import assert from 'node:assert/strict'; import { config } from './src/config/index.js'; import { runBacktest } from './src/backtest/index.js'; import { assertBacktestBodyDoesNotContainInlineCode, assertBacktestStrategyConfigSafe, UnsafeCodeStrategyError, } from './src/backtest/strategySafety.js'; import type { BacktestRequest } from './src/backtest/types.js'; const unsafeError = (error: unknown): boolean => error instanceof UnsafeCodeStrategyError && error.message.includes('sandboxed evaluator'); const buildUnsafeRequest = (): BacktestRequest => ({ mode: 'backtest', symbols: ['BTC/USDT'], timeframe: '15m', dateRange: { from: '2025-01-01T00:00:00.000Z', to: '2025-01-02T00:00:00.000Z', }, dataSource: { type: 'json', payload: { candles: { 'BTC/USDT': { '15m': [], }, }, }, }, strategyConfig: { type: 'code', language: 'javascript', code: 'return true;', }, }); const originalFlag = config.ENABLE_BACKTEST; config.ENABLE_BACKTEST = true; try { assert.doesNotThrow( () => assertBacktestStrategyConfigSafe({ rules: [] }), 'rule-based strategy configs must stay accepted', ); assert.throws( () => assertBacktestStrategyConfigSafe({ type: ' CODE ', code: 'return true;' }), unsafeError, 'strategyConfig.type=code must be refused before execution', ); assert.throws( () => assertBacktestBodyDoesNotContainInlineCode({ strategyCode: 'return true;' }), unsafeError, 'legacy strategyCode payloads must be refused before execution', ); assert.doesNotThrow( () => assertBacktestBodyDoesNotContainInlineCode({ strategyCode: ' ' }), 'empty legacy strategyCode payloads should not mask normal validation errors', ); await assert.rejects( () => runBacktest(buildUnsafeRequest()), unsafeError, 'runBacktest must refuse code strategies even when called outside the API route', ); } finally { config.ENABLE_BACKTEST = originalFlag; } console.log('[backtest-strategy-safety] OK: code strategy backtests are refused before execution');