test(ext/sw): router accepts/rejects backup messages per sender

extension/src/service-worker/router/__tests__/router.test.ts

@@ -786,3 +786,54 @@ describe('upload_attachment / download_attachment', () => {
     expect(result).toEqual({ ok: false, error: 'unauthorized_sender' });
   });
 });
+
+// --- export_backup / restore_backup sender check ---
+
+describe('export_backup / restore_backup sender check', () => {
+  it('accepts vault tab for export_backup', async () => {
+    const state = makeState();
+    const result = await route(
+      { type: 'export_backup', passphrase: 'p', includeImage: false },
+      state,
+      makeVaultSender(),
+    );
+    // The handler may return ok: false (vault_locked / missing state) but the
+    // router must NOT reject it as unauthorized_sender.
+    expect(result).not.toEqual({ ok: false, error: 'unauthorized_sender' });
+  });
+
+  it('accepts popup for export_backup', async () => {
+    const state = makeState();
+    const result = await route(
+      { type: 'export_backup', passphrase: 'p', includeImage: false },
+      state,
+      makePopupSender(),
+    );
+    expect(result).not.toEqual({ ok: false, error: 'unauthorized_sender' });
+  });
+
+  it('rejects setup tab for export_backup', async () => {
+    const state = makeState();
+    const result = await route(
+      { type: 'export_backup', passphrase: 'p', includeImage: false },
+      state,
+      makeSetupSender(),
+    );
+    expect(result).toEqual({ ok: false, error: 'unauthorized_sender' });
+  });
+
+  it('rejects content top frame for restore_backup', async () => {
+    const state = makeState();
+    const result = await route(
+      {
+        type: 'restore_backup',
+        bytes: new ArrayBuffer(8),
+        passphrase: 'p',
+        newRemote: { hostType: 'gitea', hostUrl: 'https://x', repoPath: 'a/b', apiToken: 't' },
+      },
+      state,
+      makeContentSender('https://example.com'),
+    );
+    expect(result).toEqual({ ok: false, error: 'unauthorized_sender' });
+  });
+});