Hartmut
c4b01c1bfc
- dispo workbook imports are pinned to DISPO_IMPORT_DIR (default ./imports): tRPC input rejects absolute paths and .. segments, runtime reader re-validates containment via path.relative. Closes a path-traversal class that reached ExcelJS CVEs through admin/compromised tokens. - image validator now checks the full 8-byte PNG magic, enforces PNG IEND and JPEG EOI trailers, scans the decoded buffer for markup polyglot markers (<script, <svg, <iframe, javascript:, onerror=, ...), and explicitly rejects SVG. Provider-generated covers (DALL-E, Gemini) run through the same validator before persistence — an untrusted upstream cannot smuggle a stored-XSS payload past us. - added image-validation.test.ts and tightened documentation. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
150 lines
4.8 KiB
TypeScript
150 lines
4.8 KiB
TypeScript
import { beforeEach, describe, expect, it, vi } from "vitest";
|
|
import { ImportBatchStatus } from "@capakraken/db";
|
|
import { SystemRole } from "@capakraken/shared";
|
|
|
|
vi.mock("@capakraken/application", async (importOriginal) => {
|
|
const actual = await importOriginal<typeof import("@capakraken/application")>();
|
|
return {
|
|
...actual,
|
|
approveEstimateVersion: vi.fn(),
|
|
cloneEstimate: vi.fn(),
|
|
commitDispoImportBatch: vi.fn(),
|
|
countPlanningEntries: vi.fn().mockResolvedValue({ countsByRoleId: new Map() }),
|
|
createEstimateExport: vi.fn(),
|
|
createEstimatePlanningHandoff: vi.fn(),
|
|
createEstimateRevision: vi.fn(),
|
|
assessDispoImportReadiness: vi.fn(),
|
|
loadResourceDailyAvailabilityContexts: vi.fn().mockResolvedValue(new Map()),
|
|
getDashboardDemand: vi.fn().mockResolvedValue([]),
|
|
getDashboardBudgetForecast: vi.fn().mockResolvedValue([]),
|
|
getDashboardOverview: vi.fn(),
|
|
getDashboardSkillGapSummary: vi.fn().mockResolvedValue({
|
|
roleGaps: [],
|
|
totalOpenPositions: 0,
|
|
skillSupplyTop10: [],
|
|
resourcesByRole: [],
|
|
}),
|
|
getDashboardProjectHealth: vi.fn().mockResolvedValue([]),
|
|
getDashboardPeakTimes: vi.fn().mockResolvedValue([]),
|
|
getDashboardTopValueResources: vi.fn().mockResolvedValue([]),
|
|
getEstimateById: vi.fn(),
|
|
listAssignmentBookings: vi.fn().mockResolvedValue([]),
|
|
stageDispoImportBatch: vi.fn(),
|
|
submitEstimateVersion: vi.fn(),
|
|
updateEstimateDraft: vi.fn(),
|
|
};
|
|
});
|
|
|
|
import {
|
|
assessDispoImportReadiness,
|
|
commitDispoImportBatch,
|
|
stageDispoImportBatch,
|
|
} from "@capakraken/application";
|
|
import { executeTool } from "../router/assistant-tools.js";
|
|
import { createToolContext } from "./assistant-tools-dispo-test-helpers.js";
|
|
|
|
describe("assistant dispo import batch delegation tools", () => {
|
|
beforeEach(() => {
|
|
vi.clearAllMocks();
|
|
});
|
|
|
|
it("delegates dispo import batch staging through the real router path", async () => {
|
|
vi.mocked(stageDispoImportBatch).mockResolvedValue({
|
|
id: "batch_1",
|
|
status: ImportBatchStatus.STAGED,
|
|
} as never);
|
|
const ctx = createToolContext({}, { userRole: SystemRole.ADMIN });
|
|
|
|
const result = await executeTool(
|
|
"stage_dispo_import_batch",
|
|
JSON.stringify({
|
|
chargeabilityWorkbookPath: "chargeability.xlsx",
|
|
planningWorkbookPath: "planning.xlsx",
|
|
referenceWorkbookPath: "reference.xlsx",
|
|
costWorkbookPath: "cost.xlsx",
|
|
rosterWorkbookPath: "roster.xlsx",
|
|
notes: "March import",
|
|
}),
|
|
ctx,
|
|
);
|
|
|
|
expect(stageDispoImportBatch).toHaveBeenCalledWith(ctx.db, {
|
|
chargeabilityWorkbookPath: "chargeability.xlsx",
|
|
planningWorkbookPath: "planning.xlsx",
|
|
referenceWorkbookPath: "reference.xlsx",
|
|
costWorkbookPath: "cost.xlsx",
|
|
rosterWorkbookPath: "roster.xlsx",
|
|
notes: "March import",
|
|
});
|
|
expect(JSON.parse(result.content)).toEqual({
|
|
id: "batch_1",
|
|
status: ImportBatchStatus.STAGED,
|
|
});
|
|
});
|
|
|
|
it("delegates dispo import batch validation through the real router path", async () => {
|
|
vi.mocked(assessDispoImportReadiness).mockResolvedValue({
|
|
ready: false,
|
|
checks: [{ key: "stagedResources", status: "warning" }],
|
|
} as never);
|
|
const ctx = createToolContext({}, { userRole: SystemRole.ADMIN });
|
|
|
|
const result = await executeTool(
|
|
"validate_dispo_import_batch",
|
|
JSON.stringify({
|
|
chargeabilityWorkbookPath: "chargeability.xlsx",
|
|
planningWorkbookPath: "planning.xlsx",
|
|
referenceWorkbookPath: "reference.xlsx",
|
|
importBatchId: "batch_1",
|
|
}),
|
|
ctx,
|
|
);
|
|
|
|
expect(assessDispoImportReadiness).toHaveBeenCalledWith({
|
|
chargeabilityWorkbookPath: "chargeability.xlsx",
|
|
planningWorkbookPath: "planning.xlsx",
|
|
referenceWorkbookPath: "reference.xlsx",
|
|
importBatchId: "batch_1",
|
|
});
|
|
expect(JSON.parse(result.content)).toEqual({
|
|
ready: false,
|
|
checks: [{ key: "stagedResources", status: "warning" }],
|
|
});
|
|
});
|
|
|
|
it("delegates dispo import batch commits through the real router path", async () => {
|
|
vi.mocked(commitDispoImportBatch).mockResolvedValue({
|
|
importedAssignments: 7,
|
|
importedProjects: 3,
|
|
} as never);
|
|
const ctx = createToolContext(
|
|
{
|
|
auditLog: {
|
|
create: vi.fn().mockResolvedValue(undefined),
|
|
},
|
|
},
|
|
{ userRole: SystemRole.ADMIN },
|
|
);
|
|
|
|
const result = await executeTool(
|
|
"commit_dispo_import_batch",
|
|
JSON.stringify({
|
|
importBatchId: "batch_1",
|
|
allowTbdUnresolved: true,
|
|
importTbdProjects: false,
|
|
}),
|
|
ctx,
|
|
);
|
|
|
|
expect(commitDispoImportBatch).toHaveBeenCalledWith(ctx.db, {
|
|
importBatchId: "batch_1",
|
|
allowTbdUnresolved: true,
|
|
importTbdProjects: false,
|
|
});
|
|
expect(JSON.parse(result.content)).toEqual({
|
|
importedAssignments: 7,
|
|
importedProjects: 3,
|
|
});
|
|
});
|
|
});
|