mirror of
https://github.com/garrytan/gstack.git
synced 2026-05-02 11:45:20 +02:00
Garry Tan
27962738db
domain-skills-e2e.test.ts (4 tests): - save derives host from active tab top-level origin (T3) - save lands quarantined; list surfaces it - readSkill returns null until 3 uses without flag promote to active (T6) - save without an active page errors with structured guidance cdp-e2e.test.ts (8 tests): - Accessibility.getFullAXTree returns wrapped JSON (allowed, untrusted-output) - Performance.getMetrics returns plain JSON (allowed, trusted-output) - Runtime.evaluate DENIED with structured guidance (T2 RCE block) - Page.navigate DENIED (must use $B goto for blocklist routing) - Network.getResponseBody DENIED (exfil block) - malformed JSON params surfaces clear error - non Domain.method format surfaces clear error - $B cdp help returns help text Both files boot a real Chromium via BrowserManager.launch() and exercise the dispatch handlers end-to-end. Total 12 E2E tests in <2s. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
107 lines
4.5 KiB
TypeScript
107 lines
4.5 KiB
TypeScript
/**
|
|
* E2E (gate tier): boots a real Chromium via BrowserManager.launch(), navigates
|
|
* to the fixture server, exercises $B cdp end-to-end against a Playwright-owned
|
|
* CDPSession (Path A from the spike).
|
|
*
|
|
* Verifies (T2 + T7):
|
|
* - allowed methods (Accessibility, Performance, DOM, CSS read-only) succeed
|
|
* - dangerous methods are DENIED with structured error
|
|
* - untrusted-output methods get UNTRUSTED envelope
|
|
* - mutex works against a real CDPSession
|
|
*/
|
|
|
|
import { describe, test, expect, beforeAll, afterAll } from 'bun:test';
|
|
import * as path from 'path';
|
|
import * as os from 'os';
|
|
import { promises as fs } from 'fs';
|
|
import { startTestServer } from './test-server';
|
|
import { BrowserManager } from '../src/browser-manager';
|
|
|
|
const TMP_HOME = path.join(os.tmpdir(), `gstack-cdp-e2e-${process.pid}-${Date.now()}`);
|
|
process.env.GSTACK_HOME = TMP_HOME;
|
|
process.env.GSTACK_TELEMETRY_OFF = '1'; // don't pollute analytics during tests
|
|
|
|
let testServer: ReturnType<typeof startTestServer>;
|
|
let bm: BrowserManager;
|
|
let baseUrl: string;
|
|
|
|
beforeAll(async () => {
|
|
await fs.rm(TMP_HOME, { recursive: true, force: true });
|
|
await fs.mkdir(TMP_HOME, { recursive: true });
|
|
testServer = startTestServer(0);
|
|
baseUrl = testServer.url;
|
|
bm = new BrowserManager();
|
|
await bm.launch();
|
|
await bm.getPage().goto(baseUrl + '/basic.html');
|
|
});
|
|
|
|
afterAll(async () => {
|
|
try { await bm.cleanup?.(); } catch {}
|
|
try { testServer.server.stop(); } catch {}
|
|
await fs.rm(TMP_HOME, { recursive: true, force: true });
|
|
});
|
|
|
|
describe('$B cdp (E2E gate tier)', () => {
|
|
test('Accessibility.getFullAXTree (allowed, untrusted-output) returns wrapped JSON', async () => {
|
|
const { handleCdpCommand } = await import('../src/cdp-commands');
|
|
const out = await handleCdpCommand(['Accessibility.getFullAXTree', '{}'], bm);
|
|
// Untrusted-output methods get the envelope
|
|
expect(out).toContain('--- BEGIN UNTRUSTED EXTERNAL CONTENT');
|
|
expect(out).toContain('--- END UNTRUSTED EXTERNAL CONTENT ---');
|
|
// The envelope wraps a JSON tree
|
|
const inner = out.replace(/--- BEGIN .*?\n/s, '').replace(/\n--- END .*$/s, '');
|
|
const parsed = JSON.parse(inner);
|
|
expect(parsed).toHaveProperty('nodes');
|
|
expect(Array.isArray(parsed.nodes)).toBe(true);
|
|
});
|
|
|
|
test('Performance.getMetrics (allowed, trusted-output) returns plain JSON', async () => {
|
|
const { handleCdpCommand } = await import('../src/cdp-commands');
|
|
// Performance domain needs to be enabled first
|
|
await handleCdpCommand(['Performance.enable', '{}'], bm);
|
|
const out = await handleCdpCommand(['Performance.getMetrics', '{}'], bm);
|
|
// Trusted-output = no envelope
|
|
expect(out).not.toContain('UNTRUSTED');
|
|
const parsed = JSON.parse(out);
|
|
expect(parsed).toHaveProperty('metrics');
|
|
expect(Array.isArray(parsed.metrics)).toBe(true);
|
|
});
|
|
|
|
test('Runtime.evaluate (DENIED) errors with structured guidance', async () => {
|
|
const { handleCdpCommand } = await import('../src/cdp-commands');
|
|
await expect(handleCdpCommand(['Runtime.evaluate', '{"expression":"1+1"}'], bm))
|
|
.rejects.toThrow(/DENIED.*Runtime\.evaluate/);
|
|
});
|
|
|
|
test('Page.navigate (DENIED — must use $B goto for blocklist routing)', async () => {
|
|
const { handleCdpCommand } = await import('../src/cdp-commands');
|
|
await expect(handleCdpCommand(['Page.navigate', '{"url":"http://example.com"}'], bm))
|
|
.rejects.toThrow(/DENIED.*Page\.navigate/);
|
|
});
|
|
|
|
test('Network.getResponseBody (DENIED — exfil surface)', async () => {
|
|
const { handleCdpCommand } = await import('../src/cdp-commands');
|
|
await expect(handleCdpCommand(['Network.getResponseBody', '{}'], bm))
|
|
.rejects.toThrow(/DENIED.*Network\.getResponseBody/);
|
|
});
|
|
|
|
test('malformed JSON params surfaces a clear error', async () => {
|
|
const { handleCdpCommand } = await import('../src/cdp-commands');
|
|
await expect(handleCdpCommand(['Accessibility.getFullAXTree', 'not-json'], bm))
|
|
.rejects.toThrow(/Cannot parse params as JSON/);
|
|
});
|
|
|
|
test('non Domain.method format surfaces a clear error', async () => {
|
|
const { handleCdpCommand } = await import('../src/cdp-commands');
|
|
await expect(handleCdpCommand(['justOneWord'], bm))
|
|
.rejects.toThrow(/Domain\.method format/);
|
|
});
|
|
|
|
test('--help returns the help text', async () => {
|
|
const { handleCdpCommand } = await import('../src/cdp-commands');
|
|
const out = await handleCdpCommand(['help'], bm);
|
|
expect(out).toContain('deny-default escape hatch');
|
|
expect(out).toContain('cdp-allowlist.ts');
|
|
});
|
|
});
|