@mochi.js/core 0.3.0 → 0.6.0

package/src/__tests__/inject.test.ts

@@ -5,132 +5,24 @@
  * browser reports its bare, un-spoofed fingerprint.
  *
  * No real Chromium process is spawned; we drive `Session` against a fake
- * `ChromiumProcess` whose pipe reader/writer let us observe every CDP
- * request sent and inject canned responses. The §8.2 forbidden-method
- * assertions still gate every send through `MessageRouter`, so the test
- * implicitly enforces those too.
+ * `ChromiumProcess` via the shared `tests/helpers/cdp-fixture.ts` helper.
+ * The §8.2 forbidden-method assertions still gate every send through
+ * `MessageRouter`, so the test implicitly enforces those too.
  *
  * @see PLAN.md §12.1 — capture must run against bare Chromium.
  * @see tasks/0040-mochi-capture.md — `bypassInject: true` requirement.
+ * @see tests/helpers/cdp-fixture.ts — shared helper consolidating fake-pipe boilerplate.
  */
 
 import { afterEach, beforeEach, describe, expect, it } from "bun:test";
 import { deriveMatrix, type ProfileV1 } from "@mochi.js/consistency";
-import type { PipeReader, PipeWriter } from "../cdp/transport";
-import type { ChromiumProcess } from "../proc";
+import {
+  type FakePipe,
+  fakeChromiumProcess,
+  makeFakePipe,
+} from "../../../../tests/helpers/cdp-fixture";
 import { Session } from "../session";
 
-interface FakeBrowser {
-  process: ChromiumProcess;
-  /** All CDP requests written to the pipe, decoded as JSON-RPC objects. */
-  written: Array<{ id?: number; method?: string; params?: unknown; sessionId?: string }>;
-  /** Inject one inbound JSON frame (CDP response or event). */
-  push(obj: unknown): void;
-  /** Auto-respond to any request matching `methodPredicate`. Returns the unsubscribe. */
-  autoRespond(methodPredicate: (m: string) => boolean, result: unknown): void;
-  /** Resolve when the next `n` writes have completed. */
-  waitForWrites(n: number): Promise<void>;
-}
-
-function makeFakeBrowser(): FakeBrowser {
-  const written: FakeBrowser["written"] = [];
-  let pumpController: ReadableStreamDefaultController<Uint8Array> | null = null;
-  const stream = new ReadableStream<Uint8Array>({
-    start(c) {
-      pumpController = c;
-    },
-  });
-  const enc = new TextEncoder();
-  const dec = new TextDecoder();
-  const autoResponders: Array<{ pred: (m: string) => boolean; result: unknown }> = [];
-  const writeListeners: Array<() => void> = [];
-
-  const reader: PipeReader = {
-    getReader: () => stream.getReader(),
-  };
-
-  const push = (obj: unknown): void => {
-    const bytes = enc.encode(JSON.stringify(obj));
-    const out = new Uint8Array(bytes.length + 1);
-    out.set(bytes, 0);
-    out[bytes.length] = 0;
-    pumpController?.enqueue(out);
-  };
-
-  const writer: PipeWriter = {
-    write: (chunk) => {
-      const last = chunk[chunk.length - 1] === 0 ? chunk.length - 1 : chunk.length;
-      const json = dec.decode(chunk.subarray(0, last));
-      try {
-        const parsed = JSON.parse(json) as {
-          id?: number;
-          method?: string;
-          params?: unknown;
-          sessionId?: string;
-        };
-        written.push(parsed);
-        // Notify listeners.
-        const ls = writeListeners.splice(0, writeListeners.length);
-        for (const fn of ls) fn();
-        // Auto-respond if matched.
-        if (typeof parsed.method === "string" && typeof parsed.id === "number") {
-          const r = autoResponders.find((a) => a.pred(parsed.method ?? ""));
-          if (r) {
-            queueMicrotask(() => push({ id: parsed.id, result: r.result }));
-          }
-        }
-      } catch {
-        // ignore malformed
-      }
-    },
-    flush: () => undefined,
-    end: () => undefined,
-  };
-
-  let resolveExit: ((code: number) => void) | undefined;
-  const exited = new Promise<number>((res) => {
-    resolveExit = res;
-  });
-
-  let killed = false;
-  const proc: ChromiumProcess = {
-    userDataDir: "/tmp/fake-mochi-test",
-    pid: 0,
-    exited,
-    reader,
-    writer,
-    close: async () => {
-      if (killed) return;
-      killed = true;
-      try {
-        pumpController?.close();
-      } catch {
-        // ignore
-      }
-      resolveExit?.(0);
-    },
-  };
-
-  return {
-    process: proc,
-    written,
-    push,
-    autoRespond(pred, result) {
-      autoResponders.push({ pred, result });
-    },
-    waitForWrites(n) {
-      if (written.length >= n) return Promise.resolve();
-      return new Promise<void>((resolve) => {
-        const check = (): void => {
-          if (written.length >= n) resolve();
-          else writeListeners.push(check);
-        };
-        writeListeners.push(check);
-      });
-    },
-  };
-}
-
 const TEST_PROFILE: ProfileV1 = {
   id: "bypass-inject-fixture",
   version: "0.0.0-test",
@@ -168,11 +60,18 @@ const TEST_PROFILE: ProfileV1 = {
 };
 
 describe("Session.bypassInject (PLAN.md §12.1, task 0040)", () => {
-  let fake: FakeBrowser;
+  let pipe: FakePipe;
   let session: Session | undefined;
 
   beforeEach(() => {
-    fake = makeFakeBrowser();
+    pipe = makeFakePipe({
+      responders: {
+        // Tests below assert on identifier shape — keep these stable.
+        "Target.createTarget": () => ({ targetId: "page-target-1" }),
+        "Target.attachToTarget": () => ({ sessionId: "session-1" }),
+        "Page.addScriptToEvaluateOnNewDocument": () => ({ identifier: "should-never-fire" }),
+      },
+    });
     session = undefined;
   });
 
@@ -186,47 +85,42 @@ describe("Session.bypassInject (PLAN.md §12.1, task 0040)", () => {
     }
   });
 
-  it("with bypassInject:true — newPage() never sends Page.addScriptToEvaluateOnNewDocument", async () => {
+  it("with bypassInject:true — newPage() never sends Page.addScriptToEvaluateOnNewDocument and no Fetch.enable for inject", async () => {
     const matrix = deriveMatrix(TEST_PROFILE, "bypass-test");
     session = new Session({
-      proc: fake.process,
+      proc: fakeChromiumProcess(pipe, { userDataDir: "/tmp/fake-mochi-test" }),
       matrix,
       seed: "bypass-test",
       bypassInject: true,
     });
 
-    // Auto-respond to the small set of CDP calls Session/newPage drives:
-    // Target.setAutoAttach (constructor), Target.createTarget, Target.attachToTarget,
-    // and Page.enable. These are the *only* writes we expect.
-    fake.autoRespond((m) => m === "Target.setAutoAttach", {});
-    fake.autoRespond((m) => m === "Target.createTarget", { targetId: "page-target-1" });
-    fake.autoRespond((m) => m === "Target.attachToTarget", { sessionId: "session-1" });
-    fake.autoRespond((m) => m === "Page.enable", {});
-    fake.autoRespond((m) => m === "Target.closeTarget", { success: true });
-    fake.autoRespond((m) => m === "Page.removeScriptToEvaluateOnNewDocument", {});
-    fake.autoRespond((m) => m === "Page.addScriptToEvaluateOnNewDocument", {
-      identifier: "should-never-fire",
-    });
-
     const page = await session.newPage();
     expect(page).toBeDefined();
+    // Allow the constructor's deferred init-injector promise to settle (it's
+    // a no-op in this case but the rejection-handler microtasks still queue).
+    await new Promise((r) => setTimeout(r, 5));
 
-    const methods = fake.written
-      .map((w) => w.method)
+    const methods = pipe.written
+      .map((w) => w.parsed.method)
       .filter((m): m is string => typeof m === "string");
     expect(methods).toContain("Target.createTarget");
     expect(methods).toContain("Target.attachToTarget");
     expect(methods).toContain("Page.enable");
-    // The contract: ZERO addScriptToEvaluateOnNewDocument sends.
+    // Task 0266 contract: no Page.addScriptToEvaluateOnNewDocument under
+    // bypassInject — the session-level injector is also short-circuited.
     expect(methods).not.toContain("Page.addScriptToEvaluateOnNewDocument");
-    // And no Runtime.evaluate either (worker injection is also bypassed).
+    // No Runtime.evaluate — worker injection is also bypassed.
     expect(methods).not.toContain("Runtime.evaluate");
+    // No proxy creds, no payload to deliver — the unified injector
+    // short-circuits and does NOT send Fetch.enable. Capture flow keeps a
+    // zero-extra-protocol-surface posture.
+    expect(methods).not.toContain("Fetch.enable");
   });
 
   it("with bypassInject:true — _internalPayload() is null", () => {
     const matrix = deriveMatrix(TEST_PROFILE, "null-payload");
     session = new Session({
-      proc: fake.process,
+      proc: fakeChromiumProcess(pipe, { userDataDir: "/tmp/fake-mochi-test" }),
       matrix,
       seed: "null-payload",
       bypassInject: true,
@@ -235,10 +129,20 @@ describe("Session.bypassInject (PLAN.md §12.1, task 0040)", () => {
     expect(session._internalBypassInject()).toBe(true);
   });
 
-  it("with bypassInject omitted — _internalPayload() is non-null and newPage installs the inject script", async () => {
+  it("with bypassInject omitted — Session installs the unified Fetch-domain injector instead of Page.addScriptToEvaluateOnNewDocument (task 0266)", async () => {
+    // Override the script identifier for this test — it asserts that the
+    // dual-mechanism `addScriptToEvaluateOnNewDocument` call (commit 2 of
+    // 0266) carries the wrapped matrix payload.
+    const localPipe = makeFakePipe({
+      responders: {
+        "Target.createTarget": () => ({ targetId: "page-target-2" }),
+        "Target.attachToTarget": () => ({ sessionId: "session-2" }),
+        "Page.addScriptToEvaluateOnNewDocument": () => ({ identifier: "inj-1" }),
+      },
+    });
     const matrix = deriveMatrix(TEST_PROFILE, "default-inject");
     session = new Session({
-      proc: fake.process,
+      proc: fakeChromiumProcess(localPipe, { userDataDir: "/tmp/fake-mochi-test" }),
       matrix,
       seed: "default-inject",
     });
@@ -247,34 +151,46 @@ describe("Session.bypassInject (PLAN.md §12.1, task 0040)", () => {
     expect(payload).not.toBeNull();
     expect(payload?.code.length ?? 0).toBeGreaterThan(0);
 
-    fake.autoRespond((m) => m === "Target.setAutoAttach", {});
-    fake.autoRespond((m) => m === "Target.createTarget", { targetId: "page-target-2" });
-    fake.autoRespond((m) => m === "Target.attachToTarget", { sessionId: "session-2" });
-    fake.autoRespond((m) => m === "Page.enable", {});
-    // Task 0262: Session sends Emulation.setTimezoneOverride per page.
-    fake.autoRespond((m) => m === "Emulation.setTimezoneOverride", {});
-    // Task 0255: Session now sends Network.setUserAgentOverride per page.
-    fake.autoRespond((m) => m === "Network.setUserAgentOverride", {});
-    fake.autoRespond((m) => m === "Target.closeTarget", { success: true });
-    fake.autoRespond((m) => m === "Page.removeScriptToEvaluateOnNewDocument", {});
-    fake.autoRespond((m) => m === "Page.addScriptToEvaluateOnNewDocument", {
-      identifier: "inj-1",
-    });
-
     const page = await session.newPage();
     expect(page).toBeDefined();
+    // Yield once so the deferred installInitInjector promise settles.
+    await new Promise((r) => setTimeout(r, 10));
 
-    const methods = fake.written
-      .map((w) => w.method)
+    const methods = localPipe.written
+      .map((w) => w.parsed.method)
       .filter((m): m is string => typeof m === "string");
-    // Default behavior: the inject script IS installed.
+    // Task 0266 dual-mechanism: Session uses BOTH Fetch.fulfillRequest body
+    // splice (HTTP/HTTPS Document responses — closes source-attribution
+    // leak) AND Page.addScriptToEvaluateOnNewDocument (per-page fallback for
+    // about:blank / data: / blob: where Fetch domain can't intercept). The
+    // wrapped payload's `__mochi_inject_marker` early-return prevents
+    // double-execution when both fire on the same realm.
     expect(methods).toContain("Page.addScriptToEvaluateOnNewDocument");
-    // And the params carry the compiled payload code.
-    const installCall = fake.written.find(
-      (w) => w.method === "Page.addScriptToEvaluateOnNewDocument",
+    const addScriptCall = localPipe.written.find(
+      (w) => w.parsed.method === "Page.addScriptToEvaluateOnNewDocument",
     );
-    const params = installCall?.params as { source?: string; runImmediately?: boolean } | undefined;
-    expect(params?.source).toBe(payload?.code);
-    expect(params?.runImmediately).toBe(true);
+    const addScriptParams = addScriptCall?.parsed.params as
+      | { source?: string; runImmediately?: boolean; worldName?: string }
+      | undefined;
+    expect(addScriptParams?.runImmediately).toBe(true);
+    expect(addScriptParams?.worldName).toBe(""); // PLAN.md §8.4 — main world
+    expect(addScriptParams?.source).toContain("__mochi_inject_marker"); // idempotency guard
+    // Fetch.enable is sent ONCE on session construction with the
+    // Document-first patterns. Auth is off because no proxyAuth was set.
+    expect(methods).toContain("Fetch.enable");
+    const enableCall = localPipe.written.find((w) => w.parsed.method === "Fetch.enable");
+    const enableParams = enableCall?.parsed.params as
+      | {
+          handleAuthRequests?: boolean;
+          patterns?: { urlPattern?: string; resourceType?: string }[];
+        }
+      | undefined;
+    expect(enableParams?.handleAuthRequests).toBe(false);
+    expect(enableParams?.patterns).toBeDefined();
+    expect(enableParams?.patterns?.[0]).toEqual({
+      urlPattern: "*",
+      resourceType: "Document",
+    });
+    expect(enableParams?.patterns?.[1]).toEqual({ urlPattern: "*" });
   });
 });

package/src/__tests__/page-dx-cluster.test.ts

@@ -0,0 +1,292 @@
+/**
+ * Unit tests for the Page DX cluster (task 0257):
+ *   - `Page.localStorage.{get,set}`   → DOMStorage.getDOMStorageItems /
+ *                                       DOMStorage.setDOMStorageItem.
+ *   - `Page.sessionStorage.{get,set}` → same shape, `isLocalStorage: false`.
+ *   - `Page.grantAllPermissions()`    → Browser.grantPermissions with the
+ *                                       full descriptor list.
+ *
+ * Driven against a hand-rolled fake CDP transport — same fixture pattern as
+ * the cookies-jar tests, kept inline here so each test file stands alone.
+ *
+ * @see tasks/0257-dx-cluster-cookies-storage-permissions.md
+ */
+
+import { afterEach, beforeEach, describe, expect, it } from "bun:test";
+import { MessageRouter } from "../cdp/router";
+import type { PipeReader, PipeWriter } from "../cdp/transport";
+import { ALL_BROWSER_PERMISSIONS, Page } from "../page";
+
+interface FakeBrowser {
+  reader: PipeReader;
+  writer: PipeWriter;
+  written: Array<{ id?: number; method?: string; params?: unknown; sessionId?: string }>;
+  push(obj: unknown): void;
+  autoRespond(methodPredicate: (m: string) => boolean, result: unknown): void;
+  close(): void;
+}
+
+function makeFakeBrowser(): FakeBrowser {
+  const written: FakeBrowser["written"] = [];
+  let pumpController: ReadableStreamDefaultController<Uint8Array> | null = null;
+  const stream = new ReadableStream<Uint8Array>({
+    start(c) {
+      pumpController = c;
+    },
+  });
+  const enc = new TextEncoder();
+  const dec = new TextDecoder();
+  const autoResponders: Array<{ pred: (m: string) => boolean; result: unknown }> = [];
+
+  const reader: PipeReader = { getReader: () => stream.getReader() };
+
+  const push = (obj: unknown): void => {
+    const bytes = enc.encode(JSON.stringify(obj));
+    const out = new Uint8Array(bytes.length + 1);
+    out.set(bytes, 0);
+    out[bytes.length] = 0;
+    pumpController?.enqueue(out);
+  };
+
+  const writer: PipeWriter = {
+    write: (chunk) => {
+      const last = chunk[chunk.length - 1] === 0 ? chunk.length - 1 : chunk.length;
+      const json = dec.decode(chunk.subarray(0, last));
+      try {
+        const parsed = JSON.parse(json) as {
+          id?: number;
+          method?: string;
+          params?: unknown;
+          sessionId?: string;
+        };
+        written.push(parsed);
+        if (typeof parsed.method === "string" && typeof parsed.id === "number") {
+          const r = autoResponders.find((a) => a.pred(parsed.method ?? ""));
+          if (r) {
+            queueMicrotask(() => push({ id: parsed.id, result: r.result }));
+          }
+        }
+      } catch {
+        // ignore
+      }
+    },
+    flush: () => undefined,
+    end: () => undefined,
+  };
+
+  return {
+    reader,
+    writer,
+    written,
+    push,
+    autoRespond(pred, result) {
+      autoResponders.push({ pred, result });
+    },
+    close() {
+      try {
+        pumpController?.close();
+      } catch {
+        // ignore
+      }
+    },
+  };
+}
+
+/**
+ * Auto-respond to the DOM-resolution chain `resolveOrigin` triggers. Two CDP
+ * calls fire:
+ *   1. `DOM.getDocument` → returns a synthetic root with a `backendNodeId`.
+ *   2. `DOM.resolveNode({ backendNodeId })` → returns `{ object: { objectId } }`.
+ *   3. `Runtime.callFunctionOn` → returns `{ result: { value: <origin> } }`.
+ *
+ * Used for the default-origin path; tests passing an explicit `origin` skip
+ * this fixture.
+ */
+function wireOriginResolver(fake: FakeBrowser, origin: string): void {
+  fake.autoRespond((m) => m === "DOM.getDocument", {
+    root: { nodeId: 1, backendNodeId: 100 },
+  });
+  fake.autoRespond((m) => m === "DOM.resolveNode", {
+    object: { objectId: "doc-obj-1" },
+  });
+  fake.autoRespond((m) => m === "Runtime.callFunctionOn", {
+    result: { value: origin },
+  });
+}
+
+describe("Page.localStorage / Page.sessionStorage (task 0257)", () => {
+  let fake: FakeBrowser;
+  let router: MessageRouter;
+  let page: Page;
+
+  beforeEach(() => {
+    fake = makeFakeBrowser();
+    router = new MessageRouter(fake.reader, fake.writer);
+    router.start();
+    page = new Page({
+      router,
+      targetId: "page-target",
+      sessionId: "page-session",
+      initialUrl: "https://example.com/",
+    });
+  });
+
+  afterEach(async () => {
+    await router.close();
+    fake.close();
+  });
+
+  it("localStorage.get() sends DOMStorage.getDOMStorageItems with isLocalStorage:true", async () => {
+    fake.autoRespond((m) => m === "DOMStorage.getDOMStorageItems", {
+      entries: [
+        ["foo", "bar"],
+        ["baz", "qux"],
+      ],
+    });
+
+    const items = await page.localStorage.get({ origin: "https://example.com" });
+    expect(items).toEqual({ foo: "bar", baz: "qux" });
+
+    const call = fake.written.find((w) => w.method === "DOMStorage.getDOMStorageItems");
+    expect(call).toBeDefined();
+    expect(call?.params).toEqual({
+      storageId: { securityOrigin: "https://example.com", isLocalStorage: true },
+    });
+  });
+
+  it("localStorage.get() defaults origin to current page origin", async () => {
+    wireOriginResolver(fake, "https://defaulted.test");
+    fake.autoRespond((m) => m === "DOMStorage.getDOMStorageItems", { entries: [] });
+    await page.localStorage.get();
+    const call = fake.written.find((w) => w.method === "DOMStorage.getDOMStorageItems");
+    expect(call?.params).toEqual({
+      storageId: { securityOrigin: "https://defaulted.test", isLocalStorage: true },
+    });
+  });
+
+  it("localStorage.set() fans out one DOMStorage.setDOMStorageItem per key", async () => {
+    fake.autoRespond((m) => m === "DOMStorage.setDOMStorageItem", {});
+    await page.localStorage.set({ foo: "bar", baz: "qux" }, { origin: "https://example.com" });
+    const calls = fake.written.filter((w) => w.method === "DOMStorage.setDOMStorageItem");
+    expect(calls.length).toBe(2);
+    expect(calls[0]?.params).toEqual({
+      storageId: { securityOrigin: "https://example.com", isLocalStorage: true },
+      key: "foo",
+      value: "bar",
+    });
+    expect(calls[1]?.params).toEqual({
+      storageId: { securityOrigin: "https://example.com", isLocalStorage: true },
+      key: "baz",
+      value: "qux",
+    });
+  });
+
+  it("sessionStorage.get() flips isLocalStorage to false", async () => {
+    fake.autoRespond((m) => m === "DOMStorage.getDOMStorageItems", {
+      entries: [["k", "v"]],
+    });
+    const items = await page.sessionStorage.get({ origin: "https://example.com" });
+    expect(items).toEqual({ k: "v" });
+    const call = fake.written.find((w) => w.method === "DOMStorage.getDOMStorageItems");
+    expect(call?.params).toEqual({
+      storageId: { securityOrigin: "https://example.com", isLocalStorage: false },
+    });
+  });
+
+  it("sessionStorage.set() also flips isLocalStorage to false", async () => {
+    fake.autoRespond((m) => m === "DOMStorage.setDOMStorageItem", {});
+    await page.sessionStorage.set({ a: "1" }, { origin: "https://example.com" });
+    const call = fake.written.find((w) => w.method === "DOMStorage.setDOMStorageItem");
+    expect(call?.params).toEqual({
+      storageId: { securityOrigin: "https://example.com", isLocalStorage: false },
+      key: "a",
+      value: "1",
+    });
+  });
+
+  it("localStorage.get() throws when origin defaults to opaque about:blank", async () => {
+    // resolveOrigin returns "" or "null" for opaque origins. Wire that.
+    fake.autoRespond((m) => m === "DOM.getDocument", {
+      root: { nodeId: 1, backendNodeId: 100 },
+    });
+    fake.autoRespond((m) => m === "DOM.resolveNode", {
+      object: { objectId: "doc-obj-1" },
+    });
+    fake.autoRespond((m) => m === "Runtime.callFunctionOn", { result: { value: "null" } });
+    let threw = false;
+    try {
+      await page.localStorage.get();
+    } catch (err) {
+      threw = true;
+      expect(String(err)).toContain("opaque");
+    }
+    expect(threw).toBe(true);
+  });
+});
+
+describe("Page.grantAllPermissions (task 0257)", () => {
+  let fake: FakeBrowser;
+  let router: MessageRouter;
+  let page: Page;
+
+  beforeEach(() => {
+    fake = makeFakeBrowser();
+    router = new MessageRouter(fake.reader, fake.writer);
+    router.start();
+    page = new Page({
+      router,
+      targetId: "page-target",
+      sessionId: "page-session",
+      initialUrl: "https://example.com/",
+    });
+  });
+
+  afterEach(async () => {
+    await router.close();
+    fake.close();
+  });
+
+  it("grantAllPermissions({ origin }) sends Browser.grantPermissions with the full list", async () => {
+    fake.autoRespond((m) => m === "Browser.grantPermissions", {});
+    await page.grantAllPermissions({ origin: "https://example.com" });
+    const call = fake.written.find((w) => w.method === "Browser.grantPermissions");
+    expect(call).toBeDefined();
+    expect(call?.params).toEqual({
+      permissions: [...ALL_BROWSER_PERMISSIONS],
+      origin: "https://example.com",
+    });
+  });
+
+  it("grantAllPermissions({ origin }) routes to ROOT browser target (no sessionId)", async () => {
+    fake.autoRespond((m) => m === "Browser.grantPermissions", {});
+    await page.grantAllPermissions({ origin: "https://example.com" });
+    const call = fake.written.find((w) => w.method === "Browser.grantPermissions");
+    // The router omits sessionId when unset → routes to root target. The
+    // fake captures a missing/undefined sessionId.
+    expect(call?.sessionId).toBeUndefined();
+  });
+
+  it("grantAllPermissions() defaults origin to the page's main-frame origin", async () => {
+    wireOriginResolver(fake, "https://granted.test");
+    fake.autoRespond((m) => m === "Browser.grantPermissions", {});
+    await page.grantAllPermissions();
+    const call = fake.written.find((w) => w.method === "Browser.grantPermissions");
+    expect(call?.params).toEqual({
+      permissions: [...ALL_BROWSER_PERMISSIONS],
+      origin: "https://granted.test",
+    });
+  });
+
+  it("ALL_BROWSER_PERMISSIONS contains canonical descriptors", () => {
+    // Sanity check: a couple of well-known permissions must be present so
+    // the conformance test catches a typo if someone hand-edits the list.
+    expect(ALL_BROWSER_PERMISSIONS).toContain("geolocation");
+    expect(ALL_BROWSER_PERMISSIONS).toContain("notifications");
+    expect(ALL_BROWSER_PERMISSIONS).toContain("audioCapture");
+    expect(ALL_BROWSER_PERMISSIONS).toContain("videoCapture");
+    expect(ALL_BROWSER_PERMISSIONS).toContain("clipboardReadWrite");
+    expect(ALL_BROWSER_PERMISSIONS).toContain("midiSysex");
+    // No duplicates.
+    expect(new Set(ALL_BROWSER_PERMISSIONS).size).toBe(ALL_BROWSER_PERMISSIONS.length);
+  });
+});