date" starts with "echo" so it passes the prefix check,
    // and then the shell also executes `date` — demonstrating that allowlist
    // checking only inspects the command prefix, not the full pipeline.
    // No destructive commands are used; the test is purely observational.
    let r = bash.execute("echo hello && date").await;
    // The allowlist check passes; date runs fine.
    // The important thing is that CommandDenied was NOT returned.
    if let Err(BashError::CommandDenied(_)) = r {
        panic!(
            "prefix-only allowlist should NOT block chained commands — \
             this test documents the known limitation"
        );
    }
}

// ─── 5. Environment variables ─────────────────────────────────────────────────

#[tokio::test]
async fn test_single_env_var_is_visible() {
    let bash =
        BashTool::new(Platform::Linux).with_env_var("MY_VAR".to_string(), "my_value".to_string());
    let r = bash.execute("echo $MY_VAR").await.unwrap();
    assert!(r.success);
    assert_eq!(r.stdout.trim(), "my_value");
}

#[tokio::test]
async fn test_multiple_env_vars_are_all_visible() {
    let bash = BashTool::new(Platform::Linux)
        .with_env_var("VAR_A".to_string(), "alpha".to_string())
        .with_env_var("VAR_B".to_string(), "beta".to_string())
        .with_env_var("VAR_C".to_string(), "gamma".to_string());
    let r = bash.execute("echo $VAR_A $VAR_B $VAR_C").await.unwrap();
    assert!(r.success);
    let out = r.stdout.trim();
    assert!(out.contains("alpha"));
    assert!(out.contains("beta"));
    assert!(out.contains("gamma"));
}

#[tokio::test]
async fn test_env_var_with_spaces_in_value() {
    let bash = BashTool::new(Platform::Linux)
        .with_env_var("GREETING".to_string(), "hello world".to_string());
    let r = bash.execute("echo \"$GREETING\"").await.unwrap();
    assert!(r.success);
    assert!(r.stdout.contains("hello world"));
}

// ─── 6. Platform ──────────────────────────────────────────────────────────────

#[tokio::test]
async fn test_platform_linux() {
    let bash = BashTool::new(Platform::Linux);
    assert_eq!(bash.platform(), Platform::Linux);
    assert_eq!(bash.platform().shell_path(), "/bin/bash");
}

#[tokio::test]
async fn test_platform_macos() {
    let bash = BashTool::new(Platform::macOS);
    assert_eq!(bash.platform(), Platform::macOS);
    assert_eq!(bash.platform().shell_path(), "/bin/bash");
}

#[tokio::test]
async fn test_default_platform_is_linux() {
    let bash = BashTool::default();
    assert_eq!(bash.platform(), Platform::Linux);
    assert_eq!(bash.timeout_secs(), 30);
}

#[tokio::test]
async fn test_platform_actually_runs_bash() {
    // Confirm the tool really executes through bash (not sh or zsh).
    let bash = BashTool::new(if is_macos() {
        Platform::macOS
    } else {
        Platform::Linux
    });
    let r = bash.execute("echo $BASH_VERSION").await.unwrap();
    assert!(r.success);
    // BASH_VERSION is non-empty only when running under bash.
    assert!(
        !r.stdout.trim().is_empty(),
        "BASH_VERSION should be set when running through bash"
    );
}

// ─── 7. CWD restriction ───────────────────────────────────────────────────────

#[tokio::test]
async fn test_cwd_restriction_sets_working_directory() {
    // The shell's $PWD must equal the configured restriction.
    let bash = BashTool::new(Platform::Linux).with_cwd_restriction(PathBuf::from("/tmp"));
    let r = bash.execute("pwd").await.unwrap();
    assert!(r.success);
    // On macOS /tmp is a symlink to /private/tmp; canonicalise both sides.
    let got = r.stdout.trim().to_string();
    let got_canon = std::fs::canonicalize(&got).unwrap_or_else(|_| PathBuf::from(&got));
    let exp_canon = std::fs::canonicalize("/tmp").unwrap_or_else(|_| PathBuf::from("/tmp"));
    assert_eq!(
        got_canon, exp_canon,
        "cwd restriction must set the process working directory"
    );
}

#[tokio::test]
async fn test_cwd_restriction_files_are_relative_to_restricted_dir() {
    // Creating a file with a relative path must land inside the restricted dir.
    let dir = tempfile::tempdir().unwrap();
    let dir_path = dir.path().to_path_buf();

    let bash = BashTool::new(Platform::Linux).with_cwd_restriction(dir_path.clone());
    let r = bash
        .execute("touch cwd_test_marker.txt && echo ok")
        .await
        .unwrap();
    assert!(r.success);
    assert!(
        dir_path.join("cwd_test_marker.txt").exists(),
        "file created with relative path must land in the restricted dir"
    );
}

// ─── 8. Thread safety — concurrent execution ─────────────────────────────────

#[tokio::test]
async fn test_shared_tool_survives_concurrent_execution() {
    let bash = Arc::new(BashTool::new(Platform::Linux).with_timeout(10));
    let mut handles = Vec::new();

    for i in 0u32..10 {
        let b = bash.clone();
        handles.push(tokio::spawn(async move {
            let r = b.execute(&format!("echo {}", i)).await.unwrap();
            assert!(r.success);
            assert_eq!(r.stdout.trim(), i.to_string());
        }));
    }

    for h in handles {
        h.await.expect("task should not panic");
    }
}

#[tokio::test]
async fn test_tool_is_reusable_across_many_sequential_calls() {
    let bash = BashTool::new(Platform::Linux);
    for i in 0..20 {
        let r = bash.execute(&format!("echo {}", i)).await.unwrap();
        assert!(r.success);
        assert_eq!(r.stdout.trim(), i.to_string());
    }
}

// ─── 8b. Output size limit ────────────────────────────────────────────────────

#[tokio::test]
async fn test_output_within_limit_succeeds() {
    // Default limit is 10 MB; a small output must complete normally.
    let bash = BashTool::new(Platform::Linux);
    let r = bash.execute("echo small").await.unwrap();
    assert!(r.success);
    assert_eq!(r.stdout.trim(), "small");
}

#[tokio::test]
async fn test_output_exceeding_limit_returns_output_too_large() {
    // Set a tiny limit (1024 bytes) and generate more output than that.
    let bash = BashTool::new(Platform::Linux).with_max_output_size(1024);
    // Generate ~10 KB of output — well over the 1 KB limit.
    let result = bash.execute("yes x | head -c 10000").await;
    assert!(
        result.is_err(),
        "output exceeding the limit must return Err"
    );
    match result.unwrap_err() {
        BashError::OutputTooLarge(_) => {}
        other => panic!("expected OutputTooLarge, got: {}", other),
    }
}

#[tokio::test]
async fn test_output_at_exact_limit_succeeds() {
    // Output of exactly `limit` bytes must not trip the guard.
    // We generate exactly 100 bytes (100 'x' characters) with limit = 200.
    let bash = BashTool::new(Platform::Linux).with_max_output_size(200);
    let r = bash.execute("printf '%0.s x' {1..50}").await.unwrap();
    assert!(r.success);
}

// ─── 9. BashProtocol (ToolProtocol integration) ──────────────────────────────

#[tokio::test]
async fn test_protocol_name_is_bash() {
    let bash_tool = Arc::new(BashTool::new(Platform::Linux));
    let proto = BashProtocol::new(bash_tool);
    assert_eq!(proto.protocol_name(), "bash");
}

#[tokio::test]
async fn test_list_tools_returns_one_bash_tool() {
    let proto = BashProtocol::new(Arc::new(BashTool::new(Platform::Linux)));
    let tools = proto.list_tools().await.unwrap();
    assert_eq!(tools.len(), 1);
    assert_eq!(tools[0].name, "bash");
    assert!(!tools[0].description.is_empty());
    assert_eq!(tools[0].parameters.len(), 1);
    assert_eq!(tools[0].parameters[0].name, "command");
    assert!(tools[0].parameters[0].required);
}

#[tokio::test]
async fn test_get_tool_metadata_bash() {
    let proto = BashProtocol::new(Arc::new(BashTool::new(Platform::Linux)));
    let meta = proto.get_tool_metadata("bash").await.unwrap();
    assert_eq!(meta.name, "bash");
    assert!(meta
        .parameters
        .iter()
        .any(|p| p.name == "command" && p.required));
}

#[tokio::test]
async fn test_get_tool_metadata_unknown_returns_err() {
    let proto = BashProtocol::new(Arc::new(BashTool::new(Platform::Linux)));
    let r = proto.get_tool_metadata("nonexistent_tool").await;
    assert!(r.is_err(), "unknown tool name must return Err");
}

#[tokio::test]
async fn test_protocol_execute_success_returns_tool_result_success() {
    let proto = BashProtocol::new(Arc::new(BashTool::new(Platform::Linux)));
    let tr = proto
        .execute("bash", serde_json::json!({"command": "echo hi"}))
        .await
        .unwrap();
    assert!(tr.success);
    assert_eq!(tr.output["stdout"].as_str().unwrap().trim(), "hi");
    assert_eq!(tr.output["exit_code"].as_i64().unwrap(), 0);
    assert!(tr.output["duration_ms"].as_u64().unwrap() > 0);
}

/// Bash commands that exit with non-zero are "completed" at the protocol level:
/// `ToolResult.success` is `true` (the *call* succeeded) but `exit_code` is non-zero.
#[tokio::test]
async fn test_protocol_execute_nonzero_exit_returns_tool_success() {
    let proto = BashProtocol::new(Arc::new(BashTool::new(Platform::Linux)));
    // `false` exits 1 — the protocol call itself does not error.
    let tr = proto
        .execute("bash", serde_json::json!({"command": "false"}))
        .await
        .unwrap();
    assert!(
        tr.success,
        "ToolResult.success reflects whether the protocol call succeeded, \
         not whether the command exited 0"
    );
    assert_ne!(
        tr.output["exit_code"].as_i64().unwrap(),
        0,
        "exit_code in the output payload must reflect the command's actual exit code"
    );
}

/// Denied commands translate to `Ok(ToolResult::failure)`, NOT a protocol-level `Err`.
/// Callers should inspect `tr.success` and `tr.error`, not `is_err()`.
#[tokio::test]
async fn test_protocol_execute_denied_command_returns_tool_failure() {
    let proto = BashProtocol::new(Arc::new(
        BashTool::new(Platform::Linux).with_denied_commands(vec!["rm".to_string()]),
    ));
    let tr = proto
        .execute("bash", serde_json::json!({"command": "rm -rf /"}))
        .await
        .unwrap(); // method must return Ok(...)
    assert!(!tr.success, "denied command must yield ToolResult failure");
    assert!(
        tr.error.as_deref().unwrap_or("").contains("denied")
            || tr.error.as_deref().unwrap_or("").contains("Command"),
        "error message should mention denial; got: {:?}",
        tr.error
    );
}

/// Timed-out commands also translate to `Ok(ToolResult::failure)`.
#[tokio::test]
async fn test_protocol_execute_timeout_returns_tool_failure() {
    let proto = BashProtocol::new(Arc::new(BashTool::new(Platform::Linux).with_timeout(1)));
    let tr = proto
        .execute("bash", serde_json::json!({"command": "sleep 10"}))
        .await
        .unwrap();
    assert!(
        !tr.success,
        "timed-out command must yield ToolResult failure"
    );
    assert!(
        tr.error
            .as_deref()
            .unwrap_or("")
            .to_lowercase()
            .contains("timeout"),
        "error message should mention timeout; got: {:?}",
        tr.error
    );
}

#[tokio::test]
async fn test_protocol_execute_missing_command_param_returns_err() {
    let proto = BashProtocol::new(Arc::new(BashTool::new(Platform::Linux)));
    // No "command" key in the parameters object.
    let r = proto
        .execute("bash", serde_json::json!({"not_command": "echo hi"}))
        .await;
    assert!(r.is_err(), "missing 'command' parameter must return Err");
}

#[tokio::test]
async fn test_protocol_execute_stderr_captured_in_output() {
    let proto = BashProtocol::new(Arc::new(BashTool::new(Platform::Linux)));
    let tr = proto
        .execute("bash", serde_json::json!({"command": "echo err_text >&2"}))
        .await
        .unwrap();
    assert!(tr.success);
    assert!(
        tr.output["stderr"]
            .as_str()
            .unwrap_or("")
            .contains("err_text"),
        "stderr must be surfaced in ToolResult output"
    );
}