npm - create-workframe - Versions diffs - 0.1.0 - Mend

create-workframe 0.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (415) hide show

package/workframe-api/tests/test_internal_proxy_auth.py ADDED Viewed

@@ -0,0 +1,125 @@
+"""Internal proxy auth + Google OIDC verification."""
+from __future__ import annotations
+import json
+import os
+import tempfile
+import unittest
+from pathlib import Path
+from unittest.mock import patch
+import google_auth
+import internal_proxy_auth
+import llm_proxy
+import oidc_jwt
+class InternalProxyAuthTests(unittest.TestCase):
+    def setUp(self) -> None:
+        internal_proxy_auth.reset_proxy_token_for_tests()
+        os.environ.pop("WORKFRAME_PROXY_TOKEN", None)
+    def tearDown(self) -> None:
+        internal_proxy_auth.reset_proxy_token_for_tests()
+        os.environ.pop("WORKFRAME_PROXY_TOKEN", None)
+    def test_private_ip_allows_without_token_when_unconfigured(self) -> None:
+        self.assertTrue(internal_proxy_auth.is_internal_client("172.19.0.2"))
+        self.assertFalse(internal_proxy_auth.is_internal_client("8.8.8.8"))
+        class _H:
+            client_address = ("172.19.0.2", 1)
+            headers = {}
+        ok, err = internal_proxy_auth.authorize_internal_proxy(_H())  # type: ignore[arg-type]
+        self.assertTrue(ok)
+        self.assertEqual(err, "")
+    def test_configured_token_requires_header(self) -> None:
+        os.environ["WORKFRAME_PROXY_TOKEN"] = "secret-proxy"
+        class _H:
+            client_address = ("172.19.0.2", 1)
+            headers = {"X-Workframe-Proxy-Token": "secret-proxy"}
+        ok, err = internal_proxy_auth.authorize_internal_proxy(_H())  # type: ignore[arg-type]
+        self.assertTrue(ok)
+        _H.headers = {}
+        ok, err = internal_proxy_auth.authorize_internal_proxy(_H())  # type: ignore[arg-type]
+        self.assertFalse(ok)
+        self.assertEqual(err, "proxy token required")
+    def test_llm_proxy_rejects_missing_token(self) -> None:
+        os.environ["WORKFRAME_PROXY_TOKEN"] = "secret-proxy"
+        class FakeWriter:
+            def __init__(self) -> None:
+                self.data = b""
+            def write(self, chunk: bytes) -> None:
+                self.data += chunk
+            def flush(self) -> None:
+                pass
+        class FakeHandler:
+            client_address = ("172.19.0.2", 1)
+            headers = {"Authorization": "Bearer wf_rt_test"}
+            def __init__(self) -> None:
+                self.wfile = FakeWriter()
+                self.status = 0
+            def send_response(self, status: int) -> None:
+                self.status = status
+            def send_header(self, _key: str, _value: str) -> None:
+                pass
+            def end_headers(self) -> None:
+                pass
+        handler = FakeHandler()
+        handled = llm_proxy.handle_proxy_request(
+            handler,
+            "/internal/llm/openrouter/v1/chat/completions",
+            "POST",
+            b"{}",
+            resolve_secret=lambda *_args: ("OPENROUTER_API_KEY", "sk-test"),
+        )
+        self.assertTrue(handled)
+        self.assertEqual(handler.status, 403)
+        self.assertIn(b"proxy token required", handler.wfile.data)
+    def test_bootstrap_writes_shared_and_data_files(self) -> None:
+        with tempfile.TemporaryDirectory() as tmp:
+            os.environ["WORKFRAME_API_DATA_DIR"] = tmp
+            internal_proxy_auth.reset_proxy_token_for_tests()
+            token = internal_proxy_auth.bootstrap_proxy_token(allow_generate_file=True)
+            self.assertTrue(token)
+            self.assertTrue((Path(tmp) / ".proxy_token").is_file())
+class GoogleOidcTests(unittest.TestCase):
+    def test_verify_google_id_token_checks_signature(self) -> None:
+        with patch.object(oidc_jwt, "verify_rs256_id_token") as verify:
+            verify.return_value = {
+                "email": "user@example.com",
+                "name": "User",
+                "email_verified": True,
+            }
+            with patch.object(google_auth, "_google_creds", return_value=("client-id", "secret")):
+                google_auth._PENDING["state-1"] = {"invite_email": "", "invite_token": ""}
+                with patch.object(google_auth.urllib.request, "urlopen") as urlopen:
+                    urlopen.return_value.__enter__.return_value.read.return_value = json.dumps(
+                        {"id_token": "header.payload.sig"}
+                    ).encode()
+                    profile = google_auth.exchange_google_code("code", "state-1")
+            verify.assert_called_once()
+            self.assertEqual(profile["email"], "user@example.com")
+if __name__ == "__main__":
+    unittest.main()

package/workframe-api/tests/test_invite_runtime_bootstrap.py ADDED Viewed

@@ -0,0 +1,72 @@
+import tempfile
+import unittest
+from pathlib import Path
+from unittest.mock import patch
+import server
+from db_setup import ensure_workframe_schemas
+class InviteRuntimeBootstrapTests(unittest.TestCase):
+    def setUp(self) -> None:
+        self._tmp = tempfile.TemporaryDirectory()
+        self.addCleanup(self._tmp.cleanup)
+        self._old_data_dir = server.DATA_DIR
+        self._old_auth_db_path = server.AUTH_DB_PATH
+        self._old_hermes_data = server.HERMES_DATA
+        server.DATA_DIR = Path(self._tmp.name)
+        server.AUTH_DB_PATH = Path(self._tmp.name) / "auth.db"
+        server.HERMES_DATA = Path(self._tmp.name) / "hermes"
+        (server.HERMES_DATA / "profiles").mkdir(parents=True)
+        ensure_workframe_schemas()
+        self.workspace_id = "ws-invite"
+        self.user_id = "user-invited"
+        self.agent_one_id = "a1111111-1111-4111-8111-111111111111"
+        self.agent_two_id = "b2222222-2222-4222-8222-222222222222"
+        conn = server._workframe_db()
+        try:
+            now = "1"
+            conn.execute(
+                "INSERT INTO workspaces (id, slug, display_name, owner_id, status, created_at, updated_at) VALUES (?,?,?,?,?,?,?)",
+                (self.workspace_id, "invite", "Invite", "owner-1", "active", now, now),
+            )
+            conn.execute(
+                "INSERT INTO users (id, display_name, role, status, created_at, updated_at) VALUES (?,?,?,?,?,?)",
+                (self.user_id, "Invited", "member", "active", now, now),
+            )
+            for ap_id, slug in (
+                (self.agent_one_id, "agent-one"),
+                (self.agent_two_id, "agent-two"),
+            ):
+                conn.execute(
+                    """
+                    INSERT INTO agent_profiles (
+                        id, workspace_id, slug, display_name, is_native, status, created_at, updated_at
+                    ) VALUES (?, ?, ?, ?, 0, 'available', ?, ?)
+                    """,
+                    (ap_id, self.workspace_id, slug, slug, now, now),
+                )
+            conn.commit()
+        finally:
+            conn.close()
+    def tearDown(self) -> None:
+        server.DATA_DIR = self._old_data_dir
+        server.AUTH_DB_PATH = self._old_auth_db_path
+        server.HERMES_DATA = self._old_hermes_data
+    @patch.object(server, "resolve_validated_profile", side_effect=lambda slug: slug)
+    @patch.object(server, "_runtime_profile_on_disk", return_value=False)
+    @patch.object(server, "ensure_runtime_profile")
+    def test_provision_invited_member_agent_runtimes(
+        self,
+        mock_ensure,
+        _on_disk,
+        _validate,
+    ) -> None:
+        server._provision_invited_member_agent_runtimes(self.workspace_id, self.user_id)
+        self.assertEqual(mock_ensure.call_count, 2)
+if __name__ == "__main__":
+    unittest.main()

package/workframe-api/tests/test_kanban_delegation.py ADDED Viewed

@@ -0,0 +1,185 @@
+"""Kanban assignee validation with delegation grants and workspace board mapping."""
+import tempfile
+import unittest
+from pathlib import Path
+from unittest.mock import patch
+import server
+import credential_vault
+import vault_kek
+from db_setup import ensure_workframe_schemas
+class KanbanDelegationTests(unittest.TestCase):
+    def setUp(self) -> None:
+        self._tmp = tempfile.TemporaryDirectory()
+        self.addCleanup(self._tmp.cleanup)
+        self._old_data_dir = server.DATA_DIR
+        self._old_auth_db_path = server.AUTH_DB_PATH
+        self._old_hermes_data = server.HERMES_DATA
+        server.DATA_DIR = Path(self._tmp.name)
+        server.AUTH_DB_PATH = Path(self._tmp.name) / "auth.db"
+        server.HERMES_DATA = Path(self._tmp.name) / "hermes"
+        (server.HERMES_DATA / "profiles").mkdir(parents=True)
+        credential_vault.DATA_DIR = server.DATA_DIR
+        credential_vault.VAULT_DB = server.DATA_DIR / "credential_vault.db"
+        vault_kek.DATA_DIR = server.DATA_DIR
+        vault_kek.VAULT_KEK_FILE = server.DATA_DIR / ".vault_kek"
+        credential_vault.ensure_schema()
+        credential_vault.unseal_for_tests()
+        ensure_workframe_schemas()
+        self.workspace_id = "ws-kanban"
+        self.user_a = "cb6a2db4-ac86-4c49-8247-14a1d68aca72"
+        self.user_b = "44fb344c-0954-47b6-a19a-ebbcf20e9680"
+        conn = server._workframe_db()
+        try:
+            now = "1"
+            conn.execute(
+                "INSERT INTO workspaces (id, slug, display_name, owner_id, status, created_at, updated_at) VALUES (?,?,?,?,?,?,?)",
+                (self.workspace_id, "dogfood", "Dogfood", self.user_a, "active", now, now),
+            )
+            for uid, name in ((self.user_a, "Fab"), (self.user_b, "Alan")):
+                conn.execute(
+                    "INSERT INTO users (id, display_name, role, status, created_at, updated_at) VALUES (?,?,?,?,?,?)",
+                    (uid, name, "member", "active", now, now),
+                )
+                conn.execute(
+                    """
+                    INSERT INTO workspace_memberships (id, workspace_id, user_id, role, status, created_at, updated_at)
+                    VALUES (?, ?, ?, 'member', 'active', ?, ?)
+                    """,
+                    (f"wm-{uid}", self.workspace_id, uid, now, now),
+                )
+            for slug, name in (("workframe-agent", "Workframe Agent"), ("architect", "Architect")):
+                conn.execute(
+                    """
+                    INSERT INTO agent_profiles (id, workspace_id, slug, display_name, is_native, status, created_at, updated_at)
+                    VALUES (?, ?, ?, ?, ?, 'available', ?, ?)
+                    """,
+                    (f"ap-{slug}", self.workspace_id, slug, name, slug == "workframe-agent", now, now),
+                )
+            conn.commit()
+        finally:
+            conn.close()
+        self.runtime_a_arch = server._runtime_profile_slug(self.user_a, "architect")
+        self.runtime_b_arch = server._runtime_profile_slug(self.user_b, "architect")
+    def tearDown(self) -> None:
+        server.DATA_DIR = self._old_data_dir
+        server.AUTH_DB_PATH = self._old_auth_db_path
+        server.HERMES_DATA = self._old_hermes_data
+    def test_cross_user_assignee_blocked_without_grant(self) -> None:
+        ok, reason = server.validate_kanban_assignee(
+            self.runtime_a_arch,
+            self.user_b,
+            self.workspace_id,
+        )
+        self.assertFalse(ok)
+        self.assertEqual(reason, "assignee_owner_forbidden")
+    def test_delegate_grant_allows_cross_user_assignee(self) -> None:
+        server.create_delegation_grant(self.workspace_id, self.user_a, self.user_b)
+        ok, reason = server.validate_kanban_assignee(
+            self.runtime_a_arch,
+            self.user_b,
+            self.workspace_id,
+        )
+        self.assertTrue(ok)
+        self.assertEqual(reason, self.user_a)
+    def test_template_assignee_forbidden_by_default(self) -> None:
+        ok, reason = server.validate_kanban_assignee("architect", self.user_a, self.workspace_id)
+        self.assertFalse(ok)
+        self.assertEqual(reason, "template_assignee_forbidden")
+    @patch.object(server, "_gateway_exec", return_value=(0, "created t_test"))
+    @patch.object(server, "resolve_runtime_assignee", side_effect=lambda t, u, w: server._runtime_profile_slug(u, t))
+    def test_kanban_proxy_create_rejects_cross_user(self, _resolve, _exec) -> None:
+        with self.assertRaises(PermissionError):
+            server.kanban_proxy_create_task(
+                self.workspace_id,
+                self.user_b,
+                {"title": "nope", "template_slug": "architect", "assignee_user_id": self.user_a},
+            )
+        _exec.assert_not_called()
+    @patch.object(server, "_gateway_exec", return_value=(0, "created t_ok"))
+    @patch.object(server, "resolve_runtime_assignee", side_effect=lambda t, u, w: server._runtime_profile_slug(u, t))
+    def test_kanban_proxy_create_with_grant(self, _resolve, _exec) -> None:
+        server.create_delegation_grant(self.workspace_id, self.user_a, self.user_b)
+        result = server.kanban_proxy_create_task(
+            self.workspace_id,
+            self.user_b,
+            {"title": "ok", "template_slug": "architect", "assignee_user_id": self.user_a},
+        )
+        self.assertTrue(result["ok"])
+        _exec.assert_called_once()
+        args = _exec.call_args[0][1]
+        self.assertIn("--board", args)
+        self.assertIn(self.runtime_a_arch, args)
+    def test_ensure_workspace_kanban_board_persists_slug(self) -> None:
+        with patch.object(server, "_gateway_exec", return_value=(0, "ok")):
+            slug = server.ensure_workspace_kanban_board(self.workspace_id)
+        self.assertEqual(slug, "dogfood")
+        row = server._workspace_kanban_board_row(self.workspace_id)
+        self.assertIsNotNone(row)
+        self.assertEqual(str(row["hermes_board_slug"]), "dogfood")
+    @patch.object(server, "ensure_workspace_kanban_board", return_value="dogfood")
+    @patch.object(server, "_gateway_exec", return_value=(0, "created t_cred"))
+    @patch.object(server, "resolve_runtime_assignee", side_effect=lambda t, u, w: server._runtime_profile_slug(u, t))
+    def test_delegated_kanban_uses_assignee_owner_credentials(
+        self,
+        _resolve: object,
+        _exec: object,
+        _board: object,
+    ) -> None:
+        """Bob delegates to Alice's runtime; credentials must be Alice's, not Bob's."""
+        server.create_delegation_grant(self.workspace_id, self.user_a, self.user_b)
+        prof_dir = server._profile_dir(self.runtime_a_arch)
+        prof_dir.mkdir(parents=True, exist_ok=True)
+        (prof_dir / "config.yaml").write_text(
+            "model:\n  default: openrouter/test\n  provider: openrouter\n",
+            encoding="utf-8",
+        )
+        server._user_hermes_home(self.user_a).mkdir(parents=True, exist_ok=True)
+        server._user_hermes_home(self.user_b).mkdir(parents=True, exist_ok=True)
+        credential_vault.store_secret(
+            "alice-or", "sk-alice-owner", env_var="OPENROUTER_API_KEY", provider="openrouter", user_id=self.user_a,
+        )
+        conn = server._workframe_db()
+        try:
+            now = "1"
+            conn.execute(
+                """
+                INSERT INTO credential_bindings (
+                    id, workspace_id, user_id, agent_profile_id, provider,
+                    credential_type, credential_ref, label, is_active,
+                    expires_at, created_by, created_at, updated_at, deleted_at
+                ) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)
+                """,
+                (
+                    "alice-or", None, self.user_a, None, "openrouter",
+                    "api_key", credential_vault.vault_ref("alice-or"), "Alice OR", 1, None, self.user_a,
+                    now, now, None,
+                ),
+            )
+            conn.commit()
+        finally:
+            conn.close()
+        server.kanban_proxy_create_task(
+            self.workspace_id,
+            self.user_b,
+            {"title": "delegated", "template_slug": "architect", "assignee_user_id": self.user_a},
+        )
+        env_text = (prof_dir / ".env").read_text(encoding="utf-8") if (prof_dir / ".env").is_file() else ""
+        self.assertNotIn("sk-alice-owner", env_text)
+        self.assertNotIn("sk-bob-initiator", env_text)
+        self.assertTrue(server._user_can_use_llm(self.user_a, self.workspace_id))
+if __name__ == "__main__":
+    unittest.main()

package/workframe-api/tests/test_llm_proxy.py ADDED Viewed

@@ -0,0 +1,155 @@
+"""LLM proxy path normalization."""
+import os
+import unittest
+from unittest.mock import patch
+import internal_proxy_auth
+import llm_proxy
+class LlmProxyPathTests(unittest.TestCase):
+    def setUp(self) -> None:
+        internal_proxy_auth.reset_proxy_token_for_tests()
+        os.environ.pop("WORKFRAME_PROXY_TOKEN", None)
+    def tearDown(self) -> None:
+        internal_proxy_auth.reset_proxy_token_for_tests()
+        os.environ.pop("WORKFRAME_PROXY_TOKEN", None)
+    def test_normalize_dedup_v1_prefix(self) -> None:
+        base = "https://openrouter.ai/api/v1"
+        self.assertEqual(
+            llm_proxy.normalize_upstream_path(base, "/v1/chat/completions"),
+            "/chat/completions",
+        )
+        self.assertEqual(llm_proxy.normalize_upstream_path(base, "/v1"), "")
+    def test_normalize_keeps_other_paths(self) -> None:
+        base = "https://api.anthropic.com"
+        self.assertEqual(
+            llm_proxy.normalize_upstream_path(base, "/v1/messages"),
+            "/v1/messages",
+        )
+    def test_handler_streams_success_response_chunks(self) -> None:
+        class FakeResponse:
+            status = 200
+            headers = {"Content-Type": "text/event-stream"}
+            def __init__(self) -> None:
+                self._chunks = [b"data: one\n\n", b"data: two\n\n", b""]
+            def __enter__(self):
+                return self
+            def __exit__(self, *_args):
+                return False
+            def read(self, _size: int = -1) -> bytes:
+                return self._chunks.pop(0)
+            def readline(self) -> bytes:
+                return self._chunks.pop(0)
+        class FakeWriter:
+            def __init__(self) -> None:
+                self.writes: list[bytes] = []
+                self.flushes = 0
+            def write(self, data: bytes) -> None:
+                self.writes.append(data)
+            def flush(self) -> None:
+                self.flushes += 1
+        class FakeHandler:
+            client_address = ("172.19.0.2", 1234)
+            headers = {
+                "Authorization": "Bearer wf_rt_test",
+                "X-Workframe-Profile": "u-alice-architect",
+            }
+            def __init__(self) -> None:
+                self.wfile = FakeWriter()
+                self.status = 0
+                self.headers_sent: list[tuple[str, str]] = []
+            def send_response(self, status: int) -> None:
+                self.status = status
+            def send_header(self, key: str, value: str) -> None:
+                self.headers_sent.append((key, value))
+            def end_headers(self) -> None:
+                pass
+        handler = FakeHandler()
+        with patch.object(
+            llm_proxy.turn_credentials,
+            "validate_lease",
+            return_value={
+                "provider": "openrouter",
+                "profile_slug": "u-alice-architect",
+            },
+        ), patch.object(
+            llm_proxy.turn_credentials,
+            "resolve_lease_secret",
+            return_value=("OPENROUTER_API_KEY", "sk-test"),
+        ), patch.object(llm_proxy.urllib.request, "urlopen", return_value=FakeResponse()):
+            handled = llm_proxy.handle_proxy_request(
+                handler,
+                "/internal/llm/openrouter/v1/chat/completions",
+                "POST",
+                b'{"stream":true}',
+                resolve_secret=lambda *_args: ("OPENROUTER_API_KEY", "sk-test"),
+            )
+        self.assertTrue(handled)
+        self.assertEqual(handler.status, 200)
+        self.assertEqual(handler.wfile.writes, [b"data: one\n\n", b"data: two\n\n"])
+        self.assertEqual(handler.wfile.flushes, 2)
+    def test_lease_rejects_profile_mismatch(self) -> None:
+        class FakeHandler:
+            client_address = ("172.19.0.2", 1234)
+            headers = {
+                "Authorization": "Bearer wf_rt_test",
+                "X-Workframe-Profile": "u-bob-architect",
+            }
+            def __init__(self) -> None:
+                self.wfile = type("W", (), {"write": lambda *_a, **_k: None})()
+                self.status = 0
+                self.body = b""
+            def send_response(self, status: int) -> None:
+                self.status = status
+            def send_header(self, _key: str, _value: str) -> None:
+                pass
+            def end_headers(self) -> None:
+                pass
+        handler = FakeHandler()
+        with patch.object(
+            llm_proxy.turn_credentials,
+            "validate_lease",
+            return_value={
+                "provider": "openrouter",
+                "profile_slug": "u-alice-architect",
+            },
+        ):
+            handled = llm_proxy.handle_proxy_request(
+                handler,
+                "/internal/llm/openrouter/v1/models",
+                "GET",
+                None,
+                resolve_secret=lambda *_args: ("OPENROUTER_API_KEY", "sk-test"),
+            )
+        self.assertTrue(handled)
+        self.assertEqual(handler.status, 403)
+if __name__ == "__main__":
+    unittest.main()