aider_run multi-provider credentials (tools/aider.py):
- _resolve_credentials() — general credential resolver; replaces the previous
OpenRouter-only injection; resolution priority: Anthropic model hint → explicit
host_label → model prefix (openrouter/*, groq/*, deepseek/*, …) → OpenRouter
default → Anthropic API key → any keyed cloud host → local/generic host
- _host_flags() — generates --api-key slug=key for known cloud providers (OpenRouter,
OpenAI, Groq, Together, Fireworks, X.ai, DeepSeek, Mistral); generates
--openai-api-base + --openai-api-key for generic/local hosts (Open WebUI, Ollama);
appends /api suffix for openwebui host_type; auto-prefixes model with 'openai/'
for generic endpoints when model has no / prefix
- Anthropic API keys from providers.anthropic.credentials (not a host entry)
- host_label param added to aider_run and FunctionDeclaration — pick a configured
host by partial label match (e.g. 'OpenRouter', 'Local', 'scott-lt-i7-rtx')
- 16 unit tests for _resolve_credentials covering all resolution paths
main.py: move @app.get("/health") before app.include_router(ui.router) — the
/{username} catch-all in ui.router was swallowing the /health path
Test suite: 37 pre-existing failures → 182/182 passing
- test_tools.py: _task_list() missing priority arg (6 callsites); cron ID regex
c_\w+ → c_[\w-]+ (token_urlsafe includes '-', causing intermittent truncation)
- test_webhooks.py: rewritten for per-user channel config architecture —
patch routers.nextcloud_talk/google_chat.get_user_channels instead of removed
settings fields; corrected endpoints /webhook/nextcloud/scott and
/channels/google-chat/scott; non-empty cfg dicts so falsy-guard passes
- test_health.py: test_unknown_route_404 now uses 3-segment path (/{u}/{p}/x)
since single-segment paths hit the /{username} UI catch-all
- test_api_files.py: removed '../config.py' from not-in-allowed test (ASGI
normalizes it to /config.py which hits /{username} catch-all, not files router)
- test_security.py: same webhook patch target fix; per-user endpoint URLs
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
"""
Tests for GET/PUT /files/* — allowed set enforcement, read/write, IDENTITY.md.
"""
import pytest
@pytest.mark.anyio
async def test_files_list(client):
    """GET /files returns 200 and its listing names SOUL.md, IDENTITY.md and USER.md."""
    response = await client.get("/files")
    assert response.status_code == 200

    # The payload carries a "files" list whose entries each expose a "name".
    listed = []
    for entry in response.json()["files"]:
        listed.append(entry["name"])

    for expected in ("SOUL.md", "IDENTITY.md", "USER.md"):
        assert expected in listed
@pytest.mark.anyio
async def test_files_get_allowed(client):
    """GET on an allowed name (IDENTITY.md) returns 200 and a body with a "content" key."""
    response = await client.get("/files/IDENTITY.md")
    assert response.status_code == 200

    payload = response.json()
    assert "content" in payload
@pytest.mark.anyio
async def test_files_get_not_in_allowed(client):
    """Files outside the ALLOWED set should return 404, not the file content."""
    # Paths containing '..' are deliberately absent: they are normalized before
    # routing (e.g. /files/../config.py becomes /config.py, which lands on the
    # /{username} UI catch-all instead of the files router). Every name below
    # stays within the files router's scope.
    #
    # NOTE(review): the original comment attributes that normalization to the
    # ASGI layer; it may instead happen in the test client's URL handling, and
    # a different client might deliver the path un-normalized. Confirm.
    # NOTE(review): since dot-segment paths never reach the files router here,
    # this test says nothing about how the router treats traversal-style names;
    # verify the handler checks the name against the allowed set before any
    # filesystem access.
    rejected_names = ("TASKS.json", "CRONS.json", "SCRATCH.md", ".env")
    for name in rejected_names:
        response = await client.get(f"/files/{name}")
        status = response.status_code
        assert status == 404, f"Expected 404 for {name}, got {status}"
@pytest.mark.anyio
async def test_files_put_and_get(client):
    """PUT new content to PROTOCOLS.md, then GET it back and expect the same text."""
    new_text = "# Updated PROTOCOLS\nTest content."

    # Write: the endpoint must answer 200 with {"ok": true}.
    put_response = await client.put("/files/PROTOCOLS.md", json={"content": new_text})
    assert put_response.status_code == 200
    assert put_response.json()["ok"] is True

    # Read back: the stored content must match what was written.
    get_response = await client.get("/files/PROTOCOLS.md")
    assert get_response.status_code == 200
    assert get_response.json()["content"] == new_text
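@pytest.mark.anyio
async def test_files_put_not_allowed(client):
    """PUT must not succeed for targets outside the allowed set.

    Two cases are covered:

    1. A dot-segment path, which is normalized away from /files/* before
       routing and therefore only proves that no other route accepts the PUT.
    2. Names that stay inside /files/* but that the read-side test treats as
       outside the allowed set, so the write handler's own check is exercised.
    """
    # '../../etc/passwd' normalizes to '/etc/passwd' before routing —
    # no route handles PUT there, so 404 or 405 are both acceptable safe responses.
    r = await client.put("/files/../../etc/passwd", json={"content": "pwned"})
    assert r.status_code in (404, 405)

    # The request above never reaches the files router, so on its own it does
    # not test the write-side allow-list. These names do reach it.
    # NOTE(review): assumes PUT enforces the same allowed set as GET; the exact
    # rejection code is not visible here, so any 4xx is accepted — confirm and
    # tighten against the files router.
    for name in ("TASKS.json", "CRONS.json", "SCRATCH.md", ".env"):
        r = await client.put(f"/files/{name}", json={"content": "pwned"})
        assert 400 <= r.status_code < 500, (
            f"Expected a 4xx for PUT {name}, got {r.status_code}"
        )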
@pytest.mark.anyio
async def test_files_get_missing_but_allowed(client, home_root):
    """An allowed file that doesn't exist yet returns 404."""
    target = home_root / "scott" / "persona" / "inara" / "MEMORY_MID.md"

    # Take MEMORY_MID.md out of the way for the duration of the request,
    # keeping its text so it can be put back afterwards.
    saved = target.read_text() if target.exists() else None
    if saved is not None:
        target.unlink()

    try:
        response = await client.get("/files/MEMORY_MID.md")
        assert response.status_code == 404
    finally:
        # Restore the file only if it was present before the test ran.
        if saved is not None:
            target.write_text(saved)