skillrepo 3.1.1 → 3.1.2

package/src/test/lib/transient-runners.test.mjs

@@ -0,0 +1,270 @@
+/**
+ * Unit tests for src/lib/transient-runners.mjs (#894 / v3.1.2).
+ *
+ * Covers the three exports:
+ *   - detectTransientRunner — returns the runner's display NAME
+ *     (npx / pnpx / yarn dlx / bunx) or null. Used by init.mjs's
+ *     Next-Steps prefix.
+ *   - isTransientRunnerInvocation — boolean shortcut. Used as the
+ *     gate for auto-install and the npx-guard in mergers/session-hook.
+ *   - isTransientCachePath — boolean for filtering `where`/`which`
+ *     output. Used by the binary locator.
+ *
+ * The boolean shortcut's behavior is also covered transitively by
+ * `cli-config.test.mjs` (which re-exports it). This file specifically
+ * locks in:
+ *   - The runner-NAME return contract (v3.1.2 added this so init's
+ *     Next-Steps shows `pnpx skillrepo list` for pnpm dlx users
+ *     instead of always `npx skillrepo list`).
+ *   - The `isTransientCachePath` filter behavior the binary locator
+ *     depends on.
+ */
+
+import { describe, it } from "node:test";
+import assert from "node:assert/strict";
+
+import {
+  detectTransientRunner,
+  isTransientRunnerInvocation,
+  isTransientCachePath,
+  globalInstallCommandFor,
+} from "../../lib/transient-runners.mjs";
+
+// ── detectTransientRunner — returns the runner display name ────────
+
+describe("detectTransientRunner", () => {
+  it("returns null for a vanilla stable-install argv", () => {
+    const result = detectTransientRunner({
+      argv: ["/usr/local/bin/node", "/usr/local/bin/skillrepo"],
+      env: {},
+    });
+    assert.equal(result, null);
+  });
+
+  it("returns 'npx' for an npm npx invocation", () => {
+    const result = detectTransientRunner({
+      argv: [
+        "/usr/local/bin/node",
+        "/Users/alice/.npm/_npx/abc123/node_modules/.bin/skillrepo",
+      ],
+      env: {},
+    });
+    assert.equal(result, "npx");
+  });
+
+  it("returns 'pnpx' for a pnpm dlx invocation (cache substring)", () => {
+    const result = detectTransientRunner({
+      argv: [
+        "/usr/local/bin/node",
+        "/Users/alice/.local/share/pnpm/store/dlx-abc123/node_modules/.bin/skillrepo",
+      ],
+      env: {},
+    });
+    assert.equal(result, "pnpx");
+  });
+
+  it("returns 'yarn dlx' for a yarn berry dlx invocation", () => {
+    const result = detectTransientRunner({
+      argv: [
+        "/usr/local/bin/node",
+        "/Users/alice/project/.yarn/berry/cache/skillrepo-npm-3.1.2-abc/node_modules/skillrepo/bin/skillrepo.mjs",
+      ],
+      env: {},
+    });
+    assert.equal(result, "yarn dlx");
+  });
+
+  it("returns 'bunx' for a bun bunx invocation (cache substring)", () => {
+    const result = detectTransientRunner({
+      argv: [
+        "/usr/local/bin/node",
+        "/Users/alice/.bun/install/cache/skillrepo@3.1.2/node_modules/.bin/skillrepo",
+      ],
+      env: {},
+    });
+    assert.equal(result, "bunx");
+  });
+
+  it("returns 'npx' from `_` env-var fallback when argv path doesn't match", () => {
+    // E.g., a wrapper script symlinks the npx binary somewhere
+    // outside the npx cache. The `_` signal still identifies the
+    // launcher.
+    const result = detectTransientRunner({
+      argv: ["/usr/local/bin/node", "/somewhere/bin/skillrepo"],
+      env: { _: "/usr/local/bin/npx" },
+    });
+    assert.equal(result, "npx");
+  });
+
+  it("returns 'pnpx' from `_` env-var fallback", () => {
+    const result = detectTransientRunner({
+      argv: ["/usr/local/bin/node", "/somewhere/bin/skillrepo"],
+      env: { _: "/usr/local/bin/pnpx" },
+    });
+    assert.equal(result, "pnpx");
+  });
+
+  it("returns 'bunx' from `_` env-var fallback", () => {
+    const result = detectTransientRunner({
+      argv: ["/usr/local/bin/node", "/somewhere/bin/skillrepo"],
+      env: { _: "/Users/alice/.bun/bin/bunx" },
+    });
+    assert.equal(result, "bunx");
+  });
+
+  it("argv signal beats `_` env-var (first-match wins on argv)", () => {
+    // If both signal a runner, argv wins. Realistically these would
+    // signal the SAME runner (npx invocation sets argv to the npx
+    // cache AND `_` to the npx binary), but the test pins the
+    // priority for the rare disagreement case.
+    const result = detectTransientRunner({
+      argv: [
+        "/usr/local/bin/node",
+        "/Users/alice/.bun/install/cache/skillrepo@3.1.2/node_modules/.bin/skillrepo",
+      ],
+      env: { _: "/usr/local/bin/npx" },
+    });
+    // bunx wins because argv is checked first.
+    assert.equal(result, "bunx");
+  });
+
+  it("does not false-positive on a directory named 'dlx-utils' (substring not in pnpm cache)", () => {
+    // Defensive: `/dlx-` is the substring, but a user-named directory
+    // like `/Users/alice/utility-dlx/` doesn't trigger because the
+    // substring requires a leading `/` separator before `dlx-`.
+    const result = detectTransientRunner({
+      argv: ["/usr/local/bin/node", "/Users/alice/utility-dlx/bin/skillrepo"],
+      env: {},
+    });
+    assert.equal(result, null);
+  });
+
+  it("does not false-positive on an `npx`-named user dir without the _npx cache pattern", () => {
+    const result = detectTransientRunner({
+      argv: ["/usr/local/bin/node", "/opt/npxtools/bin/skillrepo"],
+      env: {},
+    });
+    assert.equal(result, null);
+  });
+});
+
+// ── isTransientRunnerInvocation — boolean shortcut ──────────────────
+
+describe("isTransientRunnerInvocation (boolean shortcut)", () => {
+  // The boolean version reads from process.argv / process.env directly
+  // (no override hook for this convenience wrapper). The full table
+  // of detection cases is covered above via detectTransientRunner;
+  // these tests just verify the boolean shape.
+  let originalArgv;
+  let originalUnderscore;
+
+  function setup() {
+    originalArgv = process.argv;
+    originalUnderscore = process.env._;
+    delete process.env._;
+  }
+  function teardown() {
+    process.argv = originalArgv;
+    if (originalUnderscore === undefined) delete process.env._;
+    else process.env._ = originalUnderscore;
+  }
+
+  it("returns true when argv signals a transient runner", () => {
+    setup();
+    try {
+      process.argv = [
+        "/usr/local/bin/node",
+        "/Users/alice/.npm/_npx/abc/skillrepo",
+      ];
+      assert.equal(isTransientRunnerInvocation(), true);
+    } finally {
+      teardown();
+    }
+  });
+
+  it("returns false for a stable-install argv", () => {
+    setup();
+    try {
+      process.argv = ["/usr/local/bin/node", "/usr/local/bin/skillrepo"];
+      assert.equal(isTransientRunnerInvocation(), false);
+    } finally {
+      teardown();
+    }
+  });
+});
+
+// ── isTransientCachePath — used by binary locator ──────────────────
+
+describe("isTransientCachePath", () => {
+  it("identifies an npx cache path", () => {
+    assert.equal(
+      isTransientCachePath("/Users/alice/.npm/_npx/abc/node_modules/.bin/skillrepo"),
+      true,
+    );
+  });
+
+  it("identifies a pnpm dlx cache path", () => {
+    assert.equal(
+      isTransientCachePath("/Users/alice/.local/share/pnpm/store/dlx-abc/node_modules/.bin/skillrepo"),
+      true,
+    );
+  });
+
+  it("identifies a yarn berry cache path", () => {
+    assert.equal(
+      isTransientCachePath(
+        "/Users/alice/proj/.yarn/berry/cache/skillrepo-npm-3.1.2-abc/...",
+      ),
+      true,
+    );
+  });
+
+  it("identifies a bun cache path", () => {
+    assert.equal(
+      isTransientCachePath("/Users/alice/.bun/install/cache/skillrepo@3.1.2/bin/skillrepo"),
+      true,
+    );
+  });
+
+  it("identifies a Windows-style npx cache path", () => {
+    assert.equal(
+      isTransientCachePath(
+        "C:\\Users\\alice\\.npm\\_npx\\abc\\node_modules\\.bin\\skillrepo.cmd",
+      ),
+      true,
+    );
+  });
+
+  it("returns false for a stable global path", () => {
+    assert.equal(isTransientCachePath("/usr/local/bin/skillrepo"), false);
+    assert.equal(isTransientCachePath("/opt/homebrew/bin/skillrepo"), false);
+    assert.equal(
+      isTransientCachePath("C:\\Program Files\\nodejs\\skillrepo.cmd"),
+      false,
+    );
+    assert.equal(
+      isTransientCachePath("/Users/alice/.npm-global/bin/skillrepo"),
+      false,
+    );
+  });
+});
+
+// ── globalInstallCommandFor — per-runner install hint ──────────────
+
+describe("globalInstallCommandFor", () => {
+  it("returns the right install command for each known runner", () => {
+    assert.equal(globalInstallCommandFor("npx"), "npm install -g skillrepo");
+    assert.equal(globalInstallCommandFor("pnpx"), "pnpm add -g skillrepo");
+    // yarn berry has no `yarn global add`; falls back to npm
+    // (documented in the TRANSIENT_RUNNERS comment).
+    assert.equal(globalInstallCommandFor("yarn dlx"), "npm install -g skillrepo");
+    assert.equal(globalInstallCommandFor("bunx"), "bun add -g skillrepo");
+  });
+
+  it("returns null for unknown / null runner names so callers can fall back", () => {
+    assert.equal(globalInstallCommandFor(null), null);
+    assert.equal(globalInstallCommandFor(undefined), null);
+    assert.equal(globalInstallCommandFor(""), null);
+    assert.equal(globalInstallCommandFor("not-a-real-runner"), null);
+  });
+});

package/src/test/mergers/session-hook.test.mjs

@@ -76,10 +76,11 @@ function teardown() {
 
 describe("buildHookCommand", () => {
   it("produces the exact command shape Claude Code expects (POSIX)", () => {
-    // INTENT: the shape is load-bearing in three ways (per the
-    // installer's docstring): absolute path, --session-hook flag,
-    // `|| true` backstop. A refactor that drops any of the three
-    // must fail this test loudly.
+    // INTENT: the shape is load-bearing in four ways (per the
+    // installer's docstring): absolute path, single-quoted to
+    // tolerate spaces/parens, --session-hook flag, `|| true`
+    // backstop. A refactor that drops any of the four must fail
+    // this test loudly.
     //
     // The `platform: "linux"` override is explicit because this test
     // asserts the POSIX command shape. Without it, the test runs
@@ -93,7 +94,7 @@ describe("buildHookCommand", () => {
     });
     assert.equal(
       cmd,
-      "/usr/local/bin/skillrepo update --session-hook 2>&1 || true",
+      "'/usr/local/bin/skillrepo' update --session-hook 2>&1 || true",
     );
   });
 
@@ -128,8 +129,8 @@ describe("buildHookCommand", () => {
     );
     assert.match(
       cmd,
-      /skillrepo\.cmd update --session-hook 2>&1$/,
-      "Windows hook command ends at '2>&1' — no shell backstop",
+      /skillrepo\.cmd" update --session-hook 2>&1$/,
+      "Windows hook command ends at '2>&1' — no shell backstop, with closing quote on the path",
     );
     // Fingerprint still present — remover round-trip must work on
     // Windows too.
@@ -147,6 +148,85 @@ describe("buildHookCommand", () => {
     assert.match(cmdDarwin, /\|\| true$/);
   });
 
+  it("v3.1.2: POSIX path with spaces is single-quoted", () => {
+    // Real-world case: macOS users with a space in their home dir
+    // (`/Users/First Last/.npm-global/bin/skillrepo`). The unquoted
+    // command would be parsed by the shell as multiple arguments
+    // and silently fail on session start.
+    const cmd = buildHookCommand(
+      "/Users/First Last/.npm-global/bin/skillrepo",
+      { platform: "linux" },
+    );
+    assert.equal(
+      cmd,
+      "'/Users/First Last/.npm-global/bin/skillrepo' update --session-hook 2>&1 || true",
+    );
+    // Fingerprint still present after quoting.
+    assert.ok(cmd.includes(SESSION_HOOK_FINGERPRINT));
+  });
+
+  it("v3.1.2: POSIX path with single quote escapes correctly ('\\\\'')", () => {
+    // Hardcore edge case: a path with a literal single quote. POSIX
+    // shells require closing the quote, escaping the literal `'`,
+    // then reopening — the standard `'\\''` trick.
+    const cmd = buildHookCommand("/Users/J's bin/skillrepo", {
+      platform: "linux",
+    });
+    assert.equal(
+      cmd,
+      "'/Users/J'\\''s bin/skillrepo' update --session-hook 2>&1 || true",
+    );
+    assert.ok(cmd.includes(SESSION_HOOK_FINGERPRINT));
+  });
+
+  it("v3.1.2: Windows path with spaces is double-quoted", () => {
+    // Real-world: `C:\Program Files\nodejs\skillrepo.cmd` and
+    // `C:\Program Files (x86)\...`. cmd.exe needs double quotes;
+    // backslashes inside double quotes are NOT escape characters
+    // (they pass through to the resolved path verbatim).
+    const cmd = buildHookCommand(
+      "C:\\Program Files\\nodejs\\skillrepo.cmd",
+      { platform: "win32" },
+    );
+    assert.equal(
+      cmd,
+      '"C:\\Program Files\\nodejs\\skillrepo.cmd" update --session-hook 2>&1',
+    );
+    assert.ok(cmd.includes(SESSION_HOOK_FINGERPRINT));
+  });
+
+  it("v3.1.2: Windows path with parentheses (Program Files (x86)) is preserved verbatim inside double quotes", () => {
+    const cmd = buildHookCommand(
+      "C:\\Program Files (x86)\\node\\skillrepo.cmd",
+      { platform: "win32" },
+    );
+    assert.ok(cmd.startsWith('"C:\\Program Files (x86)\\node\\skillrepo.cmd"'));
+    assert.ok(cmd.includes(SESSION_HOOK_FINGERPRINT));
+  });
+
+  it("v3.1.2: backward-compat — fingerprint matches both unquoted (v3.1.0/3.1.1) and quoted (v3.1.2+) shapes", () => {
+    // The fingerprint is `" update --session-hook"` with a leading
+    // space. That space sits between the path's closing context
+    // (a `'`/`"` quote in v3.1.2, the bare path char in v3.1.0/3.1.1)
+    // and `update`. Both shapes contain the leading-space substring.
+    // Without this contract, an upgrade from v3.1.1 to v3.1.2 would
+    // duplicate the hook entry instead of updating it in place.
+    const v311Posix =
+      "/usr/local/bin/skillrepo update --session-hook 2>&1 || true";
+    const v312Posix =
+      "'/usr/local/bin/skillrepo' update --session-hook 2>&1 || true";
+    const v311Win =
+      "C:\\path\\skillrepo.cmd update --session-hook 2>&1";
+    const v312Win =
+      '"C:\\path\\skillrepo.cmd" update --session-hook 2>&1';
+    for (const cmd of [v311Posix, v312Posix, v311Win, v312Win]) {
+      assert.ok(
+        cmd.includes(SESSION_HOOK_FINGERPRINT),
+        `fingerprint must match shape: ${cmd}`,
+      );
+    }
+  });
+
   it("rejects empty or non-string binary paths", () => {
     // INTENT: no silent production of a malformed command. The
     // installer upstream should never pass null/empty, but defensive
@@ -400,8 +480,10 @@ describe("v3.1.1 Windows hook: fingerprint + round-trip contract", () => {
       `Windows hook must NOT contain "|| true" — cmd.exe has no such builtin. Got: "${cmd}"`,
     );
     // 3. Command ends exactly at "2>&1" — sanity on the full shape.
+    //    The closing `"` is the path's wrapping quote (v3.1.2:
+    //    paths are quoted to tolerate spaces).
     assert.ok(
-      cmd.endsWith("skillrepo.cmd update --session-hook 2>&1"),
+      cmd.endsWith(`skillrepo.cmd" update --session-hook 2>&1`),
       `Windows hook command must end at "2>&1". Got: "${cmd}"`,
     );
 
@@ -643,7 +725,13 @@ describe("mergeSessionHook — idempotency", () => {
       1,
       "still exactly one SkillRepo hook (not duplicated)",
     );
-    assert.ok(skillrepoHooks[0].command.startsWith("/new/path/skillrepo"));
+    // Path is shell-quoted (v3.1.2: see buildHookCommand docstring)
+    // so the absolute path appears INSIDE the command rather than
+    // at position 0.
+    assert.ok(
+      skillrepoHooks[0].command.includes("/new/path/skillrepo"),
+      `updated hook must use new path, got: ${skillrepoHooks[0].command}`,
+    );
   });
 });
 
@@ -818,15 +906,18 @@ describe("mergeSessionHook — failure modes", () => {
   afterEach(teardown);
 
   it("returns 'skipped' (not a throw) when the binary cannot be resolved", () => {
-    // INTENT: an npx user without a global install must not have
-    // init abort — skip session sync with a warning, let the rest
-    // of init complete. Passing `binaryPath: null` explicitly
-    // simulates the `which skillrepo` resolution failing.
+    // INTENT: a caller passing `binaryPath: null` (e.g. session-sync
+    // enable under npx) must not have the action throw. Skip
+    // gracefully with an actionable reason. Init bypasses this path
+    // in v3.1.2 by passing the post-auto-install absolute path
+    // explicitly via `binaryPath`.
     ASSERT_HOME_ISOLATED();
     const result = mergeSessionHook({ binaryPath: null });
     assert.equal(result.action, "skipped");
     assert.ok(result.reason);
-    assert.match(result.reason, /global install/i);
+    // The remediation hint must mention `npm install -g` so the user
+    // has a copy-pasteable next step.
+    assert.match(result.reason, /npm install -g/);
   });
 
   it("v3.1.1 fix: returns 'skipped' under npx invocation even when `which skillrepo` would succeed", async () => {
@@ -892,6 +983,185 @@ describe("mergeSessionHook — failure modes", () => {
       /Cannot parse/i,
     );
   });
+
+  it("v3.1.2 bypass: explicit binaryPath under npx → 'updated' when prior _npx-cache hook exists", async () => {
+    // QA gap fix: the bypass-via-binaryPath contract must work
+    // for ALL three success states (installed/updated/unchanged),
+    // not just "installed" (the empty-disk case). This test
+    // exercises "updated" — pre-seed a hook with an _npx cache
+    // path command, then call merge with an explicit non-npx
+    // binaryPath, assert action is "updated" and the new path
+    // replaced the cache path.
+    ASSERT_HOME_ISOLATED();
+
+    const originalArgv = process.argv;
+    process.argv = [
+      "/usr/local/bin/node",
+      "/Users/alice/.npm/_npx/abc123/node_modules/.bin/skillrepo",
+    ];
+
+    try {
+      // Pre-seed a v3.1.0-style hook with an _npx cache path baked
+      // in (the bug v3.1.1 was trying to prevent).
+      mkdirSync(join(process.cwd(), ".claude"), { recursive: true });
+      const STALE_NPX_PATH =
+        "/Users/alice/.npm/_npx/abc123/node_modules/.bin/skillrepo";
+      const stalePath = join(
+        process.cwd(),
+        ".claude",
+        "settings.local.json",
+      );
+      writeFileSync(
+        stalePath,
+        JSON.stringify(
+          {
+            hooks: {
+              SessionStart: [
+                {
+                  hooks: [
+                    {
+                      type: "command",
+                      command: `${STALE_NPX_PATH} update --session-hook 2>&1 || true`,
+                    },
+                  ],
+                },
+              ],
+            },
+          },
+          null,
+          2,
+        ),
+      );
+
+      const { mergeSessionHook: mergeFresh } = await import(
+        "../../lib/mergers/session-hook.mjs?v312-updated-test=" + Date.now()
+      );
+      const POST_INSTALL_PATH = "/usr/local/bin/skillrepo";
+      const result = mergeFresh({ binaryPath: POST_INSTALL_PATH });
+
+      assert.equal(
+        result.action,
+        "updated",
+        "stale _npx hook with new binaryPath must be 'updated', not 'installed' or 'skipped'",
+      );
+      // The on-disk file must reflect the new path, not the cache.
+      const written = JSON.parse(readFileSync(stalePath, "utf-8"));
+      const cmd = written.hooks.SessionStart[0].hooks[0].command;
+      assert.ok(
+        cmd.includes(POST_INSTALL_PATH),
+        `updated hook must use new path, got: ${cmd}`,
+      );
+      assert.ok(
+        !cmd.includes("_npx"),
+        "updated hook must NOT leak the prior _npx cache path",
+      );
+    } finally {
+      process.argv = originalArgv;
+    }
+  });
+
+  it("v3.1.2 bypass: explicit binaryPath under npx → 'unchanged' when same hook already present", async () => {
+    // The third success state — repeated init with the same
+    // global. Idempotency: no file write, action is "unchanged".
+    ASSERT_HOME_ISOLATED();
+
+    const originalArgv = process.argv;
+    process.argv = [
+      "/usr/local/bin/node",
+      "/Users/alice/.npm/_npx/abc123/node_modules/.bin/skillrepo",
+    ];
+
+    try {
+      const POST_INSTALL_PATH = "/usr/local/bin/skillrepo";
+      const { buildHookCommand: buildFresh, mergeSessionHook: mergeFresh } =
+        await import(
+          "../../lib/mergers/session-hook.mjs?v312-unchanged-test=" + Date.now()
+        );
+      const expectedCmd = buildFresh(POST_INSTALL_PATH);
+
+      // Pre-seed the EXACT command we'd write — idempotent re-run.
+      mkdirSync(join(process.cwd(), ".claude"), { recursive: true });
+      writeFileSync(
+        join(process.cwd(), ".claude", "settings.local.json"),
+        JSON.stringify(
+          {
+            hooks: {
+              SessionStart: [
+                {
+                  hooks: [{ type: "command", command: expectedCmd }],
+                },
+              ],
+            },
+          },
+          null,
+          2,
+        ),
+      );
+
+      const result = mergeFresh({ binaryPath: POST_INSTALL_PATH });
+      assert.equal(
+        result.action,
+        "unchanged",
+        "identical hook with same binaryPath must be 'unchanged'",
+      );
+      assert.equal(result.command, expectedCmd);
+    } finally {
+      process.argv = originalArgv;
+    }
+  });
+
+  it("v3.1.2: explicit binaryPath bypasses the isNpxInvocation guard", async () => {
+    // INTENT: init's v3.1.2 auto-install flow runs `npm install -g
+    // skillrepo` itself under npx, then calls mergeSessionHook with
+    // the resulting absolute path passed explicitly via `binaryPath`.
+    // The internal `resolveSkillrepoBinary` early-returns under npx —
+    // but when the caller already has the binary path, that guard
+    // must NOT block the install. The `binaryPath` parameter is the
+    // bypass mechanism.
+    //
+    // This test is the lock-in for the v3.1.2 contract: explicit
+    // `binaryPath` short-circuits the npx detection. If a future
+    // refactor moves the npx guard into mergeSessionHook itself
+    // (rather than resolveSkillrepoBinary), this test fails — and
+    // it should.
+    ASSERT_HOME_ISOLATED();
+
+    const originalArgv = process.argv;
+    process.argv = [
+      "/usr/local/bin/node",
+      "/Users/alice/.npm/_npx/abc123/node_modules/.bin/skillrepo",
+    ];
+
+    try {
+      const { mergeSessionHook: mergeFresh, buildHookCommand: buildFresh } =
+        await import(
+          "../../lib/mergers/session-hook.mjs?v312-bypass-test=" + Date.now()
+        );
+      // Pass an absolute, stable path explicitly — the kind init's
+      // auto-install flow obtains from `resolveGlobalBinary()` after
+      // a successful `npm install -g`.
+      const POST_INSTALL_PATH = "/usr/local/bin/skillrepo";
+      const result = mergeFresh({ binaryPath: POST_INSTALL_PATH });
+      assert.equal(
+        result.action,
+        "installed",
+        "explicit binaryPath under npx must succeed, not skip",
+      );
+      // The hook command must contain the explicit path (not the
+      // _npx cache path).
+      assert.equal(result.command, buildFresh(POST_INSTALL_PATH));
+      assert.ok(
+        result.command.includes(POST_INSTALL_PATH),
+        "hook command must use the explicit path verbatim",
+      );
+      assert.ok(
+        !result.command.includes("_npx"),
+        "hook command must NOT leak the _npx cache path",
+      );
+    } finally {
+      process.argv = originalArgv;
+    }
+  });
 });
 
 describe("removeSessionHook — inverse of install", () => {