@hienlh/ppm 0.9.19 → 0.9.21

package/test-tokens.mjs

@@ -0,0 +1,212 @@
+#!/usr/bin/env bun
+/**
+ * Test script to check access token & refresh token expiry behavior.
+ *
+ * Usage:
+ *   bun test-tokens.mjs                  # test all accounts in dev DB
+ *   bun test-tokens.mjs <account-id>     # test specific account
+ *   bun test-tokens.mjs --refresh <id>   # force refresh and show new expiry
+ */
+
+import Database from "bun:sqlite";
+import { join } from "node:path";
+import { homedir } from "node:os";
+import { createDecipheriv } from "node:crypto";
+
+// --- Config ---
+const DB_PATH = join(homedir(), ".ppm", "ppm.dev.db");
+const OAUTH_CLIENT_ID = "9d1c250a-e61b-44d9-88ed-5944d1962f5e";
+const OAUTH_TOKEN_URL = "https://api.anthropic.com/v1/oauth/token";
+const PROFILE_URL = "https://api.anthropic.com/api/oauth/profile";
+
+// --- Crypto (matches src/lib/account-crypto.ts) ---
+function getEncryptionKey() {
+  const keyPath = join(homedir(), ".ppm", "account.key");
+  try {
+    const hex = require("node:fs").readFileSync(keyPath, "utf-8").trim();
+    return Buffer.from(hex, "hex");
+  } catch {
+    console.error(`Cannot find encryption key at ${keyPath}`);
+    process.exit(1);
+  }
+}
+
+function decrypt(encryptedValue) {
+  if (!encryptedValue || encryptedValue === "") return "";
+  const parts = encryptedValue.split(":");
+  if (parts.length !== 3) return encryptedValue; // not encrypted
+  const [ivHex, authTagHex, cipherHex] = parts;
+  const key = getEncryptionKey();
+  const decipher = createDecipheriv("aes-256-gcm", key, Buffer.from(ivHex, "hex"));
+  decipher.setAuthTag(Buffer.from(authTagHex, "hex"));
+  let decrypted = decipher.update(Buffer.from(cipherHex, "hex"), undefined, "utf8");
+  decrypted += decipher.final("utf8");
+  return decrypted;
+}
+
+// --- Helpers ---
+function formatExpiry(expiresAt) {
+  if (!expiresAt) return "N/A (no expiry)";
+  const now = Math.floor(Date.now() / 1000);
+  const diff = expiresAt - now;
+  const absMin = Math.abs(Math.floor(diff / 60));
+  const absHr = Math.floor(absMin / 60);
+  const remMin = absMin % 60;
+  const date = new Date(expiresAt * 1000).toLocaleString("vi-VN", { timeZone: "Asia/Saigon" });
+  if (diff > 0) {
+    return `${date} (còn ${absHr}h${remMin}m)`;
+  } else {
+    return `${date} (HẾT HẠN ${absHr}h${remMin}m trước)`;
+  }
+}
+
+async function testAccessToken(token) {
+  try {
+    const res = await fetch(PROFILE_URL, {
+      headers: {
+        Accept: "application/json",
+        Authorization: `Bearer ${token}`,
+        "anthropic-beta": "oauth-2025-04-20",
+        "User-Agent": "ppm-token-test/1.0",
+      },
+      signal: AbortSignal.timeout(10_000),
+    });
+    if (res.status === 200) {
+      const data = await res.json();
+      return { status: "VALID", code: 200, email: data.account?.email, name: data.account?.display_name };
+    }
+    if (res.status === 429) return { status: "VALID (rate-limited)", code: 429 };
+    const body = await res.text().catch(() => "");
+    return { status: "INVALID", code: res.status, error: body.slice(0, 200) };
+  } catch (e) {
+    return { status: "ERROR", error: e.message };
+  }
+}
+
+async function testRefreshToken(refreshToken) {
+  if (!refreshToken || refreshToken === "") {
+    return { status: "NO_TOKEN", error: "Empty refresh token (temporary account)" };
+  }
+  try {
+    const res = await fetch(OAUTH_TOKEN_URL, {
+      method: "POST",
+      headers: { "Content-Type": "application/json" },
+      body: JSON.stringify({
+        grant_type: "refresh_token",
+        client_id: OAUTH_CLIENT_ID,
+        refresh_token: refreshToken,
+      }),
+    });
+    if (res.ok) {
+      const data = await res.json();
+      return {
+        status: "VALID",
+        code: 200,
+        newAccessToken: data.access_token?.slice(0, 20) + "...",
+        newRefreshToken: data.refresh_token ? "YES (rotated)" : "NO (same)",
+        expiresIn: data.expires_in,
+        expiresInReadable: `${Math.floor(data.expires_in / 3600)}h${Math.floor((data.expires_in % 3600) / 60)}m`,
+      };
+    }
+    const body = await res.text().catch(() => "");
+    return { status: "INVALID", code: res.status, error: body.slice(0, 300) };
+  } catch (e) {
+    return { status: "ERROR", error: e.message };
+  }
+}
+
+// --- Main ---
+const args = process.argv.slice(2);
+const doRefresh = args.includes("--refresh");
+const targetId = args.find((a) => a !== "--refresh");
+
+console.log("=".repeat(70));
+console.log("PPM Token Expiry Test");
+console.log(`DB: ${DB_PATH}`);
+console.log(`Time: ${new Date().toLocaleString("vi-VN", { timeZone: "Asia/Saigon" })}`);
+console.log("=".repeat(70));
+
+let db;
+try {
+  db = new Database(DB_PATH, { readonly: true });
+} catch (e) {
+  console.error(`Cannot open DB: ${e.message}`);
+  process.exit(1);
+}
+
+const query = targetId
+  ? db.prepare("SELECT * FROM accounts WHERE id = ?").all(targetId)
+  : db.prepare("SELECT * FROM accounts ORDER BY priority ASC, created_at ASC").all();
+
+if (query.length === 0) {
+  console.log("No accounts found.");
+  process.exit(0);
+}
+
+for (const row of query) {
+  console.log("\n" + "-".repeat(70));
+  console.log(`Account: ${row.label ?? "N/A"}`);
+  console.log(`  ID:       ${row.id}`);
+  console.log(`  Email:    ${row.email ?? "N/A"}`);
+  console.log(`  Status:   ${row.status}`);
+  console.log(`  Expires:  ${formatExpiry(row.expires_at)}`);
+
+  let accessToken, refreshToken;
+  try {
+    accessToken = decrypt(row.access_token);
+    refreshToken = decrypt(row.refresh_token);
+  } catch (e) {
+    console.log(`  ⚠ Decrypt failed: ${e.message}`);
+    continue;
+  }
+
+  const isOAuth = accessToken.startsWith("sk-ant-oat");
+  console.log(`  Type:     ${isOAuth ? "OAuth token" : "API key"}`);
+  console.log(`  Has refresh token: ${refreshToken && refreshToken !== "" ? "YES" : "NO"}`);
+
+  if (!isOAuth) {
+    console.log(`  → API keys don't expire. Skipping token tests.`);
+    continue;
+  }
+
+  // Test 1: Is access token still valid?
+  console.log("\n  [1] Testing access token against profile API...");
+  const accessResult = await testAccessToken(accessToken);
+  if (accessResult.status.startsWith("VALID")) {
+    console.log(`  ✓ Access token: ${accessResult.status}`);
+    if (accessResult.email) console.log(`    Email: ${accessResult.email}, Name: ${accessResult.name}`);
+  } else {
+    console.log(`  ✗ Access token: ${accessResult.status} (HTTP ${accessResult.code})`);
+    if (accessResult.error) console.log(`    Error: ${accessResult.error}`);
+  }
+
+  // Test 2: Is refresh token still valid?
+  if (doRefresh) {
+    console.log("\n  [2] Testing refresh token (will actually refresh!)...");
+    const refreshResult = await testRefreshToken(refreshToken);
+    if (refreshResult.status === "VALID") {
+      console.log(`  ✓ Refresh token: VALID`);
+      console.log(`    New access token: ${refreshResult.newAccessToken}`);
+      console.log(`    New refresh token: ${refreshResult.newRefreshToken}`);
+      console.log(`    New expires_in: ${refreshResult.expiresIn}s (${refreshResult.expiresInReadable})`);
+      console.log(`    ⚠ NOTE: Old access token may now be invalidated!`);
+      console.log(`    ⚠ Run this script WITHOUT --refresh to avoid side effects.`);
+    } else {
+      console.log(`  ✗ Refresh token: ${refreshResult.status}`);
+      if (refreshResult.error) console.log(`    Error: ${refreshResult.error}`);
+    }
+  } else {
+    console.log("\n  [2] Refresh token: SKIPPED (use --refresh to test)");
+    console.log(`      ⚠ --refresh sẽ tạo access token MỚI, token cũ có thể bị invalidate!`);
+  }
+}
+
+console.log("\n" + "=".repeat(70));
+console.log("Summary:");
+console.log("  - Access token (sk-ant-oat*): thường hết hạn sau ~1h (expires_in từ OAuth)");
+console.log("  - Refresh token: không có expiry rõ ràng, chết khi Anthropic trả invalid_grant");
+console.log("  - Khi refresh: Anthropic CÓ THỂ rotate refresh token (trả token mới)");
+console.log("  - PPM auto-refresh mỗi 5 phút cho token sắp hết hạn (<5 phút)");
+console.log("=".repeat(70));
+
+db.close();

package/.claude.bak/agent-memory/tester/MEMORY.md

@@ -1,3 +0,0 @@
-# Tester Agent Memory Index
-
-- [project-ppm-test-conventions.md](project-ppm-test-conventions.md) - PPM test setup, gotchas, and conventions

package/.claude.bak/agent-memory/tester/project-ppm-test-conventions.md

@@ -1,32 +0,0 @@
----
-name: PPM test conventions and gotchas
-description: Key patterns, pitfalls, and setup details for writing tests in the PPM project
-type: project
----
-
-## Test runner: `bun test` (Jest-compatible API from `bun:test`)
-
-## Test structure
-- `tests/setup.ts` — shared helpers: `createTempDir`, `cleanupDir`, `createTempGitRepo`, `buildTestApp`
-- `tests/unit/services/` — unit tests for ConfigService, ProjectService, FileService, GitService
-- `tests/integration/api/` — integration tests using `app.request()` (no real server needed)
-
-## Critical gotchas
-
-### ppm.yaml in CWD
-The project root has a real `ppm.yaml` with `port: 5555`. `ConfigService.load(missingPath)` falls through to `LOCAL_CONFIG = "ppm.yaml"` in CWD when the given path doesn't exist. Always write an actual file before calling `load()` to avoid picking up this real config.
-
-### Global configService in git routes
-`src/server/routes/git.ts` imports and uses the global `configService` singleton (not injected). Integration tests for git API must mutate `configService.config.projects` directly to register the test repo. Restore to `[]` in `afterEach`.
-
-### ConfigService.load() fallback behavior
-Candidates checked in order: explicit path → PPM_CONFIG env → LOCAL_CONFIG (ppm.yaml) → HOME_CONFIG (~/.ppm/config.yaml). A missing explicit path does NOT stop the fallback chain.
-
-### buildTestApp in setup.ts
-Overrides `configService.save = () => {}` (no-op) to prevent tests writing to disk. Injects config directly by mutating private fields via `as unknown as`.
-
-### Real git repos for git tests
-`createTempGitRepo()` uses `Bun.spawn` with git env vars (author name/email) to create a real repo with an initial commit. No mocks for git operations.
-
-**Why:** Tests must use real implementations — no fakes/mocks that diverge from production behavior.
-**How to apply:** Always use `createTempGitRepo` for anything touching GitService or git API routes.