switchroom 0.7.15 → 0.10.0

package/telegram-plugin/tests/sandbox-hint-posttool.test.ts

@@ -0,0 +1,155 @@
+/**
+ * Tests for the sandbox-hint-posttool hook (Layer 2 of the sandbox UX work).
+ *
+ * Hook contract:
+ *   stdin:  PostToolUse JSON event { tool_name, tool_response, ... }
+ *   stdout: optional JSON
+ *             {"hookSpecificOutput":{"hookEventName":"PostToolUse",
+ *              "additionalContext":"..."}}
+ *   exit:   0 always.
+ *
+ * Tests spawn the hook as a subprocess (mirroring how Claude Code invokes
+ * it), feed a tool_response, and assert whether additionalContext was
+ * emitted and that it carries the load-bearing strings the agent needs.
+ */
+
+import { describe, it, expect } from 'bun:test'
+import { join } from 'path'
+import { spawnSync } from 'child_process'
+
+const HOOK_SCRIPT = join(import.meta.dir, '..', 'hooks', 'sandbox-hint-posttool.mjs')
+
+function runHook(event: object) {
+  const result = spawnSync(process.execPath, [HOOK_SCRIPT], {
+    input: JSON.stringify(event),
+    encoding: 'utf8',
+    env: process.env,
+    timeout: 5_000,
+  })
+  return result
+}
+
+function parseContext(stdout: string): string | null {
+  if (!stdout.trim()) return null
+  const parsed = JSON.parse(stdout)
+  return parsed?.hookSpecificOutput?.additionalContext ?? null
+}
+
+describe('sandbox-hint-posttool', () => {
+  it('emits sandbox hint when tool_response contains EROFS', () => {
+    const result = runHook({
+      tool_name: 'Write',
+      tool_use_id: 'toolu_001',
+      tool_response: {
+        error: "EROFS: read-only file system, open '/opt/switchroom/skills/foo.md'",
+      },
+    })
+
+    expect(result.status).toBe(0)
+    const ctx = parseContext(result.stdout)
+    expect(ctx).not.toBeNull()
+    expect(ctx).toContain('Sandbox boundary hit')
+    expect(ctx).toContain('operator action')
+    expect(ctx).toContain('Writable paths')
+  })
+
+  it('emits sandbox hint when tool_response contains "Read-only file system"', () => {
+    const result = runHook({
+      tool_name: 'Edit',
+      tool_use_id: 'toolu_002',
+      tool_response: 'mkdir: cannot create directory: Read-only file system',
+    })
+
+    expect(result.status).toBe(0)
+    const ctx = parseContext(result.stdout)
+    expect(ctx).toContain('Sandbox boundary hit')
+  })
+
+  it('emits an apt-specific hint when tool_response shows dpkg permission denied', () => {
+    const result = runHook({
+      tool_name: 'Bash',
+      tool_use_id: 'toolu_003',
+      tool_response: {
+        stderr:
+          'E: Unable to acquire the dpkg frontend lock (/var/lib/dpkg/lock-frontend), are you root?',
+      },
+    })
+
+    expect(result.status).toBe(0)
+    const ctx = parseContext(result.stdout)
+    expect(ctx).toContain('docker/Dockerfile.agent')
+    expect(ctx).toContain('rebuild')
+  })
+
+  it('emits a hint for EACCES on a rootfs path', () => {
+    const result = runHook({
+      tool_name: 'Bash',
+      tool_use_id: 'toolu_004',
+      tool_response: 'npm ERR! EACCES: permission denied, mkdir "/usr/lib/node_modules/foo"',
+    })
+
+    expect(result.status).toBe(0)
+    const ctx = parseContext(result.stdout)
+    expect(ctx).toContain('Sandbox boundary hit')
+  })
+
+  it('emits nothing when tool_response is a normal success', () => {
+    const result = runHook({
+      tool_name: 'Bash',
+      tool_use_id: 'toolu_005',
+      tool_response: { stdout: 'hello world\n', exit_code: 0 },
+    })
+
+    expect(result.status).toBe(0)
+    expect(result.stdout.trim()).toBe('')
+  })
+
+  it('emits nothing when tool_response merely mentions /usr but is not a sandbox error', () => {
+    // Guard against false positives — the agent may legitimately discuss
+    // paths under /usr in normal output (e.g. `which node` returning
+    // /usr/local/bin/node). Only EACCES / EROFS patterns should trigger.
+    const result = runHook({
+      tool_name: 'Bash',
+      tool_use_id: 'toolu_006',
+      tool_response: { stdout: '/usr/local/bin/node\n' },
+    })
+
+    expect(result.status).toBe(0)
+    expect(result.stdout.trim()).toBe('')
+  })
+
+  it('exits 0 on malformed stdin without crashing', () => {
+    const result = spawnSync(process.execPath, [HOOK_SCRIPT], {
+      input: 'not json at all',
+      encoding: 'utf8',
+      timeout: 5_000,
+    })
+    expect(result.status).toBe(0)
+    expect(result.stdout.trim()).toBe('')
+  })
+
+  it('exits 0 on empty stdin', () => {
+    const result = spawnSync(process.execPath, [HOOK_SCRIPT], {
+      input: '',
+      encoding: 'utf8',
+      timeout: 5_000,
+    })
+    expect(result.status).toBe(0)
+    expect(result.stdout.trim()).toBe('')
+  })
+
+  it('caps the scan window for huge tool_response payloads', () => {
+    // 100 KiB of harmless output followed by an EROFS — we cap at 64 KiB
+    // so this should NOT match. Keeps a runaway tool_response from
+    // pinning the hook on a regex scan.
+    const huge = 'x'.repeat(100 * 1024) + ' EROFS happened'
+    const result = runHook({
+      tool_name: 'Bash',
+      tool_use_id: 'toolu_007',
+      tool_response: { stdout: huge },
+    })
+
+    expect(result.status).toBe(0)
+    expect(result.stdout.trim()).toBe('')
+  })
+})

package/telegram-plugin/tests/secret-detect-delete-must-surface-failures.test.ts

@@ -0,0 +1,133 @@
+/**
+ * TDD-RED-first contract for the silent-delete-failure class the
+ * operator reported on 2026-05-12.
+ *
+ * Symptom: "🔒 captured a secret. we deleted it from chat" lands as
+ * a reply, but the raw secret-bearing message remains visible in
+ * chat history. The operator only finds out by scrolling, after
+ * the secret has already been screen-shot / cached / synced to
+ * other devices.
+ *
+ * Root cause: every secret-detect call site that invokes
+ * `bot.api.deleteMessage(chat_id, msgId)` does it via a raw
+ * `try { … } catch { … }` block that silently swallows the error
+ * (or, at best, logs to stderr — invisible to the operator). The
+ * gateway already has a `deleteSensitiveMessage(chat_id, msgId,
+ * reason)` helper that does the right thing — try delete, surface
+ * loudly on failure with an in-chat warning naming the message id
+ * the operator must delete manually. The four secret-detect sites
+ * weren't migrated when that helper was added (#44).
+ *
+ * The fix is mechanical: replace each `try { bot.api.deleteMessage
+ * } catch { }` in the secret-detect path with
+ * `deleteSensitiveMessage`. That's what this test pins.
+ *
+ * Failing means: at least one secret-detect path still has a raw
+ * `bot.api.deleteMessage` call wrapped in a swallow-catch — a
+ * regression of the silent-failure bug.
+ */
+
+import { describe, it, expect } from "vitest";
+import { readFileSync } from "node:fs";
+import { resolve } from "node:path";
+
+const gatewaySrc = readFileSync(
+  resolve(__dirname, "..", "gateway", "gateway.ts"),
+  "utf-8",
+);
+
+/** Slice the gateway source between two anchor strings. */
+function sliceBetween(src: string, from: string, to: string): string {
+  const start = src.indexOf(from);
+  if (start < 0) return "";
+  const end = src.indexOf(to, start);
+  return src.slice(start, end > 0 ? end : src.length);
+}
+
+describe("secret-detect — delete failures must NOT be silently swallowed (2026-05-12)", () => {
+  // The secret-detect block lives inside `handleInbound`. It runs
+  // through several branches:
+  //   - passphrase cached + high-confidence hit (stored path)
+  //   - passphrase cached + Channel-B auth-flow fallback
+  //   - no-passphrase deferred path
+  //   - pipeline-error fail-closed path
+  //
+  // Each branch deletes the raw message. None of them may use the
+  // raw `bot.api.deleteMessage` pattern wrapped in a swallow-catch
+  // — they must all route through `deleteSensitiveMessage` which
+  // surfaces failures via stderr + in-chat warning.
+
+  const secretDetectBlock = sliceBetween(
+    gatewaySrc,
+    "FAIL-CLOSED: if the pipeline throws",
+    "Status reaction controller",
+  );
+
+  it("the secret-detect block exists and is non-trivial (anchor sanity)", () => {
+    // fails when: the anchors above are renamed/moved. If this fails,
+    // update the anchors AND audit the other assertions in this file
+    // to make sure they still target the secret-detect path.
+    expect(secretDetectBlock.length).toBeGreaterThan(500);
+  });
+
+  it("no raw `bot.api.deleteMessage` calls inside the secret-detect block", () => {
+    // fails when: a code site reverts to the raw API call (which
+    // swallows on failure). All deletes here MUST route through the
+    // shared helper.
+    expect(secretDetectBlock).not.toMatch(/bot\.api\.deleteMessage/);
+  });
+
+  it("every delete in the secret-detect block goes through deleteSensitiveMessage", () => {
+    // The block currently performs deletes for four distinct cases
+    // (stored / auth-flow-fallback / deferred / pipeline-error). All
+    // four MUST land here.
+    //
+    // fails when: a refactor extracts one of the branches into a
+    // helper that doesn't use deleteSensitiveMessage, OR when a new
+    // branch is added without the helper. Either way the contract
+    // breaks.
+    const callMatches = secretDetectBlock.match(/deleteSensitiveMessage\s*\(/g) ?? [];
+    expect(
+      callMatches.length,
+      `expected ≥3 deleteSensitiveMessage calls inside the secret-detect block; got ${callMatches.length}`,
+    ).toBeGreaterThanOrEqual(3);
+  });
+
+  it("no swallow-catch pattern around delete calls in the secret-detect block", () => {
+    // The legacy pattern: `try { await bot.api.deleteMessage(...) } catch {}`
+    // OR `try { ... } catch { /* swallow */ }`. The helper handles
+    // failure surfacing, so call sites should NOT wrap the helper
+    // in another silencing catch.
+    //
+    // fails when: a refactor wraps the helper call in `try { ... } catch {}`
+    // for "robustness" — which would re-introduce the silent-failure
+    // class this PR exists to close.
+    expect(secretDetectBlock).not.toMatch(/try\s*\{[^}]*deleteSensitiveMessage[^}]*\}\s*catch\s*\{\s*\}/s);
+    // Also forbid the raw `try { bot.api.deleteMessage ... } catch {}` shape.
+    expect(secretDetectBlock).not.toMatch(/try\s*\{[^}]*bot\.api\.deleteMessage[^}]*\}\s*catch/s);
+  });
+});
+
+describe("secret-detect — deleteSensitiveMessage helper retains its 'surface failures' contract", () => {
+  // The fix only works if the helper itself surfaces failures.
+  // Pin the helper's load-bearing behavior so a future refactor
+  // can't quietly turn it into a silent-catch.
+  const helperBody = sliceBetween(
+    gatewaySrc,
+    "async function deleteSensitiveMessage",
+    "function getCommandArgs",
+  );
+
+  it("helper logs to stderr on delete failure", () => {
+    expect(helperBody).toMatch(/process\.stderr\.write/);
+    expect(helperBody).toMatch(/SECURITY:.*FAILED/);
+  });
+
+  it("helper posts an in-chat warning naming the leaked message id", () => {
+    // The warning is the only signal a mobile-only operator gets —
+    // stderr is invisible to them. Pinning the in-chat surface as
+    // the load-bearing piece.
+    expect(helperBody).toMatch(/sendMessage/);
+    expect(helperBody).toMatch(/delete message.*manually|delete it manually|manually|delete message <code>/i);
+  });
+});

package/telegram-plugin/tests/secret-detect-false-positives.test.ts

@@ -0,0 +1,137 @@
+/**
+ * TDD-RED-first contract tests for the false-positive class the
+ * operator reported on 2026-05-12.
+ *
+ * Symptom: casual chat that MENTIONS the words "secret", "token",
+ * "password", or an ALLCAPS *_KEY/_TOKEN/_SECRET identifier triggers
+ * the redaction pipeline as if the user just pasted a real credential
+ * — original message gets deleted, ambiguous-card lands, the operator
+ * has to dismiss it. Worst case: the operator is asking the agent
+ * *about* a secret ("delete the secret I sent yesterday") and gets
+ * stuck in a redaction-of-the-question loop.
+ *
+ * The pre-fix `env_key_value` pattern in patterns.ts:71 is the
+ * load-bearing culprit:
+ *
+ *   /\b([A-Z0-9_]*(?:KEY|TOKEN|SECRET|PASSWORD|PASSWD))\b\s*[=:]\s*
+ *     (["']?)([^\s"'\\]+)\2/g
+ *
+ * It matches ANY value after `SECRET=` / `TOKEN=` with no entropy
+ * gate, no length floor, no shape check on the value. Trivially fires
+ * on `SECRET=foo`, `MY_KEY=bar`, even `FATSECRET=hello`.
+ *
+ * The pre-fix `kv_entropy` pattern in kv-scanner.ts:30 has a 4.0
+ * entropy gate which catches some — but `kv_entropy` is the
+ * lower-confidence layer and doesn't run when the higher-confidence
+ * `env_key_value` already fired. Tightening env_key_value is the
+ * right place to land the fix.
+ *
+ * Each test is the contract: detection MUST NOT fire on the listed
+ * input. Failing means the pipeline still flags the input as a hit.
+ * The fix adds an entropy + length floor to env_key_value to match
+ * the existing kv_entropy precedent.
+ */
+
+import { describe, it, expect } from "vitest";
+import { detectSecrets } from "../secret-detect/index.js";
+
+describe("secret-detect — does NOT fire on casual mentions of 'secret' / 'token' / 'password'", () => {
+  // The "operator asking the agent about a secret" cases.
+  // Pre-fix: env_key_value matches "SECRET=" anywhere; these were
+  // tripping. Post-fix: entropy + length gate on the value.
+  it.each([
+    [
+      "operator asks for a secret by name",
+      "what's my fatsecret token?",
+    ],
+    [
+      "operator references a deleted prior message",
+      "please delete that secret you sent earlier",
+    ],
+    [
+      "agent name contains 'secret' as a substring (FatSecret API)",
+      "the FatSecret API needs an OAuth token — can you wire it up?",
+    ],
+    [
+      "human language sentence with 'password' as a noun",
+      "I keep forgetting my password again",
+    ],
+    [
+      "fragment that mentions an env var by name but no value",
+      "the FATSECRET_TOKEN env var is missing",
+    ],
+    [
+      "code-shaped placeholder, value is human-readable English",
+      "set FOO_SECRET=hello and try again",
+    ],
+    [
+      "shell example with placeholder value (test fixture style)",
+      "run: export OPENAI_API_KEY=sk-yourkey",
+    ],
+  ])("%s — %j", (_label, text) => {
+    const hits = detectSecrets(text);
+    expect(
+      hits,
+      `false positive on ${JSON.stringify(text)} — hits=${JSON.stringify(hits.map((h) => h.matched_text))}`,
+    ).toEqual([]);
+  });
+});
+
+describe("secret-detect — DOES still fire on actually-shaped secrets (regression guard)", () => {
+  // After tightening env_key_value, these MUST still be caught.
+  // Locking in so a future regex-tightening doesn't over-shoot.
+  // Values constructed at runtime so the source file doesn't trip
+  // GitHub Push Protection — same pattern as
+  // secret-detect-secretlint.test.ts:1.
+  const fakeApiKey = `sk-ant-${"a1b2c3d4".repeat(4)}XYZ987`; // sk-ant- + 32 chars
+  const fakeBearer = `${"abc123".repeat(8)}.${"def456".repeat(4)}`;
+  const fakeRandom = `${"x9zM4kP3qR7sT2vW".repeat(2)}`; // 32 chars, high entropy
+
+  it.each([
+    [
+      "real-shaped Anthropic API key (anchored prefix path)",
+      `export ANTHROPIC_API_KEY=${fakeApiKey}`,
+    ],
+    [
+      "real-shaped Bearer token (anchored Bearer path)",
+      `Authorization: Bearer ${fakeBearer}`,
+    ],
+    [
+      "uppercase env_key_value with high-entropy value (must still match)",
+      `MYAPP_API_KEY=${fakeRandom}`,
+    ],
+  ])("%s — %j", (_label, text) => {
+    const hits = detectSecrets(text);
+    expect(
+      hits.length,
+      `regression: expected a hit on ${JSON.stringify(text)} but pipeline returned 0`,
+    ).toBeGreaterThanOrEqual(1);
+  });
+});
+
+describe("secret-detect — boundary cases that pin the fix's shape", () => {
+  it("short low-entropy value after KEY= is NOT flagged", () => {
+    // pre-fix: matches; post-fix: filtered by entropy/length gate.
+    expect(detectSecrets("MY_API_KEY=foo")).toEqual([]);
+  });
+
+  it("English word after KEY= is NOT flagged", () => {
+    expect(detectSecrets("MY_TOKEN=hello")).toEqual([]);
+  });
+
+  it("long but low-entropy value after KEY= is NOT flagged (repeating chars)", () => {
+    // 32 chars but all 'a' — Shannon entropy ~0. Real secrets are
+    // dense; this is template/placeholder shape.
+    expect(detectSecrets(`MY_KEY=${"a".repeat(32)}`)).toEqual([]);
+  });
+
+  it("high-entropy value after KEY= IS flagged (the fix doesn't break detection)", () => {
+    // 32 chars of base64-ish noise. Should match.
+    const hits = detectSecrets(
+      // Build the value via concat to avoid Push-Protection trip on a
+      // contiguous secret-shaped literal.
+      `MY_API_KEY=${"k" + "9zMpQrT2vBxYuFnGwL8cHj"}`,
+    );
+    expect(hits.length).toBeGreaterThanOrEqual(1);
+  });
+});