feat: harden enterprise control plane

2026-05-17 02:20:08 +08:00
parent 67511c31f4
commit e1aed590f8
112 changed files with 10977 additions and 2004 deletions
--- a/tests/state-store-maintenance-script.test.ts
+++ b/tests/state-store-maintenance-script.test.ts
@@ -14,9 +14,12 @@ test("state store maintenance script exposes migration, backup, export, and roll

  for (const command of [
    "describe",
+    "validate-schema",
    "backup-file",
    "export-file",
    "migrate-file-to-postgres",
+    "export-postgres-backup",
+    "restore-postgres-backup",
    "rollback-postgres-to-file",
  ]) {
    assert.match(source, new RegExp(command));
@@ -54,3 +57,92 @@ test("backup-file dry run validates local state without requiring postgres", asy
    await rm(root, { recursive: true, force: true });
  }
 });
+
+test("migrate-file-to-postgres dry run requires explicit postgres mode and database url without connecting", async () => {
+  const root = await mkdtemp(path.join(os.tmpdir(), "boss-state-maintenance-"));
+  try {
+    const stateFile = path.join(root, "boss-state.json");
+    await writeFile(stateFile, JSON.stringify({ schemaVersion: 1, migratedAt: "2026-04-27T00:00:00.000Z" }), "utf8");
+
+    await assert.rejects(
+      execFileAsync(process.execPath, [
+        scriptPath.pathname,
+        "migrate-file-to-postgres",
+        "--input",
+        stateFile,
+        "--dry-run",
+      ], {
+        env: {
+          ...process.env,
+          BOSS_STATE_FILE: stateFile,
+          BOSS_STATE_STORE: "file",
+          BOSS_DATABASE_URL: "",
+        },
+      }),
+      /BOSS_STATE_STORE_POSTGRES_REQUIRED/,
+    );
+
+    await assert.rejects(
+      execFileAsync(process.execPath, [
+        scriptPath.pathname,
+        "migrate-file-to-postgres",
+        "--input",
+        stateFile,
+        "--dry-run",
+      ], {
+        env: {
+          ...process.env,
+          BOSS_STATE_FILE: stateFile,
+          BOSS_STATE_STORE: "postgres",
+          BOSS_DATABASE_URL: "",
+        },
+      }),
+      /BOSS_DATABASE_URL_REQUIRED/,
+    );
+
+    const { stdout } = await execFileAsync(process.execPath, [
+      scriptPath.pathname,
+      "migrate-file-to-postgres",
+      "--input",
+      stateFile,
+      "--dry-run",
+    ], {
+      env: {
+        ...process.env,
+        BOSS_STATE_FILE: stateFile,
+        BOSS_STATE_STORE: "postgres",
+        BOSS_DATABASE_URL: "postgres://boss@example.invalid/boss",
+      },
+    });
+
+    const payload = JSON.parse(stdout);
+    assert.equal(payload.ok, true);
+    assert.equal(payload.action, "migrate-file-to-postgres");
+    assert.equal(payload.dryRun, true);
+    assert.equal(payload.postgresConfigured, true);
+    assert.equal(payload.wouldConnect, false);
+    assert.equal(payload.schemaValid, true);
+  } finally {
+    await rm(root, { recursive: true, force: true });
+  }
+});
+
+test("validate-schema rejects an incomplete postgres schema", async () => {
+  const root = await mkdtemp(path.join(os.tmpdir(), "boss-state-maintenance-"));
+  try {
+    const schemaFile = path.join(root, "postgres-state-schema.sql");
+    await writeFile(schemaFile, "CREATE TABLE boss_state_snapshots (state JSONB NOT NULL);", "utf8");
+
+    await assert.rejects(
+      execFileAsync(process.execPath, [
+        scriptPath.pathname,
+        "validate-schema",
+        "--schema",
+        schemaFile,
+      ]),
+      /POSTGRES_SCHEMA_INVALID/,
+    );
+  } finally {
+    await rm(root, { recursive: true, force: true });
+  }
+});