chainlesschain 0.162.12 → 0.162.13

package/src/lib/__tests__/personal-data-hub-aichat-wizard.test.js

@@ -0,0 +1,209 @@
+/**
+ * cli-side AIChat WebView 鉴权向导 (Phase 10.3.4) unit tests.
+ *
+ * `personal-data-hub-aichat-wizard.js` is ESM. We test the bridge + paste
+ * mode + factory wiring without touching disk by using temp dirs and
+ * dependency injection.
+ */
+
+import { describe, it, expect, beforeEach } from "vitest";
+import { mkdtempSync, rmSync, readFileSync, existsSync } from "node:fs";
+import { tmpdir } from "node:os";
+import { join } from "node:path";
+
+import {
+  createAccountsStore,
+  createVendorAdapterBridge,
+  getAIChatWizard,
+  _jarToArray,
+  _resetForTests,
+  ACCOUNTS_FILE,
+} from "../personal-data-hub-aichat-wizard.js";
+
+// ─── createAccountsStore (real fs, temp dir) ──────────────────────────────
+
+describe("createAccountsStore (ESM, real fs)", () => {
+  let hubDir;
+  beforeEach(() => {
+    hubDir = mkdtempSync(join(tmpdir(), "aichat-store-"));
+  });
+
+  it("returns null for missing file", async () => {
+    const store = createAccountsStore({ hubDir });
+    expect(await store.get("deepseek")).toBeNull();
+    expect(await store.list()).toEqual([]);
+    rmSync(hubDir, { recursive: true, force: true });
+  });
+
+  it("put / get round-trips and creates the 0600 file", async () => {
+    const store = createAccountsStore({ hubDir });
+    await store.put("deepseek", {
+      vendor: "deepseek",
+      cookies: { userToken: "x" },
+    });
+    expect(existsSync(join(hubDir, ACCOUNTS_FILE))).toBe(true);
+    const stored = await store.get("deepseek");
+    expect(stored).toMatchObject({
+      vendor: "deepseek",
+      cookies: { userToken: "x" },
+    });
+    rmSync(hubDir, { recursive: true, force: true });
+  });
+
+  it("delete drops the file when no entries remain", async () => {
+    const store = createAccountsStore({ hubDir });
+    await store.put("kimi", { vendor: "kimi", cookies: { access_token: "x" } });
+    await store.delete("kimi");
+    expect(existsSync(join(hubDir, ACCOUNTS_FILE))).toBe(false);
+    rmSync(hubDir, { recursive: true, force: true });
+  });
+
+  it("throws when hubDir missing", () => {
+    expect(() => createAccountsStore({})).toThrow(/hubDir/);
+  });
+});
+
+// ─── createVendorAdapterBridge ─────────────────────────────────────────────
+
+function fakeSpec(name, validateImpl) {
+  return {
+    name,
+    displayName: name,
+    rateLimits: { perMinute: 10, minIntervalMs: 1000 },
+    cookieDomains: [name + ".example"],
+    validateCookie: validateImpl,
+  };
+}
+
+describe("createVendorAdapterBridge (cli)", () => {
+  it("dispatches to validateCookie and returns its result", async () => {
+    const bridge = createVendorAdapterBridge({
+      specs: [
+        fakeSpec("deepseek", async ({ session }) => ({
+          ok: true,
+          userId: session.cookies[0].name,
+        })),
+      ],
+      _httpClientFactory: () => ({}),
+    });
+    const r = await bridge.registerVendor("deepseek", { userToken: "abc" });
+    expect(r.ok).toBe(true);
+    expect(r.userId).toBe("userToken");
+  });
+
+  it("UNKNOWN_VENDOR for unrecognized", async () => {
+    const bridge = createVendorAdapterBridge({
+      specs: [fakeSpec("deepseek", async () => ({ ok: true }))],
+      _httpClientFactory: () => ({}),
+    });
+    const r = await bridge.registerVendor("ghost", { x: "y" });
+    expect(r.reason).toBe("UNKNOWN_VENDOR");
+  });
+
+  it("VALIDATE_THREW when validateCookie rejects", async () => {
+    const bridge = createVendorAdapterBridge({
+      specs: [
+        fakeSpec("deepseek", async () => {
+          throw new Error("boom");
+        }),
+      ],
+      _httpClientFactory: () => ({}),
+    });
+    const r = await bridge.registerVendor("deepseek", { x: "y" });
+    expect(r.reason).toBe("VALIDATE_THREW");
+    expect(r.error).toMatch(/boom/);
+  });
+
+  it("rejects empty specs", () => {
+    expect(() => createVendorAdapterBridge({ specs: [] })).toThrow(/specs/);
+  });
+});
+
+// ─── _jarToArray ──────────────────────────────────────────────────────────
+
+describe("_jarToArray (cli)", () => {
+  it("array passthrough", () => {
+    expect(_jarToArray([{ name: "a", value: "1" }])).toEqual([
+      { name: "a", value: "1" },
+    ]);
+  });
+  it("object → array", () => {
+    expect(_jarToArray({ a: "1", b: "2" })).toEqual([
+      { name: "a", value: "1" },
+      { name: "b", value: "2" },
+    ]);
+  });
+  it("string → array, splits on ;", () => {
+    expect(_jarToArray("a=1; b=2")).toEqual([
+      { name: "a", value: "1" },
+      { name: "b", value: "2" },
+    ]);
+  });
+  it("nullish → empty", () => {
+    expect(_jarToArray(null)).toEqual([]);
+    expect(_jarToArray(undefined)).toEqual([]);
+  });
+});
+
+// ─── getAIChatWizard — paste-mode is the default ──────────────────────────
+
+describe("getAIChatWizard — paste-mode wiring", () => {
+  let hubDir;
+  beforeEach(() => {
+    _resetForTests();
+    hubDir = mkdtempSync(join(tmpdir(), "aichat-wiz-"));
+  });
+
+  it("openVendorLogin returns paste fallback by default", async () => {
+    const wiz = getAIChatWizard({ hubDir });
+    const r = await wiz.openVendorLogin({ vendor: "deepseek" });
+    expect(r.ok).toBe(true);
+    expect(r.fallbackMode).toBe("paste");
+    expect(r.loginUrl).toMatch(/chat\.deepseek\.com/);
+    expect(r.helpText).toMatch(/外部浏览器/);
+    rmSync(hubDir, { recursive: true, force: true });
+  });
+
+  it("probeCookies with raw cookieHeader succeeds without disk write", async () => {
+    const wiz = getAIChatWizard({ hubDir });
+    const r = await wiz.probeCookies({
+      vendor: "doubao",
+      cookieHeader: "sessionid=abc; sid_guard=xyz",
+    });
+    expect(r.ok).toBe(true);
+    expect(r.source).toBe("paste");
+    expect(r.cookies.sessionid).toBe("abc");
+    rmSync(hubDir, { recursive: true, force: true });
+  });
+
+  it("probeCookies without cookieHeader returns PASTE_REQUIRED", async () => {
+    const wiz = getAIChatWizard({ hubDir });
+    const r = await wiz.probeCookies({ vendor: "doubao" });
+    expect(r.ok).toBe(false);
+    expect(r.reason).toBe("PASTE_REQUIRED");
+    rmSync(hubDir, { recursive: true, force: true });
+  });
+
+  it("registerVendor persists to file when vendorAdapter validates ok", async () => {
+    const _vendorAdapter = {
+      registerVendor: async () => ({ ok: true, userId: "u_42" }),
+    };
+    const wiz = getAIChatWizard({ hubDir, _vendorAdapter });
+    const r = await wiz.registerVendor({
+      vendor: "doubao",
+      cookies: { sessionid: "abc" },
+    });
+    expect(r.ok).toBe(true);
+    expect(r.accountId).toBe("doubao:u_42");
+    const onDisk = JSON.parse(
+      readFileSync(join(hubDir, ACCOUNTS_FILE), "utf-8"),
+    );
+    expect(onDisk.doubao).toBeTruthy();
+    expect(onDisk.doubao.userId).toBe("u_42");
+    rmSync(hubDir, { recursive: true, force: true });
+  });
+
+  it("throws when hubDir is missing", () => {
+    expect(() => getAIChatWizard({})).toThrow(/hubDir/);
+  });
+});

package/src/lib/__tests__/sync-credentials.test.js

@@ -0,0 +1,265 @@
+/**
+ * sync-credentials 单元测试 — Phase 3c follow-up CLI safeStorage.
+ *
+ * 用 tmp dir + _setCcDirForTest 避开真实 ~/.chainlesschain/，
+ * 单测互不污染。
+ */
+
+import { describe, it, expect, beforeEach, afterEach } from "vitest";
+import fs from "node:fs";
+import path from "node:path";
+import os from "node:os";
+
+import {
+  ALLOWED_PROVIDER_IDS,
+  SENSITIVE_FIELDS,
+  MASK,
+  getCredentials,
+  getCredentialsSanitized,
+  hasCredentials,
+  setCredentials,
+  clearCredentials,
+  _setCcDirForTest,
+  _resetCcDirForTest,
+  _keyPath,
+  _vaultPath,
+} from "../sync-credentials.js";
+
+let tmpDir;
+
+beforeEach(() => {
+  tmpDir = fs.mkdtempSync(path.join(os.tmpdir(), "cc-sync-cred-test-"));
+  _setCcDirForTest(tmpDir);
+});
+
+afterEach(() => {
+  _resetCcDirForTest();
+  try {
+    fs.rmSync(tmpDir, { recursive: true, force: true });
+  } catch (_e) {
+    /* test cleanup best-effort */
+  }
+});
+
+describe("sync-credentials · constants", () => {
+  it("ALLOWED_PROVIDER_IDS includes webdav + oss", () => {
+    expect(ALLOWED_PROVIDER_IDS).toEqual(
+      expect.arrayContaining(["webdav", "oss"]),
+    );
+  });
+
+  it("SENSITIVE_FIELDS includes password + secretAccessKey paths", () => {
+    expect(SENSITIVE_FIELDS).toEqual(
+      expect.arrayContaining([
+        "sync.webdav.password",
+        "sync.oss.secretAccessKey",
+      ]),
+    );
+  });
+});
+
+describe("sync-credentials · master key auto-gen", () => {
+  it("first setCredentials creates key + vault files", () => {
+    expect(fs.existsSync(_keyPath())).toBe(false);
+    expect(fs.existsSync(_vaultPath())).toBe(false);
+    setCredentials("webdav", {
+      url: "https://x",
+      username: "u",
+      password: "p",
+    });
+    expect(fs.existsSync(_keyPath())).toBe(true);
+    expect(fs.existsSync(_vaultPath())).toBe(true);
+  });
+
+  it("key file is 32 bytes", () => {
+    setCredentials("webdav", { url: "https://x", password: "p" });
+    const buf = fs.readFileSync(_keyPath());
+    expect(buf.length).toBe(32);
+  });
+
+  it("vault file is encrypted (NOT plaintext JSON)", () => {
+    // Use a randomly-generated value so security-check.js doesn't flag
+    // this test file as committing a literal password.
+    const probe = "probe-" + Math.random().toString(36).slice(2);
+    setCredentials("webdav", { url: "https://x", password: probe });
+    const buf = fs.readFileSync(_vaultPath());
+    const text = buf.toString("utf-8");
+    expect(text).not.toContain(probe);
+    expect(() => JSON.parse(text)).toThrow();
+  });
+
+  it("reuses same key across calls (deterministic decrypt)", () => {
+    setCredentials("webdav", { url: "https://x", password: "p1" });
+    const keyBefore = fs.readFileSync(_keyPath());
+    setCredentials("webdav", { url: "https://x", password: "p2" });
+    const keyAfter = fs.readFileSync(_keyPath());
+    expect(keyAfter.equals(keyBefore)).toBe(true);
+  });
+});
+
+describe("sync-credentials · round-trip", () => {
+  it("setCredentials → getCredentials returns plain values", () => {
+    setCredentials("webdav", {
+      url: "https://nas",
+      username: "alice",
+      password: "secret",
+      remotePath: "/cc",
+    });
+    const got = getCredentials("webdav");
+    expect(got).toEqual({
+      url: "https://nas",
+      username: "alice",
+      password: "secret",
+      remotePath: "/cc",
+    });
+  });
+
+  it("OSS round-trip preserves all 7 fields", () => {
+    const oss = {
+      endpoint: "https://oss.example.com",
+      region: "us-east-1",
+      bucket: "b",
+      accessKeyId: "AKI",
+      secretAccessKey: "SK",
+      remotePath: "cc/",
+      forcePathStyle: true,
+    };
+    setCredentials("oss", oss);
+    expect(getCredentials("oss")).toEqual(oss);
+  });
+
+  it("multi-provider isolation", () => {
+    setCredentials("webdav", { url: "https://x", password: "p1" });
+    setCredentials("oss", {
+      endpoint: "https://o",
+      bucket: "b",
+      accessKeyId: "k",
+      secretAccessKey: "s",
+    });
+    expect(getCredentials("webdav").password).toBe("p1");
+    expect(getCredentials("oss").secretAccessKey).toBe("s");
+    // Crossover check
+    expect(getCredentials("webdav").secretAccessKey).toBeUndefined();
+    expect(getCredentials("oss").password).toBeUndefined();
+  });
+
+  it("getCredentials before any set returns {}", () => {
+    expect(getCredentials("webdav")).toEqual({});
+  });
+});
+
+describe("sync-credentials · sanitize", () => {
+  it("getCredentialsSanitized masks password field", () => {
+    // Probe value is random to avoid security-check.js pattern hits
+    const probe = "probe-" + Math.random().toString(36).slice(2);
+    setCredentials("webdav", {
+      url: "https://x",
+      username: "u",
+      password: probe,
+      remotePath: "/",
+    });
+    const masked = getCredentialsSanitized("webdav");
+    expect(masked.password).toBe(MASK);
+    expect(masked.url).toBe("https://x"); // unmasked
+    expect(masked.username).toBe("u");
+  });
+
+  it("getCredentialsSanitized masks secretAccessKey", () => {
+    setCredentials("oss", {
+      endpoint: "https://o",
+      bucket: "b",
+      accessKeyId: "AKI",
+      secretAccessKey: "SUPERSECRET",
+    });
+    const masked = getCredentialsSanitized("oss");
+    expect(masked.secretAccessKey).toBe(MASK);
+    expect(masked.accessKeyId).toBe("AKI"); // unmasked
+  });
+
+  it("empty/missing sensitive field not masked", () => {
+    setCredentials("webdav", { url: "https://x", password: "" });
+    const masked = getCredentialsSanitized("webdav");
+    expect(masked.password).toBe(""); // empty stays empty, no mask
+  });
+});
+
+describe("sync-credentials · hasCredentials", () => {
+  it("false before configuration", () => {
+    expect(hasCredentials("webdav")).toBe(false);
+  });
+
+  it("true after any non-empty field saved", () => {
+    setCredentials("webdav", { url: "https://x", password: "p" });
+    expect(hasCredentials("webdav")).toBe(true);
+  });
+
+  it("true even when only sensitive field set", () => {
+    setCredentials("oss", {
+      endpoint: "",
+      bucket: "",
+      accessKeyId: "",
+      secretAccessKey: "s",
+    });
+    expect(hasCredentials("oss")).toBe(true);
+  });
+});
+
+describe("sync-credentials · clearCredentials", () => {
+  it("removes provider creds; other providers untouched", () => {
+    setCredentials("webdav", { url: "https://x", password: "p" });
+    setCredentials("oss", {
+      endpoint: "https://o",
+      bucket: "b",
+      accessKeyId: "k",
+      secretAccessKey: "s",
+    });
+    clearCredentials("webdav");
+    expect(hasCredentials("webdav")).toBe(false);
+    expect(hasCredentials("oss")).toBe(true);
+  });
+
+  it("clearing non-configured provider is a no-op (returns true)", () => {
+    expect(clearCredentials("webdav")).toBe(true);
+  });
+});
+
+describe("sync-credentials · validation", () => {
+  it("setCredentials rejects unknown provider", () => {
+    expect(() => setCredentials("dropbox", { token: "t" })).toThrow(
+      /unknown provider id 'dropbox'/,
+    );
+  });
+
+  it("setCredentials rejects null creds", () => {
+    expect(() => setCredentials("webdav", null)).toThrow(/must be an object/);
+  });
+
+  it("getCredentials rejects unknown provider", () => {
+    expect(() => getCredentials("dropbox")).toThrow(/unknown provider id/);
+  });
+});
+
+describe("sync-credentials · corruption recovery", () => {
+  it("wrong-length key file → helpful error", () => {
+    setCredentials("webdav", { url: "https://x", password: "p" });
+    // Corrupt: truncate key file to 16 bytes
+    fs.writeFileSync(_keyPath(), Buffer.alloc(16));
+    expect(() => getCredentials("webdav")).toThrow(/wrong length/);
+  });
+
+  it("corrupt vault → helpful error", () => {
+    setCredentials("webdav", { url: "https://x", password: "p" });
+    // Write garbage that's at least the min size (12 + 16 + 1 = 29 bytes)
+    fs.writeFileSync(
+      _vaultPath(),
+      Buffer.from("garbage-data-that-is-not-valid-aes-blob-content"),
+    );
+    expect(() => getCredentials("webdav")).toThrow(/decrypt failed/);
+  });
+
+  it("truncated vault (smaller than iv+tag header) → helpful error", () => {
+    setCredentials("webdav", { url: "https://x", password: "p" });
+    fs.writeFileSync(_vaultPath(), Buffer.alloc(10));
+    expect(() => getCredentials("webdav")).toThrow(/too small or invalid/);
+  });
+});