apcore-js 0.1.0

package/tests/integration/test-acl-safety.test.ts

@@ -0,0 +1,268 @@
+import { describe, it, expect } from 'vitest';
+import { Type } from '@sinclair/typebox';
+import { Executor } from '../../src/executor.js';
+import { FunctionModule } from '../../src/decorator.js';
+import { Registry } from '../../src/registry/registry.js';
+import { ACL } from '../../src/acl.js';
+import { Context, createIdentity } from '../../src/context.js';
+import { Config } from '../../src/config.js';
+import {
+  ACLDeniedError,
+  CallDepthExceededError,
+  CallFrequencyExceededError,
+  CircularCallError,
+} from '../../src/errors.js';
+
+function makeModule(id: string, fn?: (inputs: Record<string, unknown>, ctx: Context) => Record<string, unknown> | Promise<Record<string, unknown>>): FunctionModule {
+  return new FunctionModule({
+    execute: fn ?? (() => ({ value: 'ok' })),
+    moduleId: id,
+    inputSchema: Type.Object({}),
+    outputSchema: Type.Object({ value: Type.String() }),
+    description: `Module ${id}`,
+  });
+}
+
+describe('ACL Integration', () => {
+  it('wildcard pattern allows matching modules', async () => {
+    const registry = new Registry();
+    registry.register('math.add', new FunctionModule({
+      execute: (inputs) => ({ result: (inputs['a'] as number) + (inputs['b'] as number) }),
+      moduleId: 'math.add',
+      inputSchema: Type.Object({ a: Type.Number(), b: Type.Number() }),
+      outputSchema: Type.Object({ result: Type.Number() }),
+      description: 'Add two numbers',
+    }));
+    registry.register('io.read', makeModule('io.read'));
+
+    const acl = new ACL([
+      { callers: ['*'], targets: ['math.*'], effect: 'allow', description: 'Allow math' },
+    ], 'deny');
+
+    const executor = new Executor({ registry, acl });
+
+    const result = await executor.call('math.add', { a: 2, b: 3 });
+    expect(result['result']).toBe(5);
+
+    await expect(executor.call('io.read', {})).rejects.toThrow(ACLDeniedError);
+  });
+
+  it('external caller denied by default', async () => {
+    const registry = new Registry();
+    registry.register('test.mod', makeModule('test.mod'));
+
+    const acl = new ACL([], 'deny');
+    const executor = new Executor({ registry, acl });
+
+    // No context = null caller = @external
+    await expect(executor.call('test.mod', {})).rejects.toThrow(ACLDeniedError);
+  });
+
+  it('system identity type allowed via conditions', async () => {
+    const registry = new Registry();
+    registry.register('test.mod', makeModule('test.mod'));
+
+    const acl = new ACL([
+      {
+        callers: ['*'],
+        targets: ['*'],
+        effect: 'allow',
+        description: 'Allow system identity',
+        conditions: { identity_types: ['system'] },
+      },
+    ], 'deny');
+
+    const executor = new Executor({ registry, acl });
+
+    // System identity - allowed
+    const sysCtx = Context.create(executor, createIdentity('sys', 'system'));
+    const result = await executor.call('test.mod', {}, sysCtx);
+    expect(result['value']).toBe('ok');
+
+    // User identity - denied
+    const userCtx = Context.create(executor, createIdentity('user1', 'user'));
+    await expect(executor.call('test.mod', {}, userCtx)).rejects.toThrow(ACLDeniedError);
+  });
+
+  it('role-based conditions', async () => {
+    const registry = new Registry();
+    registry.register('test.mod', makeModule('test.mod'));
+
+    const acl = new ACL([
+      {
+        callers: ['*'],
+        targets: ['*'],
+        effect: 'allow',
+        description: 'Allow admin role',
+        conditions: { roles: ['admin'] },
+      },
+    ], 'deny');
+
+    const executor = new Executor({ registry, acl });
+
+    // Admin role - allowed
+    const adminCtx = Context.create(executor, createIdentity('admin1', 'user', ['admin']));
+    const result = await executor.call('test.mod', {}, adminCtx);
+    expect(result['value']).toBe('ok');
+
+    // Viewer role - denied
+    const viewerCtx = Context.create(executor, createIdentity('viewer1', 'user', ['viewer']));
+    await expect(executor.call('test.mod', {}, viewerCtx)).rejects.toThrow(ACLDeniedError);
+  });
+
+  it('max call depth condition in ACL', async () => {
+    const registry = new Registry();
+    registry.register('test.mod', makeModule('test.mod'));
+
+    const acl = new ACL([
+      {
+        callers: ['*'],
+        targets: ['*'],
+        effect: 'allow',
+        description: 'Allow up to depth 2',
+        conditions: { max_call_depth: 2 },
+      },
+    ], 'deny');
+
+    const executor = new Executor({ registry, acl });
+
+    // Shallow call - allowed
+    const ctx = Context.create(executor);
+    const result = await executor.call('test.mod', {}, ctx);
+    expect(result['value']).toBe('ok');
+
+    // Deep call chain (depth > 2) - denied by ACL condition
+    const deepCtx = new Context(
+      crypto.randomUUID(),
+      'caller1',
+      ['mod1', 'mod2', 'mod3'],
+      executor,
+      null,
+      null,
+      {},
+    );
+    await expect(executor.call('test.mod', {}, deepCtx)).rejects.toThrow(ACLDeniedError);
+  });
+
+  it('multiple rules: first match wins', async () => {
+    const registry = new Registry();
+    registry.register('secret.data', makeModule('secret.data'));
+    registry.register('public.data', makeModule('public.data'));
+
+    const acl = new ACL([
+      { callers: ['*'], targets: ['secret.*'], effect: 'deny', description: 'Deny secret' },
+      { callers: ['*'], targets: ['*'], effect: 'allow', description: 'Allow rest' },
+    ], 'deny');
+
+    const executor = new Executor({ registry, acl });
+
+    await expect(executor.call('secret.data', {})).rejects.toThrow(ACLDeniedError);
+
+    const result = await executor.call('public.data', {});
+    expect(result['value']).toBe('ok');
+  });
+
+  it('addRule inserts at front and takes precedence', async () => {
+    const registry = new Registry();
+    registry.register('test.mod', makeModule('test.mod'));
+
+    const acl = new ACL([
+      { callers: ['*'], targets: ['*'], effect: 'deny', description: 'Deny all' },
+    ], 'deny');
+
+    const executor = new Executor({ registry, acl });
+
+    // Initially denied
+    await expect(executor.call('test.mod', {})).rejects.toThrow(ACLDeniedError);
+
+    // Add allow rule at front
+    acl.addRule({
+      callers: ['*'],
+      targets: ['test.mod'],
+      effect: 'allow',
+      description: 'Allow test.mod',
+    });
+
+    // Now allowed
+    const result = await executor.call('test.mod', {});
+    expect(result['value']).toBe('ok');
+  });
+});
+
+describe('Safety Checks', () => {
+  it('call depth exceeded', async () => {
+    const registry = new Registry();
+    registry.register('mod.recursive', new FunctionModule({
+      execute: async (inputs: Record<string, unknown>, context: Context) => {
+        const depth = inputs['depth'] as number;
+        if (depth > 0) {
+          const exec = context.executor as Executor;
+          return await exec.call('mod.recursive', { depth: depth - 1 }, context);
+        }
+        return { depth: 0 };
+      },
+      moduleId: 'mod.recursive',
+      inputSchema: Type.Object({ depth: Type.Number() }),
+      outputSchema: Type.Object({ depth: Type.Number() }),
+      description: 'Recursive module',
+    }));
+
+    const config = new Config({ executor: { max_call_depth: 3 } });
+    const executor = new Executor({ registry, config });
+
+    await expect(executor.call('mod.recursive', { depth: 10 })).rejects.toThrow(CallDepthExceededError);
+  });
+
+  it('circular call detection', async () => {
+    const registry = new Registry();
+
+    registry.register('mod.a', new FunctionModule({
+      execute: async (_inputs: Record<string, unknown>, context: Context) => {
+        const exec = context.executor as Executor;
+        return await exec.call('mod.b', {}, context);
+      },
+      moduleId: 'mod.a',
+      inputSchema: Type.Object({}),
+      outputSchema: Type.Object({ value: Type.String() }),
+      description: 'Module A',
+    }));
+
+    registry.register('mod.b', new FunctionModule({
+      execute: async (_inputs: Record<string, unknown>, context: Context) => {
+        const exec = context.executor as Executor;
+        return await exec.call('mod.a', {}, context);
+      },
+      moduleId: 'mod.b',
+      inputSchema: Type.Object({}),
+      outputSchema: Type.Object({ value: Type.String() }),
+      description: 'Module B',
+    }));
+
+    const executor = new Executor({ registry });
+
+    await expect(executor.call('mod.a', {})).rejects.toThrow(CircularCallError);
+  });
+
+  it('call frequency exceeded', async () => {
+    const registry = new Registry();
+    registry.register('mod.freq', new FunctionModule({
+      execute: async (inputs: Record<string, unknown>, context: Context) => {
+        const count = inputs['count'] as number;
+        if (count > 0) {
+          const exec = context.executor as Executor;
+          return await exec.call('mod.freq', { count: count - 1 }, context);
+        }
+        return { count: 0 };
+      },
+      moduleId: 'mod.freq',
+      inputSchema: Type.Object({ count: Type.Number() }),
+      outputSchema: Type.Object({ count: Type.Number() }),
+      description: 'Frequent module',
+    }));
+
+    const config = new Config({ executor: { max_module_repeat: 2 } });
+    const executor = new Executor({ registry, config });
+
+    await expect(executor.call('mod.freq', { count: 5 })).rejects.toThrow(CallFrequencyExceededError);
+  });
+});

package/tests/integration/test-binding-executor.test.ts

@@ -0,0 +1,194 @@
+import { describe, it, expect, beforeEach, afterEach } from 'vitest';
+import { mkdtempSync, writeFileSync, mkdirSync, rmSync } from 'node:fs';
+import { join } from 'node:path';
+import { tmpdir } from 'node:os';
+import { Type } from '@sinclair/typebox';
+import { BindingLoader } from '../../src/bindings.js';
+import { Registry } from '../../src/registry/registry.js';
+import { Executor } from '../../src/executor.js';
+import { FunctionModule } from '../../src/decorator.js';
+import { Context, createIdentity } from '../../src/context.js';
+import { InMemoryExporter, TracingMiddleware } from '../../src/observability/tracing.js';
+import { MetricsCollector, MetricsMiddleware } from '../../src/observability/metrics.js';
+
+let tmpDir: string;
+let registry: Registry;
+let loader: BindingLoader;
+
+beforeEach(() => {
+  tmpDir = mkdtempSync(join(tmpdir(), 'binding-executor-test-'));
+  registry = new Registry();
+  loader = new BindingLoader();
+});
+
+afterEach(() => {
+  rmSync(tmpDir, { recursive: true, force: true });
+});
+
+function writeTempModule(filename: string, content: string): string {
+  const filePath = join(tmpDir, filename);
+  writeFileSync(filePath, content, 'utf-8');
+  return filePath;
+}
+
+function writeTempYaml(filename: string, content: string): string {
+  const filePath = join(tmpDir, filename);
+  writeFileSync(filePath, content, 'utf-8');
+  return filePath;
+}
+
+describe('Binding + Registry + Executor', () => {
+  it('loads binding and executes through executor', async () => {
+    const modPath = writeTempModule(
+      'greet.mjs',
+      'export function greet(inputs) { return { greeting: "Hello, " + inputs.name }; }\n',
+    );
+    const yamlPath = writeTempYaml(
+      'greet.binding.yaml',
+      `bindings:\n  - module_id: "test.greet"\n    target: "${modPath}:greet"\n    description: "Greet module"\n`,
+    );
+
+    await loader.loadBindings(yamlPath, registry);
+    expect(registry.has('test.greet')).toBe(true);
+
+    const executor = new Executor({ registry });
+    const result = await executor.call('test.greet', { name: 'World' });
+    expect(result['greeting']).toBe('Hello, World');
+  });
+
+  it('binding with inline schemas validates inputs', async () => {
+    const modPath = writeTempModule(
+      'validated.mjs',
+      'export function handle(inputs) { return { result: inputs.name }; }\n',
+    );
+    const yamlPath = writeTempYaml(
+      'validated.binding.yaml',
+      `bindings:\n  - module_id: "test.validated"\n    target: "${modPath}:handle"\n    input_schema:\n      type: object\n      properties:\n        name:\n          type: string\n      required:\n        - name\n`,
+    );
+
+    await loader.loadBindings(yamlPath, registry);
+    const executor = new Executor({ registry });
+
+    // Valid input succeeds
+    const result = await executor.call('test.validated', { name: 'Alice' });
+    expect(result['result']).toBe('Alice');
+
+    // Invalid input fails (number instead of string)
+    await expect(executor.call('test.validated', { name: 123 })).rejects.toThrow();
+  });
+
+  it('loads multiple bindings from directory and executes all', async () => {
+    const modPath = writeTempModule(
+      'multi.mjs',
+      'export function alpha() { return { id: "alpha" }; }\nexport function beta() { return { id: "beta" }; }\n',
+    );
+
+    writeTempYaml(
+      'alpha.binding.yaml',
+      `bindings:\n  - module_id: "dir.alpha"\n    target: "${modPath}:alpha"\n`,
+    );
+    writeTempYaml(
+      'beta.binding.yaml',
+      `bindings:\n  - module_id: "dir.beta"\n    target: "${modPath}:beta"\n`,
+    );
+
+    await loader.loadBindingDir(tmpDir, registry);
+    expect(registry.has('dir.alpha')).toBe(true);
+    expect(registry.has('dir.beta')).toBe(true);
+
+    const executor = new Executor({ registry });
+
+    const r1 = await executor.call('dir.alpha', {});
+    expect(r1['id']).toBe('alpha');
+
+    const r2 = await executor.call('dir.beta', {});
+    expect(r2['id']).toBe('beta');
+  });
+
+  it('binding module with tracing and metrics', async () => {
+    const modPath = writeTempModule(
+      'traced.mjs',
+      'export function handler(inputs) { return { ok: true }; }\n',
+    );
+    const yamlPath = writeTempYaml(
+      'traced.binding.yaml',
+      `bindings:\n  - module_id: "test.traced"\n    target: "${modPath}:handler"\n`,
+    );
+
+    await loader.loadBindings(yamlPath, registry);
+
+    const exporter = new InMemoryExporter();
+    const metrics = new MetricsCollector();
+    const executor = new Executor({
+      registry,
+      middlewares: [new TracingMiddleware(exporter), new MetricsMiddleware(metrics)],
+    });
+
+    const result = await executor.call('test.traced', {});
+    expect(result['ok']).toBe(true);
+
+    // Verify span exported
+    const spans = exporter.getSpans();
+    expect(spans).toHaveLength(1);
+    expect(spans[0].status).toBe('ok');
+    expect(spans[0].attributes['moduleId']).toBe('test.traced');
+
+    // Verify metrics recorded
+    const snap = metrics.snapshot();
+    const counters = snap['counters'] as Record<string, number>;
+    expect(counters['apcore_module_calls_total|module_id=test.traced,status=success']).toBe(1);
+  });
+
+  it('binding module receives context with identity', async () => {
+    const modPath = writeTempModule(
+      'ctx_aware.mjs',
+      'export function handle(inputs, context) { return { callerId: context?.callerId ?? "none", hasIdentity: context?.identity != null }; }\n',
+    );
+    const yamlPath = writeTempYaml(
+      'ctx.binding.yaml',
+      `bindings:\n  - module_id: "test.ctx"\n    target: "${modPath}:handle"\n`,
+    );
+
+    await loader.loadBindings(yamlPath, registry);
+
+    const executor = new Executor({ registry });
+    const identity = createIdentity('user123', 'user', ['admin']);
+    const ctx = Context.create(executor, identity);
+
+    const result = await executor.call('test.ctx', {}, ctx);
+    expect(result['hasIdentity']).toBe(true);
+  });
+
+  it('mixed bindings and FunctionModule in same registry', async () => {
+    // Register FunctionModule directly
+    registry.register('direct.add', new FunctionModule({
+      execute: (inputs) => ({ sum: (inputs['a'] as number) + (inputs['b'] as number) }),
+      moduleId: 'direct.add',
+      inputSchema: Type.Object({ a: Type.Number(), b: Type.Number() }),
+      outputSchema: Type.Object({ sum: Type.Number() }),
+      description: 'Direct add',
+    }));
+
+    // Load binding
+    const modPath = writeTempModule(
+      'multiply.mjs',
+      'export function multiply(inputs) { return { product: inputs.a * inputs.b }; }\n',
+    );
+    const yamlPath = writeTempYaml(
+      'multiply.binding.yaml',
+      `bindings:\n  - module_id: "binding.multiply"\n    target: "${modPath}:multiply"\n`,
+    );
+    await loader.loadBindings(yamlPath, registry);
+
+    expect(registry.has('direct.add')).toBe(true);
+    expect(registry.has('binding.multiply')).toBe(true);
+
+    const executor = new Executor({ registry });
+
+    const addResult = await executor.call('direct.add', { a: 5, b: 3 });
+    expect(addResult['sum']).toBe(8);
+
+    const mulResult = await executor.call('binding.multiply', { a: 5, b: 3 });
+    expect(mulResult['product']).toBe(15);
+  });
+});

package/tests/integration/test-e2e-flow.test.ts

@@ -0,0 +1,117 @@
+import { describe, it, expect } from 'vitest';
+import { Type } from '@sinclair/typebox';
+import { Context, createIdentity } from '../../src/context.js';
+import { Executor } from '../../src/executor.js';
+import { FunctionModule } from '../../src/decorator.js';
+import { Registry } from '../../src/registry/registry.js';
+import { ACL } from '../../src/acl.js';
+import { Middleware } from '../../src/middleware/base.js';
+import { MetricsCollector, MetricsMiddleware } from '../../src/observability/metrics.js';
+import { InMemoryExporter, TracingMiddleware } from '../../src/observability/tracing.js';
+
+describe('E2E Flow', () => {
+  it('full pipeline: register, execute, collect metrics', async () => {
+    const registry = new Registry();
+    const greet = new FunctionModule({
+      execute: (inputs) => ({ greeting: `Hello, ${inputs['name']}!` }),
+      moduleId: 'example.greet',
+      inputSchema: Type.Object({ name: Type.String() }),
+      outputSchema: Type.Object({ greeting: Type.String() }),
+      description: 'Greet a user',
+    });
+    registry.register('example.greet', greet);
+
+    const metrics = new MetricsCollector();
+    const exporter = new InMemoryExporter();
+    const executor = new Executor({
+      registry,
+      middlewares: [
+        new MetricsMiddleware(metrics),
+        new TracingMiddleware(exporter),
+      ],
+    });
+
+    const result = await executor.call('example.greet', { name: 'World' });
+    expect(result['greeting']).toBe('Hello, World!');
+
+    const snap = metrics.snapshot();
+    const counters = snap['counters'] as Record<string, number>;
+    expect(counters['apcore_module_calls_total|module_id=example.greet,status=success']).toBe(1);
+
+    const spans = exporter.getSpans();
+    expect(spans).toHaveLength(1);
+    expect(spans[0].status).toBe('ok');
+  });
+
+  it('ACL deny blocks execution', async () => {
+    const registry = new Registry();
+    registry.register('secret', new FunctionModule({
+      execute: () => ({ data: 'classified' }),
+      moduleId: 'secret',
+      inputSchema: Type.Object({}),
+      outputSchema: Type.Object({ data: Type.String() }),
+      description: 'Secret module',
+    }));
+
+    const acl = new ACL([
+      { callers: ['@external'], targets: ['secret'], effect: 'deny', description: 'block externals' },
+    ], 'deny');
+
+    const executor = new Executor({ registry, acl });
+    await expect(executor.call('secret')).rejects.toThrow();
+  });
+
+  it('multiple module calls with context chaining', async () => {
+    const registry = new Registry();
+    const modA = new FunctionModule({
+      execute: (inputs) => ({ value: (inputs['x'] as number) * 2 }),
+      moduleId: 'math.double',
+      inputSchema: Type.Object({ x: Type.Number() }),
+      outputSchema: Type.Object({ value: Type.Number() }),
+      description: 'Double a number',
+    });
+    const modB = new FunctionModule({
+      execute: (inputs) => ({ value: (inputs['x'] as number) + 10 }),
+      moduleId: 'math.addTen',
+      inputSchema: Type.Object({ x: Type.Number() }),
+      outputSchema: Type.Object({ value: Type.Number() }),
+      description: 'Add ten',
+    });
+    registry.register('math.double', modA);
+    registry.register('math.addTen', modB);
+
+    const executor = new Executor({ registry });
+    const ctx = Context.create(executor, createIdentity('test-user'));
+
+    const r1 = await executor.call('math.double', { x: 5 }, ctx);
+    expect(r1['value']).toBe(10);
+
+    const r2 = await executor.call('math.addTen', { x: r1['value'] as number }, ctx);
+    expect(r2['value']).toBe(20);
+  });
+
+  it('middleware intercepts and transforms', async () => {
+    const registry = new Registry();
+    registry.register('echo', new FunctionModule({
+      execute: (inputs) => ({ echo: inputs['msg'] }),
+      moduleId: 'echo',
+      inputSchema: Type.Object({ msg: Type.String() }),
+      outputSchema: Type.Object({ echo: Type.String() }),
+      description: 'Echo back',
+    }));
+
+    class UppercaseMiddleware extends Middleware {
+      override after(
+        _moduleId: string,
+        _inputs: Record<string, unknown>,
+        output: Record<string, unknown>,
+      ): Record<string, unknown> {
+        return { echo: (output['echo'] as string).toUpperCase() };
+      }
+    }
+
+    const executor = new Executor({ registry, middlewares: [new UppercaseMiddleware()] });
+    const result = await executor.call('echo', { msg: 'hello' });
+    expect(result['echo']).toBe('HELLO');
+  });
+});