sparrow-cli 0.5.1

A local-first Rust agent cockpit — route, run, replay, rewind
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227

use std::collections::HashMap;
use std::path::PathBuf;

#[cfg(not(target_os = "linux"))]
use sparrow::sandbox::HardenedSandbox;
use sparrow::sandbox::backends::{
    DaytonaSandbox, ModalSandbox, SingularitySandbox, VercelSandbox, WorktreeSandbox,
};
use sparrow::sandbox::{
    Command, FsNetPolicy, Limits, LocalSandbox, Sandbox, default_denied_paths, path_is_denied,
};

fn limits() -> Limits {
    Limits {
        timeout_ms: 5_000,
        max_output_bytes: 65_536,
    }
}

#[test]
fn path_is_denied_matches_components() {
    let denied = default_denied_paths();
    assert!(path_is_denied(&PathBuf::from("repo/.git/config"), &denied));
    assert!(path_is_denied(&PathBuf::from(".env"), &denied));
    assert!(path_is_denied(
        &PathBuf::from("home/user/.ssh/id_rsa"),
        &denied
    ));
    assert!(!path_is_denied(&PathBuf::from("src/main.rs"), &denied));
    assert!(!path_is_denied(
        &PathBuf::from("docs/git-notes.md"),
        &denied
    ));
}

#[tokio::test]
async fn workdir_outside_root_is_rejected() {
    let tmp = tempfile::tempdir().expect("tmp");
    let root = tmp.path().to_path_buf();
    let sandbox = LocalSandbox::new(root);

    // Workdir is the parent of root → escapes
    let parent = tmp.path().parent().unwrap().to_path_buf();
    let cmd = Command {
        program: if cfg!(windows) {
            "cmd".into()
        } else {
            "true".into()
        },
        args: vec![],
        env: HashMap::new(),
        workdir: parent,
    };
    let res = sandbox.exec(&cmd, &limits()).await;
    assert!(
        res.is_err(),
        "expected workdir-escape error, got {:?}",
        res.ok().map(|r| r.exit_code)
    );
}

#[tokio::test]
async fn arg_referring_to_protected_path_is_rejected() {
    let tmp = tempfile::tempdir().expect("tmp");
    let root = tmp.path().to_path_buf();
    let policy = FsNetPolicy {
        allowed_paths: vec![root.clone()],
        allow_network: false,
        denied_paths: default_denied_paths(),
        env_allowlist: Vec::new(),
    };
    let sandbox = LocalSandbox::new(root.clone()).with_policy(policy);

    let cmd = Command {
        program: "echo".into(),
        args: vec!["read".into(), ".git/config".into()],
        env: HashMap::new(),
        workdir: root,
    };
    let res = sandbox.exec(&cmd, &limits()).await;
    assert!(res.is_err(), "protected path arg should be rejected");
}

#[tokio::test]
async fn env_allowlist_filters_environment() {
    let tmp = tempfile::tempdir().expect("tmp");
    let root = tmp.path().to_path_buf();

    let policy = FsNetPolicy {
        allowed_paths: vec![root.clone()],
        allow_network: true,
        denied_paths: vec![], // disable for this check
        env_allowlist: vec!["KEEP".into()],
    };
    let sandbox = LocalSandbox::new(root.clone()).with_policy(policy);

    let mut env = HashMap::new();
    env.insert("KEEP".into(), "yes".into());
    env.insert("STRIP".into(), "no".into());

    // On Windows, `cmd /c echo %KEEP% %STRIP%` would render literal `%STRIP%`
    // if STRIP is unset; on POSIX we use `sh -c 'echo $KEEP $STRIP'`.
    let (program, args) = if cfg!(windows) {
        (
            "cmd".to_string(),
            vec!["/c".into(), "echo %KEEP%-%STRIP%".into()],
        )
    } else {
        (
            "sh".to_string(),
            vec!["-c".into(), "echo \"$KEEP-$STRIP\"".into()],
        )
    };

    let cmd = Command {
        program,
        args,
        env,
        workdir: root,
    };
    let res = sandbox.exec(&cmd, &limits()).await.expect("exec ok");
    let out = res.stdout.trim().to_string();
    assert!(out.contains("yes"), "KEEP must be forwarded, got {:?}", out);
    assert!(
        !out.contains("no"),
        "STRIP must be filtered out, got {:?}",
        out
    );
}

#[tokio::test]
async fn modal_returns_honest_error_when_cli_missing() {
    let tmp = tempfile::tempdir().expect("tmp");
    let root = tmp.path().to_path_buf();
    let sandbox = ModalSandbox::new(root.clone());
    let cmd = Command {
        program: "echo".into(),
        args: vec!["hi".into()],
        env: HashMap::new(),
        workdir: root,
    };
    let res = sandbox.exec(&cmd, &limits()).await.expect("exec call");
    // Modal CLI is not installed in CI → must return exit 127 and a clear stderr.
    // (If a developer happens to have `modal` installed this test will still pass
    // because we only assert a property when the CLI is absent.)
    let modal_present = std::process::Command::new("modal")
        .arg("--version")
        .stdout(std::process::Stdio::null())
        .stderr(std::process::Stdio::null())
        .status()
        .map(|s| s.success())
        .unwrap_or(false);
    if !modal_present {
        assert_eq!(res.exit_code, 127);
        assert!(
            res.stderr.contains("not found") || res.stderr.contains("unavailable"),
            "stderr must be clear, got: {:?}",
            res.stderr
        );
    }
}

#[tokio::test]
async fn daytona_vercel_singularity_also_honest_when_missing() {
    let tmp = tempfile::tempdir().expect("tmp");
    let root = tmp.path().to_path_buf();
    for sb in [
        Box::new(DaytonaSandbox::new(root.clone())) as Box<dyn Sandbox>,
        Box::new(VercelSandbox::new(root.clone())),
        Box::new(SingularitySandbox::new(root.clone())),
    ] {
        let cmd = Command {
            program: "echo".into(),
            args: vec!["hi".into()],
            env: HashMap::new(),
            workdir: root.clone(),
        };
        let res = sb.exec(&cmd, &limits()).await.expect("exec call");
        // We never want a fake success when the CLI is missing.
        if res.exit_code != 0 {
            assert!(
                !res.stderr.is_empty(),
                "missing-CLI failures must report a reason"
            );
        }
    }
}

#[test]
fn worktree_sandbox_rejects_non_git_root() {
    let tmp = tempfile::tempdir().expect("tmp");
    let parent = tempfile::tempdir().expect("tmp2");
    let res = WorktreeSandbox::create(tmp.path(), parent.path(), "sparrow-test");
    let err = match res {
        Ok(_) => panic!("non-git root must fail clearly"),
        Err(e) => e.to_string(),
    };
    assert!(err.contains("git repo"), "error must explain why: {}", err);
}

#[cfg(not(target_os = "linux"))]
#[tokio::test]
async fn hardened_sandbox_non_linux_reports_honest_failure() {
    let tmp = tempfile::tempdir().expect("tmp");
    let root = tmp.path().to_path_buf();
    let sandbox = HardenedSandbox::new(root.clone());
    let cmd = Command {
        program: if cfg!(windows) {
            "cmd".into()
        } else {
            "true".into()
        },
        args: vec![],
        env: HashMap::new(),
        workdir: root,
    };
    let res = sandbox.exec(&cmd, &limits()).await.expect("exec result");
    assert_eq!(
        res.exit_code, 127,
        "unsupported hardened sandbox must not report success"
    );
    assert!(
        res.stderr.contains("requires Linux"),
        "stderr must explain unsupported platform, got {:?}",
        res.stderr
    );
}