@vibe80/vibe80 0.1.1

package/server/tests/unit/helpers.test.js

@@ -0,0 +1,95 @@
+import { describe, expect, it, vi } from "vitest";
+
+vi.mock("docker-names", () => ({
+  default: {
+    getRandomName: vi.fn(() => "calm-turing"),
+  },
+}));
+
+import {
+  classifySessionCreationError,
+  createDebugId,
+  createMessageId,
+  formatDebugPayload,
+  generateId,
+  generateRefreshToken,
+  generateSessionName,
+  getSessionTmpDir,
+  hashRefreshToken,
+  parseCommandArgs,
+  sanitizeFilename,
+} from "../../src/helpers.js";
+
+describe("helpers", () => {
+  it("generateId préfixe correctement un id hexadécimal", () => {
+    const id = generateId("w");
+    expect(id).toMatch(/^w[0-9a-f]{24}$/);
+  });
+
+  it("generateSessionName retourne un nom docker", () => {
+    expect(generateSessionName()).toBe("calm-turing");
+  });
+
+  it("hashRefreshToken calcule un sha256 stable", () => {
+    expect(hashRefreshToken("abc")).toBe(
+      "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad"
+    );
+  });
+
+  it("generateRefreshToken retourne 64 chars hex", () => {
+    expect(generateRefreshToken()).toMatch(/^[0-9a-f]{64}$/);
+  });
+
+  it("createMessageId et createDebugId retournent des identifiants non vides", () => {
+    expect(createMessageId().length).toBeGreaterThan(0);
+    expect(createDebugId().length).toBeGreaterThan(0);
+  });
+
+  it("parseCommandArgs gère guillemets simples et doubles", () => {
+    expect(parseCommandArgs(`git commit -m "hello world" 'and more'`)).toEqual([
+      "git",
+      "commit",
+      "-m",
+      "hello world",
+      "and more",
+    ]);
+    expect(parseCommandArgs("")).toEqual([]);
+  });
+
+  it("sanitizeFilename supprime le path", () => {
+    expect(sanitizeFilename("../../etc/passwd")).toBe("passwd");
+    expect(sanitizeFilename("")).toBe("attachment");
+  });
+
+  it("getSessionTmpDir construit le chemin tmp", () => {
+    expect(getSessionTmpDir("/tmp/session-1")).toContain("/tmp/session-1");
+    expect(getSessionTmpDir("/tmp/session-1")).toMatch(/tmp$/);
+  });
+
+  it("formatDebugPayload gère string/buffer/object/troncature", () => {
+    expect(formatDebugPayload("abc")).toBe("abc");
+    expect(formatDebugPayload(Buffer.from("abc", "utf8"))).toBe("abc");
+    expect(formatDebugPayload({ a: 1 })).toBe("{\"a\":1}");
+    expect(formatDebugPayload("abcdef", 3)).toBe("abc…(truncated)");
+    expect(formatDebugPayload(null)).toBeNull();
+  });
+
+  it("classifySessionCreationError classe les erreurs connues", () => {
+    expect(
+      classifySessionCreationError(new Error("fatal: Authentication failed for repo"))
+    ).toMatchObject({ status: 403 });
+    expect(
+      classifySessionCreationError(new Error("Permission denied (publickey)"))
+    ).toMatchObject({ status: 403 });
+    expect(
+      classifySessionCreationError(new Error("repository not found"))
+    ).toMatchObject({ status: 404 });
+    expect(
+      classifySessionCreationError(new Error("Could not resolve host github.com"))
+    ).toMatchObject({ status: 400 });
+    expect(
+      classifySessionCreationError(new Error("Connection timed out"))
+    ).toMatchObject({ status: 504 });
+    expect(classifySessionCreationError(new Error("boom"))).toMatchObject({ status: 500 });
+  });
+});

package/server/tests/unit/services/auth.test.js

@@ -0,0 +1,181 @@
+import { beforeEach, describe, expect, it, vi } from "vitest";
+
+const storageMock = vi.hoisted(() => ({
+  saveWorkspaceRefreshToken: vi.fn(),
+  rotateWorkspaceRefreshToken: vi.fn(),
+}));
+const idSeq = vi.hoisted(() => ({ value: 0 }));
+
+vi.mock("../../../src/storage/index.js", () => ({
+  default: storageMock,
+}));
+
+vi.mock("../../../src/middleware/auth.js", () => ({
+  createWorkspaceToken: vi.fn((workspaceId) => `token-${workspaceId}`),
+  accessTokenTtlSeconds: 3600,
+}));
+
+vi.mock("../../../src/helpers.js", () => ({
+  generateId: vi.fn((prefix) => {
+    idSeq.value += 1;
+    return `${prefix}_generated_${idSeq.value}`;
+  }),
+  hashRefreshToken: vi.fn((token) => `hash-${token}`),
+  generateRefreshToken: vi.fn(() => "refresh-token"),
+}));
+
+describe("services/auth", () => {
+  const loadAuthModule = async () => {
+    vi.resetModules();
+    return import("../../../src/services/auth.js");
+  };
+
+  beforeEach(() => {
+    vi.clearAllMocks();
+    idSeq.value = 0;
+    vi.useRealTimers();
+    delete process.env.MONO_AUTH_TOKEN_TTL_MS;
+  });
+
+  it("issueWorkspaceTokens crée un refresh token indépendant", async () => {
+    storageMock.saveWorkspaceRefreshToken.mockResolvedValueOnce();
+
+    const { issueWorkspaceTokens } = await loadAuthModule();
+    const result = await issueWorkspaceTokens("w123");
+
+    expect(result.workspaceToken).toBe("token-w123");
+    expect(result.refreshToken).toBe("refresh-token");
+    expect(result.expiresIn).toBe(3600);
+    expect(typeof result.refreshExpiresIn).toBe("number");
+
+    expect(storageMock.saveWorkspaceRefreshToken).toHaveBeenCalledTimes(1);
+    const call = storageMock.saveWorkspaceRefreshToken.mock.calls[0];
+    expect(call[0]).toBe("w123");
+    expect(call[1]).toBe("hash-refresh-token");
+    expect(call[3]).toBeGreaterThan(0);
+  });
+
+  it("issueWorkspaceTokens n’ajoute pas de dépendance inter-token", async () => {
+    storageMock.saveWorkspaceRefreshToken.mockResolvedValueOnce();
+    const { issueWorkspaceTokens } = await loadAuthModule();
+
+    await issueWorkspaceTokens("w456");
+
+    const call = storageMock.saveWorkspaceRefreshToken.mock.calls[0];
+    expect(call[0]).toBe("w456");
+    expect(call[1]).toBe("hash-refresh-token");
+    expect(call[3]).toBeGreaterThan(0);
+  });
+
+  it("rotateWorkspaceRefreshToken renvoie de nouveaux tokens si rotation valide", async () => {
+    storageMock.rotateWorkspaceRefreshToken.mockResolvedValueOnce({
+      ok: true,
+      workspaceId: "w123",
+    });
+    const { rotateWorkspaceRefreshToken } = await loadAuthModule();
+
+    const result = await rotateWorkspaceRefreshToken("refresh-token");
+
+    expect(result.ok).toBe(true);
+    expect(result.payload.workspaceToken).toBe("token-w123");
+    expect(result.payload.refreshToken).toBe("refresh-token");
+    expect(storageMock.rotateWorkspaceRefreshToken).toHaveBeenCalledWith(
+      "hash-refresh-token",
+      "hash-refresh-token",
+      expect.any(Number),
+      expect.any(Number)
+    );
+  });
+
+  it("rotateWorkspaceRefreshToken mappe les erreurs token", async () => {
+    storageMock.rotateWorkspaceRefreshToken.mockResolvedValueOnce({
+      ok: false,
+      code: "refresh_token_reused",
+    });
+    const { rotateWorkspaceRefreshToken } = await loadAuthModule();
+    const reused = await rotateWorkspaceRefreshToken("refresh-token");
+    expect(reused.ok).toBe(false);
+    expect(reused.status).toBe(401);
+    expect(reused.payload.code).toBe("refresh_token_reused");
+
+    storageMock.rotateWorkspaceRefreshToken.mockResolvedValueOnce({
+      ok: false,
+      code: "refresh_token_expired",
+    });
+    const expired = await rotateWorkspaceRefreshToken("refresh-token");
+    expect(expired.ok).toBe(false);
+    expect(expired.status).toBe(401);
+    expect(expired.payload.code).toBe("refresh_token_expired");
+  });
+
+  it("createMonoAuthToken + consumeMonoAuthToken fonctionne puis invalide le token", async () => {
+    const { createMonoAuthToken, consumeMonoAuthToken } = await loadAuthModule();
+    const record = createMonoAuthToken("default");
+
+    const firstConsume = consumeMonoAuthToken(record.token);
+    expect(firstConsume).toEqual({ ok: true, workspaceId: "default" });
+
+    const secondConsume = consumeMonoAuthToken(record.token);
+    expect(secondConsume.ok).toBe(false);
+    expect(secondConsume.code).toBe("MONO_AUTH_TOKEN_INVALID");
+  });
+
+  it("consumeMonoAuthToken retourne INVALID pour un token inconnu", async () => {
+    const { consumeMonoAuthToken } = await loadAuthModule();
+    const result = consumeMonoAuthToken("unknown-token");
+    expect(result).toEqual({ ok: false, code: "MONO_AUTH_TOKEN_INVALID" });
+  });
+
+  it("consumeMonoAuthToken retourne EXPIRED pour un token expiré", async () => {
+    vi.useFakeTimers();
+    process.env.MONO_AUTH_TOKEN_TTL_MS = "1";
+    const { createMonoAuthToken, consumeMonoAuthToken } = await loadAuthModule();
+    const record = createMonoAuthToken("default");
+    vi.advanceTimersByTime(10);
+
+    const result = consumeMonoAuthToken(record.token);
+    expect(result).toEqual({ ok: false, code: "MONO_AUTH_TOKEN_EXPIRED" });
+  });
+
+  it("cleanupHandoffTokens supprime les tokens utilisés/expirés", async () => {
+    vi.useFakeTimers();
+    const {
+      createHandoffToken,
+      cleanupHandoffTokens,
+      handoffTokens,
+    } = await loadAuthModule();
+    handoffTokens.clear();
+    const expired = createHandoffToken({ sessionId: "s-exp", workspaceId: "w1" });
+    const used = createHandoffToken({ sessionId: "s-used", workspaceId: "w1" });
+    const willExpire = createHandoffToken({ sessionId: "s-exp", workspaceId: "w1" });
+    used.usedAt = Date.now();
+    vi.advanceTimersByTime(3 * 60 * 1000);
+    const fresh = createHandoffToken({ sessionId: "s-fresh", workspaceId: "w1" });
+
+    cleanupHandoffTokens();
+
+    expect(handoffTokens.has(expired.token)).toBe(false);
+    expect(handoffTokens.has(used.token)).toBe(false);
+    expect(handoffTokens.has(willExpire.token)).toBe(false);
+    expect(handoffTokens.has(fresh.token)).toBe(true);
+  });
+
+  it("cleanupMonoAuthTokens purge les tokens expirés", async () => {
+    vi.useFakeTimers();
+    process.env.MONO_AUTH_TOKEN_TTL_MS = "1";
+    const {
+      createMonoAuthToken,
+      cleanupMonoAuthTokens,
+      consumeMonoAuthToken,
+    } = await loadAuthModule();
+    const token = createMonoAuthToken("default").token;
+    vi.advanceTimersByTime(10);
+
+    cleanupMonoAuthTokens();
+
+    expect(consumeMonoAuthToken(token)).toEqual({
+      ok: false,
+      code: "MONO_AUTH_TOKEN_INVALID",
+    });
+  });
+});

package/server/tests/unit/services/workspace.test.js

@@ -0,0 +1,115 @@
+import crypto from "crypto";
+import { beforeEach, describe, expect, it, vi } from "vitest";
+
+const storageMock = vi.hoisted(() => ({
+  getWorkspace: vi.fn(),
+  saveWorkspace: vi.fn(),
+  appendWorkspaceAuditEvent: vi.fn(),
+}));
+
+vi.mock("../../../src/storage/index.js", () => ({
+  default: storageMock,
+}));
+
+describe("services/workspace", () => {
+  const loadWorkspaceModule = async () => {
+    vi.resetModules();
+    return import("../../../src/services/workspace.js");
+  };
+
+  beforeEach(() => {
+    vi.clearAllMocks();
+    storageMock.getWorkspace.mockResolvedValue({
+      workspaceId: "w0123456789abcdef01234567",
+      providers: {
+        codex: {
+          enabled: true,
+          auth: { type: "api_key", value: "x" },
+        },
+      },
+      workspaceSecretHash: crypto.createHash("sha256").update("old").digest("hex"),
+      uid: 200001,
+      gid: 200001,
+      createdAt: 1,
+      updatedAt: 1,
+    });
+    storageMock.saveWorkspace.mockResolvedValue();
+    storageMock.appendWorkspaceAuditEvent.mockResolvedValue();
+  });
+
+  it("rotateWorkspaceSecret rejette un workspaceId invalide", async () => {
+    const { rotateWorkspaceSecret } = await loadWorkspaceModule();
+    await expect(rotateWorkspaceSecret("invalid-id")).rejects.toThrow("Invalid workspaceId.");
+    expect(storageMock.getWorkspace).not.toHaveBeenCalled();
+  });
+
+  it("rotateWorkspaceSecret met à jour le hash avec un secret fourni", async () => {
+    const { rotateWorkspaceSecret } = await loadWorkspaceModule();
+    const result = await rotateWorkspaceSecret("w0123456789abcdef01234567", {
+      workspaceSecret: "my-new-secret",
+      actor: "cli",
+    });
+
+    expect(result).toEqual({
+      workspaceId: "w0123456789abcdef01234567",
+      workspaceSecret: "my-new-secret",
+    });
+
+    expect(storageMock.saveWorkspace).toHaveBeenCalledTimes(1);
+    const savedPayload = storageMock.saveWorkspace.mock.calls[0][1];
+    expect(savedPayload.workspaceSecretHash).toBe(
+      crypto.createHash("sha256").update("my-new-secret").digest("hex")
+    );
+    expect(savedPayload.createdAt).toBe(1);
+    expect(savedPayload.updatedAt).toBeGreaterThan(1);
+    expect(storageMock.appendWorkspaceAuditEvent).toHaveBeenCalledTimes(1);
+  });
+
+  it("rotateWorkspaceSecret génère un secret si absent", async () => {
+    const { rotateWorkspaceSecret } = await loadWorkspaceModule();
+    const result = await rotateWorkspaceSecret("w0123456789abcdef01234567");
+
+    expect(result.workspaceId).toBe("w0123456789abcdef01234567");
+    expect(result.workspaceSecret).toMatch(/^[0-9a-f]{64}$/);
+    const savedPayload = storageMock.saveWorkspace.mock.calls[0][1];
+    expect(savedPayload.workspaceSecretHash).toBe(
+      crypto.createHash("sha256").update(result.workspaceSecret).digest("hex")
+    );
+  });
+
+  it("verifyWorkspaceSecret retourne true/false selon le hash", async () => {
+    const { verifyWorkspaceSecret } = await loadWorkspaceModule();
+    await expect(
+      verifyWorkspaceSecret("w0123456789abcdef01234567", "old")
+    ).resolves.toBe(true);
+    await expect(
+      verifyWorkspaceSecret("w0123456789abcdef01234567", "wrong")
+    ).resolves.toBe(false);
+  });
+
+  it("validateProvidersConfig valide les cas principaux", async () => {
+    const { validateProvidersConfig } = await loadWorkspaceModule();
+
+    expect(validateProvidersConfig(null)).toBe("providers is required.");
+    expect(validateProvidersConfig({ unknown: { enabled: true } })).toBe(
+      "Unknown provider unknown."
+    );
+    expect(
+      validateProvidersConfig({
+        codex: { enabled: true, auth: null },
+      })
+    ).toBe("Provider codex auth is required when enabled.");
+    expect(
+      validateProvidersConfig({
+        codex: { enabled: true, auth: { type: "setup_token", value: "x" } },
+      })
+    ).toBe("Provider codex auth type setup_token is not supported.");
+
+    expect(
+      validateProvidersConfig({
+        codex: { enabled: true, auth: { type: "api_key", value: "x" } },
+        claude: { enabled: false, auth: null },
+      })
+    ).toBeNull();
+  });
+});

package/server/vitest.config.js

@@ -0,0 +1,23 @@
+import { defineConfig } from "vitest/config";
+
+export default defineConfig({
+  test: {
+    environment: "node",
+    globals: true,
+    include: ["tests/**/*.test.js"],
+    setupFiles: ["tests/setup/env.js"],
+    clearMocks: true,
+    restoreMocks: true,
+  },
+  coverage: {
+    provider: "v8",
+    reporter: ["text", "html"],
+    reportsDirectory: "./coverage",
+    thresholds: {
+      lines: 50,
+      functions: 50,
+      branches: 40,
+      statements: 50,
+    },
+  },
+});