Spaces:
Runtime error
Runtime error
| import json | |
| from dataclasses import replace | |
| from pathlib import Path | |
| from nexus_visual_weaver.exporter import export_root, write_export_packet | |
| from nexus_visual_weaver.planner import build_command_center_run | |
| def _make_base_state(**overrides): | |
| """ | |
| Create a test operator state payload with optional field overrides. | |
| Parameters: | |
| **overrides: Fields to override in the base state dictionary. | |
| Returns: | |
| dict: A dictionary containing operator state data for export packet testing. | |
| """ | |
| state = { | |
| "provider_state": "export_ready", | |
| "checkpoint": "approved", | |
| "message": "approved", | |
| "generation": { | |
| "status": "success", | |
| "provider_state": "generated", | |
| "output_path": "/data/artifact.png", | |
| "hf_token_present": True, | |
| "lora_status": "loaded", | |
| "lora_repo_id": "DeverStyle/Flux.2-Klein-Loras", | |
| "lora_message": "Adapter loaded and applied for this generation.", | |
| }, | |
| "creator_controls": { | |
| "reasoning_mode": "Strict", | |
| "wardrobe": {"outerwear": "black patent leather long coat", "footwear": "platform boots"}, | |
| }, | |
| "reference_metadata": [ | |
| { | |
| "source": "upload", | |
| "basename": "C:/Users/speci.000/Downloads/reference.png", | |
| "sha256": "a" * 64, | |
| "size_bytes": 128, | |
| "st3gg_status": "pass", | |
| "export_gate": "clear", | |
| } | |
| ], | |
| "minicpm_judge": {"status": "success", "repo_id": "openbmb/MiniCPM-V-4.6"}, | |
| "nemotron_evidence": {"status": "missing_secret", "repo_id": "nvidia/NVIDIA-Nemotron-Parse-v1.2"}, | |
| } | |
| state.update(overrides) | |
| return state | |
| def test_write_export_packet_records_evidence_without_secrets(monkeypatch) -> None: | |
| export_dir = Path("outputs/test-exports") | |
| monkeypatch.setenv("NEXUS_EXPORT_DIR", str(export_dir)) | |
| run = build_command_center_run("gothic couture archivist, platform boots") | |
| scan = {"status": "pass", "export_gate": "clear", "findings": [], "purification_actions": []} | |
| state = _make_base_state() | |
| result = write_export_packet(run=run, scan=scan, operator_state=state, adult_mode=False) | |
| payload = json.loads(Path(result["path"]).read_text(encoding="utf-8")) | |
| assert payload["run_id"] == run.checkpoint.checkpoint_id | |
| assert payload["hackathon_claims"]["openbmb_lane"] is True | |
| assert payload["hackathon_claims"]["nvidia_nemotron_lane"] is False | |
| assert payload["parameter_budget"]["status"] == "pass" | |
| assert "token" not in json.dumps(payload).lower() | |
| assert payload["artifact"] == "artifact.png" | |
| assert payload["image_basename"] == "artifact.png" | |
| assert payload["generation"]["output_path"] == "artifact.png" | |
| assert payload["lora_status"]["status"] == "loaded" | |
| assert payload["creator_controls"]["wardrobe"]["footwear"] == "platform boots" | |
| assert payload["reference_metadata"][0]["basename"] == "reference.png" | |
| assert "/data/" not in json.dumps(payload) | |
| def test_export_packet_sanitizes_run_id_before_writing(monkeypatch) -> None: | |
| monkeypatch.setenv("NEXUS_EXPORT_DIR", "outputs/test-exports") | |
| run = build_command_center_run("path traversal export brief") | |
| run = replace(run, checkpoint=replace(run.checkpoint, checkpoint_id="../unsafe/path\\with:chars")) | |
| scan = {"status": "pass", "export_gate": "clear"} | |
| result = write_export_packet(run=run, scan=scan, operator_state=_make_base_state(), adult_mode=False) | |
| path = Path(result["path"]) | |
| payload = json.loads(path.read_text(encoding="utf-8")) | |
| assert path.parent == export_root() | |
| assert ".." not in path.name | |
| assert "\\" not in path.name | |
| assert "/" not in path.name | |
| assert payload["run_id"] == "unsafe-path-with-chars" | |
| def test_export_packet_sanitizes_prompt_checkpoint_and_provider_state(monkeypatch) -> None: | |
| monkeypatch.setenv("NEXUS_EXPORT_DIR", "outputs/test-exports") | |
| run = build_command_center_run("prompt contains MINICPM_API_KEY and C:/Users/speci.000/secret.png") | |
| run = replace( | |
| run, | |
| refined_prompt=replace(run.refined_prompt, refined="refined path /data/nexus_visual_weaver/secret.png"), | |
| checkpoint=replace( | |
| run.checkpoint, | |
| recommendation="set NEMOTRON_API_KEY", | |
| required_actions=["review C:/Users/speci.000/Downloads/raw.png"], | |
| ), | |
| ) | |
| scan = {"status": "pass", "export_gate": "clear"} | |
| state = _make_base_state( | |
| provider_state="Bearer " + "hidden-provider-token", | |
| message="operator message with HF_TOKEN", | |
| ) | |
| result = write_export_packet(run=run, scan=scan, operator_state=state, adult_mode=False) | |
| serialized = json.dumps(json.loads(Path(result["path"]).read_text(encoding="utf-8"))) | |
| assert "MINICPM_API_KEY" not in serialized | |
| assert "NEMOTRON_API_KEY" not in serialized | |
| assert "HF_TOKEN" not in serialized | |
| assert "C:/Users/speci.000" not in serialized | |
| assert "/data/" not in serialized | |
| assert "Bearer " + "hidden-provider-token" not in serialized | |
| def test_export_packet_has_correct_schema_version(monkeypatch) -> None: | |
| monkeypatch.setenv("NEXUS_EXPORT_DIR", "outputs/test-exports") | |
| run = build_command_center_run("dark couture brief") | |
| scan = {"status": "pass", "export_gate": "clear"} | |
| state = _make_base_state() | |
| result = write_export_packet(run=run, scan=scan, operator_state=state, adult_mode=False) | |
| payload = json.loads(Path(result["path"]).read_text(encoding="utf-8")) | |
| assert payload["schema"] == "nexus_visual_weaver.export_packet.v1" | |
| def test_export_packet_stores_adult_mode_flag(monkeypatch) -> None: | |
| monkeypatch.setenv("NEXUS_EXPORT_DIR", "outputs/test-exports") | |
| run_public = build_command_center_run("dark couture brief", adult_mode=False) | |
| run_private = build_command_center_run("dark couture brief", adult_mode=True) | |
| scan = {"status": "pass", "export_gate": "clear"} | |
| result_public = write_export_packet(run=run_public, scan=scan, operator_state=_make_base_state(), adult_mode=True) | |
| result_private = write_export_packet(run=run_private, scan=scan, operator_state=_make_base_state(), adult_mode=False) | |
| public_payload = json.loads(Path(result_public["path"]).read_text(encoding="utf-8")) | |
| private_payload = json.loads(Path(result_private["path"]).read_text(encoding="utf-8")) | |
| assert public_payload["adult_mode"] is False | |
| assert private_payload["adult_mode"] is True | |
| assert public_payload["model_stack"][0]["repo_id"] == run_public.model_stack[0].repo_id | |
| assert private_payload["model_stack"][0]["repo_id"] == run_private.model_stack[0].repo_id | |
| def test_export_packet_removes_hf_token_from_generation(monkeypatch) -> None: | |
| monkeypatch.setenv("NEXUS_EXPORT_DIR", "outputs/test-exports") | |
| run = build_command_center_run("gothic platform boots brief") | |
| scan = {"status": "pass", "export_gate": "clear"} | |
| state = _make_base_state( | |
| generation={"status": "success", "output_path": "/data/artifact.png", "hf_token_present": True}, | |
| ) | |
| result = write_export_packet(run=run, scan=scan, operator_state=state, adult_mode=False) | |
| payload = json.loads(Path(result["path"]).read_text(encoding="utf-8")) | |
| assert "hf_token_present" not in payload["generation"] | |
| assert "token" not in json.dumps(payload).lower() | |
| def test_export_packet_hackathon_claims_both_success(monkeypatch) -> None: | |
| monkeypatch.setenv("NEXUS_EXPORT_DIR", "outputs/test-exports") | |
| run = build_command_center_run("couture archivist brief") | |
| scan = {"status": "pass", "export_gate": "clear"} | |
| state = _make_base_state( | |
| minicpm_judge={"status": "success"}, | |
| nemotron_evidence={"status": "success"}, | |
| ) | |
| result = write_export_packet(run=run, scan=scan, operator_state=state, adult_mode=False) | |
| payload = json.loads(Path(result["path"]).read_text(encoding="utf-8")) | |
| assert payload["hackathon_claims"]["openbmb_lane"] is True | |
| assert payload["hackathon_claims"]["nvidia_nemotron_lane"] is True | |
| assert payload["hackathon_claims"]["gradio_space"] is True | |
| assert payload["hackathon_claims"]["off_brand_custom_ui"] is True | |
| def test_export_packet_hackathon_claims_st3gg_export_gate(monkeypatch) -> None: | |
| monkeypatch.setenv("NEXUS_EXPORT_DIR", "outputs/test-exports") | |
| run_clear = build_command_center_run("scan gate test brief clear") | |
| run_blocked = build_command_center_run("scan gate test brief blocked") | |
| scan_clear = {"status": "pass", "export_gate": "clear"} | |
| scan_blocked = {"status": "review", "export_gate": "blocked"} | |
| result_clear = write_export_packet(run=run_clear, scan=scan_clear, operator_state=_make_base_state(), adult_mode=False) | |
| result_blocked = write_export_packet(run=run_blocked, scan=scan_blocked, operator_state=_make_base_state(), adult_mode=False) | |
| payload_clear = json.loads(Path(result_clear["path"]).read_text(encoding="utf-8")) | |
| payload_blocked = json.loads(Path(result_blocked["path"]).read_text(encoding="utf-8")) | |
| assert payload_clear["hackathon_claims"]["st3gg_export_gate"] == "clear" | |
| assert payload_blocked["hackathon_claims"]["st3gg_export_gate"] == "blocked" | |
| def test_export_packet_includes_model_stack_and_prompts(monkeypatch) -> None: | |
| monkeypatch.setenv("NEXUS_EXPORT_DIR", "outputs/test-exports") | |
| run = build_command_center_run("raven archivist couture brief") | |
| scan = {"status": "pass", "export_gate": "clear"} | |
| result = write_export_packet(run=run, scan=scan, operator_state=_make_base_state(), adult_mode=False) | |
| payload = json.loads(Path(result["path"]).read_text(encoding="utf-8")) | |
| assert isinstance(payload["model_stack"], list) | |
| assert len(payload["model_stack"]) > 0 | |
| assert all("repo_id" in entry and "params_b" in entry for entry in payload["model_stack"]) | |
| assert isinstance(payload["prompt"], str) | |
| assert isinstance(payload["refined_prompt"], str) | |
| assert isinstance(payload["created_at_epoch"], int) | |
| def test_export_root_uses_nexus_export_dir_env(monkeypatch) -> None: | |
| custom_dir = Path("outputs/test-exports/custom_export") | |
| monkeypatch.setenv("NEXUS_EXPORT_DIR", str(custom_dir)) | |
| root = export_root() | |
| assert root == custom_dir.resolve() | |
| assert root.is_dir() | |
| def test_export_root_rejects_src_export_dir(monkeypatch) -> None: | |
| unsafe_dir = Path("src/nexus_visual_weaver/export-leak") | |
| monkeypatch.setenv("NEXUS_EXPORT_DIR", str(unsafe_dir)) | |
| root = export_root() | |
| src_root = (Path.cwd() / "src").resolve() | |
| assert root != src_root | |
| assert src_root not in root.parents | |
| assert not unsafe_dir.exists() | |
| def test_export_root_falls_back_to_outputs_when_no_env(monkeypatch) -> None: | |
| monkeypatch.delenv("NEXUS_EXPORT_DIR", raising=False) | |
| # Patch /data so it is not seen as existing | |
| import nexus_visual_weaver.exporter as exporter_mod | |
| original_exists = Path.exists | |
| def patched_exists(self): | |
| """ | |
| Custom exists check that treats "/data" as non-existent. | |
| Returns: | |
| False if the path is "/data", otherwise the original exists check result. | |
| """ | |
| if str(self) == "/data": | |
| return False | |
| return original_exists(self) | |
| monkeypatch.setattr(Path, "exists", patched_exists) | |
| root = export_root() | |
| assert "outputs" in str(root) or "exports" in str(root) | |
| def test_export_packet_returns_both_path_and_packet(monkeypatch) -> None: | |
| monkeypatch.setenv("NEXUS_EXPORT_DIR", "outputs/test-exports") | |
| run = build_command_center_run("return structure brief") | |
| scan = {"status": "pass", "export_gate": "clear"} | |
| result = write_export_packet(run=run, scan=scan, operator_state=_make_base_state(), adult_mode=False) | |
| assert "path" in result | |
| assert "packet" in result | |
| assert isinstance(result["packet"], dict) | |
| assert result["packet"]["schema"] == "nexus_visual_weaver.export_packet.v1" | |
| def test_export_packet_redacts_raw_payload_paths_and_secret_like_values(monkeypatch) -> None: | |
| monkeypatch.setenv("NEXUS_EXPORT_DIR", "outputs/test-exports") | |
| run = build_command_center_run( | |
| "redaction brief", | |
| creator_controls={"wardrobe": {"footwear": "platform boots"}}, | |
| reference_metadata=[{"source": "url", "domain": "shop.example.test", "url_hash": "b" * 64}], | |
| ) | |
| scan = { | |
| "status": "review", | |
| "export_gate": "blocked", | |
| "payload_excerpt": "hf_" + "abcdefghijklmnopqrstuvwxyz123456", | |
| "findings": ["raw hidden bytes at C:/Users/speci.000/Downloads/thing.png"], | |
| "purification_actions": ["base64 payload removed from /data/nexus_visual_weaver/artifact.png"], | |
| } | |
| state = _make_base_state( | |
| generation={ | |
| "status": "success", | |
| "provider_state": "generated", | |
| "output_path": "/data/nexus_visual_weaver/artifact.png", | |
| "hf_token_present": True, | |
| "lora_status": "failed", | |
| "lora_repo_id": "example/lora", | |
| "lora_message": "RuntimeError: failed without token value", | |
| }, | |
| minicpm_judge={ | |
| "status": "failed", | |
| "provider_state": "failed", | |
| "provider": "OpenBMB", | |
| "repo_id": "openbmb/MiniCPM-V-4.6", | |
| "model": "MiniCPM-V-4.6", | |
| "message": "Set MINICPM_API_KEY in Space secrets.", | |
| "evidence": {"raw_summary": "Bearer " + "secret-value", "configured": True}, | |
| }, | |
| reference_metadata=[ | |
| { | |
| "source": "upload", | |
| "basename": "C:/Users/speci.000/Downloads/reference.png", | |
| "sha256": "c" * 64, | |
| "size_bytes": 2048, | |
| "st3gg_status": "review", | |
| "export_gate": "blocked", | |
| } | |
| ], | |
| ) | |
| result = write_export_packet(run=run, scan=scan, operator_state=state, adult_mode=False) | |
| payload = json.loads(Path(result["path"]).read_text(encoding="utf-8")) | |
| serialized = json.dumps(payload) | |
| assert "payload_excerpt" not in serialized | |
| assert "raw_summary" not in serialized | |
| assert "Bearer " + "secret-value" not in serialized | |
| assert "MINICPM_API_KEY" not in serialized | |
| assert "/data/" not in serialized | |
| assert "C:/Users/speci.000/Downloads" not in serialized | |
| assert payload["st3gg_verdict"] == {"status": "review", "export_gate": "blocked"} | |
| assert payload["provider_states"]["minicpm"] == "failed" | |
| def test_export_packet_records_st3gg_override_reason(monkeypatch) -> None: | |
| monkeypatch.setenv("NEXUS_EXPORT_DIR", "outputs/test-exports") | |
| run = build_command_center_run("gothic patent leather platform boots") | |
| scan = {"status": "review", "export_gate": "blocked", "findings": ["metadata review"], "purification_actions": ["strip metadata"]} | |
| state = _make_base_state( | |
| st3gg_override_reason="Operator reviewed the ST3GG findings and is writing an audit packet only.", | |
| export="override", | |
| ) | |
| result = write_export_packet(run=run, scan=scan, operator_state=state, adult_mode=False) | |
| payload = json.loads(Path(result["path"]).read_text(encoding="utf-8")) | |
| assert payload["st3gg_verdict"] == {"status": "review", "export_gate": "blocked"} | |
| assert payload["st3gg_override"] == { | |
| "used": True, | |
| "reason": "Operator reviewed the ST3GG findings and is writing an audit packet only.", | |
| } | |
| # --- _is_within tests --- | |
| from nexus_visual_weaver.exporter import ( | |
| _artifact_name, | |
| _is_within, | |
| _safe_dict, | |
| _safe_export_candidate, | |
| _safe_provider, | |
| _safe_reference_metadata, | |
| _safe_scan, | |
| _sanitize_text, | |
| REPO_ROOT, | |
| ) | |
| def test_is_within_returns_true_for_child_path() -> None: | |
| root = Path("/some/root") | |
| child = Path("/some/root/subdir/file.txt") | |
| assert _is_within(child, root) is True | |
| def test_is_within_returns_false_for_sibling_path() -> None: | |
| root = Path("/some/root") | |
| sibling = Path("/some/other/file.txt") | |
| assert _is_within(sibling, root) is False | |
| def test_is_within_returns_false_for_parent_path() -> None: | |
| root = Path("/some/root/subdir") | |
| parent = Path("/some/root") | |
| assert _is_within(parent, root) is False | |
| def test_is_within_returns_false_for_same_path() -> None: | |
| root = Path("/some/root") | |
| # Same path is not "within" itself (relative_to with same path succeeds but returns empty Path) | |
| # _is_within should return True for same path since relative_to doesn't raise | |
| result = _is_within(root, root) | |
| # Same path: relative_to returns Path('.') or empty - shouldn't raise, returns True | |
| assert result is True | |
| # --- _artifact_name tests --- | |
| def test_artifact_name_returns_filename_from_unix_path() -> None: | |
| assert _artifact_name("/data/nexus_visual_weaver/artifact.png") == "artifact.png" | |
| def test_artifact_name_returns_filename_from_windows_path() -> None: | |
| assert _artifact_name(r"C:\Users\user\Downloads\artifact.png") == "artifact.png" | |
| def test_artifact_name_returns_none_for_none() -> None: | |
| assert _artifact_name(None) is None | |
| def test_artifact_name_returns_none_for_empty_string() -> None: | |
| assert _artifact_name("") is None | |
| def test_artifact_name_returns_filename_for_simple_name() -> None: | |
| assert _artifact_name("artifact.png") == "artifact.png" | |
| # --- _sanitize_text tests --- | |
| def test_sanitize_text_redacts_hf_token() -> None: | |
| fake_token = "hf_" + "abcdefghijklmnopqrstuvwxyz1234567" | |
| text = f"token is {fake_token}" | |
| result = _sanitize_text(text) | |
| assert fake_token not in result | |
| assert "[redacted_secret]" in result | |
| def test_sanitize_text_redacts_bearer_token() -> None: | |
| fake_token = "sk-test-" + "abcdefghijklmnopqrstu" | |
| text = "Authorization: Bearer " + fake_token | |
| result = _sanitize_text(text) | |
| assert fake_token not in result | |
| def test_sanitize_text_redacts_credential_names() -> None: | |
| text = "Please set MINICPM_API_KEY and NEMOTRON_API_KEY" | |
| result = _sanitize_text(text) | |
| assert "MINICPM_API_KEY" not in result | |
| assert "NEMOTRON_API_KEY" not in result | |
| assert "[redacted_credential_name]" in result | |
| def test_sanitize_text_redacts_windows_paths() -> None: | |
| text = "Found at C:\\Users\\user\\Downloads\\artifact.png" | |
| result = _sanitize_text(text) | |
| assert "C:\\Users\\user\\Downloads" not in result | |
| assert "[local_path]/artifact.png" in result | |
| def test_sanitize_text_redacts_data_paths() -> None: | |
| text = "Output stored at /data/nexus_visual_weaver/artifact.png" | |
| result = _sanitize_text(text) | |
| assert "/data/nexus_visual_weaver" not in result | |
| assert "[data]/" in result | |
| def test_sanitize_text_truncates_to_1000_chars() -> None: | |
| long_text = "safe text " * 200 | |
| result = _sanitize_text(long_text) | |
| assert len(result) <= 1000 | |
| assert result.endswith("...") | |
| def test_sanitize_text_does_not_truncate_short_text() -> None: | |
| short_text = "safe short text without secrets" | |
| result = _sanitize_text(short_text) | |
| assert result == short_text | |
| # --- _safe_dict tests --- | |
| def test_safe_dict_drops_sensitive_keys() -> None: | |
| data = { | |
| "status": "ok", | |
| "token": "hf_secretvalue", | |
| "api_key": "sk-secretvalue", | |
| "message": "clean", | |
| } | |
| result = _safe_dict(data) | |
| assert "status" in result | |
| assert "message" in result | |
| assert "token" not in result | |
| assert "api_key" not in result | |
| def test_safe_dict_preserves_safe_keys() -> None: | |
| data = {"status": "pass", "export_gate": "clear", "extension": ".png"} | |
| result = _safe_dict(data) | |
| assert result == data | |
| def test_safe_dict_handles_nested_dicts() -> None: | |
| data = {"outer": {"secret": "hidden", "safe_field": "visible"}} | |
| result = _safe_dict(data) | |
| assert "secret" not in result.get("outer", {}) | |
| assert result["outer"]["safe_field"] == "visible" | |
| def test_safe_dict_limits_lists_to_40() -> None: | |
| data = list(range(50)) | |
| result = _safe_dict(data) | |
| assert len(result) == 40 | |
| def test_safe_dict_sanitizes_string_values() -> None: | |
| data = {"message": "Error: MINICPM_API_KEY not set"} | |
| result = _safe_dict(data) | |
| assert "MINICPM_API_KEY" not in result.get("message", "") | |
| def test_safe_dict_preserves_size_bytes_when_allowed() -> None: | |
| data = {"size_bytes": 1024, "token": "hf_" + "secret123456789012345"} | |
| result = _safe_dict(data, allow_size_bytes=True) | |
| assert "size_bytes" in result | |
| assert result["size_bytes"] == 1024 | |
| assert "token" not in result | |
| def test_safe_dict_drops_size_bytes_by_default() -> None: | |
| # "bytes" matches the sensitive key pattern | |
| data = {"size_bytes": 1024, "status": "ok"} | |
| result = _safe_dict(data) | |
| assert "size_bytes" not in result | |
| def test_safe_dict_returns_non_dict_non_list_unchanged() -> None: | |
| assert _safe_dict(42) == 42 | |
| assert _safe_dict(3.14) == 3.14 | |
| assert _safe_dict(True) is True | |
| assert _safe_dict(None) is None | |
| # --- _safe_scan tests --- | |
| def test_safe_scan_extracts_required_fields() -> None: | |
| scan = { | |
| "status": "pass", | |
| "scanner": "ST3GG v2", | |
| "export_gate": "clear", | |
| "extension": ".png", | |
| "magic": "PNG", | |
| "findings": ["no issues"], | |
| "purification_actions": ["none needed"], | |
| "payload_excerpt": "HIDDEN_SENSITIVE_DATA", | |
| } | |
| result = _safe_scan(scan) | |
| assert result["status"] == "pass" | |
| assert result["scanner"] == "ST3GG v2" | |
| assert result["export_gate"] == "clear" | |
| assert result["extension"] == ".png" | |
| assert result["magic"] == "PNG" | |
| assert "payload_excerpt" not in result | |
| def test_safe_scan_handles_empty_scan() -> None: | |
| result = _safe_scan({}) | |
| assert "status" in result | |
| assert "export_gate" in result | |
| assert result["status"] is None | |
| assert result["export_gate"] is None | |
| def test_safe_scan_sanitizes_findings() -> None: | |
| scan = { | |
| "findings": ["found MINICPM_API_KEY pattern", "raw bytes at C:\\Users\\data\\file.png"], | |
| } | |
| result = _safe_scan(scan) | |
| serialized = json.dumps(result) | |
| assert "MINICPM_API_KEY" not in serialized | |
| assert "C:\\Users\\data" not in serialized | |
| # --- _safe_provider tests --- | |
| def test_safe_provider_extracts_fields() -> None: | |
| provider = { | |
| "status": "success", | |
| "provider_state": "configured", | |
| "provider": "OpenBMB", | |
| "repo_id": "openbmb/MiniCPM-V-4.6", | |
| "model": "MiniCPM-V-4.6", | |
| "message": "judge returned evidence", | |
| "evidence": {"overall_status": "pass"}, | |
| "latency_seconds": 1.23, | |
| } | |
| result = _safe_provider(provider) | |
| assert result["status"] == "success" | |
| assert result["provider"] == "OpenBMB" | |
| assert result["repo_id"] == "openbmb/MiniCPM-V-4.6" | |
| assert result["latency_seconds"] == 1.23 | |
| assert result["evidence"]["overall_status"] == "pass" | |
| def test_safe_provider_handles_none_input() -> None: | |
| result = _safe_provider(None) | |
| assert isinstance(result, dict) | |
| assert "status" in result | |
| assert result["status"] is None | |
| def test_safe_provider_redacts_secret_values_in_evidence() -> None: | |
| provider = { | |
| "status": "failed", | |
| "evidence": {"token_used": "hf_" + "abcdefghijklmnopqrstuvwx", "raw": "sensitive-data"}, | |
| } | |
| result = _safe_provider(provider) | |
| assert "token_used" not in result["evidence"] | |
| assert "raw" not in result["evidence"] | |
| def test_safe_provider_handles_non_dict_evidence() -> None: | |
| provider = {"status": "success", "evidence": "plain string evidence"} | |
| result = _safe_provider(provider) | |
| # Non-dict evidence should be treated as empty | |
| assert result["evidence"] == {} | |
| # --- _safe_reference_metadata tests --- | |
| def test_safe_reference_metadata_returns_empty_for_non_list() -> None: | |
| assert _safe_reference_metadata(None) == [] | |
| assert _safe_reference_metadata("string") == [] | |
| assert _safe_reference_metadata(42) == [] | |
| def test_safe_reference_metadata_extracts_fields_from_records() -> None: | |
| records = [ | |
| { | |
| "source": "upload", | |
| "status": "pass", | |
| "basename": "C:/Users/user/Downloads/reference.png", | |
| "sha256": "a" * 64, | |
| "size_bytes": 1024, | |
| "st3gg_status": "pass", | |
| "export_gate": "clear", | |
| "magic": "PNG", | |
| "extension": ".png", | |
| } | |
| ] | |
| result = _safe_reference_metadata(records) | |
| assert len(result) == 1 | |
| assert result[0]["source"] == "upload" | |
| assert result[0]["basename"] == "reference.png" # Only filename, not full path | |
| assert result[0]["sha256"] == "a" * 64 | |
| assert result[0]["export_gate"] == "clear" | |
| def test_safe_reference_metadata_limits_to_20_records() -> None: | |
| records = [{"source": "upload", "sha256": str(i)} for i in range(30)] | |
| result = _safe_reference_metadata(records) | |
| assert len(result) == 20 | |
| def test_safe_reference_metadata_skips_non_dict_records() -> None: | |
| records = [{"source": "upload"}, "not a dict", None, {"source": "url"}] | |
| result = _safe_reference_metadata(records) | |
| assert len(result) == 2 | |
| assert all(isinstance(r, dict) for r in result) | |
| def test_safe_reference_metadata_includes_url_fields() -> None: | |
| records = [ | |
| { | |
| "source": "url", | |
| "status": "metadata_only", | |
| "domain": "shop.example.test", | |
| "url_hash": "b" * 64, | |
| } | |
| ] | |
| result = _safe_reference_metadata(records) | |
| assert result[0]["domain"] == "shop.example.test" | |
| assert result[0]["url_hash"] == "b" * 64 | |
| # --- _safe_export_candidate tests --- | |
| def test_safe_export_candidate_accepts_outputs_dir() -> None: | |
| candidate = REPO_ROOT / "outputs" / "exports" / "test-subdir" | |
| result = _safe_export_candidate(candidate) | |
| assert result is not None | |
| assert "outputs" in str(result) | |
| def test_safe_export_candidate_rejects_src_dir() -> None: | |
| candidate = REPO_ROOT / "src" / "nexus_visual_weaver" / "exports" | |
| result = _safe_export_candidate(candidate) | |
| assert result is None | |
| def test_safe_export_candidate_rejects_src_root_itself() -> None: | |
| candidate = REPO_ROOT / "src" | |
| result = _safe_export_candidate(candidate) | |
| assert result is None | |