apcore-js 0.3.0 → 0.5.0

package/tests/test-acl.test.ts

@@ -1,5 +1,9 @@
-import { describe, it, expect } from 'vitest';
+import { describe, it, expect, beforeEach, afterEach } from 'vitest';
+import { writeFileSync, mkdtempSync, rmSync } from 'node:fs';
+import { join } from 'node:path';
+import { tmpdir } from 'node:os';
 import { ACL } from '../src/acl.js';
+import { ACLRuleError, ConfigNotFoundError } from '../src/errors.js';
 import { Context, createIdentity } from '../src/context.js';
 
 function makeContext(opts: {
@@ -204,3 +208,216 @@ describe('ACL', () => {
     expect(acl.removeRule(['x'], ['y'])).toBe(false);
   });
 });
+
+describe('ACL.load', () => {
+  let tmpDir: string;
+
+  beforeEach(() => {
+    tmpDir = mkdtempSync(join(tmpdir(), 'acl-test-'));
+  });
+
+  afterEach(() => {
+    rmSync(tmpDir, { recursive: true, force: true });
+  });
+
+  it('loads valid ACL from a YAML file', () => {
+    const yamlContent = `
+rules:
+  - callers: ["module.a"]
+    targets: ["module.b"]
+    effect: allow
+    description: "allow a to b"
+`;
+    const filePath = join(tmpDir, 'acl.yaml');
+    writeFileSync(filePath, yamlContent, 'utf-8');
+
+    const acl = ACL.load(filePath);
+    expect(acl.check('module.a', 'module.b')).toBe(true);
+    expect(acl.check('module.x', 'module.y')).toBe(false);
+  });
+
+  it('loads ACL with custom default_effect from YAML', () => {
+    const yamlContent = `
+default_effect: allow
+rules: []
+`;
+    const filePath = join(tmpDir, 'acl.yaml');
+    writeFileSync(filePath, yamlContent, 'utf-8');
+
+    const acl = ACL.load(filePath);
+    expect(acl.check('any.caller', 'any.target')).toBe(true);
+  });
+
+  it('throws ConfigNotFoundError for missing file', () => {
+    const missingPath = join(tmpDir, 'nonexistent.yaml');
+    expect(() => ACL.load(missingPath)).toThrow(ConfigNotFoundError);
+  });
+
+  it('throws ACLRuleError for invalid YAML syntax', () => {
+    const filePath = join(tmpDir, 'bad.yaml');
+    writeFileSync(filePath, ':\n  :\n    - [invalid', 'utf-8');
+
+    expect(() => ACL.load(filePath)).toThrow(ACLRuleError);
+  });
+
+  it('throws ACLRuleError when YAML is not a mapping', () => {
+    const filePath = join(tmpDir, 'array.yaml');
+    writeFileSync(filePath, '- item1\n- item2\n', 'utf-8');
+
+    expect(() => ACL.load(filePath)).toThrow(ACLRuleError);
+    expect(() => ACL.load(filePath)).toThrow(/must be a mapping/);
+  });
+
+  it('throws ACLRuleError when YAML is a scalar', () => {
+    const filePath = join(tmpDir, 'scalar.yaml');
+    writeFileSync(filePath, 'just a string\n', 'utf-8');
+
+    expect(() => ACL.load(filePath)).toThrow(ACLRuleError);
+    expect(() => ACL.load(filePath)).toThrow(/must be a mapping/);
+  });
+
+  it('throws ACLRuleError when rules key is missing', () => {
+    const filePath = join(tmpDir, 'norules.yaml');
+    writeFileSync(filePath, 'default_effect: allow\n', 'utf-8');
+
+    expect(() => ACL.load(filePath)).toThrow(ACLRuleError);
+    expect(() => ACL.load(filePath)).toThrow(/missing required 'rules' key/);
+  });
+
+  it('throws ACLRuleError when rules is not an array', () => {
+    const filePath = join(tmpDir, 'badrules.yaml');
+    writeFileSync(filePath, 'rules: "not-a-list"\n', 'utf-8');
+
+    expect(() => ACL.load(filePath)).toThrow(ACLRuleError);
+    expect(() => ACL.load(filePath)).toThrow(/'rules' must be a list/);
+  });
+
+  it('loads ACL with multiple rules and conditions', () => {
+    const yamlContent = `
+rules:
+  - callers: ["*"]
+    targets: ["admin.panel"]
+    effect: allow
+    description: "admin access"
+    conditions:
+      roles: ["admin"]
+  - callers: ["*"]
+    targets: ["*"]
+    effect: deny
+    description: "deny all"
+`;
+    const filePath = join(tmpDir, 'multi.yaml');
+    writeFileSync(filePath, yamlContent, 'utf-8');
+
+    const acl = ACL.load(filePath);
+    const adminCtx = makeContext({ identityType: 'user', roles: ['admin'] });
+    const userCtx = makeContext({ identityType: 'user', roles: ['viewer'] });
+
+    expect(acl.check('mod.a', 'admin.panel', adminCtx)).toBe(true);
+    expect(acl.check('mod.a', 'admin.panel', userCtx)).toBe(false);
+  });
+});
+
+describe('ACL.reload', () => {
+  let tmpDir: string;
+
+  beforeEach(() => {
+    tmpDir = mkdtempSync(join(tmpdir(), 'acl-reload-'));
+  });
+
+  afterEach(() => {
+    rmSync(tmpDir, { recursive: true, force: true });
+  });
+
+  it('reloads updated rules from the same YAML file', () => {
+    const filePath = join(tmpDir, 'acl.yaml');
+    writeFileSync(filePath, `
+rules:
+  - callers: ["module.a"]
+    targets: ["module.b"]
+    effect: deny
+    description: "initial deny"
+`, 'utf-8');
+
+    const acl = ACL.load(filePath);
+    expect(acl.check('module.a', 'module.b')).toBe(false);
+
+    writeFileSync(filePath, `
+rules:
+  - callers: ["module.a"]
+    targets: ["module.b"]
+    effect: allow
+    description: "updated allow"
+`, 'utf-8');
+
+    acl.reload();
+    expect(acl.check('module.a', 'module.b')).toBe(true);
+  });
+
+  it('throws ACLRuleError when ACL was not loaded from a file', () => {
+    const acl = new ACL([
+      { callers: ['*'], targets: ['*'], effect: 'allow', description: '' },
+    ]);
+
+    expect(() => acl.reload()).toThrow(ACLRuleError);
+    expect(() => acl.reload()).toThrow(/Cannot reload/);
+  });
+});
+
+describe('ACL constructor validation', () => {
+  it('throws ACLRuleError for invalid defaultEffect', () => {
+    expect(() => new ACL([], 'block')).toThrow(ACLRuleError);
+    expect(() => new ACL([], 'block')).toThrow(/Invalid default_effect/);
+  });
+
+  it('throws ACLRuleError for empty string defaultEffect', () => {
+    expect(() => new ACL([], '')).toThrow(ACLRuleError);
+  });
+});
+
+describe('ACL condition validation', () => {
+  it('returns false when identity_types condition is not an array', () => {
+    const acl = new ACL([{
+      callers: ['*'], targets: ['target'], effect: 'allow', description: '',
+      conditions: { identity_types: 'admin' },
+    }]);
+    const ctx = makeContext({ identityType: 'admin' });
+    expect(acl.check('mod.a', 'target', ctx)).toBe(false);
+  });
+
+  it('returns false when roles condition is not an array', () => {
+    const acl = new ACL([{
+      callers: ['*'], targets: ['target'], effect: 'allow', description: '',
+      conditions: { roles: 'admin' },
+    }]);
+    const ctx = makeContext({ identityType: 'user', roles: ['admin'] });
+    expect(acl.check('mod.a', 'target', ctx)).toBe(false);
+  });
+
+  it('returns false when max_call_depth condition is not a number', () => {
+    const acl = new ACL([{
+      callers: ['*'], targets: ['target'], effect: 'allow', description: '',
+      conditions: { max_call_depth: '5' },
+    }]);
+    const ctx = makeContext({ callChain: ['a'] });
+    expect(acl.check('mod.a', 'target', ctx)).toBe(false);
+  });
+
+  it('returns false for roles condition when identity is null', () => {
+    const acl = new ACL([{
+      callers: ['*'], targets: ['target'], effect: 'allow', description: '',
+      conditions: { roles: ['admin'] },
+    }]);
+    const ctx = makeContext({});
+    expect(acl.check('mod.a', 'target', ctx)).toBe(false);
+  });
+
+  it('returns false for identity_types condition when identity is null', () => {
+    const acl = new ACL([{
+      callers: ['*'], targets: ['target'], effect: 'allow', description: '',
+      conditions: { identity_types: ['admin'] },
+    }]);
+    const ctx = makeContext({});
+    expect(acl.check('mod.a', 'target', ctx)).toBe(false);
+  });
+});

package/tests/test-cancel.test.ts

@@ -0,0 +1,71 @@
+import { describe, it, expect } from 'vitest';
+import { Type } from '@sinclair/typebox';
+import { CancelToken, ExecutionCancelledError } from '../src/cancel.js';
+import { Context } from '../src/context.js';
+import { Executor } from '../src/executor.js';
+import { FunctionModule } from '../src/decorator.js';
+import { Registry } from '../src/registry/registry.js';
+
+describe('CancelToken', () => {
+  it('is initially not cancelled', () => {
+    const token = new CancelToken();
+    expect(token.isCancelled).toBe(false);
+  });
+
+  it('sets flag after cancel()', () => {
+    const token = new CancelToken();
+    token.cancel();
+    expect(token.isCancelled).toBe(true);
+  });
+
+  it('check() does nothing when not cancelled', () => {
+    const token = new CancelToken();
+    expect(() => token.check()).not.toThrow();
+  });
+
+  it('check() throws ExecutionCancelledError when cancelled', () => {
+    const token = new CancelToken();
+    token.cancel();
+    expect(() => token.check()).toThrow(ExecutionCancelledError);
+  });
+
+  it('reset() clears cancellation', () => {
+    const token = new CancelToken();
+    token.cancel();
+    expect(token.isCancelled).toBe(true);
+    token.reset();
+    expect(token.isCancelled).toBe(false);
+    expect(() => token.check()).not.toThrow();
+  });
+});
+
+describe('Executor cancellation', () => {
+  it('respects cancelled token before execution', async () => {
+    const registry = new Registry();
+    const mod = new FunctionModule({
+      execute: () => ({ result: 'ok' }),
+      moduleId: 'test.module',
+      inputSchema: Type.Object({}),
+      outputSchema: Type.Object({ result: Type.String() }),
+      description: 'Simple module',
+    });
+    registry.register('test.module', mod);
+
+    const executor = new Executor({ registry });
+    const token = new CancelToken();
+    token.cancel();
+
+    const ctx = new Context(
+      'trace-1',
+      null,
+      [],
+      executor,
+      null,
+      null,
+      {},
+      token,
+    );
+
+    await expect(executor.call('test.module', {}, ctx)).rejects.toThrow(ExecutionCancelledError);
+  });
+});

package/tests/test-context.test.ts

@@ -149,3 +149,118 @@ describe('Context.child()', () => {
     expect(parent.callChain).toEqual(chainBefore);
   });
 });
+
+describe('Context.toJSON() / Context.fromJSON()', () => {
+  it('round-trips context with identity', () => {
+    const identity = createIdentity('user-42', 'admin', ['superuser', 'editor'], { org: 'acme' });
+    const executor = { name: 'test-executor' };
+    const original = new Context(
+      'trace-abc',
+      'caller-1',
+      ['mod.a', 'mod.b'],
+      executor,
+      identity,
+      { password: '***' },
+      { transient: 'value' },
+    );
+
+    const serialized = original.toJSON();
+    const restored = Context.fromJSON(serialized);
+
+    expect(restored.traceId).toBe(original.traceId);
+    expect(restored.callerId).toBe(original.callerId);
+    expect(restored.callChain).toEqual(['mod.a', 'mod.b']);
+    expect(restored.identity).not.toBeNull();
+    expect(restored.identity!.id).toBe('user-42');
+    expect(restored.identity!.type).toBe('admin');
+    expect([...restored.identity!.roles]).toEqual(['superuser', 'editor']);
+    expect({ ...restored.identity!.attrs }).toEqual({ org: 'acme' });
+    expect(restored.redactedInputs).toEqual({ password: '***' });
+    expect(restored.data).toEqual({ transient: 'value' });
+  });
+
+  it('round-trips context without identity', () => {
+    const original = new Context('trace-xyz', null, [], null, null, null);
+    const serialized = original.toJSON();
+    const restored = Context.fromJSON(serialized);
+
+    expect(restored.traceId).toBe('trace-xyz');
+    expect(restored.callerId).toBeNull();
+    expect(restored.callChain).toEqual([]);
+    expect(restored.identity).toBeNull();
+    expect(restored.redactedInputs).toBeNull();
+  });
+
+  it('excludes executor from toJSON output but includes data', () => {
+    const ctx = new Context('trace-1', null, [], 'my-executor', null, null, { key: 'included' });
+    const serialized = ctx.toJSON();
+
+    expect(serialized).not.toHaveProperty('executor');
+    expect(serialized).toHaveProperty('data');
+    expect(serialized.data).toEqual({ key: 'included' });
+  });
+
+  it('re-injects executor via fromJSON', () => {
+    const ctx = new Context('trace-2', null, [], 'original-exec');
+    const serialized = ctx.toJSON();
+    const newExecutor = { name: 'new-executor' };
+    const restored = Context.fromJSON(serialized, newExecutor);
+
+    expect(restored.executor).toBe(newExecutor);
+  });
+
+  it('defaults executor to null when not provided to fromJSON', () => {
+    const serialized = { traceId: 't1', callerId: null, callChain: [], identity: null, redactedInputs: null };
+    const restored = Context.fromJSON(serialized);
+    expect(restored.executor).toBeNull();
+  });
+
+  it('toJSON returns copies, not references', () => {
+    const identity = createIdentity('u1', 'user', ['r1'], { k: 'v' });
+    const ctx = new Context('t1', null, ['a', 'b'], null, identity, { field: 'val' }, { shared: true });
+    const serialized = ctx.toJSON();
+
+    // Mutate serialized copies
+    (serialized.callChain as string[]).push('mutated');
+    (serialized.identity as Record<string, unknown>).id = 'mutated';
+    (serialized.redactedInputs as Record<string, unknown>).extra = true;
+    (serialized.data as Record<string, unknown>).extra = true;
+
+    // Originals unchanged
+    expect(ctx.callChain).toEqual(['a', 'b']);
+    expect(ctx.identity!.id).toBe('u1');
+    expect(ctx.redactedInputs).toEqual({ field: 'val' });
+    expect(ctx.data).toEqual({ shared: true });
+  });
+
+  it('toJSON excludes internal keys starting with _', () => {
+    const ctx = Context.create();
+    ctx.data['visible'] = 'yes';
+    ctx.data['_tracing_spans'] = [1, 2, 3];
+    ctx.data['_internal'] = 42;
+    const serialized = ctx.toJSON();
+    const data = serialized.data as Record<string, unknown>;
+    expect(data['visible']).toBe('yes');
+    expect(data['_tracing_spans']).toBeUndefined();
+    expect(data['_internal']).toBeUndefined();
+  });
+
+  it('fromJSON handles null roles and attrs gracefully', () => {
+    const json = {
+      traceId: 'test-id',
+      callerId: null,
+      callChain: [],
+      identity: {
+        id: 'user-1',
+        type: 'user',
+        roles: null,
+        attrs: null,
+      },
+      data: {},
+    };
+    const ctx = Context.fromJSON(json);
+    expect(ctx.identity).toBeDefined();
+    expect(ctx.identity!.roles).toEqual([]);
+    expect(ctx.identity!.attrs).toEqual({});
+  });
+});