@vellumai/cli 0.6.5 → 0.7.0

package/src/lib/__tests__/docker.test.ts

@@ -1,11 +1,9 @@
 import { afterEach, beforeEach, describe, test, expect } from "bun:test";
 import {
   ASSISTANT_INTERNAL_PORT,
-  DEFAULT_MEET_AVATAR_DEVICE_PATH,
+  AVATAR_DEVICE_ENV_VAR,
   dockerResourceNames,
-  MEET_AVATAR_DEVICE_ENV_VAR,
-  MEET_AVATAR_ENV_VAR,
-  resolveMeetAvatarDevicePath,
+  resolveAvatarDevicePath,
   serviceDockerRunArgs,
   type ServiceName,
 } from "../docker.js";
@@ -17,21 +15,42 @@ const imageTags: Record<ServiceName, string> = {
   gateway: "vellumai/vellum-gateway:test",
 };
 
-function buildAssistantArgs(): string[] {
+function buildAssistantArgs(
+  overrides: Partial<Parameters<typeof serviceDockerRunArgs>[0]> = {},
+): string[] {
   const res = dockerResourceNames(instanceName);
   const builders = serviceDockerRunArgs({
     gatewayPort: 7830,
     imageTags,
     instanceName,
     res,
+    ...overrides,
   });
   return builders.assistant();
 }
 
 describe("serviceDockerRunArgs — assistant", () => {
-  test("runs privileged so the inner dockerd can manage cgroups/iptables/overlayfs", () => {
+  test("grants the minimum capability set needed for DinD (SYS_ADMIN + NET_ADMIN) rather than --privileged", () => {
     const args = buildAssistantArgs();
-    expect(args).toContain("--privileged");
+    expect(args).not.toContain("--privileged");
+    // --cap-add SYS_ADMIN and --cap-add NET_ADMIN are each passed as two
+    // adjacent args: "--cap-add" followed by the capability name.
+    const sysAdminIdx = args.indexOf("SYS_ADMIN");
+    expect(sysAdminIdx).toBeGreaterThan(0);
+    expect(args[sysAdminIdx - 1]).toBe("--cap-add");
+    const netAdminIdx = args.indexOf("NET_ADMIN");
+    expect(netAdminIdx).toBeGreaterThan(0);
+    expect(args[netAdminIdx - 1]).toBe("--cap-add");
+  });
+
+  test("disables the default seccomp and AppArmor profiles so the inner dockerd can mount overlayfs and run pivot_root", () => {
+    const args = buildAssistantArgs();
+    const seccompIdx = args.indexOf("seccomp=unconfined");
+    expect(seccompIdx).toBeGreaterThan(0);
+    expect(args[seccompIdx - 1]).toBe("--security-opt");
+    const apparmorIdx = args.indexOf("apparmor=unconfined");
+    expect(apparmorIdx).toBeGreaterThan(0);
+    expect(args[apparmorIdx - 1]).toBe("--security-opt");
   });
 
   test("mounts a dedicated named volume at /var/lib/docker for the inner dockerd data store", () => {
@@ -79,90 +98,47 @@ describe("serviceDockerRunArgs — assistant", () => {
     expect(portIndex).toBeGreaterThan(0);
     expect(args[portIndex - 1]).toBe("-p");
   });
-});
-
-describe("Meet avatar device passthrough (VELLUM_MEET_AVATAR opt-in)", () => {
-  // Snapshot + restore the process env so tests can flip the env-var
-  // without leaking state to later suites or other CLI tests.
-  const originalEnv: Record<string, string | undefined> = {};
 
-  beforeEach(() => {
-    for (const key of [MEET_AVATAR_ENV_VAR, MEET_AVATAR_DEVICE_ENV_VAR]) {
-      originalEnv[key] = process.env[key];
-      delete process.env[key];
-    }
+  test("forwards GUARDIAN_BOOTSTRAP_SECRET into the assistant container when provided, so the runtime can validate the gateway's x-bootstrap-secret header and close the published-port bypass", () => {
+    const args = buildAssistantArgs({ bootstrapSecret: "super-secret-abc" });
+    expect(args).toContain("GUARDIAN_BOOTSTRAP_SECRET=super-secret-abc");
   });
 
-  afterEach(() => {
-    for (const [key, value] of Object.entries(originalEnv)) {
-      if (value === undefined) delete process.env[key];
-      else process.env[key] = value;
-    }
+  test("omits GUARDIAN_BOOTSTRAP_SECRET when no bootstrapSecret is provided (bare-metal-style caller should not inherit a stale secret)", () => {
+    const args = buildAssistantArgs();
+    expect(args.some((a) => a.startsWith("GUARDIAN_BOOTSTRAP_SECRET="))).toBe(
+      false,
+    );
   });
+});
+
+describe("VELLUM_AVATAR_DEVICE passthrough", () => {
+  const savedValue = process.env[AVATAR_DEVICE_ENV_VAR];
 
-  test("resolveMeetAvatarDevicePath returns null when the env var is unset", () => {
-    expect(resolveMeetAvatarDevicePath({})).toBeNull();
+  beforeEach(() => {
+    delete process.env[AVATAR_DEVICE_ENV_VAR];
   });
 
-  test("resolveMeetAvatarDevicePath treats 0/false/no as disabled", () => {
-    for (const value of ["", "0", "false", "FALSE", "no", " NO "]) {
-      expect(resolveMeetAvatarDevicePath({ [MEET_AVATAR_ENV_VAR]: value })).toBe(
-        null,
-      );
-    }
+  afterEach(() => {
+    if (savedValue === undefined) delete process.env[AVATAR_DEVICE_ENV_VAR];
+    else process.env[AVATAR_DEVICE_ENV_VAR] = savedValue;
   });
 
-  test("resolveMeetAvatarDevicePath returns the default device path when enabled with a truthy value", () => {
-    for (const value of ["1", "true", "YES"]) {
-      expect(resolveMeetAvatarDevicePath({ [MEET_AVATAR_ENV_VAR]: value })).toBe(
-        DEFAULT_MEET_AVATAR_DEVICE_PATH,
-      );
-    }
+  test("resolveAvatarDevicePath returns default when env var is unset", () => {
+    expect(resolveAvatarDevicePath({})).toBe("/dev/video10");
   });
 
-  test("resolveMeetAvatarDevicePath honors the VELLUM_MEET_AVATAR_DEVICE override", () => {
+  test("resolveAvatarDevicePath honors override", () => {
     expect(
-      resolveMeetAvatarDevicePath({
-        [MEET_AVATAR_ENV_VAR]: "1",
-        [MEET_AVATAR_DEVICE_ENV_VAR]: "/dev/video11",
-      }),
+      resolveAvatarDevicePath({ [AVATAR_DEVICE_ENV_VAR]: "/dev/video11" }),
     ).toBe("/dev/video11");
   });
 
-  test("assistant args omit --device and the avatar env vars when VELLUM_MEET_AVATAR is unset", () => {
+  test("assistant args omit --device and env var when device node is absent", () => {
     const args = buildAssistantArgs();
     expect(args).not.toContain("--device");
-    expect(
-      args.some((a) => a.startsWith(`${MEET_AVATAR_ENV_VAR}=`)),
-    ).toBe(false);
-    expect(
-      args.some((a) => a.startsWith(`${MEET_AVATAR_DEVICE_ENV_VAR}=`)),
-    ).toBe(false);
-  });
-
-  test("assistant args include --device=/dev/video10:/dev/video10 when VELLUM_MEET_AVATAR=1", () => {
-    process.env[MEET_AVATAR_ENV_VAR] = "1";
-    const args = buildAssistantArgs();
-    const deviceIdx = args.indexOf("--device");
-    expect(deviceIdx).toBeGreaterThan(0);
-    expect(args[deviceIdx + 1]).toBe(
-      `${DEFAULT_MEET_AVATAR_DEVICE_PATH}:${DEFAULT_MEET_AVATAR_DEVICE_PATH}`,
-    );
-    // The env var must also be propagated into the container so the daemon
-    // knows to turn on avatar passthrough when spawning the bot.
-    expect(args).toContain(`${MEET_AVATAR_ENV_VAR}=1`);
-    expect(args).toContain(
-      `${MEET_AVATAR_DEVICE_ENV_VAR}=${DEFAULT_MEET_AVATAR_DEVICE_PATH}`,
+    expect(args.some((a) => a.startsWith(`${AVATAR_DEVICE_ENV_VAR}=`))).toBe(
+      false,
     );
   });
-
-  test("assistant args honor a custom device path from VELLUM_MEET_AVATAR_DEVICE", () => {
-    process.env[MEET_AVATAR_ENV_VAR] = "1";
-    process.env[MEET_AVATAR_DEVICE_ENV_VAR] = "/dev/video11";
-    const args = buildAssistantArgs();
-    const deviceIdx = args.indexOf("--device");
-    expect(deviceIdx).toBeGreaterThan(0);
-    expect(args[deviceIdx + 1]).toBe("/dev/video11:/dev/video11");
-    expect(args).toContain(`${MEET_AVATAR_DEVICE_ENV_VAR}=/dev/video11`);
-  });
 });

package/src/lib/__tests__/job-polling.test.ts

@@ -0,0 +1,278 @@
+import { afterEach, beforeEach, describe, expect, spyOn, test } from "bun:test";
+
+import { pollJobUntilDone } from "../job-polling.js";
+import type { UnifiedJobStatus } from "../platform-client.js";
+
+describe("pollJobUntilDone", () => {
+  test("returns terminal 'complete' after N processing polls", async () => {
+    const statuses: UnifiedJobStatus[] = [
+      { jobId: "j1", type: "export", status: "processing" },
+      { jobId: "j1", type: "export", status: "processing" },
+      {
+        jobId: "j1",
+        type: "export",
+        status: "complete",
+        bundleKey: "bundles/j1.tar.gz",
+      },
+    ];
+    let i = 0;
+    const result = await pollJobUntilDone({
+      poll: async () => statuses[i++]!,
+      intervalMs: 1,
+      timeoutMs: 1_000,
+      label: "test export",
+    });
+
+    expect(result.status).toBe("complete");
+    if (result.status === "complete") {
+      expect(result.bundleKey).toBe("bundles/j1.tar.gz");
+    }
+    expect(i).toBe(3);
+  });
+
+  test("propagates terminal 'failed' status to caller without throwing", async () => {
+    const result = await pollJobUntilDone({
+      poll: async () => ({
+        jobId: "j2",
+        type: "import",
+        status: "failed",
+        error: "bad bundle",
+      }),
+      intervalMs: 1,
+      timeoutMs: 1_000,
+      label: "test import",
+    });
+
+    expect(result.status).toBe("failed");
+    if (result.status === "failed") {
+      expect(result.error).toBe("bad bundle");
+    }
+  });
+
+  test("throws with label when polling exceeds timeoutMs", async () => {
+    let calls = 0;
+    await expect(
+      pollJobUntilDone({
+        poll: async () => {
+          calls += 1;
+          return { jobId: "j3", type: "export", status: "processing" };
+        },
+        intervalMs: 20,
+        timeoutMs: 10,
+        label: "slow export",
+      }),
+    ).rejects.toThrow(/slow export/);
+
+    // The loop does one poll before checking the deadline, so calls ≥ 1.
+    expect(calls).toBeGreaterThanOrEqual(1);
+  });
+
+  test("uses defaults when intervalMs/timeoutMs are omitted (fast path)", async () => {
+    // Fast path: first poll is already terminal so neither default matters.
+    const result = await pollJobUntilDone({
+      poll: async () => ({ jobId: "j4", type: "export", status: "complete" }),
+      label: "defaults test",
+    });
+    expect(result.status).toBe("complete");
+  });
+
+  describe("transient-error retry", () => {
+    let warnSpy: ReturnType<typeof spyOn>;
+
+    beforeEach(() => {
+      warnSpy = spyOn(console, "warn").mockImplementation(() => {});
+    });
+
+    afterEach(() => {
+      warnSpy.mockRestore();
+    });
+
+    test("retries N-1 transient errors then returns terminal status", async () => {
+      const maxTransientErrors = 3;
+      let calls = 0;
+      const result = await pollJobUntilDone({
+        label: "flaky export",
+        intervalMs: 1,
+        timeoutMs: 1_000,
+        maxTransientErrors,
+        poll: async () => {
+          calls += 1;
+          if (calls < maxTransientErrors) {
+            throw new Error(
+              `Local job status check failed: 503 Service Unavailable`,
+            );
+          }
+          return {
+            jobId: "j5",
+            type: "export",
+            status: "complete",
+          } as UnifiedJobStatus;
+        },
+      });
+      expect(result.status).toBe("complete");
+      expect(calls).toBe(maxTransientErrors);
+      // One warning per retried transient error (first two attempts).
+      expect(warnSpy).toHaveBeenCalledTimes(maxTransientErrors - 1);
+    });
+
+    test("propagates the last error once maxTransientErrors is exceeded", async () => {
+      const maxTransientErrors = 2;
+      let calls = 0;
+      await expect(
+        pollJobUntilDone({
+          label: "always broken",
+          intervalMs: 1,
+          timeoutMs: 1_000,
+          maxTransientErrors,
+          poll: async () => {
+            calls += 1;
+            throw new Error(`Local job status check failed: 502 Bad Gateway`);
+          },
+        }),
+      ).rejects.toThrow(/502 Bad Gateway/);
+      // Helper makes `maxTransientErrors + 1` attempts before giving up: the
+      // first attempt plus N retries, counted against the budget.
+      expect(calls).toBe(maxTransientErrors + 1);
+    });
+
+    test("permanent 4xx errors (except 429) propagate immediately", async () => {
+      let calls = 0;
+      await expect(
+        pollJobUntilDone({
+          label: "auth broken",
+          intervalMs: 1,
+          timeoutMs: 1_000,
+          maxTransientErrors: 5,
+          poll: async () => {
+            calls += 1;
+            throw new Error(`Local job status check failed: 403 Forbidden`);
+          },
+        }),
+      ).rejects.toThrow(/403 Forbidden/);
+      expect(calls).toBe(1);
+      expect(warnSpy).not.toHaveBeenCalled();
+    });
+
+    test("429 rate-limit is retried as transient", async () => {
+      let calls = 0;
+      const result = await pollJobUntilDone({
+        label: "rate limited",
+        intervalMs: 1,
+        timeoutMs: 1_000,
+        maxTransientErrors: 3,
+        poll: async () => {
+          calls += 1;
+          if (calls === 1) {
+            throw new Error(`Local job status check failed: 429 Too Many`);
+          }
+          return {
+            jobId: "j6",
+            type: "export",
+            status: "complete",
+          } as UnifiedJobStatus;
+        },
+      });
+      expect(result.status).toBe("complete");
+      expect(calls).toBe(2);
+    });
+
+    test("refreshOn401 is invoked on 401 and polling continues after refresh", async () => {
+      let calls = 0;
+      let refreshes = 0;
+      const result = await pollJobUntilDone({
+        label: "expiring auth",
+        intervalMs: 1,
+        timeoutMs: 1_000,
+        maxTransientErrors: 0,
+        refreshOn401: async () => {
+          refreshes += 1;
+        },
+        poll: async () => {
+          calls += 1;
+          if (calls === 1) {
+            throw new Error("Local job status check failed: 401 Unauthorized");
+          }
+          return {
+            jobId: "j401",
+            type: "export",
+            status: "complete",
+          } as UnifiedJobStatus;
+        },
+      });
+      expect(result.status).toBe("complete");
+      expect(refreshes).toBe(1);
+      expect(calls).toBe(2);
+      // The 401 branch logs its own distinct warning (not the generic
+      // "polling failed, retrying" one) so operators can distinguish an
+      // auth refresh from a transient-error retry in the output.
+      expect(warnSpy).toHaveBeenCalledWith(
+        expect.stringContaining("refreshing auth"),
+      );
+    });
+
+    test("propagates 401 once maxAuthRefreshes is exceeded", async () => {
+      const maxAuthRefreshes = 2;
+      let calls = 0;
+      let refreshes = 0;
+      await expect(
+        pollJobUntilDone({
+          label: "persistently unauthorized",
+          intervalMs: 1,
+          timeoutMs: 1_000,
+          maxAuthRefreshes,
+          refreshOn401: async () => {
+            refreshes += 1;
+          },
+          poll: async () => {
+            calls += 1;
+            throw new Error("Local job status check failed: 401 Unauthorized");
+          },
+        }),
+      ).rejects.toThrow(/401 Unauthorized/);
+      // Helper allows `maxAuthRefreshes` successful refresh-and-retry cycles
+      // (each counted against the budget after the poll fails), plus one
+      // final attempt on the refreshed token that exceeds the budget.
+      expect(calls).toBe(maxAuthRefreshes + 1);
+      expect(refreshes).toBe(maxAuthRefreshes);
+    });
+
+    test("without refreshOn401, 401 still propagates as a permanent 4xx", async () => {
+      let calls = 0;
+      await expect(
+        pollJobUntilDone({
+          label: "no refresh hook",
+          intervalMs: 1,
+          timeoutMs: 1_000,
+          poll: async () => {
+            calls += 1;
+            throw new Error("Local job status check failed: 401 Unauthorized");
+          },
+        }),
+      ).rejects.toThrow(/401 Unauthorized/);
+      expect(calls).toBe(1);
+    });
+
+    test("unclassified network-style errors are treated as transient", async () => {
+      let calls = 0;
+      const result = await pollJobUntilDone({
+        label: "network blip",
+        intervalMs: 1,
+        timeoutMs: 1_000,
+        maxTransientErrors: 3,
+        poll: async () => {
+          calls += 1;
+          if (calls === 1) {
+            throw new Error("fetch failed");
+          }
+          return {
+            jobId: "j7",
+            type: "export",
+            status: "complete",
+          } as UnifiedJobStatus;
+        },
+      });
+      expect(result.status).toBe("complete");
+      expect(calls).toBe(2);
+    });
+  });
+});