@vellumai/assistant 0.7.2 → 0.7.3

package/src/__tests__/host-file-proxy.test.ts

@@ -3,16 +3,36 @@ import { afterEach, describe, expect, jest, mock, test } from "bun:test";
 const sentMessages: unknown[] = [];
 let mockHasClient = false;
 
+interface MockClient {
+  clientId: string;
+  capabilities: string[];
+  actorPrincipalId?: string;
+}
+
+let mockClients: MockClient[] = [];
+
 mock.module("../runtime/assistant-event-hub.js", () => ({
   broadcastMessage: (msg: unknown) => sentMessages.push(msg),
   assistantEventHub: {
-    getMostRecentClientByCapability: (cap: string) =>
-      cap === "host_file" && mockHasClient ? { id: "mock-client" } : null,
-    listClientsByCapability: (cap: string) =>
-      cap === "host_file" && mockHasClient
+    getMostRecentClientByCapability: (cap: string) => {
+      if (mockClients.length > 0) {
+        return mockClients.find((c) => c.capabilities.includes(cap));
+      }
+      return cap === "host_file" && mockHasClient
+        ? { id: "mock-client" }
+        : null;
+    },
+    listClientsByCapability: (cap: string) => {
+      if (mockClients.length > 0) {
+        return mockClients.filter((c) => c.capabilities.includes(cap));
+      }
+      return cap === "host_file" && mockHasClient
         ? [{ clientId: "mock-client", capabilities: ["host_file"] }]
-        : [],
-    getClientById: (_id: string) => undefined,
+        : [];
+    },
+    getClientById: (id: string) => mockClients.find((c) => c.clientId === id),
+    getActorPrincipalIdForClient: (id: string) =>
+      mockClients.find((c) => c.clientId === id)?.actorPrincipalId,
   },
 }));
 
@@ -32,6 +52,7 @@ describe("HostFileProxy", () => {
   function setup() {
     sentMessages.length = 0;
     mockHasClient = false;
+    mockClients = [];
     pendingInteractions.clear();
     proxy = new (HostFileProxy as any)();
   }
@@ -584,4 +605,245 @@ describe("HostFileProxy", () => {
       expect(pendingInteractions.get(requestId)).toBeUndefined();
     });
   });
+
+  describe("same-user binding (sourceActorPrincipalId)", () => {
+    test("targeted request from same user reaches pendingInteractions", async () => {
+      setup();
+      mockClients = [
+        {
+          clientId: "client-A",
+          capabilities: ["host_file"],
+          actorPrincipalId: "user-A",
+        },
+      ];
+
+      const resultPromise = proxy.request(
+        { operation: "read", path: "/tmp/test.txt" },
+        "session-1",
+        undefined,
+        "client-A",
+        "user-A",
+      );
+
+      // Request was registered (made it past the same-user gate).
+      expect(sentMessages).toHaveLength(1);
+      const sent = sentMessages[0] as Record<string, unknown>;
+      const requestId = sent.requestId as string;
+      expect(pendingInteractions.get(requestId)).toBeDefined();
+
+      // Drain to avoid leaks.
+      proxy.resolve(requestId, { content: "ok", isError: false });
+      await resultPromise;
+    });
+
+    test("targeted request from a different user is rejected", async () => {
+      setup();
+      mockClients = [
+        {
+          clientId: "client-A",
+          capabilities: ["host_file"],
+          actorPrincipalId: "user-A",
+        },
+      ];
+
+      const result = await proxy.request(
+        { operation: "read", path: "/tmp/test.txt" },
+        "session-1",
+        undefined,
+        "client-A",
+        "user-B",
+      );
+
+      expect(result.isError).toBe(true);
+      expect(result.content).toContain(
+        "Submitting actor does not match the target client's actor",
+      );
+      // No host_file_request was broadcast.
+      expect(sentMessages).toHaveLength(0);
+    });
+
+    test("targeted request to a client with no actor principal is rejected", async () => {
+      setup();
+      mockClients = [
+        {
+          clientId: "client-A",
+          capabilities: ["host_file"],
+          // actorPrincipalId omitted (legacy/service-token client).
+        },
+      ];
+
+      const result = await proxy.request(
+        { operation: "read", path: "/tmp/test.txt" },
+        "session-1",
+        undefined,
+        "client-A",
+        "user-A",
+      );
+
+      expect(result.isError).toBe(true);
+      expect(result.content).toContain(
+        "Submitting actor does not match the target client's actor",
+      );
+      expect(sentMessages).toHaveLength(0);
+    });
+
+    test("targeted request without source principal is rejected", async () => {
+      setup();
+      mockClients = [
+        {
+          clientId: "client-A",
+          capabilities: ["host_file"],
+          actorPrincipalId: "user-A",
+        },
+      ];
+
+      const result = await proxy.request(
+        { operation: "read", path: "/tmp/test.txt" },
+        "session-1",
+        undefined,
+        "client-A",
+        undefined,
+      );
+
+      expect(result.isError).toBe(true);
+      expect(result.content).toContain(
+        "Submitting actor does not match the target client's actor",
+      );
+      expect(sentMessages).toHaveLength(0);
+    });
+
+    test("untargeted request with no auto-resolve match still broadcasts (legacy path unchanged)", async () => {
+      setup();
+      // No matching same-user clients available.
+      mockClients = [
+        {
+          clientId: "client-A",
+          capabilities: ["host_file"],
+          actorPrincipalId: "user-A",
+        },
+      ];
+
+      const resultPromise = proxy.request(
+        { operation: "read", path: "/tmp/test.txt" },
+        "session-1",
+        undefined,
+        undefined,
+        "user-B", // No same-user match → no auto-resolve, broadcast untargeted.
+      );
+
+      expect(sentMessages).toHaveLength(1);
+      const sent = sentMessages[0] as Record<string, unknown>;
+      expect(sent.targetClientId).toBeUndefined();
+      const requestId = sent.requestId as string;
+
+      proxy.resolve(requestId, { content: "ok", isError: false });
+      await resultPromise;
+    });
+
+    test("auto-resolve picks the same-user client when there's exactly one", async () => {
+      setup();
+      mockClients = [
+        {
+          clientId: "client-A",
+          capabilities: ["host_file"],
+          actorPrincipalId: "user-A",
+        },
+        {
+          clientId: "client-B",
+          capabilities: ["host_file"],
+          actorPrincipalId: "user-B",
+        },
+      ];
+
+      const resultPromise = proxy.request(
+        { operation: "read", path: "/tmp/test.txt" },
+        "session-1",
+        undefined,
+        undefined,
+        "user-A",
+      );
+
+      // Auto-resolved to client-A and broadcast targeted at it.
+      expect(sentMessages).toHaveLength(1);
+      const sent = sentMessages[0] as Record<string, unknown>;
+      expect(sent.targetClientId).toBe("client-A");
+      const requestId = sent.requestId as string;
+
+      proxy.resolve(requestId, { content: "ok", isError: false });
+      await resultPromise;
+    });
+
+    test("auto-resolve falls through when no client matches the source user", async () => {
+      setup();
+      mockClients = [
+        {
+          clientId: "client-A",
+          capabilities: ["host_file"],
+          actorPrincipalId: "user-A",
+        },
+      ];
+
+      const resultPromise = proxy.request(
+        { operation: "read", path: "/tmp/test.txt" },
+        "session-1",
+        undefined,
+        undefined,
+        "user-C",
+      );
+
+      // No same-user client → no auto-resolve, broadcast untargeted.
+      expect(sentMessages).toHaveLength(1);
+      const sent = sentMessages[0] as Record<string, unknown>;
+      expect(sent.targetClientId).toBeUndefined();
+      const requestId = sent.requestId as string;
+
+      proxy.resolve(requestId, { content: "ok", isError: false });
+      await resultPromise;
+    });
+
+    test("legacy embedded targetClientId in input still goes through the same-user gate", async () => {
+      setup();
+      mockClients = [
+        {
+          clientId: "client-A",
+          capabilities: ["host_file"],
+          actorPrincipalId: "user-A",
+        },
+      ];
+
+      // Same-user via embedded input.targetClientId — should succeed.
+      const okPromise = proxy.request(
+        {
+          operation: "read",
+          path: "/tmp/ok.txt",
+          targetClientId: "client-A",
+        },
+        "session-1",
+        undefined,
+        undefined,
+        "user-A",
+      );
+      expect(sentMessages).toHaveLength(1);
+      const okRequestId = (sentMessages[0] as Record<string, unknown>)
+        .requestId as string;
+      proxy.resolve(okRequestId, { content: "ok", isError: false });
+      await okPromise;
+
+      // Cross-user via embedded input.targetClientId — should be rejected.
+      sentMessages.length = 0;
+      const rejectResult = await proxy.request(
+        {
+          operation: "read",
+          path: "/tmp/bad.txt",
+          targetClientId: "client-A",
+        },
+        "session-1",
+        undefined,
+        undefined,
+        "user-B",
+      );
+      expect(rejectResult.isError).toBe(true);
+      expect(sentMessages).toHaveLength(0);
+    });
+  });
 });

package/src/__tests__/host-file-routes-targeted.test.ts

@@ -1,11 +1,14 @@
 /**
- * Tests for the host-file-result route 403 guard introduced in Phase 2.
+ * Tests for the host-file-result route 403 guard.
  *
  * Covers:
- *  1. Targeted + correct x-vellum-client-id header → 200 accepted
- *  2. Targeted + missing header → 400 BadRequestError
- *  3. Targeted + wrong header → 403 ForbiddenError, interaction NOT consumed
+ *  1. Targeted + correct x-vellum-client-id header (and matching actor) → 200
+ *  2. Targeted + missing client-id header → 400 BadRequestError
+ *  3. Targeted + wrong client-id header → 403 ForbiddenError, interaction NOT consumed
  *  4. Untargeted (no targetClientId, no header) → 200 accepted (regression)
+ *  5. Targeted + matching client-id but mismatched actor principal → 403, NOT consumed
+ *  6. Targeted + matching client-id but missing actor principal header → 403, NOT consumed
+ *  7. Targeted + matching client-id but target client has no stored actor → 403, NOT consumed
  */
 import { afterAll, beforeEach, describe, expect, mock, test } from "bun:test";
 
@@ -61,12 +64,20 @@ mock.module("../daemon/host-file-proxy.js", () => ({
   },
 }));
 
+// Stub event hub so tests control what actorPrincipalId is associated with
+// each connected client.
+const clientActors = new Map<string, string>();
+
+mock.module("../runtime/assistant-event-hub.js", () => ({
+  assistantEventHub: {
+    getActorPrincipalIdForClient: (clientId: string) =>
+      clientActors.get(clientId),
+  },
+}));
+
 // ── Real imports (after mocks) ──────────────────────────────────────────────
 
-import {
-  BadRequestError,
-  ForbiddenError,
-} from "../runtime/routes/errors.js";
+import { BadRequestError, ForbiddenError } from "../runtime/routes/errors.js";
 import { ROUTES } from "../runtime/routes/host-file-routes.js";
 
 afterAll(() => {
@@ -83,10 +94,16 @@ function registerPending(
   requestId: string,
   overrides: Partial<PendingInteraction> = {},
 ): void {
+  const targetActorPrincipalId =
+    overrides.targetActorPrincipalId ??
+    (overrides.targetClientId
+      ? clientActors.get(overrides.targetClientId)
+      : undefined);
   pendingStore.set(requestId, {
     conversationId: "conv-1",
     kind: "host_file",
     ...overrides,
+    targetActorPrincipalId,
   });
 }
 
@@ -100,23 +117,28 @@ function fileBody(requestId: string): Record<string, unknown> {
 
 // ── Tests ────────────────────────────────────────────────────────────────────
 
-describe("handleHostFileResult — Phase 2 targetClientId guard", () => {
+describe("handleHostFileResult — targetClientId guard", () => {
   beforeEach(() => {
     pendingStore.clear();
     resolvedIds.length = 0;
     resolveSpy.length = 0;
+    clientActors.clear();
   });
 
-  // ── 1. Targeted + correct header → 200 ────────────────────────────────────
+  // ── 1. Targeted + correct headers (client + actor) → 200 ──────────────────
 
   describe("targeted + correct x-vellum-client-id header", () => {
     test("returns { accepted: true } and resolves the interaction", async () => {
       const requestId = "req-file-targeted-match";
+      clientActors.set("client-A", "actor-1");
       registerPending(requestId, { targetClientId: "client-A" });
 
       const result = await handleHostFileResult({
         body: fileBody(requestId),
-        headers: { "x-vellum-client-id": "client-A" },
+        headers: {
+          "x-vellum-client-id": "client-A",
+          "x-vellum-actor-principal-id": "actor-1",
+        },
       });
 
       expect(result).toEqual({ accepted: true });
@@ -127,27 +149,31 @@ describe("handleHostFileResult — Phase 2 targetClientId guard", () => {
 
     test("trims whitespace from header before comparing", async () => {
       const requestId = "req-file-targeted-trim";
+      clientActors.set("client-A", "actor-1");
       registerPending(requestId, { targetClientId: "client-A" });
 
       const result = await handleHostFileResult({
         body: fileBody(requestId),
-        headers: { "x-vellum-client-id": "  client-A  " },
+        headers: {
+          "x-vellum-client-id": "  client-A  ",
+          "x-vellum-actor-principal-id": "  actor-1  ",
+        },
       });
 
       expect(result).toEqual({ accepted: true });
     });
   });
 
-  // ── 2. Targeted + missing header → 400 ────────────────────────────────────
+  // ── 2. Targeted + missing client-id header → 400 ──────────────────────────
 
   describe("targeted + missing x-vellum-client-id header", () => {
     test("throws BadRequestError (400) when header is absent", () => {
       const requestId = "req-file-targeted-no-header";
       registerPending(requestId, { targetClientId: "client-A" });
 
-      expect(() =>
-        handleHostFileResult({ body: fileBody(requestId) }),
-      ).toThrow(BadRequestError);
+      expect(() => handleHostFileResult({ body: fileBody(requestId) })).toThrow(
+        BadRequestError,
+      );
     });
 
     test("throws BadRequestError (400) when header is empty string", () => {
@@ -177,7 +203,7 @@ describe("handleHostFileResult — Phase 2 targetClientId guard", () => {
     });
   });
 
-  // ── 3. Targeted + wrong header → 403 ──────────────────────────────────────
+  // ── 3. Targeted + wrong client-id header → 403 ────────────────────────────
 
   describe("targeted + wrong x-vellum-client-id header", () => {
     test("throws ForbiddenError (403) when client ID does not match", () => {
@@ -259,4 +285,136 @@ describe("handleHostFileResult — Phase 2 targetClientId guard", () => {
       expect(resolveSpy).toHaveLength(1);
     });
   });
+
+  // ── 5. Targeted + matching client but mismatched actor → 403 ──────────────
+
+  describe("targeted + actor principal mismatch", () => {
+    test("throws ForbiddenError (403) when submitting actor does not match target client's actor", () => {
+      const requestId = "req-file-actor-mismatch";
+      clientActors.set("client-A", "actor-1");
+      registerPending(requestId, { targetClientId: "client-A" });
+
+      expect(() =>
+        handleHostFileResult({
+          body: fileBody(requestId),
+          headers: {
+            "x-vellum-client-id": "client-A",
+            "x-vellum-actor-principal-id": "actor-2",
+          },
+        }),
+      ).toThrow(ForbiddenError);
+    });
+
+    test("interaction is NOT consumed on actor-mismatch 403", () => {
+      const requestId = "req-file-actor-mismatch-stays";
+      clientActors.set("client-A", "actor-1");
+      registerPending(requestId, { targetClientId: "client-A" });
+
+      try {
+        handleHostFileResult({
+          body: fileBody(requestId),
+          headers: {
+            "x-vellum-client-id": "client-A",
+            "x-vellum-actor-principal-id": "actor-2",
+          },
+        });
+      } catch {
+        // expected
+      }
+
+      expect(resolvedIds).not.toContain(requestId);
+      expect(pendingStore.has(requestId)).toBe(true);
+    });
+  });
+
+  // ── 6. Targeted + matching client but missing actor header → 403 ──────────
+
+  describe("targeted + missing x-vellum-actor-principal-id header", () => {
+    test("throws ForbiddenError (403) when submitting actor header is absent", () => {
+      const requestId = "req-file-actor-missing";
+      clientActors.set("client-A", "actor-1");
+      registerPending(requestId, { targetClientId: "client-A" });
+
+      expect(() =>
+        handleHostFileResult({
+          body: fileBody(requestId),
+          headers: { "x-vellum-client-id": "client-A" },
+        }),
+      ).toThrow(ForbiddenError);
+    });
+
+    test("throws ForbiddenError (403) when submitting actor header is empty string", () => {
+      const requestId = "req-file-actor-empty";
+      clientActors.set("client-A", "actor-1");
+      registerPending(requestId, { targetClientId: "client-A" });
+
+      expect(() =>
+        handleHostFileResult({
+          body: fileBody(requestId),
+          headers: {
+            "x-vellum-client-id": "client-A",
+            "x-vellum-actor-principal-id": "   ",
+          },
+        }),
+      ).toThrow(ForbiddenError);
+    });
+
+    test("interaction is NOT consumed when submitting actor is missing", () => {
+      const requestId = "req-file-actor-missing-stays";
+      clientActors.set("client-A", "actor-1");
+      registerPending(requestId, { targetClientId: "client-A" });
+
+      try {
+        handleHostFileResult({
+          body: fileBody(requestId),
+          headers: { "x-vellum-client-id": "client-A" },
+        });
+      } catch {
+        // expected
+      }
+
+      expect(resolvedIds).not.toContain(requestId);
+      expect(pendingStore.has(requestId)).toBe(true);
+    });
+  });
+
+  // ── 7. Targeted + target client has no stored actor → 403 ─────────────────
+
+  describe("targeted + target client has no stored actor", () => {
+    test("throws ForbiddenError (403) when target client has no actorPrincipalId on record", () => {
+      const requestId = "req-file-target-no-actor";
+      registerPending(requestId, { targetClientId: "client-A" });
+      // intentionally do not set clientActors entry for client-A
+
+      expect(() =>
+        handleHostFileResult({
+          body: fileBody(requestId),
+          headers: {
+            "x-vellum-client-id": "client-A",
+            "x-vellum-actor-principal-id": "actor-1",
+          },
+        }),
+      ).toThrow(ForbiddenError);
+    });
+
+    test("interaction is NOT consumed when target client has no stored actor", () => {
+      const requestId = "req-file-target-no-actor-stays";
+      registerPending(requestId, { targetClientId: "client-A" });
+
+      try {
+        handleHostFileResult({
+          body: fileBody(requestId),
+          headers: {
+            "x-vellum-client-id": "client-A",
+            "x-vellum-actor-principal-id": "actor-1",
+          },
+        });
+      } catch {
+        // expected
+      }
+
+      expect(resolvedIds).not.toContain(requestId);
+      expect(pendingStore.has(requestId)).toBe(true);
+    });
+  });
 });