@vellumai/vellum-gateway 0.8.7 → 0.8.8

package/Dockerfile

@@ -34,8 +34,11 @@ WORKDIR /app
 
 RUN apt-get update && apt-get upgrade -y && apt-get install -y \
     ca-certificates \
+    e2fsprogs \
     iproute2 \
+    mount \
     procps \
+    util-linux \
     && rm -rf /var/lib/apt/lists/*
 
 # Copy bun binary from builder
@@ -52,6 +55,13 @@ COPY --from=builder --chown=gateway:gateway /app/packages /app/packages
 
 RUN mkdir -p /gateway-security && chown gateway:gateway /gateway-security
 
+COPY packages/block-volume-bootstrap/scripts/*.sh /usr/local/bin/
+RUN chmod +x \
+    /usr/local/bin/vellum-block-volume-common.sh \
+    /usr/local/bin/vellum-block-volume-init.sh \
+    /usr/local/bin/vellum-block-volume-mount.sh \
+    /usr/local/bin/vellum-block-volume-resize.sh
+
 USER gateway
 
 EXPOSE 7830

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@vellumai/vellum-gateway",
-  "version": "0.8.7",
+  "version": "0.8.8",
   "license": "MIT",
   "type": "module",
   "exports": {

package/src/__tests__/actor-token-revocation.test.ts

@@ -0,0 +1,267 @@
+/**
+ * Tests for the hot-path actor-token revocation check: a revoked actor token
+ * is rejected on live requests, with fail-open semantics for non-actor,
+ * unrecorded, and DB-error cases.
+ */
+import { describe, test, expect, beforeEach, afterEach } from "bun:test";
+import { mkdtempSync, mkdirSync, rmSync } from "node:fs";
+import { tmpdir } from "node:os";
+import { join } from "node:path";
+
+import { initSigningKey, mintToken } from "../auth/token-service.js";
+import { CURRENT_POLICY_EPOCH } from "../auth/policy.js";
+import type { TokenClaims } from "../auth/types.js";
+
+initSigningKey(Buffer.from("test-signing-key-at-least-32-bytes-long-xx"));
+
+const { initGatewayDb, resetGatewayDb, getGatewayDb } =
+  await import("../db/connection.js");
+const { actorTokenRecords } = await import("../db/schema.js");
+const { hashToken } = await import("../auth/guardian-bootstrap.js");
+const { isActorTokenRevoked } =
+  await import("../auth/actor-token-revocation.js");
+const { createRuntimeProxyHandler } =
+  await import("../http/routes/runtime-proxy.js");
+
+const ACTOR_SUB = "actor:self:guardian-001";
+const actorClaims = { sub: ACTOR_SUB } as TokenClaims;
+
+let testRoot: string;
+
+function insertTokenRecord(rawToken: string, status: "active" | "revoked") {
+  const now = Date.now();
+  getGatewayDb()
+    .insert(actorTokenRecords)
+    .values({
+      id: `id-${rawToken}`,
+      tokenHash: hashToken(rawToken),
+      guardianPrincipalId: "guardian-001",
+      hashedDeviceId: hashToken("device-A"),
+      platform: "web",
+      status,
+      issuedAt: now,
+      expiresAt: now + 86_400_000,
+      createdAt: now,
+      updatedAt: now,
+    })
+    .run();
+}
+
+beforeEach(async () => {
+  testRoot = mkdtempSync(join(tmpdir(), "revocation-test-"));
+  const securityDir = join(testRoot, "protected");
+  mkdirSync(securityDir, { recursive: true });
+  process.env.GATEWAY_SECURITY_DIR = securityDir;
+  await initGatewayDb();
+});
+
+afterEach(() => {
+  resetGatewayDb();
+  delete process.env.GATEWAY_SECURITY_DIR;
+  try {
+    rmSync(testRoot, { recursive: true, force: true });
+  } catch {
+    /* best effort */
+  }
+});
+
+describe("isActorTokenRevoked", () => {
+  test("returns true for an actor token whose record is revoked", () => {
+    insertTokenRecord("token-revoked", "revoked");
+    expect(isActorTokenRevoked("token-revoked", actorClaims)).toBe(true);
+  });
+
+  test("returns false for an actor token whose record is active", () => {
+    insertTokenRecord("token-active", "active");
+    expect(isActorTokenRevoked("token-active", actorClaims)).toBe(false);
+  });
+
+  test("returns false (fail-open) for an actor token with no record", () => {
+    expect(isActorTokenRevoked("token-unknown", actorClaims)).toBe(false);
+  });
+
+  test("never checks non-actor tokens (svc)", () => {
+    // Even if a row with this hash were revoked, a svc sub must be ignored.
+    insertTokenRecord("svc-token", "revoked");
+    const svcClaims = { sub: "svc:gateway:self" } as TokenClaims;
+    expect(isActorTokenRevoked("svc-token", svcClaims)).toBe(false);
+  });
+
+  test("returns false (fail-open) when the gateway DB is unavailable", () => {
+    resetGatewayDb();
+    expect(isActorTokenRevoked("token-anything", actorClaims)).toBe(false);
+  });
+
+  test("still detects revocation when the token has surrounding whitespace", () => {
+    // The record is stored under the canonical (trimmed) token hash; a token
+    // supplied with trailing whitespace (e.g. a `?token=<jwt>%20` WS param)
+    // must still resolve to the revoked record.
+    insertTokenRecord("token-revoked", "revoked");
+    expect(isActorTokenRevoked("token-revoked ", actorClaims)).toBe(true);
+    expect(isActorTokenRevoked(" token-revoked\n", actorClaims)).toBe(true);
+  });
+});
+
+describe("signature-encoding canonicalization (revocation bypass)", () => {
+  function mintActorJwt(): string {
+    return mintToken({
+      aud: "vellum-gateway",
+      sub: ACTOR_SUB,
+      scope_profile: "actor_client_v1",
+      policy_epoch: CURRENT_POLICY_EPOCH,
+      ttlSeconds: 3600,
+    });
+  }
+
+  // Append base64 padding to the signature segment. Buffer.from(.., "base64url")
+  // decodes it to the SAME bytes, so the JWT still verifies — but the raw string
+  // differs, which (pre-fix) made the revocation hash miss the stored record.
+  function padSignature(jwt: string): string {
+    const [h, p, sig] = jwt.split(".");
+    return `${h}.${p}.${sig}=`;
+  }
+
+  test("detects a revoked token whose signature segment is re-encoded with padding", () => {
+    const jwt = mintActorJwt();
+    insertTokenRecord(jwt, "revoked"); // stored under the canonical token hash
+
+    // Baseline: the canonical token is detected as revoked.
+    expect(isActorTokenRevoked(jwt, actorClaims)).toBe(true);
+
+    // Bypass attempt: same token, signature re-encoded (different string, same
+    // bytes). Must still resolve to the revoked record.
+    const padded = padSignature(jwt);
+    expect(padded).not.toBe(jwt);
+    expect(isActorTokenRevoked(padded, actorClaims)).toBe(true);
+  });
+
+  test("does not falsely revoke an active token re-encoded with padding", () => {
+    const jwt = mintActorJwt();
+    insertTokenRecord(jwt, "active");
+    expect(isActorTokenRevoked(padSignature(jwt), actorClaims)).toBe(false);
+  });
+});
+
+describe("runtime proxy enforcement", () => {
+  function makeConfig() {
+    return {
+      assistantRuntimeBaseUrl: "http://localhost:7821",
+      routingEntries: [],
+      defaultAssistantId: undefined,
+      unmappedPolicy: "reject" as const,
+      port: 7830,
+      runtimeProxyRequireAuth: true,
+      shutdownDrainMs: 5000,
+      runtimeTimeoutMs: 30000,
+      runtimeMaxRetries: 2,
+      runtimeInitialBackoffMs: 500,
+      maxWebhookPayloadBytes: 1048576,
+      logFile: { dir: undefined, retentionDays: 30 },
+      maxAttachmentBytes: {
+        telegram: 50 * 1024 * 1024,
+        slack: 100 * 1024 * 1024,
+        whatsapp: 16 * 1024 * 1024,
+        default: 50 * 1024 * 1024,
+      },
+      maxAttachmentConcurrency: 3,
+      gatewayInternalBaseUrl: "http://127.0.0.1:7830",
+      trustProxy: false,
+    };
+  }
+
+  function mintActorJwt(): string {
+    return mintToken({
+      aud: "vellum-gateway",
+      sub: ACTOR_SUB,
+      scope_profile: "actor_client_v1",
+      policy_epoch: CURRENT_POLICY_EPOCH,
+      ttlSeconds: 3600,
+    });
+  }
+
+  test("rejects a revoked actor token with 401 on the chat path", async () => {
+    const jwt = mintActorJwt();
+    insertTokenRecord(jwt, "revoked");
+
+    const handler = createRuntimeProxyHandler(makeConfig());
+    const res = await handler(
+      new Request("http://127.0.0.1:7830/v1/assistants/self/messages", {
+        method: "POST",
+        headers: {
+          authorization: `Bearer ${jwt}`,
+          "content-type": "application/json",
+        },
+        body: JSON.stringify({ content: "hi" }),
+      }),
+      "127.0.0.1",
+    );
+
+    expect(res.status).toBe(401);
+  });
+});
+
+describe("/auth/token revocation", () => {
+  function makeLoopbackServer() {
+    return {
+      requestIP: () => ({ address: "127.0.0.1", family: "IPv4", port: 5000 }),
+    } as unknown as import("bun").Server<unknown>;
+  }
+
+  test("rejects re-minting a token from a revoked source token", async () => {
+    const { handleCreateToken } = await import("../http/routes/auth-token.js");
+    const jwt = mintToken({
+      aud: "vellum-gateway",
+      sub: ACTOR_SUB,
+      scope_profile: "actor_client_v1",
+      policy_epoch: CURRENT_POLICY_EPOCH,
+      ttlSeconds: 3600,
+    });
+    insertTokenRecord(jwt, "revoked");
+
+    const res = await handleCreateToken(
+      new Request("http://127.0.0.1:7830/auth/token", {
+        method: "POST",
+        headers: {
+          authorization: `Bearer ${jwt}`,
+          origin: "http://localhost:3000",
+        },
+      }),
+      makeLoopbackServer(),
+    );
+
+    expect(res.status).toBe(401);
+  });
+});
+
+describe("m0004 token-hash index migration", () => {
+  function rawDb() {
+    return (
+      getGatewayDb() as unknown as { $client: import("bun:sqlite").Database }
+    ).$client;
+  }
+  function indexSql(): string {
+    const row = rawDb()
+      .prepare(
+        "SELECT sql FROM sqlite_master WHERE type='index' AND name='idx_actor_tokens_hash'",
+      )
+      .get() as { sql: string } | null;
+    return row?.sql ?? "";
+  }
+
+  test("recreates a pre-existing partial index as unfiltered", async () => {
+    // Simulate an upgraded gateway: replace the index with the OLD partial form.
+    rawDb().exec("DROP INDEX IF EXISTS idx_actor_tokens_hash");
+    rawDb().exec(
+      "CREATE INDEX idx_actor_tokens_hash ON actor_token_records (token_hash) WHERE status = 'active'",
+    );
+    expect(indexSql().toLowerCase()).toContain("where");
+
+    const m0004 =
+      await import("../db/data-migrations/m0004-actor-token-hash-index-unfiltered.js");
+    expect(m0004.up()).toBe("done");
+
+    // The index now exists and no longer filters on status.
+    expect(indexSql()).not.toBe("");
+    expect(indexSql().toLowerCase()).not.toContain("where");
+  });
+});

package/src/__tests__/auth-fallback-count-tracker.test.ts

@@ -0,0 +1,92 @@
+import { describe, expect, test } from "bun:test";
+
+import { AuthFallbackCountTracker } from "../auth-fallback-count-tracker.js";
+
+describe("AuthFallbackCountTracker", () => {
+  test("increments per (guard, path, failureKind) key", () => {
+    const t = new AuthFallbackCountTracker(0);
+    t.increment("edge", "/v1/chat", "missing_authorization");
+    t.increment("edge", "/v1/chat", "missing_authorization");
+    t.increment("edge", "/v1/chat", "token_validation_failed");
+    t.increment("edge-guardian", "/v1/chat", "missing_authorization");
+
+    const snap = t.snapshot();
+    expect(snap.length).toBe(3);
+    const find = (g: string, p: string, f: string) =>
+      snap.find((c) => c.guard === g && c.path === p && c.failureKind === f)
+        ?.count;
+    expect(find("edge", "/v1/chat", "missing_authorization")).toBe(2);
+    expect(find("edge", "/v1/chat", "token_validation_failed")).toBe(1);
+    expect(find("edge-guardian", "/v1/chat", "missing_authorization")).toBe(1);
+  });
+
+  test("drain returns the window + counts and resets", () => {
+    const t = new AuthFallbackCountTracker(1000);
+    t.increment("edge", "/v1/a", "missing_authorization");
+    t.increment("edge", "/v1/a", "missing_authorization");
+
+    const batch = t.drain(2000);
+    expect(batch.windowStart).toBe(1000);
+    expect(batch.windowEnd).toBe(2000);
+    expect(batch.counts).toEqual([
+      {
+        guard: "edge",
+        path: "/v1/a",
+        failureKind: "missing_authorization",
+        count: 2,
+      },
+    ]);
+
+    // Drained — tracker is empty and the window is re-anchored to the drain.
+    expect(t.snapshot()).toEqual([]);
+    const empty = t.drain(3000);
+    expect(empty.counts).toEqual([]);
+    expect(empty.windowStart).toBe(2000);
+    expect(empty.windowEnd).toBe(3000);
+  });
+
+  test("an empty drain leaves the window start anchored", () => {
+    const t = new AuthFallbackCountTracker(1000);
+    // Nothing recorded yet — draining must not shift windowStart forward.
+    expect(t.drain(2000)).toMatchObject({ windowStart: 1000, windowEnd: 2000 });
+    t.increment("edge", "/v1/a", "missing_authorization");
+    expect(t.drain(3000).windowStart).toBe(1000);
+  });
+
+  test("merge folds a drained batch back in", () => {
+    const t = new AuthFallbackCountTracker(0);
+    t.increment("edge", "/v1/a", "missing_authorization");
+    const batch = t.drain(100);
+
+    // Simulate a failed flush: counts come back, plus a newer count for the
+    // same key that accumulated after the drain.
+    t.increment("edge", "/v1/a", "missing_authorization");
+    t.merge(batch.counts);
+
+    const snap = t.snapshot();
+    expect(snap.length).toBe(1);
+    expect(snap[0].count).toBe(2);
+  });
+
+  test("caps distinct keys but keeps counting existing ones", () => {
+    const t = new AuthFallbackCountTracker(0);
+    // MAX_TRACKED_KEYS is 10_000; exceed it with distinct paths.
+    for (let i = 0; i < 10_050; i++) {
+      t.increment("edge", `/v1/p${i}`, "missing_authorization");
+    }
+    const snap = t.snapshot();
+    expect(snap.length).toBe(10_000);
+
+    // An already-tracked key still increments past the cap.
+    t.increment("edge", "/v1/p0", "missing_authorization");
+    expect(t.snapshot().find((c) => c.path === "/v1/p0")?.count).toBe(2);
+  });
+
+  test("reset clears counts", () => {
+    const t = new AuthFallbackCountTracker(0);
+    t.increment("edge", "/v1/a", "missing_authorization");
+    t.reset(500);
+    expect(t.snapshot()).toEqual([]);
+    expect(t.drain(600).windowStart).toBe(500);
+  });
+});

package/src/__tests__/auth-fallback-log-throttle.test.ts

@@ -0,0 +1,36 @@
+import { describe, expect, test } from "bun:test";
+
+import { AuthFallbackLogThrottle } from "../auth-fallback-log-throttle.js";
+
+describe("AuthFallbackLogThrottle", () => {
+  test("logs the first time a key is seen", () => {
+    const throttle = new AuthFallbackLogThrottle();
+    expect(throttle.shouldLog("edge /v1/chat", 0)).toBe(true);
+  });
+
+  test("suppresses repeats within the cooldown window", () => {
+    const throttle = new AuthFallbackLogThrottle(1000);
+    expect(throttle.shouldLog("edge /v1/chat", 0)).toBe(true);
+    expect(throttle.shouldLog("edge /v1/chat", 500)).toBe(false);
+    expect(throttle.shouldLog("edge /v1/chat", 999)).toBe(false);
+  });
+
+  test("logs again once the cooldown elapses", () => {
+    const throttle = new AuthFallbackLogThrottle(1000);
+    expect(throttle.shouldLog("edge /v1/chat", 0)).toBe(true);
+    // now - last === cooldownMs is not < cooldownMs, so it logs again.
+    expect(throttle.shouldLog("edge /v1/chat", 1000)).toBe(true);
+    expect(throttle.shouldLog("edge /v1/chat", 1500)).toBe(false);
+  });
+
+  test("tracks distinct endpoints independently", () => {
+    const throttle = new AuthFallbackLogThrottle(1000);
+    expect(throttle.shouldLog("edge /v1/chat", 0)).toBe(true);
+    expect(throttle.shouldLog("edge-guardian /v1/guardian/sync", 0)).toBe(true);
+    // Each key has its own window — neither suppresses the other.
+    expect(throttle.shouldLog("edge /v1/chat", 100)).toBe(false);
+    expect(throttle.shouldLog("edge-guardian /v1/guardian/sync", 100)).toBe(
+      false,
+    );
+  });
+});

package/src/__tests__/auth-fallback-reporter.test.ts

@@ -0,0 +1,101 @@
+import { describe, expect, mock, test } from "bun:test";
+
+import { AuthFallbackCountTracker } from "../auth-fallback-count-tracker.js";
+import { AuthFallbackReporter } from "../auth-fallback-reporter.js";
+
+const BASE_URL = "http://127.0.0.1:7821";
+
+function makeReporter(
+  tracker: AuthFallbackCountTracker,
+  fetchImpl: typeof import("../fetch.js").fetchImpl,
+) {
+  return new AuthFallbackReporter({
+    tracker,
+    baseUrl: BASE_URL,
+    intervalMs: 60_000,
+    fetchImpl,
+    mintToken: () => "test-service-token",
+  });
+}
+
+describe("AuthFallbackReporter", () => {
+  test("does nothing when there is nothing to flush", async () => {
+    const tracker = new AuthFallbackCountTracker(0);
+    const fetchMock = mock(async () => new Response("{}", { status: 200 }));
+    await makeReporter(tracker, fetchMock as never).flush();
+    expect(fetchMock).not.toHaveBeenCalled();
+  });
+
+  test("drains and POSTs the counts to the daemon route with a service token", async () => {
+    const tracker = new AuthFallbackCountTracker(0);
+    tracker.increment("edge", "/v1/chat", "missing_authorization");
+    tracker.increment("edge", "/v1/chat", "missing_authorization");
+    tracker.increment("edge-guardian", "/v1/sync", "guardian_mismatch");
+
+    const fetchMock = mock(async () => new Response("{}", { status: 200 }));
+    await makeReporter(tracker, fetchMock as never).flush();
+
+    expect(fetchMock).toHaveBeenCalledTimes(1);
+    const [url, init] = fetchMock.mock.calls[0] as unknown as [
+      string,
+      RequestInit,
+    ];
+    expect(url).toBe(`${BASE_URL}/v1/internal/telemetry/auth-fallback`);
+    expect(init.method).toBe("POST");
+    const headers = init.headers as Record<string, string>;
+    expect(headers["Content-Type"]).toBe("application/json");
+    expect(headers["Authorization"]).toBe("Bearer test-service-token");
+
+    const body = JSON.parse(init.body as string);
+    expect(typeof body.window_start).toBe("number");
+    expect(typeof body.window_end).toBe("number");
+    expect(body.counts).toEqual(
+      expect.arrayContaining([
+        {
+          guard: "edge",
+          path: "/v1/chat",
+          failure_kind: "missing_authorization",
+          count: 2,
+        },
+        {
+          guard: "edge-guardian",
+          path: "/v1/sync",
+          failure_kind: "guardian_mismatch",
+          count: 1,
+        },
+      ]),
+    );
+
+    // Successful flush drains the tracker.
+    expect(tracker.snapshot()).toEqual([]);
+  });
+
+  test("re-queues counts when the daemon returns a non-OK status", async () => {
+    const tracker = new AuthFallbackCountTracker(0);
+    tracker.increment("edge", "/v1/chat", "missing_authorization");
+
+    const fetchMock = mock(async () => new Response("nope", { status: 404 }));
+    await makeReporter(tracker, fetchMock as never).flush();
+
+    expect(fetchMock).toHaveBeenCalledTimes(1);
+    // Counts merged back so the next flush retries them.
+    const snap = tracker.snapshot();
+    expect(snap.length).toBe(1);
+    expect(snap[0].count).toBe(1);
+  });
+
+  test("re-queues counts when the POST throws", async () => {
+    const tracker = new AuthFallbackCountTracker(0);
+    tracker.increment("edge", "/v1/chat", "missing_authorization");
+    tracker.increment("edge", "/v1/chat", "missing_authorization");
+
+    const fetchMock = mock(async () => {
+      throw new Error("connection refused");
+    });
+    await makeReporter(tracker, fetchMock as never).flush();
+
+    const snap = tracker.snapshot();
+    expect(snap.length).toBe(1);
+    expect(snap[0].count).toBe(2);
+  });
+});

package/src/__tests__/bash-risk-classifier.test.ts

@@ -218,4 +218,60 @@ describe("risk rule cache integration", () => {
     expect(result.risk).toBe("high");
     expect(result.matchType).toBe("registry");
   });
+
+  test("generalized action: rule with positional tokens applies (beyond registry subcommands)", () => {
+    // `ls` has no registry subcommands, but the rule editor offers positional
+    // action patterns such as `action:ls vellumtestfile` (for `ls vellumtestfile *`).
+    // The matcher must probe positional-derived action keys, not just the
+    // registry subcommand pattern (which would only see `ls`), or the saved
+    // rule is silently ignored.
+    store.create({
+      tool: "bash",
+      pattern: "action:ls vellumtestfile",
+      risk: "high",
+      description: "Generalized ls rule",
+    });
+
+    initTrustRuleCache(store);
+
+    const result = classifySegment(
+      segment("ls vellumtestfile extra"),
+      [],
+      DEFAULT_COMMAND_REGISTRY,
+    );
+
+    // The more specific positional action rule wins over the seeded `ls`
+    // program-level default.
+    expect(result.risk).toBe("high");
+    expect(result.matchType).toBe("user_rule");
+  });
+
+  test("generalized action: rule with a path positional applies", () => {
+    // Regression guard for the suspected save/match divergence on path-like
+    // positionals. `generateScopeOptions` drops positionals from the RIGHT and
+    // keeps order, so for `cat /etc/passwd notes.txt` the saveable ladder
+    // includes `action:cat /etc/passwd` (a leading-prefix action key that
+    // retains the path). The matcher builds the positional pattern
+    // `cat /etc/passwd notes.txt` and `findBaseRisk` walks leading prefixes, so
+    // `action:cat /etc/passwd` must resolve. Paths are NOT stripped on either
+    // side (that exclusion lives only in the dead `deriveShellActionKeys`
+    // path), so this matches.
+    store.create({
+      tool: "bash",
+      pattern: "action:cat /etc/passwd",
+      risk: "high",
+      description: "Generalized cat rule with a path token",
+    });
+
+    initTrustRuleCache(store);
+
+    const result = classifySegment(
+      segment("cat /etc/passwd notes.txt"),
+      [],
+      DEFAULT_COMMAND_REGISTRY,
+    );
+
+    expect(result.risk).toBe("high");
+    expect(result.matchType).toBe("user_rule");
+  });
 });

package/src/__tests__/config.test.ts

@@ -54,6 +54,26 @@ describe("config: hardcoded defaults", () => {
     }
   });
 
+  test("trustProxy is opt-in via GATEWAY_TRUST_PROXY", () => {
+    const saved = process.env.GATEWAY_TRUST_PROXY;
+    try {
+      process.env.GATEWAY_TRUST_PROXY = "true";
+      expect(loadConfig().trustProxy).toBe(true);
+
+      process.env.GATEWAY_TRUST_PROXY = "1";
+      expect(loadConfig().trustProxy).toBe(true);
+
+      process.env.GATEWAY_TRUST_PROXY = "false";
+      expect(loadConfig().trustProxy).toBe(false);
+
+      process.env.GATEWAY_TRUST_PROXY = "anything-else";
+      expect(loadConfig().trustProxy).toBe(false);
+    } finally {
+      if (saved !== undefined) process.env.GATEWAY_TRUST_PROXY = saved;
+      else delete process.env.GATEWAY_TRUST_PROXY;
+    }
+  });
+
   test("assistantRuntimeBaseUrl derives from RUNTIME_HTTP_PORT", () => {
     const saved = process.env.RUNTIME_HTTP_PORT;
     process.env.RUNTIME_HTTP_PORT = "9999";