package api import ( "encoding/json" "net/http" "net/http/httptest" "os" "path/filepath" "strings" "testing" ) func TestServer_NoScripts_Returns404(t *testing.T) { srv, _ := testServer(t) // No scripts configured — all /api/scripts/* should return 404. for _, name := range []string{"deploy", "start-next-task", "unknown"} { req := httptest.NewRequest("POST", "/api/scripts/"+name, nil) w := httptest.NewRecorder() srv.Handler().ServeHTTP(w, req) if w.Code != http.StatusNotFound { t.Errorf("POST /api/scripts/%s: want 404, got %d", name, w.Code) } } } func TestServer_WithScripts_RunsRegisteredScript(t *testing.T) { srv, _ := testServer(t) scriptDir := t.TempDir() scriptPath := filepath.Join(scriptDir, "my-script") if err := os.WriteFile(scriptPath, []byte("#!/bin/sh\necho hello"), 0o755); err != nil { t.Fatal(err) } srv.SetScripts(ScriptRegistry{"my-script": scriptPath}) req := httptest.NewRequest("POST", "/api/scripts/my-script", nil) w := httptest.NewRecorder() srv.Handler().ServeHTTP(w, req) if w.Code != http.StatusOK { t.Fatalf("want 200, got %d; body: %s", w.Code, w.Body.String()) } } func TestServer_WithScripts_UnregisteredReturns404(t *testing.T) { srv, _ := testServer(t) srv.SetScripts(ScriptRegistry{"deploy": "/some/path"}) req := httptest.NewRequest("POST", "/api/scripts/other", nil) w := httptest.NewRecorder() srv.Handler().ServeHTTP(w, req) if w.Code != http.StatusNotFound { t.Errorf("want 404, got %d", w.Code) } } func TestHandleDeploy_Success(t *testing.T) { srv, _ := testServer(t) scriptDir := t.TempDir() scriptPath := filepath.Join(scriptDir, "deploy") if err := os.WriteFile(scriptPath, []byte("#!/bin/sh\necho 'deployed successfully'"), 0o755); err != nil { t.Fatal(err) } srv.SetScripts(ScriptRegistry{"deploy": scriptPath}) req := httptest.NewRequest("POST", "/api/scripts/deploy", nil) w := httptest.NewRecorder() srv.Handler().ServeHTTP(w, req) if w.Code != http.StatusOK { t.Fatalf("status: want 200, got %d; body: %s", w.Code, w.Body.String()) } var body map[string]interface{} if err := json.NewDecoder(w.Body).Decode(&body); err != nil { t.Fatalf("decode: %v", err) } if body["exit_code"] != float64(0) { t.Errorf("exit_code: want 0, got %v", body["exit_code"]) } if output, _ := body["output"].(string); output == "" { t.Errorf("expected non-empty output") } } func TestHandleDeploy_ScriptFails(t *testing.T) { srv, _ := testServer(t) scriptDir := t.TempDir() scriptPath := filepath.Join(scriptDir, "deploy") if err := os.WriteFile(scriptPath, []byte("#!/bin/sh\necho 'build failed' && exit 1"), 0o755); err != nil { t.Fatal(err) } srv.SetScripts(ScriptRegistry{"deploy": scriptPath}) req := httptest.NewRequest("POST", "/api/scripts/deploy", nil) w := httptest.NewRecorder() srv.Handler().ServeHTTP(w, req) if w.Code != http.StatusOK { t.Fatalf("status: want 200, got %d; body: %s", w.Code, w.Body.String()) } var body map[string]interface{} if err := json.NewDecoder(w.Body).Decode(&body); err != nil { t.Fatalf("decode: %v", err) } if body["exit_code"] == float64(0) { t.Errorf("expected non-zero exit_code") } } func TestHandleScript_StderrNotLeakedToResponse(t *testing.T) { srv, _ := testServer(t) scriptDir := t.TempDir() scriptPath := filepath.Join(scriptDir, "deploy") // Script writes sensitive info to stderr and exits non-zero. script := "#!/bin/sh\necho 'stdout output'\necho 'SECRET_TOKEN=abc123' >&2\nexit 1" if err := os.WriteFile(scriptPath, []byte(script), 0o755); err != nil { t.Fatal(err) } srv.SetScripts(ScriptRegistry{"deploy": scriptPath}) req := httptest.NewRequest("POST", "/api/scripts/deploy", nil) w := httptest.NewRecorder() srv.Handler().ServeHTTP(w, req) body := w.Body.String() if strings.Contains(body, "SECRET_TOKEN") { t.Errorf("response must not contain stderr content; got: %s", body) } }