fix(render): E_PATH_ESCAPE suggests vendor-or-declare remediation#33
Merged
Conversation
Closes spike-1 issue #7. The path-escape error produced by the sandbox guard (`PathError::Escape`) now carries an actionable `suggestion` field naming both correct remediations: 1. Vendor the dependency under the Package directory. 2. Declare it in `akua.toml` `[dependencies]` and reference the resolved alias (`charts.<name>.path` for Helm; `import <alias>` for KCL/Akua packages). Three pieces: - `crates/akua-cli/src/verbs/render.rs` — refactor the path-escape to_structured arms to use a shared `PATH_ESCAPE_SUGGESTION` const, and add an `ESCAPE_MARKER` substring sniffer mirroring the existing `STRICT_MARKER`. The sandboxed render path collapses every plugin failure to `KclEval(string)`, so the typed `PathError::Escape` match arm only fires on the in-process path; without the marker the user got the generic `E_RENDER_KCL` with no remediation. - `docs/errors/E_PATH_ESCAPE.md` — new dedicated error page covering the two remediations with concrete examples + cross-links to lockfile-format and security-model docs. - `crates/akua-cli/tests/cli_integration.rs` — regression test drives a Package whose `pkg.render` argument escapes the Package dir, asserts E_PATH_ESCAPE on stderr with `suggestion` mentioning both `vendor`, `akua.toml`, and the error doc URL. Issue #8 (`akua render --debug`) deferred to follow-up #480 — its JSON shape depends on the eventual sentinel-mechanism resolution (#475/#479) and shouldn't be locked in until that's settled.
…sjoint Pin both error-message sniffers as non-overlapping so a future edit to either can't silently misroute KCL plugin-panic messages between E_STRICT_UNTYPED_CHART and E_PATH_ESCAPE.
3 tasks
robinbraemer
added a commit
that referenced
this pull request
Apr 28, 2026
…ker (#39) `find_package_root` now accepts either `kcl.mod` (kpm-published) or `package.k` (Akua-published) as a `KclModule` marker. Annotation detection (`detect_package`) and filesystem detection (`detect_kind`) already recognize `dev.akua.*` annotations + `akua.toml + package.k` directories from PR #34; the missing piece was the cache-root descent step that finalizes a fetched OCI artifact. End result: `[dependencies] upstream = { oci = "...", version = "..." }` where the artifact is an Akua-published OCI package now resolves through to the cached directory and lands as a `KclModule` dep. Also fixes a pre-existing test-only build break in `verbs/render.rs` where the `args(...)` test helper was missing the `debug` field added in PR #33. Test plan: - `cargo test -p akua-core --features oci-fetch --lib oci_fetcher::tests` — 12/12 (new: `extract_blob_unpacks_akua_published_plain_tar`) - `cargo test --workspace --all-features` — green - `cargo clippy --workspace --all-features` — clean
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Closes spike-1 #7. (#8 deferred — see #480.)
PathError::Escapenow carries an actionablesuggestionfield naming both correct remediations: vendor under the Package directory, or declare inakua.toml [dependencies]and reference the resolved alias. Added a stringly-typed marker so the sandboxed render path (which collapses everything toKclEval(string)) hits the same suggestion as the in-process path.New
docs/errors/E_PATH_ESCAPE.mdcovers both remediations with examples.Test plan
pkg.renderpath; assertsE_PATH_ESCAPE+suggestionmentioning vendor + akua.toml + the doc URL