test: add --block-domains integration tests (#1051)

Mossaka · claude · web-flow · commit 37158024d83a · 2026-02-25T14:45:08.000-08:00
* test: add --block-domains integration tests Add blockDomains option to AwfRunner test fixture and integration tests for the --block-domains deny-list feature: - Block specific subdomain while allowing parent domain - Block takes precedence over allow - Wildcard blocking patterns (*.github.com) - Multiple blocked domains - Debug output verification Closes #1041 Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> * test: verify both blocked domains in multiple-domains test Address Copilot review: test both api.github.com and raw.githubusercontent.com are blocked, and add githubusercontent.com to allowDomains so the blocklist (not the allowlist) is what blocks them. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> --------- Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
diff --git a/tests/fixtures/awf-runner.ts b/tests/fixtures/awf-runner.ts
@@ -5,6 +5,7 @@ type ExecaReturnValue = execa.ExecaReturnValue<string>;
 
 export interface AwfOptions {
   allowDomains?: string[];
+  blockDomains?: string[];
   keepContainers?: boolean;
   logLevel?: 'debug' | 'info' | 'warn' | 'error';
   buildLocal?: boolean;
@@ -52,6 +53,11 @@ export class AwfRunner {
       args.push('--allow-domains', options.allowDomains.join(','));
     }
 
+    // Add block-domains
+    if (options.blockDomains && options.blockDomains.length > 0) {
+      args.push('--block-domains', options.blockDomains.join(','));
+    }
+
     // Add other flags
     if (options.keepContainers) {
       args.push('--keep-containers');
@@ -206,6 +212,11 @@ export class AwfRunner {
       args.push('--allow-domains', options.allowDomains.join(','));
     }
 
+    // Add block-domains
+    if (options.blockDomains && options.blockDomains.length > 0) {
+      args.push('--block-domains', options.blockDomains.join(','));
+    }
+
     // Add other flags
     if (options.keepContainers) {
       args.push('--keep-containers');
diff --git a/tests/integration/blocked-domains.test.ts b/tests/integration/blocked-domains.test.ts
@@ -183,3 +183,100 @@ describe('Domain Allowlist Edge Cases', () => {
     expect(result.stdout).toMatch(/blocked|error|fail/i);
   }, 120000);
 });
+
+describe('Block Domains Deny-List (--block-domains)', () => {
+  let runner: AwfRunner;
+
+  beforeAll(async () => {
+    await cleanup(false);
+    runner = createRunner();
+  });
+
+  afterAll(async () => {
+    await cleanup(false);
+  });
+
+  test('should block specific subdomain while allowing parent domain', async () => {
+    const result = await runner.runWithSudo(
+      'curl -f --max-time 10 https://api.github.com/zen',
+      {
+        allowDomains: ['github.com'],
+        blockDomains: ['api.github.com'],
+        logLevel: 'debug',
+        timeout: 60000,
+      }
+    );
+    expect(result).toFail();
+  }, 120000);
+
+  test('should still allow non-blocked subdomains when parent is allowed', async () => {
+    const result = await runner.runWithSudo(
+      'curl -f --max-time 10 https://github.com',
+      {
+        allowDomains: ['github.com'],
+        blockDomains: ['api.github.com'],
+        logLevel: 'debug',
+        timeout: 60000,
+      }
+    );
+    expect(result).toSucceed();
+  }, 120000);
+
+  test('should block domain that is also in the allow list (block takes precedence)', async () => {
+    const result = await runner.runWithSudo(
+      'curl -f --max-time 5 https://example.com',
+      {
+        allowDomains: ['example.com'],
+        blockDomains: ['example.com'],
+        logLevel: 'debug',
+        timeout: 60000,
+      }
+    );
+    expect(result).toFail();
+  }, 120000);
+
+  test('should block wildcard pattern while allowing parent domain', async () => {
+    const result = await runner.runWithSudo(
+      'curl -f --max-time 10 https://api.github.com/zen',
+      {
+        allowDomains: ['github.com'],
+        blockDomains: ['*.github.com'],
+        logLevel: 'debug',
+        timeout: 60000,
+      }
+    );
+    expect(result).toFail();
+  }, 120000);
+
+  test('should handle multiple blocked domains', async () => {
+    const result = await runner.runWithSudo(
+      'bash -c "' +
+        'curl -f --max-time 10 https://api.github.com/zen 2>&1; api_exit=$?; ' +
+        'curl -f --max-time 10 https://raw.githubusercontent.com 2>&1; raw_exit=$?; ' +
+        'echo api_exit=$api_exit raw_exit=$raw_exit"',
+      {
+        allowDomains: ['github.com', 'githubusercontent.com'],
+        blockDomains: ['api.github.com', 'raw.githubusercontent.com'],
+        logLevel: 'debug',
+        timeout: 60000,
+      }
+    );
+    // Both blocked domains should fail even though their parent domains are allowed
+    expect(result.stdout).not.toContain('api_exit=0');
+    expect(result.stdout).not.toContain('raw_exit=0');
+  }, 120000);
+
+  test('should show blocked domains in debug output', async () => {
+    const result = await runner.runWithSudo(
+      'echo "test"',
+      {
+        allowDomains: ['github.com'],
+        blockDomains: ['api.github.com'],
+        logLevel: 'debug',
+        timeout: 60000,
+      }
+    );
+    expect(result).toSucceed();
+    expect(result.stderr).toMatch(/[Bb]locked domains:/i);
+  }, 120000);
+});
