Phase 5: Föderations-Endpunkte — Cards ist föderierter Peer

Endpoints (alle Pfade aus app-manifest.json): - POST /api/v1/share/receive — User-JWT-Auth, ShareEnvelope-Strict- Validation (cross-user-forbidden), Recipient-Match, Type-Accept- Lookup über Manifest, Payload-Schema-Validation, Handler-Dispatch - POST /api/v1/tools/:name — User-JWT, dispatch nach `cards.create` und `cards.search` mit Tool-Schemas aus @cards/domain - GET /api/v1/search — User-JWT, ILIKE auf cards.fields jsonb + decks.name, baut SearchResultEnvelope für mana-search-Aggregator - GET /api/v1/dsgvo/export?user_id=… — Service-Key, voll-Bundle aller Cards-Daten des Users (decks, cards, reviews, study_sessions, tags, media_refs, import_jobs) - POST /api/v1/dsgvo/delete — Service-Key, kaskadiert via FK-Cascade decks → cards → reviews/media_refs/card_tags/tags/study_sessions plus separates Cleanup von import_jobs Share-Handlers (apps/api/src/share-handlers/): - create_card_from_quote (mana/quote → front=text, back=source) - save_link_as_card (mana/url → front=title, back=url+description) - create_card_from_text (mana/text → front=erste-zeile, back=rest) Alle landen via ensureInboxDeck() in einem auto-erstellten "Inbox"-Deck pro User, inklusive automatischer FSRS-Reviews-Init in Transaktion. Lokales Protocol-Mirror in @cards/domain/src/protocol/ (envelope, payloads, search): TEMPORARY-Markierung mit Swap-Plan auf @mana/shared-share-protocol via Verdaccio sobald NPM_AUTH_TOKEN da ist. Spec-strict — UUID für user_id, ULID für share_id, Crockford-Base32. Service-Key-Middleware mit constant-time-Compare gegen process.env.CARDS_DSGVO_SERVICE_KEY (Phase F-1: ersetzt durch mana-auth.app_service_keys-Lookup). Tests: - 70 Vitest-Tests grün (27 cards-domain + 43 apps/api): - share.test.ts: Auth-Gate, Cross-User-Sperre, User-Mismatch (403), Wrong-Recipient (422), Unknown-Type (422), Invalid-Payload (422), Wrapped { envelope, delivery_token }-Body akzeptiert - tools.test.ts: Auth, Unknown-Tool (404), cards.create-Validation, cards.search-Envelope-Shape - search.test.ts: Auth, Missing-Query (422), Query-too-long (422), Envelope-Version 0.1 + envelope-Felder - dsgvo.test.ts: Service-Key-Gate (401), Missing-User-ID (400), Export-Bundle-Shape, Delete-Counts, Key-not-configured (500) - pnpm run type-check ✅ 4/4 packages - E2E-Smoke gegen Postgres: Quote-Share→Inbox-Deck→Karte→Search-Hit→ DSGVO-Export+Delete-Roundtrip clean (alle 3 Tabellen 0 nach delete) Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-08 17:10:35 +02:00 · 2026-05-08 17:10:35 +02:00 · 0328caa333
commit 0328caa333
parent 89a7a9250b
19 changed files with 1371 additions and 0 deletions
--- a/apps/api/tests/search.test.ts
+++ b/apps/api/tests/search.test.ts
@ -0,0 +1,67 @@
+import { describe, it, expect } from 'vitest';
+import { Hono } from 'hono';
+
+import { searchRouter } from '../src/routes/search.ts';
+import type { CardsDb } from '../src/db/connection.ts';
+
+function buildApp() {
+	const stub = {
+		select: () => ({
+			from: () => ({
+				innerJoin: () => ({
+					where: () => ({ orderBy: () => ({ limit: () => [] }) }),
+				}),
+			}),
+		}),
+	};
+	const app = new Hono();
+	app.route('/api/v1/search', searchRouter({ db: stub as unknown as CardsDb }));
+	return { app };
+}
+
+describe('searchRouter — Auth-Gate', () => {
+	it('GET ohne X-User-Id ist 401', async () => {
+		const { app } = buildApp();
+		const res = await app.request('/api/v1/search?q=foo');
+		expect(res.status).toBe(401);
+	});
+});
+
+describe('searchRouter — Query-Validation', () => {
+	it('GET ohne q ist 422', async () => {
+		const { app } = buildApp();
+		const res = await app.request('/api/v1/search', {
+			headers: { 'X-User-Id': 'u-1' },
+		});
+		expect(res.status).toBe(422);
+	});
+
+	it('GET mit q über 500 Zeichen ist 422', async () => {
+		const { app } = buildApp();
+		const long = 'x'.repeat(501);
+		const res = await app.request(`/api/v1/search?q=${encodeURIComponent(long)}`, {
+			headers: { 'X-User-Id': 'u-1' },
+		});
+		expect(res.status).toBe(422);
+	});
+
+	it('GET mit gültigem q liefert SearchResultEnvelope', async () => {
+		const { app } = buildApp();
+		const res = await app.request('/api/v1/search?q=Konfuzius', {
+			headers: { 'X-User-Id': 'u-1' },
+		});
+		expect(res.status).toBe(200);
+		const body = (await res.json()) as {
+			envelope_version: string;
+			query: string;
+			app: string;
+			results: unknown[];
+			partial: boolean;
+		};
+		expect(body.envelope_version).toBe('0.1');
+		expect(body.query).toBe('Konfuzius');
+		expect(body.app).toBe('cards');
+		expect(Array.isArray(body.results)).toBe(true);
+		expect(body.partial).toBe(false);
+	});
+});