@lobu/gateway 3.0.9 → 3.0.12

package/src/__tests__/provider-inheritance.test.ts

@@ -1,212 +0,0 @@
-import { beforeEach, describe, expect, test } from "bun:test";
-import { MockRedisClient } from "@lobu/core/testing";
-import {
-  ProviderCatalogService,
-  resolveInstalledProviders,
-} from "../auth/provider-catalog";
-import { AgentSettingsStore } from "../auth/settings/agent-settings-store";
-import { AuthProfilesManager } from "../auth/settings/auth-profiles-manager";
-import {
-  canEditSettingsSection,
-  canViewSettingsSection,
-  resolveSettingsView,
-} from "../auth/settings/resolved-settings-view";
-import { buildDefaultSettingsFromSource } from "../auth/settings/template-utils";
-import { hasConfiguredProvider } from "../services/platform-helpers";
-
-describe("sandbox provider inheritance", () => {
-  let redis: MockRedisClient;
-  let store: AgentSettingsStore;
-  let authProfilesManager: AuthProfilesManager;
-
-  beforeEach(() => {
-    redis = new MockRedisClient();
-    store = new AgentSettingsStore(redis as any);
-    authProfilesManager = new AuthProfilesManager(store);
-  });
-
-  test("inherits installed providers through metadata and connection template fallback", async () => {
-    await store.saveSettings("template-agent", {
-      installedProviders: [{ providerId: "z-ai", installedAt: 1 }],
-    });
-    await redis.set(
-      "agent_metadata:telegram-6570514069",
-      JSON.stringify({ parentConnectionId: "conn-1" })
-    );
-    await redis.set(
-      "connection:conn-1",
-      JSON.stringify({ templateAgentId: "template-agent" })
-    );
-
-    const providers = await resolveInstalledProviders(
-      store,
-      "telegram-6570514069"
-    );
-
-    expect(providers).toEqual([{ providerId: "z-ai", installedAt: 1 }]);
-  });
-
-  test("inherits auth profiles through metadata and connection template fallback", async () => {
-    await store.saveSettings("template-agent", {
-      authProfiles: [
-        {
-          id: "profile-1",
-          provider: "z-ai",
-          credential: "secret",
-          authType: "api-key",
-          label: "z.ai",
-          model: "*",
-          createdAt: 1,
-        },
-      ],
-      installedProviders: [{ providerId: "z-ai", installedAt: 1 }],
-    });
-    await redis.set(
-      "agent_metadata:telegram-6570514069",
-      JSON.stringify({ parentConnectionId: "conn-1" })
-    );
-    await redis.set(
-      "connection:conn-1",
-      JSON.stringify({ templateAgentId: "template-agent" })
-    );
-
-    const profiles = await authProfilesManager.listProfiles(
-      "telegram-6570514069"
-    );
-
-    expect(profiles).toHaveLength(1);
-    expect(profiles[0]?.provider).toBe("z-ai");
-    expect(profiles[0]?.credential).toBe("secret");
-  });
-
-  test("inherits auth profiles for cloned sandbox settings that copied providers", async () => {
-    await store.saveSettings("template-agent", {
-      authProfiles: [
-        {
-          id: "profile-1",
-          provider: "z-ai",
-          credential: "secret",
-          authType: "api-key",
-          label: "z.ai",
-          model: "*",
-          createdAt: 1,
-        },
-      ],
-      installedProviders: [{ providerId: "z-ai", installedAt: 1 }],
-    });
-
-    const templateSettings = await store.getSettings("template-agent");
-    const cloned = buildDefaultSettingsFromSource(templateSettings);
-    cloned.templateAgentId = "template-agent";
-    await store.saveSettings("telegram-6570514069", cloned);
-
-    const effective = await store.getEffectiveSettings("telegram-6570514069");
-    const profiles = await authProfilesManager.listProfiles(
-      "telegram-6570514069"
-    );
-
-    expect(cloned.authProfiles).toBeUndefined();
-    expect(effective?.authProfiles).toHaveLength(1);
-    expect(profiles).toHaveLength(1);
-  });
-
-  test("treats cloned sandbox settings as configured when template provides credentials", async () => {
-    await store.saveSettings("template-agent", {
-      authProfiles: [
-        {
-          id: "profile-1",
-          provider: "z-ai",
-          credential: "secret",
-          authType: "api-key",
-          label: "z.ai",
-          model: "*",
-          createdAt: 1,
-        },
-      ],
-      installedProviders: [{ providerId: "z-ai", installedAt: 1 }],
-    });
-
-    const templateSettings = await store.getSettings("template-agent");
-    const cloned = buildDefaultSettingsFromSource(templateSettings);
-    cloned.templateAgentId = "template-agent";
-    await store.saveSettings("telegram-6570514069", cloned);
-
-    await expect(
-      hasConfiguredProvider("telegram-6570514069", store)
-    ).resolves.toBe(true);
-  });
-
-  test("exposes inherited provider state with read-only model visibility", async () => {
-    await store.saveSettings("template-agent", {
-      installedProviders: [{ providerId: "z-ai", installedAt: 1 }],
-    });
-    await redis.set(
-      "agent_metadata:telegram-6570514069",
-      JSON.stringify({ parentConnectionId: "conn-1" })
-    );
-    await redis.set(
-      "connection:conn-1",
-      JSON.stringify({ templateAgentId: "template-agent" })
-    );
-
-    const settingsView = await resolveSettingsView({
-      agentId: "telegram-6570514069",
-      agentSettingsStore: store,
-      viewer: {
-        settingsMode: "user",
-        allowedScopes: ["view-model"],
-        isAdmin: false,
-      },
-    });
-
-    expect(
-      canViewSettingsSection("model", {
-        settingsMode: "user",
-        allowedScopes: ["view-model"],
-        isAdmin: false,
-      })
-    ).toBe(true);
-    expect(
-      canEditSettingsSection("model", {
-        settingsMode: "user",
-        allowedScopes: ["view-model"],
-        isAdmin: false,
-      })
-    ).toBe(false);
-    expect(settingsView.scope).toBe("sandbox");
-    expect(settingsView.sections.model.source).toBe("inherited");
-    expect(settingsView.sections.model.editable).toBe(false);
-    expect(settingsView.providerSources["z-ai"]?.source).toBe("inherited");
-    expect(settingsView.providerSources["z-ai"]?.canEdit).toBe(false);
-  });
-
-  test("uninstalling an inherited sandbox provider writes a local override list", async () => {
-    await store.saveSettings("template-agent", {
-      installedProviders: [
-        { providerId: "z-ai", installedAt: 1 },
-        { providerId: "openai", installedAt: 2 },
-      ],
-    });
-    await redis.set(
-      "agent_metadata:telegram-6570514069",
-      JSON.stringify({ parentConnectionId: "conn-1" })
-    );
-    await redis.set(
-      "connection:conn-1",
-      JSON.stringify({ templateAgentId: "template-agent" })
-    );
-
-    const catalog = new ProviderCatalogService(store, authProfilesManager);
-    await catalog.uninstallProvider("telegram-6570514069", "z-ai");
-
-    const local = await store.getSettings("telegram-6570514069");
-    const effective = await store.getEffectiveSettings("telegram-6570514069");
-
-    expect(local?.installedProviders).toEqual([
-      { providerId: "openai", installedAt: 2 },
-    ]);
-    expect(effective?.installedProviders).toEqual([
-      { providerId: "openai", installedAt: 2 },
-    ]);
-  });
-});

package/src/__tests__/routes/cli-auth.test.ts

@@ -1,337 +0,0 @@
-import { afterEach, beforeEach, describe, expect, mock, test } from "bun:test";
-import { decrypt } from "@lobu/core";
-import { MockRedisClient } from "../../../../core/src/__tests__/fixtures/mock-redis";
-import {
-  createCliAuthRoutes,
-  createConnectAuthRoutes,
-} from "../../routes/public/cli-auth";
-
-describe("cli auth routes", () => {
-  let originalKey: string | undefined;
-  let redis: MockRedisClient;
-  let queue: { getRedisClient(): MockRedisClient };
-
-  beforeEach(() => {
-    mock.restore();
-    originalKey = process.env.ENCRYPTION_KEY;
-    process.env.ENCRYPTION_KEY =
-      "0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef";
-    redis = new MockRedisClient();
-    queue = {
-      getRedisClient: () => redis,
-    };
-  });
-
-  afterEach(() => {
-    if (originalKey !== undefined) {
-      process.env.ENCRYPTION_KEY = originalKey;
-    } else {
-      delete process.env.ENCRYPTION_KEY;
-    }
-  });
-
-  test("POST /cli/start returns device mode when the external provider supports device auth", async () => {
-    const router = createCliAuthRoutes({
-      queue: queue as any,
-      externalAuthClient: {
-        getCapabilities: mock(async () => ({ browser: true, device: true })),
-        startDeviceAuthorization: mock(async () => ({
-          deviceAuthId: "device-123",
-          userCode: "ABCD-EFGH",
-          verificationUri: "https://issuer.example.com/device",
-          verificationUriComplete:
-            "https://issuer.example.com/device?user_code=ABCD-EFGH",
-          interval: 5,
-          expiresIn: 600,
-        })),
-      } as any,
-    });
-
-    const res = await router.request("/cli/start", {
-      method: "POST",
-      headers: { "Content-Type": "application/json" },
-    });
-
-    expect(res.status).toBe(200);
-    const body = await res.json();
-    expect(body.mode).toBe("device");
-    expect(body.deviceAuthId).toBe("device-123");
-    expect(body.userCode).toBe("ABCD-EFGH");
-  });
-
-  test("POST /cli/start falls back to browser mode when device auth is unavailable", async () => {
-    const router = createCliAuthRoutes({
-      queue: queue as any,
-      externalAuthClient: {
-        getCapabilities: mock(async () => ({ browser: true, device: false })),
-      } as any,
-    });
-
-    const res = await router.request("https://gateway.example.com/cli/start", {
-      method: "POST",
-      headers: { "Content-Type": "application/json" },
-    });
-
-    expect(res.status).toBe(200);
-    const body = await res.json();
-    expect(body.mode).toBe("browser");
-    expect(typeof body.requestId).toBe("string");
-    expect(body.loginUrl).toContain("/api/v1/auth/cli/session/login?request=");
-  });
-
-  test("GET /connect/oauth/login redirects into external browser auth", async () => {
-    const router = createConnectAuthRoutes({
-      queue: queue as any,
-      externalAuthClient: {
-        generateCodeVerifier: () => "code-verifier",
-        buildAuthUrl: mock(async (state: string, codeVerifier: string) => {
-          expect(state).toBeTruthy();
-          expect(codeVerifier).toBe("code-verifier");
-          return "https://issuer.example.com/oauth/authorize";
-        }),
-      } as any,
-    });
-
-    const res = await router.request(
-      "https://gateway.example.com/connect/oauth/login?returnUrl=%2Fdone"
-    );
-
-    expect(res.status).toBe(302);
-    expect(res.headers.get("location")).toBe(
-      "https://issuer.example.com/oauth/authorize"
-    );
-  });
-
-  test("GET /connect/oauth/callback sets a settings session and redirects back", async () => {
-    await redis.setex(
-      "cli:auth:connect:state-123",
-      600,
-      JSON.stringify({
-        returnUrl: "/done",
-        codeVerifier: "code-verifier",
-      })
-    );
-
-    const router = createConnectAuthRoutes({
-      queue: queue as any,
-      externalAuthClient: {
-        exchangeCodeForToken: mock(async () => ({
-          accessToken: "provider-access-token",
-          refreshToken: "provider-refresh-token",
-          tokenType: "Bearer",
-          expiresAt: Date.now() + 3600_000,
-          scopes: ["profile:read"],
-        })),
-        fetchUserInfo: mock(async () => ({
-          sub: "user-123",
-          email: "user@example.com",
-          name: "Example User",
-        })),
-      } as any,
-    });
-
-    const res = await router.request(
-      "https://gateway.example.com/connect/oauth/callback?code=auth-code&state=state-123"
-    );
-
-    expect(res.status).toBe(302);
-    expect(res.headers.get("location")).toBe("/done");
-    expect(res.headers.get("set-cookie")).toContain("lobu_settings_session=");
-
-    const setCookie = res.headers.get("set-cookie");
-    const token = setCookie?.match(/lobu_settings_session=([^;]+)/)?.[1];
-    expect(token).toBeTruthy();
-
-    const payload = JSON.parse(decrypt(decodeURIComponent(token!))) as Record<
-      string,
-      unknown
-    >;
-    expect(payload.userId).toBe("user-123");
-    expect(payload.platform).toBe("external");
-    expect(payload.isAdmin).toBeUndefined();
-    expect(payload.settingsMode).toBeUndefined();
-  });
-
-  test("POST /cli/poll mints Lobu tokens after device auth completes", async () => {
-    await redis.setex(
-      "cli:auth:device:device-123",
-      600,
-      JSON.stringify({
-        status: "pending",
-        createdAt: Date.now(),
-        expiresAt: Date.now() + 600_000,
-        interval: 5,
-        userCode: "ABCD-EFGH",
-        verificationUri: "https://issuer.example.com/device",
-      })
-    );
-
-    const router = createCliAuthRoutes({
-      queue: queue as any,
-      externalAuthClient: {
-        pollDeviceAuthorization: mock(async () => ({
-          status: "complete",
-          credentials: {
-            accessToken: "provider-access-token",
-            refreshToken: "provider-refresh-token",
-            tokenType: "Bearer",
-            expiresAt: Date.now() + 3600_000,
-            scopes: ["profile:read"],
-          },
-          user: {
-            sub: "user-123",
-            email: "user@example.com",
-            name: "Example User",
-          },
-        })),
-      } as any,
-    });
-
-    const res = await router.request("/cli/poll", {
-      method: "POST",
-      headers: { "Content-Type": "application/json" },
-      body: JSON.stringify({ deviceAuthId: "device-123" }),
-    });
-
-    expect(res.status).toBe(200);
-    const body = await res.json();
-    expect(body.status).toBe("complete");
-    expect(typeof body.accessToken).toBe("string");
-    expect(typeof body.refreshToken).toBe("string");
-    expect(body.user.userId).toBe("user-123");
-    expect(body.user.email).toBe("user@example.com");
-  });
-
-  test("POST /cli/poll returns a completed browser result from stored request state", async () => {
-    await redis.setex(
-      "cli:auth:request:req-123",
-      600,
-      JSON.stringify({
-        status: "complete",
-        createdAt: Date.now(),
-        result: {
-          accessToken: "lobu-access-token",
-          refreshToken: "lobu-refresh-token",
-          expiresAt: Date.now() + 3600_000,
-          user: {
-            userId: "user-123",
-            email: "user@example.com",
-            name: "Example User",
-          },
-        },
-      })
-    );
-
-    const router = createCliAuthRoutes({
-      queue: queue as any,
-      externalAuthClient: {} as any,
-    });
-
-    const res = await router.request("/cli/poll", {
-      method: "POST",
-      headers: { "Content-Type": "application/json" },
-      body: JSON.stringify({ requestId: "req-123" }),
-    });
-
-    expect(res.status).toBe(200);
-    const body = await res.json();
-    expect(body.status).toBe("complete");
-    expect(body.user.userId).toBe("user-123");
-  });
-
-  test("POST /cli/admin-login mints tokens when development fallback is enabled", async () => {
-    const router = createCliAuthRoutes({
-      queue: queue as any,
-      allowAdminPasswordLogin: true,
-      adminPassword: "dev-secret",
-    });
-
-    const res = await router.request("/cli/admin-login", {
-      method: "POST",
-      headers: {
-        "Content-Type": "application/json",
-        "X-Forwarded-For": "10.0.0.1",
-      },
-      body: JSON.stringify({ password: "dev-secret" }),
-    });
-
-    expect(res.status).toBe(200);
-    const body = await res.json();
-    expect(body.status).toBe("complete");
-    expect(typeof body.accessToken).toBe("string");
-    expect(body.user.userId).toBe("admin");
-  });
-
-  test("POST /cli/admin-login is rejected when disabled or password is wrong", async () => {
-    const disabledRouter = createCliAuthRoutes({
-      queue: queue as any,
-      allowAdminPasswordLogin: false,
-      adminPassword: "dev-secret",
-    });
-
-    const disabled = await disabledRouter.request("/cli/admin-login", {
-      method: "POST",
-      headers: { "Content-Type": "application/json" },
-      body: JSON.stringify({ password: "dev-secret" }),
-    });
-    expect(disabled.status).toBe(403);
-
-    const enabledRouter = createCliAuthRoutes({
-      queue: queue as any,
-      allowAdminPasswordLogin: true,
-      adminPassword: "dev-secret",
-    });
-
-    const wrong = await enabledRouter.request("/cli/admin-login", {
-      method: "POST",
-      headers: {
-        "Content-Type": "application/json",
-        "X-Forwarded-For": "10.0.0.1",
-      },
-      body: JSON.stringify({ password: "wrong-secret" }),
-    });
-    expect(wrong.status).toBe(401);
-  });
-
-  test("POST /cli/admin-login is rate limited per client IP", async () => {
-    const router = createCliAuthRoutes({
-      queue: queue as any,
-      allowAdminPasswordLogin: true,
-      adminPassword: "dev-secret",
-    });
-
-    for (let attempt = 0; attempt < 5; attempt += 1) {
-      const res = await router.request("/cli/admin-login", {
-        method: "POST",
-        headers: {
-          "Content-Type": "application/json",
-          "X-Forwarded-For": "10.0.0.9",
-        },
-        body: JSON.stringify({ password: "wrong-secret" }),
-      });
-      expect(res.status).toBe(401);
-    }
-
-    const limited = await router.request("/cli/admin-login", {
-      method: "POST",
-      headers: {
-        "Content-Type": "application/json",
-        "X-Forwarded-For": "10.0.0.9",
-      },
-      body: JSON.stringify({ password: "wrong-secret" }),
-    });
-
-    expect(limited.status).toBe(429);
-    expect(limited.headers.get("retry-after")).toBeTruthy();
-
-    const differentIp = await router.request("/cli/admin-login", {
-      method: "POST",
-      headers: {
-        "Content-Type": "application/json",
-        "X-Forwarded-For": "10.0.0.10",
-      },
-      body: JSON.stringify({ password: "dev-secret" }),
-    });
-    expect(differentIp.status).toBe(200);
-  });
-});

package/src/__tests__/routes/interactions.test.ts

@@ -1,121 +0,0 @@
-import { afterEach, beforeEach, describe, expect, mock, test } from "bun:test";
-import { generateWorkerToken } from "@lobu/core";
-import { createInteractionRoutes } from "../../routes/internal/interactions";
-
-describe("interaction routes", () => {
-  let originalKey: string | undefined;
-  let workerToken: string;
-  let mockInteractionService: any;
-  let router: ReturnType<typeof createInteractionRoutes>;
-
-  beforeEach(() => {
-    originalKey = process.env.ENCRYPTION_KEY;
-    process.env.ENCRYPTION_KEY =
-      "0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef";
-
-    workerToken = generateWorkerToken("user-1", "conv-1", "deploy-1", {
-      channelId: "chan-1",
-      teamId: "team-1",
-    });
-
-    mockInteractionService = {
-      postQuestion: mock(() => Promise.resolve({ id: "interaction-123" })),
-      createSuggestion: mock(() => Promise.resolve()),
-    };
-
-    router = createInteractionRoutes(mockInteractionService);
-  });
-
-  afterEach(() => {
-    if (originalKey !== undefined) {
-      process.env.ENCRYPTION_KEY = originalKey;
-    } else {
-      delete process.env.ENCRYPTION_KEY;
-    }
-  });
-
-  describe("POST /internal/interactions/create", () => {
-    test("returns 401 without auth header", async () => {
-      const res = await router.request("/internal/interactions/create", {
-        method: "POST",
-        headers: { "Content-Type": "application/json" },
-        body: JSON.stringify({ question: "test?", options: [] }),
-      });
-      expect(res.status).toBe(401);
-    });
-
-    test("returns 401 with invalid token", async () => {
-      const res = await router.request("/internal/interactions/create", {
-        method: "POST",
-        headers: {
-          "Content-Type": "application/json",
-          Authorization: "Bearer invalid-token",
-        },
-        body: JSON.stringify({ question: "test?", options: [] }),
-      });
-      expect(res.status).toBe(401);
-    });
-
-    test("posts question and returns id", async () => {
-      const res = await router.request("/internal/interactions/create", {
-        method: "POST",
-        headers: {
-          "Content-Type": "application/json",
-          Authorization: `Bearer ${workerToken}`,
-        },
-        body: JSON.stringify({
-          question: "Which option?",
-          options: ["A", "B"],
-        }),
-      });
-      expect(res.status).toBe(200);
-      const body = await res.json();
-      expect(body.id).toBe("interaction-123");
-      expect(body.status).toBe("posted");
-      expect(mockInteractionService.postQuestion).toHaveBeenCalledTimes(1);
-    });
-
-    test("returns 500 on service error", async () => {
-      mockInteractionService.postQuestion = mock(() =>
-        Promise.reject(new Error("service down"))
-      );
-      const res = await router.request("/internal/interactions/create", {
-        method: "POST",
-        headers: {
-          "Content-Type": "application/json",
-          Authorization: `Bearer ${workerToken}`,
-        },
-        body: JSON.stringify({ question: "test?", options: [] }),
-      });
-      expect(res.status).toBe(500);
-    });
-  });
-
-  describe("POST /internal/suggestions/create", () => {
-    test("creates suggestions", async () => {
-      const res = await router.request("/internal/suggestions/create", {
-        method: "POST",
-        headers: {
-          "Content-Type": "application/json",
-          Authorization: `Bearer ${workerToken}`,
-        },
-        body: JSON.stringify({
-          prompts: ["Try this", "Or this"],
-        }),
-      });
-      expect(res.status).toBe(200);
-      const body = await res.json();
-      expect(body.success).toBe(true);
-      expect(mockInteractionService.createSuggestion).toHaveBeenCalledTimes(1);
-    });
-
-    test("returns 401 without auth", async () => {
-      const res = await router.request("/internal/suggestions/create", {
-        method: "POST",
-        headers: { "Content-Type": "application/json" },
-        body: JSON.stringify({ prompts: ["test"] }),
-      });
-      expect(res.status).toBe(401);
-    });
-  });
-});