fix(security): properly test Windows ACL audit for config includes (#2403)

* fix(security): properly test Windows ACL audit for config includes The test expected fs.config_include.perms_writable on Windows but chmod 0o644 has no effect on Windows ACLs. Use icacls to grant Everyone write access, which properly triggers the security check. Also stubs execIcacls to return proper ACL output so the audit can parse permissions without running actual icacls on the system. Adds cleanup via try/finally to remove temp directory containing world-writable test file. Fixes checks-windows CI failure. * test: isolate heartbeat runner tests from user workspace * docs: update changelog for #2403 --------- Co-authored-by: Tyler Yust <TYTYYUST@YAHOO.COM>
2026-01-26 18:27:53 -06:00
parent 343882d45c
commit a8ad242f88
3 changed files with 52 additions and 35 deletions
--- a/src/infra/heartbeat-runner.returns-default-unset.test.ts
+++ b/src/infra/heartbeat-runner.returns-default-unset.test.ts
@@ -333,6 +333,7 @@ describe("runHeartbeatOnce", () => {
      const cfg: ClawdbotConfig = {
        agents: {
          defaults: {
+            workspace: tmpDir,
            heartbeat: { every: "5m", target: "whatsapp" },
          },
        },
@@ -461,6 +462,7 @@ describe("runHeartbeatOnce", () => {
      const cfg: ClawdbotConfig = {
        agents: {
          defaults: {
+            workspace: tmpDir,
            heartbeat: {
              every: "5m",
              target: "last",
@@ -542,6 +544,7 @@ describe("runHeartbeatOnce", () => {
      const cfg: ClawdbotConfig = {
        agents: {
          defaults: {
+            workspace: tmpDir,
            heartbeat: { every: "5m", target: "whatsapp" },
          },
        },
@@ -597,6 +600,7 @@ describe("runHeartbeatOnce", () => {
      const cfg: ClawdbotConfig = {
        agents: {
          defaults: {
+            workspace: tmpDir,
            heartbeat: {
              every: "5m",
              target: "whatsapp",
@@ -668,6 +672,7 @@ describe("runHeartbeatOnce", () => {
      const cfg: ClawdbotConfig = {
        agents: {
          defaults: {
+            workspace: tmpDir,
            heartbeat: {
              every: "5m",
              target: "whatsapp",
@@ -737,7 +742,7 @@ describe("runHeartbeatOnce", () => {
    try {
      const cfg: ClawdbotConfig = {
        agents: {
-          defaults: { heartbeat: { every: "5m" } },
+          defaults: { workspace: tmpDir, heartbeat: { every: "5m" } },
          list: [{ id: "work", default: true }],
        },
        channels: { whatsapp: { allowFrom: ["*"] } },