comisai 1.0.10 → 1.0.12

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (251) hide show
  1. package/README.md +3 -3
  2. package/node_modules/@comis/agent/dist/executor/pi-executor.d.ts +1 -4
  3. package/node_modules/@comis/agent/package.json +1 -1
  4. package/node_modules/@comis/channels/package.json +1 -1
  5. package/node_modules/@comis/cli/dist/wizard/steps/06-channels.js +88 -11
  6. package/node_modules/@comis/cli/dist/wizard/steps/10-write-config.js +4 -0
  7. package/node_modules/@comis/cli/dist/wizard/types.d.ts +1 -0
  8. package/node_modules/@comis/cli/package.json +1 -1
  9. package/node_modules/@comis/core/package.json +1 -1
  10. package/node_modules/@comis/daemon/package.json +1 -1
  11. package/node_modules/@comis/gateway/package.json +1 -1
  12. package/node_modules/@comis/infra/package.json +1 -1
  13. package/node_modules/@comis/memory/package.json +1 -1
  14. package/node_modules/@comis/scheduler/package.json +1 -1
  15. package/node_modules/@comis/shared/package.json +1 -1
  16. package/node_modules/@comis/skills/package.json +1 -1
  17. package/package.json +18 -18
  18. package/node_modules/@comis/core/dist/approval/approval-gate.test.d.ts +0 -1
  19. package/node_modules/@comis/core/dist/approval/approval-gate.test.js +0 -1003
  20. package/node_modules/@comis/core/dist/bootstrap.test.d.ts +0 -1
  21. package/node_modules/@comis/core/dist/bootstrap.test.js +0 -150
  22. package/node_modules/@comis/core/dist/config/backup.test.d.ts +0 -1
  23. package/node_modules/@comis/core/dist/config/backup.test.js +0 -160
  24. package/node_modules/@comis/core/dist/config/env-substitution.test.d.ts +0 -1
  25. package/node_modules/@comis/core/dist/config/env-substitution.test.js +0 -259
  26. package/node_modules/@comis/core/dist/config/field-metadata.test.d.ts +0 -1
  27. package/node_modules/@comis/core/dist/config/field-metadata.test.js +0 -72
  28. package/node_modules/@comis/core/dist/config/git-manager.test.d.ts +0 -1
  29. package/node_modules/@comis/core/dist/config/git-manager.test.js +0 -1042
  30. package/node_modules/@comis/core/dist/config/immutable-keys.test.d.ts +0 -1
  31. package/node_modules/@comis/core/dist/config/immutable-keys.test.js +0 -283
  32. package/node_modules/@comis/core/dist/config/include-resolver.test.d.ts +0 -1
  33. package/node_modules/@comis/core/dist/config/include-resolver.test.js +0 -292
  34. package/node_modules/@comis/core/dist/config/layered.test.d.ts +0 -1
  35. package/node_modules/@comis/core/dist/config/layered.test.js +0 -211
  36. package/node_modules/@comis/core/dist/config/loader.test.d.ts +0 -1
  37. package/node_modules/@comis/core/dist/config/loader.test.js +0 -300
  38. package/node_modules/@comis/core/dist/config/migrate.test.d.ts +0 -1
  39. package/node_modules/@comis/core/dist/config/migrate.test.js +0 -244
  40. package/node_modules/@comis/core/dist/config/partial-validator.test.d.ts +0 -1
  41. package/node_modules/@comis/core/dist/config/partial-validator.test.js +0 -98
  42. package/node_modules/@comis/core/dist/config/schema-agent-model.test.d.ts +0 -1
  43. package/node_modules/@comis/core/dist/config/schema-agent-model.test.js +0 -279
  44. package/node_modules/@comis/core/dist/config/schema-agent-session.test.d.ts +0 -1
  45. package/node_modules/@comis/core/dist/config/schema-agent-session.test.js +0 -242
  46. package/node_modules/@comis/core/dist/config/schema-agent.test.d.ts +0 -1
  47. package/node_modules/@comis/core/dist/config/schema-agent.test.js +0 -645
  48. package/node_modules/@comis/core/dist/config/schema-channel.test.d.ts +0 -1
  49. package/node_modules/@comis/core/dist/config/schema-channel.test.js +0 -341
  50. package/node_modules/@comis/core/dist/config/schema-coalescer.test.d.ts +0 -1
  51. package/node_modules/@comis/core/dist/config/schema-coalescer.test.js +0 -51
  52. package/node_modules/@comis/core/dist/config/schema-context-engine.test.d.ts +0 -1
  53. package/node_modules/@comis/core/dist/config/schema-context-engine.test.js +0 -797
  54. package/node_modules/@comis/core/dist/config/schema-context-guard.test.d.ts +0 -1
  55. package/node_modules/@comis/core/dist/config/schema-context-guard.test.js +0 -111
  56. package/node_modules/@comis/core/dist/config/schema-daemon.test.d.ts +0 -1
  57. package/node_modules/@comis/core/dist/config/schema-daemon.test.js +0 -107
  58. package/node_modules/@comis/core/dist/config/schema-delivery-timing.test.d.ts +0 -1
  59. package/node_modules/@comis/core/dist/config/schema-delivery-timing.test.js +0 -51
  60. package/node_modules/@comis/core/dist/config/schema-documentation.test.d.ts +0 -1
  61. package/node_modules/@comis/core/dist/config/schema-documentation.test.js +0 -63
  62. package/node_modules/@comis/core/dist/config/schema-gateway.test.d.ts +0 -1
  63. package/node_modules/@comis/core/dist/config/schema-gateway.test.js +0 -219
  64. package/node_modules/@comis/core/dist/config/schema-gemini-cache.test.d.ts +0 -1
  65. package/node_modules/@comis/core/dist/config/schema-gemini-cache.test.js +0 -41
  66. package/node_modules/@comis/core/dist/config/schema-integrations.test.d.ts +0 -1
  67. package/node_modules/@comis/core/dist/config/schema-integrations.test.js +0 -92
  68. package/node_modules/@comis/core/dist/config/schema-lifecycle-reactions.test.d.ts +0 -1
  69. package/node_modules/@comis/core/dist/config/schema-lifecycle-reactions.test.js +0 -61
  70. package/node_modules/@comis/core/dist/config/schema-misc.test.d.ts +0 -1
  71. package/node_modules/@comis/core/dist/config/schema-misc.test.js +0 -394
  72. package/node_modules/@comis/core/dist/config/schema-observability.test.d.ts +0 -1
  73. package/node_modules/@comis/core/dist/config/schema-observability.test.js +0 -76
  74. package/node_modules/@comis/core/dist/config/schema-providers.test.d.ts +0 -1
  75. package/node_modules/@comis/core/dist/config/schema-providers.test.js +0 -294
  76. package/node_modules/@comis/core/dist/config/schema-queue.test.d.ts +0 -1
  77. package/node_modules/@comis/core/dist/config/schema-queue.test.js +0 -234
  78. package/node_modules/@comis/core/dist/config/schema-response-prefix.test.d.ts +0 -1
  79. package/node_modules/@comis/core/dist/config/schema-response-prefix.test.js +0 -36
  80. package/node_modules/@comis/core/dist/config/schema-security.test.d.ts +0 -1
  81. package/node_modules/@comis/core/dist/config/schema-security.test.js +0 -54
  82. package/node_modules/@comis/core/dist/config/schema-sender-trust-display.test.d.ts +0 -1
  83. package/node_modules/@comis/core/dist/config/schema-sender-trust-display.test.js +0 -60
  84. package/node_modules/@comis/core/dist/config/schema-serializer.test.d.ts +0 -1
  85. package/node_modules/@comis/core/dist/config/schema-serializer.test.js +0 -73
  86. package/node_modules/@comis/core/dist/config/schema-telegram-file-guard.test.d.ts +0 -1
  87. package/node_modules/@comis/core/dist/config/schema-telegram-file-guard.test.js +0 -39
  88. package/node_modules/@comis/core/dist/context/context.test.d.ts +0 -1
  89. package/node_modules/@comis/core/dist/context/context.test.js +0 -276
  90. package/node_modules/@comis/core/dist/domain/agent-response.test.d.ts +0 -1
  91. package/node_modules/@comis/core/dist/domain/agent-response.test.js +0 -159
  92. package/node_modules/@comis/core/dist/domain/credential-mapping.test.d.ts +0 -1
  93. package/node_modules/@comis/core/dist/domain/credential-mapping.test.js +0 -135
  94. package/node_modules/@comis/core/dist/domain/delivery-origin.test.d.ts +0 -1
  95. package/node_modules/@comis/core/dist/domain/delivery-origin.test.js +0 -68
  96. package/node_modules/@comis/core/dist/domain/execution-graph.test.d.ts +0 -1
  97. package/node_modules/@comis/core/dist/domain/execution-graph.test.js +0 -441
  98. package/node_modules/@comis/core/dist/domain/memory-entry.test.d.ts +0 -1
  99. package/node_modules/@comis/core/dist/domain/memory-entry.test.js +0 -193
  100. package/node_modules/@comis/core/dist/domain/normalized-message.test.d.ts +0 -1
  101. package/node_modules/@comis/core/dist/domain/normalized-message.test.js +0 -255
  102. package/node_modules/@comis/core/dist/domain/session-key.test.d.ts +0 -1
  103. package/node_modules/@comis/core/dist/domain/session-key.test.js +0 -291
  104. package/node_modules/@comis/core/dist/domain/subagent-context-config.test.d.ts +0 -1
  105. package/node_modules/@comis/core/dist/domain/subagent-context-config.test.js +0 -131
  106. package/node_modules/@comis/core/dist/domain/subagent-context-types.test.d.ts +0 -1
  107. package/node_modules/@comis/core/dist/domain/subagent-context-types.test.js +0 -182
  108. package/node_modules/@comis/core/dist/event-bus/bus.test.d.ts +0 -1
  109. package/node_modules/@comis/core/dist/event-bus/bus.test.js +0 -152
  110. package/node_modules/@comis/core/dist/event-bus/events-agent.test.d.ts +0 -1
  111. package/node_modules/@comis/core/dist/event-bus/events-agent.test.js +0 -409
  112. package/node_modules/@comis/core/dist/event-bus/events-channel.test.d.ts +0 -1
  113. package/node_modules/@comis/core/dist/event-bus/events-channel.test.js +0 -240
  114. package/node_modules/@comis/core/dist/event-bus/events-infra.test.d.ts +0 -1
  115. package/node_modules/@comis/core/dist/event-bus/events-infra.test.js +0 -416
  116. package/node_modules/@comis/core/dist/event-bus/events-messaging.test.d.ts +0 -1
  117. package/node_modules/@comis/core/dist/event-bus/events-messaging.test.js +0 -433
  118. package/node_modules/@comis/core/dist/event-bus/events.test.d.ts +0 -1
  119. package/node_modules/@comis/core/dist/event-bus/events.test.js +0 -93
  120. package/node_modules/@comis/core/dist/hooks/hook-runner-global.test.d.ts +0 -1
  121. package/node_modules/@comis/core/dist/hooks/hook-runner-global.test.js +0 -29
  122. package/node_modules/@comis/core/dist/hooks/hook-runner.test.d.ts +0 -1
  123. package/node_modules/@comis/core/dist/hooks/hook-runner.test.js +0 -490
  124. package/node_modules/@comis/core/dist/hooks/hook-strategies.test.d.ts +0 -1
  125. package/node_modules/@comis/core/dist/hooks/hook-strategies.test.js +0 -209
  126. package/node_modules/@comis/core/dist/hooks/integration.test.d.ts +0 -1
  127. package/node_modules/@comis/core/dist/hooks/integration.test.js +0 -235
  128. package/node_modules/@comis/core/dist/hooks/plugin-registry.test.d.ts +0 -1
  129. package/node_modules/@comis/core/dist/hooks/plugin-registry.test.js +0 -470
  130. package/node_modules/@comis/core/dist/load-env.test.d.ts +0 -1
  131. package/node_modules/@comis/core/dist/load-env.test.js +0 -21
  132. package/node_modules/@comis/core/dist/security/action-classifier.test.d.ts +0 -1
  133. package/node_modules/@comis/core/dist/security/action-classifier.test.js +0 -298
  134. package/node_modules/@comis/core/dist/security/audit-aggregator.test.d.ts +0 -1
  135. package/node_modules/@comis/core/dist/security/audit-aggregator.test.js +0 -128
  136. package/node_modules/@comis/core/dist/security/audit.test.d.ts +0 -1
  137. package/node_modules/@comis/core/dist/security/audit.test.js +0 -154
  138. package/node_modules/@comis/core/dist/security/canary-token.test.d.ts +0 -1
  139. package/node_modules/@comis/core/dist/security/canary-token.test.js +0 -45
  140. package/node_modules/@comis/core/dist/security/config-redaction.test.d.ts +0 -1
  141. package/node_modules/@comis/core/dist/security/config-redaction.test.js +0 -107
  142. package/node_modules/@comis/core/dist/security/external-content.test.d.ts +0 -1
  143. package/node_modules/@comis/core/dist/security/external-content.test.js +0 -210
  144. package/node_modules/@comis/core/dist/security/injection-patterns.test.d.ts +0 -1
  145. package/node_modules/@comis/core/dist/security/injection-patterns.test.js +0 -213
  146. package/node_modules/@comis/core/dist/security/injection-rate-limiter.test.d.ts +0 -1
  147. package/node_modules/@comis/core/dist/security/injection-rate-limiter.test.js +0 -194
  148. package/node_modules/@comis/core/dist/security/input-guard.test.d.ts +0 -1
  149. package/node_modules/@comis/core/dist/security/input-guard.test.js +0 -215
  150. package/node_modules/@comis/core/dist/security/input-security-guard.test.d.ts +0 -1
  151. package/node_modules/@comis/core/dist/security/input-security-guard.test.js +0 -215
  152. package/node_modules/@comis/core/dist/security/input-validator.test.d.ts +0 -1
  153. package/node_modules/@comis/core/dist/security/input-validator.test.js +0 -133
  154. package/node_modules/@comis/core/dist/security/log-sanitizer.test.d.ts +0 -1
  155. package/node_modules/@comis/core/dist/security/log-sanitizer.test.js +0 -260
  156. package/node_modules/@comis/core/dist/security/memory-write-validator.test.d.ts +0 -1
  157. package/node_modules/@comis/core/dist/security/memory-write-validator.test.js +0 -62
  158. package/node_modules/@comis/core/dist/security/output-guard.test.d.ts +0 -1
  159. package/node_modules/@comis/core/dist/security/output-guard.test.js +0 -397
  160. package/node_modules/@comis/core/dist/security/safe-path.test.d.ts +0 -1
  161. package/node_modules/@comis/core/dist/security/safe-path.test.js +0 -95
  162. package/node_modules/@comis/core/dist/security/scoped-secret-manager.test.d.ts +0 -1
  163. package/node_modules/@comis/core/dist/security/scoped-secret-manager.test.js +0 -231
  164. package/node_modules/@comis/core/dist/security/secret-access.test.d.ts +0 -1
  165. package/node_modules/@comis/core/dist/security/secret-access.test.js +0 -41
  166. package/node_modules/@comis/core/dist/security/secret-crypto.test.d.ts +0 -1
  167. package/node_modules/@comis/core/dist/security/secret-crypto.test.js +0 -113
  168. package/node_modules/@comis/core/dist/security/secret-manager.test.d.ts +0 -1
  169. package/node_modules/@comis/core/dist/security/secret-manager.test.js +0 -394
  170. package/node_modules/@comis/core/dist/security/secret-ref-resolver.test.d.ts +0 -1
  171. package/node_modules/@comis/core/dist/security/secret-ref-resolver.test.js +0 -268
  172. package/node_modules/@comis/core/dist/security/secrets-audit.test.d.ts +0 -10
  173. package/node_modules/@comis/core/dist/security/secrets-audit.test.js +0 -295
  174. package/node_modules/@comis/core/dist/security/ssrf-guard.test.d.ts +0 -1
  175. package/node_modules/@comis/core/dist/security/ssrf-guard.test.js +0 -127
  176. package/node_modules/@comis/core/dist/security/token-generator.test.d.ts +0 -1
  177. package/node_modules/@comis/core/dist/security/token-generator.test.js +0 -35
  178. package/node_modules/@comis/core/dist/tool-metadata.test.d.ts +0 -1
  179. package/node_modules/@comis/core/dist/tool-metadata.test.js +0 -112
  180. package/node_modules/@comis/memory/dist/compaction.test.d.ts +0 -1
  181. package/node_modules/@comis/memory/dist/compaction.test.js +0 -298
  182. package/node_modules/@comis/memory/dist/context-schema.test.d.ts +0 -1
  183. package/node_modules/@comis/memory/dist/context-schema.test.js +0 -246
  184. package/node_modules/@comis/memory/dist/context-store.test.d.ts +0 -1
  185. package/node_modules/@comis/memory/dist/context-store.test.js +0 -708
  186. package/node_modules/@comis/memory/dist/credential-mapping-schema.test.d.ts +0 -7
  187. package/node_modules/@comis/memory/dist/credential-mapping-schema.test.js +0 -73
  188. package/node_modules/@comis/memory/dist/credential-mapping-store.test.d.ts +0 -8
  189. package/node_modules/@comis/memory/dist/credential-mapping-store.test.js +0 -340
  190. package/node_modules/@comis/memory/dist/delivery-mirror-adapter.test.d.ts +0 -1
  191. package/node_modules/@comis/memory/dist/delivery-mirror-adapter.test.js +0 -165
  192. package/node_modules/@comis/memory/dist/delivery-queue-adapter.test.d.ts +0 -1
  193. package/node_modules/@comis/memory/dist/delivery-queue-adapter.test.js +0 -263
  194. package/node_modules/@comis/memory/dist/embedding-batch-indexer.test.d.ts +0 -1
  195. package/node_modules/@comis/memory/dist/embedding-batch-indexer.test.js +0 -202
  196. package/node_modules/@comis/memory/dist/embedding-cache-lru.test.d.ts +0 -1
  197. package/node_modules/@comis/memory/dist/embedding-cache-lru.test.js +0 -241
  198. package/node_modules/@comis/memory/dist/embedding-cache-sqlite.test.d.ts +0 -8
  199. package/node_modules/@comis/memory/dist/embedding-cache-sqlite.test.js +0 -678
  200. package/node_modules/@comis/memory/dist/embedding-cache.test.d.ts +0 -1
  201. package/node_modules/@comis/memory/dist/embedding-cache.test.js +0 -213
  202. package/node_modules/@comis/memory/dist/embedding-fingerprint.test.d.ts +0 -1
  203. package/node_modules/@comis/memory/dist/embedding-fingerprint.test.js +0 -87
  204. package/node_modules/@comis/memory/dist/embedding-hash.test.d.ts +0 -1
  205. package/node_modules/@comis/memory/dist/embedding-hash.test.js +0 -31
  206. package/node_modules/@comis/memory/dist/embedding-integration.test.d.ts +0 -8
  207. package/node_modules/@comis/memory/dist/embedding-integration.test.js +0 -232
  208. package/node_modules/@comis/memory/dist/embedding-provider-factory.test.d.ts +0 -1
  209. package/node_modules/@comis/memory/dist/embedding-provider-factory.test.js +0 -176
  210. package/node_modules/@comis/memory/dist/embedding-provider-local.test.d.ts +0 -8
  211. package/node_modules/@comis/memory/dist/embedding-provider-local.test.js +0 -76
  212. package/node_modules/@comis/memory/dist/embedding-provider-openai.test.d.ts +0 -8
  213. package/node_modules/@comis/memory/dist/embedding-provider-openai.test.js +0 -100
  214. package/node_modules/@comis/memory/dist/embedding-queue.test.d.ts +0 -1
  215. package/node_modules/@comis/memory/dist/embedding-queue.test.js +0 -236
  216. package/node_modules/@comis/memory/dist/hybrid-search.test.d.ts +0 -1
  217. package/node_modules/@comis/memory/dist/hybrid-search.test.js +0 -476
  218. package/node_modules/@comis/memory/dist/identity-link-store.test.d.ts +0 -1
  219. package/node_modules/@comis/memory/dist/identity-link-store.test.js +0 -88
  220. package/node_modules/@comis/memory/dist/memory-api.test.d.ts +0 -1
  221. package/node_modules/@comis/memory/dist/memory-api.test.js +0 -495
  222. package/node_modules/@comis/memory/dist/memory-concurrency.test.d.ts +0 -20
  223. package/node_modules/@comis/memory/dist/memory-concurrency.test.js +0 -222
  224. package/node_modules/@comis/memory/dist/named-graph-store.test.d.ts +0 -1
  225. package/node_modules/@comis/memory/dist/named-graph-store.test.js +0 -227
  226. package/node_modules/@comis/memory/dist/observability-store.test.d.ts +0 -1
  227. package/node_modules/@comis/memory/dist/observability-store.test.js +0 -704
  228. package/node_modules/@comis/memory/dist/row-mapper.test.d.ts +0 -1
  229. package/node_modules/@comis/memory/dist/row-mapper.test.js +0 -409
  230. package/node_modules/@comis/memory/dist/schema.test.d.ts +0 -1
  231. package/node_modules/@comis/memory/dist/schema.test.js +0 -240
  232. package/node_modules/@comis/memory/dist/secret-store-schema.test.d.ts +0 -7
  233. package/node_modules/@comis/memory/dist/secret-store-schema.test.js +0 -90
  234. package/node_modules/@comis/memory/dist/session-store.test.d.ts +0 -1
  235. package/node_modules/@comis/memory/dist/session-store.test.js +0 -262
  236. package/node_modules/@comis/memory/dist/setup-secrets.test.d.ts +0 -1
  237. package/node_modules/@comis/memory/dist/setup-secrets.test.js +0 -140
  238. package/node_modules/@comis/memory/dist/sqlite-memory-adapter.test.d.ts +0 -1
  239. package/node_modules/@comis/memory/dist/sqlite-memory-adapter.test.js +0 -888
  240. package/node_modules/@comis/memory/dist/sqlite-secret-store.test.d.ts +0 -8
  241. package/node_modules/@comis/memory/dist/sqlite-secret-store.test.js +0 -245
  242. package/node_modules/@comis/shared/dist/abort.test.d.ts +0 -1
  243. package/node_modules/@comis/shared/dist/abort.test.js +0 -71
  244. package/node_modules/@comis/shared/dist/result.test.d.ts +0 -1
  245. package/node_modules/@comis/shared/dist/result.test.js +0 -178
  246. package/node_modules/@comis/shared/dist/suppress-error.test.d.ts +0 -1
  247. package/node_modules/@comis/shared/dist/suppress-error.test.js +0 -50
  248. package/node_modules/@comis/shared/dist/timeout.test.d.ts +0 -1
  249. package/node_modules/@comis/shared/dist/timeout.test.js +0 -75
  250. package/node_modules/@comis/shared/dist/ttl-cache.test.d.ts +0 -1
  251. package/node_modules/@comis/shared/dist/ttl-cache.test.js +0 -81
@@ -1,295 +0,0 @@
1
- /**
2
- * Unit tests for secrets audit scanner.
3
- *
4
- * Tests scanConfigForSecrets, scanEnvForSecrets, and auditSecrets
5
- * covering config YAML scanning, .env scanning, SecretRef detection,
6
- * and combined audit scenarios.
7
- *
8
- * @module
9
- */
10
- import { describe, it, expect, beforeEach, afterEach } from "vitest";
11
- import { writeFileSync, rmSync, mkdtempSync } from "node:fs";
12
- import { tmpdir } from "node:os";
13
- import { join } from "node:path";
14
- import { scanConfigForSecrets, scanEnvForSecrets, auditSecrets, } from "./secrets-audit.js";
15
- // ── scanConfigForSecrets ───────────────────────────────────────────
16
- describe("scanConfigForSecrets", () => {
17
- it("detects plaintext botToken string", () => {
18
- const config = {
19
- channels: {
20
- telegram: {
21
- botToken: "123456:ABC-DEF",
22
- enabled: true,
23
- },
24
- },
25
- };
26
- const findings = scanConfigForSecrets("/etc/comis/config.yaml", config);
27
- expect(findings).toHaveLength(1);
28
- expect(findings[0]).toEqual({
29
- code: "PLAINTEXT_SECRET",
30
- severity: "error",
31
- file: "/etc/comis/config.yaml",
32
- jsonPath: "channels.telegram.botToken",
33
- message: expect.stringContaining("Plaintext secret detected in field 'botToken'"),
34
- });
35
- });
36
- it("skips SecretRef objects (properly configured)", () => {
37
- const config = {
38
- channels: {
39
- telegram: {
40
- botToken: {
41
- source: "env",
42
- provider: "comis",
43
- id: "TELEGRAM_BOT_TOKEN",
44
- },
45
- },
46
- },
47
- };
48
- const findings = scanConfigForSecrets("/etc/comis/config.yaml", config);
49
- expect(findings).toHaveLength(0);
50
- });
51
- it("skips empty string values", () => {
52
- const config = {
53
- channels: {
54
- telegram: {
55
- botToken: "",
56
- },
57
- },
58
- };
59
- const findings = scanConfigForSecrets("/etc/comis/config.yaml", config);
60
- expect(findings).toHaveLength(0);
61
- });
62
- it("detects multiple nested secrets", () => {
63
- const config = {
64
- channels: {
65
- telegram: {
66
- botToken: "tg-token-value",
67
- },
68
- slack: {
69
- appToken: "xapp-slack-token",
70
- },
71
- },
72
- };
73
- const findings = scanConfigForSecrets("/config.yaml", config);
74
- expect(findings).toHaveLength(2);
75
- expect(findings[0].jsonPath).toBe("channels.telegram.botToken");
76
- expect(findings[1].jsonPath).toBe("channels.slack.appToken");
77
- });
78
- it("does not flag non-secret fields", () => {
79
- const config = {
80
- channels: {
81
- telegram: {
82
- enabled: true,
83
- chatId: "12345",
84
- pollingTimeout: 30,
85
- },
86
- },
87
- };
88
- const findings = scanConfigForSecrets("/config.yaml", config);
89
- expect(findings).toHaveLength(0);
90
- });
91
- it("handles array bracket notation in jsonPath", () => {
92
- const config = {
93
- gateway: {
94
- tokens: [
95
- { secret: "my-secret-token", label: "admin" },
96
- ],
97
- },
98
- };
99
- const findings = scanConfigForSecrets("/config.yaml", config);
100
- expect(findings).toHaveLength(1);
101
- expect(findings[0].jsonPath).toBe("gateway.tokens[0].secret");
102
- });
103
- it("handles deeply nested objects", () => {
104
- const config = {
105
- level1: {
106
- level2: {
107
- level3: {
108
- apiKey: "deep-api-key",
109
- },
110
- },
111
- },
112
- };
113
- const findings = scanConfigForSecrets("/config.yaml", config);
114
- expect(findings).toHaveLength(1);
115
- expect(findings[0].jsonPath).toBe("level1.level2.level3.apiKey");
116
- });
117
- it("detects various secret field name patterns", () => {
118
- const config = {
119
- myPassword: "pass123",
120
- someCredential: "cred456",
121
- private_key: "key789",
122
- api_key: "apikey000",
123
- };
124
- const findings = scanConfigForSecrets("/config.yaml", config);
125
- expect(findings).toHaveLength(4);
126
- });
127
- it("handles empty config object", () => {
128
- const findings = scanConfigForSecrets("/config.yaml", {});
129
- expect(findings).toHaveLength(0);
130
- });
131
- });
132
- // ── scanEnvForSecrets ──────────────────────────────────────────────
133
- describe("scanEnvForSecrets", () => {
134
- it("detects ANTHROPIC_API_KEY", () => {
135
- const env = {
136
- ANTHROPIC_API_KEY: "sk-ant-test-key",
137
- };
138
- const findings = scanEnvForSecrets("/home/user/.comis/.env", env);
139
- expect(findings).toHaveLength(1);
140
- expect(findings[0]).toEqual({
141
- code: "KNOWN_PROVIDER_ENV",
142
- severity: "warn",
143
- file: "/home/user/.comis/.env",
144
- jsonPath: "ANTHROPIC_API_KEY",
145
- message: expect.stringContaining("anthropic"),
146
- });
147
- });
148
- it("skips PATH and HOME", () => {
149
- const env = {
150
- PATH: "/usr/bin:/usr/local/bin",
151
- HOME: "/home/user",
152
- };
153
- const findings = scanEnvForSecrets("/.env", env);
154
- expect(findings).toHaveLength(0);
155
- });
156
- it("skips COMIS_ prefixed vars", () => {
157
- const env = {
158
- COMIS_CONFIG_PATHS: "/etc/comis/config.yaml",
159
- };
160
- const findings = scanEnvForSecrets("/.env", env);
161
- expect(findings).toHaveLength(0);
162
- });
163
- it("detects CUSTOM_API_KEY via wildcard pattern", () => {
164
- const env = {
165
- CUSTOM_API_KEY: "custom-key-value",
166
- };
167
- const findings = scanEnvForSecrets("/.env", env);
168
- expect(findings).toHaveLength(1);
169
- expect(findings[0].code).toBe("KNOWN_PROVIDER_ENV");
170
- expect(findings[0].message).toContain("unknown");
171
- });
172
- it("skips empty values", () => {
173
- const env = {
174
- OPENAI_API_KEY: "",
175
- };
176
- const findings = scanEnvForSecrets("/.env", env);
177
- expect(findings).toHaveLength(0);
178
- });
179
- it("skips undefined values", () => {
180
- const env = {
181
- OPENAI_API_KEY: undefined,
182
- };
183
- const findings = scanEnvForSecrets("/.env", env);
184
- expect(findings).toHaveLength(0);
185
- });
186
- it("detects multiple known providers", () => {
187
- const env = {
188
- OPENAI_API_KEY: "sk-test",
189
- DISCORD_BOT_TOKEN: "discord-token",
190
- SLACK_SIGNING_SECRET: "slack-secret",
191
- };
192
- const findings = scanEnvForSecrets("/.env", env);
193
- expect(findings).toHaveLength(3);
194
- const providers = findings.map(f => f.message);
195
- expect(providers.some(m => m.includes("openai"))).toBe(true);
196
- expect(providers.some(m => m.includes("discord"))).toBe(true);
197
- expect(providers.some(m => m.includes("slack"))).toBe(true);
198
- });
199
- it("skips NODE_ prefixed vars", () => {
200
- const env = {
201
- NODE_ENV: "production",
202
- NODE_OPTIONS: "--max-old-space-size=4096",
203
- };
204
- const findings = scanEnvForSecrets("/.env", env);
205
- expect(findings).toHaveLength(0);
206
- });
207
- });
208
- // ── auditSecrets ───────────────────────────────────────────────────
209
- describe("auditSecrets", () => {
210
- let tempDir;
211
- beforeEach(() => {
212
- tempDir = mkdtempSync(join(tmpdir(), "comis-audit-test-"));
213
- });
214
- afterEach(() => {
215
- rmSync(tempDir, { recursive: true, force: true });
216
- });
217
- it("returns empty array when no files exist", () => {
218
- const findings = auditSecrets({
219
- configPaths: [join(tempDir, "nonexistent.yaml")],
220
- envPath: join(tempDir, "nonexistent.env"),
221
- });
222
- expect(findings).toEqual([]);
223
- });
224
- it("returns empty array for empty config paths", () => {
225
- const findings = auditSecrets({
226
- configPaths: [],
227
- });
228
- expect(findings).toEqual([]);
229
- });
230
- it("scans YAML config file for plaintext secrets", () => {
231
- const configPath = join(tempDir, "config.yaml");
232
- writeFileSync(configPath, `
233
- channels:
234
- telegram:
235
- botToken: "plaintext-token"
236
- enabled: true
237
- `);
238
- const findings = auditSecrets({
239
- configPaths: [configPath],
240
- });
241
- expect(findings).toHaveLength(1);
242
- expect(findings[0].code).toBe("PLAINTEXT_SECRET");
243
- expect(findings[0].jsonPath).toBe("channels.telegram.botToken");
244
- });
245
- it("scans .env file for known provider secrets", () => {
246
- const envPath = join(tempDir, ".env");
247
- writeFileSync(envPath, `
248
- ANTHROPIC_API_KEY=sk-ant-test
249
- OPENAI_API_KEY=sk-test
250
- NODE_ENV=production
251
- `);
252
- const findings = auditSecrets({
253
- configPaths: [],
254
- envPath,
255
- });
256
- expect(findings).toHaveLength(2);
257
- expect(findings.every(f => f.code === "KNOWN_PROVIDER_ENV")).toBe(true);
258
- });
259
- it("sorts findings by severity (errors first, then warnings)", () => {
260
- const configPath = join(tempDir, "config.yaml");
261
- writeFileSync(configPath, `
262
- channels:
263
- telegram:
264
- botToken: "plaintext-token"
265
- `);
266
- const envPath = join(tempDir, ".env");
267
- writeFileSync(envPath, `OPENAI_API_KEY=sk-test`);
268
- const findings = auditSecrets({
269
- configPaths: [configPath],
270
- envPath,
271
- });
272
- expect(findings).toHaveLength(2);
273
- expect(findings[0].severity).toBe("error");
274
- expect(findings[1].severity).toBe("warn");
275
- });
276
- it("handles quoted values in .env", () => {
277
- const envPath = join(tempDir, ".env");
278
- writeFileSync(envPath, `ANTHROPIC_API_KEY="sk-ant-quoted"`);
279
- const findings = auditSecrets({
280
- configPaths: [],
281
- envPath,
282
- });
283
- expect(findings).toHaveLength(1);
284
- });
285
- it("gracefully handles invalid YAML", () => {
286
- const configPath = join(tempDir, "bad.yaml");
287
- writeFileSync(configPath, "{{invalid yaml: [}");
288
- // Should not throw
289
- const findings = auditSecrets({
290
- configPaths: [configPath],
291
- });
292
- // Findings may be empty or contain whatever the parser manages to extract
293
- expect(Array.isArray(findings)).toBe(true);
294
- });
295
- });
@@ -1,127 +0,0 @@
1
- import { describe, it, expect, vi, beforeEach } from "vitest";
2
- import { validateUrl, BLOCKED_RANGES, CLOUD_METADATA_IPS } from "./ssrf-guard.js";
3
- // Mock dns/promises so we get deterministic results without real DNS
4
- vi.mock("node:dns/promises", () => ({
5
- lookup: vi.fn(),
6
- }));
7
- // Import the mock after vi.mock
8
- import { lookup } from "node:dns/promises";
9
- const mockLookup = vi.mocked(lookup);
10
- beforeEach(() => {
11
- vi.clearAllMocks();
12
- });
13
- describe("SSRF Guard", () => {
14
- describe("exports", () => {
15
- it("exports BLOCKED_RANGES with expected entries", () => {
16
- expect(BLOCKED_RANGES).toContain("private");
17
- expect(BLOCKED_RANGES).toContain("loopback");
18
- expect(BLOCKED_RANGES).toContain("linkLocal");
19
- expect(BLOCKED_RANGES).toContain("uniqueLocal");
20
- expect(BLOCKED_RANGES).toContain("unspecified");
21
- expect(BLOCKED_RANGES).toContain("reserved");
22
- });
23
- it("exports CLOUD_METADATA_IPS with known addresses", () => {
24
- expect(CLOUD_METADATA_IPS).toContain("169.254.169.254");
25
- expect(CLOUD_METADATA_IPS).toContain("169.254.170.2");
26
- expect(CLOUD_METADATA_IPS).toContain("100.100.100.200");
27
- });
28
- });
29
- describe("validateUrl", () => {
30
- it("blocks loopback addresses (127.0.0.1)", async () => {
31
- mockLookup.mockResolvedValue({ address: "127.0.0.1", family: 4 });
32
- const result = await validateUrl("http://127.0.0.1/secret");
33
- expect(result.ok).toBe(false);
34
- if (!result.ok) {
35
- expect(result.error.message).toContain("loopback");
36
- }
37
- });
38
- it("blocks private addresses (192.168.x.x)", async () => {
39
- mockLookup.mockResolvedValue({ address: "192.168.1.1", family: 4 });
40
- const result = await validateUrl("http://192.168.1.1/admin");
41
- expect(result.ok).toBe(false);
42
- if (!result.ok) {
43
- expect(result.error.message).toContain("private");
44
- }
45
- });
46
- it("blocks private addresses (10.x.x.x)", async () => {
47
- mockLookup.mockResolvedValue({ address: "10.0.0.1", family: 4 });
48
- const result = await validateUrl("http://10.0.0.1/internal");
49
- expect(result.ok).toBe(false);
50
- if (!result.ok) {
51
- expect(result.error.message).toContain("private");
52
- }
53
- });
54
- it("blocks cloud metadata addresses (169.254.169.254)", async () => {
55
- mockLookup.mockResolvedValue({ address: "169.254.169.254", family: 4 });
56
- const result = await validateUrl("http://169.254.169.254/latest/meta-data/");
57
- expect(result.ok).toBe(false);
58
- if (!result.ok) {
59
- expect(result.error.message).toMatch(/cloud metadata|linkLocal/i);
60
- }
61
- });
62
- it("blocks non-http protocols (ftp)", async () => {
63
- const result = await validateUrl("ftp://example.com");
64
- expect(result.ok).toBe(false);
65
- if (!result.ok) {
66
- expect(result.error.message).toContain("Blocked protocol");
67
- }
68
- });
69
- it("rejects invalid URLs", async () => {
70
- const result = await validateUrl("not-a-url");
71
- expect(result.ok).toBe(false);
72
- if (!result.ok) {
73
- expect(result.error.message).toContain("Invalid URL");
74
- }
75
- });
76
- it("allows public IPs (example.com resolving to 93.184.216.34)", async () => {
77
- mockLookup.mockResolvedValue({ address: "93.184.216.34", family: 4 });
78
- const result = await validateUrl("https://example.com");
79
- expect(result.ok).toBe(true);
80
- if (result.ok) {
81
- expect(result.value.hostname).toBe("example.com");
82
- expect(result.value.ip).toBe("93.184.216.34");
83
- expect(result.value.url.protocol).toBe("https:");
84
- }
85
- });
86
- it("blocks IPv6 loopback (::1)", async () => {
87
- mockLookup.mockResolvedValue({ address: "::1", family: 6 });
88
- const result = await validateUrl("http://[::1]/secret");
89
- expect(result.ok).toBe(false);
90
- if (!result.ok) {
91
- expect(result.error.message).toContain("loopback");
92
- }
93
- });
94
- it("handles DNS resolution failures gracefully", async () => {
95
- mockLookup.mockRejectedValue(new Error("getaddrinfo ENOTFOUND bad.invalid"));
96
- const result = await validateUrl("http://bad.invalid");
97
- expect(result.ok).toBe(false);
98
- if (!result.ok) {
99
- expect(result.error.message).toContain("ENOTFOUND");
100
- }
101
- });
102
- it("blocks Alibaba Cloud metadata (100.100.100.200)", async () => {
103
- mockLookup.mockResolvedValue({ address: "100.100.100.200", family: 4 });
104
- const result = await validateUrl("http://metadata.tencentyun.com/");
105
- expect(result.ok).toBe(false);
106
- if (!result.ok) {
107
- expect(result.error.message).toContain("cloud metadata");
108
- }
109
- });
110
- it("blocks AWS ECS metadata (169.254.170.2)", async () => {
111
- mockLookup.mockResolvedValue({ address: "169.254.170.2", family: 4 });
112
- const result = await validateUrl("http://169.254.170.2/v2/metadata");
113
- expect(result.ok).toBe(false);
114
- if (!result.ok) {
115
- expect(result.error.message).toMatch(/cloud metadata|linkLocal/i);
116
- }
117
- });
118
- it("blocks unspecified address (0.0.0.0)", async () => {
119
- mockLookup.mockResolvedValue({ address: "0.0.0.0", family: 4 });
120
- const result = await validateUrl("http://0.0.0.0/");
121
- expect(result.ok).toBe(false);
122
- if (!result.ok) {
123
- expect(result.error.message).toContain("unspecified");
124
- }
125
- });
126
- });
127
- });
@@ -1,35 +0,0 @@
1
- import { describe, it, expect } from "vitest";
2
- import { generateStrongToken, generateRotationId } from "./token-generator.js";
3
- describe("generateStrongToken", () => {
4
- it("returns a string of exactly 64 characters", () => {
5
- const token = generateStrongToken();
6
- expect(token).toHaveLength(64);
7
- });
8
- it("output is URL-safe (base64url characters only)", () => {
9
- const token = generateStrongToken();
10
- expect(token).toMatch(/^[A-Za-z0-9_-]+$/);
11
- });
12
- it("produces different values on successive calls", () => {
13
- const token1 = generateStrongToken();
14
- const token2 = generateStrongToken();
15
- expect(token1).not.toBe(token2);
16
- });
17
- });
18
- describe("generateRotationId", () => {
19
- it("returns baseId-{suffix} where suffix is 11 chars", () => {
20
- const result = generateRotationId("my-token");
21
- const parts = result.split("my-token-");
22
- expect(parts).toHaveLength(2);
23
- expect(parts[1]).toHaveLength(11);
24
- });
25
- it("produces different suffixes for the same baseId on successive calls", () => {
26
- const id1 = generateRotationId("tok");
27
- const id2 = generateRotationId("tok");
28
- expect(id1).not.toBe(id2);
29
- });
30
- it("preserves the baseId prefix exactly", () => {
31
- const baseId = "complex-base-id-123";
32
- const result = generateRotationId(baseId);
33
- expect(result.startsWith(`${baseId}-`)).toBe(true);
34
- });
35
- });
@@ -1 +0,0 @@
1
- export {};
@@ -1,112 +0,0 @@
1
- import { describe, it, expect } from "vitest";
2
- import { registerToolMetadata, getToolMetadata, getAllToolMetadata, truncateContentBlocks, _clearRegistryForTest, } from "./tool-metadata.js";
3
- // ---------------------------------------------------------------------------
4
- // Registry tests
5
- // ---------------------------------------------------------------------------
6
- describe("tool metadata registry", () => {
7
- it("getToolMetadata returns undefined for unregistered tool", () => {
8
- expect(getToolMetadata("nonexistent_tool_xyz")).toBeUndefined();
9
- });
10
- it("registerToolMetadata stores and retrieves metadata", () => {
11
- registerToolMetadata("reg_test_store", {
12
- maxResultSizeChars: 5000,
13
- isReadOnly: true,
14
- });
15
- const meta = getToolMetadata("reg_test_store");
16
- expect(meta).toBeDefined();
17
- expect(meta.maxResultSizeChars).toBe(5000);
18
- expect(meta.isReadOnly).toBe(true);
19
- });
20
- it("registerToolMetadata merges metadata incrementally", () => {
21
- registerToolMetadata("reg_test_merge", { isReadOnly: true });
22
- registerToolMetadata("reg_test_merge", { maxResultSizeChars: 10000 });
23
- const meta = getToolMetadata("reg_test_merge");
24
- expect(meta).toEqual({ isReadOnly: true, maxResultSizeChars: 10000 });
25
- });
26
- it("registerToolMetadata overwrites fields on re-register", () => {
27
- registerToolMetadata("reg_test_overwrite", { maxResultSizeChars: 5000 });
28
- registerToolMetadata("reg_test_overwrite", { maxResultSizeChars: 10000 });
29
- const meta = getToolMetadata("reg_test_overwrite");
30
- expect(meta.maxResultSizeChars).toBe(10000);
31
- });
32
- it("getAllToolMetadata returns ReadonlyMap", () => {
33
- registerToolMetadata("reg_test_all_a", { isReadOnly: true });
34
- registerToolMetadata("reg_test_all_b", { maxResultSizeChars: 2000 });
35
- const all = getAllToolMetadata();
36
- expect(all.has("reg_test_all_a")).toBe(true);
37
- expect(all.has("reg_test_all_b")).toBe(true);
38
- });
39
- it("_clearRegistryForTest clears all entries", () => {
40
- registerToolMetadata("reg_test_clear", { isReadOnly: true });
41
- expect(getToolMetadata("reg_test_clear")).toBeDefined();
42
- _clearRegistryForTest();
43
- expect(getToolMetadata("reg_test_clear")).toBeUndefined();
44
- // Clean up (registry already clear, but be explicit)
45
- _clearRegistryForTest();
46
- });
47
- });
48
- // ---------------------------------------------------------------------------
49
- // Truncation tests
50
- // ---------------------------------------------------------------------------
51
- describe("truncateContentBlocks", () => {
52
- it("returns original array when total chars under budget", () => {
53
- const content = [{ type: "text", text: "x".repeat(100) }];
54
- const result = truncateContentBlocks(content, 200);
55
- expect(result).toBe(content); // Same reference
56
- });
57
- it("returns original array when total chars equal to budget", () => {
58
- const content = [{ type: "text", text: "x".repeat(100) }];
59
- const result = truncateContentBlocks(content, 100);
60
- expect(result).toBe(content); // Same reference
61
- });
62
- it("truncates text blocks proportionally with 60/40 split", () => {
63
- const content = [{ type: "text", text: "x".repeat(10000) }];
64
- const result = truncateContentBlocks(content, 2000);
65
- expect(result[0].text).toContain("chars truncated");
66
- // Verify the truncated text has head (60%) + marker + tail (40%) structure
67
- const text = result[0].text;
68
- const markerIdx = text.indexOf("\n[...");
69
- expect(markerIdx).toBeGreaterThan(0);
70
- // Head should be roughly 60% of budget (2000 * 0.6 = 1200)
71
- expect(markerIdx).toBeGreaterThanOrEqual(1100);
72
- expect(markerIdx).toBeLessThanOrEqual(1300);
73
- });
74
- it("preserves non-text blocks unchanged", () => {
75
- const imageBlock = { type: "image", url: "https://example.com/img.png" };
76
- const textBlock = { type: "text", text: "x".repeat(5000) };
77
- const content = [imageBlock, textBlock];
78
- const result = truncateContentBlocks(content, 1000);
79
- // Image block should be the exact same object reference
80
- expect(result[0]).toBe(imageBlock);
81
- // Text block should be truncated
82
- expect(result[1].text).toContain("chars truncated");
83
- });
84
- it("enforces 500-char minimum per block", () => {
85
- const content = [
86
- { type: "text", text: "x".repeat(8000) },
87
- { type: "text", text: "y".repeat(200) },
88
- ];
89
- const result = truncateContentBlocks(content, 100);
90
- // The small block (200 chars) gets minimum budget of 500, which is > its length
91
- // so it should NOT be truncated (200 < 500 min budget)
92
- expect(result[1].text).toBe("y".repeat(200));
93
- });
94
- it("marker text includes char count and guidance", () => {
95
- const content = [{ type: "text", text: "x".repeat(10000) }];
96
- const result = truncateContentBlocks(content, 2000);
97
- const text = result[0].text;
98
- expect(text).toContain("chars truncated");
99
- expect(text).toContain("Reduce output scope");
100
- });
101
- it("handles empty content array", () => {
102
- const content = [];
103
- const result = truncateContentBlocks(content, 1000);
104
- expect(result).toBe(content); // Same reference
105
- });
106
- it("handles blocks with no text field", () => {
107
- const content = [{ type: "text" }]; // no text property
108
- const result = truncateContentBlocks(content, 100);
109
- // Total chars is 0 (no text), 0 <= 100, returns original
110
- expect(result).toBe(content);
111
- });
112
- });
@@ -1 +0,0 @@
1
- export {};