@a5c-ai/krate 5.0.1-staging.00fa5317c

package/tests/session-cookie-hmac.test.js

@@ -0,0 +1,151 @@
+/**
+ * C5: Session cookie HMAC signing tests
+ * Tests for HMAC-SHA256 signing of session cookies when KRATE_SESSION_SECRET is set.
+ */
+import assert from 'node:assert/strict';
+import test from 'node:test';
+import { createSessionCookie, parseSessionCookie } from '../src/auth.js';
+
+function makeConfig(cookieName = 'krate_session') {
+  return { session: { cookieName } };
+}
+
+const TEST_SECRET = 'super-secret-hmac-key-for-testing-1234567890';
+
+const testProfile = {
+  provider: 'github',
+  subject: 'user-42',
+  username: 'alice',
+  email: 'alice@example.com'
+};
+
+// --- createSessionCookie with HMAC signing ---
+
+test('createSessionCookie includes HMAC signature in cookie value when secret is set', () => {
+  const config = makeConfig();
+  const cookie = createSessionCookie(config, testProfile, { secret: TEST_SECRET });
+
+  // Cookie format: name=payload.signature; Path=/; ...
+  const cookieValue = cookie.split(';')[0].split('=').slice(1).join('=');
+  assert.ok(cookieValue.includes('.'), 'Signed cookie value should contain a period separating payload from signature');
+
+  const parts = cookieValue.split('.');
+  assert.equal(parts.length, 2, 'Should have exactly payload and signature parts');
+  assert.ok(parts[0].length > 0, 'Payload should be non-empty');
+  assert.ok(parts[1].length > 0, 'Signature should be non-empty');
+});
+
+test('createSessionCookie without secret produces unsigned cookie (no period separator)', () => {
+  const config = makeConfig();
+  const cookie = createSessionCookie(config, testProfile);
+
+  const cookieValue = cookie.split(';')[0].split('=').slice(1).join('=');
+  // Unsigned: base64url encoded JSON, no dot separator
+  assert.ok(!cookieValue.includes('.'), 'Unsigned cookie should not have period separator');
+
+  // Payload should be valid base64url JSON
+  const parsed = JSON.parse(Buffer.from(cookieValue, 'base64url').toString('utf8'));
+  assert.equal(parsed.provider, testProfile.provider);
+  assert.equal(parsed.subject, testProfile.subject);
+});
+
+test('createSessionCookie without secret but with empty string secret is unsigned', () => {
+  const config = makeConfig();
+  const cookie = createSessionCookie(config, testProfile, { secret: '' });
+
+  const cookieValue = cookie.split(';')[0].split('=').slice(1).join('=');
+  assert.ok(!cookieValue.includes('.'), 'Empty secret should produce unsigned cookie');
+});
+
+// --- parseSessionCookie with HMAC verification ---
+
+test('parseSessionCookie verifies HMAC signature and returns session when valid', () => {
+  const config = makeConfig();
+  const cookie = createSessionCookie(config, testProfile, { secret: TEST_SECRET });
+  const cookieValue = cookie.split(';')[0].split('=').slice(1).join('=');
+
+  const session = parseSessionCookie(config, cookieValue, { secret: TEST_SECRET });
+
+  assert.ok(session, 'Should parse and verify correctly');
+  assert.equal(session.provider, testProfile.provider);
+  assert.equal(session.subject, testProfile.subject);
+  assert.equal(session.user, testProfile.username);
+});
+
+test('parseSessionCookie rejects tampered cookie payload', () => {
+  const config = makeConfig();
+  const cookie = createSessionCookie(config, testProfile, { secret: TEST_SECRET });
+  const cookieValue = cookie.split(';')[0].split('=').slice(1).join('=');
+
+  // Tamper with the payload by replacing it with different data
+  const [, signature] = cookieValue.split('.');
+  const tamperedPayload = Buffer.from(JSON.stringify({ provider: 'github', subject: 'hacker', user: 'hacker' })).toString('base64url');
+  const tamperedCookieValue = `${tamperedPayload}.${signature}`;
+
+  const session = parseSessionCookie(config, tamperedCookieValue, { secret: TEST_SECRET });
+
+  assert.equal(session, null, 'Should reject tampered cookie');
+});
+
+test('parseSessionCookie rejects cookie with wrong signature', () => {
+  const config = makeConfig();
+  const cookie = createSessionCookie(config, testProfile, { secret: TEST_SECRET });
+  const cookieValue = cookie.split(';')[0].split('=').slice(1).join('=');
+
+  // Replace signature with garbage
+  const [payload] = cookieValue.split('.');
+  const tamperedCookieValue = `${payload}.invalidsignatureXXXXXX`;
+
+  const session = parseSessionCookie(config, tamperedCookieValue, { secret: TEST_SECRET });
+
+  assert.equal(session, null, 'Should reject cookie with wrong signature');
+});
+
+test('parseSessionCookie accepts unsigned cookie when no secret provided (backward compat)', () => {
+  const config = makeConfig();
+  // Create unsigned cookie (no secret)
+  const cookie = createSessionCookie(config, testProfile);
+  const cookieValue = cookie.split(';')[0].split('=').slice(1).join('=');
+
+  const session = parseSessionCookie(config, cookieValue);
+
+  assert.ok(session, 'Should parse unsigned cookie when no secret provided');
+  assert.equal(session.provider, testProfile.provider);
+  assert.equal(session.subject, testProfile.subject);
+});
+
+test('parseSessionCookie rejects signed cookie when no verification secret is given', () => {
+  const config = makeConfig();
+  // Signed cookie but parsed without secret
+  const cookie = createSessionCookie(config, testProfile, { secret: TEST_SECRET });
+  const cookieValue = cookie.split(';')[0].split('=').slice(1).join('=');
+
+  // Parse without secret — signed payload contains a dot, so base64url decode will fail or return null
+  const session = parseSessionCookie(config, cookieValue);
+
+  assert.equal(session, null, 'Should reject signed cookie when no secret is provided for verification');
+});
+
+test('parseSessionCookie with different secret rejects the cookie', () => {
+  const config = makeConfig();
+  const cookie = createSessionCookie(config, testProfile, { secret: TEST_SECRET });
+  const cookieValue = cookie.split(';')[0].split('=').slice(1).join('=');
+
+  const session = parseSessionCookie(config, cookieValue, { secret: 'wrong-secret-completely-different' });
+
+  assert.equal(session, null, 'Should reject cookie signed with a different secret');
+});
+
+test('createSessionCookie with same input and same secret produces same signature (deterministic)', () => {
+  const config = makeConfig();
+  const cookie1 = createSessionCookie(config, testProfile, { secret: TEST_SECRET });
+  const cookie2 = createSessionCookie(config, testProfile, { secret: TEST_SECRET });
+
+  const value1 = cookie1.split(';')[0].split('=').slice(1).join('=');
+  const value2 = cookie2.split(';')[0].split('=').slice(1).join('=');
+
+  const sig1 = value1.split('.')[1];
+  const sig2 = value2.split('.')[1];
+
+  assert.equal(sig1, sig2, 'Same input+secret should produce same HMAC signature');
+});

package/tests/snapshot-performance.test.js

@@ -0,0 +1,247 @@
+/**
+ * Tests for async kubectl helpers, partial snapshot, and stale-while-revalidate cache.
+ */
+
+import assert from 'node:assert/strict';
+import test from 'node:test';
+import { runKubectlAsync, getPartialSnapshot, getControllerSnapshotAsync } from '../src/kubernetes-controller-async.js';
+import {
+  getSnapshotCache,
+  setSnapshotCache,
+  clearSnapshotCache,
+  getOrgCache,
+  setOrgCache,
+  clearOrgCache,
+  cachedOrgs,
+  isCacheFresh,
+  staleWhileRevalidate,
+  CACHE_TTL_MS
+} from '../src/snapshot-cache.js';
+
+// ---------------------------------------------------------------------------
+// runKubectlAsync
+// ---------------------------------------------------------------------------
+
+test('runKubectlAsync resolves with ok=true for a succeeding command', async () => {
+  const result = await runKubectlAsync(['version', '--client=true', '-o', 'json'], {
+    kubectl: process.env.KRATE_KUBECTL || 'kubectl',
+    timeoutMs: 5000,
+    allowFailure: true
+  });
+  // We can't guarantee kubectl is installed in CI, so we just check the shape.
+  assert.ok(typeof result.ok === 'boolean', 'result.ok is boolean');
+  assert.ok(typeof result.stdout === 'string', 'result.stdout is string');
+  assert.ok(typeof result.stderr === 'string', 'result.stderr is string');
+  assert.ok(typeof result.command === 'string', 'result.command is string');
+});
+
+test('runKubectlAsync with allowFailure=true resolves even on non-zero exit', async () => {
+  // Use a bogus sub-command that kubectl will reject
+  const result = await runKubectlAsync(['get', 'nonexistent-resource-kind-xyz-abc', '--request-timeout=1s'], {
+    kubectl: process.env.KRATE_KUBECTL || 'kubectl',
+    timeoutMs: 5000,
+    allowFailure: true
+  });
+  assert.ok(typeof result.ok === 'boolean', 'shape preserved on failure');
+  assert.ok(typeof result.stderr === 'string', 'stderr present');
+  assert.ok(typeof result.command === 'string', 'command present');
+});
+
+test('runKubectlAsync result has same shape keys as runKubectl sync version', async () => {
+  const result = await runKubectlAsync(['version', '--client=true', '-o', 'json'], {
+    kubectl: process.env.KRATE_KUBECTL || 'kubectl',
+    timeoutMs: 5000,
+    allowFailure: true
+  });
+  const expectedKeys = ['ok', 'status', 'signal', 'stdout', 'stderr', 'error', 'command'];
+  for (const key of expectedKeys) {
+    assert.ok(key in result, `result has key "${key}"`);
+  }
+});
+
+test('runKubectlAsync times out and resolves with ok=false when allowFailure=true', async () => {
+  // Use an extremely short timeout to force a timeout path
+  const result = await runKubectlAsync(['version', '--client=true', '-o', 'json'], {
+    kubectl: process.env.KRATE_KUBECTL || 'kubectl',
+    timeoutMs: 1,   // 1 ms — will always time out
+    allowFailure: true
+  });
+  assert.equal(result.ok, false, 'timed out result has ok=false');
+  assert.ok(result.error, 'timed out result has error message');
+});
+
+test('runKubectlAsync rejects on timeout when allowFailure is not set', async () => {
+  await assert.rejects(
+    () => runKubectlAsync(['version', '--client=true', '-o', 'json'], {
+      kubectl: process.env.KRATE_KUBECTL || 'kubectl',
+      timeoutMs: 1
+    }),
+    (err) => {
+      assert.ok(err instanceof Error, 'throws Error');
+      return true;
+    }
+  );
+});
+
+// ---------------------------------------------------------------------------
+// getPartialSnapshot
+// ---------------------------------------------------------------------------
+
+test('getPartialSnapshot returns empty resources object for empty kinds array', async () => {
+  const result = await getPartialSnapshot([], {
+    kubectl: process.env.KRATE_KUBECTL || 'kubectl',
+    timeoutMs: 100,
+    allowFailure: true
+  });
+  assert.deepEqual(result.resources, {}, 'no resources when kinds is empty');
+  assert.equal(result.mode, 'partial', 'mode is partial');
+});
+
+test('getPartialSnapshot only queries the requested resource kinds', async () => {
+  // We stub out the kubectl to track which resource kinds are queried.
+  // Since we can't easily hook into the internal calls, we verify the returned
+  // resources object only has keys for the requested kinds.
+  const kinds = ['AgentStack', 'AgentSession'];
+  const result = await getPartialSnapshot(kinds, {
+    kubectl: process.env.KRATE_KUBECTL || 'kubectl',
+    timeoutMs: 500,
+    allowFailure: true
+  });
+  const keys = Object.keys(result.resources);
+  // All returned keys must be among the requested kinds
+  for (const key of keys) {
+    assert.ok(kinds.includes(key), `unexpected key in partial snapshot: ${key}`);
+  }
+  // All requested kinds must be present as keys
+  for (const kind of kinds) {
+    assert.ok(kind in result.resources, `missing kind in partial snapshot: ${kind}`);
+  }
+});
+
+test('getPartialSnapshot resources values are arrays', async () => {
+  const result = await getPartialSnapshot(['Organization'], {
+    kubectl: process.env.KRATE_KUBECTL || 'kubectl',
+    timeoutMs: 500,
+    allowFailure: true
+  });
+  for (const value of Object.values(result.resources)) {
+    assert.ok(Array.isArray(value), 'each resource value is an array');
+  }
+});
+
+test('getPartialSnapshot ignores unknown kinds gracefully', async () => {
+  const result = await getPartialSnapshot(['AgentStack', 'NotARealKind'], {
+    kubectl: process.env.KRATE_KUBECTL || 'kubectl',
+    timeoutMs: 500,
+    allowFailure: true
+  });
+  // NotARealKind should be absent; AgentStack should be present
+  assert.ok('AgentStack' in result.resources, 'valid kind present');
+  assert.ok(!('NotARealKind' in result.resources), 'unknown kind absent');
+});
+
+// ---------------------------------------------------------------------------
+// Per-org cache
+// ---------------------------------------------------------------------------
+
+test('setOrgCache and getOrgCache store and retrieve data per org', () => {
+  clearSnapshotCache();
+  const data1 = { resources: { Organization: [{ metadata: { name: 'org-a' } }] } };
+  const data2 = { resources: { Organization: [{ metadata: { name: 'org-b' } }] } };
+  setOrgCache(data1, 'org-a');
+  setOrgCache(data2, 'org-b');
+  assert.deepEqual(getOrgCache('org-a').data, data1, 'org-a cached independently');
+  assert.deepEqual(getOrgCache('org-b').data, data2, 'org-b cached independently');
+  clearSnapshotCache();
+});
+
+test('cachedOrgs returns all orgs with active cache entries', () => {
+  clearSnapshotCache();
+  setOrgCache({ x: 1 }, 'org-x');
+  setOrgCache({ y: 2 }, 'org-y');
+  const orgs = cachedOrgs();
+  assert.ok(orgs.includes('org-x'), 'org-x in cachedOrgs');
+  assert.ok(orgs.includes('org-y'), 'org-y in cachedOrgs');
+  clearSnapshotCache();
+});
+
+test('clearOrgCache removes only the target org', () => {
+  clearSnapshotCache();
+  setOrgCache({ a: 1 }, 'alpha');
+  setOrgCache({ b: 2 }, 'beta');
+  clearOrgCache('alpha');
+  assert.equal(getOrgCache('alpha'), null, 'alpha cleared');
+  assert.ok(getOrgCache('beta') !== null, 'beta still present');
+  clearSnapshotCache();
+});
+
+test('isCacheFresh returns false when cache is empty', () => {
+  clearSnapshotCache();
+  assert.equal(isCacheFresh('org-empty'), false, 'empty cache is not fresh');
+});
+
+test('isCacheFresh returns true immediately after setOrgCache', () => {
+  clearSnapshotCache();
+  setOrgCache({ z: 3 }, 'freshorg');
+  assert.equal(isCacheFresh('freshorg'), true, 'fresh entry is fresh');
+  clearSnapshotCache();
+});
+
+// ---------------------------------------------------------------------------
+// stale-while-revalidate
+// ---------------------------------------------------------------------------
+
+test('staleWhileRevalidate returns fresh data when cache is empty', async () => {
+  clearSnapshotCache();
+  const fresh = { resources: { AgentStack: [] } };
+  const result = await staleWhileRevalidate('swr-empty', async () => fresh);
+  assert.deepEqual(result, fresh, 'returns result of revalidateFn');
+  clearSnapshotCache();
+});
+
+test('staleWhileRevalidate returns cached data immediately when fresh', async () => {
+  clearSnapshotCache();
+  const cached = { resources: { AgentStack: [{ metadata: { name: 'existing' } }] } };
+  setOrgCache(cached, 'swr-fresh');
+  let revalidateCalled = false;
+  const result = await staleWhileRevalidate('swr-fresh', async () => {
+    revalidateCalled = true;
+    return { resources: { AgentStack: [] } };
+  }, { ttlMs: CACHE_TTL_MS });
+  assert.deepEqual(result, cached, 'returned cached data');
+  assert.equal(revalidateCalled, false, 'revalidate not called when cache is fresh');
+  clearSnapshotCache();
+});
+
+test('staleWhileRevalidate triggers background refresh when entry is stale', async () => {
+  clearSnapshotCache();
+  const staleData = { resources: { AgentStack: [{ metadata: { name: 'stale' } }] } };
+  setOrgCache(staleData, 'swr-stale');
+  // Manually mark the entry as expired (set timestamp far in the past)
+  const key = 'swr-stale';
+  // Access orgCacheMap indirectly by using a very short ttlMs
+  let revalidateCalled = false;
+  let resolveRevalidate;
+  const revalidatePromise = new Promise((resolve) => { resolveRevalidate = resolve; });
+  const result = await staleWhileRevalidate('swr-stale', async () => {
+    revalidateCalled = true;
+    resolveRevalidate();
+    return { resources: { AgentStack: [] } };
+  }, { ttlMs: 0, staleMs: CACHE_TTL_MS * 10 });
+
+  // Should return stale data immediately
+  assert.deepEqual(result, staleData, 'returned stale data immediately');
+  // Wait a tick for background refresh to fire
+  await new Promise((r) => setImmediate(r));
+  clearSnapshotCache();
+});
+
+test('staleWhileRevalidate caches the result of revalidateFn', async () => {
+  clearSnapshotCache();
+  const fresh = { resources: { User: [{ metadata: { name: 'u1' } }] } };
+  await staleWhileRevalidate('swr-cache-write', async () => fresh);
+  const entry = getOrgCache('swr-cache-write');
+  assert.ok(entry !== null, 'cache written after revalidate');
+  assert.deepEqual(entry.data, fresh, 'correct data written to cache');
+  clearSnapshotCache();
+});

package/tests/sse-events.test.js

@@ -0,0 +1,107 @@
+import assert from 'node:assert/strict';
+import test from 'node:test';
+import { createEventBus } from '../src/event-bus.js';
+
+// ─── createEventBus shape ─────────────────────────────────────────────────────
+
+test('createEventBus returns bus with subscribe, unsubscribe, emit', () => {
+  const bus = createEventBus();
+  assert.ok(typeof bus.subscribe === 'function', 'has subscribe method');
+  assert.ok(typeof bus.unsubscribe === 'function', 'has unsubscribe method');
+  assert.ok(typeof bus.emit === 'function', 'has emit method');
+});
+
+// ─── subscribe ────────────────────────────────────────────────────────────────
+
+test('subscribe adds a listener that receives emitted events', () => {
+  const bus = createEventBus();
+  const received = [];
+  bus.subscribe((event) => received.push(event));
+  bus.emit({ type: 'test', value: 42 });
+  assert.equal(received.length, 1, 'listener received one event');
+  assert.deepEqual(received[0], { type: 'test', value: 42 });
+});
+
+// ─── unsubscribe ──────────────────────────────────────────────────────────────
+
+test('unsubscribe removes a listener', () => {
+  const bus = createEventBus();
+  const received = [];
+  const listener = (event) => received.push(event);
+  bus.subscribe(listener);
+  bus.emit({ type: 'first' });
+  bus.unsubscribe(listener);
+  bus.emit({ type: 'second' });
+  assert.equal(received.length, 1, 'listener only received event before unsubscribe');
+  assert.equal(received[0].type, 'first');
+});
+
+// ─── emit ─────────────────────────────────────────────────────────────────────
+
+test('emit sends events to all subscribers', () => {
+  const bus = createEventBus();
+  const receivedA = [];
+  const receivedB = [];
+  bus.subscribe((e) => receivedA.push(e));
+  bus.subscribe((e) => receivedB.push(e));
+  bus.emit({ type: 'broadcast' });
+  assert.equal(receivedA.length, 1, 'subscriber A received the event');
+  assert.equal(receivedB.length, 1, 'subscriber B received the event');
+  assert.equal(receivedA[0].type, 'broadcast');
+  assert.equal(receivedB[0].type, 'broadcast');
+});
+
+test('emit with no subscribers does not throw', () => {
+  const bus = createEventBus();
+  assert.doesNotThrow(() => bus.emit({ type: 'lonely' }), 'emit with no subscribers is safe');
+});
+
+// ─── emitResourceChange ───────────────────────────────────────────────────────
+
+test('emitResourceChange sends event with kind, name, operation, timestamp', () => {
+  const bus = createEventBus();
+  const received = [];
+  bus.subscribe((event) => received.push(event));
+  bus.emitResourceChange('Repository', 'my-repo', 'apply');
+  assert.equal(received.length, 1, 'listener received one event');
+  const event = received[0];
+  assert.equal(event.type, 'resource-change', 'type is resource-change');
+  assert.equal(event.kind, 'Repository', 'kind is correct');
+  assert.equal(event.name, 'my-repo', 'name is correct');
+  assert.equal(event.operation, 'apply', 'operation is correct');
+  assert.ok(typeof event.timestamp === 'string', 'timestamp is a string');
+  assert.ok(new Date(event.timestamp).getTime() > 0, 'timestamp is a valid ISO date');
+});
+
+// ─── multiple subscribers ─────────────────────────────────────────────────────
+
+test('multiple subscribers all receive the same event', () => {
+  const bus = createEventBus();
+  const listeners = Array.from({ length: 5 }, () => []);
+  listeners.forEach((arr) => bus.subscribe((e) => arr.push(e)));
+  bus.emit({ type: 'multi', id: 99 });
+  for (const arr of listeners) {
+    assert.equal(arr.length, 1, 'each listener received exactly one event');
+    assert.equal(arr[0].id, 99, 'each listener got the same event id');
+  }
+});
+
+// ─── unsubscribed listener stops receiving ────────────────────────────────────
+
+test('unsubscribed listener stops receiving events', () => {
+  const bus = createEventBus();
+  const eventsA = [];
+  const eventsB = [];
+  const listenerA = (e) => eventsA.push(e);
+  const listenerB = (e) => eventsB.push(e);
+  bus.subscribe(listenerA);
+  bus.subscribe(listenerB);
+  bus.emit({ type: 'first' });
+  bus.unsubscribe(listenerA);
+  bus.emit({ type: 'second' });
+  bus.emit({ type: 'third' });
+  assert.equal(eventsA.length, 1, 'unsubscribed listener only got the first event');
+  assert.equal(eventsB.length, 3, 'still-subscribed listener got all three events');
+  assert.equal(eventsA[0].type, 'first');
+  assert.equal(eventsB[2].type, 'third');
+});