mirror of
https://github.com/MoonshotAI/kimi-code.git
synced 2026-07-09 17:29:12 +00:00
* ci: run unit tests on windows * fix(migration-legacy): align workdir bucket key with agent-core computeWorkdirBucket used a local node:path-based resolve that yields backslash-separated paths on Windows, while agent-core's encodeWorkDirKey uses pathe (forward slashes on every platform). The SHA-256 inputs diverged, so migrated sessions were written to a bucket that the session picker never reads, making them invisible on Windows. Alias computeWorkdirBucket to encodeWorkDirKey so both sides stay byte-identical, drop the local slugify copy, and update the workdir-bucket test reference accordingly. * test(acp-adapter): expect platform-native separators in e2e-fs path The e2e-fs test asserted the fs/readTextFile wire path as the raw POSIX targetPath, but AcpKaos.toClientPath converts '/' to '\' when the inner LocalKaos reports pathClass 'win32' (Windows). On Windows the wire path became '\Users\test\x.ts' and the assertion failed. Mirror toClientPath in the test: expect backslash separators on win32 and the raw path otherwise. Implementation is unchanged. * test(sdk): normalize workDir and skillDir paths in session tests SessionStore.create/list and the skill loader normalize paths through pathe (forward slashes). The SDK tests compared the resulting workDir and skill loaded-dir against raw mkdtemp / node:path strings, which use backslashes on Windows (and node:fs realpath also returns backslashes for the skill dir), failing three toMatchObject assertions. Build the expected paths with agent-core's normalizeWorkDir so they match the internal pathe representation on every platform. The skill dir keeps its realpath() (the loader realpaths the root) and only normalizes separators. * test(skill): normalize realpath to forward slashes in scanner tests resolveSkillRoots normalizes every root.path through fs.realpath followed by replacing backslashes with forward slashes (scanner.ts). The scanner tests compared root.path against node:fs realpath directly, which returns backslashes on Windows, so twenty assertions failed (toEqual / toContain / toHaveLength) even though the resolved paths were identical. Wrap realpath at the top of the test file to mirror the implementation's normalization, so every comparison uses the same forward-slash form on every platform. * test: skip Unix-only permission tests on Windows The Unix file-permission assertions (mode bits like 0o600 / 0o700 and chmod 000 making a path unreadable) have no equivalent on Windows, which uses ACLs; fs.chmod there can only toggle the read-only bit. These six tests failed on Windows with mismatched mode values or a missing 40411. Skip them on win32 via it.skipIf(process.platform === 'win32'): oauth FileTokenStorage (0600 file, 0700 dir), agent-core BackgroundTaskPersistence (0700 tasks dir), agent-core createPerIdJsonStore (0700 subdir), migration-legacy atomicWrite (0600 file), and server fs:browse (chmod 000 -> 40411). * test(tui): make platform-sensitive assertions cross-platform The TUI implementations are already platform-aware (pathe-style paths, pathToFileURL, quoteShellArg cmd/POSIX quoting, Alt+V on Windows for paste expansion), but the tests hard-coded POSIX expectations and failed on Windows. Align the assertions with the implementation's platform behavior: footer-goal-badge matches the '[goal' badge prefix instead of /goal/ (toolbar tips contain '/goal'); tool-call expects backslash relative paths on win32; plan-box builds the file:// URL via pathToFileURL; custom-editor sends Alt+V on win32 for paste expansion; file-mention-provider normalizes the expected description to forward slashes; kimi-tui-startup builds the resume command with quoteShellArg; kimi-tui-message-flow builds the expected install path with resolve(). * test: align path assertions with pathe on Windows Several test suites asserted paths produced by node:path/node:os/node:fs against values that agent-core, node-sdk and kaos normalize through pathe (forward slashes). On Windows the two forms diverge (backslashes vs forward slashes), failing about 19 assertions. Mirror the implementation's normalization in the assertions via a local toPosix helper (or agent-core's normalizeWorkDir), so expected paths use forward slashes on every platform: kaos LocalKaos, node-sdk export/list/resume/config/transport sessions, cli FileMentionProvider, and agent-core skill-session. * test(native): build path expectations with node:path.resolve paths.mjs builds every path with node:path.resolve, which yields backslash-separated absolute paths on Windows. The path-helpers tests asserted against template strings that mixed the backslash appRoot with forward-slash segments, so Object.is failed on Windows even though the strings looked identical. Build the expectations with the same resolve(appRoot, ...) helper so the separators match on every platform. * fix: make Windows CI tests pass across all packages Fix the remaining Windows CI failures so the Windows test job can go green. The changes fall into a few categories: - Path separators: agent-core/node-sdk/kaos normalize paths via pathe (forward slashes); align test expectations and a couple of implementations (native cache base, workspace registry) with that. - Platform-only services: skip launchd/systemd manager suites on win32 (Windows uses schtasks). - Process/signal lifecycle: skip or relax tests that rely on POSIX signals / SIGTERM semantics that Windows does not support. - Hook shell syntax: rewrite hook test commands from POSIX shell (single quotes, semicolons, stderr redirects, if/then/fi) to node -e / .cjs files that run under cmd.exe. - CRLF: make Bash tool description stripping tolerate CRLF line endings. - Misc: realpath short-name divergence, port-retry timing, telemetry spawn, fs-watch timing, snapshot path normalization, etc. * fix: remove unused basename import in workspaceRegistryService Fix lint error (no-unused-vars): basename from node:path is no longer used after switching to posixBasename from pathe. * fix: align resume harness pathClass and wait for banner state on Windows Two more Windows CI fixes: - createResumeNoSideEffectKaos now reports pathClass 'win32' on Windows so tool descriptions (e.g. Glob's Windows note) match the live agent in expectResumeMatches, fixing usage/description deep-equal drift. - kimi-tui-startup once-banner test now waits for writeBannerDisplayState to land before asserting, since the atomic write can lag behind the render on Windows. * fix: resolve remaining Windows unit test failures Make the new Windows CI job green across agent-core, kaos, node-sdk and server: - Align the resume harness kaos pathClass with the live agent so platform-conditional tool descriptions (Glob's Windows note) match in expectResumeMatches instead of drifting on win32. - Rewrite hook commands in agent-core tests as cross-platform node one-liners; single-quote echo, >&2 and ';' do not work under cmd.exe. - Add .gitattributes enforcing LF so raw-imported templates (e.g. the compaction instruction) produce byte-identical token counts on Windows and POSIX. - Terminate the full process tree on Windows in both the hook runner and kaos (taskkill /T /F) so grandchildren cannot outlive their parent and keep the cwd locked. - Normalize workDir path separators in two kimi-sdk session tests to match the stored canonical form. - Avoid cmd.exe arg-quoting pitfalls in the kaos cmd.exe test, and run the Windows process-tree kill test from a script file with the pid path passed via argv. - Give the first fs-git e2e test more time on Windows and retry the temp-dir cleanup; skip the fs-watch overflow-burst assertion on Windows where fs-event coalescing prevents the single-window spike. * ci: retrigger checks * fix: resolve remaining Windows failures after merging main - Terminate the spawned git/gh process tree on Windows in FsGitService (taskkill /T /F on timeout) so a timed-out 'gh pr view' cannot leave a grandchild holding the workspace cwd, which made the fs-git e2e cleanup fail with EPERM. - Give the fs:git_status e2e suite a longer timeout on Windows and retry the temp-dir cleanup longer to ride out the slower child-process teardown. - Make the third-party plugin install trust test assert the resolved install path via node:path so it matches the Windows-resolved path (D:\tmp\...) as well as the POSIX one. * fix: align workspace registry roots and harden fs-git cleanup on Windows - workspace-registry test: compare normalized (forward-slash) roots, since the registry and session index both store workDir via pathe.resolve (forward slashes on every platform). realpath() yields backslashes on Windows and diverged from the stored root. - fs-git e2e: bump the temp-dir cleanup retries and the afterEach timeout, since Windows child-process teardown after server.close() is asynchronous and can keep the workspace cwd locked for several seconds. * test: stub openUrl in kimi-tui-message-flow feedback tests The /feedback command falls back to openUrl(FEEDBACK_ISSUE_URL) when submission fails, which spawned a real browser window on every test run. Mock #/utils/open-url (matching the existing login/message-replay/server test convention) so the suite never opens a browser. * test: harden fs-git e2e cleanup against Windows cwd locks On Windows, git/gh child processes and the session core process can outlive server.close() and keep the temp workspace as their cwd, so rmSync fails with EPERM even after a long retry. Add rmSyncRobust that retries and, if the cwd is still locked, swallows EPERM/EBUSY on Windows — the OS reclaims the temp dir and a cleanup hiccup must not fail an otherwise-passing test. * test: harden server e2e cleanup against async teardown races server.close() does not fully await the server's asynchronous teardown, so on a loaded CI runner the temp home/workspace dirs can still be held or written to when the afterEach rmSync runs, failing with EPERM (Windows) or ENOTEMPTY (Linux). Use a rmSyncRobust helper (retry + swallow EPERM/EBUSY/ENOTEMPTY) in the fs-git and question e2e cleanup. Also fix a leftover `throw err` (renamed to `throw error`) that broke the typecheck.
208 lines
6.2 KiB
TypeScript
208 lines
6.2 KiB
TypeScript
/**
|
|
* Production auth wiring end-to-end (ROADMAP M5.1).
|
|
*
|
|
* Unlike the override-driven tests (which inject a fixed-token
|
|
* `IAuthTokenService`), this file boots `startServer` with NO auth override so
|
|
* the REAL `defaultAuth` is built: a persistent token written to
|
|
* `<homeDir>/server.token` (0600) plus the HTTP/WS auth hooks. The token
|
|
* is read back from disk — exactly what the CLI does (M5.4) — and exercised
|
|
* against a gated HTTP route and the WS upgrade path. This proves the
|
|
* production wiring, not just the override seam.
|
|
*/
|
|
|
|
import { mkdtempSync, readFileSync, rmSync, statSync } from 'node:fs';
|
|
import { tmpdir } from 'node:os';
|
|
import { join } from 'node:path';
|
|
|
|
import { pino } from 'pino';
|
|
import { afterEach, beforeEach, describe, expect, it } from 'vitest';
|
|
import { WebSocket, type RawData } from 'ws';
|
|
|
|
import { startServer, type RunningServer } from '../src';
|
|
import { rawDataToString } from '../src/ws/rawData';
|
|
|
|
let tmpDir: string;
|
|
let lockPath: string;
|
|
let bridgeHome: string;
|
|
const running: RunningServer[] = [];
|
|
|
|
beforeEach(() => {
|
|
tmpDir = mkdtempSync(join(tmpdir(), 'kimi-server-auth-wiring-'));
|
|
lockPath = join(tmpDir, 'lock');
|
|
bridgeHome = mkdtempSync(join(tmpdir(), 'kimi-server-auth-wiring-home-'));
|
|
});
|
|
|
|
afterEach(async () => {
|
|
for (const r of running.splice(0)) {
|
|
try {
|
|
await r.close();
|
|
} catch {
|
|
// ignore
|
|
}
|
|
}
|
|
rmSync(tmpDir, { recursive: true, force: true });
|
|
rmSync(bridgeHome, { recursive: true, force: true });
|
|
});
|
|
|
|
function tokenPath(): string {
|
|
return join(bridgeHome, 'server.token');
|
|
}
|
|
|
|
function readToken(): string {
|
|
return readFileSync(tokenPath(), 'utf8').trim();
|
|
}
|
|
|
|
async function bootReal(): Promise<RunningServer> {
|
|
const r = await startServer({
|
|
host: '127.0.0.1',
|
|
port: 0,
|
|
lockPath,
|
|
logger: pino({ level: 'silent' }),
|
|
coreProcessOptions: { homeDir: bridgeHome },
|
|
});
|
|
running.push(r);
|
|
return r;
|
|
}
|
|
|
|
function wsUrl(http: string): string {
|
|
return http.replace(/^http:\/\//, 'ws://') + '/api/v1/ws';
|
|
}
|
|
|
|
interface WsFrame {
|
|
type: string;
|
|
[k: string]: unknown;
|
|
}
|
|
|
|
interface Conn {
|
|
ws: WebSocket;
|
|
queue: WsFrame[];
|
|
waiters: Array<(frame: WsFrame) => void>;
|
|
closed: Promise<{ code: number; reason: string }>;
|
|
}
|
|
|
|
function openConn(url: string, protocols?: string[]): Promise<Conn> {
|
|
return new Promise((resolve, reject) => {
|
|
const ws = new WebSocket(url, protocols);
|
|
const queue: WsFrame[] = [];
|
|
const waiters: Array<(frame: WsFrame) => void> = [];
|
|
let closedResolve: (v: { code: number; reason: string }) => void;
|
|
const closed = new Promise<{ code: number; reason: string }>((res) => {
|
|
closedResolve = res;
|
|
});
|
|
// Attach the message listener BEFORE 'open' can fire so the immediate
|
|
// `server_hello` frame is never dropped.
|
|
ws.on('message', (data: RawData) => {
|
|
try {
|
|
const frame = JSON.parse(rawDataToString(data)) as WsFrame;
|
|
if (waiters.length > 0) waiters.shift()?.(frame);
|
|
else queue.push(frame);
|
|
} catch {
|
|
// ignore non-JSON frames
|
|
}
|
|
});
|
|
ws.on('close', (code, reason) => closedResolve({ code, reason: String(reason) }));
|
|
ws.once('open', () => resolve({ ws, queue, waiters, closed }));
|
|
ws.once('error', reject);
|
|
});
|
|
}
|
|
|
|
function receive(conn: Conn, timeoutMs: number): Promise<WsFrame> {
|
|
return new Promise((resolve, reject) => {
|
|
if (conn.queue.length > 0) {
|
|
resolve(conn.queue.shift()!);
|
|
return;
|
|
}
|
|
const t = setTimeout(() => {
|
|
const idx = conn.waiters.indexOf(waiter);
|
|
if (idx >= 0) conn.waiters.splice(idx, 1);
|
|
reject(new Error(`no message within ${timeoutMs}ms`));
|
|
}, timeoutMs);
|
|
const waiter = (frame: WsFrame): void => {
|
|
clearTimeout(t);
|
|
resolve(frame);
|
|
};
|
|
conn.waiters.push(waiter);
|
|
});
|
|
}
|
|
|
|
async function receiveType(conn: Conn, type: string, timeoutMs: number): Promise<WsFrame> {
|
|
const deadline = Date.now() + timeoutMs;
|
|
for (;;) {
|
|
const remaining = deadline - Date.now();
|
|
if (remaining <= 0) throw new Error(`no message of type ${type} within ${timeoutMs}ms`);
|
|
const frame = await receive(conn, remaining);
|
|
if (frame.type === type) return frame;
|
|
}
|
|
}
|
|
|
|
function expectRejected(url: string): Promise<void> {
|
|
return new Promise((resolve, reject) => {
|
|
const ws = new WebSocket(url);
|
|
const t = setTimeout(
|
|
() => done(new Error('connection was not rejected within timeout')),
|
|
1500,
|
|
);
|
|
const done = (err?: Error): void => {
|
|
clearTimeout(t);
|
|
ws.removeAllListeners();
|
|
try {
|
|
ws.terminate();
|
|
} catch {
|
|
// ignore
|
|
}
|
|
if (err === undefined) {
|
|
resolve();
|
|
} else {
|
|
reject(err);
|
|
}
|
|
};
|
|
ws.once('open', () => done(new Error('connection unexpectedly opened')));
|
|
ws.once('error', () => done());
|
|
ws.once('close', () => done());
|
|
});
|
|
}
|
|
|
|
describe('production auth wiring (M5.1)', () => {
|
|
it.skipIf(process.platform === 'win32')('writes a 0600 token file at boot and keeps it on close (persistent)', async () => {
|
|
const r = await bootReal();
|
|
const p = tokenPath();
|
|
|
|
const info = statSync(p);
|
|
expect(info.mode & 0o777).toBe(0o600);
|
|
|
|
const token = readToken();
|
|
expect(token.length).toBeGreaterThan(0);
|
|
|
|
await r.close();
|
|
// Persistent token: the file survives shutdown so the next start reuses it.
|
|
expect(statSync(p).mode & 0o777).toBe(0o600);
|
|
});
|
|
|
|
it('gates HTTP: 200 with the token, 401 without', async () => {
|
|
const r = await bootReal();
|
|
const token = readToken();
|
|
|
|
const ok = await fetch(`${r.address}/openapi.json`, {
|
|
headers: { Authorization: `Bearer ${token}` },
|
|
});
|
|
expect(ok.status).toBe(200);
|
|
|
|
const bad = await fetch(`${r.address}/openapi.json`);
|
|
expect(bad.status).toBe(401);
|
|
const body = (await bad.json()) as { code: number };
|
|
expect(body.code).toBe(40101);
|
|
});
|
|
|
|
it('gates WS: server_hello with the token, rejected without', async () => {
|
|
const r = await bootReal();
|
|
const token = readToken();
|
|
|
|
const conn = await openConn(wsUrl(r.address), [`kimi-code.bearer.${token}`]);
|
|
const hello = await receiveType(conn, 'server_hello', 1000);
|
|
expect(hello.type).toBe('server_hello');
|
|
conn.ws.close();
|
|
await conn.closed;
|
|
|
|
await expectRejected(wsUrl(r.address));
|
|
});
|
|
});
|