@zoebuildsai/trace 1.5.0

package/tests/v1.4/workspace-isolation-advanced.test.ts

@@ -0,0 +1,382 @@
+/**
+ * Advanced Workspace Isolation Tests
+ * Complex security scenarios and edge cases
+ */
+
+import { WorkspaceIsolation } from '../../src/workspace-isolation';
+
+describe('WorkspaceIsolation - Advanced Scenarios', () => {
+  let isolation: WorkspaceIsolation;
+
+  beforeEach(() => {
+    isolation = new WorkspaceIsolation('/secure/project', true);
+  });
+
+  describe('Nested Path Security', () => {
+    test('blocks nested .env files', () => {
+      const paths = ['.env', 'config/.env', 'src/.env', 'deploy/.env.production'];
+      paths.forEach(p => {
+        const result = isolation.isSafeToCommit(p);
+        expect(result.safe).toBe(false);
+      });
+    });
+
+    test('blocks nested key files', () => {
+      const paths = ['keys/agent-a.key', 'config/private.pem', 'certs/cert.pem'];
+      paths.forEach(p => {
+        const result = isolation.isSafeToCommit(p);
+        expect(result.safe).toBe(false);
+      });
+    });
+
+    test('allows nested safe files', () => {
+      const paths = ['src/utils/helpers.ts', 'tests/unit/main.test.ts', 'docs/api/endpoints.md'];
+      paths.forEach(p => {
+        const result = isolation.isSafeToCommit(p);
+        expect(result.safe).toBe(true);
+      });
+    });
+
+    test('blocks deeply nested secrets', () => {
+      const result = isolation.isSafeToCommit('a/b/c/d/e/.env.local');
+      expect(result.safe).toBe(false);
+    });
+  });
+
+  describe('Filename Variations', () => {
+    test('blocks all .env variants', () => {
+      const variants = [
+        '.env',
+        '.env.local',
+        '.env.production',
+        '.env.staging',
+        '.env.development',
+        '.env.test',
+        '.env.custom',
+      ];
+
+      variants.forEach(v => {
+        const result = isolation.isSafeToCommit(v);
+        expect(result.safe).toBe(false);
+      });
+    });
+
+    test('blocks all key variations', () => {
+      const keys = [
+        'private.key',
+        'id_rsa.key',
+        'agent-a.key',
+        'agent-b.key',
+        'signing.pem',
+        'certificate.pem',
+      ];
+
+      keys.forEach(k => {
+        const result = isolation.isSafeToCommit(k);
+        expect(result.safe).toBe(false);
+      });
+    });
+
+    test('blocks credential variations', () => {
+      const creds = [
+        'secrets.json',
+        'credentials.json',
+        'oauth.json',
+        'api-keys.json',
+        'tokens.json',
+      ];
+
+      creds.forEach(c => {
+        const result = isolation.isSafeToCommit(c);
+        expect(result.safe).toBe(false);
+      });
+    });
+
+    test('warns on sensitive name variations', () => {
+      const sensitive = [
+        'password.txt',
+        'passwords.json',
+        'user_passwords.csv',
+        'secret_config.js',
+        'private_data.sql',
+      ];
+
+      sensitive.forEach(s => {
+        const result = isolation.isSafeToCommit(s);
+        expect(result.violations.length).toBeGreaterThan(0);
+      });
+    });
+  });
+
+  describe('Case Sensitivity', () => {
+    test('blocks uppercase variants', () => {
+      const result = isolation.isSafeToCommit('.ENV');
+      // Should warn or block depending on case sensitivity rules
+      expect(result.violations.length).toBeGreaterThanOrEqual(0);
+    });
+
+    test('blocks mixed case credentials', () => {
+      const result = isolation.isSafeToCommit('Secrets.JSON');
+      expect(result.violations.length).toBeGreaterThanOrEqual(0);
+    });
+  });
+
+  describe('Archive & Backup Files', () => {
+    test('blocks backup files', () => {
+      const backups = ['app.backup', 'db.bak', 'config.old', 'secrets.tar.gz'];
+      backups.forEach(b => {
+        const result = isolation.isSafeToCommit(b);
+        expect(result.violations.length).toBeGreaterThan(0);
+      });
+    });
+
+    test('blocks dump files', () => {
+      const dumps = ['database.dump', 'db.sql', 'schema.sql', 'data.dump'];
+      dumps.forEach(d => {
+        const result = isolation.isSafeToCommit(d);
+        expect(result.violations.length).toBeGreaterThan(0);
+      });
+    });
+  });
+
+  describe('Workspace Directories', () => {
+    test('blocks workspace private dirs', () => {
+      const dirs = ['.workspace/', 'workspace-private/', 'private/', '.local/'];
+      dirs.forEach(d => {
+        const result = isolation.isSafeToCommit(d + 'anyfile.txt');
+        expect(result.safe).toBe(false);
+      });
+    });
+  });
+
+  describe('Batch Validation', () => {
+    test('validates large batch of files', () => {
+      const files = Array.from({ length: 100 }, (_, i) => `src/file${i}.ts`);
+      const result = isolation.validateGitPush(files);
+      expect(result.canPush).toBe(true);
+      expect(result.violations).toHaveLength(0);
+    });
+
+    test('finds all violations in large batch', () => {
+      const safe = Array.from({ length: 50 }, (_, i) => `src/file${i}.ts`);
+      const unsafe = Array.from({ length: 50 }, (_, i) => `.env.${i}`);
+      const all = [...safe, ...unsafe];
+
+      const result = isolation.validateGitPush(all);
+      expect(result.canPush).toBe(false);
+      expect(result.violations.length).toBe(50);
+    });
+  });
+
+  describe('Custom Rules', () => {
+    test('custom allow list overrides', () => {
+      isolation.setAllowed(['src/', 'docs/', 'custom-allowed/']);
+      const result = isolation.isSafeToCommit('custom-allowed/file.ts');
+      expect(result.safe).toBe(true);
+    });
+
+    test('custom block list additions', () => {
+      isolation.blockPath('*.sensitive');
+      const result = isolation.isSafeToCommit('data.sensitive');
+      expect(result.safe).toBe(false);
+    });
+
+    test('multiple custom blocks', () => {
+      isolation.blockPath('*.proprietary');
+      isolation.blockPath('*_private*');
+      isolation.blockPath('classified/*');
+
+      expect(isolation.isSafeToCommit('source.proprietary')).toEqual(
+        expect.objectContaining({ safe: false })
+      );
+      expect(isolation.isSafeToCommit('my_private_data')).toEqual(
+        expect.objectContaining({ safe: false })
+      );
+    });
+  });
+
+  describe('Error Messages', () => {
+    test('provides clear violation messages', () => {
+      const result = isolation.isSafeToCommit('.env');
+      expect(result.violations.length).toBeGreaterThan(0);
+      expect(result.violations[0].reason).toBeDefined();
+      expect(result.violations[0].suggestion).toBeDefined();
+    });
+
+    test('differentiates violation severity', () => {
+      const env = isolation.isSafeToCommit('.env');
+      const warning = isolation.isSafeToCommit('src/password.ts');
+
+      const envSevere = env.violations.some(v => v.severity === 'critical');
+      const warningSevere = warning.violations.some(v => v.severity === 'warning');
+
+      expect(envSevere).toBe(true);
+      expect(warningSevere).toBe(true);
+    });
+  });
+
+  describe('Real Production Scenarios', () => {
+    test('prevents AWS credentials exposure', () => {
+      const awsFiles = ['.aws/credentials', '.aws/config', 'aws-secret.json'];
+      awsFiles.forEach(f => {
+        const result = isolation.isSafeToCommit(f);
+        expect(result.safe).toBe(false);
+      });
+    });
+
+    test('prevents GCP/Google Cloud exposure', () => {
+      const gcpFiles = [
+        'gcp-key.json',
+        'google-cloud-key.json',
+        'service-account.json',
+      ];
+      gcpFiles.forEach(f => {
+        const result = isolation.isSafeToCommit(f);
+        expect(result.safe).toBe(false);
+      });
+    });
+
+    test('prevents Docker secrets exposure', () => {
+      const dockerFiles = ['.docker/config.json', 'docker-compose.override.yml'];
+      dockerFiles.forEach(f => {
+        const result = isolation.isSafeToCommit(f);
+        expect(result.violations.length).toBeGreaterThan(0);
+      });
+    });
+
+    test('prevents API key exposure', () => {
+      const apiFiles = ['api-keys.json', 'stripe-secret.key', 'github-token.txt'];
+      apiFiles.forEach(f => {
+        const result = isolation.isSafeToCommit(f);
+        expect(result.safe).toBe(false);
+      });
+    });
+
+    test('prevents database password exposure', () => {
+      const dbFiles = ['db.password', 'database-url.txt', 'postgres-credentials.env'];
+      dbFiles.forEach(f => {
+        const result = isolation.isSafeToCommit(f);
+        expect(result.violations.length).toBeGreaterThan(0);
+      });
+    });
+
+    test('allows safe production files', () => {
+      const safeFiles = [
+        'src/database.ts',
+        'src/api/client.ts',
+        'tests/integration.test.ts',
+        'docs/DEPLOYMENT.md',
+        'docker-compose.yml',
+        'Dockerfile',
+        'package.json',
+        'tsconfig.json',
+      ];
+
+      safeFiles.forEach(f => {
+        const result = isolation.isSafeToCommit(f);
+        expect(result.safe).toBe(true);
+      });
+    });
+  });
+
+  describe('Performance', () => {
+    test('validates 1000 files quickly', () => {
+      const files = Array.from({ length: 1000 }, (_, i) => `src/file${i}.ts`);
+      const start = Date.now();
+      isolation.validateGitPush(files);
+      const elapsed = Date.now() - start;
+      expect(elapsed).toBeLessThan(500);
+    });
+
+    test('handles mixed safe/unsafe efficiently', () => {
+      const mixed = Array.from({ length: 500 }, (_, i) =>
+        i % 2 === 0 ? `src/file${i}.ts` : `.env.${i}`
+      );
+      const start = Date.now();
+      isolation.validateGitPush(mixed);
+      const elapsed = Date.now() - start;
+      expect(elapsed).toBeLessThan(500);
+    });
+  });
+
+  describe('Workspace Boundary Enforcement', () => {
+    test('rejects files outside workspace root', () => {
+      const result = isolation.isSafeToCommit('../../sensitive.key');
+      expect(result.safe).toBe(false);
+      expect(result.violations.some(v => v.reason.includes('outside'))).toBe(true);
+    });
+
+    test('blocks absolute paths outside workspace', () => {
+      const result = isolation.isSafeToCommit('/etc/passwd');
+      expect(result.safe).toBe(false);
+    });
+  });
+
+  describe('Report Generation', () => {
+    test('generates comprehensive security report', () => {
+      isolation.isSafeToCommit('.env');
+      isolation.isSafeToCommit('secrets.json');
+
+      const report = isolation.generateReport();
+      expect(report).toContain('WORKSPACE SECURITY REPORT');
+      expect(report).toContain('ALLOWED PATHS');
+      expect(report).toContain('BLOCKED PATHS');
+    });
+
+    test('report includes file counts', () => {
+      const report = isolation.generateReport();
+      expect(report).toMatch(/\(\d+\)/); // Should have counts like (15)
+    });
+
+    test('report lists all patterns', () => {
+      const report = isolation.generateReport();
+      expect(report).toContain('.env');
+      expect(report).toContain('*.key');
+    });
+  });
+
+  describe('Pre-Commit Hook Integration', () => {
+    test('generates executable hook script', () => {
+      const hook = isolation.getPreCommitHook();
+      expect(hook).toMatch(/^#!/bin\/bash/);
+      expect(hook).toContain('git diff --cached --name-only');
+      expect(hook).toContain('exit 1');
+    });
+
+    test('hook detects .env files', () => {
+      const hook = isolation.getPreCommitHook();
+      expect(hook).toMatch(/\.env/);
+    });
+
+    test('hook detects key files', () => {
+      const hook = isolation.getPreCommitHook();
+      expect(hook).toMatch(/\.key.*\|\|.*\.pem/);
+    });
+
+    test('hook script is proper bash', () => {
+      const hook = isolation.getPreCommitHook();
+      expect(hook).toContain('if [');
+      expect(hook).toContain('then');
+      expect(hook).toContain('fi');
+    });
+  });
+
+  describe('Violation Details', () => {
+    test('violations include file path', () => {
+      const result = isolation.isSafeToCommit('config/.env');
+      expect(result.violations[0].path).toContain('.env');
+    });
+
+    test('violations include reason', () => {
+      const result = isolation.isSafeToCommit('.env.production');
+      expect(result.violations[0].reason).toBeDefined();
+      expect(result.violations[0].reason.length).toBeGreaterThan(0);
+    });
+
+    test('violations include suggestion', () => {
+      const result = isolation.isSafeToCommit('secrets.json');
+      expect(result.violations[0].suggestion).toBeDefined();
+      expect(result.violations[0].suggestion.includes('.gitignore')).toBe(true);
+    });
+  });
+});

package/tests/v1.4/workspace-isolation.test.ts

@@ -0,0 +1,268 @@
+/**
+ * Workspace Isolation Tests
+ * Security boundary enforcement
+ */
+
+import { WorkspaceIsolation } from '../../src/workspace-isolation';
+
+describe('WorkspaceIsolation', () => {
+  let isolation: WorkspaceIsolation;
+
+  beforeEach(() => {
+    isolation = new WorkspaceIsolation('/project', true);
+  });
+
+  describe('Safe Files', () => {
+    test('allows src files', () => {
+      const result = isolation.isSafeToCommit('src/index.ts');
+      expect(result.safe).toBe(true);
+    });
+
+    test('allows test files', () => {
+      const result = isolation.isSafeToCommit('tests/main.test.ts');
+      expect(result.safe).toBe(true);
+    });
+
+    test('allows docs', () => {
+      const result = isolation.isSafeToCommit('docs/README.md');
+      expect(result.safe).toBe(true);
+    });
+
+    test('allows package.json', () => {
+      const result = isolation.isSafeToCommit('package.json');
+      expect(result.safe).toBe(true);
+    });
+  });
+
+  describe('Blocked Files', () => {
+    test('blocks .env files', () => {
+      const result = isolation.isSafeToCommit('.env');
+      expect(result.safe).toBe(false);
+      expect(result.violations).toHaveLength(1);
+    });
+
+    test('blocks .env.local', () => {
+      const result = isolation.isSafeToCommit('.env.local');
+      expect(result.safe).toBe(false);
+    });
+
+    test('blocks .key files', () => {
+      const result = isolation.isSafeToCommit('private.key');
+      expect(result.safe).toBe(false);
+    });
+
+    test('blocks .pem files', () => {
+      const result = isolation.isSafeToCommit('certificate.pem');
+      expect(result.safe).toBe(false);
+    });
+
+    test('blocks secrets.json', () => {
+      const result = isolation.isSafeToCommit('secrets.json');
+      expect(result.safe).toBe(false);
+    });
+
+    test('blocks credentials.json', () => {
+      const result = isolation.isSafeToCommit('credentials.json');
+      expect(result.safe).toBe(false);
+    });
+
+    test('blocks agent keys', () => {
+      const result = isolation.isSafeToCommit('agent-a.key');
+      expect(result.safe).toBe(false);
+    });
+
+    test('blocks password files', () => {
+      const result = isolation.isSafeToCommit('passwords.txt');
+      expect(result.safe).toBe(false);
+    });
+  });
+
+  describe('Sensitive Names', () => {
+    test('warns on password files', () => {
+      const result = isolation.isSafeToCommit('src/password.ts');
+      expect(result.violations.length).toBeGreaterThan(0);
+      expect(result.violations[0].severity).toBe('warning');
+    });
+
+    test('warns on secret files', () => {
+      const result = isolation.isSafeToCommit('src/secret.ts');
+      expect(result.violations.length).toBeGreaterThan(0);
+    });
+
+    test('warns on token files', () => {
+      const result = isolation.isSafeToCommit('src/token.ts');
+      expect(result.violations.length).toBeGreaterThan(0);
+    });
+
+    test('warns on credential files', () => {
+      const result = isolation.isSafeToCommit('src/credentials.ts');
+      expect(result.violations.length).toBeGreaterThan(0);
+    });
+
+    test('warns on backup files', () => {
+      const result = isolation.isSafeToCommit('src/backup.tar.gz');
+      expect(result.violations.length).toBeGreaterThan(0);
+    });
+  });
+
+  describe('Git Push Validation', () => {
+    test('allows safe push', () => {
+      const files = ['src/index.ts', 'tests/main.test.ts', 'README.md'];
+      const result = isolation.validateGitPush(files);
+      expect(result.canPush).toBe(true);
+    });
+
+    test('blocks push with secrets', () => {
+      const files = ['src/index.ts', '.env', 'secrets.json'];
+      const result = isolation.validateGitPush(files);
+      expect(result.canPush).toBe(false);
+      expect(result.violations.length).toBeGreaterThan(0);
+    });
+
+    test('blocks push with keys', () => {
+      const files = ['src/index.ts', 'agent-a.key'];
+      const result = isolation.validateGitPush(files);
+      expect(result.canPush).toBe(false);
+    });
+
+    test('reports multiple violations', () => {
+      const files = ['.env', 'secrets.json', 'agent-a.key'];
+      const result = isolation.validateGitPush(files);
+      expect(result.violations.length).toBeGreaterThanOrEqual(3);
+    });
+  });
+
+  describe('Directory Scanning', () => {
+    test('scans directory', () => {
+      const result = isolation.scanDirectory('/project');
+      expect(result.safeFiles).toBeDefined();
+      expect(result.violatingFiles).toBeDefined();
+      expect(result.violations).toBeDefined();
+    });
+
+    test('identifies safe files in scan', () => {
+      const result = isolation.scanDirectory('/project');
+      expect(result.safeFiles.length).toBeGreaterThan(0);
+    });
+
+    test('identifies violating files in scan', () => {
+      const result = isolation.scanDirectory('/project');
+      expect(result.violatingFiles.length).toBeGreaterThan(0);
+    });
+  });
+
+  describe('Custom Configuration', () => {
+    test('sets custom allowed paths', () => {
+      isolation.setAllowed(['src/', 'docs/', 'custom/']);
+      const result = isolation.getBoundary();
+      expect(result.allowed).toContain('custom/');
+    });
+
+    test('adds blocked path', () => {
+      isolation.blockPath('*.secret');
+      const result = isolation.getBoundary();
+      expect(result.blocked).toContain('*.secret');
+    });
+
+    test('does not duplicate blocked paths', () => {
+      isolation.blockPath('*.secret');
+      isolation.blockPath('*.secret');
+      const result = isolation.getBoundary();
+      const count = result.blocked.filter(p => p === '*.secret').length;
+      expect(count).toBe(1);
+    });
+  });
+
+  describe('Workspace Boundary', () => {
+    test('gets boundary info', () => {
+      const boundary = isolation.getBoundary();
+      expect(boundary.root).toBe('/project');
+      expect(boundary.isPublic).toBe(true);
+      expect(boundary.allowed).toBeDefined();
+      expect(boundary.blocked).toBeDefined();
+    });
+
+    test('marks as private workspace', () => {
+      const private_isolation = new WorkspaceIsolation('/private', false);
+      const boundary = private_isolation.getBoundary();
+      expect(boundary.isPublic).toBe(false);
+    });
+  });
+
+  describe('Security Reports', () => {
+    test('generates security report', () => {
+      const report = isolation.generateReport();
+      expect(report).toContain('WORKSPACE SECURITY REPORT');
+      expect(report).toContain('ALLOWED PATHS');
+      expect(report).toContain('BLOCKED PATHS');
+    });
+
+    test('includes violations in report', () => {
+      isolation.isSafeToCommit('.env');
+      const report = isolation.generateReport();
+      // Note: violations are tracked separately in test
+    });
+  });
+
+  describe('Pre-Commit Hook', () => {
+    test('generates pre-commit hook script', () => {
+      const hook = isolation.getPreCommitHook();
+      expect(hook).toContain('#!/bin/bash');
+      expect(hook).toContain('Trace Pre-Commit Security Hook');
+      expect(hook).toContain('.env');
+      expect(hook).toContain('.key');
+    });
+  });
+
+  describe('Real-World Scenarios', () => {
+    test('prevents .env exposure', () => {
+      const files = ['src/main.ts', '.env', '.env.local', '.env.production'];
+      const result = isolation.validateGitPush(files);
+      expect(result.canPush).toBe(false);
+      expect(result.violations.filter(v => v.path.includes('.env')).length).toBe(3);
+    });
+
+    test('prevents credential leak', () => {
+      const files = [
+        'src/api.ts',
+        'credentials.json',
+        'oauth.json',
+        'api-keys.json',
+      ];
+      const result = isolation.validateGitPush(files);
+      expect(result.canPush).toBe(false);
+      expect(result.violations.length).toBe(3);
+    });
+
+    test('prevents agent key exposure', () => {
+      const files = ['src/index.ts', 'agent-a.key', 'agent-b.pem', 'agent-keys/'];
+      const result = isolation.validateGitPush(files);
+      expect(result.canPush).toBe(false);
+    });
+
+    test('allows safe production push', () => {
+      const files = [
+        'src/main.ts',
+        'src/utils.ts',
+        'tests/main.test.ts',
+        'README.md',
+        'package.json',
+        'LICENSE',
+      ];
+      const result = isolation.validateGitPush(files);
+      expect(result.canPush).toBe(true);
+    });
+  });
+
+  describe('Path Matching', () => {
+    test('matches glob patterns', () => {
+      const result = isolation.isSafeToCommit('.env.staging');
+      expect(result.safe).toBe(false);
+    });
+
+    test('handles nested paths', () => {
+      const result = isolation.isSafeToCommit('config/secrets.json');
+      expect(result.safe).toBe(false);
+    });
+  });
+});