draft-board 0.1.0-beta.0

package/app/backend/tests/test_cleanup_service_safety.py

@@ -0,0 +1,417 @@
+"""Tests for cleanup service safety guards.
+
+These tests verify the most dangerous scenarios are properly handled:
+- git worktree remove fails but path remains registered
+- Worktree path equals main repo path (symlink attacks)
+"""
+
+import json
+import tempfile
+from datetime import UTC, datetime
+from pathlib import Path
+from unittest.mock import MagicMock, patch
+from uuid import uuid4
+
+import pytest
+from sqlalchemy import select
+from sqlalchemy.ext.asyncio import AsyncSession
+
+from app.models.enums import EventType
+from app.models.goal import Goal
+from app.models.ticket import Ticket
+from app.models.ticket_event import TicketEvent
+from app.models.workspace import Workspace
+from app.services.cleanup_service import CleanupService, _sanitize_output
+
+
+class TestSanitizeOutput:
+    """Test the _sanitize_output helper function."""
+
+    def test_removes_null_bytes(self):
+        """Null bytes should be stripped."""
+        input_text = "hello\x00world"
+        result = _sanitize_output(input_text)
+        assert "\x00" not in result
+        assert result == "helloworld"
+
+    def test_removes_control_characters(self):
+        """Control characters (except newline/tab) should be stripped."""
+        # \x01 is SOH, \x7f is DEL
+        input_text = "hello\x01world\x7f!"
+        result = _sanitize_output(input_text)
+        assert result == "helloworld!"
+
+    def test_preserves_newlines_and_tabs(self):
+        """Newlines and tabs should be preserved."""
+        input_text = "line1\nline2\ttab"
+        result = _sanitize_output(input_text)
+        assert result == "line1\nline2\ttab"
+
+    def test_removes_carriage_returns(self):
+        """Carriage returns should be stripped (Windows line endings)."""
+        input_text = "line1\r\nline2\rline3"
+        result = _sanitize_output(input_text)
+        # \r should be stripped, \n should remain
+        assert "\r" not in result
+        assert result == "line1\nline2line3"
+
+    def test_truncates_to_max_length(self):
+        """Output should be truncated to max_length."""
+        input_text = "a" * 1000
+        result = _sanitize_output(input_text, max_length=100)
+        assert len(result) == 100
+
+    def test_handles_none(self):
+        """None input should return None."""
+        assert _sanitize_output(None) is None
+
+
+class TestCleanupServicePathValidation:
+    """Test path validation safety guards."""
+
+    @pytest.mark.asyncio
+    async def test_repo_path_equals_worktree_path_is_blocked(self, db: AsyncSession):
+        """Test that cleanup is blocked when worktree path resolves to repo path.
+
+        This prevents symlink attacks where .draft/worktrees/foo -> /repo
+        """
+        # Create test entities
+        goal = Goal(id=str(uuid4()), title="Test Goal")
+        db.add(goal)
+        await db.flush()
+
+        ticket = Ticket(
+            id=str(uuid4()),
+            goal_id=goal.id,
+            title="Test ticket",
+            state="done",
+        )
+        db.add(ticket)
+        await db.flush()
+
+        with tempfile.TemporaryDirectory() as tmpdir:
+            repo_path = Path(tmpdir)
+            worktrees_dir = repo_path / ".draft/worktrees"
+            worktrees_dir.mkdir(parents=True)
+
+            # Create a symlink that points back to repo root
+            evil_symlink = worktrees_dir / "evil-link"
+            evil_symlink.symlink_to(repo_path)
+
+            workspace = Workspace(
+                id=str(uuid4()),
+                ticket_id=ticket.id,
+                worktree_path=str(evil_symlink),
+                branch_name="test-branch",
+                created_at=datetime.now(UTC),
+            )
+            db.add(workspace)
+            await db.commit()
+
+            service = CleanupService(db)
+
+            # Patch WorkspaceService.get_repo_path to return our temp repo
+            with patch(
+                "app.services.cleanup_service.WorkspaceService.get_repo_path",
+                return_value=repo_path,
+            ):
+                # Execute cleanup - should be blocked
+                result = await service.delete_worktree(
+                    workspace=workspace,
+                    ticket_id=ticket.id,
+                    actor_id="test-actor",
+                    force=False,
+                    delete_branch=False,
+                )
+
+            # Assert: blocked
+            assert result is False
+
+            # Assert: WORKTREE_CLEANUP_FAILED event
+            events_result = await db.execute(
+                select(TicketEvent)
+                .where(TicketEvent.ticket_id == ticket.id)
+                .where(
+                    TicketEvent.event_type == EventType.WORKTREE_CLEANUP_FAILED.value
+                )
+            )
+            events = events_result.scalars().all()
+            assert len(events) == 1
+
+            payload = json.loads(events[0].payload_json)
+            assert payload.get("cleanup_failed") is True
+
+            # Assert: cleaned_up_at remains NULL
+            await db.refresh(workspace)
+            assert workspace.cleaned_up_at is None
+
+    @pytest.mark.asyncio
+    async def test_worktree_path_outside_draft_dir_is_blocked(self, db: AsyncSession):
+        """Test that cleanup is blocked for paths outside .draft/worktrees."""
+        goal = Goal(id=str(uuid4()), title="Test Goal")
+        db.add(goal)
+        await db.flush()
+
+        ticket = Ticket(
+            id=str(uuid4()),
+            goal_id=goal.id,
+            title="Test ticket",
+            state="done",
+        )
+        db.add(ticket)
+        await db.flush()
+
+        with tempfile.TemporaryDirectory() as tmpdir:
+            repo_path = Path(tmpdir)
+            # Create worktrees dir but put workspace path elsewhere
+            worktrees_dir = repo_path / ".draft/worktrees"
+            worktrees_dir.mkdir(parents=True)
+
+            # Path that's NOT under .draft/worktrees
+            evil_path = repo_path / "src" / "evil-dir"
+            evil_path.mkdir(parents=True)
+
+            workspace = Workspace(
+                id=str(uuid4()),
+                ticket_id=ticket.id,
+                worktree_path=str(evil_path),
+                branch_name="test-branch",
+                created_at=datetime.now(UTC),
+            )
+            db.add(workspace)
+            await db.commit()
+
+            service = CleanupService(db)
+
+            with patch(
+                "app.services.cleanup_service.WorkspaceService.get_repo_path",
+                return_value=repo_path,
+            ):
+                result = await service.delete_worktree(
+                    workspace=workspace,
+                    ticket_id=ticket.id,
+                    actor_id="test-actor",
+                    force=False,
+                    delete_branch=False,
+                )
+
+            assert result is False
+
+            events_result = await db.execute(
+                select(TicketEvent)
+                .where(TicketEvent.ticket_id == ticket.id)
+                .where(
+                    TicketEvent.event_type == EventType.WORKTREE_CLEANUP_FAILED.value
+                )
+            )
+            events = events_result.scalars().all()
+            assert len(events) == 1
+            assert "not under" in events[0].reason.lower()
+
+
+class TestCleanupServiceStillRegistered:
+    """Test handling of worktrees that remain registered after removal attempt."""
+
+    @pytest.mark.asyncio
+    async def test_still_registered_after_remove_fails_returns_false(
+        self, db: AsyncSession
+    ):
+        """Test: git worktree remove fails AND path still registered -> returns False."""
+        goal = Goal(id=str(uuid4()), title="Test Goal")
+        db.add(goal)
+        await db.flush()
+
+        ticket = Ticket(
+            id=str(uuid4()),
+            goal_id=goal.id,
+            title="Test ticket",
+            state="done",
+        )
+        db.add(ticket)
+        await db.flush()
+
+        with tempfile.TemporaryDirectory() as tmpdir:
+            repo_path = Path(tmpdir)
+            worktrees_dir = repo_path / ".draft/worktrees"
+            worktrees_dir.mkdir(parents=True)
+
+            # Create actual worktree directory
+            worktree_path = worktrees_dir / "test-worktree"
+            worktree_path.mkdir()
+
+            workspace = Workspace(
+                id=str(uuid4()),
+                ticket_id=ticket.id,
+                worktree_path=str(worktree_path),
+                branch_name="test-branch",
+                created_at=datetime.now(UTC),
+            )
+            db.add(workspace)
+            await db.commit()
+
+            service = CleanupService(db)
+
+            # Mock subprocess: worktree remove fails, list shows still registered
+            with (
+                patch("app.services.cleanup_service.subprocess.run") as mock_run,
+                patch("app.services.cleanup_service.shutil.rmtree") as mock_rmtree,
+                patch(
+                    "app.services.cleanup_service.WorkspaceService.get_repo_path",
+                    return_value=repo_path,
+                ),
+            ):
+
+                def run_side_effect(cmd, **kwargs):
+                    result = MagicMock()
+                    if cmd[:3] == ["git", "worktree", "remove"]:
+                        result.returncode = 1
+                        result.stderr = "error: cannot remove worktree"
+                        result.stdout = ""
+                    elif cmd[:3] == ["git", "worktree", "list"]:
+                        # Return porcelain format showing worktree as registered
+                        result.returncode = 0
+                        result.stdout = f"worktree {worktree_path}\nHEAD abc123\nbranch refs/heads/test-branch\n"
+                        result.stderr = ""
+                    else:
+                        result.returncode = 0
+                        result.stdout = ""
+                        result.stderr = ""
+                    return result
+
+                mock_run.side_effect = run_side_effect
+
+                result = await service.delete_worktree(
+                    workspace=workspace,
+                    ticket_id=ticket.id,
+                    actor_id="test-actor",
+                    force=False,
+                    delete_branch=False,
+                )
+
+                # Assert: Returns False
+                assert result is False
+
+                # Assert: rmtree NOT called (worktree still registered)
+                mock_rmtree.assert_not_called()
+
+            # Assert: cleaned_up_at remains NULL
+            await db.refresh(workspace)
+            assert workspace.cleaned_up_at is None
+
+            # Assert: WORKTREE_CLEANUP_FAILED event with still_registered=True
+            events_result = await db.execute(
+                select(TicketEvent)
+                .where(TicketEvent.ticket_id == ticket.id)
+                .where(
+                    TicketEvent.event_type == EventType.WORKTREE_CLEANUP_FAILED.value
+                )
+            )
+            events = events_result.scalars().all()
+            assert len(events) == 1
+
+            payload = json.loads(events[0].payload_json)
+            assert payload.get("cleanup_failed") is True
+            assert payload.get("still_registered") is True
+            assert payload.get("worktree_removed") is False
+
+    @pytest.mark.asyncio
+    async def test_force_true_still_registered_returns_false(self, db: AsyncSession):
+        """Test: force=True but still registered -> still returns False.
+
+        Even with force=True, we cannot safely proceed if the worktree
+        is still registered. cleaned_up_at must remain NULL.
+        """
+        goal = Goal(id=str(uuid4()), title="Test Goal")
+        db.add(goal)
+        await db.flush()
+
+        ticket = Ticket(
+            id=str(uuid4()),
+            goal_id=goal.id,
+            title="Test ticket",
+            state="done",
+        )
+        db.add(ticket)
+        await db.flush()
+
+        with tempfile.TemporaryDirectory() as tmpdir:
+            repo_path = Path(tmpdir)
+            worktrees_dir = repo_path / ".draft/worktrees"
+            worktrees_dir.mkdir(parents=True)
+
+            worktree_path = worktrees_dir / "test-worktree"
+            worktree_path.mkdir()
+
+            workspace = Workspace(
+                id=str(uuid4()),
+                ticket_id=ticket.id,
+                worktree_path=str(worktree_path),
+                branch_name="test-branch",
+                created_at=datetime.now(UTC),
+            )
+            db.add(workspace)
+            await db.commit()
+
+            service = CleanupService(db)
+
+            with (
+                patch("app.services.cleanup_service.subprocess.run") as mock_run,
+                patch("app.services.cleanup_service.shutil.rmtree") as mock_rmtree,
+                patch(
+                    "app.services.cleanup_service.WorkspaceService.get_repo_path",
+                    return_value=repo_path,
+                ),
+            ):
+
+                def run_side_effect(cmd, **kwargs):
+                    result = MagicMock()
+                    if cmd[:3] == ["git", "worktree", "remove"]:
+                        result.returncode = 1
+                        result.stderr = "error: cannot remove"
+                        result.stdout = ""
+                    elif cmd[:3] == ["git", "worktree", "list"]:
+                        result.returncode = 0
+                        result.stdout = f"worktree {worktree_path}\n"
+                        result.stderr = ""
+                    else:
+                        result.returncode = 0
+                        result.stdout = ""
+                        result.stderr = ""
+                    return result
+
+                mock_run.side_effect = run_side_effect
+
+                # Call with force=True
+                result = await service.delete_worktree(
+                    workspace=workspace,
+                    ticket_id=ticket.id,
+                    actor_id="test-actor",
+                    force=True,  # Force flag!
+                    delete_branch=False,
+                )
+
+                # Assert: STILL returns False - force cannot override "still registered"
+                assert result is False
+
+                # Assert: rmtree NOT called
+                mock_rmtree.assert_not_called()
+
+            # Assert: cleaned_up_at remains NULL (even with force!)
+            await db.refresh(workspace)
+            assert workspace.cleaned_up_at is None
+
+            # Assert: Event has force_used=True + still_registered=True
+            events_result = await db.execute(
+                select(TicketEvent)
+                .where(TicketEvent.ticket_id == ticket.id)
+                .where(
+                    TicketEvent.event_type == EventType.WORKTREE_CLEANUP_FAILED.value
+                )
+            )
+            events = events_result.scalars().all()
+            assert len(events) == 1
+
+            payload = json.loads(events[0].payload_json)
+            assert payload.get("force_used") is True
+            assert payload.get("still_registered") is True
+            assert payload.get("cleanup_failed") is True

package/app/backend/tests/test_middleware.py

@@ -0,0 +1,279 @@
+"""Tests for idempotency and rate limiting middleware.
+
+These tests verify failure modes and edge cases for the SQLite-backed middleware.
+"""
+
+import sqlite3
+import time
+from unittest.mock import patch
+
+import pytest
+from fastapi import FastAPI
+from fastapi.testclient import TestClient
+
+from app.middleware.idempotency import IdempotencyMiddleware
+from app.middleware.rate_limit import RateLimitMiddleware
+
+# =============================================================================
+# Test App Setup
+# =============================================================================
+
+
+def create_test_app(
+    with_idempotency: bool = False,
+    with_rate_limit: bool = False,
+    rate_limit_budget: int = 100,  # Cost-based budget
+    rate_limit_window: int = 60,
+):
+    """Create a test FastAPI app with specified middleware."""
+    app = FastAPI()
+
+    @app.post("/goals/{goal_id}/generate-tickets")
+    async def generate_tickets(goal_id: str):
+        return {"tickets": [], "goal_id": goal_id, "timestamp": time.time()}
+
+    @app.post("/goals/{goal_id}/reflect-on-tickets")
+    async def reflect_on_tickets(goal_id: str):
+        return {"quality": "good", "timestamp": time.time()}
+
+    @app.post("/other")
+    async def other_endpoint():
+        return {"status": "ok"}
+
+    if with_rate_limit:
+        app.add_middleware(
+            RateLimitMiddleware,
+            budget=rate_limit_budget,
+            window_seconds=rate_limit_window,
+        )
+
+    if with_idempotency:
+        app.add_middleware(IdempotencyMiddleware)
+
+    return app
+
+
+# =============================================================================
+# Shared SQLite fixture
+# =============================================================================
+
+
+@pytest.fixture
+def sqlite_test_db(tmp_path):
+    """Create a temporary SQLite database with all required tables."""
+    db_path = str(tmp_path / "test.db")
+    conn = sqlite3.connect(db_path)
+    conn.execute("PRAGMA journal_mode=WAL")
+    conn.execute("""
+        CREATE TABLE idempotency_cache (
+            cache_key TEXT PRIMARY KEY,
+            lock_value TEXT,
+            result_value TEXT,
+            lock_expires_at TIMESTAMP,
+            result_expires_at TIMESTAMP,
+            created_at TIMESTAMP NOT NULL DEFAULT CURRENT_TIMESTAMP
+        )
+    """)
+    conn.execute("""
+        CREATE TABLE rate_limit_entries (
+            id INTEGER PRIMARY KEY AUTOINCREMENT,
+            client_key TEXT NOT NULL,
+            cost INTEGER NOT NULL DEFAULT 1,
+            recorded_at REAL NOT NULL,
+            expires_at REAL NOT NULL
+        )
+    """)
+    conn.execute("""
+        CREATE TABLE kv_store (
+            key TEXT PRIMARY KEY,
+            value TEXT NOT NULL,
+            expires_at TIMESTAMP,
+            created_at TIMESTAMP NOT NULL DEFAULT CURRENT_TIMESTAMP
+        )
+    """)
+    conn.commit()
+    conn.close()
+
+    with patch("app.sqlite_kv._DB_PATH", db_path):
+        yield db_path
+
+
+# =============================================================================
+# Idempotency Tests
+# =============================================================================
+
+
+class TestIdempotencyMiddleware:
+    """Tests for IdempotencyMiddleware with SQLite backend."""
+
+    def test_first_request_executes(self, sqlite_test_db):
+        """First request acquires lock via SQLite INSERT OR IGNORE."""
+        app = create_test_app(with_idempotency=True)
+        client = TestClient(app)
+
+        response = client.post(
+            "/goals/123/generate-tickets",
+            json={},
+            headers={"Idempotency-Key": "test-1"},
+        )
+        assert response.status_code == 200
+        assert response.headers.get("X-Execution-ID") is not None
+
+    def test_cached_response_returned(self, sqlite_test_db):
+        """Second request with same key returns cached response."""
+        app = create_test_app(with_idempotency=True)
+        client = TestClient(app)
+
+        # First request
+        response1 = client.post(
+            "/goals/123/generate-tickets",
+            json={},
+            headers={
+                "Idempotency-Key": "test-cache",
+                "X-Client-ID": "test-client",
+            },
+        )
+        assert response1.status_code == 200
+        data1 = response1.json()
+
+        # Second request - should get cached
+        response2 = client.post(
+            "/goals/123/generate-tickets",
+            json={},
+            headers={
+                "Idempotency-Key": "test-cache",
+                "X-Client-ID": "test-client",
+            },
+        )
+        assert response2.status_code == 200
+        assert response2.headers.get("X-Idempotency-Replayed") == "true"
+        data2 = response2.json()
+        assert data1["timestamp"] == data2["timestamp"]
+
+    def test_different_body_returns_409(self, sqlite_test_db):
+        """Same key + different body returns 409."""
+        app = create_test_app(with_idempotency=True)
+        client = TestClient(app)
+
+        # First request
+        client.post(
+            "/goals/123/generate-tickets",
+            json={"body": "original"},
+            headers={
+                "Idempotency-Key": "test-conflict",
+                "X-Client-ID": "test-client",
+            },
+        )
+
+        # Second request with different body
+        response = client.post(
+            "/goals/123/generate-tickets",
+            json={"body": "different"},
+            headers={
+                "Idempotency-Key": "test-conflict",
+                "X-Client-ID": "test-client",
+            },
+        )
+        assert response.status_code == 409
+
+    def test_no_idempotency_key_processes_normally(self, sqlite_test_db):
+        """Requests without idempotency key should process normally."""
+        app = create_test_app(with_idempotency=True)
+        client = TestClient(app)
+
+        response = client.post(
+            "/goals/123/generate-tickets",
+            json={},
+        )
+        assert response.status_code == 200
+
+    def test_idempotency_key_too_long_returns_400(self):
+        """Idempotency key longer than 64 chars should return 400."""
+        app = create_test_app(with_idempotency=True)
+        client = TestClient(app)
+
+        response = client.post(
+            "/goals/123/generate-tickets",
+            json={},
+            headers={"Idempotency-Key": "x" * 100},
+        )
+        assert response.status_code == 400
+        assert "too long" in response.json()["detail"]
+
+    def test_non_idempotent_endpoints_bypass_middleware(self, sqlite_test_db):
+        """Endpoints not in IDEMPOTENT_ENDPOINTS should bypass middleware."""
+        app = create_test_app(with_idempotency=True)
+        client = TestClient(app)
+
+        response = client.post(
+            "/other",
+            json={},
+            headers={"Idempotency-Key": "test-key"},
+        )
+        assert response.status_code == 200
+
+
+# =============================================================================
+# Rate Limit Tests
+# =============================================================================
+
+
+class TestRateLimitMiddleware:
+    """Tests for RateLimitMiddleware with SQLite backend."""
+
+    def test_rate_limit_allows_within_budget(self, sqlite_test_db):
+        """Requests within budget should succeed."""
+        app = create_test_app(with_rate_limit=True, rate_limit_budget=100)
+        client = TestClient(app)
+
+        response = client.post(
+            "/goals/123/generate-tickets",
+            json={},
+        )
+        assert response.status_code == 200
+        assert response.headers.get("X-RateLimit-Limit") == "100"
+
+    def test_rate_limit_blocks_when_exceeded(self, sqlite_test_db):
+        """Requests exceeding budget should get 429."""
+        app = create_test_app(
+            with_rate_limit=True, rate_limit_budget=5, rate_limit_window=60
+        )
+        client = TestClient(app)
+
+        # Make requests until rate limited
+        got_429 = False
+        for _ in range(10):
+            response = client.post(
+                "/goals/123/generate-tickets",
+                json={},
+            )
+            if response.status_code == 429:
+                got_429 = True
+                break
+
+        assert got_429, "Should have been rate limited"
+        data = response.json()
+        assert "Rate limit exceeded" in data["detail"]
+
+    def test_rate_limit_headers_present_on_success(self, sqlite_test_db):
+        """Successful requests should include rate limit headers."""
+        app = create_test_app(with_rate_limit=True, rate_limit_budget=100)
+        client = TestClient(app)
+
+        response = client.post(
+            "/goals/123/generate-tickets",
+            json={},
+        )
+        assert response.status_code == 200
+        assert response.headers.get("X-RateLimit-Limit") == "100"
+        assert response.headers.get("X-RateLimit-Remaining") is not None
+        assert response.headers.get("X-RateLimit-Reset") is not None
+
+    def test_non_rate_limited_endpoints_bypass_middleware(self, sqlite_test_db):
+        """Endpoints not in RATE_LIMITED_ENDPOINTS should bypass middleware."""
+        app = create_test_app(with_rate_limit=True)
+        client = TestClient(app)
+
+        response = client.post("/other", json={})
+        assert response.status_code == 200
+        assert response.headers.get("X-RateLimit-Limit") is None