comisai 1.0.11 → 1.0.13

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (255) hide show
  1. package/node_modules/@comis/agent/dist/model/operation-model-defaults.js +1 -0
  2. package/node_modules/@comis/agent/dist/session/comis-session-manager.js +9 -9
  3. package/node_modules/@comis/agent/package.json +1 -1
  4. package/node_modules/@comis/channels/package.json +1 -1
  5. package/node_modules/@comis/cli/package.json +1 -1
  6. package/node_modules/@comis/core/dist/event-bus/events-infra.d.ts +2 -0
  7. package/node_modules/@comis/core/package.json +1 -1
  8. package/node_modules/@comis/daemon/dist/wiring/setup-channels.js +12 -1
  9. package/node_modules/@comis/daemon/dist/wiring/setup-gateway.js +1 -0
  10. package/node_modules/@comis/daemon/dist/wiring/setup-schedulers.js +1 -0
  11. package/node_modules/@comis/daemon/package.json +1 -1
  12. package/node_modules/@comis/gateway/package.json +1 -1
  13. package/node_modules/@comis/infra/package.json +1 -1
  14. package/node_modules/@comis/memory/package.json +1 -1
  15. package/node_modules/@comis/scheduler/dist/cron/cron-types.d.ts +6 -0
  16. package/node_modules/@comis/scheduler/dist/cron/cron-types.js +2 -0
  17. package/node_modules/@comis/scheduler/package.json +1 -1
  18. package/node_modules/@comis/shared/package.json +1 -1
  19. package/node_modules/@comis/skills/dist/builtin/platform/gateway-tool.d.ts +1 -1
  20. package/node_modules/@comis/skills/package.json +1 -1
  21. package/package.json +18 -18
  22. package/node_modules/@comis/core/dist/approval/approval-gate.test.d.ts +0 -1
  23. package/node_modules/@comis/core/dist/approval/approval-gate.test.js +0 -1003
  24. package/node_modules/@comis/core/dist/bootstrap.test.d.ts +0 -1
  25. package/node_modules/@comis/core/dist/bootstrap.test.js +0 -150
  26. package/node_modules/@comis/core/dist/config/backup.test.d.ts +0 -1
  27. package/node_modules/@comis/core/dist/config/backup.test.js +0 -160
  28. package/node_modules/@comis/core/dist/config/env-substitution.test.d.ts +0 -1
  29. package/node_modules/@comis/core/dist/config/env-substitution.test.js +0 -259
  30. package/node_modules/@comis/core/dist/config/field-metadata.test.d.ts +0 -1
  31. package/node_modules/@comis/core/dist/config/field-metadata.test.js +0 -72
  32. package/node_modules/@comis/core/dist/config/git-manager.test.d.ts +0 -1
  33. package/node_modules/@comis/core/dist/config/git-manager.test.js +0 -1042
  34. package/node_modules/@comis/core/dist/config/immutable-keys.test.d.ts +0 -1
  35. package/node_modules/@comis/core/dist/config/immutable-keys.test.js +0 -283
  36. package/node_modules/@comis/core/dist/config/include-resolver.test.d.ts +0 -1
  37. package/node_modules/@comis/core/dist/config/include-resolver.test.js +0 -292
  38. package/node_modules/@comis/core/dist/config/layered.test.d.ts +0 -1
  39. package/node_modules/@comis/core/dist/config/layered.test.js +0 -211
  40. package/node_modules/@comis/core/dist/config/loader.test.d.ts +0 -1
  41. package/node_modules/@comis/core/dist/config/loader.test.js +0 -300
  42. package/node_modules/@comis/core/dist/config/migrate.test.d.ts +0 -1
  43. package/node_modules/@comis/core/dist/config/migrate.test.js +0 -244
  44. package/node_modules/@comis/core/dist/config/partial-validator.test.d.ts +0 -1
  45. package/node_modules/@comis/core/dist/config/partial-validator.test.js +0 -98
  46. package/node_modules/@comis/core/dist/config/schema-agent-model.test.d.ts +0 -1
  47. package/node_modules/@comis/core/dist/config/schema-agent-model.test.js +0 -279
  48. package/node_modules/@comis/core/dist/config/schema-agent-session.test.d.ts +0 -1
  49. package/node_modules/@comis/core/dist/config/schema-agent-session.test.js +0 -242
  50. package/node_modules/@comis/core/dist/config/schema-agent.test.d.ts +0 -1
  51. package/node_modules/@comis/core/dist/config/schema-agent.test.js +0 -645
  52. package/node_modules/@comis/core/dist/config/schema-channel.test.d.ts +0 -1
  53. package/node_modules/@comis/core/dist/config/schema-channel.test.js +0 -341
  54. package/node_modules/@comis/core/dist/config/schema-coalescer.test.d.ts +0 -1
  55. package/node_modules/@comis/core/dist/config/schema-coalescer.test.js +0 -51
  56. package/node_modules/@comis/core/dist/config/schema-context-engine.test.d.ts +0 -1
  57. package/node_modules/@comis/core/dist/config/schema-context-engine.test.js +0 -797
  58. package/node_modules/@comis/core/dist/config/schema-context-guard.test.d.ts +0 -1
  59. package/node_modules/@comis/core/dist/config/schema-context-guard.test.js +0 -111
  60. package/node_modules/@comis/core/dist/config/schema-daemon.test.d.ts +0 -1
  61. package/node_modules/@comis/core/dist/config/schema-daemon.test.js +0 -107
  62. package/node_modules/@comis/core/dist/config/schema-delivery-timing.test.d.ts +0 -1
  63. package/node_modules/@comis/core/dist/config/schema-delivery-timing.test.js +0 -51
  64. package/node_modules/@comis/core/dist/config/schema-documentation.test.d.ts +0 -1
  65. package/node_modules/@comis/core/dist/config/schema-documentation.test.js +0 -63
  66. package/node_modules/@comis/core/dist/config/schema-gateway.test.d.ts +0 -1
  67. package/node_modules/@comis/core/dist/config/schema-gateway.test.js +0 -219
  68. package/node_modules/@comis/core/dist/config/schema-gemini-cache.test.d.ts +0 -1
  69. package/node_modules/@comis/core/dist/config/schema-gemini-cache.test.js +0 -41
  70. package/node_modules/@comis/core/dist/config/schema-integrations.test.d.ts +0 -1
  71. package/node_modules/@comis/core/dist/config/schema-integrations.test.js +0 -92
  72. package/node_modules/@comis/core/dist/config/schema-lifecycle-reactions.test.d.ts +0 -1
  73. package/node_modules/@comis/core/dist/config/schema-lifecycle-reactions.test.js +0 -61
  74. package/node_modules/@comis/core/dist/config/schema-misc.test.d.ts +0 -1
  75. package/node_modules/@comis/core/dist/config/schema-misc.test.js +0 -394
  76. package/node_modules/@comis/core/dist/config/schema-observability.test.d.ts +0 -1
  77. package/node_modules/@comis/core/dist/config/schema-observability.test.js +0 -76
  78. package/node_modules/@comis/core/dist/config/schema-providers.test.d.ts +0 -1
  79. package/node_modules/@comis/core/dist/config/schema-providers.test.js +0 -294
  80. package/node_modules/@comis/core/dist/config/schema-queue.test.d.ts +0 -1
  81. package/node_modules/@comis/core/dist/config/schema-queue.test.js +0 -234
  82. package/node_modules/@comis/core/dist/config/schema-response-prefix.test.d.ts +0 -1
  83. package/node_modules/@comis/core/dist/config/schema-response-prefix.test.js +0 -36
  84. package/node_modules/@comis/core/dist/config/schema-security.test.d.ts +0 -1
  85. package/node_modules/@comis/core/dist/config/schema-security.test.js +0 -54
  86. package/node_modules/@comis/core/dist/config/schema-sender-trust-display.test.d.ts +0 -1
  87. package/node_modules/@comis/core/dist/config/schema-sender-trust-display.test.js +0 -60
  88. package/node_modules/@comis/core/dist/config/schema-serializer.test.d.ts +0 -1
  89. package/node_modules/@comis/core/dist/config/schema-serializer.test.js +0 -73
  90. package/node_modules/@comis/core/dist/config/schema-telegram-file-guard.test.d.ts +0 -1
  91. package/node_modules/@comis/core/dist/config/schema-telegram-file-guard.test.js +0 -39
  92. package/node_modules/@comis/core/dist/context/context.test.d.ts +0 -1
  93. package/node_modules/@comis/core/dist/context/context.test.js +0 -276
  94. package/node_modules/@comis/core/dist/domain/agent-response.test.d.ts +0 -1
  95. package/node_modules/@comis/core/dist/domain/agent-response.test.js +0 -159
  96. package/node_modules/@comis/core/dist/domain/credential-mapping.test.d.ts +0 -1
  97. package/node_modules/@comis/core/dist/domain/credential-mapping.test.js +0 -135
  98. package/node_modules/@comis/core/dist/domain/delivery-origin.test.d.ts +0 -1
  99. package/node_modules/@comis/core/dist/domain/delivery-origin.test.js +0 -68
  100. package/node_modules/@comis/core/dist/domain/execution-graph.test.d.ts +0 -1
  101. package/node_modules/@comis/core/dist/domain/execution-graph.test.js +0 -441
  102. package/node_modules/@comis/core/dist/domain/memory-entry.test.d.ts +0 -1
  103. package/node_modules/@comis/core/dist/domain/memory-entry.test.js +0 -193
  104. package/node_modules/@comis/core/dist/domain/normalized-message.test.d.ts +0 -1
  105. package/node_modules/@comis/core/dist/domain/normalized-message.test.js +0 -255
  106. package/node_modules/@comis/core/dist/domain/session-key.test.d.ts +0 -1
  107. package/node_modules/@comis/core/dist/domain/session-key.test.js +0 -291
  108. package/node_modules/@comis/core/dist/domain/subagent-context-config.test.d.ts +0 -1
  109. package/node_modules/@comis/core/dist/domain/subagent-context-config.test.js +0 -131
  110. package/node_modules/@comis/core/dist/domain/subagent-context-types.test.d.ts +0 -1
  111. package/node_modules/@comis/core/dist/domain/subagent-context-types.test.js +0 -182
  112. package/node_modules/@comis/core/dist/event-bus/bus.test.d.ts +0 -1
  113. package/node_modules/@comis/core/dist/event-bus/bus.test.js +0 -152
  114. package/node_modules/@comis/core/dist/event-bus/events-agent.test.d.ts +0 -1
  115. package/node_modules/@comis/core/dist/event-bus/events-agent.test.js +0 -409
  116. package/node_modules/@comis/core/dist/event-bus/events-channel.test.d.ts +0 -1
  117. package/node_modules/@comis/core/dist/event-bus/events-channel.test.js +0 -240
  118. package/node_modules/@comis/core/dist/event-bus/events-infra.test.d.ts +0 -1
  119. package/node_modules/@comis/core/dist/event-bus/events-infra.test.js +0 -416
  120. package/node_modules/@comis/core/dist/event-bus/events-messaging.test.d.ts +0 -1
  121. package/node_modules/@comis/core/dist/event-bus/events-messaging.test.js +0 -433
  122. package/node_modules/@comis/core/dist/event-bus/events.test.d.ts +0 -1
  123. package/node_modules/@comis/core/dist/event-bus/events.test.js +0 -93
  124. package/node_modules/@comis/core/dist/hooks/hook-runner-global.test.d.ts +0 -1
  125. package/node_modules/@comis/core/dist/hooks/hook-runner-global.test.js +0 -29
  126. package/node_modules/@comis/core/dist/hooks/hook-runner.test.d.ts +0 -1
  127. package/node_modules/@comis/core/dist/hooks/hook-runner.test.js +0 -490
  128. package/node_modules/@comis/core/dist/hooks/hook-strategies.test.d.ts +0 -1
  129. package/node_modules/@comis/core/dist/hooks/hook-strategies.test.js +0 -209
  130. package/node_modules/@comis/core/dist/hooks/integration.test.d.ts +0 -1
  131. package/node_modules/@comis/core/dist/hooks/integration.test.js +0 -235
  132. package/node_modules/@comis/core/dist/hooks/plugin-registry.test.d.ts +0 -1
  133. package/node_modules/@comis/core/dist/hooks/plugin-registry.test.js +0 -470
  134. package/node_modules/@comis/core/dist/load-env.test.d.ts +0 -1
  135. package/node_modules/@comis/core/dist/load-env.test.js +0 -21
  136. package/node_modules/@comis/core/dist/security/action-classifier.test.d.ts +0 -1
  137. package/node_modules/@comis/core/dist/security/action-classifier.test.js +0 -298
  138. package/node_modules/@comis/core/dist/security/audit-aggregator.test.d.ts +0 -1
  139. package/node_modules/@comis/core/dist/security/audit-aggregator.test.js +0 -128
  140. package/node_modules/@comis/core/dist/security/audit.test.d.ts +0 -1
  141. package/node_modules/@comis/core/dist/security/audit.test.js +0 -154
  142. package/node_modules/@comis/core/dist/security/canary-token.test.d.ts +0 -1
  143. package/node_modules/@comis/core/dist/security/canary-token.test.js +0 -45
  144. package/node_modules/@comis/core/dist/security/config-redaction.test.d.ts +0 -1
  145. package/node_modules/@comis/core/dist/security/config-redaction.test.js +0 -107
  146. package/node_modules/@comis/core/dist/security/external-content.test.d.ts +0 -1
  147. package/node_modules/@comis/core/dist/security/external-content.test.js +0 -210
  148. package/node_modules/@comis/core/dist/security/injection-patterns.test.d.ts +0 -1
  149. package/node_modules/@comis/core/dist/security/injection-patterns.test.js +0 -213
  150. package/node_modules/@comis/core/dist/security/injection-rate-limiter.test.d.ts +0 -1
  151. package/node_modules/@comis/core/dist/security/injection-rate-limiter.test.js +0 -194
  152. package/node_modules/@comis/core/dist/security/input-guard.test.d.ts +0 -1
  153. package/node_modules/@comis/core/dist/security/input-guard.test.js +0 -215
  154. package/node_modules/@comis/core/dist/security/input-security-guard.test.d.ts +0 -1
  155. package/node_modules/@comis/core/dist/security/input-security-guard.test.js +0 -215
  156. package/node_modules/@comis/core/dist/security/input-validator.test.d.ts +0 -1
  157. package/node_modules/@comis/core/dist/security/input-validator.test.js +0 -133
  158. package/node_modules/@comis/core/dist/security/log-sanitizer.test.d.ts +0 -1
  159. package/node_modules/@comis/core/dist/security/log-sanitizer.test.js +0 -260
  160. package/node_modules/@comis/core/dist/security/memory-write-validator.test.d.ts +0 -1
  161. package/node_modules/@comis/core/dist/security/memory-write-validator.test.js +0 -62
  162. package/node_modules/@comis/core/dist/security/output-guard.test.d.ts +0 -1
  163. package/node_modules/@comis/core/dist/security/output-guard.test.js +0 -397
  164. package/node_modules/@comis/core/dist/security/safe-path.test.d.ts +0 -1
  165. package/node_modules/@comis/core/dist/security/safe-path.test.js +0 -95
  166. package/node_modules/@comis/core/dist/security/scoped-secret-manager.test.d.ts +0 -1
  167. package/node_modules/@comis/core/dist/security/scoped-secret-manager.test.js +0 -231
  168. package/node_modules/@comis/core/dist/security/secret-access.test.d.ts +0 -1
  169. package/node_modules/@comis/core/dist/security/secret-access.test.js +0 -41
  170. package/node_modules/@comis/core/dist/security/secret-crypto.test.d.ts +0 -1
  171. package/node_modules/@comis/core/dist/security/secret-crypto.test.js +0 -113
  172. package/node_modules/@comis/core/dist/security/secret-manager.test.d.ts +0 -1
  173. package/node_modules/@comis/core/dist/security/secret-manager.test.js +0 -394
  174. package/node_modules/@comis/core/dist/security/secret-ref-resolver.test.d.ts +0 -1
  175. package/node_modules/@comis/core/dist/security/secret-ref-resolver.test.js +0 -268
  176. package/node_modules/@comis/core/dist/security/secrets-audit.test.d.ts +0 -10
  177. package/node_modules/@comis/core/dist/security/secrets-audit.test.js +0 -295
  178. package/node_modules/@comis/core/dist/security/ssrf-guard.test.d.ts +0 -1
  179. package/node_modules/@comis/core/dist/security/ssrf-guard.test.js +0 -127
  180. package/node_modules/@comis/core/dist/security/token-generator.test.d.ts +0 -1
  181. package/node_modules/@comis/core/dist/security/token-generator.test.js +0 -35
  182. package/node_modules/@comis/core/dist/tool-metadata.test.d.ts +0 -1
  183. package/node_modules/@comis/core/dist/tool-metadata.test.js +0 -112
  184. package/node_modules/@comis/memory/dist/compaction.test.d.ts +0 -1
  185. package/node_modules/@comis/memory/dist/compaction.test.js +0 -298
  186. package/node_modules/@comis/memory/dist/context-schema.test.d.ts +0 -1
  187. package/node_modules/@comis/memory/dist/context-schema.test.js +0 -246
  188. package/node_modules/@comis/memory/dist/context-store.test.d.ts +0 -1
  189. package/node_modules/@comis/memory/dist/context-store.test.js +0 -708
  190. package/node_modules/@comis/memory/dist/credential-mapping-schema.test.d.ts +0 -7
  191. package/node_modules/@comis/memory/dist/credential-mapping-schema.test.js +0 -73
  192. package/node_modules/@comis/memory/dist/credential-mapping-store.test.d.ts +0 -8
  193. package/node_modules/@comis/memory/dist/credential-mapping-store.test.js +0 -340
  194. package/node_modules/@comis/memory/dist/delivery-mirror-adapter.test.d.ts +0 -1
  195. package/node_modules/@comis/memory/dist/delivery-mirror-adapter.test.js +0 -165
  196. package/node_modules/@comis/memory/dist/delivery-queue-adapter.test.d.ts +0 -1
  197. package/node_modules/@comis/memory/dist/delivery-queue-adapter.test.js +0 -263
  198. package/node_modules/@comis/memory/dist/embedding-batch-indexer.test.d.ts +0 -1
  199. package/node_modules/@comis/memory/dist/embedding-batch-indexer.test.js +0 -202
  200. package/node_modules/@comis/memory/dist/embedding-cache-lru.test.d.ts +0 -1
  201. package/node_modules/@comis/memory/dist/embedding-cache-lru.test.js +0 -241
  202. package/node_modules/@comis/memory/dist/embedding-cache-sqlite.test.d.ts +0 -8
  203. package/node_modules/@comis/memory/dist/embedding-cache-sqlite.test.js +0 -678
  204. package/node_modules/@comis/memory/dist/embedding-cache.test.d.ts +0 -1
  205. package/node_modules/@comis/memory/dist/embedding-cache.test.js +0 -213
  206. package/node_modules/@comis/memory/dist/embedding-fingerprint.test.d.ts +0 -1
  207. package/node_modules/@comis/memory/dist/embedding-fingerprint.test.js +0 -87
  208. package/node_modules/@comis/memory/dist/embedding-hash.test.d.ts +0 -1
  209. package/node_modules/@comis/memory/dist/embedding-hash.test.js +0 -31
  210. package/node_modules/@comis/memory/dist/embedding-integration.test.d.ts +0 -8
  211. package/node_modules/@comis/memory/dist/embedding-integration.test.js +0 -232
  212. package/node_modules/@comis/memory/dist/embedding-provider-factory.test.d.ts +0 -1
  213. package/node_modules/@comis/memory/dist/embedding-provider-factory.test.js +0 -176
  214. package/node_modules/@comis/memory/dist/embedding-provider-local.test.d.ts +0 -8
  215. package/node_modules/@comis/memory/dist/embedding-provider-local.test.js +0 -76
  216. package/node_modules/@comis/memory/dist/embedding-provider-openai.test.d.ts +0 -8
  217. package/node_modules/@comis/memory/dist/embedding-provider-openai.test.js +0 -100
  218. package/node_modules/@comis/memory/dist/embedding-queue.test.d.ts +0 -1
  219. package/node_modules/@comis/memory/dist/embedding-queue.test.js +0 -236
  220. package/node_modules/@comis/memory/dist/hybrid-search.test.d.ts +0 -1
  221. package/node_modules/@comis/memory/dist/hybrid-search.test.js +0 -476
  222. package/node_modules/@comis/memory/dist/identity-link-store.test.d.ts +0 -1
  223. package/node_modules/@comis/memory/dist/identity-link-store.test.js +0 -88
  224. package/node_modules/@comis/memory/dist/memory-api.test.d.ts +0 -1
  225. package/node_modules/@comis/memory/dist/memory-api.test.js +0 -495
  226. package/node_modules/@comis/memory/dist/memory-concurrency.test.d.ts +0 -20
  227. package/node_modules/@comis/memory/dist/memory-concurrency.test.js +0 -222
  228. package/node_modules/@comis/memory/dist/named-graph-store.test.d.ts +0 -1
  229. package/node_modules/@comis/memory/dist/named-graph-store.test.js +0 -227
  230. package/node_modules/@comis/memory/dist/observability-store.test.d.ts +0 -1
  231. package/node_modules/@comis/memory/dist/observability-store.test.js +0 -704
  232. package/node_modules/@comis/memory/dist/row-mapper.test.d.ts +0 -1
  233. package/node_modules/@comis/memory/dist/row-mapper.test.js +0 -409
  234. package/node_modules/@comis/memory/dist/schema.test.d.ts +0 -1
  235. package/node_modules/@comis/memory/dist/schema.test.js +0 -240
  236. package/node_modules/@comis/memory/dist/secret-store-schema.test.d.ts +0 -7
  237. package/node_modules/@comis/memory/dist/secret-store-schema.test.js +0 -90
  238. package/node_modules/@comis/memory/dist/session-store.test.d.ts +0 -1
  239. package/node_modules/@comis/memory/dist/session-store.test.js +0 -262
  240. package/node_modules/@comis/memory/dist/setup-secrets.test.d.ts +0 -1
  241. package/node_modules/@comis/memory/dist/setup-secrets.test.js +0 -140
  242. package/node_modules/@comis/memory/dist/sqlite-memory-adapter.test.d.ts +0 -1
  243. package/node_modules/@comis/memory/dist/sqlite-memory-adapter.test.js +0 -888
  244. package/node_modules/@comis/memory/dist/sqlite-secret-store.test.d.ts +0 -8
  245. package/node_modules/@comis/memory/dist/sqlite-secret-store.test.js +0 -245
  246. package/node_modules/@comis/shared/dist/abort.test.d.ts +0 -1
  247. package/node_modules/@comis/shared/dist/abort.test.js +0 -71
  248. package/node_modules/@comis/shared/dist/result.test.d.ts +0 -1
  249. package/node_modules/@comis/shared/dist/result.test.js +0 -178
  250. package/node_modules/@comis/shared/dist/suppress-error.test.d.ts +0 -1
  251. package/node_modules/@comis/shared/dist/suppress-error.test.js +0 -50
  252. package/node_modules/@comis/shared/dist/timeout.test.d.ts +0 -1
  253. package/node_modules/@comis/shared/dist/timeout.test.js +0 -75
  254. package/node_modules/@comis/shared/dist/ttl-cache.test.d.ts +0 -1
  255. package/node_modules/@comis/shared/dist/ttl-cache.test.js +0 -81
@@ -1,397 +0,0 @@
1
- import { describe, it, expect } from "vitest";
2
- import { createOutputGuard } from "./output-guard.js";
3
- describe("createOutputGuard", () => {
4
- const guard = createOutputGuard();
5
- it("returns safe=true, blocked=false with no findings for clean response", () => {
6
- const result = guard.scan("Hello, how can I help you today?");
7
- expect(result.ok).toBe(true);
8
- if (result.ok) {
9
- expect(result.value.safe).toBe(true);
10
- expect(result.value.blocked).toBe(false);
11
- expect(result.value.findings).toHaveLength(0);
12
- expect(result.value.sanitized).toBe("Hello, how can I help you today?");
13
- }
14
- });
15
- // -------------------------------------------------------------------------
16
- // Critical findings -- blocked and redacted
17
- // -------------------------------------------------------------------------
18
- it("redacts AWS access key in sanitized field, blocked=true", () => {
19
- const response = "Your key is AKIAIOSFODNN7EXAMPLE";
20
- const result = guard.scan(response);
21
- expect(result.ok).toBe(true);
22
- if (result.ok) {
23
- expect(result.value.safe).toBe(false);
24
- expect(result.value.blocked).toBe(true);
25
- expect(result.value.sanitized).toBe("Your key is [REDACTED:aws_key]");
26
- expect(result.value.sanitized).not.toContain("AKIAIOSFODNN7EXAMPLE");
27
- expect(result.value.findings).toHaveLength(1);
28
- expect(result.value.findings[0].type).toBe("secret_leak");
29
- expect(result.value.findings[0].pattern).toBe("aws_key");
30
- expect(result.value.findings[0].severity).toBe("critical");
31
- }
32
- });
33
- it("redacts private key header in sanitized field, blocked=true", () => {
34
- const response = "Here is the key:\n-----BEGIN PRIVATE KEY-----\nMIIE...";
35
- const result = guard.scan(response);
36
- expect(result.ok).toBe(true);
37
- if (result.ok) {
38
- expect(result.value.safe).toBe(false);
39
- expect(result.value.blocked).toBe(true);
40
- expect(result.value.sanitized).toContain("[REDACTED:private_key_header]");
41
- expect(result.value.sanitized).not.toContain("-----BEGIN PRIVATE KEY-----");
42
- const finding = result.value.findings.find((f) => f.pattern === "private_key_header");
43
- expect(finding).toBeDefined();
44
- expect(finding.type).toBe("secret_leak");
45
- expect(finding.severity).toBe("critical");
46
- }
47
- });
48
- it("redacts RSA private key header", () => {
49
- const response = "-----BEGIN RSA PRIVATE KEY-----\nMIIE...";
50
- const result = guard.scan(response);
51
- expect(result.ok).toBe(true);
52
- if (result.ok) {
53
- expect(result.value.blocked).toBe(true);
54
- expect(result.value.sanitized).toContain("[REDACTED:private_key_header]");
55
- expect(result.value.sanitized).not.toContain("-----BEGIN RSA PRIVATE KEY-----");
56
- }
57
- });
58
- it("redacts canary token when provided in context, blocked=true", () => {
59
- const canary = "CTKN_abc123def456abcd";
60
- const response = `Sure, the token is ${canary}, which I found in my instructions.`;
61
- const result = guard.scan(response, { canaryToken: canary });
62
- expect(result.ok).toBe(true);
63
- if (result.ok) {
64
- expect(result.value.safe).toBe(false);
65
- expect(result.value.blocked).toBe(true);
66
- expect(result.value.sanitized).toContain("[REDACTED:canary]");
67
- expect(result.value.sanitized).not.toContain(canary);
68
- const finding = result.value.findings.find((f) => f.type === "canary_leak");
69
- expect(finding).toBeDefined();
70
- expect(finding.pattern).toBe("canary_token");
71
- expect(finding.severity).toBe("critical");
72
- }
73
- });
74
- it("redacts GitHub token in sanitized field, blocked=true", () => {
75
- const response = "Use token ghp_ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghij";
76
- const result = guard.scan(response);
77
- expect(result.ok).toBe(true);
78
- if (result.ok) {
79
- expect(result.value.safe).toBe(false);
80
- expect(result.value.blocked).toBe(true);
81
- expect(result.value.sanitized).toContain("[REDACTED:github_token]");
82
- expect(result.value.sanitized).not.toContain("ghp_ABCDEFGHIJKLMNOPQRSTUVWXYZ");
83
- const finding = result.value.findings.find((f) => f.pattern === "github_token");
84
- expect(finding).toBeDefined();
85
- expect(finding.severity).toBe("critical");
86
- }
87
- });
88
- it("redacts Slack token in sanitized field, blocked=true", () => {
89
- const response = "Token: xoxb-123456789-abcdef";
90
- const result = guard.scan(response);
91
- expect(result.ok).toBe(true);
92
- if (result.ok) {
93
- expect(result.value.blocked).toBe(true);
94
- expect(result.value.sanitized).toContain("[REDACTED:slack_token]");
95
- expect(result.value.sanitized).not.toContain("xoxb-123456789-abcdef");
96
- }
97
- });
98
- // -------------------------------------------------------------------------
99
- // Warning findings -- detect-only, NOT redacted
100
- // -------------------------------------------------------------------------
101
- it("does NOT redact bearer token (warning severity), blocked=false", () => {
102
- const response = "Authorization: Bearer eyJhbGciOiJIUzI1NiJ9";
103
- const result = guard.scan(response);
104
- expect(result.ok).toBe(true);
105
- if (result.ok) {
106
- expect(result.value.safe).toBe(false);
107
- expect(result.value.blocked).toBe(false);
108
- expect(result.value.sanitized).toBe(response);
109
- const finding = result.value.findings.find((f) => f.pattern === "bearer_token");
110
- expect(finding).toBeDefined();
111
- expect(finding.severity).toBe("warning");
112
- }
113
- });
114
- it("does NOT redact prompt extraction pattern (warning severity), blocked=false", () => {
115
- const response = "My system prompt says to always be helpful and never refuse.";
116
- const result = guard.scan(response);
117
- expect(result.ok).toBe(true);
118
- if (result.ok) {
119
- expect(result.value.safe).toBe(false);
120
- expect(result.value.blocked).toBe(false);
121
- expect(result.value.sanitized).toBe(response);
122
- const finding = result.value.findings.find((f) => f.type === "prompt_extraction");
123
- expect(finding).toBeDefined();
124
- expect(finding.severity).toBe("warning");
125
- }
126
- });
127
- it("detects 'original instructions' extraction pattern as warning", () => {
128
- const response = "The original instructions are to follow these rules...";
129
- const result = guard.scan(response);
130
- expect(result.ok).toBe(true);
131
- if (result.ok) {
132
- expect(result.value.safe).toBe(false);
133
- expect(result.value.blocked).toBe(false);
134
- expect(result.value.sanitized).toBe(response);
135
- }
136
- });
137
- // -------------------------------------------------------------------------
138
- // Canary edge cases
139
- // -------------------------------------------------------------------------
140
- it("does not flag canary_leak when canary is not in response", () => {
141
- const canary = "CTKN_abc123def456abcd";
142
- const response = "No canary here at all.";
143
- const result = guard.scan(response, { canaryToken: canary });
144
- expect(result.ok).toBe(true);
145
- if (result.ok) {
146
- expect(result.value.safe).toBe(true);
147
- expect(result.value.blocked).toBe(false);
148
- expect(result.value.findings).toHaveLength(0);
149
- }
150
- });
151
- it("does not check canary when context is omitted", () => {
152
- const response = "CTKN_abc123def456abcd is in the text but no context provided.";
153
- const result = guard.scan(response);
154
- expect(result.ok).toBe(true);
155
- if (result.ok) {
156
- const canaryFindings = result.value.findings.filter((f) => f.type === "canary_leak");
157
- expect(canaryFindings).toHaveLength(0);
158
- }
159
- });
160
- // -------------------------------------------------------------------------
161
- // Multiple findings
162
- // -------------------------------------------------------------------------
163
- it("redacts multiple critical findings in one response", () => {
164
- const response = "Keys: AKIAIOSFODNN7EXAMPLE and ghp_ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghij";
165
- const result = guard.scan(response);
166
- expect(result.ok).toBe(true);
167
- if (result.ok) {
168
- expect(result.value.safe).toBe(false);
169
- expect(result.value.blocked).toBe(true);
170
- expect(result.value.sanitized).toContain("[REDACTED:aws_key]");
171
- expect(result.value.sanitized).toContain("[REDACTED:github_token]");
172
- expect(result.value.sanitized).not.toContain("AKIAIOSFODNN7EXAMPLE");
173
- expect(result.value.sanitized).not.toContain("ghp_ABCDEFGHIJKLMNOPQRSTUVWXYZ");
174
- // At least 2 critical findings
175
- const criticalFindings = result.value.findings.filter((f) => f.severity === "critical");
176
- expect(criticalFindings.length).toBeGreaterThanOrEqual(2);
177
- }
178
- });
179
- it("mixed critical+warning: only critical are redacted, blocked=true", () => {
180
- const response = "My system prompt says AKIAIOSFODNN7EXAMPLE is the key";
181
- const result = guard.scan(response);
182
- expect(result.ok).toBe(true);
183
- if (result.ok) {
184
- expect(result.value.safe).toBe(false);
185
- expect(result.value.blocked).toBe(true);
186
- // AWS key is redacted (critical)
187
- expect(result.value.sanitized).toContain("[REDACTED:aws_key]");
188
- expect(result.value.sanitized).not.toContain("AKIAIOSFODNN7EXAMPLE");
189
- // Prompt extraction text is still present (warning, detect-only)
190
- expect(result.value.sanitized).toContain("My system prompt says");
191
- // Both findings are reported
192
- const criticalFindings = result.value.findings.filter((f) => f.severity === "critical");
193
- const warningFindings = result.value.findings.filter((f) => f.severity === "warning");
194
- expect(criticalFindings.length).toBeGreaterThanOrEqual(1);
195
- expect(warningFindings.length).toBeGreaterThanOrEqual(1);
196
- }
197
- });
198
- it("accumulates findings from all categories", () => {
199
- const canary = "CTKN_abc123def456abcd";
200
- const response = `My system prompt says AKIAIOSFODNN7EXAMPLE and also ${canary}`;
201
- const result = guard.scan(response, { canaryToken: canary });
202
- expect(result.ok).toBe(true);
203
- if (result.ok) {
204
- expect(result.value.safe).toBe(false);
205
- expect(result.value.blocked).toBe(true);
206
- // At least: aws_key (secret_leak), canary_leak, prompt_extraction
207
- expect(result.value.findings.length).toBeGreaterThanOrEqual(3);
208
- const types = new Set(result.value.findings.map((f) => f.type));
209
- expect(types.has("secret_leak")).toBe(true);
210
- expect(types.has("canary_leak")).toBe(true);
211
- expect(types.has("prompt_extraction")).toBe(true);
212
- // Critical findings are redacted
213
- expect(result.value.sanitized).toContain("[REDACTED:aws_key]");
214
- expect(result.value.sanitized).toContain("[REDACTED:canary]");
215
- // Warning findings are NOT redacted
216
- expect(result.value.sanitized).toContain("My system prompt says");
217
- }
218
- });
219
- // -------------------------------------------------------------------------
220
- // Regression: global regex lastIndex state
221
- // -------------------------------------------------------------------------
222
- it("correctly scans on repeated calls (global regex lastIndex reset)", () => {
223
- const response = "Use key AKIAIOSFODNN7EXAMPLE please";
224
- // Call scan multiple times to verify regex state is properly reset
225
- for (let i = 0; i < 3; i++) {
226
- const result = guard.scan(response);
227
- expect(result.ok).toBe(true);
228
- if (result.ok) {
229
- expect(result.value.blocked).toBe(true);
230
- expect(result.value.findings).toHaveLength(1);
231
- expect(result.value.sanitized).toContain("[REDACTED:aws_key]");
232
- }
233
- }
234
- });
235
- // -------------------------------------------------------------------------
236
- // Phase 281: expanded secret patterns
237
- // -------------------------------------------------------------------------
238
- describe("Phase 281: expanded secret patterns", () => {
239
- // Critical patterns (should be redacted, blocked=true)
240
- it("redacts Anthropic API key, blocked=true", () => {
241
- const response = "Key: sk-ant-api03-abcdefghijklmnopqrstuvwx";
242
- const result = guard.scan(response);
243
- expect(result.ok).toBe(true);
244
- if (result.ok) {
245
- expect(result.value.safe).toBe(false);
246
- expect(result.value.blocked).toBe(true);
247
- expect(result.value.sanitized).toContain("[REDACTED:anthropic_key]");
248
- expect(result.value.sanitized).not.toContain("sk-ant-api03");
249
- const finding = result.value.findings.find((f) => f.pattern === "anthropic_key");
250
- expect(finding).toBeDefined();
251
- expect(finding.type).toBe("secret_leak");
252
- expect(finding.severity).toBe("critical");
253
- }
254
- });
255
- it("redacts Anthropic admin key, blocked=true", () => {
256
- const response = "sk-ant-admin-abcdefghijklmnopqrstuvwx";
257
- const result = guard.scan(response);
258
- expect(result.ok).toBe(true);
259
- if (result.ok) {
260
- expect(result.value.blocked).toBe(true);
261
- expect(result.value.sanitized).toContain("[REDACTED:anthropic_key]");
262
- expect(result.value.sanitized).not.toContain("sk-ant-admin");
263
- }
264
- });
265
- it("redacts OpenAI project key, blocked=true", () => {
266
- const response = "sk-proj-abcdefghijklmnopqrstuvwxyz012345";
267
- const result = guard.scan(response);
268
- expect(result.ok).toBe(true);
269
- if (result.ok) {
270
- expect(result.value.safe).toBe(false);
271
- expect(result.value.blocked).toBe(true);
272
- expect(result.value.sanitized).toContain("[REDACTED:openai_project_key]");
273
- expect(result.value.sanitized).not.toContain("sk-proj-");
274
- }
275
- });
276
- it("redacts Telegram bot token, blocked=true", () => {
277
- const response = "Token: 123456789:ABCDEFGHIJKLMNOPQRSTuv";
278
- const result = guard.scan(response);
279
- expect(result.ok).toBe(true);
280
- if (result.ok) {
281
- expect(result.value.safe).toBe(false);
282
- expect(result.value.blocked).toBe(true);
283
- expect(result.value.sanitized).toContain("[REDACTED:telegram_bot_token]");
284
- expect(result.value.sanitized).not.toContain("123456789:");
285
- }
286
- });
287
- it("redacts Discord bot token, blocked=true", () => {
288
- const response = "MTIzNDU2Nzg5MDEyMzQ1Njc4.G1kX9w.ABCDEFGHIJKLMNOPQRSTUVWXYZabc";
289
- const result = guard.scan(response);
290
- expect(result.ok).toBe(true);
291
- if (result.ok) {
292
- expect(result.value.safe).toBe(false);
293
- expect(result.value.blocked).toBe(true);
294
- expect(result.value.sanitized).toContain("[REDACTED:discord_bot_token]");
295
- expect(result.value.sanitized).not.toContain("MTIzNDU2Nzg5MDEyMzQ1Njc4");
296
- }
297
- });
298
- it("redacts Google API key, blocked=true", () => {
299
- const response = "AIzaSyAbCdEfGhIjKlMnOpQrStUvWxYz0123456";
300
- const result = guard.scan(response);
301
- expect(result.ok).toBe(true);
302
- if (result.ok) {
303
- expect(result.value.safe).toBe(false);
304
- expect(result.value.blocked).toBe(true);
305
- expect(result.value.sanitized).toContain("[REDACTED:google_api_key]");
306
- expect(result.value.sanitized).not.toContain("AIzaSy");
307
- }
308
- });
309
- it("redacts PostgreSQL connection string, blocked=true", () => {
310
- const response = "postgresql://admin:secret@prod.db.example.com:5432/mydb";
311
- const result = guard.scan(response);
312
- expect(result.ok).toBe(true);
313
- if (result.ok) {
314
- expect(result.value.safe).toBe(false);
315
- expect(result.value.blocked).toBe(true);
316
- expect(result.value.sanitized).toContain("[REDACTED:db_connection_string]");
317
- expect(result.value.sanitized).not.toContain("postgresql://");
318
- }
319
- });
320
- it("redacts MongoDB connection string, blocked=true", () => {
321
- const response = "mongodb+srv://user:pass@cluster.mongo.net/db";
322
- const result = guard.scan(response);
323
- expect(result.ok).toBe(true);
324
- if (result.ok) {
325
- expect(result.value.blocked).toBe(true);
326
- expect(result.value.sanitized).toContain("[REDACTED:db_connection_string]");
327
- expect(result.value.sanitized).not.toContain("mongodb+srv://");
328
- }
329
- });
330
- it("redacts generic API key assignment, blocked=true", () => {
331
- const response = 'api_key = "sk1234567890abcdefghij"';
332
- const result = guard.scan(response);
333
- expect(result.ok).toBe(true);
334
- if (result.ok) {
335
- expect(result.value.safe).toBe(false);
336
- expect(result.value.blocked).toBe(true);
337
- expect(result.value.sanitized).toContain("[REDACTED:generic_api_key]");
338
- }
339
- });
340
- it("redacts api-key: header assignment, blocked=true", () => {
341
- const response = "api-key: ABCDEFGHIJ1234567890ab";
342
- const result = guard.scan(response);
343
- expect(result.ok).toBe(true);
344
- if (result.ok) {
345
- expect(result.value.blocked).toBe(true);
346
- expect(result.value.sanitized).toContain("[REDACTED:generic_api_key]");
347
- }
348
- });
349
- // Warning pattern (detect-only, NOT redacted)
350
- it("does NOT redact JWT token (warning severity), blocked=false", () => {
351
- const response = "eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiIxMjM0NTY3ODkwIn0.dozjgNryP4J3jVmNHl0w5N_XgL0n3I9PlFUP0THsR8U";
352
- const result = guard.scan(response);
353
- expect(result.ok).toBe(true);
354
- if (result.ok) {
355
- expect(result.value.blocked).toBe(false);
356
- expect(result.value.sanitized).toBe(response);
357
- const finding = result.value.findings.find((f) => f.pattern === "jwt_token");
358
- expect(finding).toBeDefined();
359
- expect(finding.severity).toBe("warning");
360
- expect(finding.type).toBe("secret_leak");
361
- }
362
- });
363
- // False positive prevention
364
- it("does NOT flag clean technical text about APIs", () => {
365
- const response = "To use the API, call the endpoint with your credentials.";
366
- const result = guard.scan(response);
367
- expect(result.ok).toBe(true);
368
- if (result.ok) {
369
- expect(result.value.safe).toBe(true);
370
- expect(result.value.findings).toHaveLength(0);
371
- }
372
- });
373
- it("does NOT flag short key-like strings", () => {
374
- const response = "api_key = 'short'";
375
- const result = guard.scan(response);
376
- expect(result.ok).toBe(true);
377
- if (result.ok) {
378
- // "short" is too short (< 20 chars) to match GENERIC_API_KEY_ASSIGN
379
- const genericFindings = result.value.findings.filter((f) => f.pattern === "generic_api_key");
380
- expect(genericFindings).toHaveLength(0);
381
- }
382
- });
383
- // Repeated call regression
384
- it("correctly scans Anthropic key on repeated calls (lastIndex reset)", () => {
385
- const response = "Key: sk-ant-api03-abcdefghijklmnopqrstuvwx";
386
- for (let i = 0; i < 3; i++) {
387
- const result = guard.scan(response);
388
- expect(result.ok).toBe(true);
389
- if (result.ok) {
390
- expect(result.value.blocked).toBe(true);
391
- const findings = result.value.findings.filter((f) => f.pattern === "anthropic_key");
392
- expect(findings).toHaveLength(1);
393
- }
394
- }
395
- });
396
- });
397
- });
@@ -1,95 +0,0 @@
1
- import * as fs from "node:fs";
2
- import * as os from "node:os";
3
- import * as path from "node:path";
4
- import { describe, it, expect, afterEach } from "vitest";
5
- import { safePath, PathTraversalError } from "./safe-path.js";
6
- describe("safePath", () => {
7
- describe("valid paths (should succeed)", () => {
8
- it("resolves a simple filename within base", () => {
9
- expect(safePath("/base", "file.txt")).toBe("/base/file.txt");
10
- });
11
- it("resolves multiple segments within base", () => {
12
- expect(safePath("/base", "subdir", "file.txt")).toBe("/base/subdir/file.txt");
13
- });
14
- it("returns base directory itself when no segments given", () => {
15
- expect(safePath("/base")).toBe("/base");
16
- });
17
- it("resolves nested path segments with slashes", () => {
18
- expect(safePath("/base", "a/b/c")).toBe("/base/a/b/c");
19
- });
20
- });
21
- describe("path traversal attacks (should throw PathTraversalError)", () => {
22
- it("rejects bare ..", () => {
23
- expect(() => safePath("/base", "..")).toThrow(PathTraversalError);
24
- });
25
- it("rejects ../../etc/passwd", () => {
26
- expect(() => safePath("/base", "../../etc/passwd")).toThrow(PathTraversalError);
27
- });
28
- it("rejects subdir/../../../etc/passwd", () => {
29
- expect(() => safePath("/base", "subdir/../../../etc/passwd")).toThrow(PathTraversalError);
30
- });
31
- });
32
- describe("URL-encoded attacks (should throw)", () => {
33
- it("rejects %2e%2e%2f (encoded ../)", () => {
34
- expect(() => safePath("/base", "%2e%2e%2fetc/passwd")).toThrow(PathTraversalError);
35
- });
36
- it("rejects %2e%2e/ (encoded ../) ", () => {
37
- expect(() => safePath("/base", "%2e%2e/etc/passwd")).toThrow(PathTraversalError);
38
- });
39
- });
40
- describe("prefix attacks (should throw)", () => {
41
- it("rejects ../uploads-evil/file when base is /uploads", () => {
42
- expect(() => safePath("/uploads", "../uploads-evil/file")).toThrow(PathTraversalError);
43
- });
44
- });
45
- describe("symlink attacks (integration test)", () => {
46
- let tmpDir;
47
- afterEach(() => {
48
- if (tmpDir) {
49
- fs.rmSync(tmpDir, { recursive: true, force: true });
50
- }
51
- });
52
- it("rejects symlinks pointing outside base", () => {
53
- tmpDir = fs.mkdtempSync(path.join(os.tmpdir(), "safepath-test-"));
54
- const baseDir = path.join(tmpDir, "base");
55
- const outsideDir = path.join(tmpDir, "outside");
56
- fs.mkdirSync(baseDir);
57
- fs.mkdirSync(outsideDir);
58
- fs.writeFileSync(path.join(outsideDir, "secret.txt"), "secret");
59
- // Create symlink inside base pointing to outside
60
- const symlinkPath = path.join(baseDir, "evil-link");
61
- fs.symlinkSync(outsideDir, symlinkPath);
62
- expect(() => safePath(baseDir, "evil-link", "secret.txt")).toThrow(PathTraversalError);
63
- });
64
- });
65
- describe("null byte attacks (should throw)", () => {
66
- it("rejects paths containing null bytes", () => {
67
- expect(() => safePath("/base", "file\0.txt")).toThrow(PathTraversalError);
68
- });
69
- });
70
- describe("PathTraversalError properties", () => {
71
- it("has name 'PathTraversalError'", () => {
72
- try {
73
- safePath("/base", "../../etc/passwd");
74
- expect.fail("should have thrown");
75
- }
76
- catch (error) {
77
- expect(error).toBeInstanceOf(PathTraversalError);
78
- expect(error.name).toBe("PathTraversalError");
79
- }
80
- });
81
- it("includes base and attempted properties", () => {
82
- try {
83
- safePath("/base", "../../etc/passwd");
84
- expect.fail("should have thrown");
85
- }
86
- catch (error) {
87
- expect(error).toBeInstanceOf(PathTraversalError);
88
- const pte = error;
89
- expect(pte.base).toBe("/base");
90
- expect(pte.attempted).toBeDefined();
91
- expect(typeof pte.attempted).toBe("string");
92
- }
93
- });
94
- });
95
- });