@vellumai/assistant 0.3.19 → 0.3.20

package/src/__tests__/doordash-client.test.ts

@@ -1,187 +0,0 @@
-import { describe, expect,it } from 'bun:test';
-
-import { SessionExpiredError } from '../doordash/client.js';
-
-describe('SessionExpiredError', () => {
-  it('is an instance of Error', () => {
-    const err = new SessionExpiredError('test reason');
-    expect(err).toBeInstanceOf(Error);
-  });
-
-  it('has name set to SessionExpiredError', () => {
-    const err = new SessionExpiredError('test reason');
-    expect(err.name).toBe('SessionExpiredError');
-  });
-
-  it('preserves the reason as the message', () => {
-    const err = new SessionExpiredError('DoorDash session has expired.');
-    expect(err.message).toBe('DoorDash session has expired.');
-  });
-
-  it('can be distinguished from plain Error via instanceof', () => {
-    const sessionErr = new SessionExpiredError('expired');
-    const plainErr = new Error('something else');
-    expect(sessionErr instanceof SessionExpiredError).toBe(true);
-    expect(plainErr instanceof SessionExpiredError).toBe(false);
-  });
-
-  it('produces a useful stack trace', () => {
-    const err = new SessionExpiredError('no session');
-    expect(err.stack).toBeDefined();
-    expect(err.stack).toContain('SessionExpiredError');
-  });
-});
-
-describe('expired session classification', () => {
-  // The CDP response handler in cdpFetch classifies certain HTTP statuses
-  // as session-expired. We test the classification logic by simulating
-  // the parsed response structure that cdpFetch evaluates.
-
-  function classifyResponse(parsed: Record<string, unknown>): Error {
-    // Mirrors the classification logic from cdpFetch (client.ts lines 154-159)
-    if (parsed.__error) {
-      if (parsed.__status === 403 || parsed.__status === 401) {
-        return new SessionExpiredError('DoorDash session has expired.');
-      }
-      return new Error(
-        (parsed.__message as string) ??
-          `HTTP ${parsed.__status}: ${(parsed.__body as string) ?? ''}`,
-      );
-    }
-    return new Error('No error');
-  }
-
-  it('classifies HTTP 401 as SessionExpiredError', () => {
-    const err = classifyResponse({ __error: true, __status: 401, __body: 'Unauthorized' });
-    expect(err).toBeInstanceOf(SessionExpiredError);
-    expect(err.message).toBe('DoorDash session has expired.');
-  });
-
-  it('classifies HTTP 403 as SessionExpiredError', () => {
-    const err = classifyResponse({ __error: true, __status: 403, __body: 'Forbidden' });
-    expect(err).toBeInstanceOf(SessionExpiredError);
-    expect(err.message).toBe('DoorDash session has expired.');
-  });
-
-  it('classifies HTTP 500 as a generic Error, not session expired', () => {
-    const err = classifyResponse({ __error: true, __status: 500, __body: 'Internal Server Error' });
-    expect(err).not.toBeInstanceOf(SessionExpiredError);
-    expect(err.message).toBe('HTTP 500: Internal Server Error');
-  });
-
-  it('classifies HTTP 429 as a generic Error', () => {
-    const err = classifyResponse({ __error: true, __status: 429, __body: 'Rate limited' });
-    expect(err).not.toBeInstanceOf(SessionExpiredError);
-    expect(err.message).toBe('HTTP 429: Rate limited');
-  });
-
-  it('uses __message when available', () => {
-    const err = classifyResponse({ __error: true, __message: 'fetch failed' });
-    expect(err).not.toBeInstanceOf(SessionExpiredError);
-    expect(err.message).toBe('fetch failed');
-  });
-
-  it('handles response with no __body or __message gracefully', () => {
-    const err = classifyResponse({ __error: true, __status: 502 });
-    expect(err).not.toBeInstanceOf(SessionExpiredError);
-    expect(err.message).toBe('HTTP 502: ');
-  });
-});
-
-describe('CDP failure scenarios', () => {
-  // These test the error conditions that cdpFetch can encounter:
-  // 1. CDP protocol error (msg.error present)
-  // 2. Empty CDP response (no value in result)
-  // 3. Timeout (30s)
-  // 4. WebSocket connection failure
-
-  // We can test the error construction logic without connecting to a real CDP
-
-  it('CDP protocol error produces a descriptive message', () => {
-    // Simulates the error path at client.ts line 143
-    const cdpError = { message: 'Cannot find context with specified id' };
-    const err = new Error(`CDP error: ${cdpError.message}`);
-    expect(err.message).toBe('CDP error: Cannot find context with specified id');
-  });
-
-  it('Empty CDP response produces a clear error', () => {
-    // Simulates the error path at client.ts line 149
-    const value = undefined;
-    const err = !value ? new Error('Empty CDP response') : null;
-    expect(err).not.toBeNull();
-    expect(err!.message).toBe('Empty CDP response');
-  });
-
-  it('CDP timeout error message includes the timeout duration', () => {
-    // Simulates the timeout error at client.ts line 92
-    const err = new Error('CDP fetch timed out after 30s');
-    expect(err.message).toContain('30s');
-  });
-
-  it('WebSocket connection failure produces SessionExpiredError', () => {
-    // Simulates ws.onerror at client.ts line 172
-    const err = new SessionExpiredError('CDP connection failed.');
-    expect(err).toBeInstanceOf(SessionExpiredError);
-    expect(err.message).toBe('CDP connection failed.');
-  });
-
-  it('findDoordashTab failure when CDP is unavailable', () => {
-    // Simulates findDoordashTab at client.ts line 67
-    const err = new SessionExpiredError(
-      'Chrome CDP not available. Run `vellum doordash refresh` first.',
-    );
-    expect(err).toBeInstanceOf(SessionExpiredError);
-    expect(err.message).toContain('Chrome CDP not available');
-  });
-
-  it('findDoordashTab failure when no tab is available', () => {
-    // Simulates findDoordashTab at client.ts line 76
-    const err = new SessionExpiredError(
-      'No Chrome tab available for DoorDash requests.',
-    );
-    expect(err).toBeInstanceOf(SessionExpiredError);
-    expect(err.message).toContain('No Chrome tab available');
-  });
-
-  it('requireSession throws SessionExpiredError when no session exists', () => {
-    // Simulates requireSession at client.ts line 56
-    const session = null;
-    const err = !session
-      ? new SessionExpiredError('No DoorDash session found.')
-      : null;
-    expect(err).toBeInstanceOf(SessionExpiredError);
-    expect(err!.message).toBe('No DoorDash session found.');
-  });
-
-  it('GraphQL errors are joined with semicolons', () => {
-    // Simulates the error handling at client.ts lines 192-194
-    const errors = [
-      { message: 'Field "x" not found' },
-      { message: 'Unauthorized' },
-    ];
-    const msgs = errors.map(e => e.message || JSON.stringify(e)).join('; ');
-    const err = new Error(`GraphQL errors: ${msgs}`);
-    expect(err.message).toBe(
-      'GraphQL errors: Field "x" not found; Unauthorized',
-    );
-  });
-
-  it('GraphQL errors use JSON.stringify for errors without message', () => {
-    const errors = [{ extensions: { code: 'INTERNAL_ERROR' } }];
-    const msgs = errors
-      .map(e => (e as Record<string, unknown>).message || JSON.stringify(e))
-      .join('; ');
-    const err = new Error(`GraphQL errors: ${msgs}`);
-    expect(err.message).toContain('INTERNAL_ERROR');
-  });
-
-  it('Empty GraphQL response throws', () => {
-    // Simulates client.ts lines 196-198
-    const data = undefined;
-    const err = !data
-      ? new Error('Empty response from DoorDash API')
-      : null;
-    expect(err).not.toBeNull();
-    expect(err!.message).toBe('Empty response from DoorDash API');
-  });
-});

package/src/__tests__/doordash-session.test.ts

@@ -1,154 +0,0 @@
-import { existsSync, mkdirSync, rmSync,writeFileSync } from 'node:fs';
-import { tmpdir } from 'node:os';
-import { join } from 'node:path';
-
-import { afterEach,beforeEach, describe, expect, it } from 'bun:test';
-
-import {
-  type DoorDashSession,
-  getCookieHeader,
-  getCsrfToken,
-  importFromRecording,
-} from '../doordash/session.js';
-
-// Override getDataDir to use a temp directory during tests
-const TEST_DIR = join(tmpdir(), `vellum-dd-test-${process.pid}`);
-let originalDataDir: string | undefined;
-
-// We mock getDataDir by patching the module at the fs level:
-// session.ts calls getSessionDir() -> join(getDataDir(), 'doordash')
-// We'll test session.ts helpers that don't depend on getDataDir directly,
-// and test the persistence functions via the actual file system with a known path.
-
-function makeCookie(name: string, value: string): {
-  name: string;
-  value: string;
-  domain: string;
-  path: string;
-  httpOnly: boolean;
-  secure: boolean;
-} {
-  return { name, value, domain: '.doordash.com', path: '/', httpOnly: false, secure: false };
-}
-
-function makeSession(overrides?: Partial<DoorDashSession>): DoorDashSession {
-  return {
-    cookies: [
-      makeCookie('dd_session', 'abc123'),
-      makeCookie('csrf_token', 'tok456'),
-    ],
-    importedAt: '2025-01-15T12:00:00.000Z',
-    recordingId: 'rec-001',
-    ...overrides,
-  };
-}
-
-describe('DoorDash session helpers', () => {
-  describe('getCookieHeader', () => {
-    it('joins all cookies into a single header string', () => {
-      const session = makeSession();
-      const header = getCookieHeader(session);
-      expect(header).toBe('dd_session=abc123; csrf_token=tok456');
-    });
-
-    it('returns empty string for a session with no cookies', () => {
-      const session = makeSession({ cookies: [] });
-      expect(getCookieHeader(session)).toBe('');
-    });
-
-    it('handles a single cookie without trailing semicolons', () => {
-      const session = makeSession({ cookies: [makeCookie('a', '1')] });
-      expect(getCookieHeader(session)).toBe('a=1');
-    });
-  });
-
-  describe('getCsrfToken', () => {
-    it('extracts the csrf_token value when present', () => {
-      const session = makeSession();
-      expect(getCsrfToken(session)).toBe('tok456');
-    });
-
-    it('returns undefined when csrf_token is absent', () => {
-      const session = makeSession({
-        cookies: [makeCookie('dd_session', 'abc123')],
-      });
-      expect(getCsrfToken(session)).toBeUndefined();
-    });
-  });
-});
-
-describe('DoorDash session persistence', () => {
-  // These tests exercise the real loadSession/saveSession/clearSession
-  // by writing to the actual session path. We need to mock getDataDir.
-  // Since the module uses a private function we can't easily mock,
-  // we test via importFromRecording which exercises save+load.
-
-  beforeEach(() => {
-    originalDataDir = process.env.BASE_DATA_DIR;
-    process.env.BASE_DATA_DIR = TEST_DIR;
-    // Ensure test dir exists
-    mkdirSync(TEST_DIR, { recursive: true });
-  });
-
-  afterEach(() => {
-    // Restore original BASE_DATA_DIR
-    if (originalDataDir === undefined) {
-      delete process.env.BASE_DATA_DIR;
-    } else {
-      process.env.BASE_DATA_DIR = originalDataDir;
-    }
-    // Clean up test dir
-    if (existsSync(TEST_DIR)) {
-      rmSync(TEST_DIR, { recursive: true, force: true });
-    }
-  });
-
-  describe('importFromRecording', () => {
-    it('throws when the recording file does not exist', () => {
-      expect(() => importFromRecording('/nonexistent/recording.json')).toThrow(
-        'Recording not found',
-      );
-    });
-
-    it('throws when the recording contains no cookies', () => {
-      const recordingPath = join(TEST_DIR, 'empty-recording.json');
-      writeFileSync(
-        recordingPath,
-        JSON.stringify({
-          id: 'rec-empty',
-          startedAt: 0,
-          endedAt: 1,
-          targetDomain: 'doordash.com',
-          networkEntries: [],
-          cookies: [],
-          observations: [],
-        }),
-      );
-      expect(() => importFromRecording(recordingPath)).toThrow(
-        'Recording contains no cookies',
-      );
-    });
-
-    it('successfully imports a recording with cookies', () => {
-      const recordingPath = join(TEST_DIR, 'valid-recording.json');
-      writeFileSync(
-        recordingPath,
-        JSON.stringify({
-          id: 'rec-valid',
-          startedAt: 0,
-          endedAt: 1,
-          targetDomain: 'doordash.com',
-          networkEntries: [],
-          cookies: [makeCookie('session_id', 'xyz')],
-          observations: [],
-        }),
-      );
-      const session = importFromRecording(recordingPath);
-      expect(session.cookies).toHaveLength(1);
-      expect(session.cookies[0].name).toBe('session_id');
-      expect(session.cookies[0].value).toBe('xyz');
-      expect(session.recordingId).toBe('rec-valid');
-      expect(session.importedAt).toBeTruthy();
-    });
-  });
-});

package/src/__tests__/signup-e2e.test.ts

@@ -1,354 +0,0 @@
-import { mkdirSync,mkdtempSync, rmSync } from 'node:fs';
-import { tmpdir } from 'node:os';
-import { join } from 'node:path';
-
-import { afterAll, beforeAll, beforeEach, describe, expect, mock,test } from 'bun:test';
-
-// ── Mocks (before any app imports) ──────────────────────────────────
-
-const testDir = mkdtempSync(join(tmpdir(), 'signup-e2e-'));
-
-mock.module('../util/logger.js', () => ({
-  getLogger: () =>
-    new Proxy({} as Record<string, unknown>, {
-      get: () => () => {},
-    }),
-}));
-
-mock.module('../util/platform.js', () => ({
-  getDataDir: () => testDir,
-  isMacOS: () => process.platform === 'darwin',
-  isLinux: () => process.platform === 'linux',
-  isWindows: () => process.platform === 'win32',
-  getSocketPath: () => join(testDir, 'test.sock'),
-  getPidPath: () => join(testDir, 'test.pid'),
-  getDbPath: () => join(testDir, 'test.db'),
-  getLogPath: () => join(testDir, 'test.log'),
-  ensureDataDir: () => {},
-  getPlatformName: () => process.platform,
-}));
-
-mock.module('../tools/registry.js', () => ({
-  registerTool: () => {},
-}));
-
-// Force encrypted backend (no keychain) with temp store path
-import { _overrideDeps, _resetDeps } from '../security/keychain.js';
-
-_overrideDeps({
-  isMacOS: () => false,
-  isLinux: () => false,
-  execFileSync: (() => '') as unknown as typeof import('node:child_process').execFileSync,
-});
-
-import { _setStorePath } from '../security/encrypted-store.js';
-import { _resetBackend } from '../security/secure-keys.js';
-
-const STORE_PATH = join(testDir, 'keys.enc');
-
-// ── Imports (after mocks) ───────────────────────────────────────────
-
-import {
-  createAccount,
-  listAccounts,
-} from '../memory/account-store.js';
-import { getDb, initializeDb, resetDb } from '../memory/db.js';
-import {
-  deleteSecureKey,
-  getSecureKey,
-  listSecureKeys,
-  setSecureKey,
-} from '../security/secure-keys.js';
-import {
-  executeBrowserClick,
-  executeBrowserClose,
-  executeBrowserExtract,
-  executeBrowserFillCredential,
-  executeBrowserNavigate,
-  executeBrowserType,
-} from '../tools/browser/headless-browser.js';
-import { _setMetadataPath,upsertCredentialMetadata } from '../tools/credentials/metadata-store.js';
-import type { ToolContext } from '../tools/types.js';
-import { createMockSignupServer, type MockSignupServer } from './fixtures/mock-signup-server.js';
-
-// ── Setup ───────────────────────────────────────────────────────────
-
-initializeDb();
-
-const ctx: ToolContext = {
-  sessionId: 'e2e-test',
-  conversationId: 'e2e-conv',
-  workingDir: '/tmp',
-};
-
-// Test-only password (assembled to avoid pre-commit false positives)
-const TEST_PASSWORD = ['S3cure', '!Pass', '789'].join('');
-
-let server: MockSignupServer;
-let url: string;
-
-beforeAll(async () => {
-  _resetBackend();
-  mkdirSync(join(testDir, 'browser-profile'), { recursive: true });
-  _setStorePath(STORE_PATH);
-  _setMetadataPath(join(testDir, 'metadata.json'));
-
-  server = createMockSignupServer();
-  ({ url } = await server.start());
-});
-
-afterAll(async () => {
-  resetDb();
-  await executeBrowserClose({ close_all_pages: true }, ctx);
-  await server.stop();
-  _setMetadataPath(null);
-  _setStorePath(null);
-  _resetBackend();
-  _resetDeps();
-  mock.restore();
-  try {
-    rmSync(testDir, { recursive: true });
-  } catch {
-    /* best effort */
-  }
-});
-
-beforeEach(() => {
-  server.reset();
-  // Clear accounts table
-  const db = getDb();
-  db.run('DELETE FROM accounts');
-  // Clear credentials
-  for (const key of listSecureKeys()) {
-    deleteSecureKey(key);
-  }
-});
-
-// ── Tests ───────────────────────────────────────────────────────────
-
-describe('end-to-end signup flow', () => {
-  test('happy path: full signup with credential fill', async () => {
-    // Store credential in vault with metadata (broker requires metadata)
-    const storeOk = setSecureKey(`credential:mockservice:password`, TEST_PASSWORD);
-    expect(storeOk).toBe(true);
-    upsertCredentialMetadata('mockservice', 'password', { allowedTools: ['browser_fill_credential'] });
-    expect(getSecureKey('credential:mockservice:password')).toBe(TEST_PASSWORD);
-
-    // Navigate to signup
-    const navResult = await executeBrowserNavigate(
-      { url: `${url}/signup`, allow_private_network: true },
-      ctx,
-    );
-    expect(navResult.isError).toBe(false);
-    expect(navResult.content).toContain('Status: 200');
-
-    // Step 1: Name
-    await executeBrowserType(
-      { selector: 'input[name="first_name"]', text: 'Jane' },
-      ctx,
-    );
-    await executeBrowserType(
-      { selector: 'input[name="last_name"]', text: 'Doe' },
-      ctx,
-    );
-    await executeBrowserClick({ selector: 'button[type="submit"]' }, ctx);
-
-    // Step 2: Username + password (via credential fill)
-    await executeBrowserType(
-      { selector: 'input[name="username"]', text: 'janedoe' },
-      ctx,
-    );
-    const fillResult = await executeBrowserFillCredential(
-      {
-        service: 'mockservice',
-        field: 'password',
-        selector: 'input[name="password"]',
-      },
-      ctx,
-    );
-    expect(fillResult.isError).toBe(false);
-    // Credential value must NEVER appear in output
-    expect(fillResult.content).not.toContain(TEST_PASSWORD);
-    await executeBrowserClick({ selector: 'button[type="submit"]' }, ctx);
-
-    // Step 3: Verification code
-    const code = server.getVerificationCode();
-    expect(code).toMatch(/^\d{6}$/);
-    await executeBrowserType(
-      { selector: 'input[name="code"]', text: code },
-      ctx,
-    );
-    await executeBrowserClick({ selector: 'button[type="submit"]' }, ctx);
-
-    // Step 4: Solve CAPTCHA checkbox and submit
-    await executeBrowserClick(
-      { selector: 'input[name="captcha_solved"]' },
-      ctx,
-    );
-    await executeBrowserClick({ selector: 'button[type="submit"]' }, ctx);
-
-    // Verify success page
-    const extractResult = await executeBrowserExtract({}, ctx);
-    expect(extractResult.content).toContain('Account created successfully');
-
-    // Register account in the account registry
-    const acct = createAccount({
-      service: 'mockservice',
-      username: 'janedoe',
-      credentialRef: 'mockservice',
-      status: 'active',
-    });
-    expect(acct.id).toBeTruthy();
-
-    // List accounts
-    const accounts = listAccounts();
-    expect(accounts).toHaveLength(1);
-    expect(accounts[0].username).toBe('janedoe');
-
-    // Verify server recorded the account
-    const serverAccounts = server.getAccounts();
-    expect(serverAccounts).toHaveLength(1);
-    expect(serverAccounts[0].username).toBe('janedoe');
-  }, 60_000);
-
-  test('credential not found produces helpful error', async () => {
-    await executeBrowserNavigate(
-      { url: `${url}/signup`, allow_private_network: true },
-      ctx,
-    );
-    const result = await executeBrowserFillCredential(
-      {
-        service: 'nonexistent',
-        field: 'password',
-        selector: 'input[name="first_name"]',
-      },
-      ctx,
-    );
-    expect(result.isError).toBe(true);
-    expect(result.content).toContain('No credential stored');
-    expect(result.content).toContain('credential_store');
-  }, 30_000);
-
-  test('taken username shows validation error', async () => {
-    // Store credential so fill works
-    setSecureKey(`credential:mockservice:password`, TEST_PASSWORD);
-    upsertCredentialMetadata('mockservice', 'password', { allowedTools: ['browser_fill_credential'] });
-
-    await executeBrowserNavigate(
-      { url: `${url}/signup`, allow_private_network: true },
-      ctx,
-    );
-
-    // Complete step 1
-    await executeBrowserType(
-      { selector: 'input[name="first_name"]', text: 'Test' },
-      ctx,
-    );
-    await executeBrowserType(
-      { selector: 'input[name="last_name"]', text: 'User' },
-      ctx,
-    );
-    await executeBrowserClick({ selector: 'button[type="submit"]' }, ctx);
-
-    // Try taken username
-    await executeBrowserType(
-      { selector: 'input[name="username"]', text: 'taken' },
-      ctx,
-    );
-    await executeBrowserFillCredential(
-      {
-        service: 'mockservice',
-        field: 'password',
-        selector: 'input[name="password"]',
-      },
-      ctx,
-    );
-    await executeBrowserClick({ selector: 'button[type="submit"]' }, ctx);
-
-    // Should see error
-    const extract = await executeBrowserExtract({}, ctx);
-    expect(extract.content).toContain('taken');
-  }, 30_000);
-
-  test('wrong verification code shows error', async () => {
-    // Store credential so fill works
-    setSecureKey(`credential:mockservice:password`, TEST_PASSWORD);
-    upsertCredentialMetadata('mockservice', 'password', { allowedTools: ['browser_fill_credential'] });
-
-    await executeBrowserNavigate(
-      { url: `${url}/signup`, allow_private_network: true },
-      ctx,
-    );
-
-    // Step 1: name
-    await executeBrowserType(
-      { selector: 'input[name="first_name"]', text: 'Test' },
-      ctx,
-    );
-    await executeBrowserType(
-      { selector: 'input[name="last_name"]', text: 'User' },
-      ctx,
-    );
-    await executeBrowserClick({ selector: 'button[type="submit"]' }, ctx);
-
-    // Step 2: username/password
-    await executeBrowserType(
-      { selector: 'input[name="username"]', text: 'testuser' },
-      ctx,
-    );
-    await executeBrowserFillCredential(
-      {
-        service: 'mockservice',
-        field: 'password',
-        selector: 'input[name="password"]',
-      },
-      ctx,
-    );
-    await executeBrowserClick({ selector: 'button[type="submit"]' }, ctx);
-
-    // Step 3: wrong code
-    await executeBrowserType(
-      { selector: 'input[name="code"]', text: '000000' },
-      ctx,
-    );
-    await executeBrowserClick({ selector: 'button[type="submit"]' }, ctx);
-
-    // Verify error message
-    const extract = await executeBrowserExtract({}, ctx);
-    expect(extract.content).toContain('Invalid verification code');
-  }, 30_000);
-
-  test('credential value never leaks into any tool output', async () => {
-    const secret = ['MyS3cret', '!Value', '42'].join('');
-    setSecureKey(`credential:leak-test:password`, secret);
-    upsertCredentialMetadata('leak-test', 'password', { allowedTools: ['browser_fill_credential'] });
-
-    await executeBrowserNavigate(
-      { url: `${url}/signup`, allow_private_network: true },
-      ctx,
-    );
-
-    // Fill credential
-    const fillResult = await executeBrowserFillCredential(
-      {
-        service: 'leak-test',
-        field: 'password',
-        selector: 'input[name="first_name"]',
-      },
-      ctx,
-    );
-
-    // Secret must not appear in fill output
-    expect(fillResult.content).not.toContain(secret);
-
-    // List credentials — should only show metadata
-    const allKeys = listSecureKeys();
-    const credentialKeys = allKeys.filter((k) => k.startsWith('credential:'));
-    const entries = credentialKeys.map((k) => {
-      const parts = k.split(':');
-      return { service: parts[1], field: parts.slice(2).join(':') };
-    });
-    const listOutput = JSON.stringify(entries);
-    expect(listOutput).not.toContain(secret);
-  }, 30_000);
-});