airkjw/claude-mem
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
2d146b78f22d427a8bd7eed68fbb2aa8973c59de
claude-mem/tests/utils/tag-stripping.test.ts
T
Alex Newman 703c64c756 v12.4.3: one-time pollution cleanup migration + v12.4.1/v12.4.2 fixes (#2133) 
* fix: 5 trivial bugs from v12.4.1 issue triage

- #2092: emit CJS-safe banner (no import.meta.url) in worker-service.cjs
- #2100: PreToolUse Read hook timeout 2000s → 60s
- #2131: add "shell": "bash" to every hook for Windows compat
- #2132: Antigravity dir typo .agent → .agents
- #2088: clear inherited MCP servers in worker SDK query() calls

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* fix: stop context overflow loop + block task-notification leak

- SDKAgent: clear memorySessionId on "prompt is too long" so crash-recovery
  starts a fresh SDK session instead of resuming the same poisoned context
  forever (was producing 68+ failed pending_messages on a single stuck
  session in the wild)
- tag-stripping: new isInternalProtocolPayload() predicate; session-init
  hook + SessionRoutes both skip storage when entire prompt is one of
  Claude Code's autonomous protocol blocks (currently <task-notification>;
  conservative deny-list — does NOT touch <command-name>/<command-message>
  which wrap real user slash-commands)

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* chore: bump version to 12.4.2

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* docs: update CHANGELOG.md for v12.4.2

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* feat(cleanup): one-time v12.4.3 migration purges observer-sessions and stuck pending_messages

Adds CleanupV12_4_3 module that runs once per data dir on worker startup
(after migrations apply, before Chroma backfill). Drops accumulated pollution
that v12.4.0 (observer-sessions filter) and v12.4.2 (context-overflow guard +
task-notification leak block) prevent from recurring:

- DELETE FROM sdk_sessions WHERE project='observer-sessions' (cascades to
  user_prompts, observations, session_summaries via existing FK ON DELETE CASCADE)
- DELETE FROM pending_messages stuck in 'failed'/'processing' for any session
  with >=10 such rows (poisoned chains from the pre-v12.4.2 retry loop;
  threshold spares legitimate transient failures)
- Wipes ~/.claude-mem/chroma and chroma-sync-state.json so backfillAllProjects
  rebuilds the vector store from cleaned SQLite

Pre-flight checks free disk (1.2x DB size + 100MB) via fs.statfsSync; backs up
via VACUUM INTO with copyFileSync fallback; PRAGMA foreign_keys=ON on the
cleanup connection (off by default in bun:sqlite). Marker file
~/.claude-mem/.cleanup-v12.4.3-applied records backup path and counts. Opt-out
via CLAUDE_MEM_SKIP_CLEANUP_V12_4_3=1.

Verified locally: 311MB DB backed up to 277MB in 943ms; 11 observer sessions
+ 3 cascade rows + 141 stuck pending_messages purged; chroma rebuilt via
backfill. Total cleanup time 1.1s.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* fix: address PR #2133 code review

- SessionRoutes: check isInternalProtocolPayload before stripping tags
  so internal protocol prompts skip the strip work entirely.
- tag-stripping: bound isInternalProtocolPayload input length to
  256KB to prevent ReDoS-class scans on malformed unclosed tags.
- SDKAgent: extract resetSessionForFreshStart helper; both
  context-overflow paths now share one nullification routine.
- worker-service: drop the per-startup "Checking for one-time
  v12.4.3 cleanup" info log — runs every boot even after marker
  exists; the function already logs at debug/warn when relevant.
- tests: add isInternalProtocolPayload edge cases (whitespace,
  attributes, partial tags, unrelated tags, oversize input).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* fix: address Greptile P2 comments on PR #2133

CleanupV12_4_3.ts: derive backup directory and restore-hint path from
effectiveDataDir instead of the module-level BACKUPS_DIR/DB_PATH
constants. The dataDirectory override is meant for test isolation;
the prior version still wrote backups to the production directory.

SessionRoutes.ts: move isInternalProtocolPayload guard to the top of
handleSessionInitByClaudeId, before createSDKSession. The previous
position blocked the user_prompts insert but still created an empty
sdk_sessions row, asymmetric with the hook-layer guard in
session-init.ts.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* fix(cleanup): retry on disk-skip; survive chroma wipe failure

CodeRabbit Major + Claude review:

- Disk pre-flight skip no longer writes the marker. A user temporarily
  low on disk would otherwise have the cleanup permanently disabled
  even after freeing space. Retry on next startup instead.

- Wrap wipeChromaArtifacts in try/catch and write the marker even on
  failure (with chromaWipeError captured). Without this, an rmSync
  permission failure on chroma/ left writeMarker unreached, so every
  subsequent boot re-ran the SQL purge AND created a fresh backup,
  consuming disk indefinitely.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* fix(cleanup): close backup handle before copyFileSync fallback

Claude review:

- backupDb is now closed before falling into the copyFileSync fallback.
  On Windows an open SQLite handle holds a file lock that can prevent
  the fallback copy from reading the source. The previous version only
  closed after both branches completed.

- Add empty-body <task-notification></task-notification> case to the
  isInternalProtocolPayload tests for completeness.

Cascade-row count queries already match the actual FK columns
(content_session_id for user_prompts, memory_session_id for
observations / session_summaries) — no fix needed there.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* fix(cleanup): accurate session count + add migration tests

Claude review v3:

session-init.ts: filter on rawPrompt before the [media prompt]
substitution. Functionally equivalent but explicit — the check no
longer depends on the substitution leaving real protocol payloads
untouched.

CleanupV12_4_3.ts: counts.observerSessions now comes from a pre-DELETE
COUNT(*), not from result.changes. bun:sqlite inflates result.changes
with FTS-trigger and cascade row counts (the user_prompts_fts triggers
inflate a 3-session purge to 19 changes). The previous code logged a
misleading total and wrote it to the marker.

tests/infrastructure/cleanup-v12_4_3.test.ts: happy-path coverage of
the migration against a real on-disk SQLite under a tmpdir. Verifies
observer-session purge with cascades, stuck pending_messages purge,
chroma artifact wipe, marker payload shape, idempotency on re-run, and
CLAUDE_MEM_SKIP_CLEANUP_V12_4_3 opt-out.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* fix(protocol-filter): close two-block false positive; address review

CodeRabbit + Claude review v5:

tag-stripping.ts: PROTOCOL_ONLY_REGEX rewritten with a negative-lookahead
body so a prompt like "<task-notification>x</task-notification> hi
<task-notification>y</task-notification>" no longer matches as a single
outer block — the prior greedy [\s\S]* spanned the middle user text and
would have silently dropped a real prompt. Confirmed via probe.

tag-stripping.test.ts: drop the 50ms wall-clock assertion (CI flake);
add the two-block-with-text case as a regression test.

SessionRoutes.ts: filter on req.body.prompt directly, before the
[media prompt] substitution and 256KB truncation. Mirrors the
session-init.ts hook-layer ordering and ensures a protocol payload
that happens to be near the byte limit isn't truncated before the
filter runs.

cleanup-v12_4_3.test.ts: add stuckCount=9 below-threshold case
verifying pending_messages with <10 stuck rows are preserved.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* fix(cleanup): include WAL/SHM in backup fallback; safer rollback

CodeRabbit Major + Claude review v6:

CleanupV12_4_3.ts: when VACUUM INTO fails and copyFileSync runs, also
copy any -wal/-shm sidecars. The DB is configured WAL mode, so recent
committed pages can live in those files; copying only the .db would
miss them. VACUUM INTO already captures everything in one file, so
the happy path is unaffected.

CleanupV12_4_3.ts: wrap ROLLBACK in try/catch so a no-op rollback
(SQLite already rolled back on a constraint failure) cannot shadow
the original purge error.

SDKAgent.ts: align both context-overflow log levels to error. Both
branches are fatal-recovery paths; the previous warn/error split was
inconsistent and made the throw branch easy to miss in logs.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* fix: pre-count stuck pending_messages; document adjacent-block fall-through

Claude review v7:

CleanupV12_4_3.ts: runStuckPendingPurge now uses a SELECT COUNT(*)
before the DELETE, matching the pattern in runObserverSessionsPurge.
result.changes is reliable today (no FTS on pending_messages) but the
explicit count protects against future schema additions, and keeps
the two purges symmetric.

tag-stripping.test.ts: add test documenting that adjacent protocol
blocks (no user text between) deliberately fall through to storage.
The deny-list is per-block; concatenations are out of scope.

Skipped per project rules / Node API constraints:
- frsize fallback in disk check: Node/Bun StatFs doesn't expose frsize
- VACUUM-INTO comment: comment-only suggestion
- Overflow string constant extraction: low value

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-25 16:30:34 -07:00

470 lines
18 KiB
TypeScript
Raw Blame History

/**
* Tag Stripping Utility Tests
*
* Tests the tag privacy system for <private>, <claude-mem-context>, and <system_instruction> tags.
* These tags enable users and the system to exclude content from memory storage.
*
* Sources:
* - Implementation from src/utils/tag-stripping.ts
* - Privacy patterns from src/services/worker/http/routes/SessionRoutes.ts
*/
import { describe, it, expect, beforeEach, afterEach, spyOn, mock } from 'bun:test';
import { stripMemoryTagsFromPrompt, stripMemoryTagsFromJson, isInternalProtocolPayload } from '../../src/utils/tag-stripping.js';
import { logger } from '../../src/utils/logger.js';
// Suppress logger output during tests
let loggerSpies: ReturnType<typeof spyOn>[] = [];
describe('Tag Stripping Utilities', () => {
beforeEach(() => {
loggerSpies = [
spyOn(logger, 'info').mockImplementation(() => {}),
spyOn(logger, 'debug').mockImplementation(() => {}),
spyOn(logger, 'warn').mockImplementation(() => {}),
spyOn(logger, 'error').mockImplementation(() => {}),
];
});
afterEach(() => {
loggerSpies.forEach(spy => spy.mockRestore());
});
describe('stripMemoryTagsFromPrompt', () => {
describe('basic tag removal', () => {
it('should strip single <private> tag and preserve surrounding content', () => {
const input = 'public content <private>secret stuff</private> more public';
const result = stripMemoryTagsFromPrompt(input);
expect(result).toBe('public content more public');
});
it('should strip single <claude-mem-context> tag', () => {
const input = 'public content <claude-mem-context>injected context</claude-mem-context> more public';
const result = stripMemoryTagsFromPrompt(input);
expect(result).toBe('public content more public');
});
it('should strip both tag types in mixed content', () => {
const input = '<private>secret</private> public <claude-mem-context>context</claude-mem-context> end';
const result = stripMemoryTagsFromPrompt(input);
expect(result).toBe('public end');
});
it('should strip <persisted-output> tags', () => {
const input = 'public <persisted-output>large output</persisted-output> after';
const result = stripMemoryTagsFromPrompt(input);
expect(result).toBe('public after');
});
});
describe('multiple tags handling', () => {
it('should strip multiple <private> blocks', () => {
const input = '<private>first secret</private> middle <private>second secret</private> end';
const result = stripMemoryTagsFromPrompt(input);
expect(result).toBe('middle end');
});
it('should strip multiple <claude-mem-context> blocks', () => {
const input = '<claude-mem-context>ctx1</claude-mem-context><claude-mem-context>ctx2</claude-mem-context> content';
const result = stripMemoryTagsFromPrompt(input);
expect(result).toBe('content');
});
it('should handle many interleaved tags', () => {
let input = 'start';
for (let i = 0; i < 10; i++) {
input += ` <private>p${i}</private> <claude-mem-context>c${i}</claude-mem-context>`;
}
input += ' end';
const result = stripMemoryTagsFromPrompt(input);
// Tags are stripped but spaces between them remain
expect(result).not.toContain('<private>');
expect(result).not.toContain('<claude-mem-context>');
expect(result).toContain('start');
expect(result).toContain('end');
});
});
describe('empty and private-only prompts', () => {
it('should return empty string for entirely private prompt', () => {
const input = '<private>entire prompt is private</private>';
const result = stripMemoryTagsFromPrompt(input);
expect(result).toBe('');
});
it('should return empty string for entirely context-tagged prompt', () => {
const input = '<claude-mem-context>all is context</claude-mem-context>';
const result = stripMemoryTagsFromPrompt(input);
expect(result).toBe('');
});
it('should preserve content with no tags', () => {
const input = 'no tags here at all';
const result = stripMemoryTagsFromPrompt(input);
expect(result).toBe('no tags here at all');
});
it('should handle empty input', () => {
const result = stripMemoryTagsFromPrompt('');
expect(result).toBe('');
});
it('should handle whitespace-only after stripping', () => {
const input = '<private>content</private> <claude-mem-context>more</claude-mem-context>';
const result = stripMemoryTagsFromPrompt(input);
expect(result).toBe('');
});
});
describe('content preservation', () => {
it('should preserve non-tagged content exactly', () => {
const input = 'keep this <private>remove this</private> and this';
const result = stripMemoryTagsFromPrompt(input);
expect(result).toBe('keep this and this');
});
it('should preserve special characters in non-tagged content', () => {
const input = 'code: const x = 1; <private>secret</private> more: { "key": "value" }';
const result = stripMemoryTagsFromPrompt(input);
expect(result).toBe('code: const x = 1; more: { "key": "value" }');
});
it('should preserve newlines in non-tagged content', () => {
const input = 'line1\n<private>secret</private>\nline2';
const result = stripMemoryTagsFromPrompt(input);
expect(result).toBe('line1\n\nline2');
});
});
describe('multiline content in tags', () => {
it('should strip multiline content within <private> tags', () => {
const input = `public
<private>
multi
line
secret
</private>
end`;
const result = stripMemoryTagsFromPrompt(input);
expect(result).toBe('public\n\nend');
});
it('should strip multiline content within <claude-mem-context> tags', () => {
const input = `start
<claude-mem-context>
# Recent Activity
- Item 1
- Item 2
</claude-mem-context>
finish`;
const result = stripMemoryTagsFromPrompt(input);
expect(result).toBe('start\n\nfinish');
});
});
describe('ReDoS protection', () => {
it('should handle content with many tags without hanging (< 1 second)', async () => {
// Generate content with many tags
let content = '';
for (let i = 0; i < 150; i++) {
content += `<private>secret${i}</private> text${i} `;
}
const startTime = Date.now();
const result = stripMemoryTagsFromPrompt(content);
const duration = Date.now() - startTime;
// Should complete quickly despite many tags
expect(duration).toBeLessThan(1000);
// Should not contain any private content
expect(result).not.toContain('<private>');
// Should warn about exceeding tag limit
expect(loggerSpies[2]).toHaveBeenCalled(); // warn spy
});
it('should process within reasonable time with nested-looking patterns', () => {
// Content that looks like it could cause backtracking
const content = '<private>' + 'x'.repeat(10000) + '</private> keep this';
const startTime = Date.now();
const result = stripMemoryTagsFromPrompt(content);
const duration = Date.now() - startTime;
expect(duration).toBeLessThan(1000);
expect(result).toBe('keep this');
});
});
});
describe('stripMemoryTagsFromJson', () => {
describe('JSON content stripping', () => {
it('should strip tags from stringified JSON', () => {
const jsonContent = JSON.stringify({
file_path: '/path/to/file',
content: '<private>secret</private> public'
});
const result = stripMemoryTagsFromJson(jsonContent);
const parsed = JSON.parse(result);
expect(parsed.content).toBe(' public');
});
it('should strip claude-mem-context tags from JSON', () => {
const jsonContent = JSON.stringify({
data: '<claude-mem-context>injected</claude-mem-context> real data'
});
const result = stripMemoryTagsFromJson(jsonContent);
const parsed = JSON.parse(result);
expect(parsed.data).toBe(' real data');
});
it('should handle tool_input with tags', () => {
const toolInput = {
command: 'echo hello',
args: '<private>secret args</private>'
};
const result = stripMemoryTagsFromJson(JSON.stringify(toolInput));
const parsed = JSON.parse(result);
expect(parsed.args).toBe('');
});
it('should handle tool_response with tags', () => {
const toolResponse = {
output: 'result <claude-mem-context>context data</claude-mem-context>',
status: 'success'
};
const result = stripMemoryTagsFromJson(JSON.stringify(toolResponse));
const parsed = JSON.parse(result);
expect(parsed.output).toBe('result ');
});
it('should strip persisted-output tags from JSON', () => {
const jsonContent = JSON.stringify({
output: '<persisted-output>big output</persisted-output> keep'
});
const result = stripMemoryTagsFromJson(jsonContent);
const parsed = JSON.parse(result);
expect(parsed.output).toBe(' keep');
});
});
describe('edge cases', () => {
it('should handle empty JSON object', () => {
const result = stripMemoryTagsFromJson('{}');
expect(result).toBe('{}');
});
it('should handle JSON with no tags', () => {
const input = JSON.stringify({ key: 'value' });
const result = stripMemoryTagsFromJson(input);
expect(result).toBe(input);
});
it('should handle nested JSON structures', () => {
const input = JSON.stringify({
outer: {
inner: '<private>secret</private> visible'
}
});
const result = stripMemoryTagsFromJson(input);
const parsed = JSON.parse(result);
expect(parsed.outer.inner).toBe(' visible');
});
});
});
describe('system_instruction tag stripping', () => {
describe('basic system_instruction removal', () => {
it('should strip single <system_instruction> tag from prompt', () => {
const input = 'user content <system_instruction>injected instructions</system_instruction> more content';
const result = stripMemoryTagsFromPrompt(input);
expect(result).toBe('user content more content');
});
it('should strip <system_instruction> mixed with <private> tags', () => {
const input = '<system_instruction>instructions</system_instruction> public <private>secret</private> end';
const result = stripMemoryTagsFromPrompt(input);
expect(result).toBe('public end');
});
it('should return empty string for entirely <system_instruction> content', () => {
const input = '<system_instruction>entire prompt is system instructions</system_instruction>';
const result = stripMemoryTagsFromPrompt(input);
expect(result).toBe('');
});
it('should strip <system_instruction> tags from JSON content', () => {
const jsonContent = JSON.stringify({
data: '<system_instruction>injected</system_instruction> real data'
});
const result = stripMemoryTagsFromJson(jsonContent);
const parsed = JSON.parse(result);
expect(parsed.data).toBe(' real data');
});
it('should strip multiline content within <system_instruction> tags', () => {
const input = `before
<system_instruction>
line one
line two
line three
</system_instruction>
after`;
const result = stripMemoryTagsFromPrompt(input);
expect(result).toBe('before\n\nafter');
});
});
});
describe('system-instruction (hyphen variant) tag stripping', () => {
it('should strip single <system-instruction> tag from prompt', () => {
const input = 'user content <system-instruction>injected instructions</system-instruction> more content';
const result = stripMemoryTagsFromPrompt(input);
expect(result).toBe('user content more content');
});
it('should strip both underscore and hyphen variants in same prompt', () => {
const input = '<system_instruction>underscore</system_instruction> middle <system-instruction>hyphen</system-instruction> end';
const result = stripMemoryTagsFromPrompt(input);
expect(result).toBe('middle end');
});
it('should strip multiline <system-instruction> content', () => {
const input = `before
<system-instruction>
line one
line two
</system-instruction>
after`;
const result = stripMemoryTagsFromPrompt(input);
expect(result).toBe('before\n\nafter');
});
});
describe('system-reminder tag stripping', () => {
it('should strip single <system-reminder> tag from prompt', () => {
const input = 'user content <system-reminder>CLAUDE.md contents here</system-reminder> more content';
const result = stripMemoryTagsFromPrompt(input);
expect(result).toBe('user content more content');
});
it('should strip <system-reminder> mixed with other tag types', () => {
const input = '<system-reminder>reminder</system-reminder> public <private>secret</private> <claude-mem-context>ctx</claude-mem-context> end';
const result = stripMemoryTagsFromPrompt(input);
expect(result).toBe('public end');
});
it('should return empty string for entirely <system-reminder> content', () => {
const input = '<system-reminder>entire content is a system reminder</system-reminder>';
const result = stripMemoryTagsFromPrompt(input);
expect(result).toBe('');
});
it('should strip <system-reminder> tags from JSON content', () => {
const jsonContent = JSON.stringify({
data: '<system-reminder>injected reminder</system-reminder> real data'
});
const result = stripMemoryTagsFromJson(jsonContent);
const parsed = JSON.parse(result);
expect(parsed.data).toBe(' real data');
});
it('should strip multiline content within <system-reminder> tags', () => {
const input = `before
<system-reminder>
Contents of /path/to/CLAUDE.md:
<claude-mem-context>
# Recent Activity
- Item 1
</claude-mem-context>
</system-reminder>
after`;
const result = stripMemoryTagsFromPrompt(input);
expect(result).toBe('before\n\nafter');
});
it('should strip realistic tool result with nested CLAUDE.md content', () => {
const input = `Here is the file content.\n\n<system-reminder>\nContents of /project/src/CLAUDE.md:\n\n<claude-mem-context>\n# Recent Activity\n\n### Dec 14, 2025\n| ID | Time | Title |\n|-----|------|-------|\n| #123 | 11:30 PM | Some observation |\n</claude-mem-context>\n</system-reminder>`;
const result = stripMemoryTagsFromPrompt(input);
expect(result).toBe('Here is the file content.');
});
});
describe('privacy enforcement integration', () => {
it('should allow empty result to trigger privacy skip', () => {
// Simulates what SessionRoutes does with private-only prompts
const prompt = '<private>entirely private prompt</private>';
const cleanedPrompt = stripMemoryTagsFromPrompt(prompt);
// Empty/whitespace prompts should trigger skip
const shouldSkip = !cleanedPrompt || cleanedPrompt.trim() === '';
expect(shouldSkip).toBe(true);
});
it('should allow partial content when not entirely private', () => {
const prompt = '<private>password123</private> Please help me with my code';
const cleanedPrompt = stripMemoryTagsFromPrompt(prompt);
const shouldSkip = !cleanedPrompt || cleanedPrompt.trim() === '';
expect(shouldSkip).toBe(false);
expect(cleanedPrompt.trim()).toBe('Please help me with my code');
});
});
describe('isInternalProtocolPayload', () => {
it('returns false for empty input', () => {
expect(isInternalProtocolPayload('')).toBe(false);
});
it('returns true for a bare task-notification block', () => {
expect(isInternalProtocolPayload('<task-notification>agent done</task-notification>')).toBe(true);
});
it('returns true for an empty-body task-notification block', () => {
expect(isInternalProtocolPayload('<task-notification></task-notification>')).toBe(true);
});
it('returns true with surrounding whitespace', () => {
expect(isInternalProtocolPayload('\n <task-notification>x</task-notification>\n')).toBe(true);
});
it('returns true for multi-line payload', () => {
const payload = '<task-notification>\nline1\nline2\n</task-notification>';
expect(isInternalProtocolPayload(payload)).toBe(true);
});
it('returns true when tag has attributes', () => {
expect(isInternalProtocolPayload('<task-notification data-id="42">x</task-notification>')).toBe(true);
});
it('returns false for partial / unclosed tag', () => {
expect(isInternalProtocolPayload('<task-notification>oops')).toBe(false);
});
it('returns false when surrounded by user text', () => {
const text = 'hi <task-notification>x</task-notification> more';
expect(isInternalProtocolPayload(text)).toBe(false);
});
it('returns false for unrelated tags', () => {
expect(isInternalProtocolPayload('<private>secret</private>')).toBe(false);
expect(isInternalProtocolPayload('<system-reminder>hi</system-reminder>')).toBe(false);
});
it('returns false for over-large input', () => {
const huge = '<task-notification>' + 'a'.repeat(300 * 1024);
expect(isInternalProtocolPayload(huge)).toBe(false);
});
it('returns false for two protocol blocks separated by user text', () => {
const text = '<task-notification>a</task-notification> hello <task-notification>b</task-notification>';
expect(isInternalProtocolPayload(text)).toBe(false);
});
it('returns false for two adjacent protocol blocks (deliberate: deny-list per single block, not concatenations)', () => {
const text = '<task-notification>a</task-notification><task-notification>b</task-notification>';
expect(isInternalProtocolPayload(text)).toBe(false);
});
});
});
Reference in New Issue View Git Blame Copy Permalink