roboticus-agent 0.10.0

Agent core with ReAct loop, policy engine, injection defense, memory system, and skill loader
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236

//! Verify all filesystem tools respect `tool_allowed_paths` consistently.

use super::*;
use std::path::PathBuf;

fn ctx_with_allowed(root: PathBuf, allowed: Vec<PathBuf>) -> ToolContext {
    ToolContext {
        session_id: "test-sandbox".into(),
        agent_id: "test-agent".into(),
        agent_name: "test-agent".into(),
        authority: InputAuthority::Creator,
        workspace_root: root,
        tool_allowed_paths: allowed,
        channel: None,
        db: None,
        sandbox: ToolSandboxSnapshot::default(),
    }
}

fn setup_allowed_dir() -> (tempfile::TempDir, PathBuf, tempfile::TempDir, PathBuf) {
    let ws_dir = tempfile::tempdir().unwrap();
    let ws_root = std::fs::canonicalize(ws_dir.path()).unwrap();
    std::fs::write(ws_root.join("local.txt"), "workspace file").unwrap();

    let ext_dir = tempfile::tempdir().unwrap();
    let ext_root = std::fs::canonicalize(ext_dir.path()).unwrap();
    std::fs::write(ext_root.join("external.txt"), "external file").unwrap();
    std::fs::create_dir_all(ext_root.join("sub")).unwrap();
    std::fs::write(ext_root.join("sub/nested.txt"), "nested").unwrap();

    (ws_dir, ws_root, ext_dir, ext_root)
}

#[tokio::test]
async fn read_file_respects_allowed_paths() {
    let (_ws, ws_root, _ext, ext_root) = setup_allowed_dir();
    let ctx = ctx_with_allowed(ws_root, vec![ext_root.clone()]);
    let tool = ReadFileTool;
    let result = tool
        .execute(
            serde_json::json!({"path": ext_root.join("external.txt").to_str().unwrap()}),
            &ctx,
        )
        .await;
    assert!(result.is_ok(), "got: {:?}", result);
    assert!(result.unwrap().output.contains("external file"));
}

#[tokio::test]
async fn read_file_blocks_unallowed_absolute() {
    let (_ws, ws_root, _ext, ext_root) = setup_allowed_dir();
    // Do NOT add ext_root to allowed
    let ctx = ctx_with_allowed(ws_root, vec![]);
    let tool = ReadFileTool;
    let result = tool
        .execute(
            serde_json::json!({"path": ext_root.join("external.txt").to_str().unwrap()}),
            &ctx,
        )
        .await;
    assert!(result.is_err());
}

#[tokio::test]
async fn write_file_respects_allowed_paths() {
    let (_ws, ws_root, _ext, ext_root) = setup_allowed_dir();
    let ctx = ctx_with_allowed(ws_root, vec![ext_root.clone()]);
    let tool = WriteFileTool;
    let target = ext_root.join("new_file.txt");
    let result = tool
        .execute(
            serde_json::json!({
                "path": target.to_str().unwrap(),
                "content": "written via tool"
            }),
            &ctx,
        )
        .await;
    assert!(result.is_ok(), "got: {:?}", result);
    assert_eq!(
        std::fs::read_to_string(&target).unwrap(),
        "written via tool"
    );
}

#[tokio::test]
async fn write_file_blocks_unallowed_path() {
    let (_ws, ws_root, _ext, ext_root) = setup_allowed_dir();
    let ctx = ctx_with_allowed(ws_root, vec![]); // no allowed
    let tool = WriteFileTool;
    let result = tool
        .execute(
            serde_json::json!({
                "path": ext_root.join("sneaky.txt").to_str().unwrap(),
                "content": "nope"
            }),
            &ctx,
        )
        .await;
    assert!(result.is_err());
}

#[tokio::test]
async fn list_dir_respects_allowed_paths() {
    let (_ws, ws_root, _ext, ext_root) = setup_allowed_dir();
    let ctx = ctx_with_allowed(ws_root, vec![ext_root.clone()]);
    let tool = ListDirectoryTool;
    let result = tool
        .execute(
            serde_json::json!({"path": ext_root.to_str().unwrap()}),
            &ctx,
        )
        .await;
    assert!(result.is_ok(), "got: {:?}", result);
    assert!(result.unwrap().output.contains("external.txt"));
}

#[tokio::test]
async fn list_dir_blocks_unallowed_path() {
    let (_ws, ws_root, _ext, ext_root) = setup_allowed_dir();
    let ctx = ctx_with_allowed(ws_root, vec![]); // no allowed
    let tool = ListDirectoryTool;
    let result = tool
        .execute(
            serde_json::json!({"path": ext_root.to_str().unwrap()}),
            &ctx,
        )
        .await;
    assert!(result.is_err());
}

#[tokio::test]
async fn search_files_respects_allowed_paths() {
    let (_ws, ws_root, _ext, ext_root) = setup_allowed_dir();
    let ctx = ctx_with_allowed(ws_root, vec![ext_root.clone()]);
    let tool = SearchFilesTool;
    let result = tool
        .execute(
            serde_json::json!({
                "path": ext_root.to_str().unwrap(),
                "query": "external"
            }),
            &ctx,
        )
        .await;
    assert!(result.is_ok(), "got: {:?}", result);
}

#[tokio::test]
async fn grep_tool_respects_allowed_paths() {
    let (_ws, ws_root, _ext, ext_root) = setup_allowed_dir();
    let ctx = ctx_with_allowed(ws_root, vec![ext_root.clone()]);
    let tool = GlobFilesTool;
    let result = tool
        .execute(
            serde_json::json!({
                "path": ext_root.to_str().unwrap(),
                "pattern": "*.txt"
            }),
            &ctx,
        )
        .await;
    assert!(result.is_ok(), "got: {:?}", result);
}

// ── BashTool cwd confinement tests ──────────────────────────

#[tokio::test]
async fn bash_cwd_in_allowed_path_ok() {
    let (_ws, ws_root, _ext, ext_root) = setup_allowed_dir();
    let ctx = ctx_with_allowed(ws_root, vec![ext_root.clone()]);
    let tool = BashTool;
    let result = tool
        .execute(
            serde_json::json!({
                "command": "ls",
                "cwd": ext_root.to_str().unwrap()
            }),
            &ctx,
        )
        .await;
    assert!(result.is_ok(), "got: {:?}", result);
    assert!(result.unwrap().output.contains("external.txt"));
}

#[tokio::test]
async fn bash_cwd_outside_allowed_blocked() {
    let (_ws, ws_root, _ext, ext_root) = setup_allowed_dir();
    let ctx = ctx_with_allowed(ws_root, vec![]);
    let tool = BashTool;
    let result = tool
        .execute(
            serde_json::json!({
                "command": "ls",
                "cwd": ext_root.to_str().unwrap()
            }),
            &ctx,
        )
        .await;
    assert!(result.is_err());
}

#[tokio::test]
async fn bash_cwd_workspace_relative_ok() {
    let (_ws, ws_root, _ext, _ext_root) = setup_allowed_dir();
    let ctx = ctx_with_allowed(ws_root, vec![]);
    let tool = BashTool;
    let result = tool
        .execute(
            serde_json::json!({
                "command": "echo ok",
                "cwd": "."
            }),
            &ctx,
        )
        .await;
    assert!(result.is_ok(), "got: {:?}", result);
    assert!(result.unwrap().output.contains("ok"));
}

#[tokio::test]
async fn bash_cwd_traversal_blocked() {
    let (_ws, ws_root, _ext, _ext_root) = setup_allowed_dir();
    let ctx = ctx_with_allowed(ws_root, vec![]);
    let tool = BashTool;
    let result = tool
        .execute(
            serde_json::json!({
                "command": "echo pwned",
                "cwd": "../../tmp"
            }),
            &ctx,
        )
        .await;
    assert!(result.is_err());
}