mirror of
https://github.com/koala73/worldmonitor.git
synced 2026-04-25 17:14:57 +02:00
dff14ed344
* feat(agent-readiness): RFC 9727 API catalog + native openapi.yaml serve Closes #3309, part of epic #3306. - Serves the sebuf-bundled OpenAPI spec natively at https://www.worldmonitor.app/openapi.yaml with correct application/yaml content-type (no Mintlify proxy hop). Build-time copy from docs/api/worldmonitor.openapi.yaml. - Publishes RFC 9727 API catalog at /.well-known/api-catalog with service-desc pointing at the native URL, status rel pointing at /api/health, and a separate anchor for the MCP endpoint referencing its SEP-1649 card (#3311). Refs PR #3341 (sebuf v0.11.1 bundle landed). * test(deploy-config): update SPA catch-all regex assertion The deploy-config guardrail hard-codes the SPA catch-all regex string and asserts its Cache-Control is no-cache. The prior commit added openapi.yaml to the exclusion list; this updates the test to match so the guardrail continues to protect HTML entry caching. * fix(agent-readiness): address Greptile review on PR #3343 - Extract openapi.yaml copy into named script `build:openapi` and prefix every web-variant build (build:full/tech/finance/happy/ commodity). prebuild delegates to the same script so the default `npm run build` path is unchanged. Swap shell `cp` for Node's cpSync for cross-platform safety. - Bump service-desc MIME type in /.well-known/api-catalog from application/yaml to application/vnd.oai.openapi (IANA-registered OpenAPI media type). Endpoint Content-Type stays application/yaml for browser/tool compatibility. * fix(agent-readiness): P1 health href + guardrail tests on PR #3343 - status.href in /.well-known/api-catalog was pointing at https://api.worldmonitor.app/health (which serves the SPA HTML, not a health response). Corrected to /api/health, which returns the real {"status":"HEALTHY",...} JSON from api/health.js. - Extend tests/deploy-config.test.mjs with assertions that would have caught this regression: linkset structure, status/service- desc href shapes, and presence of build:openapi across every web-variant build script.
405 lines
18 KiB
JavaScript
405 lines
18 KiB
JavaScript
import { describe, it } from 'node:test';
|
|
import assert from 'node:assert/strict';
|
|
import { readFileSync, existsSync } from 'node:fs';
|
|
import { dirname, resolve } from 'node:path';
|
|
import { fileURLToPath } from 'node:url';
|
|
|
|
const __dirname = dirname(fileURLToPath(import.meta.url));
|
|
const vercelConfig = JSON.parse(readFileSync(resolve(__dirname, '../vercel.json'), 'utf-8'));
|
|
const viteConfigSource = readFileSync(resolve(__dirname, '../vite.config.ts'), 'utf-8');
|
|
|
|
const getCacheHeaderValue = (sourcePath) => {
|
|
const rule = vercelConfig.headers.find((entry) => entry.source === sourcePath);
|
|
const header = rule?.headers?.find((item) => item.key.toLowerCase() === 'cache-control');
|
|
return header?.value ?? null;
|
|
};
|
|
|
|
describe('deploy/cache configuration guardrails', () => {
|
|
it('disables caching for HTML entry routes on Vercel', () => {
|
|
const spaNoCache = getCacheHeaderValue('/((?!api|mcp|oauth|assets|blog|docs|favico|map-styles|data|textures|pro|sw\\.js|workbox-[a-f0-9]+\\.js|manifest\\.webmanifest|offline\\.html|robots\\.txt|sitemap\\.xml|llms\\.txt|llms-full\\.txt|openapi\\.yaml|\\.well-known|wm-widget-sandbox\\.html).*)');
|
|
assert.equal(spaNoCache, 'no-cache, no-store, must-revalidate');
|
|
});
|
|
|
|
it('keeps immutable caching for hashed static assets', () => {
|
|
assert.equal(
|
|
getCacheHeaderValue('/assets/(.*)'),
|
|
'public, max-age=31536000, immutable'
|
|
);
|
|
});
|
|
|
|
it('keeps PWA precache glob free of HTML files', () => {
|
|
assert.match(
|
|
viteConfigSource,
|
|
/globPatterns:\s*\['\*\*\/\*\.\{js,css,ico,png,svg,woff2\}'\]/
|
|
);
|
|
assert.doesNotMatch(viteConfigSource, /globPatterns:\s*\['\*\*\/\*\.\{js,css,html/);
|
|
});
|
|
|
|
it('explicitly disables navigateFallback when HTML is not precached', () => {
|
|
assert.match(viteConfigSource, /navigateFallback:\s*null/);
|
|
assert.doesNotMatch(viteConfigSource, /navigateFallbackDenylist:\s*\[/);
|
|
});
|
|
|
|
it('uses network-only runtime caching for navigation requests', () => {
|
|
assert.match(viteConfigSource, /request\.mode === 'navigate'/);
|
|
assert.match(viteConfigSource, /handler:\s*'NetworkOnly'/);
|
|
});
|
|
|
|
it('contains variant-specific metadata fields used by html replacement and manifest', () => {
|
|
const variantMetaSource = readFileSync(resolve(__dirname, '../src/config/variant-meta.ts'), 'utf-8');
|
|
assert.match(variantMetaSource, /shortName:\s*'/);
|
|
assert.match(variantMetaSource, /subject:\s*'/);
|
|
assert.match(variantMetaSource, /classification:\s*'/);
|
|
assert.match(variantMetaSource, /categories:\s*\[/);
|
|
assert.match(
|
|
viteConfigSource,
|
|
/\.replace\(\/<meta name="subject" content="\.\*\?" \\\/>\/,\s*`<meta name="subject"/
|
|
);
|
|
assert.match(
|
|
viteConfigSource,
|
|
/\.replace\(\/<meta name="classification" content="\.\*\?" \\\/>\/,\s*`<meta name="classification"/
|
|
);
|
|
});
|
|
});
|
|
|
|
const getSecurityHeaders = () => {
|
|
const rule = vercelConfig.headers.find((entry) => entry.source === '/((?!docs).*)');
|
|
return rule?.headers ?? [];
|
|
};
|
|
|
|
const getHeaderValue = (key) => {
|
|
const headers = getSecurityHeaders();
|
|
const header = headers.find((h) => h.key.toLowerCase() === key.toLowerCase());
|
|
return header?.value ?? null;
|
|
};
|
|
|
|
describe('security header guardrails', () => {
|
|
it('includes all 5 required security headers on catch-all route', () => {
|
|
const required = [
|
|
'X-Content-Type-Options',
|
|
'Strict-Transport-Security',
|
|
'Referrer-Policy',
|
|
'Permissions-Policy',
|
|
'Content-Security-Policy',
|
|
];
|
|
const headerKeys = getSecurityHeaders().map((h) => h.key);
|
|
for (const name of required) {
|
|
assert.ok(headerKeys.includes(name), `Missing security header: ${name}`);
|
|
}
|
|
});
|
|
|
|
it('Permissions-Policy disables all expected browser APIs', () => {
|
|
const policy = getHeaderValue('Permissions-Policy');
|
|
const expectedDisabled = [
|
|
'camera=()',
|
|
'microphone=()',
|
|
'accelerometer=()',
|
|
'bluetooth=()',
|
|
'display-capture=()',
|
|
'gyroscope=()',
|
|
'hid=()',
|
|
'idle-detection=()',
|
|
'magnetometer=()',
|
|
'midi=()',
|
|
'payment=(self "https://checkout.dodopayments.com" "https://test.checkout.dodopayments.com" "https://pay.google.com" "https://hooks.stripe.com" "https://js.stripe.com")',
|
|
'screen-wake-lock=()',
|
|
'serial=()',
|
|
'usb=()',
|
|
'xr-spatial-tracking=("https://challenges.cloudflare.com")',
|
|
];
|
|
for (const directive of expectedDisabled) {
|
|
assert.ok(policy.includes(directive), `Permissions-Policy missing: ${directive}`);
|
|
}
|
|
});
|
|
|
|
it('Permissions-Policy delegates media APIs to allowed origins', () => {
|
|
const policy = getHeaderValue('Permissions-Policy');
|
|
// autoplay and encrypted-media delegate to self + YouTube
|
|
for (const api of ['autoplay', 'encrypted-media']) {
|
|
assert.match(
|
|
policy,
|
|
new RegExp(`${api}=\\(self "https://www\\.youtube\\.com" "https://www\\.youtube-nocookie\\.com"\\)`),
|
|
`Permissions-Policy should delegate ${api} to YouTube origins`
|
|
);
|
|
}
|
|
// geolocation delegates to self (used by user-location.ts)
|
|
assert.ok(
|
|
policy.includes('geolocation=(self)'),
|
|
'Permissions-Policy should delegate geolocation to self'
|
|
);
|
|
// picture-in-picture delegates to self + YouTube + Turnstile
|
|
assert.match(
|
|
policy,
|
|
/picture-in-picture=\(self "https:\/\/www\.youtube\.com" "https:\/\/www\.youtube-nocookie\.com" "https:\/\/challenges\.cloudflare\.com"\)/,
|
|
'Permissions-Policy should delegate picture-in-picture to YouTube + Turnstile origins'
|
|
);
|
|
});
|
|
|
|
it('CSP connect-src does not allow unencrypted WebSocket (ws:)', () => {
|
|
const csp = getHeaderValue('Content-Security-Policy');
|
|
const connectSrc = csp.match(/connect-src\s+([^;]+)/)?.[1] ?? '';
|
|
assert.ok(!connectSrc.includes(' ws:'), 'CSP connect-src must not contain ws: (unencrypted WebSocket)');
|
|
assert.ok(connectSrc.includes('wss:'), 'CSP connect-src should keep wss: for secure WebSocket');
|
|
});
|
|
|
|
it('CSP connect-src https: scheme is consistent between header and meta tag', () => {
|
|
const indexHtml = readFileSync(resolve(__dirname, '../index.html'), 'utf-8');
|
|
const headerCsp = getHeaderValue('Content-Security-Policy');
|
|
const metaMatch = indexHtml.match(/http-equiv="Content-Security-Policy"\s+content="([^"]*)"/i);
|
|
assert.ok(metaMatch, 'index.html must have a CSP meta tag');
|
|
|
|
const headerConnectSrc = headerCsp.match(/connect-src\s+([^;]+)/)?.[1] ?? '';
|
|
const metaConnectSrc = metaMatch[1].match(/connect-src\s+([^;]+)/)?.[1] ?? '';
|
|
|
|
const headerHasHttps = /\bhttps:\b/.test(headerConnectSrc);
|
|
const metaHasHttps = /\bhttps:\b/.test(metaConnectSrc);
|
|
|
|
// The CSP violation listener suppresses HTTPS connect-src violations when the meta tag
|
|
// contains https: in connect-src. If the header is tightened without the meta tag,
|
|
// real violations would be silently suppressed. Both must stay in sync.
|
|
assert.equal(headerHasHttps, metaHasHttps,
|
|
`connect-src https: scheme mismatch: header=${headerHasHttps}, meta=${metaHasHttps}. ` +
|
|
'If removing https: from connect-src, update the CSP violation listener in main.ts too.');
|
|
});
|
|
|
|
it('CSP connect-src does not contain localhost in production', () => {
|
|
const csp = getHeaderValue('Content-Security-Policy');
|
|
const connectSrc = csp.match(/connect-src\s+([^;]+)/)?.[1] ?? '';
|
|
assert.ok(!connectSrc.includes('http://localhost'), 'CSP connect-src must not contain http://localhost in production');
|
|
});
|
|
|
|
it('CSP script-src includes wasm-unsafe-eval for WebAssembly support', () => {
|
|
const csp = getHeaderValue('Content-Security-Policy');
|
|
const scriptSrc = csp.match(/script-src\s+([^;]+)/)?.[1] ?? '';
|
|
assert.ok(scriptSrc.includes("'wasm-unsafe-eval'"), 'CSP script-src must include wasm-unsafe-eval for WASM support');
|
|
assert.ok(scriptSrc.includes("'self'"), 'CSP script-src must include self');
|
|
});
|
|
|
|
it('CSP script-src includes Clerk origin for auth UI', () => {
|
|
const csp = getHeaderValue('Content-Security-Policy');
|
|
const scriptSrc = csp.match(/script-src\s+([^;]+)/)?.[1] ?? '';
|
|
assert.ok(
|
|
scriptSrc.includes('clerk.accounts.dev') || scriptSrc.includes('clerk.worldmonitor.app'),
|
|
'CSP script-src must include Clerk origin for auth UI to load'
|
|
);
|
|
});
|
|
|
|
it('CSP frame-src includes Clerk origin for auth modals', () => {
|
|
const csp = getHeaderValue('Content-Security-Policy');
|
|
const frameSrc = csp.match(/frame-src\s+([^;]+)/)?.[1] ?? '';
|
|
assert.ok(
|
|
frameSrc.includes('clerk.accounts.dev') || frameSrc.includes('clerk.worldmonitor.app'),
|
|
'CSP frame-src must include Clerk origin for sign-in modal'
|
|
);
|
|
});
|
|
|
|
it('CSP script-src hashes are in sync between vercel.json header and index.html meta tag', () => {
|
|
const indexHtml = readFileSync(resolve(__dirname, '../index.html'), 'utf-8');
|
|
const headerCsp = getHeaderValue('Content-Security-Policy');
|
|
const metaMatch = indexHtml.match(/http-equiv="Content-Security-Policy"\s+content="([^"]*)"/i);
|
|
assert.ok(metaMatch, 'index.html must have a CSP meta tag');
|
|
const metaCsp = metaMatch[1];
|
|
|
|
const extractHashes = (csp) => {
|
|
const scriptSrc = csp.match(/script-src\s+([^;]+)/)?.[1] ?? '';
|
|
return new Set(scriptSrc.match(/'sha256-[A-Za-z0-9+/=]+'/g) ?? []);
|
|
};
|
|
|
|
const headerHashes = extractHashes(headerCsp);
|
|
const metaHashes = extractHashes(metaCsp);
|
|
|
|
const onlyHeader = [...headerHashes].filter(h => !metaHashes.has(h));
|
|
const onlyMeta = [...metaHashes].filter(h => !headerHashes.has(h));
|
|
|
|
assert.deepEqual(onlyHeader, [],
|
|
`script-src hashes in vercel.json but missing from index.html: ${onlyHeader.join(', ')}. ` +
|
|
'Dual CSP enforces both; mismatched hashes block scripts.');
|
|
assert.deepEqual(onlyMeta, [],
|
|
`script-src hashes in index.html but missing from vercel.json: ${onlyMeta.join(', ')}. ` +
|
|
'Dual CSP enforces both; mismatched hashes block scripts.');
|
|
});
|
|
|
|
it('security.txt exists in public/.well-known/', () => {
|
|
const secTxt = readFileSync(resolve(__dirname, '../public/.well-known/security.txt'), 'utf-8');
|
|
assert.match(secTxt, /^Contact:/m, 'security.txt must have a Contact field');
|
|
assert.match(secTxt, /^Expires:/m, 'security.txt must have an Expires field');
|
|
});
|
|
});
|
|
|
|
// Per-route CSP override for the hosted brief magazine. The renderer
|
|
// emits an inline <script> (swipe/arrow/wheel/touch nav IIFE) whose
|
|
// hash is NOT on the global script-src allowlist, so the catch-all
|
|
// CSP silently blocks it. This rule relaxes script-src to
|
|
// 'unsafe-inline' for /api/brief/* only. All Redis-sourced content
|
|
// flows through escapeHtml() in brief-render.js before interpolation,
|
|
// so unsafe-inline doesn't open an XSS surface.
|
|
const getBriefSecurityHeaders = () => {
|
|
const rule = vercelConfig.headers.find((entry) => entry.source === '/api/brief/(.*)');
|
|
return rule?.headers ?? [];
|
|
};
|
|
|
|
const getBriefCspValue = () => {
|
|
const headers = getBriefSecurityHeaders();
|
|
const header = headers.find((h) => h.key.toLowerCase() === 'content-security-policy');
|
|
return header?.value ?? null;
|
|
};
|
|
|
|
describe('brief magazine CSP override', () => {
|
|
it('rule exists for /api/brief/(.*) with a Content-Security-Policy header', () => {
|
|
const csp = getBriefCspValue();
|
|
assert.ok(csp, 'Missing per-route CSP override for /api/brief/(.*) — the magazine nav IIFE will be blocked');
|
|
});
|
|
|
|
it('script-src includes unsafe-inline so the nav IIFE can execute', () => {
|
|
const csp = getBriefCspValue();
|
|
const scriptSrc = csp.match(/script-src\s+([^;]+)/)?.[1] ?? '';
|
|
assert.ok(
|
|
scriptSrc.includes("'unsafe-inline'"),
|
|
"brief CSP script-src must include 'unsafe-inline' — without it swipe/arrow nav is silently blocked",
|
|
);
|
|
});
|
|
|
|
it('connect-src allows Cloudflare Insights analytics beacon to POST', () => {
|
|
const csp = getBriefCspValue();
|
|
const connectSrc = csp.match(/connect-src\s+([^;]+)/)?.[1] ?? '';
|
|
assert.ok(
|
|
connectSrc.includes('https://cloudflareinsights.com'),
|
|
'brief CSP connect-src must allow cloudflareinsights.com so the CF beacon can POST to /cdn-cgi/rum',
|
|
);
|
|
});
|
|
|
|
it('keeps tight defaults for non-script directives', () => {
|
|
const csp = getBriefCspValue();
|
|
for (const directive of [
|
|
"default-src 'self'",
|
|
"object-src 'none'",
|
|
"form-action 'none'",
|
|
"base-uri 'self'",
|
|
]) {
|
|
assert.ok(csp.includes(directive), `brief CSP missing tight directive: ${directive}`);
|
|
}
|
|
});
|
|
});
|
|
|
|
// Agent readiness: RFC 9727 API catalog at /.well-known/api-catalog and
|
|
// the build-time copy of the OpenAPI spec from docs/api/ into public/.
|
|
// These guardrails protect against:
|
|
// (1) the status endpoint href drifting away from /api/health (the
|
|
// real JSON endpoint; the apex /health serves the SPA HTML);
|
|
// (2) variant build scripts dropping the `npm run build:openapi`
|
|
// prefix and silently shipping web bundles without the spec;
|
|
// (3) the openapi source under docs/ being deleted without a
|
|
// matching removal of the build step.
|
|
describe('agent readiness: api-catalog + openapi build', () => {
|
|
const apiCatalog = JSON.parse(
|
|
readFileSync(resolve(__dirname, '../public/.well-known/api-catalog'), 'utf-8')
|
|
);
|
|
const pkg = JSON.parse(readFileSync(resolve(__dirname, '../package.json'), 'utf-8'));
|
|
|
|
it('api anchor is first and points at the api host root', () => {
|
|
assert.equal(apiCatalog.linkset[0].anchor, 'https://api.worldmonitor.app/');
|
|
});
|
|
|
|
it('status href points at /api/health (SPA lives at /health — would 200 HTML and look healthy)', () => {
|
|
const statusHref = apiCatalog.linkset[0].status[0].href;
|
|
assert.ok(
|
|
statusHref.startsWith('https://api.worldmonitor.app'),
|
|
`status href must be on api.worldmonitor.app, got: ${statusHref}`
|
|
);
|
|
assert.ok(
|
|
statusHref.endsWith('/api/health'),
|
|
`status href must end with /api/health (real JSON endpoint), got: ${statusHref}`
|
|
);
|
|
});
|
|
|
|
it('service-desc points at /openapi.yaml with the OpenAPI media type', () => {
|
|
const serviceDesc = apiCatalog.linkset[0]['service-desc'][0];
|
|
assert.ok(
|
|
serviceDesc.href.endsWith('/openapi.yaml'),
|
|
`service-desc href must end with /openapi.yaml, got: ${serviceDesc.href}`
|
|
);
|
|
assert.equal(serviceDesc.type, 'application/vnd.oai.openapi');
|
|
});
|
|
|
|
it('has a second anchor for the MCP server-card', () => {
|
|
const mcpEntry = apiCatalog.linkset.find((entry) => entry.anchor === 'https://worldmonitor.app/mcp');
|
|
assert.ok(mcpEntry, 'linkset must contain an anchor for https://worldmonitor.app/mcp');
|
|
const mcpServiceDesc = mcpEntry['service-desc']?.[0];
|
|
assert.ok(mcpServiceDesc, 'mcp anchor must have a service-desc entry');
|
|
assert.ok(
|
|
mcpServiceDesc.href.endsWith('/.well-known/mcp/server-card.json'),
|
|
`mcp service-desc href must end with /.well-known/mcp/server-card.json, got: ${mcpServiceDesc.href}`
|
|
);
|
|
});
|
|
|
|
it('exposes a build:openapi script that copies docs/api → public/openapi.yaml', () => {
|
|
const buildOpenapi = pkg.scripts['build:openapi'];
|
|
assert.ok(buildOpenapi, 'package.json must define scripts["build:openapi"]');
|
|
assert.ok(
|
|
buildOpenapi.includes('docs/api/worldmonitor.openapi.yaml'),
|
|
`build:openapi must reference docs/api/worldmonitor.openapi.yaml, got: ${buildOpenapi}`
|
|
);
|
|
assert.ok(
|
|
buildOpenapi.includes('public/openapi.yaml'),
|
|
`build:openapi must write to public/openapi.yaml, got: ${buildOpenapi}`
|
|
);
|
|
});
|
|
|
|
it('every web-variant build chains npm run build:openapi', () => {
|
|
// build:desktop and build:pro are intentionally excluded — Tauri
|
|
// sidecar builds and the standalone pro-test workspace don't ship
|
|
// the OpenAPI spec.
|
|
const webVariants = ['build:full', 'build:tech', 'build:finance', 'build:happy', 'build:commodity'];
|
|
for (const variant of webVariants) {
|
|
const script = pkg.scripts[variant];
|
|
assert.ok(script, `package.json must define scripts["${variant}"]`);
|
|
assert.ok(
|
|
script.includes('npm run build:openapi'),
|
|
`scripts["${variant}"] must chain "npm run build:openapi" so the web bundle ships the spec; got: ${script}`
|
|
);
|
|
}
|
|
});
|
|
|
|
it('keeps a prebuild hook so the default `npm run build` path also copies the spec', () => {
|
|
assert.ok(pkg.scripts.prebuild, 'package.json must define scripts["prebuild"] (default build path uses it)');
|
|
});
|
|
|
|
it('openapi source exists at docs/api/worldmonitor.openapi.yaml', () => {
|
|
// Catches the class of regression where someone cleans generated
|
|
// artifacts and forgets to regenerate before committing — the
|
|
// prebuild step would then fail silently at deploy time.
|
|
const openapiPath = resolve(__dirname, '../docs/api/worldmonitor.openapi.yaml');
|
|
assert.ok(
|
|
existsSync(openapiPath),
|
|
`docs/api/worldmonitor.openapi.yaml must exist — without it, build:openapi fails at deploy time`
|
|
);
|
|
});
|
|
});
|
|
|
|
// PR history: #3204 / #3206 forced the resvg linux-x64-gnu native
|
|
// binding into the carousel function via vercel.json
|
|
// `functions.includeFiles`. That entire workaround became unnecessary
|
|
// once the route moved to @vercel/og on Edge runtime (see
|
|
// api/brief/carousel/...), which bundles satori + resvg-wasm with
|
|
// Vercel-native support. The `functions` block was removed.
|
|
//
|
|
// If any future route ever needs a Vercel `functions` config, keep
|
|
// in mind: the keys are micromatch globs, NOT literal paths.
|
|
// `[userId]` is a character class (match one of u/s/e/r/I/d), not a
|
|
// dynamic segment placeholder. Use `api/foo/**` for routes with
|
|
// dynamic brackets. See skill `vercel-native-binding-peer-dep-missing`
|
|
// for the full story.
|
|
describe('vercel.json functions config (none expected after carousel moved to edge)', () => {
|
|
it('does not define any `functions` block (carousel now uses @vercel/og on edge)', () => {
|
|
assert.equal(
|
|
vercelConfig.functions,
|
|
undefined,
|
|
'No routes currently require a functions config. If adding one, ' +
|
|
'remember Vercel treats the key as a micromatch glob — ' +
|
|
'`[userId]` will silently match one of {u,s,e,r,I,d} and your ' +
|
|
'rule will apply to nothing. See skill ' +
|
|
'vercel-native-binding-peer-dep-missing for the gotcha.',
|
|
);
|
|
});
|
|
});
|