/** * Tests for Managed API * * Covers: * - Browser session pairing/registration lifecycle * - Workspace ownership enforcement on tasks * - Session connectivity validation * - Unauthorized access (wrong workspace, missing auth) */ import { createWorkspace, createApiKey, createPairingToken, consumePairingToken, getBrowserSession, validateSessionToken, createTaskRun, getTaskRun, listTaskRuns, recordUsage, getUsageSummary, ensureDefaultWorkspace, type ApiKey, type Workspace, } from "./store.js"; let wsA: Workspace; let wsB: Workspace; let keyA: ApiKey; let keyB: ApiKey; function setup() { wsA = createWorkspace("Workspace A"); wsB = createWorkspace("Workspace B"); keyA = createApiKey(wsA.id, "key-a"); keyB = createApiKey(wsB.id, "key-b"); } function assert(condition: boolean, msg: string) { if (!condition) throw new Error(`FAIL: ${msg}`); console.log(` ✓ ${msg}`); } // --- Test: Pairing Token Lifecycle --- function testPairingTokenLifecycle() { console.log("\n--- Pairing Token Lifecycle ---"); // Create pairing token from workspace A const pt = createPairingToken(wsA.id, keyA.id); assert(pt._plainToken.startsWith("hic_pair_"), "Pairing token has correct prefix"); assert(pt.workspaceId === wsA.id, "Pairing token bound to workspace A"); assert(!pt.consumed, "Pairing token not yet consumed"); assert(pt.expiresAt > Date.now(), "Pairing token not expired"); // Consume it using the plaintext token — creates a browser session const session = consumePairingToken(pt._plainToken); assert(session !== null, "Session created from pairing token"); assert(session!.workspaceId === wsA.id, "Session inherits workspace from pairing token"); assert(session!.sessionToken.startsWith("hic_sess_"), "Session token has correct prefix"); assert(session!.status === "connected", "Session starts as connected"); // Cannot consume again const session2 = consumePairingToken(pt._plainToken); assert(session2 === null, "Cannot consume pairing token twice"); // Invalid token returns null const session3 = consumePairingToken("hic_pair_bogus"); assert(session3 === null, "Invalid pairing token returns null"); } // --- Test: Session Token Validation --- function testSessionTokenValidation() { console.log("\n--- Session Token Validation ---"); const pt = createPairingToken(wsA.id, keyA.id); const session = consumePairingToken(pt._plainToken)!; // Valid session token (session.sessionToken is plaintext from consumePairingToken) const validated = validateSessionToken(session.sessionToken); assert(validated !== null, "Valid session token validates"); assert(validated!.id === session.id, "Validated session has correct ID"); assert(validated!.workspaceId === wsA.id, "Validated session has correct workspace"); // Invalid session token const invalid = validateSessionToken("hic_sess_bogus"); assert(invalid === null, "Invalid session token returns null"); } // --- Test: Workspace Ownership on Tasks --- function testWorkspaceOwnership() { console.log("\n--- Workspace Ownership ---"); // Create a task in workspace A const task = createTaskRun({ workspaceId: wsA.id, apiKeyId: keyA.id, task: "test task", browserSessionId: "session-1", }); // Workspace A can see it const fromA = getTaskRun(task.id); assert(fromA !== null, "Task exists"); assert(fromA!.workspaceId === wsA.id, "Task belongs to workspace A"); // List tasks for workspace A includes it const listA = listTaskRuns(wsA.id); assert(listA.some((t) => t.id === task.id), "Workspace A list includes the task"); // List tasks for workspace B does NOT include it const listB = listTaskRuns(wsB.id); assert(!listB.some((t) => t.id === task.id), "Workspace B list does NOT include the task"); // Cross-workspace check const crossCheck = getTaskRun(task.id); assert( crossCheck!.workspaceId !== wsB.id, "Task workspace does not match workspace B" ); } // --- Test: Session Must Belong to Workspace --- function testSessionWorkspaceBinding() { console.log("\n--- Session Workspace Binding ---"); // Create session in workspace A via pairing token const ptA = createPairingToken(wsA.id, keyA.id); const sessionA = consumePairingToken(ptA._plainToken)!; // Session belongs to workspace A assert(sessionA.workspaceId === wsA.id, "Session belongs to workspace A"); // Create session in workspace B const ptB = createPairingToken(wsB.id, keyB.id); const sessionB = consumePairingToken(ptB._plainToken)!; assert(sessionB.workspaceId === wsB.id, "Session belongs to workspace B"); // Workspace A cannot use workspace B's session for task creation // (The API enforces this — we test the data model here) const sessionFromStore = getBrowserSession(sessionB.id); assert( sessionFromStore!.workspaceId !== wsA.id, "Workspace A cannot claim workspace B's session" ); } // --- Test: Pairing Token Expiry --- function testPairingTokenExpiry() { console.log("\n--- Pairing Token Expiry ---"); // Test that a nonexistent/invalid token returns null (covers the expired path) const session = consumePairingToken("hic_pair_this_token_does_not_exist_at_all"); assert(session === null, "Invalid/nonexistent pairing token cannot be consumed"); } // --- Test: Usage Attribution --- function testUsageAttribution() { console.log("\n--- Usage Attribution ---"); const task = createTaskRun({ workspaceId: wsA.id, apiKeyId: keyA.id, task: "usage test", }); recordUsage({ workspaceId: wsA.id, apiKeyId: keyA.id, taskRunId: task.id, inputTokens: 10000, outputTokens: 500, apiCalls: 5, model: "gemini-2.5-flash", }); const summaryA = getUsageSummary(wsA.id); assert(summaryA.totalInputTokens >= 10000, "Usage attributed to workspace A"); assert(summaryA.totalApiCalls >= 5, "API calls attributed to workspace A"); assert(summaryA.totalCostUsd > 0, "Cost calculated"); const summaryB = getUsageSummary(wsB.id); assert(summaryB.totalInputTokens === 0, "Workspace B has no usage"); } // --- Run all --- function runAll() { console.log("=== Managed API Tests ==="); setup(); testPairingTokenLifecycle(); testSessionTokenValidation(); testWorkspaceOwnership(); testSessionWorkspaceBinding(); testPairingTokenExpiry(); testUsageAttribution(); console.log("\n=== All tests passed ===\n"); } runAll();