refactor(security): enforce v1 node exec approval binding

2026-05-13 07:10:35 +00:00 · 2026-02-26 18:08:51 +01:00
parent f4391c1725
commit 10481097f8
19 changed files with 447 additions and 184 deletions
--- a/src/infra/system-run-approval-mismatch.contract.test.ts
+++ b/src/infra/system-run-approval-mismatch.contract.test.ts
@@ -0,0 +1,41 @@
+import fs from "node:fs";
+import path from "node:path";
+import { fileURLToPath } from "node:url";
+import { describe, expect, test } from "vitest";
+import {
+  toSystemRunApprovalMismatchError,
+  type SystemRunApprovalMatchResult,
+} from "./system-run-approval-binding.js";
+
+type FixtureCase = {
+  name: string;
+  runId: string;
+  match: Extract<SystemRunApprovalMatchResult, { ok: false }>;
+  expected: {
+    ok: false;
+    message: string;
+    details: Record<string, unknown>;
+  };
+};
+
+type Fixture = {
+  cases: FixtureCase[];
+};
+
+const fixturePath = path.resolve(
+  path.dirname(fileURLToPath(import.meta.url)),
+  "../../test/fixtures/system-run-approval-mismatch-contract.json",
+);
+const fixture = JSON.parse(fs.readFileSync(fixturePath, "utf8")) as Fixture;
+
+describe("system-run approval mismatch contract fixtures", () => {
+  for (const entry of fixture.cases) {
+    test(entry.name, () => {
+      const result = toSystemRunApprovalMismatchError({
+        runId: entry.runId,
+        match: entry.match,
+      });
+      expect(result).toEqual(entry.expected);
+    });
+  }
+});