skimpyclaw 0.3.14 → 0.4.0

package/dist/__tests__/codex-auth.test.js

@@ -0,0 +1,66 @@
+import { afterEach, describe, expect, it } from 'vitest';
+import { mkdtempSync, rmSync, writeFileSync } from 'fs';
+import { join } from 'path';
+import { homedir, tmpdir } from 'os';
+import { loadCodexAuth, resolveCodexAuthPath } from '../providers/codex.js';
+const tempDirs = [];
+function base64UrlJson(value) {
+    return Buffer.from(JSON.stringify(value))
+        .toString('base64')
+        .replace(/=/g, '')
+        .replace(/\+/g, '-')
+        .replace(/\//g, '_');
+}
+function fakeJwt(payload) {
+    return `${base64UrlJson({ alg: 'none' })}.${base64UrlJson(payload)}.signature`;
+}
+function writeAuthFile(raw) {
+    const dir = mkdtempSync(join(tmpdir(), 'skimpyclaw-codex-auth-'));
+    tempDirs.push(dir);
+    const path = join(dir, 'auth.json');
+    writeFileSync(path, JSON.stringify(raw), 'utf-8');
+    return path;
+}
+afterEach(() => {
+    for (const dir of tempDirs.splice(0)) {
+        rmSync(dir, { recursive: true, force: true });
+    }
+});
+describe('Codex auth loading', () => {
+    it('uses ~/.codex/auth.json as the default auth path', () => {
+        expect(resolveCodexAuthPath()).toBe(join(homedir(), '.codex', 'auth.json'));
+        expect(resolveCodexAuthPath('~/.codex/auth.json')).toBe(join(homedir(), '.codex', 'auth.json'));
+    });
+    it('reads the current Codex CLI account id field from tokens.account_id', () => {
+        const token = fakeJwt({ exp: Math.floor(Date.now() / 1000) + 3600 });
+        const path = writeAuthFile({
+            auth_mode: 'chatgpt',
+            tokens: {
+                access_token: token,
+                account_id: 'acct-from-file',
+            },
+        });
+        expect(loadCodexAuth(path)).toEqual({
+            accessToken: token,
+            accountId: 'acct-from-file',
+        });
+    });
+    it('falls back to the ChatGPT account id embedded in the access token', () => {
+        const token = fakeJwt({
+            exp: Math.floor(Date.now() / 1000) + 3600,
+            'https://api.openai.com/auth': {
+                chatgpt_account_id: 'acct-from-jwt',
+            },
+        });
+        const path = writeAuthFile({
+            auth_mode: 'chatgpt',
+            tokens: {
+                access_token: token,
+            },
+        });
+        expect(loadCodexAuth(path)).toEqual({
+            accessToken: token,
+            accountId: 'acct-from-jwt',
+        });
+    });
+});

package/dist/__tests__/codex-provider-gating.test.js

@@ -0,0 +1,35 @@
+import { describe, expect, it, vi } from 'vitest';
+import { chatWithToolsCodex } from '../providers/codex.js';
+const { mockRunToolLoop } = vi.hoisted(() => ({
+    mockRunToolLoop: vi.fn(),
+}));
+vi.mock('../providers/tool-loop.js', () => ({
+    runToolLoop: mockRunToolLoop,
+}));
+describe('chatWithToolsCodex unified loop gating', () => {
+    const baseConfig = {
+        gateway: { port: 18790, mode: 'local' },
+        agents: { default: 'main', list: {} },
+        models: { providers: {}, aliases: {} },
+        channels: { telegram: { enabled: false, token: 't', allowFrom: [] } },
+        cron: { jobs: [] },
+        heartbeat: { intervalMs: 300000, prompt: 'HEARTBEAT' },
+    };
+    const baseToolConfig = {
+        enabled: true,
+        allowedPaths: ['/tmp'],
+        maxIterations: 0,
+    };
+    it('uses unified runToolLoop with maxIterations default of 100', async () => {
+        mockRunToolLoop.mockResolvedValueOnce({ response: 'unified', toolCalls: [] });
+        const result = await chatWithToolsCodex({
+            messages: [{ role: 'user', content: 'hi' }],
+            options: { model: 'codex/gpt-5.3-codex' },
+            config: baseConfig,
+            toolConfig: baseToolConfig,
+        });
+        expect(mockRunToolLoop).toHaveBeenCalledOnce();
+        expect(mockRunToolLoop.mock.calls[0][4].maxIterations).toBe(100);
+        expect(result.response).toBe('unified');
+    });
+});

package/dist/__tests__/codex-unified-loop.test.js

@@ -0,0 +1,111 @@
+import { beforeEach, describe, expect, it, vi } from 'vitest';
+import { runToolLoop } from '../providers/tool-loop.js';
+import { CodexAdapter } from '../providers/adapters/codex-adapter.js';
+const { mockCodexFetch, mockParseCodexSSE, mockExecuteTool, mockGetToolDefinitions } = vi.hoisted(() => ({
+    mockCodexFetch: vi.fn(),
+    mockParseCodexSSE: vi.fn(),
+    mockExecuteTool: vi.fn(),
+    mockGetToolDefinitions: vi.fn(),
+}));
+vi.mock('../providers/codex.js', () => ({
+    codexFetch: mockCodexFetch,
+    parseCodexSSE: mockParseCodexSSE,
+    recordCodexUsage: vi.fn(),
+}));
+vi.mock('../tools.js', () => ({
+    getToolDefinitions: mockGetToolDefinitions,
+    executeTool: mockExecuteTool,
+}));
+vi.mock('../audit.js', () => ({
+    startTrace: vi.fn().mockReturnValue('trace-1'),
+    addEvent: vi.fn(),
+    endTrace: vi.fn().mockResolvedValue(undefined),
+}));
+describe('Codex unified tool loop', () => {
+    const adapter = new CodexAdapter();
+    let messages;
+    let options;
+    let config;
+    let toolConfig;
+    beforeEach(() => {
+        messages = [
+            { role: 'system', content: 'You are helpful' },
+            { role: 'user', content: 'Do the thing' },
+        ];
+        options = { model: 'codex/gpt-5.3-codex' };
+        config = {
+            gateway: { port: 18790, mode: 'local' },
+            agents: { default: 'main', list: {} },
+            models: { providers: {}, aliases: {} },
+            channels: { telegram: { enabled: false, token: 't', allowFrom: [] } },
+            cron: { jobs: [] },
+            heartbeat: { intervalMs: 300000, prompt: 'HEARTBEAT' },
+        };
+        toolConfig = { enabled: true, allowedPaths: ['/tmp'], maxIterations: 4 };
+        mockCodexFetch.mockReset();
+        mockParseCodexSSE.mockReset();
+        mockExecuteTool.mockReset();
+        mockGetToolDefinitions.mockReset();
+        mockGetToolDefinitions.mockResolvedValue([{ name: 'Read', description: 'Read', input_schema: { type: 'object' } }]);
+        mockExecuteTool.mockResolvedValue('tool output');
+    });
+    it('runs a normal tool-call cycle and returns final assistant response', async () => {
+        mockCodexFetch.mockResolvedValueOnce('sse-1').mockResolvedValueOnce('sse-2');
+        mockParseCodexSSE
+            .mockReturnValueOnce({
+            outputText: '',
+            functionCalls: [{ callId: 'fc_1', name: 'Read', arguments: '{"path":"a.txt"}' }],
+            response: {
+                usage: { input_tokens: 10, output_tokens: 5 },
+                output: [{ type: 'function_call', call_id: 'fc_1', name: 'Read', arguments: '{"path":"a.txt"}' }],
+            },
+        })
+            .mockReturnValueOnce({
+            outputText: 'Final answer',
+            functionCalls: [],
+            response: { usage: { input_tokens: 8, output_tokens: 4 }, output: [] },
+        });
+        const result = await runToolLoop(adapter, messages, options, config, toolConfig);
+        expect(result.response).toBe('Final answer');
+        expect(result.toolCalls).toHaveLength(1);
+        expect(mockExecuteTool).toHaveBeenCalledWith('Read', { path: 'a.txt' }, toolConfig, undefined);
+    });
+    it('terminates immediately when first response has no tool calls', async () => {
+        mockCodexFetch.mockResolvedValueOnce('sse-1');
+        mockParseCodexSSE.mockReturnValueOnce({
+            outputText: 'Done',
+            functionCalls: [],
+            response: { usage: { input_tokens: 3, output_tokens: 2 }, output: [] },
+        });
+        const result = await runToolLoop(adapter, messages, options, config, toolConfig);
+        expect(result.response).toBe('Done');
+        expect(result.toolCalls).toEqual([]);
+        expect(mockCodexFetch).toHaveBeenCalledTimes(1);
+    });
+    it('stops at max iterations when tool calls continue', async () => {
+        toolConfig.maxIterations = 2;
+        mockCodexFetch.mockResolvedValue('sse-loop');
+        mockParseCodexSSE.mockReturnValue({
+            outputText: '',
+            functionCalls: [{ callId: 'fc_loop', name: 'Read', arguments: '{"path":"a.txt"}' }],
+            response: {
+                usage: { input_tokens: 10, output_tokens: 5 },
+                output: [{ type: 'function_call', call_id: 'fc_loop', name: 'Read', arguments: '{"path":"a.txt"}' }],
+            },
+        });
+        const result = await runToolLoop(adapter, messages, options, config, toolConfig);
+        expect(result.response).toContain('maximum iterations');
+        expect(mockCodexFetch).toHaveBeenCalledTimes(3);
+        expect(mockCodexFetch.mock.calls[2][0].tools).toBeUndefined();
+    });
+    it('requests tool definitions with MCP enabled for Codex', async () => {
+        mockCodexFetch.mockResolvedValueOnce('sse-1');
+        mockParseCodexSSE.mockReturnValueOnce({
+            outputText: 'Done',
+            functionCalls: [],
+            response: { usage: { input_tokens: 1, output_tokens: 1 }, output: [] },
+        });
+        await runToolLoop(adapter, messages, options, config, toolConfig);
+        expect(mockGetToolDefinitions).toHaveBeenCalledWith(toolConfig, expect.objectContaining({ includeMcp: true }));
+    });
+});

package/dist/__tests__/config-security.test.js

@@ -0,0 +1,127 @@
+import { beforeEach, describe, expect, it, vi } from 'vitest';
+const mockFs = vi.hoisted(() => ({
+    existsSync: vi.fn(),
+    readFileSync: vi.fn(),
+    writeFileSync: vi.fn(),
+    chmodSync: vi.fn(),
+    mkdirSync: vi.fn(),
+    readdirSync: vi.fn(() => []),
+    statSync: vi.fn(() => ({ mtime: new Date(), size: 0 })),
+}));
+const mockDotenvConfig = vi.hoisted(() => vi.fn());
+const mockSecureStore = vi.hoisted(() => ({
+    getSecureValue: vi.fn(),
+    setSecureValue: vi.fn(),
+    requireSecureStore: vi.fn(),
+}));
+vi.mock('fs', () => ({
+    existsSync: mockFs.existsSync,
+    readFileSync: mockFs.readFileSync,
+    writeFileSync: mockFs.writeFileSync,
+    chmodSync: mockFs.chmodSync,
+    mkdirSync: mockFs.mkdirSync,
+    readdirSync: mockFs.readdirSync,
+    statSync: mockFs.statSync,
+}));
+vi.mock('dotenv', () => ({
+    default: {
+        config: mockDotenvConfig,
+    },
+}));
+vi.mock('../secure-store.js', () => ({
+    getSecureValue: mockSecureStore.getSecureValue,
+    setSecureValue: mockSecureStore.setSecureValue,
+    requireSecureStore: mockSecureStore.requireSecureStore,
+}));
+vi.mock('os', () => ({
+    homedir: () => '/mock-home',
+}));
+describe('config security hardening', () => {
+    beforeEach(() => {
+        vi.clearAllMocks();
+        vi.resetModules();
+        mockFs.existsSync.mockReturnValue(true);
+        mockFs.readFileSync.mockReturnValue('{}');
+        mockSecureStore.getSecureValue.mockReturnValue('resolved-secret');
+    });
+    it('enforces mode 0600 when saving config', async () => {
+        const { saveConfig } = await import('../config.js');
+        saveConfig({ gateway: { port: 18790 } });
+        expect(mockFs.mkdirSync).toHaveBeenCalledWith('/mock-home/.skimpyclaw', { recursive: true });
+        expect(mockFs.writeFileSync).toHaveBeenCalledWith('/mock-home/.skimpyclaw/config.json', expect.any(String), { encoding: 'utf-8', mode: 0o600 });
+        expect(mockFs.chmodSync).toHaveBeenCalledWith('/mock-home/.skimpyclaw/config.json', 0o600);
+    });
+    it('migrates plaintext secrets to keychain references when saving config', async () => {
+        const originalPlatform = process.platform;
+        Object.defineProperty(process, 'platform', { value: 'darwin', configurable: true });
+        try {
+            const { saveConfig } = await import('../config.js');
+            saveConfig({
+                gateway: { port: 18790 },
+                channels: { telegram: { token: 'tg-plain-secret' } },
+                models: { providers: { openai: { apiKey: 'sk-plain-secret' } } },
+            });
+            expect(mockSecureStore.requireSecureStore).toHaveBeenCalled();
+            expect(mockSecureStore.setSecureValue).toHaveBeenCalledWith('skimpyclaw-config', 'channels.telegram.token', 'tg-plain-secret');
+            expect(mockSecureStore.setSecureValue).toHaveBeenCalledWith('skimpyclaw-config', 'models.providers.openai.apiKey', 'sk-plain-secret');
+            const written = mockFs.writeFileSync.mock.calls[0][1];
+            expect(written).toContain('${KEYCHAIN:skimpyclaw-config/channels.telegram.token}');
+            expect(written).toContain('${KEYCHAIN:skimpyclaw-config/models.providers.openai.apiKey}');
+        }
+        finally {
+            Object.defineProperty(process, 'platform', { value: originalPlatform, configurable: true });
+        }
+    });
+    it('enforces mode 0600 when generating dashboard token', async () => {
+        mockFs.readFileSync.mockReturnValue(JSON.stringify({ gateway: { port: 18790 } }));
+        const { ensureDashboardToken } = await import('../config.js');
+        const cfg = { gateway: { port: 18790 } };
+        const token = ensureDashboardToken(cfg);
+        expect(typeof token).toBe('string');
+        expect(cfg.dashboard.token).toBe(token);
+        expect(mockFs.writeFileSync).toHaveBeenCalledWith('/mock-home/.skimpyclaw/config.json', expect.any(String), { encoding: 'utf-8', mode: 0o600 });
+        expect(mockFs.chmodSync).toHaveBeenCalledWith('/mock-home/.skimpyclaw/config.json', 0o600);
+    });
+    it('resolves ${KEYCHAIN:service/account} references', async () => {
+        mockFs.readFileSync.mockReturnValue(JSON.stringify({
+            models: { providers: { openai: { apiKey: '${KEYCHAIN:skimpy/service-account}' } } },
+        }));
+        const { loadConfig } = await import('../config.js');
+        const cfg = loadConfig();
+        expect(cfg.models.providers.openai.apiKey).toBe('resolved-secret');
+        expect(mockSecureStore.getSecureValue).toHaveBeenCalledWith('skimpy', 'service-account');
+    });
+    it('migrates legacy plaintext secrets on load for backward compatibility', async () => {
+        const originalPlatform = process.platform;
+        Object.defineProperty(process, 'platform', { value: 'darwin', configurable: true });
+        mockFs.readFileSync.mockReturnValue(JSON.stringify({
+            channels: { telegram: { token: 'legacy-token' } },
+            models: { providers: { openai: { apiKey: 'legacy-api-key' } } },
+        }));
+        try {
+            const { loadConfig } = await import('../config.js');
+            const cfg = loadConfig();
+            expect(cfg.channels.telegram.token).toBe('resolved-secret');
+            expect(cfg.models.providers.openai.apiKey).toBe('resolved-secret');
+            expect(mockSecureStore.setSecureValue).toHaveBeenCalledTimes(2);
+            expect(mockFs.writeFileSync).toHaveBeenCalled();
+        }
+        finally {
+            Object.defineProperty(process, 'platform', { value: originalPlatform, configurable: true });
+        }
+    });
+    it('throws a clear error when secure store is unavailable during migration', async () => {
+        const originalPlatform = process.platform;
+        Object.defineProperty(process, 'platform', { value: 'darwin', configurable: true });
+        mockSecureStore.requireSecureStore.mockImplementation(() => {
+            throw new Error('[secure-store] Secret storage requires macOS Keychain, but it is unavailable');
+        });
+        try {
+            const { saveConfig } = await import('../config.js');
+            expect(() => saveConfig({ channels: { telegram: { token: 'tg-secret' } } })).toThrow('requires macOS Keychain');
+        }
+        finally {
+            Object.defineProperty(process, 'platform', { value: originalPlatform, configurable: true });
+        }
+    });
+});

package/dist/__tests__/config.test.js

@@ -1,4 +1,5 @@
 import { describe, expect, it, vi } from 'vitest';
+import { resolveAllowedPaths } from '../config.js';
 describe('config env var expansion', () => {
     it('warns on console when expanding undefined env vars', async () => {
         // Ensure the test var doesn't exist
@@ -44,3 +45,25 @@ describe('config env var expansion', () => {
         delete process.env.SKIMPYCLAW_TEST_PRESENT_VAR;
     });
 });
+describe('resolveAllowedPaths', () => {
+    it('appends project paths to channel overrides', () => {
+        const config = {
+            projects: {
+                wpcom: '/Users/example/Sites/wpcom',
+            },
+        };
+        expect(resolveAllowedPaths(config, ['/Users/example/.skimpyclaw'])).toEqual([
+            '/Users/example/.skimpyclaw',
+            '/Users/example/Sites/wpcom',
+        ]);
+    });
+    it('deduplicates project paths already present in allowed paths', () => {
+        const config = {
+            allowedPaths: ['/Users/example/Sites/wpcom'],
+            projects: {
+                wpcom: '/Users/example/Sites/wpcom',
+            },
+        };
+        expect(resolveAllowedPaths(config)).toEqual(['/Users/example/Sites/wpcom']);
+    });
+});