limbo-ai 1.9.3 → 1.9.5

package/cli.js

@@ -813,8 +813,39 @@ function applyOpenClawConfig(cfg) {
   ok(t(cfg.language, 'configFlowDone'));
 }
 
-// Strip ANSI escape sequences so URL/text matching works on TTY output.
-const stripAnsi = (str) => str.replace(/\x1b\[[0-9;]*[A-Za-z]/g, '').replace(/\r/g, '');
+// Strip all ANSI/VT100 escape sequences from a string.
+// Uses standards-based ECMA-48 byte ranges:
+//   CSI: ESC [ <param bytes 0x30-0x3F>* <intermediate bytes 0x20-0x2F>* <final byte 0x40-0x7E>
+//   Two-char ESC: ESC <0x40-0x5F>  (e.g. ESC M, ESC =, ESC 7/8 save/restore cursor)
+//   OSC: ESC ] <any> BEL|ST
+// Covers private-mode sequences like \x1b[?25l (hide cursor) that the old [0-9;]* missed.
+const stripAnsi = (str) => str
+  .replace(/\x1b\[[0-?]*[ -/]*[@-~]/g, '')          // CSI sequences (all parameter byte combos)
+  .replace(/\x1b\][^\x07\x1b]*(?:\x07|\x1b\\)/g, '') // OSC sequences (before two-char — shares \x1b] prefix)
+  .replace(/\x1b[^[\]]/g, '')                         // two-char ESC sequences (e.g. ESC 7/8 save/restore)
+  .replace(/\r/g, '');
+
+// Matches OAuth/browser URLs emitted by OpenClaw during auth flows.
+const AUTH_URL_RE = /https?:\/\/[^\s"'<>\]]+/g;
+
+// Matches lines consisting entirely of TUI chrome: spinner glyphs, box-drawing chars, and
+// clack/prompt decorations. Used to suppress animation frame scatter from OpenClaw TUI output.
+const TUI_CHROME_RE = /^[\s\u2500-\u257f\u2580-\u259f\u25a0-\u25ff\u2600-\u26ff\u2190-\u21ff\u2700-\u27bf\u2800-\u28ff]*$/u;
+
+// Pure helper: flush complete lines from a raw buffer.
+// Normalises \r\n → \n, splits on \n, and within each segment keeps only the LAST
+// \r-separated piece — that's the final rendered state after TUI in-place overwrites.
+// Returns the lines to emit and the leftover incomplete segment.
+function flushStreamLines(buf) {
+  const normalized = buf.replace(/\r\n/g, '\n');
+  const segments = normalized.split('\n');
+  const remaining = segments.pop(); // no trailing \n yet
+  const lines = segments.map((seg) => {
+    const frames = seg.split('\r');
+    return frames[frames.length - 1]; // last frame = final rendered content
+  });
+  return { lines, remaining };
+}
 
 // Spawn OpenClaw auth with filtered output: extract OAuth URLs, suppress branding.
 // --tty is required so openclaw sees a TTY inside the container and runs the auth wizard.
@@ -827,21 +858,22 @@ function streamFilteredAuth(dockerArgs, onUrl = null) {
       stdio: ['inherit', 'pipe', 'pipe'],
     });
 
-    const urlRe = /https?:\/\/[^\s"'<>\]]+/g;
     const seenUrls = new Set();
     let buf = '';
 
     const handleData = (data) => {
       buf += data.toString();
-      // Split on \r\n, \n, or bare \r — TUIs use carriage returns for in-place redraws
-      const lines = buf.split(/\r?\n|\r/);
-      buf = lines.pop(); // hold incomplete last line
+      // flushStreamLines keeps only the final \r frame per \n-terminated line,
+      // discarding all intermediate TUI animation states (character-by-character
+      // reveals, spinner frames) that would otherwise scatter across the terminal.
+      const { lines, remaining } = flushStreamLines(buf);
+      buf = remaining;
       for (const line of lines) emitLine(line);
     };
 
     const emitLine = (rawLine) => {
       const line = stripAnsi(rawLine);
-      const urls = line.match(urlRe) || [];
+      const urls = line.match(AUTH_URL_RE) || [];
       if (urls.length > 0) {
         for (const url of urls) {
           if (!seenUrls.has(url)) {
@@ -852,15 +884,21 @@ function streamFilteredAuth(dockerArgs, onUrl = null) {
         }
         return; // don't double-print the line containing the URL
       }
-      // Suppress OpenClaw branding; show everything else (prompts, status, interactive questions)
+      // Suppress OpenClaw branding
       if (/openclaw/i.test(line)) return;
+      // Suppress TUI chrome: lines consisting only of spinner/decoration/box-drawing chars.
+      if (TUI_CHROME_RE.test(line)) return;
       if (line.trim()) console.log(`   ${line}`);
     };
 
     proc.stdout.on('data', handleData);
     proc.stderr.on('data', handleData);
     proc.on('close', (code) => {
-      if (buf.trim()) emitLine(buf);
+      if (buf.trim()) {
+        // Append a synthetic \n to flush the remaining buffer through flushStreamLines.
+        const { lines } = flushStreamLines(buf + '\n');
+        for (const line of lines) emitLine(line);
+      }
       resolve(code ?? 1);
     });
     proc.on('error', () => resolve(1));
@@ -1078,24 +1116,29 @@ ${c.bold}Data directory:${c.reset} ${LIMBO_DIR}
 
 // ─── Main ────────────────────────────────────────────────────────────────────
 
-const [,, cmd = 'start'] = process.argv;
-
-(async () => {
-  switch (cmd) {
-    case 'start':
-    case 'install': await cmdStart(); break;
-    case 'stop':    cmdStop(); break;
-    case 'logs':    cmdLogs(); break;
-    case 'update':  cmdUpdate(); break;
-    case 'status':  cmdStatus(); break;
-    case 'help':
-    case '--help':
-    case '-h':      cmdHelp(); break;
-    default:
-      warn(t('en', 'unknownCommand', cmd));
-      cmdHelp();
-      process.exit(1);
-  }
-})().catch((err) => {
-  die(err.message || String(err));
-});
+if (require.main === module) {
+  const [,, cmd = 'start'] = process.argv;
+
+  (async () => {
+    switch (cmd) {
+      case 'start':
+      case 'install': await cmdStart(); break;
+      case 'stop':    cmdStop(); break;
+      case 'logs':    cmdLogs(); break;
+      case 'update':  cmdUpdate(); break;
+      case 'status':  cmdStatus(); break;
+      case 'help':
+      case '--help':
+      case '-h':      cmdHelp(); break;
+      default:
+        warn(t('en', 'unknownCommand', cmd));
+        cmdHelp();
+        process.exit(1);
+    }
+  })().catch((err) => {
+    die(err.message || String(err));
+  });
+} else {
+  // Exported for unit testing — not part of the public CLI API.
+  module.exports = { stripAnsi, AUTH_URL_RE, TUI_CHROME_RE, flushStreamLines };
+}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "limbo-ai",
-  "version": "1.9.3",
+  "version": "1.9.5",
   "description": "Your personal AI memory agent — install and manage Limbo via npx",
   "type": "commonjs",
   "bin": {
@@ -13,7 +13,8 @@
     "@clack/prompts": "^1.1.0"
   },
   "scripts": {
-    "start": "node cli.js start"
+    "start": "node cli.js start",
+    "test": "node --test test/**/*.test.js"
   },
   "keywords": [
     "limbo",

package/test/cli-auth.test.js

@@ -0,0 +1,250 @@
+// test/cli-auth.test.js
+// Unit tests for the streamFilteredAuth pure-logic functions exported from cli.js.
+// Run with: node --test test/cli-auth.test.js
+'use strict';
+
+const { test } = require('node:test');
+const assert = require('node:assert/strict');
+
+const { stripAnsi, AUTH_URL_RE, TUI_CHROME_RE, flushStreamLines } = require('../cli.js');
+
+// ─── stripAnsi ────────────────────────────────────────────────────────────────
+
+test('stripAnsi: strips standard CSI sequences', () => {
+  assert.equal(stripAnsi('\x1b[32mgreen\x1b[0m'), 'green');
+  assert.equal(stripAnsi('\x1b[1;31mbold red\x1b[0m'), 'bold red');
+  assert.equal(stripAnsi('\x1b[2Kclear line'), 'clear line');
+});
+
+test('stripAnsi: strips ?-prefixed private-mode CSI sequences', () => {
+  // \x1b[?25l hide cursor, \x1b[?25h show cursor
+  assert.equal(stripAnsi('\x1b[?25lhello\x1b[?25h'), 'hello');
+  // \x1b[?2004h / \x1b[?2004l bracketed paste mode
+  assert.equal(stripAnsi('\x1b[?2004htext\x1b[?2004l'), 'text');
+});
+
+test('stripAnsi: strips two-char ESC sequences (0x40-0x5F range)', () => {
+  // ESC M (0x4D) — reverse index (cursor up with scroll)
+  assert.equal(stripAnsi('\x1bMline'), 'line');
+  // ESC E (0x45) — next line
+  assert.equal(stripAnsi('text\x1bEafter'), 'textafter');
+  // ESC ^ (0x5E) — privacy message (PM)
+  assert.equal(stripAnsi('before\x1b^after'), 'beforeafter');
+});
+
+test('stripAnsi: strips OSC sequences (BEL-terminated)', () => {
+  // OSC 0 ; title BEL — window title sequence
+  assert.equal(stripAnsi('\x1b]0;My Terminal Title\x07visible'), 'visible');
+});
+
+test('stripAnsi: strips OSC sequences (ST-terminated)', () => {
+  assert.equal(stripAnsi('\x1b]0;title\x1b\\visible'), 'visible');
+});
+
+test('stripAnsi: strips bare carriage returns', () => {
+  assert.equal(stripAnsi('line1\rline2'), 'line1line2');
+  assert.equal(stripAnsi('\r'), '');
+});
+
+test('stripAnsi: leaves plain text untouched', () => {
+  const plain = 'Hello, world! 123 !@#';
+  assert.equal(stripAnsi(plain), plain);
+});
+
+test('stripAnsi: handles empty string', () => {
+  assert.equal(stripAnsi(''), '');
+});
+
+test('stripAnsi: strips mixed sequences in one pass', () => {
+  // CSI (?25l hide cursor) + CSI (32m color) + OSC (window title) + bare CR
+  const input = '\x1b[?25l\x1b[32mProcessing\x1b[0m...\x1b]0;term\x07done\r';
+  assert.equal(stripAnsi(input), 'Processing...done');
+  // CSI + two-char ESC (M) mixed with real text
+  const input2 = '\x1b[1mbold\x1b[0m\x1bMnext';
+  assert.equal(stripAnsi(input2), 'boldnext');
+});
+
+// ─── TUI_CHROME_RE ────────────────────────────────────────────────────────────
+
+test('TUI_CHROME_RE: suppresses Braille spinner chars', () => {
+  // Common clack/openclaw spinner frames
+  for (const ch of ['⠋', '⠙', '⠹', '⠸', '⠼', '⠴', '⠦', '⠧', '⠇', '⠏']) {
+    assert.equal(TUI_CHROME_RE.test(ch), true, `expected ${ch} to match TUI_CHROME_RE`);
+  }
+});
+
+test('TUI_CHROME_RE: suppresses box-drawing chars', () => {
+  assert.equal(TUI_CHROME_RE.test('─'), true);
+  assert.equal(TUI_CHROME_RE.test('│'), true);
+  assert.equal(TUI_CHROME_RE.test('┌┐└┘'), true);
+  assert.equal(TUI_CHROME_RE.test('═══'), true);
+});
+
+test('TUI_CHROME_RE: suppresses clack decoration chars', () => {
+  assert.equal(TUI_CHROME_RE.test('◇'), true);
+  assert.equal(TUI_CHROME_RE.test('●'), true);
+  assert.equal(TUI_CHROME_RE.test('◆'), true);
+  assert.equal(TUI_CHROME_RE.test('○'), true);
+});
+
+test('TUI_CHROME_RE: suppresses whitespace-only lines', () => {
+  assert.equal(TUI_CHROME_RE.test('   '), true);
+  assert.equal(TUI_CHROME_RE.test(''), true);
+  assert.equal(TUI_CHROME_RE.test('\t'), true);
+});
+
+test('TUI_CHROME_RE: suppresses mixed chrome lines (spinner + whitespace)', () => {
+  assert.equal(TUI_CHROME_RE.test('  ⠋  '), true);
+  assert.equal(TUI_CHROME_RE.test('◇  ─  ◇'), true);
+});
+
+test('TUI_CHROME_RE: passes lines with real text content', () => {
+  assert.equal(TUI_CHROME_RE.test('Please open this URL'), false);
+  assert.equal(TUI_CHROME_RE.test('Authenticating...'), false);
+  assert.equal(TUI_CHROME_RE.test('Press Enter to continue'), false);
+  assert.equal(TUI_CHROME_RE.test('Error: invalid token'), false);
+});
+
+test('TUI_CHROME_RE: passes lines starting with decoration but containing text', () => {
+  // clack prompts often have a leading decoration glyph followed by text
+  assert.equal(TUI_CHROME_RE.test('◇ Enter your API key'), false);
+  assert.equal(TUI_CHROME_RE.test('● Model selected: claude-opus-4-6'), false);
+});
+
+// ─── AUTH_URL_RE (URL extraction) ─────────────────────────────────────────────
+
+test('AUTH_URL_RE: detects http OAuth URLs', () => {
+  const line = 'Open this URL to authenticate: http://localhost:3000/oauth/callback?code=abc123';
+  const matches = line.match(AUTH_URL_RE);
+  assert.ok(matches, 'expected URL match');
+  assert.equal(matches[0], 'http://localhost:3000/oauth/callback?code=abc123');
+});
+
+test('AUTH_URL_RE: detects https OAuth URLs', () => {
+  const line = 'Visit https://auth.anthropic.com/oauth2/authorize?client_id=limbo&state=xyz to login';
+  const matches = line.match(AUTH_URL_RE);
+  assert.ok(matches, 'expected URL match');
+  assert.equal(matches[0], 'https://auth.anthropic.com/oauth2/authorize?client_id=limbo&state=xyz');
+});
+
+test('AUTH_URL_RE: does not match plain text without URL', () => {
+  const line = 'Waiting for authentication...';
+  const matches = line.match(AUTH_URL_RE);
+  assert.equal(matches, null);
+});
+
+test('AUTH_URL_RE: stops URL at whitespace', () => {
+  const line = 'URL: https://example.com/auth and then some text';
+  const matches = line.match(AUTH_URL_RE);
+  assert.ok(matches);
+  assert.equal(matches[0], 'https://example.com/auth');
+});
+
+test('AUTH_URL_RE: stops URL at angle bracket', () => {
+  const line = 'Go to <https://example.com/auth>';
+  const matches = line.match(AUTH_URL_RE);
+  assert.ok(matches);
+  assert.equal(matches[0], 'https://example.com/auth');
+});
+
+test('AUTH_URL_RE: extracts multiple URLs from a single line', () => {
+  const line = 'Primary: https://example.com/a Fallback: https://example.com/b';
+  const matches = line.match(AUTH_URL_RE);
+  assert.ok(matches);
+  assert.equal(matches.length, 2);
+  assert.equal(matches[0], 'https://example.com/a');
+  assert.equal(matches[1], 'https://example.com/b');
+});
+
+test('AUTH_URL_RE: URL deduplication — same URL seen twice is emitted once', () => {
+  // This tests the seenUrls Set logic conceptually — we verify that running AUTH_URL_RE
+  // against the same URL twice and filtering via a Set yields a single emission.
+  const url = 'https://auth.openai.com/oauth/callback?code=abc';
+  const lines = [
+    `Open: ${url}`,
+    `Retry: ${url}`,
+    'Different: https://example.com/other',
+  ];
+
+  const emitted = [];
+  const seenUrls = new Set();
+
+  for (const line of lines) {
+    const urls = line.match(AUTH_URL_RE) || [];
+    for (const u of urls) {
+      if (!seenUrls.has(u)) {
+        seenUrls.add(u);
+        emitted.push(u);
+      }
+    }
+  }
+
+  assert.equal(emitted.length, 2, 'duplicate URL should only be emitted once');
+  assert.equal(emitted[0], url);
+  assert.equal(emitted[1], 'https://example.com/other');
+});
+
+// ─── flushStreamLines (animation scatter regression) ──────────────────────────
+
+test('flushStreamLines: emits only final \\r frame — suppresses scatter', () => {
+  // This is the exact pattern that caused the diagonal scatter seen in the screenshot:
+  // clack's character-by-character reveal writes each progressive state separated by \r.
+  // Before the fix, every frame was emitted as a separate line causing staircase output.
+  const buf = '│ Y\r│ Yo\r│ You\r│ Your URL: https://auth.example.com\n';
+  const { lines, remaining } = flushStreamLines(buf);
+  assert.equal(remaining, '');
+  assert.equal(lines.length, 1, 'only the final frame should be emitted');
+  assert.equal(lines[0], '│ Your URL: https://auth.example.com');
+});
+
+test('flushStreamLines: handles spinner animation (pure chrome final frame)', () => {
+  // Spinner that completes and clears the line — final state is empty/chrome
+  const buf = '⠋\r⠙\r⠹\r⠸\r \n';
+  const { lines } = flushStreamLines(buf);
+  assert.equal(lines.length, 1);
+  assert.equal(lines[0], ' '); // final frame (space = cleared); TUI_CHROME_RE will suppress it
+});
+
+test('flushStreamLines: normalises \\r\\n to single newline', () => {
+  const buf = 'line one\r\nline two\r\n';
+  const { lines, remaining } = flushStreamLines(buf);
+  assert.equal(remaining, '');
+  assert.deepEqual(lines, ['line one', 'line two']);
+});
+
+test('flushStreamLines: holds incomplete segment in remaining', () => {
+  const buf = 'complete line\nstill coming';
+  const { lines, remaining } = flushStreamLines(buf);
+  assert.deepEqual(lines, ['complete line']);
+  assert.equal(remaining, 'still coming');
+});
+
+test('flushStreamLines: accumulating chunks yields same result as one chunk', () => {
+  // Simulate data arriving in two chunks mid-animation-frame
+  const chunk1 = '│ Y\r│ Yo\r';
+  const chunk2 = '│ You\r│ Your URL: https://auth.example.com\n';
+
+  // Chunk 1 alone: no complete \n-terminated line yet
+  const r1 = flushStreamLines(chunk1);
+  assert.deepEqual(r1.lines, []);
+  assert.equal(r1.remaining, '│ Y\r│ Yo\r');
+
+  // Chunk 2 appended to remaining: yields only the final frame
+  const r2 = flushStreamLines(r1.remaining + chunk2);
+  assert.equal(r2.lines.length, 1);
+  assert.equal(r2.lines[0], '│ Your URL: https://auth.example.com');
+  assert.equal(r2.remaining, '');
+});
+
+test('flushStreamLines: multiple \\n-terminated lines processed independently', () => {
+  // Two different lines, each with animation frames
+  const buf = '⠋ Loading...\r⠙ Loading...\r Done!\nEnter code: \r\n';
+  const { lines } = flushStreamLines(buf);
+  assert.deepEqual(lines, [' Done!', 'Enter code: ']);
+});
+
+test('flushStreamLines: empty buffer returns no lines', () => {
+  const { lines, remaining } = flushStreamLines('');
+  assert.deepEqual(lines, []);
+  assert.equal(remaining, '');
+});

package/test/cli-filter.test.js

@@ -0,0 +1,197 @@
+/**
+ * Unit tests for the CLI auth output filter logic.
+ *
+ * Tests stripAnsi, processLine (carriage-return collapse), and the emitLine
+ * filtering decisions in streamFilteredAuth. Zero external dependencies —
+ * uses Node.js built-in test runner (node:test, node >= 18).
+ *
+ * Run: node --test test/cli-filter.test.js
+ */
+
+'use strict';
+
+const { test } = require('node:test');
+const assert = require('node:assert/strict');
+
+// ─── Replicated filter logic (must stay in sync with cli.js) ─────────────────
+// If these start diverging, extract to a shared module.
+
+const stripAnsi = (str) => str
+  .replace(/\x1b\[[0-?]*[ -/]*[@-~]/g, '')          // CSI sequences (all parameter byte combos)
+  .replace(/\x1b\][^\x07\x1b]*(?:\x07|\x1b\\)/g, '') // OSC sequences (before two-char — shares \x1b] prefix)
+  .replace(/\x1b[^[\]]/g, '')                         // two-char ESC sequences (e.g. ESC 7/8 save/restore)
+  .replace(/\r/g, '');
+
+const urlRe = /https?:\/\/[^\s"'<>\]]+/g;
+const tuiChrome = /^[\s\u2500-\u257f\u2580-\u259f\u25a0-\u25ff\u2600-\u26ff\u2190-\u21ff\u2700-\u27bf\u2800-\u28ff]*$/u;
+
+/** Returns last \r-frame — the final visual state of any carriage-return animation. */
+function processLine(raw) {
+  return raw.split('\r').pop() || '';
+}
+
+/**
+ * Models the emitLine decision: 'url' | 'show' | 'suppress'.
+ * Reset urlRe.lastIndex before each call since it's a global regex.
+ */
+function classify(rawLine) {
+  urlRe.lastIndex = 0;
+  const line = stripAnsi(rawLine);
+  if (urlRe.test(line)) return 'url';
+  if (/openclaw/i.test(line)) return 'suppress';
+  if (tuiChrome.test(line)) return 'suppress';
+  if (!line.trim()) return 'suppress';
+  return 'show';
+}
+
+// ─── stripAnsi ────────────────────────────────────────────────────────────────
+
+test('stripAnsi: removes standard SGR color codes', () => {
+  assert.equal(stripAnsi('\x1b[31mRed text\x1b[0m'), 'Red text');
+  assert.equal(stripAnsi('\x1b[1;32mBold green\x1b[0m'), 'Bold green');
+});
+
+test('stripAnsi: removes private-mode sequences (the original bug — ?25l hide cursor)', () => {
+  assert.equal(stripAnsi('\x1b[?25l'), '');
+  assert.equal(stripAnsi('\x1b[?25lhello\x1b[?25h'), 'hello');
+  assert.equal(stripAnsi('\x1b[?2004h bracketed paste mode \x1b[?2004l'), ' bracketed paste mode ');
+});
+
+test('stripAnsi: removes cursor movement and erase sequences', () => {
+  assert.equal(stripAnsi('\x1b[5;10HY'), 'Y');   // cursor to row 5, col 10, then char
+  assert.equal(stripAnsi('\x1b[2K'), '');          // erase entire line
+  assert.equal(stripAnsi('\x1b[1A'), '');          // cursor up 1
+  assert.equal(stripAnsi('\x1b[G'), '');           // cursor to column 1
+});
+
+test('stripAnsi: removes two-char ESC sequences (save/restore cursor)', () => {
+  assert.equal(stripAnsi('\x1b7saved\x1b8'), 'saved');
+  assert.equal(stripAnsi('\x1bcReset'), 'Reset');
+});
+
+test('stripAnsi: removes OSC sequences (window title)', () => {
+  assert.equal(stripAnsi('\x1b]0;My Terminal\x07normal'), 'normal');
+  assert.equal(stripAnsi('\x1b]2;Title\x1b\\text'), 'text');
+});
+
+test('stripAnsi: strips \\r (carriage return)', () => {
+  assert.equal(stripAnsi('hello\rworld'), 'helloworld');
+});
+
+test('stripAnsi: passes through plain text unchanged', () => {
+  assert.equal(stripAnsi('Auth complete.'), 'Auth complete.');
+  assert.equal(stripAnsi(''), '');
+});
+
+// ─── processLine (carriage-return collapse) ───────────────────────────────────
+
+test('processLine: returns last \\r-frame (final typewriter state)', () => {
+  // This is the core fix. Typewriter animation builds text with \r between frames.
+  const input = '│  Y\r│  Yo\r│  You\r│  You \r│  You are running in a remote environment';
+  assert.equal(processLine(input), '│  You are running in a remote environment');
+});
+
+test('processLine: collapses spinner animation to final frame', () => {
+  assert.equal(processLine('⠋ Waiting\r⠙ Waiting\r⠹ Waiting\r⠸ Done'), '⠸ Done');
+});
+
+test('processLine: returns line unchanged if no \\r present', () => {
+  assert.equal(processLine('Auth complete.'), 'Auth complete.');
+  assert.equal(processLine(''), '');
+});
+
+test('processLine: handles trailing \\r (line ending with empty final frame)', () => {
+  // \r at end → final frame is empty string; processLine returns ''
+  assert.equal(processLine('clear this\r'), '');
+});
+
+// ─── emitLine classification ──────────────────────────────────────────────────
+
+test('classify: detects OAuth URLs', () => {
+  assert.equal(classify('https://auth.openai.com/oauth/authorize?foo=bar'), 'url');
+  assert.equal(classify('  → https://auth.openai.com/oauth/authorize?foo=bar  '), 'url');
+  assert.equal(classify('\x1b[36mhttps://example.com/auth\x1b[0m'), 'url');
+});
+
+test('classify: suppresses OpenClaw branding', () => {
+  assert.equal(classify('Starting OpenClaw gateway...'), 'suppress');
+  assert.equal(classify('openclaw v1.2.3'), 'suppress');
+  assert.equal(classify('  OpenClaw ready  '), 'suppress');
+});
+
+test('classify: suppresses pure TUI chrome — spinner chars', () => {
+  assert.equal(classify('⠋'), 'suppress');
+  assert.equal(classify('⠙'), 'suppress');
+  assert.equal(classify('⠹ '), 'suppress');  // spinner + whitespace
+});
+
+test('classify: suppresses pure TUI chrome — box-drawing and clack decorations', () => {
+  assert.equal(classify('│'), 'suppress');        // box drawing
+  assert.equal(classify('◇'), 'suppress');        // clack diamond
+  assert.equal(classify('●'), 'suppress');        // clack bullet
+  assert.equal(classify('─────'), 'suppress');    // horizontal rule
+  assert.equal(classify('  '), 'suppress');       // whitespace only
+  assert.equal(classify(''), 'suppress');         // empty
+});
+
+test('classify: suppresses lines with ANSI that reduce to chrome', () => {
+  // \x1b[?25l is "hide cursor" — stripping it leaves empty string
+  assert.equal(classify('\x1b[?25l'), 'suppress');
+  assert.equal(classify('\x1b[?25l◇\x1b[?25h'), 'suppress');
+});
+
+test('classify: shows actual text prompts (the lines we want to preserve)', () => {
+  assert.equal(classify('│  You are running in a remote environment'), 'show');
+  assert.equal(classify('Auth complete. Model connected.'), 'show');
+  assert.equal(classify('If the browser did not open, paste the callback URL:'), 'show');
+  assert.equal(classify('✓ Authentication successful'), 'show');
+});
+
+// ─── Full pipeline: typewriter animation ─────────────────────────────────────
+
+test('full pipeline: typewriter animation collapses to single clean line', () => {
+  // Simulate the exact failure pattern from the bug report.
+  // OpenClaw writes text character-by-character with \r between frames,
+  // terminated by \n when the message is complete.
+  const buffer = '│  Y\r│  Yo\r│  You\r│  You \r│  You are running in a remote environment\n';
+
+  // handleData splits on \n only
+  const lines = buffer.split(/\r?\n/);
+  lines.pop(); // drop trailing empty after final \n
+
+  const results = lines.map((raw) => {
+    const frame = processLine(raw);
+    return { frame, decision: classify(frame) };
+  });
+
+  // Should produce exactly one output, fully formed
+  assert.equal(results.length, 1);
+  assert.equal(results[0].frame, '│  You are running in a remote environment');
+  assert.equal(results[0].decision, 'show');
+});
+
+test('full pipeline: spinner-only animation is suppressed after collapse', () => {
+  // Spinner that ends without a meaningful final state (pure decoration)
+  const buffer = '⠋\r⠙\r⠹\r⠸\r⠼\r\n';
+
+  const lines = buffer.split(/\r?\n/);
+  lines.pop();
+
+  const results = lines.map((raw) => {
+    const frame = processLine(raw);
+    return classify(frame);
+  });
+
+  assert.deepEqual(results, ['suppress']);
+});
+
+test('full pipeline: URL line is extracted and not double-printed', () => {
+  const buffer = 'Open: https://auth.openai.com/oauth/authorize?response_type=code&client_id=app\n';
+
+  const lines = buffer.split(/\r?\n/);
+  lines.pop();
+
+  const [raw] = lines;
+  const frame = processLine(raw);
+  assert.equal(classify(frame), 'url');
+});