perf(test): replace module resets with direct spies and runtime seams

2026-03-30 01:06:11 +00:00 · 2026-02-13 16:04:43 +00:00
parent 59733a02c8
commit c2f7b66d22
11 changed files with 80 additions and 195 deletions
--- a/src/security/audit-extra.async.ts
+++ b/src/security/audit-extra.async.ts
@@ -9,6 +9,7 @@ import path from "node:path";
 import type { SandboxToolPolicy } from "../agents/sandbox/types.js";
 import type { OpenClawConfig, ConfigFileSnapshot } from "../config/config.js";
 import type { AgentToolsConfig } from "../config/types.tools.js";
+import type { SkillScanFinding } from "./skill-scanner.js";
 import type { ExecFn } from "./windows-acl.js";
 import { resolveAgentWorkspaceDir, resolveDefaultAgentId } from "../agents/agent-scope.js";
 import { isToolAllowedByPolicies } from "../agents/pi-tools.policy.js";
@@ -31,7 +32,7 @@ import {
  inspectPathPermissions,
  safeStat,
 } from "./audit-fs.js";
-import { scanDirectoryWithSummary, type SkillScanFinding } from "./skill-scanner.js";
+import * as skillScanner from "./skill-scanner.js";

 export type SecurityAuditFinding = {
  checkId: string;
@@ -812,19 +813,21 @@ export async function collectPluginsCodeSafetyFindings(params: {
      });
    }

-    const summary = await scanDirectoryWithSummary(pluginPath, {
-      includeFiles: forcedScanEntries,
-    }).catch((err) => {
-      findings.push({
-        checkId: "plugins.code_safety.scan_failed",
-        severity: "warn",
-        title: `Plugin "${pluginName}" code scan failed`,
-        detail: `Static code scan could not complete: ${String(err)}`,
-        remediation:
-          "Check file permissions and plugin layout, then rerun `openclaw security audit --deep`.",
+    const summary = await skillScanner
+      .scanDirectoryWithSummary(pluginPath, {
+        includeFiles: forcedScanEntries,
+      })
+      .catch((err) => {
+        findings.push({
+          checkId: "plugins.code_safety.scan_failed",
+          severity: "warn",
+          title: `Plugin "${pluginName}" code scan failed`,
+          detail: `Static code scan could not complete: ${String(err)}`,
+          remediation:
+            "Check file permissions and plugin layout, then rerun `openclaw security audit --deep`.",
+        });
+        return null;
      });
-      return null;
-    });
    if (!summary) {
      continue;
    }
@@ -885,7 +888,7 @@ export async function collectInstalledSkillsCodeSafetyFindings(params: {
      scannedSkillDirs.add(skillDir);

      const skillName = entry.skill.name;
-      const summary = await scanDirectoryWithSummary(skillDir).catch((err) => {
+      const summary = await skillScanner.scanDirectoryWithSummary(skillDir).catch((err) => {
        findings.push({
          checkId: "skills.code_safety.scan_failed",
          severity: "warn",
--- a/src/security/audit.test.ts
+++ b/src/security/audit.test.ts
@@ -7,7 +7,9 @@ import type { OpenClawConfig } from "../config/config.js";
 import { discordPlugin } from "../../extensions/discord/src/channel.js";
 import { slackPlugin } from "../../extensions/slack/src/channel.js";
 import { telegramPlugin } from "../../extensions/telegram/src/channel.js";
+import { collectPluginsCodeSafetyFindings } from "./audit-extra.js";
 import { runSecurityAudit } from "./audit.js";
+import * as skillScanner from "./skill-scanner.js";

 const isWindows = process.platform === "win32";

@@ -1492,17 +1494,9 @@ description: test skill
  });

  it("reports scan_failed when plugin code scanner throws during deep audit", async () => {
-    vi.resetModules();
-    vi.doMock("./skill-scanner.js", async () => {
-      const actual =
-        await vi.importActual<typeof import("./skill-scanner.js")>("./skill-scanner.js");
-      return {
-        ...actual,
-        scanDirectoryWithSummary: async () => {
-          throw new Error("boom");
-        },
-      };
-    });
+    const scanSpy = vi
+      .spyOn(skillScanner, "scanDirectoryWithSummary")
+      .mockRejectedValueOnce(new Error("boom"));

    const tmpDir = await fs.mkdtemp(path.join(os.tmpdir(), "openclaw-audit-scanner-"));
    try {
@@ -1517,12 +1511,10 @@ description: test skill
      );
      await fs.writeFile(path.join(pluginDir, "index.js"), "export {};");

-      const { collectPluginsCodeSafetyFindings } = await import("./audit-extra.js");
      const findings = await collectPluginsCodeSafetyFindings({ stateDir: tmpDir });
      expect(findings.some((f) => f.checkId === "plugins.code_safety.scan_failed")).toBe(true);
    } finally {
-      vi.doUnmock("./skill-scanner.js");
-      vi.resetModules();
+      scanSpy.mockRestore();
      await fs.rm(tmpDir, { recursive: true, force: true }).catch(() => undefined);
    }
  });