tests(js_repl): stabilize CI runtime test execution

git-stack-id: fjord/js_repl_seq---4htl2cund94dlu
git-stack-title: tests(js_repl): stabilize CI runtime test execution

Author: fjord-oai

.github/workflows/bazel.yml

@@ -47,6 +47,16 @@ jobs:
     steps:
       - uses: actions/checkout@v6
 
+      - name: Set up Node.js for js_repl tests
+        uses: actions/setup-node@v6
+        with:
+          node-version-file: codex-rs/node-version.txt
+          check-latest: true
+
+      - name: Make Node.js available in PATH (Unix)
+        if: runner.os != 'Windows'
+        run: cp "$(which node)" /usr/local/bin
+
       # Some integration tests rely on DotSlash being installed.
       # See https://github.com/openai/codex/pull/7617.
       - name: Install DotSlash
@@ -117,6 +127,12 @@ jobs:
             --build_metadata=VISIBILITY=PUBLIC
           )
 
+          if [[ "${RUNNER_OS:-}" != "Windows" ]]; then
+            # Bazel test sandboxes on macOS may resolve an older Homebrew `node`
+            # before the `actions/setup-node` runtime on PATH.
+            bazel_args+=(--test_env=CODEX_JS_REPL_NODE_PATH=/usr/local/bin/node)
+          fi
+
           if [[ -n "${BUILDBUDDY_API_KEY:-}" ]]; then
             echo "BuildBuddy API key is available; using remote Bazel configuration."
             bazel $BAZEL_STARTUP_ARGS \

.github/workflows/rust-ci.yml

@@ -499,6 +499,11 @@ jobs:
 
     steps:
       - uses: actions/checkout@v6
+      - name: Set up Node.js for js_repl tests
+        uses: actions/setup-node@v6
+        with:
+          node-version-file: codex-rs/node-version.txt
+          check-latest: true
       - name: Install Linux build dependencies
         if: ${{ runner.os == 'Linux' }}
         shell: bash

codex-rs/.config/nextest.toml

@@ -11,3 +11,13 @@ slow-timeout = { period = "1m", terminate-after = 4 }
 [[profile.default.overrides]]
 filter = 'test(approval_matrix_covers_all_modes)'
 slow-timeout = { period = "30s", terminate-after = 2 }
+
+[[profile.default.overrides]]
+# js_repl runtime tests each spawn a Node kernel; on Windows x64 CI they can
+# timeout when nextest launches many of them concurrently. This covers both
+# unit tests and tool-level integration tests that exercise js_repl.
+filter = 'package(codex-core) and (test(tools::js_repl::tests::js_repl_) or test(suite::js_repl::js_repl_) or test(suite::view_image::js_repl_))'
+test-group = "js-repl-runtime-serial"
+
+[test-groups.js-repl-runtime-serial]
+max-threads = 1

codex-rs/core/src/tools/handlers/js_repl.rs

@@ -288,7 +288,6 @@ mod tests {
     use std::time::Duration;
 
     use super::parse_freeform_args;
-    use crate::codex::make_session_and_context_with_rx;
     use crate::protocol::EventMsg;
     use crate::protocol::ExecCommandSource;
     use pretty_assertions::assert_eq;
@@ -339,7 +338,7 @@ mod tests {
 
     #[tokio::test]
     async fn emit_js_repl_exec_end_sends_event() {
-        let (session, turn, rx) = make_session_and_context_with_rx().await;
+        let (session, turn, rx) = crate::codex::make_session_and_context_with_rx().await;
         super::emit_js_repl_exec_end(
             session.as_ref(),
             turn.as_ref(),

codex-rs/core/src/tools/js_repl/mod.rs

@@ -1287,18 +1287,25 @@ pub(crate) fn resolve_node(config_path: Option<&Path>) -> Option<PathBuf> {
 #[cfg(test)]
 mod tests {
     use super::*;
-    use crate::codex::make_session_and_context;
     use crate::protocol::AskForApproval;
     use crate::protocol::SandboxPolicy;
     use crate::turn_diff_tracker::TurnDiffTracker;
-    use codex_protocol::models::ContentItem;
-    use codex_protocol::models::ResponseInputItem;
-    use codex_protocol::openai_models::InputModality;
     use pretty_assertions::assert_eq;
     use std::fs;
     use std::path::Path;
     use tempfile::tempdir;
 
+    fn configure_js_repl_test_sandbox(turn: &mut crate::codex::TurnContext) {
+        // Manager-level runtime tests don't need to exercise Linux arg0 sandbox dispatch.
+        turn.sandbox_policy = SandboxPolicy::DangerFullAccess;
+    }
+
+    async fn make_session_and_context() -> (crate::codex::Session, crate::codex::TurnContext) {
+        let (session, mut turn) = crate::codex::make_session_and_context().await;
+        configure_js_repl_test_sandbox(&mut turn);
+        (session, turn)
+    }
+
     #[test]
     fn node_version_parses_v_prefix_and_suffix() {
         let version = NodeVersion::parse("v25.1.0-nightly.2024").unwrap();
@@ -1606,47 +1613,6 @@ mod tests {
         Ok(())
     }
 
-    #[tokio::test]
-    async fn js_repl_persists_top_level_bindings_and_supports_tla() -> anyhow::Result<()> {
-        if !can_run_js_repl_runtime_tests().await {
-            return Ok(());
-        }
-
-        let (session, turn) = make_session_and_context().await;
-        let session = Arc::new(session);
-        let turn = Arc::new(turn);
-        let tracker = Arc::new(tokio::sync::Mutex::new(TurnDiffTracker::default()));
-        let manager = turn.js_repl.manager().await?;
-
-        let first = manager
-            .execute(
-                Arc::clone(&session),
-                Arc::clone(&turn),
-                Arc::clone(&tracker),
-                JsReplArgs {
-                    code: "let x = await Promise.resolve(41); console.log(x);".to_string(),
-                    timeout_ms: Some(10_000),
-                },
-            )
-            .await?;
-        assert!(first.output.contains("41"));
-
-        let second = manager
-            .execute(
-                Arc::clone(&session),
-                Arc::clone(&turn),
-                Arc::clone(&tracker),
-                JsReplArgs {
-                    code: "console.log(x + 1);".to_string(),
-                    timeout_ms: Some(10_000),
-                },
-            )
-            .await?;
-
-        assert!(second.output.contains("42"));
-        Ok(())
-    }
-
     #[tokio::test]
     async fn js_repl_timeout_does_not_deadlock() -> anyhow::Result<()> {
         if !can_run_js_repl_runtime_tests().await {
@@ -1793,97 +1759,6 @@ mod tests {
         Ok(())
     }
 
-    #[tokio::test]
-    async fn js_repl_can_call_tools() -> anyhow::Result<()> {
-        if !can_run_js_repl_runtime_tests().await {
-            return Ok(());
-        }
-
-        let (session, mut turn) = make_session_and_context().await;
-        turn.approval_policy = AskForApproval::Never;
-        turn.sandbox_policy = SandboxPolicy::DangerFullAccess;
-
-        let session = Arc::new(session);
-        let turn = Arc::new(turn);
-        let tracker = Arc::new(tokio::sync::Mutex::new(TurnDiffTracker::default()));
-        let manager = turn.js_repl.manager().await?;
-
-        let shell = manager
-            .execute(
-                Arc::clone(&session),
-                Arc::clone(&turn),
-                Arc::clone(&tracker),
-                JsReplArgs {
-                    code: "const shellOut = await codex.tool(\"shell_command\", { command: \"printf js_repl_shell_ok\" }); console.log(JSON.stringify(shellOut));".to_string(),
-                    timeout_ms: Some(15_000),
-                },
-            )
-            .await?;
-        assert!(shell.output.contains("js_repl_shell_ok"));
-
-        let tool = manager
-            .execute(
-                Arc::clone(&session),
-                Arc::clone(&turn),
-                Arc::clone(&tracker),
-                JsReplArgs {
-                    code: "const toolOut = await codex.tool(\"list_mcp_resources\", {}); console.log(toolOut.type);".to_string(),
-                    timeout_ms: Some(15_000),
-                },
-            )
-            .await?;
-        assert!(tool.output.contains("function_call_output"));
-        Ok(())
-    }
-
-    #[tokio::test]
-    async fn js_repl_tool_call_rejects_recursive_js_repl_invocation() -> anyhow::Result<()> {
-        if !can_run_js_repl_runtime_tests().await {
-            return Ok(());
-        }
-
-        let (session, mut turn) = make_session_and_context().await;
-        turn.approval_policy = AskForApproval::Never;
-        turn.sandbox_policy = SandboxPolicy::DangerFullAccess;
-
-        let session = Arc::new(session);
-        let turn = Arc::new(turn);
-        let tracker = Arc::new(tokio::sync::Mutex::new(TurnDiffTracker::default()));
-        let manager = turn.js_repl.manager().await?;
-
-        let result = manager
-            .execute(
-                session,
-                turn,
-                tracker,
-                JsReplArgs {
-                    code: r#"
-try {
-  await codex.tool("js_repl", "console.log('recursive')");
-  console.log("unexpected-success");
-} catch (err) {
-  console.log(String(err));
-}
-"#
-                    .to_string(),
-                    timeout_ms: Some(15_000),
-                },
-            )
-            .await?;
-
-        assert!(
-            result.output.contains("js_repl cannot invoke itself"),
-            "expected recursion guard message, got output: {}",
-            result.output
-        );
-        assert!(
-            !result.output.contains("unexpected-success"),
-            "recursive js_repl tool call unexpectedly succeeded: {}",
-            result.output
-        );
-        Ok(())
-    }
-
     #[tokio::test]
     async fn js_repl_waits_for_unawaited_tool_calls_before_completion() -> anyhow::Result<()> {
         if !can_run_js_repl_runtime_tests().await || cfg!(windows) {
@@ -1927,132 +1802,6 @@ console.log("cell-complete");
         Ok(())
     }
 
-    #[tokio::test(flavor = "multi_thread", worker_threads = 2)]
-    async fn js_repl_can_attach_image_via_view_image_tool() -> anyhow::Result<()> {
-        if !can_run_js_repl_runtime_tests().await {
-            return Ok(());
-        }
-
-        let (session, mut turn) = make_session_and_context().await;
-        if !turn
-            .model_info
-            .input_modalities
-            .contains(&InputModality::Image)
-        {
-            return Ok(());
-        }
-        turn.approval_policy = AskForApproval::Never;
-        turn.sandbox_policy = SandboxPolicy::DangerFullAccess;
-
-        let session = Arc::new(session);
-        let turn = Arc::new(turn);
-        *session.active_turn.lock().await = Some(crate::state::ActiveTurn::default());
-
-        let tracker = Arc::new(tokio::sync::Mutex::new(TurnDiffTracker::default()));
-        let manager = turn.js_repl.manager().await?;
-        let code = r#"
-const fs = await import("node:fs/promises");
-const path = await import("node:path");
-const imagePath = path.join(codex.tmpDir, "js-repl-view-image.png");
-const png = Buffer.from(
-  "iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAADUlEQVR4nGP4z8DwHwAFAAH/iZk9HQAAAABJRU5ErkJggg==",
-  "base64"
-);
-await fs.writeFile(imagePath, png);
-const out = await codex.tool("view_image", { path: imagePath });
-console.log(out.type);
-console.log(out.output?.body?.text ?? "");
-"#;
-
-        let result = manager
-            .execute(
-                Arc::clone(&session),
-                turn,
-                tracker,
-                JsReplArgs {
-                    code: code.to_string(),
-                    timeout_ms: Some(15_000),
-                },
-            )
-            .await?;
-        assert!(result.output.contains("function_call_output"));
-
-        let pending_input = session.get_pending_input().await;
-        let image_url = pending_input
-            .iter()
-            .find_map(|item| match item {
-                ResponseInputItem::Message { content, .. } => {
-                    content.iter().find_map(|content_item| match content_item {
-                        ContentItem::InputImage { image_url } => Some(image_url.as_str()),
-                        _ => None,
-                    })
-                }
-                _ => None,
-            })
-            .expect("view_image should inject an input_image message for the active turn");
-        assert!(image_url.starts_with("data:image/png;base64,"));
-
-        Ok(())
-    }
-
-    #[tokio::test]
-    async fn js_repl_does_not_expose_process_global() -> anyhow::Result<()> {
-        if !can_run_js_repl_runtime_tests().await {
-            return Ok(());
-        }
-
-        let (session, turn) = make_session_and_context().await;
-        let session = Arc::new(session);
-        let turn = Arc::new(turn);
-        let tracker = Arc::new(tokio::sync::Mutex::new(TurnDiffTracker::default()));
-        let manager = turn.js_repl.manager().await?;
-
-        let result = manager
-            .execute(
-                session,
-                turn,
-                tracker,
-                JsReplArgs {
-                    code: "console.log(typeof process);".to_string(),
-                    timeout_ms: Some(10_000),
-                },
-            )
-            .await?;
-        assert!(result.output.contains("undefined"));
-        Ok(())
-    }
-
-    #[tokio::test]
-    async fn js_repl_blocks_sensitive_builtin_imports() -> anyhow::Result<()> {
-        if !can_run_js_repl_runtime_tests().await {
-            return Ok(());
-        }
-
-        let (session, turn) = make_session_and_context().await;
-        let session = Arc::new(session);
-        let turn = Arc::new(turn);
-        let tracker = Arc::new(tokio::sync::Mutex::new(TurnDiffTracker::default()));
-        let manager = turn.js_repl.manager().await?;
-
-        let err = manager
-            .execute(
-                session,
-                turn,
-                tracker,
-                JsReplArgs {
-                    code: "await import(\"node:process\");".to_string(),
-                    timeout_ms: Some(10_000),
-                },
-            )
-            .await
-            .expect_err("node:process import should be blocked");
-        assert!(
-            err.to_string()
-                .contains("Importing module \"node:process\" is not allowed in js_repl")
-        );
-        Ok(())
-    }
-
     #[tokio::test]
     async fn js_repl_prefers_env_node_module_dirs_over_config() -> anyhow::Result<()> {
         if !can_run_js_repl_runtime_tests().await {