sk4nz/skz-sloptrap
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
e7112db3d7a5172c8b9b031447e9901ee281dd9a
skz-sloptrap/tests/README.md
Samuel Aubertin e7112db3d7 Harden launcher overrides and fix opencode backend regressions 
- remove codex auth mounts from opencode run/shell paths
  - reject opencode login and invalid backend values
  - harden opencode config writes against symlink clobbering
  - fix opencode build args and packages_extra handling
  - enforce cap-drop and read-only rootfs in runtime commands
  - reject dangerous runtime/build env overrides
  - update README and test docs to match actual behavior
  - extend regression coverage for backend safety and hardening
2026-04-16 18:17:17 +02:00

19 lines
1.6 KiB
Markdown
Raw Blame History

# Test Scenarios
This directory contains cases that stress sloptrap's hardening and deployment flow. Each subdirectory mimics a user repository and focuses on a single class of behaviour. Use `run_tests.sh` to execute the automated checks with stubbed tooling.
Current scenarios:
- `mount_injection/` — exercises `.sloptrapignore` entries with `,` and `=` to ensure mount escape characters remain escaped and forces `build_if_missing` to execute the Codex download/build path.
- `root_target/` — ensures attempts to mask the project root are rejected.
- `symlink_escape/` — confirms symlink targets resolving outside the project are blocked.
- `manifest_injection/` — ensures disallowed `make.*` overrides abort parsing.
- `helper_symlink/` — ensures `.sloptrap-ignores` cannot be a symlink to directories outside the project.
- `secret_mask/` — verifies masked files remain hidden even when sloptrap remaps the workspace mount.
- `resume_target/` — verifies the resume target passes the requested session identifier to Codex.
- `auth_file_mount` — verifies `~/.codex/auth.json` is mounted directly into `/codex/auth.json`.
- `runtime_hardening_flags` — verifies standard runs add `--cap-drop=ALL` and keep the root filesystem read-only.
- `project_state_isolation` — verifies different projects map `/codex` to different host state directories.
- `auto_login_empty_auth` — verifies an empty `auth.json` still triggers automatic login before the main target.
- `opencode_*` — exercises opencode build/download, localhost rewriting, config generation, and backend-specific safety checks.
Reference in New Issue View Git Blame Copy Permalink