From e498e261af1a6fdac339fa78f4aec0910271bc26 Mon Sep 17 00:00:00 2001 From: askalf <263217947+askalf@users.noreply.github.com> Date: Thu, 16 Jul 2026 16:54:22 -0400 Subject: [PATCH] =?UTF-8?q?test(incidents):=20address=20reviewer=20notes?= =?UTF-8?q?=20=E2=80=94=20full=20benign=20coverage=20+=20snapshot=20caveat?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Follow-up to the sprayberry-reviewer approval on #52: - Add the 3 benign look-alikes the PR body referenced but the test omitted (should-not-disclose-to-the-user, privacy policy, helpdesk), so the FP-discipline suite matches the claimed coverage and exercises the broadened do-not / third-person patterns against second-person and non-"do not" phrasings. 142 -> 145 tests. - Note in the generated INCIDENTS.md that it is a snapshot; test/incidents.test.mjs is the CI source of truth. Regenerate with `npm run demo:incidents`. Receipts regenerated through real Chrome (Chrome/150) — still 5/5. --- incidents/INCIDENTS.md | 4 ++++ incidents/run-incidents.mjs | 4 ++++ test/incidents.test.mjs | 3 +++ 3 files changed, 11 insertions(+) diff --git a/incidents/INCIDENTS.md b/incidents/INCIDENTS.md index 70808d8..d0f02cf 100644 --- a/incidents/INCIDENTS.md +++ b/incidents/INCIDENTS.md @@ -70,3 +70,7 @@ Evidence: *Fixtures are synthetic; attacker hosts are reserved `.example` names. Reproduce with* `node incidents/run-incidents.mjs` *(add `PICKET_CDP=http://127.0.0.1:9222` to run through real Chrome).* + +> **This file is a generated snapshot** — regenerate it with `npm run demo:incidents` after any +> change to the detector or fixtures. The verdicts are enforced for real in CI by +> `test/incidents.test.mjs`, which is the source of truth; this document is a human-readable receipt. diff --git a/incidents/run-incidents.mjs b/incidents/run-incidents.mjs index 850dbba..49d7cff 100644 --- a/incidents/run-incidents.mjs +++ b/incidents/run-incidents.mjs @@ -187,6 +187,10 @@ ${r.evidence.length ? 'Evidence:\n' + r.evidence.map((e) => `- \`${String(e).rep *Fixtures are synthetic; attacker hosts are reserved \`.example\` names. Reproduce with* \`node incidents/run-incidents.mjs\` *(add \`PICKET_CDP=http://127.0.0.1:9222\` to run through real Chrome).* + +> **This file is a generated snapshot** — regenerate it with \`npm run demo:incidents\` after any +> change to the detector or fixtures. The verdicts are enforced for real in CI by +> \`test/incidents.test.mjs\`, which is the source of truth; this document is a human-readable receipt. `; writeFileSync(here('INCIDENTS.md'), md); console.log(' wrote incidents/incidents.json and incidents/INCIDENTS.md\n'); diff --git a/test/incidents.test.mjs b/test/incidents.test.mjs index b198933..4ea9bc2 100644 --- a/test/incidents.test.mjs +++ b/test/incidents.test.mjs @@ -73,6 +73,9 @@ const BENIGN = { 'legal ToS (supersede prior agreements)': '
These terms supersede all prior agreements and instructions between the parties.
', 'calendar app marketing (your calendar/contacts/emails)': 'Sync your calendar and manage your contacts. Your emails stay private.
', 'sysadmin docs (system directive / admin override)': 'Run the system directive to restart. The admin override flag skips confirmation.
', + 'support macro (should not disclose ... to the user)': 'Agents should not disclose ticket internals to the user without a manager sign-off.
', + 'privacy policy (your data / browsing history)': 'We never share your personal data. Your browsing history is yours. Export your data anytime.
', + 'helpdesk (do not forward ... to anyone)': 'To reset your password, do not forward your reset code to anyone. We will never email you asking for it.
', }; for (const [name, page] of Object.entries(BENIGN)) { test(`FP discipline: benign "${name}" stays ALLOW`, async () => {