mirror of
https://github.com/openclaw/openclaw.git
synced 2026-06-03 09:14:06 +00:00
* refactor: extract agent core package
  Introduce packages/agent-core as the OpenClaw-owned home for reusable agent loop, harness, session, prompt, and runtime dependency contracts.
* refactor: extract shared llm runtime
  Move provider model registries, stream wrappers, OAuth helpers, and LLM utilities into src/llm with plugin-sdk barrels instead of depending on the old embedded runtime layout.
* refactor: remove pi runtime internals
  Rename remaining Pi-shaped agent surfaces to OpenClaw agent runtime names, delete obsolete Pi docs and package graph checks, and add the third-party notice for incorporated code.
* refactor: tighten agent session runtime
  Make agent-core/runtime dependencies explicit, consolidate compaction and session transcript helpers, and move model/session helpers behind OpenClaw-owned contracts.
* refactor: remove static model and pi auth paths
  Drop static model catalogs and Pi auth bridges, move model/provider facts to manifest-owned runtime contracts, and harden internal embedded-agent utilities.
* refactor: remove legacy provider compat paths
* docs: remove agent parity notes
* fix: skip provider wildcard metadata parsing
* refactor: share session extension sdk loading
* refactor: inline acpx proxy error formatter
* refactor: fold edit recovery into edit tool
* fix: accept extension batch separator
* test: align startup provider plugin expectations
* fix: restore provider-scoped release discovery
* test: align static asset packaging expectations
* fix: run static provider catalogs during scoped discovery
* fix: add provider entry catalogs for scoped live discovery
* fix: load lightweight provider catalog entries
* fix: refresh provider-scoped plugin metadata
* fix: keep provider catalog entries on release live path
* fix: keep static manifest models in release live checks
* fix: harden release model discovery
* fix: reduce OpenAI live cache probe reasoning
* fix: disable OpenAI cache probe reasoning
* ci: extend OpenAI gateway live timeout
* fix: extend live gateway model budget
* fix: stabilize release validation regressions
* fix: honor provider aliases in model rows
* fix: stabilize release validation lanes
* fix: stabilize release memory qa
* ci: stabilize release validation lanes
* ci: prefer ipv4 for live docker node calls
* fix: restore shared tool-call stream wrapper
* ci: remove legacy pi test shard alias
* fix: clean up embedded agent test drift
* fix: stabilize runtime alias status
* fix: clean up embedded agent ci drift
* fix: restore release ci invariants
* fix: clean up post-rebase runtime drift
* fix: restore release ci checks
* fix: restore release ci after rebase
* fix: remove stale pi runtime path
* test: align compaction runtime expectations
* test: update plugin prerelease expectations
* fix: handle claude live tool approvals
* fix: stabilize release validation gates
* fix: finish agent runtime import
* test: finish post-rebase agent runtime mocks
* fix: keep codex compaction native
* fix: stabilize codex app-server hook tests
* test: isolate codex diagnostic active run
* test: remove codex diagnostic completion race
  # Conflicts:
  # extensions/codex/src/app-server/run-attempt.test.ts
* ci: fix full release manifest performance run id
* refactor: narrow llm plugin sdk boundary
* chore: drop generated google boundary stamps
* fix: repair rebase fallout
* fix: clean up rebased runtime references
* fix: decode codex jwt payloads as base64url
* fix: preserve shipped pi runtime alias
* fix: add scoped sdk virtual modules
* fix: decode llm codex oauth jwt as base64url
* fix: avoid stale vertex adc negative cache
* fix: harden tool arg decoding and codeql path
* fix: keep vertex adc negative checks live
* refactor: consolidate codex jwt and edit helpers
* fix: await codex oauth node runtime imports
* fix: preserve sdk tool and notice contracts
* fix: preserve shipped compat config boundaries
* fix: align codex oauth callback host
* fix: terminate agent-core loop streams on failure
* fix: keep codex oauth callback alive during fallback
* ci: include session tools in critical codeql scans
* fix: keep Cloudflare Anthropic provider auth header
* docs: redirect legacy pi runtime pages
* fix: honor bundled web provider compat discovery
* fix: protect session output spill files
* fix: keep legacy agent dir env blocked
* fix: contain auto-discovered skill symlinks
* fix: harden agent core sdk proxy surfaces
* fix: restore approval reaction sdk compat
* fix: keep live docker runs bounded
* fix: keep codex oauth redirect host aligned
* fix: resolve post-rebase agent runtime drift
* fix: redact anthropic oauth parse failures
* fix: preserve responses strict tool shaping
* fix: repair agent runtime rebase cleanup
* docs: redirect retired parity pages
* fix: bound auto-discovered resources to roots
* fix: repair post-rebase agent test drift
* fix: preserve bundled provider allowlist migration
* fix: preserve manifest-owned provider aliases
* fix: declare photon image dependency
* fix: keep provider headers out of proxy body
* fix: preserve shipped env aliases
* fix: refresh control ui i18n generated state
* fix: quote read fallback paths
* fix: preview edits through configured backend
* test: satisfy core test typecheck
* fix: preserve ZAI usage auth fallback
* test: repair codex diagnostic test
* fix: repair agent runtime rebase drift
* test: finish embedded runner import rename
* fix: repair agent runtime rebase integrations
* test: align compaction oauth fallback expectations
* fix: allow sdk-auth session models
* fix: update doctor tool schema import
* fix: preserve bedrock plugin region
* fix: stream harmony-like prose immediately
* ci: include session runtime in codeql shards
* fix: repair latest rebase integrations
* fix: honor explicit codex websocket transport
* fix: keep openai-compatible credentials provider-scoped
* fix: refresh sdk api baseline after rebase
* fix: route cli runtime aliases through openclaw harness
* test: rename stale harness mock expectation
* test: rename embedded agent overflow calls
* test: clean embedded auth test wording
* test: use openclaw stream types in deepinfra cache test
* fix: refresh sdk api baseline on latest main
* fix: honor bundled discovery compat allowlists
* fix: refresh sdk api baseline after latest rebase
* fix: remove stale rebase imports
* test: rename stale model catalog mock
* test: mock renamed doctor runtime modules
* fix: map canonical kimi env auth
* fix: use internal model registry in bench script
* fix: migrate deepinfra provider catalog entry
* fix: enforce builtin tool suppression
* fix: route compaction auth and proxy payloads safely
* refactor: prune unused llm registry leftovers
* test: update codex hooks session import
* test: fix model picker ci coverage
* test: align model picker auth mock types
178 lines
6.8 KiB
TypeScript
import { describe, expect, it } from "vitest";
import {
  createTransitiveManifestRiskReport,
  renderTransitiveManifestRiskMarkdownReport,
} from "../../scripts/transitive-manifest-risk-report.mjs";

describe("transitive-manifest-risk-report", () => {
  it("reports floating transitive specs, lifecycle scripts, exotic sources, and recently published versions", async () => {
    const report = await createTransitiveManifestRiskReport({
      packageVersions: [
        { packageName: "parent", version: "1.0.0" },
        { packageName: "tarball-package", version: "https://example.test/pkg.tgz" },
      ],
      now: new Date("2026-05-12T00:00:00Z"),
      minimumReleaseAgeMinutes: 2_880,
      manifestLoader: async ({ packageName, version }) => {
        if (packageName !== "parent" || version !== "1.0.0") {
          throw new Error("unexpected manifest request");
        }
        return {
          publishedAt: "2026-05-11T23:00:00Z",
          manifest: {
            dependencies: {
              floating: "^1.2.3",
              exact: "2.0.0",
              gitdep: "github:owner/repo#main",
            },
            optionalDependencies: {
              optionalFloating: "~3.0.0",
            },
            scripts: {
              install: "node install.js",
            },
          },
        };
      },
    });

    expect(report.byType).toEqual({
      "exotic-source": 2,
      "floating-transitive-spec": 3,
      "lifecycle-script": 1,
      "recently-published-version": 1,
    });
    expect(report.workspaceExcludedFindings).toEqual([]);
    expect(report.metadataFailures).toEqual([]);
  });

  it("uses pnpm minimum release age exclusions for recently published versions", async () => {
    const report = await createTransitiveManifestRiskReport({
      packageVersions: [
        { packageName: "regular", version: "1.0.0" },
        { packageName: "exact-package", version: "2.0.0" },
        { packageName: "either-version", version: "5.102.1" },
        { packageName: "@scope/native-linux-x64", version: "3.0.0" },
      ],
      now: new Date("2026-05-12T00:00:00Z"),
      minimumReleaseAgeMinutes: 2_880,
      minimumReleaseAgeExclude: [
        "exact-package@2.0.0",
        "either-version@4.47.0 || 5.102.1",
        "@scope/native-*",
      ],
      manifestLoader: async () => ({
        publishedAt: "2026-05-11T23:00:00Z",
        manifest: {},
      }),
    });

    expect(report.byType).toEqual({
      "recently-published-version": 1,
    });
    expect(report.workspaceExcludedByType).toEqual({
      "recently-published-version": 3,
    });
    expect(report.findings).toMatchObject([
      {
        packageName: "regular",
        type: "recently-published-version",
      },
    ]);
    expect(report.workspaceExcludedFindings).toMatchObject([
      {
        packageName: "@scope/native-linux-x64",
        type: "recently-published-version",
        workspaceExcluded: true,
        workspaceExclusion: "@scope/native-*",
      },
      {
        packageName: "either-version",
        type: "recently-published-version",
        workspaceExcluded: true,
        workspaceExclusion: "either-version@4.47.0 || 5.102.1",
      },
      {
        packageName: "exact-package",
        type: "recently-published-version",
        workspaceExcluded: true,
        workspaceExclusion: "exact-package@2.0.0",
      },
    ]);

    const markdown = renderTransitiveManifestRiskMarkdownReport(report);
    expect(markdown).toContain(
      "## Recently Published Versions Not Covered By Workspace Exclusions",
    );
    expect(markdown).toContain("## Recently Published Versions Covered By Workspace Exclusions");
    expect(markdown).toContain("Workspace minimum release age: 2880 minutes.");
    expect(markdown).toContain("`regular@1.0.0`: published 2026-05-11T23:00:00Z");
    expect(markdown).toContain(
      "`exact-package@2.0.0`: published 2026-05-11T23:00:00Z; workspace exclusion `exact-package@2.0.0`",
    );
    expect(markdown).not.toContain(
      "`regular@1.0.0`: published 2026-05-11T23:00:00Z; minimum release age 2880 minutes",
    );
  });

  it("documents JSON completeness and renders grouped Markdown summaries", async () => {
    const report = await createTransitiveManifestRiskReport({
      packageVersions: [
        { packageName: "openclaw/plugin-sdk/llm", version: "0.74.0" },
        { packageName: "aaa-package", version: "1.0.0" },
        { packageName: "recent-package", version: "1.0.0" },
      ],
      now: new Date("2026-05-12T00:00:00Z"),
      minimumReleaseAgeMinutes: 2_880,
      minimumReleaseAgeExclude: ["recent-package@1.0.0"],
      manifestLoader: async ({ packageName }) => ({
        publishedAt:
          packageName === "recent-package" ? "2026-05-11T23:00:00Z" : "2026-04-01T00:00:00Z",
        manifest:
          packageName === "openclaw/plugin-sdk/llm"
            ? {
                dependencies: {
                  "@mistralai/mistralai": "^2.2.0",
                },
              }
            : packageName === "recent-package"
              ? {
                  dependencies: {
                    "recent-dependency": "^1.0.0",
                  },
                }
              : {
                  dependencies: {
                    "aaa-dependency": "^1.0.0",
                  },
                },
      }),
    });

    const markdown = renderTransitiveManifestRiskMarkdownReport(report);

    expect(markdown).toContain("# Transitive Manifest Risk Report");
    expect(markdown).toContain("## Scope");
    expect(markdown).toContain("published package manifests for resolved packages");
    expect(markdown).toContain("It is report-only.");
    expect(markdown).toContain("Resolved package versions inspected");
    expect(markdown).toContain("Reported risk signals");
    expect(markdown).toContain("Signals covered by workspace policy exclusions");
    expect(markdown).toContain("## Reported Risk Signals By Type");
    expect(markdown).toContain("## Signals Covered By Workspace Policy Exclusions");
    expect(markdown).toContain("not included in the reported risk signal totals");
    expect(markdown).toContain("## Complete Evidence");
    expect(markdown).toContain("The complete reported signal list is available in the JSON report");
    expect(markdown).toContain("## Published Package Manifests With Risk Findings");
    expect(markdown).toContain("`openclaw/plugin-sdk/llm@0.74.0`: 1 manifest finding");
    expect(markdown).toContain("`aaa-package@1.0.0`: 1 manifest finding");
    expect(markdown).toContain("## Floating Dependency Targets");
    expect(markdown).toContain("`@mistralai/mistralai`: 1 declarations");
    expect(markdown).toContain("`aaa-dependency`: 1 declarations");
    expect(markdown).not.toContain("## Packages With Findings");
    expect(markdown).not.toContain("## Finding Details");
    expect(markdown).not.toContain("## Notable Findings");
    expect(markdown).not.toContain("## Additional Sample Findings");
  });
});
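
The release-age exclusion behaviour asserted by the second test case, as an added JavaScript example that is not code from the OpenClaw repository. The helper names `parseExclusion`, `findExclusion` and `classifyReleaseAge` are hypothetical, and the matching rules are an assumption inferred from the fixture's entry forms (`name@version`, `name@v1 || v2`, and a `*` glob on the name).

```javascript
// Added illustration with hypothetical helper names; not the project's script.
// Entry forms follow the test fixture: "name@v1 || v2" and "@scope/prefix-*".
function parseExclusion(entry) {
  const at = entry.indexOf("@", 1); // skip the leading "@" of a scoped name
  const name = at === -1 ? entry : entry.slice(0, at);
  const versions = at === -1 ? null : entry.slice(at + 1).split("||").map((v) => v.trim());
  // Escape regex metacharacters, then let "*" match any run of characters.
  const escaped = name.replace(/[.+?^${}()|[\]\\]/g, "\\$&").replace(/\*/g, ".*");
  return { entry, nameRe: new RegExp(`^${escaped}$`), versions };
}

// Returns the first exclusion entry covering this package version, or null.
function findExclusion(pkg, exclude) {
  const rule = exclude.map(parseExclusion).find(
    (r) => r.nameRe.test(pkg.packageName) && (r.versions === null || r.versions.includes(pkg.version)),
  );
  return rule ? rule.entry : null;
}

function classifyReleaseAge(packages, { now, minimumReleaseAgeMinutes, exclude = [] }) {
  const reported = [];
  const excluded = [];
  for (const pkg of packages) {
    const ageMinutes = (now.getTime() - Date.parse(pkg.publishedAt)) / 60_000;
    // A missing or unparsable publish time yields NaN, which fails this
    // comparison, so the package is treated as too new (fail closed).
    if (ageMinutes >= minimumReleaseAgeMinutes) continue;
    const workspaceExclusion = findExclusion(pkg, exclude);
    if (workspaceExclusion) excluded.push({ ...pkg, workspaceExclusion });
    else reported.push(pkg);
  }
  return { reported, excluded };
}

// Constructed sample input mirroring the fixture values on this page.
const publishedAt = "2026-05-11T23:00:00Z"; // one hour before `now`
const SAMPLE_PACKAGES = [
  { packageName: "regular", version: "1.0.0", publishedAt },
  { packageName: "exact-package", version: "2.0.0", publishedAt },
  { packageName: "either-version", version: "5.102.1", publishedAt },
  { packageName: "@scope/native-linux-x64", version: "3.0.0", publishedAt },
];
const SAMPLE_POLICY = {
  now: new Date("2026-05-12T00:00:00Z"),
  minimumReleaseAgeMinutes: 2_880, // 48 hours
  exclude: ["exact-package@2.0.0", "either-version@4.47.0 || 5.102.1", "@scope/native-*"],
};
console.log(classifyReleaseAge(SAMPLE_PACKAGES, SAMPLE_POLICY));
```

A version-pinned entry excludes only the listed versions, so a later release of the same package is reported again until the policy is updated; a bare glob such as `@scope/native-*` exempts every version that matches the name.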