@gencow/core 0.1.18 → 0.1.21

package/src/__tests__/rls-crud-basic.test.ts

@@ -0,0 +1,431 @@
+/**
+ * fixtures/basic + PGlite — apply migrations, explicit fixtures, verify tasks.list CRUD handler.
+ *
+ * Users and tasks: fixed `id` / FK / `done` per row. Any other column omitted from the fixture is
+ * filled by drizzle-seed’s same per-type generators as `seed()` (see `fillPartialRowsForInsert`).
+ *
+ * Migrations run as the PGlite bootstrap user (table owner). We then create `gencow_rls_app` and
+ * `SET ROLE` so the session is non-owner → RLS policies apply. `createRlsDb` + crud’s use of
+ * `db.transaction` sets `app.current_user_id` per operation.
+ * We rely on `current_setting('app.current_user_id', true)` (missing_ok=true): this avoids
+ * missing-GUC errors before `set_config` and keeps PGlite behavior aligned with PostgreSQL.
+ *
+ * Run: bun test packages/core/src/__tests__/rls-crud-basic.test.ts
+ */
+
+import {
+  describe,
+  it,
+  expect,
+  beforeAll,
+  afterAll,
+} from "bun:test";
+import { dirname, join } from "path";
+import { fileURLToPath } from "url";
+import type { InferSelectModel } from "drizzle-orm";
+import { PGlite } from "@electric-sql/pglite";
+import { drizzle } from "drizzle-orm/pglite";
+import { crud } from "../crud";
+import type { UserIdentity } from "../reactive";
+import { tasks, user } from "./fixtures/basic/schema";
+import {
+  createPgliteRlsAppRole,
+  DEFAULT_PGLITE_RLS_APP_ROLE,
+  setPgliteSessionRole,
+} from "./helpers/pglite-rls-session";
+import { loadAndApplyMigrations } from "./helpers/pglite-migrations";
+import { fillPartialRowsForInsert } from "./helpers/seed-like-fill";
+import {
+  makeTestGencowCtxWithRls,
+  runWithRollbackTestGencowCtxWithRls,
+} from "./helpers/test-gencow-ctx-rls";
+
+const __dirname = dirname(fileURLToPath(import.meta.url));
+
+const fixtureUsers = [
+  { id: "us_000", name: "User 0", email: "user-0@s.com", emailVerified: true },
+  { id: "us_001", name: "User 1", email: "user-1@s.com", emailVerified: true },
+];
+
+/** Realistic titles; "Project Alpha" appears on two rows for us_000 and one for us_001 (RLS). */
+const fixtureTasks = [
+  {
+    id: "tk-000",
+    userId: fixtureUsers[0].id,
+    done: false,
+    title: "Project Alpha — Q4 review prep",
+  },
+  {
+    id: "tk-001",
+    userId: fixtureUsers[1].id,
+    done: true,
+    title: "Project Alpha — teammate handoff",
+  },
+  {
+    id: "tk-002",
+    userId: fixtureUsers[0].id,
+    done: false,
+    title: "Project Alpha — backlog grooming",
+  },
+  {
+    id: "tk-003",
+    userId: fixtureUsers[0].id,
+    done: false,
+    title: "Quarterly planning — Q4",
+  },
+  {
+    id: "tk-004",
+    userId: fixtureUsers[1].id,
+    done: false,
+    title: "Project Beta — API docs",
+  },
+  {
+    id: "tk-005",
+    userId: fixtureUsers[1].id,
+    done: false,
+    title: "Project Gamma — research notes",
+  },
+  {
+    id: "tk-006",
+    userId: fixtureUsers[0].id,
+    done: false,
+    title: "Project Beta — spike",
+  },
+];
+
+const user0Identity = {
+  id: fixtureUsers[0].id,
+  email: fixtureUsers[0].email,
+} satisfies UserIdentity;
+
+const user1Identity = {
+  id: fixtureUsers[1].id,
+  email: fixtureUsers[1].email,
+} satisfies UserIdentity;
+
+type TaskRow = InferSelectModel<typeof tasks>;
+type CrudDefs = ReturnType<typeof crud<typeof tasks>>;
+type TaskListResult = { data: TaskRow[]; total: number };
+
+async function seedBasicFixtures(db: ReturnType<typeof drizzle>) {
+  await db.insert(user).values(fillPartialRowsForInsert(user, fixtureUsers));
+  const taskRows = fillPartialRowsForInsert(
+    tasks,
+    fixtureTasks
+  ) as TaskRow[];
+  await db.insert(tasks).values(taskRows);
+  return taskRows;
+}
+
+async function createSeededCrudEnv() {
+  const client = new PGlite();
+  await client.waitReady;
+  await loadAndApplyMigrations(
+    client,
+    join(__dirname, "fixtures/basic/migrations")
+  );
+  const db = drizzle(client);
+  const taskRows = await seedBasicFixtures(db);
+  await createPgliteRlsAppRole(client, {
+    roleName: DEFAULT_PGLITE_RLS_APP_ROLE,
+  });
+  await setPgliteSessionRole(client, DEFAULT_PGLITE_RLS_APP_ROLE);
+
+  const defs = crud(tasks, {
+    prefix: "fixture_basic_pglite_tasks",
+    searchFields: ["title", "description"],
+    defaultLimit: 50,
+  });
+
+  return { client, db, taskRows, defs };
+}
+
+describe("fixtures/basic + PGlite + CRUD + RLS", () => {
+  let client: PGlite;
+  let db: ReturnType<typeof drizzle>;
+  let seededTaskRows: TaskRow[];
+  let listDef: CrudDefs["list"];
+  let listHandler: (ctx: unknown, args: unknown) => Promise<TaskListResult>;
+  let getHandler: NonNullable<CrudDefs["get"]>["handler"];
+  let createHandler: NonNullable<CrudDefs["create"]>["handler"];
+  let updateHandler: NonNullable<CrudDefs["update"]>["handler"];
+  let removeHandler: NonNullable<CrudDefs["remove"]>["handler"];
+
+  beforeAll(async () => {
+    const env = await createSeededCrudEnv();
+    client = env.client;
+    db = env.db;
+    seededTaskRows = env.taskRows;
+    listDef = env.defs.list;
+    listHandler = env.defs.list!.handler as (
+      ctx: unknown,
+      args: unknown
+    ) => Promise<TaskListResult>;
+    getHandler = env.defs.get!.handler as (
+      ctx: unknown,
+      args: unknown
+    ) => Promise<TaskRow | null>;
+    createHandler = env.defs.create!.handler as (
+      ctx: unknown,
+      args: unknown
+    ) => Promise<TaskRow>;
+    updateHandler = env.defs.update!.handler as (
+      ctx: unknown,
+      args: unknown
+    ) => Promise<TaskRow | undefined>;
+    removeHandler = env.defs.remove!.handler as (
+      ctx: unknown,
+      args: unknown
+    ) => Promise<{ success: boolean }>;
+  });
+
+  afterAll(async () => {
+    try {
+      await client.close();
+    } catch {
+      /* ignore */
+    }
+  });
+
+  it("tasks.list returns only the current user (us_000) rows per RLS and total matches", async () => {
+    expect(listDef).toBeDefined();
+
+    await runWithRollbackTestGencowCtxWithRls(db, user0Identity, async (ctx) => {
+      const listResult = await listHandler(ctx, {});
+
+      const expected = seededTaskRows.filter(
+        (r) => r.userId === fixtureUsers[0].id
+      );
+
+      expect(listResult).toHaveProperty("data");
+      expect(listResult).toHaveProperty("total");
+      expect(listResult.total).toBe(expected.length);
+
+      const rows = listResult.data;
+
+      const byId = new Map(rows.map((r) => [r.id, r]));
+      expect(byId.size).toBe(expected.length);
+
+      for (const seeded of expected) {
+        const row = byId.get(seeded.id);
+        expect(row).toBeDefined();
+        expect(row!.id).toBe(seeded.id);
+        expect(row!.userId).toBe(seeded.userId);
+        expect(row!.done).toBe(seeded.done);
+        expect(row!.title).toBe(seeded.title);
+      }
+    });
+  });
+
+  it("search parameter applies to title/description ilike search", async () => {
+    expect(listDef).toBeDefined();
+
+    await runWithRollbackTestGencowCtxWithRls(db, user0Identity, async (ctx) => {
+      const sharedSubstring = "Project Alpha";
+      const expectedForUser0 = seededTaskRows.filter(
+        (r) =>
+          r.userId === user0Identity.id &&
+          r.title.toLowerCase().includes(sharedSubstring.toLowerCase())
+      );
+      expect(expectedForUser0.length).toBe(2);
+
+      const result = await listHandler(ctx, { search: sharedSubstring });
+      const rows = result.data;
+      expect(rows.length).toBe(expectedForUser0.length);
+
+      const byId = new Map(rows.map((r) => [r.id, r]));
+      for (const seeded of expectedForUser0) {
+        expect(byId.get(seeded.id)?.title).toBe(seeded.title);
+      }
+    });
+  });
+
+  it("tasks.get succeeds when current user reads own task", async () => {
+    const ownTaskId = "tk-003";
+
+    await runWithRollbackTestGencowCtxWithRls(db, user0Identity, async (ctx) => {
+      const task = await getHandler(ctx, { id: ownTaskId });
+
+      expect(task).toBeDefined();
+      expect(task?.id).toBe(ownTaskId);
+      expect(task?.userId).toBe(user0Identity.id);
+    });
+  });
+
+  it("tasks.get fails when current user tries to read another user's task", async () => {
+    const user1TaskId = "tk-001";
+
+    await runWithRollbackTestGencowCtxWithRls(db, user0Identity, async (ctx) => {
+      const task = await getHandler(ctx, { id: user1TaskId });
+      expect(task).toBeNull();
+    });
+  });
+
+  it("tasks.update succeeds when updating a task owned by current user", async () => {
+    const ownTaskId = "tk-000";
+    const updatedTitle = "Project Alpha — updated by owner";
+    const updatedDone = true;
+
+    await runWithRollbackTestGencowCtxWithRls(
+      db,
+      user0Identity,
+      async (ctx) => {
+        const before = await getHandler(ctx, {
+          id: ownTaskId,
+        });
+        expect(before?.title).not.toBe(updatedTitle);
+        expect(before?.done).not.toBe(updatedDone);
+
+        const updated = await updateHandler(ctx, {
+          id: ownTaskId,
+          title: updatedTitle,
+          done: updatedDone,
+        });
+
+        expect(updated).toBeDefined();
+        expect(updated?.id).toBe(ownTaskId);
+        expect(updated?.userId).toBe(user0Identity.id);
+        expect(updated?.title).toBe(updatedTitle);
+        expect(updated?.done).toBe(updatedDone);
+
+        const fetched = await getHandler(ctx, {
+          id: ownTaskId,
+        });
+        expect(fetched?.id).toBe(ownTaskId);
+        expect(fetched?.title).toBe(updatedTitle);
+        expect(fetched?.done).toBe(updatedDone);
+      }
+    );
+  });
+
+  it("tasks.create succeeds when creating a task with current userId", async () => {
+    const ownTaskId = "tk-own-create";
+    const ownTaskTitle = "Project Delta — created by owner";
+
+    await runWithRollbackTestGencowCtxWithRls(
+      db,
+      user0Identity,
+      async (user0Ctx) => {
+        const created = await createHandler(user0Ctx, {
+          id: ownTaskId,
+          userId: user0Identity.id,
+          title: ownTaskTitle,
+          done: false,
+        });
+
+        expect(created).toBeDefined();
+        expect(created.id).toBe(ownTaskId);
+        expect(created.userId).toBe(user0Identity.id);
+        expect(created.title).toBe(ownTaskTitle);
+        expect(created.done).toBe(false);
+
+        const fetched = await getHandler(user0Ctx, {
+          id: ownTaskId,
+        });
+        expect(fetched).toBeDefined();
+        expect(fetched?.id).toBe(ownTaskId);
+        expect(fetched?.userId).toBe(user0Identity.id);
+      }
+    );
+  });
+
+  it("tasks.create fails when current user tries to create with another userId", async () => {
+    const unauthorizedTaskId = "tk-other-user-create";
+    await runWithRollbackTestGencowCtxWithRls(
+      db,
+      user0Identity,
+      async (user0Ctx) => {
+        await expect(
+          createHandler(user0Ctx, {
+            id: unauthorizedTaskId,
+            userId: user1Identity.id,
+            title: "Unauthorized create attempt",
+            done: false,
+          })
+        ).rejects.toThrow();
+
+        const user1Ctx = makeTestGencowCtxWithRls(user0Ctx.unsafeDb as any, user1Identity);
+        const after = await getHandler(user1Ctx, { id: unauthorizedTaskId });
+        expect(after).toBeNull();
+      }
+    );
+  });
+
+  it("tasks.update fails when current user tries to update user1 task", async () => {
+    const user1TaskId = "tk-001";
+    await runWithRollbackTestGencowCtxWithRls(
+      db,
+      user0Identity,
+      async (user0Ctx) => {
+        const user1Ctx = makeTestGencowCtxWithRls(user0Ctx.unsafeDb as any, user1Identity);
+
+        const before = await getHandler(user1Ctx, {
+          id: user1TaskId,
+        });
+        expect(before).toBeDefined();
+        const beforeTitle = before?.title;
+        const beforeDone = before?.done ?? false;
+
+        const unauthorizedUpdate = await updateHandler(user0Ctx, {
+          id: user1TaskId,
+          title: "Unauthorized update attempt",
+          done: !beforeDone,
+        });
+
+        expect(unauthorizedUpdate).toBeUndefined();
+
+        const after = await getHandler(user1Ctx, {
+          id: user1TaskId,
+        });
+        expect(after).toBeDefined();
+        expect(after?.title).toBe(beforeTitle);
+        expect(after?.done).toBe(beforeDone);
+      }
+    );
+  });
+
+  it("tasks.remove succeeds when deleting a task owned by current user", async () => {
+    const ownTaskId = "tk-002";
+    await runWithRollbackTestGencowCtxWithRls(
+      db,
+      user0Identity,
+      async (user0Ctx) => {
+        const before = await getHandler(user0Ctx, { id: ownTaskId });
+        expect(before).toBeDefined();
+
+        const removeResult = await removeHandler(user0Ctx, {
+          id: ownTaskId,
+        });
+        expect(removeResult.success).toBe(true);
+
+        const after = await getHandler(user0Ctx, { id: ownTaskId });
+        expect(after).toBeNull();
+      }
+    );
+  });
+
+  it("tasks.remove cannot delete a task owned by another user", async () => {
+    const user1TaskId = "tk-004";
+    await runWithRollbackTestGencowCtxWithRls(
+      db,
+      user0Identity,
+      async (user0Ctx) => {
+        const user1Ctx = makeTestGencowCtxWithRls(user0Ctx.unsafeDb as any, user1Identity);
+
+        const before = await getHandler(user1Ctx, { id: user1TaskId });
+        expect(before).toBeDefined();
+
+        const removeResult = await removeHandler(user0Ctx, {
+          id: user1TaskId,
+        });
+        expect(removeResult.success).toBe(true);
+
+        const after = await getHandler(user1Ctx, {
+          id: user1TaskId,
+        });
+        expect(after).toBeDefined();
+        expect(after?.id).toBe(user1TaskId);
+      }
+    );
+  });
+});

package/src/__tests__/storage.test.ts

@@ -206,3 +206,116 @@ describe("createStorage()", () => {
         });
     });
 });
+
+// ─── _system_files 테이블 리네이밍 관련 테스트 ────────────
+// 2026-04-10 WSOD 사고 후 추가: files → _system_files 리네이밍 검증
+// 📄 참고: docs/analysis/analysis-files-page-wsod.md
+
+describe("_system_files 시스템 테이블 네이밍", () => {
+    it("rawSql로 실행되는 모든 SQL에 old 'files' 테이블 참조가 없다", async () => {
+        const executedSql: string[] = [];
+        const mockRawSql = async (sql: string) => {
+            executedSql.push(sql);
+            if (sql.includes("SUM")) return [{ total: "0" }];
+            if (sql.includes("INSERT")) return [];
+            return [];
+        };
+
+        const tmpDir = await fs.mkdtemp(path.join(os.tmpdir(), "gencow-naming-"));
+        const storage = createStorage(tmpDir, { rawSql: mockRawSql });
+
+        // store 트리거 (ensureFilesTable + checkQuota + recordFileToDb)
+        const file = new File(["test"], "test.txt", { type: "text/plain" });
+        try { await storage.store(file); } catch {}
+
+        // 모든 실행된 SQL에서 old 테이블명 'files'가 아닌 '_system_files'만 참조하는지 확인
+        // (files 단독 참조를 찾되, _system_files는 통과)
+        for (const sql of executedSql) {
+            // "FROM files", "INTO files", "TABLE files" 같은 old 패턴이 없어야 함
+            expect(sql).not.toMatch(/\bFROM\s+files\b(?!_)/i);
+            expect(sql).not.toMatch(/\bINTO\s+files\b(?!_)/i);
+            expect(sql).not.toMatch(/\bTABLE\s+files\b(?!_)/i);
+        }
+
+        await fs.rm(tmpDir, { recursive: true, force: true }).catch(() => {});
+    });
+
+    it("쿼터 검증 SQL이 _system_files 테이블을 참조한다", async () => {
+        const executedSql: string[] = [];
+        const mockRawSql = async (sql: string) => {
+            executedSql.push(sql);
+            if (sql.includes("SUM")) return [{ total: "0" }];
+            if (sql.includes("INSERT")) return [];
+            return [];
+        };
+
+        const tmpDir = await fs.mkdtemp(path.join(os.tmpdir(), "gencow-quota-"));
+        const storage = createStorage(tmpDir, {
+            rawSql: mockRawSql,
+            storageQuota: 1000000000,
+        });
+
+        const file = new File(["small"], "small.txt");
+        try { await storage.store(file); } catch {}
+
+        // SUM 쿼리가 _system_files 테이블을 참조하는지 확인
+        const sumSql = executedSql.find(s => s.includes("SUM"));
+        if (sumSql) {
+            expect(sumSql).toContain("_system_files");
+            expect(sumSql).not.toMatch(/FROM\s+files[^_]/);
+        }
+
+        await fs.rm(tmpDir, { recursive: true, force: true }).catch(() => {});
+    });
+
+    it("recordFileToDb SQL이 _system_files 테이블에 INSERT한다", async () => {
+        const executedSql: string[] = [];
+        const mockRawSql = async (sql: string) => {
+            executedSql.push(sql);
+            if (sql.includes("SUM")) return [{ total: "0" }];
+            return [];
+        };
+
+        const tmpDir = await fs.mkdtemp(path.join(os.tmpdir(), "gencow-insert-"));
+        const storage = createStorage(tmpDir, { rawSql: mockRawSql });
+
+        const file = new File(["data"], "data.txt", { type: "text/plain" });
+        try { await storage.store(file); } catch {}
+
+        const insertSql = executedSql.find(s => s.includes("INSERT"));
+        if (insertSql) {
+            expect(insertSql).toContain("_system_files");
+            expect(insertSql).not.toMatch(/INTO\s+files[^_]/);
+        }
+
+        await fs.rm(tmpDir, { recursive: true, force: true }).catch(() => {});
+    });
+
+    it("delete SQL이 _system_files 테이블에서 삭제한다", async () => {
+        const executedSql: string[] = [];
+        const mockRawSql = async (sql: string) => {
+            executedSql.push(sql);
+            if (sql.includes("SUM")) return [{ total: "0" }];
+            return [];
+        };
+
+        const tmpDir = await fs.mkdtemp(path.join(os.tmpdir(), "gencow-delete-"));
+        const storage = createStorage(tmpDir, { rawSql: mockRawSql });
+
+        // store 후 delete
+        const file = new File(["delete-me"], "del.txt");
+        let storageId: string | undefined;
+        try { storageId = await storage.store(file); } catch {}
+        if (storageId) {
+            try { await storage.delete(storageId); } catch {}
+        }
+
+        const deleteSql = executedSql.find(s => s.includes("DELETE"));
+        if (deleteSql) {
+            expect(deleteSql).toContain("_system_files");
+            expect(deleteSql).not.toMatch(/FROM\s+files[^_]/);
+        }
+
+        await fs.rm(tmpDir, { recursive: true, force: true }).catch(() => {});
+    });
+});

package/src/__tests__/tsconfig.json

@@ -0,0 +1,8 @@
+{
+    "extends": "../../tsconfig.json",
+    "compilerOptions": {
+        "noEmit": true
+    },
+    "include": ["./**/*.ts"],
+    "exclude": []
+}

package/src/__tests__/validator.test.ts

@@ -281,4 +281,39 @@ describe("parseArgs()", () => {
         expect(err.statusCode).toBe(400);
         expect(err.name).toBe("GencowValidationError");
     });
+
+    // ─── 빈 스키마 passthrough (FormData 업로드 버그 회귀 방지) ────
+
+    it("빈 스키마 {} → args 전체 passthrough (FormData file 필드 보존)", () => {
+        const schema = {};
+        const args = { file: new File(["hello"], "test.txt"), _mutation: "upload.store" };
+        const result = parseArgs(schema, args);
+        // 빈 스키마이므로 args가 그대로 반환되어야 함 (file 포함)
+        expect(result).toBe(args); // 참조 동일
+        expect(result.file).toBeInstanceOf(File);
+        expect(result._mutation).toBe("upload.store");
+    });
+
+    it("빈 스키마 {} + 일반 객체 → passthrough", () => {
+        const schema = {};
+        const args = { name: "test", count: 42, nested: { a: 1 } };
+        const result = parseArgs(schema, args);
+        expect(result).toBe(args);
+        expect(result.name).toBe("test");
+        expect(result.count).toBe(42);
+    });
+
+    it("빈 스키마 {} + 빈 args {} → 빈 객체 반환", () => {
+        const result = parseArgs({}, {});
+        expect(result).toEqual({});
+    });
+
+    it("키가 있는 스키마는 여전히 지정된 키만 추출 (file 제거됨)", () => {
+        const schema = { title: v.string() };
+        const args = { title: "hello", file: "should-be-stripped", extra: 123 };
+        const result = parseArgs(schema, args);
+        expect(result).toEqual({ title: "hello" });
+        expect(result.file).toBeUndefined();
+        expect(result.extra).toBeUndefined();
+    });
 });