@openparachute/agent 0.2.3-rc.2 → 0.2.3-rc.3

package/src/mint-token.test.ts

@@ -1,152 +0,0 @@
-import { describe, test, expect } from "bun:test";
-import {
-  mintScopedToken,
-  agentScope,
-  vaultScope,
-  MintError,
-  type MintTokenDeps,
-} from "./mint-token.ts";
-
-/** A fake hub mint endpoint. Records the request; returns a scripted response. */
-function fakeHub(
-  handler: (body: Record<string, unknown>, headers: Headers) => { status: number; json: unknown },
-): { fetchFn: typeof fetch; calls: Array<{ body: Record<string, unknown>; auth: string | null }> } {
-  const calls: Array<{ body: Record<string, unknown>; auth: string | null }> = [];
-  const fetchFn = (async (url: string | URL | Request, init?: RequestInit) => {
-    const headers = new Headers(init?.headers);
-    const body = JSON.parse(String(init?.body ?? "{}")) as Record<string, unknown>;
-    calls.push({ body, auth: headers.get("authorization") });
-    const { status, json } = handler(body, headers);
-    return new Response(JSON.stringify(json), {
-      status,
-      headers: { "content-type": "application/json" },
-    });
-  }) as unknown as typeof fetch;
-  return { fetchFn, calls };
-}
-
-function depsWith(fetchFn: typeof fetch): MintTokenDeps {
-  return { hubOrigin: "https://hub.example.com", managerBearer: "MANAGER-BEARER", fetchFn };
-}
-
-describe("scope string helpers", () => {
-  test("agentScope", () => {
-    expect(agentScope({ write: false })).toBe("agent:read");
-    expect(agentScope({ write: true })).toBe("agent:read agent:write");
-  });
-  test("vaultScope", () => {
-    expect(vaultScope("default", "read")).toBe("vault:default:read");
-    expect(vaultScope("work", "write")).toBe("vault:work:write");
-  });
-});
-
-describe("mintScopedToken — happy path", () => {
-  test("POSTs to /api/auth/mint-token with the manager bearer + scope, returns the token", async () => {
-    const hub = fakeHub((body) => ({
-      status: 200,
-      json: {
-        jti: "j1",
-        token: "MINTED-TOKEN",
-        expires_at: "2026-09-01T00:00:00Z",
-        scope: body.scope,
-      },
-    }));
-    const res = await mintScopedToken({ scope: "agent:read agent:write" }, depsWith(hub.fetchFn));
-    expect(res.token).toBe("MINTED-TOKEN");
-    expect(res.jti).toBe("j1");
-    // Presented the MANAGER's bearer (the attenuation principal).
-    expect(hub.calls[0]!.auth).toBe("Bearer MANAGER-BEARER");
-    expect(hub.calls[0]!.body.scope).toBe("agent:read agent:write");
-  });
-
-  test("passes audience + permissions (scoped_tags) through to the hub", async () => {
-    const hub = fakeHub(() => ({
-      status: 200,
-      json: { jti: "j", token: "T", expires_at: "", scope: "vault:default:read" },
-    }));
-    await mintScopedToken(
-      {
-        scope: "vault:default:read",
-        audience: "vault.default",
-        permissions: { scoped_tags: ["agent/message"] },
-      },
-      depsWith(hub.fetchFn),
-    );
-    expect(hub.calls[0]!.body.audience).toBe("vault.default");
-    expect(hub.calls[0]!.body.permissions).toEqual({ scoped_tags: ["agent/message"] });
-  });
-});
-
-describe("mintScopedToken — attenuation + error surfacing", () => {
-  test("CAPABILITY ATTENUATION: the hub's 400 invalid_scope (over-broad request) becomes a MintError", async () => {
-    // Simulate the hub's canGrant guard: a vault:default:read manager bearer
-    // requests vault:default:write → the hub refuses 400 invalid_scope. The
-    // attenuation bound lives in the hub; this asserts the client surfaces the
-    // refusal as a hard error (never launches a session with an ungrantable cred).
-    const hub = fakeHub((body) => {
-      // Manager bearer in this scenario only holds vault:default:read; a write
-      // request exceeds it → hub returns 400.
-      if (String(body.scope).includes(":write")) {
-        return {
-          status: 400,
-          json: {
-            error: "invalid_scope",
-            error_description:
-              "scope vault:default:write is not grantable by this bearer; use OAuth flow or operator rotation",
-          },
-        };
-      }
-      return { status: 200, json: { jti: "j", token: "ok", expires_at: "", scope: body.scope } };
-    });
-
-    // The grantable read mint succeeds.
-    const ok = await mintScopedToken({ scope: "vault:default:read" }, depsWith(hub.fetchFn));
-    expect(ok.token).toBe("ok");
-
-    // The over-broad write mint is refused — surfaced as a MintError carrying the code.
-    let err: unknown;
-    try {
-      await mintScopedToken({ scope: "vault:default:write" }, depsWith(hub.fetchFn));
-    } catch (e) {
-      err = e;
-    }
-    expect(err).toBeInstanceOf(MintError);
-    expect((err as MintError).status).toBe(400);
-    expect((err as MintError).code).toBe("invalid_scope");
-  });
-
-  test("a 403 insufficient_scope (no minting authority) becomes a MintError", async () => {
-    const hub = fakeHub(() => ({
-      status: 403,
-      json: { error: "insufficient_scope", error_description: "bearer holds no minting authority" },
-    }));
-    let err: unknown;
-    try {
-      await mintScopedToken({ scope: "agent:read" }, depsWith(hub.fetchFn));
-    } catch (e) {
-      err = e;
-    }
-    expect(err).toBeInstanceOf(MintError);
-    expect((err as MintError).status).toBe(403);
-    expect((err as MintError).code).toBe("insufficient_scope");
-  });
-
-  test("a 200 with no token becomes a MintError (never returns a credential-less success)", async () => {
-    const hub = fakeHub(() => ({ status: 200, json: { jti: "j", expires_at: "" } }));
-    await expect(mintScopedToken({ scope: "agent:read" }, depsWith(hub.fetchFn))).rejects.toBeInstanceOf(MintError);
-  });
-
-  test("a network failure to reach the hub becomes a MintError (status 0)", async () => {
-    const fetchFn = (async () => {
-      throw new Error("ECONNREFUSED");
-    }) as unknown as typeof fetch;
-    let err: unknown;
-    try {
-      await mintScopedToken({ scope: "agent:read" }, depsWith(fetchFn));
-    } catch (e) {
-      err = e;
-    }
-    expect(err).toBeInstanceOf(MintError);
-    expect((err as MintError).status).toBe(0);
-  });
-});

package/src/module-manifest.test.ts

@@ -1,158 +0,0 @@
-/**
- * `.parachute/module.json` manifest contract tests.
- *
- * Moved out of the (now-deleted) admin-ui.test.ts in Phase 4c — the admin PAGE
- * retired into the SPA, but the manifest declarations it validated (modular-UI
- * fields, channel events, vault-trigger actions, connectionTemplates, the
- * existing name/port/scopes contract) are still load-bearing for the hub.
- */
-import { describe, expect, test } from "bun:test";
-import { join } from "node:path";
-
-describe("module.json — modular-UI declaration", () => {
-  // The manifest sits at <repo>/.parachute/module.json; this test file is in
-  // <repo>/src, so go up one.
-  const manifestPath = join(import.meta.dir, "..", ".parachute", "module.json");
-
-  test("parses as JSON and carries the modular-UI fields (SPA mount after Phase 4c)", async () => {
-    const raw = await Bun.file(manifestPath).text();
-    const m = JSON.parse(raw) as Record<string, unknown>;
-    // Phase 4c retired the server-rendered config page; configUiUrl now points
-    // at the SPA app mount the hub frames.
-    expect(m.configUiUrl).toBe("/agent/app/");
-    expect(m.focus).toBe("experimental");
-    expect(m.adminCapabilities).toEqual(["config"]);
-  });
-
-  test("declares the channel events (message.received / message.sent)", async () => {
-    const m = JSON.parse(await Bun.file(manifestPath).text()) as {
-      events?: Array<{ key: string; title: string }>;
-    };
-    const keys = (m.events ?? []).map((e) => e.key);
-    expect(keys).toContain("message.received");
-    expect(keys).toContain("message.sent");
-    for (const e of m.events ?? []) expect(typeof e.title).toBe("string");
-  });
-
-  test("declares the message.deliver action with a vault-trigger provision", async () => {
-    const m = JSON.parse(await Bun.file(manifestPath).text()) as {
-      actions?: Array<{ key: string; title: string; provision?: { type?: string } }>;
-    };
-    const deliver = (m.actions ?? []).find((a) => a.key === "message.deliver");
-    expect(deliver).toBeDefined();
-    expect(deliver?.provision?.type).toBe("vault-trigger");
-  });
-
-  test("message.deliver declares the hub-connection wiring (endpoint + scope)", async () => {
-    // The hub's general Connections engine (P5) wires a `vault-trigger` action
-    // GENERICALLY: the webhook the vault calls back on is derived from the sink
-    // action's `endpoint` (hub-proxied under the module's mount), and the bearer
-    // the vault re-presents is minted at the action's declared `scope` — NOT a
-    // channel-hardcoded path in hub code. So the deliver action must carry both.
-    const m = JSON.parse(await Bun.file(manifestPath).text()) as {
-      actions?: Array<{ key: string; endpoint?: string; scope?: string }>;
-    };
-    const deliver = (m.actions ?? []).find((a) => a.key === "message.deliver");
-    expect(deliver?.endpoint).toBe("/api/vault/inbound");
-    expect(deliver?.scope).toBe("agent:send");
-  });
-
-  test("declares a connectionTemplate for the parameterized link-to-vault connection (R2)", async () => {
-    const m = JSON.parse(await Bun.file(manifestPath).text()) as {
-      connectionTemplates?: Array<{
-        key: string;
-        requestedBy?: string;
-        source?: { module?: string; event?: string; filter?: { tags?: string[] } };
-        sink?: { module?: string; action?: string };
-        parameters?: Array<{ key: string; target: string }>;
-      }>;
-    };
-    const tmpl = (m.connectionTemplates ?? []).find((t) => t.key === "link-to-vault");
-    expect(tmpl).toBeDefined();
-    // The module declares WHAT it wants: vault.note.created (inbound tag) →
-    // agent.message.deliver, labeled module-initiated.
-    expect(tmpl?.requestedBy).toBe("agent");
-    expect(tmpl?.source?.module).toBe("vault");
-    expect(tmpl?.source?.event).toBe("note.created");
-    expect(tmpl?.source?.filter?.tags).toContain("agent/message/inbound");
-    expect(tmpl?.sink?.module).toBe("agent");
-    expect(tmpl?.sink?.action).toBe("message.deliver");
-    // It's PARAMETERIZED — the operator picks the vault + names the channel.
-    const paramKeys = (tmpl?.parameters ?? []).map((p) => p.key);
-    expect(paramKeys).toContain("vault");
-    expect(paramKeys).toContain("channel");
-    // The parameters point at the connection-body targets the UI fills in.
-    const vaultParam = (tmpl?.parameters ?? []).find((p) => p.key === "vault");
-    expect(vaultParam?.target).toBe("source.vault");
-    const channelParam = (tmpl?.parameters ?? []).find((p) => p.key === "channel");
-    expect(channelParam?.target).toBe("sink.params.channel");
-  });
-
-  test("declares the definition.reload action with a vault-trigger provision (Connector 1)", async () => {
-    // Make a vault #agent/definition change flow LIVE into the registry: the
-    // hub provisions a vault trigger that webhooks /api/vault/agent-def with an
-    // agent:send bearer, and the daemon re-reads + re-instantiates that one def.
-    const m = JSON.parse(await Bun.file(manifestPath).text()) as {
-      actions?: Array<{ key: string; provision?: { type?: string }; endpoint?: string; scope?: string }>;
-    };
-    const reload = (m.actions ?? []).find((a) => a.key === "definition.reload");
-    expect(reload).toBeDefined();
-    expect(reload?.provision?.type).toBe("vault-trigger");
-    // Wiring mirrors message.deliver: the webhook endpoint the daemon already
-    // serves, and the agent:send scope that endpoint gates on (daemon.ts).
-    expect(reload?.endpoint).toBe("/api/vault/agent-def");
-    expect(reload?.scope).toBe("agent:send");
-  });
-
-  test("declares TWO def-reload templates (created + updated) — the hub binds one event per connection", async () => {
-    // A connection carries a single `source.event` (admin-connections.ts:
-    // eventsForSourceEvent maps one note.<verb> → one trigger verb), so create
-    // and edit reactivity are two connections / two templates. note.deleted is
-    // deliberately ABSENT — the hub rejects it (Connector 2, platform-blocked).
-    const m = JSON.parse(await Bun.file(manifestPath).text()) as {
-      connectionTemplates?: Array<{
-        key: string;
-        requestedBy?: string;
-        source?: { module?: string; event?: string; filter?: { tags?: string[] } };
-        sink?: { module?: string; action?: string };
-        parameters?: Array<{ key: string; target: string }>;
-      }>;
-    };
-    const templates = m.connectionTemplates ?? [];
-    const onCreate = templates.find((t) => t.key === "reload-defs-on-create");
-    const onEdit = templates.find((t) => t.key === "reload-defs-on-edit");
-    expect(onCreate).toBeDefined();
-    expect(onEdit).toBeDefined();
-
-    for (const tmpl of [onCreate, onEdit]) {
-      expect(tmpl?.requestedBy).toBe("agent");
-      expect(tmpl?.source?.module).toBe("vault");
-      // Filters on the def tag — and ONLY that tag (no inbound-message keys).
-      expect(tmpl?.source?.filter?.tags).toEqual(["agent/definition"]);
-      expect(tmpl?.sink?.module).toBe("agent");
-      expect(tmpl?.sink?.action).toBe("definition.reload");
-      // Parameterized: the operator picks which def-vault. No channel param
-      // (a def-vault connection has no reply path — it's read-driven reload).
-      const paramKeys = (tmpl?.parameters ?? []).map((p) => p.key);
-      expect(paramKeys).toEqual(["vault"]);
-      const vaultParam = (tmpl?.parameters ?? []).find((p) => p.key === "vault");
-      expect(vaultParam?.target).toBe("source.vault");
-    }
-
-    // The two halves differ ONLY in the source event.
-    expect(onCreate?.source?.event).toBe("note.created");
-    expect(onEdit?.source?.event).toBe("note.updated");
-    // No template subscribes deleted (would 400 at the hub).
-    expect(templates.some((t) => t.source?.event === "note.deleted")).toBe(false);
-  });
-
-  test("preserves the existing manifest contract (name, port, uiUrl, scopes)", async () => {
-    const m = JSON.parse(await Bun.file(manifestPath).text()) as Record<string, unknown>;
-    expect(m.name).toBe("agent");
-    expect(m.port).toBe(1941);
-    // Phase 4c: uiUrl points at the SPA app root (the retired /home page is gone).
-    expect(m.uiUrl).toBe("/agent/app/");
-    const scopes = m.scopes as { defines?: string[] } | undefined;
-    expect(scopes?.defines).toContain("agent:admin");
-  });
-});