@lobu/worker 6.0.1 → 7.0.0

package/src/__tests__/sandbox-leak-harden.test.ts

@@ -0,0 +1,200 @@
+/**
+ * Hardening tests for checkSandboxLeak — edge cases not covered by sandbox-leak.test.ts.
+ *
+ * Covers:
+ * - Multiple leak patterns in one message (all redacted, single note appended)
+ * - Real-secret-shaped strings that are NOT workspace paths (no false positive)
+ * - Boundary: path with no extension is NOT flagged by delivery-phrase regex
+ * - sandbox:// URL inside a code block (still flagged — delivery claim)
+ * - HTML src attribute without a file extension (still a workspace link → flagged)
+ * - The "exported to" / "written to" / "generated at" delivery phrase variants
+ * - Regex lastIndex stability under rapid repeated calls (stress)
+ * - Large input with no leaks: does not incorrectly set leaked=true
+ */
+
+import { describe, expect, test } from "bun:test";
+import { checkSandboxLeak } from "../openclaw/sandbox-leak";
+
+// ---------------------------------------------------------------------------
+// Multiple patterns in one message
+// ---------------------------------------------------------------------------
+
+describe("checkSandboxLeak — multiple leak patterns", () => {
+  test("redacts all offending patterns and appends a single note", () => {
+    const text = [
+      "Your files: sandbox:/report.pdf",
+      "[csv](/app/workspaces/org/123/data.csv)",
+      '<img src="/workspace/chart.png" />',
+    ].join("\n");
+
+    const res = checkSandboxLeak(text, false);
+    expect(res.leaked).toBe(true);
+
+    // sandbox URL replaced
+    expect(res.redactedText).toContain("[local file, not uploaded]");
+    // markdown link target replaced
+    expect(res.redactedText).toContain("](about:blank)");
+    // HTML src replaced
+    expect(res.redactedText).toContain('src="about:blank"');
+
+    // Only one appended note block
+    const noteCount = (
+      res.redactedText.match(/_Note: I referenced a local file/g) ?? []
+    ).length;
+    expect(noteCount).toBe(1);
+  });
+});
+
+// ---------------------------------------------------------------------------
+// False-positive guard: real-secret-shaped text not in a workspace path
+// ---------------------------------------------------------------------------
+
+describe("checkSandboxLeak — false-positive guards", () => {
+  test("ANTHROPIC_API_KEY in plain prose is not flagged", () => {
+    const text =
+      "Never log ANTHROPIC_API_KEY or sk-ant-api03-xxxx values in responses.";
+    const res = checkSandboxLeak(text, false);
+    expect(res.leaked).toBe(false);
+    expect(res.redactedText).toBe(text);
+  });
+
+  test("lobu_secret placeholder string in prose is not flagged", () => {
+    const text =
+      "The API key is lobu_secret_abc123 — a proxy placeholder, not the real key.";
+    const res = checkSandboxLeak(text, false);
+    expect(res.leaked).toBe(false);
+    expect(res.redactedText).toBe(text);
+  });
+
+  test("HTTP URL starting with https is not flagged", () => {
+    const text = "Download from https://example.com/report.pdf.";
+    const res = checkSandboxLeak(text, false);
+    expect(res.leaked).toBe(false);
+  });
+
+  test("/tmp path without workspace prefix is not flagged", () => {
+    const text = "Temp file at /tmp/output.csv is ephemeral.";
+    const res = checkSandboxLeak(text, false);
+    expect(res.leaked).toBe(false);
+  });
+});
+
+// ---------------------------------------------------------------------------
+// Delivery phrase variants
+// ---------------------------------------------------------------------------
+
+describe("checkSandboxLeak — delivery phrase variants", () => {
+  test("'exported to' triggers detection", () => {
+    const text = "exported to /app/workspaces/org/123/report.csv";
+    const res = checkSandboxLeak(text, false);
+    expect(res.leaked).toBe(true);
+  });
+
+  test("'written to' triggers detection", () => {
+    const text = "written to /workspace/output/final.txt";
+    const res = checkSandboxLeak(text, false);
+    expect(res.leaked).toBe(true);
+  });
+
+  test("'generated at' triggers detection", () => {
+    const text = "generated at /workspace/artifacts/report.pdf";
+    const res = checkSandboxLeak(text, false);
+    expect(res.leaked).toBe(true);
+  });
+
+  test("'created at' triggers detection", () => {
+    const text = "The summary was created at /workspace/summary.md";
+    const res = checkSandboxLeak(text, false);
+    expect(res.leaked).toBe(true);
+  });
+
+  test("'stored at' triggers detection", () => {
+    const text = "The data is stored at /app/workspaces/org/run/data.json";
+    const res = checkSandboxLeak(text, false);
+    expect(res.leaked).toBe(true);
+  });
+
+  test("delivery phrase with a very long extension is still caught (up to 10 chars)", () => {
+    const text = "located at /workspace/compressed.tar.gz";
+    // tar.gz — the regex matches \.\w{1,10} so 'gz' qualifies
+    const res = checkSandboxLeak(text, false);
+    expect(res.leaked).toBe(true);
+  });
+});
+
+// ---------------------------------------------------------------------------
+// sandbox:// inside prose / code blocks
+// ---------------------------------------------------------------------------
+
+describe("checkSandboxLeak — sandbox:// variants", () => {
+  test("sandbox:// inside backtick code span is still flagged", () => {
+    const text = "Run `curl sandbox://output/data.csv` to download.";
+    const res = checkSandboxLeak(text, false);
+    expect(res.leaked).toBe(true);
+  });
+
+  test("sandbox://workspace/path with query string is flagged", () => {
+    // The regex stops at whitespace/special chars — but ? is included until space
+    const text = "Here: sandbox://workspace/report.pdf";
+    const res = checkSandboxLeak(text, false);
+    expect(res.leaked).toBe(true);
+  });
+});
+
+// ---------------------------------------------------------------------------
+// HTML attribute variants
+// ---------------------------------------------------------------------------
+
+describe("checkSandboxLeak — HTML attributes", () => {
+  test("single-quote HTML href is flagged", () => {
+    const text = "<a href='/app/workspaces/org/report.pdf'>click</a>";
+    const res = checkSandboxLeak(text, false);
+    expect(res.leaked).toBe(true);
+    expect(res.redactedText).toContain('href="about:blank"');
+  });
+
+  test("HTML src without extension is still flagged (binary without ext)", () => {
+    const text = '<img src="/workspace/artifact" />';
+    // No extension — the LOCAL_HREF_RE doesn't require an extension
+    const res = checkSandboxLeak(text, false);
+    expect(res.leaked).toBe(true);
+  });
+});
+
+// ---------------------------------------------------------------------------
+// Regex stability under rapid repeated calls (lastIndex leak check)
+// ---------------------------------------------------------------------------
+
+describe("checkSandboxLeak — regex stability under rapid invocations", () => {
+  test("alternating positive/negative checks remain accurate across 20 calls", () => {
+    const good = "Workspace information: `/workspace/dir`";
+    const bad = "sandbox:/workspace/file.txt";
+
+    for (let i = 0; i < 20; i++) {
+      const g = checkSandboxLeak(good, false);
+      const b = checkSandboxLeak(bad, false);
+      expect(g.leaked).toBe(false);
+      expect(b.leaked).toBe(true);
+    }
+  });
+
+  test("100 consecutive 'no leak' calls return consistent false", () => {
+    const text = "The workspace directory is at `/app/workspaces/org/run`.";
+    for (let i = 0; i < 100; i++) {
+      expect(checkSandboxLeak(text, false).leaked).toBe(false);
+    }
+  });
+});
+
+// ---------------------------------------------------------------------------
+// Large input with no leaks
+// ---------------------------------------------------------------------------
+
+describe("checkSandboxLeak — large clean input", () => {
+  test("large prose with no workspace paths is not flagged", () => {
+    const para = "This is a paragraph about agent workflows. ".repeat(200);
+    const res = checkSandboxLeak(para, false);
+    expect(res.leaked).toBe(false);
+    expect(res.redactedText).toBe(para);
+  });
+});

package/src/__tests__/sandbox-leak.test.ts

@@ -0,0 +1,167 @@
+/**
+ * Unit tests for the sandbox-leak detector. These cover the false-positive
+ * cases that broke the Slack "probe" response (descriptive path mentions
+ * got nuked) plus the true-positive cases we still need to catch.
+ */
+
+import { describe, expect, test } from "bun:test";
+import { checkSandboxLeak } from "../openclaw/sandbox-leak";
+
+describe("checkSandboxLeak", () => {
+  test("passes through empty input", () => {
+    const res = checkSandboxLeak("", false);
+    expect(res.leaked).toBe(false);
+    expect(res.redactedText).toBe("");
+  });
+
+  test("suppresses check when UploadUserFile event was seen", () => {
+    const text =
+      "Here is your report. Also my notes live at /app/workspaces/foo/bar.md.";
+    const res = checkSandboxLeak(text, true);
+    expect(res.leaked).toBe(false);
+    expect(res.redactedText).toBe(text);
+  });
+
+  test("allows descriptive probe response mentioning workspace path", () => {
+    const text = [
+      "## Workspace Probe Results",
+      "",
+      "**Workspace Location:** `/app/workspaces/careops/C09EH3ASNQ1`",
+      "",
+      "**Directory Structure:**",
+      "- `.openclaw/` - Configuration files",
+      "- `input/` - Empty",
+    ].join("\n");
+    const res = checkSandboxLeak(text, false);
+    expect(res.leaked).toBe(false);
+    expect(res.redactedText).toBe(text);
+  });
+
+  test("allows /workspace/ path in plain prose", () => {
+    const text =
+      "I inspected /workspace/careops and it contains three directories.";
+    const res = checkSandboxLeak(text, false);
+    expect(res.leaked).toBe(false);
+  });
+
+  test("flags sandbox:// URL as delivery claim", () => {
+    const text = "Here is your file: sandbox:/output/report.pdf";
+    const res = checkSandboxLeak(text, false);
+    expect(res.leaked).toBe(true);
+    expect(res.redactedText).not.toContain("sandbox:/output/report.pdf");
+    expect(res.redactedText).toContain("[local file, not uploaded]");
+    expect(res.redactedText).toContain("did not actually upload");
+  });
+
+  test("flags sandbox:// URL with double-slash form", () => {
+    const text = "Download: sandbox://workspace/x.csv";
+    const res = checkSandboxLeak(text, false);
+    expect(res.leaked).toBe(true);
+    expect(res.redactedText).not.toContain("sandbox://workspace/x.csv");
+  });
+
+  test("flags markdown link to /app/workspaces/ as delivery claim", () => {
+    const text =
+      "Your report is ready: [report.pdf](/app/workspaces/foo/report.pdf)";
+    const res = checkSandboxLeak(text, false);
+    expect(res.leaked).toBe(true);
+    expect(res.redactedText).not.toContain("/app/workspaces/foo/report.pdf");
+    expect(res.redactedText).toContain("](about:blank)");
+    expect(res.redactedText).toContain("did not actually upload");
+  });
+
+  test("flags markdown link with file:// scheme", () => {
+    const text = "Download [here](file:///workspace/out.csv).";
+    const res = checkSandboxLeak(text, false);
+    expect(res.leaked).toBe(true);
+    expect(res.redactedText).not.toContain("file:///workspace/out.csv");
+  });
+
+  test("flags HTML href pointing at workspace path", () => {
+    const text = '<a href="/app/workspaces/foo/bar.pdf">click</a>';
+    const res = checkSandboxLeak(text, false);
+    expect(res.leaked).toBe(true);
+    expect(res.redactedText).toContain('href="about:blank"');
+    expect(res.redactedText).not.toContain("/app/workspaces/foo/bar.pdf");
+  });
+
+  test("flags HTML src preserving attribute name", () => {
+    const text = '<img src="/workspace/chart.png" />';
+    const res = checkSandboxLeak(text, false);
+    expect(res.leaked).toBe(true);
+    expect(res.redactedText).toContain('src="about:blank"');
+    expect(res.redactedText).not.toContain("/workspace/chart.png");
+  });
+
+  test("preserves surrounding prose when redacting", () => {
+    const text =
+      "Intro paragraph.\n\n[report.pdf](/app/workspaces/x/report.pdf)\n\nClosing remarks.";
+    const res = checkSandboxLeak(text, false);
+    expect(res.leaked).toBe(true);
+    expect(res.redactedText).toContain("Intro paragraph.");
+    expect(res.redactedText).toContain("Closing remarks.");
+  });
+
+  test("does not flag bare workspace path in backticks", () => {
+    // This is the probe-style case that the broad regex was false-positive on.
+    const text = "The workspace is at `/app/workspaces/careops/foo`.";
+    const res = checkSandboxLeak(text, false);
+    expect(res.leaked).toBe(false);
+    expect(res.redactedText).toBe(text);
+  });
+
+  test("does not flag non-workspace markdown links", () => {
+    const text = "See [docs](https://example.com/path).";
+    const res = checkSandboxLeak(text, false);
+    expect(res.leaked).toBe(false);
+  });
+
+  // --- delivery-phrase detection ---
+
+  test("flags 'located at' with workspace file path", () => {
+    const text =
+      "The file is located at: /app/workspaces/careops/123/input/sample_patient.json";
+    const res = checkSandboxLeak(text, false);
+    expect(res.leaked).toBe(true);
+    expect(res.redactedText).not.toContain("/app/workspaces/careops");
+    expect(res.redactedText).toContain("not uploaded");
+  });
+
+  test("flags 'saved to' with backticked workspace path", () => {
+    const text = "Report saved to `/workspace/output/report.pdf` successfully.";
+    const res = checkSandboxLeak(text, false);
+    expect(res.leaked).toBe(true);
+    expect(res.redactedText).not.toContain("/workspace/output/report.pdf");
+  });
+
+  test("does not flag delivery phrase with directory (no extension)", () => {
+    const text = "Files are stored in /app/workspaces/careops/123/input";
+    const res = checkSandboxLeak(text, false);
+    expect(res.leaked).toBe(false);
+  });
+
+  test("does not flag delivery phrase about non-workspace paths", () => {
+    const text = "The file is located at: /home/user/documents/report.pdf";
+    const res = checkSandboxLeak(text, false);
+    expect(res.leaked).toBe(false);
+  });
+
+  test("suppresses delivery-phrase check when UploadUserFile was used", () => {
+    const text =
+      "I saved the file to `/workspace/output/data.csv` and uploaded it.";
+    const res = checkSandboxLeak(text, true);
+    expect(res.leaked).toBe(false);
+    expect(res.redactedText).toBe(text);
+  });
+
+  test("is stable across repeated invocations (no lastIndex leakage)", () => {
+    const bad = "Here: sandbox:/a.pdf";
+    const good = "Workspace at /app/workspaces/careops.";
+    const deliveryBad = "File saved to /app/workspaces/foo/report.pdf for you.";
+    expect(checkSandboxLeak(bad, false).leaked).toBe(true);
+    expect(checkSandboxLeak(good, false).leaked).toBe(false);
+    expect(checkSandboxLeak(deliveryBad, false).leaked).toBe(true);
+    expect(checkSandboxLeak(bad, false).leaked).toBe(true);
+    expect(checkSandboxLeak(good, false).leaked).toBe(false);
+  });
+});

package/src/__tests__/setup.ts

@@ -0,0 +1,102 @@
+/**
+ * Test setup and configuration for worker tests.
+ *
+ * Shared mocks live in @lobu/core fixtures.
+ * This file re-exports them and adds worker-specific helpers.
+ */
+
+import { afterAll, beforeAll } from "bun:test";
+import {
+  createWorkerConfig,
+  mockFetch as sharedMockFetch,
+} from "@lobu/core/testing";
+
+export const mockWorkerConfig = createWorkerConfig();
+
+// Mock environment variables for testing
+const mockEnvVars: Record<string, string> = {
+  DISPATCHER_URL: "https://test-dispatcher.example.com",
+  WORKER_TOKEN: "test-worker-token-123",
+  CONVERSATION_ID: "1234567890.123456",
+  WORKER_SESSION_KEY: "test-session-key",
+  WORKER_USER_ID: "U1234567890",
+  WORKER_CHANNEL_ID: "C1234567890",
+  WORKER_USER_PROMPT: Buffer.from("Test user prompt").toString("base64"),
+  WORKER_RESPONSE_CHANNEL: "C1234567890",
+  WORKER_RESPONSE_TS: "1234567890.123457",
+  WORKER_CLAUDE_OPTIONS: JSON.stringify({
+    model: "claude-sonnet-4-20250514",
+    max_tokens: 8192,
+  }),
+  WORKER_TEAM_ID: "T1234567890",
+  WORKER_WORKSPACE_BASE_DIRECTORY: "/tmp/test-workspace",
+};
+
+export class TestHelpers {
+  static mockFetch(responses?: Record<string, any>): () => void {
+    return sharedMockFetch(responses);
+  }
+
+  static createMockProgressUpdate(
+    type: "output" | "completion" | "error",
+    data: any
+  ) {
+    return { type, data, timestamp: Date.now() };
+  }
+
+  static async delay(ms: number): Promise<void> {
+    return new Promise((resolve) => setTimeout(resolve, ms));
+  }
+
+  static mockEventSource() {
+    class MockEventSource {
+      url: string;
+      readyState = 1;
+      onopen: ((event: Event) => void) | null = null;
+      onmessage: ((event: MessageEvent) => void) | null = null;
+      onerror: ((event: Event) => void) | null = null;
+
+      constructor(url: string) {
+        this.url = url;
+        setTimeout(() => {
+          if (this.onopen) this.onopen(new Event("open"));
+        }, 10);
+      }
+
+      close() {
+        this.readyState = 2;
+      }
+
+      simulateMessage(data: any) {
+        if (this.onmessage) {
+          this.onmessage(
+            new MessageEvent("message", { data: JSON.stringify(data) })
+          );
+        }
+      }
+
+      simulateError() {
+        if (this.onerror) this.onerror(new Event("error"));
+      }
+    }
+
+    const originalEventSource = globalThis.EventSource;
+    globalThis.EventSource = MockEventSource as any;
+    return () => {
+      globalThis.EventSource = originalEventSource;
+    };
+  }
+}
+
+// Global test setup
+beforeAll(() => {
+  for (const [key, value] of Object.entries(mockEnvVars)) {
+    process.env[key] = value;
+  }
+});
+
+afterAll(() => {
+  for (const key of Object.keys(mockEnvVars)) {
+    delete process.env[key];
+  }
+});