@harness-fe/runtime 4.0.0-next.4 → 4.0.0-next.5

package/dist/client.js

@@ -123,7 +123,7 @@ export class RuntimeClient {
         this.recorder = new RrwebRecorder((chunk) => this.sendEvent(EVENT_NAME.RRWEB, chunk), { checkoutEveryNms: opts.rrwebCheckoutEveryNms });
     }
     start() {
-        const daemonUrl = this.opts.mcpUrl ?? `ws://127.0.0.1:${DEFAULT_WS_PORT}`;
+        const daemonUrl = this.opts.mcpUrl ?? `ws://127.0.0.1:${DEFAULT_WS_PORT}/ws`;
         this.ctx.capture.install((name, payload) => this.sendEvent(name, payload), { daemonUrl });
         this.recorder.start();
         this.connect();
@@ -134,7 +134,7 @@ export class RuntimeClient {
         this.ws?.close();
     }
     connect() {
-        const url = this.opts.mcpUrl ?? `ws://127.0.0.1:${DEFAULT_WS_PORT}`;
+        const url = this.opts.mcpUrl ?? `ws://127.0.0.1:${DEFAULT_WS_PORT}/ws`;
         try {
             this.ws = new WebSocket(url);
         }

package/dist/dashboardUrl.d.ts

@@ -1,15 +1,12 @@
 /**
- * Convert the runtime's `mcpUrl` (a WebSocket URL the plugin gave us) into
- * the dashboard URL the same daemon serves.
+ * Convert the runtime's `mcpUrl` (the gateway WebSocket URL the plugin gave us)
+ * into the console URL the same gateway serves: `<http>://<host>:<port>/console`,
+ * deep-linking to `/console/sessions/:id` when a sessionId is given.
  *
- * The daemon binds one HTTP+WS port; the dashboard lives at
- * `<http-scheme>://<host>:<port>/dashboard/`. The token, if any, is
- * carried in the query string so the browser is pre-authenticated on
- * first hit (after which mcp-server hands it off to a cookie — see
- * `packages/mcp-server/src/dashboardSpa.ts`).
- *
- * Optionally deep-links into a session's detail page when `sessionId` is
- * provided.
+ * This is a **pure shortcut** — it carries NO token. Opening it is plain
+ * navigation; the console authorizes the viewer on its own (admin sign-in or a
+ * pasted read token). The runtime's token is write-only and must never be used
+ * as a console auth grant, so it's deliberately omitted.
  */
 export interface DashboardUrlInput {
     mcpUrl: string;

package/dist/dashboardUrl.js

@@ -10,11 +10,7 @@ export function deriveDashboardUrl(input) {
     }
     const httpScheme = url.protocol === 'wss:' ? 'https:' : 'http:';
     const path = input.sessionId
-        ? `/dashboard/sessions/${encodeURIComponent(input.sessionId)}`
-        : '/dashboard/';
-    const token = url.searchParams.get('token');
-    const search = token ? `?token=${encodeURIComponent(token)}` : '';
-    // Build manually so we don't leak any extra query/hash from the WS URL
-    // (rare, but be defensive — the agent only ever sees what we hand it).
-    return `${httpScheme}//${url.host}${path}${search}`;
+        ? `/console/sessions/${encodeURIComponent(input.sessionId)}`
+        : '/console';
+    return `${httpScheme}//${url.host}${path}`;
 }

package/dist/version.d.ts

@@ -1 +1 @@
-export declare const VERSION = "4.0.0-next.4";
+export declare const VERSION = "4.0.0-next.5";

package/dist/version.js

@@ -1,3 +1,3 @@
 // AUTO-GENERATED by scripts/gen-version.mjs — do not edit by hand.
 // Sourced from package.json at build time so the runtime reports its real version.
-export const VERSION = '4.0.0-next.4';
+export const VERSION = '4.0.0-next.5';

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@harness-fe/runtime",
-  "version": "4.0.0-next.4",
+  "version": "4.0.0-next.5",
   "description": "Browser-side SDK injected into the dev page. Connects to the MCP server via WebSocket and executes commands.",
   "type": "module",
   "license": "MIT",
@@ -36,7 +36,9 @@
   "devDependencies": {
     "happy-dom": "^20.9.0",
     "typescript": "^5.6.0",
-    "vitest": "^2.1.9"
+    "vitest": "^2.1.9",
+    "@harness-fe/core": "4.0.0-next.5",
+    "@harness-fe/gateway": "4.0.0-next.5"
   },
   "publishConfig": {
     "access": "public"

package/src/client.ts

@@ -190,7 +190,7 @@ export class RuntimeClient {
 
 
     start(): void {
-        const daemonUrl = this.opts.mcpUrl ?? `ws://127.0.0.1:${DEFAULT_WS_PORT}`;
+        const daemonUrl = this.opts.mcpUrl ?? `ws://127.0.0.1:${DEFAULT_WS_PORT}/ws`;
         this.ctx.capture.install(
             (name, payload) => this.sendEvent(name, payload),
             { daemonUrl },
@@ -206,7 +206,7 @@ export class RuntimeClient {
     }
 
     private connect(): void {
-        const url = this.opts.mcpUrl ?? `ws://127.0.0.1:${DEFAULT_WS_PORT}`;
+        const url = this.opts.mcpUrl ?? `ws://127.0.0.1:${DEFAULT_WS_PORT}/ws`;
         try {
             this.ws = new WebSocket(url);
         } catch (err) {

package/src/dashboardUrl.test.ts

@@ -1,55 +1,36 @@
 import { describe, expect, it } from 'vitest';
 import { deriveDashboardUrl } from './dashboardUrl.js';
 
-describe('deriveDashboardUrl', () => {
-    it('swaps ws:// to http:// and points at /dashboard/', () => {
-        expect(deriveDashboardUrl({ mcpUrl: 'ws://127.0.0.1:47729' })).toBe(
-            'http://127.0.0.1:47729/dashboard/',
+describe('deriveDashboardUrl (pure shortcut — no token)', () => {
+    it('swaps ws:// to http:// and points at /console', () => {
+        expect(deriveDashboardUrl({ mcpUrl: 'ws://127.0.0.1:47729/ws' })).toBe(
+            'http://127.0.0.1:47729/console',
         );
     });
 
     it('swaps wss:// to https:// (production / LAN with TLS)', () => {
-        expect(deriveDashboardUrl({ mcpUrl: 'wss://harness.lan:47729' })).toBe(
-            'https://harness.lan:47729/dashboard/',
+        expect(deriveDashboardUrl({ mcpUrl: 'wss://harness.lan:47729/ws' })).toBe(
+            'https://harness.lan:47729/console',
         );
     });
 
-    it('carries the token query through verbatim', () => {
+    it('deep-links to /console/sessions/:id when sessionId is provided', () => {
         expect(
-            deriveDashboardUrl({ mcpUrl: 'ws://127.0.0.1:47729?token=abc' }),
-        ).toBe('http://127.0.0.1:47729/dashboard/?token=abc');
-    });
-
-    it('URL-encodes the token (defensive against weird HARNESS_FE_TOKEN values)', () => {
-        expect(
-            deriveDashboardUrl({ mcpUrl: 'ws://127.0.0.1:47729?token=a%20b%26c' }),
-        ).toBe('http://127.0.0.1:47729/dashboard/?token=a%20b%26c');
-    });
-
-    it('deep-links to /dashboard/sessions/:id when sessionId is provided', () => {
-        expect(
-            deriveDashboardUrl({
-                mcpUrl: 'ws://127.0.0.1:47729?token=abc',
-                sessionId: 'sess-1',
-            }),
-        ).toBe('http://127.0.0.1:47729/dashboard/sessions/sess-1?token=abc');
+            deriveDashboardUrl({ mcpUrl: 'ws://127.0.0.1:47729/ws?token=abc', sessionId: 'sess-1' }),
+        ).toBe('http://127.0.0.1:47729/console/sessions/sess-1');
     });
 
     it('URL-encodes the session id', () => {
         expect(
-            deriveDashboardUrl({
-                mcpUrl: 'ws://127.0.0.1:47729',
-                sessionId: 'a/b c',
-            }),
-        ).toBe('http://127.0.0.1:47729/dashboard/sessions/a%2Fb%20c');
+            deriveDashboardUrl({ mcpUrl: 'ws://127.0.0.1:47729/ws', sessionId: 'a/b c' }),
+        ).toBe('http://127.0.0.1:47729/console/sessions/a%2Fb%20c');
     });
 
-    it('strips other query/hash from the WS URL — only token is forwarded', () => {
-        expect(
-            deriveDashboardUrl({
-                mcpUrl: 'ws://127.0.0.1:47729/?token=abc&other=secret#hash',
-            }),
-        ).toBe('http://127.0.0.1:47729/dashboard/?token=abc');
+    it('never carries the runtime token — it is a navigation shortcut, not an auth grant', () => {
+        const url = deriveDashboardUrl({ mcpUrl: 'ws://127.0.0.1:47729/ws?token=secret&other=x#h', sessionId: 'sess-1' });
+        expect(url).toBe('http://127.0.0.1:47729/console/sessions/sess-1');
+        expect(url).not.toContain('token');
+        expect(url).not.toContain('secret');
     });
 
     it('returns undefined for empty or invalid input', () => {

package/src/dashboardUrl.ts

@@ -1,15 +1,12 @@
 /**
- * Convert the runtime's `mcpUrl` (a WebSocket URL the plugin gave us) into
- * the dashboard URL the same daemon serves.
+ * Convert the runtime's `mcpUrl` (the gateway WebSocket URL the plugin gave us)
+ * into the console URL the same gateway serves: `<http>://<host>:<port>/console`,
+ * deep-linking to `/console/sessions/:id` when a sessionId is given.
  *
- * The daemon binds one HTTP+WS port; the dashboard lives at
- * `<http-scheme>://<host>:<port>/dashboard/`. The token, if any, is
- * carried in the query string so the browser is pre-authenticated on
- * first hit (after which mcp-server hands it off to a cookie — see
- * `packages/mcp-server/src/dashboardSpa.ts`).
- *
- * Optionally deep-links into a session's detail page when `sessionId` is
- * provided.
+ * This is a **pure shortcut** — it carries NO token. Opening it is plain
+ * navigation; the console authorizes the viewer on its own (admin sign-in or a
+ * pasted read token). The runtime's token is write-only and must never be used
+ * as a console auth grant, so it's deliberately omitted.
  */
 export interface DashboardUrlInput {
     mcpUrl: string;
@@ -26,11 +23,7 @@ export function deriveDashboardUrl(input: DashboardUrlInput): string | undefined
     }
     const httpScheme = url.protocol === 'wss:' ? 'https:' : 'http:';
     const path = input.sessionId
-        ? `/dashboard/sessions/${encodeURIComponent(input.sessionId)}`
-        : '/dashboard/';
-    const token = url.searchParams.get('token');
-    const search = token ? `?token=${encodeURIComponent(token)}` : '';
-    // Build manually so we don't leak any extra query/hash from the WS URL
-    // (rare, but be defensive — the agent only ever sees what we hand it).
-    return `${httpScheme}//${url.host}${path}${search}`;
+        ? `/console/sessions/${encodeURIComponent(input.sessionId)}`
+        : '/console';
+    return `${httpScheme}//${url.host}${path}`;
 }

package/src/overlay.test.ts

@@ -220,12 +220,13 @@ describe('installOverlay', () => {
 
     it('shows the "Open dashboard" button only when the client has an mcpUrl', () => {
         setupDom();
-        installOverlay(makeFakeClient({ mcpUrl: 'ws://127.0.0.1:47729?token=demo' }));
+        installOverlay(makeFakeClient({ mcpUrl: 'ws://127.0.0.1:47729/ws?token=demo' }));
         const root = document.getElementById('__harness_fe_overlay__')!.shadowRoot!;
         const btn = root.querySelector('[data-role=open-dashboard]') as HTMLButtonElement;
         expect(btn.style.display).toBe('');
-        expect(btn.title).toContain('http://127.0.0.1:47729/dashboard/sessions/');
-        expect(btn.title).toContain('token=demo');
+        expect(btn.title).toContain('http://127.0.0.1:47729/console/sessions/');
+        // The overlay link is a pure shortcut — it must NOT carry the runtime token.
+        expect(btn.title).not.toContain('token=');
     });
 
     it('hides the "Open dashboard" button when mcpUrl is missing', () => {
@@ -238,7 +239,7 @@ describe('installOverlay', () => {
 
     it('clicking "Open dashboard" calls window.open with the derived URL in a new tab', () => {
         setupDom();
-        installOverlay(makeFakeClient({ mcpUrl: 'wss://harness.lan:8443?token=t' }));
+        installOverlay(makeFakeClient({ mcpUrl: 'wss://harness.lan:8443/ws?token=t' }));
         const root = document.getElementById('__harness_fe_overlay__')!.shadowRoot!;
         const calls: Array<{ url: string; target: string; features: string }> = [];
         (globalThis.window as unknown as { open: typeof window.open }).open = ((
@@ -252,7 +253,7 @@ describe('installOverlay', () => {
         const btn = root.querySelector('[data-role=open-dashboard]') as HTMLButtonElement;
         btn.click();
         expect(calls).toHaveLength(1);
-        expect(calls[0].url).toBe('https://harness.lan:8443/dashboard/sessions/sess-12345-abcdef-9876?token=t');
+        expect(calls[0].url).toBe('https://harness.lan:8443/console/sessions/sess-12345-abcdef-9876');
         expect(calls[0].target).toBe('_blank');
         expect(calls[0].features).toMatch(/noopener/);
     });

package/src/runtimeClient.e2e.test.ts

@@ -24,15 +24,15 @@ vi.mock('rrweb', () => ({
 import { mkdtempSync, rmSync } from 'node:fs';
 import { tmpdir } from 'node:os';
 import { join } from 'node:path';
-import { Bridge } from '../../daemon/src/bridge.js';
-import { JsonlStore } from '../../daemon/src/store/index.js';
+import { InProcessCoreClient, JsonlStore, type StoreEvent } from '@harness-fe/core';
+import { createGateway, Policy, type GatewayHandle } from '@harness-fe/gateway';
 import { RuntimeClient } from './client.js';
 import { getCaptureStore } from './capture.js';
-import type { StoreEvent } from '../../daemon/src/store/index.js';
 import type { NetworkEntry, StorageEntry, WsEntry } from '@harness-fe/protocol';
 
 interface Env {
-    bridge: Bridge;
+    core: InProcessCoreClient;
+    gw: GatewayHandle;
     store: JsonlStore;
     dir: string;
     port: number;
@@ -59,9 +59,12 @@ async function rmDirWithRetry(dir: string, attempts = 5): Promise<void> {
 async function setup(): Promise<Env> {
     const dir = mkdtempSync(join(tmpdir(), 'harness-rt-e2e-'));
     const store = new JsonlStore(dir);
-    const bridge = new Bridge({ port: 0, host: '127.0.0.1', store, taskStore: null, autoPurge: { enabled: false } });
-    await bridge.start();
-    const port = bridge.getBoundPort();
+    // New architecture: an in-process core behind the gateway front door; the
+    // runtime connects to the gateway's /ws (Open policy → local principal).
+    const core = new InProcessCoreClient({ store, taskStore: null, autoPurge: { enabled: false } });
+    await core.start();
+    const gw = createGateway({ coreClient: core, policy: new Policy({ mode: 'open' }) });
+    const port = await gw.listen(0, '127.0.0.1');
     if (!port) throw new Error('no port');
 
     // happy-dom keeps singletons across tests — reset the patch state so this
@@ -70,7 +73,7 @@ async function setup(): Promise<Env> {
 
     const client = new RuntimeClient({
         projectId: 'rt-e2e',
-        mcpUrl: `ws://127.0.0.1:${port}`,
+        mcpUrl: `ws://127.0.0.1:${port}/ws`,
     });
     client.start();
 
@@ -88,7 +91,7 @@ async function setup(): Promise<Env> {
         throw new Error('runtime-client never connected');
     }
 
-    return { bridge, store, dir, port, client, sessionId: client.sessionId };
+    return { core, gw, store, dir, port, client, sessionId: client.sessionId };
 }
 
 beforeEach(async () => {
@@ -98,7 +101,8 @@ beforeEach(async () => {
 afterEach(async () => {
     if (!env) return;
     env.client.stop();
-    await env.bridge.stop();
+    await env.gw.close();
+    await env.core.stop();
     // close() drains the async write queue — must await, else rmSync races
     // file writes and the dir-recursive-rm trips ENOTEMPTY on Linux CI.
     await env.store.close();
@@ -186,7 +190,7 @@ describe('RuntimeClient E2E — patched WebSocket flows to bridge', () => {
         (window as unknown as { WebSocket: typeof WebSocket }).WebSocket = FakeWS as unknown as typeof WebSocket;
         cap.install(
             (name, payload) => e.client.sendEvent(name, payload),
-            { daemonUrl: `ws://127.0.0.1:${e.port}` },
+            { daemonUrl: `ws://127.0.0.1:${e.port}/ws` },
         );
 
         try {
@@ -245,7 +249,7 @@ describe('RuntimeClient E2E — patched fetch initiator round-trip', () => {
         cap.dispose();
         cap.install(
             (name, payload) => e.client.sendEvent(name, payload),
-            { daemonUrl: `ws://127.0.0.1:${e.port}` },
+            { daemonUrl: `ws://127.0.0.1:${e.port}/ws` },
         );
 
         try {

package/src/version.ts

@@ -1,3 +1,3 @@
 // AUTO-GENERATED by scripts/gen-version.mjs — do not edit by hand.
 // Sourced from package.json at build time so the runtime reports its real version.
-export const VERSION = '4.0.0-next.4';
+export const VERSION = '4.0.0-next.5';