"""Contract tests for the Tier 2 slash command, agent profile, and config fragment. These tests verify that the templates the bootstrap copies to the Tier 2 clone contain the protocol contract that Tier 2 autonomous relies on. """ import json import re from pathlib import Path COMMAND_PATH = Path("conductor/tier2/commands/tier-2-auto-execute.md") AGENT_PATH = Path("conductor/tier2/agents/tier2-autonomous.md") CONFIG_PATH = Path("conductor/tier2/opencode.json.fragment") def test_command_file_exists() -> None: assert COMMAND_PATH.exists() def test_command_prompt_no_appdata() -> None: """Regression test (2026-06-18, updated 2026-06-18 after Tier 2's project-relative relocation): the slash command prompt must NOT reference AppData paths and must point at the actual code defaults. The user directed 'NEVER USE APPDATA'. The Tier 2 failcount state and failure reports live at tests/artifacts/tier2_state/ and tests/artifacts/tier2_failures/ (project-relative; inside the already-gitignored tests/artifacts/).""" content = COMMAND_PATH.read_text(encoding="utf-8") assert "tests/artifacts/tier2_state" in content, "command prompt must point at tests/artifacts/tier2_state// for failcount state (Tier 2's project-relative default)" assert "" not in content, "command prompt must NOT reference (2026-06-18 NEVER USE APPDATA)" assert "AppData\\Local\\manual_slop\\tier2" not in content, "command prompt must NOT reference the AppData tier2 dir" def test_command_has_frontmatter() -> None: content = COMMAND_PATH.read_text(encoding="utf-8") assert re.match(r"^---\n.*?\n---\n", content, re.DOTALL) def test_command_takes_track_name_argument() -> None: content = COMMAND_PATH.read_text(encoding="utf-8") assert "$ARGUMENTS" in content assert "track-name" in content or "" in content def test_command_uses_git_switch_not_checkout() -> None: content = COMMAND_PATH.read_text(encoding="utf-8") assert "git switch -c" in content protocol_marker = "## Protocol" next_section_marker = "## Hard Bans" start = content.find(protocol_marker) end = content.find(next_section_marker) assert start != -1 and end != -1 protocol_section = content[start:end] import re as _re shell_lines = _re.findall(r"^\s*\d+\.\s*`(git [^`]+)`", protocol_section, _re.MULTILINE) assert shell_lines, "expected numbered git commands in protocol" assert all("checkout" not in line for line in shell_lines), f"protocol uses git checkout: {shell_lines}" def test_command_fetches_origin_master() -> None: content = COMMAND_PATH.read_text(encoding="utf-8") assert "git fetch origin master" in content def test_command_initializes_failcount_state() -> None: content = COMMAND_PATH.read_text(encoding="utf-8") assert "load_state" in content or "fresh state" in content.lower() def test_command_calls_should_give_up() -> None: content = COMMAND_PATH.read_text(encoding="utf-8") assert "should_give_up" in content def test_command_writes_report_on_give_up() -> None: content = COMMAND_PATH.read_text(encoding="utf-8") assert "write_failure_report" in content def test_command_prints_abort_banner() -> None: content = COMMAND_PATH.read_text(encoding="utf-8") assert "TRACK ABORTED" in content or "ABORTED" in content def test_agent_file_exists() -> None: assert AGENT_PATH.exists() def test_agent_denies_destructive_git() -> None: content = AGENT_PATH.read_text(encoding="utf-8") assert '"git push*": deny' in content assert '"git checkout*": deny' in content assert '"git restore*": deny' in content assert '"git reset*": deny' in content def test_agent_denies_temp_writes() -> None: """Regression test (2026-06-17, rewritten 2026-06-18, paths updated 2026-06-18 after Tier 2's project-relative relocation): 2026-06-17: the agent wrote an audit JSON to C:\\Users\\Ed\\AppData\\Local\\Temp\\, which is outside the sandbox allowlist, triggering the OpenCode session-level 'ask' prompt and halting ops. The agent's bash MUST deny commands targeting AppData\\Local\\Temp\\, and the agent prompt MUST tell the agent to use the sandbox's app-data dir for temp files. 2026-06-18: the user directed 'NEVER USE APPDATA'. The agent prompt must: - include the broader *AppData\\* bash deny rule (catches Local, LocalLow, Roaming, etc., not just Temp) - point at tests/artifacts/tier2_state//state.json for failcount state (Tier 2's project-relative default) - point at tests/artifacts/tier2_failures/ for failure reports - NOT reference AppData\\Local\\manual_slop\\tier2 (the old path)""" content = AGENT_PATH.read_text(encoding="utf-8") assert 'AppData\\Local\\Temp' in content, "agent prompt must include Temp deny rule in frontmatter bash (kept for self-documentation)" assert "*AppData\\\\*" in content, "agent prompt must include the broader *AppData\\* deny rule (added 2026-06-18)" assert "tests/artifacts/tier2_state" in content, "agent prompt must point agent at tests/artifacts/tier2_state// for failcount state (Tier 2's project-relative default)" assert "tests/artifacts/tier2_failures" in content, "agent prompt must point agent at tests/artifacts/tier2_failures/ for failure reports" assert "AppData\\Local\\manual_slop\\tier2" not in content, "agent prompt must NOT reference the AppData tier2 dir (2026-06-18 NEVER USE APPDATA)" def test_config_fragment_valid_json() -> None: data = json.loads(CONFIG_PATH.read_text(encoding="utf-8")) assert data["default_agent"] == "tier2-autonomous" perms = data["agent"]["tier2-autonomous"]["permission"] assert "git push*" in perms["bash"] assert "git checkout*" in perms["bash"] assert "git restore*" in perms["bash"] assert "git reset*" in perms["bash"] def test_config_fragment_has_top_level_model() -> None: """Top-level model MUST be minimax-coding-plan/MiniMax-M3 (the Tier 2 model), NOT the main repo's zai/glm-5. Regression test for the bug where the clone inherited the main repo's default model and Tier 2 ran on zai/glm-5 instead of MiniMax-M3 (2026-06-17).""" data = json.loads(CONFIG_PATH.read_text(encoding="utf-8")) assert "model" in data, "top-level model field is required" assert data["model"] == "minimax-coding-plan/MiniMax-M3", ( f"top-level model must be MiniMax-M3, got: {data['model']}" ) def test_config_fragment_has_top_level_permission() -> None: """Top-level permission.read/write MUST allow the sandbox dirs (added 2026-06-17 after the bug where the agent's permission.read was not enforced for the default agent, leading to ACCESS DENIED on manual_slop_tier2 paths).""" data = json.loads(CONFIG_PATH.read_text(encoding="utf-8")) assert "permission" in data top = data["permission"] assert "read" in top, "top-level permission.read is required" assert top["read"].get("*") == "deny", "top-level permission.read MUST deny *" assert top["read"].get("C:\\projects\\manual_slop_tier2\\**") == "allow", "sandbox clone path must be allowlisted" assert "write" in top assert top["write"].get("*") == "deny" assert top["write"].get("C:\\projects\\manual_slop_tier2\\**") == "allow" assert "bash" in top assert top["bash"].get("*") == "deny", "top-level bash MUST deny * (default agents are locked down)" assert top["bash"].get("git status*") == "allow", "read-only git commands must be in the allowlist" assert top["bash"].get("git push*") == "deny" assert top["bash"].get("git checkout*") == "deny" assert top["bash"].get("git restore*") == "deny" assert top["bash"].get("git reset*") == "deny" def test_config_fragment_denies_temp_writes() -> None: """Regression test (2026-06-17, expanded 2026-06-19 to catch all env-var forms): the agent wrote audit output to C:\\Users\\Ed\\AppData\\Local\\Temp\\ which is outside the sandbox. Both the top-level and the tier2-autonomous agent's bash MUST deny commands targeting the global temp dir in ANY form (literal path, $env:TEMP, $env:TMP, %TEMP%, %TMP%, GetTempPath, gettempdir, mkstemp, NamedTemporaryFile).""" data = json.loads(CONFIG_PATH.read_text(encoding="utf-8")) top_bash = data["permission"]["bash"] agent_bash = data["agent"]["tier2-autonomous"]["permission"]["bash"] # Required deny patterns (matched against the literal command string) required = [ "*AppData\\*", "*AppData\\Local\\Temp\\*", "*$env:TEMP*", "*$env:TMP*", "*%TEMP%*", "*%TMP%*", "*GetTempPath*", "*gettempdir*", "*mkstemp*", ] for pat in required: assert top_bash.get(pat) == "deny", f"top-level bash must deny pattern: {pat!r}" assert agent_bash.get(pat) == "deny", f"tier2-autonomous agent bash must deny pattern: {pat!r}"