@openchamber/web 1.11.5 → 1.11.7

package/server/lib/opencode/plugin-routes.test.js

@@ -0,0 +1,384 @@
+import { afterAll, afterEach, beforeAll, beforeEach, describe, expect, mock, test } from 'bun:test';
+import express from 'express';
+import fs from 'fs';
+import os from 'os';
+import path from 'path';
+import request from 'supertest';
+
+import { registerPluginRoutes } from './plugin-routes.js';
+
+let projectDir;
+let userConfigPath;
+let rootDir;
+let plugins;
+let refreshOpenCodeAfterConfigChange;
+let app;
+let cleanupPaths;
+
+const testUnlessRoot = typeof process.getuid === 'function' && process.getuid() === 0 ? test.skip : test;
+
+function readJson(filePath) {
+  return JSON.parse(fs.readFileSync(filePath, 'utf8'));
+}
+
+function createApp(overrides = {}) {
+  const testApp = express();
+  testApp.use(express.json());
+  registerPluginRoutes(testApp, {
+    resolveOptionalProjectDirectory: async () => ({ directory: projectDir, error: null }),
+    refreshOpenCodeAfterConfigChange,
+    clientReloadDelayMs: 25,
+    listPluginEntries: plugins.listPluginEntries,
+    getPluginEntry: plugins.getPluginEntry,
+    createPluginEntry: plugins.createPluginEntry,
+    updatePluginEntry: plugins.updatePluginEntry,
+    deletePluginEntry: plugins.deletePluginEntry,
+    listPluginDirFiles: plugins.listPluginDirFiles,
+    readPluginDirFile: plugins.readPluginDirFile,
+    writePluginDirFile: plugins.writePluginDirFile,
+    deletePluginDirFile: plugins.deletePluginDirFile,
+    encodePluginId: plugins.encodePluginId,
+    decodePluginId: plugins.decodePluginId,
+    ...overrides,
+  });
+  return testApp;
+}
+
+function createRegistryApp(getNpmInfo) {
+  app = createApp({ getNpmInfo });
+  return app;
+}
+
+async function createEntry(spec = 'a') {
+  return request(app)
+    .post('/api/config/plugins/entry')
+    .send({ spec, scope: 'user' })
+    .expect(200);
+}
+
+async function createFile(fileName = 'test.js', content = '//x') {
+  return request(app)
+    .post('/api/config/plugins/file')
+    .send({ fileName, content, scope: 'user' })
+    .expect(200);
+}
+
+describe('opencode plugin routes', () => {
+  beforeAll(async () => {
+    rootDir = fs.mkdtempSync(path.join(os.tmpdir(), 'openchamber-plugin-routes-'));
+    userConfigPath = path.join(rootDir, 'user-opencode.json');
+    process.env.OPENCODE_CONFIG = userConfigPath;
+    plugins = await import('./plugins.js');
+  });
+
+  beforeEach(() => {
+    projectDir = fs.mkdtempSync(path.join(rootDir, 'project-'));
+    fs.rmSync(userConfigPath, { force: true });
+    fs.rmSync(path.join(rootDir, 'plugins'), { recursive: true, force: true });
+    refreshOpenCodeAfterConfigChange = mock(async () => undefined);
+    cleanupPaths = [];
+    app = createApp();
+  });
+
+  afterEach(() => {
+    for (const target of cleanupPaths) {
+      try {
+        fs.chmodSync(target, 0o600);
+      } catch {
+      }
+    }
+  });
+
+  afterAll(() => {
+    fs.rmSync(rootDir, { recursive: true, force: true });
+    delete process.env.OPENCODE_CONFIG;
+  });
+
+  test('GET /api/config/plugins empty returns entries and files arrays', async () => {
+    const response = await request(app).get('/api/config/plugins').expect(200);
+
+    expect(response.body).toEqual({ entries: [], files: [] });
+  });
+
+  test('GET /registry with empty specs returns empty results', async () => {
+    const getNpmInfo = mock(async () => ({ ok: true, latest: '1.0.0', versions: ['1.0.0'], distTags: { latest: '1.0.0' } }));
+    createRegistryApp(getNpmInfo);
+
+    const response = await request(app).get('/api/config/plugins/registry?specs=').expect(200);
+
+    expect(response.body).toEqual({ results: [] });
+    expect(getNpmInfo).not.toHaveBeenCalled();
+  });
+
+  test('GET /registry reports update for exact npm version behind latest', async () => {
+    createRegistryApp(mock(async () => ({ ok: true, latest: '2.0.0', versions: ['1.0.0', '2.0.0'], distTags: { latest: '2.0.0' } })));
+
+    const response = await request(app).get('/api/config/plugins/registry?specs=foo@1.0.0').expect(200);
+
+    expect(response.body.results[0]).toMatchObject({
+      kind: 'npm-ok',
+      spec: 'foo@1.0.0',
+      name: 'foo',
+      currentVersion: '1.0.0',
+      latestVersion: '2.0.0',
+      hasUpdate: true,
+    });
+  });
+
+  test('GET /registry reports no update when exact npm version matches latest', async () => {
+    createRegistryApp(mock(async () => ({ ok: true, latest: '1.0.0', versions: ['1.0.0'], distTags: { latest: '1.0.0' } })));
+
+    const response = await request(app).get('/api/config/plugins/registry?specs=foo@1.0.0').expect(200);
+
+    expect(response.body.results[0]).toMatchObject({ kind: 'npm-ok', hasUpdate: false, latestVersion: '1.0.0', currentVersion: '1.0.0' });
+  });
+
+  test('GET /registry reports missing exact npm version', async () => {
+    createRegistryApp(mock(async () => ({ ok: true, latest: '2.0.0', versions: ['1.0.0', '2.0.0'], distTags: { latest: '2.0.0' } })));
+
+    const response = await request(app).get('/api/config/plugins/registry?specs=foo@99.99.99').expect(200);
+
+    expect(response.body.results[0]).toMatchObject({ kind: 'npm-missing-version', name: 'foo', currentVersion: '99.99.99', latestVersion: '2.0.0' });
+  });
+
+  test('GET /registry reports missing npm package', async () => {
+    createRegistryApp(mock(async () => ({ ok: false, status: 404, error: 'Package not found' })));
+
+    const response = await request(app).get('/api/config/plugins/registry?specs=nonexistent@1.0.0').expect(200);
+
+    expect(response.body.results[0]).toMatchObject({ kind: 'npm-missing-package', spec: 'nonexistent@1.0.0', name: 'nonexistent', error: 'Package not found' });
+  });
+
+  test('GET /registry reports malformed npm spec', async () => {
+    const getNpmInfo = mock(async () => ({ ok: true, latest: '1.0.0', versions: ['1.0.0'], distTags: { latest: '1.0.0' } }));
+    createRegistryApp(getNpmInfo);
+
+    const response = await request(app).get('/api/config/plugins/registry?specs=%40%40malformed').expect(200);
+
+    expect(response.body.results[0]).toEqual({ kind: 'npm-malformed', spec: '@@malformed', error: 'Spec syntax is malformed' });
+    expect(getNpmInfo).not.toHaveBeenCalled();
+  });
+
+  test('GET /registry reports existing path plugin ok', async () => {
+    createRegistryApp(mock(async () => ({ ok: true, latest: '1.0.0', versions: ['1.0.0'], distTags: { latest: '1.0.0' } })));
+    const tmpFile = path.join(fs.mkdtempSync(path.join(rootDir, 'plugin-path-')), 'plugin.js');
+    fs.writeFileSync(tmpFile, '// plugin', 'utf8');
+
+    const response = await request(app).get(`/api/config/plugins/registry?specs=${encodeURIComponent(tmpFile)}`).expect(200);
+
+    expect(response.body.results[0]).toEqual({ kind: 'path-ok', spec: tmpFile, absolutePath: tmpFile });
+  });
+
+  test('GET /registry reports missing path plugin', async () => {
+    createRegistryApp(mock(async () => ({ ok: true, latest: '1.0.0', versions: ['1.0.0'], distTags: { latest: '1.0.0' } })));
+
+    const response = await request(app).get('/api/config/plugins/registry?specs=%2Fnonexistent%2F__path%2Fxyz.js').expect(200);
+
+    expect(response.body.results[0]).toEqual({ kind: 'path-missing', spec: '/nonexistent/__path/xyz.js', absolutePath: '/nonexistent/__path/xyz.js' });
+  });
+
+  test('GET /registry treats Windows absolute paths as local paths', async () => {
+    const getNpmInfo = mock(async () => ({ ok: true, latest: '1.0.0', versions: ['1.0.0'], distTags: { latest: '1.0.0' } }));
+    createRegistryApp(getNpmInfo);
+
+    const windowsPath = 'C:\\Users\\me\\plugin.js';
+    const response = await request(app)
+      .get(`/api/config/plugins/registry?specs=${encodeURIComponent(windowsPath)}`)
+      .expect(200);
+
+    expect(response.body.results[0]).toEqual({ kind: 'path-missing', spec: windowsPath, absolutePath: windowsPath });
+    expect(getNpmInfo).not.toHaveBeenCalled();
+  });
+
+  testUnlessRoot('GET /registry reports unreadable path plugin', async () => {
+    createRegistryApp(mock(async () => ({ ok: true, latest: '1.0.0', versions: ['1.0.0'], distTags: { latest: '1.0.0' } })));
+    const tmpFile = path.join(fs.mkdtempSync(path.join(rootDir, 'plugin-unreadable-')), 'plugin.js');
+    fs.writeFileSync(tmpFile, '// plugin', 'utf8');
+    cleanupPaths.push(tmpFile);
+    fs.chmodSync(tmpFile, 0);
+
+    const response = await request(app).get(`/api/config/plugins/registry?specs=${encodeURIComponent(tmpFile)}`).expect(200);
+
+    expect(response.body.results[0]).toEqual({ kind: 'path-unreadable', spec: tmpFile, absolutePath: tmpFile });
+  });
+
+  test('GET /registry reports npm network failure without failing route', async () => {
+    createRegistryApp(mock(async () => ({ ok: false, status: 'network', error: 'socket closed' })));
+
+    const response = await request(app).get('/api/config/plugins/registry?specs=foo@1.0.0').expect(200);
+
+    expect(response.body.results[0]).toMatchObject({ kind: 'npm-network', spec: 'foo@1.0.0', error: 'socket closed' });
+  });
+
+  test('GET /registry deduplicates npm package lookups by name', async () => {
+    const getNpmInfo = mock(async () => ({ ok: true, latest: '3.0.0', versions: ['1', '2', '3'], distTags: { latest: '3.0.0' } }));
+    createRegistryApp(getNpmInfo);
+
+    await request(app).get('/api/config/plugins/registry?specs=foo@1,foo@2,foo@3').expect(200);
+
+    expect(getNpmInfo).toHaveBeenCalledTimes(1);
+    expect(getNpmInfo).toHaveBeenCalledWith('foo', { forceRefresh: false });
+  });
+
+  test('GET /registry forwards refresh true to npm lookup', async () => {
+    const getNpmInfo = mock(async () => ({ ok: true, latest: '1.0.0', versions: ['1.0.0'], distTags: { latest: '1.0.0' } }));
+    createRegistryApp(getNpmInfo);
+
+    await request(app).get('/api/config/plugins/registry?specs=foo&refresh=true').expect(200);
+
+    expect(getNpmInfo).toHaveBeenCalledWith('foo', { forceRefresh: true });
+  });
+
+  test('GET /registry rejects more than 100 unique specs', async () => {
+    const specs = Array.from({ length: 101 }, (_, index) => `pkg-${index}`).join(',');
+
+    const response = await request(app).get(`/api/config/plugins/registry?specs=${specs}`).expect(400);
+
+    expect(response.body).toEqual({ error: 'too many specs' });
+  });
+
+  test('GET /registry reports bare npm name with null current version', async () => {
+    createRegistryApp(mock(async () => ({ ok: true, latest: '2.0.0', versions: ['1.0.0', '2.0.0'], distTags: { latest: '2.0.0' } })));
+
+    const response = await request(app).get('/api/config/plugins/registry?specs=foo').expect(200);
+
+    expect(response.body.results[0]).toMatchObject({ kind: 'npm-ok', spec: 'foo', name: 'foo', currentVersion: null, hasUpdate: false });
+  });
+
+  test('GET /registry accepts non-exact npm range without missing-version noise', async () => {
+    createRegistryApp(mock(async () => ({ ok: true, latest: '2.0.0', versions: ['1.0.0', '2.0.0'], distTags: { latest: '2.0.0' } })));
+
+    const response = await request(app).get('/api/config/plugins/registry?specs=foo@%5E1.0').expect(200);
+
+    expect(response.body.results[0]).toMatchObject({ kind: 'npm-ok', spec: 'foo@^1.0', name: 'foo', currentVersion: '^1.0', hasUpdate: false });
+  });
+
+  test('GET /registry supports scoped npm package specs', async () => {
+    const getNpmInfo = mock(async () => ({ ok: true, latest: '1.0.0', versions: ['1.0.0'], distTags: { latest: '1.0.0' } }));
+    createRegistryApp(getNpmInfo);
+
+    const response = await request(app).get('/api/config/plugins/registry?specs=%40scope%2Ffoo%401.0.0').expect(200);
+
+    expect(getNpmInfo).toHaveBeenCalledWith('@scope/foo', { forceRefresh: false });
+    expect(response.body.results[0]).toMatchObject({ kind: 'npm-ok', spec: '@scope/foo@1.0.0', name: '@scope/foo' });
+  });
+
+  test('POST /entry creates entry and requires reload', async () => {
+    const response = await createEntry('a');
+
+    expect(response.body).toMatchObject({ success: true, requiresReload: true, reloadDelayMs: 25 });
+    expect(refreshOpenCodeAfterConfigChange).toHaveBeenCalledWith('plugin entry creation');
+  });
+
+  test('GET after POST returns created entry', async () => {
+    await createEntry('a');
+
+    const response = await request(app).get('/api/config/plugins').expect(200);
+
+    expect(response.body.entries).toEqual([expect.objectContaining({ spec: 'a', scope: 'user' })]);
+  });
+
+  test('POST duplicate entry returns 409', async () => {
+    await createEntry('a');
+
+    const response = await request(app)
+      .post('/api/config/plugins/entry')
+      .send({ spec: 'a', scope: 'user' })
+      .expect(409);
+
+    expect(response.body.error).toContain('already exists');
+  });
+
+  test('PATCH /entry/:id updates entry in same array index', async () => {
+    await createEntry('a');
+    const before = await request(app).get('/api/config/plugins').expect(200);
+    const id = before.body.entries[0].id;
+
+    const response = await request(app)
+      .patch(`/api/config/plugins/entry/${encodeURIComponent(id)}`)
+      .send({ spec: 'b' })
+      .expect(200);
+
+    expect(response.body.success).toBe(true);
+    const after = await request(app).get('/api/config/plugins').expect(200);
+    expect(after.body.entries[0]).toEqual(expect.objectContaining({ spec: 'b', scope: 'user' }));
+    expect(refreshOpenCodeAfterConfigChange).toHaveBeenCalledWith('plugin entry update');
+  });
+
+  test('DELETE /entry/:id removes entry and prunes plugin key', async () => {
+    await createEntry('a');
+    const listed = await request(app).get('/api/config/plugins').expect(200);
+    const id = listed.body.entries[0].id;
+
+    await request(app).delete(`/api/config/plugins/entry/${encodeURIComponent(id)}`).expect(200);
+
+    const after = await request(app).get('/api/config/plugins').expect(200);
+    expect(after.body.entries).toEqual([]);
+    expect(readJson(userConfigPath).plugin).toBeUndefined();
+    expect(refreshOpenCodeAfterConfigChange).toHaveBeenCalledWith('plugin entry deletion');
+  });
+
+  test('POST /file writes plugin dir file', async () => {
+    const response = await createFile('test.js', '//x');
+
+    expect(response.body).toMatchObject({ success: true, requiresReload: true });
+    expect(fs.readFileSync(path.join(rootDir, 'plugins', 'test.js'), 'utf8')).toBe('//x');
+    expect(refreshOpenCodeAfterConfigChange).toHaveBeenCalledWith('plugin file creation');
+  });
+
+  test('POST duplicate file returns 409', async () => {
+    await createFile('test.js', '//x');
+
+    const response = await request(app)
+      .post('/api/config/plugins/file')
+      .send({ fileName: 'test.js', content: '//again', scope: 'user' })
+      .expect(409);
+
+    expect(response.body.error).toContain('already exists');
+  });
+
+  test('PUT /file/:id updates file content', async () => {
+    await createFile('test.js', '//x');
+    const listed = await request(app).get('/api/config/plugins').expect(200);
+    const id = listed.body.files[0].id;
+
+    await request(app)
+      .put(`/api/config/plugins/file/${encodeURIComponent(id)}`)
+      .send({ content: '//y' })
+      .expect(200);
+
+    expect(fs.readFileSync(path.join(rootDir, 'plugins', 'test.js'), 'utf8')).toBe('//y');
+    expect(refreshOpenCodeAfterConfigChange).toHaveBeenCalledWith('plugin file update');
+  });
+
+  test('DELETE /file/:id unlinks file', async () => {
+    await createFile('test.js', '//x');
+    const listed = await request(app).get('/api/config/plugins').expect(200);
+    const id = listed.body.files[0].id;
+
+    await request(app).delete(`/api/config/plugins/file/${encodeURIComponent(id)}`).expect(200);
+
+    expect(fs.existsSync(path.join(rootDir, 'plugins', 'test.js'))).toBe(false);
+    expect(refreshOpenCodeAfterConfigChange).toHaveBeenCalledWith('plugin file deletion');
+  });
+
+  test('PATCH unknown entry id returns 404', async () => {
+    const id = plugins.encodePluginId('config', 'user:missing');
+
+    const response = await request(app)
+      .patch(`/api/config/plugins/entry/${encodeURIComponent(id)}`)
+      .send({ spec: 'b' })
+      .expect(404);
+
+    expect(response.body.error).toContain('not found');
+  });
+
+  test('POST invalid fileName returns 400', async () => {
+    const response = await request(app)
+      .post('/api/config/plugins/file')
+      .send({ fileName: '../escape.js', content: '//x', scope: 'user' })
+      .expect(400);
+
+    expect(response.body.error).toContain('Plugin file name');
+  });
+});

package/server/lib/opencode/plugin-spec.js

@@ -0,0 +1,107 @@
+import path from 'path';
+
+/**
+ * @typedef {Object} ParsedNpmSpec
+ * @property {string} name
+ * @property {string|null} version
+ */
+
+/**
+ * @typedef {Object} MalformedSpec
+ * @property {true} malformed
+ * @property {string} raw
+ */
+
+/**
+ * @typedef {Object} ParsedPathSpec
+ * @property {string} absolutePath
+ */
+
+/**
+ * Parse an npm package spec string into name + version.
+ * Handles scoped packages (`@scope/name[@version]`) and unscoped (`name[@version]`).
+ * Non-string inputs are coerced via `String()` and returned as malformed.
+ *
+ * @param {unknown} spec
+ * @returns {ParsedNpmSpec | MalformedSpec}
+ */
+export function parseNpmSpec(spec) {
+  if (typeof spec !== 'string') {
+    return { malformed: true, raw: String(spec) };
+  }
+
+  if (spec.startsWith('@')) {
+    // scoped: '@scope/name' or '@scope/name@version'
+    const slashIdx = spec.indexOf('/');
+    if (slashIdx < 2) return { malformed: true, raw: spec }; // '@' or '@/foo'
+    const afterSlash = spec.slice(slashIdx + 1);
+    if (afterSlash === '') return { malformed: true, raw: spec }; // '@scope/'
+    const atIdx = afterSlash.indexOf('@');
+    if (atIdx === -1) return { name: spec, version: null };
+    const namePart = spec.slice(0, slashIdx + 1 + atIdx); // '@scope/name'
+    const versionPart = afterSlash.slice(atIdx + 1);
+    if (versionPart === '') return { malformed: true, raw: spec }; // '@scope/foo@'
+    return { name: namePart, version: versionPart };
+  }
+
+  // unscoped
+  if (spec === '') return { malformed: true, raw: spec };
+  const atIdx = spec.indexOf('@');
+  if (atIdx === -1) return { name: spec, version: null };
+  if (atIdx === 0) return { malformed: true, raw: spec }; // bare '@'
+  const namePart = spec.slice(0, atIdx);
+  const versionPart = spec.slice(atIdx + 1);
+  if (versionPart === '') return { malformed: true, raw: spec }; // 'foo@'
+  return { name: namePart, version: versionPart };
+}
+
+/**
+ * Check whether a version string is an exact semver (no range operators).
+ * Accepts optional pre-release (`-label`) or build metadata (`+label`) suffixes.
+ *
+ * @param {string} version
+ * @returns {boolean}
+ */
+export function isExactSemver(version) {
+  return /^\d+\.\d+\.\d+([-+][\w.-]+)?$/.test(version);
+}
+
+/**
+ * Check whether a plugin spec is path-like instead of an npm package spec.
+ * Includes Windows absolute paths so local paths are never queried against npm.
+ *
+ * @param {string} spec
+ * @returns {boolean}
+ */
+export function isPathSpec(spec) {
+  return spec.startsWith('/')
+    || spec.startsWith('./')
+    || spec.startsWith('../')
+    || spec.startsWith('~')
+    || path.win32.isAbsolute(spec);
+}
+
+/**
+ * Resolve a path-style plugin spec to an absolute path.
+ * Supports `~` (home), `./`, `../` (relative to cwd), and absolute paths.
+ * Pure — no filesystem access; uses only `path.resolve`.
+ *
+ * @param {string} spec
+ * @param {{ homedir: string, cwd: string }} options
+ * @returns {ParsedPathSpec}
+ */
+export function parsePathSpec(spec, { homedir, cwd }) {
+  if (spec === '~') {
+    return { absolutePath: path.resolve(homedir) };
+  }
+  if (spec.startsWith('~/')) {
+    return { absolutePath: path.resolve(homedir, spec.slice(2)) };
+  }
+  if (spec.startsWith('./') || spec.startsWith('../')) {
+    return { absolutePath: path.resolve(cwd, spec) };
+  }
+  if (path.win32.isAbsolute(spec)) {
+    return { absolutePath: spec };
+  }
+  return { absolutePath: path.resolve(spec) };
+}

package/server/lib/opencode/plugin-spec.test.js

@@ -0,0 +1,154 @@
+import { describe, expect, test } from 'bun:test';
+import * as spec from './plugin-spec.js';
+
+describe('parseNpmSpec', () => {
+  test('unscoped: no version', () => {
+    expect(spec.parseNpmSpec('foo')).toEqual({ name: 'foo', version: null });
+  });
+
+  test('unscoped: exact version', () => {
+    expect(spec.parseNpmSpec('foo@1.2.3')).toEqual({ name: 'foo', version: '1.2.3' });
+  });
+
+  test('unscoped: range version', () => {
+    expect(spec.parseNpmSpec('foo@^1.2.0')).toEqual({ name: 'foo', version: '^1.2.0' });
+  });
+
+  test('unscoped: dist-tag', () => {
+    expect(spec.parseNpmSpec('foo@latest')).toEqual({ name: 'foo', version: 'latest' });
+  });
+
+  test('scoped: no version', () => {
+    expect(spec.parseNpmSpec('@scope/foo')).toEqual({ name: '@scope/foo', version: null });
+  });
+
+  test('scoped: exact version', () => {
+    expect(spec.parseNpmSpec('@scope/foo@1.2.3')).toEqual({ name: '@scope/foo', version: '1.2.3' });
+  });
+
+  test('scoped: dist-tag', () => {
+    expect(spec.parseNpmSpec('@scope/foo@beta')).toEqual({ name: '@scope/foo', version: 'beta' });
+  });
+
+  test('malformed: empty string', () => {
+    expect(spec.parseNpmSpec('')).toEqual({ malformed: true, raw: '' });
+  });
+
+  test('malformed: bare @', () => {
+    expect(spec.parseNpmSpec('@')).toEqual({ malformed: true, raw: '@' });
+  });
+
+  test('malformed: @@', () => {
+    expect(spec.parseNpmSpec('@@')).toEqual({ malformed: true, raw: '@@' });
+  });
+
+  test('malformed: empty version after @', () => {
+    expect(spec.parseNpmSpec('foo@')).toEqual({ malformed: true, raw: 'foo@' });
+  });
+
+  test('malformed: scoped empty name after slash', () => {
+    expect(spec.parseNpmSpec('@scope/')).toEqual({ malformed: true, raw: '@scope/' });
+  });
+
+  test('malformed: scoped empty version', () => {
+    expect(spec.parseNpmSpec('@scope/foo@')).toEqual({ malformed: true, raw: '@scope/foo@' });
+  });
+
+  test('malformed: null input', () => {
+    expect(spec.parseNpmSpec(null)).toEqual({ malformed: true, raw: 'null' });
+  });
+
+  test('malformed: undefined input', () => {
+    expect(spec.parseNpmSpec(undefined)).toEqual({ malformed: true, raw: 'undefined' });
+  });
+
+  test('malformed: number input', () => {
+    expect(spec.parseNpmSpec(42)).toEqual({ malformed: true, raw: '42' });
+  });
+
+  test('malformed: array input', () => {
+    expect(spec.parseNpmSpec(['foo'])).toEqual({ malformed: true, raw: 'foo' });
+  });
+
+  test('malformed: object input', () => {
+    expect(spec.parseNpmSpec({})).toEqual({ malformed: true, raw: '[object Object]' });
+  });
+});
+
+describe('isExactSemver', () => {
+  test('plain semver', () => {
+    expect(spec.isExactSemver('1.2.3')).toBe(true);
+  });
+
+  test('semver with pre-release', () => {
+    expect(spec.isExactSemver('1.2.3-beta.1')).toBe(true);
+  });
+
+  test('semver with build metadata', () => {
+    expect(spec.isExactSemver('1.2.3+build.5')).toBe(true);
+  });
+
+  test('range: caret', () => {
+    expect(spec.isExactSemver('^1.2.0')).toBe(false);
+  });
+
+  test('dist-tag', () => {
+    expect(spec.isExactSemver('latest')).toBe(false);
+  });
+
+  test('empty string', () => {
+    expect(spec.isExactSemver('')).toBe(false);
+  });
+
+  test('partial: major.minor only', () => {
+    expect(spec.isExactSemver('1.2')).toBe(false);
+  });
+
+  test('partial: major only', () => {
+    expect(spec.isExactSemver('1')).toBe(false);
+  });
+});
+
+describe('parsePathSpec', () => {
+  test('identifies Windows absolute paths as path specs', () => {
+    expect(spec.isPathSpec('C:\\Users\\me\\plugin.js')).toBe(true);
+    expect(spec.isPathSpec('\\\\server\\share\\plugin.js')).toBe(true);
+    expect(spec.isPathSpec('@scope/plugin')).toBe(false);
+  });
+
+  test('tilde home shorthand with subpath', () => {
+    expect(spec.parsePathSpec('~/x.js', { homedir: '/home/u', cwd: '/p' })).toEqual({
+      absolutePath: '/home/u/x.js',
+    });
+  });
+
+  test('bare tilde = homedir', () => {
+    expect(spec.parsePathSpec('~', { homedir: '/home/u', cwd: '/p' })).toEqual({
+      absolutePath: '/home/u',
+    });
+  });
+
+  test('relative ./', () => {
+    expect(spec.parsePathSpec('./x.js', { homedir: '/home/u', cwd: '/p' })).toEqual({
+      absolutePath: '/p/x.js',
+    });
+  });
+
+  test('relative ../', () => {
+    expect(spec.parsePathSpec('../x.js', { homedir: '/home/u', cwd: '/p/a' })).toEqual({
+      absolutePath: '/p/x.js',
+    });
+  });
+
+  test('absolute path passthrough', () => {
+    expect(spec.parsePathSpec('/abs/x.js', { homedir: '/home/u', cwd: '/p' })).toEqual({
+      absolutePath: '/abs/x.js',
+    });
+  });
+
+  test('Windows absolute path passthrough', () => {
+    expect(spec.parsePathSpec('C:\\Users\\me\\plugin.js', { homedir: '/home/u', cwd: '/p' })).toEqual({
+      absolutePath: 'C:\\Users\\me\\plugin.js',
+    });
+  });
+});