test: raise Swift SDK coverage

Author: ARCP Swift SDK

Tests/ARCPTests/AuthTests.swift

@@ -0,0 +1,58 @@
+import Foundation
+import Testing
+
+@testable import ARCP
+
+@Suite("Auth validators")
+struct AuthTests {
+    @Test("Bearer validator maps tokens to principals")
+    func bearerHappyPath() async throws {
+        let validator = BearerAuthValidator(subjectsByToken: ["token": "alice"], trustLevel: .untrusted)
+        #expect(validator.supports(.bearer))
+        let principal = try await validator.validate(
+            auth: AuthBlock(scheme: .bearer, token: "token"),
+            challenge: nil
+        )
+        #expect(principal == AuthenticatedPrincipal(subject: "alice", trustLevel: .untrusted))
+    }
+
+    @Test("Bearer validator rejects wrong scheme, missing token, and unknown token")
+    func bearerFailures() async {
+        let validator = BearerAuthValidator(subjectsByToken: ["token": "alice"])
+        await #expect(throws: ARCPError.self) {
+            _ = try await validator.validate(auth: AuthBlock(scheme: .none), challenge: nil)
+        }
+        await #expect(throws: ARCPError.self) {
+            _ = try await validator.validate(auth: AuthBlock(scheme: .bearer), challenge: nil)
+        }
+        await #expect(throws: ARCPError.self) {
+            _ = try await validator.validate(
+                auth: AuthBlock(scheme: .bearer, token: "wrong"),
+                challenge: nil
+            )
+        }
+    }
+
+    @Test("Composite validator dispatches by scheme and reports unsupported schemes")
+    func compositeValidator() async throws {
+        let bearer = BearerAuthValidator([
+            "token": AuthenticatedPrincipal(subject: "alice", trustLevel: .trusted)
+        ])
+        let composite = CompositeAuthValidator([bearer])
+        #expect(composite.supports(.bearer))
+        #expect(!composite.supports(.signedJwt))
+
+        let principal = try await composite.validate(
+            auth: AuthBlock(scheme: .bearer, token: "token"),
+            challenge: nil
+        )
+        #expect(principal.subject == "alice")
+
+        await #expect(throws: ARCPError.self) {
+            _ = try await composite.validate(auth: AuthBlock(scheme: .signedJwt), challenge: nil)
+        }
+        await #expect(throws: ARCPError.self) {
+            _ = try await composite.validate(auth: AuthBlock(scheme: .mtls), challenge: nil)
+        }
+    }
+}

Tests/ARCPTests/CredentialManagerTests.swift

@@ -0,0 +1,98 @@
+import Foundation
+import Testing
+
+@testable import ARCP
+
+@Suite("CredentialManager rotation")
+struct CredentialManagerTests {
+    @Test("rotate persists every credential returned by provisioner")
+    func rotateKeepsFullReturnedSet() async throws {
+        let provisioner = SequenceCredentialProvisioner([
+            [
+                try credential("old_access"),
+                try credential("old_refresh"),
+            ],
+            [
+                try credential("new_access"),
+                try credential("new_refresh"),
+            ],
+        ])
+        let retention = InMemoryCredentialRetention()
+        let manager = CredentialManager(
+            provisioner: provisioner,
+            retention: retention,
+            sessionId: SessionId("sess_credentials")
+        )
+        let jobId = JobId("job_credentials")
+        _ = try await manager.issueForJob(jobId, lease: LeaseSnapshot(expiresAt: Date()))
+
+        let replacement = try await manager.rotate(jobId: jobId, credentialId: "old_access")
+
+        #expect(replacement.id == "new_access")
+        #expect(await manager.outstandingCredentialIds == [
+            "new_access",
+            "new_refresh",
+            "old_refresh",
+        ])
+        #expect(try await retention.loadOutstanding().map(\.1).sorted() == [
+            "new_access",
+            "new_refresh",
+            "old_refresh",
+        ])
+        #expect(await provisioner.revoked == ["old_access"])
+    }
+
+    @Test("rotate can return an in-place replacement from later in returned array")
+    func rotateReturnsMatchingReplacementWhenPresent() async throws {
+        let provisioner = SequenceCredentialProvisioner([
+            [try credential("old_access")],
+            [
+                try credential("paired"),
+                try credential("old_access"),
+            ],
+        ])
+        let manager = CredentialManager(
+            provisioner: provisioner,
+            retention: InMemoryCredentialRetention(),
+            sessionId: SessionId("sess_credentials")
+        )
+        let jobId = JobId("job_credentials")
+        _ = try await manager.issueForJob(jobId, lease: LeaseSnapshot(expiresAt: Date()))
+
+        let replacement = try await manager.rotate(jobId: jobId, credentialId: "old_access")
+
+        #expect(replacement.id == "old_access")
+        #expect(await manager.outstandingCredentialIds == ["old_access", "paired"])
+    }
+
+    private func credential(_ id: String) throws -> ProvisionedCredential {
+        try ProvisionedCredential(
+            id: id,
+            scheme: .bearer,
+            value: "value-\(id)",
+            endpoint: "https://credentials.example.test"
+        )
+    }
+}
+
+private actor SequenceCredentialProvisioner: CredentialProvisioner {
+    private var batches: [[ProvisionedCredential]]
+    private(set) var revoked: [String] = []
+
+    init(_ batches: [[ProvisionedCredential]]) {
+        self.batches = batches
+    }
+
+    func issue(
+        lease: LeaseSnapshot,
+        jobId: JobId,
+        sessionId: SessionId
+    ) async throws -> [ProvisionedCredential] {
+        guard !batches.isEmpty else { return [] }
+        return batches.removeFirst()
+    }
+
+    func revoke(credentialId: String) async throws {
+        revoked.append(credentialId)
+    }
+}

Tests/ARCPTests/StreamManagerTests.swift

@@ -0,0 +1,99 @@
+import Foundation
+import Testing
+
+@testable import ARCP
+
+@Suite("StreamManager")
+struct StreamManagerTests {
+    @Test("outbound handle emits open, chunk, close, and error envelopes")
+    func outboundHandleEmitsLifecycle() async throws {
+        let sink = EnvelopeSink()
+        let manager = StreamManager(sessionId: SessionId("sess_stream"), send: { envelope in
+            await sink.append(envelope)
+        })
+        let handle = try await manager.openOutbound(
+            jobId: JobId("job_stream"),
+            kind: .text,
+            contentType: "text/plain",
+            encoding: "utf-8"
+        )
+        try await handle.sendText("hello", sequence: 1)
+        try await handle.sendChunk(StreamChunkPayload(sequence: 2, content: "world"))
+        try await handle.close(reason: "done")
+        let second = try await manager.openOutbound(
+            jobId: nil,
+            kind: .event,
+            contentType: nil,
+            encoding: nil
+        )
+        try await second.error(.internal(detail: "boom", cause: nil))
+
+        let payloads = await sink.payloads()
+        #expect(payloads.map(\.typeName) == [
+            "stream.open",
+            "stream.chunk",
+            "stream.chunk",
+            "stream.close",
+            "stream.open",
+            "stream.error",
+        ])
+    }
+
+    @Test("inbound subscription receives chunks and finishes on close")
+    func inboundSubscriptionLifecycle() async throws {
+        let manager = StreamManager(sessionId: SessionId("sess_stream"), send: { _ in })
+        let streamId = StreamId("stream_in")
+        let stream = try await manager.subscribeInbound(streamId: streamId)
+        var iterator = stream.makeAsyncIterator()
+
+        await manager.dispatch(
+            envelope: Envelope(
+                streamId: streamId,
+                payload: .streamChunk(StreamChunkPayload(sequence: 1, content: "one"))
+            )
+        )
+        let first = await iterator.next()
+        #expect(first?.content == "one")
+
+        await manager.dispatch(
+            envelope: Envelope(streamId: streamId, payload: .streamClose(StreamClosePayload()))
+        )
+        let ended = await iterator.next()
+        #expect(ended == nil)
+    }
+
+    @Test("duplicate inbound subscription throws failedPrecondition")
+    func duplicateInboundSubscription() async throws {
+        let manager = StreamManager(sessionId: SessionId("sess_stream"), send: { _ in })
+        let streamId = StreamId("stream_dupe")
+        _ = try await manager.subscribeInbound(streamId: streamId)
+        await #expect(throws: ARCPError.self) {
+            _ = try await manager.subscribeInbound(streamId: streamId)
+        }
+    }
+
+    @Test("shutdown finishes active inbound streams")
+    func shutdownFinishesInboundStreams() async throws {
+        let manager = StreamManager(sessionId: SessionId("sess_stream"), send: { _ in })
+        let stream = try await manager.subscribeInbound(streamId: StreamId("stream_shutdown"))
+        var iterator = stream.makeAsyncIterator()
+        await manager.shutdown()
+        #expect(await iterator.next() == nil)
+    }
+}
+
+actor EnvelopeSink {
+    private var envelopes: [Envelope] = []
+
+    func append(_ envelope: Envelope) {
+        envelopes.append(envelope)
+    }
+
+    func payloads() -> [MessageType] {
+        envelopes.map(\.payload)
+    }
+
+    func all() -> [Envelope] {
+        envelopes
+    }
+}