Outcall
SpecificationsS013 · Agent-Name Rule Context

Edge cases

S013: Agent-Name Rule Context — Edge Cases

S013-EC-001: SO_PEERCRED not available (non-Unix socket)

Condition: Rule evaluation request arrives over a TCP socket instead of a Unix domain socket.

Expected behavior: EvalContext.agent is None. No error returned to caller. Rule evaluation proceeds with remaining context fields.

Test: Send a request via HTTP (TCP) and verify agent is absent from context JSON.


S013-EC-002: Container IP not found in DockerManager

Condition: SO_PEERCRED returns a valid PID, but the container's IP is not in DockerManager's container-name-by-IP map (e.g., container started before the cache was populated, or a system process not tracked by Outcall).

Expected behavior: EvalContext.agent is None. No error logged at ERROR level (INFO is acceptable). Rule evaluation proceeds.

Test: Mock DockerManager to return None for a known PID → verify agent is None.


S013-EC-003: Container name with no trailing -N suffix

Condition: Container name is standalone or myagent with no numeric suffix.

Expected behavior: agent.name equals the full container name (standalone, myagent). No error or warning emitted.

Test: Container named standaloneagent.name == "standalone" evaluates true.


S013-EC-004: Container name with trailing -0 (edge of suffix stripping)

Condition: Container name ends in -0 (e.g., agent-0).

Expected behavior: The suffix -0 is stripped, resulting in agent.name = "agent". This is correct behavior per the -[0-9]+$ regex — -0 is a valid numeric suffix.

Test: Container named agent-0agent.name == "agent" evaluates true.


S013-EC-005: Very long container name

Condition: Container name is a valid Docker name up to 128 characters.

Expected behavior: agent.name is derived correctly (possibly with suffix stripped). No truncation or buffer overflow.

Test: Container named a + 120 other chars + -1 → name derived correctly.


S013-EC-006: Concurrent rule evaluations with different agent identities

Condition: Two requests arrive simultaneously from different agents (foobar-1 and bar-1). build_eval_context resolves agent identity for each concurrently.

Expected behavior: Each EvalContext contains the correct agent name for its request. No race condition in the resolution chain.

Test: Parallel requests from two different agents → each gets correct agent.name.


S013-EC-007: Agent name resolution does not block rule evaluation latency budget

Condition: Rule evaluation must complete within 50ms (S003-EVAL-TIMEOUT).

Expected behavior: Agent name resolution adds ≤ 1ms to the evaluation path (in-memory cache lookup only). If resolution takes longer, it should timeout and set agent to None.

Test: Time build_eval_context with warm cache — must be less than 1ms on a cold run.


S013-EC-008: PID does not exist when reading /proc/<PID>/status

Condition: The PID from SO_PEERCRED has already exited between the accept and the time we read /proc/<PID>/status.

Expected behavior: EvalContext.agent is None. No error raised. The request still gets a verdict, just without agent identity.

Test: Send request from a quickly-exiting subprocess → verify graceful fallback.


S013-EC-009: DockerManager not yet initialized

Condition: build_eval_context is called before DockerManager has populated its container-name-by-IP map.

Expected behavior: EvalContext.agent is None. No error raised. DockerManager's cache will be populated as containers join (S008).

Test: Daemon starts and immediately receives a rule evaluation request → agent is None.

On this page