@vellumai/assistant 0.4.37 → 0.4.41

package/src/__tests__/app-migration.test.ts

@@ -0,0 +1,148 @@
+import { existsSync, mkdirSync, readFileSync, rmSync } from "node:fs";
+import { join } from "node:path";
+import { afterEach, beforeEach, describe, expect, mock, test } from "bun:test";
+
+import { migrateAppToMultifile } from "../memory/app-migration.js";
+import { createApp, getApp, getAppsDir } from "../memory/app-store.js";
+
+// Redirect app storage to a temp directory for test isolation
+const tmpDir = join(import.meta.dir, ".tmp-app-migration-test");
+
+mock.module("../util/platform.js", () => ({
+  getDataDir: () => tmpDir,
+  isContainerized: () => false,
+}));
+
+describe("migrateAppToMultifile", () => {
+  beforeEach(() => {
+    mkdirSync(tmpDir, { recursive: true });
+  });
+
+  afterEach(() => {
+    rmSync(tmpDir, { recursive: true, force: true });
+  });
+
+  test("migrates a simple HTML app to src/ layout", () => {
+    const app = createApp({
+      name: "Test App",
+      schemaJson: "{}",
+      htmlDefinition: "<html><body>Hello</body></html>",
+    });
+
+    const result = migrateAppToMultifile(app.id);
+    expect(result.ok).toBe(true);
+    expect(result.error).toBeUndefined();
+
+    const appDir = join(getAppsDir(), app.id);
+
+    // Root index.html is preserved
+    expect(existsSync(join(appDir, "index.html"))).toBe(true);
+    expect(readFileSync(join(appDir, "index.html"), "utf-8")).toBe(
+      "<html><body>Hello</body></html>",
+    );
+
+    // src/index.html created
+    expect(existsSync(join(appDir, "src", "index.html"))).toBe(true);
+
+    // src/main.tsx created
+    const mainTsx = readFileSync(join(appDir, "src", "main.tsx"), "utf-8");
+    expect(mainTsx).toContain("Entry point");
+    // No inline styles in source HTML → no styles.css import
+    expect(mainTsx).not.toContain("import './styles.css'");
+  });
+
+  test("sets formatVersion to 2 after migration", () => {
+    const app = createApp({
+      name: "Version Test",
+      schemaJson: "{}",
+      htmlDefinition: "<html><body>Hi</body></html>",
+    });
+
+    expect(app.formatVersion).toBeUndefined();
+
+    migrateAppToMultifile(app.id);
+
+    const updated = getApp(app.id);
+    expect(updated).not.toBeNull();
+    expect(updated!.formatVersion).toBe(2);
+  });
+
+  test("extracts inline styles to CSS file", () => {
+    const htmlWithStyle = `<html>
+<head><style>body { color: red; }</style></head>
+<body>Styled</body>
+</html>`;
+
+    const app = createApp({
+      name: "Styled App",
+      schemaJson: "{}",
+      htmlDefinition: htmlWithStyle,
+    });
+
+    const result = migrateAppToMultifile(app.id);
+    expect(result.ok).toBe(true);
+
+    const appDir = join(getAppsDir(), app.id);
+
+    // styles.css should contain the extracted CSS
+    const css = readFileSync(join(appDir, "src", "styles.css"), "utf-8");
+    expect(css).toContain("body { color: red; }");
+
+    // src/index.html should have a <link> tag instead of <style>
+    const srcHtml = readFileSync(join(appDir, "src", "index.html"), "utf-8");
+    expect(srcHtml).toContain('<link rel="stylesheet" href="styles.css">');
+    expect(srcHtml).not.toContain("<style>");
+  });
+
+  test("extracts multiple inline style blocks", () => {
+    const html = `<html>
+<head><style>.a { margin: 0; }</style></head>
+<body><style>.b { padding: 0; }</style></body>
+</html>`;
+
+    const app = createApp({
+      name: "Multi Style",
+      schemaJson: "{}",
+      htmlDefinition: html,
+    });
+
+    migrateAppToMultifile(app.id);
+
+    const appDir = join(getAppsDir(), app.id);
+    const css = readFileSync(join(appDir, "src", "styles.css"), "utf-8");
+    expect(css).toContain(".a { margin: 0; }");
+    expect(css).toContain(".b { padding: 0; }");
+  });
+
+  test("migration of already-migrated app is a no-op", () => {
+    const app = createApp({
+      name: "Already Migrated",
+      schemaJson: "{}",
+      htmlDefinition: "<html><body>Done</body></html>",
+    });
+
+    const first = migrateAppToMultifile(app.id);
+    expect(first.ok).toBe(true);
+
+    // Grab the updatedAt after first migration
+    const afterFirst = getApp(app.id);
+    const firstUpdatedAt = afterFirst!.updatedAt;
+
+    // Small delay so updatedAt would differ if re-written
+    const second = migrateAppToMultifile(app.id);
+    expect(second.ok).toBe(true);
+
+    // formatVersion should still be 2
+    const afterSecond = getApp(app.id);
+    expect(afterSecond!.formatVersion).toBe(2);
+
+    // updatedAt should NOT have changed (no-op)
+    expect(afterSecond!.updatedAt).toBe(firstUpdatedAt);
+  });
+
+  test("returns error when app not found", () => {
+    const result = migrateAppToMultifile("nonexistent-id-12345");
+    expect(result.ok).toBe(false);
+    expect(result.error).toContain("App not found");
+  });
+});

package/src/__tests__/app-routes-csp.test.ts

@@ -0,0 +1,202 @@
+import { describe, expect, mock, test } from "bun:test";
+
+// Mock the logger before importing the module under test
+mock.module("../util/logger.js", () => ({
+  getLogger: () =>
+    new Proxy({} as Record<string, unknown>, {
+      get: () => () => {},
+    }),
+}));
+
+// Fake app records keyed by ID
+const legacyApp = {
+  id: "legacy-1",
+  name: "Legacy App",
+  htmlDefinition: "<div>Hello</div>",
+  schemaJson: "{}",
+  createdAt: 0,
+  updatedAt: 0,
+  // No formatVersion → legacy
+};
+
+const multifileApp = {
+  id: "multi-1",
+  name: "Multifile App",
+  htmlDefinition: "",
+  schemaJson: "{}",
+  createdAt: 0,
+  updatedAt: 0,
+  formatVersion: 2,
+};
+
+const apps = new Map<string, typeof legacyApp | typeof multifileApp>([
+  ["legacy-1", legacyApp],
+  ["multi-1", multifileApp],
+]);
+
+mock.module("../memory/app-store.js", () => ({
+  getApp: (id: string) => apps.get(id) ?? null,
+  getAppsDir: () => "/fake/apps",
+  isMultifileApp: (app: Record<string, unknown>) => app.formatVersion === 2,
+}));
+
+// Mock shared-app-links-store (imported by app-routes but unused here)
+mock.module("../memory/shared-app-links-store.js", () => ({
+  createSharedAppLink: () => ({ shareToken: "tok" }),
+  getSharedAppLink: () => null,
+  incrementDownloadCount: () => {},
+  deleteSharedAppLinkByToken: () => false,
+}));
+
+// Stub fs so the multifile path finds a fake dist/index.html
+mock.module("node:fs", () => ({
+  existsSync: (p: string) => p === "/fake/apps/multi-1/dist/index.html",
+  readFileSync: (p: string, _enc?: string) => {
+    if (p === "/fake/apps/multi-1/dist/index.html") {
+      return '<!DOCTYPE html><html><head></head><body><script src="main.js"></script></body></html>';
+    }
+    // Design system CSS — return empty string
+    return "";
+  },
+}));
+
+import {
+  handleServeDistFile,
+  handleServePage,
+} from "../runtime/routes/app-routes.js";
+
+/** Parse CSP header into a directive map. */
+function parseCsp(header: string): Record<string, string> {
+  const directives: Record<string, string> = {};
+  for (const part of header.split(";")) {
+    const trimmed = part.trim();
+    const spaceIdx = trimmed.indexOf(" ");
+    if (spaceIdx === -1) continue;
+    directives[trimmed.slice(0, spaceIdx)] = trimmed.slice(spaceIdx + 1);
+  }
+  return directives;
+}
+
+describe("app-routes CSP headers", () => {
+  describe("legacy apps", () => {
+    test("includes 'unsafe-inline' in script-src", () => {
+      const res = handleServePage("legacy-1");
+      const csp = res.headers.get("Content-Security-Policy")!;
+      const directives = parseCsp(csp);
+      expect(directives["script-src"]).toContain("'unsafe-inline'");
+    });
+
+    test("includes 'unsafe-inline' in style-src", () => {
+      const res = handleServePage("legacy-1");
+      const csp = res.headers.get("Content-Security-Policy")!;
+      const directives = parseCsp(csp);
+      expect(directives["style-src"]).toContain("'unsafe-inline'");
+    });
+
+    test("has img-src with self, data, and https", () => {
+      const res = handleServePage("legacy-1");
+      const csp = res.headers.get("Content-Security-Policy")!;
+      const directives = parseCsp(csp);
+      expect(directives["img-src"]).toContain("'self'");
+      expect(directives["img-src"]).toContain("data:");
+      expect(directives["img-src"]).toContain("https:");
+    });
+  });
+
+  describe("multifile apps", () => {
+    test("does NOT include 'unsafe-inline' in script-src", () => {
+      const res = handleServePage("multi-1");
+      const csp = res.headers.get("Content-Security-Policy")!;
+      const directives = parseCsp(csp);
+      expect(directives["script-src"]).not.toContain("'unsafe-inline'");
+    });
+
+    test("includes 'self' in script-src for external main.js", () => {
+      const res = handleServePage("multi-1");
+      const csp = res.headers.get("Content-Security-Policy")!;
+      const directives = parseCsp(csp);
+      expect(directives["script-src"]).toContain("'self'");
+    });
+
+    test("includes 'unsafe-inline' in style-src", () => {
+      const res = handleServePage("multi-1");
+      const csp = res.headers.get("Content-Security-Policy")!;
+      const directives = parseCsp(csp);
+      expect(directives["style-src"]).toContain("'unsafe-inline'");
+    });
+
+    test("has img-src with self, data, and https", () => {
+      const res = handleServePage("multi-1");
+      const csp = res.headers.get("Content-Security-Policy")!;
+      const directives = parseCsp(csp);
+      expect(directives["img-src"]).toContain("'self'");
+      expect(directives["img-src"]).toContain("data:");
+      expect(directives["img-src"]).toContain("https:");
+    });
+  });
+
+  describe("handleServeDistFile appId validation", () => {
+    test("rejects appId with encoded path traversal (..)", () => {
+      const res = handleServeDistFile("..", "main.js");
+      expect(res.status).toBe(400);
+    });
+
+    test("rejects appId with forward slash", () => {
+      const res = handleServeDistFile("../../etc", "main.js");
+      expect(res.status).toBe(400);
+    });
+
+    test("rejects appId with backslash", () => {
+      const res = handleServeDistFile("foo\\bar", "main.js");
+      expect(res.status).toBe(400);
+    });
+
+    test("rejects empty appId", () => {
+      const res = handleServeDistFile("", "main.js");
+      expect(res.status).toBe(400);
+    });
+
+    test("rejects appId with leading whitespace", () => {
+      const res = handleServeDistFile(" multi-1", "main.js");
+      expect(res.status).toBe(400);
+    });
+
+    test("rejects appId with trailing whitespace", () => {
+      const res = handleServeDistFile("multi-1 ", "main.js");
+      expect(res.status).toBe(400);
+    });
+
+    test("rejects appId containing .. in the middle", () => {
+      const res = handleServeDistFile("foo..bar", "main.js");
+      expect(res.status).toBe(400);
+    });
+
+    test("allows valid appId and filename (file not found is 404)", () => {
+      const res = handleServeDistFile("multi-1", "main.js");
+      // File doesn't exist in our mock fs, so 404
+      expect(res.status).toBe(404);
+    });
+  });
+
+  describe("consistent directives across formats", () => {
+    test("both formats share the same style-src policy", () => {
+      const legacy = handleServePage("legacy-1");
+      const multi = handleServePage("multi-1");
+      const legacyCsp = parseCsp(
+        legacy.headers.get("Content-Security-Policy")!,
+      );
+      const multiCsp = parseCsp(multi.headers.get("Content-Security-Policy")!);
+      expect(legacyCsp["style-src"]).toBe(multiCsp["style-src"]);
+    });
+
+    test("both formats share the same img-src policy", () => {
+      const legacy = handleServePage("legacy-1");
+      const multi = handleServePage("multi-1");
+      const legacyCsp = parseCsp(
+        legacy.headers.get("Content-Security-Policy")!,
+      );
+      const multiCsp = parseCsp(multi.headers.get("Content-Security-Policy")!);
+      expect(legacyCsp["img-src"]).toBe(multiCsp["img-src"]);
+    });
+  });
+});