hub-note-outline-self-hosted-route.test.mjs
file-level
1
files
1
commits
0
hotspots
0
🧊 dead
0
💥 blast risk
| 1 | /** |
| 2 | * Self-hosted Hub NoteOutline route contract tests. |
| 3 | * |
| 4 | * The local Hub route exposes heading-only NoteOutline metadata without adding |
| 5 | * search, persistence, provider, body, snippet, resource URI, or write-back |
| 6 | * surfaces. |
| 7 | */ |
| 8 | import { describe, it } from 'node:test'; |
| 9 | import assert from 'node:assert/strict'; |
| 10 | import fs from 'fs'; |
| 11 | import path from 'path'; |
| 12 | import { fileURLToPath } from 'url'; |
| 13 | |
| 14 | const __dirname = path.dirname(fileURLToPath(import.meta.url)); |
| 15 | const repoRoot = path.dirname(__dirname); |
| 16 | |
| 17 | function readRepoFile(relativePath) { |
| 18 | return fs.readFileSync(path.join(repoRoot, relativePath), 'utf8'); |
| 19 | } |
| 20 | |
| 21 | function routeSource() { |
| 22 | const src = readRepoFile('hub/server.mjs'); |
| 23 | const start = src.indexOf("app.get('/api/v1/note-outline'"); |
| 24 | // Bound to the note-outline route ONLY: end at the very next route (document-tree). |
| 25 | // Including later sibling routes (e.g. metadata-facets, which legitimately reads |
| 26 | // `note.frontmatter`) would make the body-free assertions below match neighbouring code. |
| 27 | const end = src.indexOf("// GET /api/v1/document-tree", start); |
| 28 | assert.notEqual(start, -1, 'self-hosted note-outline route must exist'); |
| 29 | assert.notEqual(end, -1, 'route must stay before the document-tree route'); |
| 30 | return src.slice(start, end); |
| 31 | } |
| 32 | |
| 33 | describe('self-hosted Hub NoteOutline route', () => { |
| 34 | it('unit: registers the local Hub route behind auth, rate limit, and vault access', () => { |
| 35 | const src = readRepoFile('hub/server.mjs'); |
| 36 | |
| 37 | assert.match(src, /app\.use\('\/api\/v1\/note-outline', jwtAuth, apiLimiter, requireVaultAccess\)/); |
| 38 | assert.match(src, /import \{ buildNoteOutline \} from '\.\.\/lib\/note-outline\.mjs'/); |
| 39 | assert.match(src, /app\.get\('\/api\/v1\/note-outline'/); |
| 40 | }); |
| 41 | |
| 42 | it('integration: reads one vault-relative path through readNote and buildNoteOutline only', () => { |
| 43 | const route = routeSource(); |
| 44 | |
| 45 | assert.match(route, /const requestedPath = typeof req\.query\.path === 'string'/); |
| 46 | assert.match(route, /resolveVaultRelativePath\(req\.vaultPath, requestedPath\)/); |
| 47 | assert.match(route, /buildNoteOutline\(readNote\(req\.vaultPath, requestedPath\)\)/); |
| 48 | assert.doesNotMatch(route, /runSearch|runKeywordSearch|embedWithUsage|completeChat/); |
| 49 | }); |
| 50 | |
| 51 | it('end-to-end: OpenAPI documents the same body-free endpoint', () => { |
| 52 | const api = readRepoFile('docs/openapi.yaml'); |
| 53 | |
| 54 | assert.match(api, /\/note-outline:/); |
| 55 | assert.match(api, /knowtation\.note_outline\/v1/); |
| 56 | assert.match(api, /#\/components\/schemas\/NoteOutline/); |
| 57 | }); |
| 58 | |
| 59 | it('stress: route checks remain bounded to Hub server, parser, and OpenAPI sources', () => { |
| 60 | const started = Date.now(); |
| 61 | const sources = [ |
| 62 | readRepoFile('hub/server.mjs'), |
| 63 | readRepoFile('lib/note-outline.mjs'), |
| 64 | readRepoFile('docs/openapi.yaml'), |
| 65 | ]; |
| 66 | |
| 67 | assert.equal(sources.length, 3); |
| 68 | assert.ok(Date.now() - started < 300); |
| 69 | }); |
| 70 | |
| 71 | it('data-integrity: route does not write, persist, index, vectorize, cache, or sidecar NoteOutline', () => { |
| 72 | const route = routeSource(); |
| 73 | |
| 74 | assert.doesNotMatch(route, /writeNote|deleteNote|localStorage|sessionStorage|index|vector|summary|memory|sidecar/i); |
| 75 | }); |
| 76 | |
| 77 | it('performance: route stays one-note and provider-free', () => { |
| 78 | const route = routeSource(); |
| 79 | |
| 80 | assert.match(route, /buildNoteOutline\(readNote\(req\.vaultPath, requestedPath\)\)/); |
| 81 | assert.doesNotMatch(route, /runListNotes|\/api\/v1\/notes\?|PageIndex|OCR|LLM|provider/i); |
| 82 | }); |
| 83 | |
| 84 | it('security: route sanitizes invalid, missing, forbidden, and upstream errors', () => { |
| 85 | const route = routeSource(); |
| 86 | |
| 87 | assert.match(route, /code: 'INVALID_PATH'/); |
| 88 | assert.match(route, /code: 'FORBIDDEN'/); |
| 89 | assert.match(route, /code: 'NOT_FOUND'/); |
| 90 | assert.match(route, /code: 'UPSTREAM_ERROR'/); |
| 91 | assert.doesNotMatch(route, /res\.json\(\{[\s\S]*body|snippet|frontmatter|raw_canister_payload|provider_payload|mcp_resource_uri/); |
| 92 | }); |
| 93 | }); |