test(sessions): add access and resolution helper coverage

2026-05-10 04:52:43 +00:00 · 2026-02-16 02:59:30 +00:00
parent 1a03aad246
commit 7a4a068124
2 changed files with 181 additions and 0 deletions
--- a/src/agents/tools/sessions-access.test.ts
+++ b/src/agents/tools/sessions-access.test.ts
@@ -0,0 +1,104 @@
+import { describe, expect, it } from "vitest";
+import type { OpenClawConfig } from "../../config/config.js";
+import {
+  createAgentToAgentPolicy,
+  createSessionVisibilityGuard,
+  resolveEffectiveSessionToolsVisibility,
+  resolveSessionToolsVisibility,
+} from "./sessions-access.js";
+
+describe("resolveSessionToolsVisibility", () => {
+  it("defaults to tree when unset or invalid", () => {
+    expect(resolveSessionToolsVisibility({} as OpenClawConfig)).toBe("tree");
+    expect(
+      resolveSessionToolsVisibility({
+        tools: { sessions: { visibility: "invalid" } },
+      } as OpenClawConfig),
+    ).toBe("tree");
+  });
+
+  it("accepts known visibility values case-insensitively", () => {
+    expect(
+      resolveSessionToolsVisibility({
+        tools: { sessions: { visibility: "ALL" } },
+      } as OpenClawConfig),
+    ).toBe("all");
+  });
+});
+
+describe("resolveEffectiveSessionToolsVisibility", () => {
+  it("clamps to tree in sandbox when sandbox visibility is spawned", () => {
+    const cfg = {
+      tools: { sessions: { visibility: "all" } },
+      agents: { defaults: { sandbox: { sessionToolsVisibility: "spawned" } } },
+    } as OpenClawConfig;
+    expect(resolveEffectiveSessionToolsVisibility({ cfg, sandboxed: true })).toBe("tree");
+  });
+
+  it("preserves visibility when sandbox clamp is all", () => {
+    const cfg = {
+      tools: { sessions: { visibility: "all" } },
+      agents: { defaults: { sandbox: { sessionToolsVisibility: "all" } } },
+    } as OpenClawConfig;
+    expect(resolveEffectiveSessionToolsVisibility({ cfg, sandboxed: true })).toBe("all");
+  });
+});
+
+describe("createAgentToAgentPolicy", () => {
+  it("denies cross-agent access when disabled", () => {
+    const policy = createAgentToAgentPolicy({} as OpenClawConfig);
+    expect(policy.enabled).toBe(false);
+    expect(policy.isAllowed("main", "main")).toBe(true);
+    expect(policy.isAllowed("main", "ops")).toBe(false);
+  });
+
+  it("honors allow patterns when enabled", () => {
+    const policy = createAgentToAgentPolicy({
+      tools: {
+        agentToAgent: {
+          enabled: true,
+          allow: ["ops-*", "main"],
+        },
+      },
+    } as OpenClawConfig);
+
+    expect(policy.isAllowed("ops-a", "ops-b")).toBe(true);
+    expect(policy.isAllowed("main", "ops-a")).toBe(true);
+    expect(policy.isAllowed("guest", "ops-a")).toBe(false);
+  });
+});
+
+describe("createSessionVisibilityGuard", () => {
+  it("blocks cross-agent send when agent-to-agent is disabled", async () => {
+    const guard = await createSessionVisibilityGuard({
+      action: "send",
+      requesterSessionKey: "agent:main:main",
+      visibility: "all",
+      a2aPolicy: createAgentToAgentPolicy({} as OpenClawConfig),
+    });
+
+    expect(guard.check("agent:ops:main")).toEqual({
+      allowed: false,
+      status: "forbidden",
+      error:
+        "Agent-to-agent messaging is disabled. Set tools.agentToAgent.enabled=true to allow cross-agent sends.",
+    });
+  });
+
+  it("enforces self visibility for same-agent sessions", async () => {
+    const guard = await createSessionVisibilityGuard({
+      action: "history",
+      requesterSessionKey: "agent:main:main",
+      visibility: "self",
+      a2aPolicy: createAgentToAgentPolicy({} as OpenClawConfig),
+    });
+
+    expect(guard.check("agent:main:main")).toEqual({ allowed: true });
+    expect(guard.check("agent:main:telegram:group:1")).toEqual({
+      allowed: false,
+      status: "forbidden",
+      error:
+        "Session history visibility is restricted to the current session (tools.sessions.visibility=self).",
+    });
+  });
+});