feat: record risk policy decisions
This commit is contained in:
@@ -1,6 +1,6 @@
|
||||
import assert from "node:assert/strict";
|
||||
import { test } from "node:test";
|
||||
import { classifyClickRisk, isLowRiskClickable } from "../src/risk.js";
|
||||
import { classifyActionRisk, classifyClickRisk, defaultExploreDecision, isLowRiskClickable } from "../src/risk.js";
|
||||
import type { ActionableElement } from "../src/types.js";
|
||||
|
||||
function element(overrides: Partial<ActionableElement>): ActionableElement {
|
||||
@@ -49,3 +49,29 @@ test("default explorer only clicks low-risk visible clickable elements", () => {
|
||||
assert.equal(isLowRiskClickable(element({ accessibleName: "Delete account" })), false);
|
||||
assert.equal(isLowRiskClickable(element({ interactability: { visible: true, enabled: false, editable: false, receivesEvents: true } })), false);
|
||||
});
|
||||
|
||||
test("risk policy exposes category, level, and reasons", () => {
|
||||
const decision = defaultExploreDecision(element({ accessibleName: "Authorize payment" }), "click");
|
||||
assert.equal(decision.allowed, false);
|
||||
assert.equal(decision.risk.category, "payment_sensitive");
|
||||
assert.equal(decision.risk.level, "high");
|
||||
assert.equal(decision.reason.includes("payment_sensitive"), true);
|
||||
});
|
||||
|
||||
test("risk policy treats UI reveal as default explorable", () => {
|
||||
const risk = classifyActionRisk(element({ accessibleName: "Open settings" }), "click");
|
||||
assert.equal(risk.category, "ui_reveal");
|
||||
assert.equal(defaultExploreDecision(element({ accessibleName: "Open settings" }), "click").allowed, true);
|
||||
});
|
||||
|
||||
test("risk policy blocks spaced auth and payment phrases", () => {
|
||||
const logOut = defaultExploreDecision(element({ accessibleName: "Log out" }), "click");
|
||||
assert.equal(logOut.allowed, false);
|
||||
assert.equal(logOut.risk.category, "auth_sensitive");
|
||||
assert.equal(logOut.risk.level, "high");
|
||||
|
||||
const checkOut = defaultExploreDecision(element({ accessibleName: "Check out" }), "click");
|
||||
assert.equal(checkOut.allowed, false);
|
||||
assert.equal(checkOut.risk.category, "payment_sensitive");
|
||||
assert.equal(checkOut.risk.level, "high");
|
||||
});
|
||||
|
||||
Reference in New Issue
Block a user