hub-section-source-self-hosted-route.test.mjs
sha256:65ccb454656ea5acdea0a10e559b78bcde1eb6ff753ecc2911bc99d1c3d7cadd
feat(calendar): enforce agent context tiers in retrieval AP…
Human
minor
⚠ breaking
1 day ago
| 1 | /** |
| 2 | * Self-hosted Hub SectionSource route contract tests. |
| 3 | * |
| 4 | * The local Hub UI at localhost:3333 calls the same body-free endpoint as the |
| 5 | * hosted UI. These tests keep that route registered on `hub/server.mjs` without |
| 6 | * adding search, persistence, provider, body, snippet, or write-back surfaces. |
| 7 | */ |
| 8 | import { describe, it } from 'node:test'; |
| 9 | import assert from 'node:assert/strict'; |
| 10 | import fs from 'fs'; |
| 11 | import path from 'path'; |
| 12 | import { fileURLToPath } from 'url'; |
| 13 | |
| 14 | const __dirname = path.dirname(fileURLToPath(import.meta.url)); |
| 15 | const repoRoot = path.dirname(__dirname); |
| 16 | |
| 17 | function readRepoFile(relativePath) { |
| 18 | return fs.readFileSync(path.join(repoRoot, relativePath), 'utf8'); |
| 19 | } |
| 20 | |
| 21 | function routeSource() { |
| 22 | const src = readRepoFile('hub/server.mjs'); |
| 23 | const start = src.indexOf("app.get('/api/v1/section-source'"); |
| 24 | const end = src.indexOf('// GET /api/v1/calendar/timeline', start); |
| 25 | assert.notEqual(start, -1, 'self-hosted section-source route must exist'); |
| 26 | assert.notEqual(end, -1, 'route must stay before the calendar routes'); |
| 27 | return src.slice(start, end); |
| 28 | } |
| 29 | |
| 30 | describe('self-hosted Hub SectionSource route', () => { |
| 31 | it('unit: registers the local Hub route behind auth, rate limit, and vault access', () => { |
| 32 | const src = readRepoFile('hub/server.mjs'); |
| 33 | |
| 34 | assert.match(src, /app\.use\('\/api\/v1\/section-source', jwtAuth, apiLimiter, requireVaultAccess\)/); |
| 35 | assert.match(src, /import \{ readSectionSource \} from '\.\.\/lib\/section-source-note\.mjs'/); |
| 36 | assert.match(src, /app\.get\('\/api\/v1\/section-source'/); |
| 37 | }); |
| 38 | |
| 39 | it('integration: reads one vault-relative path through readSectionSource only', () => { |
| 40 | const route = routeSource(); |
| 41 | |
| 42 | assert.match(route, /const requestedPath = typeof req\.query\.path === 'string'/); |
| 43 | assert.match(route, /resolveVaultRelativePath\(req\.vaultPath, requestedPath\)/); |
| 44 | assert.match(route, /readSectionSource\(req\.vaultPath, requestedPath\)/); |
| 45 | assert.doesNotMatch(route, /runSearch|runKeywordSearch|embedWithUsage|completeChat/); |
| 46 | }); |
| 47 | |
| 48 | it('end-to-end: Hub UI Sections button and local route point at the same endpoint', () => { |
| 49 | const ui = readRepoFile('web/hub/hub.js'); |
| 50 | const route = routeSource(); |
| 51 | |
| 52 | assert.match(ui, /return '\/api\/v1\/section-source\?path=' \+ encodeURIComponent\(path\)/); |
| 53 | assert.match(route, /app\.get\('\/api\/v1\/section-source'/); |
| 54 | }); |
| 55 | |
| 56 | it('stress: route checks remain bounded to Hub server and UI sources', () => { |
| 57 | const started = Date.now(); |
| 58 | const sources = [ |
| 59 | readRepoFile('hub/server.mjs'), |
| 60 | readRepoFile('web/hub/hub.js'), |
| 61 | readRepoFile('lib/section-source-note.mjs'), |
| 62 | ]; |
| 63 | |
| 64 | assert.equal(sources.length, 3); |
| 65 | assert.ok(Date.now() - started < 300); |
| 66 | }); |
| 67 | |
| 68 | it('data-integrity: route does not write, persist, index, vectorize, or cache SectionSource', () => { |
| 69 | const route = routeSource(); |
| 70 | |
| 71 | assert.doesNotMatch(route, /writeNote|deleteNote|localStorage|sessionStorage|index|vector|summary|memory|sidecar/i); |
| 72 | }); |
| 73 | |
| 74 | it('performance: route stays one-note and provider-free', () => { |
| 75 | const route = routeSource(); |
| 76 | |
| 77 | assert.match(route, /readSectionSource\(req\.vaultPath, requestedPath\)/); |
| 78 | assert.doesNotMatch(route, /runListNotes|\/api\/v1\/notes\?|PageIndex|OCR|LLM|provider/i); |
| 79 | }); |
| 80 | |
| 81 | it('security: route sanitizes invalid, missing, forbidden, and upstream errors', () => { |
| 82 | const route = routeSource(); |
| 83 | |
| 84 | assert.match(route, /code: 'INVALID_PATH'/); |
| 85 | assert.match(route, /code: 'FORBIDDEN'/); |
| 86 | assert.match(route, /code: 'NOT_FOUND'/); |
| 87 | assert.match(route, /code: 'UPSTREAM_ERROR'/); |
| 88 | assert.doesNotMatch(route, /res\.json\(\{[\s\S]*body|snippet|frontmatter|raw_canister_payload|provider_payload|mcp_resource_uri/); |
| 89 | }); |
| 90 | }); |
File History
2 commits
sha256:65ccb454656ea5acdea0a10e559b78bcde1eb6ff753ecc2911bc99d1c3d7cadd
feat(calendar): enforce agent context tiers in retrieval AP…
Human
minor
⚠
1 day ago
sha256:9103f98c89257ed2b01c237cea895dabb3e85ea337dccb1161c175e4422355b6
docs: accept Calendar Events v0 spec with Phase 0 security …
Human
1 day ago