@clawnet/template-minimal 0.0.1

package/tests/constants.test.ts

@@ -0,0 +1,24 @@
+import { describe, expect, it } from "vitest";
+import {
+	AIP_PREFIX,
+	APP_NAME,
+	B_PREFIX,
+	BAP_PREFIX,
+	MAP_PREFIX,
+	MOLTBOOK_API_URL,
+} from "../src/constants";
+
+describe("constants", () => {
+	it("has correct protocol prefixes", () => {
+		expect(B_PREFIX).toBe("19HxigV4QyBv3tHpQVcUEQyq1pzZVdoAut");
+		expect(MAP_PREFIX).toBe("1PuQa7K62MiKCtssSLKy1kh56WWU7MtUR5");
+		expect(AIP_PREFIX).toBe("15PciHG22SNLQJXMoSUaWVi7WSqc7hCfva");
+		expect(BAP_PREFIX).toBe("1BAPSuaPnfGnSBM3GLV9yhxUdYe4vGbdMT");
+	});
+	it("app name is clawbook", () => {
+		expect(APP_NAME).toBe("clawbook");
+	});
+	it("MOLTBOOK_API_URL is correct", () => {
+		expect(MOLTBOOK_API_URL).toBe("https://www.moltbook.com/api/v1");
+	});
+});

package/tests/handlers/openai-compat.test.ts

@@ -0,0 +1,128 @@
+import { Hono } from "hono";
+import { describe, expect, it, vi } from "vitest";
+
+// Mock @vercel/sandbox
+vi.mock("@vercel/sandbox", () => ({
+	Sandbox: {
+		create: vi.fn().mockResolvedValue({
+			runCommand: vi.fn().mockImplementation(({ cmd, args }) => {
+				if (cmd === "node" && args?.[0] === "agent.mjs") {
+					return {
+						exitCode: 0,
+						stdout: async () =>
+							JSON.stringify({
+								success: true,
+								summary: "Here is what happened on Clawbook today.",
+								actions: [],
+							}),
+						stderr: async () => "",
+					};
+				}
+				return {
+					exitCode: 0,
+					stdout: async () => "",
+					stderr: async () => "",
+				};
+			}),
+			writeFiles: vi.fn().mockResolvedValue(undefined),
+			stop: vi.fn().mockResolvedValue(undefined),
+		}),
+	},
+}));
+
+// Import handler directly and wire to a test app (bypassing auth middleware)
+import { handleChatCompletions } from "../../src/handlers/openai-compat";
+
+function createTestApp() {
+	const app = new Hono();
+	app.post("/v1/chat/completions", handleChatCompletions);
+	return app;
+}
+
+describe("POST /v1/chat/completions", () => {
+	const app = createTestApp();
+
+	it("returns 400 for missing messages", async () => {
+		const res = await app.request("/v1/chat/completions", {
+			method: "POST",
+			headers: { "Content-Type": "application/json" },
+			body: JSON.stringify({}),
+		});
+		expect(res.status).toBe(400);
+		const body = await res.json();
+		expect(body.error).toContain("messages");
+	});
+
+	it("returns 400 for empty messages array", async () => {
+		const res = await app.request("/v1/chat/completions", {
+			method: "POST",
+			headers: { "Content-Type": "application/json" },
+			body: JSON.stringify({ messages: [] }),
+		});
+		expect(res.status).toBe(400);
+	});
+
+	it("returns 400 when no user message in array", async () => {
+		const res = await app.request("/v1/chat/completions", {
+			method: "POST",
+			headers: { "Content-Type": "application/json" },
+			body: JSON.stringify({
+				messages: [{ role: "system", content: "You are helpful" }],
+			}),
+		});
+		expect(res.status).toBe(400);
+		const body = await res.json();
+		expect(body.error).toContain("user message");
+	});
+
+	it("returns non-streaming chat completion format", async () => {
+		const res = await app.request("/v1/chat/completions", {
+			method: "POST",
+			headers: { "Content-Type": "application/json" },
+			body: JSON.stringify({
+				messages: [{ role: "user", content: "What's on Clawbook?" }],
+			}),
+		});
+		expect(res.status).toBe(200);
+		const body = await res.json();
+		expect(body.object).toBe("chat.completion");
+		expect(body.model).toBe("clarkling");
+		expect(body.choices).toHaveLength(1);
+		expect(body.choices[0].message.role).toBe("assistant");
+		expect(body.choices[0].message.content).toContain("Clawbook");
+		expect(body.choices[0].finish_reason).toBe("stop");
+		expect(body.usage).toBeDefined();
+	});
+
+	it("extracts last user message from messages array", async () => {
+		const res = await app.request("/v1/chat/completions", {
+			method: "POST",
+			headers: { "Content-Type": "application/json" },
+			body: JSON.stringify({
+				messages: [
+					{ role: "system", content: "You are helpful" },
+					{ role: "user", content: "First question" },
+					{ role: "assistant", content: "First answer" },
+					{ role: "user", content: "Second question" },
+				],
+			}),
+		});
+		expect(res.status).toBe(200);
+	});
+
+	it("returns streaming SSE format", async () => {
+		const res = await app.request("/v1/chat/completions", {
+			method: "POST",
+			headers: { "Content-Type": "application/json" },
+			body: JSON.stringify({
+				messages: [{ role: "user", content: "Hello" }],
+				stream: true,
+			}),
+		});
+		expect(res.status).toBe(200);
+		const text = await res.text();
+		expect(text).toContain("data: ");
+		expect(text).toContain("[DONE]");
+		expect(text).toContain("chat.completion.chunk");
+	});
+});

package/tests/handlers.test.ts

@@ -0,0 +1,133 @@
+import { beforeEach, describe, expect, it, vi } from "vitest";
+
+// Mock @vercel/sandbox so runAgentTurn doesn't try to create real sandboxes
+const mockRunCommand = vi.fn();
+const mockWriteFiles = vi.fn();
+const mockStop = vi.fn();
+const mockCreate = vi.fn().mockResolvedValue({
+	runCommand: mockRunCommand,
+	writeFiles: mockWriteFiles,
+	stop: mockStop,
+});
+
+vi.mock("@vercel/sandbox", () => ({
+	Sandbox: { create: mockCreate },
+}));
+
+function cmdResult(exitCode: number, stdoutStr: string, stderrStr = "") {
+	return {
+		exitCode,
+		stdout: async () => stdoutStr,
+		stderr: async () => stderrStr,
+	};
+}
+
+describe("handlers", () => {
+	beforeEach(() => {
+		vi.clearAllMocks();
+		process.env.SIGMA_MEMBER_WIF = "L1test";
+		process.env.ANTHROPIC_API_KEY = "sk-test";
+
+		// Default: script returns success
+		mockRunCommand.mockImplementation(({ cmd, args }) => {
+			if (cmd === "node" && args?.[0] === "agent.mjs") {
+				return cmdResult(
+					0,
+					JSON.stringify({
+						success: true,
+						summary: "Agent completed",
+						actions: [],
+					}),
+				);
+			}
+			return cmdResult(0, "");
+		});
+	});
+
+	describe("handlePost", () => {
+		it("runs agent with scheduled_post trigger", async () => {
+			mockRunCommand.mockImplementation(({ cmd, args }) => {
+				if (cmd === "node" && args?.[0] === "agent.mjs") {
+					return cmdResult(
+						0,
+						JSON.stringify({
+							success: true,
+							summary: "Posted something",
+							actions: [{ tool: "create_post", input: { content: "test" } }],
+						}),
+					);
+				}
+				return cmdResult(0, "");
+			});
+
+			const { handlePost } = await import("../src/handlers/post");
+			const result = await handlePost();
+
+			expect(mockCreate).toHaveBeenCalled();
+			expect(result.success).toBe(true);
+			expect(result.summary).toBe("Posted something");
+		});
+
+		it("returns error result on failure", async () => {
+			mockRunCommand.mockImplementation(({ cmd, args }) => {
+				if (cmd === "node" && args?.[0] === "agent.mjs") {
+					return cmdResult(1, "", "Sandbox timeout");
+				}
+				return cmdResult(0, "");
+			});
+
+			const { handlePost } = await import("../src/handlers/post");
+			const result = await handlePost();
+			expect(result.success).toBe(false);
+		});
+	});
+
+	describe("handleHeartbeat", () => {
+		it("runs agent with heartbeat trigger", async () => {
+			mockRunCommand.mockImplementation(({ cmd, args }) => {
+				if (cmd === "node" && args?.[0] === "agent.mjs") {
+					return cmdResult(
+						0,
+						JSON.stringify({
+							success: true,
+							summary: "Liked 2 posts",
+							actions: [
+								{ tool: "like_post", input: { targetTxId: "tx1" } },
+								{ tool: "like_post", input: { targetTxId: "tx2" } },
+							],
+						}),
+					);
+				}
+				return cmdResult(0, "");
+			});
+
+			const { handleHeartbeat } = await import("../src/handlers/heartbeat");
+			const result = await handleHeartbeat();
+
+			expect(mockCreate).toHaveBeenCalled();
+			expect(result.success).toBe(true);
+		});
+
+		it("catches thrown errors and returns failure result", async () => {
+			mockCreate.mockRejectedValueOnce(new Error("sandbox exploded"));
+
+			const { handleHeartbeat } = await import("../src/handlers/heartbeat");
+			const result = await handleHeartbeat();
+
+			expect(result.success).toBe(false);
+			expect(result.error).toBe("sandbox exploded");
+		});
+	});
+
+	describe("handlePost error handling", () => {
+		it("catches thrown errors and returns failure result", async () => {
+			mockCreate.mockRejectedValueOnce(new Error("sandbox exploded"));
+
+			const { handlePost } = await import("../src/handlers/post");
+			const result = await handlePost();
+
+			expect(result.success).toBe(false);
+			expect(result.error).toBe("sandbox exploded");
+		});
+	});
+});

package/tests/identity.test.ts

@@ -0,0 +1,66 @@
+import { PrivateKey } from "@bsv/sdk";
+import { describe, expect, test } from "vitest";
+import { createIdentity, getIdKey, signOpReturn } from "../src/identity";
+
+describe("BAP Identity", () => {
+	const testWif = PrivateKey.fromRandom().toWif();
+
+	test("createIdentity returns an identity object", () => {
+		const identity = createIdentity(testWif);
+		expect(identity).toBeDefined();
+	});
+
+	test("getIdKey returns a string BAP identity key", () => {
+		const identity = createIdentity(testWif);
+		const idKey = getIdKey(identity);
+		expect(typeof idKey).toBe("string");
+		expect(idKey.length).toBeGreaterThan(0);
+	});
+
+	test("signOpReturn produces AIP signature data", () => {
+		const identity = createIdentity(testWif);
+
+		// Example OP_RETURN data (hex encoded arrays)
+		const opReturnData: number[][] = [
+			Buffer.from("1PuQa7K62MiKCtssSLKy1kh56WWU7MtUR5").toJSON().data, // MAP prefix
+			Buffer.from("SET").toJSON().data,
+			Buffer.from("app").toJSON().data,
+			Buffer.from("clawbook").toJSON().data,
+		];
+
+		const signedData = signOpReturn(identity, opReturnData);
+
+		expect(Array.isArray(signedData)).toBe(true);
+		expect(signedData.length).toBeGreaterThan(opReturnData.length);
+
+		// AIP signature format: [...original data, "|", AIP_PREFIX, "BITCOIN_ECDSA", address, signature]
+		const pipeHex = Buffer.from("|").toString("hex");
+		const aipPrefixHex = Buffer.from(
+			"15PciHG22SNLQJXMoSUaWVi7WSqc7hCfva",
+		).toString("hex");
+
+		// Check for pipe separator
+		const pipeElementHex = Buffer.from(
+			signedData[opReturnData.length],
+		).toString("hex");
+		expect(pipeElementHex).toBe(pipeHex);
+
+		// Check that AIP prefix follows pipe
+		const aipElementHex = Buffer.from(
+			signedData[opReturnData.length + 1],
+		).toString("hex");
+		expect(aipElementHex).toBe(aipPrefixHex);
+	});
+
+	test("identity is deterministic (same WIF = same idKey)", () => {
+		const wif = PrivateKey.fromRandom().toWif();
+
+		const identity1 = createIdentity(wif);
+		const identity2 = createIdentity(wif);
+
+		const idKey1 = getIdKey(identity1);
+		const idKey2 = getIdKey(identity2);
+
+		expect(idKey1).toBe(idKey2);
+	});
+});

package/tests/index.test.ts

@@ -0,0 +1,108 @@
+import { Hono } from "hono";
+import { describe, expect, it, vi } from "vitest";
+
+// Mock @vercel/sandbox so agent turns don't create real sandboxes
+vi.mock("@vercel/sandbox", () => ({
+	Sandbox: {
+		create: vi.fn().mockResolvedValue({
+			runCommand: vi.fn().mockImplementation(({ cmd, args }) => {
+				if (cmd === "node" && args?.[0] === "agent.mjs") {
+					return {
+						exitCode: 0,
+						stdout: async () =>
+							JSON.stringify({
+								success: true,
+								summary: "Test",
+								actions: [],
+							}),
+						stderr: async () => "",
+					};
+				}
+				return {
+					exitCode: 0,
+					stdout: async () => "",
+					stderr: async () => "",
+				};
+			}),
+			writeFiles: vi.fn().mockResolvedValue(undefined),
+			stop: vi.fn().mockResolvedValue(undefined),
+		}),
+	},
+}));
+
+import app from "../src/index";
+
+describe("API", () => {
+	it("GET / returns status", async () => {
+		const res = await app.request("/");
+		expect(res.status).toBe(200);
+		const body = await res.json();
+		expect(body.name).toBe("clawbook-bot");
+		expect(body.status).toBe("ok");
+	});
+
+	it("POST /api/cron/heartbeat returns 200 (no CRON_SECRET = dev mode)", async () => {
+		const res = await app.request("/api/cron/heartbeat", { method: "POST" });
+		expect(res.status).toBe(200);
+	});
+
+	it("POST /api/cron/post returns 200 (no CRON_SECRET = dev mode)", async () => {
+		const res = await app.request("/api/cron/post", { method: "POST" });
+		expect(res.status).toBe(200);
+	});
+
+	it("POST /api/agent requires Sigma Auth", async () => {
+		const res = await app.request("/api/agent", { method: "POST" });
+		expect(res.status).toBe(401);
+	});
+
+	it("POST /api/hooks/wake requires Sigma Auth", async () => {
+		const res = await app.request("/api/hooks/wake", {
+			method: "POST",
+			headers: { "Content-Type": "application/json" },
+			body: JSON.stringify({ text: "hello" }),
+		});
+		expect(res.status).toBe(401);
+	});
+
+	it("POST /api/hooks/agent requires Sigma Auth", async () => {
+		const res = await app.request("/api/hooks/agent", {
+			method: "POST",
+			headers: { "Content-Type": "application/json" },
+			body: JSON.stringify({ message: "hello" }),
+		});
+		expect(res.status).toBe(401);
+	});
+
+	it("POST /v1/chat/completions requires Sigma Auth", async () => {
+		const res = await app.request("/v1/chat/completions", {
+			method: "POST",
+			headers: { "Content-Type": "application/json" },
+			body: JSON.stringify({
+				messages: [{ role: "user", content: "hello" }],
+			}),
+		});
+		expect(res.status).toBe(401);
+	});
+
+	it("GET /api/runs/:runId returns 404 for unknown run", async () => {
+		const res = await app.request("/api/runs/nonexistent-id");
+		expect(res.status).toBe(404);
+	});
+
+	it("global error handler catches unhandled throws and returns 500 JSON", async () => {
+		// Use a fresh Hono app to test onError pattern (can't add routes after router is built)
+		const testApp = new Hono();
+		testApp.onError((_err, c) => {
+			return c.json({ error: "Internal server error" }, 500);
+		});
+		testApp.get("/boom", () => {
+			throw new Error("unhandled boom");
+		});
+
+		const res = await testApp.request("/boom");
+		expect(res.status).toBe(500);
+		const body = await res.json();
+		expect(body.error).toBe("Internal server error");
+	});
+});

package/tests/middleware/cron-auth.test.ts

@@ -0,0 +1,99 @@
+import { Hono } from "hono";
+import { afterEach, beforeEach, describe, expect, it, vi } from "vitest";
+import { cronAuth } from "../../src/middleware/cron-auth";
+
+describe("cronAuth middleware", () => {
+	let app: Hono;
+	const originalEnv = process.env.CRON_SECRET;
+
+	beforeEach(() => {
+		app = new Hono();
+		app.use("/cron/*", cronAuth);
+		app.get("/cron/test", (c) => c.json({ success: true }));
+	});
+
+	afterEach(() => {
+		// Restore original env
+		if (originalEnv !== undefined) {
+			process.env.CRON_SECRET = originalEnv;
+		} else {
+			delete process.env.CRON_SECRET;
+		}
+		vi.restoreAllMocks();
+	});
+
+	it("allows request with correct secret", async () => {
+		process.env.CRON_SECRET = "test-secret-123";
+
+		const res = await app.request("/cron/test", {
+			headers: { Authorization: "Bearer test-secret-123" },
+		});
+
+		expect(res.status).toBe(200);
+		const body = await res.json();
+		expect(body).toEqual({ success: true });
+	});
+
+	it("rejects request with wrong secret", async () => {
+		process.env.CRON_SECRET = "test-secret-123";
+
+		const res = await app.request("/cron/test", {
+			headers: { Authorization: "Bearer wrong-secret" },
+		});
+
+		expect(res.status).toBe(401);
+		const body = await res.json();
+		expect(body).toHaveProperty("error", "Unauthorized");
+	});
+
+	it("rejects request with missing Authorization header", async () => {
+		process.env.CRON_SECRET = "test-secret-123";
+
+		const res = await app.request("/cron/test");
+
+		expect(res.status).toBe(401);
+		const body = await res.json();
+		expect(body).toHaveProperty("error", "Missing Authorization header");
+	});
+
+	it("rejects request with invalid Authorization header format", async () => {
+		process.env.CRON_SECRET = "test-secret-123";
+
+		const res = await app.request("/cron/test", {
+			headers: { Authorization: "InvalidFormat" },
+		});
+
+		expect(res.status).toBe(401);
+		const body = await res.json();
+		expect(body).toHaveProperty("error", "Invalid Authorization header format");
+	});
+
+	it("rejects request with different length secret (timing attack protection)", async () => {
+		process.env.CRON_SECRET = "short";
+
+		const res = await app.request("/cron/test", {
+			headers: { Authorization: "Bearer verylongsecret" },
+		});
+
+		expect(res.status).toBe(401);
+		const body = await res.json();
+		expect(body).toHaveProperty("error", "Unauthorized");
+	});
+
+	it("allows request when CRON_SECRET is not set (dev mode)", async () => {
+		delete process.env.CRON_SECRET;
+
+		const consoleWarnSpy = vi
+			.spyOn(console, "warn")
+			.mockImplementation(() => {});
+
+		const res = await app.request("/cron/test");
+
+		expect(res.status).toBe(200);
+		const body = await res.json();
+		expect(body).toEqual({ success: true });
+		expect(consoleWarnSpy).toHaveBeenCalledWith(
+			"[cronAuth] CRON_SECRET not set - allowing request (dev mode)",
+		);
+	});
+});