@semalt-ai/code 1.8.5 → 1.20.0

package/test/background.test.js

@@ -0,0 +1,414 @@
+'use strict';
+
+// Tests for background tasks (Task 5.3) — detached agent processes + the task
+// registry. Coverage:
+//   * task store CRUD: create / patch / events / result / list ordering;
+//   * validation BEFORE detach surfaces config/policy/sandbox errors, and a
+//     validation failure spawns NO process (no orphan);
+//   * launchBackground writes the spec + registry record and detaches via an
+//     injected spawn; sandbox defaults ON in the spec, opt-out is explicit;
+//   * runBackgroundChild (REAL createAgent ↔ mock-LLM) runs to completion and
+//     writes the result envelope;
+//   * SAFE POSTURE: no policy → a mutating write is refused (paired with: an
+//     allow rule lets it proceed);
+//   * deny-list stays active in the background process;
+//   * lifecycle reconciliation: a dead "running" task is detected as stale and
+//     prunable; killTask tree-kills + marks terminated;
+//   * a REAL detached process is tree-killable by PID;
+//   * TOOL-EXPOSURE DECISION: background-launch is NOT an agent tool.
+
+const { test, before, after } = require('node:test');
+const assert = require('node:assert');
+const fs = require('fs');
+const os = require('os');
+const path = require('path');
+
+const bg = require('../lib/background');
+const proc = require('../lib/proc');
+const { startMockLLM } = require('./harness/mock-llm');
+
+let prevKey;
+let prevCwd;
+let tmpCwd;
+let roots = [];
+
+function freshRoot() {
+  const d = fs.mkdtempSync(path.join(os.tmpdir(), 'bg-tasks-'));
+  roots.push(d);
+  return d;
+}
+
+const sleep = (ms) => new Promise((r) => setTimeout(r, ms));
+
+before(() => {
+  prevKey = process.env.SEMALT_API_KEY;
+  process.env.SEMALT_API_KEY = 'test-key';
+  prevCwd = process.cwd();
+  tmpCwd = fs.mkdtempSync(path.join(os.tmpdir(), 'bg-cwd-'));
+  process.chdir(tmpCwd);
+});
+
+after(() => {
+  if (prevKey === undefined) delete process.env.SEMALT_API_KEY;
+  else process.env.SEMALT_API_KEY = prevKey;
+  process.chdir(prevCwd);
+  for (const d of roots.concat([tmpCwd])) {
+    try { fs.rmSync(d, { recursive: true, force: true }); } catch {}
+  }
+});
+
+// --------------------------------------------------------------------------
+// Task store
+// --------------------------------------------------------------------------
+test('task store: create writes spec + meta, patch/events/result round-trip, list newest-first', () => {
+  let clock = 1000;
+  const store = bg.createTaskStore({ rootDir: freshRoot(), now: () => clock });
+
+  const a = store.genId();
+  store.create({ id: a, spec: { prompt: 'first', model: 'm' }, prompt: 'first task', model: 'm' });
+  assert.deepStrictEqual(store.readSpec(a), { prompt: 'first', model: 'm' });
+  let meta = store.readMeta(a);
+  assert.strictEqual(meta.status, 'starting');
+  assert.strictEqual(meta.model, 'm');
+  assert.strictEqual(meta.prompt_summary, 'first task');
+
+  store.patchMeta(a, { pid: 4242, status: 'running' });
+  meta = store.readMeta(a);
+  assert.strictEqual(meta.pid, 4242);
+  assert.strictEqual(meta.status, 'running');
+
+  store.appendEvent(a, { type: 'status', status: 'running' });
+  store.appendEvent(a, { type: 'tool', tag: 'read', ms: 3 });
+  const events = store.readEvents(a);
+  assert.strictEqual(events.length, 2);
+  assert.strictEqual(events[1].tag, 'read');
+  assert.ok(events[0].ts, 'events carry a timestamp');
+
+  const envelope = { result: 'ok', toolCalls: [], usage: {}, cost: null, stopReason: 'end_turn', verifyStatus: 'skipped' };
+  store.writeResult(a, envelope);
+  assert.deepStrictEqual(store.readResult(a), envelope);
+
+  clock = 2000;
+  const b = store.genId();
+  store.create({ id: b, spec: { prompt: 'second' }, prompt: 'second task' });
+  const list = store.list();
+  assert.strictEqual(list.length, 2);
+  assert.strictEqual(list[0].id, b, 'newest task first');
+  assert.strictEqual(list[1].id, a);
+
+  assert.strictEqual(store.remove(a), true);
+  assert.strictEqual(store.readMeta(a), null);
+});
+
+// --------------------------------------------------------------------------
+// Validation (before detach)
+// --------------------------------------------------------------------------
+test('validateLaunch flags empty prompt, missing model, malformed policy, and unavailable strict sandbox', async () => {
+  const okConfig = { api_base: 'http://x', default_model: 'm' };
+
+  assert.deepStrictEqual(await bg.validateLaunch({ prompt: 'hi', config: okConfig, policy: {} }), [], 'valid launch → no errors');
+
+  const e1 = await bg.validateLaunch({ prompt: '   ', config: okConfig });
+  assert.ok(e1.some((m) => /prompt is empty/.test(m)));
+
+  const e2 = await bg.validateLaunch({ prompt: 'hi', config: { api_base: 'http://x' } });
+  assert.ok(e2.some((m) => /no model/.test(m)), 'missing model surfaced');
+
+  const e3 = await bg.validateLaunch({ prompt: 'hi', config: okConfig, policy: { rules: [{ tool: 'shell', action: 'banana' }] } });
+  assert.ok(e3.some((m) => /action must be one of/.test(m)), 'bad rule action surfaced');
+
+  const e3b = await bg.validateLaunch({ prompt: 'hi', config: okConfig, policy: { rules: [{ tool: 'shell', pattern: 'a', path: 'b', action: 'allow' }] } });
+  assert.ok(e3b.some((m) => /more than one matcher/.test(m)), 'multi-matcher rule surfaced');
+
+  const e4 = await bg.validateLaunch({
+    prompt: 'hi', config: okConfig,
+    sandboxConfig: { mode: 'auto', failIfUnavailable: true },
+    detection: { available: false, reason: 'no bwrap' },
+  });
+  assert.ok(e4.some((m) => /sandbox unavailable/.test(m)), 'strict sandbox unavailable surfaced');
+
+  // Same sandbox unavailable but NOT strict → not a launch error (fail-safe at runtime).
+  const e5 = await bg.validateLaunch({
+    prompt: 'hi', config: okConfig,
+    sandboxConfig: { mode: 'auto', failIfUnavailable: false },
+    detection: { available: false, reason: 'no bwrap' },
+  });
+  assert.deepStrictEqual(e5, [], 'non-strict unavailable sandbox is not a launch error');
+});
+
+test('launchBackground: validation failure throws BEFORE detach — no process spawned', async () => {
+  let spawned = 0;
+  const spawn = () => { spawned++; return { pid: 1, unref() {} }; };
+  const store = bg.createTaskStore({ rootDir: freshRoot() });
+  await assert.rejects(
+    () => bg.launchBackground({ prompt: '', config: { api_base: 'http://x', default_model: 'm' }, store, spawn }),
+    /Cannot launch background task/,
+  );
+  assert.strictEqual(spawned, 0, 'no child spawned on validation failure (no orphan)');
+  assert.strictEqual(store.list().length, 0, 'no registry record created on validation failure');
+});
+
+test('launchBackground: persists spec + record, detaches, records pid; sandbox defaults ON, opt-out explicit', async () => {
+  const calls = [];
+  const spawn = (cmd, args, opts) => { calls.push({ cmd, args, opts }); return { pid: 9999, unref() {} }; };
+
+  // Default sandbox (auto) — ON in the spec.
+  const store1 = bg.createTaskStore({ rootDir: freshRoot() });
+  const r1 = await bg.launchBackground({
+    prompt: 'do a thing', config: { api_base: 'http://x', default_model: 'm', sandbox: { mode: 'auto' } },
+    store: store1, spawn, resolveKey: () => 'secret-key',
+  });
+  assert.ok(r1.id && r1.pid === 9999);
+  const spec1 = store1.readSpec(r1.id);
+  assert.strictEqual(spec1.sandbox.mode, 'auto', 'sandbox ON by default in the spec');
+  assert.strictEqual(spec1.apiBase, 'http://x');
+  assert.ok(!('apiKey' in spec1) && !JSON.stringify(spec1).includes('secret-key'), 'API key never written to the spec');
+  const meta1 = store1.readMeta(r1.id);
+  assert.strictEqual(meta1.pid, 9999);
+  assert.strictEqual(meta1.status, 'running');
+  // Child argv targets the internal __bg-exec entry with the task dir.
+  const launched = calls.find((c) => c.args.includes('__bg-exec'));
+  assert.ok(launched, '__bg-exec child launched');
+  assert.ok(launched.args.includes(store1.dir(r1.id)), 'task dir passed to child');
+  assert.strictEqual(launched.opts.detached, true, 'child detached');
+  assert.strictEqual(launched.opts.env.SEMALT_API_KEY, 'secret-key', 'key passed via env, not disk');
+  assert.ok(!launched.args.includes('--dangerously-skip-permissions'), 'no skip flag by default');
+
+  // Explicit opt-out: sandbox off + skip-permissions propagated.
+  const store2 = bg.createTaskStore({ rootDir: freshRoot() });
+  const r2 = await bg.launchBackground({
+    prompt: 'danger', config: { api_base: 'http://x', default_model: 'm', sandbox: { mode: 'off' } },
+    policy: bg.buildPolicy({ dangerouslySkipPermissions: true }),
+    store: store2, spawn,
+  });
+  assert.strictEqual(store2.readSpec(r2.id).sandbox.mode, 'off', 'explicit sandbox off honored');
+  const launched2 = calls.filter((c) => c.args.includes('__bg-exec')).pop();
+  assert.ok(launched2.args.includes('--dangerously-skip-permissions'), 'skip flag propagated to child argv');
+});
+
+// --------------------------------------------------------------------------
+// Child execution (real createAgent ↔ mock-LLM)
+// --------------------------------------------------------------------------
+function specFor(store, id, mock, extra = {}) {
+  store.create({
+    id,
+    prompt: extra.prompt || 'do it',
+    model: 'test-model',
+    spec: {
+      version: 1,
+      prompt: extra.prompt || 'do it',
+      apiBase: mock.base,
+      model: 'test-model',
+      contextLength: null,
+      maxIterations: 50,
+      cwd: tmpCwd,
+      policy: extra.policy || bg.buildPolicy({}),
+      sandbox: { mode: 'off', failIfUnavailable: false },
+    },
+  });
+}
+
+test('runBackgroundChild: completes and writes the result envelope', async () => {
+  const mock = await startMockLLM();
+  mock.replyWith('All done — 42.');
+  const store = bg.createTaskStore({ rootDir: freshRoot() });
+  const id = store.genId();
+  specFor(store, id, mock, { prompt: 'answer please' });
+  try {
+    const r = await bg.runBackgroundChild({ taskDir: store.dir(id), store });
+    assert.strictEqual(r.status, 'completed');
+    const result = store.readResult(id);
+    assert.ok(result, 'result.json written');
+    assert.match(result.result, /42/);
+    assert.strictEqual(result.stopReason, 'end_turn');
+    assert.strictEqual(result.verifyStatus, 'skipped');
+    assert.ok(Array.isArray(result.toolCalls));
+    const meta = store.readMeta(id);
+    assert.strictEqual(meta.status, 'completed');
+    assert.ok(meta.finished_at, 'finished_at recorded');
+    const events = store.readEvents(id);
+    assert.ok(events.some((e) => e.type === 'result'), 'result event appended');
+  } finally {
+    await mock.close();
+  }
+});
+
+test('SAFE POSTURE: no policy → a mutating write is REFUSED (paired with: an allow rule permits it)', async () => {
+  // Refuse case — empty policy.
+  const mock1 = await startMockLLM();
+  mock1.replyWith('<write_file path="bg-should-not-exist.txt">secret</write_file>');
+  const store1 = bg.createTaskStore({ rootDir: freshRoot() });
+  const id1 = store1.genId();
+  specFor(store1, id1, mock1, { policy: bg.buildPolicy({}) });
+  try {
+    await bg.runBackgroundChild({ taskDir: store1.dir(id1), store: store1 });
+    assert.strictEqual(fs.existsSync(path.join(tmpCwd, 'bg-should-not-exist.txt')), false, 'write refused with no policy');
+  } finally {
+    await mock1.close();
+  }
+
+  // Paired positive — an allow rule lets the same write proceed.
+  const mock2 = await startMockLLM();
+  mock2.replyWith('<write_file path="bg-allowed.txt">hello bg</write_file>');
+  mock2.replyWith('Wrote it.');
+  const store2 = bg.createTaskStore({ rootDir: freshRoot() });
+  const id2 = store2.genId();
+  specFor(store2, id2, mock2, { policy: bg.buildPolicy({ rules: [{ tool: 'write_file', path: '**', action: 'allow' }] }) });
+  try {
+    const r = await bg.runBackgroundChild({ taskDir: store2.dir(id2), store: store2 });
+    assert.strictEqual(r.status, 'completed');
+    const target = path.join(tmpCwd, 'bg-allowed.txt');
+    assert.strictEqual(fs.existsSync(target), true, 'allow rule permitted the write');
+    assert.strictEqual(fs.readFileSync(target, 'utf8'), 'hello bg');
+  } finally {
+    await mock2.close();
+  }
+});
+
+test('deny-list stays active in the background process', async () => {
+  const mock = await startMockLLM();
+  mock.replyWith('<exec>rm -rf /</exec>');
+  mock.replyWith('Stopped.');
+  const store = bg.createTaskStore({ rootDir: freshRoot() });
+  const id = store.genId();
+  // Allow the exec tier so the GATE passes — the deny-list (which a tier can't
+  // bypass) must still block the destructive command.
+  specFor(store, id, mock, { policy: bg.buildPolicy({ allowedTiers: ['exec'] }) });
+  try {
+    await bg.runBackgroundChild({ taskDir: store.dir(id), store });
+    const events = store.readEvents(id);
+    const blocked = events.some((e) => e.type === 'tool' && e.ok === false && /deny-list/i.test(e.detail || ''));
+    assert.ok(blocked, 'rm -rf / blocked by the deny-list inside the background process');
+  } finally {
+    await mock.close();
+  }
+});
+
+// --------------------------------------------------------------------------
+// Lifecycle reconciliation + kill
+// --------------------------------------------------------------------------
+test('stale detection + prune: a dead "running" task is stale and prunable; a live one is kept', () => {
+  const store = bg.createTaskStore({ rootDir: freshRoot() });
+  const dead = store.genId();
+  store.create({ id: dead, spec: {}, prompt: 'dead' });
+  store.patchMeta(dead, { pid: 424242, status: 'running' });
+  const live = store.genId();
+  store.create({ id: live, spec: {}, prompt: 'live' });
+  store.patchMeta(live, { pid: process.pid, status: 'running' }); // our own pid = alive
+  const done = store.genId();
+  store.create({ id: done, spec: {}, prompt: 'done' });
+  store.patchMeta(done, { status: 'completed' });
+
+  const alive = (pid) => pid === process.pid;
+  assert.strictEqual(bg.effectiveStatus(store.readMeta(dead), alive), 'stale');
+  assert.strictEqual(bg.effectiveStatus(store.readMeta(live), alive), 'running');
+  assert.strictEqual(bg.effectiveStatus(store.readMeta(done), alive), 'completed');
+
+  const prunable = bg.prunableIds(store.list(), alive).sort();
+  assert.deepStrictEqual(prunable.sort(), [dead, done].sort(), 'stale + completed are prunable; live is kept');
+
+  const list = bg.formatTaskList(store.list(), { alive });
+  assert.match(list, /stale task\(s\)/, 'list warns about stale tasks');
+});
+
+test('killTask: tree-kills the recorded pid then marks terminated', async () => {
+  const store = bg.createTaskStore({ rootDir: freshRoot() });
+  const id = store.genId();
+  store.create({ id, spec: {}, prompt: 'runaway' });
+  store.patchMeta(id, { pid: 555, status: 'running' });
+
+  const killed = [];
+  let aliveCalls = 0;
+  // Alive for the first check (so a SIGTERM is sent), dead after the grace wait.
+  const alive = () => { aliveCalls++; return aliveCalls < 2; };
+  const r = await bg.killTask(store, id, {
+    alive,
+    kill: (pid, sig) => { killed.push([pid, sig]); return true; },
+    delay: () => Promise.resolve(),
+  });
+  assert.ok(r.ok);
+  assert.deepStrictEqual(killed[0], [555, 'SIGTERM'], 'SIGTERM sent to the pid');
+  assert.strictEqual(store.readMeta(id).status, 'terminated');
+  assert.ok(store.readMeta(id).finished_at, 'finished_at recorded on kill');
+});
+
+test('killTask: a task whose process already died is finalized, not re-killed', async () => {
+  const store = bg.createTaskStore({ rootDir: freshRoot() });
+  const id = store.genId();
+  store.create({ id, spec: {}, prompt: 'gone' });
+  store.patchMeta(id, { pid: 4242, status: 'running' });
+  let killCalls = 0;
+  const r = await bg.killTask(store, id, { alive: () => false, kill: () => { killCalls++; }, delay: () => Promise.resolve() });
+  assert.ok(r.ok);
+  assert.strictEqual(killCalls, 0, 'no signal sent to an already-dead process');
+  assert.strictEqual(store.readMeta(id).status, 'terminated');
+});
+
+test('a REAL detached process is alive then tree-killable by PID', async () => {
+  const { spawn } = require('child_process');
+  const child = proc.spawnDetached(spawn, process.execPath, ['-e', 'setInterval(() => {}, 1e9)'], { cwd: tmpCwd });
+  child.unref();
+  const pid = child.pid;
+  assert.ok(proc.isProcessAlive(pid), 'detached child is alive');
+  proc.killTreeByPid(pid, 'SIGKILL');
+  // Poll for death (tree-kill is async at the OS level).
+  let aliveAfter = true;
+  for (let i = 0; i < 50; i++) {
+    if (!proc.isProcessAlive(pid)) { aliveAfter = false; break; }
+    await sleep(20);
+  }
+  assert.strictEqual(aliveAfter, false, 'real detached process is dead after tree-kill');
+});
+
+// --------------------------------------------------------------------------
+// End-to-end: a REAL detached `__bg-exec` process writes the result envelope
+// --------------------------------------------------------------------------
+test('E2E: a real detached child runs the agent and writes the result envelope (survives parent return)', async () => {
+  const mock = await startMockLLM();
+  mock.replyWith('Background says hello.');
+  const root = freshRoot();
+  const store = bg.createTaskStore({ rootDir: root });
+  const { spawn } = require('child_process');
+  const { id } = await bg.launchBackground({
+    prompt: 'say hello',
+    config: { api_base: mock.base, default_model: 'test-model', sandbox: { mode: 'off' }, max_iterations: 50 },
+    sandboxConfig: { mode: 'off' },
+    model: 'test-model',
+    cwd: tmpCwd,
+    store,
+    spawn,
+    resolveKey: () => 'test-key',
+  });
+  try {
+    // The launcher has returned; the detached child runs independently.
+    let meta;
+    for (let i = 0; i < 200; i++) {
+      meta = store.readMeta(id);
+      if (meta && bg.TERMINAL_STATUSES.has(meta.status)) break;
+      await sleep(50);
+    }
+    assert.ok(meta && meta.status === 'completed', `child completed (status=${meta && meta.status})`);
+    const result = store.readResult(id);
+    assert.ok(result, 'result envelope written by the detached child');
+    assert.match(result.result, /hello/i);
+    assert.strictEqual(result.stopReason, 'end_turn');
+  } finally {
+    await mock.close();
+  }
+});
+
+// --------------------------------------------------------------------------
+// Tool-exposure decision (constraint 5)
+// --------------------------------------------------------------------------
+test('background-launch is NOT exposed as an agent tool', () => {
+  const { TOOL_SPECS } = require('../lib/tool_specs');
+  const { TAG_REGISTRY } = require('../lib/constants');
+  const reg = require('../lib/tool_registry');
+  const forbidden = ['run_background', 'spawn_background', 'background', 'launch_background', 'bg_run'];
+  for (const name of forbidden) {
+    assert.ok(!(name in TOOL_SPECS), `${name} must not be a tool spec`);
+    assert.ok(!(name in TAG_REGISTRY), `${name} must not be a registered tag`);
+  }
+  const dynamic = reg.dynamicToolEntries().map((e) => e.tool);
+  assert.ok(!dynamic.some((n) => /background/i.test(n)), 'no dynamic background-launch tool registered');
+});

package/test/chat-history-nocolor.test.js

@@ -0,0 +1,155 @@
+'use strict';
+
+// NO_COLOR sweep for lib/ui/chat-history.js chrome.
+//
+// Two-sided per surface (mirrors theme-palette.test.js): under NO_COLOR=1 (or
+// non-TTY) every chrome site must emit ZERO ANSI, while a colour-ON render must
+// still carry an `\x1b[` escape — proving the gate is CONDITIONAL, not a blanket
+// strip. Glyphs (✓ ✗ ● ⚠ •) are NOT colour and must survive into NO_COLOR.
+
+const { test } = require('node:test');
+const assert = require('node:assert');
+
+const { ChatHistory } = require('../lib/ui/chat-history');
+const { UI_ICONS } = require('../lib/ui/theme');
+
+// Render one message through a ChatHistory, capturing everything that would
+// reach scrollback (incl. any committed detail band). Seams overridden the same
+// way the class documents for tests (_commit / _setDetail / _commitDetail).
+function render(msg, { color }) {
+  const origTTY = process.stdout.isTTY;
+  const origNoColor = process.env.NO_COLOR;
+  if (color) {
+    process.stdout.isTTY = true;
+    delete process.env.NO_COLOR;
+  } else {
+    process.stdout.isTTY = true;       // TTY on, NO_COLOR forces it off
+    process.env.NO_COLOR = '1';
+  }
+  try {
+    const h = new ChatHistory();
+    const chunks = [];
+    h._commit = (t) => chunks.push(t);
+    h._setDetail = () => {};
+    h._commitDetail = (t) => { if (t) chunks.push(t); };
+    h.addMessage(msg);
+    return chunks.join('');
+  } finally {
+    process.stdout.isTTY = origTTY;
+    if (origNoColor === undefined) delete process.env.NO_COLOR;
+    else process.env.NO_COLOR = origNoColor;
+  }
+}
+
+// Assert the gate is conditional for a given message: plain under NO_COLOR,
+// escaped under colour-ON. `glyphs` (if any) must appear in BOTH renders.
+function assertGated(label, msg, glyphs = []) {
+  const off = render(msg, { color: false });
+  const on = render(msg, { color: true });
+  assert.ok(!off.includes('\x1b'), `${label}: zero ANSI under NO_COLOR`);
+  assert.ok(on.includes('\x1b['), `${label}: colour-ON still emits ANSI`);
+  for (const g of glyphs) {
+    assert.ok(off.includes(g), `${label}: glyph ${JSON.stringify(g)} survives NO_COLOR`);
+    assert.ok(on.includes(g), `${label}: glyph ${JSON.stringify(g)} present colour-ON`);
+  }
+}
+
+// (a) user bubble — also the EL (\x1b[K) must be gone, not just the SGR colours.
+test('user bubble: gated, and NO_COLOR carries no stray EL escape', () => {
+  const msg = { role: 'user', content: 'hello\nworld', ts: new Date('2026-06-22T10:00:00Z') };
+  assertGated('user bubble', msg);
+  const off = render(msg, { color: false });
+  assert.ok(!off.includes('\x1b[K'), 'no erase-to-EOL leaks under NO_COLOR');
+  assert.ok(!off.includes('\x1b'), 'user bubble is byte-clean of every escape');
+  const on = render(msg, { color: true });
+  assert.ok(on.includes('\x1b[K'), 'EL still present colour-ON (fills bg tint to edge)');
+});
+
+// (b) tool summary — both the history (summarizeToolResult) and legacy-header
+// branches. Status glyph must survive.
+test('tool summary (history branch): gated, ✓ glyph preserved', () => {
+  assertGated('tool summary history', { role: 'tool', content: 'Read 5 lines' }, [UI_ICONS.success]);
+});
+
+test('tool summary (legacy header branch): gated, ✓ glyph + category preserved', () => {
+  const msg = { role: 'tool', tag: 'read_file', content: 'foo.js', output: 'line one\n' };
+  assertGated('tool summary legacy', msg, [UI_ICONS.success]);
+  const off = render(msg, { color: false });
+  assert.ok(off.includes('file:'), 'category label still rendered under NO_COLOR');
+});
+
+// (c) shell echo.
+test('shell echo: gated', () => {
+  assertGated('shell echo', { role: 'shell', cmd: 'ls -la', content: 'file1\nfile2' });
+});
+
+// (d) permission message — ⚠ glyph preserved.
+test('permission message: gated, ⚠ glyph preserved', () => {
+  assertGated('permission', { role: 'permission', content: 'approve shell?' }, [UI_ICONS.warn]);
+});
+
+// (e) system/fallback error — ✗ glyph preserved, multi-line continuation gated.
+test('system/fallback error: gated, ✗ glyph preserved', () => {
+  assertGated('system error', { role: 'system', isError: true, content: 'boom\ndetail line' }, [UI_ICONS.error]);
+});
+
+// (f) output-preview band (collapsible shell/MCP/subagent body).
+//
+// The band's BODY lines route their content through formatOutputPreview →
+// truncateVisible (lib/ui/utils.js). truncateVisible now appends its defensive
+// `\x1b[0m` ONLY when the (possibly truncated) output already contains an escape
+// (content-conditional), so for escape-free body content the band is fully
+// escape-clean under NO_COLOR — body lines included. We assert that here in
+// addition to this file's own chrome gating (DIM / subtle / FG_DARK wrappers).
+//
+// A tool's output can carry the child process's OWN SGR escapes into the body.
+// formatOutputPreview now strips those under NO_COLOR (a stripAnsi pass gated on
+// colorEnabled, BEFORE truncateVisible) so the body line is byte-clean; with
+// colour on the captured colour is preserved. Asserted two-sided below.
+//
+// NOTE (out of scope, deferred): the strip is SGR-only (the shared stripAnsi
+// regex /\x1b\[[^m]*m/g). A non-SGR escape in the body (EL `\x1b[K`, cursor
+// moves, OSC titles) is NOT removed and would still trip truncateVisible's
+// defensive RST, so such a line would not be fully byte-clean under NO_COLOR.
+// Closing that needs a broader strip with over-stripping/measurement trade-offs.
+const DIM = '\x1b[2m';
+const SUBTLE = '\x1b[38;5;244m';
+const FG_DARK = '\x1b[38;5;240m';
+
+test('output-preview band: escape-free body is fully clean under NO_COLOR; chrome gated', () => {
+  const output = ['l1', 'l2', 'l3', 'l4', 'l5', 'l6'].join('\n');
+  const msg = { role: 'tool', output, previewLines: 2 };
+  const off = render(msg, { color: false });
+  const on = render(msg, { color: true });
+  // None of this file's chrome colours leak when colour is off.
+  for (const code of [DIM, SUBTLE, FG_DARK]) {
+    assert.ok(!off.includes(code), `band chrome ${JSON.stringify(code)} gated under NO_COLOR`);
+  }
+  // With escape-free body content the WHOLE band — body lines + hint — is now
+  // byte-clean of every escape (no residual truncateVisible RST leak).
+  assert.ok(!off.includes('\x1b'), 'whole band is escape-clean under NO_COLOR for escape-free body');
+  const bodyLine = off.split('\n').find((l) => l.includes('l1'));
+  assert.ok(bodyLine && !bodyLine.includes('\x1b'), 'preview body line carries no trailing RST under NO_COLOR');
+  const hint = off.split('\n').find((l) => l.includes('more lines'));
+  assert.ok(hint && !hint.includes('\x1b'), 'the "… more lines" hint is escape-clean');
+  // Colour-ON still paints the chrome — proving the gate is conditional.
+  assert.ok(on.includes(DIM) && on.includes(SUBTLE), 'band chrome present colour-ON');
+});
+
+// (g) subprocess ANSI in the body — the leak this fix closes. A child process's
+// own SGR (e.g. a coloured compiler/test line) is stripped under NO_COLOR so the
+// body line is byte-clean, and preserved when colour is on.
+test('output-preview band: subprocess SGR stripped under NO_COLOR, preserved colour-ON', () => {
+  const output = ['\x1b[31mred\x1b[0m line', 'plain line'].join('\n');
+  const msg = { role: 'tool', output, previewLines: 5 };
+  const off = render(msg, { color: false });
+  const on = render(msg, { color: true });
+  // Under NO_COLOR the body line carrying subprocess SGR is fully escape-clean.
+  const offBody = off.split('\n').find((l) => l.includes('red'));
+  assert.ok(offBody, 'the subprocess-coloured body line is rendered');
+  assert.ok(!offBody.includes('\x1b'), 'subprocess SGR stripped from body under NO_COLOR');
+  assert.ok(!off.includes('\x1b'), 'whole band escape-clean under NO_COLOR with subprocess SGR input');
+  // Colour-ON preserves the captured command colour in the body.
+  const onBody = on.split('\n').find((l) => l.includes('red'));
+  assert.ok(onBody && onBody.includes('\x1b[31m'), 'command colour preserved in body colour-ON');
+});