reviewflow 3.32.0 → 3.34.0

package/dist/tests/units/security/gitlabTokenRotation.test.js

@@ -0,0 +1,39 @@
+import { describe, it, expect, beforeEach, afterEach } from 'vitest';
+import { createFastifyRequestStub } from '../../../tests/stubs/fastifyRequest.stub.js';
+import { verifyGitLabSignature } from '../../../security/verifier.js';
+import { __resetGitlabTokenCacheForTests } from '../../../security/gitlabWebhookTokenSource.js';
+const ENV_KEY = 'GITLAB_WEBHOOK_TOKEN';
+describe('verifyGitLabSignature token rotation (AC9)', () => {
+    let original;
+    beforeEach(() => {
+        original = process.env[ENV_KEY];
+        __resetGitlabTokenCacheForTests();
+    });
+    afterEach(() => {
+        if (original === undefined) {
+            Reflect.deleteProperty(process.env, ENV_KEY);
+        }
+        else {
+            process.env[ENV_KEY] = original;
+        }
+        __resetGitlabTokenCacheForTests();
+    });
+    it('reads the current configured token, not a value captured at bootstrap', () => {
+        process.env[ENV_KEY] = 'first-token-value';
+        const firstRequest = createFastifyRequestStub({ headers: { 'x-gitlab-token': 'first-token-value' } });
+        expect(verifyGitLabSignature(firstRequest).valid).toBe(true);
+        process.env[ENV_KEY] = 'rotated-token-value';
+        const staleRequest = createFastifyRequestStub({ headers: { 'x-gitlab-token': 'first-token-value' } });
+        expect(verifyGitLabSignature(staleRequest).valid).toBe(false);
+        const rotatedRequest = createFastifyRequestStub({ headers: { 'x-gitlab-token': 'rotated-token-value' } });
+        expect(verifyGitLabSignature(rotatedRequest).valid).toBe(true);
+    });
+    it('rejects a token of different length without a length-based short circuit', () => {
+        process.env[ENV_KEY] = 'a-token-of-some-length';
+        const shortRequest = createFastifyRequestStub({ headers: { 'x-gitlab-token': 'short' } });
+        const result = verifyGitLabSignature(shortRequest);
+        expect(result.valid).toBe(false);
+        expect(result.error).toContain('invalide');
+    });
+});
+//# sourceMappingURL=gitlabTokenRotation.test.js.map

package/dist/tests/units/security/gitlabTokenRotation.test.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"gitlabTokenRotation.test.js","sourceRoot":"","sources":["../../../../src/tests/units/security/gitlabTokenRotation.test.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,EAAE,EAAE,MAAM,EAAE,UAAU,EAAE,SAAS,EAAE,MAAM,QAAQ,CAAC;AACrE,OAAO,EAAE,wBAAwB,EAAE,MAAM,sCAAsC,CAAC;AAChF,OAAO,EAAE,qBAAqB,EAAE,MAAM,wBAAwB,CAAC;AAC/D,OAAO,EAAE,+BAA+B,EAAE,MAAM,wCAAwC,CAAC;AAEzF,MAAM,OAAO,GAAG,sBAAsB,CAAC;AAEvC,QAAQ,CAAC,4CAA4C,EAAE,GAAG,EAAE;IAC1D,IAAI,QAA4B,CAAC;IAEjC,UAAU,CAAC,GAAG,EAAE;QACd,QAAQ,GAAG,OAAO,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC;QAChC,+BAA+B,EAAE,CAAC;IACpC,CAAC,CAAC,CAAC;IAEH,SAAS,CAAC,GAAG,EAAE;QACb,IAAI,QAAQ,KAAK,SAAS,EAAE,CAAC;YAC3B,OAAO,CAAC,cAAc,CAAC,OAAO,CAAC,GAAG,EAAE,OAAO,CAAC,CAAC;QAC/C,CAAC;aAAM,CAAC;YACN,OAAO,CAAC,GAAG,CAAC,OAAO,CAAC,GAAG,QAAQ,CAAC;QAClC,CAAC;QACD,+BAA+B,EAAE,CAAC;IACpC,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,uEAAuE,EAAE,GAAG,EAAE;QAC/E,OAAO,CAAC,GAAG,CAAC,OAAO,CAAC,GAAG,mBAAmB,CAAC;QAC3C,MAAM,YAAY,GAAG,wBAAwB,CAAC,EAAE,OAAO,EAAE,EAAE,gBAAgB,EAAE,mBAAmB,EAAE,EAAE,CAAC,CAAC;QACtG,MAAM,CAAC,qBAAqB,CAAC,YAAY,CAAC,CAAC,KAAK,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QAE7D,OAAO,CAAC,GAAG,CAAC,OAAO,CAAC,GAAG,qBAAqB,CAAC;QAE7C,MAAM,YAAY,GAAG,wBAAwB,CAAC,EAAE,OAAO,EAAE,EAAE,gBAAgB,EAAE,mBAAmB,EAAE,EAAE,CAAC,CAAC;QACtG,MAAM,CAAC,qBAAqB,CAAC,YAAY,CAAC,CAAC,KAAK,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;QAE9D,MAAM,cAAc,GAAG,wBAAwB,CAAC,EAAE,OAAO,EAAE,EAAE,gBAAgB,EAAE,qBAAqB,EAAE,EAAE,CAAC,CAAC;QAC1G,MAAM,CAAC,qBAAqB,CAAC,cAAc,CAAC,CAAC,KAAK,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IACjE,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,0EAA0E,EAAE,GAAG,EAAE;QAClF,OAAO,CAAC,GAAG,CAAC,OAAO,CAAC,GAAG,wBAAwB,CAAC;QAChD,MAAM,YAAY,GAAG,wBAAwB,CAAC,EAAE,OAAO,EAAE,EAAE,gBAAgB,EAAE,OAAO,EAAE,EAAE,CAAC,CAAC;QAE1F,MAAM,MAAM,GAAG,qBAAqB,CAAC,YAAY,CAAC,CAAC;QAEnD,MAAM,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;QACjC,MAAM,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,SAAS,CAAC,UAAU,CAAC,CAAC;IAC7C,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC"}

package/dist/tests/units/security/noSpoofableTransportGuard.test.d.ts

@@ -0,0 +1,2 @@
+export {};
+//# sourceMappingURL=noSpoofableTransportGuard.test.d.ts.map

package/dist/tests/units/security/noSpoofableTransportGuard.test.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"noSpoofableTransportGuard.test.d.ts","sourceRoot":"","sources":["../../../../src/tests/units/security/noSpoofableTransportGuard.test.ts"],"names":[],"mappings":""}

package/dist/tests/units/security/noSpoofableTransportGuard.test.js

@@ -0,0 +1,30 @@
+import { describe, it, expect } from 'vitest';
+import { readFileSync } from 'node:fs';
+import { fileURLToPath } from 'node:url';
+import { dirname, resolve } from 'node:path';
+const here = dirname(fileURLToPath(import.meta.url));
+const repoRoot = resolve(here, '..', '..', '..', '..');
+function readSource(relativePath) {
+    return readFileSync(resolve(repoRoot, relativePath), 'utf-8');
+}
+describe('no spoofable transport guard (AC6)', () => {
+    const middleware = readSource('src/modules/platform-integration/interface-adapters/controllers/webhook/transportGuard.middleware.ts');
+    const routes = readSource('src/main/routes.ts');
+    it('the transport guard never reads request.protocol or request.ip as a trust input', () => {
+        expect(middleware).not.toMatch(/\.protocol\b/);
+        expect(middleware).not.toMatch(/\brequest\.ip\b/);
+        expect(middleware).not.toMatch(/\breq\.ip\b/);
+    });
+    it('the transport guard derives the socket address from socket.remoteAddress only', () => {
+        expect(middleware).toContain('socket.remoteAddress');
+    });
+    it('the webhook routes never use request.protocol or request.ip as a trust guard', () => {
+        expect(routes).not.toMatch(/request\.protocol\b/);
+        expect(routes).not.toMatch(/\brequest\.ip\b/);
+        expect(routes).not.toMatch(/\breq\.ip\b/);
+    });
+    it('the webhook routes feed the guard from the raw socket address', () => {
+        expect(routes).toContain('request.socket.remoteAddress');
+    });
+});
+//# sourceMappingURL=noSpoofableTransportGuard.test.js.map

package/dist/tests/units/security/noSpoofableTransportGuard.test.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"noSpoofableTransportGuard.test.js","sourceRoot":"","sources":["../../../../src/tests/units/security/noSpoofableTransportGuard.test.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,EAAE,EAAE,MAAM,EAAE,MAAM,QAAQ,CAAC;AAC9C,OAAO,EAAE,YAAY,EAAE,MAAM,SAAS,CAAC;AACvC,OAAO,EAAE,aAAa,EAAE,MAAM,UAAU,CAAC;AACzC,OAAO,EAAE,OAAO,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AAE7C,MAAM,IAAI,GAAG,OAAO,CAAC,aAAa,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC;AACrD,MAAM,QAAQ,GAAG,OAAO,CAAC,IAAI,EAAE,IAAI,EAAE,IAAI,EAAE,IAAI,EAAE,IAAI,CAAC,CAAC;AAEvD,SAAS,UAAU,CAAC,YAAoB;IACtC,OAAO,YAAY,CAAC,OAAO,CAAC,QAAQ,EAAE,YAAY,CAAC,EAAE,OAAO,CAAC,CAAC;AAChE,CAAC;AAED,QAAQ,CAAC,oCAAoC,EAAE,GAAG,EAAE;IAClD,MAAM,UAAU,GAAG,UAAU,CAC3B,sGAAsG,CACvG,CAAC;IACF,MAAM,MAAM,GAAG,UAAU,CAAC,oBAAoB,CAAC,CAAC;IAEhD,EAAE,CAAC,iFAAiF,EAAE,GAAG,EAAE;QACzF,MAAM,CAAC,UAAU,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,cAAc,CAAC,CAAC;QAC/C,MAAM,CAAC,UAAU,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,iBAAiB,CAAC,CAAC;QAClD,MAAM,CAAC,UAAU,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,aAAa,CAAC,CAAC;IAChD,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,+EAA+E,EAAE,GAAG,EAAE;QACvF,MAAM,CAAC,UAAU,CAAC,CAAC,SAAS,CAAC,sBAAsB,CAAC,CAAC;IACvD,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,8EAA8E,EAAE,GAAG,EAAE;QACtF,MAAM,CAAC,MAAM,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,qBAAqB,CAAC,CAAC;QAClD,MAAM,CAAC,MAAM,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,iBAAiB,CAAC,CAAC;QAC9C,MAAM,CAAC,MAAM,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,aAAa,CAAC,CAAC;IAC5C,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,+DAA+D,EAAE,GAAG,EAAE;QACvE,MAAM,CAAC,MAAM,CAAC,CAAC,SAAS,CAAC,8BAA8B,CAAC,CAAC;IAC3D,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC"}

package/dist/tests/units/security/transportGuardConfig.test.d.ts

@@ -0,0 +1,2 @@
+export {};
+//# sourceMappingURL=transportGuardConfig.test.d.ts.map

package/dist/tests/units/security/transportGuardConfig.test.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"transportGuardConfig.test.d.ts","sourceRoot":"","sources":["../../../../src/tests/units/security/transportGuardConfig.test.ts"],"names":[],"mappings":""}

package/dist/tests/units/security/transportGuardConfig.test.js

@@ -0,0 +1,38 @@
+import { describe, it, expect, afterEach } from 'vitest';
+import { DEFAULT_LOOPBACK_HOP, resolveTrustedHopAddress, resolveAllowedCidrRanges, transportTrustProxyValue, } from '../../../security/transportGuardConfig.js';
+const HOP_KEY = 'WEBHOOK_TRUSTED_HOP';
+const CIDR_KEY = 'WEBHOOK_ALLOWED_CIDR_RANGES';
+describe('transportGuardConfig (AC8)', () => {
+    const originalHop = process.env[HOP_KEY];
+    const originalCidr = process.env[CIDR_KEY];
+    afterEach(() => {
+        if (originalHop === undefined)
+            Reflect.deleteProperty(process.env, HOP_KEY);
+        else
+            process.env[HOP_KEY] = originalHop;
+        if (originalCidr === undefined)
+            Reflect.deleteProperty(process.env, CIDR_KEY);
+        else
+            process.env[CIDR_KEY] = originalCidr;
+    });
+    it('defaults the trusted hop to the loopback address', () => {
+        Reflect.deleteProperty(process.env, HOP_KEY);
+        expect(resolveTrustedHopAddress()).toBe(DEFAULT_LOOPBACK_HOP);
+    });
+    it('the trust proxy value equals the configured hop and is never the boolean true', () => {
+        process.env[HOP_KEY] = '127.0.0.1';
+        const value = transportTrustProxyValue();
+        expect(value).toBe('127.0.0.1');
+        expect(typeof value).toBe('string');
+        expect(value).not.toBe(true);
+    });
+    it('parses a comma-separated CIDR allowlist into trimmed entries', () => {
+        process.env[CIDR_KEY] = ' 10.0.0.0/8 , 172.16.0.0/12 ';
+        expect(resolveAllowedCidrRanges()).toEqual(['10.0.0.0/8', '172.16.0.0/12']);
+    });
+    it('returns an empty allowlist when none is configured', () => {
+        Reflect.deleteProperty(process.env, CIDR_KEY);
+        expect(resolveAllowedCidrRanges()).toEqual([]);
+    });
+});
+//# sourceMappingURL=transportGuardConfig.test.js.map

package/dist/tests/units/security/transportGuardConfig.test.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"transportGuardConfig.test.js","sourceRoot":"","sources":["../../../../src/tests/units/security/transportGuardConfig.test.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,EAAE,EAAE,MAAM,EAAE,SAAS,EAAE,MAAM,QAAQ,CAAC;AACzD,OAAO,EACL,oBAAoB,EACpB,wBAAwB,EACxB,wBAAwB,EACxB,wBAAwB,GACzB,MAAM,oCAAoC,CAAC;AAE5C,MAAM,OAAO,GAAG,qBAAqB,CAAC;AACtC,MAAM,QAAQ,GAAG,6BAA6B,CAAC;AAE/C,QAAQ,CAAC,4BAA4B,EAAE,GAAG,EAAE;IAC1C,MAAM,WAAW,GAAG,OAAO,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC;IACzC,MAAM,YAAY,GAAG,OAAO,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;IAE3C,SAAS,CAAC,GAAG,EAAE;QACb,IAAI,WAAW,KAAK,SAAS;YAAE,OAAO,CAAC,cAAc,CAAC,OAAO,CAAC,GAAG,EAAE,OAAO,CAAC,CAAC;;YACvE,OAAO,CAAC,GAAG,CAAC,OAAO,CAAC,GAAG,WAAW,CAAC;QACxC,IAAI,YAAY,KAAK,SAAS;YAAE,OAAO,CAAC,cAAc,CAAC,OAAO,CAAC,GAAG,EAAE,QAAQ,CAAC,CAAC;;YACzE,OAAO,CAAC,GAAG,CAAC,QAAQ,CAAC,GAAG,YAAY,CAAC;IAC5C,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,kDAAkD,EAAE,GAAG,EAAE;QAC1D,OAAO,CAAC,cAAc,CAAC,OAAO,CAAC,GAAG,EAAE,OAAO,CAAC,CAAC;QAC7C,MAAM,CAAC,wBAAwB,EAAE,CAAC,CAAC,IAAI,CAAC,oBAAoB,CAAC,CAAC;IAChE,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,+EAA+E,EAAE,GAAG,EAAE;QACvF,OAAO,CAAC,GAAG,CAAC,OAAO,CAAC,GAAG,WAAW,CAAC;QACnC,MAAM,KAAK,GAAG,wBAAwB,EAAE,CAAC;QAEzC,MAAM,CAAC,KAAK,CAAC,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC;QAChC,MAAM,CAAC,OAAO,KAAK,CAAC,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;QACpC,MAAM,CAAC,KAAK,CAAC,CAAC,GAAG,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IAC/B,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,8DAA8D,EAAE,GAAG,EAAE;QACtE,OAAO,CAAC,GAAG,CAAC,QAAQ,CAAC,GAAG,8BAA8B,CAAC;QACvD,MAAM,CAAC,wBAAwB,EAAE,CAAC,CAAC,OAAO,CAAC,CAAC,YAAY,EAAE,eAAe,CAAC,CAAC,CAAC;IAC9E,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,oDAAoD,EAAE,GAAG,EAAE;QAC5D,OAAO,CAAC,cAAc,CAAC,OAAO,CAAC,GAAG,EAAE,QAAQ,CAAC,CAAC;QAC9C,MAAM,CAAC,wBAAwB,EAAE,CAAC,CAAC,OAAO,CAAC,EAAE,CAAC,CAAC;IACjD,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC"}

package/dist/tests/units/security/verifier.test.js

@@ -1,4 +1,4 @@
-import { vi } from 'vitest';
+import { vi, beforeAll, afterAll } from 'vitest';
 import { createHmac } from 'node:crypto';
 import { createFastifyRequestStub } from '../../stubs/fastifyRequest.stub.js';
 const TEST_GITLAB_TOKEN = 'gitlab-secret-token-123';
@@ -9,8 +9,21 @@ vi.mock('../../../config/loader.js', () => ({
         githubWebhookSecret: TEST_GITHUB_SECRET,
     })),
 }));
-import { verifyGitLabSignature, verifyGitHubSignature, getGitLabEventType, getGitHubEventType, } from '../../../security/verifier.js';
+import { verifyGitLabSignature, verifyGitHubSignature, getGitLabEventType, getGitLabEventUuid, getGitHubEventType, } from '../../../security/verifier.js';
 describe('verifyGitLabSignature', () => {
+    let originalToken;
+    beforeAll(() => {
+        originalToken = process.env.GITLAB_WEBHOOK_TOKEN;
+        process.env.GITLAB_WEBHOOK_TOKEN = TEST_GITLAB_TOKEN;
+    });
+    afterAll(() => {
+        if (originalToken === undefined) {
+            Reflect.deleteProperty(process.env, 'GITLAB_WEBHOOK_TOKEN');
+        }
+        else {
+            process.env.GITLAB_WEBHOOK_TOKEN = originalToken;
+        }
+    });
     describe('when token is valid', () => {
         it('should return valid: true', () => {
             const request = createFastifyRequestStub({
@@ -179,6 +192,24 @@ describe('getGitLabEventType', () => {
         expect(result).toBeUndefined();
     });
 });
+describe('getGitLabEventUuid', () => {
+    it('should extract the event UUID from the header', () => {
+        const request = createFastifyRequestStub({
+            headers: {
+                'x-gitlab-event-uuid': '13be3e1e-1d3f-4c2a-9b1a-0f0e0d0c0b0a',
+            },
+        });
+        const result = getGitLabEventUuid(request);
+        expect(result).toBe('13be3e1e-1d3f-4c2a-9b1a-0f0e0d0c0b0a');
+    });
+    it('should return undefined when the header is missing', () => {
+        const request = createFastifyRequestStub({
+            headers: {},
+        });
+        const result = getGitLabEventUuid(request);
+        expect(result).toBeUndefined();
+    });
+});
 describe('getGitHubEventType', () => {
     it('should extract event type from header', () => {
         const request = createFastifyRequestStub({

package/dist/tests/units/security/verifier.test.js.map

@@ -1 +1 @@
-{"version":3,"file":"verifier.test.js","sourceRoot":"","sources":["../../../../src/tests/units/security/verifier.test.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,EAAE,EAAE,MAAM,QAAQ,CAAA;AAC3B,OAAO,EAAE,UAAU,EAAE,MAAM,aAAa,CAAA;AACxC,OAAO,EAAE,wBAAwB,EAAE,MAAM,oCAAoC,CAAA;AAE7E,MAAM,iBAAiB,GAAG,yBAAyB,CAAA;AACnD,MAAM,kBAAkB,GAAG,2BAA2B,CAAA;AAEtD,EAAE,CAAC,IAAI,CAAC,2BAA2B,EAAE,GAAG,EAAE,CAAC,CAAC;IAC1C,cAAc,EAAE,EAAE,CAAC,EAAE,CAAC,GAAG,EAAE,CAAC,CAAC;QAC3B,kBAAkB,EAAE,iBAAiB;QACrC,mBAAmB,EAAE,kBAAkB;KACxC,CAAC,CAAC;CACJ,CAAC,CAAC,CAAA;AAEH,OAAO,EACL,qBAAqB,EACrB,qBAAqB,EACrB,kBAAkB,EAClB,kBAAkB,GACnB,MAAM,+BAA+B,CAAA;AAEtC,QAAQ,CAAC,uBAAuB,EAAE,GAAG,EAAE;IACrC,QAAQ,CAAC,qBAAqB,EAAE,GAAG,EAAE;QACnC,EAAE,CAAC,2BAA2B,EAAE,GAAG,EAAE;YACnC,MAAM,OAAO,GAAG,wBAAwB,CAAC;gBACvC,OAAO,EAAE;oBACP,gBAAgB,EAAE,iBAAiB;iBACpC;aACF,CAAC,CAAA;YAEF,MAAM,MAAM,GAAG,qBAAqB,CAAC,OAAO,CAAC,CAAA;YAE7C,MAAM,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAA;YAC/B,MAAM,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,aAAa,EAAE,CAAA;QACtC,CAAC,CAAC,CAAA;IACJ,CAAC,CAAC,CAAA;IAEF,QAAQ,CAAC,uBAAuB,EAAE,GAAG,EAAE;QACrC,EAAE,CAAC,uCAAuC,EAAE,GAAG,EAAE;YAC/C,MAAM,OAAO,GAAG,wBAAwB,CAAC;gBACvC,OAAO,EAAE;oBACP,gBAAgB,EAAE,aAAa;iBAChC;aACF,CAAC,CAAA;YAEF,MAAM,MAAM,GAAG,qBAAqB,CAAC,OAAO,CAAC,CAAA;YAE7C,MAAM,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAA;YAChC,MAAM,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,SAAS,CAAC,UAAU,CAAC,CAAA;QAC5C,CAAC,CAAC,CAAA;IACJ,CAAC,CAAC,CAAA;IAEF,QAAQ,CAAC,8BAA8B,EAAE,GAAG,EAAE;QAC5C,EAAE,CAAC,+CAA+C,EAAE,GAAG,EAAE;YACvD,MAAM,OAAO,GAAG,wBAAwB,CAAC;gBACvC,OAAO,EAAE,EAAE;aACZ,CAAC,CAAA;YAEF,MAAM,MAAM,GAAG,qBAAqB,CAAC,OAAO,CAAC,CAAA;YAE7C,MAAM,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAA;YAChC,MAAM,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,SAAS,CAAC,UAAU,CAAC,CAAA;QAC5C,CAAC,CAAC,CAAA;IACJ,CAAC,CAAC,CAAA;IAEF,QAAQ,CAAC,4BAA4B,EAAE,GAAG,EAAE;QAC1C,EAAE,CAAC,4BAA4B,EAAE,GAAG,EAAE;YACpC,MAAM,OAAO,GAAG,wBAAwB,CAAC;gBACvC,OAAO,EAAE;oBACP,gBAAgB,EAAE,EAAE;iBACrB;aACF,CAAC,CAAA;YAEF,MAAM,MAAM,GAAG,qBAAqB,CAAC,OAAO,CAAC,CAAA;YAE7C,MAAM,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAA;QAClC,CAAC,CAAC,CAAA;IACJ,CAAC,CAAC,CAAA;IAEF,QAAQ,CAAC,iCAAiC,EAAE,GAAG,EAAE;QAC/C,EAAE,CAAC,gDAAgD,EAAE,GAAG,EAAE;YACxD,MAAM,OAAO,GAAG,wBAAwB,CAAC;gBACvC,OAAO,EAAE;oBACP,gBAAgB,EAAE,OAAO;iBAC1B;aACF,CAAC,CAAA;YAEF,MAAM,MAAM,GAAG,qBAAqB,CAAC,OAAO,CAAC,CAAA;YAE7C,MAAM,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAA;YAChC,MAAM,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,SAAS,CAAC,UAAU,CAAC,CAAA;QAC5C,CAAC,CAAC,CAAA;IACJ,CAAC,CAAC,CAAA;AACJ,CAAC,CAAC,CAAA;AAEF,QAAQ,CAAC,uBAAuB,EAAE,GAAG,EAAE;IACrC,SAAS,WAAW,CAAC,IAAY,EAAE,MAAc;QAC/C,MAAM,IAAI,GAAG,UAAU,CAAC,QAAQ,EAAE,MAAM,CAAC,CAAA;QACzC,IAAI,CAAC,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,CAAA;QAC9B,OAAO,UAAU,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,EAAE,CAAA;IACvC,CAAC;IAED,QAAQ,CAAC,yBAAyB,EAAE,GAAG,EAAE;QACvC,EAAE,CAAC,2BAA2B,EAAE,GAAG,EAAE;YACnC,MAAM,IAAI,GAAG,gBAAgB,CAAA;YAC7B,MAAM,SAAS,GAAG,WAAW,CAAC,IAAI,EAAE,kBAAkB,CAAC,CAAA;YAEvD,MAAM,OAAO,GAAG,wBAAwB,CAAC;gBACvC,OAAO,EAAE;oBACP,qBAAqB,EAAE,SAAS;iBACjC;gBACD,OAAO,EAAE,IAAI;aACd,CAAC,CAAA;YAEF,MAAM,MAAM,GAAG,qBAAqB,CAAC,OAAO,CAAC,CAAA;YAE7C,MAAM,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAA;YAC/B,MAAM,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,aAAa,EAAE,CAAA;QACtC,CAAC,CAAC,CAAA;IACJ,CAAC,CAAC,CAAA;IAEF,QAAQ,CAAC,2BAA2B,EAAE,GAAG,EAAE;QACzC,EAAE,CAAC,uCAAuC,EAAE,GAAG,EAAE;YAC/C,MAAM,IAAI,GAAG,gBAAgB,CAAA;YAC7B,MAAM,cAAc,GAAG,WAAW,CAAC,IAAI,EAAE,cAAc,CAAC,CAAA;YAExD,MAAM,OAAO,GAAG,wBAAwB,CAAC;gBACvC,OAAO,EAAE;oBACP,qBAAqB,EAAE,cAAc;iBACtC;gBACD,OAAO,EAAE,IAAI;aACd,CAAC,CAAA;YAEF,MAAM,MAAM,GAAG,qBAAqB,CAAC,OAAO,CAAC,CAAA;YAE7C,MAAM,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAA;YAChC,MAAM,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,SAAS,CAAC,UAAU,CAAC,CAAA;QAC5C,CAAC,CAAC,CAAA;IACJ,CAAC,CAAC,CAAA;IAEF,QAAQ,CAAC,kCAAkC,EAAE,GAAG,EAAE;QAChD,EAAE,CAAC,+CAA+C,EAAE,GAAG,EAAE;YACvD,MAAM,OAAO,GAAG,wBAAwB,CAAC;gBACvC,OAAO,EAAE,EAAE;gBACX,OAAO,EAAE,gBAAgB;aAC1B,CAAC,CAAA;YAEF,MAAM,MAAM,GAAG,qBAAqB,CAAC,OAAO,CAAC,CAAA;YAE7C,MAAM,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAA;YAChC,MAAM,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,SAAS,CAAC,UAAU,CAAC,CAAA;QAC5C,CAAC,CAAC,CAAA;IACJ,CAAC,CAAC,CAAA;IAEF,QAAQ,CAAC,yBAAyB,EAAE,GAAG,EAAE;QACvC,EAAE,CAAC,4CAA4C,EAAE,GAAG,EAAE;YACpD,MAAM,SAAS,GAAG,WAAW,CAAC,IAAI,EAAE,kBAAkB,CAAC,CAAA;YAEvD,MAAM,OAAO,GAAG,wBAAwB,CAAC;gBACvC,OAAO,EAAE;oBACP,qBAAqB,EAAE,SAAS;iBACjC;aACF,CAAC,CAAA;YAEF,MAAM,MAAM,GAAG,qBAAqB,CAAC,OAAO,CAAC,CAAA;YAE7C,MAAM,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAA;YAChC,MAAM,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,SAAS,CAAC,OAAO,CAAC,CAAA;QACzC,CAAC,CAAC,CAAA;IACJ,CAAC,CAAC,CAAA;IAEF,QAAQ,CAAC,2BAA2B,EAAE,GAAG,EAAE;QACzC,EAAE,CAAC,4BAA4B,EAAE,GAAG,EAAE;YACpC,MAAM,YAAY,GAAG,oBAAoB,CAAA;YACzC,MAAM,YAAY,GAAG,oBAAoB,CAAA;YACzC,MAAM,SAAS,GAAG,WAAW,CAAC,YAAY,EAAE,kBAAkB,CAAC,CAAA;YAE/D,MAAM,OAAO,GAAG,wBAAwB,CAAC;gBACvC,OAAO,EAAE;oBACP,qBAAqB,EAAE,SAAS;iBACjC;gBACD,OAAO,EAAE,YAAY;aACtB,CAAC,CAAA;YAEF,MAAM,MAAM,GAAG,qBAAqB,CAAC,OAAO,CAAC,CAAA;YAE7C,MAAM,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAA;QAClC,CAAC,CAAC,CAAA;IACJ,CAAC,CAAC,CAAA;IAEF,QAAQ,CAAC,iCAAiC,EAAE,GAAG,EAAE;QAC/C,EAAE,CAAC,+CAA+C,EAAE,GAAG,EAAE;YACvD,MAAM,IAAI,GAAG,gBAAgB,CAAA;YAC7B,MAAM,IAAI,GAAG,UAAU,CAAC,QAAQ,EAAE,kBAAkB,CAAC,CAAA;YACrD,IAAI,CAAC,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,CAAA;YAC9B,MAAM,sBAAsB,GAAG,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,CAAA;YAEjD,MAAM,OAAO,GAAG,wBAAwB,CAAC;gBACvC,OAAO,EAAE;oBACP,qBAAqB,EAAE,sBAAsB;iBAC9C;gBACD,OAAO,EAAE,IAAI;aACd,CAAC,CAAA;YAEF,MAAM,MAAM,GAAG,qBAAqB,CAAC,OAAO,CAAC,CAAA;YAE7C,MAAM,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAA;QAClC,CAAC,CAAC,CAAA;IACJ,CAAC,CAAC,CAAA;AACJ,CAAC,CAAC,CAAA;AAEF,QAAQ,CAAC,oBAAoB,EAAE,GAAG,EAAE;IAClC,EAAE,CAAC,uCAAuC,EAAE,GAAG,EAAE;QAC/C,MAAM,OAAO,GAAG,wBAAwB,CAAC;YACvC,OAAO,EAAE;gBACP,gBAAgB,EAAE,oBAAoB;aACvC;SACF,CAAC,CAAA;QAEF,MAAM,MAAM,GAAG,kBAAkB,CAAC,OAAO,CAAC,CAAA;QAE1C,MAAM,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,oBAAoB,CAAC,CAAA;IAC3C,CAAC,CAAC,CAAA;IAEF,EAAE,CAAC,gDAAgD,EAAE,GAAG,EAAE;QACxD,MAAM,OAAO,GAAG,wBAAwB,CAAC;YACvC,OAAO,EAAE,EAAE;SACZ,CAAC,CAAA;QAEF,MAAM,MAAM,GAAG,kBAAkB,CAAC,OAAO,CAAC,CAAA;QAE1C,MAAM,CAAC,MAAM,CAAC,CAAC,aAAa,EAAE,CAAA;IAChC,CAAC,CAAC,CAAA;AACJ,CAAC,CAAC,CAAA;AAEF,QAAQ,CAAC,oBAAoB,EAAE,GAAG,EAAE;IAClC,EAAE,CAAC,uCAAuC,EAAE,GAAG,EAAE;QAC/C,MAAM,OAAO,GAAG,wBAAwB,CAAC;YACvC,OAAO,EAAE;gBACP,gBAAgB,EAAE,cAAc;aACjC;SACF,CAAC,CAAA;QAEF,MAAM,MAAM,GAAG,kBAAkB,CAAC,OAAO,CAAC,CAAA;QAE1C,MAAM,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,cAAc,CAAC,CAAA;IACrC,CAAC,CAAC,CAAA;IAEF,EAAE,CAAC,gDAAgD,EAAE,GAAG,EAAE;QACxD,MAAM,OAAO,GAAG,wBAAwB,CAAC;YACvC,OAAO,EAAE,EAAE;SACZ,CAAC,CAAA;QAEF,MAAM,MAAM,GAAG,kBAAkB,CAAC,OAAO,CAAC,CAAA;QAE1C,MAAM,CAAC,MAAM,CAAC,CAAC,aAAa,EAAE,CAAA;IAChC,CAAC,CAAC,CAAA;AACJ,CAAC,CAAC,CAAA"}
+{"version":3,"file":"verifier.test.js","sourceRoot":"","sources":["../../../../src/tests/units/security/verifier.test.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,EAAE,EAAE,SAAS,EAAE,QAAQ,EAAE,MAAM,QAAQ,CAAA;AAChD,OAAO,EAAE,UAAU,EAAE,MAAM,aAAa,CAAA;AACxC,OAAO,EAAE,wBAAwB,EAAE,MAAM,oCAAoC,CAAA;AAE7E,MAAM,iBAAiB,GAAG,yBAAyB,CAAA;AACnD,MAAM,kBAAkB,GAAG,2BAA2B,CAAA;AAEtD,EAAE,CAAC,IAAI,CAAC,2BAA2B,EAAE,GAAG,EAAE,CAAC,CAAC;IAC1C,cAAc,EAAE,EAAE,CAAC,EAAE,CAAC,GAAG,EAAE,CAAC,CAAC;QAC3B,kBAAkB,EAAE,iBAAiB;QACrC,mBAAmB,EAAE,kBAAkB;KACxC,CAAC,CAAC;CACJ,CAAC,CAAC,CAAA;AAEH,OAAO,EACL,qBAAqB,EACrB,qBAAqB,EACrB,kBAAkB,EAClB,kBAAkB,EAClB,kBAAkB,GACnB,MAAM,+BAA+B,CAAA;AAEtC,QAAQ,CAAC,uBAAuB,EAAE,GAAG,EAAE;IACrC,IAAI,aAAiC,CAAA;IAErC,SAAS,CAAC,GAAG,EAAE;QACb,aAAa,GAAG,OAAO,CAAC,GAAG,CAAC,oBAAoB,CAAA;QAChD,OAAO,CAAC,GAAG,CAAC,oBAAoB,GAAG,iBAAiB,CAAA;IACtD,CAAC,CAAC,CAAA;IAEF,QAAQ,CAAC,GAAG,EAAE;QACZ,IAAI,aAAa,KAAK,SAAS,EAAE,CAAC;YAChC,OAAO,CAAC,cAAc,CAAC,OAAO,CAAC,GAAG,EAAE,sBAAsB,CAAC,CAAA;QAC7D,CAAC;aAAM,CAAC;YACN,OAAO,CAAC,GAAG,CAAC,oBAAoB,GAAG,aAAa,CAAA;QAClD,CAAC;IACH,CAAC,CAAC,CAAA;IAEF,QAAQ,CAAC,qBAAqB,EAAE,GAAG,EAAE;QACnC,EAAE,CAAC,2BAA2B,EAAE,GAAG,EAAE;YACnC,MAAM,OAAO,GAAG,wBAAwB,CAAC;gBACvC,OAAO,EAAE;oBACP,gBAAgB,EAAE,iBAAiB;iBACpC;aACF,CAAC,CAAA;YAEF,MAAM,MAAM,GAAG,qBAAqB,CAAC,OAAO,CAAC,CAAA;YAE7C,MAAM,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAA;YAC/B,MAAM,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,aAAa,EAAE,CAAA;QACtC,CAAC,CAAC,CAAA;IACJ,CAAC,CAAC,CAAA;IAEF,QAAQ,CAAC,uBAAuB,EAAE,GAAG,EAAE;QACrC,EAAE,CAAC,uCAAuC,EAAE,GAAG,EAAE;YAC/C,MAAM,OAAO,GAAG,wBAAwB,CAAC;gBACvC,OAAO,EAAE;oBACP,gBAAgB,EAAE,aAAa;iBAChC;aACF,CAAC,CAAA;YAEF,MAAM,MAAM,GAAG,qBAAqB,CAAC,OAAO,CAAC,CAAA;YAE7C,MAAM,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAA;YAChC,MAAM,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,SAAS,CAAC,UAAU,CAAC,CAAA;QAC5C,CAAC,CAAC,CAAA;IACJ,CAAC,CAAC,CAAA;IAEF,QAAQ,CAAC,8BAA8B,EAAE,GAAG,EAAE;QAC5C,EAAE,CAAC,+CAA+C,EAAE,GAAG,EAAE;YACvD,MAAM,OAAO,GAAG,wBAAwB,CAAC;gBACvC,OAAO,EAAE,EAAE;aACZ,CAAC,CAAA;YAEF,MAAM,MAAM,GAAG,qBAAqB,CAAC,OAAO,CAAC,CAAA;YAE7C,MAAM,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAA;YAChC,MAAM,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,SAAS,CAAC,UAAU,CAAC,CAAA;QAC5C,CAAC,CAAC,CAAA;IACJ,CAAC,CAAC,CAAA;IAEF,QAAQ,CAAC,4BAA4B,EAAE,GAAG,EAAE;QAC1C,EAAE,CAAC,4BAA4B,EAAE,GAAG,EAAE;YACpC,MAAM,OAAO,GAAG,wBAAwB,CAAC;gBACvC,OAAO,EAAE;oBACP,gBAAgB,EAAE,EAAE;iBACrB;aACF,CAAC,CAAA;YAEF,MAAM,MAAM,GAAG,qBAAqB,CAAC,OAAO,CAAC,CAAA;YAE7C,MAAM,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAA;QAClC,CAAC,CAAC,CAAA;IACJ,CAAC,CAAC,CAAA;IAEF,QAAQ,CAAC,iCAAiC,EAAE,GAAG,EAAE;QAC/C,EAAE,CAAC,gDAAgD,EAAE,GAAG,EAAE;YACxD,MAAM,OAAO,GAAG,wBAAwB,CAAC;gBACvC,OAAO,EAAE;oBACP,gBAAgB,EAAE,OAAO;iBAC1B;aACF,CAAC,CAAA;YAEF,MAAM,MAAM,GAAG,qBAAqB,CAAC,OAAO,CAAC,CAAA;YAE7C,MAAM,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAA;YAChC,MAAM,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,SAAS,CAAC,UAAU,CAAC,CAAA;QAC5C,CAAC,CAAC,CAAA;IACJ,CAAC,CAAC,CAAA;AACJ,CAAC,CAAC,CAAA;AAEF,QAAQ,CAAC,uBAAuB,EAAE,GAAG,EAAE;IACrC,SAAS,WAAW,CAAC,IAAY,EAAE,MAAc;QAC/C,MAAM,IAAI,GAAG,UAAU,CAAC,QAAQ,EAAE,MAAM,CAAC,CAAA;QACzC,IAAI,CAAC,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,CAAA;QAC9B,OAAO,UAAU,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,EAAE,CAAA;IACvC,CAAC;IAED,QAAQ,CAAC,yBAAyB,EAAE,GAAG,EAAE;QACvC,EAAE,CAAC,2BAA2B,EAAE,GAAG,EAAE;YACnC,MAAM,IAAI,GAAG,gBAAgB,CAAA;YAC7B,MAAM,SAAS,GAAG,WAAW,CAAC,IAAI,EAAE,kBAAkB,CAAC,CAAA;YAEvD,MAAM,OAAO,GAAG,wBAAwB,CAAC;gBACvC,OAAO,EAAE;oBACP,qBAAqB,EAAE,SAAS;iBACjC;gBACD,OAAO,EAAE,IAAI;aACd,CAAC,CAAA;YAEF,MAAM,MAAM,GAAG,qBAAqB,CAAC,OAAO,CAAC,CAAA;YAE7C,MAAM,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAA;YAC/B,MAAM,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,aAAa,EAAE,CAAA;QACtC,CAAC,CAAC,CAAA;IACJ,CAAC,CAAC,CAAA;IAEF,QAAQ,CAAC,2BAA2B,EAAE,GAAG,EAAE;QACzC,EAAE,CAAC,uCAAuC,EAAE,GAAG,EAAE;YAC/C,MAAM,IAAI,GAAG,gBAAgB,CAAA;YAC7B,MAAM,cAAc,GAAG,WAAW,CAAC,IAAI,EAAE,cAAc,CAAC,CAAA;YAExD,MAAM,OAAO,GAAG,wBAAwB,CAAC;gBACvC,OAAO,EAAE;oBACP,qBAAqB,EAAE,cAAc;iBACtC;gBACD,OAAO,EAAE,IAAI;aACd,CAAC,CAAA;YAEF,MAAM,MAAM,GAAG,qBAAqB,CAAC,OAAO,CAAC,CAAA;YAE7C,MAAM,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAA;YAChC,MAAM,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,SAAS,CAAC,UAAU,CAAC,CAAA;QAC5C,CAAC,CAAC,CAAA;IACJ,CAAC,CAAC,CAAA;IAEF,QAAQ,CAAC,kCAAkC,EAAE,GAAG,EAAE;QAChD,EAAE,CAAC,+CAA+C,EAAE,GAAG,EAAE;YACvD,MAAM,OAAO,GAAG,wBAAwB,CAAC;gBACvC,OAAO,EAAE,EAAE;gBACX,OAAO,EAAE,gBAAgB;aAC1B,CAAC,CAAA;YAEF,MAAM,MAAM,GAAG,qBAAqB,CAAC,OAAO,CAAC,CAAA;YAE7C,MAAM,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAA;YAChC,MAAM,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,SAAS,CAAC,UAAU,CAAC,CAAA;QAC5C,CAAC,CAAC,CAAA;IACJ,CAAC,CAAC,CAAA;IAEF,QAAQ,CAAC,yBAAyB,EAAE,GAAG,EAAE;QACvC,EAAE,CAAC,4CAA4C,EAAE,GAAG,EAAE;YACpD,MAAM,SAAS,GAAG,WAAW,CAAC,IAAI,EAAE,kBAAkB,CAAC,CAAA;YAEvD,MAAM,OAAO,GAAG,wBAAwB,CAAC;gBACvC,OAAO,EAAE;oBACP,qBAAqB,EAAE,SAAS;iBACjC;aACF,CAAC,CAAA;YAEF,MAAM,MAAM,GAAG,qBAAqB,CAAC,OAAO,CAAC,CAAA;YAE7C,MAAM,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAA;YAChC,MAAM,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,SAAS,CAAC,OAAO,CAAC,CAAA;QACzC,CAAC,CAAC,CAAA;IACJ,CAAC,CAAC,CAAA;IAEF,QAAQ,CAAC,2BAA2B,EAAE,GAAG,EAAE;QACzC,EAAE,CAAC,4BAA4B,EAAE,GAAG,EAAE;YACpC,MAAM,YAAY,GAAG,oBAAoB,CAAA;YACzC,MAAM,YAAY,GAAG,oBAAoB,CAAA;YACzC,MAAM,SAAS,GAAG,WAAW,CAAC,YAAY,EAAE,kBAAkB,CAAC,CAAA;YAE/D,MAAM,OAAO,GAAG,wBAAwB,CAAC;gBACvC,OAAO,EAAE;oBACP,qBAAqB,EAAE,SAAS;iBACjC;gBACD,OAAO,EAAE,YAAY;aACtB,CAAC,CAAA;YAEF,MAAM,MAAM,GAAG,qBAAqB,CAAC,OAAO,CAAC,CAAA;YAE7C,MAAM,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAA;QAClC,CAAC,CAAC,CAAA;IACJ,CAAC,CAAC,CAAA;IAEF,QAAQ,CAAC,iCAAiC,EAAE,GAAG,EAAE;QAC/C,EAAE,CAAC,+CAA+C,EAAE,GAAG,EAAE;YACvD,MAAM,IAAI,GAAG,gBAAgB,CAAA;YAC7B,MAAM,IAAI,GAAG,UAAU,CAAC,QAAQ,EAAE,kBAAkB,CAAC,CAAA;YACrD,IAAI,CAAC,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,CAAA;YAC9B,MAAM,sBAAsB,GAAG,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,CAAA;YAEjD,MAAM,OAAO,GAAG,wBAAwB,CAAC;gBACvC,OAAO,EAAE;oBACP,qBAAqB,EAAE,sBAAsB;iBAC9C;gBACD,OAAO,EAAE,IAAI;aACd,CAAC,CAAA;YAEF,MAAM,MAAM,GAAG,qBAAqB,CAAC,OAAO,CAAC,CAAA;YAE7C,MAAM,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAA;QAClC,CAAC,CAAC,CAAA;IACJ,CAAC,CAAC,CAAA;AACJ,CAAC,CAAC,CAAA;AAEF,QAAQ,CAAC,oBAAoB,EAAE,GAAG,EAAE;IAClC,EAAE,CAAC,uCAAuC,EAAE,GAAG,EAAE;QAC/C,MAAM,OAAO,GAAG,wBAAwB,CAAC;YACvC,OAAO,EAAE;gBACP,gBAAgB,EAAE,oBAAoB;aACvC;SACF,CAAC,CAAA;QAEF,MAAM,MAAM,GAAG,kBAAkB,CAAC,OAAO,CAAC,CAAA;QAE1C,MAAM,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,oBAAoB,CAAC,CAAA;IAC3C,CAAC,CAAC,CAAA;IAEF,EAAE,CAAC,gDAAgD,EAAE,GAAG,EAAE;QACxD,MAAM,OAAO,GAAG,wBAAwB,CAAC;YACvC,OAAO,EAAE,EAAE;SACZ,CAAC,CAAA;QAEF,MAAM,MAAM,GAAG,kBAAkB,CAAC,OAAO,CAAC,CAAA;QAE1C,MAAM,CAAC,MAAM,CAAC,CAAC,aAAa,EAAE,CAAA;IAChC,CAAC,CAAC,CAAA;AACJ,CAAC,CAAC,CAAA;AAEF,QAAQ,CAAC,oBAAoB,EAAE,GAAG,EAAE;IAClC,EAAE,CAAC,+CAA+C,EAAE,GAAG,EAAE;QACvD,MAAM,OAAO,GAAG,wBAAwB,CAAC;YACvC,OAAO,EAAE;gBACP,qBAAqB,EAAE,sCAAsC;aAC9D;SACF,CAAC,CAAA;QAEF,MAAM,MAAM,GAAG,kBAAkB,CAAC,OAAO,CAAC,CAAA;QAE1C,MAAM,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,sCAAsC,CAAC,CAAA;IAC7D,CAAC,CAAC,CAAA;IAEF,EAAE,CAAC,oDAAoD,EAAE,GAAG,EAAE;QAC5D,MAAM,OAAO,GAAG,wBAAwB,CAAC;YACvC,OAAO,EAAE,EAAE;SACZ,CAAC,CAAA;QAEF,MAAM,MAAM,GAAG,kBAAkB,CAAC,OAAO,CAAC,CAAA;QAE1C,MAAM,CAAC,MAAM,CAAC,CAAC,aAAa,EAAE,CAAA;IAChC,CAAC,CAAC,CAAA;AACJ,CAAC,CAAC,CAAA;AAEF,QAAQ,CAAC,oBAAoB,EAAE,GAAG,EAAE;IAClC,EAAE,CAAC,uCAAuC,EAAE,GAAG,EAAE;QAC/C,MAAM,OAAO,GAAG,wBAAwB,CAAC;YACvC,OAAO,EAAE;gBACP,gBAAgB,EAAE,cAAc;aACjC;SACF,CAAC,CAAA;QAEF,MAAM,MAAM,GAAG,kBAAkB,CAAC,OAAO,CAAC,CAAA;QAE1C,MAAM,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,cAAc,CAAC,CAAA;IACrC,CAAC,CAAC,CAAA;IAEF,EAAE,CAAC,gDAAgD,EAAE,GAAG,EAAE;QACxD,MAAM,OAAO,GAAG,wBAAwB,CAAC;YACvC,OAAO,EAAE,EAAE;SACZ,CAAC,CAAA;QAEF,MAAM,MAAM,GAAG,kBAAkB,CAAC,OAAO,CAAC,CAAA;QAE1C,MAAM,CAAC,MAAM,CAAC,CAAC,aAAa,EAAE,CAAA;IAChC,CAAC,CAAC,CAAA;AACJ,CAAC,CAAC,CAAA"}

package/dist/tests/units/services/contextActionsExecutor.egress.test.d.ts

@@ -0,0 +1,2 @@
+export {};
+//# sourceMappingURL=contextActionsExecutor.egress.test.d.ts.map

package/dist/tests/units/services/contextActionsExecutor.egress.test.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"contextActionsExecutor.egress.test.d.ts","sourceRoot":"","sources":["../../../../src/tests/units/services/contextActionsExecutor.egress.test.ts"],"names":[],"mappings":""}

package/dist/tests/units/services/contextActionsExecutor.egress.test.js

@@ -0,0 +1,117 @@
+import { describe, it, expect } from 'vitest';
+import { executeActionsFromContext } from '../../../modules/review-execution/services/contextActionsExecutor.js';
+import { EgressScannedNoteCommentPostGateway } from '../../../modules/platform-integration/interface-adapters/gateways/egressScanned.noteCommentPost.gateway.js';
+import { createEgressScanner } from '../../../modules/platform-integration/entities/egressScan/egressScan.scanner.js';
+import { StubNoteCommentPostGateway } from '../../../tests/stubs/noteCommentPost.stub.js';
+import { StubEgressTraceGateway } from '../../../tests/stubs/egressScan.stub.js';
+const SECRET = 'glpat-abcdefghij1234567890';
+const redactConfig = {
+    secretShapeMode: 'redact',
+    lengthMode: 'redact',
+    outOfScopeMode: 'redact',
+    maxBodyLength: 10000,
+    redactionMarker: '[REDACTED]',
+    truncationMarker: '…[TRUNCATED]',
+};
+const silentLogger = {
+    info: () => { },
+    warn: () => { },
+    error: () => { },
+    debug: () => { },
+};
+function buildDecoratedSink() {
+    const sink = new StubNoteCommentPostGateway();
+    const trace = new StubEgressTraceGateway();
+    const scanner = createEgressScanner(redactConfig);
+    const gateway = new EgressScannedNoteCommentPostGateway(sink, scanner, trace);
+    return { sink, gateway };
+}
+const baseContext = {
+    version: '1.0',
+    mergeRequestId: 'gitlab-group/app-7',
+    platform: 'gitlab',
+    projectPath: 'group/app',
+    mergeRequestNumber: 7,
+    createdAt: '2026-02-02T10:00:00Z',
+    threads: [],
+    actions: [],
+    progress: { phase: 'completed', currentStep: null },
+};
+describe('executeActionsFromContext — egress routing (pentest amendment AC7/AC9)', () => {
+    it('routes a POST_COMMENT body through the decorated sink, never the raw CLI primitive', async () => {
+        const { sink, gateway } = buildDecoratedSink();
+        const rawCalls = [];
+        const recordingExecutor = (_command, args) => {
+            rawCalls.push(args);
+        };
+        const context = {
+            ...baseContext,
+            actions: [{ type: 'POST_COMMENT', body: `## Review\ntoken ${SECRET}` }],
+        };
+        await executeActionsFromContext(context, '/tmp/repo', silentLogger, recordingExecutor, null, gateway);
+        expect(sink.calls).toHaveLength(1);
+        expect(sink.calls[0].body).toContain('[REDACTED]');
+        expect(sink.calls[0].body).not.toContain(SECRET);
+        const rawSecretCalls = rawCalls.filter((args) => args.some((arg) => arg.includes(SECRET)));
+        expect(rawSecretCalls).toHaveLength(0);
+    });
+    it('routes a THREAD_REPLY body through the decorated sink, never the raw CLI primitive', async () => {
+        const { sink, gateway } = buildDecoratedSink();
+        const rawCalls = [];
+        const recordingExecutor = (_command, args) => {
+            rawCalls.push(args);
+        };
+        const context = {
+            ...baseContext,
+            actions: [{ type: 'THREAD_REPLY', threadId: 'abc', message: `fixed ${SECRET}` }],
+        };
+        await executeActionsFromContext(context, '/tmp/repo', silentLogger, recordingExecutor, null, gateway);
+        expect(sink.calls).toHaveLength(1);
+        expect(sink.calls[0].body).not.toContain(SECRET);
+        const rawSecretCalls = rawCalls.filter((args) => args.some((arg) => arg.includes(SECRET)));
+        expect(rawSecretCalls).toHaveLength(0);
+    });
+    it('AC9 — public-output verbs reach the decorated sink while other allowed verbs use the CLI primitive', async () => {
+        const { sink, gateway } = buildDecoratedSink();
+        const rawCalls = [];
+        const recordingExecutor = (_command, args) => {
+            rawCalls.push(args);
+        };
+        const context = {
+            ...baseContext,
+            diffMetadata: { baseSha: 'base', headSha: 'head', startSha: 'start' },
+            actions: [
+                { type: 'POST_COMMENT', body: `comment ${SECRET}` },
+                { type: 'THREAD_REPLY', threadId: 't1', message: `reply ${SECRET}` },
+                { type: 'POST_INLINE_COMMENT', filePath: 'src/a.ts', line: 3, body: 'inline note' },
+            ],
+        };
+        await executeActionsFromContext(context, '/tmp/repo', silentLogger, recordingExecutor, null, gateway);
+        expect(sink.calls).toHaveLength(2);
+        for (const call of sink.calls) {
+            expect(call.body).not.toContain(SECRET);
+        }
+        const rawSecretCalls = rawCalls.filter((args) => args.some((arg) => arg.includes(SECRET)));
+        expect(rawSecretCalls).toHaveLength(0);
+        expect(rawCalls.some((args) => args.some((arg) => arg.includes('/discussions')))).toBe(true);
+    });
+    it('SPEC-196 unwire: THREAD_RESOLVE / ADD_LABEL are dropped from the sinked auto path', async () => {
+        const { sink, gateway } = buildDecoratedSink();
+        const rawCalls = [];
+        const recordingExecutor = (_command, args) => {
+            rawCalls.push(args);
+        };
+        const context = {
+            ...baseContext,
+            actions: [
+                { type: 'POST_COMMENT', body: 'comment' },
+                { type: 'THREAD_RESOLVE', threadId: 't1' },
+                { type: 'ADD_LABEL', label: 'approved' },
+            ],
+        };
+        await executeActionsFromContext(context, '/tmp/repo', silentLogger, recordingExecutor, null, gateway);
+        expect(sink.calls).toHaveLength(1);
+        expect(rawCalls.some((args) => args.includes('resolved=true'))).toBe(false);
+    });
+});
+//# sourceMappingURL=contextActionsExecutor.egress.test.js.map

package/dist/tests/units/services/contextActionsExecutor.egress.test.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"contextActionsExecutor.egress.test.js","sourceRoot":"","sources":["../../../../src/tests/units/services/contextActionsExecutor.egress.test.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,EAAE,EAAE,MAAM,EAAE,MAAM,QAAQ,CAAC;AAC9C,OAAO,EAAE,yBAAyB,EAAE,MAAM,+DAA+D,CAAC;AAG1G,OAAO,EAAE,mCAAmC,EAAE,MAAM,qGAAqG,CAAC;AAC1J,OAAO,EAAE,mBAAmB,EAAE,MAAM,0EAA0E,CAAC;AAE/G,OAAO,EAAE,0BAA0B,EAAE,MAAM,uCAAuC,CAAC;AACnF,OAAO,EAAE,sBAAsB,EAAE,MAAM,kCAAkC,CAAC;AAE1E,MAAM,MAAM,GAAG,4BAA4B,CAAC;AAE5C,MAAM,YAAY,GAAqB;IACrC,eAAe,EAAE,QAAQ;IACzB,UAAU,EAAE,QAAQ;IACpB,cAAc,EAAE,QAAQ;IACxB,aAAa,EAAE,KAAK;IACpB,eAAe,EAAE,YAAY;IAC7B,gBAAgB,EAAE,cAAc;CACjC,CAAC;AAEF,MAAM,YAAY,GAAG;IACnB,IAAI,EAAE,GAAG,EAAE,GAAE,CAAC;IACd,IAAI,EAAE,GAAG,EAAE,GAAE,CAAC;IACd,KAAK,EAAE,GAAG,EAAE,GAAE,CAAC;IACf,KAAK,EAAE,GAAG,EAAE,GAAE,CAAC;CAChB,CAAC;AAEF,SAAS,kBAAkB;IACzB,MAAM,IAAI,GAAG,IAAI,0BAA0B,EAAE,CAAC;IAC9C,MAAM,KAAK,GAAG,IAAI,sBAAsB,EAAE,CAAC;IAC3C,MAAM,OAAO,GAAG,mBAAmB,CAAC,YAAY,CAAC,CAAC;IAClD,MAAM,OAAO,GAAG,IAAI,mCAAmC,CAAC,IAAI,EAAE,OAAO,EAAE,KAAK,CAAC,CAAC;IAC9E,OAAO,EAAE,IAAI,EAAE,OAAO,EAAE,CAAC;AAC3B,CAAC;AAED,MAAM,WAAW,GAAkB;IACjC,OAAO,EAAE,KAAK;IACd,cAAc,EAAE,oBAAoB;IACpC,QAAQ,EAAE,QAAQ;IAClB,WAAW,EAAE,WAAW;IACxB,kBAAkB,EAAE,CAAC;IACrB,SAAS,EAAE,sBAAsB;IACjC,OAAO,EAAE,EAAE;IACX,OAAO,EAAE,EAAE;IACX,QAAQ,EAAE,EAAE,KAAK,EAAE,WAAW,EAAE,WAAW,EAAE,IAAI,EAAE;CACpD,CAAC;AAEF,QAAQ,CAAC,wEAAwE,EAAE,GAAG,EAAE;IACtF,EAAE,CAAC,oFAAoF,EAAE,KAAK,IAAI,EAAE;QAClG,MAAM,EAAE,IAAI,EAAE,OAAO,EAAE,GAAG,kBAAkB,EAAE,CAAC;QAC/C,MAAM,QAAQ,GAAe,EAAE,CAAC;QAChC,MAAM,iBAAiB,GAAoB,CAAC,QAAQ,EAAE,IAAI,EAAE,EAAE;YAC5D,QAAQ,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QACtB,CAAC,CAAC;QACF,MAAM,OAAO,GAAkB;YAC7B,GAAG,WAAW;YACd,OAAO,EAAE,CAAC,EAAE,IAAI,EAAE,cAAc,EAAE,IAAI,EAAE,oBAAoB,MAAM,EAAE,EAAE,CAAC;SACxE,CAAC;QAEF,MAAM,yBAAyB,CAAC,OAAO,EAAE,WAAW,EAAE,YAAY,EAAE,iBAAiB,EAAE,IAAI,EAAE,OAAO,CAAC,CAAC;QAEtG,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC;QACnC,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,SAAS,CAAC,YAAY,CAAC,CAAC;QACnD,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,GAAG,CAAC,SAAS,CAAC,MAAM,CAAC,CAAC;QAEjD,MAAM,cAAc,GAAG,QAAQ,CAAC,MAAM,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,GAAG,EAAE,EAAE,CAAC,GAAG,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC;QAC3F,MAAM,CAAC,cAAc,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC;IACzC,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,oFAAoF,EAAE,KAAK,IAAI,EAAE;QAClG,MAAM,EAAE,IAAI,EAAE,OAAO,EAAE,GAAG,kBAAkB,EAAE,CAAC;QAC/C,MAAM,QAAQ,GAAe,EAAE,CAAC;QAChC,MAAM,iBAAiB,GAAoB,CAAC,QAAQ,EAAE,IAAI,EAAE,EAAE;YAC5D,QAAQ,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QACtB,CAAC,CAAC;QACF,MAAM,OAAO,GAAkB;YAC7B,GAAG,WAAW;YACd,OAAO,EAAE,CAAC,EAAE,IAAI,EAAE,cAAc,EAAE,QAAQ,EAAE,KAAK,EAAE,OAAO,EAAE,SAAS,MAAM,EAAE,EAAE,CAAC;SACjF,CAAC;QAEF,MAAM,yBAAyB,CAAC,OAAO,EAAE,WAAW,EAAE,YAAY,EAAE,iBAAiB,EAAE,IAAI,EAAE,OAAO,CAAC,CAAC;QAEtG,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC;QACnC,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,GAAG,CAAC,SAAS,CAAC,MAAM,CAAC,CAAC;QAEjD,MAAM,cAAc,GAAG,QAAQ,CAAC,MAAM,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,GAAG,EAAE,EAAE,CAAC,GAAG,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC;QAC3F,MAAM,CAAC,cAAc,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC;IACzC,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,oGAAoG,EAAE,KAAK,IAAI,EAAE;QAClH,MAAM,EAAE,IAAI,EAAE,OAAO,EAAE,GAAG,kBAAkB,EAAE,CAAC;QAC/C,MAAM,QAAQ,GAAe,EAAE,CAAC;QAChC,MAAM,iBAAiB,GAAoB,CAAC,QAAQ,EAAE,IAAI,EAAE,EAAE;YAC5D,QAAQ,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QACtB,CAAC,CAAC;QACF,MAAM,OAAO,GAAkB;YAC7B,GAAG,WAAW;YACd,YAAY,EAAE,EAAE,OAAO,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,EAAE,QAAQ,EAAE,OAAO,EAAE;YACrE,OAAO,EAAE;gBACP,EAAE,IAAI,EAAE,cAAc,EAAE,IAAI,EAAE,WAAW,MAAM,EAAE,EAAE;gBACnD,EAAE,IAAI,EAAE,cAAc,EAAE,QAAQ,EAAE,IAAI,EAAE,OAAO,EAAE,SAAS,MAAM,EAAE,EAAE;gBACpE,EAAE,IAAI,EAAE,qBAAqB,EAAE,QAAQ,EAAE,UAAU,EAAE,IAAI,EAAE,CAAC,EAAE,IAAI,EAAE,aAAa,EAAE;aACpF;SACF,CAAC;QAEF,MAAM,yBAAyB,CAAC,OAAO,EAAE,WAAW,EAAE,YAAY,EAAE,iBAAiB,EAAE,IAAI,EAAE,OAAO,CAAC,CAAC;QAEtG,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC;QACnC,KAAK,MAAM,IAAI,IAAI,IAAI,CAAC,KAAK,EAAE,CAAC;YAC9B,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,GAAG,CAAC,SAAS,CAAC,MAAM,CAAC,CAAC;QAC1C,CAAC;QACD,MAAM,cAAc,GAAG,QAAQ,CAAC,MAAM,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,GAAG,EAAE,EAAE,CAAC,GAAG,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC;QAC3F,MAAM,CAAC,cAAc,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC;QACvC,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,GAAG,EAAE,EAAE,CAAC,GAAG,CAAC,QAAQ,CAAC,cAAc,CAAC,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IAC/F,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,mFAAmF,EAAE,KAAK,IAAI,EAAE;QACjG,MAAM,EAAE,IAAI,EAAE,OAAO,EAAE,GAAG,kBAAkB,EAAE,CAAC;QAC/C,MAAM,QAAQ,GAAe,EAAE,CAAC;QAChC,MAAM,iBAAiB,GAAoB,CAAC,QAAQ,EAAE,IAAI,EAAE,EAAE;YAC5D,QAAQ,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QACtB,CAAC,CAAC;QACF,MAAM,OAAO,GAAkB;YAC7B,GAAG,WAAW;YACd,OAAO,EAAE;gBACP,EAAE,IAAI,EAAE,cAAc,EAAE,IAAI,EAAE,SAAS,EAAE;gBACzC,EAAE,IAAI,EAAE,gBAAgB,EAAE,QAAQ,EAAE,IAAI,EAAE;gBAC1C,EAAE,IAAI,EAAE,WAAW,EAAE,KAAK,EAAE,UAAU,EAAE;aACzC;SACF,CAAC;QAEF,MAAM,yBAAyB,CAAC,OAAO,EAAE,WAAW,EAAE,YAAY,EAAE,iBAAiB,EAAE,IAAI,EAAE,OAAO,CAAC,CAAC;QAEtG,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC;QACnC,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,IAAI,CAAC,QAAQ,CAAC,eAAe,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;IAC9E,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC"}

package/dist/tests/units/services/contextActionsExecutor.test.js

@@ -1,6 +1,8 @@
 import { describe, it, expect, vi, beforeEach } from 'vitest';
 import { executeActionsFromContext } from '../../../modules/review-execution/services/contextActionsExecutor.js';
-describe('executeActionsFromContext', () => {
+// AC6/AC7: the context auto-path executor is bounded to read + postComment.
+// THREAD_RESOLVE / ADD_LABEL are dropped (no-op, logged), POST_COMMENT executes.
+describe('executeActionsFromContext (auto path, capability-bounded)', () => {
     const mockLogger = {
         info: vi.fn(),
         warn: vi.fn(),
@@ -22,50 +24,42 @@ describe('executeActionsFromContext', () => {
     beforeEach(() => {
         vi.clearAllMocks();
     });
-    it('should return empty result when no actions in context', async () => {
+    it('returns an empty result when no actions are present', async () => {
         const context = { ...baseContext, actions: [] };
         const result = await executeActionsFromContext(context, '/tmp/repo', mockLogger, mockExecutor);
         expect(result.total).toBe(0);
         expect(result.succeeded).toBe(0);
         expect(mockExecutor).not.toHaveBeenCalled();
     });
-    it('should execute THREAD_RESOLVE action via GitHub API', async () => {
+    it('drops THREAD_RESOLVE without invoking the executor', async () => {
         const context = {
             ...baseContext,
-            actions: [
-                { type: 'THREAD_RESOLVE', threadId: 'PRRT_kwDONxxx' },
-            ],
+            actions: [{ type: 'THREAD_RESOLVE', threadId: 'PRRT_kwDONxxx' }],
         };
         const result = await executeActionsFromContext(context, '/tmp/repo', mockLogger, mockExecutor);
-        expect(result.total).toBe(1);
-        expect(result.succeeded).toBe(1);
-        expect(mockExecutor).toHaveBeenCalledWith('gh', expect.arrayContaining(['api', 'graphql']), '/tmp/repo');
+        expect(result.total).toBe(0);
+        expect(mockExecutor).not.toHaveBeenCalled();
     });
-    it('should execute POST_COMMENT action', async () => {
+    it('executes POST_COMMENT action', async () => {
         const context = {
             ...baseContext,
-            actions: [
-                { type: 'POST_COMMENT', body: '## Follow-up Review\n\nAll fixed.' },
-            ],
+            actions: [{ type: 'POST_COMMENT', body: '## Follow-up Review\n\nAll fixed.' }],
         };
         const result = await executeActionsFromContext(context, '/tmp/repo', mockLogger, mockExecutor);
         expect(result.total).toBe(1);
         expect(result.succeeded).toBe(1);
         expect(mockExecutor).toHaveBeenCalledWith('gh', expect.arrayContaining(['repos/owner/repo/issues/42/comments']), '/tmp/repo');
     });
-    it('should execute ADD_LABEL action', async () => {
+    it('drops ADD_LABEL without invoking the executor', async () => {
         const context = {
             ...baseContext,
-            actions: [
-                { type: 'ADD_LABEL', label: 'needs_approve' },
-            ],
+            actions: [{ type: 'ADD_LABEL', label: 'needs_approve' }],
         };
         const result = await executeActionsFromContext(context, '/tmp/repo', mockLogger, mockExecutor);
-        expect(result.total).toBe(1);
-        expect(result.succeeded).toBe(1);
-        expect(mockExecutor).toHaveBeenCalledWith('gh', expect.arrayContaining(['repos/owner/repo/issues/42/labels']), '/tmp/repo');
+        expect(result.total).toBe(0);
+        expect(mockExecutor).not.toHaveBeenCalled();
     });
-    it('should execute multiple actions in order', async () => {
+    it('keeps only allowed verbs in a mixed stream', async () => {
         const context = {
             ...baseContext,
             actions: [
@@ -76,31 +70,30 @@ describe('executeActionsFromContext', () => {
             ],
         };
         const result = await executeActionsFromContext(context, '/tmp/repo', mockLogger, mockExecutor);
-        expect(result.total).toBe(4);
-        expect(result.succeeded).toBe(4);
-        expect(mockExecutor).toHaveBeenCalledTimes(4);
+        // Only the single POST_COMMENT survives the capability filter.
+        expect(result.total).toBe(1);
+        expect(result.succeeded).toBe(1);
+        expect(mockExecutor).toHaveBeenCalledTimes(1);
     });
-    it('should handle GitLab platform', async () => {
+    it('handles GitLab platform postComment', async () => {
         const context = {
             ...baseContext,
             platform: 'gitlab',
-            actions: [
-                { type: 'THREAD_RESOLVE', threadId: 'abc123' },
-            ],
+            actions: [{ type: 'POST_COMMENT', body: 'note' }],
         };
         const result = await executeActionsFromContext(context, '/tmp/repo', mockLogger, mockExecutor);
         expect(result.succeeded).toBe(1);
         expect(mockExecutor).toHaveBeenCalledWith('glab', expect.arrayContaining(['api']), '/tmp/repo');
     });
-    it('should continue executing when one action fails', async () => {
+    it('continues executing when one allowed action fails', async () => {
         mockExecutor.mockImplementationOnce(() => {
             throw new Error('API error');
         });
         const context = {
             ...baseContext,
             actions: [
-                { type: 'THREAD_RESOLVE', threadId: 'thread-1' },
-                { type: 'POST_COMMENT', body: 'Done' },
+                { type: 'POST_COMMENT', body: 'first' },
+                { type: 'POST_COMMENT', body: 'second' },
             ],
         };
         const result = await executeActionsFromContext(context, '/tmp/repo', mockLogger, mockExecutor);

package/dist/tests/units/services/contextActionsExecutor.test.js.map

@@ -1 +1 @@
-{"version":3,"file":"contextActionsExecutor.test.js","sourceRoot":"","sources":["../../../../src/tests/units/services/contextActionsExecutor.test.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,EAAE,EAAE,MAAM,EAAE,EAAE,EAAE,UAAU,EAAE,MAAM,QAAQ,CAAA;AAC7D,OAAO,EAAE,yBAAyB,EAAE,MAAM,+DAA+D,CAAA;AAGzG,QAAQ,CAAC,2BAA2B,EAAE,GAAG,EAAE;IACzC,MAAM,UAAU,GAAG;QACjB,IAAI,EAAE,EAAE,CAAC,EAAE,EAAE;QACb,IAAI,EAAE,EAAE,CAAC,EAAE,EAAE;QACb,KAAK,EAAE,EAAE,CAAC,EAAE,EAAE;QACd,KAAK,EAAE,EAAE,CAAC,EAAE,EAAE;KACf,CAAA;IAED,MAAM,YAAY,GAAG,EAAE,CAAC,EAAE,EAAE,CAAA;IAE5B,MAAM,WAAW,GAAkB;QACjC,OAAO,EAAE,KAAK;QACd,cAAc,EAAE,sBAAsB;QACtC,QAAQ,EAAE,QAAQ;QAClB,WAAW,EAAE,YAAY;QACzB,kBAAkB,EAAE,EAAE;QACtB,SAAS,EAAE,sBAAsB;QACjC,OAAO,EAAE,EAAE;QACX,OAAO,EAAE,EAAE;QACX,QAAQ,EAAE,EAAE,KAAK,EAAE,WAAW,EAAE,WAAW,EAAE,IAAI,EAAE;KACpD,CAAA;IAED,UAAU,CAAC,GAAG,EAAE;QACd,EAAE,CAAC,aAAa,EAAE,CAAA;IACpB,CAAC,CAAC,CAAA;IAEF,EAAE,CAAC,uDAAuD,EAAE,KAAK,IAAI,EAAE;QACrE,MAAM,OAAO,GAAG,EAAE,GAAG,WAAW,EAAE,OAAO,EAAE,EAAE,EAAE,CAAA;QAE/C,MAAM,MAAM,GAAG,MAAM,yBAAyB,CAAC,OAAO,EAAE,WAAW,EAAE,UAAU,EAAE,YAAY,CAAC,CAAA;QAE9F,MAAM,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAA;QAC5B,MAAM,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAA;QAChC,MAAM,CAAC,YAAY,CAAC,CAAC,GAAG,CAAC,gBAAgB,EAAE,CAAA;IAC7C,CAAC,CAAC,CAAA;IAEF,EAAE,CAAC,qDAAqD,EAAE,KAAK,IAAI,EAAE;QACnE,MAAM,OAAO,GAAkB;YAC7B,GAAG,WAAW;YACd,OAAO,EAAE;gBACP,EAAE,IAAI,EAAE,gBAAgB,EAAE,QAAQ,EAAE,eAAe,EAAE;aACtD;SACF,CAAA;QAED,MAAM,MAAM,GAAG,MAAM,yBAAyB,CAAC,OAAO,EAAE,WAAW,EAAE,UAAU,EAAE,YAAY,CAAC,CAAA;QAE9F,MAAM,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAA;QAC5B,MAAM,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAA;QAChC,MAAM,CAAC,YAAY,CAAC,CAAC,oBAAoB,CACvC,IAAI,EACJ,MAAM,CAAC,eAAe,CAAC,CAAC,KAAK,EAAE,SAAS,CAAC,CAAC,EAC1C,WAAW,CACZ,CAAA;IACH,CAAC,CAAC,CAAA;IAEF,EAAE,CAAC,oCAAoC,EAAE,KAAK,IAAI,EAAE;QAClD,MAAM,OAAO,GAAkB;YAC7B,GAAG,WAAW;YACd,OAAO,EAAE;gBACP,EAAE,IAAI,EAAE,cAAc,EAAE,IAAI,EAAE,mCAAmC,EAAE;aACpE;SACF,CAAA;QAED,MAAM,MAAM,GAAG,MAAM,yBAAyB,CAAC,OAAO,EAAE,WAAW,EAAE,UAAU,EAAE,YAAY,CAAC,CAAA;QAE9F,MAAM,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAA;QAC5B,MAAM,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAA;QAChC,MAAM,CAAC,YAAY,CAAC,CAAC,oBAAoB,CACvC,IAAI,EACJ,MAAM,CAAC,eAAe,CAAC,CAAC,qCAAqC,CAAC,CAAC,EAC/D,WAAW,CACZ,CAAA;IACH,CAAC,CAAC,CAAA;IAEF,EAAE,CAAC,iCAAiC,EAAE,KAAK,IAAI,EAAE;QAC/C,MAAM,OAAO,GAAkB;YAC7B,GAAG,WAAW;YACd,OAAO,EAAE;gBACP,EAAE,IAAI,EAAE,WAAW,EAAE,KAAK,EAAE,eAAe,EAAE;aAC9C;SACF,CAAA;QAED,MAAM,MAAM,GAAG,MAAM,yBAAyB,CAAC,OAAO,EAAE,WAAW,EAAE,UAAU,EAAE,YAAY,CAAC,CAAA;QAE9F,MAAM,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAA;QAC5B,MAAM,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAA;QAChC,MAAM,CAAC,YAAY,CAAC,CAAC,oBAAoB,CACvC,IAAI,EACJ,MAAM,CAAC,eAAe,CAAC,CAAC,mCAAmC,CAAC,CAAC,EAC7D,WAAW,CACZ,CAAA;IACH,CAAC,CAAC,CAAA;IAEF,EAAE,CAAC,0CAA0C,EAAE,KAAK,IAAI,EAAE;QACxD,MAAM,OAAO,GAAkB;YAC7B,GAAG,WAAW;YACd,OAAO,EAAE;gBACP,EAAE,IAAI,EAAE,gBAAgB,EAAE,QAAQ,EAAE,UAAU,EAAE;gBAChD,EAAE,IAAI,EAAE,gBAAgB,EAAE,QAAQ,EAAE,UAAU,EAAE;gBAChD,EAAE,IAAI,EAAE,cAAc,EAAE,IAAI,EAAE,MAAM,EAAE;gBACtC,EAAE,IAAI,EAAE,WAAW,EAAE,KAAK,EAAE,UAAU,EAAE;aACzC;SACF,CAAA;QAED,MAAM,MAAM,GAAG,MAAM,yBAAyB,CAAC,OAAO,EAAE,WAAW,EAAE,UAAU,EAAE,YAAY,CAAC,CAAA;QAE9F,MAAM,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAA;QAC5B,MAAM,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAA;QAChC,MAAM,CAAC,YAAY,CAAC,CAAC,qBAAqB,CAAC,CAAC,CAAC,CAAA;IAC/C,CAAC,CAAC,CAAA;IAEF,EAAE,CAAC,+BAA+B,EAAE,KAAK,IAAI,EAAE;QAC7C,MAAM,OAAO,GAAkB;YAC7B,GAAG,WAAW;YACd,QAAQ,EAAE,QAAQ;YAClB,OAAO,EAAE;gBACP,EAAE,IAAI,EAAE,gBAAgB,EAAE,QAAQ,EAAE,QAAQ,EAAE;aAC/C;SACF,CAAA;QAED,MAAM,MAAM,GAAG,MAAM,yBAAyB,CAAC,OAAO,EAAE,WAAW,EAAE,UAAU,EAAE,YAAY,CAAC,CAAA;QAE9F,MAAM,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAA;QAChC,MAAM,CAAC,YAAY,CAAC,CAAC,oBAAoB,CACvC,MAAM,EACN,MAAM,CAAC,eAAe,CAAC,CAAC,KAAK,CAAC,CAAC,EAC/B,WAAW,CACZ,CAAA;IACH,CAAC,CAAC,CAAA;IAEF,EAAE,CAAC,iDAAiD,EAAE,KAAK,IAAI,EAAE;QAC/D,YAAY,CAAC,sBAAsB,CAAC,GAAG,EAAE;YACvC,MAAM,IAAI,KAAK,CAAC,WAAW,CAAC,CAAA;QAC9B,CAAC,CAAC,CAAA;QAEF,MAAM,OAAO,GAAkB;YAC7B,GAAG,WAAW;YACd,OAAO,EAAE;gBACP,EAAE,IAAI,EAAE,gBAAgB,EAAE,QAAQ,EAAE,UAAU,EAAE;gBAChD,EAAE,IAAI,EAAE,cAAc,EAAE,IAAI,EAAE,MAAM,EAAE;aACvC;SACF,CAAA;QAED,MAAM,MAAM,GAAG,MAAM,yBAAyB,CAAC,OAAO,EAAE,WAAW,EAAE,UAAU,EAAE,YAAY,CAAC,CAAA;QAE9F,MAAM,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAA;QAC5B,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAA;QAC7B,MAAM,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAA;IAClC,CAAC,CAAC,CAAA;AACJ,CAAC,CAAC,CAAA"}
+{"version":3,"file":"contextActionsExecutor.test.js","sourceRoot":"","sources":["../../../../src/tests/units/services/contextActionsExecutor.test.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,EAAE,EAAE,MAAM,EAAE,EAAE,EAAE,UAAU,EAAE,MAAM,QAAQ,CAAA;AAC7D,OAAO,EAAE,yBAAyB,EAAE,MAAM,+DAA+D,CAAA;AAGzG,4EAA4E;AAC5E,iFAAiF;AACjF,QAAQ,CAAC,2DAA2D,EAAE,GAAG,EAAE;IACzE,MAAM,UAAU,GAAG;QACjB,IAAI,EAAE,EAAE,CAAC,EAAE,EAAE;QACb,IAAI,EAAE,EAAE,CAAC,EAAE,EAAE;QACb,KAAK,EAAE,EAAE,CAAC,EAAE,EAAE;QACd,KAAK,EAAE,EAAE,CAAC,EAAE,EAAE;KACf,CAAA;IAED,MAAM,YAAY,GAAG,EAAE,CAAC,EAAE,EAAE,CAAA;IAE5B,MAAM,WAAW,GAAkB;QACjC,OAAO,EAAE,KAAK;QACd,cAAc,EAAE,sBAAsB;QACtC,QAAQ,EAAE,QAAQ;QAClB,WAAW,EAAE,YAAY;QACzB,kBAAkB,EAAE,EAAE;QACtB,SAAS,EAAE,sBAAsB;QACjC,OAAO,EAAE,EAAE;QACX,OAAO,EAAE,EAAE;QACX,QAAQ,EAAE,EAAE,KAAK,EAAE,WAAW,EAAE,WAAW,EAAE,IAAI,EAAE;KACpD,CAAA;IAED,UAAU,CAAC,GAAG,EAAE;QACd,EAAE,CAAC,aAAa,EAAE,CAAA;IACpB,CAAC,CAAC,CAAA;IAEF,EAAE,CAAC,qDAAqD,EAAE,KAAK,IAAI,EAAE;QACnE,MAAM,OAAO,GAAG,EAAE,GAAG,WAAW,EAAE,OAAO,EAAE,EAAE,EAAE,CAAA;QAE/C,MAAM,MAAM,GAAG,MAAM,yBAAyB,CAAC,OAAO,EAAE,WAAW,EAAE,UAAU,EAAE,YAAY,CAAC,CAAA;QAE9F,MAAM,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAA;QAC5B,MAAM,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAA;QAChC,MAAM,CAAC,YAAY,CAAC,CAAC,GAAG,CAAC,gBAAgB,EAAE,CAAA;IAC7C,CAAC,CAAC,CAAA;IAEF,EAAE,CAAC,oDAAoD,EAAE,KAAK,IAAI,EAAE;QAClE,MAAM,OAAO,GAAkB;YAC7B,GAAG,WAAW;YACd,OAAO,EAAE,CAAC,EAAE,IAAI,EAAE,gBAAgB,EAAE,QAAQ,EAAE,eAAe,EAAE,CAAC;SACjE,CAAA;QAED,MAAM,MAAM,GAAG,MAAM,yBAAyB,CAAC,OAAO,EAAE,WAAW,EAAE,UAAU,EAAE,YAAY,CAAC,CAAA;QAE9F,MAAM,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAA;QAC5B,MAAM,CAAC,YAAY,CAAC,CAAC,GAAG,CAAC,gBAAgB,EAAE,CAAA;IAC7C,CAAC,CAAC,CAAA;IAEF,EAAE,CAAC,8BAA8B,EAAE,KAAK,IAAI,EAAE;QAC5C,MAAM,OAAO,GAAkB;YAC7B,GAAG,WAAW;YACd,OAAO,EAAE,CAAC,EAAE,IAAI,EAAE,cAAc,EAAE,IAAI,EAAE,mCAAmC,EAAE,CAAC;SAC/E,CAAA;QAED,MAAM,MAAM,GAAG,MAAM,yBAAyB,CAAC,OAAO,EAAE,WAAW,EAAE,UAAU,EAAE,YAAY,CAAC,CAAA;QAE9F,MAAM,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAA;QAC5B,MAAM,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAA;QAChC,MAAM,CAAC,YAAY,CAAC,CAAC,oBAAoB,CACvC,IAAI,EACJ,MAAM,CAAC,eAAe,CAAC,CAAC,qCAAqC,CAAC,CAAC,EAC/D,WAAW,CACZ,CAAA;IACH,CAAC,CAAC,CAAA;IAEF,EAAE,CAAC,+CAA+C,EAAE,KAAK,IAAI,EAAE;QAC7D,MAAM,OAAO,GAAkB;YAC7B,GAAG,WAAW;YACd,OAAO,EAAE,CAAC,EAAE,IAAI,EAAE,WAAW,EAAE,KAAK,EAAE,eAAe,EAAE,CAAC;SACzD,CAAA;QAED,MAAM,MAAM,GAAG,MAAM,yBAAyB,CAAC,OAAO,EAAE,WAAW,EAAE,UAAU,EAAE,YAAY,CAAC,CAAA;QAE9F,MAAM,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAA;QAC5B,MAAM,CAAC,YAAY,CAAC,CAAC,GAAG,CAAC,gBAAgB,EAAE,CAAA;IAC7C,CAAC,CAAC,CAAA;IAEF,EAAE,CAAC,4CAA4C,EAAE,KAAK,IAAI,EAAE;QAC1D,MAAM,OAAO,GAAkB;YAC7B,GAAG,WAAW;YACd,OAAO,EAAE;gBACP,EAAE,IAAI,EAAE,gBAAgB,EAAE,QAAQ,EAAE,UAAU,EAAE;gBAChD,EAAE,IAAI,EAAE,gBAAgB,EAAE,QAAQ,EAAE,UAAU,EAAE;gBAChD,EAAE,IAAI,EAAE,cAAc,EAAE,IAAI,EAAE,MAAM,EAAE;gBACtC,EAAE,IAAI,EAAE,WAAW,EAAE,KAAK,EAAE,UAAU,EAAE;aACzC;SACF,CAAA;QAED,MAAM,MAAM,GAAG,MAAM,yBAAyB,CAAC,OAAO,EAAE,WAAW,EAAE,UAAU,EAAE,YAAY,CAAC,CAAA;QAE9F,+DAA+D;QAC/D,MAAM,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAA;QAC5B,MAAM,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAA;QAChC,MAAM,CAAC,YAAY,CAAC,CAAC,qBAAqB,CAAC,CAAC,CAAC,CAAA;IAC/C,CAAC,CAAC,CAAA;IAEF,EAAE,CAAC,qCAAqC,EAAE,KAAK,IAAI,EAAE;QACnD,MAAM,OAAO,GAAkB;YAC7B,GAAG,WAAW;YACd,QAAQ,EAAE,QAAQ;YAClB,OAAO,EAAE,CAAC,EAAE,IAAI,EAAE,cAAc,EAAE,IAAI,EAAE,MAAM,EAAE,CAAC;SAClD,CAAA;QAED,MAAM,MAAM,GAAG,MAAM,yBAAyB,CAAC,OAAO,EAAE,WAAW,EAAE,UAAU,EAAE,YAAY,CAAC,CAAA;QAE9F,MAAM,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAA;QAChC,MAAM,CAAC,YAAY,CAAC,CAAC,oBAAoB,CACvC,MAAM,EACN,MAAM,CAAC,eAAe,CAAC,CAAC,KAAK,CAAC,CAAC,EAC/B,WAAW,CACZ,CAAA;IACH,CAAC,CAAC,CAAA;IAEF,EAAE,CAAC,mDAAmD,EAAE,KAAK,IAAI,EAAE;QACjE,YAAY,CAAC,sBAAsB,CAAC,GAAG,EAAE;YACvC,MAAM,IAAI,KAAK,CAAC,WAAW,CAAC,CAAA;QAC9B,CAAC,CAAC,CAAA;QAEF,MAAM,OAAO,GAAkB;YAC7B,GAAG,WAAW;YACd,OAAO,EAAE;gBACP,EAAE,IAAI,EAAE,cAAc,EAAE,IAAI,EAAE,OAAO,EAAE;gBACvC,EAAE,IAAI,EAAE,cAAc,EAAE,IAAI,EAAE,QAAQ,EAAE;aACzC;SACF,CAAA;QAED,MAAM,MAAM,GAAG,MAAM,yBAAyB,CAAC,OAAO,EAAE,WAAW,EAAE,UAAU,EAAE,YAAY,CAAC,CAAA;QAE9F,MAAM,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAA;QAC5B,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAA;QAC7B,MAAM,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAA;IAClC,CAAC,CAAC,CAAA;AACJ,CAAC,CAAC,CAAA"}

package/dist/tests/units/services/publicOutputExecutor.test.d.ts

@@ -0,0 +1,2 @@
+export {};
+//# sourceMappingURL=publicOutputExecutor.test.d.ts.map

package/dist/tests/units/services/publicOutputExecutor.test.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"publicOutputExecutor.test.d.ts","sourceRoot":"","sources":["../../../../src/tests/units/services/publicOutputExecutor.test.ts"],"names":[],"mappings":""}

package/dist/tests/units/services/publicOutputExecutor.test.js

@@ -0,0 +1,72 @@
+import { executePublicOutput } from '../../../modules/review-execution/services/publicOutputExecutor.js';
+import { EgressScannedNoteCommentPostGateway } from '../../../modules/platform-integration/interface-adapters/gateways/egressScanned.noteCommentPost.gateway.js';
+import { createEgressScanner } from '../../../modules/platform-integration/entities/egressScan/egressScan.scanner.js';
+import { StubNoteCommentPostGateway } from '../../../tests/stubs/noteCommentPost.stub.js';
+import { StubEgressTraceGateway } from '../../../tests/stubs/egressScan.stub.js';
+const SECRET = 'glpat-abcdefghij1234567890';
+const redactConfig = {
+    secretShapeMode: 'redact',
+    lengthMode: 'redact',
+    outOfScopeMode: 'redact',
+    maxBodyLength: 10000,
+    redactionMarker: '[REDACTED]',
+    truncationMarker: '…[TRUNCATED]',
+};
+function buildDecoratedGateway() {
+    const sink = new StubNoteCommentPostGateway();
+    const trace = new StubEgressTraceGateway();
+    const scanner = createEgressScanner(redactConfig);
+    const gateway = new EgressScannedNoteCommentPostGateway(sink, scanner, trace);
+    return { sink, gateway };
+}
+const context = { projectPath: 'group/project', mrNumber: 42 };
+describe('executePublicOutput', () => {
+    describe('AC7 — THREAD_REPLY egress is scanned', () => {
+        it('routes a THREAD_REPLY body through the decorated sink with redaction', async () => {
+            const { sink, gateway } = buildDecoratedGateway();
+            const actions = [
+                { type: 'THREAD_REPLY', threadId: 'abc', message: `fixed, token ${SECRET}` },
+            ];
+            await executePublicOutput(actions, context, gateway);
+            expect(sink.calls).toHaveLength(1);
+            expect(sink.calls[0].body).toContain('[REDACTED]');
+            expect(sink.calls[0].body).not.toContain(SECRET);
+        });
+    });
+    describe('AC9 — channel exhaustiveness', () => {
+        const verbCases = [
+            { label: 'THREAD_REPLY', action: { type: 'THREAD_REPLY', threadId: 'abc', message: `m ${SECRET}` } },
+            { label: 'POST_COMMENT', action: { type: 'POST_COMMENT', body: `c ${SECRET}` } },
+        ];
+        it.each(verbCases)('routes %s through the same decorated sink', async ({ action }) => {
+            const { sink, gateway } = buildDecoratedGateway();
+            await executePublicOutput([action], context, gateway);
+            expect(sink.calls).toHaveLength(1);
+            expect(sink.calls[0].body).not.toContain(SECRET);
+            expect(sink.calls[0].body).toContain('[REDACTED]');
+        });
+        it('every auto-path public-output verb resolves to one shared decorated sink', async () => {
+            const { sink, gateway } = buildDecoratedGateway();
+            const actions = [
+                { type: 'POST_COMMENT', body: `comment ${SECRET}` },
+                { type: 'THREAD_REPLY', threadId: 't1', message: `reply ${SECRET}` },
+            ];
+            await executePublicOutput(actions, context, gateway);
+            expect(sink.calls).toHaveLength(2);
+            for (const call of sink.calls) {
+                expect(call.body).not.toContain(SECRET);
+                expect(call.body).toContain('[REDACTED]');
+            }
+        });
+        it('ignores non-public-output verbs (no body leaves the system)', async () => {
+            const { sink, gateway } = buildDecoratedGateway();
+            const actions = [
+                { type: 'THREAD_RESOLVE', threadId: 't1' },
+                { type: 'FETCH_THREADS' },
+            ];
+            await executePublicOutput(actions, context, gateway);
+            expect(sink.calls).toHaveLength(0);
+        });
+    });
+});
+//# sourceMappingURL=publicOutputExecutor.test.js.map

package/dist/tests/units/services/publicOutputExecutor.test.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"publicOutputExecutor.test.js","sourceRoot":"","sources":["../../../../src/tests/units/services/publicOutputExecutor.test.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,mBAAmB,EAAE,MAAM,6DAA6D,CAAC;AAElG,OAAO,EAAE,mCAAmC,EAAE,MAAM,qGAAqG,CAAC;AAC1J,OAAO,EAAE,mBAAmB,EAAE,MAAM,0EAA0E,CAAC;AAE/G,OAAO,EAAE,0BAA0B,EAAE,MAAM,uCAAuC,CAAC;AACnF,OAAO,EAAE,sBAAsB,EAAE,MAAM,kCAAkC,CAAC;AAE1E,MAAM,MAAM,GAAG,4BAA4B,CAAC;AAE5C,MAAM,YAAY,GAAqB;IACrC,eAAe,EAAE,QAAQ;IACzB,UAAU,EAAE,QAAQ;IACpB,cAAc,EAAE,QAAQ;IACxB,aAAa,EAAE,KAAK;IACpB,eAAe,EAAE,YAAY;IAC7B,gBAAgB,EAAE,cAAc;CACjC,CAAC;AAEF,SAAS,qBAAqB;IAC5B,MAAM,IAAI,GAAG,IAAI,0BAA0B,EAAE,CAAC;IAC9C,MAAM,KAAK,GAAG,IAAI,sBAAsB,EAAE,CAAC;IAC3C,MAAM,OAAO,GAAG,mBAAmB,CAAC,YAAY,CAAC,CAAC;IAClD,MAAM,OAAO,GAAG,IAAI,mCAAmC,CAAC,IAAI,EAAE,OAAO,EAAE,KAAK,CAAC,CAAC;IAC9E,OAAO,EAAE,IAAI,EAAE,OAAO,EAAE,CAAC;AAC3B,CAAC;AAED,MAAM,OAAO,GAAG,EAAE,WAAW,EAAE,eAAe,EAAE,QAAQ,EAAE,EAAE,EAAE,CAAC;AAE/D,QAAQ,CAAC,qBAAqB,EAAE,GAAG,EAAE;IACnC,QAAQ,CAAC,sCAAsC,EAAE,GAAG,EAAE;QACpD,EAAE,CAAC,sEAAsE,EAAE,KAAK,IAAI,EAAE;YACpF,MAAM,EAAE,IAAI,EAAE,OAAO,EAAE,GAAG,qBAAqB,EAAE,CAAC;YAClD,MAAM,OAAO,GAAyB;gBACpC,EAAE,IAAI,EAAE,cAAc,EAAE,QAAQ,EAAE,KAAK,EAAE,OAAO,EAAE,gBAAgB,MAAM,EAAE,EAAE;aAC7E,CAAC;YAEF,MAAM,mBAAmB,CAAC,OAAO,EAAE,OAAO,EAAE,OAAO,CAAC,CAAC;YAErD,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC;YACnC,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,SAAS,CAAC,YAAY,CAAC,CAAC;YACnD,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,GAAG,CAAC,SAAS,CAAC,MAAM,CAAC,CAAC;QACnD,CAAC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;IAEH,QAAQ,CAAC,8BAA8B,EAAE,GAAG,EAAE;QAC5C,MAAM,SAAS,GAAoD;YACjE,EAAE,KAAK,EAAE,cAAc,EAAE,MAAM,EAAE,EAAE,IAAI,EAAE,cAAc,EAAE,QAAQ,EAAE,KAAK,EAAE,OAAO,EAAE,KAAK,MAAM,EAAE,EAAE,EAAE;YACpG,EAAE,KAAK,EAAE,cAAc,EAAE,MAAM,EAAE,EAAE,IAAI,EAAE,cAAc,EAAE,IAAI,EAAE,KAAK,MAAM,EAAE,EAAE,EAAE;SACjF,CAAC;QAEF,EAAE,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC,2CAA2C,EAAE,KAAK,EAAE,EAAE,MAAM,EAAE,EAAE,EAAE;YACnF,MAAM,EAAE,IAAI,EAAE,OAAO,EAAE,GAAG,qBAAqB,EAAE,CAAC;YAElD,MAAM,mBAAmB,CAAC,CAAC,MAAM,CAAC,EAAE,OAAO,EAAE,OAAO,CAAC,CAAC;YAEtD,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC;YACnC,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,GAAG,CAAC,SAAS,CAAC,MAAM,CAAC,CAAC;YACjD,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,SAAS,CAAC,YAAY,CAAC,CAAC;QACrD,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,0EAA0E,EAAE,KAAK,IAAI,EAAE;YACxF,MAAM,EAAE,IAAI,EAAE,OAAO,EAAE,GAAG,qBAAqB,EAAE,CAAC;YAClD,MAAM,OAAO,GAAyB;gBACpC,EAAE,IAAI,EAAE,cAAc,EAAE,IAAI,EAAE,WAAW,MAAM,EAAE,EAAE;gBACnD,EAAE,IAAI,EAAE,cAAc,EAAE,QAAQ,EAAE,IAAI,EAAE,OAAO,EAAE,SAAS,MAAM,EAAE,EAAE;aACrE,CAAC;YAEF,MAAM,mBAAmB,CAAC,OAAO,EAAE,OAAO,EAAE,OAAO,CAAC,CAAC;YAErD,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC;YACnC,KAAK,MAAM,IAAI,IAAI,IAAI,CAAC,KAAK,EAAE,CAAC;gBAC9B,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,GAAG,CAAC,SAAS,CAAC,MAAM,CAAC,CAAC;gBACxC,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,SAAS,CAAC,YAAY,CAAC,CAAC;YAC5C,CAAC;QACH,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,6DAA6D,EAAE,KAAK,IAAI,EAAE;YAC3E,MAAM,EAAE,IAAI,EAAE,OAAO,EAAE,GAAG,qBAAqB,EAAE,CAAC;YAClD,MAAM,OAAO,GAAyB;gBACpC,EAAE,IAAI,EAAE,gBAAgB,EAAE,QAAQ,EAAE,IAAI,EAAE;gBAC1C,EAAE,IAAI,EAAE,eAAe,EAAE;aAC1B,CAAC;YAEF,MAAM,mBAAmB,CAAC,OAAO,EAAE,OAAO,EAAE,OAAO,CAAC,CAAC;YAErD,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC;QACrC,CAAC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC"}

package/dist/tests/units/services/threadActionsExecutor.egress.test.d.ts

@@ -0,0 +1,2 @@
+export {};
+//# sourceMappingURL=threadActionsExecutor.egress.test.d.ts.map

package/dist/tests/units/services/threadActionsExecutor.egress.test.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"threadActionsExecutor.egress.test.d.ts","sourceRoot":"","sources":["../../../../src/tests/units/services/threadActionsExecutor.egress.test.ts"],"names":[],"mappings":""}