test: add unified test runner (bin/test.sh) (#6)

Author: benvinegar

.github/workflows/ci.yml

@@ -34,23 +34,11 @@ jobs:
         with:
           node-version: "22"
 
-      - name: Install slack-bridge dependencies
+      - name: Install dependencies
         run: cd slack-bridge && npm ci
 
-      - name: Test — bridge security (71 tests)
-        run: cd slack-bridge && node --test security.test.mjs
-
-      - name: Test — tool-guard (60 tests)
-        run: cd pi/extensions && node --test tool-guard.test.mjs
-
-      - name: Test — extension scanner (15 tests)
-        run: cd bin && node --test scan-extensions.test.mjs
-
-      - name: Test — safe-bash wrapper (24 tests)
-        run: cd bin && bash hornet-safe-bash.test.sh
-
-      - name: Test — log redaction (11 tests)
-        run: cd bin && bash redact-logs.test.sh
+      - name: Run all tests
+        run: bin/test.sh
 
       # security-audit.sh checks live system state (running services, firewall,
       # /proc mounts) that doesn't exist in CI. Run it locally instead:

AGENTS.md

@@ -87,28 +87,18 @@ tmux new-window -n hornet 'sudo -u hornet_agent ~/runtime/start.sh'
 ## Running Tests
 
 ```bash
-# Tool-guard tests (86 tests)
-cd pi/extensions && node --test tool-guard.test.mjs
+# All tests (207 across 5 suites)
+bin/test.sh
 
-# Bridge security tests
-cd slack-bridge && node --test security.test.mjs
+# Only JS/TS tests
+bin/test.sh js
 
-# Extension scanner tests
-cd bin && node --test scan-extensions.test.mjs
-
-# Shell deny list tests
-cd bin && bash hornet-safe-bash.test.sh
-
-# Log redaction tests
-cd bin && bash redact-logs.test.sh
-
-# From deployed copies (as agent)
-sudo -u hornet_agent bash -c '
-  export PATH=~/opt/node-v22.14.0-linux-x64/bin:$PATH
-  cd ~/.pi/agent/extensions && node --test tool-guard.test.mjs
-'
+# Only shell tests
+bin/test.sh shell
 ```
 
+Add new test files to `bin/test.sh` — don't scatter test invocations across CI or docs.
+
 ## Conventions
 
 - Security functions must be pure, testable modules (no side effects, no env vars at module scope).

README.md

@@ -140,19 +140,17 @@ sudo -u hornet_agent cat ~/.pi/agent/hornet-version.json
 ## Tests
 
 ```bash
-# All tests (run from source as admin — agent can't read source)
-cd ~/hornet && \
-  node slack-bridge/security.test.mjs && \
-  node pi/extensions/tool-guard.test.mjs && \
-  node bin/scan-extensions.test.mjs && \
-  bash bin/hornet-safe-bash.test.sh && \
-  bash bin/redact-logs.test.sh
-
-# Or from deployed copies (as agent)
-sudo -u hornet_agent bash -c '
-  export PATH=~/opt/node-v22.14.0-linux-x64/bin:$PATH
-  cd ~/.pi/agent/extensions && node --test tool-guard.test.mjs
-'
+# All 207 tests across 5 suites
+bin/test.sh
+
+# JS/TS only
+bin/test.sh js
+
+# Shell only
+bin/test.sh shell
+
+# Lint + typecheck
+npm run lint && npm run typecheck
 ```
 
 ## How It Works

bin/test.sh

@@ -0,0 +1,68 @@
+#!/bin/bash
+# Run all Hornet tests. Exit code reflects overall pass/fail.
+#
+# Usage:
+#   bin/test.sh           # run all tests
+#   bin/test.sh js        # only JS/TS tests
+#   bin/test.sh shell     # only shell tests
+#
+# Add new test files here — don't scatter test invocations across CI/docs.
+
+set -uo pipefail
+cd "$(dirname "$0")/.."
+
+FILTER="${1:-all}"
+FAILED=0
+PASSED=0
+TOTAL=0
+
+run() {
+  local name="$1"
+  shift
+  TOTAL=$((TOTAL + 1))
+  printf "  %-40s " "$name"
+  local output=""
+  local rc=0
+  output=$("$@" 2>&1) || rc=$?
+  if [ "$rc" -eq 0 ]; then
+    # Extract test count if available
+    count=$(echo "$output" | awk '/ℹ pass [0-9]/ {for(i=1;i<=NF;i++) if($i=="pass") print $(i+1)}' | tail -1)
+    if [ -z "$count" ]; then
+      count=$(echo "$output" | awk '/[0-9]+ passed/ {for(i=1;i<=NF;i++) if($(i+1)=="passed," || $(i+1)=="passed") print $i}' | tail -1)
+    fi
+    if [ -n "$count" ]; then
+      echo "✓ ($count tests)"
+    else
+      echo "✓"
+    fi
+    PASSED=$((PASSED + 1))
+  else
+    echo "✗ FAILED (exit $rc)"
+    echo "$output" | tail -20 | sed 's/^/    /'
+    FAILED=$((FAILED + 1))
+  fi
+}
+
+echo "=== Hornet Tests ==="
+echo ""
+
+if [ "$FILTER" = "all" ] || [ "$FILTER" = "js" ]; then
+  echo "JS/TS:"
+  run "tool-guard"        node --test pi/extensions/tool-guard.test.mjs
+  run "bridge security"   node --test slack-bridge/security.test.mjs
+  run "extension scanner" node --test bin/scan-extensions.test.mjs
+  echo ""
+fi
+
+if [ "$FILTER" = "all" ] || [ "$FILTER" = "shell" ]; then
+  echo "Shell:"
+  run "safe-bash wrapper" bash bin/hornet-safe-bash.test.sh
+  run "log redaction"     bash bin/redact-logs.test.sh
+  echo ""
+fi
+
+echo "=== $PASSED/$TOTAL passed, $FAILED failed ==="
+
+if [ "$FAILED" -gt 0 ]; then
+  exit 1
+fi

package.json

@@ -2,6 +2,9 @@
   "name": "hornet",
   "private": true,
   "scripts": {
+    "test": "bin/test.sh",
+    "test:js": "bin/test.sh js",
+    "test:shell": "bin/test.sh shell",
     "lint": "biome lint",
     "lint:fix": "biome lint --write --unsafe",
     "typecheck": "tsc --noEmit"