takos-runtime-service 1.0.0

package/package.json

@@ -0,0 +1,29 @@
+{
+  "name": "takos-runtime-service",
+  "version": "1.0.0",
+  "type": "module",
+  "scripts": {
+    "build": "tsc -p tsconfig.json",
+    "test": "vitest run",
+    "typecheck": "tsc --noEmit"
+  },
+  "dependencies": {
+    "@aws-sdk/client-s3": "^3.700.0",
+    "@hono/node-server": "^1.13.0",
+    "takos-common": "workspace:*",
+    "hono": "^4.12.4",
+    "yaml": "^2.8.2"
+  },
+  "exports": {
+    ".": "./src/index.ts",
+    "./package.json": "./package.json"
+  },
+  "files": [
+    "src",
+    "package.json"
+  ],
+  "devDependencies": {
+    "typescript": "^5.7.0",
+    "vitest": "^2.1.0"
+  }
+}

package/src/__tests__/middleware/rate-limit.test.ts

@@ -0,0 +1,33 @@
+import { Hono } from 'hono';
+import { describe, expect, it } from 'vitest';
+import { createRateLimiter } from '../../middleware/rate-limit.js';
+
+describe('createRateLimiter maxKeys saturation', () => {
+  it('fails closed when the key store is saturated', async () => {
+    const limiter = createRateLimiter({
+      maxRequests: 5,
+      windowMs: 60_000,
+      maxKeys: 1,
+      keyFn: (c) => c.req.header('x-rate-key') || 'unknown',
+    });
+
+    const app = new Hono();
+    app.use(limiter);
+    app.get('/', (c) => c.json({ ok: true }));
+
+    const first = await app.request('/', {
+      headers: { 'x-rate-key': 'key-1' },
+    });
+    expect(first.status).toBe(200);
+
+    const second = await app.request('/', {
+      headers: { 'x-rate-key': 'key-2' },
+    });
+    expect(second.status).toBe(429);
+    expect(await second.json()).toEqual({
+      error: 'Rate limiter capacity reached. Please try again later.',
+      retry_after_seconds: 60,
+    });
+    expect(second.headers.get('retry-after')).toBe('60');
+  });
+});

package/src/__tests__/middleware/workspace-scope-extended.test.ts

@@ -0,0 +1,163 @@
+import { describe, expect, it } from 'vitest';
+import {
+  getSpaceIdFromPath,
+  collectRequestedSpaceIds,
+  getScopedSpaceId,
+  hasSpaceScopeMismatch,
+  hasAnySpaceScopeMismatch,
+  SPACE_SCOPE_MISMATCH_ERROR,
+} from '../../middleware/space-scope.js';
+
+function createContext(overrides: {
+  path?: string;
+  serviceToken?: { scope_space_id?: string } | null;
+  parsedBody?: Record<string, unknown>;
+} = {}) {
+  const { path = '/repos/ws1/myrepo', serviceToken = null, parsedBody } = overrides;
+  return {
+    req: {
+      path,
+      header: () => undefined,
+    },
+    get(key: string) {
+      if (key === 'serviceToken') return serviceToken;
+      if (key === 'parsedBody') return parsedBody;
+      return undefined;
+    },
+  };
+}
+
+// ---------------------------------------------------------------------------
+// getSpaceIdFromPath
+// ---------------------------------------------------------------------------
+
+describe('getSpaceIdFromPath', () => {
+  it('extracts workspace ID from /repos/:spaceId/:repo path', () => {
+    const c = createContext({ path: '/repos/ws1/myrepo' });
+    expect(getSpaceIdFromPath(c as any)).toBe('ws1');
+  });
+
+  it('extracts workspace ID from deeper paths', () => {
+    const c = createContext({ path: '/repos/ws1/myrepo/branches' });
+    expect(getSpaceIdFromPath(c as any)).toBe('ws1');
+  });
+
+  it('returns null for non-repos path', () => {
+    const c = createContext({ path: '/api/health' });
+    expect(getSpaceIdFromPath(c as any)).toBeNull();
+  });
+
+  it('returns null for too-short repos path', () => {
+    const c = createContext({ path: '/repos/ws1' });
+    expect(getSpaceIdFromPath(c as any)).toBeNull();
+  });
+
+  it('returns null for empty repos path', () => {
+    const c = createContext({ path: '/repos' });
+    expect(getSpaceIdFromPath(c as any)).toBeNull();
+  });
+});
+
+// ---------------------------------------------------------------------------
+// collectRequestedSpaceIds
+// ---------------------------------------------------------------------------
+
+describe('collectRequestedSpaceIds', () => {
+  it('returns unique non-empty strings', () => {
+    expect(collectRequestedSpaceIds(['ws1', 'ws2', 'ws1'])).toEqual(['ws1', 'ws2']);
+  });
+
+  it('filters out non-string values', () => {
+    expect(collectRequestedSpaceIds([null, undefined, 123, 'ws1'])).toEqual(['ws1']);
+  });
+
+  it('filters out empty strings', () => {
+    expect(collectRequestedSpaceIds(['', 'ws1', ''])).toEqual(['ws1']);
+  });
+
+  it('returns empty array for all-invalid input', () => {
+    expect(collectRequestedSpaceIds([null, undefined, '', 0])).toEqual([]);
+  });
+});
+
+// ---------------------------------------------------------------------------
+// getScopedSpaceId
+// ---------------------------------------------------------------------------
+
+describe('getScopedSpaceId', () => {
+  it('returns scope_space_id from service token', () => {
+    const c = createContext({ serviceToken: { scope_space_id: 'ws1' } });
+    expect(getScopedSpaceId(c as any)).toBe('ws1');
+  });
+
+  it('returns undefined when no service token', () => {
+    const c = createContext({ serviceToken: null });
+    expect(getScopedSpaceId(c as any)).toBeUndefined();
+  });
+
+  it('returns undefined when scope_space_id is not a string', () => {
+    const c = createContext({ serviceToken: { scope_space_id: 123 } as any });
+    expect(getScopedSpaceId(c as any)).toBeUndefined();
+  });
+});
+
+// ---------------------------------------------------------------------------
+// hasSpaceScopeMismatch
+// ---------------------------------------------------------------------------
+
+describe('hasSpaceScopeMismatch', () => {
+  it('returns false when no service token', () => {
+    const c = createContext({ serviceToken: null });
+    expect(hasSpaceScopeMismatch(c as any, 'ws1')).toBe(false);
+  });
+
+  it('returns false when spaceId matches scope', () => {
+    const c = createContext({ serviceToken: { scope_space_id: 'ws1' } });
+    expect(hasSpaceScopeMismatch(c as any, 'ws1')).toBe(false);
+  });
+
+  it('returns true when spaceId does not match scope', () => {
+    const c = createContext({ serviceToken: { scope_space_id: 'ws1' } });
+    expect(hasSpaceScopeMismatch(c as any, 'ws2')).toBe(true);
+  });
+
+  it('returns false when spaceId is empty/null/undefined', () => {
+    const c = createContext({ serviceToken: { scope_space_id: 'ws1' } });
+    expect(hasSpaceScopeMismatch(c as any, '')).toBe(false);
+    expect(hasSpaceScopeMismatch(c as any, null)).toBe(false);
+    expect(hasSpaceScopeMismatch(c as any, undefined)).toBe(false);
+  });
+});
+
+// ---------------------------------------------------------------------------
+// hasAnySpaceScopeMismatch
+// ---------------------------------------------------------------------------
+
+describe('hasAnySpaceScopeMismatch', () => {
+  it('returns false when all match', () => {
+    const c = createContext({ serviceToken: { scope_space_id: 'ws1' } });
+    expect(hasAnySpaceScopeMismatch(c as any, ['ws1', 'ws1'])).toBe(false);
+  });
+
+  it('returns true when any mismatch', () => {
+    const c = createContext({ serviceToken: { scope_space_id: 'ws1' } });
+    expect(hasAnySpaceScopeMismatch(c as any, ['ws1', 'ws2'])).toBe(true);
+  });
+
+  it('returns false for empty array', () => {
+    const c = createContext({ serviceToken: { scope_space_id: 'ws1' } });
+    expect(hasAnySpaceScopeMismatch(c as any, [])).toBe(false);
+  });
+});
+
+// ---------------------------------------------------------------------------
+// SPACE_SCOPE_MISMATCH_ERROR
+// ---------------------------------------------------------------------------
+
+describe('SPACE_SCOPE_MISMATCH_ERROR', () => {
+  it('is the expected string', () => {
+    expect(SPACE_SCOPE_MISMATCH_ERROR).toBe(
+      'Token workspace scope does not match requested workspace',
+    );
+  });
+});

package/src/__tests__/routes/actions-start-limits.test.ts

@@ -0,0 +1,139 @@
+import { describe, expect, it, vi } from 'vitest';
+import { createTestApp, testRequest } from '../setup.js';
+
+vi.hoisted(() => {
+  process.env.TAKOS_API_URL = 'https://takos.example.test';
+});
+
+import actionsRoutes from '../../routes/actions/index.js';
+import { SANDBOX_LIMITS } from '../../shared/config.js';
+
+function createStartBody(jobName: string, spaceId: string, stepCount = 1) {
+  return {
+    space_id: spaceId,
+    repoId: 'acme/repo',
+    ref: 'refs/heads/main',
+    sha: 'a'.repeat(40),
+    workflowPath: '.takos/workflows/ci.yml',
+    jobName,
+    steps: Array.from({ length: stepCount }, (_, i) => ({
+      name: `noop-${i + 1}`,
+      run: 'echo hello',
+    })),
+  };
+}
+
+describe('actions start step limits', () => {
+  it('rejects start when step count exceeds maxStepsPerJob', async () => {
+    const app = createTestApp();
+    app.route('/', actionsRoutes);
+
+    const jobId = `steps-over-limit-${Date.now()}`;
+    const response = await testRequest(app, {
+      method: 'POST',
+      path: `/actions/jobs/${jobId}/start`,
+      body: createStartBody(
+        'over-limit',
+        'workspace-step-limit',
+        SANDBOX_LIMITS.maxStepsPerJob + 1,
+      ),
+    });
+
+    expect(response.status).toBe(400);
+    expect(response.body).toEqual({
+      error: {
+        code: 'BAD_REQUEST',
+        message: `Steps exceed per-job limit (max ${SANDBOX_LIMITS.maxStepsPerJob})`,
+      },
+    });
+  });
+
+  it('accepts start when step count equals maxStepsPerJob', async () => {
+    const app = createTestApp();
+    app.route('/', actionsRoutes);
+
+    const jobId = `steps-at-limit-${Date.now()}`;
+
+    try {
+      const response = await testRequest(app, {
+        method: 'POST',
+        path: `/actions/jobs/${jobId}/start`,
+        body: createStartBody(
+          'at-limit',
+          'workspace-step-limit',
+          SANDBOX_LIMITS.maxStepsPerJob,
+        ),
+      });
+
+      expect(response.status).toBe(200);
+      expect(response.body).toMatchObject({
+        jobId,
+        status: 'running',
+        message: 'Job started successfully',
+      });
+    } finally {
+      await testRequest(app, {
+        method: 'DELETE',
+        path: `/actions/jobs/${jobId}`,
+      });
+    }
+  });
+});
+
+describe('actions start concurrency limits', () => {
+  it('applies maxConcurrentJobs per workspace', async () => {
+    const app = createTestApp();
+    app.route('/', actionsRoutes);
+
+    const startedJobIds: string[] = [];
+    const prefix = `concurrency-${Date.now()}`;
+    const workspaceA = 'workspace-a';
+    const workspaceB = 'workspace-b';
+
+    try {
+      for (let i = 0; i < SANDBOX_LIMITS.maxConcurrentJobs; i++) {
+        const jobId = `${prefix}-${i}`;
+        const response = await testRequest(app, {
+          method: 'POST',
+          path: `/actions/jobs/${jobId}/start`,
+          body: createStartBody(`job-${i}`, workspaceA),
+        });
+
+        expect(response.status).toBe(200);
+        startedJobIds.push(jobId);
+      }
+
+      const otherWorkspaceJobId = `${prefix}-other-workspace`;
+      const otherWorkspaceResponse = await testRequest(app, {
+        method: 'POST',
+        path: `/actions/jobs/${otherWorkspaceJobId}/start`,
+        body: createStartBody('job-other-workspace', workspaceB),
+      });
+
+      expect(otherWorkspaceResponse.status).toBe(200);
+      startedJobIds.push(otherWorkspaceJobId);
+
+      const overflowJobId = `${prefix}-overflow`;
+      const overflowResponse = await testRequest(app, {
+        method: 'POST',
+        path: `/actions/jobs/${overflowJobId}/start`,
+        body: createStartBody('overflow-job', workspaceA),
+      });
+
+      expect(overflowResponse.status).toBe(429);
+      expect(overflowResponse.body).toEqual({
+        error: {
+          code: 'RATE_LIMITED',
+          message: `Concurrent job limit reached (max ${SANDBOX_LIMITS.maxConcurrentJobs})`,
+        },
+      });
+    } finally {
+      for (const jobId of startedJobIds) {
+        await testRequest(app, {
+          method: 'DELETE',
+          path: `/actions/jobs/${jobId}`,
+        });
+      }
+    }
+  });
+});

package/src/__tests__/routes/actions-step-warnings.test.ts

@@ -0,0 +1,194 @@
+import { beforeEach, describe, expect, it, vi } from 'vitest';
+import { createTestApp, testRequest } from '../setup.js';
+
+vi.hoisted(() => {
+  process.env.TAKOS_API_URL = 'https://takos.example.test';
+});
+
+const { executeRunMock, executeActionMock, capturedStepEnvs } = vi.hoisted(() => ({
+  executeRunMock: vi.fn(),
+  executeActionMock: vi.fn(),
+  capturedStepEnvs: [] as Array<Record<string, string>>,
+}));
+
+vi.mock('../../runtime/actions/executor.js', () => ({
+  StepExecutor: class {
+    constructor(_workspacePath: string, env: Record<string, string>) {
+      capturedStepEnvs.push(env);
+    }
+
+    executeRun = executeRunMock;
+
+    executeAction = executeActionMock;
+  },
+}));
+
+import actionsRoutes from '../../routes/actions/index.js';
+
+describe('actions step behavior', () => {
+  beforeEach(() => {
+    executeRunMock.mockResolvedValue({
+      exitCode: 0,
+      stdout: 'ok',
+      stderr: '',
+      outputs: {},
+      conclusion: 'success',
+    });
+    executeActionMock.mockResolvedValue({
+      exitCode: 0,
+      stdout: '',
+      stderr: '',
+      outputs: {},
+      conclusion: 'success',
+    });
+    capturedStepEnvs.length = 0;
+  });
+
+  it('keeps secrets masked for printenv-like commands without custom warnings field', async () => {
+    const app = createTestApp();
+    app.route('/', actionsRoutes);
+
+    executeRunMock.mockResolvedValue({
+      exitCode: 0,
+      stdout: 'token=s3cr3t',
+      stderr: '',
+      outputs: {},
+      conclusion: 'success',
+    });
+
+    const jobId = `step-mask-${Date.now()}`;
+
+    try {
+      const startResponse = await testRequest(app, {
+        method: 'POST',
+        path: `/actions/jobs/${jobId}/start`,
+        body: {
+          space_id: 'workspace-step-mask',
+          repoId: 'acme/repo',
+          ref: 'refs/heads/main',
+          sha: 'a'.repeat(40),
+          workflowPath: '.takos/workflows/ci.yml',
+          jobName: 'mask-job',
+          secrets: {
+            TOKEN: 's3cr3t',
+          },
+          steps: [{ name: 'step-1', run: 'echo hello' }],
+        },
+      });
+
+      expect(startResponse.status).toBe(200);
+
+      const stepResponse = await testRequest(app, {
+        method: 'POST',
+        path: `/actions/jobs/${jobId}/step/0`,
+        body: {
+          name: 'step-1',
+          run: 'echo hello',
+        },
+      });
+
+      expect(stepResponse.status).toBe(200);
+      expect(stepResponse.body).toMatchObject({
+        conclusion: 'success',
+        stdout: 'token=***',
+      });
+      expect(stepResponse.body).not.toHaveProperty('warnings');
+
+      const logsResponse = await testRequest(app, {
+        method: 'GET',
+        path: `/actions/jobs/${jobId}/logs`,
+      });
+      const logsBody = logsResponse.body as { logs: string[] };
+      expect(logsResponse.status).toBe(200);
+      expect(logsBody.logs.some((line) => line.includes('token=***'))).toBe(true);
+      expect(logsBody.logs.some((line) => line.includes('s3cr3t'))).toBe(false);
+    } finally {
+      await testRequest(app, {
+        method: 'DELETE',
+        path: `/actions/jobs/${jobId}`,
+      });
+    }
+  });
+
+  it('always sets GITHUB_RUN_ID to jobId', async () => {
+    const app = createTestApp();
+    app.route('/', actionsRoutes);
+
+    const jobId = `with-run-id-${Date.now()}`;
+
+    try {
+      const startResponse = await testRequest(app, {
+        method: 'POST',
+        path: `/actions/jobs/${jobId}/start`,
+        body: {
+          space_id: 'workspace-run-id',
+          repoId: 'acme/repo',
+          ref: 'refs/heads/main',
+          sha: 'a'.repeat(40),
+          workflowPath: '.takos/workflows/ci.yml',
+          jobName: 'run-id-job',
+          steps: [{ name: 'step-1', run: 'echo hello' }],
+        },
+      });
+      expect(startResponse.status).toBe(200);
+
+      const stepResponse = await testRequest(app, {
+        method: 'POST',
+        path: `/actions/jobs/${jobId}/step/0`,
+        body: {
+          name: 'step-1',
+          run: 'echo hello',
+        },
+      });
+
+      expect(stepResponse.status).toBe(200);
+      expect(capturedStepEnvs.at(-1)?.GITHUB_RUN_ID).toBe(jobId);
+    } finally {
+      await testRequest(app, {
+        method: 'DELETE',
+        path: `/actions/jobs/${jobId}`,
+      });
+    }
+  });
+
+  it('falls back to jobId for GITHUB_RUN_ID when runId is omitted', async () => {
+    const app = createTestApp();
+    app.route('/', actionsRoutes);
+
+    const jobId = `fallback-run-id-${Date.now()}`;
+
+    try {
+      const startResponse = await testRequest(app, {
+        method: 'POST',
+        path: `/actions/jobs/${jobId}/start`,
+        body: {
+          space_id: 'workspace-run-id-fallback',
+          repoId: 'acme/repo',
+          ref: 'refs/heads/main',
+          sha: 'a'.repeat(40),
+          workflowPath: '.takos/workflows/ci.yml',
+          jobName: 'fallback-run-id-job',
+          steps: [{ name: 'step-1', run: 'echo hello' }],
+        },
+      });
+      expect(startResponse.status).toBe(200);
+
+      const stepResponse = await testRequest(app, {
+        method: 'POST',
+        path: `/actions/jobs/${jobId}/step/0`,
+        body: {
+          name: 'step-1',
+          run: 'echo hello',
+        },
+      });
+
+      expect(stepResponse.status).toBe(200);
+      expect(capturedStepEnvs.at(-1)?.GITHUB_RUN_ID).toBe(jobId);
+    } finally {
+      await testRequest(app, {
+        method: 'DELETE',
+        path: `/actions/jobs/${jobId}`,
+      });
+    }
+  });
+});

package/src/__tests__/routes/cli-proxy.test.ts

@@ -0,0 +1,72 @@
+import { afterEach, beforeEach, describe, expect, it, vi } from 'vitest';
+import { createTestApp, testRequest } from '../setup.js';
+
+const hoisted = vi.hoisted(() => {
+  process.env.TAKOS_API_URL = 'https://takos.example.test';
+  process.env.PROXY_BASE_URL = 'https://runtime-host.example.test';
+  return {
+    getSession: vi.fn(),
+    fetch: vi.fn(),
+  };
+});
+
+vi.mock('../../routes/sessions/storage.js', () => ({
+  sessionStore: {
+    getSession: hoisted.getSession,
+  },
+}));
+
+import cliProxyRoutes from '../../routes/cli/proxy.js';
+
+describe('cli-proxy route', () => {
+  beforeEach(() => {
+    hoisted.getSession.mockReset();
+    hoisted.fetch.mockReset();
+    vi.stubGlobal('fetch', hoisted.fetch);
+  });
+
+  afterEach(() => {
+    vi.unstubAllGlobals();
+  });
+
+  it('forwards query parameters via PROXY_BASE_URL while validating the path only', async () => {
+    const app = createTestApp();
+    app.route('/', cliProxyRoutes);
+
+    hoisted.getSession.mockReturnValue({
+      id: 'a12345678901234b',
+      spaceId: 'space-a',
+      proxyToken: 'random-proxy-token-abc',
+      lastAccessedAt: 0,
+    });
+    hoisted.fetch.mockResolvedValue({
+      status: 200,
+      text: async () => JSON.stringify({ ok: true }),
+    });
+
+    const response = await testRequest(app, {
+      method: 'GET',
+      path: '/cli-proxy/api/repos/repo-1/status',
+      query: {
+        ref: 'refs/heads/main',
+        verbose: '1',
+      },
+      headers: {
+        'X-Takos-Session-Id': 'a12345678901234b',
+        'X-Takos-Space-Id': 'space-a',
+      },
+    });
+
+    expect(response.status).toBe(200);
+    expect(response.body).toEqual({ ok: true });
+
+    expect(hoisted.fetch).toHaveBeenCalledTimes(1);
+    const forwardedUrl = hoisted.fetch.mock.calls[0]?.[0] as string;
+    const forwardedOptions = hoisted.fetch.mock.calls[0]?.[1] as { headers: Record<string, string>; method: string };
+
+    expect(forwardedUrl).toBe('https://runtime-host.example.test/forward/cli-proxy/api/repos/repo-1/status?ref=refs%2Fheads%2Fmain&verbose=1');
+    expect(forwardedOptions.method).toBe('GET');
+    expect(forwardedOptions.headers['X-Takos-Session-Id']).toBe('a12345678901234b');
+    expect(forwardedOptions.headers.Authorization).toBe('Bearer random-proxy-token-abc');
+  });
+});