test: tighten shared avatar and scope coverage

2026-03-13 21:24:38 +00:00 · 2026-03-13 21:24:38 +00:00 · 42ccee658d
parent e8addf2ac2
commit 42ccee658d
2 changed files with 46 additions and 0 deletions
--- a/src/shared/avatar-policy.test.ts
+++ b/src/shared/avatar-policy.test.ts
@ -1,24 +1,42 @@
 import path from "node:path";
 import { describe, expect, it } from "vitest";
 import {
+  hasAvatarUriScheme,
+  isAvatarDataUrl,
+  isAvatarHttpUrl,
+  isAvatarImageDataUrl,
  isPathWithinRoot,
  isSupportedLocalAvatarExtension,
+  isWindowsAbsolutePath,
  isWorkspaceRelativeAvatarPath,
  looksLikeAvatarPath,
  resolveAvatarMime,
 } from "./avatar-policy.js";

 describe("avatar policy", () => {
+  it("classifies avatar URI and path helpers directly", () => {
+    expect(isAvatarDataUrl("data:text/plain,hello")).toBe(true);
+    expect(isAvatarImageDataUrl("data:image/png;base64,AAAA")).toBe(true);
+    expect(isAvatarImageDataUrl("data:text/plain,hello")).toBe(false);
+    expect(isAvatarHttpUrl("https://example.com/avatar.png")).toBe(true);
+    expect(isAvatarHttpUrl("ftp://example.com/avatar.png")).toBe(false);
+    expect(hasAvatarUriScheme("slack://avatar")).toBe(true);
+    expect(isWindowsAbsolutePath("C:\\\\avatars\\\\openclaw.png")).toBe(true);
+  });
+
  it("accepts workspace-relative avatar paths and rejects URI schemes", () => {
    expect(isWorkspaceRelativeAvatarPath("avatars/openclaw.png")).toBe(true);
    expect(isWorkspaceRelativeAvatarPath("C:\\\\avatars\\\\openclaw.png")).toBe(true);
    expect(isWorkspaceRelativeAvatarPath("https://example.com/avatar.png")).toBe(false);
    expect(isWorkspaceRelativeAvatarPath("data:image/png;base64,AAAA")).toBe(false);
    expect(isWorkspaceRelativeAvatarPath("~/avatar.png")).toBe(false);
+    expect(isWorkspaceRelativeAvatarPath("slack://avatar")).toBe(false);
+    expect(isWorkspaceRelativeAvatarPath("")).toBe(false);
  });

  it("checks path containment safely", () => {
    const root = path.resolve("/tmp/root");
+    expect(isPathWithinRoot(root, root)).toBe(true);
    expect(isPathWithinRoot(root, path.resolve("/tmp/root/avatars/a.png"))).toBe(true);
    expect(isPathWithinRoot(root, path.resolve("/tmp/root/../outside.png"))).toBe(false);
  });
@ -38,6 +56,7 @@ describe("avatar policy", () => {
  it("resolves mime type from extension", () => {
    expect(resolveAvatarMime("a.svg")).toBe("image/svg+xml");
    expect(resolveAvatarMime("a.tiff")).toBe("image/tiff");
+    expect(resolveAvatarMime("A.PNG")).toBe("image/png");
    expect(resolveAvatarMime("a.bin")).toBe("application/octet-stream");
  });
 });
--- a/src/shared/operator-scope-compat.test.ts
+++ b/src/shared/operator-scope-compat.test.ts
@ -86,4 +86,31 @@ describe("roleScopesAllow", () => {
      }),
    ).toBe(false);
  });
+
+  it("normalizes blank and duplicate scopes before evaluating", () => {
+    expect(
+      roleScopesAllow({
+        role: " operator ",
+        requestedScopes: [" operator.read ", "operator.read", "   "],
+        allowedScopes: [" operator.write ", "operator.write", ""],
+      }),
+    ).toBe(true);
+  });
+
+  it("rejects unsatisfied operator write scopes and empty allowed scopes", () => {
+    expect(
+      roleScopesAllow({
+        role: "operator",
+        requestedScopes: ["operator.write"],
+        allowedScopes: ["operator.read"],
+      }),
+    ).toBe(false);
+    expect(
+      roleScopesAllow({
+        role: "operator",
+        requestedScopes: ["operator.read"],
+        allowedScopes: ["   "],
+      }),
+    ).toBe(false);
+  });
 });