@openparachute/agent 0.2.2 → 0.2.3-rc.3

package/src/daemon-jobs-api.test.ts

@@ -1,271 +0,0 @@
-/**
- * Integration tests for the scheduled-jobs API (`/api/jobs*`) on the REAL daemon
- * fetch handler (runner, design 2026-06-17). They cover:
- *
- *  - auth: all routes require `agent:admin` (no token → 401; agent:read → 403);
- *  - GET    /api/jobs          → lists `#agent/job` notes across the vault channels;
- *  - POST   /api/jobs          → 400 on bad cron / unknown / non-vault channel;
- *                                200 + writes a #agent/job note on success;
- *  - POST   /api/jobs/:id/run  → fires now (injects an inbound #agent/message note);
- *  - DELETE /api/jobs/:id      → deletes the job note.
- *
- * The vault REST API is stubbed via `globalThis.fetch` (no live vault); the hub
- * JWT validator is stubbed (sentinel tokens → fixed scopes) so the accept paths
- * run without a live hub/JWKS. Mirrors daemon-config-api.test.ts's approach.
- */
-import { describe, test, expect, mock, afterEach } from "bun:test";
-import { HubJwtError, looksLikeJwt } from "@openparachute/scope-guard";
-
-const ADMIN_TOKEN = "test-admin-token";
-const READ_TOKEN = "test-read-token";
-mock.module("./hub-jwt.ts", () => ({
-  AGENT_AUDIENCE: "agent",
-  CHANNEL_AUDIENCE: "channel",
-  async validateHubJwt(token: string) {
-    const base = { sub: "test", aud: "agent", jti: undefined, clientId: undefined, vaultScope: undefined };
-    if (token === ADMIN_TOKEN) return { ...base, scopes: ["agent:admin"] };
-    if (token === READ_TOKEN) return { ...base, scopes: ["agent:read"] };
-    throw new HubJwtError("issuer", "invalid token");
-  },
-  HubJwtError,
-  looksLikeJwt,
-  resetJwksCache() {},
-  resetRevocationCache() {},
-}));
-
-import { createFetchHandler } from "./daemon.ts";
-import { ClientRegistry } from "./routing.ts";
-import { VaultTransport } from "./transports/vault.ts";
-import type { Channel } from "./registry.ts";
-import type { TransportContext } from "./transport.ts";
-
-const realFetch = globalThis.fetch;
-afterEach(() => {
-  globalThis.fetch = realFetch;
-});
-
-const adminAuth = { authorization: "Bearer " + ADMIN_TOKEN } as const;
-const readAuth = { authorization: "Bearer " + READ_TOKEN } as const;
-
-/**
- * A live channels map: one vault channel ("eng") + one telegram-shaped channel
- * stub ("tg", non-vault) so the non-vault rejection path is exercised. The vault
- * REST calls are routed through the `vaultFetch` stub the caller installs.
- */
-function buildServer() {
-  const registry = new ClientRegistry();
-  const channels = new Map<string, Channel>();
-  const eng = new VaultTransport({ vault: "default", vaultUrl: "http://127.0.0.1:1940", token: "vtok" });
-  const ctx: TransportContext = { channel: "eng", emit() {}, emitPermissionVerdict() {} };
-  void eng.start(ctx);
-  channels.set("eng", { name: "eng", transport: eng, entry: { name: "eng", transport: "vault", config: { vault: "default" } } });
-
-  // A minimal non-vault transport stub for the "non-vault channel rejected" case.
-  const tgTransport = {
-    kind: "telegram",
-    async start() {},
-    async stop() {},
-    async reply() { return { sent: [] }; },
-  };
-  channels.set("tg", { name: "tg", transport: tgTransport as unknown as Channel["transport"], entry: { name: "tg", transport: "telegram" } });
-
-  const srv = Bun.serve({ port: 0, hostname: "127.0.0.1", idleTimeout: 0, fetch: createFetchHandler(channels, registry) });
-  return { srv, base: `http://127.0.0.1:${srv.port}`, channels };
-}
-
-/**
- * Install a fetch stub that intercepts ONLY vault REST calls (port 1940 — the
- * VaultTransport's `vaultUrl`) and records them + returns canned responses.
- * Requests to ANY other URL — crucially the test client's own calls to the
- * loopback test server — pass through to the real fetch, so overriding
- * `globalThis.fetch` doesn't swallow the request under test.
- */
-function stubVault(handler: (url: string, init: RequestInit) => Response) {
-  const calls: { url: string; init: RequestInit }[] = [];
-  globalThis.fetch = (async (url: string | URL | Request, init?: RequestInit) => {
-    const u = String(url);
-    if (u.includes(":1940/")) {
-      calls.push({ url: u, init: init ?? {} });
-      return handler(u, init ?? {});
-    }
-    return realFetch(url as Parameters<typeof fetch>[0], init);
-  }) as typeof fetch;
-  return calls;
-}
-
-describe("/api/jobs — auth", () => {
-  test("no token → 401", async () => {
-    const { srv, base } = buildServer();
-    try {
-      const res = await fetch(`${base}/api/jobs`);
-      expect(res.status).toBe(401);
-    } finally { srv.stop(true); }
-  });
-
-  test("agent:read (insufficient) → 403", async () => {
-    const { srv, base } = buildServer();
-    try {
-      const res = await fetch(`${base}/api/jobs`, { headers: readAuth });
-      expect(res.status).toBe(403);
-    } finally { srv.stop(true); }
-  });
-});
-
-describe("GET /api/jobs — list", () => {
-  test("lists #agent/job notes from the vault", async () => {
-    const { srv, base } = buildServer();
-    stubVault(() =>
-      new Response(
-        JSON.stringify([
-          { id: "Channels/eng/jobs/m", content: "go", metadata: { channel: "eng", cron: "0 9 * * *", enabled: "true", createdAt: "t0" } },
-        ]),
-        { status: 200, headers: { "content-type": "application/json" } },
-      ),
-    );
-    try {
-      const res = await fetch(`${base}/api/jobs`, { headers: adminAuth });
-      expect(res.status).toBe(200);
-      const body = await res.json();
-      expect(body.jobs).toHaveLength(1);
-      expect(body.jobs[0]).toMatchObject({ id: "Channels/eng/jobs/m", channel: "eng", message: "go" });
-    } finally { srv.stop(true); }
-  });
-});
-
-describe("POST /api/jobs — create + validation", () => {
-  test("bad cron → 400", async () => {
-    const { srv, base } = buildServer();
-    try {
-      const res = await fetch(`${base}/api/jobs`, {
-        method: "POST",
-        headers: { "content-type": "application/json", ...adminAuth },
-        body: JSON.stringify({ id: "x", channel: "eng", message: "m", schedule: { cron: "99 9 * * *" } }),
-      });
-      expect(res.status).toBe(400);
-      expect((await res.json()).error).toMatch(/cron/);
-    } finally { srv.stop(true); }
-  });
-
-  test("unknown channel → 400", async () => {
-    const { srv, base } = buildServer();
-    try {
-      const res = await fetch(`${base}/api/jobs`, {
-        method: "POST",
-        headers: { "content-type": "application/json", ...adminAuth },
-        body: JSON.stringify({ id: "x", channel: "ghost", message: "m", schedule: { cron: "0 9 * * *" } }),
-      });
-      expect(res.status).toBe(400);
-      expect((await res.json()).error).toMatch(/unknown channel/);
-    } finally { srv.stop(true); }
-  });
-
-  test("non-vault channel → 400", async () => {
-    const { srv, base } = buildServer();
-    try {
-      const res = await fetch(`${base}/api/jobs`, {
-        method: "POST",
-        headers: { "content-type": "application/json", ...adminAuth },
-        body: JSON.stringify({ id: "x", channel: "tg", message: "m", schedule: { cron: "0 9 * * *" } }),
-      });
-      expect(res.status).toBe(400);
-      expect((await res.json()).error).toMatch(/not a vault channel/);
-    } finally { srv.stop(true); }
-  });
-
-  test("valid → 200 + writes a #agent/job note", async () => {
-    const { srv, base } = buildServer();
-    const calls = stubVault((url, init) => {
-      // The job POST is to /api/notes; everything else (ensureSchema PUTs) is benign.
-      if (url.endsWith("/api/notes") && init.method === "POST") {
-        return new Response(JSON.stringify({ id: "Channels/eng/jobs/x" }), { status: 201, headers: { "content-type": "application/json" } });
-      }
-      return new Response("{}", { status: 200, headers: { "content-type": "application/json" } });
-    });
-    try {
-      const res = await fetch(`${base}/api/jobs`, {
-        method: "POST",
-        headers: { "content-type": "application/json", ...adminAuth },
-        body: JSON.stringify({ id: "x", channel: "eng", message: "  do it  ", schedule: { cron: "0 9 * * *", tz: "UTC" } }),
-      });
-      expect(res.status).toBe(200);
-      const body = await res.json();
-      expect(body.ok).toBe(true);
-      expect(body.job.id).toBe("x"); // the operator slug stays the id
-      expect(body.job.noteId).toBe("Channels/eng/jobs/x"); // vault note id for addressing
-      const post = calls.find((c) => c.url.endsWith("/api/notes") && c.init.method === "POST")!;
-      const sent = JSON.parse(String(post.init.body));
-      expect(sent.tags).toEqual(["#agent/job"]);
-      expect(sent.content).toBe("do it"); // trimmed
-      expect(sent.metadata.enabled).toBe("true");
-      expect(sent.metadata.jobId).toBe("x");
-    } finally { srv.stop(true); }
-  });
-});
-
-describe("POST /api/jobs/:id/run — fire now", () => {
-  test("injects an inbound #agent/message note + returns ok", async () => {
-    const { srv, base } = buildServer();
-    const calls = stubVault((url, init) => {
-      if (url.includes("/api/notes") && (init.method ?? "GET") === "GET") {
-        // The store's listAll → return the job to find.
-        return new Response(
-          JSON.stringify([{ id: "Channels/eng/jobs/x", content: "do it", metadata: { channel: "eng", cron: "0 9 * * *", enabled: "true", createdAt: "t0" } }]),
-          { status: 200, headers: { "content-type": "application/json" } },
-        );
-      }
-      // The inject POST (and any patch).
-      return new Response(JSON.stringify({ id: "inbound-1" }), { status: 201, headers: { "content-type": "application/json" } });
-    });
-    try {
-      // The "id" the route addresses is the vault NOTE id returned by the list.
-      const res = await fetch(`${base}/api/jobs/${encodeURIComponent("Channels/eng/jobs/x")}/run`, { method: "POST", headers: adminAuth });
-      expect(res.status).toBe(200);
-      expect((await res.json()).ok).toBe(true);
-      // The injected note is INBOUND with the #agent/message tags.
-      const inject = calls.find((c) => c.url.endsWith("/api/notes") && c.init.method === "POST")!;
-      const sent = JSON.parse(String(inject.init.body));
-      expect(sent.tags).toEqual(["#agent/message", "#agent/message/inbound"]);
-      expect(sent.metadata.sender).toBe("runner:Channels/eng/jobs/x");
-    } finally { srv.stop(true); }
-  });
-
-  test("unknown job id → 404", async () => {
-    const { srv, base } = buildServer();
-    stubVault(() => new Response(JSON.stringify([]), { status: 200, headers: { "content-type": "application/json" } }));
-    try {
-      const res = await fetch(`${base}/api/jobs/nope/run`, { method: "POST", headers: adminAuth });
-      expect(res.status).toBe(404);
-    } finally { srv.stop(true); }
-  });
-});
-
-describe("DELETE /api/jobs/:id", () => {
-  test("deletes the job note", async () => {
-    const { srv, base } = buildServer();
-    const calls = stubVault((url, init) => {
-      if (url.includes("/api/notes") && (init.method ?? "GET") === "GET") {
-        return new Response(
-          JSON.stringify([{ id: "Channels/eng/jobs/x", content: "go", metadata: { channel: "eng", cron: "0 9 * * *", enabled: "true" } }]),
-          { status: 200, headers: { "content-type": "application/json" } },
-        );
-      }
-      return new Response(null, { status: 204 });
-    });
-    try {
-      const res = await fetch(`${base}/api/jobs/Channels%2Feng%2Fjobs%2Fx`, { method: "DELETE", headers: adminAuth });
-      expect(res.status).toBe(200);
-      expect((await res.json()).removed).toBe(true);
-      expect(calls.some((c) => c.init.method === "DELETE")).toBe(true);
-    } finally { srv.stop(true); }
-  });
-
-  test("deleting an absent job is idempotent (removed:false)", async () => {
-    const { srv, base } = buildServer();
-    stubVault(() => new Response(JSON.stringify([]), { status: 200, headers: { "content-type": "application/json" } }));
-    try {
-      const res = await fetch(`${base}/api/jobs/gone`, { method: "DELETE", headers: adminAuth });
-      expect(res.status).toBe(200);
-      expect((await res.json()).removed).toBe(false);
-    } finally { srv.stop(true); }
-  });
-});

package/src/daemon-vault-chat.test.ts

@@ -1,250 +0,0 @@
-/**
- * Vault-backed chat — daemon route tests for the read/send the built-in chat uses
- * against a VAULT-transport channel (Phase 4).
- *
- *   - GET  /api/channels/<ch>/messages  (gate agent:read) →
- *       vault   → loadTranscript() → { messages }
- *       http-ui → { messages: [] }  (ephemeral transport, no durable store)
- *       unknown → 404
- *   - POST /api/channels/<ch>/send      (gate agent:send) →
- *       vault   → writeInbound(text, "operator") → { ok, id }   (the WAKE path)
- *
- * Auth: the same sentinel-token `mock.module("./hub-jwt.ts")` harness the other
- * daemon tests use — a `Bearer test-rw-token` validates with agent:read + send
- * WITHOUT a live hub/JWKS; the no-token path still hits the real 401 short-circuit.
- *
- * The vault I/O is exercised through a REAL `VaultTransport` instance (the daemon
- * branches on `instanceof VaultTransport`) whose `loadTranscript` / `writeInbound`
- * are MONKEYPATCHED on the instance — so we assert the daemon's dispatch + shaping
- * without writing to (or reading from) any real vault. NO live vault, NO uni-* writes.
- */
-import { describe, test, expect, mock } from "bun:test";
-
-const RW_TOKEN = "test-rw-token"; // agent:read + agent:send
-import { HubJwtError, looksLikeJwt } from "@openparachute/scope-guard";
-mock.module("./hub-jwt.ts", () => ({
-  AGENT_AUDIENCE: "agent",
-  CHANNEL_AUDIENCE: "channel",
-  async validateHubJwt(token: string) {
-    const base = { sub: "test", aud: "agent", jti: undefined, clientId: undefined, vaultScope: undefined };
-    if (token === RW_TOKEN) return { ...base, scopes: ["agent:read", "agent:send"] };
-    throw new HubJwtError("issuer", "invalid token");
-  },
-  HubJwtError,
-  looksLikeJwt,
-  resetJwksCache() {},
-  resetRevocationCache() {},
-}));
-
-import { createFetchHandler } from "./daemon.ts";
-import { ClientRegistry } from "./routing.ts";
-import { HttpUiTransport } from "./transports/http-ui.ts";
-import { VaultTransport, type ChannelMessage } from "./transports/vault.ts";
-import type { Channel } from "./registry.ts";
-
-/** A VaultTransport whose vault I/O is stubbed on the instance (instanceof holds). */
-function stubVault(opts: {
-  transcript?: ChannelMessage[];
-  loadThrows?: Error;
-  onWrite?: (text: string, sender?: string) => void;
-  writeThrows?: Error;
-  writeId?: string;
-}): VaultTransport {
-  const t = new VaultTransport({ vault: "default", vaultUrl: "http://127.0.0.1:1940", token: "x" });
-  // Bind ctx without firing the real ensureSchema network call.
-  (t as unknown as { ctx: { channel: string } }).ctx = { channel: "eng" };
-  t.loadTranscript = async () => {
-    if (opts.loadThrows) throw opts.loadThrows;
-    return opts.transcript ?? [];
-  };
-  t.writeInbound = async (text: string, sender?: string) => {
-    if (opts.writeThrows) throw opts.writeThrows;
-    opts.onWrite?.(text, sender);
-    return { id: opts.writeId ?? "written-note-1" };
-  };
-  return t;
-}
-
-function serverWith(channels: Map<string, Channel>) {
-  const registry = new ClientRegistry();
-  const srv = Bun.serve({
-    port: 0,
-    hostname: "127.0.0.1",
-    idleTimeout: 0,
-    fetch: createFetchHandler(channels, registry),
-  });
-  return { srv, base: `http://127.0.0.1:${srv.port}` };
-}
-
-const auth = { authorization: `Bearer ${RW_TOKEN}` };
-
-describe("GET /api/channels/<ch>/messages", () => {
-  test("vault channel → { messages } from loadTranscript()", async () => {
-    const transcript: ChannelMessage[] = [
-      { id: "n-in", text: "hi", direction: "inbound", sender: "aaron", ts: "2026-06-08T00:00:01Z" },
-      { id: "n-out", text: "hello", direction: "outbound", sender: "session", ts: "2026-06-08T00:00:02Z" },
-    ];
-    const t = stubVault({ transcript });
-    const channels = new Map<string, Channel>([
-      ["eng", { name: "eng", transport: t, entry: { name: "eng", transport: "vault" } }],
-    ]);
-    const { srv, base } = serverWith(channels);
-    try {
-      const res = await fetch(`${base}/api/channels/eng/messages`, { headers: auth });
-      expect(res.status).toBe(200);
-      const body = (await res.json()) as { messages: ChannelMessage[] };
-      expect(body.messages).toHaveLength(2);
-      expect(body.messages[0]!.id).toBe("n-in");
-      expect(body.messages[0]!.direction).toBe("inbound");
-      expect(body.messages[1]!.direction).toBe("outbound");
-    } finally {
-      srv.stop(true);
-    }
-  });
-
-  test("http-ui channel → { messages: [] } (no durable transcript)", async () => {
-    const transport = new HttpUiTransport({ channel: "ui1" });
-    await transport.start({ channel: "ui1", emit: () => {}, emitPermissionVerdict: () => {} });
-    const channels = new Map<string, Channel>([
-      ["ui1", { name: "ui1", transport, entry: { name: "ui1", transport: "http-ui" } }],
-    ]);
-    const { srv, base } = serverWith(channels);
-    try {
-      const res = await fetch(`${base}/api/channels/ui1/messages`, { headers: auth });
-      expect(res.status).toBe(200);
-      expect(await res.json()).toEqual({ messages: [] });
-    } finally {
-      srv.stop(true);
-    }
-  });
-
-  test("unknown channel → 404", async () => {
-    const channels = new Map<string, Channel>();
-    const { srv, base } = serverWith(channels);
-    try {
-      const res = await fetch(`${base}/api/channels/nope/messages`, { headers: auth });
-      expect(res.status).toBe(404);
-    } finally {
-      srv.stop(true);
-    }
-  });
-
-  test("no token → 401 (gate present), does not call the transport", async () => {
-    let loaded = false;
-    const t = stubVault({ transcript: [] });
-    t.loadTranscript = async () => { loaded = true; return []; };
-    const channels = new Map<string, Channel>([
-      ["eng", { name: "eng", transport: t, entry: { name: "eng", transport: "vault" } }],
-    ]);
-    const { srv, base } = serverWith(channels);
-    try {
-      const res = await fetch(`${base}/api/channels/eng/messages`);
-      expect(res.status).toBe(401);
-      expect(loaded).toBe(false);
-    } finally {
-      srv.stop(true);
-    }
-  });
-
-  test("a vault read failure → 502 (chat shows an error, not a silent empty)", async () => {
-    const t = stubVault({ loadThrows: new Error("vault transport: load transcript failed (502)") });
-    const channels = new Map<string, Channel>([
-      ["eng", { name: "eng", transport: t, entry: { name: "eng", transport: "vault" } }],
-    ]);
-    const { srv, base } = serverWith(channels);
-    try {
-      const res = await fetch(`${base}/api/channels/eng/messages`, { headers: auth });
-      expect(res.status).toBe(502);
-    } finally {
-      srv.stop(true);
-    }
-  });
-});
-
-describe("POST /api/channels/<ch>/send — vault path (writeInbound = the wake)", () => {
-  test("vault channel → writeInbound(text, 'operator') → { ok, id }", async () => {
-    let wrote: { text: string; sender?: string } | undefined;
-    const t = stubVault({ onWrite: (text, sender) => { wrote = { text, sender }; }, writeId: "inbound-99" });
-    const channels = new Map<string, Channel>([
-      ["eng", { name: "eng", transport: t, entry: { name: "eng", transport: "vault" } }],
-    ]);
-    const { srv, base } = serverWith(channels);
-    try {
-      const res = await fetch(`${base}/api/channels/eng/send`, {
-        method: "POST",
-        headers: { ...auth, "content-type": "application/json" },
-        body: JSON.stringify({ text: "wake up" }),
-      });
-      expect(res.status).toBe(200);
-      expect(await res.json()).toEqual({ ok: true, id: "inbound-99" });
-      expect(wrote).toEqual({ text: "wake up", sender: "operator" });
-    } finally {
-      srv.stop(true);
-    }
-  });
-
-  test("vault send with no token → 401, does not write", async () => {
-    let wrote = false;
-    const t = stubVault({ onWrite: () => { wrote = true; } });
-    const channels = new Map<string, Channel>([
-      ["eng", { name: "eng", transport: t, entry: { name: "eng", transport: "vault" } }],
-    ]);
-    const { srv, base } = serverWith(channels);
-    try {
-      const res = await fetch(`${base}/api/channels/eng/send`, {
-        method: "POST",
-        headers: { "content-type": "application/json" },
-        body: JSON.stringify({ text: "wake up" }),
-      });
-      expect(res.status).toBe(401);
-      expect(wrote).toBe(false);
-    } finally {
-      srv.stop(true);
-    }
-  });
-
-  test("vault send with empty text → 400", async () => {
-    const t = stubVault({});
-    const channels = new Map<string, Channel>([
-      ["eng", { name: "eng", transport: t, entry: { name: "eng", transport: "vault" } }],
-    ]);
-    const { srv, base } = serverWith(channels);
-    try {
-      const res = await fetch(`${base}/api/channels/eng/send`, {
-        method: "POST",
-        headers: { ...auth, "content-type": "application/json" },
-        body: JSON.stringify({ text: "" }),
-      });
-      expect(res.status).toBe(400);
-    } finally {
-      srv.stop(true);
-    }
-  });
-
-  test("http-ui send is NOT intercepted by the vault path — its own ingestHttp handles it", async () => {
-    const emitted: string[] = [];
-    const transport = new HttpUiTransport({ channel: "ui1" });
-    await transport.start({
-      channel: "ui1",
-      emit: (m) => emitted.push(m.content),
-      emitPermissionVerdict: () => {},
-    });
-    const channels = new Map<string, Channel>([
-      ["ui1", { name: "ui1", transport, entry: { name: "ui1", transport: "http-ui" } }],
-    ]);
-    const { srv, base } = serverWith(channels);
-    try {
-      const res = await fetch(`${base}/api/channels/ui1/send`, {
-        method: "POST",
-        headers: { ...auth, "content-type": "application/json" },
-        body: JSON.stringify({ text: "hi http-ui" }),
-      });
-      expect(res.status).toBe(200);
-      expect(await res.json()).toEqual({ ok: true });
-      // http-ui's ingestHttp emit'd it (vault path returns { ok, id }, not { ok }).
-      expect(emitted).toEqual(["hi http-ui"]);
-    } finally {
-      srv.stop(true);
-    }
-  });
-});