@vellumai/vellum-gateway 0.6.5 → 0.6.6

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@vellumai/vellum-gateway",
-  "version": "0.6.5",
+  "version": "0.6.6",
   "license": "MIT",
   "type": "module",
   "exports": {

package/src/__tests__/auto-approve-conversation-thresholds.test.ts

@@ -0,0 +1,190 @@
+import { describe, test, expect, beforeEach, afterEach } from "bun:test";
+import { initGatewayDb, resetGatewayDb } from "../db/connection.js";
+import {
+  createConversationThresholdGetHandler,
+  createConversationThresholdPutHandler,
+  createConversationThresholdDeleteHandler,
+} from "../http/routes/auto-approve-thresholds.js";
+
+beforeEach(async () => {
+  resetGatewayDb();
+  await initGatewayDb();
+});
+
+afterEach(() => {
+  resetGatewayDb();
+});
+
+// ---------------------------------------------------------------------------
+// Helpers
+// ---------------------------------------------------------------------------
+
+const BASE_URL = "http://gateway.test";
+
+function makeGet(conversationId: string): [Request, string[]] {
+  return [
+    new Request(
+      `${BASE_URL}/v1/permissions/thresholds/conversations/${conversationId}`,
+      { method: "GET" },
+    ),
+    [conversationId],
+  ];
+}
+
+function makePut(conversationId: string, body: unknown): [Request, string[]] {
+  return [
+    new Request(
+      `${BASE_URL}/v1/permissions/thresholds/conversations/${conversationId}`,
+      {
+        method: "PUT",
+        headers: { "Content-Type": "application/json" },
+        body: JSON.stringify(body),
+      },
+    ),
+    [conversationId],
+  ];
+}
+
+function makeDelete(conversationId: string): [Request, string[]] {
+  return [
+    new Request(
+      `${BASE_URL}/v1/permissions/thresholds/conversations/${conversationId}`,
+      { method: "DELETE" },
+    ),
+    [conversationId],
+  ];
+}
+
+// ---------------------------------------------------------------------------
+// Tests
+// ---------------------------------------------------------------------------
+
+describe("GET /v1/permissions/thresholds/conversations/:conversationId", () => {
+  test("returns 404 for nonexistent conversation", async () => {
+    const handler = createConversationThresholdGetHandler();
+    const [req, params] = makeGet("conv-xyz");
+
+    const res = await handler(req, params);
+    expect(res.status).toBe(404);
+
+    const body = await res.json();
+    expect(body.error).toBe("No override for this conversation");
+  });
+
+  test("returns threshold after PUT creates it", async () => {
+    const putHandler = createConversationThresholdPutHandler();
+    const getHandler = createConversationThresholdGetHandler();
+
+    // Create the override
+    const [putReq, putParams] = makePut("conv-xyz", { threshold: "medium" });
+    const putRes = await putHandler(putReq, putParams);
+    expect(putRes.status).toBe(200);
+
+    // Read it back
+    const [getReq, getParams] = makeGet("conv-xyz");
+    const getRes = await getHandler(getReq, getParams);
+    expect(getRes.status).toBe(200);
+
+    const body = await getRes.json();
+    expect(body.threshold).toBe("medium");
+  });
+});
+
+describe("PUT /v1/permissions/thresholds/conversations/:conversationId", () => {
+  test("creates override and returns conversationId + threshold", async () => {
+    const handler = createConversationThresholdPutHandler();
+    const [req, params] = makePut("conv-abc", { threshold: "low" });
+
+    const res = await handler(req, params);
+    expect(res.status).toBe(200);
+
+    const body = await res.json();
+    expect(body).toEqual({ conversationId: "conv-abc", threshold: "low" });
+  });
+
+  test("updates existing override with new value", async () => {
+    const handler = createConversationThresholdPutHandler();
+    const getHandler = createConversationThresholdGetHandler();
+
+    // Create initial
+    const [req1, params1] = makePut("conv-abc", { threshold: "low" });
+    await handler(req1, params1);
+
+    // Update
+    const [req2, params2] = makePut("conv-abc", { threshold: "none" });
+    const res = await handler(req2, params2);
+    expect(res.status).toBe(200);
+
+    const body = await res.json();
+    expect(body).toEqual({ conversationId: "conv-abc", threshold: "none" });
+
+    // Verify via GET
+    const [getReq, getParams] = makeGet("conv-abc");
+    const getRes = await getHandler(getReq, getParams);
+    const getBody = await getRes.json();
+    expect(getBody.threshold).toBe("none");
+  });
+
+  test("returns 400 for invalid threshold", async () => {
+    const handler = createConversationThresholdPutHandler();
+    const [req, params] = makePut("conv-abc", { threshold: "invalid" });
+
+    const res = await handler(req, params);
+    expect(res.status).toBe(400);
+
+    const body = await res.json();
+    expect(body.error).toContain("threshold");
+  });
+
+  test("returns 400 for missing threshold", async () => {
+    const handler = createConversationThresholdPutHandler();
+    const [req, params] = makePut("conv-abc", {});
+
+    const res = await handler(req, params);
+    expect(res.status).toBe(400);
+  });
+
+  test("returns 400 for non-JSON body", async () => {
+    const handler = createConversationThresholdPutHandler();
+    const req = new Request(
+      `${BASE_URL}/v1/permissions/thresholds/conversations/conv-abc`,
+      {
+        method: "PUT",
+        body: "not json",
+      },
+    );
+
+    const res = await handler(req, ["conv-abc"]);
+    expect(res.status).toBe(400);
+  });
+});
+
+describe("DELETE /v1/permissions/thresholds/conversations/:conversationId", () => {
+  test("removes existing override, subsequent GET returns 404", async () => {
+    const putHandler = createConversationThresholdPutHandler();
+    const getHandler = createConversationThresholdGetHandler();
+    const deleteHandler = createConversationThresholdDeleteHandler();
+
+    // Create
+    const [putReq, putParams] = makePut("conv-del", { threshold: "medium" });
+    await putHandler(putReq, putParams);
+
+    // Delete
+    const [delReq, delParams] = makeDelete("conv-del");
+    const delRes = await deleteHandler(delReq, delParams);
+    expect(delRes.status).toBe(204);
+
+    // Verify gone
+    const [getReq, getParams] = makeGet("conv-del");
+    const getRes = await getHandler(getReq, getParams);
+    expect(getRes.status).toBe(404);
+  });
+
+  test("returns 204 on nonexistent conversation (idempotent)", async () => {
+    const handler = createConversationThresholdDeleteHandler();
+    const [req, params] = makeDelete("conv-nonexistent");
+
+    const res = await handler(req, params);
+    expect(res.status).toBe(204);
+  });
+});

package/src/__tests__/auto-approve-thresholds.test.ts

@@ -0,0 +1,238 @@
+import { describe, test, expect, beforeEach, afterEach } from "bun:test";
+import { initGatewayDb, resetGatewayDb } from "../db/connection.js";
+import "./test-preload.js";
+
+import {
+  createGlobalThresholdGetHandler,
+  createGlobalThresholdPutHandler,
+} from "../http/routes/auto-approve-thresholds.js";
+
+// ---------------------------------------------------------------------------
+// Setup / teardown
+// ---------------------------------------------------------------------------
+
+beforeEach(async () => {
+  resetGatewayDb();
+  await initGatewayDb();
+});
+
+afterEach(() => {
+  resetGatewayDb();
+});
+
+// ---------------------------------------------------------------------------
+// Helpers
+// ---------------------------------------------------------------------------
+
+function makeRequest(body?: unknown, method = "PUT"): Request {
+  if (body !== undefined) {
+    return new Request("http://localhost/v1/permissions/thresholds", {
+      method,
+      headers: { "Content-Type": "application/json" },
+      body: JSON.stringify(body),
+    });
+  }
+  return new Request("http://localhost/v1/permissions/thresholds", {
+    method,
+  });
+}
+
+// ---------------------------------------------------------------------------
+// Tests
+// ---------------------------------------------------------------------------
+
+describe("auto-approve thresholds", () => {
+  describe("GET handler", () => {
+    test("returns defaults when no row exists", async () => {
+      const handler = createGlobalThresholdGetHandler();
+      const res = await handler(makeRequest(undefined, "GET"));
+
+      expect(res.status).toBe(200);
+      const data = await res.json();
+      expect(data).toEqual({
+        interactive: "low",
+        background: "medium",
+        headless: "none",
+      });
+    });
+
+    test("returns updated values after PUT", async () => {
+      const putHandler = createGlobalThresholdPutHandler();
+      const getHandler = createGlobalThresholdGetHandler();
+
+      // First PUT to set values
+      await putHandler(makeRequest({ interactive: "medium" }));
+
+      // GET should reflect the update
+      const res = await getHandler(makeRequest(undefined, "GET"));
+      expect(res.status).toBe(200);
+      const data = await res.json();
+      expect(data).toEqual({
+        interactive: "medium",
+        background: "medium",
+        headless: "none",
+      });
+    });
+  });
+
+  describe("PUT handler", () => {
+    test("partial update only changes provided fields", async () => {
+      const handler = createGlobalThresholdPutHandler();
+
+      const res = await handler(makeRequest({ interactive: "medium" }));
+      expect(res.status).toBe(200);
+      const data = await res.json();
+      expect(data).toEqual({
+        interactive: "medium",
+        background: "medium",
+        headless: "none",
+      });
+    });
+
+    test("returns 400 for invalid threshold value", async () => {
+      const handler = createGlobalThresholdPutHandler();
+
+      const res = await handler(makeRequest({ interactive: "extreme" }));
+      expect(res.status).toBe(400);
+      const data = await res.json();
+      expect(data.error).toContain("interactive");
+      expect(data.error).toContain("none, low, medium, high");
+    });
+
+    test("accepts high as a valid threshold value", async () => {
+      const handler = createGlobalThresholdPutHandler();
+
+      const res = await handler(makeRequest({ interactive: "high" }));
+      expect(res.status).toBe(200);
+      const data = await res.json();
+      expect(data).toEqual({
+        interactive: "high",
+        background: "medium",
+        headless: "none",
+      });
+    });
+
+    test("returns 400 for invalid body (non-JSON)", async () => {
+      const handler = createGlobalThresholdPutHandler();
+
+      const req = new Request("http://localhost/v1/permissions/thresholds", {
+        method: "PUT",
+        body: "not json",
+      });
+      const res = await handler(req);
+      expect(res.status).toBe(400);
+      const data = await res.json();
+      expect(data.error).toContain("valid JSON");
+    });
+
+    test("returns 400 for non-object body", async () => {
+      const handler = createGlobalThresholdPutHandler();
+
+      const res = await handler(makeRequest("just a string"));
+      expect(res.status).toBe(400);
+      const data = await res.json();
+      expect(data.error).toContain("JSON object");
+    });
+
+    test("returns 400 for array body", async () => {
+      const handler = createGlobalThresholdPutHandler();
+
+      const res = await handler(makeRequest([1, 2, 3]));
+      expect(res.status).toBe(400);
+      const data = await res.json();
+      expect(data.error).toContain("JSON object");
+    });
+
+    test("returns 400 for invalid background value", async () => {
+      const handler = createGlobalThresholdPutHandler();
+
+      const res = await handler(makeRequest({ background: "invalid" }));
+      expect(res.status).toBe(400);
+      const data = await res.json();
+      expect(data.error).toContain("background");
+    });
+
+    test("returns 400 for invalid headless value", async () => {
+      const handler = createGlobalThresholdPutHandler();
+
+      const res = await handler(makeRequest({ headless: 42 }));
+      expect(res.status).toBe(400);
+      const data = await res.json();
+      expect(data.error).toContain("headless");
+    });
+
+    test("upserts correctly — first write creates, second write updates", async () => {
+      const handler = createGlobalThresholdPutHandler();
+
+      // First write — creates the row
+      const res1 = await handler(
+        makeRequest({ interactive: "none", background: "low" }),
+      );
+      expect(res1.status).toBe(200);
+      const data1 = await res1.json();
+      expect(data1).toEqual({
+        interactive: "none",
+        background: "low",
+        headless: "none",
+      });
+
+      // Second write — updates the existing row
+      const res2 = await handler(
+        makeRequest({ background: "medium", headless: "low" }),
+      );
+      expect(res2.status).toBe(200);
+      const data2 = await res2.json();
+      expect(data2).toEqual({
+        interactive: "none",
+        background: "medium",
+        headless: "low",
+      });
+    });
+
+    test("updates all fields at once", async () => {
+      const handler = createGlobalThresholdPutHandler();
+
+      const res = await handler(
+        makeRequest({
+          interactive: "medium",
+          background: "none",
+          headless: "low",
+        }),
+      );
+      expect(res.status).toBe(200);
+      const data = await res.json();
+      expect(data).toEqual({
+        interactive: "medium",
+        background: "none",
+        headless: "low",
+      });
+    });
+
+    test("empty object preserves existing values when row exists", async () => {
+      const putHandler = createGlobalThresholdPutHandler();
+
+      // First: set non-default values
+      await putHandler(
+        makeRequest({
+          interactive: "medium",
+          background: "none",
+          headless: "low",
+        }),
+      );
+
+      // Then PUT empty object — existing values should be preserved
+      const res = await putHandler(makeRequest({}));
+      expect(res.status).toBe(200);
+      const data = await res.json();
+      expect(data).toEqual({
+        interactive: "medium",
+        background: "none",
+        headless: "low",
+      });
+    });
+
+    // Note: "empty PUT inserts schema defaults when no row" is covered by
+    // the GET handler test suite. The PUT tests run after prior PUTs leave
+    // a row in the DB (bun test reuse), so we test preserve-existing above.
+  });
+});

package/src/__tests__/cloud-oauth-token.test.ts

@@ -1,41 +1,56 @@
-import { describe, test, expect, beforeAll } from "bun:test";
+import {
+  describe,
+  test,
+  expect,
+  beforeAll,
+  beforeEach,
+  afterEach,
+} from "bun:test";
 import "./test-preload.js";
 
 import {
   initSigningKey,
   loadOrCreateSigningKey,
-  mintToken,
   verifyToken,
 } from "../auth/token-service.js";
-import { CURRENT_POLICY_EPOCH } from "../auth/policy.js";
 import { createCloudOAuthTokenHandler } from "../http/routes/cloud-oauth-token.js";
 
-let serviceToken: string;
-
 beforeAll(() => {
   initSigningKey(loadOrCreateSigningKey());
-  // Mint a service token (svc:gateway:self) that the handler accepts.
-  serviceToken = mintToken({
-    aud: "vellum-gateway",
-    sub: "svc:gateway:self",
-    scope_profile: "gateway_service_v1",
-    policy_epoch: CURRENT_POLICY_EPOCH,
-    ttlSeconds: 60,
-  });
 });
 
 const handler = createCloudOAuthTokenHandler();
+const ASSISTANT_ID = "asst-123";
+const ACTOR_PRINCIPAL_ID = "user-456";
+const PLATFORM_INTERNAL_API_KEY = "platform-internal-key";
+const ORIGINAL_PLATFORM_INTERNAL_API_KEY =
+  process.env.PLATFORM_INTERNAL_API_KEY;
+
+beforeEach(() => {
+  process.env.PLATFORM_INTERNAL_API_KEY = PLATFORM_INTERNAL_API_KEY;
+});
 
-/** Build a POST request with the service-token Authorization header. */
-function makeRequest(body: unknown): Request {
+afterEach(() => {
+  if (ORIGINAL_PLATFORM_INTERNAL_API_KEY === undefined) {
+    delete process.env.PLATFORM_INTERNAL_API_KEY;
+    return;
+  }
+  process.env.PLATFORM_INTERNAL_API_KEY = ORIGINAL_PLATFORM_INTERNAL_API_KEY;
+});
+
+/** Build a POST request to the cloud OAuth token endpoint. */
+function makeRequest(body: unknown, authorization?: string): Request {
+  const headers: Record<string, string> = {
+    "content-type": "application/json",
+  };
+  if (authorization) {
+    headers.authorization = authorization;
+  }
   return new Request(
     "http://gateway.test/v1/internal/oauth/chrome-extension/token",
     {
       method: "POST",
-      headers: {
-        "content-type": "application/json",
-        authorization: `Bearer ${serviceToken}`,
-      },
+      headers,
       body: typeof body === "string" ? body : JSON.stringify(body),
     },
   );
@@ -44,7 +59,10 @@ function makeRequest(body: unknown): Request {
 describe("POST /v1/internal/oauth/chrome-extension/token", () => {
   test("happy path: valid body returns 200 with token, expiresIn, and guardianId", async () => {
     const res = await handler.handleMintToken(
-      makeRequest({ assistantId: "asst-123", actorPrincipalId: "user-456" }),
+      makeRequest(
+        { assistantId: ASSISTANT_ID, actorPrincipalId: ACTOR_PRINCIPAL_ID },
+        `Bearer ${PLATFORM_INTERNAL_API_KEY}`,
+      ),
     );
 
     expect(res.status).toBe(200);
@@ -57,13 +75,15 @@ describe("POST /v1/internal/oauth/chrome-extension/token", () => {
     expect(typeof body.token).toBe("string");
     expect(body.token.split(".").length).toBe(3); // JWT format
     expect(body.expiresIn).toBe(3600);
-    expect(body.guardianId).toBe("user-456");
+    expect(body.guardianId).toBe(ACTOR_PRINCIPAL_ID);
 
     // Verify the minted token has the correct claims
     const result = verifyToken(body.token, "vellum-gateway");
     expect(result.ok).toBe(true);
     if (result.ok) {
-      expect(result.claims.sub).toBe("actor:asst-123:user-456");
+      expect(result.claims.sub).toBe(
+        `actor:${ASSISTANT_ID}:${ACTOR_PRINCIPAL_ID}`,
+      );
       expect(result.claims.aud).toBe("vellum-gateway");
       expect(result.claims.scope_profile).toBe("actor_client_v1");
     }
@@ -80,7 +100,7 @@ describe("POST /v1/internal/oauth/chrome-extension/token", () => {
 
   test("missing actorPrincipalId returns 400", async () => {
     const res = await handler.handleMintToken(
-      makeRequest({ assistantId: "asst-123" }),
+      makeRequest({ assistantId: ASSISTANT_ID }),
     );
     expect(res.status).toBe(400);
     const body = (await res.json()) as { error: string };
@@ -98,7 +118,7 @@ describe("POST /v1/internal/oauth/chrome-extension/token", () => {
 
   test("empty actorPrincipalId string returns 400", async () => {
     const res = await handler.handleMintToken(
-      makeRequest({ assistantId: "asst-123", actorPrincipalId: "" }),
+      makeRequest({ assistantId: ASSISTANT_ID, actorPrincipalId: "" }),
     );
     expect(res.status).toBe(400);
     const body = (await res.json()) as { error: string };
@@ -107,7 +127,7 @@ describe("POST /v1/internal/oauth/chrome-extension/token", () => {
 
   test("whitespace-only strings return 400", async () => {
     const res = await handler.handleMintToken(
-      makeRequest({ assistantId: "   ", actorPrincipalId: "user-456" }),
+      makeRequest({ assistantId: "   ", actorPrincipalId: ACTOR_PRINCIPAL_ID }),
     );
     expect(res.status).toBe(400);
     const body = (await res.json()) as { error: string };
@@ -120,10 +140,7 @@ describe("POST /v1/internal/oauth/chrome-extension/token", () => {
         "http://gateway.test/v1/internal/oauth/chrome-extension/token",
         {
           method: "POST",
-          headers: {
-            "content-type": "application/json",
-            authorization: `Bearer ${serviceToken}`,
-          },
+          headers: { "content-type": "application/json" },
           body: "not-json",
         },
       ),
@@ -135,7 +152,7 @@ describe("POST /v1/internal/oauth/chrome-extension/token", () => {
 
   test("non-string assistantId returns 400", async () => {
     const res = await handler.handleMintToken(
-      makeRequest({ assistantId: 123, actorPrincipalId: "user-456" }),
+      makeRequest({ assistantId: 123, actorPrincipalId: ACTOR_PRINCIPAL_ID }),
     );
     expect(res.status).toBe(400);
     const body = (await res.json()) as { error: string };
@@ -144,7 +161,10 @@ describe("POST /v1/internal/oauth/chrome-extension/token", () => {
 
   test("colon in assistantId returns 400", async () => {
     const res = await handler.handleMintToken(
-      makeRequest({ assistantId: "asst:123", actorPrincipalId: "user-456" }),
+      makeRequest({
+        assistantId: "asst:123",
+        actorPrincipalId: ACTOR_PRINCIPAL_ID,
+      }),
     );
     expect(res.status).toBe(400);
     const body = (await res.json()) as { error: string };
@@ -153,7 +173,7 @@ describe("POST /v1/internal/oauth/chrome-extension/token", () => {
 
   test("colon in actorPrincipalId returns 400", async () => {
     const res = await handler.handleMintToken(
-      makeRequest({ assistantId: "asst-123", actorPrincipalId: "user:456" }),
+      makeRequest({ assistantId: ASSISTANT_ID, actorPrincipalId: "user:456" }),
     );
     expect(res.status).toBe(400);
     const body = (await res.json()) as { error: string };
@@ -162,45 +182,43 @@ describe("POST /v1/internal/oauth/chrome-extension/token", () => {
 
   test("request without authorization header returns 403", async () => {
     const res = await handler.handleMintToken(
-      new Request(
-        "http://gateway.test/v1/internal/oauth/chrome-extension/token",
-        {
-          method: "POST",
-          headers: { "content-type": "application/json" },
-          body: JSON.stringify({
-            assistantId: "asst-123",
-            actorPrincipalId: "user-456",
-          }),
-        },
+      makeRequest({
+        assistantId: ASSISTANT_ID,
+        actorPrincipalId: ACTOR_PRINCIPAL_ID,
+      }),
+    );
+    expect(res.status).toBe(403);
+  });
+
+  test("request with invalid bearer token returns 403", async () => {
+    const res = await handler.handleMintToken(
+      makeRequest(
+        { assistantId: ASSISTANT_ID, actorPrincipalId: ACTOR_PRINCIPAL_ID },
+        "Bearer wrong-internal-key",
       ),
     );
     expect(res.status).toBe(403);
   });
 
-  test("request with actor token (not service) returns 403", async () => {
-    const actorToken = mintToken({
-      aud: "vellum-gateway",
-      sub: "actor:asst-123:some-user",
-      scope_profile: "actor_client_v1",
-      policy_epoch: CURRENT_POLICY_EPOCH,
-      ttlSeconds: 60,
-    });
+  test("request with non-bearer authorization header returns 403", async () => {
     const res = await handler.handleMintToken(
-      new Request(
-        "http://gateway.test/v1/internal/oauth/chrome-extension/token",
-        {
-          method: "POST",
-          headers: {
-            "content-type": "application/json",
-            authorization: `Bearer ${actorToken}`,
-          },
-          body: JSON.stringify({
-            assistantId: "asst-123",
-            actorPrincipalId: "user-456",
-          }),
-        },
+      makeRequest(
+        { assistantId: ASSISTANT_ID, actorPrincipalId: ACTOR_PRINCIPAL_ID },
+        "Api-Key some-key",
       ),
     );
     expect(res.status).toBe(403);
   });
+
+  test("request returns 503 when PLATFORM_INTERNAL_API_KEY is not configured", async () => {
+    delete process.env.PLATFORM_INTERNAL_API_KEY;
+
+    const res = await handler.handleMintToken(
+      makeRequest(
+        { assistantId: ASSISTANT_ID, actorPrincipalId: ACTOR_PRINCIPAL_ID },
+        `Bearer ${PLATFORM_INTERNAL_API_KEY}`,
+      ),
+    );
+    expect(res.status).toBe(503);
+  });
 });