@camstack/server 0.1.7 → 0.2.0

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@camstack/server",
-  "version": "0.1.7",
+  "version": "0.2.0",
   "private": false,
   "exports": {
     "./package.json": "./package.json",
@@ -9,8 +9,8 @@
   },
   "scripts": {
     "build": "tsc -p tsconfig.build.json",
-    "dev": "npx concurrently -n server,ui -c blue,magenta \"tsx watch --env-file=.env --ignore=./camstack-data src/launcher.ts\" \"cd ../../packages/addon-admin-ui && npx vite --port 3001\"",
-    "serve": "tsx watch --env-file=.env --ignore=./camstack-data src/launcher.ts",
+    "dev": "npx concurrently -n server,ui -c blue,magenta \"CAMSTACK_RESTART_TOUCH_FILE=src/launcher.ts tsx watch --env-file=.env --ignore=./camstack-data --ignore=../../packages/core/dist --ignore=../../packages/sdk/dist --ignore=../../packages/ui-library/dist --ignore=../../packages/shm-ring/dist src/launcher.ts\" \"cd ../../packages/addon-admin-ui && npx vite --port 3001\"",
+    "serve": "CAMSTACK_RESTART_TOUCH_FILE=src/launcher.ts tsx watch --env-file=.env --ignore=./camstack-data --ignore=../../packages/core/dist --ignore=../../packages/sdk/dist --ignore=../../packages/ui-library/dist --ignore=../../packages/shm-ring/dist src/launcher.ts",
     "serve:once": "tsx --env-file=.env src/launcher.ts",
     "start": "node --env-file=.env dist/launcher.js",
     "typecheck": "tsc --noEmit",
@@ -20,7 +20,6 @@
   "dependencies": {
     "@camstack/addon-admin-ui": "*",
     "@camstack/addon-advanced-notifier": "*",
-    "@camstack/addon-benchmark": "*",
     "@camstack/addon-pipeline": "*",
     "@camstack/addon-pipeline-orchestrator": "*",
     "@camstack/addon-post-analysis": "*",
@@ -31,25 +30,28 @@
     "@camstack/types": "*",
     "@camstack/ui-library": "*",
     "@fastify/cookie": "^11.0.2",
-    "@fastify/multipart": "^9.0.0",
-    "@fastify/static": "^8.0.0",
+    "@fastify/multipart": "^10.0.0",
+    "@fastify/static": "^9.1.3",
+    "@trpc/client": "^11.16.0",
     "@trpc/server": "^11.16.0",
     "fastify": "^5",
     "js-yaml": "^4",
     "moleculer": "^0.15.0",
-    "tar": "^6.2.1",
+    "superjson": "^2.2.6",
+    "tar": "6.2.1",
     "ws": "^8.20.0",
     "zod": "^4.3.6"
   },
   "devDependencies": {
     "@swc/core": "^1.15.18",
     "@types/js-yaml": "^4",
-    "@types/node": "^22",
+    "@types/node": "^24",
     "@types/tar": "^6.1.13",
     "@types/ws": "^8.18.1",
     "tsx": "^4",
-    "typescript": "^5.7",
+    "typescript": "~6.0.3",
     "unplugin-swc": "^1.5.9",
+    "vite": "^8.0.11",
     "vitest": "*"
   }
 }

package/src/__tests__/addon-install-e2e.test.ts

@@ -10,7 +10,6 @@ import * as path from 'node:path'
 const TEST_ADDONS_DIR = path.resolve('test-output/fresh-addons')
 
 describe('Addon Directory Loading', () => {
-
   beforeAll(() => {
     // Clean slate — delete the test addons directory
     fs.rmSync(TEST_ADDONS_DIR, { recursive: true, force: true })

package/src/__tests__/addon-pages-e2e.test.ts

@@ -18,16 +18,23 @@ import type { AddonContext, IScopedLogger, ProviderRegistration } from '@camstac
 
 interface AdminUIAddonInstance {
   readonly id: string
-  initialize(ctx: AddonContext): Promise<ProviderRegistration[] | void | undefined | {
-    readonly providers?: readonly ProviderRegistration[]
-  }>
+  initialize(ctx: AddonContext): Promise<
+    | ProviderRegistration[]
+    | void
+    | undefined
+    | {
+        readonly providers?: readonly ProviderRegistration[]
+      }
+  >
 }
 
 type AdminUIAddonCtor = new () => AdminUIAddonInstance
 
 async function loadAdminUIAddon(): Promise<AdminUIAddonCtor | null> {
   try {
-    const mod = await import('@camstack/addon-admin-ui/server/addon') as { AdminUIAddon?: AdminUIAddonCtor }
+    const mod = (await import('@camstack/addon-admin-ui/server/addon')) as {
+      AdminUIAddon?: AdminUIAddonCtor
+    }
     return mod.AdminUIAddon ?? null
   } catch {
     return null
@@ -67,9 +74,10 @@ describe('Addon Pages Integration', () => {
     if (result) {
       const regs = Array.isArray(result) ? result : ((result as any).providers ?? [])
       for (const reg of regs as ProviderRegistration[]) {
-        const capName = typeof reg.capability === 'string'
-          ? reg.capability
-          : (reg.capability as any)?.name ?? String(reg.capability)
+        const capName =
+          typeof reg.capability === 'string'
+            ? reg.capability
+            : ((reg.capability as any)?.name ?? String(reg.capability))
         providers.set(capName, reg.provider)
       }
     }
@@ -77,7 +85,6 @@ describe('Addon Pages Integration', () => {
     const provider = providers.get('addon-pages') as { getPages(): unknown[] } | undefined
     expect(provider).toBeDefined()
 
-
     const pages = provider!.getPages()
     expect(pages).toHaveLength(1)
 
@@ -116,17 +123,20 @@ describe('Addon Pages Integration', () => {
     if (result) {
       const regs = Array.isArray(result) ? result : ((result as any).providers ?? [])
       for (const reg of regs as ProviderRegistration[]) {
-        const capName = typeof reg.capability === 'string'
-          ? reg.capability
-          : (reg.capability as any)?.name ?? String(reg.capability)
+        const capName =
+          typeof reg.capability === 'string'
+            ? reg.capability
+            : ((reg.capability as any)?.name ?? String(reg.capability))
         providers.set(capName, reg.provider)
       }
     }
 
-    const ui = providers.get('admin-ui') as {
-      getStaticDir(): Promise<{ readonly staticDir: string }>
-      getVersion(): Promise<{ readonly version: string }>
-    } | undefined
+    const ui = providers.get('admin-ui') as
+      | {
+          getStaticDir(): Promise<{ readonly staticDir: string }>
+          getVersion(): Promise<{ readonly version: string }>
+        }
+      | undefined
     expect(ui).toBeDefined()
     expect(typeof ui!.getStaticDir).toBe('function')
     expect(typeof ui!.getVersion).toBe('function')
@@ -138,7 +148,12 @@ describe('Addon Pages Integration', () => {
     const registry = new CapabilityRegistry(createMockLogger())
     registry.ready()
 
-    registry.declareCapability({ name: 'addon-pages', scope: 'system', mode: 'collection', methods: {} })
+    registry.declareCapability({
+      name: 'addon-pages',
+      scope: 'system',
+      mode: 'collection',
+      methods: {},
+    })
 
     registry.registerProvider('addon-pages', 'benchmark', {
       id: 'benchmark',
@@ -163,14 +178,21 @@ describe('Addon Pages Integration', () => {
     const registry = new CapabilityRegistry(createMockLogger())
     registry.ready()
 
-    registry.declareCapability({ name: 'admin-ui', scope: 'system', mode: 'singleton', methods: {} })
+    registry.declareCapability({
+      name: 'admin-ui',
+      scope: 'system',
+      mode: 'singleton',
+      methods: {},
+    })
 
     registry.registerProvider('admin-ui', 'admin-ui', {
       getStaticDir: async () => ({ staticDir: '/some/path/dist' }),
       getVersion: async () => ({ version: '0.1.0' }),
     })
 
-    const ui = registry.getSingleton<{ getVersion(): Promise<{ readonly version: string }> }>('admin-ui')
+    const ui = registry.getSingleton<{ getVersion(): Promise<{ readonly version: string }> }>(
+      'admin-ui',
+    )
     expect(ui).toBeDefined()
     const version = await ui!.getVersion()
     expect(version.version).toBe('0.1.0')

package/src/__tests__/addon-settings-router.spec.ts

@@ -48,7 +48,12 @@ describe('addon-settings router', () => {
   })
 
   it('updateDevice stores a field and getDeviceOverrides reflects it', async () => {
-    await caller.updateDevice({ addonId: 'my-addon', deviceId: 'cam-1', field: 'resolution', value: '1080p' })
+    await caller.updateDevice({
+      addonId: 'my-addon',
+      deviceId: 'cam-1',
+      field: 'resolution',
+      value: '1080p',
+    })
     const result = await caller.getDeviceOverrides({ addonId: 'my-addon', deviceId: 'cam-1' })
     expect(result).toEqual({ resolution: '1080p' })
   })

package/src/__tests__/addon-upload.spec.ts

@@ -36,10 +36,7 @@ function buildValidTarball(manifest: { name: string; version: string }): Buffer
   const tmpDir = fs.mkdtempSync(path.join(os.tmpdir(), 'vitest-tarball-'))
   try {
     fs.mkdirSync(path.join(tmpDir, 'package'), { recursive: true })
-    fs.writeFileSync(
-      path.join(tmpDir, 'package', 'package.json'),
-      JSON.stringify(manifest),
-    )
+    fs.writeFileSync(path.join(tmpDir, 'package', 'package.json'), JSON.stringify(manifest))
     const tgz = path.join(tmpDir, 'out.tgz')
     execFileSync('tar', ['-czf', tgz, '-C', tmpDir, 'package'])
     return fs.readFileSync(tgz)
@@ -94,9 +91,13 @@ function makeAuth(kind: 'admin' | 'non-admin' | 'invalid' = 'admin'): AuthServic
 
 function makeAddonBridge(installed?: { name: string; version: string }): AddonBridgeService {
   return {
-    getInstaller: vi.fn(() => installed === undefined ? null : ({
-      installFromTgz: vi.fn(async () => installed),
-    })),
+    getInstaller: vi.fn(() =>
+      installed === undefined
+        ? null
+        : {
+            installFromTgz: vi.fn(async () => installed),
+          },
+    ),
     reloadPackages: vi.fn(async () => {}),
   } as unknown as AddonBridgeService
 }
@@ -144,8 +145,12 @@ function makeLogger(): IScopedLogger {
     info: vi.fn(),
     warn: vi.fn(),
     error: vi.fn(),
-    child: vi.fn(function (this: IScopedLogger) { return this }),
-    withTags: vi.fn(function (this: IScopedLogger) { return this }),
+    child: vi.fn(function (this: IScopedLogger) {
+      return this
+    }),
+    withTags: vi.fn(function (this: IScopedLogger) {
+      return this
+    }),
   } as unknown as IScopedLogger
 }
 
@@ -199,7 +204,9 @@ describe('POST /api/addons/upload', () => {
         method: 'POST',
         url: '/api/addons/upload',
         headers: { 'content-type': `multipart/form-data; boundary=${TGZ_BOUNDARY}` },
-        payload: buildMultipart(TGZ_BOUNDARY, { file: { filename: 'addon-x.tgz', content: VALID_TARBALL } }),
+        payload: buildMultipart(TGZ_BOUNDARY, {
+          file: { filename: 'addon-x.tgz', content: VALID_TARBALL },
+        }),
       })
       expect(res.statusCode).toBe(401)
     })
@@ -214,8 +221,13 @@ describe('POST /api/addons/upload', () => {
       const res = await fastify.inject({
         method: 'POST',
         url: '/api/addons/upload',
-        headers: { 'content-type': `multipart/form-data; boundary=${TGZ_BOUNDARY}`, authorization: 'Bearer token' },
-        payload: buildMultipart(TGZ_BOUNDARY, { file: { filename: 'addon-x.tgz', content: VALID_TARBALL } }),
+        headers: {
+          'content-type': `multipart/form-data; boundary=${TGZ_BOUNDARY}`,
+          authorization: 'Bearer token',
+        },
+        payload: buildMultipart(TGZ_BOUNDARY, {
+          file: { filename: 'addon-x.tgz', content: VALID_TARBALL },
+        }),
       })
       expect(res.statusCode).toBe(403)
     })
@@ -230,8 +242,13 @@ describe('POST /api/addons/upload', () => {
     const res = await fastify.inject({
       method: 'POST',
       url: '/api/addons/upload',
-      headers: { 'content-type': `multipart/form-data; boundary=${TGZ_BOUNDARY}`, authorization: 'Bearer t' },
-      payload: buildMultipart(TGZ_BOUNDARY, { file: { filename: 'evil.exe', content: VALID_TARBALL } }),
+      headers: {
+        'content-type': `multipart/form-data; boundary=${TGZ_BOUNDARY}`,
+        authorization: 'Bearer t',
+      },
+      payload: buildMultipart(TGZ_BOUNDARY, {
+        file: { filename: 'evil.exe', content: VALID_TARBALL },
+      }),
     })
     expect(res.statusCode).toBe(400)
   })
@@ -240,7 +257,9 @@ describe('POST /api/addons/upload', () => {
     // Hub install writes a `.install-source` marker into
     // `${CAMSTACK_DATA}/addons/<addonName>/`. Point CAMSTACK_DATA at an
     // isolated temp dir for the test so the side effect doesn't escape.
-    const tmpRoot = await import('node:fs/promises').then(fs => fs.mkdtemp('/tmp/camstack-upload-test-'))
+    const tmpRoot = await import('node:fs/promises').then((fs) =>
+      fs.mkdtemp('/tmp/camstack-upload-test-'),
+    )
     const previous = process.env['CAMSTACK_DATA']
     process.env['CAMSTACK_DATA'] = tmpRoot
     const fsSync = await import('node:fs')
@@ -256,12 +275,27 @@ describe('POST /api/addons/upload', () => {
       const res = await fastify.inject({
         method: 'POST',
         url: '/api/addons/upload',
-        headers: { 'content-type': `multipart/form-data; boundary=${TGZ_BOUNDARY}`, authorization: 'Bearer t' },
-        payload: buildMultipart(TGZ_BOUNDARY, { file: { filename: 'addon-x.tgz', content: VALID_TARBALL } }),
+        headers: {
+          'content-type': `multipart/form-data; boundary=${TGZ_BOUNDARY}`,
+          authorization: 'Bearer t',
+        },
+        payload: buildMultipart(TGZ_BOUNDARY, {
+          file: { filename: 'addon-x.tgz', content: VALID_TARBALL },
+        }),
       })
       expect(res.statusCode).toBe(200)
-      const body = res.json() as { success: boolean; target: string; packageName: string; version: string }
-      expect(body).toMatchObject({ success: true, target: 'hub', packageName: 'addon-x', version: '2.0.0' })
+      const body = res.json() as {
+        success: boolean
+        target: string
+        packageName: string
+        version: string
+      }
+      expect(body).toMatchObject({
+        success: true,
+        target: 'hub',
+        packageName: 'addon-x',
+        version: '2.0.0',
+      })
     } finally {
       if (previous === undefined) delete process.env['CAMSTACK_DATA']
       else process.env['CAMSTACK_DATA'] = previous
@@ -272,7 +306,9 @@ describe('POST /api/addons/upload', () => {
   it('restarts the server (not an in-process reload) when a framework package is deployed', async () => {
     // @camstack/core ships hub builtins that can't hot-reload in place — the
     // upload path must call restartServer() and SKIP the per-addon restartAddon.
-    const tmpRoot = await import('node:fs/promises').then(fs => fs.mkdtemp('/tmp/camstack-upload-fw-'))
+    const tmpRoot = await import('node:fs/promises').then((fs) =>
+      fs.mkdtemp('/tmp/camstack-upload-fw-'),
+    )
     const previous = process.env['CAMSTACK_DATA']
     process.env['CAMSTACK_DATA'] = tmpRoot
     const fsSync = await import('node:fs')
@@ -282,7 +318,9 @@ describe('POST /api/addons/upload', () => {
       const restartServer = vi.fn((_requestedBy?: string) => {})
       const restartAddon = vi.fn(async (_id: string) => ({ success: true }))
       const registry = {
-        listAddons: vi.fn(() => [{ manifest: { id: 'sqlite-settings', packageName: '@camstack/core' } }]),
+        listAddons: vi.fn(() => [
+          { manifest: { id: 'sqlite-settings', packageName: '@camstack/core' } },
+        ]),
         loadNewAddons: vi.fn(async () => ({ loaded: [] as string[], failed: [] as string[] })),
         restartAddon,
         getCapabilityRegistry: vi.fn(() => ({ getSingleton: vi.fn((_n: string) => null) })),
@@ -299,9 +337,15 @@ describe('POST /api/addons/upload', () => {
       const res = await fastify.inject({
         method: 'POST',
         url: '/api/addons/upload',
-        headers: { 'content-type': `multipart/form-data; boundary=${TGZ_BOUNDARY}`, authorization: 'Bearer t' },
+        headers: {
+          'content-type': `multipart/form-data; boundary=${TGZ_BOUNDARY}`,
+          authorization: 'Bearer t',
+        },
         payload: buildMultipart(TGZ_BOUNDARY, {
-          file: { filename: 'camstack-core-9.9.9.tgz', content: buildValidTarball({ name: '@camstack/core', version: '9.9.9' }) },
+          file: {
+            filename: 'camstack-core-9.9.9.tgz',
+            content: buildValidTarball({ name: '@camstack/core', version: '9.9.9' }),
+          },
         }),
       })
       expect(res.statusCode).toBe(200)
@@ -317,7 +361,11 @@ describe('POST /api/addons/upload', () => {
   })
 
   it('routes to $agent.deploy when nodeId is provided', async () => {
-    const call = vi.fn(async () => ({ success: true, addonId: 'addon-x', path: '/agent/addons/addon-x' }))
+    const call = vi.fn(async () => ({
+      success: true,
+      addonId: 'addon-x',
+      path: '/agent/addons/addon-x',
+    }))
     fastify = await makeServer({
       auth: makeAuth('admin'),
       bridge: makeAddonBridge(),
@@ -326,7 +374,10 @@ describe('POST /api/addons/upload', () => {
     const res = await fastify.inject({
       method: 'POST',
       url: '/api/addons/upload',
-      headers: { 'content-type': `multipart/form-data; boundary=${TGZ_BOUNDARY}`, authorization: 'Bearer t' },
+      headers: {
+        'content-type': `multipart/form-data; boundary=${TGZ_BOUNDARY}`,
+        authorization: 'Bearer t',
+      },
       payload: buildMultipart(TGZ_BOUNDARY, {
         file: { filename: 'addon-x-1.2.3.tgz', content: VALID_TARBALL },
         nodeId: 'agent-frigate',
@@ -346,7 +397,9 @@ describe('POST /api/addons/upload', () => {
   })
 
   it('returns 502 when $agent.deploy throws', async () => {
-    const call = vi.fn(async () => { throw new Error('agent unreachable') })
+    const call = vi.fn(async () => {
+      throw new Error('agent unreachable')
+    })
     fastify = await makeServer({
       auth: makeAuth('admin'),
       bridge: makeAddonBridge(),
@@ -355,7 +408,10 @@ describe('POST /api/addons/upload', () => {
     const res = await fastify.inject({
       method: 'POST',
       url: '/api/addons/upload',
-      headers: { 'content-type': `multipart/form-data; boundary=${TGZ_BOUNDARY}`, authorization: 'Bearer t' },
+      headers: {
+        'content-type': `multipart/form-data; boundary=${TGZ_BOUNDARY}`,
+        authorization: 'Bearer t',
+      },
       payload: buildMultipart(TGZ_BOUNDARY, {
         file: { filename: 'addon-x.tgz', content: VALID_TARBALL },
         nodeId: 'agent-frigate',
@@ -377,7 +433,10 @@ describe('POST /api/addons/upload', () => {
     await fastify.inject({
       method: 'POST',
       url: '/api/addons/upload',
-      headers: { 'content-type': `multipart/form-data; boundary=${TGZ_BOUNDARY}`, authorization: 'Bearer t' },
+      headers: {
+        'content-type': `multipart/form-data; boundary=${TGZ_BOUNDARY}`,
+        authorization: 'Bearer t',
+      },
       payload: buildMultipart(TGZ_BOUNDARY, {
         // Filename is intentionally different from manifest.name to prove
         // that the server reads the manifest, not the filename.
@@ -401,7 +460,10 @@ describe('POST /api/addons/upload', () => {
     const res = await fastify.inject({
       method: 'POST',
       url: '/api/addons/upload',
-      headers: { 'content-type': `multipart/form-data; boundary=${TGZ_BOUNDARY}`, authorization: 'Bearer t' },
+      headers: {
+        'content-type': `multipart/form-data; boundary=${TGZ_BOUNDARY}`,
+        authorization: 'Bearer t',
+      },
       payload: buildMultipart(TGZ_BOUNDARY, {
         file: { filename: 'bogus.tgz', content: INVALID_TARBALL },
       }),

package/src/__tests__/agent-registry.spec.ts

@@ -27,7 +27,9 @@ interface CapturedEmits {
 function createFakes(opts: { preExistingNodeIds?: readonly string[] } = {}) {
   const emits: CapturedEmits = { events: [] }
   const fakeEventBus = {
-    emit: (event: SystemEvent) => { emits.events.push(event) },
+    emit: (event: SystemEvent) => {
+      emits.events.push(event)
+    },
   } as unknown as EventBusService
 
   const localBus = new EventEmitter()
@@ -46,7 +48,9 @@ function createFakes(opts: { preExistingNodeIds?: readonly string[] } = {}) {
         },
       },
     },
-    setOnAgentRegistered: (_cb: (nodeId: string) => void) => { /* no-op in unit tests */ },
+    setOnAgentRegistered: (_cb: (nodeId: string) => void) => {
+      /* no-op in unit tests */
+    },
   } as unknown as MoleculerService
 
   const fakeCapability = {} as unknown as CapabilityService
@@ -87,8 +91,13 @@ describe('AgentRegistryService — agent.online event lifecycle', () => {
         localBus.emit('$node.connected', { node: { id: `agent-${i}` } })
       }
       expect(captured.events).toHaveLength(5)
-      expect(captured.events.map((e) => (e.data as Record<string, unknown>).agentId))
-        .toEqual(['agent-0', 'agent-1', 'agent-2', 'agent-3', 'agent-4'])
+      expect(captured.events.map((e) => (e.data as Record<string, unknown>).agentId)).toEqual([
+        'agent-0',
+        'agent-1',
+        'agent-2',
+        'agent-3',
+        'agent-4',
+      ])
     })
   })
 
@@ -109,7 +118,7 @@ describe('AgentRegistryService — agent.online event lifecycle', () => {
       const workerIds = fakes.emits.events
         .filter((e) => e.category === 'worker.online')
         .map((e) => (e.data as Record<string, unknown>).workerId)
-      expect(agentIds.sort()).toEqual(['dev-agent-0', 'dev-agent-1'])
+      expect(agentIds.toSorted()).toEqual(['dev-agent-0', 'dev-agent-1'])
       expect(workerIds).toEqual(['hub/benchmark'])
     })
 
@@ -138,10 +147,14 @@ describe('AgentRegistryService — agent.online event lifecycle', () => {
   describe('resilience: malformed registry shape', () => {
     it('does not throw if broker.registry.getNodeList is missing', () => {
       const emits: CapturedEmits = { events: [] }
-      const fakeEventBus = { emit: (e: SystemEvent) => emits.events.push(e) } as unknown as EventBusService
+      const fakeEventBus = {
+        emit: (e: SystemEvent) => emits.events.push(e),
+      } as unknown as EventBusService
       const fakeMoleculer = {
         broker: { nodeID: 'hub', localBus: new EventEmitter(), registry: {} },
-        setOnAgentRegistered: (_cb: (nodeId: string) => void) => { /* no-op */ },
+        setOnAgentRegistered: (_cb: (nodeId: string) => void) => {
+          /* no-op */
+        },
       } as unknown as MoleculerService
       const svc = new AgentRegistryService(fakeEventBus, fakeMoleculer, {} as CapabilityService)
       expect(() => svc.onModuleInit()).not.toThrow()
@@ -150,10 +163,14 @@ describe('AgentRegistryService — agent.online event lifecycle', () => {
 
     it('does not throw if broker.registry itself is missing', () => {
       const emits: CapturedEmits = { events: [] }
-      const fakeEventBus = { emit: (e: SystemEvent) => emits.events.push(e) } as unknown as EventBusService
+      const fakeEventBus = {
+        emit: (e: SystemEvent) => emits.events.push(e),
+      } as unknown as EventBusService
       const fakeMoleculer = {
         broker: { nodeID: 'hub', localBus: new EventEmitter() },
-        setOnAgentRegistered: (_cb: (nodeId: string) => void) => { /* no-op */ },
+        setOnAgentRegistered: (_cb: (nodeId: string) => void) => {
+          /* no-op */
+        },
       } as unknown as MoleculerService
       const svc = new AgentRegistryService(fakeEventBus, fakeMoleculer, {} as CapabilityService)
       expect(() => svc.onModuleInit()).not.toThrow()

package/src/__tests__/agent-status-page.spec.ts

@@ -61,9 +61,7 @@ describe('renderAgentStatusPage', () => {
   })
 
   it('calculates memory usage', () => {
-    const html = renderAgentStatusPage(
-      makeStatusData({ memoryTotalMB: 16384, memoryFreeMB: 4096 }),
-    )
+    const html = renderAgentStatusPage(makeStatusData({ memoryTotalMB: 16384, memoryFreeMB: 4096 }))
     // 12288 / 16384 = 75%
     expect(html).toContain('12288')
     expect(html).toContain('75%')

package/src/__tests__/auth-session-cookie.test.ts

@@ -1,5 +1,10 @@
 import { describe, it, expect } from 'vitest'
-import { buildSessionCookie, clearSessionCookie, SESSION_COOKIE } from '../auth/session-cookie.js'
+import {
+  buildSessionCookie,
+  clearSessionCookie,
+  SESSION_COOKIE,
+  isEmbedRedirectTarget,
+} from '../auth/session-cookie.js'
 
 describe('session cookie', () => {
   it('buildSessionCookie produces an httpOnly lax cookie carrying the token', () => {
@@ -19,3 +24,25 @@ describe('session cookie', () => {
     expect(c.options.maxAge).toBe(0)
   })
 })
+
+describe('isEmbedRedirectTarget', () => {
+  it('accepts a stream-broker embed path (with query)', () => {
+    expect(isEmbedRedirectTarget('/addon/stream-broker/embed/?mode=grid')).toBe(true)
+    expect(isEmbedRedirectTarget('/addon/stream-broker/embed/?mode=player&devices=7,8')).toBe(true)
+    expect(isEmbedRedirectTarget('/addon/stream-broker/embed/')).toBe(true)
+  })
+
+  it('rejects open redirects (absolute / protocol-relative / backslash)', () => {
+    expect(isEmbedRedirectTarget('https://evil.com/addon/stream-broker/embed/')).toBe(false)
+    expect(isEmbedRedirectTarget('//evil.com')).toBe(false)
+    expect(isEmbedRedirectTarget('/\\evil.com')).toBe(false)
+    expect(isEmbedRedirectTarget('http://x/addon/stream-broker/embed/')).toBe(false)
+  })
+
+  it('rejects non-embed paths and path traversal', () => {
+    expect(isEmbedRedirectTarget('/addon/other/embed/')).toBe(false)
+    expect(isEmbedRedirectTarget('/etc/passwd')).toBe(false)
+    expect(isEmbedRedirectTarget('/addon/stream-broker/embed/../../secret')).toBe(false)
+    expect(isEmbedRedirectTarget('')).toBe(false)
+  })
+})