import test from "node:test";
import assert from "node:assert/strict";
import os from "node:os";
import path from "node:path";
import { mkdtemp, rm } from "node:fs/promises";
// Temp directory backing BOSS_RUNTIME_ROOT / BOSS_STATE_FILE for this test file.
// Stays empty until setup() has created it.
let runtimeRoot = "";

// Project modules are loaded lazily by setup(), after the env vars point at the temp directory.
let data: typeof import("../src/lib/boss-data");
let masterAgent: typeof import("../src/lib/boss-master-agent");

// Deep copy of the state returned by the first readState() call; each test starts from a clone of it.
let baseState: Awaited<ReturnType<typeof data.readState>>;
/**
 * Lazily prepares the isolated environment used by every test in this file.
 *
 * On first use it creates a temp directory, points BOSS_RUNTIME_ROOT and
 * BOSS_STATE_FILE at it, imports the project modules and keeps a deep copy of
 * the initial state in `baseState`. Once all three pieces exist, further calls
 * do nothing.
 */
async function setup() {
  if (runtimeRoot === "") {
    const tempDir = await mkdtemp(path.join(os.tmpdir(), "boss-rbac-master-scope-"));
    runtimeRoot = tempDir;
    process.env.BOSS_RUNTIME_ROOT = tempDir;
    process.env.BOSS_STATE_FILE = path.join(tempDir, "boss-state.json");
  }

  // The env vars are assigned before the first dynamic import. Presumably the
  // modules read them to locate their storage, so the order matters for keeping
  // this test away from any real state file — confirm against boss-data.
  if (data === undefined) {
    data = await import("../src/lib/boss-data.ts");
    const initialState = await data.readState();
    baseState = structuredClone(initialState);
  }

  if (masterAgent === undefined) {
    masterAgent = await import("../src/lib/boss-master-agent.ts");
  }
}
// Delete the temp runtime directory (state file included) once the file's tests are done.
test.after(async () => {
  if (!runtimeRoot) {
    // setup() never ran, so there is nothing on disk to clean up.
    return;
  }
  // force: true keeps the cleanup from throwing when the directory is already gone.
  await rm(runtimeRoot, { recursive: true, force: true });
});
/**
 * Rebuilds the RBAC fixture before each test and writes it through writeState().
 *
 * The fixture has three kinds of records:
 *  - a control set that worker@example.com is granted (device "mac-studio",
 *    project "master-agent", skill "mac-studio:boss-server-debug");
 *  - records on a device and project with no grant at all ("cloud-backup" /
 *    "cloud-only-project");
 *  - "cross-device" records filed under the granted project but produced by the
 *    ungranted device, so a filter that checks the project alone would let
 *    them through.
 * Every ungranted record carries a *_SHOULD_NOT_LEAK marker (or a recognisable
 * "Secret"/"Unauthorized" name) that a test can search the prompt for.
 */
test.beforeEach(async () => {
  await setup();

  const seededAt = "2026-04-26T12:00:00+08:00";
  const memberAccount = "worker@example.com";
  const grantor = "krisolo";
  const grantedDeviceId = "mac-studio";
  const grantedProjectId = "master-agent";
  const grantedSkillId = "mac-studio:boss-server-debug";
  const hiddenDeviceId = "cloud-backup";
  const hiddenProjectId = "cloud-only-project";
  const hiddenThreadId = "thread-cloud-only";
  const crossDeviceThreadId = "thread-cross-device-secret";

  // Start from the pristine snapshot so seeded records never accumulate across tests.
  const state = structuredClone(baseState);

  // Device owned by a different account; the member account has no grant on it.
  state.devices.push({
    id: hiddenDeviceId,
    name: "Cloud Backup Secret Mac",
    avatar: "C",
    account: "other@example.com",
    source: "production",
    status: "online",
    projects: [hiddenProjectId],
    quota5h: 0,
    quota7d: 0,
    lastSeenAt: seededAt,
    preferredExecutionMode: "cli",
  });

  // Project that lives only on the ungranted device; preview and message body are leak markers.
  state.projects.push({
    id: hiddenProjectId,
    name: "Unauthorized Secret Project",
    pinned: false,
    systemPinned: false,
    deviceIds: [hiddenDeviceId],
    preview: "UNAUTHORIZED_PROJECT_PREVIEW_SHOULD_NOT_LEAK",
    updatedAt: seededAt,
    lastMessageAt: seededAt,
    isGroup: false,
    threadMeta: {
      projectId: hiddenProjectId,
      threadId: hiddenThreadId,
      threadDisplayName: "Unauthorized Secret Thread",
      folderName: "Unauthorized Folder",
      activityIconCount: 0,
      updatedAt: seededAt,
      codexThreadRef: hiddenThreadId,
      codexFolderRef: "unauthorized-folder",
    },
    groupMembers: [],
    createdByAgent: true,
    collaborationMode: "development",
    approvalState: "not_required",
    unreadCount: 0,
    riskLevel: "low",
    messages: [
      {
        id: "secret-message",
        sender: "assistant",
        senderLabel: "Codex",
        body: "UNAUTHORIZED_SECRET_MESSAGE_SHOULD_NOT_LEAK",
        sentAt: seededAt,
        kind: "text",
      },
    ],
    goals: [],
    versions: [],
  });

  state.threadStatusDocuments = [
    // Control: granted project on the granted device.
    {
      documentId: "visible-status",
      projectId: grantedProjectId,
      threadId: "visible-thread",
      threadDisplayName: "Visible Status",
      folderName: "Visible Folder",
      deviceId: grantedDeviceId,
      projectGoal: "VISIBLE_STATUS_DOCUMENT",
      currentPhase: "联调",
      currentProgress: "",
      technicalArchitecture: "",
      currentBlockers: "",
      recommendedNextStep: "",
      keyFiles: [],
      keyCommands: [],
      updatedAt: seededAt,
      sourceTaskId: "visible-task",
      sourceKind: "full_sync",
    },
    // Ungranted project on the ungranted device.
    {
      documentId: "secret-status",
      projectId: hiddenProjectId,
      threadId: hiddenThreadId,
      threadDisplayName: "Secret Status",
      folderName: "Unauthorized Folder",
      deviceId: hiddenDeviceId,
      projectGoal: "UNAUTHORIZED_STATUS_DOCUMENT_SHOULD_NOT_LEAK",
      currentPhase: "秘密阶段",
      currentProgress: "",
      technicalArchitecture: "",
      currentBlockers: "",
      recommendedNextStep: "",
      keyFiles: [],
      keyCommands: [],
      updatedAt: seededAt,
      sourceTaskId: "secret-task",
      sourceKind: "full_sync",
    },
    // Granted project, but the document comes from the ungranted device.
    {
      documentId: "cross-device-secret-status",
      projectId: grantedProjectId,
      threadId: crossDeviceThreadId,
      threadDisplayName: "Cross Device Secret Status",
      folderName: "Visible Project Unauthorized Device",
      deviceId: hiddenDeviceId,
      projectGoal: "UNAUTHORIZED_DEVICE_STATUS_DOCUMENT_SHOULD_NOT_LEAK",
      currentPhase: "秘密设备阶段",
      currentProgress: "",
      technicalArchitecture: "",
      currentBlockers: "",
      recommendedNextStep: "",
      keyFiles: [],
      keyCommands: [],
      updatedAt: seededAt,
      sourceTaskId: "cross-device-secret-task",
      sourceKind: "full_sync",
    },
  ];

  // Both progress events originate from the ungranted device; the second sits under the granted project.
  state.threadProgressEvents = [
    {
      eventId: "secret-progress",
      projectId: hiddenProjectId,
      threadId: hiddenThreadId,
      threadDisplayName: "Secret Progress",
      deviceId: hiddenDeviceId,
      summary: "UNAUTHORIZED_PROGRESS_EVENT_SHOULD_NOT_LEAK",
      eventType: "progress_updated",
      createdAt: seededAt,
      sourceTaskId: "secret-task",
    },
    {
      eventId: "cross-device-secret-progress",
      projectId: grantedProjectId,
      threadId: crossDeviceThreadId,
      threadDisplayName: "Cross Device Secret Progress",
      deviceId: hiddenDeviceId,
      summary: "UNAUTHORIZED_DEVICE_PROGRESS_EVENT_SHOULD_NOT_LEAK",
      eventType: "progress_updated",
      createdAt: seededAt,
      sourceTaskId: "cross-device-secret-task",
    },
  ];

  // Context snapshots reference the device through nodeId rather than deviceId.
  state.threadContextSnapshots = [
    {
      snapshotId: "secret-snapshot",
      projectId: hiddenProjectId,
      taskId: "secret-task",
      threadId: hiddenThreadId,
      title: "Unauthorized Secret Context",
      summary: "UNAUTHORIZED_CONTEXT_SNAPSHOT_SHOULD_NOT_LEAK",
      nodeId: hiddenDeviceId,
      workerId: "worker-secret",
      sourceKind: "worker_estimator",
      status: "context_urgent",
      contextBudgetRemainingPct: 7,
      contextBudgetLevel: "critical",
      mustFinishBeforeCompaction: true,
      estimatedRemainingTurns: 1,
      estimatedRemainingLargeMessages: 1,
      compactionCount: 0,
      patchPending: false,
      testsPending: false,
      evidencePending: false,
      checklist: [],
      capturedAt: seededAt,
    },
    {
      snapshotId: "cross-device-secret-snapshot",
      projectId: grantedProjectId,
      taskId: "cross-device-secret-task",
      threadId: crossDeviceThreadId,
      title: "Cross Device Secret Context",
      summary: "UNAUTHORIZED_DEVICE_CONTEXT_SNAPSHOT_SHOULD_NOT_LEAK",
      nodeId: hiddenDeviceId,
      workerId: "worker-cross-device-secret",
      sourceKind: "worker_estimator",
      status: "context_urgent",
      contextBudgetRemainingPct: 9,
      contextBudgetLevel: "critical",
      mustFinishBeforeCompaction: true,
      estimatedRemainingTurns: 1,
      estimatedRemainingLargeMessages: 1,
      compactionCount: 0,
      patchPending: false,
      testsPending: false,
      evidencePending: false,
      checklist: [],
      capturedAt: seededAt,
    },
  ];

  // One skill on the granted device (control) and one on the ungranted device.
  state.deviceSkills = [
    {
      skillId: grantedSkillId,
      deviceId: grantedDeviceId,
      name: "boss-server-debug",
      description: "VISIBLE_SKILL",
      path: "/Users/kris/.codex/skills/boss-server-debug/SKILL.md",
      invocation: "$boss-server-debug",
      category: "Mac Studio",
      updatedAt: seededAt,
    },
    {
      skillId: "cloud-backup:secret-skill",
      deviceId: hiddenDeviceId,
      name: "secret-skill",
      description: "UNAUTHORIZED_SKILL_SHOULD_NOT_LEAK",
      path: "/tmp/secret/SKILL.md",
      invocation: "$secret-skill",
      category: "Secret",
      updatedAt: seededAt,
    },
  ];

  // Grants for the member account: exactly one device, one project and one skill.
  // The three grant lists are replaced outright, so nothing from the base state carries over.
  state.accountDeviceGrants = [
    {
      grantId: "grant-worker-mac-view",
      account: memberAccount,
      deviceId: grantedDeviceId,
      permissions: ["device.view"],
      grantedBy: grantor,
      grantedAt: seededAt,
    },
  ];
  state.accountProjectGrants = [
    {
      grantId: "grant-worker-master-ask",
      account: memberAccount,
      projectId: grantedProjectId,
      permissions: ["project.view", "master_agent.ask"],
      grantedBy: grantor,
      grantedAt: seededAt,
    },
  ];
  state.accountSkillGrants = [
    {
      grantId: "grant-worker-visible-skill",
      account: memberAccount,
      skillId: grantedSkillId,
      deviceId: grantedDeviceId,
      permissions: ["skill.view", "skill.use"],
      grantedBy: grantor,
      grantedAt: seededAt,
    },
  ];

  await data.writeState(state);
});
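/**
 * RBAC scope check for the master-agent prompt.
 *
 * Builds the prompt for a `member` session whose account holds grants on one
 * device, one project and one skill, then verifies that
 *  1. the resolved device/project/skill scope matches those grants, and
 *  2. none of the markers seeded on ungranted records appear in the prompt text.
 *
 * The marker list includes the message body of the ungranted project, which the
 * fixture seeds as UNAUTHORIZED_SECRET_MESSAGE_SHOULD_NOT_LEAK. A final
 * catch-all rejects any `SHOULD_NOT_LEAK` text, so markers added to the fixture
 * later are covered without touching this list.
 */
test("main agent prompt is built from authorized devices projects and skills only", async () => {
  const state = await data.readState();
  const result = masterAgent.buildAuthorizedMasterAgentPromptForTest({
    state,
    session: {
      account: "worker@example.com",
      role: "member",
      displayName: "Worker",
    },
    projectId: "master-agent",
    requestText: "总结我能看到的项目和运行状态",
  });

  // Resolved scope must equal the seeded grants.
  assert.deepEqual(result.authorizedDeviceIds, ["mac-studio"]);
  assert.equal(result.authorizedProjectIds.includes("master-agent"), true);
  assert.equal(result.authorizedProjectIds.includes("cloud-only-project"), false);
  assert.deepEqual(result.authorizedSkillIds, ["mac-studio:boss-server-debug"]);

  // Positive control: without it, an empty prompt would pass every negative check below.
  assert.equal(result.prompt.includes("VISIBLE_STATUS_DOCUMENT"), true);

  // Markers seeded on records the account has no grant for.
  const forbiddenMarkers = [
    "UNAUTHORIZED_PROJECT_PREVIEW_SHOULD_NOT_LEAK",
    "UNAUTHORIZED_SECRET_MESSAGE_SHOULD_NOT_LEAK",
    "UNAUTHORIZED_STATUS_DOCUMENT_SHOULD_NOT_LEAK",
    "UNAUTHORIZED_DEVICE_STATUS_DOCUMENT_SHOULD_NOT_LEAK",
    "UNAUTHORIZED_PROGRESS_EVENT_SHOULD_NOT_LEAK",
    "UNAUTHORIZED_DEVICE_PROGRESS_EVENT_SHOULD_NOT_LEAK",
    "UNAUTHORIZED_CONTEXT_SNAPSHOT_SHOULD_NOT_LEAK",
    "UNAUTHORIZED_DEVICE_CONTEXT_SNAPSHOT_SHOULD_NOT_LEAK",
    "UNAUTHORIZED_SKILL_SHOULD_NOT_LEAK",
    "Cloud Backup Secret Mac",
  ];
  for (const marker of forbiddenMarkers) {
    // The message names the marker so a failure points at the record type that leaked.
    assert.equal(
      result.prompt.includes(marker),
      false,
      `prompt contains content from an ungranted record: ${marker}`,
    );
  }

  // Catch-all for any marker that follows the fixture's naming convention.
  assert.equal(
    result.prompt.includes("SHOULD_NOT_LEAK"),
    false,
    "prompt contains a SHOULD_NOT_LEAK marker",
  );

  // NOTE(review): the ungranted project's name, thread name, folder name and the
  // ungranted skill's path are seeded but not asserted here; add them if the
  // prompt builder is expected to withhold metadata as well as content.
});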