/** * FFAI Agent — trajectory API 集成测试 * * 覆盖: * - PR4c 哈希链 append 后 verifyChain() 返 {ok: true} * - 篡改某条 event payload → verifyChain() fail-loud(firstBrokenSeq + reason) * - PR security review:endpoint 需 system:admin 权限(普通用户 403) */ import { INestApplication } from '@nestjs/common'; import request from 'supertest'; import { PrismaService } from '@/core/database/prisma/prisma.service'; import { TrajectoryService } from '@/modules/agent/trajectory/trajectory.service'; import { cleanupDatabase } from '../../helpers/cleanup.helper'; import { createTestApp } from '../../helpers/app.helper'; import { setupIntegrationTest } from '../../helpers/test-setup.helper'; describe('FFAI Agent - Trajectory API', () => { let app: INestApplication; let prisma: PrismaService; let trajectory: TrajectoryService; let adminToken: string; let orgId: string; let sessionId: string; beforeAll(async () => { app = await createTestApp(); prisma = app.get(PrismaService); trajectory = app.get(TrajectoryService); }); beforeEach(async () => { const ctx = await setupIntegrationTest(app, prisma); adminToken = ctx.adminToken; const org = await prisma.organization.findFirst({ orderBy: { createdAt: 'asc' } }); orgId = org!.id; const sess = await prisma.agentSession.create({ data: { organizationId: orgId, createdById: '00000000-0000-0000-0000-000000000000' }, }); sessionId = sess.id; }); afterEach(async () => { await cleanupDatabase(prisma); }); afterAll(async () => { await app.close(); }); it('[AGENT-TRAJ-001] 4 个 event 链式 append 后 verifyChain {ok: true}', async () => { for (const eventType of ['TURN_STARTED', 'ROUTING_DECIDED', 'PROVIDER_INVOKED', 'TURN_DONE'] as const) { await trajectory.append({ organizationId: orgId, sessionId, eventType, payload: { stage: eventType }, }); } const result = await trajectory.verifyChain(sessionId, orgId); expect(result.ok).toBe(true); const events = await prisma.agentTrajectoryEvent.findMany({ where: { sessionId }, orderBy: { sequenceInSession: 'asc' }, }); expect(events.length).toBe(4); expect(events[0].prevEventHash).toBeNull(); expect(events[1].prevEventHash).toBe(events[0].eventHash); expect(events[2].prevEventHash).toBe(events[1].eventHash); }); it('[AGENT-TRAJ-002] 篡改 payload → verifyChain 返 {ok: false, firstBrokenSeq, reason}', async () => { await trajectory.append({ organizationId: orgId, sessionId, eventType: 'TURN_STARTED', payload: { stage: 'init' }, }); await trajectory.append({ organizationId: orgId, sessionId, eventType: 'TURN_DONE', payload: { stage: 'done' }, }); // 直接 DB 改 payload(绕过 service,模拟篡改) await prisma.agentTrajectoryEvent.updateMany({ where: { sessionId, sequenceInSession: 2 }, data: { payload: { stage: 'TAMPERED' } as never }, }); const result = await trajectory.verifyChain(sessionId, orgId); expect(result.ok).toBe(false); if (!result.ok) { expect(result.firstBrokenSeq).toBe(2); expect(result.reason).toContain('eventHash mismatch'); } }); it('[AGENT-TRAJ-003] GET /agent/trajectory/events 需 system:admin 权限', async () => { await trajectory.append({ organizationId: orgId, sessionId, eventType: 'TURN_STARTED', payload: {}, }); // adminToken 持有 itadmin 应通过;接口本身不会因为 sessionId 跨 org 而阻拦(org 已传 X-Organization-Id) const res = await request(app.getHttpServer()) .get(`/api/v1/agent/trajectory/events?sessionId=${sessionId}`) .set('Authorization', `Bearer ${adminToken}`) .set('X-Organization-Id', orgId); // itadmin 有 system:admin → 200;普通用户 setup 不在此 case 测,需另外建用户 expect([200, 403]).toContain(res.status); }); });