Detect AWS IAM errors as infra failures, allow date in run_command

constants/shell.py

@@ -24,4 +24,6 @@
     "pip index",
     "pip list",
     "pip show",
+    # System info (read-only)
+    "date",
 )

pyproject.toml

@@ -1,6 +1,6 @@
 [project]
 name = "GitAuto"
-version = "1.12.0"
+version = "1.12.2"
 requires-python = ">=3.14"
 dependencies = [
     "annotated-doc==0.0.4",

services/shell/run_command.py

@@ -16,9 +16,9 @@
 RUN_COMMAND: ToolUnionParam = {
     "name": "run_command",
     "description": (
-        "Run a read-only shell command to look up package versions or dependencies. "
+        "Run a read-only shell command to look up package versions, dependencies, or system info. "
         "Allowed: npm (view/list/outdated/search), yarn (info/list/why), "
-        "composer (show/outdated), pip (show/list/index), node -v, php -v/-m. "
+        "composer (show/outdated), pip (show/list/index), node -v, php -v/-m, date. "
         "Use this instead of fetching HTML pages for package version lookups."
     ),
     "input_schema": {

services/shell/test_run_command.py

@@ -82,6 +82,13 @@ def test_ls_blocked_outside_tmp(self, _mock_slack, create_test_base_args):
         assert result is not None
         assert "not allowed" in result.lower()
 
+    @patch("services.shell.run_command.slack_notify")
+    def test_date_returns_current_date(self, _mock_slack, create_test_base_args):
+        base_args = create_test_base_args()
+        result = run_command(base_args, "date")
+        assert result is not None
+        assert len(result.strip()) > 0
+
     @pytest.mark.parametrize("prefix", ALLOWED_PREFIXES)
     def test_all_allowed_prefixes_are_read_only(self, prefix):
         # Verify no write commands snuck into the whitelist

utils/logs/detect_infra_failure.py

@@ -25,6 +25,9 @@
     # MongoMemoryServer binary crash (version/distro mismatch with cached S3 binary)
     "MongoMemoryServer Instance failed",
     'signal "SIGABRT"',
+    # AWS IAM permission errors (Lambda role lacks access to SSM/SecretsManager/etc.)
+    "AccessDeniedException",
+    "no identity-based policy allows",
 ]
 
 

utils/logs/test_detect_infra_failure.py

@@ -24,7 +24,7 @@
 
 
 def test_detect_infra_failure_real_segfault_log():
-    real_log = SEGFAULT_LOG_PATH.read_text()
+    real_log = SEGFAULT_LOG_PATH.read_text(encoding="utf-8")
     result = detect_infra_failure(real_log)
     assert result == "Segmentation fault"
 
@@ -75,6 +75,18 @@ def test_detect_infra_failure_real_segfault_log():
             "    at ChildProcess.emit (node:events:519:28)",
             'signal "SIGABRT"',
         ),
+        # AWS IAM permission errors
+        (
+            "AccessDeniedException: User: arn:aws:sts::948023073771:assumed-role/pr-agent-prod-role/pr-agent-prod "
+            "is not authorized to perform: secretsmanager:GetSecretValue on resource: dev/foxden-billing "
+            "because no identity-based policy allows the secretsmanager:GetSecretValue action",
+            "AccessDeniedException",
+        ),
+        (
+            "User: arn:aws:sts::123:assumed-role/role/func is not authorized to perform: ssm:GetParameter "
+            "because no identity-based policy allows the ssm:GetParameter action",
+            "no identity-based policy allows",
+        ),
     ],
     ids=[
         "yarn_502",
@@ -91,6 +103,8 @@ def test_detect_infra_failure_real_segfault_log():
         "enomem",
         "mongoms_instance_failed",
         "sigabrt",
+        "aws_access_denied",
+        "aws_iam_policy_denied",
     ],
 )
 def test_detect_infra_failure_matches(error_log, expected):