responses-proxy 0.1.0

package/dist/dashboard-auth.js

@@ -0,0 +1,318 @@
+import { createHash, randomBytes, randomInt } from "node:crypto";
+import { mkdirSync } from "node:fs";
+import path from "node:path";
+import BetterSqlite3 from "better-sqlite3";
+export class DashboardAuthRepository {
+    db;
+    constructor(db) {
+        this.db = db;
+    }
+    static create(dbFile) {
+        mkdirSync(path.dirname(dbFile), { recursive: true });
+        const db = new BetterSqlite3(dbFile);
+        ensureDashboardAuthSchema(db);
+        return new DashboardAuthRepository(db);
+    }
+    createChallenge(input) {
+        const now = input.now ?? new Date();
+        const createdAt = now.toISOString();
+        const expiresAt = new Date(now.getTime() + input.ttlMs).toISOString();
+        const id = randomBytes(16).toString("hex");
+        const otp = randomInt(0, 1_000_000).toString().padStart(6, "0");
+        this.db
+            .prepare(`INSERT INTO dashboard_auth_challenges (
+          id,
+          telegram_user_id,
+          otp_hash,
+          expires_at,
+          created_at
+        ) VALUES (?, ?, ?, ?, ?)`)
+            .run(id, input.telegramUserId, hashOtp(id, otp), expiresAt, createdAt);
+        return { id, telegramUserId: input.telegramUserId, otp, expiresAt };
+    }
+    createApprovalChallenge(input) {
+        const now = input.now ?? new Date();
+        const expiresAt = new Date(now.getTime() + input.ttlMs).toISOString();
+        const id = randomBytes(16).toString("hex");
+        const displayCode = randomInt(10, 100).toString().padStart(2, "0");
+        const pollToken = randomBytes(24).toString("base64url");
+        const telegramUserIds = Array.from(new Set(input.telegramUserIds.filter(Boolean)));
+        if (telegramUserIds.length === 0) {
+            throw new Error("Cannot create dashboard approval challenge without Telegram admins.");
+        }
+        const insert = this.db.prepare(`INSERT INTO dashboard_auth_challenges (
+        id,
+        challenge_group_id,
+        telegram_user_id,
+        otp_hash,
+        poll_token_hash,
+        expires_at,
+        created_at
+      ) VALUES (?, ?, ?, ?, ?, ?, ?)`);
+        const createdAt = now.toISOString();
+        for (const telegramUserId of telegramUserIds) {
+            const rowId = randomBytes(16).toString("hex");
+            insert.run(rowId, id, telegramUserId, hashOtp(rowId, displayCode), hashPollToken(pollToken), expiresAt, createdAt);
+        }
+        return { id, displayCode, pollToken, expiresAt };
+    }
+    getApprovalChallengeStatus(input) {
+        const now = input.now ?? new Date();
+        const row = this.getApprovalChallengeRow(input.challengeId, input.pollToken);
+        if (!row) {
+            return { ok: false, reason: "invalid" };
+        }
+        if (row.approved_at) {
+            return {
+                ok: true,
+                status: "approved",
+                challengeId: input.challengeId,
+                expiresAt: row.expires_at,
+                telegramUserId: row.approved_by_telegram_user_id ?? row.telegram_user_id,
+            };
+        }
+        if (row.rejected_at) {
+            return { ok: true, status: "rejected", challengeId: input.challengeId, expiresAt: row.expires_at };
+        }
+        if (new Date(row.expires_at).getTime() < now.getTime()) {
+            return { ok: true, status: "expired", challengeId: input.challengeId, expiresAt: row.expires_at };
+        }
+        if (row.consumed_at) {
+            return { ok: true, status: "consumed", challengeId: input.challengeId, expiresAt: row.expires_at };
+        }
+        return { ok: true, status: "pending", challengeId: input.challengeId, expiresAt: row.expires_at };
+    }
+    resolveApprovalChoice(input) {
+        const now = input.now ?? new Date();
+        const row = this.getAdminChallengeRow(input.challengeId, input.telegramUserId);
+        if (!row) {
+            return { ok: false, reason: "invalid" };
+        }
+        if (row.consumed_at) {
+            return { ok: false, reason: "consumed" };
+        }
+        if (new Date(row.expires_at).getTime() < now.getTime()) {
+            return { ok: false, reason: "expired" };
+        }
+        if (row.approved_at || row.rejected_at) {
+            return { ok: false, reason: "consumed" };
+        }
+        if (hashOtp(row.id, input.selectedCode) === row.otp_hash) {
+            this.db
+                .prepare(`UPDATE dashboard_auth_challenges
+           SET approved_at = ?, approved_by_telegram_user_id = ?
+           WHERE challenge_group_id = ?`)
+                .run(now.toISOString(), input.telegramUserId, input.challengeId);
+            return { ok: true, status: "approved" };
+        }
+        this.db
+            .prepare(`UPDATE dashboard_auth_challenges
+         SET rejected_at = ?, rejected_by_telegram_user_id = ?
+         WHERE challenge_group_id = ?`)
+            .run(now.toISOString(), input.telegramUserId, input.challengeId);
+        return { ok: true, status: "rejected" };
+    }
+    consumeApprovedChallenge(input) {
+        const now = input.now ?? new Date();
+        const row = this.getApprovalChallengeRow(input.challengeId, input.pollToken);
+        if (!row) {
+            return { ok: false, reason: "invalid" };
+        }
+        if (row.rejected_at) {
+            return { ok: false, reason: "rejected" };
+        }
+        if (new Date(row.expires_at).getTime() < now.getTime()) {
+            return { ok: false, reason: "expired" };
+        }
+        if (!row.approved_at) {
+            return { ok: false, reason: "pending" };
+        }
+        if (row.consumed_at) {
+            return { ok: false, reason: "consumed" };
+        }
+        this.db
+            .prepare(`UPDATE dashboard_auth_challenges
+         SET consumed_at = ?
+         WHERE challenge_group_id = ?`)
+            .run(now.toISOString(), input.challengeId);
+        return {
+            ok: true,
+            telegramUserId: row.approved_by_telegram_user_id ?? row.telegram_user_id,
+            expiresAt: row.expires_at,
+        };
+    }
+    consumeChallenge(input) {
+        return this.consumeChallengeForUsers({ telegramUserIds: [input.telegramUserId], otp: input.otp, now: input.now });
+    }
+    consumeChallengeForUsers(input) {
+        const now = input.now ?? new Date();
+        const userIds = Array.from(new Set(input.telegramUserIds.filter(Boolean)));
+        if (userIds.length === 0) {
+            return { ok: false, reason: "invalid" };
+        }
+        const placeholders = userIds.map(() => "?").join(", ");
+        const rows = this.db
+            .prepare(`SELECT * FROM dashboard_auth_challenges
+         WHERE telegram_user_id IN (${placeholders})
+           AND consumed_at IS NULL
+         ORDER BY created_at DESC
+         LIMIT 20`)
+            .all(...userIds);
+        for (const row of rows) {
+            if (hashOtp(row.id, input.otp) !== row.otp_hash) {
+                continue;
+            }
+            if (new Date(row.expires_at).getTime() < now.getTime()) {
+                return { ok: false, reason: "expired" };
+            }
+            this.db
+                .prepare(`UPDATE dashboard_auth_challenges
+           SET consumed_at = ?
+           WHERE id = ?`)
+                .run(now.toISOString(), row.id);
+            return { ok: true, challengeId: row.id, telegramUserId: row.telegram_user_id };
+        }
+        return { ok: false, reason: "invalid" };
+    }
+    createSession(input) {
+        const now = input.now ?? new Date();
+        const timestamp = now.toISOString();
+        const expiresAt = new Date(now.getTime() + input.ttlMs).toISOString();
+        const id = randomBytes(16).toString("hex");
+        const token = randomBytes(32).toString("base64url");
+        this.db
+            .prepare(`INSERT INTO dashboard_auth_sessions (
+          id,
+          session_hash,
+          telegram_user_id,
+          role,
+          expires_at,
+          created_at,
+          updated_at
+        ) VALUES (?, ?, ?, 'admin', ?, ?, ?)`)
+            .run(id, hashSessionToken(token), input.telegramUserId, expiresAt, timestamp, timestamp);
+        return {
+            token,
+            session: {
+                id,
+                telegramUserId: input.telegramUserId,
+                role: "admin",
+                expiresAt,
+            },
+        };
+    }
+    getSessionByToken(token, now = new Date()) {
+        if (!token) {
+            return undefined;
+        }
+        const row = this.db
+            .prepare(`SELECT * FROM dashboard_auth_sessions
+         WHERE session_hash = ?
+           AND revoked_at IS NULL
+         LIMIT 1`)
+            .get(hashSessionToken(token));
+        if (!row || new Date(row.expires_at).getTime() < now.getTime()) {
+            return undefined;
+        }
+        return {
+            id: row.id,
+            telegramUserId: row.telegram_user_id,
+            role: "admin",
+            expiresAt: row.expires_at,
+        };
+    }
+    revokeSessionByToken(token, now = new Date()) {
+        if (!token) {
+            return false;
+        }
+        const timestamp = now.toISOString();
+        const result = this.db
+            .prepare(`UPDATE dashboard_auth_sessions
+         SET revoked_at = ?, updated_at = ?
+         WHERE session_hash = ?
+           AND revoked_at IS NULL`)
+            .run(timestamp, timestamp, hashSessionToken(token));
+        return result.changes > 0;
+    }
+    getApprovalChallengeRow(challengeId, pollToken) {
+        return this.db
+            .prepare(`SELECT * FROM dashboard_auth_challenges
+         WHERE challenge_group_id = ?
+           AND poll_token_hash = ?
+         ORDER BY created_at ASC
+         LIMIT 1`)
+            .get(challengeId, hashPollToken(pollToken));
+    }
+    getAdminChallengeRow(challengeId, telegramUserId) {
+        return this.db
+            .prepare(`SELECT * FROM dashboard_auth_challenges
+         WHERE challenge_group_id = ?
+           AND telegram_user_id = ?
+         ORDER BY created_at ASC
+         LIMIT 1`)
+            .get(challengeId, telegramUserId);
+    }
+}
+function ensureDashboardAuthSchema(db) {
+    db.exec(`
+    CREATE TABLE IF NOT EXISTS dashboard_auth_challenges (
+      id TEXT PRIMARY KEY,
+      challenge_group_id TEXT,
+      telegram_user_id TEXT NOT NULL,
+      otp_hash TEXT NOT NULL,
+      poll_token_hash TEXT,
+      expires_at TEXT NOT NULL,
+      consumed_at TEXT,
+      approved_at TEXT,
+      approved_by_telegram_user_id TEXT,
+      rejected_at TEXT,
+      rejected_by_telegram_user_id TEXT,
+      created_at TEXT NOT NULL
+    );
+
+    CREATE INDEX IF NOT EXISTS idx_dashboard_auth_challenges_user
+      ON dashboard_auth_challenges(telegram_user_id, consumed_at, created_at);
+
+    CREATE TABLE IF NOT EXISTS dashboard_auth_sessions (
+      id TEXT PRIMARY KEY,
+      session_hash TEXT NOT NULL UNIQUE,
+      telegram_user_id TEXT NOT NULL,
+      role TEXT NOT NULL,
+      expires_at TEXT NOT NULL,
+      revoked_at TEXT,
+      created_at TEXT NOT NULL,
+      updated_at TEXT NOT NULL
+    );
+
+    CREATE INDEX IF NOT EXISTS idx_dashboard_auth_sessions_hash
+      ON dashboard_auth_sessions(session_hash, revoked_at, expires_at);
+  `);
+    ensureColumn(db, "dashboard_auth_challenges", "challenge_group_id", "TEXT");
+    ensureColumn(db, "dashboard_auth_challenges", "poll_token_hash", "TEXT");
+    ensureColumn(db, "dashboard_auth_challenges", "approved_at", "TEXT");
+    ensureColumn(db, "dashboard_auth_challenges", "approved_by_telegram_user_id", "TEXT");
+    ensureColumn(db, "dashboard_auth_challenges", "rejected_at", "TEXT");
+    ensureColumn(db, "dashboard_auth_challenges", "rejected_by_telegram_user_id", "TEXT");
+    db.exec(`
+    CREATE INDEX IF NOT EXISTS idx_dashboard_auth_challenges_group
+      ON dashboard_auth_challenges(challenge_group_id, telegram_user_id, created_at);
+  `);
+}
+function hashOtp(challengeId, otp) {
+    return createHash("sha256").update(`${challengeId}:${otp}`).digest("hex");
+}
+function hashSessionToken(token) {
+    return createHash("sha256").update(token).digest("hex");
+}
+function hashPollToken(token) {
+    return createHash("sha256").update(token).digest("hex");
+}
+function ensureColumn(db, tableName, columnName, columnDefinition) {
+    const columns = db
+        .prepare(`PRAGMA table_info(${tableName})`)
+        .all();
+    if (columns.some((column) => column.name === columnName)) {
+        return;
+    }
+    db.exec(`ALTER TABLE ${tableName} ADD COLUMN ${columnName} ${columnDefinition}`);
+}

package/dist/dashboard-auth.test.js

@@ -0,0 +1,133 @@
+import assert from "node:assert/strict";
+import { mkdtempSync, rmSync } from "node:fs";
+import os from "node:os";
+import path from "node:path";
+import test from "node:test";
+import { DashboardAuthRepository } from "./dashboard-auth.js";
+import { registerDashboardLoginCallbacks } from "./telegram-bot/dashboard-login.js";
+test("dashboard approval challenge resolves and consumes once", async () => {
+    const tempDir = mkdtempSync(path.join(os.tmpdir(), "responses-proxy-dashboard-auth-"));
+    const dbFile = path.join(tempDir, "auth.sqlite");
+    try {
+        const repo = DashboardAuthRepository.create(dbFile);
+        const challenge = repo.createApprovalChallenge({ telegramUserIds: ["1", "2"], ttlMs: 60_000 });
+        assert.match(challenge.displayCode, /^\d{2}$/);
+        const initial = repo.getApprovalChallengeStatus({ challengeId: challenge.id, pollToken: challenge.pollToken });
+        assert.equal(initial.ok, true);
+        assert.equal(initial.status, "pending");
+        const resolved = repo.resolveApprovalChoice({
+            challengeId: challenge.id,
+            telegramUserId: "1",
+            selectedCode: challenge.displayCode,
+        });
+        assert.equal(resolved.ok, true);
+        assert.equal(resolved.status, "approved");
+        const approved = repo.getApprovalChallengeStatus({ challengeId: challenge.id, pollToken: challenge.pollToken });
+        assert.equal(approved.ok, true);
+        assert.equal(approved.status, "approved");
+        const consumed = repo.consumeApprovedChallenge({ challengeId: challenge.id, pollToken: challenge.pollToken });
+        assert.equal(consumed.ok, true);
+        assert.equal(consumed.telegramUserId, "1");
+        const second = repo.consumeApprovedChallenge({ challengeId: challenge.id, pollToken: challenge.pollToken });
+        assert.equal(second.ok, false);
+        if (!second.ok) {
+            assert.equal(second.reason, "consumed");
+        }
+    }
+    finally {
+        rmSync(tempDir, { recursive: true, force: true });
+    }
+});
+test("dashboard login callback approves or rejects selected code", async () => {
+    const tempDir = mkdtempSync(path.join(os.tmpdir(), "responses-proxy-dashboard-login-"));
+    const dbFile = path.join(tempDir, "auth.sqlite");
+    try {
+        const repo = DashboardAuthRepository.create(dbFile);
+        const challenge = repo.createApprovalChallenge({ telegramUserIds: ["1"], ttlMs: 60_000 });
+        const handler = createCallbackHarness();
+        registerDashboardLoginCallbacks(handler.bot, {
+            telegramBotToken: "token",
+            allowedUserIds: new Set(),
+            allowedChatIds: new Set(),
+            ownerUserIds: new Set(["1"]),
+            adminUserIds: new Set(["1"]),
+            botMode: "polling",
+            proxyAdminBaseUrl: "http://127.0.0.1:8318",
+            defaultModel: "gpt-5.5",
+            publicSignupEnabled: false,
+            requireAdminApproval: true,
+            defaultCustomerRoute: "customers",
+            publicResponsesBaseUrl: "http://127.0.0.1:8318/v1",
+            proxyRequestTimeoutMs: 30_000,
+            sessionDbPath: dbFile,
+            sessionTtlMs: 900_000,
+            rateLimitWindowMs: 60_000,
+            rateLimitMaxRequests: 12,
+            logLevel: "info",
+        }, repo);
+        const approved = handler.find(`v1:dashauth:${challenge.id}:${challenge.displayCode}`);
+        const approveCtx = createCallbackContext({ fromId: 1, chatId: 1, data: `v1:dashauth:${challenge.id}:${challenge.displayCode}` });
+        approveCtx.match = approved.match;
+        await approved.handler(approveCtx);
+        assert.equal(approveCtx.answeredCallbacks[0]?.text, "Dashboard login approved.");
+        assert.match(approveCtx.editedReplies[0]?.text ?? "", /approved/i);
+        const rejectedChallenge = repo.createApprovalChallenge({ telegramUserIds: ["1"], ttlMs: 60_000 });
+        const rejected = handler.find(`v1:dashauth:${rejectedChallenge.id}:00`);
+        const rejectCtx = createCallbackContext({ fromId: 1, chatId: 1, data: `v1:dashauth:${rejectedChallenge.id}:00` });
+        rejectCtx.match = rejected.match;
+        await rejected.handler(rejectCtx);
+        assert.equal(rejectCtx.answeredCallbacks[0]?.show_alert, true);
+        assert.match(rejectCtx.answeredCallbacks[0]?.text ?? "", /Wrong code/i);
+    }
+    finally {
+        rmSync(tempDir, { recursive: true, force: true });
+    }
+});
+function createCallbackHarness() {
+    const callbackHandlers = [];
+    return {
+        bot: {
+            callbackQuery(pattern, handler) {
+                callbackHandlers.push({ pattern, handler });
+            },
+        },
+        find(data) {
+            for (const entry of callbackHandlers) {
+                if (typeof entry.pattern === "string") {
+                    if (entry.pattern === data) {
+                        return { handler: entry.handler, match: [data] };
+                    }
+                    continue;
+                }
+                const match = data.match(entry.pattern);
+                if (match) {
+                    return { handler: entry.handler, match };
+                }
+            }
+            assert.fail(`No callback handler for ${data}`);
+        },
+    };
+}
+function createCallbackContext(input) {
+    const answeredCallbacks = [];
+    const editedReplies = [];
+    return {
+        from: { id: input.fromId },
+        chat: { id: input.chatId, type: "private" },
+        callbackQuery: { data: input.data, message: { message_id: 1, chat: { id: input.chatId, type: "private" } } },
+        answeredCallbacks,
+        editedReplies,
+        answerCallbackQuery(payload) {
+            answeredCallbacks.push(payload ?? {});
+            return Promise.resolve();
+        },
+        editMessageText(text) {
+            editedReplies.push({ text });
+            return Promise.resolve();
+        },
+        reply(text) {
+            editedReplies.push({ text });
+            return Promise.resolve();
+        },
+    };
+}

package/dist/dashboard-serving.test.js

@@ -0,0 +1,235 @@
+import assert from "node:assert/strict";
+import { mkdtempSync, readFileSync, rmSync } from "node:fs";
+import { createServer } from "node:net";
+import os from "node:os";
+import path from "node:path";
+import { spawn } from "node:child_process";
+import test from "node:test";
+import { DashboardAuthRepository } from "./dashboard-auth.js";
+const repoRoot = process.cwd();
+const distClientIndexPath = path.join(repoRoot, "dist", "client", "index.html");
+const distClientIndexHtml = readFileSync(distClientIndexPath, "utf8");
+const builtReactAssetPath = extractBuiltReactAssetPath(distClientIndexHtml);
+test("dashboard serving smoke coverage", { concurrency: false }, async (t) => {
+    await t.test("react mode serves dashboard, preserves backend routes, and logs mode", async () => {
+        const server = await startDashboardServer();
+        try {
+            assert.match(server.output, /Dashboard UI: react \(serving .*dist\/client\)/);
+            const root = await fetchText(`${server.baseUrl}/`);
+            assert.equal(root.response.status, 200);
+            assert.equal(root.response.headers.get("cache-control"), "no-cache");
+            assert.match(root.text, /Responses Proxy React Shell|<div id="root"><\/div>/);
+            const favicon = await fetchText(`${server.baseUrl}/favicon.svg`);
+            assert.equal(favicon.response.status, 200);
+            assert.equal(favicon.response.headers.get("cache-control"), "no-cache");
+            assert.match(favicon.response.headers.get("content-type") ?? "", /image\/svg\+xml/);
+            const health = await fetchJson(`${server.baseUrl}/health`);
+            assert.equal(health.response.status, 200);
+            assert.match(health.response.headers.get("content-type") ?? "", /application\/json/);
+            assert.equal(health.body.ok, true);
+            const protectedBeforeLogin = await fetchJson(`${server.baseUrl}/api/providers`);
+            assert.equal(protectedBeforeLogin.response.status, 401);
+            const approvalRequest = await fetchJson(`${server.baseUrl}/api/dashboard-auth/request-approval`, {
+                method: "POST",
+            });
+            assert.equal(approvalRequest.response.status, 200);
+            assert.equal(typeof approvalRequest.body.debugApprovalCode, "string");
+            assert.match(String(approvalRequest.body.displayCode), /^\d{2}$/);
+            const dashboardAuth = DashboardAuthRepository.create(server.customerDbFile);
+            const resolved = dashboardAuth.resolveApprovalChoice({
+                challengeId: approvalRequest.body.challengeId,
+                telegramUserId: "1",
+                selectedCode: approvalRequest.body.debugApprovalCode,
+            });
+            assert.equal(resolved.ok, true);
+            const poll = await fetchJson(`${server.baseUrl}/api/dashboard-auth/approval-status?challengeId=${encodeURIComponent(approvalRequest.body.challengeId)}&pollToken=${encodeURIComponent(approvalRequest.body.pollToken)}`);
+            assert.equal(poll.response.status, 200);
+            assert.equal(poll.body.status, "approved");
+            const approvedSession = poll.body.session;
+            assert.equal(typeof approvedSession?.telegramUserId, "string");
+            const session = DashboardAuthRepository.create(server.customerDbFile).createSession({
+                telegramUserId: approvedSession?.telegramUserId,
+                ttlMs: 60_000,
+            });
+            const sessionCookie = `responses_proxy_dashboard_session=${encodeURIComponent(session.token)}`;
+            const providers = await fetchJson(`${server.baseUrl}/api/providers`, {
+                headers: { Cookie: sessionCookie },
+            });
+            assert.equal(providers.response.status, 200);
+            assert.match(providers.response.headers.get("content-type") ?? "", /application\/json/);
+            assert.equal(typeof providers.body, "object");
+            assert.doesNotMatch(JSON.stringify(providers.body), /Responses Proxy React Shell/);
+            const authCallback = await fetchText(`${server.baseUrl}/auth/chatgpt/callback`);
+            assert.notEqual(authCallback.response.status, 404);
+            assert.doesNotMatch(authCallback.text, /Responses Proxy React Shell/);
+            assert.match(authCallback.text, /ChatGPT OAuth/);
+            const v1Models = await fetchText(`${server.baseUrl}/v1/models`);
+            assert.notEqual(v1Models.response.status, 200);
+            assert.doesNotMatch(v1Models.text, /Responses Proxy React Shell/);
+            assert.match(v1Models.response.headers.get("content-type") ?? "", /application\/json/);
+        }
+        finally {
+            await server.stop();
+        }
+    });
+    await t.test("legacy dashboard routes are removed", async () => {
+        const server = await startDashboardServer();
+        try {
+            const legacy = await fetchText(`${server.baseUrl}/legacy`);
+            assert.equal(legacy.response.status, 404);
+            assert.match(legacy.response.headers.get("content-type") ?? "", /application\/json/);
+            const legacyAsset = await fetchText(`${server.baseUrl}/legacy/app.js`);
+            assert.equal(legacyAsset.response.status, 404);
+            assert.match(legacyAsset.response.headers.get("content-type") ?? "", /application\/json/);
+            const rootAsset = await fetchText(`${server.baseUrl}/app.js`);
+            assert.equal(rootAsset.response.status, 404);
+            assert.match(rootAsset.response.headers.get("content-type") ?? "", /application\/json/);
+            const health = await fetchJson(`${server.baseUrl}/health`);
+            assert.equal(health.response.status, 200);
+            assert.equal(health.body.ok, true);
+        }
+        finally {
+            await server.stop();
+        }
+    });
+    await t.test("static assets use expected cache policy and block traversal", async () => {
+        const server = await startDashboardServer();
+        try {
+            const reactAsset = await fetchText(`${server.baseUrl}${builtReactAssetPath}`);
+            assert.equal(reactAsset.response.status, 200);
+            assert.equal(reactAsset.response.headers.get("cache-control"), "public, max-age=31536000, immutable");
+            assert.match(reactAsset.response.headers.get("content-type") ?? "", /javascript|text\/css/);
+            const legacyAsset = await fetchText(`${server.baseUrl}/legacy/app.js`);
+            assert.equal(legacyAsset.response.status, 404);
+            const traversal = await fetchText(`${server.baseUrl}/assets/..%2F..%2Fserver.js`);
+            assert.equal(traversal.response.status, 404);
+            assert.match(traversal.response.headers.get("content-type") ?? "", /application\/json/);
+        }
+        finally {
+            await server.stop();
+        }
+    });
+});
+function extractBuiltReactAssetPath(indexHtml) {
+    const match = indexHtml.match(/"(\/assets\/[^"]+\.(?:js|css))"/);
+    assert.ok(match?.[1], "Could not find built React asset reference in dist/client/index.html");
+    return match[1];
+}
+async function fetchText(url, init) {
+    const response = await fetch(url, init);
+    const text = await response.text();
+    return { response, text };
+}
+async function fetchJson(url, init) {
+    const response = await fetch(url, init);
+    const body = (await response.json().catch(() => ({})));
+    return { response, body };
+}
+async function startDashboardServer(extraEnv = {}) {
+    const tempDir = mkdtempSync(path.join(os.tmpdir(), "responses-proxy-dashboard-serving-"));
+    const port = await getFreePort();
+    const child = spawn(process.execPath, ["--import", "tsx", "src/server.ts"], {
+        cwd: repoRoot,
+        env: {
+            ...process.env,
+            PORT: String(port),
+            HOST: "127.0.0.1",
+            UPSTREAM_BASE_URL: "https://api.openai.com",
+            APP_DB_PATH: path.join(tempDir, "app.sqlite"),
+            CUSTOMER_KEY_DB_PATH: path.join(tempDir, "customer.sqlite"),
+            SESSION_LOG_DIR: path.join(tempDir, "sessions"),
+            PROVIDER_USAGE_CHECK_ENABLED: "false",
+            CHATGPT_OAUTH_ENABLED: "false",
+            TELEGRAM_BOT_TOKEN: "test-dashboard-bot-token",
+            TELEGRAM_OWNER_USER_IDS: "1",
+            TELEGRAM_ADMIN_USER_IDS: "1",
+            LOG_LEVEL: "info",
+            ...extraEnv,
+        },
+        stdio: ["ignore", "pipe", "pipe"],
+    });
+    let output = "";
+    child.stdout.on("data", (chunk) => {
+        output += chunk.toString();
+    });
+    child.stderr.on("data", (chunk) => {
+        output += chunk.toString();
+    });
+    try {
+        await waitForServer(`http://127.0.0.1:${port}/health`, child);
+    }
+    catch (error) {
+        child.kill("SIGTERM");
+        rmSync(tempDir, { recursive: true, force: true });
+        throw new Error(`Server failed to start.\n${output}\n${String(error)}`);
+    }
+    return {
+        baseUrl: `http://127.0.0.1:${port}`,
+        customerDbFile: path.join(tempDir, "customer.sqlite"),
+        get output() {
+            return output;
+        },
+        async stop() {
+            await stopChild(child);
+            rmSync(tempDir, { recursive: true, force: true });
+        },
+    };
+}
+async function waitForServer(url, child, timeoutMs = 15_000) {
+    const startedAt = Date.now();
+    while (Date.now() - startedAt < timeoutMs) {
+        if (child.exitCode !== null) {
+            throw new Error(`server exited early with code ${child.exitCode}`);
+        }
+        try {
+            const response = await fetch(url);
+            if (response.ok) {
+                return;
+            }
+        }
+        catch {
+            // Retry until the timeout expires.
+        }
+        await new Promise((resolve) => setTimeout(resolve, 100));
+    }
+    throw new Error(`server did not become ready within ${timeoutMs}ms`);
+}
+async function stopChild(child) {
+    if (child.exitCode !== null) {
+        return;
+    }
+    child.kill("SIGTERM");
+    await new Promise((resolve) => {
+        const timer = setTimeout(() => {
+            if (child.exitCode === null) {
+                child.kill("SIGKILL");
+            }
+        }, 3_000);
+        child.once("exit", () => {
+            clearTimeout(timer);
+            resolve();
+        });
+    });
+}
+async function getFreePort() {
+    return await new Promise((resolve, reject) => {
+        const server = createServer();
+        server.listen(0, "127.0.0.1", () => {
+            const address = server.address();
+            if (!address || typeof address === "string") {
+                server.close();
+                reject(new Error("Could not resolve a free port"));
+                return;
+            }
+            const { port } = address;
+            server.close((error) => {
+                if (error) {
+                    reject(error);
+                    return;
+                }
+                resolve(port);
+            });
+        });
+        server.on("error", reject);
+    });
+}