mino 1.6.0

Secure AI agent sandbox using rootless containers
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289

//! Home volume setup for persistent per-project home directories

use crate::cli::args::RunArgs;
use crate::config::Config;
use crate::error::MinoResult;
use crate::home::{self, HomeVolume};
use crate::orchestration::ContainerRuntime;
use std::path::Path;
use tracing::debug;

use super::image::LAYER_BASE_IMAGE;

/// Set up a persistent home volume for the project, if applicable.
///
/// Returns `Some("volume_name:/home/developer")` when a home volume should
/// be mounted, or `None` when home volumes are disabled or not applicable.
pub(super) async fn setup_home_volume(
    runtime: &dyn ContainerRuntime,
    args: &RunArgs,
    config: &Config,
    project_dir: &Path,
    image: &str,
) -> MinoResult<Option<String>> {
    // Guard: disabled by CLI flag or config
    if args.no_home || !config.home.enabled {
        debug!("Home volume disabled by flag/config");
        return Ok(None);
    }

    // Guard: only for mino-managed images
    if !is_mino_image(image) {
        debug!("Skipping home volume for custom image: {}", image);
        return Ok(None);
    }

    // Guard: user-specified volume already targets /home/developer
    if has_home_mount(&args.volume, &config.container.volumes) {
        debug!("Skipping home volume: user-specified mount at /home/developer");
        return Ok(None);
    }

    let volume_name = home::home_volume_name(project_dir);

    // Check if volume already exists
    let existing = runtime.volume_inspect(&volume_name).await?;
    if existing.is_some() {
        debug!("Reusing existing home volume: {}", volume_name);
    } else {
        debug!("Creating home volume: {}", volume_name);
        let labels = HomeVolume::labels(project_dir);
        runtime.volume_create(&volume_name, &labels).await?;
    }

    Ok(Some(format!("{}:/home/developer", volume_name)))
}

/// Check whether the resolved image is a mino-managed image.
///
/// Returns true for the GHCR base image and composed layer images.
pub(super) fn is_mino_image(image: &str) -> bool {
    image == LAYER_BASE_IMAGE || image.starts_with("mino-composed-")
}

/// Check whether user-specified volumes include a mount at /home/developer.
pub(super) fn has_home_mount(cli_volumes: &[String], config_volumes: &[String]) -> bool {
    cli_volumes
        .iter()
        .chain(config_volumes.iter())
        .any(|v| v.contains(":/home/developer"))
}

#[cfg(test)]
mod tests {
    use super::*;
    use crate::orchestration::mock::MockRuntime;
    use crate::orchestration::VolumeInfo;
    use std::collections::HashMap;
    use std::path::PathBuf;
    use std::sync::Arc;

    fn test_args() -> RunArgs {
        RunArgs {
            name: None,
            project: None,
            aws: false,
            gcp: false,
            azure: false,
            all_clouds: false,
            no_ssh_agent: false,
            no_github: false,
            strict_credentials: false,
            image: None,
            layers: vec![],
            env: vec![],
            volume: vec![],
            detach: false,
            read_only: false,
            no_cache: false,
            no_home: false,
            cache_fresh: false,
            network: None,
            network_allow: vec![],
            network_preset: None,
            command: vec![],
        }
    }

    // -- setup_home_volume integration tests --

    #[tokio::test]
    async fn setup_creates_volume_on_miss() {
        let mock = Arc::new(MockRuntime::new());
        let args = test_args();
        let config = Config::default();
        let project = PathBuf::from("/tmp/test-project");

        let result = setup_home_volume(&*mock, &args, &config, &project, LAYER_BASE_IMAGE)
            .await
            .unwrap();

        assert!(result.is_some());
        assert!(result.unwrap().contains(":/home/developer"));
        mock.assert_called("volume_inspect", 1);
        mock.assert_called("volume_create", 1);
    }

    #[tokio::test]
    async fn setup_reuses_existing_volume() {
        use crate::orchestration::mock::MockResponse;
        let vol = VolumeInfo {
            name: "mino-home-existing".to_string(),
            labels: HashMap::new(),
            mountpoint: None,
            created_at: None,
            size_bytes: None,
        };
        let mock = Arc::new(MockRuntime::new().on(
            "volume_inspect",
            Ok(MockResponse::OptionalVolumeInfo(Some(vol))),
        ));
        let args = test_args();
        let config = Config::default();
        let project = PathBuf::from("/tmp/test-project");

        let result = setup_home_volume(&*mock, &args, &config, &project, LAYER_BASE_IMAGE)
            .await
            .unwrap();

        assert!(result.is_some());
        mock.assert_called("volume_inspect", 1);
        mock.assert_called("volume_create", 0);
    }

    #[tokio::test]
    async fn setup_disabled_by_no_home_flag() {
        let mock = Arc::new(MockRuntime::new());
        let mut args = test_args();
        args.no_home = true;
        let config = Config::default();
        let project = PathBuf::from("/tmp/test-project");

        let result = setup_home_volume(&*mock, &args, &config, &project, LAYER_BASE_IMAGE)
            .await
            .unwrap();

        assert!(result.is_none());
        mock.assert_called("volume_inspect", 0);
        mock.assert_called("volume_create", 0);
    }

    #[tokio::test]
    async fn setup_disabled_by_config() {
        let mock = Arc::new(MockRuntime::new());
        let args = test_args();
        let mut config = Config::default();
        config.home.enabled = false;
        let project = PathBuf::from("/tmp/test-project");

        let result = setup_home_volume(&*mock, &args, &config, &project, LAYER_BASE_IMAGE)
            .await
            .unwrap();

        assert!(result.is_none());
        mock.assert_called("volume_inspect", 0);
    }

    #[tokio::test]
    async fn setup_skips_custom_image() {
        let mock = Arc::new(MockRuntime::new());
        let args = test_args();
        let config = Config::default();
        let project = PathBuf::from("/tmp/test-project");

        let result = setup_home_volume(&*mock, &args, &config, &project, "fedora:43")
            .await
            .unwrap();

        assert!(result.is_none());
        mock.assert_called("volume_inspect", 0);
    }

    #[tokio::test]
    async fn setup_works_with_composed_image() {
        let mock = Arc::new(MockRuntime::new());
        let args = test_args();
        let config = Config::default();
        let project = PathBuf::from("/tmp/test-project");

        let result = setup_home_volume(
            &*mock,
            &args,
            &config,
            &project,
            "mino-composed-abc123def456",
        )
        .await
        .unwrap();

        assert!(result.is_some());
        mock.assert_called("volume_create", 1);
    }

    #[tokio::test]
    async fn setup_skips_when_user_volume_at_home() {
        let mock = Arc::new(MockRuntime::new());
        let mut args = test_args();
        args.volume = vec!["/my/dir:/home/developer".to_string()];
        let config = Config::default();
        let project = PathBuf::from("/tmp/test-project");

        let result = setup_home_volume(&*mock, &args, &config, &project, LAYER_BASE_IMAGE)
            .await
            .unwrap();

        assert!(result.is_none());
        mock.assert_called("volume_inspect", 0);
    }

    // -- is_mino_image tests --

    #[test]
    fn is_mino_image_base() {
        assert!(is_mino_image(LAYER_BASE_IMAGE));
    }

    #[test]
    fn is_mino_image_composed() {
        assert!(is_mino_image("mino-composed-abc123def456"));
    }

    #[test]
    fn is_mino_image_custom_false() {
        assert!(!is_mino_image("fedora:43"));
        assert!(!is_mino_image("custom:tag"));
        assert!(!is_mino_image("ghcr.io/other/image:latest"));
    }

    // -- has_home_mount tests --

    #[test]
    fn has_home_mount_cli_volume() {
        let cli = vec!["/my/dir:/home/developer".to_string()];
        assert!(has_home_mount(&cli, &[]));
    }

    #[test]
    fn has_home_mount_cli_volume_with_options() {
        let cli = vec!["/my/dir:/home/developer:rw".to_string()];
        assert!(has_home_mount(&cli, &[]));
    }

    #[test]
    fn has_home_mount_config_volume() {
        let config = vec!["/my/dir:/home/developer".to_string()];
        assert!(has_home_mount(&[], &config));
    }

    #[test]
    fn has_home_mount_no_match() {
        let cli = vec!["/my/dir:/workspace".to_string()];
        let config = vec!["/my/dir:/home/other".to_string()];
        assert!(!has_home_mount(&cli, &config));
    }

    #[test]
    fn has_home_mount_empty() {
        assert!(!has_home_mount(&[], &[]));
    }
}