@adobe/spacecat-shared-tokowaka-client 1.13.5 → 1.14.0

package/CHANGELOG.md

@@ -1,3 +1,9 @@
+## [@adobe/spacecat-shared-tokowaka-client-v1.14.0](https://github.com/adobe/spacecat-shared/compare/@adobe/spacecat-shared-tokowaka-client-v1.13.5...@adobe/spacecat-shared-tokowaka-client-v1.14.0) (2026-05-04)
+
+### Features
+
+* **tokowaka-client:** add checkWafConnectivity method ([#1552](https://github.com/adobe/spacecat-shared/issues/1552)) ([46f72e3](https://github.com/adobe/spacecat-shared/commit/46f72e39964d2e6906746e2d72f843a7d4a08428))
+
 ## [@adobe/spacecat-shared-tokowaka-client-v1.13.5](https://github.com/adobe/spacecat-shared/compare/@adobe/spacecat-shared-tokowaka-client-v1.13.4...@adobe/spacecat-shared-tokowaka-client-v1.13.5) (2026-05-04)
 
 ### Bug Fixes

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@adobe/spacecat-shared-tokowaka-client",
-  "version": "1.13.5",
+  "version": "1.14.0",
   "description": "Tokowaka Client for SpaceCat - Edge optimization config management",
   "type": "module",
   "engines": {

package/src/index.js

@@ -12,7 +12,9 @@
 
 import crypto from 'crypto';
 import { GetObjectCommand, PutObjectCommand } from '@aws-sdk/client-s3';
-import { hasText, isNonEmptyObject, tracingFetch } from '@adobe/spacecat-shared-utils';
+import {
+  hasText, isNonEmptyObject, prependSchema, tracingFetch,
+} from '@adobe/spacecat-shared-utils';
 import { v4 as uuidv4 } from 'uuid';
 import MapperRegistry from './mappers/mapper-registry.js';
 import CdnClientRegistry from './cdn/cdn-client-registry.js';
@@ -26,6 +28,12 @@ import {
 import { groupSuggestionsByUrlPath, filterEligibleSuggestions } from './utils/suggestion-utils.js';
 import { getEffectiveBaseURL } from './utils/site-utils.js';
 import { fetchHtmlWithWarmup, calculateForwardedHost } from './utils/custom-html-utils.js';
+import {
+  EDGE_OPTIMIZE_PROXY_BASE_URL_DEFAULT,
+  PRIVATE_HOST_RE,
+  WAF_PROBE_TIMEOUT_MS,
+  classifyProbeResponse,
+} from './utils/waf-probe-utils.js';
 
 export { FastlyKVClient } from './fastly-kv-client.js';
 export { calculateForwardedHost } from './utils/custom-html-utils.js';
@@ -1209,6 +1217,55 @@ class TokowakaClient {
     /* c8 ignore stop */
   }
 
+  /**
+   * Probes whether a WAF or Bot Manager is blocking AdobeEdgeOptimize/1.0 traffic
+   * for the site.
+   *
+   * Probe outcomes:
+   * - Hard block: HTTP 401/403/406/429/503 → `{ reachable: false, blocked: true }`
+   * - CF challenge: cf-mitigated: challenge header → `{ reachable: false, blocked: true }`
+   * - Soft block: 2xx with bot-challenge HTML → `{ reachable: false, blocked: true }`
+   * - Pass: 2xx with real content → `{ reachable: true, blocked: false }`
+   * - Network/timeout error → `{ reachable: false, blocked: null }`
+   *
+   * This method never throws — all errors are captured into the return value.
+   * Use the separate edge-optimize status API to determine if edge optimize is active.
+   *
+   * @param {Object} site - Site entity with a `getBaseURL()` method.
+   * @returns {Promise<Object>} WAF probe result.
+   */
+  async checkWafConnectivity(site) {
+    const siteBaseUrl = site.getBaseURL();
+    let probeResult = { probedUrl: String(siteBaseUrl) };
+
+    try {
+      const normalizedUrl = prependSchema(siteBaseUrl);
+      const { host: targetHost, hostname, href: probedUrl } = new URL(normalizedUrl);
+      probeResult = { probedUrl };
+
+      if (PRIVATE_HOST_RE.test(hostname)) {
+        this.log.warn(`[edge-optimize-probe] Refusing to probe private/loopback host: ${hostname}`);
+        return { ...probeResult, reachable: false, blocked: null };
+      }
+
+      this.log.info(`[edge-optimize-probe] Probing ${targetHost} via edge optimize proxy`);
+
+      const response = await tracingFetch(EDGE_OPTIMIZE_PROXY_BASE_URL_DEFAULT, {
+        method: 'GET',
+        headers: { 'x-forwarded-host': targetHost },
+        signal: AbortSignal.timeout(WAF_PROBE_TIMEOUT_MS),
+      });
+
+      const classification = await classifyProbeResponse(response, targetHost, this.log);
+      probeResult = { ...probeResult, ...classification };
+    } catch (error) {
+      this.log.warn(`[edge-optimize-probe] Probe failed for ${siteBaseUrl}: ${error.message}`);
+      probeResult = { ...probeResult, reachable: false, blocked: null };
+    }
+
+    return probeResult;
+  }
+
   /**
    * Deploys suggestions to edge, handling both regular and domain-wide suggestions.
    *

package/src/utils/waf-probe-utils.js

@@ -0,0 +1,82 @@
+/*
+ * Copyright 2026 Adobe. All rights reserved.
+ * This file is licensed to you under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License. You may obtain a copy
+ * of the License at http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software distributed under
+ * the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR REPRESENTATIONS
+ * OF ANY KIND, either express or implied. See the License for the specific language
+ * governing permissions and limitations under the License.
+ */
+
+export const EDGE_OPTIMIZE_PROXY_BASE_URL_DEFAULT = 'https://live.edgeoptimize.net';
+
+// Blocks loopback, link-local, and RFC1918 ranges — never forward these as probe targets.
+export const PRIVATE_HOST_RE = /^(localhost$|127\.|10\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.|169\.254\.)/i;
+
+export const WAF_PROBE_TIMEOUT_MS = 15000;
+
+// Soft-block detection: vendor-specific technical identifiers that only appear in
+// WAF-generated challenge pages, never in real page content. Broad natural-language
+// terms ('challenge', 'captcha', 'access denied') are intentionally excluded — they
+// match legitimate marketing copy and reCAPTCHA script tags, producing false positives
+// at any body scan depth.
+export const BOT_CHALLENGE_KEYWORDS = [
+  'cf-chl-widget', // Cloudflare challenge widget CSS class
+  'completing the challenge', // Cloudflare-specific challenge phrase
+  '_incapsula_resource', // Imperva/Incapsula JS artifact — only in WAF-generated pages
+  'errors.edgesuite.net', // Akamai error page domain
+  'errors.edgekey.net', // Akamai edge key domain
+];
+
+// 403 and 429 are universal WAF block signals; 406 is Fastly Next-Gen WAF (Signal Sciences)
+// and some Imperva configurations. 401 covers WAF-gated auth challenges. 503 is used by
+// Akamai and others as a block response in certain configurations.
+export const HARD_BLOCK_STATUS_CODES = new Set([401, 403, 406, 429, 503]);
+
+/**
+ * Classifies an already-fetched Tokowaka-proxied response into one of four probe outcomes:
+ *   - Hard block  : HTTP status in HARD_BLOCK_STATUS_CODES → { reachable: false, blocked: true }
+ *   - CF challenge: cf-mitigated: challenge header         → { reachable: false, blocked: true }
+ *   - Soft block  : 2xx HTML body with vendor keywords     → { reachable: false, blocked: true }
+ *   - Clean pass  : 2xx with real content                  → { reachable: true,  blocked: false }
+ *   - Other       : unexpected status (e.g. redirect)      → { reachable: false, blocked: false }
+ *
+ * @param {Response} response - Fetch response from the Tokowaka proxy.
+ * @param {string} targetHost - Customer hostname, used only for log messages.
+ * @param {Object} log - Logger with an `info` method.
+ * @returns {Promise<Object>} Classification result.
+ */
+export async function classifyProbeResponse(response, targetHost, log) {
+  const { status } = response;
+
+  if (HARD_BLOCK_STATUS_CODES.has(status)) {
+    log.info(`[edge-optimize-probe] Hard block for ${targetHost}: HTTP ${status}`);
+    return { reachable: false, blocked: true, statusCode: status };
+  }
+
+  // Cloudflare active challenge: present on any response where CF is serving a managed
+  // challenge — definitive block signal regardless of HTTP status code.
+  if (response.headers.get('cf-mitigated') === 'challenge') {
+    log.info(`[edge-optimize-probe] Cloudflare challenge for ${targetHost} (cf-mitigated: challenge)`);
+    return { reachable: false, blocked: true, statusCode: status };
+  }
+
+  if (status >= 200 && status < 300) {
+    const contentType = response.headers.get('content-type') || '';
+    if (contentType.includes('text/html')) {
+      const text = await response.text();
+      const isSoftBlock = BOT_CHALLENGE_KEYWORDS.some((kw) => text.toLowerCase().includes(kw));
+      if (isSoftBlock) {
+        log.info(`[edge-optimize-probe] Soft block (challenge page) for ${targetHost}: HTTP ${status}`);
+        return { reachable: false, blocked: true, statusCode: status };
+      }
+    }
+    log.info(`[edge-optimize-probe] Clean pass for ${targetHost}: HTTP ${status}`);
+    return { reachable: true, blocked: false, statusCode: status };
+  }
+
+  log.info(`[edge-optimize-probe] Unexpected status for ${targetHost}: HTTP ${status}`);
+  return { reachable: false, blocked: false, statusCode: status };
+}

package/test/index.test.js

@@ -4338,6 +4338,194 @@ describe('TokowakaClient', () => {
     });
   });
 
+  describe('checkWafConnectivity', () => {
+    let tracingFetchStub;
+    let esmockClient;
+    let mockSiteWaf;
+
+    beforeEach(async () => {
+      tracingFetchStub = sinon.stub();
+
+      const MockedTokowakaClient = await esmock('../src/index.js', {
+        '@adobe/spacecat-shared-utils': {
+          hasText: (val) => typeof val === 'string' && val.trim().length > 0,
+          isNonEmptyObject: (val) => val !== null && typeof val === 'object' && Object.keys(val).length > 0,
+          prependSchema: (url) => (url.startsWith('http') ? url : `https://${url}`),
+          tracingFetch: tracingFetchStub,
+        },
+      });
+
+      esmockClient = new MockedTokowakaClient(
+        {
+          bucketName: 'test-bucket',
+          previewBucketName: 'test-preview-bucket',
+          s3Client: { send: sinon.stub().resolves() },
+          env: {
+            TOKOWAKA_CDN_PROVIDER: 'cloudfront',
+            TOKOWAKA_CDN_CONFIG: JSON.stringify({ cloudfront: { distributionId: 'E123456', region: 'us-east-1' } }),
+          },
+        },
+        log,
+      );
+
+      mockSiteWaf = {
+        getId: () => 'waf-site-id',
+        getBaseURL: () => 'https://example.com',
+      };
+    });
+
+    const makeHeaders = (plain = {}) => new Headers(plain);
+
+    describe('Hard block — status codes', () => {
+      [401, 403, 406, 429, 503].forEach((status) => {
+        it(`returns blocked:true for HTTP ${status}`, async () => {
+          tracingFetchStub.resolves({ status, headers: makeHeaders() });
+          const result = await esmockClient.checkWafConnectivity(mockSiteWaf);
+          expect(result.blocked).to.equal(true);
+          expect(result.reachable).to.equal(false);
+          expect(result.statusCode).to.equal(status);
+        });
+      });
+    });
+
+    describe('Cloudflare header detection', () => {
+      it('returns blocked:true when cf-mitigated: challenge header is present', async () => {
+        tracingFetchStub.resolves({
+          status: 200,
+          headers: makeHeaders({ 'cf-mitigated': 'challenge' }),
+          text: sinon.stub().resolves('<html>Just a moment</html>'),
+        });
+        const result = await esmockClient.checkWafConnectivity(mockSiteWaf);
+        expect(result.blocked).to.equal(true);
+        expect(result.reachable).to.equal(false);
+        expect(result.statusCode).to.equal(200);
+      });
+
+      it('returns blocked:false when cf-mitigated header is absent (Cloudflare passing)', async () => {
+        tracingFetchStub.resolves({
+          status: 200,
+          headers: makeHeaders({ 'cf-ray': 'abc123-LHR' }),
+          text: sinon.stub().resolves('<html><body>Welcome</body></html>'),
+        });
+        const result = await esmockClient.checkWafConnectivity(mockSiteWaf);
+        expect(result.blocked).to.equal(false);
+        expect(result.reachable).to.equal(true);
+      });
+    });
+
+    describe('Soft block — vendor-specific keyword detection', () => {
+      const makeSoftBlockResponse = (bodyKeyword) => ({
+        status: 200,
+        headers: makeHeaders({ 'content-type': 'text/html' }),
+        text: sinon.stub().resolves(`<html><body>${bodyKeyword}</body></html>`),
+      });
+
+      it('detects Cloudflare challenge via cf-chl-widget', async () => {
+        tracingFetchStub.resolves(makeSoftBlockResponse('<div class="cf-chl-widget"></div>'));
+        const result = await esmockClient.checkWafConnectivity(mockSiteWaf);
+        expect(result.blocked).to.equal(true);
+      });
+
+      it('detects Imperva challenge via _Incapsula_Resource', async () => {
+        tracingFetchStub.resolves(makeSoftBlockResponse('window._incapsula_resource={}'));
+        const result = await esmockClient.checkWafConnectivity(mockSiteWaf);
+        expect(result.blocked).to.equal(true);
+      });
+
+      it('detects Akamai error page via errors.edgesuite.net', async () => {
+        tracingFetchStub.resolves(makeSoftBlockResponse('<a href="https://errors.edgesuite.net/abc">Reference</a>'));
+        const result = await esmockClient.checkWafConnectivity(mockSiteWaf);
+        expect(result.blocked).to.equal(true);
+      });
+
+      it('detects Akamai error page via errors.edgekey.net', async () => {
+        tracingFetchStub.resolves(makeSoftBlockResponse('<a href="https://errors.edgekey.net/abc">Reference</a>'));
+        const result = await esmockClient.checkWafConnectivity(mockSiteWaf);
+        expect(result.blocked).to.equal(true);
+      });
+    });
+
+    describe('False positive prevention — broad natural-language terms no longer trigger block', () => {
+      const makeNormalPage = (text) => ({
+        status: 200,
+        headers: makeHeaders({ 'content-type': 'text/html' }),
+        text: sinon.stub().resolves(`<html><body>${text}</body></html>`),
+      });
+
+      it('does not flag page containing the word "challenge" in marketing copy', async () => {
+        tracingFetchStub.resolves(makeNormalPage('Take the 30-day challenge today!'));
+        const result = await esmockClient.checkWafConnectivity(mockSiteWaf);
+        expect(result.blocked).to.equal(false);
+        expect(result.reachable).to.equal(true);
+      });
+
+      it('does not flag page containing "captcha" in reCAPTCHA script tag', async () => {
+        tracingFetchStub.resolves(makeNormalPage(
+          '<script src="https://www.google.com/recaptcha/api.js"></script>',
+        ));
+        const result = await esmockClient.checkWafConnectivity(mockSiteWaf);
+        expect(result.blocked).to.equal(false);
+        expect(result.reachable).to.equal(true);
+      });
+
+      it('does not flag page containing "access denied" in help text', async () => {
+        tracingFetchStub.resolves(makeNormalPage(
+          '<p>If access is denied, contact your administrator.</p>',
+        ));
+        const result = await esmockClient.checkWafConnectivity(mockSiteWaf);
+        expect(result.blocked).to.equal(false);
+        expect(result.reachable).to.equal(true);
+      });
+
+      it('does not flag 200 JSON response', async () => {
+        tracingFetchStub.resolves({
+          status: 200,
+          headers: makeHeaders({ 'content-type': 'application/json' }),
+        });
+        const result = await esmockClient.checkWafConnectivity(mockSiteWaf);
+        expect(result.blocked).to.equal(false);
+        expect(result.reachable).to.equal(true);
+      });
+    });
+
+    describe('Network errors', () => {
+      it('returns blocked:null on AbortError (timeout)', async () => {
+        const err = new Error('The operation was aborted');
+        err.name = 'TimeoutError';
+        tracingFetchStub.rejects(err);
+        const result = await esmockClient.checkWafConnectivity(mockSiteWaf);
+        expect(result.blocked).to.equal(null);
+        expect(result.reachable).to.equal(false);
+      });
+
+      it('returns blocked:null on network failure', async () => {
+        tracingFetchStub.rejects(new Error('ECONNREFUSED'));
+        const result = await esmockClient.checkWafConnectivity(mockSiteWaf);
+        expect(result.blocked).to.equal(null);
+        expect(result.reachable).to.equal(false);
+      });
+    });
+
+    describe('Unexpected status (e.g. redirect)', () => {
+      it('returns blocked:false for a 301 redirect response', async () => {
+        tracingFetchStub.resolves({ status: 301, headers: makeHeaders() });
+        const result = await esmockClient.checkWafConnectivity(mockSiteWaf);
+        expect(result.blocked).to.equal(false);
+        expect(result.reachable).to.equal(false);
+        expect(result.statusCode).to.equal(301);
+      });
+    });
+
+    describe('Private host rejection', () => {
+      it('returns blocked:null without probing for private IP host', async () => {
+        const privateSite = { getId: () => 'p1', getBaseURL: () => 'http://192.168.1.1' };
+        const result = await esmockClient.checkWafConnectivity(privateSite);
+        expect(result.blocked).to.equal(null);
+        expect(tracingFetchStub).to.not.have.been.called;
+      });
+    });
+  });
+
   describe('deployToEdge', () => {
     let deploySuggestionsStub;
     let fetchMetaconfigStub;

package/test/utils/waf-probe-utils.test.js

@@ -0,0 +1,197 @@
+/*
+ * Copyright 2026 Adobe. All rights reserved.
+ * This file is licensed to you under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License. You may obtain a copy
+ * of the License at http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software distributed under
+ * the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR REPRESENTATIONS
+ * OF ANY KIND, either express or implied. See the License for the specific language
+ * governing permissions and limitations under the License.
+ */
+
+import { expect } from 'chai';
+import sinon from 'sinon';
+import {
+  classifyProbeResponse,
+  BOT_CHALLENGE_KEYWORDS,
+  HARD_BLOCK_STATUS_CODES,
+  PRIVATE_HOST_RE,
+  WAF_PROBE_TIMEOUT_MS,
+  EDGE_OPTIMIZE_PROXY_BASE_URL_DEFAULT,
+} from '../../src/utils/waf-probe-utils.js';
+
+function makeResponse(status, headers = {}, body = '') {
+  return {
+    status,
+    headers: { get: (name) => headers[name.toLowerCase()] ?? null },
+    text: async () => body,
+  };
+}
+
+describe('waf-probe-utils', () => {
+  let log;
+
+  beforeEach(() => {
+    log = { info: sinon.stub() };
+  });
+
+  // ── Exported constants ──────────────────────────────────────────────────────
+
+  describe('constants', () => {
+    it('exports the correct proxy base URL', () => {
+      expect(EDGE_OPTIMIZE_PROXY_BASE_URL_DEFAULT).to.equal('https://live.edgeoptimize.net');
+    });
+
+    it('exports the correct timeout', () => {
+      expect(WAF_PROBE_TIMEOUT_MS).to.equal(15000);
+    });
+
+    it('HARD_BLOCK_STATUS_CODES covers expected codes', () => {
+      const hardCodes = [401, 403, 406, 429, 503];
+      expect(hardCodes.every((code) => HARD_BLOCK_STATUS_CODES.has(code))).to.be.true;
+      expect(HARD_BLOCK_STATUS_CODES.has(200)).to.be.false;
+    });
+
+    it('PRIVATE_HOST_RE blocks loopback, link-local, and RFC1918 ranges', () => {
+      ['localhost', '127.0.0.1', '10.0.0.1', '192.168.1.1', '172.16.0.1', '169.254.1.1'].forEach(
+        (host) => expect(PRIVATE_HOST_RE.test(host), host).to.be.true,
+      );
+      expect(PRIVATE_HOST_RE.test('example.com')).to.be.false;
+    });
+
+    it('BOT_CHALLENGE_KEYWORDS are all vendor-specific identifiers', () => {
+      expect(BOT_CHALLENGE_KEYWORDS).to.be.an('array').with.length.above(0);
+      // Broad natural-language terms must not appear — they cause false positives
+      ['challenge', 'captcha', 'access denied'].forEach(
+        (broad) => expect(BOT_CHALLENGE_KEYWORDS).to.not.include(broad),
+      );
+    });
+  });
+
+  // ── classifyProbeResponse ───────────────────────────────────────────────────
+
+  describe('classifyProbeResponse', () => {
+    describe('hard block status codes', () => {
+      [401, 403, 406, 429, 503].forEach((code) => {
+        it(`classifies HTTP ${code} as blocked`, async () => {
+          const result = await classifyProbeResponse(makeResponse(code), 'example.com', log);
+          expect(result).to.deep.equal({ reachable: false, blocked: true, statusCode: code });
+        });
+      });
+    });
+
+    describe('Cloudflare active challenge', () => {
+      it('classifies cf-mitigated: challenge header as blocked on 200', async () => {
+        const response = makeResponse(200, { 'cf-mitigated': 'challenge' });
+        const result = await classifyProbeResponse(response, 'example.com', log);
+        expect(result).to.deep.equal({ reachable: false, blocked: true, statusCode: 200 });
+      });
+
+      it('classifies cf-mitigated: challenge header as blocked on non-block status', async () => {
+        const response = makeResponse(202, { 'cf-mitigated': 'challenge' });
+        const result = await classifyProbeResponse(response, 'example.com', log);
+        expect(result).to.deep.equal({ reachable: false, blocked: true, statusCode: 202 });
+      });
+    });
+
+    describe('soft block — vendor keyword detection', () => {
+      [
+        ['Cloudflare widget class', 'cf-chl-widget', '<div class="cf-chl-widget"></div>'],
+        ['Cloudflare challenge phrase', 'completing the challenge', 'Please completing the challenge to continue'],
+        ['Imperva artifact', '_incapsula_resource', 'window._incapsula_resource={}'],
+        ['Akamai edgesuite domain', 'errors.edgesuite.net', 'See errors.edgesuite.net for details'],
+        ['Akamai edgekey domain', 'errors.edgekey.net', 'See errors.edgekey.net for details'],
+      ].forEach(([label, , body]) => {
+        it(`detects soft block: ${label}`, async () => {
+          const response = makeResponse(200, { 'content-type': 'text/html' }, body);
+          const result = await classifyProbeResponse(response, 'example.com', log);
+          expect(result).to.deep.equal({ reachable: false, blocked: true, statusCode: 200 });
+        });
+      });
+
+      it('is case-insensitive for keyword matching', async () => {
+        const response = makeResponse(200, { 'content-type': 'text/html' }, 'CF-CHL-WIDGET visible');
+        const result = await classifyProbeResponse(response, 'example.com', log);
+        expect(result).to.deep.equal({ reachable: false, blocked: true, statusCode: 200 });
+      });
+    });
+
+    describe('false positive prevention — real content must not trigger soft block', () => {
+      [
+        ['reCAPTCHA script tag', '<script src="recaptcha/api.js">'],
+        ['legitimate captcha link text', 'Complete the CAPTCHA to prove you are human'],
+        ['marketing copy with challenge', 'This challenge will test your creativity'],
+        ['access denied in content', '<p>Access denied to premium content without subscription</p>'],
+        ['JSON non-HTML response', '{"status":"ok"}'],
+        ['plain text non-HTML', 'Hello world'],
+      ].forEach(([label, body]) => {
+        it(`passes clean: ${label}`, async () => {
+          const response = makeResponse(200, { 'content-type': 'text/html' }, body);
+          const result = await classifyProbeResponse(response, 'example.com', log);
+          expect(result).to.deep.equal({ reachable: true, blocked: false, statusCode: 200 });
+        });
+      });
+
+      it('skips body scan for non-HTML content types', async () => {
+        const response = makeResponse(200, { 'content-type': 'application/json' }, 'cf-chl-widget');
+        const result = await classifyProbeResponse(response, 'example.com', log);
+        expect(result).to.deep.equal({ reachable: true, blocked: false, statusCode: 200 });
+      });
+
+      it('skips body scan when content-type header is absent', async () => {
+        const response = makeResponse(200, {}, 'cf-chl-widget');
+        const result = await classifyProbeResponse(response, 'example.com', log);
+        expect(result).to.deep.equal({ reachable: true, blocked: false, statusCode: 200 });
+      });
+    });
+
+    describe('clean pass', () => {
+      [200, 201, 204].forEach((code) => {
+        it(`classifies HTTP ${code} clean HTML as reachable`, async () => {
+          const response = makeResponse(code, { 'content-type': 'text/html' }, '<h1>Welcome</h1>');
+          const result = await classifyProbeResponse(response, 'example.com', log);
+          expect(result).to.deep.equal({ reachable: true, blocked: false, statusCode: code });
+        });
+      });
+    });
+
+    describe('unexpected / redirect status codes', () => {
+      [301, 302, 307].forEach((code) => {
+        it(`classifies HTTP ${code} as not reachable, not blocked`, async () => {
+          const result = await classifyProbeResponse(makeResponse(code), 'example.com', log);
+          expect(result).to.deep.equal({ reachable: false, blocked: false, statusCode: code });
+        });
+      });
+    });
+
+    describe('logging', () => {
+      it('logs hard block with status code', async () => {
+        await classifyProbeResponse(makeResponse(403), 'example.com', log);
+        expect(log.info.calledWithMatch('[edge-optimize-probe] Hard block for example.com: HTTP 403')).to.be.true;
+      });
+
+      it('logs Cloudflare challenge with header info', async () => {
+        await classifyProbeResponse(makeResponse(200, { 'cf-mitigated': 'challenge' }), 'example.com', log);
+        expect(log.info.calledWithMatch('cf-mitigated: challenge')).to.be.true;
+      });
+
+      it('logs soft block with status code', async () => {
+        const response = makeResponse(200, { 'content-type': 'text/html' }, 'cf-chl-widget');
+        await classifyProbeResponse(response, 'example.com', log);
+        expect(log.info.calledWithMatch('[edge-optimize-probe] Soft block')).to.be.true;
+      });
+
+      it('logs clean pass with status code', async () => {
+        const response = makeResponse(200, { 'content-type': 'text/html' }, '<h1>OK</h1>');
+        await classifyProbeResponse(response, 'example.com', log);
+        expect(log.info.calledWithMatch('[edge-optimize-probe] Clean pass for example.com: HTTP 200')).to.be.true;
+      });
+
+      it('logs unexpected status', async () => {
+        await classifyProbeResponse(makeResponse(302), 'example.com', log);
+        expect(log.info.calledWithMatch('[edge-optimize-probe] Unexpected status for example.com: HTTP 302')).to.be.true;
+      });
+    });
+  });
+});