@vellumai/assistant 0.7.2 → 0.7.3

package/src/__tests__/host-bash-proxy.test.ts

@@ -17,11 +17,20 @@ mock.module("../config/loader.js", () => ({
 const sentMessages: unknown[] = [];
 const sentMessageOptions: unknown[] = [];
 let mockHasClient = false;
-let mockCapableClients: Array<{ clientId: string; capabilities: string[] }> = [];
-let mockClientRegistry: Map<string, { clientId: string; capabilities: string[] }> = new Map();
+type MockClient = {
+  clientId: string;
+  capabilities: string[];
+  actorPrincipalId?: string;
+};
+let mockCapableClients: Array<MockClient> = [];
+let mockClientRegistry: Map<string, MockClient> = new Map();
 
 mock.module("../runtime/assistant-event-hub.js", () => ({
-  broadcastMessage: (msg: unknown, _conversationId?: string, options?: unknown) => {
+  broadcastMessage: (
+    msg: unknown,
+    _conversationId?: string,
+    options?: unknown,
+  ) => {
     sentMessages.push(msg);
     sentMessageOptions.push(options);
   },
@@ -30,6 +39,8 @@ mock.module("../runtime/assistant-event-hub.js", () => ({
       cap === "host_bash" && mockHasClient ? { id: "mock-client" } : null,
     listClientsByCapability: (_cap: string) => mockCapableClients,
     getClientById: (clientId: string) => mockClientRegistry.get(clientId),
+    getActorPrincipalIdForClient: (clientId: string) =>
+      mockClientRegistry.get(clientId)?.actorPrincipalId,
   },
 }));
 
@@ -50,8 +61,15 @@ describe("HostBashProxy", () => {
     proxy = new (HostBashProxy as any)();
   }
 
-  function setupSingleClient(clientId = "client-1") {
-    const entry = { clientId, capabilities: ["host_bash"] };
+  function setupSingleClient(
+    clientId: string = "client-1",
+    actorPrincipalId: string = "user-A",
+  ) {
+    const entry: MockClient = {
+      clientId,
+      capabilities: ["host_bash"],
+      actorPrincipalId,
+    };
     mockCapableClients = [entry];
     mockClientRegistry.set(clientId, entry);
   }
@@ -60,6 +78,7 @@ describe("HostBashProxy", () => {
     mockCapableClients = clientIds.map((id) => ({
       clientId: id,
       capabilities: ["host_bash"],
+      actorPrincipalId: "user-A",
     }));
     for (const entry of mockCapableClients) {
       mockClientRegistry.set(entry.clientId, entry);
@@ -551,11 +570,13 @@ describe("HostBashProxy", () => {
   describe("target client routing", () => {
     test("auto-resolves when exactly one capable client is connected", async () => {
       setup();
-      setupSingleClient("client-abc");
+      setupSingleClient("client-abc", "user-A");
 
       const resultPromise = proxy.request(
         { command: "echo hello" },
         "session-1",
+        undefined,
+        "user-A",
       );
 
       expect(sentMessages).toHaveLength(1);
@@ -580,15 +601,21 @@ describe("HostBashProxy", () => {
 
     test("uses explicit targetClientId when it is valid", async () => {
       setup();
-      setupSingleClient("client-abc");
+      setupSingleClient("client-abc", "user-A");
       // Also register a second client so we're sure explicit targeting works
-      const entry2 = { clientId: "client-xyz", capabilities: ["host_bash"] };
+      const entry2: MockClient = {
+        clientId: "client-xyz",
+        capabilities: ["host_bash"],
+        actorPrincipalId: "user-A",
+      };
       mockCapableClients.push(entry2);
       mockClientRegistry.set("client-xyz", entry2);
 
       const resultPromise = proxy.request(
         { command: "echo hello", targetClientId: "client-abc" },
         "session-1",
+        undefined,
+        "user-A",
       );
 
       expect(sentMessages).toHaveLength(1);
@@ -612,17 +639,21 @@ describe("HostBashProxy", () => {
 
     test("returns error for explicit targetClientId that is not connected", async () => {
       setup();
-      setupSingleClient("client-abc");
+      setupSingleClient("client-abc", "user-A");
 
       const result = await proxy.request(
         { command: "echo hello", targetClientId: "client-unknown" },
         "session-1",
+        undefined,
+        "user-A",
       );
 
       // Should return error without broadcasting
       expect(result.isError).toBe(true);
       expect(result.content).toContain("client-unknown");
-      expect(result.content).toContain("assistant clients list --capability host_bash");
+      expect(result.content).toContain(
+        "assistant clients list --capability host_bash",
+      );
       expect(sentMessages).toHaveLength(0);
     });
 
@@ -632,11 +663,14 @@ describe("HostBashProxy", () => {
       mockClientRegistry.set("client-no-bash", {
         clientId: "client-no-bash",
         capabilities: [],
+        actorPrincipalId: "user-A",
       });
 
       const result = await proxy.request(
         { command: "echo hello", targetClientId: "client-no-bash" },
         "session-1",
+        undefined,
+        "user-A",
       );
 
       expect(result.isError).toBe(true);
@@ -645,36 +679,23 @@ describe("HostBashProxy", () => {
       expect(sentMessages).toHaveLength(0);
     });
 
-    test("falls through to untargeted broadcast when multiple capable clients are connected and no targetClientId", async () => {
+    test("rejects ambiguously when multiple same-user capable clients are connected and no targetClientId", async () => {
+      // Regression: previously fell through to untargeted broadcast, fanning
+      // a single targeted-style request out across every same-user machine.
       setup();
       setupMultipleClients(["client-1", "client-2", "client-3"]);
 
-      const resultPromise = proxy.request(
+      const result = await proxy.request(
         { command: "echo hello" },
         "session-1",
+        undefined,
+        "user-A",
       );
 
-      // Should broadcast without an early error return
-      expect(sentMessages).toHaveLength(1);
-      const sent = sentMessages[0] as Record<string, unknown>;
-      expect(sent.type).toBe("host_bash_request");
-      // No target client resolved — untargeted broadcast
-      expect(sent.targetClientId).toBeUndefined();
-
-      const opts = sentMessageOptions[0] as Record<string, unknown> | undefined;
-      expect(opts?.targetClientId).toBeUndefined();
-
-      // Manually resolve to clean up
-      const requestId = sent.requestId as string;
-      proxy.resolveResult(requestId, {
-        stdout: "hello\n",
-        stderr: "",
-        exitCode: 0,
-        timedOut: false,
-      });
-
-      const result = await resultPromise;
-      expect(result.isError).toBe(false);
+      expect(result.isError).toBe(true);
+      expect(result.content).toContain("target_client_id");
+      // No broadcast happened
+      expect(sentMessages).toHaveLength(0);
     });
 
     test("falls through to broadcast when zero capable clients (existing timeout path)", async () => {
@@ -707,13 +728,15 @@ describe("HostBashProxy", () => {
 
     test("includes targetClientId in timeout error message when client was resolved", async () => {
       setup();
-      setupSingleClient("client-mac");
+      setupSingleClient("client-mac", "user-A");
 
       jest.useFakeTimers();
       try {
         const resultPromise = proxy.request(
           { command: "echo slow", timeout_seconds: 30 },
           "session-1",
+          undefined,
+          "user-A",
         );
 
         // Proxy timeout = 33s; advance past it
@@ -727,4 +750,174 @@ describe("HostBashProxy", () => {
       }
     });
   });
+
+  describe("same-user binding (sourceActorPrincipalId)", () => {
+    const SAME_USER_REJECTION =
+      "Submitting actor does not match the target client's actor for this request. The targeted client's authenticated user must submit the result.";
+
+    test("same-user targeted request succeeds", async () => {
+      setup();
+      setupSingleClient("client-abc", "user-A");
+
+      const resultPromise = proxy.request(
+        { command: "echo hello", targetClientId: "client-abc" },
+        "session-1",
+        undefined,
+        "user-A",
+      );
+
+      expect(sentMessages).toHaveLength(1);
+      const sent = sentMessages[0] as Record<string, unknown>;
+      expect(sent.type).toBe("host_bash_request");
+      expect(sent.targetClientId).toBe("client-abc");
+      const requestId = sent.requestId as string;
+      expect(pendingInteractions.get(requestId)).toBeDefined();
+
+      proxy.resolveResult(requestId, {
+        stdout: "hello\n",
+        stderr: "",
+        exitCode: 0,
+        timedOut: false,
+      });
+      await resultPromise;
+    });
+
+    test("cross-user targeted request rejected", async () => {
+      setup();
+      setupSingleClient("client-abc", "user-A");
+
+      const result = await proxy.request(
+        { command: "echo hello", targetClientId: "client-abc" },
+        "session-1",
+        undefined,
+        "user-B",
+      );
+
+      expect(result.isError).toBe(true);
+      expect(result.content).toBe(SAME_USER_REJECTION);
+      // No broadcast and no pending registration
+      expect(sentMessages).toHaveLength(0);
+    });
+
+    test("target client missing actorPrincipalId rejected", async () => {
+      setup();
+      // Register a client without an actorPrincipalId (legacy/service-token).
+      const entry: MockClient = {
+        clientId: "client-abc",
+        capabilities: ["host_bash"],
+      };
+      mockCapableClients = [entry];
+      mockClientRegistry.set("client-abc", entry);
+
+      const result = await proxy.request(
+        { command: "echo hello", targetClientId: "client-abc" },
+        "session-1",
+        undefined,
+        "user-A",
+      );
+
+      expect(result.isError).toBe(true);
+      expect(result.content).toBe(SAME_USER_REJECTION);
+      expect(sentMessages).toHaveLength(0);
+    });
+
+    test("source missing actorPrincipalId rejected when targeting", async () => {
+      setup();
+      setupSingleClient("client-abc", "user-A");
+
+      const result = await proxy.request(
+        { command: "echo hello", targetClientId: "client-abc" },
+        "session-1",
+        undefined,
+        undefined,
+      );
+
+      expect(result.isError).toBe(true);
+      expect(result.content).toBe(SAME_USER_REJECTION);
+      expect(sentMessages).toHaveLength(0);
+    });
+
+    test("untargeted local flow unchanged when no auto-resolve match", async () => {
+      setup();
+      // No capable clients connected — untargeted path runs.
+
+      const resultPromise = proxy.request(
+        { command: "echo hello" },
+        "session-1",
+        undefined,
+        "user-A",
+      );
+
+      expect(sentMessages).toHaveLength(1);
+      const sent = sentMessages[0] as Record<string, unknown>;
+      expect(sent.type).toBe("host_bash_request");
+      expect(sent.targetClientId).toBeUndefined();
+
+      const requestId = sent.requestId as string;
+      proxy.resolveResult(requestId, {
+        stdout: "hello\n",
+        stderr: "",
+        exitCode: 0,
+        timedOut: false,
+      });
+      await resultPromise;
+    });
+
+    test("auto-resolve to same-user client succeeds", async () => {
+      setup();
+      setupSingleClient("client-abc", "user-A");
+
+      const resultPromise = proxy.request(
+        { command: "echo hello" },
+        "session-1",
+        undefined,
+        "user-A",
+      );
+
+      expect(sentMessages).toHaveLength(1);
+      const sent = sentMessages[0] as Record<string, unknown>;
+      expect(sent.targetClientId).toBe("client-abc");
+
+      const requestId = sent.requestId as string;
+      proxy.resolveResult(requestId, {
+        stdout: "hello\n",
+        stderr: "",
+        exitCode: 0,
+        timedOut: false,
+      });
+      await resultPromise;
+    });
+
+    test("auto-resolve to different-user client falls through to untargeted", async () => {
+      setup();
+      // Single capable client owned by user-B; caller is user-A.
+      setupSingleClient("client-abc", "user-B");
+
+      const resultPromise = proxy.request(
+        { command: "echo hello" },
+        "session-1",
+        undefined,
+        "user-A",
+      );
+
+      // Auto-resolve must NOT pick the cross-user client; the untargeted
+      // broadcast path runs instead.
+      expect(sentMessages).toHaveLength(1);
+      const sent = sentMessages[0] as Record<string, unknown>;
+      expect(sent.type).toBe("host_bash_request");
+      expect(sent.targetClientId).toBeUndefined();
+
+      const opts = sentMessageOptions[0] as Record<string, unknown> | undefined;
+      expect(opts?.targetClientId).toBeUndefined();
+
+      const requestId = sent.requestId as string;
+      proxy.resolveResult(requestId, {
+        stdout: "hello\n",
+        stderr: "",
+        exitCode: 0,
+        timedOut: false,
+      });
+      await resultPromise;
+    });
+  });
 });

package/src/__tests__/host-bash-routes.test.ts

@@ -35,7 +35,12 @@ mock.module("../runtime/pending-interactions.js", () => ({
 
 interface ResolveCall {
   requestId: string;
-  result: { stdout: string; stderr: string; exitCode: number | null; timedOut: boolean };
+  result: {
+    stdout: string;
+    stderr: string;
+    exitCode: number | null;
+    timedOut: boolean;
+  };
 }
 
 const resolveSpy: ResolveCall[] = [];
@@ -46,7 +51,12 @@ mock.module("../daemon/host-bash-proxy.js", () => ({
       return {
         resolveResult(
           requestId: string,
-          result: { stdout: string; stderr: string; exitCode: number | null; timedOut: boolean },
+          result: {
+            stdout: string;
+            stderr: string;
+            exitCode: number | null;
+            timedOut: boolean;
+          },
         ) {
           // resolveResult() internally calls pendingInteractions.resolve() in the real
           // implementation; simulate that here so resolvedIds assertions still hold.
@@ -58,6 +68,16 @@ mock.module("../daemon/host-bash-proxy.js", () => ({
   },
 }));
 
+// Stored actor-principal-id keyed by clientId, populated by tests.
+const clientActorPrincipals = new Map<string, string>();
+
+mock.module("../runtime/assistant-event-hub.js", () => ({
+  assistantEventHub: {
+    getActorPrincipalIdForClient: (clientId: string) =>
+      clientActorPrincipals.get(clientId),
+  },
+}));
+
 // ── Real imports (after mocks) ───────────────────────────────────────
 
 import {
@@ -82,10 +102,19 @@ function registerPending(
   requestId: string,
   overrides: Partial<PendingInteraction> = {},
 ): void {
+  // Mirror the production proxy behavior: capture the target's actor
+  // principal at registration time so the result-route check compares
+  // against the persisted value rather than a live hub lookup.
+  const targetActorPrincipalId =
+    overrides.targetActorPrincipalId ??
+    (overrides.targetClientId
+      ? clientActorPrincipals.get(overrides.targetClientId)
+      : undefined);
   pendingStore.set(requestId, {
     conversationId: "conv-1",
     kind: "host_bash",
     ...overrides,
+    targetActorPrincipalId,
   });
 }
 
@@ -106,6 +135,7 @@ describe("handleHostBashResult", () => {
     pendingStore.clear();
     resolvedIds.length = 0;
     resolveSpy.length = 0;
+    clientActorPrincipals.clear();
   });
 
   // ── Happy paths ────────────────────────────────────────────────────
@@ -142,11 +172,15 @@ describe("handleHostBashResult", () => {
   describe("targeted request (targetClientId set)", () => {
     test("accepts when x-vellum-client-id matches targetClientId", async () => {
       const requestId = "req-targeted-match";
+      clientActorPrincipals.set("client-abc", "principal-1");
       registerPending(requestId, { targetClientId: "client-abc" });
 
       const result = await handleHostBashResult({
         body: bashBody(requestId),
-        headers: { "x-vellum-client-id": "client-abc" },
+        headers: {
+          "x-vellum-client-id": "client-abc",
+          "x-vellum-actor-principal-id": "principal-1",
+        },
       });
 
       expect(result).toEqual({ accepted: true });
@@ -157,14 +191,145 @@ describe("handleHostBashResult", () => {
 
     test("trims whitespace from x-vellum-client-id before comparing", async () => {
       const requestId = "req-targeted-trim";
+      clientActorPrincipals.set("client-abc", "principal-1");
+      registerPending(requestId, { targetClientId: "client-abc" });
+
+      const result = await handleHostBashResult({
+        body: bashBody(requestId),
+        headers: {
+          "x-vellum-client-id": "  client-abc  ",
+          "x-vellum-actor-principal-id": "principal-1",
+        },
+      });
+
+      expect(result).toEqual({ accepted: true });
+    });
+  });
+
+  // ── Same-user actor binding (defense-in-depth) ─────────────────────
+
+  describe("targeted request — actor principal binding", () => {
+    test("accepts when submitting actor matches target client's actor", async () => {
+      const requestId = "req-actor-match";
+      clientActorPrincipals.set("client-abc", "principal-shared");
+      registerPending(requestId, { targetClientId: "client-abc" });
+
+      const result = await handleHostBashResult({
+        body: bashBody(requestId),
+        headers: {
+          "x-vellum-client-id": "client-abc",
+          "x-vellum-actor-principal-id": "principal-shared",
+        },
+      });
+
+      expect(result).toEqual({ accepted: true });
+      expect(resolveSpy).toHaveLength(1);
+      expect(resolvedIds).toContain(requestId);
+    });
+
+    test("throws ForbiddenError (403) when submitting actor does not match target client's actor", () => {
+      const requestId = "req-actor-mismatch";
+      clientActorPrincipals.set("client-abc", "principal-victim");
+      registerPending(requestId, { targetClientId: "client-abc" });
+
+      expect(() =>
+        handleHostBashResult({
+          body: bashBody(requestId),
+          headers: {
+            "x-vellum-client-id": "client-abc",
+            "x-vellum-actor-principal-id": "principal-attacker",
+          },
+        }),
+      ).toThrow(ForbiddenError);
+    });
+
+    test("interaction is NOT resolved on cross-actor 403 (still pending)", () => {
+      const requestId = "req-actor-mismatch-stays";
+      clientActorPrincipals.set("client-abc", "principal-victim");
+      registerPending(requestId, { targetClientId: "client-abc" });
+
+      try {
+        handleHostBashResult({
+          body: bashBody(requestId),
+          headers: {
+            "x-vellum-client-id": "client-abc",
+            "x-vellum-actor-principal-id": "principal-attacker",
+          },
+        });
+      } catch {
+        // expected
+      }
+
+      expect(resolvedIds).not.toContain(requestId);
+      expect(pendingStore.has(requestId)).toBe(true);
+    });
+
+    test("throws ForbiddenError (403) when x-vellum-actor-principal-id header is missing entirely", () => {
+      const requestId = "req-actor-missing";
+      clientActorPrincipals.set("client-abc", "principal-victim");
+      registerPending(requestId, { targetClientId: "client-abc" });
+
+      expect(() =>
+        handleHostBashResult({
+          body: bashBody(requestId),
+          headers: { "x-vellum-client-id": "client-abc" },
+        }),
+      ).toThrow(ForbiddenError);
+    });
+
+    test("interaction is NOT resolved when submitting actor is missing (still pending)", () => {
+      const requestId = "req-actor-missing-stays";
+      clientActorPrincipals.set("client-abc", "principal-victim");
       registerPending(requestId, { targetClientId: "client-abc" });
 
+      try {
+        handleHostBashResult({
+          body: bashBody(requestId),
+          headers: { "x-vellum-client-id": "client-abc" },
+        });
+      } catch {
+        // expected
+      }
+
+      expect(resolvedIds).not.toContain(requestId);
+      expect(pendingStore.has(requestId)).toBe(true);
+    });
+
+    test("throws ForbiddenError (403) when target client has no stored actor principal", () => {
+      // Target client connected without a verified principal (e.g. legacy
+      // service token) — refuse the submission rather than silently allow
+      // any actor through.
+      const requestId = "req-actor-target-missing";
+      registerPending(requestId, { targetClientId: "client-abc" });
+      // Note: no entry in clientActorPrincipals for "client-abc".
+
+      expect(() =>
+        handleHostBashResult({
+          body: bashBody(requestId),
+          headers: {
+            "x-vellum-client-id": "client-abc",
+            "x-vellum-actor-principal-id": "principal-1",
+          },
+        }),
+      ).toThrow(ForbiddenError);
+    });
+  });
+
+  // ── Untargeted-request behavior (regression for new check) ─────────
+
+  describe("untargeted request — actor principal check is skipped", () => {
+    test("accepts even when submitting actor is absent and no target client is set", async () => {
+      const requestId = "req-untargeted-no-actor";
+      registerPending(requestId);
+
       const result = await handleHostBashResult({
         body: bashBody(requestId),
-        headers: { "x-vellum-client-id": "  client-abc  " },
+        headers: {},
       });
 
       expect(result).toEqual({ accepted: true });
+      expect(resolveSpy).toHaveLength(1);
+      expect(resolvedIds).toContain(requestId);
     });
   });
 
@@ -175,9 +340,9 @@ describe("handleHostBashResult", () => {
       const requestId = "req-targeted-no-header";
       registerPending(requestId, { targetClientId: "client-abc" });
 
-      expect(() =>
-        handleHostBashResult({ body: bashBody(requestId) }),
-      ).toThrow(BadRequestError);
+      expect(() => handleHostBashResult({ body: bashBody(requestId) })).toThrow(
+        BadRequestError,
+      );
     });
 
     test("throws BadRequestError (400) when header is empty string", () => {
@@ -267,9 +432,9 @@ describe("handleHostBashResult", () => {
   });
 
   test("throws BadRequestError when requestId is missing", () => {
-    expect(() =>
-      handleHostBashResult({ body: { stdout: "x" } }),
-    ).toThrow(BadRequestError);
+    expect(() => handleHostBashResult({ body: { stdout: "x" } })).toThrow(
+      BadRequestError,
+    );
   });
 
   test("throws NotFoundError for unknown requestId", () => {
@@ -287,8 +452,8 @@ describe("handleHostBashResult", () => {
       kind: "confirmation",
     });
 
-    expect(() =>
-      handleHostBashResult({ body: bashBody(requestId) }),
-    ).toThrow(ConflictError);
+    expect(() => handleHostBashResult({ body: bashBody(requestId) })).toThrow(
+      ConflictError,
+    );
   });
 });