test: harden decision record storage slice
This commit is contained in:
Eve
@@ -9,6 +9,7 @@ import {
|
||||
createDecisionRecordFileName,
|
||||
createFileDecisionStore,
|
||||
validateDecisionRecordArtifact,
|
||||
__testables as decisionArtifactTestables,
|
||||
} from '../src/storage/index.mjs';
|
||||
import { planDecisionExecution } from '../src/core/decision-runner.mjs';
|
||||
|
||||
@@ -78,6 +79,70 @@ test('decision artifact validates minimal package-owned contract', () => {
|
||||
assert.equal(validateDecisionRecordArtifact(artifact), artifact);
|
||||
});
|
||||
|
||||
test('decision artifact validator rejects malformed top-level or nested fields', () => {
|
||||
assert.throws(() => validateDecisionRecordArtifact(null), /decision record artifact must be an object/);
|
||||
|
||||
const planned = createPlannedDecision();
|
||||
const artifact = createDecisionRecordArtifact({
|
||||
decision: planned.decision,
|
||||
receipt: planned.receipt,
|
||||
recordedAt: '2026-05-08T04:00:00.000Z',
|
||||
});
|
||||
|
||||
const wrongKind = structuredClone(artifact);
|
||||
wrongKind.kind = 'NotDecisionRecordArtifact';
|
||||
assert.throws(() => validateDecisionRecordArtifact(wrongKind), /kind must be DecisionRecordArtifact/);
|
||||
|
||||
const missingReceipt = structuredClone(artifact);
|
||||
delete missingReceipt.spec.receipt;
|
||||
assert.throws(() => validateDecisionRecordArtifact(missingReceipt), /spec\.receipt must be an object record/);
|
||||
|
||||
const blankDeliveryState = structuredClone(artifact);
|
||||
blankDeliveryState.spec.receipt.delivery_state = ' ';
|
||||
assert.throws(() => validateDecisionRecordArtifact(blankDeliveryState), /spec\.receipt\.delivery_state must be a non-empty string/);
|
||||
});
|
||||
|
||||
test('decision artifact validator enforces metadata and spec consistency', () => {
|
||||
const planned = createPlannedDecision();
|
||||
const artifact = createDecisionRecordArtifact({
|
||||
decision: planned.decision,
|
||||
receipt: planned.receipt,
|
||||
recordedAt: '2026-05-08T04:00:00.000Z',
|
||||
source: {
|
||||
task_id: 'task-reporting-governance',
|
||||
correlation_id: 'corr-001',
|
||||
},
|
||||
});
|
||||
|
||||
const mismatchedPolicy = structuredClone(artifact);
|
||||
mismatchedPolicy.metadata.policy_id = 'different-policy';
|
||||
assert.throws(() => validateDecisionRecordArtifact(mismatchedPolicy), /policy_id mismatch between metadata and spec\.decision/);
|
||||
|
||||
const mismatchedDecision = structuredClone(artifact);
|
||||
mismatchedDecision.metadata.decision = 'rewrite';
|
||||
assert.throws(() => validateDecisionRecordArtifact(mismatchedDecision), /decision mismatch between metadata and spec\.decision/);
|
||||
|
||||
const mismatchedTask = structuredClone(artifact);
|
||||
mismatchedTask.metadata.task_id = 'other-task';
|
||||
assert.throws(() => validateDecisionRecordArtifact(mismatchedTask), /task_id mismatch between metadata and spec\.source/);
|
||||
|
||||
const mismatchedCorrelation = structuredClone(artifact);
|
||||
mismatchedCorrelation.metadata.correlation_id = 'corr-other';
|
||||
assert.throws(() => validateDecisionRecordArtifact(mismatchedCorrelation), /correlation_id mismatch between metadata and spec\.source/);
|
||||
});
|
||||
|
||||
test('decision artifact validator rejects malformed recorded_at timestamp', () => {
|
||||
const planned = createPlannedDecision();
|
||||
const artifact = createDecisionRecordArtifact({
|
||||
decision: planned.decision,
|
||||
receipt: planned.receipt,
|
||||
recordedAt: '2026-05-08T04:00:00.000Z',
|
||||
});
|
||||
|
||||
artifact.metadata.recorded_at = 'not-a-timestamp';
|
||||
assert.throws(() => validateDecisionRecordArtifact(artifact), /recorded_at must be a valid ISO-8601 timestamp/);
|
||||
});
|
||||
|
||||
test('decision artifact filename is stable and readable', () => {
|
||||
const planned = createPlannedDecision();
|
||||
const artifact = createDecisionRecordArtifact({
|
||||
@@ -90,6 +155,45 @@ test('decision artifact filename is stable and readable', () => {
|
||||
assert.match(fileName, /^2026-05-08T04-00-00-000Z-no-silence\.missed-checkpoint-force_checkpoint-dec_[a-f0-9-]+\.json$/);
|
||||
});
|
||||
|
||||
test('decision artifact filename sanitizes unsafe policy and decision segments', () => {
|
||||
const artifact = {
|
||||
kind: 'DecisionRecordArtifact',
|
||||
apiVersion: 'reporting-governance/v1alpha1',
|
||||
metadata: {
|
||||
record_id: 'dec_test',
|
||||
recorded_at: '2026-05-08T04:00:00.000Z',
|
||||
policy_id: '../policy with spaces?',
|
||||
decision: 'force checkpoint!',
|
||||
correlation_id: null,
|
||||
task_id: null,
|
||||
event_id: null,
|
||||
},
|
||||
spec: {
|
||||
decision: {
|
||||
policy_id: '../policy with spaces?',
|
||||
decision: 'force checkpoint!',
|
||||
},
|
||||
receipt: {
|
||||
delivery_state: 'pending_external_send',
|
||||
},
|
||||
source: {
|
||||
event_id: null,
|
||||
task_id: null,
|
||||
correlation_id: null,
|
||||
},
|
||||
},
|
||||
};
|
||||
|
||||
const fileName = createDecisionRecordFileName(artifact);
|
||||
assert.equal(fileName, '2026-05-08T04-00-00-000Z-policy-with-spaces-force-checkpoint-dec_test.json');
|
||||
});
|
||||
|
||||
test('sanitizeFileSegment collapses malicious or blank segments to safe file names', () => {
|
||||
assert.equal(decisionArtifactTestables.sanitizeFileSegment('../../etc/passwd', 'fallback'), 'etc-passwd');
|
||||
assert.equal(decisionArtifactTestables.sanitizeFileSegment(' ', 'fallback'), 'fallback');
|
||||
assert.equal(decisionArtifactTestables.sanitizeFileSegment('policy:force/checkpoint', 'fallback'), 'policy-force-checkpoint');
|
||||
});
|
||||
|
||||
test('file decision store writes and reloads a validated decision artifact inside repo root', async (t) => {
|
||||
const sandbox = fs.mkdtempSync(path.join(os.tmpdir(), 'reporting-governance-decision-store-'));
|
||||
t.after(() => fs.rmSync(sandbox, { recursive: true, force: true }));
|
||||
@@ -122,6 +226,79 @@ test('file decision store writes and reloads a validated decision artifact insid
|
||||
assert.equal(loaded.artifact.spec.receipt.delivery_state, 'pending_external_send');
|
||||
});
|
||||
|
||||
test('file decision store load rejects corrupted or malformed artifacts', async (t) => {
|
||||
const sandbox = fs.mkdtempSync(path.join(os.tmpdir(), 'reporting-governance-decision-store-'));
|
||||
t.after(() => fs.rmSync(sandbox, { recursive: true, force: true }));
|
||||
|
||||
const fakeRepoRoot = path.join(sandbox, 'repo');
|
||||
const decisionsDir = path.join(fakeRepoRoot, 'state', 'decisions');
|
||||
fs.mkdirSync(decisionsDir, { recursive: true });
|
||||
|
||||
const store = createFileDecisionStore({
|
||||
decisionsDir,
|
||||
repoRootOverride: fakeRepoRoot,
|
||||
});
|
||||
|
||||
const malformedJsonPath = path.join(decisionsDir, 'broken.json');
|
||||
fs.writeFileSync(malformedJsonPath, '{not-json\n', 'utf8');
|
||||
assert.throws(() => store.load(malformedJsonPath));
|
||||
|
||||
const corruptedArtifactPath = path.join(decisionsDir, 'corrupted.json');
|
||||
fs.writeFileSync(corruptedArtifactPath, `${JSON.stringify({
|
||||
kind: 'DecisionRecordArtifact',
|
||||
apiVersion: 'reporting-governance/v1alpha1',
|
||||
metadata: {
|
||||
recorded_at: '',
|
||||
policy_id: 'no-silence.missed-checkpoint',
|
||||
decision: 'force_checkpoint',
|
||||
},
|
||||
spec: {
|
||||
decision: {
|
||||
policy_id: 'no-silence.missed-checkpoint',
|
||||
decision: 'force_checkpoint',
|
||||
},
|
||||
receipt: {
|
||||
delivery_state: 'pending_external_send',
|
||||
},
|
||||
source: {
|
||||
event_id: null,
|
||||
task_id: null,
|
||||
correlation_id: null,
|
||||
},
|
||||
},
|
||||
}, null, 2)}\n`, 'utf8');
|
||||
assert.throws(() => store.load(corruptedArtifactPath), /metadata\.recorded_at must be a non-empty string/);
|
||||
});
|
||||
|
||||
test('file decision store produces distinct filenames for same decision written twice', async (t) => {
|
||||
const sandbox = fs.mkdtempSync(path.join(os.tmpdir(), 'reporting-governance-decision-store-'));
|
||||
t.after(() => fs.rmSync(sandbox, { recursive: true, force: true }));
|
||||
|
||||
const fakeRepoRoot = path.join(sandbox, 'repo');
|
||||
fs.mkdirSync(fakeRepoRoot, { recursive: true });
|
||||
|
||||
const planned = createPlannedDecision();
|
||||
const store = createFileDecisionStore({
|
||||
decisionsDir: path.join(fakeRepoRoot, 'state', 'decisions'),
|
||||
repoRootOverride: fakeRepoRoot,
|
||||
});
|
||||
|
||||
const first = store.write({
|
||||
decision: planned.decision,
|
||||
receipt: planned.receipt,
|
||||
recordedAt: '2026-05-08T04:00:00.000Z',
|
||||
});
|
||||
const second = store.write({
|
||||
decision: planned.decision,
|
||||
receipt: planned.receipt,
|
||||
recordedAt: '2026-05-08T04:00:00.000Z',
|
||||
});
|
||||
|
||||
assert.notEqual(first.artifact.metadata.record_id, second.artifact.metadata.record_id);
|
||||
assert.notEqual(path.basename(first.artifactPath), path.basename(second.artifactPath));
|
||||
assert.equal(fs.readdirSync(path.join(fakeRepoRoot, 'state', 'decisions')).filter((name) => name.endsWith('.json')).length, 2);
|
||||
});
|
||||
|
||||
test('file decision store rejects decision directory escaping repo root', () => {
|
||||
assert.throws(
|
||||
() => createFileDecisionStore({
|
||||
|
||||
Reference in New Issue
Block a user