tryassay 0.22.0 → 0.22.1

package/demo/js/timeline.js

@@ -1,394 +1,80 @@
-// timeline.js — Right panel phase steps + metrics + timing
-// Subscribes to AppState events, renders phase progression, verification results,
-// global elapsed clock, per-phase durations, and heartbeat feedback
+// timeline.js — Compact status bar updates (replaces old timeline panel)
+// Updates the bottom status bar with phase, elapsed time, and task counts.
 
-const PHASES = [
-  { id: 'idle', name: 'Idle' },
-  { id: 'initializing', name: 'Initializing' },
-  { id: 'plan_questioning', name: 'Refining Requirements' },
-  { id: 'plan_refining', name: 'Updating Requirements' },
-  { id: 'planning', name: 'Planning Architecture' },
-  { id: 'verifying_plan', name: 'Verifying Plan' },
-  { id: 'requirements_refining', name: 'Reviewing Plan' },
-  { id: 'scaffolding', name: 'Scaffolding Project' },
-  { id: 'building_feature', name: 'Building Features' },
-  { id: 'build_verifying', name: 'Verifying Code' },
-  { id: 'build_repairing', name: 'Repairing Build' },
-  { id: 'integration_verifying', name: 'Integration Verification' },
-  { id: 'functional_testing', name: 'Functional Testing' },
-  { id: 'functional_repairing', name: 'Repairing Failures' },
-  { id: 'cross_verifying', name: 'Cross-Verifying' },
-  { id: 'finalizing', name: 'Finalizing' },
-  { id: 'completed', name: 'Completed' },
-  { id: 'failed', name: 'Failed' }
-];
+const AppState = window.AppState;
 
-// Phases that map to a canonical phase for display
-const PHASE_ALIASES = {
-  'building_wave': 'building_feature',
-  'awaiting_approval': 'requirements_refining',
-};
+let clockInterval = null;
+let startTime = null;
 
-// Track per-phase data
-const phaseData = {};
-
-// ── Timing state ──
-let globalStartTime = null;
-let globalClockInterval = null;
-let activePhaseClockInterval = null;
-const phaseStartTimes = {};   // phaseId → timestamp
-const phaseDurations = {};    // phaseId → seconds
-let currentActivePhase = 'idle';
-
-// ── Heartbeat state ──
-let lastEventTime = null;
-let heartbeatInterval = null;
-const HEARTBEAT_THRESHOLD_MS = 4000; // show heartbeat after 4s of silence
-
-function resetPhaseData() {
-  for (const p of PHASES) {
-    phaseData[p.id] = { tasks: [], verifications: [] };
-  }
-}
-
-function resetTimingState() {
-  globalStartTime = null;
-  if (globalClockInterval) clearInterval(globalClockInterval);
-  if (activePhaseClockInterval) clearInterval(activePhaseClockInterval);
-  if (heartbeatInterval) clearInterval(heartbeatInterval);
-  globalClockInterval = null;
-  activePhaseClockInterval = null;
-  heartbeatInterval = null;
-  lastEventTime = null;
-  currentActivePhase = 'idle';
-  for (const key of Object.keys(phaseStartTimes)) delete phaseStartTimes[key];
-  for (const key of Object.keys(phaseDurations)) delete phaseDurations[key];
-
-  // Reset clock display
-  const clockEl = document.getElementById('global-clock');
-  const clockVal = document.getElementById('clock-value');
-  if (clockEl) clockEl.classList.add('hidden');
-  if (clockVal) clockVal.textContent = '00:00';
-}
-
-function resolvePhase(phaseId) {
-  return PHASE_ALIASES[phaseId] || phaseId;
-}
-
-function getPhaseIndex(phaseId) {
-  const resolved = resolvePhase(phaseId);
-  return PHASES.findIndex(p => p.id === resolved);
-}
-
-// ── Time formatting ──
-
-function formatElapsed(ms) {
-  const totalSec = Math.floor(ms / 1000);
-  const min = Math.floor(totalSec / 60);
-  const sec = totalSec % 60;
-  const tenths = Math.floor((ms % 1000) / 100);
-  if (min > 0) {
-    return `${min}:${sec.toString().padStart(2, '0')}.${tenths}`;
-  }
-  return `${sec}.${tenths}s`;
-}
-
-function formatClockDisplay(ms) {
-  const totalSec = Math.floor(ms / 1000);
-  const min = Math.floor(totalSec / 60);
-  const sec = totalSec % 60;
-  return `${min.toString().padStart(2, '0')}:${sec.toString().padStart(2, '0')}`;
-}
-
-// ── Global clock ──
-
-function startGlobalClock() {
-  if (globalStartTime) return; // already running
-  globalStartTime = Date.now();
-  const clockEl = document.getElementById('global-clock');
-  const clockVal = document.getElementById('clock-value');
-  if (clockEl) clockEl.classList.remove('hidden');
-
-  globalClockInterval = setInterval(() => {
-    if (!globalStartTime) return;
-    const elapsed = Date.now() - globalStartTime;
-    if (clockVal) clockVal.textContent = formatClockDisplay(elapsed);
-  }, 100);
-}
-
-function stopGlobalClock() {
-  // Don't clear globalStartTime — keep final time displayed
-  if (globalClockInterval) {
-    clearInterval(globalClockInterval);
-    globalClockInterval = null;
-  }
-}
-
-// ── Phase timing ──
-
-function onPhaseEnter(phaseId) {
-  const resolved = resolvePhase(phaseId);
-
-  // Start global clock on first non-idle phase
-  if (resolved !== 'idle') {
-    startGlobalClock();
-  }
-
-  // Record phase start
-  phaseStartTimes[resolved] = Date.now();
-  currentActivePhase = resolved;
-  lastEventTime = Date.now();
-
-  // Start active phase clock (updates the active step's elapsed badge)
-  if (activePhaseClockInterval) clearInterval(activePhaseClockInterval);
-  activePhaseClockInterval = setInterval(() => {
-    updateActivePhaseElapsed();
-    updateHeartbeat();
-  }, 100);
-
-  // Stop global clock on terminal phases
-  if (resolved === 'completed' || resolved === 'failed') {
-    stopGlobalClock();
-    // Record final duration for the terminal phase itself
-    phaseDurations[resolved] = 0;
-    if (activePhaseClockInterval) {
-      clearInterval(activePhaseClockInterval);
-      activePhaseClockInterval = null;
-    }
-    if (heartbeatInterval) {
-      clearInterval(heartbeatInterval);
-      heartbeatInterval = null;
+export function initTimeline() {
+  AppState.on('phase_change', ({ from, to }) => {
+    if (from === 'idle' && to !== 'idle') {
+      startClock();
     }
-  }
-}
-
-function onPhaseExit(phaseId) {
-  const resolved = resolvePhase(phaseId);
-  const start = phaseStartTimes[resolved];
-  if (start) {
-    phaseDurations[resolved] = (Date.now() - start) / 1000;
-  }
-}
-
-function updateActivePhaseElapsed() {
-  const resolved = currentActivePhase;
-  const start = phaseStartTimes[resolved];
-  if (!start) return;
-
-  const elapsedEl = document.querySelector('.phase-elapsed-live');
-  if (elapsedEl) {
-    const elapsed = Date.now() - start;
-    elapsedEl.textContent = formatElapsed(elapsed);
-  }
-}
-
-// ── Heartbeat ──
-
-function recordEvent() {
-  lastEventTime = Date.now();
-  // Hide heartbeat immediately when event arrives
-  const hb = document.querySelector('.heartbeat-indicator');
-  if (hb) hb.classList.remove('visible');
-}
-
-function updateHeartbeat() {
-  if (!lastEventTime) return;
-  const silence = Date.now() - lastEventTime;
-  const hb = document.querySelector('.heartbeat-indicator');
-  if (!hb) return;
-
-  if (silence > HEARTBEAT_THRESHOLD_MS) {
-    hb.classList.add('visible');
-  } else {
-    hb.classList.remove('visible');
-  }
-}
-
-// ── Render ──
 
-function renderSteps(currentPhase) {
-  const container = document.getElementById('timeline-steps');
-  if (!container) return;
-
-  const currentIdx = getPhaseIndex(currentPhase);
-
-  container.innerHTML = '';
-
-  for (let i = 0; i < PHASES.length; i++) {
-    const phase = PHASES[i];
-    const step = document.createElement('div');
-    step.className = 'timeline-step';
-    step.dataset.phase = phase.id;
-
-    if (i < currentIdx) {
-      step.classList.add('completed');
-    } else if (i === currentIdx) {
-      step.classList.add('active');
-    } else {
-      step.classList.add('pending');
+    const phaseEl = document.getElementById('status-phase');
+    if (phaseEl) {
+      phaseEl.textContent = `phase: ${formatPhase(to)}`;
     }
 
-    // Step header row: name + duration
-    const headerRow = document.createElement('div');
-    headerRow.className = 'step-header';
-
-    const nameEl = document.createElement('div');
-    nameEl.className = 'step-name';
-    nameEl.textContent = phase.name;
-    headerRow.appendChild(nameEl);
-
-    // Duration badge for completed phases
-    if (i < currentIdx && phaseDurations[phase.id] !== undefined) {
-      const dur = phaseDurations[phase.id];
-      const durEl = document.createElement('span');
-      durEl.className = 'phase-duration';
-      durEl.textContent = dur < 60 ? `${dur.toFixed(1)}s` : `${Math.floor(dur / 60)}m${Math.floor(dur % 60)}s`;
-      headerRow.appendChild(durEl);
+    const clockEl = document.getElementById('global-clock');
+    if (clockEl && to !== 'idle') {
+      clockEl.classList.remove('hidden');
     }
 
-    // Live elapsed for active phase
-    if (i === currentIdx && phase.id !== 'idle' && phase.id !== 'completed' && phase.id !== 'failed') {
-      const elapsedEl = document.createElement('span');
-      elapsedEl.className = 'phase-elapsed-live';
-      const start = phaseStartTimes[phase.id];
-      if (start) {
-        elapsedEl.textContent = formatElapsed(Date.now() - start);
-      }
-      headerRow.appendChild(elapsedEl);
+    if (to === 'completed' || to === 'failed') {
+      stopClock();
     }
+  });
 
-    step.appendChild(headerRow);
-
-    // Heartbeat indicator (only on active step)
-    if (i === currentIdx && phase.id !== 'idle' && phase.id !== 'completed' && phase.id !== 'failed') {
-      const hbEl = document.createElement('div');
-      hbEl.className = 'heartbeat-indicator';
-      hbEl.innerHTML = '<span class="heartbeat-dot"></span> working';
-      step.appendChild(hbEl);
+  AppState.on('metric_update', (metrics) => {
+    const tasksEl = document.getElementById('status-tasks');
+    if (tasksEl) {
+      tasksEl.textContent = `tasks: ${metrics.tasksComplete}/${metrics.totalTasks}`;
     }
+  });
 
-    const detailsEl = document.createElement('div');
-    detailsEl.className = 'step-details';
-
-    const data = phaseData[phase.id];
-    if (data) {
-      for (const task of data.tasks) {
-        const taskEl = document.createElement('div');
-        taskEl.className = 'step-task';
-        const badge = document.createElement('span');
-        badge.className = 'agent-badge';
-        badge.textContent = task.agent || 'agent';
-        taskEl.appendChild(badge);
-        const label = document.createTextNode(` ${task.name || task.title || task.id}`);
-        taskEl.appendChild(label);
-        detailsEl.appendChild(taskEl);
-      }
-
-      for (const v of data.verifications) {
-        const vEl = document.createElement('div');
-        vEl.className = 'verification-item';
-        vEl.classList.add(v.result === 'pass' ? 'pass' : 'fail');
-
-        const icon = document.createTextNode(v.result === 'pass' ? '\u2713 ' : '\u2717 ');
-        vEl.appendChild(icon);
-
-        const claim = document.createTextNode(v.claim || v.message || 'claim');
-        vEl.appendChild(claim);
+  AppState.on('reset', () => {
+    stopClock();
+    const phaseEl = document.getElementById('status-phase');
+    const elapsedEl = document.getElementById('status-elapsed');
+    const tasksEl = document.getElementById('status-tasks');
+    const clockEl = document.getElementById('global-clock');
+    if (phaseEl) phaseEl.textContent = 'phase: idle';
+    if (elapsedEl) elapsedEl.textContent = 'elapsed: 00:00';
+    if (tasksEl) tasksEl.textContent = 'tasks: 0/0';
+    if (clockEl) clockEl.classList.add('hidden');
+  });
+}
 
-        const methodBadge = document.createElement('span');
-        methodBadge.className = 'method-badge';
-        methodBadge.textContent = v.method || 'llm';
-        vEl.appendChild(methodBadge);
+function startClock() {
+  startTime = Date.now();
+  clockInterval = setInterval(() => {
+    const elapsed = Date.now() - startTime;
+    const formatted = formatTime(elapsed);
 
-        detailsEl.appendChild(vEl);
-      }
-    }
+    const elapsedEl = document.getElementById('status-elapsed');
+    if (elapsedEl) elapsedEl.textContent = `elapsed: ${formatted}`;
 
-    step.appendChild(detailsEl);
-    container.appendChild(step);
-  }
+    const clockValue = document.getElementById('clock-value');
+    if (clockValue) clockValue.textContent = formatted;
+  }, 1000);
+}
 
-  // Auto-scroll to active step
-  const activeStep = container.querySelector('.timeline-step.active');
-  if (activeStep) {
-    activeStep.scrollIntoView({ behavior: 'smooth', block: 'nearest' });
+function stopClock() {
+  if (clockInterval) {
+    clearInterval(clockInterval);
+    clockInterval = null;
   }
 }
 
-function updateMetrics(metrics) {
-  const tasks = document.getElementById('metric-tasks');
-  const claims = document.getElementById('metric-claims');
-  const failed = document.getElementById('metric-failed');
-  const files = document.getElementById('metric-files');
-
-  if (tasks) tasks.textContent = `${metrics.tasksComplete}/${metrics.totalTasks}`;
-  if (claims) claims.textContent = metrics.claimsVerified;
-  if (failed) failed.textContent = metrics.claimsFailed;
-  if (files) files.textContent = metrics.filesGenerated;
+function formatTime(ms) {
+  const totalSeconds = Math.floor(ms / 1000);
+  const minutes = Math.floor(totalSeconds / 60);
+  const seconds = totalSeconds % 60;
+  return `${String(minutes).padStart(2, '0')}:${String(seconds).padStart(2, '0')}`;
 }
 
-export function initTimeline() {
-  const state = window.AppState;
-  if (!state) return;
-
-  resetPhaseData();
-  resetTimingState();
-  renderSteps('idle');
-  updateMetrics(state.get().metrics);
-
-  state.on('phase_change', ({ from, to }) => {
-    const resolvedFrom = resolvePhase(from);
-    const resolvedTo = resolvePhase(to);
-
-    // Record duration for outgoing phase
-    onPhaseExit(resolvedFrom);
-
-    // Start timing for incoming phase
-    onPhaseEnter(resolvedTo);
-
-    renderSteps(resolvedTo);
-    recordEvent();
-  });
-
-  state.on('task_update', (task) => {
-    if (!task) return;
-    const currentPhase = resolvePhase(state.get().phase);
-
-    // Handle single task
-    if (task && task.id) {
-      const pd = phaseData[currentPhase];
-      if (pd && !pd.tasks.find(t => t.id === task.id)) {
-        pd.tasks.push(task);
-      }
-      renderSteps(currentPhase);
-    }
-    recordEvent();
-  });
-
-  state.on('verification', (v) => {
-    if (!v) return;
-    const currentPhase = resolvePhase(state.get().phase);
-    const pd = phaseData[currentPhase];
-    if (pd) {
-      pd.verifications.push(v);
-      renderSteps(currentPhase);
-    }
-    recordEvent();
-  });
-
-  state.on('code_generated', () => {
-    recordEvent();
-  });
-
-  state.on('metric_update', (metrics) => {
-    updateMetrics(metrics);
-    recordEvent();
-  });
-
-  state.on('reset', () => {
-    resetPhaseData();
-    resetTimingState();
-    renderSteps('idle');
-    updateMetrics({ tasksComplete: 0, totalTasks: 0, claimsVerified: 0, claimsFailed: 0, filesGenerated: 0 });
-  });
+function formatPhase(phase) {
+  return phase.replace(/_/g, ' ').replace(/\b\w/g, c => c);
 }

package/dist/api/server.d.ts

@@ -4,8 +4,10 @@ export declare class TeamApiServer {
     private appSessions;
     private server;
     private port;
+    private demoMode;
     constructor(opts?: {
         port?: number;
+        demoMode?: boolean;
     });
     /** Register an API key for testing/development. */
     registerApiKey(key: string, tier: 'team' | 'pro' | 'platform', orgId: string): void;

package/dist/api/server.js

@@ -11,18 +11,22 @@
 // ============================================================
 import { createServer } from 'node:http';
 import { randomUUID } from 'node:crypto';
-import { spawn } from 'node:child_process';
 import { PricingEnforcer } from './pricing-enforcer.js';
 import { TeamSessionManager } from './team-session.js';
 import { AppCreateOrchestrator } from '../runtime/app-create-orchestrator.js';
+import { validateAppDescription } from '../runtime/input-validator.js';
+import { scanForInjection } from '../runtime/prompt-guard.js';
+import { safeSpawn } from '../runtime/safe-executor.js';
 export class TeamApiServer {
     pricingEnforcer;
     sessionManager;
     appSessions = new Map();
     server = null;
     port;
+    demoMode;
     constructor(opts) {
         this.port = opts?.port ?? 3800;
+        this.demoMode = opts?.demoMode ?? false;
         this.pricingEnforcer = new PricingEnforcer();
         this.sessionManager = new TeamSessionManager();
     }
@@ -72,15 +76,17 @@ export class TeamApiServer {
             res.end();
             return;
         }
-        // Authenticate
+        // Authenticate (skip in demo mode)
         const apiKey = this.extractApiKey(req);
-        if (!apiKey && path !== '/health') {
-            this.sendError(res, 401, 'Missing API key. Include Authorization: Bearer <key>');
-            return;
-        }
-        if (apiKey && !this.pricingEnforcer.isValidKey(apiKey) && path !== '/health') {
-            this.sendError(res, 403, 'Invalid API key');
-            return;
+        if (!this.demoMode) {
+            if (!apiKey && path !== '/health') {
+                this.sendError(res, 401, 'Missing API key. Include Authorization: Bearer <key>');
+                return;
+            }
+            if (apiKey && !this.pricingEnforcer.isValidKey(apiKey) && path !== '/health') {
+                this.sendError(res, 403, 'Invalid API key');
+                return;
+            }
         }
         // Route
         if (path === '/health' && method === 'GET') {
@@ -283,26 +289,41 @@ export class TeamApiServer {
     // ── App Creation Handlers ────────────────────────────────
     async handleAppCreate(req, res, _apiKey) {
         const body = await this.readBody(req);
-        let request;
+        let parsed;
         try {
-            request = JSON.parse(body);
+            parsed = JSON.parse(body);
         }
         catch {
             this.sendError(res, 400, 'Invalid JSON body');
             return;
         }
-        if (!request.name || !request.description || !request.techStack) {
-            this.sendError(res, 400, 'Missing required fields: name, description, techStack');
+        // Validate and sanitize input at the trust boundary
+        const validation = validateAppDescription(parsed);
+        if (!validation.valid) {
+            this.sendError(res, 400, `Validation: ${validation.errors.map(e => `${e.field}: ${e.message}`).join('; ')}`);
             return;
         }
+        const request = validation.sanitized;
+        // Scan for prompt injection in user-provided text
+        const descGuard = scanForInjection(request.description);
+        if (descGuard.action === 'block') {
+            this.sendError(res, 400, `Request blocked: suspicious content detected in description (score: ${descGuard.score.toFixed(2)})`);
+            return;
+        }
+        if (descGuard.action === 'warn') {
+            console.warn(`[prompt-guard] Warning on app description (score: ${descGuard.score.toFixed(2)}):`, descGuard.findings);
+        }
         // Parse optional flags from request body
-        const bodyParsed = JSON.parse(body);
+        const bodyParsed = parsed;
         const sessionId = randomUUID();
         const orchestrator = new AppCreateOrchestrator(request, {
             outputPath: process.cwd(),
             autoApprove: bodyParsed.autoApprove,
             skipFunctionalTesting: bodyParsed.skipFunctionalTesting,
             skipPlanQuestions: bodyParsed.skipPlanQuestions,
+            supabaseOrgId: process.env.SUPABASE_ORG_ID,
+            supabaseRegion: process.env.SUPABASE_REGION,
+            documents: bodyParsed.documents,
         });
         const session = {
             id: sessionId,
@@ -563,6 +584,16 @@ export class TeamApiServer {
             this.sendError(res, 400, 'Missing required field: answers (array)');
             return;
         }
+        // Scan custom text answers for prompt injection
+        for (const answer of parsed.answers) {
+            if (answer.customText) {
+                const answerGuard = scanForInjection(answer.customText);
+                if (answerGuard.action === 'block') {
+                    this.sendError(res, 400, `Answer blocked: suspicious content in custom text (score: ${answerGuard.score.toFixed(2)})`);
+                    return;
+                }
+            }
+        }
         session.orchestrator.submitAnswers(parsed.answers);
         this.sendJson(res, 200, { status: 'received' });
     }
@@ -589,7 +620,22 @@ export class TeamApiServer {
             this.sendError(res, 400, 'Missing required field: message (string)');
             return;
         }
-        session.orchestrator.submitChatMessage(parsed.message, parsed.cardAnswers);
+        // Scan chat message for prompt injection
+        const chatGuard = scanForInjection(parsed.message);
+        if (chatGuard.action === 'block') {
+            this.sendError(res, 400, `Message blocked: suspicious content detected (score: ${chatGuard.score.toFixed(2)})`);
+            return;
+        }
+        if (chatGuard.action === 'warn') {
+            console.warn(`[prompt-guard] Warning on chat message (score: ${chatGuard.score.toFixed(2)}):`, chatGuard.findings);
+        }
+        // Append document contents to message if provided
+        let messageWithDocs = parsed.message;
+        if (parsed.documents && parsed.documents.length > 0) {
+            const docText = parsed.documents.map(d => `\n\n--- Attached: ${d.name} ---\n${d.content}`).join('');
+            messageWithDocs = parsed.message + docText;
+        }
+        session.orchestrator.submitChatMessage(messageWithDocs, parsed.cardAnswers);
         this.sendJson(res, 200, { status: 'received' });
     }
     // ── App Launch Handlers ─────────────────────────────────
@@ -613,9 +659,8 @@ export class TeamApiServer {
         }
         const projectPath = session.result.projectPath;
         session.launchStatus = 'installing';
-        const install = spawn('npm', ['install'], {
+        const install = safeSpawn('npm', ['install'], {
             cwd: projectPath,
-            shell: true,
             stdio: ['ignore', 'pipe', 'pipe'],
         });
         install.on('close', (code) => {
@@ -625,9 +670,8 @@ export class TeamApiServer {
                 return;
             }
             session.launchStatus = 'starting';
-            const dev = spawn('npm', ['run', 'dev'], {
+            const dev = safeSpawn('npm', ['run', 'dev'], {
                 cwd: projectPath,
-                shell: true,
                 stdio: ['ignore', 'pipe', 'pipe'],
             });
             session.launchProcess = dev;