opensoma 0.5.0 → 0.6.0

package/src/agent-browser-launcher.test.ts

@@ -0,0 +1,263 @@
+import { afterEach, describe, expect, it } from 'bun:test'
+import { existsSync } from 'node:fs'
+import { mkdtemp, readFile, readdir, rm, stat } from 'node:fs/promises'
+import { tmpdir } from 'node:os'
+import { join } from 'node:path'
+
+import { AgentBrowserLauncher, assertSwmaestroUrl, buildStorageState } from './agent-browser-launcher'
+import type { Spawner } from './agent-browser-launcher'
+
+let createdDirs: string[] = []
+
+afterEach(async () => {
+  for (const dir of createdDirs) {
+    await rm(dir, { recursive: true, force: true })
+  }
+  createdDirs = []
+})
+
+describe('buildStorageState', () => {
+  it('returns a Playwright-compatible storage state with JSESSIONID host-only on www.swmaestro.ai', () => {
+    const state = buildStorageState('test-session-value')
+
+    expect(state).toEqual({
+      cookies: [
+        {
+          name: 'JSESSIONID',
+          value: 'test-session-value',
+          domain: 'www.swmaestro.ai',
+          path: '/',
+          expires: -1,
+          httpOnly: true,
+          secure: true,
+          sameSite: 'Lax',
+        },
+      ],
+      origins: [],
+    })
+  })
+
+  it('does not use a leading-dot domain (host-only, not domain cookie)', () => {
+    const state = buildStorageState('x')
+    expect(state.cookies[0]?.domain).toBe('www.swmaestro.ai')
+    expect(state.cookies[0]?.domain.startsWith('.')).toBe(false)
+  })
+})
+
+describe('assertSwmaestroUrl', () => {
+  it('accepts https://www.swmaestro.ai URLs', () => {
+    expect(() => assertSwmaestroUrl('https://www.swmaestro.ai/sw/main/main.do')).not.toThrow()
+  })
+
+  it('accepts the bare swmaestro.ai apex', () => {
+    expect(() => assertSwmaestroUrl('https://swmaestro.ai/')).not.toThrow()
+  })
+
+  it('rejects non-swmaestro hosts', () => {
+    expect(() => assertSwmaestroUrl('https://evil.example.com/path')).toThrow(/swmaestro\.ai/)
+  })
+
+  it('rejects http:// (forces https)', () => {
+    expect(() => assertSwmaestroUrl('http://www.swmaestro.ai/')).toThrow(/https/)
+  })
+
+  it('rejects malformed URLs', () => {
+    expect(() => assertSwmaestroUrl('not-a-url')).toThrow(/Invalid URL/)
+  })
+})
+
+describe('AgentBrowserLauncher.launch', () => {
+  it('writes a state file with the JSESSIONID and invokes agent-browser with --state and open', async () => {
+    const tmpRoot = await makeTempRoot()
+    const allCommands: string[][] = []
+    let stateContent = ''
+    let stateMode = 0
+    let dirMode = 0
+
+    const spawn: Spawner = (command) => ({
+      exited: (async () => {
+        allCommands.push([...command])
+        if (command[1] === '--state') {
+          const statePath = command[2]
+          if (!statePath) throw new Error('missing state path argument')
+          stateContent = await readFile(statePath, 'utf8')
+          stateMode = (await stat(statePath)).mode & 0o777
+          const dir = statePath.replace(/\/state\.json$/, '')
+          dirMode = (await stat(dir)).mode & 0o777
+        }
+        return 0
+      })(),
+    })
+
+    const launcher = new AgentBrowserLauncher({ spawn, binary: 'agent-browser', tmpDir: tmpRoot })
+    const result = await launcher.launch({
+      url: 'https://www.swmaestro.ai/sw/mypage/myMain/dashboard.do',
+      sessionCookie: 'abc-123-jsessionid',
+    })
+
+    expect(result.exitCode).toBe(0)
+    expect(allCommands[0]).toEqual(['agent-browser', 'close', '--all'])
+
+    const launchCmd = allCommands[1]
+    expect(launchCmd?.[0]).toBe('agent-browser')
+    expect(launchCmd?.[1]).toBe('--state')
+    expect(launchCmd?.[3]).toBe('open')
+    expect(launchCmd?.[4]).toBe('https://www.swmaestro.ai/sw/mypage/myMain/dashboard.do')
+
+    const parsed = JSON.parse(stateContent) as { cookies: Array<{ name: string; value: string }> }
+    expect(parsed.cookies[0]?.name).toBe('JSESSIONID')
+    expect(parsed.cookies[0]?.value).toBe('abc-123-jsessionid')
+
+    expect(stateMode).toBe(0o600)
+    expect(dirMode).toBe(0o700)
+  })
+
+  it('closes any running daemon before launching so --state is not silently ignored', async () => {
+    const tmpRoot = await makeTempRoot()
+    const calls: string[] = []
+
+    const spawn: Spawner = (command) => ({
+      exited: (async () => {
+        if (command[1] === 'close') calls.push('close')
+        if (command[1] === '--state') calls.push('launch')
+        return 0
+      })(),
+    })
+
+    await new AgentBrowserLauncher({ spawn, tmpDir: tmpRoot }).launch({
+      url: 'https://www.swmaestro.ai/sw/main/main.do',
+      sessionCookie: 'x',
+    })
+
+    expect(calls).toEqual(['close', 'launch'])
+  })
+
+  it('never includes the JSESSIONID value in argv', async () => {
+    const tmpRoot = await makeTempRoot()
+    const allArgs: string[] = []
+
+    const spawn: Spawner = (command) => ({
+      exited: (async () => {
+        allArgs.push(...command)
+        return 0
+      })(),
+    })
+
+    const launcher = new AgentBrowserLauncher({ spawn, tmpDir: tmpRoot })
+    await launcher.launch({
+      url: 'https://www.swmaestro.ai/sw/main/main.do',
+      sessionCookie: 'super-secret-jsessionid-value',
+    })
+
+    for (const arg of allArgs) {
+      expect(arg).not.toContain('super-secret-jsessionid-value')
+    }
+  })
+
+  it('cleans up the state directory after agent-browser exits successfully', async () => {
+    const tmpRoot = await makeTempRoot()
+    let capturedStatePath = ''
+
+    const spawn: Spawner = (command) => ({
+      exited: (async () => {
+        if (command[1] === '--state') {
+          capturedStatePath = command[2] ?? ''
+        }
+        return 0
+      })(),
+    })
+
+    await new AgentBrowserLauncher({ spawn, tmpDir: tmpRoot }).launch({
+      url: 'https://www.swmaestro.ai/sw/main/main.do',
+      sessionCookie: 'x',
+    })
+
+    expect(existsSync(capturedStatePath)).toBe(false)
+    const remaining = await readdir(tmpRoot)
+    expect(remaining).toEqual([])
+  })
+
+  it('cleans up the state directory even if agent-browser throws', async () => {
+    const tmpRoot = await makeTempRoot()
+    let capturedStatePath = ''
+
+    const spawn: Spawner = (command) => ({
+      exited: (async () => {
+        if (command[1] === '--state') {
+          capturedStatePath = command[2] ?? ''
+          throw new Error('boom')
+        }
+        return 0
+      })(),
+    })
+
+    await expect(
+      new AgentBrowserLauncher({ spawn, tmpDir: tmpRoot }).launch({
+        url: 'https://www.swmaestro.ai/sw/main/main.do',
+        sessionCookie: 'x',
+      }),
+    ).rejects.toThrow('boom')
+
+    expect(existsSync(capturedStatePath)).toBe(false)
+    const remaining = await readdir(tmpRoot)
+    expect(remaining).toEqual([])
+  })
+
+  it('propagates the agent-browser non-zero exit code', async () => {
+    const tmpRoot = await makeTempRoot()
+    const spawn: Spawner = (command) => ({
+      exited: Promise.resolve(command[1] === '--state' ? 42 : 0),
+    })
+
+    const result = await new AgentBrowserLauncher({ spawn, tmpDir: tmpRoot }).launch({
+      url: 'https://www.swmaestro.ai/sw/main/main.do',
+      sessionCookie: 'x',
+    })
+
+    expect(result.exitCode).toBe(42)
+  })
+
+  it('uses a custom binary path when provided', async () => {
+    const tmpRoot = await makeTempRoot()
+    const observedBinaries: string[] = []
+    const spawn: Spawner = (command) => ({
+      exited: (async () => {
+        observedBinaries.push(command[0] ?? '')
+        return 0
+      })(),
+    })
+
+    await new AgentBrowserLauncher({ spawn, tmpDir: tmpRoot, binary: '/custom/path/agent-browser' }).launch({
+      url: 'https://www.swmaestro.ai/sw/main/main.do',
+      sessionCookie: 'x',
+    })
+
+    expect(new Set(observedBinaries)).toEqual(new Set(['/custom/path/agent-browser']))
+  })
+
+  it('rejects non-swmaestro URLs before spawning anything', async () => {
+    const tmpRoot = await makeTempRoot()
+    let spawnCalled = false
+    const spawn: Spawner = () => {
+      spawnCalled = true
+      return { exited: Promise.resolve(0) }
+    }
+
+    await expect(
+      new AgentBrowserLauncher({ spawn, tmpDir: tmpRoot }).launch({
+        url: 'https://evil.example.com/path',
+        sessionCookie: 'x',
+      }),
+    ).rejects.toThrow(/swmaestro\.ai/)
+
+    expect(spawnCalled).toBe(false)
+    const remaining = await readdir(tmpRoot)
+    expect(remaining).toEqual([])
+  })
+})
+
+async function makeTempRoot(): Promise<string> {
+  const dir = await mkdtemp(join(tmpdir(), 'opensoma-launcher-test-'))
+  createdDirs.push(dir)
+  return dir
+}

package/src/agent-browser-launcher.ts

@@ -0,0 +1,159 @@
+import { randomBytes } from 'node:crypto'
+import { chmod, mkdtemp, rm, writeFile } from 'node:fs/promises'
+import { tmpdir } from 'node:os'
+import { join } from 'node:path'
+
+// Minimal declaration so the web workspace tsconfig (which lacks @types/bun)
+// can type-check this file without error. The real implementation always runs
+// under Bun, which provides the full global at runtime.
+declare const Bun: {
+  spawn(
+    command: string[],
+    options: { stdout: 'inherit'; stderr: 'inherit'; stdin: 'inherit' },
+  ): { exited: Promise<number> }
+}
+
+export interface AgentBrowserLaunchInput {
+  url: string
+  sessionCookie: string
+}
+
+export interface SpawnedProcess {
+  exited: Promise<number>
+}
+
+export type Spawner = (command: string[]) => SpawnedProcess
+
+export interface AgentBrowserLauncherOptions {
+  spawn?: Spawner
+  binary?: string
+  tmpDir?: string
+}
+
+export interface LaunchResult {
+  exitCode: number
+  statePath: string
+}
+
+const SWMAESTRO_HOST = 'www.swmaestro.ai'
+const ALLOWED_HOSTS = new Set([SWMAESTRO_HOST, 'swmaestro.ai'])
+
+interface StorageStateCookie {
+  name: string
+  value: string
+  domain: string
+  path: string
+  expires: number
+  httpOnly: boolean
+  secure: boolean
+  sameSite: 'Strict' | 'Lax' | 'None'
+}
+
+interface StorageState {
+  cookies: StorageStateCookie[]
+  origins: never[]
+}
+
+export function buildStorageState(sessionCookie: string): StorageState {
+  // Java EE JSESSIONID is host-only on the exact host that issued it. Use
+  // www.swmaestro.ai (no leading dot) to match how the native server sets it.
+  // Using `.swmaestro.ai` here would either fail to import or produce a
+  // domain-cookie that the server treats as foreign.
+  return {
+    cookies: [
+      {
+        name: 'JSESSIONID',
+        value: sessionCookie,
+        domain: SWMAESTRO_HOST,
+        path: '/',
+        // -1 is the Playwright/agent-browser convention for session cookies
+        // (no Expires/Max-Age attribute). JSESSIONID is a session cookie.
+        expires: -1,
+        httpOnly: true,
+        secure: true,
+        sameSite: 'Lax',
+      },
+    ],
+    origins: [],
+  }
+}
+
+export function assertSwmaestroUrl(rawUrl: string): URL {
+  let parsed: URL
+  try {
+    parsed = new URL(rawUrl)
+  } catch {
+    throw new Error(`Invalid URL: ${rawUrl}`)
+  }
+
+  if (parsed.protocol !== 'https:') {
+    throw new Error(`URL must use https:// (got ${parsed.protocol}//): ${rawUrl}`)
+  }
+
+  if (!ALLOWED_HOSTS.has(parsed.hostname)) {
+    throw new Error(
+      `URL must point to swmaestro.ai (got ${parsed.hostname}). Cookie injection only works for swmaestro.ai targets.`,
+    )
+  }
+
+  return parsed
+}
+
+function defaultSpawn(command: string[]): SpawnedProcess {
+  // Bun.spawn with array args avoids shell interpretation entirely. The
+  // randomized state-file path appears in argv but the JSESSIONID value
+  // never does — that's the security guarantee.
+  const proc = Bun.spawn(command, {
+    stdout: 'inherit',
+    stderr: 'inherit',
+    stdin: 'inherit',
+  })
+  return { exited: proc.exited }
+}
+
+export class AgentBrowserLauncher {
+  private readonly spawn: Spawner
+  private readonly binary: string
+  private readonly tmpRoot: string
+
+  constructor(options: AgentBrowserLauncherOptions = {}) {
+    this.spawn = options.spawn ?? defaultSpawn
+    this.binary = options.binary ?? 'agent-browser'
+    this.tmpRoot = options.tmpDir ?? tmpdir()
+  }
+
+  async launch(input: AgentBrowserLaunchInput): Promise<LaunchResult> {
+    const target = assertSwmaestroUrl(input.url)
+    const state = buildStorageState(input.sessionCookie)
+
+    // agent-browser ignores --state if a daemon is already running. Close
+    // first so our cookie injection actually takes effect. We don't care
+    // about the close exit code (no-op if no daemon was running).
+    await this.spawn([this.binary, 'close', '--all']).exited
+
+    const stateDir = await this.createStateDir()
+    const statePath = join(stateDir, 'state.json')
+
+    try {
+      await writeFile(statePath, JSON.stringify(state), { mode: 0o600 })
+      await chmod(statePath, 0o600)
+
+      const proc = this.spawn([this.binary, '--state', statePath, 'open', target.toString()])
+      const exitCode = await proc.exited
+      return { exitCode, statePath }
+    } finally {
+      await rm(stateDir, { recursive: true, force: true })
+    }
+  }
+
+  private async createStateDir(): Promise<string> {
+    // Random suffix on the directory name so concurrent launches don't
+    // collide and so the path is hard to predict for same-UID local
+    // attackers. mkdtemp creates with 0700 by default on macOS/Linux but we
+    // chmod to be explicit across platforms.
+    const prefix = `opensoma-agent-browser-${randomBytes(8).toString('hex')}-`
+    const dir = await mkdtemp(join(this.tmpRoot, prefix))
+    await chmod(dir, 0o700)
+    return dir
+  }
+}

package/src/cli.ts

@@ -4,14 +4,15 @@ import { Command } from 'commander'
 
 import pkg from '../package.json' with { type: 'json' }
 import {
+  agentBrowserCommand,
   authCommand,
   dashboardCommand,
-  eventCommand,
   memberCommand,
   mentoringCommand,
   noticeCommand,
   reportCommand,
   roomCommand,
+  scheduleCommand,
   teamCommand,
 } from './commands/index'
 
@@ -45,13 +46,14 @@ program.hook('preAction', async (_thisCommand, actionCommand) => {
 })
 
 program.addCommand(authCommand)
+program.addCommand(agentBrowserCommand)
 program.addCommand(mentoringCommand)
 program.addCommand(roomCommand)
 program.addCommand(dashboardCommand)
 program.addCommand(noticeCommand)
 program.addCommand(teamCommand)
 program.addCommand(memberCommand)
-program.addCommand(eventCommand)
+program.addCommand(scheduleCommand)
 program.addCommand(reportCommand)
 
 program.parse(process.argv)