@aria-cli/tools 1.0.9 → 1.0.11

package/tests/executors/web-integration.test.ts

@@ -1,633 +0,0 @@
-/**
- * Integration tests for web tool executors
- *
- * These tests verify the full integration of web executors including:
- * - web_search → SearchProviderRouter → mock provider → results
- * - web_fetch → fetchWithSsrf → content retrieval
- * - browse → Readability + Turndown → markdown extraction
- * - Retry on transient failures
- * - SSRF protection and redirect handling
- * - GitHub URL normalization
- *
- * Unlike web.test.ts which uses simple unit test mocks, these tests
- * verify the actual data flow through multiple layers.
- */
-
-import { describe, it, expect, beforeEach, afterEach, vi } from "vitest";
-import * as fs from "node:fs/promises";
-import * as path from "node:path";
-import * as os from "node:os";
-import type { ToolContext } from "../../src/types.js";
-import { executeWebSearch, executeWebFetch, executeBrowse } from "../../src/executors/web.js";
-import { searchCache, fetchCache, browseCache } from "../../src/cache/web-cache.js";
-
-const TEST_PUBLIC_LOOKUP_RESULT = [{ address: "93.184.216.34", family: 4 }] as const;
-
-function lookupTestAddresses(hostname: string) {
-  switch (hostname) {
-    case "metadata.internal.test":
-      return [{ address: "169.254.169.254", family: 4 }];
-    default:
-      return TEST_PUBLIC_LOOKUP_RESULT;
-  }
-}
-
-vi.mock("../../src/security/dns-pinning.js", async (importOriginal) => {
-  const actual = await importOriginal<typeof import("../../src/security/dns-pinning.js")>();
-  const ssrfModule = await import("../../src/security/ssrf.js");
-  return {
-    ...actual,
-    fetchWithDnsPinning: vi.fn(async (url: string, init: RequestInit) => {
-      const parsed = new URL(url);
-      const addresses = lookupTestAddresses(parsed.hostname);
-      const privateAddress = addresses.find((entry) => ssrfModule.isPrivateAddress(entry.address));
-      if (privateAddress) {
-        throw new Error(
-          `SSRF protection: ${parsed.hostname} resolves to private address ${privateAddress.address}`,
-        );
-      }
-      return global.fetch(url, init);
-    }),
-  };
-});
-
-// Helper to create a unique temp directory for each test
-const createTempDir = async (): Promise<string> => {
-  const tempDir = await fs.mkdtemp(path.join(os.tmpdir(), "aria-web-integration-"));
-  return fs.realpath(tempDir);
-};
-
-// Helper to clean up temp directory
-const cleanupTempDir = async (dir: string): Promise<void> => {
-  await fs.rm(dir, { recursive: true, force: true });
-};
-
-// Helper to create a context
-const createContext = (workingDir: string, env: Record<string, string> = {}): ToolContext => ({
-  workingDir,
-  env,
-});
-
-describe("Web Executors Integration Tests", () => {
-  let tempDir: string;
-  let ctx: ToolContext;
-  let originalFetch: typeof global.fetch;
-
-  beforeEach(async () => {
-    tempDir = await createTempDir();
-    ctx = createContext(tempDir);
-    originalFetch = global.fetch;
-    // Clear web caches between tests to prevent cross-test contamination
-    searchCache.clear();
-    fetchCache.clear();
-    browseCache.clear();
-  });
-
-  afterEach(async () => {
-    await cleanupTempDir(tempDir);
-    global.fetch = originalFetch;
-    vi.restoreAllMocks();
-  });
-
-  describe("executeWebSearch integration", () => {
-    it("should route through SearchProviderRouter to Tavily with valid results", async () => {
-      const mockResults = [
-        {
-          title: "Integration Test Result",
-          url: "https://example.com/integration",
-          content: "This is integration test content from Tavily",
-          score: 0.95,
-        },
-        {
-          title: "Second Result",
-          url: "https://example.com/second",
-          content: "More content here",
-          score: 0.85,
-        },
-      ];
-
-      const mockResponse = new Response(JSON.stringify({ results: mockResults }), {
-        status: 200,
-        headers: { "Content-Type": "application/json" },
-      });
-
-      const mockFetch = vi.fn().mockResolvedValue(mockResponse);
-      vi.stubGlobal("fetch", mockFetch);
-
-      const ctxWithKey = createContext(tempDir, { TAVILY_API_KEY: "test-integration-key" });
-      const result = await executeWebSearch(
-        { query: "integration testing best practices", limit: 10 },
-        ctxWithKey,
-      );
-
-      expect(result.success).toBe(true);
-      expect(result.message).toContain("integration testing best practices");
-      expect(result.data).toMatchObject({
-        query: "integration testing best practices",
-        results: expect.arrayContaining([
-          expect.objectContaining({
-            title: "Integration Test Result",
-            url: "https://example.com/integration",
-          }),
-        ]),
-      });
-
-      // Verify the API was called with correct parameters
-      expect(mockFetch).toHaveBeenCalledWith(
-        "https://api.tavily.com/search",
-        expect.objectContaining({
-          method: "POST",
-          body: expect.stringContaining("integration testing best practices"),
-        }),
-      );
-    });
-
-    it("should handle empty results from provider", async () => {
-      const mockResponse = new Response(JSON.stringify({ results: [] }), {
-        status: 200,
-        headers: { "Content-Type": "application/json" },
-      });
-
-      vi.stubGlobal("fetch", vi.fn().mockResolvedValue(mockResponse));
-
-      const ctxWithKey = createContext(tempDir, { TAVILY_API_KEY: "test-key" });
-      const result = await executeWebSearch({ query: "nonexistent query 12345xyz" }, ctxWithKey);
-
-      expect(result.success).toBe(true);
-      expect(result.data).toMatchObject({
-        query: "nonexistent query 12345xyz",
-        results: [],
-      });
-    });
-
-    it("should retry on transient failures", async () => {
-      let callCount = 0;
-      const mockFetch = vi.fn().mockImplementation(() => {
-        callCount++;
-        if (callCount < 2) {
-          // First call fails with network error
-          return Promise.reject(new Error("Network error"));
-        }
-        // Second call succeeds
-        return Promise.resolve(
-          new Response(
-            JSON.stringify({
-              results: [
-                { title: "Success", url: "https://example.com", content: "content", score: 0.9 },
-              ],
-            }),
-            {
-              status: 200,
-              headers: { "Content-Type": "application/json" },
-            },
-          ),
-        );
-      });
-
-      vi.stubGlobal("fetch", mockFetch);
-
-      const ctxWithKey = createContext(tempDir, { TAVILY_API_KEY: "test-key" });
-      const result = await executeWebSearch({ query: "retry test" }, ctxWithKey);
-
-      // SearchProviderRouter tries providers in priority order; a network error
-      // causes it to fall through to the next provider or fail.
-      // The assertion must be unconditional.
-      expect(callCount).toBeGreaterThanOrEqual(1);
-      expect(result).toHaveProperty("success");
-      expect(result).toHaveProperty("message");
-    });
-  });
-
-  describe("executeWebFetch integration", () => {
-    it("should fetch content with retry on transient failure", async () => {
-      let attemptCount = 0;
-      const mockFetch = vi.fn().mockImplementation(() => {
-        attemptCount++;
-        if (attemptCount === 1) {
-          // First attempt fails with retryable error
-          const err = Object.assign(new Error("ECONNRESET"), { code: "ECONNRESET" });
-          return Promise.reject(err);
-        }
-        // Second attempt succeeds
-        return Promise.resolve(
-          new Response("Fetched content after retry", {
-            status: 200,
-            headers: { "Content-Type": "text/plain" },
-          }),
-        );
-      });
-
-      vi.stubGlobal("fetch", mockFetch);
-
-      const result = await executeWebFetch({ url: "https://example.com/flaky" }, ctx);
-
-      // fetchWithRetry is wired in — retry should succeed
-      expect(attemptCount).toBe(2);
-      expect(result.success).toBe(true);
-      expect(result.data).toMatchObject({
-        status: 200,
-      });
-    });
-
-    it("should follow redirects with SSRF validation per hop", async () => {
-      const mockFetch = vi
-        .fn()
-        .mockResolvedValueOnce(
-          // First call: redirect
-          new Response(null, {
-            status: 302,
-            headers: { Location: "https://redirect.example.com/target" },
-          }),
-        )
-        .mockResolvedValueOnce(
-          // Second call: final content
-          new Response("Final content after redirect", {
-            status: 200,
-            headers: { "Content-Type": "text/plain" },
-          }),
-        );
-
-      vi.stubGlobal("fetch", mockFetch);
-
-      const result = await executeWebFetch({ url: "https://example.com/redirect-me" }, ctx);
-
-      expect(result.success).toBe(true);
-      expect(mockFetch).toHaveBeenCalledTimes(2);
-      expect(mockFetch).toHaveBeenNthCalledWith(
-        1,
-        "https://example.com/redirect-me",
-        expect.objectContaining({ redirect: "manual" }),
-      );
-      expect(mockFetch).toHaveBeenNthCalledWith(
-        2,
-        "https://redirect.example.com/target",
-        expect.objectContaining({ redirect: "manual" }),
-      );
-    });
-
-    it("should enforce response size limit with streaming", async () => {
-      // Create a large content stream that exceeds limit
-      const largeContent = "x".repeat(2 * 1024 * 1024); // 2MB
-      const mockResponse = new Response(largeContent, {
-        status: 200,
-        headers: { "Content-Type": "text/plain" },
-      });
-
-      vi.stubGlobal("fetch", vi.fn().mockResolvedValue(mockResponse));
-
-      const result = await executeWebFetch(
-        {
-          url: "https://example.com/large",
-          maxSizeBytes: 1024, // 1KB limit
-        },
-        ctx,
-      );
-
-      expect(result.success).toBe(false);
-      expect(result.message).toContain("exceeds maximum");
-    });
-
-    it("should handle JSON parsing with format option", async () => {
-      const jsonData = { status: "ok", data: [1, 2, 3], nested: { value: "test" } };
-      const mockResponse = new Response(JSON.stringify(jsonData), {
-        status: 200,
-        headers: { "Content-Type": "application/json" },
-      });
-
-      vi.stubGlobal("fetch", vi.fn().mockResolvedValue(mockResponse));
-
-      const result = await executeWebFetch(
-        { url: "https://api.example.com/data", format: "json" },
-        ctx,
-      );
-
-      expect(result.success).toBe(true);
-      const data = result.data as { content: typeof jsonData };
-      expect(data.content).toEqual(jsonData);
-    });
-  });
-
-  describe("executeBrowse integration", () => {
-    it("should extract markdown from HTML using Readability + Turndown", async () => {
-      const htmlContent = `
-        <!DOCTYPE html>
-        <html>
-          <head><title>Test Article</title></head>
-          <body>
-            <h1>Main Heading</h1>
-            <p>This is a paragraph with <strong>bold</strong> text.</p>
-            <ul>
-              <li>List item 1</li>
-              <li>List item 2</li>
-            </ul>
-            <script>console.log('should be removed');</script>
-          </body>
-        </html>
-      `;
-
-      const mockResponse = new Response(htmlContent, {
-        status: 200,
-        headers: { "Content-Type": "text/html" },
-      });
-
-      vi.stubGlobal("fetch", vi.fn().mockResolvedValue(mockResponse));
-
-      const result = await executeBrowse({ url: "https://example.com/article" }, ctx);
-
-      expect(result.success).toBe(true);
-      const data = result.data as { url: string; title: string; content: string };
-
-      expect(data.url).toBe("https://example.com/article");
-      expect(data.title).toBe("Test Article");
-
-      // Content should be stripped HTML (current implementation uses stripHtml, not Readability/Turndown)
-      // The content should not contain script tags
-      expect(data.content).not.toContain("console.log");
-      expect(data.content).toContain("Main Heading");
-      expect(data.content).toContain("This is a paragraph");
-    });
-
-    it("should handle GitHub URL normalization to raw content", async () => {
-      // GitHub URLs should be converted to raw URLs before fetching
-      const mockResponse = new Response("# README\n\nThis is raw markdown content", {
-        status: 200,
-        headers: { "Content-Type": "text/plain" },
-      });
-
-      vi.stubGlobal("fetch", vi.fn().mockResolvedValue(mockResponse));
-
-      const result = await executeBrowse(
-        { url: "https://github.com/user/repo/blob/main/README.md" },
-        ctx,
-      );
-
-      // Current implementation may not do GitHub URL normalization
-      // This documents expected behavior
-      expect(result.success).toBe(true);
-    });
-
-    it("should truncate content exceeding 50K characters", async () => {
-      const longContent = `
-        <!DOCTYPE html>
-        <html>
-          <head><title>Long Article</title></head>
-          <body>
-            <p>${"Very long content. ".repeat(10000)}</p>
-          </body>
-        </html>
-      `;
-
-      const mockResponse = new Response(longContent, {
-        status: 200,
-        headers: { "Content-Type": "text/html" },
-      });
-
-      vi.stubGlobal("fetch", vi.fn().mockResolvedValue(mockResponse));
-
-      const result = await executeBrowse({ url: "https://example.com/long" }, ctx);
-
-      expect(result.success).toBe(true);
-      const data = result.data as { content: string };
-
-      // Browse now uses 50K limit + external content security wrapping (~100 chars overhead)
-      // The content should contain truncation notice
-      expect(data.content).toContain("[Content truncated]");
-    });
-
-    it("should retry on transient network failures", async () => {
-      let attemptCount = 0;
-      const mockFetch = vi.fn().mockImplementation(() => {
-        attemptCount++;
-        if (attemptCount === 1) {
-          const err = Object.assign(new Error("ETIMEDOUT"), { code: "ETIMEDOUT" });
-          return Promise.reject(err);
-        }
-        return Promise.resolve(
-          new Response("<html><head><title>Success</title></head><body>Content</body></html>", {
-            status: 200,
-            headers: { "Content-Type": "text/html" },
-          }),
-        );
-      });
-
-      vi.stubGlobal("fetch", mockFetch);
-
-      const result = await executeBrowse({ url: "https://example.com/flaky" }, ctx);
-
-      // fetchWithRetry is wired in — retry should succeed
-      expect(attemptCount).toBe(2);
-      expect(result.success).toBe(true);
-      expect(result.data).toHaveProperty("content");
-    });
-
-    it("should handle timeout on slow responses", async () => {
-      vi.stubGlobal(
-        "fetch",
-        vi.fn().mockImplementation((_url: string, options?: RequestInit) => {
-          return new Promise((_resolve, reject) => {
-            const signal = options?.signal;
-            if (signal) {
-              signal.addEventListener("abort", () => {
-                const abortError = new Error("The operation was aborted");
-                abortError.name = "AbortError";
-                reject(abortError);
-              });
-            }
-          });
-        }),
-      );
-
-      const result = await executeBrowse({ url: "https://example.com/slow", timeoutMs: 100 }, ctx);
-
-      expect(result.success).toBe(false);
-      expect(result.message).toContain("timed out");
-    });
-  });
-
-  describe("SSRF protection integration", () => {
-    it("should validate URLs before making requests", async () => {
-      // Invalid URL format
-      const result1 = await executeWebFetch({ url: "not-a-url" }, ctx);
-      expect(result1.success).toBe(false);
-      expect(result1.message).toContain("Invalid URL");
-
-      // Non-HTTP protocol
-      const result2 = await executeWebFetch({ url: "file:///etc/passwd" }, ctx);
-      expect(result2.success).toBe(false);
-      expect(result2.message).toContain("protocol");
-
-      // FTP protocol
-      const result3 = await executeWebFetch({ url: "ftp://example.com/file" }, ctx);
-      expect(result3.success).toBe(false);
-      expect(result3.message).toContain("protocol");
-    });
-
-    it("should block requests resolving to private IPs", async () => {
-      // Mock DNS to resolve to private IP
-      const mockDns = {
-        promises: {
-          lookup: vi.fn().mockResolvedValue({ address: "192.168.1.1", family: 4 }),
-        },
-      };
-
-      // This test requires mocking the dns module, which is complex
-      // The behavior is tested in unit tests for validateUrl in ssrf.ts
-      // This integration test documents the expected behavior
-    });
-
-    it("should block redirects to private IPs", async () => {
-      // First fetch returns redirect to private IP
-      const mockFetch = vi.fn().mockResolvedValueOnce(
-        new Response(null, {
-          status: 302,
-          headers: { Location: "http://169.254.169.254/metadata" },
-        }),
-      );
-
-      vi.stubGlobal("fetch", mockFetch);
-
-      // This would be blocked by validateUrl on the redirect target
-      // The actual blocking is tested in web.test.ts SSRF redirect protection tests
-    });
-  });
-
-  describe("Response streaming and size limits", () => {
-    it("should stream response body and enforce byte limits", async () => {
-      // Create a response with chunked encoding (no Content-Length)
-      const chunks = ["chunk1", "chunk2", "chunk3"];
-      let chunkIndex = 0;
-
-      const stream = new ReadableStream({
-        async pull(controller) {
-          if (chunkIndex < chunks.length) {
-            controller.enqueue(new TextEncoder().encode(chunks[chunkIndex]!));
-            chunkIndex++;
-          } else {
-            controller.close();
-          }
-        },
-      });
-
-      const mockResponse = new Response(stream, {
-        status: 200,
-        headers: { "Content-Type": "text/plain" },
-      });
-
-      vi.stubGlobal("fetch", vi.fn().mockResolvedValue(mockResponse));
-
-      const result = await executeWebFetch(
-        { url: "https://example.com/chunked", maxSizeBytes: 100 },
-        ctx,
-      );
-
-      expect(result.success).toBe(true);
-      const data = result.data as { content: string };
-      // Content is now wrapped with security boundaries but should contain all chunks
-      expect(data.content).toContain("chunk1chunk2chunk3");
-    });
-  });
-
-  describe("Custom headers and request options", () => {
-    it("should pass custom headers to fetch", async () => {
-      const mockFetch = vi.fn().mockResolvedValue(
-        new Response("ok", {
-          status: 200,
-        }),
-      );
-
-      vi.stubGlobal("fetch", mockFetch);
-
-      const result = await executeWebFetch(
-        {
-          url: "https://api.example.com/endpoint",
-          headers: {
-            Authorization: "Bearer token123",
-            "X-Custom-Header": "custom-value",
-          },
-        },
-        ctx,
-      );
-
-      expect(result.success).toBe(true);
-      expect(mockFetch).toHaveBeenCalledTimes(1);
-      expect(mockFetch).toHaveBeenCalledWith(
-        "https://api.example.com/endpoint",
-        expect.objectContaining({
-          headers: {
-            Authorization: "Bearer token123",
-            "X-Custom-Header": "custom-value",
-          },
-          redirect: "manual",
-        }),
-      );
-    });
-
-    it("should respect custom timeout values", async () => {
-      let timeoutReceived = 0;
-
-      vi.stubGlobal(
-        "fetch",
-        vi.fn().mockImplementation((_url: string, options?: RequestInit) => {
-          return new Promise((_resolve, reject) => {
-            const signal = options?.signal;
-            if (signal) {
-              signal.addEventListener("abort", () => {
-                timeoutReceived = Date.now();
-                const abortError = new Error("The operation was aborted");
-                abortError.name = "AbortError";
-                reject(abortError);
-              });
-            }
-          });
-        }),
-      );
-
-      const startTime = Date.now();
-      const result = await executeWebFetch(
-        { url: "https://example.com/slow", timeoutMs: 200 },
-        ctx,
-      );
-
-      const elapsed = timeoutReceived - startTime;
-
-      expect(result.success).toBe(false);
-      expect(result.message).toContain("timed out");
-      expect(elapsed).toBeGreaterThanOrEqual(180); // Allow 10% margin
-      expect(elapsed).toBeLessThanOrEqual(300);
-    });
-  });
-
-  describe("Context abort signal integration", () => {
-    it("should cancel request when context abort signal is triggered", async () => {
-      const abortController = new AbortController();
-      const ctxWithSignal: ToolContext = {
-        ...ctx,
-        abortSignal: abortController.signal,
-      };
-
-      vi.stubGlobal(
-        "fetch",
-        vi.fn().mockImplementation((_url: string, options?: RequestInit) => {
-          return new Promise((_resolve, reject) => {
-            const signal = options?.signal;
-            if (signal) {
-              signal.addEventListener("abort", () => {
-                const abortError = new Error("The operation was aborted");
-                abortError.name = "AbortError";
-                reject(abortError);
-              });
-            }
-          });
-        }),
-      );
-
-      // Trigger abort after 50ms
-      setTimeout(() => abortController.abort(), 50);
-
-      const result = await executeWebFetch({ url: "https://example.com/slow" }, ctxWithSignal);
-
-      expect(result.success).toBe(false);
-      expect(result.message).toContain("cancelled");
-    });
-  });
-});

package/tests/executors/web-symlink.test.ts

@@ -1,18 +0,0 @@
-/**
- * @aria/tools - Web download symlink bypass tests (C2)
- *
- * These tests verified symlink-based path traversal protection in the
- * download executor. The download tool was removed in aria-c3x.
- *
- * The underlying symlink protection (resolveWithSymlinks + isPathWithinBase)
- * is still used by other filesystem executors and is tested elsewhere.
- */
-
-import { describe, it } from "vitest";
-
-describe("Web download symlink bypass protection", () => {
-  it("download tool removed in aria-c3x — symlink protection tested via filesystem executors", () => {
-    // All download-specific symlink tests removed.
-    // resolveWithSymlinks + isPathWithinBase are still covered in filesystem executor tests.
-  });
-});