mirror of
https://github.com/multica-ai/multica.git
synced 2026-07-06 14:00:09 +02:00
* feat(integrations): add platform-agnostic channel foundation Introduce server/internal/integrations/channel — the contract every inbound IM integration implements, so the core never learns a platform's event JSON. Four pieces: - Channel interface (Type/Connect/Disconnect/Send/Capabilities) + Factory + Config (channel_type + opaque JSON blob, maps to channel_installation). - Normalized InboundMessage/OutboundMessage envelopes + Source/MediaRef/ ReplyCtx/MsgType/ChatType. Envelope holds only cross-platform-true fields; platform specifics live in Raw, read only by the adapter. - Capability bitmask: declaration only, no degrade logic in core. - Registry: Type->Factory map, last-writer-wins, concurrency-safe. Pure package (no DB/network/platform deps). Foundation for MUL-3515; the lark cutover + lark_*->channel_* generalization land in follow-up PRs. MUL-3515 Co-authored-by: multica-agent <github@multica.ai> * feat(channel): generalize lark_* tables into channel_* (DB layer) Migration 123 creates channel_installation / channel_user_binding / channel_chat_session_binding / channel_inbound_message_dedup / channel_inbound_audit / channel_outbound_card_message / channel_binding_token. Each carries a channel_type discriminator and a JSONB config for platform-specific identifiers/credentials; cross-platform columns stay flat. Existing Feishu rows are backfilled (channel_type= 'feishu', app_secret_encrypted via base64). NO foreign keys / cascades (MUL-3515 §4) — integrity moves to the app layer in the cutover. queries/channel.sql ports the lark query surface to channel_*, JSONB-aware, plus DeleteChannelUserBindingsByWorkspaceMember / DeleteChannelChatSessionBindingBySession for the app-layer cleanup that replaces the removed cascades. lark_* tables/queries are left in place here and removed once the Go cutover lands, so this commit ships green on its own. Verified: sqlc generate, go build ./..., full migrate chain (1..123) on Postgres 17, and a real-data backfill spot-check (base64 round-trip, NULL-strip, functional unique index on (channel_type, app_id)). MUL-3515 Co-authored-by: multica-agent <github@multica.ai> * fix(channel): name app_id query param + multi-IM install key + null-safe binding merge Addresses review on MUL-3515 (PR #4412): - GetChannelInstallationByAppID: explicitly name params and cast app_id to ::text so sqlc emits AppID string. A bare $2 next to `config ->> 'app_id'` was mis-attributed to the JSONB config column, generating Config []byte. - channel_installation uniqueness -> (workspace_id, agent_id, channel_type), with the UpsertChannelInstallation conflict key matched. Lets one agent hold one installation per IM (feishu + slack + ...) instead of a later install clobbering an earlier one. Behaviorally identical in the current feishu-only world; "one agent, at most one IM overall" stays an app-layer rule per MUL-3515 §4, not a DB constraint. - CreateChannelUserBinding merges jsonb_strip_nulls(EXCLUDED.config) so a re-bind carrying {"union_id": null} no longer erases an already-captured union_id, restoring the old COALESCE(EXCLUDED.union_id, ...) semantics. Regenerated with sqlc v1.31.1. Verified on PG17: re-install replaces in place, feishu+slack coexist, null re-bind keeps union_id, real union_id wins. Co-authored-by: multica-agent <github@multica.ai> * feat(lark): channel-backed Feishu store + fix base64 backfill wrapping Cutover step 1 of switching the lark Go code from lark_* onto the channel_* tables (MUL-3515). Introduces the JSONB config boundary the rest of the cutover sits on, and fixes a latent backfill bug surfaced while building it. - migration 123: strip newlines from the app_secret_encrypted base64 backfill. PostgreSQL encode(...,'base64') MIME-wraps at 76 chars, and a secretbox- sealed ~72-byte secret exceeds that. Go's encoding/json decodes a JSON string into []byte with base64.StdEncoding, which rejects embedded newlines, so without the strip every migrated installation would fail to decrypt its app secret once reads move to channel_installation.config. - store.go: flat domain types (Installation / UserBinding / ChatSessionBinding) with field parity to the retired db.Lark* rows, plus the feishu config codec. Row->domain mappers decode the JSONB config; the secret decoder is whitespace-tolerant so legacy MIME-wrapped data still round-trips, while the encoder emits unwrapped base64. Binding config encodes an absent union_id as "{}" so the upsert's jsonb_strip_nulls merge never clobbers a stored union_id. - store_test.go: 72-byte secret round-trip, MIME-wrapped tolerance, optional null-strip, and flat-column preservation. Verified on PG17. Field parity keeps the upcoming ~190 db.LarkInstallation call sites a mechanical rename. No call sites switched yet; behavior unchanged. Co-authored-by: multica-agent <github@multica.ai> * feat(lark): route inbound integration onto channel_* + explicit membership checks Cutover step 2 (MUL-3515): switch the Feishu Go code from the lark_* queries to channel_* via a ChannelStore adapter, and replace the removed member foreign key with explicit application-layer membership checks. No user-visible behavior change. - channel_store.go: ChannelStore embeds *db.Queries and SHADOWS the ~24 lark query methods with channel_*-backed equivalents, keeping the db.Lark* signatures so the dispatcher/hub/services and their ~20k lines of tests stay untouched; the feishu JSONB config is (de)coded by store.go. Adds IsWorkspaceMember and a tx-aware WithTx. Only production wiring swaps *db.Queries for *ChannelStore. - Membership re-check (§4 removed the lark_user_binding -> member FK, so a binding row no longer proves current membership): * the dispatcher inbound identity step verifies membership after the binding lookup; a former member's stale binding is dropped as non_workspace_member + audited and never reaches chat_session (§4.3 safety property). * RedeemAndBind and BindInstallerTx replace the now-dead FK (23503) branch with an explicit IsWorkspaceMember gate, preserving the existing ErrBindingNotWorkspaceMember outcome without burning the token. - router wires the ChannelStore into the patcher, typing indicator, dispatcher, hub, and the union_id/region backfills; constructor-based services wrap *db.Queries internally so their signatures and nil-check tests are unchanged. Verified: go build ./... ; go vet ; gofmt ; go test -race ./internal/integrations/... (full lark suite green unchanged + new membership drop/error tests). Adapter field mappings (secret base64, union_id RMW, chat-id/open-id remaps, dedup, token, card) checked end-to-end against a PG17 channel_* schema. lark_* tables and queries remain (unused at runtime) until the S3 cleanup-hooks and S4 drop-tables/rename commits. Co-authored-by: multica-agent <github@multica.ai> * fix(channel): renumber generalization migration 123 -> 124 main merged 123_issue_stage after this branch forked, so the branch's 123_channel_generalization now collides on the migration number. The runner keys schema_migrations by full version string and would still apply both, but a duplicate number is a merge hazard and convention violation, so move the channel migration to the next free slot (124). issue_stage (ALTER issue ADD COLUMN stage) and the channel generalization touch disjoint tables; verified on PG17 that 123_issue_stage applies cleanly on a DB already carrying 124_channel_generalization, so the two are order-independent. sqlc regenerated (v1.31.1): only the migration-number comment changed. MUL-3515 Co-authored-by: multica-agent <github@multica.ai> * feat(channel): prune channel bindings on member removal + chat session delete MUL-3515 §4 dropped every channel_* foreign key, so the old ON DELETE CASCADE that cleared a user's channel_user_binding when they left a workspace, and a chat's channel_chat_session_binding when its chat_session was deleted, no longer fires. Re-establish that integrity in the application layer, inside the existing transactions: revokeAndRemoveMember -> DeleteChannelUserBindingsByWorkspaceMember, DeleteChatSession -> DeleteChannelChatSessionBindingBySession. Adds real-DB tests for both paths, including a scoping check that a remaining member's binding survives the prune. Verified on PG17: both new tests plus the existing revocation tests and the full handler package pass. MUL-3515 Co-authored-by: multica-agent <github@multica.ai> * fix(channel): scope Lark/Feishu store reads to channel_type='feishu' The S2 cutover routed the Feishu integration onto channel_*, but the Lark-facing ChannelStore wrappers read installation / chat-session-binding / outbound-card rows across ALL channel_type values. Once a second IM exists, that would let the Lark hub supervise a non-Feishu installation, the Lark install list show it, /lark/installations/{id} revoke another channel's row, and the outbound patcher / typing indicator act on a non-Feishu chat binding or card. Add a channel_type predicate to the six read/list channel queries and pass channelTypeFeishu from every wrapper: GetChannelInstallation, GetChannelInstallationInWorkspace, ListChannelInstallationsByWorkspace, ListActiveChannelInstallations, GetChannelChatSessionBindingBySession, GetChannelOutboundCardByTask. The S3 cleanup deletes (DeleteChannelUserBindingsByWorkspaceMember / DeleteChannelChatSessionBindingBySession) stay all-channel on purpose: a member leaving or a chat_session being deleted should clear every IM's binding. Adds a real-DB test that seeds a Slack installation/binding/card next to the Feishu ones and asserts the Lark wrappers never return them. MUL-3515 Co-authored-by: multica-agent <github@multica.ai> * refactor(channel): replace db.Lark* translation layer with lark domain types S2 introduced ChannelStore as a translation layer that read/wrote channel_* but kept the retired db.Lark* struct/param shapes so the dispatcher/hub/services and their ~20k lines of tests did not have to change. This collapses that layer: the store now takes and returns the package's flat domain types (Installation, UserBinding, ChatSessionBinding, InboundMessageDedup, BindingTokenRow, OutboundCardMessage) and the *Params types in params.go, with channel-neutral field names (ChannelUserID / ChannelChatID / ...). All call sites, fakes, and tests move to the domain types. No behavior change: only channel_* is read/written (as before); db.Lark* is now unused, and the lark_* tables + queries/lark.sql are removed in the next commit. Verified on PG17: go build / vet / gofmt clean, go test -race ./internal/integrations/... green (the ~20k-line fake suite), and the lark + handler suites pass. MUL-3515 Co-authored-by: multica-agent <github@multica.ai> * refactor(channel): drop lark_* tables and queries (remove old path) The Go cutover (previous commit) moved the lark package entirely onto channel_* and the domain types, leaving the lark_* tables, queries/lark.sql, and the generated db.Lark* models unused. Remove them per the design (§5: replace, do not keep both): migration 125 drops the seven lark_* tables (data already lives in channel_* since migration 124), and queries/lark.sql is deleted + sqlc regenerated, removing the db.Lark* models and lark query methods. The 125 down recreates the authoritative pre-drop schema (bot_union_id, region, per-installation dedup PK, thread-reply columns). Verified on PG17: fresh migrate up ends with lark_* gone + channel_* present; isolated 125 down/up round-trips correctly; go build / vet / gofmt clean; go test -race ./internal/integrations/... and the handler suite pass. MUL-3515 Co-authored-by: multica-agent <github@multica.ai> * fix(migrations): remove trailing blank line at EOF of 125 down migration git diff --check flagged a blank line at EOF of 125_drop_lark_tables.down.sql (a pg_dump-generation artifact). Whitespace only; the recreate SQL is unchanged. MUL-3515 Co-authored-by: multica-agent <github@multica.ai> * refactor(channel): defer lark_* table drop to a follow-up migration Preflight deploy review: dropping lark_* in the same release that cuts over (old migration 125) is not rollback/rolling-safe — the v0.3.27 release still reads lark_*, so a rolling deploy or a post-deploy code rollback would hit "relation does not exist". Remove the drop and keep the old tables for one release (standard expand/contract): migration 124 already backfilled lark_* -> channel_*, the new code reads/writes only channel_*, and the physical drop moves to a separate cleanup migration once this ships and is observed. The lark_* tables remain in the schema, so sqlc regenerates the (now unused) db.Lark* models; queries/lark.sql stays deleted (the new code uses channel_*). No code path reads lark_* — only the destructive drop is deferred, keeping the design's no-compat-layer / no-dual-write rule while being deploy-safe. MUL-3515 Co-authored-by: multica-agent <github@multica.ai> * fix(channel): skip orphaned installations in hub-boot active scan Preflight deploy review: channel_installation dropped the workspace/agent FK (MUL-3515 §4), so unlike lark_installation it does not cascade away when its workspace is deleted or its agent is hard-deleted (e.g. runtime teardown). The hub-boot query then keeps opening a WebSocket for a bot whose owner is gone. JOIN ListActiveChannelInstallations to live workspace + agent so an orphaned installation is never connected, uniformly for every deletion path. The JOIN matches the old ON DELETE CASCADE semantics (row existence, not agent archival), so an archived-but-present agent's installation is still listed; the orphaned row's encrypted secret is thereby never decrypted/used. Tests: a real-DB handler test asserts a deleted-workspace/agent installation and a non-Feishu one are both excluded; the lark scope test's active-list assertion moved there since the JOIN now needs real workspace/agent fixtures. (Physically deleting dormant orphaned channel rows on workspace/agent deletion is a separate app-layer-cleanup follow-up.) MUL-3515 Co-authored-by: multica-agent <github@multica.ai> * docs(channel): document non-rolling cutover constraint for the lark->channel migration Elon deploy review: keeping the lark_* tables (deferred drop) stops old v0.3.27 code from crashing, but is not full expand/contract. Migration 124 is a one-time backfill; afterwards new code runs on channel_* (lease + dedup on channel_*) while pre-cutover code runs on lark_* (lease + dedup on lark_*). If both run concurrently during a rolling deploy, each side claims the same Feishu bot's WS lease on its own table and double-processes inbound events. This release therefore requires a NON-ROLLING cutover (stop the old hub before applying migration 124 + starting new code; rollback is not lossless once new code writes channel_*). Documented where deployers/reviewers see it: migration 124 header gains a ROLLOUT note; the channel_store.go header is corrected (lark_* tables are retained one release for rollback safety, not "gone"; the store still never touches them). Comment-only — no schema/codegen/behavior change. MUL-3515 Co-authored-by: multica-agent <github@multica.ai> * feat(lark): add MULTICA_LARK_HUB_DISABLED switch for the channel cutover The lark_*->channel_* cutover needs a way to make the Feishu bot briefly unavailable WITHOUT taking down the whole multica-api process — the Lark hub is a goroutine inside it, not a separate Deployment. MULTICA_LARK_HUB_DISABLED=true parks the hub at startup: the API serves HTTP normally but never claims a WS lease or opens a Feishu connection. Rollout (see migration 124 ROLLOUT note): ship the new release with the flag SET so new pods run API-only while old pods (hub on lark_*) drain during the rolling deploy — the two hubs never overlap. After the old pods are gone and migration 124 has run, flip the flag off; the new hub comes up on channel_*. The old backend does NOT need this switch — its hub stops when k8s terminates the old pods, not via a flag. Nil-ing LarkHub reuses the existing not-configured path so both the startup start and the shutdown join skip it. MUL-3515 Co-authored-by: multica-agent <github@multica.ai> * docs(channel): point migration 124 ROLLOUT note at the hub-disable switch Refine the rollout note to use MULTICA_LARK_HUB_DISABLED for a bot-only cutover (new pods serve API with the hub parked while old pods drain; flip the switch off after the migration), instead of the earlier whole-API recreate. Comment-only. MUL-3515 Co-authored-by: multica-agent <github@multica.ai> * docs(channel): fix migration 124 rollout order and document self-host cutover The previous ROLLOUT note shipped the new (channel_*) build before running migration 124, so the channel_*-backed HTTP paths (installation list/install/revoke, chat-session delete, member revoke) would 500 in the window between new-pod boot and the deferred migration. Restate the runbook around two explicit invariants — channel_* must exist before the new build serves those paths, and the old/new hubs must never overlap — and order the steps so channel_* is created first (park old hub -> snapshot -> deploy parked new build -> unpark). Document that default self-host (entrypoint migrate + single-replica Recreate) satisfies both invariants automatically and needs no manual steps; only prd / multi-replica rolling self-host needs the switch procedure. Clarify in main.go that the hub-park switch is generation-agnostic (parks whichever hub the build carries), which is what enables the preparatory release. Refs MUL-3515 Co-authored-by: multica-agent <github@multica.ai> --------- Co-authored-by: J <j@multica.ai> Co-authored-by: multica-agent <github@multica.ai>
834 lines
30 KiB
Go
834 lines
30 KiB
Go
package handler
|
|
|
|
import (
|
|
"context"
|
|
"crypto/sha256"
|
|
"encoding/hex"
|
|
"encoding/json"
|
|
"fmt"
|
|
"net/http"
|
|
"net/http/httptest"
|
|
"sort"
|
|
"testing"
|
|
)
|
|
|
|
func TestCreateWorkspace_RejectsReservedSlug(t *testing.T) {
|
|
// Drive the test off the actual reservedSlugs map so the test can never
|
|
// drift from the source of truth. New entries are covered automatically.
|
|
reserved := make([]string, 0, len(reservedSlugs))
|
|
for slug := range reservedSlugs {
|
|
reserved = append(reserved, slug)
|
|
}
|
|
sort.Strings(reserved) // deterministic test order
|
|
|
|
for _, slug := range reserved {
|
|
t.Run(slug, func(t *testing.T) {
|
|
w := httptest.NewRecorder()
|
|
req := newRequest("POST", "/api/workspaces", map[string]any{
|
|
"name": fmt.Sprintf("Test %s", slug),
|
|
"slug": slug,
|
|
})
|
|
testHandler.CreateWorkspace(w, req)
|
|
|
|
if w.Code != http.StatusBadRequest {
|
|
t.Fatalf("slug %q: expected 400, got %d: %s", slug, w.Code, w.Body.String())
|
|
}
|
|
})
|
|
}
|
|
}
|
|
|
|
// TestCreateWorkspace_DoesNotMarkOnboarded guards the onboarding
|
|
// contract: creating a workspace MUST leave user.onboarded_at NULL so
|
|
// the route guard in apps/web/app/[workspaceSlug]/layout.tsx (and the
|
|
// desktop App.tsx overlay decision) can redirect the un-onboarded user
|
|
// back to /onboarding to finish Step 3. The previous behavior atomically
|
|
// set onboarded_at inside CreateWorkspace; this test makes the new
|
|
// invariant explicit and regression-protected.
|
|
//
|
|
// CompleteOnboarding (Step 3 exit) and AcceptInvitation are the only
|
|
// remaining handlers that flip onboarded_at.
|
|
func TestCreateWorkspace_DoesNotMarkOnboarded(t *testing.T) {
|
|
if testHandler == nil {
|
|
t.Skip("database not available")
|
|
}
|
|
|
|
ctx := context.Background()
|
|
const slug = "handler-tests-onboarded-null"
|
|
_, _ = testPool.Exec(ctx, `DELETE FROM workspace WHERE slug = $1`, slug)
|
|
// Ensure the test user starts un-onboarded so the assertion is meaningful.
|
|
_, _ = testPool.Exec(ctx, `UPDATE "user" SET onboarded_at = NULL WHERE id = $1`, testUserID)
|
|
|
|
t.Cleanup(func() {
|
|
_, _ = testPool.Exec(context.Background(), `DELETE FROM workspace WHERE slug = $1`, slug)
|
|
_, _ = testPool.Exec(context.Background(), `UPDATE "user" SET onboarded_at = NULL WHERE id = $1`, testUserID)
|
|
})
|
|
|
|
w := httptest.NewRecorder()
|
|
req := newRequest("POST", "/api/workspaces", map[string]any{
|
|
"name": "Onboarding Invariant Probe",
|
|
"slug": slug,
|
|
})
|
|
testHandler.CreateWorkspace(w, req)
|
|
if w.Code != http.StatusCreated {
|
|
t.Fatalf("CreateWorkspace: expected 201, got %d: %s", w.Code, w.Body.String())
|
|
}
|
|
|
|
var onboardedAt *string
|
|
if err := testPool.QueryRow(ctx, `SELECT onboarded_at FROM "user" WHERE id = $1`, testUserID).Scan(&onboardedAt); err != nil {
|
|
t.Fatalf("lookup user: %v", err)
|
|
}
|
|
if onboardedAt != nil {
|
|
t.Fatalf("CreateWorkspace marked user as onboarded; expected NULL, got %q. The workspace layout hard gate relies on this staying NULL until Step 3 CompleteOnboarding fires.", *onboardedAt)
|
|
}
|
|
}
|
|
|
|
// TestCreateWorkspace_DisabledByConfig guards the self-host gate added by
|
|
// #3433: when DisableWorkspaceCreation is true on the handler config, every
|
|
// caller — even an already-authenticated user — must receive 403 and the
|
|
// workspace row must not be written.
|
|
func TestCreateWorkspace_DisabledByConfig(t *testing.T) {
|
|
if testHandler == nil {
|
|
t.Skip("database not available")
|
|
}
|
|
|
|
const slug = "handler-tests-disabled-create"
|
|
ctx := context.Background()
|
|
_, _ = testPool.Exec(ctx, `DELETE FROM workspace WHERE slug = $1`, slug)
|
|
t.Cleanup(func() {
|
|
_, _ = testPool.Exec(context.Background(), `DELETE FROM workspace WHERE slug = $1`, slug)
|
|
})
|
|
|
|
prev := testHandler.cfg
|
|
testHandler.cfg = Config{
|
|
AllowSignup: prev.AllowSignup,
|
|
DisableWorkspaceCreation: true,
|
|
}
|
|
t.Cleanup(func() { testHandler.cfg = prev })
|
|
|
|
w := httptest.NewRecorder()
|
|
req := newRequest("POST", "/api/workspaces", map[string]any{
|
|
"name": "Disabled Create",
|
|
"slug": slug,
|
|
})
|
|
testHandler.CreateWorkspace(w, req)
|
|
if w.Code != http.StatusForbidden {
|
|
t.Fatalf("CreateWorkspace: expected 403 with flag on, got %d: %s", w.Code, w.Body.String())
|
|
}
|
|
|
|
var count int
|
|
if err := testPool.QueryRow(ctx, `SELECT count(*) FROM workspace WHERE slug = $1`, slug).Scan(&count); err != nil {
|
|
t.Fatalf("count workspaces: %v", err)
|
|
}
|
|
if count != 0 {
|
|
t.Fatalf("expected no workspace row to be written when gate fires, found %d", count)
|
|
}
|
|
}
|
|
|
|
// TestDeleteWorkspace_RequiresOwner exercises the in-handler authorization
|
|
// added to DeleteWorkspace by calling the handler directly (bypassing the
|
|
// router-level RequireWorkspaceRoleFromURL middleware). Without the handler
|
|
// check, a non-owner member request would reach DeleteWorkspace and erase the
|
|
// workspace; with it, the handler must return 403 and leave the workspace
|
|
// intact.
|
|
func TestDeleteWorkspace_RequiresOwner(t *testing.T) {
|
|
ctx := context.Background()
|
|
|
|
const slug = "handler-tests-delete-403"
|
|
_, _ = testPool.Exec(ctx, `DELETE FROM workspace WHERE slug = $1`, slug)
|
|
|
|
var wsID string
|
|
if err := testPool.QueryRow(ctx, `
|
|
INSERT INTO workspace (name, slug, description)
|
|
VALUES ($1, $2, $3)
|
|
RETURNING id
|
|
`, "Handler Test Delete 403", slug, "DeleteWorkspace handler permission test").Scan(&wsID); err != nil {
|
|
t.Fatalf("create workspace: %v", err)
|
|
}
|
|
t.Cleanup(func() {
|
|
_, _ = testPool.Exec(context.Background(), `DELETE FROM workspace WHERE id = $1`, wsID)
|
|
})
|
|
|
|
if _, err := testPool.Exec(ctx, `
|
|
INSERT INTO member (workspace_id, user_id, role)
|
|
VALUES ($1, $2, 'admin')
|
|
`, wsID, testUserID); err != nil {
|
|
t.Fatalf("create admin member: %v", err)
|
|
}
|
|
|
|
w := httptest.NewRecorder()
|
|
req := newRequest("DELETE", "/api/workspaces/"+wsID, nil)
|
|
req = withURLParam(req, "id", wsID)
|
|
testHandler.DeleteWorkspace(w, req)
|
|
|
|
if w.Code != http.StatusForbidden {
|
|
t.Fatalf("expected 403 from DeleteWorkspace handler for admin (non-owner), got %d: %s", w.Code, w.Body.String())
|
|
}
|
|
|
|
var exists bool
|
|
if err := testPool.QueryRow(ctx, `SELECT EXISTS (SELECT 1 FROM workspace WHERE id = $1)`, wsID).Scan(&exists); err != nil {
|
|
t.Fatalf("verify workspace: %v", err)
|
|
}
|
|
if !exists {
|
|
t.Fatal("workspace was deleted despite non-owner request — handler-level check did not fire")
|
|
}
|
|
}
|
|
|
|
// TestDeleteWorkspace_OwnerSucceeds is the positive counterpart: an owner
|
|
// calling DeleteWorkspace directly must succeed (204) and the workspace must
|
|
// be gone. This guards the handler check against being too strict.
|
|
func TestDeleteWorkspace_OwnerSucceeds(t *testing.T) {
|
|
ctx := context.Background()
|
|
|
|
const slug = "handler-tests-delete-ok"
|
|
_, _ = testPool.Exec(ctx, `DELETE FROM workspace WHERE slug = $1`, slug)
|
|
|
|
var wsID string
|
|
if err := testPool.QueryRow(ctx, `
|
|
INSERT INTO workspace (name, slug, description)
|
|
VALUES ($1, $2, $3)
|
|
RETURNING id
|
|
`, "Handler Test Delete OK", slug, "DeleteWorkspace handler owner test").Scan(&wsID); err != nil {
|
|
t.Fatalf("create workspace: %v", err)
|
|
}
|
|
t.Cleanup(func() {
|
|
_, _ = testPool.Exec(context.Background(), `DELETE FROM workspace WHERE id = $1`, wsID)
|
|
})
|
|
|
|
if _, err := testPool.Exec(ctx, `
|
|
INSERT INTO member (workspace_id, user_id, role)
|
|
VALUES ($1, $2, 'owner')
|
|
`, wsID, testUserID); err != nil {
|
|
t.Fatalf("create owner member: %v", err)
|
|
}
|
|
if _, err := testPool.Exec(ctx, `
|
|
INSERT INTO github_pending_check_suite (
|
|
workspace_id, installation_id, repo_owner, repo_name, pr_number,
|
|
suite_id, head_sha, app_id, status, suite_updated_at
|
|
)
|
|
VALUES ($1, 123456789, 'multica-ai', 'multica', 3366, 987654321, 'abc123', 15368, 'completed', now())
|
|
`, wsID); err != nil {
|
|
t.Fatalf("create pending check suite: %v", err)
|
|
}
|
|
|
|
w := httptest.NewRecorder()
|
|
req := newRequest("DELETE", "/api/workspaces/"+wsID, nil)
|
|
req = withURLParam(req, "id", wsID)
|
|
testHandler.DeleteWorkspace(w, req)
|
|
|
|
if w.Code != http.StatusNoContent {
|
|
t.Fatalf("expected 204 from DeleteWorkspace handler for owner, got %d: %s", w.Code, w.Body.String())
|
|
}
|
|
|
|
var exists bool
|
|
if err := testPool.QueryRow(ctx, `SELECT EXISTS (SELECT 1 FROM workspace WHERE id = $1)`, wsID).Scan(&exists); err != nil {
|
|
t.Fatalf("verify workspace: %v", err)
|
|
}
|
|
if exists {
|
|
t.Fatal("workspace still exists after owner DELETE")
|
|
}
|
|
|
|
var pendingCount int
|
|
if err := testPool.QueryRow(ctx, `SELECT COUNT(*) FROM github_pending_check_suite WHERE workspace_id = $1`, wsID).Scan(&pendingCount); err != nil {
|
|
t.Fatalf("verify pending check suites: %v", err)
|
|
}
|
|
if pendingCount != 0 {
|
|
t.Fatalf("pending check suites were not cleaned up for deleted workspace: %d", pendingCount)
|
|
}
|
|
}
|
|
|
|
// TestUpdateWorkspace_AvatarURL covers the avatar_url field added to
|
|
// UpdateWorkspaceRequest: a PATCH with avatar_url is persisted and surfaced
|
|
// back on the response, and partial updates leave other fields untouched.
|
|
// Route-level authorization (owner/admin) is enforced by middleware in
|
|
// router.go; the handler test calls UpdateWorkspace directly to verify the
|
|
// payload wiring.
|
|
func TestUpdateWorkspace_AvatarURL(t *testing.T) {
|
|
ctx := context.Background()
|
|
|
|
const slug = "handler-tests-avatar-url"
|
|
_, _ = testPool.Exec(ctx, `DELETE FROM workspace WHERE slug = $1`, slug)
|
|
|
|
var wsID string
|
|
if err := testPool.QueryRow(ctx, `
|
|
INSERT INTO workspace (name, slug, description)
|
|
VALUES ($1, $2, $3)
|
|
RETURNING id
|
|
`, "Handler Test Avatar URL", slug, "UpdateWorkspace avatar_url test").Scan(&wsID); err != nil {
|
|
t.Fatalf("create workspace: %v", err)
|
|
}
|
|
t.Cleanup(func() {
|
|
_, _ = testPool.Exec(context.Background(), `DELETE FROM workspace WHERE id = $1`, wsID)
|
|
})
|
|
|
|
if _, err := testPool.Exec(ctx, `
|
|
INSERT INTO member (workspace_id, user_id, role)
|
|
VALUES ($1, $2, 'owner')
|
|
`, wsID, testUserID); err != nil {
|
|
t.Fatalf("create owner member: %v", err)
|
|
}
|
|
|
|
const avatarURL = "https://cdn.example.com/workspaces/abc/logo.png"
|
|
|
|
w := httptest.NewRecorder()
|
|
req := newRequest("PATCH", "/api/workspaces/"+wsID, map[string]any{
|
|
"avatar_url": avatarURL,
|
|
})
|
|
req = withURLParam(req, "id", wsID)
|
|
testHandler.UpdateWorkspace(w, req)
|
|
|
|
if w.Code != http.StatusOK {
|
|
t.Fatalf("expected 200 from UpdateWorkspace, got %d: %s", w.Code, w.Body.String())
|
|
}
|
|
|
|
var resp WorkspaceResponse
|
|
if err := json.Unmarshal(w.Body.Bytes(), &resp); err != nil {
|
|
t.Fatalf("decode response: %v", err)
|
|
}
|
|
if resp.AvatarURL == nil || *resp.AvatarURL != avatarURL {
|
|
t.Fatalf("expected avatar_url %q in response, got %v", avatarURL, resp.AvatarURL)
|
|
}
|
|
if resp.Name != "Handler Test Avatar URL" {
|
|
t.Fatalf("name should be unchanged by avatar-only update, got %q", resp.Name)
|
|
}
|
|
|
|
var dbAvatar *string
|
|
if err := testPool.QueryRow(ctx, `SELECT avatar_url FROM workspace WHERE id = $1`, wsID).Scan(&dbAvatar); err != nil {
|
|
t.Fatalf("read avatar_url back: %v", err)
|
|
}
|
|
if dbAvatar == nil || *dbAvatar != avatarURL {
|
|
t.Fatalf("expected avatar_url %q persisted, got %v", avatarURL, dbAvatar)
|
|
}
|
|
|
|
// A follow-up update that doesn't include avatar_url must leave it alone.
|
|
w2 := httptest.NewRecorder()
|
|
req2 := newRequest("PATCH", "/api/workspaces/"+wsID, map[string]any{
|
|
"description": "new description",
|
|
})
|
|
req2 = withURLParam(req2, "id", wsID)
|
|
testHandler.UpdateWorkspace(w2, req2)
|
|
|
|
if w2.Code != http.StatusOK {
|
|
t.Fatalf("expected 200 from second UpdateWorkspace, got %d: %s", w2.Code, w2.Body.String())
|
|
}
|
|
|
|
var resp2 WorkspaceResponse
|
|
if err := json.Unmarshal(w2.Body.Bytes(), &resp2); err != nil {
|
|
t.Fatalf("decode second response: %v", err)
|
|
}
|
|
if resp2.AvatarURL == nil || *resp2.AvatarURL != avatarURL {
|
|
t.Fatalf("avatar_url should be preserved by partial update, got %v", resp2.AvatarURL)
|
|
}
|
|
}
|
|
|
|
func TestUpdateWorkspace_ReposValidation(t *testing.T) {
|
|
ctx := context.Background()
|
|
|
|
const slug = "handler-tests-repos-validation"
|
|
_, _ = testPool.Exec(ctx, `DELETE FROM workspace WHERE slug = $1`, slug)
|
|
|
|
var wsID string
|
|
if err := testPool.QueryRow(ctx, `
|
|
INSERT INTO workspace (name, slug, description)
|
|
VALUES ($1, $2, $3)
|
|
RETURNING id
|
|
`, "Handler Test Repos Validation", slug, "UpdateWorkspace repos validation test").Scan(&wsID); err != nil {
|
|
t.Fatalf("create workspace: %v", err)
|
|
}
|
|
t.Cleanup(func() {
|
|
_, _ = testPool.Exec(context.Background(), `DELETE FROM workspace WHERE id = $1`, wsID)
|
|
})
|
|
|
|
if _, err := testPool.Exec(ctx, `
|
|
INSERT INTO member (workspace_id, user_id, role)
|
|
VALUES ($1, $2, 'owner')
|
|
`, wsID, testUserID); err != nil {
|
|
t.Fatalf("create owner member: %v", err)
|
|
}
|
|
|
|
t.Run("rejects invalid repo URLs without persisting", func(t *testing.T) {
|
|
w := httptest.NewRecorder()
|
|
req := newRequest("PATCH", "/api/workspaces/"+wsID, map[string]any{
|
|
"repos": []map[string]any{
|
|
{"url": "not-a-url"},
|
|
},
|
|
})
|
|
req = withURLParam(req, "id", wsID)
|
|
testHandler.UpdateWorkspace(w, req)
|
|
|
|
if w.Code != http.StatusBadRequest {
|
|
t.Fatalf("expected 400 from invalid repos update, got %d: %s", w.Code, w.Body.String())
|
|
}
|
|
|
|
var raw []byte
|
|
if err := testPool.QueryRow(ctx, `SELECT repos FROM workspace WHERE id = $1`, wsID).Scan(&raw); err != nil {
|
|
t.Fatalf("read repos: %v", err)
|
|
}
|
|
if string(raw) != "[]" {
|
|
t.Fatalf("invalid repos update should not persist, got %s", raw)
|
|
}
|
|
})
|
|
|
|
t.Run("normalizes valid repos", func(t *testing.T) {
|
|
w := httptest.NewRecorder()
|
|
req := newRequest("PATCH", "/api/workspaces/"+wsID, map[string]any{
|
|
"repos": []map[string]any{
|
|
{
|
|
"url": " https://github.com/multica-ai/multica.git ",
|
|
"description": " main monorepo ",
|
|
},
|
|
{
|
|
"url": "https://github.com/multica-ai/multica.git",
|
|
},
|
|
{
|
|
"url": "git@github.com:multica-ai/multica-cloud.git",
|
|
},
|
|
},
|
|
})
|
|
req = withURLParam(req, "id", wsID)
|
|
testHandler.UpdateWorkspace(w, req)
|
|
|
|
if w.Code != http.StatusOK {
|
|
t.Fatalf("expected 200 from valid repos update, got %d: %s", w.Code, w.Body.String())
|
|
}
|
|
|
|
var raw []byte
|
|
if err := testPool.QueryRow(ctx, `SELECT repos FROM workspace WHERE id = $1`, wsID).Scan(&raw); err != nil {
|
|
t.Fatalf("read repos: %v", err)
|
|
}
|
|
var repos []workspaceRepoRef
|
|
if err := json.Unmarshal(raw, &repos); err != nil {
|
|
t.Fatalf("decode repos: %v", err)
|
|
}
|
|
if len(repos) != 2 {
|
|
t.Fatalf("expected duplicate URL to be deduped, got %d repos: %s", len(repos), raw)
|
|
}
|
|
if repos[0].URL != "https://github.com/multica-ai/multica.git" || repos[0].Description != "main monorepo" {
|
|
t.Fatalf("first repo not normalized: %+v", repos[0])
|
|
}
|
|
if repos[1].URL != "git@github.com:multica-ai/multica-cloud.git" {
|
|
t.Fatalf("second repo not preserved: %+v", repos[1])
|
|
}
|
|
})
|
|
}
|
|
|
|
// revocationFixture is a minimal (workspace, member-to-revoke, runtime,
|
|
// agent, queued-task, daemon-token) bundle used to drive the revocation
|
|
// tests. The "requester" is always testUserID (owner of the workspace) so
|
|
// `newRequest` passes the existing fixtures' auth context unchanged.
|
|
type revocationFixture struct {
|
|
WorkspaceID string
|
|
TargetUserID string
|
|
MemberID string
|
|
RuntimeID string
|
|
AgentID string
|
|
TaskID string
|
|
DaemonID string
|
|
TokenHash string
|
|
}
|
|
|
|
func setupRevocationFixture(t *testing.T, slug, daemonID string) revocationFixture {
|
|
t.Helper()
|
|
ctx := context.Background()
|
|
|
|
_, _ = testPool.Exec(ctx, `DELETE FROM workspace WHERE slug = $1`, slug)
|
|
|
|
var wsID string
|
|
if err := testPool.QueryRow(ctx, `
|
|
INSERT INTO workspace (name, slug, description, issue_prefix)
|
|
VALUES ($1, $2, $3, $4)
|
|
RETURNING id
|
|
`, "Revocation "+slug, slug, "revocation test", "REV").Scan(&wsID); err != nil {
|
|
t.Fatalf("create workspace: %v", err)
|
|
}
|
|
|
|
// Requester (= testUserID) is always an owner so DeleteMember authorization
|
|
// passes. Two owners total so LeaveWorkspace doesn't trip the "must keep
|
|
// at least one owner" guard.
|
|
if _, err := testPool.Exec(ctx, `
|
|
INSERT INTO member (workspace_id, user_id, role) VALUES ($1, $2, 'owner')
|
|
`, wsID, testUserID); err != nil {
|
|
t.Fatalf("create requester member: %v", err)
|
|
}
|
|
|
|
targetEmail := fmt.Sprintf("revocation-%s@multica.ai", slug)
|
|
var targetUserID string
|
|
if err := testPool.QueryRow(ctx, `
|
|
INSERT INTO "user" (name, email) VALUES ($1, $2) RETURNING id
|
|
`, "Revocation Target "+slug, targetEmail).Scan(&targetUserID); err != nil {
|
|
t.Fatalf("create target user: %v", err)
|
|
}
|
|
|
|
// Cleanup ordering: workspace first (cascade clears agent_runtime,
|
|
// agent, member, daemon_token), then user (whose deletion would
|
|
// otherwise be blocked by agent.owner_id / agent_runtime.owner_id FKs).
|
|
t.Cleanup(func() {
|
|
_, _ = testPool.Exec(context.Background(), `DELETE FROM workspace WHERE id = $1`, wsID)
|
|
_, _ = testPool.Exec(context.Background(), `DELETE FROM "user" WHERE id = $1`, targetUserID)
|
|
})
|
|
|
|
var memberID string
|
|
if err := testPool.QueryRow(ctx, `
|
|
INSERT INTO member (workspace_id, user_id, role) VALUES ($1, $2, 'owner') RETURNING id
|
|
`, wsID, targetUserID).Scan(&memberID); err != nil {
|
|
t.Fatalf("create target member: %v", err)
|
|
}
|
|
|
|
var runtimeID string
|
|
if err := testPool.QueryRow(ctx, `
|
|
INSERT INTO agent_runtime (
|
|
workspace_id, daemon_id, name, runtime_mode, provider, status,
|
|
device_info, metadata, owner_id, last_seen_at
|
|
)
|
|
VALUES ($1, $2, 'Target Runtime', 'local', 'multica_daemon', 'online', '', '{}'::jsonb, $3, now())
|
|
RETURNING id
|
|
`, wsID, daemonID, targetUserID).Scan(&runtimeID); err != nil {
|
|
t.Fatalf("insert runtime: %v", err)
|
|
}
|
|
|
|
var agentID string
|
|
if err := testPool.QueryRow(ctx, `
|
|
INSERT INTO agent (
|
|
workspace_id, name, description, runtime_mode, runtime_config,
|
|
runtime_id, visibility, max_concurrent_tasks, owner_id
|
|
)
|
|
VALUES ($1, 'Target Agent', '', 'local', '{}'::jsonb, $2, 'workspace', 1, $3)
|
|
RETURNING id
|
|
`, wsID, runtimeID, targetUserID).Scan(&agentID); err != nil {
|
|
t.Fatalf("insert agent: %v", err)
|
|
}
|
|
|
|
var taskID string
|
|
if err := testPool.QueryRow(ctx, `
|
|
INSERT INTO agent_task_queue (agent_id, runtime_id, status, priority)
|
|
VALUES ($1, $2, 'queued', 0)
|
|
RETURNING id
|
|
`, agentID, runtimeID).Scan(&taskID); err != nil {
|
|
t.Fatalf("insert task: %v", err)
|
|
}
|
|
|
|
// daemon_token row — paired with the runtime's daemon_id so the
|
|
// revocation should sweep its hash up via DeleteDaemonTokensByWorkspaceAndDaemons.
|
|
rawToken := "mdt_test_" + slug
|
|
sum := sha256.Sum256([]byte(rawToken))
|
|
tokenHash := hex.EncodeToString(sum[:])
|
|
if _, err := testPool.Exec(ctx, `
|
|
INSERT INTO daemon_token (token_hash, workspace_id, daemon_id, expires_at)
|
|
VALUES ($1, $2, $3, now() + interval '1 day')
|
|
`, tokenHash, wsID, daemonID); err != nil {
|
|
t.Fatalf("insert daemon_token: %v", err)
|
|
}
|
|
|
|
return revocationFixture{
|
|
WorkspaceID: wsID,
|
|
TargetUserID: targetUserID,
|
|
MemberID: memberID,
|
|
RuntimeID: runtimeID,
|
|
AgentID: agentID,
|
|
TaskID: taskID,
|
|
DaemonID: daemonID,
|
|
TokenHash: tokenHash,
|
|
}
|
|
}
|
|
|
|
func assertRevoked(t *testing.T, fx revocationFixture) {
|
|
t.Helper()
|
|
ctx := context.Background()
|
|
|
|
var memberExists bool
|
|
if err := testPool.QueryRow(ctx, `SELECT EXISTS (SELECT 1 FROM member WHERE id = $1)`, fx.MemberID).Scan(&memberExists); err != nil {
|
|
t.Fatalf("query member: %v", err)
|
|
}
|
|
if memberExists {
|
|
t.Fatal("member row was not deleted")
|
|
}
|
|
|
|
var runtimeStatus string
|
|
if err := testPool.QueryRow(ctx, `SELECT status FROM agent_runtime WHERE id = $1`, fx.RuntimeID).Scan(&runtimeStatus); err != nil {
|
|
t.Fatalf("query runtime: %v", err)
|
|
}
|
|
if runtimeStatus != "offline" {
|
|
t.Fatalf("expected runtime offline, got %q", runtimeStatus)
|
|
}
|
|
|
|
var archivedAt *string
|
|
if err := testPool.QueryRow(ctx, `SELECT archived_at::text FROM agent WHERE id = $1`, fx.AgentID).Scan(&archivedAt); err != nil {
|
|
t.Fatalf("query agent: %v", err)
|
|
}
|
|
if archivedAt == nil {
|
|
t.Fatal("agent was not archived")
|
|
}
|
|
|
|
var taskStatus string
|
|
if err := testPool.QueryRow(ctx, `SELECT status FROM agent_task_queue WHERE id = $1`, fx.TaskID).Scan(&taskStatus); err != nil {
|
|
t.Fatalf("query task: %v", err)
|
|
}
|
|
if taskStatus != "cancelled" {
|
|
t.Fatalf("expected task cancelled, got %q", taskStatus)
|
|
}
|
|
|
|
var tokenExists bool
|
|
if err := testPool.QueryRow(ctx, `SELECT EXISTS (SELECT 1 FROM daemon_token WHERE token_hash = $1)`, fx.TokenHash).Scan(&tokenExists); err != nil {
|
|
t.Fatalf("query daemon_token: %v", err)
|
|
}
|
|
if tokenExists {
|
|
t.Fatal("daemon_token row was not deleted")
|
|
}
|
|
}
|
|
|
|
// TestDeleteMember_RevokesTargetRuntimes verifies that when an admin removes
|
|
// another member from a workspace, every runtime owned by the removed member
|
|
// has its agents archived, its in-flight tasks cancelled, its row flipped
|
|
// offline, and its daemon_token rows deleted — all atomically with the member
|
|
// row deletion.
|
|
func TestDeleteMember_RevokesTargetRuntimes(t *testing.T) {
|
|
fx := setupRevocationFixture(t, "handler-tests-revoke-kick", "daemon-revoke-kick")
|
|
|
|
w := httptest.NewRecorder()
|
|
req := newRequest("DELETE", "/api/workspaces/"+fx.WorkspaceID+"/members/"+fx.MemberID, nil)
|
|
req.Header.Set("X-Workspace-ID", fx.WorkspaceID)
|
|
req = withURLParams(req, "id", fx.WorkspaceID, "memberId", fx.MemberID)
|
|
testHandler.DeleteMember(w, req)
|
|
|
|
if w.Code != http.StatusNoContent {
|
|
t.Fatalf("DeleteMember: expected 204, got %d: %s", w.Code, w.Body.String())
|
|
}
|
|
|
|
assertRevoked(t, fx)
|
|
}
|
|
|
|
// TestDeleteMember_PrunesChannelUserBindings verifies the application-layer
|
|
// replacement for the channel_user_binding member-FK cascade (MUL-3515 §4):
|
|
// removing a member prunes that member's channel bindings, in the same tx as
|
|
// the member-row delete, while leaving a remaining member's binding intact.
|
|
func TestDeleteMember_PrunesChannelUserBindings(t *testing.T) {
|
|
fx := setupRevocationFixture(t, "handler-tests-revoke-binding", "daemon-revoke-binding")
|
|
ctx := context.Background()
|
|
|
|
const appID = "cli_revoke_binding"
|
|
const removedOpenID = "ou_revoke_binding_removed"
|
|
const keepOpenID = "ou_revoke_binding_keep"
|
|
|
|
// channel_* rows have no FK to workspace (MUL-3515 §4), so the fixture's
|
|
// workspace-delete cleanup never reaches them; clear by deterministic key
|
|
// both before (in case a prior run was killed mid-test) and after.
|
|
cleanChannel := func() {
|
|
_, _ = testPool.Exec(context.Background(),
|
|
`DELETE FROM channel_user_binding WHERE channel_user_id = ANY($1)`,
|
|
[]string{removedOpenID, keepOpenID})
|
|
_, _ = testPool.Exec(context.Background(),
|
|
`DELETE FROM channel_installation WHERE channel_type = 'feishu' AND config->>'app_id' = $1`, appID)
|
|
}
|
|
cleanChannel()
|
|
t.Cleanup(cleanChannel)
|
|
|
|
var installID string
|
|
if err := testPool.QueryRow(ctx, `
|
|
INSERT INTO channel_installation (workspace_id, agent_id, channel_type, config, installer_user_id)
|
|
VALUES ($1, $2, 'feishu', jsonb_build_object('app_id', $3::text), $4)
|
|
RETURNING id
|
|
`, fx.WorkspaceID, fx.AgentID, appID, testUserID).Scan(&installID); err != nil {
|
|
t.Fatalf("insert channel_installation: %v", err)
|
|
}
|
|
|
|
// Binding for the member being removed — must be pruned.
|
|
if _, err := testPool.Exec(ctx, `
|
|
INSERT INTO channel_user_binding (workspace_id, multica_user_id, installation_id, channel_type, channel_user_id)
|
|
VALUES ($1, $2, $3, 'feishu', $4)
|
|
`, fx.WorkspaceID, fx.TargetUserID, installID, removedOpenID); err != nil {
|
|
t.Fatalf("insert removed-member binding: %v", err)
|
|
}
|
|
|
|
// Binding for the requester (an owner who stays) — must survive, proving
|
|
// the prune is scoped to the removed user, not the whole workspace.
|
|
if _, err := testPool.Exec(ctx, `
|
|
INSERT INTO channel_user_binding (workspace_id, multica_user_id, installation_id, channel_type, channel_user_id)
|
|
VALUES ($1, $2, $3, 'feishu', $4)
|
|
`, fx.WorkspaceID, testUserID, installID, keepOpenID); err != nil {
|
|
t.Fatalf("insert remaining-member binding: %v", err)
|
|
}
|
|
|
|
w := httptest.NewRecorder()
|
|
req := newRequest("DELETE", "/api/workspaces/"+fx.WorkspaceID+"/members/"+fx.MemberID, nil)
|
|
req.Header.Set("X-Workspace-ID", fx.WorkspaceID)
|
|
req = withURLParams(req, "id", fx.WorkspaceID, "memberId", fx.MemberID)
|
|
testHandler.DeleteMember(w, req)
|
|
|
|
if w.Code != http.StatusNoContent {
|
|
t.Fatalf("DeleteMember: expected 204, got %d: %s", w.Code, w.Body.String())
|
|
}
|
|
|
|
var removedExists bool
|
|
if err := testPool.QueryRow(ctx,
|
|
`SELECT EXISTS (SELECT 1 FROM channel_user_binding WHERE channel_user_id = $1)`, removedOpenID).Scan(&removedExists); err != nil {
|
|
t.Fatalf("query removed-member binding: %v", err)
|
|
}
|
|
if removedExists {
|
|
t.Fatal("removed member's channel_user_binding was not pruned")
|
|
}
|
|
|
|
var keepExists bool
|
|
if err := testPool.QueryRow(ctx,
|
|
`SELECT EXISTS (SELECT 1 FROM channel_user_binding WHERE channel_user_id = $1)`, keepOpenID).Scan(&keepExists); err != nil {
|
|
t.Fatalf("query remaining-member binding: %v", err)
|
|
}
|
|
if !keepExists {
|
|
t.Fatal("remaining member's channel_user_binding was wrongly pruned")
|
|
}
|
|
}
|
|
|
|
// TestLeaveWorkspace_RevokesOwnRuntimes is the self-removal counterpart: when
|
|
// a member leaves a workspace voluntarily, their own runtimes are revoked
|
|
// with the same atomic write set as DeleteMember.
|
|
func TestLeaveWorkspace_RevokesOwnRuntimes(t *testing.T) {
|
|
fx := setupRevocationFixture(t, "handler-tests-revoke-leave", "daemon-revoke-leave")
|
|
|
|
// Re-target the request from the leaving member's perspective: the
|
|
// leaver is the request actor, not the workspace owner.
|
|
w := httptest.NewRecorder()
|
|
req := newRequest("DELETE", "/api/workspaces/"+fx.WorkspaceID+"/leave", nil)
|
|
req.Header.Set("X-User-ID", fx.TargetUserID)
|
|
req.Header.Set("X-Workspace-ID", fx.WorkspaceID)
|
|
req = withURLParam(req, "id", fx.WorkspaceID)
|
|
testHandler.LeaveWorkspace(w, req)
|
|
|
|
if w.Code != http.StatusNoContent {
|
|
t.Fatalf("LeaveWorkspace: expected 204, got %d: %s", w.Code, w.Body.String())
|
|
}
|
|
|
|
assertRevoked(t, fx)
|
|
}
|
|
|
|
// TestDeleteMember_CancelsTasksFromAgentReassignment covers a subtle
|
|
// case: an agent's runtime_id can be changed via UpdateAgent, but
|
|
// agent_task_queue.runtime_id keeps the value from when the task was
|
|
// queued. So after a leaving member is removed, an agent currently bound
|
|
// to their runtime gets archived — but tasks that agent queued under a
|
|
// PRIOR runtime (still owned by another active member) keep their old
|
|
// runtime_id and would not be caught by a runtime-only sweep. Because
|
|
// ClaimAgentTask does not gate on agent.archived_at, those orphaned
|
|
// queued tasks would remain claimable.
|
|
func TestDeleteMember_CancelsTasksFromAgentReassignment(t *testing.T) {
|
|
fx := setupRevocationFixture(t, "handler-tests-revoke-reassign", "daemon-revoke-reassign")
|
|
ctx := context.Background()
|
|
|
|
// Create a SECOND runtime in the workspace owned by the requester
|
|
// (not the leaving member). The agent originally lived here.
|
|
var otherRuntimeID string
|
|
if err := testPool.QueryRow(ctx, `
|
|
INSERT INTO agent_runtime (
|
|
workspace_id, daemon_id, name, runtime_mode, provider, status,
|
|
device_info, metadata, owner_id, last_seen_at
|
|
)
|
|
VALUES ($1, $2, 'Other Runtime', 'local', 'multica_daemon', 'online', '', '{}'::jsonb, $3, now())
|
|
RETURNING id
|
|
`, fx.WorkspaceID, "daemon-revoke-reassign-other", testUserID).Scan(&otherRuntimeID); err != nil {
|
|
t.Fatalf("insert other runtime: %v", err)
|
|
}
|
|
|
|
// Queue a task on the agent while it was still pinned to the OTHER
|
|
// runtime (simulating a task created before the agent was reassigned
|
|
// to the leaving member's runtime).
|
|
var orphanTaskID string
|
|
if err := testPool.QueryRow(ctx, `
|
|
INSERT INTO agent_task_queue (agent_id, runtime_id, status, priority)
|
|
VALUES ($1, $2, 'queued', 0)
|
|
RETURNING id
|
|
`, fx.AgentID, otherRuntimeID).Scan(&orphanTaskID); err != nil {
|
|
t.Fatalf("insert orphan task: %v", err)
|
|
}
|
|
|
|
w := httptest.NewRecorder()
|
|
req := newRequest("DELETE", "/api/workspaces/"+fx.WorkspaceID+"/members/"+fx.MemberID, nil)
|
|
req.Header.Set("X-Workspace-ID", fx.WorkspaceID)
|
|
req = withURLParams(req, "id", fx.WorkspaceID, "memberId", fx.MemberID)
|
|
testHandler.DeleteMember(w, req)
|
|
|
|
if w.Code != http.StatusNoContent {
|
|
t.Fatalf("DeleteMember: expected 204, got %d: %s", w.Code, w.Body.String())
|
|
}
|
|
|
|
assertRevoked(t, fx)
|
|
|
|
// The orphan task — same agent, different runtime — must also be
|
|
// cancelled. Without the by-agent leg in CancelAgentTasksByRuntimeOrAgent
|
|
// this stays 'queued' and would be picked up by the other runtime.
|
|
var orphanStatus string
|
|
if err := testPool.QueryRow(ctx, `SELECT status FROM agent_task_queue WHERE id = $1`, orphanTaskID).Scan(&orphanStatus); err != nil {
|
|
t.Fatalf("query orphan task: %v", err)
|
|
}
|
|
if orphanStatus != "cancelled" {
|
|
t.Fatalf("expected orphan task cancelled (archived agent leftover on other runtime), got %q", orphanStatus)
|
|
}
|
|
|
|
// And the OTHER runtime — owned by an active member — must still be
|
|
// online: revocation is scoped to the leaving member's owned runtimes.
|
|
var otherStatus string
|
|
if err := testPool.QueryRow(ctx, `SELECT status FROM agent_runtime WHERE id = $1`, otherRuntimeID).Scan(&otherStatus); err != nil {
|
|
t.Fatalf("query other runtime: %v", err)
|
|
}
|
|
if otherStatus != "online" {
|
|
t.Fatalf("expected other-member runtime to stay online, got %q", otherStatus)
|
|
}
|
|
}
|
|
|
|
// TestDeleteMember_NoRuntimes_DeletesMember covers the empty-revocation
|
|
// path: a member with no owned runtimes should still have their member row
|
|
// deleted by the same atomic transaction, with no spurious archive/cancel
|
|
// writes.
|
|
func TestDeleteMember_NoRuntimes_DeletesMember(t *testing.T) {
|
|
ctx := context.Background()
|
|
const slug = "handler-tests-revoke-no-runtimes"
|
|
_, _ = testPool.Exec(ctx, `DELETE FROM workspace WHERE slug = $1`, slug)
|
|
|
|
var wsID string
|
|
if err := testPool.QueryRow(ctx, `
|
|
INSERT INTO workspace (name, slug, description, issue_prefix)
|
|
VALUES ($1, $2, $3, $4)
|
|
RETURNING id
|
|
`, "Revocation no runtimes", slug, "revocation no-runtimes test", "REV").Scan(&wsID); err != nil {
|
|
t.Fatalf("create workspace: %v", err)
|
|
}
|
|
|
|
if _, err := testPool.Exec(ctx, `
|
|
INSERT INTO member (workspace_id, user_id, role) VALUES ($1, $2, 'owner')
|
|
`, wsID, testUserID); err != nil {
|
|
t.Fatalf("create requester member: %v", err)
|
|
}
|
|
|
|
var targetUserID string
|
|
if err := testPool.QueryRow(ctx, `
|
|
INSERT INTO "user" (name, email) VALUES ($1, $2) RETURNING id
|
|
`, "Revocation No Runtimes Target", "revocation-no-runtimes@multica.ai").Scan(&targetUserID); err != nil {
|
|
t.Fatalf("create target user: %v", err)
|
|
}
|
|
t.Cleanup(func() {
|
|
_, _ = testPool.Exec(context.Background(), `DELETE FROM workspace WHERE id = $1`, wsID)
|
|
_, _ = testPool.Exec(context.Background(), `DELETE FROM "user" WHERE id = $1`, targetUserID)
|
|
})
|
|
|
|
var memberID string
|
|
if err := testPool.QueryRow(ctx, `
|
|
INSERT INTO member (workspace_id, user_id, role) VALUES ($1, $2, 'admin') RETURNING id
|
|
`, wsID, targetUserID).Scan(&memberID); err != nil {
|
|
t.Fatalf("create target member: %v", err)
|
|
}
|
|
|
|
w := httptest.NewRecorder()
|
|
req := newRequest("DELETE", "/api/workspaces/"+wsID+"/members/"+memberID, nil)
|
|
req.Header.Set("X-Workspace-ID", wsID)
|
|
req = withURLParams(req, "id", wsID, "memberId", memberID)
|
|
testHandler.DeleteMember(w, req)
|
|
|
|
if w.Code != http.StatusNoContent {
|
|
t.Fatalf("DeleteMember: expected 204, got %d: %s", w.Code, w.Body.String())
|
|
}
|
|
|
|
var memberExists bool
|
|
if err := testPool.QueryRow(ctx, `SELECT EXISTS (SELECT 1 FROM member WHERE id = $1)`, memberID).Scan(&memberExists); err != nil {
|
|
t.Fatalf("query member: %v", err)
|
|
}
|
|
if memberExists {
|
|
t.Fatal("member row was not deleted")
|
|
}
|
|
}
|