mirror of
https://github.com/garrytan/gstack.git
synced 2026-07-01 14:05:43 +02:00
Merge remote-tracking branch 'origin/main' into garrytan/tallahassee-v3
Brings in v1.30.0.0 (21 community fix wave + Windows CI extension + codex flag-semantics smoke). Conflicts resolved: - VERSION: kept 1.31.0.0 (queue util correctly advanced past main's 1.30.0.0 during the original ship; sibling melbourne-v1 was at 1.30.0.0 active). - CHANGELOG.md: kept v1.31.0.0 entry on top of v1.30.0.0 (the wave), v1.29.0.0 (sync-gbrain worktree fix), and prior history. No content loss — both new entries preserved verbatim. - All other auto-merges (codex/SKILL.md, plan-devex-review, review/SKILL.md, ship/SKILL.md, etc.) were clean. Verified post-merge: 431/431 free tests pass (touchfiles + claude-pty-runner.unit + skill-validation). bun run gen:skill-docs --host all is clean (no host outputs drifted from templates). Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This commit is contained in:
@@ -54,6 +54,13 @@ interface ResolvedAuth {
|
||||
source: 'env' | 'state-file';
|
||||
}
|
||||
|
||||
function parseIntegerEnvValue(value: string | undefined): number | undefined {
|
||||
const trimmed = value?.trim();
|
||||
if (!trimmed || !/^-?\d+$/.test(trimmed)) return undefined;
|
||||
const parsed = parseInt(trimmed, 10);
|
||||
return Number.isFinite(parsed) ? parsed : undefined;
|
||||
}
|
||||
|
||||
/** Resolve the daemon port + token. Throws a clear error if neither path works. */
|
||||
export function resolveBrowseAuth(opts: BrowseClientOptions = {}): ResolvedAuth {
|
||||
if (opts.port !== undefined && opts.token !== undefined) {
|
||||
@@ -64,8 +71,8 @@ export function resolveBrowseAuth(opts: BrowseClientOptions = {}): ResolvedAuth
|
||||
const envPort = process.env.GSTACK_PORT;
|
||||
const envToken = process.env.GSTACK_SKILL_TOKEN;
|
||||
if (envPort && envToken) {
|
||||
const port = opts.port ?? parseInt(envPort, 10);
|
||||
if (!isNaN(port)) {
|
||||
const port = opts.port ?? parseIntegerEnvValue(envPort);
|
||||
if (port !== undefined) {
|
||||
return { port, token: opts.token ?? envToken, source: 'env' };
|
||||
}
|
||||
}
|
||||
@@ -132,7 +139,7 @@ export class BrowseClient {
|
||||
const auth = resolveBrowseAuth(opts);
|
||||
this.port = auth.port;
|
||||
this.token = auth.token;
|
||||
this.tabId = opts.tabId ?? (process.env.BROWSE_TAB ? parseInt(process.env.BROWSE_TAB, 10) : undefined);
|
||||
this.tabId = opts.tabId ?? parseIntegerEnvValue(process.env.BROWSE_TAB);
|
||||
this.timeoutMs = opts.timeoutMs ?? 30_000;
|
||||
}
|
||||
|
||||
|
||||
@@ -16,6 +16,7 @@
|
||||
*/
|
||||
|
||||
import { chromium, type Browser, type BrowserContext, type BrowserContextOptions, type Page, type Locator, type Cookie } from 'playwright';
|
||||
import { writeSecureFile, mkdirSecure } from './file-permissions';
|
||||
import { addConsoleEntry, addNetworkEntry, addDialogEntry, networkBuffer, type DialogEntry } from './buffers';
|
||||
import { validateNavigationUrl } from './url-validation';
|
||||
import { TabSession, type RefEntry } from './tab-session';
|
||||
@@ -197,10 +198,11 @@ export class BrowserManager {
|
||||
const launchArgs: string[] = [...STEALTH_LAUNCH_ARGS];
|
||||
let useHeadless = true;
|
||||
|
||||
// Docker/CI: Chromium sandbox requires unprivileged user namespaces which
|
||||
// are typically disabled in containers. Detect container environment and
|
||||
// add --no-sandbox automatically.
|
||||
if (process.env.CI || process.env.CONTAINER) {
|
||||
// Docker/CI/root: Chromium sandbox requires unprivileged user namespaces which
|
||||
// are typically disabled in containers and are never available for the root
|
||||
// user on Linux. Detect all three cases and add --no-sandbox automatically.
|
||||
const isRoot = typeof process.getuid === 'function' && process.getuid() === 0;
|
||||
if (process.env.CI || process.env.CONTAINER || isRoot) {
|
||||
launchArgs.push('--no-sandbox');
|
||||
}
|
||||
|
||||
@@ -290,10 +292,10 @@ export class BrowserManager {
|
||||
const fs = require('fs');
|
||||
const path = require('path');
|
||||
const gstackDir = path.join(process.env.HOME || '/tmp', '.gstack');
|
||||
fs.mkdirSync(gstackDir, { recursive: true });
|
||||
mkdirSecure(gstackDir);
|
||||
const authFile = path.join(gstackDir, '.auth.json');
|
||||
try {
|
||||
fs.writeFileSync(authFile, JSON.stringify({ token: authToken, port: this.serverPort || 34567 }), { mode: 0o600 });
|
||||
writeSecureFile(authFile, JSON.stringify({ token: authToken, port: this.serverPort || 34567 }));
|
||||
} catch (err: any) {
|
||||
console.warn(`[browse] Could not write .auth.json: ${err.message}`);
|
||||
}
|
||||
|
||||
@@ -19,6 +19,7 @@
|
||||
import * as fs from 'fs';
|
||||
import * as path from 'path';
|
||||
import * as os from 'os';
|
||||
import { mkdirSecure } from './file-permissions';
|
||||
import { isPathWithin } from './platform';
|
||||
import type { TierPaths } from './browser-skills';
|
||||
import { defaultTierPaths } from './browser-skills';
|
||||
@@ -74,8 +75,8 @@ export function stageSkill(opts: StageSkillOptions): string {
|
||||
const wrapperDir = path.join(tmpRoot, `skillify-${spawnId}`);
|
||||
const stagedDir = path.join(wrapperDir, opts.name);
|
||||
|
||||
fs.mkdirSync(wrapperDir, { recursive: true, mode: 0o700 });
|
||||
fs.mkdirSync(stagedDir, { recursive: true, mode: 0o700 });
|
||||
mkdirSecure(wrapperDir);
|
||||
mkdirSecure(stagedDir);
|
||||
|
||||
for (const [relPath, contents] of opts.files) {
|
||||
if (relPath.startsWith('/') || relPath.includes('..')) {
|
||||
|
||||
+2
-1
@@ -12,6 +12,7 @@
|
||||
import * as fs from 'fs';
|
||||
import * as path from 'path';
|
||||
import { safeUnlink, safeUnlinkQuiet, safeKill, isProcessAlive } from './error-handling';
|
||||
import { writeSecureFile, mkdirSecure } from './file-permissions';
|
||||
import { resolveConfig, ensureStateDir, readVersionHash } from './config';
|
||||
import { parseProxyConfig, computeConfigHash, ProxyConfigError } from './proxy-config';
|
||||
import { redactProxyUrl } from './proxy-redact';
|
||||
@@ -852,7 +853,7 @@ async function handlePairAgent(state: ServerState, args: string[]): Promise<void
|
||||
scopes: pairData.scopes,
|
||||
expires_at: pairData.expires_at,
|
||||
};
|
||||
fs.writeFileSync(configFile, JSON.stringify(configData, null, 2), { mode: 0o600 });
|
||||
writeSecureFile(configFile, JSON.stringify(configData, null, 2));
|
||||
console.log(`Connected. ${localHost} can now use the browser.`);
|
||||
console.log(`Config written to: ${configFile}`);
|
||||
} catch (err: any) {
|
||||
|
||||
@@ -12,6 +12,7 @@
|
||||
|
||||
import * as fs from 'fs';
|
||||
import * as path from 'path';
|
||||
import { mkdirSecure } from './file-permissions';
|
||||
|
||||
export interface BrowseConfig {
|
||||
projectDir: string;
|
||||
@@ -81,7 +82,7 @@ export function resolveConfig(
|
||||
*/
|
||||
export function ensureStateDir(config: BrowseConfig): void {
|
||||
try {
|
||||
fs.mkdirSync(config.stateDir, { recursive: true, mode: 0o700 });
|
||||
mkdirSecure(config.stateDir);
|
||||
} catch (err: any) {
|
||||
if (err.code === 'EACCES') {
|
||||
throw new Error(`Cannot create state directory ${config.stateDir}: permission denied`);
|
||||
|
||||
@@ -291,8 +291,20 @@ export async function writeSkill(input: WriteSkillInput): Promise<DomainSkillRow
|
||||
*
|
||||
* Auto-promote logic:
|
||||
* - increment use_count
|
||||
* - if use_count >= PROMOTE_THRESHOLD AND flag_count == 0 → state:active
|
||||
* - else stay quarantined with updated counter
|
||||
* - if use_count >= PROMOTE_THRESHOLD AND flag_count == 0 AND L4 has scored
|
||||
* the body (classifier_score > 0) → state:active
|
||||
* - else stay quarantined with updated counter; user must run
|
||||
* `domain-skill promote-to-global` manually
|
||||
*
|
||||
* The classifier_score > 0 gate is load-bearing: handleSave currently writes
|
||||
* classifier_score=0 with the comment "L4 deferred to load-time / sidebar-agent
|
||||
* fills this in on first prompt-injection load," but sidebar-agent was ripped
|
||||
* (CLAUDE.md "Sidebar architecture") and nothing else updates the score, so
|
||||
* skills authored via the production path never had their body scanned by L4.
|
||||
* Without this gate, three benign uses promote any quarantined skill — including
|
||||
* one written under the influence of a poisoned page — into the prompt context
|
||||
* for every subsequent visit. The gate re-opens automatically the day L4 is
|
||||
* rewired and writeSkill / recordSkillUse start receiving non-zero scores.
|
||||
*/
|
||||
export async function recordSkillUse(host: string, projectSlug: string, classifierFlagged: boolean): Promise<DomainSkillRow | null> {
|
||||
const normalized = normalizeHost(host);
|
||||
@@ -303,7 +315,12 @@ export async function recordSkillUse(host: string, projectSlug: string, classifi
|
||||
const useCount = current.use_count + 1;
|
||||
const flagCount = current.flag_count + (classifierFlagged ? 1 : 0);
|
||||
let state: SkillState = current.state;
|
||||
if (state === 'quarantined' && useCount >= PROMOTE_THRESHOLD && flagCount === 0) {
|
||||
if (
|
||||
state === 'quarantined' &&
|
||||
useCount >= PROMOTE_THRESHOLD &&
|
||||
flagCount === 0 &&
|
||||
current.classifier_score > 0
|
||||
) {
|
||||
state = 'active';
|
||||
}
|
||||
const updated: DomainSkillRow = {
|
||||
|
||||
@@ -0,0 +1,157 @@
|
||||
/**
|
||||
* Cross-platform file permission restriction for sensitive gstack state.
|
||||
*
|
||||
* Why this exists
|
||||
* ----------------
|
||||
* POSIX mode bits (`0o600` for files, `0o700` for dirs) are how gstack marks
|
||||
* sensitive state files — auth tokens, canary tokens, chat history, agent
|
||||
* queue, device salt, per-tab security decisions. On Linux and macOS,
|
||||
* `fs.chmodSync(path, 0o600)` and `fs.writeFileSync(path, data, { mode: 0o600 })`
|
||||
* do exactly what you'd hope: the file ends up readable and writable only
|
||||
* by the owning user, no access for group / other.
|
||||
*
|
||||
* On Windows, both calls are effectively no-ops. NTFS uses ACLs, not POSIX
|
||||
* mode bits, and Node's fs module doesn't translate. So on every Windows
|
||||
* install, sensitive gstack state files inherit whatever ACL the parent
|
||||
* directory grants — typically user-full + inherited admin-full. That's
|
||||
* fine on a single-user laptop but leaks on:
|
||||
*
|
||||
* - Self-hosted CI runners (GitHub Actions / GitLab / Jenkins agents
|
||||
* running as a different service account on the same box — they can
|
||||
* read developer state)
|
||||
* - Shared development machines (agencies, studios, lab machines)
|
||||
* - Multi-tenant servers with shared home directories
|
||||
* - Malware running as the same user (no in-user-account isolation)
|
||||
*
|
||||
* This module wraps the platform-correct call. POSIX: chmod. Windows:
|
||||
* icacls with inheritance break + explicit user grant. Failures on either
|
||||
* platform are best-effort — the filesystem is still functional if ACL
|
||||
* restriction fails; we just don't hit the intended hardening target.
|
||||
*
|
||||
* Warning behavior: to avoid spamming the console on a machine where
|
||||
* icacls is unavailable (rare — it ships in System32 on every Windows
|
||||
* version since 7), we log the first failure per process and stay silent
|
||||
* afterward. The warning includes the advice "sensitive files may be
|
||||
* readable by other accounts on this machine" so operators know to audit
|
||||
* their runner / share setup.
|
||||
*/
|
||||
|
||||
import { execFileSync } from 'child_process';
|
||||
import * as fs from 'fs';
|
||||
import * as os from 'os';
|
||||
|
||||
let warnedOnce = false;
|
||||
|
||||
function warnIcaclsFailure(fsPath: string, err: unknown): void {
|
||||
if (warnedOnce) return;
|
||||
warnedOnce = true;
|
||||
const msg = err instanceof Error ? err.message : String(err);
|
||||
// biome-ignore lint/suspicious/noConsole: intentional user-facing warning
|
||||
console.warn(
|
||||
`[gstack] Failed to restrict Windows ACL on ${fsPath}: ${msg}\n` +
|
||||
` Sensitive files may be readable by other accounts on this machine.\n` +
|
||||
` This warning appears once per process; subsequent failures are silent.`
|
||||
);
|
||||
}
|
||||
|
||||
/**
|
||||
* Restrict a file to owner-only access (POSIX 0o600 equivalent).
|
||||
*
|
||||
* POSIX: `fs.chmodSync(path, 0o600)`. Idempotent if the file was already
|
||||
* written with `{ mode: 0o600 }`, so safe to call regardless.
|
||||
*
|
||||
* Windows: invokes `icacls /inheritance:r /grant:r <user>:(F)` to remove
|
||||
* any inherited ACLs and replace the ACL with a single entry granting the
|
||||
* current user full control.
|
||||
*/
|
||||
export function restrictFilePermissions(filePath: string): void {
|
||||
if (process.platform === 'win32') {
|
||||
try {
|
||||
const user = os.userInfo().username;
|
||||
execFileSync(
|
||||
'icacls',
|
||||
[filePath, '/inheritance:r', '/grant:r', `${user}:(F)`],
|
||||
{ stdio: 'ignore' },
|
||||
);
|
||||
} catch (err) {
|
||||
warnIcaclsFailure(filePath, err);
|
||||
}
|
||||
return;
|
||||
}
|
||||
try { fs.chmodSync(filePath, 0o600); } catch { /* best-effort */ }
|
||||
}
|
||||
|
||||
/**
|
||||
* Restrict a directory to owner-only access (POSIX 0o700 equivalent),
|
||||
* with new children inheriting the restricted ACL.
|
||||
*
|
||||
* POSIX: `fs.chmodSync(path, 0o700)`. Idempotent if the dir was already
|
||||
* created with `{ mode: 0o700 }`.
|
||||
*
|
||||
* Windows: `icacls /inheritance:r /grant:r <user>:(OI)(CI)(F)`. The
|
||||
* `(OI)(CI)` flags make new files (OI = object inherit) and subdirs
|
||||
* (CI = container inherit) inherit the single-user-full ACL — important
|
||||
* because child creations in `fs.writeFileSync(...)` without explicit
|
||||
* `restrictFilePermissions` still end up owner-only.
|
||||
*/
|
||||
export function restrictDirectoryPermissions(dirPath: string): void {
|
||||
if (process.platform === 'win32') {
|
||||
try {
|
||||
const user = os.userInfo().username;
|
||||
execFileSync(
|
||||
'icacls',
|
||||
[dirPath, '/inheritance:r', '/grant:r', `${user}:(OI)(CI)(F)`],
|
||||
{ stdio: 'ignore' },
|
||||
);
|
||||
} catch (err) {
|
||||
warnIcaclsFailure(dirPath, err);
|
||||
}
|
||||
return;
|
||||
}
|
||||
try { fs.chmodSync(dirPath, 0o700); } catch { /* best-effort */ }
|
||||
}
|
||||
|
||||
/**
|
||||
* Write a file and restrict it to owner-only access, cross-platform.
|
||||
* Replaces `fs.writeFileSync(path, data, { mode: 0o600 })` + Windows ACL.
|
||||
*/
|
||||
export function writeSecureFile(
|
||||
filePath: string,
|
||||
data: string | NodeJS.ArrayBufferView,
|
||||
): void {
|
||||
fs.writeFileSync(filePath, data, { mode: 0o600 });
|
||||
restrictFilePermissions(filePath);
|
||||
}
|
||||
|
||||
/**
|
||||
* Append to a file with owner-only permissions, cross-platform.
|
||||
* Replaces `fs.appendFileSync(path, data, { mode: 0o600 })` + Windows ACL.
|
||||
*
|
||||
* ACL is applied only on first write — subsequent appends are fire-and-forget
|
||||
* (no need to re-run icacls on every log line).
|
||||
*/
|
||||
export function appendSecureFile(
|
||||
filePath: string,
|
||||
data: string | NodeJS.ArrayBufferView,
|
||||
): void {
|
||||
const existed = fs.existsSync(filePath);
|
||||
fs.appendFileSync(filePath, data, { mode: 0o600 });
|
||||
if (!existed) restrictFilePermissions(filePath);
|
||||
}
|
||||
|
||||
/**
|
||||
* `mkdir -p` with owner-only directory permissions, cross-platform.
|
||||
* Replaces `fs.mkdirSync(path, { recursive: true, mode: 0o700 })` + Windows ACL.
|
||||
* Safe to call on an existing directory — re-applies the ACL idempotently.
|
||||
*/
|
||||
export function mkdirSecure(dirPath: string): void {
|
||||
fs.mkdirSync(dirPath, { recursive: true, mode: 0o700 });
|
||||
restrictDirectoryPermissions(dirPath);
|
||||
}
|
||||
|
||||
/**
|
||||
* Reset the once-per-process warning gate. Test-only.
|
||||
*/
|
||||
export function __resetWarnedForTests(): void {
|
||||
warnedOnce = false;
|
||||
}
|
||||
@@ -16,6 +16,7 @@ export { validateOutputPath, escapeRegExp } from './path-security';
|
||||
import * as Diff from 'diff';
|
||||
import * as fs from 'fs';
|
||||
import * as path from 'path';
|
||||
import { writeSecureFile, mkdirSecure } from './file-permissions';
|
||||
import { TEMP_DIR } from './platform';
|
||||
import { resolveConfig } from './config';
|
||||
import type { Frame } from 'playwright';
|
||||
@@ -917,7 +918,7 @@ export async function handleMetaCommand(
|
||||
|
||||
const config = resolveConfig();
|
||||
const stateDir = path.join(config.stateDir, 'browse-states');
|
||||
fs.mkdirSync(stateDir, { recursive: true });
|
||||
mkdirSecure(stateDir);
|
||||
const statePath = path.join(stateDir, `${name}.json`);
|
||||
|
||||
if (action === 'save') {
|
||||
@@ -929,7 +930,7 @@ export async function handleMetaCommand(
|
||||
cookies: state.cookies,
|
||||
pages: state.pages.map(p => ({ url: p.url, isActive: p.isActive })),
|
||||
};
|
||||
fs.writeFileSync(statePath, JSON.stringify(saveData, null, 2), { mode: 0o600 });
|
||||
writeSecureFile(statePath, JSON.stringify(saveData, null, 2));
|
||||
return `State saved: ${statePath} (${state.cookies.length} cookies, ${state.pages.length} pages)\n⚠️ Cookies stored in plaintext. Delete when no longer needed.`;
|
||||
}
|
||||
|
||||
|
||||
@@ -29,6 +29,7 @@ import { spawn } from 'child_process';
|
||||
import * as fs from 'fs';
|
||||
import * as path from 'path';
|
||||
import * as os from 'os';
|
||||
import { mkdirSecure } from './file-permissions';
|
||||
import { THRESHOLDS, type LayerSignal } from './security';
|
||||
import { resolveClaudeCommand } from './claude-bin';
|
||||
|
||||
@@ -156,7 +157,7 @@ async function downloadFile(url: string, dest: string): Promise<void> {
|
||||
}
|
||||
|
||||
async function ensureTestsavantStaged(onProgress?: (msg: string) => void): Promise<void> {
|
||||
fs.mkdirSync(path.join(TESTSAVANT_DIR, 'onnx'), { recursive: true, mode: 0o700 });
|
||||
mkdirSecure(path.join(TESTSAVANT_DIR, 'onnx'));
|
||||
|
||||
// Small config/tokenizer files
|
||||
for (const f of TESTSAVANT_FILES) {
|
||||
@@ -301,7 +302,7 @@ export async function scanPageContent(text: string): Promise<LayerSignal> {
|
||||
// ─── L4c: DeBERTa-v3 ensemble (opt-in) ───────────────────────
|
||||
|
||||
async function ensureDebertaStaged(onProgress?: (msg: string) => void): Promise<void> {
|
||||
fs.mkdirSync(path.join(DEBERTA_DIR, 'onnx'), { recursive: true, mode: 0o700 });
|
||||
mkdirSecure(path.join(DEBERTA_DIR, 'onnx'));
|
||||
for (const f of DEBERTA_FILES) {
|
||||
const dst = path.join(DEBERTA_DIR, f);
|
||||
if (fs.existsSync(dst)) continue;
|
||||
|
||||
+68
-10
@@ -24,6 +24,7 @@ import { spawn } from 'child_process';
|
||||
import * as fs from 'fs';
|
||||
import * as path from 'path';
|
||||
import * as os from 'os';
|
||||
import { writeSecureFile, appendSecureFile, mkdirSecure } from './file-permissions';
|
||||
|
||||
// ─── Thresholds + verdict types ──────────────────────────────
|
||||
|
||||
@@ -344,11 +345,11 @@ function getDeviceSalt(): string {
|
||||
// fall through to generate
|
||||
}
|
||||
try {
|
||||
fs.mkdirSync(SECURITY_DIR, { recursive: true, mode: 0o700 });
|
||||
mkdirSecure(SECURITY_DIR);
|
||||
} catch {}
|
||||
cachedSalt = randomBytes(16).toString('hex');
|
||||
try {
|
||||
fs.writeFileSync(SALT_FILE, cachedSalt, { mode: 0o600 });
|
||||
writeSecureFile(SALT_FILE, cachedSalt);
|
||||
} catch {
|
||||
// Can't persist (read-only fs, disk full). Keep the in-memory salt
|
||||
// for this process so cross-log correlation still works within a
|
||||
@@ -413,6 +414,61 @@ function findTelemetryBinary(): string | null {
|
||||
return null;
|
||||
}
|
||||
|
||||
/**
|
||||
* Resolve a bash binary for invoking shebang scripts on Windows. Mirrors the
|
||||
* GSTACK_*_BIN override pattern from `browse/src/claude-bin.ts:resolveClaudeCommand`
|
||||
* (introduced in v1.24.0.0 #1252) so users on WSL/MSYS2/non-default Git Bash
|
||||
* installs can redirect.
|
||||
*
|
||||
* Override precedence:
|
||||
* 1. GSTACK_BASH_BIN (or BASH_BIN) — absolute path or PATH-resolvable command.
|
||||
* 2. Plain Bun.which('bash') — finds Git Bash on the standard Windows install.
|
||||
*
|
||||
* Returns null if nothing resolves; callers must degrade gracefully (telemetry
|
||||
* already swallows spawn errors, so a null here means the local attempts.jsonl
|
||||
* audit trail keeps working without surfacing a Windows-only failure).
|
||||
*/
|
||||
export function resolveBashBinary(env: NodeJS.ProcessEnv = process.env): string | null {
|
||||
const PATH = env.PATH ?? env.Path ?? '';
|
||||
const override = (env.GSTACK_BASH_BIN ?? env.BASH_BIN)?.trim();
|
||||
if (override) {
|
||||
const trimmed = override.replace(/^"(.*)"$/, '$1');
|
||||
return path.isAbsolute(trimmed) ? trimmed : (Bun.which(trimmed, { PATH }) ?? null);
|
||||
}
|
||||
return Bun.which('bash', { PATH }) ?? null;
|
||||
}
|
||||
|
||||
/**
|
||||
* Build the [cmd, args] tuple for invoking a bash-script telemetry binary
|
||||
* in a way that works on both POSIX and Windows.
|
||||
*
|
||||
* POSIX: returns [bin, args] unchanged — shebang gets honored by execve.
|
||||
* Win32: wraps in bash explicitly. `gstack-telemetry-log` is a shell script
|
||||
* (`#!/usr/bin/env bash`) and Windows `CreateProcess` can't dispatch on a
|
||||
* shebang — it tries to load the file as a PE image, fails with ENOEXEC,
|
||||
* and our 'error' handler silently swallows it. Resolves bash via the same
|
||||
* Bun.which + GSTACK_*_BIN override pattern as claude-bin.ts.
|
||||
*
|
||||
* Returns null when bash can't be resolved on Windows (rare — Git Bash ships
|
||||
* with the standard gstack install path). Caller skips spawn; the local
|
||||
* attempts.jsonl write still gives the audit trail.
|
||||
*
|
||||
* Exported for testability — resolution is a pure function of (platform,
|
||||
* env, bin, args) so we can assert on it without actually spawning.
|
||||
*/
|
||||
export function buildTelemetrySpawnCommand(
|
||||
bin: string,
|
||||
args: string[],
|
||||
env: NodeJS.ProcessEnv = process.env,
|
||||
): { cmd: string; cmdArgs: string[] } | null {
|
||||
if (process.platform === 'win32') {
|
||||
const bashPath = resolveBashBinary(env);
|
||||
if (!bashPath) return null;
|
||||
return { cmd: bashPath, cmdArgs: [bin, ...args] };
|
||||
}
|
||||
return { cmd: bin, cmdArgs: args };
|
||||
}
|
||||
|
||||
/**
|
||||
* Fire-and-forget subprocess invocation of gstack-telemetry-log with the
|
||||
* attack_attempt event type. The binary handles tier gating internally
|
||||
@@ -426,14 +482,16 @@ function reportAttemptTelemetry(record: AttemptRecord): void {
|
||||
const bin = findTelemetryBinary();
|
||||
if (!bin) return;
|
||||
try {
|
||||
const child = spawn(bin, [
|
||||
const result = buildTelemetrySpawnCommand(bin, [
|
||||
'--event-type', 'attack_attempt',
|
||||
'--url-domain', record.urlDomain || '',
|
||||
'--payload-hash', record.payloadHash,
|
||||
'--confidence', String(record.confidence),
|
||||
'--layer', record.layer,
|
||||
'--verdict', record.verdict,
|
||||
], {
|
||||
]);
|
||||
if (!result) return;
|
||||
const child = spawn(result.cmd, result.cmdArgs, {
|
||||
stdio: 'ignore',
|
||||
detached: true,
|
||||
});
|
||||
@@ -456,10 +514,10 @@ export function logAttempt(record: AttemptRecord): boolean {
|
||||
// the event reported (it goes to a different directory anyway).
|
||||
reportAttemptTelemetry(record);
|
||||
try {
|
||||
fs.mkdirSync(SECURITY_DIR, { recursive: true, mode: 0o700 });
|
||||
mkdirSecure(SECURITY_DIR);
|
||||
rotateIfNeeded();
|
||||
const line = JSON.stringify(record) + '\n';
|
||||
fs.appendFileSync(ATTEMPTS_LOG, line, { mode: 0o600 });
|
||||
appendSecureFile(ATTEMPTS_LOG, line);
|
||||
return true;
|
||||
} catch (err) {
|
||||
// Non-fatal. Log to stderr for debugging but don't block.
|
||||
@@ -489,9 +547,9 @@ export interface SessionState {
|
||||
*/
|
||||
export function writeSessionState(state: SessionState): void {
|
||||
try {
|
||||
fs.mkdirSync(SECURITY_DIR, { recursive: true, mode: 0o700 });
|
||||
mkdirSecure(SECURITY_DIR);
|
||||
const tmp = `${STATE_FILE}.tmp.${process.pid}`;
|
||||
fs.writeFileSync(tmp, JSON.stringify(state, null, 2), { mode: 0o600 });
|
||||
writeSecureFile(tmp, JSON.stringify(state, null, 2));
|
||||
fs.renameSync(tmp, STATE_FILE);
|
||||
} catch (err) {
|
||||
console.error('[security] writeSessionState failed:', (err as Error).message);
|
||||
@@ -532,10 +590,10 @@ export interface DecisionRecord {
|
||||
|
||||
export function writeDecision(record: DecisionRecord): void {
|
||||
try {
|
||||
fs.mkdirSync(DECISIONS_DIR, { recursive: true, mode: 0o700 });
|
||||
mkdirSecure(DECISIONS_DIR);
|
||||
const file = decisionFileForTab(record.tabId);
|
||||
const tmp = `${file}.tmp.${process.pid}`;
|
||||
fs.writeFileSync(tmp, JSON.stringify(record), { mode: 0o600 });
|
||||
writeSecureFile(tmp, JSON.stringify(record));
|
||||
fs.renameSync(tmp, file);
|
||||
} catch (err) {
|
||||
console.error('[security] writeDecision failed:', (err as Error).message);
|
||||
|
||||
+29
-6
@@ -26,6 +26,7 @@ import {
|
||||
markHiddenElements, getCleanTextWithStripping, cleanupHiddenMarkers,
|
||||
} from './content-security';
|
||||
import { generateCanary, injectCanary, getStatus as getSecurityStatus, writeDecision } from './security';
|
||||
import { writeSecureFile, mkdirSecure } from './file-permissions';
|
||||
import { handleSnapshot, SNAPSHOT_FLAGS } from './snapshot';
|
||||
import {
|
||||
initRegistry, validateToken as validateScopedToken, checkScope, checkDomain,
|
||||
@@ -317,6 +318,27 @@ const CONSOLE_LOG_PATH = config.consoleLog;
|
||||
const NETWORK_LOG_PATH = config.networkLog;
|
||||
const DIALOG_LOG_PATH = config.dialogLog;
|
||||
|
||||
/**
|
||||
* Per-process state-file temp path. The state-file write pattern is
|
||||
* `writeFileSync(tmp, ...) → renameSync(tmp, stateFile)` for atomicity,
|
||||
* but a shared `${stateFile}.tmp` filename means two concurrent writers
|
||||
* (cold-start race when N CLIs hit a fresh repo simultaneously, parallel
|
||||
* /tunnel/start handlers, or a combination) collide on the rename: the
|
||||
* first writer's renameSync moves the shared temp file out of the way,
|
||||
* the second writer's writeFileSync re-creates it, the second rename
|
||||
* then races with the first writer's already-renamed state. Worst case
|
||||
* the second renameSync throws ENOENT mid-air, killing one of the
|
||||
* spawning daemons during startup.
|
||||
*
|
||||
* Per-process suffix (pid + 4 random bytes) makes each writer's temp
|
||||
* path unique. The atomic rename still gives last-writer-wins semantics
|
||||
* for the final state.json content; the only behavior change is that
|
||||
* concurrent writers no longer kill each other on the rename.
|
||||
*/
|
||||
function tmpStatePath(): string {
|
||||
return `${config.stateFile}.tmp.${process.pid}.${crypto.randomBytes(4).toString('hex')}`;
|
||||
}
|
||||
|
||||
|
||||
// ─── Sidebar agent / chat state ripped ──────────────────────────────
|
||||
// ChatEntry, SidebarSession, TabAgentState interfaces; chatBuffer,
|
||||
@@ -328,6 +350,7 @@ const DIALOG_LOG_PATH = config.dialogLog;
|
||||
// terminal-agent.ts; chat queue + per-tab agent multiplexing are no
|
||||
// longer needed.
|
||||
|
||||
let lastConsoleFlushed = 0;
|
||||
let lastNetworkFlushed = 0;
|
||||
let lastDialogFlushed = 0;
|
||||
let flushInProgress = false;
|
||||
@@ -1596,7 +1619,7 @@ async function start() {
|
||||
// Update state file
|
||||
const stateContent = JSON.parse(fs.readFileSync(config.stateFile, 'utf-8'));
|
||||
stateContent.tunnel = { url: tunnelUrl, domain: domain || null, startedAt: new Date().toISOString() };
|
||||
const tmpState = config.stateFile + '.tmp';
|
||||
const tmpState = tmpStatePath();
|
||||
fs.writeFileSync(tmpState, JSON.stringify(stateContent, null, 2), { mode: 0o600 });
|
||||
fs.renameSync(tmpState, config.stateFile);
|
||||
|
||||
@@ -2126,7 +2149,7 @@ async function start() {
|
||||
// without clobbering a recycled PID.
|
||||
...(xvfb ? { xvfbPid: xvfb.pid, xvfbStartTime: xvfb.startTime, xvfbDisplay: xvfb.display } : {}),
|
||||
};
|
||||
const tmpFile = config.stateFile + '.tmp';
|
||||
const tmpFile = tmpStatePath();
|
||||
fs.writeFileSync(tmpFile, JSON.stringify(state, null, 2), { mode: 0o600 });
|
||||
fs.renameSync(tmpFile, config.stateFile);
|
||||
|
||||
@@ -2207,7 +2230,7 @@ async function start() {
|
||||
// Update state file with tunnel URL
|
||||
const stateContent = JSON.parse(fs.readFileSync(config.stateFile, 'utf-8'));
|
||||
stateContent.tunnel = { url: tunnelUrl, domain: domain || null, startedAt: new Date().toISOString() };
|
||||
const tmpState = config.stateFile + '.tmp';
|
||||
const tmpState = tmpStatePath();
|
||||
fs.writeFileSync(tmpState, JSON.stringify(stateContent, null, 2), { mode: 0o600 });
|
||||
fs.renameSync(tmpState, config.stateFile);
|
||||
} catch (err: any) {
|
||||
@@ -2237,7 +2260,7 @@ async function start() {
|
||||
console.log(`[browse] Tunnel listener bound (local-only test mode) on 127.0.0.1:${tunnelPort}`);
|
||||
const stateContent = JSON.parse(fs.readFileSync(config.stateFile, 'utf-8'));
|
||||
stateContent.tunnelLocalPort = tunnelPort;
|
||||
const tmpState = config.stateFile + '.tmp';
|
||||
const tmpState = tmpStatePath();
|
||||
fs.writeFileSync(tmpState, JSON.stringify(stateContent, null, 2), { mode: 0o600 });
|
||||
fs.renameSync(tmpState, config.stateFile);
|
||||
} catch (err: any) {
|
||||
@@ -2252,8 +2275,8 @@ start().catch((err) => {
|
||||
// stderr because the server is launched with detached: true, stdio: 'ignore'.
|
||||
try {
|
||||
const errorLogPath = path.join(config.stateDir, 'browse-startup-error.log');
|
||||
fs.mkdirSync(config.stateDir, { recursive: true, mode: 0o700 });
|
||||
fs.writeFileSync(errorLogPath, `${new Date().toISOString()} ${err.message}\n${err.stack || ''}\n`, { mode: 0o600 });
|
||||
mkdirSecure(config.stateDir);
|
||||
writeSecureFile(errorLogPath, `${new Date().toISOString()} ${err.message}\n${err.stack || ''}\n`);
|
||||
} catch {
|
||||
// stateDir may not exist — nothing more we can do
|
||||
}
|
||||
|
||||
@@ -149,9 +149,16 @@ export class TabSession {
|
||||
* Use this for operations that work on both Page and Frame (locator, evaluate, etc.).
|
||||
*/
|
||||
getActiveFrameOrPage(): Page | Frame {
|
||||
// Auto-recover from detached frames (iframe removed/navigated)
|
||||
// Auto-recover from detached frames (iframe removed/navigated). Clear
|
||||
// refs alongside the activeFrame — same staleness condition as
|
||||
// onMainFrameNavigated() below: refs were captured against a frame
|
||||
// that no longer exists. Without this, refMap entries linger against
|
||||
// a dead frame after silently falling back to the main page; the
|
||||
// next snapshot's role+name keys collide with stale entries and the
|
||||
// resolver picks one at random.
|
||||
if (this.activeFrame?.isDetached()) {
|
||||
this.activeFrame = null;
|
||||
this.clearRefs();
|
||||
}
|
||||
return this.activeFrame ?? this.page;
|
||||
}
|
||||
|
||||
@@ -23,6 +23,7 @@
|
||||
import * as fs from 'fs';
|
||||
import * as path from 'path';
|
||||
import * as crypto from 'crypto';
|
||||
import { writeSecureFile, mkdirSecure } from './file-permissions';
|
||||
import { safeUnlink } from './error-handling';
|
||||
|
||||
const STATE_FILE = process.env.BROWSE_STATE_FILE || path.join(process.env.HOME || '/tmp', '.gstack', 'browse.json');
|
||||
@@ -83,7 +84,7 @@ function findClaude(): string | null {
|
||||
/** Probe + persist claude availability for the bootstrap card. */
|
||||
function writeClaudeAvailable(): void {
|
||||
const stateDir = path.dirname(STATE_FILE);
|
||||
try { fs.mkdirSync(stateDir, { recursive: true, mode: 0o700 }); } catch {}
|
||||
try { mkdirSecure(stateDir); } catch {}
|
||||
const found = findClaude();
|
||||
const status = {
|
||||
available: !!found,
|
||||
@@ -94,7 +95,7 @@ function writeClaudeAvailable(): void {
|
||||
const target = path.join(stateDir, 'claude-available.json');
|
||||
const tmp = path.join(stateDir, `.tmp-claude-${process.pid}`);
|
||||
try {
|
||||
fs.writeFileSync(tmp, JSON.stringify(status, null, 2), { mode: 0o600 });
|
||||
writeSecureFile(tmp, JSON.stringify(status, null, 2));
|
||||
fs.renameSync(tmp, target);
|
||||
} catch {
|
||||
safeUnlink(tmp);
|
||||
@@ -361,8 +362,26 @@ function buildServer() {
|
||||
// Binary input. Lazy-spawn claude on the first byte.
|
||||
if (!session.spawned) {
|
||||
session.spawned = true;
|
||||
// UTF-8 boundary detection to prevent splitting multi-byte characters (issue #1272).
|
||||
// Buffer incomplete UTF-8 sequences until the next chunk completes them.
|
||||
let leftover = Buffer.alloc(0);
|
||||
const proc = spawnClaude(session.cols, session.rows, (chunk) => {
|
||||
try { ws.sendBinary(chunk); } catch {}
|
||||
const combined = Buffer.concat([leftover, Buffer.from(chunk)]);
|
||||
// Find the last index where a UTF-8 codepoint ends. Look back at most 3 bytes.
|
||||
let safeEnd = combined.length;
|
||||
for (let i = combined.length - 1; i >= Math.max(0, combined.length - 3); i--) {
|
||||
const b = combined[i];
|
||||
if ((b & 0x80) === 0) { safeEnd = i + 1; break; } // ASCII
|
||||
if ((b & 0xC0) === 0x80) continue; // continuation byte
|
||||
const expected = (b & 0xE0) === 0xC0 ? 2 : (b & 0xF0) === 0xE0 ? 3 : 4;
|
||||
safeEnd = (combined.length - i >= expected) ? combined.length : i;
|
||||
break;
|
||||
}
|
||||
const flush = combined.slice(0, safeEnd);
|
||||
leftover = combined.slice(safeEnd);
|
||||
if (flush.length) {
|
||||
try { ws.sendBinary(flush); } catch {}
|
||||
}
|
||||
});
|
||||
if (!proc) {
|
||||
try {
|
||||
@@ -422,7 +441,7 @@ function handleTabState(msg: {
|
||||
reason?: string;
|
||||
}): void {
|
||||
const stateDir = path.dirname(STATE_FILE);
|
||||
try { fs.mkdirSync(stateDir, { recursive: true, mode: 0o700 }); } catch {}
|
||||
try { mkdirSecure(stateDir); } catch {}
|
||||
|
||||
// tabs.json — full list
|
||||
if (Array.isArray(msg.tabs)) {
|
||||
@@ -442,7 +461,7 @@ function handleTabState(msg: {
|
||||
const target = path.join(stateDir, 'tabs.json');
|
||||
const tmp = path.join(stateDir, `.tmp-tabs-${process.pid}`);
|
||||
try {
|
||||
fs.writeFileSync(tmp, JSON.stringify(payload, null, 2), { mode: 0o600 });
|
||||
writeSecureFile(tmp, JSON.stringify(payload, null, 2));
|
||||
fs.renameSync(tmp, target);
|
||||
} catch {
|
||||
safeUnlink(tmp);
|
||||
@@ -457,11 +476,11 @@ function handleTabState(msg: {
|
||||
const ctxFile = path.join(stateDir, 'active-tab.json');
|
||||
const tmp = path.join(stateDir, `.tmp-tab-${process.pid}`);
|
||||
try {
|
||||
fs.writeFileSync(tmp, JSON.stringify({
|
||||
writeSecureFile(tmp, JSON.stringify({
|
||||
tabId: active.tabId ?? null,
|
||||
url: active.url,
|
||||
title: active.title ?? '',
|
||||
}), { mode: 0o600 });
|
||||
}));
|
||||
fs.renameSync(tmp, ctxFile);
|
||||
} catch {
|
||||
safeUnlink(tmp);
|
||||
@@ -477,11 +496,11 @@ function handleTabSwitch(msg: { tabId?: number; url?: string; title?: string }):
|
||||
const ctxFile = path.join(stateDir, 'active-tab.json');
|
||||
const tmp = path.join(stateDir, `.tmp-tab-${process.pid}`);
|
||||
try {
|
||||
fs.writeFileSync(tmp, JSON.stringify({
|
||||
writeSecureFile(tmp, JSON.stringify({
|
||||
tabId: msg.tabId ?? null,
|
||||
url,
|
||||
title: msg.title ?? '',
|
||||
}), { mode: 0o600 });
|
||||
}));
|
||||
fs.renameSync(tmp, ctxFile);
|
||||
} catch {
|
||||
safeUnlink(tmp);
|
||||
@@ -524,9 +543,9 @@ function main() {
|
||||
|
||||
// Write port file atomically so the parent server can pick it up.
|
||||
const dir = path.dirname(PORT_FILE);
|
||||
try { fs.mkdirSync(dir, { recursive: true, mode: 0o700 }); } catch {}
|
||||
try { mkdirSecure(dir); } catch {}
|
||||
const tmp = `${PORT_FILE}.tmp-${process.pid}`;
|
||||
fs.writeFileSync(tmp, String(port), { mode: 0o600 });
|
||||
writeSecureFile(tmp, String(port));
|
||||
fs.renameSync(tmp, PORT_FILE);
|
||||
|
||||
// Hand the parent the internal token so it can call /internal/grant.
|
||||
@@ -549,8 +568,8 @@ function main() {
|
||||
// to a state file the parent reads. This avoids env-passing races. See main().
|
||||
const INTERNAL_TOKEN_FILE = path.join(path.dirname(STATE_FILE), 'terminal-internal-token');
|
||||
try {
|
||||
fs.mkdirSync(path.dirname(INTERNAL_TOKEN_FILE), { recursive: true, mode: 0o700 });
|
||||
fs.writeFileSync(INTERNAL_TOKEN_FILE, INTERNAL_TOKEN, { mode: 0o600 });
|
||||
mkdirSecure(path.dirname(INTERNAL_TOKEN_FILE));
|
||||
writeSecureFile(INTERNAL_TOKEN_FILE, INTERNAL_TOKEN);
|
||||
} catch {}
|
||||
|
||||
main();
|
||||
|
||||
@@ -18,6 +18,7 @@
|
||||
import { promises as fsp } from 'fs';
|
||||
import * as path from 'path';
|
||||
import * as os from 'os';
|
||||
import { mkdirSecure } from './file-permissions';
|
||||
|
||||
const LOG_DIR = path.join(os.homedir(), '.gstack', 'security');
|
||||
const LOG_PATH = path.join(LOG_DIR, 'attempts.jsonl');
|
||||
@@ -31,7 +32,10 @@ let dirEnsured = false;
|
||||
async function ensureDir(): Promise<void> {
|
||||
if (dirEnsured) return;
|
||||
try {
|
||||
await fsp.mkdir(LOG_DIR, { recursive: true, mode: 0o700 });
|
||||
// Sync mkdir is fine here — runs once per process at first denial. The
|
||||
// (OI)(CI) inheritance set on Windows means subsequent fsp.appendFile
|
||||
// writes pick up the owner-only ACL automatically.
|
||||
mkdirSecure(LOG_DIR);
|
||||
dirEnsured = true;
|
||||
} catch {
|
||||
// Swallow — log writes are best-effort. Failure to mkdir just means
|
||||
|
||||
@@ -87,6 +87,18 @@ describe('browse-client', () => {
|
||||
expect(auth.source).toBe('env');
|
||||
});
|
||||
|
||||
it('rejects GSTACK_PORT env values with trailing characters', () => {
|
||||
process.env.GSTACK_PORT = `${server.port}abc`;
|
||||
process.env.GSTACK_SKILL_TOKEN = 'scoped-token';
|
||||
const tmpDir = fs.mkdtempSync(path.join(os.tmpdir(), 'browse-client-test-'));
|
||||
try {
|
||||
expect(() => resolveBrowseAuth({ stateFile: path.join(tmpDir, 'missing.json') }))
|
||||
.toThrow('browse-client: cannot find daemon port + token');
|
||||
} finally {
|
||||
fs.rmSync(tmpDir, { recursive: true, force: true });
|
||||
}
|
||||
});
|
||||
|
||||
it('falls back to state file when env vars missing', () => {
|
||||
const tmpDir = fs.mkdtempSync(path.join(os.tmpdir(), 'browse-client-test-'));
|
||||
const stateFile = path.join(tmpDir, 'browse.json');
|
||||
@@ -154,6 +166,13 @@ describe('browse-client', () => {
|
||||
expect(server.requests[0].body).toEqual({ command: 'text', args: [], tabId: 7 });
|
||||
});
|
||||
|
||||
it('omits tabId when BROWSE_TAB has trailing characters', async () => {
|
||||
process.env.BROWSE_TAB = '7abc';
|
||||
const client = new BrowseClient({ port: server.port, token: 't' });
|
||||
await client.command('text', []);
|
||||
expect(server.requests[0].body).toEqual({ command: 'text', args: [] });
|
||||
});
|
||||
|
||||
it('throws BrowseClientError with status on non-2xx', async () => {
|
||||
const client = new BrowseClient({ port: server.port, token: 't' });
|
||||
server.setResponse(403, JSON.stringify({ error: 'Insufficient scope' }));
|
||||
|
||||
@@ -84,11 +84,34 @@ describe('$B domain-skill (E2E gate tier)', () => {
|
||||
expect(out).toContain('[quarantined] 127.0.0.1');
|
||||
});
|
||||
|
||||
test('readSkill returns null until the skill is promoted to active (T6)', async () => {
|
||||
test('readSkill returns null while quarantined; classifier_score=0 blocks auto-promote (#1369)', async () => {
|
||||
const { readSkill, recordSkillUse } = await import('../src/domain-skills');
|
||||
const jsonlPath = path.join(TMP_HOME, 'projects', 'e2e-test-slug', 'learnings.jsonl');
|
||||
|
||||
// While quarantined, readSkill returns null
|
||||
expect(await readSkill('127.0.0.1', 'e2e-test-slug')).toBeNull();
|
||||
// Three uses without flag triggers auto-promote
|
||||
|
||||
// Three uses without flag with classifier_score=0 (the default until L4 is
|
||||
// rewired) MUST stay quarantined per #1369. The gate is load-bearing: a
|
||||
// quarantined skill written under the influence of a poisoned page would
|
||||
// otherwise auto-promote after three benign uses without the L4 body scan
|
||||
// ever running.
|
||||
await recordSkillUse('127.0.0.1', 'e2e-test-slug', false);
|
||||
await recordSkillUse('127.0.0.1', 'e2e-test-slug', false);
|
||||
await recordSkillUse('127.0.0.1', 'e2e-test-slug', false);
|
||||
expect(await readSkill('127.0.0.1', 'e2e-test-slug')).toBeNull();
|
||||
|
||||
// Simulate L4 having scored the body (classifier_score > 0) by appending a
|
||||
// new tombstone row with a non-zero score, then verify the next use
|
||||
// promotes. This documents the unblock path the day L4 starts populating
|
||||
// classifier_score for skill writes again.
|
||||
const lines = (await fs.readFile(jsonlPath, 'utf8')).trim().split('\n').map((l) => JSON.parse(l));
|
||||
const latest = lines.filter((r: any) => r.type === 'domain' && r.host === '127.0.0.1').pop();
|
||||
expect(latest).toBeTruthy();
|
||||
const scored = { ...latest, classifier_score: 0.05, version: latest.version + 1, updated_ts: new Date().toISOString() };
|
||||
await fs.appendFile(jsonlPath, JSON.stringify(scored) + '\n');
|
||||
|
||||
// Now three uses promote
|
||||
await recordSkillUse('127.0.0.1', 'e2e-test-slug', false);
|
||||
await recordSkillUse('127.0.0.1', 'e2e-test-slug', false);
|
||||
await recordSkillUse('127.0.0.1', 'e2e-test-slug', false);
|
||||
|
||||
@@ -106,6 +106,31 @@ describe('domain-skills: state machine (T6)', () => {
|
||||
})
|
||||
).rejects.toThrow(/classifier flagged/);
|
||||
});
|
||||
|
||||
// domain-skill-commands.ts:140 (handleSave) writes classifier_score=0 with
|
||||
// the comment "L4 deferred to load-time" — but sidebar-agent (the deferred
|
||||
// scanner) was ripped per CLAUDE.md "Sidebar architecture." Without an
|
||||
// explicit gate, three benign uses promote any quarantined skill, including
|
||||
// one authored under a poisoned page, into prompt context permanently.
|
||||
it('does NOT auto-promote when classifier_score is 0 (production handleSave shape)', async () => {
|
||||
const m = await freshImport();
|
||||
await m.writeSkill({
|
||||
host: 'linkedin.com',
|
||||
body: '# LinkedIn',
|
||||
projectSlug: 'test-slug',
|
||||
source: 'agent',
|
||||
classifierScore: 0, // matches domain-skill-commands.ts:140 production path
|
||||
});
|
||||
const after3 = await m.recordSkillUse('linkedin.com', 'test-slug', false);
|
||||
await m.recordSkillUse('linkedin.com', 'test-slug', false);
|
||||
const final = await m.recordSkillUse('linkedin.com', 'test-slug', false);
|
||||
expect(after3?.state).toBe('quarantined');
|
||||
expect(final?.state).toBe('quarantined');
|
||||
expect(final?.use_count).toBe(3);
|
||||
// readSkill returns null for quarantined skills — they don't fire.
|
||||
const read = await m.readSkill('linkedin.com', 'test-slug');
|
||||
expect(read).toBeNull();
|
||||
});
|
||||
});
|
||||
|
||||
describe('domain-skills: scope shadowing (T4)', () => {
|
||||
|
||||
@@ -0,0 +1,148 @@
|
||||
/**
|
||||
* Unit tests for browse/src/file-permissions.ts
|
||||
*
|
||||
* Strategy:
|
||||
* - POSIX assertions check fs.statSync.mode bits directly (cheap, reliable,
|
||||
* runs on every CI config).
|
||||
* - Windows assertions don't check ACLs (that'd require parsing icacls
|
||||
* output, which is brittle across Windows versions / locales). Instead
|
||||
* we verify the helper doesn't throw and the file ends up accessible
|
||||
* to the current user — the "doesn't crash, file still usable"
|
||||
* contract the callers rely on.
|
||||
*/
|
||||
|
||||
import { afterEach, beforeEach, describe, expect, test } from 'bun:test';
|
||||
import * as fs from 'fs';
|
||||
import * as os from 'os';
|
||||
import * as path from 'path';
|
||||
|
||||
import {
|
||||
restrictFilePermissions,
|
||||
restrictDirectoryPermissions,
|
||||
writeSecureFile,
|
||||
appendSecureFile,
|
||||
mkdirSecure,
|
||||
__resetWarnedForTests,
|
||||
} from '../src/file-permissions';
|
||||
|
||||
let tmpDir: string;
|
||||
|
||||
beforeEach(() => {
|
||||
tmpDir = fs.mkdtempSync(path.join(os.tmpdir(), 'file-perms-'));
|
||||
__resetWarnedForTests();
|
||||
});
|
||||
|
||||
afterEach(() => {
|
||||
try { fs.rmSync(tmpDir, { recursive: true, force: true }); } catch { /* best-effort */ }
|
||||
});
|
||||
|
||||
describe('restrictFilePermissions', () => {
|
||||
test('on POSIX, sets file mode to 0o600', () => {
|
||||
if (process.platform === 'win32') return;
|
||||
const p = path.join(tmpDir, 'secret');
|
||||
fs.writeFileSync(p, 'token');
|
||||
fs.chmodSync(p, 0o644); // start world-readable to prove the call mutates it
|
||||
restrictFilePermissions(p);
|
||||
expect(fs.statSync(p).mode & 0o777).toBe(0o600);
|
||||
});
|
||||
|
||||
test('on Windows, does not throw on an existing file', () => {
|
||||
if (process.platform !== 'win32') return;
|
||||
const p = path.join(tmpDir, 'secret');
|
||||
fs.writeFileSync(p, 'token');
|
||||
expect(() => restrictFilePermissions(p)).not.toThrow();
|
||||
// File remains readable by the caller — core contract.
|
||||
expect(fs.readFileSync(p, 'utf8')).toBe('token');
|
||||
});
|
||||
|
||||
test('on Windows, does not throw when icacls fails (bad path)', () => {
|
||||
if (process.platform !== 'win32') return;
|
||||
// icacls emits an error for a nonexistent path; helper must swallow.
|
||||
expect(() => restrictFilePermissions(path.join(tmpDir, 'nonexistent'))).not.toThrow();
|
||||
});
|
||||
});
|
||||
|
||||
describe('restrictDirectoryPermissions', () => {
|
||||
test('on POSIX, sets directory mode to 0o700', () => {
|
||||
if (process.platform === 'win32') return;
|
||||
const d = path.join(tmpDir, 'subdir');
|
||||
fs.mkdirSync(d, { mode: 0o755 });
|
||||
restrictDirectoryPermissions(d);
|
||||
expect(fs.statSync(d).mode & 0o777).toBe(0o700);
|
||||
});
|
||||
|
||||
test('on Windows, does not throw on an existing directory', () => {
|
||||
if (process.platform !== 'win32') return;
|
||||
const d = path.join(tmpDir, 'subdir');
|
||||
fs.mkdirSync(d);
|
||||
expect(() => restrictDirectoryPermissions(d)).not.toThrow();
|
||||
});
|
||||
});
|
||||
|
||||
describe('writeSecureFile', () => {
|
||||
test('writes the payload and restricts permissions atomically', () => {
|
||||
const p = path.join(tmpDir, 'data');
|
||||
writeSecureFile(p, 'hello');
|
||||
expect(fs.readFileSync(p, 'utf8')).toBe('hello');
|
||||
if (process.platform !== 'win32') {
|
||||
expect(fs.statSync(p).mode & 0o777).toBe(0o600);
|
||||
}
|
||||
});
|
||||
|
||||
test('accepts Buffer payloads', () => {
|
||||
const p = path.join(tmpDir, 'buffer');
|
||||
writeSecureFile(p, Buffer.from([0xde, 0xad, 0xbe, 0xef]));
|
||||
const out = fs.readFileSync(p);
|
||||
expect(out.length).toBe(4);
|
||||
expect(out[0]).toBe(0xde);
|
||||
});
|
||||
|
||||
test('overwrites existing file', () => {
|
||||
const p = path.join(tmpDir, 'existing');
|
||||
fs.writeFileSync(p, 'old', { mode: 0o644 });
|
||||
writeSecureFile(p, 'new');
|
||||
expect(fs.readFileSync(p, 'utf8')).toBe('new');
|
||||
});
|
||||
});
|
||||
|
||||
describe('appendSecureFile', () => {
|
||||
test('appends to a new file and sets owner-only permissions', () => {
|
||||
const p = path.join(tmpDir, 'log');
|
||||
appendSecureFile(p, 'line1\n');
|
||||
expect(fs.readFileSync(p, 'utf8')).toBe('line1\n');
|
||||
if (process.platform !== 'win32') {
|
||||
expect(fs.statSync(p).mode & 0o777).toBe(0o600);
|
||||
}
|
||||
});
|
||||
|
||||
test('appends without re-applying ACL on subsequent writes', () => {
|
||||
const p = path.join(tmpDir, 'log');
|
||||
appendSecureFile(p, 'line1\n');
|
||||
appendSecureFile(p, 'line2\n');
|
||||
expect(fs.readFileSync(p, 'utf8')).toBe('line1\nline2\n');
|
||||
});
|
||||
});
|
||||
|
||||
describe('mkdirSecure', () => {
|
||||
test('creates directory with owner-only mode (POSIX)', () => {
|
||||
if (process.platform === 'win32') return;
|
||||
const d = path.join(tmpDir, 'nested', 'deep');
|
||||
mkdirSecure(d);
|
||||
expect(fs.statSync(d).isDirectory()).toBe(true);
|
||||
expect(fs.statSync(d).mode & 0o777).toBe(0o700);
|
||||
});
|
||||
|
||||
test('is idempotent — safe to call on existing directory', () => {
|
||||
const d = path.join(tmpDir, 'dir');
|
||||
mkdirSecure(d);
|
||||
expect(() => mkdirSecure(d)).not.toThrow();
|
||||
});
|
||||
|
||||
test('recursive behavior: creates intermediate directories', () => {
|
||||
const d = path.join(tmpDir, 'a', 'b', 'c');
|
||||
mkdirSecure(d);
|
||||
expect(fs.existsSync(path.join(tmpDir, 'a'))).toBe(true);
|
||||
expect(fs.existsSync(path.join(tmpDir, 'a', 'b'))).toBe(true);
|
||||
expect(fs.existsSync(d)).toBe(true);
|
||||
});
|
||||
});
|
||||
@@ -20,6 +20,8 @@ import {
|
||||
readSessionState,
|
||||
getStatus,
|
||||
extractDomain,
|
||||
buildTelemetrySpawnCommand,
|
||||
resolveBashBinary,
|
||||
type LayerSignal,
|
||||
} from '../src/security';
|
||||
|
||||
@@ -325,3 +327,77 @@ describe('extractDomain', () => {
|
||||
expect(extractDomain('')).toBe('');
|
||||
});
|
||||
});
|
||||
|
||||
// ─── Bash binary resolution (Windows shebang-script invocation) ─────
|
||||
|
||||
describe('resolveBashBinary', () => {
|
||||
test('on POSIX, returns the system bash via Bun.which', () => {
|
||||
if (process.platform === 'win32') return;
|
||||
const out = resolveBashBinary({ PATH: process.env.PATH ?? '' });
|
||||
expect(out).toBeTruthy();
|
||||
expect(out!.endsWith('bash')).toBe(true);
|
||||
});
|
||||
|
||||
test('honors GSTACK_BASH_BIN absolute-path override', () => {
|
||||
// Construct a synthetic absolute path; the helper short-circuits on
|
||||
// path.isAbsolute and never touches the filesystem, so this is portable.
|
||||
const fake = process.platform === 'win32' ? 'C:\\opt\\bash.exe' : '/opt/custom/bash';
|
||||
const out = resolveBashBinary({ GSTACK_BASH_BIN: fake, PATH: '' });
|
||||
expect(out).toBe(fake);
|
||||
});
|
||||
|
||||
test('strips wrapping double quotes from override values', () => {
|
||||
const fake = process.platform === 'win32' ? 'C:\\opt\\bash.exe' : '/opt/custom/bash';
|
||||
const out = resolveBashBinary({ GSTACK_BASH_BIN: `"${fake}"`, PATH: '' });
|
||||
expect(out).toBe(fake);
|
||||
});
|
||||
|
||||
test('BASH_BIN works as a fallback when GSTACK_BASH_BIN is unset', () => {
|
||||
const fake = process.platform === 'win32' ? 'C:\\opt\\bash.exe' : '/opt/custom/bash';
|
||||
const out = resolveBashBinary({ BASH_BIN: fake, PATH: '' });
|
||||
expect(out).toBe(fake);
|
||||
});
|
||||
|
||||
test('returns null when nothing resolves (override is unset and PATH is empty)', () => {
|
||||
// Empty PATH means Bun.which finds nothing.
|
||||
const out = resolveBashBinary({ PATH: '' });
|
||||
expect(out).toBeNull();
|
||||
});
|
||||
});
|
||||
|
||||
// ─── Telemetry spawn command (Windows bash wrapper, v1.24-aligned) ──
|
||||
|
||||
describe('buildTelemetrySpawnCommand', () => {
|
||||
const bin = '/home/user/.claude/skills/gstack/bin/gstack-telemetry-log';
|
||||
const args = ['--event-type', 'attack_attempt', '--confidence', '0.95'];
|
||||
|
||||
test('on POSIX, returns the binary path and args unchanged', () => {
|
||||
if (process.platform === 'win32') return;
|
||||
const out = buildTelemetrySpawnCommand(bin, args);
|
||||
expect(out).not.toBeNull();
|
||||
expect(out!.cmd).toBe(bin);
|
||||
expect(out!.cmdArgs).toEqual(args);
|
||||
});
|
||||
|
||||
test('on win32 with bash resolvable, wraps the call in bash with the script as first arg', () => {
|
||||
if (process.platform !== 'win32') return;
|
||||
const fakeBash = 'C:\\Program Files\\Git\\bin\\bash.exe';
|
||||
const out = buildTelemetrySpawnCommand(bin, args, { GSTACK_BASH_BIN: fakeBash, PATH: '' });
|
||||
expect(out).not.toBeNull();
|
||||
expect(out!.cmd).toBe(fakeBash);
|
||||
expect(out!.cmdArgs).toEqual([bin, ...args]);
|
||||
});
|
||||
|
||||
test('on win32 with bash unresolvable, returns null so caller skips spawn', () => {
|
||||
if (process.platform !== 'win32') return;
|
||||
// No override, empty PATH — Bun.which finds nothing on Windows.
|
||||
const out = buildTelemetrySpawnCommand(bin, args, { PATH: '' });
|
||||
expect(out).toBeNull();
|
||||
});
|
||||
|
||||
test('does not mutate the caller-supplied args array', () => {
|
||||
const originalArgs = [...args];
|
||||
buildTelemetrySpawnCommand(bin, args);
|
||||
expect(args).toEqual(originalArgs);
|
||||
});
|
||||
});
|
||||
|
||||
@@ -0,0 +1,73 @@
|
||||
/**
|
||||
* Regression: flushBuffers state-tracker declaration audit.
|
||||
*
|
||||
* `flushBuffers()` (server.ts) maintains per-buffer cursors so it only
|
||||
* appends *new* entries to each on-disk log on every interval tick:
|
||||
*
|
||||
* const newConsoleCount = consoleBuffer.totalAdded - lastConsoleFlushed;
|
||||
* const newNetworkCount = networkBuffer.totalAdded - lastNetworkFlushed;
|
||||
* const newDialogCount = dialogBuffer.totalAdded - lastDialogFlushed;
|
||||
*
|
||||
* The trackers must be declared with `let X = 0;` at module scope so the
|
||||
* subtraction returns a real number on the first tick. If a tracker is
|
||||
* referenced inside flushBuffers but never declared at module scope, the
|
||||
* interval throws `ReferenceError: X is not defined` every second — the
|
||||
* throw is swallowed by the catch at the bottom of flushBuffers (logged
|
||||
* as `[browse] Buffer flush failed: <name> is not defined`), the
|
||||
* corresponding on-disk log file is *never written*, and the regression
|
||||
* is silent in production.
|
||||
*
|
||||
* This source-level guard catches that exact class of regression — a
|
||||
* future flush-perf refactor that adds a fourth buffer cursor (or a
|
||||
* future contributor that copy-pastes the `last*Flushed` pattern without
|
||||
* the matching declaration) will fail this test before it ships.
|
||||
*
|
||||
* Pattern matches `terminal-agent.test.ts` and `dual-listener.test.ts`:
|
||||
* read source as text, assert an invariant, no daemon required.
|
||||
*/
|
||||
|
||||
import { describe, test, expect } from 'bun:test';
|
||||
import { readFileSync } from 'fs';
|
||||
import * as path from 'path';
|
||||
|
||||
const SERVER_TS = readFileSync(
|
||||
path.resolve(import.meta.dir, '../src/server.ts'),
|
||||
'utf-8',
|
||||
);
|
||||
|
||||
describe('server.ts — flushBuffers tracker declarations', () => {
|
||||
test('every `last*Flushed` tracker referenced inside flushBuffers is declared at module scope', () => {
|
||||
// Locate the flushBuffers function body. The function is `async function
|
||||
// flushBuffers() { ... }` — match through the closing brace at the start
|
||||
// of a line (one-level-deep function in the file).
|
||||
const fnMatch = SERVER_TS.match(
|
||||
/async function flushBuffers\([^)]*\)[^{]*\{([\s\S]*?)\n\}/,
|
||||
);
|
||||
expect(fnMatch, 'flushBuffers function not found in server.ts').not.toBeNull();
|
||||
const body = fnMatch![1]!;
|
||||
|
||||
// Pull every identifier matching the `lastXxxFlushed` cursor pattern.
|
||||
const trackerMatches = [...body.matchAll(/\blast([A-Z]\w+)Flushed\b/g)];
|
||||
const trackers = Array.from(new Set(trackerMatches.map((m) => `last${m[1]}Flushed`)));
|
||||
|
||||
expect(
|
||||
trackers.length,
|
||||
'flushBuffers should reference at least one last*Flushed tracker',
|
||||
).toBeGreaterThan(0);
|
||||
|
||||
for (const tracker of trackers) {
|
||||
// Module-level `let X = 0;` declaration (not inside a function body).
|
||||
// Anchored start-of-line to avoid matching nested re-declarations or
|
||||
// string literals.
|
||||
const declared = new RegExp(
|
||||
`(?:^|\\n)let\\s+${tracker}\\s*=\\s*0\\s*;`,
|
||||
).test(SERVER_TS);
|
||||
expect(
|
||||
declared,
|
||||
`\`${tracker}\` is referenced inside flushBuffers but never declared at module scope ` +
|
||||
`with \`let ${tracker} = 0;\` — the interval will throw ReferenceError every tick ` +
|
||||
`and the corresponding on-disk log will never be written`,
|
||||
).toBe(true);
|
||||
}
|
||||
});
|
||||
});
|
||||
@@ -0,0 +1,110 @@
|
||||
/**
|
||||
* Regression: state-file temp path uniqueness.
|
||||
*
|
||||
* The daemon writes `.gstack/browse.json` via the standard atomic-rename
|
||||
* pattern: `writeFileSync(tmp, …) → renameSync(tmp, stateFile)`. The
|
||||
* pattern is correct for a single writer. It breaks for *concurrent*
|
||||
* writers when they share a single temp filename:
|
||||
*
|
||||
* t0 Writer A: writeFileSync(stateFile + '.tmp', payloadA)
|
||||
* t1 Writer B: writeFileSync(stateFile + '.tmp', payloadB) // overwrites A
|
||||
* t2 Writer A: renameSync(stateFile + '.tmp', stateFile) // moves B's payload
|
||||
* t3 Writer B: renameSync(stateFile + '.tmp', stateFile) // ENOENT — file gone
|
||||
*
|
||||
* A 15-CLI cold-start race against a fresh repo reproduces this in the
|
||||
* wild — one of the spawned daemons dies with:
|
||||
*
|
||||
* [browse] Failed to start: ENOENT: no such file or directory,
|
||||
* rename '…/.gstack/browse.json.tmp' -> '…/.gstack/browse.json'
|
||||
*
|
||||
* Fix: per-process temp path via `tmpStatePath()` (pid + 4 random bytes
|
||||
* of suffix). Each concurrent writer gets a unique path; the atomic
|
||||
* rename still gives last-writer-wins semantics on the final state file
|
||||
* content, but writers no longer kill each other on the rename step.
|
||||
*
|
||||
* This source-level guard locks two invariants:
|
||||
* 1. No remaining `stateFile + '.tmp'` literals in server.ts (regression
|
||||
* catch — a future copy-paste or revert would re-introduce the bug)
|
||||
* 2. The 4 known state-write call sites all use `tmpStatePath()`
|
||||
* (positive coverage)
|
||||
*
|
||||
* Same pattern as terminal-agent.test.ts and dual-listener.test.ts:
|
||||
* read source as text, assert invariant, no daemon required.
|
||||
*/
|
||||
|
||||
import { describe, test, expect } from 'bun:test';
|
||||
import { readFileSync } from 'fs';
|
||||
import * as path from 'path';
|
||||
|
||||
const SERVER_TS = readFileSync(
|
||||
path.resolve(import.meta.dir, '../src/server.ts'),
|
||||
'utf-8',
|
||||
);
|
||||
|
||||
describe('server.ts — state-file temp-path uniqueness', () => {
|
||||
test('no remaining `stateFile + \'.tmp\'` literals (regression catch)', () => {
|
||||
// The shared-temp-filename pattern that caused the cold-start ENOENT
|
||||
// race. A future contributor that copy-pastes the old pattern (or a
|
||||
// revert) will fail this test.
|
||||
const sharedTempLiterals = [
|
||||
...SERVER_TS.matchAll(/stateFile\s*\+\s*['"`]\.tmp['"`]/g),
|
||||
];
|
||||
expect(
|
||||
sharedTempLiterals.length,
|
||||
`Found ${sharedTempLiterals.length} reference(s) to the shared ` +
|
||||
`\`stateFile + '.tmp'\` pattern. Use \`tmpStatePath()\` instead — ` +
|
||||
`the shared pattern races on rename when two daemons spawn ` +
|
||||
`concurrently (cold-start race + parallel /tunnel/start).`,
|
||||
).toBe(0);
|
||||
});
|
||||
|
||||
test('every state-file writeFileSync call uses tmpStatePath()', () => {
|
||||
// Find every `writeFileSync(X, JSON.stringify(stateContent...` or
|
||||
// `…(state, …)` call and verify X is `tmpStatePath()` or a variable
|
||||
// assigned from `tmpStatePath()`.
|
||||
const writeCalls = [
|
||||
...SERVER_TS.matchAll(
|
||||
/fs\.writeFileSync\s*\(\s*(\w+)\s*,\s*JSON\.stringify\(\s*(state|stateContent)/g,
|
||||
),
|
||||
];
|
||||
expect(
|
||||
writeCalls.length,
|
||||
'expected at least one state-file write site',
|
||||
).toBeGreaterThan(0);
|
||||
|
||||
for (const m of writeCalls) {
|
||||
const varName = m[1]!;
|
||||
// Walk back to the assignment of varName — must come from tmpStatePath()
|
||||
const assignRe = new RegExp(
|
||||
`(?:const|let)\\s+${varName}\\s*=\\s*tmpStatePath\\(\\)`,
|
||||
);
|
||||
expect(
|
||||
assignRe.test(SERVER_TS),
|
||||
`state-file writeFileSync uses \`${varName}\` but no \`const ${varName} = tmpStatePath()\` ` +
|
||||
`assignment was found upstream. Either assign from tmpStatePath() ` +
|
||||
`or pass tmpStatePath() inline — the shared \`stateFile + '.tmp'\` ` +
|
||||
`pattern races under concurrent daemon startup`,
|
||||
).toBe(true);
|
||||
}
|
||||
});
|
||||
|
||||
test('tmpStatePath() declaration includes a per-process unique suffix', () => {
|
||||
// Lock the suffix shape so a future contributor doesn't accidentally
|
||||
// strip the uniqueness back out by simplifying the helper.
|
||||
const declMatch = SERVER_TS.match(
|
||||
/function tmpStatePath\(\)[^{]*\{([\s\S]*?)\n\}/,
|
||||
);
|
||||
expect(declMatch, 'tmpStatePath() declaration not found').not.toBeNull();
|
||||
const body = declMatch![1]!;
|
||||
|
||||
// Must reference both process.pid and crypto.randomBytes — two
|
||||
// independent sources of uniqueness.
|
||||
expect(body, 'tmpStatePath() must include process.pid in the suffix').toContain(
|
||||
'process.pid',
|
||||
);
|
||||
expect(
|
||||
body,
|
||||
'tmpStatePath() must include a random suffix via crypto.randomBytes',
|
||||
).toContain('crypto.randomBytes');
|
||||
});
|
||||
});
|
||||
@@ -0,0 +1,154 @@
|
||||
/**
|
||||
* Regression: refMap must be cleared when an iframe detaches.
|
||||
*
|
||||
* `TabSession.getActiveFrameOrPage()` (tab-session.ts:151) auto-recovers
|
||||
* from detached iframes by setting `activeFrame = null` and silently
|
||||
* falling back to the main page. The asymmetric bug: the matching
|
||||
* `clearRefs()` call is missing.
|
||||
*
|
||||
* Compare to `onMainFrameNavigated()` (tab-session.ts:167) — the
|
||||
* staleness condition is equivalent (refs were captured against a frame
|
||||
* that no longer exists), and the main-frame path correctly clears both
|
||||
* the activeFrame AND the refMap:
|
||||
*
|
||||
* onMainFrameNavigated(): void {
|
||||
* this.clearRefs(); // ← clears refs
|
||||
* this.activeFrame = null;
|
||||
* this.loadedHtml = null;
|
||||
* this.loadedHtmlWaitUntil = undefined;
|
||||
* }
|
||||
*
|
||||
* getActiveFrameOrPage(): Page | Frame {
|
||||
* if (this.activeFrame?.isDetached()) {
|
||||
* this.activeFrame = null; // ← but no clearRefs() here
|
||||
* }
|
||||
* return this.activeFrame ?? this.page;
|
||||
* }
|
||||
*
|
||||
* The lazy click-time staleness check at `resolveRef` (tab-session.ts:97)
|
||||
* partially saves us — `entry.locator.count()` on a detached-frame
|
||||
* locator throws or returns 0, so a click against a stale ref errors out
|
||||
* with "Ref X is stale". But the user has no signal that frame context
|
||||
* silently changed underfoot: the next `snapshot` runs against
|
||||
* `this.page` (main) while old iframe refs still litter `refMap` with
|
||||
* the same role+name keys. New refs collide with stale ones, the
|
||||
* resolver picks one at random, the user clicks the wrong element.
|
||||
*
|
||||
* Behavior the test locks: when an iframe detaches and
|
||||
* `getActiveFrameOrPage()` auto-recovers, the refMap is cleared in the
|
||||
* same step (matching the `onMainFrameNavigated` symmetry). TODOS.md
|
||||
* line 816-820 documents "Detached frame auto-recovery" as a feature;
|
||||
* this restores the documented intent.
|
||||
*/
|
||||
|
||||
import { describe, test, expect, beforeEach } from 'bun:test';
|
||||
import { TabSession, type RefEntry } from '../src/tab-session';
|
||||
import type { Page, Frame, Locator } from 'playwright';
|
||||
|
||||
// Minimal type-cast mocks. Same pattern as tab-isolation.test.ts —
|
||||
// pure-logic tests don't launch a browser.
|
||||
function mockPage(): Page {
|
||||
return {} as Page;
|
||||
}
|
||||
|
||||
function mockDetachedFrame(): Frame {
|
||||
return { isDetached: () => true } as unknown as Frame;
|
||||
}
|
||||
|
||||
function mockAttachedFrame(): Frame {
|
||||
return { isDetached: () => false } as unknown as Frame;
|
||||
}
|
||||
|
||||
function mockRefEntry(role: string, name: string): RefEntry {
|
||||
return {
|
||||
locator: {} as Locator,
|
||||
role,
|
||||
name,
|
||||
};
|
||||
}
|
||||
|
||||
// Fresh refs Map per call — avoid by-reference mutation poisoning across
|
||||
// halves of the symmetry test (clearRefs() clears the same Map instance
|
||||
// the test holds a reference to).
|
||||
function makeRefs(): Map<string, RefEntry> {
|
||||
const r = new Map<string, RefEntry>();
|
||||
r.set('e1', mockRefEntry('button', 'Submit'));
|
||||
r.set('e2', mockRefEntry('textbox', 'Email'));
|
||||
r.set('e3', mockRefEntry('link', 'Forgot password'));
|
||||
return r;
|
||||
}
|
||||
|
||||
describe('TabSession — frame detach + ref staleness', () => {
|
||||
let session: TabSession;
|
||||
|
||||
beforeEach(() => {
|
||||
session = new TabSession(mockPage());
|
||||
session.setRefMap(makeRefs());
|
||||
});
|
||||
|
||||
test('refs cleared when getActiveFrameOrPage detects detached iframe', () => {
|
||||
// Pre-condition: refs captured inside an iframe context
|
||||
session.setFrame(mockDetachedFrame());
|
||||
expect(session.getRefCount()).toBe(3);
|
||||
|
||||
// Act: caller invokes getActiveFrameOrPage (e.g. via the next /command
|
||||
// dispatch). The detach gets noticed inside.
|
||||
const result = session.getActiveFrameOrPage();
|
||||
|
||||
// Auto-recovery: activeFrame nulled (already worked pre-fix)
|
||||
expect(session.getFrame()).toBeNull();
|
||||
|
||||
// The fix: refs ALSO cleared so the next snapshot runs against a
|
||||
// clean ref namespace. Pre-fix this was 3 — refs lingered against a
|
||||
// dead frame, colliding with refs the next snapshot would emit.
|
||||
expect(session.getRefCount()).toBe(0);
|
||||
});
|
||||
|
||||
test('refs preserved when active frame is still attached', () => {
|
||||
// No regression on the happy path — attached frame should NOT
|
||||
// trigger the cleanup.
|
||||
session.setFrame(mockAttachedFrame());
|
||||
expect(session.getRefCount()).toBe(3);
|
||||
|
||||
session.getActiveFrameOrPage();
|
||||
|
||||
// Frame still set, refs still present.
|
||||
expect(session.getFrame()).not.toBeNull();
|
||||
expect(session.getRefCount()).toBe(3);
|
||||
});
|
||||
|
||||
test('refs preserved when no frame is set (page-level snapshot)', () => {
|
||||
// No frame ever set → the if-branch never enters → refs untouched.
|
||||
expect(session.getFrame()).toBeNull();
|
||||
expect(session.getRefCount()).toBe(3);
|
||||
|
||||
session.getActiveFrameOrPage();
|
||||
|
||||
expect(session.getRefCount()).toBe(3);
|
||||
});
|
||||
|
||||
test('matches onMainFrameNavigated symmetry (refs+frame both cleared)', () => {
|
||||
// Pin the design symmetry: both staleness paths (main-frame nav AND
|
||||
// iframe detach) must clear both pieces of state together. If a
|
||||
// future refactor splits these, the test fails before merge.
|
||||
session.setFrame(mockDetachedFrame());
|
||||
expect(session.getRefCount()).toBe(3);
|
||||
|
||||
session.onMainFrameNavigated();
|
||||
|
||||
expect(session.getFrame()).toBeNull();
|
||||
expect(session.getRefCount()).toBe(0);
|
||||
|
||||
// Reset with a FRESH Map (the previous one was emptied by clearRefs
|
||||
// by-reference) and exercise the iframe-detach path. End state must
|
||||
// match.
|
||||
session.setRefMap(makeRefs());
|
||||
session.setFrame(mockDetachedFrame());
|
||||
expect(session.getRefCount()).toBe(3);
|
||||
|
||||
session.getActiveFrameOrPage();
|
||||
|
||||
expect(session.getFrame()).toBeNull();
|
||||
expect(session.getRefCount()).toBe(0);
|
||||
});
|
||||
});
|
||||
Reference in New Issue
Block a user