canopycms 0.0.0 → 0.0.1

package/src/__integration__/permissions/role-permissions.test.ts

@@ -1,354 +0,0 @@
-/**
- * Integration tests for role-based permissions.
- * Tests admin, reviewer, and editor roles with different privilege levels.
- * Tests go through the HTTP API layer.
- */
-
-import { describe, it, expect, beforeEach, afterEach } from 'vitest'
-
-import { createTestWorkspace, type TestWorkspace } from '../test-utils/test-workspace'
-import { createMockAuthPlugin } from '../test-utils/multi-user'
-import { createApiClient } from '../test-utils/api-client'
-import { BLOG_SCHEMA } from '../fixtures/schemas'
-import type { BranchResponse, BranchListResponse } from '../../api/branch'
-
-describe('Role Permission Integration', () => {
-  let workspace: TestWorkspace
-  let adminClient: Awaited<ReturnType<typeof createApiClient>>
-  let reviewerClient: Awaited<ReturnType<typeof createApiClient>>
-  let editorClient: Awaited<ReturnType<typeof createApiClient>>
-
-  beforeEach(async () => {
-    workspace = await createTestWorkspace({
-      schema: BLOG_SCHEMA,
-    })
-
-    adminClient = await createApiClient({
-      config: workspace.config,
-      authPlugin: createMockAuthPlugin('admin'),
-      schema: BLOG_SCHEMA,
-    })
-
-    reviewerClient = await createApiClient({
-      config: workspace.config,
-      authPlugin: createMockAuthPlugin('reviewer'),
-      schema: BLOG_SCHEMA,
-    })
-
-    editorClient = await createApiClient({
-      config: workspace.config,
-      authPlugin: createMockAuthPlugin('editor'),
-      schema: BLOG_SCHEMA,
-    })
-  })
-
-  afterEach(async () => {
-    await workspace.cleanup()
-  })
-
-  it('allows admin to access all branches', async () => {
-    // Editor creates a branch
-    const editorBranchResponse = await editorClient.post('/api/canopycms/branches', {
-      branch: 'editor-branch',
-      title: 'Editor Branch',
-    })
-
-    expect(editorBranchResponse.status).toBe(200)
-
-    // Admin can access editor's branch
-    const adminAccessResponse = await adminClient.get('/api/canopycms/editor-branch/status')
-
-    expect(adminAccessResponse.status).toBe(200)
-    const status = await adminAccessResponse.json<BranchResponse>()
-    expect(status.data?.branch.name).toBe('editor-branch')
-  })
-
-  it('allows admin to modify any branch access control', async () => {
-    // Editor creates a branch
-    await editorClient.post('/api/canopycms/branches', {
-      branch: 'test-branch',
-      title: 'Test Branch',
-    })
-
-    // Admin modifies access control
-    const patchResponse = await adminClient.patch('/api/canopycms/test-branch/access', {
-      allowedUsers: ['test-admin'],
-      allowedGroups: [],
-    })
-
-    expect(patchResponse.status).toBe(200)
-
-    // Verify access was restricted
-    const editorAccessResponse = await editorClient.get('/api/canopycms/test-branch/status')
-
-    expect(editorAccessResponse.status).toBe(403)
-  })
-
-  it('allows reviewer to view all branches but not modify access', async () => {
-    // Editor creates a branch
-    await editorClient.post('/api/canopycms/branches', {
-      branch: 'reviewer-test',
-      title: 'Reviewer Test',
-    })
-
-    // Reviewer can view the branch
-    const viewResponse = await reviewerClient.get('/api/canopycms/reviewer-test/status')
-
-    expect(viewResponse.status).toBe(200)
-
-    // Reviewer cannot modify access control
-    const patchResponse = await reviewerClient.patch('/api/canopycms/reviewer-test/access', {
-      allowedUsers: ['test-reviewer'],
-      allowedGroups: [],
-    })
-
-    expect(patchResponse.status).toBe(403)
-  })
-
-  it('restricts editor to their own branches by default', async () => {
-    // Editor creates their own branch
-    const createResponse = await editorClient.post('/api/canopycms/branches', {
-      branch: 'my-branch',
-      title: 'My Branch',
-    })
-
-    expect(createResponse.status).toBe(200)
-
-    // Editor can access their own branch
-    const ownAccessResponse = await editorClient.get('/api/canopycms/my-branch/status')
-
-    expect(ownAccessResponse.status).toBe(200)
-
-    // Admin creates a restricted branch
-    await adminClient.post('/api/canopycms/branches', {
-      branch: 'admin-branch',
-      title: 'Admin Branch',
-    })
-
-    await adminClient.patch('/api/canopycms/admin-branch/access', {
-      allowedUsers: ['test-admin'],
-      allowedGroups: [],
-    })
-
-    // Editor cannot access admin's restricted branch
-    const adminBranchResponse = await editorClient.get('/api/canopycms/admin-branch/status')
-
-    expect(adminBranchResponse.status).toBe(403)
-  })
-
-  it('allows reviewer to approve branches', async () => {
-    // Editor creates and submits a branch
-    await editorClient.post('/api/canopycms/branches', {
-      branch: 'approval-test',
-      title: 'Approval Test',
-    })
-
-    await editorClient.post('/api/canopycms/approval-test/submit', {
-      message: 'Ready for review',
-    })
-
-    // Reviewer approves
-    const approveResponse = await reviewerClient.post('/api/canopycms/approval-test/approve', {
-      message: 'Looks good',
-    })
-
-    expect(approveResponse.status).toBe(200)
-    const approveData = await approveResponse.json<BranchResponse>()
-    expect(approveData.data?.branch.status).toBe('approved')
-  })
-
-  it('prevents editor from approving their own branch', async () => {
-    // Editor creates and submits a branch
-    await editorClient.post('/api/canopycms/branches', {
-      branch: 'self-approve-test',
-      title: 'Self Approve Test',
-    })
-
-    await editorClient.post('/api/canopycms/self-approve-test/submit', {
-      message: 'Ready',
-    })
-
-    // Editor tries to approve their own branch
-    const approveResponse = await editorClient.post('/api/canopycms/self-approve-test/approve', {
-      message: 'Approving my own work',
-    })
-
-    expect(approveResponse.status).toBe(403)
-  })
-
-  it('allows admin to perform privileged operations', async () => {
-    // Editor creates a branch
-    await editorClient.post('/api/canopycms/branches', {
-      branch: 'privileged-test',
-      title: 'Privileged Test',
-    })
-
-    // Admin can delete the branch (privileged operation)
-    const deleteResponse = await adminClient.delete('/api/canopycms/privileged-test')
-
-    expect(deleteResponse.status).toBe(200)
-
-    // Verify branch is deleted
-    const statusResponse = await adminClient.get('/api/canopycms/privileged-test/status')
-
-    expect(statusResponse.status).toBe(404)
-  })
-
-  it('prevents non-creator non-admin from deleting branches', async () => {
-    // Admin creates a branch
-    await adminClient.post('/api/canopycms/branches', {
-      branch: 'delete-test',
-      title: 'Delete Test',
-    })
-
-    // Editor tries to delete (not creator, not admin) - should fail
-    const editorDeleteResponse = await editorClient.delete('/api/canopycms/delete-test')
-
-    expect(editorDeleteResponse.status).toBe(403)
-
-    // Reviewer tries to delete (not creator, not admin) - should fail
-    const reviewerDeleteResponse = await reviewerClient.delete('/api/canopycms/delete-test')
-
-    expect(reviewerDeleteResponse.status).toBe(403)
-  })
-
-  it('allows reviewer to request changes but not edit content', async () => {
-    // Editor creates and submits branch
-    await editorClient.post('/api/canopycms/branches', {
-      branch: 'changes-test',
-      title: 'Changes Test',
-    })
-
-    await editorClient.post('/api/canopycms/changes-test/submit', {
-      message: 'Ready',
-    })
-
-    // Reviewer can request changes
-    const requestResponse = await reviewerClient.post(
-      '/api/canopycms/changes-test/request-changes',
-      {
-        message: 'Needs work',
-      },
-    )
-
-    expect(requestResponse.status).toBe(200)
-
-    // Reviewer cannot write content (even after requesting changes)
-    await reviewerClient.put('/api/canopycms/changes-test/content/posts/test', {
-      collection: 'content/posts',
-      slug: 'test',
-      format: 'mdx',
-      data: {
-        title: 'Test',
-        author: 'Reviewer',
-        date: '2024-01-01',
-        tags: [],
-      },
-      body: 'Content',
-    })
-
-    // This might succeed if defaultPathAccess is 'allow', but the test demonstrates
-    // that reviewers have read-only access by role
-    // TODO: Once we have proper role-based write restrictions, this should be 403
-    // expect(writeResponse.status).toBe(403)
-  })
-
-  it('respects group-based permissions', async () => {
-    // Create branch and restrict to specific groups
-    await adminClient.post('/api/canopycms/branches', {
-      branch: 'group-test',
-      title: 'Group Test',
-      access: {
-        allowedGroups: ['Admins', 'Reviewers'],
-      },
-    })
-
-    // Admin (Admins group) can access
-    const adminAccessResponse = await adminClient.get('/api/canopycms/group-test/status')
-    expect(adminAccessResponse.status).toBe(200)
-
-    // Reviewer (Reviewers group) can access
-    const reviewerAccessResponse = await reviewerClient.get('/api/canopycms/group-test/status')
-    expect(reviewerAccessResponse.status).toBe(200)
-
-    // Editor (ContentEditors group) cannot access
-    const editorAccessResponse = await editorClient.get('/api/canopycms/group-test/status')
-    expect(editorAccessResponse.status).toBe(403)
-  })
-
-  it('lists only accessible branches per role', async () => {
-    // Create multiple branches with different access
-    await adminClient.post('/api/canopycms/branches', {
-      branch: 'admin-only',
-      title: 'Admin Only',
-      access: {
-        allowedUsers: ['test-admin'],
-      },
-    })
-
-    await editorClient.post('/api/canopycms/branches', {
-      branch: 'editor-branch',
-      title: 'Editor Branch',
-    })
-
-    await reviewerClient.post('/api/canopycms/branches', {
-      branch: 'reviewer-branch',
-      title: 'Reviewer Branch',
-    })
-
-    // Admin sees all branches
-    const adminListResponse = await adminClient.get('/api/canopycms/branches')
-    expect(adminListResponse.status).toBe(200)
-    const adminBranches = await adminListResponse.json<BranchListResponse>()
-    expect(adminBranches.data?.branches.length).toBeGreaterThanOrEqual(3)
-
-    // Editor sees their own + public branches (not admin-only)
-    const editorListResponse = await editorClient.get('/api/canopycms/branches')
-    expect(editorListResponse.status).toBe(200)
-    const editorBranches = await editorListResponse.json<BranchListResponse>()
-    const editorBranchNames = editorBranches.data?.branches.map((b) => b.name)
-    expect(editorBranchNames).toContain('editor-branch')
-    expect(editorBranchNames).not.toContain('admin-only')
-
-    // Reviewer sees all branches (privileged role)
-    const reviewerListResponse = await reviewerClient.get('/api/canopycms/branches')
-    expect(reviewerListResponse.status).toBe(200)
-    const reviewerBranches = await reviewerListResponse.json<BranchListResponse>()
-    expect(reviewerBranches.data?.branches.length).toBeGreaterThanOrEqual(3)
-  })
-
-  it('allows branch creator to delete their own branch', async () => {
-    // Editor creates branch
-    await editorClient.post('/api/canopycms/branches', {
-      branch: 'editor-own-branch',
-      title: 'Editor Own Branch',
-    })
-
-    // Editor deletes their own branch - should succeed
-    const deleteResponse = await editorClient.delete('/api/canopycms/editor-own-branch')
-
-    expect(deleteResponse.status).toBe(200)
-    expect(deleteResponse.ok).toBe(true)
-
-    // Verify branch is deleted
-    const statusResponse = await editorClient.get('/api/canopycms/editor-own-branch/status')
-    expect(statusResponse.status).toBe(404)
-  })
-
-  it('allows branch creator to modify access on their own branch', async () => {
-    // Editor creates branch
-    await editorClient.post('/api/canopycms/branches', {
-      branch: 'editor-access-branch',
-      title: 'Editor Access Branch',
-    })
-
-    // Editor modifies access on their own branch - should succeed
-    const response = await editorClient.patch('/api/canopycms/editor-access-branch/access', {
-      allowedUsers: ['other-user'],
-      allowedGroups: [],
-    })
-
-    expect(response.status).toBe(200)
-    expect(response.ok).toBe(true)
-  })
-})

package/src/__integration__/permissions/settings-branch-isolation.test.ts

@@ -1,317 +0,0 @@
-/**
- * Integration test to verify that permissions are read from the settings branch,
- * not from the current branch being accessed.
- *
- * This test creates a scenario where:
- * - Settings branch has restrictive permissions (only allow specific user)
- * - Main branch has permissive permissions (allow everyone)
- * - System must read from settings branch, not main branch
- */
-
-import { describe, it, expect, beforeEach, afterEach } from 'vitest'
-import path from 'node:path'
-import fs from 'node:fs/promises'
-
-import { createTestWorkspace, type TestWorkspace } from '../test-utils/test-workspace'
-import { BLOG_SCHEMA } from '../fixtures/schemas'
-import { BranchWorkspaceManager } from '../../branch-workspace'
-import { SettingsWorkspaceManager } from '../../settings-workspace'
-import { createTestServices } from '../../config-test'
-import type { PathPermission } from '../../config'
-import type { AuthenticatedUser } from '../../user'
-import { operatingStrategy } from '../../operating-mode'
-import { unsafeAsPermissionPath } from '../../authorization/test-utils'
-import { unsafeAsPhysicalPath } from '../../paths/test-utils'
-
-describe('Settings Branch Isolation', () => {
-  let workspace: TestWorkspace
-
-  beforeEach(async () => {
-    workspace = await createTestWorkspace({
-      schema: BLOG_SCHEMA,
-      defaultPathAccess: 'deny', // Default deny to ensure permissions are checked
-      mode: 'prod-sim',
-    })
-  })
-
-  afterEach(async () => {
-    await workspace.cleanup()
-  })
-
-  it('reads permissions from settings branch, not from main branch', async () => {
-    const restrictedUser: AuthenticatedUser = {
-      type: 'authenticated',
-      userId: 'restricted-user',
-      groups: [],
-    }
-    const allowedUser: AuthenticatedUser = {
-      type: 'authenticated',
-      userId: 'allowed-user',
-      groups: [],
-    }
-
-    const manager = new BranchWorkspaceManager(workspace.config)
-
-    // Create main branch
-    const mainBranch = await manager.openOrCreateBranch({
-      branchName: 'main',
-      mode: 'prod-sim',
-      createdBy: 'system',
-      remoteUrl: workspace.remotePath,
-    })
-
-    // Create settings workspace using SettingsWorkspaceManager
-    const settingsManager = new SettingsWorkspaceManager(workspace.config)
-    const strategy = operatingStrategy('prod-sim')
-    const settingsRoot = strategy.getSettingsRoot(workspace.tmpRoot)
-    const settingsBranchName = strategy.getSettingsBranchName({
-      settingsBranch: 'canopycms-settings',
-    })
-
-    await settingsManager.ensureGitWorkspace({
-      settingsRoot,
-      branchName: settingsBranchName,
-      mode: 'prod-sim',
-      remoteUrl: workspace.remotePath,
-    })
-
-    // Write PERMISSIVE permissions to main branch (the wrong place)
-    const mainPermissionsDir = mainBranch.branchRoot
-    await fs.mkdir(mainPermissionsDir, { recursive: true })
-    const mainPermissionsFile = path.join(mainPermissionsDir, 'permissions.json')
-    const permissiveRules: PathPermission[] = [
-      {
-        path: unsafeAsPermissionPath('content/**'),
-        read: {
-          allowedUsers: [restrictedUser.userId, allowedUser.userId, 'anonymous'],
-        },
-      },
-    ]
-    await fs.writeFile(
-      mainPermissionsFile,
-      JSON.stringify({
-        version: 1,
-        updatedAt: new Date().toISOString(),
-        updatedBy: 'test',
-        pathPermissions: permissiveRules,
-      }),
-    )
-
-    // Write RESTRICTIVE permissions to settings directory (the correct place)
-    await fs.mkdir(settingsRoot, { recursive: true })
-    const settingsPermissionsFile = path.join(settingsRoot, 'permissions.json')
-    const restrictiveRules: PathPermission[] = [
-      {
-        path: unsafeAsPermissionPath('content/posts/hello.mdx'),
-        read: {
-          allowedUsers: [allowedUser.userId], // Only allowedUser can read
-        },
-      },
-    ]
-    await fs.writeFile(
-      settingsPermissionsFile,
-      JSON.stringify({
-        version: 1,
-        updatedAt: new Date().toISOString(),
-        updatedBy: 'test',
-        pathPermissions: restrictiveRules,
-      }),
-    )
-
-    // Create services with prod-sim mode
-    const services = await createTestServices({
-      ...workspace.config,
-      schema: BLOG_SCHEMA,
-      mode: 'prod-sim',
-      settingsBranch: 'canopycms-settings',
-    })
-
-    // Check access for restrictedUser on main branch
-    // This should read from settings branch (restrictive), not main branch (permissive)
-    const restrictedUserAccess = await services.checkContentAccess(
-      mainBranch,
-      mainBranch.branchRoot,
-      unsafeAsPhysicalPath('content/posts/hello.mdx'),
-      restrictedUser,
-      'read',
-    )
-
-    // restrictedUser should be DENIED because settings branch doesn't allow them
-    expect(restrictedUserAccess.allowed).toBe(false)
-    expect(restrictedUserAccess.path.allowed).toBe(false)
-
-    // Verify it's not falling back to main branch's permissive rule
-    // If it were reading from main branch, this would be true
-    expect(restrictedUserAccess.path.reason).not.toBe('allowed_by_rule')
-
-    // Check access for allowedUser - should be allowed
-    const allowedUserAccess = await services.checkContentAccess(
-      mainBranch,
-      mainBranch.branchRoot,
-      unsafeAsPhysicalPath('content/posts/hello.mdx'),
-      allowedUser,
-      'read',
-    )
-
-    expect(allowedUserAccess.allowed).toBe(true)
-    expect(allowedUserAccess.path.allowed).toBe(true)
-    expect(allowedUserAccess.path.reason).toBe('allowed_by_rule')
-  })
-
-  it('does not read from current branch permissions file in prod-sim', async () => {
-    const user: AuthenticatedUser = {
-      type: 'authenticated',
-      userId: 'test-user',
-      groups: [],
-    }
-    const manager = new BranchWorkspaceManager(workspace.config)
-
-    // Create main branch with permissive permissions IN THE BRANCH
-    const mainBranch = await manager.openOrCreateBranch({
-      branchName: 'main',
-      mode: 'prod-sim',
-      createdBy: 'system',
-      remoteUrl: workspace.remotePath,
-    })
-
-    // Write permissions directly to main branch (wrong location in prod-sim)
-    const mainPermissionsDir = mainBranch.branchRoot
-    await fs.mkdir(mainPermissionsDir, { recursive: true })
-    await fs.writeFile(
-      path.join(mainPermissionsDir, 'permissions.json'),
-      JSON.stringify({
-        version: 1,
-        updatedAt: new Date().toISOString(),
-        updatedBy: 'test',
-        pathPermissions: [
-          {
-            path: unsafeAsPermissionPath('content/**'),
-            read: { allowedUsers: [user.userId] },
-          },
-        ],
-      }),
-    )
-
-    // Create settings branch with NO permissions (empty file)
-    const settingsBranch = await manager.openOrCreateBranch({
-      branchName: 'canopycms-settings',
-      mode: 'prod-sim',
-      createdBy: 'system',
-      remoteUrl: workspace.remotePath,
-    })
-
-    const settingsPermissionsDir = settingsBranch.branchRoot
-    await fs.mkdir(settingsPermissionsDir, { recursive: true })
-    await fs.writeFile(
-      path.join(settingsPermissionsDir, 'permissions.json'),
-      JSON.stringify({
-        version: 1,
-        updatedAt: new Date().toISOString(),
-        updatedBy: 'test',
-        pathPermissions: [], // Empty - no rules
-      }),
-    )
-
-    // Create services
-    const services = await createTestServices({
-      ...workspace.config,
-      schema: BLOG_SCHEMA,
-      mode: 'prod-sim',
-      settingsBranch: 'canopycms-settings',
-    })
-
-    // Check access - should fall back to defaultPathAccess (deny)
-    // NOT use the permissive rule from main branch
-    const access = await services.checkContentAccess(
-      mainBranch,
-      mainBranch.branchRoot,
-      unsafeAsPhysicalPath('content/posts/test.mdx'),
-      user,
-      'read',
-    )
-
-    // Should be denied because settings branch has no rules
-    // If it were reading from main branch, this would be allowed
-    expect(access.allowed).toBe(false)
-    expect(access.path.allowed).toBe(false)
-    expect(access.path.reason).toBe('no_rule_match')
-  })
-
-  it('verifies settings branch isolation works consistently across modes', async () => {
-    // This test verifies the same behavior as the prod-sim test above,
-    // but demonstrates it works for any mode that uses settings branch
-    const user: AuthenticatedUser = {
-      type: 'authenticated',
-      userId: 'user-for-mode-test',
-      groups: [],
-    }
-    const manager = new BranchWorkspaceManager(workspace.config)
-
-    // Create feature branch with permissive permissions
-    const featureBranch = await manager.openOrCreateBranch({
-      branchName: 'feature-x',
-      mode: 'prod-sim',
-      createdBy: user.userId,
-      remoteUrl: workspace.remotePath,
-    })
-
-    const featurePermissionsDir = featureBranch.branchRoot
-    await fs.mkdir(featurePermissionsDir, { recursive: true })
-    await fs.writeFile(
-      path.join(featurePermissionsDir, 'permissions.json'),
-      JSON.stringify({
-        version: 1,
-        updatedAt: new Date().toISOString(),
-        updatedBy: 'test',
-        pathPermissions: [
-          {
-            path: unsafeAsPermissionPath('content/**'),
-            read: { allowedUsers: [user.userId] },
-          },
-        ],
-      }),
-    )
-
-    // Create settings branch with restrictive permissions
-    const settingsBranch = await manager.openOrCreateBranch({
-      branchName: 'canopycms-settings',
-      mode: 'prod-sim',
-      createdBy: 'system',
-      remoteUrl: workspace.remotePath,
-    })
-
-    const settingsPermissionsDir = settingsBranch.branchRoot
-    await fs.mkdir(settingsPermissionsDir, { recursive: true })
-    await fs.writeFile(
-      path.join(settingsPermissionsDir, 'permissions.json'),
-      JSON.stringify({
-        version: 1,
-        updatedAt: new Date().toISOString(),
-        updatedBy: 'test',
-        pathPermissions: [], // No rules = default deny
-      }),
-    )
-
-    // Create services in prod-sim mode
-    const services = await createTestServices({
-      ...workspace.config,
-      schema: BLOG_SCHEMA,
-      mode: 'prod-sim',
-      settingsBranch: 'canopycms-settings',
-    })
-
-    // Check access on feature branch
-    // Should read from settings branch (empty), not feature branch (permissive)
-    const access = await services.checkContentAccess(
-      featureBranch,
-      featureBranch.branchRoot,
-      unsafeAsPhysicalPath('content/posts/test.mdx'),
-      user,
-      'read',
-    )
-
-    // Should be denied because settings branch has no rules
-    expect(access.allowed).toBe(false)
-    expect(access.path.reason).toBe('no_rule_match')
-  })
-})