@ishlabs/cli 0.26.1 → 0.27.1

package/dist/lib/upload.js

@@ -96,29 +96,30 @@ export async function validateFile(filePath) {
 // Core upload: 3-step backend-mediated flow
 // ---------------------------------------------------------------------------
 /**
- * Upload a local file to Supabase Storage via the backend's signed URL flow.
- * Returns the public content_url for use in iteration details.
+ * Upload raw bytes to Supabase Storage via the backend's signed URL flow.
+ * Returns the public content_url. The bytes-level core shared by file uploads
+ * and HTML image archiving (no temp file needed).
  */
-export async function uploadStudyContent(client, studyId, filePath, opts) {
-    const resolved = resolvePath(filePath);
-    const { size, mime: detectedMime } = await validateFile(filePath);
-    const mime = opts?.mimeTypeOverride || detectedMime;
-    const name = basename(filePath);
+export async function uploadStudyContentBytes(client, studyId, data, mime, name, opts) {
+    const size = data.byteLength;
     const sizeMB = (size / (1024 * 1024)).toFixed(1);
     const log = (msg) => { if (!opts?.quiet)
         process.stderr.write(msg); };
     // Step 1: Request a signed upload URL from the backend
     log(`Uploading ${name} (${sizeMB} MB)...`);
     const uploadResp = await client.post(`/studies/${studyId}/content/upload`, { content_type: mime, file_size_bytes: size }, { timeout: 60_000 });
-    // Step 2: PUT the raw file bytes to the signed URL
-    const fileBuffer = await readFile(resolved);
+    // Step 2: PUT the raw bytes to the signed URL
     const putResp = await fetch(uploadResp.upload_info.signed_upload_url, {
         method: "PUT",
         headers: {
             "Content-Type": mime,
-            "Content-Length": String(fileBuffer.byteLength),
+            "Content-Length": String(size),
         },
-        body: fileBuffer,
+        // Zero-copy view as Uint8Array<ArrayBuffer>: a Node Buffer's generic
+        // ArrayBufferLike (which includes SharedArrayBuffer) is not a valid fetch
+        // BodyInit, but a plain-ArrayBuffer-backed view is. Node buffers are never
+        // SharedArrayBuffer-backed, so the cast is safe.
+        body: new Uint8Array(data.buffer, data.byteOffset, data.byteLength),
         signal: AbortSignal.timeout(300_000), // 5 min timeout for large files
     });
     if (!putResp.ok) {
@@ -133,6 +134,17 @@ export async function uploadStudyContent(client, studyId, filePath, opts) {
     log(" done.\n");
     return uploadResp.content_url;
 }
+/**
+ * Upload a local file to Supabase Storage via the backend's signed URL flow.
+ * Returns the public content_url for use in iteration details.
+ */
+export async function uploadStudyContent(client, studyId, filePath, opts) {
+    const resolved = resolvePath(filePath);
+    const { mime: detectedMime } = await validateFile(filePath);
+    const mime = opts?.mimeTypeOverride || detectedMime;
+    const fileBuffer = await readFile(resolved);
+    return uploadStudyContentBytes(client, studyId, fileBuffer, mime, basename(filePath), { quiet: opts?.quiet });
+}
 // ---------------------------------------------------------------------------
 // High-level resolvers (URL passthrough or upload)
 // ---------------------------------------------------------------------------
@@ -157,6 +169,91 @@ export async function resolveContentUrls(client, studyId, commaSeparated, opts)
     }
     return results;
 }
+// ---------------------------------------------------------------------------
+// HTML image archiving (text modality)
+// ---------------------------------------------------------------------------
+const MAX_ARCHIVED_IMAGE_BYTES = 15 * 1024 * 1024; // 15 MB per image
+const IMAGE_FETCH_TIMEOUT_MS = 15_000;
+/**
+ * Archive every external `<img>` in a text iteration's `content_html` onto the
+ * workspace storage origin, rewriting each `src` to the uploaded URL.
+ *
+ * Why: the render-to-image worker that lets a participant SEE the page
+ * default-denies egress to every origin except workspace storage (SSRF guard).
+ * An `<img>` pointing at the open web is therefore aborted and renders broken.
+ * The frontend's paste pipeline (`cacheHtmlAssets`) already archives images;
+ * this is the CLI-side equivalent so `ish iteration create --content-html`
+ * produces content whose images actually render. It is a focused subset (just
+ * `<img src>` via regex — the CLI has no HTML-parser dependency); inline
+ * `data:` images, relative paths, and non-image responses are left untouched.
+ *
+ * Best-effort: a single image that cannot be fetched/uploaded is left as-is
+ * with a warning rather than failing the whole create.
+ */
+export async function archiveHtmlImages(client, studyId, html, opts) {
+    const log = (msg) => { if (!opts?.quiet)
+        process.stderr.write(msg); };
+    const imgTags = html.match(/<img\b[^>]*>/gi);
+    if (!imgTags)
+        return html;
+    let result = html;
+    let archived = 0;
+    let failed = 0;
+    const seen = new Map(); // original src -> archived url
+    for (const tag of imgTags) {
+        const srcMatch = tag.match(/\bsrc\s*=\s*("([^"]*)"|'([^']*)')/i);
+        if (!srcMatch)
+            continue;
+        const src = srcMatch[2] ?? srcMatch[3] ?? "";
+        // Only archive remote http(s) images; leave data:/blob:/relative as-is.
+        if (!/^https?:\/\//i.test(src))
+            continue;
+        let archivedUrl = seen.get(src);
+        if (archivedUrl === undefined) {
+            try {
+                archivedUrl = await fetchAndUploadImage(client, studyId, src, archived, opts);
+                seen.set(src, archivedUrl);
+                archived += 1;
+            }
+            catch (e) {
+                failed += 1;
+                const reason = e instanceof Error ? e.message : String(e);
+                log(`  ! could not archive image ${src}: ${reason} (it will not render)\n`);
+                continue;
+            }
+        }
+        // Rewrite this tag: point src at the archived URL and drop srcset so the
+        // browser uses the archived src, not an un-archived srcset candidate.
+        let newTag = tag.replace(srcMatch[0], `src="${archivedUrl}"`);
+        newTag = newTag.replace(/\s+srcset\s*=\s*("[^"]*"|'[^']*')/gi, "");
+        if (newTag !== tag)
+            result = result.replace(tag, newTag);
+    }
+    if (archived > 0 || failed > 0) {
+        log(`Archived ${archived} image(s) to workspace storage${failed ? `, ${failed} failed` : ""}.\n`);
+    }
+    return result;
+}
+async function fetchAndUploadImage(client, studyId, url, index, opts) {
+    const resp = await fetch(url, {
+        signal: AbortSignal.timeout(IMAGE_FETCH_TIMEOUT_MS),
+        redirect: "follow",
+    });
+    if (!resp.ok)
+        throw new Error(`HTTP ${resp.status}`);
+    const ctype = (resp.headers.get("content-type") || "").split(";")[0].trim().toLowerCase();
+    if (!ctype.startsWith("image/")) {
+        throw new Error(`not an image (content-type: ${ctype || "unknown"})`);
+    }
+    const bytes = Buffer.from(await resp.arrayBuffer());
+    if (bytes.byteLength === 0)
+        throw new Error("empty response");
+    if (bytes.byteLength > MAX_ARCHIVED_IMAGE_BYTES) {
+        throw new Error(`image too large (${(bytes.byteLength / (1024 * 1024)).toFixed(1)} MB)`);
+    }
+    const ext = ctype.split("/")[1]?.split("+")[0] || "img";
+    return uploadStudyContentBytes(client, studyId, bytes, ctype, `imported-image-${index}.${ext}`, { quiet: opts?.quiet });
+}
 /**
  * Resolve text content. If the value starts with '@', read the file at
  * the path that follows (curl-style convention). Otherwise return as-is.

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@ishlabs/cli",
-  "version": "0.26.1",
+  "version": "0.27.1",
   "description": "The command-line interface for ish",
   "type": "module",
   "bin": {
@@ -47,7 +47,7 @@
     "@sentry/node": "^10.13.0",
     "commander": "^13.0.0",
     "http-proxy": "^1.18.1",
-    "playwright-core": "^1.58.2"
+    "playwright-core": "1.59.1"
   },
   "devDependencies": {
     "@types/http-proxy": "^1.17.17",