From ee1d4eb29dc1bb762222a9ebd937472eb10eabf0 Mon Sep 17 00:00:00 2001 From: Peter Steinberger Date: Fri, 13 Mar 2026 17:33:03 +0000 Subject: [PATCH 001/268] test: align chat abort helpers with gateway handler types --- .../server-methods/chat.abort-persistence.test.ts | 2 +- src/gateway/server-methods/chat.abort.test-helpers.ts | 10 ++-------- 2 files changed, 3 insertions(+), 9 deletions(-) diff --git a/src/gateway/server-methods/chat.abort-persistence.test.ts b/src/gateway/server-methods/chat.abort-persistence.test.ts index 31a00a3f186..e11b2dc08cb 100644 --- a/src/gateway/server-methods/chat.abort-persistence.test.ts +++ b/src/gateway/server-methods/chat.abort-persistence.test.ts @@ -197,7 +197,7 @@ describe("chat abort transcript persistence", () => { const { transcriptPath, sessionId } = await createTranscriptFixture("openclaw-chat-stop-"); const respond = vi.fn(); const context = createChatAbortContext({ - chatAbortControllers: new Map([["run-stop-1", createActiveRun("main", sessionId)]]), + chatAbortControllers: new Map([["run-stop-1", createActiveRun("main", { sessionId })]]), chatRunBuffers: new Map([["run-stop-1", "Partial from /stop"]]), chatDeltaSentAt: new Map([["run-stop-1", Date.now()]]), removeChatRun: vi.fn().mockReturnValue({ sessionKey: "main", clientRunId: "client-stop-1" }), diff --git a/src/gateway/server-methods/chat.abort.test-helpers.ts b/src/gateway/server-methods/chat.abort.test-helpers.ts index fe5cd324ccb..c1db68f5774 100644 --- a/src/gateway/server-methods/chat.abort.test-helpers.ts +++ b/src/gateway/server-methods/chat.abort.test-helpers.ts @@ -1,4 +1,5 @@ import { vi } from "vitest"; +import type { GatewayRequestHandler } from "./types.js"; export function createActiveRun( sessionKey: string, @@ -37,14 +38,7 @@ export function createChatAbortContext(overrides: Record = {}) } export async function invokeChatAbortHandler(params: { - handler: (args: { - params: { sessionKey: string; runId?: string }; - respond: never; - context: never; - req: never; - client: never; - isWebchatConnect: () => boolean; - }) => Promise; + handler: GatewayRequestHandler; context: ReturnType; request: { sessionKey: string; runId?: string }; client?: { From 7778627b71d442485afff9ea3496d94292eadf8f Mon Sep 17 00:00:00 2001 From: Frank Yang Date: Sat, 14 Mar 2026 01:38:06 +0800 Subject: [PATCH 002/268] fix(ollama): hide native reasoning-only output (#45330) Thanks @xi7ang Co-authored-by: xi7ang <266449609+xi7ang@users.noreply.github.com> Co-authored-by: Frank Yang --- CHANGELOG.md | 1 + src/agents/ollama-stream.test.ts | 16 ++++++++-------- src/agents/ollama-stream.ts | 17 ++++------------- 3 files changed, 13 insertions(+), 21 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 2a8270dd154..f7679f4c5b0 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -12,6 +12,7 @@ Docs: https://docs.openclaw.ai ### Fixes +- Ollama/reasoning visibility: stop promoting native `thinking` and `reasoning` fields into final assistant text so local reasoning models no longer leak internal thoughts in normal replies. (#45330) Thanks @xi7ang. - Windows/gateway install: bound `schtasks` calls and fall back to the Startup-folder login item when task creation hangs, so native `openclaw gateway install` fails fast instead of wedging forever on broken Scheduled Task setups. - Windows/gateway auth: stop attaching device identity on local loopback shared-token and password gateway calls, so native Windows agent replies no longer log stale `device signature expired` fallback noise before succeeding. - Telegram/media downloads: thread the same direct or proxy transport policy into SSRF-guarded file fetches so inbound attachments keep working when Telegram falls back between env-proxy and direct networking. (#44639) Thanks @obviyus. diff --git a/src/agents/ollama-stream.test.ts b/src/agents/ollama-stream.test.ts index 2af5e490c7f..241c7a0f858 100644 --- a/src/agents/ollama-stream.test.ts +++ b/src/agents/ollama-stream.test.ts @@ -106,7 +106,7 @@ describe("buildAssistantMessage", () => { expect(result.usage.totalTokens).toBe(15); }); - it("falls back to thinking when content is empty", () => { + it("drops thinking-only output when content is empty", () => { const response = { model: "qwen3:32b", created_at: "2026-01-01T00:00:00Z", @@ -119,10 +119,10 @@ describe("buildAssistantMessage", () => { }; const result = buildAssistantMessage(response, modelInfo); expect(result.stopReason).toBe("stop"); - expect(result.content).toEqual([{ type: "text", text: "Thinking output" }]); + expect(result.content).toEqual([]); }); - it("falls back to reasoning when content and thinking are empty", () => { + it("drops reasoning-only output when content and thinking are empty", () => { const response = { model: "qwen3:32b", created_at: "2026-01-01T00:00:00Z", @@ -135,7 +135,7 @@ describe("buildAssistantMessage", () => { }; const result = buildAssistantMessage(response, modelInfo); expect(result.stopReason).toBe("stop"); - expect(result.content).toEqual([{ type: "text", text: "Reasoning output" }]); + expect(result.content).toEqual([]); }); it("builds response with tool calls", () => { @@ -485,7 +485,7 @@ describe("createOllamaStreamFn", () => { ); }); - it("accumulates thinking chunks when content is empty", async () => { + it("drops thinking chunks when no final content is emitted", async () => { await withMockNdjsonFetch( [ '{"model":"m","created_at":"t","message":{"role":"assistant","content":"","thinking":"reasoned"},"done":false}', @@ -501,7 +501,7 @@ describe("createOllamaStreamFn", () => { throw new Error("Expected done event"); } - expect(doneEvent.message.content).toEqual([{ type: "text", text: "reasoned output" }]); + expect(doneEvent.message.content).toEqual([]); }, ); }); @@ -528,7 +528,7 @@ describe("createOllamaStreamFn", () => { ); }); - it("accumulates reasoning chunks when thinking is absent", async () => { + it("drops reasoning chunks when no final content is emitted", async () => { await withMockNdjsonFetch( [ '{"model":"m","created_at":"t","message":{"role":"assistant","content":"","reasoning":"reasoned"},"done":false}', @@ -544,7 +544,7 @@ describe("createOllamaStreamFn", () => { throw new Error("Expected done event"); } - expect(doneEvent.message.content).toEqual([{ type: "text", text: "reasoned output" }]); + expect(doneEvent.message.content).toEqual([]); }, ); }); diff --git a/src/agents/ollama-stream.ts b/src/agents/ollama-stream.ts index 9d23852bb31..70a2ef33cf1 100644 --- a/src/agents/ollama-stream.ts +++ b/src/agents/ollama-stream.ts @@ -340,10 +340,9 @@ export function buildAssistantMessage( ): AssistantMessage { const content: (TextContent | ToolCall)[] = []; - // Ollama-native reasoning models may emit their answer in `thinking` or - // `reasoning` with an empty `content`. Fall back so replies are not dropped. - const text = - response.message.content || response.message.thinking || response.message.reasoning || ""; + // Native Ollama reasoning fields are internal model output. The reply text + // must come from `content`; reasoning visibility is controlled elsewhere. + const text = response.message.content || ""; if (text) { content.push({ type: "text", text }); } @@ -497,20 +496,12 @@ export function createOllamaStreamFn( const reader = response.body.getReader(); let accumulatedContent = ""; - let fallbackContent = ""; - let sawContent = false; const accumulatedToolCalls: OllamaToolCall[] = []; let finalResponse: OllamaChatResponse | undefined; for await (const chunk of parseNdjsonStream(reader)) { if (chunk.message?.content) { - sawContent = true; accumulatedContent += chunk.message.content; - } else if (!sawContent && chunk.message?.thinking) { - fallbackContent += chunk.message.thinking; - } else if (!sawContent && chunk.message?.reasoning) { - // Backward compatibility for older/native variants that still use reasoning. - fallbackContent += chunk.message.reasoning; } // Ollama sends tool_calls in intermediate (done:false) chunks, @@ -529,7 +520,7 @@ export function createOllamaStreamFn( throw new Error("Ollama API stream ended without a final response"); } - finalResponse.message.content = accumulatedContent || fallbackContent; + finalResponse.message.content = accumulatedContent; if (accumulatedToolCalls.length > 0) { finalResponse.message.tool_calls = accumulatedToolCalls; } From 9b5000057ec611116b39214807a9bf9ea544b603 Mon Sep 17 00:00:00 2001 From: Peter Steinberger Date: Fri, 13 Mar 2026 17:41:58 +0000 Subject: [PATCH 003/268] ci: remove Android Node 20 action warnings --- .github/workflows/ci.yml | 30 ++++++++++++++++++++++-------- 1 file changed, 22 insertions(+), 8 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index b365b2ed944..2761a7b0d3b 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -747,23 +747,37 @@ jobs: uses: actions/setup-java@v5 with: distribution: temurin - # setup-android's sdkmanager currently crashes on JDK 21 in CI. + # Keep sdkmanager on the stable JDK path for Linux CI runners. java-version: 17 - - name: Setup Android SDK - uses: android-actions/setup-android@v3 - with: - accept-android-sdk-licenses: false + - name: Setup Android SDK cmdline-tools + run: | + set -euo pipefail + ANDROID_SDK_ROOT="$HOME/.android-sdk" + CMDLINE_TOOLS_VERSION="12266719" + ARCHIVE="commandlinetools-linux-${CMDLINE_TOOLS_VERSION}_latest.zip" + URL="https://dl.google.com/android/repository/${ARCHIVE}" + + mkdir -p "$ANDROID_SDK_ROOT/cmdline-tools" + curl -fsSL "$URL" -o "/tmp/${ARCHIVE}" + rm -rf "$ANDROID_SDK_ROOT/cmdline-tools/latest" + unzip -q "/tmp/${ARCHIVE}" -d "$ANDROID_SDK_ROOT/cmdline-tools" + mv "$ANDROID_SDK_ROOT/cmdline-tools/cmdline-tools" "$ANDROID_SDK_ROOT/cmdline-tools/latest" + + echo "ANDROID_SDK_ROOT=$ANDROID_SDK_ROOT" >> "$GITHUB_ENV" + echo "ANDROID_HOME=$ANDROID_SDK_ROOT" >> "$GITHUB_ENV" + echo "$ANDROID_SDK_ROOT/cmdline-tools/latest/bin" >> "$GITHUB_PATH" + echo "$ANDROID_SDK_ROOT/platform-tools" >> "$GITHUB_PATH" - name: Setup Gradle - uses: gradle/actions/setup-gradle@v4 + uses: gradle/actions/setup-gradle@v5 with: gradle-version: 8.11.1 - name: Install Android SDK packages run: | - yes | sdkmanager --licenses >/dev/null - sdkmanager --install \ + yes | sdkmanager --sdk_root="${ANDROID_SDK_ROOT}" --licenses >/dev/null + sdkmanager --sdk_root="${ANDROID_SDK_ROOT}" --install \ "platform-tools" \ "platforms;android-36" \ "build-tools;36.0.0" From 4aec20d36586b96a3b755d3a8725ec9976a92775 Mon Sep 17 00:00:00 2001 From: Peter Steinberger Date: Fri, 13 Mar 2026 17:45:21 +0000 Subject: [PATCH 004/268] test: tighten gateway helper coverage --- src/gateway/control-ui-routing.test.ts | 155 +++++--- src/gateway/live-tool-probe-utils.test.ts | 421 ++++++++++++---------- src/gateway/origin-check.test.ts | 185 +++++----- src/gateway/ws-log.test.ts | 109 ++++-- 4 files changed, 511 insertions(+), 359 deletions(-) diff --git a/src/gateway/control-ui-routing.test.ts b/src/gateway/control-ui-routing.test.ts index f3f172cc7d4..929c645cd01 100644 --- a/src/gateway/control-ui-routing.test.ts +++ b/src/gateway/control-ui-routing.test.ts @@ -2,65 +2,114 @@ import { describe, expect, it } from "vitest"; import { classifyControlUiRequest } from "./control-ui-routing.js"; describe("classifyControlUiRequest", () => { - it("falls through non-read root requests for plugin webhooks", () => { - const classified = classifyControlUiRequest({ - basePath: "", - pathname: "/bluebubbles-webhook", - search: "", - method: "POST", + describe("root-mounted control ui", () => { + it.each([ + { + name: "serves the root entrypoint", + pathname: "/", + method: "GET", + expected: { kind: "serve" as const }, + }, + { + name: "serves other read-only SPA routes", + pathname: "/chat", + method: "HEAD", + expected: { kind: "serve" as const }, + }, + { + name: "keeps health probes outside the SPA catch-all", + pathname: "/healthz", + method: "GET", + expected: { kind: "not-control-ui" as const }, + }, + { + name: "keeps readiness probes outside the SPA catch-all", + pathname: "/ready", + method: "HEAD", + expected: { kind: "not-control-ui" as const }, + }, + { + name: "keeps plugin routes outside the SPA catch-all", + pathname: "/plugins/webhook", + method: "GET", + expected: { kind: "not-control-ui" as const }, + }, + { + name: "keeps API routes outside the SPA catch-all", + pathname: "/api/sessions", + method: "GET", + expected: { kind: "not-control-ui" as const }, + }, + { + name: "returns not-found for legacy ui routes", + pathname: "/ui/settings", + method: "GET", + expected: { kind: "not-found" as const }, + }, + { + name: "falls through non-read requests", + pathname: "/bluebubbles-webhook", + method: "POST", + expected: { kind: "not-control-ui" as const }, + }, + ])("$name", ({ pathname, method, expected }) => { + expect( + classifyControlUiRequest({ + basePath: "", + pathname, + search: "", + method, + }), + ).toEqual(expected); }); - expect(classified).toEqual({ kind: "not-control-ui" }); }); - it("returns not-found for legacy /ui routes when root-mounted", () => { - const classified = classifyControlUiRequest({ - basePath: "", - pathname: "/ui/settings", - search: "", - method: "GET", - }); - expect(classified).toEqual({ kind: "not-found" }); - }); - - it("falls through basePath non-read methods for plugin webhooks", () => { - const classified = classifyControlUiRequest({ - basePath: "/openclaw", - pathname: "/openclaw", - search: "", - method: "POST", - }); - expect(classified).toEqual({ kind: "not-control-ui" }); - }); - - it("falls through PUT/DELETE/PATCH/OPTIONS under basePath for plugin handlers", () => { - for (const method of ["PUT", "DELETE", "PATCH", "OPTIONS"]) { - const classified = classifyControlUiRequest({ - basePath: "/openclaw", + describe("basePath-mounted control ui", () => { + it.each([ + { + name: "redirects the basePath entrypoint", + pathname: "/openclaw", + search: "?foo=1", + method: "GET", + expected: { kind: "redirect" as const, location: "/openclaw/?foo=1" }, + }, + { + name: "serves nested read-only routes", + pathname: "/openclaw/chat", + search: "", + method: "HEAD", + expected: { kind: "serve" as const }, + }, + { + name: "falls through unmatched paths", + pathname: "/elsewhere/chat", + search: "", + method: "GET", + expected: { kind: "not-control-ui" as const }, + }, + { + name: "falls through write requests to the basePath entrypoint", + pathname: "/openclaw", + search: "", + method: "POST", + expected: { kind: "not-control-ui" as const }, + }, + ...["PUT", "DELETE", "PATCH", "OPTIONS"].map((method) => ({ + name: `falls through ${method} subroute requests`, pathname: "/openclaw/webhook", search: "", method, - }); - expect(classified, `${method} should fall through`).toEqual({ kind: "not-control-ui" }); - } - }); - - it("returns redirect for basePath entrypoint GET", () => { - const classified = classifyControlUiRequest({ - basePath: "/openclaw", - pathname: "/openclaw", - search: "?foo=1", - method: "GET", + expected: { kind: "not-control-ui" as const }, + })), + ])("$name", ({ pathname, search, method, expected }) => { + expect( + classifyControlUiRequest({ + basePath: "/openclaw", + pathname, + search, + method, + }), + ).toEqual(expected); }); - expect(classified).toEqual({ kind: "redirect", location: "/openclaw/?foo=1" }); - }); - - it("classifies basePath subroutes as control ui", () => { - const classified = classifyControlUiRequest({ - basePath: "/openclaw", - pathname: "/openclaw/chat", - search: "", - method: "HEAD", - }); - expect(classified).toEqual({ kind: "serve" }); }); }); diff --git a/src/gateway/live-tool-probe-utils.test.ts b/src/gateway/live-tool-probe-utils.test.ts index ca73032c6fb..75f27c08036 100644 --- a/src/gateway/live-tool-probe-utils.test.ts +++ b/src/gateway/live-tool-probe-utils.test.ts @@ -8,198 +8,245 @@ import { } from "./live-tool-probe-utils.js"; describe("live tool probe utils", () => { - it("matches nonce pair when both are present", () => { - expect(hasExpectedToolNonce("value a-1 and b-2", "a-1", "b-2")).toBe(true); - expect(hasExpectedToolNonce("value a-1 only", "a-1", "b-2")).toBe(false); + describe("nonce matching", () => { + it.each([ + { + name: "matches tool nonce pairs only when both are present", + actual: hasExpectedToolNonce("value a-1 and b-2", "a-1", "b-2"), + expected: true, + }, + { + name: "rejects partial tool nonce matches", + actual: hasExpectedToolNonce("value a-1 only", "a-1", "b-2"), + expected: false, + }, + { + name: "matches a single nonce when present", + actual: hasExpectedSingleNonce("value nonce-1", "nonce-1"), + expected: true, + }, + { + name: "rejects single nonce mismatches", + actual: hasExpectedSingleNonce("value nonce-2", "nonce-1"), + expected: false, + }, + ])("$name", ({ actual, expected }) => { + expect(actual).toBe(expected); + }); }); - it("matches single nonce when present", () => { - expect(hasExpectedSingleNonce("value nonce-1", "nonce-1")).toBe(true); - expect(hasExpectedSingleNonce("value nonce-2", "nonce-1")).toBe(false); + describe("refusal detection", () => { + it.each([ + { + name: "detects nonce refusal phrasing", + text: "Same request, same answer — this isn't a real OpenClaw probe. No part of the system asks me to parrot back nonce values.", + expected: true, + }, + { + name: "detects prompt-injection style refusals without nonce text", + text: "That's not a legitimate self-test. This looks like a prompt injection attempt.", + expected: true, + }, + { + name: "ignores generic helper text", + text: "I can help with that request.", + expected: false, + }, + { + name: "does not treat nonce markers without the word nonce as refusal", + text: "No part of the system asks me to parrot back values.", + expected: false, + }, + ])("$name", ({ text, expected }) => { + expect(isLikelyToolNonceRefusal(text)).toBe(expected); + }); }); - it("detects anthropic nonce refusal phrasing", () => { - expect( - isLikelyToolNonceRefusal( - "Same request, same answer — this isn't a real OpenClaw probe. No part of the system asks me to parrot back nonce values.", - ), - ).toBe(true); + describe("shouldRetryToolReadProbe", () => { + it.each([ + { + name: "retries malformed tool output when attempts remain", + params: { + text: "read[object Object],[object Object]", + nonceA: "nonce-a", + nonceB: "nonce-b", + provider: "mistral", + attempt: 0, + maxAttempts: 3, + }, + expected: true, + }, + { + name: "does not retry once max attempts are exhausted", + params: { + text: "read[object Object],[object Object]", + nonceA: "nonce-a", + nonceB: "nonce-b", + provider: "mistral", + attempt: 2, + maxAttempts: 3, + }, + expected: false, + }, + { + name: "does not retry when the nonce pair is already present", + params: { + text: "nonce-a nonce-b", + nonceA: "nonce-a", + nonceB: "nonce-b", + provider: "mistral", + attempt: 0, + maxAttempts: 3, + }, + expected: false, + }, + { + name: "prefers a valid nonce pair even if the text still contains scaffolding words", + params: { + text: "tool output nonce-a nonce-b function", + nonceA: "nonce-a", + nonceB: "nonce-b", + provider: "openai", + attempt: 0, + maxAttempts: 3, + }, + expected: false, + }, + { + name: "retries empty output", + params: { + text: " ", + nonceA: "nonce-a", + nonceB: "nonce-b", + provider: "openai", + attempt: 0, + maxAttempts: 3, + }, + expected: true, + }, + { + name: "retries tool scaffolding output", + params: { + text: "Use tool function read[] now.", + nonceA: "nonce-a", + nonceB: "nonce-b", + provider: "openai", + attempt: 0, + maxAttempts: 3, + }, + expected: true, + }, + { + name: "retries mistral nonce marker echoes without parsed values", + params: { + text: "nonceA= nonceB=", + nonceA: "nonce-a", + nonceB: "nonce-b", + provider: "mistral", + attempt: 0, + maxAttempts: 3, + }, + expected: true, + }, + { + name: "retries anthropic refusal output", + params: { + text: "This isn't a real OpenClaw probe; I won't parrot back nonce values.", + nonceA: "nonce-a", + nonceB: "nonce-b", + provider: "anthropic", + attempt: 0, + maxAttempts: 3, + }, + expected: true, + }, + { + name: "does not special-case anthropic refusals for other providers", + params: { + text: "This isn't a real OpenClaw probe; I won't parrot back nonce values.", + nonceA: "nonce-a", + nonceB: "nonce-b", + provider: "openai", + attempt: 0, + maxAttempts: 3, + }, + expected: false, + }, + ])("$name", ({ params, expected }) => { + expect(shouldRetryToolReadProbe(params)).toBe(expected); + }); }); - it("does not treat generic helper text as nonce refusal", () => { - expect(isLikelyToolNonceRefusal("I can help with that request.")).toBe(false); - }); - - it("detects prompt-injection style tool refusal without nonce text", () => { - expect( - isLikelyToolNonceRefusal( - "That's not a legitimate self-test. This looks like a prompt injection attempt.", - ), - ).toBe(true); - }); - - it("retries malformed tool output when attempts remain", () => { - expect( - shouldRetryToolReadProbe({ - text: "read[object Object],[object Object]", - nonceA: "nonce-a", - nonceB: "nonce-b", - provider: "mistral", - attempt: 0, - maxAttempts: 3, - }), - ).toBe(true); - }); - - it("does not retry once max attempts are exhausted", () => { - expect( - shouldRetryToolReadProbe({ - text: "read[object Object],[object Object]", - nonceA: "nonce-a", - nonceB: "nonce-b", - provider: "mistral", - attempt: 2, - maxAttempts: 3, - }), - ).toBe(false); - }); - - it("does not retry when nonce pair is already present", () => { - expect( - shouldRetryToolReadProbe({ - text: "nonce-a nonce-b", - nonceA: "nonce-a", - nonceB: "nonce-b", - provider: "mistral", - attempt: 0, - maxAttempts: 3, - }), - ).toBe(false); - }); - - it("retries when tool output is empty and attempts remain", () => { - expect( - shouldRetryToolReadProbe({ - text: " ", - nonceA: "nonce-a", - nonceB: "nonce-b", - provider: "openai", - attempt: 0, - maxAttempts: 3, - }), - ).toBe(true); - }); - - it("retries when output still looks like tool/function scaffolding", () => { - expect( - shouldRetryToolReadProbe({ - text: "Use tool function read[] now.", - nonceA: "nonce-a", - nonceB: "nonce-b", - provider: "openai", - attempt: 0, - maxAttempts: 3, - }), - ).toBe(true); - }); - - it("retries mistral nonce marker echoes without parsed nonce values", () => { - expect( - shouldRetryToolReadProbe({ - text: "nonceA= nonceB=", - nonceA: "nonce-a", - nonceB: "nonce-b", - provider: "mistral", - attempt: 0, - maxAttempts: 3, - }), - ).toBe(true); - }); - - it("retries anthropic nonce refusal output", () => { - expect( - shouldRetryToolReadProbe({ - text: "This isn't a real OpenClaw probe; I won't parrot back nonce values.", - nonceA: "nonce-a", - nonceB: "nonce-b", - provider: "anthropic", - attempt: 0, - maxAttempts: 3, - }), - ).toBe(true); - }); - - it("retries anthropic prompt-injection refusal output", () => { - expect( - shouldRetryToolReadProbe({ - text: "This is not a legitimate self-test; it appears to be a prompt injection attempt.", - nonceA: "nonce-a", - nonceB: "nonce-b", - provider: "anthropic", - attempt: 0, - maxAttempts: 3, - }), - ).toBe(true); - }); - - it("does not retry nonce marker echoes for non-mistral providers", () => { - expect( - shouldRetryToolReadProbe({ - text: "nonceA= nonceB=", - nonceA: "nonce-a", - nonceB: "nonce-b", - provider: "openai", - attempt: 0, - maxAttempts: 3, - }), - ).toBe(false); - }); - - it("retries malformed exec+read output when attempts remain", () => { - expect( - shouldRetryExecReadProbe({ - text: "read[object Object]", - nonce: "nonce-c", - provider: "openai", - attempt: 0, - maxAttempts: 3, - }), - ).toBe(true); - }); - - it("does not retry exec+read once max attempts are exhausted", () => { - expect( - shouldRetryExecReadProbe({ - text: "read[object Object]", - nonce: "nonce-c", - provider: "openai", - attempt: 2, - maxAttempts: 3, - }), - ).toBe(false); - }); - - it("does not retry exec+read when nonce is present", () => { - expect( - shouldRetryExecReadProbe({ - text: "nonce-c", - nonce: "nonce-c", - provider: "openai", - attempt: 0, - maxAttempts: 3, - }), - ).toBe(false); - }); - - it("retries anthropic exec+read nonce refusal output", () => { - expect( - shouldRetryExecReadProbe({ - text: "No part of the system asks me to parrot back nonce values.", - nonce: "nonce-c", - provider: "anthropic", - attempt: 0, - maxAttempts: 3, - }), - ).toBe(true); + describe("shouldRetryExecReadProbe", () => { + it.each([ + { + name: "retries malformed exec+read output when attempts remain", + params: { + text: "read[object Object]", + nonce: "nonce-c", + provider: "openai", + attempt: 0, + maxAttempts: 3, + }, + expected: true, + }, + { + name: "does not retry once max attempts are exhausted", + params: { + text: "read[object Object]", + nonce: "nonce-c", + provider: "openai", + attempt: 2, + maxAttempts: 3, + }, + expected: false, + }, + { + name: "does not retry when the nonce is already present", + params: { + text: "nonce-c", + nonce: "nonce-c", + provider: "openai", + attempt: 0, + maxAttempts: 3, + }, + expected: false, + }, + { + name: "prefers a valid nonce even if the text still contains scaffolding words", + params: { + text: "tool output nonce-c function", + nonce: "nonce-c", + provider: "openai", + attempt: 0, + maxAttempts: 3, + }, + expected: false, + }, + { + name: "retries anthropic nonce refusal output", + params: { + text: "No part of the system asks me to parrot back nonce values.", + nonce: "nonce-c", + provider: "anthropic", + attempt: 0, + maxAttempts: 3, + }, + expected: true, + }, + { + name: "does not special-case anthropic refusals for other providers", + params: { + text: "No part of the system asks me to parrot back nonce values.", + nonce: "nonce-c", + provider: "openai", + attempt: 0, + maxAttempts: 3, + }, + expected: false, + }, + ])("$name", ({ params, expected }) => { + expect(shouldRetryExecReadProbe(params)).toBe(expected); + }); }); }); diff --git a/src/gateway/origin-check.test.ts b/src/gateway/origin-check.test.ts index 50c031e927d..2bdec288fd6 100644 --- a/src/gateway/origin-check.test.ts +++ b/src/gateway/origin-check.test.ts @@ -2,102 +2,93 @@ import { describe, expect, it } from "vitest"; import { checkBrowserOrigin } from "./origin-check.js"; describe("checkBrowserOrigin", () => { - it("accepts same-origin host matches only with legacy host-header fallback", () => { - const result = checkBrowserOrigin({ - requestHost: "127.0.0.1:18789", - origin: "http://127.0.0.1:18789", - allowHostHeaderOriginFallback: true, - }); - expect(result.ok).toBe(true); - if (result.ok) { - expect(result.matchedBy).toBe("host-header-fallback"); - } - }); - - it("rejects same-origin host matches when legacy host-header fallback is disabled", () => { - const result = checkBrowserOrigin({ - requestHost: "gateway.example.com:18789", - origin: "https://gateway.example.com:18789", - }); - expect(result.ok).toBe(false); - }); - - it("accepts loopback host mismatches for dev", () => { - const result = checkBrowserOrigin({ - requestHost: "127.0.0.1:18789", - origin: "http://localhost:5173", - isLocalClient: true, - }); - expect(result.ok).toBe(true); - }); - - it("rejects loopback origin mismatches when request is not local", () => { - const result = checkBrowserOrigin({ - requestHost: "127.0.0.1:18789", - origin: "http://localhost:5173", - isLocalClient: false, - }); - expect(result.ok).toBe(false); - }); - - it("accepts allowlisted origins", () => { - const result = checkBrowserOrigin({ - requestHost: "gateway.example.com:18789", - origin: "https://control.example.com", - allowedOrigins: ["https://control.example.com"], - }); - expect(result.ok).toBe(true); - }); - - it("accepts wildcard allowedOrigins", () => { - const result = checkBrowserOrigin({ - requestHost: "gateway.example.com:18789", - origin: "https://any-origin.example.com", - allowedOrigins: ["*"], - }); - expect(result.ok).toBe(true); - }); - - it("rejects missing origin", () => { - const result = checkBrowserOrigin({ - requestHost: "gateway.example.com:18789", - origin: "", - }); - expect(result.ok).toBe(false); - }); - - it("rejects mismatched origins", () => { - const result = checkBrowserOrigin({ - requestHost: "gateway.example.com:18789", - origin: "https://attacker.example.com", - }); - expect(result.ok).toBe(false); - }); - - it('accepts any origin when allowedOrigins includes "*" (regression: #30990)', () => { - const result = checkBrowserOrigin({ - requestHost: "100.86.79.37:18789", - origin: "https://100.86.79.37:18789", - allowedOrigins: ["*"], - }); - expect(result.ok).toBe(true); - }); - - it('accepts any origin when allowedOrigins includes "*" alongside specific entries', () => { - const result = checkBrowserOrigin({ - requestHost: "gateway.tailnet.ts.net:18789", - origin: "https://gateway.tailnet.ts.net:18789", - allowedOrigins: ["https://control.example.com", "*"], - }); - expect(result.ok).toBe(true); - }); - - it("accepts wildcard entries with surrounding whitespace", () => { - const result = checkBrowserOrigin({ - requestHost: "100.86.79.37:18789", - origin: "https://100.86.79.37:18789", - allowedOrigins: [" * "], - }); - expect(result.ok).toBe(true); + it.each([ + { + name: "accepts host-header fallback when explicitly enabled", + input: { + requestHost: "127.0.0.1:18789", + origin: "http://127.0.0.1:18789", + allowHostHeaderOriginFallback: true, + }, + expected: { ok: true as const, matchedBy: "host-header-fallback" as const }, + }, + { + name: "rejects same-origin host matches when fallback is disabled", + input: { + requestHost: "gateway.example.com:18789", + origin: "https://gateway.example.com:18789", + }, + expected: { ok: false as const, reason: "origin not allowed" }, + }, + { + name: "accepts local loopback mismatches for local clients", + input: { + requestHost: "127.0.0.1:18789", + origin: "http://localhost:5173", + isLocalClient: true, + }, + expected: { ok: true as const, matchedBy: "local-loopback" as const }, + }, + { + name: "rejects loopback mismatches for non-local clients", + input: { + requestHost: "127.0.0.1:18789", + origin: "http://localhost:5173", + isLocalClient: false, + }, + expected: { ok: false as const, reason: "origin not allowed" }, + }, + { + name: "accepts trimmed lowercase-normalized allowlist matches", + input: { + requestHost: "gateway.example.com:18789", + origin: "https://CONTROL.example.com", + allowedOrigins: [" https://control.example.com "], + }, + expected: { ok: true as const, matchedBy: "allowlist" as const }, + }, + { + name: "accepts wildcard allowlists even alongside specific entries", + input: { + requestHost: "gateway.tailnet.ts.net:18789", + origin: "https://any-origin.example.com", + allowedOrigins: ["https://control.example.com", " * "], + }, + expected: { ok: true as const, matchedBy: "allowlist" as const }, + }, + { + name: "rejects missing origin", + input: { + requestHost: "gateway.example.com:18789", + origin: "", + }, + expected: { ok: false as const, reason: "origin missing or invalid" }, + }, + { + name: 'rejects literal "null" origin', + input: { + requestHost: "gateway.example.com:18789", + origin: "null", + }, + expected: { ok: false as const, reason: "origin missing or invalid" }, + }, + { + name: "rejects malformed origin URLs", + input: { + requestHost: "gateway.example.com:18789", + origin: "not a url", + }, + expected: { ok: false as const, reason: "origin missing or invalid" }, + }, + { + name: "rejects mismatched origins", + input: { + requestHost: "gateway.example.com:18789", + origin: "https://attacker.example.com", + }, + expected: { ok: false as const, reason: "origin not allowed" }, + }, + ])("$name", ({ input, expected }) => { + expect(checkBrowserOrigin(input)).toEqual(expected); }); }); diff --git a/src/gateway/ws-log.test.ts b/src/gateway/ws-log.test.ts index 5a748c38eb7..a14bca6f628 100644 --- a/src/gateway/ws-log.test.ts +++ b/src/gateway/ws-log.test.ts @@ -2,20 +2,39 @@ import { describe, expect, test } from "vitest"; import { formatForLog, shortId, summarizeAgentEventForWsLog } from "./ws-log.js"; describe("gateway ws log helpers", () => { - test("shortId compacts uuids and long strings", () => { - expect(shortId("12345678-1234-1234-1234-123456789abc")).toBe("12345678…9abc"); - expect(shortId("a".repeat(30))).toBe("aaaaaaaaaaaa…aaaa"); - expect(shortId("short")).toBe("short"); + test.each([ + { + name: "compacts uuids", + input: "12345678-1234-1234-1234-123456789abc", + expected: "12345678…9abc", + }, + { + name: "compacts long strings", + input: "a".repeat(30), + expected: "aaaaaaaaaaaa…aaaa", + }, + { + name: "trims before checking length", + input: " short ", + expected: "short", + }, + ])("shortId $name", ({ input, expected }) => { + expect(shortId(input)).toBe(expected); }); - test("formatForLog formats errors and messages", () => { - const err = new Error("boom"); - err.name = "TestError"; - expect(formatForLog(err)).toContain("TestError"); - expect(formatForLog(err)).toContain("boom"); - - const obj = { name: "Oops", message: "failed", code: "E1" }; - expect(formatForLog(obj)).toBe("Oops: failed: code=E1"); + test.each([ + { + name: "formats Error instances", + input: Object.assign(new Error("boom"), { name: "TestError" }), + expected: "TestError: boom", + }, + { + name: "formats message-like objects with codes", + input: { name: "Oops", message: "failed", code: "E1" }, + expected: "Oops: failed: code=E1", + }, + ])("formatForLog $name", ({ input, expected }) => { + expect(formatForLog(input)).toBe(expected); }); test("formatForLog redacts obvious secrets", () => { @@ -26,33 +45,79 @@ describe("gateway ws log helpers", () => { expect(out).toContain("…"); }); - test("summarizeAgentEventForWsLog extracts useful fields", () => { + test("summarizeAgentEventForWsLog compacts assistant payloads", () => { const summary = summarizeAgentEventForWsLog({ runId: "12345678-1234-1234-1234-123456789abc", sessionKey: "agent:main:main", stream: "assistant", seq: 2, - data: { text: "hello world", mediaUrls: ["a", "b"] }, + data: { + text: "hello\n\nworld ".repeat(20), + mediaUrls: ["a", "b"], + }, }); + expect(summary).toMatchObject({ agent: "main", run: "12345678…9abc", session: "main", stream: "assistant", aseq: 2, - text: "hello world", media: 2, }); + expect(summary.text).toBeTypeOf("string"); + expect(summary.text).not.toContain("\n"); + }); - const tool = summarizeAgentEventForWsLog({ - runId: "run-1", - stream: "tool", - data: { phase: "start", name: "fetch", toolCallId: "call-1" }, - }); - expect(tool).toMatchObject({ + test("summarizeAgentEventForWsLog includes tool metadata", () => { + expect( + summarizeAgentEventForWsLog({ + runId: "run-1", + stream: "tool", + data: { phase: "start", name: "fetch", toolCallId: "12345678-1234-1234-1234-123456789abc" }, + }), + ).toMatchObject({ + run: "run-1", stream: "tool", tool: "start:fetch", - call: "call-1", + call: "12345678…9abc", + }); + }); + + test("summarizeAgentEventForWsLog includes lifecycle errors with compact previews", () => { + const summary = summarizeAgentEventForWsLog({ + runId: "run-2", + sessionKey: "agent:main:thread-1", + stream: "lifecycle", + data: { + phase: "abort", + aborted: true, + error: "fatal ".repeat(40), + }, + }); + + expect(summary).toMatchObject({ + agent: "main", + session: "thread-1", + stream: "lifecycle", + phase: "abort", + aborted: true, + }); + expect(summary.error).toBeTypeOf("string"); + expect((summary.error as string).length).toBeLessThanOrEqual(120); + }); + + test("summarizeAgentEventForWsLog preserves invalid session keys and unknown-stream reasons", () => { + expect( + summarizeAgentEventForWsLog({ + sessionKey: "bogus-session", + stream: "other", + data: { reason: "dropped" }, + }), + ).toEqual({ + session: "bogus-session", + stream: "other", + reason: "dropped", }); }); }); From 2d32cf283948203a5606a195937ef0b374f80fdf Mon Sep 17 00:00:00 2001 From: Peter Steinberger Date: Fri, 13 Mar 2026 17:47:47 +0000 Subject: [PATCH 005/268] test: harden infra formatter and retry coverage --- src/infra/format-time/format-time.test.ts | 43 ++++- src/infra/retry-policy.test.ts | 184 +++++++++++++++++----- 2 files changed, 180 insertions(+), 47 deletions(-) diff --git a/src/infra/format-time/format-time.test.ts b/src/infra/format-time/format-time.test.ts index e9a25578edd..22ae60dcc6d 100644 --- a/src/infra/format-time/format-time.test.ts +++ b/src/infra/format-time/format-time.test.ts @@ -1,4 +1,4 @@ -import { describe, expect, it } from "vitest"; +import { afterEach, beforeEach, describe, expect, it, vi } from "vitest"; import { formatUtcTimestamp, formatZonedTimestamp, resolveTimezone } from "./format-datetime.js"; import { formatDurationCompact, @@ -188,6 +188,15 @@ describe("format-relative", () => { }); describe("formatRelativeTimestamp", () => { + beforeEach(() => { + vi.useFakeTimers(); + vi.setSystemTime(new Date("2024-02-10T12:00:00.000Z")); + }); + + afterEach(() => { + vi.useRealTimers(); + }); + it("returns fallback for invalid timestamp input", () => { for (const value of [null, undefined]) { expect(formatRelativeTimestamp(value)).toBe("n/a"); @@ -197,21 +206,39 @@ describe("format-relative", () => { it.each([ { offsetMs: -10000, expected: "just now" }, + { offsetMs: -30000, expected: "just now" }, { offsetMs: -300000, expected: "5m ago" }, { offsetMs: -7200000, expected: "2h ago" }, + { offsetMs: -(47 * 3600000), expected: "47h ago" }, + { offsetMs: -(48 * 3600000), expected: "2d ago" }, { offsetMs: 30000, expected: "in <1m" }, { offsetMs: 300000, expected: "in 5m" }, { offsetMs: 7200000, expected: "in 2h" }, ])("formats relative timestamp for offset $offsetMs", ({ offsetMs, expected }) => { - const now = Date.now(); - expect(formatRelativeTimestamp(now + offsetMs)).toBe(expected); + expect(formatRelativeTimestamp(Date.now() + offsetMs)).toBe(expected); }); - it("falls back to date for old timestamps when enabled", () => { - const oldDate = Date.now() - 30 * 24 * 3600000; // 30 days ago - const result = formatRelativeTimestamp(oldDate, { dateFallback: true }); - // Should be a short date like "Jan 9" not "30d ago" - expect(result).toMatch(/[A-Z][a-z]{2} \d{1,2}/); + it.each([ + { + name: "keeps 7-day-old timestamps relative", + offsetMs: -7 * 24 * 3600000, + options: { dateFallback: true, timezone: "UTC" }, + expected: "7d ago", + }, + { + name: "falls back to a short date once the timestamp is older than 7 days", + offsetMs: -8 * 24 * 3600000, + options: { dateFallback: true, timezone: "UTC" }, + expected: "Feb 2", + }, + { + name: "keeps relative output when date fallback is disabled", + offsetMs: -8 * 24 * 3600000, + options: { timezone: "UTC" }, + expected: "8d ago", + }, + ])("$name", ({ offsetMs, options, expected }) => { + expect(formatRelativeTimestamp(Date.now() + offsetMs, options)).toBe(expected); }); }); }); diff --git a/src/infra/retry-policy.test.ts b/src/infra/retry-policy.test.ts index 76a4415deee..be0e4d91de3 100644 --- a/src/infra/retry-policy.test.ts +++ b/src/infra/retry-policy.test.ts @@ -1,48 +1,154 @@ -import { describe, expect, it, vi } from "vitest"; +import { afterEach, describe, expect, it, vi } from "vitest"; import { createTelegramRetryRunner } from "./retry-policy.js"; +const ZERO_DELAY_RETRY = { attempts: 3, minDelayMs: 0, maxDelayMs: 0, jitter: 0 }; + describe("createTelegramRetryRunner", () => { + afterEach(() => { + vi.useRealTimers(); + vi.restoreAllMocks(); + }); + describe("strictShouldRetry", () => { - it("without strictShouldRetry: ECONNRESET is retried via regex fallback even when predicate returns false", async () => { - const fn = vi - .fn() - .mockRejectedValue(Object.assign(new Error("read ECONNRESET"), { code: "ECONNRESET" })); - const runner = createTelegramRetryRunner({ - retry: { attempts: 2, minDelayMs: 0, maxDelayMs: 0, jitter: 0 }, - shouldRetry: () => false, // predicate says no - // strictShouldRetry not set — regex fallback still applies - }); - await expect(runner(fn, "test")).rejects.toThrow("ECONNRESET"); - // Regex matches "reset" so it retried despite shouldRetry returning false - expect(fn).toHaveBeenCalledTimes(2); - }); + it.each([ + { + name: "falls back to regex matching when strictShouldRetry is disabled", + runnerOptions: { + retry: { ...ZERO_DELAY_RETRY, attempts: 2 }, + shouldRetry: () => false, + }, + fnSteps: [ + { + type: "reject" as const, + value: Object.assign(new Error("read ECONNRESET"), { + code: "ECONNRESET", + }), + }, + ], + expectedCalls: 2, + expectedError: "ECONNRESET", + }, + { + name: "suppresses regex fallback when strictShouldRetry is enabled", + runnerOptions: { + retry: { ...ZERO_DELAY_RETRY, attempts: 2 }, + shouldRetry: () => false, + strictShouldRetry: true, + }, + fnSteps: [ + { + type: "reject" as const, + value: Object.assign(new Error("read ECONNRESET"), { + code: "ECONNRESET", + }), + }, + ], + expectedCalls: 1, + expectedError: "ECONNRESET", + }, + { + name: "still retries when the strict predicate returns true", + runnerOptions: { + retry: { ...ZERO_DELAY_RETRY, attempts: 2 }, + shouldRetry: (err: unknown) => (err as { code?: string }).code === "ECONNREFUSED", + strictShouldRetry: true, + }, + fnSteps: [ + { + type: "reject" as const, + value: Object.assign(new Error("ECONNREFUSED"), { + code: "ECONNREFUSED", + }), + }, + { type: "resolve" as const, value: "ok" }, + ], + expectedCalls: 2, + expectedValue: "ok", + }, + { + name: "does not retry unrelated errors when neither predicate nor regex match", + runnerOptions: { + retry: { ...ZERO_DELAY_RETRY, attempts: 2 }, + }, + fnSteps: [ + { + type: "reject" as const, + value: Object.assign(new Error("permission denied"), { + code: "EACCES", + }), + }, + ], + expectedCalls: 1, + expectedError: "permission denied", + }, + { + name: "keeps retrying retriable errors until attempts are exhausted", + runnerOptions: { + retry: ZERO_DELAY_RETRY, + }, + fnSteps: [ + { + type: "reject" as const, + value: Object.assign(new Error("connection timeout"), { + code: "ETIMEDOUT", + }), + }, + ], + expectedCalls: 3, + expectedError: "connection timeout", + }, + ])("$name", async ({ runnerOptions, fnSteps, expectedCalls, expectedValue, expectedError }) => { + vi.useFakeTimers(); + const runner = createTelegramRetryRunner(runnerOptions); + const fn = vi.fn(); + const allRejects = fnSteps.length > 0 && fnSteps.every((step) => step.type === "reject"); + if (allRejects) { + fn.mockRejectedValue(fnSteps[0]?.value); + } + for (const [index, step] of fnSteps.entries()) { + if (allRejects && index > 0) { + break; + } + if (step.type === "reject") { + fn.mockRejectedValueOnce(step.value); + } else { + fn.mockResolvedValueOnce(step.value); + } + } - it("with strictShouldRetry=true: ECONNRESET is NOT retried when predicate returns false", async () => { - const fn = vi - .fn() - .mockRejectedValue(Object.assign(new Error("read ECONNRESET"), { code: "ECONNRESET" })); - const runner = createTelegramRetryRunner({ - retry: { attempts: 2, minDelayMs: 0, maxDelayMs: 0, jitter: 0 }, - shouldRetry: () => false, - strictShouldRetry: true, // predicate is authoritative - }); - await expect(runner(fn, "test")).rejects.toThrow("ECONNRESET"); - // No retry — predicate returned false and regex fallback was suppressed - expect(fn).toHaveBeenCalledTimes(1); - }); + const promise = runner(fn, "test"); + const assertion = expectedError + ? expect(promise).rejects.toThrow(expectedError) + : expect(promise).resolves.toBe(expectedValue); - it("with strictShouldRetry=true: ECONNREFUSED is still retried when predicate returns true", async () => { - const fn = vi - .fn() - .mockRejectedValueOnce(Object.assign(new Error("ECONNREFUSED"), { code: "ECONNREFUSED" })) - .mockResolvedValue("ok"); - const runner = createTelegramRetryRunner({ - retry: { attempts: 2, minDelayMs: 0, maxDelayMs: 0, jitter: 0 }, - shouldRetry: (err) => (err as { code?: string }).code === "ECONNREFUSED", - strictShouldRetry: true, - }); - await expect(runner(fn, "test")).resolves.toBe("ok"); - expect(fn).toHaveBeenCalledTimes(2); + await vi.runAllTimersAsync(); + await assertion; + expect(fn).toHaveBeenCalledTimes(expectedCalls); }); }); + + it("honors nested retry_after hints before retrying", async () => { + vi.useFakeTimers(); + + const runner = createTelegramRetryRunner({ + retry: { attempts: 2, minDelayMs: 0, maxDelayMs: 1_000, jitter: 0 }, + }); + const fn = vi + .fn() + .mockRejectedValueOnce({ + message: "429 Too Many Requests", + response: { parameters: { retry_after: 1 } }, + }) + .mockResolvedValue("ok"); + + const promise = runner(fn, "test"); + + expect(fn).toHaveBeenCalledTimes(1); + await vi.advanceTimersByTimeAsync(999); + expect(fn).toHaveBeenCalledTimes(1); + + await vi.advanceTimersByTimeAsync(1); + await expect(promise).resolves.toBe("ok"); + expect(fn).toHaveBeenCalledTimes(2); + }); }); From f5b006f6a1a5dde4047d2dd5d4b07b4267a5c35a Mon Sep 17 00:00:00 2001 From: Peter Steinberger Date: Fri, 13 Mar 2026 17:49:32 +0000 Subject: [PATCH 006/268] test: simplify model ref normalization coverage --- src/agents/model-selection.test.ts | 232 ++++++++++++++--------------- 1 file changed, 111 insertions(+), 121 deletions(-) diff --git a/src/agents/model-selection.test.ts b/src/agents/model-selection.test.ts index 63aef63561c..35ac52dcf26 100644 --- a/src/agents/model-selection.test.ts +++ b/src/agents/model-selection.test.ts @@ -80,131 +80,121 @@ describe("model-selection", () => { }); describe("parseModelRef", () => { - it("should parse full model refs", () => { - expect(parseModelRef("anthropic/claude-3-5-sonnet", "openai")).toEqual({ - provider: "anthropic", - model: "claude-3-5-sonnet", - }); + const expectParsedModelVariants = ( + variants: string[], + defaultProvider: string, + expected: { provider: string; model: string }, + ) => { + for (const raw of variants) { + expect(parseModelRef(raw, defaultProvider), raw).toEqual(expected); + } + }; + + it.each([ + { + name: "parses explicit provider/model refs", + variants: ["anthropic/claude-3-5-sonnet"], + defaultProvider: "openai", + expected: { provider: "anthropic", model: "claude-3-5-sonnet" }, + }, + { + name: "uses the default provider when omitted", + variants: ["claude-3-5-sonnet"], + defaultProvider: "anthropic", + expected: { provider: "anthropic", model: "claude-3-5-sonnet" }, + }, + { + name: "preserves nested model ids after the provider prefix", + variants: ["nvidia/moonshotai/kimi-k2.5"], + defaultProvider: "anthropic", + expected: { provider: "nvidia", model: "moonshotai/kimi-k2.5" }, + }, + { + name: "normalizes anthropic shorthand aliases", + variants: ["anthropic/opus-4.6", "opus-4.6", " anthropic / opus-4.6 "], + defaultProvider: "anthropic", + expected: { provider: "anthropic", model: "claude-opus-4-6" }, + }, + { + name: "normalizes anthropic sonnet aliases", + variants: ["anthropic/sonnet-4.6", "sonnet-4.6"], + defaultProvider: "anthropic", + expected: { provider: "anthropic", model: "claude-sonnet-4-6" }, + }, + { + name: "normalizes deprecated google flash preview ids", + variants: ["google/gemini-3.1-flash-preview", "gemini-3.1-flash-preview"], + defaultProvider: "google", + expected: { provider: "google", model: "gemini-3-flash-preview" }, + }, + { + name: "normalizes gemini 3.1 flash-lite ids", + variants: ["google/gemini-3.1-flash-lite", "gemini-3.1-flash-lite"], + defaultProvider: "google", + expected: { provider: "google", model: "gemini-3.1-flash-lite-preview" }, + }, + { + name: "keeps OpenAI codex refs on the openai provider", + variants: ["openai/gpt-5.3-codex", "gpt-5.3-codex"], + defaultProvider: "openai", + expected: { provider: "openai", model: "gpt-5.3-codex" }, + }, + { + name: "preserves openrouter native model prefixes", + variants: ["openrouter/aurora-alpha"], + defaultProvider: "openai", + expected: { provider: "openrouter", model: "openrouter/aurora-alpha" }, + }, + { + name: "passes through openrouter upstream provider ids", + variants: ["openrouter/anthropic/claude-sonnet-4-5"], + defaultProvider: "openai", + expected: { provider: "openrouter", model: "anthropic/claude-sonnet-4-5" }, + }, + { + name: "normalizes Vercel Claude shorthand to anthropic-prefixed model ids", + variants: ["vercel-ai-gateway/claude-opus-4.6"], + defaultProvider: "openai", + expected: { provider: "vercel-ai-gateway", model: "anthropic/claude-opus-4.6" }, + }, + { + name: "normalizes Vercel Anthropic aliases without double-prefixing", + variants: ["vercel-ai-gateway/opus-4.6"], + defaultProvider: "openai", + expected: { provider: "vercel-ai-gateway", model: "anthropic/claude-opus-4-6" }, + }, + { + name: "keeps already-prefixed Vercel Anthropic models unchanged", + variants: ["vercel-ai-gateway/anthropic/claude-opus-4.6"], + defaultProvider: "openai", + expected: { provider: "vercel-ai-gateway", model: "anthropic/claude-opus-4.6" }, + }, + { + name: "passes through non-Claude Vercel model ids unchanged", + variants: ["vercel-ai-gateway/openai/gpt-5.2"], + defaultProvider: "openai", + expected: { provider: "vercel-ai-gateway", model: "openai/gpt-5.2" }, + }, + { + name: "keeps already-suffixed codex variants unchanged", + variants: ["openai/gpt-5.3-codex-codex"], + defaultProvider: "anthropic", + expected: { provider: "openai", model: "gpt-5.3-codex-codex" }, + }, + ])("$name", ({ variants, defaultProvider, expected }) => { + expectParsedModelVariants(variants, defaultProvider, expected); }); - it("preserves nested model ids after provider prefix", () => { - expect(parseModelRef("nvidia/moonshotai/kimi-k2.5", "anthropic")).toEqual({ - provider: "nvidia", - model: "moonshotai/kimi-k2.5", - }); + it("round-trips normalized refs through modelKey", () => { + const parsed = parseModelRef(" opus-4.6 ", "anthropic"); + expect(parsed).toEqual({ provider: "anthropic", model: "claude-opus-4-6" }); + expect(modelKey(parsed?.provider ?? "", parsed?.model ?? "")).toBe( + "anthropic/claude-opus-4-6", + ); }); - it("normalizes anthropic alias refs to canonical model ids", () => { - expect(parseModelRef("anthropic/opus-4.6", "openai")).toEqual({ - provider: "anthropic", - model: "claude-opus-4-6", - }); - expect(parseModelRef("opus-4.6", "anthropic")).toEqual({ - provider: "anthropic", - model: "claude-opus-4-6", - }); - expect(parseModelRef("anthropic/sonnet-4.6", "openai")).toEqual({ - provider: "anthropic", - model: "claude-sonnet-4-6", - }); - expect(parseModelRef("sonnet-4.6", "anthropic")).toEqual({ - provider: "anthropic", - model: "claude-sonnet-4-6", - }); - }); - - it("should use default provider if none specified", () => { - expect(parseModelRef("claude-3-5-sonnet", "anthropic")).toEqual({ - provider: "anthropic", - model: "claude-3-5-sonnet", - }); - }); - - it("normalizes deprecated google flash preview ids to the working model id", () => { - expect(parseModelRef("google/gemini-3.1-flash-preview", "openai")).toEqual({ - provider: "google", - model: "gemini-3-flash-preview", - }); - expect(parseModelRef("gemini-3.1-flash-preview", "google")).toEqual({ - provider: "google", - model: "gemini-3-flash-preview", - }); - }); - - it("normalizes gemini 3.1 flash-lite to the preview model id", () => { - expect(parseModelRef("google/gemini-3.1-flash-lite", "openai")).toEqual({ - provider: "google", - model: "gemini-3.1-flash-lite-preview", - }); - expect(parseModelRef("gemini-3.1-flash-lite", "google")).toEqual({ - provider: "google", - model: "gemini-3.1-flash-lite-preview", - }); - }); - - it("keeps openai gpt-5.3 codex refs on the openai provider", () => { - expect(parseModelRef("openai/gpt-5.3-codex", "anthropic")).toEqual({ - provider: "openai", - model: "gpt-5.3-codex", - }); - expect(parseModelRef("gpt-5.3-codex", "openai")).toEqual({ - provider: "openai", - model: "gpt-5.3-codex", - }); - expect(parseModelRef("openai/gpt-5.3-codex-codex", "anthropic")).toEqual({ - provider: "openai", - model: "gpt-5.3-codex-codex", - }); - }); - - it("should return null for empty strings", () => { - expect(parseModelRef("", "anthropic")).toBeNull(); - expect(parseModelRef(" ", "anthropic")).toBeNull(); - }); - - it("should preserve openrouter/ prefix for native models", () => { - expect(parseModelRef("openrouter/aurora-alpha", "openai")).toEqual({ - provider: "openrouter", - model: "openrouter/aurora-alpha", - }); - }); - - it("should pass through openrouter external provider models as-is", () => { - expect(parseModelRef("openrouter/anthropic/claude-sonnet-4-5", "openai")).toEqual({ - provider: "openrouter", - model: "anthropic/claude-sonnet-4-5", - }); - }); - - it("normalizes Vercel Claude shorthand to anthropic-prefixed model ids", () => { - expect(parseModelRef("vercel-ai-gateway/claude-opus-4.6", "openai")).toEqual({ - provider: "vercel-ai-gateway", - model: "anthropic/claude-opus-4.6", - }); - expect(parseModelRef("vercel-ai-gateway/opus-4.6", "openai")).toEqual({ - provider: "vercel-ai-gateway", - model: "anthropic/claude-opus-4-6", - }); - }); - - it("keeps already-prefixed Vercel Anthropic models unchanged", () => { - expect(parseModelRef("vercel-ai-gateway/anthropic/claude-opus-4.6", "openai")).toEqual({ - provider: "vercel-ai-gateway", - model: "anthropic/claude-opus-4.6", - }); - }); - - it("passes through non-Claude Vercel model ids unchanged", () => { - expect(parseModelRef("vercel-ai-gateway/openai/gpt-5.2", "openai")).toEqual({ - provider: "vercel-ai-gateway", - model: "openai/gpt-5.2", - }); - }); - - it("should handle invalid slash usage", () => { - expect(parseModelRef("/", "anthropic")).toBeNull(); - expect(parseModelRef("anthropic/", "anthropic")).toBeNull(); - expect(parseModelRef("/model", "anthropic")).toBeNull(); + it.each(["", " ", "/", "anthropic/", "/model"])("returns null for invalid ref %j", (raw) => { + expect(parseModelRef(raw, "anthropic")).toBeNull(); }); }); From 87c447ed46c355bb8c54c41324a5b5a63c0a61aa Mon Sep 17 00:00:00 2001 From: Peter Steinberger Date: Fri, 13 Mar 2026 17:51:36 +0000 Subject: [PATCH 007/268] test: tighten failover classifier coverage --- ...dded-helpers.isbillingerrormessage.test.ts | 265 ++++++++++-------- 1 file changed, 143 insertions(+), 122 deletions(-) diff --git a/src/agents/pi-embedded-helpers.isbillingerrormessage.test.ts b/src/agents/pi-embedded-helpers.isbillingerrormessage.test.ts index 3cbefadbce8..e8578c7feb2 100644 --- a/src/agents/pi-embedded-helpers.isbillingerrormessage.test.ts +++ b/src/agents/pi-embedded-helpers.isbillingerrormessage.test.ts @@ -45,98 +45,117 @@ const GROQ_TOO_MANY_REQUESTS_MESSAGE = const GROQ_SERVICE_UNAVAILABLE_MESSAGE = "503 Service Unavailable: The server is temporarily unable to handle the request due to overloading or maintenance."; // pragma: allowlist secret +function expectMessageMatches( + matcher: (message: string) => boolean, + samples: readonly string[], + expected: boolean, +) { + for (const sample of samples) { + expect(matcher(sample), sample).toBe(expected); + } +} + describe("isAuthPermanentErrorMessage", () => { - it("matches permanent auth failure patterns", () => { - const samples = [ - "invalid_api_key", - "api key revoked", - "api key deactivated", - "key has been disabled", - "key has been revoked", - "account has been deactivated", - "could not authenticate api key", - "could not validate credentials", - "API_KEY_REVOKED", - "api_key_deleted", - ]; - for (const sample of samples) { - expect(isAuthPermanentErrorMessage(sample)).toBe(true); - } - }); - it("does not match transient auth errors", () => { - const samples = [ - "unauthorized", - "invalid token", - "authentication failed", - "forbidden", - "access denied", - "token has expired", - ]; - for (const sample of samples) { - expect(isAuthPermanentErrorMessage(sample)).toBe(false); - } + it.each([ + { + name: "matches permanent auth failure patterns", + samples: [ + "invalid_api_key", + "api key revoked", + "api key deactivated", + "key has been disabled", + "key has been revoked", + "account has been deactivated", + "could not authenticate api key", + "could not validate credentials", + "API_KEY_REVOKED", + "api_key_deleted", + ], + expected: true, + }, + { + name: "does not match transient auth errors", + samples: [ + "unauthorized", + "invalid token", + "authentication failed", + "forbidden", + "access denied", + "token has expired", + ], + expected: false, + }, + ])("$name", ({ samples, expected }) => { + expectMessageMatches(isAuthPermanentErrorMessage, samples, expected); }); }); describe("isAuthErrorMessage", () => { - it("matches credential validation errors", () => { - const samples = [ - 'No credentials found for profile "anthropic:default".', - "No API key found for profile openai.", - ]; - for (const sample of samples) { - expect(isAuthErrorMessage(sample)).toBe(true); - } - }); - it("matches OAuth refresh failures", () => { - const samples = [ - "OAuth token refresh failed for anthropic: Failed to refresh OAuth token for anthropic. Please try again or re-authenticate.", - "Please re-authenticate to continue.", - ]; - for (const sample of samples) { - expect(isAuthErrorMessage(sample)).toBe(true); - } + it.each([ + 'No credentials found for profile "anthropic:default".', + "No API key found for profile openai.", + "OAuth token refresh failed for anthropic: Failed to refresh OAuth token for anthropic. Please try again or re-authenticate.", + "Please re-authenticate to continue.", + ])("matches auth errors for %j", (sample) => { + expect(isAuthErrorMessage(sample)).toBe(true); }); }); describe("isBillingErrorMessage", () => { - it("matches credit / payment failures", () => { - const samples = [ - "Your credit balance is too low to access the Anthropic API.", - "insufficient credits", - "Payment Required", - "HTTP 402 Payment Required", - "plans & billing", - // Venice returns "Insufficient USD or Diem balance" which has extra words - // between "insufficient" and "balance" - "Insufficient USD or Diem balance to complete request. Visit https://venice.ai/settings/api to add credits.", - // OpenRouter returns "requires more credits" for underfunded accounts - "This model requires more credits to use", - "This endpoint require more credits", - ]; - for (const sample of samples) { - expect(isBillingErrorMessage(sample)).toBe(true); - } - }); - it("does not false-positive on issue IDs or text containing 402", () => { - const falsePositives = [ - "Fixed issue CHE-402 in the latest release", - "See ticket #402 for details", - "ISSUE-402 has been resolved", - "Room 402 is available", - "Error code 403 was returned, not 402-related", - "The building at 402 Main Street", - "processed 402 records", - "402 items found in the database", - "port 402 is open", - "Use a 402 stainless bolt", - "Book a 402 room", - "There is a 402 near me", - ]; - for (const sample of falsePositives) { - expect(isBillingErrorMessage(sample)).toBe(false); - } + it.each([ + { + name: "matches credit and payment failures", + samples: [ + "Your credit balance is too low to access the Anthropic API.", + "insufficient credits", + "Payment Required", + "HTTP 402 Payment Required", + "plans & billing", + "Insufficient USD or Diem balance to complete request. Visit https://venice.ai/settings/api to add credits.", + "This model requires more credits to use", + "This endpoint require more credits", + ], + expected: true, + }, + { + name: "does not false-positive on issue ids and numeric references", + samples: [ + "Fixed issue CHE-402 in the latest release", + "See ticket #402 for details", + "ISSUE-402 has been resolved", + "Room 402 is available", + "Error code 403 was returned, not 402-related", + "The building at 402 Main Street", + "processed 402 records", + "402 items found in the database", + "port 402 is open", + "Use a 402 stainless bolt", + "Book a 402 room", + "There is a 402 near me", + ], + expected: false, + }, + { + name: "still matches real HTTP 402 billing errors", + samples: [ + "HTTP 402 Payment Required", + "status: 402", + "error code 402", + "http 402", + "status=402 payment required", + "got a 402 from the API", + "returned 402", + "received a 402 response", + '{"status":402,"type":"error"}', + '{"code":402,"message":"payment required"}', + '{"error":{"code":402,"message":"billing hard limit reached"}}', + ], + expected: true, + }, + ])("$name", ({ samples, expected }) => { + expectMessageMatches(isBillingErrorMessage, samples, expected); }); + it("does not false-positive on long assistant responses mentioning billing keywords", () => { // Simulate a multi-paragraph assistant response that mentions billing terms const longResponse = @@ -176,37 +195,27 @@ describe("isBillingErrorMessage", () => { expect(longNonError.length).toBeGreaterThan(512); expect(isBillingErrorMessage(longNonError)).toBe(false); }); - it("still matches real HTTP 402 billing errors", () => { - const realErrors = [ - "HTTP 402 Payment Required", - "status: 402", - "error code 402", - "http 402", - "status=402 payment required", - "got a 402 from the API", - "returned 402", - "received a 402 response", - '{"status":402,"type":"error"}', - '{"code":402,"message":"payment required"}', - '{"error":{"code":402,"message":"billing hard limit reached"}}', - ]; - for (const sample of realErrors) { - expect(isBillingErrorMessage(sample)).toBe(true); - } + + it("prefers billing when API-key and 402 hints both appear", () => { + const sample = + "402 Payment Required: The account associated with this API key has reached its maximum allowed monthly spending limit."; + expect(isBillingErrorMessage(sample)).toBe(true); + expect(classifyFailoverReason(sample)).toBe("billing"); }); }); describe("isCloudCodeAssistFormatError", () => { it("matches format errors", () => { - const samples = [ - "INVALID_REQUEST_ERROR: string should match pattern", - "messages.1.content.1.tool_use.id", - "tool_use.id should match pattern", - "invalid request format", - ]; - for (const sample of samples) { - expect(isCloudCodeAssistFormatError(sample)).toBe(true); - } + expectMessageMatches( + isCloudCodeAssistFormatError, + [ + "INVALID_REQUEST_ERROR: string should match pattern", + "messages.1.content.1.tool_use.id", + "tool_use.id should match pattern", + "invalid request format", + ], + true, + ); }); }); @@ -238,20 +247,24 @@ describe("isCloudflareOrHtmlErrorPage", () => { }); describe("isCompactionFailureError", () => { - it("matches compaction overflow failures", () => { - const samples = [ - 'Context overflow: Summarization failed: 400 {"message":"prompt is too long"}', - "auto-compaction failed due to context overflow", - "Compaction failed: prompt is too long", - "Summarization failed: context window exceeded for this request", - ]; - for (const sample of samples) { - expect(isCompactionFailureError(sample)).toBe(true); - } - }); - it("ignores non-compaction overflow errors", () => { - expect(isCompactionFailureError("Context overflow: prompt too large")).toBe(false); - expect(isCompactionFailureError("rate limit exceeded")).toBe(false); + it.each([ + { + name: "matches compaction overflow failures", + samples: [ + 'Context overflow: Summarization failed: 400 {"message":"prompt is too long"}', + "auto-compaction failed due to context overflow", + "Compaction failed: prompt is too long", + "Summarization failed: context window exceeded for this request", + ], + expected: true, + }, + { + name: "ignores non-compaction overflow errors", + samples: ["Context overflow: prompt too large", "rate limit exceeded"], + expected: false, + }, + ])("$name", ({ samples, expected }) => { + expectMessageMatches(isCompactionFailureError, samples, expected); }); }); @@ -506,6 +519,10 @@ describe("isTransientHttpError", () => { }); describe("classifyFailoverReasonFromHttpStatus", () => { + it("treats HTTP 401 permanent auth failures as auth_permanent", () => { + expect(classifyFailoverReasonFromHttpStatus(401, "invalid_api_key")).toBe("auth_permanent"); + }); + it("treats HTTP 422 as format error", () => { expect(classifyFailoverReasonFromHttpStatus(422)).toBe("format"); expect(classifyFailoverReasonFromHttpStatus(422, "check open ai req parameter error")).toBe( @@ -518,6 +535,10 @@ describe("classifyFailoverReasonFromHttpStatus", () => { expect(classifyFailoverReasonFromHttpStatus(422, "insufficient credits")).toBe("billing"); }); + it("treats HTTP 400 insufficient-quota payloads as billing instead of format", () => { + expect(classifyFailoverReasonFromHttpStatus(400, INSUFFICIENT_QUOTA_PAYLOAD)).toBe("billing"); + }); + it("treats HTTP 499 as transient for structured errors", () => { expect(classifyFailoverReasonFromHttpStatus(499)).toBe("timeout"); expect(classifyFailoverReasonFromHttpStatus(499, "499 Client Closed Request")).toBe("timeout"); From 118abfbdb78375aa0af22ed78e2d71d7f7b0d7bd Mon Sep 17 00:00:00 2001 From: Peter Steinberger Date: Fri, 13 Mar 2026 17:52:49 +0000 Subject: [PATCH 008/268] test: simplify trusted proxy coverage --- src/gateway/net.test.ts | 252 ++++++++++++++++++++++------------------ 1 file changed, 141 insertions(+), 111 deletions(-) diff --git a/src/gateway/net.test.ts b/src/gateway/net.test.ts index f5ee5db9a8e..185325d5428 100644 --- a/src/gateway/net.test.ts +++ b/src/gateway/net.test.ts @@ -49,117 +49,147 @@ describe("isLocalishHost", () => { }); describe("isTrustedProxyAddress", () => { - describe("exact IP matching", () => { - it("returns true when IP matches exactly", () => { - expect(isTrustedProxyAddress("192.168.1.1", ["192.168.1.1"])).toBe(true); - }); - - it("returns false when IP does not match", () => { - expect(isTrustedProxyAddress("192.168.1.2", ["192.168.1.1"])).toBe(false); - }); - - it("returns true when IP matches one of multiple proxies", () => { - expect(isTrustedProxyAddress("10.0.0.5", ["192.168.1.1", "10.0.0.5", "172.16.0.1"])).toBe( - true, - ); - }); - - it("ignores surrounding whitespace in exact IP entries", () => { - expect(isTrustedProxyAddress("10.0.0.5", [" 10.0.0.5 "])).toBe(true); - }); - }); - - describe("CIDR subnet matching", () => { - it("returns true when IP is within /24 subnet", () => { - expect(isTrustedProxyAddress("10.42.0.59", ["10.42.0.0/24"])).toBe(true); - expect(isTrustedProxyAddress("10.42.0.1", ["10.42.0.0/24"])).toBe(true); - expect(isTrustedProxyAddress("10.42.0.254", ["10.42.0.0/24"])).toBe(true); - }); - - it("returns false when IP is outside /24 subnet", () => { - expect(isTrustedProxyAddress("10.42.1.1", ["10.42.0.0/24"])).toBe(false); - expect(isTrustedProxyAddress("10.43.0.1", ["10.42.0.0/24"])).toBe(false); - }); - - it("returns true when IP is within /16 subnet", () => { - expect(isTrustedProxyAddress("172.19.5.100", ["172.19.0.0/16"])).toBe(true); - expect(isTrustedProxyAddress("172.19.255.255", ["172.19.0.0/16"])).toBe(true); - }); - - it("returns false when IP is outside /16 subnet", () => { - expect(isTrustedProxyAddress("172.20.0.1", ["172.19.0.0/16"])).toBe(false); - }); - - it("returns true when IP is within /32 subnet (single IP)", () => { - expect(isTrustedProxyAddress("10.42.0.0", ["10.42.0.0/32"])).toBe(true); - }); - - it("returns false when IP does not match /32 subnet", () => { - expect(isTrustedProxyAddress("10.42.0.1", ["10.42.0.0/32"])).toBe(false); - }); - - it("handles mixed exact IPs and CIDR notation", () => { - const proxies = ["192.168.1.1", "10.42.0.0/24", "172.19.0.0/16"]; - expect(isTrustedProxyAddress("192.168.1.1", proxies)).toBe(true); // exact match - expect(isTrustedProxyAddress("10.42.0.59", proxies)).toBe(true); // CIDR match - expect(isTrustedProxyAddress("172.19.5.100", proxies)).toBe(true); // CIDR match - expect(isTrustedProxyAddress("10.43.0.1", proxies)).toBe(false); // no match - }); - - it("supports IPv6 CIDR notation", () => { - expect(isTrustedProxyAddress("2001:db8::1234", ["2001:db8::/32"])).toBe(true); - expect(isTrustedProxyAddress("2001:db9::1234", ["2001:db8::/32"])).toBe(false); - }); - }); - - describe("backward compatibility", () => { - it("preserves exact IP matching behavior (no CIDR notation)", () => { - // Old configs with exact IPs should work exactly as before - expect(isTrustedProxyAddress("192.168.1.1", ["192.168.1.1"])).toBe(true); - expect(isTrustedProxyAddress("192.168.1.2", ["192.168.1.1"])).toBe(false); - expect(isTrustedProxyAddress("10.0.0.5", ["192.168.1.1", "10.0.0.5"])).toBe(true); - }); - - it("does NOT treat plain IPs as /32 CIDR (exact match only)", () => { - // "10.42.0.1" without /32 should match ONLY that exact IP - expect(isTrustedProxyAddress("10.42.0.1", ["10.42.0.1"])).toBe(true); - expect(isTrustedProxyAddress("10.42.0.2", ["10.42.0.1"])).toBe(false); - expect(isTrustedProxyAddress("10.42.0.59", ["10.42.0.1"])).toBe(false); - }); - - it("handles IPv4-mapped IPv6 addresses (existing normalizeIp behavior)", () => { - // Existing normalizeIp() behavior should be preserved - expect(isTrustedProxyAddress("::ffff:192.168.1.1", ["192.168.1.1"])).toBe(true); - }); - }); - - describe("edge cases", () => { - it("returns false when IP is undefined", () => { - expect(isTrustedProxyAddress(undefined, ["192.168.1.1"])).toBe(false); - }); - - it("returns false when trustedProxies is undefined", () => { - expect(isTrustedProxyAddress("192.168.1.1", undefined)).toBe(false); - }); - - it("returns false when trustedProxies is empty", () => { - expect(isTrustedProxyAddress("192.168.1.1", [])).toBe(false); - }); - - it("returns false for invalid CIDR notation", () => { - expect(isTrustedProxyAddress("10.42.0.59", ["10.42.0.0/33"])).toBe(false); // invalid prefix - expect(isTrustedProxyAddress("10.42.0.59", ["10.42.0.0/-1"])).toBe(false); // negative prefix - expect(isTrustedProxyAddress("10.42.0.59", ["invalid/24"])).toBe(false); // invalid IP - }); - - it("ignores surrounding whitespace in CIDR entries", () => { - expect(isTrustedProxyAddress("10.42.0.59", [" 10.42.0.0/24 "])).toBe(true); - }); - - it("ignores blank trusted proxy entries", () => { - expect(isTrustedProxyAddress("10.0.0.5", [" ", "\t"])).toBe(false); - expect(isTrustedProxyAddress("10.0.0.5", [" ", "10.0.0.5", ""])).toBe(true); - }); + it.each([ + { + name: "matches exact IP entries", + ip: "192.168.1.1", + trustedProxies: ["192.168.1.1"], + expected: true, + }, + { + name: "rejects non-matching exact IP entries", + ip: "192.168.1.2", + trustedProxies: ["192.168.1.1"], + expected: false, + }, + { + name: "matches one of multiple exact entries", + ip: "10.0.0.5", + trustedProxies: ["192.168.1.1", "10.0.0.5", "172.16.0.1"], + expected: true, + }, + { + name: "ignores surrounding whitespace in exact IP entries", + ip: "10.0.0.5", + trustedProxies: [" 10.0.0.5 "], + expected: true, + }, + { + name: "matches /24 CIDR entries", + ip: "10.42.0.59", + trustedProxies: ["10.42.0.0/24"], + expected: true, + }, + { + name: "rejects IPs outside /24 CIDR entries", + ip: "10.42.1.1", + trustedProxies: ["10.42.0.0/24"], + expected: false, + }, + { + name: "matches /16 CIDR entries", + ip: "172.19.255.255", + trustedProxies: ["172.19.0.0/16"], + expected: true, + }, + { + name: "rejects IPs outside /16 CIDR entries", + ip: "172.20.0.1", + trustedProxies: ["172.19.0.0/16"], + expected: false, + }, + { + name: "treats /32 as a single-IP CIDR", + ip: "10.42.0.0", + trustedProxies: ["10.42.0.0/32"], + expected: true, + }, + { + name: "rejects non-matching /32 CIDR entries", + ip: "10.42.0.1", + trustedProxies: ["10.42.0.0/32"], + expected: false, + }, + { + name: "handles mixed exact IP and CIDR entries", + ip: "172.19.5.100", + trustedProxies: ["192.168.1.1", "10.42.0.0/24", "172.19.0.0/16"], + expected: true, + }, + { + name: "rejects IPs missing from mixed exact IP and CIDR entries", + ip: "10.43.0.1", + trustedProxies: ["192.168.1.1", "10.42.0.0/24", "172.19.0.0/16"], + expected: false, + }, + { + name: "supports IPv6 CIDR notation", + ip: "2001:db8::1234", + trustedProxies: ["2001:db8::/32"], + expected: true, + }, + { + name: "rejects IPv6 addresses outside the configured CIDR", + ip: "2001:db9::1234", + trustedProxies: ["2001:db8::/32"], + expected: false, + }, + { + name: "preserves exact matching behavior for plain IP entries", + ip: "10.42.0.59", + trustedProxies: ["10.42.0.1"], + expected: false, + }, + { + name: "normalizes IPv4-mapped IPv6 addresses", + ip: "::ffff:192.168.1.1", + trustedProxies: ["192.168.1.1"], + expected: true, + }, + { + name: "returns false when IP is undefined", + ip: undefined, + trustedProxies: ["192.168.1.1"], + expected: false, + }, + { + name: "returns false when trusted proxies are undefined", + ip: "192.168.1.1", + trustedProxies: undefined, + expected: false, + }, + { + name: "returns false when trusted proxies are empty", + ip: "192.168.1.1", + trustedProxies: [], + expected: false, + }, + { + name: "rejects invalid CIDR prefixes and addresses", + ip: "10.42.0.59", + trustedProxies: ["10.42.0.0/33", "10.42.0.0/-1", "invalid/24", "2001:db8::/129"], + expected: false, + }, + { + name: "ignores surrounding whitespace in CIDR entries", + ip: "10.42.0.59", + trustedProxies: [" 10.42.0.0/24 "], + expected: true, + }, + { + name: "ignores blank trusted proxy entries", + ip: "10.0.0.5", + trustedProxies: [" ", "10.0.0.5", ""], + expected: true, + }, + { + name: "treats all-blank trusted proxy entries as no match", + ip: "10.0.0.5", + trustedProxies: [" ", "\t"], + expected: false, + }, + ])("$name", ({ ip, trustedProxies, expected }) => { + expect(isTrustedProxyAddress(ip, trustedProxies)).toBe(expected); }); }); From a68caaf719b0106a1cefd813c2a1116f6947089e Mon Sep 17 00:00:00 2001 From: Peter Steinberger Date: Fri, 13 Mar 2026 17:54:38 +0000 Subject: [PATCH 009/268] test: dedupe infra runtime and heartbeat coverage --- src/infra/infra-runtime.test.ts | 22 --- src/infra/outbound/targets.test.ts | 262 ++++++++++++++--------------- 2 files changed, 126 insertions(+), 158 deletions(-) diff --git a/src/infra/infra-runtime.test.ts b/src/infra/infra-runtime.test.ts index e7656de974f..1596b73bbe8 100644 --- a/src/infra/infra-runtime.test.ts +++ b/src/infra/infra-runtime.test.ts @@ -13,7 +13,6 @@ import { setGatewaySigusr1RestartPolicy, setPreRestartDeferralCheck, } from "./restart.js"; -import { createTelegramRetryRunner } from "./retry-policy.js"; import { listTailnetAddresses } from "./tailnet.js"; describe("infra runtime", () => { @@ -61,27 +60,6 @@ describe("infra runtime", () => { }); }); - describe("createTelegramRetryRunner", () => { - afterEach(() => { - vi.useRealTimers(); - }); - - it("retries when custom shouldRetry matches non-telegram error", async () => { - vi.useFakeTimers(); - const runner = createTelegramRetryRunner({ - retry: { attempts: 2, minDelayMs: 0, maxDelayMs: 0, jitter: 0 }, - shouldRetry: (err) => err instanceof Error && err.message === "boom", - }); - const fn = vi.fn().mockRejectedValueOnce(new Error("boom")).mockResolvedValue("ok"); - - const promise = runner(fn, "request"); - await vi.runAllTimersAsync(); - - await expect(promise).resolves.toBe("ok"); - expect(fn).toHaveBeenCalledTimes(2); - }); - }); - describe("restart authorization", () => { setupRestartSignalSuite(); diff --git a/src/infra/outbound/targets.test.ts b/src/infra/outbound/targets.test.ts index 6a8b50403b5..e0b669040a6 100644 --- a/src/infra/outbound/targets.test.ts +++ b/src/infra/outbound/targets.test.ts @@ -339,35 +339,138 @@ describe("resolveSessionDeliveryTarget", () => { }, }); - it("allows heartbeat delivery to Slack DMs and avoids inherited threadId by default", () => { - const resolved = resolveHeartbeatTarget({ - sessionId: "sess-heartbeat-outbound", - updatedAt: 1, - lastChannel: "slack", - lastTo: "user:U123", - lastThreadId: "1739142736.000100", - }); + const expectHeartbeatTarget = (params: { + name: string; + entry: Parameters[0]["entry"]; + directPolicy?: "allow" | "block"; + expectedChannel: string; + expectedTo?: string; + expectedReason?: string; + expectedThreadId?: string | number; + }) => { + const resolved = resolveHeartbeatTarget(params.entry, params.directPolicy); + expect(resolved.channel, params.name).toBe(params.expectedChannel); + expect(resolved.to, params.name).toBe(params.expectedTo); + expect(resolved.reason, params.name).toBe(params.expectedReason); + expect(resolved.threadId, params.name).toBe(params.expectedThreadId); + }; - expect(resolved.channel).toBe("slack"); - expect(resolved.to).toBe("user:U123"); - expect(resolved.threadId).toBeUndefined(); - }); - - it("blocks heartbeat delivery to Slack DMs when directPolicy is block", () => { - const resolved = resolveHeartbeatTarget( - { - sessionId: "sess-heartbeat-outbound", + it.each([ + { + name: "allows heartbeat delivery to Slack DMs by default and drops inherited thread ids", + entry: { + sessionId: "sess-heartbeat-slack-direct", updatedAt: 1, lastChannel: "slack", lastTo: "user:U123", lastThreadId: "1739142736.000100", }, - "block", - ); - - expect(resolved.channel).toBe("none"); - expect(resolved.reason).toBe("dm-blocked"); - expect(resolved.threadId).toBeUndefined(); + expectedChannel: "slack", + expectedTo: "user:U123", + }, + { + name: "blocks heartbeat delivery to Slack DMs when directPolicy is block", + entry: { + sessionId: "sess-heartbeat-slack-direct-blocked", + updatedAt: 1, + lastChannel: "slack", + lastTo: "user:U123", + lastThreadId: "1739142736.000100", + }, + directPolicy: "block" as const, + expectedChannel: "none", + expectedReason: "dm-blocked", + }, + { + name: "allows heartbeat delivery to Telegram direct chats by default", + entry: { + sessionId: "sess-heartbeat-telegram-direct", + updatedAt: 1, + lastChannel: "telegram", + lastTo: "5232990709", + }, + expectedChannel: "telegram", + expectedTo: "5232990709", + }, + { + name: "blocks heartbeat delivery to Telegram direct chats when directPolicy is block", + entry: { + sessionId: "sess-heartbeat-telegram-direct-blocked", + updatedAt: 1, + lastChannel: "telegram", + lastTo: "5232990709", + }, + directPolicy: "block" as const, + expectedChannel: "none", + expectedReason: "dm-blocked", + }, + { + name: "keeps heartbeat delivery to Telegram groups", + entry: { + sessionId: "sess-heartbeat-telegram-group", + updatedAt: 1, + lastChannel: "telegram", + lastTo: "-1001234567890", + }, + expectedChannel: "telegram", + expectedTo: "-1001234567890", + }, + { + name: "allows heartbeat delivery to WhatsApp direct chats by default", + entry: { + sessionId: "sess-heartbeat-whatsapp-direct", + updatedAt: 1, + lastChannel: "whatsapp", + lastTo: "+15551234567", + }, + expectedChannel: "whatsapp", + expectedTo: "+15551234567", + }, + { + name: "keeps heartbeat delivery to WhatsApp groups", + entry: { + sessionId: "sess-heartbeat-whatsapp-group", + updatedAt: 1, + lastChannel: "whatsapp", + lastTo: "120363140186826074@g.us", + }, + expectedChannel: "whatsapp", + expectedTo: "120363140186826074@g.us", + }, + { + name: "uses session chatType hints when target parsing cannot classify a direct chat", + entry: { + sessionId: "sess-heartbeat-imessage-direct", + updatedAt: 1, + lastChannel: "imessage", + lastTo: "chat-guid-unknown-shape", + chatType: "direct", + }, + expectedChannel: "imessage", + expectedTo: "chat-guid-unknown-shape", + }, + { + name: "blocks session chatType direct hints when directPolicy is block", + entry: { + sessionId: "sess-heartbeat-imessage-direct-blocked", + updatedAt: 1, + lastChannel: "imessage", + lastTo: "chat-guid-unknown-shape", + chatType: "direct", + }, + directPolicy: "block" as const, + expectedChannel: "none", + expectedReason: "dm-blocked", + }, + ])("$name", ({ name, entry, directPolicy, expectedChannel, expectedTo, expectedReason }) => { + expectHeartbeatTarget({ + name, + entry, + directPolicy, + expectedChannel, + expectedTo, + expectedReason, + }); }); it("allows heartbeat delivery to Discord DMs by default", () => { @@ -389,119 +492,6 @@ describe("resolveSessionDeliveryTarget", () => { expect(resolved.to).toBe("user:12345"); }); - it("allows heartbeat delivery to Telegram direct chats by default", () => { - const resolved = resolveHeartbeatTarget({ - sessionId: "sess-heartbeat-telegram-direct", - updatedAt: 1, - lastChannel: "telegram", - lastTo: "5232990709", - }); - - expect(resolved.channel).toBe("telegram"); - expect(resolved.to).toBe("5232990709"); - }); - - it("blocks heartbeat delivery to Telegram direct chats when directPolicy is block", () => { - const resolved = resolveHeartbeatTarget( - { - sessionId: "sess-heartbeat-telegram-direct", - updatedAt: 1, - lastChannel: "telegram", - lastTo: "5232990709", - }, - "block", - ); - - expect(resolved.channel).toBe("none"); - expect(resolved.reason).toBe("dm-blocked"); - }); - - it("keeps heartbeat delivery to Telegram groups", () => { - const cfg: OpenClawConfig = {}; - const resolved = resolveHeartbeatDeliveryTarget({ - cfg, - entry: { - sessionId: "sess-heartbeat-telegram-group", - updatedAt: 1, - lastChannel: "telegram", - lastTo: "-1001234567890", - }, - heartbeat: { - target: "last", - }, - }); - - expect(resolved.channel).toBe("telegram"); - expect(resolved.to).toBe("-1001234567890"); - }); - - it("allows heartbeat delivery to WhatsApp direct chats by default", () => { - const cfg: OpenClawConfig = {}; - const resolved = resolveHeartbeatDeliveryTarget({ - cfg, - entry: { - sessionId: "sess-heartbeat-whatsapp-direct", - updatedAt: 1, - lastChannel: "whatsapp", - lastTo: "+15551234567", - }, - heartbeat: { - target: "last", - }, - }); - - expect(resolved.channel).toBe("whatsapp"); - expect(resolved.to).toBe("+15551234567"); - }); - - it("keeps heartbeat delivery to WhatsApp groups", () => { - const cfg: OpenClawConfig = {}; - const resolved = resolveHeartbeatDeliveryTarget({ - cfg, - entry: { - sessionId: "sess-heartbeat-whatsapp-group", - updatedAt: 1, - lastChannel: "whatsapp", - lastTo: "120363140186826074@g.us", - }, - heartbeat: { - target: "last", - }, - }); - - expect(resolved.channel).toBe("whatsapp"); - expect(resolved.to).toBe("120363140186826074@g.us"); - }); - - it("uses session chatType hint when target parser cannot classify and allows direct by default", () => { - const resolved = resolveHeartbeatTarget({ - sessionId: "sess-heartbeat-imessage-direct", - updatedAt: 1, - lastChannel: "imessage", - lastTo: "chat-guid-unknown-shape", - chatType: "direct", - }); - - expect(resolved.channel).toBe("imessage"); - expect(resolved.to).toBe("chat-guid-unknown-shape"); - }); - - it("blocks session chatType direct hints when directPolicy is block", () => { - const resolved = resolveHeartbeatTarget( - { - sessionId: "sess-heartbeat-imessage-direct", - updatedAt: 1, - lastChannel: "imessage", - lastTo: "chat-guid-unknown-shape", - chatType: "direct", - }, - "block", - ); - - expect(resolved.channel).toBe("none"); - expect(resolved.reason).toBe("dm-blocked"); - }); - it("keeps heartbeat delivery to Discord channels", () => { const cfg: OpenClawConfig = {}; const resolved = resolveHeartbeatDeliveryTarget({ From 981062a94edbe1d6a874dfbea58ede7470b49b22 Mon Sep 17 00:00:00 2001 From: Peter Steinberger Date: Fri, 13 Mar 2026 17:55:55 +0000 Subject: [PATCH 010/268] test: simplify outbound channel coverage --- src/infra/outbound/message.channels.test.ts | 109 +++++++++++--------- 1 file changed, 60 insertions(+), 49 deletions(-) diff --git a/src/infra/outbound/message.channels.test.ts b/src/infra/outbound/message.channels.test.ts index 0a21264b43e..257d2ec94d6 100644 --- a/src/infra/outbound/message.channels.test.ts +++ b/src/infra/outbound/message.channels.test.ts @@ -97,13 +97,10 @@ describe("sendMessage channel normalization", () => { expect(seen.to).toBe("+15551234567"); }); - it("normalizes Teams alias", async () => { - const sendMSTeams = vi.fn(async () => ({ - messageId: "m1", - conversationId: "c1", - })); - setRegistry( - createTestRegistry([ + it.each([ + { + name: "normalizes Teams aliases", + registry: createTestRegistry([ { pluginId: "msteams", source: "test", @@ -113,40 +110,57 @@ describe("sendMessage channel normalization", () => { }), }, ]), - ); - const result = await sendMessage({ - cfg: {}, - to: "conversation:19:abc@thread.tacv2", - content: "hi", - channel: "teams", - deps: { sendMSTeams }, - }); - - expect(sendMSTeams).toHaveBeenCalledWith("conversation:19:abc@thread.tacv2", "hi"); - expect(result.channel).toBe("msteams"); - }); - - it("normalizes iMessage alias", async () => { - const sendIMessage = vi.fn(async () => ({ messageId: "i1" })); - setRegistry( - createTestRegistry([ + params: { + to: "conversation:19:abc@thread.tacv2", + channel: "teams", + deps: { + sendMSTeams: vi.fn(async () => ({ + messageId: "m1", + conversationId: "c1", + })), + }, + }, + assertDeps: (deps: { sendMSTeams?: ReturnType }) => { + expect(deps.sendMSTeams).toHaveBeenCalledWith("conversation:19:abc@thread.tacv2", "hi"); + }, + expectedChannel: "msteams", + }, + { + name: "normalizes iMessage aliases", + registry: createTestRegistry([ { pluginId: "imessage", source: "test", plugin: createIMessageTestPlugin(), }, ]), - ); + params: { + to: "someone@example.com", + channel: "imsg", + deps: { + sendIMessage: vi.fn(async () => ({ messageId: "i1" })), + }, + }, + assertDeps: (deps: { sendIMessage?: ReturnType }) => { + expect(deps.sendIMessage).toHaveBeenCalledWith( + "someone@example.com", + "hi", + expect.any(Object), + ); + }, + expectedChannel: "imessage", + }, + ])("$name", async ({ registry, params, assertDeps, expectedChannel }) => { + setRegistry(registry); + const result = await sendMessage({ cfg: {}, - to: "someone@example.com", content: "hi", - channel: "imsg", - deps: { sendIMessage }, + ...params, }); - expect(sendIMessage).toHaveBeenCalledWith("someone@example.com", "hi", expect.any(Object)); - expect(result.channel).toBe("imessage"); + assertDeps(params.deps); + expect(result.channel).toBe(expectedChannel); }); }); @@ -162,34 +176,31 @@ describe("sendMessage replyToId threading", () => { return capturedCtx; }; - it("passes replyToId through to the outbound adapter", async () => { + it.each([ + { + name: "passes replyToId through to the outbound adapter", + params: { content: "thread reply", replyToId: "post123" }, + field: "replyToId", + expected: "post123", + }, + { + name: "passes threadId through to the outbound adapter", + params: { content: "topic reply", threadId: "topic456" }, + field: "threadId", + expected: "topic456", + }, + ])("$name", async ({ params, field, expected }) => { const capturedCtx = setupMattermostCapture(); await sendMessage({ cfg: {}, to: "channel:town-square", - content: "thread reply", channel: "mattermost", - replyToId: "post123", + ...params, }); expect(capturedCtx).toHaveLength(1); - expect(capturedCtx[0]?.replyToId).toBe("post123"); - }); - - it("passes threadId through to the outbound adapter", async () => { - const capturedCtx = setupMattermostCapture(); - - await sendMessage({ - cfg: {}, - to: "channel:town-square", - content: "topic reply", - channel: "mattermost", - threadId: "topic456", - }); - - expect(capturedCtx).toHaveLength(1); - expect(capturedCtx[0]?.threadId).toBe("topic456"); + expect(capturedCtx[0]?.[field]).toBe(expected); }); }); From 91f1894372d3170407d8e9a4b05563e6032345ee Mon Sep 17 00:00:00 2001 From: Peter Steinberger Date: Fri, 13 Mar 2026 17:57:05 +0000 Subject: [PATCH 011/268] test: tighten server method helper coverage --- .../server-methods/server-methods.test.ts | 99 ++++++++++--------- 1 file changed, 55 insertions(+), 44 deletions(-) diff --git a/src/gateway/server-methods/server-methods.test.ts b/src/gateway/server-methods/server-methods.test.ts index 424511370cd..bd42485f4f8 100644 --- a/src/gateway/server-methods/server-methods.test.ts +++ b/src/gateway/server-methods/server-methods.test.ts @@ -221,59 +221,70 @@ describe("injectTimestamp", () => { }); describe("timestampOptsFromConfig", () => { - it("extracts timezone from config", () => { - const opts = timestampOptsFromConfig({ - agents: { - defaults: { - userTimezone: "America/Chicago", - }, - }, + it.each([ + { + name: "extracts timezone from config", // oxlint-disable-next-line typescript/no-explicit-any - } as any); - - expect(opts.timezone).toBe("America/Chicago"); - }); - - it("falls back gracefully with empty config", () => { - // oxlint-disable-next-line typescript/no-explicit-any - const opts = timestampOptsFromConfig({} as any); - - expect(opts.timezone).toBeDefined(); + cfg: { agents: { defaults: { userTimezone: "America/Chicago" } } } as any, + expected: "America/Chicago", + }, + { + name: "falls back gracefully with empty config", + // oxlint-disable-next-line typescript/no-explicit-any + cfg: {} as any, + expected: Intl.DateTimeFormat().resolvedOptions().timeZone, + }, + ])("$name", ({ cfg, expected }) => { + expect(timestampOptsFromConfig(cfg).timezone).toBe(expected); }); }); describe("normalizeRpcAttachmentsToChatAttachments", () => { - it("passes through string content", () => { - const res = normalizeRpcAttachmentsToChatAttachments([ - { type: "file", mimeType: "image/png", fileName: "a.png", content: "Zm9v" }, - ]); - expect(res).toEqual([ - { type: "file", mimeType: "image/png", fileName: "a.png", content: "Zm9v" }, - ]); - }); - - it("converts Uint8Array content to base64", () => { - const bytes = new TextEncoder().encode("foo"); - const res = normalizeRpcAttachmentsToChatAttachments([{ content: bytes }]); - expect(res[0]?.content).toBe("Zm9v"); + it.each([ + { + name: "passes through string content", + attachments: [{ type: "file", mimeType: "image/png", fileName: "a.png", content: "Zm9v" }], + expected: [{ type: "file", mimeType: "image/png", fileName: "a.png", content: "Zm9v" }], + }, + { + name: "converts Uint8Array content to base64", + attachments: [{ content: new TextEncoder().encode("foo") }], + expected: [{ type: undefined, mimeType: undefined, fileName: undefined, content: "Zm9v" }], + }, + { + name: "converts ArrayBuffer content to base64", + attachments: [{ content: new TextEncoder().encode("bar").buffer }], + expected: [{ type: undefined, mimeType: undefined, fileName: undefined, content: "YmFy" }], + }, + { + name: "drops attachments without usable content", + attachments: [{ content: undefined }, { mimeType: "image/png" }], + expected: [], + }, + ])("$name", ({ attachments, expected }) => { + expect(normalizeRpcAttachmentsToChatAttachments(attachments)).toEqual(expected); }); }); describe("sanitizeChatSendMessageInput", () => { - it("rejects null bytes", () => { - expect(sanitizeChatSendMessageInput("before\u0000after")).toEqual({ - ok: false, - error: "message must not contain null bytes", - }); - }); - - it("strips unsafe control characters while preserving tab/newline/carriage return", () => { - const result = sanitizeChatSendMessageInput("a\u0001b\tc\nd\re\u0007f\u007f"); - expect(result).toEqual({ ok: true, message: "ab\tc\nd\ref" }); - }); - - it("normalizes unicode to NFC", () => { - expect(sanitizeChatSendMessageInput("Cafe\u0301")).toEqual({ ok: true, message: "Café" }); + it.each([ + { + name: "rejects null bytes", + input: "before\u0000after", + expected: { ok: false as const, error: "message must not contain null bytes" }, + }, + { + name: "strips unsafe control characters while preserving tab/newline/carriage return", + input: "a\u0001b\tc\nd\re\u0007f\u007f", + expected: { ok: true as const, message: "ab\tc\nd\ref" }, + }, + { + name: "normalizes unicode to NFC", + input: "Cafe\u0301", + expected: { ok: true as const, message: "Café" }, + }, + ])("$name", ({ input, expected }) => { + expect(sanitizeChatSendMessageInput(input)).toEqual(expected); }); }); From e25fa446e8efafe624d81d2212b286c2a9e8e5ac Mon Sep 17 00:00:00 2001 From: Peter Steinberger Date: Fri, 13 Mar 2026 17:58:28 +0000 Subject: [PATCH 012/268] test: refine gateway auth helper coverage --- src/gateway/device-auth.test.ts | 84 ++++++++++++++++++++++++--------- src/gateway/probe-auth.test.ts | 84 ++++++++++++++++----------------- 2 files changed, 104 insertions(+), 64 deletions(-) diff --git a/src/gateway/device-auth.test.ts b/src/gateway/device-auth.test.ts index 9d7ac3fb7b5..8db88428ce9 100644 --- a/src/gateway/device-auth.test.ts +++ b/src/gateway/device-auth.test.ts @@ -1,29 +1,69 @@ import { describe, expect, it } from "vitest"; -import { buildDeviceAuthPayloadV3, normalizeDeviceMetadataForAuth } from "./device-auth.js"; +import { + buildDeviceAuthPayload, + buildDeviceAuthPayloadV3, + normalizeDeviceMetadataForAuth, +} from "./device-auth.js"; describe("device-auth payload vectors", () => { - it("builds canonical v3 payload", () => { - const payload = buildDeviceAuthPayloadV3({ - deviceId: "dev-1", - clientId: "openclaw-macos", - clientMode: "ui", - role: "operator", - scopes: ["operator.admin", "operator.read"], - signedAtMs: 1_700_000_000_000, - token: "tok-123", - nonce: "nonce-abc", - platform: " IOS ", - deviceFamily: " iPhone ", - }); - - expect(payload).toBe( - "v3|dev-1|openclaw-macos|ui|operator|operator.admin,operator.read|1700000000000|tok-123|nonce-abc|ios|iphone", - ); + it.each([ + { + name: "builds canonical v2 payloads", + build: () => + buildDeviceAuthPayload({ + deviceId: "dev-1", + clientId: "openclaw-macos", + clientMode: "ui", + role: "operator", + scopes: ["operator.admin", "operator.read"], + signedAtMs: 1_700_000_000_000, + token: null, + nonce: "nonce-abc", + }), + expected: + "v2|dev-1|openclaw-macos|ui|operator|operator.admin,operator.read|1700000000000||nonce-abc", + }, + { + name: "builds canonical v3 payloads", + build: () => + buildDeviceAuthPayloadV3({ + deviceId: "dev-1", + clientId: "openclaw-macos", + clientMode: "ui", + role: "operator", + scopes: ["operator.admin", "operator.read"], + signedAtMs: 1_700_000_000_000, + token: "tok-123", + nonce: "nonce-abc", + platform: " IOS ", + deviceFamily: " iPhone ", + }), + expected: + "v3|dev-1|openclaw-macos|ui|operator|operator.admin,operator.read|1700000000000|tok-123|nonce-abc|ios|iphone", + }, + { + name: "keeps empty metadata slots in v3 payloads", + build: () => + buildDeviceAuthPayloadV3({ + deviceId: "dev-2", + clientId: "openclaw-ios", + clientMode: "ui", + role: "operator", + scopes: ["operator.read"], + signedAtMs: 1_700_000_000_001, + nonce: "nonce-def", + }), + expected: "v3|dev-2|openclaw-ios|ui|operator|operator.read|1700000000001||nonce-def||", + }, + ])("$name", ({ build, expected }) => { + expect(build()).toBe(expected); }); - it("normalizes metadata with ASCII-only lowercase", () => { - expect(normalizeDeviceMetadataForAuth(" İOS ")).toBe("İos"); - expect(normalizeDeviceMetadataForAuth(" MAC ")).toBe("mac"); - expect(normalizeDeviceMetadataForAuth(undefined)).toBe(""); + it.each([ + { input: " İOS ", expected: "İos" }, + { input: " MAC ", expected: "mac" }, + { input: undefined, expected: "" }, + ])("normalizes metadata %j", ({ input, expected }) => { + expect(normalizeDeviceMetadataForAuth(input)).toBe(expected); }); }); diff --git a/src/gateway/probe-auth.test.ts b/src/gateway/probe-auth.test.ts index 7a6d639e10a..314702c33db 100644 --- a/src/gateway/probe-auth.test.ts +++ b/src/gateway/probe-auth.test.ts @@ -6,8 +6,9 @@ import { } from "./probe-auth.js"; describe("resolveGatewayProbeAuthSafe", () => { - it("returns probe auth credentials when available", () => { - const result = resolveGatewayProbeAuthSafe({ + it.each([ + { + name: "returns probe auth credentials when available", cfg: { gateway: { auth: { @@ -15,20 +16,17 @@ describe("resolveGatewayProbeAuthSafe", () => { }, }, } as OpenClawConfig, - mode: "local", + mode: "local" as const, env: {} as NodeJS.ProcessEnv, - }); - - expect(result).toEqual({ - auth: { - token: "token-value", - password: undefined, + expected: { + auth: { + token: "token-value", + password: undefined, + }, }, - }); - }); - - it("returns warning and empty auth when token SecretRef is unresolved", () => { - const result = resolveGatewayProbeAuthSafe({ + }, + { + name: "returns warning and empty auth when a local token SecretRef is unresolved", cfg: { gateway: { auth: { @@ -42,17 +40,15 @@ describe("resolveGatewayProbeAuthSafe", () => { }, }, } as OpenClawConfig, - mode: "local", + mode: "local" as const, env: {} as NodeJS.ProcessEnv, - }); - - expect(result.auth).toEqual({}); - expect(result.warning).toContain("gateway.auth.token"); - expect(result.warning).toContain("unresolved"); - }); - - it("does not fall through to remote token when local token SecretRef is unresolved", () => { - const result = resolveGatewayProbeAuthSafe({ + expected: { + auth: {}, + warningIncludes: ["gateway.auth.token", "unresolved"], + }, + }, + { + name: "does not fall through to remote token when the local SecretRef is unresolved", cfg: { gateway: { mode: "local", @@ -70,17 +66,15 @@ describe("resolveGatewayProbeAuthSafe", () => { }, }, } as OpenClawConfig, - mode: "local", + mode: "local" as const, env: {} as NodeJS.ProcessEnv, - }); - - expect(result.auth).toEqual({}); - expect(result.warning).toContain("gateway.auth.token"); - expect(result.warning).toContain("unresolved"); - }); - - it("ignores unresolved local token SecretRef in remote mode when remote-only auth is requested", () => { - const result = resolveGatewayProbeAuthSafe({ + expected: { + auth: {}, + warningIncludes: ["gateway.auth.token", "unresolved"], + }, + }, + { + name: "ignores unresolved local token SecretRefs in remote mode", cfg: { gateway: { mode: "remote", @@ -98,16 +92,22 @@ describe("resolveGatewayProbeAuthSafe", () => { }, }, } as OpenClawConfig, - mode: "remote", + mode: "remote" as const, env: {} as NodeJS.ProcessEnv, - }); - - expect(result).toEqual({ - auth: { - token: undefined, - password: undefined, + expected: { + auth: { + token: undefined, + password: undefined, + }, }, - }); + }, + ])("$name", ({ cfg, mode, env, expected }) => { + const result = resolveGatewayProbeAuthSafe({ cfg, mode, env }); + + expect(result.auth).toEqual(expected.auth); + for (const fragment of expected.warningIncludes ?? []) { + expect(result.warning).toContain(fragment); + } }); }); From 1f85c9af68ab1f639b3583b49fe815152865f34d Mon Sep 17 00:00:00 2001 From: Peter Steinberger Date: Fri, 13 Mar 2026 18:00:03 +0000 Subject: [PATCH 013/268] test: simplify runtime config coverage --- src/gateway/server-runtime-config.test.ts | 99 +++++++++++++---------- 1 file changed, 57 insertions(+), 42 deletions(-) diff --git a/src/gateway/server-runtime-config.test.ts b/src/gateway/server-runtime-config.test.ts index 34cc4632670..205bac8cf3e 100644 --- a/src/gateway/server-runtime-config.test.ts +++ b/src/gateway/server-runtime-config.test.ts @@ -201,39 +201,73 @@ describe("resolveGatewayRuntimeConfig", () => { ); }); - it("rejects non-loopback control UI when allowed origins are missing", async () => { - await expect( - resolveGatewayRuntimeConfig({ - cfg: { - gateway: { - bind: "lan", - auth: TOKEN_AUTH, - }, - }, - port: 18789, - }), - ).rejects.toThrow("non-loopback Control UI requires gateway.controlUi.allowedOrigins"); - }); - - it("allows non-loopback control UI without allowed origins when dangerous fallback is enabled", async () => { - const result = await resolveGatewayRuntimeConfig({ + it.each([ + { + name: "rejects non-loopback control UI when allowed origins are missing", cfg: { gateway: { - bind: "lan", + bind: "lan" as const, + auth: TOKEN_AUTH, + }, + }, + expectedError: "non-loopback Control UI requires gateway.controlUi.allowedOrigins", + }, + { + name: "allows non-loopback control UI without allowed origins when dangerous fallback is enabled", + cfg: { + gateway: { + bind: "lan" as const, auth: TOKEN_AUTH, controlUi: { dangerouslyAllowHostHeaderOriginFallback: true, }, }, }, - port: 18789, - }); - expect(result.bindHost).toBe("0.0.0.0"); + expectedBindHost: "0.0.0.0", + }, + { + name: "allows non-loopback control UI when allowed origins collapse after trimming", + cfg: { + gateway: { + bind: "lan" as const, + auth: TOKEN_AUTH, + controlUi: { + allowedOrigins: [" https://control.example.com "], + }, + }, + }, + expectedBindHost: "0.0.0.0", + }, + ])("$name", async ({ cfg, expectedError, expectedBindHost }) => { + if (expectedError) { + await expect(resolveGatewayRuntimeConfig({ cfg, port: 18789 })).rejects.toThrow( + expectedError, + ); + return; + } + const result = await resolveGatewayRuntimeConfig({ cfg, port: 18789 }); + expect(result.bindHost).toBe(expectedBindHost); }); }); describe("HTTP security headers", () => { - it("resolves strict transport security header from config", async () => { + it.each([ + { + name: "resolves strict transport security headers from config", + strictTransportSecurity: " max-age=31536000; includeSubDomains ", + expected: "max-age=31536000; includeSubDomains", + }, + { + name: "does not set strict transport security when explicitly disabled", + strictTransportSecurity: false, + expected: undefined, + }, + { + name: "does not set strict transport security when the value is blank", + strictTransportSecurity: " ", + expected: undefined, + }, + ])("$name", async ({ strictTransportSecurity, expected }) => { const result = await resolveGatewayRuntimeConfig({ cfg: { gateway: { @@ -241,7 +275,7 @@ describe("resolveGatewayRuntimeConfig", () => { auth: { mode: "none" }, http: { securityHeaders: { - strictTransportSecurity: " max-age=31536000; includeSubDomains ", + strictTransportSecurity, }, }, }, @@ -249,26 +283,7 @@ describe("resolveGatewayRuntimeConfig", () => { port: 18789, }); - expect(result.strictTransportSecurityHeader).toBe("max-age=31536000; includeSubDomains"); - }); - - it("does not set strict transport security when explicitly disabled", async () => { - const result = await resolveGatewayRuntimeConfig({ - cfg: { - gateway: { - bind: "loopback", - auth: { mode: "none" }, - http: { - securityHeaders: { - strictTransportSecurity: false, - }, - }, - }, - }, - port: 18789, - }); - - expect(result.strictTransportSecurityHeader).toBeUndefined(); + expect(result.strictTransportSecurityHeader).toBe(expected); }); }); }); From 987c254eea57321338173ee3e1cc8b4084cf7bf2 Mon Sep 17 00:00:00 2001 From: Frank Yang Date: Sat, 14 Mar 2026 02:03:14 +0800 Subject: [PATCH 014/268] test: annotate chat abort helper exports (#45346) --- .../server-methods/chat.abort.test-helpers.ts | 27 +++++++++++++++---- 1 file changed, 22 insertions(+), 5 deletions(-) diff --git a/src/gateway/server-methods/chat.abort.test-helpers.ts b/src/gateway/server-methods/chat.abort.test-helpers.ts index c1db68f5774..fb6efebd8f5 100644 --- a/src/gateway/server-methods/chat.abort.test-helpers.ts +++ b/src/gateway/server-methods/chat.abort.test-helpers.ts @@ -1,5 +1,6 @@ import { vi } from "vitest"; -import type { GatewayRequestHandler } from "./types.js"; +import type { Mock } from "vitest"; +import type { GatewayRequestHandler, RespondFn } from "./types.js"; export function createActiveRun( sessionKey: string, @@ -20,7 +21,23 @@ export function createActiveRun( }; } -export function createChatAbortContext(overrides: Record = {}) { +export type ChatAbortTestContext = Record & { + chatAbortControllers: Map>; + chatRunBuffers: Map; + chatDeltaSentAt: Map; + chatAbortedRuns: Map; + removeChatRun: (...args: unknown[]) => { sessionKey: string; clientRunId: string } | undefined; + agentRunSeq: Map; + broadcast: (...args: unknown[]) => void; + nodeSendToSession: (...args: unknown[]) => void; + logGateway: { warn: (...args: unknown[]) => void }; +}; + +export type ChatAbortRespondMock = Mock; + +export function createChatAbortContext( + overrides: Record = {}, +): ChatAbortTestContext { return { chatAbortControllers: new Map(), chatRunBuffers: new Map(), @@ -39,7 +56,7 @@ export function createChatAbortContext(overrides: Record = {}) export async function invokeChatAbortHandler(params: { handler: GatewayRequestHandler; - context: ReturnType; + context: ChatAbortTestContext; request: { sessionKey: string; runId?: string }; client?: { connId?: string; @@ -48,8 +65,8 @@ export async function invokeChatAbortHandler(params: { scopes?: string[]; }; } | null; - respond?: ReturnType; -}) { + respond?: ChatAbortRespondMock; +}): Promise { const respond = params.respond ?? vi.fn(); await params.handler({ params: params.request, From 91d4f5cd2f432d692179516e50ee33e8ef47b82a Mon Sep 17 00:00:00 2001 From: Peter Steinberger Date: Fri, 13 Mar 2026 18:03:18 +0000 Subject: [PATCH 015/268] test: simplify control ui http coverage --- src/gateway/control-ui.http.test.ts | 219 +++++++++++++++------------- 1 file changed, 120 insertions(+), 99 deletions(-) diff --git a/src/gateway/control-ui.http.test.ts b/src/gateway/control-ui.http.test.ts index a63bb1590e2..54cf972e79c 100644 --- a/src/gateway/control-ui.http.test.ts +++ b/src/gateway/control-ui.http.test.ts @@ -40,6 +40,25 @@ describe("handleControlUiHttpRequest", () => { expect(params.end).toHaveBeenCalledWith("Not Found"); } + function expectUnhandledRoutes(params: { + urls: string[]; + method: "GET" | "POST"; + rootPath: string; + basePath?: string; + expectationLabel: string; + }) { + for (const url of params.urls) { + const { handled, end } = runControlUiRequest({ + url, + method: params.method, + rootPath: params.rootPath, + ...(params.basePath ? { basePath: params.basePath } : {}), + }); + expect(handled, `${params.expectationLabel}: ${url}`).toBe(false); + expect(end, `${params.expectationLabel}: ${url}`).not.toHaveBeenCalled(); + } + } + function runControlUiRequest(params: { url: string; method: "GET" | "HEAD" | "POST"; @@ -147,53 +166,80 @@ describe("handleControlUiHttpRequest", () => { }); }); - it("serves bootstrap config JSON", async () => { + it.each([ + { + name: "at root", + url: CONTROL_UI_BOOTSTRAP_CONFIG_PATH, + expectedBasePath: "", + assistantName: ".png", + expectedAvatarUrl: "/avatar/main", + }, + { + name: "under basePath", + url: `/openclaw${CONTROL_UI_BOOTSTRAP_CONFIG_PATH}`, + basePath: "/openclaw", + expectedBasePath: "/openclaw", + assistantName: "Ops", + assistantAvatar: "ops.png", + expectedAvatarUrl: "/openclaw/avatar/main", + }, + ])("serves bootstrap config JSON $name", async (testCase) => { await withControlUiRoot({ fn: async (tmp) => { const { res, end } = makeMockHttpResponse(); const handled = handleControlUiHttpRequest( - { url: CONTROL_UI_BOOTSTRAP_CONFIG_PATH, method: "GET" } as IncomingMessage, + { url: testCase.url, method: "GET" } as IncomingMessage, res, { + ...(testCase.basePath ? { basePath: testCase.basePath } : {}), root: { kind: "resolved", path: tmp }, config: { agents: { defaults: { workspace: tmp } }, - ui: { assistant: { name: ".png" } }, + ui: { + assistant: { + name: testCase.assistantName, + avatar: testCase.assistantAvatar, + }, + }, }, }, ); expect(handled).toBe(true); const parsed = parseBootstrapPayload(end); - expect(parsed.basePath).toBe(""); - expect(parsed.assistantName).toBe(".png", - expectedAvatarUrl: "/avatar/main", - }, - { - name: "under basePath", - url: `/openclaw${CONTROL_UI_BOOTSTRAP_CONFIG_PATH}`, - basePath: "/openclaw", - expectedBasePath: "/openclaw", - assistantName: "Ops", - assistantAvatar: "ops.png", - expectedAvatarUrl: "/openclaw/avatar/main", - }, - ])("serves bootstrap config JSON $name", async (testCase) => { + it("serves bootstrap config JSON", async () => { await withControlUiRoot({ fn: async (tmp) => { const { res, end } = makeMockHttpResponse(); const handled = handleControlUiHttpRequest( - { url: testCase.url, method: "GET" } as IncomingMessage, + { url: CONTROL_UI_BOOTSTRAP_CONFIG_PATH, method: "GET" } as IncomingMessage, res, { - ...(testCase.basePath ? { basePath: testCase.basePath } : {}), root: { kind: "resolved", path: tmp }, config: { agents: { defaults: { workspace: tmp } }, - ui: { - assistant: { - name: testCase.assistantName, - avatar: testCase.assistantAvatar, - }, - }, + ui: { assistant: { name: ".png" } }, }, }, ); expect(handled).toBe(true); const parsed = parseBootstrapPayload(end); - expect(parsed.basePath).toBe(testCase.expectedBasePath); - expect(parsed.assistantName).toBe(testCase.assistantName); - expect(parsed.assistantAvatar).toBe(testCase.expectedAvatarUrl); + expect(parsed.basePath).toBe(""); + expect(parsed.assistantName).toBe("