ake/paperclip
1
0
Fork 0
mirror of https://github.com/alkimake/paperclip.git synced 2026-06-17 03:10:38 +09:00
Code Issues Projects Releases Packages Wiki Activity
paperclip/packages/plugins/paperclip-plugin-fake-sandbox/src/plugin.test.ts

229 lines
6.9 KiB
TypeScript
Raw Normal View History

Add sandbox environment support (#4415) ## Thinking Path > - Paperclip orchestrates AI agents for zero-human companies. > - The environment/runtime layer decides where agent work executes and how the control plane reaches those runtimes. > - Today Paperclip can run locally and over SSH, but sandboxed execution needs a first-class environment model instead of one-off adapter behavior. > - We also want sandbox providers to be pluggable so the core does not hardcode every provider implementation. > - This branch adds the Sandbox environment path, the provider contract, and a deterministic fake provider plugin. > - That required synchronized changes across shared contracts, plugin SDK surfaces, server runtime orchestration, and the UI environment/workspace flows. > - The result is that sandbox execution becomes a core control-plane capability while keeping provider implementations extensible and testable. ## What Changed - Added sandbox runtime support to the environment execution path, including runtime URL discovery, sandbox execution targeting, orchestration, and heartbeat integration. - Added plugin-provider support for sandbox environments so providers can be supplied via plugins instead of hardcoded server logic. - Added the fake sandbox provider plugin with deterministic behavior suitable for local and automated testing. - Updated shared types, validators, plugin protocol definitions, and SDK helpers to carry sandbox provider and workspace-runtime contracts across package boundaries. - Updated server routes and services so companies can create sandbox environments, select them for work, and execute work through the sandbox runtime path. - Updated the UI environment and workspace surfaces to expose sandbox environment configuration and selection. - Added test coverage for sandbox runtime behavior, provider seams, environment route guards, orchestration, and the fake provider plugin. ## Verification - Ran locally before the final fixture-only scrub: - `pnpm -r typecheck` - `pnpm test:run` - `pnpm build` - Ran locally after the final scrub amend: - `pnpm vitest run server/src/__tests__/runtime-api.test.ts` - Reviewer spot checks: - create a sandbox environment backed by the fake provider plugin - run work through that environment - confirm sandbox provider execution does not inherit host secrets implicitly ## Risks - This touches shared contracts, plugin SDK plumbing, server runtime orchestration, and UI environment/workspace flows, so regressions would likely show up as cross-layer mismatches rather than isolated type errors. - Runtime URL discovery and sandbox callback selection are sensitive to host/bind configuration; if that logic is wrong, sandbox-backed callbacks may fail even when execution succeeds. - The fake provider plugin is intentionally deterministic and test-oriented; future providers may expose capability gaps that this branch does not yet cover. ## Model Used - OpenAI Codex coding agent on a GPT-5-class backend in the Paperclip/Codex harness. Exact backend model ID is not exposed in-session. Tool-assisted workflow with shell execution, file editing, git history inspection, and local test execution. ## Checklist - [x] I have included a thinking path that traces from project context to this change - [x] I have specified the model used (with version and capability details) - [x] I have checked ROADMAP.md and confirmed this PR does not duplicate planned core work - [x] I have run tests locally and they pass - [x] I have added or updated tests where applicable - [ ] If this change affects the UI, I have included before/after screenshots - [x] I have updated relevant documentation to reflect my changes - [x] I have considered and documented any risks above - [x] I will address all Greptile and reviewer comments before requesting merge
2026-04-24 12:15:53 -07:00
import { describe, expect, it } from "vitest";
import {
assertEnvironmentEventOrder,
createEnvironmentTestHarness,
} from "@paperclipai/plugin-sdk/testing";
import manifest from "./manifest.js";
import plugin from "./plugin.js";
describe("fake sandbox provider plugin", () => {
it("runs a deterministic provider lifecycle through environment hooks", async () => {
const definition = plugin.definition;
const harness = createEnvironmentTestHarness({
manifest,
environmentDriver: {
driverKey: "fake-plugin",
onValidateConfig: definition.onEnvironmentValidateConfig,
onProbe: definition.onEnvironmentProbe,
onAcquireLease: definition.onEnvironmentAcquireLease,
onResumeLease: definition.onEnvironmentResumeLease,
onReleaseLease: definition.onEnvironmentReleaseLease,
onDestroyLease: definition.onEnvironmentDestroyLease,
onRealizeWorkspace: definition.onEnvironmentRealizeWorkspace,
onExecute: definition.onEnvironmentExecute,
},
});
const base = {
driverKey: "fake-plugin",
companyId: "company-1",
environmentId: "env-1",
config: { image: "fake:test", reuseLease: false },
};
const validation = await harness.validateConfig({
driverKey: "fake-plugin",
config: base.config,
});
expect(validation).toMatchObject({
ok: true,
normalizedConfig: { image: "fake:test", reuseLease: false },
});
const probe = await harness.probe(base);
expect(probe).toMatchObject({
ok: true,
metadata: { provider: "fake-plugin", image: "fake:test" },
});
const lease = await harness.acquireLease({ ...base, runId: "run-1" });
expect(lease.providerLeaseId).toContain("fake-plugin://run-1/");
const realized = await harness.realizeWorkspace({
...base,
lease,
workspace: { mode: "isolated_workspace" },
});
expect(realized.cwd).toContain("paperclip-fake-sandbox-");
const executed = await harness.execute({
...base,
lease,
command: "sh",
args: ["-lc", "printf fake-plugin-ok"],
cwd: realized.cwd,
timeoutMs: 10_000,
});
expect(executed).toMatchObject({
exitCode: 0,
timedOut: false,
stdout: "fake-plugin-ok",
});
await harness.destroyLease({
...base,
providerLeaseId: lease.providerLeaseId,
});
assertEnvironmentEventOrder(harness.environmentEvents, [
"validateConfig",
"probe",
"acquireLease",
"realizeWorkspace",
"execute",
"destroyLease",
]);
});
it("does not expose host-only environment variables to executed commands", async () => {
const previousSecret = process.env.PAPERCLIP_FAKE_PLUGIN_HOST_SECRET;
process.env.PAPERCLIP_FAKE_PLUGIN_HOST_SECRET = "should-not-leak";
try {
const definition = plugin.definition;
const harness = createEnvironmentTestHarness({
manifest,
environmentDriver: {
driverKey: "fake-plugin",
onAcquireLease: definition.onEnvironmentAcquireLease,
onDestroyLease: definition.onEnvironmentDestroyLease,
onRealizeWorkspace: definition.onEnvironmentRealizeWorkspace,
onExecute: definition.onEnvironmentExecute,
},
});
const base = {
driverKey: "fake-plugin",
companyId: "company-1",
environmentId: "env-1",
config: { image: "fake:test", reuseLease: false },
};
const lease = await harness.acquireLease({ ...base, runId: "run-1" });
const realized = await harness.realizeWorkspace({
...base,
lease,
workspace: { mode: "isolated_workspace" },
});
const executed = await harness.execute({
...base,
lease,
command: "sh",
args: ["-lc", "test -z \"${PAPERCLIP_FAKE_PLUGIN_HOST_SECRET+x}\" && printf \"$EXPLICIT_ONLY\""],
cwd: realized.cwd,
env: { EXPLICIT_ONLY: "visible" },
timeoutMs: 10_000,
});
expect(executed).toMatchObject({
exitCode: 0,
timedOut: false,
stdout: "visible",
});
await harness.destroyLease({
...base,
providerLeaseId: lease.providerLeaseId,
});
} finally {
if (previousSecret === undefined) {
delete process.env.PAPERCLIP_FAKE_PLUGIN_HOST_SECRET;
} else {
process.env.PAPERCLIP_FAKE_PLUGIN_HOST_SECRET = previousSecret;
}
}
});
it("includes /usr/local/bin in the default PATH when no PATH override is provided", async () => {
const definition = plugin.definition;
const harness = createEnvironmentTestHarness({
manifest,
environmentDriver: {
driverKey: "fake-plugin",
onAcquireLease: definition.onEnvironmentAcquireLease,
onDestroyLease: definition.onEnvironmentDestroyLease,
onRealizeWorkspace: definition.onEnvironmentRealizeWorkspace,
onExecute: definition.onEnvironmentExecute,
},
});
const base = {
driverKey: "fake-plugin",
companyId: "company-1",
environmentId: "env-1",
config: { image: "fake:test", reuseLease: false },
};
const lease = await harness.acquireLease({ ...base, runId: "run-1" });
const realized = await harness.realizeWorkspace({
...base,
lease,
workspace: { mode: "isolated_workspace" },
});
const executed = await harness.execute({
...base,
lease,
command: "sh",
args: ["-lc", "printf %s \"$PATH\""],
cwd: realized.cwd,
timeoutMs: 10_000,
});
expect(executed.stdout).toContain("/usr/local/bin");
await harness.destroyLease({
...base,
providerLeaseId: lease.providerLeaseId,
});
});
it("escalates to SIGKILL after timeout if the child ignores SIGTERM", async () => {
const definition = plugin.definition;
const harness = createEnvironmentTestHarness({
manifest,
environmentDriver: {
driverKey: "fake-plugin",
onAcquireLease: definition.onEnvironmentAcquireLease,
onDestroyLease: definition.onEnvironmentDestroyLease,
onRealizeWorkspace: definition.onEnvironmentRealizeWorkspace,
onExecute: definition.onEnvironmentExecute,
},
});
const base = {
driverKey: "fake-plugin",
companyId: "company-1",
environmentId: "env-1",
config: { image: "fake:test", reuseLease: false },
};
const lease = await harness.acquireLease({ ...base, runId: "run-1" });
const realized = await harness.realizeWorkspace({
...base,
lease,
workspace: { mode: "isolated_workspace" },
});
const executed = await harness.execute({
...base,
lease,
command: "sh",
args: ["-lc", "trap '' TERM; while :; do sleep 1; done"],
cwd: realized.cwd,
timeoutMs: 100,
});
expect(executed.timedOut).toBe(true);
expect(executed.exitCode).toBeNull();
await harness.destroyLease({
...base,
providerLeaseId: lease.providerLeaseId,
});
});
});
Reference in a new issue Copy permalink