reviewflow 3.36.1 → 3.37.1

package/dist/tests/acceptance/196-least-privilege-platform-token.acceptance.test.js

@@ -0,0 +1,197 @@
+import { describe, it, expect } from 'vitest';
+import { AUTO_EXECUTOR_CAPABILITIES, EXECUTOR_CAPABILITY_TABLE, } from '../../modules/platform-integration/entities/executorToken/executorCapability.js';
+import { resolvePinnedThreadFetchTarget, resolvePinnedThreads, } from '../../modules/platform-integration/services/pinnedThreadFetchTarget.js';
+import { buildScopedExecutorEnvironment, ENV_ALLOWLIST, MissingExecutorTokenError, } from '../../modules/platform-integration/services/scopedExecutorEnvironment.js';
+import { executeActionsFromContext } from '../../modules/review-execution/services/contextActionsExecutor.js';
+import { dispatchConstrainedActions } from '../../modules/review-execution/services/dispatchConstrainedActions.js';
+const TOKEN = 'glpat-service-token-acceptance';
+const TEMP_ROOT = '/tmp/reviewflow-executor-acceptance';
+class RecordingFileWriter {
+    writes = [];
+    ensuredDirs = [];
+    write(path, contents) {
+        this.writes.push({ path, contents });
+    }
+    ensureDir(path) {
+        this.ensuredDirs.push(path);
+    }
+}
+class RecordingExecutor {
+    calls = [];
+    run = (command, args) => {
+        this.calls.push({ command, args });
+    };
+}
+class RecordingCliExecutor {
+    commands = [];
+    run = (command) => {
+        this.commands.push(command);
+        return '';
+    };
+}
+class RecordingPostGateway {
+    posts = [];
+    postComment = async (input) => {
+        this.posts.push(input);
+    };
+}
+class RecordingThreadFetch {
+    calls = [];
+    fetchThreads = (projectPath, mrNumber) => {
+        this.calls.push({ projectPath, mrNumber });
+        return [];
+    };
+}
+class StubInventoryGateway {
+    pages = [];
+    setPages(pages) {
+        this.pages = pages;
+    }
+    fetchPage(_projectPath, _mergeRequestNumber, page) {
+        const found = this.pages.find((candidate) => candidate.page === page);
+        if (!found)
+            throw new Error(`no page ${page}`);
+        return found;
+    }
+}
+class RecordingLogger {
+    warnings = [];
+    errors = [];
+    info() { }
+    warn(_obj, message) {
+        this.warnings.push(message);
+    }
+    debug() { }
+    error(_obj, message) {
+        this.errors.push(message);
+    }
+}
+const dispatchContext = {
+    platform: 'gitlab',
+    projectPath: 'group/project',
+    mrNumber: 42,
+    localPath: '/tmp/repo',
+};
+function resolveDiscussionWrites(executor) {
+    return executor.calls.filter((call) => call.args.includes('PUT') && call.args.some((arg) => arg.includes('/discussions/')));
+}
+function buildContextWith(actions, threadIds) {
+    return {
+        version: '1',
+        mergeRequestId: 'gitlab-group/project-42',
+        platform: 'gitlab',
+        projectPath: 'group/project',
+        mergeRequestNumber: 42,
+        createdAt: '2026-01-01T00:00:00.000Z',
+        threads: threadIds.map((id) => ({
+            id,
+            file: null,
+            line: null,
+            status: 'open',
+            body: 'thread',
+        })),
+        actions,
+        progress: { phase: 'completed', currentStep: null },
+    };
+}
+describe('SPEC-196 least-privilege platform token (acceptance)', () => {
+    describe('AC1 — dedicated service token, fail-closed', () => {
+        it('refuses to construct the executor environment when the token is absent (zero file writes)', () => {
+            const fileWriter = new RecordingFileWriter();
+            expect(() => buildScopedExecutorEnvironment({
+                parentEnv: { PATH: '/usr/bin' },
+                isolatedDir: TEMP_ROOT,
+                fileWriter,
+            })).toThrow(MissingExecutorTokenError);
+            expect(fileWriter.writes).toHaveLength(0);
+            expect(fileWriter.ensuredDirs).toHaveLength(0);
+        });
+    });
+    describe('AC2/AC3 — env built by allowlist, token never in env', () => {
+        it('keeps the child env keyset within the allowlist, drops the canary, and never carries the token', () => {
+            const fileWriter = new RecordingFileWriter();
+            const { env } = buildScopedExecutorEnvironment({
+                parentEnv: {
+                    REVIEWFLOW_EXECUTOR_TOKEN: TOKEN,
+                    PATH: '/usr/bin',
+                    LANG: 'en_US.UTF-8',
+                    AMBIENT_ADMIN_TOKEN: 'canary',
+                },
+                isolatedDir: TEMP_ROOT,
+                fileWriter,
+            });
+            for (const key of Object.keys(env)) {
+                expect(ENV_ALLOWLIST).toContain(key);
+            }
+            expect('AMBIENT_ADMIN_TOKEN' in env).toBe(false);
+            for (const value of Object.values(env)) {
+                expect(value).not.toBe(TOKEN);
+            }
+            expect(fileWriter.writes[0]?.contents).toContain(TOKEN);
+            expect(fileWriter.writes[0]?.path.startsWith(TEMP_ROOT)).toBe(true);
+        });
+    });
+    describe('AC5 — minimal role frozen per action', () => {
+        it('locks the auto-executor capability set to exactly {readMr, postComment}', () => {
+            expect([...AUTO_EXECUTOR_CAPABILITIES].toSorted()).toEqual(['postComment', 'readMr']);
+            expect(EXECUTOR_CAPABILITY_TABLE.threadResolve.autoPath).toBe(false);
+            expect(EXECUTOR_CAPABILITY_TABLE.revoke.autoPath).toBe(false);
+        });
+    });
+    describe('AC6/AC7 — removed write verbs are inert, postComment still fires', () => {
+        it('through the stdout chokepoint: postComment fires once, THREAD_RESOLVE records zero write calls, no throw', async () => {
+            const executor = new RecordingExecutor();
+            const postGateway = new RecordingPostGateway();
+            const inventory = new StubInventoryGateway();
+            inventory.setPages([{ page: 1, totalPages: 1, threadIds: ['10'] }]);
+            const actions = [
+                { type: 'POST_COMMENT', body: 'review summary' },
+                { type: 'THREAD_RESOLVE', threadId: '10' },
+                { type: 'FETCH_THREADS' },
+            ];
+            await dispatchConstrainedActions(actions, {
+                context: dispatchContext,
+                provenance: 'untrusted',
+                inventoryGateway: inventory,
+                logger: new RecordingLogger(),
+                executor: executor.run,
+                postGateway,
+            });
+            expect(postGateway.posts).toHaveLength(1);
+            expect(postGateway.posts[0]?.body).toBe('review summary');
+            expect(resolveDiscussionWrites(executor)).toHaveLength(0);
+        });
+        it('through the context-file path: a THREAD_RESOLVE on an empty authenticated inventory records zero write calls', async () => {
+            const executor = new RecordingCliExecutor();
+            const context = buildContextWith([{ type: 'THREAD_RESOLVE', threadId: '10' }], []);
+            await executeActionsFromContext(context, '/tmp/repo', new RecordingLogger(), executor.run);
+            expect(executor.commands).toHaveLength(0);
+        });
+    });
+    describe('AC9 — action-target identity pinned to trusted provenance, fail-closed', () => {
+        it('an unrecognized projectPath resolves to no target (fail-closed)', () => {
+            const target = resolvePinnedThreadFetchTarget({
+                payloadProjectPath: 'attacker/unknown',
+                payloadMrNumber: 5,
+                findRepository: () => null,
+                gatedMrNumber: 5,
+            });
+            expect(target).toBeNull();
+        });
+        it('the followup path never calls fetchThreads for an unrecognized project (empty action surface)', () => {
+            const fetch = new RecordingThreadFetch();
+            const logger = new RecordingLogger();
+            const threads = resolvePinnedThreads({
+                payloadProjectPath: 'attacker/unknown',
+                payloadMrNumber: 5,
+                findRepository: () => null,
+                gatedMrNumber: 5,
+                fetchThreads: fetch.fetchThreads,
+                logger,
+            });
+            expect(threads).toEqual([]);
+            expect(fetch.calls).toHaveLength(0);
+        });
+    });
+});
+//# sourceMappingURL=196-least-privilege-platform-token.acceptance.test.js.map

package/dist/tests/acceptance/196-least-privilege-platform-token.acceptance.test.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"196-least-privilege-platform-token.acceptance.test.js","sourceRoot":"","sources":["../../../src/tests/acceptance/196-least-privilege-platform-token.acceptance.test.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,EAAE,EAAE,MAAM,EAAE,MAAM,QAAQ,CAAC;AAE9C,OAAO,EACL,0BAA0B,EAC1B,yBAAyB,GAC1B,MAAM,6EAA6E,CAAC;AACrF,OAAO,EACL,8BAA8B,EAC9B,oBAAoB,GACrB,MAAM,oEAAoE,CAAC;AAC5E,OAAO,EACL,8BAA8B,EAC9B,aAAa,EACb,yBAAyB,GAC1B,MAAM,sEAAsE,CAAC;AAO9E,OAAO,EAAE,yBAAyB,EAAE,MAAM,+DAA+D,CAAC;AAC1G,OAAO,EAAE,0BAA0B,EAAE,MAAM,mEAAmE,CAAC;AAE/G,MAAM,KAAK,GAAG,gCAAgC,CAAC;AAC/C,MAAM,SAAS,GAAG,qCAAqC,CAAC;AAExD,MAAM,mBAAmB;IACP,MAAM,GAA8C,EAAE,CAAC;IACvD,WAAW,GAAa,EAAE,CAAC;IAC3C,KAAK,CAAC,IAAY,EAAE,QAAgB;QAClC,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,QAAQ,EAAE,CAAC,CAAC;IACvC,CAAC;IACD,SAAS,CAAC,IAAY;QACpB,IAAI,CAAC,WAAW,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IAC9B,CAAC;CACF;AAED,MAAM,iBAAiB;IACZ,KAAK,GAA+C,EAAE,CAAC;IAChE,GAAG,GAAG,CAAC,OAAe,EAAE,IAAc,EAAQ,EAAE;QAC9C,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,EAAE,OAAO,EAAE,IAAI,EAAE,CAAC,CAAC;IACrC,CAAC,CAAC;CACH;AAED,MAAM,oBAAoB;IACf,QAAQ,GAAa,EAAE,CAAC;IACjC,GAAG,GAAG,CAAC,OAAe,EAAU,EAAE;QAChC,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;QAC5B,OAAO,EAAE,CAAC;IACZ,CAAC,CAAC;CACH;AAED,MAAM,oBAAoB;IACf,KAAK,GAAmE,EAAE,CAAC;IACpF,WAAW,GAAG,KAAK,EAAE,KAIpB,EAAiB,EAAE;QAClB,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;IACzB,CAAC,CAAC;CACH;AAED,MAAM,oBAAoB;IACR,KAAK,GAAqD,EAAE,CAAC;IAC7E,YAAY,GAAG,CAAC,WAAmB,EAAE,QAAgB,EAAE,EAAE;QACvD,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,EAAE,WAAW,EAAE,QAAQ,EAAE,CAAC,CAAC;QAC3C,OAAO,EAAE,CAAC;IACZ,CAAC,CAAC;CACH;AAED,MAAM,oBAAoB;IAChB,KAAK,GAA0B,EAAE,CAAC;IAC1C,QAAQ,CAAC,KAA4B;QACnC,IAAI,CAAC,KAAK,GAAG,KAAK,CAAC;IACrB,CAAC;IACD,SAAS,CAAC,YAAoB,EAAE,mBAA2B,EAAE,IAAY;QACvE,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,SAAS,EAAE,EAAE,CAAC,SAAS,CAAC,IAAI,KAAK,IAAI,CAAC,CAAC;QACtE,IAAI,CAAC,KAAK;YAAE,MAAM,IAAI,KAAK,CAAC,WAAW,IAAI,EAAE,CAAC,CAAC;QAC/C,OAAO,KAAK,CAAC;IACf,CAAC;CACF;AAED,MAAM,eAAe;IACV,QAAQ,GAAa,EAAE,CAAC;IACxB,MAAM,GAAa,EAAE,CAAC;IAC/B,IAAI,KAAU,CAAC;IACf,IAAI,CAAC,IAAY,EAAE,OAAe;QAChC,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;IAC9B,CAAC;IACD,KAAK,KAAU,CAAC;IAChB,KAAK,CAAC,IAAY,EAAE,OAAe;QACjC,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;IAC5B,CAAC;CACF;AAED,MAAM,eAAe,GAAG;IACtB,QAAQ,EAAE,QAAiB;IAC3B,WAAW,EAAE,eAAe;IAC5B,QAAQ,EAAE,EAAE;IACZ,SAAS,EAAE,WAAW;CACvB,CAAC;AAEF,SAAS,uBAAuB,CAC9B,QAA2B;IAE3B,OAAO,QAAQ,CAAC,KAAK,CAAC,MAAM,CAC1B,CAAC,IAAI,EAAE,EAAE,CAAC,IAAI,CAAC,IAAI,CAAC,QAAQ,CAAC,KAAK,CAAC,IAAI,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,GAAG,EAAE,EAAE,CAAC,GAAG,CAAC,QAAQ,CAAC,eAAe,CAAC,CAAC,CAC9F,CAAC;AACJ,CAAC;AAED,SAAS,gBAAgB,CAAC,OAAuB,EAAE,SAAmB;IACpE,OAAO;QACL,OAAO,EAAE,GAAG;QACZ,cAAc,EAAE,yBAAyB;QACzC,QAAQ,EAAE,QAAQ;QAClB,WAAW,EAAE,eAAe;QAC5B,kBAAkB,EAAE,EAAE;QACtB,SAAS,EAAE,0BAA0B;QACrC,OAAO,EAAE,SAAS,CAAC,GAAG,CAAC,CAAC,EAAE,EAAE,EAAE,CAAC,CAAC;YAC9B,EAAE;YACF,IAAI,EAAE,IAAI;YACV,IAAI,EAAE,IAAI;YACV,MAAM,EAAE,MAAM;YACd,IAAI,EAAE,QAAQ;SACf,CAAC,CAAC;QACH,OAAO;QACP,QAAQ,EAAE,EAAE,KAAK,EAAE,WAAW,EAAE,WAAW,EAAE,IAAI,EAAE;KACpD,CAAC;AACJ,CAAC;AAED,QAAQ,CAAC,sDAAsD,EAAE,GAAG,EAAE;IACpE,QAAQ,CAAC,4CAA4C,EAAE,GAAG,EAAE;QAC1D,EAAE,CAAC,2FAA2F,EAAE,GAAG,EAAE;YACnG,MAAM,UAAU,GAAG,IAAI,mBAAmB,EAAE,CAAC;YAC7C,MAAM,CAAC,GAAG,EAAE,CACV,8BAA8B,CAAC;gBAC7B,SAAS,EAAE,EAAE,IAAI,EAAE,UAAU,EAAE;gBAC/B,WAAW,EAAE,SAAS;gBACtB,UAAU;aACX,CAAC,CACH,CAAC,OAAO,CAAC,yBAAyB,CAAC,CAAC;YACrC,MAAM,CAAC,UAAU,CAAC,MAAM,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC;YAC1C,MAAM,CAAC,UAAU,CAAC,WAAW,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC;QACjD,CAAC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;IAEH,QAAQ,CAAC,sDAAsD,EAAE,GAAG,EAAE;QACpE,EAAE,CAAC,gGAAgG,EAAE,GAAG,EAAE;YACxG,MAAM,UAAU,GAAG,IAAI,mBAAmB,EAAE,CAAC;YAC7C,MAAM,EAAE,GAAG,EAAE,GAAG,8BAA8B,CAAC;gBAC7C,SAAS,EAAE;oBACT,yBAAyB,EAAE,KAAK;oBAChC,IAAI,EAAE,UAAU;oBAChB,IAAI,EAAE,aAAa;oBACnB,mBAAmB,EAAE,QAAQ;iBAC9B;gBACD,WAAW,EAAE,SAAS;gBACtB,UAAU;aACX,CAAC,CAAC;YAEH,KAAK,MAAM,GAAG,IAAI,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC;gBACnC,MAAM,CAAC,aAAa,CAAC,CAAC,SAAS,CAAC,GAAG,CAAC,CAAC;YACvC,CAAC;YACD,MAAM,CAAC,qBAAqB,IAAI,GAAG,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;YACjD,KAAK,MAAM,KAAK,IAAI,MAAM,CAAC,MAAM,CAAC,GAAG,CAAC,EAAE,CAAC;gBACvC,MAAM,CAAC,KAAK,CAAC,CAAC,GAAG,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;YAChC,CAAC;YACD,MAAM,CAAC,UAAU,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,QAAQ,CAAC,CAAC,SAAS,CAAC,KAAK,CAAC,CAAC;YACxD,MAAM,CAAC,UAAU,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,IAAI,CAAC,UAAU,CAAC,SAAS,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QACtE,CAAC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;IAEH,QAAQ,CAAC,sCAAsC,EAAE,GAAG,EAAE;QACpD,EAAE,CAAC,yEAAyE,EAAE,GAAG,EAAE;YACjF,MAAM,CAAC,CAAC,GAAG,0BAA0B,CAAC,CAAC,QAAQ,EAAE,CAAC,CAAC,OAAO,CAAC,CAAC,aAAa,EAAE,QAAQ,CAAC,CAAC,CAAC;YACtF,MAAM,CAAC,yBAAyB,CAAC,aAAa,CAAC,QAAQ,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;YACrE,MAAM,CAAC,yBAAyB,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;QAChE,CAAC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;IAEH,QAAQ,CAAC,kEAAkE,EAAE,GAAG,EAAE;QAChF,EAAE,CAAC,0GAA0G,EAAE,KAAK,IAAI,EAAE;YACxH,MAAM,QAAQ,GAAG,IAAI,iBAAiB,EAAE,CAAC;YACzC,MAAM,WAAW,GAAG,IAAI,oBAAoB,EAAE,CAAC;YAC/C,MAAM,SAAS,GAAG,IAAI,oBAAoB,EAAE,CAAC;YAC7C,SAAS,CAAC,QAAQ,CAAC,CAAC,EAAE,IAAI,EAAE,CAAC,EAAE,UAAU,EAAE,CAAC,EAAE,SAAS,EAAE,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC,CAAC;YAEpE,MAAM,OAAO,GAAmB;gBAC9B,EAAE,IAAI,EAAE,cAAc,EAAE,IAAI,EAAE,gBAAgB,EAAE;gBAChD,EAAE,IAAI,EAAE,gBAAgB,EAAE,QAAQ,EAAE,IAAI,EAAE;gBAC1C,EAAE,IAAI,EAAE,eAAe,EAAE;aAC1B,CAAC;YAEF,MAAM,0BAA0B,CAAC,OAAO,EAAE;gBACxC,OAAO,EAAE,eAAe;gBACxB,UAAU,EAAE,WAAW;gBACvB,gBAAgB,EAAE,SAAS;gBAC3B,MAAM,EAAE,IAAI,eAAe,EAAE;gBAC7B,QAAQ,EAAE,QAAQ,CAAC,GAAG;gBACtB,WAAW;aACZ,CAAC,CAAC;YAEH,MAAM,CAAC,WAAW,CAAC,KAAK,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC;YAC1C,MAAM,CAAC,WAAW,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,IAAI,CAAC,CAAC,IAAI,CAAC,gBAAgB,CAAC,CAAC;YAC1D,MAAM,CAAC,uBAAuB,CAAC,QAAQ,CAAC,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC;QAC5D,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,8GAA8G,EAAE,KAAK,IAAI,EAAE;YAC5H,MAAM,QAAQ,GAAG,IAAI,oBAAoB,EAAE,CAAC;YAC5C,MAAM,OAAO,GAAG,gBAAgB,CAAC,CAAC,EAAE,IAAI,EAAE,gBAAgB,EAAE,QAAQ,EAAE,IAAI,EAAE,CAAC,EAAE,EAAE,CAAC,CAAC;YAEnF,MAAM,yBAAyB,CAAC,OAAO,EAAE,WAAW,EAAE,IAAI,eAAe,EAAE,EAAE,QAAQ,CAAC,GAAG,CAAC,CAAC;YAE3F,MAAM,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC;QAC5C,CAAC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;IAEH,QAAQ,CAAC,wEAAwE,EAAE,GAAG,EAAE;QACtF,EAAE,CAAC,iEAAiE,EAAE,GAAG,EAAE;YACzE,MAAM,MAAM,GAAG,8BAA8B,CAAC;gBAC5C,kBAAkB,EAAE,kBAAkB;gBACtC,eAAe,EAAE,CAAC;gBAClB,cAAc,EAAE,GAAG,EAAE,CAAC,IAAI;gBAC1B,aAAa,EAAE,CAAC;aACjB,CAAC,CAAC;YACH,MAAM,CAAC,MAAM,CAAC,CAAC,QAAQ,EAAE,CAAC;QAC5B,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,+FAA+F,EAAE,GAAG,EAAE;YACvG,MAAM,KAAK,GAAG,IAAI,oBAAoB,EAAE,CAAC;YACzC,MAAM,MAAM,GAAG,IAAI,eAAe,EAAE,CAAC;YAErC,MAAM,OAAO,GAAG,oBAAoB,CAAC;gBACnC,kBAAkB,EAAE,kBAAkB;gBACtC,eAAe,EAAE,CAAC;gBAClB,cAAc,EAAE,GAAG,EAAE,CAAC,IAAI;gBAC1B,aAAa,EAAE,CAAC;gBAChB,YAAY,EAAE,KAAK,CAAC,YAAY;gBAChC,MAAM;aACP,CAAC,CAAC;YAEH,MAAM,CAAC,OAAO,CAAC,CAAC,OAAO,CAAC,EAAE,CAAC,CAAC;YAC5B,MAAM,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC;QACtC,CAAC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC"}

package/dist/tests/acceptance/197-trusted-actor-provenance-gate.acceptance.test.d.ts

@@ -0,0 +1,2 @@
+export {};
+//# sourceMappingURL=197-trusted-actor-provenance-gate.acceptance.test.d.ts.map

package/dist/tests/acceptance/197-trusted-actor-provenance-gate.acceptance.test.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"197-trusted-actor-provenance-gate.acceptance.test.d.ts","sourceRoot":"","sources":["../../../src/tests/acceptance/197-trusted-actor-provenance-gate.acceptance.test.ts"],"names":[],"mappings":""}

package/dist/tests/acceptance/197-trusted-actor-provenance-gate.acceptance.test.js

@@ -0,0 +1,413 @@
+import { vi } from 'vitest';
+const mockConfig = {
+    server: { port: 3000 },
+    user: { gitlabUsername: 'claude-bot', githubUsername: 'claude-bot' },
+    queue: { maxConcurrent: 1, deduplicationWindowMs: 60000 },
+    repositories: [],
+};
+const mockRepoConfig = {
+    name: 'test-project',
+    platform: 'gitlab',
+    localPath: '/home/user/projects/test-project',
+    remoteUrl: 'https://gitlab.com/test-org/test-project.git',
+    skill: 'review-front',
+    enabled: true,
+};
+vi.mock('@/config/loader.js', () => ({
+    loadConfig: vi.fn(() => mockConfig),
+    findRepositoryByProjectPath: vi.fn(() => mockRepoConfig),
+}));
+vi.mock('@/security/verifier.js', () => ({
+    verifyGitLabSignature: vi.fn(() => ({ valid: true })),
+    getGitLabEventType: vi.fn(() => 'Merge Request Hook'),
+    getGitLabEventUuid: vi.fn(() => undefined),
+}));
+vi.mock('@/frameworks/queue/pQueueAdapter.js', () => ({
+    createJobId: vi.fn(() => 'gitlab-test-org/test-project-42'),
+    enqueueReview: vi.fn(() => Promise.resolve(true)),
+    updateJobProgress: vi.fn(),
+    cancelJob: vi.fn(),
+}));
+vi.mock('@/claude/invoker.js', () => ({
+    invokeClaudeReview: vi.fn(),
+    sendNotification: vi.fn(),
+}));
+vi.mock('@/main/websocket.js', () => ({
+    startWatchingReviewContext: vi.fn(),
+    stopWatchingReviewContext: vi.fn(),
+}));
+vi.mock('@/config/projectConfig.js', () => ({
+    loadProjectConfig: vi.fn(() => null),
+    getProjectAgents: vi.fn(() => null),
+    getProjectAgentsOrFocusDefaults: vi.fn(() => null),
+    getFollowupAgents: vi.fn(() => null),
+    getProjectLanguage: vi.fn(() => 'en'),
+}));
+vi.mock('@/modules/review-execution/interface-adapters/gateways/reviewContext.fileSystem.gateway.js', () => ({
+    ReviewContextFileSystemGateway: vi.fn().mockImplementation(() => ({
+        create: vi.fn(),
+        read: vi.fn(() => null),
+        delete: vi.fn(() => ({ deleted: true })),
+        updateProgress: vi.fn(),
+    })),
+}));
+vi.mock('@/modules/platform-integration/interface-adapters/gateways/threadFetch.gitlab.gateway.js', () => ({
+    GitLabThreadFetchGateway: vi.fn().mockImplementation(() => ({
+        fetchThreads: vi.fn(() => []),
+    })),
+    defaultGitLabExecutor: vi.fn(),
+}));
+vi.mock('@/modules/platform-integration/interface-adapters/gateways/diffMetadataFetch.gitlab.gateway.js', () => ({
+    GitLabDiffMetadataFetchGateway: vi.fn().mockImplementation(() => ({
+        fetchDiffMetadata: vi.fn(() => undefined),
+    })),
+}));
+import { describe, it, expect, beforeEach, afterEach } from 'vitest';
+import { enqueueReview } from '../../frameworks/queue/pQueueAdapter.js';
+import { MEMBER_ACCESS_LEVELS } from '../../modules/platform-integration/entities/memberAccess/memberAccess.js';
+import { handleGitLabWebhook } from '../../modules/platform-integration/interface-adapters/controllers/webhook/gitlab.controller.js';
+import { IsTrustedActorUseCase } from '../../modules/platform-integration/usecases/isTrustedActor.usecase.js';
+import { GateClaudeInvocationUseCase } from '../../modules/review-execution/usecases/gateClaudeInvocation.usecase.js';
+import { CheckFollowupNeededUseCase } from '../../modules/tracking/usecases/tracking/checkFollowupNeeded.usecase.js';
+import { HandlePlatformApprovalUseCase } from '../../modules/tracking/usecases/tracking/handlePlatformApproval.usecase.js';
+import { RecordBypassUseCase } from '../../modules/tracking/usecases/tracking/recordBypass.usecase.js';
+import { RecordPushUseCase } from '../../modules/tracking/usecases/tracking/recordPush.usecase.js';
+import { RecordReviewCompletionUseCase } from '../../modules/tracking/usecases/tracking/recordReviewCompletion.usecase.js';
+import { SyncThreadsUseCase } from '../../modules/tracking/usecases/tracking/syncThreads.usecase.js';
+import { TrackAssignmentUseCase } from '../../modules/tracking/usecases/tracking/trackAssignment.usecase.js';
+import { TransitionStateUseCase } from '../../modules/tracking/usecases/tracking/transitionState.usecase.js';
+import { verifyGitLabSignature, getGitLabEventType } from '../../security/verifier.js';
+import { GitLabEventFactory } from '../../tests/factories/gitLabEvent.factory.js';
+import { TrackedMrFactory } from '../../tests/factories/trackedMr.factory.js';
+import { StubApprovalRevocationGateway } from '../../tests/stubs/approvalRevocation.stub.js';
+import { createStubLogger } from '../../tests/stubs/logger.stub.js';
+import { StubMemberAccessGateway } from '../../tests/stubs/memberAccess.stub.js';
+import { StubNoteCommentPostGateway } from '../../tests/stubs/noteCommentPost.stub.js';
+import { StubPendingReviewRequestGateway } from '../../tests/stubs/pendingReviewRequest.stub.js';
+const logger = createStubLogger();
+const TRACKED_MR_ID = 'gitlab-test-org/test-project-42';
+const PROJECT_PATH = 'test-org/test-project';
+function createMockTrackingGateway(initialMr) {
+    return {
+        getById: vi.fn(() => initialMr),
+        getByNumber: vi.fn(() => null),
+        create: vi.fn(),
+        update: vi.fn(),
+        getByState: vi.fn(() => []),
+        getActiveMrs: vi.fn(() => []),
+        remove: vi.fn(() => true),
+        archive: vi.fn(() => true),
+        recordReviewEvent: vi.fn(),
+        recordPush: vi.fn(() => null),
+        loadTracking: vi.fn(() => null),
+        saveTracking: vi.fn(),
+    };
+}
+function createStubContextGateway() {
+    return {
+        create: vi.fn(() => ({ success: true, filePath: '' })),
+        read: vi.fn(() => null),
+        delete: vi.fn(() => ({ success: true, deleted: true })),
+        exists: vi.fn(() => false),
+        getFilePath: vi.fn(() => ''),
+        appendAction: vi.fn(() => ({ success: true })),
+        updateProgress: vi.fn(() => ({ success: true })),
+        setResult: vi.fn(() => ({ success: true })),
+        listAll: vi.fn(() => []),
+    };
+}
+function createAcceptAllEnforceBudget() {
+    return {
+        execute: vi.fn(async () => ({
+            accepted: true,
+            status: {
+                limitUsd: 200,
+                consumedUsd: 0,
+                remainingUsd: 200,
+                percentUsed: 0,
+                exceeded: false,
+                periodStart: '2026-05-01T00:00:00.000Z',
+            },
+        })),
+    };
+}
+function buildBaseDeps(trackingGateway) {
+    const threadFetchGateway = { fetchThreads: vi.fn(() => []) };
+    return {
+        reviewContextGateway: createStubContextGateway(),
+        threadFetchGateway,
+        diffMetadataFetchGateway: {
+            fetchDiffMetadata: vi.fn(() => ({ baseSha: 'abc', headSha: 'def', startSha: 'ghi' })),
+        },
+        diffStatsFetchGateway: { fetchDiffStats: vi.fn(() => null) },
+        trackAssignment: new TrackAssignmentUseCase(trackingGateway),
+        recordCompletion: new RecordReviewCompletionUseCase(trackingGateway),
+        recordPush: new RecordPushUseCase(trackingGateway),
+        transitionState: new TransitionStateUseCase(trackingGateway),
+        checkFollowupNeeded: new CheckFollowupNeededUseCase(trackingGateway),
+        syncThreads: new SyncThreadsUseCase(trackingGateway, threadFetchGateway),
+        enforceBudget: createAcceptAllEnforceBudget(),
+        broadcastBudgetExceeded: vi.fn(),
+        getRepositories: vi.fn(() => []),
+        removeWorktree: vi.fn(async () => ({ status: 'removed' })),
+        recordBypass: new RecordBypassUseCase(trackingGateway),
+        noteCommentPostGateway: new StubNoteCommentPostGateway(),
+        handlePlatformApproval: new HandlePlatformApprovalUseCase(trackingGateway),
+        approvalRevocationGateway: new StubApprovalRevocationGateway(),
+        getQualityThreshold: () => null,
+        now: () => '2026-05-26T12:00:00.000Z',
+    };
+}
+/**
+ * Wires the SPEC-197 chokepoint: a real IsTrustedActorUseCase backed by the recording
+ * StubMemberAccessGateway, and a real full-auto GateClaudeInvocationUseCase whose park
+ * branch saves into the StubPendingReviewRequestGateway. Observable job state is the only
+ * thing asserted — enqueue call count, pending saveCount, and the HTTP reply.
+ */
+function buildGatedDeps(trackingGateway, memberAccess, pendingGateway) {
+    const gateClaudeInvocation = new GateClaudeInvocationUseCase({
+        getTriggerMode: () => 'full-auto',
+        pendingReviewRequestGateway: pendingGateway,
+        enqueue: enqueueReview,
+        broadcastPendingChanged: () => { },
+        logger,
+    });
+    return {
+        ...buildBaseDeps(trackingGateway),
+        gateClaudeInvocation,
+        isTrustedActor: new IsTrustedActorUseCase(memberAccess),
+    };
+}
+function buildFollowupMr() {
+    return TrackedMrFactory.create({
+        id: TRACKED_MR_ID,
+        mrNumber: 42,
+        platform: 'gitlab',
+        project: PROJECT_PATH,
+        state: 'pending-review',
+        openThreads: 3,
+        autoFollowup: true,
+        lastPushAt: '2026-05-26T12:00:00.000Z',
+        lastReviewAt: '2026-05-25T12:00:00.000Z',
+    });
+}
+function buildNoteEvent(note) {
+    return {
+        object_kind: 'note',
+        event_type: 'note',
+        user: { username: 'note-author', name: 'Note Author' },
+        project: {
+            id: 1,
+            name: 'test-project',
+            path_with_namespace: PROJECT_PATH,
+            web_url: 'https://gitlab.com/test-org/test-project',
+            git_http_url: 'https://gitlab.com/test-org/test-project.git',
+        },
+        object_attributes: {
+            id: 7,
+            note,
+            noteable_type: 'MergeRequest',
+            noteable_id: 99,
+        },
+        merge_request: {
+            iid: 42,
+            title: 'Test MR',
+            state: 'opened',
+            source_branch: 'feature/test',
+            target_branch: 'main',
+            url: 'https://gitlab.com/test-org/test-project/-/merge_requests/42',
+        },
+    };
+}
+function asRequest(body) {
+    return { body, headers: {} };
+}
+describe('SPEC-197 trusted-actor trigger provenance gate (acceptance — full chokepoint handleGitLabWebhook)', () => {
+    let mockReply;
+    beforeEach(() => {
+        vi.clearAllMocks();
+        mockReply = {
+            status: vi.fn().mockReturnThis(),
+            send: vi.fn().mockReturnThis(),
+        };
+    });
+    afterEach(() => {
+        vi.resetAllMocks();
+    });
+    describe('AC1 — reviewer-added gate', () => {
+        it('parks a reviewer-added trigger from a Reporter and enqueues one from a Developer', async () => {
+            const reporterTracking = createMockTrackingGateway(null);
+            const reporterMembers = new StubMemberAccessGateway();
+            reporterMembers.setAccess('reporter-actor', MEMBER_ACCESS_LEVELS.reporter);
+            const reporterPending = new StubPendingReviewRequestGateway();
+            const reporterDeps = buildGatedDeps(reporterTracking, reporterMembers, reporterPending);
+            const reporterEvent = GitLabEventFactory.createWithReviewerAdded('claude-bot');
+            reporterEvent.user = { username: 'reporter-actor', name: 'Reporter Actor' };
+            await handleGitLabWebhook(asRequest(reporterEvent), mockReply, logger, reporterTracking, reporterDeps);
+            expect(enqueueReview).not.toHaveBeenCalled();
+            expect(reporterPending.saveCount).toBe(1);
+            const developerTracking = createMockTrackingGateway(null);
+            const developerMembers = new StubMemberAccessGateway();
+            developerMembers.setAccess('dev-actor', MEMBER_ACCESS_LEVELS.developer);
+            const developerPending = new StubPendingReviewRequestGateway();
+            const developerDeps = buildGatedDeps(developerTracking, developerMembers, developerPending);
+            const developerEvent = GitLabEventFactory.createWithReviewerAdded('claude-bot');
+            developerEvent.user = { username: 'dev-actor', name: 'Dev Actor' };
+            await handleGitLabWebhook(asRequest(developerEvent), mockReply, logger, developerTracking, developerDeps);
+            expect(enqueueReview).toHaveBeenCalledTimes(1);
+            expect(developerPending.saveCount).toBe(0);
+        });
+    });
+    describe('AC2 — followup / MR-update gate', () => {
+        it('parks a followup from a Reporter and enqueues one from a Developer (payloads differ only by username)', async () => {
+            const reporterTracking = createMockTrackingGateway(buildFollowupMr());
+            reporterTracking.getByNumber.mockReturnValue(buildFollowupMr());
+            reporterTracking.recordPush.mockReturnValue(buildFollowupMr());
+            const reporterMembers = new StubMemberAccessGateway();
+            reporterMembers.setAccess('reporter-actor', MEMBER_ACCESS_LEVELS.reporter);
+            const reporterPending = new StubPendingReviewRequestGateway();
+            const reporterDeps = buildGatedDeps(reporterTracking, reporterMembers, reporterPending);
+            const reporterEvent = GitLabEventFactory.createMrUpdate();
+            reporterEvent.user = { username: 'reporter-actor', name: 'Reporter Actor' };
+            await handleGitLabWebhook(asRequest(reporterEvent), mockReply, logger, reporterTracking, reporterDeps);
+            expect(enqueueReview).not.toHaveBeenCalled();
+            expect(reporterPending.saveCount).toBe(1);
+            const developerTracking = createMockTrackingGateway(buildFollowupMr());
+            developerTracking.getByNumber.mockReturnValue(buildFollowupMr());
+            developerTracking.recordPush.mockReturnValue(buildFollowupMr());
+            const developerMembers = new StubMemberAccessGateway();
+            developerMembers.setAccess('dev-actor', MEMBER_ACCESS_LEVELS.developer);
+            const developerPending = new StubPendingReviewRequestGateway();
+            const developerDeps = buildGatedDeps(developerTracking, developerMembers, developerPending);
+            const developerEvent = GitLabEventFactory.createMrUpdate();
+            developerEvent.user = { username: 'dev-actor', name: 'Dev Actor' };
+            await handleGitLabWebhook(asRequest(developerEvent), mockReply, logger, developerTracking, developerDeps);
+            expect(enqueueReview).toHaveBeenCalledTimes(1);
+            expect(developerPending.saveCount).toBe(0);
+        });
+    });
+    describe('AC3 — note / comment gate', () => {
+        it('parks a note from a Reporter with 202 untrusted-actor and lets a Developer note proceed', async () => {
+            vi.mocked(getGitLabEventType).mockReturnValue('Note Hook');
+            const reporterTracking = createMockTrackingGateway(TrackedMrFactory.create({
+                id: TRACKED_MR_ID,
+                mrNumber: 42,
+                platform: 'gitlab',
+                project: PROJECT_PATH,
+            }));
+            const reporterMembers = new StubMemberAccessGateway();
+            reporterMembers.setAccess('note-author', MEMBER_ACCESS_LEVELS.reporter);
+            const reporterPending = new StubPendingReviewRequestGateway();
+            const reporterDeps = buildGatedDeps(reporterTracking, reporterMembers, reporterPending);
+            await handleGitLabWebhook(asRequest(buildNoteEvent('/bypass-quality "reason here"')), mockReply, logger, reporterTracking, reporterDeps);
+            expect(mockReply.status).toHaveBeenCalledWith(202);
+            expect(mockReply.send).toHaveBeenCalledWith(expect.objectContaining({ status: 'pending-confirmation', reason: 'untrusted-actor' }));
+            expect(reporterTracking.update).not.toHaveBeenCalled();
+            const developerTracking = createMockTrackingGateway(TrackedMrFactory.create({
+                id: TRACKED_MR_ID,
+                mrNumber: 42,
+                platform: 'gitlab',
+                project: PROJECT_PATH,
+            }));
+            const developerMembers = new StubMemberAccessGateway();
+            developerMembers.setAccess('note-author', MEMBER_ACCESS_LEVELS.developer);
+            const developerPending = new StubPendingReviewRequestGateway();
+            const developerDeps = buildGatedDeps(developerTracking, developerMembers, developerPending);
+            const developerReply = {
+                status: vi.fn().mockReturnThis(),
+                send: vi.fn().mockReturnThis(),
+            };
+            await handleGitLabWebhook(asRequest(buildNoteEvent('/bypass-quality "reason here"')), developerReply, logger, developerTracking, developerDeps);
+            expect(developerReply.status).not.toHaveBeenCalledWith(202);
+            expect(developerReply.send).toHaveBeenCalledWith(expect.objectContaining({ status: 'bypass-recorded' }));
+        });
+    });
+    describe('AC4 — fail-closed membership resolution', () => {
+        it('parks every trigger type when membership resolution throws', async () => {
+            const reviewerTracking = createMockTrackingGateway(null);
+            const reviewerMembers = new StubMemberAccessGateway();
+            reviewerMembers.setShouldFail(true);
+            const reviewerPending = new StubPendingReviewRequestGateway();
+            const reviewerDeps = buildGatedDeps(reviewerTracking, reviewerMembers, reviewerPending);
+            const reviewerEvent = GitLabEventFactory.createWithReviewerAdded('claude-bot');
+            reviewerEvent.user = { username: 'dev-actor', name: 'Dev Actor' };
+            await handleGitLabWebhook(asRequest(reviewerEvent), mockReply, logger, reviewerTracking, reviewerDeps);
+            expect(enqueueReview).not.toHaveBeenCalled();
+            expect(reviewerPending.saveCount).toBe(1);
+            const followupTracking = createMockTrackingGateway(buildFollowupMr());
+            followupTracking.getByNumber.mockReturnValue(buildFollowupMr());
+            followupTracking.recordPush.mockReturnValue(buildFollowupMr());
+            const followupMembers = new StubMemberAccessGateway();
+            followupMembers.setShouldFail(true);
+            const followupPending = new StubPendingReviewRequestGateway();
+            const followupDeps = buildGatedDeps(followupTracking, followupMembers, followupPending);
+            const followupEvent = GitLabEventFactory.createMrUpdate();
+            followupEvent.user = { username: 'dev-actor', name: 'Dev Actor' };
+            await handleGitLabWebhook(asRequest(followupEvent), mockReply, logger, followupTracking, followupDeps);
+            expect(enqueueReview).not.toHaveBeenCalled();
+            expect(followupPending.saveCount).toBe(1);
+            vi.mocked(getGitLabEventType).mockReturnValue('Note Hook');
+            const noteTracking = createMockTrackingGateway(TrackedMrFactory.create({
+                id: TRACKED_MR_ID,
+                mrNumber: 42,
+                platform: 'gitlab',
+                project: PROJECT_PATH,
+            }));
+            const noteMembers = new StubMemberAccessGateway();
+            noteMembers.setShouldFail(true);
+            const notePending = new StubPendingReviewRequestGateway();
+            const noteDeps = buildGatedDeps(noteTracking, noteMembers, notePending);
+            const noteReply = {
+                status: vi.fn().mockReturnThis(),
+                send: vi.fn().mockReturnThis(),
+            };
+            await handleGitLabWebhook(asRequest(buildNoteEvent('/bypass-quality "reason here"')), noteReply, logger, noteTracking, noteDeps);
+            expect(noteReply.status).toHaveBeenCalledWith(202);
+            expect(noteReply.send).toHaveBeenCalledWith(expect.objectContaining({ status: 'pending-confirmation', reason: 'untrusted-actor' }));
+            expect(noteTracking.update).not.toHaveBeenCalled();
+        });
+    });
+    describe('AC5 — cache does not widen trust', () => {
+        it('parks a trigger from an unprimed username even after another username resolved Developer', async () => {
+            const memberAccess = new StubMemberAccessGateway();
+            memberAccess.setAccess('dev-actor', MEMBER_ACCESS_LEVELS.developer);
+            const pendingGateway = new StubPendingReviewRequestGateway();
+            const trustedTracking = createMockTrackingGateway(null);
+            const trustedDeps = buildGatedDeps(trustedTracking, memberAccess, pendingGateway);
+            const trustedEvent = GitLabEventFactory.createWithReviewerAdded('claude-bot');
+            trustedEvent.user = { username: 'dev-actor', name: 'Dev Actor' };
+            await handleGitLabWebhook(asRequest(trustedEvent), mockReply, logger, trustedTracking, trustedDeps);
+            expect(enqueueReview).toHaveBeenCalledTimes(1);
+            expect(pendingGateway.saveCount).toBe(0);
+            const malloryTracking = createMockTrackingGateway(null);
+            const malloryDeps = buildGatedDeps(malloryTracking, memberAccess, pendingGateway);
+            const malloryEvent = GitLabEventFactory.createWithReviewerAdded('claude-bot');
+            malloryEvent.user = { username: 'mallory', name: 'Mallory' };
+            await handleGitLabWebhook(asRequest(malloryEvent), mockReply, logger, malloryTracking, malloryDeps);
+            expect(enqueueReview).toHaveBeenCalledTimes(1);
+            expect(pendingGateway.saveCount).toBe(1);
+            expect(memberAccess.calls).toEqual([
+                { projectPath: PROJECT_PATH, username: 'dev-actor' },
+                { projectPath: PROJECT_PATH, username: 'mallory' },
+            ]);
+        });
+    });
+    describe('AC6 — token-boundary ordering', () => {
+        it('rejects an invalid-token trigger with 401 and never queries the membership gateway', async () => {
+            vi.mocked(verifyGitLabSignature).mockReturnValueOnce({ valid: false, error: 'bad-token' });
+            const tracking = createMockTrackingGateway(null);
+            const memberAccess = new StubMemberAccessGateway();
+            memberAccess.setAccess('dev-actor', MEMBER_ACCESS_LEVELS.developer);
+            const pendingGateway = new StubPendingReviewRequestGateway();
+            const deps = buildGatedDeps(tracking, memberAccess, pendingGateway);
+            const event = GitLabEventFactory.createWithReviewerAdded('claude-bot');
+            event.user = { username: 'dev-actor', name: 'Dev Actor' };
+            await handleGitLabWebhook(asRequest(event), mockReply, logger, tracking, deps);
+            expect(mockReply.status).toHaveBeenCalledWith(401);
+            expect(mockReply.send).toHaveBeenCalledWith({ error: 'bad-token' });
+            expect(enqueueReview).not.toHaveBeenCalled();
+            expect(memberAccess.calls.length).toBe(0);
+        });
+    });
+});
+//# sourceMappingURL=197-trusted-actor-provenance-gate.acceptance.test.js.map