@vellumai/vellum-gateway 0.1.7

package/src/__tests__/runtime-client.test.ts

@@ -0,0 +1,228 @@
+import { describe, test, expect, mock, afterEach } from "bun:test";
+import { forwardToRuntime, downloadAttachment } from "../runtime/client.js";
+import type { RuntimeAttachmentMeta } from "../runtime/client.js";
+import type { GatewayConfig } from "../config.js";
+
+const makeConfig = (overrides: Partial<GatewayConfig> = {}): GatewayConfig => ({
+  telegramBotToken: "tok",
+  telegramWebhookSecret: "wh-ver",
+  telegramApiBaseUrl: "https://api.telegram.org",
+  assistantRuntimeBaseUrl: "http://localhost:7821",
+  routingEntries: [],
+  defaultAssistantId: undefined,
+  unmappedPolicy: "reject",
+  port: 7830,
+  runtimeBearerToken: undefined,
+  runtimeProxyEnabled: false,
+  runtimeProxyRequireAuth: true,
+  runtimeProxyBearerToken: undefined,
+  shutdownDrainMs: 5000,
+  runtimeTimeoutMs: 30000,
+  runtimeMaxRetries: 2,
+  runtimeInitialBackoffMs: 500,
+  telegramInitialBackoffMs: 1000,
+  telegramMaxRetries: 3,
+  telegramTimeoutMs: 15000,
+  maxWebhookPayloadBytes: 1048576,
+  logFile: { dir: undefined, retentionDays: 30 },
+  maxAttachmentBytes: 20971520,
+  maxAttachmentConcurrency: 3,
+  ...overrides,
+});
+
+const payload = {
+  sourceChannel: "telegram",
+  externalChatId: "99001",
+  externalMessageId: "123",
+  content: "Hello",
+  senderName: "Test User",
+};
+
+const testAttachment: RuntimeAttachmentMeta = {
+  id: "att-1",
+  filename: "chart.png",
+  mimeType: "image/png",
+  sizeBytes: 1024,
+  kind: "generated_image",
+};
+
+const successBody = {
+  accepted: true,
+  duplicate: false,
+  eventId: "evt-1",
+  assistantMessage: {
+    id: "msg-1",
+    role: "assistant" as const,
+    content: "Hi there!",
+    timestamp: new Date().toISOString(),
+    attachments: [testAttachment],
+  },
+};
+
+function mockFetch(fn: () => Promise<Response>) {
+  const m = mock(fn);
+  Object.assign(m, { preconnect: () => {} });
+  globalThis.fetch = m as unknown as typeof fetch;
+  return m;
+}
+
+describe("forwardToRuntime", () => {
+  const originalFetch = globalThis.fetch;
+
+  afterEach(() => {
+    globalThis.fetch = originalFetch;
+  });
+
+  test("successful forward returns runtime response", async () => {
+    mockFetch(() =>
+      Promise.resolve(
+        new Response(JSON.stringify(successBody), { status: 200 }),
+      ),
+    );
+
+    const config = makeConfig();
+    const result = await forwardToRuntime(config, "assistant-a", payload);
+    expect(result.accepted).toBe(true);
+    expect(result.eventId).toBe("evt-1");
+    expect(result.assistantMessage?.content).toBe("Hi there!");
+  });
+
+  test("4xx error throws immediately without retry", async () => {
+    const fetchMock = mockFetch(() =>
+      Promise.resolve(new Response("Bad request", { status: 400 })),
+    );
+
+    const config = makeConfig();
+    await expect(
+      forwardToRuntime(config, "assistant-a", payload),
+    ).rejects.toThrow("Runtime returned 400");
+
+    expect(fetchMock).toHaveBeenCalledTimes(1);
+  });
+
+  test("5xx error retries and eventually succeeds", async () => {
+    let callCount = 0;
+    mockFetch(() => {
+      callCount++;
+      if (callCount <= 2) {
+        return Promise.resolve(
+          new Response("Internal error", { status: 500 }),
+        );
+      }
+      return Promise.resolve(
+        new Response(JSON.stringify(successBody), { status: 200 }),
+      );
+    });
+
+    const config = makeConfig();
+    const result = await forwardToRuntime(config, "assistant-a", payload);
+    expect(result.accepted).toBe(true);
+    expect(callCount).toBe(3);
+  });
+
+  test("5xx error exhausts retries and throws", async () => {
+    mockFetch(() =>
+      Promise.resolve(new Response("Server error", { status: 500 })),
+    );
+
+    const config = makeConfig();
+    await expect(
+      forwardToRuntime(config, "assistant-a", payload),
+    ).rejects.toThrow("Runtime returned 500");
+  });
+
+  test("response includes typed attachment metadata", async () => {
+    mockFetch(() =>
+      Promise.resolve(
+        new Response(JSON.stringify(successBody), { status: 200 }),
+      ),
+    );
+
+    const config = makeConfig();
+    const result = await forwardToRuntime(config, "assistant-a", payload);
+    const attachments = result.assistantMessage?.attachments ?? [];
+    expect(attachments).toHaveLength(1);
+    expect(attachments[0].id).toBe("att-1");
+    expect(attachments[0].filename).toBe("chart.png");
+    expect(attachments[0].mimeType).toBe("image/png");
+    expect(attachments[0].sizeBytes).toBe(1024);
+    expect(attachments[0].kind).toBe("generated_image");
+  });
+
+  test("sends Authorization header when runtimeBearerToken is configured", async () => {
+    const fetchMock = mockFetch(() =>
+      Promise.resolve(
+        new Response(JSON.stringify(successBody), { status: 200 }),
+      ),
+    );
+
+    const config = makeConfig({ runtimeBearerToken: "my-secret-token" });
+    await forwardToRuntime(config, "assistant-a", payload);
+
+    const calledInit = (fetchMock.mock.calls[0] as unknown[])[1] as RequestInit;
+    const headers = calledInit.headers as Record<string, string>;
+    expect(headers["Authorization"]).toBe("Bearer my-secret-token");
+  });
+
+  test("omits Authorization header when runtimeBearerToken is undefined", async () => {
+    const fetchMock = mockFetch(() =>
+      Promise.resolve(
+        new Response(JSON.stringify(successBody), { status: 200 }),
+      ),
+    );
+
+    const config = makeConfig();
+    await forwardToRuntime(config, "assistant-a", payload);
+
+    const calledInit = (fetchMock.mock.calls[0] as unknown[])[1] as RequestInit;
+    const headers = calledInit.headers as Record<string, string>;
+    expect(headers["Authorization"]).toBeUndefined();
+  });
+});
+
+describe("downloadAttachment", () => {
+  const originalFetch = globalThis.fetch;
+
+  afterEach(() => {
+    globalThis.fetch = originalFetch;
+  });
+
+  test("downloads attachment payload with base64 data", async () => {
+    const attachmentPayload = {
+      id: "att-1",
+      filename: "chart.png",
+      mimeType: "image/png",
+      sizeBytes: 1024,
+      kind: "generated_image",
+      data: "iVBORw0KGgo=",
+    };
+
+    const fetchMock = mockFetch(() =>
+      Promise.resolve(
+        new Response(JSON.stringify(attachmentPayload), { status: 200 }),
+      ),
+    );
+
+    const config = makeConfig();
+    const result = await downloadAttachment(config, "assistant-a", "att-1");
+    expect(result.id).toBe("att-1");
+    expect(result.filename).toBe("chart.png");
+    expect(result.data).toBe("iVBORw0KGgo=");
+
+    const calledUrl = (fetchMock.mock.calls[0] as unknown[])[0] as string;
+    expect(calledUrl).toContain("/attachments/att-1");
+  });
+
+  test("throws on 404 not found", async () => {
+    mockFetch(() =>
+      Promise.resolve(
+        new Response('{"error":"Attachment not found"}', { status: 404 }),
+      ),
+    );
+
+    const config = makeConfig();
+    await expect(
+      downloadAttachment(config, "assistant-a", "nonexistent"),
+    ).rejects.toThrow("Attachment download failed (404)");
+  });
+});

package/src/__tests__/runtime-proxy-auth.test.ts

@@ -0,0 +1,127 @@
+import { describe, test, expect, mock, afterEach } from "bun:test";
+import { createRuntimeProxyHandler } from "../http/routes/runtime-proxy.js";
+import type { GatewayConfig } from "../config.js";
+
+const TOKEN = "test-secret-token";
+
+function makeConfig(overrides: Partial<GatewayConfig> = {}): GatewayConfig {
+  return {
+    telegramBotToken: "tok",
+    telegramWebhookSecret: "wh-ver",
+    telegramApiBaseUrl: "https://api.telegram.org",
+    assistantRuntimeBaseUrl: "http://localhost:7821",
+    routingEntries: [],
+    defaultAssistantId: undefined,
+    unmappedPolicy: "reject",
+    port: 7830,
+    runtimeBearerToken: undefined,
+    runtimeProxyEnabled: true,
+    runtimeProxyRequireAuth: true,
+    runtimeProxyBearerToken: TOKEN,
+    shutdownDrainMs: 5000,
+    runtimeTimeoutMs: 30000,
+    runtimeMaxRetries: 2,
+    runtimeInitialBackoffMs: 500,
+    telegramInitialBackoffMs: 1000,
+    telegramMaxRetries: 3,
+    telegramTimeoutMs: 15000,
+    maxWebhookPayloadBytes: 1048576,
+    logFile: { dir: undefined, retentionDays: 30 },
+    maxAttachmentBytes: 20971520,
+    maxAttachmentConcurrency: 3,
+    ...overrides,
+  };
+}
+
+const originalFetch = globalThis.fetch;
+
+afterEach(() => {
+  globalThis.fetch = originalFetch;
+});
+
+function mockUpstream() {
+  globalThis.fetch = mock(async () => {
+    return new Response(JSON.stringify({ ok: true }), {
+      status: 200,
+      headers: { "content-type": "application/json" },
+    });
+  }) as any;
+}
+
+describe("runtime proxy auth enforcement", () => {
+  test("auth required: rejects missing token with 401", async () => {
+    mockUpstream();
+    const handler = createRuntimeProxyHandler(makeConfig());
+    const req = new Request("http://localhost:7830/v1/health");
+    const res = await handler(req);
+
+    expect(res.status).toBe(401);
+    const body = await res.json();
+    expect(body.error).toBe("Unauthorized");
+  });
+
+  test("auth required: rejects invalid token with 401", async () => {
+    mockUpstream();
+    const handler = createRuntimeProxyHandler(makeConfig());
+    const req = new Request("http://localhost:7830/v1/health", {
+      headers: { authorization: "Bearer wrong-token" },
+    });
+    const res = await handler(req);
+
+    expect(res.status).toBe(401);
+  });
+
+  test("auth required: accepts valid token and proxies", async () => {
+    mockUpstream();
+    const handler = createRuntimeProxyHandler(makeConfig());
+    const req = new Request("http://localhost:7830/v1/health", {
+      headers: { authorization: `Bearer ${TOKEN}` },
+    });
+    const res = await handler(req);
+
+    expect(res.status).toBe(200);
+    const body = await res.json();
+    expect(body.ok).toBe(true);
+  });
+
+  test("auth required: replaces client authorization with configured bearer token for upstream", async () => {
+    let capturedHeaders: Headers | undefined;
+    globalThis.fetch = mock(async (_input: any, init?: any) => {
+      capturedHeaders = init?.headers;
+      return new Response(JSON.stringify({ ok: true }), {
+        status: 200,
+        headers: { "content-type": "application/json" },
+      });
+    }) as any;
+
+    const handler = createRuntimeProxyHandler(makeConfig());
+    const req = new Request("http://localhost:7830/v1/health", {
+      headers: { authorization: `Bearer ${TOKEN}` },
+    });
+    await handler(req);
+
+    expect(capturedHeaders!.get("authorization")).toBe(`Bearer ${TOKEN}`);
+  });
+
+  test("auth not required: proxies without token", async () => {
+    mockUpstream();
+    const handler = createRuntimeProxyHandler(
+      makeConfig({ runtimeProxyRequireAuth: false, runtimeProxyBearerToken: undefined }),
+    );
+    const req = new Request("http://localhost:7830/v1/health");
+    const res = await handler(req);
+
+    expect(res.status).toBe(200);
+  });
+
+  test("OPTIONS request bypasses auth", async () => {
+    mockUpstream();
+    const handler = createRuntimeProxyHandler(makeConfig());
+    const req = new Request("http://localhost:7830/v1/health", {
+      method: "OPTIONS",
+    });
+    const res = await handler(req);
+
+    expect(res.status).toBe(200);
+  });
+});

package/src/__tests__/runtime-proxy.test.ts

@@ -0,0 +1,262 @@
+import { describe, test, expect, mock, afterEach } from "bun:test";
+import { createRuntimeProxyHandler } from "../http/routes/runtime-proxy.js";
+import type { GatewayConfig } from "../config.js";
+
+function makeConfig(overrides: Partial<GatewayConfig> = {}): GatewayConfig {
+  return {
+    telegramBotToken: "tok",
+    telegramWebhookSecret: "wh-ver",
+    telegramApiBaseUrl: "https://api.telegram.org",
+    assistantRuntimeBaseUrl: "http://localhost:7821",
+    routingEntries: [],
+    defaultAssistantId: undefined,
+    unmappedPolicy: "reject",
+    port: 7830,
+    runtimeBearerToken: undefined,
+    runtimeProxyEnabled: true,
+    runtimeProxyRequireAuth: false,
+    runtimeProxyBearerToken: undefined,
+    shutdownDrainMs: 5000,
+    runtimeTimeoutMs: 30000,
+    runtimeMaxRetries: 2,
+    runtimeInitialBackoffMs: 500,
+    telegramInitialBackoffMs: 1000,
+    telegramMaxRetries: 3,
+    telegramTimeoutMs: 15000,
+    maxWebhookPayloadBytes: 1048576,
+    logFile: { dir: undefined, retentionDays: 30 },
+    maxAttachmentBytes: 20971520,
+    maxAttachmentConcurrency: 3,
+    ...overrides,
+  };
+}
+
+const originalFetch = globalThis.fetch;
+
+afterEach(() => {
+  globalThis.fetch = originalFetch;
+});
+
+describe("runtime proxy handler", () => {
+  test("forwards request to upstream with correct path and query", async () => {
+    const captured: { url: string; method: string }[] = [];
+    globalThis.fetch = mock(async (input: any, init?: any) => {
+      captured.push({ url: String(input), method: init?.method ?? "GET" });
+      return new Response(JSON.stringify({ ok: true }), {
+        status: 200,
+        headers: { "content-type": "application/json" },
+      });
+    }) as any;
+
+    const handler = createRuntimeProxyHandler(makeConfig());
+    const req = new Request("http://localhost:7830/v1/assistants/test/health?foo=bar");
+    const res = await handler(req);
+
+    expect(res.status).toBe(200);
+    expect(captured[0].url).toBe("http://localhost:7821/v1/assistants/test/health?foo=bar");
+    expect(captured[0].method).toBe("GET");
+    const body = await res.json();
+    expect(body).toEqual({ ok: true });
+  });
+
+  test("forwards POST body to upstream", async () => {
+    let capturedBody = "";
+    globalThis.fetch = mock(async (_input: any, init?: any) => {
+      if (init?.body) {
+        const reader = init.body.getReader();
+        const chunks: Uint8Array[] = [];
+        while (true) {
+          const { done, value } = await reader.read();
+          if (done) break;
+          chunks.push(value);
+        }
+        capturedBody = new TextDecoder().decode(
+          new Uint8Array(chunks.reduce((acc, c) => acc + c.length, 0)),
+        );
+        // Simpler: just read as text
+        capturedBody = Buffer.concat(chunks).toString();
+      }
+      return new Response("ok", { status: 200 });
+    }) as any;
+
+    const handler = createRuntimeProxyHandler(makeConfig());
+    const req = new Request("http://localhost:7830/v1/chat", {
+      method: "POST",
+      body: JSON.stringify({ message: "hello" }),
+      headers: { "content-type": "application/json" },
+    });
+    const res = await handler(req);
+
+    expect(res.status).toBe(200);
+    expect(capturedBody).toBe('{"message":"hello"}');
+  });
+
+  test("relays upstream status code", async () => {
+    globalThis.fetch = mock(async () => {
+      return new Response("Not Found", { status: 404 });
+    }) as any;
+
+    const handler = createRuntimeProxyHandler(makeConfig());
+    const req = new Request("http://localhost:7830/v1/nonexistent");
+    const res = await handler(req);
+
+    expect(res.status).toBe(404);
+  });
+
+  test("returns 502 on upstream connection failure", async () => {
+    globalThis.fetch = mock(async () => {
+      throw new Error("Connection refused");
+    }) as any;
+
+    const handler = createRuntimeProxyHandler(makeConfig());
+    const req = new Request("http://localhost:7830/v1/health");
+    const res = await handler(req);
+
+    expect(res.status).toBe(502);
+    const body = await res.json();
+    expect(body.error).toBe("Bad Gateway");
+  });
+
+  test("strips hop-by-hop headers from request", async () => {
+    let capturedHeaders: Headers | undefined;
+    globalThis.fetch = mock(async (_input: any, init?: any) => {
+      capturedHeaders = init?.headers;
+      return new Response("ok", { status: 200 });
+    }) as any;
+
+    const handler = createRuntimeProxyHandler(makeConfig());
+    const req = new Request("http://localhost:7830/v1/health", {
+      headers: {
+        connection: "keep-alive",
+        "keep-alive": "timeout=5",
+        "transfer-encoding": "chunked",
+        "x-custom": "preserved",
+      },
+    });
+    await handler(req);
+
+    expect(capturedHeaders!.has("connection")).toBe(false);
+    expect(capturedHeaders!.has("keep-alive")).toBe(false);
+    expect(capturedHeaders!.has("transfer-encoding")).toBe(false);
+    expect(capturedHeaders!.get("x-custom")).toBe("preserved");
+  });
+
+  test("strips hop-by-hop headers from response", async () => {
+    globalThis.fetch = mock(async () => {
+      return new Response("ok", {
+        status: 200,
+        headers: {
+          connection: "keep-alive",
+          "transfer-encoding": "chunked",
+          "x-custom": "preserved",
+          "content-type": "text/plain",
+        },
+      });
+    }) as any;
+
+    const handler = createRuntimeProxyHandler(makeConfig());
+    const req = new Request("http://localhost:7830/v1/health");
+    const res = await handler(req);
+
+    expect(res.headers.has("connection")).toBe(false);
+    expect(res.headers.has("transfer-encoding")).toBe(false);
+    expect(res.headers.get("x-custom")).toBe("preserved");
+    expect(res.headers.get("content-type")).toBe("text/plain");
+  });
+
+  test("returns 504 on upstream timeout", async () => {
+    const timeoutError = new DOMException("The operation was aborted due to timeout", "TimeoutError");
+    globalThis.fetch = mock(async () => {
+      throw timeoutError;
+    }) as any;
+
+    const handler = createRuntimeProxyHandler(makeConfig({ runtimeTimeoutMs: 100 }));
+    const req = new Request("http://localhost:7830/v1/health");
+    const res = await handler(req);
+
+    expect(res.status).toBe(504);
+    const body = await res.json();
+    expect(body.error).toBe("Gateway Timeout");
+  });
+
+  test("passes AbortSignal.timeout to upstream fetch", async () => {
+    let capturedSignal: AbortSignal | undefined;
+    globalThis.fetch = mock(async (_input: any, init?: any) => {
+      capturedSignal = init?.signal;
+      return new Response("ok", { status: 200 });
+    }) as any;
+
+    const handler = createRuntimeProxyHandler(makeConfig({ runtimeTimeoutMs: 5000 }));
+    const req = new Request("http://localhost:7830/v1/health");
+    await handler(req);
+
+    expect(capturedSignal).toBeDefined();
+    expect(capturedSignal).toBeInstanceOf(AbortSignal);
+  });
+
+  test("forwards authorization header when auth is not required", async () => {
+    let capturedHeaders: Headers | undefined;
+    globalThis.fetch = mock(async (_input: any, init?: any) => {
+      capturedHeaders = init?.headers;
+      return new Response("ok", { status: 200 });
+    }) as any;
+
+    const handler = createRuntimeProxyHandler(makeConfig());
+    const req = new Request("http://localhost:7830/v1/health", {
+      headers: { authorization: "Bearer upstream-token" },
+    });
+    await handler(req);
+
+    expect(capturedHeaders!.get("authorization")).toBe("Bearer upstream-token");
+  });
+
+  test("replaces client authorization with configured bearer token for upstream", async () => {
+    let capturedHeaders: Headers | undefined;
+    globalThis.fetch = mock(async (_input: any, init?: any) => {
+      capturedHeaders = init?.headers;
+      return new Response("ok", { status: 200 });
+    }) as any;
+
+    const handler = createRuntimeProxyHandler(
+      makeConfig({ runtimeProxyBearerToken: "daemon-token" }),
+    );
+    const req = new Request("http://localhost:7830/v1/health", {
+      headers: { authorization: "Bearer client-token" },
+    });
+    await handler(req);
+
+    expect(capturedHeaders!.get("authorization")).toBe("Bearer daemon-token");
+  });
+
+  test("truncates long upstream error bodies in logs", async () => {
+    const longBody = "x".repeat(512);
+    globalThis.fetch = mock(async () => {
+      return new Response(longBody, { status: 500 });
+    }) as any;
+
+    const handler = createRuntimeProxyHandler(makeConfig());
+    const req = new Request("http://localhost:7830/v1/fail");
+    const res = await handler(req);
+
+    expect(res.status).toBe(500);
+    // The full body is still returned to the client
+    const responseBody = await res.text();
+    expect(responseBody).toBe(longBody);
+  });
+
+  test("does not forward host header to upstream", async () => {
+    let capturedHeaders: Headers | undefined;
+    globalThis.fetch = mock(async (_input: any, init?: any) => {
+      capturedHeaders = init?.headers;
+      return new Response("ok", { status: 200 });
+    }) as any;
+
+    const handler = createRuntimeProxyHandler(makeConfig());
+    const req = new Request("http://localhost:7830/v1/health", {
+      headers: { host: "localhost:7830" },
+    });
+    await handler(req);
+
+    expect(capturedHeaders!.has("host")).toBe(false);
+  });
+});