takos-runtime-service 1.0.0

package/src/__tests__/runtime/logging.test.ts

@@ -0,0 +1,65 @@
+import { describe, expect, it, vi } from 'vitest';
+
+vi.mock('../../shared/config.js', () => ({
+  MAX_LOG_LINES: 5,
+}));
+
+import { pushLog } from '../../runtime/logging.js';
+
+describe('pushLog', () => {
+  it('pushes a message to the log array', () => {
+    const logs: string[] = [];
+    pushLog(logs, 'hello');
+    expect(logs).toEqual(['hello']);
+  });
+
+  it('pushes multiple messages', () => {
+    const logs: string[] = [];
+    pushLog(logs, 'first');
+    pushLog(logs, 'second');
+    expect(logs).toEqual(['first', 'second']);
+  });
+
+  it('truncates individual lines exceeding 10000 chars', () => {
+    const logs: string[] = [];
+    const longLine = 'x'.repeat(15000);
+    pushLog(logs, longLine);
+    expect(logs[0]).toHaveLength(10000 + '...[truncated]'.length);
+    expect(logs[0].endsWith('...[truncated]')).toBe(true);
+  });
+
+  it('stops appending after MAX_LOG_LINES and adds truncation notice', () => {
+    const logs: string[] = [];
+    // MAX_LOG_LINES is mocked to 5
+    for (let i = 0; i < 10; i++) {
+      pushLog(logs, `line ${i}`);
+    }
+    // Should have 5 normal lines + 1 truncation notice = 6 total
+    expect(logs).toHaveLength(6);
+    expect(logs[5]).toBe('...log truncated');
+  });
+
+  it('adds truncation notice only once', () => {
+    const logs: string[] = [];
+    for (let i = 0; i < 20; i++) {
+      pushLog(logs, `line ${i}`);
+    }
+    const truncationCount = logs.filter(l => l === '...log truncated').length;
+    expect(truncationCount).toBe(1);
+  });
+
+  it('sanitizes message with provided sanitizer', () => {
+    const logs: string[] = [];
+    const sanitizer = {
+      sanitize: (text: string) => text.replace(/secret/g, '***'),
+    };
+    pushLog(logs, 'my secret value', sanitizer as any);
+    expect(logs[0]).toBe('my *** value');
+  });
+
+  it('works without sanitizer', () => {
+    const logs: string[] = [];
+    pushLog(logs, 'no sanitizer', undefined);
+    expect(logs[0]).toBe('no sanitizer');
+  });
+});

package/src/__tests__/runtime/paths.test.ts

@@ -0,0 +1,236 @@
+import * as fs from 'fs/promises';
+import * as os from 'os';
+import path from 'path';
+import { afterEach, beforeEach, describe, expect, it, vi } from 'vitest';
+
+vi.mock('../../shared/config.js', () => ({
+  REPOS_BASE_DIR: '/repos',
+  WORKDIR_BASE_DIR: os.tmpdir(),
+}));
+
+import {
+  isPathWithinBase,
+  resolvePathWithin,
+  getRepoPath,
+  resolveWorkDirPath,
+  verifyPathWithinAfterAccess,
+  verifyPathWithinBeforeCreate,
+  verifyNoSymlinkPathComponents,
+  resolveRepoGitPath,
+} from '../../runtime/paths.js';
+import { SymlinkEscapeError, SymlinkNotAllowedError } from '../../shared/errors.js';
+
+let tempDir: string;
+
+beforeEach(async () => {
+  tempDir = await fs.mkdtemp(path.join(os.tmpdir(), 'takos-paths-test-'));
+});
+
+afterEach(async () => {
+  await fs.rm(tempDir, { recursive: true, force: true });
+});
+
+// ---------------------------------------------------------------------------
+// isPathWithinBase
+// ---------------------------------------------------------------------------
+
+describe('isPathWithinBase', () => {
+  it('returns true for a child path', () => {
+    expect(isPathWithinBase('/base', '/base/child')).toBe(true);
+  });
+
+  it('returns true for deeply nested path', () => {
+    expect(isPathWithinBase('/base', '/base/a/b/c/d')).toBe(true);
+  });
+
+  it('returns true for base itself when allowBase is true', () => {
+    expect(isPathWithinBase('/base', '/base', { allowBase: true })).toBe(true);
+  });
+
+  it('returns false for base itself when allowBase is false', () => {
+    expect(isPathWithinBase('/base', '/base', { allowBase: false })).toBe(false);
+  });
+
+  it('returns false for path outside base', () => {
+    expect(isPathWithinBase('/base', '/other/path')).toBe(false);
+  });
+
+  it('returns false for parent path', () => {
+    expect(isPathWithinBase('/base/child', '/base')).toBe(false);
+  });
+
+  it('returns false for traversal path', () => {
+    expect(isPathWithinBase('/base', '/base/../other')).toBe(false);
+  });
+
+  it('handles resolveInputs option', () => {
+    expect(isPathWithinBase('/tmp', '/tmp/./child', { resolveInputs: true })).toBe(true);
+  });
+});
+
+// ---------------------------------------------------------------------------
+// resolvePathWithin
+// ---------------------------------------------------------------------------
+
+describe('resolvePathWithin', () => {
+  it('resolves a valid relative path', () => {
+    const result = resolvePathWithin(tempDir, 'subdir/file.txt', 'test');
+    expect(result).toBe(path.resolve(tempDir, 'subdir/file.txt'));
+  });
+
+  it('throws on empty target', () => {
+    expect(() => resolvePathWithin(tempDir, '', 'test')).toThrow('Invalid test path');
+  });
+
+  it('throws on whitespace-only target', () => {
+    expect(() => resolvePathWithin(tempDir, '   ', 'test')).toThrow('Invalid test path');
+  });
+
+  it('throws on absolute path when not allowed', () => {
+    expect(() => resolvePathWithin(tempDir, '/etc/passwd', 'test')).toThrow(
+      'Absolute test paths are not allowed',
+    );
+  });
+
+  it('throws on path traversal', () => {
+    expect(() => resolvePathWithin(tempDir, '../etc/passwd', 'test')).toThrow(
+      'Path traversal not allowed in test',
+    );
+  });
+
+  it('allows absolute paths when allowAbsolute is true', () => {
+    const absPath = path.join(tempDir, 'allowed');
+    const result = resolvePathWithin(tempDir, absPath, 'test', false, true);
+    expect(result).toBe(path.resolve(absPath));
+  });
+
+  it('rejects absolute paths outside base even when allowAbsolute is true', () => {
+    expect(() => resolvePathWithin(tempDir, '/completely/different', 'test', false, true)).toThrow();
+  });
+});
+
+// ---------------------------------------------------------------------------
+// getRepoPath
+// ---------------------------------------------------------------------------
+
+describe('getRepoPath', () => {
+  it('builds correct repo path', () => {
+    const result = getRepoPath('workspace1', 'myrepo');
+    expect(result).toBe(path.join('/repos', 'workspace1', 'myrepo.git'));
+  });
+
+  it('throws on empty spaceId', () => {
+    expect(() => getRepoPath('', 'myrepo')).toThrow('spaceId is required');
+  });
+
+  it('throws on empty repoName', () => {
+    expect(() => getRepoPath('ws1', '')).toThrow('repoName is required');
+  });
+
+  it('throws on spaceId with invalid characters', () => {
+    expect(() => getRepoPath('ws/../evil', 'repo')).toThrow('invalid characters');
+  });
+
+  it('throws on repoName with invalid characters', () => {
+    expect(() => getRepoPath('ws1', 'repo/../../evil')).toThrow('invalid characters');
+  });
+
+  it('throws on spaceId starting with non-alphanumeric', () => {
+    expect(() => getRepoPath('_ws', 'repo')).toThrow('must start with an alphanumeric');
+  });
+
+  it('throws on repoName exceeding 128 characters', () => {
+    expect(() => getRepoPath('ws1', 'a'.repeat(129))).toThrow('too long');
+  });
+});
+
+// ---------------------------------------------------------------------------
+// resolveRepoGitPath
+// ---------------------------------------------------------------------------
+
+describe('resolveRepoGitPath', () => {
+  it('accepts valid absolute .git path under REPOS_BASE_DIR', () => {
+    const p = '/repos/ws1/myrepo.git';
+    expect(resolveRepoGitPath(p)).toBe(path.resolve(p));
+  });
+
+  it('rejects relative path', () => {
+    expect(() => resolveRepoGitPath('ws1/myrepo.git')).toThrow('Invalid repoGitPath');
+  });
+
+  it('rejects path not ending in .git', () => {
+    expect(() => resolveRepoGitPath('/repos/ws1/myrepo')).toThrow('Invalid repoGitPath');
+  });
+
+  it('rejects path outside REPOS_BASE_DIR', () => {
+    expect(() => resolveRepoGitPath('/other/ws1/myrepo.git')).toThrow('Invalid repoGitPath');
+  });
+
+  it('rejects REPOS_BASE_DIR itself as .git', () => {
+    // /repos is the base but doesn't end with .git - would already fail
+    expect(() => resolveRepoGitPath('/repos')).toThrow('Invalid repoGitPath');
+  });
+});
+
+// ---------------------------------------------------------------------------
+// verifyPathWithinAfterAccess
+// ---------------------------------------------------------------------------
+
+describe('verifyPathWithinAfterAccess', () => {
+  it('succeeds for path within base', async () => {
+    const child = path.join(tempDir, 'child');
+    await fs.mkdir(child, { recursive: true });
+    const result = await verifyPathWithinAfterAccess(tempDir, child, 'test');
+    expect(result).toBe(await fs.realpath(child));
+  });
+
+  it('throws SymlinkEscapeError for path outside base', async () => {
+    const outside = await fs.mkdtemp(path.join(os.tmpdir(), 'outside-'));
+    try {
+      await expect(
+        verifyPathWithinAfterAccess(tempDir, outside, 'test'),
+      ).rejects.toThrow(SymlinkEscapeError);
+    } finally {
+      await fs.rm(outside, { recursive: true, force: true });
+    }
+  });
+});
+
+// ---------------------------------------------------------------------------
+// verifyNoSymlinkPathComponents
+// ---------------------------------------------------------------------------
+
+describe('verifyNoSymlinkPathComponents', () => {
+  it('succeeds for path with no symlinks', async () => {
+    const child = path.join(tempDir, 'a', 'b');
+    await fs.mkdir(child, { recursive: true });
+    await expect(
+      verifyNoSymlinkPathComponents(tempDir, child, 'test'),
+    ).resolves.not.toThrow();
+  });
+
+  it('throws SymlinkNotAllowedError when path component is symlink', async () => {
+    const realDir = path.join(tempDir, 'real');
+    await fs.mkdir(realDir, { recursive: true });
+    const symlinkDir = path.join(tempDir, 'sym');
+    await fs.symlink(realDir, symlinkDir);
+    const target = path.join(symlinkDir, 'file');
+
+    await expect(
+      verifyNoSymlinkPathComponents(tempDir, target, 'test'),
+    ).rejects.toThrow(SymlinkNotAllowedError);
+  });
+
+  it('succeeds when path does not exist (ENOENT)', async () => {
+    const nonexistent = path.join(tempDir, 'nonexistent', 'deep', 'path');
+    await expect(
+      verifyNoSymlinkPathComponents(tempDir, nonexistent, 'test'),
+    ).resolves.not.toThrow();
+  });
+
+  it('succeeds for base path itself', async () => {
+    await expect(
+      verifyNoSymlinkPathComponents(tempDir, tempDir, 'test'),
+    ).resolves.not.toThrow();
+  });
+});

package/src/__tests__/runtime/secrets.test.ts

@@ -0,0 +1,247 @@
+import { describe, expect, it } from 'vitest';
+import {
+  SecretsSanitizer,
+  mightExposeSecrets,
+  shouldBlockForSecretExposure,
+  createSecretsSanitizer,
+  collectSensitiveEnvValues,
+} from '../../runtime/actions/secrets.js';
+
+// ---------------------------------------------------------------------------
+// SecretsSanitizer
+// ---------------------------------------------------------------------------
+
+describe('SecretsSanitizer', () => {
+  it('sanitizes known secret values', () => {
+    const sanitizer = new SecretsSanitizer();
+    sanitizer.registerSecrets({ API_KEY: 'my-secret-key' });
+
+    expect(sanitizer.sanitize('token is my-secret-key here')).toBe('token is *** here');
+  });
+
+  it('sanitizes multiple secrets', () => {
+    const sanitizer = new SecretsSanitizer();
+    sanitizer.registerSecrets({
+      KEY1: 'secret1',
+      KEY2: 'secret2',
+    });
+
+    expect(sanitizer.sanitize('secret1 and secret2')).toBe('*** and ***');
+  });
+
+  it('handles empty secrets', () => {
+    const sanitizer = new SecretsSanitizer();
+    sanitizer.registerSecrets({});
+    expect(sanitizer.sanitize('no secrets here')).toBe('no secrets here');
+  });
+
+  it('ignores empty string values in secrets', () => {
+    const sanitizer = new SecretsSanitizer();
+    sanitizer.registerSecrets({ EMPTY: '' });
+    expect(sanitizer.sanitize('some text')).toBe('some text');
+  });
+
+  it('returns input unchanged when no secrets registered', () => {
+    const sanitizer = new SecretsSanitizer();
+    expect(sanitizer.sanitize('hello world')).toBe('hello world');
+  });
+
+  it('returns empty string unchanged', () => {
+    const sanitizer = new SecretsSanitizer();
+    sanitizer.registerSecrets({ KEY: 'secret' });
+    expect(sanitizer.sanitize('')).toBe('');
+  });
+
+  it('handles regex special characters in secrets', () => {
+    const sanitizer = new SecretsSanitizer();
+    sanitizer.registerSecrets({ KEY: 'special.chars+and*more' });
+
+    expect(sanitizer.sanitize('has special.chars+and*more in it')).toBe('has *** in it');
+  });
+
+  it('handles multiple occurrences of same secret', () => {
+    const sanitizer = new SecretsSanitizer();
+    sanitizer.registerSecrets({ KEY: 'abc' });
+
+    expect(sanitizer.sanitize('abc abc abc')).toBe('*** *** ***');
+  });
+
+  it('sanitizes logs array', () => {
+    const sanitizer = new SecretsSanitizer();
+    sanitizer.registerSecrets({ KEY: 'secret' });
+
+    const logs = ['line with secret', 'clean line', 'another secret'];
+    const sanitized = sanitizer.sanitizeLogs(logs);
+    expect(sanitized).toEqual(['line with ***', 'clean line', 'another ***']);
+  });
+
+  it('handles long secrets via string replacement fallback', () => {
+    const longSecret = 'a'.repeat(5000);
+    const sanitizer = new SecretsSanitizer();
+    sanitizer.registerSecrets({ KEY: longSecret });
+
+    const text = `prefix ${longSecret} suffix`;
+    expect(sanitizer.sanitize(text)).toBe('prefix *** suffix');
+  });
+
+  it('registerSecretValues adds values', () => {
+    const sanitizer = new SecretsSanitizer();
+    sanitizer.registerSecretValues(['val1', 'val2']);
+
+    expect(sanitizer.sanitize('val1 and val2')).toBe('*** and ***');
+  });
+
+  it('clear removes all secrets', () => {
+    const sanitizer = new SecretsSanitizer();
+    sanitizer.registerSecrets({ KEY: 'secret' });
+    sanitizer.clear();
+
+    expect(sanitizer.sanitize('secret')).toBe('secret');
+  });
+});
+
+// ---------------------------------------------------------------------------
+// createSecretsSanitizer
+// ---------------------------------------------------------------------------
+
+describe('createSecretsSanitizer', () => {
+  it('creates sanitizer with secrets', () => {
+    const sanitizer = createSecretsSanitizer({ KEY: 'value' });
+    expect(sanitizer.sanitize('the value is here')).toBe('the *** is here');
+  });
+
+  it('masks non-empty secrets regardless of length', () => {
+    const sanitizer = createSecretsSanitizer({
+      ONE: 'x',
+      THREE: 'abc',
+      EMPTY: '',
+    });
+
+    expect(sanitizer.sanitize('x abc value')).toBe('*** *** value');
+  });
+
+  it('creates sanitizer with extra values', () => {
+    const sanitizer = createSecretsSanitizer({}, ['extra']);
+    expect(sanitizer.sanitize('extra text')).toBe('*** text');
+  });
+
+  it('creates sanitizer with both secrets and extras', () => {
+    const sanitizer = createSecretsSanitizer({ KEY: 'secret' }, ['extra']);
+    expect(sanitizer.sanitize('secret and extra')).toBe('*** and ***');
+  });
+});
+
+// ---------------------------------------------------------------------------
+// mightExposeSecrets
+// ---------------------------------------------------------------------------
+
+describe('mightExposeSecrets', () => {
+  it('detects bare "env" command', () => {
+    expect(mightExposeSecrets('env')).not.toBeNull();
+    expect(mightExposeSecrets('  env  ')).not.toBeNull();
+  });
+
+  it('detects bare "printenv" command', () => {
+    expect(mightExposeSecrets('printenv')).not.toBeNull();
+  });
+
+  it('detects "export -p"', () => {
+    expect(mightExposeSecrets('export -p')).not.toBeNull();
+  });
+
+  it('returns null for safe commands', () => {
+    expect(mightExposeSecrets('echo hello')).toBeNull();
+    expect(mightExposeSecrets('npm install')).toBeNull();
+  });
+
+  it('returns null for env with arguments', () => {
+    expect(mightExposeSecrets('env VAR=value command')).toBeNull();
+  });
+
+  it('returns null for printenv with arguments', () => {
+    expect(mightExposeSecrets('printenv HOME')).toBeNull();
+  });
+
+  it('skips comment lines', () => {
+    expect(mightExposeSecrets('# env')).toBeNull();
+  });
+
+  it('skips empty lines', () => {
+    expect(mightExposeSecrets('\n\n')).toBeNull();
+  });
+
+  it('detects in multiline command', () => {
+    expect(mightExposeSecrets('echo hello\nenv')).not.toBeNull();
+  });
+});
+
+// ---------------------------------------------------------------------------
+// shouldBlockForSecretExposure
+// ---------------------------------------------------------------------------
+
+describe('shouldBlockForSecretExposure', () => {
+  it('blocks bare env', () => {
+    expect(shouldBlockForSecretExposure('env')).toBe(true);
+  });
+
+  it('does not block safe commands', () => {
+    expect(shouldBlockForSecretExposure('npm test')).toBe(false);
+  });
+});
+
+// ---------------------------------------------------------------------------
+// collectSensitiveEnvValues
+// ---------------------------------------------------------------------------
+
+describe('collectSensitiveEnvValues', () => {
+  it('returns empty array for undefined env', () => {
+    expect(collectSensitiveEnvValues(undefined)).toEqual([]);
+  });
+
+  it('returns empty array for env with no sensitive keys', () => {
+    expect(collectSensitiveEnvValues({ CI: 'true', NODE_ENV: 'test' })).toEqual([]);
+  });
+
+  it('collects TAKOS_TOKEN value', () => {
+    expect(collectSensitiveEnvValues({ TAKOS_TOKEN: 'tok123' })).toEqual(['tok123']);
+  });
+
+  it('collects TAKOS_SESSION_ID value', () => {
+    expect(collectSensitiveEnvValues({ TAKOS_SESSION_ID: 'sess123' })).toEqual(['sess123']);
+  });
+
+  it('collects keys matching SECRET pattern', () => {
+    expect(collectSensitiveEnvValues({ MY_SECRET: 'val' })).toEqual(['val']);
+  });
+
+  it('collects keys matching PASSWORD pattern', () => {
+    expect(collectSensitiveEnvValues({ DB_PASSWORD: 'pass' })).toEqual(['pass']);
+  });
+
+  it('collects keys matching TOKEN pattern', () => {
+    expect(collectSensitiveEnvValues({ API_TOKEN: 'tok' })).toEqual(['tok']);
+  });
+
+  it('collects keys matching API_KEY pattern', () => {
+    expect(collectSensitiveEnvValues({ MY_API_KEY: 'key' })).toEqual(['key']);
+  });
+
+  it('collects keys matching AUTH pattern', () => {
+    expect(collectSensitiveEnvValues({ AUTH_HEADER: 'bearer xyz' })).toEqual(['bearer xyz']);
+  });
+
+  it('skips empty values', () => {
+    expect(collectSensitiveEnvValues({ MY_SECRET: '' })).toEqual([]);
+  });
+
+  it('collects multiple sensitive values', () => {
+    const result = collectSensitiveEnvValues({
+      TAKOS_TOKEN: 'tok',
+      MY_SECRET: 'sec',
+      SAFE_KEY: 'safe',
+    });
+    expect(result).toContain('tok');
+    expect(result).toContain('sec');
+    expect(result).not.toContain('safe');
+  });
+});