@lobu/gateway 2.8.0 → 3.0.6

package/src/__tests__/http-proxy.test.ts

@@ -0,0 +1,281 @@
+import { afterAll, beforeAll, describe, expect, test } from "bun:test";
+import * as crypto from "node:crypto";
+import * as http from "node:http";
+import * as net from "node:net";
+import { generateWorkerToken } from "@lobu/core";
+import { __testOnly, startHttpProxy, stopHttpProxy } from "../proxy/http-proxy";
+
+// Generate a stable 32-byte encryption key for tests
+const TEST_ENCRYPTION_KEY = crypto.randomBytes(32).toString("base64");
+
+// Single proxy server shared across all test suites
+let proxyPort: number;
+let proxyServer: http.Server;
+
+beforeAll(async () => {
+  process.env.ENCRYPTION_KEY = TEST_ENCRYPTION_KEY;
+  // Default to unrestricted for auth tests; domain tests use per-deployment config
+  process.env.WORKER_ALLOWED_DOMAINS = "*";
+
+  proxyPort = 10000 + Math.floor(Math.random() * 50000);
+  proxyServer = await startHttpProxy(proxyPort, "127.0.0.1");
+});
+
+afterAll(async () => {
+  await stopHttpProxy(proxyServer);
+  delete process.env.ENCRYPTION_KEY;
+  delete process.env.WORKER_ALLOWED_DOMAINS;
+});
+
+function makeBasicAuth(username: string, password: string): string {
+  return `Basic ${Buffer.from(`${username}:${password}`).toString("base64")}`;
+}
+
+/**
+ * Send a raw HTTP proxy request via TCP socket to avoid Bun's HTTP client
+ * retrying on 407 responses.
+ */
+function rawProxyRequest(
+  targetUrl: string,
+  options: { proxyAuth?: string } = {}
+): Promise<{ statusCode: number; headers: string; body: string }> {
+  return new Promise((resolve, reject) => {
+    const socket = new net.Socket();
+    socket.connect(proxyPort, "127.0.0.1", () => {
+      let req = `GET ${targetUrl} HTTP/1.1\r\nHost: ${new URL(targetUrl).host}\r\n`;
+      if (options.proxyAuth) {
+        req += `Proxy-Authorization: ${options.proxyAuth}\r\n`;
+      }
+      req += "Connection: close\r\n\r\n";
+      socket.write(req);
+    });
+
+    let data = "";
+    socket.on("data", (chunk: Buffer) => {
+      data += chunk.toString();
+    });
+
+    socket.on("end", () => {
+      // Parse status code from first line: "HTTP/1.1 407 ..."
+      const firstLineEnd = data.indexOf("\r\n");
+      const statusLine = data.substring(0, firstLineEnd);
+      const statusMatch = statusLine.match(/HTTP\/\d\.\d (\d+)/);
+      const statusCode = statusMatch ? parseInt(statusMatch[1]!, 10) : 0;
+
+      const headerEnd = data.indexOf("\r\n\r\n");
+      const headers = data.substring(0, headerEnd);
+      const body = headerEnd !== -1 ? data.substring(headerEnd + 4) : "";
+
+      resolve({ statusCode, headers, body });
+    });
+
+    socket.on("error", reject);
+    socket.setTimeout(5000, () => {
+      socket.destroy();
+      reject(new Error("Request timed out"));
+    });
+  });
+}
+
+/**
+ * Send a CONNECT request through the proxy and return the raw response line.
+ */
+function connectRequest(
+  host: string,
+  port: number,
+  options: { proxyAuth?: string } = {}
+): Promise<{ statusLine: string }> {
+  return new Promise((resolve, reject) => {
+    const socket = new net.Socket();
+    socket.connect(proxyPort, "127.0.0.1", () => {
+      let req = `CONNECT ${host}:${port} HTTP/1.1\r\nHost: ${host}:${port}\r\n`;
+      if (options.proxyAuth) {
+        req += `Proxy-Authorization: ${options.proxyAuth}\r\n`;
+      }
+      req += "\r\n";
+      socket.write(req);
+    });
+
+    let data = "";
+    socket.on("data", (chunk: Buffer) => {
+      data += chunk.toString();
+      const lineEnd = data.indexOf("\r\n");
+      if (lineEnd !== -1) {
+        socket.destroy();
+        resolve({ statusLine: data.substring(0, lineEnd) });
+      }
+    });
+
+    socket.on("error", reject);
+    socket.setTimeout(5000, () => {
+      socket.destroy();
+      reject(new Error("CONNECT request timed out"));
+    });
+  });
+}
+
+function createValidToken(deploymentName: string): string {
+  return generateWorkerToken("test-user", "test-conv", deploymentName, {
+    channelId: "test-channel",
+    platform: "test",
+  });
+}
+
+// ─── Auth tests ──────────────────────────────────────────────────────────────
+
+describe("HTTP Proxy Authentication", () => {
+  describe("HTTP requests", () => {
+    test("rejects request with no auth (407)", async () => {
+      const res = await rawProxyRequest("http://example.com/test");
+      expect(res.statusCode).toBe(407);
+      expect(res.headers.toLowerCase()).toContain("proxy-authenticate");
+    });
+
+    test("rejects request with invalid token (407)", async () => {
+      const res = await rawProxyRequest("http://example.com/test", {
+        proxyAuth: makeBasicAuth("my-deployment", "not-a-valid-token"),
+      });
+      expect(res.statusCode).toBe(407);
+    });
+
+    test("rejects request with deployment name mismatch (407)", async () => {
+      const token = createValidToken("real-deployment");
+      const res = await rawProxyRequest("http://example.com/test", {
+        proxyAuth: makeBasicAuth("fake-deployment", token),
+      });
+      expect(res.statusCode).toBe(407);
+    });
+
+    test("rejects request with empty password (407)", async () => {
+      const res = await rawProxyRequest("http://example.com/test", {
+        proxyAuth: makeBasicAuth("my-deployment", ""),
+      });
+      expect(res.statusCode).toBe(407);
+    });
+
+    test("accepts request with valid token", async () => {
+      const deploymentName = "test-worker-http";
+      const token = createValidToken(deploymentName);
+      const res = await rawProxyRequest("http://example.com/", {
+        proxyAuth: makeBasicAuth(deploymentName, token),
+      });
+      // Should pass auth — either upstream response or 502 (network error)
+      expect(res.statusCode).not.toBe(407);
+    });
+  });
+
+  describe("CONNECT requests", () => {
+    test("rejects CONNECT with no auth (407)", async () => {
+      const res = await connectRequest("example.com", 443);
+      expect(res.statusLine).toContain("407");
+    });
+
+    test("rejects CONNECT with invalid token (407)", async () => {
+      const res = await connectRequest("example.com", 443, {
+        proxyAuth: makeBasicAuth("my-deployment", "garbage-token"),
+      });
+      expect(res.statusLine).toContain("407");
+    });
+
+    test("rejects CONNECT with deployment mismatch (407)", async () => {
+      const token = createValidToken("actual-deployment");
+      const res = await connectRequest("example.com", 443, {
+        proxyAuth: makeBasicAuth("wrong-deployment", token),
+      });
+      expect(res.statusLine).toContain("407");
+    });
+
+    test("accepts CONNECT with valid token (200)", async () => {
+      const deploymentName = "test-worker-connect";
+      const token = createValidToken(deploymentName);
+      const res = await connectRequest("example.com", 443, {
+        proxyAuth: makeBasicAuth(deploymentName, token),
+      });
+      expect(res.statusLine).toContain("200");
+    });
+  });
+});
+
+// ─── Startup tests ───────────────────────────────────────────────────────────
+
+describe("HTTP Proxy Startup", () => {
+  test("rejects on port conflict (EADDRINUSE)", async () => {
+    const blockingPort = 10000 + Math.floor(Math.random() * 50000);
+    const blocker = http.createServer();
+    await new Promise<void>((resolve) =>
+      blocker.listen(blockingPort, "127.0.0.1", resolve)
+    );
+
+    try {
+      await expect(
+        startHttpProxy(blockingPort, "127.0.0.1")
+      ).rejects.toMatchObject({ code: "EADDRINUSE" });
+    } finally {
+      await new Promise<void>((resolve, reject) =>
+        blocker.close((err) => (err ? reject(err) : resolve()))
+      );
+    }
+  });
+
+  test("binds to specified host and port", async () => {
+    const port = 10000 + Math.floor(Math.random() * 50000);
+    const server = await startHttpProxy(port, "127.0.0.1");
+    try {
+      const addr = server.address();
+      expect(addr).not.toBeNull();
+      if (typeof addr === "object" && addr) {
+        expect(addr.port).toBe(port);
+        expect(addr.address).toBe("127.0.0.1");
+      }
+    } finally {
+      await stopHttpProxy(server);
+    }
+  });
+});
+
+// ─── Domain filtering tests ──────────────────────────────────────────────────
+// Global config is WORKER_ALLOWED_DOMAINS=* (unrestricted), so all domains pass.
+// Domain restriction via per-agent grants requires Redis and is tested separately.
+
+describe("HTTP Proxy Domain Filtering (unrestricted mode)", () => {
+  const deploymentName = "domain-test-worker";
+
+  test("rejects request to loopback IP literal", async () => {
+    const token = createValidToken(deploymentName);
+    const res = await rawProxyRequest("http://127.0.0.1/", {
+      proxyAuth: makeBasicAuth(deploymentName, token),
+    });
+    expect(res.statusCode).toBe(403);
+    expect(res.body).toContain("Target IP not allowed");
+  });
+
+  test("rejects request to IPv4-mapped IPv6 loopback (hex form)", async () => {
+    expect(__testOnly.isBlockedIpAddress("::ffff:7f00:1")).toBe(true);
+  });
+
+  test("rejects CONNECT when hostname resolves to loopback", async () => {
+    const token = createValidToken(deploymentName);
+    const res = await connectRequest("localhost", 443, {
+      proxyAuth: makeBasicAuth(deploymentName, token),
+    });
+    expect(res.statusLine).toContain("403");
+  });
+
+  test("allows request to any domain in unrestricted mode", async () => {
+    const token = createValidToken(deploymentName);
+    const res = await rawProxyRequest("http://example.com/", {
+      proxyAuth: makeBasicAuth(deploymentName, token),
+    });
+    // Passes auth + domain check — either upstream response or 502
+    expect(res.statusCode).not.toBe(403);
+    expect(res.statusCode).not.toBe(407);
+  });
+
+  test("allows CONNECT to any domain in unrestricted mode", async () => {
+    const token = createValidToken(deploymentName);
+    const res = await connectRequest("example.com", 443, {
+      proxyAuth: makeBasicAuth(deploymentName, token),
+    });
+    expect(res.statusLine).toContain("200");
+  });
+});

package/src/__tests__/instruction-service.test.ts

@@ -0,0 +1,37 @@
+import { beforeEach, describe, expect, test } from "bun:test";
+import { MockRedisClient } from "@lobu/core/testing";
+import { AgentSettingsStore } from "../auth/settings/agent-settings-store";
+import { InstructionService } from "../services/instruction-service";
+
+describe("InstructionService", () => {
+  let store: AgentSettingsStore;
+  let service: InstructionService;
+
+  beforeEach(() => {
+    store = new AgentSettingsStore(new MockRedisClient() as any);
+    service = new InstructionService(undefined, store);
+  });
+
+  test("returns stronger fallback guidance when agent instructions are unconfigured", async () => {
+    const sessionContext = await service.getSessionContext(
+      "telegram",
+      {
+        agentId: "agent-1",
+        userId: "user-1",
+        workingDirectory: "/workspace/thread-1",
+      } as any,
+      { settingsUrl: "http://localhost:8080/api/v1/agents/agent-1/config" }
+    );
+
+    expect(sessionContext.agentInstructions).toContain(
+      "## Agent Configuration Notice"
+    );
+    expect(sessionContext.agentInstructions).toContain(
+      "IDENTITY.md, SOUL.md, USER.md"
+    );
+    expect(sessionContext.agentInstructions).not.toContain("ScheduleReminder");
+    expect(sessionContext.agentInstructions).not.toContain(
+      "Do not invent product capabilities"
+    );
+  });
+});

package/src/__tests__/link-buttons.test.ts

@@ -0,0 +1,112 @@
+import { describe, expect, test } from "bun:test";
+import { extractSettingsLinkButtons } from "../platform/link-buttons";
+
+describe("extractSettingsLinkButtons", () => {
+  test("extracts settings link and replaces with label", () => {
+    const content =
+      "Click [Open Settings](https://example.com/connect/claim?claim=abc123) to continue";
+    const { processedContent, linkButtons } =
+      extractSettingsLinkButtons(content);
+
+    expect(linkButtons).toHaveLength(1);
+    expect(linkButtons[0]!.text).toBe("Open Settings");
+    expect(linkButtons[0]!.url).toBe(
+      "https://example.com/connect/claim?claim=abc123"
+    );
+    expect(processedContent).toBe("Click Open Settings to continue");
+    expect(processedContent).not.toContain("https://");
+  });
+
+  test("extracts settings link with agent param", () => {
+    const content =
+      "[Settings](https://example.com/connect/claim?claim=abc&agent=agent-1)";
+    const { linkButtons } = extractSettingsLinkButtons(content);
+
+    expect(linkButtons).toHaveLength(1);
+    expect(linkButtons[0]!.url).toBe(
+      "https://example.com/connect/claim?claim=abc&agent=agent-1"
+    );
+  });
+
+  test("extracts multiple settings links", () => {
+    const content =
+      "[First](https://a.com/connect/claim?claim=1) and [Second](https://b.com/connect/claim?claim=2)";
+    const { processedContent, linkButtons } =
+      extractSettingsLinkButtons(content);
+
+    expect(linkButtons).toHaveLength(2);
+    expect(processedContent).toBe("First and Second");
+  });
+
+  test("filters out localhost URLs", () => {
+    const content =
+      "[Settings](http://localhost:3000/connect/claim?claim=token)";
+    const { processedContent, linkButtons } =
+      extractSettingsLinkButtons(content);
+
+    expect(linkButtons).toHaveLength(0);
+    // Label still replaces the link
+    expect(processedContent).toBe("Settings");
+  });
+
+  test("filters out 127.0.0.1 URLs", () => {
+    const content = "[Settings](http://127.0.0.1/connect/claim?claim=token)";
+    const { linkButtons } = extractSettingsLinkButtons(content);
+    expect(linkButtons).toHaveLength(0);
+  });
+
+  test("does not match non-settings links", () => {
+    const content = "[Home](https://example.com/home)";
+    const { processedContent, linkButtons } =
+      extractSettingsLinkButtons(content);
+
+    expect(linkButtons).toHaveLength(0);
+    expect(processedContent).toBe(content); // unchanged
+  });
+
+  test("does not match links without claim= parameter", () => {
+    const content = "[Settings](https://example.com/agent)";
+    const { processedContent, linkButtons } =
+      extractSettingsLinkButtons(content);
+
+    expect(linkButtons).toHaveLength(0);
+    expect(processedContent).toBe(content);
+  });
+
+  test("returns empty buttons for content without links", () => {
+    const content = "No links here, just plain text";
+    const { processedContent, linkButtons } =
+      extractSettingsLinkButtons(content);
+
+    expect(linkButtons).toHaveLength(0);
+    expect(processedContent).toBe(content);
+  });
+
+  test("handles HTTP and HTTPS", () => {
+    const httpContent = "[A](http://example.com/connect/claim?claim=x)";
+    const httpsContent = "[B](https://example.com/connect/claim?claim=y)";
+
+    const httpResult = extractSettingsLinkButtons(httpContent);
+    const httpsResult = extractSettingsLinkButtons(httpsContent);
+
+    expect(httpResult.linkButtons).toHaveLength(1);
+    expect(httpsResult.linkButtons).toHaveLength(1);
+  });
+
+  test("mixed localhost and remote links only keeps remote", () => {
+    const content =
+      "[Local](http://localhost/connect/claim?claim=a) and [Remote](https://app.com/connect/claim?claim=b)";
+    const { linkButtons } = extractSettingsLinkButtons(content);
+
+    expect(linkButtons).toHaveLength(1);
+    expect(linkButtons[0]!.url).toContain("app.com");
+  });
+
+  test("keeps backward compatibility with legacy /agent claim links", () => {
+    const content = "[Legacy](https://example.com/agent?claim=legacy)";
+    const { linkButtons } = extractSettingsLinkButtons(content);
+
+    expect(linkButtons).toHaveLength(1);
+    expect(linkButtons[0]!.url).toBe("https://example.com/agent?claim=legacy");
+  });
+});

package/src/__tests__/lobu.test.ts

@@ -0,0 +1,32 @@
+import { afterEach, describe, expect, test } from "bun:test";
+import { Lobu } from "../lobu";
+
+const originalMemoryUrl = process.env.MEMORY_URL;
+const originalAdminPassword = process.env.ADMIN_PASSWORD;
+
+afterEach(() => {
+  if (originalMemoryUrl === undefined) {
+    delete process.env.MEMORY_URL;
+  } else {
+    process.env.MEMORY_URL = originalMemoryUrl;
+  }
+
+  if (originalAdminPassword === undefined) {
+    delete process.env.ADMIN_PASSWORD;
+  } else {
+    process.env.ADMIN_PASSWORD = originalAdminPassword;
+  }
+});
+
+describe("Lobu", () => {
+  test("applies config.memory to the gateway environment", () => {
+    delete process.env.MEMORY_URL;
+
+    new Lobu({
+      redis: "redis://localhost:6379",
+      memory: "https://memory.example.com",
+    });
+
+    expect(process.env.MEMORY_URL).toBe("https://memory.example.com");
+  });
+});