@desplega.ai/agent-swarm 1.79.0 → 1.79.2

package/src/tests/pages-authed-mode.test.ts

@@ -197,7 +197,11 @@ describe("GET /p/:id — authed mode cookie gate (step-4)", () => {
     const exp = Math.floor(Date.now() / 1000) + 3600;
     const good = await signPageSession({ pageId: id, exp });
     const [head, sig] = good.split(".");
-    const tamperedSig = `${sig!.slice(0, -1)}${sig!.slice(-1) === "A" ? "B" : "A"}`;
+    // Flip a decoded HMAC byte rather than a base64url char — flipping the
+    // last char is flaky (see src/tests/page-session.test.ts for why).
+    const sigBytes = Buffer.from(sig!, "base64url");
+    sigBytes[0] ^= 0x01;
+    const tamperedSig = sigBytes.toString("base64url").replace(/=/g, "");
     const bad = `${head}.${tamperedSig}`;
     const res = await fetch(`${BASE}/p/${id}`, {
       headers: { Cookie: `page_session=${bad}` },

package/src/tests/pages-public-html.test.ts

@@ -83,7 +83,16 @@ describe("GET /p/:id — HTML public path", () => {
     const res = await fetch(`${BASE}/p/${id}`);
     expect(res.status).toBe(200);
     expect(res.headers.get("content-type")?.toLowerCase()).toContain("text/html");
-    expect(res.headers.get("content-security-policy")).toBeTruthy();
+    const csp = res.headers.get("content-security-policy");
+    expect(csp).toBeTruthy();
+    // jsdelivr + unpkg are allowlisted so pages can <script src="…"> common
+    // viz libs (Chart.js, ApexCharts, D3, …) instead of inlining bundles.
+    const scriptSrc = csp?.split(";").find((d) => d.trim().startsWith("script-src ")) ?? "";
+    expect(scriptSrc).toContain("https://cdn.jsdelivr.net");
+    expect(scriptSrc).toContain("https://unpkg.com");
+    const styleSrc = csp?.split(";").find((d) => d.trim().startsWith("style-src ")) ?? "";
+    expect(styleSrc).toContain("https://cdn.jsdelivr.net");
+    expect(styleSrc).toContain("https://unpkg.com");
     const text = await res.text();
     expect(text).toContain("<h1>Hello</h1>");
     expect(text).toContain("class SwarmSDK"); // BROWSER_SDK_JS sentinel

package/src/tests/pages-view-count.test.ts

@@ -0,0 +1,220 @@
+/**
+ * Verifies the per-page view counter:
+ *   - `view_count` bumps on every 200 from `GET /p/:id` and `GET /p/:id.json`
+ *   - 401/403/404 responses do NOT bump
+ *   - Bumps survive across requests (writes are committed)
+ *   - Counter surfaces on `GET /api/pages` listing and `GET /api/pages/:id`
+ *
+ * No dedup by viewer — that's the explicit design (per Taras: "super simple
+ * counter field, that's it"). If someone wants unique views later, that's a
+ * follow-up.
+ */
+import { afterAll, beforeAll, describe, expect, test } from "bun:test";
+import crypto from "node:crypto";
+import { unlink } from "node:fs/promises";
+import {
+  createServer as createHttpServer,
+  type IncomingMessage,
+  type Server,
+  type ServerResponse,
+} from "node:http";
+import { closeDb, initDb } from "../be/db";
+import { handlePages } from "../http/pages";
+import { handlePagesPublic } from "../http/pages-public";
+import { getPathSegments, parseQueryParams } from "../http/utils";
+
+const TEST_DB_PATH = "./test-pages-view-count.sqlite";
+const TEST_PORT = 13095;
+const BASE = `http://localhost:${TEST_PORT}`;
+
+function createTestServer(): Server {
+  return createHttpServer(async (req: IncomingMessage, res: ServerResponse) => {
+    const pathSegments = getPathSegments(req.url || "");
+    const queryParams = parseQueryParams(req.url || "");
+    const myAgentId = req.headers["x-agent-id"] as string | undefined;
+    if (await handlePagesPublic(req, res, pathSegments, queryParams)) return;
+    if (await handlePages(req, res, pathSegments, queryParams, myAgentId)) return;
+    res.writeHead(404);
+    res.end("not found");
+  });
+}
+
+async function getViewCount(id: string, agentId: string): Promise<number> {
+  const res = await fetch(`${BASE}/api/pages/${id}`, {
+    headers: { "X-Agent-ID": agentId },
+  });
+  expect(res.status).toBe(200);
+  const json = (await res.json()) as { viewCount?: number };
+  return typeof json.viewCount === "number" ? json.viewCount : 0;
+}
+
+describe("Pages — view_count counter", () => {
+  let server: Server;
+  const agentId = crypto.randomUUID();
+  const headers = { "Content-Type": "application/json", "X-Agent-ID": agentId };
+
+  beforeAll(async () => {
+    for (const suffix of ["", "-wal", "-shm"]) {
+      try {
+        await unlink(`${TEST_DB_PATH}${suffix}`);
+      } catch {}
+    }
+    initDb(TEST_DB_PATH);
+    server = createTestServer();
+    await new Promise<void>((resolve) => server.listen(TEST_PORT, () => resolve()));
+  });
+
+  afterAll(async () => {
+    await new Promise<void>((resolve) => server.close(() => resolve()));
+    closeDb();
+    for (const suffix of ["", "-wal", "-shm"]) {
+      try {
+        await unlink(`${TEST_DB_PATH}${suffix}`);
+      } catch {}
+    }
+  });
+
+  test("public HTML page: 3 fetches → view_count = 3", async () => {
+    const post = await fetch(`${BASE}/api/pages`, {
+      method: "POST",
+      headers,
+      body: JSON.stringify({
+        slug: "view-count-html",
+        title: "View Count HTML",
+        contentType: "text/html",
+        authMode: "public",
+        body: "<h1>hi</h1>",
+      }),
+    });
+    expect(post.status).toBe(201);
+    const { id } = (await post.json()) as { id: string };
+
+    expect(await getViewCount(id, agentId)).toBe(0);
+
+    for (let i = 0; i < 3; i++) {
+      const r = await fetch(`${BASE}/p/${id}`);
+      expect(r.status).toBe(200);
+    }
+
+    expect(await getViewCount(id, agentId)).toBe(3);
+  });
+
+  test("/p/:id.json fetches also bump the counter", async () => {
+    const post = await fetch(`${BASE}/api/pages`, {
+      method: "POST",
+      headers,
+      body: JSON.stringify({
+        slug: "view-count-json-path",
+        title: "View Count JSON Path",
+        contentType: "text/html",
+        authMode: "public",
+        body: "<h1>hi</h1>",
+      }),
+    });
+    expect(post.status).toBe(201);
+    const { id } = (await post.json()) as { id: string };
+
+    for (let i = 0; i < 2; i++) {
+      const r = await fetch(`${BASE}/p/${id}.json`);
+      expect(r.status).toBe(200);
+    }
+    // One additional HTML fetch — both paths bump the same counter.
+    expect((await fetch(`${BASE}/p/${id}`)).status).toBe(200);
+    expect(await getViewCount(id, agentId)).toBe(3);
+  });
+
+  test("404 on unknown page id does NOT crash and does not touch any counter", async () => {
+    const bogus = "0".repeat(32);
+    const r = await fetch(`${BASE}/p/${bogus}`);
+    expect(r.status).toBe(404);
+  });
+
+  test("password-protected page: 401 without unlock does NOT bump", async () => {
+    const post = await fetch(`${BASE}/api/pages`, {
+      method: "POST",
+      headers,
+      body: JSON.stringify({
+        slug: "view-count-pw",
+        title: "View Count Password",
+        contentType: "text/html",
+        authMode: "password",
+        password: "letmein",
+        body: "<h1>secret</h1>",
+      }),
+    });
+    expect(post.status).toBe(201);
+    const { id } = (await post.json()) as { id: string };
+
+    // No `?key=`, no Basic header → 401, no counter bump.
+    const r1 = await fetch(`${BASE}/p/${id}`);
+    expect(r1.status).toBe(401);
+    const r2 = await fetch(`${BASE}/p/${id}.json`);
+    expect(r2.status).toBe(401);
+
+    expect(await getViewCount(id, agentId)).toBe(0);
+
+    // After unlocking via ?key= → counter bumps.
+    const ok = await fetch(`${BASE}/p/${id}?key=letmein`);
+    expect(ok.status).toBe(200);
+    expect(await getViewCount(id, agentId)).toBe(1);
+  });
+
+  test("authed page: 401 without cookie does NOT bump", async () => {
+    const post = await fetch(`${BASE}/api/pages`, {
+      method: "POST",
+      headers,
+      body: JSON.stringify({
+        slug: "view-count-authed",
+        title: "View Count Authed",
+        contentType: "text/html",
+        authMode: "authed",
+        body: "<h1>members only</h1>",
+      }),
+    });
+    expect(post.status).toBe(201);
+    const { id } = (await post.json()) as { id: string };
+
+    // No cookie → 401.
+    const r = await fetch(`${BASE}/p/${id}`);
+    expect(r.status).toBe(401);
+    expect(await getViewCount(id, agentId)).toBe(0);
+  });
+
+  test("JSON content-type page: 302→SPA does NOT double-count (only .json bumps)", async () => {
+    const post = await fetch(`${BASE}/api/pages`, {
+      method: "POST",
+      headers,
+      body: JSON.stringify({
+        slug: "view-count-jsonct",
+        title: "JSON Content Page",
+        contentType: "application/json",
+        authMode: "public",
+        body: JSON.stringify({ kind: "spec" }),
+      }),
+    });
+    expect(post.status).toBe(201);
+    const { id } = (await post.json()) as { id: string };
+
+    // /p/:id 302s — should NOT bump.
+    const redir = await fetch(`${BASE}/p/${id}`, { redirect: "manual" });
+    expect(redir.status).toBe(302);
+    expect(await getViewCount(id, agentId)).toBe(0);
+
+    // /p/:id.json bumps.
+    const j = await fetch(`${BASE}/p/${id}.json`);
+    expect(j.status).toBe(200);
+    expect(await getViewCount(id, agentId)).toBe(1);
+  });
+
+  test("listing endpoint exposes viewCount", async () => {
+    const res = await fetch(`${BASE}/api/pages`, {
+      headers: { "X-Agent-ID": agentId },
+    });
+    expect(res.status).toBe(200);
+    const body = (await res.json()) as { pages: Array<{ id: string; viewCount?: number }> };
+    expect(body.pages.length).toBeGreaterThan(0);
+    for (const p of body.pages) {
+      expect(typeof p.viewCount).toBe("number");
+    }
+  });
+});

package/src/tests/swarm-diff.test.ts

@@ -0,0 +1,303 @@
+/**
+ * Smoke tests for the `<swarm-diff>` custom element shipped inside
+ * `SWARM_UI_JS`. Existing browser-side tests in this repo are pure string-
+ * content checks against the SDK constant; we don't have happy-dom or jsdom
+ * in deps. To still verify the element produces sane DOM output, we evaluate
+ * the JS in a hand-rolled stub `window` / `HTMLElement` / `customElements`
+ * scaffold — minimal but enough to assert structural properties (row counts,
+ * anchor ids, severity badges) without dragging in a real DOM lib.
+ */
+import { describe, expect, test } from "bun:test";
+import { SWARM_UI_JS } from "../artifact-sdk/browser-sdk";
+
+const EXAMPLE_HUNK = {
+  hunks: [
+    {
+      old_start: 10,
+      old_lines: 3,
+      new_start: 10,
+      new_lines: 4,
+      lines: [
+        { type: "context", text: "  const x = 1;" },
+        { type: "del", text: "- console.log(x);" },
+        { type: "add", text: "+ logger.info({ x });" },
+        { type: "add", text: "+ return x;" },
+      ],
+      annotations: [{ line: 12, severity: "warn", text: "Avoid raw console.log" }],
+    },
+  ],
+};
+
+type StubInstance = {
+  innerHTML: string;
+  textContent: string;
+  isConnected: boolean;
+  connectedCallback?: () => void;
+  dispatchEvent: (evt: unknown) => boolean;
+};
+
+/**
+ * Build a minimal stub window with just enough surface area to load
+ * SWARM_UI_JS, register the custom element, and exercise the render path.
+ *
+ * Returns both the element constructor and a microtask-flush helper so
+ * callers can simulate the real-browser parse-order race
+ * (`connectedCallback` fires → children get appended → microtask drains).
+ */
+function makeRig(): {
+  Ctor: new () => StubInstance;
+  setText: (el: StubInstance, attrs: Record<string, string>, text: string) => void;
+  flushMicrotasks: () => Promise<void>;
+} {
+  const registry = new Map<string, new () => StubInstance>();
+
+  class StubHTMLElement {
+    innerHTML = "";
+    textContent = "";
+    isConnected = true;
+    _attrs: Record<string, string> = {};
+    getAttribute(name: string): string | null {
+      return this._attrs[name] ?? null;
+    }
+    setAttribute(name: string, value: string): void {
+      this._attrs[name] = value;
+    }
+    connectedCallback?(): void;
+    closest(_selector: string): null {
+      return null;
+    }
+    querySelectorAll(_selector: string): unknown[] {
+      return [];
+    }
+    dispatchEvent(_evt: unknown): boolean {
+      return true;
+    }
+  }
+
+  const customElements = {
+    define(name: string, ctor: new () => StubInstance) {
+      registry.set(name, ctor);
+    },
+    get(name: string) {
+      return registry.get(name);
+    },
+  };
+
+  const win = {
+    customElements,
+    swarmUi: undefined as { renderDiff?: (rootEl: unknown, data: unknown) => void } | undefined,
+    HTMLElement: StubHTMLElement,
+    CustomEvent: class {
+      constructor(
+        public type: string,
+        public init?: { bubbles?: boolean; detail?: unknown },
+      ) {}
+    },
+  };
+
+  // Provide `document` stubs the jump-list path uses.
+  const doc = {
+    querySelectorAll: () => [],
+    addEventListener: () => {},
+    removeEventListener: () => {},
+  };
+
+  // Evaluate SWARM_UI_JS with our stubs in scope. The IIFE inside the
+  // constant captures `window`, `customElements`, `document`, `HTMLElement`,
+  // `CustomEvent`, and `queueMicrotask` — provide each as a free variable.
+  const factory = new Function(
+    "window",
+    "customElements",
+    "document",
+    "HTMLElement",
+    "CustomEvent",
+    "queueMicrotask",
+    "console",
+    `${SWARM_UI_JS}\nreturn window.customElements.get('swarm-diff');`,
+  );
+  const Ctor = factory(
+    win,
+    customElements,
+    doc,
+    StubHTMLElement,
+    win.CustomEvent,
+    queueMicrotask,
+    console,
+  ) as (new () => StubInstance) | undefined;
+  if (!Ctor) throw new Error("custom element did not register");
+
+  return {
+    Ctor,
+    setText(el, attrs, text) {
+      (el as unknown as { _attrs: Record<string, string> })._attrs = attrs;
+      el.textContent = text;
+    },
+    async flushMicrotasks() {
+      // Two yields: one drains the connectedCallback microtask, the next one
+      // drains anything queued by the render path itself.
+      await Promise.resolve();
+      await Promise.resolve();
+    },
+  };
+}
+
+/**
+ * Convenience wrapper for the existing "happy path" tests: build the rig,
+ * pre-set textContent + attrs, fire connectedCallback, flush microtasks,
+ * return innerHTML.
+ */
+async function renderViaStub(text: string, attrs: Record<string, string>): Promise<string> {
+  const rig = makeRig();
+  const el = new rig.Ctor();
+  rig.setText(el, attrs, text);
+  if (typeof el.connectedCallback === "function") el.connectedCallback();
+  await rig.flushMicrotasks();
+  return el.innerHTML;
+}
+
+describe("SWARM_UI_JS", () => {
+  test("is a non-empty string", () => {
+    expect(typeof SWARM_UI_JS).toBe("string");
+    expect(SWARM_UI_JS.length).toBeGreaterThan(500);
+  });
+
+  test("defines swarm-diff + swarm-diff-jumps custom elements", () => {
+    expect(SWARM_UI_JS).toContain("customElements.define('swarm-diff'");
+    expect(SWARM_UI_JS).toContain("customElements.define('swarm-diff-jumps'");
+  });
+
+  test("exposes window.swarmUi.renderDiff as a programmatic entry point", () => {
+    expect(SWARM_UI_JS).toContain("window.swarmUi");
+    expect(SWARM_UI_JS).toContain("renderDiff");
+  });
+});
+
+describe("<swarm-diff> render", () => {
+  test("constructs and renders without throwing on the example input", async () => {
+    const html = await renderViaStub(JSON.stringify(EXAMPLE_HUNK), {
+      file: "src/foo.ts",
+      "base-sha": "abc123",
+      "head-sha": "def456",
+    });
+    expect(html.length).toBeGreaterThan(0);
+  });
+
+  test("renders one <tr> per line in each hunk", async () => {
+    const html = await renderViaStub(JSON.stringify(EXAMPLE_HUNK), { file: "src/foo.ts" });
+    // 4 lines in the example hunk → 4 <tr> rows.
+    const trMatches = html.match(/<tr\b/g) || [];
+    expect(trMatches.length).toBe(4);
+  });
+
+  test("renders file header and SHA range", async () => {
+    const html = await renderViaStub(JSON.stringify(EXAMPLE_HUNK), {
+      file: "src/foo.ts",
+      "base-sha": "abc123",
+      "head-sha": "def456",
+    });
+    expect(html).toContain("src/foo.ts");
+    expect(html).toContain("abc123");
+    expect(html).toContain("def456");
+  });
+
+  test("renders deterministic anchor id per hunk", async () => {
+    const html = await renderViaStub(JSON.stringify(EXAMPLE_HUNK), { file: "src/foo.ts" });
+    expect(html).toContain('id="swarm-diff-src-foo-ts-10"');
+  });
+
+  test("renders severity annotation badge on annotated line", async () => {
+    const html = await renderViaStub(JSON.stringify(EXAMPLE_HUNK), { file: "src/foo.ts" });
+    expect(html).toContain("WARN");
+    expect(html).toContain("Avoid raw console.log");
+  });
+
+  test("handles empty/missing JSON body gracefully (no rows, no throw)", async () => {
+    const html = await renderViaStub("", { file: "empty.ts" });
+    // Should still render an outer container with the file name.
+    expect(html).toContain("empty.ts");
+    // But no <tr> rows.
+    expect(html.match(/<tr\b/g) ?? []).toHaveLength(0);
+  });
+
+  test("escapes user-controlled text content to prevent injection", async () => {
+    const xssHunk = {
+      hunks: [
+        {
+          old_start: 1,
+          old_lines: 1,
+          new_start: 1,
+          new_lines: 1,
+          lines: [{ type: "add", text: "<script>alert('xss')</script>" }],
+          annotations: [],
+        },
+      ],
+    };
+    const html = await renderViaStub(JSON.stringify(xssHunk), { file: "<bad>" });
+    expect(html).not.toContain("<script>alert(");
+    expect(html).toContain("&lt;script&gt;");
+    expect(html).toContain("&lt;bad&gt;");
+  });
+});
+
+describe("<swarm-diff> parse-order regression (Bug #479-1)", () => {
+  // Real browsers fire connectedCallback when the parser sees the opening
+  // tag, BEFORE the JSON text children are parsed. The element MUST defer
+  // its parseHunks/render so it reads textContent AFTER the parser appends
+  // the children. Without the queueMicrotask defer in connectedCallback,
+  // the element renders an empty header and the JSON stays visible as
+  // orphan text — that's the production bug PR #479 shipped initially.
+
+  test("does NOT render synchronously inside connectedCallback (defer required)", () => {
+    const rig = makeRig();
+    const el = new rig.Ctor();
+    // Simulate the real-browser parse order: connectedCallback fires while
+    // textContent is still empty. The element must NOT have rendered yet
+    // — if it does, it's reading textContent too early.
+    rig.setText(el, { file: "src/foo.ts" }, "");
+    if (typeof el.connectedCallback === "function") el.connectedCallback();
+    expect(el.innerHTML).toBe("");
+  });
+
+  test("renders correctly when textContent is appended AFTER connectedCallback but BEFORE microtask drain", async () => {
+    const rig = makeRig();
+    const el = new rig.Ctor();
+    // Parse order: connectedCallback fires with empty textContent, children
+    // get appended, then microtask drains.
+    rig.setText(el, { file: "src/foo.ts" }, "");
+    if (typeof el.connectedCallback === "function") el.connectedCallback();
+    // Parser would now append JSON children. Simulate by setting textContent.
+    el.textContent = JSON.stringify(EXAMPLE_HUNK);
+    await rig.flushMicrotasks();
+    // After the microtask drains, the element must have rendered against
+    // the post-callback textContent.
+    expect(el.innerHTML).toContain("src/foo.ts");
+    expect(el.innerHTML.match(/<tr\b/g) ?? []).toHaveLength(4);
+    expect(el.innerHTML).toContain("WARN");
+  });
+
+  test("re-renders cleanly on reconnection (connectedCallback fires again)", async () => {
+    const rig = makeRig();
+    const el = new rig.Ctor();
+    rig.setText(el, { file: "src/foo.ts" }, JSON.stringify(EXAMPLE_HUNK));
+    if (typeof el.connectedCallback === "function") el.connectedCallback();
+    await rig.flushMicrotasks();
+    const firstRender = el.innerHTML;
+    expect(firstRender).toContain("src/foo.ts");
+    // Re-fire (element was moved or detached + reattached).
+    if (typeof el.connectedCallback === "function") el.connectedCallback();
+    await rig.flushMicrotasks();
+    expect(el.innerHTML).toContain("src/foo.ts");
+    expect(el.innerHTML.match(/<tr\b/g) ?? []).toHaveLength(4);
+  });
+
+  test("aborts render if element disconnected before microtask drains", async () => {
+    const rig = makeRig();
+    const el = new rig.Ctor();
+    rig.setText(el, { file: "src/foo.ts" }, JSON.stringify(EXAMPLE_HUNK));
+    if (typeof el.connectedCallback === "function") el.connectedCallback();
+    // Element gets removed from the DOM before our microtask runs.
+    el.isConnected = false;
+    await rig.flushMicrotasks();
+    expect(el.innerHTML).toBe("");
+  });
+});