From 690b4851ea0afd8b214ddaa5450eec3a8c3a7ec9 Mon Sep 17 00:00:00 2001 From: main Date: Tue, 24 Mar 2026 01:19:25 -0400 Subject: Share live Claude credentials with sandbox --- crates/phone-opus/tests/mcp_hardening.rs | 35 +++++++++++++++++++++++++++++++- 1 file changed, 34 insertions(+), 1 deletion(-) (limited to 'crates/phone-opus/tests') diff --git a/crates/phone-opus/tests/mcp_hardening.rs b/crates/phone-opus/tests/mcp_hardening.rs index 107a578..06861f8 100644 --- a/crates/phone-opus/tests/mcp_hardening.rs +++ b/crates/phone-opus/tests/mcp_hardening.rs @@ -209,6 +209,15 @@ if [ -n "${PHONE_OPUS_TEST_CWD_WRITE_PROBE_FILE:-}" ]; then printf 'write_failed\n' >"$PHONE_OPUS_TEST_CWD_WRITE_PROBE_FILE" fi fi +if [ -n "${PHONE_OPUS_TEST_CREDENTIAL_WRITE_PROBE_FILE:-}" ]; then + credentials_target="${HOME}/.claude/.credentials.json" + credentials_error="${PHONE_OPUS_TEST_CREDENTIAL_WRITE_ERROR_FILE:-/tmp/phone-opus-credentials.err}" + if : >>"$credentials_target" 2>"$credentials_error"; then + printf 'write_succeeded\n' >"$PHONE_OPUS_TEST_CREDENTIAL_WRITE_PROBE_FILE" + else + printf 'write_failed\n' >"$PHONE_OPUS_TEST_CREDENTIAL_WRITE_PROBE_FILE" + fi +fi if [ -n "${PHONE_OPUS_TEST_STDERR:-}" ]; then printf '%s\n' "$PHONE_OPUS_TEST_STDERR" >&2 fi @@ -331,6 +340,8 @@ fn consult_can_resume_a_prior_session_with_read_only_toolset_and_requested_worki let env_file = root.join("env.txt"); let cwd_probe_file = root.join("cwd-write-probe.txt"); let cwd_probe_error_file = root.join("cwd-write-probe.err"); + let credential_probe_file = root.join("credential-write-probe.txt"); + let credential_probe_error_file = root.join("credential-write-probe.err"); let resumed_session = "81f218eb-568b-409b-871b-f6e86d8f666f"; write_fake_claude_script(&fake_claude)?; must( @@ -372,6 +383,8 @@ fn consult_can_resume_a_prior_session_with_read_only_toolset_and_requested_worki let env_path = env_file.display().to_string(); let cwd_probe_path = cwd_probe_file.display().to_string(); let cwd_probe_error_path = cwd_probe_error_file.display().to_string(); + let credential_probe_path = credential_probe_file.display().to_string(); + let credential_probe_error_path = credential_probe_error_file.display().to_string(); let caller_home_path = caller_home.display().to_string(); let env = [ ("HOME", caller_home_path.as_str()), @@ -388,6 +401,14 @@ fn consult_can_resume_a_prior_session_with_read_only_toolset_and_requested_worki "PHONE_OPUS_TEST_CWD_WRITE_ERROR_FILE", cwd_probe_error_path.as_str(), ), + ( + "PHONE_OPUS_TEST_CREDENTIAL_WRITE_PROBE_FILE", + credential_probe_path.as_str(), + ), + ( + "PHONE_OPUS_TEST_CREDENTIAL_WRITE_ERROR_FILE", + credential_probe_error_path.as_str(), + ), ]; let mut harness = McpHarness::spawn(&state_home, &env)?; let _ = harness.initialize()?; @@ -492,10 +513,17 @@ fn consult_can_resume_a_prior_session_with_read_only_toolset_and_requested_worki assert!(env_dump.contains(format!("XDG_CACHE_HOME={}", xdg_cache_home.display()).as_str())); assert!(env_dump.contains(format!("XDG_STATE_HOME={}", xdg_state_home.display()).as_str())); + assert_eq!( + must( + fs::read_link(claude_home.join(".claude").join(".credentials.json")), + "read credentials symlink" + )?, + caller_home.join(".claude").join(".credentials.json") + ); assert_eq!( must( fs::read_to_string(claude_home.join(".claude").join(".credentials.json")), - "read mirrored credentials" + "read linked credentials" )?, "{\n \"auth\": \"token\"\n}\n" ); @@ -538,6 +566,11 @@ fn consult_can_resume_a_prior_session_with_read_only_toolset_and_requested_worki "read cwd write probe result", )?; assert_eq!(cwd_probe.trim(), "write_failed"); + let credential_probe = must( + fs::read_to_string(&credential_probe_file), + "read credential write probe result", + )?; + assert_eq!(credential_probe.trim(), "write_succeeded"); let telemetry = harness.call_tool(4, "telemetry_snapshot", json!({}))?; assert_tool_ok(&telemetry); -- cgit v1.2.3