test: trim runtime approval matrix duplicates

src/node-host/invoke-system-run-plan.test.ts

@@ -284,51 +284,12 @@ const unsafeRuntimeInvocationCases: UnsafeRuntimeInvocationCase[] = [
       fs.writeFileSync(path.join(tmp, "awk"), "bait\n");
     },
   },
-  {
-    name: "rejects busybox shell applets that forward inline commands",
-    binName: "busybox",
-    tmpPrefix: "openclaw-busybox-shell-inline-",
-    command: ["busybox", "sh", "-c", "echo SAFE"],
-  },
-  {
-    name: "rejects busybox shell applets with script file operands",
-    binName: "busybox",
-    tmpPrefix: "openclaw-busybox-shell-file-",
-    command: ["busybox", "sh", "./run.sh"],
-    setup: (tmp) => {
-      fs.writeFileSync(path.join(tmp, "run.sh"), "#!/bin/sh\necho SAFE\n");
-    },
-  },
   {
     name: "rejects toybox applets that cannot be safely bound",
     binName: "toybox",
     tmpPrefix: "openclaw-toybox-awk-",
     command: ["toybox", "awk", 'BEGIN{system("id")}'],
   },
-  {
-    name: "rejects toybox applets even when cwd contains a file named after the applet",
-    binName: "toybox",
-    tmpPrefix: "openclaw-toybox-awk-file-bait-",
-    command: ["toybox", "awk", 'BEGIN{system("id")}'],
-    setup: (tmp) => {
-      fs.writeFileSync(path.join(tmp, "awk"), "bait\n");
-    },
-  },
-  {
-    name: "rejects toybox shell applets that forward inline commands",
-    binName: "toybox",
-    tmpPrefix: "openclaw-toybox-shell-inline-",
-    command: ["toybox", "ash", "-lc", "echo SAFE"],
-  },
-  {
-    name: "rejects toybox shell applets with script file operands",
-    binName: "toybox",
-    tmpPrefix: "openclaw-toybox-shell-file-",
-    command: ["toybox", "ash", "./run.sh"],
-    setup: (tmp) => {
-      fs.writeFileSync(path.join(tmp, "run.sh"), "#!/bin/sh\necho SAFE\n");
-    },
-  },
   {
     name: "rejects node inline import operands that cannot be bound to one stable file",
     binName: "node",
@@ -348,15 +309,6 @@ const unsafeRuntimeInvocationCases: UnsafeRuntimeInvocationCase[] = [
       fs.writeFileSync(path.join(tmp, "safe.rb"), 'puts "SAFE"\n');
     },
   },
-  {
-    name: "rejects ruby load-path flags that can redirect module resolution after approval",
-    binName: "ruby",
-    tmpPrefix: "openclaw-ruby-load-path-",
-    command: ["ruby", "-I.", "./safe.rb"],
-    setup: (tmp) => {
-      fs.writeFileSync(path.join(tmp, "safe.rb"), 'puts "SAFE"\n');
-    },
-  },
   {
     name: "rejects perl module preloads that approval cannot bind completely",
     binName: "perl",
@@ -375,15 +327,6 @@ const unsafeRuntimeInvocationCases: UnsafeRuntimeInvocationCase[] = [
       fs.writeFileSync(path.join(tmp, "safe.pl"), 'print "SAFE\\n";\n');
     },
   },
-  {
-    name: "rejects perl combined preload and load-path flags",
-    binName: "perl",
-    tmpPrefix: "openclaw-perl-preload-load-path-",
-    command: ["perl", "-Ilib", "-MPreload", "./safe.pl"],
-    setup: (tmp) => {
-      fs.writeFileSync(path.join(tmp, "safe.pl"), 'print "SAFE\\n";\n');
-    },
-  },
   {
     name: "rejects shell payloads that hide mutable interpreter scripts",
     binName: "node",
@@ -402,15 +345,6 @@ const unsafeRuntimeInvocationCases: UnsafeRuntimeInvocationCase[] = [
       fs.writeFileSync(path.join(tmp, "run.ts"), 'console.log("SAFE")\n');
     },
   },
-  {
-    name: "rejects pnpm dlx invocations with unrecognized global flags before dlx when they hide a mutable script",
-    binName: "pnpm",
-    tmpPrefix: "openclaw-pnpm-dlx-unknown-prefix-",
-    command: ["pnpm", "--future-flag", "dlx", "tsx", "./run.ts"],
-    setup: (tmp) => {
-      fs.writeFileSync(path.join(tmp, "run.ts"), 'console.log("SAFE")\n');
-    },
-  },
   {
     name: "rejects pnpm dlx invocations with unrecognized global flags that take a value before dlx",
     binName: "pnpm",
@@ -420,15 +354,6 @@ const unsafeRuntimeInvocationCases: UnsafeRuntimeInvocationCase[] = [
       fs.writeFileSync(path.join(tmp, "run.ts"), 'console.log("SAFE")\n');
     },
   },
-  {
-    name: "rejects pnpm dlx invocations with unrecognized flags after a global option terminator",
-    binName: "pnpm",
-    tmpPrefix: "openclaw-pnpm-dlx-global-double-dash-",
-    command: ["pnpm", "--", "dlx", "--future-flag", "tsx", "./run.ts"],
-    setup: (tmp) => {
-      fs.writeFileSync(path.join(tmp, "run.ts"), 'console.log("SAFE")\n');
-    },
-  },
 ];
 
 describe("hardenApprovedExecutionPaths", () => {
@@ -568,14 +493,6 @@ describe("hardenApprovedExecutionPaths", () => {
       initialBody: 'print("SAFE")\n',
       expectedArgvIndex: 1,
     },
-    {
-      name: "pypy direct file",
-      binName: "pypy",
-      argv: ["pypy", "./run.py"],
-      scriptName: "run.py",
-      initialBody: 'print("SAFE")\n',
-      expectedArgvIndex: 1,
-    },
     {
       name: "versioned node alias file",
       binName: "node20",
@@ -592,38 +509,6 @@ describe("hardenApprovedExecutionPaths", () => {
       initialBody: 'console.log("SAFE");\n',
       expectedArgvIndex: 1,
     },
-    {
-      name: "jiti direct file",
-      binName: "jiti",
-      argv: ["jiti", "./run.ts"],
-      scriptName: "run.ts",
-      initialBody: 'console.log("SAFE");\n',
-      expectedArgvIndex: 1,
-    },
-    {
-      name: "ts-node direct file",
-      binName: "ts-node",
-      argv: ["ts-node", "./run.ts"],
-      scriptName: "run.ts",
-      initialBody: 'console.log("SAFE");\n',
-      expectedArgvIndex: 1,
-    },
-    {
-      name: "vite-node direct file",
-      binName: "vite-node",
-      argv: ["vite-node", "./run.ts"],
-      scriptName: "run.ts",
-      initialBody: 'console.log("SAFE");\n',
-      expectedArgvIndex: 1,
-    },
-    {
-      name: "bun direct file",
-      binName: "bun",
-      argv: ["bun", "./run.ts"],
-      scriptName: "run.ts",
-      initialBody: 'console.log("SAFE");\n',
-      expectedArgvIndex: 1,
-    },
     {
       name: "bun run file",
       binName: "bun",
@@ -640,22 +525,6 @@ describe("hardenApprovedExecutionPaths", () => {
       initialBody: 'console.log("SAFE");\n',
       expectedArgvIndex: 5,
     },
-    {
-      name: "bun test file",
-      binName: "bun",
-      argv: ["bun", "test", "./run.test.ts"],
-      scriptName: "run.test.ts",
-      initialBody: 'console.log("SAFE");\n',
-      expectedArgvIndex: 2,
-    },
-    {
-      name: "deno test file",
-      binName: "deno",
-      argv: ["deno", "test", "./run.test.ts"],
-      scriptName: "run.test.ts",
-      initialBody: 'console.log("SAFE");\n',
-      expectedArgvIndex: 2,
-    },
     {
       name: "pnpm exec tsx file",
       argv: ["pnpm", "exec", "tsx", "./run.ts"],
@@ -663,27 +532,6 @@ describe("hardenApprovedExecutionPaths", () => {
       initialBody: 'console.log("SAFE");\n',
       expectedArgvIndex: 3,
     },
-    {
-      name: "pnpm parallel exec tsx file",
-      argv: ["pnpm", "--parallel", "exec", "tsx", "./run.ts"],
-      scriptName: "run.ts",
-      initialBody: 'console.log("SAFE");\n',
-      expectedArgvIndex: 4,
-    },
-    {
-      name: "pnpm workspace-root exec tsx file",
-      argv: ["pnpm", "-w", "exec", "tsx", "./run.ts"],
-      scriptName: "run.ts",
-      initialBody: 'console.log("SAFE");\n',
-      expectedArgvIndex: 4,
-    },
-    {
-      name: "pnpm workspace-root dlx tsx file",
-      argv: ["pnpm", "-w", "dlx", "tsx", "./run.ts"],
-      scriptName: "run.ts",
-      initialBody: 'console.log("SAFE");\n',
-      expectedArgvIndex: 4,
-    },
     {
       name: "pnpm dlx tsx file",
       argv: ["pnpm", "dlx", "tsx", "./run.ts"],
@@ -691,20 +539,6 @@ describe("hardenApprovedExecutionPaths", () => {
       initialBody: 'console.log("SAFE");\n',
       expectedArgvIndex: 3,
     },
-    {
-      name: "pnpm global double-dash dlx tsx file",
-      argv: ["pnpm", "--", "dlx", "tsx", "./run.ts"],
-      scriptName: "run.ts",
-      initialBody: 'console.log("SAFE");\n',
-      expectedArgvIndex: 4,
-    },
-    {
-      name: "pnpm pre-dlx package-equals tsx file",
-      argv: ["pnpm", "--package=tsx", "dlx", "tsx", "./run.ts"],
-      scriptName: "run.ts",
-      initialBody: 'console.log("SAFE");\n',
-      expectedArgvIndex: 4,
-    },
     {
       name: "pnpm reporter dlx package tsx file",
       argv: ["pnpm", "--reporter", "silent", "dlx", "--package", "tsx", "tsx", "./run.ts"],
@@ -712,20 +546,6 @@ describe("hardenApprovedExecutionPaths", () => {
       initialBody: 'console.log("SAFE");\n',
       expectedArgvIndex: 7,
     },
-    {
-      name: "pnpm reporter dlx short-package tsx file",
-      argv: ["pnpm", "--reporter", "silent", "dlx", "-p", "tsx", "tsx", "./run.ts"],
-      scriptName: "run.ts",
-      initialBody: 'console.log("SAFE");\n',
-      expectedArgvIndex: 7,
-    },
-    {
-      name: "pnpm silent dlx tsx file",
-      argv: ["pnpm", "dlx", "-s", "tsx", "./run.ts"],
-      scriptName: "run.ts",
-      initialBody: 'console.log("SAFE");\n',
-      expectedArgvIndex: 4,
-    },
     {
       name: "pnpm reporter exec tsx file",
       argv: ["pnpm", "--reporter", "silent", "exec", "tsx", "./run.ts"],
@@ -733,13 +553,6 @@ describe("hardenApprovedExecutionPaths", () => {
       initialBody: 'console.log("SAFE");\n',
       expectedArgvIndex: 5,
     },
-    {
-      name: "pnpm reporter-equals exec tsx file",
-      argv: ["pnpm", "--reporter=silent", "exec", "tsx", "./run.ts"],
-      scriptName: "run.ts",
-      initialBody: 'console.log("SAFE");\n',
-      expectedArgvIndex: 4,
-    },
     {
       name: "pnpm js shim exec tsx file",
       argv: ["./pnpm.js", "exec", "tsx", "./run.ts"],
@@ -763,21 +576,6 @@ describe("hardenApprovedExecutionPaths", () => {
       expectedArgvIndex: 2,
       binNames: ["pnpm", "node"],
     },
-    {
-      name: "pnpm node double-dash file",
-      argv: ["pnpm", "node", "--", "./run.js"],
-      scriptName: "run.js",
-      initialBody: 'console.log("SAFE");\n',
-      expectedArgvIndex: 3,
-      binNames: ["pnpm", "node"],
-    },
-    {
-      name: "npx tsx file",
-      argv: ["npx", "tsx", "./run.ts"],
-      scriptName: "run.ts",
-      initialBody: 'console.log("SAFE");\n',
-      expectedArgvIndex: 2,
-    },
     {
       name: "bunx tsx file",
       argv: ["bunx", "tsx", "./run.ts"],