npm - upfynai-code - Versions diffs - 3.0.4 → 3.2.0 - Mend

upfynai-code 3.0.4 → 3.2.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (258) hide show

package/server/tests/sessions.test.js DELETED Viewed

@@ -1,259 +0,0 @@
-/**
- * End-to-end tests for Session Management & Sandbox Integration
- *
- * These tests verify the new session management REST API, session registry,
- * sandbox command routing, and multi-tab session support.
- *
- * Run: node --test backend/server/tests/sessions.test.js
- */
-import { describe, it, before, after, mock } from 'node:test';
-import assert from 'node:assert/strict';
-// ── Test 1: Session Registry — getAllActiveSessions returns unified list ──
-describe('Session Registry', () => {
-  it('getAllActiveSessions merges sessions from all providers', async () => {
-    // Mock the provider modules before importing sessionRegistry
-    const mockClaudeSessions = ['session-claude-1', 'session-claude-2'];
-    const mockCursorSessions = ['session-cursor-1'];
-    const mockCodexSessions = [{ id: 'session-codex-1', status: 'running', startedAt: new Date().toISOString() }];
-    // Direct test of the registry logic
-    const sessions = [];
-    // Simulate Claude sessions
-    for (const id of mockClaudeSessions) {
-      sessions.push({ sessionId: id, provider: 'claude', status: 'active' });
-    }
-    // Simulate Cursor sessions
-    for (const id of mockCursorSessions) {
-      sessions.push({ sessionId: id, provider: 'cursor', status: 'active' });
-    }
-    // Simulate Codex sessions
-    for (const s of mockCodexSessions) {
-      sessions.push({ sessionId: s.id, provider: 'codex', status: 'active', startedAt: s.startedAt });
-    }
-    assert.equal(sessions.length, 4, 'Should have 4 total sessions across providers');
-    assert.equal(sessions.filter(s => s.provider === 'claude').length, 2);
-    assert.equal(sessions.filter(s => s.provider === 'cursor').length, 1);
-    assert.equal(sessions.filter(s => s.provider === 'codex').length, 1);
-    // Verify all have required fields
-    for (const s of sessions) {
-      assert.ok(s.sessionId, 'Each session must have sessionId');
-      assert.ok(s.provider, 'Each session must have provider');
-      assert.ok(s.status, 'Each session must have status');
-    }
-  });
-  it('abortSession routes to correct provider', async () => {
-    const abortLog = [];
-    // Simulate abort routing
-    const abortByProvider = (sessionId, provider) => {
-      abortLog.push({ sessionId, provider });
-      return true;
-    };
-    const result1 = abortByProvider('s1', 'claude');
-    const result2 = abortByProvider('s2', 'cursor');
-    const result3 = abortByProvider('s3', 'codex');
-    assert.equal(result1, true);
-    assert.equal(result2, true);
-    assert.equal(result3, true);
-    assert.deepEqual(abortLog, [
-      { sessionId: 's1', provider: 'claude' },
-      { sessionId: 's2', provider: 'cursor' },
-      { sessionId: 's3', provider: 'codex' },
-    ]);
-  });
-});
-// ── Test 2: Sessions REST API route structure ──
-describe('Sessions REST API', () => {
-  it('route file exports a valid Express router', async () => {
-    const sessionRoutes = await import('../routes/sessions.js');
-    assert.ok(sessionRoutes.default, 'Should export a default router');
-    assert.equal(typeof sessionRoutes.default, 'function', 'Router should be a function');
-    // Check the router has registered routes
-    const routes = sessionRoutes.default.stack || [];
-    const paths = routes
-      .filter(r => r.route)
-      .map(r => `${Object.keys(r.route.methods)[0].toUpperCase()} ${r.route.path}`);
-    assert.ok(paths.includes('GET /'), 'Should have GET / route');
-    assert.ok(paths.includes('GET /stats'), 'Should have GET /stats route');
-    assert.ok(paths.some(p => p.includes('GET /:sessionId')), 'Should have GET /:sessionId route');
-    assert.ok(paths.some(p => p.includes('POST') && p.includes('abort')), 'Should have POST abort route');
-    assert.ok(paths.includes('POST /abort-all'), 'Should have POST /abort-all route');
-  });
-});
-// ── Test 3: Sandbox command router — action routing ──
-describe('Sandbox Command Router', () => {
-  it('handleSandboxWebSocketCommand returns false when sandbox unavailable', async () => {
-    // Import the module
-    const { handleSandboxWebSocketCommand } = await import('../middleware/sandboxRouter.js');
-    // Override sandboxClient.isAvailable to return false
-    // Since we can't easily mock ES modules, we test the contract:
-    // When sandbox service is not running, it should return false
-    const mockWriter = {
-      messages: [],
-      send(msg) { this.messages.push(msg); }
-    };
-    // This will fail to connect to sandbox service (not running locally)
-    // and should return false gracefully
-    const result = await handleSandboxWebSocketCommand('test-user', 'claude-command', {}, mockWriter);
-    assert.equal(result, false, 'Should return false when sandbox service is unavailable');
-  });
-  it('sandboxCommandRouter middleware calls next() when relay is active', async () => {
-    const { sandboxCommandRouter } = await import('../middleware/sandboxRouter.js');
-    let nextCalled = false;
-    const req = { hasRelay: () => true, body: {} };
-    const res = {};
-    const next = () => { nextCalled = true; };
-    sandboxCommandRouter(req, res, next);
-    assert.equal(nextCalled, true, 'Should call next() when relay is active');
-  });
-});
-// ── Test 4: Session lock and subscriber functions ──
-describe('Multi-tab Session Support', () => {
-  it('session subscriber management works correctly', () => {
-    // Simulate the subscriber maps
-    const sessionSubscribers = new Map();
-    function subscribeToSession(sessionId, ws) {
-      if (!sessionSubscribers.has(sessionId)) {
-        sessionSubscribers.set(sessionId, new Set());
-      }
-      sessionSubscribers.get(sessionId).add(ws);
-    }
-    function unsubscribeFromSession(sessionId, ws) {
-      const subs = sessionSubscribers.get(sessionId);
-      if (subs) {
-        subs.delete(ws);
-        if (subs.size === 0) sessionSubscribers.delete(sessionId);
-      }
-    }
-    function unsubscribeAllForWs(ws) {
-      for (const [sessionId, subs] of sessionSubscribers.entries()) {
-        subs.delete(ws);
-        if (subs.size === 0) sessionSubscribers.delete(sessionId);
-      }
-    }
-    const ws1 = { id: 'tab1' };
-    const ws2 = { id: 'tab2' };
-    const ws3 = { id: 'tab3' };
-    // Tab 1 and Tab 2 subscribe to same session
-    subscribeToSession('session-A', ws1);
-    subscribeToSession('session-A', ws2);
-    assert.equal(sessionSubscribers.get('session-A').size, 2, 'Two subscribers for session-A');
-    // Tab 3 subscribes to different session
-    subscribeToSession('session-B', ws3);
-    assert.equal(sessionSubscribers.size, 2, 'Two sessions with subscribers');
-    // Unsubscribe Tab 1 from session-A
-    unsubscribeFromSession('session-A', ws1);
-    assert.equal(sessionSubscribers.get('session-A').size, 1, 'One subscriber remaining');
-    // Disconnect Tab 2 (cleanup all)
-    unsubscribeAllForWs(ws2);
-    assert.equal(sessionSubscribers.has('session-A'), false, 'Session-A cleaned up after last sub');
-    assert.equal(sessionSubscribers.has('session-B'), true, 'Session-B still has subscriber');
-    // Disconnect Tab 3
-    unsubscribeAllForWs(ws3);
-    assert.equal(sessionSubscribers.size, 0, 'All subscribers cleaned up');
-  });
-  it('session lock allows owner but blocks other tabs', () => {
-    const sessionLocks = new Map();
-    function acquireSessionLock(sessionId, ws) {
-      if (!sessionId) return true;
-      const existingWs = sessionLocks.get(sessionId);
-      if (existingWs && existingWs !== ws && existingWs.readyState === 1) {
-        return false;
-      }
-      sessionLocks.set(sessionId, ws);
-      return true;
-    }
-    const ws1 = { id: 'tab1', readyState: 1 };
-    const ws2 = { id: 'tab2', readyState: 1 };
-    // Tab 1 acquires lock
-    assert.equal(acquireSessionLock('session-X', ws1), true, 'Tab 1 should acquire lock');
-    // Tab 2 tries to lock same session — should fail
-    assert.equal(acquireSessionLock('session-X', ws2), false, 'Tab 2 should be blocked');
-    // Tab 1 can re-acquire its own lock
-    assert.equal(acquireSessionLock('session-X', ws1), true, 'Tab 1 can re-acquire');
-  });
-});
-// ── Test 5: Workspace and integration verification ──
-describe('Integration Checks', () => {
-  it('root package.json includes sandbox-service in workspaces', async () => {
-    const fs = await import('fs');
-    const path = await import('path');
-    const { fileURLToPath } = await import('url');
-    const __dirname = path.dirname(fileURLToPath(import.meta.url));
-    const rootPkg = JSON.parse(fs.readFileSync(path.join(__dirname, '..', '..', '..', 'package.json'), 'utf8'));
-    assert.ok(
-      rootPkg.workspaces.includes('sandbox-service'),
-      'sandbox-service should be in workspaces'
-    );
-  });
-  it('session routes are importable and have correct structure', async () => {
-    const registry = await import('../services/sessionRegistry.js');
-    // Verify all exported functions exist
-    assert.equal(typeof registry.getAllActiveSessions, 'function');
-    assert.equal(typeof registry.checkSessionStatus, 'function');
-    assert.equal(typeof registry.abortSession, 'function');
-    assert.equal(typeof registry.abortAllSessions, 'function');
-    assert.equal(typeof registry.getSessionStats, 'function');
-  });
-  it('sandbox router exports both middleware and WS handler', async () => {
-    const router = await import('../middleware/sandboxRouter.js');
-    assert.equal(typeof router.sandboxCommandRouter, 'function');
-    assert.equal(typeof router.handleSandboxWebSocketCommand, 'function');
-  });
-  it('session stats returns correct shape', async () => {
-    const { getSessionStats } = await import('../services/sessionRegistry.js');
-    const stats = getSessionStats();
-    assert.equal(typeof stats.total, 'number');
-    assert.equal(typeof stats.active, 'number');
-    assert.ok(stats.byProvider, 'Should have byProvider');
-    assert.equal(typeof stats.byProvider.claude, 'number');
-    assert.equal(typeof stats.byProvider.cursor, 'number');
-    assert.equal(typeof stats.byProvider.codex, 'number');
-  });
-});

package/server/utils/commandParser.js DELETED Viewed

@@ -1,303 +0,0 @@
-import matter from 'gray-matter';
-import { promises as fs } from 'fs';
-import path from 'path';
-import { execFile } from 'child_process';
-import { promisify } from 'util';
-import { parse as parseShellCommand } from 'shell-quote';
-const execFileAsync = promisify(execFile);
-// Configuration
-const MAX_INCLUDE_DEPTH = 3;
-const BASH_TIMEOUT = 30000; // 30 seconds
-const BASH_COMMAND_ALLOWLIST = [
-  'echo',
-  'ls',
-  'pwd',
-  'date',
-  'whoami',
-  'git',
-  'npm',
-  'node',
-  'cat',
-  'grep',
-  'find',
-  'task-master'
-];
-/**
- * Parse a markdown command file and extract frontmatter and content
- * @param {string} content - Raw markdown content
- * @returns {object} Parsed command with data (frontmatter) and content
- */
-export function parseCommand(content) {
-  try {
-    const parsed = matter(content);
-    return {
-      data: parsed.data || {},
-      content: parsed.content || '',
-      raw: content
-    };
-  } catch (error) {
-    throw new Error(`Failed to parse command: ${error.message}`);
-  }
-}
-/**
- * Replace argument placeholders in content
- * @param {string} content - Content with placeholders
- * @param {string|array} args - Arguments to replace (string or array)
- * @returns {string} Content with replaced arguments
- */
-export function replaceArguments(content, args) {
-  if (!content) return content;
-  let result = content;
-  // Convert args to array if it's a string
-  const argsArray = Array.isArray(args) ? args : (args ? [args] : []);
-  // Replace $ARGUMENTS with all arguments joined by space
-  const allArgs = argsArray.join(' ');
-  result = result.replace(/\$ARGUMENTS/g, allArgs);
-  // Replace positional arguments $1-$9
-  for (let i = 1; i <= 9; i++) {
-    const regex = new RegExp(`\\$${i}`, 'g');
-    const value = argsArray[i - 1] || '';
-    result = result.replace(regex, value);
-  }
-  return result;
-}
-/**
- * Validate file path to prevent directory traversal
- * @param {string} filePath - Path to validate
- * @param {string} basePath - Base directory path
- * @returns {boolean} True if path is safe
- */
-export function isPathSafe(filePath, basePath) {
-  const resolvedPath = path.resolve(basePath, filePath);
-  const resolvedBase = path.resolve(basePath);
-  const relative = path.relative(resolvedBase, resolvedPath);
-  return (
-    relative !== '' &&
-    !relative.startsWith('..') &&
-    !path.isAbsolute(relative)
-  );
-}
-/**
- * Process file includes in content (@filename syntax)
- * @param {string} content - Content with @filename includes
- * @param {string} basePath - Base directory for resolving file paths
- * @param {number} depth - Current recursion depth
- * @returns {Promise<string>} Content with includes resolved
- */
-export async function processFileIncludes(content, basePath, depth = 0) {
-  if (!content) return content;
-  // Prevent infinite recursion
-  if (depth >= MAX_INCLUDE_DEPTH) {
-    throw new Error(`Maximum include depth (${MAX_INCLUDE_DEPTH}) exceeded`);
-  }
-  // Match @filename patterns (at start of line or after whitespace)
-  const includePattern = /(?:^|\s)@([^\s]+)/gm;
-  const matches = [...content.matchAll(includePattern)];
-  if (matches.length === 0) {
-    return content;
-  }
-  let result = content;
-  for (const match of matches) {
-    const fullMatch = match[0];
-    const filename = match[1];
-    // Security: prevent directory traversal
-    if (!isPathSafe(filename, basePath)) {
-      throw new Error(`Invalid file path (directory traversal detected): ${filename}`);
-    }
-    try {
-      const filePath = path.resolve(basePath, filename);
-      const fileContent = await fs.readFile(filePath, 'utf-8');
-      // Recursively process includes in the included file
-      const processedContent = await processFileIncludes(fileContent, basePath, depth + 1);
-      // Replace the @filename with the file content
-      result = result.replace(fullMatch, fullMatch.startsWith(' ') ? ' ' + processedContent : processedContent);
-    } catch (error) {
-      if (error.code === 'ENOENT') {
-        throw new Error(`File not found: ${filename}`);
-      }
-      throw error;
-    }
-  }
-  return result;
-}
-/**
- * Validate that a command and its arguments are safe
- * @param {string} commandString - Command string to validate
- * @returns {{ allowed: boolean, command: string, args: string[], error?: string }} Validation result
- */
-export function validateCommand(commandString) {
-  const trimmedCommand = commandString.trim();
-  if (!trimmedCommand) {
-    return { allowed: false, command: '', args: [], error: 'Empty command' };
-  }
-  // Parse the command using shell-quote to handle quotes properly
-  const parsed = parseShellCommand(trimmedCommand);
-  // Check for shell operators or control structures
-  const hasOperators = parsed.some(token =>
-    typeof token === 'object' && token.op
-  );
-  if (hasOperators) {
-    return {
-      allowed: false,
-      command: '',
-      args: [],
-      error: 'Shell operators (&&, ||, |, ;, etc.) are not allowed'
-    };
-  }
-  // Extract command and args (all should be strings after validation)
-  const tokens = parsed.filter(token => typeof token === 'string');
-  if (tokens.length === 0) {
-    return { allowed: false, command: '', args: [], error: 'No valid command found' };
-  }
-  const [command, ...args] = tokens;
-  // Extract just the command name (remove path if present)
-  const commandName = path.basename(command);
-  // Check if command exactly matches allowlist (no prefix matching)
-  const isAllowed = BASH_COMMAND_ALLOWLIST.includes(commandName);
-  if (!isAllowed) {
-    return {
-      allowed: false,
-      command: commandName,
-      args,
-      error: `Command '${commandName}' is not in the allowlist`
-    };
-  }
-  // Validate arguments don't contain dangerous metacharacters
-  const dangerousPattern = /[;&|`$()<>{}[\]\\]/;
-  for (const arg of args) {
-    if (dangerousPattern.test(arg)) {
-      return {
-        allowed: false,
-        command: commandName,
-        args,
-        error: `Argument contains dangerous characters: ${arg}`
-      };
-    }
-  }
-  return { allowed: true, command: commandName, args };
-}
-/**
- * Backward compatibility: Check if command is allowed (deprecated)
- * @deprecated Use validateCommand() instead for better security
- * @param {string} command - Command to validate
- * @returns {boolean} True if command is allowed
- */
-export function isBashCommandAllowed(command) {
-  const result = validateCommand(command);
-  return result.allowed;
-}
-/**
- * Sanitize bash command output
- * @param {string} output - Raw command output
- * @returns {string} Sanitized output
- */
-export function sanitizeOutput(output) {
-  if (!output) return '';
-  // Remove control characters except \t, \n, \r
-  return [...output]
-    .filter(ch => {
-      const code = ch.charCodeAt(0);
-      return code === 9  // \t
-          || code === 10 // \n
-          || code === 13 // \r
-          || (code >= 32 && code !== 127);
-    })
-    .join('');
-}
-/**
- * Process bash commands in content (!command syntax)
- * @param {string} content - Content with !command syntax
- * @param {object} options - Options for bash execution
- * @returns {Promise<string>} Content with bash commands executed and replaced
- */
-export async function processBashCommands(content, options = {}) {
-  if (!content) return content;
-  const { cwd = process.cwd(), timeout = BASH_TIMEOUT } = options;
-  // Match !command patterns (at start of line or after whitespace)
-  const commandPattern = /(?:^|\n)!(.+?)(?=\n|$)/g;
-  const matches = [...content.matchAll(commandPattern)];
-  if (matches.length === 0) {
-    return content;
-  }
-  let result = content;
-  for (const match of matches) {
-    const fullMatch = match[0];
-    const commandString = match[1].trim();
-    // Security: validate command and parse args
-    const validation = validateCommand(commandString);
-    if (!validation.allowed) {
-      throw new Error(`Command not allowed: ${commandString} - ${validation.error}`);
-    }
-    try {
-      // Execute without shell using execFile with parsed args
-      const { stdout, stderr } = await execFileAsync(
-        validation.command,
-        validation.args,
-        {
-          cwd,
-          timeout,
-          maxBuffer: 1024 * 1024, // 1MB max output
-          shell: false, // IMPORTANT: No shell interpretation
-          env: { ...process.env, PATH: process.env.PATH } // Inherit PATH for finding commands
-        }
-      );
-      const output = sanitizeOutput(stdout || stderr || '');
-      // Replace the !command with the output
-      result = result.replace(fullMatch, fullMatch.startsWith('\n') ? '\n' + output : output);
-    } catch (error) {
-      if (error.killed) {
-        throw new Error(`Command timeout: ${commandString}`);
-      }
-      throw new Error(`Command failed: ${commandString} - ${error.message}`);
-    }
-  }
-  return result;
-}

package/server/utils/email.js DELETED Viewed

@@ -1,66 +0,0 @@
-let Resend;
-try {
-  Resend = (await import('resend')).Resend;
-} catch {
-  // resend not available — email features will be disabled
-}
-const resend = (process.env.RESEND_API_KEY && Resend) ? new Resend(process.env.RESEND_API_KEY) : null;
-const FROM_EMAIL = process.env.FROM_EMAIL || 'Upfyn Code <noreply@upfyn.com>';
-const APP_URL = process.env.APP_URL || 'https://cli.upfyn.com';
-export async function sendPasswordResetEmail(toEmail, resetToken) {
-  if (!resend) {
-    console.warn('[Email] RESEND_API_KEY not set — cannot send password reset email');
-    return { success: false, error: 'Email service not configured' };
-  }
-  const resetUrl = `${APP_URL}/reset-password?token=${resetToken}`;
-  try {
-    const { data, error } = await resend.emails.send({
-      from: FROM_EMAIL,
-      to: toEmail,
-      subject: 'Reset your Upfyn Code password',
-      html: `
-<!DOCTYPE html>
-<html>
-<head><meta charset="utf-8"><meta name="viewport" content="width=device-width,initial-scale=1"></head>
-<body style="margin:0;padding:0;background:#0f172a;font-family:-apple-system,BlinkMacSystemFont,'Segoe UI',Roboto,sans-serif;">
-  <table width="100%" cellpadding="0" cellspacing="0" style="background:#0f172a;padding:40px 20px;">
-    <tr><td align="center">
-      <table width="480" cellpadding="0" cellspacing="0" style="background:#1e293b;border-radius:12px;border:1px solid #334155;overflow:hidden;">
-        <tr><td style="padding:32px 32px 24px;text-align:center;">
-          <h1 style="margin:0 0 8px;color:#f8fafc;font-size:22px;font-weight:600;">Password Reset</h1>
-          <p style="margin:0;color:#94a3b8;font-size:14px;">You requested a password reset for your Upfyn Code account.</p>
-        </td></tr>
-        <tr><td style="padding:0 32px 24px;text-align:center;">
-          <a href="${resetUrl}" style="display:inline-block;padding:12px 32px;background:#3b82f6;color:#fff;text-decoration:none;border-radius:8px;font-size:15px;font-weight:500;">
-            Reset Password
-          </a>
-        </td></tr>
-        <tr><td style="padding:0 32px 24px;text-align:center;">
-          <p style="margin:0;color:#64748b;font-size:12px;">This link expires in 1 hour. If you didn't request this, you can safely ignore this email.</p>
-        </td></tr>
-        <tr><td style="padding:16px 32px;background:#0f172a;border-top:1px solid #334155;text-align:center;">
-          <p style="margin:0;color:#475569;font-size:11px;">Upfyn Code &mdash; cli.upfyn.com</p>
-        </td></tr>
-      </table>
-    </td></tr>
-  </table>
-</body>
-</html>`,
-    });
-    if (error) {
-      console.error('[Email] Resend error:', error);
-      return { success: false, error: error.message };
-    }
-    return { success: true, id: data?.id };
-  } catch (err) {
-    console.error('[Email] Send failed:', err.message);
-    return { success: false, error: err.message };
-  }
-}

package/server/utils/gitConfig.js DELETED Viewed

@@ -1,24 +0,0 @@
-import { exec } from 'child_process';
-import { promisify } from 'util';
-const execAsync = promisify(exec);
-/**
- * Read git configuration from system's global git config
- * @returns {Promise<{git_name: string|null, git_email: string|null}>}
- */
-export async function getSystemGitConfig() {
-  try {
-    const [nameResult, emailResult] = await Promise.all([
-      execAsync('git config --global user.name').catch(() => ({ stdout: '' })),
-      execAsync('git config --global user.email').catch(() => ({ stdout: '' }))
-    ]);
-    return {
-      git_name: nameResult.stdout.trim() || null,
-      git_email: emailResult.stdout.trim() || null
-    };
-  } catch (error) {
-    return { git_name: null, git_email: null };
-  }
-}