harivansh-afk/clanker-agent
1
1
Fork 0
mirror of https://github.com/harivansh-afk/clanker-agent.git synced 2026-04-19 18:04:45 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions

move pi-mono into companion-cloud as apps/companion-os

Browse source 
- Copy all pi-mono source into apps/companion-os/
- Update Dockerfile to COPY pre-built binary instead of downloading from GitHub Releases
- Update deploy-staging.yml to build pi from source (bun compile) before Docker build
- Add apps/companion-os/** to path triggers
- No more cross-repo dispatch needed

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
This commit is contained in:
Harivansh Rathi 2026-03-07 09:22:50 -08:00
commit 0250f72976
579 changed files with 206942 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

39
packages/pi-teams/src/utils/security.test.ts Normal file
View file

@ -0,0 +1,39 @@
import { describe, expect, it } from "vitest";
import { inboxPath, sanitizeName, teamDir } from "./paths";
describe("Security Audit - Path Traversal (Prevention Check)", () => {
it("should throw an error for path traversal via teamName", () => {
const maliciousTeamName = "../../etc";
expect(() => teamDir(maliciousTeamName)).toThrow();
});
it("should throw an error for path traversal via agentName", () => {
const teamName = "audit-team";
const maliciousAgentName = "../../../.ssh/id_rsa";
expect(() => inboxPath(teamName, maliciousAgentName)).toThrow();
});
it("should throw an error for path traversal via taskId", () => {
const maliciousTaskId = "../../../etc/passwd";
// We need to import readTask/updateTask or just sanitizeName directly if we want to test the logic
// But since we already tested sanitizeName via other paths, this is just for completeness.
expect(() => sanitizeName(maliciousTaskId)).toThrow();
});
});
describe("Security Audit - Command Injection (Fixed)", () => {
it("should not be vulnerable to command injection in spawn_teammate (via parameters)", () => {
const maliciousCwd = "; rm -rf / ;";
const name = "attacker";
const team_name = "audit-team";
const piBinary = "pi";
const cmd = `PI_TEAM_NAME=${team_name} PI_AGENT_NAME=${name} ${piBinary}`;
// Simulating what happens in spawn_teammate (extensions/index.ts)
const itermCmd = `cd '${maliciousCwd}' && ${cmd}`;
// The command becomes: cd '; rm -rf / ;' && PI_TEAM_NAME=audit-team PI_AGENT_NAME=attacker pi
expect(itermCmd).toContain("cd '; rm -rf / ;' &&");
expect(itermCmd).not.toContain("cd ; rm -rf / ; &&");
});
});