Void-Homelab/tests/api/audit.test.js

import { describe, it, expect, beforeAll, beforeEach } from 'vitest';
import request from 'supertest';
import { setup } from './helpers.js';
import * as spacesRepo from '../../lib/db/repos/spaces.js';
import * as pagesRepo from '../../lib/db/repos/pages.js';
import * as agentsRepo from '../../lib/db/repos/agents.js';

let app, ownerHeaders, space;
const owner = { kind: 'user', id: null };

beforeAll(async () => { ({ app, ownerHeaders } = await setup()); });
beforeEach(async () => {
  space = await spacesRepo.create(
    { slug: `s-${Date.now()}-${Math.random().toString(36).slice(2,5)}`, name: 'S' }, owner
  );
});

describe('audit routes', () => {
  it('GET /entity/:type/:id returns create + update entries ordered DESC', async () => {
    const page = await pagesRepo.create(
      { space_id: space.id, slug: 'pg-au', title: 'T1' }, owner
    );
    await pagesRepo.update(page.id, { title: 'T2' }, owner);
    const res = await request(app)
      .get(`/api/audit/entity/page/${page.id}`).set(ownerHeaders);
    expect(res.status).toBe(200);
    expect(res.body.length).toBeGreaterThanOrEqual(2);
    const actions = res.body.map(e => e.action);
    expect(actions).toContain('create');
    expect(actions).toContain('update');
  });

  it('GET /entity/:type/:id respects limit', async () => {
    const page = await pagesRepo.create(
      { space_id: space.id, slug: 'pg-lim', title: 'T1' }, owner
    );
    for (const t of ['T2','T3','T4']) {
      await pagesRepo.update(page.id, { title: t }, owner);
    }
    const res = await request(app)
      .get(`/api/audit/entity/page/${page.id}?limit=2`).set(ownerHeaders);
    expect(res.body.length).toBe(2);
  });

  it('GET /actor filters by actor_kind=user', async () => {
    await pagesRepo.create({ space_id: space.id, slug: 'a-u', title: 'Au' }, owner);
    const res = await request(app)
      .get('/api/audit/actor?actor_kind=user').set(ownerHeaders);
    expect(res.status).toBe(200);
    expect(res.body.every(e => e.actor_kind === 'user')).toBe(true);
  });

  it('GET /actor with actor_id filters tightly', async () => {
    const agent = await agentsRepo.create({
      slug: `au-agent-${Date.now()}`, name: 'A', kind: 'claude', model: 'sonnet',
      capabilities: { read: true, write: true }, scopes: { page: true }
    }, owner);
    const actor = { kind: 'agent', id: agent.id };
    await pagesRepo.create({ space_id: space.id, slug: 'a-x', title: 'X' }, actor);
    const res = await request(app)
      .get(`/api/audit/actor?actor_kind=agent&actor_id=${agent.id}`).set(ownerHeaders);
    expect(res.status).toBe(200);
    expect(res.body.length).toBeGreaterThan(0);
    expect(res.body.every(e => e.actor_id === agent.id)).toBe(true);
  });

  it('agent token → 403 on audit endpoints (owner-only)', async () => {
    const agent = await agentsRepo.create({
      slug: `au-403-${Date.now()}`, name: 'A', kind: 'claude', model: 'sonnet',
      capabilities: { read: true }, scopes: {}
    }, owner);
    const { token } = await agentsRepo.createToken(agent.id, 'test');
    const headers = { Authorization: `Bearer ${token}` };
    const e = await request(app)
      .get('/api/audit/entity/page/00000000-0000-0000-0000-000000000000').set(headers);
    expect(e.status).toBe(403);
    const a = await request(app).get('/api/audit/actor').set(headers);
    expect(a.status).toBe(403);
  });

  it('invalid entity_type → 400', async () => {
    const res = await request(app)
      .get('/api/audit/entity/widget/00000000-0000-0000-0000-000000000000').set(ownerHeaders);
    expect(res.status).toBe(400);
  });
});