palaryn 0.1.0

package/dist/tests/unit/redis-storage.test.js

@@ -0,0 +1,766 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+const redis_1 = require("../../src/storage/redis");
+function makeToolResult(overrides = {}) {
+    return {
+        tool_call_id: 'tc-001',
+        task_id: 'task-001',
+        status: 'ok',
+        policy: { decision: 'allow', reasons: [] },
+        dlp: { detected: [], redactions: [], severity: 'low' },
+        budget: { estimated_cost_usd: 0, spent_cost_usd_task: 0, remaining_cost_usd_task: 100 },
+        timing: { started_at: new Date().toISOString(), duration_ms: 10 },
+        ...overrides,
+    };
+}
+function makeApprovalRecord(overrides = {}) {
+    return {
+        approval_id: 'appr-001',
+        tool_call_id: 'tc-001',
+        task_id: 'task-001',
+        workspace_id: 'ws-001',
+        actor_id: 'actor-001',
+        tool_name: 'http.get',
+        tool_capability: 'read',
+        args_summary: '{}',
+        scope: 'global',
+        reason: 'test',
+        token_hash: 'hash-001',
+        status: 'pending',
+        created_at: new Date().toISOString(),
+        expires_at: new Date(Date.now() + 3600000).toISOString(),
+        ...overrides,
+    };
+}
+// ---------------------------------------------------------------------------
+// Mock Redis client
+// ---------------------------------------------------------------------------
+function createMockPipeline(zcardCount = 1) {
+    return {
+        zremrangebyscore: jest.fn().mockReturnThis(),
+        zadd: jest.fn().mockReturnThis(),
+        zcard: jest.fn().mockReturnThis(),
+        pexpire: jest.fn().mockReturnThis(),
+        hset: jest.fn().mockReturnThis(),
+        sadd: jest.fn().mockReturnThis(),
+        srem: jest.fn().mockReturnThis(),
+        exec: jest.fn().mockResolvedValue([
+            [null, 0], // zremrangebyscore result
+            [null, 1], // zadd result
+            [null, zcardCount], // zcard result
+            [null, 1], // pexpire result
+        ]),
+    };
+}
+function createMockRedis(pipeline) {
+    const mp = pipeline || createMockPipeline();
+    return {
+        pipeline: jest.fn().mockReturnValue(mp),
+        get: jest.fn().mockResolvedValue(null),
+        set: jest.fn().mockResolvedValue('OK'),
+        exists: jest.fn().mockResolvedValue(0),
+        del: jest.fn().mockResolvedValue(1),
+        scan: jest.fn().mockResolvedValue(['0', []]),
+        pttl: jest.fn().mockResolvedValue(5000),
+        zremrangebyscore: jest.fn().mockResolvedValue(0),
+        zrangebyscore: jest.fn().mockResolvedValue([]),
+        // Hash operations (for Budget, Audit, Approval stores)
+        hset: jest.fn().mockResolvedValue(1),
+        hget: jest.fn().mockResolvedValue(null),
+        hgetall: jest.fn().mockResolvedValue({}),
+        hdel: jest.fn().mockResolvedValue(1),
+        // Sorted set operations (for Audit store indices)
+        zadd: jest.fn().mockResolvedValue(1),
+        // Set operations (for Approval store pending set)
+        sadd: jest.fn().mockResolvedValue(1),
+        srem: jest.fn().mockResolvedValue(1),
+        smembers: jest.fn().mockResolvedValue([]),
+    };
+}
+// ---------------------------------------------------------------------------
+// RedisRateLimitStore
+// ---------------------------------------------------------------------------
+describe('RedisRateLimitStore', () => {
+    let mockRedis;
+    let mockPipeline;
+    let store;
+    beforeEach(() => {
+        mockPipeline = createMockPipeline();
+        mockRedis = createMockRedis(mockPipeline);
+        store = new redis_1.RedisRateLimitStore(mockRedis);
+    });
+    it('records a hit and returns allowed=true when under the limit', () => {
+        const result = store.hit('actor:agent-001', 60000, 100);
+        expect(result.allowed).toBe(true);
+        expect(result.current).toBe(1);
+        expect(result.limit).toBe(100);
+        expect(typeof result.resetAt).toBe('number');
+        // Verify Redis pipeline was created and executed
+        expect(mockRedis.pipeline).toHaveBeenCalled();
+        expect(mockPipeline.zremrangebyscore).toHaveBeenCalled();
+        expect(mockPipeline.zadd).toHaveBeenCalled();
+        expect(mockPipeline.zcard).toHaveBeenCalled();
+        expect(mockPipeline.pexpire).toHaveBeenCalled();
+        expect(mockPipeline.exec).toHaveBeenCalled();
+    });
+    it('returns allowed=false when the current count exceeds maxRequests', () => {
+        const windowMs = 60000;
+        const maxRequests = 3;
+        // Fill up the window to the limit
+        store.hit('actor:agent-001', windowMs, maxRequests);
+        store.hit('actor:agent-001', windowMs, maxRequests);
+        store.hit('actor:agent-001', windowMs, maxRequests);
+        // Fourth hit should exceed the limit
+        const result = store.hit('actor:agent-001', windowMs, maxRequests);
+        expect(result.allowed).toBe(false);
+        expect(result.current).toBe(4);
+        expect(result.limit).toBe(maxRequests);
+    });
+    it('reset clears local state', () => {
+        store.hit('actor:agent-001', 60000, 100);
+        store.hit('actor:agent-002', 60000, 100);
+        store.reset();
+        // After reset, a hit on the same key should start fresh (current=1)
+        const result = store.hit('actor:agent-001', 60000, 100);
+        expect(result.current).toBe(1);
+        expect(result.allowed).toBe(true);
+    });
+    it('uses the correct key prefix for Redis operations', () => {
+        const customPrefix = 'myrl:';
+        const customStore = new redis_1.RedisRateLimitStore(mockRedis, customPrefix);
+        customStore.hit('actor:agent-001', 60000, 100);
+        // The zadd call should use the prefixed key
+        const zaddArgs = mockPipeline.zadd.mock.calls[0];
+        expect(zaddArgs[0]).toBe('myrl:actor:agent-001');
+        // zremrangebyscore should also use the prefixed key
+        const zremArgs = mockPipeline.zremrangebyscore.mock.calls[0];
+        expect(zremArgs[0]).toBe('myrl:actor:agent-001');
+    });
+    it('uses the default key prefix "rl:" when none is provided', () => {
+        store.hit('workspace:ws-001', 60000, 500);
+        const zaddArgs = mockPipeline.zadd.mock.calls[0];
+        expect(zaddArgs[0]).toBe('rl:workspace:ws-001');
+    });
+});
+// ---------------------------------------------------------------------------
+// RedisIdempotencyStore
+// ---------------------------------------------------------------------------
+describe('RedisIdempotencyStore', () => {
+    let mockRedis;
+    let store;
+    beforeEach(() => {
+        jest.useFakeTimers();
+        mockRedis = createMockRedis();
+        store = new redis_1.RedisIdempotencyStore(mockRedis);
+    });
+    afterEach(() => {
+        jest.useRealTimers();
+    });
+    it('set stores and get retrieves from local cache', async () => {
+        const result = makeToolResult({ tool_call_id: 'tc-001' });
+        const ttlMs = 300000; // 5 minutes
+        store.set('tc-001', result, ttlMs);
+        const retrieved = await store.get('tc-001');
+        expect(retrieved).toEqual(result);
+    });
+    it('get returns undefined for expired entries', async () => {
+        const result = makeToolResult({ tool_call_id: 'tc-002' });
+        const ttlMs = 5000; // 5 seconds
+        store.set('tc-002', result, ttlMs);
+        // Should be available before expiry
+        expect(await store.get('tc-002')).toEqual(result);
+        // Advance time past the TTL
+        jest.advanceTimersByTime(6000);
+        // Should return undefined after expiry
+        expect(await store.get('tc-002')).toBeUndefined();
+    });
+    it('has returns true for cached entries', async () => {
+        store.set('tc-003', makeToolResult({ tool_call_id: 'tc-003' }), 300000);
+        expect(await store.has('tc-003')).toBe(true);
+    });
+    it('has returns false for expired entries', async () => {
+        store.set('tc-004', makeToolResult({ tool_call_id: 'tc-004' }), 5000);
+        // Before expiry
+        expect(await store.has('tc-004')).toBe(true);
+        // Advance past TTL
+        jest.advanceTimersByTime(6000);
+        // After expiry
+        expect(await store.has('tc-004')).toBe(false);
+    });
+    it('clear empties the local cache', async () => {
+        store.set('tc-005', makeToolResult({ tool_call_id: 'tc-005' }), 300000);
+        store.set('tc-006', makeToolResult({ tool_call_id: 'tc-006' }), 300000);
+        expect(await store.has('tc-005')).toBe(true);
+        expect(await store.has('tc-006')).toBe(true);
+        store.clear();
+        expect(await store.get('tc-005')).toBeUndefined();
+        expect(await store.get('tc-006')).toBeUndefined();
+        expect(await store.has('tc-005')).toBe(false);
+        expect(await store.has('tc-006')).toBe(false);
+    });
+    it('set fires an async Redis SET with PX expiry', () => {
+        const result = makeToolResult({ tool_call_id: 'tc-007' });
+        const ttlMs = 60000;
+        store.set('tc-007', result, ttlMs);
+        expect(mockRedis.set).toHaveBeenCalledWith('idem:tc-007', JSON.stringify(result), 'PX', ttlMs);
+    });
+    it('uses the correct key prefix for Redis operations', () => {
+        const customStore = new redis_1.RedisIdempotencyStore(mockRedis, 'myidem:');
+        const result = makeToolResult({ tool_call_id: 'tc-008' });
+        customStore.set('tc-008', result, 60000);
+        expect(mockRedis.set).toHaveBeenCalledWith('myidem:tc-008', JSON.stringify(result), 'PX', 60000);
+    });
+    it('uses the default key prefix "idem:" when none is provided', () => {
+        const result = makeToolResult({ tool_call_id: 'tc-009' });
+        store.set('tc-009', result, 30000);
+        expect(mockRedis.set).toHaveBeenCalledWith('idem:tc-009', JSON.stringify(result), 'PX', 30000);
+    });
+    it('get returns undefined for keys not in the cache', async () => {
+        expect(await store.get('nonexistent')).toBeUndefined();
+    });
+    it('has returns false for keys not in the cache', async () => {
+        expect(await store.has('nonexistent')).toBe(false);
+    });
+});
+// ---------------------------------------------------------------------------
+// RedisBudgetStore
+// ---------------------------------------------------------------------------
+describe('RedisBudgetStore', () => {
+    let mockRedis;
+    let store;
+    beforeEach(() => {
+        mockRedis = createMockRedis();
+        store = new redis_1.RedisBudgetStore(mockRedis);
+    });
+    describe('getTaskState / setTaskState', () => {
+        it('returns undefined for unknown task', () => {
+            expect(store.getTaskState('task-unknown')).toBeUndefined();
+        });
+        it('stores and retrieves a task state from local cache', () => {
+            const state = {
+                task_id: 'task-001',
+                workspace_id: 'ws-001',
+                actor_id: 'actor-001',
+                spent_usd: 0.50,
+                steps: 3,
+                started_at: '2025-01-01T00:00:00Z',
+            };
+            store.setTaskState('task-001', state);
+            expect(store.getTaskState('task-001')).toEqual(state);
+        });
+        it('fires an async HSET to Redis on setTaskState', () => {
+            const state = {
+                task_id: 'task-002',
+                workspace_id: 'ws-002',
+                actor_id: 'actor-002',
+                spent_usd: 1.25,
+                steps: 5,
+                started_at: '2025-06-15T12:00:00Z',
+            };
+            store.setTaskState('task-002', state);
+            expect(mockRedis.hset).toHaveBeenCalledWith('budget:task:task-002', 'task_id', 'task-002', 'workspace_id', 'ws-002', 'actor_id', 'actor-002', 'spent_usd', '1.25', 'steps', '5', 'started_at', '2025-06-15T12:00:00Z');
+        });
+        it('overwrites an existing task state', () => {
+            const state1 = {
+                task_id: 'task-003',
+                workspace_id: 'ws-001',
+                actor_id: 'actor-001',
+                spent_usd: 0,
+                steps: 0,
+                started_at: '2025-01-01T00:00:00Z',
+            };
+            const state2 = { ...state1, spent_usd: 2.50, steps: 10 };
+            store.setTaskState('task-003', state1);
+            store.setTaskState('task-003', state2);
+            expect(store.getTaskState('task-003')).toEqual(state2);
+        });
+    });
+    describe('getCounter / incrementCounter', () => {
+        it('returns 0 for unknown counter', () => {
+            expect(store.getCounter('user:daily:actor-001')).toBe(0);
+        });
+        it('increments and retrieves a counter', () => {
+            store.incrementCounter('user:daily:actor-001', 0.10);
+            store.incrementCounter('user:daily:actor-001', 0.25);
+            expect(store.getCounter('user:daily:actor-001')).toBeCloseTo(0.35);
+        });
+        it('fires HSET to Redis counters hash on increment', () => {
+            store.incrementCounter('ws:monthly:ws-001', 1.50);
+            expect(mockRedis.hset).toHaveBeenCalledWith('budget:counters', 'ws:monthly:ws-001', '1.5');
+        });
+    });
+    describe('getRetryCount / incrementRetryCount', () => {
+        it('returns 0 for unknown tool call', () => {
+            expect(store.getRetryCount('tc-unknown')).toBe(0);
+        });
+        it('increments and returns the new count', () => {
+            expect(store.incrementRetryCount('tc-001')).toBe(1);
+            expect(store.incrementRetryCount('tc-001')).toBe(2);
+            expect(store.getRetryCount('tc-001')).toBe(2);
+        });
+        it('fires HSET to Redis retries hash on increment', () => {
+            store.incrementRetryCount('tc-010');
+            expect(mockRedis.hset).toHaveBeenCalledWith('budget:retries', 'tc-010', '1');
+        });
+    });
+    describe('reset', () => {
+        it('clears all local state', () => {
+            store.setTaskState('task-001', {
+                task_id: 'task-001',
+                workspace_id: 'ws-001',
+                actor_id: 'actor-001',
+                spent_usd: 1,
+                steps: 1,
+                started_at: '2025-01-01T00:00:00Z',
+            });
+            store.incrementCounter('key-1', 5);
+            store.incrementRetryCount('tc-001');
+            store.reset();
+            expect(store.getTaskState('task-001')).toBeUndefined();
+            expect(store.getCounter('key-1')).toBe(0);
+            expect(store.getRetryCount('tc-001')).toBe(0);
+        });
+    });
+    describe('hydrate', () => {
+        it('loads counters and retries from Redis', async () => {
+            mockRedis.hgetall
+                .mockResolvedValueOnce({ 'user:daily:a1': '2.5', 'ws:monthly:ws1': '10' }) // counters
+                .mockResolvedValueOnce({ 'tc-001': '3', 'tc-002': '1' }); // retries
+            await store.hydrate();
+            expect(store.getCounter('user:daily:a1')).toBe(2.5);
+            expect(store.getCounter('ws:monthly:ws1')).toBe(10);
+            expect(store.getRetryCount('tc-001')).toBe(3);
+            expect(store.getRetryCount('tc-002')).toBe(1);
+        });
+        it('loads task states from Redis via SCAN', async () => {
+            const taskData = {
+                task_id: 'task-100',
+                workspace_id: 'ws-100',
+                actor_id: 'actor-100',
+                spent_usd: '5.25',
+                steps: '12',
+                started_at: '2025-03-01T00:00:00Z',
+            };
+            mockRedis.hgetall
+                .mockResolvedValueOnce({}) // counters (empty)
+                .mockResolvedValueOnce({}) // retries (empty)
+                .mockResolvedValueOnce(taskData); // task hash
+            mockRedis.scan.mockResolvedValueOnce(['0', ['budget:task:task-100']]);
+            await store.hydrate();
+            const state = store.getTaskState('task-100');
+            expect(state).toBeDefined();
+            expect(state.task_id).toBe('task-100');
+            expect(state.spent_usd).toBe(5.25);
+            expect(state.steps).toBe(12);
+        });
+        it('handles hydrate errors gracefully', async () => {
+            mockRedis.hgetall.mockRejectedValueOnce(new Error('Redis down'));
+            const consoleSpy = jest.spyOn(console, 'error').mockImplementation(() => { });
+            await store.hydrate();
+            expect(consoleSpy).toHaveBeenCalledWith('[RedisBudgetStore] hydrate failed:', 'Redis down');
+            consoleSpy.mockRestore();
+        });
+    });
+    describe('prefix', () => {
+        it('uses the default prefix "budget:"', () => {
+            store.incrementCounter('mykey', 1);
+            expect(mockRedis.hset).toHaveBeenCalledWith('budget:counters', 'mykey', '1');
+        });
+        it('uses a custom prefix', () => {
+            const customStore = new redis_1.RedisBudgetStore(mockRedis, 'app:budget:');
+            customStore.incrementCounter('mykey', 1);
+            expect(mockRedis.hset).toHaveBeenCalledWith('app:budget:counters', 'mykey', '1');
+        });
+    });
+});
+// ---------------------------------------------------------------------------
+// RedisAuditStore
+// ---------------------------------------------------------------------------
+describe('RedisAuditStore', () => {
+    let mockRedis;
+    let store;
+    const makeEvent = (overrides = {}) => ({
+        event_id: overrides.event_id || 'evt-001',
+        event_type: (overrides.event_type || 'TOOL_CALL_RECEIVED'),
+        timestamp: overrides.timestamp || '2025-01-01T00:00:00Z',
+        tool_call_id: overrides.tool_call_id || 'tc-001',
+        task_id: overrides.task_id || 'task-001',
+        workspace_id: overrides.workspace_id || 'ws-001',
+        actor_id: overrides.actor_id || 'actor-001',
+        tool_name: overrides.tool_name || 'http.get',
+        metadata: overrides.metadata || {},
+    });
+    beforeEach(() => {
+        mockRedis = createMockRedis();
+        store = new redis_1.RedisAuditStore(mockRedis);
+    });
+    describe('append', () => {
+        it('adds event to local cache', () => {
+            const event = makeEvent();
+            store.append(event);
+            expect(store.getAll()).toHaveLength(1);
+            expect(store.getAll()[0]).toEqual(event);
+        });
+        it('fires HSET to store event data in Redis via pipeline', () => {
+            const event = makeEvent({ event_id: 'evt-100' });
+            store.append(event);
+            expect(mockRedis.pipeline).toHaveBeenCalled();
+            const pipeline = mockRedis.pipeline.mock.results[0].value;
+            expect(pipeline.hset).toHaveBeenCalledWith('audit:data', 'evt-100', JSON.stringify(event));
+        });
+        it('fires ZADD for task index via pipeline', () => {
+            const event = makeEvent({ task_id: 'task-abc', timestamp: '2025-06-15T12:00:00Z' });
+            store.append(event);
+            const pipeline = mockRedis.pipeline.mock.results[0].value;
+            const ts = new Date('2025-06-15T12:00:00Z').getTime();
+            expect(pipeline.zadd).toHaveBeenCalledWith('audit:task:task-abc', ts, event.event_id);
+        });
+        it('fires ZADD for tool call index via pipeline', () => {
+            const event = makeEvent({ tool_call_id: 'tc-xyz' });
+            store.append(event);
+            const pipeline = mockRedis.pipeline.mock.results[0].value;
+            expect(pipeline.zadd).toHaveBeenCalledWith('audit:toolcall:tc-xyz', expect.any(Number), event.event_id);
+        });
+        it('fires ZADD for event type index via pipeline', () => {
+            const event = makeEvent({ event_type: 'POLICY_DECIDED' });
+            store.append(event);
+            const pipeline = mockRedis.pipeline.mock.results[0].value;
+            expect(pipeline.zadd).toHaveBeenCalledWith('audit:type:POLICY_DECIDED', expect.any(Number), event.event_id);
+        });
+    });
+    describe('getByTaskId', () => {
+        it('returns events filtered by task_id, sorted by timestamp', () => {
+            store.append(makeEvent({ event_id: 'e1', task_id: 'task-A', timestamp: '2025-01-02T00:00:00Z' }));
+            store.append(makeEvent({ event_id: 'e2', task_id: 'task-B', timestamp: '2025-01-01T00:00:00Z' }));
+            store.append(makeEvent({ event_id: 'e3', task_id: 'task-A', timestamp: '2025-01-01T00:00:00Z' }));
+            const results = store.getByTaskId('task-A');
+            expect(results).toHaveLength(2);
+            expect(results[0].event_id).toBe('e3'); // earlier timestamp
+            expect(results[1].event_id).toBe('e1');
+        });
+        it('returns empty array for unknown task', () => {
+            expect(store.getByTaskId('nonexistent')).toEqual([]);
+        });
+    });
+    describe('getByToolCallId', () => {
+        it('returns events filtered by tool_call_id, sorted by timestamp', () => {
+            store.append(makeEvent({ event_id: 'e1', tool_call_id: 'tc-A', timestamp: '2025-01-03T00:00:00Z' }));
+            store.append(makeEvent({ event_id: 'e2', tool_call_id: 'tc-B' }));
+            store.append(makeEvent({ event_id: 'e3', tool_call_id: 'tc-A', timestamp: '2025-01-01T00:00:00Z' }));
+            const results = store.getByToolCallId('tc-A');
+            expect(results).toHaveLength(2);
+            expect(results[0].event_id).toBe('e3');
+            expect(results[1].event_id).toBe('e1');
+        });
+    });
+    describe('getByEventType', () => {
+        it('returns events filtered by event type', () => {
+            store.append(makeEvent({ event_id: 'e1', event_type: 'TOOL_CALL_RECEIVED' }));
+            store.append(makeEvent({ event_id: 'e2', event_type: 'POLICY_DECIDED' }));
+            store.append(makeEvent({ event_id: 'e3', event_type: 'TOOL_CALL_RECEIVED' }));
+            const results = store.getByEventType('TOOL_CALL_RECEIVED');
+            expect(results).toHaveLength(2);
+            expect(results.every(e => e.event_type === 'TOOL_CALL_RECEIVED')).toBe(true);
+        });
+    });
+    describe('getAll', () => {
+        it('returns a copy of all events', () => {
+            store.append(makeEvent({ event_id: 'e1' }));
+            store.append(makeEvent({ event_id: 'e2' }));
+            const all = store.getAll();
+            expect(all).toHaveLength(2);
+            // Verify it returns a copy, not the internal array
+            all.push(makeEvent({ event_id: 'e3' }));
+            expect(store.getAll()).toHaveLength(2);
+        });
+    });
+    describe('clear', () => {
+        it('removes all events from local cache', () => {
+            store.append(makeEvent({ event_id: 'e1' }));
+            store.append(makeEvent({ event_id: 'e2' }));
+            store.clear();
+            expect(store.getAll()).toHaveLength(0);
+        });
+    });
+    describe('hydrate', () => {
+        it('loads events from Redis data hash', async () => {
+            const event1 = makeEvent({ event_id: 'evt-h1', timestamp: '2025-01-02T00:00:00Z' });
+            const event2 = makeEvent({ event_id: 'evt-h2', timestamp: '2025-01-01T00:00:00Z' });
+            mockRedis.hgetall.mockResolvedValueOnce({
+                'evt-h1': JSON.stringify(event1),
+                'evt-h2': JSON.stringify(event2),
+            });
+            await store.hydrate();
+            const all = store.getAll();
+            expect(all).toHaveLength(2);
+            // Should be sorted by timestamp
+            expect(all[0].event_id).toBe('evt-h2'); // earlier
+            expect(all[1].event_id).toBe('evt-h1');
+        });
+        it('skips unparseable entries during hydrate', async () => {
+            mockRedis.hgetall.mockResolvedValueOnce({
+                'evt-good': JSON.stringify(makeEvent({ event_id: 'evt-good' })),
+                'evt-bad': 'not-valid-json{{{',
+            });
+            await store.hydrate();
+            expect(store.getAll()).toHaveLength(1);
+            expect(store.getAll()[0].event_id).toBe('evt-good');
+        });
+        it('handles hydrate errors gracefully', async () => {
+            mockRedis.hgetall.mockRejectedValueOnce(new Error('Connection refused'));
+            const consoleSpy = jest.spyOn(console, 'error').mockImplementation(() => { });
+            await store.hydrate();
+            expect(consoleSpy).toHaveBeenCalledWith('[RedisAuditStore] hydrate failed:', 'Connection refused');
+            consoleSpy.mockRestore();
+        });
+    });
+    describe('prefix', () => {
+        it('uses the default prefix "audit:"', () => {
+            const event = makeEvent({ event_id: 'evt-p1', task_id: 'task-p1' });
+            store.append(event);
+            const pipeline = mockRedis.pipeline.mock.results[0].value;
+            expect(pipeline.hset).toHaveBeenCalledWith('audit:data', 'evt-p1', expect.any(String));
+            expect(pipeline.zadd).toHaveBeenCalledWith('audit:task:task-p1', expect.any(Number), 'evt-p1');
+        });
+        it('uses a custom prefix', () => {
+            const customStore = new redis_1.RedisAuditStore(mockRedis, 'myapp:audit:');
+            const event = makeEvent({ event_id: 'evt-c1', task_id: 'task-c1' });
+            customStore.append(event);
+            const pipeline = mockRedis.pipeline.mock.results[0].value;
+            expect(pipeline.hset).toHaveBeenCalledWith('myapp:audit:data', 'evt-c1', expect.any(String));
+            expect(pipeline.zadd).toHaveBeenCalledWith('myapp:audit:task:task-c1', expect.any(Number), 'evt-c1');
+        });
+    });
+});
+// ---------------------------------------------------------------------------
+// RedisApprovalStore
+// ---------------------------------------------------------------------------
+describe('RedisApprovalStore', () => {
+    let mockRedis;
+    let store;
+    const makeApproval = (overrides = {}) => makeApprovalRecord(overrides);
+    beforeEach(() => {
+        mockRedis = createMockRedis();
+        store = new redis_1.RedisApprovalStore(mockRedis);
+    });
+    describe('save / getById', () => {
+        it('stores and retrieves an approval by ID', () => {
+            const approval = makeApproval({ approval_id: 'appr-100' });
+            store.save('appr-100', approval);
+            expect(store.getById('appr-100')).toEqual(approval);
+        });
+        it('returns undefined for unknown approval ID', () => {
+            expect(store.getById('nonexistent')).toBeUndefined();
+        });
+        it('fires pipeline to Redis data hash', () => {
+            const approval = makeApproval({ approval_id: 'appr-200' });
+            store.save('appr-200', approval);
+            expect(mockRedis.pipeline).toHaveBeenCalled();
+            const pipeline = mockRedis.pipeline.mock.results[0].value;
+            expect(pipeline.hset).toHaveBeenCalledWith('approvals:data', 'appr-200', JSON.stringify(approval));
+        });
+        it('adds to pending set when status is pending', () => {
+            const approval = makeApproval({ status: 'pending' });
+            store.save('appr-001', approval);
+            const pipeline = mockRedis.pipeline.mock.results[0].value;
+            expect(pipeline.sadd).toHaveBeenCalledWith('approvals:pending', 'appr-001');
+        });
+        it('removes from pending set when status is not pending', () => {
+            const approval = makeApproval({ status: 'approved' });
+            store.save('appr-001', approval);
+            const pipeline = mockRedis.pipeline.mock.results[0].value;
+            expect(pipeline.srem).toHaveBeenCalledWith('approvals:pending', 'appr-001');
+        });
+        it('updates workspace index when workspace_id is present', () => {
+            const approval = makeApproval({ workspace_id: 'ws-500' });
+            store.save('appr-001', approval);
+            const pipeline = mockRedis.pipeline.mock.results[0].value;
+            expect(pipeline.hset).toHaveBeenCalledWith('approvals:workspace:ws-500', 'appr-001', '1');
+        });
+        it('updates tool call index when tool_call_id is present', () => {
+            const approval = makeApproval({ tool_call_id: 'tc-500' });
+            store.save('appr-001', approval);
+            const pipeline = mockRedis.pipeline.mock.results[0].value;
+            expect(pipeline.hset).toHaveBeenCalledWith('approvals:toolcall', 'tc-500', 'appr-001');
+        });
+    });
+    describe('getByToken', () => {
+        it('returns approval by token after indexToken', () => {
+            const approval = makeApproval({ approval_id: 'appr-t1' });
+            store.save('appr-t1', approval);
+            store.indexToken('jwt-token-abc', 'appr-t1');
+            expect(store.getByToken('jwt-token-abc')).toEqual(approval);
+        });
+        it('returns undefined for unknown token', () => {
+            expect(store.getByToken('unknown-token')).toBeUndefined();
+        });
+    });
+    describe('getByToolCallId', () => {
+        it('returns approval matching tool_call_id', () => {
+            const approval = makeApproval({ approval_id: 'appr-tc1', tool_call_id: 'tc-findme' });
+            store.save('appr-tc1', approval);
+            expect(store.getByToolCallId('tc-findme')).toEqual(approval);
+        });
+        it('returns undefined when no approval matches', () => {
+            expect(store.getByToolCallId('tc-nothing')).toBeUndefined();
+        });
+    });
+    describe('findPending', () => {
+        it('returns only pending approvals', () => {
+            store.save('appr-1', makeApproval({ approval_id: 'appr-1', status: 'pending' }));
+            store.save('appr-2', makeApproval({ approval_id: 'appr-2', status: 'approved' }));
+            store.save('appr-3', makeApproval({ approval_id: 'appr-3', status: 'pending' }));
+            const pending = store.findPending();
+            expect(pending).toHaveLength(2);
+            expect(pending.map((a) => a.approval_id).sort()).toEqual(['appr-1', 'appr-3']);
+        });
+        it('filters by workspace_id when provided', () => {
+            store.save('appr-1', makeApproval({ approval_id: 'appr-1', status: 'pending', workspace_id: 'ws-A' }));
+            store.save('appr-2', makeApproval({ approval_id: 'appr-2', status: 'pending', workspace_id: 'ws-B' }));
+            store.save('appr-3', makeApproval({ approval_id: 'appr-3', status: 'pending', workspace_id: 'ws-A' }));
+            const pending = store.findPending('ws-A');
+            expect(pending).toHaveLength(2);
+            expect(pending.every((a) => a.workspace_id === 'ws-A')).toBe(true);
+        });
+        it('returns empty array when no pending approvals exist', () => {
+            store.save('appr-1', makeApproval({ status: 'approved' }));
+            expect(store.findPending()).toEqual([]);
+        });
+    });
+    describe('indexToken', () => {
+        it('stores token-to-approvalId mapping', () => {
+            store.indexToken('my-jwt-token', 'appr-idx1');
+            expect(mockRedis.hset).toHaveBeenCalledWith('approvals:tokens', 'my-jwt-token', 'appr-idx1');
+        });
+        it('allows lookup by token after indexing', () => {
+            const approval = makeApproval({ approval_id: 'appr-idx2' });
+            store.save('appr-idx2', approval);
+            store.indexToken('token-xyz', 'appr-idx2');
+            expect(store.getByToken('token-xyz')).toEqual(approval);
+        });
+    });
+    describe('clear', () => {
+        it('removes all local state', () => {
+            store.save('appr-1', makeApproval({ approval_id: 'appr-1' }));
+            store.save('appr-2', makeApproval({ approval_id: 'appr-2' }));
+            store.indexToken('tok-1', 'appr-1');
+            store.clear();
+            expect(store.getById('appr-1')).toBeUndefined();
+            expect(store.getById('appr-2')).toBeUndefined();
+            expect(store.getByToken('tok-1')).toBeUndefined();
+            expect(store.findPending()).toEqual([]);
+        });
+    });
+    describe('hydrate', () => {
+        it('loads approvals and token index from Redis', async () => {
+            const approval1 = makeApproval({ approval_id: 'appr-h1', status: 'pending' });
+            const approval2 = makeApproval({ approval_id: 'appr-h2', status: 'approved' });
+            mockRedis.hgetall
+                .mockResolvedValueOnce({
+                'appr-h1': JSON.stringify(approval1),
+                'appr-h2': JSON.stringify(approval2),
+            }) // data hash
+                .mockResolvedValueOnce({
+                'tok-h1': 'appr-h1',
+                'tok-h2': 'appr-h2',
+            }); // tokens hash
+            await store.hydrate();
+            expect(store.getById('appr-h1')).toEqual(approval1);
+            expect(store.getById('appr-h2')).toEqual(approval2);
+            expect(store.getByToken('tok-h1')).toEqual(approval1);
+            expect(store.getByToken('tok-h2')).toEqual(approval2);
+            expect(store.findPending()).toHaveLength(1);
+        });
+        it('skips unparseable entries during hydrate', async () => {
+            mockRedis.hgetall
+                .mockResolvedValueOnce({
+                'appr-ok': JSON.stringify(makeApproval({ approval_id: 'appr-ok' })),
+                'appr-bad': '{invalid json!!!',
+            })
+                .mockResolvedValueOnce({});
+            await store.hydrate();
+            expect(store.getById('appr-ok')).toBeDefined();
+            expect(store.getById('appr-bad')).toBeUndefined();
+        });
+        it('handles hydrate errors gracefully', async () => {
+            mockRedis.hgetall.mockRejectedValueOnce(new Error('Redis timeout'));
+            const consoleSpy = jest.spyOn(console, 'error').mockImplementation(() => { });
+            await store.hydrate();
+            expect(consoleSpy).toHaveBeenCalledWith('[RedisApprovalStore] hydrate failed:', 'Redis timeout');
+            consoleSpy.mockRestore();
+        });
+    });
+    describe('prefix', () => {
+        it('uses the default prefix "approvals:"', () => {
+            const approval = makeApproval();
+            store.save('appr-001', approval);
+            const pipeline = mockRedis.pipeline.mock.results[0].value;
+            expect(pipeline.hset).toHaveBeenCalledWith('approvals:data', 'appr-001', expect.any(String));
+        });
+        it('uses a custom prefix', () => {
+            const customStore = new redis_1.RedisApprovalStore(mockRedis, 'myapp:approvals:');
+            const approval = makeApproval();
+            customStore.save('appr-001', approval);
+            const pipeline = mockRedis.pipeline.mock.results[0].value;
+            expect(pipeline.hset).toHaveBeenCalledWith('myapp:approvals:data', 'appr-001', expect.any(String));
+        });
+    });
+});
+// ---------------------------------------------------------------------------
+// createRedisStores
+// ---------------------------------------------------------------------------
+describe('createRedisStores', () => {
+    let mockRedis;
+    beforeEach(() => {
+        mockRedis = createMockRedis();
+    });
+    it('returns all 5 store instances', () => {
+        const stores = (0, redis_1.createRedisStores)(mockRedis);
+        expect(stores.budgetStore).toBeInstanceOf(redis_1.RedisBudgetStore);
+        expect(stores.auditStore).toBeInstanceOf(redis_1.RedisAuditStore);
+        expect(stores.approvalStore).toBeInstanceOf(redis_1.RedisApprovalStore);
+        expect(stores.rateLimitStore).toBeInstanceOf(redis_1.RedisRateLimitStore);
+        expect(stores.idempotencyStore).toBeInstanceOf(redis_1.RedisIdempotencyStore);
+    });
+    it('applies prefix to all stores', () => {
+        const stores = (0, redis_1.createRedisStores)(mockRedis, 'myapp:');
+        // Verify budget store uses prefixed key
+        stores.budgetStore.incrementCounter('test', 1);
+        expect(mockRedis.hset).toHaveBeenCalledWith('myapp:budget:counters', 'test', '1');
+        // Verify audit store uses prefixed key (via pipeline)
+        mockRedis.pipeline.mockClear();
+        stores.auditStore.append({
+            event_id: 'e1',
+            event_type: 'TOOL_CALL_RECEIVED',
+            timestamp: '2025-01-01T00:00:00Z',
+            tool_call_id: 'tc-1',
+            task_id: 'task-1',
+            workspace_id: 'ws-1',
+            actor_id: 'actor-1',
+            tool_name: 'http.get',
+            metadata: {},
+        });
+        expect(mockRedis.pipeline).toHaveBeenCalled();
+        const auditPipeline = mockRedis.pipeline.mock.results[0].value;
+        expect(auditPipeline.hset).toHaveBeenCalledWith('myapp:audit:data', 'e1', expect.any(String));
+        // Clear mock for next assertion
+        mockRedis.pipeline.mockClear();
+        const mp2 = createMockPipeline();
+        mockRedis.pipeline.mockReturnValue(mp2);
+        // Verify approval store uses prefixed key (now via pipeline)
+        stores.approvalStore.save('appr-1', makeApprovalRecord({ approval_id: 'appr-1', status: 'pending', workspace_id: 'ws-1', tool_call_id: 'tc-1' }));
+        expect(mockRedis.pipeline).toHaveBeenCalled();
+        expect(mp2.hset).toHaveBeenCalledWith('myapp:approvals:data', 'appr-1', expect.any(String));
+    });
+    it('uses empty prefix when none is provided', () => {
+        const stores = (0, redis_1.createRedisStores)(mockRedis);
+        stores.budgetStore.incrementCounter('test', 1);
+        expect(mockRedis.hset).toHaveBeenCalledWith('budget:counters', 'test', '1');
+    });
+    it('uses empty prefix when explicitly empty string', () => {
+        const stores = (0, redis_1.createRedisStores)(mockRedis, '');
+        stores.budgetStore.incrementCounter('test', 1);
+        expect(mockRedis.hset).toHaveBeenCalledWith('budget:counters', 'test', '1');
+    });
+});
+//# sourceMappingURL=redis-storage.test.js.map