@openparachute/agent 0.1.2 → 0.2.2

package/src/daemon-jobs-api.test.ts

@@ -0,0 +1,271 @@
+/**
+ * Integration tests for the scheduled-jobs API (`/api/jobs*`) on the REAL daemon
+ * fetch handler (runner, design 2026-06-17). They cover:
+ *
+ *  - auth: all routes require `agent:admin` (no token → 401; agent:read → 403);
+ *  - GET    /api/jobs          → lists `#agent/job` notes across the vault channels;
+ *  - POST   /api/jobs          → 400 on bad cron / unknown / non-vault channel;
+ *                                200 + writes a #agent/job note on success;
+ *  - POST   /api/jobs/:id/run  → fires now (injects an inbound #agent/message note);
+ *  - DELETE /api/jobs/:id      → deletes the job note.
+ *
+ * The vault REST API is stubbed via `globalThis.fetch` (no live vault); the hub
+ * JWT validator is stubbed (sentinel tokens → fixed scopes) so the accept paths
+ * run without a live hub/JWKS. Mirrors daemon-config-api.test.ts's approach.
+ */
+import { describe, test, expect, mock, afterEach } from "bun:test";
+import { HubJwtError, looksLikeJwt } from "@openparachute/scope-guard";
+
+const ADMIN_TOKEN = "test-admin-token";
+const READ_TOKEN = "test-read-token";
+mock.module("./hub-jwt.ts", () => ({
+  AGENT_AUDIENCE: "agent",
+  CHANNEL_AUDIENCE: "channel",
+  async validateHubJwt(token: string) {
+    const base = { sub: "test", aud: "agent", jti: undefined, clientId: undefined, vaultScope: undefined };
+    if (token === ADMIN_TOKEN) return { ...base, scopes: ["agent:admin"] };
+    if (token === READ_TOKEN) return { ...base, scopes: ["agent:read"] };
+    throw new HubJwtError("issuer", "invalid token");
+  },
+  HubJwtError,
+  looksLikeJwt,
+  resetJwksCache() {},
+  resetRevocationCache() {},
+}));
+
+import { createFetchHandler } from "./daemon.ts";
+import { ClientRegistry } from "./routing.ts";
+import { VaultTransport } from "./transports/vault.ts";
+import type { Channel } from "./registry.ts";
+import type { TransportContext } from "./transport.ts";
+
+const realFetch = globalThis.fetch;
+afterEach(() => {
+  globalThis.fetch = realFetch;
+});
+
+const adminAuth = { authorization: "Bearer " + ADMIN_TOKEN } as const;
+const readAuth = { authorization: "Bearer " + READ_TOKEN } as const;
+
+/**
+ * A live channels map: one vault channel ("eng") + one telegram-shaped channel
+ * stub ("tg", non-vault) so the non-vault rejection path is exercised. The vault
+ * REST calls are routed through the `vaultFetch` stub the caller installs.
+ */
+function buildServer() {
+  const registry = new ClientRegistry();
+  const channels = new Map<string, Channel>();
+  const eng = new VaultTransport({ vault: "default", vaultUrl: "http://127.0.0.1:1940", token: "vtok" });
+  const ctx: TransportContext = { channel: "eng", emit() {}, emitPermissionVerdict() {} };
+  void eng.start(ctx);
+  channels.set("eng", { name: "eng", transport: eng, entry: { name: "eng", transport: "vault", config: { vault: "default" } } });
+
+  // A minimal non-vault transport stub for the "non-vault channel rejected" case.
+  const tgTransport = {
+    kind: "telegram",
+    async start() {},
+    async stop() {},
+    async reply() { return { sent: [] }; },
+  };
+  channels.set("tg", { name: "tg", transport: tgTransport as unknown as Channel["transport"], entry: { name: "tg", transport: "telegram" } });
+
+  const srv = Bun.serve({ port: 0, hostname: "127.0.0.1", idleTimeout: 0, fetch: createFetchHandler(channels, registry) });
+  return { srv, base: `http://127.0.0.1:${srv.port}`, channels };
+}
+
+/**
+ * Install a fetch stub that intercepts ONLY vault REST calls (port 1940 — the
+ * VaultTransport's `vaultUrl`) and records them + returns canned responses.
+ * Requests to ANY other URL — crucially the test client's own calls to the
+ * loopback test server — pass through to the real fetch, so overriding
+ * `globalThis.fetch` doesn't swallow the request under test.
+ */
+function stubVault(handler: (url: string, init: RequestInit) => Response) {
+  const calls: { url: string; init: RequestInit }[] = [];
+  globalThis.fetch = (async (url: string | URL | Request, init?: RequestInit) => {
+    const u = String(url);
+    if (u.includes(":1940/")) {
+      calls.push({ url: u, init: init ?? {} });
+      return handler(u, init ?? {});
+    }
+    return realFetch(url as Parameters<typeof fetch>[0], init);
+  }) as typeof fetch;
+  return calls;
+}
+
+describe("/api/jobs — auth", () => {
+  test("no token → 401", async () => {
+    const { srv, base } = buildServer();
+    try {
+      const res = await fetch(`${base}/api/jobs`);
+      expect(res.status).toBe(401);
+    } finally { srv.stop(true); }
+  });
+
+  test("agent:read (insufficient) → 403", async () => {
+    const { srv, base } = buildServer();
+    try {
+      const res = await fetch(`${base}/api/jobs`, { headers: readAuth });
+      expect(res.status).toBe(403);
+    } finally { srv.stop(true); }
+  });
+});
+
+describe("GET /api/jobs — list", () => {
+  test("lists #agent/job notes from the vault", async () => {
+    const { srv, base } = buildServer();
+    stubVault(() =>
+      new Response(
+        JSON.stringify([
+          { id: "Channels/eng/jobs/m", content: "go", metadata: { channel: "eng", cron: "0 9 * * *", enabled: "true", createdAt: "t0" } },
+        ]),
+        { status: 200, headers: { "content-type": "application/json" } },
+      ),
+    );
+    try {
+      const res = await fetch(`${base}/api/jobs`, { headers: adminAuth });
+      expect(res.status).toBe(200);
+      const body = await res.json();
+      expect(body.jobs).toHaveLength(1);
+      expect(body.jobs[0]).toMatchObject({ id: "Channels/eng/jobs/m", channel: "eng", message: "go" });
+    } finally { srv.stop(true); }
+  });
+});
+
+describe("POST /api/jobs — create + validation", () => {
+  test("bad cron → 400", async () => {
+    const { srv, base } = buildServer();
+    try {
+      const res = await fetch(`${base}/api/jobs`, {
+        method: "POST",
+        headers: { "content-type": "application/json", ...adminAuth },
+        body: JSON.stringify({ id: "x", channel: "eng", message: "m", schedule: { cron: "99 9 * * *" } }),
+      });
+      expect(res.status).toBe(400);
+      expect((await res.json()).error).toMatch(/cron/);
+    } finally { srv.stop(true); }
+  });
+
+  test("unknown channel → 400", async () => {
+    const { srv, base } = buildServer();
+    try {
+      const res = await fetch(`${base}/api/jobs`, {
+        method: "POST",
+        headers: { "content-type": "application/json", ...adminAuth },
+        body: JSON.stringify({ id: "x", channel: "ghost", message: "m", schedule: { cron: "0 9 * * *" } }),
+      });
+      expect(res.status).toBe(400);
+      expect((await res.json()).error).toMatch(/unknown channel/);
+    } finally { srv.stop(true); }
+  });
+
+  test("non-vault channel → 400", async () => {
+    const { srv, base } = buildServer();
+    try {
+      const res = await fetch(`${base}/api/jobs`, {
+        method: "POST",
+        headers: { "content-type": "application/json", ...adminAuth },
+        body: JSON.stringify({ id: "x", channel: "tg", message: "m", schedule: { cron: "0 9 * * *" } }),
+      });
+      expect(res.status).toBe(400);
+      expect((await res.json()).error).toMatch(/not a vault channel/);
+    } finally { srv.stop(true); }
+  });
+
+  test("valid → 200 + writes a #agent/job note", async () => {
+    const { srv, base } = buildServer();
+    const calls = stubVault((url, init) => {
+      // The job POST is to /api/notes; everything else (ensureSchema PUTs) is benign.
+      if (url.endsWith("/api/notes") && init.method === "POST") {
+        return new Response(JSON.stringify({ id: "Channels/eng/jobs/x" }), { status: 201, headers: { "content-type": "application/json" } });
+      }
+      return new Response("{}", { status: 200, headers: { "content-type": "application/json" } });
+    });
+    try {
+      const res = await fetch(`${base}/api/jobs`, {
+        method: "POST",
+        headers: { "content-type": "application/json", ...adminAuth },
+        body: JSON.stringify({ id: "x", channel: "eng", message: "  do it  ", schedule: { cron: "0 9 * * *", tz: "UTC" } }),
+      });
+      expect(res.status).toBe(200);
+      const body = await res.json();
+      expect(body.ok).toBe(true);
+      expect(body.job.id).toBe("x"); // the operator slug stays the id
+      expect(body.job.noteId).toBe("Channels/eng/jobs/x"); // vault note id for addressing
+      const post = calls.find((c) => c.url.endsWith("/api/notes") && c.init.method === "POST")!;
+      const sent = JSON.parse(String(post.init.body));
+      expect(sent.tags).toEqual(["#agent/job"]);
+      expect(sent.content).toBe("do it"); // trimmed
+      expect(sent.metadata.enabled).toBe("true");
+      expect(sent.metadata.jobId).toBe("x");
+    } finally { srv.stop(true); }
+  });
+});
+
+describe("POST /api/jobs/:id/run — fire now", () => {
+  test("injects an inbound #agent/message note + returns ok", async () => {
+    const { srv, base } = buildServer();
+    const calls = stubVault((url, init) => {
+      if (url.includes("/api/notes") && (init.method ?? "GET") === "GET") {
+        // The store's listAll → return the job to find.
+        return new Response(
+          JSON.stringify([{ id: "Channels/eng/jobs/x", content: "do it", metadata: { channel: "eng", cron: "0 9 * * *", enabled: "true", createdAt: "t0" } }]),
+          { status: 200, headers: { "content-type": "application/json" } },
+        );
+      }
+      // The inject POST (and any patch).
+      return new Response(JSON.stringify({ id: "inbound-1" }), { status: 201, headers: { "content-type": "application/json" } });
+    });
+    try {
+      // The "id" the route addresses is the vault NOTE id returned by the list.
+      const res = await fetch(`${base}/api/jobs/${encodeURIComponent("Channels/eng/jobs/x")}/run`, { method: "POST", headers: adminAuth });
+      expect(res.status).toBe(200);
+      expect((await res.json()).ok).toBe(true);
+      // The injected note is INBOUND with the #agent/message tags.
+      const inject = calls.find((c) => c.url.endsWith("/api/notes") && c.init.method === "POST")!;
+      const sent = JSON.parse(String(inject.init.body));
+      expect(sent.tags).toEqual(["#agent/message", "#agent/message/inbound"]);
+      expect(sent.metadata.sender).toBe("runner:Channels/eng/jobs/x");
+    } finally { srv.stop(true); }
+  });
+
+  test("unknown job id → 404", async () => {
+    const { srv, base } = buildServer();
+    stubVault(() => new Response(JSON.stringify([]), { status: 200, headers: { "content-type": "application/json" } }));
+    try {
+      const res = await fetch(`${base}/api/jobs/nope/run`, { method: "POST", headers: adminAuth });
+      expect(res.status).toBe(404);
+    } finally { srv.stop(true); }
+  });
+});
+
+describe("DELETE /api/jobs/:id", () => {
+  test("deletes the job note", async () => {
+    const { srv, base } = buildServer();
+    const calls = stubVault((url, init) => {
+      if (url.includes("/api/notes") && (init.method ?? "GET") === "GET") {
+        return new Response(
+          JSON.stringify([{ id: "Channels/eng/jobs/x", content: "go", metadata: { channel: "eng", cron: "0 9 * * *", enabled: "true" } }]),
+          { status: 200, headers: { "content-type": "application/json" } },
+        );
+      }
+      return new Response(null, { status: 204 });
+    });
+    try {
+      const res = await fetch(`${base}/api/jobs/Channels%2Feng%2Fjobs%2Fx`, { method: "DELETE", headers: adminAuth });
+      expect(res.status).toBe(200);
+      expect((await res.json()).removed).toBe(true);
+      expect(calls.some((c) => c.init.method === "DELETE")).toBe(true);
+    } finally { srv.stop(true); }
+  });
+
+  test("deleting an absent job is idempotent (removed:false)", async () => {
+    const { srv, base } = buildServer();
+    stubVault(() => new Response(JSON.stringify([]), { status: 200, headers: { "content-type": "application/json" } }));
+    try {
+      const res = await fetch(`${base}/api/jobs/gone`, { method: "DELETE", headers: adminAuth });
+      expect(res.status).toBe(200);
+      expect((await res.json()).removed).toBe(false);
+    } finally { srv.stop(true); }
+  });
+});

package/src/daemon-vault-chat.test.ts

@@ -0,0 +1,250 @@
+/**
+ * Vault-backed chat — daemon route tests for the read/send the built-in chat uses
+ * against a VAULT-transport channel (Phase 4).
+ *
+ *   - GET  /api/channels/<ch>/messages  (gate agent:read) →
+ *       vault   → loadTranscript() → { messages }
+ *       http-ui → { messages: [] }  (ephemeral transport, no durable store)
+ *       unknown → 404
+ *   - POST /api/channels/<ch>/send      (gate agent:send) →
+ *       vault   → writeInbound(text, "operator") → { ok, id }   (the WAKE path)
+ *
+ * Auth: the same sentinel-token `mock.module("./hub-jwt.ts")` harness the other
+ * daemon tests use — a `Bearer test-rw-token` validates with agent:read + send
+ * WITHOUT a live hub/JWKS; the no-token path still hits the real 401 short-circuit.
+ *
+ * The vault I/O is exercised through a REAL `VaultTransport` instance (the daemon
+ * branches on `instanceof VaultTransport`) whose `loadTranscript` / `writeInbound`
+ * are MONKEYPATCHED on the instance — so we assert the daemon's dispatch + shaping
+ * without writing to (or reading from) any real vault. NO live vault, NO uni-* writes.
+ */
+import { describe, test, expect, mock } from "bun:test";
+
+const RW_TOKEN = "test-rw-token"; // agent:read + agent:send
+import { HubJwtError, looksLikeJwt } from "@openparachute/scope-guard";
+mock.module("./hub-jwt.ts", () => ({
+  AGENT_AUDIENCE: "agent",
+  CHANNEL_AUDIENCE: "channel",
+  async validateHubJwt(token: string) {
+    const base = { sub: "test", aud: "agent", jti: undefined, clientId: undefined, vaultScope: undefined };
+    if (token === RW_TOKEN) return { ...base, scopes: ["agent:read", "agent:send"] };
+    throw new HubJwtError("issuer", "invalid token");
+  },
+  HubJwtError,
+  looksLikeJwt,
+  resetJwksCache() {},
+  resetRevocationCache() {},
+}));
+
+import { createFetchHandler } from "./daemon.ts";
+import { ClientRegistry } from "./routing.ts";
+import { HttpUiTransport } from "./transports/http-ui.ts";
+import { VaultTransport, type ChannelMessage } from "./transports/vault.ts";
+import type { Channel } from "./registry.ts";
+
+/** A VaultTransport whose vault I/O is stubbed on the instance (instanceof holds). */
+function stubVault(opts: {
+  transcript?: ChannelMessage[];
+  loadThrows?: Error;
+  onWrite?: (text: string, sender?: string) => void;
+  writeThrows?: Error;
+  writeId?: string;
+}): VaultTransport {
+  const t = new VaultTransport({ vault: "default", vaultUrl: "http://127.0.0.1:1940", token: "x" });
+  // Bind ctx without firing the real ensureSchema network call.
+  (t as unknown as { ctx: { channel: string } }).ctx = { channel: "eng" };
+  t.loadTranscript = async () => {
+    if (opts.loadThrows) throw opts.loadThrows;
+    return opts.transcript ?? [];
+  };
+  t.writeInbound = async (text: string, sender?: string) => {
+    if (opts.writeThrows) throw opts.writeThrows;
+    opts.onWrite?.(text, sender);
+    return { id: opts.writeId ?? "written-note-1" };
+  };
+  return t;
+}
+
+function serverWith(channels: Map<string, Channel>) {
+  const registry = new ClientRegistry();
+  const srv = Bun.serve({
+    port: 0,
+    hostname: "127.0.0.1",
+    idleTimeout: 0,
+    fetch: createFetchHandler(channels, registry),
+  });
+  return { srv, base: `http://127.0.0.1:${srv.port}` };
+}
+
+const auth = { authorization: `Bearer ${RW_TOKEN}` };
+
+describe("GET /api/channels/<ch>/messages", () => {
+  test("vault channel → { messages } from loadTranscript()", async () => {
+    const transcript: ChannelMessage[] = [
+      { id: "n-in", text: "hi", direction: "inbound", sender: "aaron", ts: "2026-06-08T00:00:01Z" },
+      { id: "n-out", text: "hello", direction: "outbound", sender: "session", ts: "2026-06-08T00:00:02Z" },
+    ];
+    const t = stubVault({ transcript });
+    const channels = new Map<string, Channel>([
+      ["eng", { name: "eng", transport: t, entry: { name: "eng", transport: "vault" } }],
+    ]);
+    const { srv, base } = serverWith(channels);
+    try {
+      const res = await fetch(`${base}/api/channels/eng/messages`, { headers: auth });
+      expect(res.status).toBe(200);
+      const body = (await res.json()) as { messages: ChannelMessage[] };
+      expect(body.messages).toHaveLength(2);
+      expect(body.messages[0]!.id).toBe("n-in");
+      expect(body.messages[0]!.direction).toBe("inbound");
+      expect(body.messages[1]!.direction).toBe("outbound");
+    } finally {
+      srv.stop(true);
+    }
+  });
+
+  test("http-ui channel → { messages: [] } (no durable transcript)", async () => {
+    const transport = new HttpUiTransport({ channel: "ui1" });
+    await transport.start({ channel: "ui1", emit: () => {}, emitPermissionVerdict: () => {} });
+    const channels = new Map<string, Channel>([
+      ["ui1", { name: "ui1", transport, entry: { name: "ui1", transport: "http-ui" } }],
+    ]);
+    const { srv, base } = serverWith(channels);
+    try {
+      const res = await fetch(`${base}/api/channels/ui1/messages`, { headers: auth });
+      expect(res.status).toBe(200);
+      expect(await res.json()).toEqual({ messages: [] });
+    } finally {
+      srv.stop(true);
+    }
+  });
+
+  test("unknown channel → 404", async () => {
+    const channels = new Map<string, Channel>();
+    const { srv, base } = serverWith(channels);
+    try {
+      const res = await fetch(`${base}/api/channels/nope/messages`, { headers: auth });
+      expect(res.status).toBe(404);
+    } finally {
+      srv.stop(true);
+    }
+  });
+
+  test("no token → 401 (gate present), does not call the transport", async () => {
+    let loaded = false;
+    const t = stubVault({ transcript: [] });
+    t.loadTranscript = async () => { loaded = true; return []; };
+    const channels = new Map<string, Channel>([
+      ["eng", { name: "eng", transport: t, entry: { name: "eng", transport: "vault" } }],
+    ]);
+    const { srv, base } = serverWith(channels);
+    try {
+      const res = await fetch(`${base}/api/channels/eng/messages`);
+      expect(res.status).toBe(401);
+      expect(loaded).toBe(false);
+    } finally {
+      srv.stop(true);
+    }
+  });
+
+  test("a vault read failure → 502 (chat shows an error, not a silent empty)", async () => {
+    const t = stubVault({ loadThrows: new Error("vault transport: load transcript failed (502)") });
+    const channels = new Map<string, Channel>([
+      ["eng", { name: "eng", transport: t, entry: { name: "eng", transport: "vault" } }],
+    ]);
+    const { srv, base } = serverWith(channels);
+    try {
+      const res = await fetch(`${base}/api/channels/eng/messages`, { headers: auth });
+      expect(res.status).toBe(502);
+    } finally {
+      srv.stop(true);
+    }
+  });
+});
+
+describe("POST /api/channels/<ch>/send — vault path (writeInbound = the wake)", () => {
+  test("vault channel → writeInbound(text, 'operator') → { ok, id }", async () => {
+    let wrote: { text: string; sender?: string } | undefined;
+    const t = stubVault({ onWrite: (text, sender) => { wrote = { text, sender }; }, writeId: "inbound-99" });
+    const channels = new Map<string, Channel>([
+      ["eng", { name: "eng", transport: t, entry: { name: "eng", transport: "vault" } }],
+    ]);
+    const { srv, base } = serverWith(channels);
+    try {
+      const res = await fetch(`${base}/api/channels/eng/send`, {
+        method: "POST",
+        headers: { ...auth, "content-type": "application/json" },
+        body: JSON.stringify({ text: "wake up" }),
+      });
+      expect(res.status).toBe(200);
+      expect(await res.json()).toEqual({ ok: true, id: "inbound-99" });
+      expect(wrote).toEqual({ text: "wake up", sender: "operator" });
+    } finally {
+      srv.stop(true);
+    }
+  });
+
+  test("vault send with no token → 401, does not write", async () => {
+    let wrote = false;
+    const t = stubVault({ onWrite: () => { wrote = true; } });
+    const channels = new Map<string, Channel>([
+      ["eng", { name: "eng", transport: t, entry: { name: "eng", transport: "vault" } }],
+    ]);
+    const { srv, base } = serverWith(channels);
+    try {
+      const res = await fetch(`${base}/api/channels/eng/send`, {
+        method: "POST",
+        headers: { "content-type": "application/json" },
+        body: JSON.stringify({ text: "wake up" }),
+      });
+      expect(res.status).toBe(401);
+      expect(wrote).toBe(false);
+    } finally {
+      srv.stop(true);
+    }
+  });
+
+  test("vault send with empty text → 400", async () => {
+    const t = stubVault({});
+    const channels = new Map<string, Channel>([
+      ["eng", { name: "eng", transport: t, entry: { name: "eng", transport: "vault" } }],
+    ]);
+    const { srv, base } = serverWith(channels);
+    try {
+      const res = await fetch(`${base}/api/channels/eng/send`, {
+        method: "POST",
+        headers: { ...auth, "content-type": "application/json" },
+        body: JSON.stringify({ text: "" }),
+      });
+      expect(res.status).toBe(400);
+    } finally {
+      srv.stop(true);
+    }
+  });
+
+  test("http-ui send is NOT intercepted by the vault path — its own ingestHttp handles it", async () => {
+    const emitted: string[] = [];
+    const transport = new HttpUiTransport({ channel: "ui1" });
+    await transport.start({
+      channel: "ui1",
+      emit: (m) => emitted.push(m.content),
+      emitPermissionVerdict: () => {},
+    });
+    const channels = new Map<string, Channel>([
+      ["ui1", { name: "ui1", transport, entry: { name: "ui1", transport: "http-ui" } }],
+    ]);
+    const { srv, base } = serverWith(channels);
+    try {
+      const res = await fetch(`${base}/api/channels/ui1/send`, {
+        method: "POST",
+        headers: { ...auth, "content-type": "application/json" },
+        body: JSON.stringify({ text: "hi http-ui" }),
+      });
+      expect(res.status).toBe(200);
+      expect(await res.json()).toEqual({ ok: true });
+      // http-ui's ingestHttp emit'd it (vault path returns { ok, id }, not { ok }).
+      expect(emitted).toEqual(["hi http-ui"]);
+    } finally {
+      srv.stop(true);
+    }
+  });
+});