@86d-app/search 0.0.4 → 0.0.6

package/src/__tests__/embedding-provider.test.ts

@@ -0,0 +1,195 @@
+import { afterEach, beforeEach, describe, expect, it, vi } from "vitest";
+import {
+	cosineSimilarity,
+	OpenAIEmbeddingProvider,
+} from "../embedding-provider";
+
+// ── cosineSimilarity ───────────────────────────────────────────────────
+
+describe("cosineSimilarity", () => {
+	it("returns 1 for identical vectors", () => {
+		expect(cosineSimilarity([1, 2, 3], [1, 2, 3])).toBeCloseTo(1);
+	});
+
+	it("returns -1 for opposite vectors", () => {
+		expect(cosineSimilarity([1, 0, 0], [-1, 0, 0])).toBeCloseTo(-1);
+	});
+
+	it("returns 0 for orthogonal vectors", () => {
+		expect(cosineSimilarity([1, 0], [0, 1])).toBeCloseTo(0);
+	});
+
+	it("returns 0 for empty vectors", () => {
+		expect(cosineSimilarity([], [])).toBe(0);
+	});
+
+	it("returns 0 for mismatched lengths", () => {
+		expect(cosineSimilarity([1, 2], [1, 2, 3])).toBe(0);
+	});
+
+	it("returns 0 for zero vectors", () => {
+		expect(cosineSimilarity([0, 0, 0], [0, 0, 0])).toBe(0);
+	});
+
+	it("computes correct similarity for non-trivial vectors", () => {
+		// cos([1,2,3], [4,5,6]) = 32 / (sqrt(14) * sqrt(77)) ≈ 0.9746
+		expect(cosineSimilarity([1, 2, 3], [4, 5, 6])).toBeCloseTo(0.9746, 3);
+	});
+});
+
+// ── OpenAIEmbeddingProvider ────────────────────────────────────────────
+
+describe("OpenAIEmbeddingProvider", () => {
+	const originalFetch = globalThis.fetch;
+	let mockFetch: ReturnType<typeof vi.fn>;
+
+	beforeEach(() => {
+		mockFetch = vi.fn();
+		globalThis.fetch = mockFetch as typeof fetch;
+	});
+
+	afterEach(() => {
+		globalThis.fetch = originalFetch;
+	});
+
+	function makeProvider(opts?: { model?: string; baseUrl?: string }) {
+		return new OpenAIEmbeddingProvider("test-api-key", opts);
+	}
+
+	function mockEmbeddingResponse(embeddings: number[][]) {
+		mockFetch.mockResolvedValueOnce({
+			ok: true,
+			json: async () => ({
+				data: embeddings.map((embedding, index) => ({ embedding, index })),
+				model: "text-embedding-3-small",
+				usage: { prompt_tokens: 10, total_tokens: 10 },
+			}),
+		});
+	}
+
+	// ── generateEmbedding ──────────────────────────────────────────────
+
+	describe("generateEmbedding", () => {
+		it("returns an embedding vector", async () => {
+			const vec = [0.1, 0.2, 0.3];
+			mockEmbeddingResponse([vec]);
+
+			const provider = makeProvider();
+			const result = await provider.generateEmbedding("hello world");
+
+			expect(result).toEqual(vec);
+			expect(mockFetch).toHaveBeenCalledOnce();
+		});
+
+		it("sends correct request to OpenAI", async () => {
+			mockEmbeddingResponse([[0.1]]);
+
+			const provider = makeProvider();
+			await provider.generateEmbedding("test input");
+
+			const [url, options] = mockFetch.mock.calls[0];
+			expect(url).toBe("https://api.openai.com/v1/embeddings");
+			expect(options.method).toBe("POST");
+			expect(options.headers.Authorization).toBe("Bearer test-api-key");
+			const body = JSON.parse(options.body);
+			expect(body.input).toEqual(["test input"]);
+			expect(body.model).toBe("text-embedding-3-small");
+		});
+
+		it("uses custom base URL and model", async () => {
+			mockEmbeddingResponse([[0.1]]);
+
+			const provider = makeProvider({
+				model: "custom-model",
+				baseUrl: "https://custom.api/v1",
+			});
+			await provider.generateEmbedding("test");
+
+			const [url, options] = mockFetch.mock.calls[0];
+			expect(url).toBe("https://custom.api/v1/embeddings");
+			const body = JSON.parse(options.body);
+			expect(body.model).toBe("custom-model");
+		});
+
+		it("returns null on API error", async () => {
+			mockFetch.mockResolvedValueOnce({
+				ok: false,
+				status: 429,
+				json: async () => ({
+					error: { message: "Rate limit exceeded", type: "rate_limit" },
+				}),
+			});
+
+			const provider = makeProvider();
+			const result = await provider.generateEmbedding("test");
+			expect(result).toBeNull();
+		});
+
+		it("returns null on network error", async () => {
+			mockFetch.mockRejectedValueOnce(new Error("Network error"));
+
+			const provider = makeProvider();
+			const result = await provider.generateEmbedding("test");
+			expect(result).toBeNull();
+		});
+	});
+
+	// ── generateEmbeddings ─────────────────────────────────────────────
+
+	describe("generateEmbeddings", () => {
+		it("returns multiple embeddings", async () => {
+			const vecs = [
+				[0.1, 0.2],
+				[0.3, 0.4],
+			];
+			mockEmbeddingResponse(vecs);
+
+			const provider = makeProvider();
+			const results = await provider.generateEmbeddings(["foo", "bar"]);
+
+			expect(results).toEqual(vecs);
+		});
+
+		it("returns empty array for empty input", async () => {
+			const provider = makeProvider();
+			const results = await provider.generateEmbeddings([]);
+
+			expect(results).toEqual([]);
+			expect(mockFetch).not.toHaveBeenCalled();
+		});
+
+		it("returns nulls for all-whitespace inputs", async () => {
+			const provider = makeProvider();
+			const results = await provider.generateEmbeddings(["  ", "\t", "\n"]);
+
+			expect(results).toEqual([null, null, null]);
+			expect(mockFetch).not.toHaveBeenCalled();
+		});
+
+		it("truncates inputs longer than 8000 chars", async () => {
+			mockEmbeddingResponse([[0.1]]);
+
+			const provider = makeProvider();
+			const longText = "a".repeat(10000);
+			await provider.generateEmbeddings([longText]);
+
+			const body = JSON.parse(mockFetch.mock.calls[0][1].body);
+			expect(body.input[0].length).toBe(8000);
+		});
+
+		it("returns nulls on API error", async () => {
+			mockFetch.mockResolvedValueOnce({
+				ok: false,
+				status: 500,
+				json: async () => ({
+					error: { message: "Internal error", type: "server_error" },
+				}),
+			});
+
+			const provider = makeProvider();
+			const results = await provider.generateEmbeddings(["a", "b"]);
+
+			expect(results).toEqual([null, null]);
+		});
+	});
+});

package/src/__tests__/endpoint-security.test.ts

@@ -0,0 +1,300 @@
+import { createMockDataService } from "@86d-app/core/test-utils";
+import { beforeEach, describe, expect, it } from "vitest";
+import { createSearchController } from "../service-impl";
+
+/**
+ * Security regression tests for search endpoints.
+ *
+ * Search is public-facing and accepts user-supplied text.
+ * These tests verify:
+ * - Session isolation: recent queries are scoped to sessionId
+ * - Index integrity: removing an item doesn't leak leftover results
+ * - Synonym injection: adding synonyms doesn't corrupt unrelated searches
+ * - Query recording: fire-and-forget recording doesn't affect results
+ * - Boundary conditions: extreme input lengths, empty strings, special chars
+ */
+
+describe("search endpoint security", () => {
+	let mockData: ReturnType<typeof createMockDataService>;
+	let controller: ReturnType<typeof createSearchController>;
+
+	beforeEach(() => {
+		mockData = createMockDataService();
+		controller = createSearchController(mockData);
+	});
+
+	// ── Session Isolation ──────────────────────────────────────────
+
+	describe("session isolation on recent queries", () => {
+		it("getRecentQueries only returns queries for the given session", async () => {
+			await controller.recordQuery("shoes", 5, "session_A");
+			await controller.recordQuery("boots", 3, "session_B");
+			await controller.recordQuery("sandals", 2, "session_A");
+
+			const sessionA = await controller.getRecentQueries("session_A");
+			expect(sessionA).toHaveLength(2);
+			for (const q of sessionA) {
+				expect(q.sessionId).toBe("session_A");
+			}
+
+			const sessionB = await controller.getRecentQueries("session_B");
+			expect(sessionB).toHaveLength(1);
+			expect(sessionB[0].sessionId).toBe("session_B");
+		});
+
+		it("queries without sessionId do not appear in any session results", async () => {
+			await controller.recordQuery("anonymous-search", 1);
+
+			const results = await controller.getRecentQueries("any_session");
+			expect(results).toHaveLength(0);
+		});
+
+		it("session A cannot see session B recent queries even with same term", async () => {
+			await controller.recordQuery("laptop", 10, "session_A");
+			await controller.recordQuery("laptop", 10, "session_B");
+
+			const a = await controller.getRecentQueries("session_A");
+			const b = await controller.getRecentQueries("session_B");
+			expect(a).toHaveLength(1);
+			expect(b).toHaveLength(1);
+		});
+	});
+
+	// ── Index Integrity ────────────────────────────────────────────
+
+	describe("index integrity after removal", () => {
+		it("removed item does not appear in search results", async () => {
+			await controller.indexItem({
+				entityType: "product",
+				entityId: "secret_prod",
+				title: "Classified Widget",
+				url: "/products/secret",
+			});
+
+			const before = await controller.search("Classified");
+			expect(before.total).toBeGreaterThan(0);
+
+			await controller.removeFromIndex("product", "secret_prod");
+
+			const after = await controller.search("Classified");
+			expect(after.total).toBe(0);
+		});
+
+		it("removing one entityType does not remove same entityId in another type", async () => {
+			await controller.indexItem({
+				entityType: "product",
+				entityId: "shared_id",
+				title: "Product Item",
+				url: "/product/shared",
+			});
+			await controller.indexItem({
+				entityType: "blog",
+				entityId: "shared_id",
+				title: "Blog Post Item",
+				url: "/blog/shared",
+			});
+
+			await controller.removeFromIndex("product", "shared_id");
+
+			const results = await controller.search("Item");
+			expect(results.total).toBe(1);
+			expect(results.results[0].item.entityType).toBe("blog");
+		});
+	});
+
+	// ── Synonym Safety ─────────────────────────────────────────────
+
+	describe("synonym management safety", () => {
+		it("synonyms only expand for configured terms", async () => {
+			await controller.indexItem({
+				entityType: "product",
+				entityId: "tshirt_1",
+				title: "Cotton T-Shirt",
+				url: "/products/tshirt",
+			});
+			await controller.indexItem({
+				entityType: "product",
+				entityId: "pants_1",
+				title: "Denim Pants",
+				url: "/products/pants",
+			});
+
+			await controller.addSynonym("tee", ["t-shirt"]);
+
+			// "tee" should find t-shirt
+			const teeResults = await controller.search("tee");
+			expect(teeResults.total).toBeGreaterThan(0);
+
+			// "tee" should NOT find pants
+			for (const r of teeResults.results) {
+				expect(r.item.title).not.toContain("Pants");
+			}
+		});
+
+		it("removing a synonym stops expansion", async () => {
+			await controller.indexItem({
+				entityType: "product",
+				entityId: "shoe_1",
+				title: "Running Shoes",
+				url: "/products/shoes",
+			});
+
+			const syn = await controller.addSynonym("sneakers", ["shoes"]);
+			const before = await controller.search("sneakers");
+			expect(before.total).toBeGreaterThan(0);
+
+			await controller.removeSynonym(syn.id);
+			const after = await controller.search("sneakers");
+			expect(after.total).toBe(0);
+		});
+	});
+
+	// ── Boundary Conditions ────────────────────────────────────────
+
+	describe("input boundary handling", () => {
+		it("empty query returns no results without error", async () => {
+			await controller.indexItem({
+				entityType: "product",
+				entityId: "p1",
+				title: "Widget",
+				url: "/p",
+			});
+
+			const result = await controller.search("");
+			expect(result.results).toHaveLength(0);
+			expect(result.total).toBe(0);
+		});
+
+		it("whitespace-only query returns no results", async () => {
+			await controller.indexItem({
+				entityType: "product",
+				entityId: "p1",
+				title: "Widget",
+				url: "/p",
+			});
+
+			const result = await controller.search("   ");
+			expect(result.results).toHaveLength(0);
+		});
+
+		it("suggest with empty prefix returns empty", async () => {
+			await controller.recordQuery("popular term", 10);
+			const suggestions = await controller.suggest("");
+			expect(suggestions).toHaveLength(0);
+		});
+
+		it("search with special characters does not crash", async () => {
+			await controller.indexItem({
+				entityType: "product",
+				entityId: "p1",
+				title: "Widget",
+				url: "/p",
+			});
+
+			// These should not throw
+			await controller.search("<script>alert(1)</script>");
+			await controller.search("'; DROP TABLE--");
+			await controller.search("../../etc/passwd");
+		});
+
+		it("entityType filter prevents cross-type leakage", async () => {
+			await controller.indexItem({
+				entityType: "product",
+				entityId: "p1",
+				title: "Shared Name Widget",
+				url: "/products/p1",
+			});
+			await controller.indexItem({
+				entityType: "page",
+				entityId: "pg1",
+				title: "Shared Name Widget",
+				url: "/pages/pg1",
+			});
+
+			const products = await controller.search("Shared Name", {
+				entityType: "product",
+			});
+			expect(products.total).toBe(1);
+			expect(products.results[0].item.entityType).toBe("product");
+		});
+	});
+
+	// ── Analytics Integrity ────────────────────────────────────────
+
+	describe("analytics data integrity", () => {
+		it("analytics counts reflect actual query history", async () => {
+			await controller.recordQuery("shoes", 5);
+			await controller.recordQuery("shoes", 5);
+			await controller.recordQuery("boots", 0);
+
+			const analytics = await controller.getAnalytics();
+			expect(analytics.totalQueries).toBe(3);
+			expect(analytics.zeroResultCount).toBe(1);
+		});
+
+		it("zero-result queries are tracked accurately", async () => {
+			await controller.recordQuery("nonexistent", 0);
+			await controller.recordQuery("also-missing", 0);
+			await controller.recordQuery("found-it", 3);
+
+			const zeroResults = await controller.getZeroResultQueries();
+			expect(zeroResults).toHaveLength(2);
+			for (const term of zeroResults) {
+				expect(["nonexistent", "also-missing"]).toContain(term.term);
+			}
+		});
+
+		it("popular terms exclude zero-result queries from suggestions", async () => {
+			await controller.recordQuery("widget", 10);
+			await controller.recordQuery("widget", 10);
+			await controller.recordQuery("nope", 0);
+
+			const popular = await controller.getPopularTerms();
+			const terms = popular.map((p) => p.term);
+			expect(terms).toContain("widget");
+		});
+	});
+
+	// ── Re-indexing Deduplication ───────────────────────────────────
+
+	describe("re-indexing deduplication", () => {
+		it("re-indexing same entity updates rather than duplicates", async () => {
+			await controller.indexItem({
+				entityType: "product",
+				entityId: "p1",
+				title: "Old Title",
+				url: "/p1",
+			});
+			await controller.indexItem({
+				entityType: "product",
+				entityId: "p1",
+				title: "New Title",
+				url: "/p1",
+			});
+
+			const results = await controller.search("Title");
+			expect(results.total).toBe(1);
+			expect(results.results[0].item.title).toBe("New Title");
+		});
+
+		it("indexCount does not grow on re-index", async () => {
+			await controller.indexItem({
+				entityType: "product",
+				entityId: "p1",
+				title: "Widget",
+				url: "/p",
+			});
+			const count1 = await controller.getIndexCount();
+
+			await controller.indexItem({
+				entityType: "product",
+				entityId: "p1",
+				title: "Updated Widget",
+				url: "/p",
+			});
+			const count2 = await controller.getIndexCount();
+
+			expect(count2).toBe(count1);
+		});
+	});
+});