HKV: add Setup, UserPromptExpansion, PostToolBatch to VALID_EVENTS, verified live against code.claude.com/docs/en/hooks.md (2026-06-19). A valid hook using one of these was wrongly flagged "will never fire" — a user could delete a working hook. Made the "(N total)" hint dynamic so it can't drift again. Flagged the unverified kebab 'post-session' in a comment (an existing test depends on it; follow-up check needed). RUL: reword the globs finding. Only `paths:` is documented; whether CC ever read `globs` is unverified, so the old "deprecated/legacy" framing overclaimed (Verifiseringsplikt). New wording steers to the documented `paths:` field. Updated the coupled fix-engine title match and the humanizer entry (which also carried the "field was renamed" overclaim). Suite 950 -> 954 (badge bumped). self-audit A/A, scanner count 13. No version bump — these land in the pending v5.4.1 patch. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_01Ter3E2JSi1Khgmuf2kady8
213 lines
8.5 KiB
JavaScript
213 lines
8.5 KiB
JavaScript
import { describe, it, beforeEach, afterEach } from 'node:test';
|
|
import assert from 'node:assert/strict';
|
|
import { resolve, join } from 'node:path';
|
|
import { fileURLToPath } from 'node:url';
|
|
import { mkdtemp, mkdir, writeFile, rm } from 'node:fs/promises';
|
|
import { tmpdir } from 'node:os';
|
|
import { resetCounter } from '../../scanners/lib/output.mjs';
|
|
import { discoverConfigFiles } from '../../scanners/lib/file-discovery.mjs';
|
|
import { scan } from '../../scanners/hook-validator.mjs';
|
|
|
|
const __dirname = fileURLToPath(new URL('.', import.meta.url));
|
|
const FIXTURES = resolve(__dirname, '../fixtures');
|
|
|
|
describe('HKV scanner — healthy project', () => {
|
|
let result;
|
|
beforeEach(async () => {
|
|
resetCounter();
|
|
const discovery = await discoverConfigFiles(resolve(FIXTURES, 'healthy-project'));
|
|
result = await scan(resolve(FIXTURES, 'healthy-project'), discovery);
|
|
});
|
|
|
|
it('returns status ok', () => {
|
|
assert.strictEqual(result.status, 'ok');
|
|
});
|
|
|
|
it('has scanner prefix HKV', () => {
|
|
assert.strictEqual(result.scanner, 'HKV');
|
|
});
|
|
|
|
it('finds no critical or high issues', () => {
|
|
const serious = result.findings.filter(f => f.severity === 'critical' || f.severity === 'high');
|
|
assert.strictEqual(serious.length, 0, `Found: ${serious.map(f => f.title).join(', ')}`);
|
|
});
|
|
|
|
it('all finding IDs match CA-HKV-NNN', () => {
|
|
for (const f of result.findings) {
|
|
assert.match(f.id, /^CA-HKV-\d{3}$/);
|
|
}
|
|
});
|
|
});
|
|
|
|
describe('HKV scanner — broken project', () => {
|
|
let result;
|
|
beforeEach(async () => {
|
|
resetCounter();
|
|
const discovery = await discoverConfigFiles(resolve(FIXTURES, 'broken-project'));
|
|
result = await scan(resolve(FIXTURES, 'broken-project'), discovery);
|
|
});
|
|
|
|
it('detects unknown hook event', () => {
|
|
// CA-HKV-001 in broken-project, evidence='InvalidEvent'.
|
|
const found = result.findings.some(f => f.scanner === 'HKV' && /InvalidEvent/.test(f.evidence || ''));
|
|
assert.ok(found, 'Should detect InvalidEvent');
|
|
});
|
|
|
|
it('detects object matcher (should be string)', () => {
|
|
// CA-HKV-002 in broken-project, evidence contains the object matcher snippet.
|
|
const found = result.findings.some(f => f.scanner === 'HKV' && f.id === 'CA-HKV-002');
|
|
assert.ok(found, 'Should detect nested object matcher');
|
|
});
|
|
|
|
it('detects invalid handler type', () => {
|
|
// CA-HKV-003 in broken-project, evidence='type: "invalid_type"'.
|
|
const found = result.findings.some(f => f.scanner === 'HKV' && /invalid_type/.test(f.evidence || ''));
|
|
assert.ok(found, 'Should detect invalid_type');
|
|
});
|
|
|
|
it('detects timeout below minimum', () => {
|
|
// CA-HKV-004 in broken-project, evidence='timeout: 500'.
|
|
const found = result.findings.some(f => f.scanner === 'HKV' && /timeout:\s*500/.test(f.evidence || ''));
|
|
assert.ok(found, 'Should detect timeout of 500ms');
|
|
});
|
|
|
|
it('marks unknown event as high severity', () => {
|
|
// CA-HKV-001 in broken-project = unknown-event finding (evidence='InvalidEvent').
|
|
const f = result.findings.find(x => x.scanner === 'HKV' && /InvalidEvent/.test(x.evidence || ''));
|
|
assert.strictEqual(f?.severity, 'high');
|
|
});
|
|
});
|
|
|
|
describe('HKV scanner — verbose hook output (v5 M5)', () => {
|
|
it('flags hook script with > 50 console.log/stdout.write lines (low)', async () => {
|
|
resetCounter();
|
|
const path = resolve(FIXTURES, 'hooks-verbose');
|
|
const discovery = await discoverConfigFiles(path);
|
|
const result = await scan(path, discovery);
|
|
// Verbose-hook finding in hooks-verbose; evidence carries the line-count metric.
|
|
const f = result.findings.find(x => x.scanner === 'HKV' && /console_log_or_stdout_lines=/.test(x.evidence || ''));
|
|
assert.ok(f, `expected verbose-hook finding; got: ${result.findings.map(x => x.title).join(' | ')}`);
|
|
assert.equal(f.severity, 'low', `expected low, got ${f.severity}`);
|
|
assert.match(f.evidence || '', /console_log_or_stdout_lines=6\d/);
|
|
});
|
|
|
|
it('does NOT flag a quiet hook script', async () => {
|
|
resetCounter();
|
|
const path = resolve(FIXTURES, 'hooks-quiet');
|
|
const discovery = await discoverConfigFiles(path);
|
|
const result = await scan(path, discovery);
|
|
const f = result.findings.find(x => x.scanner === 'HKV' && /console_log_or_stdout_lines=/.test(x.evidence || ''));
|
|
assert.equal(f, undefined, `expected no verbose-hook finding; got id=${f?.id}`);
|
|
});
|
|
});
|
|
|
|
describe('HKV scanner — CC 2.1.152/2.1.169 hook events (Batch 1 false-positive fix)', () => {
|
|
// The pre-write path-guard blocks committing settings.json/hooks.json, so
|
|
// this suite materializes a hermetic temp fixture at runtime.
|
|
let tmpRoot;
|
|
let result;
|
|
|
|
const NEW_EVENTS = ['MessageDisplay', 'post-session'];
|
|
|
|
beforeEach(async () => {
|
|
resetCounter();
|
|
tmpRoot = await mkdtemp(join(tmpdir(), 'ca-hkv-events-'));
|
|
await mkdir(join(tmpRoot, '.claude'), { recursive: true });
|
|
const settings = {
|
|
hooks: {
|
|
// 'echo …' commands skip the script-existence check (extractScriptPath
|
|
// only resolves bash/node/sh), isolating the event-name validation.
|
|
MessageDisplay: [{ hooks: [{ type: 'command', command: 'echo display' }] }],
|
|
'post-session': [{ hooks: [{ type: 'command', command: 'echo bye' }] }],
|
|
},
|
|
};
|
|
await writeFile(
|
|
join(tmpRoot, '.claude', 'settings.json'),
|
|
JSON.stringify(settings, null, 2) + '\n',
|
|
'utf8',
|
|
);
|
|
const discovery = await discoverConfigFiles(tmpRoot);
|
|
result = await scan(tmpRoot, discovery);
|
|
});
|
|
|
|
afterEach(async () => {
|
|
if (tmpRoot) await rm(tmpRoot, { recursive: true, force: true });
|
|
});
|
|
|
|
for (const event of NEW_EVENTS) {
|
|
it(`does NOT flag "${event}" as an unknown hook event`, () => {
|
|
const unknown = result.findings.find(f =>
|
|
f.title === 'Unknown hook event' && f.evidence === event);
|
|
assert.equal(unknown, undefined, `${event} should be in VALID_EVENTS`);
|
|
});
|
|
}
|
|
|
|
it('produces zero findings for a valid MessageDisplay + post-session config', () => {
|
|
assert.equal(result.findings.length, 0,
|
|
`expected clean scan; got: ${result.findings.map(f => `${f.title}:${f.evidence || ''}`).join(' | ')}`);
|
|
});
|
|
});
|
|
|
|
describe('HKV scanner — Setup/UserPromptExpansion/PostToolBatch events (Batch 2 false-positive fix)', () => {
|
|
// Three more events verified live against code.claude.com/docs/en/hooks.md
|
|
// (2026-06-19): Setup (session-level), UserPromptExpansion (per-turn),
|
|
// PostToolBatch (agentic loop). Same hermetic temp-fixture pattern — the
|
|
// path-guard blocks committing settings.json/hooks.json fixtures.
|
|
let tmpRoot;
|
|
let result;
|
|
|
|
const NEW_EVENTS = ['Setup', 'UserPromptExpansion', 'PostToolBatch'];
|
|
|
|
beforeEach(async () => {
|
|
resetCounter();
|
|
tmpRoot = await mkdtemp(join(tmpdir(), 'ca-hkv-events2-'));
|
|
await mkdir(join(tmpRoot, '.claude'), { recursive: true });
|
|
const settings = {
|
|
hooks: {
|
|
// 'echo …' commands skip the script-existence check, isolating
|
|
// event-name validation.
|
|
Setup: [{ hooks: [{ type: 'command', command: 'echo setup' }] }],
|
|
UserPromptExpansion: [{ hooks: [{ type: 'command', command: 'echo expand' }] }],
|
|
PostToolBatch: [{ hooks: [{ type: 'command', command: 'echo batch' }] }],
|
|
},
|
|
};
|
|
await writeFile(
|
|
join(tmpRoot, '.claude', 'settings.json'),
|
|
JSON.stringify(settings, null, 2) + '\n',
|
|
'utf8',
|
|
);
|
|
const discovery = await discoverConfigFiles(tmpRoot);
|
|
result = await scan(tmpRoot, discovery);
|
|
});
|
|
|
|
afterEach(async () => {
|
|
if (tmpRoot) await rm(tmpRoot, { recursive: true, force: true });
|
|
});
|
|
|
|
for (const event of NEW_EVENTS) {
|
|
it(`does NOT flag "${event}" as an unknown hook event`, () => {
|
|
const unknown = result.findings.find(f =>
|
|
f.title === 'Unknown hook event' && f.evidence === event);
|
|
assert.equal(unknown, undefined, `${event} should be in VALID_EVENTS`);
|
|
});
|
|
}
|
|
|
|
it('produces zero findings for a valid Setup + UserPromptExpansion + PostToolBatch config', () => {
|
|
assert.equal(result.findings.length, 0,
|
|
`expected clean scan; got: ${result.findings.map(f => `${f.title}:${f.evidence || ''}`).join(' | ')}`);
|
|
});
|
|
});
|
|
|
|
describe('HKV scanner — empty project', () => {
|
|
let result;
|
|
beforeEach(async () => {
|
|
resetCounter();
|
|
const discovery = await discoverConfigFiles(resolve(FIXTURES, 'empty-project'));
|
|
result = await scan(resolve(FIXTURES, 'empty-project'), discovery);
|
|
});
|
|
|
|
it('returns status ok with 0 findings', () => {
|
|
assert.strictEqual(result.status, 'ok');
|
|
assert.strictEqual(result.findings.length, 0);
|
|
});
|
|
});
|