npm - opengstack - Versions diffs - 0.13.7 → 0.13.8 - Mend

opengstack 0.13.7 → 0.13.8

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (135) hide show

package/bin/opengstack.js +35 -90
package/package.json +2 -3
package/scripts/install-skills.js +29 -58
package/skills/browse/bin/find-browse +21 -0
package/skills/browse/bin/remote-slug +14 -0
package/skills/browse/scripts/build-node-server.sh +48 -0
package/skills/browse/src/activity.ts +208 -0
package/skills/browse/src/browser-manager.ts +959 -0
package/skills/browse/src/buffers.ts +137 -0
package/skills/browse/src/bun-polyfill.cjs +109 -0
package/skills/browse/src/cli.ts +678 -0
package/skills/browse/src/commands.ts +128 -0
package/skills/browse/src/config.ts +150 -0
package/skills/browse/src/cookie-import-browser.ts +625 -0
package/skills/browse/src/cookie-picker-routes.ts +230 -0
package/skills/browse/src/cookie-picker-ui.ts +688 -0
package/skills/browse/src/find-browse.ts +61 -0
package/skills/browse/src/meta-commands.ts +550 -0
package/skills/browse/src/platform.ts +17 -0
package/skills/browse/src/read-commands.ts +358 -0
package/skills/browse/src/server.ts +1192 -0
package/skills/browse/src/sidebar-agent.ts +280 -0
package/skills/browse/src/sidebar-utils.ts +21 -0
package/skills/browse/src/snapshot.ts +407 -0
package/skills/browse/src/url-validation.ts +95 -0
package/skills/browse/src/write-commands.ts +364 -0
package/skills/browse/test/activity.test.ts +120 -0
package/skills/browse/test/adversarial-security.test.ts +32 -0
package/skills/browse/test/browser-manager-unit.test.ts +17 -0
package/skills/browse/test/bun-polyfill.test.ts +72 -0
package/skills/browse/test/commands.test.ts +2075 -0
package/skills/browse/test/compare-board.test.ts +342 -0
package/skills/browse/test/config.test.ts +316 -0
package/skills/browse/test/cookie-import-browser.test.ts +519 -0
package/skills/browse/test/cookie-picker-routes.test.ts +260 -0
package/skills/browse/test/file-drop.test.ts +271 -0
package/skills/browse/test/find-browse.test.ts +50 -0
package/skills/browse/test/findport.test.ts +191 -0
package/skills/browse/test/fixtures/basic.html +33 -0
package/skills/browse/test/fixtures/cursor-interactive.html +22 -0
package/skills/browse/test/fixtures/dialog.html +15 -0
package/skills/browse/test/fixtures/empty.html +2 -0
package/skills/browse/test/fixtures/forms.html +55 -0
package/skills/browse/test/fixtures/iframe.html +30 -0
package/skills/browse/test/fixtures/network-idle.html +30 -0
package/skills/browse/test/fixtures/qa-eval-checkout.html +108 -0
package/skills/browse/test/fixtures/qa-eval-spa.html +98 -0
package/skills/browse/test/fixtures/qa-eval.html +51 -0
package/skills/browse/test/fixtures/responsive.html +49 -0
package/skills/browse/test/fixtures/snapshot.html +55 -0
package/skills/browse/test/fixtures/spa.html +24 -0
package/skills/browse/test/fixtures/states.html +17 -0
package/skills/browse/test/fixtures/upload.html +25 -0
package/skills/browse/test/gstack-config.test.ts +138 -0
package/skills/browse/test/gstack-update-check.test.ts +514 -0
package/skills/browse/test/handoff.test.ts +235 -0
package/skills/browse/test/path-validation.test.ts +91 -0
package/skills/browse/test/platform.test.ts +37 -0
package/skills/browse/test/server-auth.test.ts +65 -0
package/skills/browse/test/sidebar-agent-roundtrip.test.ts +226 -0
package/skills/browse/test/sidebar-agent.test.ts +199 -0
package/skills/browse/test/sidebar-integration.test.ts +320 -0
package/skills/browse/test/sidebar-unit.test.ts +96 -0
package/skills/browse/test/snapshot.test.ts +467 -0
package/skills/browse/test/state-ttl.test.ts +35 -0
package/skills/browse/test/test-server.ts +57 -0
package/skills/browse/test/url-validation.test.ts +72 -0
package/skills/browse/test/watch.test.ts +129 -0
package/skills/careful/bin/check-careful.sh +112 -0
package/skills/cso/ACKNOWLEDGEMENTS.md +14 -0
package/skills/freeze/bin/check-freeze.sh +79 -0
package/skills/qa/references/issue-taxonomy.md +85 -0
package/skills/qa/templates/qa-report-template.md +126 -0
package/skills/review/TODOS-format.md +62 -0
package/skills/review/checklist.md +220 -0
package/skills/review/design-checklist.md +132 -0
package/skills/review/greptile-triage.md +220 -0
/package/{autoplan → skills/autoplan}/SKILL.md +0 -0
/package/{autoplan → skills/autoplan}/SKILL.md.tmpl +0 -0
/package/{benchmark → skills/benchmark}/SKILL.md +0 -0
/package/{benchmark → skills/benchmark}/SKILL.md.tmpl +0 -0
/package/{browse → skills/browse}/SKILL.md +0 -0
/package/{browse → skills/browse}/SKILL.md.tmpl +0 -0
/package/{canary → skills/canary}/SKILL.md +0 -0
/package/{canary → skills/canary}/SKILL.md.tmpl +0 -0
/package/{careful → skills/careful}/SKILL.md +0 -0
/package/{careful → skills/careful}/SKILL.md.tmpl +0 -0
/package/{codex → skills/codex}/SKILL.md +0 -0
/package/{codex → skills/codex}/SKILL.md.tmpl +0 -0
/package/{connect-chrome → skills/connect-chrome}/SKILL.md +0 -0
/package/{connect-chrome → skills/connect-chrome}/SKILL.md.tmpl +0 -0
/package/{cso → skills/cso}/SKILL.md +0 -0
/package/{cso → skills/cso}/SKILL.md.tmpl +0 -0
/package/{design-consultation → skills/design-consultation}/SKILL.md +0 -0
/package/{design-consultation → skills/design-consultation}/SKILL.md.tmpl +0 -0
/package/{design-review → skills/design-review}/SKILL.md +0 -0
/package/{design-review → skills/design-review}/SKILL.md.tmpl +0 -0
/package/{design-shotgun → skills/design-shotgun}/SKILL.md +0 -0
/package/{design-shotgun → skills/design-shotgun}/SKILL.md.tmpl +0 -0
/package/{document-release → skills/document-release}/SKILL.md +0 -0
/package/{document-release → skills/document-release}/SKILL.md.tmpl +0 -0
/package/{freeze → skills/freeze}/SKILL.md +0 -0
/package/{freeze → skills/freeze}/SKILL.md.tmpl +0 -0
/package/{gstack-upgrade → skills/gstack-upgrade}/SKILL.md +0 -0
/package/{gstack-upgrade → skills/gstack-upgrade}/SKILL.md.tmpl +0 -0
/package/{guard → skills/guard}/SKILL.md +0 -0
/package/{guard → skills/guard}/SKILL.md.tmpl +0 -0
/package/{investigate → skills/investigate}/SKILL.md +0 -0
/package/{investigate → skills/investigate}/SKILL.md.tmpl +0 -0
/package/{land-and-deploy → skills/land-and-deploy}/SKILL.md +0 -0
/package/{land-and-deploy → skills/land-and-deploy}/SKILL.md.tmpl +0 -0
/package/{office-hours → skills/office-hours}/SKILL.md +0 -0
/package/{office-hours → skills/office-hours}/SKILL.md.tmpl +0 -0
/package/{plan-ceo-review → skills/plan-ceo-review}/SKILL.md +0 -0
/package/{plan-ceo-review → skills/plan-ceo-review}/SKILL.md.tmpl +0 -0
/package/{plan-design-review → skills/plan-design-review}/SKILL.md +0 -0
/package/{plan-design-review → skills/plan-design-review}/SKILL.md.tmpl +0 -0
/package/{plan-eng-review → skills/plan-eng-review}/SKILL.md +0 -0
/package/{plan-eng-review → skills/plan-eng-review}/SKILL.md.tmpl +0 -0
/package/{qa → skills/qa}/SKILL.md +0 -0
/package/{qa → skills/qa}/SKILL.md.tmpl +0 -0
/package/{qa-only → skills/qa-only}/SKILL.md +0 -0
/package/{qa-only → skills/qa-only}/SKILL.md.tmpl +0 -0
/package/{retro → skills/retro}/SKILL.md +0 -0
/package/{retro → skills/retro}/SKILL.md.tmpl +0 -0
/package/{review → skills/review}/SKILL.md +0 -0
/package/{review → skills/review}/SKILL.md.tmpl +0 -0
/package/{setup-browser-cookies → skills/setup-browser-cookies}/SKILL.md +0 -0
/package/{setup-browser-cookies → skills/setup-browser-cookies}/SKILL.md.tmpl +0 -0
/package/{setup-deploy → skills/setup-deploy}/SKILL.md +0 -0
/package/{setup-deploy → skills/setup-deploy}/SKILL.md.tmpl +0 -0
/package/{ship → skills/ship}/SKILL.md +0 -0
/package/{ship → skills/ship}/SKILL.md.tmpl +0 -0
/package/{unfreeze → skills/unfreeze}/SKILL.md +0 -0
/package/{unfreeze → skills/unfreeze}/SKILL.md.tmpl +0 -0

package/skills/browse/test/sidebar-agent.test.ts ADDED Viewed

@@ -0,0 +1,199 @@
+/**
+ * Tests for sidebar agent queue parsing and inbox writing.
+ *
+ * sidebar-agent.ts functions are not exported (it's an entry-point script),
+ * so we test the same logic inline: JSONL parsing, writeToInbox filesystem
+ * behavior, and edge cases.
+ */
+import { describe, test, expect, beforeEach, afterEach } from 'bun:test';
+import * as fs from 'fs';
+import * as path from 'path';
+import * as os from 'os';
+// ─── Helpers: replicate sidebar-agent logic for unit testing ──────
+/** Parse a single JSONL line — same logic as sidebar-agent poll() */
+function parseQueueLine(line: string): any | null {
+  if (!line.trim()) return null;
+  try {
+    const entry = JSON.parse(line);
+    if (!entry.message && !entry.prompt) return null;
+    return entry;
+  } catch {
+    return null;
+  }
+}
+/** Read all valid entries from a JSONL string — same as countLines + readLine loop */
+function parseQueueFile(content: string): any[] {
+  const entries: any[] = [];
+  const lines = content.split('\n').filter(Boolean);
+  for (const line of lines) {
+    const entry = parseQueueLine(line);
+    if (entry) entries.push(entry);
+  }
+  return entries;
+}
+/** Write to inbox — extracted logic from sidebar-agent.ts writeToInbox() */
+function writeToInbox(
+  gitRoot: string,
+  message: string,
+  pageUrl?: string,
+  sessionId?: string,
+): string | null {
+  if (!gitRoot) return null;
+  const inboxDir = path.join(gitRoot, '.context', 'sidebar-inbox');
+  fs.mkdirSync(inboxDir, { recursive: true });
+  const now = new Date();
+  const timestamp = now.toISOString().replace(/:/g, '-');
+  const filename = `${timestamp}-observation.json`;
+  const tmpFile = path.join(inboxDir, `.${filename}.tmp`);
+  const finalFile = path.join(inboxDir, filename);
+  const inboxMessage = {
+    type: 'observation',
+    timestamp: now.toISOString(),
+    page: { url: pageUrl || 'unknown', title: '' },
+    userMessage: message,
+    sidebarSessionId: sessionId || 'unknown',
+  };
+  fs.writeFileSync(tmpFile, JSON.stringify(inboxMessage, null, 2));
+  fs.renameSync(tmpFile, finalFile);
+  return finalFile;
+}
+// ─── Test setup ──────────────────────────────────────────────────
+let tmpDir: string;
+beforeEach(() => {
+  tmpDir = fs.mkdtempSync(path.join(os.tmpdir(), 'sidebar-agent-test-'));
+});
+afterEach(() => {
+  fs.rmSync(tmpDir, { recursive: true, force: true });
+});
+// ─── Queue File Parsing ─────────────────────────────────────────
+describe('queue file parsing', () => {
+  test('valid JSONL line parsed correctly', () => {
+    const line = JSON.stringify({ message: 'hello', prompt: 'check this', pageUrl: 'https://example.com' });
+    const entry = parseQueueLine(line);
+    expect(entry).not.toBeNull();
+    expect(entry.message).toBe('hello');
+    expect(entry.prompt).toBe('check this');
+    expect(entry.pageUrl).toBe('https://example.com');
+  });
+  test('malformed JSON line skipped without crash', () => {
+    const entry = parseQueueLine('this is not json {{{');
+    expect(entry).toBeNull();
+  });
+  test('valid JSON without message or prompt is skipped', () => {
+    const line = JSON.stringify({ foo: 'bar' });
+    const entry = parseQueueLine(line);
+    expect(entry).toBeNull();
+  });
+  test('empty file returns no entries', () => {
+    const entries = parseQueueFile('');
+    expect(entries).toEqual([]);
+  });
+  test('file with blank lines returns no entries', () => {
+    const entries = parseQueueFile('\n\n\n');
+    expect(entries).toEqual([]);
+  });
+  test('mixed valid and invalid lines', () => {
+    const content = [
+      JSON.stringify({ message: 'first' }),
+      'not json',
+      JSON.stringify({ unrelated: true }),
+      JSON.stringify({ message: 'second', prompt: 'do stuff' }),
+    ].join('\n');
+    const entries = parseQueueFile(content);
+    expect(entries.length).toBe(2);
+    expect(entries[0].message).toBe('first');
+    expect(entries[1].message).toBe('second');
+  });
+});
+// ─── writeToInbox ────────────────────────────────────────────────
+describe('writeToInbox', () => {
+  test('creates .context/sidebar-inbox/ directory', () => {
+    writeToInbox(tmpDir, 'test message');
+    const inboxDir = path.join(tmpDir, '.context', 'sidebar-inbox');
+    expect(fs.existsSync(inboxDir)).toBe(true);
+    expect(fs.statSync(inboxDir).isDirectory()).toBe(true);
+  });
+  test('writes valid JSON file', () => {
+    const filePath = writeToInbox(tmpDir, 'test message', 'https://example.com', 'session-123');
+    expect(filePath).not.toBeNull();
+    expect(fs.existsSync(filePath!)).toBe(true);
+    const data = JSON.parse(fs.readFileSync(filePath!, 'utf-8'));
+    expect(data.type).toBe('observation');
+    expect(data.userMessage).toBe('test message');
+    expect(data.page.url).toBe('https://example.com');
+    expect(data.sidebarSessionId).toBe('session-123');
+    expect(data.timestamp).toBeTruthy();
+  });
+  test('atomic write — final file exists, no .tmp left', () => {
+    const filePath = writeToInbox(tmpDir, 'atomic test');
+    expect(filePath).not.toBeNull();
+    expect(fs.existsSync(filePath!)).toBe(true);
+    // Check no .tmp files remain in the inbox directory
+    const inboxDir = path.join(tmpDir, '.context', 'sidebar-inbox');
+    const files = fs.readdirSync(inboxDir);
+    const tmpFiles = files.filter(f => f.endsWith('.tmp'));
+    expect(tmpFiles.length).toBe(0);
+    // Final file should end with -observation.json
+    const jsonFiles = files.filter(f => f.endsWith('-observation.json') && !f.startsWith('.'));
+    expect(jsonFiles.length).toBe(1);
+  });
+  test('handles missing git root gracefully', () => {
+    const result = writeToInbox('', 'test');
+    expect(result).toBeNull();
+  });
+  test('defaults pageUrl to unknown when not provided', () => {
+    const filePath = writeToInbox(tmpDir, 'no url provided');
+    expect(filePath).not.toBeNull();
+    const data = JSON.parse(fs.readFileSync(filePath!, 'utf-8'));
+    expect(data.page.url).toBe('unknown');
+  });
+  test('defaults sessionId to unknown when not provided', () => {
+    const filePath = writeToInbox(tmpDir, 'no session');
+    expect(filePath).not.toBeNull();
+    const data = JSON.parse(fs.readFileSync(filePath!, 'utf-8'));
+    expect(data.sidebarSessionId).toBe('unknown');
+  });
+  test('multiple writes create separate files', () => {
+    writeToInbox(tmpDir, 'message 1');
+    // Tiny delay to ensure different timestamps
+    const t = Date.now();
+    while (Date.now() === t) {} // spin until next ms
+    writeToInbox(tmpDir, 'message 2');
+    const inboxDir = path.join(tmpDir, '.context', 'sidebar-inbox');
+    const files = fs.readdirSync(inboxDir).filter(f => f.endsWith('.json') && !f.startsWith('.'));
+    expect(files.length).toBe(2);
+  });
+});

package/skills/browse/test/sidebar-integration.test.ts ADDED Viewed

@@ -0,0 +1,320 @@
+/**
+ * Layer 2: Server HTTP integration tests for sidebar endpoints.
+ * Starts the browse server as a subprocess (no browser via BROWSE_HEADLESS_SKIP),
+ * exercises sidebar HTTP endpoints with fetch(). No Chrome, no Claude, no sidebar-agent.
+ */
+import { describe, test, expect, beforeAll, afterAll, beforeEach } from 'bun:test';
+import { spawn, type Subprocess } from 'bun';
+import * as fs from 'fs';
+import * as os from 'os';
+import * as path from 'path';
+let serverProc: Subprocess | null = null;
+let serverPort: number = 0;
+let authToken: string = '';
+let tmpDir: string = '';
+let stateFile: string = '';
+let queueFile: string = '';
+async function api(pathname: string, opts: RequestInit & { noAuth?: boolean } = {}): Promise<Response> {
+  const { noAuth, ...fetchOpts } = opts;
+  const headers: Record<string, string> = {
+    'Content-Type': 'application/json',
+    ...(fetchOpts.headers as Record<string, string> || {}),
+  };
+  if (!noAuth && !headers['Authorization'] && authToken) {
+    headers['Authorization'] = `Bearer ${authToken}`;
+  }
+  return fetch(`http://127.0.0.1:${serverPort}${pathname}`, { ...fetchOpts, headers });
+}
+beforeAll(async () => {
+  tmpDir = fs.mkdtempSync(path.join(os.tmpdir(), 'sidebar-integ-'));
+  stateFile = path.join(tmpDir, 'browse.json');
+  queueFile = path.join(tmpDir, 'sidebar-queue.jsonl');
+  // Ensure queue dir exists
+  fs.mkdirSync(path.dirname(queueFile), { recursive: true });
+  const serverScript = path.resolve(__dirname, '..', 'src', 'server.ts');
+  serverProc = spawn(['bun', 'run', serverScript], {
+    env: {
+      ...process.env,
+      BROWSE_STATE_FILE: stateFile,
+      BROWSE_HEADLESS_SKIP: '1',
+      BROWSE_PORT: '0',
+      SIDEBAR_QUEUE_PATH: queueFile,
+      BROWSE_IDLE_TIMEOUT: '300',
+    },
+    stdio: ['ignore', 'pipe', 'pipe'],
+  });
+  // Wait for state file
+  const deadline = Date.now() + 15000;
+  while (Date.now() < deadline) {
+    if (fs.existsSync(stateFile)) {
+      try {
+        const state = JSON.parse(fs.readFileSync(stateFile, 'utf-8'));
+        if (state.port && state.token) {
+          serverPort = state.port;
+          authToken = state.token;
+          break;
+        }
+      } catch {}
+    }
+    await new Promise(r => setTimeout(r, 100));
+  }
+  if (!serverPort) throw new Error('Server did not start in time');
+}, 20000);
+afterAll(() => {
+  if (serverProc) { try { serverProc.kill(); } catch {} }
+  try { fs.rmSync(tmpDir, { recursive: true, force: true }); } catch {}
+});
+// Reset state between tests — creates a fresh session, clears all queues
+async function resetState() {
+  await api('/sidebar-session/new', { method: 'POST' });
+  fs.writeFileSync(queueFile, '');
+}
+describe('sidebar auth', () => {
+  test('rejects request without auth token', async () => {
+    const resp = await api('/sidebar-command', {
+      method: 'POST',
+      noAuth: true,
+      body: JSON.stringify({ message: 'test' }),
+    });
+    expect(resp.status).toBe(401);
+  });
+  test('rejects request with wrong token', async () => {
+    const resp = await api('/sidebar-command', {
+      method: 'POST',
+      headers: { 'Authorization': 'Bearer wrong-token' },
+      body: JSON.stringify({ message: 'test' }),
+    });
+    expect(resp.status).toBe(401);
+  });
+  test('accepts request with correct token', async () => {
+    const resp = await api('/sidebar-command', {
+      method: 'POST',
+      body: JSON.stringify({ message: 'hello' }),
+    });
+    expect(resp.status).toBe(200);
+    // Clean up
+    await api('/sidebar-agent/kill', { method: 'POST' });
+  });
+});
+describe('sidebar-command → queue', () => {
+  test('writes queue entry with activeTabUrl', async () => {
+    await resetState();
+    const resp = await api('/sidebar-command', {
+      method: 'POST',
+      body: JSON.stringify({
+        message: 'what is on this page?',
+        activeTabUrl: 'https://example.com/test-page',
+      }),
+    });
+    expect(resp.status).toBe(200);
+    const data = await resp.json();
+    expect(data.ok).toBe(true);
+    // Give server a moment to write queue
+    await new Promise(r => setTimeout(r, 100));
+    const content = fs.readFileSync(queueFile, 'utf-8').trim();
+    const lines = content.split('\n').filter(Boolean);
+    expect(lines.length).toBeGreaterThan(0);
+    const entry = JSON.parse(lines[lines.length - 1]);
+    expect(entry.pageUrl).toBe('https://example.com/test-page');
+    expect(entry.prompt).toContain('https://example.com/test-page');
+    await api('/sidebar-agent/kill', { method: 'POST' });
+  });
+  test('falls back when activeTabUrl is null', async () => {
+    await resetState();
+    await api('/sidebar-command', {
+      method: 'POST',
+      body: JSON.stringify({ message: 'test', activeTabUrl: null }),
+    });
+    await new Promise(r => setTimeout(r, 100));
+    const lines = fs.readFileSync(queueFile, 'utf-8').trim().split('\n').filter(Boolean);
+    expect(lines.length).toBeGreaterThan(0);
+    const entry = JSON.parse(lines[lines.length - 1]);
+    // No browser → playwright URL is 'about:blank'
+    expect(entry.pageUrl).toBe('about:blank');
+    await api('/sidebar-agent/kill', { method: 'POST' });
+  });
+  test('rejects chrome:// activeTabUrl and falls back', async () => {
+    await resetState();
+    await api('/sidebar-command', {
+      method: 'POST',
+      body: JSON.stringify({ message: 'test', activeTabUrl: 'chrome://extensions' }),
+    });
+    await new Promise(r => setTimeout(r, 100));
+    const lines = fs.readFileSync(queueFile, 'utf-8').trim().split('\n').filter(Boolean);
+    expect(lines.length).toBeGreaterThan(0);
+    const entry = JSON.parse(lines[lines.length - 1]);
+    expect(entry.pageUrl).toBe('about:blank');
+    await api('/sidebar-agent/kill', { method: 'POST' });
+  });
+  test('rejects empty message', async () => {
+    const resp = await api('/sidebar-command', {
+      method: 'POST',
+      body: JSON.stringify({ message: '' }),
+    });
+    expect(resp.status).toBe(400);
+  });
+});
+describe('sidebar-agent/event → chat buffer', () => {
+  test('agent events appear in /sidebar-chat', async () => {
+    await resetState();
+    // Post mock agent events using Claude's streaming format
+    await api('/sidebar-agent/event', {
+      method: 'POST',
+      body: JSON.stringify({
+        type: 'assistant',
+        message: { content: [{ type: 'text', text: 'Hello from mock agent' }] },
+      }),
+    });
+    const chatData = await (await api('/sidebar-chat?after=0')).json();
+    const textEntry = chatData.entries.find((e: any) => e.type === 'text');
+    expect(textEntry).toBeDefined();
+    expect(textEntry.text).toBe('Hello from mock agent');
+  });
+  test('agent_done transitions status to idle', async () => {
+    await resetState();
+    // Start a command so agent is processing
+    await api('/sidebar-command', {
+      method: 'POST',
+      body: JSON.stringify({ message: 'test' }),
+    });
+    // Verify processing
+    let session = await (await api('/sidebar-session')).json();
+    expect(session.agent.status).toBe('processing');
+    // Send agent_done
+    await api('/sidebar-agent/event', {
+      method: 'POST',
+      body: JSON.stringify({ type: 'agent_done' }),
+    });
+    session = await (await api('/sidebar-session')).json();
+    expect(session.agent.status).toBe('idle');
+  });
+});
+describe('message queuing', () => {
+  test('queues message when agent is processing', async () => {
+    await resetState();
+    // First message starts processing
+    await api('/sidebar-command', {
+      method: 'POST',
+      body: JSON.stringify({ message: 'first' }),
+    });
+    // Second message gets queued
+    const resp = await api('/sidebar-command', {
+      method: 'POST',
+      body: JSON.stringify({ message: 'second' }),
+    });
+    const data = await resp.json();
+    expect(data.ok).toBe(true);
+    expect(data.queued).toBe(true);
+    expect(data.position).toBe(1);
+    await api('/sidebar-agent/kill', { method: 'POST' });
+  });
+  test('returns 429 when queue is full', async () => {
+    await resetState();
+    // First message starts processing
+    await api('/sidebar-command', {
+      method: 'POST',
+      body: JSON.stringify({ message: 'first' }),
+    });
+    // Fill queue (max 5)
+    for (let i = 0; i < 5; i++) {
+      await api('/sidebar-command', {
+        method: 'POST',
+        body: JSON.stringify({ message: `fill-${i}` }),
+      });
+    }
+    // 7th message should be rejected
+    const resp = await api('/sidebar-command', {
+      method: 'POST',
+      body: JSON.stringify({ message: 'overflow' }),
+    });
+    expect(resp.status).toBe(429);
+    await api('/sidebar-agent/kill', { method: 'POST' });
+  });
+});
+describe('chat clear', () => {
+  test('clears chat buffer', async () => {
+    await resetState();
+    // Add some entries
+    await api('/sidebar-agent/event', {
+      method: 'POST',
+      body: JSON.stringify({ type: 'text', text: 'to be cleared' }),
+    });
+    await api('/sidebar-chat/clear', { method: 'POST' });
+    const data = await (await api('/sidebar-chat?after=0')).json();
+    expect(data.entries.length).toBe(0);
+    expect(data.total).toBe(0);
+  });
+});
+describe('agent kill', () => {
+  test('kill adds error entry and returns to idle', async () => {
+    await resetState();
+    // Start a command so agent is processing
+    await api('/sidebar-command', {
+      method: 'POST',
+      body: JSON.stringify({ message: 'kill me' }),
+    });
+    let session = await (await api('/sidebar-session')).json();
+    expect(session.agent.status).toBe('processing');
+    // Kill the agent
+    const killResp = await api('/sidebar-agent/kill', { method: 'POST' });
+    expect(killResp.status).toBe(200);
+    // Check chat for error entry
+    const chatData = await (await api('/sidebar-chat?after=0')).json();
+    const errorEntry = chatData.entries.find((e: any) => e.error === 'Killed by user');
+    expect(errorEntry).toBeDefined();
+    // Agent should be idle (no queue items to auto-process)
+    session = await (await api('/sidebar-session')).json();
+    expect(session.agent.status).toBe('idle');
+  });
+});

package/skills/browse/test/sidebar-unit.test.ts ADDED Viewed

@@ -0,0 +1,96 @@
+/**
+ * Layer 1: Unit tests for sidebar utilities.
+ * Tests pure functions — no server, no processes, no network.
+ */
+import { describe, test, expect } from 'bun:test';
+import { sanitizeExtensionUrl } from '../src/sidebar-utils';
+describe('sanitizeExtensionUrl', () => {
+  test('passes valid http URL', () => {
+    expect(sanitizeExtensionUrl('http://example.com')).toBe('http://example.com/');
+  });
+  test('passes valid https URL', () => {
+    expect(sanitizeExtensionUrl('https://example.com/page?q=1')).toBe('https://example.com/page?q=1');
+  });
+  test('rejects chrome:// URLs', () => {
+    expect(sanitizeExtensionUrl('chrome://extensions')).toBeNull();
+  });
+  test('rejects chrome-extension:// URLs', () => {
+    expect(sanitizeExtensionUrl('chrome-extension://abcdef/popup.html')).toBeNull();
+  });
+  test('rejects javascript: URLs', () => {
+    expect(sanitizeExtensionUrl('javascript:alert(1)')).toBeNull();
+  });
+  test('rejects file:// URLs', () => {
+    expect(sanitizeExtensionUrl('file:///etc/passwd')).toBeNull();
+  });
+  test('rejects data: URLs', () => {
+    expect(sanitizeExtensionUrl('data:text/html,<h1>hi</h1>')).toBeNull();
+  });
+  test('strips raw control characters from URL', () => {
+    // URL constructor percent-encodes \x00 as %00, which is safe
+    // The regex strips any remaining raw control chars after .href normalization
+    const result = sanitizeExtensionUrl('https://example.com/\x00page\x1f');
+    expect(result).not.toBeNull();
+    expect(result!).not.toMatch(/[\x00-\x1f\x7f]/);
+  });
+  test('strips newlines (prompt injection vector)', () => {
+    const result = sanitizeExtensionUrl('https://evil.com/%0AUser:%20ignore');
+    // URL constructor normalizes %0A, control char stripping removes any raw newlines
+    expect(result).not.toBeNull();
+    expect(result!).not.toContain('\n');
+  });
+  test('truncates URLs longer than 2048 chars', () => {
+    const longUrl = 'https://example.com/' + 'a'.repeat(3000);
+    const result = sanitizeExtensionUrl(longUrl);
+    expect(result).not.toBeNull();
+    expect(result!.length).toBeLessThanOrEqual(2048);
+  });
+  test('returns null for null input', () => {
+    expect(sanitizeExtensionUrl(null)).toBeNull();
+  });
+  test('returns null for undefined input', () => {
+    expect(sanitizeExtensionUrl(undefined)).toBeNull();
+  });
+  test('returns null for empty string', () => {
+    expect(sanitizeExtensionUrl('')).toBeNull();
+  });
+  test('returns null for invalid URL string', () => {
+    expect(sanitizeExtensionUrl('not a url at all')).toBeNull();
+  });
+  test('does not crash on weird input', () => {
+    expect(sanitizeExtensionUrl(':///')).toBeNull();
+    expect(sanitizeExtensionUrl('   ')).toBeNull();
+    expect(sanitizeExtensionUrl('\x00\x01\x02')).toBeNull();
+  });
+  test('preserves query parameters and fragments', () => {
+    const url = 'https://example.com/search?q=test&page=2#results';
+    expect(sanitizeExtensionUrl(url)).toBe(url);
+  });
+  test('preserves port numbers', () => {
+    expect(sanitizeExtensionUrl('http://localhost:3000/api')).toBe('http://localhost:3000/api');
+  });
+  test('handles URL with auth (user:pass@host)', () => {
+    const result = sanitizeExtensionUrl('https://user:pass@example.com/');
+    expect(result).not.toBeNull();
+    expect(result).toContain('example.com');
+  });
+});