@vellumai/assistant 0.5.16 → 0.6.1

package/src/runtime/routes/__tests__/user-route-dispatcher.test.ts

@@ -0,0 +1,378 @@
+import { mkdirSync, rmSync, writeFileSync } from "node:fs";
+import { join } from "node:path";
+import { afterEach, beforeEach, describe, expect, mock, test } from "bun:test";
+
+// ---------------------------------------------------------------------------
+// Mocks
+// ---------------------------------------------------------------------------
+
+mock.module("../../../util/logger.js", () => ({
+  getLogger: () =>
+    new Proxy({} as Record<string, unknown>, {
+      get: () => () => {},
+    }),
+}));
+
+import { getWorkspaceRoutesDir } from "../../../util/platform.js";
+import { UserRouteDispatcher } from "../user-route-dispatcher.js";
+
+// ---------------------------------------------------------------------------
+// Helpers
+// ---------------------------------------------------------------------------
+
+function makeRequest(
+  method: string,
+  path = "http://localhost/v1/x/test",
+): Request {
+  return new Request(path, { method });
+}
+
+function writeHandler(relativePath: string, content: string): string {
+  const routesDir = getWorkspaceRoutesDir();
+  const fullPath = join(routesDir, relativePath);
+  const dir = fullPath.substring(0, fullPath.lastIndexOf("/"));
+  mkdirSync(dir, { recursive: true });
+  writeFileSync(fullPath, content);
+  return fullPath;
+}
+
+async function readErrorBody(
+  response: Response,
+): Promise<{ error: { code: string; message: string } }> {
+  return response.json();
+}
+
+// ---------------------------------------------------------------------------
+// Setup / teardown
+// ---------------------------------------------------------------------------
+
+beforeEach(() => {
+  mkdirSync(getWorkspaceRoutesDir(), { recursive: true });
+});
+
+afterEach(() => {
+  rmSync(getWorkspaceRoutesDir(), { recursive: true, force: true });
+});
+
+// ---------------------------------------------------------------------------
+// Path traversal
+// ---------------------------------------------------------------------------
+
+describe("path traversal", () => {
+  test("rejects paths containing '..'", async () => {
+    const dispatcher = new UserRouteDispatcher();
+    const res = await dispatcher.dispatch("../etc/passwd", makeRequest("GET"));
+    expect(res.status).toBe(400);
+    const body = await readErrorBody(res);
+    expect(body.error.code).toBe("BAD_REQUEST");
+    expect(body.error.message).toContain("Path traversal");
+  });
+
+  test("rejects embedded '..' segments", async () => {
+    const dispatcher = new UserRouteDispatcher();
+    const res = await dispatcher.dispatch(
+      "foo/../../etc/passwd",
+      makeRequest("GET"),
+    );
+    expect(res.status).toBe(400);
+  });
+});
+
+// ---------------------------------------------------------------------------
+// 404 — missing handler
+// ---------------------------------------------------------------------------
+
+describe("missing handler", () => {
+  test("returns 404 when no handler file exists", async () => {
+    const dispatcher = new UserRouteDispatcher();
+    const res = await dispatcher.dispatch("nonexistent", makeRequest("GET"));
+    expect(res.status).toBe(404);
+    const body = await readErrorBody(res);
+    expect(body.error.code).toBe("NOT_FOUND");
+    expect(body.error.message).toContain("/x/nonexistent");
+  });
+});
+
+// ---------------------------------------------------------------------------
+// Successful dispatch
+// ---------------------------------------------------------------------------
+
+describe("successful dispatch", () => {
+  test("dispatches GET to handler exporting GET function", async () => {
+    writeHandler(
+      "hello.ts",
+      `export function GET(request) {
+        return Response.json({ greeting: "hello" });
+      }`,
+    );
+
+    const dispatcher = new UserRouteDispatcher();
+    const res = await dispatcher.dispatch("hello", makeRequest("GET"));
+    expect(res.status).toBe(200);
+    const body = await res.json();
+    expect(body.greeting).toBe("hello");
+  });
+
+  test("dispatches POST to handler exporting POST function", async () => {
+    writeHandler(
+      "submit.ts",
+      `export async function POST(request) {
+        return Response.json({ received: true }, { status: 201 });
+      }`,
+    );
+
+    const dispatcher = new UserRouteDispatcher();
+    const res = await dispatcher.dispatch("submit", makeRequest("POST"));
+    expect(res.status).toBe(201);
+    const body = await res.json();
+    expect(body.received).toBe(true);
+  });
+
+  test("dispatches to .js handler files", async () => {
+    writeHandler(
+      "legacy.js",
+      `export function GET(request) {
+        return Response.json({ format: "js" });
+      }`,
+    );
+
+    const dispatcher = new UserRouteDispatcher();
+    const res = await dispatcher.dispatch("legacy", makeRequest("GET"));
+    expect(res.status).toBe(200);
+    const body = await res.json();
+    expect(body.format).toBe("js");
+  });
+});
+
+// ---------------------------------------------------------------------------
+// Index file convention
+// ---------------------------------------------------------------------------
+
+describe("index file convention", () => {
+  test("resolves directory to index.ts", async () => {
+    writeHandler(
+      "my-app/index.ts",
+      `export function GET(request) {
+        return Response.json({ index: true });
+      }`,
+    );
+
+    const dispatcher = new UserRouteDispatcher();
+    const res = await dispatcher.dispatch("my-app", makeRequest("GET"));
+    expect(res.status).toBe(200);
+    const body = await res.json();
+    expect(body.index).toBe(true);
+  });
+
+  test("resolves directory to index.js when no index.ts", async () => {
+    writeHandler(
+      "fallback-app/index.js",
+      `export function GET(request) {
+        return Response.json({ index: "js" });
+      }`,
+    );
+
+    const dispatcher = new UserRouteDispatcher();
+    const res = await dispatcher.dispatch("fallback-app", makeRequest("GET"));
+    expect(res.status).toBe(200);
+    const body = await res.json();
+    expect(body.index).toBe("js");
+  });
+
+  test("prefers direct file over index file", async () => {
+    writeHandler(
+      "dual.ts",
+      `export function GET(request) {
+        return Response.json({ source: "direct" });
+      }`,
+    );
+    writeHandler(
+      "dual/index.ts",
+      `export function GET(request) {
+        return Response.json({ source: "index" });
+      }`,
+    );
+
+    const dispatcher = new UserRouteDispatcher();
+    const res = await dispatcher.dispatch("dual", makeRequest("GET"));
+    expect(res.status).toBe(200);
+    const body = await res.json();
+    expect(body.source).toBe("direct");
+  });
+});
+
+// ---------------------------------------------------------------------------
+// 405 — method not allowed
+// ---------------------------------------------------------------------------
+
+describe("method not allowed", () => {
+  test("returns 405 with Allow header when method not exported", async () => {
+    writeHandler(
+      "get-only.ts",
+      `export function GET(request) {
+        return Response.json({ ok: true });
+      }`,
+    );
+
+    const dispatcher = new UserRouteDispatcher();
+    const res = await dispatcher.dispatch("get-only", makeRequest("POST"));
+    expect(res.status).toBe(405);
+    expect(res.headers.get("Allow")).toBe("GET");
+  });
+
+  test("lists multiple allowed methods in Allow header", async () => {
+    writeHandler(
+      "multi.ts",
+      `export function GET(request) { return new Response("ok"); }
+       export function POST(request) { return new Response("ok"); }
+       export function DELETE(request) { return new Response("ok"); }`,
+    );
+
+    const dispatcher = new UserRouteDispatcher();
+    const res = await dispatcher.dispatch("multi", makeRequest("PUT"));
+    expect(res.status).toBe(405);
+    const allow = res.headers.get("Allow");
+    expect(allow).toContain("GET");
+    expect(allow).toContain("POST");
+    expect(allow).toContain("DELETE");
+  });
+});
+
+// ---------------------------------------------------------------------------
+// Handler timeout
+// ---------------------------------------------------------------------------
+
+describe("handler timeout", () => {
+  test("returns 504 when handler exceeds timeout", async () => {
+    writeHandler(
+      "slow.ts",
+      `export function GET(request) {
+        return new Promise(() => {});
+      }`,
+    );
+
+    // Use a very short timeout for testing
+    const dispatcher = new UserRouteDispatcher({ handlerTimeoutMs: 50 });
+    const res = await dispatcher.dispatch("slow", makeRequest("GET"));
+    expect(res.status).toBe(504);
+    const body = await readErrorBody(res);
+    expect(body.error.code).toBe("SERVICE_UNAVAILABLE");
+    expect(body.error.message).toContain("timed out");
+  });
+});
+
+// ---------------------------------------------------------------------------
+// Handler errors
+// ---------------------------------------------------------------------------
+
+describe("handler errors", () => {
+  test("returns 500 when handler throws synchronously", async () => {
+    writeHandler(
+      "throws.ts",
+      `export function GET(request) {
+        throw new Error("boom");
+      }`,
+    );
+
+    const dispatcher = new UserRouteDispatcher();
+    const res = await dispatcher.dispatch("throws", makeRequest("GET"));
+    expect(res.status).toBe(500);
+    const body = await readErrorBody(res);
+    expect(body.error.code).toBe("INTERNAL_ERROR");
+    expect(body.error.message).toBe("boom");
+  });
+
+  test("returns 500 when handler rejects", async () => {
+    writeHandler(
+      "rejects.ts",
+      `export async function GET(request) {
+        throw new Error("async boom");
+      }`,
+    );
+
+    const dispatcher = new UserRouteDispatcher();
+    const res = await dispatcher.dispatch("rejects", makeRequest("GET"));
+    expect(res.status).toBe(500);
+    const body = await readErrorBody(res);
+    expect(body.error.message).toBe("async boom");
+  });
+});
+
+// ---------------------------------------------------------------------------
+// Mtime-based cache invalidation
+// ---------------------------------------------------------------------------
+
+describe("mtime cache", () => {
+  test("serves updated content after file modification", async () => {
+    const filePath = writeHandler(
+      "mutable.ts",
+      `export function GET(request) {
+        return Response.json({ version: 1 });
+      }`,
+    );
+
+    const dispatcher = new UserRouteDispatcher();
+
+    // First request — version 1
+    const res1 = await dispatcher.dispatch("mutable", makeRequest("GET"));
+    expect(res1.status).toBe(200);
+    const body1 = await res1.json();
+    expect(body1.version).toBe(1);
+
+    // Wait briefly to ensure mtime changes, then rewrite
+    await new Promise((resolve) => setTimeout(resolve, 50));
+    writeFileSync(
+      filePath,
+      `export function GET(request) {
+        return Response.json({ version: 2 });
+      }`,
+    );
+
+    // Second request — should pick up version 2
+    const res2 = await dispatcher.dispatch("mutable", makeRequest("GET"));
+    expect(res2.status).toBe(200);
+    const body2 = await res2.json();
+    expect(body2.version).toBe(2);
+  });
+});
+
+// ---------------------------------------------------------------------------
+// Subdirectory routing
+// ---------------------------------------------------------------------------
+
+describe("subdirectory routing", () => {
+  test("dispatches to nested handler files", async () => {
+    writeHandler(
+      "api/v1/status.ts",
+      `export function GET(request) {
+        return Response.json({ nested: true });
+      }`,
+    );
+
+    const dispatcher = new UserRouteDispatcher();
+    const res = await dispatcher.dispatch("api/v1/status", makeRequest("GET"));
+    expect(res.status).toBe(200);
+    const body = await res.json();
+    expect(body.nested).toBe(true);
+  });
+});
+
+// ---------------------------------------------------------------------------
+// Description metadata
+// ---------------------------------------------------------------------------
+
+describe("description metadata", () => {
+  test("ignores non-handler exports without affecting dispatch", async () => {
+    writeHandler(
+      "with-meta.ts",
+      `export const description = "A test handler";
+       export function GET(request) {
+         return Response.json({ ok: true });
+       }`,
+    );
+
+    const dispatcher = new UserRouteDispatcher();
+    const res = await dispatcher.dispatch("with-meta", makeRequest("GET"));
+    expect(res.status).toBe(200);
+  });
+});

package/src/runtime/routes/app-management-routes.ts

@@ -24,6 +24,7 @@ import { packageApp } from "../../bundler/app-bundler.js";
 import { compileApp } from "../../bundler/app-compiler.js";
 import { scanBundle } from "../../bundler/bundle-scanner.js";
 import { verifyBundleSignature } from "../../bundler/signature-verifier.js";
+import { compareSemver } from "../../daemon/handlers/shared.js";
 import { defaultGallery } from "../../gallery/default-gallery.js";
 import {
   getAppDiff,
@@ -68,17 +69,6 @@ function getSharedAppsDir(): string {
   );
 }
 
-/** Compare two semver strings. Returns negative if a < b, 0 if equal, positive if a > b. */
-function compareSemver(a: string, b: string): number {
-  const pa = a.split(".").map(Number);
-  const pb = b.split(".").map(Number);
-  for (let i = 0; i < 3; i++) {
-    const diff = (pa[i] ?? 0) - (pb[i] ?? 0);
-    if (diff !== 0) return diff;
-  }
-  return 0;
-}
-
 // ---------------------------------------------------------------------------
 // Extracted business logic
 // ---------------------------------------------------------------------------

package/src/runtime/routes/approval-strategies/guardian-callback-strategy.ts

@@ -5,6 +5,7 @@
  */
 import { applyGuardianDecision } from "../../../approvals/guardian-decision-primitive.js";
 import type { ChannelId } from "../../../channels/types.js";
+import { findContactChannel } from "../../../contacts/contact-store.js";
 import {
   getAllPendingApprovalsByGuardianChat,
   getApprovalRequestById,
@@ -804,6 +805,25 @@ async function handleAccessRequestApproval(
     return { handled: true, type: "stale_ignored" };
   }
 
+  // Resolve display names from the contacts database for enriched payloads
+  const requesterContactResult = approval.requesterExternalUserId
+    ? findContactChannel({
+        channelType: approval.channel,
+        externalUserId: approval.requesterExternalUserId,
+      })
+    : null;
+  const requesterDisplayName =
+    requesterContactResult?.contact.displayName ?? null;
+
+  const decidedByContactResult = decidedByExternalUserId
+    ? findContactChannel({
+        channelType: approval.channel,
+        externalUserId: decidedByExternalUserId,
+      })
+    : null;
+  const decidedByDisplayName =
+    decidedByContactResult?.contact.displayName ?? null;
+
   if (decisionResult.type === "denied") {
     await notifyRequesterOfDenial({
       replyCallbackUrl,
@@ -821,6 +841,8 @@ async function handleAccessRequestApproval(
       requesterExternalUserId: approval.requesterExternalUserId,
       requesterChatId: approval.requesterChatId,
       decidedByExternalUserId,
+      requesterDisplayName,
+      decidedByDisplayName,
       decision: "denied" as const,
     };
 
@@ -952,6 +974,8 @@ async function handleAccessRequestApproval(
         requesterExternalUserId: approval.requesterExternalUserId,
         requesterChatId: approval.requesterChatId,
         decidedByExternalUserId,
+        requesterDisplayName,
+        decidedByDisplayName,
         decision: "approved",
       },
       dedupeKey: `trusted-contact:guardian-decision:${approval.id}`,
@@ -977,6 +1001,8 @@ async function handleAccessRequestApproval(
         sourceChannel: approval.channel as NotificationSourceChannel,
         requesterExternalUserId: approval.requesterExternalUserId,
         requesterChatId: approval.requesterChatId,
+        requesterDisplayName,
+        decidedByDisplayName,
         verificationSessionId: decisionResult.verificationSessionId,
       },
       dedupeKey: `trusted-contact:verification-sent:${decisionResult.verificationSessionId}`,

package/src/runtime/routes/archive-utils.ts

@@ -0,0 +1,29 @@
+/**
+ * Shared tar.gz archive creation utilities used by
+ * log export and profiler export routes.
+ */
+
+import { spawnSync } from "node:child_process";
+
+/** Maximum compressed archive size (50 MB). */
+export const MAX_ARCHIVE_BYTES = 50 * 1024 * 1024;
+
+/**
+ * Attempts to create a tar.gz archive of `staging` into a Buffer.
+ * Returns the Buffer on success, or `undefined` if the archive exceeds
+ * the size limit or tar otherwise fails.
+ */
+export function createTarGz(
+  staging: string,
+  maxBytes: number = MAX_ARCHIVE_BYTES,
+): ArrayBuffer | undefined {
+  const proc = spawnSync("tar", ["czf", "-", "-C", staging, "."], {
+    maxBuffer: maxBytes,
+    timeout: 30_000,
+  });
+  if (proc.status !== 0) return undefined;
+  const buf = Buffer.isBuffer(proc.stdout)
+    ? proc.stdout
+    : Buffer.from(proc.stdout);
+  return buf.buffer.slice(buf.byteOffset, buf.byteOffset + buf.byteLength);
+}

package/src/runtime/routes/attachment-routes.test.ts

@@ -0,0 +1,106 @@
+import {
+  mkdirSync,
+  mkdtempSync,
+  rmSync,
+  symlinkSync,
+  writeFileSync,
+} from "node:fs";
+import { tmpdir } from "node:os";
+import { join } from "node:path";
+import { afterAll, beforeAll, describe, expect, mock, test } from "bun:test";
+
+const testWorkspaceDir = mkdtempSync(
+  join(tmpdir(), "attachment-routes-workspace-"),
+);
+const testHomeDir = mkdtempSync(join(tmpdir(), "attachment-routes-home-"));
+
+const attachmentsDir = join(testWorkspaceDir, "data", "attachments");
+const conversationsDir = join(testWorkspaceDir, "conversations");
+const recordingsDir = join(
+  testHomeDir,
+  "Library/Application Support/vellum-assistant/recordings",
+);
+const outsideDir = mkdtempSync(join(tmpdir(), "attachment-routes-outside-"));
+
+const originalHome = process.env.HOME;
+process.env.HOME = testHomeDir;
+
+mock.module("../../util/platform.js", () => ({
+  getWorkspaceDir: () => testWorkspaceDir,
+}));
+
+import { resolveAllowedFileBackedAttachmentPath } from "./attachment-routes.js";
+
+beforeAll(() => {
+  mkdirSync(attachmentsDir, { recursive: true });
+  mkdirSync(conversationsDir, { recursive: true });
+  mkdirSync(recordingsDir, { recursive: true });
+});
+
+afterAll(() => {
+  process.env.HOME = originalHome;
+  rmSync(testWorkspaceDir, { recursive: true, force: true });
+  rmSync(testHomeDir, { recursive: true, force: true });
+  rmSync(outsideDir, { recursive: true, force: true });
+});
+
+describe("resolveAllowedFileBackedAttachmentPath", () => {
+  test("allows files in workspace attachments directory", () => {
+    const attachmentFile = join(attachmentsDir, "sample.txt");
+    writeFileSync(attachmentFile, "ok");
+
+    expect(resolveAllowedFileBackedAttachmentPath(attachmentFile)).toBe(
+      attachmentFile,
+    );
+  });
+
+  test("allows files in recordings directory", () => {
+    const recordingFile = join(recordingsDir, "recording.mov");
+    writeFileSync(recordingFile, "ok");
+
+    expect(resolveAllowedFileBackedAttachmentPath(recordingFile)).toBe(
+      recordingFile,
+    );
+  });
+
+  test("allows files in conversation attachments directory", () => {
+    const convAttachDir = join(conversationsDir, "conv-123", "attachments");
+    mkdirSync(convAttachDir, { recursive: true });
+    const convFile = join(convAttachDir, "photo.jpg");
+    writeFileSync(convFile, "ok");
+
+    expect(resolveAllowedFileBackedAttachmentPath(convFile)).toBe(convFile);
+  });
+
+  test("rejects files in conversation dir outside attachments subdir", () => {
+    const convDir = join(conversationsDir, "conv-456");
+    mkdirSync(convDir, { recursive: true });
+    const metaFile = join(convDir, "meta.json");
+    writeFileSync(metaFile, "{}");
+
+    expect(resolveAllowedFileBackedAttachmentPath(metaFile)).toBeNull();
+  });
+
+  test("rejects files outside allowed directories", () => {
+    const outsideFile = join(outsideDir, "secret.txt");
+    writeFileSync(outsideFile, "secret");
+
+    expect(resolveAllowedFileBackedAttachmentPath(outsideFile)).toBeNull();
+  });
+
+  test("rejects path traversal via '..' segments", () => {
+    const traversalPath = join(attachmentsDir, "..", "..", "secret.txt");
+
+    expect(resolveAllowedFileBackedAttachmentPath(traversalPath)).toBeNull();
+  });
+
+  test("rejects symlinks inside allowed dir pointing outside", () => {
+    const outsideFile = join(outsideDir, "linked-secret.txt");
+    writeFileSync(outsideFile, "secret");
+
+    const symlinkPath = join(attachmentsDir, "sneaky-link.txt");
+    symlinkSync(outsideFile, symlinkPath);
+
+    expect(resolveAllowedFileBackedAttachmentPath(symlinkPath)).toBeNull();
+  });
+});