@intelmesh/sdk 0.1.0

package/tests/client/errors.test.ts

@@ -0,0 +1,159 @@
+import { describe, expect, it } from 'vitest';
+import {
+  ForbiddenError,
+  IntelMeshError,
+  InternalError,
+  isForbidden,
+  isIntelMeshError,
+  isNetwork,
+  isNotFound,
+  isUnauthorized,
+  isValidation,
+  mapStatusToError,
+  NetworkError,
+  NotFoundError,
+  ParseError,
+  UnavailableError,
+  UnauthorizedError,
+  ValidationError,
+} from '../../src/client/errors.js';
+
+describe('IntelMeshError', () => {
+  it('stores status, code, and message', () => {
+    const err = new IntelMeshError('test', 500, 'ERR');
+    expect(err.message).toBe('test');
+    expect(err.status).toBe(500);
+    expect(err.code).toBe('ERR');
+    expect(err.name).toBe('IntelMeshError');
+  });
+
+  it('extends Error', () => {
+    const err = new IntelMeshError('test', 500, 'ERR');
+    expect(err).toBeInstanceOf(Error);
+  });
+});
+
+describe('Typed error subclasses', () => {
+  it('ValidationError has status 400', () => {
+    const err = new ValidationError('bad input');
+    expect(err.status).toBe(400);
+    expect(err.name).toBe('ValidationError');
+    expect(err).toBeInstanceOf(IntelMeshError);
+  });
+
+  it('NotFoundError has status 404', () => {
+    const err = new NotFoundError('missing');
+    expect(err.status).toBe(404);
+    expect(err.name).toBe('NotFoundError');
+  });
+
+  it('UnauthorizedError has status 401', () => {
+    const err = new UnauthorizedError('no auth');
+    expect(err.status).toBe(401);
+    expect(err.name).toBe('UnauthorizedError');
+  });
+
+  it('ForbiddenError has status 403', () => {
+    const err = new ForbiddenError('denied');
+    expect(err.status).toBe(403);
+    expect(err.name).toBe('ForbiddenError');
+  });
+
+  it('InternalError has status 500', () => {
+    const err = new InternalError('boom');
+    expect(err.status).toBe(500);
+    expect(err.name).toBe('InternalError');
+  });
+
+  it('UnavailableError has status 503', () => {
+    const err = new UnavailableError('down');
+    expect(err.status).toBe(503);
+    expect(err.name).toBe('UnavailableError');
+  });
+
+  it('NetworkError has status 0', () => {
+    const err = new NetworkError('offline');
+    expect(err.status).toBe(0);
+    expect(err.code).toBe('NETWORK_ERROR');
+  });
+
+  it('ParseError has status 0', () => {
+    const err = new ParseError('bad json');
+    expect(err.status).toBe(0);
+    expect(err.code).toBe('PARSE_ERROR');
+  });
+});
+
+describe('Type guard helpers', () => {
+  it('isNotFound identifies NotFoundError', () => {
+    expect(isNotFound(new NotFoundError('x'))).toBe(true);
+    expect(isNotFound(new ValidationError('x'))).toBe(false);
+    expect(isNotFound(new Error('x'))).toBe(false);
+    expect(isNotFound(null)).toBe(false);
+  });
+
+  it('isValidation identifies ValidationError', () => {
+    expect(isValidation(new ValidationError('x'))).toBe(true);
+    expect(isValidation(new NotFoundError('x'))).toBe(false);
+  });
+
+  it('isUnauthorized identifies UnauthorizedError', () => {
+    expect(isUnauthorized(new UnauthorizedError('x'))).toBe(true);
+    expect(isUnauthorized(new ForbiddenError('x'))).toBe(false);
+  });
+
+  it('isForbidden identifies ForbiddenError', () => {
+    expect(isForbidden(new ForbiddenError('x'))).toBe(true);
+    expect(isForbidden(new UnauthorizedError('x'))).toBe(false);
+  });
+
+  it('isNetwork identifies NetworkError', () => {
+    expect(isNetwork(new NetworkError('x'))).toBe(true);
+    expect(isNetwork(new ParseError('x'))).toBe(false);
+  });
+
+  it('isIntelMeshError matches all subclasses', () => {
+    expect(isIntelMeshError(new ValidationError('x'))).toBe(true);
+    expect(isIntelMeshError(new NetworkError('x'))).toBe(true);
+    expect(isIntelMeshError(new Error('x'))).toBe(false);
+  });
+});
+
+describe('mapStatusToError', () => {
+  it('maps 400 to ValidationError', () => {
+    const err = mapStatusToError(400, 'bad', 'INVALID');
+    expect(err).toBeInstanceOf(ValidationError);
+    expect(err.code).toBe('INVALID');
+  });
+
+  it('maps 401 to UnauthorizedError', () => {
+    const err = mapStatusToError(401, 'no auth', 'UNAUTH');
+    expect(err).toBeInstanceOf(UnauthorizedError);
+  });
+
+  it('maps 403 to ForbiddenError', () => {
+    const err = mapStatusToError(403, 'denied', 'FORBIDDEN');
+    expect(err).toBeInstanceOf(ForbiddenError);
+  });
+
+  it('maps 404 to NotFoundError', () => {
+    const err = mapStatusToError(404, 'gone', 'MISSING');
+    expect(err).toBeInstanceOf(NotFoundError);
+  });
+
+  it('maps 503 to UnavailableError', () => {
+    const err = mapStatusToError(503, 'down', 'UNAVAIL');
+    expect(err).toBeInstanceOf(UnavailableError);
+  });
+
+  it('maps 502 to InternalError', () => {
+    const err = mapStatusToError(502, 'gateway', 'GW');
+    expect(err).toBeInstanceOf(InternalError);
+  });
+
+  it('maps unknown status to IntelMeshError', () => {
+    const err = mapStatusToError(429, 'rate', 'RATE');
+    expect(err).toBeInstanceOf(IntelMeshError);
+    expect(err.status).toBe(429);
+  });
+});

package/tests/provision/provisioner.test.ts

@@ -0,0 +1,311 @@
+// ---------------------------------------------------------------------------
+// Provisioner unit tests — mock fetch, no network calls
+// ---------------------------------------------------------------------------
+
+import { beforeEach, describe, expect, it, vi } from 'vitest';
+import { IntelMesh } from '../../src/client/intelmesh.js';
+import { Provisioner } from '../../src/provision/provisioner.js';
+
+/** Tracks resource creation and deletion counts. */
+interface MockState {
+  created: Record<string, number>;
+  deleted: Record<string, number>;
+  idSeq: number;
+}
+
+/**
+ * Handles POST requests in the mock fetch.
+ * @param url
+ * @param state
+ */
+// eslint-disable-next-line max-lines-per-function -- each branch is a simple JSON fixture; splitting further would obscure test data
+function handlePost(url: string, state: MockState): Response | null {
+  if (url.includes('/api/v1/phases')) {
+    state.created['phases'] = (state.created['phases'] ?? 0) + 1;
+    state.idSeq++;
+    return jsonResponse({
+      data: {
+        id: `phase-${String(state.idSeq)}`,
+        name: 'p',
+        position: 1,
+        created_at: '2025-01-01T00:00:00Z',
+      },
+    });
+  }
+  if (url.includes('/api/v1/scopes')) {
+    state.created['scopes'] = (state.created['scopes'] ?? 0) + 1;
+    state.idSeq++;
+    return jsonResponse({
+      data: {
+        id: `scope-${String(state.idSeq)}`,
+        name: 's',
+        json_path: '$.x',
+        created_at: '2025-01-01T00:00:00Z',
+      },
+    });
+  }
+  if (url.includes('/api/v1/lists')) {
+    state.created['lists'] = (state.created['lists'] ?? 0) + 1;
+    state.idSeq++;
+    return jsonResponse({
+      data: {
+        id: `list-${String(state.idSeq)}`,
+        name: 'l',
+        description: '',
+        created_at: '2025-01-01T00:00:00Z',
+        updated_at: '2025-01-01T00:00:00Z',
+      },
+    });
+  }
+  if (url.includes('/api/v1/rules')) {
+    state.created['rules'] = (state.created['rules'] ?? 0) + 1;
+    state.idSeq++;
+    return jsonResponse({
+      data: {
+        id: `rule-${String(state.idSeq)}`,
+        name: 'r',
+        phase_id: 'p1',
+        priority: 1,
+        expression: 'true',
+        applicable_when: '',
+        actions: {},
+        enabled: true,
+        dry_run: false,
+        current_version_id: 'v1',
+        created_at: '2025-01-01T00:00:00Z',
+        updated_at: '2025-01-01T00:00:00Z',
+      },
+    });
+  }
+  return null;
+}
+
+/**
+ * Handles DELETE requests in the mock fetch.
+ * @param url
+ * @param state
+ */
+function handleDelete(url: string, state: MockState): Response | null {
+  if (url.includes('/api/v1/phases/')) {
+    state.deleted['phases'] = (state.deleted['phases'] ?? 0) + 1;
+    return jsonResponse({ data: null });
+  }
+  if (url.includes('/api/v1/scopes/')) {
+    state.deleted['scopes'] = (state.deleted['scopes'] ?? 0) + 1;
+    return jsonResponse({ data: null });
+  }
+  if (url.includes('/api/v1/lists/')) {
+    state.deleted['lists'] = (state.deleted['lists'] ?? 0) + 1;
+    return jsonResponse({ data: null });
+  }
+  if (url.includes('/api/v1/rules/')) {
+    state.deleted['rules'] = (state.deleted['rules'] ?? 0) + 1;
+    return jsonResponse({ data: null });
+  }
+  return null;
+}
+
+/**
+ * Creates a mock fetch that simulates the IntelMesh API.
+ * @param state
+ */
+function createMockFetch(state: MockState): typeof globalThis.fetch {
+  return vi.fn((input: string | URL | Request, init?: RequestInit) => {
+    const url =
+      typeof input === 'string' ? input : input instanceof URL ? input.toString() : input.url;
+    const method = init?.method ?? 'GET';
+
+    if (method === 'POST') {
+      const res = handlePost(url, state);
+      if (res) return Promise.resolve(res);
+    }
+
+    if (method === 'DELETE') {
+      const res = handleDelete(url, state);
+      if (res) return Promise.resolve(res);
+    }
+
+    return Promise.resolve(new Response('Not Found', { status: 404 }));
+  }) as typeof globalThis.fetch;
+}
+
+/**
+ * Creates a JSON Response.
+ * @param body
+ */
+function jsonResponse(body: unknown): Response {
+  return new Response(JSON.stringify(body), {
+    status: 200,
+    headers: { 'Content-Type': 'application/json' },
+  });
+}
+
+// eslint-disable-next-line max-lines-per-function -- describe block spans many test cases; splitting into multiple files would obscure test coverage
+describe('Provisioner', () => {
+  let state: MockState;
+  let client: IntelMesh;
+
+  beforeEach(() => {
+    state = { created: {}, deleted: {}, idSeq: 0 };
+    client = new IntelMesh({
+      baseUrl: 'http://localhost:8080',
+      apiKey: 'test-key',
+      fetch: createMockFetch(state),
+    });
+  });
+
+  it('applies phases, scopes, lists, and rules in order', async () => {
+    const p = new Provisioner(client)
+      .phase('screening', 1)
+      .scope('client_uuid', 'event.metadata.client_uuid')
+      .list('blocklist')
+      .rule('block-rule')
+      .inPhase('screening')
+      .priority(1)
+      .when('true')
+      .decide('block', 'critical')
+      .halt()
+      .done();
+
+    await p.apply();
+
+    expect(state.created['phases']).toBe(1);
+    expect(state.created['scopes']).toBe(1);
+    expect(state.created['lists']).toBe(1);
+    expect(state.created['rules']).toBe(1);
+  });
+
+  it('stores resolved IDs after apply', async () => {
+    const p = new Provisioner(client)
+      .phase('screening', 1)
+      .scope('client_uuid', 'event.metadata.client_uuid')
+      .list('blocklist')
+      .rule('block-rule')
+      .inPhase('screening')
+      .priority(1)
+      .when('true')
+      .done();
+
+    await p.apply();
+
+    expect(p.phaseId('screening')).toBeTruthy();
+    expect(p.scopeId('client_uuid')).toBeTruthy();
+    expect(p.listId('blocklist')).toBeTruthy();
+    expect(p.ruleId('block-rule')).toBeTruthy();
+  });
+
+  it('returns empty string for unknown names', () => {
+    const p = new Provisioner(client);
+    expect(p.phaseId('unknown')).toBe('');
+    expect(p.scopeId('unknown')).toBe('');
+    expect(p.listId('unknown')).toBe('');
+    expect(p.ruleId('unknown')).toBe('');
+  });
+
+  it('throws when rule references missing phase', async () => {
+    const p = new Provisioner(client)
+      .rule('orphan-rule')
+      .inPhase('nonexistent')
+      .priority(1)
+      .when('true')
+      .done();
+
+    await expect(p.apply()).rejects.toThrow('phase not found');
+  });
+
+  it('tears down resources in reverse order', async () => {
+    const p = new Provisioner(client)
+      .phase('screening', 1)
+      .scope('client_uuid', 'event.metadata.client_uuid')
+      .list('blocklist')
+      .rule('block-rule')
+      .inPhase('screening')
+      .priority(1)
+      .when('true')
+      .done();
+
+    await p.apply();
+    await p.teardown();
+
+    expect(state.deleted['rules']).toBe(1);
+    expect(state.deleted['lists']).toBe(1);
+    expect(state.deleted['scopes']).toBe(1);
+    expect(state.deleted['phases']).toBe(1);
+  });
+
+  it('supports multiple phases', async () => {
+    const p = new Provisioner(client)
+      .phase('screening', 1)
+      .phase('scoring', 2)
+      .phase('decision', 3);
+
+    await p.apply();
+
+    expect(state.created['phases']).toBe(3);
+  });
+
+  it('supports rule with score delta', async () => {
+    const p = new Provisioner(client)
+      .phase('scoring', 1)
+      .rule('add-score')
+      .inPhase('scoring')
+      .priority(1)
+      .when('true')
+      .addScore(10)
+      .continue()
+      .done();
+
+    await p.apply();
+
+    expect(state.created['rules']).toBe(1);
+  });
+
+  it('supports rule with list mutation', async () => {
+    const p = new Provisioner(client)
+      .phase('scoring', 1)
+      .list('med_blocked')
+      .rule('med-add')
+      .inPhase('scoring')
+      .priority(1)
+      .applicableWhen("event.type == 'bacen.med.add'")
+      .when('true')
+      .mutateList('list.add', 'med_blocked', 'event.metadata.client_uuid')
+      .continue()
+      .done();
+
+    await p.apply();
+
+    expect(state.created['lists']).toBe(1);
+    expect(state.created['rules']).toBe(1);
+  });
+
+  it('supports dry-run rules', async () => {
+    const p = new Provisioner(client)
+      .phase('screening', 1)
+      .rule('dry-rule')
+      .inPhase('screening')
+      .priority(1)
+      .when('true')
+      .dryRun()
+      .done();
+
+    await p.apply();
+
+    expect(state.created['rules']).toBe(1);
+  });
+
+  it('supports skip-phase flow', async () => {
+    const p = new Provisioner(client)
+      .phase('screening', 1)
+      .rule('skip-rule')
+      .inPhase('screening')
+      .priority(1)
+      .when('true')
+      .skipPhase()
+      .done();
+
+    await p.apply();
+
+    expect(state.created['rules']).toBe(1);
+  });
+});

package/tests/scripts/compute-disttag.test.ts

@@ -0,0 +1,178 @@
+import { describe, expect, it } from 'vitest';
+import { spawnSync } from 'node:child_process';
+import { mkdtempSync, readFileSync, writeFileSync } from 'node:fs';
+import { tmpdir } from 'node:os';
+import { dirname, join, resolve } from 'node:path';
+import { fileURLToPath } from 'node:url';
+
+const here = dirname(fileURLToPath(import.meta.url));
+const scriptPath = resolve(here, '../../.github/scripts/compute-disttag.sh');
+
+interface ScriptOutput {
+  version: string;
+  disttag: string;
+  is_prerelease: string;
+}
+
+interface RawResult {
+  status: number;
+  stderr: string;
+}
+
+function parseOutput(raw: string): ScriptOutput {
+  const map = new Map<string, string>();
+  for (const line of raw.split(/\r?\n/)) {
+    const idx = line.indexOf('=');
+    if (idx === -1) continue;
+    map.set(line.slice(0, idx), line.slice(idx + 1));
+  }
+  return {
+    version: map.get('version') ?? '',
+    disttag: map.get('disttag') ?? '',
+    is_prerelease: map.get('is_prerelease') ?? '',
+  };
+}
+
+function runScriptRaw(env: Record<string, string>): RawResult {
+  const dir = mkdtempSync(join(tmpdir(), 'disttag-'));
+  // Ensure we do NOT inherit GITHUB_REF_NAME or GITHUB_OUTPUT from
+  // the parent process — compose the env from scratch with only
+  // PATH (needed for bash discovery) and whatever the caller passes.
+  const cleanEnv: Record<string, string> = { PATH: process.env.PATH ?? '' };
+  Object.assign(cleanEnv, env);
+  const result = spawnSync('bash', [scriptPath], {
+    env: cleanEnv,
+    encoding: 'utf-8',
+    cwd: dir,
+  });
+  return {
+    status: result.status ?? -1,
+    stderr: result.stderr,
+  };
+}
+
+function runScript(refName: string): ScriptOutput {
+  const dir = mkdtempSync(join(tmpdir(), 'disttag-'));
+  const outputFile = join(dir, 'github_output');
+  // eslint-disable-next-line security/detect-non-literal-fs-filename
+  writeFileSync(outputFile, '');
+  const result = spawnSync('bash', [scriptPath], {
+    env: {
+      ...process.env,
+      GITHUB_REF_NAME: refName,
+      GITHUB_OUTPUT: outputFile,
+    },
+    encoding: 'utf-8',
+    cwd: dir,
+  });
+  if (result.status !== 0) {
+    throw new Error(`Script failed (status=${String(result.status)}): ${result.stderr}`);
+  }
+  // eslint-disable-next-line security/detect-non-literal-fs-filename
+  return parseOutput(readFileSync(outputFile, 'utf-8'));
+}
+
+describe('compute-disttag.sh', () => {
+  it('stable v1.2.3 resolves to latest', () => {
+    const out = runScript('v1.2.3');
+    expect(out.version).toBe('1.2.3');
+    expect(out.disttag).toBe('latest');
+    expect(out.is_prerelease).toBe('false');
+  });
+
+  it('v1.2.3-beta.1 resolves to beta dist-tag', () => {
+    const out = runScript('v1.2.3-beta.1');
+    expect(out.version).toBe('1.2.3-beta.1');
+    expect(out.disttag).toBe('beta');
+    expect(out.is_prerelease).toBe('true');
+  });
+
+  it('v1.2.3-rc.2 resolves to rc dist-tag', () => {
+    const out = runScript('v1.2.3-rc.2');
+    expect(out.disttag).toBe('rc');
+    expect(out.is_prerelease).toBe('true');
+  });
+
+  it('v2.0.0-alpha.7 resolves to alpha dist-tag', () => {
+    const out = runScript('v2.0.0-alpha.7');
+    expect(out.disttag).toBe('alpha');
+    expect(out.is_prerelease).toBe('true');
+  });
+
+  it('v2.0.0-next.0 resolves to next dist-tag', () => {
+    const out = runScript('v2.0.0-next.0');
+    expect(out.disttag).toBe('next');
+    expect(out.is_prerelease).toBe('true');
+  });
+
+  it('v1.0.0-beta without dot suffix resolves to beta', () => {
+    const out = runScript('v1.0.0-beta');
+    expect(out.version).toBe('1.0.0-beta');
+    expect(out.disttag).toBe('beta');
+    expect(out.is_prerelease).toBe('true');
+  });
+
+  it('v1.0.0-beta-2 (valid semver, hyphen in prerelease) resolves to beta-2', () => {
+    const out = runScript('v1.0.0-beta-2');
+    expect(out.version).toBe('1.0.0-beta-2');
+    expect(out.disttag).toBe('beta-2');
+    expect(out.is_prerelease).toBe('true');
+  });
+
+  it('v1.2.3-BETA.1 lowercases the disttag to beta', () => {
+    const out = runScript('v1.2.3-BETA.1');
+    expect(out.version).toBe('1.2.3-BETA.1');
+    expect(out.disttag).toBe('beta');
+    expect(out.is_prerelease).toBe('true');
+  });
+});
+
+describe('compute-disttag.sh — error handling', () => {
+  it('exits non-zero when GITHUB_REF_NAME is unset', () => {
+    const result = runScriptRaw({ GITHUB_OUTPUT: join(tmpdir(), 'unused') });
+    expect(result.status).not.toBe(0);
+    expect(result.stderr).toContain('GITHUB_REF_NAME');
+  });
+
+  it('exits non-zero when GITHUB_REF_NAME is empty', () => {
+    const result = runScriptRaw({
+      GITHUB_REF_NAME: '',
+      GITHUB_OUTPUT: join(tmpdir(), 'unused'),
+    });
+    expect(result.status).not.toBe(0);
+    expect(result.stderr).toContain('GITHUB_REF_NAME');
+  });
+
+  it('exits non-zero when GITHUB_OUTPUT is unset', () => {
+    const result = runScriptRaw({ GITHUB_REF_NAME: 'v1.2.3' });
+    expect(result.status).not.toBe(0);
+    expect(result.stderr).toContain('GITHUB_OUTPUT');
+  });
+
+  it('rejects non-semver tag vA.B.C', () => {
+    const result = runScriptRaw({
+      GITHUB_REF_NAME: 'vA.B.C',
+      GITHUB_OUTPUT: join(tmpdir(), 'unused'),
+    });
+    expect(result.status).not.toBe(0);
+    expect(result.stderr).toContain('not a valid semver tag');
+  });
+
+  it('rejects non-semver tag v1.2', () => {
+    const result = runScriptRaw({
+      GITHUB_REF_NAME: 'v1.2',
+      GITHUB_OUTPUT: join(tmpdir(), 'unused'),
+    });
+    expect(result.status).not.toBe(0);
+    expect(result.stderr).toContain('not a valid semver tag');
+  });
+
+  it('rejects build-metadata tag v1.2.3+build.1', () => {
+    const result = runScriptRaw({
+      GITHUB_REF_NAME: 'v1.2.3+build.1',
+      GITHUB_OUTPUT: join(tmpdir(), 'unused'),
+    });
+    expect(result.status).not.toBe(0);
+    expect(result.stderr).toContain('not a valid semver tag');
+  });
+});