@elevasis/core 0.11.2 → 0.13.0

package/src/execution/engine/tools/integration/service.test.ts

@@ -0,0 +1,214 @@
+/**
+ * IntegrationService — credential cache regression tests
+ *
+ * Regression guard for the context.store plumbing bug fixed in commit 75205cd8e:
+ * IntegrationService.call() reads context.store.get(cacheKey) for per-execution
+ * credential caching. Before the fix, dispatchIntegrationTool never threaded `store`
+ * into the context, causing a V8 TypeError on every integration tool call.
+ *
+ * These tests exercise the real IntegrationService.call() code path — not a mock —
+ * so any future regression that removes context.store from the dispatch path will
+ * cause a real crash here, not a silent type error.
+ */
+
+import { describe, it, expect, vi, beforeEach } from 'vitest'
+import { IntegrationService } from './service'
+import type { BaseIntegrationAdapter } from './base-integration-adapter'
+import type { ExecutionContext } from '../../base/types'
+
+// ---------------------------------------------------------------------------
+// Mock the registry that IntegrationService.call() uses internally
+// ---------------------------------------------------------------------------
+
+const mockGetCredential = vi.fn()
+
+vi.mock('../registry', () => ({
+  getToolServices: () => ({
+    credentialsService: {
+      getCredential: mockGetCredential
+    }
+  })
+}))
+
+// ---------------------------------------------------------------------------
+// Helpers
+// ---------------------------------------------------------------------------
+
+/** Minimal stub adapter — always validates, always succeeds */
+function makeStubAdapter(name: string): BaseIntegrationAdapter {
+  return {
+    name,
+    validateCredentials: () => true,
+    call: vi.fn().mockResolvedValue({ stubResult: true })
+  }
+}
+
+/** Minimal ExecutionContext with a real Map for store */
+function makeContext(store: Map<string, unknown> = new Map()): ExecutionContext {
+  return {
+    executionId: 'exec-test-001',
+    organizationId: 'org-test-001',
+    organizationName: 'Test Org',
+    resourceId: 'resource-test-001',
+    executionDepth: 0,
+    logger: {
+      debug: () => {},
+      info: () => {},
+      warn: () => {},
+      error: () => {}
+    },
+    store
+  }
+}
+
+// ---------------------------------------------------------------------------
+// Tests
+// ---------------------------------------------------------------------------
+
+describe('IntegrationService — credential cache (context.store)', () => {
+  beforeEach(() => {
+    vi.clearAllMocks()
+  })
+
+  describe('call() with a valid store Map', () => {
+    it('does not throw when context.store is a real Map (regression: was crashing with undefined.get)', async () => {
+      const adapter = makeStubAdapter('stripe')
+      const service = new IntegrationService(new Map([['stripe', adapter]]))
+      const credentials = { apiKey: 'sk_test_123' }
+
+      mockGetCredential.mockResolvedValue(credentials)
+
+      const context = makeContext()
+
+      // This call must NOT throw "Cannot read properties of undefined (reading 'get')"
+      const result = await service.call('stripe', 'listPaymentLinks', {}, 'stripe-cred', context)
+
+      expect(result).toEqual({ stubResult: true })
+    })
+
+    it('fetches credentials from credentialsService on first call', async () => {
+      const adapter = makeStubAdapter('stripe')
+      const service = new IntegrationService(new Map([['stripe', adapter]]))
+      const credentials = { apiKey: 'sk_test_123' }
+
+      mockGetCredential.mockResolvedValue(credentials)
+
+      await service.call('stripe', 'listPaymentLinks', {}, 'stripe-cred', makeContext())
+
+      expect(mockGetCredential).toHaveBeenCalledOnce()
+      expect(mockGetCredential).toHaveBeenCalledWith('org-test-001', 'stripe-cred')
+    })
+
+    it('hits the cache and skips credentialsService on second call with the same store', async () => {
+      // This is the core regression: the second call should reuse the cached credential
+      // (store.get returns the value set by the first call) and NOT call credentialsService again.
+      const adapter = makeStubAdapter('stripe')
+      const service = new IntegrationService(new Map([['stripe', adapter]]))
+      const credentials = { apiKey: 'sk_test_123' }
+
+      mockGetCredential.mockResolvedValue(credentials)
+
+      // Use a SHARED store Map across both calls — as worker-executor does
+      const sharedStore = new Map<string, unknown>()
+      const ctx = makeContext(sharedStore)
+
+      await service.call('stripe', 'listPaymentLinks', {}, 'stripe-cred', ctx)
+      await service.call('stripe', 'listPaymentLinks', {}, 'stripe-cred', ctx)
+
+      // credentialsService should only have been called once — second call hit the cache
+      expect(mockGetCredential).toHaveBeenCalledOnce()
+    })
+
+    it('fetches credentials again when a fresh store is used (different execution)', async () => {
+      // Two distinct executions each own their own store Map.
+      // The credential cache must NOT leak across executions.
+      const adapter = makeStubAdapter('stripe')
+      const service = new IntegrationService(new Map([['stripe', adapter]]))
+      const credentials = { apiKey: 'sk_test_123' }
+
+      mockGetCredential.mockResolvedValue(credentials)
+
+      // Execution A — fresh store
+      await service.call('stripe', 'listPaymentLinks', {}, 'stripe-cred', makeContext(new Map()))
+      // Execution B — different fresh store
+      await service.call('stripe', 'listPaymentLinks', {}, 'stripe-cred', makeContext(new Map()))
+
+      // Each execution must independently fetch the credential
+      expect(mockGetCredential).toHaveBeenCalledTimes(2)
+    })
+
+    it('writes the credential to store.set after fetching so subsequent calls can retrieve it', async () => {
+      const adapter = makeStubAdapter('stripe')
+      const service = new IntegrationService(new Map([['stripe', adapter]]))
+      const credentials = { apiKey: 'sk_test_456' }
+
+      mockGetCredential.mockResolvedValue(credentials)
+
+      const store = new Map<string, unknown>()
+      await service.call('stripe', 'listPaymentLinks', {}, 'stripe-cred', makeContext(store))
+
+      // The credential must have been written into the store under the expected cache key
+      const cacheKey = '__cred_cache__:stripe-cred'
+      expect(store.has(cacheKey)).toBe(true)
+      expect(store.get(cacheKey)).toEqual(credentials)
+    })
+  })
+
+  describe('call() error conditions', () => {
+    it('throws with credentials_missing when credentialsService returns null', async () => {
+      const adapter = makeStubAdapter('stripe')
+      const service = new IntegrationService(new Map([['stripe', adapter]]))
+
+      mockGetCredential.mockResolvedValue(null)
+
+      await expect(service.call('stripe', 'listPaymentLinks', {}, 'missing-cred', makeContext())).rejects.toMatchObject(
+        {
+          errorType: 'credentials_missing'
+        }
+      )
+    })
+
+    it('throws with adapter_not_found when integration is not registered', async () => {
+      const service = new IntegrationService(new Map())
+
+      await expect(service.call('nonexistent', 'someMethod', {}, 'some-cred', makeContext())).rejects.toMatchObject({
+        errorType: 'adapter_not_found'
+      })
+    })
+
+    it('throws validation_error when context is undefined', async () => {
+      const adapter = makeStubAdapter('stripe')
+      const service = new IntegrationService(new Map([['stripe', adapter]]))
+
+      await expect(service.call('stripe', 'listPaymentLinks', {}, 'stripe-cred', undefined)).rejects.toMatchObject({
+        errorType: 'validation_error'
+      })
+    })
+
+    it('throws TypeError when context.store is undefined (simulates the pre-fix bug)', async () => {
+      // This documents the exact failure mode that shipped: dispatchIntegrationTool
+      // constructed a context without `store`. The crash was:
+      //   "Cannot read properties of undefined (reading 'get')"
+      const adapter = makeStubAdapter('stripe')
+      const service = new IntegrationService(new Map([['stripe', adapter]]))
+      const credentials = { apiKey: 'sk_test_123' }
+
+      mockGetCredential.mockResolvedValue(credentials)
+
+      // Deliberately construct a context without `store` (mimics the pre-fix bug)
+      const brokenContext = {
+        executionId: 'exec-broken',
+        organizationId: 'org-test-001',
+        organizationName: 'Test Org',
+        resourceId: 'resource-broken',
+        executionDepth: 0,
+        logger: { debug: () => {}, info: () => {}, warn: () => {}, error: () => {} }
+        // store is intentionally absent — this was the bug
+      } as unknown as ExecutionContext
+
+      await expect(service.call('stripe', 'listPaymentLinks', {}, 'stripe-cred', brokenContext)).rejects.toThrow(
+        /Cannot read properties of undefined \(reading '(get|set)'\)/
+      )
+    })
+  })
+})

package/src/execution/engine/tools/integration/service.ts

@@ -1,161 +1,169 @@
-import type { ExecutionContext } from '../../base/types'
-import type { BaseIntegrationAdapter } from './base-integration-adapter'
-import type { RateLimiter, RetryPolicy } from '../../../../platform/resilience'
-import { ToolingError } from '../types'
-import { withRetry, InMemoryRateLimiter, DEFAULT_RETRY_POLICY } from '../../../../platform/resilience'
-import {
-  INTEGRATION_RATE_LIMIT_CAPACITY,
-  INTEGRATION_RATE_LIMIT_WINDOW_MS
-} from '../../../../platform/constants/resilience'
-import { getToolServices } from '../registry'
-
-/**
- * Integration Service
- *
- * Central service for managing integration adapters, rate limiting, and retry.
- * Credentials accessed via global tool services registry.
- *
- * Pattern: Active Record (justified - owns state + behavior)
- *
- * @example
- * const service = new IntegrationService(
- *   new Map([['gmail', gmailAdapter]])
- * )
- *
- * const result = await service.call('gmail', 'sendEmail', params, 'gmail-cred', context)
- */
-export class IntegrationService {
-  private readonly rateLimiter: RateLimiter
-  private readonly retryPolicy: RetryPolicy
-
-  constructor(public readonly adapters: Map<string, BaseIntegrationAdapter>) {
-    this.rateLimiter = new InMemoryRateLimiter(INTEGRATION_RATE_LIMIT_CAPACITY, INTEGRATION_RATE_LIMIT_WINDOW_MS)
-    this.retryPolicy = DEFAULT_RETRY_POLICY
-  }
-
-  /**
-   * Call integration method with full orchestration
-   *
-   * Orchestrates the full integration call flow:
-   * 1. Validate execution context
-   * 2. Validate adapter exists
-   * 3. Check rate limit (per organization per integration)
-   * 4. Get credentials from registry
-   * 5. Validate credentials
-   * 6. Call adapter with retry
-   *
-   * @param integration - Integration adapter type (e.g., 'gmail', 'slack')
-   * @param method - Method name (e.g., 'sendEmail', 'postMessage')
-   * @param params - Method parameters
-   * @param credentialName - Credential name from credentials table
-   * @param context - Execution context (required for multi-tenant isolation)
-   * @returns Method result
-   * @throws ToolingError if call fails
-   */
-  async call(
-    integration: string,
-    method: string,
-    params: unknown,
-    credentialName: string,
-    context: ExecutionContext | undefined
-  ): Promise<unknown> {
-    // 1. Validate execution context (required for multi-tenant isolation)
-    if (!context) {
-      throw new ToolingError('validation_error', 'ExecutionContext required for integration calls', {
-        integration,
-        method,
-        credentialName
-      })
-    }
-
-    // 2. Validate adapter exists
-    const adapter = this.adapters.get(integration)
-    if (!adapter) {
-      throw new ToolingError('adapter_not_found', `Integration adapter not found: ${integration}`, {
-        integration,
-        availableAdapters: Array.from(this.adapters.keys())
-      })
-    }
-
-    // 3. Check rate limit (per organization per integration)
-    const rateLimitKey = `${context.organizationId}:${integration}`
-    const allowed = await this.rateLimiter.allow(rateLimitKey)
-    if (!allowed) {
-      const remaining = await this.rateLimiter.remaining(rateLimitKey)
-      throw new ToolingError('rate_limit_exceeded', 'Rate limit exceeded', {
-        integration,
-        organizationId: context.organizationId,
-        remaining
-      })
-    }
-
-    // 4. Get credentials from registry
-    const { credentialsService } = getToolServices()
-    if (!credentialsService) {
-      throw new ToolingError(
-        'service_unavailable',
-        'CredentialsService not initialized. Ensure toolServicesRegistry.initialize() was called in apps/api/src/main.ts',
-        { integration, credentialName }
-      )
-    }
-
-    const credentials = await credentialsService.getCredential(context.organizationId, credentialName)
-    if (!credentials) {
-      throw new ToolingError('credentials_missing', `No credentials found for credential name: ${credentialName}`, {
-        integration,
-        credentialName,
-        organizationId: context.organizationId
-      })
-    }
-
-    // Log credential retrieval for OAuth integrations
-    const isOAuth = !!(credentials as Record<string, unknown>).provider
-    if (isOAuth) {
-      const creds = credentials as Record<string, unknown>
-      context.logger?.debug(
-        `OAuth credential retrieved: integration=${integration}, credentialName=${credentialName}, provider=${creds.provider}, hasRefreshToken=${!!creds.refreshToken}, hasExpiresAt=${!!creds.expiresAt}, expiresAt=${creds.expiresAt}`
-      )
-    }
-
-    // 5. Validate credentials
-    const isValid = adapter.validateCredentials(credentials)
-    if (!isValid) {
-      throw new ToolingError('credentials_invalid', `Invalid credentials for integration: ${integration}`, {
-        integration,
-        organizationId: context.organizationId
-      })
-    }
-
-    // 6. Call adapter with retry (pass credentialName in context for token refresh persistence)
-    const contextWithCredential: ExecutionContext = {
-      ...context,
-      credentialName
-    }
-    return withRetry(() => adapter.call(method, params, credentials, contextWithCredential), this.retryPolicy)
-  }
-
-  /**
-   * Get adapter by name
-   * @param integration - Integration name
-   * @returns Adapter or undefined
-   */
-  getAdapter(integration: string): BaseIntegrationAdapter | undefined {
-    return this.adapters.get(integration)
-  }
-
-  /**
-   * Register adapter
-   * @param adapter - Adapter to register
-   */
-  registerAdapter(adapter: BaseIntegrationAdapter): void {
-    this.adapters.set(adapter.name, adapter)
-  }
-
-  /**
-   * Unregister adapter
-   * @param integration - Integration name to unregister
-   */
-  unregisterAdapter(integration: string): void {
-    this.adapters.delete(integration)
-  }
-}
+import type { ExecutionContext } from '../../base/types'
+import type { BaseIntegrationAdapter } from './base-integration-adapter'
+import type { RateLimiter, RetryPolicy } from '../../../../platform/resilience'
+import { ToolingError } from '../types'
+import { withRetry, InMemoryRateLimiter, DEFAULT_RETRY_POLICY } from '../../../../platform/resilience'
+import {
+  INTEGRATION_RATE_LIMIT_CAPACITY,
+  INTEGRATION_RATE_LIMIT_WINDOW_MS
+} from '../../../../platform/constants/resilience'
+import { getToolServices } from '../registry'
+
+/**
+ * Integration Service
+ *
+ * Central service for managing integration adapters, rate limiting, and retry.
+ * Credentials accessed via global tool services registry.
+ *
+ * Pattern: Active Record (justified - owns state + behavior)
+ *
+ * @example
+ * const service = new IntegrationService(
+ *   new Map([['gmail', gmailAdapter]])
+ * )
+ *
+ * const result = await service.call('gmail', 'sendEmail', params, 'gmail-cred', context)
+ */
+export class IntegrationService {
+  private readonly rateLimiter: RateLimiter
+  private readonly retryPolicy: RetryPolicy
+
+  constructor(public readonly adapters: Map<string, BaseIntegrationAdapter>) {
+    this.rateLimiter = new InMemoryRateLimiter(INTEGRATION_RATE_LIMIT_CAPACITY, INTEGRATION_RATE_LIMIT_WINDOW_MS)
+    this.retryPolicy = DEFAULT_RETRY_POLICY
+  }
+
+  /**
+   * Call integration method with full orchestration
+   *
+   * Orchestrates the full integration call flow:
+   * 1. Validate execution context
+   * 2. Validate adapter exists
+   * 3. Check rate limit (per organization per integration)
+   * 4. Get credentials from registry
+   * 5. Validate credentials
+   * 6. Call adapter with retry
+   *
+   * @param integration - Integration adapter type (e.g., 'gmail', 'slack')
+   * @param method - Method name (e.g., 'sendEmail', 'postMessage')
+   * @param params - Method parameters
+   * @param credentialName - Credential name from credentials table
+   * @param context - Execution context (required for multi-tenant isolation)
+   * @returns Method result
+   * @throws ToolingError if call fails
+   */
+  async call(
+    integration: string,
+    method: string,
+    params: unknown,
+    credentialName: string,
+    context: ExecutionContext | undefined
+  ): Promise<unknown> {
+    // 1. Validate execution context (required for multi-tenant isolation)
+    if (!context) {
+      throw new ToolingError('validation_error', 'ExecutionContext required for integration calls', {
+        integration,
+        method,
+        credentialName
+      })
+    }
+
+    // 2. Validate adapter exists
+    const adapter = this.adapters.get(integration)
+    if (!adapter) {
+      throw new ToolingError('adapter_not_found', `Integration adapter not found: ${integration}`, {
+        integration,
+        availableAdapters: Array.from(this.adapters.keys())
+      })
+    }
+
+    // 3. Check rate limit (per organization per integration)
+    const rateLimitKey = `${context.organizationId}:${integration}`
+    const allowed = await this.rateLimiter.allow(rateLimitKey)
+    if (!allowed) {
+      const remaining = await this.rateLimiter.remaining(rateLimitKey)
+      throw new ToolingError('rate_limit_exceeded', 'Rate limit exceeded', {
+        integration,
+        organizationId: context.organizationId,
+        remaining
+      })
+    }
+
+    // 4. Get credentials from registry (per-execution cache keyed by credential name)
+    const cacheKey = `__cred_cache__:${credentialName}`
+    let credentials = context.store.get(cacheKey) as Record<string, unknown> | undefined
+
+    if (!credentials) {
+      const { credentialsService } = getToolServices()
+      if (!credentialsService) {
+        throw new ToolingError(
+          'service_unavailable',
+          'CredentialsService not initialized. Ensure toolServicesRegistry.initialize() was called in apps/api/src/main.ts',
+          { integration, credentialName }
+        )
+      }
+
+      const fetched = await credentialsService.getCredential(context.organizationId, credentialName)
+      if (!fetched) {
+        throw new ToolingError('credentials_missing', `No credentials found for credential name: ${credentialName}`, {
+          integration,
+          credentialName,
+          organizationId: context.organizationId
+        })
+      }
+
+      context.store.set(cacheKey, fetched)
+      credentials = fetched
+    }
+
+    // Log credential retrieval for OAuth integrations
+    const isOAuth = !!credentials.provider
+    if (isOAuth) {
+      const creds = credentials
+      context.logger?.debug(
+        `OAuth credential retrieved: integration=${integration}, credentialName=${credentialName}, provider=${creds.provider}, hasRefreshToken=${!!creds.refreshToken}, hasExpiresAt=${!!creds.expiresAt}, expiresAt=${creds.expiresAt}`
+      )
+    }
+
+    // 5. Validate credentials
+    const isValid = adapter.validateCredentials(credentials)
+    if (!isValid) {
+      throw new ToolingError('credentials_invalid', `Invalid credentials for integration: ${integration}`, {
+        integration,
+        organizationId: context.organizationId
+      })
+    }
+
+    // 6. Call adapter with retry (pass credentialName in context for token refresh persistence)
+    const contextWithCredential: ExecutionContext = {
+      ...context,
+      credentialName
+    }
+    return withRetry(() => adapter.call(method, params, credentials, contextWithCredential), this.retryPolicy)
+  }
+
+  /**
+   * Get adapter by name
+   * @param integration - Integration name
+   * @returns Adapter or undefined
+   */
+  getAdapter(integration: string): BaseIntegrationAdapter | undefined {
+    return this.adapters.get(integration)
+  }
+
+  /**
+   * Register adapter
+   * @param adapter - Adapter to register
+   */
+  registerAdapter(adapter: BaseIntegrationAdapter): void {
+    this.adapters.set(adapter.name, adapter)
+  }
+
+  /**
+   * Unregister adapter
+   * @param integration - Integration name to unregister
+   */
+  unregisterAdapter(integration: string): void {
+    this.adapters.delete(integration)
+  }
+}