fix: fold session manager blockers into one candidate

tests/hooks/config-protection.test.js

@@ -0,0 +1,101 @@
+/**
+ * Tests for scripts/hooks/config-protection.js via run-with-flags.js
+ */
+
+const assert = require('assert');
+const path = require('path');
+const { spawnSync } = require('child_process');
+
+const runner = path.join(__dirname, '..', '..', 'scripts', 'hooks', 'run-with-flags.js');
+
+function test(name, fn) {
+  try {
+    fn();
+    console.log(`  ✓ ${name}`);
+    return true;
+  } catch (error) {
+    console.log(`  ✗ ${name}`);
+    console.log(`    Error: ${error.message}`);
+    return false;
+  }
+}
+
+function runHook(input, env = {}) {
+  const rawInput = typeof input === 'string' ? input : JSON.stringify(input);
+  const result = spawnSync('node', [runner, 'pre:config-protection', 'scripts/hooks/config-protection.js', 'standard,strict'], {
+    input: rawInput,
+    encoding: 'utf8',
+    env: {
+      ...process.env,
+      ECC_HOOK_PROFILE: 'standard',
+      ...env
+    },
+    timeout: 15000,
+    stdio: ['pipe', 'pipe', 'pipe']
+  });
+
+  return {
+    code: result.status ?? 0,
+    stdout: result.stdout || '',
+    stderr: result.stderr || ''
+  };
+}
+
+function runTests() {
+  console.log('\n=== Testing config-protection ===\n');
+
+  let passed = 0;
+  let failed = 0;
+
+  if (test('blocks protected config file edits through run-with-flags', () => {
+    const input = {
+      tool_name: 'Write',
+      tool_input: {
+        file_path: '.eslintrc.js',
+        content: 'module.exports = {};'
+      }
+    };
+
+    const result = runHook(input);
+    assert.strictEqual(result.code, 2, 'Expected protected config edit to be blocked');
+    assert.strictEqual(result.stdout, '', 'Blocked hook should not echo raw input');
+    assert.ok(result.stderr.includes('BLOCKED: Modifying .eslintrc.js is not allowed.'), `Expected block message, got: ${result.stderr}`);
+  })) passed++; else failed++;
+
+  if (test('passes through safe file edits unchanged', () => {
+    const input = {
+      tool_name: 'Write',
+      tool_input: {
+        file_path: 'src/index.js',
+        content: 'console.log("ok");'
+      }
+    };
+
+    const rawInput = JSON.stringify(input);
+    const result = runHook(input);
+    assert.strictEqual(result.code, 0, 'Expected safe file edit to pass');
+    assert.strictEqual(result.stdout, rawInput, 'Expected exact raw JSON passthrough');
+    assert.strictEqual(result.stderr, '', 'Expected no stderr for safe edits');
+  })) passed++; else failed++;
+
+  if (test('blocks truncated protected config payloads instead of failing open', () => {
+    const rawInput = JSON.stringify({
+      tool_name: 'Write',
+      tool_input: {
+        file_path: '.eslintrc.js',
+        content: 'x'.repeat(1024 * 1024 + 2048)
+      }
+    });
+
+    const result = runHook(rawInput);
+    assert.strictEqual(result.code, 2, 'Expected truncated protected payload to be blocked');
+    assert.strictEqual(result.stdout, '', 'Blocked truncated payload should not echo raw input');
+    assert.ok(result.stderr.includes('Hook input exceeded 1048576 bytes'), `Expected size warning, got: ${result.stderr}`);
+    assert.ok(result.stderr.includes('truncated payload'), `Expected truncated payload warning, got: ${result.stderr}`);
+  })) passed++; else failed++;
+
+  console.log(`\nResults: Passed: ${passed}, Failed: ${failed}`);
+  process.exit(failed > 0 ? 1 : 0);
+}
+
+runTests();