nyx/tests/sb_trace_script.rs

//! `tools/sb-trace.sh` is the corpus walker that generates per-cap
//! seed files for the macOS sandbox-exec deny-default rollout.  Its
//! deny-record → allow-rule parser is implemented in bash; this test
//! drives the script's `--selftest` flag so the parser stays exercised
//! in CI on every host, including Linux runners that never run the
//! macOS-specific portion of the script.
//!
//! The selftest is a no-op when `bash` is not on PATH; CI rows that
//! lack a POSIX shell skip rather than fail.

use std::path::PathBuf;
use std::process::Command;

fn repo_root() -> PathBuf {
    PathBuf::from(env!("CARGO_MANIFEST_DIR"))
}

fn find_in_path(name: &str) -> Option<PathBuf> {
    let path = std::env::var_os("PATH")?;
    for dir in std::env::split_paths(&path) {
        let candidate = dir.join(name);
        if candidate.is_file() {
            return Some(candidate);
        }
    }
    None
}

#[test]
fn sb_trace_selftest_passes() {
    let script = repo_root().join("tools").join("sb-trace.sh");
    assert!(
        script.exists(),
        "tools/sb-trace.sh missing at {}",
        script.display()
    );

    let bash = match find_in_path("bash") {
        Some(p) => p,
        None => {
            eprintln!("SKIP: bash not on PATH; sb-trace.sh selftest cannot run");
            return;
        }
    };

    let output = Command::new(&bash)
        .arg(&script)
        .arg("--selftest")
        .output()
        .expect("invoke bash tools/sb-trace.sh --selftest");

    assert!(
        output.status.success(),
        "tools/sb-trace.sh --selftest failed: status={:?}\nstdout={}\nstderr={}",
        output.status,
        String::from_utf8_lossy(&output.stdout),
        String::from_utf8_lossy(&output.stderr),
    );

    let stdout = String::from_utf8_lossy(&output.stdout);
    assert!(
        stdout.contains("sb-trace selftest: all OK"),
        "expected selftest success banner; stdout was: {stdout}",
    );
}
Dynamic (#77) 2026-06-05 10:16:30 -05:00			//! `tools/sb-trace.sh` is the corpus walker that generates per-cap
			`//! seed files for the macOS sandbox-exec deny-default rollout. Its`
			`//! deny-record → allow-rule parser is implemented in bash; this test`
			//! drives the script's `--selftest` flag so the parser stays exercised
			`//! in CI on every host, including Linux runners that never run the`
			`//! macOS-specific portion of the script.`
			`//!`
			//! The selftest is a no-op when `bash` is not on PATH; CI rows that
			`//! lack a POSIX shell skip rather than fail.`

			`use std::path::PathBuf;`
			`use std::process::Command;`

			`fn repo_root() -> PathBuf {`
			`PathBuf::from(env!("CARGO_MANIFEST_DIR"))`
			`}`

			`fn find_in_path(name: &str) -> Option<PathBuf> {`
			`let path = std::env::var_os("PATH")?;`
			`for dir in std::env::split_paths(&path) {`
			`let candidate = dir.join(name);`
			`if candidate.is_file() {`
			`return Some(candidate);`
			`}`
			`}`
			`None`
			`}`

			`#[test]`
			`fn sb_trace_selftest_passes() {`
			`let script = repo_root().join("tools").join("sb-trace.sh");`
			`assert!(`
			`script.exists(),`
			`"tools/sb-trace.sh missing at {}",`
			`script.display()`
			`);`

			`let bash = match find_in_path("bash") {`
			`Some(p) => p,`
			`None => {`
			`eprintln!("SKIP: bash not on PATH; sb-trace.sh selftest cannot run");`
			`return;`
			`}`
			`};`

			`let output = Command::new(&bash)`
			`.arg(&script)`
			`.arg("--selftest")`
			`.output()`
			`.expect("invoke bash tools/sb-trace.sh --selftest");`

			`assert!(`
			`output.status.success(),`
			`"tools/sb-trace.sh --selftest failed: status={:?}\nstdout={}\nstderr={}",`
			`output.status,`
			`String::from_utf8_lossy(&output.stdout),`
			`String::from_utf8_lossy(&output.stderr),`
			`);`

			`let stdout = String::from_utf8_lossy(&output.stdout);`
			`assert!(`
			`stdout.contains("sb-trace selftest: all OK"),`
			`"expected selftest success banner; stdout was: {stdout}",`
			`);`
			`}`