forked from farhoodlabs/paperclip
Dotta
778e775c35
## Thinking Path > - Paperclip orchestrates AI-agent companies and needs secrets handling to work across local development, hosted operators, and governed agent execution. > - The affected subsystem is the company-scoped secrets control plane: database schema, server services/routes, CLI workflows, and the Secrets settings UI. > - The gap was that secrets were local-only and operators could not manage provider vaults or import existing remote references without exposing plaintext. > - This branch adds provider vault configuration plus an AWS Secrets Manager remote-import path while preserving company boundaries, binding context, and audit trails. > - I kept the PR to a single branch PR, removed unrelated lockfile/package drift, rebased the full branch onto the current `public-gh/master`, and addressed fresh Greptile findings. > - The benefit is a reviewable implementation of provider-backed secrets with focused tests covering provider selection, import conflicts, deleted secret reuse, rotation guards, and AWS signing behavior. ## What Changed - Added provider vault support for company secrets, including provider config storage, default vault handling, health checks, binding usage, access events, and remote import preview/commit. - Added an AWS Secrets Manager provider using SigV4 request signing, bounded request timeouts, namespace guardrails, cached runtime credential resolution, and external-reference linking without plaintext reads. - Added Secrets UI surfaces for vault management and remote import, plus CLI/API documentation for setup and operations. - Stabilized routine webhook secret binding paths and SSH environment-driver fixture bindings discovered during verification. - Addressed Greptile and CI findings: no lockfile/package drift, monotonic migration metadata, disabled-vault default races, soft-deleted secret hiding/recreate behavior, remove behavior with disabled vaults, soft-deleted external-reference re-import, non-active rotation guards, managed-secret soft deletion through PATCH, and per-call AWS SDK credential client churn. - Rebased this branch onto `public-gh/master` at `0e1a5828` and force-pushed with lease to keep this as the single PR for the branch. ## Verification - `git fetch public-gh master` - `git rebase public-gh/master` - `git diff --name-only public-gh/master...HEAD | grep '^pnpm-lock\.yaml$' || true` confirmed `pnpm-lock.yaml` is not in the PR diff. - Confirmed migration ordering: master ends at `0081_optimal_dormammu`; this PR adds `0082_dry_vision` and `0083_company_secret_provider_configs`. - Inspected migrations for repeat safety: new tables/indexes use `IF NOT EXISTS`; foreign keys are guarded by `DO $$ ... IF NOT EXISTS`; column additions use `ADD COLUMN IF NOT EXISTS`. - `pnpm -r typecheck` passed before the Greptile follow-up commits. - `pnpm test:run` ran the full stable Vitest path before the Greptile follow-up commits; it completed with 3 timing-related failures under parallel load: `codex-local-execute.test.ts`, `cursor-local-execute.test.ts`, and `environment-service.test.ts`. - `pnpm --filter @paperclipai/server exec vitest run src/__tests__/codex-local-execute.test.ts src/__tests__/cursor-local-execute.test.ts src/__tests__/environment-service.test.ts` passed on targeted rerun (`24/24`). - `pnpm build` passed before the Greptile follow-up commits. Vite reported existing chunk-size/dynamic-import warnings. - After Greptile follow-up commits: `pnpm --filter @paperclipai/server exec vitest run src/__tests__/secrets-service.test.ts` passed (`26/26`). - After Greptile follow-up commits: `pnpm --filter @paperclipai/server exec vitest run src/__tests__/aws-secrets-manager-provider.test.ts src/__tests__/secrets-service.test.ts` passed (`39/39`). - After Greptile follow-up commits: `pnpm --filter @paperclipai/server typecheck` passed. - Captured Storybook screenshots from `ui/storybook-static` for visual review. - Latest PR checks on `5ca3a5cf`: `policy`, serialized server suites 1/4-4/4, `Canary Dry Run`, `e2e`, `security/snyk`, and `Greptile Review` pass; aggregate `verify` is still registering the completed child checks. - Greptile review loop continued through the latest requested pass; all Greptile review threads are resolved and the latest `Greptile Review` check on `5ca3a5cf` passed with 0 comments added. ## Screenshots Before: the provider-vault and remote-import surfaces did not exist on `master`; these are after-state screenshots from the Storybook fixtures.    ## Risks - Migration risk: this adds new secret provider tables and extends existing secret rows. The migrations were checked for monotonic ordering and idempotent guards, but reviewers should still inspect upgrade behavior carefully. - Provider risk: AWS support uses direct SigV4 requests. Automated tests cover signing, request timeouts, vault-config selection, namespace guardrails, pending-version archival, sanitized provider errors, and service-level cleanup paths. A real-vault AWS smoke test remains deployment validation for an operator with AWS credentials rather than an unverified merge blocker in this local branch. - UI risk: the Secrets page and import dialog are large new surfaces; screenshots are included above for reviewer inspection. - Verification risk: the full local stable test command hit parallel-load timing failures, although the exact failed files passed when rerun directly. - Operational risk: remote import intentionally avoids plaintext reads; operators must understand that imported external references resolve at runtime and may fail if AWS permissions change. > For core feature work, check [`ROADMAP.md`](ROADMAP.md) first and discuss it in `#dev` before opening the PR. Feature PRs that overlap with planned core work may need to be redirected — check the roadmap first. See `CONTRIBUTING.md`. ## Model Used - OpenAI Codex, GPT-5 coding agent with local shell/tool use in the Paperclip worktree. Exact context-window size was not exposed by the runtime. ## Checklist - [x] I have included a thinking path that traces from project context to this change - [x] I have specified the model used (with version and capability details) - [x] I have checked ROADMAP.md and confirmed this PR does not duplicate planned core work - [ ] I have run tests locally and they pass - [x] I have added or updated tests where applicable - [x] If this change affects the UI, I have included before/after screenshots - [x] I have updated relevant documentation to reflect my changes - [x] I have considered and documented any risks above - [x] I will address all Greptile and reviewer comments before requesting merge --------- Co-authored-by: Paperclip <noreply@paperclip.ing> Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
1374 lines
41 KiB
TypeScript
1374 lines
41 KiB
TypeScript
import type { Server } from "node:http";
|
|
import express from "express";
|
|
import request from "supertest";
|
|
import { afterAll, beforeEach, describe, expect, it, vi } from "vitest";
|
|
import { environmentRoutes } from "../routes/environments.js";
|
|
import { errorHandler } from "../middleware/index.js";
|
|
|
|
const mockAccessService = vi.hoisted(() => ({
|
|
canUser: vi.fn(),
|
|
hasPermission: vi.fn(),
|
|
}));
|
|
|
|
const mockAgentService = vi.hoisted(() => ({
|
|
getById: vi.fn(),
|
|
}));
|
|
|
|
const mockIssueService = vi.hoisted(() => ({
|
|
getById: vi.fn(),
|
|
}));
|
|
|
|
const mockProjectService = vi.hoisted(() => ({
|
|
getById: vi.fn(),
|
|
}));
|
|
|
|
const mockEnvironmentService = vi.hoisted(() => ({
|
|
list: vi.fn(),
|
|
getById: vi.fn(),
|
|
create: vi.fn(),
|
|
update: vi.fn(),
|
|
listLeases: vi.fn(),
|
|
getLeaseById: vi.fn(),
|
|
}));
|
|
|
|
const mockLogActivity = vi.hoisted(() => vi.fn());
|
|
const mockProbeEnvironment = vi.hoisted(() => vi.fn());
|
|
const mockSecretService = vi.hoisted(() => ({
|
|
create: vi.fn(),
|
|
resolveSecretValue: vi.fn(),
|
|
syncSecretRefsForTarget: vi.fn(),
|
|
remove: vi.fn(),
|
|
}));
|
|
const mockValidatePluginEnvironmentDriverConfig = vi.hoisted(() => vi.fn());
|
|
const mockValidatePluginSandboxProviderConfig = vi.hoisted(() => vi.fn());
|
|
const mockListReadyPluginEnvironmentDrivers = vi.hoisted(() => vi.fn());
|
|
const mockResolvePluginSandboxProviderDriverByKey = vi.hoisted(() => vi.fn());
|
|
const mockExecutionWorkspaceService = vi.hoisted(() => ({}));
|
|
|
|
vi.mock("../services/index.js", () => ({
|
|
accessService: () => mockAccessService,
|
|
agentService: () => mockAgentService,
|
|
issueService: () => mockIssueService,
|
|
environmentService: () => mockEnvironmentService,
|
|
logActivity: mockLogActivity,
|
|
projectService: () => mockProjectService,
|
|
}));
|
|
|
|
vi.mock("../services/environment-probe.js", () => ({
|
|
probeEnvironment: mockProbeEnvironment,
|
|
}));
|
|
|
|
vi.mock("../services/secrets.js", () => ({
|
|
secretService: () => mockSecretService,
|
|
}));
|
|
|
|
vi.mock("../services/environments.js", () => ({
|
|
environmentService: () => mockEnvironmentService,
|
|
}));
|
|
|
|
vi.mock("../services/execution-workspaces.js", () => ({
|
|
executionWorkspaceService: () => mockExecutionWorkspaceService,
|
|
}));
|
|
|
|
vi.mock("../services/plugin-environment-driver.js", () => ({
|
|
listReadyPluginEnvironmentDrivers: mockListReadyPluginEnvironmentDrivers,
|
|
resolvePluginSandboxProviderDriverByKey: mockResolvePluginSandboxProviderDriverByKey,
|
|
validatePluginEnvironmentDriverConfig: mockValidatePluginEnvironmentDriverConfig,
|
|
validatePluginSandboxProviderConfig: mockValidatePluginSandboxProviderConfig,
|
|
}));
|
|
|
|
function createEnvironment() {
|
|
const now = new Date("2026-04-16T05:00:00.000Z");
|
|
return {
|
|
id: "env-1",
|
|
companyId: "company-1",
|
|
name: "Local",
|
|
description: "Current development machine",
|
|
driver: "local",
|
|
status: "active" as const,
|
|
config: { shell: "zsh" },
|
|
metadata: { source: "manual" },
|
|
createdAt: now,
|
|
updatedAt: now,
|
|
};
|
|
}
|
|
|
|
let server: Server | null = null;
|
|
let currentActor: Record<string, unknown> = {
|
|
type: "board",
|
|
userId: "user-1",
|
|
source: "local_implicit",
|
|
};
|
|
const routeOptions: Record<string, unknown> = {};
|
|
const originalSecretsProviderEnv = process.env.PAPERCLIP_SECRETS_PROVIDER;
|
|
|
|
function createApp(actor: Record<string, unknown>, options: Record<string, unknown> = {}) {
|
|
currentActor = actor;
|
|
for (const key of Object.keys(routeOptions)) {
|
|
delete routeOptions[key];
|
|
}
|
|
Object.assign(routeOptions, options);
|
|
if (server) return server;
|
|
|
|
const app = express();
|
|
app.use(express.json());
|
|
app.use((req, _res, next) => {
|
|
(req as any).actor = currentActor;
|
|
next();
|
|
});
|
|
app.use("/api", environmentRoutes({} as any, routeOptions as any));
|
|
app.use(errorHandler);
|
|
server = app.listen(0);
|
|
return server;
|
|
}
|
|
|
|
describe("environment routes", () => {
|
|
afterAll(async () => {
|
|
if (originalSecretsProviderEnv === undefined) {
|
|
delete process.env.PAPERCLIP_SECRETS_PROVIDER;
|
|
} else {
|
|
process.env.PAPERCLIP_SECRETS_PROVIDER = originalSecretsProviderEnv;
|
|
}
|
|
if (!server) return;
|
|
await new Promise<void>((resolve, reject) => {
|
|
server?.close((err) => {
|
|
if (err) reject(err);
|
|
else resolve();
|
|
});
|
|
});
|
|
server = null;
|
|
});
|
|
|
|
beforeEach(() => {
|
|
mockAccessService.canUser.mockReset();
|
|
mockAccessService.hasPermission.mockReset();
|
|
mockAgentService.getById.mockReset();
|
|
mockIssueService.getById.mockReset();
|
|
mockProjectService.getById.mockReset();
|
|
mockEnvironmentService.list.mockReset();
|
|
mockEnvironmentService.getById.mockReset();
|
|
mockEnvironmentService.create.mockReset();
|
|
mockEnvironmentService.update.mockReset();
|
|
mockEnvironmentService.listLeases.mockReset();
|
|
mockEnvironmentService.getLeaseById.mockReset();
|
|
mockLogActivity.mockReset();
|
|
mockProbeEnvironment.mockReset();
|
|
mockSecretService.create.mockReset();
|
|
mockSecretService.resolveSecretValue.mockReset();
|
|
mockSecretService.syncSecretRefsForTarget.mockReset();
|
|
mockSecretService.remove.mockReset();
|
|
mockSecretService.create.mockResolvedValue({
|
|
id: "11111111-1111-1111-1111-111111111111",
|
|
});
|
|
mockSecretService.syncSecretRefsForTarget.mockResolvedValue([]);
|
|
mockSecretService.remove.mockResolvedValue(null);
|
|
delete process.env.PAPERCLIP_SECRETS_PROVIDER;
|
|
mockValidatePluginEnvironmentDriverConfig.mockReset();
|
|
mockValidatePluginEnvironmentDriverConfig.mockImplementation(async ({ config }) => config);
|
|
mockValidatePluginSandboxProviderConfig.mockReset();
|
|
mockValidatePluginSandboxProviderConfig.mockImplementation(async ({ provider, config }) => ({
|
|
normalizedConfig: config,
|
|
pluginId: `plugin-${provider}`,
|
|
pluginKey: `plugin.${provider}`,
|
|
driver: {
|
|
driverKey: provider,
|
|
kind: "sandbox_provider",
|
|
displayName: provider,
|
|
configSchema: { type: "object" },
|
|
},
|
|
}));
|
|
mockResolvePluginSandboxProviderDriverByKey.mockReset();
|
|
mockResolvePluginSandboxProviderDriverByKey.mockImplementation(async ({ driverKey }) => (
|
|
driverKey === "secure-plugin"
|
|
? {
|
|
pluginId: "plugin-secure",
|
|
pluginKey: "acme.secure-sandbox-provider",
|
|
driver: {
|
|
driverKey: "secure-plugin",
|
|
kind: "sandbox_provider",
|
|
displayName: "Secure Sandbox",
|
|
configSchema: {
|
|
type: "object",
|
|
properties: {
|
|
template: { type: "string" },
|
|
apiKey: { type: "string", format: "secret-ref" },
|
|
timeoutMs: { type: "number" },
|
|
reuseLease: { type: "boolean" },
|
|
},
|
|
},
|
|
},
|
|
}
|
|
: null
|
|
));
|
|
mockListReadyPluginEnvironmentDrivers.mockReset();
|
|
mockListReadyPluginEnvironmentDrivers.mockResolvedValue([]);
|
|
});
|
|
|
|
it("lists company-scoped environments", async () => {
|
|
mockEnvironmentService.list.mockResolvedValue([createEnvironment()]);
|
|
const app = createApp({
|
|
type: "board",
|
|
userId: "user-1",
|
|
source: "local_implicit",
|
|
});
|
|
|
|
const res = await request(app).get("/api/companies/company-1/environments?driver=local");
|
|
|
|
expect(res.status).toBe(200);
|
|
expect(res.body).toHaveLength(1);
|
|
expect(mockEnvironmentService.list).toHaveBeenCalledWith("company-1", {
|
|
status: undefined,
|
|
driver: "local",
|
|
});
|
|
});
|
|
|
|
it("returns provider capabilities for the company", async () => {
|
|
const app = createApp({
|
|
type: "board",
|
|
userId: "user-1",
|
|
source: "local_implicit",
|
|
});
|
|
|
|
const res = await request(app).get("/api/companies/company-1/environments/capabilities");
|
|
|
|
expect(res.status).toBe(200);
|
|
expect(res.body.drivers.ssh).toBe("supported");
|
|
expect(res.body.sandboxProviders.fake.supportsRunExecution).toBe(false);
|
|
expect(res.body.sandboxProviders).not.toHaveProperty("fake-plugin");
|
|
});
|
|
|
|
it("returns installed plugin-backed sandbox capabilities for environment creation", async () => {
|
|
mockListReadyPluginEnvironmentDrivers.mockResolvedValue([
|
|
{
|
|
pluginId: "plugin-1",
|
|
pluginKey: "acme.secure-sandbox-provider",
|
|
driverKey: "secure-plugin",
|
|
displayName: "Secure Sandbox",
|
|
description: "Provisions schema-driven cloud sandboxes.",
|
|
configSchema: {
|
|
type: "object",
|
|
properties: {
|
|
template: { type: "string" },
|
|
apiKey: { type: "string", format: "secret-ref" },
|
|
},
|
|
},
|
|
},
|
|
]);
|
|
const app = createApp({
|
|
type: "board",
|
|
userId: "user-1",
|
|
source: "local_implicit",
|
|
});
|
|
|
|
const res = await request(app).get("/api/companies/company-1/environments/capabilities");
|
|
|
|
expect(res.status).toBe(200);
|
|
expect(res.body.sandboxProviders["secure-plugin"]).toMatchObject({
|
|
status: "supported",
|
|
supportsRunExecution: true,
|
|
supportsReusableLeases: true,
|
|
displayName: "Secure Sandbox",
|
|
source: "plugin",
|
|
pluginKey: "acme.secure-sandbox-provider",
|
|
pluginId: "plugin-1",
|
|
configSchema: {
|
|
type: "object",
|
|
properties: {
|
|
template: { type: "string" },
|
|
apiKey: { type: "string", format: "secret-ref" },
|
|
},
|
|
},
|
|
});
|
|
expect(res.body.adapters.find((row: any) => row.adapterType === "codex_local").sandboxProviders["secure-plugin"])
|
|
.toBe("supported");
|
|
});
|
|
|
|
it("redacts config and metadata for unprivileged agent list reads", async () => {
|
|
mockEnvironmentService.list.mockResolvedValue([createEnvironment()]);
|
|
mockAgentService.getById.mockResolvedValue({
|
|
id: "agent-1",
|
|
companyId: "company-1",
|
|
role: "engineer",
|
|
permissions: { canCreateAgents: false },
|
|
});
|
|
mockAccessService.hasPermission.mockResolvedValue(false);
|
|
const app = createApp({
|
|
type: "agent",
|
|
agentId: "agent-1",
|
|
companyId: "company-1",
|
|
source: "agent_key",
|
|
runId: "run-1",
|
|
});
|
|
|
|
const res = await request(app).get("/api/companies/company-1/environments");
|
|
|
|
expect(res.status).toBe(200);
|
|
expect(res.body).toEqual([
|
|
expect.objectContaining({
|
|
id: "env-1",
|
|
config: {},
|
|
metadata: null,
|
|
configRedacted: true,
|
|
metadataRedacted: true,
|
|
}),
|
|
]);
|
|
});
|
|
|
|
it("returns full config for privileged environment readers", async () => {
|
|
mockEnvironmentService.getById.mockResolvedValue(createEnvironment());
|
|
mockAgentService.getById.mockResolvedValue({
|
|
id: "agent-1",
|
|
companyId: "company-1",
|
|
role: "cto",
|
|
permissions: { canCreateAgents: true },
|
|
});
|
|
mockAccessService.hasPermission.mockResolvedValue(false);
|
|
const app = createApp({
|
|
type: "agent",
|
|
agentId: "agent-1",
|
|
companyId: "company-1",
|
|
source: "agent_key",
|
|
runId: "run-1",
|
|
});
|
|
|
|
const res = await request(app).get("/api/environments/env-1");
|
|
|
|
expect(res.status).toBe(200);
|
|
expect(res.body.config).toEqual({ shell: "zsh" });
|
|
expect(res.body.metadata).toEqual({ source: "manual" });
|
|
expect(res.body.configRedacted).toBeUndefined();
|
|
});
|
|
|
|
it("redacts config and metadata for unprivileged agent detail reads", async () => {
|
|
mockEnvironmentService.getById.mockResolvedValue(createEnvironment());
|
|
mockAgentService.getById.mockResolvedValue({
|
|
id: "agent-1",
|
|
companyId: "company-1",
|
|
role: "engineer",
|
|
permissions: { canCreateAgents: false },
|
|
});
|
|
mockAccessService.hasPermission.mockResolvedValue(false);
|
|
const app = createApp({
|
|
type: "agent",
|
|
agentId: "agent-1",
|
|
companyId: "company-1",
|
|
source: "agent_key",
|
|
runId: "run-1",
|
|
});
|
|
|
|
const res = await request(app).get("/api/environments/env-1");
|
|
|
|
expect(res.status).toBe(200);
|
|
expect(res.body).toEqual(
|
|
expect.objectContaining({
|
|
id: "env-1",
|
|
config: {},
|
|
metadata: null,
|
|
configRedacted: true,
|
|
metadataRedacted: true,
|
|
}),
|
|
);
|
|
});
|
|
|
|
it("creates an environment and logs activity", async () => {
|
|
const environment = createEnvironment();
|
|
mockAgentService.getById.mockResolvedValue({
|
|
id: "agent-1",
|
|
companyId: "company-1",
|
|
role: "cto",
|
|
permissions: { canCreateAgents: true },
|
|
});
|
|
mockAccessService.hasPermission.mockResolvedValue(false);
|
|
mockEnvironmentService.create.mockResolvedValue(environment);
|
|
const app = createApp({
|
|
type: "agent",
|
|
agentId: "agent-1",
|
|
companyId: "company-1",
|
|
source: "agent_key",
|
|
runId: "run-1",
|
|
});
|
|
|
|
const res = await request(app)
|
|
.post("/api/companies/company-1/environments")
|
|
.send({
|
|
name: "Local",
|
|
driver: "local",
|
|
description: "Current development machine",
|
|
config: { shell: "zsh" },
|
|
});
|
|
|
|
expect(res.status).toBe(201);
|
|
expect(mockEnvironmentService.create).toHaveBeenCalledWith("company-1", {
|
|
name: "Local",
|
|
driver: "local",
|
|
description: "Current development machine",
|
|
status: "active",
|
|
config: { shell: "zsh" },
|
|
});
|
|
expect(mockLogActivity).toHaveBeenCalledWith(
|
|
expect.anything(),
|
|
expect.objectContaining({
|
|
companyId: "company-1",
|
|
actorType: "agent",
|
|
actorId: "agent-1",
|
|
agentId: "agent-1",
|
|
runId: "run-1",
|
|
action: "environment.created",
|
|
entityType: "environment",
|
|
entityId: environment.id,
|
|
}),
|
|
);
|
|
});
|
|
|
|
it("allows non-admin board users with environments:manage to create environments", async () => {
|
|
const environment = createEnvironment();
|
|
mockAccessService.canUser.mockResolvedValue(true);
|
|
mockEnvironmentService.create.mockResolvedValue(environment);
|
|
const app = createApp({
|
|
type: "board",
|
|
userId: "user-1",
|
|
source: "session",
|
|
companyIds: ["company-1"],
|
|
isInstanceAdmin: false,
|
|
});
|
|
|
|
const res = await request(app)
|
|
.post("/api/companies/company-1/environments")
|
|
.send({
|
|
name: "Local",
|
|
driver: "local",
|
|
config: {},
|
|
});
|
|
|
|
expect(res.status).toBe(201);
|
|
expect(mockAccessService.canUser).toHaveBeenCalledWith(
|
|
"company-1",
|
|
"user-1",
|
|
"environments:manage",
|
|
);
|
|
});
|
|
|
|
it("rejects non-admin board users without environments:manage", async () => {
|
|
mockAccessService.canUser.mockResolvedValue(false);
|
|
const app = createApp({
|
|
type: "board",
|
|
userId: "user-1",
|
|
source: "session",
|
|
companyIds: ["company-1"],
|
|
isInstanceAdmin: false,
|
|
});
|
|
|
|
const res = await request(app)
|
|
.post("/api/companies/company-1/environments")
|
|
.send({
|
|
name: "Local",
|
|
driver: "local",
|
|
config: {},
|
|
});
|
|
|
|
expect(res.status).toBe(403);
|
|
expect(res.body.error).toContain("environments:manage");
|
|
expect(mockEnvironmentService.create).not.toHaveBeenCalled();
|
|
});
|
|
|
|
it("allows agents with explicit environments:manage grants to create environments", async () => {
|
|
const environment = createEnvironment();
|
|
mockAgentService.getById.mockResolvedValue({
|
|
id: "agent-1",
|
|
companyId: "company-1",
|
|
role: "engineer",
|
|
permissions: { canCreateAgents: false },
|
|
});
|
|
mockAccessService.hasPermission.mockResolvedValue(true);
|
|
mockEnvironmentService.create.mockResolvedValue(environment);
|
|
const app = createApp({
|
|
type: "agent",
|
|
agentId: "agent-1",
|
|
companyId: "company-1",
|
|
source: "agent_key",
|
|
runId: "run-1",
|
|
});
|
|
|
|
const res = await request(app)
|
|
.post("/api/companies/company-1/environments")
|
|
.send({
|
|
name: "Local",
|
|
driver: "local",
|
|
config: {},
|
|
});
|
|
|
|
expect(res.status).toBe(201);
|
|
expect(mockAccessService.hasPermission).toHaveBeenCalledWith(
|
|
"company-1",
|
|
"agent",
|
|
"agent-1",
|
|
"environments:manage",
|
|
);
|
|
});
|
|
|
|
it("rejects invalid SSH config on create", async () => {
|
|
const app = createApp({
|
|
type: "board",
|
|
userId: "user-1",
|
|
source: "local_implicit",
|
|
});
|
|
|
|
const res = await request(app)
|
|
.post("/api/companies/company-1/environments")
|
|
.send({
|
|
name: "SSH Fixture",
|
|
driver: "ssh",
|
|
config: {
|
|
host: "ssh.example.test",
|
|
username: "ssh-user",
|
|
},
|
|
});
|
|
|
|
expect(res.status).toBe(422);
|
|
expect(res.body.error).toContain("remote workspace path");
|
|
expect(mockEnvironmentService.create).not.toHaveBeenCalled();
|
|
});
|
|
|
|
it("normalizes SSH private keys into secret refs before persistence", async () => {
|
|
const environment = {
|
|
...createEnvironment(),
|
|
id: "env-ssh",
|
|
name: "SSH Fixture",
|
|
driver: "ssh" as const,
|
|
config: {
|
|
host: "ssh.example.test",
|
|
port: 22,
|
|
username: "ssh-user",
|
|
remoteWorkspacePath: "/srv/paperclip/workspace",
|
|
privateKey: null,
|
|
privateKeySecretRef: {
|
|
type: "secret_ref",
|
|
secretId: "11111111-1111-1111-1111-111111111111",
|
|
version: "latest",
|
|
},
|
|
knownHosts: null,
|
|
strictHostKeyChecking: true,
|
|
},
|
|
};
|
|
mockEnvironmentService.create.mockResolvedValue(environment);
|
|
const pluginWorkerManager = {};
|
|
const app = createApp({
|
|
type: "board",
|
|
userId: "user-1",
|
|
source: "local_implicit",
|
|
}, { pluginWorkerManager });
|
|
|
|
const res = await request(app)
|
|
.post("/api/companies/company-1/environments")
|
|
.send({
|
|
name: "SSH Fixture",
|
|
driver: "ssh",
|
|
config: {
|
|
host: "ssh.example.test",
|
|
username: "ssh-user",
|
|
remoteWorkspacePath: "/srv/paperclip/workspace",
|
|
privateKey: " super-secret-key ",
|
|
},
|
|
});
|
|
|
|
expect(res.status).toBe(201);
|
|
expect(mockEnvironmentService.create).toHaveBeenCalledWith("company-1", expect.objectContaining({
|
|
config: expect.objectContaining({
|
|
privateKey: null,
|
|
privateKeySecretRef: {
|
|
type: "secret_ref",
|
|
secretId: "11111111-1111-1111-1111-111111111111",
|
|
version: "latest",
|
|
},
|
|
}),
|
|
}));
|
|
expect(JSON.stringify(mockEnvironmentService.create.mock.calls[0][1])).not.toContain("super-secret-key");
|
|
expect(mockSecretService.create).toHaveBeenCalledWith(
|
|
"company-1",
|
|
expect.objectContaining({
|
|
provider: "local_encrypted",
|
|
value: "super-secret-key",
|
|
}),
|
|
expect.any(Object),
|
|
);
|
|
});
|
|
|
|
it("uses the configured provider for SSH private key secret materialization", async () => {
|
|
process.env.PAPERCLIP_SECRETS_PROVIDER = "aws_secrets_manager";
|
|
const environment = {
|
|
...createEnvironment(),
|
|
id: "env-ssh",
|
|
name: "SSH Fixture",
|
|
driver: "ssh" as const,
|
|
config: {
|
|
host: "ssh.example.test",
|
|
port: 22,
|
|
username: "ssh-user",
|
|
remoteWorkspacePath: "/srv/paperclip/workspace",
|
|
privateKey: null,
|
|
privateKeySecretRef: {
|
|
type: "secret_ref",
|
|
secretId: "11111111-1111-1111-1111-111111111111",
|
|
version: "latest",
|
|
},
|
|
knownHosts: null,
|
|
strictHostKeyChecking: true,
|
|
},
|
|
};
|
|
mockEnvironmentService.create.mockResolvedValue(environment);
|
|
const app = createApp({
|
|
type: "board",
|
|
userId: "user-1",
|
|
source: "local_implicit",
|
|
});
|
|
|
|
const res = await request(app)
|
|
.post("/api/companies/company-1/environments")
|
|
.send({
|
|
name: "SSH Fixture",
|
|
driver: "ssh",
|
|
config: {
|
|
host: "ssh.example.test",
|
|
username: "ssh-user",
|
|
remoteWorkspacePath: "/srv/paperclip/workspace",
|
|
privateKey: "super-secret-key",
|
|
},
|
|
});
|
|
|
|
expect(res.status).toBe(201);
|
|
expect(mockSecretService.create).toHaveBeenCalledWith(
|
|
"company-1",
|
|
expect.objectContaining({
|
|
provider: "aws_secrets_manager",
|
|
value: "super-secret-key",
|
|
}),
|
|
expect.any(Object),
|
|
);
|
|
});
|
|
|
|
it("rejects persisted fake sandbox environments", async () => {
|
|
const app = createApp({
|
|
type: "board",
|
|
userId: "user-1",
|
|
source: "local_implicit",
|
|
});
|
|
|
|
const res = await request(app)
|
|
.post("/api/companies/company-1/environments")
|
|
.send({
|
|
name: "Fake Sandbox",
|
|
driver: "sandbox",
|
|
config: {
|
|
provider: "fake",
|
|
image: " ubuntu:24.04 ",
|
|
},
|
|
});
|
|
|
|
expect(res.status).toBe(422);
|
|
expect(res.body.error).toContain("reserved for internal probes");
|
|
expect(mockEnvironmentService.create).not.toHaveBeenCalled();
|
|
});
|
|
|
|
it("creates a sandbox environment with normalized Fake plugin config", async () => {
|
|
const environment = {
|
|
...createEnvironment(),
|
|
id: "env-sandbox-fake-plugin",
|
|
name: "Fake plugin Sandbox",
|
|
driver: "sandbox" as const,
|
|
config: {
|
|
provider: "fake-plugin",
|
|
image: "fake:test",
|
|
timeoutMs: 450000,
|
|
reuseLease: true,
|
|
},
|
|
};
|
|
mockEnvironmentService.create.mockResolvedValue(environment);
|
|
const pluginWorkerManager = {};
|
|
const app = createApp({
|
|
type: "board",
|
|
userId: "user-1",
|
|
source: "local_implicit",
|
|
}, { pluginWorkerManager });
|
|
|
|
const res = await request(app)
|
|
.post("/api/companies/company-1/environments")
|
|
.send({
|
|
name: "Fake plugin Sandbox",
|
|
driver: "sandbox",
|
|
config: {
|
|
provider: "fake-plugin",
|
|
image: "fake:test",
|
|
timeoutMs: "450000",
|
|
reuseLease: true,
|
|
},
|
|
});
|
|
|
|
expect(res.status).toBe(201);
|
|
expect(mockValidatePluginSandboxProviderConfig).toHaveBeenCalledWith({
|
|
db: expect.anything(),
|
|
workerManager: pluginWorkerManager,
|
|
provider: "fake-plugin",
|
|
config: {
|
|
image: "fake:test",
|
|
timeoutMs: 450000,
|
|
reuseLease: true,
|
|
},
|
|
});
|
|
expect(mockEnvironmentService.create).toHaveBeenCalledWith("company-1", {
|
|
name: "Fake plugin Sandbox",
|
|
driver: "sandbox",
|
|
status: "active",
|
|
config: {
|
|
provider: "fake-plugin",
|
|
image: "fake:test",
|
|
timeoutMs: 450000,
|
|
reuseLease: true,
|
|
},
|
|
});
|
|
expect(mockSecretService.create).not.toHaveBeenCalled();
|
|
});
|
|
|
|
it("creates a schema-driven sandbox environment with secret-ref fields persisted as secrets", async () => {
|
|
const environment = {
|
|
...createEnvironment(),
|
|
id: "env-sandbox-secure-plugin",
|
|
name: "Secure Sandbox",
|
|
driver: "sandbox" as const,
|
|
config: {
|
|
provider: "secure-plugin",
|
|
template: "base",
|
|
apiKey: "11111111-1111-1111-1111-111111111111",
|
|
timeoutMs: 450000,
|
|
reuseLease: true,
|
|
},
|
|
};
|
|
mockEnvironmentService.create.mockResolvedValue(environment);
|
|
mockValidatePluginSandboxProviderConfig.mockResolvedValue({
|
|
normalizedConfig: {
|
|
template: "base",
|
|
apiKey: "test-provider-key",
|
|
timeoutMs: 450000,
|
|
reuseLease: true,
|
|
},
|
|
pluginId: "plugin-secure",
|
|
pluginKey: "acme.secure-sandbox-provider",
|
|
driver: {
|
|
driverKey: "secure-plugin",
|
|
kind: "sandbox_provider",
|
|
displayName: "Secure Sandbox",
|
|
configSchema: {
|
|
type: "object",
|
|
properties: {
|
|
template: { type: "string" },
|
|
apiKey: { type: "string", format: "secret-ref" },
|
|
timeoutMs: { type: "number" },
|
|
reuseLease: { type: "boolean" },
|
|
},
|
|
},
|
|
},
|
|
});
|
|
const pluginWorkerManager = {};
|
|
const app = createApp({
|
|
type: "board",
|
|
userId: "user-1",
|
|
source: "local_implicit",
|
|
}, { pluginWorkerManager });
|
|
|
|
const res = await request(app)
|
|
.post("/api/companies/company-1/environments")
|
|
.send({
|
|
name: "Secure Sandbox",
|
|
driver: "sandbox",
|
|
config: {
|
|
provider: "secure-plugin",
|
|
template: " base ",
|
|
apiKey: " test-provider-key ",
|
|
timeoutMs: "450000",
|
|
reuseLease: true,
|
|
},
|
|
});
|
|
|
|
expect(res.status).toBe(201);
|
|
expect(mockValidatePluginSandboxProviderConfig).toHaveBeenCalledWith({
|
|
db: expect.anything(),
|
|
workerManager: pluginWorkerManager,
|
|
provider: "secure-plugin",
|
|
config: {
|
|
template: " base ",
|
|
apiKey: " test-provider-key ",
|
|
timeoutMs: 450000,
|
|
reuseLease: true,
|
|
},
|
|
});
|
|
expect(mockEnvironmentService.create).toHaveBeenCalledWith("company-1", {
|
|
name: "Secure Sandbox",
|
|
driver: "sandbox",
|
|
status: "active",
|
|
config: {
|
|
provider: "secure-plugin",
|
|
template: "base",
|
|
apiKey: "11111111-1111-1111-1111-111111111111",
|
|
timeoutMs: 450000,
|
|
reuseLease: true,
|
|
},
|
|
});
|
|
expect(JSON.stringify(mockEnvironmentService.create.mock.calls[0][1])).not.toContain("test-provider-key");
|
|
expect(mockSecretService.create).toHaveBeenCalledWith(
|
|
"company-1",
|
|
expect.objectContaining({
|
|
provider: "local_encrypted",
|
|
value: "test-provider-key",
|
|
}),
|
|
expect.any(Object),
|
|
);
|
|
});
|
|
|
|
it("uses the configured provider for schema-driven sandbox secret fields", async () => {
|
|
process.env.PAPERCLIP_SECRETS_PROVIDER = "aws_secrets_manager";
|
|
const environment = {
|
|
...createEnvironment(),
|
|
id: "env-sandbox-secure-plugin",
|
|
name: "Secure Sandbox",
|
|
driver: "sandbox" as const,
|
|
config: {
|
|
provider: "secure-plugin",
|
|
template: "base",
|
|
apiKey: "11111111-1111-1111-1111-111111111111",
|
|
timeoutMs: 450000,
|
|
reuseLease: true,
|
|
},
|
|
};
|
|
mockEnvironmentService.create.mockResolvedValue(environment);
|
|
mockValidatePluginSandboxProviderConfig.mockResolvedValue({
|
|
normalizedConfig: {
|
|
template: "base",
|
|
apiKey: "test-provider-key",
|
|
timeoutMs: 450000,
|
|
reuseLease: true,
|
|
},
|
|
pluginId: "plugin-secure",
|
|
pluginKey: "acme.secure-sandbox-provider",
|
|
driver: {
|
|
driverKey: "secure-plugin",
|
|
kind: "sandbox_provider",
|
|
displayName: "Secure Sandbox",
|
|
configSchema: {
|
|
type: "object",
|
|
properties: {
|
|
template: { type: "string" },
|
|
apiKey: { type: "string", format: "secret-ref" },
|
|
timeoutMs: { type: "number" },
|
|
reuseLease: { type: "boolean" },
|
|
},
|
|
},
|
|
},
|
|
});
|
|
const pluginWorkerManager = {};
|
|
const app = createApp({
|
|
type: "board",
|
|
userId: "user-1",
|
|
source: "local_implicit",
|
|
}, { pluginWorkerManager });
|
|
|
|
const res = await request(app)
|
|
.post("/api/companies/company-1/environments")
|
|
.send({
|
|
name: "Secure Sandbox",
|
|
driver: "sandbox",
|
|
config: {
|
|
provider: "secure-plugin",
|
|
template: "base",
|
|
apiKey: "test-provider-key",
|
|
timeoutMs: "450000",
|
|
reuseLease: true,
|
|
},
|
|
});
|
|
|
|
expect(res.status).toBe(201);
|
|
expect(mockSecretService.create).toHaveBeenCalledWith(
|
|
"company-1",
|
|
expect.objectContaining({
|
|
provider: "aws_secrets_manager",
|
|
value: "test-provider-key",
|
|
}),
|
|
expect.any(Object),
|
|
);
|
|
});
|
|
|
|
it("validates plugin environment config through the plugin driver host", async () => {
|
|
const environment = {
|
|
...createEnvironment(),
|
|
id: "env-plugin",
|
|
name: "Plugin Sandbox",
|
|
driver: "plugin" as const,
|
|
config: {
|
|
pluginKey: "acme.environments",
|
|
driverKey: "sandbox",
|
|
driverConfig: {
|
|
template: "normalized",
|
|
},
|
|
},
|
|
};
|
|
mockValidatePluginEnvironmentDriverConfig.mockResolvedValue(environment.config);
|
|
mockEnvironmentService.create.mockResolvedValue(environment);
|
|
const pluginWorkerManager = {};
|
|
const app = createApp({
|
|
type: "board",
|
|
userId: "user-1",
|
|
source: "local_implicit",
|
|
}, { pluginWorkerManager });
|
|
|
|
const res = await request(app)
|
|
.post("/api/companies/company-1/environments")
|
|
.send({
|
|
name: "Plugin Sandbox",
|
|
driver: "plugin",
|
|
config: {
|
|
pluginKey: "acme.environments",
|
|
driverKey: "sandbox",
|
|
driverConfig: {
|
|
template: "base",
|
|
},
|
|
},
|
|
});
|
|
|
|
expect(res.status).toBe(201);
|
|
expect(mockValidatePluginEnvironmentDriverConfig).toHaveBeenCalledWith({
|
|
db: expect.anything(),
|
|
workerManager: pluginWorkerManager,
|
|
config: {
|
|
pluginKey: "acme.environments",
|
|
driverKey: "sandbox",
|
|
driverConfig: {
|
|
template: "base",
|
|
},
|
|
},
|
|
});
|
|
expect(mockEnvironmentService.create).toHaveBeenCalledWith("company-1", expect.objectContaining({
|
|
config: environment.config,
|
|
}));
|
|
});
|
|
|
|
it("rejects unprivileged agent mutations for shared environments", async () => {
|
|
mockAgentService.getById.mockResolvedValue({
|
|
id: "agent-1",
|
|
companyId: "company-1",
|
|
role: "engineer",
|
|
permissions: { canCreateAgents: false },
|
|
});
|
|
mockAccessService.hasPermission.mockResolvedValue(false);
|
|
const app = createApp({
|
|
type: "agent",
|
|
agentId: "agent-1",
|
|
companyId: "company-1",
|
|
source: "agent_key",
|
|
runId: "run-1",
|
|
});
|
|
|
|
const res = await request(app)
|
|
.post("/api/companies/company-1/environments")
|
|
.send({
|
|
name: "Sandbox host",
|
|
driver: "local",
|
|
});
|
|
|
|
expect(res.status).toBe(403);
|
|
expect(res.body.error).toContain("environments:manage");
|
|
expect(mockEnvironmentService.create).not.toHaveBeenCalled();
|
|
});
|
|
|
|
it("lists leases for an environment after company access is confirmed", async () => {
|
|
const environment = createEnvironment();
|
|
mockEnvironmentService.getById.mockResolvedValue(environment);
|
|
mockEnvironmentService.listLeases.mockResolvedValue([
|
|
{
|
|
id: "lease-1",
|
|
companyId: "company-1",
|
|
environmentId: environment.id,
|
|
executionWorkspaceId: "workspace-1",
|
|
issueId: null,
|
|
heartbeatRunId: null,
|
|
status: "active",
|
|
providerLeaseId: "provider-lease-1",
|
|
acquiredAt: new Date("2026-04-16T05:00:00.000Z"),
|
|
lastUsedAt: new Date("2026-04-16T05:05:00.000Z"),
|
|
expiresAt: null,
|
|
releasedAt: null,
|
|
metadata: { provider: "fake" },
|
|
createdAt: new Date("2026-04-16T05:00:00.000Z"),
|
|
updatedAt: new Date("2026-04-16T05:05:00.000Z"),
|
|
},
|
|
]);
|
|
const app = createApp({
|
|
type: "board",
|
|
userId: "user-1",
|
|
source: "local_implicit",
|
|
});
|
|
|
|
const res = await request(app).get(`/api/environments/${environment.id}/leases?status=active`);
|
|
|
|
expect(res.status).toBe(200);
|
|
expect(mockEnvironmentService.listLeases).toHaveBeenCalledWith(environment.id, {
|
|
status: "active",
|
|
});
|
|
});
|
|
|
|
it("returns a single lease after company access is confirmed", async () => {
|
|
mockEnvironmentService.getLeaseById.mockResolvedValue({
|
|
id: "lease-1",
|
|
companyId: "company-1",
|
|
environmentId: "env-1",
|
|
executionWorkspaceId: "workspace-1",
|
|
issueId: null,
|
|
heartbeatRunId: "run-1",
|
|
status: "active",
|
|
leasePolicy: "ephemeral",
|
|
provider: "ssh",
|
|
providerLeaseId: "ssh://ssh-user@example.test:22/workspace",
|
|
acquiredAt: new Date("2026-04-16T05:00:00.000Z"),
|
|
lastUsedAt: new Date("2026-04-16T05:05:00.000Z"),
|
|
expiresAt: null,
|
|
releasedAt: null,
|
|
failureReason: null,
|
|
cleanupStatus: null,
|
|
metadata: { remoteCwd: "/workspace" },
|
|
createdAt: new Date("2026-04-16T05:00:00.000Z"),
|
|
updatedAt: new Date("2026-04-16T05:05:00.000Z"),
|
|
});
|
|
const app = createApp({
|
|
type: "board",
|
|
userId: "user-1",
|
|
source: "local_implicit",
|
|
});
|
|
|
|
const res = await request(app).get("/api/environment-leases/lease-1");
|
|
|
|
expect(res.status).toBe(200);
|
|
expect(res.body.provider).toBe("ssh");
|
|
expect(mockEnvironmentService.getLeaseById).toHaveBeenCalledWith("lease-1");
|
|
});
|
|
|
|
it("rejects cross-company agent access", async () => {
|
|
mockEnvironmentService.list.mockResolvedValue([]);
|
|
const app = createApp({
|
|
type: "agent",
|
|
agentId: "agent-2",
|
|
companyId: "company-2",
|
|
source: "agent_key",
|
|
runId: "run-2",
|
|
});
|
|
|
|
const res = await request(app).get("/api/companies/company-1/environments");
|
|
|
|
expect(res.status).toBe(403);
|
|
expect(res.body.error).toContain("another company");
|
|
expect(mockEnvironmentService.list).not.toHaveBeenCalled();
|
|
});
|
|
|
|
it("logs a redacted update summary instead of raw config or metadata", async () => {
|
|
const environment = createEnvironment();
|
|
mockEnvironmentService.getById.mockResolvedValue(environment);
|
|
mockEnvironmentService.update.mockResolvedValue({
|
|
...environment,
|
|
status: "archived",
|
|
});
|
|
const app = createApp({
|
|
type: "board",
|
|
userId: "user-1",
|
|
source: "local_implicit",
|
|
});
|
|
|
|
const res = await request(app)
|
|
.patch(`/api/environments/${environment.id}`)
|
|
.send({
|
|
status: "archived",
|
|
config: {
|
|
apiKey: "super-secret",
|
|
token: "another-secret",
|
|
},
|
|
metadata: {
|
|
password: "do-not-log",
|
|
},
|
|
});
|
|
|
|
expect(res.status).toBe(200);
|
|
expect(mockLogActivity).toHaveBeenCalledWith(
|
|
expect.anything(),
|
|
expect.objectContaining({
|
|
action: "environment.updated",
|
|
details: {
|
|
changedFields: ["config", "metadata", "status"],
|
|
status: "archived",
|
|
configChanged: true,
|
|
configTopLevelKeyCount: expect.any(Number),
|
|
metadataChanged: true,
|
|
metadataTopLevelKeyCount: 1,
|
|
},
|
|
}),
|
|
);
|
|
expect(JSON.stringify(mockLogActivity.mock.calls[0][1].details)).not.toContain("super-secret");
|
|
expect(JSON.stringify(mockLogActivity.mock.calls[0][1].details)).not.toContain("do-not-log");
|
|
});
|
|
|
|
it("resets config instead of inheriting SSH secrets when switching to local without an explicit config", async () => {
|
|
const environment = {
|
|
...createEnvironment(),
|
|
name: "SSH Fixture",
|
|
driver: "ssh" as const,
|
|
config: {
|
|
host: "ssh.example.test",
|
|
port: 22,
|
|
username: "ssh-user",
|
|
remoteWorkspacePath: "/srv/paperclip/workspace",
|
|
privateKey: "super-secret-key",
|
|
knownHosts: "known-host",
|
|
strictHostKeyChecking: true,
|
|
},
|
|
};
|
|
mockEnvironmentService.getById.mockResolvedValue(environment);
|
|
mockEnvironmentService.update.mockResolvedValue({
|
|
...createEnvironment(),
|
|
driver: "local" as const,
|
|
config: {},
|
|
});
|
|
const app = createApp({
|
|
type: "board",
|
|
userId: "user-1",
|
|
source: "local_implicit",
|
|
});
|
|
|
|
const res = await request(app)
|
|
.patch(`/api/environments/${environment.id}`)
|
|
.send({
|
|
driver: "local",
|
|
});
|
|
|
|
expect(res.status).toBe(200);
|
|
expect(mockEnvironmentService.update).toHaveBeenCalledWith(environment.id, {
|
|
driver: "local",
|
|
config: {},
|
|
});
|
|
expect(JSON.stringify(mockEnvironmentService.update.mock.calls[0][1])).not.toContain("super-secret-key");
|
|
expect(JSON.stringify(mockEnvironmentService.update.mock.calls[0][1])).not.toContain("known-host");
|
|
});
|
|
|
|
it("requires explicit SSH config when switching from local to SSH", async () => {
|
|
mockEnvironmentService.getById.mockResolvedValue(createEnvironment());
|
|
const app = createApp({
|
|
type: "board",
|
|
userId: "user-1",
|
|
source: "local_implicit",
|
|
});
|
|
|
|
const res = await request(app)
|
|
.patch("/api/environments/env-1")
|
|
.send({
|
|
driver: "ssh",
|
|
});
|
|
|
|
expect(res.status).toBe(422);
|
|
expect(res.body.error).toContain("host");
|
|
expect(mockEnvironmentService.update).not.toHaveBeenCalled();
|
|
});
|
|
|
|
it("rejects switching an environment to the built-in fake sandbox provider", async () => {
|
|
mockEnvironmentService.getById.mockResolvedValue(createEnvironment());
|
|
const app = createApp({
|
|
type: "board",
|
|
userId: "user-1",
|
|
source: "local_implicit",
|
|
});
|
|
|
|
const res = await request(app)
|
|
.patch("/api/environments/env-1")
|
|
.send({
|
|
driver: "sandbox",
|
|
config: {
|
|
provider: "fake",
|
|
image: "ubuntu:24.04",
|
|
},
|
|
});
|
|
|
|
expect(res.status).toBe(422);
|
|
expect(res.body.error).toContain("reserved for internal probes");
|
|
expect(mockEnvironmentService.update).not.toHaveBeenCalled();
|
|
});
|
|
|
|
it("returns 404 when patching a missing environment", async () => {
|
|
mockEnvironmentService.getById.mockResolvedValue(null);
|
|
const app = createApp({
|
|
type: "board",
|
|
userId: "user-1",
|
|
source: "local_implicit",
|
|
});
|
|
|
|
const res = await request(app)
|
|
.patch("/api/environments/missing-env")
|
|
.send({ status: "archived" });
|
|
|
|
expect(res.status).toBe(404);
|
|
expect(res.body.error).toBe("Environment not found");
|
|
expect(mockLogActivity).not.toHaveBeenCalled();
|
|
});
|
|
|
|
it("probes an SSH environment and logs the result", async () => {
|
|
const environment = {
|
|
...createEnvironment(),
|
|
name: "SSH Fixture",
|
|
driver: "ssh" as const,
|
|
config: {
|
|
host: "ssh.example.test",
|
|
port: 22,
|
|
username: "ssh-user",
|
|
remoteWorkspacePath: "/srv/paperclip/workspace",
|
|
privateKey: null,
|
|
knownHosts: null,
|
|
strictHostKeyChecking: true,
|
|
},
|
|
};
|
|
mockEnvironmentService.getById.mockResolvedValue(environment);
|
|
mockProbeEnvironment.mockResolvedValue({
|
|
ok: true,
|
|
driver: "ssh",
|
|
summary: "Connected to ssh-user@ssh.example.test and verified the remote workspace path.",
|
|
details: {
|
|
host: "ssh.example.test",
|
|
},
|
|
});
|
|
const app = createApp({
|
|
type: "board",
|
|
userId: "user-1",
|
|
source: "local_implicit",
|
|
runId: "run-1",
|
|
});
|
|
|
|
const res = await request(app)
|
|
.post(`/api/environments/${environment.id}/probe`)
|
|
.send({});
|
|
|
|
expect(res.status).toBe(200);
|
|
expect(res.body.ok).toBe(true);
|
|
expect(mockProbeEnvironment).toHaveBeenCalledWith(expect.anything(), environment, {
|
|
pluginWorkerManager: undefined,
|
|
});
|
|
expect(mockLogActivity).toHaveBeenCalledWith(
|
|
expect.anything(),
|
|
expect.objectContaining({
|
|
companyId: "company-1",
|
|
action: "environment.probed",
|
|
entityType: "environment",
|
|
entityId: environment.id,
|
|
details: expect.objectContaining({
|
|
driver: "ssh",
|
|
ok: true,
|
|
}),
|
|
}),
|
|
);
|
|
});
|
|
|
|
it("probes a sandbox environment and logs the result", async () => {
|
|
const environment = {
|
|
...createEnvironment(),
|
|
id: "env-sandbox",
|
|
name: "Fake Sandbox",
|
|
driver: "sandbox" as const,
|
|
config: {
|
|
provider: "fake",
|
|
image: "ubuntu:24.04",
|
|
reuseLease: true,
|
|
},
|
|
};
|
|
mockEnvironmentService.getById.mockResolvedValue(environment);
|
|
mockProbeEnvironment.mockResolvedValue({
|
|
ok: true,
|
|
driver: "sandbox",
|
|
summary: "Fake sandbox provider is ready for image ubuntu:24.04.",
|
|
details: {
|
|
provider: "fake",
|
|
image: "ubuntu:24.04",
|
|
reuseLease: true,
|
|
},
|
|
});
|
|
const app = createApp({
|
|
type: "board",
|
|
userId: "user-1",
|
|
source: "local_implicit",
|
|
runId: "run-1",
|
|
});
|
|
|
|
const res = await request(app)
|
|
.post(`/api/environments/${environment.id}/probe`)
|
|
.send({});
|
|
|
|
expect(res.status).toBe(200);
|
|
expect(res.body.driver).toBe("sandbox");
|
|
expect(mockProbeEnvironment).toHaveBeenCalledWith(expect.anything(), environment, {
|
|
pluginWorkerManager: undefined,
|
|
});
|
|
expect(mockLogActivity).toHaveBeenCalledWith(
|
|
expect.anything(),
|
|
expect.objectContaining({
|
|
companyId: "company-1",
|
|
action: "environment.probed",
|
|
entityType: "environment",
|
|
entityId: environment.id,
|
|
details: expect.objectContaining({
|
|
driver: "sandbox",
|
|
ok: true,
|
|
}),
|
|
}),
|
|
);
|
|
});
|
|
|
|
it("probes unsaved provider config without persisting secrets", async () => {
|
|
mockProbeEnvironment.mockResolvedValue({
|
|
ok: true,
|
|
driver: "sandbox",
|
|
summary: "Fake plugin sandbox provider is ready.",
|
|
details: { provider: "fake-plugin" },
|
|
});
|
|
const pluginWorkerManager = {};
|
|
const app = createApp({
|
|
type: "board",
|
|
userId: "user-1",
|
|
source: "local_implicit",
|
|
runId: "run-1",
|
|
}, { pluginWorkerManager });
|
|
|
|
const res = await request(app)
|
|
.post("/api/companies/company-1/environments/probe-config")
|
|
.send({
|
|
name: "Draft Fake plugin",
|
|
driver: "sandbox",
|
|
config: {
|
|
provider: "fake-plugin",
|
|
template: "base",
|
|
apiKey: "unsaved-test-key",
|
|
timeoutMs: 300000,
|
|
reuseLease: true,
|
|
},
|
|
});
|
|
|
|
expect(res.status).toBe(200);
|
|
expect(mockEnvironmentService.create).not.toHaveBeenCalled();
|
|
expect(mockSecretService.create).not.toHaveBeenCalled();
|
|
expect(mockProbeEnvironment).toHaveBeenCalledWith(
|
|
expect.anything(),
|
|
expect.objectContaining({
|
|
id: "unsaved",
|
|
driver: "sandbox",
|
|
config: expect.objectContaining({
|
|
apiKey: "unsaved-test-key",
|
|
}),
|
|
}),
|
|
expect.objectContaining({
|
|
pluginWorkerManager,
|
|
resolvedConfig: expect.objectContaining({
|
|
driver: "sandbox",
|
|
}),
|
|
}),
|
|
);
|
|
expect(JSON.stringify(mockLogActivity.mock.calls[0][1].details)).not.toContain("unsaved-test-key");
|
|
});
|
|
});
|