@syntesseraai/opencode-feature-factory 0.2.3 → 0.2.4

package/src/stop-quality-gate.test.ts

@@ -1,655 +0,0 @@
-/**
- * Unit tests for stop-quality-gate module
- *
- * Tests focus on pure functions that can be tested in isolation:
- * - sanitizeOutput: redacts secrets from CI output
- * - isSessionReadOnly: determines if session has write permissions
- */
-
-import { sanitizeOutput, truncateOutput } from './stop-quality-gate';
-
-interface PermissionRule {
-  permission: string;
-  pattern: string;
-  action: 'allow' | 'deny' | 'ask';
-}
-
-function isSessionReadOnly(permission?: PermissionRule[]): boolean {
-  if (!permission) return false;
-  return permission.some(
-    (rule) => (rule.permission === 'edit' || rule.permission === 'bash') && rule.action === 'deny'
-  );
-}
-
-describe('sanitizeOutput', () => {
-  describe('AWS credentials', () => {
-    it('should redact AWS Access Key IDs', () => {
-      const input = 'Found credentials: AKIAIOSFODNN7EXAMPLE in config';
-      const result = sanitizeOutput(input);
-      expect(result).toBe('Found credentials: [REDACTED_AWS_KEY] in config');
-    });
-
-    it('should redact multiple AWS keys', () => {
-      const input = 'Key1: AKIAIOSFODNN7EXAMPLE Key2: AKIAI44QH8DHBEXAMPLE';
-      const result = sanitizeOutput(input);
-      expect(result).toBe('Key1: [REDACTED_AWS_KEY] Key2: [REDACTED_AWS_KEY]');
-    });
-
-    it('should not redact partial AWS key patterns', () => {
-      const input = 'AKIA123'; // Too short
-      const result = sanitizeOutput(input);
-      expect(result).toBe('AKIA123');
-    });
-  });
-
-  describe('GitHub tokens', () => {
-    it('should redact GitHub Personal Access Tokens (classic)', () => {
-      const input = 'Using ghp_aBcDeFgHiJkLmNoPqRsTuVwXyZ0123456789';
-      const result = sanitizeOutput(input);
-      expect(result).toBe('Using [REDACTED_GH_TOKEN]');
-    });
-
-    it('should redact GitHub Personal Access Tokens (fine-grained)', () => {
-      const input = 'Using github_pat_11ABCDEFG_abcdefghijklmnopqrstuvwxyz';
-      const result = sanitizeOutput(input);
-      expect(result).toBe('Using [REDACTED_GH_TOKEN]');
-    });
-
-    it('should redact GitHub OAuth tokens', () => {
-      const input = 'oauth=gho_aBcDeFgHiJkLmNoPqRsTuVwXyZ0123456789';
-      const result = sanitizeOutput(input);
-      expect(result).toBe('oauth=[REDACTED_GH_TOKEN]');
-    });
-
-    it('should redact GitHub App user-to-server tokens', () => {
-      const input = 'Using ghu_aBcDeFgHiJkLmNoPqRsTuVwXyZ0123456789';
-      const result = sanitizeOutput(input);
-      expect(result).toBe('Using [REDACTED_GH_TOKEN]');
-    });
-
-    it('should redact GitHub App server-to-server tokens', () => {
-      const input = 'Using ghs_aBcDeFgHiJkLmNoPqRsTuVwXyZ0123456789';
-      const result = sanitizeOutput(input);
-      expect(result).toBe('Using [REDACTED_GH_TOKEN]');
-    });
-
-    it('should not redact partial GitHub token patterns', () => {
-      const input = 'ghp_abc'; // Too short
-      const result = sanitizeOutput(input);
-      expect(result).toBe('ghp_abc');
-    });
-  });
-
-  describe('GitLab tokens', () => {
-    it('should redact GitLab Personal Access Tokens', () => {
-      const input = 'Using glpat-abcdefghij1234567890';
-      const result = sanitizeOutput(input);
-      expect(result).toBe('Using [REDACTED_GITLAB_TOKEN]');
-    });
-
-    it('should redact GitLab tokens with hyphens', () => {
-      const input = 'Using glpat-abc-def-ghi-jkl-mnop-qrs';
-      const result = sanitizeOutput(input);
-      expect(result).toBe('Using [REDACTED_GITLAB_TOKEN]');
-    });
-
-    it('should not redact partial GitLab token patterns', () => {
-      const input = 'glpat-short'; // Too short
-      const result = sanitizeOutput(input);
-      expect(result).toBe('glpat-short');
-    });
-  });
-
-  describe('npm tokens', () => {
-    it('should redact npm tokens', () => {
-      const input = 'Using npm_aBcDeFgHiJkLmNoPqRsTuVwXyZ0123456789';
-      const result = sanitizeOutput(input);
-      expect(result).toBe('Using [REDACTED_NPM_TOKEN]');
-    });
-
-    it('should not redact partial npm token patterns', () => {
-      const input = 'npm_abc'; // Too short
-      const result = sanitizeOutput(input);
-      expect(result).toBe('npm_abc');
-    });
-  });
-
-  describe('Bearer tokens', () => {
-    it('should redact Bearer tokens', () => {
-      const input = 'Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9';
-      const result = sanitizeOutput(input);
-      expect(result).toBe('Authorization: Bearer [REDACTED]');
-    });
-
-    it('should handle case-insensitive Bearer', () => {
-      const input = 'bearer abc123-token.value';
-      const result = sanitizeOutput(input);
-      expect(result).toBe('Bearer [REDACTED]');
-    });
-  });
-
-  describe('API keys', () => {
-    it('should redact api_key assignments', () => {
-      const input = 'api_key=sk-1234567890abcdef';
-      const result = sanitizeOutput(input);
-      expect(result).toBe('api_key=[REDACTED]');
-    });
-
-    it('should redact api-key with hyphen', () => {
-      const input = 'api-key: my-secret-key';
-      const result = sanitizeOutput(input);
-      expect(result).toBe('api_key=[REDACTED]');
-    });
-
-    it('should redact apikey without separator', () => {
-      const input = 'apikey=abc123';
-      const result = sanitizeOutput(input);
-      expect(result).toBe('api_key=[REDACTED]');
-    });
-
-    it('should redact quoted api keys', () => {
-      const input = "api_key='secret-value'";
-      const result = sanitizeOutput(input);
-      expect(result).toBe('api_key=[REDACTED]');
-    });
-  });
-
-  describe('tokens', () => {
-    it('should redact token assignments with 8+ char values', () => {
-      const input = 'token=ghp_xxxxxxxxxxxxxxxxxxxx';
-      const result = sanitizeOutput(input);
-      expect(result).toBe('token=[REDACTED]');
-    });
-
-    it('should redact tokens plural with 8+ char values', () => {
-      const input = 'tokens: secret12345';
-      const result = sanitizeOutput(input);
-      expect(result).toBe('token=[REDACTED]');
-    });
-
-    it('should NOT redact token with short values (less than 8 chars)', () => {
-      const input = 'token=abc123';
-      const result = sanitizeOutput(input);
-      expect(result).toBe('token=abc123');
-    });
-
-    it('should NOT redact phrases like "token count: 5" (value too short)', () => {
-      const input = 'token count: 5';
-      const result = sanitizeOutput(input);
-      expect(result).toBe('token count: 5');
-    });
-
-    it('should NOT redact "token: abc" (value too short)', () => {
-      const input = 'token: abc';
-      const result = sanitizeOutput(input);
-      expect(result).toBe('token: abc');
-    });
-
-    it('should redact actual token values that are 8+ chars', () => {
-      const input = 'token=abcd1234efgh';
-      const result = sanitizeOutput(input);
-      expect(result).toBe('token=[REDACTED]');
-    });
-
-    it('should redact quoted tokens with 8+ char values', () => {
-      const input = 'token="my-secret-token-value"';
-      const result = sanitizeOutput(input);
-      expect(result).toBe('token=[REDACTED]');
-    });
-  });
-
-  describe('passwords', () => {
-    it('should redact password assignments', () => {
-      const input = 'password=super-secret-123!';
-      const result = sanitizeOutput(input);
-      expect(result).toBe('password=[REDACTED]');
-    });
-
-    it('should redact passwords plural', () => {
-      const input = 'passwords: "admin123"';
-      const result = sanitizeOutput(input);
-      expect(result).toBe('password=[REDACTED]');
-    });
-
-    it('should handle special characters in passwords', () => {
-      const input = 'password=P@$$w0rd!#%';
-      const result = sanitizeOutput(input);
-      expect(result).toBe('password=[REDACTED]');
-    });
-  });
-
-  describe('generic secrets', () => {
-    it('should redact secret assignments', () => {
-      const input = 'secret=my-app-secret-key';
-      const result = sanitizeOutput(input);
-      expect(result).toBe('secret=[REDACTED]');
-    });
-
-    it('should redact secrets plural', () => {
-      const input = 'secrets: "confidential-data"';
-      const result = sanitizeOutput(input);
-      expect(result).toBe('secret=[REDACTED]');
-    });
-  });
-
-  describe('base64 strings', () => {
-    it('should redact long base64-like strings', () => {
-      const base64 = 'YWJjZGVmZ2hpamtsbW5vcHFyc3R1dnd4eXoxMjM0NTY3ODk=';
-      const input = `Encoded value: ${base64}`;
-      const result = sanitizeOutput(input);
-      expect(result).toBe('Encoded value: [REDACTED_BASE64]');
-    });
-
-    it('should not redact short base64 strings', () => {
-      const input = 'Short: abc123';
-      const result = sanitizeOutput(input);
-      expect(result).toBe('Short: abc123');
-    });
-
-    it('should redact base64 without padding', () => {
-      const base64 = 'YWJjZGVmZ2hpamtsbW5vcHFyc3R1dnd4eXoxMjM0NTY3ODkw';
-      const result = sanitizeOutput(base64);
-      expect(result).toBe('[REDACTED_BASE64]');
-    });
-
-    it('should redact base64 strings up to 500 chars (ReDoS prevention)', () => {
-      // Generate a 500-char base64 string
-      const base64 = 'A'.repeat(500);
-      const result = sanitizeOutput(base64);
-      expect(result).toBe('[REDACTED_BASE64]');
-    });
-
-    it('should handle base64 strings over 500 chars by matching only first 500 (ReDoS prevention)', () => {
-      // Generate a 501-char base64 string - only first 500 chars match
-      const base64 = 'A'.repeat(501);
-      const result = sanitizeOutput(base64);
-      // Pattern matches the first 500 chars, leaving 1 char behind
-      expect(result).toBe('[REDACTED_BASE64]A');
-    });
-
-    it('should handle base64 at exactly 40 chars (minimum threshold)', () => {
-      const base64 = 'A'.repeat(40);
-      const result = sanitizeOutput(base64);
-      expect(result).toBe('[REDACTED_BASE64]');
-    });
-
-    it('should NOT redact base64 strings under 40 chars', () => {
-      const base64 = 'A'.repeat(39);
-      const result = sanitizeOutput(base64);
-      expect(result).toBe(base64);
-    });
-  });
-
-  describe('multiple secrets', () => {
-    it('should redact multiple different secret types', () => {
-      const input = `
-        AWS_KEY: AKIAIOSFODNN7EXAMPLE
-        Auth: Bearer my-jwt-token
-        password=admin123
-      `;
-      const result = sanitizeOutput(input);
-      expect(result).toContain('[REDACTED_AWS_KEY]');
-      expect(result).toContain('Bearer [REDACTED]');
-      expect(result).toContain('password=[REDACTED]');
-      expect(result).not.toContain('AKIAIOSFODNN7EXAMPLE');
-      expect(result).not.toContain('my-jwt-token');
-      expect(result).not.toContain('admin123');
-    });
-  });
-
-  describe('private keys', () => {
-    it('should redact RSA private keys', () => {
-      const input = `-----BEGIN RSA PRIVATE KEY-----
-MIIEowIBAAKCAQEA0Z3VS5JJcds3xfn/ygWyF8PbnGy
------END RSA PRIVATE KEY-----`;
-      const result = sanitizeOutput(input);
-      expect(result).toBe('[REDACTED_PRIVATE_KEY]');
-    });
-
-    it('should redact OpenSSH private keys', () => {
-      const input = `-----BEGIN OPENSSH PRIVATE KEY-----
-b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAA
------END OPENSSH PRIVATE KEY-----`;
-      const result = sanitizeOutput(input);
-      expect(result).toBe('[REDACTED_PRIVATE_KEY]');
-    });
-
-    it('should redact EC private keys', () => {
-      const input = `-----BEGIN EC PRIVATE KEY-----
-MHQCAQEEICg7E4NN6YPWoU6/FXa5ON6Pt6LKBfA8WL
------END EC PRIVATE KEY-----`;
-      const result = sanitizeOutput(input);
-      expect(result).toBe('[REDACTED_PRIVATE_KEY]');
-    });
-
-    it('should redact generic private keys', () => {
-      const input = `-----BEGIN PRIVATE KEY-----
-MIIEvgIBADANBgkqhkiG9w0BAQEFAASC
------END PRIVATE KEY-----`;
-      const result = sanitizeOutput(input);
-      expect(result).toBe('[REDACTED_PRIVATE_KEY]');
-    });
-
-    it('should redact private keys embedded in output', () => {
-      const input = `Loading configuration...
------BEGIN RSA PRIVATE KEY-----
-MIIEowIBAAKCAQEA0Z3VS5JJcds3xfn/ygWyF8PbnGy
------END RSA PRIVATE KEY-----
-Done loading.`;
-      const result = sanitizeOutput(input);
-      expect(result).toBe(`Loading configuration...
-[REDACTED_PRIVATE_KEY]
-Done loading.`);
-    });
-  });
-
-  describe('GCP credentials', () => {
-    it('should redact GCP API keys', () => {
-      const input = 'Using GCP key: AIzaSyDaGmWKa4JsXZ-HjGw7ISLn_3namBGewQe';
-      const result = sanitizeOutput(input);
-      expect(result).toBe('Using GCP key: [REDACTED_GCP_KEY]');
-    });
-
-    it('should redact multiple GCP API keys', () => {
-      const input =
-        'Key1: AIzaSyDaGmWKa4JsXZ-HjGw7ISLn_3namBGewQe Key2: AIzaSyB-1234567890abcdefghijklmnopqrstu';
-      const result = sanitizeOutput(input);
-      expect(result).toBe('Key1: [REDACTED_GCP_KEY] Key2: [REDACTED_GCP_KEY]');
-    });
-
-    it('should not redact partial GCP API key patterns', () => {
-      const input = 'AIza123'; // Too short
-      const result = sanitizeOutput(input);
-      expect(result).toBe('AIza123');
-    });
-
-    it('should redact GCP OAuth tokens', () => {
-      const input = 'Authorization: ya29.a0AfH6SMBx-example-token-value_123';
-      const result = sanitizeOutput(input);
-      expect(result).toBe('Authorization: [REDACTED_GCP_TOKEN]');
-    });
-
-    it('should redact GCP OAuth tokens with various characters', () => {
-      const input = 'token=ya29.Gl-abc_XYZ-123';
-      const result = sanitizeOutput(input);
-      expect(result).toBe('token=[REDACTED_GCP_TOKEN]');
-    });
-  });
-
-  describe('Slack tokens', () => {
-    it('should redact Slack bot tokens', () => {
-      const input = 'SLACK_BOT_TOKEN=xoxb-123456789012-1234567890123-AbCdEfGhIjKlMnOpQrStUvWx';
-      const result = sanitizeOutput(input);
-      expect(result).toBe('SLACK_BOT_TOKEN=[REDACTED_SLACK_TOKEN]');
-    });
-
-    it('should redact Slack user tokens', () => {
-      const input =
-        'Using xoxp-123456789012-123456789012-123456789012-abcdef1234567890abcdef1234567890';
-      const result = sanitizeOutput(input);
-      expect(result).toBe('Using [REDACTED_SLACK_TOKEN]');
-    });
-
-    it('should redact Slack app tokens', () => {
-      const input =
-        'APP_TOKEN=xapp-1-A0123BCDEFG-1234567890123-abcdefghijklmnopqrstuvwxyz0123456789';
-      const result = sanitizeOutput(input);
-      expect(result).toBe('APP_TOKEN=[REDACTED_SLACK_TOKEN]');
-    });
-
-    it('should redact Slack webhook URLs', () => {
-      const input =
-        'Webhook: https://hooks.slack.com/services/T00000000/B00000000/XXXXXXXXXXXXXXXXXXXXXXXX';
-      const result = sanitizeOutput(input);
-      expect(result).toBe('Webhook: https://[REDACTED_SLACK_WEBHOOK]');
-    });
-
-    it('should redact multiple different Slack token types', () => {
-      const input = `
-        Bot: xoxb-123-456-abc
-        User: xoxp-789-012-def
-        App: xapp-345-ghi
-      `;
-      const result = sanitizeOutput(input);
-      expect(result).toContain('[REDACTED_SLACK_TOKEN]');
-      expect(result).not.toContain('xoxb-');
-      expect(result).not.toContain('xoxp-');
-      expect(result).not.toContain('xapp-');
-    });
-  });
-
-  describe('Stripe keys', () => {
-    it('should redact Stripe live secret keys', () => {
-      // 24 chars after sk_live_: 51ABC123DEF456GHI789JKLM
-      const input = 'STRIPE_SECRET_KEY=sk_live_51ABC123DEF456GHI789JKLM';
-      const result = sanitizeOutput(input);
-      expect(result).toBe('STRIPE_SECRET_KEY=[REDACTED_STRIPE_KEY]');
-    });
-
-    it('should redact Stripe test secret keys', () => {
-      // 24 chars after sk_test_: 51ABC123DEF456GHI789JKLM
-      const input = 'Using sk_test_51ABC123DEF456GHI789JKLM for testing';
-      const result = sanitizeOutput(input);
-      expect(result).toBe('Using [REDACTED_STRIPE_KEY] for testing');
-    });
-
-    it('should redact Stripe live restricted keys', () => {
-      // 24 chars after rk_live_: 51ABC123DEF456GHI789JKLM
-      const input = 'RESTRICTED_KEY=rk_live_51ABC123DEF456GHI789JKLM';
-      const result = sanitizeOutput(input);
-      expect(result).toBe('RESTRICTED_KEY=[REDACTED_STRIPE_KEY]');
-    });
-
-    it('should redact Stripe test restricted keys', () => {
-      // 24 chars after rk_test_: 51ABC123DEF456GHI789JKLM
-      const input = 'Using rk_test_51ABC123DEF456GHI789JKLM for testing';
-      const result = sanitizeOutput(input);
-      expect(result).toBe('Using [REDACTED_STRIPE_KEY] for testing');
-    });
-
-    it('should not redact Stripe keys that are too short', () => {
-      const input = 'sk_live_short'; // Less than 24 characters after prefix
-      const result = sanitizeOutput(input);
-      expect(result).toBe('sk_live_short');
-    });
-
-    it('should redact multiple Stripe keys', () => {
-      // 24 chars after each prefix
-      const input = 'Live: sk_live_51ABC123DEF456GHI789JKLM Test: sk_test_51XYZ789ABC123DEF456GHIJ';
-      const result = sanitizeOutput(input);
-      expect(result).toBe('Live: [REDACTED_STRIPE_KEY] Test: [REDACTED_STRIPE_KEY]');
-    });
-
-    it('should redact long Stripe keys', () => {
-      const input = 'sk_live_51ABC123DEF456GHI789JKLmnopqrstuvwxyz0123456789ABCDEFGHIJKLMNOP';
-      const result = sanitizeOutput(input);
-      expect(result).toBe('[REDACTED_STRIPE_KEY]');
-    });
-  });
-
-  describe('database connection strings', () => {
-    it('should redact PostgreSQL connection strings', () => {
-      const input = 'DATABASE_URL=postgres://admin:secretpass123@db.example.com:5432/mydb';
-      const result = sanitizeOutput(input);
-      expect(result).toBe('DATABASE_URL=[REDACTED_CONNECTION_STRING]');
-    });
-
-    it('should redact MongoDB connection strings with +srv', () => {
-      const input = 'Connecting to mongodb+srv://user:p@ssw0rd@cluster.mongodb.net/database';
-      const result = sanitizeOutput(input);
-      expect(result).toBe('Connecting to [REDACTED_CONNECTION_STRING]');
-    });
-
-    it('should redact Redis connection strings', () => {
-      const input = 'REDIS_URL=redis://default:myredispassword@redis.example.com:6379';
-      const result = sanitizeOutput(input);
-      expect(result).toBe('REDIS_URL=[REDACTED_CONNECTION_STRING]');
-    });
-
-    it('should redact MySQL connection strings', () => {
-      const input = 'mysql://root:rootpassword@localhost:3306/testdb';
-      const result = sanitizeOutput(input);
-      expect(result).toBe('[REDACTED_CONNECTION_STRING]');
-    });
-
-    it('should redact rediss (TLS) connection strings', () => {
-      const input = 'rediss://user:password@secure-redis.example.com:6380';
-      const result = sanitizeOutput(input);
-      expect(result).toBe('[REDACTED_CONNECTION_STRING]');
-    });
-
-    it('should redact connection strings with URL-encoded passwords', () => {
-      const input = 'mongodb://user:p%40ss%23word@host/db';
-      const result = sanitizeOutput(input);
-      expect(result).toBe('[REDACTED_CONNECTION_STRING]');
-    });
-
-    it('should redact PostgreSQL with URL-encoded @ in password', () => {
-      const input = 'postgres://admin:secret%40pass@db.example.com:5432/mydb';
-      const result = sanitizeOutput(input);
-      expect(result).toBe('[REDACTED_CONNECTION_STRING]');
-    });
-
-    it('should redact connection strings with multiple URL-encoded characters', () => {
-      const input = 'mysql://root:p%40ss%3Dw%26rd%21@localhost:3306/testdb';
-      const result = sanitizeOutput(input);
-      expect(result).toBe('[REDACTED_CONNECTION_STRING]');
-    });
-
-    it('should redact MongoDB+srv with URL-encoded password', () => {
-      const input = 'mongodb+srv://user:my%40complex%23pass@cluster.mongodb.net/database';
-      const result = sanitizeOutput(input);
-      expect(result).toBe('[REDACTED_CONNECTION_STRING]');
-    });
-  });
-
-  describe('non-secret content', () => {
-    it('should preserve normal log output', () => {
-      const input = 'Build completed successfully in 2.5s';
-      const result = sanitizeOutput(input);
-      expect(result).toBe(input);
-    });
-
-    it('should preserve error messages without secrets', () => {
-      const input = 'Error: Cannot find module "./missing-file"';
-      const result = sanitizeOutput(input);
-      expect(result).toBe(input);
-    });
-
-    it('should preserve stack traces', () => {
-      const input = `
-        Error: Test failed
-          at Object.<anonymous> (/app/test.js:10:5)
-          at Module._compile (internal/modules/cjs/loader.js:1085:14)
-      `;
-      const result = sanitizeOutput(input);
-      expect(result).toBe(input);
-    });
-  });
-});
-
-describe('isSessionReadOnly', () => {
-  it('should return false when no permissions provided', () => {
-    expect(isSessionReadOnly(undefined)).toBe(false);
-  });
-
-  it('should return false for empty permissions array', () => {
-    expect(isSessionReadOnly([])).toBe(false);
-  });
-
-  it('should return true when edit permission is denied', () => {
-    const permissions: PermissionRule[] = [{ permission: 'edit', pattern: '*', action: 'deny' }];
-    expect(isSessionReadOnly(permissions)).toBe(true);
-  });
-
-  it('should return true when bash permission is denied', () => {
-    const permissions: PermissionRule[] = [{ permission: 'bash', pattern: '*', action: 'deny' }];
-    expect(isSessionReadOnly(permissions)).toBe(true);
-  });
-
-  it('should return false when edit permission is allowed', () => {
-    const permissions: PermissionRule[] = [{ permission: 'edit', pattern: '*', action: 'allow' }];
-    expect(isSessionReadOnly(permissions)).toBe(false);
-  });
-
-  it('should return false when edit permission requires ask', () => {
-    const permissions: PermissionRule[] = [{ permission: 'edit', pattern: '*', action: 'ask' }];
-    expect(isSessionReadOnly(permissions)).toBe(false);
-  });
-
-  it('should return false for other denied permissions', () => {
-    const permissions: PermissionRule[] = [{ permission: 'read', pattern: '*', action: 'deny' }];
-    expect(isSessionReadOnly(permissions)).toBe(false);
-  });
-
-  it('should check all permissions and return true if any edit/bash is denied', () => {
-    const permissions: PermissionRule[] = [
-      { permission: 'read', pattern: '*', action: 'allow' },
-      { permission: 'write', pattern: '*', action: 'allow' },
-      { permission: 'edit', pattern: '*.ts', action: 'deny' },
-    ];
-    expect(isSessionReadOnly(permissions)).toBe(true);
-  });
-
-  it('should return true if bash is denied even if edit is allowed', () => {
-    const permissions: PermissionRule[] = [
-      { permission: 'edit', pattern: '*', action: 'allow' },
-      { permission: 'bash', pattern: '*', action: 'deny' },
-    ];
-    expect(isSessionReadOnly(permissions)).toBe(true);
-  });
-});
-
-describe('truncateOutput', () => {
-  it('should return output unchanged if under maxLines', () => {
-    const input = 'line1\nline2\nline3';
-    expect(truncateOutput(input, 20)).toBe(input);
-  });
-
-  it('should return output unchanged if exactly at maxLines', () => {
-    const lines = Array.from({ length: 20 }, (_, i) => `line${i + 1}`);
-    const input = lines.join('\n');
-    expect(truncateOutput(input, 20)).toBe(input);
-  });
-
-  it('should truncate to last 20 lines by default', () => {
-    const lines = Array.from({ length: 30 }, (_, i) => `line${i + 1}`);
-    const input = lines.join('\n');
-    const result = truncateOutput(input);
-
-    expect(result).toContain('... (10 lines omitted)');
-    expect(result).toContain('line11');
-    expect(result).toContain('line30');
-    expect(result).not.toContain('line1\n');
-    expect(result).not.toContain('line10\n');
-  });
-
-  it('should truncate to custom maxLines', () => {
-    const lines = Array.from({ length: 15 }, (_, i) => `line${i + 1}`);
-    const input = lines.join('\n');
-    const result = truncateOutput(input, 5);
-
-    expect(result).toContain('... (10 lines omitted)');
-    expect(result).toContain('line11');
-    expect(result).toContain('line15');
-    expect(result).not.toContain('line10\n');
-  });
-
-  it('should handle single line output', () => {
-    const input = 'single line';
-    expect(truncateOutput(input, 20)).toBe(input);
-  });
-
-  it('should handle empty output', () => {
-    expect(truncateOutput('', 20)).toBe('');
-  });
-
-  it('should preserve line content exactly', () => {
-    const lines = Array.from({ length: 25 }, (_, i) => `Error at line ${i + 1}: something failed`);
-    const input = lines.join('\n');
-    const result = truncateOutput(input, 10);
-
-    expect(result).toContain('Error at line 16: something failed');
-    expect(result).toContain('Error at line 25: something failed');
-  });
-});