npm - @rubytech/create-realagent - Versions diffs - 1.0.614 → 1.0.616 - Mend

@rubytech/create-realagent 1.0.614 → 1.0.616

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (46) hide show

package/payload/platform/plugins/cloudflare/mcp/__tests__/verify-scenario-B.test.ts ADDED Viewed

@@ -0,0 +1,124 @@
+import { afterEach, beforeEach, describe, expect, it } from "vitest";
+import { mkdtempSync, mkdirSync, writeFileSync, rmSync } from "node:fs";
+import { tmpdir } from "node:os";
+import { join } from "node:path";
+import {
+  _resetBrandCache,
+  cfVerifyCore,
+  writeAccountBinding,
+  type ScopeContext,
+} from "../src/lib/cloudflared.js";
+// Scenario B (per task spec): stale tunnel state. Brand declares
+// cloudflare.zones=["b.test"]. cert.pem and binding agree on account Y.
+// But tunnel.state references a deleted tunnel, config.yml names a
+// hostname under a zone NOT in declared scope, and alias-domains.json
+// has an entry for removed.test (also out of scope).
+//
+// We bypass the SDK (no live calls) by passing a ScopeContext with
+// client=null. The local-artefact analysis runs in full; the account-side
+// analysis surfaces declared zones as MISSING (no client = nothing to
+// enumerate), which is correct behaviour for this audit-only test.
+let tmpRoot: string;
+let homeRoot: string;
+let originalHome: string | undefined;
+const CONFIG_DIR = ".maxy";
+function home(...p: string[]): string {
+  return join(homeRoot, ...p);
+}
+function writeCertPem(accountId: string, apiToken: string): void {
+  const certDir = home(CONFIG_DIR, "cloudflared");
+  mkdirSync(certDir, { recursive: true });
+  const tokenJson = JSON.stringify({ APIToken: apiToken, AccountTag: accountId });
+  const b64 = Buffer.from(tokenJson, "utf-8").toString("base64");
+  const pem = `-----BEGIN ARGO TUNNEL TOKEN-----
+${b64}
+-----END ARGO TUNNEL TOKEN-----
+`;
+  writeFileSync(join(certDir, "cert.pem"), pem);
+}
+beforeEach(() => {
+  tmpRoot = mkdtempSync(join(tmpdir(), "maxy-cf-verifyB-"));
+  homeRoot = mkdtempSync(join(tmpdir(), "maxy-cf-home-"));
+  originalHome = process.env.HOME;
+  process.env.HOME = homeRoot;
+  process.env.PLATFORM_ROOT = tmpRoot;
+  _resetBrandCache();
+  const cfg = join(tmpRoot, "config");
+  mkdirSync(cfg, { recursive: true });
+  writeFileSync(
+    join(cfg, "brand.json"),
+    JSON.stringify({
+      productName: "Maxy",
+      configDir: CONFIG_DIR,
+      cloudflare: { zones: ["b.test"] },
+    }),
+  );
+});
+afterEach(() => {
+  if (originalHome !== undefined) process.env.HOME = originalHome;
+  else delete process.env.HOME;
+  delete process.env.PLATFORM_ROOT;
+  rmSync(tmpRoot, { recursive: true, force: true });
+  rmSync(homeRoot, { recursive: true, force: true });
+});
+describe("cfVerifyCore — Scenario B (stale tunnel state)", () => {
+  it("tags out-of-scope local artefacts even without a live SDK client", async () => {
+    writeCertPem("acct-Y", "cfut_dummy");
+    writeAccountBinding("acct-Y");
+    // Stale tunnel.state pointing at a deleted tunnel + off-scope hostname.
+    const cloudflaredDir = home(CONFIG_DIR, "cloudflared");
+    mkdirSync(cloudflaredDir, { recursive: true });
+    const configYmlPath = join(cloudflaredDir, "config.yml");
+    writeFileSync(configYmlPath, "tunnel: stale\n");
+    writeFileSync(
+      join(cloudflaredDir, "tunnel.state"),
+      JSON.stringify({
+        tunnelId: "stale-tunnel-id",
+        tunnelName: "stale",
+        domain: "removed.test", // NOT in brand.cloudflare.zones
+        configPath: configYmlPath,
+        credentialsPath: join(cloudflaredDir, "stale-tunnel-id.json"),
+        adminHostname: "admin.removed.test", // off-scope
+        publicHostname: null,
+        pid: null,
+        startedAt: null,
+      }),
+    );
+    // alias-domains entry for an off-scope hostname.
+    writeFileSync(
+      home(CONFIG_DIR, "alias-domains.json"),
+      JSON.stringify(["removed.test"]),
+    );
+    // Bypass the SDK — pass a ScopeContext with client=null. The audit
+    // tags every declared zone as MISSING (cannot enumerate without
+    // client) but completes the local-artefact analysis in full.
+    const ctx: ScopeContext = {
+      declaredZones: ["b.test"],
+      binding: { accountId: "acct-Y", boundAt: new Date().toISOString() },
+      client: null,
+    };
+    const report = await cfVerifyCore(ctx);
+    const tunnelState = report.artefacts.find((a) => a.type === "tunnel.state");
+    expect(tunnelState?.tag).toBe("out-of-scope");
+    expect(tunnelState?.reason).toContain("hostnames outside declared scope");
+    const aliasEntry = report.artefacts.find(
+      (a) => a.type === "alias-domain" && a.id === "removed.test",
+    );
+    expect(aliasEntry?.tag).toBe("out-of-scope");
+    // Counts: at least the two out-of-scope local artefacts identified above.
+    expect(report.counts.outOfScope).toBeGreaterThanOrEqual(2);
+  });
+});