readd tests, remove markdown files

2026-02-17 16:08:53 -08:00 · 2026-02-17 16:08:53 -08:00 · 9a6fa76825
commit 9a6fa76825
parent e2634c72c2
17 changed files with 1352 additions and 0 deletions
--- a/src/runtime/docker.rs
+++ b/src/runtime/docker.rs
@ -196,4 +196,76 @@ mod tests {

        assert!(result.is_err());
    }
+
+    // ── §3.3 / §3.4 Docker mount & network isolation tests ──
+
+    #[test]
+    fn docker_build_shell_command_includes_network_flag() {
+        let cfg = DockerRuntimeConfig {
+            network: "none".into(),
+            ..DockerRuntimeConfig::default()
+        };
+        let runtime = DockerRuntime::new(cfg);
+        let workspace = std::env::temp_dir();
+        let cmd = runtime
+            .build_shell_command("echo hello", &workspace)
+            .unwrap();
+        let debug = format!("{cmd:?}");
+        assert!(
+            debug.contains("--network") && debug.contains("none"),
+            "must include --network none for isolation"
+        );
+    }
+
+    #[test]
+    fn docker_build_shell_command_includes_read_only_flag() {
+        let cfg = DockerRuntimeConfig {
+            read_only_rootfs: true,
+            ..DockerRuntimeConfig::default()
+        };
+        let runtime = DockerRuntime::new(cfg);
+        let workspace = std::env::temp_dir();
+        let cmd = runtime
+            .build_shell_command("echo hello", &workspace)
+            .unwrap();
+        let debug = format!("{cmd:?}");
+        assert!(
+            debug.contains("--read-only"),
+            "must include --read-only flag when read_only_rootfs is set"
+        );
+    }
+
+    #[cfg(unix)]
+    #[test]
+    fn docker_refuses_root_mount() {
+        let cfg = DockerRuntimeConfig {
+            mount_workspace: true,
+            ..DockerRuntimeConfig::default()
+        };
+        let runtime = DockerRuntime::new(cfg);
+        let result = runtime.build_shell_command("echo test", Path::new("/"));
+        assert!(
+            result.is_err(),
+            "mounting filesystem root (/) must be refused"
+        );
+        assert!(result.unwrap_err().to_string().contains("root"));
+    }
+
+    #[test]
+    fn docker_no_memory_flag_when_not_configured() {
+        let cfg = DockerRuntimeConfig {
+            memory_limit_mb: None,
+            ..DockerRuntimeConfig::default()
+        };
+        let runtime = DockerRuntime::new(cfg);
+        let workspace = std::env::temp_dir();
+        let cmd = runtime
+            .build_shell_command("echo hello", &workspace)
+            .unwrap();
+        let debug = format!("{cmd:?}");
+        assert!(
+            !debug.contains("--memory"),
+            "should not include --memory when not configured"
+        );
+    }
 }