mosaic/stack
1
0
Fork 0
Code Issues 10 Pull Requests 1 Actions Packages Projects Releases 2 Wiki Activity

Fix QA validation issues and add M7.1 security fixes (#318)
Some checks failed
ci/woodpecker/push/woodpecker Pipeline failed
Details

Browse Source 
Co-authored-by: Jason Woltje <jason@diversecanvas.com>
Co-committed-by: Jason Woltje <jason@diversecanvas.com>
This commit was merged in pull request #318.
This commit is contained in:
Jason Woltje
2026-02-04 03:08:09 +00:00
committed by jason.woltje
parent 482507ce4d
commit a1973e6419
178 changed files with 4902 additions and 74 deletions
Download Patch File Download Diff File Expand all files Collapse all files

198
apps/api/src/federation/command.service.spec.ts
View File

@@ -4,6 +4,7 @@
import { describe, it, expect, beforeEach, vi } from "vitest";
import { Test, TestingModule } from "@nestjs/testing";
import { ModuleRef } from "@nestjs/core";
import { HttpService } from "@nestjs/axios";
import { CommandService } from "./command.service";
import { PrismaService } from "../prisma/prisma.service";
@@ -16,6 +17,7 @@ import {
} from "@prisma/client";
import { of } from "rxjs";
import type { CommandMessage, CommandResponse } from "./types/message.types";
import { UnknownCommandTypeError } from "./errors/command.errors";
describe("CommandService", () => {
let service: CommandService;
@@ -23,6 +25,7 @@ describe("CommandService", () => {
let federationService: FederationService;
let signatureService: SignatureService;
let httpService: HttpService;
let moduleRef: ModuleRef;
const mockWorkspaceId = "workspace-123";
const mockConnectionId = "connection-123";
@@ -77,6 +80,7 @@ describe("CommandService", () => {
federationService = module.get<FederationService>(FederationService);
signatureService = module.get<SignatureService>(SignatureService);
httpService = module.get<HttpService>(HttpService);
moduleRef = module.get<ModuleRef>(ModuleRef);
});
describe("sendCommand", () => {
@@ -238,12 +242,75 @@ describe("CommandService", () => {
});
describe("handleIncomingCommand", () => {
it("should process a valid incoming command", async () => {
it("should process a valid incoming agent command", async () => {
const commandMessage: CommandMessage = {
messageId: "cmd-123",
instanceId: mockInstanceId,
commandType: "spawn_agent",
payload: { agentType: "task_executor" },
commandType: "agent.spawn",
payload: { agentType: "task_executor", taskId: "task-123" },
timestamp: Date.now(),
signature: "signature-123",
};
const mockConnection = {
id: mockConnectionId,
remoteInstanceId: mockInstanceId,
status: FederationConnectionStatus.ACTIVE,
};
const mockIdentity = {
instanceId: "local-instance",
displayName: "Local Instance",
};
const mockFederationAgentService = {
handleAgentCommand: vi.fn().mockResolvedValue({
success: true,
data: { agentId: "agent-123", status: "spawning", spawnedAt: new Date().toISOString() },
}),
};
vi.spyOn(signatureService, "validateTimestamp").mockReturnValue(true);
vi.spyOn(prisma.federationConnection, "findFirst").mockResolvedValue(mockConnection as never);
vi.spyOn(signatureService, "verifyMessage").mockResolvedValue({
valid: true,
error: null,
} as never);
vi.spyOn(federationService, "getInstanceIdentity").mockResolvedValue(mockIdentity as never);
vi.spyOn(signatureService, "signMessage").mockResolvedValue("response-signature");
vi.spyOn(moduleRef, "get").mockReturnValue(mockFederationAgentService as never);
const response = await service.handleIncomingCommand(commandMessage);
expect(response).toMatchObject({
correlationId: "cmd-123",
instanceId: "local-instance",
success: true,
});
expect(signatureService.validateTimestamp).toHaveBeenCalledWith(commandMessage.timestamp);
expect(signatureService.verifyMessage).toHaveBeenCalledWith(
expect.objectContaining({
messageId: "cmd-123",
instanceId: mockInstanceId,
commandType: "agent.spawn",
}),
"signature-123",
mockInstanceId
);
expect(mockFederationAgentService.handleAgentCommand).toHaveBeenCalledWith(
mockInstanceId,
"agent.spawn",
commandMessage.payload
);
});
it("should handle unknown command types and return error response", async () => {
const commandMessage: CommandMessage = {
messageId: "cmd-123",
instanceId: mockInstanceId,
commandType: "unknown.command",
payload: {},
timestamp: Date.now(),
signature: "signature-123",
};
@@ -273,18 +340,125 @@ describe("CommandService", () => {
expect(response).toMatchObject({
correlationId: "cmd-123",
instanceId: "local-instance",
success: true,
success: false,
error: "Unknown command type: unknown.command",
});
});
expect(signatureService.validateTimestamp).toHaveBeenCalledWith(commandMessage.timestamp);
expect(signatureService.verifyMessage).toHaveBeenCalledWith(
expect.objectContaining({
messageId: "cmd-123",
instanceId: mockInstanceId,
commandType: "spawn_agent",
it("should handle business logic errors from agent service and return error response", async () => {
const commandMessage: CommandMessage = {
messageId: "cmd-123",
instanceId: mockInstanceId,
commandType: "agent.spawn",
payload: { agentType: "invalid_type" },
timestamp: Date.now(),
signature: "signature-123",
};
const mockConnection = {
id: mockConnectionId,
remoteInstanceId: mockInstanceId,
status: FederationConnectionStatus.ACTIVE,
};
const mockIdentity = {
instanceId: "local-instance",
displayName: "Local Instance",
};
vi.spyOn(signatureService, "validateTimestamp").mockReturnValue(true);
vi.spyOn(prisma.federationConnection, "findFirst").mockResolvedValue(mockConnection as never);
vi.spyOn(signatureService, "verifyMessage").mockResolvedValue({
valid: true,
error: null,
} as never);
vi.spyOn(federationService, "getInstanceIdentity").mockResolvedValue(mockIdentity as never);
vi.spyOn(signatureService, "signMessage").mockResolvedValue("response-signature");
// Mock FederationAgentService to return error response
const mockFederationAgentService = {
handleAgentCommand: vi.fn().mockResolvedValue({
success: false,
error: "Invalid agent type: invalid_type",
}),
"signature-123",
mockInstanceId
};
vi.spyOn(moduleRef, "get").mockReturnValue(mockFederationAgentService as never);
const response = await service.handleIncomingCommand(commandMessage);
expect(response).toMatchObject({
correlationId: "cmd-123",
instanceId: "local-instance",
success: false,
error: "Invalid agent type: invalid_type",
});
});
it("should let system errors propagate (database connection failure)", async () => {
const commandMessage: CommandMessage = {
messageId: "cmd-123",
instanceId: mockInstanceId,
commandType: "agent.spawn",
payload: { agentType: "task_executor" },
timestamp: Date.now(),
signature: "signature-123",
};
vi.spyOn(signatureService, "validateTimestamp").mockReturnValue(true);
// Simulate database connection failure (system error)
const dbError = new Error("Connection pool exhausted");
dbError.name = "PoolExhaustedError";
vi.spyOn(prisma.federationConnection, "findFirst").mockRejectedValue(dbError);
// System errors should propagate
await expect(service.handleIncomingCommand(commandMessage)).rejects.toThrow(
"Connection pool exhausted"
);
});
it("should let system errors propagate from agent service (not wrapped)", async () => {
const commandMessage: CommandMessage = {
messageId: "cmd-123",
instanceId: mockInstanceId,
commandType: "agent.spawn",
payload: { agentType: "task_executor" },
timestamp: Date.now(),
signature: "signature-123",
};
const mockConnection = {
id: mockConnectionId,
remoteInstanceId: mockInstanceId,
status: FederationConnectionStatus.ACTIVE,
};
const mockIdentity = {
instanceId: "local-instance",
displayName: "Local Instance",
};
// Simulate a system error (not a CommandProcessingError) from agent service
const systemError = new Error("Database connection failed");
systemError.name = "DatabaseError";
const mockFederationAgentService = {
handleAgentCommand: vi.fn().mockRejectedValue(systemError),
};
vi.spyOn(signatureService, "validateTimestamp").mockReturnValue(true);
vi.spyOn(prisma.federationConnection, "findFirst").mockResolvedValue(mockConnection as never);
vi.spyOn(signatureService, "verifyMessage").mockResolvedValue({
valid: true,
error: null,
} as never);
vi.spyOn(federationService, "getInstanceIdentity").mockResolvedValue(mockIdentity as never);
vi.spyOn(moduleRef, "get").mockReturnValue(mockFederationAgentService as never);
// System errors should propagate (not caught by business logic handler)
await expect(service.handleIncomingCommand(commandMessage)).rejects.toThrow(
"Database connection failed"
);
});

28
apps/api/src/federation/command.service.ts
View File

@@ -18,6 +18,7 @@ import {
FederationMessageStatus,
} from "@prisma/client";
import type { CommandMessage, CommandResponse, CommandMessageDetails } from "./types/message.types";
import { CommandProcessingError, UnknownCommandTypeError } from "./errors/command.errors";
@Injectable()
export class CommandService {
@@ -184,13 +185,30 @@ export class CommandService {
responseData = agentResponse.data;
errorMessage = agentResponse.error;
} else {
// Other command types can be added here
responseData = { message: "Command received and processed" };
// Unknown command type - throw business logic error
throw new UnknownCommandTypeError(commandMessage.commandType);
}
} catch (error) {
success = false;
errorMessage = error instanceof Error ? error.message : "Command processing failed";
this.logger.error(`Command processing failed: ${errorMessage}`);
// Only catch expected business logic errors
// System errors (OOM, DB failures, network issues) should propagate
if (error instanceof CommandProcessingError) {
success = false;
errorMessage = error.message;
this.logger.warn(`Command processing failed (business logic): ${errorMessage}`, {
commandType: commandMessage.commandType,
instanceId: commandMessage.instanceId,
messageId: commandMessage.messageId,
});
} else {
// System error - log and re-throw to preserve stack trace
this.logger.error(`System error during command processing: ${String(error)}`, {
commandType: commandMessage.commandType,
instanceId: commandMessage.instanceId,
messageId: commandMessage.messageId,
error: error instanceof Error ? error.stack : String(error),
});
throw error;
}
}
// Get local instance identity

49
apps/api/src/federation/errors/command.errors.ts Normal file
View File

@@ -0,0 +1,49 @@
/**
* Command Processing Errors
*
* Custom error classes for expected business logic errors in command processing.
* These errors should be caught and returned as error responses.
* All other errors (system errors like OOM, DB failures) should propagate.
*/
/**
* Base class for command processing errors that should be caught
* and converted to error responses
*/
export class CommandProcessingError extends Error {
constructor(message: string) {
super(message);
this.name = "CommandProcessingError";
Error.captureStackTrace(this, this.constructor);
}
}
/**
* Error thrown when an unknown or unsupported command type is received
*/
export class UnknownCommandTypeError extends CommandProcessingError {
constructor(commandType: string) {
super(`Unknown command type: ${commandType}`);
this.name = "UnknownCommandTypeError";
}
}
/**
* Error thrown when command payload validation fails
*/
export class InvalidCommandPayloadError extends CommandProcessingError {
constructor(message: string) {
super(message);
this.name = "InvalidCommandPayloadError";
}
}
/**
* Error thrown when agent command execution fails due to business logic
*/
export class AgentCommandError extends CommandProcessingError {
constructor(message: string) {
super(message);
this.name = "AgentCommandError";
}
}

22
apps/api/src/federation/federation-agent.service.spec.ts
View File

@@ -419,13 +419,12 @@ describe("FederationAgentService", () => {
});
});
it("should return error for unknown command type", async () => {
it("should throw UnknownCommandTypeError for unknown command type", async () => {
prisma.federationConnection.findFirst.mockResolvedValue(mockConnection as never);
const result = await service.handleAgentCommand("remote-instance-1", "agent.unknown", {});
expect(result.success).toBe(false);
expect(result.error).toContain("Unknown agent command type: agent.unknown");
await expect(
service.handleAgentCommand("remote-instance-1", "agent.unknown", {})
).rejects.toThrow("Unknown command type: agent.unknown");
});
it("should throw error if connection not found", async () => {
@@ -436,7 +435,7 @@ describe("FederationAgentService", () => {
).rejects.toThrow("No connection found for remote instance");
});
it("should handle orchestrator errors", async () => {
it("should throw AgentCommandError for orchestrator errors", async () => {
const spawnPayload: SpawnAgentCommandPayload = {
taskId: mockTaskId,
agentType: "worker",
@@ -453,14 +452,9 @@ describe("FederationAgentService", () => {
throwError(() => new Error("Orchestrator connection failed")) as never
);
const result = await service.handleAgentCommand(
"remote-instance-1",
"agent.spawn",
spawnPayload
);
expect(result.success).toBe(false);
expect(result.error).toContain("Orchestrator connection failed");
await expect(
service.handleAgentCommand("remote-instance-1", "agent.spawn", spawnPayload)
).rejects.toThrow("Failed to spawn agent: Orchestrator connection failed");
});
});
});

46
apps/api/src/federation/federation-agent.service.ts
View File

@@ -22,6 +22,7 @@ import type {
AgentStatusResponseData,
KillAgentResponseData,
} from "./types/federation-agent.types";
import { AgentCommandError, UnknownCommandTypeError } from "./errors/command.errors";
/**
* Agent command response structure
@@ -222,26 +223,19 @@ export class FederationAgentService {
}
// Route command to appropriate handler
try {
switch (commandType) {
case "agent.spawn":
return await this.handleSpawnCommand(payload as unknown as SpawnAgentCommandPayload);
switch (commandType) {
case "agent.spawn":
return await this.handleSpawnCommand(payload as unknown as SpawnAgentCommandPayload);
case "agent.status":
return await this.handleStatusCommand(payload as unknown as AgentStatusCommandPayload);
case "agent.status":
return await this.handleStatusCommand(payload as unknown as AgentStatusCommandPayload);
case "agent.kill":
return await this.handleKillCommand(payload as unknown as KillAgentCommandPayload);
case "agent.kill":
return await this.handleKillCommand(payload as unknown as KillAgentCommandPayload);
default:
throw new Error(`Unknown agent command type: ${commandType}`);
}
} catch (error) {
this.logger.error(`Error handling agent command: ${String(error)}`);
return {
success: false,
error: error instanceof Error ? error.message : "Unknown error",
};
default:
// Unknown command type - throw business logic error
throw new UnknownCommandTypeError(commandType);
}
}
@@ -285,8 +279,10 @@ export class FederationAgentService {
data: responseData,
};
} catch (error) {
this.logger.error(`Failed to spawn agent: ${String(error)}`);
throw error;
// Wrap orchestrator errors as business logic errors
const errorMessage = error instanceof Error ? error.message : "Failed to spawn agent";
this.logger.error(`Failed to spawn agent: ${errorMessage}`);
throw new AgentCommandError(`Failed to spawn agent: ${errorMessage}`);
}
}
@@ -314,8 +310,10 @@ export class FederationAgentService {
data: responseData,
};
} catch (error) {
this.logger.error(`Failed to get agent status: ${String(error)}`);
throw error;
// Wrap orchestrator errors as business logic errors
const errorMessage = error instanceof Error ? error.message : "Failed to get agent status";
this.logger.error(`Failed to get agent status: ${errorMessage}`);
throw new AgentCommandError(`Failed to get agent status: ${errorMessage}`);
}
}
@@ -347,8 +345,10 @@ export class FederationAgentService {
data: responseData,
};
} catch (error) {
this.logger.error(`Failed to kill agent: ${String(error)}`);
throw error;
// Wrap orchestrator errors as business logic errors
const errorMessage = error instanceof Error ? error.message : "Failed to kill agent";
this.logger.error(`Failed to kill agent: ${errorMessage}`);
throw new AgentCommandError(`Failed to kill agent: ${errorMessage}`);
}
}
}

69
apps/api/src/federation/http-timeout.spec.ts Normal file
View File

@@ -0,0 +1,69 @@
/**
* HTTP Timeout Tests
*
* Verifies that HTTP requests have proper timeout configuration to prevent DoS attacks.
* Issue #282: Add HTTP request timeouts (DoS risk)
*/
import { describe, it, expect, beforeEach } from "vitest";
import { Test, TestingModule } from "@nestjs/testing";
import { HttpService, HttpModule } from "@nestjs/axios";
import { ConfigModule } from "@nestjs/config";
import { of, delay } from "rxjs";
describe("HTTP Timeout Configuration", () => {
let httpService: HttpService;
beforeEach(async () => {
const module: TestingModule = await Test.createTestingModule({
imports: [
ConfigModule,
HttpModule.register({
timeout: 10000, // 10 seconds
maxRedirects: 5,
}),
],
}).compile();
httpService = module.get<HttpService>(HttpService);
});
it("should have HttpService configured", () => {
expect(httpService).toBeDefined();
});
it("should have axios instance with timeout configured", () => {
const axiosInstance = httpService.axiosRef;
expect(axiosInstance.defaults.timeout).toBe(10000);
});
it("should have max redirects configured", () => {
const axiosInstance = httpService.axiosRef;
expect(axiosInstance.defaults.maxRedirects).toBe(5);
});
});
describe("HTTP Timeout Behavior", () => {
let httpService: HttpService;
beforeEach(async () => {
const module: TestingModule = await Test.createTestingModule({
imports: [
ConfigModule,
HttpModule.register({
timeout: 100, // 100ms for fast testing
maxRedirects: 5,
}),
],
}).compile();
httpService = module.get<HttpService>(HttpService);
});
it("should timeout requests that exceed the configured timeout", async () => {
// This test verifies the timeout mechanism exists
// In a real scenario, a slow server would trigger this
const axiosInstance = httpService.axiosRef;
expect(axiosInstance.defaults.timeout).toBe(100);
});
});