@runtypelabs/persona-proxy 3.19.0 → 3.26.0

package/src/index.test.ts

@@ -1,4 +1,4 @@
-import { describe, it, expect, afterEach } from "vitest";
+import { describe, it, expect, afterEach, vi } from "vitest";
 import { createChatProxyApp } from "./index";
 
 describe("CORS middleware", () => {
@@ -70,3 +70,175 @@ describe("CORS middleware", () => {
     expect(res.headers.get("Vary")).toBe("Origin");
   });
 });
+
+describe("CORS preview origins", () => {
+  const savedNodeEnv = process.env.NODE_ENV;
+  const savedVercelEnv = process.env.VERCEL_ENV;
+  const savedPattern = process.env.PREVIEW_ORIGIN_PATTERN;
+
+  afterEach(() => {
+    process.env.NODE_ENV = savedNodeEnv;
+    if (savedVercelEnv === undefined) delete process.env.VERCEL_ENV;
+    else process.env.VERCEL_ENV = savedVercelEnv;
+    if (savedPattern === undefined) delete process.env.PREVIEW_ORIGIN_PATTERN;
+    else process.env.PREVIEW_ORIGIN_PATTERN = savedPattern;
+  });
+
+  const preflight = (app: ReturnType<typeof createChatProxyApp>, origin: string) =>
+    app.request("/api/chat/dispatch", { method: "OPTIONS", headers: { Origin: origin } });
+
+  it("reflects a *.vercel.app preview origin not in the allowlist (default pattern)", async () => {
+    process.env.NODE_ENV = "production";
+    delete process.env.VERCEL_ENV;
+    const app = createChatProxyApp({ allowedOrigins: ["https://good.com"] });
+    const res = await preflight(app, "https://persona-git-feature-x-runtype.vercel.app");
+    expect(res.status).toBe(204);
+    expect(res.headers.get("Access-Control-Allow-Origin")).toBe(
+      "https://persona-git-feature-x-runtype.vercel.app"
+    );
+  });
+
+  it("does not match preview-apex look-alikes", async () => {
+    process.env.NODE_ENV = "production";
+    delete process.env.VERCEL_ENV;
+    const app = createChatProxyApp({ allowedOrigins: ["https://good.com"] });
+    // Apex spoofed as a deeper subdomain of an attacker domain.
+    const spoof = await preflight(app, "https://x.vercel.app.evil.com");
+    expect(spoof.status).toBe(403);
+    // Hyphen instead of dot before the apex.
+    const hyphen = await preflight(app, "https://evil-vercel.app");
+    expect(hyphen.status).toBe(403);
+  });
+
+  it("allows extra preview domains via PREVIEW_ORIGIN_PATTERN env", async () => {
+    process.env.NODE_ENV = "production";
+    delete process.env.VERCEL_ENV;
+    process.env.PREVIEW_ORIGIN_PATTERN = "^https://[a-z0-9-]+\\.preview\\.example\\.com$";
+    const app = createChatProxyApp({ allowedOrigins: ["https://good.com"] });
+    const res = await preflight(app, "https://pr-42.preview.example.com");
+    expect(res.status).toBe(204);
+    expect(res.headers.get("Access-Control-Allow-Origin")).toBe(
+      "https://pr-42.preview.example.com"
+    );
+  });
+
+  it("still rejects a non-preview, non-allowlisted origin in production", async () => {
+    process.env.NODE_ENV = "production";
+    delete process.env.VERCEL_ENV;
+    const app = createChatProxyApp({ allowedOrigins: ["https://good.com"] });
+    const res = await preflight(app, "https://evil.com");
+    expect(res.status).toBe(403);
+  });
+
+  it("disables preview reflection with previewOriginPattern: false", async () => {
+    process.env.NODE_ENV = "production";
+    delete process.env.VERCEL_ENV;
+    const app = createChatProxyApp({
+      allowedOrigins: ["https://good.com"],
+      previewOriginPattern: false,
+    });
+    const res = await preflight(app, "https://persona-git-feature-x-runtype.vercel.app");
+    expect(res.status).toBe(403);
+  });
+
+  it("honors a custom previewOriginPattern", async () => {
+    process.env.NODE_ENV = "production";
+    delete process.env.VERCEL_ENV;
+    const app = createChatProxyApp({
+      allowedOrigins: ["https://good.com"],
+      previewOriginPattern: /^https:\/\/preview\.example\.com$/,
+    });
+    const ok = await preflight(app, "https://preview.example.com");
+    expect(ok.status).toBe(204);
+    expect(ok.headers.get("Access-Control-Allow-Origin")).toBe("https://preview.example.com");
+    // The default *.vercel.app no longer applies once a custom pattern is set.
+    const vercel = await preflight(app, "https://persona-git-x-runtype.vercel.app");
+    expect(vercel.status).toBe(403);
+  });
+
+  it("reflects any origin when the proxy itself is a Vercel preview runtime", async () => {
+    process.env.NODE_ENV = "production";
+    process.env.VERCEL_ENV = "preview";
+    const app = createChatProxyApp({ allowedOrigins: ["https://good.com"] });
+    const res = await preflight(app, "https://anything.example.org");
+    expect(res.status).toBe(204);
+    expect(res.headers.get("Access-Control-Allow-Origin")).toBe("https://anything.example.org");
+  });
+});
+
+describe("dispatch — WebMCP clientTools forwarding", () => {
+  const realFetch = globalThis.fetch;
+
+  afterEach(() => {
+    globalThis.fetch = realFetch;
+  });
+
+  // Capture whatever body the proxy POSTs upstream, and return a minimal
+  // streaming Response so the handler completes.
+  const captureUpstream = () => {
+    const calls: Array<{ url: string; body: Record<string, unknown> | null }> = [];
+    globalThis.fetch = vi.fn(async (url: unknown, init?: { body?: unknown }) => {
+      calls.push({
+        url: String(url),
+        body:
+          typeof init?.body === "string"
+            ? (JSON.parse(init.body) as Record<string, unknown>)
+            : null,
+      });
+      return new Response("data: {}\n\n", {
+        status: 200,
+        headers: { "content-type": "text/event-stream" },
+      });
+    }) as unknown as typeof fetch;
+    return calls;
+  };
+
+  const dispatch = (
+    app: ReturnType<typeof createChatProxyApp>,
+    body: Record<string, unknown>,
+  ) =>
+    app.request("/api/chat/dispatch", {
+      method: "POST",
+      headers: { "Content-Type": "application/json", Origin: "https://example.com" },
+      body: JSON.stringify(body),
+    });
+
+  const clientTools = [
+    {
+      name: "search_products",
+      description: "Search the catalog.",
+      parametersSchema: { type: "object", properties: { query: { type: "string" } } },
+      origin: "webmcp",
+      pageOrigin: "https://example.com",
+    },
+  ];
+
+  it("forwards clientTools[] to the upstream in flow-dispatch mode", async () => {
+    const calls = captureUpstream();
+    const app = createChatProxyApp({ apiKey: "test-key" });
+    const res = await dispatch(app, {
+      messages: [{ role: "user", content: "search for shoes" }],
+      clientTools,
+    });
+    expect(res.status).toBe(200);
+    expect(calls).toHaveLength(1);
+    expect(calls[0]!.body?.clientTools).toEqual(clientTools);
+  });
+
+  it("omits clientTools from the upstream payload when none are provided", async () => {
+    const calls = captureUpstream();
+    const app = createChatProxyApp({ apiKey: "test-key" });
+    await dispatch(app, { messages: [{ role: "user", content: "hi" }] });
+    expect(calls[0]!.body).not.toHaveProperty("clientTools");
+  });
+
+  it("omits clientTools when an empty array is sent", async () => {
+    const calls = captureUpstream();
+    const app = createChatProxyApp({ apiKey: "test-key" });
+    await dispatch(app, {
+      messages: [{ role: "user", content: "hi" }],
+      clientTools: [],
+    });
+    expect(calls[0]!.body).not.toHaveProperty("clientTools");
+  });
+});

package/src/index.ts

@@ -40,6 +40,17 @@ export type ChatProxyOptions = {
   apiKey?: string;
   path?: string;
   allowedOrigins?: string[];
+  /**
+   * Reflect any request origin matching this pattern, in addition to the exact
+   * `allowedOrigins` list. Intended for Vercel **preview** deployments, whose
+   * URLs are per-branch and dynamic (`*-git-<branch>-<team>.vercel.app`) and so
+   * can't be enumerated. Defaults to `https://*.vercel.app`
+   * ({@link DEFAULT_PREVIEW_ORIGIN_PATTERN}); pass a custom `RegExp`, set the
+   * `PREVIEW_ORIGIN_PATTERN` env var, or pass `false` to disable. Independent of
+   * the `VERCEL_ENV === "preview"` runtime check, which always reflects the
+   * caller's origin when the proxy itself is a preview deployment.
+   */
+  previewOriginPattern?: RegExp | false;
   flowId?: string;
   flowConfig?: RuntypeFlowConfig;
   /**
@@ -74,6 +85,56 @@ const getRuntimeEnv = (): RuntimeEnv | undefined => {
 const isDevelopmentRuntime = (): boolean =>
   getRuntimeEnv()?.NODE_ENV === "development";
 
+/**
+ * True when this proxy is itself running as a Vercel **preview** deployment
+ * (`VERCEL_ENV === "preview"`). Vercel sets `NODE_ENV=production` for both
+ * production and preview, so `isDevelopmentRuntime()` can't distinguish them —
+ * `VERCEL_ENV` is the only signal. Preview deployments get per-branch, dynamic
+ * URLs (`*-git-<branch>-<team>.vercel.app`) that can't be enumerated in a
+ * static `allowedOrigins` list, so for CORS we treat a preview runtime like
+ * development and reflect the caller's origin. Safe when `process` is missing.
+ */
+const isVercelPreviewRuntime = (): boolean =>
+  getRuntimeEnv()?.VERCEL_ENV === "preview";
+
+/**
+ * Default origin pattern treated as a Vercel preview/app origin: any
+ * `https://<sub>.vercel.app`. When a *production* proxy is called by a static
+ * preview site (a different, dynamic `*.vercel.app` origin), the origin won't be
+ * in `allowedOrigins`; matching this pattern lets the proxy reflect it so
+ * per-branch preview sites work without enumerating their URLs. To allow other
+ * preview domains, supply your own pattern via the `previewOriginPattern` option
+ * or the `PREVIEW_ORIGIN_PATTERN` env regex; disable with
+ * `previewOriginPattern: false`.
+ *
+ * The `$`-anchored apex prevents look-alikes like `https://x.vercel.app.evil.com`
+ * from matching.
+ */
+const DEFAULT_PREVIEW_ORIGIN_PATTERN = /^https:\/\/[a-z0-9-]+\.vercel\.app$/i;
+
+/**
+ * Resolve the preview-origin pattern from options/env. Precedence:
+ * explicit `options.previewOriginPattern` (a `RegExp`, or `false` to disable) →
+ * `PREVIEW_ORIGIN_PATTERN` env (compiled as a `RegExp`; ignored if invalid) →
+ * {@link DEFAULT_PREVIEW_ORIGIN_PATTERN}.
+ */
+const resolvePreviewOriginPattern = (
+  option: RegExp | false | undefined
+): RegExp | null => {
+  if (option === false) return null;
+  if (option instanceof RegExp) return option;
+  const envPattern = getRuntimeEnv()?.PREVIEW_ORIGIN_PATTERN;
+  if (envPattern) {
+    try {
+      return new RegExp(envPattern);
+    } catch {
+      // Invalid env regex — fall back to the default rather than throwing at
+      // app-construction time.
+    }
+  }
+  return DEFAULT_PREVIEW_ORIGIN_PATTERN;
+};
+
 const DEFAULT_FLOW: RuntypeFlowConfig = {
   name: "Streaming Prompt Flow",
   description: "Streaming chat generated by the widget",
@@ -84,7 +145,7 @@ const DEFAULT_FLOW: RuntypeFlowConfig = {
       type: "prompt",
       enabled: true,
       config: {
-        model: "mercury-2",
+        model: "nemotron-3-ultra-550b-a55b",
         responseFormat: "markdown",
         outputVariable: "prompt_result",
         userPrompt: "{{user_message}}",
@@ -101,11 +162,20 @@ const DEFAULT_FLOW: RuntypeFlowConfig = {
 };
 
 const withCors =
-  (allowedOrigins: string[] | undefined) =>
+  (allowedOrigins: string[] | undefined, previewOriginPattern: RegExp | null) =>
     async (c: Context, next: () => Promise<void>) => {
       const origin = c.req.header("origin");
       const isDevelopment = isDevelopmentRuntime();
-      
+      // A request is preview-allowed when either the proxy itself is a Vercel
+      // preview deployment (reflect any caller, like dev) or the caller's origin
+      // matches the configured preview pattern (e.g. a `*.vercel.app` preview
+      // site calling a production proxy). Both reflect the actual origin.
+      const isPreviewOrigin = Boolean(
+        origin &&
+          (isVercelPreviewRuntime() ||
+            (previewOriginPattern !== null && previewOriginPattern.test(origin)))
+      );
+
       // Determine the CORS origin to allow
       let corsOrigin: string;
       if (!allowedOrigins || allowedOrigins.length === 0) {
@@ -118,6 +188,10 @@ const withCors =
         // In development, allow the actual origin even if not in the list
         // This helps with local development where ports might vary
         corsOrigin = origin;
+      } else if (isPreviewOrigin && origin) {
+        // Vercel preview deployment (or a configured preview origin): reflect the
+        // dynamic per-branch origin that can't be enumerated in allowedOrigins.
+        corsOrigin = origin;
       } else {
         // Production: origin not allowed - reject by not setting CORS headers
         // Return error for preflight, or continue without CORS headers
@@ -152,7 +226,10 @@ export const createChatProxyApp = (options: ChatProxyOptions = {}) => {
   const feedbackPath = options.feedbackPath ?? "/api/feedback";
   const upstream = options.upstreamUrl ?? DEFAULT_ENDPOINT;
 
-  app.use("*", withCors(options.allowedOrigins));
+  const previewOriginPattern = resolvePreviewOriginPattern(
+    options.previewOriginPattern
+  );
+  app.use("*", withCors(options.allowedOrigins, previewOriginPattern));
 
   // Feedback endpoint for collecting upvote/downvote data
   app.post(feedbackPath, async (c) => {
@@ -280,6 +357,20 @@ export const createChatProxyApp = (options: ChatProxyOptions = {}) => {
       } else {
         runtypePayload.flow = flowConfig;
       }
+
+      // WebMCP: forward page-discovered tools so the upstream flow's agent step
+      // can call them. The widget snapshots `document.modelContext` per turn and
+      // ships them as `clientTools[]`; the flow-dispatch payload is rebuilt from
+      // scratch above, so without this they'd be silently dropped and the agent
+      // would never see the page tools. (Agent mode forwards the payload as-is,
+      // so it already carries `clientTools`.) The matching results come back via
+      // the `${path}/resume` endpoint below.
+      if (
+        Array.isArray(clientPayload.clientTools) &&
+        clientPayload.clientTools.length > 0
+      ) {
+        runtypePayload.clientTools = clientPayload.clientTools;
+      }
     }
 
     // Development only: do not log key material or full bodies in production.