@harness-fe/mcp-server 3.0.1

package/src/dashboardApi.test.ts

@@ -0,0 +1,235 @@
+/**
+ * Tests for the JSON API surface consumed by @harness-fe/dashboard-ui.
+ *
+ * Mirrors the seed setup used by `dashboard.test.ts` so we have parity:
+ * anything the HTML dashboard could show should also be reachable via JSON
+ * once we ship the SPA in PR C.
+ */
+
+import { afterEach, describe, expect, it } from 'vitest';
+import { mkdtempSync, rmSync } from 'node:fs';
+import { tmpdir } from 'node:os';
+import { join } from 'node:path';
+import { Bridge } from './bridge.js';
+import { JsonlStore } from './store/index.js';
+
+const tempDirs: string[] = [];
+function mkTmp(): string {
+    const dir = mkdtempSync(join(tmpdir(), 'harness-dashboard-api-test-'));
+    tempDirs.push(dir);
+    return dir;
+}
+
+afterEach(async () => {
+    while (tempDirs.length) {
+        const d = tempDirs.pop()!;
+        try { rmSync(d, { recursive: true, force: true }); } catch { /* ignore */ }
+    }
+});
+
+async function bootBridge() {
+    const dir = mkTmp();
+    const store = new JsonlStore(dir);
+    const bridge = new Bridge({ port: 0, host: '127.0.0.1', store, taskStore: null, memoryStore: null });
+    await bridge.start();
+    const port = bridge.getBoundPort();
+    if (!port) throw new Error('no port');
+    return { bridge, store, port };
+}
+
+function seed(store: JsonlStore, projectId: string): string {
+    const { randomUUID } = require('node:crypto') as typeof import('node:crypto');
+    const sessionId = randomUUID();
+    store.upsertProject(projectId, { displayName: projectId });
+    store.upsertTab('tab-1', { connectedAt: Date.now(), userAgent: 'test-agent' });
+    store.upsertSession(sessionId, {
+        tabId: 'tab-1',
+        startedAt: Date.now(),
+        url: 'http://localhost:5173/',
+        title: 'Demo',
+        participants: [{ projectId, joinedAt: Date.now() }],
+    });
+    store.appendEvent(sessionId, { ts: 1000, t: 'log', d: { args: ['hello'] } });
+    store.appendEvent(sessionId, { ts: 1100, t: 'err', d: { message: 'boom' } });
+    store.appendRecording(sessionId, {
+        chunkId: 'rrc_a', startTs: 1000, endTs: 2000, eventCount: 3,
+        events: [
+            { type: 4, data: {}, timestamp: 1000 },
+            { type: 2, data: {}, timestamp: 1100 },
+            { type: 3, data: {}, timestamp: 2000 },
+        ],
+    });
+    return sessionId;
+}
+
+describe('Dashboard JSON API', () => {
+    it('GET /api/projects returns project list with recent sessions inline', async () => {
+        const { bridge, store, port } = await bootBridge();
+        try {
+            const sessionId = seed(store, 'my-app');
+            await store.flush();
+            const resp = await fetch(`http://127.0.0.1:${port}/api/projects`);
+            expect(resp.status).toBe(200);
+            expect(resp.headers.get('content-type')).toMatch(/application\/json/);
+            const body = await resp.json() as { projects: Array<{ project: { id: string }; recentSessions: Array<{ id: string }> }> };
+            expect(body.projects).toHaveLength(1);
+            expect(body.projects[0].project.id).toBe('my-app');
+            expect(body.projects[0].recentSessions.map((s) => s.id)).toContain(sessionId);
+        } finally {
+            await bridge.stop();
+        }
+    });
+
+    it('GET /api/projects on empty store returns an empty list (not 500)', async () => {
+        const { bridge, port } = await bootBridge();
+        try {
+            const resp = await fetch(`http://127.0.0.1:${port}/api/projects`);
+            expect(resp.status).toBe(200);
+            const body = await resp.json() as { projects: unknown[] };
+            expect(body.projects).toEqual([]);
+        } finally {
+            await bridge.stop();
+        }
+    });
+
+    it('GET /api/sessions filters by projectId', async () => {
+        const { bridge, store, port } = await bootBridge();
+        try {
+            seed(store, 'project-a');
+            seed(store, 'project-b');
+            await store.flush();
+            const resp = await fetch(`http://127.0.0.1:${port}/api/sessions?projectId=project-a`);
+            expect(resp.status).toBe(200);
+            const body = await resp.json() as { sessions: Array<{ participants: Array<{ projectId: string }> }> };
+            expect(body.sessions.length).toBeGreaterThan(0);
+            for (const s of body.sessions) {
+                expect(s.participants[0].projectId).toBe('project-a');
+            }
+        } finally {
+            await bridge.stop();
+        }
+    });
+
+    it('GET /api/sessions/:id returns session + summary + chunks + timeline + exports', async () => {
+        const { bridge, store, port } = await bootBridge();
+        try {
+            const sessionId = seed(store, 'my-app');
+            await store.flush();
+            const resp = await fetch(`http://127.0.0.1:${port}/api/sessions/${sessionId}`);
+            expect(resp.status).toBe(200);
+            const body = await resp.json() as {
+                session: { id: string };
+                summary: { tabs: string[] };
+                chunks: Array<{ chunkId: string; tabId: string; eventCount: number }>;
+                timeline: Array<{ t: string }>;
+                exports: unknown[];
+            };
+            expect(body.session.id).toBe(sessionId);
+            expect(body.summary.tabs).toContain('tab-1');
+            expect(body.chunks).toHaveLength(1);
+            expect(body.chunks[0].chunkId).toBe('rrc_a');
+            expect(body.chunks[0].eventCount).toBe(3);
+            expect(body.timeline.map((e) => e.t)).toContain('log');
+            expect(body.timeline.map((e) => e.t)).toContain('err');
+            expect(body.exports).toEqual([]);
+        } finally {
+            await bridge.stop();
+        }
+    });
+
+    it('GET /api/sessions/:id returns 404 for unknown id', async () => {
+        const { bridge, port } = await bootBridge();
+        try {
+            const resp = await fetch(`http://127.0.0.1:${port}/api/sessions/no-such-session`);
+            expect(resp.status).toBe(404);
+            const body = await resp.json() as { error: string; sessionId: string };
+            expect(body.error).toMatch(/not found/i);
+            expect(body.sessionId).toBe('no-such-session');
+        } finally {
+            await bridge.stop();
+        }
+    });
+
+    it('POST /api/sessions/:id/replay returns exportId + viewerUrl on success', async () => {
+        const { bridge, store, port } = await bootBridge();
+        try {
+            const sessionId = seed(store, 'my-app');
+            await store.flush();
+            const resp = await fetch(`http://127.0.0.1:${port}/api/sessions/${sessionId}/replay`, {
+                method: 'POST',
+                headers: { 'content-type': 'application/json' },
+                body: JSON.stringify({ since: 1000, until: 3000, tabId: 'tab-1' }),
+            });
+            expect(resp.status).toBe(200);
+            const body = await resp.json() as { exportId?: string; viewerUrl?: string; error?: string };
+            expect(body.error).toBeUndefined();
+            expect(body.exportId).toBeTruthy();
+            // viewerUrl is best-effort (depends on bridge.getViewerBaseUrl()); just assert shape.
+            expect(typeof body.exportId === 'string').toBe(true);
+        } finally {
+            await bridge.stop();
+        }
+    });
+
+    it('POST /api/sessions/:id/replay returns 400 with error message for empty window', async () => {
+        const { bridge, store, port } = await bootBridge();
+        try {
+            const sessionId = seed(store, 'my-app');
+            await store.flush();
+            const resp = await fetch(`http://127.0.0.1:${port}/api/sessions/${sessionId}/replay`, {
+                method: 'POST',
+                headers: { 'content-type': 'application/json' },
+                body: JSON.stringify({ since: 999_999_000, until: 999_999_100 }),
+            });
+            expect(resp.status).toBe(400);
+            const body = await resp.json() as { error: string };
+            expect(body.error).toMatch(/no rrweb chunks|empty|window/i);
+        } finally {
+            await bridge.stop();
+        }
+    });
+
+    it('POST /api/sessions/:id/replay rejects malformed JSON with 400', async () => {
+        const { bridge, store, port } = await bootBridge();
+        try {
+            const sessionId = seed(store, 'my-app');
+            await store.flush();
+            const resp = await fetch(`http://127.0.0.1:${port}/api/sessions/${sessionId}/replay`, {
+                method: 'POST',
+                headers: { 'content-type': 'application/json' },
+                body: 'not json {{{',
+            });
+            expect(resp.status).toBe(400);
+            const body = await resp.json() as { error: string };
+            expect(body.error).toMatch(/invalid JSON/i);
+        } finally {
+            await bridge.stop();
+        }
+    });
+
+    it('non-API root path redirects into the SPA (legacy / no longer serves HTML)', async () => {
+        const { bridge, store, port } = await bootBridge();
+        try {
+            seed(store, 'my-app');
+            await store.flush();
+            const resp = await fetch(`http://127.0.0.1:${port}/?token=abc`, { redirect: 'manual' });
+            expect(resp.status).toBe(302);
+            expect(resp.headers.get('location')).toBe('/dashboard/?token=abc');
+        } finally {
+            await bridge.stop();
+        }
+    });
+
+    it('unknown /api/* paths return 404 JSON (not the HTML 404 page)', async () => {
+        const { bridge, port } = await bootBridge();
+        try {
+            const resp = await fetch(`http://127.0.0.1:${port}/api/bogus/path`);
+            expect(resp.status).toBe(404);
+            expect(resp.headers.get('content-type')).toMatch(/application\/json/);
+            const body = await resp.json() as { error: string };
+            expect(body.error).toBe('not found');
+        } finally {
+            await bridge.stop();
+        }
+    });
+});

package/src/dashboardApi.ts

@@ -0,0 +1,184 @@
+/**
+ * JSON API surface consumed by `@harness-fe/dashboard-ui` (the React SPA).
+ *
+ * The shape mirrors what the legacy server-rendered dashboard.ts displayed,
+ * but as JSON so the SPA can render it with proper components and live
+ * updates. Routes live under `/api/*` to keep them clearly separated from
+ * SPA assets (`/dashboard/*`) and the replay viewer (`/replay/*`).
+ *
+ * Reuses `createReplayExport` from replayCreate.ts for the replay POST —
+ * same logic the legacy dashboard's form submission ran through, just
+ * returns JSON instead of redirecting.
+ *
+ * Auth is already enforced by `isAuthorized` in bridge.ts before this
+ * handler runs, so we never need to check tokens here.
+ */
+
+import type { IncomingMessage, ServerResponse } from 'node:http';
+import type {
+    IStore,
+    ProjectMeta,
+    RecordingChunkSummary,
+    ReplayExportMeta,
+    SessionMeta,
+    SessionSummary,
+    StoreEvent,
+} from './store/types.js';
+import { createReplayExport, type ReplayCreateResult } from './replayCreate.js';
+
+const TIMELINE_DEFAULT_TAIL = 100;
+const SESSIONS_PER_PROJECT = 10;
+
+export interface ProjectListEntry {
+    project: ProjectMeta;
+    recentSessions: SessionMeta[];
+}
+
+export interface SessionDetailResponse {
+    session: SessionMeta;
+    summary: SessionSummary;
+    chunks: RecordingChunkSummary[];
+    timeline: StoreEvent[];
+    exports: ReplayExportMeta[];
+}
+
+export interface ReplayCreateBody {
+    tabId?: string;
+    ts?: number;
+    windowMs?: number;
+    since?: number;
+    until?: number;
+    label?: string;
+}
+
+export function createDashboardApiHandler(
+    store: IStore,
+    getBaseUrl: () => string | undefined,
+    onExportCreated?: (input: { sessionId: string; projectId?: string }) => void,
+): (req: IncomingMessage, res: ServerResponse) => boolean | Promise<boolean> {
+    return async (req, res) => {
+        if (!req.url) return false;
+        const url = new URL(req.url, 'http://localhost');
+        const path = url.pathname;
+        if (!path.startsWith('/api/')) return false;
+        const method = req.method ?? 'GET';
+
+        // GET /api/projects
+        if (method === 'GET' && path === '/api/projects') {
+            const projects = store.listProjects();
+            const entries: ProjectListEntry[] = projects.map((project) => {
+                const recentSessions = store.listSessions({
+                    projectId: project.id,
+                    limit: SESSIONS_PER_PROJECT,
+                });
+                return { project, recentSessions };
+            });
+            sendJson(res, 200, { projects: entries });
+            return true;
+        }
+
+        // GET /api/sessions?projectId=&tabId=&buildId=&limit=
+        if (method === 'GET' && path === '/api/sessions') {
+            const sessions = store.listSessions({
+                projectId: url.searchParams.get('projectId') ?? undefined,
+                tabId: url.searchParams.get('tabId') ?? undefined,
+                buildId: url.searchParams.get('buildId') ?? undefined,
+                limit: parseIntOr(url.searchParams.get('limit'), 50),
+            });
+            sendJson(res, 200, { sessions });
+            return true;
+        }
+
+        // /api/sessions/:id and /api/sessions/:id/replay
+        const sessionMatch = path.match(/^\/api\/sessions\/([^/]+)(\/replay)?$/);
+        if (sessionMatch) {
+            const sessionId = decodeURIComponent(sessionMatch[1]!);
+            const isReplay = !!sessionMatch[2];
+
+            if (isReplay && method === 'POST') {
+                let body: ReplayCreateBody;
+                try {
+                    body = await readJsonBody(req);
+                } catch (err) {
+                    sendJson(res, 400, { error: `invalid JSON body: ${(err as Error).message}` });
+                    return true;
+                }
+                const result: ReplayCreateResult = createReplayExport(store, getBaseUrl(), {
+                    sessionId,
+                    tabId: body.tabId,
+                    ts: body.ts,
+                    windowMs: body.windowMs,
+                    since: body.since,
+                    until: body.until,
+                    label: body.label,
+                });
+                const status = result.error ? 400 : 200;
+                if (!result.error && result.exportId && onExportCreated) {
+                    // Find the session's project so subscribers can filter.
+                    const projectId = store.getSession(sessionId)?.participants[0]?.projectId;
+                    onExportCreated({ sessionId, projectId });
+                }
+                sendJson(res, status, result);
+                return true;
+            }
+
+            if (method === 'GET') {
+                const session = store.getSession(sessionId);
+                if (!session) {
+                    sendJson(res, 404, { error: 'session not found', sessionId });
+                    return true;
+                }
+                const summary = store.summary(sessionId);
+                const chunks = store.listRecordings(sessionId);
+                const tailN = parseIntOr(url.searchParams.get('timeline'), TIMELINE_DEFAULT_TAIL);
+                const timeline = store.tail(sessionId, { n: tailN });
+                // Exports for the session's owning project (filter by sessionId).
+                const projectId = session.participants[0]?.projectId ?? '';
+                const exports = projectId
+                    ? store.listExports(projectId, 50).filter((e) => e.sessionId === sessionId)
+                    : [];
+                const body: SessionDetailResponse = {
+                    session,
+                    summary,
+                    chunks,
+                    timeline,
+                    exports,
+                };
+                sendJson(res, 200, body);
+                return true;
+            }
+        }
+
+        // Any other /api/ path → 404 (consumed so the legacy handler doesn't try).
+        sendJson(res, 404, { error: 'not found', path });
+        return true;
+    };
+}
+
+function sendJson(res: ServerResponse, status: number, body: unknown): void {
+    res.statusCode = status;
+    res.setHeader('content-type', 'application/json; charset=utf-8');
+    res.setHeader('cache-control', 'no-store');
+    res.end(JSON.stringify(body));
+}
+
+async function readJsonBody(req: IncomingMessage): Promise<ReplayCreateBody> {
+    const chunks: Buffer[] = [];
+    let total = 0;
+    const MAX = 1024 * 1024; // 1 MB — replay create bodies are tiny; cap to defend against DoS
+    for await (const chunk of req) {
+        const buf = chunk as Buffer;
+        total += buf.length;
+        if (total > MAX) throw new Error(`request body exceeds ${MAX} bytes`);
+        chunks.push(buf);
+    }
+    if (chunks.length === 0) return {};
+    const text = Buffer.concat(chunks).toString('utf-8');
+    return JSON.parse(text) as ReplayCreateBody;
+}
+
+function parseIntOr(raw: string | null, fallback: number): number {
+    if (raw == null) return fallback;
+    const n = Number.parseInt(raw, 10);
+    return Number.isFinite(n) && n > 0 ? n : fallback;
+}

package/src/dashboardSpa.test.ts

@@ -0,0 +1,239 @@
+/**
+ * Tests for the dashboard SPA static handler.
+ *
+ * These tests don't exercise the React app itself (that lives in
+ * `@harness-fe/dashboard-ui`); they verify mcp-server can find the
+ * built dist, serves index.html with the right headers, and falls back
+ * to index.html for arbitrary client-side routes.
+ */
+import { afterEach, describe, expect, it } from 'vitest';
+import { mkdtempSync, rmSync } from 'node:fs';
+import { tmpdir } from 'node:os';
+import { join } from 'node:path';
+import { Bridge } from './bridge.js';
+import { JsonlStore } from './store/index.js';
+
+const tempDirs: string[] = [];
+function mkTmp(): string {
+    const dir = mkdtempSync(join(tmpdir(), 'harness-spa-test-'));
+    tempDirs.push(dir);
+    return dir;
+}
+
+afterEach(async () => {
+    while (tempDirs.length) {
+        const d = tempDirs.pop()!;
+        try { rmSync(d, { recursive: true, force: true }); } catch { /* ignore */ }
+    }
+});
+
+async function bootBridge() {
+    const dir = mkTmp();
+    const store = new JsonlStore(dir);
+    const bridge = new Bridge({ port: 0, host: '127.0.0.1', store, taskStore: null, memoryStore: null });
+    await bridge.start();
+    const port = bridge.getBoundPort();
+    if (!port) throw new Error('no port');
+    return { bridge, store, port };
+}
+
+describe('Dashboard SPA handler — token handoff', () => {
+    async function bootBridgeWithAuth() {
+        const dir = mkTmp();
+        const store = new JsonlStore(dir);
+        const bridge = new Bridge({
+            port: 0,
+            host: '127.0.0.1',
+            store,
+            taskStore: null,
+            memoryStore: null,
+            auth: { token: 'secret-token' },
+        });
+        await bridge.start();
+        const port = bridge.getBoundPort();
+        if (!port) throw new Error('no port');
+        return { bridge, port };
+    }
+
+    it('first /dashboard/?token=… visit sets the cookie and redirects to a clean URL', async () => {
+        const { bridge, port } = await bootBridgeWithAuth();
+        try {
+            const resp = await fetch(
+                `http://127.0.0.1:${port}/dashboard/?token=secret-token`,
+                { redirect: 'manual' },
+            );
+            expect(resp.status).toBe(302);
+            expect(resp.headers.get('location')).toBe('/dashboard/');
+            const cookie = resp.headers.get('set-cookie') ?? '';
+            expect(cookie).toContain('harness_fe_token=secret-token');
+            expect(cookie).toMatch(/Path=\//);
+            expect(cookie).toMatch(/SameSite=Lax/i);
+        } finally {
+            await bridge.stop();
+        }
+    });
+
+    it('subsequent SPA fetch with the cookie alone is authorized', async () => {
+        const { bridge, port } = await bootBridgeWithAuth();
+        try {
+            const denied = await fetch(`http://127.0.0.1:${port}/dashboard/`);
+            expect(denied.status).toBe(401);
+            const ok = await fetch(`http://127.0.0.1:${port}/dashboard/`, {
+                headers: { cookie: 'harness_fe_token=secret-token' },
+            });
+            expect(ok.status).toBe(200);
+        } finally {
+            await bridge.stop();
+        }
+    });
+
+    it('does not loop-redirect when the cookie is already present', async () => {
+        const { bridge, port } = await bootBridgeWithAuth();
+        try {
+            const resp = await fetch(
+                `http://127.0.0.1:${port}/dashboard/?token=secret-token`,
+                {
+                    redirect: 'manual',
+                    headers: { cookie: 'harness_fe_token=secret-token' },
+                },
+            );
+            expect(resp.status).toBe(200);
+        } finally {
+            await bridge.stop();
+        }
+    });
+});
+
+describe('Dashboard SPA handler', () => {
+    it('GET / redirects to /dashboard/ preserving query (legacy root)', async () => {
+        const { bridge, port } = await bootBridge();
+        try {
+            const resp = await fetch(`http://127.0.0.1:${port}/?token=xyz`, { redirect: 'manual' });
+            expect(resp.status).toBe(302);
+            expect(resp.headers.get('location')).toBe('/dashboard/?token=xyz');
+        } finally {
+            await bridge.stop();
+        }
+    });
+
+    it('GET /sessions/:id redirects to /dashboard/sessions/:id (legacy bookmark)', async () => {
+        const { bridge, port } = await bootBridge();
+        try {
+            const resp = await fetch(
+                `http://127.0.0.1:${port}/sessions/abc-123?token=xyz`,
+                { redirect: 'manual' },
+            );
+            expect(resp.status).toBe(302);
+            expect(resp.headers.get('location')).toBe('/dashboard/sessions/abc-123?token=xyz');
+        } finally {
+            await bridge.stop();
+        }
+    });
+
+    it('GET /dashboard?token=… redirects to /dashboard/ and sets the cookie in one hop', async () => {
+        // Now that token handoff fires before the trailing-slash redirect,
+        // a single 302 should both swap the token to a cookie AND add the
+        // canonical trailing slash. This avoids a double-redirect chain.
+        const dir = mkTmp();
+        const store = new JsonlStore(dir);
+        const bridge = new Bridge({
+            port: 0, host: '127.0.0.1', store, taskStore: null, memoryStore: null,
+            auth: { token: 'abc' },
+        });
+        await bridge.start();
+        const port = bridge.getBoundPort();
+        try {
+            const resp = await fetch(`http://127.0.0.1:${port}/dashboard?token=abc`, { redirect: 'manual' });
+            expect(resp.status).toBe(302);
+            expect(resp.headers.get('location')).toBe('/dashboard/');
+            expect(resp.headers.get('set-cookie') ?? '').toContain('harness_fe_token=abc');
+        } finally {
+            await bridge.stop();
+        }
+    });
+
+    it('GET /dashboard (no token, no cookie, auth disabled) still redirects to /dashboard/', async () => {
+        // Backwards-compat: when auth is disabled, /dashboard still gets
+        // canonicalized — preserves the original behavior the test guarded.
+        const { bridge, port } = await bootBridge();
+        try {
+            const resp = await fetch(`http://127.0.0.1:${port}/dashboard`, { redirect: 'manual' });
+            expect(resp.status).toBe(302);
+            expect(resp.headers.get('location')).toBe('/dashboard/');
+        } finally {
+            await bridge.stop();
+        }
+    });
+
+    it('GET /dashboard/ serves index.html as text/html', async () => {
+        const { bridge, port } = await bootBridge();
+        try {
+            const resp = await fetch(`http://127.0.0.1:${port}/dashboard/`);
+            expect(resp.status).toBe(200);
+            const ct = resp.headers.get('content-type') ?? '';
+            expect(ct).toMatch(/text\/html/);
+            const html = await resp.text();
+            expect(html).toContain('<div id="root">');
+        } finally {
+            await bridge.stop();
+        }
+    });
+
+    it('GET /dashboard/sessions/some-id falls back to index.html (SPA routing)', async () => {
+        const { bridge, port } = await bootBridge();
+        try {
+            const resp = await fetch(`http://127.0.0.1:${port}/dashboard/sessions/abc`);
+            expect(resp.status).toBe(200);
+            const ct = resp.headers.get('content-type') ?? '';
+            expect(ct).toMatch(/text\/html/);
+            const html = await resp.text();
+            expect(html).toContain('<div id="root">');
+        } finally {
+            await bridge.stop();
+        }
+    });
+
+    it('GET /dashboard/../etc/passwd is rejected with 403 (path traversal defense)', async () => {
+        const { bridge, port } = await bootBridge();
+        try {
+            // node's fetch resolves `..` on its own before sending, so we need
+            // to construct the URL such that the server still receives the dots.
+            const resp = await fetch(`http://127.0.0.1:${port}/dashboard/%2e%2e/etc/passwd`);
+            // Either the URL is rejected (403) or it falls back to index.html
+            // because the resolved path is inside dist (anything matching the
+            // SPA prefix is safe). Both are acceptable; the failure mode we
+            // care about is "leaks a file outside dist", which would be 200
+            // with non-HTML content.
+            if (resp.status === 200) {
+                const ct = resp.headers.get('content-type') ?? '';
+                expect(ct).toMatch(/text\/html/);
+            } else {
+                expect([403, 404]).toContain(resp.status);
+            }
+        } finally {
+            await bridge.stop();
+        }
+    });
+
+    it('SPA assets carry immutable cache-control; index.html is no-store', async () => {
+        const { bridge, port } = await bootBridge();
+        try {
+            const idx = await fetch(`http://127.0.0.1:${port}/dashboard/`);
+            expect(idx.headers.get('cache-control')).toBe('no-store');
+            // Find a hashed asset by parsing the HTML for a /dashboard/assets/...
+            const html = await idx.text();
+            const m = html.match(/\/dashboard\/(assets\/[^"]+)/);
+            if (!m) {
+                // No hashed assets discovered — skip the cache assertion in
+                // this environment (e.g. a brand-new install where dist hasn't
+                // built). The first assertion is what matters most.
+                return;
+            }
+            const asset = await fetch(`http://127.0.0.1:${port}/dashboard/${m[1]}`);
+            expect(asset.status).toBe(200);
+            expect(asset.headers.get('cache-control') ?? '').toMatch(/immutable/);
+        } finally {
+            await bridge.stop();
+        }
+    });
+});