23f7624596
ADR-166 MCP Bridge Security Lock / Static-source security lock (push) Failing after 0s
ADR-166 MCP Bridge Security Lock / Compose default binds loopback + Mongo has auth (push) Failing after 2s
CodeQL Advanced / Analyze (rust) (push) Failing after 0s
ADR-166 MCP Bridge Security Lock / plugin-agent-federation bindHost default (push) Failing after 1s
ADR-166 MCP Bridge Security Lock / Runtime behavior — 401 + terminal gate + fail-closed (push) Failing after 4s
business-pods-smoke / smoke (push) Failing after 1s
all-plugins-smoke / smoke-all (push) Failing after 2s
CI/CD Pipeline / Security & Code Quality (push) Failing after 1s
CI/CD Pipeline / Test Suite (ubuntu-latest) (push) Failing after 1s
CI/CD Pipeline / Build & Package (macos-latest) (push) Has been skipped
CI/CD Pipeline / Build & Package (ubuntu-latest) (push) Has been skipped
CI/CD Pipeline / Build & Package (windows-latest) (push) Has been skipped
CI/CD Pipeline / Documentation & Examples (push) Failing after 1s
Clone Tracker (14-day rolling) / Snapshot clones for ruflo ecosystem (push) Failing after 1s
CodeQL Advanced / Analyze (actions) (push) Failing after 1s
CodeQL Advanced / Analyze (javascript-typescript) (push) Failing after 1s
federation-peer-rust / stable-noop (push) Failing after 1s
metaharness-ci / score (push) Failing after 1s
metaharness-ci / router-compat (push) Failing after 0s
metaharness-ci / similarity-tests (push) Failing after 0s
no-agentbbs-smoke / smoke-without-agentbbs (push) Failing after 1s
V3 CI/CD Pipeline / Build V3 (windows-latest) (push) Has been skipped
codex-integration-audit / Codex integration audit (push) Failing after 1s
helpers-manifest-guard / guard (push) Failing after 1s
🔗 Cross-Agent Integration Tests / 🤝 Agent Coordination Tests (push) Has been skipped
🔗 Cross-Agent Integration Tests / 🧠 Memory Sharing Integration (push) Has been skipped
🔗 Cross-Agent Integration Tests / 🛡️ Fault Tolerance Tests (push) Has been skipped
🔗 Cross-Agent Integration Tests / ⚡ Performance Integration Tests (push) Has been skipped
metaharness-ci / mcp-scan (push) Failing after 1s
metaharness-ci / eject-dryrun (push) Failing after 1s
metaharness-ci / metaharness-real-data (push) Failing after 0s
no-cli-optdep-bloat-2561 / guard (push) Failing after 1s
no-metaharness-smoke / smoke-without-metaharness (push) Failing after 1s
no-phantom-agentic-flow-subpath / guard (push) Failing after 1s
🔄 Automated Rollback Manager / 🚨 Failure Detection (push) Failing after 1s
V3 CI/CD Pipeline / Plugin hooks smoke / ubuntu-latest / Node 22 (push) Failing after 1s
V3 CI/CD Pipeline / ruflo-graph-intelligence build + test smoke (#2044, ADR-123) (push) Failing after 1s
CVE Audit Gate / Audit root (critical-blocking) (push) Failing after 2s
cost-tracker-smoke / smoke (push) Failing after 3s
oia-audit-weekly / audit (push) Failing after 2s
ruflo-agent-smoke / ruflo-agent structural smoke (push) Failing after 1s
📊 Status Badges Update / 📊 Update Status Badges (push) Failing after 1s
V3 CI/CD Pipeline / Static regression guards (#2267 YAML + (push) Failing after 1s
V3 CI/CD Pipeline / Test V3 Packages (push) Failing after 0s
V3 CI/CD Pipeline / agent_execute provider routing smoke (#2042) (push) Failing after 0s
CVE Audit Gate / Audit v3 (critical-blocking) (push) Failing after 1s
federation-peer-rust / stable-native (push) Failing after 2s
🔗 Cross-Agent Integration Tests / 🚀 Integration Test Setup (push) Failing after 2s
neural-trader-smoke / runtime-smoke (push) Failing after 1s
V3 CI/CD Pipeline / Build V3 (macos-latest) (push) Has been skipped
V3 CI/CD Pipeline / Build V3 (ubuntu-latest) (push) Has been skipped
V3 CI/CD Pipeline / Type Check V3 (push) Failing after 1s
V3 CI/CD Pipeline / Smoke (no better-sqlite3) / ubuntu-latest / Node 24 (push) Failing after 1s
V3 CI/CD Pipeline / Smoke (no better-sqlite3) / ubuntu-latest / Node 22 (push) Failing after 2s
V3 CI/CD Pipeline / browser rvf create flag smoke (#2015) (push) Failing after 0s
V3 CI/CD Pipeline / Dependency review (#2046) (push) Has been skipped
V3 CI/CD Pipeline / Supply-chain audit (#2046) (push) Failing after 0s
V3 CI/CD Pipeline / witness marker drift smoke (#2021) (push) Failing after 1s
V3 CI/CD Pipeline / neural-trader portfolio CG smoke (#2068, ADR-126 Phase 3) (push) Failing after 1s
V3 CI/CD Pipeline / neural-trader backtest signing smoke (#2068, ADR-126 Phase 4) (push) Failing after 1s
V3 CI/CD Pipeline / kg-extract type-import classification smoke (#2049) (push) Failing after 0s
V3 CI/CD Pipeline / witness verify precondition smoke (#1880) (push) Failing after 2s
V3 CI/CD Pipeline / neural-trader pipeline risk-gate smoke (#2068, ADR-126 Phase 5) (push) Failing after 0s
V3 CI/CD Pipeline / neural-trader feature attribution smoke (#2068, ADR-126 Phase 6) (push) Failing after 0s
V3 CI/CD Pipeline / plugin-registry signature verification smoke (#1922, CWE-347) (push) Failing after 4s
V3 CI/CD Pipeline / memory stats legacy-DB smoke (#2120) (push) Failing after 4s
V3 CI/CD Pipeline / github deprecated actions smoke (#2089, ADR-127 Phase 3) (push) Failing after 1s
V3 CI/CD Pipeline / graph query + pathfinder smoke (ADR-130 P2+P5) (push) Has been skipped
V3 CI/CD Pipeline / graph trajectory hooks smoke (ADR-130 P3) (push) Has been skipped
V3 CI/CD Pipeline / graph plugin adapter smoke (ADR-130 P4) (push) Has been skipped
V3 CI/CD Pipeline / graph benchmark (ADR-130 P6) (push) Has been skipped
V3 CI/CD Pipeline / statusline generator delegation smoke (#2195) (push) Failing after 1s
V3 CI/CD Pipeline / wizard init regression guard (#2206 (push) Failing after 1s
V3 CI/CD Pipeline / memory no-stray-db smoke (ADR-125 P7) (push) Failing after 1s
V3 CI/CD Pipeline / github-safe injection smoke (#2089, ADR-127 Phase 1) (push) Failing after 1s
V3 CI/CD Pipeline / github actions pin smoke (#2089, ADR-127 Phase 1) (push) Failing after 1s
V3 CI/CD Pipeline / github attribution opt-in smoke (#2089, ADR-127 Phase 4) (push) Failing after 1s
V3 CI/CD Pipeline / pre-bash hook safety smoke (#2017) (push) Failing after 1s
V3 CI/CD Pipeline / Memory import smoke / ubuntu-latest (push) Failing after 0s
V3 CI/CD Pipeline / MCP protocol smoke / ubuntu-latest (push) Failing after 2s
V3 CI/CD Pipeline / ruvllm WASM auto-init smoke (#2086) (push) Failing after 4s
V3 CI/CD Pipeline / MCP paired-tool round-trip smoke (#1889) (push) Failing after 1s
V3 CI/CD Pipeline / Plugin package install-safety (#1902/#1903/#1904) (push) Failing after 1s
V3 CI/CD Pipeline / Tool description discoverability (ADR-112) (push) Failing after 3s
V3 CI/CD Pipeline / CLI npx-install smoke (#1147 / (22) (push) Failing after 1s
V3 CI/CD Pipeline / CLI npx-install smoke (#1147 / (24) (push) Failing after 1s
V3 CI/CD Pipeline / Windows hook shim smoke (#2132) / ubuntu-latest (push) Failing after 2s
V3 CI/CD Pipeline / Windows hook execution smoke (#2132) / ubuntu-latest (push) Failing after 1s
V3 CI/CD Pipeline / Windows init hooks smoke (#2132) / ubuntu-latest (push) Failing after 1s
V3 CI/CD Pipeline / Vector-index dimension audit (#1947) (push) Failing after 0s
V3 CI/CD Pipeline / Hook-command install safety (#1921) (push) Failing after 1s
V3 CI/CD Pipeline / ToolOutputGuardrail smoke (ADR-131, (push) Failing after 1s
V3 CI/CD Pipeline / init-bundle invariants smoke (#2095, ADR-128 Phase 5) (push) Failing after 1s
V3 CI/CD Pipeline / wasm provider bridge smoke (ADR-129 P1) (push) Failing after 2s
V3 CI/CD Pipeline / wasm gallery CRUD smoke (ADR-129 P3) (push) Failing after 1s
V3 CI/CD Pipeline / wasm plugin bridge smoke (ADR-129 P4) (push) Failing after 0s
V3 CI/CD Pipeline / wasm compose smoke (ADR-129 P2) (push) Failing after 4s
V3 CI/CD Pipeline / graph schema smoke (ADR-130 P1) (push) Failing after 0s
Validate Marketplace / validate (push) Failing after 1s
🔍 Verification Pipeline / 🚀 Setup Verification (push) Failing after 1s
🔍 Verification Pipeline / 🛡️ Security Verification (push) Has been skipped
🔍 Verification Pipeline / 📝 Code Quality (push) Has been skipped
🔍 Verification Pipeline / 🧪 Test Verification (${{ matrix.os }}, Node ${{ matrix.node }}) (push) Has been skipped
🔍 Verification Pipeline / 🏗️ Build Verification (push) Has been skipped
🔍 Verification Pipeline / 📚 Documentation Verification (push) Has been skipped
CVE Audit Gate / High-severity report (warn only) (push) Has been cancelled
🔄 Automated Rollback Manager / 🔄 Execute Rollback (push) Has been cancelled
🔄 Automated Rollback Manager / ✅ Post-Rollback Verification (push) Has been cancelled
🔄 Automated Rollback Manager / 📊 Rollback Monitoring (push) Has been cancelled
V3 CI/CD Pipeline / Windows init hooks smoke (#2132) / windows-latest (push) Has been cancelled
V3 CI/CD Pipeline / Windows hook execution smoke (#2132) / macos-latest (push) Has been cancelled
V3 CI/CD Pipeline / Windows hook execution smoke (#2132) / windows-latest (push) Has been cancelled
🔄 Automated Rollback Manager / ⏳ Manual Rollback Approval (push) Has been cancelled
V3 CI/CD Pipeline / MCP protocol smoke / macos-latest (push) Has been cancelled
V3 CI/CD Pipeline / Memory import smoke / macos-latest (push) Has been cancelled
V3 CI/CD Pipeline / Windows hook shim smoke (#2132) / macos-latest (push) Has been cancelled
V3 CI/CD Pipeline / Windows hook shim smoke (#2132) / windows-latest (push) Has been cancelled
V3 CI/CD Pipeline / Windows init hooks smoke (#2132) / macos-latest (push) Has been cancelled
V3 CI/CD Pipeline / Witness verify (signed manifest) / macos-latest (push) Has been cancelled
V3 CI/CD Pipeline / Witness verify (signed manifest) / ubuntu-latest (push) Has been cancelled
V3 CI/CD Pipeline / Witness verify (signed manifest) / windows-latest (push) Has been cancelled
V3 CI/CD Pipeline / Publish to npm (alpha) (push) Has been cancelled
V3 CI/CD Pipeline / Smoke (no better-sqlite3) / macos-latest / Node 22 (push) Has been cancelled
V3 CI/CD Pipeline / Plugin hooks smoke / macos-latest / Node 22 (push) Has been cancelled
CI/CD Pipeline / Deploy & Release (push) Has been cancelled
CI/CD Pipeline / CI Status (push) Has been cancelled
🔗 Cross-Agent Integration Tests / 📊 Integration Test Report (push) Has been cancelled
🔄 Automated Rollback Manager / 🔍 Pre-Rollback Validation (push) Has been cancelled
🔍 Verification Pipeline / ⚡ Performance Verification (push) Has been cancelled
🔍 Verification Pipeline / 📊 Verification Report (push) Has been cancelled
711 lines
26 KiB
TypeScript
711 lines
26 KiB
TypeScript
/**
|
|
* Tests for Guidance Hook Integration Layer
|
|
*/
|
|
import { describe, it, expect, beforeEach, vi } from 'vitest';
|
|
import { GuidanceHookProvider, createGuidanceHooks, gateResultsToHookResult } from '../src/hooks.js';
|
|
import { EnforcementGates } from '../src/gates.js';
|
|
import { ShardRetriever, HashEmbeddingProvider } from '../src/retriever.js';
|
|
import { RunLedger } from '../src/ledger.js';
|
|
import { HookRegistry } from '@claude-flow/hooks';
|
|
import { HookEvent, HookPriority } from '@claude-flow/hooks';
|
|
import type { HookContext, HookResult } from '@claude-flow/hooks';
|
|
import type { GateResult, RunEvent, PolicyBundle } from '../src/types.js';
|
|
|
|
// ============================================================================
|
|
// Helpers
|
|
// ============================================================================
|
|
|
|
function makeHookContext(overrides: Partial<HookContext> = {}): HookContext {
|
|
return {
|
|
event: HookEvent.PreCommand,
|
|
timestamp: new Date(),
|
|
...overrides,
|
|
};
|
|
}
|
|
|
|
function makePolicyBundle(): PolicyBundle {
|
|
return {
|
|
constitution: {
|
|
rules: [
|
|
{
|
|
id: 'R001',
|
|
text: 'Never commit secrets',
|
|
riskClass: 'critical',
|
|
toolClasses: ['all'],
|
|
intents: ['security'],
|
|
repoScopes: ['**/*'],
|
|
domains: ['security'],
|
|
priority: 100,
|
|
source: 'root',
|
|
isConstitution: true,
|
|
createdAt: Date.now(),
|
|
updatedAt: Date.now(),
|
|
},
|
|
],
|
|
text: '# Constitution\n\n- Never commit secrets',
|
|
hash: 'test-hash-001',
|
|
},
|
|
shards: [
|
|
{
|
|
rule: {
|
|
id: 'R002',
|
|
text: 'Always run tests before committing',
|
|
riskClass: 'high',
|
|
toolClasses: ['bash'],
|
|
intents: ['testing', 'feature'],
|
|
repoScopes: ['**/*'],
|
|
domains: ['testing'],
|
|
priority: 80,
|
|
source: 'root',
|
|
isConstitution: false,
|
|
createdAt: Date.now(),
|
|
updatedAt: Date.now(),
|
|
},
|
|
compactText: 'Run tests before committing code changes.',
|
|
},
|
|
{
|
|
rule: {
|
|
id: 'R003',
|
|
text: 'Use staged commits for large changes',
|
|
riskClass: 'medium',
|
|
toolClasses: ['edit'],
|
|
intents: ['feature', 'refactor'],
|
|
repoScopes: ['**/*'],
|
|
domains: ['architecture'],
|
|
priority: 50,
|
|
source: 'root',
|
|
isConstitution: false,
|
|
createdAt: Date.now(),
|
|
updatedAt: Date.now(),
|
|
},
|
|
compactText: 'Break large changes into staged commits.',
|
|
},
|
|
],
|
|
manifest: {
|
|
rules: [],
|
|
compiledAt: Date.now(),
|
|
sourceHashes: {},
|
|
totalRules: 3,
|
|
constitutionRules: 1,
|
|
shardRules: 2,
|
|
},
|
|
};
|
|
}
|
|
|
|
// ============================================================================
|
|
// gateResultsToHookResult
|
|
// ============================================================================
|
|
|
|
describe('gateResultsToHookResult', () => {
|
|
it('should return success for empty gate results', () => {
|
|
const result = gateResultsToHookResult([]);
|
|
expect(result.success).toBe(true);
|
|
expect(result.abort).toBeUndefined();
|
|
});
|
|
|
|
it('should map block decision to abort', () => {
|
|
const gateResults: GateResult[] = [
|
|
{
|
|
decision: 'block',
|
|
gateName: 'secrets',
|
|
reason: 'Secret detected',
|
|
triggeredRules: ['R001'],
|
|
remediation: 'Remove the secret',
|
|
},
|
|
];
|
|
|
|
const result = gateResultsToHookResult(gateResults);
|
|
expect(result.success).toBe(false);
|
|
expect(result.abort).toBe(true);
|
|
expect(result.error).toContain('Secret detected');
|
|
});
|
|
|
|
it('should map require-confirmation to abort', () => {
|
|
const gateResults: GateResult[] = [
|
|
{
|
|
decision: 'require-confirmation',
|
|
gateName: 'destructive-ops',
|
|
reason: 'Destructive op detected',
|
|
triggeredRules: [],
|
|
remediation: 'Confirm the operation',
|
|
},
|
|
];
|
|
|
|
const result = gateResultsToHookResult(gateResults);
|
|
expect(result.success).toBe(false);
|
|
expect(result.abort).toBe(true);
|
|
expect(result.data).toBeDefined();
|
|
expect((result.data as Record<string, unknown>).gateDecision).toBe('require-confirmation');
|
|
});
|
|
|
|
it('should map warn to success with warnings', () => {
|
|
const gateResults: GateResult[] = [
|
|
{
|
|
decision: 'warn',
|
|
gateName: 'diff-size',
|
|
reason: 'Large diff detected',
|
|
triggeredRules: [],
|
|
remediation: 'Stage incrementally',
|
|
},
|
|
];
|
|
|
|
const result = gateResultsToHookResult(gateResults);
|
|
expect(result.success).toBe(true);
|
|
expect(result.abort).toBeUndefined();
|
|
expect(result.warnings).toBeDefined();
|
|
expect(result.warnings!.length).toBeGreaterThan(0);
|
|
});
|
|
|
|
it('should pick the most restrictive decision among mixed results', () => {
|
|
const gateResults: GateResult[] = [
|
|
{ decision: 'warn', gateName: 'diff-size', reason: 'Large', triggeredRules: [] },
|
|
{ decision: 'block', gateName: 'secrets', reason: 'Secret', triggeredRules: [] },
|
|
];
|
|
|
|
const result = gateResultsToHookResult(gateResults);
|
|
expect(result.success).toBe(false);
|
|
expect(result.abort).toBe(true);
|
|
expect((result.data as Record<string, unknown>).gateDecision).toBe('block');
|
|
});
|
|
});
|
|
|
|
// ============================================================================
|
|
// GuidanceHookProvider - Registration
|
|
// ============================================================================
|
|
|
|
describe('GuidanceHookProvider', () => {
|
|
let gates: EnforcementGates;
|
|
let retriever: ShardRetriever;
|
|
let ledger: RunLedger;
|
|
let registry: HookRegistry;
|
|
let provider: GuidanceHookProvider;
|
|
|
|
beforeEach(async () => {
|
|
gates = new EnforcementGates();
|
|
retriever = new ShardRetriever(new HashEmbeddingProvider());
|
|
ledger = new RunLedger();
|
|
registry = new HookRegistry();
|
|
provider = new GuidanceHookProvider(gates, retriever, ledger);
|
|
|
|
// Load a bundle so the retriever is functional
|
|
await retriever.loadBundle(makePolicyBundle());
|
|
});
|
|
|
|
describe('registerAll', () => {
|
|
it('should register 5 hooks on the registry', () => {
|
|
const ids = provider.registerAll(registry);
|
|
expect(ids).toHaveLength(5);
|
|
expect(registry.size).toBe(5);
|
|
});
|
|
|
|
it('should register a hook for PreCommand', () => {
|
|
provider.registerAll(registry);
|
|
const hooks = registry.getForEvent(HookEvent.PreCommand);
|
|
expect(hooks.length).toBeGreaterThanOrEqual(1);
|
|
const guidanceHook = hooks.find(h => h.name === 'guidance-gate-pre-command');
|
|
expect(guidanceHook).toBeDefined();
|
|
expect(guidanceHook!.priority).toBe(HookPriority.Critical);
|
|
});
|
|
|
|
it('should register a hook for PreToolUse', () => {
|
|
provider.registerAll(registry);
|
|
const hooks = registry.getForEvent(HookEvent.PreToolUse);
|
|
const guidanceHook = hooks.find(h => h.name === 'guidance-gate-pre-tool-use');
|
|
expect(guidanceHook).toBeDefined();
|
|
expect(guidanceHook!.priority).toBe(HookPriority.Critical);
|
|
});
|
|
|
|
it('should register a hook for PreEdit at High priority', () => {
|
|
provider.registerAll(registry);
|
|
const hooks = registry.getForEvent(HookEvent.PreEdit);
|
|
const guidanceHook = hooks.find(h => h.name === 'guidance-gate-pre-edit');
|
|
expect(guidanceHook).toBeDefined();
|
|
expect(guidanceHook!.priority).toBe(HookPriority.High);
|
|
});
|
|
|
|
it('should register a hook for PreTask at Normal priority', () => {
|
|
provider.registerAll(registry);
|
|
const hooks = registry.getForEvent(HookEvent.PreTask);
|
|
const guidanceHook = hooks.find(h => h.name === 'guidance-retriever-pre-task');
|
|
expect(guidanceHook).toBeDefined();
|
|
expect(guidanceHook!.priority).toBe(HookPriority.Normal);
|
|
});
|
|
|
|
it('should register a hook for PostTask at Normal priority', () => {
|
|
provider.registerAll(registry);
|
|
const hooks = registry.getForEvent(HookEvent.PostTask);
|
|
const guidanceHook = hooks.find(h => h.name === 'guidance-ledger-post-task');
|
|
expect(guidanceHook).toBeDefined();
|
|
expect(guidanceHook!.priority).toBe(HookPriority.Normal);
|
|
});
|
|
});
|
|
|
|
describe('unregisterAll', () => {
|
|
it('should remove all registered hooks from the registry', () => {
|
|
provider.registerAll(registry);
|
|
expect(registry.size).toBe(5);
|
|
|
|
provider.unregisterAll(registry);
|
|
expect(registry.size).toBe(0);
|
|
expect(provider.getHookIds()).toHaveLength(0);
|
|
});
|
|
});
|
|
|
|
// ==========================================================================
|
|
// PreCommand hook
|
|
// ==========================================================================
|
|
|
|
describe('PreCommand hook', () => {
|
|
it('should block destructive commands', async () => {
|
|
provider.registerAll(registry);
|
|
const hooks = registry.getForEvent(HookEvent.PreCommand);
|
|
const handler = hooks.find(h => h.name === 'guidance-gate-pre-command')!.handler;
|
|
|
|
const ctx = makeHookContext({
|
|
event: HookEvent.PreCommand,
|
|
command: { raw: 'rm -rf /' },
|
|
});
|
|
|
|
const result = await handler(ctx);
|
|
expect(result.success).toBe(false);
|
|
expect(result.abort).toBe(true);
|
|
expect(result.message).toContain('Destructive operation');
|
|
});
|
|
|
|
it('should block git push --force', async () => {
|
|
provider.registerAll(registry);
|
|
const hooks = registry.getForEvent(HookEvent.PreCommand);
|
|
const handler = hooks.find(h => h.name === 'guidance-gate-pre-command')!.handler;
|
|
|
|
const ctx = makeHookContext({
|
|
event: HookEvent.PreCommand,
|
|
command: { raw: 'git push origin main --force' },
|
|
});
|
|
|
|
const result = await handler(ctx);
|
|
expect(result.success).toBe(false);
|
|
expect(result.abort).toBe(true);
|
|
});
|
|
|
|
it('should detect secrets in commands', async () => {
|
|
provider.registerAll(registry);
|
|
const hooks = registry.getForEvent(HookEvent.PreCommand);
|
|
const handler = hooks.find(h => h.name === 'guidance-gate-pre-command')!.handler;
|
|
|
|
const ctx = makeHookContext({
|
|
event: HookEvent.PreCommand,
|
|
command: { raw: 'export API_KEY="sk-abc123456789012345678901234567890"' },
|
|
});
|
|
|
|
const result = await handler(ctx);
|
|
// Secrets gate fires with 'block'
|
|
expect(result.success).toBe(false);
|
|
expect(result.abort).toBe(true);
|
|
});
|
|
|
|
it('should allow safe commands', async () => {
|
|
provider.registerAll(registry);
|
|
const hooks = registry.getForEvent(HookEvent.PreCommand);
|
|
const handler = hooks.find(h => h.name === 'guidance-gate-pre-command')!.handler;
|
|
|
|
const ctx = makeHookContext({
|
|
event: HookEvent.PreCommand,
|
|
command: { raw: 'git status' },
|
|
});
|
|
|
|
const result = await handler(ctx);
|
|
expect(result.success).toBe(true);
|
|
});
|
|
|
|
it('should succeed when no command is provided', async () => {
|
|
provider.registerAll(registry);
|
|
const hooks = registry.getForEvent(HookEvent.PreCommand);
|
|
const handler = hooks.find(h => h.name === 'guidance-gate-pre-command')!.handler;
|
|
|
|
const ctx = makeHookContext({ event: HookEvent.PreCommand });
|
|
const result = await handler(ctx);
|
|
expect(result.success).toBe(true);
|
|
});
|
|
});
|
|
|
|
// ==========================================================================
|
|
// PreToolUse hook
|
|
// ==========================================================================
|
|
|
|
describe('PreToolUse hook', () => {
|
|
it('should block non-allowlisted tools when allowlist is enabled', async () => {
|
|
const restrictedGates = new EnforcementGates({
|
|
toolAllowlist: true,
|
|
allowedTools: ['Read', 'Write'],
|
|
});
|
|
const restrictedProvider = new GuidanceHookProvider(restrictedGates, retriever, ledger);
|
|
restrictedProvider.registerAll(registry);
|
|
|
|
const hooks = registry.getForEvent(HookEvent.PreToolUse);
|
|
const handler = hooks.find(h => h.name === 'guidance-gate-pre-tool-use')!.handler;
|
|
|
|
const ctx = makeHookContext({
|
|
event: HookEvent.PreToolUse,
|
|
tool: { name: 'Bash', parameters: {} },
|
|
});
|
|
|
|
const result = await handler(ctx);
|
|
expect(result.success).toBe(false);
|
|
expect(result.abort).toBe(true);
|
|
});
|
|
|
|
it('should detect secrets in tool parameters', async () => {
|
|
provider.registerAll(registry);
|
|
const hooks = registry.getForEvent(HookEvent.PreToolUse);
|
|
const handler = hooks.find(h => h.name === 'guidance-gate-pre-tool-use')!.handler;
|
|
|
|
// Use an sk- prefixed key which is detected even through JSON.stringify
|
|
// (the password pattern requires surrounding quotes which get escaped by
|
|
// JSON.stringify in evaluateToolUse, so we use a pattern without quote delimiters)
|
|
const ctx = makeHookContext({
|
|
event: HookEvent.PreToolUse,
|
|
tool: {
|
|
name: 'Write',
|
|
parameters: {
|
|
content: 'const key = sk-abcdefghij0123456789abcdef',
|
|
},
|
|
},
|
|
});
|
|
|
|
const result = await handler(ctx);
|
|
expect(result.success).toBe(false);
|
|
expect(result.abort).toBe(true);
|
|
});
|
|
|
|
it('should allow safe tool use', async () => {
|
|
provider.registerAll(registry);
|
|
const hooks = registry.getForEvent(HookEvent.PreToolUse);
|
|
const handler = hooks.find(h => h.name === 'guidance-gate-pre-tool-use')!.handler;
|
|
|
|
const ctx = makeHookContext({
|
|
event: HookEvent.PreToolUse,
|
|
tool: { name: 'Read', parameters: { path: '/src/main.ts' } },
|
|
});
|
|
|
|
const result = await handler(ctx);
|
|
expect(result.success).toBe(true);
|
|
});
|
|
|
|
it('should succeed when no tool info is provided', async () => {
|
|
provider.registerAll(registry);
|
|
const hooks = registry.getForEvent(HookEvent.PreToolUse);
|
|
const handler = hooks.find(h => h.name === 'guidance-gate-pre-tool-use')!.handler;
|
|
|
|
const ctx = makeHookContext({ event: HookEvent.PreToolUse });
|
|
const result = await handler(ctx);
|
|
expect(result.success).toBe(true);
|
|
});
|
|
});
|
|
|
|
// ==========================================================================
|
|
// PreEdit hook
|
|
// ==========================================================================
|
|
|
|
describe('PreEdit hook', () => {
|
|
it('should detect secrets in edit content', async () => {
|
|
provider.registerAll(registry);
|
|
const hooks = registry.getForEvent(HookEvent.PreEdit);
|
|
const handler = hooks.find(h => h.name === 'guidance-gate-pre-edit')!.handler;
|
|
|
|
const ctx = makeHookContext({
|
|
event: HookEvent.PreEdit,
|
|
file: { path: '/src/config.ts', operation: 'modify' },
|
|
metadata: {
|
|
content: 'const token = "ghp_abcdefghijklmnopqrstuvwxyz1234567890"',
|
|
diffLines: 5,
|
|
},
|
|
});
|
|
|
|
const result = await handler(ctx);
|
|
expect(result.success).toBe(false);
|
|
expect(result.abort).toBe(true);
|
|
});
|
|
|
|
it('should warn on large diffs', async () => {
|
|
provider.registerAll(registry);
|
|
const hooks = registry.getForEvent(HookEvent.PreEdit);
|
|
const handler = hooks.find(h => h.name === 'guidance-gate-pre-edit')!.handler;
|
|
|
|
const ctx = makeHookContext({
|
|
event: HookEvent.PreEdit,
|
|
file: { path: '/src/main.ts', operation: 'modify' },
|
|
metadata: {
|
|
content: 'const foo = "bar"',
|
|
diffLines: 500,
|
|
},
|
|
});
|
|
|
|
const result = await handler(ctx);
|
|
expect(result.success).toBe(true);
|
|
expect(result.warnings).toBeDefined();
|
|
expect(result.warnings!.length).toBeGreaterThan(0);
|
|
});
|
|
|
|
it('should allow clean small edits', async () => {
|
|
provider.registerAll(registry);
|
|
const hooks = registry.getForEvent(HookEvent.PreEdit);
|
|
const handler = hooks.find(h => h.name === 'guidance-gate-pre-edit')!.handler;
|
|
|
|
const ctx = makeHookContext({
|
|
event: HookEvent.PreEdit,
|
|
file: { path: '/src/utils.ts', operation: 'modify' },
|
|
metadata: {
|
|
content: 'export const VERSION = "1.0.0"',
|
|
diffLines: 1,
|
|
},
|
|
});
|
|
|
|
const result = await handler(ctx);
|
|
expect(result.success).toBe(true);
|
|
});
|
|
|
|
it('should succeed when no file info is provided', async () => {
|
|
provider.registerAll(registry);
|
|
const hooks = registry.getForEvent(HookEvent.PreEdit);
|
|
const handler = hooks.find(h => h.name === 'guidance-gate-pre-edit')!.handler;
|
|
|
|
const ctx = makeHookContext({ event: HookEvent.PreEdit });
|
|
const result = await handler(ctx);
|
|
expect(result.success).toBe(true);
|
|
});
|
|
});
|
|
|
|
// ==========================================================================
|
|
// PreTask hook
|
|
// ==========================================================================
|
|
|
|
describe('PreTask hook', () => {
|
|
it('should retrieve shards and classify intent', async () => {
|
|
provider.registerAll(registry);
|
|
const hooks = registry.getForEvent(HookEvent.PreTask);
|
|
const handler = hooks.find(h => h.name === 'guidance-retriever-pre-task')!.handler;
|
|
|
|
const ctx = makeHookContext({
|
|
event: HookEvent.PreTask,
|
|
task: { id: 'task-001', description: 'Fix the authentication bug in login flow' },
|
|
});
|
|
|
|
const result = await handler(ctx);
|
|
expect(result.success).toBe(true);
|
|
expect(result.data).toBeDefined();
|
|
expect((result.data as Record<string, unknown>).intent).toBeDefined();
|
|
expect((result.data as Record<string, unknown>).shardCount).toBeDefined();
|
|
});
|
|
|
|
it('should classify intent as bug-fix for bug descriptions', async () => {
|
|
provider.registerAll(registry);
|
|
const hooks = registry.getForEvent(HookEvent.PreTask);
|
|
const handler = hooks.find(h => h.name === 'guidance-retriever-pre-task')!.handler;
|
|
|
|
const ctx = makeHookContext({
|
|
event: HookEvent.PreTask,
|
|
task: { id: 'task-002', description: 'Fix broken error handling' },
|
|
});
|
|
|
|
const result = await handler(ctx);
|
|
expect(result.success).toBe(true);
|
|
expect((result.data as Record<string, unknown>).intent).toBe('bug-fix');
|
|
});
|
|
|
|
it('should classify intent as security for security descriptions', async () => {
|
|
provider.registerAll(registry);
|
|
const hooks = registry.getForEvent(HookEvent.PreTask);
|
|
const handler = hooks.find(h => h.name === 'guidance-retriever-pre-task')!.handler;
|
|
|
|
const ctx = makeHookContext({
|
|
event: HookEvent.PreTask,
|
|
task: { id: 'task-003', description: 'Fix XSS vulnerability in input sanitization' },
|
|
});
|
|
|
|
const result = await handler(ctx);
|
|
expect(result.success).toBe(true);
|
|
expect((result.data as Record<string, unknown>).intent).toBe('security');
|
|
});
|
|
|
|
it('should create an active run event for the task', async () => {
|
|
provider.registerAll(registry);
|
|
const hooks = registry.getForEvent(HookEvent.PreTask);
|
|
const handler = hooks.find(h => h.name === 'guidance-retriever-pre-task')!.handler;
|
|
|
|
const ctx = makeHookContext({
|
|
event: HookEvent.PreTask,
|
|
task: { id: 'task-004', description: 'Add new feature for user profiles' },
|
|
});
|
|
|
|
await handler(ctx);
|
|
const activeRun = provider.getActiveRun('task-004');
|
|
expect(activeRun).toBeDefined();
|
|
expect(activeRun!.taskId).toBe('task-004');
|
|
});
|
|
|
|
it('should succeed when task info is missing', async () => {
|
|
provider.registerAll(registry);
|
|
const hooks = registry.getForEvent(HookEvent.PreTask);
|
|
const handler = hooks.find(h => h.name === 'guidance-retriever-pre-task')!.handler;
|
|
|
|
const ctx = makeHookContext({ event: HookEvent.PreTask });
|
|
const result = await handler(ctx);
|
|
expect(result.success).toBe(true);
|
|
});
|
|
|
|
it('should gracefully handle retriever without a loaded bundle', async () => {
|
|
const emptyRetriever = new ShardRetriever(new HashEmbeddingProvider());
|
|
const emptyProvider = new GuidanceHookProvider(gates, emptyRetriever, ledger);
|
|
emptyProvider.registerAll(registry);
|
|
|
|
const hooks = registry.getForEvent(HookEvent.PreTask);
|
|
// Get the one from emptyProvider (last registered for this event)
|
|
const handler = hooks.find(h => h.name === 'guidance-retriever-pre-task')!.handler;
|
|
|
|
const ctx = makeHookContext({
|
|
event: HookEvent.PreTask,
|
|
task: { id: 'task-005', description: 'Implement caching layer' },
|
|
});
|
|
|
|
const result = await handler(ctx);
|
|
// Should succeed despite retriever not having a bundle
|
|
expect(result.success).toBe(true);
|
|
});
|
|
});
|
|
|
|
// ==========================================================================
|
|
// PostTask hook
|
|
// ==========================================================================
|
|
|
|
describe('PostTask hook', () => {
|
|
it('should finalize a previously created run event', async () => {
|
|
provider.registerAll(registry);
|
|
|
|
// First trigger PreTask to create the run event
|
|
const preTaskHooks = registry.getForEvent(HookEvent.PreTask);
|
|
const preTaskHandler = preTaskHooks.find(h => h.name === 'guidance-retriever-pre-task')!.handler;
|
|
await preTaskHandler(makeHookContext({
|
|
event: HookEvent.PreTask,
|
|
task: { id: 'task-010', description: 'Add user dashboard feature' },
|
|
}));
|
|
|
|
// Confirm the run event exists
|
|
expect(provider.getActiveRun('task-010')).toBeDefined();
|
|
|
|
// Now trigger PostTask
|
|
const postTaskHooks = registry.getForEvent(HookEvent.PostTask);
|
|
const postTaskHandler = postTaskHooks.find(h => h.name === 'guidance-ledger-post-task')!.handler;
|
|
const result = await postTaskHandler(makeHookContext({
|
|
event: HookEvent.PostTask,
|
|
task: { id: 'task-010', description: 'Add user dashboard feature', status: 'completed' },
|
|
}));
|
|
|
|
expect(result.success).toBe(true);
|
|
expect(result.data).toBeDefined();
|
|
expect((result.data as Record<string, unknown>).taskId).toBe('task-010');
|
|
|
|
// Active run should be cleaned up
|
|
expect(provider.getActiveRun('task-010')).toBeUndefined();
|
|
});
|
|
|
|
it('should record the event in the ledger', async () => {
|
|
provider.registerAll(registry);
|
|
|
|
const initialCount = ledger.eventCount;
|
|
|
|
// Create run via PreTask
|
|
const preTaskHooks = registry.getForEvent(HookEvent.PreTask);
|
|
const preTaskHandler = preTaskHooks.find(h => h.name === 'guidance-retriever-pre-task')!.handler;
|
|
await preTaskHandler(makeHookContext({
|
|
event: HookEvent.PreTask,
|
|
task: { id: 'task-011', description: 'Refactor database module' },
|
|
}));
|
|
|
|
// Finalize via PostTask
|
|
const postTaskHooks = registry.getForEvent(HookEvent.PostTask);
|
|
const postTaskHandler = postTaskHooks.find(h => h.name === 'guidance-ledger-post-task')!.handler;
|
|
await postTaskHandler(makeHookContext({
|
|
event: HookEvent.PostTask,
|
|
task: { id: 'task-011', description: 'Refactor database module', status: 'completed' },
|
|
}));
|
|
|
|
expect(ledger.eventCount).toBe(initialCount + 1);
|
|
});
|
|
|
|
it('should handle PostTask without a matching PreTask gracefully', async () => {
|
|
provider.registerAll(registry);
|
|
const hooks = registry.getForEvent(HookEvent.PostTask);
|
|
const handler = hooks.find(h => h.name === 'guidance-ledger-post-task')!.handler;
|
|
|
|
const ctx = makeHookContext({
|
|
event: HookEvent.PostTask,
|
|
task: { id: 'task-unknown', description: 'Unknown task' },
|
|
});
|
|
|
|
const result = await handler(ctx);
|
|
expect(result.success).toBe(true);
|
|
expect(result.message).toContain('No active run event');
|
|
});
|
|
|
|
it('should succeed when no task info is provided', async () => {
|
|
provider.registerAll(registry);
|
|
const hooks = registry.getForEvent(HookEvent.PostTask);
|
|
const handler = hooks.find(h => h.name === 'guidance-ledger-post-task')!.handler;
|
|
|
|
const ctx = makeHookContext({ event: HookEvent.PostTask });
|
|
const result = await handler(ctx);
|
|
expect(result.success).toBe(true);
|
|
});
|
|
|
|
it('should populate metadata from context', async () => {
|
|
provider.registerAll(registry);
|
|
|
|
// Create run via PreTask
|
|
const preTaskHooks = registry.getForEvent(HookEvent.PreTask);
|
|
const preTaskHandler = preTaskHooks.find(h => h.name === 'guidance-retriever-pre-task')!.handler;
|
|
await preTaskHandler(makeHookContext({
|
|
event: HookEvent.PreTask,
|
|
task: { id: 'task-012', description: 'Add feature with tools' },
|
|
}));
|
|
|
|
// Finalize via PostTask with metadata
|
|
const postTaskHooks = registry.getForEvent(HookEvent.PostTask);
|
|
const postTaskHandler = postTaskHooks.find(h => h.name === 'guidance-ledger-post-task')!.handler;
|
|
await postTaskHandler(makeHookContext({
|
|
event: HookEvent.PostTask,
|
|
task: { id: 'task-012', description: 'Add feature with tools', status: 'completed' },
|
|
metadata: {
|
|
toolsUsed: ['Edit', 'Bash'],
|
|
filesTouched: ['/src/main.ts', '/tests/main.test.ts'],
|
|
},
|
|
}));
|
|
|
|
// Verify the event was stored with the metadata
|
|
const events = ledger.getEventsByTask('task-012');
|
|
expect(events.length).toBe(1);
|
|
expect(events[0].toolsUsed).toEqual(['Edit', 'Bash']);
|
|
expect(events[0].filesTouched).toEqual(['/src/main.ts', '/tests/main.test.ts']);
|
|
expect(events[0].outcomeAccepted).toBe(true);
|
|
});
|
|
});
|
|
|
|
// ==========================================================================
|
|
// createGuidanceHooks factory
|
|
// ==========================================================================
|
|
|
|
describe('createGuidanceHooks', () => {
|
|
it('should create a provider without registering when no registry given', () => {
|
|
const result = createGuidanceHooks(gates, retriever, ledger);
|
|
expect(result.provider).toBeInstanceOf(GuidanceHookProvider);
|
|
expect(result.hookIds).toHaveLength(0);
|
|
});
|
|
|
|
it('should create and register when registry is given', () => {
|
|
const result = createGuidanceHooks(gates, retriever, ledger, registry);
|
|
expect(result.provider).toBeInstanceOf(GuidanceHookProvider);
|
|
expect(result.hookIds).toHaveLength(5);
|
|
expect(registry.size).toBe(5);
|
|
});
|
|
});
|
|
});
|