From 53c6807daeb3dae72cdf245c9b150fc02c43f055 Mon Sep 17 00:00:00 2001
From: Mariano Belinky <mbelinky@gmail.com>
Date: Sat, 14 Feb 2026 14:52:01 +0000
Subject: [PATCH] iOS tests: assert no dangerous system exec commands in node
 declarations

---
 .../GatewayConnectionControllerTests.swift    | 42 +++++++++++++++++++
 1 file changed, 42 insertions(+)

diff --git a/apps/ios/Tests/GatewayConnectionControllerTests.swift b/apps/ios/Tests/GatewayConnectionControllerTests.swift
index 0d3bdbba0ee..609721784d8 100644
--- a/apps/ios/Tests/GatewayConnectionControllerTests.swift
+++ b/apps/ios/Tests/GatewayConnectionControllerTests.swift
@@ -76,4 +76,46 @@ private func withUserDefaults<T>(_ updates: [String: Any?], _ body: () throws ->
             #expect(commands.contains(OpenClawLocationCommand.get.rawValue))
         }
     }
+    @Test @MainActor func currentCommandsExcludeDangerousSystemExecCommands() {
+        withUserDefaults([
+            "node.instanceId": "ios-test",
+            "camera.enabled": true,
+            "location.enabledMode": OpenClawLocationMode.whileUsing.rawValue,
+        ]) {
+            let appModel = NodeAppModel()
+            let controller = GatewayConnectionController(appModel: appModel, startDiscovery: false)
+            let commands = Set(controller._test_currentCommands())
+
+            // iOS should expose notify, but not host shell/exec-approval commands.
+            #expect(commands.contains(OpenClawSystemCommand.notify.rawValue))
+            #expect(!commands.contains(OpenClawSystemCommand.run.rawValue))
+            #expect(!commands.contains(OpenClawSystemCommand.which.rawValue))
+            #expect(!commands.contains(OpenClawSystemCommand.execApprovalsGet.rawValue))
+            #expect(!commands.contains(OpenClawSystemCommand.execApprovalsSet.rawValue))
+        }
+    }
+
+    @Test @MainActor func loadLastConnectionReadsSavedValues() {
+        withUserDefaults([
+            "gateway.lastHost": "gateway.example.com",
+            "gateway.lastPort": 443,
+            "gateway.lastTls": true,
+        ]) {
+            let loaded = GatewayConnectionController.loadLastConnection(defaults: .standard)
+            #expect(loaded?.host == "gateway.example.com")
+            #expect(loaded?.port == 443)
+            #expect(loaded?.useTLS == true)
+        }
+    }
+
+    @Test @MainActor func loadLastConnectionReturnsNilForInvalidData() {
+        withUserDefaults([
+            "gateway.lastHost": "",
+            "gateway.lastPort": 0,
+            "gateway.lastTls": false,
+        ]) {
+            let loaded = GatewayConnectionController.loadLastConnection(defaults: .standard)
+            #expect(loaded == nil)
+        }
+    }
 }