@vellumai/cli 0.8.6 → 0.8.7-dev.202606052118.34cd356

package/src/__tests__/client-token.test.ts

@@ -0,0 +1,87 @@
+/**
+ * Tests for `vellum client --token <jwt> --url <gateway>`: an ephemeral session
+ * that authenticates with a handed-over token and needs no lockfile entry.
+ */
+import {
+  afterAll,
+  afterEach,
+  beforeEach,
+  describe,
+  expect,
+  test,
+} from "bun:test";
+import { mkdtempSync, rmSync } from "node:fs";
+import { tmpdir } from "node:os";
+import { join } from "node:path";
+
+// NB: do NOT mock.module("../lib/guardian-token.js") here — that mock is
+// process-global in Bun and leaks into other test files (it dropped the
+// module's other exports and broke guardian-token-paths / setup suites in CI).
+// The "--token skips the credential lookup" behavior is enforced structurally
+// in parseArgs (the lookup is gated on the override) and reviewed there.
+
+// An EMPTY temp dir so there is no lockfile entry — the ephemeral path must
+// work without one. Env mutation is scoped to each test and restored after, so
+// it can't leak into other test files in the same Bun run.
+const testDir = mkdtempSync(join(tmpdir(), "client-token-test-"));
+const ORIGINAL_LOCKFILE_DIR = process.env.VELLUM_LOCKFILE_DIR;
+const ORIGINAL_ARGV = [...process.argv];
+
+import { parseArgs } from "../commands/client.js";
+
+// A clearly non-local URL so maybeSwapToLocalhost won't rewrite it to 127.0.0.1.
+const REMOTE_URL = "http://192.0.2.50:7830";
+
+describe("client --token (ephemeral)", () => {
+  beforeEach(() => {
+    process.env.VELLUM_LOCKFILE_DIR = testDir;
+  });
+
+  afterEach(() => {
+    process.argv = [...ORIGINAL_ARGV];
+    if (ORIGINAL_LOCKFILE_DIR === undefined) {
+      delete process.env.VELLUM_LOCKFILE_DIR;
+    } else {
+      process.env.VELLUM_LOCKFILE_DIR = ORIGINAL_LOCKFILE_DIR;
+    }
+  });
+
+  afterAll(() => {
+    rmSync(testDir, { recursive: true, force: true });
+  });
+
+  test("--url + --token resolves to a bearer session with no lockfile entry", () => {
+    process.argv = [
+      "bun",
+      "vellum",
+      "client",
+      "--url",
+      REMOTE_URL,
+      "--token",
+      "test-jwt-token",
+    ];
+    const parsed = parseArgs();
+
+    expect(parsed.runtimeUrl).toBe(REMOTE_URL);
+    expect(parsed.assistantId).toBe("self"); // DAEMON_INTERNAL_ASSISTANT_ID
+    expect(parsed.bearerToken).toBe("test-jwt-token");
+    expect(parsed.platformToken).toBeUndefined();
+  });
+
+  test("--assistant-id overrides the default 'self' segment", () => {
+    process.argv = [
+      "bun",
+      "vellum",
+      "client",
+      "--url",
+      REMOTE_URL,
+      "--token",
+      "tok",
+      "--assistant-id",
+      "remote-xyz",
+    ];
+    const parsed = parseArgs();
+    expect(parsed.assistantId).toBe("remote-xyz");
+    expect(parsed.bearerToken).toBe("tok");
+  });
+});

package/src/__tests__/client-tui-refresh.test.ts

@@ -0,0 +1,170 @@
+/**
+ * Tests for resolveFreshBearerToken: the `vellum client` TUI proactively
+ * refreshes a stale STORED guardian token at startup, while leaving platform
+ * session auth, ephemeral --token overrides, and still-fresh tokens untouched.
+ */
+import { afterEach, beforeEach, describe, expect, test } from "bun:test";
+import { mkdtempSync, rmSync } from "node:fs";
+import { tmpdir } from "node:os";
+import { join } from "node:path";
+
+const ORIGINAL_XDG = process.env.XDG_CONFIG_HOME;
+const ORIGINAL_ENV = process.env.VELLUM_ENVIRONMENT;
+const ORIGINAL_FETCH = globalThis.fetch;
+
+import { resolveFreshBearerToken } from "../commands/client.js";
+import { saveGuardianToken } from "../lib/guardian-token.js";
+
+const RUNTIME = "http://10.0.0.9:7830";
+const past = () => new Date(Date.now() - 60_000).toISOString();
+const future = () => new Date(Date.now() + 60 * 60 * 1000).toISOString();
+
+function seed(opts: {
+  accessToken: string;
+  refreshToken: string;
+  refreshAfter: string;
+}): void {
+  saveGuardianToken("px", {
+    guardianPrincipalId: "imported",
+    accessToken: opts.accessToken,
+    accessTokenExpiresAt: future(),
+    refreshToken: opts.refreshToken,
+    refreshTokenExpiresAt: future(),
+    refreshAfter: opts.refreshAfter,
+    isNew: false,
+    deviceId: "dev",
+    leasedAt: new Date().toISOString(),
+  });
+}
+
+/** Stub global fetch; returns whether the refresh endpoint was hit. */
+function stubRefresh(ok: boolean): { hit: () => boolean } {
+  let called = false;
+  globalThis.fetch = (async (url: unknown, _init?: RequestInit) => {
+    if (String(url).includes("/v1/guardian/refresh")) {
+      called = true;
+      return new Response(
+        ok ? JSON.stringify({ accessToken: "new-acc" }) : "nope",
+        {
+          status: ok ? 200 : 401,
+          headers: { "content-type": "application/json" },
+        },
+      );
+    }
+    return new Response("", { status: 200 });
+  }) as typeof fetch;
+  return { hit: () => called };
+}
+
+describe("resolveFreshBearerToken", () => {
+  let tempHome: string;
+
+  beforeEach(() => {
+    tempHome = mkdtempSync(join(tmpdir(), "client-tui-refresh-test-"));
+    process.env.XDG_CONFIG_HOME = tempHome;
+    delete process.env.VELLUM_ENVIRONMENT; // prod config dir
+  });
+
+  afterEach(() => {
+    globalThis.fetch = ORIGINAL_FETCH;
+    if (ORIGINAL_XDG === undefined) delete process.env.XDG_CONFIG_HOME;
+    else process.env.XDG_CONFIG_HOME = ORIGINAL_XDG;
+    if (ORIGINAL_ENV === undefined) delete process.env.VELLUM_ENVIRONMENT;
+    else process.env.VELLUM_ENVIRONMENT = ORIGINAL_ENV;
+    rmSync(tempHome, { recursive: true, force: true });
+  });
+
+  test("refreshes a stale stored token and returns the new access token", async () => {
+    seed({ accessToken: "old-acc", refreshToken: "ref", refreshAfter: past() });
+    const refresh = stubRefresh(true);
+
+    const token = await resolveFreshBearerToken(
+      RUNTIME,
+      "px",
+      "old-acc",
+      "paired",
+    );
+
+    expect(token).toBe("new-acc");
+    expect(refresh.hit()).toBe(true);
+  });
+
+  test("leaves a still-fresh stored token unchanged (no refresh)", async () => {
+    seed({
+      accessToken: "old-acc",
+      refreshToken: "ref",
+      refreshAfter: future(),
+    });
+    const refresh = stubRefresh(true);
+
+    const token = await resolveFreshBearerToken(
+      RUNTIME,
+      "px",
+      "old-acc",
+      "paired",
+    );
+
+    expect(token).toBe("old-acc");
+    expect(refresh.hit()).toBe(false);
+  });
+
+  test("does not refresh an ephemeral --token (mismatches the store)", async () => {
+    seed({ accessToken: "old-acc", refreshToken: "ref", refreshAfter: past() });
+    const refresh = stubRefresh(true);
+
+    // bearerToken differs from the stored accessToken => ephemeral override.
+    const token = await resolveFreshBearerToken(
+      RUNTIME,
+      "px",
+      "ephemeral-tok",
+      "paired",
+    );
+
+    expect(token).toBe("ephemeral-tok");
+    expect(refresh.hit()).toBe(false);
+  });
+
+  test("never refreshes on the platform session-auth path", async () => {
+    seed({ accessToken: "old-acc", refreshToken: "ref", refreshAfter: past() });
+    const refresh = stubRefresh(true);
+
+    const token = await resolveFreshBearerToken(
+      RUNTIME,
+      "px",
+      "old-acc",
+      "vellum",
+    );
+
+    expect(token).toBe("old-acc");
+    expect(refresh.hit()).toBe(false);
+  });
+
+  test("falls back to the existing token when refresh fails", async () => {
+    seed({ accessToken: "old-acc", refreshToken: "ref", refreshAfter: past() });
+    stubRefresh(false); // refresh endpoint returns non-ok
+
+    const token = await resolveFreshBearerToken(
+      RUNTIME,
+      "px",
+      "old-acc",
+      "paired",
+    );
+
+    expect(token).toBe("old-acc");
+  });
+
+  test("does not refresh an access-only stored token (no refresh credential)", async () => {
+    seed({ accessToken: "old-acc", refreshToken: "", refreshAfter: past() });
+    const refresh = stubRefresh(true);
+
+    const token = await resolveFreshBearerToken(
+      RUNTIME,
+      "px",
+      "old-acc",
+      "paired",
+    );
+
+    expect(token).toBe("old-acc");
+    expect(refresh.hit()).toBe(false);
+  });
+});

package/src/__tests__/cloudflare-tunnel.test.ts

@@ -0,0 +1,137 @@
+import { describe, expect, test } from "bun:test";
+import { EventEmitter } from "node:events";
+import type { ChildProcess } from "node:child_process";
+
+import { waitForCloudflareTunnelUrl } from "../lib/cloudflare-tunnel.js";
+
+// ── Helpers ───────────────────────────────────────────────────────────────────
+
+/**
+ * Build a minimal fake ChildProcess whose stdout and stderr are plain
+ * EventEmitters. Tests control what data is emitted and when.
+ */
+function makeChild(): {
+  child: ChildProcess;
+  stdout: EventEmitter;
+  stderr: EventEmitter;
+  emitExit: (code: number | null) => void;
+} {
+  const stdout = new EventEmitter();
+  const stderr = new EventEmitter();
+  const childEmitter = new EventEmitter();
+
+  const child = Object.assign(childEmitter, {
+    stdout,
+    stderr,
+    killed: false,
+    kill: () => false,
+    pid: 99999,
+  }) as unknown as ChildProcess;
+
+  const emitExit = (code: number | null) => childEmitter.emit("exit", code);
+
+  return { child, stdout, stderr, emitExit };
+}
+
+// ── Tests ─────────────────────────────────────────────────────────────────────
+
+describe("waitForCloudflareTunnelUrl", () => {
+  test("resolves when the URL appears on stderr", async () => {
+    const { child, stderr } = makeChild();
+    const promise = waitForCloudflareTunnelUrl(child);
+
+    stderr.emit(
+      "data",
+      Buffer.from(
+        "2024-01-01T00:00:00Z INF |  https://quick-slug-test.trycloudflare.com  |\n",
+      ),
+    );
+
+    await expect(promise).resolves.toBe(
+      "https://quick-slug-test.trycloudflare.com",
+    );
+  });
+
+  test("resolves when the URL appears on stdout", async () => {
+    const { child, stdout } = makeChild();
+    const promise = waitForCloudflareTunnelUrl(child);
+
+    stdout.emit(
+      "data",
+      Buffer.from("https://another-slug.trycloudflare.com\n"),
+    );
+
+    await expect(promise).resolves.toBe(
+      "https://another-slug.trycloudflare.com",
+    );
+  });
+
+  test("resolves with the first URL when multiple lines contain one", async () => {
+    const { child, stderr } = makeChild();
+    const promise = waitForCloudflareTunnelUrl(child);
+
+    stderr.emit(
+      "data",
+      Buffer.from(
+        "INFO https://first-slug.trycloudflare.com\nINFO https://second-slug.trycloudflare.com\n",
+      ),
+    );
+
+    await expect(promise).resolves.toBe("https://first-slug.trycloudflare.com");
+  });
+
+  test("handles a URL split across two data chunks", async () => {
+    const { child, stderr } = makeChild();
+    const promise = waitForCloudflareTunnelUrl(child);
+
+    // First chunk ends mid-line before the URL
+    stderr.emit("data", Buffer.from("INFO Visit: "));
+    // Second chunk completes the line
+    stderr.emit(
+      "data",
+      Buffer.from("https://chunked-slug.trycloudflare.com\n"),
+    );
+
+    await expect(promise).resolves.toBe(
+      "https://chunked-slug.trycloudflare.com",
+    );
+  });
+
+  test("rejects when the process exits before a URL is found", async () => {
+    const { child, emitExit } = makeChild();
+    const promise = waitForCloudflareTunnelUrl(child);
+
+    emitExit(1);
+
+    await expect(promise).rejects.toThrow("exited with code 1");
+  });
+
+  test("rejects on null exit code (killed by signal)", async () => {
+    const { child, emitExit } = makeChild();
+    const promise = waitForCloudflareTunnelUrl(child);
+
+    emitExit(null);
+
+    await expect(promise).rejects.toThrow("exited with code unknown");
+  });
+
+  test("rejects after the timeout when no URL appears", async () => {
+    const { child } = makeChild();
+    // Use a very short timeout so the test runs fast
+    const promise = waitForCloudflareTunnelUrl(child, 50);
+
+    await expect(promise).rejects.toThrow("did not appear within");
+  });
+
+  test("does not resolve for non-trycloudflare.com hostnames", async () => {
+    const { child, stderr, emitExit } = makeChild();
+    const promise = waitForCloudflareTunnelUrl(child, 50);
+
+    // Emit a line with a URL that is not a Cloudflare quick-tunnel URL
+    stderr.emit("data", Buffer.from("Connecting to https://example.com/api\n"));
+
+    // Should still time out — the fake URL does not match the pattern
+    emitExit(null);
+    await expect(promise).rejects.toThrow();
+  });
+});