takos-runtime-service 1.0.0

package/src/__tests__/routes/git-http.test.ts

@@ -0,0 +1,218 @@
+import { Hono } from 'hono';
+import * as fs from 'fs/promises';
+import path from 'path';
+import type { ChildProcessWithoutNullStreams, SpawnOptionsWithoutStdio } from 'child_process';
+import { EventEmitter } from 'events';
+import { PassThrough } from 'stream';
+import { afterEach, beforeEach, describe, expect, it, vi } from 'vitest';
+
+const hoisted = vi.hoisted(() => ({
+  reposBaseDir: '/tmp/takos-runtime-git-http-tests',
+  spawn: vi.fn(),
+  gracefulKill: vi.fn(),
+}));
+
+vi.mock('../../shared/config.js', () => ({
+  REPOS_BASE_DIR: hoisted.reposBaseDir,
+}));
+
+vi.mock('child_process', () => ({
+  spawn: hoisted.spawn,
+}));
+
+vi.mock('../../utils/process-kill.js', () => ({
+  gracefulKill: hoisted.gracefulKill,
+}));
+
+import gitHttpRoutes from '../../routes/git/http.js';
+
+interface MockChildProcess extends ChildProcessWithoutNullStreams {
+  stdin: PassThrough;
+  stdout: PassThrough;
+  stderr: PassThrough;
+  killed: boolean;
+}
+
+function createTestApp() {
+  const app = new Hono();
+  app.route('/', gitHttpRoutes);
+  return app;
+}
+
+async function createRepoDir(spaceId: string, repoName: string): Promise<void> {
+  await fs.mkdir(path.join(hoisted.reposBaseDir, spaceId, `${repoName}.git`), { recursive: true });
+}
+
+function createMockChildProcess(): MockChildProcess {
+  const child = new EventEmitter() as MockChildProcess;
+  child.stdin = new PassThrough();
+  child.stdout = new PassThrough();
+  child.stderr = new PassThrough();
+  child.killed = false;
+  child.kill = vi.fn(() => {
+    child.killed = true;
+    return true;
+  }) as ChildProcessWithoutNullStreams['kill'];
+  return child;
+}
+
+describe('git-http route hardening', () => {
+  beforeEach(async () => {
+    vi.clearAllMocks();
+    vi.useRealTimers();
+    await fs.rm(hoisted.reposBaseDir, { recursive: true, force: true });
+    await fs.mkdir(hoisted.reposBaseDir, { recursive: true });
+  });
+
+  afterEach(() => {
+    vi.useRealTimers();
+  });
+
+  it('rejects workspace-scoped JWT that targets another workspace', async () => {
+    const app = new Hono();
+    // Simulate service token middleware setting serviceToken on context
+    app.use('*', async (c, next) => {
+      c.set('serviceToken', { scope_space_id: 'ws-allowed' } as any);
+      await next();
+    });
+    app.route('/', gitHttpRoutes);
+
+    const response = await app.request('/git/ws-denied/repo.git/info/refs?service=git-upload-pack');
+
+    expect(response.status).toBe(403);
+    const body = await response.json();
+    expect(body).toEqual({
+      error: {
+        code: 'FORBIDDEN',
+        message: 'Token workspace scope does not match requested workspace',
+      },
+    });
+  });
+
+  it('supports LFS batch endpoint and reports missing download objects', async () => {
+    const spaceId = 'ws123';
+    const repoName = 'repo123';
+    const oid = 'a'.repeat(64);
+    await createRepoDir(spaceId, repoName);
+
+    const app = createTestApp();
+
+    const batchUpload = await app.request(
+      `/git/${spaceId}/${repoName}.git/info/lfs/objects/batch`,
+      {
+        method: 'POST',
+        headers: {
+          'Content-Type': 'application/vnd.git-lfs+json',
+          'Host': 'localhost',
+        },
+        body: JSON.stringify({
+          operation: 'upload',
+          objects: [{ oid, size: 12 }],
+        }),
+      }
+    );
+
+    expect(batchUpload.status).toBe(200);
+    const uploadBody = await batchUpload.json();
+    expect(uploadBody).toMatchObject({
+      transfer: 'basic',
+      objects: [
+        {
+          oid,
+          actions: {
+            upload: {
+              href: expect.stringContaining(`/git/${spaceId}/${repoName}.git/info/lfs/objects/${oid}`),
+            },
+          },
+        },
+      ],
+    });
+
+    const batchDownload = await app.request(
+      `/git/${spaceId}/${repoName}.git/info/lfs/objects/batch`,
+      {
+        method: 'POST',
+        headers: {
+          'Content-Type': 'application/vnd.git-lfs+json',
+          'Host': 'localhost',
+        },
+        body: JSON.stringify({
+          operation: 'download',
+          objects: [{ oid, size: 12 }],
+        }),
+      }
+    );
+
+    expect(batchDownload.status).toBe(200);
+    const downloadBody = await batchDownload.json();
+    expect(downloadBody).toMatchObject({
+      transfer: 'basic',
+      objects: [
+        {
+          oid,
+          error: {
+            code: 404,
+            message: 'Object does not exist',
+          },
+        },
+      ],
+    });
+  });
+
+  it('returns 400 for invalid oid in both LFS upload/download object handlers', async () => {
+    const spaceId = 'ws-invalid-oid';
+    const repoName = 'repo-invalid-oid';
+    await createRepoDir(spaceId, repoName);
+    const app = createTestApp();
+
+    const invalidOid = 'not-a-valid-oid';
+    const putResponse = await app.request(
+      `/git/${spaceId}/${repoName}.git/info/lfs/objects/${invalidOid}`,
+      { method: 'PUT' }
+    );
+    const getResponse = await app.request(
+      `/git/${spaceId}/${repoName}.git/info/lfs/objects/${invalidOid}`
+    );
+
+    expect(putResponse.status).toBe(400);
+    const putBody = await putResponse.json();
+    expect(putBody).toEqual({ error: { code: 'BAD_REQUEST', message: 'Invalid LFS object id' } });
+    expect(getResponse.status).toBe(400);
+    const getBody = await getResponse.json();
+    expect(getBody).toEqual({ error: { code: 'BAD_REQUEST', message: 'Invalid LFS object id' } });
+  });
+
+  it('keeps PUT content-length validation response', async () => {
+    const app = createTestApp();
+
+    const response = await app.request(
+      `/git/ws-content-length/repo-content-length.git/info/lfs/objects/${'a'.repeat(64)}`,
+      {
+        method: 'PUT',
+        headers: {
+          'Content-Length': 'abc',
+        },
+      }
+    );
+
+    expect(response.status).toBe(400);
+    const body = await response.json();
+    expect(body).toEqual({ error: { code: 'BAD_REQUEST', message: 'Invalid Content-Length' } });
+  });
+
+  it('returns 404 for missing LFS object download', async () => {
+    const spaceId = 'ws-missing-object';
+    const repoName = 'repo-missing-object';
+    const oid = 'b'.repeat(64);
+    await createRepoDir(spaceId, repoName);
+
+    const app = createTestApp();
+    const response = await app.request(
+      `/git/${spaceId}/${repoName}.git/info/lfs/objects/${oid}`
+    );
+
+    expect(response.status).toBe(404);
+    const body = await response.json();
+    expect(body).toEqual({ error: { code: 'NOT_FOUND', message: 'LFS object not found' } });
+  });
+});

package/src/__tests__/routes/git-lfs-policy.test.ts

@@ -0,0 +1,112 @@
+import { describe, expect, it, vi } from 'vitest';
+
+vi.mock('../../shared/config.js', () => ({
+  REPOS_BASE_DIR: '/tmp/test-repos',
+}));
+
+import {
+  buildLfsBatchObjectResponse,
+  getLfsObjectPath,
+  normalizeLfsOid,
+  parseContentLength,
+  parseLfsBatchRequest,
+} from '../../routes/git/http.js';
+
+describe('git-lfs policy helpers', () => {
+  it('normalizes valid oid and rejects invalid values', () => {
+    const upper = 'A'.repeat(64);
+    expect(normalizeLfsOid(upper)).toBe('a'.repeat(64));
+    expect(normalizeLfsOid('invalid')).toBeNull();
+    expect(normalizeLfsOid(undefined)).toBeNull();
+  });
+
+  it('parses valid LFS batch request and normalizes object oids', () => {
+    const parsed = parseLfsBatchRequest({
+      operation: 'upload',
+      objects: [{ oid: 'A'.repeat(64), size: 42 }],
+    });
+
+    expect(parsed).toEqual({
+      operation: 'upload',
+      objects: [{ oid: 'a'.repeat(64), size: 42 }],
+    });
+  });
+
+  it('rejects malformed LFS batch request payloads', () => {
+    expect(parseLfsBatchRequest({ operation: 'upload', objects: [{ oid: 'abc', size: 1 }] })).toBeNull();
+    expect(parseLfsBatchRequest({ operation: 'download', objects: [{ oid: 'a'.repeat(64), size: -1 }] })).toBeNull();
+    expect(parseLfsBatchRequest({ operation: 'download' })).toBeNull();
+    expect(parseLfsBatchRequest(null)).toBeNull();
+  });
+
+  it('parses content length consistently', () => {
+    expect(parseContentLength(undefined)).toBeNull();
+    expect(parseContentLength('')).toBeNull();
+    expect(parseContentLength('123')).toBe(123);
+    expect(Number.isNaN(parseContentLength('12x'))).toBe(true);
+  });
+
+  it('builds stable object paths from oid sharding', () => {
+    const oid = 'ab'.padEnd(64, 'c');
+    expect(getLfsObjectPath('/repo.git', oid)).toBe(
+      '/repo.git/lfs/objects/ab/cc/'.concat(oid)
+    );
+  });
+
+  it('builds upload/download batch responses from existence policy', () => {
+    const oid = 'a'.repeat(64);
+    const href = `https://example.test/git/ws/repo.git/info/lfs/objects/${oid}`;
+
+    expect(
+      buildLfsBatchObjectResponse({
+        operation: 'upload',
+        oid,
+        size: 12,
+        exists: true,
+        href,
+      })
+    ).toEqual({ oid, size: 12 });
+
+    expect(
+      buildLfsBatchObjectResponse({
+        operation: 'upload',
+        oid,
+        size: 12,
+        exists: false,
+        href,
+      })
+    ).toEqual({
+      oid,
+      size: 12,
+      actions: { upload: { href, expires_in: 3600 } },
+    });
+
+    expect(
+      buildLfsBatchObjectResponse({
+        operation: 'download',
+        oid,
+        size: 12,
+        exists: false,
+        href,
+      })
+    ).toEqual({
+      oid,
+      size: 12,
+      error: { code: 404, message: 'Object does not exist' },
+    });
+
+    expect(
+      buildLfsBatchObjectResponse({
+        operation: 'download',
+        oid,
+        size: 12,
+        exists: true,
+        href,
+      })
+    ).toEqual({
+      oid,
+      size: 12,
+      actions: { download: { href, expires_in: 3600 } },
+    });
+  });
+});

package/src/__tests__/routes/sessions/store.test.ts

@@ -0,0 +1,72 @@
+import * as fs from 'fs/promises';
+import * as path from 'path';
+import { describe, expect, it, vi } from 'vitest';
+
+vi.mock('../../../shared/config.js', () => ({
+  HEARTBEAT_INTERVAL_MS: 120000,
+  HEARTBEAT_ASSUMED_INTERVAL_MS: 2 * 60 * 1000,
+  PROXY_BASE_URL: undefined,
+  SESSION_IDLE_TIMEOUT_MS: 10 * 60 * 1000,
+  SESSION_MAX_DURATION_MS: 60 * 60 * 1000,
+  SESSION_CLEANUP_INTERVAL_MS: 30 * 1000,
+  MAX_SESSIONS_PER_WORKSPACE: 2,
+  MAX_TOTAL_SESSIONS: 100000,
+}));
+
+import { sessionStore } from '../../../routes/sessions/storage.js';
+
+describe('session owner binding', () => {
+  it('rejects session reuse when owner sub does not match', async () => {
+    const sessionId = 'a12345678901234b';
+    const spaceId = 'ws046owner1';
+
+    try {
+      await sessionStore.getSessionDir(sessionId, spaceId, 'owner-a');
+      expect(() => sessionStore.getSessionWithValidation(sessionId, spaceId, 'owner-a')).not.toThrow();
+      expect(() => sessionStore.getSessionWithValidation(sessionId, spaceId, 'owner-b')).toThrow(
+        'Session does not belong to the authenticated owner'
+      );
+    } finally {
+      await sessionStore.destroySession(sessionId, spaceId, 'owner-a');
+    }
+  });
+
+  it('rejects retroactive owner binding when session was created without explicit owner', async () => {
+    const sessionId = 'a12345678901234c';
+    const spaceId = 'ws046owner2';
+
+    try {
+      await sessionStore.getSessionDir(sessionId, spaceId);
+      expect(() => sessionStore.getSessionWithValidation(sessionId, spaceId)).not.toThrow();
+      expect(() => sessionStore.getSessionWithValidation(sessionId, spaceId, 'owner-a')).toThrow(
+        'Session does not belong to the authenticated owner'
+      );
+      expect(() => sessionStore.getSessionWithValidation(sessionId, spaceId, 'owner-b')).toThrow(
+        'Session does not belong to the authenticated owner'
+      );
+    } finally {
+      await sessionStore.destroySession(sessionId, spaceId);
+    }
+  });
+});
+
+describe('.takos-session metadata', () => {
+  it('stores only session_id and space_id', async () => {
+    const sessionId = 'a12345678901234d';
+    const spaceId = 'ws046owner3';
+
+    try {
+      const workDir = await sessionStore.getSessionDir(sessionId, spaceId, 'owner-a');
+      const sessionInfoPath = path.join(workDir, '.takos-session');
+      const sessionInfo = JSON.parse(await fs.readFile(sessionInfoPath, 'utf-8')) as Record<string, unknown>;
+
+      expect(sessionInfo).toEqual({
+        session_id: sessionId,
+        space_id: spaceId,
+      });
+      expect(sessionInfo).not.toHaveProperty('api_url');
+    } finally {
+      await sessionStore.destroySession(sessionId, spaceId, 'owner-a');
+    }
+  });
+});

package/src/__tests__/routes/workspace-scope.test.ts

@@ -0,0 +1,45 @@
+import { describe, expect, it } from 'vitest';
+
+import { getSpaceIdFromBody } from '../../middleware/space-scope.js';
+
+function createContext(body: unknown): { get: (key: string) => unknown } {
+  return {
+    get(key: string) {
+      if (key === 'parsedBody') return body;
+      return undefined;
+    },
+  };
+}
+
+describe('getSpaceIdFromBody', () => {
+  it('returns spaceId from camelCase body field', () => {
+    const c = createContext({ spaceId: 'ws-camel' });
+    expect(getSpaceIdFromBody(c as any, 'spaceId')).toBe('ws-camel');
+  });
+
+  it('returns space_id from snake_case body field', () => {
+    const c = createContext({ space_id: 'ws-snake' });
+    expect(getSpaceIdFromBody(c as any, 'space_id')).toBe('ws-snake');
+  });
+
+  it('returns null for missing, empty, and non-string values', () => {
+    const invalidBodies: unknown[] = [
+      undefined,
+      null,
+      false,
+      0,
+      '',
+      {},
+      { spaceId: '' },
+      { spaceId: 123 },
+      { space_id: '' },
+      { space_id: 123 },
+    ];
+
+    for (const body of invalidBodies) {
+      const c = createContext(body);
+      expect(getSpaceIdFromBody(c as any, 'spaceId')).toBeNull();
+      expect(getSpaceIdFromBody(c as any, 'space_id')).toBeNull();
+    }
+  });
+});

package/src/__tests__/runtime/action-registry.test.ts

@@ -0,0 +1,208 @@
+import { describe, expect, it, vi } from 'vitest';
+
+vi.mock('../../shared/config.js', () => ({
+  REPOS_BASE_DIR: '/repos',
+  WORKDIR_BASE_DIR: '/tmp',
+  GIT_ENDPOINT_URL: 'https://git.takos.dev',
+}));
+
+vi.mock('../../runtime/git.js', () => ({
+  cloneAndCheckout: vi.fn(),
+}));
+
+import {
+  parseActionRef,
+  validateActionComponent,
+  resolveInputs,
+  buildInputEnv,
+} from '../../runtime/actions/action-registry.js';
+
+// ---------------------------------------------------------------------------
+// parseActionRef
+// ---------------------------------------------------------------------------
+
+describe('parseActionRef', () => {
+  it('parses owner/repo@ref', () => {
+    expect(parseActionRef('actions/checkout@v4')).toEqual({
+      owner: 'actions',
+      repo: 'checkout',
+      actionPath: '',
+      ref: 'v4',
+    });
+  });
+
+  it('parses owner/repo/subpath@ref', () => {
+    expect(parseActionRef('actions/toolkit/packages/core@v1')).toEqual({
+      owner: 'actions',
+      repo: 'toolkit',
+      actionPath: 'packages/core',
+      ref: 'v1',
+    });
+  });
+
+  it('defaults to main when no @ref', () => {
+    expect(parseActionRef('owner/repo')).toEqual({
+      owner: 'owner',
+      repo: 'repo',
+      actionPath: '',
+      ref: 'main',
+    });
+  });
+
+  it('handles empty ref after @', () => {
+    expect(parseActionRef('owner/repo@')).toEqual({
+      owner: 'owner',
+      repo: 'repo',
+      actionPath: '',
+      ref: 'main',
+    });
+  });
+
+  it('handles single component (no slash)', () => {
+    expect(parseActionRef('single@v1')).toEqual({
+      owner: 'single',
+      repo: '',
+      actionPath: '',
+      ref: 'v1',
+    });
+  });
+
+  it('handles deep nested action path', () => {
+    expect(parseActionRef('org/repo/a/b/c@v2')).toEqual({
+      owner: 'org',
+      repo: 'repo',
+      actionPath: 'a/b/c',
+      ref: 'v2',
+    });
+  });
+});
+
+// ---------------------------------------------------------------------------
+// validateActionComponent
+// ---------------------------------------------------------------------------
+
+describe('validateActionComponent', () => {
+  it('accepts valid component', () => {
+    expect(() => validateActionComponent('actions', 'owner')).not.toThrow();
+    expect(() => validateActionComponent('my-repo_v2', 'repo')).not.toThrow();
+    expect(() => validateActionComponent('v1.0.0', 'ref')).not.toThrow();
+  });
+
+  it('rejects component with slash', () => {
+    expect(() => validateActionComponent('path/to', 'owner')).toThrow('Invalid action owner');
+  });
+
+  it('rejects component with spaces', () => {
+    expect(() => validateActionComponent('has space', 'repo')).toThrow('Invalid action repo');
+  });
+
+  it('rejects component with special chars', () => {
+    expect(() => validateActionComponent('bad@char', 'ref')).toThrow('Invalid action ref');
+  });
+
+  it('rejects empty component', () => {
+    expect(() => validateActionComponent('', 'owner')).toThrow('Invalid action owner');
+  });
+});
+
+// ---------------------------------------------------------------------------
+// resolveInputs
+// ---------------------------------------------------------------------------
+
+describe('resolveInputs', () => {
+  it('resolves provided inputs', () => {
+    const definitions = {
+      name: { description: 'Name', required: true },
+    };
+    const { resolvedInputs, missing } = resolveInputs(definitions, { name: 'John' });
+    expect(resolvedInputs).toEqual({ name: 'John' });
+    expect(missing).toEqual([]);
+  });
+
+  it('uses default values when not provided', () => {
+    const definitions = {
+      name: { description: 'Name', default: 'Default' },
+    };
+    const { resolvedInputs, missing } = resolveInputs(definitions, {});
+    expect(resolvedInputs).toEqual({ name: 'Default' });
+    expect(missing).toEqual([]);
+  });
+
+  it('reports missing required inputs', () => {
+    const definitions = {
+      name: { description: 'Name', required: true },
+    };
+    const { resolvedInputs, missing } = resolveInputs(definitions, {});
+    expect(missing).toEqual(['name']);
+  });
+
+  it('matches inputs case-insensitively', () => {
+    const definitions = {
+      Name: { description: 'Name', required: true },
+    };
+    const { resolvedInputs } = resolveInputs(definitions, { name: 'John' });
+    expect(resolvedInputs).toEqual({ Name: 'John' });
+  });
+
+  it('passes through undefined definitions', () => {
+    const { resolvedInputs, missing } = resolveInputs(undefined, { extra: 'value' });
+    expect(resolvedInputs).toEqual({ extra: 'value' });
+    expect(missing).toEqual([]);
+  });
+
+  it('normalizes boolean default values', () => {
+    const definitions = {
+      flag: { description: 'Flag', default: true },
+    };
+    const { resolvedInputs } = resolveInputs(definitions, {});
+    expect(resolvedInputs).toEqual({ flag: 'true' });
+  });
+
+  it('normalizes null default to empty string', () => {
+    const definitions = {
+      val: { description: 'Val', default: null },
+    };
+    const { resolvedInputs } = resolveInputs(definitions, {});
+    expect(resolvedInputs).toEqual({ val: '' });
+  });
+
+  it('passes through extra inputs not in definitions', () => {
+    const definitions = {
+      defined: { description: 'Defined' },
+    };
+    const { resolvedInputs } = resolveInputs(definitions, {
+      defined: 'yes',
+      extra: 'bonus',
+    });
+    expect(resolvedInputs).toEqual({ defined: 'yes', extra: 'bonus' });
+  });
+});
+
+// ---------------------------------------------------------------------------
+// buildInputEnv
+// ---------------------------------------------------------------------------
+
+describe('buildInputEnv', () => {
+  it('creates INPUT_* env vars', () => {
+    expect(buildInputEnv({ name: 'John', version: '1.0' })).toEqual({
+      INPUT_NAME: 'John',
+      INPUT_VERSION: '1.0',
+    });
+  });
+
+  it('uppercases and sanitizes key names', () => {
+    expect(buildInputEnv({ 'my-input': 'value' })).toEqual({
+      INPUT_MY_INPUT: 'value',
+    });
+  });
+
+  it('handles empty inputs', () => {
+    expect(buildInputEnv({})).toEqual({});
+  });
+
+  it('replaces dots in key names', () => {
+    expect(buildInputEnv({ 'dotted.key': 'val' })).toEqual({
+      INPUT_DOTTED_KEY: 'val',
+    });
+  });
+});