mirror of
http://192.168.0.88:13333/lywsvip/openclaw-zero-token.git
synced 2026-05-08 16:17:54 +08:00
571e14a236
Major upgrade from e26988a38 to upstream v2026.3.28 (f9b107928).
Key changes:
- Upstream src/, ui/, extensions/ (89 bundled extensions)
- Zero-token web providers preserved in src/zero-token/
- AskOnce plugin restored and registered as CLI command
- Added missing packages: @anthropic-ai/vertex-sdk, @modelcontextprotocol/sdk
- Fixed tsconfig rootDir, skipLibCheck for plugin-sdk DTS build
- Added askonce to bundled plugin metadata and package.json exports
- Fixed AskOnce CLI command registration (missing commands metadata)
- Restored AskOnce adapter imports (correct 5-level relative paths)
- Removed stale migration artifacts from root directory
78 lines
2.6 KiB
TypeScript
78 lines
2.6 KiB
TypeScript
import { describe, expect, it } from "vitest";
|
|
import type { OpenClawConfig } from "../config/config.js";
|
|
import {
|
|
collectAttackSurfaceSummaryFindings,
|
|
collectSmallModelRiskFindings,
|
|
} from "./audit-extra.sync.js";
|
|
import { safeEqualSecret } from "./secret-equal.js";
|
|
|
|
describe("collectAttackSurfaceSummaryFindings", () => {
|
|
it.each([
|
|
{
|
|
name: "distinguishes external webhooks from internal hooks when only internal hooks are enabled",
|
|
cfg: {
|
|
hooks: { internal: { enabled: true } },
|
|
} satisfies OpenClawConfig,
|
|
expectedDetail: ["hooks.webhooks: disabled", "hooks.internal: enabled"],
|
|
},
|
|
{
|
|
name: "reports both hook systems as enabled when both are configured",
|
|
cfg: {
|
|
hooks: { enabled: true, internal: { enabled: true } },
|
|
} satisfies OpenClawConfig,
|
|
expectedDetail: ["hooks.webhooks: enabled", "hooks.internal: enabled"],
|
|
},
|
|
{
|
|
name: "reports both hook systems as disabled when neither is configured",
|
|
cfg: {} satisfies OpenClawConfig,
|
|
expectedDetail: ["hooks.webhooks: disabled", "hooks.internal: disabled"],
|
|
},
|
|
])("$name", ({ cfg, expectedDetail }) => {
|
|
const [finding] = collectAttackSurfaceSummaryFindings(cfg);
|
|
expect(finding.checkId).toBe("summary.attack_surface");
|
|
for (const snippet of expectedDetail) {
|
|
expect(finding.detail).toContain(snippet);
|
|
}
|
|
});
|
|
});
|
|
|
|
describe("safeEqualSecret", () => {
|
|
it.each([
|
|
["secret-token", "secret-token", true],
|
|
["secret-token", "secret-tokEn", false],
|
|
["short", "much-longer", false],
|
|
[undefined, "secret", false],
|
|
["secret", undefined, false],
|
|
[null, "secret", false],
|
|
] as const)("compares %o and %o", (left, right, expected) => {
|
|
expect(safeEqualSecret(left, right)).toBe(expected);
|
|
});
|
|
});
|
|
|
|
describe("collectSmallModelRiskFindings", () => {
|
|
const baseCfg = {
|
|
agents: { defaults: { model: { primary: "ollama/mistral-8b" } } },
|
|
browser: { enabled: false },
|
|
tools: { web: { fetch: { enabled: false } } },
|
|
} satisfies OpenClawConfig;
|
|
|
|
it.each([
|
|
{
|
|
name: "small model without sandbox all stays critical even when browser/web tools are off",
|
|
cfg: baseCfg,
|
|
env: {},
|
|
},
|
|
])("$name", ({ cfg, env }) => {
|
|
const [finding] = collectSmallModelRiskFindings({
|
|
cfg,
|
|
env,
|
|
});
|
|
|
|
expect(finding?.checkId).toBe("models.small_params");
|
|
expect(finding?.severity).toBe("critical");
|
|
expect(finding?.detail).toContain("ollama/mistral-8b");
|
|
expect(finding?.detail).toContain("web=[off]");
|
|
expect(finding?.detail).toContain("No web/browser tools detected");
|
|
});
|
|
});
|