fix: harden runtime profile selection

cmd/crabbox-ssh-gateway/main.go

@@ -562,8 +562,9 @@ func printHelp(out io.Writer, user user) {
 	fmt.Fprintln(out, "commands:")
 	fmt.Fprintln(out, "  whoami")
 	fmt.Fprintln(out, "  list")
-	fmt.Fprintln(out, "  new [--repo owner/repo] [--branch main] [--runtime crabbox|container] [--parent id] [--purpose text] [--command codex] [--vnc] [prompt]")
+	fmt.Fprintln(out, "  new [--repo owner/repo] [--branch main] [--runtime crabbox|container] [--profile name] [--parent id] [--purpose text] [--command codex] [--vnc] [prompt]")
 	fmt.Fprintln(out, "      --runtime overrides the deployment default")
+	fmt.Fprintln(out, "      --profile overrides the deployment default")
 	fmt.Fprintln(out, "  attach SESSION_ID")
 	fmt.Fprintln(out, "  vnc SESSION_ID")
 	fmt.Fprintln(out, "  delete SESSION_ID")

cmd/crabbox-ssh-gateway/main_test.go

@@ -215,6 +215,15 @@ func TestHelpNamesDeleteAsCanonicalCommand(t *testing.T) {
 	}
 }
 
+func TestHelpDocumentsProfileOverride(t *testing.T) {
+	var output bytes.Buffer
+	printHelp(&output, user{Login: "operator", Role: "owner"})
+	if got := output.String(); !strings.Contains(got, "[--profile name]") ||
+		!strings.Contains(got, "--profile overrides the deployment default") {
+		t.Fatalf("help = %q", got)
+	}
+}
+
 func TestLegacyProviderCleanupWarningRequiresConfirmedLegacyStop(t *testing.T) {
 	if !legacyProviderCleanupMayBeRequired(interactiveSession{Status: "stopped"}) {
 		t.Fatal("confirmed legacy stop should retain the cleanup warning")

src/app/utils.js

@@ -394,14 +394,20 @@ export function runtimeProfileOptionLabel(profile) {
   if (profile?.target && String(profile.target).toLowerCase() !== label.toLowerCase()) {
     details.push(String(profile.target));
   }
+  const effectiveCapabilities = {
+    terminal: true,
+    desktop: true,
+    vnc: true,
+    ...profile?.capabilities,
+  };
   const capabilities = [
     ["terminal", "terminal"],
     ["desktop", "desktop"],
     ["vnc", "VNC"],
   ]
-    .filter(([name]) => profile?.capabilities?.[name] === true)
+    .filter(([name]) => effectiveCapabilities[name] === true)
     .map(([, name]) => name);
-  if (capabilities.length > 0) details.push(capabilities.join(", "));
+  details.push(capabilities.length > 0 ? capabilities.join(", ") : "no terminal or desktop");
   return details.length > 0 ? `${label} — ${details.join(" · ")}` : label;
 }
 

src/index.ts

@@ -1093,6 +1093,18 @@ function deploymentConfig(env: RuntimeEnv): DeploymentConfig {
   };
 }
 
+function selectedRuntimeProfile(
+  deployment: DeploymentConfig,
+  value: unknown,
+): { profile: string; descriptor: RuntimeProfileDescriptor | undefined } {
+  const profile = clean(value, 120) || deployment.defaultProfile;
+  const descriptor = runtimeProfileByID(deployment.runtimeProfiles, profile);
+  if (deployment.runtimeProfiles.length > 0 && !descriptor) {
+    throw badRequest("profile is not configured");
+  }
+  return { profile, descriptor };
+}
+
 function publicDeploymentConfig(env: RuntimeEnv): PublicDeploymentConfig {
   const { label, canonicalUrl, productUrl, sshHost } = deploymentConfig(env);
   return {
@@ -4113,11 +4125,7 @@ async function createInteractiveSessionFromInput(
     | "crabbox"
     | "container";
   requireRuntimeAdapterCreatePreflight(env, runtime);
-  const profile = clean(body.profile, 120) || deployment.defaultProfile;
-  const runtimeProfile = runtimeProfileByID(deployment.runtimeProfiles, profile);
-  if (deployment.runtimeProfiles.length > 0 && !runtimeProfile) {
-    throw badRequest("profile is not configured");
-  }
+  const { profile, descriptor: runtimeProfile } = selectedRuntimeProfile(deployment, body.profile);
   const requestedCapabilities = runtimeProfileCapabilities(
     runtime === "crabbox" ? runtimeProfile : undefined,
     runtime === "crabbox" ? crabboxCapabilities : containerCapabilities,
@@ -8767,7 +8775,7 @@ async function provisionInteractiveEndpoint(
     | "crabbox"
     | "container";
   const command = interactiveCommand(session.command);
-  const profile = clean(session.profile, 120) || deploymentConfig(env).defaultProfile;
+  const { profile } = selectedRuntimeProfile(deploymentConfig(env), session.profile);
   const prompt = clean(session.prompt, 4000);
   const purpose = interactiveSessionPurpose(session.purpose, prompt, repo, branch, command);
   const summary = interactiveSessionSummary(session.summary, purpose, prompt);

src/runtime-profiles.ts

@@ -60,7 +60,7 @@ export function parseRuntimeProfiles(value: string | undefined): RuntimeProfileD
     seen.add(id);
     seenLabels.add(normalizedLabel);
 
-    const rawCapabilities = entry.capabilities ?? {};
+    const rawCapabilities = entry.capabilities === undefined ? {} : entry.capabilities;
     if (
       !isRecord(rawCapabilities) ||
       Object.keys(rawCapabilities).some((key) => !capabilityNameSet.has(key))

tests/app-utils.test.ts

@@ -129,7 +129,7 @@ test("runtime profile options expose target and enabled capabilities", () => {
       target: "linux",
       capabilities: {},
     }),
-    "Linux",
+    "Linux — terminal, desktop, VNC",
   );
 });
 

tests/runtime-adapter.test.ts

@@ -110,15 +110,18 @@ test("configured profiles fence every adapter runtime and preserve requested cap
   const createStart = source.indexOf("async function createInteractiveSessionFromInput");
   const createEnd = source.indexOf("function initialRuntimeAdapterWorkspaceId", createStart);
   const createSource = source.slice(createStart, createEnd);
+  const profileStart = source.indexOf("function selectedRuntimeProfile");
+  const profileEnd = source.indexOf("function publicDeploymentConfig", profileStart);
+  const profileSource = source.slice(profileStart, profileEnd);
   const resultStart = source.indexOf("function runtimeAdapterProvisionResult");
   const resultEnd = source.indexOf(
     "async function reconcileStoppingRuntimeAdapterWorkspace",
     resultStart,
   );
   const resultSource = source.slice(resultStart, resultEnd);
 
-  assert.match(createSource, /deployment\.runtimeProfiles\.length > 0 && !runtimeProfile/);
-  assert.doesNotMatch(createSource, /runtime === "crabbox" && deployment\.runtimeProfiles/);
+  assert.match(createSource, /selectedRuntimeProfile\(deployment, body\.profile\)/);
+  assert.match(profileSource, /deployment\.runtimeProfiles\.length > 0 && !descriptor/);
   assert.match(resultSource, /session\.adapterRequestedCapabilities \?\?/);
 });
 

tests/runtime-profiles.test.ts

@@ -52,6 +52,7 @@ test("runtime profile catalog fails closed on malformed or ambiguous input", ()
     '[{"id":"a","label":" A"}]',
     '[{"id":"a","label":"A\\nB"}]',
     '[{"id":"a","label":"A","capabilities":{"desktop":"yes"}}]',
+    '[{"id":"a","label":"A","capabilities":null}]',
     '[{"id":"a","label":"A","capabilities":{"unknown":true}}]',
     '[{"id":"a","label":"A","privateProvider":"hidden"}]',
   ];
@@ -65,9 +66,12 @@ test("runtime profile catalog fails closed on malformed or ambiguous input", ()
 test("profile allowlisting and capability withdrawals stay enforced at provisioning", async () => {
   const source = await readFile(new URL("../src/index.ts", import.meta.url), "utf8");
   const selectionStart = source.indexOf("const profile = clean(body.profile");
-  const selectionEnd = source.indexOf("const command = interactiveCommand", selectionStart);
-  const selection = source.slice(selectionStart, selectionEnd);
-  assert.match(selection, /deployment\.runtimeProfiles\.length > 0 && !runtimeProfile/);
+  assert.equal(selectionStart, -1);
+  const helperStart = source.indexOf("function selectedRuntimeProfile");
+  const helperEnd = source.indexOf("function publicDeploymentConfig", helperStart);
+  const helper = source.slice(helperStart, helperEnd);
+  assert.match(helper, /deployment\.runtimeProfiles\.length > 0 && !descriptor/);
+  assert.ok(source.indexOf("selectedRuntimeProfile(deploymentConfig(env), session.profile)") > 0);
 
   const resultStart = source.indexOf("function runtimeAdapterProvisionResult");
   const resultEnd = source.indexOf(