mirror of
https://github.com/multica-ai/multica.git
synced 2026-06-17 03:38:32 +02:00
c8ab73d38d
* fix: bind quick-create attachments to created issues Co-authored-by: multica-agent <github@multica.ai> * test: use real image markdown in quick-create attachment test Co-authored-by: multica-agent <github@multica.ai> --------- Co-authored-by: J <j@multica.ai> Co-authored-by: multica-agent <github@multica.ai>
225 lines
8.9 KiB
Go
225 lines
8.9 KiB
Go
package handler
|
|
|
|
import (
|
|
"context"
|
|
"encoding/json"
|
|
"net/http"
|
|
"net/http/httptest"
|
|
"testing"
|
|
|
|
"github.com/multica-ai/multica/server/internal/service"
|
|
"github.com/multica-ai/multica/server/pkg/agent"
|
|
)
|
|
|
|
// TestQuickCreateIssueParentTrustBoundary locks the server-side trust boundary
|
|
// for the optional parent_issue_id field on POST /api/issues/quick-create.
|
|
//
|
|
// The frontend seeds parent_issue_id from the "Add sub issue" entry point and
|
|
// otherwise leaves it empty. The handler is the trust boundary: a forged
|
|
// request must not be able to smuggle a foreign parent UUID through to the
|
|
// quick-create task context, and the same-workspace happy path must thread
|
|
// the resolved UUID into QuickCreateContext.ParentIssueID so the daemon claim
|
|
// step can resolve the identifier and emit `--parent <uuid>` in the prompt.
|
|
//
|
|
// Three branches are covered:
|
|
//
|
|
// 1. Same-workspace parent → 202 Accepted, task enqueued with
|
|
// QuickCreateContext.ParentIssueID populated.
|
|
// 2. Foreign-workspace parent → 400 Bad Request, no task enqueued.
|
|
// 3. Bogus UUID parent → 400 Bad Request, no task enqueued.
|
|
func TestQuickCreateIssueParentTrustBoundary(t *testing.T) {
|
|
if testHandler == nil {
|
|
t.Skip("database not available")
|
|
}
|
|
ctx := context.Background()
|
|
|
|
// Resolve the seeded runtime + agent for this workspace, then bump the
|
|
// runtime metadata to a CLI version that clears MinQuickCreateCLIVersion.
|
|
// The seed runtime uses metadata '{}'::jsonb which would otherwise trip
|
|
// the daemon-version gate before we ever reach the parent_issue_id check.
|
|
var runtimeID, agentID string
|
|
if err := testPool.QueryRow(ctx,
|
|
`SELECT id FROM agent_runtime WHERE workspace_id = $1 LIMIT 1`,
|
|
testWorkspaceID,
|
|
).Scan(&runtimeID); err != nil {
|
|
t.Fatalf("fetch runtime: %v", err)
|
|
}
|
|
if err := testPool.QueryRow(ctx,
|
|
`SELECT id FROM agent WHERE workspace_id = $1 LIMIT 1`,
|
|
testWorkspaceID,
|
|
).Scan(&agentID); err != nil {
|
|
t.Fatalf("fetch agent: %v", err)
|
|
}
|
|
if _, err := testPool.Exec(ctx,
|
|
`UPDATE agent_runtime SET metadata = jsonb_build_object('cli_version', $1::text) WHERE id = $2`,
|
|
agent.MinQuickCreateCLIVersion, runtimeID,
|
|
); err != nil {
|
|
t.Fatalf("bump runtime cli_version: %v", err)
|
|
}
|
|
t.Cleanup(func() {
|
|
testPool.Exec(context.Background(),
|
|
`UPDATE agent_runtime SET metadata = '{}'::jsonb WHERE id = $1`, runtimeID)
|
|
})
|
|
|
|
// Same-workspace parent — must be accepted and threaded through.
|
|
var localParentID string
|
|
if err := testPool.QueryRow(ctx, `
|
|
INSERT INTO issue (workspace_id, title, creator_id, creator_type, number)
|
|
VALUES ($1, 'quick-create parent (local)', $2, 'member',
|
|
(SELECT COALESCE(MAX(number), 0) + 1 FROM issue WHERE workspace_id = $1))
|
|
RETURNING id
|
|
`, testWorkspaceID, testUserID).Scan(&localParentID); err != nil {
|
|
t.Fatalf("create local parent issue: %v", err)
|
|
}
|
|
t.Cleanup(func() {
|
|
testPool.Exec(context.Background(), `DELETE FROM issue WHERE id = $1`, localParentID)
|
|
})
|
|
|
|
// Foreign-workspace parent — must be rejected.
|
|
var foreignWorkspaceID, foreignUserID, foreignParentID string
|
|
if err := testPool.QueryRow(ctx, `
|
|
INSERT INTO "user" (name, email) VALUES ($1, $2) RETURNING id
|
|
`, "QuickCreate Foreign", "quickcreate-foreign@multica.ai").Scan(&foreignUserID); err != nil {
|
|
t.Fatalf("create foreign user: %v", err)
|
|
}
|
|
t.Cleanup(func() {
|
|
testPool.Exec(context.Background(), `DELETE FROM "user" WHERE id = $1`, foreignUserID)
|
|
})
|
|
if err := testPool.QueryRow(ctx, `
|
|
INSERT INTO workspace (name, slug, description, issue_prefix)
|
|
VALUES ($1, $2, $3, $4) RETURNING id
|
|
`, "QuickCreate Foreign WS", "quickcreate-foreign-ws", "", "QCF").Scan(&foreignWorkspaceID); err != nil {
|
|
t.Fatalf("create foreign workspace: %v", err)
|
|
}
|
|
t.Cleanup(func() {
|
|
testPool.Exec(context.Background(), `DELETE FROM workspace WHERE id = $1`, foreignWorkspaceID)
|
|
})
|
|
if err := testPool.QueryRow(ctx, `
|
|
INSERT INTO issue (workspace_id, title, creator_id, creator_type, number)
|
|
VALUES ($1, 'quick-create parent (foreign)', $2, 'member',
|
|
(SELECT COALESCE(MAX(number), 0) + 1 FROM issue WHERE workspace_id = $1))
|
|
RETURNING id
|
|
`, foreignWorkspaceID, foreignUserID).Scan(&foreignParentID); err != nil {
|
|
t.Fatalf("create foreign parent issue: %v", err)
|
|
}
|
|
// The foreign workspace cleanup above cascades, but the issue row also
|
|
// needs a direct cleanup in case workspace deletion ordering changes.
|
|
t.Cleanup(func() {
|
|
testPool.Exec(context.Background(), `DELETE FROM issue WHERE id = $1`, foreignParentID)
|
|
})
|
|
|
|
// Helper for the "must not enqueue" assertions. Each rejection subtest
|
|
// snapshots the count immediately before the request and re-checks after
|
|
// so sibling subtests (and their t.Cleanup deletions) can't false-positive
|
|
// or false-negative this assertion.
|
|
countQuickCreateTasks := func(t *testing.T) int {
|
|
t.Helper()
|
|
var count int
|
|
if err := testPool.QueryRow(context.Background(),
|
|
`SELECT COUNT(*) FROM agent_task_queue WHERE agent_id = $1 AND context->>'type' = 'quick_create'`,
|
|
agentID,
|
|
).Scan(&count); err != nil {
|
|
t.Fatalf("count quick-create tasks: %v", err)
|
|
}
|
|
return count
|
|
}
|
|
|
|
t.Run("same workspace parent enqueues with context", func(t *testing.T) {
|
|
attachmentID := "019ec09d-6222-722b-bdfa-427b105d80be"
|
|
w := httptest.NewRecorder()
|
|
req := newRequest("POST", "/api/issues/quick-create", map[string]any{
|
|
"agent_id": agentID,
|
|
"prompt": "Create a follow-up issue for the local parent",
|
|
"parent_issue_id": localParentID,
|
|
"attachment_ids": []string{attachmentID},
|
|
})
|
|
testHandler.QuickCreateIssue(w, req)
|
|
if w.Code != http.StatusAccepted {
|
|
t.Fatalf("expected 202, got %d: %s", w.Code, w.Body.String())
|
|
}
|
|
var resp QuickCreateIssueResponse
|
|
if err := json.NewDecoder(w.Body).Decode(&resp); err != nil {
|
|
t.Fatalf("decode response: %v", err)
|
|
}
|
|
t.Cleanup(func() {
|
|
testPool.Exec(context.Background(), `DELETE FROM agent_task_queue WHERE id = $1`, resp.TaskID)
|
|
})
|
|
|
|
// QuickCreateContext.ParentIssueID must contain the resolved UUID —
|
|
// the daemon claim step reads this field to attach the parent
|
|
// identifier and to inject `--parent <uuid>` into the prompt.
|
|
var contextJSON []byte
|
|
if err := testPool.QueryRow(context.Background(),
|
|
`SELECT context FROM agent_task_queue WHERE id = $1`, resp.TaskID,
|
|
).Scan(&contextJSON); err != nil {
|
|
t.Fatalf("load task context: %v", err)
|
|
}
|
|
var qc service.QuickCreateContext
|
|
if err := json.Unmarshal(contextJSON, &qc); err != nil {
|
|
t.Fatalf("unmarshal context: %v", err)
|
|
}
|
|
if qc.Type != service.QuickCreateContextType {
|
|
t.Fatalf("expected type=%q, got %q", service.QuickCreateContextType, qc.Type)
|
|
}
|
|
if qc.ParentIssueID != localParentID {
|
|
t.Fatalf("expected parent_issue_id=%q in context, got %q", localParentID, qc.ParentIssueID)
|
|
}
|
|
if len(qc.AttachmentIDs) != 1 || qc.AttachmentIDs[0] != attachmentID {
|
|
t.Fatalf("expected attachment_ids=[%q] in context, got %#v", attachmentID, qc.AttachmentIDs)
|
|
}
|
|
})
|
|
|
|
t.Run("foreign workspace parent is rejected", func(t *testing.T) {
|
|
before := countQuickCreateTasks(t)
|
|
w := httptest.NewRecorder()
|
|
req := newRequest("POST", "/api/issues/quick-create", map[string]any{
|
|
"agent_id": agentID,
|
|
"prompt": "Try to smuggle a foreign parent",
|
|
"parent_issue_id": foreignParentID,
|
|
})
|
|
testHandler.QuickCreateIssue(w, req)
|
|
if w.Code != http.StatusBadRequest {
|
|
t.Fatalf("expected 400 for foreign parent, got %d: %s", w.Code, w.Body.String())
|
|
}
|
|
if got := countQuickCreateTasks(t); got != before {
|
|
// Any increase means the foreign-parent request enqueued a
|
|
// task despite the 400 — the trust boundary leaked.
|
|
t.Fatalf("foreign parent must not enqueue a task: expected %d quick-create tasks, got %d", before, got)
|
|
}
|
|
})
|
|
|
|
t.Run("bogus uuid parent is rejected", func(t *testing.T) {
|
|
before := countQuickCreateTasks(t)
|
|
w := httptest.NewRecorder()
|
|
req := newRequest("POST", "/api/issues/quick-create", map[string]any{
|
|
"agent_id": agentID,
|
|
"prompt": "Try a malformed parent UUID",
|
|
"parent_issue_id": "not-a-uuid",
|
|
})
|
|
testHandler.QuickCreateIssue(w, req)
|
|
if w.Code != http.StatusBadRequest {
|
|
t.Fatalf("expected 400 for bogus parent, got %d: %s", w.Code, w.Body.String())
|
|
}
|
|
if got := countQuickCreateTasks(t); got != before {
|
|
t.Fatalf("bogus parent must not enqueue a task: expected %d quick-create tasks, got %d", before, got)
|
|
}
|
|
})
|
|
|
|
t.Run("bogus uuid attachment id is rejected", func(t *testing.T) {
|
|
before := countQuickCreateTasks(t)
|
|
w := httptest.NewRecorder()
|
|
req := newRequest("POST", "/api/issues/quick-create", map[string]any{
|
|
"agent_id": agentID,
|
|
"prompt": "Try a malformed attachment UUID",
|
|
"attachment_ids": []string{"not-a-uuid"},
|
|
})
|
|
testHandler.QuickCreateIssue(w, req)
|
|
if w.Code != http.StatusBadRequest {
|
|
t.Fatalf("expected 400 for bogus attachment id, got %d: %s", w.Code, w.Body.String())
|
|
}
|
|
if got := countQuickCreateTasks(t); got != before {
|
|
t.Fatalf("bogus attachment id must not enqueue a task: expected %d quick-create tasks, got %d", before, got)
|
|
}
|
|
})
|
|
}
|