test: add unit test coverage for 6 security-critical gaps in compile/standalone.rs

[Copilot]

Automated test gap analysis identified 6 untested functions in compile/standalone.rs, all with security or correctness implications. This PR adds 30 unit tests covering them.

New test coverage

• validate_docker_args — dangerous flag detection (--privileged, --entrypoint), volume smuggling via -v/--volume= (both split and equals forms), safe args no-panic
• validate_mount_source — Docker socket escape, sensitive prefixes (/etc, /proc), case-insensitive matching (/ETC/shadow), path-boundary false-positive guard (/etc-configs must not match)
• validate_container_image — empty name, shell metacharacters, valid references
• warn_potential_secrets — secret-named env var with inline value triggers; empty passthrough ("") does not; Authorization header and Bearer value trigger
• generate_allowed_domains — network.blocked takes precedence over network.allow; host.docker.internal always present; user-specified host included; blocked core host removed (uses exact split match to avoid api.github.com false-positive); invalid DNS chars return error
• generate_prepare_steps — has_memory=true emits DownloadPipelineArtifact + memory prompt; has_memory=false with no steps returns empty; both memory and user steps coexist correctly

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

• api.github.com (HTTP Only)
  • Triggering command: /home/REDACTED/work/ado-aw/ado-aw/target/debug/ado-aw /home/REDACTED/work/ado-aw/ado-aw/target/debug/ado-aw proxy --allow api.github.com --as-needed -dynamic-linker 6gho5pdg3qcc6imv8ae.03ai1re.rcgu.o b11g1torib5b8kf3tyq.03ai1re.rcgu.o vske8pir6qp7uwgmkra.03ai1re.rcgu.o 1kko1k42n6zoayjfrxk.03ai1re.rcgu.o pijo9cmb3mn0cjr0cs3.03ai1re.rcgu.o jy7p22v5y4xea6nw3uz.03ai1re.rcgu.o f44po5obfesbuktq145.03ai1re.rcgu.o xm80y5r6fqpc0kvsm54.03ai1re.rcgu.o w1l7t53fmyrqyygq9yc.03ai1re.rcgu.o pxfj6bodtbq5vvdmxb0.03ai1re.rcgu.o l0suhk86je6snmds865.03ai1re.rcgu.o x45qthlhzbsei17w176.03ai1re.rcgu.o 8ex5glrrub0lb4w33d6.03ai1re.rcgu.o rwvgjbj8u7wkgi227cu.03ai1re.rcgu.o (packet block)
  • Triggering command: /home/REDACTED/work/ado-aw/ado-aw/target/debug/ado-aw /home/REDACTED/work/ado-aw/ado-aw/target/debug/ado-aw proxy --allow api.github.com g/de�� lib/rustlib/x86_--error-format=json lib/rustlib/x86_--json=diagnostic-rendered-ansi,artifacts,future-incompat bin/rustc res-0d1f7d618793cc res-0d1f7d618793-m64 res-0d1f7d618793/home/REDACTED/work/ado-aw/ado-aw/target/debug/deps/rustc0RUv2z/symbols.o bin/rustc res-�� res-0d1f7d618793/home/REDACTED/work/ado-aw/ado-aw/target/debug/deps/mcp_http_tests-04474f03c5ca2c4/home/REDACTED/work/ado-aw/ado-aw/target/debug/ado-aw res-0d1f7d618793/home/REDACTED/work/ado-aw/ado-aw/target/debug/deps/mcp_http_tests-04474f03c5ca2c4compile f/encoding_rs-0./home/REDACTED/work/ado-aw/ado-aw/target/debug/deps/mcp_http_tests-04474f03c5ca2c4/home/REDACTED/work/ado-aw/ado-aw/tests/fixtures/azure-devops-mcp-agent.md res-0d1f7d618793/home/REDACTED/work/ado-aw/ado-aw/target/debug/ado-aw eta.o res-0d1f7d618793/tmp/agentic-pipeline-uprnotvote-10218/upr-agent.md known-linux-gnu/-o (packet block)
  • Triggering command: /home/REDACTED/work/ado-aw/ado-aw/target/debug/ado-aw /home/REDACTED/work/ado-aw/ado-aw/target/debug/ado-aw proxy --allow api.github.com g/de�� lib/rustlib/x86_/home/REDACTED/work/ado-aw/ado-aw/target/debug/deps/async_trait-f6d12dc65cce50cb.aiptables lib/rustlib/x86_/home/REDACTED/work/ado-aw/ado-aw/target/debug/deps/async_trait-f6d12dc65cce50cb.a-w lib/rustlib/x86_64-REDACTED-linux-gnu/bin/cc fe0dd3cb6f860c.ccc fe0dd3cb6f860c.c-m64 fe0dd3cb6f860c.c/home/REDACTED/work/ado-aw/ado-aw/target/debug/deps/rustcQshIru/symbols.o fe0dd3cb6f860c.c/home/REDACTED/work/ado-aw/ado-aw/target/debug/deps/ado_aw-2dc3dfb3700e1b69.017qwv-d fe0d�� mbols.o -04474f03c5ca2c4/home/REDACTED/work/ado-aw/ado-aw/target/debug/deps/ado_aw-2dc3dfb3700e1b69.057ulncompile -04474f03c5ca2c4/home/REDACTED/work/ado-aw/ado-aw/target/debug/deps/ado_aw-2dc3dfb3700e1b69.09vese/home/REDACTED/work/ado-aw/ado-aw/tests/fixtures/azure-devops-mcp-agent.md -04474f03c5ca2c4/home/REDACTED/work/ado-aw/ado-aw/target/debug/ado-aw -04474f03c5ca2c4compile -04474f03c5ca2c4/home/REDACTED/work/ado-aw/ado-aw/tests/fixtures/1es-test-agent.md -04474f03c5ca2c4-o (packet block)
• dev.azure.com
  • Triggering command: /home/REDACTED/work/ado-aw/ado-aw/target/debug/deps/ado_aw-e07c5709f9b8ed2e /home/REDACTED/work/ado-aw/ado-aw/target/debug/deps/ado_aw-e07c5709f9b8ed2e --emit=dep-info,metadata,link -C embed-bitcode=no -C debuginfo=2 19xv9jm5rv1lqvwtrdayt68c.114b5c7.rcgu.o kfvqav2vxwob5emy3jyjhdyk.114b5c7.rcgu.o 3udnxujnyqlwki7eb55ujuz0.114b5c7.rcgu.o 6szb9gfg72lgmff75ks5v4oy.114b5c7.rcgu.o 98ylokwc4o0a1lwljih6e7dy.114b5c7.rcgu.o haslg5xpfds7r4ldv8ob2bhs.114b5c7.rcgu.o nfqjni1abcpgns9aw4rz3gi5.114b5c7.rcgu.o p2mzj4wl2mzvz8nuv8fobwn2.114b5c7.rcgu.o vk14clagoudz75k9tcqdef6e.114b5c7.rcgu.o 0k59no41h8pf7zq2kdw3ebcq.114b5c7.rcgu.o 2va92i8c0nlgeutzt6fhd04a.114b5c7.rcgu.o 4a6y3mt2496l6t08p14wvjtj.114b5c7.rcgu.o u995prndo1dh5c3j5xwvivfn.114b5c7.rcgu.o z5wgysxdci4oufxhqds0ix9w.114b5c7.rcgu.o (dns block)
  • Triggering command: /home/REDACTED/work/ado-aw/ado-aw/target/debug/deps/ado_aw-e07c5709f9b8ed2e /home/REDACTED/work/ado-aw/ado-aw/target/debug/deps/ado_aw-e07c5709f9b8ed2e /home/REDACTED/work/ado-aw/ado-aw/target/debug/deps/proxy_tests-fc040786449fc516.1nfqjni1abcpgns9aw4rz3gi5.114b5c7.rcgu.o /home/REDACTED/work/ado-aw/ado-aw/target/debug/deps/proxy_tests-fc040786449fc516.1p2mzj4wl2mzvz8nuv8fobwn2.114b5c7.rcgu.o /home/REDACTED/work/ado-aw/ado-aw/target/debug/deps/proxy_tests-fc040786449fc516.1vk14clagoudz75k9tcqdef6e.114b5c7.rcgu.o /home/REDACTED/work/ado-aw/ado-aw/target/debug/deps/proxy_tests-fc040786449fc516.20k59no41h8pf7zq2kdw3ebcq.114b5c7.rcgu.o /home/REDACTED/work/ado-aw/ado-aw/target/debug/deps/proxy_tests-fc040786449fc516.22va92i8c0nlgeutzt6fhd04a.114b5c7.rcgu.o 6gho5pdg3qcc6imv8ae.0pdls67.rcgu.o b11g1torib5b8kf3tyq.0pdls67.rcgu.o vske8pir6qp7uwgmkra.0pdls67.rcgu.o 1kko1k42n6zoayjfrxk.0pdls67.rcgu.o pijo9cmb3mn0cjr0cs3.0pdls67.rcgu.o jy7p22v5y4xea6nw3uz.0pdls67.rcgu.o f44po5obfesbuktq145.0pdls67.rcgu.o xm80y5r6fqpc0kvsm54.0pdls67.rcgu.o w1l7t53fmyrqyygq9yc.0pdls67.rcgu.o pxfj6bodtbq5vvdmxb0.0pdls67.rcgu.o l0suhk86je6snmds865.0pdls67.rcgu.o x45qthlhzbsei17w176.0pdls67.rcgu.o 8ex5glrrub0lb4w33d6.0pdls67.rcgu.o rwvgjbj8u7wkgi227cu.0pdls67.rcgu.o (dns block)
  • Triggering command: /home/REDACTED/work/ado-aw/ado-aw/target/debug/ado-aw /home/REDACTED/work/ado-aw/ado-aw/target/debug/ado-aw proxy --allow api.github.com --allow dev.azure.com --allow *.visualstudio.com vske8pir6qp7uwgmkra.03ai1re.rcgu.o 1kko1k42n6zoayjfrxk.03ai1re.rcgu.o pijo9cmb3mn0cjr0cs3.03ai1re.rcgu.o jy7p22v5y4xea6nw3uz.03ai1re.rcgu.o f44po5obfesbuktq145.03ai1re.rcgu.o xm80y5r6fqpc0kvsm54.03ai1re.rcgu.o w1l7t53fmyrqyygq9yc.03ai1re.rcgu.o pxfj6bodtbq5vvdmxb0.03ai1re.rcgu.o l0suhk86je6snmds865.03ai1re.rcgu.o x45qthlhzbsei17w176.03ai1re.rcgu.o 8ex5glrrub0lb4w33d6.03ai1re.rcgu.o rwvgjbj8u7wkgi227cu.03ai1re.rcgu.o (dns block)
• msazuresphere.visualstudio.com
  • Triggering command: /home/REDACTED/work/ado-aw/ado-aw/target/debug/ado-aw /home/REDACTED/work/ado-aw/ado-aw/target/debug/ado-aw proxy --allow api.github.com --allow dev.azure.com --allow *.visualstudio.com vske8pir6qp7uwgmkra.03ai1re.rcgu.o 1kko1k42n6zoayjfrxk.03ai1re.rcgu.o pijo9cmb3mn0cjr0cs3.03ai1re.rcgu.o jy7p22v5y4xea6nw3uz.03ai1re.rcgu.o f44po5obfesbuktq145.03ai1re.rcgu.o xm80y5r6fqpc0kvsm54.03ai1re.rcgu.o w1l7t53fmyrqyygq9yc.03ai1re.rcgu.o pxfj6bodtbq5vvdmxb0.03ai1re.rcgu.o l0suhk86je6snmds865.03ai1re.rcgu.o x45qthlhzbsei17w176.03ai1re.rcgu.o 8ex5glrrub0lb4w33d6.03ai1re.rcgu.o rwvgjbj8u7wkgi227cu.03ai1re.rcgu.o (dns block)
  • Triggering command: /home/REDACTED/work/ado-aw/ado-aw/target/debug/ado-aw /home/REDACTED/work/ado-aw/ado-aw/target/debug/ado-aw proxy --allow api.github.com --allow dev.azure.com --allow *.visualstudio.com c1063f.rlib s/serde_derive-7-m64 s/serde_derive-7/home/REDACTED/work/ado-aw/ado-aw/target/debug/deps/rustc0RUv2z/symbols.o bin/rustc (dns block)
  • Triggering command: /home/REDACTED/work/ado-aw/ado-aw/target/debug/ado-aw /home/REDACTED/work/ado-aw/ado-aw/target/debug/ado-aw proxy --allow api.github.com --allow dev.azure.com --allow *.visualstudio.com fe0dd3cb6f860c.c/usr/libexec/gcc/x86_64-linux-gnu/13/collect2 fe0dd3cb6f860c.c-plugin fe0dd3cb6f860c.c/usr/libexec/gcc/x86_64-linux-gnu/13/liblto_plugin.so fe0dd3cb6f860c.c-plugin-opt=/usr/libexec/gcc/x86_64-linux-gnu/13/lto-wrapper fe0d�� mbols.o -04474f03c5ca2c4--eh-frame-hdr -04474f03c5ca2c4-m -04474f03c5ca2c4/home/REDACTED/work/ado-aw/ado-aw/target/debug/ado-aw -04474f03c5ca2c4compile -04474f03c5ca2c4/tmp/agentic-pipeline-cwi-pass-11451/cwi-agent.md -04474f03c5ca2c4-o (dns block)
• raw.github.com
  • Triggering command: /home/REDACTED/work/ado-aw/ado-aw/target/debug/ado-aw /home/REDACTED/work/ado-aw/ado-aw/target/debug/ado-aw proxy --allow *.github.com /home/REDACTED/work/ado-aw/ado-aw/target/debug/deps/ado_aw-2dc3dfb3700e1b69.0mlxr4pxfj6bodtbq5vvdmxb0.0pdls67.rcgu.o /home/REDACTED/work/ado-aw/ado-aw/target/debug/deps/ado_aw-2dc3dfb3700e1b69.0p9ee7l0suhk86je6snmds865.0pdls67.rcgu.o 6gho5pdg3qcc6imv8ae.03ai1re.rcgu.o b11g1torib5b8kf3tyq.03ai1re.rcgu.o vske8pir6qp7uwgmkra.03ai1re.rcgu.o 1kko1k42n6zoayjfrxk.03ai1re.rcgu.o pijo9cmb3mn0cjr0cs3.03ai1re.rcgu.o jy7p22v5y4xea6nw3uz.03ai1re.rcgu.o f44po5obfesbuktq145.03ai1re.rcgu.o xm80y5r6fqpc0kvsm54.03ai1re.rcgu.o w1l7t53fmyrqyygq9yc.03ai1re.rcgu.o pxfj6bodtbq5vvdmxb0.03ai1re.rcgu.o l0suhk86je6snmds865.03ai1re.rcgu.o x45qthlhzbsei17w176.03ai1re.rcgu.o 8ex5glrrub0lb4w33d6.03ai1re.rcgu.o rwvgjbj8u7wkgi227cu.03ai1re.rcgu.o (dns block)
  • Triggering command: /home/REDACTED/work/ado-aw/ado-aw/target/debug/ado-aw /home/REDACTED/work/ado-aw/ado-aw/target/debug/ado-aw proxy --allow *.github.com g/de�� (dns block)
  • Triggering command: /home/REDACTED/work/ado-aw/ado-aw/target/debug/ado-aw /home/REDACTED/work/ado-aw/ado-aw/target/debug/ado-aw proxy --allow *.github.com 7.2b�� 7.2uobun4n1xgd04x1d5e7u1y4h.165v8ul.rcgu.o 7.330c18cwdvgi96e9ysiyncy21.165v8ul.rcgu.o mbols.o fe0dd3cb6f860c.ccc fe0dd3cb6f860c.c-m64 fe0dd3cb6f860c.c/home/REDACTED/work/ado-aw/ado-aw/target/debug/deps/rustcQshIru/symbols.o fe0dd3cb6f860c.c/home/REDACTED/work/ado-aw/ado-aw/target/debug/deps/ado_aw-2dc3dfb3700e1b69.017qwv--property=CPUQuota=5% fe0d�� mbols.o -d9ec3e202ea6353/home/REDACTED/work/ado-aw/ado-aw/target/debug/deps/ado_aw-2dc3dfb3700e1b69.057ulncompile -d9ec3e202ea6353/home/REDACTED/work/ado-aw/ado-aw/target/debug/deps/ado_aw-2dc3dfb3700e1b69.09vese/home/REDACTED/work/ado-aw/ado-aw/tests/fixtures/minimal-agent.md -d9ec3e202ea6353cargo -d9ec3e202ea6353test -d9ec3e202ea6353/home/REDACTED/work/ado-aw/ado-aw/target/debug/deps/ado_aw-2dc3dfb3700e1b69.0jvkevxm80y5r6fqpc0kvsm54.03ai1re.rcgu.o -d9ec3e202ea6353/home/REDACTED/work/ado-aw/ado-aw/target/debug/deps/ado_aw-2dc3dfb3700e1b69.0k51kow1l7t53fmyrqyygq9yc.03ai1re.rcgu.o (dns block)

If you need me to access, download, or install something from one of these locations, you can either:

• Configure Actions setup steps to set up my environment, which run before the firewall is enabled
• Add the appropriate URLs or hosts to the custom allowlist in this repository's Copilot coding agent settings (admins only)

[jamesadevine]

/rust-review

[github-actions]

✅ Rust PR Reviewer completed successfully!

[github-actions]

🔍 Rust PR Review

Summary: Good coverage addition — all 30 tests pass. One structural weakness worth addressing: the warning-emitting functions are only smoke-tested (no-panic), so the behavioral contracts remain unverified.

---

Findings

⚠️ Suggestions

validate_* / warn_potential_secrets tests are smoke tests only

The 18 tests covering validate_docker_args, validate_mount_source, validate_container_image, and warn_potential_secrets call the functions and assert they don't panic — but none assert that warnings are or are not emitted. Test comments say things like "should NOT trigger a warning" (e.g. test_warn_potential_secrets_empty_passthrough_no_panic) but there is no assertion to back it up. If someone inverted the if !value.is_empty() guard in warn_potential_secrets, the test would still be green.

The standard approach for this in Rust is to refactor the functions to return a Vec<String> of warnings (or take an impl Write sink) so tests can assert on the contents. That's a bigger refactor — but at minimum the comments should be updated to clearly say "smoke test: exercises the code path, does not verify warning emission" to avoid misleading future contributors.

Specific misleading cases:

• src/compile/standalone.rs — test_warn_potential_secrets_empty_passthrough_no_panic: comment says "should NOT trigger a warning" — untestable as written
• src/compile/standalone.rs — test_validate_mount_source_no_false_positive_on_etc_configs: comment says "handles the boundary correctly" — only asserts no panic

test_generate_allowed_domains_blocked_core_host_removed has a subtle pass-through

The test blocks "github.com" and asserts it's not in the split domain list. This is correct. However "*.github.com" (a distinct core host) remains in the list. The test comment says "blocked host must be removed even if it is in the core allowlist" — true, but a reader might incorrectly conclude that blocking a domain also removes wildcard variants. The behaviour is intentional (exact-string removal), but a brief comment noting this would prevent confusion.

---

✅ What Looks Good

• The generate_allowed_domains and generate_prepare_steps groups have real assertions on return values — these are the most valuable tests in the PR
• The blocked_takes_precedence_over_allow and invalid_host_returns_error tests properly exercise the Result return path
• test_generate_prepare_steps_without_memory_and_no_steps_is_empty is a clean edge-case check
• The memory tests correctly probe both DownloadPipelineArtifact task presence and the prompt content, which guards against silent regressions in generated YAML
• No new unwrap()/expect() on user-facing paths; all new code is test-only

Generated by Rust PR Reviewer for issue #186 · ● 936.2K · ◷

[github-actions]

🔍 Rust PR Review

Summary: Looks good — clean, well-structured test-addition PR that all passes; one minor inconsistency worth noting.

Findings

⚠️ Suggestions

• src/compile/standalone.rs:900 — validate_mcp_url left behind: All four other void-warning functions (validate_container_image, validate_mount_source, validate_docker_args, warn_potential_secrets) were refactored to return Vec<String> to enable unit testing. validate_mcp_url (line 900–907) still calls eprintln! directly and remains untestable. The PR description lists 6 targeted functions but only covers 5 distinct validators. Worth a follow-up to complete the pattern.

• src/compile/standalone.rs:877 — silent no-op when -v is the last arg: if arg == "-v" || arg == "--volume" only warns if args.get(i + 1) returns Some. If -v is the final element, the flag is silently ignored. This isn't a regression (the old code had the same behaviour), but since you're here it's worth a test and/or a warning for a malformed args list.

• Test comment on exact-string block semantics (test_generate_allowed_domains_blocked_core_host_removed): The in-test comment documenting that blocking github.com does not remove *.github.com is helpful, but this asymmetry could genuinely surprise users configuring network.blocked. Consider surfacing it in AGENTS.md under the network: section.

✅ What Looks Good

• Refactoring is mechanically correct: all four functions now collect warnings into a Vec<String> and return them; call-sites immediately eprintln! each entry, preserving identical observable behaviour.
• warnings.extend(validate_mount_source(...)) propagation in validate_docker_args is correct — both the "bypasses mounts validation" and the downstream sensitive-path/docker-socket warnings are preserved for smuggled -v/--volume args.
• False-positive guard (/etc-configs must not match /etc) is correctly implemented via starts_with(&format!("{}/", prefix)) and is explicitly tested.
• All 30 new tests pass; all 44 pre-existing tests remain green.

Generated by Rust PR Reviewer for issue #186 · ● 1.1M · ◷

[jamesadevine]

approved after final change

[github-actions]

🔍 Rust PR Review

Summary: Looks good — clean testability refactor with 30 correct unit tests. One minor observation below.

Findings

✅ What Looks Good

• Refactoring is sound: converting fn f() { eprintln!(...) } → fn f() -> Vec<String> while looping at each callsite preserves identical runtime behaviour. The callers at lines 669–725 all follow the same for w in f() { eprintln!("{}", w); } pattern consistently.

• All 30 test assertions verified against the implementation:

  • test_validate_docker_args_entrypoint_in_args_warns: asserts w.contains("entrypoint:") — the extra hint is " Use the 'entrypoint:' field instead..." which does contain entrypoint:. ✓
  • test_validate_docker_args_volume_flag_calls_mount_validation: the two any() checks correctly trace through -v /var/run/docker.sock:... → 1 bypass-warning + 1 validate_mount_source docker-socket-warning. ✓
  • test_warn_potential_secrets_authorization_header_triggers expects len == 1: the if value.contains("bearer ") || key == "authorization" is a single if-block per header entry, so one header → one warning even when both sub-conditions are true. ✓
  • All generate_prepare_steps string literals (DownloadPipelineArtifact, agent_memory, Agent Memory) match what generate_memory_download() / generate_memory_prompt() actually emit. ✓

• AGENTS.md update accurately documents the exact-string blocking semantics and the *.github.com vs github.com split — matches the split(',').collect() logic in generate_allowed_domains.

⚠️ Suggestions

• [standalone.rs:test_generate_allowed_domains_*] No test covers blocking host.docker.internal itself. Since generate_allowed_domains applies blocked entries without any carve-outs, a user who adds host.docker.internal to network.blocked will silently break MCPG connectivity at runtime. A compile-time warning (or at minimum a test documenting the behaviour) would close this gap. This is a pre-existing issue rather than something introduced here, but it was exposed by the new test suite and this would be a natural place to add it.

• [standalone.rs:test_validate_docker_args_volume_equals_form] The test stops after asserting "bypasses mounts validation" but --volume=/var/run/docker.sock:... actually produces a second "Docker socket" warning too (via warnings.extend(validate_mount_source(...))). Consider adding that assertion for completeness, or at least asserting warnings.len() == 2 to make the expected count explicit.

Generated by Rust PR Reviewer for issue #186 · ● 989K · ◷