fix: harden nordvpn wireguard verification

skills/nordvpn-client/scripts/nordvpn-client.test.js

@@ -0,0 +1,104 @@
+const test = require("node:test");
+const assert = require("node:assert/strict");
+const fs = require("node:fs");
+const path = require("node:path");
+const vm = require("node:vm");
+
+function loadInternals() {
+  const scriptPath = path.join(__dirname, "nordvpn-client.js");
+  const source = fs.readFileSync(scriptPath, "utf8").replace(/\nmain\(\);\s*$/, "\n");
+  const wrapped = `${source}
+module.exports = {
+  buildLookupResult:
+    typeof buildLookupResult === "function" ? buildLookupResult : undefined,
+  detectMacWireguardActiveFromIfconfig:
+    typeof detectMacWireguardActiveFromIfconfig === "function" ? detectMacWireguardActiveFromIfconfig : undefined,
+  resolveHostnameWithFallback:
+    typeof resolveHostnameWithFallback === "function" ? resolveHostnameWithFallback : undefined,
+  verifyConnectionWithRetry:
+    typeof verifyConnectionWithRetry === "function" ? verifyConnectionWithRetry : undefined,
+};`;
+
+  const sandbox = {
+    require,
+    module: { exports: {} },
+    exports: {},
+    __dirname,
+    __filename: scriptPath,
+    process: { ...process, exit() {} },
+    console,
+    setTimeout,
+    clearTimeout,
+    Buffer,
+  };
+
+  vm.runInNewContext(wrapped, sandbox, { filename: scriptPath });
+  return sandbox.module.exports;
+}
+
+test("detectMacWireguardActiveFromIfconfig detects nordvpn utun client address", () => {
+  const { detectMacWireguardActiveFromIfconfig } = loadInternals();
+  assert.equal(typeof detectMacWireguardActiveFromIfconfig, "function");
+
+  const ifconfig = `
+utun8: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1380
+utun9: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1420
+\tinet 10.5.0.2 --> 10.5.0.2 netmask 0xff000000
+`;
+
+  assert.equal(detectMacWireguardActiveFromIfconfig(ifconfig), true);
+  assert.equal(detectMacWireguardActiveFromIfconfig("utun7: flags=8051\n\tinet 100.64.0.4"), false);
+});
+
+test("buildLookupResult supports lookup all=true mode", () => {
+  const { buildLookupResult } = loadInternals();
+  assert.equal(typeof buildLookupResult, "function");
+  assert.equal(
+    JSON.stringify(buildLookupResult("104.26.9.44", { all: true })),
+    JSON.stringify([{ address: "104.26.9.44", family: 4 }])
+  );
+  assert.equal(JSON.stringify(buildLookupResult("104.26.9.44", { all: false })), JSON.stringify(["104.26.9.44", 4]));
+});
+
+test("verifyConnectionWithRetry retries transient reachability failures", async () => {
+  const { verifyConnectionWithRetry } = loadInternals();
+  assert.equal(typeof verifyConnectionWithRetry, "function");
+
+  let attempts = 0;
+  const result = await verifyConnectionWithRetry(
+    { country: "Italy", city: "Milan" },
+    {
+      attempts: 3,
+      delayMs: 1,
+      getPublicIpInfo: async () => {
+        attempts += 1;
+        if (attempts === 1) {
+          return { ok: false, error: "read EHOSTUNREACH" };
+        }
+        return { ok: true, country: "Italy", city: "Milan" };
+      },
+    }
+  );
+
+  assert.equal(result.ok, true);
+  assert.equal(result.ipInfo.country, "Italy");
+  assert.equal(attempts, 2);
+});
+
+test("resolveHostnameWithFallback uses fallback resolvers when system lookup fails", async () => {
+  const { resolveHostnameWithFallback } = loadInternals();
+  assert.equal(typeof resolveHostnameWithFallback, "function");
+
+  const calls = [];
+  const address = await resolveHostnameWithFallback("ipapi.co", {
+    resolvers: ["1.1.1.1", "8.8.8.8"],
+    resolveWithResolver: async (hostname, resolver) => {
+      calls.push(`${resolver}:${hostname}`);
+      if (resolver === "1.1.1.1") return [];
+      return ["104.26.9.44"];
+    },
+  });
+
+  assert.equal(address, "104.26.9.44");
+  assert.deepEqual(calls, ["1.1.1.1:ipapi.co", "8.8.8.8:ipapi.co"]);
+});