test: add Cortex test suite (77 tests, no LLM calls)

Tests cover: - Smoke: /health, /auth/status, /distill/status (test_health.py) - Persona validation: path traversal, bad names, list_personas (test_persona.py) - Chat API: persona routing, session persistence, error handling (test_api_chat.py) - Files API: ALLOWED set enforcement, read/write, missing files (test_api_files.py) - Webhooks: NC Talk HMAC accept/reject, Google Chat JWT (test_webhooks.py) - Tools: scratch read/write/append/clear, tasks CRUD, cron parser + tools (test_tools.py) - Security: path traversal, replay attack, known gaps documented (test_security.py) All LLM calls mocked — suite runs in ~1.4s. Run: cd cortex && .venv/bin/pytest Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-03-20 22:03:42 -04:00
parent 5cadb836fa
commit 92a8f5d894
9 changed files with 981 additions and 0 deletions
--- a/cortex/tests/test_api_files.py
+++ b/cortex/tests/test_api_files.py
@@ -0,0 +1,66 @@
+"""
+Tests for GET/PUT /files/* — allowed set enforcement, read/write, IDENTITY.md.
+"""
+import pytest
+
+
+@pytest.mark.anyio
+async def test_files_list(client):
+    r = await client.get("/files")
+    assert r.status_code == 200
+    files = r.json()["files"]
+    names = [f["name"] for f in files]
+    assert "SOUL.md" in names
+    assert "IDENTITY.md" in names
+    assert "USER.md" in names
+
+
+@pytest.mark.anyio
+async def test_files_get_allowed(client):
+    r = await client.get("/files/IDENTITY.md")
+    assert r.status_code == 200
+    assert "content" in r.json()
+
+
+@pytest.mark.anyio
+async def test_files_get_not_in_allowed(client):
+    """Files outside the ALLOWED set should return 404, not the file content."""
+    for name in ("TASKS.json", "CRONS.json", "SCRATCH.md", "../config.py", ".env"):
+        r = await client.get(f"/files/{name}")
+        assert r.status_code == 404, f"Expected 404 for {name}, got {r.status_code}"
+
+
+@pytest.mark.anyio
+async def test_files_put_and_get(client):
+    """Write a new value and read it back."""
+    content = "# Updated PROTOCOLS\nTest content."
+    r = await client.put("/files/PROTOCOLS.md", json={"content": content})
+    assert r.status_code == 200
+    assert r.json()["ok"] is True
+
+    r2 = await client.get("/files/PROTOCOLS.md")
+    assert r2.status_code == 200
+    assert r2.json()["content"] == content
+
+
+@pytest.mark.anyio
+async def test_files_put_not_allowed(client):
+    r = await client.put("/files/../../etc/passwd", json={"content": "pwned"})
+    assert r.status_code == 404
+
+
+@pytest.mark.anyio
+async def test_files_get_missing_but_allowed(client, personas_root):
+    """An allowed file that doesn't exist yet returns 404."""
+    # Temporarily remove MEMORY_MID.md
+    f = personas_root / "inara" / "MEMORY_MID.md"
+    existed = f.exists()
+    if existed:
+        backup = f.read_text()
+        f.unlink()
+    try:
+        r = await client.get("/files/MEMORY_MID.md")
+        assert r.status_code == 404
+    finally:
+        if existed:
+            f.write_text(backup)