RomanNum3ral
/
gstack
mirror of https://github.com/garrytan/gstack.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
gstack/browse/test
History
Garry Tan 6022db2c9a
test(server): lock the shared-vs-own-only tab gate contract 
The pre-fix tests at tab-isolation.test.ts:43,57 encoded the broken
behavior as the contract — they specifically asserted "scoped agent
cannot write to unowned tab," which was the exact failure mode that
broke browser-skills. They passed because they tested the wrong
invariant.

This commit replaces those tests with explicit shared-vs-own-only
coverage that documents what each policy actually means:

- Shared scoped agents (skill spawns, default scoped clients) can
  read AND write any tab — unowned, their own, or another agent's.
  The capability is gated by scope checks + rate limits, not by tab
  ownership.
- Own-only scoped agents (pair-agent over tunnel) cannot read OR
  write any tab they don't own. Pre-fix this case was conflated with
  shared writes; now it's explicit.

9 unit assertions on checkTabAccess, up from 6. Each test names
the policy axis it's covering so a future refactor can't quietly
flip the contract.

Adds source-shape regression test 10a in server-auth.test.ts:
"tab gate predicate is own-only-scoped, not write-scoped." The
gate's `if (...)` line MUST contain `tabPolicy === 'own-only'` and
MUST NOT contain `WRITE_COMMANDS.has(command) ||`. If a future
refactor re-introduces the write-scoped gate, this fails immediately
in free-tier `bun test`.

Updates the marker for the existing newtab-excluded test to match
the new comment block ("Tab ownership check (own-only tokens /
pair-agent isolation)").

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
 		2026-04-28 09:12:44 -07:00
..
fixtures v1.6.4.0: cut Haiku classifier FP from 44% to 23%, gate now enforced (#1135) 2026-04-23 10:23:40 -07:00
activity.test.ts feat: headed mode + sidebar agent + Chrome extension (v0.12.0) (#517) 2026-03-26 11:15:24 -06:00
adversarial-security.test.ts fix: security audit remediation — 12 fixes, 20 tests (v0.13.1.0) (#595) 2026-03-28 08:35:24 -06:00
batch.test.ts refactor: extract TabSession for per-tab state isolation (v0.15.16.0) (#873) 2026-04-07 00:23:36 -07:00
browse-client.test.ts feat(browse-client): SDK for browser-skill scripts 2026-04-26 04:52:16 -07:00
browser-manager-unit.test.ts feat: headed mode + sidebar agent + Chrome extension (v0.12.0) (#517) 2026-03-26 11:15:24 -06:00
browser-skill-commands.test.ts feat(browser-skills): \$B skill list/show/run/test/rm subcommands 2026-04-26 05:03:17 -07:00
browser-skill-write.test.ts feat(browse-skills): atomic write helper for /skillify (D3) 2026-04-27 18:33:26 -07:00
browser-skills-e2e.test.ts test(browser-skills-e2e): exercise dispatch with bundled hackernews-frontpage 2026-04-26 14:06:38 -07:00
browser-skills-storage.test.ts feat(browser-skills): 3-tier storage helpers 2026-04-26 04:55:38 -07:00
build.test.ts fix: ngrok Windows build + close CI error-swallowing gap (v0.18.0.1) (#1024) 2026-04-16 13:49:04 -07:00
bun-polyfill.test.ts fix: Windows support — Node.js server fallback for Playwright (#255) 2026-03-20 12:22:11 -07:00
cdp-allowlist.test.ts test(browse): CDP allowlist + two-tier mutex 2026-04-25 13:08:17 -07:00
cdp-e2e.test.ts test(browse): E2E gate-tier tests for domain-skills + CDP 2026-04-25 13:30:48 -07:00
cdp-mutex.test.ts test(browse): CDP allowlist + two-tier mutex 2026-04-25 13:08:17 -07:00
commands.test.ts feat(browse): Puppeteer parity — load-html, screenshot --selector, viewport --scale, file:// (v1.1.0.0) (#1062) 2026-04-18 23:25:33 +08:00
compare-board.test.ts refactor: extract TabSession for per-tab state isolation (v0.15.16.0) (#873) 2026-04-07 00:23:36 -07:00
config.test.ts fix: Windows browse — health-check-first ensureServer, detached startServer, Windows process mgmt (v0.11.11.0) (#431) 2026-03-24 00:38:10 -07:00
content-security.test.ts security: tunnel dual-listener + SSRF + envelope + path wave (v1.6.0.0) (#1137) 2026-04-21 21:58:27 -07:00
cookie-import-browser.test.ts feat: Wave 3 — community bug fixes & platform support (v0.11.6.0) (#359) 2026-03-23 22:15:23 -07:00
cookie-picker-routes.test.ts community wave: 6 PRs + hardening (v0.18.1.0) (#1028) 2026-04-17 00:45:13 -07:00
data-platform.test.ts feat: browser data platform for AI agents (v0.16.0.0) (#907) 2026-04-08 00:41:55 -07:00
domain-skills-e2e.test.ts test(browse): E2E gate-tier tests for domain-skills + CDP 2026-04-25 13:30:48 -07:00
domain-skills-storage.test.ts test(browse): domain-skills storage + state machine 2026-04-25 13:00:02 -07:00
dual-listener.test.ts v1.16.0.0 feat: tunnel allowlist 17→26 + canDispatchOverTunnel pure function (#1253) 2026-04-28 00:57:28 -07:00
dx-polish.test.ts feat(browse): Puppeteer parity — load-html, screenshot --selector, viewport --scale, file:// (v1.1.0.0) (#1062) 2026-04-18 23:25:33 +08:00
error-handling.test.ts refactor: AI slop reduction with cross-model quality review (v0.16.3.0) (#941) 2026-04-10 17:13:15 -10:00
file-drop.test.ts feat: headed mode + sidebar agent + Chrome extension (v0.12.0) (#517) 2026-03-26 11:15:24 -06:00
find-browse.test.ts feat: multi-agent support — gstack works on Codex, Gemini CLI, and Cursor (v0.9.0) (#226) 2026-03-19 18:20:50 -07:00
findport.test.ts feat: community PRs — faster install, skill namespacing, uninstall, Codex fallback, Windows fix, Python patterns (v0.12.9.0) (#561) 2026-03-27 00:44:37 -06:00
from-file-path-validation.test.ts security: tunnel dual-listener + SSRF + envelope + path wave (v1.6.0.0) (#1137) 2026-04-21 21:58:27 -07:00
gstack-config.test.ts feat: composable skills — INVOKE_SKILL resolver + factoring infrastructure (v0.13.7.0) (#644) 2026-03-29 23:35:17 -06:00
gstack-update-check.test.ts fix: community PRs + security hardening + E2E stability (v0.12.7.0) (#552) 2026-03-26 23:21:27 -06:00
handoff.test.ts refactor: extract TabSession for per-tab state isolation (v0.15.16.0) (#873) 2026-04-07 00:23:36 -07:00
learnings-injection.test.ts fix: community security wave — 8 PRs, 4 contributors (v0.15.13.0) (#847) 2026-04-06 00:47:04 -07:00
pair-agent-e2e.test.ts security: tunnel dual-listener + SSRF + envelope + path wave (v1.6.0.0) (#1137) 2026-04-21 21:58:27 -07:00
pair-agent-tunnel-eval.test.ts v1.16.0.0 feat: tunnel allowlist 17→26 + canDispatchOverTunnel pure function (#1253) 2026-04-28 00:57:28 -07:00
path-validation.test.ts fix: community security wave — 8 PRs, 4 contributors (v0.15.13.0) (#847) 2026-04-06 00:47:04 -07:00
pdf-flags.test.ts feat(v1.4.0.0): /make-pdf — markdown to publication-quality PDFs (#1086) 2026-04-20 13:20:30 +08:00
platform.test.ts fix: Windows support — Node.js server fallback for Playwright (#255) 2026-03-20 12:22:11 -07:00
security-adversarial-fixes.test.ts feat: gstack browser sidebar = interactive Claude Code REPL with live tab awareness (v1.14.0.0) (#1216) 2026-04-25 22:52:15 -07:00
security-adversarial.test.ts v1.6.4.0: cut Haiku classifier FP from 44% to 23%, gate now enforced (#1135) 2026-04-23 10:23:40 -07:00
security-audit-r2.test.ts feat: gstack browser sidebar = interactive Claude Code REPL with live tab awareness (v1.14.0.0) (#1216) 2026-04-25 22:52:15 -07:00
security-bench-ensemble-live.test.ts v1.6.4.0: cut Haiku classifier FP from 44% to 23%, gate now enforced (#1135) 2026-04-23 10:23:40 -07:00
security-bench-ensemble.test.ts v1.6.4.0: cut Haiku classifier FP from 44% to 23%, gate now enforced (#1135) 2026-04-23 10:23:40 -07:00
security-bench.test.ts v1.6.4.0: cut Haiku classifier FP from 44% to 23%, gate now enforced (#1135) 2026-04-23 10:23:40 -07:00
security-bunnative.test.ts feat(security): ML prompt injection defense for sidebar (v1.4.0.0) (#1089) 2026-04-20 22:18:37 +08:00
security-classifier.test.ts feat(security): ML prompt injection defense for sidebar (v1.4.0.0) (#1089) 2026-04-20 22:18:37 +08:00
security-integration.test.ts v1.6.4.0: cut Haiku classifier FP from 44% to 23%, gate now enforced (#1135) 2026-04-23 10:23:40 -07:00
security-live-playwright.test.ts feat(security): ML prompt injection defense for sidebar (v1.4.0.0) (#1089) 2026-04-20 22:18:37 +08:00
security-review-flow.test.ts feat(security): ML prompt injection defense for sidebar (v1.4.0.0) (#1089) 2026-04-20 22:18:37 +08:00
security-sidepanel-dom.test.ts feat(security): ML prompt injection defense for sidebar (v1.4.0.0) (#1089) 2026-04-20 22:18:37 +08:00
security-source-contracts.test.ts feat(security): ML prompt injection defense for sidebar (v1.4.0.0) (#1089) 2026-04-20 22:18:37 +08:00
security.test.ts v1.6.4.0: cut Haiku classifier FP from 44% to 23%, gate now enforced (#1135) 2026-04-23 10:23:40 -07:00
server-auth.test.ts test(server): lock the shared-vs-own-only tab gate contract 2026-04-28 09:12:44 -07:00
sidebar-integration.test.ts security: tunnel dual-listener + SSRF + envelope + path wave (v1.6.0.0) (#1137) 2026-04-21 21:58:27 -07:00
sidebar-security.test.ts feat(security): ML prompt injection defense for sidebar (v1.4.0.0) (#1089) 2026-04-20 22:18:37 +08:00
sidebar-tabs.test.ts feat: gstack browser sidebar = interactive Claude Code REPL with live tab awareness (v1.14.0.0) (#1216) 2026-04-25 22:52:15 -07:00
sidebar-unit.test.ts fix: sidebar agent uses real tab URL instead of stale Playwright URL (v0.12.6.0) (#544) 2026-03-26 22:07:03 -06:00
sidebar-ux.test.ts fix: community security wave — 8 PRs, 4 contributors (v0.15.13.0) (#847) 2026-04-06 00:47:04 -07:00
skill-token.test.ts feat(skill-token): mint scoped tokens per skill spawn 2026-04-26 04:49:34 -07:00
snapshot.test.ts refactor: extract TabSession for per-tab state isolation (v0.15.16.0) (#873) 2026-04-07 00:23:36 -07:00
sse-session-cookie.test.ts security: tunnel dual-listener + SSRF + envelope + path wave (v1.6.0.0) (#1137) 2026-04-21 21:58:27 -07:00
state-ttl.test.ts fix: security audit remediation — 12 fixes, 20 tests (v0.13.1.0) (#595) 2026-03-28 08:35:24 -06:00
tab-each.test.ts feat: gstack browser sidebar = interactive Claude Code REPL with live tab awareness (v1.14.0.0) (#1216) 2026-04-25 22:52:15 -07:00
tab-isolation.test.ts test(server): lock the shared-vs-own-only tab gate contract 2026-04-28 09:12:44 -07:00
telemetry.test.ts test(browse): telemetry module 2026-04-25 13:12:17 -07:00
terminal-agent-integration.test.ts feat: gstack browser sidebar = interactive Claude Code REPL with live tab awareness (v1.14.0.0) (#1216) 2026-04-25 22:52:15 -07:00
terminal-agent.test.ts feat: gstack browser sidebar = interactive Claude Code REPL with live tab awareness (v1.14.0.0) (#1216) 2026-04-25 22:52:15 -07:00
test-server.ts feat: Phase 3.5 — cookie import, QA testing, team retro (v0.3.1) (#29) 2026-03-13 00:31:41 -07:00
token-registry.test.ts feat: browser data platform for AI agents (v0.16.0.0) (#907) 2026-04-08 00:41:55 -07:00
tunnel-gate-unit.test.ts v1.16.0.0 feat: tunnel allowlist 17→26 + canDispatchOverTunnel pure function (#1253) 2026-04-28 00:57:28 -07:00
url-validation.test.ts security: tunnel dual-listener + SSRF + envelope + path wave (v1.6.0.0) (#1137) 2026-04-21 21:58:27 -07:00
watch.test.ts feat: headed mode + sidebar agent + Chrome extension (v0.12.0) (#517) 2026-03-26 11:15:24 -06:00
watchdog.test.ts community wave: 6 PRs + hardening (v0.18.1.0) (#1028) 2026-04-17 00:45:13 -07:00
welcome-page.test.ts feat: GStack Browser — double-click AI browser with anti-bot stealth (#695) 2026-04-04 10:17:05 -07:00