Files
Arcrun/credentials/tests/credentials-preservation.test.ts
T
Claude 2707fca32b feat(arcrun): implement arcrun MVP — open-source AI workflow engine
Phase 1-5 complete per .agents/specs/u6u-core-mvp/:

**Phase 1 — Cherry-pick & cleanup**
- Create arcrun/ from cypher-executor, credentials, builtins, registry
- Remove 9 InkStone Service Bindings (KBDB, REGISTRY, CLINIC_*, AICEO, MINI_ME)
- Rewrite component-loader: 3-layer (builtin → WASM_BUCKET R2 → error)
- Remove autoPublishMissing.ts, proxy.ts (AICEO), execution-logger.ts (KBDB)
- Clean all KV namespace IDs and InkStone internal URLs from config files

**Phase 2 — contract.yaml completeness**
- Add credentials_required to gmail, google_sheets, telegram, line_notify
- Add config_example to all 21 components with annotated field descriptions

**Phase 3 — Credential injection**
- Add credential-injector.ts: AES-GCM decrypt from CREDENTIALS_KV
- Integrate into GraphExecutor before WASM execution
- Structured errors with repair instructions when credential missing

**Phase 4 — CLI (acr)**
- cli/package.json: arcrun package, bin: acr, deps: commander/js-yaml/chalk/ora
- 8 commands: init, creds push, push, run, validate, parts, list, logs
- Standard mode: writes directly to user's CF KV via CF REST API
- acr init: interactive setup with arcrun.dev API Key registration

**Phase 5 — Open source release prep**
- README.md: 5-minute quickstart, component table, workflow YAML syntax
- CONTRIBUTING.md: TinyGo dev env, component scaffolding, submission flow
- Security audit: no InkStone internal URLs/IDs in committed files
- .gitignore: exclude credentials.yaml, .wrangler, *.wasm

https://claude.ai/code/session_01BnCdSLVH8tUed9VrrPavgT
2026-04-16 04:06:25 +00:00

80 lines
3.6 KiB
TypeScript

// Preservation Tests — AES-GCM Credential Round-Trip
// Task 2: 確認基線行為(修復前執行,預期通過)
//
// **Validates: Requirements 3.9**
import { SELF } from 'cloudflare:test';
import { describe, it, expect } from 'vitest';
import * as fc from 'fast-check';
// ─────────────────────────────────────────────────────────────────────────────
// Property: Credential round-trip
//
// For all non-zero credential name/secret pairs,
// POST /credentials → GET /credentials/:name/secret returns the same secret.
// This validates AES-GCM encrypt → decrypt round-trip correctness.
//
// **Validates: Requirements 3.9**
// ─────────────────────────────────────────────────────────────────────────────
describe('Preservation: AES-GCM credential round-trip', () => {
it('property: POST /credentials then GET /credentials/:name/secret returns original secret', async () => {
// Generate non-empty name and secret pairs
const nameArb = fc.string({ minLength: 1, maxLength: 30 }).filter(s => s.trim().length > 0);
const secretArb = fc.string({ minLength: 1, maxLength: 100 }).filter(s => s.length > 0);
await fc.assert(
fc.asyncProperty(nameArb, secretArb, async (name, secret) => {
// Use a unique suffix to avoid collisions between runs
const uniqueName = `${name}-${Date.now()}-${Math.random().toString(36).slice(2, 6)}`;
// POST /credentials — store encrypted credential
const createRes = await SELF.fetch('http://localhost/credentials', {
method: 'POST',
headers: { 'Content-Type': 'application/json' },
body: JSON.stringify({ name: uniqueName, secret, type: 'api_key' }),
});
expect(createRes.status).toBe(201);
const created = await createRes.json() as Record<string, unknown>;
expect(created.success).toBe(true);
const credId = (created.data as Record<string, unknown>).id as string;
// GET /credentials/:name/secret — retrieve and decrypt
const getRes = await SELF.fetch(`http://localhost/credentials/${credId}/secret`);
expect(getRes.status).toBe(200);
const retrieved = await getRes.json() as Record<string, unknown>;
expect(retrieved.success).toBe(true);
// The decrypted secret must equal the original
const retrievedSecret = (retrieved.data as Record<string, unknown>).secret as string;
expect(retrievedSecret).toBe(secret);
}),
{ numRuns: 5 }
);
});
it('example: specific name/secret round-trip preserves secret', async () => {
const name = 'preservation-test-key';
const secret = 'my-super-secret-api-key-12345';
const createRes = await SELF.fetch('http://localhost/credentials', {
method: 'POST',
headers: { 'Content-Type': 'application/json' },
body: JSON.stringify({ name, secret, type: 'bearer_token' }),
});
expect(createRes.status).toBe(201);
const created = await createRes.json() as Record<string, unknown>;
const credId = (created.data as Record<string, unknown>).id as string;
const getRes = await SELF.fetch(`http://localhost/credentials/${credId}/secret`);
expect(getRes.status).toBe(200);
const retrieved = await getRes.json() as Record<string, unknown>;
expect((retrieved.data as Record<string, unknown>).secret).toBe(secret);
});
});