@semalt-ai/code 1.8.5 → 1.19.0

package/test/cost-doctor.test.js

@@ -0,0 +1,142 @@
+'use strict';
+
+// Tests for the cost calculation (Task 2.6) and the /doctor check aggregation.
+// Both are pure; runDoctor is exercised with mocked deps.
+
+const { test } = require('node:test');
+const assert = require('node:assert');
+
+const { priceForModel, computeCost, formatCost } = require('../lib/pricing');
+const { aggregateChecks, formatDoctorReport, runDoctor } = require('../lib/doctor');
+
+// ---------------------------------------------------------------------------
+// Pricing
+// ---------------------------------------------------------------------------
+
+test('priceForModel resolves built-in models, prefers the most specific key', () => {
+  assert.deepStrictEqual(priceForModel('gpt-4o'), { input: 2.5, output: 10 });
+  // substring + longest-key-wins: a name containing gpt-4o-mini must not match gpt-4o
+  assert.deepStrictEqual(priceForModel('openai/gpt-4o-mini'), { input: 0.15, output: 0.6 });
+});
+
+test('priceForModel returns null for an unknown model', () => {
+  assert.strictEqual(priceForModel('local-llama-3'), null);
+  assert.strictEqual(priceForModel(''), null);
+  assert.strictEqual(priceForModel(undefined), null);
+});
+
+test('priceForModel honors config overrides', () => {
+  const price = priceForModel('my-custom-model', { 'my-custom-model': { input: 1, output: 2 } });
+  assert.deepStrictEqual(price, { input: 1, output: 2 });
+});
+
+test('computeCost multiplies usage by the per-Mtok price', () => {
+  const price = { input: 2.5, output: 10 };
+  assert.strictEqual(computeCost({ prompt_tokens: 1_000_000, completion_tokens: 1_000_000 }, price), 12.5);
+  assert.strictEqual(computeCost({ prompt_tokens: 1000, completion_tokens: 500 }, price), 0.0075);
+});
+
+test('computeCost returns null (unknown) when the price is unknown — never a fake 0', () => {
+  assert.strictEqual(computeCost({ prompt_tokens: 1000, completion_tokens: 1000 }, null), null);
+});
+
+test('formatCost renders unknown vs amounts', () => {
+  assert.strictEqual(formatCost(null), 'unknown');
+  assert.strictEqual(formatCost(undefined), 'unknown');
+  assert.strictEqual(formatCost(0), '$0.00');
+  assert.strictEqual(formatCost(12.5), '$12.5000');
+  assert.strictEqual(formatCost(0.0075), '$0.007500');
+});
+
+// ---------------------------------------------------------------------------
+// Doctor aggregation
+// ---------------------------------------------------------------------------
+
+test('aggregateChecks: overall is fail if any fail', () => {
+  const r = aggregateChecks([
+    { name: 'a', status: 'pass', detail: '' },
+    { name: 'b', status: 'warn', detail: '' },
+    { name: 'c', status: 'fail', detail: '' },
+  ]);
+  assert.strictEqual(r.overall, 'fail');
+  assert.deepStrictEqual(r.counts, { pass: 1, warn: 1, fail: 1 });
+});
+
+test('aggregateChecks: overall is warn if any warn but no fail', () => {
+  const r = aggregateChecks([
+    { name: 'a', status: 'pass', detail: '' },
+    { name: 'b', status: 'warn', detail: '' },
+  ]);
+  assert.strictEqual(r.overall, 'warn');
+});
+
+test('aggregateChecks: overall is pass when all pass', () => {
+  const r = aggregateChecks([{ name: 'a', status: 'pass', detail: '' }]);
+  assert.strictEqual(r.overall, 'pass');
+  assert.strictEqual(r.counts.pass, 1);
+});
+
+test('formatDoctorReport renders an icon per check and an overall line', () => {
+  const out = formatDoctorReport(aggregateChecks([
+    { name: 'config', status: 'pass', detail: 'ok' },
+    { name: 'dashboard', status: 'fail', detail: 'unreachable' },
+  ]));
+  assert.ok(out.includes('✓ config: ok'));
+  assert.ok(out.includes('✗ dashboard: unreachable'));
+  assert.ok(/Overall: FAIL/.test(out));
+});
+
+// ---------------------------------------------------------------------------
+// runDoctor with mocked deps
+// ---------------------------------------------------------------------------
+
+test('runDoctor builds the expected checks and overall verdict', async () => {
+  const result = await runDoctor({
+    config: { default_model: 'gpt-4o', context_length: 128000, dashboard_url: 'http://dash' },
+    layers: { userPresent: true, projectPath: '/repo/.semalt/config.json', envKeys: ['api_base'], flagKeys: [] },
+    apiKeySource: 'keychain',
+    memoryFiles: [{ path: '/repo/AGENTS.md' }],
+    auditWritable: () => true,
+    pingDashboard: async () => true,
+  });
+  assert.strictEqual(result.overall, 'pass');
+  const byName = Object.fromEntries(result.checks.map((c) => [c.name, c]));
+  assert.strictEqual(byName.config.status, 'pass');
+  assert.ok(/project\(\/repo/.test(byName.config.detail));
+  assert.strictEqual(byName['api key'].status, 'pass');
+  assert.strictEqual(byName.model.status, 'pass');
+  assert.strictEqual(byName.dashboard.status, 'pass');
+  assert.strictEqual(byName['audit log'].status, 'pass');
+  assert.strictEqual(byName.memory.status, 'pass');
+});
+
+test('runDoctor flags an unreachable dashboard and unwritable audit log as fail', async () => {
+  const result = await runDoctor({
+    config: { default_model: 'gpt-4o', context_length: 128000, dashboard_url: 'http://dash' },
+    layers: { userPresent: true },
+    apiKeySource: 'config',
+    memoryFiles: [],
+    auditWritable: () => false,
+    pingDashboard: async () => false,
+  });
+  assert.strictEqual(result.overall, 'fail');
+  const byName = Object.fromEntries(result.checks.map((c) => [c.name, c]));
+  assert.strictEqual(byName.dashboard.status, 'fail');
+  assert.strictEqual(byName['audit log'].status, 'fail');
+});
+
+test('runDoctor warns when not logged in (dashboard skipped) and no model selected', async () => {
+  const result = await runDoctor({
+    config: { default_model: '', dashboard_url: 'http://dash' },
+    layers: { userPresent: false },
+    apiKeySource: 'none',
+    memoryFiles: [],
+    auditWritable: () => true,
+    pingDashboard: async () => null,
+  });
+  assert.strictEqual(result.overall, 'warn');
+  const byName = Object.fromEntries(result.checks.map((c) => [c.name, c]));
+  assert.strictEqual(byName.dashboard.status, 'warn');
+  assert.strictEqual(byName.model.status, 'warn');
+  assert.strictEqual(byName['api key'].status, 'warn');
+});

package/test/custom-commands-chat.test.js

@@ -0,0 +1,106 @@
+'use strict';
+
+// End-to-end (via the chat harness): a Markdown-defined custom command, once
+// discovered at chat startup, renders its template and submits the result to the
+// agent as a user prompt. The harness redirects $HOME to a temp dir before any
+// lib module loads, so we stage command files under that temp global dir.
+
+const { test } = require('node:test');
+const assert = require('node:assert');
+const fs = require('node:fs');
+const path = require('node:path');
+
+// Requiring the harness fixes process.env.HOME to its temp dir; read it after.
+const { startChat } = require('./harness/chat-harness');
+const { clearCustomCommands } = require('../lib/commands/registry');
+
+const GLOBAL_CMD_DIR = path.join(process.env.HOME, '.semalt-ai', 'commands');
+
+function stage(name, content) {
+  fs.mkdirSync(GLOBAL_CMD_DIR, { recursive: true });
+  fs.writeFileSync(path.join(GLOBAL_CMD_DIR, name), content);
+}
+function clearStaged() {
+  try { fs.rmSync(GLOBAL_CMD_DIR, { recursive: true, force: true }); } catch {}
+  clearCustomCommands();
+}
+
+test('custom command is discovered at startup and announced', async () => {
+  clearStaged();
+  stage('review.md', '---\ndescription: Review code\n---\nReview $ARGUMENTS');
+  const c = await startChat({ config: { auth_token: 'tok' } });
+  try {
+    assert.ok(c.chatHistory.find(/Loaded 1 custom command\(s\): \/review/), 'startup announces the custom command');
+  } finally {
+    await c.submit('exit'); await c.done; c.cleanup(); clearStaged();
+  }
+});
+
+test('invoking a custom command submits its rendered template to the agent', async () => {
+  clearStaged();
+  stage('review.md', 'Please review $ARGUMENTS for correctness.');
+  const c = await startChat({ config: { auth_token: 'tok' } });
+  try {
+    await c.submit('/review src/app.js');
+    assert.strictEqual(c.calls.runAgentLoop.length, 1, 'agent invoked once');
+    const turn = c.calls.runAgentLoop[0];
+    const userMsgs = turn.messages.filter((m) => m.role === 'user').map((m) => m.content);
+    assert.deepStrictEqual(
+      userMsgs,
+      ['Please review src/app.js for correctness.'],
+      'the rendered template (not the raw /review ...) reaches the agent',
+    );
+    // And it is shown in the chat history as a user message.
+    assert.ok(
+      c.chatHistory.messages.some((m) => m.role === 'user' && m.content === 'Please review src/app.js for correctness.'),
+      'rendered prompt shown in history',
+    );
+  } finally {
+    await c.submit('exit'); await c.done; c.cleanup(); clearStaged();
+  }
+});
+
+test('custom command with positional args renders $1/$2', async () => {
+  clearStaged();
+  stage('greet.md', 'Say $1 to $2');
+  const c = await startChat({ config: { auth_token: 'tok' } });
+  try {
+    await c.submit('/greet hello world');
+    const turn = c.calls.runAgentLoop[0];
+    const userMsgs = turn.messages.filter((m) => m.role === 'user').map((m) => m.content);
+    assert.deepStrictEqual(userMsgs, ['Say hello to world']);
+  } finally {
+    await c.submit('exit'); await c.done; c.cleanup(); clearStaged();
+  }
+});
+
+test('a built-in is never overridden by a same-named custom command', async () => {
+  clearStaged();
+  stage('clear.md', 'this should never run as a prompt');
+  const c = await startChat({ config: { auth_token: 'tok' } });
+  try {
+    // Startup should warn that the custom /clear was shadowed by the built-in.
+    assert.ok(c.chatHistory.find(/\/clear.*built-in/i), 'collision warning shown');
+    await c.submit('a message');
+    const before = c.calls.runAgentLoop.length;
+    await c.submit('/clear');
+    // Built-in /clear ran (reset notice), and the custom template was NOT sent to the agent.
+    assert.ok(c.chatHistory.find(/cleared/i), 'built-in /clear executed');
+    assert.strictEqual(c.calls.runAgentLoop.length, before, 'custom /clear did not invoke the agent');
+  } finally {
+    await c.submit('exit'); await c.done; c.cleanup(); clearStaged();
+  }
+});
+
+test('custom command rendered prompt is blocked when not logged in (agent path)', async () => {
+  clearStaged();
+  stage('ask.md', 'Do $ARGUMENTS');
+  const c = await startChat({ config: { auth_token: '' } });
+  try {
+    await c.submit('/ask something');
+    assert.ok(c.chatHistory.find(/Not logged in/), 'rendered prompt goes through the auth-gated agent path');
+    assert.strictEqual(c.calls.runAgentLoop.length, 0, 'agent not invoked while unauthenticated');
+  } finally {
+    await c.submit('exit'); await c.done; c.cleanup(); clearStaged();
+  }
+});

package/test/custom-commands.test.js

@@ -0,0 +1,230 @@
+'use strict';
+
+// Tests for Markdown-defined custom slash commands (Task 3.1). Covers discovery
+// under temp $HOME/$cwd, frontmatter parsing, $ARGUMENTS / positional rendering,
+// project-over-global precedence, repo-root-bounded upward discovery, and the
+// registry registration (built-in collision handling + completion/help/resolve
+// surfaces). Filesystem state is isolated to per-test temp directories.
+
+const { test } = require('node:test');
+const assert = require('node:assert');
+const fs = require('node:fs');
+const os = require('node:os');
+const path = require('node:path');
+
+const {
+  parseFrontmatter,
+  parseAliasList,
+  renderTemplate,
+  discoverCustomCommands,
+  findProjectCommandsDir,
+} = require('../lib/commands/custom');
+const {
+  registerCustomCommands,
+  clearCustomCommands,
+  resolveCommand,
+  completionNames,
+  helpText,
+  commandNames,
+} = require('../lib/commands/registry');
+
+function tmp(prefix) {
+  return fs.mkdtempSync(path.join(os.tmpdir(), prefix));
+}
+function writeCmd(dir, name, content) {
+  fs.mkdirSync(dir, { recursive: true });
+  fs.writeFileSync(path.join(dir, name), content);
+}
+function rmrf(p) { try { fs.rmSync(p, { recursive: true, force: true }); } catch {} }
+
+// ---------------------------------------------------------------------------
+// Frontmatter parsing
+// ---------------------------------------------------------------------------
+
+test('parseFrontmatter: no frontmatter → whole text is the body', () => {
+  const { meta, body } = parseFrontmatter('Just a prompt $ARGUMENTS');
+  assert.strictEqual(body, 'Just a prompt $ARGUMENTS');
+  assert.strictEqual(meta.description, '');
+  assert.strictEqual(meta.argumentHint, '');
+  assert.deepStrictEqual(meta.aliases, []);
+});
+
+test('parseFrontmatter: description, argument-hint, aliases parsed; body follows', () => {
+  const src = [
+    '---',
+    'description: Review a file for bugs',
+    'argument-hint: <path>',
+    'aliases: [rev, cr]',
+    '---',
+    'Review the file at $1 carefully.',
+  ].join('\n');
+  const { meta, body } = parseFrontmatter(src);
+  assert.strictEqual(meta.description, 'Review a file for bugs');
+  assert.strictEqual(meta.argumentHint, '<path>');
+  assert.deepStrictEqual(meta.aliases, ['rev', 'cr']);
+  assert.strictEqual(body, 'Review the file at $1 carefully.');
+});
+
+test('parseFrontmatter: comma-separated aliases and quoted values', () => {
+  const src = '---\ndescription: "quoted desc"\naliases: rev, cr\n---\nbody';
+  const { meta } = parseFrontmatter(src);
+  assert.strictEqual(meta.description, 'quoted desc');
+  assert.deepStrictEqual(meta.aliases, ['rev', 'cr']);
+});
+
+test('parseFrontmatter: unknown keys ignored, CRLF tolerated', () => {
+  const src = '---\r\ndescription: d\r\nmodel: gpt-4o\r\n---\r\nthe body\r\nline2';
+  const { meta, body } = parseFrontmatter(src);
+  assert.strictEqual(meta.description, 'd');
+  assert.strictEqual(body, 'the body\nline2');
+});
+
+test('parseAliasList: flow list and comma forms', () => {
+  assert.deepStrictEqual(parseAliasList('[a, b, c]'), ['a', 'b', 'c']);
+  assert.deepStrictEqual(parseAliasList('a, b'), ['a', 'b']);
+  assert.deepStrictEqual(parseAliasList(''), []);
+});
+
+// ---------------------------------------------------------------------------
+// Template rendering
+// ---------------------------------------------------------------------------
+
+test('renderTemplate: $ARGUMENTS substitutes the full argument string', () => {
+  assert.strictEqual(renderTemplate('Fix: $ARGUMENTS', 'the login bug'), 'Fix: the login bug');
+  assert.strictEqual(renderTemplate('Fix: $ARGUMENTS', ''), 'Fix: ');
+});
+
+test('renderTemplate: positional $1/$2 substitution', () => {
+  assert.strictEqual(renderTemplate('$1 then $2', 'alpha beta'), 'alpha then beta');
+});
+
+test('renderTemplate: missing positionals render empty', () => {
+  assert.strictEqual(renderTemplate('[$1][$2][$3]', 'only'), '[only][][]');
+});
+
+test('renderTemplate: $ARGUMENTS injected text is not re-expanded as positionals', () => {
+  // args contain a literal "$1" — single-pass rendering must leave it intact.
+  assert.strictEqual(renderTemplate('X: $ARGUMENTS', 'a $1 b'), 'X: a $1 b');
+});
+
+test('renderTemplate: both $ARGUMENTS and positionals in one template', () => {
+  assert.strictEqual(renderTemplate('all=[$ARGUMENTS] first=$1', 'a b c'), 'all=[a b c] first=a');
+});
+
+// ---------------------------------------------------------------------------
+// Discovery (global / project / precedence / repo-root bound)
+// ---------------------------------------------------------------------------
+
+test('discoverCustomCommands: global commands from ~/.semalt-ai/commands', () => {
+  const home = tmp('semalt-home-');
+  try {
+    writeCmd(path.join(home, '.semalt-ai', 'commands'), 'review.md', 'Review $ARGUMENTS');
+    const cmds = discoverCustomCommands({ home, cwd: home });
+    assert.strictEqual(cmds.length, 1);
+    assert.strictEqual(cmds[0].name, '/review');
+    assert.strictEqual(cmds[0].source, 'global');
+    assert.strictEqual(cmds[0].template, 'Review $ARGUMENTS');
+  } finally { rmrf(home); }
+});
+
+test('discoverCustomCommands: project commands from nearest .semalt/commands', () => {
+  const home = tmp('semalt-home-');
+  const repo = tmp('semalt-repo-');
+  try {
+    fs.mkdirSync(path.join(repo, '.git'), { recursive: true });
+    const sub = path.join(repo, 'src', 'deep');
+    fs.mkdirSync(sub, { recursive: true });
+    writeCmd(path.join(repo, '.semalt', 'commands'), 'deploy.md', 'Deploy now');
+    const cmds = discoverCustomCommands({ home, cwd: sub });
+    assert.strictEqual(cmds.length, 1);
+    assert.strictEqual(cmds[0].name, '/deploy');
+    assert.strictEqual(cmds[0].source, 'project');
+  } finally { rmrf(home); rmrf(repo); }
+});
+
+test('discoverCustomCommands: project overrides global on name collision', () => {
+  const home = tmp('semalt-home-');
+  const repo = tmp('semalt-repo-');
+  try {
+    fs.mkdirSync(path.join(repo, '.git'), { recursive: true });
+    writeCmd(path.join(home, '.semalt-ai', 'commands'), 'review.md', 'GLOBAL review');
+    writeCmd(path.join(repo, '.semalt', 'commands'), 'review.md', 'PROJECT review');
+    writeCmd(path.join(home, '.semalt-ai', 'commands'), 'onlyglobal.md', 'global only');
+    const cmds = discoverCustomCommands({ home, cwd: repo });
+    const review = cmds.find((c) => c.name === '/review');
+    assert.strictEqual(review.template, 'PROJECT review');
+    assert.strictEqual(review.source, 'project');
+    // The global-only command still surfaces.
+    assert.ok(cmds.find((c) => c.name === '/onlyglobal'));
+  } finally { rmrf(home); rmrf(repo); }
+});
+
+test('findProjectCommandsDir: bounded by repo root — does not escape above .git', () => {
+  const outer = tmp('semalt-outer-');
+  try {
+    // .semalt/commands lives ABOVE the repo root; discovery must not reach it.
+    writeCmd(path.join(outer, '.semalt', 'commands'), 'x.md', 'nope');
+    const repo = path.join(outer, 'repo');
+    fs.mkdirSync(path.join(repo, '.git'), { recursive: true });
+    const sub = path.join(repo, 'a', 'b');
+    fs.mkdirSync(sub, { recursive: true });
+    assert.strictEqual(findProjectCommandsDir(sub), null);
+  } finally { rmrf(outer); }
+});
+
+// ---------------------------------------------------------------------------
+// Registry registration
+// ---------------------------------------------------------------------------
+
+test('registerCustomCommands: custom resolves and completes; built-ins win on collision', () => {
+  clearCustomCommands();
+  try {
+    const { registered, warnings } = registerCustomCommands([
+      { name: '/review', template: 'Review $ARGUMENTS', description: 'Do a review', argumentHint: '<path>', source: 'global' },
+      { name: '/model', template: 'shadow attempt', source: 'global' }, // collides with built-in
+    ]);
+    assert.strictEqual(registered.length, 1, 'only the non-colliding custom registers');
+    assert.strictEqual(registered[0].name, '/review');
+    assert.strictEqual(warnings.length, 1, 'collision produced a warning');
+    assert.match(warnings[0], /\/model/);
+
+    // /model still resolves to the built-in, not the custom.
+    const m = resolveCommand('/model');
+    assert.strictEqual(m.name, '/model');
+    assert.ok(!m.spec.custom, 'built-in /model not shadowed by custom');
+
+    // /review resolves to the custom with its arg + template carried on the spec.
+    const r = resolveCommand('/review src/app.js');
+    assert.strictEqual(r.name, '/review');
+    assert.strictEqual(r.arg, 'src/app.js');
+    assert.ok(r.spec.custom, 'custom flagged on the spec');
+    assert.strictEqual(r.spec.template, 'Review $ARGUMENTS');
+
+    // Bare invocation (no arg) also resolves (optional-arg behavior).
+    assert.strictEqual(resolveCommand('/review').name, '/review');
+
+    // Completion + help surface the custom command.
+    assert.ok(completionNames().includes('/review'));
+    assert.match(helpText(), /Custom commands:/);
+    assert.match(helpText(), /\/review <path>   Do a review/);
+
+    // The parity-check name list stays built-ins only (no custom handler needed).
+    assert.ok(!commandNames().includes('/review'));
+  } finally { clearCustomCommands(); }
+});
+
+test('registerCustomCommands replaces the prior set (idempotent re-registration)', () => {
+  clearCustomCommands();
+  try {
+    registerCustomCommands([{ name: '/one', template: 'a' }]);
+    assert.ok(resolveCommand('/one'));
+    registerCustomCommands([{ name: '/two', template: 'b' }]);
+    assert.strictEqual(resolveCommand('/one'), null, 'prior custom dropped on re-register');
+    assert.ok(resolveCommand('/two'));
+  } finally { clearCustomCommands(); }
+});
+
+test('helpText is unchanged when no custom commands are registered', () => {
+  clearCustomCommands();
+  assert.ok(!/Custom commands:/.test(helpText()));
+});

package/test/deny-windows.test.js

@@ -0,0 +1,120 @@
+'use strict';
+
+// Unit tests for the Windows (cmd.exe / PowerShell) destructive deny-list set
+// and the procfs-root canonicalization added in Task 4.4. These run on ANY
+// platform — the deny-list is pattern-based, so the Windows coverage is testable
+// without Windows.
+
+const { test } = require('node:test');
+const assert = require('node:assert');
+
+const { checkShellDenylist, classifyShellCommand } = require('../lib/deny');
+
+// ---------------------------------------------------------------------------
+// Windows recursive delete
+// ---------------------------------------------------------------------------
+
+test('Windows recursive delete (del /s, rd /s, rmdir /s) is denied', () => {
+  const cases = [
+    'del /s /q C:\\Users\\me\\project',
+    'del /q /s data',
+    'del /f /s /q *.*',
+    'rd /s /q C:\\temp',
+    'rmdir /s /q build',
+    'RD /S C:\\Windows\\Temp',
+  ];
+  for (const cmd of cases) {
+    const r = checkShellDenylist(cmd);
+    assert.ok(r, `${cmd} should be denied`);
+    assert.match(r.label, /Windows recursive delete/);
+  }
+});
+
+test('plain del / rd without /s are allowed', () => {
+  for (const cmd of ['del stale.log', 'del /q one.txt', 'rd emptydir', 'rmdir olddir']) {
+    assert.strictEqual(checkShellDenylist(cmd), null, `${cmd} should be allowed`);
+  }
+});
+
+// ---------------------------------------------------------------------------
+// PowerShell recursive force delete
+// ---------------------------------------------------------------------------
+
+test('PowerShell Remove-Item -Recurse -Force is denied', () => {
+  const cases = [
+    'Remove-Item -Recurse -Force C:\\data',
+    'Remove-Item -Force -Recurse .\\node_modules',
+    'Remove-Item -Recurse -Force -Path C:\\x',
+  ];
+  for (const cmd of cases) {
+    const r = checkShellDenylist(cmd);
+    assert.ok(r, `${cmd} should be denied`);
+    assert.match(r.label, /PowerShell recursive force delete/);
+  }
+});
+
+test('Remove-Item without BOTH -Recurse and -Force is allowed', () => {
+  for (const cmd of ['Remove-Item one.txt', 'Remove-Item -Recurse logs', 'Remove-Item -Force single.tmp']) {
+    assert.strictEqual(checkShellDenylist(cmd), null, `${cmd} should be allowed`);
+  }
+});
+
+// ---------------------------------------------------------------------------
+// Windows format / disk wipe (catastrophic)
+// ---------------------------------------------------------------------------
+
+test('Windows format / disk-wipe set is denied AND flagged catastrophic', () => {
+  const cases = [
+    'format C: /fs:ntfs',
+    'format D:',
+    'Format-Volume -DriveLetter D',
+    'Clear-Disk -Number 0 -RemoveData',
+    'cipher /w:C',
+    'diskpart /s script.txt clean',
+  ];
+  for (const cmd of cases) {
+    const r = checkShellDenylist(cmd);
+    assert.ok(r, `${cmd} should be denied`);
+    assert.strictEqual(r.catastrophic, true, `${cmd} should be catastrophic`);
+  }
+});
+
+test('benign uses of similar words are not caught', () => {
+  for (const cmd of ['git format-patch -1', 'npm run format', 'echo format the report']) {
+    assert.strictEqual(checkShellDenylist(cmd), null, `${cmd} should be allowed`);
+  }
+});
+
+// ---------------------------------------------------------------------------
+// classifyShellCommand integration — Windows catastrophic gets the typo guard
+// ---------------------------------------------------------------------------
+
+test('user-initiated Windows format asks for confirmation (catastrophic typo guard)', () => {
+  assert.strictEqual(classifyShellCommand('format C:', 'user').action, 'confirm');
+  // del /s is destructive but not catastrophic → user keeps the bypass.
+  assert.strictEqual(classifyShellCommand('del /s /q C:\\x', 'user').action, 'allow');
+  // agent-initiated → hard block for both.
+  assert.strictEqual(classifyShellCommand('format C:', 'agent').action, 'block');
+  assert.strictEqual(classifyShellCommand('del /s /q C:\\x', 'agent').action, 'block');
+});
+
+// ---------------------------------------------------------------------------
+// procfs-root canonicalization (constraint #3)
+// ---------------------------------------------------------------------------
+
+test('/proc/self/root path-rewrite is canonicalized so /etc matchers still fire', () => {
+  // The textual path dodges a naive /etc matcher; canonicalization rewrites the
+  // procfs-root prefix back to / so the existing system-path rule catches it.
+  const r = checkShellDenylist('echo pwned > /proc/self/root/etc/passwd');
+  assert.ok(r, 'write via /proc/self/root/etc must be denied');
+  assert.match(r.label, /system/i);
+});
+
+test('/proc/<pid>/root rewrite is canonicalized too', () => {
+  const r = checkShellDenylist('tee /proc/1234/root/etc/cron.d/x');
+  assert.ok(r, 'write via /proc/<pid>/root/etc must be denied');
+});
+
+test('a benign /proc read is still allowed', () => {
+  assert.strictEqual(checkShellDenylist('cat /proc/self/status'), null);
+});