groove-dev 0.27.77 → 0.27.78

package/moe-training/test/server/stitcher.test.js

@@ -0,0 +1,157 @@
+// FSL-1.1-Apache-2.0 — see LICENSE
+
+import { describe, it, beforeEach, afterEach } from 'node:test';
+import assert from 'node:assert/strict';
+import { mkdtempSync, rmSync } from 'node:fs';
+import { join } from 'node:path';
+import { tmpdir } from 'node:os';
+import { EnvelopeStorage } from '../../server/storage.js';
+import { TrajectoryStitcher } from '../../server/stitcher.js';
+
+describe('TrajectoryStitcher', () => {
+  let storage;
+  let stitcher;
+  let tmpDir;
+
+  beforeEach(() => {
+    tmpDir = mkdtempSync(join(tmpdir(), 'stitch-test-'));
+    storage = new EnvelopeStorage(join(tmpDir, 'envelopes'));
+    stitcher = new TrajectoryStitcher(storage);
+  });
+
+  afterEach(() => {
+    rmSync(tmpDir, { recursive: true, force: true });
+  });
+
+  it('stitches 3 chunks into correct order', () => {
+    const sessionId = 'sess_stitch_001';
+
+    storage.store({
+      session_id: sessionId, chunk_sequence: 2, contributor_id: 'contrib_1',
+      metadata: { model_engine: 'claude-opus-4-6', provider: 'claude-code' },
+      trajectory_log: [
+        { step: 3, type: 'action', tool: 'Edit', token_count: 20 },
+        { step: 4, type: 'observation', content: 'done', token_count: 5 },
+      ],
+    });
+    storage.store({
+      session_id: sessionId, chunk_sequence: 0, contributor_id: 'contrib_1',
+      metadata: { model_engine: 'claude-opus-4-6', provider: 'claude-code' },
+      trajectory_log: [
+        { step: 1, type: 'thought', content: 'plan', token_count: 10 },
+      ],
+    });
+    storage.store({
+      session_id: sessionId, chunk_sequence: 1, contributor_id: 'contrib_1',
+      metadata: { model_engine: 'claude-opus-4-6', provider: 'claude-code' },
+      trajectory_log: [
+        { step: 2, type: 'action', tool: 'Grep', token_count: 15 },
+      ],
+    });
+
+    const result = stitcher.stitch(sessionId);
+
+    assert.ok(result);
+    assert.equal(result.session_id, sessionId);
+    assert.equal(result.total_steps, 4);
+    assert.equal(result.total_chunks, 3);
+    assert.deepEqual(result.trajectory_log.map(s => s.step), [1, 2, 3, 4]);
+  });
+
+  it('has all steps present and ordered by step number', () => {
+    const sessionId = 'sess_stitch_002';
+
+    storage.store({
+      session_id: sessionId, chunk_sequence: 0, contributor_id: 'c1',
+      metadata: {},
+      trajectory_log: [
+        { step: 1, type: 'thought', token_count: 5 },
+        { step: 2, type: 'action', tool: 'Read', token_count: 3 },
+      ],
+    });
+    storage.store({
+      session_id: sessionId, chunk_sequence: 1, contributor_id: 'c1',
+      metadata: {},
+      trajectory_log: [
+        { step: 3, type: 'observation', token_count: 8 },
+      ],
+    });
+
+    const result = stitcher.stitch(sessionId);
+    assert.equal(result.total_steps, 3);
+    assert.equal(result.total_tokens, 16);
+
+    for (let i = 0; i < result.trajectory_log.length - 1; i++) {
+      assert.ok(result.trajectory_log[i].step < result.trajectory_log[i + 1].step);
+    }
+  });
+
+  it('computes step_type_distribution correctly', () => {
+    const sessionId = 'sess_stitch_003';
+
+    storage.store({
+      session_id: sessionId, chunk_sequence: 0, contributor_id: 'c1',
+      metadata: {},
+      trajectory_log: [
+        { step: 1, type: 'thought', token_count: 5 },
+        { step: 2, type: 'action', tool: 'Read', token_count: 3 },
+        { step: 3, type: 'action', tool: 'Edit', token_count: 4 },
+        { step: 4, type: 'observation', token_count: 2 },
+        { step: 5, type: 'error', token_count: 1 },
+      ],
+    });
+
+    const result = stitcher.stitch(sessionId);
+    assert.deepEqual(result.step_type_distribution, {
+      thought: 1,
+      action: 2,
+      observation: 1,
+      error: 1,
+    });
+    assert.deepEqual(result.unique_tools_used.sort(), ['Edit', 'Read']);
+  });
+
+  it('returns null for unknown session', () => {
+    const result = stitcher.stitch('sess_nonexistent');
+    assert.equal(result, null);
+  });
+
+  it('includes outcome from SESSION_CLOSE envelope', () => {
+    const sessionId = 'sess_stitch_004';
+
+    storage.store({
+      session_id: sessionId, chunk_sequence: 0, contributor_id: 'c1',
+      metadata: {},
+      trajectory_log: [{ step: 1, type: 'thought', token_count: 5 }],
+    });
+    storage.store({
+      session_id: sessionId, type: 'SESSION_CLOSE',
+      outcome: { status: 'SUCCESS', total_steps: 1, user_interventions: 0 },
+    });
+
+    const result = stitcher.stitch(sessionId);
+    assert.ok(result.outcome);
+    assert.equal(result.outcome.status, 'SUCCESS');
+  });
+
+  it('links coordination steps', () => {
+    const sessionId = 'sess_stitch_005';
+
+    storage.store({
+      session_id: sessionId, chunk_sequence: 0, contributor_id: 'c1',
+      metadata: {},
+      trajectory_log: [
+        { step: 1, type: 'coordination', coordination_id: 'coord_1', direction: 'outbound', target_agent: 'backend-1', token_count: 5 },
+        { step: 2, type: 'thought', token_count: 3 },
+      ],
+    });
+
+    const result = stitcher.stitch(sessionId);
+    const enriched = stitcher.linkCoordination(result);
+
+    const coordStep = enriched.trajectory_log.find(s => s.type === 'coordination');
+    assert.ok(coordStep.coordination_partner);
+    assert.equal(coordStep.coordination_partner.coordination_id, 'coord_1');
+    assert.equal(coordStep.coordination_partner.linked, true);
+  });
+});

package/moe-training/test/server/verifier.test.js

@@ -0,0 +1,232 @@
+// FSL-1.1-Apache-2.0 — see LICENSE
+
+import { describe, it, beforeEach, afterEach } from 'node:test';
+import assert from 'node:assert/strict';
+import { mkdtempSync, rmSync } from 'node:fs';
+import { join } from 'node:path';
+import { tmpdir } from 'node:os';
+import { generateECDHKeypair, deriveSharedSecret, signEnvelope } from '../../shared/crypto.js';
+import { SessionRegistry } from '../../server/session-registry.js';
+import { EnvelopeVerifier } from '../../server/verifier.js';
+
+const VALID_CONTRIBUTOR = 'c'.repeat(32);
+const VALID_APP_HASH = 'b'.repeat(64);
+
+function makeSignedEnvelope(sessionId, sequence, sharedSecret, extra = {}) {
+  const envelope = {
+    envelope_id: `env_test_${sequence}`,
+    session_id: sessionId,
+    chunk_sequence: sequence,
+    contributor_id: VALID_CONTRIBUTOR,
+    metadata: { model_engine: 'claude-opus-4-6', provider: 'claude-code', agent_role: 'frontend', agent_id: 'frontend-1' },
+    trajectory_log: [{ step: 1, type: 'thought', timestamp: Date.now() / 1000, content: 'test', token_count: 10 }],
+    ...extra,
+  };
+
+  const forHmac = { ...envelope };
+  const envelopeBytes = JSON.stringify(forHmac);
+  const hmac = signEnvelope(sharedSecret, envelopeBytes, sequence);
+
+  envelope.attestation = {
+    session_hmac: hmac,
+    sequence,
+    app_version_hash: VALID_APP_HASH,
+  };
+
+  return envelope;
+}
+
+function makeSignedCloseEnvelope(sessionId, sequence, sharedSecret) {
+  const envelope = {
+    envelope_id: `env_close_${sequence}`,
+    session_id: sessionId,
+    type: 'SESSION_CLOSE',
+    outcome: {
+      status: 'SUCCESS',
+      total_steps: 10,
+      total_chunks: 1,
+      user_interventions: 0,
+      total_tokens: 500,
+      duration_seconds: 60,
+      files_modified: 1,
+      errors_encountered: 0,
+      errors_recovered: 0,
+      coordination_events: 0,
+    },
+  };
+
+  const forHmac = { ...envelope };
+  const envelopeBytes = JSON.stringify(forHmac);
+  const hmac = signEnvelope(sharedSecret, envelopeBytes, sequence);
+
+  envelope.attestation = {
+    session_hmac: hmac,
+    sequence,
+    app_version_hash: VALID_APP_HASH,
+  };
+
+  return envelope;
+}
+
+describe('EnvelopeVerifier', () => {
+  let registry;
+  let verifier;
+  let tmpDir;
+  let sharedSecret;
+  const sessionId = 'sess_verify_001';
+
+  beforeEach(() => {
+    tmpDir = mkdtempSync(join(tmpdir(), 'verify-test-'));
+    registry = new SessionRegistry(join(tmpDir, 'sessions.db'));
+    verifier = new EnvelopeVerifier(registry);
+
+    const clientKeypair = generateECDHKeypair();
+    const result = registry.openSession(
+      sessionId, clientKeypair.publicKey, 'claude-code', 'claude-opus-4-6',
+      'fp_verify', 'hash_verify', '0.27.77'
+    );
+
+    const session = registry.getSession(sessionId);
+    sharedSecret = session.shared_secret;
+  });
+
+  afterEach(() => {
+    registry.close();
+    rmSync(tmpDir, { recursive: true, force: true });
+  });
+
+  it('accepts a valid envelope with correct HMAC', () => {
+    const envelope = makeSignedEnvelope(sessionId, 0, sharedSecret);
+    const result = verifier.verify(envelope);
+    assert.equal(result.valid, true);
+  });
+
+  it('rejects a tampered envelope (HMAC fails)', () => {
+    const envelope = makeSignedEnvelope(sessionId, 0, sharedSecret);
+    envelope.trajectory_log.push({ step: 2, type: 'action', content: 'injected' });
+    const result = verifier.verify(envelope);
+    assert.equal(result.valid, false);
+    assert.ok(result.reason.includes('HMAC'));
+  });
+
+  it('rejects wrong sequence number', () => {
+    const envelope = makeSignedEnvelope(sessionId, 5, sharedSecret);
+    const result = verifier.verify(envelope);
+    assert.equal(result.valid, false);
+    assert.ok(result.reason.includes('sequence'));
+  });
+
+  it('rejects unknown session_id', () => {
+    const envelope = makeSignedEnvelope('sess_nonexistent', 0, sharedSecret);
+    const result = verifier.verify(envelope);
+    assert.equal(result.valid, false);
+    assert.ok(result.reason.includes('unknown session_id'));
+  });
+
+  it('rejects envelope for closed session', () => {
+    registry.closeSession(sessionId);
+    const envelope = makeSignedEnvelope(sessionId, 0, sharedSecret);
+    const result = verifier.verify(envelope);
+    assert.equal(result.valid, false);
+    assert.ok(result.reason.includes('closed'));
+  });
+
+  it('rejects envelope missing attestation', () => {
+    const envelope = {
+      session_id: sessionId,
+      envelope_id: 'env_no_att',
+      trajectory_log: [],
+    };
+    const result = verifier.verify(envelope);
+    assert.equal(result.valid, false);
+    assert.ok(result.reason.includes('attestation'));
+  });
+
+  it('increments sequence after successful verification', () => {
+    const env0 = makeSignedEnvelope(sessionId, 0, sharedSecret);
+    const r0 = verifier.verify(env0);
+    assert.equal(r0.valid, true);
+
+    const env1 = makeSignedEnvelope(sessionId, 1, sharedSecret);
+    const r1 = verifier.verify(env1);
+    assert.equal(r1.valid, true);
+
+    const session = registry.getSession(sessionId);
+    assert.equal(session.expected_sequence, 2);
+  });
+
+  // --- New security tests ---
+
+  it('rejects empty HMAC string', () => {
+    const envelope = makeSignedEnvelope(sessionId, 0, sharedSecret);
+    envelope.attestation.session_hmac = '';
+    const result = verifier.verify(envelope);
+    assert.equal(result.valid, false);
+    assert.ok(result.reason.includes('HMAC'));
+  });
+
+  it('rejects missing HMAC field', () => {
+    const envelope = makeSignedEnvelope(sessionId, 0, sharedSecret);
+    delete envelope.attestation.session_hmac;
+    const result = verifier.verify(envelope);
+    assert.equal(result.valid, false);
+    assert.ok(result.reason.includes('HMAC'));
+  });
+
+  it('atomic sequence prevents duplicate sequence acceptance', () => {
+    const env0 = makeSignedEnvelope(sessionId, 0, sharedSecret);
+    const r0 = verifier.verify(env0);
+    assert.equal(r0.valid, true);
+
+    // Re-sign with sequence 0 again (replay attempt)
+    const env0replay = makeSignedEnvelope(sessionId, 0, sharedSecret);
+    const rReplay = verifier.verify(env0replay);
+    assert.equal(rReplay.valid, false);
+    assert.ok(rReplay.reason.includes('sequence'));
+  });
+
+  it('verifyClose checks sequence number', () => {
+    // Send one regular envelope first (sequence 0)
+    const env0 = makeSignedEnvelope(sessionId, 0, sharedSecret);
+    verifier.verify(env0);
+
+    // Close with wrong sequence
+    const closeWrong = makeSignedCloseEnvelope(sessionId, 0, sharedSecret);
+    const resultWrong = verifyClose(verifier, closeWrong);
+    assert.equal(resultWrong.valid, false);
+    assert.ok(resultWrong.reason.includes('sequence'));
+
+    // Close with correct sequence
+    const closeRight = makeSignedCloseEnvelope(sessionId, 1, sharedSecret);
+    const resultRight = verifyClose(verifier, closeRight);
+    assert.equal(resultRight.valid, true);
+  });
+
+  it('verifyClose rejects empty HMAC', () => {
+    const closeEnv = makeSignedCloseEnvelope(sessionId, 0, sharedSecret);
+    closeEnv.attestation.session_hmac = '';
+    const result = verifier.verifyClose(closeEnv);
+    assert.equal(result.valid, false);
+    assert.ok(result.reason.includes('HMAC'));
+  });
+
+  it('rejects OFFLINE HMAC marker from offline client', () => {
+    const envelope = makeSignedEnvelope(sessionId, 0, sharedSecret);
+    envelope.attestation.session_hmac = 'OFFLINE';
+    const result = verifier.verify(envelope);
+    assert.equal(result.valid, false);
+    assert.ok(result.reason.includes('HMAC'));
+  });
+
+  it('rejects mega-length HMAC string', () => {
+    const envelope = makeSignedEnvelope(sessionId, 0, sharedSecret);
+    envelope.attestation.session_hmac = 'a'.repeat(1_000_000);
+    const result = verifier.verify(envelope);
+    assert.equal(result.valid, false);
+    assert.ok(result.reason.includes('HMAC'));
+  });
+});
+
+function verifyClose(verifier, envelope) {
+  return verifier.verifyClose(envelope);
+}

package/moe-training/test/shared/crypto.test.js

@@ -0,0 +1,87 @@
+// FSL-1.1-Apache-2.0 — see LICENSE
+
+import { describe, it } from 'node:test';
+import assert from 'node:assert/strict';
+import { writeFileSync, mkdtempSync, rmSync } from 'node:fs';
+import { join } from 'node:path';
+import { tmpdir } from 'node:os';
+import {
+  generateECDHKeypair,
+  deriveSharedSecret,
+  signEnvelope,
+  verifyEnvelope,
+  computeAppHash,
+} from '../../shared/crypto.js';
+
+describe('crypto', () => {
+  it('generates ECDH keypairs with base64 encoded keys', () => {
+    const kp = generateECDHKeypair();
+    assert.ok(kp.publicKey);
+    assert.ok(kp.privateKey);
+    assert.ok(Buffer.from(kp.publicKey, 'base64').length > 0);
+    assert.ok(Buffer.from(kp.privateKey, 'base64').length > 0);
+  });
+
+  it('derives the same shared secret from both sides', () => {
+    const alice = generateECDHKeypair();
+    const bob = generateECDHKeypair();
+
+    const secretA = deriveSharedSecret(alice.privateKey, bob.publicKey);
+    const secretB = deriveSharedSecret(bob.privateKey, alice.publicKey);
+
+    assert.equal(secretA, secretB);
+    assert.ok(Buffer.from(secretA, 'base64').length > 0);
+  });
+
+  it('HMAC sign and verify round-trip', () => {
+    const alice = generateECDHKeypair();
+    const bob = generateECDHKeypair();
+    const secret = deriveSharedSecret(alice.privateKey, bob.publicKey);
+
+    const payload = JSON.stringify({ data: 'test envelope content' });
+    const seq = 1;
+    const hmac = signEnvelope(secret, payload, seq);
+
+    assert.ok(typeof hmac === 'string');
+    assert.ok(hmac.length > 0);
+    assert.ok(verifyEnvelope(secret, payload, seq, hmac));
+  });
+
+  it('verification fails with tampered payload', () => {
+    const alice = generateECDHKeypair();
+    const bob = generateECDHKeypair();
+    const secret = deriveSharedSecret(alice.privateKey, bob.publicKey);
+
+    const payload = JSON.stringify({ data: 'original' });
+    const hmac = signEnvelope(secret, payload, 1);
+
+    const tampered = JSON.stringify({ data: 'tampered' });
+    assert.equal(verifyEnvelope(secret, tampered, 1, hmac), false);
+  });
+
+  it('verification fails with wrong sequence number', () => {
+    const alice = generateECDHKeypair();
+    const bob = generateECDHKeypair();
+    const secret = deriveSharedSecret(alice.privateKey, bob.publicKey);
+
+    const payload = JSON.stringify({ data: 'test' });
+    const hmac = signEnvelope(secret, payload, 1);
+
+    assert.equal(verifyEnvelope(secret, payload, 2, hmac), false);
+  });
+
+  it('computeAppHash returns SHA256 of file contents', () => {
+    const dir = mkdtempSync(join(tmpdir(), 'crypto-test-'));
+    const filePath = join(dir, 'test-file.txt');
+    writeFileSync(filePath, 'hello world');
+
+    const hash = computeAppHash(filePath);
+    assert.ok(typeof hash === 'string');
+    assert.equal(hash.length, 64);
+
+    const hash2 = computeAppHash(filePath);
+    assert.equal(hash, hash2);
+
+    rmSync(dir, { recursive: true });
+  });
+});