palaryn 0.1.0

package/dist/tests/integration/storage.test.js

@@ -0,0 +1,826 @@
+"use strict";
+/**
+ * Integration tests for Redis and PostgreSQL storage backends.
+ *
+ * These tests connect to real Redis / Postgres instances and are skipped
+ * automatically when the corresponding environment variable is not set:
+ *
+ *   REDIS_URL      -- e.g. redis://localhost:6379
+ *   DATABASE_URL   -- e.g. postgresql://user:pass@localhost:5432/testdb
+ *
+ * To run locally:
+ *   REDIS_URL=redis://localhost:6379 DATABASE_URL=postgresql://... npx jest tests/integration/storage.test.ts
+ *
+ * In CI with docker-compose the env vars are set automatically.
+ */
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+const ioredis_1 = __importDefault(require("ioredis"));
+const pg_1 = require("pg");
+const crypto_1 = require("crypto");
+const redis_1 = require("../../src/storage/redis");
+const postgres_1 = require("../../src/storage/postgres");
+// ---------------------------------------------------------------------------
+// Skip logic: only run when services are reachable
+// ---------------------------------------------------------------------------
+const REDIS_URL = process.env.REDIS_URL;
+const DATABASE_URL = process.env.DATABASE_URL;
+const describeRedis = REDIS_URL ? describe : describe.skip;
+const describePostgres = DATABASE_URL ? describe : describe.skip;
+// ---------------------------------------------------------------------------
+// Helpers
+// ---------------------------------------------------------------------------
+/** Small delay to let fire-and-forget writes land in Redis / Postgres. */
+const settle = (ms = 100) => new Promise((r) => setTimeout(r, ms));
+function makeToolResult(overrides = {}) {
+    return {
+        tool_call_id: 'tc-001',
+        task_id: 'task-001',
+        status: 'ok',
+        policy: { decision: 'allow', reasons: [] },
+        dlp: { detected: [], redactions: [], severity: 'low' },
+        budget: { estimated_cost_usd: 0, spent_cost_usd_task: 0, remaining_cost_usd_task: 100 },
+        timing: { started_at: new Date().toISOString(), duration_ms: 10 },
+        ...overrides,
+    };
+}
+function makeApprovalRecord(overrides = {}) {
+    return {
+        approval_id: 'appr-001',
+        tool_call_id: 'tc-001',
+        task_id: 'task-001',
+        workspace_id: 'ws-001',
+        actor_id: 'actor-001',
+        tool_name: 'http.get',
+        tool_capability: 'read',
+        args_summary: '{}',
+        scope: 'global',
+        reason: 'test',
+        token_hash: 'hash-001',
+        status: 'pending',
+        created_at: new Date().toISOString(),
+        expires_at: new Date(Date.now() + 3600000).toISOString(),
+        ...overrides,
+    };
+}
+function makeAuditEvent(overrides = {}) {
+    return {
+        event_id: (0, crypto_1.randomUUID)(),
+        event_type: 'TOOL_CALL_RECEIVED',
+        timestamp: new Date().toISOString(),
+        tool_call_id: (0, crypto_1.randomUUID)(),
+        task_id: (0, crypto_1.randomUUID)(),
+        workspace_id: 'ws-integration',
+        actor_id: 'actor-integration',
+        tool_name: 'http.get',
+        metadata: {},
+        ...overrides,
+    };
+}
+function makeBudgetState(overrides = {}) {
+    return {
+        task_id: (0, crypto_1.randomUUID)(),
+        workspace_id: 'ws-integration',
+        actor_id: 'actor-integration',
+        spent_usd: 0,
+        steps: 0,
+        started_at: new Date().toISOString(),
+        ...overrides,
+    };
+}
+// ===========================================================================
+//  REDIS INTEGRATION TESTS
+// ===========================================================================
+describeRedis('Redis Storage Integration', () => {
+    let redis;
+    const TEST_PREFIX = `test:${Date.now()}:`;
+    let rateLimitStore;
+    let idempotencyStore;
+    let budgetStore;
+    let auditStore;
+    let approvalStore;
+    beforeAll(() => {
+        redis = new ioredis_1.default(REDIS_URL);
+        const stores = (0, redis_1.createRedisStores)(redis, TEST_PREFIX);
+        rateLimitStore = stores.rateLimitStore;
+        idempotencyStore = stores.idempotencyStore;
+        budgetStore = stores.budgetStore;
+        auditStore = stores.auditStore;
+        approvalStore = stores.approvalStore;
+    });
+    afterEach(async () => {
+        // Clean up all keys created by this test run
+        const pattern = TEST_PREFIX + '*';
+        let cursor = '0';
+        do {
+            const [nextCursor, keys] = await redis.scan(cursor, 'MATCH', pattern, 'COUNT', 200);
+            cursor = nextCursor;
+            if (keys.length > 0) {
+                await redis.del(...keys);
+            }
+        } while (cursor !== '0');
+        // Reset in-memory caches so tests are independent
+        rateLimitStore.reset();
+        idempotencyStore.clear();
+        budgetStore.reset();
+        auditStore.clear();
+        approvalStore.clear();
+        // Let fire-and-forget deletes settle
+        await settle(50);
+    });
+    afterAll(async () => {
+        await redis.quit();
+    });
+    // -------------------------------------------------------------------------
+    //  RedisRateLimitStore
+    // -------------------------------------------------------------------------
+    describe('RedisRateLimitStore', () => {
+        it('should allow requests within the limit', () => {
+            const key = `actor:${(0, crypto_1.randomUUID)()}`;
+            const result = rateLimitStore.hit(key, 60000, 10);
+            expect(result.allowed).toBe(true);
+            expect(result.current).toBe(1);
+            expect(result.limit).toBe(10);
+            expect(result.resetAt).toBeGreaterThan(Date.now() - 1000);
+        });
+        it('should deny requests exceeding the limit', () => {
+            const key = `actor:${(0, crypto_1.randomUUID)()}`;
+            const windowMs = 60000;
+            const maxRequests = 3;
+            // Fire 3 allowed hits
+            for (let i = 0; i < maxRequests; i++) {
+                const r = rateLimitStore.hit(key, windowMs, maxRequests);
+                expect(r.allowed).toBe(true);
+                expect(r.current).toBe(i + 1);
+            }
+            // 4th should be denied
+            const denied = rateLimitStore.hit(key, windowMs, maxRequests);
+            expect(denied.allowed).toBe(false);
+            expect(denied.current).toBe(maxRequests + 1);
+        });
+        it('should expire entries outside the sliding window', async () => {
+            const key = `actor:${(0, crypto_1.randomUUID)()}`;
+            const windowMs = 200; // 200ms window
+            rateLimitStore.hit(key, windowMs, 1);
+            // Wait for the window to expire
+            await settle(300);
+            // Next hit should be within the limit (old entries pruned)
+            const result = rateLimitStore.hit(key, windowMs, 1);
+            expect(result.allowed).toBe(true);
+            expect(result.current).toBe(1);
+        });
+        it('should persist hits to Redis sorted sets', async () => {
+            const key = `actor:${(0, crypto_1.randomUUID)()}`;
+            rateLimitStore.hit(key, 60000, 10);
+            rateLimitStore.hit(key, 60000, 10);
+            // Let the fire-and-forget pipeline execute
+            await settle(200);
+            const redisKey = TEST_PREFIX + 'rl:' + key;
+            const count = await redis.zcard(redisKey);
+            expect(count).toBe(2);
+        });
+    });
+    // -------------------------------------------------------------------------
+    //  RedisIdempotencyStore
+    // -------------------------------------------------------------------------
+    describe('RedisIdempotencyStore', () => {
+        it('should set and get a cached result', async () => {
+            const id = (0, crypto_1.randomUUID)();
+            const result = makeToolResult({ tool_call_id: id });
+            idempotencyStore.set(id, result, 60000);
+            const cached = await idempotencyStore.get(id);
+            expect(cached?.tool_call_id).toBe(id);
+            expect(cached?.status).toBe('ok');
+        });
+        it('should report has() correctly', async () => {
+            const id = (0, crypto_1.randomUUID)();
+            expect(await idempotencyStore.has(id)).toBe(false);
+            idempotencyStore.set(id, makeToolResult({ tool_call_id: id }), 60000);
+            expect(await idempotencyStore.has(id)).toBe(true);
+        });
+        it('should expire entries after TTL', async () => {
+            const id = (0, crypto_1.randomUUID)();
+            const result = makeToolResult({ tool_call_id: id });
+            idempotencyStore.set(id, result, 150); // 150ms TTL
+            const cached = await idempotencyStore.get(id);
+            expect(cached?.tool_call_id).toBe(id);
+            // Wait for local cache expiry
+            await settle(250);
+            expect(await idempotencyStore.get(id)).toBeUndefined();
+            expect(await idempotencyStore.has(id)).toBe(false);
+        });
+        it('should persist to Redis with PX expiry', async () => {
+            const id = (0, crypto_1.randomUUID)();
+            const result = makeToolResult({ tool_call_id: id });
+            idempotencyStore.set(id, result, 30000);
+            // Let fire-and-forget SET complete
+            await settle(200);
+            const redisKey = TEST_PREFIX + 'idem:' + id;
+            const raw = await redis.get(redisKey);
+            expect(raw).not.toBeNull();
+            expect(JSON.parse(raw).tool_call_id).toBe(id);
+            const ttl = await redis.pttl(redisKey);
+            expect(ttl).toBeGreaterThan(0);
+            expect(ttl).toBeLessThanOrEqual(30000);
+        });
+        it('should return undefined for unknown keys', async () => {
+            expect(await idempotencyStore.get((0, crypto_1.randomUUID)())).toBeUndefined();
+        });
+    });
+    // -------------------------------------------------------------------------
+    //  RedisBudgetStore
+    // -------------------------------------------------------------------------
+    describe('RedisBudgetStore', () => {
+        it('should set and get task state', () => {
+            const state = makeBudgetState();
+            budgetStore.setTaskState(state.task_id, state);
+            const retrieved = budgetStore.getTaskState(state.task_id);
+            expect(retrieved).toEqual(state);
+        });
+        it('should return undefined for unknown task', () => {
+            expect(budgetStore.getTaskState((0, crypto_1.randomUUID)())).toBeUndefined();
+        });
+        it('should increment and get counters', () => {
+            const key = `spend:${(0, crypto_1.randomUUID)()}`;
+            expect(budgetStore.getCounter(key)).toBe(0);
+            budgetStore.incrementCounter(key, 1.50);
+            expect(budgetStore.getCounter(key)).toBeCloseTo(1.50);
+            budgetStore.incrementCounter(key, 2.25);
+            expect(budgetStore.getCounter(key)).toBeCloseTo(3.75);
+        });
+        it('should track retry counts', () => {
+            const toolCallId = (0, crypto_1.randomUUID)();
+            expect(budgetStore.getRetryCount(toolCallId)).toBe(0);
+            const count1 = budgetStore.incrementRetryCount(toolCallId);
+            expect(count1).toBe(1);
+            expect(budgetStore.getRetryCount(toolCallId)).toBe(1);
+            const count2 = budgetStore.incrementRetryCount(toolCallId);
+            expect(count2).toBe(2);
+            expect(budgetStore.getRetryCount(toolCallId)).toBe(2);
+        });
+        it('should persist task state to Redis', async () => {
+            const state = makeBudgetState({ spent_usd: 5.99, steps: 3 });
+            budgetStore.setTaskState(state.task_id, state);
+            await settle(200);
+            const redisKey = TEST_PREFIX + 'budget:task:' + state.task_id;
+            const data = await redis.hgetall(redisKey);
+            expect(data.task_id).toBe(state.task_id);
+            expect(Number(data.spent_usd)).toBeCloseTo(5.99);
+            expect(Number(data.steps)).toBe(3);
+        });
+        it('should persist counters to Redis', async () => {
+            const key = `spend:${(0, crypto_1.randomUUID)()}`;
+            budgetStore.incrementCounter(key, 10.5);
+            await settle(200);
+            const redisKey = TEST_PREFIX + 'budget:counters';
+            const raw = await redis.hget(redisKey, key);
+            expect(Number(raw)).toBeCloseTo(10.5);
+        });
+        it('should hydrate from Redis after reset', async () => {
+            const state = makeBudgetState({ spent_usd: 7.77, steps: 5 });
+            budgetStore.setTaskState(state.task_id, state);
+            budgetStore.incrementCounter('daily:actor-1', 42);
+            await settle(200);
+            // Create a fresh store pointed at the same prefix
+            const freshStore = new redis_1.RedisBudgetStore(redis, TEST_PREFIX + 'budget:');
+            await freshStore.hydrate();
+            expect(freshStore.getTaskState(state.task_id)).toEqual(state);
+            expect(freshStore.getCounter('daily:actor-1')).toBe(42);
+        });
+    });
+    // -------------------------------------------------------------------------
+    //  RedisAuditStore
+    // -------------------------------------------------------------------------
+    describe('RedisAuditStore', () => {
+        it('should append and retrieve events by task ID', () => {
+            const taskId = (0, crypto_1.randomUUID)();
+            const event1 = makeAuditEvent({ task_id: taskId, event_type: 'TOOL_CALL_RECEIVED' });
+            const event2 = makeAuditEvent({ task_id: taskId, event_type: 'POLICY_DECIDED' });
+            const otherEvent = makeAuditEvent({ task_id: (0, crypto_1.randomUUID)() });
+            auditStore.append(event1);
+            auditStore.append(event2);
+            auditStore.append(otherEvent);
+            const taskEvents = auditStore.getByTaskId(taskId);
+            expect(taskEvents).toHaveLength(2);
+            expect(taskEvents.map((e) => e.event_id)).toContain(event1.event_id);
+            expect(taskEvents.map((e) => e.event_id)).toContain(event2.event_id);
+        });
+        it('should retrieve events by tool call ID', () => {
+            const toolCallId = (0, crypto_1.randomUUID)();
+            const event = makeAuditEvent({ tool_call_id: toolCallId });
+            const other = makeAuditEvent();
+            auditStore.append(event);
+            auditStore.append(other);
+            const results = auditStore.getByToolCallId(toolCallId);
+            expect(results).toHaveLength(1);
+            expect(results[0].event_id).toBe(event.event_id);
+        });
+        it('should retrieve events by event type', () => {
+            const e1 = makeAuditEvent({ event_type: 'DLP_SCANNED' });
+            const e2 = makeAuditEvent({ event_type: 'DLP_SCANNED' });
+            const e3 = makeAuditEvent({ event_type: 'BUDGET_CHECKED' });
+            auditStore.append(e1);
+            auditStore.append(e2);
+            auditStore.append(e3);
+            const dlpEvents = auditStore.getByEventType('DLP_SCANNED');
+            expect(dlpEvents).toHaveLength(2);
+            const budgetEvents = auditStore.getByEventType('BUDGET_CHECKED');
+            expect(budgetEvents).toHaveLength(1);
+        });
+        it('should return all events via getAll()', () => {
+            auditStore.append(makeAuditEvent());
+            auditStore.append(makeAuditEvent());
+            auditStore.append(makeAuditEvent());
+            const all = auditStore.getAll();
+            expect(all).toHaveLength(3);
+        });
+        it('should persist events to Redis and support hydration', async () => {
+            const taskId = (0, crypto_1.randomUUID)();
+            const event = makeAuditEvent({ task_id: taskId });
+            auditStore.append(event);
+            await settle(200);
+            // Verify data key in Redis
+            const dataKey = TEST_PREFIX + 'audit:data';
+            const raw = await redis.hget(dataKey, event.event_id);
+            expect(raw).not.toBeNull();
+            expect(JSON.parse(raw).event_id).toBe(event.event_id);
+            // Verify task index in Redis
+            const taskKey = TEST_PREFIX + 'audit:task:' + taskId;
+            const members = await redis.zrange(taskKey, 0, -1);
+            expect(members).toContain(event.event_id);
+            // Test hydration with a fresh store
+            const freshStore = new redis_1.RedisAuditStore(redis, TEST_PREFIX + 'audit:');
+            await freshStore.hydrate();
+            const hydrated = freshStore.getAll();
+            expect(hydrated).toHaveLength(1);
+            expect(hydrated[0].event_id).toBe(event.event_id);
+        });
+    });
+    // -------------------------------------------------------------------------
+    //  RedisApprovalStore
+    // -------------------------------------------------------------------------
+    describe('RedisApprovalStore', () => {
+        it('should save and retrieve by ID', () => {
+            const id = (0, crypto_1.randomUUID)();
+            const toolCallId = (0, crypto_1.randomUUID)();
+            const approval = makeApprovalRecord({
+                approval_id: id,
+                tool_call_id: toolCallId,
+                workspace_id: 'ws-test',
+            });
+            approvalStore.save(id, approval);
+            const retrieved = approvalStore.getById(id);
+            expect(retrieved).toEqual(approval);
+        });
+        it('should return undefined for unknown approval', () => {
+            expect(approvalStore.getById((0, crypto_1.randomUUID)())).toBeUndefined();
+        });
+        it('should index and retrieve by token', () => {
+            const id = (0, crypto_1.randomUUID)();
+            const token = `tok-${(0, crypto_1.randomUUID)()}`;
+            const approval = makeApprovalRecord({
+                approval_id: id,
+                workspace_id: 'ws-test',
+            });
+            approvalStore.save(id, approval);
+            approvalStore.indexToken(token, id);
+            const byToken = approvalStore.getByToken(token);
+            expect(byToken).toEqual(approval);
+        });
+        it('should return undefined for unknown token', () => {
+            expect(approvalStore.getByToken('nonexistent-token')).toBeUndefined();
+        });
+        it('should retrieve by tool_call_id', () => {
+            const toolCallId = (0, crypto_1.randomUUID)();
+            const id = (0, crypto_1.randomUUID)();
+            const approval = makeApprovalRecord({
+                approval_id: id,
+                tool_call_id: toolCallId,
+                workspace_id: 'ws-test',
+            });
+            approvalStore.save(id, approval);
+            const result = approvalStore.getByToolCallId(toolCallId);
+            expect(result).toEqual(approval);
+        });
+        it('should find pending approvals', () => {
+            const pending1 = makeApprovalRecord({
+                approval_id: (0, crypto_1.randomUUID)(),
+                status: 'pending',
+                workspace_id: 'ws-a',
+            });
+            const pending2 = makeApprovalRecord({
+                approval_id: (0, crypto_1.randomUUID)(),
+                status: 'pending',
+                workspace_id: 'ws-b',
+            });
+            const approved = makeApprovalRecord({
+                approval_id: (0, crypto_1.randomUUID)(),
+                status: 'approved',
+                workspace_id: 'ws-a',
+            });
+            approvalStore.save(pending1.approval_id, pending1);
+            approvalStore.save(pending2.approval_id, pending2);
+            approvalStore.save(approved.approval_id, approved);
+            // All pending
+            const allPending = approvalStore.findPending();
+            expect(allPending).toHaveLength(2);
+            // Filtered by workspace
+            const wsAPending = approvalStore.findPending('ws-a');
+            expect(wsAPending).toHaveLength(1);
+            expect(wsAPending[0].workspace_id).toBe('ws-a');
+        });
+        it('should update approval status from pending to approved', () => {
+            const id = (0, crypto_1.randomUUID)();
+            const approval = makeApprovalRecord({
+                approval_id: id,
+                workspace_id: 'ws-test',
+            });
+            approvalStore.save(id, approval);
+            expect(approvalStore.findPending()).toHaveLength(1);
+            // Update status
+            const updated = { ...approval, status: 'approved' };
+            approvalStore.save(id, updated);
+            expect(approvalStore.getById(id).status).toBe('approved');
+            expect(approvalStore.findPending()).toHaveLength(0);
+        });
+        it('should persist to Redis and support hydration', async () => {
+            const id = (0, crypto_1.randomUUID)();
+            const token = `tok-${(0, crypto_1.randomUUID)()}`;
+            const approval = makeApprovalRecord({
+                approval_id: id,
+                workspace_id: 'ws-hydrate',
+            });
+            approvalStore.save(id, approval);
+            approvalStore.indexToken(token, id);
+            await settle(200);
+            // Verify data in Redis
+            const dataKey = TEST_PREFIX + 'approvals:data';
+            const raw = await redis.hget(dataKey, id);
+            expect(raw).not.toBeNull();
+            expect(JSON.parse(raw).approval_id).toBe(id);
+            // Verify token index in Redis
+            const tokensKey = TEST_PREFIX + 'approvals:tokens';
+            const tokenApprovalId = await redis.hget(tokensKey, token);
+            expect(tokenApprovalId).toBe(id);
+            // Hydrate a fresh store
+            const freshStore = new redis_1.RedisApprovalStore(redis, TEST_PREFIX + 'approvals:');
+            await freshStore.hydrate();
+            expect(freshStore.getById(id)).toEqual(approval);
+            expect(freshStore.getByToken(token)).toEqual(approval);
+        });
+    });
+});
+// ===========================================================================
+//  POSTGRESQL INTEGRATION TESTS
+// ===========================================================================
+describePostgres('PostgreSQL Storage Integration', () => {
+    let pool;
+    let budgetStore;
+    let auditStore;
+    let approvalStore;
+    let idempotencyStore;
+    let rateLimitStore;
+    beforeAll(async () => {
+        pool = new pg_1.Pool({ connectionString: DATABASE_URL });
+        // Create tables (idempotent DDL)
+        await (0, postgres_1.initPostgresStorage)(pool);
+        budgetStore = new postgres_1.PostgresBudgetStore(pool);
+        auditStore = new postgres_1.PostgresAuditStore(pool);
+        approvalStore = new postgres_1.PostgresApprovalStore(pool);
+        idempotencyStore = new postgres_1.PostgresIdempotencyStore(pool);
+        rateLimitStore = new postgres_1.PostgresRateLimitStore(pool);
+    });
+    afterEach(async () => {
+        // Truncate all tables between tests for isolation.
+        // These are synchronous resets on the in-memory cache + async TRUNCATE.
+        budgetStore.reset();
+        auditStore.clear();
+        approvalStore.clear();
+        idempotencyStore.clear();
+        rateLimitStore.reset();
+        // Wait for the async truncate queries to complete
+        await settle(200);
+    });
+    afterAll(async () => {
+        // Drop test tables so we leave the database clean
+        await pool.query('DROP TABLE IF EXISTS budget_task_states CASCADE');
+        await pool.query('DROP TABLE IF EXISTS budget_counters CASCADE');
+        await pool.query('DROP TABLE IF EXISTS budget_retry_counts CASCADE');
+        await pool.query('DROP TABLE IF EXISTS audit_events CASCADE');
+        await pool.query('DROP TABLE IF EXISTS approvals CASCADE');
+        await pool.query('DROP TABLE IF EXISTS approval_tokens CASCADE');
+        await pool.query('DROP TABLE IF EXISTS idempotency_cache CASCADE');
+        await pool.query('DROP TABLE IF EXISTS rate_limit_hits CASCADE');
+        await pool.end();
+    });
+    // -------------------------------------------------------------------------
+    //  PostgresRateLimitStore
+    // -------------------------------------------------------------------------
+    describe('PostgresRateLimitStore', () => {
+        it('should allow requests within the limit', () => {
+            const key = `actor:${(0, crypto_1.randomUUID)()}`;
+            const result = rateLimitStore.hit(key, 60000, 10);
+            expect(result.allowed).toBe(true);
+            expect(result.current).toBe(1);
+            expect(result.limit).toBe(10);
+        });
+        it('should deny requests exceeding the limit', () => {
+            const key = `actor:${(0, crypto_1.randomUUID)()}`;
+            const maxRequests = 3;
+            for (let i = 0; i < maxRequests; i++) {
+                const r = rateLimitStore.hit(key, 60000, maxRequests);
+                expect(r.allowed).toBe(true);
+            }
+            const denied = rateLimitStore.hit(key, 60000, maxRequests);
+            expect(denied.allowed).toBe(false);
+            expect(denied.current).toBe(maxRequests + 1);
+        });
+        it('should expire entries outside the sliding window', async () => {
+            const key = `actor:${(0, crypto_1.randomUUID)()}`;
+            const windowMs = 200;
+            rateLimitStore.hit(key, windowMs, 1);
+            await settle(300);
+            const result = rateLimitStore.hit(key, windowMs, 1);
+            expect(result.allowed).toBe(true);
+            expect(result.current).toBe(1);
+        });
+        it('should persist hits to Postgres', async () => {
+            const key = `actor:${(0, crypto_1.randomUUID)()}`;
+            rateLimitStore.hit(key, 60000, 10);
+            rateLimitStore.hit(key, 60000, 10);
+            await settle(200);
+            const { rows } = await pool.query('SELECT COUNT(*) AS cnt FROM rate_limit_hits WHERE key = $1', [key]);
+            expect(Number(rows[0].cnt)).toBe(2);
+        });
+    });
+    // -------------------------------------------------------------------------
+    //  PostgresIdempotencyStore
+    // -------------------------------------------------------------------------
+    describe('PostgresIdempotencyStore', () => {
+        it('should set and get a cached result', async () => {
+            const id = (0, crypto_1.randomUUID)();
+            const result = makeToolResult({ tool_call_id: id });
+            idempotencyStore.set(id, result, 60000);
+            const cached = await idempotencyStore.get(id);
+            expect(cached?.tool_call_id).toBe(id);
+            expect(cached?.status).toBe('ok');
+        });
+        it('should report has() correctly', async () => {
+            const id = (0, crypto_1.randomUUID)();
+            expect(await idempotencyStore.has(id)).toBe(false);
+            idempotencyStore.set(id, makeToolResult({ tool_call_id: id }), 60000);
+            expect(await idempotencyStore.has(id)).toBe(true);
+        });
+        it('should expire entries after TTL', async () => {
+            const id = (0, crypto_1.randomUUID)();
+            const result = makeToolResult({ tool_call_id: id });
+            idempotencyStore.set(id, result, 150);
+            const cached = await idempotencyStore.get(id);
+            expect(cached?.tool_call_id).toBe(id);
+            await settle(250);
+            expect(await idempotencyStore.get(id)).toBeUndefined();
+        });
+        it('should persist to Postgres', async () => {
+            const id = (0, crypto_1.randomUUID)();
+            const result = makeToolResult({ tool_call_id: id });
+            idempotencyStore.set(id, result, 60000);
+            await settle(200);
+            const { rows } = await pool.query('SELECT result FROM idempotency_cache WHERE tool_call_id = $1', [id]);
+            expect(rows).toHaveLength(1);
+            expect(rows[0].result.tool_call_id).toBe(id);
+        });
+        it('should hydrate from Postgres after cache clear', async () => {
+            const id = (0, crypto_1.randomUUID)();
+            const result = makeToolResult({ tool_call_id: id });
+            idempotencyStore.set(id, result, 60000);
+            await settle(200);
+            // Create a fresh store and hydrate from Postgres
+            const freshStore = new postgres_1.PostgresIdempotencyStore(pool);
+            await freshStore.hydrate();
+            const hydrated = await freshStore.get(id);
+            expect(hydrated).toBeDefined();
+            expect(hydrated?.tool_call_id).toBe(id);
+        });
+    });
+    // -------------------------------------------------------------------------
+    //  PostgresBudgetStore
+    // -------------------------------------------------------------------------
+    describe('PostgresBudgetStore', () => {
+        it('should set and get task state', () => {
+            const state = makeBudgetState();
+            budgetStore.setTaskState(state.task_id, state);
+            const retrieved = budgetStore.getTaskState(state.task_id);
+            expect(retrieved).toEqual(state);
+        });
+        it('should return undefined for unknown task', () => {
+            expect(budgetStore.getTaskState((0, crypto_1.randomUUID)())).toBeUndefined();
+        });
+        it('should increment and get counters', () => {
+            const key = `spend:${(0, crypto_1.randomUUID)()}`;
+            expect(budgetStore.getCounter(key)).toBe(0);
+            budgetStore.incrementCounter(key, 2.50);
+            expect(budgetStore.getCounter(key)).toBeCloseTo(2.50);
+            budgetStore.incrementCounter(key, 3.75);
+            expect(budgetStore.getCounter(key)).toBeCloseTo(6.25);
+        });
+        it('should track retry counts', () => {
+            const toolCallId = (0, crypto_1.randomUUID)();
+            expect(budgetStore.getRetryCount(toolCallId)).toBe(0);
+            expect(budgetStore.incrementRetryCount(toolCallId)).toBe(1);
+            expect(budgetStore.getRetryCount(toolCallId)).toBe(1);
+            expect(budgetStore.incrementRetryCount(toolCallId)).toBe(2);
+            expect(budgetStore.getRetryCount(toolCallId)).toBe(2);
+        });
+        it('should persist task state to Postgres', async () => {
+            const state = makeBudgetState({ spent_usd: 12.34, steps: 7 });
+            budgetStore.setTaskState(state.task_id, state);
+            await settle(200);
+            const { rows } = await pool.query('SELECT * FROM budget_task_states WHERE task_id = $1', [state.task_id]);
+            expect(rows).toHaveLength(1);
+            expect(Number(rows[0].spent_usd)).toBeCloseTo(12.34);
+            expect(Number(rows[0].steps)).toBe(7);
+        });
+        it('should persist counters to Postgres', async () => {
+            const key = `daily:${(0, crypto_1.randomUUID)()}`;
+            budgetStore.incrementCounter(key, 99.9);
+            await settle(200);
+            const { rows } = await pool.query('SELECT value FROM budget_counters WHERE key = $1', [key]);
+            expect(rows).toHaveLength(1);
+            expect(Number(rows[0].value)).toBeCloseTo(99.9);
+        });
+        it('should hydrate from Postgres', async () => {
+            const state = makeBudgetState({ spent_usd: 4.56, steps: 2 });
+            budgetStore.setTaskState(state.task_id, state);
+            budgetStore.incrementCounter('monthly:org-1', 100);
+            await settle(200);
+            const freshStore = new postgres_1.PostgresBudgetStore(pool);
+            await freshStore.hydrate();
+            expect(freshStore.getTaskState(state.task_id)).toEqual(state);
+            expect(freshStore.getCounter('monthly:org-1')).toBe(100);
+        });
+    });
+    // -------------------------------------------------------------------------
+    //  PostgresAuditStore
+    // -------------------------------------------------------------------------
+    describe('PostgresAuditStore', () => {
+        it('should append and retrieve events by task ID', () => {
+            const taskId = (0, crypto_1.randomUUID)();
+            const e1 = makeAuditEvent({ task_id: taskId, event_type: 'TOOL_CALL_RECEIVED' });
+            const e2 = makeAuditEvent({ task_id: taskId, event_type: 'TOOL_EXECUTED' });
+            const other = makeAuditEvent();
+            auditStore.append(e1);
+            auditStore.append(e2);
+            auditStore.append(other);
+            const taskEvents = auditStore.getByTaskId(taskId);
+            expect(taskEvents).toHaveLength(2);
+            expect(taskEvents.map((e) => e.event_id)).toContain(e1.event_id);
+            expect(taskEvents.map((e) => e.event_id)).toContain(e2.event_id);
+        });
+        it('should retrieve events by tool call ID', () => {
+            const toolCallId = (0, crypto_1.randomUUID)();
+            const event = makeAuditEvent({ tool_call_id: toolCallId });
+            auditStore.append(event);
+            auditStore.append(makeAuditEvent());
+            const results = auditStore.getByToolCallId(toolCallId);
+            expect(results).toHaveLength(1);
+            expect(results[0].event_id).toBe(event.event_id);
+        });
+        it('should retrieve events by event type', () => {
+            auditStore.append(makeAuditEvent({ event_type: 'DLP_SCANNED' }));
+            auditStore.append(makeAuditEvent({ event_type: 'DLP_SCANNED' }));
+            auditStore.append(makeAuditEvent({ event_type: 'BUDGET_CHECKED' }));
+            expect(auditStore.getByEventType('DLP_SCANNED')).toHaveLength(2);
+            expect(auditStore.getByEventType('BUDGET_CHECKED')).toHaveLength(1);
+        });
+        it('should return all events', () => {
+            auditStore.append(makeAuditEvent());
+            auditStore.append(makeAuditEvent());
+            expect(auditStore.getAll()).toHaveLength(2);
+        });
+        it('should persist events to Postgres', async () => {
+            const event = makeAuditEvent();
+            auditStore.append(event);
+            await settle(200);
+            const { rows } = await pool.query('SELECT * FROM audit_events WHERE event_id = $1', [event.event_id]);
+            expect(rows).toHaveLength(1);
+            expect(rows[0].event_type).toBe(event.event_type);
+            expect(rows[0].task_id).toBe(event.task_id);
+            expect(rows[0].tool_name).toBe(event.tool_name);
+        });
+        it('should hydrate from Postgres', async () => {
+            const event = makeAuditEvent({ event_type: 'POLICY_DECIDED' });
+            auditStore.append(event);
+            await settle(200);
+            const freshStore = new postgres_1.PostgresAuditStore(pool);
+            await freshStore.hydrate();
+            const all = freshStore.getAll();
+            expect(all).toHaveLength(1);
+            expect(all[0].event_id).toBe(event.event_id);
+            expect(all[0].event_type).toBe('POLICY_DECIDED');
+        });
+    });
+    // -------------------------------------------------------------------------
+    //  PostgresApprovalStore
+    // -------------------------------------------------------------------------
+    describe('PostgresApprovalStore', () => {
+        it('should save and retrieve by ID', () => {
+            const id = (0, crypto_1.randomUUID)();
+            const toolCallId = (0, crypto_1.randomUUID)();
+            const approval = makeApprovalRecord({
+                approval_id: id,
+                tool_call_id: toolCallId,
+                workspace_id: 'ws-pg-test',
+            });
+            approvalStore.save(id, approval);
+            expect(approvalStore.getById(id)).toEqual(approval);
+        });
+        it('should return undefined for unknown approval', () => {
+            expect(approvalStore.getById((0, crypto_1.randomUUID)())).toBeUndefined();
+        });
+        it('should index and retrieve by token', () => {
+            const id = (0, crypto_1.randomUUID)();
+            const token = `tok-${(0, crypto_1.randomUUID)()}`;
+            const approval = makeApprovalRecord({
+                approval_id: id,
+                workspace_id: 'ws-pg',
+            });
+            approvalStore.save(id, approval);
+            approvalStore.indexToken(token, id);
+            expect(approvalStore.getByToken(token)).toEqual(approval);
+        });
+        it('should retrieve by tool_call_id', () => {
+            const toolCallId = (0, crypto_1.randomUUID)();
+            const id = (0, crypto_1.randomUUID)();
+            const approval = makeApprovalRecord({
+                approval_id: id,
+                tool_call_id: toolCallId,
+                workspace_id: 'ws-pg',
+            });
+            approvalStore.save(id, approval);
+            expect(approvalStore.getByToolCallId(toolCallId)).toEqual(approval);
+        });
+        it('should find pending approvals with workspace filter', () => {
+            const p1 = makeApprovalRecord({
+                approval_id: 'p1',
+                status: 'pending',
+                workspace_id: 'ws-alpha',
+            });
+            const p2 = makeApprovalRecord({
+                approval_id: 'p2',
+                status: 'pending',
+                workspace_id: 'ws-beta',
+            });
+            const a1 = makeApprovalRecord({
+                approval_id: 'a1',
+                status: 'approved',
+                workspace_id: 'ws-alpha',
+            });
+            approvalStore.save('p1', p1);
+            approvalStore.save('p2', p2);
+            approvalStore.save('a1', a1);
+            expect(approvalStore.findPending()).toHaveLength(2);
+            expect(approvalStore.findPending('ws-alpha')).toHaveLength(1);
+            expect(approvalStore.findPending('ws-beta')).toHaveLength(1);
+            expect(approvalStore.findPending('ws-nonexistent')).toHaveLength(0);
+        });
+        it('should update status from pending to denied', () => {
+            const id = (0, crypto_1.randomUUID)();
+            const approval = makeApprovalRecord({
+                approval_id: id,
+                workspace_id: 'ws-pg',
+            });
+            approvalStore.save(id, approval);
+            expect(approvalStore.findPending()).toHaveLength(1);
+            approvalStore.save(id, { ...approval, status: 'denied' });
+            expect(approvalStore.findPending()).toHaveLength(0);
+            expect(approvalStore.getById(id).status).toBe('denied');
+        });
+        it('should persist to Postgres and support hydration', async () => {
+            const id = (0, crypto_1.randomUUID)();
+            const token = `tok-${(0, crypto_1.randomUUID)()}`;
+            const approval = makeApprovalRecord({
+                approval_id: id,
+                workspace_id: 'ws-hydrate-pg',
+            });
+            approvalStore.save(id, approval);
+            approvalStore.indexToken(token, id);
+            await settle(200);
+            // Verify row in Postgres
+            const { rows } = await pool.query('SELECT * FROM approvals WHERE approval_id = $1', [id]);
+            expect(rows).toHaveLength(1);
+            expect(rows[0].status).toBe('pending');
+            // Verify token row
+            const { rows: tokenRows } = await pool.query('SELECT * FROM approval_tokens WHERE token = $1', [token]);
+            expect(tokenRows).toHaveLength(1);
+            expect(tokenRows[0].approval_id).toBe(id);
+            // Hydrate a fresh store
+            const freshStore = new postgres_1.PostgresApprovalStore(pool);
+            await freshStore.hydrate();
+            expect(freshStore.getById(id)).toEqual(approval);
+            expect(freshStore.getByToken(token)).toEqual(approval);
+        });
+    });
+});
+//# sourceMappingURL=storage.test.js.map