mirror of
https://github.com/NousResearch/hermes-agent.git
synced 2026-06-11 08:42:11 +00:00
0edeee14c6
Extract the remote-detection helpers (canonicalGitHubRemote, isSshRemote,
isOfficialSshRemote) from main.cjs into a testable update-remote.cjs sibling
module and add a node:test suite, wired into test:desktop:platforms.
main.cjs requires('electron') at load, so its inline helpers weren't unit
testable. The Python side of #43754 shipped a regression test; this gives the
desktop side the same coverage for the security-critical detection that keeps
passive update checks off the SSH origin (avoiding FIDO2/passkey touch
prompts). Tests assert SSH/HTTPS forms canonicalize equal, official SSH is
detected case-insensitively, and forks / other hosts / the HTTPS remote are
NOT misclassified.
78 lines
4 KiB
JavaScript
78 lines
4 KiB
JavaScript
/**
|
|
* Tests for electron/update-remote.cjs — the remote-detection helpers that
|
|
* keep passive update checks off the SSH origin for official installs.
|
|
*
|
|
* Run with: node --test electron/update-remote.test.cjs
|
|
* (Wired into npm test:desktop:platforms in package.json.)
|
|
*
|
|
* Why this matters: a public install can carry
|
|
* origin=git@github.com:NousResearch/hermes-agent.git. A background
|
|
* `git fetch origin` then authenticates over SSH and, with a FIDO2/passkey
|
|
* key, triggers an unexplained hardware-touch prompt. isOfficialSshRemote
|
|
* must reliably recognize the official SSH remote (in every URL form,
|
|
* case-insensitively) so the caller can swap in the anonymous HTTPS path —
|
|
* while NOT misclassifying forks, other hosts, or the HTTPS remote (which
|
|
* never prompts and should keep the normal fetch path).
|
|
*/
|
|
|
|
const test = require('node:test')
|
|
const assert = require('node:assert/strict')
|
|
|
|
const {
|
|
OFFICIAL_REPO_HTTPS_URL,
|
|
OFFICIAL_REPO_CANONICAL,
|
|
canonicalGitHubRemote,
|
|
isSshRemote,
|
|
isOfficialSshRemote
|
|
} = require('./update-remote.cjs')
|
|
|
|
test('canonicalGitHubRemote normalizes SSH and HTTPS forms to the same value', () => {
|
|
assert.equal(canonicalGitHubRemote('git@github.com:NousResearch/hermes-agent.git'), OFFICIAL_REPO_CANONICAL)
|
|
assert.equal(canonicalGitHubRemote('git@github.com:NousResearch/hermes-agent'), OFFICIAL_REPO_CANONICAL)
|
|
assert.equal(canonicalGitHubRemote('ssh://git@github.com/NousResearch/hermes-agent.git'), OFFICIAL_REPO_CANONICAL)
|
|
assert.equal(canonicalGitHubRemote('https://github.com/NousResearch/hermes-agent.git'), OFFICIAL_REPO_CANONICAL)
|
|
// Case-insensitive: an uppercased owner still canonicalizes to the same repo.
|
|
assert.equal(canonicalGitHubRemote('git@github.com:nousresearch/hermes-agent.git'), OFFICIAL_REPO_CANONICAL)
|
|
// Trailing slashes are stripped.
|
|
assert.equal(canonicalGitHubRemote('https://github.com/NousResearch/hermes-agent/'), OFFICIAL_REPO_CANONICAL)
|
|
})
|
|
|
|
test('canonicalGitHubRemote is empty for falsy input', () => {
|
|
assert.equal(canonicalGitHubRemote(''), '')
|
|
assert.equal(canonicalGitHubRemote(null), '')
|
|
assert.equal(canonicalGitHubRemote(undefined), '')
|
|
})
|
|
|
|
test('isSshRemote detects scp-like and ssh:// forms only', () => {
|
|
assert.equal(isSshRemote('git@github.com:NousResearch/hermes-agent.git'), true)
|
|
assert.equal(isSshRemote('ssh://git@github.com/NousResearch/hermes-agent.git'), true)
|
|
assert.equal(isSshRemote('https://github.com/NousResearch/hermes-agent.git'), false)
|
|
assert.equal(isSshRemote(''), false)
|
|
assert.equal(isSshRemote(null), false)
|
|
})
|
|
|
|
test('isOfficialSshRemote is true only for the official repo over SSH', () => {
|
|
assert.equal(isOfficialSshRemote('git@github.com:NousResearch/hermes-agent.git'), true)
|
|
assert.equal(isOfficialSshRemote('git@github.com:NousResearch/hermes-agent'), true)
|
|
assert.equal(isOfficialSshRemote('ssh://git@github.com/NousResearch/hermes-agent.git'), true)
|
|
// Case-insensitive owner/repo match.
|
|
assert.equal(isOfficialSshRemote('git@github.com:nousresearch/hermes-agent.git'), true)
|
|
})
|
|
|
|
test('isOfficialSshRemote does NOT match forks, other hosts, or HTTPS', () => {
|
|
// A fork over SSH belongs to the user — fetching it is their own remote,
|
|
// not the official upstream, so the SSH-avoidance swap must not apply.
|
|
assert.equal(isOfficialSshRemote('git@github.com:someuser/hermes-agent.git'), false)
|
|
// Same repo name on a different host is not the official repo.
|
|
assert.equal(isOfficialSshRemote('git@gitlab.com:NousResearch/hermes-agent.git'), false)
|
|
// HTTPS to the official repo never prompts for SSH/FIDO2, so it keeps the
|
|
// normal fetch path — must not be flagged as an official SSH remote.
|
|
assert.equal(isOfficialSshRemote('https://github.com/NousResearch/hermes-agent.git'), false)
|
|
assert.equal(isOfficialSshRemote(''), false)
|
|
assert.equal(isOfficialSshRemote(null), false)
|
|
})
|
|
|
|
test('OFFICIAL_REPO_HTTPS_URL canonicalizes to OFFICIAL_REPO_CANONICAL', () => {
|
|
// Invariant: the URL we substitute in must be the same repo we detect.
|
|
assert.equal(canonicalGitHubRemote(OFFICIAL_REPO_HTTPS_URL), OFFICIAL_REPO_CANONICAL)
|
|
})
|