From 7a4a068124d683ade0e071ce2ca2040c32493f42 Mon Sep 17 00:00:00 2001
From: Peter Steinberger <steipete@gmail.com>
Date: Mon, 16 Feb 2026 02:59:30 +0000
Subject: [PATCH] test(sessions): add access and resolution helper coverage

---
 src/agents/tools/sessions-access.test.ts     | 104 +++++++++++++++++++
 src/agents/tools/sessions-resolution.test.ts |  77 ++++++++++++++
 2 files changed, 181 insertions(+)
 create mode 100644 src/agents/tools/sessions-access.test.ts
 create mode 100644 src/agents/tools/sessions-resolution.test.ts

diff --git a/src/agents/tools/sessions-access.test.ts b/src/agents/tools/sessions-access.test.ts
new file mode 100644
index 00000000000..491d36a44aa
--- /dev/null
+++ b/src/agents/tools/sessions-access.test.ts
@@ -0,0 +1,104 @@
+import { describe, expect, it } from "vitest";
+import type { OpenClawConfig } from "../../config/config.js";
+import {
+  createAgentToAgentPolicy,
+  createSessionVisibilityGuard,
+  resolveEffectiveSessionToolsVisibility,
+  resolveSessionToolsVisibility,
+} from "./sessions-access.js";
+
+describe("resolveSessionToolsVisibility", () => {
+  it("defaults to tree when unset or invalid", () => {
+    expect(resolveSessionToolsVisibility({} as OpenClawConfig)).toBe("tree");
+    expect(
+      resolveSessionToolsVisibility({
+        tools: { sessions: { visibility: "invalid" } },
+      } as OpenClawConfig),
+    ).toBe("tree");
+  });
+
+  it("accepts known visibility values case-insensitively", () => {
+    expect(
+      resolveSessionToolsVisibility({
+        tools: { sessions: { visibility: "ALL" } },
+      } as OpenClawConfig),
+    ).toBe("all");
+  });
+});
+
+describe("resolveEffectiveSessionToolsVisibility", () => {
+  it("clamps to tree in sandbox when sandbox visibility is spawned", () => {
+    const cfg = {
+      tools: { sessions: { visibility: "all" } },
+      agents: { defaults: { sandbox: { sessionToolsVisibility: "spawned" } } },
+    } as OpenClawConfig;
+    expect(resolveEffectiveSessionToolsVisibility({ cfg, sandboxed: true })).toBe("tree");
+  });
+
+  it("preserves visibility when sandbox clamp is all", () => {
+    const cfg = {
+      tools: { sessions: { visibility: "all" } },
+      agents: { defaults: { sandbox: { sessionToolsVisibility: "all" } } },
+    } as OpenClawConfig;
+    expect(resolveEffectiveSessionToolsVisibility({ cfg, sandboxed: true })).toBe("all");
+  });
+});
+
+describe("createAgentToAgentPolicy", () => {
+  it("denies cross-agent access when disabled", () => {
+    const policy = createAgentToAgentPolicy({} as OpenClawConfig);
+    expect(policy.enabled).toBe(false);
+    expect(policy.isAllowed("main", "main")).toBe(true);
+    expect(policy.isAllowed("main", "ops")).toBe(false);
+  });
+
+  it("honors allow patterns when enabled", () => {
+    const policy = createAgentToAgentPolicy({
+      tools: {
+        agentToAgent: {
+          enabled: true,
+          allow: ["ops-*", "main"],
+        },
+      },
+    } as OpenClawConfig);
+
+    expect(policy.isAllowed("ops-a", "ops-b")).toBe(true);
+    expect(policy.isAllowed("main", "ops-a")).toBe(true);
+    expect(policy.isAllowed("guest", "ops-a")).toBe(false);
+  });
+});
+
+describe("createSessionVisibilityGuard", () => {
+  it("blocks cross-agent send when agent-to-agent is disabled", async () => {
+    const guard = await createSessionVisibilityGuard({
+      action: "send",
+      requesterSessionKey: "agent:main:main",
+      visibility: "all",
+      a2aPolicy: createAgentToAgentPolicy({} as OpenClawConfig),
+    });
+
+    expect(guard.check("agent:ops:main")).toEqual({
+      allowed: false,
+      status: "forbidden",
+      error:
+        "Agent-to-agent messaging is disabled. Set tools.agentToAgent.enabled=true to allow cross-agent sends.",
+    });
+  });
+
+  it("enforces self visibility for same-agent sessions", async () => {
+    const guard = await createSessionVisibilityGuard({
+      action: "history",
+      requesterSessionKey: "agent:main:main",
+      visibility: "self",
+      a2aPolicy: createAgentToAgentPolicy({} as OpenClawConfig),
+    });
+
+    expect(guard.check("agent:main:main")).toEqual({ allowed: true });
+    expect(guard.check("agent:main:telegram:group:1")).toEqual({
+      allowed: false,
+      status: "forbidden",
+      error:
+        "Session history visibility is restricted to the current session (tools.sessions.visibility=self).",
+    });
+  });
+});
diff --git a/src/agents/tools/sessions-resolution.test.ts b/src/agents/tools/sessions-resolution.test.ts
new file mode 100644
index 00000000000..a71bd4a6b7a
--- /dev/null
+++ b/src/agents/tools/sessions-resolution.test.ts
@@ -0,0 +1,77 @@
+import { describe, expect, it } from "vitest";
+import type { OpenClawConfig } from "../../config/config.js";
+import {
+  looksLikeSessionId,
+  looksLikeSessionKey,
+  resolveDisplaySessionKey,
+  resolveInternalSessionKey,
+  resolveMainSessionAlias,
+  shouldResolveSessionIdInput,
+} from "./sessions-resolution.js";
+
+describe("resolveMainSessionAlias", () => {
+  it("uses normalized main key and global alias for global scope", () => {
+    const cfg = {
+      session: { mainKey: " Primary ", scope: "global" },
+    } as OpenClawConfig;
+
+    expect(resolveMainSessionAlias(cfg)).toEqual({
+      mainKey: "primary",
+      alias: "global",
+      scope: "global",
+    });
+  });
+
+  it("falls back to per-sender defaults", () => {
+    expect(resolveMainSessionAlias({} as OpenClawConfig)).toEqual({
+      mainKey: "main",
+      alias: "main",
+      scope: "per-sender",
+    });
+  });
+});
+
+describe("session key display/internal mapping", () => {
+  it("maps alias and main key to display main", () => {
+    expect(resolveDisplaySessionKey({ key: "global", alias: "global", mainKey: "main" })).toBe(
+      "main",
+    );
+    expect(resolveDisplaySessionKey({ key: "main", alias: "global", mainKey: "main" })).toBe(
+      "main",
+    );
+    expect(
+      resolveDisplaySessionKey({ key: "agent:ops:main", alias: "global", mainKey: "main" }),
+    ).toBe("agent:ops:main");
+  });
+
+  it("maps input main to alias for internal routing", () => {
+    expect(resolveInternalSessionKey({ key: "main", alias: "global", mainKey: "main" })).toBe(
+      "global",
+    );
+    expect(
+      resolveInternalSessionKey({ key: "agent:ops:main", alias: "global", mainKey: "main" }),
+    ).toBe("agent:ops:main");
+  });
+});
+
+describe("session reference shape detection", () => {
+  it("detects session ids", () => {
+    expect(looksLikeSessionId("d4f5a5a1-9f75-42cf-83a6-8d170e6a1538")).toBe(true);
+    expect(looksLikeSessionId("not-a-uuid")).toBe(false);
+  });
+
+  it("detects canonical session key families", () => {
+    expect(looksLikeSessionKey("main")).toBe(true);
+    expect(looksLikeSessionKey("agent:main:main")).toBe(true);
+    expect(looksLikeSessionKey("cron:daily-report")).toBe(true);
+    expect(looksLikeSessionKey("node:macbook")).toBe(true);
+    expect(looksLikeSessionKey("telegram:group:123")).toBe(true);
+    expect(looksLikeSessionKey("random-slug")).toBe(false);
+  });
+
+  it("treats non-keys as session-id candidates", () => {
+    expect(shouldResolveSessionIdInput("agent:main:main")).toBe(false);
+    expect(shouldResolveSessionIdInput("d4f5a5a1-9f75-42cf-83a6-8d170e6a1538")).toBe(true);
+    expect(shouldResolveSessionIdInput("random-slug")).toBe(true);
+  });
+});