saeeol 1.2.4 → 1.2.7

package/test/permission/next.toConfig.test.ts

@@ -1,110 +0,0 @@
-import { test, expect } from "bun:test"
-import { Permission } from "../../src/permission"
-
-// toConfig tests (inverse of fromConfig)
-
-test("toConfig - single wildcard rule uses object format", () => {
-  const result = Permission.toConfig([{ permission: "read", pattern: "*", action: "allow" }])
-  expect(result).toEqual({ read: { "*": "allow" } })
-})
-
-test("toConfig - single non-wildcard rule uses object format", () => {
-  const result = Permission.toConfig([{ permission: "bash", pattern: "npm *", action: "allow" }])
-  expect(result).toEqual({ bash: { "npm *": "allow" } })
-})
-
-test("toConfig - multiple rules for same permission use object format", () => {
-  const result = Permission.toConfig([
-    { permission: "bash", pattern: "*", action: "ask" },
-    { permission: "bash", pattern: "npm *", action: "allow" },
-  ])
-  expect(result).toEqual({ bash: { "*": "ask", "npm *": "allow" } })
-})
-
-test("toConfig - mixed permissions", () => {
-  const result = Permission.toConfig([
-    { permission: "read", pattern: "*", action: "allow" },
-    { permission: "bash", pattern: "npm *", action: "allow" },
-    { permission: "bash", pattern: "git *", action: "allow" },
-  ])
-  expect(result).toEqual({
-    read: { "*": "allow" },
-    bash: { "npm *": "allow", "git *": "allow" },
-  })
-})
-
-test("toConfig - empty rules returns empty object", () => {
-  const result = Permission.toConfig([])
-  expect(result).toEqual({})
-})
-
-test("toConfig - wildcard then specific promotes to object", () => {
-  const result = Permission.toConfig([
-    { permission: "bash", pattern: "*", action: "ask" },
-    { permission: "bash", pattern: "rm *", action: "deny" },
-  ])
-  expect(result).toEqual({ bash: { "*": "ask", "rm *": "deny" } })
-})
-
-test("toConfig - roundtrip with fromConfig (simple) always uses object format", () => {
-  const config = { read: "allow" as const, bash: "ask" as const }
-  const rules = Permission.fromConfig(config)
-  const result = Permission.toConfig(rules)
-  // toConfig always uses object format to avoid erasing existing granular rules on merge
-  expect(result).toEqual({ read: { "*": "allow" }, bash: { "*": "ask" } })
-})
-
-test("toConfig - roundtrip with fromConfig (object)", () => {
-  const config = { bash: { "*": "ask" as const, "npm *": "allow" as const, "git *": "allow" as const } }
-  const rules = Permission.fromConfig(config)
-  const result = Permission.toConfig(rules)
-  expect(result).toEqual(config)
-})
-
-test("toConfig - scalar-only permission uses scalar format", () => {
-  const result = Permission.toConfig([{ permission: "websearch", pattern: "*", action: "allow" }])
-  expect(result).toEqual({ websearch: "allow" })
-})
-
-test("toConfig - scalar-only permission with non-wildcard pattern is skipped", () => {
-  // doom_loop uses always: [toolName], so pattern can be "bash" etc.
-  // Non-wildcard patterns for scalar-only permissions can't be represented
-  // in the config schema — they only work in-memory (known limitation).
-  const result = Permission.toConfig([{ permission: "doom_loop", pattern: "bash", action: "allow" }])
-  expect(result).toEqual({})
-})
-
-test("toConfig - mixed scalar-only and rule-capable permissions", () => {
-  const result = Permission.toConfig([
-    { permission: "websearch", pattern: "*", action: "allow" },
-    { permission: "todowrite", pattern: "*", action: "allow" },
-    { permission: "bash", pattern: "npm *", action: "allow" },
-  ])
-  expect(result).toEqual({
-    websearch: "allow",
-    todowrite: "allow",
-    bash: { "npm *": "allow" },
-  })
-})
-
-// Tests for null delete sentinel handling (null = "remove this key from config")
-
-test("fromConfig - null entries in PermissionObject are skipped", () => {
-  const config = { bash: { "*": "ask" as const, "npm *": null } }
-  const rules = Permission.fromConfig(config)
-  // null is a delete sentinel — only the non-null entry should produce a rule
-  expect(rules).toEqual([{ permission: "bash", pattern: "*", action: "ask" }])
-})
-
-test("fromConfig - null top-level PermissionRule is skipped", () => {
-  const config = { bash: null }
-  const rules = Permission.fromConfig(config)
-  expect(rules).toEqual([])
-})
-
-test("toConfig - null existing entry is treated as absent (new rule wins)", () => {
-  // If result[permission] is null (shouldn't happen in practice but defensive),
-  // the new rule should be written as a fresh object entry.
-  const result = Permission.toConfig([{ permission: "bash", pattern: "npm *", action: "allow" }])
-  expect(result).toEqual({ bash: { "npm *": "allow" } })
-})

package/test/permission-task.test.ts

@@ -1,326 +0,0 @@
-import { afterEach, describe, test, expect } from "bun:test"
-import { Permission } from "../src/permission"
-import { Config } from "@/config/config"
-import { Instance } from "../src/project/instance"
-import { disposeAllInstances, tmpdir } from "./fixture/fixture"
-import { AppRuntime } from "../src/effect/app-runtime"
-
-const load = () => AppRuntime.runPromise(Config.Service.use((svc) => svc.get()))
-
-afterEach(async () => {
-  await disposeAllInstances()
-})
-
-describe("Permission.evaluate for permission.task", () => {
-  const createRuleset = (rules: Record<string, "allow" | "deny" | "ask">): Permission.Ruleset =>
-    Object.entries(rules).map(([pattern, action]) => ({
-      permission: "task",
-      pattern,
-      action,
-    }))
-
-  test("returns ask when no match (default)", () => {
-    expect(Permission.evaluate("task", "code-reviewer", []).action).toBe("ask")
-  })
-
-  test("returns deny for explicit deny", () => {
-    const ruleset = createRuleset({ "code-reviewer": "deny" })
-    expect(Permission.evaluate("task", "code-reviewer", ruleset).action).toBe("deny")
-  })
-
-  test("returns allow for explicit allow", () => {
-    const ruleset = createRuleset({ "code-reviewer": "allow" })
-    expect(Permission.evaluate("task", "code-reviewer", ruleset).action).toBe("allow")
-  })
-
-  test("returns ask for explicit ask", () => {
-    const ruleset = createRuleset({ "code-reviewer": "ask" })
-    expect(Permission.evaluate("task", "code-reviewer", ruleset).action).toBe("ask")
-  })
-
-  test("matches wildcard patterns with deny", () => {
-    const ruleset = createRuleset({ "orchestrator-*": "deny" })
-    expect(Permission.evaluate("task", "orchestrator-fast", ruleset).action).toBe("deny")
-    expect(Permission.evaluate("task", "orchestrator-slow", ruleset).action).toBe("deny")
-    expect(Permission.evaluate("task", "general", ruleset).action).toBe("ask")
-  })
-
-  test("matches wildcard patterns with allow", () => {
-    const ruleset = createRuleset({ "orchestrator-*": "allow" })
-    expect(Permission.evaluate("task", "orchestrator-fast", ruleset).action).toBe("allow")
-    expect(Permission.evaluate("task", "orchestrator-slow", ruleset).action).toBe("allow")
-  })
-
-  test("matches wildcard patterns with ask", () => {
-    const ruleset = createRuleset({ "orchestrator-*": "ask" })
-    expect(Permission.evaluate("task", "orchestrator-fast", ruleset).action).toBe("ask")
-    const globalRuleset = createRuleset({ "*": "ask" })
-    expect(Permission.evaluate("task", "code-reviewer", globalRuleset).action).toBe("ask")
-  })
-
-  test("later rules take precedence (last match wins)", () => {
-    const ruleset = createRuleset({
-      "orchestrator-*": "deny",
-      "orchestrator-fast": "allow",
-    })
-    expect(Permission.evaluate("task", "orchestrator-fast", ruleset).action).toBe("allow")
-    expect(Permission.evaluate("task", "orchestrator-slow", ruleset).action).toBe("deny")
-  })
-
-  test("matches global wildcard", () => {
-    expect(Permission.evaluate("task", "any-agent", createRuleset({ "*": "allow" })).action).toBe("allow")
-    expect(Permission.evaluate("task", "any-agent", createRuleset({ "*": "deny" })).action).toBe("deny")
-    expect(Permission.evaluate("task", "any-agent", createRuleset({ "*": "ask" })).action).toBe("ask")
-  })
-})
-
-describe("Permission.disabled for task tool", () => {
-  // Note: The `disabled` function checks if a TOOL should be completely removed from the tool list.
-  // It only disables a tool when there's a rule with `pattern: "*"` and `action: "deny"`.
-  // It does NOT evaluate complex subagent patterns - those are handled at runtime by `evaluate`.
-  const createRuleset = (rules: Record<string, "allow" | "deny" | "ask">): Permission.Ruleset =>
-    Object.entries(rules).map(([pattern, action]) => ({
-      permission: "task",
-      pattern,
-      action,
-    }))
-
-  test("task tool is disabled when global deny pattern exists (even with specific allows)", () => {
-    // When "*": "deny" exists, the task tool is disabled because the disabled() function
-    // only checks for wildcard deny patterns - it doesn't consider that specific subagents might be allowed
-    const ruleset = createRuleset({
-      "orchestrator-*": "allow",
-      "*": "deny",
-    })
-    const disabled = Permission.disabled(["task", "bash", "read"], ruleset)
-    // The task tool IS disabled because there's a pattern: "*" with action: "deny"
-    expect(disabled.has("task")).toBe(true)
-  })
-
-  test("task tool is disabled when global deny pattern exists (even with ask overrides)", () => {
-    const ruleset = createRuleset({
-      "orchestrator-*": "ask",
-      "*": "deny",
-    })
-    const disabled = Permission.disabled(["task"], ruleset)
-    // The task tool IS disabled because there's a pattern: "*" with action: "deny"
-    expect(disabled.has("task")).toBe(true)
-  })
-
-  test("task tool is disabled when global deny pattern exists", () => {
-    const ruleset = createRuleset({ "*": "deny" })
-    const disabled = Permission.disabled(["task"], ruleset)
-    expect(disabled.has("task")).toBe(true)
-  })
-
-  test("task tool is NOT disabled when only specific patterns are denied (no wildcard)", () => {
-    // The disabled() function only disables tools when pattern: "*" && action: "deny"
-    // Specific subagent denies don't disable the task tool - those are handled at runtime
-    const ruleset = createRuleset({
-      "orchestrator-*": "deny",
-      general: "deny",
-    })
-    const disabled = Permission.disabled(["task"], ruleset)
-    // The task tool is NOT disabled because no rule has pattern: "*" with action: "deny"
-    expect(disabled.has("task")).toBe(false)
-  })
-
-  test("task tool is enabled when no task rules exist (default ask)", () => {
-    const disabled = Permission.disabled(["task"], [])
-    expect(disabled.has("task")).toBe(false)
-  })
-
-  test("task tool is NOT disabled when last wildcard pattern is allow", () => {
-    // Last matching rule wins - if wildcard allow comes after wildcard deny, tool is enabled
-    const ruleset = createRuleset({
-      "*": "deny",
-      "orchestrator-coder": "allow",
-    })
-    const disabled = Permission.disabled(["task"], ruleset)
-    // The disabled() function uses findLast and checks if the last matching rule
-    // has pattern: "*" and action: "deny". In this case, the last rule matching
-    // "task" permission has pattern "orchestrator-coder", not "*", so not disabled
-    expect(disabled.has("task")).toBe(false)
-  })
-})
-
-// Integration tests that load permissions from real config files
-describe("permission.task with real config files", () => {
-  test("loads task permissions from saeeol.json config", async () => {
-    await using tmp = await tmpdir({
-      git: true,
-      config: {
-        permission: {
-          task: {
-            "*": "allow",
-            "code-reviewer": "deny",
-          },
-        },
-      },
-    })
-    await Instance.provide({
-      directory: tmp.path,
-      fn: async () => {
-        const config = await load()
-        const ruleset = Permission.fromConfig(config.permission ?? {})
-        // general and orchestrator-fast should be allowed, code-reviewer denied
-        expect(Permission.evaluate("task", "general", ruleset).action).toBe("allow")
-        expect(Permission.evaluate("task", "orchestrator-fast", ruleset).action).toBe("allow")
-        expect(Permission.evaluate("task", "code-reviewer", ruleset).action).toBe("deny")
-      },
-    })
-  })
-
-  test("loads task permissions with wildcard patterns from config", async () => {
-    await using tmp = await tmpdir({
-      git: true,
-      config: {
-        permission: {
-          task: {
-            "*": "ask",
-            "orchestrator-*": "deny",
-          },
-        },
-      },
-    })
-    await Instance.provide({
-      directory: tmp.path,
-      fn: async () => {
-        const config = await load()
-        const ruleset = Permission.fromConfig(config.permission ?? {})
-        // general and code-reviewer should be ask, orchestrator-* denied
-        expect(Permission.evaluate("task", "general", ruleset).action).toBe("ask")
-        expect(Permission.evaluate("task", "code-reviewer", ruleset).action).toBe("ask")
-        expect(Permission.evaluate("task", "orchestrator-fast", ruleset).action).toBe("deny")
-      },
-    })
-  })
-
-  test("evaluate respects task permission from config", async () => {
-    await using tmp = await tmpdir({
-      git: true,
-      config: {
-        permission: {
-          task: {
-            general: "allow",
-            "code-reviewer": "deny",
-          },
-        },
-      },
-    })
-    await Instance.provide({
-      directory: tmp.path,
-      fn: async () => {
-        const config = await load()
-        const ruleset = Permission.fromConfig(config.permission ?? {})
-        expect(Permission.evaluate("task", "general", ruleset).action).toBe("allow")
-        expect(Permission.evaluate("task", "code-reviewer", ruleset).action).toBe("deny")
-        // Unspecified agents default to "ask"
-        expect(Permission.evaluate("task", "unknown-agent", ruleset).action).toBe("ask")
-      },
-    })
-  })
-
-  test("mixed permission config with task and other tools", async () => {
-    await using tmp = await tmpdir({
-      git: true,
-      config: {
-        permission: {
-          bash: "allow",
-          edit: "ask",
-          task: {
-            "*": "deny",
-            general: "allow",
-          },
-        },
-      },
-    })
-    await Instance.provide({
-      directory: tmp.path,
-      fn: async () => {
-        const config = await load()
-        const ruleset = Permission.fromConfig(config.permission ?? {})
-
-        // Verify task permissions
-        expect(Permission.evaluate("task", "general", ruleset).action).toBe("allow")
-        expect(Permission.evaluate("task", "code-reviewer", ruleset).action).toBe("deny")
-
-        // Verify other tool permissions
-        expect(Permission.evaluate("bash", "*", ruleset).action).toBe("allow")
-        expect(Permission.evaluate("edit", "*", ruleset).action).toBe("ask")
-
-        // Verify disabled tools
-        const disabled = Permission.disabled(["bash", "edit", "task"], ruleset)
-        expect(disabled.has("bash")).toBe(false)
-        expect(disabled.has("edit")).toBe(false)
-        // task is NOT disabled because disabled() uses findLast, and the last rule
-        // matching "task" permission is {pattern: "general", action: "allow"}, not pattern: "*"
-        expect(disabled.has("task")).toBe(false)
-      },
-    })
-  })
-
-  test("task tool disabled when global deny comes last in config", async () => {
-    await using tmp = await tmpdir({
-      git: true,
-      config: {
-        permission: {
-          task: {
-            general: "allow",
-            "code-reviewer": "allow",
-            "*": "deny",
-          },
-        },
-      },
-    })
-    await Instance.provide({
-      directory: tmp.path,
-      fn: async () => {
-        const config = await load()
-        const ruleset = Permission.fromConfig(config.permission ?? {})
-
-        // Last matching rule wins - "*" deny is last, so all agents are denied
-        expect(Permission.evaluate("task", "general", ruleset).action).toBe("deny")
-        expect(Permission.evaluate("task", "code-reviewer", ruleset).action).toBe("deny")
-        expect(Permission.evaluate("task", "unknown", ruleset).action).toBe("deny")
-
-        // Since "*": "deny" is the last rule, disabled() finds it with findLast
-        // and sees pattern: "*" with action: "deny", so task is disabled
-        const disabled = Permission.disabled(["task"], ruleset)
-        expect(disabled.has("task")).toBe(true)
-      },
-    })
-  })
-
-  test("task tool NOT disabled when specific allow comes last in config", async () => {
-    await using tmp = await tmpdir({
-      git: true,
-      config: {
-        permission: {
-          task: {
-            "*": "deny",
-            general: "allow",
-          },
-        },
-      },
-    })
-    await Instance.provide({
-      directory: tmp.path,
-      fn: async () => {
-        const config = await load()
-        const ruleset = Permission.fromConfig(config.permission ?? {})
-
-        // Evaluate uses findLast - "general" allow comes after "*" deny
-        expect(Permission.evaluate("task", "general", ruleset).action).toBe("allow")
-        // Other agents still denied by the earlier "*" deny
-        expect(Permission.evaluate("task", "code-reviewer", ruleset).action).toBe("deny")
-
-        // disabled() uses findLast and checks if the last rule has pattern: "*" with action: "deny"
-        // In this case, the last rule is {pattern: "general", action: "allow"}, not pattern: "*"
-        // So the task tool is NOT disabled (even though most subagents are denied)
-        const disabled = Permission.disabled(["task"], ruleset)
-        expect(disabled.has("task")).toBe(false)
-      },
-    })
-  })
-})

package/test/plugin/auth-override.test.ts

@@ -1,79 +0,0 @@
-import { describe, expect, test } from "bun:test"
-import path from "path"
-import fs from "fs/promises"
-import { Effect } from "effect"
-import { tmpdir } from "../fixture/fixture"
-import { Instance } from "../../src/project/instance"
-import { ProviderAuth } from "@/provider/auth"
-import { ProviderID } from "../../src/provider/schema"
-
-describe("plugin.auth-override", () => {
-  test("user plugin overrides built-in github-copilot auth", async () => {
-    await using tmp = await tmpdir({
-      init: async (dir) => {
-        const pluginDir = path.join(dir, ".saeeol", "plugin")
-        await fs.mkdir(pluginDir, { recursive: true })
-
-        await Bun.write(
-          path.join(pluginDir, "custom-copilot-auth.ts"),
-          [
-            "export default {",
-            '  id: "demo.custom-copilot-auth",',
-            "  server: async () => ({",
-            "    auth: {",
-            '      provider: "github-copilot",',
-            "      methods: [",
-            '        { type: "api", label: "Test Override Auth" },',
-            "      ],",
-            "      loader: async () => ({ access: 'test-token' }),",
-            "    },",
-            "  }),",
-            "}",
-            "",
-          ].join("\n"),
-        )
-      },
-    })
-
-    await using plain = await tmpdir()
-
-    const methods = await Instance.provide({
-      directory: tmp.path,
-      fn: async () => {
-        return Effect.runPromise(
-          ProviderAuth.Service.use((svc) => svc.methods()).pipe(Effect.provide(ProviderAuth.defaultLayer)),
-        )
-      },
-    })
-
-    const plainMethods = await Instance.provide({
-      directory: plain.path,
-      fn: async () => {
-        return Effect.runPromise(
-          ProviderAuth.Service.use((svc) => svc.methods()).pipe(Effect.provide(ProviderAuth.defaultLayer)),
-        )
-      },
-    })
-
-    const copilot = methods[ProviderID.make("github-copilot")]
-    expect(copilot).toBeDefined()
-    expect(copilot.length).toBe(1)
-    expect(copilot[0].label).toBe("Test Override Auth")
-    expect(plainMethods[ProviderID.make("github-copilot")][0].label).not.toBe("Test Override Auth")
-  }, 30000) // Increased timeout for plugin installation
-})
-
-const file = path.join(import.meta.dir, "../../src/plugin/index.ts")
-
-describe("plugin.config-hook-error-isolation", () => {
-  test("config hooks are individually error-isolated in the layer factory", async () => {
-    const src = await Bun.file(file).text()
-
-    // Each hook's config call is wrapped in Effect.tryPromise with error logging + Effect.ignore
-    expect(src).toContain("plugin config hook failed")
-
-    const pattern =
-      /for\s*\(const hook of hooks\)\s*\{[\s\S]*?Effect\.tryPromise[\s\S]*?\.config\?\.\([\s\S]*?plugin config hook failed[\s\S]*?Effect\.ignore/
-    expect(pattern.test(src)).toBe(true)
-  })
-})

package/test/plugin/cloudflare.test.ts

@@ -1,68 +0,0 @@
-import { expect, test } from "bun:test"
-import { CloudflareAIGatewayAuthPlugin } from "@/plugin/cloudflare"
-
-const pluginInput = {
-  client: {} as never,
-  project: {} as never,
-  directory: "",
-  worktree: "",
-  experimental_workspace: {
-    register() {},
-  },
-  serverUrl: new URL("https://example.com"),
-  $: {} as never,
-}
-
-function makeHookInput(overrides: { providerID?: string; apiId?: string; reasoning?: boolean }) {
-  return {
-    sessionID: "s",
-    agent: "a",
-    provider: {} as never,
-    message: {} as never,
-    model: {
-      providerID: overrides.providerID ?? "cloudflare-ai-gateway",
-      api: { id: overrides.apiId ?? "openai/gpt-5.2-codex", url: "", npm: "ai-gateway-provider" },
-      capabilities: {
-        reasoning: overrides.reasoning ?? true,
-        temperature: false,
-        attachment: true,
-        toolcall: true,
-        input: { text: true, audio: false, image: false, video: false, pdf: false },
-        output: { text: true, audio: false, image: false, video: false, pdf: false },
-        interleaved: false,
-      },
-    } as never,
-  }
-}
-
-function makeHookOutput() {
-  return { temperature: 0, topP: 1, topK: 0, maxOutputTokens: 32_000 as number | undefined, options: {} }
-}
-
-test("omits maxOutputTokens for openai reasoning models on cloudflare-ai-gateway", async () => {
-  const hooks = await CloudflareAIGatewayAuthPlugin(pluginInput)
-  const out = makeHookOutput()
-  await hooks["chat.params"]!(makeHookInput({ apiId: "openai/gpt-5.2-codex", reasoning: true }), out)
-  expect(out.maxOutputTokens).toBeUndefined()
-})
-
-test("keeps maxOutputTokens for openai non-reasoning models", async () => {
-  const hooks = await CloudflareAIGatewayAuthPlugin(pluginInput)
-  const out = makeHookOutput()
-  await hooks["chat.params"]!(makeHookInput({ apiId: "openai/gpt-4-turbo", reasoning: false }), out)
-  expect(out.maxOutputTokens).toBe(32_000)
-})
-
-test("keeps maxOutputTokens for non-openai reasoning models on cloudflare-ai-gateway", async () => {
-  const hooks = await CloudflareAIGatewayAuthPlugin(pluginInput)
-  const out = makeHookOutput()
-  await hooks["chat.params"]!(makeHookInput({ apiId: "anthropic/claude-sonnet-4-5", reasoning: true }), out)
-  expect(out.maxOutputTokens).toBe(32_000)
-})
-
-test("ignores non-cloudflare-ai-gateway providers", async () => {
-  const hooks = await CloudflareAIGatewayAuthPlugin(pluginInput)
-  const out = makeHookOutput()
-  await hooks["chat.params"]!(makeHookInput({ providerID: "openai", apiId: "gpt-5.2-codex", reasoning: true }), out)
-  expect(out.maxOutputTokens).toBe(32_000)
-})