@elvatis_com/openclaw-cli-bridge-elvatis 2.0.0 → 2.1.1

package/test/codex-auth-import.test.ts

@@ -0,0 +1,244 @@
+/**
+ * Unit tests for Codex auth import (Issue #2).
+ *
+ * Uses real temp files instead of mocks for reliable FS testing.
+ */
+
+import { describe, it, expect, beforeEach, afterEach } from "vitest";
+import { writeFileSync, mkdirSync, readFileSync, existsSync, rmSync } from "node:fs";
+import { tmpdir } from "node:os";
+import { join } from "node:path";
+import { importCodexAuth } from "../src/codex-auth-import.js";
+
+const TEST_BASE = join(tmpdir(), `codex-import-test-${process.pid}`);
+const CODEX_AUTH_PATH = join(TEST_BASE, "codex", "auth.json");
+const AUTH_STORE_PATH = join(TEST_BASE, "openclaw", "auth-profiles.json");
+
+function writeCodexAuth(data: Record<string, unknown>) {
+  mkdirSync(join(TEST_BASE, "codex"), { recursive: true });
+  writeFileSync(CODEX_AUTH_PATH, JSON.stringify(data));
+}
+
+function writeAuthStore(data: Record<string, unknown>) {
+  mkdirSync(join(TEST_BASE, "openclaw"), { recursive: true });
+  writeFileSync(AUTH_STORE_PATH, JSON.stringify(data, null, 4));
+}
+
+function readAuthStore(): Record<string, unknown> {
+  return JSON.parse(readFileSync(AUTH_STORE_PATH, "utf8"));
+}
+
+beforeEach(() => {
+  mkdirSync(TEST_BASE, { recursive: true });
+});
+
+afterEach(() => {
+  try {
+    rmSync(TEST_BASE, { recursive: true, force: true });
+  } catch { /* ignore */ }
+});
+
+describe("importCodexAuth()", () => {
+  it("imports Codex OAuth tokens into auth store", async () => {
+    writeCodexAuth({
+      auth_mode: "oauth",
+      tokens: {
+        access_token: "test-access-token",
+        refresh_token: "test-refresh-token",
+      },
+      last_refresh: new Date().toISOString(),
+    });
+
+    const result = await importCodexAuth({
+      codexAuthPath: CODEX_AUTH_PATH,
+      authStorePath: AUTH_STORE_PATH,
+    });
+
+    expect(result.imported).toBe(true);
+    expect(result.skipped).toBe(false);
+    expect(result.error).toBeUndefined();
+
+    const store = readAuthStore() as { profiles: Record<string, { access: string; refresh: string }> };
+    expect(store.profiles["openai-codex:default"]).toBeDefined();
+    expect(store.profiles["openai-codex:default"].access).toBe("test-access-token");
+    expect(store.profiles["openai-codex:default"].refresh).toBe("test-refresh-token");
+  });
+
+  it("imports API key when OAuth tokens are not available", async () => {
+    writeCodexAuth({
+      auth_mode: "api-key",
+      OPENAI_API_KEY: "sk-test-key-123",
+    });
+
+    const result = await importCodexAuth({
+      codexAuthPath: CODEX_AUTH_PATH,
+      authStorePath: AUTH_STORE_PATH,
+    });
+
+    expect(result.imported).toBe(true);
+    const store = readAuthStore() as { profiles: Record<string, { access: string }> };
+    expect(store.profiles["openai-codex:default"].access).toBe("sk-test-key-123");
+  });
+
+  it("creates auth store directory if it does not exist", async () => {
+    writeCodexAuth({
+      auth_mode: "oauth",
+      tokens: { access_token: "new-token" },
+    });
+
+    const deepStorePath = join(TEST_BASE, "deep", "nested", "auth-profiles.json");
+    const result = await importCodexAuth({
+      codexAuthPath: CODEX_AUTH_PATH,
+      authStorePath: deepStorePath,
+    });
+
+    expect(result.imported).toBe(true);
+    expect(existsSync(deepStorePath)).toBe(true);
+  });
+
+  it("preserves existing profiles in auth store", async () => {
+    writeCodexAuth({
+      auth_mode: "oauth",
+      tokens: { access_token: "codex-token" },
+    });
+    writeAuthStore({
+      version: 1,
+      profiles: {
+        "anthropic:default": {
+          type: "token",
+          provider: "anthropic",
+          token: "sk-ant-test",
+        },
+      },
+    });
+
+    const result = await importCodexAuth({
+      codexAuthPath: CODEX_AUTH_PATH,
+      authStorePath: AUTH_STORE_PATH,
+    });
+
+    expect(result.imported).toBe(true);
+    const store = readAuthStore() as { profiles: Record<string, { token?: string; access?: string }> };
+    // Codex profile added
+    expect(store.profiles["openai-codex:default"].access).toBe("codex-token");
+    // Anthropic profile preserved
+    expect(store.profiles["anthropic:default"].token).toBe("sk-ant-test");
+  });
+
+  it("skips import when tokens are already up-to-date", async () => {
+    writeCodexAuth({
+      auth_mode: "oauth",
+      tokens: { access_token: "same-token", refresh_token: "same-refresh" },
+    });
+    writeAuthStore({
+      version: 1,
+      profiles: {
+        "openai-codex:default": {
+          type: "oauth",
+          provider: "openai-codex",
+          access: "same-token",
+          refresh: "same-refresh",
+        },
+      },
+    });
+
+    const result = await importCodexAuth({
+      codexAuthPath: CODEX_AUTH_PATH,
+      authStorePath: AUTH_STORE_PATH,
+    });
+
+    expect(result.imported).toBe(false);
+    expect(result.skipped).toBe(true);
+  });
+
+  it("updates when access token has changed", async () => {
+    writeCodexAuth({
+      auth_mode: "oauth",
+      tokens: { access_token: "new-token", refresh_token: "new-refresh" },
+    });
+    writeAuthStore({
+      version: 1,
+      profiles: {
+        "openai-codex:default": {
+          type: "oauth",
+          provider: "openai-codex",
+          access: "old-token",
+          refresh: "old-refresh",
+        },
+      },
+    });
+
+    const result = await importCodexAuth({
+      codexAuthPath: CODEX_AUTH_PATH,
+      authStorePath: AUTH_STORE_PATH,
+    });
+
+    expect(result.imported).toBe(true);
+    const store = readAuthStore() as { profiles: Record<string, { access: string }> };
+    expect(store.profiles["openai-codex:default"].access).toBe("new-token");
+  });
+
+  it("returns error when codex auth file does not exist", async () => {
+    const result = await importCodexAuth({
+      codexAuthPath: join(TEST_BASE, "nonexistent", "auth.json"),
+      authStorePath: AUTH_STORE_PATH,
+    });
+
+    expect(result.imported).toBe(false);
+    expect(result.skipped).toBe(false);
+    expect(result.error).toContain("Cannot read Codex auth file");
+  });
+
+  it("returns error when codex auth has no token", async () => {
+    writeCodexAuth({
+      auth_mode: "oauth",
+      // No tokens, no API key
+    });
+
+    const result = await importCodexAuth({
+      codexAuthPath: CODEX_AUTH_PATH,
+      authStorePath: AUTH_STORE_PATH,
+    });
+
+    expect(result.imported).toBe(false);
+    expect(result.error).toContain("No access token found");
+  });
+
+  it("includes expiry when last_refresh is present", async () => {
+    const now = new Date();
+    writeCodexAuth({
+      auth_mode: "oauth",
+      tokens: { access_token: "token-with-expiry" },
+      last_refresh: now.toISOString(),
+    });
+
+    const result = await importCodexAuth({
+      codexAuthPath: CODEX_AUTH_PATH,
+      authStorePath: AUTH_STORE_PATH,
+    });
+
+    expect(result.imported).toBe(true);
+    const store = readAuthStore() as { profiles: Record<string, { expires: number }> };
+    const profile = store.profiles["openai-codex:default"];
+    // Expiry should be ~1h after last_refresh
+    expect(profile.expires).toBeGreaterThan(now.getTime());
+    expect(profile.expires).toBeLessThanOrEqual(now.getTime() + 3600 * 1000 + 1000);
+  });
+
+  it("calls log function when provided", async () => {
+    writeCodexAuth({
+      auth_mode: "oauth",
+      tokens: { access_token: "logged-token" },
+    });
+
+    const logs: string[] = [];
+    await importCodexAuth({
+      codexAuthPath: CODEX_AUTH_PATH,
+      authStorePath: AUTH_STORE_PATH,
+      log: (msg) => logs.push(msg),
+    });
+
+    expect(logs.length).toBeGreaterThan(0);
+    expect(logs.some(l => l.includes("imported"))).toBe(true);
+  });
+});

package/test/session-manager.test.ts

@@ -32,10 +32,13 @@ function makeFakeProc(): ChildProcess & {
 }
 
 // vi.hoisted variables are available inside vi.mock factories
-const { mockSpawn, mockExecSync, latestProcRef } = vi.hoisted(() => ({
+const { mockSpawn, mockExecSync, latestProcRef, mockCreateIsolatedWorkdir, mockCleanupWorkdir, mockSweepOrphanedWorkdirs } = vi.hoisted(() => ({
   mockSpawn: vi.fn(),
   mockExecSync: vi.fn(),
   latestProcRef: { current: null as any },
+  mockCreateIsolatedWorkdir: vi.fn(() => "/tmp/cli-bridge-fake123"),
+  mockCleanupWorkdir: vi.fn(() => true),
+  mockSweepOrphanedWorkdirs: vi.fn(() => 0),
 }));
 
 vi.mock("node:child_process", async (importOriginal) => {
@@ -52,6 +55,13 @@ vi.mock("../src/claude-auth.js", () => ({
   setAuthLogger: vi.fn(),
 }));
 
+// Mock workdir module to prevent real FS operations in unit tests
+vi.mock("../src/workdir.js", () => ({
+  createIsolatedWorkdir: mockCreateIsolatedWorkdir,
+  cleanupWorkdir: mockCleanupWorkdir,
+  sweepOrphanedWorkdirs: mockSweepOrphanedWorkdirs,
+}));
+
 // Now import SessionManager (uses the mocked spawn)
 import { SessionManager } from "../src/session-manager.js";
 
@@ -335,5 +345,102 @@ describe("SessionManager", () => {
       expect(proc1.kill).toHaveBeenCalledWith("SIGTERM");
       expect(proc2.kill).toHaveBeenCalledWith("SIGTERM");
     });
+
+    it("cleans up isolated workdirs on stop", () => {
+      mockCleanupWorkdir.mockClear();
+      mgr.spawn("cli-gemini/gemini-2.5-pro", [{ role: "user", content: "a" }], { isolateWorkdir: true });
+
+      mgr.stop();
+
+      expect(mockCleanupWorkdir).toHaveBeenCalledWith("/tmp/cli-bridge-fake123");
+    });
+  });
+
+  // ── workdir isolation (Issue #6) ───────────────────────────────────────
+
+  describe("workdir isolation", () => {
+    beforeEach(() => {
+      mockCreateIsolatedWorkdir.mockClear();
+      mockCleanupWorkdir.mockClear();
+      mockSweepOrphanedWorkdirs.mockClear();
+    });
+
+    it("creates an isolated workdir when isolateWorkdir is true", () => {
+      const id = mgr.spawn("cli-gemini/gemini-2.5-pro", [{ role: "user", content: "hi" }], { isolateWorkdir: true });
+      expect(mockCreateIsolatedWorkdir).toHaveBeenCalledTimes(1);
+
+      // The session should use the created workdir as cwd
+      expect(mockSpawn).toHaveBeenCalledWith(
+        "gemini",
+        expect.any(Array),
+        expect.objectContaining({ cwd: "/tmp/cli-bridge-fake123" })
+      );
+
+      // Session info should include the isolated workdir
+      const list = mgr.list();
+      const session = list.find(s => s.sessionId === id);
+      expect(session?.isolatedWorkdir).toBe("/tmp/cli-bridge-fake123");
+    });
+
+    it("does not create isolated workdir when isolateWorkdir is false", () => {
+      mgr.spawn("cli-gemini/gemini-2.5-pro", [{ role: "user", content: "hi" }]);
+      expect(mockCreateIsolatedWorkdir).not.toHaveBeenCalled();
+    });
+
+    it("does not create isolated workdir when explicit workdir is provided", () => {
+      mgr.spawn("cli-gemini/gemini-2.5-pro", [{ role: "user", content: "hi" }], {
+        isolateWorkdir: true,
+        workdir: "/explicit/dir",
+      });
+      expect(mockCreateIsolatedWorkdir).not.toHaveBeenCalled();
+
+      // Should use the explicit workdir
+      expect(mockSpawn).toHaveBeenCalledWith(
+        "gemini",
+        expect.any(Array),
+        expect.objectContaining({ cwd: "/explicit/dir" })
+      );
+    });
+
+    it("cleans up isolated workdir when process exits", () => {
+      mockCleanupWorkdir.mockClear();
+      mgr.spawn("cli-gemini/gemini-2.5-pro", [{ role: "user", content: "hi" }], { isolateWorkdir: true });
+
+      // Simulate process exit
+      latestProcRef.current._emit("close", 0);
+
+      expect(mockCleanupWorkdir).toHaveBeenCalledWith("/tmp/cli-bridge-fake123");
+    });
+
+    it("cleans up isolated workdir on process error", () => {
+      mockCleanupWorkdir.mockClear();
+      mgr.spawn("cli-gemini/gemini-2.5-pro", [{ role: "user", content: "hi" }], { isolateWorkdir: true });
+
+      // Simulate process error
+      latestProcRef.current._emit("error", new Error("spawn ENOENT"));
+
+      expect(mockCleanupWorkdir).toHaveBeenCalledWith("/tmp/cli-bridge-fake123");
+    });
+
+    it("cleans up isolated workdir during cleanup sweep", () => {
+      mockCleanupWorkdir.mockClear();
+      const id = mgr.spawn("cli-gemini/gemini-2.5-pro", [{ role: "user", content: "hi" }], { isolateWorkdir: true });
+
+      // Make the session old enough for cleanup
+      const sessions = (mgr as any).sessions as Map<string, any>;
+      sessions.get(id)!.startTime = Date.now() - 31 * 60 * 1000;
+
+      mgr.cleanup();
+
+      expect(mockCleanupWorkdir).toHaveBeenCalledWith("/tmp/cli-bridge-fake123");
+      expect(mockSweepOrphanedWorkdirs).toHaveBeenCalled();
+    });
+
+    it("session without isolation has null isolatedWorkdir", () => {
+      const id = mgr.spawn("cli-gemini/gemini-2.5-pro", [{ role: "user", content: "hi" }]);
+      const list = mgr.list();
+      const session = list.find(s => s.sessionId === id);
+      expect(session?.isolatedWorkdir).toBeNull();
+    });
   });
 });

package/test/workdir.test.ts

@@ -0,0 +1,152 @@
+/**
+ * Unit tests for workdir isolation (Issue #6).
+ */
+
+import { describe, it, expect, afterEach } from "vitest";
+import { existsSync, writeFileSync, mkdirSync, statSync } from "node:fs";
+import { tmpdir } from "node:os";
+import { join, basename } from "node:path";
+import {
+  createIsolatedWorkdir,
+  cleanupWorkdir,
+  sweepOrphanedWorkdirs,
+  getWorkdirBase,
+} from "../src/workdir.js";
+
+// Track created dirs for cleanup in case tests fail
+const createdDirs: string[] = [];
+
+afterEach(() => {
+  for (const dir of createdDirs) {
+    try {
+      const { rmSync } = require("node:fs");
+      rmSync(dir, { recursive: true, force: true });
+    } catch { /* ignore */ }
+  }
+  createdDirs.length = 0;
+});
+
+describe("createIsolatedWorkdir()", () => {
+  it("creates a directory that exists", () => {
+    const dir = createIsolatedWorkdir();
+    createdDirs.push(dir);
+    expect(existsSync(dir)).toBe(true);
+  });
+
+  it("creates a directory with the cli-bridge- prefix", () => {
+    const dir = createIsolatedWorkdir();
+    createdDirs.push(dir);
+    expect(basename(dir)).toMatch(/^cli-bridge-/);
+  });
+
+  it("creates unique directories on repeated calls", () => {
+    const dir1 = createIsolatedWorkdir();
+    const dir2 = createIsolatedWorkdir();
+    createdDirs.push(dir1, dir2);
+    expect(dir1).not.toBe(dir2);
+  });
+
+  it("accepts a custom base directory", () => {
+    const customBase = join(tmpdir(), "workdir-test-base");
+    mkdirSync(customBase, { recursive: true });
+    createdDirs.push(customBase);
+
+    const dir = createIsolatedWorkdir(customBase);
+    createdDirs.push(dir);
+    expect(dir.startsWith(customBase)).toBe(true);
+  });
+});
+
+describe("cleanupWorkdir()", () => {
+  it("removes an existing workdir", () => {
+    const dir = createIsolatedWorkdir();
+    // Create a file inside to verify recursive removal
+    writeFileSync(join(dir, "test.txt"), "hello");
+    expect(existsSync(dir)).toBe(true);
+
+    const result = cleanupWorkdir(dir);
+    expect(result).toBe(true);
+    expect(existsSync(dir)).toBe(false);
+  });
+
+  it("returns false for non-existent directory", () => {
+    const result = cleanupWorkdir(join(tmpdir(), "cli-bridge-nonexistent"));
+    // rmSync with force:true doesn't throw for non-existent
+    expect(result).toBe(true);
+  });
+
+  it("refuses to remove directories without cli-bridge- prefix", () => {
+    const result = cleanupWorkdir("/tmp/some-other-dir");
+    expect(result).toBe(false);
+  });
+
+  it("refuses to remove empty string", () => {
+    const result = cleanupWorkdir("");
+    expect(result).toBe(false);
+  });
+});
+
+describe("sweepOrphanedWorkdirs()", () => {
+  it("removes workdirs older than the threshold", () => {
+    const base = join(tmpdir(), "sweep-test-" + Date.now());
+    mkdirSync(base, { recursive: true });
+    createdDirs.push(base);
+
+    // Create a fake old workdir
+    const oldDir = join(base, "cli-bridge-oldone");
+    mkdirSync(oldDir);
+    // Set mtime to 2 hours ago
+    const twoHoursAgo = new Date(Date.now() - 2 * 60 * 60 * 1000);
+    const { utimesSync } = require("node:fs");
+    utimesSync(oldDir, twoHoursAgo, twoHoursAgo);
+
+    const removed = sweepOrphanedWorkdirs(base);
+    expect(removed).toBe(1);
+    expect(existsSync(oldDir)).toBe(false);
+  });
+
+  it("does not remove recent workdirs", () => {
+    const base = join(tmpdir(), "sweep-test-recent-" + Date.now());
+    mkdirSync(base, { recursive: true });
+    createdDirs.push(base);
+
+    const recentDir = join(base, "cli-bridge-recent");
+    mkdirSync(recentDir);
+
+    const removed = sweepOrphanedWorkdirs(base);
+    expect(removed).toBe(0);
+    expect(existsSync(recentDir)).toBe(true);
+  });
+
+  it("ignores non-cli-bridge directories", () => {
+    const base = join(tmpdir(), "sweep-test-ignore-" + Date.now());
+    mkdirSync(base, { recursive: true });
+    createdDirs.push(base);
+
+    const otherDir = join(base, "other-dir");
+    mkdirSync(otherDir);
+    const twoHoursAgo = new Date(Date.now() - 2 * 60 * 60 * 1000);
+    const { utimesSync } = require("node:fs");
+    utimesSync(otherDir, twoHoursAgo, twoHoursAgo);
+
+    const removed = sweepOrphanedWorkdirs(base);
+    expect(removed).toBe(0);
+    expect(existsSync(otherDir)).toBe(true);
+  });
+
+  it("returns 0 for non-existent base", () => {
+    const removed = sweepOrphanedWorkdirs("/nonexistent/path");
+    expect(removed).toBe(0);
+  });
+});
+
+describe("getWorkdirBase()", () => {
+  it("returns tmpdir by default", () => {
+    // Clear env var if set
+    const prev = process.env.OPENCLAW_CLI_BRIDGE_WORKDIR_BASE;
+    delete process.env.OPENCLAW_CLI_BRIDGE_WORKDIR_BASE;
+    expect(getWorkdirBase()).toBe(tmpdir());
+    // Restore
+    if (prev !== undefined) process.env.OPENCLAW_CLI_BRIDGE_WORKDIR_BASE = prev;
+  });
+});