ndomo 0.1.0 → 0.2.1

package/src/http/__tests__/spa.test.ts

@@ -0,0 +1,296 @@
+/**
+ * Tests for SPA static-file serving + client-side routing fallback.
+ *
+ * Uses a temp directory with a fake index.html + asset to avoid
+ * depending on `bun run web:build` output in CI.
+ */
+
+import { mkdtempSync, mkdirSync, writeFileSync, rmSync } from "node:fs";
+import { join } from "node:path";
+import { tmpdir } from "node:os";
+import { Database } from "bun:sqlite";
+import { afterEach, beforeEach, describe, expect, test } from "bun:test";
+import type { HttpConfig } from "../../config/schema.ts";
+import { runMigrations } from "../../db/migrations.ts";
+import { buildHttpServer } from "../server.ts";
+
+let db: Database;
+let webDir: string;
+let savedPassword: string | undefined;
+
+const AUTH_CONFIG: HttpConfig = {
+  enabled: true,
+  port: 4098,
+  cors: { origins: ["*"] },
+  auth: { required: true },
+};
+
+const NO_AUTH_CONFIG: HttpConfig = {
+  enabled: true,
+  port: 4098,
+  cors: { origins: ["*"] },
+  auth: { required: false },
+};
+
+function basicAuthHeader(password: string): string {
+  const encoded = Buffer.from(`user:${password}`).toString("base64");
+  return `Basic ${encoded}`;
+}
+
+beforeEach(() => {
+  savedPassword = process.env.OPENCODE_SERVER_PASSWORD;
+  process.env.OPENCODE_SERVER_PASSWORD = "test-password";
+  db = new Database(":memory:");
+  db.exec("PRAGMA foreign_keys = ON");
+  runMigrations(db);
+
+  // Create temp web dist with fake SPA files
+  webDir = mkdtempSync(join(tmpdir(), "ndomo-spa-test-"));
+  writeFileSync(
+    join(webDir, "index.html"),
+    '<!DOCTYPE html><html><body><div id="app"></div></body></html>',
+  );
+  mkdirSync(join(webDir, "assets"), { recursive: true });
+  writeFileSync(
+    join(webDir, "assets", "index-abc123.js"),
+    'console.log("spa");',
+  );
+  writeFileSync(
+    join(webDir, "assets", "index-abc123.css"),
+    "body{margin:0}",
+  );
+});
+
+afterEach(() => {
+  if (savedPassword === undefined) {
+    delete process.env.OPENCODE_SERVER_PASSWORD;
+  } else {
+    process.env.OPENCODE_SERVER_PASSWORD = savedPassword;
+  }
+  db.close();
+  rmSync(webDir, { recursive: true, force: true });
+});
+
+describe("SPA root GET /", () => {
+  test("returns 200 text/html with <div id='app'>", async () => {
+    const { app } = await buildHttpServer({
+      db,
+      httpConfig: NO_AUTH_CONFIG,
+      webDistDir: webDir,
+    });
+    const res = await app.handle(new Request("http://localhost/"));
+
+    expect(res.status).toBe(200);
+    expect(res.headers.get("Content-Type")).toContain("text/html");
+    const body = await res.text();
+    expect(body).toContain('<div id="app"></div>');
+  });
+});
+
+describe("SPA client-side routing fallback", () => {
+  test("unknown path returns index.html (SPA fallback)", async () => {
+    const { app } = await buildHttpServer({
+      db,
+      httpConfig: NO_AUTH_CONFIG,
+      webDistDir: webDir,
+    });
+    const res = await app.handle(new Request("http://localhost/some/spa/route"));
+
+    expect(res.status).toBe(200);
+    expect(res.headers.get("Content-Type")).toContain("text/html");
+    const body = await res.text();
+    expect(body).toContain('<div id="app"></div>');
+  });
+});
+
+describe("SPA static assets", () => {
+  test("serves JS asset with correct content type", async () => {
+    const { app } = await buildHttpServer({
+      db,
+      httpConfig: NO_AUTH_CONFIG,
+      webDistDir: webDir,
+    });
+    const res = await app.handle(
+      new Request("http://localhost/assets/index-abc123.js"),
+    );
+
+    expect(res.status).toBe(200);
+    expect(res.headers.get("Content-Type")).toContain("application/javascript");
+    const body = await res.text();
+    expect(body).toContain('console.log("spa")');
+  });
+
+  test("serves CSS asset with correct content type", async () => {
+    const { app } = await buildHttpServer({
+      db,
+      httpConfig: NO_AUTH_CONFIG,
+      webDistDir: webDir,
+    });
+    const res = await app.handle(
+      new Request("http://localhost/assets/index-abc123.css"),
+    );
+
+    expect(res.status).toBe(200);
+    expect(res.headers.get("Content-Type")).toContain("text/css");
+  });
+});
+
+describe("SPA does NOT swallow /api/*", () => {
+  test("GET /health returns JSON (not SPA)", async () => {
+    const { app } = await buildHttpServer({
+      db,
+      httpConfig: NO_AUTH_CONFIG,
+      webDistDir: webDir,
+    });
+    const res = await app.handle(new Request("http://localhost/health"));
+
+    expect(res.status).toBe(200);
+    expect(res.headers.get("Content-Type")).toContain("application/json");
+    const body = (await res.json()) as { status: string };
+    expect(body.status).toBe("ok");
+  });
+
+  test("GET /api/plans without auth returns 401 (not SPA)", async () => {
+    const { app } = await buildHttpServer({
+      db,
+      httpConfig: AUTH_CONFIG,
+      webDistDir: webDir,
+    });
+    const res = await app.handle(new Request("http://localhost/api/plans"));
+
+    expect(res.status).toBe(401);
+    const body = (await res.json()) as { error: string };
+    expect(body.error).toBe("invalid_credentials");
+  });
+
+  test("GET /api/plans with auth returns 200 JSON", async () => {
+    const { app } = await buildHttpServer({
+      db,
+      httpConfig: AUTH_CONFIG,
+      webDistDir: webDir,
+    });
+    const res = await app.handle(
+      new Request("http://localhost/api/plans", {
+        headers: { Authorization: basicAuthHeader("test-password") },
+      }),
+    );
+
+    expect(res.status).toBe(200);
+    expect(res.headers.get("Content-Type")).toContain("application/json");
+  });
+
+  test("GET /api/plans/nonexistent returns 404 JSON (not SPA fallback)", async () => {
+    const { app } = await buildHttpServer({
+      db,
+      httpConfig: AUTH_CONFIG,
+      webDistDir: webDir,
+    });
+    const res = await app.handle(
+      new Request("http://localhost/api/plans/nonexistent-id", {
+        headers: { Authorization: basicAuthHeader("test-password") },
+      }),
+    );
+
+    expect(res.status).toBe(404);
+    expect(res.headers.get("Content-Type")).toContain("application/json");
+  });
+});
+
+describe("SPA is public (no auth required for non-/api paths)", () => {
+  test("GET / returns 200 WITHOUT auth when auth.required=true", async () => {
+    const { app } = await buildHttpServer({
+      db,
+      httpConfig: AUTH_CONFIG,
+      webDistDir: webDir,
+    });
+    const res = await app.handle(new Request("http://localhost/"));
+
+    expect(res.status).toBe(200);
+    expect(res.headers.get("Content-Type")).toContain("text/html");
+    const body = await res.text();
+    expect(body).toContain('<div id="app"></div>');
+  });
+
+  test("GET /plans/<any-id> returns 200 WITHOUT auth (SPA fallback)", async () => {
+    const { app } = await buildHttpServer({
+      db,
+      httpConfig: AUTH_CONFIG,
+      webDistDir: webDir,
+    });
+    const res = await app.handle(
+      new Request("http://localhost/plans/some-uuid"),
+    );
+
+    expect(res.status).toBe(200);
+    expect(res.headers.get("Content-Type")).toContain("text/html");
+    const body = await res.text();
+    expect(body).toContain('<div id="app"></div>');
+  });
+
+  test("GET /assets/*.js returns 200 WITHOUT auth", async () => {
+    const { app } = await buildHttpServer({
+      db,
+      httpConfig: AUTH_CONFIG,
+      webDistDir: webDir,
+    });
+    const res = await app.handle(
+      new Request("http://localhost/assets/index-abc123.js"),
+    );
+
+    expect(res.status).toBe(200);
+    expect(res.headers.get("Content-Type")).toContain("application/javascript");
+  });
+});
+
+describe("SPA path traversal defense", () => {
+  test("path traversal attempt does not serve /etc/passwd", async () => {
+    const { app } = await buildHttpServer({
+      db,
+      httpConfig: NO_AUTH_CONFIG,
+      webDistDir: webDir,
+    });
+    const res = await app.handle(
+      new Request("http://localhost/../../etc/passwd"),
+    );
+
+    // Must not serve /etc/passwd — either 200 (SPA fallback) or 400
+    if (res.status === 200) {
+      const body = await res.text();
+      expect(body).toContain('<div id="app"></div>');
+      expect(body).not.toContain("root:");
+    } else {
+      expect([400, 404]).toContain(res.status);
+    }
+  });
+});
+
+describe("SPA disabled when web dir missing", () => {
+  test("returns 503 when webDistDir does not exist", async () => {
+    const { app } = await buildHttpServer({
+      db,
+      httpConfig: NO_AUTH_CONFIG,
+      webDistDir: "/nonexistent/path",
+    });
+    const res = await app.handle(new Request("http://localhost/"));
+
+    expect(res.status).toBe(503);
+    const body = await res.text();
+    expect(body).toContain("SPA not built");
+  });
+});
+
+describe("SPA non-GET methods", () => {
+  test("POST to SPA path returns 404 (Elysia GET handler does not match)", async () => {
+    const { app } = await buildHttpServer({
+      db,
+      httpConfig: NO_AUTH_CONFIG,
+      webDistDir: webDir,
+    });
+    const res = await app.handle(
+      new Request("http://localhost/some/path", { method: "POST" }),
+    );
+
+    // Elysia .get() does not match POST → 404
+    expect(res.status).toBe(404);
+  });
+});

package/src/http/auth.ts

@@ -6,11 +6,13 @@
  * Uses timing-safe comparison to prevent timing attacks.
  *
  * Uses onRequest so the hook propagates across Elysia .use() boundaries.
- * Exempts /health from auth (public liveness probe).
+ * Exempts from auth: /health (liveness probe) + non-/api paths (SPA static +
+ * SPA history fallback). Only /api/* requires auth.
  *
  * Behavior:
  * - auth.required === false → skip entirely
  * - /health path → skip (always public)
+ * - non-/api path (SPA) → skip (public — Vue SPA serves static + history fallback)
  * - Password unset/empty → 503 auth_not_configured
  * - Missing/malformed Authorization → 401 + WWW-Authenticate
  * - Wrong password → 401 + WWW-Authenticate
@@ -36,6 +38,11 @@ export function httpBasicAuth(httpConfig: HttpConfig) {
     const url = new URL(request.url);
     if (url.pathname === "/health") return;
 
+    // Exempt non-/api paths — SPA static assets + history fallback are public.
+    // Auth gates only the JSON API surface (/api/*). Users browse the SPA freely,
+    // then enter the password in the in-app AuthPrompt when fetching /api/*.
+    if (!url.pathname.startsWith("/api/")) return;
+
     const password = process.env.OPENCODE_SERVER_PASSWORD;
 
     // Password not configured → 503

package/src/http/server.ts

@@ -9,6 +9,9 @@
  * 4. health route (no auth)
  * 5. /api/plans, /api/tasks, /api/sessions (auth required)
  */
+import { existsSync } from "node:fs";
+import { join, normalize, resolve } from "node:path";
+import { fileURLToPath } from "node:url";
 import type { Database } from "bun:sqlite";
 import type { OpencodeClient } from "@opencode-ai/sdk/client";
 import { Elysia } from "elysia";
@@ -27,6 +30,11 @@ interface BuildHttpServerArgs {
   httpConfig: HttpConfig;
   /** OpenCode SDK client for SSE events. If null/undefined, /api/events returns 503. */
   sdkClient?: OpencodeClient;
+  /**
+   * Override web dist directory for testing. Defaults to ./web/ relative to this file.
+   * Set to a temp dir with index.html + assets for SPA tests.
+   */
+  webDistDir?: string;
 }
 
 export interface HttpServerHandle {
@@ -64,12 +72,73 @@ export async function buildHttpServer(args: BuildHttpServerArgs) {
     .use(sessionsRoute(db))
     .use(eventsRoute(args.sdkClient ?? null));
 
-  // Compose the full app
+  // Resolve web dist dir (configurable for testing, defaults to ./web/ sibling)
+  const WEB_DIST = args.webDistDir
+    ? resolve(args.webDistDir)
+    : fileURLToPath(new URL("./web/", import.meta.url));
+  const INDEX_HTML = join(WEB_DIST, "index.html");
+
+  // Static-file + SPA fallback sub-app
+  const spaApp = new Elysia({ name: "spa-fallback" }).get(
+    "/*",
+    ({ path }) => {
+      // Try static asset first (path traversal safe)
+      // Strip leading slashes so resolve() doesn't treat path as absolute
+      const safePath = normalize(path)
+        .replace(/^(\.\.[/\\])+/g, "")
+        .replace(/^\/+/, "");
+      const assetPath = resolve(WEB_DIST, safePath);
+
+      if (
+        assetPath.startsWith(WEB_DIST) &&
+        safePath !== "" &&
+        existsSync(assetPath)
+      ) {
+        const file = Bun.file(assetPath);
+        const ext = assetPath.split(".").pop() ?? "";
+        const contentTypes: Record<string, string> = {
+          html: "text/html; charset=utf-8",
+          js: "application/javascript; charset=utf-8",
+          css: "text/css; charset=utf-8",
+          json: "application/json; charset=utf-8",
+          svg: "image/svg+xml",
+          png: "image/png",
+          jpg: "image/jpeg",
+          jpeg: "image/jpeg",
+          ico: "image/x-icon",
+          woff: "font/woff",
+          woff2: "font/woff2",
+        };
+        return new Response(file, {
+          headers: {
+            "Content-Type": contentTypes[ext] ?? "application/octet-stream",
+            "Cache-Control": "no-cache",
+          },
+        });
+      }
+
+      // Fallback to SPA index.html for client-side routing
+      if (!existsSync(INDEX_HTML)) {
+        return new Response("SPA not built. Run: bun run web:build", {
+          status: 503,
+        });
+      }
+      return new Response(Bun.file(INDEX_HTML), {
+        headers: {
+          "Content-Type": "text/html; charset=utf-8",
+          "Cache-Control": "no-cache",
+        },
+      });
+    },
+  );
+
+  // Compose the full app — apiProtected BEFORE spaApp so /api/* wins
   const app = new Elysia({ name: "ndomo-http" })
     .use(securityHeaders)
     .use(corsMiddleware(httpConfig.cors.origins))
     .use(healthRoute(db))
-    .use(apiProtected);
+    .use(apiProtected)
+    .use(spaApp);
 
   return {
     app: app as unknown as Elysia,

package/.bun-version

@@ -1 +0,0 @@
-1.3.14

package/.dockerignore

@@ -1,79 +0,0 @@
-# VCS
-.git/
-.gitignore
-
-# Dependencies (regenerated in image)
-node_modules/
-.pnp/
-.pnp.js
-.yarn/
-
-# Build output
-dist/
-build/
-out/
-*.tsbuildinfo
-
-# OpenCode / ndomo runtime state
-.slim/
-.worktrees/
-.ndomo/
-.opencode/
-.opencode-mem/
-
-# DCP data
-.dcp/
-dcp-prompts/
-
-# Databases — never bake into image
-*.sqlite
-*.sqlite-journal
-*.sqlite-shm
-*.sqlite-wal
-
-# Environment / secrets — NEVER bake into image
-.env
-.env.*
-.env.local
-.env.*.local
-
-# Logs
-*.log
-npm-debug.log*
-yarn-debug.log*
-yarn-error.log*
-logs/
-
-# Coverage
-coverage/
-.nyc_output/
-
-# OS artifacts
-.DS_Store
-Thumbs.db
-
-# Editor
-.idea/
-.vscode/
-*.swp
-*.swo
-
-# Documentation (not needed at runtime)
-docs/
-CHANGELOG.md
-README.md
-README.es.md
-
-# Test files (not needed at runtime)
-*.test.ts
-*.test.js
-
-# Miscellaneous
-*.tgz
-.cache/
-.agents/
-skills-lock.json
-
-# Docker metadata (not needed in image)
-Dockerfile
-.dockerignore

package/.editorconfig

@@ -1,18 +0,0 @@
-root = true
-
-[*]
-charset = utf-8
-end_of_line = lf
-indent_style = space
-indent_size = 2
-insert_final_newline = true
-trim_trailing_whitespace = true
-
-[*.md]
-trim_trailing_whitespace = false
-
-[*.{yml,yaml}]
-indent_size = 2
-
-[Makefile]
-indent_style = tab

package/.github/CODEOWNERS

@@ -1,8 +0,0 @@
-# Default owners for everything in the repo
-* @nicosup98
-
-# CI/CD workflows and automation
-.github/ @nicosup98
-
-# Package and build configuration
-package.json @nicosup98

package/.github/ISSUE_TEMPLATE/bug_report.yml

@@ -1,62 +0,0 @@
-name: Bug Report
-description: Report a bug in ndomo
-title: "[bug]: "
-labels: [bug]
-body:
-  - type: textarea
-    id: description
-    attributes:
-      label: Description
-      description: What went wrong?
-      placeholder: A clear description of the bug.
-    validations:
-      required: true
-  - type: textarea
-    id: steps
-    attributes:
-      label: Steps to reproduce
-      description: How can we reproduce the issue?
-      placeholder: |
-        1.
-        2.
-        3.
-    validations:
-      required: true
-  - type: textarea
-    id: expected
-    attributes:
-      label: Expected behavior
-      description: What should have happened?
-    validations:
-      required: true
-  - type: textarea
-    id: actual
-    attributes:
-      label: Actual behavior
-      description: What actually happened?
-    validations:
-      required: true
-  - type: input
-    id: os
-    attributes:
-      label: OS
-      description: What operating system are you using?
-      placeholder: e.g. Ubuntu 24.04, macOS 14
-    validations:
-      required: true
-  - type: input
-    id: bun-version
-    attributes:
-      label: Bun version
-      description: What bun version are you using? (run `bun --version`)
-      placeholder: e.g. 1.3.14
-    validations:
-      required: true
-  - type: input
-    id: ndomo-version
-    attributes:
-      label: ndomo version
-      description: What ndomo version are you using?
-      placeholder: e.g. 0.1.0
-    validations:
-      required: false

package/.github/ISSUE_TEMPLATE/config.yml

@@ -1,2 +0,0 @@
-blank_issues_enabled: true
-contact_links: []

package/.github/ISSUE_TEMPLATE/feature_request.yml

@@ -1,34 +0,0 @@
-name: Feature Request
-description: Suggest a new feature for ndomo
-title: "[feature]: "
-labels: [enhancement]
-body:
-  - type: textarea
-    id: description
-    attributes:
-      label: Description
-      description: What feature do you want?
-      placeholder: A clear description of the feature.
-    validations:
-      required: true
-  - type: textarea
-    id: problem
-    attributes:
-      label: Problem it solves
-      description: What problem does this solve that isn't possible today?
-    validations:
-      required: true
-  - type: textarea
-    id: solution
-    attributes:
-      label: Proposed solution
-      description: How would you implement this?
-    validations:
-      required: true
-  - type: textarea
-    id: alternatives
-    attributes:
-      label: Alternatives considered
-      description: What other approaches did you think about?
-    validations:
-      required: false

package/.github/dependabot.yml

@@ -1,36 +0,0 @@
-# .github/dependabot.yml
-# Dependabot config: weekly auto-PRs for npm + github-actions
-version: 2
-updates:
-  - package-ecosystem: "npm"
-    directory: "/"
-    schedule:
-      interval: "weekly"
-      day: "monday"
-    open-pull-requests-limit: 5
-    labels:
-      - "dependencies"
-    groups:
-      production:
-        applies-to: version-updates
-        dependency-type: "production"
-      development:
-        applies-to: version-updates
-        dependency-type: "development"
-    commit-message:
-      prefix: "chore(deps)"
-
-  - package-ecosystem: "github-actions"
-    directory: "/"
-    schedule:
-      interval: "weekly"
-      day: "monday"
-    open-pull-requests-limit: 3
-    labels:
-      - "dependencies"
-      - "ci"
-    commit-message:
-      prefix: "ci(actions)"
-    # Auto-merge patch updates for actions (they're already SHA-pinned,
-    # so updates only happen when we bump SHAs intentionally)
-    automerge: false  # keep manual review

package/.github/pull_request_template.md

@@ -1,24 +0,0 @@
-## Description
-
-<!-- What does this PR do? Why is this change needed? -->
-
-## Type of change
-
-- [ ] Bug fix
-- [ ] Feature
-- [ ] Breaking change
-- [ ] Documentation
-- [ ] Refactor
-- [ ] Chore (maintenance, deps, CI)
-
-## Checklist
-
-- [ ] Tests added/updated (if applicable)
-- [ ] Lint passes
-- [ ] Typecheck passes
-- [ ] Smoke test passes
-- [ ] Docs updated (if needed)
-
-## Related issue
-
-<!-- Closes #N or "No related issue" -->