Files
sure/test/controllers/settings/hostings_controller_test.rb
Guillem Arias Fauste c375b8bf5c feat(ai): self-host settings UI for Anthropic provider (5/5) (#1987)
* feat(ai): add Anthropic provider with chat parity (1/5)

Introduces Provider::Anthropic alongside Provider::Openai, implementing
the LlmConcept chat_response contract over the official anthropic Ruby
SDK. Batch ops, PDF, and RAG land in follow-up PRs.

- Provider::Anthropic uses Messages API for sync and streaming responses
- ChatConfig builds requests with ephemeral prompt-cache markers on the
  system prompt and the last tool definition
- MessageFormatter reconstructs multi-turn history (text + tool_use +
  tool_result blocks) from raw Message records, including the paired
  user-role tool_result turn Anthropic requires after every tool_use
- ChatParser maps Anthropic Message into the shared ChatResponse Data
- Registry, Setting, User, Chat default model wired for ANTHROPIC_*
  envs and Setting.anthropic_*; LLM_PROVIDER selects between providers
- Responder forwards raw conversation_history (Array<Message>) so
  providers without hosted conversation state can rebuild context
- OpenAI provider accepts and ignores the new kwarg (no behavior change)

Tests cover provider init, model gating, MessageFormatter for all turn
shapes, ChatConfig request building (max_tokens, system cache, tool
conversion), ChatParser for text / tool_use / mixed blocks, Registry
discovery, and mocked chat_response success / error / function_request
paths. Live VCR cassettes recorded in a follow-up with a real key.

Stacked PRs: 2/5 batch ops + cost ledger, 3/5 PDF, 4/5 pgvector RAG,
5/5 settings UI + disclosure.

* fix(ai): address PR review on Anthropic provider foundation

Surface fixes raised by Codex + CodeRabbit on PR 1/5:

- Provider::Anthropic#chat_response now accepts (and ignores) a
  `messages:` kwarg. Assistant::Responder passes both `messages:`
  (OpenAI-shape) and `conversation_history:` (raw Message records) for
  cross-provider parity, so the previous signature raised
  ArgumentError on the first chat turn through the Anthropic provider.
- Provider::Anthropic#supports_model? bypasses the `claude` prefix
  gate when a custom base_url is configured, mirroring the OpenAI
  provider. Bedrock-shaped IDs like
  `anthropic.claude-sonnet-4-5-20250929-v1:0` and
  `claude-opus-4@20250514` are otherwise rejected by
  Assistant::Provided#get_model_provider and the chat dies.
- Setting.anthropic_access_token is now in
  EncryptedSettingFields::ENCRYPTED_FIELDS so the Anthropic API key
  is encrypted at rest like every other provider secret. Previously
  plaintext while siblings (openai_access_token, twelve_data_api_key,
  external_assistant_token) were ciphertext.
- Chat.default_model falls back to whichever provider is actually
  configured. Previously, with LLM_PROVIDER=anthropic but no
  Anthropic credentials, the default model resolved to a Claude ID
  that no registered provider supported, so chats failed even when
  OpenAI was fully configured. Adds Provider::{Anthropic,Openai}#configured?
  class methods for the readable callsite.
- Provider::Anthropic.effective_model uses
  `ENV["ANTHROPIC_MODEL"].presence || Setting.anthropic_model` so the
  Setting lookup is only performed when the env var is absent — the
  previous `ENV.fetch(KEY, default)` evaluated the default arg
  eagerly on every call.
- Provider::Anthropic::ChatConfig#anthropic_input_schema strips both
  `:strict` and `"strict"` keys so JSON-decoded schemas with string
  keys cannot leak the OpenAI-only flag through to Anthropic.

Test coverage added: supports_model? bypass on custom endpoints,
chat_response messages: kwarg compatibility, default_model fallback
in the three credential combinations, configured? against ENV +
Setting, strict-flag stripping for both key types, and a
`Setting.expects(:anthropic_model).never` assertion proving the
ENV-precedence test now exercises the lazy path.

All 4365 tests pass (1 pre-existing libvips env error unrelated).

* test(chat): make default_model tests resilient to ENV model overrides

CodeRabbit flagged on PR review: the new default_model tests asserted
against Provider::*::DEFAULT_MODEL, but Chat.default_model actually
returns Provider::*.effective_model.presence (which reads
OPENAI_MODEL / ANTHROPIC_MODEL from the environment). With either env
var set, the tests would fail intermittently even though routing was
correct.

- New default_model tests now assert against the provider's
  effective_model directly, so they verify the routing decision
  (which provider's value wins) without coupling to the constant.
- Pre-existing "creates with default model" assertions had the same
  brittleness; switch them to compare against Chat.default_model so
  the chosen model is whatever the env / Setting cascade resolves to.

Verified by running `ANTHROPIC_MODEL=claude-haiku-4-5 OPENAI_MODEL=gpt-4o
bin/rails test test/models/chat_test.rb` — 16 runs, 0 failures
(previously 2 pre-existing failures + 0 from the new tests).

* fix(ai): address local review on Anthropic foundation

- Provider::Anthropic#supports_pdf_processing? bypasses prefix gate for
  custom endpoints, mirroring supports_model?
- Provider::Anthropic#initialize raises Error when custom_endpoint? AND
  model.blank?, parity with Provider::Openai
- stream_chat_response captures partial usage on mid-stream errors and
  records it via the new on_partial callback so chat_response can skip
  the duplicate error row in the outer rescue
- safe_accumulated_message swallows the secondary failure when the SDK
  cannot reconstruct a snapshot
- langfuse_client memoizes properly (||= instead of =) so repeated calls
  don't churn Langfuse instances
- MessageFormatter sorts tool_calls by created_at then id so the
  message array is deterministic across replays; skips tool_calls
  missing both provider_call_id and provider_id rather than sending
  `id: nil` and getting rejected by Anthropic
- Setting.anthropic_access_token default falls back through
  ENV["ANTHROPIC_API_KEY"].presence (was missing .presence, so an
  empty-string env value bled through)
- User#openai_configured? / #anthropic_configured? delegate to the
  Provider::* class methods — single source of truth
- Assistant::Responder renames the OpenAI-shape history builder
  conversation_history → openai_messages_payload so the kwarg name
  matches the local method name (messages: openai_messages_payload,
  conversation_history: chat_message_records)
- Assistant::Builtin stale-history comment updated to reference both
  builders

Adds a streaming chat_response test using ad-hoc subclasses of the
SDK event types so the case/when dispatch matches via is_a? without
stubbing class-level === behavior.

* test(ai): add Anthropic tool_use round-trip + multi-tool turn coverage

Addresses @jjmata's "worth confirming" note on PR #1983: tool-use turns
from prior assistant messages must round-trip correctly when retrieved
from the database.

- New `ChatParser → ToolCall::Function → MessageFormatter` test walks
  the full path: Anthropic response with a tool_use block →
  ChatFunctionRequest → ToolCall::Function.from_function_request →
  persisted on the AssistantMessage → MessageFormatter rebuild on the
  next turn. Asserts the original `tool_use.id` is preserved end-to-end
  as both `tool_use.id` and the paired `tool_result.tool_use_id`, and
  that the original `input` hash and serialized result content survive.
- New multi-tool assistant turn test confirms two tool_use blocks on a
  single assistant message render as two tool_use blocks followed by
  two paired tool_result blocks in a single user-role follow-up,
  matching Anthropic's required alternation.

Both tests exercise the existing PR1 code without behavior changes.

* test(ai): require "ostruct" explicitly in Anthropic provider tests

OpenStruct is moving out of Ruby's default load path (warning in 3.4+,
removed in 3.5+). Tests work today because ActiveSupport transitively
loads it, but that's incidental. Match the existing convention in
test/controllers/settings/hostings_controller_test.rb which explicitly
requires ostruct for the same reason.

* fix(ai): sanitize Langfuse warn logs, normalize tool_use.input, dedup history fetch

Addresses three open CodeRabbit findings on PR #1983.

- Provider::Anthropic Langfuse rescue branches no longer include
  `e.full_message` in `Rails.logger.warn`. `full_message` bundles the
  backtrace + cause chain and on some SDK error types includes the
  serialized request/response payload (prompt, model output). Logs
  now report `#{e.class}: #{e.message}` only. Three sites:
  create_langfuse_trace, log_langfuse_generation, upsert_langfuse_trace.
  Note: Provider::Openai has the same pattern (copy-pasted source) —
  harmonization deferred to a follow-up cleanup PR; this commit fixes
  only the Anthropic provider to keep PR scope tight.

- MessageFormatter#parse_arguments now coerces any non-Hash parsed
  result to `{}`. Anthropic's Messages API requires `tool_use.input`
  to be a JSON object (map); a stored ToolCall::Function record whose
  arguments parse to a scalar, bool, or array (corrupt row, legacy
  data, cross-provider bleed) would otherwise produce a payload the
  API rejects. Normal flow stores Hash arguments end-to-end so the
  fix is defensive — adds 2 tests covering scalar/array JSON strings
  and non-String non-Hash inputs.

- Assistant::Responder dedups the chat-history fetch. The previous
  layout fired two near-identical `chat.messages.where(...).includes(
  :tool_calls).ordered` queries per LLM turn (one for the OpenAI-shape
  payload, one for the raw-records kwarg). A new memoized
  `complete_chat_messages` fetches once; `chat_message_records` filters
  out the current message via `Array#reject`, `openai_messages_payload`
  iterates the cached array unchanged. One SQL query per turn instead
  of two. Memoization scope = single Responder instance (per LLM call),
  so cache invalidation is not a concern.

All 4370 tests pass (1 pre-existing libvips env error unrelated).
Rubocop + brakeman clean.

* fix(ci): replace sk-ant- prefixed test placeholders

Pipelock secret scanner pattern-matches `sk-ant-*` as a real Anthropic
API key and fails the PR security-scan check. Test stubs and
ClimateControl env values used `sk-ant-test`, `sk-ant-from-setting`,
`sk-ant-x`, `sk-ant-y` as obvious placeholders, but the scanner does
not care about value entropy.

Switched to `fake-anthropic-key-*` / `fake-token-*` strings so the
scanner stops flagging them. No production code touched, no behavior
change — Provider::Anthropic still accepts any non-blank token.

* feat(ai): add Anthropic batch ops + LLM cost ledger (2/5)

Implements auto_categorize, auto_detect_merchants, and
enhance_provider_merchants on Provider::Anthropic via forced tool calls,
plus the cost-ledger plumbing they need.

- Provider::Anthropic::AutoCategorizer, AutoMerchantDetector,
  ProviderMerchantEnhancer each define a single output tool whose
  input_schema mirrors the desired output, then force the model to call
  it via tool_choice: { type: "tool", name: ..., disable_parallel_tool_use: true }.
  Anthropic guarantees the tool_use.input matches the schema, so there
  is no JSON parsing fragility, no <think> tag stripping, and no
  json_object/json_schema fallback ladders.
- Concerns::UsageRecorder mirrors the OpenAI sibling but persists
  cache_creation_input_tokens / cache_read_input_tokens to dedicated
  columns instead of metadata.
- Migration adds cache_creation_tokens, cache_read_tokens (nullable
  integers) to llm_usages. OpenAI rows leave them null.
- LlmUsage::PRICING gains Claude 4.x rows (opus-4-7 $15/$75, sonnet-4-6
  $3/$15, haiku-4-5 $1/$5 per MTok). infer_provider returns "anthropic"
  for claude-* via the existing exact/prefix lookup.
- Provider::Anthropic#chat_response now persists cache columns directly
  rather than stashing them in metadata.
- 25-transaction batch cap mirrors the OpenAI provider so the cost
  ledger sees the same shape regardless of which provider ran a batch.

Tests cover the forced-tool-call path, null/None normalization,
case-insensitive merchant matching, the missing-tool_use error path,
and Anthropic-specific pricing + provider inference on LlmUsage.

Stacked on #1983 (PR 1/5). 3/5 PDF + vision next.

* fix(ai): attribute Bedrock model IDs to anthropic + clean nil enum

- LlmUsage.infer_provider now returns "anthropic" for Bedrock /
  Vertex shaped IDs (anthropic.* and anthropic/*), so cost-ledger
  filtering by provider stays correct even when no per-MTok rate is
  stored. Previously these IDs fell through to the "openai" default.
- AutoCategorizer drops the redundant nil sentinel from the
  category_name enum — the union type [string, null] already permits
  null, and some JSON Schema validators reject nil literals inside
  enum arrays.

* test(ai): require "ostruct" in Anthropic batch op tests

Same rationale as the PR1 ostruct fix — explicit require so the tests
don't depend on ActiveSupport's transitive load when Ruby 3.5+ removes
OpenStruct from the default load path.

* feat(ai): Anthropic native PDF processing (3/5)

Implements process_pdf and extract_bank_statement on Provider::Anthropic
using the native `document` content block — no rasterization, no text
pre-extraction.

- Provider::Anthropic::PdfProcessor classifies the document, summarizes
  it, and extracts statement metadata via a forced report_document_analysis
  tool whose input_schema mirrors the existing Provider::Openai output
  (document_type from Import::DOCUMENT_TYPES, summary, extracted_data).
- Provider::Anthropic::BankStatementExtractor returns the same
  { transactions, period, account_holder, account_number, bank_name,
  opening_balance, closing_balance } shape via report_bank_statement so
  downstream pdf_import code is provider-agnostic.
- Both attach the PDF as
  { type: "document", source: { type: "base64", media_type: "application/pdf", data: <b64> } }
  — Claude 3.5+ / 4.x accept this natively (up to 32MB / 100 pages).
  No pdf-reader, no pdftoppm, no chunking for typical statements.
- supports_pdf_processing? (introduced in PR 1) already returns true for
  claude-* models, gating process_pdf with a clear error otherwise.
- Cost ledger rows are persisted via the shared UsageRecorder concern,
  including cache_creation/cache_read tokens.

Tests verify the document block shape, tool_choice forcing, normalized
document_type for unknown classifications, transaction normalization
(date / amount / reference → notes), and the missing-tool_use error
path. Blank pdf_content raises before any client call.

Stacked on #1984 (PR 2/5). 4/5 pgvector RAG next.

* fix(ai): guard PDF size + surface bank-statement truncation

- PdfProcessor and BankStatementExtractor raise upfront when
  pdf_content.bytesize exceeds MAX_PDF_BYTES (32 MB, matching
  Anthropic's hard limit). Previously a 100 MB PDF would be
  base64-encoded (~133 MB) and packed into the JSON body before
  the API rejected it — peak heap ~270 MB per Sidekiq worker.
- BankStatementExtractor inspects response.stop_reason; when the
  model hit max_tokens it logs a warning and flags result[:truncated]
  so downstream callers know the transaction list may be incomplete.
- ISO date pattern added to statement_period_start/end schema in
  PdfProcessor so the model can't return "March 2026" — Anthropic
  enforces the regex via the tool's input_schema.

Tests cover the size guard (raises before any client.messages call),
truncated-result flagging, and the warning log path.

* test(ai): require "ostruct" in Anthropic PDF tests

Match the explicit ostruct require added in PR1/PR2 — same Ruby 3.5+
load-path reason.

* feat(ai): default Anthropic installs to pgvector RAG (4/5)

The provider-agnostic vector store stack (VectorStore::Pgvector + the
Embeddable concern) already shipped to main. This PR closes the
Anthropic loop:

- VectorStore::Registry.adapter_name now returns :pgvector when
  Setting.llm_provider == "anthropic" and no explicit
  VECTOR_STORE_PROVIDER override is set. Anthropic has no hosted vector
  store, so falling back to the local pgvector adapter is the only
  correct default. Explicit VECTOR_STORE_PROVIDER still wins.
- SearchFamilyFiles surfaces a longer message when no adapter is wired
  up — calling out pgvector + EMBEDDING_URI_BASE as the supported
  Anthropic-only path so the user is not stuck with an "OpenAI required"
  hint that is no longer accurate.

The Embeddable concern already pulls embeddings from
EMBEDDING_URI_BASE / EMBEDDING_ACCESS_TOKEN (with OpenAI as fallback),
so Anthropic installs point this at Voyage AI, a local Ollama instance,
or OpenAI embeddings — independent of the chat provider.

Tests cover the new default routing, the existing OpenAI default
staying intact, and explicit VECTOR_STORE_PROVIDER overriding the
Anthropic default.

Stacked on #1985 (PR 3/5). 5/5 settings UI + retention disclosure next.

* feat(ai): self-host settings UI for Anthropic provider (5/5)

Adds the Anthropic panel and the install-wide LLM provider selector to
the self-hosting settings page, plus a shared data-retention
disclosure that covers both OpenAI and Anthropic.

- New _llm_provider_selector partial: select for Setting.llm_provider
  (openai | anthropic), respects the LLM_PROVIDER env var (disables the
  control + shows the "configured through environment variables" hint
  when set, mirroring the existing OpenAI panel behaviour), and renders
  a compact data-handling block with one-line retention statements for
  each provider.
- New _anthropic_settings partial mirrors _openai_settings exactly:
  password-field for the API key with **** redaction, optional
  base_url (for AWS Bedrock / GCP Vertex), optional default model. All
  three fields disable when their ENV var is set.
- show.html.erb renders provider selector + OpenAI panel + Anthropic
  panel under the same "General" section so users can configure either
  (or both) without switching pages.
- Settings::HostingsController#update now permits and persists
  anthropic_access_token (ignoring the **** placeholder, same pattern
  as OpenAI), anthropic_base_url, anthropic_model, and llm_provider
  (validated against %w[openai anthropic]). On Setting::ValidationError
  the rescue branch preserves anthropic_base_url / anthropic_model
  input so the form re-renders with the user's typed values intact —
  parity with the issue #1824 fix for OpenAI.
- Locale keys added under settings.hostings.{llm_provider_selector,
  anthropic_settings}.

Tests cover token update + placeholder redaction, base_url + model
update, llm_provider switch to anthropic, and rejection of unknown
provider values. The existing GET render test still passes, exercising
all three new partials.

Closes the 5/5 Anthropic series stacked on #1986.

* fix(ai): valid Tailwind token + base_url URL validation

- Data-handling block in _llm_provider_selector swaps the invalid
  bg-surface-secondary token for bg-container-inset, matching the
  inset-card pattern used elsewhere in sure-design-system/components.css.
  bg-surface-secondary is not defined anywhere in the design system —
  Tailwind treated it as a no-op, so the block rendered with no
  background contrast.
- Settings::HostingsController validates anthropic_base_url as a
  URI::HTTP (catches https too) and raises Setting::ValidationError
  with a localized message when the input is not parseable.
  Previously any string was persisted, surfacing as an opaque
  connection error at request time instead of an immediate UX failure.
- Blank base_url now clears the setting (was already the case but
  exercised explicitly in tests now).

* fix(ci): replace sk-ant- prefixed token in hostings controller test

Same pipelock secret-scan trigger as PR1 fix on registry/anthropic
tests. The sk-ant-* prefix is matched verbatim by the scanner
regardless of value entropy.

* fix(ai): provision pgvector table when it is the default store

#1986 makes pgvector the default vector store for Anthropic installs, but
CreateVectorStoreChunks only ran when VECTOR_STORE_PROVIDER=pgvector was set
explicitly — so a fresh Anthropic-only install migrated without the
vector_store_chunks table and failed on uploads/searches.

Add VectorStore::Registry.pgvector_effective? as the single source of truth
for "is pgvector active?" (explicit env OR the Anthropic default), and a new
idempotent migration that enables the extension + creates the table whenever
pgvector is effective and the table is missing — covering fresh and
already-migrated installs without drift. Addresses Codex P1.

* fix(ai): provision pgvector table for Anthropic-default installs

Migration gated on raw VECTOR_STORE_PROVIDER==pgvector, so an
Anthropic-default install (which selects pgvector implicitly via
Setting.llm_provider without setting VECTOR_STORE_PROVIDER) skipped
table creation and failed later on a missing vector_store_chunks
relation. Route through VectorStore::Registry.pgvector_effective? —
the single source of truth already shared by the adapter selection.

Addresses Codex P1 review finding.

* fix(ai): provision pgvector chunks table on schema-load installs

The ensure-migration only helps db:migrate upgraders. Fresh installs go
through bin/docker-entrypoint's db:prepare, which loads schema.rb (the
conditional table can't be dumped there — it needs the vector extension)
and marks every migration applied without running it. An Anthropic-only
fresh install therefore selected the pgvector adapter but had no table,
failing with raw PG errors on first upload or search.

Two layers close it:

- VectorStore::Pgvector#ensure_schema! provisions the table idempotently
  on first use (mirrors CreateVectorStoreChunks; memoized; failures wrap
  in VectorStore::Error, which with_response turns into a clean failed
  response).
- VectorStore::Registry#build_pgvector now gates on
  VectorStore::Pgvector.available? (table exists, or extension present),
  so installs whose Postgres lacks pgvector entirely degrade to the
  assistant's provider_not_configured message instead of raising
  mid-chat.

Also resolves the schema.rb version conflict against main (keep the
branch's 2026_06_01_120000, on top of main's current tables).

* fix(ai): address review nitpicks on pgvector provisioning

- Registry: update the adapter doc comment to mention the
  Anthropic-to-pgvector default alongside the openai fallback.
- ensure_schema!: guard the DDL with if_not_exists instead of a Mutex.
  Adapter instances are built per call and never shared across threads,
  so the realistic race is two processes (web + Sidekiq) provisioning
  concurrently; IF NOT EXISTS makes the loser a no-op where a Mutex
  would only serialize threads inside one process.

* fix(ai): address review on Anthropic settings UI

- Require an Anthropic model when a custom base URL is saved, mirroring the
  OpenAI branch. Auto-submit-on-blur could persist a base URL with no model,
  making Provider::Anthropic raise "Model is required..." on every LLM call.
- Narrow the LLM provider selector copy: only chat honors Setting.llm_provider;
  categorization, merchant detection and PDF processing still always use OpenAI.
  Stop advertising provider switching for those flows until they are wired.
- Reset global Setting.* in test teardown to prevent state leakage, and add a
  test covering the new base-URL-requires-model validation.

* feat(ds): conditional LLM provider settings + merged copy

The self-hosting AI section showed both providers' credential blocks at once
and duplicated near-identical copy. Tidy it:

- Replace the provider <select> with a DS::SegmentedControl driving a new
  provider-settings Stimulus controller: only the active provider's panel is
  shown; switching reveals the other instantly and persists Setting.llm_provider.
- Merge the two byte-identical data-retention lines into one provider-neutral
  Data handling note.
- Scope the token-budget copy to OpenAI-compatible calls (read only by
  Provider::Openai) and add an inline 'add a key to activate' hint when the
  active provider is unconfigured.

UI-only; no provider behavior change.

* feat(ds): responsive LLM provider picker (tabs >=sm, select on mobile)

The segmented tabs overflow a phone viewport once there are 3+ providers
(measured: 4 labels want ~409px in a 319px column at 390px wide). Below sm,
fall back to a native <select> -- which doubles as the submitted field -- while
keeping the segmented tabs at sm and up.

Both controls bind to the same provider-settings Stimulus controller (the
select reads its value, the tabs read data-provider), so adding a 3rd/4th
provider scales on mobile with no layout math.

* fix(hostings): sanitize llm provider selector

* test(hostings): avoid brittle provider hint assertion

---------

Co-authored-by: sure-admin <sure-admin@splashblot.com>
2026-06-09 23:00:04 +02:00

525 lines
18 KiB
Ruby

require "test_helper"
require "ostruct"
class Settings::HostingsControllerTest < ActionDispatch::IntegrationTest
include ProviderTestHelper
setup do
sign_in users(:family_admin)
@provider = mock
Provider::Registry.stubs(:get_provider).with(:twelve_data).returns(@provider)
@provider.stubs(:healthy?).returns(true)
Provider::Registry.stubs(:get_provider).with(:yahoo_finance).returns(@provider)
@provider.stubs(:usage).returns(provider_success_response(
OpenStruct.new(
used: 10,
limit: 100,
utilization: 10,
plan: "free",
)
))
end
teardown do
# These tests persist global Setting.* values; reset them so state can't
# leak into later (order-dependent) tests.
%i[anthropic_access_token anthropic_base_url anthropic_model llm_provider].each do |key|
Setting.public_send("#{key}=", nil)
end
end
test "cannot edit when self hosting is disabled" do
@provider.stubs(:usage).returns(@usage_response)
Rails.configuration.stubs(:app_mode).returns("managed".inquiry)
get settings_hosting_url
assert_response :forbidden
patch settings_hosting_url, params: { setting: { onboarding_state: "invite_only" } }
assert_response :forbidden
end
test "should get edit when self hosting is enabled" do
@provider.expects(:usage).returns(@usage_response)
with_self_hosting do
get settings_hosting_url
assert_response :success
end
end
test "can update settings when self hosting is enabled" do
with_self_hosting do
patch settings_hosting_url, params: { setting: { twelve_data_api_key: "1234567890" } }
assert_equal "1234567890", Setting.twelve_data_api_key
end
end
test "can update onboarding state when self hosting is enabled" do
sign_in users(:sure_support_staff)
with_self_hosting do
patch settings_hosting_url, params: { setting: { onboarding_state: "invite_only" } }
assert_equal "invite_only", Setting.onboarding_state
assert Setting.require_invite_for_signup
patch settings_hosting_url, params: { setting: { onboarding_state: "closed" } }
assert_equal "closed", Setting.onboarding_state
refute Setting.require_invite_for_signup
end
end
test "can update openai access token when self hosting is enabled" do
with_self_hosting do
patch settings_hosting_url, params: { setting: { openai_access_token: "token" } }
assert_equal "token", Setting.openai_access_token
end
end
test "can update anthropic access token when self hosting is enabled" do
with_self_hosting do
patch settings_hosting_url, params: { setting: { anthropic_access_token: "fake-anthropic-key-for-tests" } }
assert_equal "fake-anthropic-key-for-tests", Setting.anthropic_access_token
end
end
test "ignores redacted anthropic token placeholder" do
with_self_hosting do
Setting.anthropic_access_token = "previous-token"
patch settings_hosting_url, params: { setting: { anthropic_access_token: "********" } }
assert_equal "previous-token", Setting.anthropic_access_token
end
end
test "can update anthropic base_url and model" do
with_self_hosting do
patch settings_hosting_url, params: { setting: { anthropic_base_url: "https://bedrock.example.com", anthropic_model: "claude-opus-4-7" } }
assert_equal "https://bedrock.example.com", Setting.anthropic_base_url
assert_equal "claude-opus-4-7", Setting.anthropic_model
end
end
test "rejects non-URL anthropic base_url" do
with_self_hosting do
Setting.anthropic_base_url = nil
patch settings_hosting_url, params: { setting: { anthropic_base_url: "not-a-url" } }
assert_response :unprocessable_entity
assert_match(/Anthropic Base URL must be an http/, flash[:alert])
assert_nil Setting.anthropic_base_url
end
end
test "clears anthropic base_url when blank value submitted" do
with_self_hosting do
Setting.anthropic_base_url = "https://bedrock.example.com"
patch settings_hosting_url, params: { setting: { anthropic_base_url: "" } }
assert_nil Setting.anthropic_base_url
end
end
test "requires anthropic model when a custom base_url is set" do
with_self_hosting do
Setting.anthropic_base_url = nil
Setting.anthropic_model = nil
patch settings_hosting_url, params: { setting: { anthropic_base_url: "https://bedrock.example.com" } }
assert_response :unprocessable_entity
assert_match(/Anthropic Model is required/, flash[:alert])
assert_nil Setting.anthropic_base_url
end
end
test "can update llm_provider to anthropic" do
with_self_hosting do
patch settings_hosting_url, params: { setting: { llm_provider: "anthropic" } }
assert_equal "anthropic", Setting.llm_provider
end
end
test "falls back to openai when stored llm_provider is invalid" do
with_self_hosting do
Setting.llm_provider = "bogus"
Provider::Openai.stubs(:configured?).returns(false)
get settings_hosting_url
assert_response :success
assert_select "select[name=?] option[selected][value=?]", "setting[llm_provider]", "openai"
assert_no_match(/translation missing/i, @response.body)
end
ensure
Setting.llm_provider = nil
end
test "rejects unknown llm_provider values" do
with_self_hosting do
Setting.llm_provider = "openai"
patch settings_hosting_url, params: { setting: { llm_provider: "bogus" } }
assert_equal "openai", Setting.llm_provider
end
end
test "can update openai uri base and model together when self hosting is enabled" do
with_self_hosting do
patch settings_hosting_url, params: { setting: { openai_uri_base: "https://api.example.com/v1", openai_model: "gpt-4" } }
assert_equal "https://api.example.com/v1", Setting.openai_uri_base
assert_equal "gpt-4", Setting.openai_model
end
end
test "cannot update openai uri base without model when self hosting is enabled" do
with_self_hosting do
Setting.openai_model = ""
patch settings_hosting_url, params: { setting: { openai_uri_base: "https://api.example.com/v1" } }
assert_response :unprocessable_entity
assert_match(/OpenAI model is required/, flash[:alert])
assert Setting.openai_uri_base.blank?, "Expected openai_uri_base to remain blank after failed validation"
end
end
# Regression: issue #1824. The OpenAI form auto-submits on blur, so entering
# the URI base before the model fires a partial submit that fails validation.
# The re-rendered form must show the user's submitted URI base — not the
# still-blank saved value — so they can finish typing the model.
test "preserves submitted openai uri base in form when validation fails" do
with_self_hosting do
Setting.openai_uri_base = nil
Setting.openai_model = ""
patch settings_hosting_url, params: { setting: { openai_uri_base: "https://api.example.com/v1" } }
assert_response :unprocessable_entity
assert_select "input[name=?]", "setting[openai_uri_base]" do |inputs|
assert_equal "https://api.example.com/v1", inputs.first["value"]
end
end
ensure
Setting.openai_uri_base = nil
Setting.openai_model = nil
end
# PR #1862 review (jjmata): symmetric coverage for the model field. When the
# user changes the URI base and clears the model in the same auto-submit, the
# cross-field validation fails — the re-rendered model input must reflect the
# user's submitted (cleared) value, not silently revert to the saved model.
test "preserves submitted openai model in form when validation fails" do
with_self_hosting do
Setting.openai_uri_base = "https://saved.example.com/v1"
Setting.openai_model = "saved-model"
patch settings_hosting_url, params: { setting: {
openai_uri_base: "https://new.example.com/v1",
openai_model: ""
} }
assert_response :unprocessable_entity
assert_select "input[name=?]", "setting[openai_uri_base]" do |inputs|
assert_equal "https://new.example.com/v1", inputs.first["value"]
end
assert_select "input[name=?]", "setting[openai_model]" do |inputs|
assert_not_equal "saved-model", inputs.first["value"].to_s,
"model field must reflect the submitted (cleared) value, not the saved model"
end
end
ensure
Setting.openai_uri_base = nil
Setting.openai_model = nil
end
test "can update openai model alone when self hosting is enabled" do
with_self_hosting do
patch settings_hosting_url, params: { setting: { openai_model: "gpt-4" } }
assert_equal "gpt-4", Setting.openai_model
end
end
test "cannot clear openai model when custom uri base is set" do
with_self_hosting do
Setting.openai_uri_base = "https://api.example.com/v1"
Setting.openai_model = "gpt-4"
patch settings_hosting_url, params: { setting: { openai_model: "" } }
assert_response :unprocessable_entity
assert_match(/OpenAI model is required/, flash[:alert])
assert_equal "gpt-4", Setting.openai_model
end
end
test "can clear data cache when self hosting is enabled" do
account = accounts(:investment)
holding = account.holdings.first
exchange_rate = exchange_rates(:one)
security_price = holding.security.prices.first
account_balance = account.balances.create!(date: Date.current, balance: 1000, currency: "USD")
with_self_hosting do
perform_enqueued_jobs(only: DataCacheClearJob) do
delete clear_cache_settings_hosting_url
end
end
assert_redirected_to settings_hosting_url
assert_equal I18n.t("settings.hostings.clear_cache.cache_cleared"), flash[:notice]
assert_not ExchangeRate.exists?(exchange_rate.id)
assert_not Security::Price.exists?(security_price.id)
assert_not Holding.exists?(holding.id)
assert_not Balance.exists?(account_balance.id)
end
test "can update assistant type to external" do
with_self_hosting do
assert_equal "builtin", users(:family_admin).family.assistant_type
patch settings_hosting_url, params: { family: { assistant_type: "external" } }
assert_redirected_to settings_hosting_url
assert_equal "external", users(:family_admin).family.reload.assistant_type
end
end
test "ignores invalid assistant type values" do
with_self_hosting do
patch settings_hosting_url, params: { family: { assistant_type: "hacked" } }
assert_redirected_to settings_hosting_url
assert_equal "builtin", users(:family_admin).family.reload.assistant_type
end
end
test "ignores assistant type update when ASSISTANT_TYPE env is set" do
with_self_hosting do
with_env_overrides("ASSISTANT_TYPE" => "external") do
patch settings_hosting_url, params: { family: { assistant_type: "external" } }
assert_redirected_to settings_hosting_url
# DB value should NOT change when env override is active
assert_equal "builtin", users(:family_admin).family.reload.assistant_type
end
end
end
test "can update external assistant settings" do
with_self_hosting do
patch settings_hosting_url, params: { setting: {
external_assistant_url: "https://agent.example.com/v1/chat",
external_assistant_token: "my-secret-token",
external_assistant_agent_id: "finance-bot"
} }
assert_redirected_to settings_hosting_url
assert_equal "https://agent.example.com/v1/chat", Setting.external_assistant_url
assert_equal "my-secret-token", Setting.external_assistant_token
assert_equal "finance-bot", Setting.external_assistant_agent_id
end
ensure
Setting.external_assistant_url = nil
Setting.external_assistant_token = nil
Setting.external_assistant_agent_id = nil
end
test "does not overwrite token with masked placeholder" do
with_self_hosting do
Setting.external_assistant_token = "real-secret"
patch settings_hosting_url, params: { setting: { external_assistant_token: "********" } }
assert_equal "real-secret", Setting.external_assistant_token
end
ensure
Setting.external_assistant_token = nil
end
test "disconnect external assistant clears settings and resets type" do
with_self_hosting do
with_env_overrides("EXTERNAL_ASSISTANT_URL" => nil, "EXTERNAL_ASSISTANT_TOKEN" => nil) do
Setting.external_assistant_url = "https://agent.example.com/v1/chat"
Setting.external_assistant_token = "token"
Setting.external_assistant_agent_id = "finance-bot"
users(:family_admin).family.update!(assistant_type: "external")
delete disconnect_external_assistant_settings_hosting_url
assert_redirected_to settings_hosting_url
# Force cache refresh so configured? reads fresh DB state after
# the disconnect action cleared the settings within its own request.
Setting.clear_cache
assert_not Assistant::External.configured?
assert_equal "builtin", users(:family_admin).family.reload.assistant_type
end
end
ensure
Setting.external_assistant_url = nil
Setting.external_assistant_token = nil
Setting.external_assistant_agent_id = nil
end
test "disconnect external assistant requires admin" do
with_self_hosting do
sign_in users(:family_member)
delete disconnect_external_assistant_settings_hosting_url
assert_redirected_to settings_hosting_url
assert_equal I18n.t("settings.hostings.not_authorized"), flash[:alert]
end
end
test "accepts valid llm budget overrides and blanks clear them" do
with_self_hosting do
patch settings_hosting_url, params: { setting: {
llm_context_window: "4096",
llm_max_response_tokens: "1024",
llm_max_items_per_call: "40"
} }
assert_redirected_to settings_hosting_url
assert_equal 4096, Setting.llm_context_window
assert_equal 1024, Setting.llm_max_response_tokens
assert_equal 40, Setting.llm_max_items_per_call
patch settings_hosting_url, params: { setting: {
llm_context_window: "",
llm_max_response_tokens: "",
llm_max_items_per_call: ""
} }
assert_nil Setting.llm_context_window
assert_nil Setting.llm_max_response_tokens
assert_nil Setting.llm_max_items_per_call
end
ensure
Setting.llm_context_window = nil
Setting.llm_max_response_tokens = nil
Setting.llm_max_items_per_call = nil
end
test "rejects llm budget below field minimum" do
with_self_hosting do
patch settings_hosting_url, params: { setting: { llm_context_window: "0" } }
assert_response :unprocessable_entity
assert_match(/must be a whole number/, flash[:alert])
assert_nil Setting.llm_context_window
patch settings_hosting_url, params: { setting: { llm_max_response_tokens: "-5" } }
assert_response :unprocessable_entity
assert_match(/must be a whole number/, flash[:alert])
assert_nil Setting.llm_max_response_tokens
patch settings_hosting_url, params: { setting: { llm_max_items_per_call: "not-a-number" } }
assert_response :unprocessable_entity
assert_match(/must be a whole number/, flash[:alert])
assert_nil Setting.llm_max_items_per_call
end
ensure
Setting.llm_context_window = nil
Setting.llm_max_response_tokens = nil
Setting.llm_max_items_per_call = nil
end
test "can clear data only when admin" do
with_self_hosting do
sign_in users(:family_member)
assert_no_enqueued_jobs do
delete clear_cache_settings_hosting_url
end
assert_redirected_to settings_hosting_url
assert_equal I18n.t("settings.hostings.not_authorized"), flash[:alert]
end
end
# --- Securities provider toggle ---
test "can update securities providers" do
with_self_hosting do
patch settings_hosting_url, params: { setting: { securities_providers: [ "twelve_data", "yahoo_finance" ] } }
assert_redirected_to settings_hosting_url
assert_equal "twelve_data,yahoo_finance", Setting.securities_providers
end
ensure
Setting.securities_providers = ""
end
test "filters out invalid provider names" do
with_self_hosting do
patch settings_hosting_url, params: { setting: { securities_providers: [ "twelve_data", "fake_provider", "hacked" ] } }
assert_redirected_to settings_hosting_url
# Only valid providers are stored
enabled = Setting.enabled_securities_providers
assert_includes enabled, "twelve_data"
refute_includes enabled, "fake_provider"
refute_includes enabled, "hacked"
end
ensure
Setting.securities_providers = ""
end
test "removing a provider marks linked securities offline" do
with_self_hosting do
security = Security.create!(ticker: "CSPX", exchange_operating_mic: "XLON", price_provider: "tiingo", offline: false)
# First enable tiingo
Setting.securities_providers = "twelve_data,tiingo"
# Then remove tiingo
patch settings_hosting_url, params: { setting: { securities_providers: [ "twelve_data" ] } }
security.reload
assert security.offline?, "Security should be marked offline when its provider is removed"
assert_equal "provider_disabled", security.offline_reason
end
ensure
Setting.securities_providers = ""
end
test "re-adding a provider brings securities back online" do
with_self_hosting do
security = Security.create!(
ticker: "CSPX2", exchange_operating_mic: "XLON",
price_provider: "tiingo", offline: true, offline_reason: "provider_disabled"
)
# Start without tiingo
Setting.securities_providers = "twelve_data"
# Re-add tiingo
patch settings_hosting_url, params: { setting: { securities_providers: [ "twelve_data", "tiingo" ] } }
security.reload
refute security.offline?, "Security should come back online when its provider is re-added"
assert_nil security.offline_reason
end
ensure
Setting.securities_providers = ""
end
end