vibepulse 0.2.0 → 0.2.1

package/.next/standalone/src/lib/nodeProtocol.test.ts

@@ -0,0 +1,159 @@
+import { describe, expect, it } from 'vitest';
+
+import {
+  NODE_PROTOCOL_VERSION,
+  NODE_PROTOCOL_VERSION_HEADER,
+  NODE_SHARED_TOKEN_ENV_VAR,
+  createNodeFailurePayload,
+  createNodeRequestHeaders,
+  getConfiguredNodeToken,
+  guardNodeRequest,
+} from './nodeProtocol';
+
+describe('createNodeRequestHeaders', () => {
+  it('sets the fixed node protocol version and bearer token', () => {
+    const headers = createNodeRequestHeaders(' shared-secret ', { 'x-extra': 'kept' });
+
+    expect(headers.get(NODE_PROTOCOL_VERSION_HEADER)).toBe(NODE_PROTOCOL_VERSION);
+    expect(headers.get('authorization')).toBe('Bearer shared-secret');
+    expect(headers.get('x-extra')).toBe('kept');
+  });
+
+  it('omits bearer auth when token is blank or missing', () => {
+    const blankTokenHeaders = createNodeRequestHeaders('   ', { 'x-extra': 'kept' });
+    const missingTokenHeaders = createNodeRequestHeaders(undefined, { 'x-extra': 'kept' });
+
+    expect(blankTokenHeaders.get(NODE_PROTOCOL_VERSION_HEADER)).toBe(NODE_PROTOCOL_VERSION);
+    expect(blankTokenHeaders.get('authorization')).toBeNull();
+    expect(missingTokenHeaders.get(NODE_PROTOCOL_VERSION_HEADER)).toBe(NODE_PROTOCOL_VERSION);
+    expect(missingTokenHeaders.get('authorization')).toBeNull();
+    expect(blankTokenHeaders.get('x-extra')).toBe('kept');
+  });
+});
+
+describe('getConfiguredNodeToken', () => {
+  it('reads and trims the shared node token from env', () => {
+    expect(
+      getConfiguredNodeToken({
+        [NODE_SHARED_TOKEN_ENV_VAR]: ' secret-token ',
+      } as unknown as NodeJS.ProcessEnv)
+    ).toBe('secret-token');
+  });
+
+  it('returns null when the shared node token is blank', () => {
+    expect(
+      getConfiguredNodeToken({
+        [NODE_SHARED_TOKEN_ENV_VAR]: '   ',
+      } as unknown as NodeJS.ProcessEnv)
+    ).toBeNull();
+  });
+});
+
+describe('guardNodeRequest', () => {
+  it('accepts authenticated node requests with the required version header', () => {
+    const result = guardNodeRequest(new Request('https://node.test/api/node/health', {
+      headers: createNodeRequestHeaders('secret-token'),
+    }), {
+      runtimeRole: 'node',
+      expectedToken: 'secret-token',
+    });
+
+    expect(result).toEqual({ ok: true });
+  });
+
+  it('fails deterministically when the server is not running in node mode', () => {
+    const result = guardNodeRequest(new Request('https://node.test/api/node/health', {
+      headers: createNodeRequestHeaders('secret-token'),
+    }), {
+      runtimeRole: 'hub',
+      expectedToken: 'secret-token',
+    });
+
+    expect(result).toMatchObject({
+      ok: false,
+      status: 503,
+      body: {
+        ok: false,
+        reason: 'node_misconfigured',
+        degraded: true,
+      },
+    });
+  });
+
+  it('accepts requests without bearer auth when node shared token is missing', () => {
+    const result = guardNodeRequest(new Request('https://node.test/api/node/health', {
+      headers: { [NODE_PROTOCOL_VERSION_HEADER]: NODE_PROTOCOL_VERSION },
+    }), {
+      runtimeRole: 'node',
+      expectedToken: '   ',
+    });
+
+    expect(result).toEqual({ ok: true });
+  });
+
+  it('rejects requests without the required node protocol version', () => {
+    const result = guardNodeRequest(new Request('https://node.test/api/node/health', {
+      headers: { authorization: 'Bearer secret-token' },
+    }), {
+      runtimeRole: 'node',
+      expectedToken: 'secret-token',
+    });
+
+    expect(result).toMatchObject({
+      ok: false,
+      status: 426,
+      body: {
+        ok: false,
+        reason: 'unsupported_node_version',
+      },
+    });
+  });
+
+  it('rejects requests without bearer auth', () => {
+    const result = guardNodeRequest(new Request('https://node.test/api/node/health', {
+      headers: { [NODE_PROTOCOL_VERSION_HEADER]: NODE_PROTOCOL_VERSION },
+    }), {
+      runtimeRole: 'node',
+      expectedToken: 'secret-token',
+    });
+
+    expect(result).toMatchObject({
+      ok: false,
+      status: 401,
+      body: {
+        ok: false,
+        reason: 'unauthorized',
+      },
+    });
+  });
+
+  it('rejects requests with the wrong bearer token', () => {
+    const result = guardNodeRequest(new Request('https://node.test/api/node/health', {
+      headers: createNodeRequestHeaders('wrong-token'),
+    }), {
+      runtimeRole: 'node',
+      expectedToken: 'secret-token',
+    });
+
+    expect(result).toMatchObject({
+      ok: false,
+      status: 401,
+      body: {
+        ok: false,
+        reason: 'unauthorized',
+      },
+    });
+  });
+});
+
+describe('createNodeFailurePayload', () => {
+  it('marks upstream failures as degraded and preserves extra fields', () => {
+    expect(createNodeFailurePayload('upstream_timeout', { upstream: { reachable: false } })).toEqual({
+      ok: false,
+      reason: 'upstream_timeout',
+      protocolVersion: NODE_PROTOCOL_VERSION,
+      degraded: true,
+      upstream: { reachable: false },
+    });
+  });
+});

package/.next/standalone/src/lib/nodeProtocol.ts

@@ -0,0 +1,142 @@
+import { RUNTIME_ROLE_ENV_VAR } from '@/lib/runtimeMode';
+
+export const NODE_PROTOCOL_VERSION_HEADER = 'x-vibepulse-node-version';
+export const NODE_PROTOCOL_VERSION = '1';
+export const NODE_SHARED_TOKEN_ENV_VAR = 'VIBEPULSE_NODE_TOKEN';
+
+export type NodeFailureReason =
+  | 'unauthorized'
+  | 'unsupported_node_version'
+  | 'node_misconfigured'
+  | 'upstream_unreachable'
+  | 'upstream_timeout';
+
+export interface NodeFailurePayload {
+  ok: false;
+  reason: NodeFailureReason;
+  protocolVersion: typeof NODE_PROTOCOL_VERSION;
+  degraded?: boolean;
+  [key: string]: unknown;
+}
+
+export type NodeRequestGuardFailure = {
+  ok: false;
+  status: number;
+  body: NodeFailurePayload;
+};
+
+export type NodeRequestGuardResult =
+  | { ok: true }
+  | NodeRequestGuardFailure;
+
+export interface NodeRequestGuardOptions {
+  runtimeRole?: string | undefined;
+  expectedToken?: string | undefined;
+  env?: NodeJS.ProcessEnv;
+}
+
+const NODE_FAILURE_STATUS: Record<NodeFailureReason, number> = {
+  unauthorized: 401,
+  unsupported_node_version: 426,
+  node_misconfigured: 503,
+  upstream_unreachable: 503,
+  upstream_timeout: 504,
+};
+
+function trimToNull(value: string | null | undefined): string | null {
+  if (typeof value !== 'string') {
+    return null;
+  }
+
+  const trimmed = value.trim();
+  return trimmed ? trimmed : null;
+}
+
+function readBearerToken(authorizationHeader: string | null): string | null {
+  const match = authorizationHeader?.match(/^Bearer\s+(.+)$/i);
+  return trimToNull(match?.[1]);
+}
+
+function isDegradedReason(reason: NodeFailureReason): boolean {
+  return reason === 'node_misconfigured' || reason === 'upstream_unreachable' || reason === 'upstream_timeout';
+}
+
+export function getConfiguredNodeToken(env: NodeJS.ProcessEnv = process.env): string | null {
+  return trimToNull(env[NODE_SHARED_TOKEN_ENV_VAR]);
+}
+
+export function createNodeRequestHeaders(token?: string | null, headers?: HeadersInit): Headers {
+  const requestHeaders = new Headers(headers);
+  requestHeaders.set(NODE_PROTOCOL_VERSION_HEADER, NODE_PROTOCOL_VERSION);
+
+  const trimmedToken = trimToNull(token ?? null);
+  if (trimmedToken) {
+    requestHeaders.set('authorization', `Bearer ${trimmedToken}`);
+  }
+
+  return requestHeaders;
+}
+
+export function createNodeFailurePayload(
+  reason: NodeFailureReason,
+  extras?: Record<string, unknown>
+): NodeFailurePayload {
+  return {
+    ok: false,
+    reason,
+    protocolVersion: NODE_PROTOCOL_VERSION,
+    ...(isDegradedReason(reason) ? { degraded: true } : {}),
+    ...(extras ?? {}),
+  };
+}
+
+export function createNodeFailureResponse(
+  reason: NodeFailureReason,
+  extras?: Record<string, unknown>
+): Response {
+  return Response.json(createNodeFailurePayload(reason, extras), {
+    status: NODE_FAILURE_STATUS[reason],
+  });
+}
+
+export function toNodeRequestGuardResponse(failure: NodeRequestGuardFailure): Response {
+  return Response.json(failure.body, { status: failure.status });
+}
+
+export function guardNodeRequest(
+  request: Request,
+  options: NodeRequestGuardOptions = {}
+): NodeRequestGuardResult {
+  const runtimeRole = options.runtimeRole ?? options.env?.[RUNTIME_ROLE_ENV_VAR] ?? process.env[RUNTIME_ROLE_ENV_VAR];
+  if (runtimeRole !== 'node') {
+    return {
+      ok: false,
+      status: NODE_FAILURE_STATUS.node_misconfigured,
+      body: createNodeFailurePayload('node_misconfigured'),
+    };
+  }
+
+  const expectedToken = trimToNull(options.expectedToken) ?? getConfiguredNodeToken(options.env ?? process.env);
+
+  const version = request.headers.get(NODE_PROTOCOL_VERSION_HEADER);
+  if (version !== NODE_PROTOCOL_VERSION) {
+    return {
+      ok: false,
+      status: NODE_FAILURE_STATUS.unsupported_node_version,
+      body: createNodeFailurePayload('unsupported_node_version'),
+    };
+  }
+
+  if (expectedToken) {
+    const presentedToken = readBearerToken(request.headers.get('authorization'));
+    if (!presentedToken || presentedToken !== expectedToken) {
+      return {
+        ok: false,
+        status: NODE_FAILURE_STATUS.unauthorized,
+        body: createNodeFailurePayload('unauthorized'),
+      };
+    }
+  }
+
+  return { ok: true };
+}

package/.next/standalone/src/lib/nodeRegistry.test.ts

@@ -0,0 +1,173 @@
+import { afterEach, beforeEach, describe, expect, it, vi } from 'vitest';
+import { mkdtemp, readFile, rm } from 'fs/promises';
+import { tmpdir } from 'os';
+import { join } from 'path';
+import { parse } from 'comment-json';
+
+describe('nodeRegistry', () => {
+  let testHomeDir: string;
+  let originalHome: string | undefined;
+  let registry: typeof import('./nodeRegistry');
+
+  beforeEach(async () => {
+    vi.resetModules();
+    testHomeDir = await mkdtemp(join(tmpdir(), 'vibepulse-node-registry-'));
+    originalHome = process.env.HOME;
+    process.env.HOME = testHomeDir;
+    registry = await import('./nodeRegistry');
+  });
+
+  afterEach(async () => {
+    process.env.HOME = originalHome;
+    await rm(testHomeDir, { recursive: true, force: true });
+  });
+
+  it('persists full node records server-side and returns sanitized records', async () => {
+    const created = await registry.createNode({
+      nodeLabel: 'US-East Node',
+      baseUrl: 'https://node-a.example.com/',
+      token: 'secret-token',
+      enabled: true,
+    });
+
+    expect(created).toMatchObject({
+      nodeLabel: 'US-East Node',
+      baseUrl: 'https://node-a.example.com',
+      enabled: true,
+      tokenConfigured: true,
+    });
+    expect('token' in created).toBe(false);
+
+    const list = await registry.listNodes();
+    expect(list).toHaveLength(1);
+    expect('token' in list[0]).toBe(false);
+
+    const persistedRaw = parse(
+      await readFile(registry.NODE_REGISTRY_PATH, 'utf-8'),
+      null,
+      false
+    ) as unknown as {
+      nodes: Array<{ token: string }>;
+    };
+    expect(persistedRaw.nodes[0].token).toBe('secret-token');
+  });
+
+  it('allows creating node records without a token and marks tokenConfigured false', async () => {
+    const created = await registry.createNode({
+      nodeLabel: 'Tokenless Node',
+      baseUrl: 'https://tokenless.example.com/',
+      enabled: true,
+    });
+
+    expect(created).toMatchObject({
+      nodeLabel: 'Tokenless Node',
+      baseUrl: 'https://tokenless.example.com',
+      enabled: true,
+      tokenConfigured: false,
+    });
+
+    const persistedRaw = parse(
+      await readFile(registry.NODE_REGISTRY_PATH, 'utf-8'),
+      null,
+      false
+    ) as unknown as {
+      nodes: Array<{ token: string }>;
+    };
+    expect(persistedRaw.nodes[0].token).toBe('');
+  });
+
+  it('rejects duplicate normalized baseUrl values', async () => {
+    await registry.createNode({
+      nodeLabel: 'Node A',
+      baseUrl: 'https://dup.example.com',
+      token: 'token-a',
+      enabled: true,
+    });
+
+    try {
+      await registry.createNode({
+        nodeLabel: 'Node B',
+        baseUrl: 'https://dup.example.com/',
+        token: 'token-b',
+        enabled: true,
+      });
+      throw new Error('Expected duplicate_base_url error');
+    } catch (error) {
+      expect(error).toMatchObject({ code: 'duplicate_base_url' });
+    }
+  });
+
+  it('rejects malformed URLs and credentialed URLs', async () => {
+    try {
+      await registry.createNode({
+        nodeLabel: 'Bad URL Node',
+        baseUrl: 'not-a-url',
+        token: 'token',
+        enabled: true,
+      });
+      throw new Error('Expected invalid_base_url error for malformed URL');
+    } catch (error) {
+      expect(error).toMatchObject({ code: 'invalid_base_url' });
+    }
+
+    try {
+      await registry.createNode({
+        nodeLabel: 'Credential URL Node',
+        baseUrl: 'https://user:pass@secret.example.com',
+        token: 'token',
+        enabled: true,
+      });
+      throw new Error('Expected invalid_base_url error for credentialed URL');
+    } catch (error) {
+      expect(error).toMatchObject({ code: 'invalid_base_url' });
+    }
+  });
+
+  it('strips query and hash fragments from normalized baseUrl values', async () => {
+    const created = await registry.createNode({
+      nodeLabel: 'Query Node',
+      baseUrl: 'https://query.example.com/base/path/?tenant=acme#frag',
+      token: 'token',
+      enabled: true,
+    });
+
+    expect(created.baseUrl).toBe('https://query.example.com/base/path');
+
+    const list = await registry.listNodes();
+    expect(list).toHaveLength(1);
+    expect(list[0].baseUrl).toBe('https://query.example.com/base/path');
+  });
+
+  it('updates, toggles, and deletes nodes', async () => {
+    const created = await registry.createNode({
+      nodeLabel: 'Mutable Node',
+      baseUrl: 'https://mutable.example.com',
+      token: 'token-1',
+      enabled: true,
+    });
+
+    const updated = await registry.updateNode(created.nodeId, {
+      nodeLabel: 'Mutable Node Updated',
+      baseUrl: 'https://mutable-updated.example.com/',
+      token: 'token-2',
+      enabled: false,
+    });
+
+    expect(updated).toMatchObject({
+      nodeId: created.nodeId,
+      nodeLabel: 'Mutable Node Updated',
+      baseUrl: 'https://mutable-updated.example.com',
+      enabled: false,
+      tokenConfigured: true,
+    });
+
+    const toggled = await registry.toggleNode(created.nodeId);
+    expect(toggled.enabled).toBe(true);
+
+    const deleted = await registry.deleteNode(created.nodeId);
+    expect(deleted).toBe(true);
+
+    const list = await registry.listNodes();
+    expect(list).toEqual([]);
+  });
+});