@a5c-ai/krate 5.0.1-staging.00fa5317c

package/tests/agent-mux-client.test.js

@@ -0,0 +1,204 @@
+import assert from 'node:assert/strict';
+import { describe, it } from 'node:test';
+import { createAgentMuxClient, parseSseLines, AGENT_MUX_CLIENT_BOUNDARY } from '../src/agent-mux-client.js';
+
+describe('AGENT_MUX_CLIENT_BOUNDARY', () => {
+  it('declares the expected role and scope', () => {
+    assert.equal(AGENT_MUX_CLIENT_BOUNDARY.role, 'agent-mux-client');
+    assert.ok(AGENT_MUX_CLIENT_BOUNDARY.scope.includes('HTTP/SSE'));
+    assert.ok(AGENT_MUX_CLIENT_BOUNDARY.owns.includes('gateway HTTP calls'));
+    assert.ok(AGENT_MUX_CLIENT_BOUNDARY.delegatesTo.includes('resource-model'));
+  });
+});
+
+describe('createAgentMuxClient — isAvailable', () => {
+  it('returns false when enabled is false', () => {
+    const client = createAgentMuxClient({ gateway: 'http://localhost:8080', enabled: false });
+    assert.equal(client.isAvailable(), false);
+  });
+
+  it('returns false when gateway is empty', () => {
+    const client = createAgentMuxClient({ gateway: '', enabled: true });
+    assert.equal(client.isAvailable(), false);
+  });
+
+  it('returns false when no options are provided', () => {
+    const client = createAgentMuxClient();
+    assert.equal(client.isAvailable(), false);
+  });
+
+  it('returns true when enabled is true and gateway is set', () => {
+    const client = createAgentMuxClient({ gateway: 'http://localhost:8080', enabled: true });
+    assert.equal(client.isAvailable(), true);
+  });
+});
+
+describe('createAgentMuxClient — queryCapabilities', () => {
+  it('returns null when client is unavailable', async () => {
+    const client = createAgentMuxClient({ enabled: false });
+    const result = await client.queryCapabilities('claude-code');
+    assert.equal(result, null);
+  });
+});
+
+describe('createAgentMuxClient — launchSession', () => {
+  it('returns null when client is unavailable', async () => {
+    const client = createAgentMuxClient({ enabled: false });
+    const result = await client.launchSession({
+      stack: { baseAgent: 'claude-code' },
+      contextBundle: {},
+      permissionSnapshot: {},
+      workspace: {}
+    });
+    assert.equal(result, null);
+  });
+});
+
+describe('parseSseLines', () => {
+  it('parses valid SSE data lines', () => {
+    const text = [
+      'data: {"role":"assistant","content":"hello"}',
+      '',
+      'data: {"role":"user","content":"world"}',
+      '',
+    ].join('\n');
+    const events = parseSseLines(text);
+    assert.equal(events.length, 2);
+    assert.equal(events[0].role, 'assistant');
+    assert.equal(events[0].content, 'hello');
+    assert.equal(events[1].role, 'user');
+    assert.equal(events[1].content, 'world');
+  });
+
+  it('handles multiple data lines in a single block', () => {
+    const text = [
+      'data: {"seq":1}',
+      'data: {"seq":2}',
+      '',
+    ].join('\n');
+    const events = parseSseLines(text);
+    assert.equal(events.length, 2);
+    assert.equal(events[0].seq, 1);
+    assert.equal(events[1].seq, 2);
+  });
+
+  it('skips malformed JSON gracefully', () => {
+    const text = [
+      'data: {"valid":true}',
+      'data: not-json',
+      'data: {"also":"valid"}',
+      '',
+    ].join('\n');
+    const events = parseSseLines(text);
+    assert.equal(events.length, 2);
+    assert.equal(events[0].valid, true);
+    assert.equal(events[1].also, 'valid');
+  });
+
+  it('ignores non-data SSE lines', () => {
+    const text = [
+      'event: message',
+      'id: 42',
+      'data: {"role":"assistant","content":"test"}',
+      'retry: 3000',
+      '',
+    ].join('\n');
+    const events = parseSseLines(text);
+    assert.equal(events.length, 1);
+    assert.equal(events[0].role, 'assistant');
+  });
+
+  it('returns empty array for empty text', () => {
+    assert.deepEqual(parseSseLines(''), []);
+  });
+
+  it('returns empty array for text with no data lines', () => {
+    assert.deepEqual(parseSseLines('event: ping\nid: 1\n\n'), []);
+  });
+});
+
+describe('createAgentMuxClient — reconcileTranscript', () => {
+  it('creates a valid AgentSessionTranscript resource from events', () => {
+    const client = createAgentMuxClient({ gateway: 'http://localhost:8080', enabled: true });
+    const events = [
+      { role: 'user', content: 'Fix the bug', timestamp: '2026-01-01T00:00:00Z' },
+      { role: 'assistant', content: 'Looking at the code...', timestamp: '2026-01-01T00:00:01Z', usage: { inputTokens: 100, outputTokens: 50 } },
+      { role: 'assistant', content: 'Fixed it.', timestamp: '2026-01-01T00:00:02Z', usage: { inputTokens: 200, outputTokens: 80 } },
+    ];
+
+    const transcript = client.reconcileTranscript('sess-123', events, { namespace: 'krate-org-acme', organizationRef: 'acme' });
+
+    assert.equal(transcript.kind, 'AgentSessionTranscript');
+    assert.equal(transcript.apiVersion, 'krate.a5c.ai/v1alpha1');
+    assert.equal(transcript.metadata.name, 'transcript-sess-123');
+    assert.equal(transcript.metadata.namespace, 'krate-org-acme');
+    assert.equal(transcript.spec.organizationRef, 'acme');
+    assert.equal(transcript.spec.sessionRef, 'sess-123');
+    assert.equal(transcript.spec.messages.length, 3);
+    assert.equal(transcript.spec.messages[0].role, 'user');
+    assert.equal(transcript.spec.messages[0].content, 'Fix the bug');
+    assert.equal(transcript.spec.messages[1].role, 'assistant');
+    assert.equal(transcript.spec.cost.inputTokens, 300);
+    assert.equal(transcript.spec.cost.outputTokens, 130);
+    assert.equal(transcript.spec.cost.totalTokens, 430);
+    assert.equal(transcript.status.phase, 'Reconciled');
+  });
+
+  it('handles empty events array', () => {
+    const client = createAgentMuxClient({ gateway: 'http://localhost:8080', enabled: true });
+    const transcript = client.reconcileTranscript('sess-empty', [], { namespace: 'default', organizationRef: 'default' });
+
+    assert.equal(transcript.kind, 'AgentSessionTranscript');
+    assert.equal(transcript.spec.sessionRef, 'sess-empty');
+    assert.equal(transcript.spec.messages.length, 0);
+    assert.equal(transcript.spec.cost.inputTokens, 0);
+    assert.equal(transcript.spec.cost.outputTokens, 0);
+    assert.equal(transcript.spec.cost.totalTokens, 0);
+  });
+
+  it('handles events with toolUse and toolResult', () => {
+    const client = createAgentMuxClient({ gateway: 'http://localhost:8080', enabled: true });
+    const events = [
+      { role: 'assistant', content: 'Using tool...', toolUse: { name: 'read_file', input: { path: '/tmp/f' } }, timestamp: '2026-01-01T00:00:00Z' },
+      { role: 'tool', content: 'file contents', toolResult: { output: 'ok' }, timestamp: '2026-01-01T00:00:01Z' },
+    ];
+    const transcript = client.reconcileTranscript('sess-tools', events, { namespace: 'default', organizationRef: 'default' });
+
+    assert.equal(transcript.spec.messages.length, 2);
+    assert.deepEqual(transcript.spec.messages[0].toolUse, { name: 'read_file', input: { path: '/tmp/f' } });
+    assert.deepEqual(transcript.spec.messages[1].toolResult, { output: 'ok' });
+  });
+
+  it('handles events with non-string content', () => {
+    const client = createAgentMuxClient({ gateway: 'http://localhost:8080', enabled: true });
+    const events = [
+      { role: 'assistant', content: { type: 'structured', data: [1, 2, 3] }, timestamp: '2026-01-01T00:00:00Z' },
+    ];
+    const transcript = client.reconcileTranscript('sess-obj', events, { namespace: 'default', organizationRef: 'default' });
+
+    assert.equal(typeof transcript.spec.messages[0].content, 'string');
+    assert.ok(transcript.spec.messages[0].content.includes('"type":"structured"'));
+  });
+
+  it('skips null/non-object events gracefully', () => {
+    const client = createAgentMuxClient({ gateway: 'http://localhost:8080', enabled: true });
+    const events = [
+      null,
+      'not-an-object',
+      42,
+      { role: 'user', content: 'valid', timestamp: '2026-01-01T00:00:00Z' },
+    ];
+    const transcript = client.reconcileTranscript('sess-mixed', events, { namespace: 'default', organizationRef: 'default' });
+
+    assert.equal(transcript.spec.messages.length, 1);
+    assert.equal(transcript.spec.messages[0].role, 'user');
+  });
+
+  it('uses default namespace and organizationRef when not specified', () => {
+    const client = createAgentMuxClient({ gateway: 'http://localhost:8080', enabled: true });
+    const transcript = client.reconcileTranscript('sess-defaults', []);
+
+    assert.equal(transcript.metadata.namespace, 'default');
+    assert.equal(transcript.spec.organizationRef, 'default');
+  });
+});

package/tests/agent-permission-review-v2.test.js

@@ -0,0 +1,317 @@
+import { describe, it } from 'node:test';
+import assert from 'node:assert/strict';
+import { createPermissionReviewer } from '../src/agent-permission-review.js';
+import { createResource } from '../src/resource-model.js';
+
+// ---------- shared helpers ----------
+
+function makeStack(name, specOverrides = {}) {
+  return createResource('AgentStack', { name }, {
+    organizationRef: 'org-a',
+    baseAgent: 'claude-code',
+    adapter: 'babysitter',
+    runtimeIdentity: { serviceAccountRef: 'sa-agent' },
+    ...specOverrides
+  });
+}
+
+function makeServiceAccount(name, orgRef = 'org-a') {
+  return createResource('AgentServiceAccount', { name }, {
+    organizationRef: orgRef,
+    namespace: 'krate-agents',
+    serviceAccountName: name
+  });
+}
+
+function makeRoleBinding(name, subject, orgRef = 'org-a') {
+  return createResource('AgentRoleBinding', { name }, {
+    organizationRef: orgRef,
+    subject,
+    roleRef: 'agent-role',
+    scope: 'namespace'
+  });
+}
+
+function makeSecretGrant(name, subject, purpose, overrides = {}) {
+  return createResource('AgentSecretGrant', { name }, {
+    organizationRef: 'org-a',
+    subject,
+    secretRef: 'api-keys',
+    purpose,
+    ...overrides
+  });
+}
+
+function makeWorkspacePolicy(name, specOverrides = {}) {
+  return createResource('KrateWorkspacePolicy', { name }, {
+    organizationRef: 'org-a',
+    mode: 'ephemeral',
+    retentionPolicy: 'delete-on-completion',
+    ...specOverrides
+  });
+}
+
+function fullyGrantedResources(stackOverrides = {}) {
+  return {
+    AgentStack: [makeStack('test-stack', stackOverrides)],
+    AgentServiceAccount: [makeServiceAccount('sa-agent')],
+    AgentRoleBinding: [makeRoleBinding('rb-1', 'sa-agent')],
+    AgentSecretGrant: [makeSecretGrant('sg-model', 'sa-agent', 'model-provider')],
+    AgentConfigGrant: [],
+    AgentMcpServer: [],
+    KrateWorkspacePolicy: []
+  };
+}
+
+const baseInput = {
+  repository: 'org-a/my-repo',
+  ref: 'refs/heads/main',
+  actor: 'user-1',
+  agentStack: 'test-stack',
+  triggerSource: 'manual',
+  taskKind: 'fix'
+};
+
+// ==========================================================
+// Group 1 — Cross-org denial
+// ==========================================================
+
+describe('agent permission review v2 — cross-org denial', () => {
+  it('allows access when agent org matches repository org', () => {
+    const reviewer = createPermissionReviewer();
+    const resources = fullyGrantedResources({ organizationRef: 'org-a' });
+    const result = reviewer.reviewPermissions({
+      ...baseInput,
+      repository: 'org-a/my-repo',
+      resources
+    });
+    assert.equal(result.decision, 'allowed');
+    assert.ok(Array.isArray(result.crossOrgDenials), 'crossOrgDenials should be present');
+    assert.equal(result.crossOrgDenials.length, 0, 'no cross-org denials expected');
+  });
+
+  it('denies access and populates crossOrgDenials when agent org differs from repository org', () => {
+    const reviewer = createPermissionReviewer();
+    // stack is in org-a but repository is in org-b
+    const resources = fullyGrantedResources({ organizationRef: 'org-a' });
+    const result = reviewer.reviewPermissions({
+      ...baseInput,
+      repository: 'org-b/their-repo',
+      resources
+    });
+    assert.equal(result.decision, 'denied');
+    assert.ok(Array.isArray(result.crossOrgDenials), 'crossOrgDenials must be an array');
+    assert.ok(result.crossOrgDenials.length > 0, 'should have at least one cross-org denial entry');
+    const denial = result.crossOrgDenials[0];
+    assert.ok(denial.agentOrg, 'denial should include agentOrg');
+    assert.ok(denial.resourceOrg, 'denial should include resourceOrg');
+  });
+
+  it('cross-org denial error is reflected in the reasons array with severity error', () => {
+    const reviewer = createPermissionReviewer();
+    const resources = fullyGrantedResources({ organizationRef: 'org-a' });
+    const result = reviewer.reviewPermissions({
+      ...baseInput,
+      repository: 'org-z/external-repo',
+      resources
+    });
+    assert.ok(
+      result.reasons.some((r) => r.severity === 'error' && r.message.toLowerCase().includes('org')),
+      'reasons should contain an error mentioning org mismatch'
+    );
+  });
+});
+
+// ==========================================================
+// Group 2 — Approval mode validation
+// ==========================================================
+
+describe('agent permission review v2 — approval mode', () => {
+  it("approvalMode 'yolo' auto-approves and decision is allowed when permissions are otherwise valid", () => {
+    const reviewer = createPermissionReviewer();
+    const resources = fullyGrantedResources({ approvalMode: 'yolo' });
+    const result = reviewer.reviewPermissions({
+      ...baseInput,
+      resources
+    });
+    assert.equal(result.decision, 'allowed');
+    assert.equal(result.approvalMode, 'yolo');
+  });
+
+  it("approvalMode 'deny' blocks all requests and returns denied", () => {
+    const reviewer = createPermissionReviewer();
+    const resources = fullyGrantedResources({ approvalMode: 'deny' });
+    const result = reviewer.reviewPermissions({
+      ...baseInput,
+      resources
+    });
+    assert.equal(result.decision, 'denied');
+    assert.equal(result.approvalMode, 'deny');
+    assert.ok(
+      result.reasons.some((r) => r.severity === 'error' && r.message.toLowerCase().includes('deny')),
+      'reason should mention deny mode'
+    );
+  });
+
+  it("approvalMode 'prompt' keeps requires-approval when grants need approval", () => {
+    const reviewer = createPermissionReviewer();
+    const mcpServer = createResource('AgentMcpServer', { name: 'mcp-prod' }, {
+      organizationRef: 'org-a',
+      transport: 'stdio',
+      scope: 'workspace',
+      secretRef: 'prod-secret'
+    });
+    const stack = makeStack('test-stack', {
+      approvalMode: 'prompt',
+      mcpServerRefs: ['mcp-prod']
+    });
+    const mcpGrant = makeSecretGrant('sg-prod', 'sa-agent', 'mcp-server:mcp-prod', {
+      requiredApproval: 'always'
+    });
+    const resources = {
+      AgentStack: [stack],
+      AgentServiceAccount: [makeServiceAccount('sa-agent')],
+      AgentRoleBinding: [makeRoleBinding('rb-1', 'sa-agent')],
+      AgentSecretGrant: [mcpGrant, makeSecretGrant('sg-model', 'sa-agent', 'model-provider')],
+      AgentConfigGrant: [],
+      AgentMcpServer: [mcpServer],
+      KrateWorkspacePolicy: []
+    };
+    const result = reviewer.reviewPermissions({ ...baseInput, resources });
+    assert.equal(result.decision, 'requires-approval');
+    assert.equal(result.approvalMode, 'prompt');
+  });
+
+  it('invalid approvalMode value causes denied with validation error', () => {
+    const reviewer = createPermissionReviewer();
+    const resources = fullyGrantedResources({ approvalMode: 'auto-accept-everything' });
+    const result = reviewer.reviewPermissions({
+      ...baseInput,
+      resources
+    });
+    assert.equal(result.decision, 'denied');
+    assert.ok(
+      result.reasons.some((r) => r.severity === 'error' && r.message.toLowerCase().includes('approvalmode')),
+      'reasons should flag invalid approvalMode'
+    );
+  });
+});
+
+// ==========================================================
+// Group 3 — Workspace policy enforcement
+// ==========================================================
+
+describe('agent permission review v2 — workspace policy', () => {
+  it('allowed when requested tool is in workspace policy allowedTools', () => {
+    const reviewer = createPermissionReviewer();
+    const policy = makeWorkspacePolicy('wp-1', { allowedTools: ['bash', 'read_file'] });
+    const resources = {
+      ...fullyGrantedResources(),
+      KrateWorkspacePolicy: [policy]
+    };
+    const result = reviewer.reviewPermissions({
+      ...baseInput,
+      workspacePolicyRef: 'wp-1',
+      toolRefs: ['bash'],
+      resources
+    });
+    assert.equal(result.decision, 'allowed');
+  });
+
+  it('denied when requested tool is in workspace policy deniedTools', () => {
+    const reviewer = createPermissionReviewer();
+    const policy = makeWorkspacePolicy('wp-1', { deniedTools: ['bash'] });
+    const resources = {
+      ...fullyGrantedResources(),
+      KrateWorkspacePolicy: [policy]
+    };
+    const result = reviewer.reviewPermissions({
+      ...baseInput,
+      workspacePolicyRef: 'wp-1',
+      toolRefs: ['bash'],
+      resources
+    });
+    assert.equal(result.decision, 'denied');
+    assert.ok(
+      result.reasons.some((r) => r.severity === 'error' && r.message.toLowerCase().includes('denied')),
+      'reason should mention denied tool'
+    );
+  });
+
+  it('denied when maxConcurrentSessions is 0 (no sessions allowed by policy)', () => {
+    const reviewer = createPermissionReviewer();
+    const policy = makeWorkspacePolicy('wp-strict', { maxConcurrentSessions: 0 });
+    const resources = {
+      ...fullyGrantedResources(),
+      KrateWorkspacePolicy: [policy]
+    };
+    const result = reviewer.reviewPermissions({
+      ...baseInput,
+      workspacePolicyRef: 'wp-strict',
+      resources
+    });
+    assert.equal(result.decision, 'denied');
+    assert.ok(
+      result.reasons.some((r) => r.severity === 'error' && r.message.toLowerCase().includes('maxconcurrentsessions')),
+      'reason should mention maxConcurrentSessions'
+    );
+  });
+});
+
+// ==========================================================
+// Group 4 — Untrusted fork detection
+// ==========================================================
+
+describe('agent permission review v2 — untrusted fork detection', () => {
+  it('no untrustedForkWarnings when ref is from the canonical repository', () => {
+    const reviewer = createPermissionReviewer();
+    const resources = fullyGrantedResources();
+    const result = reviewer.reviewPermissions({
+      ...baseInput,
+      repository: 'org-a/my-repo',
+      ref: 'refs/heads/main',
+      resources
+    });
+    assert.ok(Array.isArray(result.untrustedForkWarnings), 'untrustedForkWarnings must be present');
+    assert.equal(result.untrustedForkWarnings.length, 0);
+  });
+
+  it('untrustedForkWarnings populated when ref indicates a fork (refs/pull/*/head from external fork)', () => {
+    const reviewer = createPermissionReviewer();
+    // A pull_request ref from a fork is commonly refs/pull/<n>/head where the head sha is from a fork
+    const resources = fullyGrantedResources();
+    const result = reviewer.reviewPermissions({
+      ...baseInput,
+      repository: 'org-a/my-repo',
+      ref: 'refs/pull/42/head',
+      isFork: true,
+      resources
+    });
+    assert.ok(Array.isArray(result.untrustedForkWarnings), 'untrustedForkWarnings must be present');
+    assert.ok(result.untrustedForkWarnings.length > 0, 'should have at least one fork warning');
+  });
+
+  it('privileged grants (ServiceAccount, Secret) are blocked for untrusted forks', () => {
+    const reviewer = createPermissionReviewer();
+    const resources = fullyGrantedResources();
+    const result = reviewer.reviewPermissions({
+      ...baseInput,
+      repository: 'org-a/my-repo',
+      ref: 'refs/pull/99/head',
+      isFork: true,
+      resources
+    });
+    // Privileged grants that existed should not be in the approved grants list
+    // or the decision should downgrade
+    const hasPrivilegedGrant = result.grants.some(
+      (g) => (g.kind === 'AgentServiceAccount' || g.kind === 'AgentSecretGrant') && g.status === 'granted'
+    );
+    // Either the grants are stripped or decision is denied/requires-approval
+    const isRestricted = !hasPrivilegedGrant || result.decision === 'denied' || result.decision === 'requires-approval';
+    assert.ok(isRestricted, 'privileged grants must not be silently approved for untrusted forks');
+    assert.ok(
+      result.untrustedForkWarnings.some((w) => w.blockedKinds && w.blockedKinds.length > 0),
+      'fork warning should list blocked kinds'
+    );
+  });
+});