outcome-cli 1.0.0

package/src/modules/omnibridge/__tests__/semantic-normalizer.test.ts

@@ -0,0 +1,254 @@
+/**
+ * Unit Tests for Semantic Normalizer
+ *
+ * Tests for HTML parsing, noise stripping, Intent_ID assignment, and form extraction.
+ * Requirements: 1.1-1.6
+ */
+
+import { describe, test, expect } from 'vitest';
+import { SemanticNormalizer } from '../core/semantic-normalizer.js';
+
+const normalizer = new SemanticNormalizer();
+
+describe('SemanticNormalizer', () => {
+  describe('stripNoise', () => {
+    test('removes script tags', () => {
+      const html = '<html><body><script>alert("test")</script><p>Content</p></body></html>';
+      const result = normalizer.stripNoise(html);
+      expect(result).not.toContain('<script>');
+      expect(result).toContain('<p>Content</p>');
+    });
+
+    test('removes style tags', () => {
+      const html = '<html><head><style>.test { color: red; }</style></head><body><p>Content</p></body></html>';
+      const result = normalizer.stripNoise(html);
+      expect(result).not.toContain('<style>');
+      expect(result).toContain('<p>Content</p>');
+    });
+
+    test('removes inline styles', () => {
+      const html = '<html><body><div style="color: red; margin: 10px;">Content</div></body></html>';
+      const result = normalizer.stripNoise(html);
+      expect(result).not.toContain('style=');
+    });
+
+    test('removes tracking attributes', () => {
+      const html = '<html><body><div data-tracking="click" data-analytics="view">Content</div></body></html>';
+      const result = normalizer.stripNoise(html);
+      expect(result).not.toContain('data-tracking');
+      expect(result).not.toContain('data-analytics');
+    });
+
+    test('removes meta tags', () => {
+      const html = '<html><head><meta name="description" content="test"><meta name="keywords" content="test"></head><body><p>Content</p></body></html>';
+      const result = normalizer.stripNoise(html);
+      expect(result).not.toContain('<meta');
+    });
+
+    test('removes stylesheet links', () => {
+      const html = '<html><head><link rel="stylesheet" href="styles.css"></head><body><p>Content</p></body></html>';
+      const result = normalizer.stripNoise(html);
+      expect(result).not.toContain('stylesheet');
+    });
+  });
+
+  describe('assignIntentId', () => {
+    test('assigns ACTION category for button elements', () => {
+      const result = normalizer.assignIntentId('button', undefined, {}, 'Submit', []);
+      expect(result.category).toBe('ACTION');
+    });
+
+    test('assigns NAV category for anchor elements', () => {
+      const result = normalizer.assignIntentId('a', undefined, { href: '/home' }, 'Home', []);
+      expect(result.category).toBe('NAV');
+    });
+
+    test('assigns INPUT category for input elements', () => {
+      const result = normalizer.assignIntentId('input', undefined, { type: 'text' }, '', []);
+      expect(result.category).toBe('INPUT');
+    });
+
+    test('prioritizes ARIA role over tag name', () => {
+      // div with role="button" should be ACTION, not DISPLAY
+      const result = normalizer.assignIntentId('div', 'button', {}, 'Click me', []);
+      expect(result.category).toBe('ACTION');
+      expect(result.confidence).toBe(0.95);
+    });
+
+    test('infers LOGIN purpose from text content', () => {
+      const result = normalizer.assignIntentId('button', undefined, {}, 'Login', []);
+      expect(result.purpose).toBe('LOGIN');
+    });
+
+    test('infers SEARCH purpose from placeholder', () => {
+      const result = normalizer.assignIntentId('input', undefined, { placeholder: 'Search...' }, '', []);
+      expect(result.purpose).toBe('SEARCH');
+    });
+
+    test('infers EMAIL_INPUT purpose from type', () => {
+      const result = normalizer.assignIntentId('input', undefined, { type: 'email' }, '', []);
+      expect(result.purpose).toBe('EMAIL_INPUT');
+    });
+
+    test('infers PASSWORD_INPUT purpose from type', () => {
+      const result = normalizer.assignIntentId('input', undefined, { type: 'password' }, '', []);
+      expect(result.purpose).toBe('PASSWORD_INPUT');
+    });
+
+    test('increases confidence with more signals', () => {
+      const lowConfidence = normalizer.assignIntentId('div', undefined, {}, '', []);
+      const highConfidence = normalizer.assignIntentId('div', undefined, { id: 'main' }, 'Content', ['context']);
+      expect(highConfidence.confidence).toBeGreaterThan(lowConfidence.confidence);
+    });
+  });
+
+
+  describe('normalize', () => {
+    test('extracts semantic elements from HTML', () => {
+      const html = `
+        <html>
+        <body>
+          <button id="submit-btn">Submit</button>
+          <a href="/home">Home</a>
+          <input type="text" name="username" placeholder="Username">
+        </body>
+        </html>
+      `;
+      const result = normalizer.normalize(html, 'https://test.com');
+
+      expect(result.elements.length).toBeGreaterThan(0);
+      expect(result.sourceUrl).toBe('https://test.com');
+      expect(result.createdAt).toBeDefined();
+    });
+
+    test('extracts forms with fields', () => {
+      const html = `
+        <html>
+        <body>
+          <form action="/login" method="POST">
+            <label for="email">Email</label>
+            <input type="email" id="email" name="email" required>
+            <label for="password">Password</label>
+            <input type="password" id="password" name="password" required minlength="8">
+            <button type="submit">Login</button>
+          </form>
+        </body>
+        </html>
+      `;
+      const result = normalizer.normalize(html, 'https://test.com');
+
+      expect(result.forms.length).toBe(1);
+      const form = result.forms[0];
+      expect(form.action).toBe('/login');
+      expect(form.method).toBe('POST');
+      expect(form.fields.length).toBe(2);
+
+      const emailField = form.fields.find((f) => f.name === 'email');
+      expect(emailField).toBeDefined();
+      expect(emailField?.required).toBe(true);
+      expect(emailField?.type).toBe('email');
+
+      const passwordField = form.fields.find((f) => f.name === 'password');
+      expect(passwordField).toBeDefined();
+      expect(passwordField?.required).toBe(true);
+      expect(passwordField?.validationRules).toContain('minlength:8');
+    });
+
+    test('extracts navigation links', () => {
+      const html = `
+        <html>
+        <body>
+          <nav>
+            <a href="/home">Home</a>
+            <a href="/about">About</a>
+            <a href="/contact">Contact</a>
+          </nav>
+        </body>
+        </html>
+      `;
+      const result = normalizer.normalize(html, 'https://test.com');
+
+      expect(result.navigation.primaryLinks.length).toBe(3);
+      expect(result.navigation.primaryLinks.map((l) => l.label)).toContain('Home');
+      expect(result.navigation.primaryLinks.map((l) => l.label)).toContain('About');
+      expect(result.navigation.primaryLinks.map((l) => l.label)).toContain('Contact');
+    });
+
+    test('calculates build time', () => {
+      const html = '<html><body><p>Test</p></body></html>';
+      const result = normalizer.normalize(html, 'https://test.com');
+
+      expect(result.buildTimeMs).toBeGreaterThanOrEqual(0);
+    });
+
+    test('calculates token reduction', () => {
+      const html = `
+        <html>
+        <head>
+          <style>.test { color: red; background: blue; margin: 10px; padding: 20px; }</style>
+          <script>console.log("tracking"); analytics.track("pageview");</script>
+          <meta name="description" content="A very long description that takes up tokens">
+        </head>
+        <body>
+          <div style="color: red; margin: 10px; padding: 20px; background: white;">
+            <p>Simple content</p>
+          </div>
+        </body>
+        </html>
+      `;
+      const result = normalizer.normalize(html, 'https://test.com');
+
+      // Token reduction should be calculated
+      expect(typeof result.tokenReduction).toBe('number');
+    });
+
+    test('handles elements with ARIA roles', () => {
+      const html = `
+        <html>
+        <body>
+          <div role="button" id="custom-btn">Click me</div>
+          <div role="navigation">
+            <span role="link">Nav item</span>
+          </div>
+        </body>
+        </html>
+      `;
+      const result = normalizer.normalize(html, 'https://test.com');
+
+      const buttonElement = result.elements.find((e) => e.ariaRole === 'button');
+      expect(buttonElement).toBeDefined();
+      expect(buttonElement?.intentId).toContain('ACTION');
+
+      const navElement = result.elements.find((e) => e.ariaRole === 'navigation');
+      expect(navElement).toBeDefined();
+      expect(navElement?.intentId).toContain('NAV');
+    });
+
+    test('skips hidden elements', () => {
+      const html = `
+        <html>
+        <body>
+          <button hidden>Hidden button</button>
+          <button aria-hidden="true">Also hidden</button>
+          <button>Visible button</button>
+        </body>
+        </html>
+      `;
+      const result = normalizer.normalize(html, 'https://test.com');
+
+      const buttons = result.elements.filter((e) => e.tagName === 'button');
+      expect(buttons.length).toBe(1);
+      expect(buttons[0].label).toBe('Visible button');
+    });
+  });
+
+  describe('countTokens', () => {
+    test('approximates token count', () => {
+      const text = 'Hello world this is a test';
+      const tokens = normalizer.countTokens(text);
+      // ~4 chars per token, 26 chars = ~7 tokens
+      expect(tokens).toBeGreaterThan(0);
+      expect(tokens).toBeLessThan(text.length);
+    });
+  });
+});

package/src/modules/omnibridge/__tests__/session-vault.property.test.ts

@@ -0,0 +1,367 @@
+/**
+ * Property-Based Tests for Session Vault
+ *
+ * These tests validate the correctness properties defined in the design document.
+ * Each property test runs minimum 100 iterations with randomly generated inputs.
+ */
+
+import { describe, test, expect, beforeEach } from 'vitest';
+import * as fc from 'fast-check';
+import {
+  SessionVault,
+  createSessionVault,
+  generateEncryptionKey,
+  type RawSessionData,
+} from '../auth/session-vault.js';
+import type { ActionScope, CapabilityToken } from '../core/types.js';
+
+// =============================================================================
+// Test Setup
+// =============================================================================
+
+// Note: Each property test creates its own vault instance to ensure isolation
+// The beforeEach vault is only used for tests that explicitly need shared state
+
+let vault: SessionVault;
+
+beforeEach(() => {
+  vault = createSessionVault({
+    encryptionKey: generateEncryptionKey(),
+    defaultTokenExpirationMs: 3600000, // 1 hour
+    defaultMaxExecutions: 100,
+  });
+});
+
+// =============================================================================
+// Arbitraries (Test Data Generators)
+// =============================================================================
+
+/**
+ * Generate a valid domain name.
+ */
+const domainArb = fc.stringMatching(/^[a-z][a-z0-9-]{2,20}\.(com|org|net|io)$/);
+
+/**
+ * Generate raw session data (simulating cookies, localStorage, sessionStorage).
+ */
+const rawSessionDataArb: fc.Arbitrary<RawSessionData> = fc.record({
+  cookies: fc.string({ minLength: 10, maxLength: 500 }),
+  localStorage: fc.string({ minLength: 10, maxLength: 500 }),
+  sessionStorage: fc.string({ minLength: 10, maxLength: 500 }),
+});
+
+/**
+ * Generate action names.
+ */
+const actionNameArb = fc.stringMatching(/^[a-z][a-z_]{2,20}$/);
+
+/**
+ * Fixed base timestamp for deterministic test behavior.
+ */
+const BASE_TIME = 1700000000000;
+
+/**
+ * Generate an action scope.
+ * Uses fixed timestamps relative to BASE_TIME for deterministic tests.
+ */
+const actionScopeArb: fc.Arbitrary<Partial<ActionScope>> = fc.record({
+  allowedActions: fc.array(actionNameArb, { minLength: 1, maxLength: 10 }),
+  blockedActions: fc.array(actionNameArb, { minLength: 0, maxLength: 5 }),
+  maxExecutions: fc.integer({ min: 1, max: 1000 }),
+  expiresAt: fc.integer({ min: BASE_TIME + 60000, max: BASE_TIME + 86400000 }),
+});
+
+/**
+ * Generate credential-like strings that should NEVER appear in tokens.
+ */
+const credentialPatternArb = fc.oneof(
+  fc.constant('password: "secret123"'),
+  fc.constant('api_key: "sk_live_abc123xyz"'),
+  fc.constant('secret: "my-secret-value"'),
+  fc.constant('Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9'),
+  fc.constant('Basic dXNlcm5hbWU6cGFzc3dvcmQ='),
+  fc.constant('cookie: "session_id=abc123"'),
+  fc.constant('session: "authenticated_session_token"')
+);
+
+// =============================================================================
+// Property Tests
+// =============================================================================
+
+describe('Session Vault Property Tests', () => {
+  /**
+   * **Feature: omnibridge, Property 12: Zero-Knowledge Credentials**
+   *
+   * *For any* Capability_Token issued to an agent, the token SHALL NOT contain
+   * raw credentials (passwords, API keys, session secrets)—only capability references.
+   *
+   * **Validates: Requirements 6.1**
+   */
+  test.each([{ numRuns: 100 }])(
+    'Property 12: Zero-Knowledge Credentials - tokens never contain raw credentials',
+    async () => {
+      await fc.assert(
+        fc.asyncProperty(
+          domainArb,
+          rawSessionDataArb,
+          actionScopeArb,
+          async (domain, sessionData, scope) => {
+            // Store session with potentially sensitive data
+            await vault.store(domain, sessionData);
+
+            // Issue a capability token
+            const token = await vault.issueToken(domain, scope);
+
+            // PROPERTY: Token must NOT contain any raw credentials
+            const containsCredentials = vault.tokenContainsCredentials(token);
+            expect(containsCredentials).toBe(false);
+
+            // Additional checks: token should only contain capability info
+            expect(token.id).toMatch(/^cap_[a-f0-9]{32}$/);
+            expect(token.domain).toBe(domain);
+            expect(token.scope).toBeDefined();
+            expect(token.issuedAt).toBeGreaterThan(0);
+            expect(token.executionCount).toBe(0);
+
+            // Token should NOT contain the raw session data
+            const tokenStr = JSON.stringify(token);
+            expect(tokenStr).not.toContain(sessionData.cookies);
+            expect(tokenStr).not.toContain(sessionData.localStorage);
+            expect(tokenStr).not.toContain(sessionData.sessionStorage);
+
+            // Clean up for next iteration
+            vault.clear();
+
+            return true;
+          }
+        ),
+        { numRuns: 100 }
+      );
+    }
+  );
+
+  /**
+   * **Feature: omnibridge, Property 13: Capability Token Scoping**
+   *
+   * *For any* Capability_Token, attempting an action in `blockedActions` SHALL fail
+   * with a scope_violation error, while actions in `allowedActions` SHALL succeed.
+   *
+   * **Validates: Requirements 6.2, 6.3**
+   */
+  test.each([{ numRuns: 100 }])(
+    'Property 13: Capability Token Scoping - blocked actions fail, allowed actions succeed',
+    async () => {
+      await fc.assert(
+        fc.asyncProperty(
+          domainArb,
+          rawSessionDataArb,
+          fc.array(actionNameArb, { minLength: 2, maxLength: 10 }),
+          fc.array(actionNameArb, { minLength: 1, maxLength: 5 }),
+          async (domain, sessionData, allowedActions, blockedActions) => {
+            // Ensure no overlap between allowed and blocked
+            const uniqueAllowed = allowedActions.filter((a) => !blockedActions.includes(a));
+            if (uniqueAllowed.length === 0) {
+              return true; // Skip if no unique allowed actions
+            }
+
+            await vault.store(domain, sessionData);
+
+            const token = await vault.issueToken(domain, {
+              allowedActions: uniqueAllowed,
+              blockedActions,
+              maxExecutions: 1000,
+              expiresAt: Date.now() + 3600000,
+            });
+
+            // PROPERTY: Allowed actions should succeed
+            for (const action of uniqueAllowed) {
+              const result = vault.checkScope(token.id, action);
+              expect(result.allowed).toBe(true);
+              expect(result.error).toBeUndefined();
+            }
+
+            // PROPERTY: Blocked actions should fail with scope_violation
+            for (const action of blockedActions) {
+              const result = vault.checkScope(token.id, action);
+              expect(result.allowed).toBe(false);
+              expect(result.error).toBeDefined();
+              expect(result.error?.type).toBe('scope_violation');
+            }
+
+            vault.clear();
+            return true;
+          }
+        ),
+        { numRuns: 100 }
+      );
+    }
+  );
+
+  /**
+   * **Feature: omnibridge, Property 14: Scope Violation Termination**
+   *
+   * *For any* scope violation attempt, the Session_Vault SHALL immediately revoke
+   * the Capability_Token AND terminate the associated Shadow_Session.
+   *
+   * **Validates: Requirements 6.7**
+   */
+  test.each([{ numRuns: 100 }])(
+    'Property 14: Scope Violation Termination - violations revoke token immediately',
+    async () => {
+      await fc.assert(
+        fc.asyncProperty(
+          domainArb,
+          rawSessionDataArb,
+          fc.array(actionNameArb, { minLength: 1, maxLength: 5 }),
+          actionNameArb,
+          async (domain, sessionData, allowedActions, blockedAction) => {
+            // Ensure blocked action is not in allowed list
+            if (allowedActions.includes(blockedAction)) {
+              return true; // Skip this case
+            }
+
+            await vault.store(domain, sessionData);
+
+            const token = await vault.issueToken(domain, {
+              allowedActions,
+              blockedActions: [blockedAction],
+              maxExecutions: 100,
+              expiresAt: Date.now() + 3600000,
+            });
+
+            // Token should be valid initially
+            expect(vault.getToken(token.id)).not.toBeNull();
+            expect(vault.isTokenRevoked(token.id)).toBe(false);
+
+            // Attempt a scope violation
+            const violationResult = await vault.handleScopeViolation(token.id, blockedAction);
+
+            // PROPERTY: Token must be revoked immediately
+            expect(violationResult.terminated).toBe(true);
+            expect(violationResult.error.type).toBe('scope_violation');
+            // Type guard for scope_violation error
+            if (violationResult.error.type === 'scope_violation') {
+              expect(violationResult.error.attemptedAction).toBe(blockedAction);
+            }
+
+            // PROPERTY: Token should no longer be retrievable
+            expect(vault.getToken(token.id)).toBeNull();
+            expect(vault.isTokenRevoked(token.id)).toBe(true);
+
+            // PROPERTY: Further operations with this token should fail
+            const checkResult = vault.checkScope(token.id, allowedActions[0]);
+            expect(checkResult.allowed).toBe(false);
+
+            vault.clear();
+            return true;
+          }
+        ),
+        { numRuns: 100 }
+      );
+    }
+  );
+});
+
+// =============================================================================
+// Additional Unit Tests for Edge Cases
+// =============================================================================
+
+describe('Session Vault Unit Tests', () => {
+  test('encryption round-trip preserves data', async () => {
+    const testData = 'sensitive_cookie_data=abc123; session_id=xyz789';
+
+    const encrypted = vault.encrypt(testData);
+    const decrypted = vault.decrypt(encrypted);
+
+    expect(decrypted).toBe(testData);
+    expect(encrypted.algorithm).toBe('AES-256-GCM');
+    expect(encrypted.iv).toBeDefined();
+    expect(encrypted.data).not.toBe(testData);
+  });
+
+  test('session storage and retrieval works correctly', async () => {
+    const domain = 'example.com';
+    const sessionData: RawSessionData = {
+      cookies: 'session_id=abc123',
+      localStorage: '{"user": "test"}',
+      sessionStorage: '{"temp": "data"}',
+    };
+
+    await vault.store(domain, sessionData);
+
+    const retrieved = await vault.retrieve(domain);
+    expect(retrieved).not.toBeNull();
+    expect(retrieved?.expiresAt).toBeGreaterThan(Date.now());
+
+    const decrypted = await vault.retrieveDecrypted(domain);
+    expect(decrypted).toEqual(sessionData);
+  });
+
+  test('expired sessions are not retrieved', async () => {
+    const domain = 'expired.com';
+    const sessionData: RawSessionData = {
+      cookies: 'test',
+      localStorage: 'test',
+      sessionStorage: 'test',
+    };
+
+    // Store with past expiration
+    await vault.store(domain, sessionData, Date.now() - 1000);
+
+    const retrieved = await vault.retrieve(domain);
+    expect(retrieved).toBeNull();
+  });
+
+  test('token revocation on bounty completion', async () => {
+    const domain = 'bounty.com';
+    const sessionData: RawSessionData = {
+      cookies: 'test',
+      localStorage: 'test',
+      sessionStorage: 'test',
+    };
+
+    await vault.store(domain, sessionData);
+
+    // Issue multiple tokens
+    const token1 = await vault.issueToken(domain, { allowedActions: ['read'] });
+    const token2 = await vault.issueToken(domain, { allowedActions: ['write'] });
+
+    // Both tokens should be valid
+    expect(vault.getToken(token1.id)).not.toBeNull();
+    expect(vault.getToken(token2.id)).not.toBeNull();
+
+    // Revoke all tokens for domain (bounty completion)
+    const revokedCount = vault.revokeAllTokensForDomain(domain);
+
+    expect(revokedCount).toBe(2);
+    expect(vault.getToken(token1.id)).toBeNull();
+    expect(vault.getToken(token2.id)).toBeNull();
+  });
+
+  test('access logs are recorded correctly', async () => {
+    const domain = 'logged.com';
+    const sessionData: RawSessionData = {
+      cookies: 'test',
+      localStorage: 'test',
+      sessionStorage: 'test',
+    };
+
+    await vault.store(domain, sessionData);
+    const token = await vault.issueToken(domain, { allowedActions: ['read'] });
+    await vault.useToken(token.id, 'read');
+    vault.revokeToken(token.id);
+
+    const logs = vault.getAccessLogs(domain);
+
+    // Should have: store, issue, use, revoke
+    expect(logs.length).toBeGreaterThanOrEqual(4);
+    expect(logs.some((l) => l.action === 'issued')).toBe(true);
+    expect(logs.some((l) => l.action === 'used')).toBe(true);
+    expect(logs.some((l) => l.action === 'revoked')).toBe(true);
+
+    // Logs should not contain actual credentials
+    for (const log of logs) {
+      expect(log.details).not.toContain(sessionData.cookies);
+    }
+  });
+});