comisai 1.0.10 → 1.0.12
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +3 -3
- package/node_modules/@comis/agent/dist/executor/pi-executor.d.ts +1 -4
- package/node_modules/@comis/agent/package.json +1 -1
- package/node_modules/@comis/channels/package.json +1 -1
- package/node_modules/@comis/cli/dist/wizard/steps/06-channels.js +88 -11
- package/node_modules/@comis/cli/dist/wizard/steps/10-write-config.js +4 -0
- package/node_modules/@comis/cli/dist/wizard/types.d.ts +1 -0
- package/node_modules/@comis/cli/package.json +1 -1
- package/node_modules/@comis/core/package.json +1 -1
- package/node_modules/@comis/daemon/package.json +1 -1
- package/node_modules/@comis/gateway/package.json +1 -1
- package/node_modules/@comis/infra/package.json +1 -1
- package/node_modules/@comis/memory/package.json +1 -1
- package/node_modules/@comis/scheduler/package.json +1 -1
- package/node_modules/@comis/shared/package.json +1 -1
- package/node_modules/@comis/skills/package.json +1 -1
- package/package.json +18 -18
- package/node_modules/@comis/core/dist/approval/approval-gate.test.d.ts +0 -1
- package/node_modules/@comis/core/dist/approval/approval-gate.test.js +0 -1003
- package/node_modules/@comis/core/dist/bootstrap.test.d.ts +0 -1
- package/node_modules/@comis/core/dist/bootstrap.test.js +0 -150
- package/node_modules/@comis/core/dist/config/backup.test.d.ts +0 -1
- package/node_modules/@comis/core/dist/config/backup.test.js +0 -160
- package/node_modules/@comis/core/dist/config/env-substitution.test.d.ts +0 -1
- package/node_modules/@comis/core/dist/config/env-substitution.test.js +0 -259
- package/node_modules/@comis/core/dist/config/field-metadata.test.d.ts +0 -1
- package/node_modules/@comis/core/dist/config/field-metadata.test.js +0 -72
- package/node_modules/@comis/core/dist/config/git-manager.test.d.ts +0 -1
- package/node_modules/@comis/core/dist/config/git-manager.test.js +0 -1042
- package/node_modules/@comis/core/dist/config/immutable-keys.test.d.ts +0 -1
- package/node_modules/@comis/core/dist/config/immutable-keys.test.js +0 -283
- package/node_modules/@comis/core/dist/config/include-resolver.test.d.ts +0 -1
- package/node_modules/@comis/core/dist/config/include-resolver.test.js +0 -292
- package/node_modules/@comis/core/dist/config/layered.test.d.ts +0 -1
- package/node_modules/@comis/core/dist/config/layered.test.js +0 -211
- package/node_modules/@comis/core/dist/config/loader.test.d.ts +0 -1
- package/node_modules/@comis/core/dist/config/loader.test.js +0 -300
- package/node_modules/@comis/core/dist/config/migrate.test.d.ts +0 -1
- package/node_modules/@comis/core/dist/config/migrate.test.js +0 -244
- package/node_modules/@comis/core/dist/config/partial-validator.test.d.ts +0 -1
- package/node_modules/@comis/core/dist/config/partial-validator.test.js +0 -98
- package/node_modules/@comis/core/dist/config/schema-agent-model.test.d.ts +0 -1
- package/node_modules/@comis/core/dist/config/schema-agent-model.test.js +0 -279
- package/node_modules/@comis/core/dist/config/schema-agent-session.test.d.ts +0 -1
- package/node_modules/@comis/core/dist/config/schema-agent-session.test.js +0 -242
- package/node_modules/@comis/core/dist/config/schema-agent.test.d.ts +0 -1
- package/node_modules/@comis/core/dist/config/schema-agent.test.js +0 -645
- package/node_modules/@comis/core/dist/config/schema-channel.test.d.ts +0 -1
- package/node_modules/@comis/core/dist/config/schema-channel.test.js +0 -341
- package/node_modules/@comis/core/dist/config/schema-coalescer.test.d.ts +0 -1
- package/node_modules/@comis/core/dist/config/schema-coalescer.test.js +0 -51
- package/node_modules/@comis/core/dist/config/schema-context-engine.test.d.ts +0 -1
- package/node_modules/@comis/core/dist/config/schema-context-engine.test.js +0 -797
- package/node_modules/@comis/core/dist/config/schema-context-guard.test.d.ts +0 -1
- package/node_modules/@comis/core/dist/config/schema-context-guard.test.js +0 -111
- package/node_modules/@comis/core/dist/config/schema-daemon.test.d.ts +0 -1
- package/node_modules/@comis/core/dist/config/schema-daemon.test.js +0 -107
- package/node_modules/@comis/core/dist/config/schema-delivery-timing.test.d.ts +0 -1
- package/node_modules/@comis/core/dist/config/schema-delivery-timing.test.js +0 -51
- package/node_modules/@comis/core/dist/config/schema-documentation.test.d.ts +0 -1
- package/node_modules/@comis/core/dist/config/schema-documentation.test.js +0 -63
- package/node_modules/@comis/core/dist/config/schema-gateway.test.d.ts +0 -1
- package/node_modules/@comis/core/dist/config/schema-gateway.test.js +0 -219
- package/node_modules/@comis/core/dist/config/schema-gemini-cache.test.d.ts +0 -1
- package/node_modules/@comis/core/dist/config/schema-gemini-cache.test.js +0 -41
- package/node_modules/@comis/core/dist/config/schema-integrations.test.d.ts +0 -1
- package/node_modules/@comis/core/dist/config/schema-integrations.test.js +0 -92
- package/node_modules/@comis/core/dist/config/schema-lifecycle-reactions.test.d.ts +0 -1
- package/node_modules/@comis/core/dist/config/schema-lifecycle-reactions.test.js +0 -61
- package/node_modules/@comis/core/dist/config/schema-misc.test.d.ts +0 -1
- package/node_modules/@comis/core/dist/config/schema-misc.test.js +0 -394
- package/node_modules/@comis/core/dist/config/schema-observability.test.d.ts +0 -1
- package/node_modules/@comis/core/dist/config/schema-observability.test.js +0 -76
- package/node_modules/@comis/core/dist/config/schema-providers.test.d.ts +0 -1
- package/node_modules/@comis/core/dist/config/schema-providers.test.js +0 -294
- package/node_modules/@comis/core/dist/config/schema-queue.test.d.ts +0 -1
- package/node_modules/@comis/core/dist/config/schema-queue.test.js +0 -234
- package/node_modules/@comis/core/dist/config/schema-response-prefix.test.d.ts +0 -1
- package/node_modules/@comis/core/dist/config/schema-response-prefix.test.js +0 -36
- package/node_modules/@comis/core/dist/config/schema-security.test.d.ts +0 -1
- package/node_modules/@comis/core/dist/config/schema-security.test.js +0 -54
- package/node_modules/@comis/core/dist/config/schema-sender-trust-display.test.d.ts +0 -1
- package/node_modules/@comis/core/dist/config/schema-sender-trust-display.test.js +0 -60
- package/node_modules/@comis/core/dist/config/schema-serializer.test.d.ts +0 -1
- package/node_modules/@comis/core/dist/config/schema-serializer.test.js +0 -73
- package/node_modules/@comis/core/dist/config/schema-telegram-file-guard.test.d.ts +0 -1
- package/node_modules/@comis/core/dist/config/schema-telegram-file-guard.test.js +0 -39
- package/node_modules/@comis/core/dist/context/context.test.d.ts +0 -1
- package/node_modules/@comis/core/dist/context/context.test.js +0 -276
- package/node_modules/@comis/core/dist/domain/agent-response.test.d.ts +0 -1
- package/node_modules/@comis/core/dist/domain/agent-response.test.js +0 -159
- package/node_modules/@comis/core/dist/domain/credential-mapping.test.d.ts +0 -1
- package/node_modules/@comis/core/dist/domain/credential-mapping.test.js +0 -135
- package/node_modules/@comis/core/dist/domain/delivery-origin.test.d.ts +0 -1
- package/node_modules/@comis/core/dist/domain/delivery-origin.test.js +0 -68
- package/node_modules/@comis/core/dist/domain/execution-graph.test.d.ts +0 -1
- package/node_modules/@comis/core/dist/domain/execution-graph.test.js +0 -441
- package/node_modules/@comis/core/dist/domain/memory-entry.test.d.ts +0 -1
- package/node_modules/@comis/core/dist/domain/memory-entry.test.js +0 -193
- package/node_modules/@comis/core/dist/domain/normalized-message.test.d.ts +0 -1
- package/node_modules/@comis/core/dist/domain/normalized-message.test.js +0 -255
- package/node_modules/@comis/core/dist/domain/session-key.test.d.ts +0 -1
- package/node_modules/@comis/core/dist/domain/session-key.test.js +0 -291
- package/node_modules/@comis/core/dist/domain/subagent-context-config.test.d.ts +0 -1
- package/node_modules/@comis/core/dist/domain/subagent-context-config.test.js +0 -131
- package/node_modules/@comis/core/dist/domain/subagent-context-types.test.d.ts +0 -1
- package/node_modules/@comis/core/dist/domain/subagent-context-types.test.js +0 -182
- package/node_modules/@comis/core/dist/event-bus/bus.test.d.ts +0 -1
- package/node_modules/@comis/core/dist/event-bus/bus.test.js +0 -152
- package/node_modules/@comis/core/dist/event-bus/events-agent.test.d.ts +0 -1
- package/node_modules/@comis/core/dist/event-bus/events-agent.test.js +0 -409
- package/node_modules/@comis/core/dist/event-bus/events-channel.test.d.ts +0 -1
- package/node_modules/@comis/core/dist/event-bus/events-channel.test.js +0 -240
- package/node_modules/@comis/core/dist/event-bus/events-infra.test.d.ts +0 -1
- package/node_modules/@comis/core/dist/event-bus/events-infra.test.js +0 -416
- package/node_modules/@comis/core/dist/event-bus/events-messaging.test.d.ts +0 -1
- package/node_modules/@comis/core/dist/event-bus/events-messaging.test.js +0 -433
- package/node_modules/@comis/core/dist/event-bus/events.test.d.ts +0 -1
- package/node_modules/@comis/core/dist/event-bus/events.test.js +0 -93
- package/node_modules/@comis/core/dist/hooks/hook-runner-global.test.d.ts +0 -1
- package/node_modules/@comis/core/dist/hooks/hook-runner-global.test.js +0 -29
- package/node_modules/@comis/core/dist/hooks/hook-runner.test.d.ts +0 -1
- package/node_modules/@comis/core/dist/hooks/hook-runner.test.js +0 -490
- package/node_modules/@comis/core/dist/hooks/hook-strategies.test.d.ts +0 -1
- package/node_modules/@comis/core/dist/hooks/hook-strategies.test.js +0 -209
- package/node_modules/@comis/core/dist/hooks/integration.test.d.ts +0 -1
- package/node_modules/@comis/core/dist/hooks/integration.test.js +0 -235
- package/node_modules/@comis/core/dist/hooks/plugin-registry.test.d.ts +0 -1
- package/node_modules/@comis/core/dist/hooks/plugin-registry.test.js +0 -470
- package/node_modules/@comis/core/dist/load-env.test.d.ts +0 -1
- package/node_modules/@comis/core/dist/load-env.test.js +0 -21
- package/node_modules/@comis/core/dist/security/action-classifier.test.d.ts +0 -1
- package/node_modules/@comis/core/dist/security/action-classifier.test.js +0 -298
- package/node_modules/@comis/core/dist/security/audit-aggregator.test.d.ts +0 -1
- package/node_modules/@comis/core/dist/security/audit-aggregator.test.js +0 -128
- package/node_modules/@comis/core/dist/security/audit.test.d.ts +0 -1
- package/node_modules/@comis/core/dist/security/audit.test.js +0 -154
- package/node_modules/@comis/core/dist/security/canary-token.test.d.ts +0 -1
- package/node_modules/@comis/core/dist/security/canary-token.test.js +0 -45
- package/node_modules/@comis/core/dist/security/config-redaction.test.d.ts +0 -1
- package/node_modules/@comis/core/dist/security/config-redaction.test.js +0 -107
- package/node_modules/@comis/core/dist/security/external-content.test.d.ts +0 -1
- package/node_modules/@comis/core/dist/security/external-content.test.js +0 -210
- package/node_modules/@comis/core/dist/security/injection-patterns.test.d.ts +0 -1
- package/node_modules/@comis/core/dist/security/injection-patterns.test.js +0 -213
- package/node_modules/@comis/core/dist/security/injection-rate-limiter.test.d.ts +0 -1
- package/node_modules/@comis/core/dist/security/injection-rate-limiter.test.js +0 -194
- package/node_modules/@comis/core/dist/security/input-guard.test.d.ts +0 -1
- package/node_modules/@comis/core/dist/security/input-guard.test.js +0 -215
- package/node_modules/@comis/core/dist/security/input-security-guard.test.d.ts +0 -1
- package/node_modules/@comis/core/dist/security/input-security-guard.test.js +0 -215
- package/node_modules/@comis/core/dist/security/input-validator.test.d.ts +0 -1
- package/node_modules/@comis/core/dist/security/input-validator.test.js +0 -133
- package/node_modules/@comis/core/dist/security/log-sanitizer.test.d.ts +0 -1
- package/node_modules/@comis/core/dist/security/log-sanitizer.test.js +0 -260
- package/node_modules/@comis/core/dist/security/memory-write-validator.test.d.ts +0 -1
- package/node_modules/@comis/core/dist/security/memory-write-validator.test.js +0 -62
- package/node_modules/@comis/core/dist/security/output-guard.test.d.ts +0 -1
- package/node_modules/@comis/core/dist/security/output-guard.test.js +0 -397
- package/node_modules/@comis/core/dist/security/safe-path.test.d.ts +0 -1
- package/node_modules/@comis/core/dist/security/safe-path.test.js +0 -95
- package/node_modules/@comis/core/dist/security/scoped-secret-manager.test.d.ts +0 -1
- package/node_modules/@comis/core/dist/security/scoped-secret-manager.test.js +0 -231
- package/node_modules/@comis/core/dist/security/secret-access.test.d.ts +0 -1
- package/node_modules/@comis/core/dist/security/secret-access.test.js +0 -41
- package/node_modules/@comis/core/dist/security/secret-crypto.test.d.ts +0 -1
- package/node_modules/@comis/core/dist/security/secret-crypto.test.js +0 -113
- package/node_modules/@comis/core/dist/security/secret-manager.test.d.ts +0 -1
- package/node_modules/@comis/core/dist/security/secret-manager.test.js +0 -394
- package/node_modules/@comis/core/dist/security/secret-ref-resolver.test.d.ts +0 -1
- package/node_modules/@comis/core/dist/security/secret-ref-resolver.test.js +0 -268
- package/node_modules/@comis/core/dist/security/secrets-audit.test.d.ts +0 -10
- package/node_modules/@comis/core/dist/security/secrets-audit.test.js +0 -295
- package/node_modules/@comis/core/dist/security/ssrf-guard.test.d.ts +0 -1
- package/node_modules/@comis/core/dist/security/ssrf-guard.test.js +0 -127
- package/node_modules/@comis/core/dist/security/token-generator.test.d.ts +0 -1
- package/node_modules/@comis/core/dist/security/token-generator.test.js +0 -35
- package/node_modules/@comis/core/dist/tool-metadata.test.d.ts +0 -1
- package/node_modules/@comis/core/dist/tool-metadata.test.js +0 -112
- package/node_modules/@comis/memory/dist/compaction.test.d.ts +0 -1
- package/node_modules/@comis/memory/dist/compaction.test.js +0 -298
- package/node_modules/@comis/memory/dist/context-schema.test.d.ts +0 -1
- package/node_modules/@comis/memory/dist/context-schema.test.js +0 -246
- package/node_modules/@comis/memory/dist/context-store.test.d.ts +0 -1
- package/node_modules/@comis/memory/dist/context-store.test.js +0 -708
- package/node_modules/@comis/memory/dist/credential-mapping-schema.test.d.ts +0 -7
- package/node_modules/@comis/memory/dist/credential-mapping-schema.test.js +0 -73
- package/node_modules/@comis/memory/dist/credential-mapping-store.test.d.ts +0 -8
- package/node_modules/@comis/memory/dist/credential-mapping-store.test.js +0 -340
- package/node_modules/@comis/memory/dist/delivery-mirror-adapter.test.d.ts +0 -1
- package/node_modules/@comis/memory/dist/delivery-mirror-adapter.test.js +0 -165
- package/node_modules/@comis/memory/dist/delivery-queue-adapter.test.d.ts +0 -1
- package/node_modules/@comis/memory/dist/delivery-queue-adapter.test.js +0 -263
- package/node_modules/@comis/memory/dist/embedding-batch-indexer.test.d.ts +0 -1
- package/node_modules/@comis/memory/dist/embedding-batch-indexer.test.js +0 -202
- package/node_modules/@comis/memory/dist/embedding-cache-lru.test.d.ts +0 -1
- package/node_modules/@comis/memory/dist/embedding-cache-lru.test.js +0 -241
- package/node_modules/@comis/memory/dist/embedding-cache-sqlite.test.d.ts +0 -8
- package/node_modules/@comis/memory/dist/embedding-cache-sqlite.test.js +0 -678
- package/node_modules/@comis/memory/dist/embedding-cache.test.d.ts +0 -1
- package/node_modules/@comis/memory/dist/embedding-cache.test.js +0 -213
- package/node_modules/@comis/memory/dist/embedding-fingerprint.test.d.ts +0 -1
- package/node_modules/@comis/memory/dist/embedding-fingerprint.test.js +0 -87
- package/node_modules/@comis/memory/dist/embedding-hash.test.d.ts +0 -1
- package/node_modules/@comis/memory/dist/embedding-hash.test.js +0 -31
- package/node_modules/@comis/memory/dist/embedding-integration.test.d.ts +0 -8
- package/node_modules/@comis/memory/dist/embedding-integration.test.js +0 -232
- package/node_modules/@comis/memory/dist/embedding-provider-factory.test.d.ts +0 -1
- package/node_modules/@comis/memory/dist/embedding-provider-factory.test.js +0 -176
- package/node_modules/@comis/memory/dist/embedding-provider-local.test.d.ts +0 -8
- package/node_modules/@comis/memory/dist/embedding-provider-local.test.js +0 -76
- package/node_modules/@comis/memory/dist/embedding-provider-openai.test.d.ts +0 -8
- package/node_modules/@comis/memory/dist/embedding-provider-openai.test.js +0 -100
- package/node_modules/@comis/memory/dist/embedding-queue.test.d.ts +0 -1
- package/node_modules/@comis/memory/dist/embedding-queue.test.js +0 -236
- package/node_modules/@comis/memory/dist/hybrid-search.test.d.ts +0 -1
- package/node_modules/@comis/memory/dist/hybrid-search.test.js +0 -476
- package/node_modules/@comis/memory/dist/identity-link-store.test.d.ts +0 -1
- package/node_modules/@comis/memory/dist/identity-link-store.test.js +0 -88
- package/node_modules/@comis/memory/dist/memory-api.test.d.ts +0 -1
- package/node_modules/@comis/memory/dist/memory-api.test.js +0 -495
- package/node_modules/@comis/memory/dist/memory-concurrency.test.d.ts +0 -20
- package/node_modules/@comis/memory/dist/memory-concurrency.test.js +0 -222
- package/node_modules/@comis/memory/dist/named-graph-store.test.d.ts +0 -1
- package/node_modules/@comis/memory/dist/named-graph-store.test.js +0 -227
- package/node_modules/@comis/memory/dist/observability-store.test.d.ts +0 -1
- package/node_modules/@comis/memory/dist/observability-store.test.js +0 -704
- package/node_modules/@comis/memory/dist/row-mapper.test.d.ts +0 -1
- package/node_modules/@comis/memory/dist/row-mapper.test.js +0 -409
- package/node_modules/@comis/memory/dist/schema.test.d.ts +0 -1
- package/node_modules/@comis/memory/dist/schema.test.js +0 -240
- package/node_modules/@comis/memory/dist/secret-store-schema.test.d.ts +0 -7
- package/node_modules/@comis/memory/dist/secret-store-schema.test.js +0 -90
- package/node_modules/@comis/memory/dist/session-store.test.d.ts +0 -1
- package/node_modules/@comis/memory/dist/session-store.test.js +0 -262
- package/node_modules/@comis/memory/dist/setup-secrets.test.d.ts +0 -1
- package/node_modules/@comis/memory/dist/setup-secrets.test.js +0 -140
- package/node_modules/@comis/memory/dist/sqlite-memory-adapter.test.d.ts +0 -1
- package/node_modules/@comis/memory/dist/sqlite-memory-adapter.test.js +0 -888
- package/node_modules/@comis/memory/dist/sqlite-secret-store.test.d.ts +0 -8
- package/node_modules/@comis/memory/dist/sqlite-secret-store.test.js +0 -245
- package/node_modules/@comis/shared/dist/abort.test.d.ts +0 -1
- package/node_modules/@comis/shared/dist/abort.test.js +0 -71
- package/node_modules/@comis/shared/dist/result.test.d.ts +0 -1
- package/node_modules/@comis/shared/dist/result.test.js +0 -178
- package/node_modules/@comis/shared/dist/suppress-error.test.d.ts +0 -1
- package/node_modules/@comis/shared/dist/suppress-error.test.js +0 -50
- package/node_modules/@comis/shared/dist/timeout.test.d.ts +0 -1
- package/node_modules/@comis/shared/dist/timeout.test.js +0 -75
- package/node_modules/@comis/shared/dist/ttl-cache.test.d.ts +0 -1
- package/node_modules/@comis/shared/dist/ttl-cache.test.js +0 -81
|
@@ -1,298 +0,0 @@
|
|
|
1
|
-
import { describe, it, expect, beforeEach } from "vitest";
|
|
2
|
-
import { classifyAction, requiresConfirmation, registerAction, lockRegistry, isRegistryLocked, _resetRegistryForTesting, } from "./action-classifier.js";
|
|
3
|
-
describe("classifyAction", () => {
|
|
4
|
-
describe("read actions", () => {
|
|
5
|
-
const readActions = [
|
|
6
|
-
"file.read",
|
|
7
|
-
"memory.search",
|
|
8
|
-
"memory.get",
|
|
9
|
-
"config.read",
|
|
10
|
-
"status.check",
|
|
11
|
-
"skill.list",
|
|
12
|
-
];
|
|
13
|
-
for (const action of readActions) {
|
|
14
|
-
it(`classifies "${action}" as read`, () => {
|
|
15
|
-
expect(classifyAction(action)).toBe("read");
|
|
16
|
-
});
|
|
17
|
-
}
|
|
18
|
-
});
|
|
19
|
-
describe("mutate actions", () => {
|
|
20
|
-
const mutateActions = [
|
|
21
|
-
"file.write",
|
|
22
|
-
"file.create",
|
|
23
|
-
"memory.store",
|
|
24
|
-
"memory.update",
|
|
25
|
-
"config.update",
|
|
26
|
-
"message.send",
|
|
27
|
-
];
|
|
28
|
-
for (const action of mutateActions) {
|
|
29
|
-
it(`classifies "${action}" as mutate`, () => {
|
|
30
|
-
expect(classifyAction(action)).toBe("mutate");
|
|
31
|
-
});
|
|
32
|
-
}
|
|
33
|
-
});
|
|
34
|
-
describe("destructive actions", () => {
|
|
35
|
-
const destructiveActions = [
|
|
36
|
-
"file.delete",
|
|
37
|
-
"memory.delete",
|
|
38
|
-
"memory.clear",
|
|
39
|
-
"session.destroy",
|
|
40
|
-
"system.exec",
|
|
41
|
-
"system.shutdown",
|
|
42
|
-
];
|
|
43
|
-
for (const action of destructiveActions) {
|
|
44
|
-
it(`classifies "${action}" as destructive`, () => {
|
|
45
|
-
expect(classifyAction(action)).toBe("destructive");
|
|
46
|
-
});
|
|
47
|
-
}
|
|
48
|
-
});
|
|
49
|
-
describe("v2.0 tool read actions", () => {
|
|
50
|
-
const v2ReadActions = [
|
|
51
|
-
"tool.execute",
|
|
52
|
-
"cron.list",
|
|
53
|
-
"cron.status",
|
|
54
|
-
"cron.runs",
|
|
55
|
-
"cron.wake",
|
|
56
|
-
"session.list",
|
|
57
|
-
"session.history",
|
|
58
|
-
"session.status",
|
|
59
|
-
"message.fetch",
|
|
60
|
-
"agents.list",
|
|
61
|
-
"gateway.status",
|
|
62
|
-
"config.schema",
|
|
63
|
-
"web.fetch",
|
|
64
|
-
"web.search",
|
|
65
|
-
"image.analyze",
|
|
66
|
-
"memory.search_files",
|
|
67
|
-
"memory.get_file",
|
|
68
|
-
];
|
|
69
|
-
for (const action of v2ReadActions) {
|
|
70
|
-
it(`classifies "${action}" as read`, () => {
|
|
71
|
-
expect(classifyAction(action)).toBe("read");
|
|
72
|
-
});
|
|
73
|
-
}
|
|
74
|
-
});
|
|
75
|
-
describe("v2.0 tool mutate actions", () => {
|
|
76
|
-
const v2MutateActions = [
|
|
77
|
-
"message.reply",
|
|
78
|
-
"message.react",
|
|
79
|
-
"message.edit",
|
|
80
|
-
"cron.add",
|
|
81
|
-
"cron.update",
|
|
82
|
-
"session.send",
|
|
83
|
-
"session.spawn",
|
|
84
|
-
"tts.synthesize",
|
|
85
|
-
"canvas.present",
|
|
86
|
-
"canvas.eval",
|
|
87
|
-
];
|
|
88
|
-
for (const action of v2MutateActions) {
|
|
89
|
-
it(`classifies "${action}" as mutate`, () => {
|
|
90
|
-
expect(classifyAction(action)).toBe("mutate");
|
|
91
|
-
});
|
|
92
|
-
}
|
|
93
|
-
});
|
|
94
|
-
describe("v2.0 tool destructive actions", () => {
|
|
95
|
-
const v2DestructiveActions = [
|
|
96
|
-
"cron.remove",
|
|
97
|
-
"message.delete",
|
|
98
|
-
"gateway.restart",
|
|
99
|
-
"gateway.update",
|
|
100
|
-
"config.patch",
|
|
101
|
-
"config.apply",
|
|
102
|
-
];
|
|
103
|
-
it('classifies "config.patch" as destructive (CFGSAFE-01)', () => {
|
|
104
|
-
expect(classifyAction("config.patch")).toBe("destructive");
|
|
105
|
-
});
|
|
106
|
-
it('classifies "config.apply" as destructive (CFGAPPLY-01)', () => {
|
|
107
|
-
expect(classifyAction("config.apply")).toBe("destructive");
|
|
108
|
-
});
|
|
109
|
-
for (const action of v2DestructiveActions) {
|
|
110
|
-
it(`classifies "${action}" as destructive`, () => {
|
|
111
|
-
expect(classifyAction(action)).toBe("destructive");
|
|
112
|
-
});
|
|
113
|
-
}
|
|
114
|
-
});
|
|
115
|
-
describe("v23.0 config management actions", () => {
|
|
116
|
-
it('classifies "config.history" as read', () => {
|
|
117
|
-
expect(classifyAction("config.history")).toBe("read");
|
|
118
|
-
});
|
|
119
|
-
it('classifies "config.diff" as read', () => {
|
|
120
|
-
expect(classifyAction("config.diff")).toBe("read");
|
|
121
|
-
});
|
|
122
|
-
it('classifies "config.rollback" as destructive', () => {
|
|
123
|
-
expect(classifyAction("config.rollback")).toBe("destructive");
|
|
124
|
-
});
|
|
125
|
-
it('classifies "config.apply" as destructive', () => {
|
|
126
|
-
expect(classifyAction("config.apply")).toBe("destructive");
|
|
127
|
-
});
|
|
128
|
-
it('classifies "config.gc" as destructive', () => {
|
|
129
|
-
expect(classifyAction("config.gc")).toBe("destructive");
|
|
130
|
-
});
|
|
131
|
-
it('classifies "daemon.setLogLevel" as mutate (in-memory only, resets on restart)', () => {
|
|
132
|
-
expect(classifyAction("daemon.setLogLevel")).toBe("mutate");
|
|
133
|
-
});
|
|
134
|
-
});
|
|
135
|
-
describe("v6.5 prompt skill actions", () => {
|
|
136
|
-
it('classifies "skill.prompt.load" as read', () => {
|
|
137
|
-
expect(classifyAction("skill.prompt.load")).toBe("read");
|
|
138
|
-
});
|
|
139
|
-
it('classifies "skill.prompt.invoke" as mutate', () => {
|
|
140
|
-
expect(classifyAction("skill.prompt.invoke")).toBe("mutate");
|
|
141
|
-
});
|
|
142
|
-
});
|
|
143
|
-
describe("v22.0 privileged tool actions", () => {
|
|
144
|
-
describe("read actions", () => {
|
|
145
|
-
const readActions = [
|
|
146
|
-
"agents.get",
|
|
147
|
-
"session.export",
|
|
148
|
-
"memory.stats",
|
|
149
|
-
"memory.browse",
|
|
150
|
-
"memory.export",
|
|
151
|
-
"channels.list",
|
|
152
|
-
"channels.get",
|
|
153
|
-
"tokens.list",
|
|
154
|
-
"models.list",
|
|
155
|
-
"models.test",
|
|
156
|
-
];
|
|
157
|
-
for (const action of readActions) {
|
|
158
|
-
it(`classifies "${action}" as read`, () => {
|
|
159
|
-
expect(classifyAction(action)).toBe("read");
|
|
160
|
-
});
|
|
161
|
-
}
|
|
162
|
-
});
|
|
163
|
-
describe("mutate actions", () => {
|
|
164
|
-
const mutateActions = ["agents.update", "agents.resume"];
|
|
165
|
-
for (const action of mutateActions) {
|
|
166
|
-
it(`classifies "${action}" as mutate`, () => {
|
|
167
|
-
expect(classifyAction(action)).toBe("mutate");
|
|
168
|
-
});
|
|
169
|
-
}
|
|
170
|
-
});
|
|
171
|
-
describe("destructive actions", () => {
|
|
172
|
-
const destructiveActions = [
|
|
173
|
-
"agents.create",
|
|
174
|
-
"agents.delete",
|
|
175
|
-
"agents.suspend",
|
|
176
|
-
"session.delete",
|
|
177
|
-
"memory.flush",
|
|
178
|
-
"channels.enable",
|
|
179
|
-
"channels.disable",
|
|
180
|
-
"channels.restart",
|
|
181
|
-
"tokens.create",
|
|
182
|
-
"tokens.revoke",
|
|
183
|
-
"tokens.rotate",
|
|
184
|
-
];
|
|
185
|
-
for (const action of destructiveActions) {
|
|
186
|
-
it(`classifies "${action}" as destructive`, () => {
|
|
187
|
-
expect(classifyAction(action)).toBe("destructive");
|
|
188
|
-
});
|
|
189
|
-
}
|
|
190
|
-
});
|
|
191
|
-
});
|
|
192
|
-
describe("unknown actions", () => {
|
|
193
|
-
it("defaults unknown action to destructive (fail-closed)", () => {
|
|
194
|
-
expect(classifyAction("totally.unknown.action")).toBe("destructive");
|
|
195
|
-
});
|
|
196
|
-
it("defaults empty string to destructive", () => {
|
|
197
|
-
expect(classifyAction("")).toBe("destructive");
|
|
198
|
-
});
|
|
199
|
-
it("defaults novel action to destructive", () => {
|
|
200
|
-
expect(classifyAction("custom.plugin.run")).toBe("destructive");
|
|
201
|
-
});
|
|
202
|
-
});
|
|
203
|
-
});
|
|
204
|
-
describe("requiresConfirmation", () => {
|
|
205
|
-
it("returns true for destructive actions", () => {
|
|
206
|
-
expect(requiresConfirmation("file.delete")).toBe(true);
|
|
207
|
-
expect(requiresConfirmation("system.exec")).toBe(true);
|
|
208
|
-
});
|
|
209
|
-
it("returns true for unknown actions (fail-closed)", () => {
|
|
210
|
-
expect(requiresConfirmation("unknown.action")).toBe(true);
|
|
211
|
-
});
|
|
212
|
-
it("returns false for read actions", () => {
|
|
213
|
-
expect(requiresConfirmation("file.read")).toBe(false);
|
|
214
|
-
expect(requiresConfirmation("memory.search")).toBe(false);
|
|
215
|
-
});
|
|
216
|
-
it("returns false for mutate actions", () => {
|
|
217
|
-
expect(requiresConfirmation("file.write")).toBe(false);
|
|
218
|
-
expect(requiresConfirmation("message.send")).toBe(false);
|
|
219
|
-
});
|
|
220
|
-
it("requires confirmation for config.patch (CFGSAFE-01)", () => {
|
|
221
|
-
expect(requiresConfirmation("config.patch")).toBe(true);
|
|
222
|
-
});
|
|
223
|
-
});
|
|
224
|
-
describe("requiresConfirmation - v23.0 daemon actions", () => {
|
|
225
|
-
it("returns false for daemon.setLogLevel (mutate, not destructive)", () => {
|
|
226
|
-
expect(requiresConfirmation("daemon.setLogLevel")).toBe(false);
|
|
227
|
-
});
|
|
228
|
-
it("returns true for config.rollback (destructive)", () => {
|
|
229
|
-
expect(requiresConfirmation("config.rollback")).toBe(true);
|
|
230
|
-
});
|
|
231
|
-
it("returns true for config.gc (destructive)", () => {
|
|
232
|
-
expect(requiresConfirmation("config.gc")).toBe(true);
|
|
233
|
-
});
|
|
234
|
-
});
|
|
235
|
-
describe("requiresConfirmation - v22.0 privileged actions", () => {
|
|
236
|
-
it("returns true for destructive privileged actions", () => {
|
|
237
|
-
expect(requiresConfirmation("agents.create")).toBe(true);
|
|
238
|
-
expect(requiresConfirmation("agents.delete")).toBe(true);
|
|
239
|
-
expect(requiresConfirmation("tokens.revoke")).toBe(true);
|
|
240
|
-
expect(requiresConfirmation("channels.restart")).toBe(true);
|
|
241
|
-
});
|
|
242
|
-
it("returns false for read privileged actions", () => {
|
|
243
|
-
expect(requiresConfirmation("agents.get")).toBe(false);
|
|
244
|
-
expect(requiresConfirmation("models.list")).toBe(false);
|
|
245
|
-
expect(requiresConfirmation("channels.list")).toBe(false);
|
|
246
|
-
});
|
|
247
|
-
});
|
|
248
|
-
describe("registerAction", () => {
|
|
249
|
-
it("registers a new action type", () => {
|
|
250
|
-
registerAction("custom.read", "read");
|
|
251
|
-
expect(classifyAction("custom.read")).toBe("read");
|
|
252
|
-
});
|
|
253
|
-
it("overwrites an existing registration", () => {
|
|
254
|
-
registerAction("custom.overwrite", "destructive");
|
|
255
|
-
expect(classifyAction("custom.overwrite")).toBe("destructive");
|
|
256
|
-
registerAction("custom.overwrite", "read");
|
|
257
|
-
expect(classifyAction("custom.overwrite")).toBe("read");
|
|
258
|
-
});
|
|
259
|
-
it("accepts all valid classifications", () => {
|
|
260
|
-
const classifications = ["read", "mutate", "destructive"];
|
|
261
|
-
for (const classification of classifications) {
|
|
262
|
-
registerAction(`test.${classification}`, classification);
|
|
263
|
-
expect(classifyAction(`test.${classification}`)).toBe(classification);
|
|
264
|
-
}
|
|
265
|
-
});
|
|
266
|
-
});
|
|
267
|
-
describe("lockRegistry (CORE-01)", () => {
|
|
268
|
-
beforeEach(() => {
|
|
269
|
-
_resetRegistryForTesting();
|
|
270
|
-
});
|
|
271
|
-
it("lockRegistry prevents subsequent registerAction calls", () => {
|
|
272
|
-
lockRegistry();
|
|
273
|
-
expect(() => registerAction("new.action", "read")).toThrow("locked");
|
|
274
|
-
});
|
|
275
|
-
it("isRegistryLocked returns true after locking", () => {
|
|
276
|
-
expect(isRegistryLocked()).toBe(false);
|
|
277
|
-
lockRegistry();
|
|
278
|
-
expect(isRegistryLocked()).toBe(true);
|
|
279
|
-
});
|
|
280
|
-
it("classifyAction still works after locking", () => {
|
|
281
|
-
lockRegistry();
|
|
282
|
-
// Pre-registered actions should still work
|
|
283
|
-
expect(classifyAction("file.read")).toBe("read");
|
|
284
|
-
expect(classifyAction("file.write")).toBe("mutate");
|
|
285
|
-
expect(classifyAction("file.delete")).toBe("destructive");
|
|
286
|
-
// Unknown actions still default to destructive
|
|
287
|
-
expect(classifyAction("totally.unknown")).toBe("destructive");
|
|
288
|
-
});
|
|
289
|
-
it("lockRegistry is idempotent", () => {
|
|
290
|
-
lockRegistry();
|
|
291
|
-
lockRegistry(); // second call should not throw
|
|
292
|
-
expect(isRegistryLocked()).toBe(true);
|
|
293
|
-
});
|
|
294
|
-
it("registerAction error message includes the rejected action type", () => {
|
|
295
|
-
lockRegistry();
|
|
296
|
-
expect(() => registerAction("malicious.downgrade", "read")).toThrow('registerAction() rejected for "malicious.downgrade"');
|
|
297
|
-
});
|
|
298
|
-
});
|
|
@@ -1 +0,0 @@
|
|
|
1
|
-
export {};
|
|
@@ -1,128 +0,0 @@
|
|
|
1
|
-
import { describe, it, expect, vi, beforeEach, afterEach } from "vitest";
|
|
2
|
-
import { createAuditAggregator } from "./audit-aggregator.js";
|
|
3
|
-
function createMockEventBus() {
|
|
4
|
-
return { emit: vi.fn(), on: vi.fn(), off: vi.fn() };
|
|
5
|
-
}
|
|
6
|
-
describe("createAuditAggregator", () => {
|
|
7
|
-
beforeEach(() => {
|
|
8
|
-
vi.useFakeTimers();
|
|
9
|
-
});
|
|
10
|
-
afterEach(() => {
|
|
11
|
-
vi.useRealTimers();
|
|
12
|
-
});
|
|
13
|
-
it("deduplicates events within window", () => {
|
|
14
|
-
const eventBus = createMockEventBus();
|
|
15
|
-
const aggregator = createAuditAggregator(eventBus, { windowMs: 5000 });
|
|
16
|
-
aggregator.record({ source: "external_content", patterns: ["a"] });
|
|
17
|
-
aggregator.record({ source: "external_content", patterns: ["b"] });
|
|
18
|
-
aggregator.record({ source: "external_content", patterns: ["c"] });
|
|
19
|
-
// Not yet emitted
|
|
20
|
-
expect(eventBus.emit).not.toHaveBeenCalled();
|
|
21
|
-
// Advance past window
|
|
22
|
-
vi.advanceTimersByTime(5001);
|
|
23
|
-
// Should emit exactly once (deduplicated)
|
|
24
|
-
expect(eventBus.emit).toHaveBeenCalledTimes(1);
|
|
25
|
-
});
|
|
26
|
-
it("emits summary at window close with correct payload", () => {
|
|
27
|
-
const eventBus = createMockEventBus();
|
|
28
|
-
const aggregator = createAuditAggregator(eventBus, { windowMs: 5000 });
|
|
29
|
-
aggregator.record({ source: "external_content", patterns: ["pattern_a"] });
|
|
30
|
-
aggregator.record({ source: "external_content", patterns: ["pattern_b"] });
|
|
31
|
-
vi.advanceTimersByTime(5001);
|
|
32
|
-
expect(eventBus.emit).toHaveBeenCalledTimes(1);
|
|
33
|
-
const [eventName, payload] = eventBus.emit.mock.calls[0];
|
|
34
|
-
expect(eventName).toBe("security:injection_detected");
|
|
35
|
-
expect(payload.source).toBe("external_content");
|
|
36
|
-
expect(payload.riskLevel).toBe("medium");
|
|
37
|
-
expect(payload.patterns).toContain("pattern_a");
|
|
38
|
-
expect(payload.patterns).toContain("pattern_b");
|
|
39
|
-
expect(typeof payload.timestamp).toBe("number");
|
|
40
|
-
});
|
|
41
|
-
it("counts unique patterns", () => {
|
|
42
|
-
const eventBus = createMockEventBus();
|
|
43
|
-
const aggregator = createAuditAggregator(eventBus, { windowMs: 5000 });
|
|
44
|
-
aggregator.record({ source: "external_content", patterns: ["a", "b"] });
|
|
45
|
-
aggregator.record({ source: "external_content", patterns: ["b", "c"] });
|
|
46
|
-
vi.advanceTimersByTime(5001);
|
|
47
|
-
const [, payload] = eventBus.emit.mock.calls[0];
|
|
48
|
-
// Should have 3 unique patterns: a, b, c
|
|
49
|
-
expect(payload.patterns).toHaveLength(3);
|
|
50
|
-
expect(payload.patterns).toContain("a");
|
|
51
|
-
expect(payload.patterns).toContain("b");
|
|
52
|
-
expect(payload.patterns).toContain("c");
|
|
53
|
-
});
|
|
54
|
-
it("respects maxPatternsPerSummary cap", () => {
|
|
55
|
-
const eventBus = createMockEventBus();
|
|
56
|
-
const aggregator = createAuditAggregator(eventBus, {
|
|
57
|
-
windowMs: 5000,
|
|
58
|
-
maxPatternsPerSummary: 2,
|
|
59
|
-
});
|
|
60
|
-
aggregator.record({
|
|
61
|
-
source: "external_content",
|
|
62
|
-
patterns: ["a", "b", "c", "d", "e"],
|
|
63
|
-
});
|
|
64
|
-
vi.advanceTimersByTime(5001);
|
|
65
|
-
const [, payload] = eventBus.emit.mock.calls[0];
|
|
66
|
-
expect(payload.patterns).toHaveLength(2);
|
|
67
|
-
});
|
|
68
|
-
it("handles multiple concurrent windows for different sources", () => {
|
|
69
|
-
const eventBus = createMockEventBus();
|
|
70
|
-
const aggregator = createAuditAggregator(eventBus, { windowMs: 5000 });
|
|
71
|
-
aggregator.record({ source: "external_content", patterns: ["a"] });
|
|
72
|
-
aggregator.record({ source: "tool_output", patterns: ["b"] });
|
|
73
|
-
vi.advanceTimersByTime(5001);
|
|
74
|
-
// Two separate summary events -- one per source
|
|
75
|
-
expect(eventBus.emit).toHaveBeenCalledTimes(2);
|
|
76
|
-
const sources = eventBus.emit.mock.calls.map((call) => call[0]);
|
|
77
|
-
expect(sources).toEqual([
|
|
78
|
-
"security:injection_detected",
|
|
79
|
-
"security:injection_detected",
|
|
80
|
-
]);
|
|
81
|
-
});
|
|
82
|
-
it("flush() emits all pending windows immediately", () => {
|
|
83
|
-
const eventBus = createMockEventBus();
|
|
84
|
-
const aggregator = createAuditAggregator(eventBus, { windowMs: 60_000 });
|
|
85
|
-
aggregator.record({ source: "external_content", patterns: ["a"] });
|
|
86
|
-
aggregator.record({ source: "tool_output", patterns: ["b"] });
|
|
87
|
-
// Flush without advancing timers
|
|
88
|
-
aggregator.flush();
|
|
89
|
-
expect(eventBus.emit).toHaveBeenCalledTimes(2);
|
|
90
|
-
});
|
|
91
|
-
it("destroy() clears all timers without emitting", () => {
|
|
92
|
-
const eventBus = createMockEventBus();
|
|
93
|
-
const aggregator = createAuditAggregator(eventBus, { windowMs: 5000 });
|
|
94
|
-
aggregator.record({ source: "external_content", patterns: ["a"] });
|
|
95
|
-
aggregator.record({ source: "tool_output", patterns: ["b"] });
|
|
96
|
-
aggregator.destroy();
|
|
97
|
-
// Advance past window -- nothing should emit
|
|
98
|
-
vi.advanceTimersByTime(10_000);
|
|
99
|
-
expect(eventBus.emit).not.toHaveBeenCalled();
|
|
100
|
-
});
|
|
101
|
-
it("OBS-06: logs INFO summary at window close", () => {
|
|
102
|
-
const eventBus = createMockEventBus();
|
|
103
|
-
const mockLogger = { info: vi.fn() };
|
|
104
|
-
const aggregator = createAuditAggregator(eventBus, { windowMs: 5000 }, mockLogger);
|
|
105
|
-
aggregator.record({ source: "external_content", patterns: ["x"] });
|
|
106
|
-
aggregator.record({ source: "external_content", patterns: ["y"] });
|
|
107
|
-
aggregator.record({ source: "external_content", patterns: ["z"] });
|
|
108
|
-
vi.advanceTimersByTime(5001);
|
|
109
|
-
expect(mockLogger.info).toHaveBeenCalledTimes(1);
|
|
110
|
-
const [logObj, logMsg] = mockLogger.info.mock.calls[0];
|
|
111
|
-
expect(logObj.eventCount).toBe(3);
|
|
112
|
-
expect(logObj.uniquePatterns).toBe(3);
|
|
113
|
-
expect(logObj.suppressedCount).toBe(2); // 3 - 1 = 2
|
|
114
|
-
expect(logObj.windowKey).toBe("external_content");
|
|
115
|
-
expect(logMsg).toBe("Audit aggregation window closed");
|
|
116
|
-
});
|
|
117
|
-
it("accepts new events after window closes for same source", () => {
|
|
118
|
-
const eventBus = createMockEventBus();
|
|
119
|
-
const aggregator = createAuditAggregator(eventBus, { windowMs: 5000 });
|
|
120
|
-
aggregator.record({ source: "external_content", patterns: ["a"] });
|
|
121
|
-
vi.advanceTimersByTime(5001);
|
|
122
|
-
expect(eventBus.emit).toHaveBeenCalledTimes(1);
|
|
123
|
-
// Record again after window closed
|
|
124
|
-
aggregator.record({ source: "external_content", patterns: ["b"] });
|
|
125
|
-
vi.advanceTimersByTime(5001);
|
|
126
|
-
expect(eventBus.emit).toHaveBeenCalledTimes(2);
|
|
127
|
-
});
|
|
128
|
-
});
|
|
@@ -1 +0,0 @@
|
|
|
1
|
-
export {};
|
|
@@ -1,154 +0,0 @@
|
|
|
1
|
-
import { describe, it, expect } from "vitest";
|
|
2
|
-
import { AuditEventSchema, createAuditEvent } from "./audit.js";
|
|
3
|
-
const VALID_PARAMS = {
|
|
4
|
-
tenantId: "tenant-1",
|
|
5
|
-
agentId: "agent-1",
|
|
6
|
-
userId: "user-1",
|
|
7
|
-
actionType: "file.read",
|
|
8
|
-
classification: "read",
|
|
9
|
-
outcome: "success",
|
|
10
|
-
};
|
|
11
|
-
describe("createAuditEvent", () => {
|
|
12
|
-
it("creates a valid audit event with auto-generated id and timestamp", () => {
|
|
13
|
-
const event = createAuditEvent(VALID_PARAMS);
|
|
14
|
-
expect(event.id).toMatch(/^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/);
|
|
15
|
-
expect(event.timestamp).toMatch(/^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}/);
|
|
16
|
-
expect(event.tenantId).toBe("tenant-1");
|
|
17
|
-
expect(event.agentId).toBe("agent-1");
|
|
18
|
-
expect(event.userId).toBe("user-1");
|
|
19
|
-
expect(event.actionType).toBe("file.read");
|
|
20
|
-
expect(event.classification).toBe("read");
|
|
21
|
-
expect(event.outcome).toBe("success");
|
|
22
|
-
});
|
|
23
|
-
it("defaults metadata to empty object when not provided", () => {
|
|
24
|
-
const event = createAuditEvent(VALID_PARAMS);
|
|
25
|
-
expect(event.metadata).toEqual({});
|
|
26
|
-
});
|
|
27
|
-
it("includes metadata when provided", () => {
|
|
28
|
-
const event = createAuditEvent({
|
|
29
|
-
...VALID_PARAMS,
|
|
30
|
-
metadata: { filePath: "/tmp/test.txt", size: 1024 },
|
|
31
|
-
});
|
|
32
|
-
expect(event.metadata).toEqual({ filePath: "/tmp/test.txt", size: 1024 });
|
|
33
|
-
});
|
|
34
|
-
it("includes optional traceId when provided", () => {
|
|
35
|
-
const event = createAuditEvent({
|
|
36
|
-
...VALID_PARAMS,
|
|
37
|
-
traceId: "trace-abc-123",
|
|
38
|
-
});
|
|
39
|
-
expect(event.traceId).toBe("trace-abc-123");
|
|
40
|
-
});
|
|
41
|
-
it("includes optional duration when provided", () => {
|
|
42
|
-
const event = createAuditEvent({
|
|
43
|
-
...VALID_PARAMS,
|
|
44
|
-
duration: 42.5,
|
|
45
|
-
});
|
|
46
|
-
expect(event.duration).toBe(42.5);
|
|
47
|
-
});
|
|
48
|
-
it("generates unique ids for each event", () => {
|
|
49
|
-
const event1 = createAuditEvent(VALID_PARAMS);
|
|
50
|
-
const event2 = createAuditEvent(VALID_PARAMS);
|
|
51
|
-
expect(event1.id).not.toBe(event2.id);
|
|
52
|
-
});
|
|
53
|
-
it("supports all classification types", () => {
|
|
54
|
-
for (const classification of ["read", "mutate", "destructive"]) {
|
|
55
|
-
const event = createAuditEvent({ ...VALID_PARAMS, classification });
|
|
56
|
-
expect(event.classification).toBe(classification);
|
|
57
|
-
}
|
|
58
|
-
});
|
|
59
|
-
it("supports all outcome types", () => {
|
|
60
|
-
for (const outcome of ["success", "failure", "denied"]) {
|
|
61
|
-
const event = createAuditEvent({ ...VALID_PARAMS, outcome });
|
|
62
|
-
expect(event.outcome).toBe(outcome);
|
|
63
|
-
}
|
|
64
|
-
});
|
|
65
|
-
});
|
|
66
|
-
describe("AuditEventSchema", () => {
|
|
67
|
-
it("validates a complete audit event", () => {
|
|
68
|
-
const event = {
|
|
69
|
-
id: "550e8400-e29b-41d4-a716-446655440000",
|
|
70
|
-
timestamp: "2026-01-01T00:00:00.000Z",
|
|
71
|
-
tenantId: "tenant-1",
|
|
72
|
-
agentId: "agent-1",
|
|
73
|
-
userId: "user-1",
|
|
74
|
-
actionType: "file.read",
|
|
75
|
-
classification: "read",
|
|
76
|
-
outcome: "success",
|
|
77
|
-
metadata: {},
|
|
78
|
-
};
|
|
79
|
-
const result = AuditEventSchema.safeParse(event);
|
|
80
|
-
expect(result.success).toBe(true);
|
|
81
|
-
});
|
|
82
|
-
it("rejects invalid UUID", () => {
|
|
83
|
-
const result = AuditEventSchema.safeParse({
|
|
84
|
-
id: "not-a-uuid",
|
|
85
|
-
timestamp: "2026-01-01T00:00:00.000Z",
|
|
86
|
-
tenantId: "t",
|
|
87
|
-
agentId: "a",
|
|
88
|
-
userId: "u",
|
|
89
|
-
actionType: "file.read",
|
|
90
|
-
classification: "read",
|
|
91
|
-
outcome: "success",
|
|
92
|
-
metadata: {},
|
|
93
|
-
});
|
|
94
|
-
expect(result.success).toBe(false);
|
|
95
|
-
});
|
|
96
|
-
it("rejects empty tenantId", () => {
|
|
97
|
-
const result = AuditEventSchema.safeParse({
|
|
98
|
-
id: "550e8400-e29b-41d4-a716-446655440000",
|
|
99
|
-
timestamp: "2026-01-01T00:00:00.000Z",
|
|
100
|
-
tenantId: "",
|
|
101
|
-
agentId: "a",
|
|
102
|
-
userId: "u",
|
|
103
|
-
actionType: "file.read",
|
|
104
|
-
classification: "read",
|
|
105
|
-
outcome: "success",
|
|
106
|
-
metadata: {},
|
|
107
|
-
});
|
|
108
|
-
expect(result.success).toBe(false);
|
|
109
|
-
});
|
|
110
|
-
it("rejects unknown fields (strict mode)", () => {
|
|
111
|
-
const result = AuditEventSchema.safeParse({
|
|
112
|
-
id: "550e8400-e29b-41d4-a716-446655440000",
|
|
113
|
-
timestamp: "2026-01-01T00:00:00.000Z",
|
|
114
|
-
tenantId: "t",
|
|
115
|
-
agentId: "a",
|
|
116
|
-
userId: "u",
|
|
117
|
-
actionType: "file.read",
|
|
118
|
-
classification: "read",
|
|
119
|
-
outcome: "success",
|
|
120
|
-
metadata: {},
|
|
121
|
-
extraField: "should-fail",
|
|
122
|
-
});
|
|
123
|
-
expect(result.success).toBe(false);
|
|
124
|
-
});
|
|
125
|
-
it("rejects negative duration", () => {
|
|
126
|
-
const result = AuditEventSchema.safeParse({
|
|
127
|
-
id: "550e8400-e29b-41d4-a716-446655440000",
|
|
128
|
-
timestamp: "2026-01-01T00:00:00.000Z",
|
|
129
|
-
tenantId: "t",
|
|
130
|
-
agentId: "a",
|
|
131
|
-
userId: "u",
|
|
132
|
-
actionType: "file.read",
|
|
133
|
-
classification: "read",
|
|
134
|
-
outcome: "success",
|
|
135
|
-
metadata: {},
|
|
136
|
-
duration: -1,
|
|
137
|
-
});
|
|
138
|
-
expect(result.success).toBe(false);
|
|
139
|
-
});
|
|
140
|
-
it("rejects invalid classification", () => {
|
|
141
|
-
const result = AuditEventSchema.safeParse({
|
|
142
|
-
id: "550e8400-e29b-41d4-a716-446655440000",
|
|
143
|
-
timestamp: "2026-01-01T00:00:00.000Z",
|
|
144
|
-
tenantId: "t",
|
|
145
|
-
agentId: "a",
|
|
146
|
-
userId: "u",
|
|
147
|
-
actionType: "file.read",
|
|
148
|
-
classification: "unknown",
|
|
149
|
-
outcome: "success",
|
|
150
|
-
metadata: {},
|
|
151
|
-
});
|
|
152
|
-
expect(result.success).toBe(false);
|
|
153
|
-
});
|
|
154
|
-
});
|
|
@@ -1 +0,0 @@
|
|
|
1
|
-
export {};
|
|
@@ -1,45 +0,0 @@
|
|
|
1
|
-
import { describe, it, expect } from "vitest";
|
|
2
|
-
import { generateCanaryToken, detectCanaryLeakage } from "./canary-token.js";
|
|
3
|
-
describe("generateCanaryToken", () => {
|
|
4
|
-
it("produces deterministic output for same session + secret", () => {
|
|
5
|
-
const token1 = generateCanaryToken("default:alice:ch-1", "test-secret");
|
|
6
|
-
const token2 = generateCanaryToken("default:alice:ch-1", "test-secret");
|
|
7
|
-
expect(token1).toBe(token2);
|
|
8
|
-
});
|
|
9
|
-
it("produces different tokens for different sessions", () => {
|
|
10
|
-
const token1 = generateCanaryToken("default:alice:ch-1", "test-secret");
|
|
11
|
-
const token2 = generateCanaryToken("default:bob:ch-2", "test-secret");
|
|
12
|
-
expect(token1).not.toBe(token2);
|
|
13
|
-
});
|
|
14
|
-
it("produces different tokens for different secrets", () => {
|
|
15
|
-
const token1 = generateCanaryToken("default:alice:ch-1", "secret-a");
|
|
16
|
-
const token2 = generateCanaryToken("default:alice:ch-1", "secret-b");
|
|
17
|
-
expect(token1).not.toBe(token2);
|
|
18
|
-
});
|
|
19
|
-
it('returns a token matching format "CTKN_" followed by 16 hex chars', () => {
|
|
20
|
-
const token = generateCanaryToken("default:alice:ch-1", "test-secret");
|
|
21
|
-
expect(token).toMatch(/^CTKN_[a-f0-9]{16}$/);
|
|
22
|
-
});
|
|
23
|
-
});
|
|
24
|
-
describe("detectCanaryLeakage", () => {
|
|
25
|
-
it("returns true when response contains the canary token", () => {
|
|
26
|
-
const canary = generateCanaryToken("default:alice:ch-1", "test-secret");
|
|
27
|
-
const response = `Here is some text with ${canary} embedded in it.`;
|
|
28
|
-
expect(detectCanaryLeakage(response, canary)).toBe(true);
|
|
29
|
-
});
|
|
30
|
-
it("returns false when response does not contain the canary token", () => {
|
|
31
|
-
const canary = generateCanaryToken("default:alice:ch-1", "test-secret");
|
|
32
|
-
const response = "This response has no canary token in it.";
|
|
33
|
-
expect(detectCanaryLeakage(response, canary)).toBe(false);
|
|
34
|
-
});
|
|
35
|
-
it("returns true when canary is at the start of the response", () => {
|
|
36
|
-
const canary = generateCanaryToken("default:alice:ch-1", "test-secret");
|
|
37
|
-
const response = `${canary} starts this response.`;
|
|
38
|
-
expect(detectCanaryLeakage(response, canary)).toBe(true);
|
|
39
|
-
});
|
|
40
|
-
it("returns true when canary is at the end of the response", () => {
|
|
41
|
-
const canary = generateCanaryToken("default:alice:ch-1", "test-secret");
|
|
42
|
-
const response = `This response ends with ${canary}`;
|
|
43
|
-
expect(detectCanaryLeakage(response, canary)).toBe(true);
|
|
44
|
-
});
|
|
45
|
-
});
|
|
@@ -1 +0,0 @@
|
|
|
1
|
-
export {};
|