Files
openclaw/test/scripts/security-sensitive-guard-script.test.ts
Peter Steinberger fe261b0f59 chore(tooling): typecheck root test/** with a dedicated tsgo lane (#104475)
* chore(types): add declaration files for scripts/lib and scripts/e2e modules

* chore(types): add declaration files for top-level script modules (a-m)

* chore(types): add declaration files for top-level script modules (n-z)

* test: use a non-secret-shaped gateway token fixture

* test: type ci workflow guard helpers for the root test lane

* chore(tooling): typecheck root test/** with a dedicated tsgo lane

- test/tsconfig/tsconfig.test.root.json: root-test program (strict unused checks,
  fixtures excluded; two Docker E2E clients that import built dist/** stay out,
  same rationale as the scripts/e2e exclusion in tsconfig.scripts.json)
- tsgo:test:root wired into tsgo:test, check:test-types, scripts/check.mjs, and
  the ci.yml test-types shard, mirroring the tsgo:scripts lane (#104348)
- changed-lane routing: test/**/*.ts (excluding fixtures) and the lane tsconfig
  now trigger 'typecheck test root' in check:changed; previously test/ paths ran
  lint only, so harness type errors surfaced first in CI (#104287 envDir case)
- burn down all 1071 latent type errors in the program: precise param/local
  types across test/scripts, test/vitest, test/e2e, and transitive scripts/e2e
  program members; 205 sibling .d.mts declaration files for imported .mjs
  modules (committed separately); zero any, zero ts-expect-error
- resolve the pre-existing testing star-export ambiguity in
  scripts/e2e/parallels/common.ts with an explicit re-export

Closes #104388

* chore(types): correct declaration fidelity per structured review

- re-derive 51 .d.mts files from implementation data flow instead of
  initializers: fix a wrong never return (runTestProjectsDelegation returns
  the child), add encoding-sensitive exec/spawn overloads (plain-gh), restore
  the full release profile union, make parsed paths string | null, add missing
  parseArgs fields via help/non-help unions, add a missing sibling declaration
  (budget-number-args), drop 15 unused lint directives
- precise install-record/tuple typing removes the type-aware oxlint
  regressions the first declarations caused in scripts/e2e implementations
- route .mts declaration edits under test/ to the testRoot lane and reference
  the test-root project from tsconfig.projects.json so tsgo:all covers it
  (closes both review findings against the lane wiring)

* chore(scripts): keep telegram runner dist typing structural for the boundary guard

* chore(types): declare runtime pack and gateway readiness exports added on main

* test: pin the importTargetPlan form of the plugin-contract plan import

The guard expectation still referenced the raw await import( form that
7ae5996bb3 (#103975) replaced with the importTargetPlan fallback helper;
the assertion fails on current main.
2026-07-11 06:15:41 -07:00

266 lines
9.7 KiB
TypeScript

// Security Sensitive Guard Script tests cover sensitive file guard behavior.
import { describe, expect, it } from "vitest";
import {
GITHUB_RESPONSE_BODY_MAX_BYTES,
allowSecuritySensitiveCommand,
collectSecuritySensitiveChanges,
findSecuritySensitiveOverrideCommand,
findSecuritySensitiveOverrideCommandAsync,
findTrustedSecuritySensitiveGuardActor,
githubApi,
isSecuritySensitiveFile,
isSecuritySensitiveGuardAuthorizedForHead,
isSecuritySensitiveGuardMarkerComment,
isSecuritySensitiveGuardTrustedForHead,
markdownCode,
renderAuthorizedSecuritySensitiveComment,
renderBlockedSecuritySensitiveComment,
renderClearedSecuritySensitiveGuardComment,
renderSecuritySensitiveAwarenessComment,
renderTrustedSecuritySensitiveComment,
sanitizeDisplayValue,
securityApproverSet,
securitySensitiveFileDefinition,
securitySensitiveFileDefinitions,
securitySensitiveGuardCommentAuthors,
securitySensitiveGuardCommentHeadSha,
securitySensitiveGuardMarker,
securitySensitiveGuardTrustedActorCandidates,
securitySensitiveOverrideExpectedSha,
} from "../../scripts/github/security-sensitive-guard.mjs";
const headSha = "a".repeat(40);
const staleSha = "b".repeat(40);
describe("security-sensitive guard script", () => {
it("detects only registered security-sensitive file surfaces", () => {
expect(securitySensitiveFileDefinitions()).toEqual([
{
path: ".gitignore",
reason:
"Controls ignored secret and local files, including common `.env` files, before they can be accidentally committed.",
},
]);
expect(isSecuritySensitiveFile(".gitignore")).toBe(true);
expect(isSecuritySensitiveFile("docs/.gitignore")).toBe(false);
expect(isSecuritySensitiveFile("package.json")).toBe(false);
expect(securitySensitiveFileDefinition(".gitignore")?.reason).toContain(".env");
});
it("detects renames away from registered security-sensitive file surfaces", () => {
expect(
collectSecuritySensitiveChanges([
{
filename: ".gitignore.disabled",
previous_filename: ".gitignore",
status: "renamed",
},
]),
).toEqual([securitySensitiveFileDefinition(".gitignore")]);
});
it("accepts only security-member override commands for the current head sha", () => {
const comments = [
{
body: "/allow-security-sensitive-change not enough",
created_at: "2026-05-28T20:00:00Z",
user: { login: "not-security" },
},
{
body: "/allow-security-sensitive-change stale approval",
created_at: "2026-05-28T20:01:00Z",
user: { login: "security-user" },
},
{
body: "/allow-security-sensitive-change reviewed .gitignore",
created_at: "2026-05-28T20:03:00Z",
html_url: "https://example.test/comment",
user: { login: "security-user" },
},
];
const override = findSecuritySensitiveOverrideCommand({
comments,
expectedSha: headSha,
isSecurityMember: (login) => login === "security-user",
newerThan: "2026-05-28T20:02:00Z",
});
expect(override).toEqual({
login: "security-user",
reason: "reviewed .gitignore",
sha: headSha,
url: "https://example.test/comment",
});
});
it("rejects stale or non-security override commands", async () => {
const comments = [
{
body: "/allow-security-sensitive-change stale approval",
created_at: "2026-05-28T20:00:00Z",
user: { login: "security-user" },
},
{
body: "/allow-security-sensitive-change not enough",
created_at: "2026-05-28T20:02:00Z",
user: { login: "not-security" },
},
];
await expect(
findSecuritySensitiveOverrideCommandAsync({
comments,
expectedSha: headSha,
isSecurityMember: async (login) => login === "security-user",
newerThan: "2026-05-28T20:01:00Z",
}),
).resolves.toBeNull();
});
it("binds override commands to the head sha in the blocked guard comment", () => {
const blockedComment = {
body: renderBlockedSecuritySensitiveComment({
changes: [securitySensitiveFileDefinition(".gitignore")],
headSha,
}),
};
const staleBlockedComment = {
body: renderBlockedSecuritySensitiveComment({
changes: [securitySensitiveFileDefinition(".gitignore")],
headSha: staleSha,
}),
};
expect(securitySensitiveGuardCommentHeadSha(blockedComment)).toBe(headSha);
expect(securitySensitiveOverrideExpectedSha(blockedComment, headSha)).toBe(headSha);
expect(securitySensitiveOverrideExpectedSha(staleBlockedComment, headSha)).toBeNull();
});
it("preserves same-head authorization across reruns", () => {
const authorizedComment = {
body: renderAuthorizedSecuritySensitiveComment({
login: "security-user",
reason: null,
sha: headSha,
}),
};
expect(securitySensitiveGuardCommentHeadSha(authorizedComment)).toBe(headSha);
expect(isSecuritySensitiveGuardAuthorizedForHead(authorizedComment, headSha)).toBe(true);
expect(isSecuritySensitiveGuardAuthorizedForHead(authorizedComment, staleSha)).toBe(false);
expect(securitySensitiveOverrideExpectedSha(authorizedComment, headSha)).toBeNull();
});
it("recognizes trusted security-sensitive guard actors automatically", async () => {
const sameActorCandidates = securitySensitiveGuardTrustedActorCandidates({
pullRequest: { user: { login: "repo-admin" } },
event: { pull_request: { head: { sha: headSha } }, sender: { login: "repo-admin" } },
currentHeadSha: headSha,
});
const staleAuthorCandidate = securitySensitiveGuardTrustedActorCandidates({
pullRequest: { user: { login: "repo-admin" } },
event: { pull_request: { head: { sha: staleSha } }, sender: { login: "repo-admin" } },
currentHeadSha: headSha,
});
expect(sameActorCandidates).toEqual([{ login: "repo-admin", source: "pull request author" }]);
expect(staleAuthorCandidate).toEqual([]);
await expect(
findTrustedSecuritySensitiveGuardActor({
candidates: sameActorCandidates,
isSecuritySensitiveApprover: async (login) =>
login === "repo-admin" ? "repository admin" : null,
}),
).resolves.toEqual({
login: "repo-admin",
reason: "pull request author; repository admin",
});
});
it("trusts only configured security-sensitive guard marker comment authors", () => {
const trustedAuthors = securitySensitiveGuardCommentAuthors(
"github-actions[bot], openclaw-security-guard[bot]",
);
expect(
isSecuritySensitiveGuardMarkerComment(
{
body: securitySensitiveGuardMarker,
user: { login: "openclaw-security-guard[bot]" },
},
trustedAuthors,
),
).toBe(true);
expect(
isSecuritySensitiveGuardMarkerComment(
{
body: securitySensitiveGuardMarker,
user: { login: "contributor" },
},
trustedAuthors,
),
).toBe(false);
});
it("renders deterministic awareness, blocked, trusted, authorized, and cleared comments", () => {
const changes = [securitySensitiveFileDefinition(".gitignore")!];
const awarenessBody = renderSecuritySensitiveAwarenessComment(changes);
const blockedBody = renderBlockedSecuritySensitiveComment({ changes, headSha });
const trustedBody = renderTrustedSecuritySensitiveComment({
actor: { login: "repo-admin", reason: "pull request author; repository admin" },
changes,
headSha,
});
const authorizedBody = renderAuthorizedSecuritySensitiveComment({
login: "security-user",
reason: "reviewed .gitignore",
sha: headSha,
});
const clearedBody = renderClearedSecuritySensitiveGuardComment({ headSha });
expect(awarenessBody).toContain(securitySensitiveGuardMarker);
expect(awarenessBody).toContain("Security-sensitive file changes detected");
expect(awarenessBody).toContain("`.gitignore`");
expect(awarenessBody).toContain(".env");
expect(blockedBody).toContain("Security-sensitive changes are blocked");
expect(blockedBody).toContain(allowSecuritySensitiveCommand);
expect(blockedBody).toContain(`current head SHA (\`${headSha}\`)`);
expect(trustedBody).toContain("Security-sensitive changes noted");
expect(trustedBody).toContain("@repo-admin");
expect(isSecuritySensitiveGuardTrustedForHead({ body: trustedBody }, headSha)).toBe(true);
expect(authorizedBody).toContain("Security-sensitive change authorized");
expect(authorizedBody).toContain("`reviewed .gitignore`");
expect(clearedBody).toContain("Security-sensitive guard cleared");
expect(clearedBody).toContain("requires a fresh `/allow-security-sensitive-change` comment");
});
it("sanitizes display values and markdown code", () => {
expect(sanitizeDisplayValue("abc\u0000def")).toBe("abc?def");
expect(sanitizeDisplayValue("x".repeat(300))).toHaveLength(240);
expect(markdownCode("`quoted`")).toBe("`\\`quoted\\``");
});
it("parses explicit security approver allowlists", () => {
expect(securityApproverSet("vincentkoc, steipete\njoshavant")).toEqual(
new Set(["vincentkoc", "steipete", "joshavant"]),
);
});
it("bounds successful GitHub API response bodies", async () => {
const request = githubApi("token", {
responseMaxBodyBytes: 64,
fetchImpl: (() =>
Promise.resolve(
new Response("x".repeat(65), {
headers: { "content-length": "65" },
}),
)) as typeof fetch,
}).request("/repos/openclaw/openclaw");
await expect(request).rejects.toThrow("GitHub response body exceeded 64 bytes");
expect(GITHUB_RESPONSE_BODY_MAX_BYTES).toBeGreaterThan(64);
});
});