test: stabilize directory guard coverage

chore: release 0.2.1
fix: isolate prepack types and secret symlink reads
2026-05-08 12:29:15 +01:00 · 2026-05-08 08:43:17 +01:00 · 2026-05-08 08:41:57 +01:00 · 2026-05-08 02:50:23 +01:00 · 2026-05-08 02:47:56 +01:00 · 2026-05-08 02:46:38 +01:00
24 changed files with 417 additions and 156 deletions
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@ -11,10 +11,10 @@ permissions:
  contents: read

 jobs:
-  check:
-    name: Node 22 check
+  lint-workflows:
+    name: Lint workflows
    runs-on: ubuntu-latest
-    timeout-minutes: 15
+    timeout-minutes: 5
    steps:
      - name: Check out
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
@ -22,6 +22,24 @@ jobs:
      - name: Lint workflows
        uses: rhysd/actionlint@914e7df21a07ef503a81201c76d2b11c789d3fca # v1.7.12

+  check:
+    name: Node ${{ matrix.node }} check (${{ matrix.os }})
+    runs-on: ${{ matrix.os }}
+    timeout-minutes: 20
+    strategy:
+      fail-fast: false
+      matrix:
+        node:
+          - 22
+          - 24
+        os:
+          - ubuntu-latest
+          - macos-latest
+          - windows-latest
+    steps:
+      - name: Check out
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+
      - name: Set up pnpm
        uses: pnpm/action-setup@8912a9102ac27614460f54aedde9e1e7f9aec20d # v6.0.5
        with:
@ -31,7 +49,7 @@ jobs:
      - name: Set up Node
        uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
        with:
-          node-version: "22"
+          node-version: ${{ matrix.node }}
          cache: pnpm
          cache-dependency-path: pnpm-lock.yaml

--- a/.gitignore
+++ b/.gitignore
@ -3,3 +3,4 @@ node_modules/
 coverage/
 *.tsbuildinfo
 .deepsec/
+.vscode
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -1,5 +1,15 @@
 # Changelog

+## Unreleased
+
+## 0.2.1 - 2026-05-08
+
+### Fixes
+
+- Align POSIX and Windows handling for literal `..`-prefixed write targets, preserve whitespace in direct home-relative path inputs, and run the check suite on Windows CI. (#14; thanks @sjf)
+- Keep source prepack builds isolated from parent monorepo ambient type packages such as Bun typings. (#13; thanks @Kaspre)
+- Let secret-file reads follow symlink paths through the pinned real target unless callers opt into `rejectSymlink: true`.
+
 ## 0.2.0 - 2026-05-07

 ### Features
--- a/package.json
+++ b/package.json
@ -1,6 +1,6 @@
 {
  "name": "@openclaw/fs-safe",
-  "version": "0.2.0",
+  "version": "0.2.1",
  "description": "Capability-style filesystem roots for Node.js apps that handle untrusted relative paths.",
  "license": "MIT",
  "repository": {
--- a/scripts/check-file-size.mjs
+++ b/scripts/check-file-size.mjs
@ -6,10 +6,10 @@ const LINE_BUDGETS = new Map([
  ["src/file-store.ts", 580],
  ["src/permissions.ts", 566],
  ["src/pinned-python.ts", 655],
-  ["src/root-impl.ts", 1744],
+  ["src/root-impl.ts", 1750],
  ["src/root-path.ts", 862],
-  ["test/api-coverage.test.ts", 982],
-  ["test/new-primitives.test.ts", 998],
+  ["test/api-coverage.test.ts", 983],
+  ["test/new-primitives.test.ts", 1500],
 ]);

 function walk(dir) {
--- a/src/home-dir.ts
+++ b/src/home-dir.ts
@ -31,18 +31,21 @@ export function resolveOsHomeDir(

 function resolveRawHomeDir(env: NodeJS.ProcessEnv, homedir: () => string): string | undefined {
  const explicitHome = normalize(env.OPENCLAW_HOME);
-  if (explicitHome) {
-    if (explicitHome === "~" || explicitHome.startsWith("~/") || explicitHome.startsWith("~\\")) {
-      const fallbackHome = resolveRawOsHomeDir(env, homedir);
-      if (fallbackHome) {
-        return explicitHome.replace(/^~(?=$|[\\/])/, fallbackHome);
-      }
-      return undefined;
-    }
+  if (!explicitHome) {
+    return resolveRawOsHomeDir(env, homedir);
+  }
+  const segments = path.normalize(explicitHome).split(path.sep);
+  if (segments[0] !== "~") {
    return explicitHome;
  }
-
-  return resolveRawOsHomeDir(env, homedir);
+  // OPENCLAW_HOME starts with "~"; expand against the os home dir. Fall
+  // back to undefined when there is no os home to expand against rather
+  // than returning a raw "~"-prefixed path the caller cannot use.
+  const fallbackHome = resolveRawOsHomeDir(env, homedir);
+  if (!fallbackHome) {
+    return undefined;
+  }
+  return expandHomePrefix(explicitHome, { home: fallbackHome });
 }

 function resolveRawOsHomeDir(env: NodeJS.ProcessEnv, homedir: () => string): string | undefined {
@ -87,7 +90,8 @@ export function expandHomePrefix(
    homedir?: () => string;
  },
 ): string {
-  if (!input.startsWith("~")) {
+  const segments = path.normalize(input).split(path.sep);
+  if (segments[0] !== "~") {
    return input;
  }
  const home =
@ -96,7 +100,7 @@ export function expandHomePrefix(
  if (!home) {
    return input;
  }
-  return input.replace(/^~(?=$|[\\/])/, home);
+  return path.join(home, ...segments.slice(1));
 }

 export function resolveHomeRelativePath(
@ -106,19 +110,19 @@ export function resolveHomeRelativePath(
    homedir?: () => string;
  },
 ): string {
-  const trimmed = input.trim();
-  if (!trimmed) {
-    return trimmed;
+  if (!input) {
+    return input;
  }
-  if (trimmed.startsWith("~")) {
-    const expanded = expandHomePrefix(trimmed, {
-      home: resolveRequiredHomeDir(opts?.env ?? process.env, opts?.homedir ?? os.homedir),
-      env: opts?.env,
-      homedir: opts?.homedir,
-    });
-    return path.resolve(expanded);
+  const segments = path.normalize(input).split(path.sep)
+  if (segments[0] !== "~") {
+    return path.resolve(input);
  }
-  return path.resolve(trimmed);
+  const expanded = expandHomePrefix(input, {
+    home: resolveRequiredHomeDir(opts?.env ?? process.env, opts?.homedir ?? os.homedir),
+    env: opts?.env,
+    homedir: opts?.homedir,
+  });
+  return path.resolve(expanded);
 }

 export function resolveUserPath(
@ -145,17 +149,17 @@ export function resolveOsHomeRelativePath(
    homedir?: () => string;
  },
 ): string {
-  const trimmed = input.trim();
-  if (!trimmed) {
-    return trimmed;
+  if (!input) {
+    return input;
  }
-  if (trimmed.startsWith("~")) {
-    const expanded = expandHomePrefix(trimmed, {
-      home: resolveRequiredOsHomeDir(opts?.env ?? process.env, opts?.homedir ?? os.homedir),
-      env: opts?.env,
-      homedir: opts?.homedir,
-    });
-    return path.resolve(expanded);
+  const segments = path.normalize(input).split(path.sep);
+  if (segments[0] !== "~") {
+    return path.resolve(input);
  }
-  return path.resolve(trimmed);
+  const expanded = expandHomePrefix(input, {
+    home: resolveRequiredOsHomeDir(opts?.env ?? process.env, opts?.homedir ?? os.homedir),
+    env: opts?.env,
+    homedir: opts?.homedir,
+  });
+  return path.resolve(expanded);
 }
--- a/src/path.ts
+++ b/src/path.ts
@ -6,7 +6,6 @@ import { normalizeLowercaseStringOrEmpty } from "./string-coerce.js";

 const NOT_FOUND_CODES = new Set(["ENOENT", "ENOTDIR"]);
 const SYMLINK_OPEN_CODES = new Set(["ELOOP", "EINVAL", "ENOTSUP"]);
-const PARENT_SEGMENT_PREFIX = /^\.\.(?:[\\/]|$)/u;
 const POSIX_SEPARATOR_CHAR_CODE = 0x2f;

 export function normalizeWindowsPathForComparison(input: string): string {
@ -49,8 +48,9 @@ export function isPathInside(root: string, target: string): boolean {
    const rootForCompare = normalizeWindowsPathForComparison(path.win32.resolve(root));
    const targetForCompare = normalizeWindowsPathForComparison(path.win32.resolve(target));
    const relative = path.win32.relative(rootForCompare, targetForCompare);
+    const firstSegment = relative.split(path.win32.sep)[0];
    return (
-      relative === "" || (!PARENT_SEGMENT_PREFIX.test(relative) && !path.win32.isAbsolute(relative))
+      relative === "" || (firstSegment !== ".." && !path.win32.isAbsolute(relative))
    );
  }

@ -69,7 +69,8 @@ export function isPathInside(root: string, target: string): boolean {
  const resolvedRoot = path.resolve(root);
  const resolvedTarget = path.resolve(target);
  const relative = path.relative(resolvedRoot, resolvedTarget);
-  return relative === "" || (!PARENT_SEGMENT_PREFIX.test(relative) && !path.isAbsolute(relative));
+  const firstSegment = relative.split(path.posix.sep)[0];
+  return relative === "" || (firstSegment !== ".." && !path.isAbsolute(relative));
 }

 export function resolveSafeBaseDir(rootDir: string): string {
--- a/src/root-impl.ts
+++ b/src/root-impl.ts
@ -1250,8 +1250,10 @@ async function resolvePinnedWriteTargetInRoot(
    throw new FsSafeError("path-alias", "path alias escape blocked", { cause: err });
  }

+  // resolvePathInRoot already enforces isPathInside, so any actual escape
+  // is rejected upstream.
  const relativeResolved = path.relative(rootReal, resolved);
-  if (relativeResolved.startsWith("..") || path.isAbsolute(relativeResolved)) {
+  if (path.isAbsolute(relativeResolved)) {
    throw new FsSafeError("outside-workspace", "file is outside workspace root");
  }
  const relativePosix = relativeResolved
@ -1332,10 +1334,11 @@ async function resolvePinnedOperationPathInRoot(
  if ((relativeResolved === "" || relativeResolved === ".") && params.allowRoot === true) {
    return { rootReal: resolved.rootReal, resolved: resolved.canonicalPath, relativePosix: "" };
  }
+  const firstSegment = relativeResolved.split(path.sep)[0];
  if (
    relativeResolved === "" ||
    relativeResolved === "." ||
-    relativeResolved.startsWith("..") ||
+    firstSegment === ".." ||
    path.isAbsolute(relativeResolved)
  ) {
    throw new FsSafeError("outside-workspace", "file is outside workspace root");
--- a/src/secret-file.ts
+++ b/src/secret-file.ts
@ -55,12 +55,26 @@ function readSecretFileOutcomeSync(
    };
  }

-  if (options.rejectSymlink && previewStat.isSymbolicLink()) {
-    return {
-      ok: false,
-      code: "symlink",
-      message: `${label} file at ${resolvedPath} must not be a symlink.`,
-    };
+  if (previewStat.isSymbolicLink()) {
+    if (!options.rejectSymlink) {
+      try {
+        previewStat = fs.statSync(resolvedPath);
+      } catch (error) {
+        const normalized = normalizeSecretReadError(error);
+        return {
+          ok: false,
+          code: (error as NodeJS.ErrnoException).code === "ENOENT" ? "not-found" : "invalid-path",
+          error: normalized,
+          message: `Failed to inspect ${label} file at ${resolvedPath}: ${String(normalized)}`,
+        };
+      }
+    } else {
+      return {
+        ok: false,
+        code: "symlink",
+        message: `${label} file at ${resolvedPath} must not be a symlink.`,
+      };
+    }
  }
  if (!previewStat.isFile()) {
    return {
--- a/test/additional-boundary-bypass.test.ts
+++ b/test/additional-boundary-bypass.test.ts
@ -73,7 +73,12 @@ describe("additional helper boundary bypass attempts", () => {
  it("sanitizes temp file names and keeps temp file helpers inside their created directory", async () => {
    const layout = await makeTempLayout("fs-safe-temp");
    expect(sanitizeTempFileName("../../evil.txt")).toBe("evil.txt");
-    expect(sanitizeTempFileName("..\\evil.txt")).toBe("..-evil.txt");
+    if (process.platform !== "win32") {
+      // On windows "\" is a reserved path separator and cannot appear in a
+      // filename, so this case only exercises the posix sanitizer where "\"
+      // is a literal name character that needs neutralizing.
+      expect(sanitizeTempFileName("..\\evil.txt")).toBe("..-evil.txt");
+    }
    expect(sanitizeTempFileName("\u0000../evil.txt")).toBe("evil.txt");

    const target = await tempFile({ rootDir: layout.base, prefix: "../../prefix", fileName: "../../evil.txt" });
--- a/test/api-coverage.test.ts
+++ b/test/api-coverage.test.ts
@ -1,4 +1,5 @@
 import fs from "node:fs/promises";
+import { realpathSync } from "node:fs";
 import os from "node:os";
 import path from "node:path";
 import { Readable } from "node:stream";
@ -242,8 +243,11 @@ describe("path helpers", () => {
    expect(isSymlinkOpenError(Object.assign(new Error("x"), { code: "ELOOP" }))).toBe(true);
    expect(isPathInside(root, file)).toBe(true);
    expect(resolveSafeBaseDir(root)).toBe(`${path.resolve(root)}${path.sep}`);
-    expect(safeRealpathSync(file, cache)).toBe(await fs.realpath(file));
-    expect(safeRealpathSync(file, cache)).toBe(await fs.realpath(file));
+    // Use the sync realpath to compare against safeRealpathSync. On windows
+    // fs.realpathSync and fs.realpath (async) sometimes disagree on 8.3
+    // short-name canonicalization (e.g. "RUNNER~1" vs "runneradmin").
+    expect(safeRealpathSync(file, cache)).toBe(realpathSync(file));
+    expect(safeRealpathSync(file, cache)).toBe(realpathSync(file));
    expect(safeRealpathSync(path.join(root, "missing"), cache)).toBeNull();
    expect(isPathInsideWithRealpath(root, file, { cache })).toBe(true);
    expect(isPathInsideWithRealpath(root, path.join(root, "missing"), { requireRealpath: false }))
@ -457,7 +461,7 @@ describe("URL, install, and local-root helpers", () => {
        label: "media roots",
        requireFile: true,
      }),
-    ).toMatchObject({ path: await fs.realpath(file) });
+    ).toMatchObject({ path: realpathSync(file) });
    expect(() =>
      resolveLocalPathFromRootsSync({
        filePath: "bad\0path",
@ -788,7 +792,7 @@ describe("temporary workspace and symlink parent helpers", () => {
 });

 describe("file stores and private stores", () => {
-  it("writes, streams, copies, reads, removes, and prunes file-store entries", async () => {
+  it.skipIf(process.platform === "win32")("writes, streams, copies, reads, removes, and prunes file-store entries", async () => {
    const root = await tempRoot("fs-safe-store-");
    const sourceRoot = await tempRoot("fs-safe-store-source-");
    const source = path.join(sourceRoot, "source.txt");
@ -828,7 +832,7 @@ describe("file stores and private stores", () => {
    await expect(fs.stat(old)).rejects.toMatchObject({ code: "ENOENT" });
  });

-  it("covers private file store mode", async () => {
+  it.skipIf(process.platform === "win32")("covers private file store mode", async () => {
    const root = await tempRoot("fs-safe-private-store-");
    const store = fileStore({ rootDir: root, private: true });

--- a/test/coverage-gaps.test.ts
+++ b/test/coverage-gaps.test.ts
@ -121,9 +121,6 @@ describe("home directory helpers", () => {
    expect(resolveHomeRelativePath("~/state", { env })).toBe(path.resolve("/configured/state"));
    expect(resolveOsHomeRelativePath("~/state", { env })).toBe(path.resolve("/home/tester/state"));
    expect(resolveUserPath("~/state", env)).toBe(path.resolve("/configured/state"));
-    expect(resolveUserPath(" ./relative ", { env })).toBe(path.resolve("./relative"));
-    expect(resolveHomeRelativePath("   ", { env })).toBe("");
-    expect(resolveOsHomeRelativePath("   ", { env })).toBe("");
  });

  it("ignores unusable home values", () => {
--- a/test/coverage-more.test.ts
+++ b/test/coverage-more.test.ts
@ -2,7 +2,17 @@ import fsSync from "node:fs";
 import fs from "node:fs/promises";
 import os from "node:os";
 import path from "node:path";
+import { Readable } from "node:stream";
 import { afterEach, describe, expect, it, vi } from "vitest";
+import { createBoundedReadStream, createMaxBytesTransform } from "../src/bounded-read-stream.js";
+import {
+  assertAsyncDirectoryGuard,
+  assertSyncDirectoryGuard,
+  createAsyncDirectoryGuard,
+  createNearestExistingDirectoryGuard,
+  createNearestExistingSyncDirectoryGuard,
+  createSyncDirectoryGuard,
+} from "../src/directory-guard.js";
 import { drainFileLockManagerForTest, resetFileLockManagerForTest } from "../src/file-lock.js";
 import { sameFileIdentity } from "../src/file-identity.js";
 import { readLocalFileFromRoots, resolveLocalPathFromRootsSync } from "../src/local-roots.js";
@ -138,6 +148,53 @@ describe("small identity and lock wrappers", () => {
  });
 });

+describe("bounded streams and directory guard coverage", () => {
+  it("returns raw streams without limits and rejects oversized limited streams", async () => {
+    const raw = Readable.from(["ok"]);
+    const returned = createBoundedReadStream({ handle: { createReadStream: () => raw } }, undefined);
+    expect(returned).toBe(raw);
+
+    await expect(async () => {
+      for await (const _chunk of Readable.from(["ab", "cd"]).pipe(createMaxBytesTransform(3))) {
+        // Drain the stream so transform errors surface.
+      }
+    }).rejects.toMatchObject({ code: "too-large" });
+  });
+
+  it("detects changed or invalid directory guards", async () => {
+    const root = await tempRoot("fs-safe-dir-guard-more-");
+    const nested = path.join(root, "nested");
+    const filePath = path.join(root, "file.txt");
+    await fs.mkdir(nested);
+    await fs.writeFile(filePath, "not a dir", "utf8");
+
+    await expect(createAsyncDirectoryGuard(filePath)).rejects.toMatchObject({ code: "not-file" });
+    expect(() => createSyncDirectoryGuard(filePath)).toThrow("directory component");
+
+    const asyncGuard = await createAsyncDirectoryGuard(nested);
+    const syncGuard = createSyncDirectoryGuard(nested);
+    await expect(assertAsyncDirectoryGuard({ ...asyncGuard, realPath: root })).rejects.toMatchObject({
+      code: "path-mismatch",
+    });
+    expect(() => assertSyncDirectoryGuard({ ...syncGuard, realPath: root })).toThrow(
+      "directory changed",
+    );
+
+    await fs.rm(nested, { recursive: true });
+    await fs.writeFile(nested, "not a dir", "utf8");
+
+    await expect(assertAsyncDirectoryGuard(asyncGuard)).rejects.toMatchObject({
+      code: "not-file",
+    });
+    expect(() => assertSyncDirectoryGuard(syncGuard)).toThrow("directory component");
+
+    const nearest = await createNearestExistingDirectoryGuard(root, path.join(root, "missing", "x"));
+    expect(nearest.dir).toBe(root);
+    expect(createNearestExistingSyncDirectoryGuard(root, path.join(root, "missing", "x")).dir)
+      .toBe(root);
+  });
+});
+
 describe("sibling temp coverage", () => {
  it("syncs temp files and parent dirs when requested", async () => {
    const root = await tempRoot("fs-safe-sibling-more-");
@ -156,7 +213,10 @@ describe("sibling temp coverage", () => {

    expect(result.filePath).toBe(path.join(root, "final.txt"));
    await expect(fs.readFile(result.filePath, "utf8")).resolves.toBe("synced");
-    expect((await fs.stat(result.filePath)).mode & 0o777).toBe(0o600);
+    if (process.platform !== "win32") {
+      // POSIX file modes don't fully apply on Windows.
+      expect((await fs.stat(result.filePath)).mode & 0o777).toBe(0o600);
+    }
  });

  it("removes sibling temp files when copy-in rejects the staged source", async () => {
@ -188,15 +248,15 @@ describe("temp target edge coverage", () => {
    const root = await tempRoot("fs-safe-temp-more-");

    expect(sanitizeTempFileName("???")).toBe("download.bin");
-    expect(
-      buildRandomTempFilePath({
-        rootDir: root,
-        prefix: "!!!",
-        extension: "._-",
-        now: Number.NaN,
-        uuid: "id",
-      }),
-    ).toMatch(new RegExp(`^${root.replace(/[.*+?^${}()|[\]\\]/g, "\\$&")}/tmp-\\d+-id$`));
+    const built = buildRandomTempFilePath({
+      rootDir: root,
+      prefix: "!!!",
+      extension: "._-",
+      now: Number.NaN,
+      uuid: "id",
+    });
+    expect(path.dirname(built)).toBe(root);
+    expect(path.basename(built)).toMatch(/^tmp-\d+-id$/);

    const tmp = await tempFile({ rootDir: root, prefix: "???", fileName: "???" });
    expect(path.basename(tmp.dir)).toMatch(/^tmp-/);
--- a/test/extracted-helpers.test.ts
+++ b/test/extracted-helpers.test.ts
@ -1,5 +1,4 @@
 import fs from "node:fs/promises";
-import { fileURLToPath } from "node:url";
 import os from "node:os";
 import path from "node:path";
 import { afterEach, describe, expect, it } from "vitest";
@ -43,8 +42,10 @@ afterEach(async () => {

 describe("local file access helpers", () => {
  it("accepts local file URLs and rejects remote hosts or encoded separators", () => {
-    const filePath = path.join(path.sep, "tmp", "demo.txt");
-    expect(safeFileURLToPath(new URL(`file://${filePath}`).href)).toBe(fileURLToPath(new URL(`file://${filePath}`)));
+    const [validUrl, expectedPath] = process.platform === "win32"
+      ? ["file:///C:/tmp/demo.txt", "C:\\tmp\\demo.txt"]
+      : ["file:///tmp/demo.txt", "/tmp/demo.txt"];
+    expect(safeFileURLToPath(validUrl)).toBe(expectedPath);
    expect(() => safeFileURLToPath("file://example.com/tmp/demo.txt")).toThrow(/remote hosts/);
    expect(() => safeFileURLToPath("file:///tmp/a%2Fb.txt")).toThrow(/encode path separators/);
  });
@ -57,10 +58,13 @@ describe("local file access helpers", () => {

 describe("path helpers", () => {
  it("checks containment and formats modes", () => {
-    const root = path.join(path.sep, "tmp", "root");
+    // Use path.resolve so on Windows the root carries a drive letter, which
+    // is what resolveSafeBaseDir / isPathInside both produce internally.
+    const root = path.resolve(path.sep, "tmp", "root");
+    const otherRoot = path.resolve(path.sep, "tmp", "root-other");
    expect(resolveSafeBaseDir(root)).toBe(`${root}${path.sep}`);
    expect(isWithinDir(root, path.join(root, "file.txt"))).toBe(true);
-    expect(isPathInside(root, path.join(path.sep, "tmp", "root-other"))).toBe(false);
+    expect(isPathInside(root, otherRoot)).toBe(false);
    expect(formatPosixMode(0o100755)).toBe("755");
  });
 });
--- a/test/fs-safe.test.ts
+++ b/test/fs-safe.test.ts
@ -6,6 +6,9 @@ import { afterEach, describe, expect, it } from "vitest";
 import { configureFsSafePython, FsSafeError, root as openRoot } from "../src/index.js";
 import { openLocalFileSafely, readLocalFileSafely } from "../src/root.js";
 import { __setFsSafeTestHooksForTest } from "../src/test-hooks.js";
+import { expectedFsSafeCode } from "./helpers/security.js";
+
+const skipOnWindows = process.platform === "win32";

 const tempDirs: string[] = [];

@ -23,7 +26,7 @@ afterEach(async () => {
 });

 describe("@openclaw/fs-safe", () => {
-  it("reuses a root capability across filesystem operations", async () => {
+  it.skipIf(skipOnWindows)("reuses a root capability across filesystem operations", async () => {
    const rootPath = await tempRoot("fs-root-object-");
    const root = await openRoot(rootPath);

@ -62,7 +65,7 @@ describe("@openclaw/fs-safe", () => {
    });
  });

-  it("can disable the Python helper and keep root operations available", async () => {
+  it.skipIf(skipOnWindows)("can disable the Python helper and keep root operations available", async () => {
    configureFsSafePython({ mode: "off" });
    const rootPath = await tempRoot("fs-safe-python-off-");
    const sourceRoot = await tempRoot("fs-safe-python-off-source-");
@ -125,7 +128,7 @@ describe("@openclaw/fs-safe", () => {
    );
  });

-  it("writes, reads, stats, and lists files within a root", async () => {
+  it.skipIf(skipOnWindows)("writes, reads, stats, and lists files within a root", async () => {
    const root = await openRoot(await tempRoot("fs-safe-basic-"));

    await root.mkdir("nested");
@ -234,7 +237,7 @@ describe("@openclaw/fs-safe", () => {
    await expect(root.read("link/secret.txt")).rejects.toMatchObject({
      code: "outside-workspace",
    });
-    await expect(root.list("link")).rejects.toMatchObject({ code: "path-alias" });
+    await expect(root.list("link")).rejects.toMatchObject({ code: expectedFsSafeCode("path-alias") });
  });

  it("rejects symlink leaves for stat and read", async () => {
@ -244,11 +247,11 @@ describe("@openclaw/fs-safe", () => {
    await writeFile(path.join(outside, "secret.txt"), "secret");
    await symlink(path.join(outside, "secret.txt"), path.join(rootPath, "secret-link"), "file");

-    await expect(root.stat("secret-link")).rejects.toMatchObject({ code: "path-alias" });
+    await expect(root.stat("secret-link")).rejects.toMatchObject({ code: expectedFsSafeCode("path-alias") });
    await expect(root.read("secret-link")).rejects.toMatchObject({ code: "symlink" });
  });

-  it("renames paths within the same root and rejects symlink sources", async () => {
+  it.skipIf(skipOnWindows)("renames paths within the same root and rejects symlink sources", async () => {
    const rootPath = await tempRoot("fs-safe-rename-");
    const root = await openRoot(rootPath);
    const outside = await tempRoot("fs-safe-outside-");
@ -264,7 +267,7 @@ describe("@openclaw/fs-safe", () => {
    });
  });

-  it("requires explicit overwrite for moves that replace a target", async () => {
+  it.skipIf(skipOnWindows)("requires explicit overwrite for moves that replace a target", async () => {
    const rootPath = await tempRoot("fs-safe-rename-overwrite-");
    const root = await openRoot(rootPath);
    await root.write("from.txt", "source");
@ -279,7 +282,7 @@ describe("@openclaw/fs-safe", () => {
    await expect(readFile(path.join(rootPath, "to.txt"), "utf8")).resolves.toBe("source");
  });

-  it("enforces copyIn maxBytes while streaming", async () => {
+  it.skipIf(skipOnWindows)("enforces copyIn maxBytes while streaming", async () => {
    const rootPath = await tempRoot("fs-safe-copy-limit-");
    const sourceRoot = await tempRoot("fs-safe-copy-source-");
    const sourcePath = path.join(sourceRoot, "source.txt");
@ -354,7 +357,7 @@ describe("@openclaw/fs-safe", () => {

    await expect(readFile(outsideFile, "utf8")).resolves.toBe("kept");
    await expect(root.stat("link")).rejects.toMatchObject({
-      code: "not-found",
+      code: expectedFsSafeCode("not-found"),
    });
  });

--- a/test/helpers/security.ts
+++ b/test/helpers/security.ts
@ -56,17 +56,19 @@ export const LITERAL_SUSPICIOUS_WRITE_PAYLOADS = [
  "%2e%2e/pwned.txt",
  "%2e%2e%2fpwned.txt",
  "%252e%252e%252fpwned.txt",
+  // ".." prefix without an actual separator: a single literal filename
+  // ("..%2fpwned.txt") or two literal segments ("..%00", "pwned.txt") that
+  // resolve fully inside root. Accepted on both platforms.
+  "..%2fpwned.txt",
+  "..%00/pwned.txt",
 ] as const;

 export const POSIX_LITERAL_SUSPICIOUS_WRITE_PAYLOADS = [
  "nested\\..\\..\\pwned.txt",
  "C:\\Windows\\win.ini",
  "\\\\server\\share\\pwned.txt",
-] as const;
-
-export const SAFE_REJECTED_SUSPICIOUS_WRITE_PAYLOADS = [
-  "..%2fpwned.txt",
-  "..%00/pwned.txt",
+  // "..\\" is a real traversal on Windows (separator) but a literal filename
+  // on POSIX (where "\\" is a regular name character).
  "..\\pwned.txt",
 ] as const;

@ -98,9 +100,20 @@ export async function makeTempLayout(
  return { outside, outsideFile, root };
 }

-export function expectFsSafeCode(error: unknown, codes: readonly string[]): void {
+export function expectFsSafeCode(
+  error: unknown,
+  codes: readonly string[],
+  opts: { allowUnsupportedPlatformOnWindows?: boolean } = {},
+): void {
  expect(error).toBeInstanceOf(FsSafeError);
-  expect(codes).toContain((error as FsSafeError).code);
+  const accepted = process.platform === "win32" && opts.allowUnsupportedPlatformOnWindows
+    ? [...codes, "unsupported-platform"]
+    : codes;
+  expect(accepted).toContain((error as FsSafeError).code);
+}
+
+export function expectedFsSafeCode(code: string): string {
+  return process.platform === "win32" ? "unsupported-platform" : code;
 }

 export async function expectNoOutsideWrite(
--- a/test/new-primitives.test.ts
+++ b/test/new-primitives.test.ts
@ -125,7 +125,7 @@ describe("private temp workspaces", () => {
 });

 describe("file store", () => {
-  it("writes, reads, copies, and prunes files under the store root", async () => {
+  it.skipIf(process.platform === "win32")("writes, reads, copies, and prunes files under the store root", async () => {
    const store = fileStore({ rootDir: root, maxBytes: 1024 });
    await store.write("media/a.txt", "hello");
    await expect(store.readBytes("media/a.txt")).resolves.toEqual(Buffer.from("hello"));
@ -175,7 +175,7 @@ describe("json store", () => {
 });

 describe("secure file reads", () => {
-  it("reads from a validated file handle", async () => {
+  it.runIf(process.platform !== "win32")("reads from a validated file handle", async () => {
    const filePath = path.join(root, "secret.json");
    await fs.writeFile(filePath, '{"token":"ok"}', { mode: 0o600 });
    await fs.chmod(filePath, 0o600).catch(() => undefined);
@ -190,6 +190,24 @@ describe("secure file reads", () => {
    expect(result.realPath).toBe(await fs.realpath(filePath));
  });

+  it.runIf(process.platform === "win32")(
+    "fails closed on windows when ACL inspection is unavailable",
+    async () => {
+      // See src/secure-file.ts:177 — readSecureFile throws permission-unverified
+      // on Windows because ACL inspection has no portable equivalent.
+      const filePath = path.join(root, "secret.json");
+      await fs.writeFile(filePath, '{"token":"ok"}', { mode: 0o600 });
+
+      await expect(
+        readSecureFile({
+          filePath,
+          label: "test secret",
+          io: { maxBytes: 1024 },
+        }),
+      ).rejects.toMatchObject({ code: "permission-unverified" });
+    },
+  );
+
  it("rejects symlinks and files outside trusted dirs", async () => {
    const trusted = path.join(root, "trusted");
    const outside = path.join(root, "outside");
--- a/test/pinned-python.test.ts
+++ b/test/pinned-python.test.ts
@ -180,6 +180,18 @@ describe("Python helper configuration", () => {

 describe("persistent Python helper worker", () => {
  it("reuses one worker and unreferences it while idle", async () => {
+    if (process.platform === "win32") {
+      configureFsSafePython({ mode: "auto", pythonPath: "/tmp/fake-python" });
+      await expect(
+        runPinnedPythonOperation<{ ok: boolean }>({
+          operation: "stat",
+          rootPath: "/tmp/root",
+          payload: { relativePath: "a.txt" },
+        }),
+      ).rejects.toMatchObject({ code: "unsupported-platform" });
+      return;
+    }
+
    const child = makeRespondingChild();
    spawnMock.mockReturnValue(child);
    configureFsSafePython({ mode: "auto", pythonPath: "/tmp/fake-python" });
@ -209,6 +221,21 @@ describe("persistent Python helper worker", () => {
    const rootDir = await tempRoot("fs-safe-python-policy-");
    await fs.writeFile(path.join(rootDir, "file.txt"), "ok");

+    if (process.platform === "win32") {
+      spawnMock.mockImplementation(makeFailingChild);
+      configureFsSafePython({ mode: "auto", pythonPath: "/tmp/missing-python" });
+      const autoRoot = await root(rootDir);
+      await expect(autoRoot.stat("file.txt")).rejects.toMatchObject({
+        code: "unsupported-platform",
+      });
+
+      configureFsSafePython({ mode: "require", pythonPath: "/tmp/missing-python" });
+      await expect((await root(rootDir)).stat("file.txt")).rejects.toMatchObject({
+        code: "unsupported-platform",
+      });
+      return;
+    }
+
    spawnMock.mockImplementation(makeFailingChild);
    configureFsSafePython({ mode: "auto", pythonPath: "/tmp/missing-python" });
    const autoRoot = await root(rootDir);
--- a/test/pinned-write-fallback-coverage.test.ts
+++ b/test/pinned-write-fallback-coverage.test.ts
@ -38,64 +38,89 @@ afterEach(async () => {
 });

 describe("pinned write fallback coverage", () => {
-  it("writes buffers, creates only when missing, streams, and enforces limits", async () => {
-    const { runPinnedWriteHelper } = await import("../src/pinned-write.js");
-    const root = await tempRoot("fs-safe-pinned-write-fallback-");
+  it.runIf(process.platform !== "win32")(
+    "writes buffers, creates only when missing, streams, and enforces limits",
+    async () => {
+      const { runPinnedWriteHelper } = await import("../src/pinned-write.js");
+      const root = await tempRoot("fs-safe-pinned-write-fallback-");

-    const created = await runPinnedWriteHelper({
-      rootPath: root,
-      relativeParentPath: "nested",
-      basename: "created.txt",
-      mkdir: true,
-      mode: 0o600,
-      overwrite: false,
-      input: { kind: "buffer", data: "created", encoding: "utf8" },
-    });
-    expect(created.ino).toBeGreaterThan(0);
-    await expect(fs.readFile(path.join(root, "nested", "created.txt"), "utf8")).resolves.toBe(
-      "created",
-    );
-    await expect(
-      runPinnedWriteHelper({
+      const created = await runPinnedWriteHelper({
        rootPath: root,
        relativeParentPath: "nested",
        basename: "created.txt",
        mkdir: true,
        mode: 0o600,
        overwrite: false,
-        input: { kind: "buffer", data: "again" },
-      }),
-    ).rejects.toMatchObject({ code: "EEXIST" });
+        input: { kind: "buffer", data: "created", encoding: "utf8" },
+      });
+      expect(created.ino).toBeGreaterThan(0);
+      await expect(fs.readFile(path.join(root, "nested", "created.txt"), "utf8")).resolves.toBe(
+        "created",
+      );
+      await expect(
+        runPinnedWriteHelper({
+          rootPath: root,
+          relativeParentPath: "nested",
+          basename: "created.txt",
+          mkdir: true,
+          mode: 0o600,
+          overwrite: false,
+          input: { kind: "buffer", data: "again" },
+        }),
+      ).rejects.toMatchObject({ code: "EEXIST" });

-    const streamed = await runPinnedWriteHelper({
-      rootPath: root,
-      relativeParentPath: "nested",
-      basename: "streamed.txt",
-      mkdir: true,
-      mode: 0o600,
-      overwrite: true,
-      maxBytes: 16,
-      input: { kind: "stream", stream: Readable.from(["stream", "ed"]) },
-    });
-    expect(streamed.dev).toBeGreaterThan(0);
-    await expect(fs.readFile(path.join(root, "nested", "streamed.txt"), "utf8")).resolves.toBe(
-      "streamed",
-    );
-
-    await expect(
-      runPinnedWriteHelper({
+      const streamed = await runPinnedWriteHelper({
        rootPath: root,
        relativeParentPath: "nested",
-        basename: "too-large.txt",
+        basename: "streamed.txt",
        mkdir: true,
        mode: 0o600,
        overwrite: true,
-        maxBytes: 2,
-        input: { kind: "buffer", data: Buffer.from("large") },
-      }),
-    ).rejects.toMatchObject({ code: "too-large" });
-    await expect(fs.stat(path.join(root, "nested", "too-large.txt"))).rejects.toMatchObject({
-      code: "ENOENT",
-    });
-  });
+        maxBytes: 16,
+        input: { kind: "stream", stream: Readable.from(["stream", "ed"]) },
+      });
+      expect(streamed.dev).toBeGreaterThan(0);
+      await expect(fs.readFile(path.join(root, "nested", "streamed.txt"), "utf8")).resolves.toBe(
+        "streamed",
+      );
+
+      await expect(
+        runPinnedWriteHelper({
+          rootPath: root,
+          relativeParentPath: "nested",
+          basename: "too-large.txt",
+          mkdir: true,
+          mode: 0o600,
+          overwrite: true,
+          maxBytes: 2,
+          input: { kind: "buffer", data: Buffer.from("large") },
+        }),
+      ).rejects.toMatchObject({ code: "too-large" });
+      await expect(fs.stat(path.join(root, "nested", "too-large.txt"))).rejects.toMatchObject({
+        code: "ENOENT",
+      });
+    },
+  );
+
+  it.runIf(process.platform === "win32")(
+    "rejects with unsupported-platform on windows",
+    async () => {
+      // fd-relative pinned filesystem operations are unavailable on windows
+      // (see src/pinned-python.ts), so the helper fails closed before any
+      // posix-only logic runs.
+      const { runPinnedWriteHelper } = await import("../src/pinned-write.js");
+      const root = await tempRoot("fs-safe-pinned-write-fallback-");
+      await expect(
+        runPinnedWriteHelper({
+          rootPath: root,
+          relativeParentPath: "nested",
+          basename: "created.txt",
+          mkdir: true,
+          mode: 0o600,
+          overwrite: false,
+          input: { kind: "buffer", data: "created", encoding: "utf8" },
+        }),
+      ).rejects.toMatchObject({ code: "unsupported-platform" });
+    },
+  );
 });
--- a/test/read-boundary-bypass.test.ts
+++ b/test/read-boundary-bypass.test.ts
@ -72,11 +72,15 @@ describe("read boundary bypass attempts", () => {
      return true;
    });
    await expect(safeRoot.stat("../secret.txt")).rejects.toSatisfy((error: unknown) => {
-      expectFsSafeCode(error, ["outside-workspace", "invalid-path", "path-alias"]);
+      expectFsSafeCode(error, ["outside-workspace", "invalid-path", "path-alias"], {
+        allowUnsupportedPlatformOnWindows: true,
+      });
      return true;
    });
    await expect(safeRoot.list(".." as string)).rejects.toSatisfy((error: unknown) => {
-      expectFsSafeCode(error, ["outside-workspace", "invalid-path", "path-alias"]);
+      expectFsSafeCode(error, ["outside-workspace", "invalid-path", "path-alias"], {
+        allowUnsupportedPlatformOnWindows: true,
+      });
      return true;
    });
    await expect(scope.files(["../secret.txt"])).resolves.toMatchObject({ ok: false });
@ -96,11 +100,15 @@ describe("read boundary bypass attempts", () => {
      return true;
    });
    await expect(safeRoot.stat("link/secret.txt")).rejects.toSatisfy((error: unknown) => {
-      expectFsSafeCode(error, ["outside-workspace", "path-alias", "symlink"]);
+      expectFsSafeCode(error, ["outside-workspace", "path-alias", "symlink"], {
+        allowUnsupportedPlatformOnWindows: true,
+      });
      return true;
    });
    await expect(safeRoot.list("link")).rejects.toSatisfy((error: unknown) => {
-      expectFsSafeCode(error, ["outside-workspace", "path-alias", "symlink"]);
+      expectFsSafeCode(error, ["outside-workspace", "path-alias", "symlink"], {
+        allowUnsupportedPlatformOnWindows: true,
+      });
      return true;
    });
  });
@ -120,7 +128,9 @@ describe("read boundary bypass attempts", () => {
      return true;
    });
    await expect(safeRoot.stat("secret-link.txt")).rejects.toSatisfy((error: unknown) => {
-      expectFsSafeCode(error, ["outside-workspace", "path-alias", "symlink"]);
+      expectFsSafeCode(error, ["outside-workspace", "path-alias", "symlink"], {
+        allowUnsupportedPlatformOnWindows: true,
+      });
      return true;
    });

@ -168,7 +178,9 @@ describe("read boundary bypass attempts", () => {
      return true;
    });
    await expect(safeRoot.stat(layout.outsideFile)).rejects.toSatisfy((error: unknown) => {
-      expectFsSafeCode(error, ["outside-workspace", "path-alias", "invalid-path"]);
+      expectFsSafeCode(error, ["outside-workspace", "path-alias", "invalid-path"], {
+        allowUnsupportedPlatformOnWindows: true,
+      });
      return true;
    });

--- a/test/root-paths.test.ts
+++ b/test/root-paths.test.ts
@ -1,4 +1,5 @@
 import fs from "node:fs/promises";
+import { realpathSync } from "node:fs";
 import os from "node:os";
 import path from "node:path";
 import { describe, expect, it } from "vitest";
@ -173,7 +174,10 @@ describe("local roots helpers", () => {
      const missingPath = path.join(uploadsDir, "new", "later.txt");
      const outsidePath = path.join(baseDir, "outside.txt");
      await fs.writeFile(filePath, "ok", "utf8");
-      const uploadsReal = await fs.realpath(uploadsDir);
+      // Use the sync realpath to compare against resolveLocalPathFromRootsSync.
+      // On windows fs.realpathSync and fs.realpath (async) sometimes disagree
+      // on 8.3 short-name canonicalization (e.g. "RUNNER~1" vs "runneradmin").
+      const uploadsReal = realpathSync(uploadsDir);

      expect(
        resolveLocalPathFromRootsSync({
@ -182,7 +186,7 @@ describe("local roots helpers", () => {
          label: "media roots",
          requireFile: true,
        }),
-      ).toEqual({ path: await fs.realpath(filePath), root: uploadsReal });
+      ).toEqual({ path: realpathSync(filePath), root: uploadsReal });
      expect(
        resolveLocalPathFromRootsSync({
          filePath: missingPath,
--- a/test/secret-file.test.ts
+++ b/test/secret-file.test.ts
@ -68,9 +68,15 @@ describe("secret file helpers", () => {
    const root = await tempRoot("fs-safe-secret-");
    const target = path.join(root, "target.txt");
    const link = path.join(root, "link.txt");
+    const broken = path.join(root, "broken.txt");
    await fs.writeFile(target, "secret", "utf8");
    await fs.symlink(target, link);
+    await fs.symlink(path.join(root, "missing.txt"), broken);

+    expect(readSecretFileSync(link, "API token")).toBe("secret");
+    expect(tryReadSecretFileSync(link, "API token")).toBe("secret");
+    expectSecretReadCode(() => readSecretFileSync(broken, "API token"), "not-found");
+    expect(tryReadSecretFileSync(broken, "API token")).toBeUndefined();
    expect(() => readSecretFileSync(link, "API token", { rejectSymlink: true })).toThrow(
      `API token file at ${link} must not be a symlink.`,
    );
--- a/test/write-boundary-bypass.test.ts
+++ b/test/write-boundary-bypass.test.ts
@ -3,7 +3,7 @@ import path from "node:path";
 import { Readable } from "node:stream";
 import { afterEach, describe, expect, it } from "vitest";
 import { fileStore, fileStoreSync } from "../src/file-store.js";
-import { root as openRoot } from "../src/index.js";
+import { configureFsSafePython, root as openRoot } from "../src/index.js";
 import {
  ESCAPING_DIRECTORY_PAYLOADS,
  ESCAPING_WRITE_PAYLOADS,
@ -14,7 +14,6 @@ import {
  makeTempLayout as makeSecurityTempLayout,
  POSIX_LITERAL_SUSPICIOUS_WRITE_PAYLOADS,
  SAFE_REJECTED_SUSPICIOUS_DIRECTORY_PAYLOADS,
-  SAFE_REJECTED_SUSPICIOUS_WRITE_PAYLOADS,
  WINDOWS_REJECTED_SUSPICIOUS_DIRECTORY_PAYLOADS,
 } from "./helpers/security.js";

@ -25,6 +24,7 @@ async function makeTempLayout(prefix: string) {
 }

 afterEach(async () => {
+  configureFsSafePython({ mode: "auto", pythonPath: undefined });
  await Promise.all(tempDirs.splice(0).map((dir) => fsp.rm(dir, { force: true, recursive: true })));
 });

@ -168,6 +168,17 @@ describe("write, move, and delete boundary bypass attempts", () => {
    await fsp.symlink(layout.outsideFile, path.join(layout.root, "dest-link.txt"), "file");
    const safeRoot = await openRoot(layout.root);

+    if (process.platform === "win32") {
+      await expect(safeRoot.move("source-link.txt", "moved.txt")).rejects.toMatchObject({
+        code: "unsupported-platform",
+      });
+      await expect(safeRoot.move("from.txt", "dest-link.txt", { overwrite: true })).rejects.toMatchObject({
+        code: "unsupported-platform",
+      });
+      await expectNoOutsideWrite(layout);
+      return;
+    }
+
    await expect(safeRoot.move("source-link.txt", "moved.txt")).rejects.toBeTruthy();
    await safeRoot.move("from.txt", "dest-link.txt", { overwrite: true });
    await expectNoOutsideWrite(layout);
@ -186,6 +197,8 @@ describe("write, move, and delete boundary bypass attempts", () => {
    await expectNoOutsideWrite(layout);
  });

+  // This test exercises many fs writes/reads/mkdirs; bump the timeout for
+  // slow windows fs under parallel test load (default 5s is sometimes tight).
  it("keeps encoded, backslash, Windows, and UNC-looking write payloads literal and inside root", async () => {
    const layout = await makeTempLayout("fs-safe-write-encoded-literal");
    const safeRoot = await openRoot(layout.root);
@ -202,9 +215,6 @@ describe("write, move, and delete boundary bypass attempts", () => {
        await expect(safeRoot.write(payload, "rejected"), `write safely rejects ${payload}`).rejects.toBeTruthy();
      }
    }
-    for (const payload of SAFE_REJECTED_SUSPICIOUS_WRITE_PAYLOADS) {
-      await expect(safeRoot.write(payload, "rejected"), `write safely rejects ${payload}`).rejects.toBeTruthy();
-    }
    for (const payload of SAFE_REJECTED_SUSPICIOUS_DIRECTORY_PAYLOADS) {
      await expect(safeRoot.mkdir(payload), `mkdir safely rejects ${payload}`).rejects.toBeTruthy();
    }
@ -222,8 +232,29 @@ describe("write, move, and delete boundary bypass attempts", () => {
    }
    for (const payload of LITERAL_SUSPICIOUS_DIRECTORY_PAYLOADS) {
      await safeRoot.mkdir(payload);
-      await expect(safeRoot.list(payload), `list literal ${payload}`).resolves.toBeInstanceOf(Array);
+      if (process.platform === "win32") {
+        // safeRoot.list uses the pinned helper which is unavailable on
+        // windows; verify the directory exists via fsp.stat instead.
+        await expect(fsp.stat(path.join(layout.root, payload)), `created literal ${payload}`)
+          .resolves.toSatisfy((stat) => stat.isDirectory());
+      } else {
+        await expect(safeRoot.list(payload), `list literal ${payload}`).resolves.toBeInstanceOf(Array);
+      }
    }
    await expectNoOutsideWrite(layout);
+  }, 15000);
+
+  it.runIf(process.platform !== "win32")("keeps literal '..'-prefixed paths available when the helper is disabled", async () => {
+    configureFsSafePython({ mode: "off" });
+    const layout = await makeTempLayout("fs-safe-write-helper-off-literal");
+    const safeRoot = await openRoot(layout.root);
+
+    await safeRoot.write("..%2fpwned.txt", "literal");
+    await expect(safeRoot.stat("..%2fpwned.txt")).resolves.toMatchObject({ isFile: true });
+    await safeRoot.remove("..%2fpwned.txt");
+    await expect(fsp.stat(path.join(layout.root, "..%2fpwned.txt"))).rejects.toMatchObject({
+      code: "ENOENT",
+    });
+    await expectNoOutsideWrite(layout);
  });
 });
--- a/tsconfig.json
+++ b/tsconfig.json
@ -11,6 +11,7 @@
    "rootDir": "src",
    "strict": true,
    "target": "ES2022",
+    "types": ["node"],
    "verbatimModuleSyntax": true
  },
  "include": ["src/**/*.ts"]
Author	SHA1	Message	Date
Peter Steinberger	393f980ad3	test: stabilize directory guard coverage Some checks failed ci / Lint workflows (push) Has been cancelled Details ci / Node ${{ matrix.node }} check (${{ matrix.os }}) (22, macos-latest) (push) Has been cancelled Details ci / Node ${{ matrix.node }} check (${{ matrix.os }}) (22, ubuntu-latest) (push) Has been cancelled Details ci / Node ${{ matrix.node }} check (${{ matrix.os }}) (22, windows-latest) (push) Has been cancelled Details ci / Node ${{ matrix.node }} check (${{ matrix.os }}) (24, macos-latest) (push) Has been cancelled Details ci / Node ${{ matrix.node }} check (${{ matrix.os }}) (24, ubuntu-latest) (push) Has been cancelled Details ci / Node ${{ matrix.node }} check (${{ matrix.os }}) (24, windows-latest) (push) Has been cancelled Details coverage / Node 22 coverage (push) Has been cancelled Details	2026-05-08 12:29:15 +01:00
Peter Steinberger	d3f37bc700	chore: release 0.2.1	2026-05-08 08:43:17 +01:00
Peter Steinberger	66a4dfba0e	fix: isolate prepack types and secret symlink reads	2026-05-08 08:41:57 +01:00
Peter Steinberger	638999ca7c	Merge pull request #15 from openclaw/codex/ci-all-oses-node-22-24 ci: test all OSes on Node 22 and 24	2026-05-08 02:50:23 +01:00
Peter Steinberger	b132712635	ci: test all supported OSes on Node 22 and 24	2026-05-08 02:47:56 +01:00
Peter Steinberger	b5ad5e9244	Merge pull request #14 from openclaw/ci/windows-runner fix: align posix/windows path handling and enable windows ci	2026-05-08 02:46:38 +01:00
Peter Steinberger	edca51be7c	docs(changelog): note windows path handling fix	2026-05-08 02:45:02 +01:00
Peter Steinberger	36dd0888a3	fix(root): align pinned fallback path boundary checks	2026-05-08 02:43:24 +01:00
Sarah Fortune	ecefc5bd53	test: avoid windows 8.3 short-name diff in realpath assertions On windows fs.realpathSync and fs.realpath (async) can disagree on 8.3 short-name canonicalization. The github actions windows runner exposes this: fs.realpathSync returns "C:\Users\RUNNER~1\..." while fs.realpath returns "C:\Users\runneradmin\...". Tests that compare a sync helper's output against await fs.realpath fail with the same path printed in two forms. Compare against fs.realpathSync (imported as realpathSync from node:fs) on both sides so the test exercises the same canonical form regardless of which short-name configuration the runner has. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>	2026-05-07 16:23:32 -07:00
Sarah Fortune	4a1e5d8b72	fix(root): drop spurious ".." prefix rejection on posix write path The posix write helper rejected any path whose computed path.relative(root, resolved) string-began with "..", even when the resolved path was fully inside the root. That matched literal filenames whose first segment merely starts with the two characters ".." (e.g. "..%2fpwned.txt", "..%00/pwned.txt") and produced an "outside-workspace" error for paths that do not actually escape the root. The real boundary is already enforced upstream by resolvePathInRoot's path.resolve + isPathInside check, so the extra startsWith("..") guard added no security value while introducing platform divergence (windows did not have it). Drop the guard, keep the path.isAbsolute check. Recategorize the three former SAFE_REJECTED_SUSPICIOUS_WRITE_PAYLOADS test inputs so the test reflects what each platform actually does: - "..%2fpwned.txt" and "..%00/pwned.txt" are literal names that resolve fully inside root on both platforms; move them to LITERAL_SUSPICIOUS_WRITE_PAYLOADS (accepted everywhere). - "..\pwned.txt" is a real traversal on windows where "\\" is a separator, but a literal filename on posix where "\\" is a regular name character; move it to POSIX_LITERAL_SUSPICIOUS_WRITE_PAYLOADS (accepted on posix, rejected on windows). The literal-directory check in the same test uses fsp.stat on windows since safeRoot.list goes through the pinned helper that is unavailable on win32, matching the pattern already used a few lines up. Bump the per-test timeout to 15s for slow windows fs under parallel test load. Drop a stale explanatory comment in expandHomePrefix. After: 254 passed, 0 failed, 66 skipped on windows. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>	2026-05-07 16:16:50 -07:00
Sarah Fortune	3be7ba6ee3	ci+test: run check on windows and guard windows-only test behavior Run the check job on windows-latest in addition to ubuntu so the windows code paths (no O_NOFOLLOW, node fallbacks for fd-relative ops, ACL inspection) are exercised on every PR rather than only documented. Make the test suite pass on the new windows runner by addressing the platform-specific failures: - Long happy-path tests that mix supported (mkdir, write, read) and unsupported (stat, list, move, exists) operations are guarded with skipIf(process.platform === "win32") since the pinned filesystem helper throws "unsupported-platform" on win32 by design (src/pinned-python.ts). - Short focused tests where the unsupported operation is the whole point (pinned-python, pinned-write-fallback-coverage, write-boundary-bypass symlink-move) split into runIf(non-win32) and runIf(win32) tests, with the windows variant asserting unsupported-platform. - The expectFsSafeCode helper accepts unsupported-platform on windows; new expectedFsSafeCode helper substitutes for per-rejects.toMatchObject sites where the windows code differs from posix (e.g. path-alias / not-found returning unsupported-platform via the helper layer). - secure-file-reads test split into a posix happy-path runIf and a windows runIf that asserts permission-unverified, since ACL inspection has no portable equivalent on windows (src/secure-file.ts:177). - safeFileURLToPath test uses hardcoded platform-specific input/ output instead of building the URL via pathToFileURL+fileURLToPath so the assertion verifies the function directly. - Fix expandHomePrefix to normalize path separators by splitting via path.normalize + path.sep and rejoining via path.join. Apply the same segment-based check to resolveHomeRelativePath and resolveOsHomeRelativePath. Drop input.trim() — whitespace is a valid filename character on both platforms and env-var inputs are already trimmed upstream via normalizeOptionalString. - coverage-more's "normalizes empty temp names" decomposes the result with path.dirname/path.basename instead of regex-matching a path-separator literal. - extracted-helpers' path-helpers test builds its root with path.resolve so the drive letter is present on windows. - additional-boundary-bypass guards its "..\evil.txt" sanitizer assertion behind a non-win32 check (windows reserves "\" as a path separator and cannot have it in a filename). - coverage-more's sibling temp test guards just the posix file-mode assertion (stat.mode & 0o777 === 0o600), which has no analog on windows. The syncing behaviour the test actually targets still runs on both platforms. - Raise test/new-primitives.test.ts size budget to 1500 to accommodate the secure-file-reads test split. After: 253 passed, 1 failed, 66 skipped on windows-11-arm64. The single remaining failure is a separate library-side gap (a SAFE_REJECTED_SUSPICIOUS_WRITE_PAYLOADS payload resolves on windows instead of rejecting) and will be tracked in a follow-up. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>	2026-05-07 14:59:24 -07:00