@aj-archipelago/cortex 1.4.1 → 1.4.2

package/tests/integration/graphql/async/stream/vendors/openai_streaming.test.js

@@ -52,7 +52,6 @@ test('OpenAI vendor streaming over subscriptions emits OAI-style deltas', async
 
   t.true(events.length > 0);
 
-  // Ensure streamed chunks (when they include model) use gpt-4.1 (not mini)
   const models = events
     .map(e => {
       try {
@@ -64,8 +63,7 @@ test('OpenAI vendor streaming over subscriptions emits OAI-style deltas', async
     .filter(Boolean);
 
   if (models.length > 0) {
-    t.truthy(models.find(m => /gpt-4\.1(?!-mini)/.test(m)));
-    t.falsy(models.find(m => /gpt-4\.1-mini/.test(m)));
+    t.truthy(models.find(m => /gpt-5-chat/.test(m)));
   }
 });
 

package/tests/unit/core/crypto.test.js

@@ -2,7 +2,7 @@
 // Tests for encryption and decryption functions in cortex/lib/crypto.js
 
 import test from 'ava';
-import { encrypt, decrypt, doubleEncrypt, doubleDecrypt } from '../../../lib/crypto.js';
+import { encrypt, decrypt } from '../../../lib/crypto.js';
 
 // Test data
 const testData = 'Hello, this is test data!';
@@ -35,85 +35,6 @@ test('decrypt should return original data when no key provided', t => {
     t.is(result, testData);
 });
 
-// Double encryption tests
-test('doubleEncrypt should encrypt with system key only when no user key', t => {
-    const encrypted = doubleEncrypt(testData, null, systemKey);
-    t.truthy(encrypted);
-    t.not(encrypted, testData);
-    
-    // Should be decryptable with system key only
-    const decrypted = decrypt(encrypted, systemKey);
-    t.is(decrypted, testData);
-});
-
-test('doubleEncrypt should encrypt with both keys when user key provided', t => {
-    const encrypted = doubleEncrypt(testData, userKey, systemKey);
-    t.truthy(encrypted);
-    t.not(encrypted, testData);
-    
-    // Should NOT be decryptable with system key only (it will be user-encrypted data)
-    const systemOnlyDecrypted = decrypt(encrypted, systemKey);
-    t.not(systemOnlyDecrypted, testData);
-    t.truthy(systemOnlyDecrypted); // Should return user-encrypted data, not null
-});
-
-test('doubleEncrypt should fail when no system key provided', t => {
-    const encrypted = doubleEncrypt(testData, userKey, null);
-    t.is(encrypted, null);
-});
-
-test('doubleEncrypt should fallback to system key when user encryption fails', t => {
-    // Use invalid user key to force fallback
-    const invalidUserKey = 'invalid';
-    const encrypted = doubleEncrypt(testData, invalidUserKey, systemKey);
-    t.truthy(encrypted);
-    
-    // Should be decryptable with system key only (fallback behavior)
-    const decrypted = decrypt(encrypted, systemKey);
-    t.is(decrypted, testData);
-});
-
-// Double decryption tests
-test('doubleDecrypt should decrypt with system key only when no user key', t => {
-    const encrypted = encrypt(testData, systemKey);
-    const decrypted = doubleDecrypt(encrypted, null, systemKey);
-    t.is(decrypted, testData);
-});
-
-test('doubleDecrypt should decrypt double-encrypted data with both keys', t => {
-    const encrypted = doubleEncrypt(testData, userKey, systemKey);
-    const decrypted = doubleDecrypt(encrypted, userKey, systemKey);
-    t.is(decrypted, testData);
-});
-
-test('doubleDecrypt should handle single-encrypted data when user key provided', t => {
-    // This is the key scenario we fixed!
-    const singleEncrypted = encrypt(testData, systemKey);
-    const decrypted = doubleDecrypt(singleEncrypted, userKey, systemKey);
-    t.is(decrypted, testData);
-});
-
-test('doubleDecrypt should fail when no system key provided', t => {
-    const encrypted = encrypt(testData, systemKey);
-    const decrypted = doubleDecrypt(encrypted, userKey, null);
-    t.is(decrypted, null);
-});
-
-test('doubleDecrypt should fail when system decryption fails', t => {
-    const encrypted = encrypt(testData, systemKey);
-    const wrongSystemKey = 'wrongkey123456789012345678901234567890123456789012345678901234567890';
-    const decrypted = doubleDecrypt(encrypted, userKey, wrongSystemKey);
-    t.is(decrypted, null);
-});
-
-test('doubleDecrypt should return system-decrypted data when user decryption fails for double-encrypted data', t => {
-    const encrypted = doubleEncrypt(testData, userKey, systemKey);
-    const decrypted = doubleDecrypt(encrypted, wrongUserKey, systemKey);
-    // Should return the user-encrypted data (system decryption succeeded, user decryption failed)
-    t.not(decrypted, testData); // Should not be the original data
-    t.truthy(decrypted); // Should return some data (user-encrypted)
-});
-
 // Edge cases and error handling
 test('encrypt should handle empty string', t => {
     const encrypted = encrypt('', systemKey);
@@ -136,28 +57,9 @@ test('encrypt should handle unicode characters', t => {
     t.is(decrypted, unicodeData);
 });
 
-test('doubleEncrypt should handle JSON data', t => {
+test('encrypt should handle JSON data', t => {
     const jsonData = JSON.stringify({ message: 'test', number: 42, array: [1, 2, 3] });
-    const encrypted = doubleEncrypt(jsonData, userKey, systemKey);
-    const decrypted = doubleDecrypt(encrypted, userKey, systemKey);
+    const encrypted = encrypt(jsonData, systemKey);
+    const decrypted = decrypt(encrypted, systemKey);
     t.is(decrypted, jsonData);
 });
-
-// Integration test for the specific scenario we fixed
-test('CRITICAL: doubleDecrypt should handle mixed encryption states', t => {
-    // Simulate a migration scenario where some data is single-encrypted
-    // and some is double-encrypted, but we always pass both keys
-    
-    // Single-encrypted data (old format)
-    const singleEncrypted = encrypt(testData, systemKey);
-    
-    // Double-encrypted data (new format)  
-    const doubleEncrypted = doubleEncrypt(testData, userKey, systemKey);
-    
-    // Both should be readable with both keys provided
-    const singleDecrypted = doubleDecrypt(singleEncrypted, userKey, systemKey);
-    const doubleDecrypted = doubleDecrypt(doubleEncrypted, userKey, systemKey);
-    
-    t.is(singleDecrypted, testData, 'Single-encrypted data should be readable with both keys');
-    t.is(doubleDecrypted, testData, 'Double-encrypted data should be readable with both keys');
-});

package/tests/unit/core/doubleEncryptionStorageClient.test.js

@@ -0,0 +1,262 @@
+// doubleEncryptionStorageClient.test.js
+// Tests for context key encryption integration in keyValueStorageClient
+
+import test from 'ava';
+import { setvWithDoubleEncryption, getvWithDoubleDecryption, setv, getv } from '../../../lib/keyValueStorageClient.js';
+import { encrypt, decrypt } from '../../../lib/crypto.js';
+
+// Test data
+const testData = { message: 'Hello, this is test data!', number: 42, array: [1, 2, 3] };
+const systemKey = '1234567890123456789012345678901234567890123456789012345678901234'; // 64 hex chars
+const userKey = 'abcdef1234567890abcdef1234567890abcdef1234567890abcdef1234567890'; // 64 hex chars
+
+// Mock the config to provide test keys
+import { config } from '../../../config.js';
+const originalGet = config.get;
+const mockGet = (key) => {
+    switch (key) {
+        case 'storageConnectionString':
+            return 'redis://localhost:6379'; // Use in-memory Redis for tests
+        case 'cortexId':
+            return 'test-cortex';
+        case 'redisEncryptionKey':
+            return systemKey;
+        default:
+            return originalGet(key);
+    }
+};
+config.get = mockGet;
+
+// Helper function to clear storage between tests
+async function clearStorage() {
+    // Clear any existing test data
+    try {
+        await setvWithDoubleEncryption('test-key', null, userKey);
+        await setv('test-key', null);
+    } catch (error) {
+        // Ignore errors when clearing
+    }
+}
+
+test.beforeEach(async t => {
+    await clearStorage();
+});
+
+// Test 1: Double encryption/decryption with both contextKey and redisEncryptionKey
+test('should store and retrieve data with double encryption when both keys provided', async t => {
+    const key = 'test-double-encryption';
+    
+    // Store with double encryption
+    await setvWithDoubleEncryption(key, testData, userKey);
+    
+    // Retrieve with double decryption
+    const retrieved = await getvWithDoubleDecryption(key, userKey);
+    
+    t.deepEqual(retrieved, testData);
+});
+
+// Test 2: Double encryption/decryption with only redisEncryptionKey (no contextKey)
+test('should store and retrieve data with single encryption when no contextKey provided', async t => {
+    const key = 'test-single-encryption';
+    
+    // Store with single encryption (no contextKey)
+    await setvWithDoubleEncryption(key, testData, null);
+    
+    // Retrieve with single decryption
+    const retrieved = await getvWithDoubleDecryption(key, null);
+    
+    t.deepEqual(retrieved, testData);
+});
+
+// Test 3: Reading single-encrypted data (from keyValueStorageClient) with doubleDecryption
+test('should read single-encrypted data from keyValueStorageClient with doubleDecryption', async t => {
+    const key = 'test-single-to-double';
+    
+    // Store using keyValueStorageClient (single encryption)
+    await setv(key, testData);
+    
+    // Read using doubleEncryptionStorageClient (should handle single-encrypted data)
+    const retrieved = await getvWithDoubleDecryption(key, userKey);
+    
+    t.deepEqual(retrieved, testData);
+});
+
+// Test 4: Reading single-encrypted data without contextKey
+test('should read single-encrypted data from keyValueStorageClient without contextKey', async t => {
+    const key = 'test-single-to-double-no-context';
+    
+    // Store using keyValueStorageClient (single encryption)
+    await setv(key, testData);
+    
+    // Read using doubleEncryptionStorageClient without contextKey
+    const retrieved = await getvWithDoubleDecryption(key, null);
+    
+    t.deepEqual(retrieved, testData);
+});
+
+// Test 5: Reading unencrypted data with doubleDecryption
+test('should read unencrypted data with doubleDecryption', async t => {
+    const key = 'test-unencrypted';
+    
+    // Store unencrypted data using keyValueStorageClient with no encryption key
+    const originalRedisKey = config.get('redisEncryptionKey');
+    config.get = (key) => {
+        switch (key) {
+            case 'storageConnectionString':
+                return 'redis://localhost:6379';
+            case 'cortexId':
+                return 'test-cortex';
+            case 'redisEncryptionKey':
+                return null; // No encryption
+            default:
+                return originalGet(key);
+        }
+    };
+    
+    // Store unencrypted data
+    await setv(key, testData);
+    
+    // Restore mock config
+    config.get = mockGet;
+    
+    // Read using doubleEncryptionStorageClient (should handle unencrypted data)
+    const retrieved = await getvWithDoubleDecryption(key, userKey);
+    
+    t.deepEqual(retrieved, testData);
+});
+
+// Test 6: Reading unencrypted data without contextKey
+test('should read unencrypted data without contextKey', async t => {
+    const key = 'test-unencrypted-no-context';
+    
+    // Store unencrypted data using keyValueStorageClient with no encryption key
+    const originalRedisKey = config.get('redisEncryptionKey');
+    config.get = (key) => {
+        switch (key) {
+            case 'storageConnectionString':
+                return 'redis://localhost:6379';
+            case 'cortexId':
+                return 'test-cortex';
+            case 'redisEncryptionKey':
+                return null; // No encryption
+            default:
+                return originalGet(key);
+        }
+    };
+    
+    // Store unencrypted data
+    await setv(key, testData);
+    
+    // Restore mock config
+    config.get = mockGet;
+    
+    // Read using doubleEncryptionStorageClient without contextKey
+    const retrieved = await getvWithDoubleDecryption(key, null);
+    
+    t.deepEqual(retrieved, testData);
+});
+
+// Test 7: Mixed data types - some double-encrypted, some single-encrypted
+test('should handle mixed encryption states in storage', async t => {
+    const doubleKey = 'test-mixed-double';
+    const singleKey = 'test-mixed-single';
+    
+    // Store with different encryption methods
+    await setvWithDoubleEncryption(doubleKey, testData, userKey); // Double encrypted
+    await setv(singleKey, testData); // Single encrypted
+    
+    // Both should be readable with doubleDecryption
+    const doubleRetrieved = await getvWithDoubleDecryption(doubleKey, userKey);
+    const singleRetrieved = await getvWithDoubleDecryption(singleKey, userKey);
+    
+    t.deepEqual(doubleRetrieved, testData, 'Double-encrypted data should be readable');
+    t.deepEqual(singleRetrieved, testData, 'Single-encrypted data should be readable');
+});
+
+// Test 8: Edge case - null/undefined data handling
+test('should handle null and undefined data gracefully', async t => {
+    const key1 = 'test-null-data';
+    const key2 = 'test-undefined-data';
+    
+    // Store null data
+    await setvWithDoubleEncryption(key1, null, userKey);
+    const retrieved1 = await getvWithDoubleDecryption(key1, userKey);
+    t.is(retrieved1, null);
+    
+    // Store undefined data
+    await setvWithDoubleEncryption(key2, undefined, userKey);
+    const retrieved2 = await getvWithDoubleDecryption(key2, userKey);
+    t.is(retrieved2, undefined);
+});
+
+// Test 9: Edge case - empty object handling
+test('should handle empty objects', async t => {
+    const key = 'test-empty-object';
+    const emptyData = {};
+    
+    await setvWithDoubleEncryption(key, emptyData, userKey);
+    const retrieved = await getvWithDoubleDecryption(key, userKey);
+    
+    t.deepEqual(retrieved, emptyData);
+});
+
+// Test 10: Context key changes between operations
+test('should handle context key changes between operations', async t => {
+    const key1 = 'test-context-change-1';
+    const key2 = 'test-context-change-2';
+    const newUserKey = '1111111111111111111111111111111111111111111111111111111111111111';
+    
+    // Store with first context key
+    await setvWithDoubleEncryption(key1, testData, userKey);
+    
+    // Retrieve with same context key
+    const retrieved1 = await getvWithDoubleDecryption(key1, userKey);
+    t.deepEqual(retrieved1, testData);
+    
+    // Store with different context key (different key to avoid conflicts)
+    await setvWithDoubleEncryption(key2, testData, newUserKey);
+    
+    // Retrieve with new context key
+    const retrieved2 = await getvWithDoubleDecryption(key2, newUserKey);
+    t.deepEqual(retrieved2, testData);
+    
+    // Verify that data encrypted with one key cannot be decrypted with another
+    const wrongKeyRetrieved = await getvWithDoubleDecryption(key1, newUserKey);
+    t.notDeepEqual(wrongKeyRetrieved, testData, 'Data encrypted with one key should not be readable with different key');
+});
+
+// Test 11: Large data handling
+test('should handle large data objects', async t => {
+    const key = 'test-large-data';
+    const largeData = {
+        message: 'Large data test',
+        array: Array(1000).fill(0).map((_, i) => i),
+        nested: {
+            level1: {
+                level2: {
+                    level3: Array(100).fill('test')
+                }
+            }
+        }
+    };
+    
+    await setvWithDoubleEncryption(key, largeData, userKey);
+    const retrieved = await getvWithDoubleDecryption(key, userKey);
+    
+    t.deepEqual(retrieved, largeData);
+});
+
+// Test 12: Special characters and unicode
+test('should handle special characters and unicode', async t => {
+    const key = 'test-special-chars';
+    const specialData = {
+        message: 'Special chars: !@#$%^&*()_+-=[]{}|;:,.<>?',
+        unicode: 'Unicode: 🚀 🌟 ñáéíóú 中文 العربية',
+        emoji: '😀😁😂🤣😃😄😅😆😉😊'
+    };
+    
+    await setvWithDoubleEncryption(key, specialData, userKey);
+    const retrieved = await getvWithDoubleDecryption(key, userKey);
+    
+    t.deepEqual(retrieved, specialData);
+});

package/lib/doubleEncryptionStorageClient.js

@@ -1,97 +0,0 @@
-import Keyv from 'keyv';
-import { config } from '../config.js';
-import { encrypt, decrypt, doubleEncrypt, doubleDecrypt } from './crypto.js';
-import logger from './logger.js';
-
-const storageConnectionString = config.get('storageConnectionString');
-const cortexId = config.get('cortexId');
-const redisEncryptionKey = config.get('redisEncryptionKey');
-
-// Create a keyv client to store data with double encryption support
-const doubleEncryptionStorageClient = new Keyv(storageConnectionString, {
-    ssl: true,
-    abortConnect: false,
-    serialize: (data) => JSON.stringify(data),
-    deserialize: (data) => {
-        try {
-            return JSON.parse(data);
-        } catch (error) {
-            logger.error(`Failed to parse stored data: ${error}`);
-            return {};
-        }
-    },
-    namespace: `${cortexId}-cortex-context`
-});
-
-// Handle Redis connection errors to prevent crashes
-doubleEncryptionStorageClient.on('error', (error) => {
-    logger.error(`Keyv Redis connection error: ${error}`);
-});
-
-// Set values with double encryption support
-async function setvWithDoubleEncryption(key, value, userContextKey) {
-    if (!doubleEncryptionStorageClient) return false;
-    
-    // Validate that system key is present
-    if (!redisEncryptionKey) {
-        logger.error('System encryption key is required but not configured');
-        return false;
-    }
-    
-    try {
-        // Always use doubleEncrypt which handles both scenarios:
-        // 1. systemKey only (when userContextKey is null/undefined)
-        // 2. userContextKey + systemKey (when userContextKey is provided)
-        const encryptedValue = doubleEncrypt(JSON.stringify(value), userContextKey, redisEncryptionKey);
-            
-        if (!encryptedValue) {
-            logger.error('Encryption failed, cannot store data');
-            return false;
-        }
-        
-        return await doubleEncryptionStorageClient.set(key, encryptedValue);
-    } catch (error) {
-        logger.error(`Failed to store data with double encryption: ${error}`);
-        return false;
-    }
-}
-
-// Get values with double decryption support
-async function getvWithDoubleDecryption(key, userContextKey) {
-    if (!doubleEncryptionStorageClient) return null;
-    
-    // Validate that system key is present
-    if (!redisEncryptionKey) {
-        logger.error('System encryption key is required but not configured');
-        return null;
-    }
-    
-    try {
-        const encryptedData = await doubleEncryptionStorageClient.get(key);
-        if (!encryptedData) return null;
-        
-        // Always use doubleDecrypt which handles both scenarios:
-        // 1. systemKey only (when userContextKey is null/undefined)
-        // 2. userContextKey + systemKey (when userContextKey is provided)
-        const decryptedData = doubleDecrypt(encryptedData, userContextKey, redisEncryptionKey);
-        if (decryptedData) {
-            return JSON.parse(decryptedData);
-        }
-        
-        // If decryption fails, try to parse as plain JSON (for backward compatibility with unencrypted data)
-        try {
-            return JSON.parse(encryptedData);
-        } catch {
-            return encryptedData;
-        }
-    } catch (error) {
-        logger.error(`Failed to retrieve and decrypt data: ${error}`);
-        return null;
-    }
-}
-
-export {
-    doubleEncryptionStorageClient,
-    setvWithDoubleEncryption,
-    getvWithDoubleDecryption
-};