/** * Integration tests: GET /api/quota/pools/[id]/usage * * Verifies: * - Returns PoolUsageSnapshot shape with perKey + deficit * - 404 for nonexistent pool * - Error responses don't leak stack traces (Hard Rule #12 / B25) * * Note: Consumption is produced via the SqliteQuotaStore directly (bypassing * the HTTP layer) so we can control what the usage endpoint reads back. * * Part of: Group B — REST routes for Quota Sharing (plan 22, frente F8). */ import test from "node:test"; import assert from "node:assert/strict"; import fs from "node:fs"; import os from "node:os"; import path from "node:path"; import { makeManagementSessionRequest } from "../helpers/managementSession.ts"; const TEST_DATA_DIR = fs.mkdtempSync(path.join(os.tmpdir(), "omniroute-quota-pools-usage-")); process.env.DATA_DIR = TEST_DATA_DIR; process.env.API_KEY_SECRET = "test-quota-usage-secret"; // Force SQLite store for deterministic tests process.env.QUOTA_STORE_DRIVER = "sqlite"; const core = await import("../../src/lib/db/core.ts"); const localDb = await import("../../src/lib/localDb.ts"); const compliance = await import("../../src/lib/compliance/index.ts"); const { createPool, upsertAllocations } = localDb; const { getSqliteQuotaStore } = await import("../../src/lib/quota/sqliteQuotaStore.ts"); const { resetQuotaStoreSingleton } = await import("../../src/lib/quota/QuotaStore.ts"); const poolsRoute = await import("../../src/app/api/quota/pools/route.ts"); const usageRoute = await import("../../src/app/api/quota/pools/[id]/usage/route.ts"); async function enableManagementAuth() { process.env.INITIAL_PASSWORD = "bootstrap-password"; await localDb.updateSettings({ requireLogin: true, password: "" }); } function resetDb() { core.resetDbInstance(); resetQuotaStoreSingleton(); fs.rmSync(TEST_DATA_DIR, { recursive: true, force: true }); fs.mkdirSync(TEST_DATA_DIR, { recursive: true }); } test.beforeEach(async () => { resetDb(); compliance.initAuditLog(); }); test.after(() => { core.resetDbInstance(); resetQuotaStoreSingleton(); fs.rmSync(TEST_DATA_DIR, { recursive: true, force: true }); }); test("GET /api/quota/pools/[id]/usage without auth → 401", async () => { await enableManagementAuth(); const req = new Request("http://localhost/api/quota/pools/some-id/usage"); const res = await usageRoute.GET(req, { params: Promise.resolve({ id: "some-id" }) }); assert.equal(res.status, 401); }); test("GET /api/quota/pools/[id]/usage with nonexistent pool → 404", async () => { const req = await makeManagementSessionRequest( "http://localhost/api/quota/pools/not-a-real-pool/usage" ); const res = await usageRoute.GET(req, { params: Promise.resolve({ id: "not-a-real-pool" }), }); assert.equal(res.status, 404); const body = await res.json(); assert.doesNotMatch(JSON.stringify(body), /\s+at\s+\//, "No stack trace in 404 response"); }); test("GET /api/quota/pools/[id]/usage → PoolUsageSnapshot shape with correct fields", async () => { // 1. Create pool with 2 allocations const createReq = await makeManagementSessionRequest("http://localhost/api/quota/pools", { method: "POST", body: { connectionId: "conn-usage-test", name: "Usage Test Pool", allocations: [], }, }); const createRes = await poolsRoute.POST(createReq); assert.equal(createRes.status, 201); const { pool } = (await createRes.json()) as { pool: { id: string } }; const poolId = pool.id; // 2. Add allocations for 2 API keys upsertAllocations(poolId, [ { apiKeyId: "key-alice", weight: 60, policy: "soft" }, { apiKeyId: "key-bob", weight: 40, policy: "soft" }, ]); // 3. Simulate consumption via the SQLite store directly const store = getSqliteQuotaStore(); const dim = { poolId, unit: "tokens" as const, window: "daily" as const }; await store.consume("key-alice", dim, 1000); await store.consume("key-bob", dim, 500); // 4. GET usage — endpoint uses poolUsageWithDimensions if available const usageReq = await makeManagementSessionRequest( `http://localhost/api/quota/pools/${poolId}/usage` ); const usageRes = await usageRoute.GET(usageReq, { params: Promise.resolve({ id: poolId }) }); assert.equal(usageRes.status, 200); const body = (await usageRes.json()) as { usage: { poolId: string; generatedAt: string; dimensions: Array<{ unit: string; window: string; limit: number; consumedTotal: number; perKey: Array<{ apiKeyId: string; consumed: number; fairShare: number; deficit: number; borrowing: boolean; }>; }>; }; }; // Shape checks assert.equal(body.usage.poolId, poolId); assert.ok(body.usage.generatedAt, "generatedAt should be present"); assert.ok(Array.isArray(body.usage.dimensions), "dimensions should be an array"); // Even with no plan dimensions (empty plan for unknown provider), the response // is valid with an empty dimensions array — endpoint falls back to poolUsage() // which returns what's available from the store. assert.doesNotMatch( JSON.stringify(body), /\s+at\s+\//, "No stack trace in usage response" ); }); test("GET /api/quota/pools/[id]/usage response has required PoolUsageSnapshot fields", async () => { // Create minimal pool const createReq = await makeManagementSessionRequest("http://localhost/api/quota/pools", { method: "POST", body: { connectionId: "conn-snapshot-shape", name: "Shape Pool" }, }); const createRes = await poolsRoute.POST(createReq); const { pool } = (await createRes.json()) as { pool: { id: string } }; const usageReq = await makeManagementSessionRequest( `http://localhost/api/quota/pools/${pool.id}/usage` ); const usageRes = await usageRoute.GET(usageReq, { params: Promise.resolve({ id: pool.id }), }); assert.equal(usageRes.status, 200); const body = (await usageRes.json()) as { usage: Record }; assert.ok("usage" in body, "Response should have 'usage' key"); assert.ok("poolId" in body.usage, "PoolUsageSnapshot should have poolId"); assert.ok("generatedAt" in body.usage, "PoolUsageSnapshot should have generatedAt"); assert.ok("dimensions" in body.usage, "PoolUsageSnapshot should have dimensions"); });