pinokiod 7.3.1 → 7.3.4

package/test/environment-cache-preflight.test.js

@@ -0,0 +1,98 @@
+const test = require("node:test")
+const assert = require("node:assert/strict")
+const fs = require("node:fs/promises")
+const fssync = require("node:fs")
+const os = require("node:os")
+const path = require("node:path")
+const Environment = require("../kernel/environment")
+
+const CACHE_KEYS = ["TMP", "TEMP", "TMPDIR", "PIP_TMPDIR", "UV_CACHE_DIR", "PIP_CACHE_DIR"]
+
+const createKernel = (homedir) => ({
+  homedir,
+  kv: {
+    get: async () => null
+  },
+  exists: (...args) => new Promise((resolve) => {
+    fssync.access(path.resolve(homedir, ...args), fssync.constants.F_OK, (error) => {
+      resolve(!error)
+    })
+  })
+})
+
+const withTempHome = async (fn) => {
+  const homedir = await fs.mkdtemp(path.join(os.tmpdir(), "pinokio-cache-preflight-"))
+  try {
+    await fs.writeFile(path.join(homedir, "ENVIRONMENT"), "OTHER=value\n")
+    await fn(homedir)
+  } finally {
+    await fs.rm(homedir, { recursive: true, force: true })
+  }
+}
+
+test("ensurePinokioCacheDirs writes managed cache env defaults and probes directories", async () => {
+  await withTempHome(async (homedir) => {
+    const kernel = createKernel(homedir)
+    const result = await Environment.ensurePinokioCacheDirs(kernel, { throwOnFailure: true })
+
+    assert.equal(result.errors.length, 0)
+    assert.equal(kernel.cacheDirErrors.length, 0)
+    assert.equal(kernel.cacheDirPreflight.length, CACHE_KEYS.length)
+
+    const env = await fs.readFile(path.join(homedir, "ENVIRONMENT"), "utf8")
+    for (const key of CACHE_KEYS) {
+      assert.match(env, new RegExp(`^${key}=\\.\\/cache\\/${key}$`, "m"))
+      const stats = await fs.stat(path.join(homedir, "cache", key))
+      assert.equal(stats.isDirectory(), true)
+    }
+  })
+})
+
+test("ensurePinokioCacheDirs repairs managed cache targets that are not writable directories", async () => {
+  await withTempHome(async (homedir) => {
+    await fs.mkdir(path.join(homedir, "cache"), { recursive: true })
+    await fs.writeFile(path.join(homedir, "cache", "TMP"), "not a directory")
+
+    const kernel = createKernel(homedir)
+    const result = await Environment.ensurePinokioCacheDirs(kernel, { throwOnFailure: true })
+    const tmpResult = result.results.find((item) => item.key === "TMP")
+
+    assert.equal(result.errors.length, 0)
+    assert.equal(tmpResult.repaired, true)
+    const stats = await fs.stat(path.join(homedir, "cache", "TMP"))
+    assert.equal(stats.isDirectory(), true)
+  })
+})
+
+test("requirements ignores malformed pre metadata without breaking launcher checks", async () => {
+  await withTempHome(async (homedir) => {
+    const appDir = path.join(homedir, "api", "demo")
+    await fs.mkdir(appDir, { recursive: true })
+    await fs.writeFile(path.join(appDir, "ENVIRONMENT"), "EXISTING=from-app\n")
+    const kernel = createKernel(homedir)
+
+    const missingArray = await Environment.requirements({ pre: "bad" }, appDir, kernel)
+    assert.deepEqual(missingArray, {
+      items: [],
+      requires_instantiation: false
+    })
+
+    const checked = await Environment.requirements({
+      pre: [
+        null,
+        "bad",
+        { env: 5 },
+        { env: "EXISTING", host: "::bad host::" },
+        { key: "MISSING", default: "fallback" }
+      ]
+    }, appDir, kernel)
+
+    assert.equal(checked.items.length, 2)
+    assert.equal(checked.items[0].env, "EXISTING")
+    assert.equal(checked.items[0].host, "")
+    assert.equal(checked.items[0].val, "from-app")
+    assert.equal(checked.items[1].env, "MISSING")
+    assert.equal(checked.items[1].val, "fallback")
+    assert.equal(checked.requires_instantiation, true)
+  })
+})

package/test/git-bin.test.js

@@ -0,0 +1,59 @@
+const assert = require('node:assert/strict')
+const path = require('node:path')
+const test = require('node:test')
+
+const GitBin = require('../kernel/bin/git')
+
+function createGitBin(platform, packages) {
+  const git = new GitBin()
+  git.kernel = {
+    platform,
+    homedir: '/tmp/pinokio',
+    path: (...parts) => path.join('/tmp/pinokio', ...parts),
+    bin: {
+      installed: {
+        conda: new Set(packages),
+        conda_versions: { git: '2.51.0' },
+      },
+    },
+  }
+  return git
+}
+
+test('Git bin installs Git Credential Manager with the Git bundle', () => {
+  assert.equal(
+    createGitBin('darwin', []).cmd(),
+    'git=2.51.0 git-lfs git-credential-manager=2.7.3 gh=2.82.1'
+  )
+  assert.equal(
+    createGitBin('linux', []).cmd(),
+    'git=2.51.0 git-lfs git-credential-manager=2.7.3 gh=2.82.1'
+  )
+  assert.equal(
+    createGitBin('win32', []).cmd(),
+    'git=2.51.0 git-lfs git-credential-manager=2.7.3 gh=2.82.1 m2-base'
+  )
+})
+
+test('Git bin readiness requires Git Credential Manager and GitHub CLI', async () => {
+  assert.equal(
+    await createGitBin('darwin', ['git', 'git-lfs']).installed(),
+    false
+  )
+  assert.equal(
+    await createGitBin('darwin', ['git', 'git-lfs', 'git-credential-manager']).installed(),
+    false
+  )
+  assert.equal(
+    await createGitBin('darwin', ['git', 'git-lfs', 'git-credential-manager', 'gh']).installed(),
+    true
+  )
+  assert.equal(
+    await createGitBin('win32', ['git', 'git-lfs', 'git-credential-manager', 'gh']).installed(),
+    false
+  )
+  assert.equal(
+    await createGitBin('win32', ['git', 'git-lfs', 'git-credential-manager', 'gh', 'm2-base']).installed(),
+    true
+  )
+})

package/test/git-defaults.test.js

@@ -0,0 +1,150 @@
+const assert = require('node:assert/strict')
+const { execFile } = require('node:child_process')
+const fs = require('node:fs/promises')
+const os = require('node:os')
+const path = require('node:path')
+const test = require('node:test')
+const { promisify } = require('node:util')
+const ini = require('ini')
+
+const KernelGit = require('../kernel/git')
+const execFileAsync = promisify(execFile)
+
+async function withTempHome(fn) {
+  const homedir = await fs.mkdtemp(path.join(os.tmpdir(), 'pinokio-git-defaults-'))
+  try {
+    await fn(homedir)
+  } finally {
+    await fs.rm(homedir, { recursive: true, force: true })
+  }
+}
+
+function createKernel(homedir) {
+  return {
+    homedir,
+    path: (...parts) => path.resolve(homedir, ...parts),
+  }
+}
+
+function githubCredentialSection(config) {
+  return config['credential "https://github'] && config['credential "https://github']['com"']
+}
+
+test('Git defaults configure Git Credential Manager for new Pinokio gitconfig files', async () => {
+  await withTempHome(async (homedir) => {
+    const git = new KernelGit(createKernel(homedir))
+
+    await git.ensureDefaults()
+
+    const config = ini.parse(await fs.readFile(path.join(homedir, 'gitconfig'), 'utf8'))
+    assert.equal(config.credential.helper, 'manager')
+    assert.equal(config.credential.gitHubAuthModes, 'oauth')
+    assert.equal(config.credential.namespace, 'pinokio')
+    assert.equal(githubCredentialSection(config).helper, 'manager')
+    assert.equal(githubCredentialSection(config).provider, 'github')
+  })
+})
+
+test('Git defaults migrate the legacy gh GitHub helper to Git Credential Manager', async () => {
+  await withTempHome(async (homedir) => {
+    await fs.writeFile(path.join(homedir, 'gitconfig'), [
+      '[credential "https://github.com"]',
+      '  helper = !gh auth git-credential',
+      '[user]',
+      '  name = custom',
+      '  email = custom@example.test',
+      '',
+    ].join('\n'))
+    const git = new KernelGit(createKernel(homedir))
+
+    await git.ensureDefaults()
+
+    const config = ini.parse(await fs.readFile(path.join(homedir, 'gitconfig'), 'utf8'))
+    assert.equal(config.credential.helper, 'manager')
+    assert.equal(config.credential.gitHubAuthModes, 'oauth')
+    assert.equal(config.credential.namespace, 'pinokio')
+    assert.equal(githubCredentialSection(config).helper, 'manager')
+    assert.equal(githubCredentialSection(config).provider, 'github')
+    assert.equal(config.user.name, 'custom')
+    assert.equal(config.user.email, 'custom@example.test')
+  })
+})
+
+test('Git defaults reset credential sections to built-in defaults before Git reads config', async () => {
+  await withTempHome(async (homedir) => {
+    const staleHelpers = [
+      '!custom-helper auth git-credential',
+      '!gh auth git-credential',
+      '!gh.exe auth git-credential',
+      `!'${path.win32.join('Z:\\', 'Any Folder', 'bin', 'gh.exe')}' auth git-credential`,
+    ]
+
+    for (const [index, helper] of staleHelpers.entries()) {
+      const caseHome = path.join(homedir, `case-${index}`)
+      await fs.mkdir(caseHome)
+      const gitconfigPath = path.join(caseHome, 'gitconfig')
+      await fs.writeFile(gitconfigPath, [
+        '[credential "https://github.com"]',
+        `  helper = ${helper}`,
+        '  provider = github',
+        '[credential "https://gist.github.com"]',
+        `  helper = ${helper}`,
+        '[credential "https://enterprise.example"]',
+        `  helper = ${helper}`,
+        '[credential]',
+        `  helper = ${helper}`,
+        '  gitHubAuthModes = device',
+        '  namespace = stale',
+        '[user]',
+        '  name = custom',
+        '  email = custom@example.test',
+        '',
+      ].join('\n'))
+      const git = new KernelGit(createKernel(caseHome))
+
+      await git.ensureDefaults()
+
+      const content = await fs.readFile(gitconfigPath, 'utf8')
+      assert.doesNotMatch(content, /git-credential/i)
+      const { stdout } = await execFileAsync('git', ['config', '--file', gitconfigPath, '--list'])
+      assert.match(stdout, /credential\.helper=manager/)
+      assert.match(stdout, /credential\.githubauthmodes=oauth/)
+      assert.match(stdout, /credential\.namespace=pinokio/)
+      assert.match(stdout, /credential\.https:\/\/github\.com\.helper=manager/)
+      assert.doesNotMatch(stdout, /credential\.https:\/\/gist\.github\.com/)
+      assert.doesNotMatch(stdout, /credential\.https:\/\/enterprise\.example/)
+      const config = ini.parse(content)
+      assert.equal(config.user.name, 'custom')
+      assert.equal(config.user.email, 'custom@example.test')
+    }
+  })
+})
+
+test('Git isomorphic auth callback returns GCM credentials for GitHub URLs', async () => {
+  const git = new KernelGit(createKernel('/tmp/pinokio'))
+  let requestedUrl = ''
+  git.getCredentialForUrl = async (url) => {
+    requestedUrl = url
+    return {
+      username: 'octocat',
+      password: 'secret-token'
+    }
+  }
+
+  const auth = await git.getIsomorphicGitAuth('https://github.com/octocat/private.git')
+
+  assert.equal(requestedUrl, 'https://github.com/octocat/private.git')
+  assert.deepEqual(auth, {
+    username: 'octocat',
+    password: 'secret-token'
+  })
+})
+
+test('Git isomorphic auth callback stays anonymous when GCM has no credential', async () => {
+  const git = new KernelGit(createKernel('/tmp/pinokio'))
+  git.getCredentialForUrl = async () => null
+
+  const auth = await git.getIsomorphicGitAuth('https://github.com/octocat/public.git')
+
+  assert.equal(auth, undefined)
+})

package/test/github-api.test.js

@@ -0,0 +1,158 @@
+const assert = require('node:assert/strict')
+const fs = require('node:fs/promises')
+const path = require('node:path')
+const test = require('node:test')
+
+const Github = require('../kernel/api/github')
+
+test('GitHub API parses credentials without exposing token handling to shell commands', () => {
+  const credential = Github.parseCredentialOutput([
+    'protocol=https',
+    'host=github.com',
+    'username=octocat',
+    'password=secret-token',
+    '',
+  ].join('\n'))
+
+  assert.equal(credential.username, 'octocat')
+  assert.equal(credential.password, 'secret-token')
+})
+
+test('GitHub API parses common GitHub remote URL formats', () => {
+  assert.deepEqual(
+    Github.parseGithubRemote('https://github.com/octocat/hello-world.git'),
+    { owner: 'octocat', repo: 'hello-world', fullName: 'octocat/hello-world' }
+  )
+  assert.deepEqual(
+    Github.parseGithubRemote('git@github.com:octocat/hello-world.git'),
+    { owner: 'octocat', repo: 'hello-world', fullName: 'octocat/hello-world' }
+  )
+  assert.deepEqual(
+    Github.parseGithubRemote('ssh://git@github.com/octocat/hello-world.git'),
+    { owner: 'octocat', repo: 'hello-world', fullName: 'octocat/hello-world' }
+  )
+  assert.equal(Github.parseGithubRemote('https://example.com/octocat/hello-world.git'), null)
+})
+
+test('GitHub API parses repository names for user and organization creation', () => {
+  assert.deepEqual(
+    Github.parseRepoName('', '/tmp/hello-world'),
+    { owner: null, repo: 'hello-world' }
+  )
+  assert.deepEqual(
+    Github.parseRepoName('octo-org/hello-world.git', '/tmp/ignored'),
+    { owner: 'octo-org', repo: 'hello-world' }
+  )
+  assert.throws(() => Github.parseRepoName('bad owner/repo', '/tmp/ignored'), /Invalid GitHub owner/)
+  assert.throws(() => Github.parseRepoName('owner/bad repo', '/tmp/ignored'), /Invalid GitHub repository name/)
+})
+
+test('GitHub API builds create repository requests for user and organization targets', () => {
+  assert.deepEqual(
+    Github.buildCreateRepoRequest({
+      owner: null,
+      repo: 'hello-world',
+      authenticatedUser: { login: 'octocat' },
+      visibility: 'private'
+    }),
+    { path: '/user/repos', body: { name: 'hello-world', private: true } }
+  )
+  assert.deepEqual(
+    Github.buildCreateRepoRequest({
+      owner: 'octo-org',
+      repo: 'hello-world',
+      authenticatedUser: { login: 'octocat' },
+      visibility: 'public'
+    }),
+    { path: '/orgs/octo-org/repos', body: { name: 'hello-world', private: false } }
+  )
+  assert.deepEqual(
+    Github.buildCreateRepoRequest({
+      owner: 'octo-org',
+      repo: 'hello-world',
+      authenticatedUser: { login: 'octocat' },
+      visibility: 'internal'
+    }),
+    { path: '/orgs/octo-org/repos', body: { name: 'hello-world', visibility: 'internal' } }
+  )
+  assert.throws(
+    () => Github.buildCreateRepoRequest({
+      owner: null,
+      repo: 'hello-world',
+      authenticatedUser: { login: 'octocat' },
+      visibility: 'internal'
+    }),
+    /Internal repositories require an organization owner/
+  )
+})
+
+test('GitHub create and fork scripts no longer invoke gh repo commands', async () => {
+  const root = path.resolve(__dirname, '..')
+  const createScript = await fs.readFile(path.join(root, 'kernel/scripts/git/create'), 'utf8')
+  const forkScript = await fs.readFile(path.join(root, 'kernel/scripts/git/fork'), 'utf8')
+
+  assert.match(createScript, /"method": "github\.create"/)
+  assert.match(forkScript, /"method": "github\.fork"/)
+  assert.doesNotMatch(createScript, /gh repo/)
+  assert.doesNotMatch(forkScript, /gh repo/)
+})
+
+test('GitHub create refuses to push when origin points somewhere else', async () => {
+  const api = new Github()
+  let requests = 0
+  const commands = []
+
+  api.getCredential = async () => ({ password: 'secret-token' })
+  api.getAuthenticatedUser = async () => ({ login: 'octocat' })
+  api.remoteUrl = async () => 'https://github.com/octocat/old-repo.git'
+  api.githubRequest = async () => {
+    requests += 1
+    return {}
+  }
+  api.runGit = async (args) => {
+    commands.push(args)
+  }
+
+  await assert.rejects(
+    () => api.create({
+      params: {
+        cwd: '/tmp/repo',
+        name: 'octocat/new-repo',
+        visibility: 'public'
+      }
+    }),
+    /origin already points at https:\/\/github\.com\/octocat\/old-repo\.git/
+  )
+
+  assert.equal(requests, 0)
+  assert.deepEqual(commands, [])
+})
+
+test('GitHub fork does not rename or repoint origin', async () => {
+  const api = new Github()
+  const commands = []
+
+  api.remoteUrl = async (_cwd, name) => {
+    if (name === 'origin') return 'https://github.com/source-org/project.git'
+    return ''
+  }
+  api.runGit = async (args) => {
+    commands.push(args)
+  }
+
+  await api.configureForkRemote({
+    cwd: '/tmp/repo',
+    kernel: {},
+    source: { owner: 'source-org', repo: 'project', fullName: 'source-org/project' },
+    forkRepo: {
+      owner: { login: 'octocat' },
+      name: 'project',
+      full_name: 'octocat/project',
+      clone_url: 'https://github.com/octocat/project.git'
+    }
+  })
+
+  assert.deepEqual(commands, [
+    ['remote', 'add', 'octocat', 'https://github.com/octocat/project.git']
+  ])
+})

package/test/github-connection.test.js

@@ -0,0 +1,117 @@
+const assert = require('node:assert/strict')
+const fs = require('node:fs/promises')
+const os = require('node:os')
+const path = require('node:path')
+const test = require('node:test')
+
+const Server = require('../server')
+
+test('GitHub connection ignores legacy gh hosts when no GCM account exists', async () => {
+  const connection = await Server.prototype.get_github_connection.call({
+    get_legacy_github_hosts: async () => [
+      'github.com:',
+      '  git_protocol: https',
+      '  users:',
+      '    cocktailpeanut:',
+      '  user: cocktailpeanut',
+      '',
+    ].join('\n'),
+    github_gcm: async () => '',
+  })
+
+  assert.equal(connection.connected, false)
+  assert.equal(connection.provider, null)
+  assert.equal(connection.display, '')
+  assert.match(connection.legacyHosts, /cocktailpeanut/)
+})
+
+test('GitHub connection reports GCM accounts as connected', async () => {
+  const connection = await Server.prototype.get_github_connection.call({
+    get_legacy_github_hosts: async () => '',
+    github_gcm: async () => 'octocat\n',
+  })
+
+  assert.equal(connection.connected, true)
+  assert.equal(connection.provider, 'gcm')
+  assert.equal(connection.display, 'github.com: octocat')
+})
+
+test('GitHub connection coalesces only concurrent GCM checks', async () => {
+  let calls = 0
+  const context = {
+    get_legacy_github_hosts: async () => '',
+    github_gcm: async () => {
+      calls += 1
+      await new Promise((resolve) => setTimeout(resolve, 10))
+      return 'octocat\n'
+    },
+  }
+
+  const [first, second] = await Promise.all([
+    Server.prototype.get_github_connection.call(context),
+    Server.prototype.get_github_connection.call(context),
+  ])
+
+  assert.equal(calls, 1)
+  assert.equal(first.connected, true)
+  assert.deepEqual(second, first)
+
+  await Server.prototype.get_github_connection.call(context)
+  assert.equal(calls, 2)
+})
+
+test('GitHub login only emits completion marker after credential verification', () => {
+  const { doneMarker, message } = Server.prototype.github_login_params.call({
+    kernel: { platform: 'darwin' }
+  })
+
+  assert.equal(doneMarker, 'PINOKIO_GITHUB_LOGIN_DONE')
+  assert.match(message, /git credential-manager github login --web --force && printf 'protocol=https\\nhost=github\.com\\n\\n' \| GIT_TERMINAL_PROMPT=0 GCM_INTERACTIVE=never git credential fill >\/dev\/null && \(GCM_DONE=INOKIO_GITHUB_LOGIN_DONE; printf 'P%s\\n' "\$GCM_DONE"\)/)
+  assert.doesNotMatch(message, /git credential-manager github login --web --force\s*;/)
+  assert.doesNotMatch(message, /PINOKIO_GITHUB_LOGIN_DONE/)
+})
+
+test('GitHub login uses success-only credential verification on Windows', () => {
+  const { message } = Server.prototype.github_login_params.call({
+    kernel: { platform: 'win32' }
+  })
+
+  assert.match(message, /git credential-manager github login --web --force && cmd \/C "set GIT_TERMINAL_PROMPT=0&& set GCM_INTERACTIVE=never&& \(echo protocol=https& echo host=github\.com& echo\.\) \| git credential fill >NUL" && echo P\^INOKIO_GITHUB_LOGIN_DONE/)
+  assert.doesNotMatch(message, /PINOKIO_GITHUB_LOGIN_DONE/)
+})
+
+test('GitHub logout clears legacy gh auth even when GCM accounts exist', async () => {
+  let clearedLegacyAuth = false
+  const context = {
+    kernel: { platform: 'darwin' },
+    github_logout_command: Server.prototype.github_logout_command,
+    clear_legacy_github_auth: async () => {
+      clearedLegacyAuth = true
+    }
+  }
+
+  const result = await Server.prototype.github_logout_params.call(context, {
+    accounts: ['octocat'],
+    legacyHosts: 'github.com:\n  user: octocat\n'
+  })
+
+  assert.equal(clearedLegacyAuth, true)
+  assert.equal(result.hadLegacyAuth, true)
+  assert.equal(result.message, 'git credential-manager github logout octocat')
+})
+
+test('GitHub legacy auth cleanup removes old gh hosts file', async () => {
+  const dir = await fs.mkdtemp(path.join(os.tmpdir(), 'pinokio-gh-auth-'))
+  const hostsFile = path.join(dir, 'config/gh/hosts.yml')
+  await fs.mkdir(path.dirname(hostsFile), { recursive: true })
+  await fs.writeFile(hostsFile, 'github.com:\n  user: octocat\n')
+
+  await Server.prototype.clear_legacy_github_auth.call({
+    kernel: {
+      path: (relativePath) => path.join(dir, relativePath)
+    }
+  })
+
+  await assert.rejects(() => fs.stat(hostsFile), { code: 'ENOENT' })
+  await fs.rm(dir, { recursive: true, force: true })
+})

package/test/huggingface-bin.test.js

@@ -0,0 +1,25 @@
+const assert = require('node:assert/strict')
+const test = require('node:test')
+
+const Huggingface = require('../kernel/bin/huggingface')
+
+function createHuggingface(version) {
+  const huggingface = new Huggingface()
+  huggingface.kernel = {
+    bin: {
+      installed: {
+        conda: new Set(version ? ['huggingface_hub'] : []),
+        conda_versions: version ? { huggingface_hub: version } : {},
+      },
+    },
+  }
+  return huggingface
+}
+
+test('Huggingface.installed accepts exactly huggingface_hub 1.0.1', async () => {
+  assert.equal(await createHuggingface('1.0.1').installed(), true)
+  assert.equal(await createHuggingface('1.0.1-pyhd8ed1ab_0').installed(), true)
+  assert.equal(await createHuggingface('1.0.2').installed(), false)
+  assert.equal(await createHuggingface('0.35.3').installed(), false)
+  assert.equal(await createHuggingface(null).installed(), false)
+})