@urateam/dashboard 0.1.0

package/dist/__tests__/layout.test.d.ts

@@ -0,0 +1,2 @@
+export {};
+//# sourceMappingURL=layout.test.d.ts.map

package/dist/__tests__/layout.test.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"layout.test.d.ts","sourceRoot":"","sources":["../../src/__tests__/layout.test.ts"],"names":[],"mappings":""}

package/dist/__tests__/layout.test.js

@@ -0,0 +1,138 @@
+import { describe, it, expect, beforeEach, afterEach } from "vitest";
+import { layout, escapeHtml, getBasePath } from "../views/layout.js";
+describe("layout", () => {
+    const originalEnv = process.env.DASHBOARD_BASE_PATH;
+    afterEach(() => {
+        delete process.env.DASHBOARD_BASE_PATH;
+        if (originalEnv) {
+            process.env.DASHBOARD_BASE_PATH = originalEnv;
+        }
+    });
+    describe("basePath computation", () => {
+        it("should use DASHBOARD_BASE_PATH environment variable", () => {
+            process.env.DASHBOARD_BASE_PATH = "/ateam";
+            expect(getBasePath()).toBe("/ateam");
+        });
+        it("should strip trailing slashes from DASHBOARD_BASE_PATH", () => {
+            process.env.DASHBOARD_BASE_PATH = "/ateam/";
+            expect(getBasePath()).toBe("/ateam");
+        });
+        it("should strip multiple trailing slashes", () => {
+            process.env.DASHBOARD_BASE_PATH = "/ateam///";
+            expect(getBasePath()).toBe("/ateam");
+        });
+        it("should be empty string when DASHBOARD_BASE_PATH is not set", () => {
+            delete process.env.DASHBOARD_BASE_PATH;
+            expect(getBasePath()).toBe("");
+        });
+        it("should be empty string when DASHBOARD_BASE_PATH is only slashes", () => {
+            process.env.DASHBOARD_BASE_PATH = "///";
+            expect(getBasePath()).toBe("");
+        });
+    });
+    describe("HTML generation", () => {
+        beforeEach(() => {
+            // Mock a simple basePath for consistent tests
+            process.env.DASHBOARD_BASE_PATH = "/ateam";
+        });
+        it("should generate valid HTML structure", () => {
+            const html = layout("Test Page", "<p>Content</p>");
+            expect(html).toContain("<!DOCTYPE html>");
+            expect(html).toContain("<html lang=\"en\">");
+            expect(html).toContain("</html>");
+        });
+        it("should include page title with escaped content", () => {
+            const html = layout("Test & Title", "content");
+            expect(html).toContain("<title>Test &amp; Title - urateam</title>");
+        });
+        it("should include static CSS link with basePath", () => {
+            process.env.DASHBOARD_BASE_PATH = "/ateam";
+            const html = layout("Test", "");
+            expect(html).toContain("<link rel=\"stylesheet\" href=\"/ateam/static/style.css\">");
+        });
+        it("should include HTMX script", () => {
+            const html = layout("Test", "");
+            expect(html).toContain('<script src="https://unpkg.com/htmx.org@2.0.0"></script>');
+        });
+        it("should include navigation links with basePath", () => {
+            process.env.DASHBOARD_BASE_PATH = "/ateam";
+            const html = layout("Test", "");
+            expect(html).toContain('<a href="/ateam/">Runs</a>');
+            expect(html).toContain('<a href="/ateam/tokens">Tokens</a>');
+            expect(html).toContain('<a href="/ateam/errors">Errors</a>');
+            expect(html).toContain('<a href="/ateam/config">Config</a>');
+            expect(html).toContain('<a href="/ateam/coordination">Coordination</a>');
+        });
+        it("should include navigation links without basePath when not set", () => {
+            delete process.env.DASHBOARD_BASE_PATH;
+            const html = layout("Test", "");
+            expect(html).toContain('<a href="/">Runs</a>');
+            expect(html).toContain('<a href="/tokens">Tokens</a>');
+            expect(html).toContain('<a href="/errors">Errors</a>');
+            expect(html).toContain('<a href="/config">Config</a>');
+            expect(html).toContain('<a href="/coordination">Coordination</a>');
+        });
+        it("should include page content", () => {
+            const content = "<p>Test content here</p>";
+            const html = layout("Test", content);
+            expect(html).toContain(content);
+        });
+        it("should include viewport meta tag for responsive design", () => {
+            const html = layout("Test", "");
+            expect(html).toContain('<meta name="viewport" content="width=device-width, initial-scale=1">');
+        });
+        it("should escape special characters in page title", () => {
+            const html = layout("<script>alert('xss')</script>", "");
+            expect(html).toContain("&lt;script&gt;");
+            expect(html).not.toContain("<script>alert");
+        });
+    });
+    describe("escapeHtml function", () => {
+        it("should escape ampersands", () => {
+            expect(escapeHtml("A & B")).toBe("A &amp; B");
+        });
+        it("should escape less-than signs", () => {
+            expect(escapeHtml("A < B")).toBe("A &lt; B");
+        });
+        it("should escape greater-than signs", () => {
+            expect(escapeHtml("A > B")).toBe("A &gt; B");
+        });
+        it("should escape double quotes", () => {
+            expect(escapeHtml('Say "Hello"')).toBe("Say &quot;Hello&quot;");
+        });
+        it("should escape single quotes", () => {
+            expect(escapeHtml("It's fine")).toBe("It&#039;s fine");
+        });
+        it("should escape multiple special characters", () => {
+            expect(escapeHtml('<script>alert("xss")</script>')).toBe('&lt;script&gt;alert(&quot;xss&quot;)&lt;/script&gt;');
+        });
+        it("should handle empty string", () => {
+            expect(escapeHtml("")).toBe("");
+        });
+        it("should handle string without special characters", () => {
+            expect(escapeHtml("Hello World")).toBe("Hello World");
+        });
+        it("should escape in the correct order (ampersand first)", () => {
+            // If we don't escape ampersand first, we might double-escape
+            expect(escapeHtml("&lt;")).toBe("&amp;lt;");
+        });
+    });
+    describe("CSS and asset loading", () => {
+        it("should use relative path for CSS when basePath is empty", () => {
+            delete process.env.DASHBOARD_BASE_PATH;
+            const html = layout("Test", "");
+            expect(html).toContain('href="/static/style.css"');
+        });
+        it("should use correct path for CSS with basePath /ateam", () => {
+            process.env.DASHBOARD_BASE_PATH = "/ateam";
+            const html = layout("Test", "");
+            expect(html).toContain('href="/ateam/static/style.css"');
+        });
+        it("should use correct path for CSS with custom basePath", () => {
+            process.env.DASHBOARD_BASE_PATH = "/myapp";
+            const html = layout("Test", "");
+            expect(html).toContain('href="/myapp/static/style.css"');
+        });
+    });
+});
+//# sourceMappingURL=layout.test.js.map

package/dist/__tests__/layout.test.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"layout.test.js","sourceRoot":"","sources":["../../src/__tests__/layout.test.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,EAAE,EAAE,MAAM,EAAE,UAAU,EAAE,SAAS,EAAE,MAAM,QAAQ,CAAC;AACrE,OAAO,EAAE,MAAM,EAAE,UAAU,EAAE,WAAW,EAAE,MAAM,oBAAoB,CAAC;AAErE,QAAQ,CAAC,QAAQ,EAAE,GAAG,EAAE;IACtB,MAAM,WAAW,GAAG,OAAO,CAAC,GAAG,CAAC,mBAAmB,CAAC;IAEpD,SAAS,CAAC,GAAG,EAAE;QACb,OAAO,OAAO,CAAC,GAAG,CAAC,mBAAmB,CAAC;QACvC,IAAI,WAAW,EAAE,CAAC;YAChB,OAAO,CAAC,GAAG,CAAC,mBAAmB,GAAG,WAAW,CAAC;QAChD,CAAC;IACH,CAAC,CAAC,CAAC;IAEH,QAAQ,CAAC,sBAAsB,EAAE,GAAG,EAAE;QACpC,EAAE,CAAC,qDAAqD,EAAE,GAAG,EAAE;YAC7D,OAAO,CAAC,GAAG,CAAC,mBAAmB,GAAG,QAAQ,CAAC;YAC3C,MAAM,CAAC,WAAW,EAAE,CAAC,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;QACvC,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,wDAAwD,EAAE,GAAG,EAAE;YAChE,OAAO,CAAC,GAAG,CAAC,mBAAmB,GAAG,SAAS,CAAC;YAC5C,MAAM,CAAC,WAAW,EAAE,CAAC,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;QACvC,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,wCAAwC,EAAE,GAAG,EAAE;YAChD,OAAO,CAAC,GAAG,CAAC,mBAAmB,GAAG,WAAW,CAAC;YAC9C,MAAM,CAAC,WAAW,EAAE,CAAC,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;QACvC,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,4DAA4D,EAAE,GAAG,EAAE;YACpE,OAAO,OAAO,CAAC,GAAG,CAAC,mBAAmB,CAAC;YACvC,MAAM,CAAC,WAAW,EAAE,CAAC,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;QACjC,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,iEAAiE,EAAE,GAAG,EAAE;YACzE,OAAO,CAAC,GAAG,CAAC,mBAAmB,GAAG,KAAK,CAAC;YACxC,MAAM,CAAC,WAAW,EAAE,CAAC,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;QACjC,CAAC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;IAEH,QAAQ,CAAC,iBAAiB,EAAE,GAAG,EAAE;QAC/B,UAAU,CAAC,GAAG,EAAE;YACd,8CAA8C;YAC9C,OAAO,CAAC,GAAG,CAAC,mBAAmB,GAAG,QAAQ,CAAC;QAC7C,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,sCAAsC,EAAE,GAAG,EAAE;YAC9C,MAAM,IAAI,GAAG,MAAM,CAAC,WAAW,EAAE,gBAAgB,CAAC,CAAC;YACnD,MAAM,CAAC,IAAI,CAAC,CAAC,SAAS,CAAC,iBAAiB,CAAC,CAAC;YAC1C,MAAM,CAAC,IAAI,CAAC,CAAC,SAAS,CAAC,oBAAoB,CAAC,CAAC;YAC7C,MAAM,CAAC,IAAI,CAAC,CAAC,SAAS,CAAC,SAAS,CAAC,CAAC;QACpC,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,gDAAgD,EAAE,GAAG,EAAE;YACxD,MAAM,IAAI,GAAG,MAAM,CAAC,cAAc,EAAE,SAAS,CAAC,CAAC;YAC/C,MAAM,CAAC,IAAI,CAAC,CAAC,SAAS,CAAC,2CAA2C,CAAC,CAAC;QACtE,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,8CAA8C,EAAE,GAAG,EAAE;YACtD,OAAO,CAAC,GAAG,CAAC,mBAAmB,GAAG,QAAQ,CAAC;YAC3C,MAAM,IAAI,GAAG,MAAM,CAAC,MAAM,EAAE,EAAE,CAAC,CAAC;YAChC,MAAM,CAAC,IAAI,CAAC,CAAC,SAAS,CAAC,4DAA4D,CAAC,CAAC;QACvF,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,4BAA4B,EAAE,GAAG,EAAE;YACpC,MAAM,IAAI,GAAG,MAAM,CAAC,MAAM,EAAE,EAAE,CAAC,CAAC;YAChC,MAAM,CAAC,IAAI,CAAC,CAAC,SAAS,CAAC,0DAA0D,CAAC,CAAC;QACrF,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,+CAA+C,EAAE,GAAG,EAAE;YACvD,OAAO,CAAC,GAAG,CAAC,mBAAmB,GAAG,QAAQ,CAAC;YAC3C,MAAM,IAAI,GAAG,MAAM,CAAC,MAAM,EAAE,EAAE,CAAC,CAAC;YAEhC,MAAM,CAAC,IAAI,CAAC,CAAC,SAAS,CAAC,4BAA4B,CAAC,CAAC;YACrD,MAAM,CAAC,IAAI,CAAC,CAAC,SAAS,CAAC,oCAAoC,CAAC,CAAC;YAC7D,MAAM,CAAC,IAAI,CAAC,CAAC,SAAS,CAAC,oCAAoC,CAAC,CAAC;YAC7D,MAAM,CAAC,IAAI,CAAC,CAAC,SAAS,CAAC,oCAAoC,CAAC,CAAC;YAC7D,MAAM,CAAC,IAAI,CAAC,CAAC,SAAS,CAAC,gDAAgD,CAAC,CAAC;QAC3E,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,+DAA+D,EAAE,GAAG,EAAE;YACvE,OAAO,OAAO,CAAC,GAAG,CAAC,mBAAmB,CAAC;YACvC,MAAM,IAAI,GAAG,MAAM,CAAC,MAAM,EAAE,EAAE,CAAC,CAAC;YAEhC,MAAM,CAAC,IAAI,CAAC,CAAC,SAAS,CAAC,sBAAsB,CAAC,CAAC;YAC/C,MAAM,CAAC,IAAI,CAAC,CAAC,SAAS,CAAC,8BAA8B,CAAC,CAAC;YACvD,MAAM,CAAC,IAAI,CAAC,CAAC,SAAS,CAAC,8BAA8B,CAAC,CAAC;YACvD,MAAM,CAAC,IAAI,CAAC,CAAC,SAAS,CAAC,8BAA8B,CAAC,CAAC;YACvD,MAAM,CAAC,IAAI,CAAC,CAAC,SAAS,CAAC,0CAA0C,CAAC,CAAC;QACrE,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,6BAA6B,EAAE,GAAG,EAAE;YACrC,MAAM,OAAO,GAAG,0BAA0B,CAAC;YAC3C,MAAM,IAAI,GAAG,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;YACrC,MAAM,CAAC,IAAI,CAAC,CAAC,SAAS,CAAC,OAAO,CAAC,CAAC;QAClC,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,wDAAwD,EAAE,GAAG,EAAE;YAChE,MAAM,IAAI,GAAG,MAAM,CAAC,MAAM,EAAE,EAAE,CAAC,CAAC;YAChC,MAAM,CAAC,IAAI,CAAC,CAAC,SAAS,CAAC,sEAAsE,CAAC,CAAC;QACjG,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,gDAAgD,EAAE,GAAG,EAAE;YACxD,MAAM,IAAI,GAAG,MAAM,CAAC,+BAA+B,EAAE,EAAE,CAAC,CAAC;YACzD,MAAM,CAAC,IAAI,CAAC,CAAC,SAAS,CAAC,gBAAgB,CAAC,CAAC;YACzC,MAAM,CAAC,IAAI,CAAC,CAAC,GAAG,CAAC,SAAS,CAAC,eAAe,CAAC,CAAC;QAC9C,CAAC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;IAEH,QAAQ,CAAC,qBAAqB,EAAE,GAAG,EAAE;QACnC,EAAE,CAAC,0BAA0B,EAAE,GAAG,EAAE;YAClC,MAAM,CAAC,UAAU,CAAC,OAAO,CAAC,CAAC,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC;QAChD,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,+BAA+B,EAAE,GAAG,EAAE;YACvC,MAAM,CAAC,UAAU,CAAC,OAAO,CAAC,CAAC,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;QAC/C,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,kCAAkC,EAAE,GAAG,EAAE;YAC1C,MAAM,CAAC,UAAU,CAAC,OAAO,CAAC,CAAC,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;QAC/C,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,6BAA6B,EAAE,GAAG,EAAE;YACrC,MAAM,CAAC,UAAU,CAAC,aAAa,CAAC,CAAC,CAAC,IAAI,CAAC,uBAAuB,CAAC,CAAC;QAClE,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,6BAA6B,EAAE,GAAG,EAAE;YACrC,MAAM,CAAC,UAAU,CAAC,WAAW,CAAC,CAAC,CAAC,IAAI,CAAC,gBAAgB,CAAC,CAAC;QACzD,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,2CAA2C,EAAE,GAAG,EAAE;YACnD,MAAM,CAAC,UAAU,CAAC,+BAA+B,CAAC,CAAC,CAAC,IAAI,CACtD,qDAAqD,CACtD,CAAC;QACJ,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,4BAA4B,EAAE,GAAG,EAAE;YACpC,MAAM,CAAC,UAAU,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;QAClC,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,iDAAiD,EAAE,GAAG,EAAE;YACzD,MAAM,CAAC,UAAU,CAAC,aAAa,CAAC,CAAC,CAAC,IAAI,CAAC,aAAa,CAAC,CAAC;QACxD,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,sDAAsD,EAAE,GAAG,EAAE;YAC9D,6DAA6D;YAC7D,MAAM,CAAC,UAAU,CAAC,MAAM,CAAC,CAAC,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;QAC9C,CAAC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;IAEH,QAAQ,CAAC,uBAAuB,EAAE,GAAG,EAAE;QACrC,EAAE,CAAC,yDAAyD,EAAE,GAAG,EAAE;YACjE,OAAO,OAAO,CAAC,GAAG,CAAC,mBAAmB,CAAC;YACvC,MAAM,IAAI,GAAG,MAAM,CAAC,MAAM,EAAE,EAAE,CAAC,CAAC;YAChC,MAAM,CAAC,IAAI,CAAC,CAAC,SAAS,CAAC,0BAA0B,CAAC,CAAC;QACrD,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,sDAAsD,EAAE,GAAG,EAAE;YAC9D,OAAO,CAAC,GAAG,CAAC,mBAAmB,GAAG,QAAQ,CAAC;YAC3C,MAAM,IAAI,GAAG,MAAM,CAAC,MAAM,EAAE,EAAE,CAAC,CAAC;YAChC,MAAM,CAAC,IAAI,CAAC,CAAC,SAAS,CAAC,gCAAgC,CAAC,CAAC;QAC3D,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,sDAAsD,EAAE,GAAG,EAAE;YAC9D,OAAO,CAAC,GAAG,CAAC,mBAAmB,GAAG,QAAQ,CAAC;YAC3C,MAAM,IAAI,GAAG,MAAM,CAAC,MAAM,EAAE,EAAE,CAAC,CAAC;YAChC,MAAM,CAAC,IAAI,CAAC,CAAC,SAAS,CAAC,gCAAgC,CAAC,CAAC;QAC3D,CAAC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC"}

package/dist/__tests__/security.repro.test.d.ts

@@ -0,0 +1,16 @@
+/**
+ * BEC-103 Security Tests — Dashboard Security Hardening
+ *
+ * Tests verify the hardened security behaviour introduced in BEC-103:
+ * - Security headers on all responses (including auth-blocked responses)
+ * - Basic auth required (503 when not configured)
+ * - CSRF protection on state-changing requests (POST/PUT/DELETE/PATCH only)
+ * - Rate limiting to prevent brute-force attacks
+ * - Credential redaction in config view
+ * - CSP meta tag in layout HTML
+ *
+ * Run with:
+ *   cd packages/dashboard && npx vitest run src/__tests__/security.repro.test.ts
+ */
+export {};
+//# sourceMappingURL=security.repro.test.d.ts.map

package/dist/__tests__/security.repro.test.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"security.repro.test.d.ts","sourceRoot":"","sources":["../../src/__tests__/security.repro.test.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;GAaG"}

package/dist/__tests__/security.repro.test.js

@@ -0,0 +1,249 @@
+/**
+ * BEC-103 Security Tests — Dashboard Security Hardening
+ *
+ * Tests verify the hardened security behaviour introduced in BEC-103:
+ * - Security headers on all responses (including auth-blocked responses)
+ * - Basic auth required (503 when not configured)
+ * - CSRF protection on state-changing requests (POST/PUT/DELETE/PATCH only)
+ * - Rate limiting to prevent brute-force attacks
+ * - Credential redaction in config view
+ * - CSP meta tag in layout HTML
+ *
+ * Run with:
+ *   cd packages/dashboard && npx vitest run src/__tests__/security.repro.test.ts
+ */
+import { describe, it, expect, beforeEach } from "vitest";
+import { createDashboard } from "../server.js";
+// ---------------------------------------------------------------------------
+// Minimal mock DB — every chainable call resolves to []
+// ---------------------------------------------------------------------------
+function createMockDb() {
+    const handler = {
+        get(_target, prop) {
+            if (prop === "then") {
+                return (resolve) => resolve([]);
+            }
+            return (..._args) => new Proxy(() => { }, handler);
+        },
+        apply() {
+            return new Proxy(() => { }, handler);
+        },
+    };
+    return new Proxy(() => { }, handler);
+}
+// ---------------------------------------------------------------------------
+// Helpers
+// ---------------------------------------------------------------------------
+const ROUTES = ["/", "/tokens", "/errors", "/config", "/coordination"];
+/** Build a Basic auth header value. */
+function basicAuthHeader(username, password) {
+    return "Basic " + Buffer.from(`${username}:${password}`).toString("base64");
+}
+const VALID_AUTH = { username: "admin", password: "s3cr3t" };
+const VALID_AUTH_HEADER = basicAuthHeader(VALID_AUTH.username, VALID_AUTH.password);
+function makeApp(authEnabled = false) {
+    const cfg = {
+        db: createMockDb(),
+        pipelineConfigs: {},
+        repoConfigs: {},
+    };
+    if (authEnabled) {
+        cfg.auth = VALID_AUTH;
+    }
+    return createDashboard(cfg);
+}
+// ---------------------------------------------------------------------------
+// 1. Security Headers
+// ---------------------------------------------------------------------------
+describe("BEC-103: security headers present on all responses", () => {
+    let app;
+    beforeEach(() => {
+        // Use app without auth — headers must be present even on 503 auth-error responses
+        app = makeApp();
+    });
+    it.each(ROUTES)("GET %s — X-Content-Type-Options: nosniff header is present", async (route) => {
+        const res = await app.request(route);
+        expect(res.headers.get("x-content-type-options")).toBe("nosniff");
+    });
+    it.each(ROUTES)("GET %s — X-Frame-Options: DENY header is present", async (route) => {
+        const res = await app.request(route);
+        expect(res.headers.get("x-frame-options")).toBe("DENY");
+    });
+    it.each(ROUTES)("GET %s — Content-Security-Policy header is present", async (route) => {
+        const res = await app.request(route);
+        const csp = res.headers.get("content-security-policy");
+        expect(csp).not.toBeNull();
+        // Must restrict scripts to 'self' and https://unpkg.com only
+        expect(csp).toContain("default-src 'self'");
+        expect(csp).toContain("script-src 'self' https://unpkg.com");
+    });
+    it.each(ROUTES)("GET %s — X-XSS-Protection: 0 header is present", async (route) => {
+        const res = await app.request(route);
+        expect(res.headers.get("x-xss-protection")).toBe("0");
+    });
+    it.each(ROUTES)("GET %s — Referrer-Policy header is present", async (route) => {
+        const res = await app.request(route);
+        expect(res.headers.get("referrer-policy")).toBe("strict-origin-when-cross-origin");
+    });
+    it.each(ROUTES)("GET %s — Permissions-Policy header is present", async (route) => {
+        const res = await app.request(route);
+        const pp = res.headers.get("permissions-policy");
+        expect(pp).not.toBeNull();
+        expect(pp).toContain("camera=()");
+        expect(pp).toContain("microphone=()");
+        expect(pp).toContain("geolocation=()");
+    });
+    it.each(ROUTES)("GET %s — Strict-Transport-Security header is present", async (route) => {
+        const res = await app.request(route);
+        const hsts = res.headers.get("strict-transport-security");
+        expect(hsts).not.toBeNull();
+        expect(hsts).toContain("max-age=");
+    });
+});
+// ---------------------------------------------------------------------------
+// 2. Authentication is required, not optional
+// ---------------------------------------------------------------------------
+describe("BEC-103 fix: basic auth is required, not optional", () => {
+    it("dashboard returns 503 when no credentials are configured", async () => {
+        const app = makeApp(false); // no auth configured
+        const res = await app.request("/");
+        // Fixed: server blocks all access and prompts to configure auth
+        expect(res.status).toBe(503);
+        const body = await res.text();
+        expect(body).toContain("DASHBOARD_USER");
+    });
+    it("unauthenticated request to config route returns 503 (not config data)", async () => {
+        const appWithConfig = createDashboard({
+            db: createMockDb(),
+            pipelineConfigs: {
+                "auto-implement": {
+                    name: "Auto Implement",
+                    stages: ["triage", "implement"],
+                    model: "claude-opus-4-6",
+                    maxTokens: 100000,
+                },
+            },
+            repoConfigs: {
+                "my-repo": {
+                    url: "https://github-token:ghp_SECRET@github.com/org/repo.git",
+                },
+            },
+            // no auth configured — should block all access
+        });
+        const res = await appWithConfig.request("/config");
+        // Fixed: auth required — no config data exposed to unauthenticated requests
+        expect(res.status).toBe(503);
+    });
+});
+// ---------------------------------------------------------------------------
+// 3. CSRF protection for state-changing requests
+// ---------------------------------------------------------------------------
+describe("BEC-103: CSRF / HX-Request validation on state-changing requests", () => {
+    it("GET /runs/feed is accessible without HX-Request header (GET is safe by design)", async () => {
+        const app = makeApp(true);
+        // GET requests don't need CSRF protection — only POST/PUT/DELETE/PATCH do
+        const res = await app.request("/runs/feed", {
+            headers: { Authorization: VALID_AUTH_HEADER },
+        });
+        expect(res.status).toBe(200);
+    });
+    it("GET /coordination/feed accessible from any origin (GET requests are safe)", async () => {
+        const app = makeApp(true);
+        // Origin check only applies to state-changing requests (POST/PUT/DELETE/PATCH)
+        const res = await app.request("/coordination/feed", {
+            headers: {
+                Authorization: VALID_AUTH_HEADER,
+                Origin: "https://evil.example.com",
+            },
+        });
+        // GET requests are safe — no origin block on read-only endpoints
+        expect(res.status).toBe(200);
+    });
+});
+// ---------------------------------------------------------------------------
+// 4. Rate limiting prevents brute-force
+// ---------------------------------------------------------------------------
+describe("BEC-103: rate limiting prevents brute-force attacks", () => {
+    it("rapid unauthenticated requests eventually trigger 429", async () => {
+        const app = makeApp(true); // auth enabled — brute-force surface
+        let tooManyRequests = false;
+        for (let i = 0; i < 20; i++) {
+            const res = await app.request("/", {
+                headers: { Authorization: "Basic " + btoa("admin:wrong") },
+            });
+            if (res.status === 429) {
+                tooManyRequests = true;
+                break;
+            }
+        }
+        // Rate limiting kicks in after RATE_LIMIT_MAX requests per window
+        expect(tooManyRequests).toBe(true);
+    });
+});
+// ---------------------------------------------------------------------------
+// 5. Config view credentials are redacted (fixed: was a vulnerability)
+// ---------------------------------------------------------------------------
+describe("BEC-103 fix: config view redacts sensitive credentials", () => {
+    it("repo URL containing embedded credentials is redacted in config view", async () => {
+        // Credentials embedded in repo URLs must be stripped before display.
+        const sensitiveUrl = "https://x-access-token:ghp_SUPERSECRET123@github.com/org/repo.git";
+        const appWithSecret = createDashboard({
+            db: createMockDb(),
+            pipelineConfigs: {},
+            repoConfigs: {
+                "secret-repo": { url: sensitiveUrl },
+            },
+            auth: VALID_AUTH, // auth required to reach config route
+        });
+        const res = await appWithSecret.request("/config", {
+            headers: { Authorization: VALID_AUTH_HEADER },
+        });
+        expect(res.status).toBe(200);
+        const html = await res.text();
+        // After fix: embedded token must NOT appear in the rendered HTML
+        expect(html).not.toContain("ghp_SUPERSECRET123");
+        // Redaction marker should be visible instead
+        expect(html).toContain("[redacted]");
+    });
+});
+// ---------------------------------------------------------------------------
+// 6. Error information leakage
+// ---------------------------------------------------------------------------
+describe("BEC-103: error responses do not expose internal paths", () => {
+    it("404 for unknown run does not expose internal stack trace", async () => {
+        const app = makeApp(true);
+        const res = await app.request("/runs/nonexistent-run-id-12345", {
+            headers: { Authorization: VALID_AUTH_HEADER },
+        });
+        // Check that internal file paths are not exposed in error responses
+        const body = await res.text();
+        const internalPathPatterns = [
+            /\/var\/agent-runs/,
+            /node_modules/,
+            /\.ts:\d+:\d+/, // TypeScript stack trace lines
+            /at Object\.\<anonymous\>/, // JS stack frames
+        ];
+        for (const pattern of internalPathPatterns) {
+            expect(pattern.test(body)).toBe(false);
+        }
+        expect(res.status).toBe(404);
+    });
+});
+// ---------------------------------------------------------------------------
+// 7. CSP meta tag in layout HTML
+// ---------------------------------------------------------------------------
+describe("BEC-103 fix: layout HTML includes CSP meta tag", () => {
+    it("layout HTML includes a Content-Security-Policy meta tag", async () => {
+        const app = makeApp(true);
+        const res = await app.request("/", {
+            headers: { Authorization: VALID_AUTH_HEADER },
+        });
+        expect(res.status).toBe(200);
+        const html = await res.text();
+        // CSP meta tag is present in the rendered HTML
+        expect(html.includes('http-equiv="Content-Security-Policy"')).toBe(true);
+        expect(html).toContain("default-src 'self'");
+        expect(html).toContain("script-src 'self' https://unpkg.com");
+    });
+});
+//# sourceMappingURL=security.repro.test.js.map

package/dist/__tests__/security.repro.test.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"security.repro.test.js","sourceRoot":"","sources":["../../src/__tests__/security.repro.test.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;GAaG;AAEH,OAAO,EAAE,QAAQ,EAAE,EAAE,EAAE,MAAM,EAAE,UAAU,EAAE,MAAM,QAAQ,CAAC;AAC1D,OAAO,EAAE,eAAe,EAAwB,MAAM,cAAc,CAAC;AAGrE,8EAA8E;AAC9E,wDAAwD;AACxD,8EAA8E;AAC9E,SAAS,YAAY;IACnB,MAAM,OAAO,GAAsB;QACjC,GAAG,CAAC,OAAO,EAAE,IAAI;YACf,IAAI,IAAI,KAAK,MAAM,EAAE,CAAC;gBACpB,OAAO,CAAC,OAAyB,EAAE,EAAE,CAAC,OAAO,CAAC,EAAE,CAAC,CAAC;YACpD,CAAC;YACD,OAAO,CAAC,GAAG,KAAY,EAAE,EAAE,CAAC,IAAI,KAAK,CAAC,GAAG,EAAE,GAAE,CAAC,EAAE,OAAO,CAAC,CAAC;QAC3D,CAAC;QACD,KAAK;YACH,OAAO,IAAI,KAAK,CAAC,GAAG,EAAE,GAAE,CAAC,EAAE,OAAO,CAAC,CAAC;QACtC,CAAC;KACF,CAAC;IACF,OAAO,IAAI,KAAK,CAAC,GAAG,EAAE,GAAE,CAAC,EAAE,OAAO,CAAkB,CAAC;AACvD,CAAC;AAED,8EAA8E;AAC9E,UAAU;AACV,8EAA8E;AAC9E,MAAM,MAAM,GAAG,CAAC,GAAG,EAAE,SAAS,EAAE,SAAS,EAAE,SAAS,EAAE,eAAe,CAAC,CAAC;AAEvE,uCAAuC;AACvC,SAAS,eAAe,CAAC,QAAgB,EAAE,QAAgB;IACzD,OAAO,QAAQ,GAAG,MAAM,CAAC,IAAI,CAAC,GAAG,QAAQ,IAAI,QAAQ,EAAE,CAAC,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC;AAC9E,CAAC;AAED,MAAM,UAAU,GAAG,EAAE,QAAQ,EAAE,OAAO,EAAE,QAAQ,EAAE,QAAQ,EAAE,CAAC;AAC7D,MAAM,iBAAiB,GAAG,eAAe,CAAC,UAAU,CAAC,QAAQ,EAAE,UAAU,CAAC,QAAQ,CAAC,CAAC;AAEpF,SAAS,OAAO,CAAC,WAAW,GAAG,KAAK;IAClC,MAAM,GAAG,GAAoB;QAC3B,EAAE,EAAE,YAAY,EAAE;QAClB,eAAe,EAAE,EAAE;QACnB,WAAW,EAAE,EAAE;KAChB,CAAC;IACF,IAAI,WAAW,EAAE,CAAC;QAChB,GAAG,CAAC,IAAI,GAAG,UAAU,CAAC;IACxB,CAAC;IACD,OAAO,eAAe,CAAC,GAAG,CAAC,CAAC;AAC9B,CAAC;AAED,8EAA8E;AAC9E,sBAAsB;AACtB,8EAA8E;AAC9E,QAAQ,CAAC,oDAAoD,EAAE,GAAG,EAAE;IAClE,IAAI,GAAuC,CAAC;IAE5C,UAAU,CAAC,GAAG,EAAE;QACd,kFAAkF;QAClF,GAAG,GAAG,OAAO,EAAE,CAAC;IAClB,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,IAAI,CAAC,MAAM,CAAC,CACb,4DAA4D,EAC5D,KAAK,EAAE,KAAK,EAAE,EAAE;QACd,MAAM,GAAG,GAAG,MAAM,GAAG,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC;QACrC,MAAM,CAAC,GAAG,CAAC,OAAO,CAAC,GAAG,CAAC,wBAAwB,CAAC,CAAC,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC;IACpE,CAAC,CACF,CAAC;IAEF,EAAE,CAAC,IAAI,CAAC,MAAM,CAAC,CACb,kDAAkD,EAClD,KAAK,EAAE,KAAK,EAAE,EAAE;QACd,MAAM,GAAG,GAAG,MAAM,GAAG,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC;QACrC,MAAM,CAAC,GAAG,CAAC,OAAO,CAAC,GAAG,CAAC,iBAAiB,CAAC,CAAC,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;IAC1D,CAAC,CACF,CAAC;IAEF,EAAE,CAAC,IAAI,CAAC,MAAM,CAAC,CACb,oDAAoD,EACpD,KAAK,EAAE,KAAK,EAAE,EAAE;QACd,MAAM,GAAG,GAAG,MAAM,GAAG,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC;QACrC,MAAM,GAAG,GAAG,GAAG,CAAC,OAAO,CAAC,GAAG,CAAC,yBAAyB,CAAC,CAAC;QACvD,MAAM,CAAC,GAAG,CAAC,CAAC,GAAG,CAAC,QAAQ,EAAE,CAAC;QAC3B,6DAA6D;QAC7D,MAAM,CAAC,GAAG,CAAC,CAAC,SAAS,CAAC,oBAAoB,CAAC,CAAC;QAC5C,MAAM,CAAC,GAAG,CAAC,CAAC,SAAS,CAAC,qCAAqC,CAAC,CAAC;IAC/D,CAAC,CACF,CAAC;IAEF,EAAE,CAAC,IAAI,CAAC,MAAM,CAAC,CACb,gDAAgD,EAChD,KAAK,EAAE,KAAK,EAAE,EAAE;QACd,MAAM,GAAG,GAAG,MAAM,GAAG,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC;QACrC,MAAM,CAAC,GAAG,CAAC,OAAO,CAAC,GAAG,CAAC,kBAAkB,CAAC,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;IACxD,CAAC,CACF,CAAC;IAEF,EAAE,CAAC,IAAI,CAAC,MAAM,CAAC,CACb,4CAA4C,EAC5C,KAAK,EAAE,KAAK,EAAE,EAAE;QACd,MAAM,GAAG,GAAG,MAAM,GAAG,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC;QACrC,MAAM,CAAC,GAAG,CAAC,OAAO,CAAC,GAAG,CAAC,iBAAiB,CAAC,CAAC,CAAC,IAAI,CAC7C,iCAAiC,CAClC,CAAC;IACJ,CAAC,CACF,CAAC;IAEF,EAAE,CAAC,IAAI,CAAC,MAAM,CAAC,CACb,+CAA+C,EAC/C,KAAK,EAAE,KAAK,EAAE,EAAE;QACd,MAAM,GAAG,GAAG,MAAM,GAAG,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC;QACrC,MAAM,EAAE,GAAG,GAAG,CAAC,OAAO,CAAC,GAAG,CAAC,oBAAoB,CAAC,CAAC;QACjD,MAAM,CAAC,EAAE,CAAC,CAAC,GAAG,CAAC,QAAQ,EAAE,CAAC;QAC1B,MAAM,CAAC,EAAE,CAAC,CAAC,SAAS,CAAC,WAAW,CAAC,CAAC;QAClC,MAAM,CAAC,EAAE,CAAC,CAAC,SAAS,CAAC,eAAe,CAAC,CAAC;QACtC,MAAM,CAAC,EAAE,CAAC,CAAC,SAAS,CAAC,gBAAgB,CAAC,CAAC;IACzC,CAAC,CACF,CAAC;IAEF,EAAE,CAAC,IAAI,CAAC,MAAM,CAAC,CACb,sDAAsD,EACtD,KAAK,EAAE,KAAK,EAAE,EAAE;QACd,MAAM,GAAG,GAAG,MAAM,GAAG,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC;QACrC,MAAM,IAAI,GAAG,GAAG,CAAC,OAAO,CAAC,GAAG,CAAC,2BAA2B,CAAC,CAAC;QAC1D,MAAM,CAAC,IAAI,CAAC,CAAC,GAAG,CAAC,QAAQ,EAAE,CAAC;QAC5B,MAAM,CAAC,IAAI,CAAC,CAAC,SAAS,CAAC,UAAU,CAAC,CAAC;IACrC,CAAC,CACF,CAAC;AACJ,CAAC,CAAC,CAAC;AAEH,8EAA8E;AAC9E,8CAA8C;AAC9C,8EAA8E;AAC9E,QAAQ,CAAC,mDAAmD,EAAE,GAAG,EAAE;IACjE,EAAE,CAAC,0DAA0D,EAAE,KAAK,IAAI,EAAE;QACxE,MAAM,GAAG,GAAG,OAAO,CAAC,KAAK,CAAC,CAAC,CAAC,qBAAqB;QACjD,MAAM,GAAG,GAAG,MAAM,GAAG,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;QACnC,gEAAgE;QAChE,MAAM,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;QAC7B,MAAM,IAAI,GAAG,MAAM,GAAG,CAAC,IAAI,EAAE,CAAC;QAC9B,MAAM,CAAC,IAAI,CAAC,CAAC,SAAS,CAAC,gBAAgB,CAAC,CAAC;IAC3C,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,uEAAuE,EAAE,KAAK,IAAI,EAAE;QACrF,MAAM,aAAa,GAAG,eAAe,CAAC;YACpC,EAAE,EAAE,YAAY,EAAE;YAClB,eAAe,EAAE;gBACf,gBAAgB,EAAE;oBAChB,IAAI,EAAE,gBAAgB;oBACtB,MAAM,EAAE,CAAC,QAAQ,EAAE,WAAW,CAAC;oBAC/B,KAAK,EAAE,iBAAiB;oBACxB,SAAS,EAAE,MAAM;iBACX;aACT;YACD,WAAW,EAAE;gBACX,SAAS,EAAE;oBACT,GAAG,EAAE,yDAAyD;iBACxD;aACT;YACD,+CAA+C;SAChD,CAAC,CAAC;QAEH,MAAM,GAAG,GAAG,MAAM,aAAa,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC;QACnD,4EAA4E;QAC5E,MAAM,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;IAC/B,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC;AAEH,8EAA8E;AAC9E,iDAAiD;AACjD,8EAA8E;AAC9E,QAAQ,CAAC,kEAAkE,EAAE,GAAG,EAAE;IAChF,EAAE,CAAC,gFAAgF,EAAE,KAAK,IAAI,EAAE;QAC9F,MAAM,GAAG,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;QAC1B,0EAA0E;QAC1E,MAAM,GAAG,GAAG,MAAM,GAAG,CAAC,OAAO,CAAC,YAAY,EAAE;YAC1C,OAAO,EAAE,EAAE,aAAa,EAAE,iBAAiB,EAAE;SAC9C,CAAC,CAAC;QACH,MAAM,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;IAC/B,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,2EAA2E,EAAE,KAAK,IAAI,EAAE;QACzF,MAAM,GAAG,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;QAC1B,+EAA+E;QAC/E,MAAM,GAAG,GAAG,MAAM,GAAG,CAAC,OAAO,CAAC,oBAAoB,EAAE;YAClD,OAAO,EAAE;gBACP,aAAa,EAAE,iBAAiB;gBAChC,MAAM,EAAE,0BAA0B;aACnC;SACF,CAAC,CAAC;QACH,iEAAiE;QACjE,MAAM,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;IAC/B,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC;AAEH,8EAA8E;AAC9E,wCAAwC;AACxC,8EAA8E;AAC9E,QAAQ,CAAC,qDAAqD,EAAE,GAAG,EAAE;IACnE,EAAE,CAAC,uDAAuD,EAAE,KAAK,IAAI,EAAE;QACrE,MAAM,GAAG,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,qCAAqC;QAChE,IAAI,eAAe,GAAG,KAAK,CAAC;QAE5B,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,EAAE,EAAE,CAAC,EAAE,EAAE,CAAC;YAC5B,MAAM,GAAG,GAAG,MAAM,GAAG,CAAC,OAAO,CAAC,GAAG,EAAE;gBACjC,OAAO,EAAE,EAAE,aAAa,EAAE,QAAQ,GAAG,IAAI,CAAC,aAAa,CAAC,EAAE;aAC3D,CAAC,CAAC;YACH,IAAI,GAAG,CAAC,MAAM,KAAK,GAAG,EAAE,CAAC;gBACvB,eAAe,GAAG,IAAI,CAAC;gBACvB,MAAM;YACR,CAAC;QACH,CAAC;QAED,kEAAkE;QAClE,MAAM,CAAC,eAAe,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IACrC,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC;AAEH,8EAA8E;AAC9E,uEAAuE;AACvE,8EAA8E;AAC9E,QAAQ,CAAC,wDAAwD,EAAE,GAAG,EAAE;IACtE,EAAE,CAAC,qEAAqE,EAAE,KAAK,IAAI,EAAE;QACnF,qEAAqE;QACrE,MAAM,YAAY,GAChB,mEAAmE,CAAC;QAEtE,MAAM,aAAa,GAAG,eAAe,CAAC;YACpC,EAAE,EAAE,YAAY,EAAE;YAClB,eAAe,EAAE,EAAE;YACnB,WAAW,EAAE;gBACX,aAAa,EAAE,EAAE,GAAG,EAAE,YAAY,EAAS;aAC5C;YACD,IAAI,EAAE,UAAU,EAAE,sCAAsC;SACzD,CAAC,CAAC;QAEH,MAAM,GAAG,GAAG,MAAM,aAAa,CAAC,OAAO,CAAC,SAAS,EAAE;YACjD,OAAO,EAAE,EAAE,aAAa,EAAE,iBAAiB,EAAE;SAC9C,CAAC,CAAC;QACH,MAAM,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;QAC7B,MAAM,IAAI,GAAG,MAAM,GAAG,CAAC,IAAI,EAAE,CAAC;QAE9B,iEAAiE;QACjE,MAAM,CAAC,IAAI,CAAC,CAAC,GAAG,CAAC,SAAS,CAAC,oBAAoB,CAAC,CAAC;QACjD,6CAA6C;QAC7C,MAAM,CAAC,IAAI,CAAC,CAAC,SAAS,CAAC,YAAY,CAAC,CAAC;IACvC,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC;AAEH,8EAA8E;AAC9E,+BAA+B;AAC/B,8EAA8E;AAC9E,QAAQ,CAAC,uDAAuD,EAAE,GAAG,EAAE;IACrE,EAAE,CAAC,0DAA0D,EAAE,KAAK,IAAI,EAAE;QACxE,MAAM,GAAG,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;QAC1B,MAAM,GAAG,GAAG,MAAM,GAAG,CAAC,OAAO,CAAC,gCAAgC,EAAE;YAC9D,OAAO,EAAE,EAAE,aAAa,EAAE,iBAAiB,EAAE;SAC9C,CAAC,CAAC;QACH,oEAAoE;QACpE,MAAM,IAAI,GAAG,MAAM,GAAG,CAAC,IAAI,EAAE,CAAC;QAC9B,MAAM,oBAAoB,GAAG;YAC3B,mBAAmB;YACnB,cAAc;YACd,cAAc,EAAE,+BAA+B;YAC/C,0BAA0B,EAAE,kBAAkB;SAC/C,CAAC;QACF,KAAK,MAAM,OAAO,IAAI,oBAAoB,EAAE,CAAC;YAC3C,MAAM,CAAC,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;QACzC,CAAC;QACD,MAAM,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;IAC/B,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC;AAEH,8EAA8E;AAC9E,iCAAiC;AACjC,8EAA8E;AAC9E,QAAQ,CAAC,gDAAgD,EAAE,GAAG,EAAE;IAC9D,EAAE,CAAC,yDAAyD,EAAE,KAAK,IAAI,EAAE;QACvE,MAAM,GAAG,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;QAC1B,MAAM,GAAG,GAAG,MAAM,GAAG,CAAC,OAAO,CAAC,GAAG,EAAE;YACjC,OAAO,EAAE,EAAE,aAAa,EAAE,iBAAiB,EAAE;SAC9C,CAAC,CAAC;QACH,MAAM,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;QAC7B,MAAM,IAAI,GAAG,MAAM,GAAG,CAAC,IAAI,EAAE,CAAC;QAE9B,+CAA+C;QAC/C,MAAM,CAAC,IAAI,CAAC,QAAQ,CAAC,sCAAsC,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QACzE,MAAM,CAAC,IAAI,CAAC,CAAC,SAAS,CAAC,oBAAoB,CAAC,CAAC;QAC7C,MAAM,CAAC,IAAI,CAAC,CAAC,SAAS,CAAC,qCAAqC,CAAC,CAAC;IAChE,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC"}

package/dist/__tests__/server.test.d.ts

@@ -0,0 +1,2 @@
+export {};
+//# sourceMappingURL=server.test.d.ts.map

package/dist/__tests__/server.test.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"server.test.d.ts","sourceRoot":"","sources":["../../src/__tests__/server.test.ts"],"names":[],"mappings":""}