@semalt-ai/code 1.8.5 → 1.19.0

package/test/hooks-verify-sandbox.test.js

@@ -0,0 +1,232 @@
+'use strict';
+
+// Pre-Task 5.0a — verify + command-type hooks must run through the SAME OS
+// sandbox as agentExecShell. Two layers of coverage:
+//
+//   1. Fallback rules (deterministic, no real bwrap needed): the shared detection
+//      cache is primed to "unavailable" so we assert the fail-safe path —
+//      failIfUnavailable hard error / no-approver refuse / approver-yes run —
+//      identically to test/sandbox-agent.test.js but for verify/hooks.
+//   2. Kernel-level enforcement (REAL bwrap/sandbox-exec): a verify command and a
+//      command hook that write OUTSIDE the working dir are blocked by the OS.
+//      These SKIP gracefully when the primitive is absent on the runner.
+
+const { test } = require('node:test');
+const assert = require('node:assert');
+const fs = require('fs');
+const path = require('path');
+
+const { createVerifyRunner } = require('../lib/verify');
+const { createHookRunner } = require('../lib/hooks');
+const { detectSandbox, _resetSandboxDetection } = require('../lib/sandbox');
+
+const NODE = JSON.stringify(process.execPath);
+
+// Force the shared detection cache to "unavailable" so the fallback tests are
+// deterministic on ANY runner (mirrors test/sandbox-agent.test.js).
+function primeUnavailable() {
+  _resetSandboxDetection();
+  detectSandbox({ platform: 'linux', which: () => null, readFile: () => 'Linux version 6.0', force: true });
+}
+
+// ---------------------------------------------------------------------------
+// 1. Fallback rules — verify
+// ---------------------------------------------------------------------------
+
+test('verify: sandbox unavailable + auto + NO approver → REFUSED (never a silent unsandboxed run)', async () => {
+  primeUnavailable();
+  const runner = createVerifyRunner({
+    getConfig: () => ({ verify: { command: `${NODE} -e "process.exit(0)"` }, sandbox: { mode: 'auto' } }),
+  });
+  const res = await runner.run();
+  assert.strictEqual(res.ran, false, 'the command was never executed');
+  assert.strictEqual(res.passed, false, 'a refused verify cannot pass');
+  assert.match(res.output, /refused to run unsandboxed/i);
+  assert.match(res.fenced, /UNTRUSTED_EXTERNAL_CONTENT/);
+  _resetSandboxDetection();
+});
+
+test('verify: sandbox unavailable + failIfUnavailable → hard error (non-passing, names the gate)', async () => {
+  primeUnavailable();
+  const runner = createVerifyRunner({
+    getConfig: () => ({ verify: { command: `${NODE} -e "process.exit(0)"` }, sandbox: { mode: 'auto', failIfUnavailable: true } }),
+  });
+  const res = await runner.run();
+  assert.strictEqual(res.ran, false);
+  assert.strictEqual(res.passed, false);
+  assert.match(res.output, /failIfUnavailable/);
+  _resetSandboxDetection();
+});
+
+test('verify: sandbox unavailable + human approver says YES → runs unsandboxed and can pass', async () => {
+  primeUnavailable();
+  let asked = null;
+  const runner = createVerifyRunner({
+    getConfig: () => ({ verify: { command: `${NODE} -e "process.exit(0)"` }, sandbox: { mode: 'auto' } }),
+    onUnsandboxed: async (info) => { asked = info; return true; },
+  });
+  const res = await runner.run();
+  assert.ok(asked && /bwrap|bubblewrap|not found/i.test(asked.reason), 'approver receives the reason');
+  assert.strictEqual(res.ran, true);
+  assert.strictEqual(res.passed, true, 'exit 0 passes when the human approved an unsandboxed run');
+  _resetSandboxDetection();
+});
+
+test('verify: deny-list still fires BEFORE the sandbox layer (defense in depth)', async () => {
+  primeUnavailable(); // would refuse anyway — but the deny-list must win first
+  let sandboxCalls = 0;
+  const runner = createVerifyRunner({
+    getConfig: () => ({ verify: { command: 'rm -rf /' }, sandbox: { mode: 'auto' } }),
+    sandbox: () => { sandboxCalls++; return { run: true, useShell: true, file: 'x', args: [], sandbox: 'off' }; },
+  });
+  const res = await runner.run();
+  assert.ok(res.denied, 'deny-list label recorded');
+  assert.strictEqual(res.ran, false);
+  assert.strictEqual(sandboxCalls, 0, 'a deny-listed command never reaches the sandbox resolver');
+  _resetSandboxDetection();
+});
+
+// ---------------------------------------------------------------------------
+// 1. Fallback rules — command hooks
+// ---------------------------------------------------------------------------
+
+test('hook (command): sandbox unavailable + auto + NO approver → NOT run, contained (does not block)', async () => {
+  primeUnavailable();
+  const logs = [];
+  const runner = createHookRunner({
+    getConfig: () => ({ hooks: { PreToolUse: [{ type: 'command', command: `${NODE} -e "process.exit(1)"` }] }, sandbox: { mode: 'auto' } }),
+    log: (m) => logs.push(m),
+  });
+  const r = await runner.run('PreToolUse', { tool: 'shell' });
+  assert.strictEqual(r.blocked, false, 'a refused hook does not block the tool (contained like a timeout)');
+  assert.strictEqual(r.ran[0].ok, false);
+  assert.match(r.ran[0].error, /refused to run unsandboxed/i);
+  assert.ok(logs.some((l) => /not run/i.test(l)));
+  _resetSandboxDetection();
+});
+
+test('hook (command): deny-listed command never reaches the sandbox resolver', async () => {
+  primeUnavailable();
+  let sandboxCalls = 0;
+  const runner = createHookRunner({
+    getConfig: () => ({ hooks: { PreToolUse: [{ type: 'command', command: 'rm -rf /' }] }, sandbox: { mode: 'auto' } }),
+    sandbox: () => { sandboxCalls++; return { run: true, useShell: true, file: 'x', args: [], sandbox: 'off' }; },
+  });
+  const r = await runner.run('PreToolUse', { tool: 'shell' });
+  assert.strictEqual(sandboxCalls, 0, 'deny-list short-circuits before the sandbox');
+  assert.ok(r.ran[0].denied);
+  _resetSandboxDetection();
+});
+
+test('hook (prompt): unaffected by the sandbox (no shell, just injects text)', async () => {
+  primeUnavailable(); // even with an unavailable sandbox, a prompt hook still injects
+  const runner = createHookRunner({
+    getConfig: () => ({ hooks: { UserPromptSubmit: [{ type: 'prompt', prompt: 'Mind the style guide.' }] }, sandbox: { mode: 'auto' } }),
+  });
+  const r = await runner.run('UserPromptSubmit', { prompt: 'go' });
+  assert.strictEqual(r.feedback.length, 1, 'prompt hook injects regardless of sandbox availability');
+  assert.match(r.feedback[0], /Mind the style guide/);
+  _resetSandboxDetection();
+});
+
+// ---------------------------------------------------------------------------
+// 2. Kernel-level enforcement (REAL bwrap / sandbox-exec) — skip gracefully
+// ---------------------------------------------------------------------------
+
+function realDetect() {
+  _resetSandboxDetection();
+  return detectSandbox({ force: true });
+}
+const det = realDetect();
+const SKIP = det.available ? false : `OS sandbox tool unavailable on this runner (${det.reason || det.platform})`;
+
+// A target OUTSIDE the working dir AND outside the OS temp dir (both are writable
+// roots in the real wrap). The repo parent satisfies both — the sandbox must
+// block a write there. Cleaned up regardless of outcome.
+function outsideTarget(tag) {
+  return path.join(path.dirname(process.cwd()), `semalt-sbx-${tag}-${process.pid}.txt`);
+}
+
+// Quote-free shell redirects keep the command robust under the sh -c wrapper, so
+// a non-zero exit is unambiguously the SANDBOX denying the write — not a parsing
+// artifact. The target paths contain no spaces/quotes.
+test('verify (REAL jail): a command writing OUTSIDE the working dir is blocked by the kernel', { skip: SKIP }, async () => {
+  realDetect();
+  const escape = outsideTarget('verify-escape');
+  try { fs.unlinkSync(escape); } catch {}
+  const runner = createVerifyRunner({ getConfig: () => ({ verify: { command: `echo pwned > ${escape}` }, sandbox: { mode: 'auto' } }) });
+  try {
+    const res = await runner.run();
+    assert.strictEqual(res.passed, false, 'the out-of-CWD write must fail under the jail');
+    assert.ok(!fs.existsSync(escape), 'the out-of-jail file must NOT have been created');
+  } finally {
+    try { fs.unlinkSync(escape); } catch {}
+    _resetSandboxDetection();
+  }
+});
+
+test('hook (REAL jail): a command hook writing OUTSIDE the working dir is blocked by the kernel', { skip: SKIP }, async () => {
+  realDetect();
+  const escape = outsideTarget('hook-escape');
+  try { fs.unlinkSync(escape); } catch {}
+  const runner = createHookRunner({ getConfig: () => ({ hooks: { PostToolUse: [{ type: 'command', command: `echo pwned > ${escape}` }] }, sandbox: { mode: 'auto' } }) });
+  try {
+    const r = await runner.run('PostToolUse', { tool: 'shell', result: 'x' });
+    assert.strictEqual(r.ran[0].ok, false, 'the hook command must fail under the jail (out-of-CWD write blocked)');
+    assert.ok(!fs.existsSync(escape), 'the out-of-jail file must NOT have been created');
+  } finally {
+    try { fs.unlinkSync(escape); } catch {}
+    _resetSandboxDetection();
+  }
+});
+
+test('verify (REAL jail): a command writing to the OS temp dir (a writable root) still passes', { skip: SKIP }, async () => {
+  realDetect();
+  const os = require('os');
+  const inside = path.join(os.tmpdir(), `semalt-sbx-verify-ok-${process.pid}.txt`);
+  try { fs.unlinkSync(inside); } catch {}
+  const runner = createVerifyRunner({ getConfig: () => ({ verify: { command: `echo ok > ${inside}` }, sandbox: { mode: 'auto' } }) });
+  try {
+    const res = await runner.run();
+    assert.strictEqual(res.passed, true, 'a write to a writable root succeeds under the jail');
+    assert.ok(fs.existsSync(inside), 'the in-jail file was written');
+  } finally {
+    try { fs.unlinkSync(inside); } catch {}
+    _resetSandboxDetection();
+  }
+});
+
+// ---------------------------------------------------------------------------
+// 3. Binary network isolation reaches verify + hooks too (Task 4.4b).
+// ---------------------------------------------------------------------------
+//
+// sandbox.network: 'off' must apply through the SAME shared shim to verify and
+// command hooks — not just the agent's shell tool. Gated to bwrap, where the
+// no-network jail is observable by counting non-loopback interfaces. A node
+// one-liner exits 0 when it sees NO network (only loopback), non-zero otherwise.
+const NET_SKIP = (det.available && det.tool === 'bwrap') ? false
+  : `network-isolation kernel test needs bwrap (got ${det.tool || det.platform})`;
+const NONET_PROBE = `${NODE} -e 'const i=require("os").networkInterfaces();const n=Object.keys(i).filter(x=>x!=="lo"&&x!=="lo0");process.exit(n.length?5:0)'`;
+
+test('verify (REAL jail): sandbox.network off runs the verify command with NO network', { skip: NET_SKIP }, async () => {
+  realDetect();
+  // expected_exit_code 0 == "the probe saw no network" ⇒ passing proves the verify
+  // shell ran kernel-isolated from the network.
+  const runner = createVerifyRunner({ getConfig: () => ({ verify: { command: NONET_PROBE }, sandbox: { mode: 'auto', network: 'off' } }) });
+  try {
+    const res = await runner.run();
+    assert.strictEqual(res.ran, true);
+    assert.strictEqual(res.passed, true, 'the verify command observed no network (exit 0) under the no-network jail');
+    assert.strictEqual(res.exitCode, 0);
+  } finally { _resetSandboxDetection(); }
+});
+
+test('hook (REAL jail): sandbox.network off runs the command hook with NO network', { skip: NET_SKIP }, async () => {
+  realDetect();
+  const runner = createHookRunner({ getConfig: () => ({ hooks: { PostToolUse: [{ type: 'command', command: NONET_PROBE }] }, sandbox: { mode: 'auto', network: 'off' } }) });
+  try {
+    const r = await runner.run('PostToolUse', { tool: 'shell', result: 'x' });
+    assert.strictEqual(r.ran[0].ok, true, 'the hook command observed no network (exit 0) under the no-network jail');
+    assert.strictEqual(r.ran[0].exitCode, 0, 'no non-loopback interface inside the no-network jail');
+  } finally { _resetSandboxDetection(); }
+});

package/test/hooks.test.js

@@ -0,0 +1,216 @@
+'use strict';
+
+// Unit tests for lib/hooks.js (Task 3.4). Cover the pure normalization/matching
+// helpers and the dispatcher with an INJECTED spawn so exit-code semantics,
+// deny-list enforcement, timeout handling, and failure containment are tested
+// deterministically with no real subprocesses.
+
+const { test } = require('node:test');
+const assert = require('node:assert');
+
+const {
+  HOOK_EVENTS,
+  normalizeHooks,
+  normalizeHookDef,
+  hookMatches,
+  wrapUntrusted,
+  createHookRunner: _createHookRunner,
+} = require('../lib/hooks');
+
+// These tests exercise hook ORCHESTRATION (deny-list, exit semantics, matcher,
+// timeout/failure containment, payload) with an injected spawn — NOT the OS
+// sandbox, which has its own dedicated tests (hooks-verify-sandbox.test.js).
+// Inject a pass-through sandbox resolver so the command runs plain via the
+// 2-arg spawn(command, opts) form the injected stubs assume. The real sandbox
+// routing is proven separately.
+const NO_SANDBOX = (command) => ({ run: true, useShell: true, file: command, args: [], sandbox: 'off' });
+const createHookRunner = (opts = {}) => _createHookRunner({ sandbox: NO_SANDBOX, ...opts });
+
+// ---------------------------------------------------------------------------
+// normalizeHooks / normalizeHookDef
+// ---------------------------------------------------------------------------
+
+test('normalizeHooks always returns one array per known event', () => {
+  const out = normalizeHooks(undefined);
+  assert.deepStrictEqual(Object.keys(out).sort(), [...HOOK_EVENTS].sort());
+  for (const ev of HOOK_EVENTS) assert.deepStrictEqual(out[ev], []);
+});
+
+test('normalizeHooks drops malformed entries and unknown events', () => {
+  const out = normalizeHooks({
+    PreToolUse: [
+      { command: 'echo ok' },
+      { type: 'command' },              // no command → dropped
+      { type: 'prompt', prompt: '' },   // empty prompt → dropped
+      'not-an-object',                  // dropped
+      { type: 'prompt', prompt: 'hi' },
+    ],
+    BogusEvent: [{ command: 'echo nope' }], // unknown event key → ignored
+  });
+  assert.strictEqual(out.PreToolUse.length, 2);
+  assert.deepStrictEqual(out.PreToolUse[0], { type: 'command', command: 'echo ok' });
+  assert.deepStrictEqual(out.PreToolUse[1], { type: 'prompt', prompt: 'hi' });
+  assert.ok(!('BogusEvent' in out));
+});
+
+test('normalizeHookDef keeps matcher and positive integer timeout', () => {
+  const def = normalizeHookDef({ command: 'x', matcher: ' shell ', timeout_ms: 1500 });
+  assert.deepStrictEqual(def, { type: 'command', command: 'x', matcher: 'shell', timeout_ms: 1500 });
+  // Non-positive / non-integer timeouts are dropped.
+  assert.strictEqual(normalizeHookDef({ command: 'x', timeout_ms: 0 }).timeout_ms, undefined);
+  assert.strictEqual(normalizeHookDef({ command: 'x', timeout_ms: 1.5 }).timeout_ms, undefined);
+});
+
+// ---------------------------------------------------------------------------
+// hookMatches
+// ---------------------------------------------------------------------------
+
+test('hookMatches: no matcher / * matches everything', () => {
+  assert.ok(hookMatches({}, 'shell'));
+  assert.ok(hookMatches({ matcher: '*' }, 'anything'));
+});
+
+test('hookMatches: exact, pipe-list, and regex', () => {
+  assert.ok(hookMatches({ matcher: 'shell' }, 'shell'));
+  assert.ok(!hookMatches({ matcher: 'shell' }, 'read'));
+  assert.ok(hookMatches({ matcher: 'shell|exec' }, 'exec'));
+  assert.ok(hookMatches({ matcher: 'mcp__.*' }, 'mcp__fs__read'));
+  assert.ok(!hookMatches({ matcher: 'mcp__.*' }, 'shell'));
+  // Anchored: a partial name does not match.
+  assert.ok(!hookMatches({ matcher: 'read' }, 'read_file'));
+});
+
+test('wrapUntrusted fences text in the shared delimiter', () => {
+  const w = wrapUntrusted('payload', '[hook X]');
+  assert.match(w, /<<<UNTRUSTED_EXTERNAL_CONTENT/);
+  assert.match(w, /<<<END_UNTRUSTED_EXTERNAL_CONTENT>>>/);
+  assert.match(w, /payload/);
+  assert.match(w, /\[hook X\]/);
+});
+
+// ---------------------------------------------------------------------------
+// createHookRunner — dispatch with an injected spawn
+// ---------------------------------------------------------------------------
+
+// A spawn stub: maps a command string → a spawnSync-shaped result.
+function fakeSpawn(map) {
+  const calls = [];
+  const fn = (command, opts) => {
+    calls.push({ command, opts });
+    const r = typeof map === 'function' ? map(command, opts) : map[command];
+    return r || { status: 0, stdout: '', stderr: '' };
+  };
+  fn.calls = calls;
+  return fn;
+}
+
+test('PreToolUse: non-zero exit BLOCKS and surfaces the reason', async () => {
+  const getConfig = () => ({ hooks: { PreToolUse: [{ type: 'command', command: 'guard' }] } });
+  const spawn = fakeSpawn({ guard: { status: 1, stdout: 'not allowed to touch prod', stderr: '' } });
+  const runner = createHookRunner({ getConfig, spawn });
+  const r = await runner.run('PreToolUse', { tool: 'shell', input: { command: 'deploy' } });
+  assert.strictEqual(r.blocked, true);
+  assert.match(r.blockReason, /not allowed to touch prod/);
+  assert.strictEqual(r.feedback.length, 0, 'a blocking hook does not also emit feedback');
+});
+
+test('PreToolUse: exit 0 ALLOWS, and stdout is surfaced as untrusted feedback', async () => {
+  const getConfig = () => ({ hooks: { PreToolUse: [{ type: 'command', command: 'note' }] } });
+  const spawn = fakeSpawn({ note: { status: 0, stdout: 'fyi: linting first', stderr: '' } });
+  const runner = createHookRunner({ getConfig, spawn });
+  const r = await runner.run('PreToolUse', { tool: 'shell' });
+  assert.strictEqual(r.blocked, false);
+  assert.strictEqual(r.feedback.length, 1);
+  assert.match(r.feedback[0], /fyi: linting first/);
+  assert.match(r.feedback[0], /UNTRUSTED_EXTERNAL_CONTENT/);
+});
+
+test('matcher filters which hooks run for a tool event', async () => {
+  const getConfig = () => ({ hooks: { PreToolUse: [
+    { type: 'command', command: 'only-shell', matcher: 'shell' },
+  ] } });
+  const spawn = fakeSpawn({ 'only-shell': { status: 1, stdout: 'blocked', stderr: '' } });
+  const runner = createHookRunner({ getConfig, spawn });
+
+  const blocked = await runner.run('PreToolUse', { tool: 'shell' });
+  assert.strictEqual(blocked.blocked, true);
+
+  const other = await runner.run('PreToolUse', { tool: 'read' });
+  assert.strictEqual(other.blocked, false, 'non-matching tool is unaffected');
+  assert.strictEqual(spawn.calls.length, 1, 'the hook only ran for the matching tool');
+});
+
+test('deny-listed hook command is NOT run (skipped, contained)', async () => {
+  const getConfig = () => ({ hooks: { PreToolUse: [{ type: 'command', command: 'rm -rf /' }] } });
+  const spawn = fakeSpawn(() => { throw new Error('spawn must not be called for a denied hook'); });
+  const logs = [];
+  const runner = createHookRunner({ getConfig, spawn, log: (m) => logs.push(m) });
+  const r = await runner.run('PreToolUse', { tool: 'shell' });
+  assert.strictEqual(spawn.calls.length, 0, 'deny-listed command never spawned');
+  assert.strictEqual(r.blocked, false, 'a denied hook does not block the tool');
+  assert.strictEqual(r.ran[0].denied && typeof r.ran[0].denied, 'string');
+  assert.ok(logs.some((l) => /deny-list/i.test(l)));
+});
+
+test('timeout is contained: not a block, not feedback, just logged', async () => {
+  const getConfig = () => ({ hooks: { PreToolUse: [{ type: 'command', command: 'slow', timeout_ms: 10 }] } });
+  // spawnSync surfaces a timeout via error.code ETIMEDOUT + signal SIGTERM.
+  const spawn = fakeSpawn({ slow: { status: null, signal: 'SIGTERM', stdout: '', stderr: '', error: { code: 'ETIMEDOUT', message: 'spawnSync timed out' } } });
+  const logs = [];
+  const runner = createHookRunner({ getConfig, spawn, log: (m) => logs.push(m) });
+  const r = await runner.run('PreToolUse', { tool: 'shell' });
+  assert.strictEqual(r.blocked, false, 'a timed-out PreToolUse hook does not block');
+  assert.strictEqual(r.feedback.length, 0);
+  assert.strictEqual(r.ran[0].timedOut, true);
+  assert.ok(logs.some((l) => /timed out/i.test(l)));
+});
+
+test('a spawn that throws is contained (no crash, recorded as failed)', async () => {
+  const getConfig = () => ({ hooks: { PostToolUse: [{ type: 'command', command: 'boom' }] } });
+  const spawn = fakeSpawn(() => { throw new Error('kaboom'); });
+  const runner = createHookRunner({ getConfig, spawn });
+  const r = await runner.run('PostToolUse', { tool: 'shell', result: 'x' });
+  assert.strictEqual(r.blocked, false);
+  assert.strictEqual(r.ran[0].ok, false);
+  assert.match(r.ran[0].error, /kaboom/);
+});
+
+test('prompt hook injects its text as untrusted feedback (no shell)', async () => {
+  const getConfig = () => ({ hooks: { UserPromptSubmit: [{ type: 'prompt', prompt: 'Follow the style guide.' }] } });
+  const spawn = fakeSpawn(() => { throw new Error('prompt hooks never spawn'); });
+  const runner = createHookRunner({ getConfig, spawn });
+  const r = await runner.run('UserPromptSubmit', { prompt: 'do a thing' });
+  assert.strictEqual(spawn.calls.length, 0);
+  assert.strictEqual(r.feedback.length, 1);
+  assert.match(r.feedback[0], /Follow the style guide/);
+});
+
+test('payload reaches the hook via env vars and stdin', async () => {
+  const getConfig = () => ({ hooks: { PostToolUse: [{ type: 'command', command: 'capture' }] } });
+  let seen = null;
+  const spawn = fakeSpawn((command, opts) => { seen = opts; return { status: 0, stdout: '', stderr: '' }; });
+  const runner = createHookRunner({ getConfig, spawn });
+  await runner.run('PostToolUse', { tool: 'read', input: { path: '/a' }, result: 'contents' });
+  assert.strictEqual(seen.env.SEMALT_HOOK_EVENT, 'PostToolUse');
+  assert.strictEqual(seen.env.SEMALT_TOOL_NAME, 'read');
+  assert.strictEqual(seen.env.SEMALT_TOOL_INPUT, JSON.stringify({ path: '/a' }));
+  assert.strictEqual(seen.env.SEMALT_TOOL_RESULT, 'contents');
+  const stdin = JSON.parse(seen.input);
+  assert.strictEqual(stdin.event, 'PostToolUse');
+  assert.strictEqual(stdin.tool, 'read');
+});
+
+test('unknown event name is a no-op', async () => {
+  const getConfig = () => ({ hooks: {} });
+  const runner = createHookRunner({ getConfig, spawn: fakeSpawn({}) });
+  const r = await runner.run('NotARealEvent', {});
+  assert.deepStrictEqual(r.feedback, []);
+  assert.strictEqual(r.blocked, false);
+});
+
+test('a getConfig that throws is contained (no hooks, no crash)', async () => {
+  const runner = createHookRunner({ getConfig: () => { throw new Error('boom'); }, spawn: fakeSpawn({}) });
+  const r = await runner.run('PreToolUse', { tool: 'shell' });
+  assert.strictEqual(r.blocked, false);
+  assert.deepStrictEqual(r.ran, []);
+});

package/test/http-get-user-agent.test.js

@@ -0,0 +1,142 @@
+'use strict';
+
+// http_get / download User-Agent (Task W.3 Part 2). The fetch tools must send a
+// fixed, realistic browser User-Agent so sites that reject empty/curl-like UAs
+// (Wikipedia 403, the Guardian 406) are less likely to block. It is:
+//   - operator-overridable via config.web.user_agent,
+//   - NOT model-selectable (no UA parameter in the tool spec the model sees),
+//   - applied uniformly to both http_get and download.
+//
+// Home-based paths are redirected to a temp dir BEFORE any lib module loads so
+// the secret-file/config guards resolve against the temp config path.
+
+const os = require('node:os');
+const fs = require('node:fs');
+const path = require('node:path');
+
+const TMP_HOME = fs.mkdtempSync(path.join(os.tmpdir(), 'semalt-ua-home-'));
+const PREV_HOME = process.env.HOME;
+const PREV_USERPROFILE = process.env.USERPROFILE;
+process.env.HOME = TMP_HOME;
+process.env.USERPROFILE = TMP_HOME;
+
+const { test, before, after } = require('node:test');
+const assert = require('node:assert');
+const http = require('node:http');
+
+const ui = require('../lib/ui');
+const { createPermissionManager } = require('../lib/permissions');
+const { createToolExecutor } = require('../lib/tools');
+const { DEFAULT_USER_AGENT } = require('../lib/constants');
+const { normalizeConfig } = require('../lib/config');
+const { TOOL_SPECS } = require('../lib/tool_specs');
+
+let CWD;
+let PREV_CWD;
+let server;
+let baseUrl;
+let lastUserAgent; // captured from the most recent inbound request
+
+function mkExec({ web } = {}) {
+  const pm = createPermissionManager(ui, {});
+  const getConfig = () => ({
+    max_file_size_kb: 512,
+    command_timeout_ms: 30000,
+    http_fetch_max_bytes: 262144,
+    download_max_bytes: 1048576,
+    // summarize off → predictable pass-through, no summarizer needed.
+    web: { summarize: false, summary_model: '', max_content_tokens: 6000, ...(web || {}) },
+  });
+  return createToolExecutor(pm, ui, getConfig, {});
+}
+
+before(async () => {
+  PREV_CWD = process.cwd();
+  CWD = fs.mkdtempSync(path.join(os.tmpdir(), 'semalt-ua-cwd-'));
+  process.chdir(CWD);
+  server = http.createServer((req, res) => {
+    lastUserAgent = req.headers['user-agent'];
+    res.writeHead(200, { 'Content-Type': 'text/plain' });
+    res.end('hello body');
+  });
+  await new Promise((r) => server.listen(0, '127.0.0.1', r));
+  baseUrl = `http://127.0.0.1:${server.address().port}`;
+});
+
+after(async () => {
+  await new Promise((r) => server.close(r));
+  process.chdir(PREV_CWD);
+  if (PREV_HOME === undefined) delete process.env.HOME; else process.env.HOME = PREV_HOME;
+  if (PREV_USERPROFILE === undefined) delete process.env.USERPROFILE; else process.env.USERPROFILE = PREV_USERPROFILE;
+});
+
+// ---------------------------------------------------------------------------
+// http_get sends the default / configured UA
+// ---------------------------------------------------------------------------
+
+test('http_get: sends the default browser User-Agent', async () => {
+  const exec = mkExec();
+  lastUserAgent = undefined;
+  const r = await exec.agentExecFile('http_get', `${baseUrl}/page`, {}, { signal: null });
+  assert.ok(!r.error, `valid URL should not error: ${r.error}`);
+  assert.strictEqual(lastUserAgent, DEFAULT_USER_AGENT);
+  // The default looks like a real browser, not curl / empty.
+  assert.match(lastUserAgent, /Mozilla\/5\.0/);
+  assert.match(lastUserAgent, /Chrome\/\d+/);
+});
+
+test('http_get: a config web.user_agent override is honored', async () => {
+  const exec = mkExec({ web: { user_agent: 'AcmeCorpBot/2.0 (+https://acme.example/bot)' } });
+  lastUserAgent = undefined;
+  await exec.agentExecFile('http_get', `${baseUrl}/page`, {}, { signal: null });
+  assert.strictEqual(lastUserAgent, 'AcmeCorpBot/2.0 (+https://acme.example/bot)');
+});
+
+// ---------------------------------------------------------------------------
+// download carries the same UA
+// ---------------------------------------------------------------------------
+
+test('download: sends the default browser User-Agent', async () => {
+  const exec = mkExec();
+  lastUserAgent = undefined;
+  const r = await exec.agentExecFile('download', `${baseUrl}/file.txt`, 'file.txt');
+  assert.strictEqual(r.status, 'ok');
+  assert.strictEqual(lastUserAgent, DEFAULT_USER_AGENT);
+});
+
+test('download: a config web.user_agent override is honored', async () => {
+  const exec = mkExec({ web: { user_agent: 'AcmeCorpBot/2.0' } });
+  lastUserAgent = undefined;
+  await exec.agentExecFile('download', `${baseUrl}/file2.txt`, 'file2.txt');
+  assert.strictEqual(lastUserAgent, 'AcmeCorpBot/2.0');
+});
+
+// ---------------------------------------------------------------------------
+// The UA is operator-only — never exposed to the model
+// ---------------------------------------------------------------------------
+
+test('the tool spec exposes NO user-agent parameter (not model-selectable)', () => {
+  for (const tool of ['http_get', 'download']) {
+    const spec = TOOL_SPECS[tool];
+    const props = (spec && spec.parameters && spec.parameters.properties) || {};
+    for (const key of Object.keys(props)) {
+      assert.ok(!/user.?agent|^ua$|headers?/i.test(key),
+        `${tool} spec must not expose a UA/header parameter, found "${key}"`);
+    }
+    // Belt-and-suspenders: the whole spec JSON never mentions a user-agent knob.
+    assert.ok(!/user.?agent/i.test(JSON.stringify(spec)),
+      `${tool} spec text must not mention user-agent`);
+  }
+});
+
+// ---------------------------------------------------------------------------
+// Normalization: config.web.user_agent defaults to the fixed UA
+// ---------------------------------------------------------------------------
+
+test('config normalization: web.user_agent defaults to DEFAULT_USER_AGENT, override trims', () => {
+  assert.strictEqual(normalizeConfig({}).web.user_agent, DEFAULT_USER_AGENT);
+  assert.strictEqual(normalizeConfig({ web: {} }).web.user_agent, DEFAULT_USER_AGENT);
+  assert.strictEqual(normalizeConfig({ web: { user_agent: '  CustomUA/1  ' } }).web.user_agent, 'CustomUA/1');
+  // An empty/whitespace override falls back to the default, not ''.
+  assert.strictEqual(normalizeConfig({ web: { user_agent: '   ' } }).web.user_agent, DEFAULT_USER_AGENT);
+});