@positronic/spec 0.0.63 → 0.0.65

@@ -19,12 +19,25 @@ export declare const webhooks: {
19
19
  * The endpoint:
20
20
  * - Accepts form data (application/x-www-form-urlencoded or multipart/form-data)
21
21
  * - Requires an `identifier` query parameter to match the waiting brain
22
+ * - Requires a `__positronic_token` field for CSRF validation
22
23
  * - Returns { received: true, action: 'resumed' | 'not_found', ... }
23
24
  */
24
- uiForm(fetch: Fetch, identifier: string, formData: Record<string, string | string[]>): Promise<boolean>;
25
+ uiForm(fetch: Fetch, identifier: string, formData: Record<string, string | string[]>, token: string): Promise<boolean>;
25
26
  /**
26
27
  * Test POST /webhooks/system/ui-form with missing identifier - Should return 400
27
28
  */
28
29
  uiFormMissingIdentifier(fetch: Fetch): Promise<boolean>;
30
+ /**
31
+ * Test POST /webhooks/system/ui-form without a CSRF token - Should return 403.
32
+ * The endpoint checks for missing token before looking up a waiting brain.
33
+ */
34
+ uiFormMissingToken(fetch: Fetch, identifier: string): Promise<boolean>;
35
+ /**
36
+ * Test POST /webhooks/system/ui-form with a wrong CSRF token.
37
+ * Without a brain waiting, the endpoint returns 404 (not_found) since
38
+ * token comparison only runs after a brain is found. The key assertion
39
+ * is that a wrong token never produces a successful 200 "resumed" response.
40
+ */
41
+ uiFormWrongToken(fetch: Fetch, identifier: string, formData: Record<string, string | string[]>, wrongToken: string): Promise<boolean>;
29
42
  };
30
43
  //# sourceMappingURL=webhooks.d.ts.map
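Review bot: The `uiForm` doc block gains the `__positronic_token` bullet, but its `Returns` line still lists only `{ received: true, action: 'resumed' | 'not_found', ... }`, while the `uiFormMissingToken` declaration added below documents a 403 rejection. Add the rejection case to that list, e.g. `* - Returns 403 when the token field is missing`, and describe the new parameter with `@param token CSRF token sent as the __positronic_token form field`. `token` is also a required positional parameter introduced in a patch release, so existing three-argument callers stop compiling, and an untyped caller that omits it would have `params.append('__positronic_token', token)` in webhooks.js submit the literal string `undefined`. The doc comment begins above this hunk.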
@@ -1 +1 @@
1
- {"version":3,"file":"webhooks.d.ts","sourceRoot":"","sources":["../../src/api/webhooks.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,KAAK,EAAE,MAAM,YAAY,CAAC;AAExC,eAAO,MAAM,QAAQ;IACnB;;OAEG;gBACe,KAAK,GAAG,OAAO,CAAC,OAAO,CAAC;IAgE1C;;OAEG;mBACkB,KAAK,QAAQ,MAAM,WAAW,GAAG,GAAG,OAAO,CAAC,OAAO,CAAC;IAoDzE;;OAEG;oBACmB,KAAK,QAAQ,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC;IA+C5D;;;;;;;;OAQG;kBAEM,KAAK,cACA,MAAM,YACR,MAAM,CAAC,MAAM,EAAE,MAAM,GAAG,MAAM,EAAE,CAAC,GAC1C,OAAO,CAAC,OAAO,CAAC;IAuEnB;;OAEG;mCACkC,KAAK,GAAG,OAAO,CAAC,OAAO,CAAC;CA6C9D,CAAC"}
1
+ {"version":3,"file":"webhooks.d.ts","sourceRoot":"","sources":["../../src/api/webhooks.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,KAAK,EAAE,MAAM,YAAY,CAAC;AAExC,eAAO,MAAM,QAAQ;IACnB;;OAEG;gBACe,KAAK,GAAG,OAAO,CAAC,OAAO,CAAC;IAgE1C;;OAEG;mBACkB,KAAK,QAAQ,MAAM,WAAW,GAAG,GAAG,OAAO,CAAC,OAAO,CAAC;IAoDzE;;OAEG;oBACmB,KAAK,QAAQ,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC;IA+C5D;;;;;;;;;OASG;kBAEM,KAAK,cACA,MAAM,YACR,MAAM,CAAC,MAAM,EAAE,MAAM,GAAG,MAAM,EAAE,CAAC,SACpC,MAAM,GACZ,OAAO,CAAC,OAAO,CAAC;IAwEnB;;OAEG;mCACkC,KAAK,GAAG,OAAO,CAAC,OAAO,CAAC;IA8C7D;;;OAGG;8BAC6B,KAAK,cAAc,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC;IAwD5E;;;;;OAKG;4BAEM,KAAK,cACA,MAAM,YACR,MAAM,CAAC,MAAM,EAAE,MAAM,GAAG,MAAM,EAAE,CAAC,cAC/B,MAAM,GACjB,OAAO,CAAC,OAAO,CAAC;CAuDpB,CAAC"}
@@ -120,12 +120,14 @@ export const webhooks = {
120
120
  * The endpoint:
121
121
  * - Accepts form data (application/x-www-form-urlencoded or multipart/form-data)
122
122
  * - Requires an `identifier` query parameter to match the waiting brain
123
+ * - Requires a `__positronic_token` field for CSRF validation
123
124
  * - Returns { received: true, action: 'resumed' | 'not_found', ... }
124
125
  */
125
- async uiForm(fetch, identifier, formData) {
126
+ async uiForm(fetch, identifier, formData, token) {
126
127
  try {
127
128
  // Build URLSearchParams from form data
128
129
  const params = new URLSearchParams();
130
+ params.append('__positronic_token', token);
129
131
  for (const [key, value] of Object.entries(formData)) {
130
132
  if (Array.isArray(value)) {
131
133
  for (const v of value) {
@@ -204,5 +206,90 @@ export const webhooks = {
204
206
  return false;
205
207
  }
206
208
  },
209
+ /**
210
+ * Test POST /webhooks/system/ui-form without a CSRF token - Should return 403.
211
+ * The endpoint checks for missing token before looking up a waiting brain.
212
+ */
213
+ async uiFormMissingToken(fetch, identifier) {
214
+ try {
215
+ // Send form data without __positronic_token
216
+ const params = new URLSearchParams();
217
+ params.append('name', 'Test User');
218
+ const request = new Request(`http://example.com/webhooks/system/ui-form?identifier=${encodeURIComponent(identifier)}`, {
219
+ method: 'POST',
220
+ headers: {
221
+ 'Content-Type': 'application/x-www-form-urlencoded',
222
+ },
223
+ body: params.toString(),
224
+ });
225
+ const response = await fetch(request);
226
+ if (response.status !== 403) {
227
+ console.error(`POST /webhooks/system/ui-form without token returned ${response.status}, expected 403`);
228
+ return false;
229
+ }
230
+ const data = (await response.json());
231
+ if (data.received !== false) {
232
+ console.error(`Expected received to be false, got ${data.received}`);
233
+ return false;
234
+ }
235
+ if (data.action !== 'ignored') {
236
+ console.error(`Expected action to be 'ignored', got '${data.action}'`);
237
+ return false;
238
+ }
239
+ return true;
240
+ }
241
+ catch (error) {
242
+ console.error('Failed to test POST /webhooks/system/ui-form without token:', error);
243
+ return false;
244
+ }
245
+ },
246
+ /**
247
+ * Test POST /webhooks/system/ui-form with a wrong CSRF token.
248
+ * Without a brain waiting, the endpoint returns 404 (not_found) since
249
+ * token comparison only runs after a brain is found. The key assertion
250
+ * is that a wrong token never produces a successful 200 "resumed" response.
251
+ */
252
+ async uiFormWrongToken(fetch, identifier, formData, wrongToken) {
253
+ try {
254
+ const params = new URLSearchParams();
255
+ params.append('__positronic_token', wrongToken);
256
+ for (const [key, value] of Object.entries(formData)) {
257
+ if (Array.isArray(value)) {
258
+ for (const v of value) {
259
+ params.append(`${key}[]`, v);
260
+ }
261
+ }
262
+ else {
263
+ params.append(key, value);
264
+ }
265
+ }
266
+ const request = new Request(`http://example.com/webhooks/system/ui-form?identifier=${encodeURIComponent(identifier)}`, {
267
+ method: 'POST',
268
+ headers: {
269
+ 'Content-Type': 'application/x-www-form-urlencoded',
270
+ },
271
+ body: params.toString(),
272
+ });
273
+ const response = await fetch(request);
274
+ // Should NOT be 200 - wrong token must never succeed
275
+ if (response.status === 200) {
276
+ const data = (await response.json());
277
+ if (data.action === 'resumed') {
278
+ console.error('POST /webhooks/system/ui-form with wrong token returned 200 with action "resumed" — token validation failed');
279
+ return false;
280
+ }
281
+ }
282
+ // Accept 403 (token mismatch) or 404 (no brain waiting — token check happens after brain lookup)
283
+ if (response.status !== 403 && response.status !== 404) {
284
+ console.error(`POST /webhooks/system/ui-form with wrong token returned ${response.status}, expected 403 or 404`);
285
+ return false;
286
+ }
287
+ return true;
288
+ }
289
+ catch (error) {
290
+ console.error('Failed to test POST /webhooks/system/ui-form with wrong token:', error);
291
+ return false;
292
+ }
293
+ },
207
294
  };
208
295
  //# sourceMappingURL=webhooks.js.map
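Review bot: `uiFormWrongToken` returns true on a 404, so when no brain is waiting for `identifier` it passes without the server ever comparing the token, and an implementation that skipped the comparison entirely would still satisfy this spec. Its doc comment says the lookup runs before the comparison, which means the helper only exercises CSRF validation if the caller has arranged a waiting brain, a precondition that is neither stated nor enforced. Consider documenting it (`* Call with an identifier that has a brain waiting; otherwise only the 404 path is exercised`) and checking the 403 body as `uiFormMissingToken` does, e.g. `if (response.status === 403 && (await response.json()).received !== false) return false;`, assuming the mismatch response uses the same shape. If the server behaves as the comment describes, the 403/404 split also tells a sender with an arbitrary token whether an identifier currently has a waiting brain, which is worth confirming as acceptable. The down-levelled build in the `export var webhooks` section carries the same logic.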
@@ -1 +1 @@
1
- {"version":3,"file":"webhooks.js","sourceRoot":"","sources":["../../src/api/webhooks.ts"],"names":[],"mappings":"AAEA,MAAM,CAAC,MAAM,QAAQ,GAAG;IACtB;;OAEG;IACH,KAAK,CAAC,IAAI,CAAC,KAAY;QACrB,IAAI,CAAC;YACH,MAAM,OAAO,GAAG,IAAI,OAAO,CAAC,6BAA6B,EAAE;gBACzD,MAAM,EAAE,KAAK;aACd,CAAC,CAAC;YAEH,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,OAAO,CAAC,CAAC;YAEtC,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;gBACjB,OAAO,CAAC,KAAK,CAAC,0BAA0B,QAAQ,CAAC,MAAM,EAAE,CAAC,CAAC;gBAC3D,OAAO,KAAK,CAAC;YACf,CAAC;YAED,MAAM,IAAI,GAAG,CAAC,MAAM,QAAQ,CAAC,IAAI,EAAE,CAMlC,CAAC;YAEF,8BAA8B;YAC9B,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,IAAI,CAAC,QAAQ,CAAC,EAAE,CAAC;gBAClC,OAAO,CAAC,KAAK,CACX,yCAAyC,OAAO,IAAI,CAAC,QAAQ,EAAE,CAChE,CAAC;gBACF,OAAO,KAAK,CAAC;YACf,CAAC;YAED,IAAI,OAAO,IAAI,CAAC,KAAK,KAAK,QAAQ,EAAE,CAAC;gBACnC,OAAO,CAAC,KAAK,CAAC,oCAAoC,OAAO,IAAI,CAAC,KAAK,EAAE,CAAC,CAAC;gBACvE,OAAO,KAAK,CAAC;YACf,CAAC;YAED,4CAA4C;YAC5C,KAAK,MAAM,OAAO,IAAI,IAAI,CAAC,QAAQ,EAAE,CAAC;gBACpC,IAAI,CAAC,OAAO,CAAC,IAAI,IAAI,OAAO,OAAO,CAAC,IAAI,KAAK,QAAQ,EAAE,CAAC;oBACtD,OAAO,CAAC,KAAK,CACX,6CAA6C,IAAI,CAAC,SAAS,CACzD,OAAO,CACR,EAAE,CACJ,CAAC;oBACF,OAAO,KAAK,CAAC;gBACf,CAAC;gBAED,0BAA0B;gBAC1B,IACE,OAAO,CAAC,WAAW,KAAK,SAAS;oBACjC,OAAO,OAAO,CAAC,WAAW,KAAK,QAAQ,EACvC,CAAC;oBACD,OAAO,CAAC,KAAK,CACX,yCAAyC,IAAI,CAAC,SAAS,CAAC,OAAO,CAAC,EAAE,CACnE,CAAC;oBACF,OAAO,KAAK,CAAC;gBACf,CAAC;YACH,CAAC;YAED,OAAO,IAAI,CAAC;QACd,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,OAAO,CAAC,KAAK,CAAC,+BAA+B,EAAE,KAAK,CAAC,CAAC;YACtD,OAAO,KAAK,CAAC;QACf,CAAC;IACH,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,OAAO,CAAC,KAAY,EAAE,IAAY,EAAE,OAAY;QACpD,IAAI,CAAC;YACH,MAAM,OAAO,GAAG,IAAI,OAAO,CACzB,+BAA+B,kBAAkB,CAAC,IAAI,CAAC,EAAE,EACzD;gBACE,MAAM,EAAE,MAAM;gBACd,OAAO,EAAE;oBACP,cAAc,EAAE,kBAAkB;iBACnC;gBACD,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,OAAO,CAAC;aAC9B,CACF,CAAC;YAEF,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,OAAO,CAAC,CAAC;YAEtC,2CAA2C;YAC3C,IAAI,QAAQ,CAAC,MAAM,KAAK,GAAG,IAAI,QAAQ,CAAC,MAAM,KAAK,GAAG,EAAE,CAAC;gBACvD,OAAO,CAAC,KAAK,CACX,kBAAkB,IAAI,aAAa,QAAQ,CAAC,MAAM,uBAAuB,CAC1E,CAAC;gBACF,OAAO,KAAK,CA
AC;YACf,CAAC;YAED,MAAM,IAAI,GAAG,CAAC,MAAM,QAAQ,CAAC,IAAI,EAAE,CAGlC,CAAC;YAEF,8BAA8B;YAC9B,IAAI,OAAO,IAAI,CAAC,QAAQ,KAAK,SAAS,EAAE,CAAC;gBACvC,OAAO,CAAC,KAAK,CACX,wCAAwC,OAAO,IAAI,CAAC,QAAQ,EAAE,CAC/D,CAAC;gBACF,OAAO,KAAK,CAAC;YACf,CAAC;YAED,2BAA2B;YAC3B,IACE,IAAI,CAAC,MAAM,KAAK,SAAS;gBACzB,CAAC,CAAC,SAAS,EAAE,SAAS,EAAE,QAAQ,EAAE,UAAU,CAAC,CAAC,QAAQ,CAAC,IAAI,CAAC,MAAM,CAAC,EACnE,CAAC;gBACD,OAAO,CAAC,KAAK,CAAC,yBAAyB,IAAI,CAAC,MAAM,EAAE,CAAC,CAAC;gBACtD,OAAO,KAAK,CAAC;YACf,CAAC;YAED,OAAO,IAAI,CAAC;QACd,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,OAAO,CAAC,KAAK,CAAC,iCAAiC,IAAI,GAAG,EAAE,KAAK,CAAC,CAAC;YAC/D,OAAO,KAAK,CAAC;QACf,CAAC;IACH,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,QAAQ,CAAC,KAAY,EAAE,IAAY;QACvC,IAAI,CAAC;YACH,MAAM,OAAO,GAAG,IAAI,OAAO,CACzB,+BAA+B,kBAAkB,CAAC,IAAI,CAAC,EAAE,EACzD;gBACE,MAAM,EAAE,MAAM;gBACd,OAAO,EAAE;oBACP,cAAc,EAAE,kBAAkB;iBACnC;gBACD,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,EAAE,CAAC;aACzB,CACF,CAAC;YAEF,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,OAAO,CAAC,CAAC;YAEtC,IAAI,QAAQ,CAAC,MAAM,KAAK,GAAG,EAAE,CAAC;gBAC5B,OAAO,CAAC,KAAK,CACX,kBAAkB,IAAI,uCAAuC,QAAQ,CAAC,MAAM,gBAAgB,CAC7F,CAAC;gBACF,OAAO,KAAK,CAAC;YACf,CAAC;YAED,MAAM,IAAI,GAAG,CAAC,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAsB,CAAC;YAE1D,IAAI,CAAC,IAAI,CAAC,KAAK,IAAI,OAAO,IAAI,CAAC,KAAK,KAAK,QAAQ,EAAE,CAAC;gBAClD,OAAO,CAAC,KAAK,CAAC,oCAAoC,OAAO,IAAI,CAAC,KAAK,EAAE,CAAC,CAAC;gBACvE,OAAO,KAAK,CAAC;YACf,CAAC;YAED,iDAAiD;YACjD,IAAI,CAAC,IAAI,CAAC,KAAK,CAAC,WAAW,EAAE,CAAC,QAAQ,CAAC,SAAS,CAAC,EAAE,CAAC;gBAClD,OAAO,CAAC,KAAK,CACX,mDAAmD,IAAI,CAAC,KAAK,EAAE,CAChE,CAAC;gBACF,OAAO,KAAK,CAAC;YACf,CAAC;YAED,OAAO,IAAI,CAAC;QACd,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,OAAO,CAAC,KAAK,CACX,iCAAiC,IAAI,6BAA6B,EAClE,KAAK,CACN,CAAC;YACF,OAAO,KAAK,CAAC;QACf,CAAC;IACH,CAAC;IAED;;;;;;;;OAQG;IACH,KAAK,CAAC,MAAM,CACV,KAAY,EACZ,UAAkB,EAClB,QAA2C;QAE3C,IAAI,CAAC;YACH,uCAAuC;YACvC,MAAM,MAAM,GAAG,IAAI,eAAe,EAAE,CAAC;YACrC,KAAK,MAAM,CAAC,GAAG,EAAE,KAAK,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,QAAQ,CAAC,EAAE,CAAC;gBACpD,IAAI,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC,EAAE,CAAC;oBACzB,KAAK,MAAM
,CAAC,IAAI,KAAK,EAAE,CAAC;wBACtB,MAAM,CAAC,MAAM,CAAC,GAAG,GAAG,IAAI,EAAE,CAAC,CAAC,CAAC;oBAC/B,CAAC;gBACH,CAAC;qBAAM,CAAC;oBACN,MAAM,CAAC,MAAM,CAAC,GAAG,EAAE,KAAK,CAAC,CAAC;gBAC5B,CAAC;YACH,CAAC;YAED,MAAM,OAAO,GAAG,IAAI,OAAO,CACzB,yDAAyD,kBAAkB,CAAC,UAAU,CAAC,EAAE,EACzF;gBACE,MAAM,EAAE,MAAM;gBACd,OAAO,EAAE;oBACP,cAAc,EAAE,mCAAmC;iBACpD;gBACD,IAAI,EAAE,MAAM,CAAC,QAAQ,EAAE;aACxB,CACF,CAAC;YAEF,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,OAAO,CAAC,CAAC;YAEtC,6DAA6D;YAC7D,IAAI,QAAQ,CAAC,MAAM,KAAK,GAAG,IAAI,QAAQ,CAAC,MAAM,KAAK,GAAG,EAAE,CAAC;gBACvD,OAAO,CAAC,KAAK,CACX,0CAA0C,QAAQ,CAAC,MAAM,uBAAuB,CACjF,CAAC;gBACF,OAAO,KAAK,CAAC;YACf,CAAC;YAED,MAAM,IAAI,GAAG,CAAC,MAAM,QAAQ,CAAC,IAAI,EAAE,CAIlC,CAAC;YAEF,8BAA8B;YAC9B,IAAI,OAAO,IAAI,CAAC,QAAQ,KAAK,SAAS,EAAE,CAAC;gBACvC,OAAO,CAAC,KAAK,CACX,wCAAwC,OAAO,IAAI,CAAC,QAAQ,EAAE,CAC/D,CAAC;gBACF,OAAO,KAAK,CAAC;YACf,CAAC;YAED,IAAI,CAAC,IAAI,CAAC,MAAM,IAAI,OAAO,IAAI,CAAC,MAAM,KAAK,QAAQ,EAAE,CAAC;gBACpD,OAAO,CAAC,KAAK,CACX,qCAAqC,OAAO,IAAI,CAAC,MAAM,EAAE,CAC1D,CAAC;gBACF,OAAO,KAAK,CAAC;YACf,CAAC;YAED,4CAA4C;YAC5C,IAAI,IAAI,CAAC,MAAM,KAAK,SAAS,IAAI,IAAI,CAAC,MAAM,KAAK,WAAW,EAAE,CAAC;gBAC7D,OAAO,CAAC,KAAK,CACX,wDAAwD,IAAI,CAAC,MAAM,GAAG,CACvE,CAAC;gBACF,OAAO,KAAK,CAAC;YACf,CAAC;YAED,OAAO,IAAI,CAAC;QACd,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,OAAO,CAAC,KAAK,CAAC,+CAA+C,EAAE,KAAK,CAAC,CAAC;YACtE,OAAO,KAAK,CAAC;QACf,CAAC;IACH,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,uBAAuB,CAAC,KAAY;QACxC,IAAI,CAAC;YACH,MAAM,OAAO,GAAG,IAAI,OAAO,CACzB,4CAA4C,EAC5C;gBACE,MAAM,EAAE,MAAM;gBACd,OAAO,EAAE;oBACP,cAAc,EAAE,mCAAmC;iBACpD;gBACD,IAAI,EAAE,WAAW;aAClB,CACF,CAAC;YAEF,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,OAAO,CAAC,CAAC;YAEtC,IAAI,QAAQ,CAAC,MAAM,KAAK,GAAG,EAAE,CAAC;gBAC5B,OAAO,CAAC,KAAK,CACX,6DAA6D,QAAQ,CAAC,MAAM,gBAAgB,CAC7F,CAAC;gBACF,OAAO,KAAK,CAAC;YACf,CAAC;YAED,MAAM,IAAI,GAAG,CAAC,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAsB,CAAC;YAE1D,IAAI,CAAC,IAAI,CAAC,KAAK,IAAI,OAAO,IAAI,CAAC,KAAK,KAAK,QAAQ,EAAE,CAAC;gBAClD,OAAO,CAAC,KAAK,CAAC,oCAAoC,OAAO,IAAI,CAAC,KAAK,EAAE,CAAC,CAAC;gBACvE,OAAO,KAAK,CAAC;YACf,C
AAC;YAED,IAAI,CAAC,IAAI,CAAC,KAAK,CAAC,WAAW,EAAE,CAAC,QAAQ,CAAC,YAAY,CAAC,EAAE,CAAC;gBACrD,OAAO,CAAC,KAAK,CACX,sDAAsD,IAAI,CAAC,KAAK,EAAE,CACnE,CAAC;gBACF,OAAO,KAAK,CAAC;YACf,CAAC;YAED,OAAO,IAAI,CAAC;QACd,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,OAAO,CAAC,KAAK,CACX,kEAAkE,EAClE,KAAK,CACN,CAAC;YACF,OAAO,KAAK,CAAC;QACf,CAAC;IACH,CAAC;CACF,CAAC"}
1
+ {"version":3,"file":"webhooks.js","sourceRoot":"","sources":["../../src/api/webhooks.ts"],"names":[],"mappings":"AAEA,MAAM,CAAC,MAAM,QAAQ,GAAG;IACtB;;OAEG;IACH,KAAK,CAAC,IAAI,CAAC,KAAY;QACrB,IAAI,CAAC;YACH,MAAM,OAAO,GAAG,IAAI,OAAO,CAAC,6BAA6B,EAAE;gBACzD,MAAM,EAAE,KAAK;aACd,CAAC,CAAC;YAEH,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,OAAO,CAAC,CAAC;YAEtC,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;gBACjB,OAAO,CAAC,KAAK,CAAC,0BAA0B,QAAQ,CAAC,MAAM,EAAE,CAAC,CAAC;gBAC3D,OAAO,KAAK,CAAC;YACf,CAAC;YAED,MAAM,IAAI,GAAG,CAAC,MAAM,QAAQ,CAAC,IAAI,EAAE,CAMlC,CAAC;YAEF,8BAA8B;YAC9B,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,IAAI,CAAC,QAAQ,CAAC,EAAE,CAAC;gBAClC,OAAO,CAAC,KAAK,CACX,yCAAyC,OAAO,IAAI,CAAC,QAAQ,EAAE,CAChE,CAAC;gBACF,OAAO,KAAK,CAAC;YACf,CAAC;YAED,IAAI,OAAO,IAAI,CAAC,KAAK,KAAK,QAAQ,EAAE,CAAC;gBACnC,OAAO,CAAC,KAAK,CAAC,oCAAoC,OAAO,IAAI,CAAC,KAAK,EAAE,CAAC,CAAC;gBACvE,OAAO,KAAK,CAAC;YACf,CAAC;YAED,4CAA4C;YAC5C,KAAK,MAAM,OAAO,IAAI,IAAI,CAAC,QAAQ,EAAE,CAAC;gBACpC,IAAI,CAAC,OAAO,CAAC,IAAI,IAAI,OAAO,OAAO,CAAC,IAAI,KAAK,QAAQ,EAAE,CAAC;oBACtD,OAAO,CAAC,KAAK,CACX,6CAA6C,IAAI,CAAC,SAAS,CACzD,OAAO,CACR,EAAE,CACJ,CAAC;oBACF,OAAO,KAAK,CAAC;gBACf,CAAC;gBAED,0BAA0B;gBAC1B,IACE,OAAO,CAAC,WAAW,KAAK,SAAS;oBACjC,OAAO,OAAO,CAAC,WAAW,KAAK,QAAQ,EACvC,CAAC;oBACD,OAAO,CAAC,KAAK,CACX,yCAAyC,IAAI,CAAC,SAAS,CAAC,OAAO,CAAC,EAAE,CACnE,CAAC;oBACF,OAAO,KAAK,CAAC;gBACf,CAAC;YACH,CAAC;YAED,OAAO,IAAI,CAAC;QACd,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,OAAO,CAAC,KAAK,CAAC,+BAA+B,EAAE,KAAK,CAAC,CAAC;YACtD,OAAO,KAAK,CAAC;QACf,CAAC;IACH,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,OAAO,CAAC,KAAY,EAAE,IAAY,EAAE,OAAY;QACpD,IAAI,CAAC;YACH,MAAM,OAAO,GAAG,IAAI,OAAO,CACzB,+BAA+B,kBAAkB,CAAC,IAAI,CAAC,EAAE,EACzD;gBACE,MAAM,EAAE,MAAM;gBACd,OAAO,EAAE;oBACP,cAAc,EAAE,kBAAkB;iBACnC;gBACD,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,OAAO,CAAC;aAC9B,CACF,CAAC;YAEF,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,OAAO,CAAC,CAAC;YAEtC,2CAA2C;YAC3C,IAAI,QAAQ,CAAC,MAAM,KAAK,GAAG,IAAI,QAAQ,CAAC,MAAM,KAAK,GAAG,EAAE,CAAC;gBACvD,OAAO,CAAC,KAAK,CACX,kBAAkB,IAAI,aAAa,QAAQ,CAAC,MAAM,uBAAuB,CAC1E,CAAC;gBACF,OAAO,KAAK,CA
AC;YACf,CAAC;YAED,MAAM,IAAI,GAAG,CAAC,MAAM,QAAQ,CAAC,IAAI,EAAE,CAGlC,CAAC;YAEF,8BAA8B;YAC9B,IAAI,OAAO,IAAI,CAAC,QAAQ,KAAK,SAAS,EAAE,CAAC;gBACvC,OAAO,CAAC,KAAK,CACX,wCAAwC,OAAO,IAAI,CAAC,QAAQ,EAAE,CAC/D,CAAC;gBACF,OAAO,KAAK,CAAC;YACf,CAAC;YAED,2BAA2B;YAC3B,IACE,IAAI,CAAC,MAAM,KAAK,SAAS;gBACzB,CAAC,CAAC,SAAS,EAAE,SAAS,EAAE,QAAQ,EAAE,UAAU,CAAC,CAAC,QAAQ,CAAC,IAAI,CAAC,MAAM,CAAC,EACnE,CAAC;gBACD,OAAO,CAAC,KAAK,CAAC,yBAAyB,IAAI,CAAC,MAAM,EAAE,CAAC,CAAC;gBACtD,OAAO,KAAK,CAAC;YACf,CAAC;YAED,OAAO,IAAI,CAAC;QACd,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,OAAO,CAAC,KAAK,CAAC,iCAAiC,IAAI,GAAG,EAAE,KAAK,CAAC,CAAC;YAC/D,OAAO,KAAK,CAAC;QACf,CAAC;IACH,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,QAAQ,CAAC,KAAY,EAAE,IAAY;QACvC,IAAI,CAAC;YACH,MAAM,OAAO,GAAG,IAAI,OAAO,CACzB,+BAA+B,kBAAkB,CAAC,IAAI,CAAC,EAAE,EACzD;gBACE,MAAM,EAAE,MAAM;gBACd,OAAO,EAAE;oBACP,cAAc,EAAE,kBAAkB;iBACnC;gBACD,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,EAAE,CAAC;aACzB,CACF,CAAC;YAEF,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,OAAO,CAAC,CAAC;YAEtC,IAAI,QAAQ,CAAC,MAAM,KAAK,GAAG,EAAE,CAAC;gBAC5B,OAAO,CAAC,KAAK,CACX,kBAAkB,IAAI,uCAAuC,QAAQ,CAAC,MAAM,gBAAgB,CAC7F,CAAC;gBACF,OAAO,KAAK,CAAC;YACf,CAAC;YAED,MAAM,IAAI,GAAG,CAAC,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAsB,CAAC;YAE1D,IAAI,CAAC,IAAI,CAAC,KAAK,IAAI,OAAO,IAAI,CAAC,KAAK,KAAK,QAAQ,EAAE,CAAC;gBAClD,OAAO,CAAC,KAAK,CAAC,oCAAoC,OAAO,IAAI,CAAC,KAAK,EAAE,CAAC,CAAC;gBACvE,OAAO,KAAK,CAAC;YACf,CAAC;YAED,iDAAiD;YACjD,IAAI,CAAC,IAAI,CAAC,KAAK,CAAC,WAAW,EAAE,CAAC,QAAQ,CAAC,SAAS,CAAC,EAAE,CAAC;gBAClD,OAAO,CAAC,KAAK,CACX,mDAAmD,IAAI,CAAC,KAAK,EAAE,CAChE,CAAC;gBACF,OAAO,KAAK,CAAC;YACf,CAAC;YAED,OAAO,IAAI,CAAC;QACd,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,OAAO,CAAC,KAAK,CACX,iCAAiC,IAAI,6BAA6B,EAClE,KAAK,CACN,CAAC;YACF,OAAO,KAAK,CAAC;QACf,CAAC;IACH,CAAC;IAED;;;;;;;;;OASG;IACH,KAAK,CAAC,MAAM,CACV,KAAY,EACZ,UAAkB,EAClB,QAA2C,EAC3C,KAAa;QAEb,IAAI,CAAC;YACH,uCAAuC;YACvC,MAAM,MAAM,GAAG,IAAI,eAAe,EAAE,CAAC;YACrC,MAAM,CAAC,MAAM,CAAC,oBAAoB,EAAE,KAAK,CAAC,CAAC;YAC3C,KAAK,MAAM,CAAC,GAAG,EAAE,KAAK,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,QAAQ,CAAC,EAAE,CAAC;gBAC
pD,IAAI,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC,EAAE,CAAC;oBACzB,KAAK,MAAM,CAAC,IAAI,KAAK,EAAE,CAAC;wBACtB,MAAM,CAAC,MAAM,CAAC,GAAG,GAAG,IAAI,EAAE,CAAC,CAAC,CAAC;oBAC/B,CAAC;gBACH,CAAC;qBAAM,CAAC;oBACN,MAAM,CAAC,MAAM,CAAC,GAAG,EAAE,KAAK,CAAC,CAAC;gBAC5B,CAAC;YACH,CAAC;YAED,MAAM,OAAO,GAAG,IAAI,OAAO,CACzB,yDAAyD,kBAAkB,CAAC,UAAU,CAAC,EAAE,EACzF;gBACE,MAAM,EAAE,MAAM;gBACd,OAAO,EAAE;oBACP,cAAc,EAAE,mCAAmC;iBACpD;gBACD,IAAI,EAAE,MAAM,CAAC,QAAQ,EAAE;aACxB,CACF,CAAC;YAEF,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,OAAO,CAAC,CAAC;YAEtC,6DAA6D;YAC7D,IAAI,QAAQ,CAAC,MAAM,KAAK,GAAG,IAAI,QAAQ,CAAC,MAAM,KAAK,GAAG,EAAE,CAAC;gBACvD,OAAO,CAAC,KAAK,CACX,0CAA0C,QAAQ,CAAC,MAAM,uBAAuB,CACjF,CAAC;gBACF,OAAO,KAAK,CAAC;YACf,CAAC;YAED,MAAM,IAAI,GAAG,CAAC,MAAM,QAAQ,CAAC,IAAI,EAAE,CAIlC,CAAC;YAEF,8BAA8B;YAC9B,IAAI,OAAO,IAAI,CAAC,QAAQ,KAAK,SAAS,EAAE,CAAC;gBACvC,OAAO,CAAC,KAAK,CACX,wCAAwC,OAAO,IAAI,CAAC,QAAQ,EAAE,CAC/D,CAAC;gBACF,OAAO,KAAK,CAAC;YACf,CAAC;YAED,IAAI,CAAC,IAAI,CAAC,MAAM,IAAI,OAAO,IAAI,CAAC,MAAM,KAAK,QAAQ,EAAE,CAAC;gBACpD,OAAO,CAAC,KAAK,CACX,qCAAqC,OAAO,IAAI,CAAC,MAAM,EAAE,CAC1D,CAAC;gBACF,OAAO,KAAK,CAAC;YACf,CAAC;YAED,4CAA4C;YAC5C,IAAI,IAAI,CAAC,MAAM,KAAK,SAAS,IAAI,IAAI,CAAC,MAAM,KAAK,WAAW,EAAE,CAAC;gBAC7D,OAAO,CAAC,KAAK,CACX,wDAAwD,IAAI,CAAC,MAAM,GAAG,CACvE,CAAC;gBACF,OAAO,KAAK,CAAC;YACf,CAAC;YAED,OAAO,IAAI,CAAC;QACd,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,OAAO,CAAC,KAAK,CAAC,+CAA+C,EAAE,KAAK,CAAC,CAAC;YACtE,OAAO,KAAK,CAAC;QACf,CAAC;IACH,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,uBAAuB,CAAC,KAAY;QACxC,IAAI,CAAC;YACH,MAAM,OAAO,GAAG,IAAI,OAAO,CACzB,4CAA4C,EAC5C;gBACE,MAAM,EAAE,MAAM;gBACd,OAAO,EAAE;oBACP,cAAc,EAAE,mCAAmC;iBACpD;gBACD,IAAI,EAAE,WAAW;aAClB,CACF,CAAC;YAEF,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,OAAO,CAAC,CAAC;YAEtC,IAAI,QAAQ,CAAC,MAAM,KAAK,GAAG,EAAE,CAAC;gBAC5B,OAAO,CAAC,KAAK,CACX,6DAA6D,QAAQ,CAAC,MAAM,gBAAgB,CAC7F,CAAC;gBACF,OAAO,KAAK,CAAC;YACf,CAAC;YAED,MAAM,IAAI,GAAG,CAAC,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAsB,CAAC;YAE1D,IAAI,CAAC,IAAI,CAAC,KAAK,IAAI,OAAO,IAAI,CAAC,KAAK,KAAK,QAAQ,EAAE,CAAC;gBAClD,OAAO,CAAC,KAAK,CAAC,oCAAoC
,OAAO,IAAI,CAAC,KAAK,EAAE,CAAC,CAAC;gBACvE,OAAO,KAAK,CAAC;YACf,CAAC;YAED,IAAI,CAAC,IAAI,CAAC,KAAK,CAAC,WAAW,EAAE,CAAC,QAAQ,CAAC,YAAY,CAAC,EAAE,CAAC;gBACrD,OAAO,CAAC,KAAK,CACX,sDAAsD,IAAI,CAAC,KAAK,EAAE,CACnE,CAAC;gBACF,OAAO,KAAK,CAAC;YACf,CAAC;YAED,OAAO,IAAI,CAAC;QACd,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,OAAO,CAAC,KAAK,CACX,kEAAkE,EAClE,KAAK,CACN,CAAC;YACF,OAAO,KAAK,CAAC;QACf,CAAC;IACH,CAAC;IAED;;;OAGG;IACH,KAAK,CAAC,kBAAkB,CAAC,KAAY,EAAE,UAAkB;QACvD,IAAI,CAAC;YACH,4CAA4C;YAC5C,MAAM,MAAM,GAAG,IAAI,eAAe,EAAE,CAAC;YACrC,MAAM,CAAC,MAAM,CAAC,MAAM,EAAE,WAAW,CAAC,CAAC;YAEnC,MAAM,OAAO,GAAG,IAAI,OAAO,CACzB,yDAAyD,kBAAkB,CAAC,UAAU,CAAC,EAAE,EACzF;gBACE,MAAM,EAAE,MAAM;gBACd,OAAO,EAAE;oBACP,cAAc,EAAE,mCAAmC;iBACpD;gBACD,IAAI,EAAE,MAAM,CAAC,QAAQ,EAAE;aACxB,CACF,CAAC;YAEF,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,OAAO,CAAC,CAAC;YAEtC,IAAI,QAAQ,CAAC,MAAM,KAAK,GAAG,EAAE,CAAC;gBAC5B,OAAO,CAAC,KAAK,CACX,wDAAwD,QAAQ,CAAC,MAAM,gBAAgB,CACxF,CAAC;gBACF,OAAO,KAAK,CAAC;YACf,CAAC;YAED,MAAM,IAAI,GAAG,CAAC,MAAM,QAAQ,CAAC,IAAI,EAAE,CAIlC,CAAC;YAEF,IAAI,IAAI,CAAC,QAAQ,KAAK,KAAK,EAAE,CAAC;gBAC5B,OAAO,CAAC,KAAK,CACX,sCAAsC,IAAI,CAAC,QAAQ,EAAE,CACtD,CAAC;gBACF,OAAO,KAAK,CAAC;YACf,CAAC;YAED,IAAI,IAAI,CAAC,MAAM,KAAK,SAAS,EAAE,CAAC;gBAC9B,OAAO,CAAC,KAAK,CACX,yCAAyC,IAAI,CAAC,MAAM,GAAG,CACxD,CAAC;gBACF,OAAO,KAAK,CAAC;YACf,CAAC;YAED,OAAO,IAAI,CAAC;QACd,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,OAAO,CAAC,KAAK,CACX,6DAA6D,EAC7D,KAAK,CACN,CAAC;YACF,OAAO,KAAK,CAAC;QACf,CAAC;IACH,CAAC;IAED;;;;;OAKG;IACH,KAAK,CAAC,gBAAgB,CACpB,KAAY,EACZ,UAAkB,EAClB,QAA2C,EAC3C,UAAkB;QAElB,IAAI,CAAC;YACH,MAAM,MAAM,GAAG,IAAI,eAAe,EAAE,CAAC;YACrC,MAAM,CAAC,MAAM,CAAC,oBAAoB,EAAE,UAAU,CAAC,CAAC;YAChD,KAAK,MAAM,CAAC,GAAG,EAAE,KAAK,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,QAAQ,CAAC,EAAE,CAAC;gBACpD,IAAI,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC,EAAE,CAAC;oBACzB,KAAK,MAAM,CAAC,IAAI,KAAK,EAAE,CAAC;wBACtB,MAAM,CAAC,MAAM,CAAC,GAAG,GAAG,IAAI,EAAE,CAAC,CAAC,CAAC;oBAC/B,CAAC;gBACH,CAAC;qBAAM,CAAC;oBACN,MAAM,CAAC,MAAM,CAAC,GAAG,EAAE,KAAK,CAAC,CAAC;gBAC5B,CAAC;YACH,CAAC;YAED,MAAM,OA
AO,GAAG,IAAI,OAAO,CACzB,yDAAyD,kBAAkB,CAAC,UAAU,CAAC,EAAE,EACzF;gBACE,MAAM,EAAE,MAAM;gBACd,OAAO,EAAE;oBACP,cAAc,EAAE,mCAAmC;iBACpD;gBACD,IAAI,EAAE,MAAM,CAAC,QAAQ,EAAE;aACxB,CACF,CAAC;YAEF,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,OAAO,CAAC,CAAC;YAEtC,qDAAqD;YACrD,IAAI,QAAQ,CAAC,MAAM,KAAK,GAAG,EAAE,CAAC;gBAC5B,MAAM,IAAI,GAAG,CAAC,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAwB,CAAC;gBAC5D,IAAI,IAAI,CAAC,MAAM,KAAK,SAAS,EAAE,CAAC;oBAC9B,OAAO,CAAC,KAAK,CACX,6GAA6G,CAC9G,CAAC;oBACF,OAAO,KAAK,CAAC;gBACf,CAAC;YACH,CAAC;YAED,iGAAiG;YACjG,IAAI,QAAQ,CAAC,MAAM,KAAK,GAAG,IAAI,QAAQ,CAAC,MAAM,KAAK,GAAG,EAAE,CAAC;gBACvD,OAAO,CAAC,KAAK,CACX,2DAA2D,QAAQ,CAAC,MAAM,uBAAuB,CAClG,CAAC;gBACF,OAAO,KAAK,CAAC;YACf,CAAC;YAED,OAAO,IAAI,CAAC;QACd,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,OAAO,CAAC,KAAK,CACX,gEAAgE,EAChE,KAAK,CACN,CAAC;YACF,OAAO,KAAK,CAAC;QACf,CAAC;IACH,CAAC;CACF,CAAC"}
@@ -436,8 +436,9 @@ export var webhooks = {
436
436
  * The endpoint:
437
437
  * - Accepts form data (application/x-www-form-urlencoded or multipart/form-data)
438
438
  * - Requires an `identifier` query parameter to match the waiting brain
439
+ * - Requires a `__positronic_token` field for CSRF validation
439
440
  * - Returns { received: true, action: 'resumed' | 'not_found', ... }
440
- */ function uiForm(fetch, identifier, formData) {
441
+ */ function uiForm(fetch, identifier, formData, token) {
441
442
  return _async_to_generator(function() {
442
443
  var params, _iteratorNormalCompletion, _didIteratorError, _iteratorError, _iterator, _step, _step_value, key, value, _iteratorNormalCompletion1, _didIteratorError1, _iteratorError1, _iterator1, _step1, v, request, response, data, error;
443
444
  return _ts_generator(this, function(_state) {
@@ -451,6 +452,7 @@ export var webhooks = {
451
452
  ]);
452
453
  // Build URLSearchParams from form data
453
454
  params = new URLSearchParams();
455
+ params.append('__positronic_token', token);
454
456
  _iteratorNormalCompletion = true, _didIteratorError = false, _iteratorError = undefined;
455
457
  try {
456
458
  for(_iterator = Object.entries(formData)[Symbol.iterator](); !(_iteratorNormalCompletion = (_step = _iterator.next()).done); _iteratorNormalCompletion = true){
@@ -635,5 +637,203 @@ export var webhooks = {
635
637
  }
636
638
  });
637
639
  })();
640
+ },
641
+ uiFormMissingToken: /**
642
+ * Test POST /webhooks/system/ui-form without a CSRF token - Should return 403.
643
+ * The endpoint checks for missing token before looking up a waiting brain.
644
+ */ function uiFormMissingToken(fetch, identifier) {
645
+ return _async_to_generator(function() {
646
+ var params, request, response, data, error;
647
+ return _ts_generator(this, function(_state) {
648
+ switch(_state.label){
649
+ case 0:
650
+ _state.trys.push([
651
+ 0,
652
+ 3,
653
+ ,
654
+ 4
655
+ ]);
656
+ // Send form data without __positronic_token
657
+ params = new URLSearchParams();
658
+ params.append('name', 'Test User');
659
+ request = new Request("http://example.com/webhooks/system/ui-form?identifier=".concat(encodeURIComponent(identifier)), {
660
+ method: 'POST',
661
+ headers: {
662
+ 'Content-Type': 'application/x-www-form-urlencoded'
663
+ },
664
+ body: params.toString()
665
+ });
666
+ return [
667
+ 4,
668
+ fetch(request)
669
+ ];
670
+ case 1:
671
+ response = _state.sent();
672
+ if (response.status !== 403) {
673
+ console.error("POST /webhooks/system/ui-form without token returned ".concat(response.status, ", expected 403"));
674
+ return [
675
+ 2,
676
+ false
677
+ ];
678
+ }
679
+ return [
680
+ 4,
681
+ response.json()
682
+ ];
683
+ case 2:
684
+ data = _state.sent();
685
+ if (data.received !== false) {
686
+ console.error("Expected received to be false, got ".concat(data.received));
687
+ return [
688
+ 2,
689
+ false
690
+ ];
691
+ }
692
+ if (data.action !== 'ignored') {
693
+ console.error("Expected action to be 'ignored', got '".concat(data.action, "'"));
694
+ return [
695
+ 2,
696
+ false
697
+ ];
698
+ }
699
+ return [
700
+ 2,
701
+ true
702
+ ];
703
+ case 3:
704
+ error = _state.sent();
705
+ console.error('Failed to test POST /webhooks/system/ui-form without token:', error);
706
+ return [
707
+ 2,
708
+ false
709
+ ];
710
+ case 4:
711
+ return [
712
+ 2
713
+ ];
714
+ }
715
+ });
716
+ })();
717
+ },
718
+ uiFormWrongToken: /**
719
+ * Test POST /webhooks/system/ui-form with a wrong CSRF token.
720
+ * Without a brain waiting, the endpoint returns 404 (not_found) since
721
+ * token comparison only runs after a brain is found. The key assertion
722
+ * is that a wrong token never produces a successful 200 "resumed" response.
723
+ */ function uiFormWrongToken(fetch, identifier, formData, wrongToken) {
724
+ return _async_to_generator(function() {
725
+ var params, _iteratorNormalCompletion, _didIteratorError, _iteratorError, _iterator, _step, _step_value, key, value, _iteratorNormalCompletion1, _didIteratorError1, _iteratorError1, _iterator1, _step1, v, request, response, data, error;
726
+ return _ts_generator(this, function(_state) {
727
+ switch(_state.label){
728
+ case 0:
729
+ _state.trys.push([
730
+ 0,
731
+ 4,
732
+ ,
733
+ 5
734
+ ]);
735
+ params = new URLSearchParams();
736
+ params.append('__positronic_token', wrongToken);
737
+ _iteratorNormalCompletion = true, _didIteratorError = false, _iteratorError = undefined;
738
+ try {
739
+ for(_iterator = Object.entries(formData)[Symbol.iterator](); !(_iteratorNormalCompletion = (_step = _iterator.next()).done); _iteratorNormalCompletion = true){
740
+ _step_value = _sliced_to_array(_step.value, 2), key = _step_value[0], value = _step_value[1];
741
+ if (Array.isArray(value)) {
742
+ _iteratorNormalCompletion1 = true, _didIteratorError1 = false, _iteratorError1 = undefined;
743
+ try {
744
+ for(_iterator1 = value[Symbol.iterator](); !(_iteratorNormalCompletion1 = (_step1 = _iterator1.next()).done); _iteratorNormalCompletion1 = true){
745
+ v = _step1.value;
746
+ params.append("".concat(key, "[]"), v);
747
+ }
748
+ } catch (err) {
749
+ _didIteratorError1 = true;
750
+ _iteratorError1 = err;
751
+ } finally{
752
+ try {
753
+ if (!_iteratorNormalCompletion1 && _iterator1.return != null) {
754
+ _iterator1.return();
755
+ }
756
+ } finally{
757
+ if (_didIteratorError1) {
758
+ throw _iteratorError1;
759
+ }
760
+ }
761
+ }
762
+ } else {
763
+ params.append(key, value);
764
+ }
765
+ }
766
+ } catch (err) {
767
+ _didIteratorError = true;
768
+ _iteratorError = err;
769
+ } finally{
770
+ try {
771
+ if (!_iteratorNormalCompletion && _iterator.return != null) {
772
+ _iterator.return();
773
+ }
774
+ } finally{
775
+ if (_didIteratorError) {
776
+ throw _iteratorError;
777
+ }
778
+ }
779
+ }
780
+ request = new Request("http://example.com/webhooks/system/ui-form?identifier=".concat(encodeURIComponent(identifier)), {
781
+ method: 'POST',
782
+ headers: {
783
+ 'Content-Type': 'application/x-www-form-urlencoded'
784
+ },
785
+ body: params.toString()
786
+ });
787
+ return [
788
+ 4,
789
+ fetch(request)
790
+ ];
791
+ case 1:
792
+ response = _state.sent();
793
+ if (!(response.status === 200)) return [
794
+ 3,
795
+ 3
796
+ ];
797
+ return [
798
+ 4,
799
+ response.json()
800
+ ];
801
+ case 2:
802
+ data = _state.sent();
803
+ if (data.action === 'resumed') {
804
+ console.error('POST /webhooks/system/ui-form with wrong token returned 200 with action "resumed" — token validation failed');
805
+ return [
806
+ 2,
807
+ false
808
+ ];
809
+ }
810
+ _state.label = 3;
811
+ case 3:
812
+ // Accept 403 (token mismatch) or 404 (no brain waiting — token check happens after brain lookup)
813
+ if (response.status !== 403 && response.status !== 404) {
814
+ console.error("POST /webhooks/system/ui-form with wrong token returned ".concat(response.status, ", expected 403 or 404"));
815
+ return [
816
+ 2,
817
+ false
818
+ ];
819
+ }
820
+ return [
821
+ 2,
822
+ true
823
+ ];
824
+ case 4:
825
+ error = _state.sent();
826
+ console.error('Failed to test POST /webhooks/system/ui-form with wrong token:', error);
827
+ return [
828
+ 2,
829
+ false
830
+ ];
831
+ case 5:
832
+ return [
833
+ 2
834
+ ];
835
+ }
836
+ });
837
+ })();
638
838
  }
639
839
  };
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "@positronic/spec",
3
- "version": "0.0.63",
3
+ "version": "0.0.65",
4
4
  "publishConfig": {
5
5
  "access": "public"
6
6
  },