@wlfi-agent/cli 1.4.15 → 1.4.17

package/packages/cache/src/service/index.test.ts

@@ -1,5 +1,6 @@
 import { createHash } from 'node:crypto';
 import { describe, expect, it } from 'vitest';
+import { CacheError, cacheErrorCodes } from '../errors/index.js';
 import { RelayCacheService } from './index.js';
 
 class InMemoryCacheClient {
@@ -78,6 +79,84 @@ class InMemoryCacheClient {
   }
 }
 
+class ClaimRaceCacheClient extends InMemoryCacheClient {
+  constructor(private readonly barrierKey: string) {
+    super();
+  }
+
+  private barrierOpen = false;
+  private barrierPromise: Promise<void> | null = null;
+  private releaseBarrier: (() => void) | null = null;
+  private waitingReaders = 0;
+
+  override async get(key: string): Promise<string | null> {
+    const snapshot = await super.get(key);
+    if (key !== this.barrierKey || this.barrierOpen) {
+      return snapshot;
+    }
+
+    this.waitingReaders += 1;
+    if (!this.barrierPromise) {
+      this.barrierPromise = new Promise<void>((resolve) => {
+        this.releaseBarrier = resolve;
+      });
+      setTimeout(() => {
+        if (!this.barrierOpen) {
+          this.barrierOpen = true;
+          this.releaseBarrier?.();
+        }
+      }, 0);
+    }
+
+    if (this.waitingReaders >= 2 && !this.barrierOpen) {
+      this.barrierOpen = true;
+      this.releaseBarrier?.();
+    }
+
+    await this.barrierPromise;
+    return snapshot;
+  }
+}
+
+class MutableInMemoryCacheClient extends InMemoryCacheClient {
+  async forceGet(key: string): Promise<string | null> {
+    return await super.get(key);
+  }
+
+  async forceSet(key: string, value: string): Promise<void> {
+    await super.set(key, value);
+  }
+}
+
+async function seedPendingApproval(
+  service: RelayCacheService,
+  daemonId: string,
+  approvalRequestId: string,
+): Promise<void> {
+  await service.syncDaemonRegistration({
+    daemon: {
+      daemonId,
+      daemonPublicKey: 'aa'.repeat(32),
+      ethereumAddress: '0x9999999999999999999999999999999999999999',
+      lastSeenAt: new Date().toISOString(),
+      registeredAt: new Date().toISOString(),
+      status: 'active',
+      updatedAt: new Date().toISOString(),
+    },
+    approvalRequests: [
+      {
+        approvalRequestId,
+        daemonId,
+        destination: '0xaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa',
+        requestedAt: new Date().toISOString(),
+        status: 'pending',
+        transactionType: 'transfer_native',
+        updatedAt: new Date().toISOString(),
+      },
+    ],
+  });
+}
+
 describe('RelayCacheService approval capability guards', () => {
   it('consumes an approval capability only once', async () => {
     const service = new RelayCacheService({
@@ -225,6 +304,85 @@ describe('RelayCacheService approval capability guards', () => {
     );
   });
 
+  it('preserves a rotated approval capability across later daemon syncs', async () => {
+    const service = new RelayCacheService({
+      client: new InMemoryCacheClient() as never,
+      namespace: 'test:relay',
+    });
+
+    const daemonId = '12'.repeat(32);
+    const originalToken = '34'.repeat(32);
+    const originalHash = createHash('sha256').update(originalToken).digest('hex');
+    const approvalRequestId = 'cccccccc-cccc-4ccc-8ccc-cccccccccccc';
+
+    await service.syncDaemonRegistration({
+      daemon: {
+        daemonId,
+        daemonPublicKey: '56'.repeat(32),
+        ethereumAddress: '0x9999999999999999999999999999999999999999',
+        lastSeenAt: new Date().toISOString(),
+        registeredAt: new Date().toISOString(),
+        status: 'active',
+        updatedAt: new Date().toISOString(),
+      },
+      approvalRequests: [
+        {
+          approvalRequestId,
+          daemonId,
+          destination: '0xaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa',
+          metadata: {
+            approvalCapabilityHash: originalHash,
+            approvalCapabilityToken: originalToken,
+            source: 'daemon',
+          },
+          requestedAt: new Date().toISOString(),
+          status: 'pending',
+          transactionType: 'transfer_native',
+          updatedAt: new Date().toISOString(),
+        },
+      ],
+    });
+
+    const rotated = await service.rotateApprovalCapability(approvalRequestId);
+
+    await service.syncDaemonRegistration({
+      daemon: {
+        daemonId,
+        daemonPublicKey: '56'.repeat(32),
+        ethereumAddress: '0x9999999999999999999999999999999999999999',
+        lastSeenAt: new Date().toISOString(),
+        registeredAt: new Date().toISOString(),
+        status: 'active',
+        updatedAt: new Date().toISOString(),
+      },
+      approvalRequests: [
+        {
+          approvalRequestId,
+          daemonId,
+          destination: '0xaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa',
+          metadata: {
+            approvalCapabilityHash: originalHash,
+            approvalCapabilityToken: originalToken,
+            source: 'daemon',
+          },
+          requestedAt: new Date().toISOString(),
+          status: 'pending',
+          transactionType: 'transfer_native',
+          updatedAt: new Date().toISOString(),
+        },
+      ],
+    });
+
+    const synced = await service.getApprovalRequest(approvalRequestId);
+
+    expect(synced?.metadata).toMatchObject({
+      source: 'daemon',
+      approvalCapabilityHash: rotated.metadata?.approvalCapabilityHash,
+      approvalCapabilityToken: rotated.metadata?.approvalCapabilityToken,
+    });
+    expect(synced?.metadata?.approvalCapabilityToken).not.toBe(originalToken);
+  });
+
   it('rejects secure approval capability rotation for non-pending approvals', async () => {
     const service = new RelayCacheService({
       client: new InMemoryCacheClient() as never,
@@ -260,4 +418,421 @@ describe('RelayCacheService approval capability guards', () => {
       service.rotateApprovalCapability('cccccccc-cccc-4ccc-8ccc-cccccccccccc'),
     ).rejects.toThrow(/cannot accept a new secure approval link/);
   });
+
+  it('tracks active manual approval updates beyond the scan window', async () => {
+    const service = new RelayCacheService({
+      client: new InMemoryCacheClient() as never,
+      namespace: 'test:relay',
+    });
+
+    const daemonId = 'ab'.repeat(32);
+    const approvalRequestId = 'dddddddd-dddd-4ddd-8ddd-dddddddddddd';
+    await seedPendingApproval(service, daemonId, approvalRequestId);
+
+    await service.createEncryptedUpdate({
+      daemonId,
+      metadata: {
+        source: 'approval_console',
+      },
+      payload: {
+        algorithm: 'x25519-xchacha20poly1305-v1',
+        ciphertextBase64: 'aa',
+        encapsulatedKeyBase64: 'bb',
+        nonceBase64: 'cc',
+        schemaVersion: 1,
+      },
+      targetApprovalRequestId: approvalRequestId,
+      type: 'manual_approval_decision',
+    });
+
+    for (let index = 0; index < 300; index += 1) {
+      await service.createEncryptedUpdate({
+        daemonId,
+        metadata: {
+          source: 'test-seed',
+        },
+        payload: {
+          algorithm: 'x25519-xchacha20poly1305-v1',
+          ciphertextBase64: `seed-${index}`,
+          encapsulatedKeyBase64: 'bb',
+          nonceBase64: 'cc',
+          schemaVersion: 1,
+        },
+        type: 'daemon_status',
+      });
+    }
+
+    await expect(service.hasActiveApprovalUpdate(daemonId, approvalRequestId)).resolves.toBe(true);
+  });
+
+  it('rejects duplicate manual approval updates until feedback clears the active slot', async () => {
+    const service = new RelayCacheService({
+      client: new InMemoryCacheClient() as never,
+      namespace: 'test:relay',
+    });
+
+    const daemonId = 'cd'.repeat(32);
+    const approvalRequestId = 'eeeeeeee-eeee-4eee-8eee-eeeeeeeeeeee';
+    await seedPendingApproval(service, daemonId, approvalRequestId);
+    const first = await service.createEncryptedUpdate({
+      daemonId,
+      metadata: {
+        source: 'approval_console',
+      },
+      payload: {
+        algorithm: 'x25519-xchacha20poly1305-v1',
+        ciphertextBase64: 'aa',
+        encapsulatedKeyBase64: 'bb',
+        nonceBase64: 'cc',
+        schemaVersion: 1,
+      },
+      targetApprovalRequestId: approvalRequestId,
+      type: 'manual_approval_decision',
+    });
+
+    await expect(
+      service.createEncryptedUpdate({
+        daemonId,
+        metadata: {
+          source: 'approval_console',
+        },
+        payload: {
+          algorithm: 'x25519-xchacha20poly1305-v1',
+          ciphertextBase64: 'dd',
+          encapsulatedKeyBase64: 'ee',
+          nonceBase64: 'ff',
+          schemaVersion: 1,
+        },
+        targetApprovalRequestId: approvalRequestId,
+        type: 'manual_approval_decision',
+      }),
+    ).rejects.toThrow(/already has a queued operator update/);
+
+    const [claimed] = await service.claimEncryptedUpdates({
+      daemonId,
+      leaseSeconds: 30,
+      limit: 1,
+    });
+
+    await expect(
+      service.submitUpdateFeedback({
+        claimToken: claimed.claimToken ?? '',
+        daemonId,
+        status: 'applied',
+        updateId: first.updateId,
+      }),
+    ).resolves.toMatchObject({
+      status: 'applied',
+      updateId: first.updateId,
+    });
+
+    await expect(
+      service.createEncryptedUpdate({
+        daemonId,
+        metadata: {
+          source: 'approval_console',
+        },
+        payload: {
+          algorithm: 'x25519-xchacha20poly1305-v1',
+          ciphertextBase64: '11',
+          encapsulatedKeyBase64: '22',
+          nonceBase64: '33',
+          schemaVersion: 1,
+        },
+        targetApprovalRequestId: approvalRequestId,
+        type: 'manual_approval_decision',
+      }),
+    ).resolves.toMatchObject({
+      daemonId,
+      targetApprovalRequestId: approvalRequestId,
+      type: 'manual_approval_decision',
+    });
+  });
+
+  it('rejects manual approval updates once the approval is no longer pending', async () => {
+    const service = new RelayCacheService({
+      client: new InMemoryCacheClient() as never,
+      namespace: 'test:relay',
+    });
+
+    const daemonId = 'de'.repeat(32);
+    const approvalRequestId = '12121212-1212-4212-8212-121212121212';
+
+    await service.syncDaemonRegistration({
+      daemon: {
+        daemonId,
+        daemonPublicKey: '34'.repeat(32),
+        ethereumAddress: '0x1111111111111111111111111111111111111111',
+        lastSeenAt: new Date().toISOString(),
+        registeredAt: new Date().toISOString(),
+        status: 'active',
+        updatedAt: new Date().toISOString(),
+      },
+      approvalRequests: [
+        {
+          approvalRequestId,
+          daemonId,
+          destination: '0x2222222222222222222222222222222222222222',
+          requestedAt: new Date().toISOString(),
+          status: 'approved',
+          transactionType: 'transfer_native',
+          updatedAt: new Date().toISOString(),
+        },
+      ],
+    });
+
+    await expect(
+      service.createEncryptedUpdate({
+        daemonId,
+        metadata: {
+          source: 'approval_console',
+        },
+        payload: {
+          algorithm: 'x25519-xchacha20poly1305-v1',
+          ciphertextBase64: 'aa',
+          encapsulatedKeyBase64: 'bb',
+          nonceBase64: 'cc',
+          schemaVersion: 1,
+        },
+        targetApprovalRequestId: approvalRequestId,
+        type: 'manual_approval_decision',
+      }),
+    ).rejects.toMatchObject<Partial<CacheError>>({
+      code: cacheErrorCodes.invalidPayload,
+      message: `Approval '${approvalRequestId}' is 'approved' and cannot accept new updates`,
+    });
+  });
+
+  it('rejects manual approval updates that target another daemon approval', async () => {
+    const service = new RelayCacheService({
+      client: new InMemoryCacheClient() as never,
+      namespace: 'test:relay',
+    });
+
+    const approvalDaemonId = '01'.repeat(32);
+    const updateDaemonId = '02'.repeat(32);
+    const approvalRequestId = '34343434-3434-4434-8434-343434343434';
+
+    await service.syncDaemonRegistration({
+      daemon: {
+        daemonId: approvalDaemonId,
+        daemonPublicKey: '56'.repeat(32),
+        ethereumAddress: '0x3333333333333333333333333333333333333333',
+        lastSeenAt: new Date().toISOString(),
+        registeredAt: new Date().toISOString(),
+        status: 'active',
+        updatedAt: new Date().toISOString(),
+      },
+      approvalRequests: [
+        {
+          approvalRequestId,
+          daemonId: approvalDaemonId,
+          destination: '0x4444444444444444444444444444444444444444',
+          requestedAt: new Date().toISOString(),
+          status: 'pending',
+          transactionType: 'transfer_native',
+          updatedAt: new Date().toISOString(),
+        },
+      ],
+    });
+
+    await expect(
+      service.createEncryptedUpdate({
+        daemonId: updateDaemonId,
+        metadata: {
+          source: 'approval_console',
+        },
+        payload: {
+          algorithm: 'x25519-xchacha20poly1305-v1',
+          ciphertextBase64: 'aa',
+          encapsulatedKeyBase64: 'bb',
+          nonceBase64: 'cc',
+          schemaVersion: 1,
+        },
+        targetApprovalRequestId: approvalRequestId,
+        type: 'manual_approval_decision',
+      }),
+    ).rejects.toMatchObject<Partial<CacheError>>({
+      code: cacheErrorCodes.invalidPayload,
+      message: `Approval '${approvalRequestId}' belongs to daemon '${approvalDaemonId}', not '${updateDaemonId}'`,
+    });
+  });
+
+  it('keeps the original active slot intact after rejecting a duplicate manual approval update', async () => {
+    const service = new RelayCacheService({
+      client: new InMemoryCacheClient() as never,
+      namespace: 'test:relay',
+    });
+
+    const daemonId = 'ef'.repeat(32);
+    const approvalRequestId = 'ffffffff-ffff-4fff-8fff-ffffffffffff';
+    await seedPendingApproval(service, daemonId, approvalRequestId);
+    const original = await service.createEncryptedUpdate({
+      daemonId,
+      metadata: {
+        source: 'approval_console',
+      },
+      payload: {
+        algorithm: 'x25519-xchacha20poly1305-v1',
+        ciphertextBase64: 'aa',
+        encapsulatedKeyBase64: 'bb',
+        nonceBase64: 'cc',
+        schemaVersion: 1,
+      },
+      targetApprovalRequestId: approvalRequestId,
+      type: 'manual_approval_decision',
+    });
+
+    await expect(
+      service.createEncryptedUpdate({
+        daemonId,
+        metadata: {
+          source: 'approval_console',
+        },
+        payload: {
+          algorithm: 'x25519-xchacha20poly1305-v1',
+          ciphertextBase64: 'dd',
+          encapsulatedKeyBase64: 'ee',
+          nonceBase64: 'ff',
+          schemaVersion: 1,
+        },
+        targetApprovalRequestId: approvalRequestId,
+        type: 'manual_approval_decision',
+      }),
+    ).rejects.toThrow(/already has a queued operator update/);
+
+    await expect(service.hasActiveApprovalUpdate(daemonId, approvalRequestId)).resolves.toBe(true);
+    await expect(service.getEncryptedUpdate(original.updateId)).resolves.toMatchObject({
+      status: 'pending',
+      targetApprovalRequestId: approvalRequestId,
+      updateId: original.updateId,
+    });
+  });
+
+  it('claims each update at most once across concurrent pollers', async () => {
+    const daemonId = '98'.repeat(32);
+    const updateId = '56565656-5656-4565-8565-565656565656';
+    const service = new RelayCacheService({
+      client: new ClaimRaceCacheClient(`test:relay:update:${updateId}`) as never,
+      namespace: 'test:relay',
+    });
+
+    await service.createEncryptedUpdate({
+      daemonId,
+      metadata: {
+        source: 'test-seed',
+      },
+      payload: {
+        algorithm: 'x25519-xchacha20poly1305-v1',
+        ciphertextBase64: 'aa',
+        encapsulatedKeyBase64: 'bb',
+        nonceBase64: 'cc',
+        schemaVersion: 1,
+      },
+      type: 'daemon_status',
+      updateId,
+    });
+
+    const [firstClaim, secondClaim] = await Promise.all([
+      service.claimEncryptedUpdates({
+        daemonId,
+        leaseSeconds: 30,
+        limit: 1,
+      }),
+      service.claimEncryptedUpdates({
+        daemonId,
+        leaseSeconds: 30,
+        limit: 1,
+      }),
+    ]);
+
+    expect([...firstClaim, ...secondClaim]).toHaveLength(1);
+    await expect(service.getEncryptedUpdate(updateId)).resolves.toMatchObject({
+      status: 'inflight',
+      updateId,
+    });
+  });
+
+  it('rejects removing an update through the wrong daemon namespace', async () => {
+    const service = new RelayCacheService({
+      client: new InMemoryCacheClient() as never,
+      namespace: 'test:relay',
+    });
+
+    const update = await service.createEncryptedUpdate({
+      daemonId: '10'.repeat(32),
+      metadata: {
+        source: 'test-seed',
+      },
+      payload: {
+        algorithm: 'x25519-xchacha20poly1305-v1',
+        ciphertextBase64: 'aa',
+        encapsulatedKeyBase64: 'bb',
+        nonceBase64: 'cc',
+        schemaVersion: 1,
+      },
+      type: 'daemon_status',
+    });
+
+    await expect(service.removeEncryptedUpdate('20'.repeat(32), update.updateId)).rejects.toMatchObject<
+      Partial<CacheError>
+    >({
+      code: cacheErrorCodes.notFound,
+      message: `Unknown update '${update.updateId}' for daemon '${'20'.repeat(32)}'`,
+    });
+    await expect(service.getEncryptedUpdate(update.updateId)).resolves.toMatchObject({
+      daemonId: '10'.repeat(32),
+      updateId: update.updateId,
+    });
+  });
+
+  it('preserves a foreign active slot when feedback completes an older update record', async () => {
+    const client = new MutableInMemoryCacheClient();
+    const service = new RelayCacheService({
+      client: client as never,
+      namespace: 'test:relay',
+    });
+
+    const daemonId = '77'.repeat(32);
+    const approvalRequestId = '78787878-7878-4787-8787-787878787878';
+    await seedPendingApproval(service, daemonId, approvalRequestId);
+
+    const update = await service.createEncryptedUpdate({
+      daemonId,
+      metadata: {
+        source: 'approval_console',
+      },
+      payload: {
+        algorithm: 'x25519-xchacha20poly1305-v1',
+        ciphertextBase64: 'aa',
+        encapsulatedKeyBase64: 'bb',
+        nonceBase64: 'cc',
+        schemaVersion: 1,
+      },
+      targetApprovalRequestId: approvalRequestId,
+      type: 'manual_approval_decision',
+    });
+
+    const [claimed] = await service.claimEncryptedUpdates({
+      daemonId,
+      leaseSeconds: 30,
+      limit: 1,
+    });
+    const activeApprovalKey = `test:relay:approval:${approvalRequestId}:active-update`;
+    await client.forceSet(activeApprovalKey, 'other-update-id');
+
+    await expect(
+      service.submitUpdateFeedback({
+        claimToken: claimed.claimToken ?? '',
+        daemonId,
+        status: 'applied',
+        updateId: update.updateId,
+      }),
+    ).resolves.toMatchObject({
+      status: 'applied',
+      updateId: update.updateId,
+    });
+
+    await expect(client.forceGet(activeApprovalKey)).resolves.toBe('other-update-id');
+  });
 });