chore: import upstream snapshot with attribution

This commit is contained in:
wehub-resource-sync
2026-07-13 13:39:12 +08:00
commit d8dcd5f6d1
8604 changed files with 2479390 additions and 0 deletions
@@ -0,0 +1,132 @@
/**
* Tests for GET /api/services/9router/models
*
* Uses an isolated in-memory DB and mocks fetch + service registry.
*/
import { describe, it, beforeEach, afterEach } from "node:test";
import assert from "node:assert/strict";
import fs from "node:fs";
import os from "node:os";
import path from "node:path";
const TEST_DATA_DIR = fs.mkdtempSync(path.join(os.tmpdir(), "omniroute-9router-models-api-"));
process.env.DATA_DIR = TEST_DATA_DIR;
process.env.NODE_ENV = "test";
process.env.DISABLE_SQLITE_AUTO_BACKUP = "true";
process.env.NINEROUTER_PORT = "20130";
// Must import db core first so the DB is initialised at the test path.
const core = await import("../../../../src/lib/db/core.ts");
const { saveServiceModels, getServiceModels } =
await import("../../../../src/lib/db/serviceModels.ts");
// Import the route handler under test (after env is set).
const { GET } = await import("../../../../src/app/api/services/9router/models/route.ts");
const originalFetch = globalThis.fetch;
function resetDb() {
core.resetDbInstance();
fs.rmSync(TEST_DATA_DIR, { recursive: true, force: true });
fs.mkdirSync(TEST_DATA_DIR, { recursive: true });
}
function makeRequest(url: string): Request {
return new Request(url);
}
function makeFetch(status: number, body: unknown): typeof fetch {
return async () =>
new Response(JSON.stringify(body), {
status,
headers: { "Content-Type": "application/json" },
});
}
beforeEach(() => {
resetDb();
globalThis.fetch = originalFetch;
});
afterEach(() => {
globalThis.fetch = originalFetch;
});
describe("GET /api/services/9router/models", () => {
it("returns { data: [] } when no models are stored", async () => {
const req = makeRequest("http://localhost/api/services/9router/models");
const res = await GET(req);
assert.equal(res.status, 200);
const body = await res.json();
assert.ok("data" in body, "response should have a data property");
assert.deepEqual(body.data, []);
});
it("returns stored models as { data: [...] }", async () => {
saveServiceModels("9router", [
{ id: "9router/cx/gpt-5-mini", name: "GPT-5 mini", available: true },
{ id: "9router/auto/sonnet", name: "Sonnet", available: true },
]);
const req = makeRequest("http://localhost/api/services/9router/models");
const res = await GET(req);
assert.equal(res.status, 200);
const body = await res.json();
assert.equal(body.data.length, 2);
assert.equal(body.data[0].id, "9router/cx/gpt-5-mini");
assert.equal(body.data[1].id, "9router/auto/sonnet");
});
it("?refresh=true triggers a sync before returning", async () => {
// Pre-seed with one model so we can tell that the sync ran.
saveServiceModels("9router", [{ id: "9router/old-model", available: true }]);
let fetchCalled = false;
globalThis.fetch = async () => {
fetchCalled = true;
return new Response(
// Upstream returns an unprefixed id — sync should prefix it as "9router/new-model".
JSON.stringify({ data: [{ id: "new-model", object: "model" }] }),
{ status: 200, headers: { "Content-Type": "application/json" } }
);
};
const req = makeRequest("http://localhost/api/services/9router/models?refresh=true");
const res = await GET(req);
assert.equal(res.status, 200);
assert.ok(fetchCalled, "?refresh=true should have triggered a fetch to the service");
const body = await res.json();
// After sync, new model should be present prefixed (old model pruned to unavailable).
const ids = body.data.map((m: { id: string }) => m.id);
assert.ok(ids.includes("9router/new-model"), "synced model should appear in response");
});
it("?refresh=false (default) does NOT trigger a sync", async () => {
saveServiceModels("9router", [{ id: "9router/cached-model", available: true }]);
let fetchCalled = false;
globalThis.fetch = async () => {
fetchCalled = true;
return new Response(JSON.stringify({ data: [] }), { status: 200 });
};
const req = makeRequest("http://localhost/api/services/9router/models");
const res = await GET(req);
assert.equal(res.status, 200);
assert.equal(fetchCalled, false, "GET without ?refresh=true should NOT call fetch");
});
it("response shape always has a data array", async () => {
const req = makeRequest("http://localhost/api/services/9router/models");
const res = await GET(req);
const body = await res.json();
assert.ok(Array.isArray(body.data), "data must always be an array");
});
});
@@ -0,0 +1,100 @@
/**
* Tests for POST /api/services/9router/provider-expose
*/
import { describe, it, beforeEach } from "node:test";
import assert from "node:assert/strict";
import fs from "node:fs";
import os from "node:os";
import path from "node:path";
const TEST_DATA_DIR = fs.mkdtempSync(path.join(os.tmpdir(), "omniroute-9router-provider-expose-"));
process.env.DATA_DIR = TEST_DATA_DIR;
process.env.NODE_ENV = "test";
process.env.DISABLE_SQLITE_AUTO_BACKUP = "true";
// Initialise DB first.
const core = await import("../../../../src/lib/db/core.ts");
const { upsertVersionManagerTool, getVersionManagerTool } =
await import("../../../../src/lib/db/versionManager.ts");
// Import route under test.
const { POST } = await import("../../../../src/app/api/services/9router/provider-expose/route.ts");
function resetDb() {
core.resetDbInstance();
fs.rmSync(TEST_DATA_DIR, { recursive: true, force: true });
fs.mkdirSync(TEST_DATA_DIR, { recursive: true });
}
function makeRequest(body: unknown): Request {
return new Request("http://localhost/api/services/9router/provider-expose", {
method: "POST",
headers: { "Content-Type": "application/json" },
body: JSON.stringify(body),
});
}
beforeEach(() => {
resetDb();
});
describe("POST /api/services/9router/provider-expose", () => {
it("returns 400 for invalid JSON body", async () => {
const req = new Request("http://localhost/api/services/9router/provider-expose", {
method: "POST",
body: "not-json",
headers: { "Content-Type": "application/json" },
});
const res = await POST(req);
assert.equal(res.status, 400);
});
it("returns 400 when enabled is missing", async () => {
const req = makeRequest({});
const res = await POST(req);
assert.equal(res.status, 400);
const body = await res.json();
assert.ok(body?.error?.message ?? body?.message, "should have an error message");
});
it("returns 400 when enabled is not a boolean", async () => {
const req = makeRequest({ enabled: "yes" });
const res = await POST(req);
assert.equal(res.status, 400);
});
it("sets providerExpose to true and returns 204", async () => {
await upsertVersionManagerTool({ tool: "9router", status: "stopped" });
const req = makeRequest({ enabled: true });
const res = await POST(req);
assert.equal(res.status, 204);
const row = await getVersionManagerTool("9router");
assert.equal(row?.providerExpose, true, "providerExpose should be true in DB");
});
it("sets providerExpose to false and returns 204", async () => {
await upsertVersionManagerTool({ tool: "9router", status: "stopped" });
// First enable it.
await POST(makeRequest({ enabled: true }));
// Then disable it.
const res = await POST(makeRequest({ enabled: false }));
assert.equal(res.status, 204);
const row = await getVersionManagerTool("9router");
assert.equal(row?.providerExpose, false, "providerExpose should be false in DB");
});
it("error response does not leak stack traces", async () => {
// Missing body triggers 400 — verify the message doesn't contain stack frames.
const req = makeRequest({});
const res = await POST(req);
assert.equal(res.status, 400);
const text = await res.text();
assert.ok(!text.includes("at /"), "error body must not expose stack trace");
});
});
@@ -0,0 +1,127 @@
/**
* Tests for GET /api/services/9router/status?reveal=key (R-01)
*
* - Without ?reveal: returns only masked key
* - With ?reveal=key but missing X-Reveal-Confirm: returns 403
* - With ?reveal=key and X-Reveal-Confirm: yes: returns apiKeyPlain + logs audit
*/
import { describe, it, before, after, beforeEach } from "node:test";
import assert from "node:assert/strict";
import fs from "node:fs";
import os from "node:os";
import path from "node:path";
const TEST_DATA_DIR = fs.mkdtempSync(path.join(os.tmpdir(), "omniroute-9router-reveal-"));
process.env.DATA_DIR = TEST_DATA_DIR;
process.env.NODE_ENV = "test";
process.env.DISABLE_SQLITE_AUTO_BACKUP = "true";
// Bootstrap DB and seed service row
const core = await import("../../../../src/lib/db/core.ts");
const db = core.getDbInstance();
db.prepare(
`INSERT OR IGNORE INTO version_manager (tool, status, port, auto_start, auto_update, provider_expose)
VALUES ('9router', 'stopped', 20130, 0, 1, 1)`
).run();
const { updateVersionManagerTool } = await import("../../../../src/lib/db/versionManager.ts");
await updateVersionManagerTool("9router", {
installedVersion: "0.4.59",
status: "stopped",
});
// Ensure audit_log table exists (compliance init)
const { initAuditLog, countAuditLog } = await import("../../../../src/lib/compliance/index.ts");
initAuditLog();
// Import GET after env is set
const { GET } =
await import("../../../../src/app/api/services/9router/status/route.ts?t=reveal-suite");
function makeRequest(url: string, headers?: Record<string, string>): Request {
return new Request(url, { headers });
}
after(() => {
core.resetDbInstance();
fs.rmSync(TEST_DATA_DIR, { recursive: true, force: true });
});
describe("GET /api/services/9router/status", () => {
it("without ?reveal returns only masked key (no plain)", async () => {
const req = makeRequest("http://localhost/api/services/9router/status");
const res = await GET(req);
assert.equal(res.status, 200);
const body = await res.json();
assert.ok("apiKeyMasked" in body, "should have apiKeyMasked");
assert.ok(!("apiKeyPlain" in body), "should NOT have apiKeyPlain");
});
it("?reveal=key without X-Reveal-Confirm returns 403", async () => {
const req = makeRequest("http://localhost/api/services/9router/status?reveal=key");
const res = await GET(req);
assert.equal(res.status, 403);
const body = await res.json();
assert.ok(
body.error?.message?.toLowerCase().includes("confirm") ||
body.error?.message?.toLowerCase().includes("header") ||
body.message?.toLowerCase().includes("confirm") ||
String(body).toLowerCase().includes("confirm"),
`body should mention confirmation: ${JSON.stringify(body)}`
);
});
it("?reveal=key with wrong X-Reveal-Confirm value returns 403", async () => {
const req = makeRequest("http://localhost/api/services/9router/status?reveal=key", {
"X-Reveal-Confirm": "no",
});
const res = await GET(req);
assert.equal(res.status, 403);
});
it("?reveal=key with X-Reveal-Confirm: yes returns apiKeyPlain", async () => {
const req = makeRequest("http://localhost/api/services/9router/status?reveal=key", {
"X-Reveal-Confirm": "yes",
});
const res = await GET(req);
assert.equal(res.status, 200);
const body = await res.json();
assert.ok(typeof body.apiKeyPlain === "string", "should have apiKeyPlain string");
assert.ok(body.apiKeyPlain.startsWith("nr_"), "plain key should start with nr_");
// masked should also be present
assert.ok("apiKeyMasked" in body, "should still have apiKeyMasked");
});
it("reveal logs an audit entry with action=service.reveal_api_key", async () => {
const countBefore = countAuditLog({ action: "service.reveal_api_key" });
const req = makeRequest("http://localhost/api/services/9router/status?reveal=key", {
"X-Reveal-Confirm": "yes",
});
const res = await GET(req);
assert.equal(res.status, 200);
const countAfter = countAuditLog({ action: "service.reveal_api_key" });
assert.equal(
countAfter,
countBefore + 1,
`audit entries should increase by 1 (was ${countBefore}, now ${countAfter})`
);
});
it("plain key is different from masked key (not trivially masked)", async () => {
const req = makeRequest("http://localhost/api/services/9router/status?reveal=key", {
"X-Reveal-Confirm": "yes",
});
const res = await GET(req);
const body = await res.json();
assert.notEqual(body.apiKeyPlain, body.apiKeyMasked, "plain and masked should differ");
assert.ok(
body.apiKeyPlain.length > body.apiKeyMasked.length ||
!body.apiKeyMasked.includes(body.apiKeyPlain),
"masked should not contain the full plain key"
);
});
});