feat: US-020 - Add SFTP large file transfer and rename e2e-docker fixture

Author: NathanFlurry

packages/secure-exec/tests/e2e-docker/ssh2-sftp-large/fixture.json

@@ -0,0 +1,5 @@
+{
+	"entry": "src/index.js",
+	"expectation": "pass",
+	"services": ["ssh"]
+}

packages/secure-exec/tests/e2e-docker/ssh2-sftp-large/package.json

@@ -0,0 +1,8 @@
+{
+	"name": "e2e-docker-ssh2-sftp-large",
+	"private": true,
+	"type": "commonjs",
+	"dependencies": {
+		"ssh2": "1.17.0"
+	}
+}

packages/secure-exec/tests/e2e-docker/ssh2-sftp-large/src/index.js

@@ -0,0 +1,90 @@
+const { createHash } = require("crypto");
+const { Client } = require("ssh2");
+
+// Generate deterministic 1MB payload
+function generatePayload(size) {
+	const buf = Buffer.alloc(size);
+	for (let i = 0; i < size; i++) {
+		buf[i] = i & 0xff;
+	}
+	return buf;
+}
+
+function hashBuffer(buf) {
+	return createHash("sha256").update(buf).digest("hex");
+}
+
+async function main() {
+	const PAYLOAD_SIZE = 1024 * 1024; // 1MB
+	const payload = generatePayload(PAYLOAD_SIZE);
+	const uploadHash = hashBuffer(payload);
+
+	const result = await new Promise((resolve, reject) => {
+		const conn = new Client();
+
+		conn.on("ready", () => {
+			conn.sftp((err, sftp) => {
+				if (err) return reject(err);
+
+				const uploadPath = "/home/testuser/upload/large-test.bin";
+				const renamedPath = "/home/testuser/upload/large-renamed.bin";
+
+				// Upload via createWriteStream
+				const ws = sftp.createWriteStream(uploadPath);
+				ws.on("error", reject);
+				ws.end(payload, () => {
+					// Stat uploaded file
+					sftp.stat(uploadPath, (err, uploadStats) => {
+						if (err) return reject(err);
+
+						// Rename the file
+						sftp.rename(uploadPath, renamedPath, (err) => {
+							if (err) return reject(err);
+
+							// Download via createReadStream
+							const rs = sftp.createReadStream(renamedPath);
+							const chunks = [];
+							rs.on("data", (chunk) => chunks.push(chunk));
+							rs.on("error", reject);
+							rs.on("end", () => {
+								const downloaded = Buffer.concat(chunks);
+								const downloadHash = hashBuffer(downloaded);
+
+								// Cleanup
+								sftp.unlink(renamedPath, (err) => {
+									conn.end();
+									if (err) return reject(err);
+									resolve({
+										uploadSize: PAYLOAD_SIZE,
+										uploadHash,
+										statSize: uploadStats.size,
+										downloadSize: downloaded.length,
+										downloadHash,
+										hashMatch: uploadHash === downloadHash,
+										renamed: true,
+									});
+								});
+							});
+						});
+					});
+				});
+			});
+		});
+
+		conn.on("error", reject);
+
+		conn.connect({
+			host: process.env.SSH_HOST,
+			port: Number(process.env.SSH_PORT),
+			username: "testuser",
+			password: "testpass",
+		});
+	});
+
+	console.log(JSON.stringify(result));
+}
+
+main().catch((err) => {
+	console.error(err.message);
+	process.exit(1);
+});

progress.txt

@@ -2719,3 +2719,14 @@ PRD: ralph/kernel-hardening (46 stories)
   - For error path fixtures, only serialize err.message (and err.level for ssh2) — err.code/err.errno are missing in sandbox
   - ssh2 auth failure emits error with level="client-authentication" — useful for distinguishing auth errors from connection errors
 ---
+
+## 2026-03-19 - US-020
+- Added SFTP large file transfer and rename e2e-docker fixture
+- Fixture generates deterministic 1MB payload (byte pattern: i & 0xFF), uploads via createWriteStream, renames via sftp.rename(), downloads via createReadStream, verifies integrity via SHA-256 hash comparison
+- Files created: packages/secure-exec/tests/e2e-docker/ssh2-sftp-large/{package.json,fixture.json,src/index.js}
+- Host and sandbox produce identical output; parity test passes (~4.2s)
+- **Learnings for future iterations:**
+  - createWriteStream/createReadStream for SFTP work through the sandbox net bridge without issues — TCP buffer management handles 1MB+ transfers
+  - sftp.rename() works through the sandbox with no additional bridge work needed
+  - Deterministic payload generation (byte pattern loop) is simpler and more reliable than random data for parity testing
+---

scripts/ralph/prd.json

@@ -357,8 +357,8 @@
         "Tests pass"
       ],
       "priority": 20,
-      "passes": false,
-      "notes": "The current SFTP fixture only transfers 18 bytes. Larger transfers stress the sandbox's TCP buffer management, stream backpressure handling, and memory limits. Also tests createReadStream (streaming) which exercises different buffer management than readFile (buffered)."
+      "passes": true,
+      "notes": "Completed. Fixture ssh2-sftp-large generates deterministic 1MB payload, uploads via createWriteStream, renames via sftp.rename(), downloads via createReadStream, verifies integrity via SHA-256 hash comparison. Host and sandbox produce identical output."
     },
     {
       "id": "US-021",