@aria-cli/tools 1.0.9 → 1.0.11

package/tests/executors/deploy.test.ts

@@ -1,746 +0,0 @@
-/**
- * Deploy tool executor tests (TDD — tests written before implementation of missing features)
- *
- * Tests cover:
- * - OS detection parsing from SSH output
- * - Linux distro detection (apt/dnf/apk)
- * - Package manager + Node install command selection
- * - Firewall command generation (ufw/iptables/firewalld/Windows)
- * - TLS cert discovery logic
- * - Config JSON generation
- * - Health check URL construction
- * - Auto-deny in daemon autorun mode
- * - Target validation / injection prevention
- * - Deploy output shape (including tlsType)
- */
-
-import { describe, it, expect, vi, beforeEach } from "vitest";
-import type { ToolContext } from "../../src/types.js";
-import {
-  detectOS,
-  detectLinuxDistro,
-  getNodeInstallCommand,
-  getFirewallCommands,
-  discoverTlsCerts,
-  buildConfigJson,
-  buildHealthCheckUrl,
-  validateRepoUrl,
-  validateBranch,
-  validateArionName,
-  validateSshKeyPath,
-  validateCommitHash,
-  getFirewallUndoCommands,
-  buildRollbackCommands,
-  deepMergeConfig,
-  getKeyPermissionCommands,
-  PINNED_PNPM_VERSION,
-  type OSInfo,
-  type LinuxDistro,
-  type TlsDiscoveryResult,
-  type DeployStep,
-} from "../../src/executors/deploy.js";
-import { executeDeploy } from "../../src/executors/deploy.js";
-
-// ============================================================================
-// OS Detection
-// ============================================================================
-
-describe("detectOS", () => {
-  it("should detect Linux from uname output", () => {
-    const result = detectOS("Linux");
-    expect(result.os).toBe("linux");
-  });
-
-  it("should detect macOS from uname output", () => {
-    const result = detectOS("Darwin");
-    expect(result.os).toBe("darwin");
-  });
-
-  it("should detect Windows from systeminfo-style output", () => {
-    const result = detectOS("MINGW64_NT-10.0-19045");
-    expect(result.os).toBe("windows");
-  });
-
-  it("should return unknown for unrecognized OS", () => {
-    const result = detectOS("FreeBSD");
-    expect(result.os).toBe("unknown");
-  });
-
-  it("should handle empty string", () => {
-    const result = detectOS("");
-    expect(result.os).toBe("unknown");
-  });
-
-  it("should handle UNKNOWN string from failed uname", () => {
-    const result = detectOS("UNKNOWN");
-    expect(result.os).toBe("unknown");
-  });
-});
-
-// ============================================================================
-// Linux Distro Detection
-// ============================================================================
-
-describe("detectLinuxDistro", () => {
-  it("should detect Debian/Ubuntu (apt)", () => {
-    const osRelease = `NAME="Ubuntu"
-VERSION="22.04.3 LTS (Jammy Jellyfish)"
-ID=ubuntu
-ID_LIKE=debian`;
-    const result = detectLinuxDistro(osRelease);
-    expect(result).toBe("apt");
-  });
-
-  it("should detect Fedora/RHEL (dnf)", () => {
-    const osRelease = `NAME="Fedora Linux"
-VERSION="39 (Workstation Edition)"
-ID=fedora`;
-    const result = detectLinuxDistro(osRelease);
-    expect(result).toBe("dnf");
-  });
-
-  it("should detect RHEL with yum fallback (dnf)", () => {
-    const osRelease = `NAME="Red Hat Enterprise Linux"
-ID=rhel
-ID_LIKE="fedora"`;
-    const result = detectLinuxDistro(osRelease);
-    expect(result).toBe("dnf");
-  });
-
-  it("should detect Alpine (apk)", () => {
-    const osRelease = `NAME="Alpine Linux"
-ID=alpine`;
-    const result = detectLinuxDistro(osRelease);
-    expect(result).toBe("apk");
-  });
-
-  it("should detect Amazon Linux (dnf)", () => {
-    const osRelease = `NAME="Amazon Linux"
-ID=amzn
-ID_LIKE="centos rhel fedora"`;
-    const result = detectLinuxDistro(osRelease);
-    expect(result).toBe("dnf");
-  });
-
-  it("should detect SUSE (zypper -> dnf fallback)", () => {
-    const osRelease = `NAME="openSUSE Leap"
-ID=opensuse-leap
-ID_LIKE="suse opensuse"`;
-    const result = detectLinuxDistro(osRelease);
-    expect(result).toBe("dnf");
-  });
-
-  it("should fall back to apt for unknown distro", () => {
-    const result = detectLinuxDistro("");
-    expect(result).toBe("apt");
-  });
-
-  it("should handle Arch (pacman -> apt fallback)", () => {
-    const osRelease = `NAME="Arch Linux"
-ID=arch`;
-    // We don't support pacman natively, so fallback to nvm-based install
-    const result = detectLinuxDistro(osRelease);
-    expect(result).toBe("apt"); // fallback
-  });
-});
-
-// ============================================================================
-// Node Install Command Selection
-// ============================================================================
-
-describe("getNodeInstallCommand", () => {
-  it("should return nvm command for Linux apt", () => {
-    const cmd = getNodeInstallCommand({ os: "linux" }, "apt");
-    expect(cmd).toContain("nvm");
-    expect(cmd).toContain("install");
-  });
-
-  it("should return dnf command for Linux dnf", () => {
-    const cmd = getNodeInstallCommand({ os: "linux" }, "dnf");
-    expect(cmd).toContain("dnf");
-    expect(cmd).toContain("nodejs");
-  });
-
-  it("should return apk command for Linux apk (Alpine)", () => {
-    const cmd = getNodeInstallCommand({ os: "linux" }, "apk");
-    expect(cmd).toContain("apk");
-    expect(cmd).toContain("nodejs");
-  });
-
-  it("should return brew/nvm command for macOS", () => {
-    const cmd = getNodeInstallCommand({ os: "darwin" }, "apt");
-    expect(cmd).toMatch(/brew|nvm/);
-  });
-
-  it("should return winget command for Windows", () => {
-    const cmd = getNodeInstallCommand({ os: "windows" }, "apt");
-    expect(cmd).toContain("winget");
-    expect(cmd).toContain("NodeJS");
-  });
-
-  it("should throw for unknown OS", () => {
-    expect(() => getNodeInstallCommand({ os: "unknown" }, "apt")).toThrow(/unsupported/i);
-  });
-});
-
-// ============================================================================
-// Firewall Command Generation
-// ============================================================================
-
-describe("getFirewallCommands", () => {
-  it("should generate ufw commands", () => {
-    const cmds = getFirewallCommands("ufw");
-    expect(cmds).toContain("ufw allow 443/tcp");
-    expect(cmds).toContain("ufw allow 51820/udp");
-  });
-
-  it("should generate iptables commands", () => {
-    const cmds = getFirewallCommands("iptables");
-    expect(cmds).toContain("iptables");
-    expect(cmds).toContain("443");
-    expect(cmds).toContain("51820");
-  });
-
-  it("should generate firewalld commands", () => {
-    const cmds = getFirewallCommands("firewalld");
-    expect(cmds).toContain("firewall-cmd");
-    expect(cmds).toContain("443/tcp");
-    expect(cmds).toContain("51820/udp");
-  });
-
-  it("should generate Windows firewall commands", () => {
-    const cmds = getFirewallCommands("windows");
-    expect(cmds).toContain("netsh");
-    expect(cmds).toContain("443");
-    expect(cmds).toContain("51820");
-  });
-
-  it("should return empty string for no firewall", () => {
-    const cmds = getFirewallCommands("none");
-    expect(cmds).toBe("");
-  });
-});
-
-// ============================================================================
-// TLS Cert Discovery
-// ============================================================================
-
-describe("discoverTlsCerts", () => {
-  it("should detect existing Let's Encrypt certs", () => {
-    // Simulated SSH output from cert discovery script
-    const sshOutput = JSON.stringify({
-      found: true,
-      type: "letsencrypt",
-      cert: "/etc/letsencrypt/live/example.com/fullchain.pem",
-      key: "/etc/letsencrypt/live/example.com/privkey.pem",
-    });
-    const result = discoverTlsCerts(sshOutput);
-    expect(result.found).toBe(true);
-    expect(result.type).toBe("letsencrypt");
-    expect(result.cert).toContain("letsencrypt");
-    expect(result.key).toContain("letsencrypt");
-  });
-
-  it("should detect real CA certs in /etc/ssl", () => {
-    const sshOutput = JSON.stringify({
-      found: true,
-      type: "real-ca",
-      cert: "/etc/ssl/certs/server.crt",
-      key: "/etc/ssl/private/server.key",
-    });
-    const result = discoverTlsCerts(sshOutput);
-    expect(result.found).toBe(true);
-    expect(result.type).toBe("real-ca");
-  });
-
-  it("should return not-found when no certs exist", () => {
-    const sshOutput = JSON.stringify({ found: false });
-    const result = discoverTlsCerts(sshOutput);
-    expect(result.found).toBe(false);
-    expect(result.type).toBeUndefined();
-  });
-
-  it("should handle malformed JSON gracefully", () => {
-    const result = discoverTlsCerts("not json at all");
-    expect(result.found).toBe(false);
-  });
-
-  it("should handle empty string", () => {
-    const result = discoverTlsCerts("");
-    expect(result.found).toBe(false);
-  });
-});
-
-// ============================================================================
-// Config JSON Generation
-// ============================================================================
-
-describe("buildConfigJson", () => {
-  it("should include arion_name", () => {
-    const config = buildConfigJson({ arionName: "alpha" });
-    expect(config.arion_name).toBe("alpha");
-  });
-
-  it("should include coordination_url when provided", () => {
-    const config = buildConfigJson({
-      arionName: "alpha",
-      coordinationUrl: "https://coord.example.com",
-    });
-    expect(config.coordination_url).toBe("https://coord.example.com");
-  });
-
-  it("should omit coordination_url when not provided", () => {
-    const config = buildConfigJson({ arionName: "alpha" });
-    expect(config).not.toHaveProperty("coordination_url");
-  });
-
-  it("should include TLS cert paths when provided", () => {
-    const config = buildConfigJson({
-      arionName: "alpha",
-      tlsCert: "/etc/ssl/certs/server.crt",
-      tlsKey: "/etc/ssl/private/server.key",
-    });
-    expect(config.tls).toEqual({
-      cert: "/etc/ssl/certs/server.crt",
-      key: "/etc/ssl/private/server.key",
-    });
-  });
-
-  it("should omit tls when no cert paths provided", () => {
-    const config = buildConfigJson({ arionName: "alpha" });
-    expect(config).not.toHaveProperty("tls");
-  });
-});
-
-// ============================================================================
-// Health Check URL Construction
-// ============================================================================
-
-describe("buildHealthCheckUrl", () => {
-  it("should construct HTTPS URL for host", () => {
-    const url = buildHealthCheckUrl("10.0.0.1", 443);
-    expect(url).toBe("https://10.0.0.1:443/api/v1/network/peers");
-  });
-
-  it("should use default port 443", () => {
-    const url = buildHealthCheckUrl("example.com");
-    expect(url).toBe("https://example.com:443/api/v1/network/peers");
-  });
-
-  it("should handle custom port", () => {
-    const url = buildHealthCheckUrl("10.0.0.1", 8443);
-    expect(url).toBe("https://10.0.0.1:8443/api/v1/network/peers");
-  });
-});
-
-// ============================================================================
-// Target Validation / Injection Prevention
-// ============================================================================
-
-describe("executeDeploy — target validation", () => {
-  let mockContext: ToolContext;
-
-  beforeEach(() => {
-    mockContext = {
-      workingDir: "/tmp",
-      env: {},
-      confirm: vi.fn().mockResolvedValue(true),
-    };
-  });
-
-  it("should reject empty target", async () => {
-    const result = await executeDeploy({ target: "" }, mockContext);
-    expect(result.success).toBe(false);
-    expect(result.message).toMatch(/target.*required/i);
-  });
-
-  it("should reject target with spaces (command injection)", async () => {
-    const result = await executeDeploy({ target: "user@host; rm -rf /" }, mockContext);
-    expect(result.success).toBe(false);
-    expect(result.message).toMatch(/invalid.*target/i);
-  });
-
-  it("should reject target with pipes (command injection)", async () => {
-    const result = await executeDeploy({ target: "user@host | cat /etc/passwd" }, mockContext);
-    expect(result.success).toBe(false);
-    expect(result.message).toMatch(/invalid.*target/i);
-  });
-
-  it("should reject target with semicolons", async () => {
-    const result = await executeDeploy({ target: "user@host;whoami" }, mockContext);
-    expect(result.success).toBe(false);
-    expect(result.message).toMatch(/invalid.*target/i);
-  });
-
-  it("should reject target with backticks", async () => {
-    const result = await executeDeploy({ target: "user@`whoami`" }, mockContext);
-    expect(result.success).toBe(false);
-    expect(result.message).toMatch(/invalid.*target/i);
-  });
-
-  it("should reject when user cancels confirmation", async () => {
-    (mockContext.confirm as ReturnType<typeof vi.fn>).mockResolvedValue(false);
-    const result = await executeDeploy({ target: "claude@10.0.0.1" }, mockContext);
-    expect(result.success).toBe(false);
-    expect(result.message).toMatch(/cancel/i);
-  });
-});
-
-// ============================================================================
-// Input Validation (A1)
-// ============================================================================
-
-describe("input validation", () => {
-  it("rejects repo_url with shell metacharacters", () => {
-    const err = validateRepoUrl("https://evil.com/repo; rm -rf /");
-    expect(err).toContain("Invalid repo URL");
-  });
-
-  it("rejects repo_url with pipe injection", () => {
-    const err = validateRepoUrl("https://evil.com/repo | cat /etc/passwd");
-    expect(err).toContain("Invalid repo URL");
-  });
-
-  it("rejects repo_url with backtick injection", () => {
-    const err = validateRepoUrl("https://evil.com/`whoami`/repo");
-    expect(err).toContain("Invalid repo URL");
-  });
-
-  it("accepts valid HTTPS repo_url", () => {
-    expect(validateRepoUrl("https://github.com/aria-ai/aria.git")).toBeNull();
-  });
-
-  it("accepts valid HTTPS repo_url without .git suffix", () => {
-    expect(validateRepoUrl("https://github.com/aria-ai/aria")).toBeNull();
-  });
-
-  it("returns null for empty repo_url", () => {
-    expect(validateRepoUrl("")).toBeNull();
-  });
-
-  it("rejects branch with shell injection", () => {
-    const err = validateBranch("main; rm -rf /");
-    expect(err).toContain("Invalid branch");
-  });
-
-  it("rejects branch with path traversal", () => {
-    const err = validateBranch("../../etc/passwd");
-    expect(err).toContain("Invalid branch");
-  });
-
-  it("rejects branch with backtick injection", () => {
-    const err = validateBranch("main`whoami`");
-    expect(err).toContain("Invalid branch");
-  });
-
-  it("accepts valid branch name", () => {
-    expect(validateBranch("feature/my-branch")).toBeNull();
-  });
-
-  it("accepts branch with dots", () => {
-    expect(validateBranch("release/v1.2.3")).toBeNull();
-  });
-
-  it("returns null for empty branch", () => {
-    expect(validateBranch("")).toBeNull();
-  });
-
-  it("rejects arion_name with backticks", () => {
-    const err = validateArionName("test`whoami`");
-    expect(err).toContain("Invalid arion name");
-  });
-
-  it("rejects arion_name with semicolons", () => {
-    const err = validateArionName("test;whoami");
-    expect(err).toContain("Invalid arion name");
-  });
-
-  it("rejects arion_name with spaces", () => {
-    const err = validateArionName("test name");
-    expect(err).toContain("Invalid arion name");
-  });
-
-  it("accepts valid arion_name with alphanumeric, underscores, hyphens", () => {
-    expect(validateArionName("my-arion-01")).toBeNull();
-  });
-
-  it("accepts valid arion_name with underscores", () => {
-    expect(validateArionName("my_arion_01")).toBeNull();
-  });
-
-  it("returns null for empty arion_name", () => {
-    expect(validateArionName("")).toBeNull();
-  });
-
-  it("rejects ssh_key_path with traversal", () => {
-    const err = validateSshKeyPath("../../etc/shadow");
-    expect(err).toContain("Invalid SSH key path");
-  });
-
-  it("rejects ssh_key_path with shell chars", () => {
-    const err = validateSshKeyPath("/tmp/key; cat /etc/passwd");
-    expect(err).toContain("Invalid SSH key path");
-  });
-
-  it("rejects ssh_key_path with pipe", () => {
-    const err = validateSshKeyPath("/tmp/key | cat /etc/passwd");
-    expect(err).toContain("Invalid SSH key path");
-  });
-
-  it("rejects ssh_key_path with backticks", () => {
-    const err = validateSshKeyPath("/tmp/`whoami`/key");
-    expect(err).toContain("Invalid SSH key path");
-  });
-
-  it("accepts valid ssh_key_path", () => {
-    expect(validateSshKeyPath("/home/user/.ssh/id_ed25519")).toBeNull();
-  });
-
-  it("accepts ssh_key_path with tilde", () => {
-    expect(validateSshKeyPath("~/.ssh/id_ed25519")).toBeNull();
-  });
-
-  it("returns null for empty ssh_key_path", () => {
-    expect(validateSshKeyPath("")).toBeNull();
-  });
-});
-
-// ============================================================================
-// Rollback Mechanism (A2)
-// ============================================================================
-
-describe("rollback", () => {
-  it("getFirewallUndoCommands returns reverse commands for ufw", () => {
-    const undo = getFirewallUndoCommands("ufw");
-    expect(undo).toContain("ufw delete allow 443/tcp");
-    expect(undo).toContain("ufw delete allow 51820/udp");
-  });
-
-  it("getFirewallUndoCommands returns reverse commands for iptables", () => {
-    const undo = getFirewallUndoCommands("iptables");
-    expect(undo).toContain("iptables -D INPUT");
-  });
-
-  it("getFirewallUndoCommands returns reverse commands for firewalld", () => {
-    const undo = getFirewallUndoCommands("firewalld");
-    expect(undo).toContain("firewall-cmd --permanent --remove-port=443/tcp");
-    expect(undo).toContain("firewall-cmd --permanent --remove-port=51820/udp");
-    expect(undo).toContain("firewall-cmd --reload");
-  });
-
-  it("getFirewallUndoCommands returns empty string for none", () => {
-    expect(getFirewallUndoCommands("none")).toBe("");
-  });
-
-  it("buildRollbackCommands reverses steps in order", () => {
-    const steps: DeployStep[] = [
-      { name: "firewall", undoCmd: "ufw delete allow 443/tcp" },
-      { name: "config", undoCmd: "rm -f ~/.aria/config.json" },
-    ];
-    const cmds = buildRollbackCommands(steps);
-    expect(cmds[0]).toContain("rm -f"); // config first (reverse)
-    expect(cmds[1]).toContain("ufw delete"); // firewall second
-  });
-
-  it("buildRollbackCommands returns empty array for empty steps", () => {
-    expect(buildRollbackCommands([])).toEqual([]);
-  });
-
-  it("buildRollbackCommands skips steps with empty undoCmd", () => {
-    const steps: DeployStep[] = [
-      { name: "step1", undoCmd: "echo undo1" },
-      { name: "step2", undoCmd: "" },
-      { name: "step3", undoCmd: "echo undo3" },
-    ];
-    const cmds = buildRollbackCommands(steps);
-    expect(cmds).toHaveLength(2);
-    expect(cmds[0]).toContain("undo3"); // step3 reversed first
-    expect(cmds[1]).toContain("undo1"); // step1 reversed second
-  });
-});
-
-// ============================================================================
-// Idempotency — Deep Merge Config (A3)
-// ============================================================================
-
-describe("idempotency", () => {
-  it("deepMergeConfig preserves nested objects", () => {
-    const existing = { tls: { cert: "/old", extra: true }, name: "old" };
-    const update = { tls: { cert: "/new" }, name: "new" };
-    const result = deepMergeConfig(existing, update);
-    expect(result.tls.cert).toBe("/new");
-    expect(result.tls.extra).toBe(true); // preserved
-    expect(result.name).toBe("new");
-  });
-
-  it("deepMergeConfig adds new top-level keys", () => {
-    const existing = { name: "old" };
-    const update = { port: 443 };
-    const result = deepMergeConfig(existing, update);
-    expect(result.name).toBe("old");
-    expect(result.port).toBe(443);
-  });
-
-  it("deepMergeConfig handles empty existing config", () => {
-    const result = deepMergeConfig({}, { name: "new" });
-    expect(result.name).toBe("new");
-  });
-
-  it("deepMergeConfig does not mutate inputs", () => {
-    const existing = { tls: { cert: "/old" } };
-    const update = { tls: { cert: "/new" } };
-    deepMergeConfig(existing, update);
-    expect(existing.tls.cert).toBe("/old"); // unchanged
-  });
-});
-
-// ============================================================================
-// Key Permissions (A3)
-// ============================================================================
-
-describe("key permissions", () => {
-  it("getKeyPermissionCommands returns chmod 600 for signing key", () => {
-    const cmds = getKeyPermissionCommands();
-    expect(cmds).toContain("chmod 600 ~/.aria/signing-key.json");
-  });
-
-  it("getKeyPermissionCommands returns chmod 600 for config", () => {
-    const cmds = getKeyPermissionCommands();
-    expect(cmds).toContain("chmod 600 ~/.aria/config.json");
-  });
-});
-
-// ============================================================================
-// Deploy Output Shape
-// ============================================================================
-
-describe("DeployOutput shape", () => {
-  it("should include tlsType field in output", async () => {
-    // This validates the type definition includes tlsType
-    const output = {
-      success: true,
-      host: "10.0.0.1",
-      port: 443,
-      fingerprint: "abc123",
-      arionName: "alpha",
-      tlsType: "letsencrypt" as const,
-    };
-    expect(output.tlsType).toBe("letsencrypt");
-    expect(["real-ca", "letsencrypt", "private-ca"]).toContain(output.tlsType);
-  });
-});
-
-// ============================================================================
-// Commit Hash Validation (Supply Chain Hardening)
-// ============================================================================
-
-describe("validateCommitHash", () => {
-  it("accepts valid full-length SHA-1 hash", () => {
-    expect(validateCommitHash("a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6a1b2")).toBeNull();
-  });
-
-  it("accepts valid short hash (7 chars)", () => {
-    expect(validateCommitHash("a1b2c3d")).toBeNull();
-  });
-
-  it("accepts valid SHA-256 length hash (64 chars)", () => {
-    expect(
-      validateCommitHash("a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6a1b2"),
-    ).toBeNull();
-  });
-
-  it("rejects uppercase hex (prevents mixed-case ambiguity)", () => {
-    const err = validateCommitHash("A1B2C3D4E5F6A1B2C3D4E5F6A1B2C3D4E5F6A1B2");
-    expect(err).toContain("Invalid commit hash");
-  });
-
-  it("rejects non-hex characters", () => {
-    const err = validateCommitHash("g1b2c3d4e5f6zzzz");
-    expect(err).toContain("Invalid commit hash");
-  });
-
-  it("rejects hash too short (< 7 chars)", () => {
-    const err = validateCommitHash("a1b2c3");
-    expect(err).toContain("Invalid commit hash");
-  });
-
-  it("rejects hash too long (> 64 chars)", () => {
-    const err = validateCommitHash("a".repeat(65));
-    expect(err).toContain("Invalid commit hash");
-  });
-
-  it("rejects shell injection via semicolons", () => {
-    const err = validateCommitHash("a1b2c3d; rm -rf /");
-    expect(err).toContain("Invalid commit hash");
-  });
-
-  it("rejects shell injection via backticks", () => {
-    const err = validateCommitHash("a1b2c3d`whoami`");
-    expect(err).toContain("Invalid commit hash");
-  });
-
-  it("rejects shell injection via $() substitution", () => {
-    const err = validateCommitHash("a1b2c3d$(cat /etc/passwd)");
-    expect(err).toContain("Invalid commit hash");
-  });
-
-  it("rejects empty-ish whitespace", () => {
-    const err = validateCommitHash("  a1b2c3d  ");
-    expect(err).toContain("Invalid commit hash");
-  });
-
-  it("returns null for empty string (optional param)", () => {
-    expect(validateCommitHash("")).toBeNull();
-  });
-});
-
-// ============================================================================
-// Pinned pnpm Version (Supply Chain Hardening)
-// ============================================================================
-
-describe("PINNED_PNPM_VERSION", () => {
-  it("is a valid semver-like version string", () => {
-    expect(PINNED_PNPM_VERSION).toMatch(/^\d+\.\d+\.\d+$/);
-  });
-
-  it("is not 'latest' or a range", () => {
-    expect(PINNED_PNPM_VERSION).not.toBe("latest");
-    expect(PINNED_PNPM_VERSION).not.toContain("^");
-    expect(PINNED_PNPM_VERSION).not.toContain("~");
-    expect(PINNED_PNPM_VERSION).not.toContain("*");
-  });
-});
-
-// ============================================================================
-// Supply Chain: commit_hash param in tool definition schema
-// ============================================================================
-
-describe("executeDeploy — commit_hash validation", () => {
-  let mockContext: ToolContext;
-
-  beforeEach(() => {
-    mockContext = {
-      workingDir: "/tmp",
-      env: {},
-      confirm: vi.fn().mockResolvedValue(true),
-    };
-  });
-
-  it("should reject invalid commit_hash before SSH", async () => {
-    const result = await executeDeploy(
-      { target: "user@host", commit_hash: "not-a-hash!" },
-      mockContext,
-    );
-    expect(result.success).toBe(false);
-    expect(result.message).toMatch(/invalid commit hash/i);
-  });
-
-  it("should reject commit_hash with shell injection", async () => {
-    const result = await executeDeploy(
-      { target: "user@host", commit_hash: "abc1234; rm -rf /" },
-      mockContext,
-    );
-    expect(result.success).toBe(false);
-    expect(result.message).toMatch(/invalid commit hash/i);
-  });
-});