@harness-fe/mcp-server 4.0.0-next.2 → 4.0.0-next.3

package/src/dashboardApi.ts

@@ -1,184 +0,0 @@
-/**
- * JSON API surface consumed by `@harness-fe/dashboard-ui` (the React SPA).
- *
- * The shape mirrors what the legacy server-rendered dashboard.ts displayed,
- * but as JSON so the SPA can render it with proper components and live
- * updates. Routes live under `/api/*` to keep them clearly separated from
- * SPA assets (`/dashboard/*`) and the replay viewer (`/replay/*`).
- *
- * Reuses `createReplayExport` from replayCreate.ts for the replay POST —
- * same logic the legacy dashboard's form submission ran through, just
- * returns JSON instead of redirecting.
- *
- * Auth is already enforced by `isAuthorized` in bridge.ts before this
- * handler runs, so we never need to check tokens here.
- */
-
-import type { IncomingMessage, ServerResponse } from 'node:http';
-import type {
-    IStore,
-    ProjectMeta,
-    RecordingChunkSummary,
-    ReplayExportMeta,
-    SessionMeta,
-    SessionSummary,
-    StoreEvent,
-} from './store/types.js';
-import { createReplayExport, type ReplayCreateResult } from './replayCreate.js';
-
-const TIMELINE_DEFAULT_TAIL = 100;
-const SESSIONS_PER_PROJECT = 10;
-
-export interface ProjectListEntry {
-    project: ProjectMeta;
-    recentSessions: SessionMeta[];
-}
-
-export interface SessionDetailResponse {
-    session: SessionMeta;
-    summary: SessionSummary;
-    chunks: RecordingChunkSummary[];
-    timeline: StoreEvent[];
-    exports: ReplayExportMeta[];
-}
-
-export interface ReplayCreateBody {
-    tabId?: string;
-    ts?: number;
-    windowMs?: number;
-    since?: number;
-    until?: number;
-    label?: string;
-}
-
-export function createDashboardApiHandler(
-    store: IStore,
-    getBaseUrl: () => string | undefined,
-    onExportCreated?: (input: { sessionId: string; projectId?: string }) => void,
-): (req: IncomingMessage, res: ServerResponse) => boolean | Promise<boolean> {
-    return async (req, res) => {
-        if (!req.url) return false;
-        const url = new URL(req.url, 'http://localhost');
-        const path = url.pathname;
-        if (!path.startsWith('/api/')) return false;
-        const method = req.method ?? 'GET';
-
-        // GET /api/projects
-        if (method === 'GET' && path === '/api/projects') {
-            const projects = store.listProjects();
-            const entries: ProjectListEntry[] = projects.map((project) => {
-                const recentSessions = store.listSessions({
-                    projectId: project.id,
-                    limit: SESSIONS_PER_PROJECT,
-                });
-                return { project, recentSessions };
-            });
-            sendJson(res, 200, { projects: entries });
-            return true;
-        }
-
-        // GET /api/sessions?projectId=&tabId=&buildId=&limit=
-        if (method === 'GET' && path === '/api/sessions') {
-            const sessions = store.listSessions({
-                projectId: url.searchParams.get('projectId') ?? undefined,
-                tabId: url.searchParams.get('tabId') ?? undefined,
-                buildId: url.searchParams.get('buildId') ?? undefined,
-                limit: parseIntOr(url.searchParams.get('limit'), 50),
-            });
-            sendJson(res, 200, { sessions });
-            return true;
-        }
-
-        // /api/sessions/:id and /api/sessions/:id/replay
-        const sessionMatch = path.match(/^\/api\/sessions\/([^/]+)(\/replay)?$/);
-        if (sessionMatch) {
-            const sessionId = decodeURIComponent(sessionMatch[1]!);
-            const isReplay = !!sessionMatch[2];
-
-            if (isReplay && method === 'POST') {
-                let body: ReplayCreateBody;
-                try {
-                    body = await readJsonBody(req);
-                } catch (err) {
-                    sendJson(res, 400, { error: `invalid JSON body: ${(err as Error).message}` });
-                    return true;
-                }
-                const result: ReplayCreateResult = createReplayExport(store, getBaseUrl(), {
-                    sessionId,
-                    tabId: body.tabId,
-                    ts: body.ts,
-                    windowMs: body.windowMs,
-                    since: body.since,
-                    until: body.until,
-                    label: body.label,
-                });
-                const status = result.error ? 400 : 200;
-                if (!result.error && result.exportId && onExportCreated) {
-                    // Find the session's project so subscribers can filter.
-                    const projectId = store.getSession(sessionId)?.participants[0]?.projectId;
-                    onExportCreated({ sessionId, projectId });
-                }
-                sendJson(res, status, result);
-                return true;
-            }
-
-            if (method === 'GET') {
-                const session = store.getSession(sessionId);
-                if (!session) {
-                    sendJson(res, 404, { error: 'session not found', sessionId });
-                    return true;
-                }
-                const summary = store.summary(sessionId);
-                const chunks = store.listRecordings(sessionId);
-                const tailN = parseIntOr(url.searchParams.get('timeline'), TIMELINE_DEFAULT_TAIL);
-                const timeline = store.tail(sessionId, { n: tailN });
-                // Exports for the session's owning project (filter by sessionId).
-                const projectId = session.participants[0]?.projectId ?? '';
-                const exports = projectId
-                    ? store.listExports(projectId, 50).filter((e) => e.sessionId === sessionId)
-                    : [];
-                const body: SessionDetailResponse = {
-                    session,
-                    summary,
-                    chunks,
-                    timeline,
-                    exports,
-                };
-                sendJson(res, 200, body);
-                return true;
-            }
-        }
-
-        // Any other /api/ path → 404 (consumed so the legacy handler doesn't try).
-        sendJson(res, 404, { error: 'not found', path });
-        return true;
-    };
-}
-
-function sendJson(res: ServerResponse, status: number, body: unknown): void {
-    res.statusCode = status;
-    res.setHeader('content-type', 'application/json; charset=utf-8');
-    res.setHeader('cache-control', 'no-store');
-    res.end(JSON.stringify(body));
-}
-
-async function readJsonBody(req: IncomingMessage): Promise<ReplayCreateBody> {
-    const chunks: Buffer[] = [];
-    let total = 0;
-    const MAX = 1024 * 1024; // 1 MB — replay create bodies are tiny; cap to defend against DoS
-    for await (const chunk of req) {
-        const buf = chunk as Buffer;
-        total += buf.length;
-        if (total > MAX) throw new Error(`request body exceeds ${MAX} bytes`);
-        chunks.push(buf);
-    }
-    if (chunks.length === 0) return {};
-    const text = Buffer.concat(chunks).toString('utf-8');
-    return JSON.parse(text) as ReplayCreateBody;
-}
-
-function parseIntOr(raw: string | null, fallback: number): number {
-    if (raw == null) return fallback;
-    const n = Number.parseInt(raw, 10);
-    return Number.isFinite(n) && n > 0 ? n : fallback;
-}

package/src/dashboardSpa.test.ts

@@ -1,239 +0,0 @@
-/**
- * Tests for the dashboard SPA static handler.
- *
- * These tests don't exercise the React app itself (that lives in
- * `@harness-fe/dashboard-ui`); they verify mcp-server can find the
- * built dist, serves index.html with the right headers, and falls back
- * to index.html for arbitrary client-side routes.
- */
-import { afterEach, describe, expect, it } from 'vitest';
-import { mkdtempSync, rmSync } from 'node:fs';
-import { tmpdir } from 'node:os';
-import { join } from 'node:path';
-import { Bridge } from './bridge.js';
-import { JsonlStore } from './store/index.js';
-
-const tempDirs: string[] = [];
-function mkTmp(): string {
-    const dir = mkdtempSync(join(tmpdir(), 'harness-spa-test-'));
-    tempDirs.push(dir);
-    return dir;
-}
-
-afterEach(async () => {
-    while (tempDirs.length) {
-        const d = tempDirs.pop()!;
-        try { rmSync(d, { recursive: true, force: true }); } catch { /* ignore */ }
-    }
-});
-
-async function bootBridge() {
-    const dir = mkTmp();
-    const store = new JsonlStore(dir);
-    const bridge = new Bridge({ port: 0, host: '127.0.0.1', store, taskStore: null, memoryStore: null });
-    await bridge.start();
-    const port = bridge.getBoundPort();
-    if (!port) throw new Error('no port');
-    return { bridge, store, port };
-}
-
-describe('Dashboard SPA handler — token handoff', () => {
-    async function bootBridgeWithAuth() {
-        const dir = mkTmp();
-        const store = new JsonlStore(dir);
-        const bridge = new Bridge({
-            port: 0,
-            host: '127.0.0.1',
-            store,
-            taskStore: null,
-            memoryStore: null,
-            auth: { token: 'secret-token' },
-        });
-        await bridge.start();
-        const port = bridge.getBoundPort();
-        if (!port) throw new Error('no port');
-        return { bridge, port };
-    }
-
-    it('first /dashboard/?token=… visit sets the cookie and redirects to a clean URL', async () => {
-        const { bridge, port } = await bootBridgeWithAuth();
-        try {
-            const resp = await fetch(
-                `http://127.0.0.1:${port}/dashboard/?token=secret-token`,
-                { redirect: 'manual' },
-            );
-            expect(resp.status).toBe(302);
-            expect(resp.headers.get('location')).toBe('/dashboard/');
-            const cookie = resp.headers.get('set-cookie') ?? '';
-            expect(cookie).toContain('harness_fe_token=secret-token');
-            expect(cookie).toMatch(/Path=\//);
-            expect(cookie).toMatch(/SameSite=Lax/i);
-        } finally {
-            await bridge.stop();
-        }
-    });
-
-    it('subsequent SPA fetch with the cookie alone is authorized', async () => {
-        const { bridge, port } = await bootBridgeWithAuth();
-        try {
-            const denied = await fetch(`http://127.0.0.1:${port}/dashboard/`);
-            expect(denied.status).toBe(401);
-            const ok = await fetch(`http://127.0.0.1:${port}/dashboard/`, {
-                headers: { cookie: 'harness_fe_token=secret-token' },
-            });
-            expect(ok.status).toBe(200);
-        } finally {
-            await bridge.stop();
-        }
-    });
-
-    it('does not loop-redirect when the cookie is already present', async () => {
-        const { bridge, port } = await bootBridgeWithAuth();
-        try {
-            const resp = await fetch(
-                `http://127.0.0.1:${port}/dashboard/?token=secret-token`,
-                {
-                    redirect: 'manual',
-                    headers: { cookie: 'harness_fe_token=secret-token' },
-                },
-            );
-            expect(resp.status).toBe(200);
-        } finally {
-            await bridge.stop();
-        }
-    });
-});
-
-describe('Dashboard SPA handler', () => {
-    it('GET / redirects to /dashboard/ preserving query (legacy root)', async () => {
-        const { bridge, port } = await bootBridge();
-        try {
-            const resp = await fetch(`http://127.0.0.1:${port}/?token=xyz`, { redirect: 'manual' });
-            expect(resp.status).toBe(302);
-            expect(resp.headers.get('location')).toBe('/dashboard/?token=xyz');
-        } finally {
-            await bridge.stop();
-        }
-    });
-
-    it('GET /sessions/:id redirects to /dashboard/sessions/:id (legacy bookmark)', async () => {
-        const { bridge, port } = await bootBridge();
-        try {
-            const resp = await fetch(
-                `http://127.0.0.1:${port}/sessions/abc-123?token=xyz`,
-                { redirect: 'manual' },
-            );
-            expect(resp.status).toBe(302);
-            expect(resp.headers.get('location')).toBe('/dashboard/sessions/abc-123?token=xyz');
-        } finally {
-            await bridge.stop();
-        }
-    });
-
-    it('GET /dashboard?token=… redirects to /dashboard/ and sets the cookie in one hop', async () => {
-        // Now that token handoff fires before the trailing-slash redirect,
-        // a single 302 should both swap the token to a cookie AND add the
-        // canonical trailing slash. This avoids a double-redirect chain.
-        const dir = mkTmp();
-        const store = new JsonlStore(dir);
-        const bridge = new Bridge({
-            port: 0, host: '127.0.0.1', store, taskStore: null, memoryStore: null,
-            auth: { token: 'abc' },
-        });
-        await bridge.start();
-        const port = bridge.getBoundPort();
-        try {
-            const resp = await fetch(`http://127.0.0.1:${port}/dashboard?token=abc`, { redirect: 'manual' });
-            expect(resp.status).toBe(302);
-            expect(resp.headers.get('location')).toBe('/dashboard/');
-            expect(resp.headers.get('set-cookie') ?? '').toContain('harness_fe_token=abc');
-        } finally {
-            await bridge.stop();
-        }
-    });
-
-    it('GET /dashboard (no token, no cookie, auth disabled) still redirects to /dashboard/', async () => {
-        // Backwards-compat: when auth is disabled, /dashboard still gets
-        // canonicalized — preserves the original behavior the test guarded.
-        const { bridge, port } = await bootBridge();
-        try {
-            const resp = await fetch(`http://127.0.0.1:${port}/dashboard`, { redirect: 'manual' });
-            expect(resp.status).toBe(302);
-            expect(resp.headers.get('location')).toBe('/dashboard/');
-        } finally {
-            await bridge.stop();
-        }
-    });
-
-    it('GET /dashboard/ serves index.html as text/html', async () => {
-        const { bridge, port } = await bootBridge();
-        try {
-            const resp = await fetch(`http://127.0.0.1:${port}/dashboard/`);
-            expect(resp.status).toBe(200);
-            const ct = resp.headers.get('content-type') ?? '';
-            expect(ct).toMatch(/text\/html/);
-            const html = await resp.text();
-            expect(html).toContain('<div id="root">');
-        } finally {
-            await bridge.stop();
-        }
-    });
-
-    it('GET /dashboard/sessions/some-id falls back to index.html (SPA routing)', async () => {
-        const { bridge, port } = await bootBridge();
-        try {
-            const resp = await fetch(`http://127.0.0.1:${port}/dashboard/sessions/abc`);
-            expect(resp.status).toBe(200);
-            const ct = resp.headers.get('content-type') ?? '';
-            expect(ct).toMatch(/text\/html/);
-            const html = await resp.text();
-            expect(html).toContain('<div id="root">');
-        } finally {
-            await bridge.stop();
-        }
-    });
-
-    it('GET /dashboard/../etc/passwd is rejected with 403 (path traversal defense)', async () => {
-        const { bridge, port } = await bootBridge();
-        try {
-            // node's fetch resolves `..` on its own before sending, so we need
-            // to construct the URL such that the server still receives the dots.
-            const resp = await fetch(`http://127.0.0.1:${port}/dashboard/%2e%2e/etc/passwd`);
-            // Either the URL is rejected (403) or it falls back to index.html
-            // because the resolved path is inside dist (anything matching the
-            // SPA prefix is safe). Both are acceptable; the failure mode we
-            // care about is "leaks a file outside dist", which would be 200
-            // with non-HTML content.
-            if (resp.status === 200) {
-                const ct = resp.headers.get('content-type') ?? '';
-                expect(ct).toMatch(/text\/html/);
-            } else {
-                expect([403, 404]).toContain(resp.status);
-            }
-        } finally {
-            await bridge.stop();
-        }
-    });
-
-    it('SPA assets carry immutable cache-control; index.html is no-store', async () => {
-        const { bridge, port } = await bootBridge();
-        try {
-            const idx = await fetch(`http://127.0.0.1:${port}/dashboard/`);
-            expect(idx.headers.get('cache-control')).toBe('no-store');
-            // Find a hashed asset by parsing the HTML for a /dashboard/assets/...
-            const html = await idx.text();
-            const m = html.match(/\/dashboard\/(assets\/[^"]+)/);
-            if (!m) {
-                // No hashed assets discovered — skip the cache assertion in
-                // this environment (e.g. a brand-new install where dist hasn't
-                // built). The first assertion is what matters most.
-                return;
-            }
-            const asset = await fetch(`http://127.0.0.1:${port}/dashboard/${m[1]}`);
-            expect(asset.status).toBe(200);
-            expect(asset.headers.get('cache-control') ?? '').toMatch(/immutable/);
-        } finally {
-            await bridge.stop();
-        }
-    });
-});

package/src/dashboardSpa.ts

@@ -1,195 +0,0 @@
-/**
- * HTTP handler that serves the React SPA built by `@harness-fe/dashboard-ui`.
- *
- * Routing rules (after the `isAuthorized` middleware in bridge.ts):
- *   - GET /                          → 302 to /dashboard/?token=<preserved> (legacy root)
- *   - GET /sessions/:id              → 302 to /dashboard/sessions/:id?token=… (legacy bookmarks)
- *   - GET /dashboard                 → 302 to /dashboard/?token=<preserved>
- *   - GET /dashboard/                → serve index.html (SPA shell)
- *   - GET /dashboard/<asset.ext>     → serve that file from dist/ (if it exists)
- *   - GET /dashboard/<other-path>    → serve index.html (SPA client-side routing)
- *
- * The dist directory is resolved at module load via `require.resolve()` on
- * the dashboard-ui package — same trick `replayViewer.ts` uses for
- * rrweb-player. No copy step needed; pnpm workspace symlinks just work in
- * dev, and `pnpm deploy` bundles the dist into the published tarball.
- */
-
-import { createRequire } from 'node:module';
-import { existsSync, readFileSync } from 'node:fs';
-import { dirname, extname, join, resolve as resolvePath } from 'node:path';
-import type { IncomingMessage, ServerResponse } from 'node:http';
-import { DEFAULT_COOKIE_NAME } from './auth.js';
-
-const require = createRequire(import.meta.url);
-
-/**
- * If a request arrived with `?token=` AND no harness_fe_token cookie yet,
- * stamp the cookie and 302 back to the same path without the query.
- *
- * Why this matters: the SPA bundle is loaded by the browser as
- * `<script src="/dashboard/assets/index-XXX.js">` — relative paths without
- * the token query — which would 401 against the upstream auth middleware.
- * Setting the cookie on the first HTML request means every subsequent
- * same-origin fetch (assets, /api/*, WebSocket upgrade) is automatically
- * authenticated, and the visible URL stays clean.
- */
-function maybeHandleTokenHandoff(req: IncomingMessage, res: ServerResponse, url: URL): boolean {
-    const tokenInQuery = url.searchParams.get('token');
-    if (!tokenInQuery) return false;
-    // If the cookie's already set with the same value, nothing to do —
-    // pass through (the browser will follow links without ?token=).
-    const cookies = req.headers.cookie ?? '';
-    if (cookies.includes(`${DEFAULT_COOKIE_NAME}=`)) return false;
-    // Strip token from the URL and 302 back to the canonical path so the
-    // browser bookmarks / shares clean URLs. The cookie carries auth from
-    // here on. Also normalize `/dashboard` → `/dashboard/` in the same hop
-    // so we don't waste a second redirect chasing the trailing slash.
-    url.searchParams.delete('token');
-    const canonicalPath = url.pathname === '/dashboard' ? '/dashboard/' : url.pathname;
-    const remaining = url.searchParams.toString();
-    const clean = `${canonicalPath}${remaining ? '?' + remaining : ''}`;
-    const cookie =
-        `${DEFAULT_COOKIE_NAME}=${encodeURIComponent(tokenInQuery)}; ` +
-        // Path=/ so /api/*, /replay/*, /dashboard/* all see it.
-        // SameSite=Lax keeps the cookie on cross-tab nav.
-        // No HttpOnly: the SPA's WS code may want to surface the token in
-        //   a Bearer header for tools that don't share cookies (rare —
-        //   browsers attach cookies to WS, so this is just defense in depth).
-        // 30-day Max-Age matches the /__auth login flow.
-        `Path=/; SameSite=Lax; Max-Age=2592000`;
-    res.statusCode = 302;
-    res.setHeader('set-cookie', cookie);
-    res.setHeader('location', clean);
-    res.setHeader('cache-control', 'no-store');
-    res.end();
-    return true;
-}
-
-function resolveDashboardDist(): string | undefined {
-    try {
-        const pkgPath = require.resolve('@harness-fe/dashboard-ui/package.json');
-        const dist = join(dirname(pkgPath), 'dist');
-        return existsSync(join(dist, 'index.html')) ? dist : undefined;
-    } catch {
-        return undefined;
-    }
-}
-
-const CONTENT_TYPES: Record<string, string> = {
-    '.html': 'text/html; charset=utf-8',
-    '.js': 'application/javascript; charset=utf-8',
-    '.mjs': 'application/javascript; charset=utf-8',
-    '.css': 'text/css; charset=utf-8',
-    '.json': 'application/json; charset=utf-8',
-    '.svg': 'image/svg+xml',
-    '.png': 'image/png',
-    '.jpg': 'image/jpeg',
-    '.jpeg': 'image/jpeg',
-    '.gif': 'image/gif',
-    '.webp': 'image/webp',
-    '.ico': 'image/x-icon',
-    '.woff': 'font/woff',
-    '.woff2': 'font/woff2',
-    '.txt': 'text/plain; charset=utf-8',
-    '.map': 'application/json; charset=utf-8',
-};
-
-function contentTypeFor(filePath: string): string {
-    return CONTENT_TYPES[extname(filePath).toLowerCase()] ?? 'application/octet-stream';
-}
-
-export function createDashboardSpaHandler(): (
-    req: IncomingMessage,
-    res: ServerResponse,
-) => boolean {
-    const dist = resolveDashboardDist();
-    return (req, res) => {
-        if (!req.url) return false;
-        const url = new URL(req.url, 'http://localhost');
-        const path = url.pathname;
-        const method = req.method ?? 'GET';
-        if (method !== 'GET' && method !== 'HEAD') return false;
-
-        // Legacy paths from the old server-rendered dashboard — redirect into
-        // the SPA preserving the token query so the user stays authenticated.
-        if (path === '/' || path === '/index.html') {
-            res.statusCode = 302;
-            res.setHeader('location', `/dashboard/${url.search ?? ''}`);
-            res.end();
-            return true;
-        }
-        const legacySession = path.match(/^\/sessions\/([^/]+)$/);
-        if (legacySession) {
-            const sid = legacySession[1];
-            res.statusCode = 302;
-            res.setHeader('location', `/dashboard/sessions/${sid}${url.search ?? ''}`);
-            res.end();
-            return true;
-        }
-
-        if (!path.startsWith('/dashboard')) return false;
-
-        // First-load token handoff: ?token=… → cookie + redirect.
-        // Skip for static asset paths; setting the cookie there would still
-        // work but the redirect would break the script tag's request chain.
-        if (!path.startsWith('/dashboard/assets/') && !path.startsWith('/dashboard/static/')) {
-            if (maybeHandleTokenHandoff(req, res, url)) return true;
-        }
-
-        // If dashboard-ui isn't installed (someone using an older deploy
-        // or running tests in isolation), fall through with a friendly
-        // 503 rather than 404 — clearer signal than silent miss.
-        if (!dist) {
-            res.statusCode = 503;
-            res.setHeader('content-type', 'text/plain; charset=utf-8');
-            res.end('Dashboard UI is not bundled with this build.');
-            return true;
-        }
-
-        // /dashboard with no trailing slash → redirect, preserving token.
-        if (path === '/dashboard') {
-            const search = url.search ?? '';
-            res.statusCode = 302;
-            res.setHeader('location', `/dashboard/${search}`);
-            res.end();
-            return true;
-        }
-
-        // Strip the `/dashboard/` prefix to get the relative path inside dist.
-        const rel = path.slice('/dashboard/'.length) || 'index.html';
-
-        // Path traversal defense: resolve against dist and require the
-        // result is still inside dist. Without this, a crafted URL like
-        // `/dashboard/../../etc/passwd` would escape.
-        const candidate = resolvePath(dist, rel);
-        if (!candidate.startsWith(dist + (dist.endsWith('/') ? '' : '/')) && candidate !== dist) {
-            res.statusCode = 403;
-            res.setHeader('content-type', 'text/plain; charset=utf-8');
-            res.end('Forbidden');
-            return true;
-        }
-
-        // Serve the file if it exists; otherwise fall back to index.html
-        // so the SPA's client-side router can take over (this is how /sessions/:id
-        // works without server config).
-        const target = existsSync(candidate) ? candidate : join(dist, 'index.html');
-        try {
-            const body = readFileSync(target);
-            res.statusCode = 200;
-            res.setHeader('content-type', contentTypeFor(target));
-            // Hashed assets are immutable; HTML shells should never cache.
-            const isHashed = /\/assets\/.+-[A-Za-z0-9_-]{6,}\.[a-z0-9]+$/.test(target);
-            res.setHeader(
-                'cache-control',
-                isHashed ? 'public, max-age=31536000, immutable' : 'no-store',
-            );
-            res.end(body);
-        } catch (err) {
-            res.statusCode = 500;
-            res.setHeader('content-type', 'text/plain; charset=utf-8');
-            res.end(`dashboard read error: ${err instanceof Error ? err.message : String(err)}`);
-        }
-        return true;
-    };
-}

package/src/dashboardUrl.test.ts

@@ -1,46 +0,0 @@
-import { describe, expect, it } from 'vitest';
-import { buildDashboardUrl } from './dashboardUrl.js';
-import type { IBridge } from './bridge.js';
-
-function makeBridge(opts: { base?: string; token?: string }): IBridge {
-    return {
-        getViewerBaseUrl: () => opts.base,
-        getAuthToken: () => opts.token,
-    } as unknown as IBridge;
-}
-
-describe('buildDashboardUrl', () => {
-    it('returns the project-list URL with token when both are set', () => {
-        const bridge = makeBridge({ base: 'http://127.0.0.1:47729', token: 'abc' });
-        expect(buildDashboardUrl(bridge)).toBe('http://127.0.0.1:47729/dashboard/?token=abc');
-    });
-
-    it('deep-links into a session detail when sessionId is provided', () => {
-        const bridge = makeBridge({ base: 'http://127.0.0.1:47729', token: 'abc' });
-        expect(buildDashboardUrl(bridge, { sessionId: 'sess-1' })).toBe(
-            'http://127.0.0.1:47729/dashboard/sessions/sess-1?token=abc',
-        );
-    });
-
-    it('URL-encodes the session id', () => {
-        const bridge = makeBridge({ base: 'http://127.0.0.1:47729', token: 'tok' });
-        expect(buildDashboardUrl(bridge, { sessionId: 'a/b c' })).toBe(
-            'http://127.0.0.1:47729/dashboard/sessions/a%2Fb%20c?token=tok',
-        );
-    });
-
-    it('omits the token query when no token is configured', () => {
-        const bridge = makeBridge({ base: 'http://127.0.0.1:47729' });
-        expect(buildDashboardUrl(bridge)).toBe('http://127.0.0.1:47729/dashboard/');
-    });
-
-    it('returns undefined when the bridge has no base URL (no bound port yet)', () => {
-        const bridge = makeBridge({});
-        expect(buildDashboardUrl(bridge)).toBeUndefined();
-    });
-
-    it('URL-encodes the token (defensive against weird characters in HARNESS_FE_TOKEN)', () => {
-        const bridge = makeBridge({ base: 'http://127.0.0.1:47729', token: 'a b&c' });
-        expect(buildDashboardUrl(bridge)).toBe('http://127.0.0.1:47729/dashboard/?token=a%20b%26c');
-    });
-});