Summary
The repo has no tests/ directory and no test script in package.json. CI only runs typecheck + build across Node 18/20/22.
Why this matters for a proxy
Users are piping every Claude Code request through this binary. The README explicitly frames open-sourcing as a trust ask. A test suite is a much stronger form of that trust than an audit-by-eye.
The places where regressions would actually bite:
- Request validation: 403 on non-/v1/*, 400 on missing anthropic-version header
- Passthrough fallback: server-unreachable / timeout-exceeded / non-200 from /prepare → request forwards untrimmed
- OAuth bridge: x-api-key swap happens only when --oauth-bridge is set and keychain returns a token; Authorization: Bearer … must never be touched
- Body shape: ergoRawPost handles non-JSON / truncated / >limit responses without crashing the proxy
Suggested starter scope
A tests/ directory with a few integration tests using Node's built-in node:test runner (no extra dep):
- Start the proxy on an ephemeral port, point it at a local mock ErgoSum server + a local mock upstream Anthropic.
- Hit /v1/messages with various shapes; assert pass/trim/fallback behaviour.
- Cover the OAuth bridge path using an env-var-stubbable getClaudeOAuthToken.
Then add "test": "node --test tests/**/*.test.js" to package.json and a test step in .github/workflows/ci.yml.
Non-goals
Unit-testing rough.js-style rendering, mocking api.anthropic.com byte-for-byte, or covering LaunchAgent install flow — those are fine to leave for a human.
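
An added sketch, not code from this repository: the request-validation and OAuth-bridge rules listed above written as a table-driven check. validateRequest, applyOAuthBridge and all sample values are hypothetical stand-ins, and reading "swap" as replacing the x-api-key value is an assumption.

```javascript
// Hypothetical stand-ins for the proxy's decisions; not the project's code.
// Header names are assumed lower-cased, as Node's http module delivers them.

// Gate: 403 outside /v1/*, 400 when anthropic-version is missing, 0 = forward.
function validateRequest(path, headers) {
  if (!path.startsWith('/v1/')) return 403;
  if (!headers['anthropic-version']) return 400;
  return 0;
}

// Swap x-api-key only when the flag is set AND the keychain returned a token.
// A request carrying Authorization: Bearer is returned untouched.
// Assumption: "swap" means replacing the x-api-key value with the token.
function applyOAuthBridge(headers, oauthBridge, keychainToken) {
  if (!oauthBridge || !keychainToken) return headers;
  if (/^bearer\s/i.test(headers.authorization || '')) return headers;
  if (!('x-api-key' in headers)) return headers;
  return { ...headers, 'x-api-key': keychainToken }; // copy, never mutate input
}

// Constructed sample values; none are real credentials.
const VER = { 'anthropic-version': '2023-06-01' };
const KEY = { ...VER, 'x-api-key': 'sk-sample' };
const BEARER = { ...VER, authorization: 'Bearer sample-user-token' };

// [name, headers, flag, keychain token, expected x-api-key, expected authorization]
const BRIDGE_CASES = [
  ['flag off',        KEY,    false, 'oauth-sample', 'sk-sample',    undefined],
  ['keychain empty',  KEY,    true,  null,           'sk-sample',    undefined],
  ['flag on + token', KEY,    true,  'oauth-sample', 'oauth-sample', undefined],
  ['bearer present',  BEARER, true,  'oauth-sample', undefined,      'Bearer sample-user-token'],
];

// Returns the names of cases whose outgoing credentials differ from the table.
function failingBridgeCases() {
  return BRIDGE_CASES.filter(([, headers, flag, token, key, auth]) => {
    const out = applyOAuthBridge(headers, flag, token);
    return out['x-api-key'] !== key || out.authorization !== auth;
  }).map(([name]) => name);
}
```

The same case table can drive node:test subtests against the real proxy once it can be started on an ephemeral port.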