@m-kopa/launchpad-cli 0.23.0

package/skills/marquee-share/tests/upload.test.ts

@@ -0,0 +1,311 @@
+// Tests for the wrap + upload layer of the Marquee share skill.
+//
+// `shareToMarquee` is the public surface of Task 4: it wraps
+// already-rendered content HTML into the branded template, POSTs the
+// self-contained document to `${resourceUrl}/api/uploads`, and returns
+// the parsed `view_url`.
+//
+// Like the auth `flow.test.ts`, every external dependency is injected:
+//   * `fetcher`       — a fake server standing in for the Marquee API.
+//   * `tokenProvider` — a fake `getValidToken`, so these tests never
+//     touch the real auth layer / browser / session file.
+//
+// What is pinned: the request method + URL, the `Content-Type:
+// text/html` header, the `Authorization: Bearer <token>` header, the
+// body being the WRAPPED branded document (not the raw content), and
+// `view_url` being parsed back out of the JSON response.
+
+import { describe, expect, test, vi } from "vitest";
+import { shareToMarquee, MarqueeUploadError } from "../src/upload/index.js";
+import type { SkillConfig } from "../src/config.js";
+
+const RESOURCE_URL = "https://marquee.launchpad.m-kopa.us";
+const UPLOADS_ENDPOINT = `${RESOURCE_URL}/api/uploads`;
+const FAKE_TOKEN = "fake-access-token-for-tests";
+
+function cfg(): SkillConfig {
+  return { resourceUrl: RESOURCE_URL, sessionPath: "/tmp/unused-session.json" };
+}
+
+interface CapturedRequest {
+  url: string;
+  method: string;
+  headers: Headers;
+  body: string;
+}
+
+/**
+ * A fake Marquee `/api/uploads` server. Captures the request it
+ * received and answers with a configurable response. Defaults to a
+ * 200 with a realistic upload-response body.
+ */
+function makeFakeServer(
+  cap: { request?: CapturedRequest },
+  response?: { status: number; body: unknown },
+): typeof fetch {
+  return vi.fn(
+    async (input: Parameters<typeof fetch>[0], init?: RequestInit) => {
+      // `input` can be a string, a URL, or a Request. `Request` does
+      // not override `toString()` (it would yield "[object Request]"),
+      // so read its `url` property; a URL stringifies correctly.
+      const url =
+        input instanceof Request ? input.url : String(input);
+      cap.request = {
+        url,
+        method: init?.method ?? "GET",
+        headers: new Headers(init?.headers),
+        body: typeof init?.body === "string" ? init.body : "",
+      };
+      if (response) {
+        return new Response(JSON.stringify(response.body), {
+          status: response.status,
+        });
+      }
+      return new Response(
+        JSON.stringify({
+          id: "abc123def456ghi7",
+          view_url: `${RESOURCE_URL}/v/abc123def456ghi7`,
+          owner_sub: "sub-123",
+          created_at: "2026-05-17T00:00:00.000Z",
+          size_bytes: 42,
+          content_sha256: "0".repeat(64),
+        }),
+        { status: 200 },
+      );
+    },
+  ) as unknown as typeof fetch;
+}
+
+/** A fake `getValidToken` — never touches the real auth layer. */
+function fakeTokenProvider(token = FAKE_TOKEN): () => Promise<string> {
+  return vi.fn(async () => token);
+}
+
+describe("shareToMarquee — request shape", () => {
+  test("POSTs to the resource's /api/uploads endpoint", async () => {
+    const cap: { request?: CapturedRequest } = {};
+    await shareToMarquee(
+      { title: "T", contentHtml: "<p>hi</p>" },
+      {
+        config: cfg(),
+        fetcher: makeFakeServer(cap),
+        tokenProvider: fakeTokenProvider(),
+      },
+    );
+    expect(cap.request?.url).toBe(UPLOADS_ENDPOINT);
+    expect(cap.request?.method).toBe("POST");
+  });
+
+  test("sends Content-Type: text/html", async () => {
+    const cap: { request?: CapturedRequest } = {};
+    await shareToMarquee(
+      { title: "T", contentHtml: "<p>hi</p>" },
+      {
+        config: cfg(),
+        fetcher: makeFakeServer(cap),
+        tokenProvider: fakeTokenProvider(),
+      },
+    );
+    expect(cap.request?.headers.get("content-type")).toMatch(/^text\/html/);
+  });
+
+  test("sends Authorization: Bearer <token> from the token provider", async () => {
+    const cap: { request?: CapturedRequest } = {};
+    await shareToMarquee(
+      { title: "T", contentHtml: "<p>hi</p>" },
+      {
+        config: cfg(),
+        fetcher: makeFakeServer(cap),
+        tokenProvider: fakeTokenProvider("a-specific-token-value"),
+      },
+    );
+    expect(cap.request?.headers.get("authorization")).toBe(
+      "Bearer a-specific-token-value",
+    );
+  });
+
+  test("the request body is the WRAPPED branded document, not the raw content", async () => {
+    const cap: { request?: CapturedRequest } = {};
+    await shareToMarquee(
+      { title: "Report", contentHtml: "<p>raw-inner-content</p>" },
+      {
+        config: cfg(),
+        fetcher: makeFakeServer(cap),
+        tokenProvider: fakeTokenProvider(),
+      },
+    );
+    const body = cap.request?.body ?? "";
+    // The branded shell wrapped it.
+    expect(body.startsWith("<!DOCTYPE html>")).toBe(true);
+    // The caller's content is inside the shell.
+    expect(body).toContain("<p>raw-inner-content</p>");
+    // The escaped title made it into the shell.
+    expect(body).toContain("<title>Report</title>");
+  });
+
+  test("respects a custom resourceUrl from config", async () => {
+    const cap: { request?: CapturedRequest } = {};
+    const preview = "https://marquee-preview.example.com";
+    await shareToMarquee(
+      { title: "T", contentHtml: "<p>x</p>" },
+      {
+        config: { resourceUrl: preview, sessionPath: "/tmp/s.json" },
+        fetcher: makeFakeServer(cap),
+        tokenProvider: fakeTokenProvider(),
+      },
+    );
+    expect(cap.request?.url).toBe(`${preview}/api/uploads`);
+  });
+});
+
+describe("shareToMarquee — response parsing", () => {
+  test("returns the parsed view_url from a 200 response", async () => {
+    const cap: { request?: CapturedRequest } = {};
+    const result = await shareToMarquee(
+      { title: "T", contentHtml: "<p>x</p>" },
+      {
+        config: cfg(),
+        fetcher: makeFakeServer(cap, {
+          status: 200,
+          body: {
+            id: "zzz999",
+            view_url: "https://marquee.launchpad.m-kopa.us/v/zzz999",
+          },
+        }),
+        tokenProvider: fakeTokenProvider(),
+      },
+    );
+    expect(result.viewUrl).toBe(
+      "https://marquee.launchpad.m-kopa.us/v/zzz999",
+    );
+  });
+
+  test("returns the id alongside the view_url when present", async () => {
+    const result = await shareToMarquee(
+      { title: "T", contentHtml: "<p>x</p>" },
+      {
+        config: cfg(),
+        fetcher: makeFakeServer(
+          {},
+          {
+            status: 200,
+            body: { id: "the-id-16chars77", view_url: `${RESOURCE_URL}/v/the-id-16chars77` },
+          },
+        ),
+        tokenProvider: fakeTokenProvider(),
+      },
+    );
+    expect(result.id).toBe("the-id-16chars77");
+  });
+});
+
+describe("shareToMarquee — error handling", () => {
+  test("throws MarqueeUploadError on a non-2xx response", async () => {
+    await expect(
+      shareToMarquee(
+        { title: "T", contentHtml: "<p>x</p>" },
+        {
+          config: cfg(),
+          fetcher: makeFakeServer(
+            {},
+            { status: 401, body: { error: "unauthenticated" } },
+          ),
+          tokenProvider: fakeTokenProvider(),
+        },
+      ),
+    ).rejects.toBeInstanceOf(MarqueeUploadError);
+  });
+
+  test("the upload error carries the HTTP status", async () => {
+    await shareToMarquee(
+      { title: "T", contentHtml: "<p>x</p>" },
+      {
+        config: cfg(),
+        fetcher: makeFakeServer(
+          {},
+          { status: 413, body: { error: "payload_too_large" } },
+        ),
+        tokenProvider: fakeTokenProvider(),
+      },
+    ).catch((e: unknown) => {
+      expect(e).toBeInstanceOf(MarqueeUploadError);
+      expect((e as MarqueeUploadError).status).toBe(413);
+    });
+    expect.assertions(2);
+  });
+
+  test("throws MarqueeUploadError when a 200 response lacks view_url", async () => {
+    await expect(
+      shareToMarquee(
+        { title: "T", contentHtml: "<p>x</p>" },
+        {
+          config: cfg(),
+          fetcher: makeFakeServer({}, { status: 200, body: { id: "x" } }),
+          tokenProvider: fakeTokenProvider(),
+        },
+      ),
+    ).rejects.toBeInstanceOf(MarqueeUploadError);
+  });
+
+  test("throws MarqueeUploadError on a non-JSON 200 response", async () => {
+    const fetcher = vi.fn(
+      async () => new Response("not json", { status: 200 }),
+    ) as unknown as typeof fetch;
+    await expect(
+      shareToMarquee(
+        { title: "T", contentHtml: "<p>x</p>" },
+        { config: cfg(), fetcher, tokenProvider: fakeTokenProvider() },
+      ),
+    ).rejects.toBeInstanceOf(MarqueeUploadError);
+  });
+
+  // `JSON.parse` happily yields `null`, an array, or a bare primitive
+  // for valid-but-wrong-shape JSON. Reading `.view_url` off `null`
+  // would throw a raw `TypeError`; these cases must instead surface as
+  // a typed `MarqueeUploadError`.
+  test.each([
+    ["a literal `null` body", null],
+    ["a JSON array body", ["not", "an", "object"]],
+    ["a bare-number body", 42],
+    ["a bare-string body", "ok"],
+  ])(
+    "throws MarqueeUploadError on a 200 response with %s",
+    async (_label, body) => {
+      await expect(
+        shareToMarquee(
+          { title: "T", contentHtml: "<p>x</p>" },
+          {
+            config: cfg(),
+            fetcher: makeFakeServer({}, { status: 200, body }),
+            tokenProvider: fakeTokenProvider(),
+          },
+        ),
+      ).rejects.toBeInstanceOf(MarqueeUploadError);
+    },
+  );
+});
+
+describe("shareToMarquee — token-leak safety", () => {
+  test("a thrown upload error does not embed the bearer token", async () => {
+    const secretToken = "SENTINEL-UPLOAD-TOKEN-deadbeef";
+    let caught: unknown;
+    try {
+      await shareToMarquee(
+        { title: "T", contentHtml: "<p>x</p>" },
+        {
+          config: cfg(),
+          fetcher: makeFakeServer({}, { status: 500, body: { error: "boom" } }),
+          tokenProvider: fakeTokenProvider(secretToken),
+        },
+      );
+    } catch (e) {
+      caught = e;
+    }
+    expect(caught).toBeInstanceOf(MarqueeUploadError);
+    const serialised = `${String(caught)} ${JSON.stringify(
+      caught,
+      Object.getOwnPropertyNames(caught),
+    )}`;
+    expect(serialised).not.toContain(secretToken);
+  });
+});

package/skills/marquee-share/tsconfig.json

@@ -0,0 +1,23 @@
+{
+  "compilerOptions": {
+    "target": "es2022",
+    "module": "esnext",
+    "moduleResolution": "bundler",
+    "strict": true,
+    "noUncheckedIndexedAccess": true,
+    "exactOptionalPropertyTypes": true,
+    "noImplicitOverride": true,
+    "noUnusedLocals": true,
+    "noUnusedParameters": true,
+    "noFallthroughCasesInSwitch": true,
+    "lib": ["es2022"],
+    "types": ["node"],
+    "skipLibCheck": true,
+    "isolatedModules": true,
+    "verbatimModuleSyntax": true,
+    "resolveJsonModule": true,
+    "noEmit": true
+  },
+  "include": ["src/**/*", "tests/**/*"],
+  "exclude": ["node_modules"]
+}

package/skills/marquee-share/vitest.config.ts

@@ -0,0 +1,15 @@
+// vitest.config.ts — plain Node pool.
+//
+// The skill runs as a Node/bun program on a developer's machine. It
+// legitimately uses `node:fs`, `node:http`, `node:crypto`,
+// `node:child_process` — unlike the marquee Pages app (which targets
+// workerd). Vitest's default Node pool is the right harness, scoped
+// to this package's own `tests/` directory only.
+
+import { defineConfig } from "vitest/config";
+
+export default defineConfig({
+  test: {
+    include: ["tests/**/*.test.ts"],
+  },
+});