npm - groove-dev - Versions diffs - 0.27.92 → 0.27.94 - Mend

groove-dev 0.27.92 → 0.27.94

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (501) hide show

package/node_modules/moe-training/test/server/verifier.test.js ADDED Viewed

@@ -0,0 +1,232 @@
+// FSL-1.1-Apache-2.0 — see LICENSE
+import { describe, it, beforeEach, afterEach } from 'node:test';
+import assert from 'node:assert/strict';
+import { mkdtempSync, rmSync } from 'node:fs';
+import { join } from 'node:path';
+import { tmpdir } from 'node:os';
+import { generateECDHKeypair, deriveSharedSecret, signEnvelope } from '../../shared/crypto.js';
+import { SessionRegistry } from '../../server/session-registry.js';
+import { EnvelopeVerifier } from '../../server/verifier.js';
+const VALID_CONTRIBUTOR = 'c'.repeat(32);
+const VALID_APP_HASH = 'b'.repeat(64);
+function makeSignedEnvelope(sessionId, sequence, sharedSecret, extra = {}) {
+  const envelope = {
+    envelope_id: `env_test_${sequence}`,
+    session_id: sessionId,
+    chunk_sequence: sequence,
+    contributor_id: VALID_CONTRIBUTOR,
+    metadata: { model_engine: 'claude-opus-4-6', provider: 'claude-code', agent_role: 'frontend', agent_id: 'frontend-1' },
+    trajectory_log: [{ step: 1, type: 'thought', timestamp: Date.now() / 1000, content: 'test', token_count: 10 }],
+    ...extra,
+  };
+  const forHmac = { ...envelope };
+  const envelopeBytes = JSON.stringify(forHmac);
+  const hmac = signEnvelope(sharedSecret, envelopeBytes, sequence);
+  envelope.attestation = {
+    session_hmac: hmac,
+    sequence,
+    app_version_hash: VALID_APP_HASH,
+  };
+  return envelope;
+}
+function makeSignedCloseEnvelope(sessionId, sequence, sharedSecret) {
+  const envelope = {
+    envelope_id: `env_close_${sequence}`,
+    session_id: sessionId,
+    type: 'SESSION_CLOSE',
+    outcome: {
+      status: 'SUCCESS',
+      total_steps: 10,
+      total_chunks: 1,
+      user_interventions: 0,
+      total_tokens: 500,
+      duration_seconds: 60,
+      files_modified: 1,
+      errors_encountered: 0,
+      errors_recovered: 0,
+      coordination_events: 0,
+    },
+  };
+  const forHmac = { ...envelope };
+  const envelopeBytes = JSON.stringify(forHmac);
+  const hmac = signEnvelope(sharedSecret, envelopeBytes, sequence);
+  envelope.attestation = {
+    session_hmac: hmac,
+    sequence,
+    app_version_hash: VALID_APP_HASH,
+  };
+  return envelope;
+}
+describe('EnvelopeVerifier', () => {
+  let registry;
+  let verifier;
+  let tmpDir;
+  let sharedSecret;
+  const sessionId = 'sess_verify_001';
+  beforeEach(() => {
+    tmpDir = mkdtempSync(join(tmpdir(), 'verify-test-'));
+    registry = new SessionRegistry(join(tmpDir, 'sessions.db'));
+    verifier = new EnvelopeVerifier(registry);
+    const clientKeypair = generateECDHKeypair();
+    const result = registry.openSession(
+      sessionId, clientKeypair.publicKey, 'claude-code', 'claude-opus-4-6',
+      'fp_verify', 'hash_verify', '0.27.77'
+    );
+    const session = registry.getSession(sessionId);
+    sharedSecret = session.shared_secret;
+  });
+  afterEach(() => {
+    registry.close();
+    rmSync(tmpDir, { recursive: true, force: true });
+  });
+  it('accepts a valid envelope with correct HMAC', () => {
+    const envelope = makeSignedEnvelope(sessionId, 0, sharedSecret);
+    const result = verifier.verify(envelope);
+    assert.equal(result.valid, true);
+  });
+  it('rejects a tampered envelope (HMAC fails)', () => {
+    const envelope = makeSignedEnvelope(sessionId, 0, sharedSecret);
+    envelope.trajectory_log.push({ step: 2, type: 'action', content: 'injected' });
+    const result = verifier.verify(envelope);
+    assert.equal(result.valid, false);
+    assert.ok(result.reason.includes('HMAC'));
+  });
+  it('rejects wrong sequence number', () => {
+    const envelope = makeSignedEnvelope(sessionId, 5, sharedSecret);
+    const result = verifier.verify(envelope);
+    assert.equal(result.valid, false);
+    assert.ok(result.reason.includes('sequence'));
+  });
+  it('rejects unknown session_id', () => {
+    const envelope = makeSignedEnvelope('sess_nonexistent', 0, sharedSecret);
+    const result = verifier.verify(envelope);
+    assert.equal(result.valid, false);
+    assert.ok(result.reason.includes('unknown session_id'));
+  });
+  it('rejects envelope for closed session', () => {
+    registry.closeSession(sessionId);
+    const envelope = makeSignedEnvelope(sessionId, 0, sharedSecret);
+    const result = verifier.verify(envelope);
+    assert.equal(result.valid, false);
+    assert.ok(result.reason.includes('closed'));
+  });
+  it('rejects envelope missing attestation', () => {
+    const envelope = {
+      session_id: sessionId,
+      envelope_id: 'env_no_att',
+      trajectory_log: [],
+    };
+    const result = verifier.verify(envelope);
+    assert.equal(result.valid, false);
+    assert.ok(result.reason.includes('attestation'));
+  });
+  it('increments sequence after successful verification', () => {
+    const env0 = makeSignedEnvelope(sessionId, 0, sharedSecret);
+    const r0 = verifier.verify(env0);
+    assert.equal(r0.valid, true);
+    const env1 = makeSignedEnvelope(sessionId, 1, sharedSecret);
+    const r1 = verifier.verify(env1);
+    assert.equal(r1.valid, true);
+    const session = registry.getSession(sessionId);
+    assert.equal(session.expected_sequence, 2);
+  });
+  // --- New security tests ---
+  it('rejects empty HMAC string', () => {
+    const envelope = makeSignedEnvelope(sessionId, 0, sharedSecret);
+    envelope.attestation.session_hmac = '';
+    const result = verifier.verify(envelope);
+    assert.equal(result.valid, false);
+    assert.ok(result.reason.includes('HMAC'));
+  });
+  it('rejects missing HMAC field', () => {
+    const envelope = makeSignedEnvelope(sessionId, 0, sharedSecret);
+    delete envelope.attestation.session_hmac;
+    const result = verifier.verify(envelope);
+    assert.equal(result.valid, false);
+    assert.ok(result.reason.includes('HMAC'));
+  });
+  it('atomic sequence prevents duplicate sequence acceptance', () => {
+    const env0 = makeSignedEnvelope(sessionId, 0, sharedSecret);
+    const r0 = verifier.verify(env0);
+    assert.equal(r0.valid, true);
+    // Re-sign with sequence 0 again (replay attempt)
+    const env0replay = makeSignedEnvelope(sessionId, 0, sharedSecret);
+    const rReplay = verifier.verify(env0replay);
+    assert.equal(rReplay.valid, false);
+    assert.ok(rReplay.reason.includes('sequence'));
+  });
+  it('verifyClose checks sequence number', () => {
+    // Send one regular envelope first (sequence 0)
+    const env0 = makeSignedEnvelope(sessionId, 0, sharedSecret);
+    verifier.verify(env0);
+    // Close with wrong sequence
+    const closeWrong = makeSignedCloseEnvelope(sessionId, 0, sharedSecret);
+    const resultWrong = verifyClose(verifier, closeWrong);
+    assert.equal(resultWrong.valid, false);
+    assert.ok(resultWrong.reason.includes('sequence'));
+    // Close with correct sequence
+    const closeRight = makeSignedCloseEnvelope(sessionId, 1, sharedSecret);
+    const resultRight = verifyClose(verifier, closeRight);
+    assert.equal(resultRight.valid, true);
+  });
+  it('verifyClose rejects empty HMAC', () => {
+    const closeEnv = makeSignedCloseEnvelope(sessionId, 0, sharedSecret);
+    closeEnv.attestation.session_hmac = '';
+    const result = verifier.verifyClose(closeEnv);
+    assert.equal(result.valid, false);
+    assert.ok(result.reason.includes('HMAC'));
+  });
+  it('rejects OFFLINE HMAC marker from offline client', () => {
+    const envelope = makeSignedEnvelope(sessionId, 0, sharedSecret);
+    envelope.attestation.session_hmac = 'OFFLINE';
+    const result = verifier.verify(envelope);
+    assert.equal(result.valid, false);
+    assert.ok(result.reason.includes('HMAC'));
+  });
+  it('rejects mega-length HMAC string', () => {
+    const envelope = makeSignedEnvelope(sessionId, 0, sharedSecret);
+    envelope.attestation.session_hmac = 'a'.repeat(1_000_000);
+    const result = verifier.verify(envelope);
+    assert.equal(result.valid, false);
+    assert.ok(result.reason.includes('HMAC'));
+  });
+});
+function verifyClose(verifier, envelope) {
+  return verifier.verifyClose(envelope);
+}

package/node_modules/moe-training/test/shared/crypto.test.js ADDED Viewed

@@ -0,0 +1,87 @@
+// FSL-1.1-Apache-2.0 — see LICENSE
+import { describe, it } from 'node:test';
+import assert from 'node:assert/strict';
+import { writeFileSync, mkdtempSync, rmSync } from 'node:fs';
+import { join } from 'node:path';
+import { tmpdir } from 'node:os';
+import {
+  generateECDHKeypair,
+  deriveSharedSecret,
+  signEnvelope,
+  verifyEnvelope,
+  computeAppHash,
+} from '../../shared/crypto.js';
+describe('crypto', () => {
+  it('generates ECDH keypairs with base64 encoded keys', () => {
+    const kp = generateECDHKeypair();
+    assert.ok(kp.publicKey);
+    assert.ok(kp.privateKey);
+    assert.ok(Buffer.from(kp.publicKey, 'base64').length > 0);
+    assert.ok(Buffer.from(kp.privateKey, 'base64').length > 0);
+  });
+  it('derives the same shared secret from both sides', () => {
+    const alice = generateECDHKeypair();
+    const bob = generateECDHKeypair();
+    const secretA = deriveSharedSecret(alice.privateKey, bob.publicKey);
+    const secretB = deriveSharedSecret(bob.privateKey, alice.publicKey);
+    assert.equal(secretA, secretB);
+    assert.ok(Buffer.from(secretA, 'base64').length > 0);
+  });
+  it('HMAC sign and verify round-trip', () => {
+    const alice = generateECDHKeypair();
+    const bob = generateECDHKeypair();
+    const secret = deriveSharedSecret(alice.privateKey, bob.publicKey);
+    const payload = JSON.stringify({ data: 'test envelope content' });
+    const seq = 1;
+    const hmac = signEnvelope(secret, payload, seq);
+    assert.ok(typeof hmac === 'string');
+    assert.ok(hmac.length > 0);
+    assert.ok(verifyEnvelope(secret, payload, seq, hmac));
+  });
+  it('verification fails with tampered payload', () => {
+    const alice = generateECDHKeypair();
+    const bob = generateECDHKeypair();
+    const secret = deriveSharedSecret(alice.privateKey, bob.publicKey);
+    const payload = JSON.stringify({ data: 'original' });
+    const hmac = signEnvelope(secret, payload, 1);
+    const tampered = JSON.stringify({ data: 'tampered' });
+    assert.equal(verifyEnvelope(secret, tampered, 1, hmac), false);
+  });
+  it('verification fails with wrong sequence number', () => {
+    const alice = generateECDHKeypair();
+    const bob = generateECDHKeypair();
+    const secret = deriveSharedSecret(alice.privateKey, bob.publicKey);
+    const payload = JSON.stringify({ data: 'test' });
+    const hmac = signEnvelope(secret, payload, 1);
+    assert.equal(verifyEnvelope(secret, payload, 2, hmac), false);
+  });
+  it('computeAppHash returns SHA256 of file contents', () => {
+    const dir = mkdtempSync(join(tmpdir(), 'crypto-test-'));
+    const filePath = join(dir, 'test-file.txt');
+    writeFileSync(filePath, 'hello world');
+    const hash = computeAppHash(filePath);
+    assert.ok(typeof hash === 'string');
+    assert.equal(hash.length, 64);
+    const hash2 = computeAppHash(filePath);
+    assert.equal(hash, hash2);
+    rmSync(dir, { recursive: true });
+  });
+});

package/node_modules/moe-training/test/shared/envelope-schema.test.js ADDED Viewed

@@ -0,0 +1,351 @@
+// FSL-1.1-Apache-2.0 — see LICENSE
+import { describe, it } from 'node:test';
+import assert from 'node:assert/strict';
+import { validateEnvelope, STEP_TYPES } from '../../shared/envelope-schema.js';
+const VALID_HMAC = 'a'.repeat(64);
+const VALID_APP_HASH = 'b'.repeat(64);
+const VALID_CONTRIBUTOR = 'c'.repeat(32);
+function validEnvelope() {
+  return {
+    envelope_id: 'env_test-123',
+    session_id: 'sess_test-456',
+    chunk_sequence: 0,
+    contributor_id: VALID_CONTRIBUTOR,
+    attestation: { session_hmac: VALID_HMAC, sequence: 0, app_version_hash: VALID_APP_HASH },
+    metadata: {
+      model_engine: 'claude-opus-4-6',
+      provider: 'claude-code',
+      agent_role: 'backend',
+      agent_id: 'backend-1',
+      task_complexity: 'medium',
+      team_size: 2,
+      groove_version: '0.27.0',
+    },
+    trajectory_log: [
+      { step: 1, type: 'thought', timestamp: Date.now() / 1000, content: 'thinking...', token_count: 10 },
+      { step: 2, type: 'action', timestamp: Date.now() / 1000, tool: 'Read', content: 'reading file' },
+    ],
+  };
+}
+describe('envelope-schema', () => {
+  it('valid envelope passes validation', () => {
+    const result = validateEnvelope(validEnvelope());
+    assert.equal(result.valid, true);
+    assert.equal(result.errors.length, 0);
+  });
+  it('null envelope fails', () => {
+    const result = validateEnvelope(null);
+    assert.equal(result.valid, false);
+  });
+  it('missing session_id fails', () => {
+    const env = validEnvelope();
+    delete env.session_id;
+    const result = validateEnvelope(env);
+    assert.equal(result.valid, false);
+  });
+  it('missing metadata.provider fails', () => {
+    const env = validEnvelope();
+    delete env.metadata.provider;
+    const result = validateEnvelope(env);
+    assert.equal(result.valid, false);
+    assert.ok(result.errors.some((e) => e.includes('provider')));
+  });
+  it('invalid step type fails', () => {
+    const env = validEnvelope();
+    env.trajectory_log[0].type = 'invalid_type';
+    const result = validateEnvelope(env);
+    assert.equal(result.valid, false);
+    assert.ok(result.errors.some((e) => e.includes('invalid_type')));
+  });
+  it('missing step number fails', () => {
+    const env = validEnvelope();
+    delete env.trajectory_log[0].step;
+    const result = validateEnvelope(env);
+    assert.equal(result.valid, false);
+  });
+  it('missing timestamp fails', () => {
+    const env = validEnvelope();
+    delete env.trajectory_log[0].timestamp;
+    const result = validateEnvelope(env);
+    assert.equal(result.valid, false);
+  });
+  it('all STEP_TYPES are valid', () => {
+    for (const type of STEP_TYPES) {
+      const env = validEnvelope();
+      env.trajectory_log = [{ step: 1, type, timestamp: Date.now() / 1000 }];
+      const result = validateEnvelope(env);
+      assert.equal(result.valid, true, `Type "${type}" should be valid`);
+    }
+  });
+  // --- New security tests ---
+  it('rejects trajectory_log with > 500 steps', () => {
+    const env = validEnvelope();
+    env.trajectory_log = Array.from({ length: 501 }, (_, i) => ({
+      step: i, type: 'thought', timestamp: Date.now() / 1000,
+    }));
+    const result = validateEnvelope(env);
+    assert.equal(result.valid, false);
+    assert.ok(result.errors.some(e => e.includes('500')));
+  });
+  it('rejects step with content > 10KB', () => {
+    const env = validEnvelope();
+    env.trajectory_log[0].content = 'x'.repeat(10_001);
+    const result = validateEnvelope(env);
+    assert.equal(result.valid, false);
+    assert.ok(result.errors.some(e => e.includes('10000')));
+  });
+  it('rejects step with token_count > 100,000', () => {
+    const env = validEnvelope();
+    env.trajectory_log[0].token_count = 100_001;
+    const result = validateEnvelope(env);
+    assert.equal(result.valid, false);
+    assert.ok(result.errors.some(e => e.includes('token_count')));
+  });
+  it('rejects step with negative token_count', () => {
+    const env = validEnvelope();
+    env.trajectory_log[0].token_count = -1;
+    const result = validateEnvelope(env);
+    assert.equal(result.valid, false);
+    assert.ok(result.errors.some(e => e.includes('token_count')));
+  });
+  it('rejects step with step number > 50,000', () => {
+    const env = validEnvelope();
+    env.trajectory_log[0].step = 50_001;
+    const result = validateEnvelope(env);
+    assert.equal(result.valid, false);
+  });
+  it('rejects step with negative step number', () => {
+    const env = validEnvelope();
+    env.trajectory_log[0].step = -1;
+    const result = validateEnvelope(env);
+    assert.equal(result.valid, false);
+  });
+  it('rejects invalid provider', () => {
+    const env = validEnvelope();
+    env.metadata.provider = 'fake-provider';
+    const result = validateEnvelope(env);
+    assert.equal(result.valid, false);
+    assert.ok(result.errors.some(e => e.includes('provider')));
+  });
+  it('rejects invalid model_engine', () => {
+    const env = validEnvelope();
+    env.metadata.model_engine = 'gpt-5-turbo';
+    const result = validateEnvelope(env);
+    assert.equal(result.valid, false);
+    assert.ok(result.errors.some(e => e.includes('model_engine')));
+  });
+  it('rejects contributor_id that is not 32-char hex', () => {
+    const env = validEnvelope();
+    env.contributor_id = 'user_abc';
+    const result = validateEnvelope(env);
+    assert.equal(result.valid, false);
+    assert.ok(result.errors.some(e => e.includes('contributor_id')));
+  });
+  it('rejects contributor_id with uppercase hex', () => {
+    const env = validEnvelope();
+    env.contributor_id = 'A'.repeat(32);
+    const result = validateEnvelope(env);
+    assert.equal(result.valid, false);
+    assert.ok(result.errors.some(e => e.includes('contributor_id')));
+  });
+  it('rejects attestation.session_hmac that is not 64-char hex', () => {
+    const env = validEnvelope();
+    env.attestation.session_hmac = 'abc';
+    const result = validateEnvelope(env);
+    assert.equal(result.valid, false);
+    assert.ok(result.errors.some(e => e.includes('session_hmac')));
+  });
+  it('rejects attestation.app_version_hash that is not 64-char hex', () => {
+    const env = validEnvelope();
+    env.attestation.app_version_hash = 'def';
+    const result = validateEnvelope(env);
+    assert.equal(result.valid, false);
+    assert.ok(result.errors.some(e => e.includes('app_version_hash')));
+  });
+  it('rejects future timestamps beyond 1 hour', () => {
+    const env = validEnvelope();
+    env.trajectory_log[0].timestamp = (Date.now() + 2 * 60 * 60 * 1000) / 1000;
+    const result = validateEnvelope(env);
+    assert.equal(result.valid, false);
+    assert.ok(result.errors.some(e => e.includes('Timestamp out of range')));
+  });
+  it('rejects timestamps older than 7 days', () => {
+    const env = validEnvelope();
+    env.trajectory_log[0].timestamp = (Date.now() - 8 * 24 * 60 * 60 * 1000) / 1000;
+    const result = validateEnvelope(env);
+    assert.equal(result.valid, false);
+    assert.ok(result.errors.some(e => e.includes('Timestamp out of range')));
+  });
+  it('rejects team_size outside 1-50', () => {
+    const env = validEnvelope();
+    env.metadata.team_size = 0;
+    let result = validateEnvelope(env);
+    assert.equal(result.valid, false);
+    env.metadata.team_size = 51;
+    result = validateEnvelope(env);
+    assert.equal(result.valid, false);
+  });
+  it('rejects invalid task_complexity', () => {
+    const env = validEnvelope();
+    env.metadata.task_complexity = 'extreme';
+    const result = validateEnvelope(env);
+    assert.equal(result.valid, false);
+    assert.ok(result.errors.some(e => e.includes('task_complexity')));
+  });
+  it('accepts absent optional metadata fields', () => {
+    const env = validEnvelope();
+    delete env.metadata.team_size;
+    delete env.metadata.task_complexity;
+    delete env.metadata.groove_version;
+    const result = validateEnvelope(env);
+    assert.equal(result.valid, true);
+  });
+  it('valid SESSION_CLOSE passes', () => {
+    const close = {
+      envelope_id: 'env_close-1',
+      session_id: 'sess_test-1',
+      type: 'SESSION_CLOSE',
+      attestation: { session_hmac: VALID_HMAC, sequence: 5, app_version_hash: VALID_APP_HASH },
+      outcome: {
+        status: 'SUCCESS',
+        user_interventions: 1,
+        total_steps: 100,
+        total_chunks: 2,
+        total_tokens: 5000,
+        duration_seconds: 300,
+        files_modified: 3,
+        errors_encountered: 1,
+        errors_recovered: 1,
+        coordination_events: 0,
+      },
+    };
+    const result = validateEnvelope(close);
+    assert.equal(result.valid, true);
+  });
+  it('SESSION_CLOSE missing outcome fails', () => {
+    const close = {
+      envelope_id: 'env_close-1',
+      session_id: 'sess_test-1',
+      type: 'SESSION_CLOSE',
+      attestation: { session_hmac: VALID_HMAC, sequence: 5, app_version_hash: VALID_APP_HASH },
+    };
+    const result = validateEnvelope(close);
+    assert.equal(result.valid, false);
+    assert.ok(result.errors.some((e) => e.includes('outcome')));
+  });
+  it('SESSION_CLOSE missing status fails', () => {
+    const close = {
+      envelope_id: 'env_close-1',
+      session_id: 'sess_test-1',
+      type: 'SESSION_CLOSE',
+      attestation: { session_hmac: VALID_HMAC, sequence: 0, app_version_hash: VALID_APP_HASH },
+      outcome: { total_steps: 10, total_chunks: 1 },
+    };
+    const result = validateEnvelope(close);
+    assert.equal(result.valid, false);
+    assert.ok(result.errors.some((e) => e.includes('status')));
+  });
+  it('SESSION_CLOSE rejects invalid outcome status', () => {
+    const close = {
+      envelope_id: 'env_close-1',
+      session_id: 'sess_test-1',
+      type: 'SESSION_CLOSE',
+      attestation: { session_hmac: VALID_HMAC, sequence: 0, app_version_hash: VALID_APP_HASH },
+      outcome: { status: 'TIMEOUT', total_steps: 10, total_chunks: 1 },
+    };
+    const result = validateEnvelope(close);
+    assert.equal(result.valid, false);
+    assert.ok(result.errors.some(e => e.includes('status')));
+  });
+  it('SESSION_CLOSE rejects negative outcome numerics', () => {
+    const close = {
+      envelope_id: 'env_close-1',
+      session_id: 'sess_test-1',
+      type: 'SESSION_CLOSE',
+      attestation: { session_hmac: VALID_HMAC, sequence: 0, app_version_hash: VALID_APP_HASH },
+      outcome: { status: 'SUCCESS', total_steps: 10, total_chunks: 1, user_interventions: -5 },
+    };
+    const result = validateEnvelope(close);
+    assert.equal(result.valid, false);
+    assert.ok(result.errors.some(e => e.includes('user_interventions')));
+  });
+  it('SESSION_CLOSE rejects outcome numerics > 50,000', () => {
+    const close = {
+      envelope_id: 'env_close-1',
+      session_id: 'sess_test-1',
+      type: 'SESSION_CLOSE',
+      attestation: { session_hmac: VALID_HMAC, sequence: 0, app_version_hash: VALID_APP_HASH },
+      outcome: { status: 'SUCCESS', total_steps: 50_001, total_chunks: 1 },
+    };
+    const result = validateEnvelope(close);
+    assert.equal(result.valid, false);
+  });
+  it('rejects token_count = 999999', () => {
+    const env = validEnvelope();
+    env.trajectory_log[0].token_count = 999_999;
+    const result = validateEnvelope(env);
+    assert.equal(result.valid, false);
+    assert.ok(result.errors.some(e => e.includes('token_count')));
+  });
+  it('rejects SQL injection in contributor_id', () => {
+    const env = validEnvelope();
+    env.contributor_id = "'; DROP TABLE balances; --";
+    const result = validateEnvelope(env);
+    assert.equal(result.valid, false);
+    assert.ok(result.errors.some(e => e.includes('contributor_id')));
+  });
+  it('rejects attestation.session_hmac = giant string', () => {
+    const env = validEnvelope();
+    env.attestation.session_hmac = 'x'.repeat(1_000_000);
+    const result = validateEnvelope(env);
+    assert.equal(result.valid, false);
+    assert.ok(result.errors.some(e => e.includes('session_hmac')));
+  });
+  it('rejects empty attestation.session_hmac', () => {
+    const env = validEnvelope();
+    env.attestation.session_hmac = '';
+    const result = validateEnvelope(env);
+    assert.equal(result.valid, false);
+    assert.ok(result.errors.some(e => e.includes('session_hmac')));
+  });
+});

package/node_modules/napi-build-utils/.github/workflows/run-npm-tests.yml ADDED Viewed

@@ -0,0 +1,31 @@
+name: Run npm Tests
+on:
+  workflow_dispatch:
+  push:
+    branches: [ "main" ]
+  pull_request:
+    branches: [ "main" ]
+jobs:
+  test:
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        node-version: [22, 23]
+    steps:
+    - name: Checkout repository
+      uses: actions/checkout@v2
+    - name: Set up Node.js ${{ matrix.node-version }}
+      uses: actions/setup-node@v3
+      with:
+        node-version: ${{ matrix.node-version }}
+    - name: Install dependencies
+      run: npm install
+    - name: Run tests
+      run: npm test