@firstpick/pi-package-webui 0.4.0 → 0.4.2

package/tests/http-endpoints-harness.test.mjs

@@ -1,6 +1,6 @@
 import assert from "node:assert/strict";
 import { spawn, spawnSync } from "node:child_process";
-import { chmod, mkdtemp, rm, stat } from "node:fs/promises";
+import { chmod, mkdtemp, rm, stat, writeFile } from "node:fs/promises";
 import { networkInterfaces, tmpdir } from "node:os";
 import path from "node:path";
 import { setTimeout as delay } from "node:timers/promises";
@@ -154,6 +154,47 @@ try {
     assert.equal(gitRemote.status, 200);
     assert.equal(gitRemote.body?.ok, true, "remote endpoint should add origin without pushing");
     assert.equal(gitRemote.body?.data?.remoteUrl, "https://github.com/Firstp1ck/pi-webui-http-harness.git");
+
+    await writeFile(path.join(cwd, "single.txt"), "created\n");
+    const gitAddCreated = await request("127.0.0.1", "/api/git-workflow/add", { method: "POST", body: { tab: tabId } });
+    assert.equal(gitAddCreated.status, 200);
+    assert.equal(gitAddCreated.body?.ok, true, "git add endpoint should stage a new single file");
+    const createdDefault = await request("127.0.0.1", `/api/git-workflow/default-commit-message?tab=${encodeURIComponent(tabId)}`);
+    assert.equal(createdDefault.status, 200);
+    assert.equal(createdDefault.body?.ok, true, "default commit message endpoint should return ok for a staged single file");
+    assert.equal(createdDefault.body?.data?.message, "created single.txt");
+    const createdCommit = await request("127.0.0.1", "/api/git-workflow/commit", { method: "POST", body: { variant: "input", message: createdDefault.body?.data?.message, tab: tabId } });
+    assert.equal(createdCommit.status, 200);
+    assert.equal(createdCommit.body?.ok, true, "input commit endpoint should accept the generated single-file default");
+
+    await writeFile(path.join(cwd, "single.txt"), "updated\n");
+    const gitAddUpdated = await request("127.0.0.1", "/api/git-workflow/add", { method: "POST", body: { tab: tabId } });
+    assert.equal(gitAddUpdated.status, 200);
+    assert.equal(gitAddUpdated.body?.ok, true, "git add endpoint should stage a single-file update");
+    const updatedDefault = await request("127.0.0.1", `/api/git-workflow/default-commit-message?tab=${encodeURIComponent(tabId)}`);
+    assert.equal(updatedDefault.status, 200);
+    assert.equal(updatedDefault.body?.data?.message, "updated single.txt");
+    const updatedCommit = await request("127.0.0.1", "/api/git-workflow/commit", { method: "POST", body: { variant: "input", message: updatedDefault.body?.data?.message, tab: tabId } });
+    assert.equal(updatedCommit.status, 200);
+    assert.equal(updatedCommit.body?.ok, true, "input commit endpoint should accept the update default");
+
+    await rm(path.join(cwd, "single.txt"));
+    const gitAddDeleted = await request("127.0.0.1", "/api/git-workflow/add", { method: "POST", body: { tab: tabId } });
+    assert.equal(gitAddDeleted.status, 200);
+    assert.equal(gitAddDeleted.body?.ok, true, "git add endpoint should stage a single-file deletion");
+    const deletedDefault = await request("127.0.0.1", `/api/git-workflow/default-commit-message?tab=${encodeURIComponent(tabId)}`);
+    assert.equal(deletedDefault.status, 200);
+    assert.equal(deletedDefault.body?.data?.message, "deleted single.txt");
+
+    await writeFile(path.join(cwd, "multi-a.txt"), "a\n");
+    await writeFile(path.join(cwd, "multi-b.txt"), "b\n");
+    const gitAddMultiple = await request("127.0.0.1", "/api/git-workflow/add", { method: "POST", body: { tab: tabId } });
+    assert.equal(gitAddMultiple.status, 200);
+    assert.equal(gitAddMultiple.body?.ok, true, "git add endpoint should stage multiple files");
+    const multipleDefault = await request("127.0.0.1", `/api/git-workflow/default-commit-message?tab=${encodeURIComponent(tabId)}`);
+    assert.equal(multipleDefault.status, 200);
+    assert.equal(multipleDefault.body?.ok, true, "default commit message endpoint should still return ok when no default is available");
+    assert.equal(multipleDefault.body?.data?.message, "", "multiple staged files should not get a default commit message");
   } else {
     console.log("http-endpoints-harness: git not available; skipping git init workflow endpoint checks");
   }
@@ -204,8 +245,15 @@ try {
   assert.equal(traversalDelete.status, 403, "session delete outside the session dir must return 403");
   assert.match(String(traversalDelete.body?.error || ""), /session directory/i);
 
+  const initialAuth = await request("127.0.0.1", "/api/remote-auth");
+  assert.equal(initialAuth.status, 200);
+  assert.equal(initialAuth.body?.data?.auth?.enabled, false, "remote PIN auth should be off by default");
+
   const lan = lanAddress();
   if (lan) {
+    const remoteHealthBeforeAuth = await request(lan, "/api/health");
+    assert.equal(remoteHealthBeforeAuth.status, 200, "LAN clients should connect without a PIN while auth is off");
+
     const remoteDelete = await request(lan, "/api/session-delete", {
       method: "POST",
       body: { sessionPath: path.join(cwd, "outside.jsonl"), confirmed: true, tab: tabId },
@@ -221,7 +269,55 @@ try {
 
     const remoteClose = await request(lan, "/api/network/close", { method: "POST" });
     assert.equal(remoteClose.status, 403, "network close must be localhost-only");
+
+    const enableAuth = await request("127.0.0.1", "/api/remote-auth/settings", { method: "POST", body: { enabled: true } });
+    assert.equal(enableAuth.status, 200, "localhost can enable remote PIN auth");
+    const pin = enableAuth.body?.data?.auth?.pin;
+    assert.match(pin, /^\d{4}$/, "enabling remote auth should generate a 4-digit PIN");
+
+    const remoteHealthWithAuth = await request(lan, "/api/health");
+    assert.equal(remoteHealthWithAuth.status, 401, "unauthenticated LAN clients should be challenged while remote auth is on");
+
+    const wrongPin = pin === "0000" ? "0001" : "0000";
+    const badLogin = await request(lan, "/api/remote-auth", { method: "POST", body: { pin: wrongPin } });
+    assert.equal(badLogin.status, 403, "wrong remote PIN should be rejected");
+
+    const loginResponse = await fetch(`http://${lan}:${port}/api/remote-auth`, {
+      method: "POST",
+      headers: { "content-type": "application/json" },
+      body: JSON.stringify({ pin }),
+      signal: AbortSignal.timeout(5_000),
+    });
+    assert.equal(loginResponse.status, 200, "correct remote PIN should be accepted");
+    const authCookie = loginResponse.headers.get("set-cookie")?.split(";", 1)[0];
+    assert.ok(authCookie, "remote auth login should set an auth cookie");
+
+    const authedHealth = await fetch(`http://${lan}:${port}/api/health`, {
+      headers: { cookie: authCookie },
+      signal: AbortSignal.timeout(5_000),
+    });
+    assert.equal(authedHealth.status, 200, "authenticated LAN client should reach guarded APIs");
+    await authedHealth.json();
+
+    const remoteSettings = await fetch(`http://${lan}:${port}/api/remote-auth/settings`, {
+      method: "POST",
+      headers: { "content-type": "application/json", cookie: authCookie },
+      body: JSON.stringify({ enabled: false }),
+      signal: AbortSignal.timeout(5_000),
+    });
+    assert.equal(remoteSettings.status, 403, "remote clients must not toggle remote PIN auth settings");
+    await remoteSettings.json().catch(() => undefined);
+
+    const disableAuth = await request("127.0.0.1", "/api/remote-auth/settings", { method: "POST", body: { enabled: false } });
+    assert.equal(disableAuth.status, 200, "localhost can disable remote PIN auth");
+    const remoteHealthAfterDisable = await request(lan, "/api/health");
+    assert.equal(remoteHealthAfterDisable.status, 200, "LAN clients should reconnect without a PIN after auth is disabled");
   } else {
+    const enableAuth = await request("127.0.0.1", "/api/remote-auth/settings", { method: "POST", body: { enabled: true } });
+    assert.equal(enableAuth.status, 200, "localhost can enable remote PIN auth");
+    assert.match(enableAuth.body?.data?.auth?.pin, /^\d{4}$/);
+    const disableAuth = await request("127.0.0.1", "/api/remote-auth/settings", { method: "POST", body: { enabled: false } });
+    assert.equal(disableAuth.status, 200, "localhost can disable remote PIN auth");
     console.log("http-endpoints-harness: no LAN address detected; skipping remote-client checks");
   }
 

package/tests/mobile-static.test.mjs

@@ -267,7 +267,7 @@ assert.match(css, /\.composer-publish-menu:hover > \.composer-publish-button\[da
 assert.match(css, /\.composer-publish-menu-panel \{[\s\S]*?display:\s*none;[\s\S]*?flex-direction:\s*column/, "Publish workflow menu should hide when closed and expand like grouped tabs");
 assert.match(css, /\.composer-publish-menu:hover \.composer-publish-menu-panel,[\s\S]*?\.composer-publish-menu:focus-within \.composer-publish-menu-panel,[\s\S]*?\.composer-publish-menu\.open \.composer-publish-menu-panel \{\n\s+display:\s*flex;/, "Publish workflow menu should open on hover, focus, or explicit open state");
 assert.match(css, /\.composer-native-command-button \{[\s\S]*?color:\s*var\(--ctp-mauve\)/, "skills/tools command menu should have a distinct slash-command button style");
-assert.match(css, /\.composer-options-menu-panel \{[\s\S]*?max-height:\s*min\(88vh, 36rem\)/, "Options menu should be tall enough for common commands without scrolling on normal viewports");
+assert.match(css, /\.composer-options-menu-panel \{[\s\S]*?max-height:\s*min\(calc\(var\(--visual-viewport-height, 100dvh\) - 2rem\), 44rem\)/, "Options menu should be tall enough for common commands without scrolling on normal viewports");
 assert.match(css, /\.composer-native-command-menu-item \{[\s\S]*?color:\s*var\(--ctp-mauve\)/, "skills/tools command menu items should be styled separately from publish actions");
 assert.match(css, /\.composer-actions-panel > \.composer-publish-menu[\s\S]*?grid-column: span 1/, "Publish and command menu buttons should fit beside Git workflow in mobile actions");
 assert.match(css, /\.composer-actions-panel[\s\S]*?bottom:\s*calc\(100% \+ 0\.42rem\)/, "mobile composer actions should open as an above-composer sheet");
@@ -399,6 +399,8 @@ assert.match(app, /initializeCustomBackground\(\)\.catch/, "startup should resto
 assert.match(app, /Restart Web UI to load themes/, "frontend should explain when a stale server cannot serve the themes endpoint");
 assert.match(app, /themeSelect\.addEventListener\("change"/, "side-panel theme selector should switch themes immediately");
 assert.match(app, /open \? "Close for network" : "Open to network"/, "network button should toggle from open to close action");
+assert.match(app, /remoteAuthToggle: \$\("#remoteAuthToggle"\)/, "Controls should expose the remote PIN auth toggle");
+assert.match(app, /api\("\/api\/remote-auth\/settings", \{ method: "POST"/, "remote PIN auth toggle should call the settings endpoint");
 assert.match(app, /api\("\/api\/network\/close", \{ method: "POST"/, "network close action should call the close endpoint");
 assert.match(app, /webuiVersionBadge: \$\("#webuiVersionBadge"\)/, "frontend should bind the Control Deck version badge");
 assert.match(app, /webuiDevBadge: \$\("#webuiDevBadge"\)/, "frontend should bind the Control Deck dev badge");
@@ -561,7 +563,10 @@ assert.match(app, /\["skills", "tuiSkillsCommand"\][\s\S]*\["tools", "tuiToolsCo
 assert.match(app, /function setNativeCommandMenuOpen\(open\)/, "frontend should track the skills/tools command menu open state separately from Publish");
 assert.match(app, /nativeSkillsButton\.hidden = !isOptionalFeatureEnabled\("tuiSkillsCommand"\)[\s\S]*nativeToolsButton\.hidden = !isOptionalFeatureEnabled\("tuiToolsCommand"\)/, "skills/tools menu items should be hidden by their optional feature toggles");
 assert.match(app, /function renderCommands\(\)/, "side-panel commands should be re-renderable from current optional feature state");
-assert.match(app, /function installOptionalFeature\(featureId\)/, "optional features should expose an install action");
+assert.match(app, /function installOptionalFeature\(featureId, \{ update = false \} = \{\}\)/, "optional features should expose install and update actions");
+assert.match(app, /api\("\/api\/optional-features"/, "optional feature panel should fetch package install/update status from the backend");
+assert.match(app, /packageStatus\?\.updateAvailable[\s\S]*action\.textContent = "Update…"/, "optional feature package drift should turn the install action into an update action");
+assert.match(app, /optionalFeatureInstallMessages\.set\(featureId[\s\S]*waiting for package-manager output/, "optional feature installs should show running feedback while npm is active");
 assert.match(app, /api\("\/api\/optional-feature-install"/, "optional feature install action should call the backend installer endpoint");
 assert.match(app, /id: "safetyGuard"[\s\S]*?@firstpick\/pi-extension-safety-guard/, "optional features should include the safety guard companion");
 assert.match(app, /id: "tuiSkillsCommand"[\s\S]*?@firstpick\/pi-extension-setup-skills/, "optional features should include the TUI skills command companion");
@@ -858,7 +863,7 @@ assert.match(css, /\.composer-actions-panel > \.composer-publish-menu:hover::aft
 assert.match(css, /\.composer-actions-panel > \.composer-publish-menu \.composer-publish-menu-panel \{[\s\S]*?position:\s*absolute;[\s\S]*?inset:\s*auto auto calc\(100% \+ 0\.38rem\) 0;[\s\S]*?max-height:\s*min\(34dvh, 18rem\);[\s\S]*?overflow:\s*auto;/, "opened mobile Actions dropdown panels should float upward over the Actions controls with their own scrollbar");
 assert.match(css, /\.composer-actions-panel > \.composer-publish-menu \.composer-publish-menu-panel \{[\s\S]*?width:\s*100%;[\s\S]*?min-width:\s*0;[\s\S]*?max-width:\s*100%;/, "mobile Actions dropdown panels should align to the width of their trigger buttons");
 assert.match(css, /\.composer-actions-panel > \.composer-publish-menu \.composer-publish-menu-item \{[\s\S]*?width:\s*100%;[\s\S]*?min-width:\s*0;[\s\S]*?white-space:\s*normal;/, "mobile Actions dropdown option buttons should not keep desktop min-widths that misalign with triggers");
-assert.match(css, /\.composer-actions-panel > \.composer-options-menu \.composer-publish-menu-panel \{[\s\S]*?inset-inline:\s*auto 0;[\s\S]*?max-height:\s*min\(76dvh, 34rem\);/, "mobile Options dropdown should be tall enough to avoid scrolling for the standard option list");
+assert.match(css, /\.composer-actions-panel > \.composer-options-menu \.composer-publish-menu-panel \{[\s\S]*?inset-inline:\s*auto 0;[\s\S]*?max-height:\s*min\(calc\(var\(--visual-viewport-height, 100dvh\) - 2rem\), 44rem\);/, "mobile Options dropdown should be tall enough to avoid scrolling for the standard option list");
 assert.match(app, /function setMobileTabsExpanded\(/, "mobile tab strip should be JS-toggleable");
 assert.match(css, /@media \(max-width: 720px\), \(max-device-width: 720px\), \(pointer: coarse\) and \(hover: none\) \{[\s\S]*?\.terminal-tab-group \{\n\s+display:\s*grid;\n\s+grid-template-columns:\s*minmax\(0, 1fr\) auto;/, "mobile terminal tab groups should use a stable grid row for the tab and close button when expanded");
 assert.match(css, /@media \(max-width: 720px\), \(max-device-width: 720px\), \(pointer: coarse\) and \(hover: none\) \{[\s\S]*?\.terminal-tab-group-menu \{[\s\S]*?grid-column:\s*1 \/ -1;[\s\S]*?margin:\s*0\.34rem 0 0;/, "mobile terminal tab group menus should not add horizontal margins that overflow and distort the tab card");
@@ -956,7 +961,7 @@ assert.match(server, /WEBUI_CONTROLLED_PACKAGES = new Set\(\[WEBUI_PACKAGE, \.\.
 assert.match(server, /const args = \["--mode", "rpc", "--no-extensions", "--no-skills", "--no-prompt-templates", "--no-themes"\]/, "Web UI tabs should disable implicit resource loading before adding curated resource paths");
 assert.match(server, /normalPiResourcePathsForTab[\s\S]*WEBUI_CONTROLLED_PACKAGES\.has\(packageName\)[\s\S]*continue/, "Web UI tab resource resolution should exclude separately installed Web UI feature packages");
 assert.match(server, /startedWebuiResourcePaths\(resourceType\)/, "Web UI tabs should load feature resources from the started Web UI package");
-assert.match(server, /workspacePackageRootForName\(nodeModulesRef\.packageName\)/, "dev Web UI should prefer top-level workspace packages for node_modules manifest entries");
+assert.match(server, /resolveInstalledPackageSubpath\(nodeModulesRef\.packageName, nodeModulesRef\.subpath\)/, "Web UI should prefer workspace/global/package-root installed packages for node_modules manifest entries");
 assert.match(server, /const CODEX_TOKEN_REFRESH_SKEW_MS = 5 \* 60 \* 1000/, "server should refresh Codex OAuth tokens before they expire");
 assert.match(server, /url\.pathname === "\/api\/codex-usage" && req\.method === "GET"/, "server should expose a sanitized Codex usage endpoint");
 assert.match(server, /OPENAI_CODEX_USAGE_ENDPOINT/, "server should query Codex usage from the backend, not the browser");
@@ -1072,12 +1077,16 @@ assert.match(server, /const OPTIONAL_FEATURE_PACKAGES = new Map/, "server should
 assert.match(server, /\["safetyGuard", "@firstpick\/pi-extension-safety-guard"\]/, "server should allow installing the safety guard optional feature");
 assert.match(server, /\["tuiSkillsCommand", "@firstpick\/pi-extension-setup-skills"\]/, "server should allow installing the TUI skills optional feature");
 assert.match(server, /\["tuiToolsCommand", "@firstpick\/pi-extension-tools"\]/, "server should allow installing the TUI tools optional feature");
+assert.match(server, /function optionalFeaturePackageStatus\(featureId\)/, "server should report optional feature package install/update status");
 assert.match(server, /function installOptionalFeaturePackage\(featureId\)/, "server should provide optional feature package installation helper");
 assert.match(server, /PI_WEBUI_OPTIONAL_FEATURE_INSTALL_ROOT/, "optional feature installs should support an explicit package-manager root override");
-assert.match(server, /function configuredAgentNpmRoot\(\)/, "global Web UI launches should install optional feature packages into Pi's agent npm root, not the npm global prefix");
-assert.match(server, /installRootDeclaresPackage\(.*?@firstpick\/pi-package-webui/s, "optional feature installs should only reuse a node_modules parent that declares the Web UI package dependency");
+assert.match(server, /function configuredAgentNpmRoot\(\)/, "global Web UI launches should consider Pi's agent npm root for optional packages");
+assert.match(server, /installRootDeclaresPackage\(.*?@firstpick\/pi-package-webui/s, "optional feature installs should reuse a node_modules parent that declares the Web UI package dependency");
+assert.match(server, /installRootContainsPackage\(.*?@firstpick\/pi-package-webui/s, "global npm Web UI launches should also accept the prefix containing the Web UI package folder");
+assert.match(server, /resolveInstalledPackageSubpath\(nodeModulesRef\.packageName, nodeModulesRef\.subpath\)/, "started Web UI resource resolution should fall back to globally installed sibling optional packages");
 assert.match(server, /if \(webuiDevServer\) return installRoot/, "source-checkout Web UI launches should still use the checkout root for optional feature installs");
-assert.match(server, /Could not determine a safe optional feature install root/, "optional feature installs should fail closed when no declared package root can be found");
+assert.match(server, /Could not determine a safe optional feature install root/, "optional feature installs should fail closed when no safe package root can be found");
+assert.match(server, /url\.pathname === "\/api\/optional-features" && req\.method === "GET"/, "server should expose optional feature package status endpoint");
 assert.match(server, /url\.pathname === "\/api\/optional-feature-install" && req\.method === "POST"/, "server should expose optional feature install endpoint");
 assert.match(server, /requireLocalhostRoute\(req, url\.pathname\)/, "optional feature install endpoint should use shared localhost trust policy");
 assert.match(server, /url\.pathname === "\/api\/skill-file" && req\.method === "GET"[\s\S]*?getSkillFileData/, "server should expose GET /api/skill-file for editable skill content");
@@ -1102,6 +1111,7 @@ assert.match(readme, /Feedback reactions \(`👍`, `👎`, `\?`\) on final assis
 assert.match(readme, /POST \/api\/action-feedback\?tab=<tabId>/, "README should document the action-feedback endpoint");
 assert.match(readme, /`@` file\/path references with live suggestions/, "README should describe @ file/path reference autocomplete");
 assert.match(readme, /GET \/api\/path-suggestions\?tab=<tabId>&query=<path>/, "README should document the path-suggestions endpoint");
+assert.match(readme, /GET \/api\/optional-features/, "README should document optional feature status endpoint");
 assert.match(readme, /POST \/api\/optional-feature-install/, "README should document optional feature install endpoint");
 assert.match(readme, /server-persisted fast picks/, "README should describe server-persisted fast picks");
 assert.match(readme, /browser notifications when a tab needs an extension UI response and an optional side-panel toggle for agent-done notifications/, "README should describe blocked-tab and agent-done notifications");
@@ -1109,10 +1119,11 @@ assert.match(readme, /blocked-tab browser notifications, and optional agent-done
 assert.match(readme, /Side-panel theme picker backed by optional `@firstpick\/pi-themes-bundle` themes when loaded/, "README should describe optional theme selection");
 assert.match(readme, /## Optional companion packages/, "README should document optional Web UI companion packages");
 assert.match(readme, /curates Pi resources from the Web UI package that started the server/, "README should document started-package-based Web UI feature loading");
-assert.match(readme, /separately installed Web UI companion packages are ignored to avoid loading two copies/, "README should document duplicate companion suppression");
+assert.match(readme, /Companion packages installed as global\/npm-prefix siblings/, "README should document global sibling companion discovery");
+assert.match(readme, /avoiding duplicate loads while keeping global `pi-webui` launches working/, "README should document duplicate companion suppression");
 assert.match(readme, /checks loaded Pi capabilities directly through RPC-visible commands and live widget events/, "README should document capability-based startup checks");
-assert.match(readme, /side panel shows each optional feature as enabled, disabled, or install-needed/, "README should document optional feature side-panel controls");
-assert.match(readme, /Installing a missing feature is an explicit, warned action/, "README should document optional feature install warning behavior");
+assert.match(readme, /side panel shows each optional feature as enabled, disabled, installed-but-not-loaded, update-available, or install-needed/, "README should document optional feature side-panel controls");
+assert.match(readme, /Installing or updating a feature is an explicit, warned action with running\/failure feedback/, "README should document optional feature install and update warning behavior");
 assert.match(readme, /\.\/start-webui\.sh --dev --cwd \/path\/to\/project/, "README should document the dev helper launcher");
 assert.match(readme, /sync-pi-package-symlinks\.sh[\s\S]*only one copy is loaded/, "README should document dev companion symlink setup");
 assert.match(startScript, /--dev\)/, "start-webui.sh should accept a --dev flag");

package/tests/session-auth-harness.test.mjs

@@ -132,6 +132,10 @@ try {
     LOCALHOST_ONLY_POST_ROUTES.has("/api/network/close"),
     "closing network access must be localhost-only like opening it",
   );
+  assert.ok(
+    LOCALHOST_ONLY_POST_ROUTES.has("/api/remote-auth/settings"),
+    "remote PIN auth settings must be localhost-only",
+  );
 } finally {
   await rm(tempDir, { recursive: true, force: true });
   await rm(outsideDir, { recursive: true, force: true });