initial: Syntrex extraction from sentinel-community (615 files)

2026-04-28 22:06:22 +02:00 · 2026-03-11 15:12:02 +10:00 · 2026-03-11 15:12:02 +10:00 · 2c50c993b1
commit 2c50c993b1
175 changed files with 32396 additions and 0 deletions
--- a/internal/domain/pivot/executor_test.go
+++ b/internal/domain/pivot/executor_test.go
@ -0,0 +1,109 @@
+package pivot
+
+import (
+	"bytes"
+	"os"
+	"testing"
+	"time"
+
+	"github.com/stretchr/testify/assert"
+)
+
+type mockOracle struct {
+	verdict string
+	reason  string
+}
+
+func (m *mockOracle) VerifyAction(action string) (string, string) {
+	return m.verdict, m.reason
+}
+
+func TestExecutor_NoZeroG(t *testing.T) {
+	dir := t.TempDir()
+	rec := &mockRecorder{}
+	e := NewExecutor(dir, nil, rec)
+
+	result := e.Execute("echo hello")
+	assert.False(t, result.ZeroGMode)
+	assert.Contains(t, result.Error, "ZERO-G mode required")
+	assert.True(t, len(rec.decisions) > 0)
+	assert.Contains(t, rec.decisions[0], "EXEC_BLOCKED")
+}
+
+func TestExecutor_OracleDeny(t *testing.T) {
+	dir := t.TempDir()
+	// Create .sentinel_leash with ZERO-G.
+	createLeash(t, dir, "ZERO-G")
+
+	oracle := &mockOracle{verdict: "DENY", reason: "denied by policy"}
+	rec := &mockRecorder{}
+	e := NewExecutor(dir+"/.rlm", oracle, rec)
+
+	result := e.Execute("rm -rf /")
+	assert.True(t, result.ZeroGMode)
+	assert.False(t, result.OraclePass)
+	assert.Contains(t, result.Error, "BLOCKED by Oracle")
+}
+
+func TestExecutor_Success(t *testing.T) {
+	dir := t.TempDir()
+	createLeash(t, dir, "ZERO-G")
+
+	oracle := &mockOracle{verdict: "ALLOW", reason: "stealth"}
+	rec := &mockRecorder{}
+	e := NewExecutor(dir+"/.rlm", oracle, rec)
+	e.SetTimeout(5 * time.Second)
+
+	result := e.Execute("echo hello_pivot")
+	assert.True(t, result.ZeroGMode)
+	assert.True(t, result.OraclePass)
+	assert.Equal(t, 0, result.ExitCode)
+	assert.Contains(t, result.Stdout, "hello_pivot")
+}
+
+func TestExecutor_StealthPrefix(t *testing.T) {
+	dir := t.TempDir()
+	createLeash(t, dir, "ZERO-G")
+
+	rec := &mockRecorder{}
+	e := NewExecutor(dir+"/.rlm", nil, rec) // no oracle = passthrough
+
+	result := e.Execute("stealth echo stealth_test")
+	assert.True(t, result.OraclePass)
+	assert.Contains(t, result.Stdout, "stealth_test")
+}
+
+func TestExecutor_Timeout(t *testing.T) {
+	dir := t.TempDir()
+	createLeash(t, dir, "ZERO-G")
+
+	rec := &mockRecorder{}
+	e := NewExecutor(dir+"/.rlm", nil, rec)
+	e.SetTimeout(100 * time.Millisecond)
+
+	result := e.Execute("ping -n 10 127.0.0.1")
+	assert.NotEqual(t, 0, result.ExitCode)
+}
+
+func TestParseCommand(t *testing.T) {
+	parts := parseCommand("stealth echo hello")
+	// Should strip "stealth " prefix.
+	assert.Equal(t, "cmd", parts[0])
+	assert.Equal(t, "/C", parts[1])
+	assert.Equal(t, "echo hello", parts[2])
+}
+
+func TestLimitedWriter(t *testing.T) {
+	var buf = new(bytes.Buffer)
+	lw := &limitedWriter{w: buf, limit: 10}
+	lw.Write([]byte("12345"))
+	lw.Write([]byte("67890"))
+	lw.Write([]byte("overflow")) // Should be silently discarded.
+	assert.Equal(t, "1234567890", buf.String())
+}
+
+func createLeash(t *testing.T, dir, mode string) {
+	t.Helper()
+	os.MkdirAll(dir+"/.rlm", 0o755)
+	os.WriteFile(dir+"/.sentinel_leash", []byte(mode), 0o644)
+}