npm - @synth-deploy/server - Versions diffs - 0.1.0 - Mend

@synth-deploy/server 0.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (317) hide show

package/dist/agent/debrief-retention.d.ts +12 -0
package/dist/agent/debrief-retention.d.ts.map +1 -0
package/dist/agent/debrief-retention.js +27 -0
package/dist/agent/debrief-retention.js.map +1 -0
package/dist/agent/envoy-client.d.ts +216 -0
package/dist/agent/envoy-client.d.ts.map +1 -0
package/dist/agent/envoy-client.js +266 -0
package/dist/agent/envoy-client.js.map +1 -0
package/dist/agent/envoy-registry.d.ts +102 -0
package/dist/agent/envoy-registry.d.ts.map +1 -0
package/dist/agent/envoy-registry.js +319 -0
package/dist/agent/envoy-registry.js.map +1 -0
package/dist/agent/health-checker.d.ts +39 -0
package/dist/agent/health-checker.d.ts.map +1 -0
package/dist/agent/health-checker.js +49 -0
package/dist/agent/health-checker.js.map +1 -0
package/dist/agent/mcp-client-manager.d.ts +36 -0
package/dist/agent/mcp-client-manager.d.ts.map +1 -0
package/dist/agent/mcp-client-manager.js +106 -0
package/dist/agent/mcp-client-manager.js.map +1 -0
package/dist/agent/stale-deployment-detector.d.ts +15 -0
package/dist/agent/stale-deployment-detector.d.ts.map +1 -0
package/dist/agent/stale-deployment-detector.js +50 -0
package/dist/agent/stale-deployment-detector.js.map +1 -0
package/dist/agent/step-runner.d.ts +31 -0
package/dist/agent/step-runner.d.ts.map +1 -0
package/dist/agent/step-runner.js +80 -0
package/dist/agent/step-runner.js.map +1 -0
package/dist/agent/synth-agent.d.ts +168 -0
package/dist/agent/synth-agent.d.ts.map +1 -0
package/dist/agent/synth-agent.js +1195 -0
package/dist/agent/synth-agent.js.map +1 -0
package/dist/api/agent.d.ts +36 -0
package/dist/api/agent.d.ts.map +1 -0
package/dist/api/agent.js +867 -0
package/dist/api/agent.js.map +1 -0
package/dist/api/api-keys.d.ts +4 -0
package/dist/api/api-keys.d.ts.map +1 -0
package/dist/api/api-keys.js +118 -0
package/dist/api/api-keys.js.map +1 -0
package/dist/api/artifacts.d.ts +5 -0
package/dist/api/artifacts.d.ts.map +1 -0
package/dist/api/artifacts.js +142 -0
package/dist/api/artifacts.js.map +1 -0
package/dist/api/auth.d.ts +4 -0
package/dist/api/auth.d.ts.map +1 -0
package/dist/api/auth.js +280 -0
package/dist/api/auth.js.map +1 -0
package/dist/api/deployments.d.ts +11 -0
package/dist/api/deployments.d.ts.map +1 -0
package/dist/api/deployments.js +1098 -0
package/dist/api/deployments.js.map +1 -0
package/dist/api/environments.d.ts +5 -0
package/dist/api/environments.d.ts.map +1 -0
package/dist/api/environments.js +69 -0
package/dist/api/environments.js.map +1 -0
package/dist/api/envoy-reports.d.ts +17 -0
package/dist/api/envoy-reports.d.ts.map +1 -0
package/dist/api/envoy-reports.js +138 -0
package/dist/api/envoy-reports.js.map +1 -0
package/dist/api/envoys.d.ts +5 -0
package/dist/api/envoys.d.ts.map +1 -0
package/dist/api/envoys.js +192 -0
package/dist/api/envoys.js.map +1 -0
package/dist/api/fleet.d.ts +11 -0
package/dist/api/fleet.d.ts.map +1 -0
package/dist/api/fleet.js +394 -0
package/dist/api/fleet.js.map +1 -0
package/dist/api/graph.d.ts +8 -0
package/dist/api/graph.d.ts.map +1 -0
package/dist/api/graph.js +355 -0
package/dist/api/graph.js.map +1 -0
package/dist/api/health.d.ts +20 -0
package/dist/api/health.d.ts.map +1 -0
package/dist/api/health.js +248 -0
package/dist/api/health.js.map +1 -0
package/dist/api/idp-schemas.d.ts +41 -0
package/dist/api/idp-schemas.d.ts.map +1 -0
package/dist/api/idp-schemas.js +17 -0
package/dist/api/idp-schemas.js.map +1 -0
package/dist/api/idp.d.ts +6 -0
package/dist/api/idp.d.ts.map +1 -0
package/dist/api/idp.js +620 -0
package/dist/api/idp.js.map +1 -0
package/dist/api/intake.d.ts +10 -0
package/dist/api/intake.d.ts.map +1 -0
package/dist/api/intake.js +418 -0
package/dist/api/intake.js.map +1 -0
package/dist/api/partitions.d.ts +5 -0
package/dist/api/partitions.d.ts.map +1 -0
package/dist/api/partitions.js +113 -0
package/dist/api/partitions.js.map +1 -0
package/dist/api/progress-event-store.d.ts +62 -0
package/dist/api/progress-event-store.d.ts.map +1 -0
package/dist/api/progress-event-store.js +118 -0
package/dist/api/progress-event-store.js.map +1 -0
package/dist/api/schemas.d.ts +1000 -0
package/dist/api/schemas.d.ts.map +1 -0
package/dist/api/schemas.js +328 -0
package/dist/api/schemas.js.map +1 -0
package/dist/api/security-boundaries.d.ts +4 -0
package/dist/api/security-boundaries.d.ts.map +1 -0
package/dist/api/security-boundaries.js +32 -0
package/dist/api/security-boundaries.js.map +1 -0
package/dist/api/settings.d.ts +4 -0
package/dist/api/settings.d.ts.map +1 -0
package/dist/api/settings.js +99 -0
package/dist/api/settings.js.map +1 -0
package/dist/api/system.d.ts +75 -0
package/dist/api/system.d.ts.map +1 -0
package/dist/api/system.js +558 -0
package/dist/api/system.js.map +1 -0
package/dist/api/telemetry.d.ts +4 -0
package/dist/api/telemetry.d.ts.map +1 -0
package/dist/api/telemetry.js +24 -0
package/dist/api/telemetry.js.map +1 -0
package/dist/api/users.d.ts +4 -0
package/dist/api/users.d.ts.map +1 -0
package/dist/api/users.js +173 -0
package/dist/api/users.js.map +1 -0
package/dist/archive-unpacker.d.ts +24 -0
package/dist/archive-unpacker.d.ts.map +1 -0
package/dist/archive-unpacker.js +239 -0
package/dist/archive-unpacker.js.map +1 -0
package/dist/artifact-analyzer.d.ts +59 -0
package/dist/artifact-analyzer.d.ts.map +1 -0
package/dist/artifact-analyzer.js +334 -0
package/dist/artifact-analyzer.js.map +1 -0
package/dist/auth/idp/index.d.ts +9 -0
package/dist/auth/idp/index.d.ts.map +1 -0
package/dist/auth/idp/index.js +5 -0
package/dist/auth/idp/index.js.map +1 -0
package/dist/auth/idp/ldap.d.ts +56 -0
package/dist/auth/idp/ldap.d.ts.map +1 -0
package/dist/auth/idp/ldap.js +276 -0
package/dist/auth/idp/ldap.js.map +1 -0
package/dist/auth/idp/oidc.d.ts +27 -0
package/dist/auth/idp/oidc.d.ts.map +1 -0
package/dist/auth/idp/oidc.js +97 -0
package/dist/auth/idp/oidc.js.map +1 -0
package/dist/auth/idp/role-mapping.d.ts +9 -0
package/dist/auth/idp/role-mapping.d.ts.map +1 -0
package/dist/auth/idp/role-mapping.js +16 -0
package/dist/auth/idp/role-mapping.js.map +1 -0
package/dist/auth/idp/saml.d.ts +40 -0
package/dist/auth/idp/saml.d.ts.map +1 -0
package/dist/auth/idp/saml.js +117 -0
package/dist/auth/idp/saml.js.map +1 -0
package/dist/auth/idp/types.d.ts +23 -0
package/dist/auth/idp/types.d.ts.map +1 -0
package/dist/auth/idp/types.js +2 -0
package/dist/auth/idp/types.js.map +1 -0
package/dist/fleet/fleet-executor.d.ts +35 -0
package/dist/fleet/fleet-executor.d.ts.map +1 -0
package/dist/fleet/fleet-executor.js +228 -0
package/dist/fleet/fleet-executor.js.map +1 -0
package/dist/fleet/fleet-store.d.ts +13 -0
package/dist/fleet/fleet-store.d.ts.map +1 -0
package/dist/fleet/fleet-store.js +13 -0
package/dist/fleet/fleet-store.js.map +1 -0
package/dist/fleet/index.d.ts +5 -0
package/dist/fleet/index.d.ts.map +1 -0
package/dist/fleet/index.js +4 -0
package/dist/fleet/index.js.map +1 -0
package/dist/fleet/representative-selector.d.ts +15 -0
package/dist/fleet/representative-selector.d.ts.map +1 -0
package/dist/fleet/representative-selector.js +71 -0
package/dist/fleet/representative-selector.js.map +1 -0
package/dist/graph/graph-executor.d.ts +36 -0
package/dist/graph/graph-executor.d.ts.map +1 -0
package/dist/graph/graph-executor.js +348 -0
package/dist/graph/graph-executor.js.map +1 -0
package/dist/graph/graph-inference.d.ts +22 -0
package/dist/graph/graph-inference.d.ts.map +1 -0
package/dist/graph/graph-inference.js +149 -0
package/dist/graph/graph-inference.js.map +1 -0
package/dist/graph/graph-store.d.ts +12 -0
package/dist/graph/graph-store.d.ts.map +1 -0
package/dist/graph/graph-store.js +61 -0
package/dist/graph/graph-store.js.map +1 -0
package/dist/graph/index.d.ts +5 -0
package/dist/graph/index.d.ts.map +1 -0
package/dist/graph/index.js +4 -0
package/dist/graph/index.js.map +1 -0
package/dist/index.d.ts +2 -0
package/dist/index.d.ts.map +1 -0
package/dist/index.js +837 -0
package/dist/index.js.map +1 -0
package/dist/intake/index.d.ts +6 -0
package/dist/intake/index.d.ts.map +1 -0
package/dist/intake/index.js +5 -0
package/dist/intake/index.js.map +1 -0
package/dist/intake/intake-processor.d.ts +17 -0
package/dist/intake/intake-processor.d.ts.map +1 -0
package/dist/intake/intake-processor.js +99 -0
package/dist/intake/intake-processor.js.map +1 -0
package/dist/intake/intake-store.d.ts +7 -0
package/dist/intake/intake-store.d.ts.map +1 -0
package/dist/intake/intake-store.js +7 -0
package/dist/intake/intake-store.js.map +1 -0
package/dist/intake/registry-poller.d.ts +41 -0
package/dist/intake/registry-poller.d.ts.map +1 -0
package/dist/intake/registry-poller.js +202 -0
package/dist/intake/registry-poller.js.map +1 -0
package/dist/intake/webhook-handlers.d.ts +37 -0
package/dist/intake/webhook-handlers.d.ts.map +1 -0
package/dist/intake/webhook-handlers.js +268 -0
package/dist/intake/webhook-handlers.js.map +1 -0
package/dist/logger.d.ts +5 -0
package/dist/logger.d.ts.map +1 -0
package/dist/logger.js +15 -0
package/dist/logger.js.map +1 -0
package/dist/mcp/resources.d.ts +9 -0
package/dist/mcp/resources.d.ts.map +1 -0
package/dist/mcp/resources.js +72 -0
package/dist/mcp/resources.js.map +1 -0
package/dist/mcp/server.d.ts +15 -0
package/dist/mcp/server.d.ts.map +1 -0
package/dist/mcp/server.js +20 -0
package/dist/mcp/server.js.map +1 -0
package/dist/mcp/tools.d.ts +9 -0
package/dist/mcp/tools.d.ts.map +1 -0
package/dist/mcp/tools.js +88 -0
package/dist/mcp/tools.js.map +1 -0
package/dist/middleware/auth.d.ts +29 -0
package/dist/middleware/auth.d.ts.map +1 -0
package/dist/middleware/auth.js +76 -0
package/dist/middleware/auth.js.map +1 -0
package/dist/middleware/permissions.d.ts +13 -0
package/dist/middleware/permissions.d.ts.map +1 -0
package/dist/middleware/permissions.js +32 -0
package/dist/middleware/permissions.js.map +1 -0
package/dist/pattern-store.d.ts +104 -0
package/dist/pattern-store.d.ts.map +1 -0
package/dist/pattern-store.js +299 -0
package/dist/pattern-store.js.map +1 -0
package/package.json +54 -0
package/src/agent/debrief-retention.ts +44 -0
package/src/agent/envoy-client.ts +474 -0
package/src/agent/envoy-registry.ts +384 -0
package/src/agent/health-checker.ts +70 -0
package/src/agent/mcp-client-manager.ts +131 -0
package/src/agent/stale-deployment-detector.ts +79 -0
package/src/agent/step-runner.ts +124 -0
package/src/agent/synth-agent.ts +1567 -0
package/src/api/agent.ts +1075 -0
package/src/api/api-keys.ts +129 -0
package/src/api/artifacts.ts +194 -0
package/src/api/auth.ts +320 -0
package/src/api/deployments.ts +1347 -0
package/src/api/environments.ts +97 -0
package/src/api/envoy-reports.ts +159 -0
package/src/api/envoys.ts +237 -0
package/src/api/fleet.ts +510 -0
package/src/api/graph.ts +516 -0
package/src/api/health.ts +311 -0
package/src/api/idp-schemas.ts +19 -0
package/src/api/idp.ts +735 -0
package/src/api/intake.ts +537 -0
package/src/api/partitions.ts +147 -0
package/src/api/progress-event-store.ts +153 -0
package/src/api/schemas.ts +376 -0
package/src/api/security-boundaries.ts +54 -0
package/src/api/settings.ts +118 -0
package/src/api/system.ts +704 -0
package/src/api/telemetry.ts +32 -0
package/src/api/users.ts +210 -0
package/src/archive-unpacker.ts +271 -0
package/src/artifact-analyzer.ts +438 -0
package/src/auth/idp/index.ts +8 -0
package/src/auth/idp/ldap.ts +340 -0
package/src/auth/idp/oidc.ts +117 -0
package/src/auth/idp/role-mapping.ts +22 -0
package/src/auth/idp/saml.ts +148 -0
package/src/auth/idp/types.ts +22 -0
package/src/fleet/fleet-executor.ts +309 -0
package/src/fleet/fleet-store.ts +13 -0
package/src/fleet/index.ts +4 -0
package/src/fleet/representative-selector.ts +83 -0
package/src/graph/graph-executor.ts +446 -0
package/src/graph/graph-inference.ts +184 -0
package/src/graph/graph-store.ts +75 -0
package/src/graph/index.ts +4 -0
package/src/index.ts +916 -0
package/src/intake/index.ts +5 -0
package/src/intake/intake-processor.ts +111 -0
package/src/intake/intake-store.ts +7 -0
package/src/intake/registry-poller.ts +230 -0
package/src/intake/webhook-handlers.ts +328 -0
package/src/logger.ts +19 -0
package/src/mcp/resources.ts +98 -0
package/src/mcp/server.ts +34 -0
package/src/mcp/tools.ts +117 -0
package/src/middleware/auth.ts +103 -0
package/src/middleware/permissions.ts +35 -0
package/src/pattern-store.ts +409 -0
package/tests/agent-mode.test.ts +536 -0
package/tests/api-handlers.test.ts +1245 -0
package/tests/archive-unpacker.test.ts +179 -0
package/tests/artifact-analyzer.test.ts +240 -0
package/tests/auth-middleware.test.ts +189 -0
package/tests/decision-diary.test.ts +957 -0
package/tests/diary-reader.test.ts +782 -0
package/tests/envoy-client.test.ts +342 -0
package/tests/envoy-reports.test.ts +156 -0
package/tests/mcp-tools.test.ts +213 -0
package/tests/orchestration.test.ts +536 -0
package/tests/partition-deletion.test.ts +143 -0
package/tests/partition-isolation.test.ts +830 -0
package/tests/pattern-store.test.ts +371 -0
package/tests/rbac-enforcement.test.ts +409 -0
package/tests/ssrf-validation.test.ts +56 -0
package/tests/stale-deployment.test.ts +85 -0
package/tests/step-runner.test.ts +308 -0
package/tests/ui-journey.test.ts +330 -0
package/tsconfig.json +11 -0
package/vitest.config.ts +27 -0

package/tests/rbac-enforcement.test.ts ADDED Viewed

@@ -0,0 +1,409 @@
+import { describe, it, expect, beforeEach, afterEach } from "vitest";
+import Fastify from "fastify";
+import type { FastifyInstance } from "fastify";
+import {
+  DecisionDebrief,
+  PartitionStore,
+  EnvironmentStore,
+  ArtifactStore,
+  SettingsStore,
+  TelemetryStore,
+  UserStore,
+  RoleStore,
+  UserRoleStore,
+  SessionStore,
+} from "@synth-deploy/core";
+import type { UserId, RoleId, Permission } from "@synth-deploy/core";
+import { InMemoryDeploymentStore } from "../src/agent/synth-agent.js";
+import { registerPartitionRoutes } from "../src/api/partitions.js";
+import { registerEnvironmentRoutes } from "../src/api/environments.js";
+import { registerSettingsRoutes } from "../src/api/settings.js";
+import { registerDeploymentRoutes } from "../src/api/deployments.js";
+import { registerArtifactRoutes } from "../src/api/artifacts.js";
+import { registerAuthMiddleware, generateTokens } from "../src/middleware/auth.js";
+// ---------------------------------------------------------------------------
+// Constants
+// ---------------------------------------------------------------------------
+const JWT_SECRET = new TextEncoder().encode("rbac-test-secret");
+const VIEWER_USER_ID = "viewer-user" as UserId;
+const DEPLOYER_USER_ID = "deployer-user" as UserId;
+const VIEWER_ROLE_ID = "role-viewer" as RoleId;
+const DEPLOYER_ROLE_ID = "role-deployer" as RoleId;
+// ---------------------------------------------------------------------------
+// Test helpers
+// ---------------------------------------------------------------------------
+interface TestContext {
+  app: FastifyInstance;
+  viewerToken: string;
+  deployerToken: string;
+}
+async function createTestServer(): Promise<TestContext> {
+  const userStore = new UserStore();
+  const roleStore = new RoleStore();
+  const userRoleStore = new UserRoleStore(roleStore);
+  const sessionStore = new SessionStore();
+  const diary = new DecisionDebrief();
+  const partitions = new PartitionStore();
+  const environments = new EnvironmentStore();
+  const deployments = new InMemoryDeploymentStore();
+  const artifactStore = new ArtifactStore();
+  const settings = new SettingsStore();
+  const telemetry = new TelemetryStore();
+  // Create viewer role — only view permissions
+  roleStore.create({
+    id: VIEWER_ROLE_ID,
+    name: "Viewer",
+    permissions: [
+      "deployment.view",
+      "artifact.view",
+      "environment.view",
+      "partition.view",
+      "envoy.view",
+    ] as Permission[],
+    isBuiltIn: false,
+    createdAt: new Date(),
+  });
+  // Create deployer role — create/approve but no settings/users
+  roleStore.create({
+    id: DEPLOYER_ROLE_ID,
+    name: "Deployer",
+    permissions: [
+      "deployment.create",
+      "deployment.approve",
+      "deployment.reject",
+      "deployment.view",
+      "deployment.rollback",
+      "artifact.create",
+      "artifact.update",
+      "artifact.view",
+      "environment.view",
+      "partition.view",
+      "envoy.view",
+    ] as Permission[],
+    isBuiltIn: false,
+    createdAt: new Date(),
+  });
+  // Create viewer user
+  userStore.create({
+    id: VIEWER_USER_ID,
+    email: "viewer@example.com",
+    name: "Viewer User",
+    passwordHash: "hashed",
+    createdAt: new Date(),
+    updatedAt: new Date(),
+  });
+  userRoleStore.assign(VIEWER_USER_ID, VIEWER_ROLE_ID, VIEWER_USER_ID);
+  // Create deployer user
+  userStore.create({
+    id: DEPLOYER_USER_ID,
+    email: "deployer@example.com",
+    name: "Deployer User",
+    passwordHash: "hashed",
+    createdAt: new Date(),
+    updatedAt: new Date(),
+  });
+  userRoleStore.assign(DEPLOYER_USER_ID, DEPLOYER_ROLE_ID, DEPLOYER_USER_ID);
+  const app = Fastify({ logger: false });
+  registerAuthMiddleware(app, userStore, userRoleStore, sessionStore, JWT_SECRET);
+  // Register routes
+  registerPartitionRoutes(app, partitions, deployments, diary, telemetry);
+  registerEnvironmentRoutes(app, environments, deployments, telemetry);
+  registerSettingsRoutes(app, settings, telemetry);
+  registerDeploymentRoutes(app, deployments, diary, partitions, environments, artifactStore, settings, telemetry);
+  registerArtifactRoutes(app, artifactStore, telemetry);
+  await app.ready();
+  // Generate tokens and sessions
+  const viewerTokens = await generateTokens(VIEWER_USER_ID, JWT_SECRET);
+  sessionStore.create({
+    id: "session-viewer",
+    userId: VIEWER_USER_ID,
+    token: viewerTokens.token,
+    refreshToken: viewerTokens.refreshToken,
+    expiresAt: viewerTokens.expiresAt,
+    createdAt: new Date(),
+  });
+  const deployerTokens = await generateTokens(DEPLOYER_USER_ID, JWT_SECRET);
+  sessionStore.create({
+    id: "session-deployer",
+    userId: DEPLOYER_USER_ID,
+    token: deployerTokens.token,
+    refreshToken: deployerTokens.refreshToken,
+    expiresAt: deployerTokens.expiresAt,
+    createdAt: new Date(),
+  });
+  return {
+    app,
+    viewerToken: viewerTokens.token,
+    deployerToken: deployerTokens.token,
+  };
+}
+// ===========================================================================
+// Tests
+// ===========================================================================
+describe("RBAC enforcement", () => {
+  let ctx: TestContext;
+  beforeEach(async () => {
+    ctx = await createTestServer();
+  });
+  afterEach(async () => {
+    await ctx.app.close();
+  });
+  // -------------------------------------------------------------------------
+  // 401 — no auth
+  // -------------------------------------------------------------------------
+  describe("unauthenticated requests return 401", () => {
+    const routes: Array<{ method: "GET" | "POST" | "PUT" | "DELETE"; url: string }> = [
+      // Deployments
+      { method: "GET", url: "/api/deployments" },
+      { method: "POST", url: "/api/deployments" },
+      { method: "GET", url: "/api/debrief" },
+      // Artifacts
+      { method: "GET", url: "/api/artifacts" },
+      { method: "POST", url: "/api/artifacts" },
+      { method: "GET", url: "/api/artifacts/fake-id" },
+      { method: "PUT", url: "/api/artifacts/fake-id" },
+      { method: "DELETE", url: "/api/artifacts/fake-id" },
+      // Environments
+      { method: "GET", url: "/api/environments" },
+      { method: "POST", url: "/api/environments" },
+      { method: "GET", url: "/api/environments/fake-id" },
+      { method: "PUT", url: "/api/environments/fake-id" },
+      { method: "DELETE", url: "/api/environments/fake-id" },
+      // Partitions
+      { method: "GET", url: "/api/partitions" },
+      { method: "POST", url: "/api/partitions" },
+      { method: "GET", url: "/api/partitions/fake-id" },
+      { method: "PUT", url: "/api/partitions/fake-id" },
+      { method: "DELETE", url: "/api/partitions/fake-id" },
+      // Settings
+      { method: "GET", url: "/api/settings" },
+      { method: "PUT", url: "/api/settings" },
+      { method: "GET", url: "/api/settings/command-info" },
+    ];
+    for (const { method, url } of routes) {
+      it(`${method} ${url} returns 401 without auth`, async () => {
+        const res = await ctx.app.inject({ method, url });
+        expect(res.statusCode).toBe(401);
+      });
+    }
+  });
+  // -------------------------------------------------------------------------
+  // 403 — wrong permissions
+  // -------------------------------------------------------------------------
+  describe("viewer cannot perform write operations (403)", () => {
+    it("POST /api/deployments returns 403 for viewer", async () => {
+      const res = await ctx.app.inject({
+        method: "POST",
+        url: "/api/deployments",
+        headers: { authorization: `Bearer ${ctx.viewerToken}` },
+        payload: { artifactId: "a1", environmentId: "e1" },
+      });
+      expect(res.statusCode).toBe(403);
+    });
+    it("POST /api/artifacts returns 403 for viewer", async () => {
+      const res = await ctx.app.inject({
+        method: "POST",
+        url: "/api/artifacts",
+        headers: { authorization: `Bearer ${ctx.viewerToken}` },
+        payload: { name: "test", type: "docker" },
+      });
+      expect(res.statusCode).toBe(403);
+    });
+    it("POST /api/environments returns 403 for viewer", async () => {
+      const res = await ctx.app.inject({
+        method: "POST",
+        url: "/api/environments",
+        headers: { authorization: `Bearer ${ctx.viewerToken}` },
+        payload: { name: "staging" },
+      });
+      expect(res.statusCode).toBe(403);
+    });
+    it("POST /api/partitions returns 403 for viewer", async () => {
+      const res = await ctx.app.inject({
+        method: "POST",
+        url: "/api/partitions",
+        headers: { authorization: `Bearer ${ctx.viewerToken}` },
+        payload: { name: "region-us" },
+      });
+      expect(res.statusCode).toBe(403);
+    });
+    it("DELETE /api/artifacts/fake-id returns 403 for viewer", async () => {
+      const res = await ctx.app.inject({
+        method: "DELETE",
+        url: "/api/artifacts/fake-id",
+        headers: { authorization: `Bearer ${ctx.viewerToken}` },
+      });
+      expect(res.statusCode).toBe(403);
+    });
+    it("DELETE /api/environments/fake-id returns 403 for viewer", async () => {
+      const res = await ctx.app.inject({
+        method: "DELETE",
+        url: "/api/environments/fake-id",
+        headers: { authorization: `Bearer ${ctx.viewerToken}` },
+      });
+      expect(res.statusCode).toBe(403);
+    });
+    it("DELETE /api/partitions/fake-id returns 403 for viewer", async () => {
+      const res = await ctx.app.inject({
+        method: "DELETE",
+        url: "/api/partitions/fake-id",
+        headers: { authorization: `Bearer ${ctx.viewerToken}` },
+      });
+      expect(res.statusCode).toBe(403);
+    });
+  });
+  describe("deployer cannot access settings (403)", () => {
+    it("GET /api/settings returns 403 for deployer", async () => {
+      const res = await ctx.app.inject({
+        method: "GET",
+        url: "/api/settings",
+        headers: { authorization: `Bearer ${ctx.deployerToken}` },
+      });
+      expect(res.statusCode).toBe(403);
+    });
+    it("PUT /api/settings returns 403 for deployer", async () => {
+      const res = await ctx.app.inject({
+        method: "PUT",
+        url: "/api/settings",
+        headers: { authorization: `Bearer ${ctx.deployerToken}` },
+        payload: { environmentsEnabled: true },
+      });
+      expect(res.statusCode).toBe(403);
+    });
+    it("GET /api/settings/command-info returns 403 for deployer", async () => {
+      const res = await ctx.app.inject({
+        method: "GET",
+        url: "/api/settings/command-info",
+        headers: { authorization: `Bearer ${ctx.deployerToken}` },
+      });
+      expect(res.statusCode).toBe(403);
+    });
+  });
+  // -------------------------------------------------------------------------
+  // 200 — correct permissions succeed
+  // -------------------------------------------------------------------------
+  describe("viewer can access read-only routes (200)", () => {
+    it("GET /api/deployments returns 200 for viewer", async () => {
+      const res = await ctx.app.inject({
+        method: "GET",
+        url: "/api/deployments",
+        headers: { authorization: `Bearer ${ctx.viewerToken}` },
+      });
+      expect(res.statusCode).toBe(200);
+    });
+    it("GET /api/artifacts returns 200 for viewer", async () => {
+      const res = await ctx.app.inject({
+        method: "GET",
+        url: "/api/artifacts",
+        headers: { authorization: `Bearer ${ctx.viewerToken}` },
+      });
+      expect(res.statusCode).toBe(200);
+    });
+    it("GET /api/environments returns 200 for viewer", async () => {
+      const res = await ctx.app.inject({
+        method: "GET",
+        url: "/api/environments",
+        headers: { authorization: `Bearer ${ctx.viewerToken}` },
+      });
+      expect(res.statusCode).toBe(200);
+    });
+    it("GET /api/partitions returns 200 for viewer", async () => {
+      const res = await ctx.app.inject({
+        method: "GET",
+        url: "/api/partitions",
+        headers: { authorization: `Bearer ${ctx.viewerToken}` },
+      });
+      expect(res.statusCode).toBe(200);
+    });
+    it("GET /api/debrief returns 200 for viewer", async () => {
+      const res = await ctx.app.inject({
+        method: "GET",
+        url: "/api/debrief",
+        headers: { authorization: `Bearer ${ctx.viewerToken}` },
+      });
+      expect(res.statusCode).toBe(200);
+    });
+  });
+  describe("deployer can create entities", () => {
+    it("POST /api/artifacts returns 201 for deployer", async () => {
+      const res = await ctx.app.inject({
+        method: "POST",
+        url: "/api/artifacts",
+        headers: { authorization: `Bearer ${ctx.deployerToken}` },
+        payload: { name: "my-app", type: "docker" },
+      });
+      expect(res.statusCode).toBe(201);
+    });
+    it("POST /api/partitions returns 201 for deployer (deployer lacks partition.create)", async () => {
+      const res = await ctx.app.inject({
+        method: "POST",
+        url: "/api/partitions",
+        headers: { authorization: `Bearer ${ctx.deployerToken}` },
+        payload: { name: "region-us" },
+      });
+      // Deployer role does NOT have partition.create — should be 403
+      expect(res.statusCode).toBe(403);
+    });
+  });
+  // -------------------------------------------------------------------------
+  // 403 error format
+  // -------------------------------------------------------------------------
+  describe("403 response includes required permissions", () => {
+    it("includes required and message fields", async () => {
+      const res = await ctx.app.inject({
+        method: "POST",
+        url: "/api/partitions",
+        headers: { authorization: `Bearer ${ctx.viewerToken}` },
+        payload: { name: "test" },
+      });
+      expect(res.statusCode).toBe(403);
+      const body = JSON.parse(res.payload);
+      expect(body.error).toBe("Forbidden");
+      expect(body.required).toContain("partition.create");
+      expect(body.message).toBeTruthy();
+    });
+  });
+});

package/tests/ssrf-validation.test.ts ADDED Viewed

@@ -0,0 +1,56 @@
+import { describe, it, expect } from "vitest";
+import { UpdateSettingsSchema } from "../src/api/schemas.js";
+describe("SSRF URL validation", () => {
+  function validateEnvoyUrl(url: string) {
+    return UpdateSettingsSchema.safeParse({
+      envoy: { url },
+    });
+  }
+  it("accepts valid external URLs", () => {
+    expect(validateEnvoyUrl("https://envoy.example.com").success).toBe(true);
+    expect(validateEnvoyUrl("http://deploy.company.com:8080").success).toBe(true);
+    expect(validateEnvoyUrl("https://203.0.113.50:3000").success).toBe(true);
+  });
+  it("rejects localhost", () => {
+    expect(validateEnvoyUrl("http://localhost:3000").success).toBe(false);
+    expect(validateEnvoyUrl("http://127.0.0.1:8080").success).toBe(false);
+  });
+  it("rejects private 10.x.x.x range", () => {
+    expect(validateEnvoyUrl("http://10.0.0.1:8080").success).toBe(false);
+    expect(validateEnvoyUrl("http://10.255.255.255").success).toBe(false);
+  });
+  it("rejects private 172.16-31.x.x range", () => {
+    expect(validateEnvoyUrl("http://172.16.0.1").success).toBe(false);
+    expect(validateEnvoyUrl("http://172.31.255.255").success).toBe(false);
+    // 172.15.x.x should be allowed
+    expect(validateEnvoyUrl("http://172.15.0.1").success).toBe(true);
+    // 172.32.x.x should be allowed
+    expect(validateEnvoyUrl("http://172.32.0.1").success).toBe(true);
+  });
+  it("rejects private 192.168.x.x range", () => {
+    expect(validateEnvoyUrl("http://192.168.1.1").success).toBe(false);
+    expect(validateEnvoyUrl("http://192.168.0.100").success).toBe(false);
+  });
+  it("rejects link-local / AWS metadata (169.254.x.x)", () => {
+    expect(validateEnvoyUrl("http://169.254.169.254/latest/meta-data/").success).toBe(false);
+  });
+  it("rejects non-http protocols", () => {
+    expect(validateEnvoyUrl("ftp://envoy.example.com").success).toBe(false);
+    expect(validateEnvoyUrl("file:///etc/passwd").success).toBe(false);
+  });
+  it("validates MCP server URLs too", () => {
+    const result = UpdateSettingsSchema.safeParse({
+      mcpServers: [{ name: "evil", url: "http://169.254.169.254" }],
+    });
+    expect(result.success).toBe(false);
+  });
+});

package/tests/stale-deployment.test.ts ADDED Viewed

@@ -0,0 +1,85 @@
+import { describe, it, expect, vi, afterEach } from "vitest";
+import { DecisionDebrief } from "@synth-deploy/core";
+import { InMemoryDeploymentStore } from "../src/agent/synth-agent.js";
+import { markStaleDeployments } from "../src/agent/stale-deployment-detector.js";
+import type { Deployment } from "@synth-deploy/core";
+function makeDeployment(overrides: Partial<Deployment> = {}): Deployment {
+  return {
+    id: "dep-1",
+    operationId: "op-1",
+    partitionId: "part-1",
+    environmentId: "env-1",
+    version: "1.0",
+    status: "running",
+    variables: {},
+    debriefEntryIds: [],
+    orderId: null,
+    createdAt: new Date(),
+    completedAt: null,
+    failureReason: null,
+    ...overrides,
+  };
+}
+describe("markStaleDeployments", () => {
+  afterEach(() => {
+    vi.restoreAllMocks();
+  });
+  it("marks running deployments older than threshold as failed", () => {
+    const deployments = new InMemoryDeploymentStore();
+    const debrief = new DecisionDebrief();
+    // Deployment created 35 minutes ago
+    const oldDate = new Date(Date.now() - 35 * 60 * 1000);
+    deployments.save(makeDeployment({ createdAt: oldDate }));
+    const count = markStaleDeployments(deployments, debrief, 30 * 60 * 1000);
+    expect(count).toBe(1);
+    expect(deployments.get("dep-1")?.status).toBe("failed");
+    expect(debrief.getRecent(1)[0].decisionType).toBe("deployment-failure");
+  });
+  it("does not touch running deployments within threshold", () => {
+    const deployments = new InMemoryDeploymentStore();
+    const debrief = new DecisionDebrief();
+    // Deployment created 5 minutes ago
+    const recentDate = new Date(Date.now() - 5 * 60 * 1000);
+    deployments.save(makeDeployment({ createdAt: recentDate }));
+    const count = markStaleDeployments(deployments, debrief, 30 * 60 * 1000);
+    expect(count).toBe(0);
+    expect(deployments.get("dep-1")?.status).toBe("running");
+  });
+  it("does not touch completed deployments", () => {
+    const deployments = new InMemoryDeploymentStore();
+    const debrief = new DecisionDebrief();
+    const oldDate = new Date(Date.now() - 60 * 60 * 1000);
+    deployments.save(makeDeployment({ status: "completed" as any, createdAt: oldDate }));
+    const count = markStaleDeployments(deployments, debrief, 30 * 60 * 1000);
+    expect(count).toBe(0);
+  });
+  it("handles multiple stale deployments", () => {
+    const deployments = new InMemoryDeploymentStore();
+    const debrief = new DecisionDebrief();
+    const oldDate = new Date(Date.now() - 45 * 60 * 1000);
+    deployments.save(makeDeployment({ id: "d1", createdAt: oldDate }));
+    deployments.save(makeDeployment({ id: "d2", createdAt: oldDate }));
+    const count = markStaleDeployments(deployments, debrief, 30 * 60 * 1000);
+    expect(count).toBe(2);
+    expect(deployments.get("d1")?.status).toBe("failed");
+    expect(deployments.get("d2")?.status).toBe("failed");
+  });
+});